NewStarCTF 2023 week1

NewStarCTF 2023

WEEK1|CRYPTO

brainfuck

http://bf.doleczek.pl/

flag{Oiiaioooooiai#b7c0b1866fe58e12}

Caesar's Secert

凯撒密码

flag{ca3s4r's_c1pher_i5_v4ry_3azy}

Fence

栅栏密码，栏数为2

flag{reordering_the_plaintext#686f8c03}

Vigenère

key: kfc ，试出来的

flag{la_c1fr4_del_5ign0r_giovan_batt1st4_b3ll5s0}

babyrsa

直接分解n

flag{us4_s1ge_t0_cal_phI}

Small d

维纳攻击

flag{learn_some_continued_fraction_technique#dc16885c}

babyxor

已知正确flag的开头是f，先得到key，再xor

for i in range(1,200):
    if 0xe9 ^ i == ord('f'):
        print(hex(i))

cipher_text='e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2'
flag=''
for i in range(0,len(cipher_text),2):
    #print(cipher_text[i:i+2])
    s=int(cipher_text[i:i+2],16)^0x8f
    #print(s)
    flag+=chr(s)
print(flag)

flag{x0r_15_symm3try_and_e4zy!!!!!!}

babyencoding

base64：flag{dazzling_encoding#4e0ad4

base32：f0ca08d1e1d0f10c0c7afe422fea7

uuencode：c55192c992036ef623372601ff3a}

flag{dazzling_encoding#4e0ad4f0ca08d1e1d0f10c0c7afe422fea7c55192c992036ef623372601ff3a}

Affine

仿射密码，爆破key

import gmpy2
from Crypto.Util.number import *

modulus = 256
c = 'dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064'
b_c = long_to_bytes(int(c,16))
def get_a():
    aList = []
    for i in range(1,256):
        if gmpy2.gcd(i,modulus) == 1:
            aList.append(i)
    return aList

for a in get_a():
    for b in range(1,256):
        if (a*b_c[0] + b) % modulus == ord('f') and (a*b_c[1] + b) % modulus == ord('l') and (a*b_c[2] + b) % modulus == ord('a'):
            print(a,b)

# 241 89
a,b = 241,89
for i in b_c:
    print(chr((a*i + b) % modulus),end="")

flag{4ff1ne_c1pher_i5_very_3azy}

babyaes

exp

题目给了我们bytes_to_long(key) ^ bytes_to_long(iv) ^ 1的值

那我们就可以先得出bytes_to_long(key) ^ bytes_to_long(iv)的值

异或操作具有自反性，因为异或了1 异或完是奇数则减1，偶数则加1

如 64^1=65,651=64

c = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
xor = 3657491768215750635844958060963805125333761387746954618540958489914964573229 - 1
b_xor = long_to_bytes(xor)
key_tem = b_xor[:16]
iv = long_to_bytes(bytes_to_long((b_xor[16:])) ^ bytes_to_long(key_tem))
key = key_tem*2
aes = AES.new(key, AES.MODE_CBC, iv)
print(aes.decrypt(c))
#b'firsT_cry_Aes\x00\x00\x00'

flag{firsT_cry_Aes}

WEEK1|MISC

CyberChef's Secret

flag{Base_15_S0_Easy_^_^}

机密图片

flag{W3lc0m3_t0_N3wSt4RCTF_2023_7cda3ece}

流量！鲨鱼！

导出解两层base

flag{Wri35h4rk_1s_u53ful_b72a609537e6}

压缩包们

修复文件头得到flag.zip，这里先用winrar修复一下，这样虽然有报错但能正常使用了

在备注处得到base64解得 I like six-digit numbers because they are very concise and easy to remember.

6位数字爆破

flag{y0u_ar3_the_m4ter_of_z1111ppp_606a4adc}

隐秘的眼睛

silenteye

flag{R0ck1ng_y0u_63b0dc13a591}

空白格

whitespace解密

https://vii5ard.github.io/whitespace/

flag{w3_h4v3_to0_m4ny_wh1t3_sp4ce_2a5b4e04}

WEEK1|WEB

泄漏的秘密

robots.txt：PART ONE: flag{r0bots_1s_s0_us3ful

www.zip：$PART_TWO = "_4nd_www.zip_1s_s0_d4ng3rous}";

flag{r0bots_1s_s0_us3ful_4nd_www.zip_1s_s0_d4ng3rous}

Begin of Upload

修改文件后缀上传后，蚁剑连接即可

flag{212ce1e2-b45b-4efe-8942-1bd8f471b647}

ErrorFlask

flag就在报错里

flag{Y0u_@re_3enset1ve_4bout_deb8g}

Begin of HTTP

GET	?ctf=1
POST secret=n3wst4rCTF2023g00000d
Cookie:	power=ctfer
User-Agent: NewStarCTF2023
Referer: newstarctf.com
X-Real-IP: 127.0.0.1

flag{e95db539-df58-4d02-a5f8-b31f813ffcaa}

Begin of PHP

弱比较，数组绕过

flag{b1cf87aa-47b5-4dec-8ff3-7aa25d72d0ff}

R!C!E!

