BASECTF 2024

MISC

正着看还是反着看呢？

看到要倒序，注意他这里是两个字节一组进行倒序的

jpg 文件头 FF D8 FF E0

文件尾是 FF D9

D9FF

可以发现有个flag.txt的倒序，所以我们整个都复制过去进行处理

如果只复制到文件尾的话就会丢失文件，导致隐藏文件的消失

选中尾部拉到最底部，然后（编辑→复制为→复制为十六进制文本）然后在桌面创建一个文本文件，ctrl+v直接复制进去，然后编写脚本

# 打开并读取原始文件内容
with open(r'D:\网站下载\exppy\1.txt', 'rb') as f:
    a = f.read()

# 去掉原始数据中的换行符、空格等不可见字符
a = a.replace(b'\n', b'').replace(b'\r', b'').replace(b' ', b'')

# 将内容逆序
a = a[::-1]

# 将逆序内容写入新的文件
with open(r'D:\网站下载\exppy\new.txt', 'wb') as new:
    new.write(a)

# 读取逆序后的文件内容
with open(r'D:\网站下载\exppy\new.txt', 'rb') as f:
    b = f.read()

# 将内容转换为可变的字节数组
blist = bytearray(b)

# 按两个字节为一组进行交换
for i in range(0, len(blist) - 1, 2):
    blist[i], blist[i + 1] = blist[i + 1], blist[i]

# 打开目标文件以写入最终内容
with open(r'D:\网站下载\exppy\flag.txt', 'wb') as flag:
    # 将所有处理后的字节内容连续写入文件
    flag.write(blist)

# 打印最终处理的内容（以逆序显示）
print(blist)

def format_hex_data_from_file(input_file, output_file):
    # 读取文件内容
    with open(input_file, 'r') as file:
        hex_data = file.read().strip()

    # 将字符串分成每两个字符一组
    grouped_data = [hex_data[i:i + 2] for i in range(0, len(hex_data), 2)]

    # 以16组为一行，每组之间用空格隔开
    formatted_data = '\n'.join([' '.join(grouped_data[i:i + 16]) for i in range(0, len(grouped_data), 16)])

    # 将格式化后的数据写入输出文件
    with open(output_file, 'w') as file:
        file.write(formatted_data)


# 输入和输出文件路径
input_file = r'D:\网站下载\exppy\flag.txt'
output_file = r'D:\网站下载\exppy\newflag.txt'

# 格式化并写入输出文件
format_hex_data_from_file(input_file, output_file)

导入十六进制，保存，修改后缀名为jpg，（文件→导入十六进制→保存→重命名为flag.jpg)

得到照片

打开就可以看到啦

你也喜欢圣物吗

lsb隐写

还可以用zsteg

拿到key解开zip

真正的flag在txt下面（wcnmd）

Base

海上遇到了鲨鱼

追踪tcp流，然后倒序输出就行

1 2	`a='}67bf613763ca-50b3-4437-7a3a-b683fe51{FTCesaB' print(a[::-1])`

捂住X只耳

Web

HTTP 是什么呀

A Dark Room

查看源代码即可

喵喵喵´•ﻌ•`

md5绕过欸

upload

是php的固定规范写法

@表示后面如果执行错误不会报错

eval()函数表示括号里的语句字符串为执行代码

&_POST[‘cmd’]表示从页面中以post方式接受变量cmd

cmd是蚁剑的连接密码

先写一句木马，传入木马文件

要上传照片，所以改成jpg

然后用burp抓包截取，将改成php（像这样）

传入后连接蚁剑

这里的意思是将传入的文件保存到uploads目录下面

注意他这里要访问到传入php的文件地址

测试连接成功后就可以查找flag了，就在根目录下面

RE

You are good at IDA

BaseCTF{Y0u_4Re_900d_47_id4}

UPX mini

base解码即可

ez_xor

看汇编提取数据

a=[0x1,0x9,0x5,0x25,0x26,0x2d,0x0b,0x1d,0x24,0x7a,0x31,0x20,0x1e,0x49,0x3d,0x67,0x4d,0x50,0x8,0x25,0x2e,0x6e,0x5,0x34,0x22,0x40,0x3b,0x25]
print(len(a))
b=[]
v5=[0x58,0x6f,0x72]
# 第一个循环：生成 b 列表的字符并打印
for i in range(28):
    b.append(i ^ (v5[i % 3]))
    print(chr(b[i] % 256), end='')
print("\n")
# 第二个循环：将 a[i] 和 c[28-i-1] 异或，转换为字符并打印
for i in range(28):
    a[i] ^= b[28 - i - 1]
    print(chr(a[i]), end='')

