BCACTF

Ghostgame

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

##########    ##########    ##########    ##########    ##########
#        #    #        #    #        #    #        #    #        #
#        #    #        #    #        #    #        #    #        #
#     #  #    #     #  #    #     #  #    #     #  #    #     #  #
#        #    #        #    #        #    #        #    #        #
#        #    #        #    #        #    #        #    #        #
##########    ##########    ##########    ##########    ##########

### SO MANY DOORS, WHICH ONE TO CHOOSE??? ###

import random
FLAG = 'REDACTED'
REQ_WINS = 10
DOORS = 10
usr_choice = ''
random.seed(123049)
print(random.seed(123049))
wins = 0
#4257759040
def play():
    comp_choice = random.randint(-10000, 10000)
    comp_choice %= DOORS
    print(comp_choice)
    print(f'\nYou are presented with {DOORS} doors, {DOORS - 1} are haunted and 1 will allow you to pass.')
    door_choice = int(input('Which will you choose?\n'))
    print(f'\nYou chose door {door_choice}...')
    return door_choice == comp_choice
print(f'Welcome to Ghost Game! Win {REQ_WINS} times in a row for your reward.')
while True:
    print('\n1. Play\n2. Quit')
    usr_choice = input()
    if usr_choice == '1':
        if play():
            print('You chose the right door and survived! Phew.')
            wins += 1
        else:
            print('That door had a ghost behind it. RIP.')
            wins = 0
    elif usr_choice == '2':
        break
    else:
        print('Invalid input.')
    if wins >= REQ_WINS:
        print('You must have insane luck! Here is your treasure:')
        print(FLAG)

这题用的是随机数的seed,知道了seed,打印出随机数输入就行

Pwnmanager

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
HASHEDPWD = '111210122915474114123027144625104141324527134638392719373948'
#bcactf{5ecure_pa55w5rd_23rj13}
key = {
    'a':10,
    'b':11,
    'c':12,
    'd':13,
    'e':14,
    'f':15,
    'g':16,
    'h':17,
    'i':18,
    'j':19,
    'k':20,
    'l':21,
    'm':22,
    'n':23,
    'o':24,
    'p':25,
    'q':26,
    'r':27,
    's':28,
    't':29,
    'u':30,
    'v':31,
    'w':32,
    'x':33,
    'y':34,
    'z':35,
    '0':36,
    '1':37,
    '2':38,
    '3':39,
    '4':40,
    '5':41,
    '6':42,
    '7':43,
    '8':44,
    '0':45,
    '_':46,
    '{':47,
    '}':48
}

unhashed = input("Enter the password!")

result = ''
# The Hash
for element in unhashed:
    result += str(key[element])

if result == HASHEDPWD:
    print("That's Right! The password is the flag.")
else:
    print("That's not right!")

直接写出来捏

shuffle

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# below from https://stackoverflow.com/a/10238140
# (licensed CC BY-SA 3.0, by John Gaines Jr.)
def tobits(s):
    result = []
    for c in s:
        bits = bin(ord(c))[2:]
        bits = '00000000'[len(bits):] + bits
        result.extend([b for b in bits])
    return result
# end copied text

txt = open("flag.txt", "r").read()
f = open("shuffled", "wb")
order = [ 0, 1, 1, 0, 0, 0, 1, 0 ]
deck = tobits(txt)
for i in order:
    newdeck = []
    for j in range(int(len(deck)/2)):
        if i == 0:
            newdeck.append(deck[j])
            newdeck.append(deck[j+int(len(deck)/2)])
        else:
            newdeck.append(deck[j+int(len(deck)/2)])
            newdeck.append(deck[j])
    deck = newdeck
f.write(int("".join(deck),2).to_bytes(len(deck)//8, byteorder="big"))

逻辑很简单

写个脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
def tobits(s):  #str变成bitliststr
    result = []
    for c in s:
        bits = bin(c)[2:]
        bits = '00000000'[len(bits):] + bits
        result.extend([b for b in bits])
    return result
# end copied text

txt = [0x18,0xd9,0x70,0x9e,0xf5,0x5a,0xb0,0x5b,0x88,0x12,0xa6,0xae,0x05,0xa9,0x3c,0x26,
      0x15,0x70,0x4a,0x47,0x68,0xcc,0xd2,0x43,0x28,0x10,0x6f]
f = open("shuffled", "wb")
order = [0,1,0,0,0,1,1,0]
deck = tobits(txt)
print(deck,len(deck)/2)
for i in order:
    newdeck = [] #从中间分开分成两组,组成新数组
    tempa=[]
    tempb=[]
    for j in range(int(len(deck)/2)):
        if i == 0:
            tempa.append(deck[j*2])
            tempb.append(deck[j*2+1])
        else:
            tempa.append(deck[j * 2])
            tempb.append(deck[j * 2 + 1])
    if i==0:
            for x in range(108):
             tempa.append(tempb[x])
             newdeck = tempa
    else:
            for o in range(108):
                tempb.append(tempa[o])
                newdeck = tempb

    deck = newdeck
f.write(int("".join(deck),2).to_bytes(len(deck)//8, byteorder="big"))

img

bcactf{b!gG3r_!mg_29354758} 滤镜拉满就行

pickle

pickle反序列化初探 - 先知社区 (aliyun.com)

这题似乎不是普通的pickle,在用普通的pickle 反序列化包之后返回了错误的信息

查阅wp后知道,这个是一个marshal 的python序列化

使用marshal的库就可以解决了捏

marshal — 内部 Python 对象序列化 — Python 3.10.5 文档

检查 — 检查活动对象 — Python 3.10.5 文档

1
2
3
import inspect, marshal
x = marshal.loads(open("data.ctf", "rb").read())
print(inspect.getsource(marshal.loads(x)))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import marshal

def main():
    b = bytearray.fromhex(
        "1536857675937743771546d367f38636471677f2d6f636e25626574757f697e2777777f2f2a33707474786"[::-1]).decode()
    _q = "N9KwQV"
    _w = "1NBl"
    _e = "USGi8"
    _t = '4633c6b4361307'
    _r = "l7"
    r = _q + _e + _w + _r
    x = ""
    for z in r:
        x += chr(ord(z) - 3)
    i = input("Enter password: ")
    if i == x[::-1][1:]:
        c = "aJ4Dz4h5"
        print(bytearray.fromhex(_t[::-1]).decode() + "_" + c[::-1] + r[4:])
    else:
        print("Incorrect")

with open('data.ctf', 'wb') as fh:
    fh.write(marshal.dumps(main.__code__))

data = open("data.ctf", "rb").read()
with open('data.ctf', 'wb') as fh:
    fh.write(marshal.dumps(data))