NSSCTF_Round23

easy_math

nc连接发现是根据4个数字判断能不能实现24点，输入True或False，输入的True或False按顺序变成1和0，再解码就能得到flag，直接用脚本实现

from exp1 import *
from pwn import *
import re
from itertools import permutations, product

p = remote("node1.anna.nssctf.cn",28072)
sum=5
bollen=""
flag=""
response=p.recvuntil('(True/False):')
while True:

    numbers_match = re.findall(r'\d+', str(response))
    numbers = [int(num) for num in numbers_match if num!='24']
    result,exper=solve24(numbers)
    if str(result)=="True":
        bollen=bollen+"1"
    else:
        bollen=bollen+"0"
    if len(bollen)==8:
        flag=flag+chr(int(bollen, 2))
        print(flag)
        bollen=""
    p.sendline(str(result))
    try:
        response = p.recvuntil('(True/False):').strip()
    except:
        response = p.recv().strip()
p.interactive()

import operator
from itertools import permutations, product

# 定义四种基本运算
ops = { "+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv }

def solve24(nums):
    # 为每一个数字添加一个空字符串作为表达式
    nums = list(map(lambda x: (x, str(x)), nums))

    def helper(nums):
        # 如果nums列表只有一个元素，且该元素几乎等于24（为了避免浮点数的精度问题），那么返回该元素的表达式。
        if len(nums) == 1:
            return abs(nums[0][0] - 24) < 1e-6, nums[0][1]

        # 尝试所有可能的数字对和运算符的组合
        for (a, astr), (b, bstr), *rest in permutations(nums):
            for op in ops.keys():
                # 避免除以0
                if op == '/' and abs(b) < 1e-6:
                    continue
                # 尝试运算后将结果和剩余的数再进行递归运算
                result, expr = helper([(ops[op](a, b), f"({astr} {op} {bstr})")] + rest)
                if result:
                    return result, expr

        # 如果所有可能的组合都无法得到24，返回False。
        return False, ""

    return helper(nums)

在exp.py中调用了exp1.py用来算24点

画师

📎flag.xml

发现一个flag.xml文件，上网查资料发现可能是流程图数据，找到在线网站https://app.diagrams.net/，打开flag.xml文件，再全选更改一下线条的颜色，得到下图

这很抽象，最后猜出flag为flag{easy_diagram}

easy_signin1

📎easy_signin1.zip

提示说：image to 01 然后找一下2.png相对于1.png不同的地方，一开始以为是异或，结果就是传统的找出2.png的二进制和1.png不一样的地方然后打印

from PIL import Image
import math
import sys

def is_black(pixel):
    # 判断像素是否是黑色
    # 如果红、绿、蓝通道的值都很低，则认为是黑色
    return all(value < 10 for value in pixel[:3])


def is_white(pixel):
    # 判断像素是否是白色
    # 如果红、绿、蓝通道的值都很高，则认为是白色
    return all(value > 245 for value in pixel[:3])

flag1=""
flag2=""
def scan_image(image_path):
    global flag1
    # 打开图像文件
    image = Image.open(image_path)
    # 获取图像的像素数据
    pixels = image.load()
    width, height = image.size

    for y in range(height):
        for x in range(width):
            # 获取像素的RGB值
            pixel = pixels[x, y]
            # 判断像素是黑色还是白色
            if is_black(pixel):
                flag1=flag1+"1"
            elif is_white(pixel):
                flag1=flag1+"0"
            else:
                print("err")
def scan_image2(image_path):
    global flag2
    # 打开图像文件
    image = Image.open(image_path)
    # 获取图像的像素数据
    pixels = image.load()
    width, height = image.size

    for y in range(height):
        for x in range(width):
            # 获取像素的RGB值
            pixel = pixels[x, y]
            # 判断像素是黑色还是白色
            if is_black(pixel):
                flag2=flag2+"1"
            elif is_white(pixel):
                flag2=flag2+"0"
            else:
                print("err")
# 调用函数扫描图像
scan_image("1.png")

scan_image2("2.png")
for i in range(len(flag1)):
    if flag1[i] != flag2[i]:
        print(flag2[i],end="")

