nctf-MISC与密码学(wp)后续会更新

MISC

3.图种
图种

将下载的图片改为rar解压.png

nctf{dssdcmlw}


5.丘比特De女神

  • 丘比龙是丘比特的弟弟,由于吃了太多的甜甜圈导致他飞不动了!
    没错 里面隐藏了一张女神的照片
    flag是照片文件的md5值(小写)
    记住加上flag{}

将丘比特图片命名为5.gif
使用binwalk分解一下。
从上到下依次为完好的gif图片(6.gif)。
丘比特图片(5.gif)。
完整的zip包。(a.zip)

binwalk运行结果.png

ctf中压缩包隐写总结

可以看出,这是一个损坏的压缩包,打开010编辑器,把压缩包文件头或者文件尾补全。
ctf中图片隐藏文件分离方法总结
常见文件头,文件尾

50 4Bzip文件尾.png

发现这里有个love???.png
gif的文件尾.png

003B之前是gif文件,之后是zip包,但是我们没有看到zip的文件头,将6C 6F 76 65到文件末尾抓取到一个新的文件里面。并将6C 6F 76 65改为50 4B 03 04。保存为zip文件。


image.png

image.png

flag{a6caad3aaafa11b6d5ed583bef4d8a54}


密码学

1.easy
bmN0Znt0aGlzX2lzX2Jhc2U2NF9lbmNvZGV9
nctf{this_is_base64_encode}


2.KeyBoard

ytfvbhn tgbgy hjuygbn yhnmki tgvhn uygbnjm uygbn yhnijm
a        r       e       u      h     a      c    k           

3.based64全家桶

import base64
print base64.b16decode(base64.b32decode(base64.b64decode('R1pDVE1NWlhHUTNETU4yQ0dZWkRNTUpYR00zREtNWldHTTJES1JSV0dJM0RDTlpUR1kyVEdNWlRHSTJVTU5SUkdaQ1RNTkJWSVkzREVOUlJHNFpUTU5KVEdFWlRNTjJF')))

