Lv1 简单的题目
题目提示base64ZmxhZyU3QnRoaXMlMjBpcyUyMHNvJTIwZWFzeSU3RA
base64解码再URL解码即可
import base64
from urllib import parse
s = 'ZmxhZyU3QnRoaXMlMjBpcyUyMHNvJTIwZWFzeSU3RA==' #补全==
flag = parse.unquote(str(base64.b64decode(s)))
print(flag)
#b'flag{this is so easy}'Lv2 MD5
题目提示MD5其实也没那么暴力,给出下列代码
if(@md5($_GET['a']) == @md5($_GET['b']) and @$_GET['b']!=@$_GET['a']) { echo "flag{XXX}"; } /ctf/md5.php题目考察的是md5弱比较,为0e开头的会被识别为科学记数法,结果均为0
http://ctf.gcowsec.com/ctf/md5.php?a=QNKCDZO&b=aabg7XSs
<!--flag{what is it}-->Lv3 SHA1
//md5都有了那么我想
///ctf/sha1.php
if (isset($_GET['name']) and isset($_GET['password'])) {
if ($_GET['name'] == $_GET['password'])
echo '
Your password can not be your name!
';
else if (sha1($_GET['name']) === sha1($_GET['password']))
die('Flag: ');
else
echo '
Invalid password.
';
}
else{
echo '
Login first!
';
}
题目考察的是数组绕过,sha1函数只能处理字符串
http://ctf.gcowsec.com/ctf/sha1.php?name[]=1&password[]=2
<!--flag{bad}-->Lv4 搜索引擎
题目提示你不知 我知 百度知之而不知 /ctf/
这道题考察的是robots.txt文件,robots协议也叫robots.txt(统一小写)是一种存放于网站根目录下的ASCII编码的文本文件,它通常告诉网络搜索引擎的漫游器(又称网络蜘蛛),此网站中的哪些内容是不应被搜索引擎的漫游器获取的
http://ctf.gcowsec.com/ctf/robots.txt
<!--
User-agent: *
Disallow:myphp.php
-->
--- ---
http://ctf.gcowsec.com/ctf/myphp.php
<!--flag{you is good}-->Lv5 不可逆算法
题目提示
当没有提示 一种原始的密码学方法可能在向你招手 内容:08e16912bc372ae13558fbaea5743000
直接MD5解密即可
Lv6 计算机编码
题目提示
来放松一下,这段数字没有任何意义上的加密 如果有兴趣就试试破解吧(跟编码有关 呸 我提示了很多了) 102 108 97 103 123 77 85 125
这道题考察的是简单的编码加解密,看起来就是ASCII码,查找对应代表的字符串即可
flag{MU}
Lv7 计算机编码
题目提示
简单一点 you can have to enter the password to access Lv7. 提交 /ctf/lv7.php?answer=答案 然后获取通过答案 撇脚英文
/ctf/lv7.php
无厘头的一题,直接问了别人答案
http://ctf.gcowsec.com/ctf/lv7.php?answer=the password
<!--flag{haha}-->Lv8 数学问题
题目提示
Y has 12 X, X has 25 Z, and every 5 Z has one R. If 36Y plus 10 Z, how many R are there? 提交 /ctf/lv8.php?answer=答案 然后获取通过答案
/ctf/lv8.php
直接列方程解出来就好
Lv9 NO Base64
题目提示
看啥都是base64 该治疗下 电击疗法了
内容:ftlPb8D748qunH47zQJAEa92qiFas6I7SxAsRIYmaJIOWFU6Bz5KsT9H64UKwVnH/pLD4bFzJwfIYc1Foeqdpg==
题目给出的内容咋一看像RSA加密,右键查看源代码发现如下内容
<!-- 年纪青青眼睛瞎掉 啥都像base64-->
<!--JTIwJXU1RTc0JXU3RUFBJXU5NzUyJXU5NzUyJTIwJXU3NzNDJXU3NzVCJXU1QzMxJXU3NzhFJXU0RTg2JTIwJXU4RkQ5JXU0RTBEJXU2NjJGYmFzZTY0JTIwJXU4RkQ5JXU2NjJGci4uJTI4JXU1NTE0Li4lMjk=-->
<!--JXU1NzMwJXU1NzQwJXU2NjJGJTIwY3RmL3JzYS5waHAlMjByc2EldTdCOTcldTZDRDUlMjAldTYwNkQldTU1OUMldTRGNjAldTc5QkIldTgwREMldTUyMjkldTUzQzgldThGRDEldTRFODY= -->
