XYCTF2025 WP
签个到吧
观察发现没有输出,观察内存发现最终内存全为零,在内存清零之前输出即可,替换所有的[-]为.[-],运行即可得到flag
>+++++++++++++++++[<++++++>-+-+-+-]<.[-]>++++++++++++[<+++++++++>-+-+-+-]<..[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<..[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<..[-]>+++++++++++++++++++++++++++++++++++++++++[<+++>-+-+-+-]<.[-]>+++++++++++++++++++++++++++++[<+++>-+-+-+-]<.[-]>+++++++++++++++++[<+++>-+-+-+-]<.[-]>++++++++++++[<+++++++++>-+-+-+-]<.[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<.[-]>++++++++[<++++++>-+-+-+-]<.[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<.[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<.[-]>+++++++++++++++++++[<+++++>-+-+-+-]<.[-]>+++++++++++++++++++++++++++++[<++++>-+-+-+-]<.[-]>++++++++[<++++++>-+-+-+-]<.[-]>+++++++++++++++++++[<+++++>-+-+-+-]<.[-]>+++++++++++[<++++++++>-+-+-+-]<.[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<.[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<.[-]>++++++++++++[<+++++++>-+-+-+-]<.[-]>++++++++++[<+++++++>-+-+-+-]<.[-]>+++++++++++++++++++[<+++++>-+-+-+-]<.[-]>++++++++++[<+++++>-+-+-+-]<.[-]>++++++++[<++++++>-+-+-+-]<.[-]>++++++++++[<+++++>-+-+-+-]<.[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<.[-]>+++++++++++++++++++[<+++++>-+-+-+-]<.[-]>+++++++++++++++++++++++[<+++>-+-+-+-]<.[-]>+++++++++++[<++++++++++>-+-+-+-]<.[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++[<++>-+-+-+-]<.[-]>++++++++[<++++++>-+-+-+-]<.[-]>+++++++++++[<+++++>-+-+-+-]<.[-]>+++++++++++++++++++[<+++++>-+-+-+-]<.[-]>+++++++[<+++++++>-+-+-+-]<.[-]>+++++++++++++++++++++++++++++[<++++>-+-+-+-]<.[-]>+++++++++++[<+++>-+-+-+-]<.[-]>+++++++++++++++++++++++++[<+++++>-+-+-+-]<.[-]
fllaagg{W3lC0me_t0_XYCTF_2025_Enj07_1t!}
最终flag
flag{W3lC0me_t0_XYCTF_2025_Enj07_1t!}
XGCTF
bing搜索XGCTF 原题,发现是ciscn华东南原题
搜索dragonkeep blog
找到dragonkeep师傅的博客
发现wp
在源码中发现base64编码的flag,解码即可
flag{1t_I3_t3E_s@Me_ChAl1eNge_aT_a1L_P1e@se_fOrg1ve_Me}
WARMUP
将Execute改为MsgBox,得到源码
是rc4加密,秘钥为rc4key
密文为
90df4407ee093d309098d85a42be57a2979f1e51463a31e8d15e2fac4e84ea0df622a55c4ddfb535ef3e51e8b2528b826d5347e165912e99118333151273cc3fa8b2b3b413cf2bdb1e8c9c52865efc095a8dd89b3b3cfbb200bbadbf4a6cd4
解密得到
flag{We1c0me_t0_XYCTF_2025_reverse_ch@lleng3_by_th3_w@y_p3cd0wn's_chall_is_r3@lly_gr3@t_&_fuN!}
flag{}内md5得到最终flag
XYCTF{5f9f46c147645dd1e2c8044325d4f93c}
MADer也要当CTFer
使用PRTShark师傅的软件提取出字幕
观察文件发现是ae的项目文件,师傅的博客中也有提示
发现有红色的块,尝试复制,粘贴得到
here_are_your_flag,wait...
oh_you_find_me
l_re@IIy_w@nn@_2_Ie@rn_AE
flag{ }
flag2找半天最后发现是白色的,直接复制即可(不会ae
flag{l_re@IIy_w@nn@_2_Ie@rn_AE}
Division
random.getrandbits具有可预测漏洞,利用1选项生成624次随机数,然后用randcrack预测随机数即可
使用chatgpt写脚本如下
from pwn import *
from randcrack import RandCrack
HOST = '39.106.69.240'
PORT = 20567
rc = RandCrack()
def get_32bit_outputs(io, n=624):
print('[*] Collecting random numbers...')
for _ in range(n):
io.sendlineafter(': >>> ', '1')
io.sendlineafter('input the denominator: >>> ', '1')
line = io.recvline().decode()
try:
nominator = int(line.strip().split('//')[0])
rc.submit(nominator)
except Exception as e:
print(f'[-] Error parsing line: {line.strip()}')
continue
print('[+] Collected enough outputs to recover RNG state!')
def get_flag(io):
print('[*] Predicting rand1 and rand2...')
