XAUTCTF2024 NewCup Part_1 WriteUp

HelloCTFer

XAUTCTF{Welcome_to_XAUTCTF2024_NewCup!!!}

XAUTcraft

我一般玩的是PCL启动器

将XAUTCTF_World导入.minecraft\versions\1.20.1-Forge_47.0.3-OptiFine_I5_pre5\saves

MINECRAFT，启动！

即可看到XAUTCTF_World存档

打开就一直往下掉

![屏幕截图 2024-10-04 110216](D:\Users\G15\Pictures\Screenshots\屏幕截图 2024-10-04 110216.png)

发现第一次下落之前面前有大字，遂更新存档重新导入，找准时机截下下图

![屏幕截图 2024-10-04 105900](D:\Users\G15\Pictures\Screenshots\屏幕截图 2024-10-04 105900.png)

XAUTCTF{BR_S_MINECRAFT}

小海报

本以为是高深的图片隐写术，第二天早上才看到图片下面有一串神秘小密码

574531634f6d655f74305f5841555443544621

Base解码未果

分析代码，数字多字母少，符合Base16特征，但是Base16的字母均为大写

修改密码：574531634F6D655F74305F5841555443544621

Base16解码得：WE1cOme_t0_XAUTCTF!

XAUTCTF{WE1cOme_t0_XAUTCTF!}

学号

早先了解Peng✌名曰李鹏程

根据此：

【腾讯文档】2024年国庆节假期学生去向统计表
https://docs.qq.com/sheet/DQ3hoUlFoaFd1QURq?tab=BB08J2

XAUTCTF{3231423008}

What’s Base?

原密文

4B3543554D565357495648464B55544F4F4D594532564352475248554B5753464A565554414D324F495646454D5443554D4E3456433653424F5249564B5653464A35425443524B50495241544954544B4B4A43564532535A474249585551525A

base16解密
K5CUMVSWIVHFKUTOOMYE2VCRGRHUKWSFJVUTAM2OIVFEMTCUMN4VC6SBORIVKVSFJ5BTCRKPIRATITTKKJCVE2SZGBIXUQRZ

base32解密
WEFVVENURns0MTQ4OEZEMi03NEJFLTcyQzAtQUVEOC1EODA4NjRERjY0QzB9

base64解密
XAUTCTF{41488FD2-74BE-72C0-AED8-D80864DF64C0}

Where are you?

根据图寻图片，为九号楼五楼，又由教室窗户朝北靠向校门一侧，推理得教室号码为偶数，数较小

XAUTCTF{9-504}

MD5

运行脚本attachment更新，如下，不知其缘由

在网络上找MD5解密网站均败下阵来

编写如下代码

from hashlib import md5


def double_md5(char: str) -> str:
    # 对单个字符进行两次 MD5 哈希处理
    return md5(md5(char.encode()).hexdigest().encode()).hexdigest()


def find_original_char(double_hashed_value: str) -> str:
    # 遍历所有可能的 ASCII 可打印字符
    for i in range(32, 127):  # ASCII 可打印字符范围
        char = chr(i)
        if double_md5(char) == double_hashed_value:
            return char
    return None


def decrypt_file(file_path: str):
    with open(file_path, 'r') as file:
        lines = file.readlines()

    original_chars = []
    for line in lines:
        double_hashed_value = line.strip()  # 去除行尾换行符
        original_char = find_original_char(double_hashed_value)
        if original_char:
            original_chars.append(original_char)
        else:
            original_chars.append('?')  # 如果没有找到匹配的字符，用问号表示

    # 输出解密后的字符串
    decrypted_string = ''.join(original_chars)
    print(f"解密后的字符串是: {decrypted_string}")


# 使用提供的文件路径调用函数
decrypt_file('attachment.txt')

运行代码：

XAUTCTF{1614d17d-01b4-8b9f-ceca-52562069202a}

Base64?