nctf{base64_base32_and_base16}


4.n次based64

import base64
s='Vm0wd2QyUXlVWGxWV0d4V1YwZDRWMVl3WkRSWFJteFZVMjA1VjAxV2JETlhhMk0xVmpKS1NHVkVRbUZXVmxsM1ZtcEJlRll5U2tWVWJHaG9UVlZ3VlZacVFtRlRNbEpJVm10a1dHSkdjSEJXYTFwaFpWWmFkRTFVVWxSTmF6RTFWa2QwYzJGc1NuUmhSemxWVmpOT00xcFZXbUZrUjA1R1drWlNUbUpGY0VwV2JURXdZVEZrU0ZOclpHcFNWR3hoV1d4U1IyUnNXbGRYYlhSWFRWaENSbFpYZUhkV01ERkZVbFJDVjAxdVVuWldha3BIVmpGT2RWVnNXbWhsYlhob1ZtMXdUMkl5UmtkalJtUllZbGhTV0ZSV2FFTlNiRnBZWlVoa1YwMUVSa1pWYkZKRFZqSkdjbUV6YUZaaGExcG9WakJhVDJOdFJrZFhiV2hzWWxob2IxWnRNWGRVTVZWNVVtdGtWMWRIYUZsWmJGWmhZMVphZEdONlJteFNiSEJaV2xWb2ExWXdNVVZTYTFwV1lrWktSRlpxU2tabFZsSlpZVVprVTFKV2NIbFdWRUpoVkRKT2MyTkZhR3BTYkVwVVZteG9RMWRzV25KWGJHUmFWakZHTkZaSGRHdFdiVXBIVjJ4U1dtSkhhRlJXTUZwVFZqRmtkRkp0ZUZkaVZrbzFWbXBLTkZReFdsaFRiRnBxVWxkU1lWUlZXbmRsYkZweFVtMUdUMkpGV2xwWlZWcHJWVEZLVjJOSWJGZFdSVXBvVmtSS1QyUkdTbkphUm1ocFZqTm9WVmRXVWs5Uk1XUkhWMjVTVGxaRlNsaFVWbVEwVjBaYVdHUkhkRmhTTUhCSlZsZDRjMWR0U2toaFJsSlhUVVp3VkZacVNrZFNiRkp6Vlcxc1UwMHhSalpXYWtvd1ZURlZlRmR1U2s1WFJYQnhWVzB4YjFZeFVsaE9WemxzWWtad2VGVnRNVWRVTWtwR1YyeHdXbFpXY0hKV1ZFWkxWMVpHY21KR1pHbFhSVXBKVm10U1MxVXhXWGhXYmxaV1lsaENWRmxyVm5kV1ZscDBaVWM1VWsxWFVucFdNV2h2VjBkS1JrNVdVbFZXTTJoSVZHdGFjMk5zWkhSa1IyaHBVbGhCZDFkV1ZtOVVNVnAwVTJ4V1YyRXhTbUZhVjNSaFYwWndSbFpZYUZkTlZrcDVWR3hhVDJGV1NuUlBWRTVYVFc1b1dGbHFTa1psUm1SWldrVTFWMVpzY0ZWWFZsSkhaREZrUjJKSVRtaFNlbXhQVkZaYWQyVkdWblJsU0dScFVqQndWMVl5ZEhkV01ERnhVbXRvVjFaRldreFdNVnBIWTIxS1IxcEdaRTVOUlhCS1ZtMTBVMU14VlhoWFdHaGhVMFphVmxscldrdGpSbHB4VkcwNWEySkhVbnBYYTFKVFYyeFpkMkpFVWxkTmFsWlVWa2Q0WVZKc1RuTmhSbkJZVTBWS1NWWnFRbUZXYlZaWVZXdG9hMUp0YUZSWmJGcExVMnhrVjFadFJtcE5WMUl3Vld4b2MyRkdTbGRUYlVaaFZqTlNhRmxWV25OT2JFcHpXa2R3YVZORlNrbFdiR040WXpGVmQwMUliR2hTYlhoWVdXeG9RMVJHVW5KYVJWcHNVbTFTZWxsVldsTmhSVEZ6VTI1b1YxWjZSVEJhUkVaclVqSktTVlJ0YUZObGJYaFFWa1phWVdReVZrZFdibEpPVmxkU1YxUlhkSGRXTVd4eVZXMUdXRkl3VmpSWk1HaExWMnhhV0ZWclpHRldWMUpRVldwS1MxSXlSa2hoUlRWWFltdEtNbFp0TVRCVk1VMTRWVzVTVjJKSFVsVlpiWFIzWWpGV2NWTnRPVmRTYlhoYVdUQmFhMkV3TVZkalJteGhWbGROTVZaWGMzaGpNVTUxWTBaa1RtRnNXbFZXYTJRMFV6RktjMXBJVmxSaVJscFlXV3RhZG1Wc1drZFdiVVphVmpGS1IxUnNXbUZWUmxsNVlVaENWbUpIYUVSVWJYaHJWbFpHZEZKdGNFNVdNVWwzVmxkNGIyTXlSa2RUYkdSVVlsVmFWbFp1Y0Zka2JGcHlWMjFHYWxacmNEQmFSV1F3VlRKRmVsRllaRmhpUmxwb1dWUktSMVl4VG5OYVIyaE9UV3hLV1ZkWGVHOVJNVTE0WTBaYVdHRXpRbk5WYlRGVFpXeHNWbGRzVG1oV2EzQXhWVmMxYjFZeFdYcGhTRXBYVmtWYWVsWnFSbGRqTVdSellVZG9UazFWY0RKV2JHTjRUa2RSZVZaclpGZGlSMUp2Vlc1d2MySXhVbGRYYm1Sc1ZteHNOVlJzYUd0V01rcEhZa1JhV2xaV1NsQldNakZHWlZaV2NscEhSbGRXTVVwUlZsUkNWazVXV1hsU2EyaG9VbFJXV0ZsdGRFdE5iRnAwVFZSQ1ZrMVZNVFJXVnpWVFZqSktTRlZzV2xwaVdGSXpXV3BHVjJOV1RuUlBWbVJUWWxob1lWZFVRbUZoTVZwelUyNU9hbEp0ZUZaV2JGcExVMFphV0dNemFGaFNiRnA1V1ZWYWExUnRSbk5YYkZaWFlUSlJNRmxVUms5U01WcDFWR3hvYVZKc2NGbFhWM1JoWkRGa1YxZHJhR3hTTUZwaFZtcEdTMUl4VW5OWGJVWldVbXhzTlZsVldsTldNa1Y0VjJ0MFZWWnNjSEpaZWtaaFpFVTVWMVpyTlZkaWEwWXpWbXhqZDAxV1RYaFZXR2hZWW1zMVZWbHNWbUZXYkZwMFpVaGtUazFXY0hsV01qRkhZV3hhY21ORVJsaGhNWEJRVmtkNFlXTnRUa1ZYYkdST1lteEtlVmRZY0VkV2JWWlhWRzVXVkdKRk5XOVpXSEJYVjFaa1YxVnJaR3ROYTFwSVdXdGFiMkZ0Vm5KWGJHaFZWbTFTVkZZeWVHdGpiRnBWVW14b1UyRXpRbUZXVm1NeFlqRlplRmRxV2xKWFIyaFhWbXRXWVdWc1duRlNiWFJyVm14S01GVnRlRTloUjFaelYyeGtWMkpIVGpSVWEyUlNaVlphY2xwR1pGaFNNMmg1Vmxkd1ExbFhUa2RXYmxKc1UwZFNjMWxyV2xkT1ZsSnpXWHBXVjAxRVJsaFphMUpoVjJ4YVYyTklXbGROYm1ob1ZtcEdZV05XVm5OYVJUVlhZbXRLU2xZeGFIZFNNVmw1VkZoc1UyRXlhSEJWYlhNeFkwWnNWVkZ1WkU1aVJuQXdXbFZqTldFd01WWk5WRkpYWWtkb2RsWXdXbXRUUjBaSFlVWndhVmRIYUc5V2JURTBZekpPYzFwSVZtRlNNMEpVV1d0YWQwNUdXbGhOVkVKT1VteHNORll5TlZOV2JVcElaVWRvVm1KSFVsUlZNRnBoWTFaT2NscEZPV2xTV0VJMlZtdGtORmxXVlhsVGExcFlWMGhDV0Zac1duZFNNVkY0VjJ0T1ZtSkZTbFpVVlZGM1VGRTlQUT09'
while 1:
    s=base64.b64decode(s)
    print s