<p>内容:ftlPb8D748qunH47zQJAEa92qiFas6I7SxAsRIYmaJIOWFU6Bz5KsT9H64UKwVnH/pLD4bFzJwfIYc1Foeqdpg==</p>对注释中的两个base64进行解码再进行URL解码发现第二个注释内容为:地址是 ctf/rsa.php rsa算法 恭喜你离胜利又近了
访问 view-source:http://ctf.gcowsec.com/ctf/rsa.php 得到如下内容:
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAIb2tnnyvn/WoZnHEmDaGKuzLXv/ys0QXyvSzHhDi9KaFKTzDrpk
beXGeexQKk220RRZoNkZAl5b6mkNmyJTotcCAwEAAQJAaEb+vkI7xfJDcdlJ7eMU
5LTQE9qTCtX3cpiwussVoWWkCETWTdjKdcNyVfhHMTRGsUwZamczn8w/QJhJkfp6
wQIhALry6dMHRKoNMFYVzrV1W/Y2jOpNT/bibqOybasCI1t5AiEAuNBOHoEy2pBC
npU7zafxvM6zCWLUw4la/VIZhstLDM8CIQCumltqffpSfJjtfdaewaqPLWm1F1oc
8mR1PRuSQR/2uQIgeSKv0XbFqlScFe2jAS1vWV3yI9jPtEq3hQrnCF7/likCIGGV
+1CnPSWYGTQSCJ7sNhBcp8KQlFTs+r5dqO7jpv/c
-----END RSA PRIVATE KEY-----拿到私钥后拿去解密即可
#https://www.bejson.com/enc/rsa/
#
#请输入私钥
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAIb2tnnyvn/WoZnHEmDaGKuzLXv/ys0QXyvSzHhDi9KaFKTzDrpk
beXGeexQKk220RRZoNkZAl5b6mkNmyJTotcCAwEAAQJAaEb+vkI7xfJDcdlJ7eMU
5LTQE9qTCtX3cpiwussVoWWkCETWTdjKdcNyVfhHMTRGsUwZamczn8w/QJhJkfp6
wQIhALry6dMHRKoNMFYVzrV1W/Y2jOpNT/bibqOybasCI1t5AiEAuNBOHoEy2pBC
npU7zafxvM6zCWLUw4la/VIZhstLDM8CIQCumltqffpSfJjtfdaewaqPLWm1F1oc
8mR1PRuSQR/2uQIgeSKv0XbFqlScFe2jAS1vWV3yI9jPtEq3hQrnCF7/likCIGGV
+1CnPSWYGTQSCJ7sNhBcp8KQlFTs+r5dqO7jpv/c
-----END RSA PRIVATE KEY-----
#请输入要解密的签名
ftlPb8D748qunH47zQJAEa92qiFas6I7SxAsRIYmaJIOWFU6Bz5KsT9H64UKwVnH/pLD4bFzJwfIYc1Foeqdpg==
#解密结果
flag{this is good game do you think}Lv10 搜索引擎2
题目提示
If there is a shadow in front of you,don‘t be fear,that because sunshine behind ___. 好了不坑了(嘤嘤嘤 别打咱) 提交格式:flag{答案}
按照出题者思路应该是百度这段话后面填啥,然后填进去,但是我潜意识中觉得是填you,还真对了
Lv11 让我进去
题目提示
//轻松点 (开始正式的了)
///ctf/2.php
function GetIP(){
if(!empty($_SERVER["HTTP_CLIENT_IP"]))
$cip = $_SERVER["HTTP_CLIENT_IP"];
else if(!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
$cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
else if(!empty($_SERVER["REMOTE_ADDR"]))
$cip = $_SERVER["REMOTE_ADDR"];
else
$cip = "0.0.0.0";
return $cip;
}
$GetIPs = GetIP();
if ($GetIPs=="1.1.1.1"){
echo "flag{XXXX}";
}
else{
echo "错误!你的IP不在访问列表之内!(1.1.1.1)";
} 看起来是要伪造IP为1.1.1.1,直接用Client-Ip伪造就好,但是这里要注意的是不能使用burp,使用火狐自带的编辑重放就好,不然会响应超时,不知道为什么flag{Fuck Game}
Lv12 No js
题目提示
flag??没有的 别看了 f12也不管用
然后还是F12获取到了下面一串代码
