ctfshow渔人杯2021 部分WP

图片较多,手机加载较慢
python写的及其拉胯,所以请见谅(是真的拉胯)
解题用的方法都是笨方法,大家知道怎么做了之后可以找简单的方法
已解题:签到抽奖、神仙姐姐、飘啊飘、感受下气氛、我跟你拼了、套神应援团.png、贪吃蛇的秘密、简单二维码、misc41、亚当和夏娃
加上自己的两道题:你以为是easyRSA吗,其实是我套娃之神哒 、我想要获得旗帜
后面补充的题(在很后面)阿拉丁、迷、LunaticRE

ctfshow渔人杯2021 部分WP
1.签到抽奖
ctfshow渔人杯2021 部分WP
得到flag

中文也可能是英文及其他小众语言字符

2.神仙姐姐
ctfshow渔人杯2021 部分WP

当然我不会写脚本,我是不会这样做的。。

ctfshow渔人杯2021 部分WP
首先打开burp,点击一下“拜”
ctfshow渔人杯2021 部分WP
发现会向sx.php发送一个GET请求,访问
ctfshow渔人杯2021 部分WP
可以看到,返回了fake flag,num即我们拜的次数
群里说只需要拜1-1000次随机会有一次出现flag,所以我用burp发包
ctfshow渔人杯2021 部分WP
使用数值,1-1000
ctfshow渔人杯2021 部分WP
因为响应都是fake,所以使用↓箭头,一直翻,直到那个real flag一闪而过

ctfshow渔人杯2021 部分WP

3.飘啊飘
有手X就行
虽然当时没看题目描述,当时是接近9点,在上课,所以想用手机看看,结果打开之后(写WP复现,所以时间为下午6点)ctfshow渔人杯2021 部分WP
显示重定向错误,换了5个浏览器,都是重定向错误,其中via显示重定向的地址
ctfshow渔人杯2021 部分WP
所以我用qq浏览器换成电脑的UA访问
ctfshow渔人杯2021 部分WP

4.感受下气氛
flag是ctfshow{[0-9]{9}}
所以随便填就好了,只要满足正则

ctfshow{012345678}

5.我跟你拼了
把ttt下载下来,乱操作一通,最后习惯性改了高度(不会吧不会吧不会真的有人去拼吧
ctfshow渔人杯2021 部分WP

ctfshow{hello_67373}

6.套神应援团.png
先天八卦操的改版,先看看附件。。。。
说多了都是泪。。。直接讲思路
因为开头非常像brainfuck,并且的确一眼就能看出是先天八卦操的改版,所以找到对应关系即可。可以有多种解法,我是读的某个特定的RGB

from PIL import Image  img = Image.open("套神应援团.png") w, h = img.size for y in range(0,h,250):     for x in range(0,w,230):         s = img.getpixel((30+x,30+y))         print(s) 

然后去brainfuck解码的网站生成一个ctfshow{}
然后找到对应关系
(247, 230, 237)="+"
(154, 12, 8)="["
(250, 217, 244)="-"
(245, 246, 250)=">"
(244, 246, 250)="<"
(157, 8, 14)="]"
(220, 200, 199)="."
然后写解密脚本

from PIL import Image flag = '' img = Image.open("套神应援团.png") w, h = img.size for y in range(0, h, 250):     for x in range(0, w, 230):         test = img.getpixel((x + 30, y + 30))         if(test==(247, 230, 237)):             flag += "+"         if(test==(154, 12, 8)):             flag += "["         if(test==(250, 217, 244)):             flag += "-"         if(test==(245, 246, 250)):             flag += ">"         if(test==(244, 246, 250)):             flag += "<"         if(test==(157, 8, 14)):             flag += "]"         if(test==(220, 200, 199)):             flag += "." print(flag) 

ctfshow渔人杯2021 部分WP
ctfshow渔人杯2021 部分WP
解码即可https://www.splitbrain.org/services/ook

7.贪吃蛇的秘密
python编译的exe文件,直接反编译,参考如下
软件地址https://github.com/countercept/python-exe-unpacker/

