0x01base64?
GUYDIMZVGQ2DMN3CGRQTONJXGM3TINLGG42DGMZXGM3TINLGGY4DGNBXGYZTGNLGGY3DGNBWMU3WI===
很明显这不是base64,base32decode一下得到一串16进制
504354467b4a7573745f743373745f683476335f66346e7d
s=b'504354467b4a7573745f743373745f683476335f66346e7d'.decode("hex")
for i in s:
print i
得到flag PCTF{Just_t3st_h4v3_f4n}
0x02关于USS Lab.
USS的英文全称是什么,请全部小写并使用下划线连接_,并在外面加上PCTF{}之后提交
百度得到flag PCTF{ubiquitous_system_security}
0x03veryeasy
使用基本命令获取flag
用HXD打开搜索PCTF得到flag
PCTF{strings_i5_3asy_isnt_i7}
0x04段子
程序猿圈子里有个非常著名的段子:
手持两把锟斤拷,口中疾呼烫烫烫。
请提交其中"锟斤拷"的十六进制编码。(大写)
FLAG: PCTF{你的答案}
用gbk编码转十六进制输出即可
s='锟斤拷'.decode('utf-8').encode('gbk').encode('hex')
print s.upper()
得到flag PCTF{EFBFBDEFBFBD}
0x05手贱
某天A君的网站被日,管理员密码被改,死活登不上,去数据库一看,啥,这密码md5不是和原来一样吗?为啥登不上咧?
d78b6f302l25cdc811adfe8d4e7c9fd34
请提交PCTF{原来的管理员密码}
计算一下发现这串字符长度为33,然后枚举得到33个长度为32的可疑md5依次查询
s='d78b6f302l25cdc811adfe8d4e7c9fd34'//len(s)==33
for i in range(33):
print s[0:i]+s[i+1:]
查询md5得到flag PCTF{hack},原来的md5为d78b6f30225cdc811adfe8d4e7c9fd34
注:火眼金睛可以看出d78b6f302l25cdc811adfe8d4e7c9fd34第十个字符为'l'非十六进制字符直接排除即可
0x06美丽的实验室logo
出题人丢下个logo就走了,大家自己看着办吧
丢进Stegsolve ,放Frame Broswer
得到flag PCTF{You_are_R3ally_Car3ful}
0x07神秘的文件
binwalk下可以看到是一个磁盘文件
Linux EXT filesystem, rev 1.0, ext2 filesystem data
用binwalk -e 尝试分离分件得到254个文本文件,打开发现每一个文本文件都有一个字符,推测flag藏在里面写脚本直接获取每一个文本文件的字符
import os
s=""
for i in range(254): #分离得到的文件夹文件名为1~253
f = open(str(i),'r')
str1 = f.read()
s+=str1
print s
得到字符串
Haha ext2 file system is easy, and I know you can easily decompress of it and find the content in it.But the content is spilted in pieces can you make the pieces together. Now this is the flag PCTF{P13c3_7oghter_i7}. The rest is up to you. Cheer up, boy.
很明显flag 为PCTF{P13c3_7oghter_i7}
0x08公倍数
请计算1000000000以内3或5的倍数之和。
如:10以内这样的数有3,5,6,9,和是23
请提交PCTF{你的答案}
直接运算会造成内存溢出,所以只能分段计算
ans = 0
# for i in range(1000000000):
# if i%3==0 or i%5==0:
# ans+=i
n=100000
for i in range(1,10001):
for j in range((i-1)*n,i*n):
if j%3==0 or j%5==0:
ans+=j
print ans
经过几分钟的等待得到flag:PCTF{233333333166666668}
0x09Easy Crackme
这是一个ELF 64-bit 文件,拖进IDA64得到main函数伪代码
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v3; // rdi
char v5; // [rsp+0h] [rbp-38h]
char v6; // [rsp+1h] [rbp-37h]
char v7; // [rsp+2h] [rbp-36h]
char v8; // [rsp+3h] [rbp-35h]
char v9; // [rsp+4h] [rbp-34h]
char v10; // [rsp+5h] [rbp-33h]
unsigned __int8 v11; // [rsp+10h] [rbp-28h]
_BYTE v12[7]; // [rsp+11h] [rbp-27h]
v5 = -85;
v6 = -35;
v7 = 51;
v8 = 84;
v9 = 53;
v10 = -17;
printf((unsigned __int64)"Input your password:");
_isoc99_scanf((unsigned __int64)"%s");
if ( strlen((const char *)&v11) == 26 )
{
v3 = 0LL;
if ( (v11 ^ 0xAB) == list1 )
{
while ( (v12[v3] ^ (unsigned __int8)*(&v5 + ((signed int)v3 + 1) % 6)) == byte_6B41D1[v3] )
{
if ( ++v3 == 25 )
{
printf((unsigned __int64)"Congratulations!");
return 0;
}
}
}
}
printf((unsigned __int64)"Password Wrong!! Please try again.");
return 0;
}
阅读伪代码可以看到flag长度为26,输入的flag需满足第一个字符和0xab异或后得到的字符==某固定字符,剩余的25个字符依次异或==固定字符。
整理出一个固定字符和两个固定字符数组
0xfb
L=[0x9e,0x67,0x12,0x4e,0x9d,0x98,0xab,0x00,0x06,0x46,0x8a,0xf4,0xb4,0x06,0x0b,0x43,0xdc,0xd9,0xa4,0x6c,0x31,0x74,0x9c,0xd2,0xa0]
M=[-85,-35,51,84,53,-17]
分析一波
if ( (v11 ^ 0xAB) == list1 )//v11=list1(0xfb)^0xab
while ( (v12[v3] ^ (unsigned __int8)*(&v5 + ((signed int)v3 + 1) % 6)) == byte_6B41D1[v3] )
//while(v12[v3]^M[(v3+1)%6]==L[v3])
//即v12[v3]=M[(v3+1)%6]^L[v3] 0<=v3<=25
//flag=v11+v12
OK,直接用C++写代码逆向加密算法
#include <iostream>
#include <string>
using namespace std;
int main(){
string flag="";
flag+=char(0xfb^0xab);
int L[]={0x9e,0x67,0x12,0x4e,0x9d,0x98,0xab,0x00,0x06,0x46,0x8a,0xf4,0xb4,0x06,0x0b,0x43,0xdc,0xd9,0xa4,0x6c,0x31,0x74,0x9c,0xd2,0xa0};
int M[]={-85,-35,51,84,53,-17};
for (int i = 0; i < 25; ++i)
{
flag+=char(L[i]^M[(i+1)%6]);
}
cout<<flag;
}
得到flag PCTF{r3v3Rse_i5_v3ry_eAsy}
0x0a Secret
传说中的签到题
题目入口:http://web.jarvisoj.com:32776/
用postman发送请求在headers->secret发现Welcome_to_phrackCTF_2016
得到flag为 PCTF{Welcome_to_phrackCTF_2016}
0x0b 爱吃培根的出题人
听说你也喜欢吃培根?那我们一起来欣赏一段培根的介绍吧:
bacoN is one of aMerICa'S sWEethEartS. it's A dARlinG, SuCCulEnt fOoD tHAt PaIRs FlawLE
什么,不知道要干什么?上面这段巨丑无比的文字,为什么会有大小写呢?你能发现其中的玄机吗?
