PolarCTF网络安全2025春季个人挑战赛 WRITE UP

ljnljn Lv6
  2025-03-23 16:18 2025-03-23 16:18 创建   2026-05-25 22:04:46 2026-05-25 22:04:46 更新      1.3k 字  6 分钟  

1-1 可老师签到
本题思路如下:
提示“发送的内容为双写字符串拼接”
![image](/assets/cnblogs/PolarCTF网络安全2025春季个人挑战赛 WRITE UP/3539156-20250323161402057-1435817907.png)

公众号发送flagflag即可
![image](/assets/cnblogs/PolarCTF网络安全2025春季个人挑战赛 WRITE UP/3539156-20250323161405132-1539185332.png)


1-2 find
本题思路如下:
把表格文件当压缩包解压,找到flag.xlsx\xl\worksheets\sheet1.xml
发现里面存了数据,于是考虑把数据格子上色以得到flag
先将xml文件处理以获得纯数据
![image](/assets/cnblogs/PolarCTF网络安全2025春季个人挑战赛 WRITE UP/3539156-20250323161421568-1190171095.png)

代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from openpyxl import load_workbook
from openpyxl.styles import PatternFill

# 加载目标工作簿
wb = load_workbook('flag.xlsx')
ws = wb.active

# 定义颜色填充
red_fill = PatternFill(start_color='FF0000', fill_type='solid')

# 从文本文件读取单元格地址
with open('1.txt', 'r') as f:
    cell_positions = [line.strip() for line in f if line.strip()]

# 应用颜色
for cell_address in cell_positions:
    try:
        ws[cell_address].fill = red_fill
    except:
        print(f"警告:单元格 {cell_address} 不存在,已跳过")

wb.save('colored_target.xlsx')

运行就可以获得一个二维码,扫描获得flag
![image](/assets/cnblogs/PolarCTF网络安全2025春季个人挑战赛 WRITE UP/3539156-20250323161529769-1636670690.png)


1-3 pfsense
本题思路如下:
T1使用工具分析
![image](/assets/cnblogs/PolarCTF网络安全2025春季个人挑战赛 WRITE UP/3539156-20250323161534227-1294777701.png)

Base64解密获得flag
![image](/assets/cnblogs/PolarCTF网络安全2025春季个人挑战赛 WRITE UP/3539156-20250323161536250-842536870.png)

T2 火眼
![image](/assets/cnblogs/PolarCTF网络安全2025春季个人挑战赛 WRITE UP/3539156-20250323161539502-2012654807.png)


1-4 WinCS
本题思路如下:
T1
用CurrPorts
![image](/assets/cnblogs/PolarCTF网络安全2025春季个人挑战赛 WRITE UP/3539156-20250323161543621-845444200.png)

T2、3使用工具对流量包进行解密
![image](/assets/cnblogs/PolarCTF网络安全2025春季个人挑战赛 WRITE UP/3539156-20250323161546003-1439780050.png)

从中可以获得flag内容和压缩包密码
用密码解压可以获得压缩包里的flag

第二部分:CRYPTO
2-1 LCG
本题思路如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
import gmpy2
import libnum

a = 156506070439514915241840745761803504236863873655854161309517219593159285490218416513868431750791509039364033002042672969954633160268127141912185884526880436614313300761314810148356686577662643452299620703125833160716418003026915719584690230453993382155777985020586206612864299316237848416232290650753975103343
b = 99238154412252510462155206432285862925162164007834452250464130686978914370223020006347851539449419633688760095534852514797292083351953228730558335170313299274579966373474363445106224340638196799329142279344558612634392675992734275683700752827665429269516389277374408716314038483357418130704741371183923688601
c = 46154227430594568448486764587707836676441274677362557668215680998009402508945237578201692757688901737765923819819981974561807236454825684824157481322486008937560337004555948283870920377643907746645702190355761172293685309340938249454686807948964629553755585562990983237480387614548526918576791297250747752579
m = 94993804003827679355988952056520996247311128806455111011781585397953533782675757682874584547665028872979112598462143541626190903596606261782592703863749024490737374603789002750194481545579020929239629410573307193150780522563772690101754723829224534622557370960012364614566294197235191962517037441643656951249

# 计算a的模逆元
def modinv(a, m):
    g, x, y = gmpy2.gcdext(a, m)
    if g != 1:
        return None
    else:
        return x % m

a_inv = modinv(a, m)
if a_inv is None:
    print("a和m不互质,无法求逆元")
    exit()

# 从X10 = c开始逆推10次得到X0
current = c
for _ in range(10):
    current = (current - b) * a_inv % m

# 将X0转换为字节
flag = libnum.n2s(int(current))
print("原文:", flag.decode())

运行就可以获得flag
 


2-2 knock knock
本题思路如下:



