Sign-in Challenge

The challenge is very basic: in Chrome, press F12 to open the developer tools, change the maxlength attribute in the page source to 14 so that hackergame2018 can be typed in full, submit, and the flag is returned.

Cat Quiz

The first four blanks can all be found with Google. The fifth one cannot, because the specific classroom is not searchable, so it has to be brute-forced with Burp Suite.

While brute-forcing, I found the classroom lookup site on the USTC official website, and in the end it turned out to be a classroom in the Third Teaching Building on the West Campus.

The final classroom number is 3A202, which gives the flag.

Garden Party Stamp Card

This one is fairly easy: download the challenge archive and piece the pictures together according to the USTC emblem (grin).

Word Document

This is a basic Misc challenge. Open the downloaded Word document directly in WinHex and look at the format of the file header and trailer: the header is the zip file signature (50 4B 03 04).

Then extract the archive, find flag.txt, and open it to get the flag.

Cat Bank

This one felt like an unintended solution. Entering values in the normal format can never earn enough money within the allotted time, so I tested for big-number overflow.

The expected earnings turned negative, which suggests the backend arithmetic overflows on large numbers. With a deposit time of 555555555555555555 (any other large number would do; I just picked this one at random), the withdrawal time became negative and the expected earnings became enormous. Withdraw immediately and redeem the flag.

Flag redemption

Obsidian Browser

This one is a bit of a trap. At first I thought I really had to open the site in the Obsidian browser, but the browser would not download properly, so I then assumed something had to be bypassed; it turned out I was overthinking it. I Googled the Obsidian browser and found that registration was not possible.

The next idea was to change the browser identification with Burp Suite, but I did not know the exact version number. Eventually I found the version number by viewing the source of the so-called official Obsidian site.

Then capture and modify the request in Burp Suite (the User-Agent header) to get the flag.

Back to the Past

This is a Misc challenge with no real difficulty; it tests the ed editor on Linux, which I had never used before. I looked up the ed usage instructions online, typed the input into a Linux system, wrote out the file, and got the flag.

Who Am I

Philosophical Thoughts

This one took a big leap of imagination; I was stuck for a long time until a friend told me to look at the status code...

Then enter teapot to get the flag.

Can I help U?


The challenge hints that the page should be requested in a different way, so first capture the request with Burp Suite, then change the original GET method to POST.

The page then hints at something called RFC 7168, which a search turned up: https://www.rfc-editor.org/rfc/rfc7168.txt

According to the document, the POST method should be changed to BREW (I had no idea what that method was at first), and a Content-Type: message/coffeepot header added.

According to the response, coffeepot should be changed to teapot; then Go again.

The response then gave an address; change the request path to that address, Go again, and get the flag.
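The request sequence above, seen from the pot's side: an added example (not code from the write-up or from the challenge) of a minimal HTCPCP-TEA handler following RFC 7168, which accepts only BREW, answers a coffeepot body with 418, lists the tea URIs on the pot root, and brews on a tea URI. The tea names and the 405/415 branches are constructed for the example; the pot-root response is modelled on the RFC's Alternates header.

```python
TEAPOT_TYPE = "message/teapot"
COFFEEPOT_TYPE = "message/coffeepot"
TEAS = ("earl-grey", "oolong")   # constructed: this pot's /tea/<name> URIs


def handle(method, path, headers):
    """Return (status, reason, body) for one request to the teapot.

    headers is a dict with lower-case header names. The branches mirror the
    write-up: wrong method, coffee-pot content type, BREW on the pot root
    (which lists the tea URIs), and BREW on one tea URI."""
    if method != "BREW":
        # The write-up went GET -> POST -> BREW; only BREW is served here.
        return 405, "Method Not Allowed", "use BREW"
    ctype = headers.get("content-type", "")
    if ctype == COFFEEPOT_TYPE:
        # RFC 7168: a pot that is not provisioned to brew coffee may answer 418.
        return 418, "I'm a teapot", "this pot brews tea, use " + TEAPOT_TYPE
    if ctype != TEAPOT_TYPE:
        return 415, "Unsupported Media Type", "expected " + TEAPOT_TYPE
    if path == "/":
        # Pot root: 300 Multiple Options with an Alternates list of tea URIs,
        # which is the "address" the write-up then brews against.
        alts = ", ".join('{"/tea/%s" {type message/teapot}}' % t for t in TEAS)
        return 300, "Multiple Options", "Alternates: " + alts
    for tea in TEAS:
        if path == "/tea/" + tea:
            return 200, "OK", "brewing " + tea
    return 404, "Not Found", "unknown tea"


if __name__ == "__main__":
    for step in (("GET", "/", {}),
                 ("BREW", "/", {"content-type": COFFEEPOT_TYPE}),
                 ("BREW", "/", {"content-type": TEAPOT_TYPE}),
                 ("BREW", "/tea/oolong", {"content-type": TEAPOT_TYPE})):
        print(step[0], step[1], "->", handle(*step))
```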

Cat Remote Control

This is a Misc challenge. The document provided contains only four letters, U D L R, which should represent directions, so the challenge must be about drawing. I used Python's matplotlib and numpy libraries to plot the document's contents and got the flag.

Python code (py2.7)

#!/usr/bin/env python2
# -*- coding: UTF-8 -*-
import numpy as np
import matplotlib.pyplot as plt

xxx = "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRDDDDDDDDDDDDDDDDDDDDLLLLLLLLLLLLLLLLLLDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUUUUUUUULLLLLLLLLLLLRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRLLLLLLLLLLLLLLLLLLLLLLLLRRRRDDDDDDDDRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUUUUUUDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRUUUUUUUULLLLLLLLLLLLLLLLRRRRRRRRRRRRRRRRRRRRLLLLDDDDDDDDDDDDDDDDDDDDDDDDDDDDLLLLLLLLLLLLLLLLLLLLUUUUUUUUUUUUUUUURRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUULLLLLLLLLLLLLLLLLLLLRRRRRRRRRRRRRRRRRRRRRRRRLLLLDDDDDDDDRRRRRRRRRRRRRRRRDDDDDDDDDDDDDDDDDDDDRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUUUUUUUUUUUUUULLLLLLLLLLLLLLLLLLLLDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDUUUURRRRRRRRRRRRRRRRRRRRRRRRLLLLDDDDDDDDDDDDLLLLLLLLLLLLLLLLLLLLLLLLRRRRRRRRRRRRRRRRRRRRRRRRRRRRLLLLUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUDDDDDDDDRRRRRRRRRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUUUUUURRRRRRRRLLLLLLLLDDDDDDDDDDDDDDDDDDDDDDDDLLLLLLLLDDDDRRRRRRRRDDDDDDDDDDDDDDDDDDDDDDDDRRRRRRRRLLLLLLLLUUUUUUUUUUUUUUUUUUUUUUUULLLLLLLLUUUURRRRRRRRUUUURRRRRRRRRRRRRRRRRRRRRRRRDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUURRRRDDDDRRRRDDDDRRRRDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUURRRRRRRRUUUUUUUURRRRDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUURRRRRRRRRRRRUUUURRRRUUUURRRRRRRRRRRRRRRRDDDDRRRRDDDDRRRRDDDDDDDDLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLUUUURRRRUUUUDDDDLLLLDDDDDDDDRRRRDDDDRRRRDDDDRRRRRRRRRRRRUUUURRRRRRRRUUUUDDDDLLLLLLLLDDDDLLLLLLLLLLLLUUUULLLLUUUULLLLUUUUUUUURRRRUUUURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRDDDDDDDDDDDDDDDDDRRRRRRRRRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUUUUUUUUUULLLLLLLLLLLLLLLLLLLLLLLLLLLLDDDDDDDDDDDDDDDDDDDDDDDDRRRRRRRRRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUURRRRRRRRUUUULLLLUUUUDDDDRRRRDDDDRRRRDDDDDDDDDDDDDDDDDDDDRRRRUUUUUUUUUUUURRRRUUUUUUUUDDDDDDDDRRRRDDDDDDDDDDDDRRRRUUUUUUUUUUUUUUUUUUUURRRRUUUURRRRUUUUDDDDLLLLDDDDRRRRRRRRRRRRUUUUUUUUUUUUUUUUDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUURRRRDDDDRRRRDDDDRRRRDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUURRRRUUUURRRRUUUURRRRDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDUUUUUUUUUUUUUUUUUUUUDDDDUUUURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRLLLLLLLLLLLLLLLLUUUULLLLUUUULLLLLLLLDDDDLLLLDDDDLLLLDDDDDDDDDDDDRRRRDDDDRRRRDDDDRRRRRRRRUUUURRRRRRRRUUUUDDDDLLLLLLLLDDDDLLLLLLLLUUUULLLLUUUULLLLUUUUUUUURRRRRRRRRRRRRRRRRRRRRRRRUUUULLLLUUUUDDDDRRRRRRRRRRRRRRRRRRRRDDDDDDDDDDDDDDDDRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUUUUUULLLLLLLLLLLLLLLLLLLLDDDDDDDDUUUUUUUURRRRRRRRRRRRRRRRRRRRDDDDRRRRRRRRRRRRUUUULLLLUUUUDDDDRRRRDDDDRRRRDDDDDDDDDDDDDDDDDDDDRRRRUUUUUUUUUUUUUUUURRRRUUUUUUUUDDDDDDDDRRRRDDDDDDDDDDDDDDDDRRRRRRRRUUUUUUUUUUUUUUUURRRRUUUUUUUURRRRUUUUDDDDLLLLDDDDRRRRRRRRRRRRRRRRRRRRUUUUUUUUUUUUUUUULLLLLLLLRRRRRRRRDDDDDDDDDDDDDDDDDDDDRRRRRRRRDDDDLLLLLLLLDDDDDDDDDDDDDDDDDDDDLLLLLLLL"
# Walk the move string: each letter moves the pen one unit and draws that
# segment. D/U change y, R/L change x; any other character is skipped.
xxxx = 0
yyyy = 0
for ch in xxx:
    x0, y0 = xxxx, yyyy
    if ch == 'D':
        yyyy = yyyy - 1
    elif ch == 'U':
        yyyy = yyyy + 1
    elif ch == 'R':
        xxxx = xxxx + 1
    elif ch == 'L':
        xxxx = xxxx - 1
    else:
        continue
    plt.plot([x0, xxxx], [y0, yyyy])
plt.show()
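The same U/D/L/R tracing without a display or matplotlib, as an added example (not the write-up's code): the pen's track is rendered as ASCII rows, which is enough to read a drawn flag in a terminal. The sample move string is constructed; the challenge file would be read and passed in the same way.

```python
def render_path(moves):
    """Trace a U/D/L/R move string on a unit grid and return it as ASCII rows.

    Each letter advances the pen one cell. Every cell the pen has been on is
    marked '#', every other cell in the bounding box '.', and rows are
    returned top first so the picture has the same orientation as the plot."""
    step = {"U": (0, 1), "D": (0, -1), "L": (-1, 0), "R": (1, 0)}
    x, y = 0, 0
    visited = {(x, y)}
    for ch in moves:
        if ch not in step:          # ignore newlines or other noise in the file
            continue
        dx, dy = step[ch]
        x, y = x + dx, y + dy
        visited.add((x, y))
    xs = [px for px, _ in visited]
    ys = [py for _, py in visited]
    rows = []
    for row_y in range(max(ys), min(ys) - 1, -1):
        rows.append("".join("#" if (col_x, row_y) in visited else "."
                            for col_x in range(min(xs), max(xs) + 1)))
    return rows


if __name__ == "__main__":
    # Constructed sample: a small closed square.
    for row in render_path("RRDDLLUU"):
        print(row)
```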

Her Poems

The key part of the original challenge code is:

from codecs import decode

# fin: the challenge file, one uuencoded line per poem line; fout: decoded output
for i in fin:
    data = "begin 666 <data>\n" + i + " \nend\n"
    decode_data = decode(data.encode("ascii"), "uu")
    print(decode_data)
    fout.write(decode_data.decode("ascii") + "\n")

But with the official code, only one poem can be decoded.

So we need to parse the official document ourselves. Googling begin 666 shows that this is UUencode, so I found a uuencode decoding website and decoded it there.
The decoded output differed slightly from what the official Python code produced, so I wrote a Python script using the difflib library
and extracted the flag.

Python code (py2.7)

# coding:utf-8
import difflib
flag = ""
a='''
---------
There is something in this world
that no one has ever seen before.
It is gentle and sweet.
Maybe if it could be seen,
everyone would fight over it.
That is why the world hid it,
so that no one could get their hands
on it so easily.
However, someday, someone will find it.
The person who deserves it the most
will definitely find it.
---------
Do you like this school?
I really, really love it.
But nothing can stay unchanged.
Fun things... Happy things...
They can't all possibly stay unchanged.
Even so,
can you go on loving this place?
---------
Sometimes I wonder,
what if this town was alive?
What if it had thoughts and feelings
like one of us?
If it did,
I think it would want to make the people
who live here happy.
---------
Expectations are what you have
when you have given up.
Expectations are born from
a despairingly large difference in skill.
---------
A joke only lasts for a moment,
if it leaves a misunderstanding,
it becomes a lie.
---------
If someone didn't have any pride,
wouldn't they also be lacking
in self-confidence?
If someone was free of greed,
wouldn't they have trouble
supporting their family?
And if people didn't envy one another,
wouldn't they stop inventing new things?
---------
If I don't have to do it, I won't.
If I have to do it, I'll make it.
---------
/* Here is the end of my poem.
'''
a=a.replace("\n","")
b="---------There is something in this worldfthat no one has ever seen before.It is gentle and sweet.lMaybe if it could be seen,aeveryone would fight over it.gThat is why the world hid it,{so that no one could get their handson it so easily.STHowever, someday, someone will find it.The person who deserves it the mostewill definitely find it.---------Do you like this school?I really, really love it.gABut nothing can stay unchanged.n0Fun things... Happy things...gThey can't all possibly stay unchanged.Even so,rcan you go on loving this place?A---------Sometimes I wonder,Phwhat if this town was alive?y_What if it had thoughts and feelingslike one of us?If it did,w1I think it would want to make the peopletHwho live here happy._---------Expectations are what you havewhen you have given up.uExpectations are born fromUa despairingly large difference in skill.e---------A joke only lasts for a moment,Ncif it leaves a misunderstanding,0it becomes a lie.D---------If someone didn't have any pride,wouldn't they also be lackingEin self-confidence?_IIf someone was free of greed,5wouldn't they have trouble_supporting their family?And if people didn't envy one another,5wouldn't they stop inventing new things?0_---------If I don't have to do it, I won't.fuIf I have to do it, I'll make it.---------/* Here is the end of my poem."
# Character-level diff: every '+' entry is a character present only in b,
# i.e. one of the extra characters hidden in the website's decoded poem.
d = difflib.Differ()
diff = list(d.compare(a, b))
for line in diff:
    if line[0] == '+':
        flag += line
flag = flag.replace("+", "").replace(" ", "")
print(flag)
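The two steps the write-up combines, decoding one uuencoded line with the challenge's begin 666 wrapper and diffing the result against a clean copy to pull out the inserted characters, as an added example (not the page's or the challenge's own code). The poem line and the hidden characters below are constructed.

```python
import binascii
import difflib
from codecs import decode


def uu_decode_line(line):
    """Decode a single uuencoded line the way the challenge code does: wrap it
    in a minimal begin/end envelope and hand it to Python's uu codec."""
    data = "begin 666 <data>\n" + line.rstrip("\n") + " \nend\n"
    return decode(data.encode("ascii"), "uu")


def inserted_chars(reference, carrier):
    """Return the characters present in carrier but not in reference, in order.

    difflib works on any sequence, so comparing two strings character by
    character marks each inserted character with a '+ ' prefix."""
    diff = difflib.Differ().compare(reference, carrier)
    return "".join(entry[2:] for entry in diff if entry.startswith("+ "))


def demo():
    # Constructed sample: a clean poem line and a copy with "fl" hidden in it,
    # uuencoded as the challenge file would carry it.
    clean = "There is something in this world"
    carrier = "There is fsomething in this lworld"
    encoded = binascii.b2a_uu(carrier.encode("ascii")).decode("ascii")
    decoded = uu_decode_line(encoded).decode("ascii")
    return decoded, inserted_chars(clean, decoded)


if __name__ == "__main__":
    print(demo())
```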

Cat Nemesis

This is a Python scripting challenge: connect to the remote port with nc, the server sends expressions that must be evaluated within a set time, and the results are sent back. After solving it, it turned out to be 100 expressions within 30 seconds. From the 50th problem on, the server starts sending malformed expressions; the junk inside them has to be replaced with 0 (see the code for details).
Result:

Python code:

#!/usr/bin/env python2
# -*- coding: UTF-8 -*-
import socket

HOST = '202.38.95.46'    # The remote host
PORT = 12009             # The same port as used by the server


def RRR(shizi):
    """Evaluate one expression sent by the server and return the answer as bytes.
    Later rounds carry non-arithmetic junk; it is blanked to '0' before eval()
    so that the result is still a number."""
    xxxx = str(shizi)
    xxxx = xxxx.replace(r"__import__('time').sleep(100)", '0')
    xxxx = xxxx.replace(r"__import__('os').system('find ~')", '0')
    xxxx = xxxx.replace(r"exit()", '0')
    xxxx = xxxx.replace(r"print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a')", '0')
    print(xxxx)
    t = str(eval(xxxx)) + '\n'
    print(t)
    b1 = t.encode(encoding='utf-8')
    print(b1)
    return b1


sock = socket.socket()
sock.connect((HOST, PORT))
szBuf = sock.recv(1024)      # banner
print(szBuf)
x = 0
while 1:
    x = x + 1
    print('--------------------第' + str(x) + '轮-------------------')
    szBuf = sock.recv(1024)
    print(szBuf)
    b1 = RRR(szBuf)
    sock.send(b1)

Student Z's RSA

I did not solve this one during the competition. Reading the official write-up afterwards, it turned out to be a low-bit brute force. I had only just started learning crypto and was not yet comfortable with it. Solution code:

#!/usr/bin/env python2
#coding=utf-8
import gmpy2
import codecs
a=20177650286553319048656572431426864683972322616537528728644836950907654167144961938429509778926505938147163259147328872178897507791522569632637628576826135964471897661414351261453774090509205324220367785291196302551202990322952833839519685942136552490589504983264090018782888509594899124308485994909369157739590678421913334422763356613026472743079024933233557565198057398238454462971661266735075199307328588913060033329742394868127944469289321187036511972057975816136466581904044150309083660596527476198646767207896234322280486096803109351478982849399252765905154625449629131202246956928879278104313464399748896654335
b=-20177650286553319048656572431426864683972322616537528728644836950907654167144961938429509778926505938147163259147328872178897507791522569632637628576826135964471897661414351261453774090509205324220367785291196302551202990322952833839519685942136552490589504983264090018782888509594899124308485994909369157739690798236942786515359420891819523078078001184938002588184640997371794236705658312351156161124668283889171041058024858239408724965303885485356611059740480075879221661858319606783376958758348179998879989787088907672913468336293174408246405953882533580841784122100084676690051777413318254860735992696612183461891
c=13366903717795173429187761381567634048063984815133198408928503123602872647318097072713914639532980123537673828080136443096769208675278048903846468093331645356496756288494505939828792144555809683756644579691988377803769792505153509199204570978899052097185497377390921828391436597604626534413078392906362225675998274015504081511064143613477551873256333146732640157434336327576006467405800870704016822007754775192350360613102361780884075519253676949699170275909029570177548059093617965631063061181238396995096224186949430603966487712969428525308725462401758888441403291459307185920723957045088801754933390532219059494721

# The challenge leaks a = (p*q) ^ (p+q) and b = (p*q) ^ (p-q).
f1 = lambda p, q: (p * q) ^ (p + q)
f2 = lambda p, q: (p * q) ^ (p - q)
candidates = {(0, 0)}

def run(m):  # b2s: print the integer plaintext as bytes
    m = hex(m)[2:].rstrip('L')   # Python 2 appends 'L' to long hex literals
    if len(m) % 2 == 1:
        m = '0' + m
    print(codecs.decode(m, 'hex_codec'))

# Recover p and q from the low bits upward: multiplication, addition and
# subtraction modulo 2^(bit+1) depend only on the low bit+1 bits of p and q,
# so every candidate pair is extended by one bit and kept only if the same
# low bits of f1 and f2 agree with a and b.
for bit in range(1025):
    print(bit, len(candidates))
    candidates_ = set()
    mask = (2 << bit) - 1
    for x, y in candidates:
        if f1(x, y) == a and f2(x, y) == b:
            p, q = x, y
            d = int(gmpy2.invert(65537, (p - 1) * (q - 1)))  # private exponent
            m = pow(c, d, p * q)                              # plaintext
            run(m)
            exit()
        for bx in range(2):
            for by in range(2):
                xx = x + (bx << bit)
                yy = y + (by << bit)
                if f1(xx, yy) & mask != a & mask:
                    continue
                if f2(xx, yy) & mask != b & mask:
                    continue
                candidates_.add((xx, yy))
    candidates = candidates_
# Converting the recovered plaintext number to bytes on its own:
run(46327402297749971590423845809525539212404427397452776326201243339568645242122)
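The bit-by-bit search above turned into a reusable function, as an added example (not the write-up's or the official solution's code): it returns every (p, q) pair consistent with the two leaked values and is followed by textbook RSA decryption once p and q are known. The toy primes and message are constructed so the search finishes instantly; the real challenge values are 1024-bit.

```python
def recover_pq(a, b, nbits):
    """Return all (p, q) with p, q < 2**nbits such that
    a == (p*q) ^ (p+q) and b == (p*q) ^ (p-q).

    The low k bits of p*q, p+q and p-q depend only on the low k bits of p
    and q, so candidate pairs are grown one bit at a time from bit 0 and any
    pair whose low bits disagree with a or b is dropped at once. If q > p,
    p-q and b are negative; Python's two's-complement masking still compares
    the right bits."""
    f1 = lambda p, q: (p * q) ^ (p + q)
    f2 = lambda p, q: (p * q) ^ (p - q)
    candidates = {(0, 0)}
    for bit in range(nbits):
        mask = (2 << bit) - 1          # keep bits 0..bit
        extended = set()
        for x, y in candidates:
            for bx in (0, 1):
                for by in (0, 1):
                    xx, yy = x | (bx << bit), y | (by << bit)
                    if ((f1(xx, yy) & mask) == (a & mask)
                            and (f2(xx, yy) & mask) == (b & mask)):
                        extended.add((xx, yy))
        candidates = extended
    return sorted((x, y) for x, y in candidates if f1(x, y) == a and f2(x, y) == b)


def rsa_decrypt(c, p, q, e=65537):
    """Textbook RSA decryption once p and q are known (needs Python 3.8+ for pow(e, -1, phi))."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(c, d, p * q)


def demo():
    # Constructed toy instance: 7-bit primes stand in for the challenge's
    # 1024-bit ones, and 42 is the message.
    p, q, m = 61, 53, 42
    a, b = (p * q) ^ (p + q), (p * q) ^ (p - q)
    pairs = recover_pq(a, b, 7)
    c = pow(m, 65537, p * q)
    return pairs, rsa_decrypt(c, p, q)


if __name__ == "__main__":
    print(demo())
```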
