MISC
3.圖種
圖種
將下載的圖片改為rar解壓.png
nctf{dssdcmlw}
5.丘比特De女神
- 丘比龍是丘比特的弟弟,由于吃了太多的甜甜圈導致他飛不動了驰坊!
沒錯 里面隱藏了一張女神的照片
flag是照片文件的md5值(小寫)
記住加上flag{}
將丘比特圖片命名為5.gif
使用binwalk分解一下匾二。
從上到下依次為完好的gif圖片(6.gif)。
丘比特圖片(5.gif)拳芙。
完整的zip包察藐。(a.zip)
binwalk運行結果.png
ctf中壓縮包隱寫總結
可以看出,這是一個損壞的壓縮包舟扎,打開010編輯器分飞,把壓縮包文件頭或者文件尾補全。
ctf中圖片隱藏文件分離方法總結
常見文件頭睹限,文件尾
50 4Bzip文件尾.png
發(fā)現(xiàn)這里有個love???.png
gif的文件尾.png
003B之前是gif文件譬猫,之后是zip包,但是我們沒有看到zip的文件頭邦泄,將6C 6F 76 65到文件末尾抓取到一個新的文件里面删窒。并將6C 6F 76 65改為50 4B 03 04。保存為zip文件顺囊。
image.png
image.png
flag{a6caad3aaafa11b6d5ed583bef4d8a54}
密碼學
1.easy
bmN0Znt0aGlzX2lzX2Jhc2U2NF9lbmNvZGV9
nctf{this_is_base64_encode}
2.KeyBoard
ytfvbhn tgbgy hjuygbn yhnmki tgvhn uygbnjm uygbn yhnijm
a r e u h a c k
3.based64全家桶
import base64
print base64.b16decode(base64.b32decode(base64.b64decode('R1pDVE1NWlhHUTNETU4yQ0dZWkRNTUpYR00zREtNWldHTTJES1JSV0dJM0RDTlpUR1kyVEdNWlRHSTJVTU5SUkdaQ1RNTkJWSVkzREVOUlJHNFpUTU5KVEdFWlRNTjJF')))
nctf{base64_base32_and_base16}
4.n次based64
import base64
s='Vm0wd2QyUXlVWGxWV0d4V1YwZDRWMVl3WkRSWFJteFZVMjA1VjAxV2JETlhhMk0xVmpKS1NHVkVRbUZXVmxsM1ZtcEJlRll5U2tWVWJHaG9UVlZ3VlZacVFtRlRNbEpJVm10a1dHSkdjSEJXYTFwaFpWWmFkRTFVVWxSTmF6RTFWa2QwYzJGc1NuUmhSemxWVmpOT00xcFZXbUZrUjA1R1drWlNUbUpGY0VwV2JURXdZVEZrU0ZOclpHcFNWR3hoV1d4U1IyUnNXbGRYYlhSWFRWaENSbFpYZUhkV01ERkZVbFJDVjAxdVVuWldha3BIVmpGT2RWVnNXbWhsYlhob1ZtMXdUMkl5UmtkalJtUllZbGhTV0ZSV2FFTlNiRnBZWlVoa1YwMUVSa1pWYkZKRFZqSkdjbUV6YUZaaGExcG9WakJhVDJOdFJrZFhiV2hzWWxob2IxWnRNWGRVTVZWNVVtdGtWMWRIYUZsWmJGWmhZMVphZEdONlJteFNiSEJaV2xWb2ExWXdNVVZTYTFwV1lrWktSRlpxU2tabFZsSlpZVVprVTFKV2NIbFdWRUpoVkRKT2MyTkZhR3BTYkVwVVZteG9RMWRzV25KWGJHUmFWakZHTkZaSGRHdFdiVXBIVjJ4U1dtSkhhRlJXTUZwVFZqRmtkRkp0ZUZkaVZrbzFWbXBLTkZReFdsaFRiRnBxVWxkU1lWUlZXbmRsYkZweFVtMUdUMkpGV2xwWlZWcHJWVEZLVjJOSWJGZFdSVXBvVmtSS1QyUkdTbkphUm1ocFZqTm9WVmRXVWs5Uk1XUkhWMjVTVGxaRlNsaFVWbVEwVjBaYVdHUkhkRmhTTUhCSlZsZDRjMWR0U2toaFJsSlhUVVp3VkZacVNrZFNiRkp6Vlcxc1UwMHhSalpXYWtvd1ZURlZlRmR1U2s1WFJYQnhWVzB4YjFZeFVsaE9WemxzWWtad2VGVnRNVWRVTWtwR1YyeHdXbFpXY0hKV1ZFWkxWMVpHY21KR1pHbFhSVXBKVm10U1MxVXhXWGhXYmxaV1lsaENWRmxyVm5kV1ZscDBaVWM1VWsxWFVucFdNV2h2VjBkS1JrNVdVbFZXTTJoSVZHdGFjMk5zWkhSa1IyaHBVbGhCZDFkV1ZtOVVNVnAwVTJ4V1YyRXhTbUZhVjNSaFYwWndSbFpZYUZkTlZrcDVWR3hhVDJGV1NuUlBWRTVYVFc1b1dGbHFTa1psUm1SWldrVTFWMVpzY0ZWWFZsSkhaREZrUjJKSVRtaFNlbXhQVkZaYWQyVkdWblJsU0dScFVqQndWMVl5ZEhkV01ERnhVbXRvVjFaRldreFdNVnBIWTIxS1IxcEdaRTVOUlhCS1ZtMTBVMU14VlhoWFdHaGhVMFphVmxscldrdGpSbHB4VkcwNWEySkhVbnBYYTFKVFYyeFpkMkpFVWxkTmFsWlVWa2Q0WVZKc1RuTmhSbkJZVTBWS1NWWnFRbUZXYlZaWVZXdG9hMUp0YUZSWmJGcExVMnhrVjFadFJtcE5WMUl3Vld4b2MyRkdTbGRUYlVaaFZqTlNhRmxWV25OT2JFcHpXa2R3YVZORlNrbFdiR040WXpGVmQwMUliR2hTYlhoWVdXeG9RMVJHVW5KYVJWcHNVbTFTZWxsVldsTmhSVEZ6VTI1b1YxWjZSVEJhUkVaclVqSktTVlJ0YUZObGJYaFFWa1phWVdReVZrZFdibEpPVmxkU1YxUlhkSGRXTVd4eVZXMUdXRkl3VmpSWk1HaExWMnhhV0ZWclpHRldWMUpRVldwS1MxSXlSa2hoUlRWWFltdEtNbFp0TVRCVk1VMTRWVzVTVjJKSFVsVlpiWFIzWWpGV2NWTnRPVmRTYlhoYVdUQmFhMkV3TVZkalJteGhWbGROTVZaWGMzaGpNVTUxWTBaa1RtRnNXbFZXYTJRMFV6RktjMXBJVmxSaVJscFlXV3RhZG1Wc1drZFdiVVphVmpGS1IxUnNXbUZWUmxsNVlVaENWbUpIYUVSVWJYaHJWbFpHZEZKdGNFNVdNVWwzVmxkNGIyTXlSa2RUYkdSVVlsVmFWbFp1Y0Zka2JGcHlWMjFHYWxacmNEQmFSV1F3VlRKRmVsRllaRmhpUmxwb1dWUktSMVl4VG5OYVIyaE9UV3hLV1ZkWGVHOVJNVTE0WTBaYVdHRXpRbk5WYlRGVFpXeHNWbGRzVG1oV2EzQXhWVmMxYjFZeFdYcGhTRXBYVmtWYWVsWnFSbGRqTVdSellVZG9UazFWY0RKV2JHTjRUa2RSZVZaclpGZGlSMUp2Vlc1d2MySXhVbGRYYm1Sc1ZteHNOVlJzYUd0V01rcEhZa1JhV2xaV1NsQldNakZHWlZaV2NscEhSbGRXTVVwUlZsUkNWazVXV1hsU2EyaG9VbFJXV0ZsdGRFdE5iRnAwVFZSQ1ZrMVZNVFJXVnpWVFZqSktTRlZzV2xwaVdGSXpXV3BHVjJOV1RuUlBWbVJUWWxob1lWZFVRbUZoTVZwelUyNU9hbEp0ZUZaV2JGcExVMFphV0dNemFGaFNiRnA1V1ZWYWExUnRSbk5YYkZaWFlUSlJNRmxVUms5U01WcDFWR3hvYVZKc2NGbFhWM1JoWkRGa1YxZHJhR3hTTUZwaFZtcEdTMUl4VW5OWGJVWldVbXhzTlZsVldsTldNa1Y0VjJ0MFZWWnNjSEpaZWtaaFpFVTVWMVpyTlZkaWEwWXpWbXhqZDAxV1RYaFZXR2hZWW1zMVZWbHNWbUZXYkZwMFpVaGtUazFXY0hsV01qRkhZV3hhY21ORVJsaGhNWEJRVmtkNFlXTnRUa1ZYYkdST1lteEtlVmRZY0VkV2JWWlhWRzVXVkdKRk5XOVpXSEJYVjFaa1YxVnJaR3ROYTFwSVdXdGFiMkZ0Vm5KWGJHaFZWbTFTVkZZeWVHdGpiRnBWVW14b1UyRXpRbUZXVm1NeFlqRlplRmRxV2xKWFIyaFhWbXRXWVdWc1duRlNiWFJyVm14S01GVnRlRTloUjFaelYyeGtWMkpIVGpSVWEyUlNaVlphY2xwR1pGaFNNMmg1Vmxkd1ExbFhUa2RXYmxKc1UwZFNjMWxyV2xkT1ZsSnpXWHBXVjAxRVJsaFphMUpoVjJ4YVYyTklXbGROYm1ob1ZtcEdZV05XVm5OYVJUVlhZbXRLU2xZeGFIZFNNVmw1VkZoc1UyRXlhSEJWYlhNeFkwWnNWVkZ1WkU1aVJuQXdXbFZqTldFd01WWk5WRkpYWWtkb2RsWXdXbXRUUjBaSFlVWndhVmRIYUc5V2JURTBZekpPYzFwSVZtRlNNMEpVV1d0YWQwNUdXbGhOVkVKT1VteHNORll5TlZOV2JVcElaVWRvVm1KSFVsUlZNRnBoWTFaT2NscEZPV2xTV0VJMlZtdGtORmxXVlhsVGExcFlWMGhDV0Zac1duZFNNVkY0VjJ0T1ZtSkZTbFpVVlZGM1VGRTlQUT09'
while 1:
s=base64.b64decode(s)
print s
flag:nctf{please_use_python_to_decode_base64}
5.騷年來一發(fā)嗎
密文:iEJqak3pjIaZ0NzLiITLwWTqzqGAtW2oyOTq1A3pzqas
加密函數(shù)
<?php
function encode($str){
$_o=strrev($str); //strrev反轉(zhuǎn)字符串
for($_0=0;$_0<strlen($_o);$_0++){
$_c=substr($_o,$_0,1);
$__=ord($_c)+1; //返回字符串 string 第一個字符的 ASCII 碼值肌索。
$_c=chr($__); //返回相對應于 ascii 所指定的單個字符。
$_=$_.$_c;
}
return str_rot13(strrev(base64_encode($_)));
}
?>
substr函數(shù)
strrev函數(shù)
str_rot13函數(shù)
寫解密函數(shù)
<?php
function decode($str)
{
$str=base64_decode(strrev(str_rot13($str)));
$_o=strrev($str);
for($_0=0;$_0<strlen($_o);$_0++)
