MISC

signin

  • misc果然是脑洞题,我不是很做的来

image-20240925221800032

  • 已签和未签的如下

image-20240925221831551

image-20240925221841614

  • 按照题目要求,直接就把luo记为缺勤,把其他人都签到了,即可得到flag,moectf{Thanks_For_You_signing_in_4ND_W3l0c0me_T0_M0ecTf_2024!!!}

image-20240925221950816

ez_Forensics

  • 下载附件,看到是一个.raw文件,题目也说了是内存取证,所以我决定使用Linux下的volatility进行取证

  • 题目描述中给了提示,在关闭cmd之前ubw保存了电脑的内存镜像

image-20240925220325061

  • 题目给出了cmd是Windows下的终端,现在我要先使用volatility -f ./flag.raw imageinfo命令查看一下该.raw文件的信息
  • 发现是可能是这些操作系统 Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
  • 经过筛查是Win7SP1x64

image-20240925220623871

  • 然后再使用volatility -f /home/myheart/Forensic/flag.raw --profile=Win7SP1x64 pslist命令提取进程
  • 发现cmd.exePID 344 PPID 2148 Thds 1 Hnds20 Sess 1
  • 从而确认了cmd.exe有在进程中运行

image-20240925220941496

  • 然后再使用volatility -f /home/myheart/Forensic/flag.raw --profile=Win7SP1x64 cmdscan
  • cmdscan是一个插件,用于查找 cmd.exe(命令提示符)相关的命令历史记录。它会扫描内存中的数据,以寻找用户在命令提示符中输入的命令。然后发现有npm将flag写入flag.txt文件的历史记录,并且还可以看到flag的具体内容

image-20240925221410015

  • 所以得到flag为moectf{WWBGY-TLVC5-XKYBZ}

WEB

Web渗透测试与审计入门指北

  • 下载pdf,浏览一遍pdf,在最后会看到一个附件,搭建网站就有flag

image-20241003091713670

  • 下载好phpstudy,然后启动一些服务

image-20241003091851587

  • 点击网站,再点击管理,打开根目录,将附件给的东西复制粘贴过去

image-20241003091919475

  • 这样再选择打开网站,就会得到flag
image-20241003092045948
  • 网站如下,flag:moectf{H3r3'5_@_flYinG_kIss_f0r_yoU!}

image-20241003092058496

弗拉格之地的入口

  • 打开环境,进入环境对应的网站,会出现如下的提示

image-20241003092340330

  • 看到有爬虫字样,我想到了Python课讲到爬虫时会有一个爬虫协议,一般都是在网站的robots.txt这个网页下

image-20241003092606655

  • 进入网页果然看到了一些信息,发现这里面给出了一个/webtutorEntry.php,进入这个文件对应的网页
  • 进入后就会看到flag了moectf{cONGraTU1atioN_foR_Kn0w1ng_RoboTS-txT250f2}

image-20241003092719956

弗拉格之地的挑战

垫刀之路01: MoeCTF?启动!

  • 打开题目可以看到,这里已经是getshell了,并且可以输出执行命令的结果

image-20241003094742832

  • 然后先ls,查看一下该目录,发现是web网页的后端代码,这里应该是在web目录下

image-20241003094936733

  • 我这边直接ls ../../../,查看到了根目录下有flagcat flag后却发现flag不再这里面,在环境变量里面

image-20241003095052518

image-20241003095125592

  • 所以我又执行了env发现环境变量里面有flag,这样flag就找到了,flag moectf{wEIc0m3-To-MOECtF_anD_rOaDI_ST@rTup-By_sxrHHh15f}

image-20241003095233782

ez_http

  • 打开环境,环境这边显示着要使用post方法,这么一看就需要burp进行抓包了

image-20241003095952730

  • 抓包到后的http包是这样的
1
2
3
4
5
6
7
8
9
10
11
12
13
14
GET / HTTP/1.1
Host: 127.0.0.1:60635
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i

  • 使用post参数
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST / HTTP/1.1
Host: 127.0.0.1:60635
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i


  • 又看到提示,要求POST参数要imoau=sb

image-20241003100246989

  • 上网搜了下,POST参数要放在Priority: u=0, i需要空一行,即post头结束后要空一行,然后Content-Length: 8这一行内容burp在发送时会自动补全,这边遇到问题,怎么发包都发不过去(问题是第二次做(复现)的时候遇到的,第一次做没遇到这个问题)。问题出来我没有使用burp的右键修改方法,而是直接手动修改POST参数导致发包出现问题。
image-20241003104644673 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
POST / HTTP/1.1
Host: 127.0.0.1:50088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

imoau=sb
  • 之后收到提示,才get头这边添加参数,但是方法还是post,由于发包不支持中文,所以就将大帅转换成十六进制

image-20241003110415410

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
POST /?xt=%E5%A4%A7%E5%B8%85b HTTP/1.1
Host: 127.0.0.1:50088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

imoau=sb
  • 之后要求,即添加Referer: https://www.xidian.edu.cn/

image-20241003110611836

  • 又要求cookie参数

image-20241003110653715

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
POST /?xt=%E5%A4%A7%E5%B8%85b HTTP/1.1
Host: 127.0.0.1:50088
cookie: user=admin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Referer: https://www.xidian.edu.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

imoau=sb
  • 要求使用指定浏览器源

image-20241003110808320

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
POST /?xt=%E5%A4%A7%E5%B8%85b HTTP/1.1
Host: 127.0.0.1:50088
cookie: user=admin
User-Agent: MoeDedicatedBrowser
Referer: https://www.xidian.edu.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

imoau=sb
  • 然后只要求本地通过
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
POST /?xt=%E5%A4%A7%E5%B8%85b HTTP/1.1
Host: 127.0.0.1:50088
cookie: user=admin
User-Agent: MoeDedicatedBrowser
Referer: https://www.xidian.edu.cn/
X-Forwarded-For:127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

imoau=sb
  • 最后得到flagmoectf{y0u-@Re_ReaIIy_Re4LLY_VerY-c13VER!!!46056}

image-20241003111044152

CRYPTO

现代密码学入门指北

  • 下载入门指北并阅读到末尾的时候,给出了题目,简单的rsa加密
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from Crypto.Util.number import bytes_to_long, getPrime
from secret import flag
p = getPrime(128)
q = getPrime(128)
n = p*q
e = 65537
m = bytes_to_long(flag)
c = pow(m, e, n)
print(f"n = {n}")
print(f"p = {p}")
print(f"q = {q}")
print(f"c = {c}")