ez_maze

小写的md5

到y就是胜利，$,ord为36是invalidmovehit，不能移动

15x15的迷宫

from collections import deque
# str为ida中使用快捷键[shift+e]提取到的数据, 如果提取的是string literal则加上引号视作字符串，如果是C array(decimal)则加上中括号视作列表
str = [

    120, 36, 36, 36, 36, 36, 36, 36, 36, 36,
    36, 36, 36, 36, 36, 38, 38, 38, 38, 38,
    38, 36, 36, 36, 36, 36, 36, 36, 36, 36,
    38, 36, 38, 36, 36, 38, 36, 36, 38, 38,
    38, 38, 38, 36, 36, 38, 36, 38, 36, 36,
    36, 38, 38, 36, 36, 36, 36, 38, 36, 36,
    38, 36, 36, 36, 38, 38, 38, 36, 36, 36,
    36, 36, 38, 36, 36, 38, 36, 36, 36, 38,
    36, 38, 38, 36, 38, 36, 36, 36, 36, 36,
    38, 36, 36, 36, 38, 36, 38, 36, 36, 38,
    38, 38, 36, 36, 36, 38, 38, 38, 38, 38,
    36, 38, 38, 38, 38, 36, 38, 36, 36, 36,
    36, 36, 36, 36, 36, 36, 38, 38, 38, 38,
    38, 38, 36, 36, 36, 36, 36, 36, 36, 36,
    36, 38, 36, 36, 36, 36, 36, 36, 36, 36,
    36, 36, 36, 38, 38, 38, 38, 36, 36, 38,
    38, 38, 36, 36, 36, 36, 36, 36, 38, 38,
    38, 38, 38, 38, 38, 36, 36, 36, 36, 36,
    36, 36, 36, 36, 36, 36, 36, 36, 36, 38,
    36, 36, 38, 36, 36, 36, 36, 36, 36, 36,
    36, 36, 36, 36, 38, 36, 38, 36, 36, 36,
    36, 36, 36, 36, 36, 36, 38, 38, 38, 38,
    38, 38, 38, 38, 121
]
s = 0  # s用作索引访问str, 供下面tmp列表取值

# 分析题目后设置迷宫的行列
row = 15 # 设置二维迷宫行数
col = 15 # 设置二维迷宫列数

maze = []
for i in range(row):
    tmp = []
    for j in range(col):
        tmp.append(str[s])
        s += 1
    maze.append(tmp)  # 凑一行添加一行到迷宫中
print(maze)
# 设置二维四向迷宫, 如果题目是多个小迷宫问题, 拆分多次调用脚本获取路径即可
path_len = 0x7fffffff  # 如果题目未给出终点坐标，则一定会指定路径的长度，在此处修改路径长度并+1，否则请保留path_len的极大值 0x7fffffff


# 进行BFS寻找路径
def bfs(start, end, barrier):
    directions = [(0, 1), (1, 0), (0, -1), (-1, 0)]  # 定义四个方向的移动
    for i in range(len(maze)):  # 获取起点和终点在列表中的索引
        for j in range(len(maze[i])):
            if (maze[i][j] == start):
                start = (i, j)
            if (maze[i][j] == end):
                end = (i, j)
    # 以下均是bfs算法套路
    queue = deque()
    queue.append((start, [start]))  # (当前位置, 路径)
    visited = set()
    visited.add(start)
    while queue:
        position, path = queue.popleft()
        if position == end:
            return path
        elif len(path) == path_len:
            return path
        for d in directions:
            next_position = (position[0] + d[0], position[1] + d[1])
            if 0 <= next_position[0] < len(maze) and 0 <= next_position[1] < len(maze[0]) and \
                    maze[next_position[0]][next_position[1]] != barrier and next_position not in visited:
                queue.append((next_position, path + [next_position]))
                visited.add(next_position)
    return None


