一百多名，我觉得还行欸，多亏了队里的crypto手

八卦迷宫

签到题，走迷宫，换成字就可以了

朴实无华的取证

老规矩先看pslist

进程里面有文本查看器，360压缩和图片查看器

cmd运行过的程序也可以印证，发现有flag.zip和flag.png

λ volatility_2.6_win64_standalone.exe -f D:\download\xp_sp3\xp_sp3.raw --profile=WinXPSP2x86 cmdline

filescan取出flag.zip和flag.png

λ volatility_2.6_win64_standalone.exe -f D:\download\xp_sp3\xp_sp3.raw --profile=WinXPSP2x86 dumpfiles -Q 0x00000000017ad6a8 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x017ad6a8   None   \Device\HarddiskVolume1\Documents and Settings\Administrator\妗岄潰\flag.zip
SharedCacheMap 0x017ad6a8   None   \Device\HarddiskVolume1\Documents and Settings\Administrator\妗岄潰\flag.zipλ volatility_2.6_win64_standalone.exe -f D:\download\xp_sp3\xp_sp3.raw --profile=WinXPSP2x86 dumpfiles -Q 0x0000000001e65028 -D ./ -n
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x01e65028   None   \Device\HarddiskVolume1\Documents and Settings\Administrator\妗岄潰\flag.png

flag.zip导出有损坏，可以winrar用自带的修复

密码是在记事本里面20211209

encrypt.txt的内容

//幼儿园水平的加密（部分）
void Encrypt(string& str)
{for(int i = 0; i < str.length(); i++){if(str[i] >='a'&& str[i]<='w')str[i]+=3;else if(str[i]=='x')str[i]='a';else if(str[i]=='y')str[i]='b';else if(str[i]=='z')str[i]='c';   else if(str[i]=='_')str[i]='|';str[i] -= 32;}
}

flag.png内容

FDCB[8LDQ?ZLOO?FHUHDLQOB?VXFFHHG?LQ?ILJKWLQJ?WKH?HSLGHPLF]

解密脚本

e = "FDCB[8LDQ?ZLOO?FHUHDLQOB?VXFFHHG?LQ?ILJKWLQJ?WKH?HSLGHPLF]"
d = ""
for i in e:i = chr(ord(i)+32)if 'd'<=i<='z':i = chr(ord(i)-3)elif i=='a':i='x'elif i=='b':i='y'elif i=='c':i='z'elif i=='|':i=='_'d += i
print(d)

cazy{Xian_will_certainly_succeed_in_fighting_the_epidemic}

西安加油

发现http流里面有secret.txt

导出

base64解密（https://the-x.cn/base64），发现是压缩包

里面是一堆图片，看起来是要拼图

montage和gap安装使用时参考的博客
https://blog.csdn.net/m0_47643893/article/details/113778577
https://www.cnblogs.com/bhxdn/p/14094717.html
https://github.com/nemanja-m/gaps

先把图片合成一张

sudo apt-get install montage
montage *.png -tile 8x6 -geometry +0+0 flag.png

然后用gaps拼图

gaps --image=../flag.png --size=100 --save

cazy{make_XiAN_great_Again}

当时只出了三条……

ez_Encrypt

导出http流可以发现最后有个web123

再向上看，分析蚁 剑 命令执行的流量

cd "/var/www/html/public";base64 www.zip > web123;echo [S];pwd;echo [E]