'''
n = 40600296529065757616876034307502386207424439675894291036278463517602256790833
p = 197380555956482914197022424175976066223
q = 205695522197318297682903544013139543071
c = 36450632910287169149899281952743051320560762944710752155402435752196566406306
'''
  • 解密脚本如下:
1
2
3
4
5
6
7
8
9
10
11
12
import libnum
import gmpy2
n = 40600296529065757616876034307502386207424439675894291036278463517602256790833
p = 197380555956482914197022424175976066223
q = 205695522197318297682903544013139543071
c = 36450632910287169149899281952743051320560762944710752155402435752196566406306
e = 65537
phi_n = (p-1)*(q-1)
d = gmpy2.invert(e,phi_n)
m = pow(c,d,n)
print(libnum.n2s(int(m)))
# moectf{the_way_to_crypto}

Signin

  • 题目给了一个简单的rsa加密,正常解密即可
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from Crypto.Util.number import*
from secret import flag


m = bytes_to_long(flag)
p = getPrime(1024)
q = getPrime(1024)
n = p*q
e = 65537
c = pow(m,e,n)
pq = (p-1)*(q-2)
qp = (q-1)*(p-2)
p_q = p + q

print(f"{c = }")
print(f"{pq = }")
print(f"{qp = }")
print(f"{n = }")
print(f"{p_q = }")
'''
c = 5654386228732582062836480859915557858019553457231956237167652323191768422394980061906028416785155458721240012614551996577092521454960121688179565370052222983096211611352630963027300416387011219744891121506834201808533675072141450111382372702075488292867077512403293072053681315714857246273046785264966933854754543533442866929316042885151966997466549713023923528666038905359773392516627983694351534177829247262148749867874156066768643169675380054673701641774814655290118723774060082161615682005335103074445205806731112430609256580951996554318845128022415956933291151825345962528562570998777860222407032989708801549746
pq = 18047017539289114275195019384090026530425758236625347121394903879980914618669633902668100353788910470141976640337675700570573127020693081175961988571621759711122062452192526924744760561788625702044632350319245961013430665853071569777307047934247268954386678746085438134169871118814865536503043639618655569687154230787854196153067547938936776488741864214499155892870610823979739278296501074632962069426593691194105670021035337609896886690049677222778251559566664735419100459953672218523709852732976706321086266274840999100037702428847290063111455101343033924136386513077951516363739936487970952511422443500922412450462
qp = 18047017539289114275195019384090026530425758236625347121394903879980914618669633902668100353788910470141976640337675700570573127020693081175961988571621759711122062452192526924744760561788625702044632350319245961013430665853071569777307047934247268954386678746085438134169871118814865536503043639618655569687077087914198877794354459669808240133383828356379423767736753506794441545506312066344576298453957064590180141648690226266236642320508613544047037110363523129966437840660693885863331837516125853621802358973786440314619135781324447765480391038912783714312479080029167695447650048419230865326299964671353746764860
n = 18047017539289114275195019384090026530425758236625347121394903879980914618669633902668100353788910470141976640337675700570573127020693081175961988571621759711122062452192526924744760561788625702044632350319245961013430665853071569777307047934247268954386678746085438134169871118814865536503043639618655569687534959910892789661065614807265825078942931717855566686073463382398417205648946713373617006449901977718981043020664616841303517708207413215548110294271101267236070252015782044263961319221848136717220979435486850254298686692230935985442120369913666939804135884857831857184001072678312992442792825575636200505903
p_q = 279533706577501791569740668595544511920056954944184570513187478007551195831693428589898548339751066551225424790534556602157835468618845221423643972870671556362200734472399328046960316064864571163851111207448753697980178391430044714097464866523838747053135392202848167518870720149808055682621080992998747265496
'''
  • 先根据方程,利用sage解出方程
1
2
3
4
5
6
p = var('p')
q = var('q')

eq1=(p-1)*(q-2)==18047017539289114275195019384090026530425758236625347121394903879980914618669633902668100353788910470141976640337675700570573127020693081175961988571621759711122062452192526924744760561788625702044632350319245961013430665853071569777307047934247268954386678746085438134169871118814865536503043639618655569687154230787854196153067547938936776488741864214499155892870610823979739278296501074632962069426593691194105670021035337609896886690049677222778251559566664735419100459953672218523709852732976706321086266274840999100037702428847290063111455101343033924136386513077951516363739936487970952511422443500922412450462
eq2 = (q-1)*(p-2)==18047017539289114275195019384090026530425758236625347121394903879980914618669633902668100353788910470141976640337675700570573127020693081175961988571621759711122062452192526924744760561788625702044632350319245961013430665853071569777307047934247268954386678746085438134169871118814865536503043639618655569687077087914198877794354459669808240133383828356379423767736753506794441545506312066344576298453957064590180141648690226266236642320508613544047037110363523129966437840660693885863331837516125853621802358973786440314619135781324447765480391038912783714312479080029167695447650048419230865326299964671353746764860
solve([eq1,eq2],p,q)
  • 得到p、q后直接rsa解密即可
1
2
3
4
5
6
7
8
9
10
11
12
13
14
import libnum
import gmpy2
c = 5654386228732582062836480859915557858019553457231956237167652323191768422394980061906028416785155458721240012614551996577092521454960121688179565370052222983096211611352630963027300416387011219744891121506834201808533675072141450111382372702075488292867077512403293072053681315714857246273046785264966933854754543533442866929316042885151966997466549713023923528666038905359773392516627983694351534177829247262148749867874156066768643169675380054673701641774814655290118723774060082161615682005335103074445205806731112430609256580951996554318845128022415956933291151825345962528562570998777860222407032989708801549746
pq = 18047017539289114275195019384090026530425758236625347121394903879980914618669633902668100353788910470141976640337675700570573127020693081175961988571621759711122062452192526924744760561788625702044632350319245961013430665853071569777307047934247268954386678746085438134169871118814865536503043639618655569687154230787854196153067547938936776488741864214499155892870610823979739278296501074632962069426593691194105670021035337609896886690049677222778251559566664735419100459953672218523709852732976706321086266274840999100037702428847290063111455101343033924136386513077951516363739936487970952511422443500922412450462
qp = 18047017539289114275195019384090026530425758236625347121394903879980914618669633902668100353788910470141976640337675700570573127020693081175961988571621759711122062452192526924744760561788625702044632350319245961013430665853071569777307047934247268954386678746085438134169871118814865536503043639618655569687077087914198877794354459669808240133383828356379423767736753506794441545506312066344576298453957064590180141648690226266236642320508613544047037110363523129966437840660693885863331837516125853621802358973786440314619135781324447765480391038912783714312479080029167695447650048419230865326299964671353746764860
n = 18047017539289114275195019384090026530425758236625347121394903879980914618669633902668100353788910470141976640337675700570573127020693081175961988571621759711122062452192526924744760561788625702044632350319245961013430665853071569777307047934247268954386678746085438134169871118814865536503043639618655569687534959910892789661065614807265825078942931717855566686073463382398417205648946713373617006449901977718981043020664616841303517708207413215548110294271101267236070252015782044263961319221848136717220979435486850254298686692230935985442120369913666939804135884857831857184001072678312992442792825575636200505903
p_q = 279533706577501791569740668595544511920056954944184570513187478007551195831693428589898548339751066551225424790534556602157835468618845221423643972870671556362200734472399328046960316064864571163851111207448753697980178391430044714097464866523838747053135392202848167518870720149808055682621080992998747265496
p = 101195416461091716428326199733504078281010548412226222689665080411126731520752210150756388683557219973649948209094722629248795549538890771346214761833764975454769057589710497693291150424006859232283601953197097456280805871953601208233200402046794268614613979577032173301390416040533984248749301081715040789947
q = 178338290116410075141414468862040433639046406531958347823522397596424464310941218439142159656193846577575476581439833972909039919079954450077429211036906580907431676882688830353669165640857711931567509254251656241699372519476443505864264464477044478438521412625815994217480304109274071433871779911283706475549
phi_n = (p-1)*(q-1)
e = 65537
d = gmpy2.invert(e,phi_n)
print(libnum.n2s(int(pow(c,d,n))))
# moectf{Just_4_signin_ch4ll3ng3_for_y0u}