<script type="text/javascript">
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('8 0(){1 0="";1 3="0";1 2="{";1 4="}";1 5="7 6 b a";1 0="0";0=3+2+5+4;9 0}',12,12,'flag|var|flag1|flag0|flag2|flag3|no|js|function|return|good|is'.split('|'),0,{}))
</script>可以比较轻松判断为JavaScript Eval Encode/Decode类型的题目
<!--http://www.oicqzone.com/tool/eval/ 在线解码可以轻易得到解码后的js代码,下面为解码后的结果-->
<script>
function flag() {
var flag = "";
var flag0 = "flag";
var flag1 = "{";
var flag2 = "}";
var flag3 = "js no is good";
var flag = "flag";
flag = flag0 + flag1 + flag3 + flag2;
return flag
}
</script>
<!--flag{js no is good}-->Lv13 简单的标题
题目没有什么特别的提示,F12获得一串字符串
<!-- <pre>iVBORw0KGgoAAAANSUhEUgAAAJYAAAAcCAIAAAAMSNELAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAAhdEVYdENyZWF0aW9uIFRpbWUAMjAxOTowNzoyMSAxMTo1OTo0NnMZAJkAAAeCSURBVGhD7ZoJU
FNXFEB/dkIUCMiOAtoFtO51wbrg7pSpVqxjW1vRulWLFRDBlUGtWldc6lKXui841elUK5a6VKtU3EfHqq1WCRCWECBA9q33//cak/B/SFq0k2nO
ZC7v3vdy/3/3vn/f+xlYj+saCA/uDBv/9eC2eFLo9nhS6PZ4Uuj2eFLo9nhS6PZ4Uuj22KfQqKiVzU+X9O9VPLgvqM+6xMAHdb04HF+lLOmDsknj
seIEro5/OXN8cdinUL50sTLvlH/GgrATp7CpOVBfLSgeNgArcJUvl5W8MwwrTWIykR/ncXX8y0Vz60b59ElFb3Uv6tmJNgiyRZnWqwriBtFDbVrsU6guu
AJSNCKB4+uHLM1C9bpVAQuysEIQ9UcPGYolWGmK0AO5ofuOYMUJXB3/MlH+dKZ88sccsTj825NtCm4Fb9mJO/5GeTbfUFpCcDhYJwiIG0QPK3TYp9CsVo
FkcblIbS70T/8U9n3+FP4/McrlVdkL+bEdWq1Yyw0NgyDz2kTiPgpDlax65VIogYTRiE0EAXEzFD3FCh02KbQ8vEzbAzzR5dMmop0S7sbU8Pz3VagP0g/fI4
tDwpCG0yftPRj0lmXBdBXdk8cVM6cWxXUjnS/LMqnVyG49zKzX1e7+ujQxoah3F5DKH08juzWujkfoS0sqM1JhajAF6Udj1YW/4g7mWTM5R6mSDOpDuno/UXX
xArLXH881K5W+SZ+w2PZPDkKetaDFqERBbAesU0DczDodVuiw8RV156GlYWlbU597WJyWGXHmvChhZMN3x2s2rkV2mH/FzCnGannI/tyQPYfqjxxEdlqYriLPXih
OmQPOBV26Nhw/VrttM+6wQjZ/bu3mnJZjxrW+WBi4bpPq5/O4gwHnx1fOniEa8TZcPWjLTmNZGUxHc+cW6mKaNa1zOA+WTRinunQhaMPWiLwLbB+fypSZmrt3oEt
95ReQXj17k19uRN2xIwZpqd+MZKw7Df1yYCIo5ytBTCzbW+SbNBlUy/pSfLPDrNGIk1OglxsU7J+xENkRsFoJLg8rzPh9Npv/WgzswX7JKaCqzuUjuzXqS+QVW4we
wxYI+NHtAlfiaDLh/HjfiVNEg4bC1IQ9eonnZEIpU+zYhrqYZk3rHFYebGbimbO9OnXhBASIZ6URZrNi+xbogt2EJfTW/f5IOu5dslyNGqHYv4d0BF2SopqcNQFLV
7B4fGSxgcsjY8iAaykER1BhFAf31mzdCKpRVons2ps3QFrWFz+2PWogVOfPCmwttAg6d0UNXkRrkIaKCqRaw4tuC7IqexEUK2RxjPPjhf0H4ha0e/UBqb1HPjoA06
xpncNkQQr7xyOV98qrIHV/PAJpUjYQRkPdgT1Bm7aHnz7HC29ds34VZNFsMskWpLdMHAtZp75kD0QPuaXFhRRCYSkeHl+1eJ6ppkYYR741wvqieghDuRQkxz8AqXa