2-3 Ununicast
本题思路如下:
import libnum
import gmpy2
from functools import reduce

# 给定的n和c值
n1 = 22103870455568232891149694305142888751834308614394265111616851946569600408214771004642537180847811632101335684526571461971168013515137837024900824805617026937904594229522094231161022911739124543737188196687483192656237801622618078066399259928261566545087643719410735482610730976575506701177108423445928193645406926842010985319473171710362525271971508507747952666476652082985675013329629912123828667561346609223913700779782291638584038925201698832368301491167548373412290987271213331940429281040520028261848410995501268272516219976073764836056701179000719299634048587399330114683369803481960168019956231748933059575086
c1 = 11932229075145446680509155897048554062128427256365407597246250504495581359308426337230014475362231568192824606320775755785288148002607456528824047021370456983795336102290050703706457189838464034831160081682076095173411617546158489572376376884672473947738113750437924641752734999601688973523833305072494573210602790160977994408649942476416234572187935125916149727341802693373659080702112924850348826357976589797895053949499171267826718541148026541242636886850084012913015158312606367900952240929619627369492395483334316329627526281924799100659188037308919177852074431004118744919974806767580700568542188744931220106105
n2 = 75527641277099990800438920440041058388427571492243099817050670120985557789492014161535482889418153237600686779752008243731659250445079816272020155052679163716181164111466120389153470493389801068487079484957125572093805976995390398541806299511780722297642464948545911633969882049338027366168822259177038560221615245305724815740962661657512543487558774545803259821939839314547049519064559274668861232108875651136746020639698802437427698294031084596199751751480045337605111284980409927684686225365555725770862339970487179511801140925931587981761559129421142486178642732741442537609122284807214875446647952010067400441059
c2 = 124027357006179169026958610630330051622067042499828335143384044470302479154098199844981110929954078399392164965842575040140695741764719533745054315027041147434320473103634538090232615962998187567447484128103678001361703834076345621055674269048895730502155866761233018172058631071676397257894588728272913258599692996320058955017804506826897453939809574483310935927402899939042162496213745140970798253433830063777555869660983592646174581212241911650074643983280676238861065129884340834318081282521338654119292893592735294429956139729060770783817702837759047833794757601190967753969500822631312988106678317432186105038268
n3 = 67087501562139943813249584173215038264768218519355997619681399311361081244680048116472803745503996059873261361695629103578075388683394265112338602330356608572716276538183020643625652731722917269342461918246200053767885270359910155650804090015847462552469649420213346519159991670579334968778366255234963922378971680452094795318028353408405313888877068259282684640458674087251102468714734787171166396014144021959441774122328495595094512659302451021226956296868717965902597097040721193168373568780684532295504916946312087113872338693404258549907349353138009767393388073227204853717415106619739522003848121147803734511476
c3 = 34907142326483502918854711671956997110565154361385230791804714287500927140885225814711150443792832759398271249995064551044140838772959358268339105708186456545576271462167016667528764892342067422814982959975071847067493078241698635502292984200940132917130864956317815578073656622172241742542237740221147402449228459532782232518010610903660510875077798419046748683570340175197592449547071220020985311569095928938768945219762563190314531483012532595972282105394784611117089120803198848347397871670119847470687912177591609360741114570213377874848453859418234331921560384819899391157666714587396643397702710016410117040255
n4 = 107655225342909323493747650996643964780949305458547565103531987767712606044684527447631280423897684091717655597473336978923442425477823322239803312759244627308704521511743542550831030718035257133033470431042111429555597381959609892666206716219532081847930970282959800999825630713834546858387640307817593411764905032303294057112362597297253851687870254992314351948709124427458348128204263663881362955482132512838054738519685384575921373737470245719421223898475756247409282692966862335515090757754459242168056461013405091180148696649963461602177212697836496306046456138474445624214914814699390257673835554848791003397055
c4 = 260074379614284795599484546451240257157763532480505168853160303924952553177325935242853666448209970957052626857104522597130316456316378917529016900063473199051496246209878864043477905068893003923546332891289993179385753129868269775271722630762054161951558359984426822705582509592976962739279251035941138103001411061238095611738024433238447078804016593599525582868080696498271912174235479368671466666819582104245707176341268617126063957318342864903403961673418935623112290599738566078566393961145470677825235949530460449737989243772214379341818676279908757907698136648847166264635580606733816599243489965651372128251328
n5 = 70199621485671842359044641866403168058670803503736686351887502686934276983786039926002198676793045683182125769300687612734657616494815167750772182403321230734527784596550124329071164871143795929191396166096178482901122962656943854107741654772981259089537233024363295465966490361367216383217631330482253245796203648485653095242684462412133029510769320566443165990471527944889669809129572843754832577807509454633886982402256837076791468127186325307925886447397529190962280905611709973103713165872442266384750885343667064502988575278416037070011939869923447549518023420261237007329747290577829325263253564790709373901618
c5 = 207467685064436795719671032825183115862587233648672449925340580227825675452627031507906214773278665727530027025673966750973641715014217092820995216768554881760711270444952703291126925400881160114713107315867759288572987159233984669439942981888636828978580980986834342715153361271280814208437227309185682033733871844684874967978852089340054449142896831217885786745795842561143568848428620959961049292832772489885193639646881909425599177539209159664137785111991625129191354004990699226809474030005545318219197509201907072684957499981194498761673049651408375607248956494019809957851295451628144493493011699904221882421955


n_list = [n1, n2, n3, n4, n5]
c_list = [c1, c2, c3, c4, c5]

s_list = [2, 3, 4, 5, 6]
coefficients = [1, 2, 3, 4, 5]  # index + 1的值

# 分解n_i为s_i * N_i
N_list = []
for i in range(5):
    s = s_list[i]
    n = n_list[i]
    assert n % s == 0, f"n{i+1}无法被{s}整除"
    N_list.append(n // s)