ez_hash

  • 该题是hash爆破,这题原本暑假的时候就尝试做了,但是使用Python爆破不出来,然后去在线md5查询,查询出来了,但是看结果要钱,就没查看了
  • 到了开学知道了有hashcat这个工具,可以使用显卡爆破,就爆破出来了
  • 题目附件
1
2
3
4
5
6
7
8
9
from hashlib import sha256
from secret import flag, secrets

assert flag == b'moectf{' + secrets + b'}'
assert secrets[:4] == b'2100' and len(secrets) == 10
hash_value = sha256(secrets).hexdigest()
print(f"{hash_value = }")
# secret = 2100******
# hash_value = '3a5137149f705e4da1bf6742e62c018e3f7a1784ceebcb0030656a2b42f50b6a'
  • 使用hashcat爆破,在Linux下安装好hash,然后输入指令
    • SHA256: -m 1400
    • -a 3 指定使用掩码攻击(暴力破解)
    • 2100 固定为前 4 位,?d?d?d?d?d?d 表示 6 个未知的数字
1
hashcat -m 1400 -a 3 3a5137149f705e4da1bf6742e62c018e3f7a1784ceebcb0030656a2b42f50b6a 2100?d?d?d?d?d?d
  • 爆破得到的结果为
1
2100360168
  • flag:moectf{2100360168}

Big and small

  • 还是一个rsa加密,但是e很小,直接开方即可
  • 题目:
1
2
3
4
5
6
7
8
9
10
11
12
13
from secret import flag
from Crypto.Util.number import*
m = long_to_bytes(flag)
p = getPrime(1024)
q = getPrime(1024)
n = p*q
e = 3
c = pow(m,e,n)
'''
c = 150409620528288093947185249913242033500530715593845912018225648212915478065982806112747164334970339684262757
e = 3
n = 20279309983698966932589436610174513524888616098014944133902125993694471293062261713076591251054086174169670848598415548609375570643330808663804049384020949389856831520202461767497906977295453545771698220639545101966866003886108320987081153619862170206953817850993602202650467676163476075276351519648193219850062278314841385459627485588891326899019745457679891867632849975694274064320723175687748633644074614068978098629566677125696150343248924059801632081514235975357906763251498042129457546586971828204136347260818828746304688911632041538714834683709493303900837361850396599138626509382069186433843547745480160634787
'''
  • exp:
1
2
3
4
5
6
7
8
import libnum
import gmpy2
c = 150409620528288093947185249913242033500530715593845912018225648212915478065982806112747164334970339684262757
e = 3
n = 20279309983698966932589436610174513524888616098014944133902125993694471293062261713076591251054086174169670848598415548609375570643330808663804049384020949389856831520202461767497906977295453545771698220639545101966866003886108320987081153619862170206953817850993602202650467676163476075276351519648193219850062278314841385459627485588891326899019745457679891867632849975694274064320723175687748633644074614068978098629566677125696150343248924059801632081514235975357906763251498042129457546586971828204136347260818828746304688911632041538714834683709493303900837361850396599138626509382069186433843547745480160634787
m = libnum.nroot(c,e)
print(libnum.n2s(int(m)))
# flag{xt>is>s>b}

