These are writeups from CTF competitions I took part in earlier, migrated over to this blog.

Re

lzzy (solved)

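  • The challenge reads a flag.txt file, runs it through a shell script, and writes out a result.txt file;
  • The shell script contains Python code; pulling it out and running it shows that it generates a sequential sequence;
  • XORing that sequence with the result then gives the answer…
  • One thing I did learn, though: bytes.fromhex(string) converts a hex string into the corresponding byte string;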
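
```python
import os
import decimal
import time


def test1():
    # Take 3-digit groups from the decimal expansion of
    # 1/((1010 - current month) * 1000 + 1); the output depends on the month
    # in which the code runs.
    decimal.getcontext().prec = 2992
    index = 0xfd
    x = str(decimal.Decimal(1) / decimal.Decimal((1010 - int(time.strftime('%m'))) * 1000 + 1))[2:]
    print(x)
    print(int(x[3 * index:3 * index + 3]))


def test2():
    # XOR each byte of the hex string with a counter that starts at 100,
    # printing every step and writing the resulting characters to 'tmp'.
    a = '2855140337590c3434040c5b411346492b3113430c11254a49220a17b3def0b3b0e1f2b7d7bdfdb8'
    j = 100
    with open('tmp', 'w') as f:
        for i in range(0, len(a), 2):
            p = int(a[i:i + 2], 16)
            print(hex(p))
            print(hex(p ^ j))
            print(chr(p ^ j))
            f.write(chr(p ^ j))
            j += 1


if __name__ == '__main__':
    # test2()
    # test1()
    a = '2855140337590c3434040c5b411346492b3113430c11254a49220a17b3def0b3b0e1f2b7d7bdfdb8'
    # bytes.fromhex turns the hex string into raw bytes in one call
    print(bytes.fromhex(a))
```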
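
How test1 and test2 above fit together, as an added example (not the challenge's script and not the author's code). It assumes the month is 12, which makes the denominator 998001 = 999², whose decimal expansion counts 000 001 002 …; the helper names `keystream` and `decode` are hypothetical, and the starting index 100 is the one test2 uses.

```python
import decimal

# Hex string copied from the writeup's script above.
RESULT_HEX = ("2855140337590c3434040c5b411346492b3113430c11254a"
              "49220a17b3def0b3b0e1f2b7d7bdfdb8")


def keystream(month, count=256):
    """First `count` 3-digit groups of 1/((1010 - month) * 1000 + 1)."""
    with decimal.localcontext() as ctx:
        ctx.prec = 2992  # same precision as test1()
        denom = decimal.Decimal((1010 - month) * 1000 + 1)
        digits = str(decimal.Decimal(1) / denom)[2:]  # drop the leading "0."
    return [int(digits[3 * i:3 * i + 3]) for i in range(count)]


def decode(result_hex, ks, start=100):
    """XOR the result bytes with ks[start], ks[start + 1], ... as test2 does."""
    data = bytes.fromhex(result_hex)
    return bytes(b ^ ks[start + i] for i, b in enumerate(data))


if __name__ == "__main__":
    december = keystream(12)  # assumption: the script ran in December
    print(december[:6], december[0xfd])
    print(decode(RESULT_HEX, december).decode("ascii"))
    # Any other month changes the denominator and breaks the counting pattern.
    print(keystream(11)[:6])
```

Because the generator calls time.strftime('%m'), rerunning the extracted code in a different month produces a different sequence, so pin the month when reproducing the solve.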

Crusoe (solved)

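  • We are given an executable that takes input characters and prints a string for them, plus a flag.crusoe file, so the task looks like translating it back;
  • Looking at the pattern, each 9*9 block can be flattened and used as a hash; but digits turn out to carry an extra prefix, so they need special handling;
  • After that it was just a matter of writing the script. I read other people's writeups: there are multiple solutions, but nobody flattened and matched the way I did. Did they really compare the blocks one by one? Impressive;
  • Result: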

```
robin@ubuntu:~/ctf/asis20$ nc 66.172.10.203 9999
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ ..:: Crusoe flag checker ::.. +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| Please input your right answer for Crusoe task:
QXNJU3TJUNXTMDNHMT0WM19HMIJIDTXJNHQZZH9HYZ4T251NZUHIX1
Congrats! this is the flag: ASIS{cRuS03_10V3__0bFu5c4T3d__c0COnu75!!}
```
  • Script:

```python
# Alphabet in the order the table was generated: 0-9, a-z, A-Z
a = ''
for i in range(10):
    a += str(i)
for i in range(26):
    a += chr(ord('a') + i)
for i in range(26):
    a += chr(ord('A') + i)

# 'table' holds the program's output for the alphabet above
with open('re\\crusoe\\Crusoe\\table', 'r') as f:
    b = f.read()
b = b.split('\n\n')


def sp8(input8):
    # Split one block of text (up to 8 glyphs side by side, 9 columns each)
    # into 8 flattened strings, one per glyph.
    cur8 = [''] * 8
    lines = input8.split('\n')
    for line in lines:
        for k in range(0, len(line), 9):
            cur8[k // 9] += line[k:k + 9]
    return cur8


cur = sp8(b[0])
cctable = list()
for cccc in b:
    cur = sp8(cccc)
    cctable.extend(cur)

print(len(a))
print(len(cctable))

# Map flattened glyph -> character
mapp = dict()
zero = cctable[0]
mapp[zero] = '0'

# Digits 1-9 take two glyphs each (prefix + digit), so key on the joined pair
for i in range(0, 9):
    mapp[''.join(cctable[i * 2 + 1:i * 2 + 3])] = str(i + 1)

for i, j in mapp.items():
    print(i, j)

# Letters are single glyphs; the 9 extra prefix glyphs shift their index by 9
for i in range(10, len(a)):
    print(i)
    mapp[cctable[i + 9]] = a[i]
print(mapp)

with open('re\\crusoe\\Crusoe\\flag.crusoe', 'r') as f:
    b = f.read().split('\n\n')

cctable = list()
for cccc in b:
    cur = sp8(cccc)
    cctable.extend(cur)

i = 0
while i < len(cctable):
    # for i in range(0,len(cctable)): this is a trap, i can only advance one
    # step at a time there, so I switched to while
    if cctable[i] == zero:
        # A glyph equal to '0' may be the prefix of a two-glyph digit
        if ''.join(cctable[i:i + 2]) in mapp:
            print(mapp[''.join(cctable[i:i + 2])], end='')
            i += 2
            continue
        else:
            print('0', end='')
    elif cctable[i] in mapp:
        print(mapp[cctable[i]], end='')
    else:
        # Unknown glyph: dump it 9 columns per row for inspection
        print()
        print('error')
        # print(cctable[i])
        for l in range(0, len(cctable[i]), 9):
            for k in range(9):
                print(cctable[i][l + k], end='')
            print()
    i += 1

# a='QXNJU3QTJUNXTMDNHMT0WM1K9IHMIJIDTXJNHQZZH9IHYZ4DT225E1KNZUHIX1'
# re_mapp={}
# for i,j in mapp.items():
#     re_mapp[j]=i
# lll=['']*20
# for i in a:
#     cur=re_mapp[i]
#     for i in range(0,len(cur),9):
#         lll[i//9]+=cur[i:i+9]
# for j in lll:
#     print(j)
```