rand1 = rc.predict_getrandbits(11000)
rand2 = rc.predict_getrandbits(10000)
correct_ans = rand1 // rand2
io.sendlineafter(': >>> ', '2')
io.sendlineafter('input the answer: >>> ', str(correct_ans))
io.interactive()
def main():
io = remote(HOST, PORT)
get_32bit_outputs(io)
get_flag(io)
if __name__ == '__main__':
main()
会飞的雷克萨斯
根据图片信息,高德直接搜索得到相关地点,查看附近店铺,以及高德评论,确认了地点
四川省内江市资中县春岚北路
查看附近店铺确认详细地点
四川省内江市资中县春岚北路城市中心内
曼波曼波曼波
smn.txt开头有等号怀疑是base64
smn.txt反转,base64转图片,得到图片
用foremost提取得到压缩包
根据提示,内层压缩包xixi.zip的密码是XYCTF2025
外层的图片和内层压缩包的图片一样,怀疑是双图盲水印,使用随波逐流双图盲水印解密即可
XYCTF{easy_yin_xie_dfbfuj877}
Greedymen
贪心算法,易得每次选择因数个数等于2的最大数,可以让对手的分最少,写代码如下
def generate_answers(counter,scope):
# 初始化 1-100 的数字及其因数
answers = []
numbers = {num: set(compute_factors(num)) for num in range(1, scope+1)}
for step in range(1, counter+1): # 重复 counter 次
# 找出当前因数数量=1 的最大数字
selected_num = max([num for num, factors in numbers.items() if len(factors) == 2])
answers.append(selected_num)
selected_factors = numbers[selected_num]
# 从所有其他数字的因数中删除 selected_num 的因数
for num in numbers:
if num != selected_num:
numbers[num] -= selected_factors
# 删除已选数字,避免重复选择
del numbers[selected_num]
print(answers)
return answers
得到数字选择的顺序如下
[47, 49, 35, 21, 39, 33, 27, 45, 26, 46, 38, 34, 18, 42, 30, 50, 28, 44, 36]
[97, 49, 91, 77, 65, 95, 85, 57, 93, 87, 69, 62, 98, 94, 86, 82, 74, 28, 92, 76, 68, 56, 52, 44, 32, 27, 99, 66, 78, 63, 54, 45, 75, 50, 100, 90, 80]
[199, 169, 143, 187, 119, 161, 133, 115, 185, 155, 145, 125, 175, 111, 183, 177, 159, 141, 129, 123, 122, 194, 178, 166, 158, 146, 142, 134, 75, 105, 147, 98, 70, 63, 189, 171, 153, 135, 117, 195, 130, 182, 99, 165, 110, 154, 78, 114, 190, 102, 170, 76, 196, 188, 172, 164, 152, 148, 140, 136, 124, 186, 116, 174, 104, 156, 100, 200, 150, 92, 138, 90, 198, 132, 126, 80]
写脚本自动化提交答案,最终完整代码如下
from pwn import *
def compute_factors(n):
"""计算数字 n 的所有因数(包括1和本身)"""
factors = set()
for i in range(1, int(n**0.5)+1):
if n % i == 0:
factors.add(i)
factors.add(n / i)
return factors
def generate_answers(counter,scope):
# 初始化 1-100 的数字及其因数
answers = []
numbers = {num: set(compute_factors(num)) for num in range(1, scope+1)}
for step in range(1, counter+1): # 重复 counter 次
# 找出当前因数数量=1 的最大数字
selected_num = max([num for num, factors in numbers.items() if len(factors) == 2])
answers.append(selected_num)
selected_factors = numbers[selected_num]
# 从所有其他数字的因数中删除 selected_num 的因数
for num in numbers:
if num != selected_num:
numbers[num] -= selected_factors
# 删除已选数字,避免重复选择
del numbers[selected_num]
print(answers)
return answers
def submit_answers(conn, answers):
for answer in answers:
conn.sendlineafter(b"Choose a Number:",str(answer))
def main():
"""开始游戏"""
# context.log_level = "debug"
conn = remote("47.94.103.208","26810") # 连接服务器
conn.sendlineafter(b"3.Quit",b"1")
#第1级
answers = generate_answers(19,50)
# answers = [47, 49, 35, 21, 39, 33, 27, 45, 26, 46, 38, 34, 18, 42, 30, 50, 28, 44, 36]
submit_answers(conn, answers)
#第2级
answers = generate_answers(37,100)
# answers = [97, 49, 91, 77, 65, 95, 85, 57, 93, 87, 69, 62, 98, 94, 86, 82, 74, 28, 92, 76, 68, 56, 52, 44, 32, 27, 99, 66, 78, 63, 54, 45, 75, 50, 100, 90, 80]
submit_answers(conn, answers)
#第3级
answers = generate_answers(76,200)
#answers = [199, 169, 143, 187, 119, 161, 133, 115, 185, 155, 145, 125, 175, 111, 183, 177, 159, 141, 129, 123, 122, 194, 178, 166, 158, 146, 142, 134, 75, 105, 147, 98, 70, 63, 189, 171, 153, 135, 117, 195, 130, 182, 99, 165, 110, 154, 78, 114, 190, 102, 170, 76, 196, 188, 172, 164, 152, 148, 140, 136, 124, 186, 116, 174, 104, 156, 100, 200, 150, 92, 138, 90, 198, 132, 126, 80]
submit_answers(conn, answers)
conn.interactive()
if __name__ == "__main__":
main()
flag{Greed, is......key of the life.}
浙公网安备 33010602011771号