baby_equation

  • 这题开了俩个提示,还是没思路,最后和某个已经做出来的师傅对了下思路,发现思路问题,之后思路正确了就做下去了

  • 其中题目中的俩个提示也还是有用的

  • 题目附件如下,主要聚焦到assert的这个式子中

1
2
3
4
5
6
7
8
9
10
from Crypto.Util.number import *
from secret import flag


l = len(flag)
m1, m2 = flag[:l//2], flag[l//2:]
a = bytes_to_long(m1)
b = bytes_to_long(m2)
k = 0x2227e398fc6ffcf5159863a345df85ba50d6845f8c06747769fee78f598e7cb1bcf875fb9e5a69ddd39da950f21cb49581c3487c29b7c61da0f584c32ea21ce1edda7f09a6e4c3ae3b4c8c12002bb2dfd0951037d3773a216e209900e51c7d78a0066aa9a387b068acbd4fb3168e915f306ba40
assert ((a**2 + 1)*(b**2 + 1) - 2*(a - b)*(a*b - 1)) == 4*(k + a*b)
  • 题目提示用yafu分解,我这边是将4k分解,得到,很明显,k能分解出这么多式子,甚至都是俩个或偶数个的素数,这就要想到,4k可以因式分解成与ab相关的因式而且还是代平方的那种
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
P1 = 2
P1 = 2
P1 = 2
P1 = 2
P1 = 2
P1 = 2
P1 = 2
P1 = 2
P1 = 3
P1 = 3
P1 = 3
P1 = 3
P2 = 31
P2 = 31
P2 = 61
P2 = 61
P3 = 223
P3 = 223
P4 = 4013
P4 = 4013
P6 = 281317
P6 = 281317
P7 = 4151351
P7 = 4151351
P13 = 5404604441993
P13 = 5404604441993
P14 = 26798471753993
P14 = 26798471753993
P44 = 64889106213996537255229963986303510188999911
P44 = 64889106213996537255229963986303510188999911
P29 = 25866088332911027256931479223
P29 = 25866088332911027256931479223
P9 = 370523737
P9 = 370523737
P9 = 339386329
P9 = 339386329
  • 所以接下来就对assert的那个式子进行因式分解,结果分解半天分解错了QAQ
  • 最后得到的结果还是AI跑出来的

image-20241008013015286

  • 接下来用上第二个提示,由于我并不知道a+1可以分解成那些素数的乘积,但我知道flag中有moectf(这也就是第二个提示),所以我就考虑使用随机数的办法进行爆破,结果当然是爆破出来了
1
2
3
4
5
6
7
8
9
10
11
12
13
c = [64889106213996537255229963986303510188999911,25866088332911027256931479223,26798471753993,339386329,370523737,5404604441993,4151351,281317,4013,223,61,31,2,2,2,2,3,3]
for i in range(len(c)):
    for j in range(100000):
        random_elements = random.sample(c, i)
        p = 1
        for x in random_elements:
            p *= x
        b = libnum.n2s(p)
        if b'moectf' in b:
            print(b)
            print(libnum.s2n(b))
# b'moectf{7he_Fund4m3nt4l_th30r4' 这个是a+1跑出来的,而不是a的值
# 2950365559902224963252311699604518749050102395042841254385700637274676
  • 得到a+1的值就可以利用因式分解的值可以算出b的值,从而知道flag的后半部分了
1
2
3
4
5
6
7
8
9
a_plus_1 = 2950365559902224963252311699604518749050102395042841254385700637274676
a = a_plus_1-1
print(libnum.n2s(a))
b_1 = g//(a_plus_1**2)
b_1 = libnum.nroot(b_1,2)
print(libnum.n2s(b_1+1))
# b'moectf{7he_Fund4m3nt4l_th30r3'  这个才是真正的flag的前半部分
# b'm_0f_4rithm3tic_i5_p0w4rful!}'
# moectf{7he_Fund4m3nt4l_th30r3m_0f_4rithm3tic_i5_p0w4rful!}

RE

逆向工程入门指北

  • 下载pdf附件翻到第二页
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#include <iostream>
int main()
{
    char password_enc[] = {
    123, 121, 115, 117, 98, 112, 109, 100, 37, 96, 37, 100, 101, 37, 73, 39,
    101, 73, 119, 73, 122, 121, 120, 113, 73, 122, 121, 120, 113, 73, 97, 119,
    111, 73, 98, 121, 73, 115, 110, 102, 122, 121, 100, 115, 107, 22 };
    // 因为a^b=c时, b^c=a, 所以我们可以这样还原数据:
    char password[47];
    for (int i = 0; i < 46; i++) {
    password[i] = password_enc[i] ^ 22;
    }
    password[46] = 0; // 使用0字符来截断掉%s的无尽输出..
    printf("%s\n", password); // 哈哈,这就是本题的f l a g,自己运行一下交上去吧!
    return 0;
}
  • 这个就是本题flag
1
2
3
4
5
6
a = [ 123, 121, 115, 117, 98, 112, 109, 100, 37, 96, 37, 100, 101, 37, 73, 39,
    101, 73, 119, 73, 122, 121, 120, 113, 73, 122, 121, 120, 113, 73, 97, 119,
    111, 73, 98, 121, 73, 115, 110, 102, 122, 121, 100, 115, 107, 22]
for i in a:
    print(chr(i^22),end='')
# moectf{r3v3rs3_1s_a_long_long_way_to_explore}

异或

  • 使用IDA反编译附件,然后查看反编译的代码,发现就是简单的异或

image-20241007222336914

  • 加密后的数据保存在byte_1400022B8数据段中,使用shift+E提取数组

image-20241007222423810

  • 编写解密脚本
1
2
3
4
5
6
7
8
a = [ 73,  75,  65,  71,  80,  66,  95,  65,  28,  22,
   70,  16,  19,  28,  64,   9,  66,  22,  70,  28,
    9,  16,  16,  66,  29,   9,  70,  21,  20,  20,
    9,  23,  22,  20,  65,  64,  64,  22,  20,  71,
   18,  64,  20,  89]
for i in a:
    print(chr(i^0x24),end='')
# moectf{e82b478d-f2b8-44f9-b100-320edd20c6d0}

UPX

  • 简单的upx脱壳,直接下载upx脱壳工具,使用指令upx-d脱壳,这里就不演示了
  • 脱壳后使用IDA反编译,反编译完即可看到flagmoectf{ec5390dd-f8cf-4b02-bc29-3bb0c5604c29}

image-20241007223024688

upx-revenge

  • 魔改的upx脱壳,下载附件后使用010Editor打开,然后将这两个地方分别改为UPX0UPX1

  • 然后就可以使用upx脱壳软件upx -d进行自动脱壳了

image-20240927202757801

  • 脱壳完之后再使用IDA打开,即可看到flag

image-20240927202824136

  • flag文件moectf{554ea35c-a1bb-4d8f-a323-bd697564bf27}

RC4

  • 下载附件后使用IDA打开,然后快速定位到main函数中
  • 发现A71A68ECD82711CC8C9B16155CD2673E82ADCE75D4BC5756C28A52B86BD6CCF8A4BA722FE05715B92411是密文
  • 密钥是RC4_1s_4w3s0m3

