NewStarCTF-Week1-Sdegree

web

泄漏的秘密

robot.txt

www.zip

直接下载就行

Begin of HTTP

r.c.e

begin of php

前面4个比较简单，基本都是数组，最后一个我用了

这里两个脚本，他的作用就是无字母数字rce

<?php

$myfile = fopen("xor_rce.txt", "w"); $contents=""; for ($i=0; $i < 256; $i++) { for ($j=0; $j <256 ; $j++) {

if($i<16){ $hex_i='0'.dechex($i); } else{ $hex_i=dechex($i); } if($j<16){ $hex_j='0'.dechex($j); } else{ $hex_j=dechex($j); } $preg = '/[a-z0-9]/i'; //根据题目给的正则表达式修改即可 if(preg_match($preg , hex2bin($hex_i))||preg_match($preg , hex2bin($hex_j))){ echo ""; }

else{ $a='%'.$hex_i; $b='%'.$hex_j; $c=(urldecode($a)^urldecode($b)); if (ord($c)>=32&ord($c)<=126) { $contents=$contents.$c." ".$a." ".$b."\n"; } }

} } fwrite($myfile,$contents); fclose($myfile);

# -- coding: utf-8 --

# author yu22x

# import requests import urllib from sys import * import os def action(arg): s1="" s2="" for i in arg: f=open("xor_rce.txt","r") while True: t=f.readline() if t=="": break if t[0]==i: #print(i) s1+=t[2:5] s2+=t[6:9] break f.close() output="(""+s1+""^""+s2+"")" return(output)

while True: param=action(input("\n[+] your function:") )+action(input("[+] your command:"))+";" print(param)

Begin of Upload

直接禁用js，就可以上传了，然后蚁剑连接

ErrorFlask

传1会报错，答案就在源代码里

EasyLogin

先注册，然后注意到

将自己的0改成1

进入命令行界面

ctrl d退出

发现有admin账户，返回包有一个假的flag

有源代码得知，是md5加密

于是生成一个字典

import hashlib

md5_dict = {}

for i in range(1000000): # 使用字符串格式化确保生成的字符串是6位长度 input_string = "{:06}".format(i) md5_hash = hashlib.md5(input_string.encode()).hexdigest() md5_dict[input_string] = md5_hash

# 打印前几个MD5值以进行检查 for key, value in list(md5_dict.items())[:10]: print(f"{key}: {value}")

# 保存MD5字典到文件 with open("md5_dictionary.txt", "w") as file: for key, value in md5_dict.items(): file.write(f"{value}\n")

爆破就行

账号admin 密码000000

登录的返回包有一个302

就是flag

misc

CyberChef's Secret

base系列加密套娃

就不停的的一个一个试就行

第一个是base32

gprRdQCoa6VMNpWA1K1rjW7dWBgadzFcSrixdcX69YxLeKn8L

第二个是base58

ZmxhZ3tCYXNlXzE1X1MwX0Vhc3lfXl9efQ==

最后一个base64

flag{Base_15_S0_Easy^^}

空白格

https://vii5ard.github.io/whitespace/

粘贴进去就行

flag{w3_h4v3_to0_m4ny_wh1t3_sp4ce_2a5b4e04}

压缩包们

先加文件头50 4B 03 04

然后发现是损毁的压缩包

有一段密文提示密码是6位

010打开发现14 00 00 00

第三个部分不是单数

改为14 00 09 00

这样就好了

爆破即可

得到flag

flag{y0u_ar3_the_m4ter_of_z1111ppp_606a4adc}

隐秘的眼睛

机密图片

flag{W3lc0m3_t0_N3wSt4RCTF_2023_7cda3ece}

流量！鲨鱼！

crypto

babyxor

# coding:utf-8 import itertools

from Crypto.Util.number import * import string

hex_string = "e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2" c = bytes.fromhex(hex_string) # m = b'flag{' key = bytes_to_long(b'\x8f') s = b'' for i in c: s = s + long_to_bytes(key ^ i) print(s)

babyrsa

import gmpy2 from Crypto.Util.number import long_to_bytes

a = '2217990919<10> · 2338725373<10> · 2370292207<10> · 2463878387<10> · 2706073949<10> · 2794985117<10> · 2804303069<10> · 2923072267<10> · 2970591037<10> · 3207148519<10> · 3654864131<10> · 3831680819<10> · 3939901243<10> · 4093178561<10> · 4278428893' a = a.split('<10> · ') # print(a) n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261 phi = 1 e = 65537 for i in a: phi = phi * (int(i)-1) d = gmpy2.invert(e,phi) c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595 m = gmpy2.powmod(c,d,n) print(long_to_bytes(m))

