前言
Web
Empty
進入到網頁後,看到有個怪怪標頭,感覺可以直接前往 
找到其中一段 
看一下cookie有什麼東東 
FLAG:THJCC{cookie_&_view_source_!} THJCC CTF
Blog
這題靠通靈 
密碼是這個 
username=admin password=iloveshark
FLAG:THJCC{w31c0me_h@cker} THJCC CTF
Reverse
Baby C
會發現這題只是XOR而已,反著回去就好,反正數值都給你了 截原題目程式
int main(){ char c[50]; int a[50]={44, 48, 50, 59, 59, 3, 16, 12, 12, 8, 11, 66, 87, 87, 15, 15, 15, 86, 1, 23, 13, 12, 13, 26, 29, 86, 27, 23, 21, 87, 15, 25, 12, 27, 16, 71, 14, 69, 75, 32, 59, 46, 53, 75, 63, 75, 8, 22, 11, 5}; scanf("%s", c); for(int i=0;i<50;i++){ if (((int)c[i]^120)!=a[i]){ printf("Password Incorrect!!!\n"); return 0; } } printf("Password Correct!!!\n"); return 0;}解題程式
int main() { int a[50] = {44, 48, 50, 59, 59, 3, 16, 12, 12, 8, 11, 66, 87, 87, 15, 15, 15, 86, 1, 23, 13, 12, 13, 26, 29, 86, 27, 23, 21, 87, 15, 25, 12, 27, 16, 71, 14, 69, 75, 32, 59, 46, 53, 75, 63, 75, 8, 22, 11, 5}; char c[51]; for(int i = 0; i < 50; i++) { c[i] = (char)(a[i] ^ 120); } printf("%s\n", c); return 0;}FLAG:THJCC{https://www.youtube.com/watch?v=3XCVM3G3pns}↗ THJCC CTF
PYC REVERSE
這題要把.pyc還原 用線上反編譯工具就好 反編譯的結果
#!/usr/bin/env python# visit https://tool.lu/pyc/ for more information# Version: Python 3.10
from FLAG import FLAGfrom Crypto.Util.number import bytes_to_long
def xor1(flag): return flag ^ 124789
def xor2(flag): return flag ^ 487531
def xor3(flag): return flag ^ 784523
def xor4(flag): return flag ^ 642871
def xor5(flag): return flag ^ 474745
flag = bytes_to_long(FLAG)count = 0count += 1if count == 1: flag = xor1(flag) count += 2 if count == 3: flag = xor2(flag) count += 1 if count == 4: flag = xor3(flag) count -= 2 else: flag = xor2(flag) count += 1else: flag = xor3(flag) count += 5if count == 2: flag = xor4(flag)elif count == 6: flag = xor5(flag)print(flag)發現跟著msg.txt逆著XOR回去就好 解題程式:
from Crypto.Util.number import long_to_bytesflag = FLAG = 10730390416708814647386325276467849806006354580175878786363505755256613965929606057246313695def xor1(flag): return flag ^ 124789def xor2(flag): return flag ^ 487531def xor3(flag): return flag ^ 784523def xor4(flag): return flag ^ 642871def xor5(flag): return flag ^ 474745count = 0count += 1if count == 1: flag = xor1(flag) count += 2 if count == 3: flag = xor2(flag) count += 1 if count == 4: flag = xor3(flag) count -= 2 else: flag = xor2(flag) count += 1else: flag = xor3(flag) count += 5if count == 2: flag = xor4(flag)elif count == 6: flag = xor5(flag)print(long_to_bytes(flag))FLAG:THJCC{pyc_rev3r3e_C3n_u32_on1i5e_t0Ol} THJCC CTF
Pwn
nc
連上nc後他會問你Never Gonna Give You Up的作者是誰
FLAG:THJCC{N3veR_g0nn4_l37_You_dOwn!!!} THJCC CTF
NPSC
我用垃圾寫法寫得 運算之久讓我感到疑惑