# 执行BFS搜索并打印结果
if __name__ == '__main__':
    # maze[起点x坐标][起点y坐标] = 'S' #如果题目给了起点终点的坐标，在这里直接给起点和终点添加特征
    # maze[终点x坐标][终点y坐标] = 'E'

    path = bfs(120, 121, 36)  # bfs函数传入参数代表起点、终点、障碍的特征(若题目给出的数据无特征, 手动添加特征即可, 通常障碍是1也有可能是0或其它字符如'#')
    print("移动路径坐标：", path)
    print("移动路径方位：", end='')
    for i in range(1, len(path)):
        x1, y1, x2, y2 = path[i - 1][0], path[i - 1][1], path[i][0], path[i][1]
        if (x1 > x2):  # 上
            print("w", end='')
        elif (x1 < x2):  # 下
            print("s", end='')
        elif (y1 > y2):  # 左
            print("a", end='')
        elif (y1 < y2):  # 右
            print("d", end='')

BaseCTF{131b7d6e60e8a34cb01801ae8de07efe}

Baseplus

先进行base64然后xor

所以反过来解码就行

UPX

可能改了一些东西

将小写改成大写就可以脱壳了

import base64


def custom_base64_decode(encoded_string, custom_chars):
    # 创建一个映射表，将自定义字符映射到标准 Base64 字符
    standard_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    translation_table = str.maketrans(custom_chars, standard_chars)

    # 转换自定义 Base64 字符串为标准 Base64 字符串
    standard_encoded_string = encoded_string.translate(translation_table)

    # 进行 Base64 解码
    decoded_bytes = base64.b64decode(standard_encoded_string)

    # 将解码后的字节转换为字符串
    return decoded_bytes.decode('utf-8')


# 示例使用
encoded_string = "$rg7_dhd~Alidg+zeyhz`vnz_d,7sy0="
custom_chars = 'A,.1fgvw#`/2ehux$~"3dity%_;4cjsz^+{5bkrA&=}6alqB*-[70mpC()]89noX'  # 示例自定义字符集

