2025网络安全振兴杯wp

振兴杯wp

web1 神探狄仁杰

image-20251019170925796

在js和源代码,以及关于里面有flag的base64字段

css中

image-20251019171147833

关于的源代码中

image-20251019171232724

image-20251019171549337

然后解密就行了

web2Darksale

这个是一个原型链污染

我们发现购买的金额可以被改变

image-20251019171944065

我们发现改价格后会回显出来

image-20251019172051705

我们尝试修改文件读取环境变量

image-20251019172228914

然后发送得到flag

image-20251019172348727

misc1-checkin

oclz{loovyd_vb_l_bvnucd_hqpumj}

是反射密码

x≡19y+25(mod26)

逐个处理字母(只转换字母):

  • o (14) → x=(19×14+25) mod 26=(266+25) mod 26=291 mod 26=5x=(19×14+25)mod26=(266+25)mod26=291mod26=5 → f
  • c (2) → 19×2+25=38+25=63 mod 26=1119×2+25=38+25=63mod26=11 → l
  • l (11) → 19×11+25=209+25=234 mod 26=019×11+25=209+25=234mod26=0 → a
  • z (25) → 19×25+25=475+25=500 mod 26=619×25+25=475+25=500mod26=6 → g
flag{affine_is_a_simple_crypto}

Crypto affie

一眼看是

放到工具

image-20251019172950165

image-20251019173015984

re-re1

image-20251019173115726

放到base32里面去

f12看字符串

image-20251019173236565

image-20251019173410688

然后找到主函数

image-20251019173431388

看逻辑很清楚

对进行是字符串比较

image-20251019173517718

image-20251019173606708

char *__cdecl sub_4118C0(char *Str)
{
  size_t v1; // eax
  char v3; // [esp+Dh] [ebp-127h]
  char v4; // [esp+Eh] [ebp-126h]
  char v5; // [esp+Eh] [ebp-126h]
  char v6; // [esp+Fh] [ebp-125h]
  char v7; // [esp+Fh] [ebp-125h]
  int v8; // [esp+E0h] [ebp-54h]
  size_t i; // [esp+ECh] [ebp-48h]
  char v10[56]; // [esp+F8h] [ebp-3Ch] BYREF

  memset(v10, 0, 50);
  v1 = j_strlen(Str);
  j_memcpy(v10, Str, v1);
  for ( i = 0; i < j_strlen(Str); ++i )
  {
    v8 = dword_41D1D0[i] + v10[i];
    if ( (unsigned __int8)sub_41127B(v10[i]) )
    {
      v6 = 122;
    }
    else
    {
      if ( (unsigned __int8)sub_4112B2(v10[i]) )
        v4 = 90;
      else
        v4 = v10[i];
      v6 = v4;
    }
    while ( v8 > v6 )
      v8 -= 26;
    if ( v10[i] == 123 )
    {
      v7 = 125;
    }
    else
    {
      if ( v10[i] == 125 )
      {
        v5 = 123;
      }
      else
      {
        if ( (unsigned __int8)sub_41120D(v10[i]) )
          v3 = v8;
        else
          v3 = v10[i];
        v5 = v3;
      }
      v7 = v5;
    }
    v10[i] = v7;
  }
  return v10;
}

可以直接写了

def decrypt(cipher):
    plain = []
    for i, c in enumerate(cipher):
        offset = i % 7 + 1
        if 'A' <= c <= 'Z':
            new_ord = ord(c) - offset
            if new_ord < ord('A'):
                new_ord += 26
            plain.append(chr(new_ord))
        elif 'a' <= c <= 'z':
            new_ord = ord(c) - offset
            if new_ord < ord('a'):
                new_ord += 26
            plain.append(chr(new_ord))
        elif c == '{':
            plain.append('}')
        elif c == '}':
            plain.append('{')
        else:
            plain.append(c)
    return ''.join(plain)

cipher = "AZFXK}qyuc_ge_ogwatxr_uhgzxpua_ktukKQErh{"
print(decrypt(cipher))

ZXCTF{jxsz_by_network_security_goodJOBnc}
posted @ 2025-10-20 21:46  Godjian  阅读(44)  评论(0)    收藏  举报