image-20241007223630697

  • 然后直接在线rc4解密即可,如果是为了学习而做题的话建议使用Python手搓rc4解密脚本,得到flag
1
moectf{why_Rc4_haS_The_Rev32sabl3_pr0ceSS}

image-20241007223759632

Tea

  • 在另一篇文章中写过了,这里直接复制粘贴

  • 题目附件就只给一个.exe的可执行程序

image-20240827142857426

  • 先运行一下这个点exe文件。发现程序已经给出后面一部分的flag。然后前面的flag使用未知数表示。该程序让用户输入前三段的flag

image-20240827142943495

  • 然后使用IDA反编译一下,主要加密函数如下

image-20240827143206799

  • 由于该题将库函数的符号表给去掉了,所以先推出一些函数,更方便看代码

image-20240827144926606

  • 对于这一步就是要用户输入正确的部分flag

image-20240827143256972

  • 接下来对下面进行分析,发现有几个变量
    • 但是由于scanf后面需要跟一个变量,但是可能由于反编译的问题。
    • 这样v10、v9、v11三个变量可能就是要求输入的明文
    • 所以变量v4、v5是明文

image-20240827145604067

  • 然后查看循环和循环里面的式子
    • 可以初步判断v6是循环次数,也就是TEA加密的轮数
    • 而循环内部就是加密的算法

image-20240827143829326

  • 然后最后的是判断flag是否正确

image-20240827144143170

  • 现在目前的重点在于分析该步骤的算法
  • 由最后一步判断得知
    • v4加密后最终的值为676078132
    • v5加密后最终的值为957400408
  • 由一开始v3=0然后每次循环都有v3 -= 1640531527,可知最后一次加密时的值为v3 =-1640531527*32
  • 然后是最核心的算法,这里还要注意的是可能存在溢出或者回绕,可能需要取模或者进行位运算
1
2
v4 += (v5+v3)^(16*v5 + 170260386) ^ ((v5 >> 5) + 1870148662);
v5 += (v4+v3)^(16*v4 + 1634038898) ^ ((v4 >> 5) + 1634038904);
  • 由于v5的最后一次加密与运算后的v4有关,所以解密的时候应该是v5先进行运算
1
2
3
4
5
6
7
v5 = 957400408
v4 = 676078132
v3  = -1640531527*32

v5 -=  (v4 + v3) ^ (16 * v4 + 1634038898) ^ ((v4 >> 5) + 1634038904);
v4 -=  (v5 + v3) ^ (16 * v5 + 1702060386) ^ ((v5 >> 5) + 1870148662);
v3 += 1640531527;

image-20240827145956235

  • 通过加密可以编写解密脚本,但是由于存在整数溢出和回绕的问题,为了不取模,直接编写C语言脚本进行解密。而不编写Python脚本解密
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#include<stdio.h>
int main()
{
	unsigned int v4 = 676078132;
	unsigned int v5 = 957400408;
	int v3 = -1640531527 * 32;
	printf("%d\n",v6);
	for(int i = 0;i < 32;i++)
	{
		v5 -=  (v4 + v3) ^ (16 * v4 + 1634038898) ^ ((v4 >> 5) + 1634038904);
		v4 -=  (v5 + v3) ^ (16 * v5 + 1702060386) ^ ((v5 >> 5) + 1870148662);
		v3 += 1640531527;
	}
	
	printf("%u   %u",v4,v5);
	return 0;
}
  • Python脚本实现解密是通过位运算
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
def decrypt(v4, v5, rounds):
    delta = 1640531527
    v3 = (-delta * rounds) & 0xFFFFFFFF  # 初始值,保持32位无符号整数

    for _ in range(rounds):
        # 计算解密过程中的 v5
        v5 = (v5 - ((v4 + v3) ^ (16 * v4 + 1634038898) ^ ((v4 >> 5) + 1634038904))) & 0xFFFFFFFF
        # 计算解密过程中的 v4
        v4 = (v4 - ((v5 + v3) ^ (16 * v5 + 1702060386) ^ ((v5 >> 5) + 1870148662))) & 0xFFFFFFFF
        # 更新 v3
        v3 = (v3 + delta) & 0xFFFFFFFF
    
    return v4, v5

# 示例使用
if __name__ == "__main__":
    # 假设这是加密后的 v4 和 v5 值
    v4_encrypted = 676078132
    v5_encrypted = 957400408
    
    # 解密轮数 (与加密时使用的轮数相同)
    rounds = 32
    
    # 解密
    v4_decrypted, v5_decrypted = decrypt(v4_encrypted, v5_encrypted, rounds)
    
    print(f"Decrypted v4 = {v4_decrypted}")
    print(f"Decrypted v5 = {v5_decrypted}")

  • 运行后将结果转换为16进制
1
2
3
4
0x836153a5
0x8e0049bd
将x那部分替换为836153a5,将y那部分替换为8e00,将z那部分替换为49bd。
moectf{836153a5-8e00-49bd-9c42-caf30620caaf}

d0tN3t

  • .dll逆向,使用工具ILSpy逆向,可以直接反编译出内容,然后进行解密,主要问题就出在工具上。IDApro反编译不了.dll文件

  • ILSpy下载地址:Releases · icsharpcode/ILSpy (github.com)

image-20241007215824029

  • 下载.exe版后解压,进入解压文件,.exe文件,然后点击进去
image-20241007215923583
  • 在程序内部打开附件就行

image-20241007220006913

  • 然后点击进入到这里,就可以看到加密逻辑了

image-20241007220032190

  • 加密逻辑如下图

image-20241007220046748

  • 编写脚本一把梭,注意异或i*i有时候会超出255,所以要异或i*i后要与一个0xFF
1
2
3
4
5
6
7
8
a = [173, 146, 161, 174, 132, 179, 187, 234, 231, 244,177, 161, 65, 13, 18, 12, 166, 247, 229, 207,125, 109, 67, 180, 230, 156, 125, 127, 182, 236,105, 21, 215, 148, 92, 18, 199, 137, 124, 38,228, 55, 62, 164]
b = []
for i in range(len(a)):
     b.append(((a[i]^(i*i))&0xff^0x72) - 114)
print(b)
for i in b:
    print(chr(i),end='')
# moectf{7ce581d2-b2ab-4ceb-9bbe-435873083db6}