# 解码
decoded_string = custom_base64_decode(encoded_string, custom_chars)

# 输出结果
print("解码结果:", decoded_string)
#BaseCTF{UPX_1s_$o_e@sy}

lk

改为2**9

from z3 import *
s = Solver()
v1,v2,v3,v4,v5,v6,v7,v8,v9,v10,v11,v12,v13,v14,v15,v16,v17,v18,v19,v20 = Ints("v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16 v17 v18 v19 v20")
s.add(948 * v20+ 887 * v19+ 410 * v18+ 978 * v17+ 417 * v16+ 908 * v15 + 965 * v14+ 987 * v13
+ 141 * v12+ 257 * v11+ 323 * v10+ 931 * v9+ 773 * v8 + 851 * v7+ 758 * v6+ 891 *v5+ 575 * v4
+ 616 * v3+ 860 * v2+ 283 * v1 == 913686)
s.add(938 * v20+ 490 * v19+ 920 * v18+ 50 * v17+ 568 * v16+ 68 * v15+ 35 * v14+ 708 * v13+ 938 * v12
+ 718 * v11+ 589 * v10+ 954 * v9+ 974 * v8+ 62 * v7+ 580 * v6+ 80 * v5+ 111 * v4+ 151 * v3
+ 421 * v2+ 148 * v1 == 630335)
s.add(908 * v20+ 590 * v19+ 668 * v18+ 222 * v17+ 489 * v16+ 335 * v15+ 778 * v14+ 622 * v13+ 95 * v12
+ 920 * v11+ 932 * v10+ 892 * v9+ 409 * v8+ 392 * v7+ 11 * v6+ 113 * v5+ 948 * v4+ 674 * v3
+ 506 * v2+ 182 * v1== 707525)
s.add( 479 * v20+ 859 * v19+ 410 * v18+ 399 * v17+ 891 * v16+ 266 * v15+ 773 * v14+ 624 * v13
+ 34 * v12+ 479 * v11+ 465 * v10+ 728 * v9+ 447 * v8+ 427 * v7+ 890 * v6+ 570 * v5+ 716 * v4
+ 180 * v3+ 571 * v2+ 707 * v1 == 724203)
s.add(556 * v20+ 798 * v19+ 380 * v18+ 716 * v17+ 71 * v16+ 901 * v15+ 949 * v14+ 304 * v13
+ 142 * v12+ 679 * v11+ 459 * v10+ 814 * v9+ 282 * v8+ 49 * v7+ 873 * v6+ 169 * v5+ 437 * v4
+ 199 * v3+ 771 * v2+ 807 * v1== 688899)
s.add(465 * v20
     + 898 * v19
     + 979 * v18
     + 198 * v17
     + 156 * v16
     + 831 * v15
     + 856 * v14
     + 322 * v13
     + 25 * v12
     + 35 * v11
     + 369 * v10
     + 917 * v9
     + 522 * v8
     + 654 * v7
     + 235 * v6
     + 385 * v5
     + 469 * v4
     + 231 * v3
     + 496 * v2
     + 83 * v1 == 604784)
s.add(305 * v20
     + 928 * v19
     + 260 * v18
     + 793 * v17
     + 787 * v16
     + 708 * v15
     + 758 * v14
     + 236 * v13
     + 688 * v12
     + 747 * v11
     + 711 * v10
     + 195 * v9
     + 50 * v8
     + 648 * v7
     + 787 * v6
     + 376 * v5
     + 220 * v4
     + 33 * v3
     + 194 * v2
     + 585 * v1 == 665485)
s.add(767 * v20
     + 573 * v19
     + 22 * v18
     + 909 * v17
     + 598 * v16
     + 588 * v15
     + 136 * v14
     + 848 * v12
     + 964 * v11
     + 311 * v10
     + 701 * v9
     + 653 * v8
     + 541 * v7
     + 443 * v6
     + 7 * v5
     + 976 * v4
     + 803 * v3
     + 273 * v2
     + 859 * v1 == 727664)
s.add(776 * v20
     + 59 * v19
     + 507 * v18
     + 164 * v17
     + 397 * v16
     + 744 * v15
     + 377 * v14
     + 768 * v13
     + 456 * v12
     + 799 * v11
     + 9 * v10
     + 215 * v9
     + 365 * v8
     + 181 * v7
     + 634 * v6
     + 818 * v5
     + 81 * v4
     + 236 * v3
     + 883 * v2
     + 95 * v1 == 572015)
s.add(873 * v20
     + 234 * v19
     + 381 * v18
     + 423 * v17
     + 960 * v16
     + 689 * v15
     + 617 * v14
     + 240 * v13
     + 933 * v12
     + 300 * v11
     + 998 * v10
     + 773 * v9
     + 484 * v8
     + 905 * v7
     + 806 * v6
     + 792 * v5
     + 606 * v4
     + 942 * v3
     + 422 * v2
     + 789 * v1 == 875498)
s.add(766 * v20
     + 7 * v19
     + 283 * v18
     + 900 * v17
     + 211 * v16
     + 305 * v15
     + 343 * v14
