【WriteUp】CryptixCTF'19 Solutions

After RoarCTF wore me out, I came to this competition to relax a bit.

Finally…

Hidden deep within

Description:

“This is just noise… There is nothing….”

Is it?


Solution:

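An LSB steganography challenge. On the first pass, use StegSolve and save the extracted hexadecimal values as a bin file;
on the second pass the flag is directly visible.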


Flag:

flag{st3g4n0gr4phy_i5_34sy}

Pure Magic

Description:

Like all fairy tails, you need a passphrase to pass through the cave and get the flag!

https://cryptixctf.com/web3

NOTE: The flag format is flag{XXXXX} as usual.


Solution:

The page has only a password field; entering anything returns the string

Please just stop guessing.

Entering the usual injection string 1'or'1'='1 returns the following text

You thought it would be that easy?! Hahaha. There is no flag.
But since you have passed the phrase check, here is the query
SELECT * FROM data where password='XXXXX' :)


Flag:


Crack it

Description:

Some weird kind of key checking is going on for the flag.
See if you can get the right key!


Solution:


Flag:


Welcome to the real deal

Hash Hash Hash

Description:

Recently, n00b learned about Hashing.
But, he finds nothing special in it. So he decides to make a Hashing algorithm himself.
Now he is boasting about it. He is so confident that he even provided the algorithm and challenges everyone to crack it.
Put him back onto the ground


Solution:


Flag:


Let’s climb the ladder

Description:

Here is an executable. You know what to do.

Note: The flag format is as usual flag{XXXX…}


Solution:

Key part of the program

__int64 __fastcall check(const char *a1)
{
  if ( (unsigned int)strlen(a1) != 21 )
    return fail();
  if ( a1[7] != a1[16] )
    return fail();
  if ( a1[1] != a1[11] )
    return fail();
  if ( a1[2] != a1[8] )
    return fail();
  if ( a1[8] != a1[18] )
    return fail();
  if ( a1[3] != a1[17] )
    return fail();
  if ( a1[5] != a1[20] )
    return fail();
  if ( a1[9] != a1[10] )
    return fail();
  if ( a1[12] != a1[19] )
    return fail();
  if ( *a1 != 114 )
    return fail();
  if ( a1[2] - a1[1] != 1 )
    return fail();
  if ( a1[10] - a1[8] != 1 )
    return fail();
  if ( a1[2] != 52 )
    return fail();
  if ( a1[3] + *a1 != 214 )
    return fail();
  if ( a1[4] - a1[3] != 5 )
    return fail();
  if ( a1[5] + a1[6] != 213 )
    return fail();
  if ( a1[5] - a1[6] != 7 )
    return fail();
  if ( a1[7] - a1[8] != 43 )
    return fail();
  if ( a1[12] + a1[13] != 207 )
    return fail();
  if ( a1[12] * a1[13] != 10682 )
    return fail();
  if ( a1[15] - a1[14] != 13 )
    return fail();
  if ( a1[15] - *a1 == 7 )
    return success();
  return fail();
}

Just write a Python script that follows these checks.

res = []
for i in range(0, 21):
    res.append(0)

res[0] = 114
res[2] = 52
res[1] = res[2] - 1
res[5] = 110
res[6] = 103
res[12] = 109
res[13] = 98
res[20] = res[5]
res[15] = res[0] + 7
res[19] = res[12]
res[11] = res[1]
res[8] = res[2]
res[7] = res[8] + 43
res[18] = res[8]
res[10] = res[8] + 1
res[3] = 214 - res[0]
res[17] = res[3]
res[14] = res[15] - 13
res[4] = res[3] + 5
res[16] = res[7]
res[9] = res[10]

for i in range(0, 21):
    res[i] = chr(res[i])
print(''.join(res))

Flag:

flag{r34ding_4553mbly_d4mn}
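
As an added example (not part of the original write-up), the decompiled check() can be ported to Python to test candidate keys. Solving the a1[12]/a1[13] sum-and-product pair both ways shows that the checker accepts two keys, of which only the one above reads as the flag; the names check, pairs and all_keys are chosen here.

```python
# Added example: Python port of the decompiled check(), used to test candidate keys.
EQUAL = [(7, 16), (1, 11), (2, 8), (8, 18), (3, 17), (5, 20), (9, 10), (12, 19)]


def check(key):
    """Return True when key satisfies every condition of the decompiled check()."""
    a = [ord(c) for c in key]
    if len(a) != 21 or any(a[i] != a[j] for i, j in EQUAL):
        return False
    return (a[0] == 114 and a[2] - a[1] == 1 and a[10] - a[8] == 1
            and a[2] == 52 and a[3] + a[0] == 214 and a[4] - a[3] == 5
            and a[5] + a[6] == 213 and a[5] - a[6] == 7
            and a[7] - a[8] == 43 and a[12] + a[13] == 207
            and a[12] * a[13] == 10682 and a[15] - a[14] == 13
            and a[15] - a[0] == 7)


def pairs(total, product):
    """All printable (x, y) with x + y == total and x * y == product."""
    return [(x, total - x) for x in range(32, 127)
            if 32 <= total - x < 127 and x * (total - x) == product]


def all_keys():
    """Build every key the checker accepts; only a[12]/a[13] is ambiguous."""
    keys = []
    for x, y in pairs(207, 10682):
        a = [0] * 21
        a[0], a[2] = 114, 52
        a[1] = a[11] = a[2] - 1
        a[8] = a[18] = a[2]
        a[9] = a[10] = a[8] + 1
        a[7] = a[16] = a[8] + 43
        a[3] = a[17] = 214 - a[0]
        a[4] = a[3] + 5
        a[5] = a[20] = (213 + 7) // 2
        a[6] = 213 - a[5]
        a[15] = a[0] + 7
        a[14] = a[15] - 13
        a[12] = a[19] = x
        a[13] = y
        keys.append("".join(map(chr, a)))
    return keys


if __name__ == "__main__":
    for k in all_keys():
        print(k, check(k))
```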

Your ID please

Description:

This is super secure, confidential research. You are just not meant to access it. Don’t even try, it’s futile.
Okay, you don’t believe me? have the source code too!
https://cryptixctf.com/web4/php_code.txt

https://cryptixctf.com/web4


Solution:

Here is the source code

include_once 'flag.php';

if($_SERVER["REQUEST_METHOD"] == "POST"){
    if(isset($_POST["ID"])&&isset($_POST["pwd"])){
        if(strcmp($secretpassphrase, $_POST["pwd"]) == 0){
            echo "Hey, you are in! " . $_POST["ID"] . "<br>";
            if($_POST["ID"] == "SuperUser1337"){
                echo "Your Flag: " . $flag;
            }
        }else{
            echo "<script type='text/javascript'>alert('Unable to Login');</script>";
        }
    }
}

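The parameters are sent by POST, and the ID variable must have the value SuperUser1337.
The value of pwd must not equal the value of the variable secretpassphrase.

Since this is a challenge, my guess is that secretpassphrase can match any string,
so if we change the type of pwd to an array it will never be equal to a string.
POSTing the following data is enough:

ID=SuperUser1337&pwd[]=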

Flag:

flag{Why_Juggl3_th3_Typ5}

Still Manageable

The Spy

Description:

You have been eavesdropping a conversation between two suspects who may know something about the flag. The conversation goes like this:

HackCrypt1337: Do you know, primes are great way to hide secrets!

n00b1001: Whatt..? primes? I don’t believe you

HackCrypt1337: You are being too loud!, remember this number, 3073416132828889709313918053975078361304902307, it will be useful to understand the flag. and one more is……
Oh no! Someone is here, you can guess other one yourself. It is trivial anyways.
Here, keep this number safe with you!
1217323181436745647195685030986548015017805440

And they leave….

Get the flag!


Solution:

An RSA challenge; a script is all it takes.

The exploit script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import gmpy2
import binascii

# p and q are the two prime factors of n
p = gmpy2.mpz(13558774610046711780701)
q = gmpy2.mpz(226673591177742970257407)
n = gmpy2.mpz(3073416132828889709313918053975078361304902307)
e = gmpy2.mpz(65537)
phi_n = (p - 1) * (q - 1)
d = gmpy2.mpz(gmpy2.invert(e, phi_n))  # modular inverse of e mod phi(n)
c = gmpy2.mpz(1217323181436745647195685030986548015017805440)
m = pow(c, d, n)
m_hex = hex(m)[2:]
print("ascii:\n%s" % (binascii.a2b_hex(m_hex).decode("utf8")))

Flag:

flag{w3ak_R5A_bad}

Weird machine

Description:

Recently, H4c3R1337 came across a weird machine, which keeps spitting 0 or 1. He wrote down the complete sequence in a file

He decided to find out what it means, but could barely manage to recover an incomplete python script from the machine.
Help him to find out


Solution:

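This challenge really burned me; only then did I learn that Python 2 and Python 3 differ in how they pick random numbers.

At first, after writing the py2 script, I tried many times and could not brute-force it.

But ciphertext I encrypted myself did come out (because it was also encrypted in a py2 environment).

Then I switched to py3 and it came out right away.

The exploit script: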

# This problem needs Python3
import string
import random

str_sed = '000010010101110100011000010100110011110101100010011000000001111100110101'\
          '011000110101010100110100010010110101101001010101001101100110110000111100'\
          '011000010001111000001011000011010000100000000001010101100011100000100101'
list_sed = []
alphanum = string.ascii_letters + string.digits

# Split the bit string into bytes
for i in range(0, len(str_sed), 8):
    list_sed.append(int('0b' + str_sed[i: i + 8], 2))


def check(str_res):
    # Accept only candidates made of printable characters
    for j in str_res:
        if ord(j) < 32 or ord(j) > 127:
            return False
    return True


def brute_force(rand_seed):
    global list_sed
    global alphanum
    rand_string = ''
    message = ''
    random.seed(rand_seed)
    for j in range(len(list_sed)):
        rand_string += alphanum[random.randint(1, 1000) % len(alphanum)]
    for j in range(len(list_sed)):
        message += chr(list_sed[j] ^ ord(rand_string[j]))
    # print('[\033[0;32m+\033[0m]num ' + str(rand_seed) + ' :' + message)
    return message


for i in range(0, 10001):
    try:
        res = brute_force(i)
        if check(res):
            print('[\033[0;32m+\033[0m]flag is ' + res)
    except Exception:
        pass
        # print('[\033[0;31m-\033[0m]There is something wrong')

Flag:

flag{R4nd0m_s33d_s4v3d_y0u}
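
The version difference described above, as an added example that is not the author's script: Python 2's randint() scaled random(), while Python 3's draws through getrandbits(), so the same integer seed yields different keystreams. keystream_py2 emulates the Python 2 formula under Python 3, and the message and seed 4242 are constructed; the 0..10000 seed range is the one the exploit script searches.

```python
import random
import string

ALPHANUM = string.ascii_letters + string.digits


def keystream_py3(seed, n):
    """Keystream as Python 3 produces it: randint() draws via getrandbits()."""
    rng = random.Random(seed)
    return [ord(ALPHANUM[rng.randint(1, 1000) % len(ALPHANUM)]) for _ in range(n)]


def keystream_py2(seed, n):
    """Emulates Python 2's randint(a, b): a + int(random() * (b - a + 1))."""
    rng = random.Random(seed)
    return [ord(ALPHANUM[(1 + int(rng.random() * 1000)) % len(ALPHANUM)])
            for _ in range(n)]


def xor(data, seed, keystream):
    """XOR data with the keystream derived from seed (same call encrypts and decrypts)."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


def recover(cipher, prefix=b"flag{", max_seed=10000):
    """Try every seed under both generators; keep results with the known prefix."""
    hits = []
    for name, ks in (("py2", keystream_py2), ("py3", keystream_py3)):
        for seed in range(max_seed + 1):
            plain = xor(cipher, seed, ks)
            if plain.startswith(prefix):
                hits.append((name, seed, plain))
    return hits


if __name__ == "__main__":
    # Constructed sample, not the challenge file: encrypted with the Python 3 generator.
    cipher = xor(b"flag{constructed_sample}", 4242, keystream_py3)
    print(recover(cipher))
```

A seed space this small gives the keystream no secrecy regardless of generator; key material belongs to the secrets module or os.urandom, not a seeded random.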

Moving On

Mixed Up

Description:

Here is a text file containing some information. Try to gain this information, hopefully you will find your flag.


Solution:

Just decrypt it at the site below, choosing the static mode

https://quipqiup.com/


Flag:

flag{freqanalysisworkxzz}

Where to run this

Description:

Here is a zip file
We were wondering what it does….but colorful tiles are awesome!

Can you find the secret?

Note: The flag is in usual format i.e. flag{XXXX…}


Android reversing; the main code is in classes2.dex

package com.example.password;

import android.support.v7.app.AppCompatActivity;

public abstract class AppComputActivity extends AppCompatActivity {
    int a = 57;
    int b = 29;
    int[] key = new int[]{4817, 6356, 3107, 6014, 2993, 6584, 5444, 2195, 5444, 4817, 6527, 6014, 3050};

    /* Access modifiers changed, original: 0000 */
    public int obf(String val) {
        for (int i = 0; i < val.length(); i++) {
            if ((this.a * val.charAt(i)) + this.b != this.key[i]) {
                return 0;
            }
        }
        return 1;
    }
}

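Write a script that inverts the computation and that's it.

from __future__ import print_function
key = [4817, 6356, 3107, 6014, 2993, 6584, 5444, 2195, 5444, 4817, 6527, 6014, 3050]
for i in range(0, len(key)):
    # Invert a * c + b with a = 57, b = 29; integer division so chr() gets an int
    print(chr((key[i] - 29) // 57), end="")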

Flag:

flag{To6i4s_&_Tri5}

Infiltrate

Description:

You need to have a username and password to log in. Yes! you need to have it!

https://cryptixctf.com/web2


Solution:

Simple SQL injection

Enter 1'or'1'or'1 as the account and anything as the password


Flag:

flag{s1mpl3_5QL_1nj3cti0n}
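
Why both payloads on this page work, and the fix, as an added example that is not the challenge's code: it reuses the query leaked in Pure Magic, with SQLite standing in for the unknown backend and a constructed table row. The Infiltrate query is not shown on the page, so the same single-column shape is assumed for it.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the challenge table (schema and row are constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE data (password TEXT)")
    db.execute("INSERT INTO data VALUES ('constructed-passphrase')")
    return db


def lookup_concat(db, pwd):
    """Vulnerable: user input is pasted into the SQL text, as in the leaked query."""
    sql = "SELECT * FROM data where password='%s'" % pwd
    return sql, db.execute(sql).fetchall()


def lookup_bound(db, pwd):
    """Hardened: the input is bound as a value and never parsed as SQL."""
    return db.execute("SELECT * FROM data WHERE password = ?", (pwd,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for pwd in ("wrong", "1'or'1'='1", "1'or'1'or'1", "constructed-passphrase"):
        sql, rows = lookup_concat(db, pwd)
        # The quote in the input closes the literal, so the rest is parsed as an OR clause.
        print("%-50s concat=%d bound=%d" % (sql, len(rows), len(lookup_bound(db, pwd))))
```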

Make yourself comfortable

Welcome gift

Description:

Now that you are here, and want some free points
Here is a gift, open it.
ZmxhZ3t3ZWxjb21lX3RvX2NyeXB0aXhDVEZfYmFzZTY0aXRpc30K


Solution:

Just Base64-decode it.


Flag:

flag{welcome_to_cryptixCTF_base64itis}

You made it here!

Description:

Remember, you have to get the flag.

https://cryptixctf.com/web1


Solution:

The first part is found in the page source

<!-- Came for the flag? Bingo!
first part: flag{Pr3tty_
-->

The second part is found in https://cryptixctf.com/web1/style.css

/* second part: b4s1c_ */

The third part is found in https://cryptixctf.com/web1/script.js

// last part: 5tuff}

Flag:

flag{Pr3tty_b4s1c_5tuff}

Secret Code

Description:

Here is a program which gives you flag only after giving the secret code.
Can you get the flag?


Solution:

Drag it into IDA and the flag is directly visible in the main function.


Flag:

flag{sTring5_To_tH3_R35cU3}