{
$_c=substr($_o,$_0,1);
$__=ord($_c)-1;
$_c=chr($__);
$_=$_.$_c;
}
return $_;
}
$string='iEJqak3pjIaZ0NzLiITLwWTqzqGAtW2oyOTq1A3pzqas';
echo decode($string);
?>
nctf{rot13_and_base64_and_strrev}
6.mixed_base64
mixed_base64.png
import random
from base64 import *
result={
'16':lambda x:b16encode(x),
'32':lambda x:b32encode(x),
'64':lambda x:b64encode(x),
}
flag=b"nctf{************}"
for i in range(10):
a=random.choice(['16','32','64'])
flag=result[a](flag)
with open("code.txt","wb")as f:
f.write(flag)
lambda匿名函數(shù)
從based64,32,16隨機選一個特碳,反復加密十次诚亚。
from base64 import *
import itertools
s=open('mixed_based64.txt','r').read()
result={
'16':lambda x:b16decode(x),
'32':lambda x:b32decode(x),
'64':lambda x:b64decode(x)
}
for i_1 in ['16','32','64']:
for i_2 in ['16','32','64']:
for i_3 in ['16','32','64']:
for i_4 in ['16','32','64']:
for i_5 in ['16','32','64']:
for i_6 in ['16','32','64']:
for i_7 in ['16','32','64']:
for i_8 in ['16','32','64']:
for i_9 in ['16','32','64']:
for i_10 in ['16','32','64']:
try:
print result[i_10](result[i_9](result[i_8](result[i_7](result[i_6](result[i_5](result[i_4](result[i_3](result[i_2](result[i_1](s))))))))))
except:
continue
python2跑一下nctf{random_mixed_base64_encode}
7.異性相吸
按照提示跑一下
ens=open('encode.txt','r').read()#密文
des=open('decode.txt','r').read()#明文
for i in range(len(des)):
print chr(ord(des[i])^ord(ens[i]))
nctf{xor_xor_xor_biubiubiu}
8.MD5
import hashlib
for i in range(32,127):
for j in range(32,127):
for k in range(32,127):
m=hashlib.md5()
m.update('TASC'+chr(i)+'O3RJMV'+chr(j)+'WDJKX'+chr(k)+'ZM')
des=m.hexdigest()
if 'e9032' in des and 'da' in des and '911513' in des:
print des
nctf{e9032994dabac08080091151380478a2}
9.Vigenere
放一個別人大佬跑的
#include <stdio.h>
#define KEY_LENGTH 2 // Can be anything from 1 to 13
main(){
unsigned char ch;
FILE *fpIn, *fpOut;
int i;
unsigned char key[KEY_LENGTH] = {0x00, 0x00};
/* of course, I did not use the all-0s key to encrypt */
fpIn = fopen("ptext.txt", "r");
fpOut = fopen("ctext.txt", "w");
i=0;
while (fscanf(fpIn, "%c", &ch) != EOF) {
/* avoid encrypting newline characters */
/* In a "real-world" implementation of the Vigenere cipher,
every ASCII character in the plaintext would be encrypted.
However, I want to avoid encrypting newlines here because
it makes recovering the plaintext slightly more difficult... */
/* ...and my goal is not to create "production-quality" code =) */
if (ch!='\n') {
fprintf(fpOut, "%02X", ch ^ key[i % KEY_LENGTH]); // ^ is logical XOR
i++;
}
}
fclose(fpIn);
fclose(fpOut);
return;
}