     + 696 * v13
     + 590 * v12
     + 736 * v11
     + 817 * v10
     + 603 * v9
     + 414 * v8
     + 828 * v7
     + 114 * v6
     + 845 * v5
     + 175 * v4
     + 212 * v3
     + 898 * v2
     + 988 * v1 == 714759)
s.add(220 * v20
     + 30 * v19
     + 788 * v18
     + 106 * v17
     + 574 * v16
     + 501 * v15
     + 366 * v14
     + 952 * v13
     + 121 * v12
     + 996 * v11
     + 735 * v10
     + 689 * v9
     + 998 * v8
     + 689 * v7
     + 729 * v6
     + 886 * v5
     + 860 * v4
     + 70 * v3
     + 466 * v2
     + 961 * v1 == 778853)
s.add(313 * v20
     + 748 * v19
     + 522 * v18
     + 864 * v17
     + 156 * v16
     + 362 * v15
     + 283 * v14
     + 49 * v13
     + 316 * v12
     + 79 * v11
     + 136 * v10
     + 299 * v9
     + 271 * v8
     + 604 * v7
     + 907 * v6
     + 540 * v5
     + 141 * v4
     + 620 * v3
     + 701 * v2
     + 866 * v1 == 584591)
s.add(922 * v20
     + 399 * v19
     + 425 * v18
     + 26 * v17
     + 159 * v16
     + 224 * v15
     + 438 * v14
     + 770 * v13
     + 144 * v12
     + 406 * v11
     + 110 * v10
     + 991 * v9
     + 749 * v8
     + 701 * v7
     + 646 * v6
     + 147 * v5
     + 979 * v4
     + 674 * v3
     + 999 * v2
     + 913 * v1 == 717586)
s.add(13 * v20
     + 537 * v19
     + 225 * v18
     + 421 * v17
     + 153 * v16
     + 484 * v15
     + 654 * v14
     + 743 * v13
     + 779 * v12
     + 74 * v11
     + 325 * v10
     + 439 * v9
     + 797 * v8
     + 41 * v7
     + 784 * v6
     + 269 * v5
     + 454 * v4
     + 725 * v2
     + 164 * v1 == 537823)
s.add(591 * v20
     + 210 * v19
     + 874 * v18
     + 204 * v17
     + 485 * v16
     + 42 * v15
     + 433 * v14
     + 176 * v13
     + 436 * v12
     + 634 * v11
     + 82 * v10
     + 978 * v9
     + 818 * v8
     + 683 * v7
     + 404 * v6
     + 562 * v5
     + 41 * v4
     + 789 * v3
     + 200 * v2
     + 220 * v1 == 587367)
s.add(584 * v20
     + 597 * v19
     + 928 * v18
     + 532 * v17
     + 902 * v16
     + 858 * v15
     + 820 * v14
     + 240 * v13
     + 124 * v12
     + 899 * v11
     + 848 * v10
     + 822 * v9
     + 409 * v8
     + 491 * v7
     + 587 * v6
     + 715 * v5
     + 410 * v4
     + 268 * v3
     + 721 * v2
     + 915 * v1 == 842245)
s.add(421 * v20
     + 302 * v19
     + 327 * v18
     + 180 * v17
     + 512*v16
     + 160 * v15
     + 623 * v14
     + 28 * v13
     + 411 * v12
     + 53 * v11
     + 633 * v10
     + 560 * v9
     + 623 * v8
     + 477 * v7
     + 901 * v6
     + 287 * v5
     + 149 * v4
     + 726 * v3
     + 934 * v2
     + 875 * v1 == 610801)
s.add(838 * v20
     + 434 * v19
     + 792 * v18
     + 649 * v17
     + 462 * v16
     + 170 * v15
     + 980 * v14
     + 15 * v13
     + 295 * v12
     + 495 * v11
     + 666 * v10
     + 934 * v9
     + 17 * v8
     + 69 * v7
     + 367 * v6
     + 780 * v5
     + 291 * v4
     + 834 * v3
     + 587 * v2
     + 133 * v1 == 653127)
s.add( 41 * v20
     + 422 * v19
     + 420 * v18
     + 224 * v17
     + 475 * v16
     + 854 * v15
     + 233 * v14
     + 179 * v13
     + 620 * v12
     + 69 * v11
     + 42 * v10
     + 684 * v9
     + 300 * v8
     + 745 * v7
     + 894 * v6
     + 554 * v5
     + 495 * v4
     + 66 * v3
     + 316 * v2
     + 391 * v1 == 533470)