dynamic

  • 简单的动态调试题目,下载附件,使用IDA打开发现有给数据,但是给的数据是加密过后的数据,不是真正的flag
  • 但是在程序运行的过程中就会调用加密(解密)函数,可以把flag给解密出来,这时就会出现flag,但是flag在栈上
  • 所以我们需要动态调试取查看栈上的内容

image-20240927194435239

  • 先在该处打下断点

image-20240927194643539

  • 然后再按下F9键,选择该选项

image-20240927194724747

  • 选择完后就会进入动态调试的模式,这样就在栈上可以看到flag的16进制模式

image-20240927194806319

  • 将这一串16进制复制下来,丢入在线16进制转字符串

image-20240927194846304

  • flag其实已经得到了,但是由于是小端序的内存表示,所以我写了个Python脚本,将flag变成正常的flag
1
2
3
4
5
6
7
8
9
10
11
12
13
14
a = '''317B667463656F6D
2D34343963346438
3038342D63373439
632D363335392D38
3362366434336437
000000007D373238'''
b = a.split('\n')
#print(b[0][-2:16])
print(int('38',16))
print(b)
for i in b:
    for j in range(len(i)-8):
        print(chr(int(i[-2-2*j:16-2*j],16)),end='')
# moectf{18d4c944-947c-4808-9536-c7d34d6b3827}

Just-Run-It

  • 下载附件,然后打开,发现给了4个程序,分别是exeelfriscv.elfapk四个文件

image-20240928120901652

  • 先运行一下.exe文件,这样就会给出一个十六进制的字符串

image-20240928120953384

1
6257396c5933526d657a55355a6d45
  • 然后转字符串后就变成
1
bW9lY3RmezU5ZmE
  • 运行apk文件,就直接将该文件拖入雷电模拟器中,然后运行
  • 运行了一下0x3.riscv0x64.elf,运行结果显示一串数组(十进制),将这一串数组转为字符串。

image-20240928122109231

1
WU1NzRjZjliOX0=

逆向工程进阶之北

ezMAZE

  • 此题考点算是比较综合的了,深搜和广搜,位压缩,动态调试
  • 拿到附件后使用IDA进行反编译,反编译之后就会解读代码

image-20241001092428464

  • 然后在检查迷宫路径这边有一个函数,函数名称为sub_7FF70B961190,点击去查看,发现是检查位压缩的0、1位
  • 所以 byte_7FF70B965000就是地图了

image-20241001092509624

  • 点击 byte_7FF70B965000查看地图,发现是一个位压缩的地图形式,1为墙,0为路

image-20241001092641526

  • 这样我就先在该位置打下断点

image-20241001092745346

  • 进行动态调试,找到迷宫存放的地址,然后将迷宫提取为二进制文件

image-20241001092812481

  • 使用Python将其转换为0、1字符串的迷宫
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
def extract_and_convert_to_binary_string(input_file):
    # 读取二进制文件
    with open(input_file, 'rb') as f:
        data = f.read()

    # 将二进制数据转换为01字符串
    binary_string = ''.join(format(byte, '08b') for byte in data)

    return binary_string


# 示例使用
binary_string = extract_and_convert_to_binary_string("D:\\aaa")
print(binary_string)

# 示例使用
#compress_binary_file("D:\\aaa", 'D:\\output')
a = '1111111111111111111111111111111111111111111111111111111111111111111111111111111110111111111111111110101010101000101001001001001001001111111111111111111111111111100000000000000000111101000101001001010010010010101110000000000000000000111111111111111111111111101110111101101000011111001010010111101111111111111111101111111111000000000000000011101111011010110111000000000000000011000000000000000011111111110111111111111111111011110110101101110111111111111111110111111111111111111111111100000000000000001110111101101011011100000000000000001100000000000000001111111111111111111111111011100001000010000111111111111111111011111111111111111011111111110000000000000000111111111111111111110000000000000000110000000000000000111111111101111111111111111110000111110000111101111111111111111101111111111111111111111111000000000000000011101111111101101111000000000000000011000000000011111000011111111111111111111110111000011111000111111111111111111110111111111110111110110111111111111111111111101111110111110110111101001010010111101111111111101111101101111111111111111111111001100001111100001111111111111111111011111111111011111011011111100000000000000001001111111111111111100000000000000000100000000000111110110111111011111101111111011011111111111111111011111111111111111011111111111111101101111110010110101010110110000000000000000010000000000000000010000000011111111011011111100101101010101101111111111111111110111111111111111110111111110111111110110111111001010101001011011100000000000000001100000000000000001100000001111111101101111110010101010010110111011111111111111111011111111111111111011111111111111011011111101010101001011001110000000000000000110000000000000000110000000000000110110111111001001001010111011111111111111111101111111111111111101111111111111101101101111110010010100101000111000000000000000011000000000000000011000000000000011011011111100010100100101101110111111111111111110111111111111111110111111111111110110111111010111011010101011100000000000000001100000000000000001100000000000011101101111110010101010010101111111111111111111011111111111111111011111111111110111011011111100010100100101001001010010100001110110000000000000000111111111111101110110111111011111101111111011111111111111111100001111111111111111111111111111011101101111111111111111111111111010101011101011111111111111111111111111111111110111011011111100000000000000000111000110101010011010100101010100110000000000000001110110111111011111111111111101111010101000100101111111111111111101111111111111111101101111110100000000000000011111111111111111111000000000000000011000000000000000011011111101011111111111111111111110000000111110111111111111111110111111111111111110111111010000000000000001111111101111101111100000000000000001100000000000000001101111110111111111111111011111111011111011111111111111111111011111111111111111011011111101000000000000000111111110111110111110000000000000000110000000000000000110111111010111111111111111111111101111101111101111111111111111101111111111111111101111110100000000000000011111111011111011111000000000000000011000000000000000011011111101111111111111110111111110111110111111111111111111110111111111111111110110111111011110010001011101111111101111101111111111111111111101111111111111111101101111110101001001001001001111111011111011111111111111111111011111111111111111001011111101100101010000111001111110111110111100000000000000000100000000000000011010111111011000101010010111011111101111111111011111111111111111011111111111110110101111110101010001000101110000000000000000010000000000000000010000000011111100001011111101111010010100111111111111111111110111111111111111110111111110111111111110111111011001001010010101100000000000000001100000000000000001100000001111111111101111110110100100101001011011111111111111111011111111111111111011111111111111111011111101100100100101010110000000000000000110000000000000000110000000000000000110111111011001001010010010111111111111111101111111111111111101111111111111111101101111110110010010101001101000000000000000011000000000000000011000000000000000011011111101100100101001001010111111111111111110111111111111111110111111111111111110111111011001010010001001100000000000000000000000000000000111100000000000000001101111110110000100010010111111111111111111111111111111111111000011111111111111011011111101111001001000100010000111111111110000000000000000000111111111111111110110111111000000000000000000000000000000000001101111111111111111010010100100010100101111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
print(len(a)//80)
for i in range(56-1):
    print(a[0+i*80:80+i*80])