Caesar's Secert

凯撒密码

Fence

Vigenère

brainfuck

https://www.w3cschool.cn/tryrun/runcode?lang=brainfuck

这个网站

babyencoding

flag{dazzling_encoding#4e0ad4

f0ca08d1e1d0f10c0c7afe422fea7

c55192c992036ef623372601ff3a}

flag{dazzling_encoding#4e0ad4f0ca08d1e1d0f10c0c7afe422fea7c55192c992036ef623372601ff3a}

Affine

ciphertext_hex = "dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064" ciphertext = bytes.fromhex(ciphertext_hex) modulus = 256

def decrypt(ciphertext, key): a_inv, b = key plaintext = [] for c in ciphertext: p = (a_inv * (c - b)) % modulus plaintext.append(p) return bytes(plaintext)

def mod_inv(a, m): g, x, _ = egcd(a, m) if g != 1: raise Exception('Modular inverse does not exist') else: return x % m

def egcd(a, b): if a == 0: return (b, 0, 1) else: g, x, y = egcd(b % a, a) return (g, y - (b // a) * x, x)

found = False for a_inv in range(modulus): if found: break for b in range(modulus): try: decrypted_text = decrypt(ciphertext, (a_inv, b)).decode(errors="ignore") if "flag" in decrypted_text.lower(): found = True print(f"Key found: a_inv = {a_inv}, b = {b}") print(f"Decrypted Text: {decrypted_text}") break except Exception as e: continue

if not found: print("无法找到合适的密钥")

babyaes

from Crypto.Cipher import AES from Crypto.Util.number import *

a = 3657491768215750635844958060963805125333761387746954618540958489914964573229 enc_flag = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i' a = a ^ 1 #_a = b'\x08 \x16 \x11 % \xa0 \xa6 \xc5 \xcb ^ \x02 \x99 N F \xea , \xeb L \x08 b \xc1 \x98 \xc2 \x07 \x8f \xa3 \xc1 O % q \xfc , ' key = b'\x08\x16\x11%\xa0\xa6\xc5\xcb^\x02\x99NF\xea,' key = bytes_to_long(key) iv = key ^ a key = b'\x08\x16\x11%\xa0\xa6\xc5\xcb^\x02\x99NF\xea,\x08\x16\x11%\xa0\xa6\xc5\xcb^\x02\x99NF\xea,' iv = b'\xe3Z\x19Ga>\x07\xcc\xd1\xa1X\x01c\x11\x16\x00' aes = AES.new(key, AES.MODE_CBC, iv) # 解密enc_flag dec_flag = aes.decrypt(enc_flag) print(dec_flag)

flag{firsT_cry_Aes}

Small d

import gmpy2 import libnum

def continuedFra(x, y): cf = [] while y: cf.append(x // y) x, y = y, x % y return cf def gradualFra(cf): numerator = 0 denominator = 1 for x in cf[::-1]: numerator, denominator = denominator, x denominator + numerator return numerator, denominator def solve_pq(a, b, c): par = gmpy2.isqrt(b b - 4 a c) return (-b + par) // (2 a), (-b - par) // (2 a) def getGradualFra(cf): gf = [] for i in range(1, len(cf) + 1): gf.append(gradualFra(cf[:i])) return gf

def wienerAttack(e, n): cf = continuedFra(e, n) gf = getGradualFra(cf) for d, k in gf: if k == 0: continue if (e d - 1) % k != 0: continue phi = (e d - 1) // k p, q = solve_pq(1, n - phi + 1, n) if p * q == n: return d

n= 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433 e= 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825 c= 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248 d=wienerAttack(e, n) m=pow(c, d, n) print(libnum.n2s(m).decode())