cyi 源鲁杯2024第一轮wp

Round 1

Misc

[Round 1] hide_png

stegsolve黑白通道（需要自己适当调整大小），然后丁真

YLCTF{a27f2d1a-9176-42cf-a2b6-1c87b17b98dc}

[Round 1] plain_crack

给了build.py和初始的build，

压缩后发现两个文件一样，且加密算法为zipcrypto，考虑明文攻击

APCHPR，得到秘钥就可以停了

使用bkcrack提取，提取后是deflate压缩模式，使用bkcrack的inflate.py解压缩

打开word里有个假flag，word本质是zip，将后缀改成zip并解压

word-->media-->得到flag

YLCTF{a709598c-f54c-4db5-ab69-8ddb499df053}

[Round 1] pngorzip

方法一：stegsolve

将多余数据移除

方法二：zsteg

提取对应通道的信息

zsteg -e b1,rgb,lsb,xy out.png > 1.zip

压缩包，注释提示114514????

掩码攻击

YLCTF{d359d6e4-740a-49cf-83eb-5b0308f09c8c}

[Round 1] trafficdet

喂给gpt

模型训练，通过train.csv所有标签及其lable进行训练，使用test.csv进行模拟，最后输出仅有id和label答案的csv

import pandas as pd
from sklearn.preprocessing import StandardScaler
from sklearn.ensemble import RandomForestClassifier# 加载数据
train_df = pd.read_csv("D:\\contest\\attachments\\train.csv")
test_df = pd.read_csv("D:\\contest\\attachments\\test.csv")# 删除不必要的列
train_df.drop('Src Port', axis=1, inplace=True)
test_df.drop('Src Port', axis=1, inplace=True)# 分离特征和标签
X = train_df.drop('Label', axis=1)
y = train_df['Label']# 特征缩放
scaler = StandardScaler()
X_scaled = scaler.fit_transform(X)
X_test_scaled = scaler.transform(test_df)# 训练模型
model = RandomForestClassifier(n_estimators=100, random_state=42)
model.fit(X_scaled, y)# 预测测试集
y_test_pred = model.predict(X_test_scaled)# 创建提交文件
submission_df = pd.DataFrame({'id': test_df.index, 'Label': y_test_pred})
submission_df.to_csv('submission.csv', index=False)

[Round 1] 乌龟子啦

base64解码得到长图片，放大发现是01

在线ocr：图片转文字在线 - 图片文字提取 - 网页OCR文字识别 - 白描网页版 (baimiaoapp.com)

对于连续的01，识别有问题，自己缝缝补补又一题

随便放大缩小，发现是二维码

宽高知道（180x180），1--黑，0--白

YLCTF{f6a6f8cf-c25b-49a8-8f17-c8fbd751faa4}

[签到] 打卡小能手

公众号启动

Web

[Round 1] Disal

robots.txt

php特性题

a：大于999999＋至少6个字母

b：numeric函数特性

[Round 1] Injct

ssti，fenjing 一把梭，无回显，使用dns外带

[Round 1] shxpl

经典命令执行，fuzz发现&没过滤，ls被ban了，用dir

再fuzz一下读取文件的函数，发现空格被ban了

nl可以，%09可以

得到源码

查看根目录

过滤了flag、？、*

用正则匹配

Reverse

[Round 1] xor

upx脱个壳先

简单的异或

list1=[0x45,0x50,0x5f,0x48,0x5a,0x67,0x7d,0x28,0x29,0x2d,0x25,0x29,0x29,0x2c,0x31,0x7d,0x7f,0x24,0x28,0x31,0x28,0x7f,0x7e,0x7e,0x31,0x25,0x25,0x7f,0x7f,0x31,0x2f,0x7d,0x28,0x2c,0x2c,0x2e,0x2b,0x7d,0x28,0x28,0x79,0x78,0x61,0x1c]
for i in range(43):print(chr(list1[i]^0x1C),end='')

[Round 1] ezgo

全都是go的一些临时变量，主要加密逻辑就是异或，+53并异或

list = [108, 122, 116, 108, 127, 65, 11, 94, 91, 90, 90, 116, 34, 38, 110, 38, 35, 118, 114, 101, 125, 47, 114, 45, 96,118, 124, 49, 105, 127, 103, 49, 51, 97, 110, 62, 96, 108, 105, 108, 104, 105, 34]
len = len(list)
for i in range(len):print(chr(list[i] ^ (i + 53)), end='')

Crypto

[Round 1] BREAK

p，q给了，爆破e，直接加解密

# encoding:utf-8
from Crypto.Util.number import *
from gmpy2 import invertc = 2924474039245207571198784141495689937992753969132480503242933533024162740004938423057237165017818906240932582715571015311615140080805023083962661783117059081563515779040295926885648843373271315827557447038547354198633841318619550200065416569879422309228789074212184023902170629973366868476512892731022218074481334467704848598178703915477912059538625730030159772883926139645914921352787315268142917830673283253131667111029720811149494108036204927030497411599878456477044315081343437693246136153310194047948564341148092314660072088671342677689405603317615027453036593857501070187347664725660962477605859064071664385456
p = 112201812592436732390795120344111949417282805598314874949132199714697698933980025001138515893011073823715376332558632580563147885418631793000008453933543935617128269371275964779672888059389120797503550397834151733721290859419396400302434404551112484195071653351729447294368676427327217463094723449293599543541
q = 177020901129489152716203177604566447047904210970788458377477238771801463954823395388149502481778049515384638107090852884561335334330598757905074879935774091890632735202395688784335456371467073899458492800214225585277983419966028073512968573622161412555169766112847647015717557828009246475428909355149575012613n = p * q
phi = (p - 1) * (q - 1)for e in range(55555, 66666):if GCD(e, phi) != 1:continued = invert(e, phi)m = pow(c, d, n)flag = long_to_bytes(m)if 'YLCTF' in flag:print flag