运行base64.py

import base64
from flag import flag

standard_alphabet = b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
custom_alphabet =   b'JXaYOjSNTet1dDrHsVlc0m5EknG7Ko6qibhFBuyzQUwxWCp4ZLf23gAvMR8PI9+/'
encode_trans = bytes.maketrans(standard_alphabet, custom_alphabet)

def encode(input):
   return base64.b64encode(input).translate(encode_trans)

enstr = encode(flag.encode())
print(enstr.decode())

得到：

1	D09w75gHVYX56BDaV2mp6mnFcAnBsmTZVcehkFXXdOjOcFd9

编写Base64解码脚本

import base64

standard_alphabet = b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
custom_alphabet =   b'JXaYOjSNTet1dDrHsVlc0m5EknG7Ko6qibhFBuyzQUwxWCp4ZLf23gAvMR8PI9+/'

decode_trans = bytes.maketrans(custom_alphabet, standard_alphabet)

def decode(input):
    input_bytes = input.encode()
    # 首先将自定义Base64编码转回标准Base64编码
    standard_b64 = input_bytes.translate(decode_trans)
    # 然后使用标准库解码
    return base64.b64decode(standard_b64).decode('utf-8')

encoded_string = "D09w75gHVYX56BDaV2mp6mnFcAnBsmTZVcehkFXXdOjOcFd9"

decoded_flag = decode(encoded_string)
print(decoded_flag)

将D09w75gHVYX56BDaV2mp6mnFcAnBsmTZVcehkFXXdOjOcFd9赋给encoded_string，运行得

5OjmmOD0VzCBG5nyVcOfdAR0E2bb0A0ADN3=

再将5OjmmOD0VzCBG5nyVcOfdAR0E2bb0A0ADN3=赋给encoded_string，运行得

XAUTCTF{diffE123nT_8aSe64}

Get d!!!

import math
import os


def exgcd(m, n, x=0, y=0):
    if n == 0:
        x = 1
        y = 0
        return (m, x, y)
    a1 = b = 1
    a = b1 = 0
    c = m
    d = n
    q = int(c / d)
    r = c % d
    while r:
        c = d
        d = r
        t = a1
        a1 = a
        a = t - q * a
        t = b1
        b1 = b
        b = t - q * b
        q = int(c / d)
        r = c % d
    x = a
    y = b
    return x


def quick_algorithm(a, b, c):
    a = a % c
    ans = 1
    while b != 0:
        if b & 1:
            ans = (ans * a) % c
        b >>= 1
        a = (a * a) % c
    return ans


# 假设p，q是下面的数字
p = 2147483647
q = 524287

n = p * q

phi_n = (p - 1) * (q - 1)
# 因为e一般是65537，但是也可以指定符合要求的e值
e = 17
d = 0
d = exgcd(e, phi_n)
print(d)

运行代码，输出：132458307156089

XAYUTCTF{132458307156089}

Do you know rsa’s key?

import base64
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5

data = "kZXHviP8yVEdvuZG7nDfEKXfKMW2E0h0f0oSTyEwNX5Ju67ETr+zKqP9w2swTlF17qi2zP14hJY3/jOBNmBCt64LR6N8OPLHV1DqIVlnbub9danFLaupNNvVofZRTIeGMnI+RJ9BdvEfHjimSsZMm0nRPeQ3I2IA/tMxA/EakMvh7pGPcN+fnbITBWWI9ukWqqxofsaOlfECU8QkG+P1svVz8pi8xpIaN+3Dn0Y7khG1ybPckavnSmY1UO9rIbS98Y3ujQfQnkvCCbKJ06L7eWxX8mhBXFd2169e1BnQKLHres5MqWg1LHMlDIRFy+23RWU13PW8tfGaVe1NwftGoA=="
with open("rsa_private_key.pem", 'r') as fp:
    # 读取私钥
    pri_key = fp.read()
    # 加载私钥对象
    rsa_key = RSA.importKey(pri_key)
    # 构建解密器
    rsa = PKCS1_v1_5.new(rsa_key)
    # 进行数据解密,解密前需要现将base64进行解码;
    result = rsa.decrypt(base64.b64decode(data), None)
    print(result.decode("utf-8"))

data值为encrypt_text.txt文本

运行得

XAUTCTF{rSA_iS_wiD3LY_usED}

WEB_Starter

WEFVVENURnsyYTMwZDkyMy00MTY2LTQ1MmYtYWU3NS04ODhmMGZkMWE5NzN9Cg==

Base64解码得

XAUTCTF{2a30d923-4166-452f-ae75-888f0fd1a973}

To Hack AI

emmm

XAUTCTF{Y0v_hAVe_SuccesZFv1LY_tRain3d_thE_ai}