  • 然后以迷宫56行,80列的形式输出

image-20241001093024171

  • 起点坐标为(2,2),真实起点应该为(1,1),终点坐标为(55,75),真实的终点应该为(54,74),知道起点和终点,直接编写深度搜索和广度搜索算法寻找迷宫路径
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
from collections import deque


def is_valid_move(maze, visited, row, col):
    return (0 <= row < len(maze)) and (0 <= col < len(maze[0])) and (maze[row][col] == '0' and not visited[row][col])


def iterative_dfs(maze, start_row, start_col):
    stack = [(start_row, start_col, '')]  # (行, 列, 路径)
    visited = [[False] * len(maze[0]) for _ in range(len(maze))]

    while stack:
        row, col, path = stack.pop()
        print(f"DFS访问: 行={row}, 列={col}, 路径={path}")  # 打印当前访问的位置和路径

        if (row, col) == (54, 74):  # 到达终点
            return path

        visited[row][col] = True
        directions = [(0, 1, 'd'), (1, 0, 's'), (0, -1, 'a'), (-1, 0, 'w')]  # 右,下,左,上

        for dr, dc, direction in directions:
            new_row, new_col = row + dr, col + dc
            if is_valid_move(maze, visited, new_row, new_col):
                stack.append((new_row, new_col, path + direction))

    return None


def bfs(maze):
    rows, cols = len(maze), len(maze[0])
    queue = deque([(1, 1, '')])  # 起点 (1, 1)
    visited = [[False] * cols for _ in range(rows)]
    visited[1][1] = True

    directions = [(0, 1, 'd'), (1, 0, 's'), (0, -1, 'a'), (-1, 0, 'w')]  # 右,下,左,上

    while queue:
        row, col, path = queue.popleft()
        print(f"BFS访问: 行={row}, 列={col}, 路径={path}")  # 打印当前访问的位置和路径

        if (row, col) == (54, 74):  # 到达终点
            return path

        for dr, dc, direction in directions:
            new_row, new_col = row + dr, col + dc
            if is_valid_move(maze, visited, new_row, new_col):
                visited[new_row][new_col] = True
                queue.append((new_row, new_col, path + direction))

    return None
# 示例迷宫字符串
maze_str = """\
11111111111111111111111111111111111111111111111111111111111111111111111111111111
10111111111111111110101010101000101001001001001001001111111111111111111111111111
10000000000000000011110100010100100101001001001010111000000000000000000011111111
11111111111111111011101111011010000111110010100101111011111111111111111011111111
11000000000000000011101111011010110111000000000000000011000000000000000011111111
11011111111111111111101111011010110111011111111111111111011111111111111111111111
11000000000000000011101111011010110111000000000000000011000000000000000011111111
11111111111111111011100001000010000111111111111111111011111111111111111011111111
11000000000000000011111111111111111111000000000000000011000000000000000011111111
11011111111111111111100001111100001111011111111111111111011111111111111111111111
11000000000000000011101111111101101111000000000000000011000000000011111000011111
11111111111111111011100001111100011111111111111111111011111111111011111011011111
11111111111111111011111101111101101111010010100101111011111111111011111011011111
11111111111111111001100001111100001111111111111111111011111111111011111011011111
10000000000000000100111111111111111110000000000000000010000000000011111011011111
10111111011111110110111111111111111110111111111111111110111111111111111011011111
10010110101010110110000000000000000010000000000000000010000000011111111011011111
10010110101010110111111111111111111011111111111111111011111111011111111011011111
10010101010010110111000000000000000011000000000000000011000000011111111011011111
10010101010010110111011111111111111111011111111111111111011111111111111011011111
10101010100101100111000000000000000011000000000000000011000000000000011011011111
10010010010101110111111111111111111011111111111111111011111111111111011011011111
10010010100101000111000000000000000011000000000000000011000000000000011011011111
10001010010010110111011111111111111111011111111111111111011111111111111011011111
10101110110101010111000000000000000011000000000000000011000000000000111011011111
10010101010010101111111111111111111011111111111111111011111111111110111011011111
10001010010010100100101001010000111011000000000000000011111111111110111011011111
10111111011111110111111111111111111000011111111111111111111111111110111011011111
11111111111111111111010101011101011111111111111111111111111111111110111011011111
10000000000000000011100011010101001101010010101010011000000000000000111011011111
10111111111111111011110101010001001011111111111111111011111111111111111011011111
10100000000000000011111111111111111111000000000000000011000000000000000011011111
10101111111111111111111111000000011111011111111111111111011111111111111111011111
10100000000000000011111111011111011111000000000000000011000000000000000011011111
10111111111111111011111111011111011111111111111111111011111111111111111011011111
10100000000000000011111111011111011111000000000000000011000000000000000011011111
10101111111111111111111111011111011111011111111111111111011111111111111111011111
10100000000000000011111111011111011111000000000000000011000000000000000011011111
10111111111111111011111111011111011111111111111111111011111111111111111011011111
10111100100010111011111111011111011111111111111111111011111111111111111011011111
10101001001001001001111111011111011111111111111111111011111111111111111001011111
10110010101000011100111111011111011110000000000000000010000000000000001101011111
10110001010100101110111111011111111110111111111111111110111111111111101101011111
10101010001000101110000000000000000010000000000000000010000000011111100001011111
10111101001010011111111111111111111011111111111111111011111111011111111111011111
10110010010100101011000000000000000011000000000000000011000000011111111111011111
10110100100101001011011111111111111111011111111111111111011111111111111111011111
10110010010010101011000000000000000011000000000000000011000000000000000011011111
10110010010100100101111111111111111011111111111111111011111111111111111011011111
10110010010101001101000000000000000011000000000000000011000000000000000011011111
10110010010100100101011111111111111111011111111111111111011111111111111111011111
10110010100100010011000000000000000000000000000000001111000000000000000011011111
10110000100010010111111111111111111111111111111111111000011111111111111011011111
10111100100100010001000011111111111000000000000000000011111111111111111011011111
10000000000000000000000000000000000011011111111111111110100101001000101001011111
"""
maze = [list(row) for row in maze_str.strip().split('\n')]