第一步:python pyinstxtravtor.py xxxxx.exe
第二步:得到一个文件夹
其中有一个struct 跟 xxxxx(都没有后缀名)
十六进制查看struct,xxxxx。
会发现xxxxx比struct少了一行
这时将struct的那一行复制给xxxxx,然后xxxxx保存后添加后缀
xxxxx.pyc
第三步:使用uncompyle6(我是kali)
uncompyle6 xxxxx.pyc > xxxxx.py

根据提示POS,查看POS

allpos = [              (100, 540), (200, 200), (500, 160), (360, 400), (280, 300), (500, 300), (360, 160), (420, 360), (160, 320), (420, 300), (320, 200), (540, 440), (360, 120), (100, 220), (380, 100), (440, 140), (40, 440), (100, 300), (480, 140), (420, 480), (460, 520), (280, 380), (600, 260), (440, 320), (480, 400), (40, 540), (440, 300), (440, 80), (400, 40), (300, 580), (540, 400), (180, 320), (80, 340), (40, 520), (340, 140), (160, 540), (260, 300), (480, 380), (280, 60), (40, 480), (340, 40), (260, 220), (440, 500), (380, 40), (80, 360), (340, 280), (480, 80), (200, 340), (240, 300), (600, 120), (120, 40), (520, 80), (480, 520), (100, 100), (320, 560), (100, 80), (260, 580), (40, 400), (540, 560), (440, 380), (220, 600), (40, 420), (260, 420), (560, 160), (140, 600), (80, 240), (580, 460), (40, 60), (360, 560), (80, 40), (600, 200), (140, 440), (520, 440), (440, 480), (280, 160), (100, 420), (520, 220), (80, 160), (600, 140), (120, 220), (500, 320), (400, 560), (440, 100), (140, 480), (240, 220), (220, 200), (120, 520), (340, 200), (180, 240), (40, 240), (500, 540), (60, 480), (40, 580), (100, 120), (440, 440), (460, 300), (480, 560), (540, 300), (320, 300), (240, 380), (480, 300), (140, 280), (180, 300), (540, 480), (600, 160), (460, 220), (240, 180), (120, 400), (200, 220), (380, 240), (380, 560), (540, 160), (320, 380), (160, 200), (80, 380), (200, 520), (440, 580), (360, 260), (40, 160), (480, 160), (440, 520), (580, 420), (280, 260), (540, 120), (80, 260), (400, 300), (600, 220), (160, 120), (240, 100), (240, 40), (580, 560), (200, 560), (100, 340), (40, 360), (120, 120), (80, 100), (260, 520), (200, 180), (480, 260), (420, 80), (600, 100), (160, 600), (560, 300), (220, 100), (500, 220), (360, 420), (580, 580), (540, 100), (600, 40), (260, 320), (200, 160), (440, 120), (480, 120), (260, 280), (220, 560), (520, 300), (560, 100), (140, 400), (40, 380), (300, 420), (420, 600), (40, 100), (420, 540), (440, 240), (280, 520), (40, 560), (260, 480), (520, 260), (200, 60), (480, 420), (80, 440), (360, 440), (340, 80), (580, 200), (520, 40), (320, 260), (160, 240), (600, 300), (40, 280), (360, 600), (360, 320), (200, 360), (80, 200), (600, 460), (280, 200), (560, 80), (340, 580), (200, 540), (220, 340), (200, 140), (120, 360), (140, 160), (300, 460), (220, 280), (520, 460), (40, 340), (220, 300), (100, 480), (340, 260), (400, 460), (540, 500), (320, 240), (340, 360), (340, 