flag=[]
if s.check() == sat:
    ans=s.model()
    flag.append(ans[v1])
    flag.append(ans[v2])
    flag.append(ans[v3])
    flag.append(ans[v4])
    flag.append(ans[v5])
    flag.append(ans[v6])
    flag.append(ans[v7])
    flag.append(ans[v8])
    flag.append(ans[v9])
    flag.append(ans[v10])
    flag.append(ans[v11])
    flag.append(ans[v12])
    flag.append(ans[v13])
    flag.append(ans[v14])
    flag.append(ans[v15])
    flag.append(ans[v16])
    flag.append(ans[v17])
    flag.append(ans[v18])
    flag.append(ans[v19])
    flag.append(ans[v20])


for x in flag:
    print(x,end=',')
flag=[67,68,66,66,68,67,65,65,65,66,66,68,66,67,67,66,67,67,65,67]
for i in flag:
    print(chr(i),end='')

Crypto

helloCrypto

from Crypto.Util.number import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import random

flag=b'BaseCTF{}'

key=random.randbytes(16)
print(bytes_to_long(key))

my_aes=AES.new(key=key,mode=AES.MODE_ECB)
print(my_aes.encrypt(pad(flag,AES.block_size)))

# key1 = 208797759953288399620324890930572736628
# c = b'U\xcd\xf3\xb1 r\xa1\x8e\x88\x92Sf\x8a`Sk],\xa3(i\xcd\x11\xd0D\x1edd\x16[&\x92@^\xfc\xa9(\xee\xfd\xfb\x07\x7f:\x9b\x88\xfe{\xae'

exp

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from Crypto.Util.number import long_to_bytes

# 示例密钥和密文（来自加密脚本中的注释）
key1 = 208797759953288399620324890930572736628
c = b'U\xcd\xf3\xb1 r\xa1\x8e\x88\x92Sf\x8a`Sk],\xa3(i\xcd\x11\xd0D\x1edd\x16[&\x92@^\xfc\xa9(\xee\xfd\xfb\x07\x7f:\x9b\x88\xfe{\xae'

# 将密钥从长整数转换为字节串
key = long_to_bytes(key1, 16)

# 初始化AES加密器
my_aes = AES.new(key=key, mode=AES.MODE_ECB)

# 解密密文
decrypted_data = unpad(my_aes.decrypt(c), AES.block_size)

# 输出解密后的数据
print(decrypted_data)

你会算md5吗

import hashlib

flag='BaseCTF{}'

output=[]
for i in flag:
    my_md5=hashlib.md5()
    my_md5.update(i.encode())
    output.append(my_md5.hexdigest())
print("output =",output)
'''
output = ['9d5ed678fe57bcca610140957afab571', '0cc175b9c0f1b6a831c399e269772661', '03c7c0ace395d80182db07ae2c30f034', 'e1671797c52e15f763380b45e841ec32', '0d61f8370cad1d412f80b84d143e1257', 'b9ece18c950afbfa6b0fdbfa4ff731d3', '800618943025315f869e4e1f09471012', 'f95b70fdc3088560732a5ac135644506', '0cc175b9c0f1b6a831c399e269772661', 'a87ff679a2f3e71d9181a67b7542122c', '92eb5ffee6ae2fec3ad71c777531578f', '8fa14cdd754f91cc6554c9e71929cce7', 'a87ff679a2f3e71d9181a67b7542122c', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '0cc175b9c0f1b6a831c399e269772661', 'e4da3b7fbbce2345d7772b0674a318d5', '336d5ebc5436534e61d16e63ddfca327', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '8fa14cdd754f91cc6554c9e71929cce7', '8fa14cdd754f91cc6554c9e71929cce7', '45c48cce2e2d7fbdea1afc51c7c6ad26', '336d5ebc5436534e61d16e63ddfca327', 'a87ff679a2f3e71d9181a67b7542122c', '8f14e45fceea167a5a36dedd4bea2543', '1679091c5a880faf6fb5e6087eb1b2dc', 'a87ff679a2f3e71d9181a67b7542122c', '336d5ebc5436534e61d16e63ddfca327', '92eb5ffee6ae2fec3ad71c777531578f', '8277e0910d750195b448797616e091ad', '0cc175b9c0f1b6a831c399e269772661', 'c81e728d9d4c2f636f067f89cc14862c', '336d5ebc5436534e61d16e63ddfca327', '0cc175b9c0f1b6a831c399e269772661', '8fa14cdd754f91cc6554c9e71929cce7', 'c9f0f895fb98ab9159f51fd0297e236d', 'e1671797c52e15f763380b45e841ec32', 'e1671797c52e15f763380b45e841ec32', 'a87ff679a2f3e71d9181a67b7542122c', '8277e0910d750195b448797616e091ad', '92eb5ffee6ae2fec3ad71c777531578f', '45c48cce2e2d7fbdea1afc51c7c6ad26', '0cc175b9c0f1b6a831c399e269772661', 'c9f0f895fb98ab9159f51fd0297e236d', '0cc175b9c0f1b6a831c399e269772661', 'cbb184dd8e05c9709e5dcaedaa0495cf']
'''