[Round 1] signrsa

主要的加密逻辑

c = pow(m,e,n1)
c = pow(c,e,n2)

两个n都可用factordb进行大素数分解，填入n1，n2进行分解，得到对应p、q

import requestsdef queryFactors(n):s=[]url="http://factordb.com/api?query="+str(n)r = requests.get(url)factors=r.json()['factors']for f in factors:for i in range(f[1]):s.append(int(f[0]))return sn1=
n2=
print(queryFactors(n1))
print(queryFactors(n2))

一层一层进行rsa解密即可

# encoding:utf-8
from Crypto.Util.number import *
from gmpy2 import invert
e = 65537
n1 = 18674375108313094928585156581138941368570022222190945461284402673204018075354069827186085851309806592398721628845336840532779579197302984987661547245423180760958022898546496524249201679543421158842103496452861932183144343315925106154322066796612415616342291023962127055311307613898583850177922930685155351380500587263611591893137588708003711296496548004793832636078992866149115453883484010146248683416979269684197112659302912316105354447631916609587360103908746719586185593386794532066034112164661723748874045470225129298518385683561122623859924435600673501186244422907402943929464694448652074412105888867178867357727
n2 = 20071978783607427283823783012022286910630968751671103864055982304683197064862908267206049336732205051588820325894943126769930029619538705149178241710069113634567118672515743206769333625177879492557703359178528342489585156713623530654319500738508146831223487732824835005697932704427046675392714922683584376449203594641540794557871881581407228096642417744611261557101573050163285919971711214856243031354845945564837109657494523902296444463748723639109612438012590084771865377795409000586992732971594598355272609789079147061852664472115395344504822644651957496307894998467309347038349470471900776050769578152203349128951
p1 = 122281872221091773923842091258531471948886120336284482555605167683829690073110898673260712865021244633908982705290201598907538975692920305239961645109897081011524485706755794882283892011824006117276162119331970728229108731696164377808170099285659797066904706924125871571157672409051718751812724929680249712137
q1 = 152715809540018210476585794506755656304018419053948315845024020442944919163424223089911596424947890322440115812073982242024003568582438886041563636295260718520579341235023201649280953992781776747918771204104127874320443126139004728988091615072560392886456699262578469698870106391640100933195833135586571108071p2 = 122281872221091773923842091258531471948886120336284482555605167683829690073110898673260712865021244633908982705290201598907538975692920305239961645109897081011524485706755794882283892011824006117276162119331970728229108731696164377808170099285659797066904706924125871571157672409051718751812724929680249712137
q2 = 164145170653883024647553629463737123010827979171828830103523021501297388761756036648096075592988518245508893542122459154529428778971624332785030551503124716064026198761937539065927958768419405758793987137195172361163960622671936646689220816452043219075732911538605192466301352357559388894114979459113315335423
phi1 = (p1 - 1) * (q1 - 1)
phi2 = (p2 - 1) * (q2 - 1)c2 = 12870694735548290866897639823672353371259339057761805824639632908565936588212576228170701561894938714624019797214256315619791127774911578660863180776914038219073243852067758972965837654176939513411220900256906892671727332530559672859911435188203655483295073730944835188398956395704453835920160070478734582194350774731015758752651764286801746471308589338823535488053653255016284611927915846869319917353182058315137707765063243187448090766762073836454333735044002500383946976916388370472148122113256884693336433185941799945776508628779804064191876873643116471914986013620650152736214320352131610081946978231932382638533d2 = invert(e, phi2)
d1 = invert(e, phi1)m1 = pow(c2,d2,n2)
m2 = pow(m1,d1,n1)flag = long_to_bytes(m2)
print flag

[Round 1] r(A)=3

用python sympy库进行多项式求解

有时候会EOF不知道为什么（运行多几次就行了）

import socket
from sympy import *hostname = 'challenge.yuanloo.com'
port = 37852
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((hostname, port))
x, y, z = symbols('x,y,z')
while True:eq1, eq2, eq3 = "", "", ""ans = {}r = s.recv(1024).decode()print(r)if "function" in r and len(r) <= 15:r = s.recv(1024)while len(r) <= 55:r += s.recv(1024)print(r)r = r.split("\n")f1 = 0for eq in r:if "+" in eq and "=" in eq:f2 = 0a, b, c = 0, 0, 0eq = eq.split("=")right = int(eq[1])shizi = eq[0].split("+")for num in shizi:num = num.split("*")if f2 == 0:a = int(num[0])elif f2 == 1:b = int(num[0])else:c = int(num[0])f2 += 1if f1 == 0:eq1 = Eq((a * x + b * y + c * z), right)elif f1 == 1:eq2 = Eq((a * x + b * y + c * z), right)else:eq3 = Eq((a * x + b * y + c * z), right)f1 = f1 + 1ans = solve((eq1, eq2, eq3), (x, y, z))print anss.sendall((str(ans[x]) + '\n').encode())r = s.recv(1024)s.sendall((str(ans[y]) + '\n').encode())r = s.recv(1024)s.sendall((str(ans[z]) + '\n').encode())