600), (520, 600), (100, 400), (80, 600), (280, 460), (160, 280), (320, 340), (280, 220), (320, 440), (120, 340), (320, 280), (300, 180), (440, 360), (160, 400), (300, 400), (160, 100), (260, 540), (240, 360), (320, 420), (360, 520), (300, 380), (500, 200), (100, 560), (520, 100), (120, 320), (120, 240), (100, 40), (340, 340), (440, 260), (160, 480), (80, 120), (380, 440), (560, 120), (360, 360), (120, 200), (360, 500), (140, 40), (340, 520), (200, 80), (300, 500), (400, 420), (120, 560), (580, 380), (520, 500), (520, 560), (560, 380), (200, 300), (220, 60), (260, 200), (520, 380), (60, 340), (100, 280), (580, 260), (180, 380), (380, 60), (540, 600), (540, 40), (340, 480), (460, 380), (600, 80), (260, 600), (500, 580), (440, 180), (200, 460), (540, 80), (300, 60), (340, 100), (460, 240), (540, 380), (400, 340), (340, 240), (360, 40), (220, 420), (580, 220), (40, 600), (560, 200), (120, 600), (100, 520), (400, 200), (580, 160), (100, 600), (500, 520), (460, 420), (80, 520), (380, 500), (80, 480), (60, 220), (500, 380), (200, 260), (500, 280), (100, 360), (600, 380), (300, 540), (240, 520), (40, 140), (420, 280), (320, 160), (40, 120), (440, 160), (160, 60), (540, 340), (360, 180), (520, 420), (260, 240), (520, 120), (100, 160), (120, 540), (560, 40), (520, 520), (540, 220), (380, 580), (140, 260), (580, 360), (420, 100), (340, 440), (440, 460), (600, 420), (240, 160), (260, 440), (80, 540), (60, 160), (520, 480), (500, 600), (500, 240), (400, 120), (400, 160), (440, 40), (160, 440), (160, 500), (320, 60), (240, 260), (320, 600), (80, 560), (340, 460), (360, 540), (160, 160), (500, 440), (360, 80), (380, 220), (540, 280), (380, 320), (520, 160), (160, 80), (340, 220), (240, 240), (160, 40), (480, 220), (60, 600), (160, 140), (220, 480), (320, 480), (120, 100), (80, 300), (40, 80), (320, 400), (200, 40), (480, 340), (340, 500), (480, 480), (420, 500), (420, 380), (480, 200), (120, 480), (160, 560), (480, 320), (320, 120), (240, 140), (280, 180), (280, 320), (400, 240), (120, 440), (460, 440), (560, 360), (400, 360), (320, 220), (300, 300), (160, 580), (40, 300), (420, 340), (280, 120), (40, 500), (400, 140), (460, 560), (320, 580), (220, 120), (160, 520), (480, 440), (420, 60), (300, 320), (120, 160), (340, 60), (80, 80), (120, 80), (40, 40), (540, 260), (120, 260), (100, 200), (460, 200), (320, 500), (380, 420), (200, 380), (300, 600), (320, 80), (580, 40), (160, 360), (260, 460), (540, 580), (260, 120), (560, 520), (500, 40), (540, 420), (600, 60), (220, 460), (480, 100), (180, 360), (460, 600), (400, 600), (300, 140), (500, 560), (480, 40), (220, 80), (60, 40), (440, 400), (480, 60), (440, 420), (560, 400)]             