是吧www.zip的备份base编码成web123了

转成zip

然后比赛时候我就卡住了，其实联系题目里的Encrypt，可以猜想是用了什么加密函数。
D盾扫描一下就找到了

# \app\controller\index.php
<?php define('IKlSux1227',__FILE__);$DusPFr=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdqZHF0d3lpT2VBY1VaTHBDdUhuYm1ndkZzZlNhUFlsTUpCTmpSVmtLeFFEVFdJcnpFb1hHaA==");$arCiCL=$DusPFr[3].$DusPFr[6].$DusPFr[33].$DusPFr[30];$VvUrBZ=$DusPFr[33].$DusPFr[10].$DusPFr[24].$DusPFr[10].$DusPFr[24];$DEomKk=$VvUrBZ[0].$DusPFr[18].$DusPFr[3].$VvUrBZ[0].$VvUrBZ[1].$DusPFr[24];$LnpnvY=$DusPFr[7].$DusPFr[13];$arCiCL.=$DusPFr[22].$DusPFr[36].$DusPFr[29].$DusPFr[26].$DusPFr[30].$DusPFr[32].$DusPFr[35].$DusPFr[26].$DusPFr[30];eval($arCiCL("JFZDQlpRVz0iZ29NVFFoZXFpYVVPdWJtWWZSSlNya1dObmRFc1BaR2pBS3BDVnRCSUh3REZ4Y3pYTGx2eVlUY2lVdVBuZ3BzeXFib09saGpGSVpOU3d6bU1IR3ZEeHRrWFZhV2ZkQUpFclJLTENCUWVISjlBcGR4WUd2Vm9wTjVCdFh6WmhCdXVwWmZyY0RmM2plcmpGMnJpekxZcmNEZjN0aU1aR21qbmkwOWpITmp1UjJzMlNFOVpHTlNRR3ZzVGZvam5oREdHcGlCME5WaE5PMmhxc0x6dVZtWjBpRXVYU3ZoT2hEVkNwQmtLTzIxMHAxazZidkdwVjJ1bk9LU1p6WjVKenYxU1BvaHJPMXo0ekV6cWlEVkdjMUdVVnYxQXMxU3ZVWjVzRkVrVFZaVk1iVkVMR0VqRGJCZktWMHVBek5tQXpkekZoVmtrc05ycGIxek9wRWhwVktCdlZEV1podkVMc0JHaUdLMDlmZ1o3am1rM2JadTFWSzBaR21qbmkwOWpOS1N6Q2doWlVva0hpMEJiU0IwcWp2aFhwWjlIRlZNS2MxMHFqdmhYcFo5SEZWTUtjRTA3amRHaGl2emRGSzBaR21qbmkwOWpOS2NLTEY0Wkdtam5pMDlqTkttQUxGNFpHbWpuaTA5ak5LZjBMRjRaR21qbmkwOWpOS21BTEY0Wkdtam5pMDlqTktmMExpTVpOTkdNendHc0hGaDJzc3J3aDBhYmNFMHFqdmhYcFo5SEZWTXJ5RTBxanZoWHBaOUhGVk1LTEY0WnpCRWNHMHpDTktXekNnaDJzc3J3aDBhYmNWMHFqdmhYcFo5SEZWTWVTRTA3anYxRVVWRXZPSzBaR21qbmkwOWpOS3p6Q2doWlVva0hpMEJiY2lTenllaHR6MjVmelZScUhGaFpVb2tIaTBCYmNEanpDZ2haVW9rSGkwQmJjS0d6Q2doWlVva0hpMEJiY0RCekNnaFpVb2tIaTBCYmNER3pDZ2haVW9rSGkwQmJjS1d6Q2doWlVva0hpMEJiY0tqekNnaFpVb2tIaTBCYmNLVnpDZ2haVW9rSGkwQmJjREd6Q2doWlVva0hpMEJiY0tXenkyVjJPTkFUam1rM2JadTFWZVlnRlpWcGlWVHJSZGtOcERXa1ZFVjBSQlRlU0xoc2hOck1zTnJwcEJqT05vQlpoTmhFR05hVE9WR05HbWpaVjFUS1YwenZTVmphUEVWREZtNTVOWnpBaHZmZXBFalZjb3JpczJyTVNFVUtoWjlWaFZqSlZ2NU16VlRBekVXZ2hOdUZPS2pwczFaS05CekJidmhTVlpWeXBWQk5SSldwVk5yTk9EV05oMVZkYkVoZ1ZOVUtWRXVYUHZWZHNCQlpWb3JlczIxQVBORUVoWmpCcG9yTVZCVjRwdlZWaEJ1eWhKV2tpS2pOY0JCTHoyOXRQRFlJRndaMHAxU3FHZFZpRkVHT0YwU0ZjQlZWUHY1RmNkU1FGWkdNYk5qZk5Eak5VMnpJc29hNGJCenFpQnpjVTFqMHNCVnZzQmphaUxFU3BOYUtGWkdNYk5qZk5Eak5VMnpJc29hNGJCenFpQnpjVTFqMHNCVnZzQmphaUxTdGhLRXZzVkd2aDFCNXAzU3Rob3JhT1p1cGNCR0pHMmFGcDN1cVYyNXlWMHJtVUxTdGhLRXZzVkd2aDFCNXAzV0NzMk0zZmdaa3lLOCtISjlBcGR4WUd2Vm9wTjVCdFh6ZEdOU3RiczRyY0RmM2plcmpGMnJpekxZcmNEZjN0aU1aaEJrUVBtajBITmp1UjJzMlNFOVpHTlNRR3ZzVGZvam5oREdHcGlCME5WaE5PMmhxc0x6dVZtWjBpRXVYU3ZoT2hEVkNwQmtLTzIxMHAxazZidkdwVjJ1bk9LU1p6WjVKenYxU1BvaHJHc1ZaVnZtZVNMekRiRVQyT0tFRk52aGFWWmhWYm1HME9OMVROTkVPYkVFWmNOclVzS1dGekJFSWJtYU5WMEduc1ZzMXBWalZwZFNwRm1HdXNvNUZjVmhkTm81c3NpMDlmZ1o3anYxcVYydWlGSjBaaEJrUVBtajBOS1N6Q2dodk5vOTRVd2hiU0IwcWptR3BiM3VYekVNS2MxMHFqbUdwYjN1WHpFTUtjRTA3akVHR1YyUzRHSjBaaEJrUVBtajBOS2NLTEY0WmhCa1FQbWowTkttQUxGNFpoQmtRUG1qME5LZjBMRjRaaEJrUVBtajBOS21BTEY0WmhCa1FQbWowTktmMExpTVpPTkdWekJ6c0hGaE5OVnpEUHZoYmNFMHFqbUdwYjN1WHpFTXJ5RTBxam1HcGIzdVh6RU1LTEY0WlZCQkxPM3VaTktXekNnaE5OVnpEUHZoYmNWMHFqbUdwYjN1WHpFTWVTRTA3anZCWnoyclNzSzBaaEJrUVBtajBOS3p6Q2dodk5vOTRVd2hiY2lTenllaGFiQnpUczBZcUhGaHZObzk0VXdoYmNEanpDZ2h2Tm85NFV3aGJjS0d6Q2dodk5vOTRVd2hiY0RCekNnaHZObzk0VXdoYmNER3pDZ2h2Tm85NFV3aGJjS1d6Q2dodk5vOTRVd2hiY0tqekNnaHZObzk0VXdoYmNLVnpDZ2h2Tm85NFV3aGJjREd6Q2dodk5vOTRVd2hiY0tXenkyVjJPTkFUanYxcVYydWlGWFlnRlp6cHMxVnFzRGhHUERXa1ZOYTRpMmhJY2loQmJOdW5zWlZwc3ZoRUZCekZjc0d1czF1WnpWa2RjTEJnaEJqTnNpVzBob0VMR3YxQlZvcnJWaVN5UEVFTlVaYVpObWprczB6TnBFenZHZGpnYzFmMXMxek1SQlpyaW81R1ZzRzRPREVGT1ZWRUd2ckZWTGhKVm1zcnMyU2RTVmpOY0JrS3NaR01oRWhJTndrWmNEbTJWMEdwY0JTZFJ2Qk5ORU8wczI1dHN2RWRzRGpoVnZySnMyNU5WMmp2VkJTRFZCanZPMmFNVTJjQXlza2dwM2hmTzFWdHB2U0xpRFNOVm1acmlzenZzMDlPUkVHRmNzamRPRFd0cDJqRWNMQmlWS1Zjc0RTdlUxQk9ob2twYlo1NXMxUjFibTFuYmRFc05FR2pPVkdORkVaZVNOdVpjM1dLTm9ydEZvVnFpd0JpVlo1Y3NaUjFSVmpWR0VFeWhMaGZWc2hGaUJmclV3RUZORUdlc2lqTnMyU05pWkdOY3ZyQVZCVjRjRWpNVkxCR2MzV3ZPMmEwUjJWRUZvYWhjZGhhVm9heXB2aE5VQmtOVk5oMUdKVzBGRWpzaEJHVnAyYTNzMk00U05FSXptdWdiTFd2c0RFV2N2amRObzlnaExoYVZvYXlpdmhPUmRTaWNCa0xzaVcwYlZHSWlacnBiZFdrc0JHTWhFVEFWQldTVnNreUdFelRwMVNmaGlWWk5FamhHbUdORnMwclJkV0dWMWt5VkV6NHp2am5HdjFMVkJrbXNLanBWMW1BenYxTnAwNWNOb3JwaEVjS1ZCRXVic1Y1VnNWcEYxVUtoREdpYlpra09vMTRGRVNkR3Z1U2J2UzVzMXVFU05FRVZCV2lWMnJ2c0RFWnAxU2ZoaVZaTkVqaEdtR05GczByUmRXR1Yxa3lWRXo0enZFbUd2MUxWQmttc0tqcFYxbUF6djFOcDA1SE5CekZoRWNlTkJ6aGNkaGFWb2F5aXZoVnBkVnNORUdoc29yTk5CR01iRUVTYm1mMk8za2pTVkdFemR1WmgycmNzWlZNT1ZVZVNOcnBjZGg0TkRqdEZzMXFod0VpY0VqdE9WR05zRU9BaUJqU3BCanFzS1NaU29qRXp2MU5wMDVjR0VoWFIxa01iRXpoY2RoYVYyYXRpQlVBcEpHaXBLQmVzaVdOaVZWZFJka1NjMWprVkJoamNFbWVWQmhaaEVUMFZEajBVMUdOaFprWmJFR3BzaWp0YlZ6Tk5aaGljQmt1aURqcE5CR0lpWnJwYkVrbXNLanBWMW1laEJTVmhtanlPMmFUUlZjZU5aNVpjMDU1Tk5rTlNtMU5SbXJOYzBzMVYwVkFzb2h2c3dqVmh2dW5OVmhFU1ZzZXptak5wMGtlc1ZHQWkyRTZGd3VWTnZ1NU9va05TdlNhU0pFQkZtazFpQnVUUE5qbmJtQlZjM1dLc0tqcFYxbUF6SkVTaDN1SE5Cemh5c0JuenZyWmJzR0tGMFNEQzFXa08zVnRoS0UxVkRqVFZFU0pHMmFOYnZyT05pU1RwMGFKc291cGJFT2VWREVoYjBrZE5CU1ZiQmYwTkxCM3AyRUxzRFNnaGlFc0Yya2pSbXJKc291cGJFT2VWREVoYjBrZE5CU1ZiQmYwTkxCM3AyRUxzRFNnaGlFc2ltU0ZSRWtmR2RTc1ZaMUFpbVNGcEVrTVZEak5jVkVRRlp6cHMxVnFzRGhHUEx6M2ltU0ZSRWtmR2RTc1ZaMUFGMVNJUm05M0hpMGd0Rlo3SEs0PSI7ZXZhbCgnPz4nLiRhckNpQ0woJFZ2VXJCWigkREVvbUtrKCRWQ0JaUVcsJExucG52WSoyKSwkREVvbUtrKCRWQ0JaUVcsJExucG52WSwkTG5wbnZZKSwkREVvbUtrKCRWQ0JaUVcsMCwkTG5wbnZZKSkpKTs="));?>