flag:nctf{please_use_python_to_decode_base64}


5.骚年来一发吗
密文:iEJqak3pjIaZ0NzLiITLwWTqzqGAtW2oyOTq1A3pzqas
加密函数

<?php   
function encode($str){  
    $_o=strrev($str);  //strrev反转字符串
    for($_0=0;$_0<strlen($_o);$_0++){  
        $_c=substr($_o,$_0,1);  
        $__=ord($_c)+1; //返回字符串 string 第一个字符的 ASCII 码值。
        $_c=chr($__);  //返回相对应于 ascii 所指定的单个字符。
        $_=$_.$_c;  
    }  
    return str_rot13(strrev(base64_encode($_)));  
}  
?>

substr函数
strrev函数
str_rot13函数

写解密函数

<?php
function decode($str)
{  
    $str=base64_decode(strrev(str_rot13($str)));
    $_o=strrev($str);  
    for($_0=0;$_0<strlen($_o);$_0++)
    {  
        $_c=substr($_o,$_0,1);  
        $__=ord($_c)-1;  
        $_c=chr($__);  
        $_=$_.$_c;  
    }  
    return $_;  
}  
$string='iEJqak3pjIaZ0NzLiITLwWTqzqGAtW2oyOTq1A3pzqas';  
echo decode($string);
?>

nctf{rot13_and_base64_and_strrev}


6.mixed_base64

mixed_base64.png

import random
from base64 import *
result={
        '16':lambda x:b16encode(x),
        '32':lambda x:b32encode(x),
        '64':lambda x:b64encode(x),
        }
flag=b"nctf{************}"
for i in range(10):
    a=random.choice(['16','32','64'])
    flag=result[a](flag)
with open("code.txt","wb")as f:
    f.write(flag)