exp

import hashlib

# 输出的MD5哈希列表
output = ['9d5ed678fe57bcca610140957afab571', '0cc175b9c0f1b6a831c399e269772661',
          '03c7c0ace395d80182db07ae2c30f034', 'e1671797c52e15f763380b45e841ec32',
          '0d61f8370cad1d412f80b84d143e1257', 'b9ece18c950afbfa6b0fdbfa4ff731d3',
          '800618943025315f869e4e1f09471012', 'f95b70fdc3088560732a5ac135644506',
          '0cc175b9c0f1b6a831c399e269772661', 'a87ff679a2f3e71d9181a67b7542122c',
          '92eb5ffee6ae2fec3ad71c777531578f', '8fa14cdd754f91cc6554c9e71929cce7',
          'a87ff679a2f3e71d9181a67b7542122c', 'eccbc87e4b5ce2fe28308fd9f2a7baf3',
          '0cc175b9c0f1b6a831c399e269772661', 'e4da3b7fbbce2345d7772b0674a318d5',
          '336d5ebc5436534e61d16e63ddfca327', 'eccbc87e4b5ce2fe28308fd9f2a7baf3',
          '8fa14cdd754f91cc6554c9e71929cce7', '8fa14cdd754f91cc6554c9e71929cce7',
          '45c48cce2e2d7fbdea1afc51c7c6ad26', '336d5ebc5436534e61d16e63ddfca327',
          'a87ff679a2f3e71d9181a67b7542122c', '8f14e45fceea167a5a36dedd4bea2543',
          '1679091c5a880faf6fb5e6087eb1b2dc', 'a87ff679a2f3e71d9181a67b7542122c',
          '336d5ebc5436534e61d16e63ddfca327', '92eb5ffee6ae2fec3ad71c777531578f',
          '8277e0910d750195b448797616e091ad', '0cc175b9c0f1b6a831c399e269772661',
          'c81e728d9d4c2f636f067f89cc14862c', '336d5ebc5436534e61d16e63ddfca327',
          '0cc175b9c0f1b6a831c399e269772661', '8fa14cdd754f91cc6554c9e71929cce7',
          'c9f0f895fb98ab9159f51fd0297e236d', 'e1671797c52e15f763380b45e841ec32',
          'e1671797c52e15f763380b45e841ec32', 'a87ff679a2f3e71d9181a67b7542122c',
          '8277e0910d750195b448797616e091ad', '92eb5ffee6ae2fec3ad71c777531578f',
          '45c48cce2e2d7fbdea1afc51c7c6ad26', '0cc175b9c0f1b6a831c399e269772661',
          'c9f0f895fb98ab9159f51fd0297e236d', '0cc175b9c0f1b6a831c399e269772661',
          'cbb184dd8e05c9709e5dcaedaa0495cf']

# 已知的字符MD5映射表（常见的ASCII字符集）
md5_map = {}
for i in range(128):  # ASCII 字符范围
    char = chr(i)
    md5_map[hashlib.md5(char.encode()).hexdigest()] = char

# 还原原始 flag
recovered_flag = ''.join(md5_map[md5] for md5 in output)

print("Recovered flag:", recovered_flag)

#2024比赛

BASECTF 2024

http://example.com/2024/12/09/BASEctf/

Author

chaye

Posted on

December 9, 2024

Licensed under

菜狗杯 2024 Previous

0xGAME 2024 Next