# 调用迭代DFS和BFS
print("DFS路径:")
dfs_path = iterative_dfs(maze, 1, 1)  # 起点为 (1, 1)
print("BFS路径:")
bfs_path = bfs(maze)

print(f"DFS最终路径: {dfs_path}")
print(f"BFS最终路径: {bfs_path}")
  • 得到最终路径
1
2
3
4
DFS最终路径: sddddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddsssdsdssddddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddsssdddwdddddddddddddddwwaaaaaaaaaaaaaaawwdddddddddddddddwwaaaaaaaaaaaaaaawwdddddddddddddddwwaaaaaaaaaaaaaaaawwddddddddddddddddwwwwaaaaaaaaaaaaaaawwdddddddddddddddwwaaaaaaaaaaaaaaawwddwdsddddwdsdddddddwwddddddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddssaaaaaaaaaaaaaaassdddddddddssssaaaaaaaaaassdddddddssaaaaaassddddddddddddssaaaaaaaaaaaassdddddddddddsssssaaaaaaaaaaaaaassaaaaaaaaaaaaaaassdddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddssssaaaaaaaaaaaaaaaassddddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddssaaaaaaaaaaaaaaassaaaaaaaaaaaaaaaaaawwdddddddddddddddwwaaaaaaaaaaaaaaawwdddddddddddddddwwaaaaaaaaaaaaaaaawwawawwwaaaaaaaaaaaaaawwddddddddddddddwwaaaaaaaaaaaaaawwddddddddddddddwwaaaaaaaaaaaaaaaasssssssssssssssssssssssssdddddwwdssddwwwdsssddwdwwdsssddwdsdddwdsdwdsddddddddddddwddddddddddddddddddwdddwwwdddddddddddddddwwaaaaaaaaaaaaaaawwddddddwwaaaaaaawwddddddddddddddssdddwwwawwwaaaaaaaaaaaaaaawwdddddddddddddddwwaaaaaaaaaaaaaaawwdddddddddddddddwwwwwwwwwwwwwwwwwwwwwdddssssssssssssssssssssssssssssssssssssssssssss
BFS最终路径: sddddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddsssdsdssddddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddsssdddwdddddddddddddddwwaaaaaaaaaaaaaaawwdddddddddddddddwwaaaaaaaaaaaaaaawwdddddddddddddddwwaaaaaaaaaaaaaaaawwddddddddddddddddwwwwaaaaaaaaaaaaaaawwdddddddddddddddwwaaaaaaaaaaaaaaawwdddddddddddddddwwddddddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddssaaaaaaaaaaaaaaassdddddddddssssaaaaaaaaaassdddddddssaaaaaassddddddddddddssaaaaaaaaaaaassdddddddddddsssssaaaaaaaaaaaaaassaaaaaaaaaaaaaaassdddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddssssaaaaaaaaaaaaaaaassddddddddddddddddssaaaaaaaaaaaaaaassdddddddddddddddssaaaaaaaaaaaaaaassaaaaaaaaaaaaaaaaaawwdddddddddddddddwwaaaaaaaaaaaaaaawwdddddddddddddddwwaaaaaaaaaaaaaaaawwawawwwaaaaaaaaaaaaaawwddddddddddddddwwaaaaaaaaaaaaaawwddddddddddddddwwaaaaaaaaaaaaaaaasssssssssssssssssssssssssddddddddddddddddddddddddddddddddddwddddddddddddddddddwdddwwwdddddddddddddddwwaaaaaaaaaaaaaaawwddddddwwaaaaaaawwddddddddddddddssdddwwwawwwaaaaaaaaaaaaaaawwdddddddddddddddwwaaaaaaaaaaaaaaawwdddddddddddddddwwwwwwwwwwwwwwwwwwwwwdddssssssssssssssssssssssssssssssssssssssssssss


  • 最后输入最终路径,得到flag,这里只有输入BFS最终路径才能得到flag

image-20241001094650144

moectf{the_18446744024826406994_amazing_maze!!}

PWN

二进制漏洞审计入门指北

  • 题目给了个入门指北,最好还是看一下

image-20240904113011026

  • 签到题,学会nc直接就送flag

image-20240904112505198

flag:moectf{Welcome_to_the_journey_of_Pwn}

NotEnoughTime

  • 题目:说是检测数学能力,其实是练习接收与发送,与靶机交互。

image-20240904114303972

  • 这题会发送一些数学四则运算的题目,算式均为 C 语言表达式,整数除法。还有时间限制

image-20240904114553199

  • 这种情况就需要使用Python脚本实现交互
    • 先将第一个和第二个固定的算式单独做一个接收和发送
    • 然后再接收一行字符串
    • 接下来使用Python的eval()函数,eval()函数执行其传递的参数内容,并返回结果
    • 对接收的算式先进行处理,比如将换行符去掉,将最后接收到的=号去掉
    • 最后使用eval()函数进行计算
    • 再将计算结果发送出去,进而实现自动化计算脚本
  • exp如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from pwn import *
context(log_level = 'debug')
p = remote("172.25.144.1",50357)
p.sendlineafter(b'1 + 1 = ',str(2).encode("utf-8"))
p.sendlineafter(b'4 / 3 - 1 = ',str(0).encode("utf-8"))
p.recvuntil(b'OK, then some tough ones. Be WELL PREPARED!')
while True:
    a = p.recvuntil(b'=')
    a = a.decode("utf-8")
    b = ''
    for i in a:
        if i == '\n':
            continue
        if i == '=':
            continue
        if i == '/':
            b += '//'
            continue
        b += i
    print('b = ',b)
    c = eval(b)
    print(c)
    p.send(str(int(c)).encode('utf-8'))
    p.sendline(b'')
# 最后得到flag	
# moectf{ar1tHMETiC-IS_NOT_M@th3mATIcs1d259bb}

no_more_gets

  • 题目:

image-20240904120653431

AI