Jarvis OJ BASIC 完整writeup

握手包

给你握手包,flag是Flag_is_here这个AP的密码,自己看着办吧。

提交格式:flag{WIFI密码}

利用 hashcat 爆破, 以 Arch Linux 为例

1
2
3
4
5
6
# 安装必要工具
sudo pacman -S hashcat hashcat-utils
# 格式转换
cap2hccapx wifi.cap wifi.hccapx
# 用字典爆破
hashcat -m 2500 wifi.hccapx 10k_most_common.txt

很快就跑出了结果
e56452df7244988624af174fa692d81d:560a64ffe917:b8ee65ac640b:Flag_is_here:11223344

flag 为 flag{11223344}

德军的密码

已知将一个flag以一种加密形式为使用密钥进行加密,使用密钥WELCOMETOCFF加密后密文为000000000000000000000000000000000000000000000000000101110000110001000000101000000001 请分析出flag。Flag为12位大写字母 题目来源:CFF2016

密钥长度 12 位, 密文长度 84 位. 初步推断密文七位一组.

尝试将密文七位一组转成数字以后与密钥进行各种运算, 最终试出 flag 是异或得到的 WELCOMECISRG

(查了一下这种密码其实叫 费纳姆密码 )

-.-字符串

请选手观察以下密文并转换成flag形式

..-. .-.. .- --. ..... ..--- ..--- ----- .---- ---.. -.. -.... -.... ..... ...-- ---.. --... -.. .---- -.. .- ----. ...-- .---- ---.. .---- ..--- -... --... --... --... -.... ...-- ....- .---- -----

flag形式为32位大写md5

题目来源:CFF2016

摩斯密码, 解码后得到 FLAG522018D665387D1DA931812B77763410

A Piece Of Cake

nit yqmg mqrqn bxw mtjtm nq rqni fiklvbxu mqrqnl xwg dvmnzxu lqjnyxmt xatwnl, rzn nit uxnntm xmt zlzxuuk mtjtmmtg nq xl rqnl. nitmt vl wq bqwltwlzl qw yivbi exbivwtl pzxuvjk xl mqrqnl rzn nitmt vl atwtmxu xamttetwn xeqwa tsftmnl, xwg nit fzruvb, nixn mqrqnl ntwg nq gq lqet qm xuu qj nit jquuqyvwa: xbbtfn tutbnmqwvb fmqamxeevwa, fmqbtll gxnx qm fiklvbxu ftmbtfnvqwl tutbnmqwvbxuuk, qftmxnt xznqwqeqzluk nq lqet gtamtt, eqdt xmqzwg, qftmxnt fiklvbxu fxmnl qj vnltuj qm fiklvbxu fmqbtlltl, ltwlt xwg exwvfzuxnt nitvm twdvmqwetwn, xwg tsivrvn vwntuuvatwn rtixdvqm - tlftbvxuuk rtixdvqm yivbi evevbl izexwl qm qnitm xwvexul. juxa vl lzrlnvnzntfxllvldtmktxlkkqzaqnvn. buqltuk mtuxntg nq nit bqwbtfn qj x mqrqn vl nit jvtug qj lkwnitnvb rvquqak, yivbi lnzgvtl twnvnvtl yiqlt wxnzmt vl eqmt bqefxmxrut nq rtvwal nixw nq exbivwtl.

一堆看不懂的玩意儿, 可能是凯撒或者替代密码之类的

找各种网站试试, 最后试出来是替代密码, 解密网站: https://quipqiup.com/

解密结果

​ the word robot can refer to both physical robots and virtual software agents, but the latter are usually referred to as bots. there is no consensus on which machines qualify as robots but there is general agreement among experts, and the public, that robots tend to do some or all of the following: accept electronic programming, process data or physical perceptions electronically, operate autonomously to some degree, move around, operate physical parts of itself or physical processes, sense and manipulate their environment, and exhibit intelligent behavior - especially behavior which mimics humans or other animals. flag is substitutepassisveryeasyyougotit. closely related to the concept of a robot is the field of synthetic biology, which studies entities whose nature is more comparable to beings than to machines.

flag is substitutepassisveryeasyyougotit

Shellcode

啥鬼畜题目...

在 Windows 用 shellcodeexec 跑一下得到结果...

Help!!

先是伪加密, zip -FF 修复一下. 再解压 .docx 找到隐藏的图片文件

PGTF [You_Know_moR3_4boUt_woRd}

Baby's Crack

很简单的加密算法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from Crypto.Util import number

cipher = open('./flag.enc', 'rb').read()

def wtf(n):
if 47 < n <= 96:
return n + 53
elif n <= 46:
return n % 11
else:
return 61 * (n // 61)

d = {wtf(i): i for i in range(255)}

p = ''.join((chr(d[i]) for i in cipher))
print(number.long_to_bytes(int(p, 16)).decode())

熟悉的声音

两种元素, 声音, 联想到摩斯电码, 解密得到 JBLUWEWNZ

然而其实并不是最终 flag, 还套了一层凯撒......