https://www.zhaoyuanma.com/phpjm.html这个网站可以在线解密

得到flag 'cazy{PHP_ji4m1_1s_s00000_3aSyyyyyyyyyyy}'

2021长安“战疫”网络安全卫士守护赛 misc部分writeup相关推荐

1. 长安“战疫”网络安全卫士守护赛部分wp

   摘要:长安"战疫"网络安全卫士守护赛部分wp            然后就是朴实无华的取证那个题 不知道是大小写的原因还是啥交不上,无字天书卡到最后那个长得好像摩斯密码的地方,收获 ...

2. 长安“战疫”网络安全卫士守护赛writeup

   长安"战疫"网络安全卫士守护赛writeup misc 八卦迷宫 得到flag cazy{zhanchangyangchangzhanyanghechangshanshananzh ...

3. 长安“战疫”网络安全卫士守护赛_crypto_复现

   长安"战疫"网络安全卫士守护赛_Crypto math 涉及的知识点:RSA加密未知模数,已知p对q的逆元以及q对p的逆元求RSA的模数N 题目描述 题目没有描述,只有已知量c,e ...

4. 2022 长安“战疫”网络安全卫士守护赛 WriteUp

   麻薯星的zyz想要生猴子!!!麻薯星的zyz想要生猴子!!!麻薯星的zyz想要生猴子!!! 队友第一轮做了俩Web之后就摆烂了 寄 总体来说长安战疫基本大部分题都偏向入门,适合大一新生练练手 少部分多 ...

5. 长安“战疫”网络安全卫士守护赛部分writeup

   解题过程 题目一 八卦迷宫 用画图工具手工连接,然后将路上的图表和字相对应 按顺序打出,然后根据题目要求换成全拼,加上图片里的前缀cazy{}提交 flag为: cazy{zhanchangyangc ...

6. 长安“战疫”网络安全卫士守护赛crypto

   cry1 题目如下,就是一个脚本: from Crypto.Util.number import* from secret import flag,keyassert len(key) <= 5 ...

7. 长安“战疫”网络安全卫士守护赛 WriteUp

   1.RCE_No_Para 参考一篇比较详细的bloghttps://skysec.top/2019/03/29/PHP-Parametric-Function-RCE/#%E6%B3%951%EF% ...

8. 2021---长安“战疫”网络安全卫士守护赛 Writeup

   文章目录 Misc 八gua迷宫 无字天书 西安加油 steg binary Crypto no_cry_no_bb no_cry_no_can no_math_no_cry Reverse comb ...

9. 长安战疫网络安全卫士守护赛 Shiro?

   赛题:Shiro? 需要准备的环境: 反弹shell需要准备VPS.JNDI-Injection-Exploit工具启动rmi和ldap服务 JNDI-Injection-Exploit 需要jdk. ...

最新文章

1. 409 Longest Palindrome
2. HDU 5527：Too Rich（DFS+贪心）***
3. 【机器学习基础】xgboost系列丨xgboost建树过程分析及代码实现
4. Windows Azure 安全最佳实践 - 第 1 部分：深度解析挑战防御对策
5. Spring Boot 整合 Redis 实现缓存操作
6. 大归因+小归因，先崛网络帮你还原SEM的真实价值
7. 面向对象思想封装狙击手狙击敌人
8. 缓存（Cache）管理 ---- 系列文章
9. MySQL中实现连续日期内数据统计,缺省天数0补全
10. Emmet 快速编写html代码
11. tcping下载安装步骤，如何ping端口，tcping详解
12. Git环境傻瓜式讲解
13. 金山WPS暑期前端实习一面凉经
14. 2021年终总结——工作第四年
15. 强化学习实践四：编写通用的格子世界环境类
16. react 实现渐变色背景样式
17. python多线程请求接口_python多线程实现http请求
18. 阿里巴巴内推一面过程
19. 专利在线申请之入门到精通再到放弃
20. ngx.print与ngx.say

热门文章

1. 查看当前设备是否启用SR-IOV
2. 每个人都值得学的一项技能
3. Error while executing topic command : replication factor: 3 larger than available brokers: 0
4. 面试最常考、最常用的10大机器学习算法
5. 学习FPGA之一：初识FPGA
6. wifi室内定位讲解——K邻近法
7. RocketMQ 介绍
8. 解读论文EPSILON: An Efficient Planning System for Automated Vehicles in Highly Interactive Environments
9. Spring入门——SpringBoot（春季靴？？？）
10. 你知道什么是自带PLC的网关吗？