from pwn import *def max_score(balls): if not balls: return 0 max_score = 0 for i in range(len(balls)): score = balls[i] remaining_balls = balls[i+1:] for j in range(len(remaining_balls)): if score >= remaining_balls[j]: score += remaining_balls[j] else: break max_score = max(max_score, score) return max_score
io = remote('23.146.248.36', 30003)io.recvlines(4)
for round_ in range(3): print(f'=============== ROUND {round_+1} ===============') if round_ in [1, 2]: for _ in range(10): numbers = eval(io.recvline().decode().strip()) io.sendline(str(max_score(numbers)).encode()) result = io.recvline().decode().strip() print(f'Input: {numbers}') print(f'Output: {result}')io.interactive()Crypto
博元婦產科
其實也就解密這個TUFDVlZ7cFBwLnU0VXJmVGQzay52MEYubVB9Cg== 先憑直覺,Base64回去 
確實格式有對,然後試試看是不是凱薩 一個一個try會發現是位移19個 
FLAG:THJCC{wWw.b4BymAk3r.c0M.tW↗} THJCC CTF
Baby RSA
只要用線上的rsa decoder就好了 
FLAG:THJCC{small_eeeee_can_be_pwned_easily} THJCC CTF
《SSS.GRIDMAN》
在題目中看到會生成二次方程式的樣子
def random_ploy(): poly=[] for i in range(2): poly.append(random.randint(99,999)) return polypolyc 被定義為這兩個係數加上secret用成常數項:
polyc =random_ploy()polyc.append(secret)poly_enc = numpy.poly1d(polyc)numpy.poly1d(polyc) 會 return ax^2 + bx + c 的二次方程式,其中 a 和 b 是隨機的,c 是secret f(x_value, y_value, x) 給定一系列的資料點(x_value, y_value),函數計算了多項式在 x 點的值。 其中,shares是題目給我的資料點,就可以找到了。 總體而現 就是藉由三個點找到方程式的常數項而已。 參考文獻:拉格朗日插值多項式↗ 解決程式:
def f(x_value, y_value, x): result = 0 for i in range(len(x_value)): temp = y_value[i] for j in range(len(x_value)): if j != i: temp = temp * (x - x_value[j]) / (x_value[i] - x_value[j]) result += temp return resultshares = [(139, 3875728327), (982, 4473718807), (707, 4179926407)] #把點點丟進來x_value, y_value = zip(*shares)secret = f(x_value, y_value, 0)print("密碼是:", int(secret))
FLAG:THJCC{SSS_1s_a_c001_w2y_t0_pr0t3c7_s3c23t} THJCC CTF
Misc
原神帳號外流
會有一個登入介面,要從網路封包去抓取 
打開封包來看,每一組都試一遍,FLAG就噴出來了 
FLAG:
THJCC{W3r3_sHarKKKKKK_MasT3R_C8763}THJCC CTF
PyJail-0
這是題目執行程式
WELCOME=''' ____ _ _ _| _ \ _ _ | | __ _(_) || |_) | | | |_ | |/ _` | | || __/| |_| | |_| | (_| | | ||_| \__, |\___/ \__,_|_|_| |___/'''
def main():
print("-"*30) print(WELCOME) print("-"*30) print("Try to escape!!This is a jail") a=input("> ") eval(a)
if __name__ == '__main__': main()會發現只要能跳過就可以 所以只要輸入eval(input()) 然後拿到存取的方式__import__('os').system('sh') 
這樣就拿到了
FLAG:THJCC{Use_M2g1c_f2un3ti0n_in_P9Ja1l!!} THJCC CTF
PyJail-1
WELCOME=''' ____ _ _ _| _ \ _ _ | | __ _(_) || |_) | | | |_ | |/ _` | | || __/| |_| | |_| | (_| | | ||_| \__, |\___/ \__,_|_|_| |___/'''
def main(): try: print("-"*30) print(WELCOME) print("-"*30) print("Try to escape!!This is a jail") print("I increased security!!!") a=input("> ") if len(a)<15: eval(a) else: print("Don't escape!!") except: print("error") exit()
if __name__ == '__main__': main()感覺相較上一題變複雜了,但是用同一個策略還是行的通 
FLAG:THJCC{Inp3t_b9p2sss_lim1t_1n+p3j2i1!} THJCC CTF