取证

搜吧, 最后搜到是 Volatility

ROPGadget

用 pwntools 的 asm 命令编译一下

1
asm('xchg eax, esp;ret;mov ecx, [eax];mov [edx], ecx;pop ebx;ret').encode('hex').upper()

Easy RSA

N 这么小, 直接用 factor 命令就能分解

1
2
3
4
5
6
7
8
9
10
import gmpy2
from Crypto.Util import number

c = 0xdc2eeeb2782c
p, q = 13574881, 23781539
n = p * q
e = 23
d = gmpy2.invert(e, (p-1) * (q-1))
m = pow(c, d, n)
print(number.long_to_bytes(m))

爱吃培根的出题人

培根密码

Secret

藏在 HEADERS 里

Easy Crackme

拖进 IDA F5, 整理一下以后其实是这样的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v3; // rdi
char v5[6]; // [rsp+0h] [rbp-38h]
char v6[28]; // [rsp+10h] [rbp-28h]

v5[0] = 0xABu;
v5[1] = 0xDDu;
v5[2] = 0x33;
v5[3] = 0x54;
v5[4] = 0x35;
v5[5] = 0xEFu;
printf("Input your password:");
_isoc99_scanf("%s");
if ( strlen(v6) == 26 )
{
v3 = 0LL;
if ( (v6[0] ^ 0xAB) == list1[0] )
{
while ( (v6[v3 + 1] ^ v5[(v3 + 1) % 6]) == list1[v3 + 1] )
{
if ( ++v3 == 25 )
{
printf("Congratulations!");
return 0;
}
}
}
}
printf("Password Wrong!! Please try again.");
return 0;
}

来尝试一下不同的解法

爆破

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
#include <stdio.h>

unsigned char list1[] = {
0xFB, 0x9E, 0x67, 0x12, 0x4E, 0x9D, 0x98, 0xAB, 0x00, 0x06,
0x46, 0x8A, 0xF4, 0xB4, 0x06, 0x0B, 0x43, 0xDC, 0xD9, 0xA4,
0x6C, 0x31, 0x74, 0x9C, 0xD2, 0xA0, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00
};

unsigned char v5[] = {
0xAB, 0xDD, 0x33, 0x54, 0x35, 0xEF
};

int main(void)
{
char flag[27] = {0};
for (int i = 0; i < 26; i++) {
for (char c = ' '; c <= '~'; c++) {
if ((c ^ v5[i % 6]) == list1[i]) {
printf("%c", c);
break;
}
}
}

return 0;
}

(tcc -run - 可以直接从标准输入读取代码然后执行, 妙啊妙啊)

flag PCTF{r3v3Rse_i5_v3ry_eAsy}

z3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from z3 import *
list1 = [
0xFB, 0x9E, 0x67, 0x12, 0x4E, 0x9D, 0x98, 0xAB, 0x00, 0x06,
0x46, 0x8A, 0xF4, 0xB4, 0x06, 0x0B, 0x43, 0xDC, 0xD9, 0xA4,
0x6C, 0x31, 0x74, 0x9C, 0xD2, 0xA0, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00
]
v5 = [0xAB, 0xDD, 0x33, 0x54, 0x35, 0xEF]
flag = [BitVec(f'f{i}', 8) for i in range(26)]

solver = Solver()
for i in range(26):
solver.add((flag[i] ^ v5[i % 6]) == list1[i])

assert solver.check() == sat
m = solver.model()
for c in flag:
print(chr(m[c].as_long()), end='')

很快很棒棒

pin

M4x 师傅推荐的妙妙工具. 来尝试一下.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#!/usr/bin/env python

from subprocess import Popen, PIPE
from string import printable
from sys import argv

PIN = '/home/aloxaf/Program/pin/pin'
INSCOUNT32 = '/home/aloxaf/Program/pin/source/tools/ManualExamples/obj-ia32/inscount0.so'
INSCOUNT64 = '/home/aloxaf/Program/pin/source/tools/ManualExamples/obj-intel64/inscount0.so'

class Pin:
def __init__(self, program, arch=32, charset=printable, padding='_'):
self.program = program
self.inscount = INSCOUNT32 if arch == 32 else INSCOUNT64
self.charset = charset
self.padding = padding
# print(program)

def run_pin(self, payload):
args = [PIN, '-t', self.inscount, '--', self.program]
p = Popen(args, stdin=PIPE, stdout=PIPE)
out = p.communicate(payload.encode())
# print(out)
return int(open('./inscount.out').read().split()[1])

def guess_length(self):
inscount = []
payload = ''
for _ in range(100):
payload += self.padding
inscount.append(self.run_pin(payload))

delta1 = inscount[-1] - inscount[-2] if len(inscount) >= 2 else None
delta2 = inscount[-2] - inscount[-3] if len(inscount) >= 3 else None

