Daily CTF Writeup 20210607

Spider (75pts) - Web

地址:https://spider.031337.xyz
转跳地址为:https://spider.031337.xyz/0
第一反应是ssti,但是测试没用,访问 https://spider.031337.xyz/4 时发现回包有{
爆破得到flag,注意把线程调低

1
ictf{f0ll0w_th3_numb3rs}

Add and Add (75pts) - Crypto

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import random

with open("flag.txt") as f:
flag = f.read().strip().encode()

x = bytes([random.randrange(256)])
while flag:
y = flag[:len(x)]
flag = flag[len(x):]
x += bytes([(a + b) % 256 for a, b in zip(x, y)])

with open("output.txt", "w") as f:
f.write(x[1:].hex())

#output.txt
26209a23a154fe21578e0182d5c2621c89810d86d5b82f8fbeed62f03921c3218a89088a00886c85b6f135f53823c64df7e88a

梳理逻辑:
第一轮,(x + ord(‘i’)) % 256=int(‘26’,16),x=189
第二轮,x=[189,38] y=[99,116]
第三轮,x=[189,38,32,154]……

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
stringT = '26209a23a154fe21578e0182d5c2621c89810d86d5b82f8fbeed62f03921c3218a89088a00886c85b6f135f53823c64df7e88a'
listT = [0]
for i in range(len(stringT)//2):
listT.append(int(stringT[2*i:2*i+2],16))
def find(a,b):
if a>b:
return a-b
else:
return 256+a-b

for j in range(256):
listT[0] = j
flagT = ''
for i in range(51):
if i == 0:
continue
elif i+1 <= 2:
tmp = find(listT[i],listT[i-1])#后一位减前一位
elif i+1 <= 4:
tmp = find(listT[i],listT[i-2])#4-2,3-1
elif i+1 <=8:
tmp = find(listT[i],listT[i-4])#5-1,6-2,7-3,8-4
elif i+1 <=16:
tmp = find(listT[i],listT[i-8])
elif i+1 <=32:
tmp = find(listT[i],listT[i-16])
else:
tmp = find(listT[i],listT[i-32])
flagT += chr(tmp)
if 'ctf' in flagT:
print(flagT)
1
ictf{4dd1ng_4nd_casc4d1ng_and_adding_4nd_c4scad1ng}

Word (50pts) - Forensics

word改为zip,解压全局搜索得flag

1
ictf{4ll_0ff1c3_F1l3s_4r3_Z1p5}