因为给了坐标点,所以很容易想到QR,就去尝试了一下,但是因为我不会读行…所以只好写了个很憨的脚本

from PIL import Image s=[100,200,500,360,280,500,360,420,160,420,320,540,360,100,380,440,40,100,480,420,460,280,600,440,480,40,440,440,400,300,540,180,80,40,340,160,260,480,280,40,340,260,440,380,80,340,480,200,240,600,120,520,480,100,320,100,260,40,540,440,220,40,260,560,140,80,580,40,360,80,600,140,520,440,280,100,520,80,600,120,500,400,440,140,240,220,120,340,180,40,500,60,40,100,440,460,480,540,320,240,480,140,180,540,600,460,240,120,200,380,380,540,320,160,80,200,440,360,40,480,440,580,280,540,80,400,600,160,240,240,580,200,100,40,120,80,260,200,480,420,600,160,560,220,500,360,580,540,600,260,200,440,480,260,220,520,560,140,40,300,420,40,420,440,280,40,260,520,200,480,80,360,340,580,520,320,160,600,40,360,360,200,80,600,280,560,340,200,220,200,120,140,300,220,520,40,220,100,340,400,540,320,340,340,520,100,80,280,160,320,280,320,120,320,300,440,160,300,160,260,240,320,360,300,500,100,520,120,120,100,340,440,160,80,380,560,360,120,360,140,340,200,300,400,120,580,520,520,560,200,220,260,520,60,100,580,180,380,540,540,340,460,600,260,500,440,200,540,300,340,460,540,400,340,360,220,580,40,560,120,100,400,580,100,500,460,80,380,80,60,500,200,500,100,600,300,240,40,420,320,40,440,160,540,360,520,260,520,100,120,560,520,540,380,140,580,420,340,440,600,240,260,80,60,520,500,500,400,400,440,160,160,320,240,320,80,340,360,160,500,360,380,540,380,520,160,340,240,160,480,60,160,220,320,120,80,40,320,200,480,340,480,420,420,480,120,160,480,320,240,280,280,400,120,460,560,400,320,300,160,40,420,280,40,400,460,320,220,160,480,420,300,120,340,80,120,40,540,120,100,460,320,380,200,300,320,580,160,260,540,260,560,500,540,600,220,480,180,460,400,300,500,480,220,60,440,480,440,560] t=[540,200,160,400,300,300,160,360,320,300,200,440,120,220,100,140,440,300,140,480,520,380,260,320,400,540,300,80,40,580,400,320,340,520,140,540,300,380,60,480,40,220,500,40,360,280,80,340,300,120,40,80,520,100,560,80,580,400,560,380,600,420,420,160,600,240,460,60,560,40,200,440,440,480,160,420,220,160,140,220,320,560,100,480,220,200,520,200,240,240,540,480,580,120,440,300,560,300,300,380,300,280,300,480,160,220,180,400,220,240,560,160,380,200,380,520,580,260,160,160,520,420,260,120,260,300,220,120,100,40,560,560,340,360,120,100,520,180,260,80,100,600,300,100,220,420,580,100,40,320,160,120,120,280,560,300,100,400,380,420,600,100,540,240,520,560,480,260,60,420,440,440,80,200,40,260,240,300,280,600,320,360,200,460,200,80,580,540,340,140,360,160,460,280,460,340,300,480,260,460,500,240,360,600,600,400,600,460,280,340,220,440,340,280,180,360,400,400,100,540,360,420,520,380,200,560,100,320,240,40,340,260,480,120,440,120,360,200,500,40,520,80,500,420,560,380,500,560,380,300,60,200,380,340,280,260,380,60,600,40,480,380,80,600,580,180,460,80,60,100,240,380,340,240,40,420,220,600,200,600,520,200,160,600,520,420,520,500,480,220,380,260,280,360,380,540,520,140,280,160,120,160,60,340,180,420,240,120,160,540,40,520,220,580,260,360,100,440,460,420,160,440,540,160,480,600,240,120,160,40,440,500,60,260,600,560,460,540,160,440,80,220,280,320,160,80,220,240,40,220,600,140,480,480,100,300,80,400,40,340,500,480,500,380,200,480,560,320,120,140,180,320,240,440,440,360,360,220,300,580,300,340,120,500,140,560,580,120,520,440,60,320,160,60,80,80,40,260,260,200,200,500,420,380,600,80,40,360,460,580,120,520,40,420,60,460,100,360,600,600,140,560,40,80,40,400,60,420,400] img0 = Image.new('RGB', (1000, 1000), '#ffffff') for i in range(len(s)): 	for j in range(20): 		for n in range(20): 			img0.putpixel ((s[i]+j,t[i]+n), (0,0,0)) img0.save("result.png") 

其中,20是试出来的,第一次用的10,第二次用的20就出来了
ctfshow渔人杯2021 部分WP

扫描即出flag

8.简单二维码
先说real flag:
ctfshow渔人杯2021 部分WP

用这个来控制左右偏移,之前哪场比赛(忘了)就用到了
ctfshow渔人杯2021 部分WP
然后说fake flag
fake flag1:打开WP,全选改字体颜色
ctfshow渔人杯2021 部分WP

fake flag2:
刚刚那段话后面有隐藏文字,选项—格式标记—勾选隐藏文字
ctfshow渔人杯2021 部分WP
fake flag3:
提示用stegsolve梭一下,用stegsolve打开发现LSB隐写和二维码,扫描二维码又是一个fake flag
ctfshow渔人杯2021 部分WP
fake flag4:LSB
ctfshow渔人杯2021 部分WP
fake flag5:
在B通道
ctfshow渔人杯2021 部分WP