lambda匿名函数
从based64,32,16随机选一个,反复加密十次。

from base64 import *
import itertools
s=open('mixed_based64.txt','r').read()
result={
    '16':lambda x:b16decode(x),
    '32':lambda x:b32decode(x),
    '64':lambda x:b64decode(x)
    }
for i_1 in ['16','32','64']:
    for i_2 in ['16','32','64']:
        for i_3 in ['16','32','64']:
            for i_4 in ['16','32','64']:
                for i_5 in ['16','32','64']:
                    for i_6 in ['16','32','64']:
                        for i_7 in ['16','32','64']:
                            for i_8 in ['16','32','64']:
                                for i_9 in ['16','32','64']:
                                    for i_10 in ['16','32','64']:
                                        try:
                                            print result[i_10](result[i_9](result[i_8](result[i_7](result[i_6](result[i_5](result[i_4](result[i_3](result[i_2](result[i_1](s))))))))))
                                        except:
                                            continue

python2跑一下nctf{random_mixed_base64_encode}


7.异性相吸
按照提示跑一下

ens=open('encode.txt','r').read()#密文
des=open('decode.txt','r').read()#明文
for i in range(len(des)):
    print chr(ord(des[i])^ord(ens[i]))

nctf{xor_xor_xor_biubiubiu}


8.MD5

import hashlib   
for i in range(32,127):
    for j in range(32,127):
        for k in range(32,127):
            m=hashlib.md5()
            m.update('TASC'+chr(i)+'O3RJMV'+chr(j)+'WDJKX'+chr(k)+'ZM')
            des=m.hexdigest()
            if 'e9032' in des and 'da' in des and '911513' in des:
                print des

nctf{e9032994dabac08080091151380478a2}


9.Vigenere
放一个别人大佬跑的

#include <stdio.h>
#define KEY_LENGTH 2 // Can be anything from 1 to 13

main(){
  unsigned char ch;
  FILE *fpIn, *fpOut;
  int i;
  unsigned char key[KEY_LENGTH] = {0x00, 0x00};
  /* of course, I did not use the all-0s key to encrypt */

  fpIn = fopen("ptext.txt", "r");
  fpOut = fopen("ctext.txt", "w");

  i=0;
  while (fscanf(fpIn, "%c", &ch) != EOF) {
    /* avoid encrypting newline characters */  
    /* In a "real-world" implementation of the Vigenere cipher, 
       every ASCII character in the plaintext would be encrypted.
       However, I want to avoid encrypting newlines here because 
       it makes recovering the plaintext slightly more difficult... */
    /* ...and my goal is not to create "production-quality" code =) */
    if (ch!='\n') {
      fprintf(fpOut, "%02X", ch ^ key[i % KEY_LENGTH]); // ^ is logical XOR    
      i++;
      }
    }
 
  fclose(fpIn);
  fclose(fpOut);
  return;
} 

推荐阅读更多精彩内容

  • 文章简介:大致介绍了CTF比赛中Fornesics题目的常见类型和各类使用工具,此类题目在国内CTF中偶尔出现,但...
    看雪学院阅读 5,643评论 0 19
  • 取证类题目 在CTF中,取证赛题包括了文件分析、隐写、内存镜像分析和流量抓包分析。任何要求检查一个静态数据文件(与...
    查无此人asdasd阅读 534评论 0 2
  • 第一题 栅栏密码 五栏解密成功得到flag 第二题 一张图片 很明显是摩斯电码拉长了,修改图片高度得到摩斯电码 摩...
    Sund4y阅读 1,716评论 0 2
  • The person I'm closest to in my family is definitely my ...
    Victoriaplus阅读 103评论 0 1
  • 作为一个在三里屯上班的普通青年,虽然坐拥各地美食,可是中午有限的时间,想要用来吃一顿丰盛的午宴,也是不太够的。 理...
    帕克儿阅读 216评论 0 0