NSSCTF 2nd WP
title: NSSCTF 2nd wp
tags: ctf
categories: 赛题复现
abbrlink: 4b18615c
date: 2023-08-30 00:31:50
NSSCTF 2nd WP
MISC
gift_in_qrcode
import qrcode
from PIL import Image
from random import randrange, getrandbits, seed
import os
import base64
# Challenge service: publishes 20 PRNG outputs inside a low-contrast QR code
# and hands out the flag to whoever supplies the 21st output.

# Flag comes from the environment; a placeholder is used when FLAG is unset.
flag = os.getenv("FLAG", "flag{test}")

# The generator is re-seeded with one of only 999 possible values.
# NOTE(review): `random` is a Mersenne Twister, not a cryptographic generator,
# and a 999-value seed space can be enumerated; values that must stay
# unpredictable should come from the `secrets` module instead.
secret_seed = randrange(1, 1000)
seed(secret_seed)

# The first 20 bytes are revealed to the player, the next one is the answer.
revealed_bytes = [str(getrandbits(8)) for _ in range(20)]
target = getrandbits(8)
reveal = ",".join(revealed_bytes)

# Render the revealed numbers as a QR code, trim 35 px from every edge and
# shrink the result by `rate`.
img_qrcode = qrcode.make(reveal)
full_width, full_height = img_qrcode.size
img_qrcode = img_qrcode.crop((35, 35, full_width - 35, full_height - 35))
offset, delta, rate = 50, 3, 5
shrunk_size = (int(img_qrcode.size[0] / rate), int(img_qrcode.size[1] / rate))
img_qrcode = img_qrcode.resize(shrunk_size, Image.LANCZOS)

# Re-draw the code with almost no contrast: pixels that are exactly 255 get
# channel values in [offset, offset + delta), every other pixel gets values in
# [offset - delta, offset).
img_out = Image.new("RGB", img_qrcode.size)
out_width, out_height = img_qrcode.size
for y in range(out_height):
    for x in range(out_width):
        if img_qrcode.getpixel((x, y)) == 255:
            low, high = offset, offset + delta
        else:
            low, high = offset - delta, offset
        # Three draws per pixel, in R, G, B order.
        img_out.putpixel(
            (x, y),
            (randrange(low, high), randrange(low, high), randrange(low, high)),
        )

# Write the image to disk, then read it back so it can be sent as Base64 text.
img_out.save("qrcode.png")
with open("qrcode.png", "rb") as f:
    data = f.read()
print("This my gift:")
print(base64.b64encode(data).decode(), "\n")

# NOTE(review): the expected answer is printed before the prompt, so the check
# below discloses its own secret.
print(target)
ans = input("What's your answer:")
if ans != str(target):
    print("No no no!")
else:
    print(flag)
题目所给附件内容如上
分析过后发现,程序在读取输入之前就执行了 print(target),直接输入打印出的 target 即可获得 flag
Magic Docker
题目提示执行命令,docker run randark/nssctf-round15-magic-docker
执行过后发现要求输入 secret
查看docker文件
发现 app 目录下的 main.py 文件内容为
import click
import random
import sys
import os
from time import sleep
# Command-line entry point: compares the --secret option with the module-level
# `answer` and prints one of two fixed messages. Neither branch prints a flag.
# (Comments are used instead of a docstring because click would show a
# docstring as the command's help text.)
@click.command()
@click.option('--secret', help='default=none,between 0 and 100', type=int)
def func(secret):
    # Both sides are compared as strings, so an omitted option ("None") simply
    # fails the comparison.
    if str(secret) != str(answer):
        print("No! You don't know anything about docker!")
        print("How dare you! ")
        return
    print("Congratulations!")
    print("But where is your flag? (=‵ω′=)")
# ASCII-art banner shown when the script is run directly; it has no effect on
# the secret check.
BANNER="""
███╗ ██╗███████╗███████╗ ██████╗████████╗███████╗ ██████╗ ███╗ ██╗██████╗
████╗ ██║██╔════╝██╔════╝██╔════╝╚══██╔══╝██╔════╝ ╚════██╗████╗ ██║██╔══██╗
██╔██╗ ██║███████╗███████╗██║ ██║ █████╗ █████╔╝██╔██╗ ██║██║ ██║
██║╚██╗██║╚════██║╚════██║██║ ██║ ██╔══╝ ██╔═══╝ ██║╚██╗██║██║ ██║
██║ ╚████║███████║███████║╚██████╗ ██║ ██║ ███████╗██║ ╚████║██████╔╝
╚═╝ ╚═══╝╚══════╝╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═══╝╚═════╝
███╗ ███╗ █████╗ ██████╗ ██╗ ██████╗ ██████╗ ██████╗ ██████╗██╗ ██╗███████╗██████╗
████╗ ████║██╔══██╗██╔════╝ ██║██╔════╝ ██╔══██╗██╔═══██╗██╔════╝██║ ██╔╝██╔════╝██╔══██╗
██╔████╔██║███████║██║ ███╗██║██║ ██║ ██║██║ ██║██║ █████╔╝ █████╗ ██████╔╝
██║╚██╔╝██║██╔══██║██║ ██║██║██║ ██║ ██║██║ ██║██║ ██╔═██╗ ██╔══╝ ██╔══██╗
██║ ╚═╝ ██║██║ ██║╚██████╔╝██║╚██████╗ ██████╔╝╚██████╔╝╚██████╗██║ ██╗███████╗██║ ██║
╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚═════╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
"""
if __name__ == "__main__":
    # The flag file is removed as the very first action of the default command.
    # NOTE(review): this only happens when this script is what the container
    # runs; the write-up reads /flag by starting the image with a different
    # command, so the file presumably ships inside the image itself and a
    # run-time delete does not protect it.
    os.system("rm -f /flag")
    print(BANNER)

    # A constant seed makes `answer` the same value on every run.
    random.seed("NSSCTF 2nd")
    answer = random.randint(0, 100)

    # With at least one command-line argument, click parses the options;
    # otherwise only a hint is printed.
    if len(sys.argv) >= 2:
        func()
    else:
        print("You need to give me the secret!")
若按照预设命令启动,main.py 一开始就会执行 rm -f /flag,容器里的 flag 文件会被删除
但删除只发生在这次运行的容器里,flag 仍然保留在镜像中,所以我们自定义 docker 启动命令
直接执行 cat /flag
gift_in_qrcode(revenge)
连接一下得到一堆 Base64 编码
先写个脚本解码Base64保存为png
import base64
# Base64 text received from the service goes here (the value below is a
# placeholder).
base64_string = "your_base64_string_here"

# Convert the text back to raw bytes.
png_bytes = base64.b64decode(base64_string)

# Write the bytes out unchanged; the service sends a PNG, hence the file name.
with open("image.png", "wb") as out_file:
    out_file.write(png_bytes)
扫码得到二十个随机数
根据这二十个随机数计算出随机数种子,再算出下一个随机数,输入程序中即可拿到 flag
然后最无脑的爆破来了
为什么要爆这么久,早知道我再多爆一会的..
from pwn import *
# Retry loop used in the write-up: every connection submits the same constant
# answer and the loop ends on the first reply that is not the failure message.
# It does not compute anything from the revealed numbers; it only waits for a
# round in which the expected value happens to equal the constant.
count = 0
while True:
    conn = remote("node5.anna.nssctf.cn", 28380)

    # Three reads precede the answer; their contents are decoded and discarded.
    for _ in range(2):
        conn.recvline().decode()
    conn.recv().decode()

    conn.sendline('110'.encode())
    count += 1
    print('count:', count)

    output = conn.recvline().decode()
    if 'No no no!' in output:
        continue
    print(output)
    break
Crypto
EzRSA
发现 e = 3,低加密指数爆破
脚本一把梭
import binascii
import gmpy2
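# Small-public-exponent recovery for unpadded RSA: if the message was
# encrypted as m**e mod n with no padding, then m**e == c + i*n for some small
# i >= 0, and m is an exact integer e-th root of that value.
# Randomised padding (for example OAEP) removes this shortcut.
e = 3
# Modulus n and ciphertext c taken from the challenge.
n = 115383855234466224643769657979808398804254899116842846340552518876890834212233960206021018541117724144757264778086129841154749234706140951832603640953383528482125663673926452745186670807057426128028379664506531814550204605131476026038420737951652389070818761739123318769460392218629003518050621137961009397857
c = 5329266956476837379347536739209778690886367516092584944314921220156032648621405214333809779485753073093853063734538746101929825083615077
i = 0
while True:
    # iroot returns (root, is_exact); the exponent is taken from `e` rather
    # than repeated as a literal so the two cannot drift apart.
    res = gmpy2.iroot(c + i * n, e)
    if res[1]:
        m = int(res[0])
        # Convert straight to bytes. The previous hex()/unhexlify round trip
        # raised an error whenever the hex string had an odd number of digits,
        # and the strip("L") was a Python 2 leftover.
        print(m.to_bytes((m.bit_length() + 7) // 8, "big"))
        break
    print("i=" + str(i))
    i = i + 1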
NSSCTF{Rea1_Si9n3n}
FunnyEncrypt
本来想看看能不能词频分析的,结果发现完全对不到
只好根据已知的 nssctf 和前面的一堆话,寻找符合预感的字符与字母的对应关系,慢慢对应着就可以找到