提交格式:PCTF{你发现的玄机}
字符串有大小写又因为题目说是培根,尝试将大小写转换为'a','b'
s="bacoN is one of aMerICa'S sWEethEartS. it's A dARlinG, SuCCulEnt fOoD tHAt PaIRs FlawLE"
m1=""
m2=""
for i in s:
if i.isupper():
m1+='a'
m2+='b'
elif i.islower():
m1+='b'
m2+='a'
print m1
print m2
得到两串疑似培根的密文
bbbbabbbbbbbbabbaababaabbbabbbabbbabaabbbaabaabbabbbababaababaababbbaa
aaaabaaaaaaaabaabbababbaaabaaabaaababbaaabbabbaabaaabababbababbabaaabb
排除第一串
尝试将密文解密
aaaabaaaaaaaabaabbababbaaabaaabaaababbaaabbabbaabaaabababbababbabaaabb
培根密码有两种加密方式
培根.jpg
尝试解密
m2='aaaabaaaaaaaabaabbababbaaabaaabaaababbaaabbabbaabaaabababbababbabaaabb'
L=[]
for i in range(len(m2)/5):
L.append(m2[:5])
m2=m2[5:]
dir1 = {'aaaaa':'A','aaaab':'B','aaaba':'C','aaabb':'D','aabaa':'E','aabab':'F','aabba':'G','aabbb':'H','abaaa':'I',
'abaab':'J','ababa':'K','ababb':'L','abbaa':'M','abbab':'N','abbba':'O','abbbb':'P','baaaa':'Q','baaab':'R',
'baaba':'S','baabb':'T','babaa':'U','babab':'V','babba':'W','babbb':'X','bbaaa':'Y','bbaab':'Z'}
dir2 = {'AAAAA':'a','AABBA':'g','ABBAA':'n','BAABA':'t','AAAAB':'b','AABBB':'h','ABBAB':'o','BAABB':'u/v',
'AAABA':'c','ABAAA':'i/j','ABBBA':'p','BABAA':'w','AAABB':'d','ABAAB':'k','ABBBB':'q','BABAB':'x',
'AABAA':'e','ABABA':'l','BAAAA':'r','BABBA':'y','AABAB':'f','ABABB':'m','BAAAB':'s','BABBB':'z'}
flag1=""
flag2=""
for i in L:
flag1+=str(dir1.get(i.lower()))
flag2+=str(dir2.get(i.upper()))
print "flag1:%s"%flag1
print "flag2:%s"%flag2
得到明文
flag1:BACNMIRMNSFNND
flag2:baconi/jsnotfood
提交得到最终flag为 PCTF{baconisnotfood}
0x0c veryeasyRSA
已知RSA公钥生成参数:
p = 3487583947589437589237958723892346254777
q = 8767867843568934765983476584376578389
e = 65537
求d =
请提交PCTF{d}
已知p、q、e
那么直接用扩展欧几里得算法可以直接求d咯
######得到Flag PCTF{19178568796155560423675975774142829153827883709027717723363077606260717434369}
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
p = 3487583947589437589237958723892346254777
q = 8767867843568934765983476584376578389
e = 65537
phi=(p-1)*(q-1)
print modinv(e,phi)
得到flag为PCTF{19178568796155560423675975774142829153827883709027717723363077606260717434369}
0x0d Easy RSA
还记得veryeasy RSA吗?是不是不难?那继续来看看这题吧,这题也不难。
已知一段RSA加密的信息为:0xdc2eeeb2782c且已知加密所用的公钥(N=322831561921859 e = 23)
请解密出明文,提交时请将数字转化为ascii码提交
比如你解出的明文是0x6162,那么请提交字符串ab
提交格式:PCTF{明文字符串}
已知公钥(N,e)
尝试分解N得到
p=13574881 q=23781539
通过扩展欧几里得算法由p、q、e求出私钥(d,e)
密文c=0xdc2eeeb2782c
直接解出明文然后十六进制字符转化为ascii码得到flag
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
c=0xdc2eeeb2782c
N=322831561921859
p=13574881
q=23781539
e=23
phi=(p-1)*(q-1)
d=modinv(e,phi)
print hex(pow(c,d,N))