nIVlmmu/kaVhhhi0UogZeiQY9pdkQuCqHH9NelZ9XkjBYvnq5Zb9kwtnxHA7Hxwe34QZatABpUmtAOpg1rXOjvApkybABaEuWxJHrEmWdxRfAruafPp8bHMJtFSieO
w+MsEEqdmwF536fp4FKC0QPYoiVRriQQjgsmaqrg7ftFs9KFfazOV6yRdScYZVRGOvqUAMRuGZD7d9F6V/Ci4oOO3oiaMMWblh4/eEDsrmzcQcDzo43mcwGA27D/V
eUg+QGB4N0MGta5+yW5FJofeka2uktHzByqerCCQ0DCaBiYyyT1u7cBrVX0qszyrrlLGZpQ/QghsjYGBdSqC96BpLXpg1I3aMHlA2DyoX29k2kam9dRw2E98Ahs
AFghYLFJ58z66i5hHf84JCd+6GhoQp4kzQ93mzW3Hx+z8r8PJDCAWRpdTBrhJ1zr67dyfaNQrKPwrKNeVPVVXf/HlL1zyjP0W2jbt5vnG/A0oboQQyRsTEupBDlq
eHU91D64dlHRoTvpKkgazat15cU654+UezegewIsq7aVkX+67Eg1ZcvwvkNWZwEzv3w7kFuTteugirsTW5aDnB+vHzFEqiZJpWyIe8Hxa7tnMAgv8mfgt3BrGmd
+06bAaeP6tUr1NcLTVqt9uGDiuTp1HDCZ8IkcFu96guIkqGyAhoEi+WXnIp6HWH1StYYF1LYaslKQcfOUFjKp0/0oc5mFuDuA7KWmlQqaWKCPHuR/7xFpJX5FBqw
eAm//RuyjFTpuNHY5ByiocNl8+ZI+vWs3bzeZ3xSq+WOfrYAnB8fMD8L4i7p3xsmCEs+9OAxOE+C3cGsaZ3DW13Irn1QJCtnTS+Oj4M3EHFKOhoPh+2QvYe5YRFw
Ii0dOdxsNEJ99rYtzv+AF/LvT7DEYD+HHSLi9DlkefZmx8irtx0sJQ9MwHYj6dMt8tpdrDfChafQMZaKD2iowmL9DsuLikJGD66iLizgRkZjhY5mS2HFjCnaB/fh
YK0uuAxvqSyRyHcKuZcg/NMyq7Jt3vc9OIl8yWL/1LlYoaPZCqnm7p2aNSu1D35je3t79ejpl5zCj26H+zy8SDz/Cuz2NFsh9fBf4Umhm0MQfwEltfvIq3kejAAA
AABJRU5ErkJggg==
</pre> -->注意到,这对字符串里面开头是iVBORw0KGgoAAAANSUhEUgAAA,不难判断为图片转base64后的特征,补全其他标签另存为html打开即可获得一张图片,图片内容即为flag
F12选图片看看
<img src="data:image/png;base64,iVBORw0KGgoAAA..." />
<!--flag{this is base64}-->Lv14 Unicode
题目提示\u0066\u006c\u0061\u0067\u007b\u0041\u0053\u0043\u0049\u0049\u005f\u0054\u0065\u0073\u0074\u005f\u0066\u006f\u0072\u005f\u0066\u0075\u006e\u007d
直接Unicode解码成字符串即可
flag{ASCII_Test_for_fun}
Lv15 凯撒大佬
题目提示
这就是答案 iodj{sdvvzrug lv}
简单的凯撒密码,对照可知f-i平移三位flag{password is}
Lv16 密码学
题目提示
上题都过了 别给我说你这题过不了 fa{o o r ih}lgwwyuaergt
简单的栅栏密码,每组字数二解密可获得flag
<!--https://www.qqxiuzi.cn/bianma/zhalanmima.php-->
fa{o o r ih}lgwwyuaergt
<!--每组字数2 解密-->
flag{wow you are right}Lv17 图片
题目提示
这是一张图片 但是我们考虑到您下载图片的麻烦所以我们将图片改后辍为xxx以便下载 /ctf/sos.xxx
访问路径后得到图片,下载到本地后使用binwalk分析
llmf@DESKTOP-CUGCI8H:/mnt/f/文档资料/CTF/HackGame$ binwalk sos.xxx.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
7589 0x1DA5 Zip archive data, at least v2.0 to extract, compressed size: 21, uncompressed size: 18, name: eng.key
7647 0x1DDF Zip archive data, at least v2.0 to extract, compressed size: 16569, uncompressed size: 16683, name: eng.png
24431 0x5F6F End of Zip archive, footer length: 22