# 计算c_i' = c_i * inverse(coefficient, n_i) % n_i,然后取模N_i得到余数
m_e_mod_N = []
for i in range(5):
    s = s_list[i]
    n = n_i = n_list[i]
    c_i = c_list[i]
    coeff = coefficients[i]
    inv_coeff = gmpy2.invert(coeff, n_i)
    c_prime = (c_i * inv_coeff) % n_i
    m_e_mod_Ni = c_prime % N_list[i]
    m_e_mod_N.append(m_e_mod_Ni)

# 应用中国剩余定理
def crt(moduli, remainders):
    product = reduce(lambda a, b: a * b, moduli)
    total = 0
    for m_i, r_i in zip(moduli, remainders):
        Mi = product // m_i
        inv_Mi = gmpy2.invert(Mi, m_i)
        total = (total + r_i * Mi * inv_Mi) % product
    return total

D = crt(N_list, m_e_mod_N)

# 尝试可能的e值来解密密文
possible_e = [11, 13, 17, 19, 23, 29]
for e in possible_e:
    root, is_exact = gmpy2.iroot(D, e)
    if is_exact:
        m = int(root)
        flag = libnum.n2s(m)
        print(f"Found e = {e}")
        print("Flag:", flag)
        break
else:
    print("未找到正确的e值,请检查输入数据。")

运行即可获得flag


2-4 beginner
本题思路如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
s = '16732186163543403522711798960598469149029861032300263763941636254755451456334507142958574415880945599253440468447483752611840'
D = int(s)

# 检查D是否被2^125整除
mod_2_125 = 1 << 125
assert D % mod_2_125 == 0, "D is not divisible by 2^125"

mod_5_125 = 5 ** 125
D_5 = D % mod_5_125

# 计算2^10000的逆元 mod 5^125
inv_2_10000 = pow(2, -10000, mod_5_125)
N = (D_5 * inv_2_10000) % mod_5_125

# 转换为字节并解码为字符串
flag_bytes = N.to_bytes((N.bit_length() + 7) // 8, byteorder='big')
flag = flag_bytes.decode('utf-8')

print(flag)

运行即可获得flag


第三部分:WEB
3-3 来个弹窗
本题思路如下:
输入<script>alert(0)就可以触发
随后出现的图片是白金之星,直接转换成32位小写md5

3-6 coke的登陆
本题思路如下:
“曲奇饼干s”就是cookies
注释里写了账号
![image](/assets/cnblogs/PolarCTF网络安全2025春季个人挑战赛 WRITE UP/3539156-20250323161717846-162908984.png)

Bp抓包获得cookies
![image](/assets/cnblogs/PolarCTF网络安全2025春季个人挑战赛 WRITE UP/3539156-20250323161650994-2015370358.png)
密码就是coke-lishuai
![image](/assets/cnblogs/PolarCTF网络安全2025春季个人挑战赛 WRITE UP/3539156-20250323161720431-823741459.png)

第四部分:REVERSE

4-2 解码器
本题思路如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
cipher = [0x53, 0x46, 0x4e, 0x58, 0x58, 0x4a, 0x26, 0x5b, 0x57, 0x29, 0x56, 0x50, 0x53, 0x52, 0x5c, 0x53]
plain = []
for i in range(16):
    c = cipher[i]
    # 情况一:temp = c(未被调整)
    p1 = (c - i) % 127
    # 情况二:temp = c -32(被调整过)
    p2 = (c - 32 - i) % 127
    # 选择可打印字符
    if 32 <= p1 <= 126:
        plain.append(p1)
    elif 32 <= p2 <= 126:
        plain.append(p2)
    else:
        plain.append(p1)  # 默认情况

result = ''.join(chr(c) for c in plain)
print(result)

发现运行之后就是ida中的原文,所以考虑包上32位小写md5加密,得到flag

  • 标题: PolarCTF网络安全2025春季个人挑战赛 WRITE UP
  • 作者: ljnljn
  • 创建于 : 2025-03-23 16:18:00
  • 更新于 : 2026-05-25 22:04:46
  • 链接: https://ljnljn2005.github.io/2025/03/23/PolarCTF网络安全2025春季个人挑战赛 WRITE UP/
  • 版权声明: 本文章采用 CC BY-NC-SA 4.0 进行许可。
目录
PolarCTF网络安全2025春季个人挑战赛 WRITE UP