print('len={}\tins={}\tdelta={}'.format(
len(payload), inscount[-1], delta1))
if delta2 is not None and delta1 != delta2:
self.len = len(payload)

print(f'key length is {self.len}? (y/n) ', end='')
if input().strip() == 'y':
return self.len
print("Can't guess key length!\nPlease input your guess: ", end='')
self.len = int(input())

def guess_key(self):
payload = [self.padding] * self.len
for i in range(self.len):
inscount = []
for c in self.charset:
payload[i] = c
_payload = ''.join(payload)
inscount.append(self.run_pin(_payload))

delta1 = inscount[-1] - inscount[-2] if len(inscount) >= 2 else None
delta2 = inscount[-2] - inscount[-3] if len(inscount) >= 3 else None

print('\rpayload:{}\tins={}\tdelta={}'.format(
_payload, inscount[-1], delta1), end='')
if delta2 is not None and delta1 != delta2:
# print(f'fount {c} !')
print('')
break
else:
print("Didn't find password!")
return None
print(''.join(payload))
return ''.join(payload)

if __name__ == '__main__':
if len(argv) != 1:
p = Pin(*argv[1:])
if p.guess_length():
p.guess_key()

写得很长 = = , 因为进行了封装

看起来好像很划不来的样子, 不过这样可以重复利用~

公倍数

请计算1000000000以内3或5的倍数之和。

如:10以内这样的数有3,5,6,9,和是23

请提交PCTF{你的答案}

1
2
3
4
_3 = (3 + 1000000000 // 3 * 3) * (1000000000 // 3) // 2
_5 = (5 + 1000000000 - 15) * (1000000000 // 5 - 1) // 2
_15 = (15 + 1000000000 // 15 * 15) * (1000000000 // 15) // 2
print(_3 + _5 - _15)

注意是 1000000000 以内

神秘的文件

出题人太懒,还是就丢 了个文件就走了,你能发现里面的秘密吗?

file 一下.

1
haha: Linux rev 1.0 ext2 filesystem data, UUID=8eecd08f-bae8-41ff-8497-8338f58ad15b

挂上去发现一堆小文件, 里面各有一个字符
写个 zsh 脚本跑一下

1
2
3
4
5
mkdir loli
sudo mount haha loli
for i ({0..253}) {
cat $i
}

结果

1
Haha ext2 file system is easy, and I know you can easily decompress of it and find the content in it.But the content is spilted in pieces can you make the pieces together. Now this is the flag PCTF{P13c3_7oghter_i7}. The rest is up to you. Cheer up, boy.

veryeasyRSA

已知RSA公钥生成参数:

p = 3487583947589437589237958723892346254777 q = 8767867843568934765983476584376578389

e = 65537

求d =

请提交PCTF{d}

1
2
3
4
5
import gmpy2
p = 3487583947589437589237958723892346254777
q = 8767867843568934765983476584376578389
e = 65537
print(gmpy2.invert(e, (p-1) * (q-1)))

美丽的实验室logo

出题人丢下个logo就走了,大家自己看着办吧

拖到 StegSolve 里用 Frame Browser......

还行......

手贱

某天A君的网站被日,管理员密码被改,死活登不上,去数据库一看,啥,这密码md5不是和原来一样吗?为啥登不上咧?

d78b6f302l25cdc811adfe8d4e7c9fd34

请提交PCTF{原来的管理员密码}

多了一位, 某个不属于 hexdigits 的字符混进来了

段子

程序猿圈子里有个非常著名的段子:

手持两把锟斤拷,口中疾呼烫烫烫。

请提交其中"锟斤拷"的十六进制编码。(大写)

FLAG: PCTF{你的答案}

段子

程序猿圈子里有个非常著名的段子:

手持两把锟斤拷,口中疾呼烫烫烫。

请提交其中"锟斤拷"的十六进制编码。(大写)

FLAG: PCTF{你的答案}

1
''.join(f'{i:X}' for i in '锟斤拷'.encode('GBK'))

veryeasy

使用基本命令获取flag

1
2
3
curl https://dn.jarvisoj.com/challengefiles/veryeasy.d944f0e9f8d5fe5b358930023da97d1a --output - | grep -aoP 'PCTF{.+?}'
# or
curl https://dn.jarvisoj.com/challengefiles/veryeasy.d944f0e9f8d5fe5b358930023da97d1a --output - | strings | rg PCTF

PCTF{strings_i5_3asy_isnt_i7}

关于USS Lab.

USS的英文全称是什么,请全部小写并使用下划线连接_,并在外面加上PCTF{}之后提交

PCTF{ubiquitous_system_security}

base64?

GUYDIMZVGQ2DMN3CGRQTONJXGM3TINLGG42DGMZXGM3TINLGGY4DGNBXGYZTGNLGGY3DGNBWMU3WI===

base32 再转 ASCII: rax2 -s $(base32 -d)

结果 PCTF{Just_t3st_h4v3_f4n}