1-1 可老师签到
本题思路如下:
提示“发送的内容为双写字符串拼接”
公众号发送flagflag即可
1-2 find
本题思路如下:
把表格文件当压缩包解压,找到flag.xlsx\xl\worksheets\sheet1.xml
发现里面存了数据,于是考虑把数据格子上色以得到flag
先将xml文件处理以获得纯数据
代码:
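from openpyxl import load_workbook
from openpyxl.styles import PatternFill

# Load the target workbook.
# NOTE(review): openpyxl does not guard against XML entity-expansion input
# (quadratic blowup / billion laughs) unless the defusedxml package is
# installed; install it before opening a workbook from an untrusted source.
wb = load_workbook('flag.xlsx')
ws = wb.active

# Solid red fill applied to every listed cell.
red_fill = PatternFill(start_color='FF0000', fill_type='solid')

# Read the cell addresses from the text file, one per non-blank line.
with open('1.txt', 'r') as f:
    cell_positions = [line.strip() for line in f if line.strip()]

# Colour each listed cell. Skipping a bad address is deliberate best-effort,
# but only ordinary errors are caught: a bare `except:` would also swallow
# KeyboardInterrupt and SystemExit.
for cell_address in cell_positions:
    try:
        ws[cell_address].fill = red_fill
    except Exception:
        print(f"警告:单元格 {cell_address} 不存在,已跳过")

# Write the result to a new file so the original workbook stays untouched.
wb.save('colored_target.xlsx')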
运行就可以获得一个二维码,扫描获得flag
1-3 pfsense
本题思路如下:
T1使用工具分析
Base64解码获得flag
T2 火眼
1-4 WinCS
本题思路如下:
T1
用CurrPorts
T2、3使用工具对流量包进行解密
从中可以获得flag内容和压缩包密码
用密码解压可以获得压缩包里的flag
第二部分:CRYPTO
2-1 LCG
本题思路如下:
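# Recover the seed X0 of a linear congruential generator
#     X_{k+1} = (a * X_k + b) mod m
# from its tenth output X10 = c.
# With a, b and m known, every step can be inverted directly, which is why
# LCG output must not be used where unpredictability is required.
# Only the standard library is needed: pow(x, -1, m) (Python 3.8+) and
# int.to_bytes replace the gmpy2 / libnum helpers.
a = 156506070439514915241840745761803504236863873655854161309517219593159285490218416513868431750791509039364033002042672969954633160268127141912185884526880436614313300761314810148356686577662643452299620703125833160716418003026915719584690230453993382155777985020586206612864299316237848416232290650753975103343
b = 99238154412252510462155206432285862925162164007834452250464130686978914370223020006347851539449419633688760095534852514797292083351953228730558335170313299274579966373474363445106224340638196799329142279344558612634392675992734275683700752827665429269516389277374408716314038483357418130704741371183923688601
c = 46154227430594568448486764587707836676441274677362557668215680998009402508945237578201692757688901737765923819819981974561807236454825684824157481322486008937560337004555948283870920377643907746645702190355761172293685309340938249454686807948964629553755585562990983237480387614548526918576791297250747752579
m = 94993804003827679355988952056520996247311128806455111011781585397953533782675757682874584547665028872979112598462143541626190903596606261782592703863749024490737374603789002750194481545579020929239629410573307193150780522563772690101754723829224534622557370960012364614566294197235191962517037441643656951249


def modinv(a, m):
    """Return the inverse of a modulo m, or None when a and m are not coprime."""
    try:
        return pow(a, -1, m)
    except ValueError:
        # pow() raises ValueError when the base is not invertible modulo m.
        return None


a_inv = modinv(a, m)
if a_inv is None:
    # Exit with a non-zero status; the bare exit() helper is only provided by
    # the site module and reported success even on this failure path.
    raise SystemExit("a和m不互质,无法求逆元")

# Step back ten times from X10 = c: X_k = (X_{k+1} - b) * a^{-1} mod m.
current = c
for _ in range(10):
    current = (current - b) * a_inv % m

# Convert X0 to big-endian bytes.
flag = current.to_bytes((current.bit_length() + 7) // 8, 'big')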
print("原文:", flag.decode())
运行就可以获得flag
2-2 knock knock
本题思路如下:
2-3 Ununicast
本题思路如下:
import libnum
import gmpy2
from functools import reduce# 给定的n和c值
# Challenge data: five (modulus, ciphertext) pairs.
n1 = 22103870455568232891149694305142888751834308614394265111616851946569600408214771004642537180847811632101335684526571461971168013515137837024900824805617026937904594229522094231161022911739124543737188196687483192656237801622618078066399259928261566545087643719410735482610730976575506701177108423445928193645406926842010985319473171710362525271971508507747952666476652082985675013329629912123828667561346609223913700779782291638584038925201698832368301491167548373412290987271213331940429281040520028261848410995501268272516219976073764836056701179000719299634048587399330114683369803481960168019956231748933059575086
c1 = 11932229075145446680509155897048554062128427256365407597246250504495581359308426337230014475362231568192824606320775755785288148002607456528824047021370456983795336102290050703706457189838464034831160081682076095173411617546158489572376376884672473947738113750437924641752734999601688973523833305072494573210602790160977994408649942476416234572187935125916149727341802693373659080702112924850348826357976589797895053949499171267826718541148026541242636886850084012913015158312606367900952240929619627369492395483334316329627526281924799100659188037308919177852074431004118744919974806767580700568542188744931220106105
n2 = 75527641277099990800438920440041058388427571492243099817050670120985557789492014161535482889418153237600686779752008243731659250445079816272020155052679163716181164111466120389153470493389801068487079484957125572093805976995390398541806299511780722297642464948545911633969882049338027366168822259177038560221615245305724815740962661657512543487558774545803259821939839314547049519064559274668861232108875651136746020639698802437427698294031084596199751751480045337605111284980409927684686225365555725770862339970487179511801140925931587981761559129421142486178642732741442537609122284807214875446647952010067400441059
c2 = 124027357006179169026958610630330051622067042499828335143384044470302479154098199844981110929954078399392164965842575040140695741764719533745054315027041147434320473103634538090232615962998187567447484128103678001361703834076345621055674269048895730502155866761233018172058631071676397257894588728272913258599692996320058955017804506826897453939809574483310935927402899939042162496213745140970798253433830063777555869660983592646174581212241911650074643983280676238861065129884340834318081282521338654119292893592735294429956139729060770783817702837759047833794757601190967753969500822631312988106678317432186105038268
n3 = 67087501562139943813249584173215038264768218519355997619681399311361081244680048116472803745503996059873261361695629103578075388683394265112338602330356608572716276538183020643625652731722917269342461918246200053767885270359910155650804090015847462552469649420213346519159991670579334968778366255234963922378971680452094795318028353408405313888877068259282684640458674087251102468714734787171166396014144021959441774122328495595094512659302451021226956296868717965902597097040721193168373568780684532295504916946312087113872338693404258549907349353138009767393388073227204853717415106619739522003848121147803734511476
c3 = 34907142326483502918854711671956997110565154361385230791804714287500927140885225814711150443792832759398271249995064551044140838772959358268339105708186456545576271462167016667528764892342067422814982959975071847067493078241698635502292984200940132917130864956317815578073656622172241742542237740221147402449228459532782232518010610903660510875077798419046748683570340175197592449547071220020985311569095928938768945219762563190314531483012532595972282105394784611117089120803198848347397871670119847470687912177591609360741114570213377874848453859418234331921560384819899391157666714587396643397702710016410117040255
n4 = 107655225342909323493747650996643964780949305458547565103531987767712606044684527447631280423897684091717655597473336978923442425477823322239803312759244627308704521511743542550831030718035257133033470431042111429555597381959609892666206716219532081847930970282959800999825630713834546858387640307817593411764905032303294057112362597297253851687870254992314351948709124427458348128204263663881362955482132512838054738519685384575921373737470245719421223898475756247409282692966862335515090757754459242168056461013405091180148696649963461602177212697836496306046456138474445624214914814699390257673835554848791003397055
c4 = 260074379614284795599484546451240257157763532480505168853160303924952553177325935242853666448209970957052626857104522597130316456316378917529016900063473199051496246209878864043477905068893003923546332891289993179385753129868269775271722630762054161951558359984426822705582509592976962739279251035941138103001411061238095611738024433238447078804016593599525582868080696498271912174235479368671466666819582104245707176341268617126063957318342864903403961673418935623112290599738566078566393961145470677825235949530460449737989243772214379341818676279908757907698136648847166264635580606733816599243489965651372128251328
n5 = 70199621485671842359044641866403168058670803503736686351887502686934276983786039926002198676793045683182125769300687612734657616494815167750772182403321230734527784596550124329071164871143795929191396166096178482901122962656943854107741654772981259089537233024363295465966490361367216383217631330482253245796203648485653095242684462412133029510769320566443165990471527944889669809129572843754832577807509454633886982402256837076791468127186325307925886447397529190962280905611709973103713165872442266384750885343667064502988575278416037070011939869923447549518023420261237007329747290577829325263253564790709373901618
c5 = 207467685064436795719671032825183115862587233648672449925340580227825675452627031507906214773278665727530027025673966750973641715014217092820995216768554881760711270444952703291126925400881160114713107315867759288572987159233984669439942981888636828978580980986834342715153361271280814208437227309185682033733871844684874967978852089340054449142896831217885786745795842561143568848428620959961049292832772489885193639646881909425599177539209159664137785111991625129191354004990699226809474030005545318219197509201907072684957499981194498761673049651408375607248956494019809957851295451628144493493011699904221882421955

# The pairs collected in index order.
n_list = [
    n1,
    n2,
    n3,
    n4,
    n5,
]
c_list = [
    c1,
    c2,
    c3,
    c4,
    c5,
]

# Small factor s_i divided out of each n_i, and the per-ciphertext
# coefficient (index + 1).
s_list = list(range(2, 7))
coefficients = list(range(1, 6))

# Factor every n_i as s_i * N_i.
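# Split every modulus n_i into its small factor s_i and the cofactor N_i.
# The loop follows the lists themselves instead of a hard-coded count of 5.
N_list = []
for idx, (s, n) in enumerate(zip(s_list, n_list), start=1):
    # Explicit check rather than assert: asserts are stripped under
    # `python -O`, after which n // s would silently floor a bad input.
    if n % s != 0:
        raise ValueError(f"n{idx}无法被{s}整除")
    N_list.append(n // s)

# Compute c_i' = c_i * inverse(coefficient, n_i) % n_i, then reduce it
# modulo N_i to obtain the residue.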
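# Strip the per-ciphertext coefficient and keep the residue modulo N_i.
# The unused locals of the original loop (s, n) are dropped and the loop
# follows the lists instead of a hard-coded count of 5.
m_e_mod_N = []
for n_i, c_i, coeff, N_i in zip(n_list, c_list, coefficients, N_list):
    # gmpy2.invert raises ZeroDivisionError when coeff has no inverse mod n_i.
    inv_coeff = gmpy2.invert(coeff, n_i)
    c_prime = (c_i * inv_coeff) % n_i
    m_e_mod_N.append(c_prime % N_i)

# Apply the Chinese remainder theorem.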
def crt(moduli, remainders):
    """Combine the residues into a single value modulo the product of moduli.

    Each term is r_i * M_i * (M_i^-1 mod m_i) with M_i = product // m_i.
    gmpy2.invert raises ZeroDivisionError when M_i has no inverse modulo m_i,
    i.e. when the moduli are not pairwise coprime.
    """
    product = reduce(lambda acc, factor: acc * factor, moduli)
    terms = (
        r_i * (product // m_i) * gmpy2.invert(product // m_i, m_i)
        for m_i, r_i in zip(moduli, remainders)
    )
    return sum(terms) % product


D = crt(N_list, m_e_mod_N)

# Try the candidate exponents e to recover the plaintext.
# D is the CRT-combined value. An exact integer e-th root exists only when
# m**e is smaller than the product of the moduli, which is the case for an
# unpadded message under a small exponent; randomized padding such as OAEP
# removes that property.
possible_e = [11, 13, 17, 19, 23, 29]
for e in possible_e:
    candidate, exact = gmpy2.iroot(D, e)
    if not exact:
        continue
    m = int(candidate)
    flag = libnum.n2s(m)
    print(f"Found e = {e}")
    print("Flag:", flag)
    break
else:
    # Reached only when no candidate exponent gave an exact root.
    print("未找到正确的e值,请检查输入数据。")
运行即可获得flag
2-4 beginner
本题思路如下:
# The given decimal value. The steps below recover N from D under the
# assumption that D = N * 2**10000 reduced modulo 10**125 (presumably the
# challenge's construction; confirm against the task source).
s = '16732186163543403522711798960598469149029861032300263763941636254755451456334507142958574415880945599253440468447483752611840'
D = int(s)

# D must be divisible by 2**125.
mod_2_125 = 2 ** 125
assert D % mod_2_125 == 0, "D is not divisible by 2^125"

# Work in the 5**125 component, where 2 is invertible.
mod_5_125 = pow(5, 125)
D_5 = D % mod_5_125

# Inverse of 2**10000 modulo 5**125, then undo the multiplication.
inv_2_10000 = pow(pow(2, 10000, mod_5_125), -1, mod_5_125)
N = D_5 * inv_2_10000 % mod_5_125

# Convert to big-endian bytes and decode as UTF-8 text.
byte_len = (N.bit_length() + 7) // 8
flag_bytes = N.to_bytes(byte_len, 'big')
flag = str(flag_bytes, 'utf-8')
print(flag)
运行即可获得flag
第三部分:WEB
3-3 来个弹窗
本题思路如下:
输入<script>alert(0)就可以触发
随后出现的图片是白金之星,直接转换成32位小写md5
3-6 coke的登陆
本题思路如下:
“曲奇饼干s”就是cookies
注释里写了账号
Bp抓包获得cookies
密码就是coke-lishuai
第四部分:REVERSE
4-2 解码器
本题思路如下:
# Encoded bytes taken from the binary under analysis.
cipher = [0x53, 0x46, 0x4e, 0x58, 0x58, 0x4a, 0x26, 0x5b, 0x57, 0x29, 0x56, 0x50, 0x53, 0x52, 0x5c, 0x53]
plain = []
printable = range(32, 127)
for i, c in enumerate(cipher):
    # Case 1: temp = c (not adjusted).
    p1 = (c - i) % 127
    # Case 2: temp = c - 32 (was adjusted).
    p2 = (c - 32 - i) % 127
    # Prefer the printable candidate; p1 is the default when neither is
    # printable or both are.
    plain.append(p2 if p1 not in printable and p2 in printable else p1)
result = ''.join(map(chr, plain))
print(result)
发现运行结果就是ida中的原文,所以考虑对其计算32位小写md5哈希,得到flag