JUSTCTF2020 Freshman Competition (On-Campus) Writeup
JUSTCTF2020 Crypto & Misc Writeup
Crypto
1.Crypto Sign IN
Opening the attachment gives a block of kaomoji (emoticon) text. Paste it into the browser console to get the flag.
2.So easy
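The attachment contains three files. Following the challenge hint, go straight to the Python script and scroll to the bottom of it (shown as a screenshot in the original post).
Whatever value is entered, the script always ends up at this point, so the input does not matter. Reversing the value inside the {} gives the correct flag.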
3.Basic and advanced
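Challenge:
Xzetgstv?axivgi?gh?dbqnl?uhf?kkq?hbarcgrbha?rls?xouv?mu?ngg,?rls?usizlcxfu?rpt?htvvl?wtff?km?rkoeb,?qd?bh?kj?yalc?erjaxr?LLQI?hp?ksnulcafnol?eeiq
According to the hint, both Caesar and Vigenère encryption were used.
Solution 1: "LLQI" stands out from the rest of the text, which suggests the flag format JUST{}. Tentatively assume LLQI = JUST. Under that assumption part of the key works out to cryp, which in turn suggests crypto. Decrypting with that key gives
Vigenere?cipher?is?known?for?its?simplicity?and?ease?of?use,?and?beginners?are?often?hard?to?crack,?so?it?is?also?called?JUST?ob?ibpfsoyopzs?qcrs
JUST does appear and the plaintext before it is readable, so the key is crypto.
Next, Caesar-decrypt the text after JUST. Enumerating every shift (a screenshot in the original post) reveals a readable string.
Formatting it the way the challenge specifies gives the flag.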
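Solution 1 end to end, as an added example (not part of the original writeup): derive the key fragment from the guessed crib, decrypt with the full key, then list every Caesar shift of the tail. The function names are this example's own, and "?" is treated as a separator that does not consume key letters.

```python
import string

ALPHA = string.ascii_lowercase

# Ciphertext copied from the challenge text above.
CT = ("Xzetgstv?axivgi?gh?dbqnl?uhf?kkq?hbarcgrbha?rls?xouv?mu?ngg,?rls?"
      "usizlcxfu?rpt?htvvl?wtff?km?rkoeb,?qd?bh?kj?yalc?erjaxr?LLQI?"
      "hp?ksnulcafnol?eeiq")

def unshift(ch, k):
    """Move one ASCII letter back by k places, keeping case; pass anything else through."""
    if ch.isascii() and ch.isalpha():
        base = ord("A") if ch.isupper() else ord("a")
        return chr((ord(ch) - base - k) % 26 + base)
    return ch

def key_from_crib(cipher_word, guessed_plain):
    """Key letters implied by assuming cipher_word decrypts to guessed_plain."""
    return "".join(ALPHA[(ord(c) - ord(p)) % 26]
                   for c, p in zip(cipher_word.lower(), guessed_plain.lower()))

def vigenere_decrypt(ct, key):
    """Decrypt, advancing the key only on letters."""
    out, i = [], 0
    for ch in ct:
        if ch.isascii() and ch.isalpha():
            out.append(unshift(ch, ALPHA.index(key[i % len(key)])))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def caesar_candidates(text):
    """All 26 Caesar shifts of text, keyed by shift."""
    return {k: "".join(unshift(c, k) for c in text) for k in range(26)}

if __name__ == "__main__":
    print(key_from_crib("LLQI", "JUST"))          # key fragment from the crib
    plain = vigenere_decrypt(CT, "crypto")
    print(plain)
    tail = plain.split("JUST?", 1)[1]              # the part that is still Caesar-shifted
    for shift, cand in caesar_candidates(tail).items():
        print(shift, cand)
```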
Solution 2: brute-force the key with an online tool to obtain it. Site: https://www.dcode.fr/
The rest is the same as Solution 1.
4.Drunk Laffey
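Challenge:
0111001000111110111010010101101101111001101000000011010001110011010010100100000100101101111101
Hint:
101011101111010100101101011010110001101111111100010011001000110011001100110001101110000110001101101
The challenge description indicates Morse code, so try converting the 0s and 1s to Morse. The catch is that the ciphertext has no spaces. Now look at the hint: since this is meant to be an easy challenge, try simple conversions of the hint bits, such as to characters or to decimal. Converting the hint to decimal gives
433174344136236336221131312237
A reasonable guess is that this is the grouping. Splitting the ciphertext according to the hint gives
0111 001 000 1 1111011 1010 010 1011 0110 1 111 001101 00 000 001101 000 111 001101 00 10 1 0 010 0 000 1 00 10 110 1111101
Then convert 01 → Morse → plaintext:
JUST%u7bCRYPTO_IS_SO_INTERESTING%u7d
Clean this value up to get the flag.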
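The grouping and decoding steps above, as an added example (not part of the original writeup). Reading the two 7-bit groups as binary code points is an assumption of this example, chosen because it agrees with the %u7b and %u7d shown above; the function names are this example's own.

```python
# Bit strings copied from the challenge text above.
HINT = "101011101111010100101101011010110001101111111100010011001000110011001100110001101110000110001101101"
CIPHER = "0111001000111110111010010101101101111001101000000011010001110011010010100100000100101101111101"

CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. "
         "--.- .-. ... - ..- ...- .-- -..- -.-- --..").split()
MORSE = dict(zip(CODES, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"))
MORSE["..--.-"] = "_"

def group_lengths(hint_bits):
    """Read the hint as one binary integer; its decimal digits are the group lengths."""
    return [int(d) for d in str(int(hint_bits, 2))]

def split_bits(bits, lengths):
    """Cut bits into consecutive groups of the given lengths."""
    if sum(lengths) != len(bits):
        raise ValueError("group lengths do not cover the ciphertext exactly")
    groups, pos = [], 0
    for n in lengths:
        groups.append(bits[pos:pos + n])
        pos += n
    return groups

def decode_group(group):
    """0 -> dot, 1 -> dash. A group that is not in the Morse table is read as a
    binary code point (assumption, see the lead-in)."""
    morse = group.replace("0", ".").replace("1", "-")
    return MORSE.get(morse) or chr(int(group, 2))

def decode(bits, hint_bits):
    return "".join(decode_group(g) for g in split_bits(bits, group_lengths(hint_bits)))

if __name__ == "__main__":
    print(group_lengths(HINT))
    print(decode(CIPHER, HINT))
```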
5.Are you blind?
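Opening the attachment shows a passage of Braille and an encrypted key.
ciphertext: ????????????????????????????==
encrypted key: rrted ushsq wgpv
Finally, three hints are given:
Hint 1: the bifid cipher needs a 5*5 key square, but no key square is provided.
Hint 2: guess that the key square follows the order of the computer keyboard. The keyboard has 26 letters, though, and the key square holds only 25.
Hint 3: the conventional rule is to drop "z", because "z" has the lowest frequency of the 26 English letters.
That gives the key square:
  1 2 3 4 5
1 q w e r t
2 y u i o p
3 a s d f g
4 h j k l x
5 c v b n m
From here you can either work it out by hand or use a tool.
Manual solution:
Ciphertext: rrted ushsq wgpv
Derive the coordinates: 14 14 15 13 33 22 32 41 32 11 12 35 25 52
Merge the coordinates: 1414151333 2232413211 12352552
By the bifid principle, each block is then split into "rows" and "columns":
Rows: 14141 22324 1235
Columns: 51333 13211 2552
Reading the letters off the row and column coordinates gives the plaintext: the key is yhwpgv
Then use it to decode the Braille cipher (this is written out mainly to deepen your understanding of bifid).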
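The manual procedure above as code, an added example that is not part of the original writeup. It assumes a period of 5, matching the five-letter groups of the encrypted key, and the function names are this example's own. The encrypt direction is included so the round trip can be checked.

```python
# Key square from the hints: keyboard order with "z" dropped, read row by row.
SQUARE = "qwertyuiopasdfghjklxcvbnm"

def to_coords(ch):
    """Letter -> (row, column), both 1-based as in the table above."""
    i = SQUARE.index(ch)
    return i // 5 + 1, i % 5 + 1

def from_coords(row, col):
    return SQUARE[(row - 1) * 5 + (col - 1)]

def blocks(text, period):
    """Keep only letters of the square and cut them into blocks of `period`."""
    letters = [c for c in text.lower() if c in SQUARE]
    return [letters[i:i + period] for i in range(0, len(letters), period)]

def bifid_decrypt(ciphertext, period=5):
    out = []
    for block in blocks(ciphertext, period):
        # Write out all coordinates, then split them into a row half and a column half.
        digits = [d for ch in block for d in to_coords(ch)]
        rows, cols = digits[:len(block)], digits[len(block):]
        out.extend(from_coords(r, c) for r, c in zip(rows, cols))
    return "".join(out)

def bifid_encrypt(plaintext, period=5):
    out = []
    for block in blocks(plaintext, period):
        coords = [to_coords(ch) for ch in block]
        # All rows first, then all columns, then read the digits back in pairs.
        digits = [r for r, _ in coords] + [c for _, c in coords]
        out.extend(from_coords(digits[i], digits[i + 1])
                   for i in range(0, len(digits), 2))
    return "".join(out)

if __name__ == "__main__":
    print(bifid_decrypt("rrted ushsq wgpv"))
```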
Tool solution:
Remember to remove the spaces.
6.Big_Gift
Challenge:
```python
import Crypto.PublicKey.RSA as RSA

def enc(msg, pubkey):
    (n, e) = pubkey
    m = int.from_bytes(msg.encode(), byteorder='little')
    c = pow(m, e, n)
    ctxt = (c).to_bytes(c.bit_length() // 8 + 1, byteorder='little')
    return ctxt

with open("pubkey.pem", "r") as f:
    ciph = RSA.importKey(f.read())
    pubkey = (ciph.n, ciph.e)

with open("flag.txt", "r") as f:
    flag = f.read()
    flag = enc(flag, pubkey)

with open("flag.enc", "wb") as fs:
    fs.write(flag)
```
A pubkey file and the encrypted flag file are also provided.
This challenge is simple: N is so large that m^e % N == m^e, so taking the e-th root directly gives the flag. Just pay attention to the grouping.
payload:
```python
import sys
import Crypto.PublicKey.RSA as RSA

# with open("pubkey.pem", "r") as f:
#     ciph = RSA.importKey(f.read())
# with open("result.txt","w") as fs:
#     fs.write("e = "+str(ciph.e) + "\nn="+str(ciph.n))

# def enc(msg, pubkey):
#     (n,e) = pubkey
#     m = int.from_bytes(msg, byteorder = 'little')
#     c = pow(m, e, n)
#     ctxt = (c).to_bytes(c.bit_length() // 8 + 1, byteorder = 'little')
#     return ctxt

import gmpy2
from Crypto.Util.number import long_to_bytes

def dec(msg, privatekey):
    # "privatekey" is the public exponent e: no private key is needed here,
    # because c was never reduced modulo n.
    c = int.from_bytes(msg, byteorder="little")
    root, exact = gmpy2.iroot(c, privatekey)
    assert exact  # c must be a perfect e-th power
    m = int(root)
    ctxt = (m).to_bytes(m.bit_length() // 8 + 1, byteorder='little')
    return ctxt

with open('flag.enc', "rb") as rs:
    msg = rs.read()

print(str(dec(msg, 65537)))
```
7.Baby Rsa
Challenge:
```python
from Crypto.Util.number import getPrime

flag = 'JUST{**********}'
p,q = [getPrime(40) for _ in range(2)]
n = p*q
m = int.from_bytes(flag.strip("JUST")[1:-1].encode(),"big")
# e = secret
print("c ="+pow(m,e,n))
print("x ="+pow(3,e,n))
print("y ="+pow(9,e,n))
print("z ="+pow(27,e,n))
"""
c = 549255654365864476196144
x = 153618743392211321669273
y = 294470439622467776032293
z = 396326281365084844903098
"""
```
From
x = 3^e % n
y = 9^e % n
z = 27^e % n
we get
y = x^2 % n
z = x^3 % n
so
(y - x^2) % n = 0
(z - x^3) % n = 0
which gives
(z - x^3) % n = (y - x^2) % n
So (y - x^2) and (z - x^3) share the common factor n.
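Factor n online (the site address was given in class earlier).
Solve the discrete logarithm to find e.
With e, c, p and q all known, it is ordinary RSA decryption.
payload:
```python
from Crypto.Util.number import *
import sympy

c = 549255654365864476196144
x = 153618743392211321669273
y = 294470439622467776032293
z = 396326281365084844903098

# n divides both x^2 - y and x^3 - z, so it shows up in their GCD
n = GCD(x**2 - y, x**3 - z)
print(n)
p = 722402380069
q = 762582733951
phi = (p-1)*(q-1)
# solve 3^e = x (mod n) for e
e = sympy.discrete_log(n, x, 3)
d = sympy.invert(e, phi)
m = pow(c, int(d), n)
print(long_to_bytes(m))
```
8.LLL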
Challenge:
```python
from Crypto.Util.number import bytes_to_long,GCD
import random

flag = "JUST{****************}"

def init(n):
    privKey = [random.randint(1, 4**n)]
    s = privKey[0]
    for i in range(1, n):
        privKey.append(random.randint(s + 1, 4**(n + i)))
        s += privKey[i]
    q = random.randint(privKey[n-1] + 1, 2*privKey[n-1])
    r = random.randint(1, q)
    while GCD(r, q) != 1:
        r = random.randint(1, q)
    pubKey = [ r*w % q for w in privKey ]
    return pubKey,r,q

def encrypt(key,m):
    global flag
    data = [int(i, 2) for i in bin(bytes_to_long(bytes(flag[5:-1], encoding='utf-8')))[2:].rjust(128, '0')]
    enc = 0
    for i in range(len(data)):
        enc += (key[i]*data[i])%m
    return enc

def main():
    data, w, m = init(128)
    enc = encrypt(data,m)
    with open("public.key","w") as fs:
        fs.write(str(data))
    with open("flag.enc","w") as fs:
        fs.write("flag_chiper = "+str(enc))
        fs.write("\nw = "+str(w))
        fs.write("\nm = "+str(m))

if __name__ == '__main__':
    main()
```
A pubkey file and the encrypted flag file are also provided.
This is a knapsack public-key cryptosystem. Use the LLL algorithm to forge the superincreasing sequence; see ctf_wiki for details. Note that the payload runs in Sage.
payload:
```python
# open the public key and strip the spaces so we have a decent array
fileKey = open("public.key", 'r')
pubKey = fileKey.read().replace(' ', '').replace('L', '').strip('[]').split(',')
nbit = len(pubKey)
# open the encoded message; take the number from the first line,
# whether or not it carries the "flag_chiper = " prefix
fileEnc = open("flag.enc", 'r')
encoded = fileEnc.read().replace('L', '').splitlines()[0].split('=')[-1].strip()
print("start")
# create a large matrix of 0's (dimensions are public key length +1)
A = Matrix(ZZ, nbit + 1, nbit + 1)
# fill in the identity matrix
for i in range(nbit):
    A[i, i] = 1
# put the public key in the last column
for i in range(nbit):
    A[i, nbit] = int(pubKey[i])
# last element is the encoded message
A[nbit, nbit] = -int(encoded)

res = A.LLL()
for i in range(0, nbit + 1):
    # print solution: a row made only of 0s and 1s
    M = res.row(i).list()
    flag = True
    for m in M:
        if m != 0 and m != 1:
            flag = False
            break
    if flag:
        print(i, M)
        M = ''.join(str(j) for j in M)
        # remove the last bit
        M = M[:-1]
        print(int(M, 2).to_bytes(16, "big"))
```
Misc
1.Eazy SignIn
Scan the QR code to sign in.
2.抽象帶師 (Abstract Master)
Challenge:
🏇🐔💥🚒🐻🍤😶🤔🕗🔩🍍🐾🛑👜🕗🤷🎥🌪🎧🍀🐾🤛🍉🤗🕒👱🏥🥊🎀🐾📀😹🤶🤯🛑🤳🐉
This is emoji encoding; the online emoji cipher site decodes it.
3. Can you see me?
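Opening the attachment shows a blank page; after selecting all, the hidden content appears.
Following the challenge's hint about binary, convert each short space to "0" and each long space to "1".
Convert the resulting 0s and 1s to a string to get the flag.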
4.Mikutap
The challenge provides an audio clip and names the source site, Mikutap. Then it is just a matter of listening.
5.PUZZLE
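A jigsaw puzzle challenge; see my UNCTF writeup blog post for details.
6.CTFer's Bizarre Adventure (CTFerの奇妙歷險)
A game challenge: clear the game to get the flag, or use a game trainer or similar tool.
7.Social Engineering
See the social engineering writeup.
8.抽象帶帶帶師 (Abstract Maaaster)
Challenge:
message:🛩🚫🏹🌉🔪🎈?👣🔬🌊😊😀🎅😎😎👉🕹🎃🚫🍌🐅🚫🏎🚪😎🎤🌿🍎👑😎?😍🔬🌪🚨🔬🏎🔪😂👑🌉🎈?🖐😍🎤🥋👌🚪🍌🌪😆🏎👉👉😇🔬💵🔄😀🐍🤣🖐?
If you want to decrypt what laffey said, you need two keys. However, the two keys are also encrypted.
key1:🛢😗🐶🏢💋🍅🧘🌯📟😆🏝🍄🏖🎼🍶🌆🤨🤹🤶🐺🙄👞🏳🕹🗄🤝🦉🌭🧠🤛🏐📦🐑🐉💳💅🐼📀🎢👊🧚🎭🔋🕐🍦🍴🙊🐙😊🏫🦈🐯
key2:👫👟👜🐗👢👜👰🐩🐗👠👪🐗👤👘👪👫👜👩
The message is encrypted with emoji aes; key1 is decoded the same way as Misc 2; key2 uses base100.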
9.Take Over–Heroes Never Die
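Topics: audio stream steganography, zip
Use mp3tag to extract the cover art and obtain key1: feng
Analyze the image in 010editor; a binary string is found at the end
Convert it to a string (binary to ASCII) to obtain key2: xiao
Use mp3stegz to extract the archive task.mp3.7z
Extracting that archive yields another archive, ziptask.7z, which is encrypted. The previous archive contains a hint, from which the password can be guessed: JUST
Extracting it gives an archive and a txt file
This archive is encrypted too, but notice that it also contains a readme.txt
The CRC32 value of the txt file in cracked is
The CRC32 value of the txt file in ziptask is
The two values match, which means this is a zip known-plaintext attack. Compress readme.txt with winrar (it must be winrar, otherwise an error is reported), then use the archpr tool to obtain the password: youfound
Extracting gives a file with no extension. Drag it into 010editor: it ends with PK, so add the PK header 50 4B 03 04 at the start
This gives an archive that still asks for a password when extracted. Drag it into 010editor again: the general purpose bit flag is 09 00; change it to 00 00 and extract to get the flag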
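The two header checks used in these steps, as an added example (not part of the original writeup): listing each entry's CRC32 without a password, and toggling the encryption bit of the general purpose flag. The archive is built in memory by `build_sample`, a constructed sample, and the last step clears only bit 0 rather than zeroing the whole field as done above.

```python
import io
import struct
import zipfile
import zlib

CONTENT = b"constructed sample content"   # constructed sample data

def build_sample():
    """Build a small unencrypted zip in memory."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", CONTENT)
    return raw.getvalue()

def list_entries(data):
    """(name, crc32, encrypted-bit) per entry; the central directory is
    readable without a password, which is what makes the CRC32 comparison possible."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, i.CRC, bool(i.flag_bits & 1)) for i in zf.infolist()]

def patch_flags(data, change):
    """Apply change(old_flags) to the general purpose bit flag of every entry,
    in both the central directory header and the local file header."""
    buf = bytearray(data)
    eocd = buf.rfind(b"PK\x05\x06")                      # end of central directory
    count, _size, pos = struct.unpack_from("<HII", buf, eocd + 10)
    for _ in range(count):
        if buf[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("central directory header expected")
        flags, = struct.unpack_from("<H", buf, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        local, = struct.unpack_from("<I", buf, pos + 42)
        struct.pack_into("<H", buf, pos + 8, change(flags))    # central header
        struct.pack_into("<H", buf, local + 6, change(flags))  # local header
        pos += 46 + name_len + extra_len + comment_len
    return bytes(buf)

if __name__ == "__main__":
    fake = patch_flags(build_sample(), lambda f: f | 0x0009)   # looks encrypted
    print(list_entries(fake))
    fixed = patch_flags(fake, lambda f: f & ~0x0001)           # clear the encryption bit
    print(zipfile.ZipFile(io.BytesIO(fixed)).read("readme.txt"))
```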
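Closing remarks
I hope every new student gained something from this competition and now has a clearer sense of direction. I also wish you all the best in going further and further on the CTF road and achieving something along the way!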