爆破个MD5值头部符合的字符串就行 ，_用[代替

password=4f2853676e292b0ad3855938987107f3&e[v.a.l=var_dump(exec('tac /fl'.'ag'));

flag{0decef82-6e36-4e90-afa8-a499623405e7}

EasyLogin

爆破得到admin的密码是000000

抓登录包后Forward,flag在重定向

flag{9b90a3e9-bb26-4385-a649-225eed42ad31}

WEEK1|REVERSE

easy_RE

找到main函数

F5

flag{we1c0me_to_rev3rse!!}

咳

UPX脱壳

进入main函数得到enc：gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~

把这块逆出来就好了

 for ( i = 0i64; ; ++i )
  {
    v4 = &Str1[strlen(Str1)];
    if ( i >= v4 - Str1 )
      break;
    ++Str1[i];
  }

exp

cipher_text='gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~'
flag=""
for i in range(len(cipher_text)):
    flag+=chr(ord(cipher_text[i])-1)
print(flag)

flag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1}

ELF

进入main函数得到得到密文 VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t

主要看encode函数

 v1 = strlen(a1);
  v4 = malloc(2 * v1 + 1);
  v6 = 0;
  for ( i = 0; i < strlen(a1); ++i )
  {
    v2 = v6++;
    v4[v2] = (a1[i] ^ 0x20) + 16;
  }
  v4[v6] = 0;
  return v4;

exp

from base64 import b64decode
flag = "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t"
flag = b64decode(flag).hex()
for i in range(0,len(flag),2):
    print(chr((int(flag[i:i+2],16)-16) ^ 0x20),end='')

flag{D0_4ou_7now_wha7_ELF_1s?}

Segments

shift+F7

flag{You_ar3_g0od_at_f1nding_ELF_segments_name}

Endian

  v5 = v6;
  for ( i = 0; i <= 4; ++i )
  {
    if ( *(_DWORD *)v5 != (array[i] ^ 0x12345678) )
    {
      printf("wrong!");
      exit(0);
    }
    v5 += 4;
  }
  printf("you are right");
  return 0;

array 的值 75553A1Eh, 7B583A03h, 4D58220Ch, 7B50383Dh, 736B3819h

注意小端序

cipher = "75553A1E 7B583A03 4D58220C 7B50383D 736B3819".split(' ')
#print(cipher)
flag = []
for i in cipher:
    flag.append(hex(int(i,16) ^ 0x12345678)[2:])
print(flag)
real_flag = ""
for i in flag:
    r = ""
    for j in range(0,len(i),2):
        r = chr(int(i[j:j+2],16)) + r
    real_flag += r
print(real_flag)

flag{llittl_Endian_a}

AndroXor

找到关键函数

enc=[14, ord('\r'), 17, 23, 2, ord('K'), ord('I'), ord('7'), ord(' '), 30, 20, ord('I'), ord('\n'), 2, ord('\f'), ord('>'), ord('('), ord('@'), 11, ord('\''), ord('K'), ord('Y'), 25, ord('A'), ord('\r')]
key='happyx3'
flag=''
for i in range(len(enc)):
    flag += chr(enc[i] ^ ord(key[i % len(key)]))
print(flag)

flag{3z_And0r1d_X0r_x1x1}

EzPE

拿别的exe文件对比，修改相应字节

关键函数

  scanf("%s", input);
  for ( i = 0; i < strlen(input) - 1; ++i )
    input[i] ^= i ^ input[i + 1];
  if ( !strcmp(input, data) )
    puts("You Win!");
  else
    puts("You lose!");
  system("pause");
  return 0;

找到data（0Ah--7Dh）

exp

data = [0x0a,0x0c,0x4,0x1f,0x26,0x6C,0x43,0x2D,0x3C,0x0C,0x54,0x4C,0x24,0x25,0x11,0x6,0x5,0x3A,0x7C,0x51,0x38,0x1A,0x3,0x0D,0x1,0x36,0x1F,0x12,0x26,0x4,0x68,0x5D,0x3F,0x2D,0x37,0x2A,0x7D]
for i in range(len(data) - 2, -1, -1):
    data[i] ^= (data[i + 1]) ^ i
flag=''
for i in data:
    flag+=chr(i)
print(flag)

flag{Y0u_kn0w_what_1s_PE_File_F0rmat}

lazy_activtiy

关键函数

大致意思为每次点击按钮，cnt 值会自增，并在界面上显示出来。当点击次数达到 10000 或以上时，会显示 editText 中输入的文本。

emmm但在我尝试动调前，AndroidKiller一把梭了

flag{Act1v1ty_!s_so00oo0o_Impor#an#}