fake flag6:(啊这里没有flag)
因为WP里面有两张不显示的图片,所以将WP改成zip后缀解压,进入word—media
发现第二张png图缺少文件头所以不显示,将其补上(89504E47)
ctfshow渔人杯2021 部分WPctfshow渔人杯2021 部分WP

fake flag7:
第三张png图winhex查看
ctfshow渔人杯2021 部分WP

fake flag8:
word里面还有个flag.xml
ctfshow渔人杯2021 部分WP
ctfshow渔人杯2021 部分WP

9.你以为是easyRSA吗,其实是我套娃之神哒

题目描述 里 有
说明零宽,直接复制之后去解就可以了
https://offdev.net/demos/zwsp-steg-js
ctfshow渔人杯2021 部分WP
然后解压
e=62其实是提示base62,因为这明显不满足RSA
把c拿去16进制转字符串之后,得到4PNR3rDPYKOUENdjw4ovN8CILBFNmq
再拿去base62(cyberchef),得到解压密码password is ctfshowHHH
flag.zip是伪加密,把09改成00即可
ctfshow渔人杯2021 部分WP
some password is the flag,I means such as “password is abcde”,the flag is ctfshow{.*} 其中 ctfshow{正则} 最后得到 flag:ctfshow{some password}

10.我想要获得旗帜
真的能通关。。几分钟就好了,反编译用gm8decompiler(github),在反编译中,鼠标移动到那个问号上就知道了。
第一关(11)
ctfshow渔人杯2021 部分WP
第二关左上角(2)
ctfshow渔人杯2021 部分WP

第三关(114514)
ctfshow渔人杯2021 部分WP

第四关(1919810)
ctfshow渔人杯2021 部分WP
其中,这里给了flag格式,其他地方也分别有提示
ctfshow渔人杯2021 部分WP

第五关(233)
ctfshow渔人杯2021 部分WP
结合in order,按照顺序连起来即可

11.misc41
注意F001,直接搜这个!
ctfshow渔人杯2021 部分WP

一眼就看出来了,flag大家自己去写

12.亚当和夏娃
出题人说是非预期,我就直接说非预期了(预期也不会。。)
去binwalk 亚当和夏娃-Adam and s Eve n.png(或者tweakpng.exe)
我就用tweakpng吧,第一行这个(binwalk第一个文本)
ctfshow渔人杯2021 部分WP

提取出来保存,然后用notepad+±----插件-----converter----HEX–>ASCII
转了之后保存,然后winhex查看
ctfshow渔人杯2021 部分WP

把jpg文件头前面的都删掉,然后改成jpg打开
ctfshow渔人杯2021 部分WP
得到flag

13.阿拉丁
ctfshow渔人杯2021 部分WP
不知道是怎么出的,群主说只需要问他flagxxxxxx?即可,如果有数字则会返回数字位,例如
ctfshow渔人杯2021 部分WPctfshow渔人杯2021 部分WP

用此方法组合起来即可

14.迷
也是群主说的,访问/flag
ctfshow渔人杯2021 部分WP
根据题目描述,访问/菜
ctfshow渔人杯2021 部分WPctfshow渔人杯2021 部分WP

15.LunaticRE
气死了气死了,明明找到了BUG()但是没对flag部分做手脚
无壳,IDA64打开
期间,反复看了sub_140001730(),还找到了fake flag
ctfshow渔人杯2021 部分WP

还有提示,base58解码即可
ctfshow渔人杯2021 部分WP
ctfshow渔人杯2021 部分WP

最后一个个函数的找,找到了他,可恶,当时没有太去注意。
ctfshow渔人杯2021 部分WP
将其转成字符串形式,就能明显发现是flag,全部组合起来即可
ctfshow渔人杯2021 部分WP

版权声明:玥玥 发表于 2021-04-03 3:28:09。
转载请注明:ctfshow渔人杯2021 部分WP | 女黑客导航