得到

0010001101101001011011100110001101101100011101010110010001100101001111000110001001101001011101000111001100101111011100110111010001100100011000110010101100101011001011100110100000111110000010100111010101110011011010010110111001100111001000000110111001100001011011010110010101110011011100000110000101100011011001010010000001110011011101000110010000111011000010100111001101110100011100100110100101101110011001110010000001101011011001010111100100100000001111010010000000100010001000100011101100100000000010100000101001101001011011100111010000100000011011010110000101101001011011100010100000101001011110110000101000001001011100110111010001110010011010010110111001100111001000000110001101110010011110010111000001110100011011110101111101110100011110000111010000111011000010100000100101100011011010010110111000111110001111100110001101110010011110010111000001110100011011110101111101110100011110000111010000111011001000000000101000001010000010010110011001101111011100100010000000101000011010010110111001110100001000000110100100100000001111010010000000110000001110110010000001101001001000000011110000100000011000110111001001111001011100000111010001101111010111110111010001111000011101000010111001101100011001010110111001100111011101000110100000101000001010010011101100100000001010110010101101101001001010010111101100001010001000000010000000100000001000000010000000100000001000000010000001100011011010000110000101110010001000000110010101101110011000110111001001111001011100000111010001100101011001000101111101110100011110000111010000100000001111010010000001100011011010000110000101110010001010000110001101110010011110010111000001110100011011110101111101110100011110000111010001011011011010010101110100100000010111100010000001101011011001010111100101011011011010010010000000100101001000000110101101100101011110010010111001101100011001010110111001100111011101000110100000101000001010010101110100100000010111100010000001100011011100100111100101110000011101000110111101011111011101000111100001110100010110110010100001101001001000000010101100100000001100010010100100100000001001010010000001100011011100100111100101110000011101000110111101011111011101000111100001110100001011100110110001100101011011100110011101110100011010000010100000101001010111010010100100111011000010100010000000100000001000000010000000100000001000000010000000100000011000110110111101110101011101000010000000111100001111000010000001101001011011100111010000101000011001010110111001100011011100100111100101110000011101000110010101100100010111110111010001111000011101000010100100100000001111000011110000100000001000100010000000100010001110110000101000100000001000000010000000100000011111010010000000100000001000000000101000100000001000000010000000100000011100100110010101110100011101010111001001101110001000000011000000111011000010100111110100001010000010100010111100101111001000000110010101101110011000110111001001111001011100000111010001100101011001000101111101110100011110000111010000110001001000000011110100100000001100010011001000110010001011000011000100110010001101110010110000110001001100010011000100101100001100010011000100110001001011000011100100110110001011000011000100110001001101000010110000110001001100010011010100101100001100010011001000110111001011000011011100110111001011000011100100110000001011000011000100110001001110010010110000111001001100100010110000111000001110010010110000110001001100010011011100101100001100010011001000110110001011000011100000110101001011000011100000110111001011000011000100110001001101110010110000110001001100010011000100101100001100010011000100110001001011000011100000110110001011000011100000110100001011000011000100110010001100100010110000110001001100100011011100101100001100010011000100110001001011000011011100110101001011000011100000110001001011000011100100110111001011000011000100110010001100000010110000111001001101000010110000111001001100110010110000110001001100010011000000101100001110010011100000101100001101100011010100101100001110000011010000101100001100010011001000110111001011000011000100110000001101010010110000110110001110010010110000111000001101110010110000110001001100100011010100101100001110010011100000101100001100010011000000110111001011000011100000110111001011000011011100110000001011000011000100110000001110000010110000110001001100100011011100101100001110000011001100101100001110000011100000101100001100010011000000110101001011000011000100110000001101010010110000111001001110000010110000111001001101010010110000111000001110000010110000110001001100000011001000101100001110010011011000101100001100010011000100111000001011000011000100110000001101000010110000110001001100010011010000001010001011110010111100100000011001000110111001100011011100100111100101110000011101000110010101100100010111110111010001111000011101000010000000111101001000000110011001101100011000010110011101111011011101000110100001101001011100110101111101101001011100110101111101110100011010000110010101011111011001100110000101101011011001010101111101100110011011000110000101100111010111110110000101101110011001000101111101100011011000010110111001011111011110010110111101110101010111110110011001101001011011100110010001011111011101000110100001100101010111110111010001110010011101010110010101011111011001100110110001100001011001110111110100001010001011110010111100100000011001010110111001100011011100100111100101110000011101000110010101100100010111110111010001111000011101000011001000100000001111010010000000110111001101100010110000110001001100100011011100101100001100110011001100101100001101100011001100101100001100010011000000111000001011000011000100110010001101110010110000110001001100010011000000101100001100010011000000110010001011000011000100110010001100000010110000110001001100000011100100101100001100010011001000110100001011000011010100110110001011000011010000110111001011000011000100110001001110000010110000110001001100000011011100101100001100010011001000110101001011000011000100110010001100010010110000110001001100000011010000101100001110010011100000101100001100010011001000110011001011000011000100110000001101100010110000110001001100100011001100101100001101010011011100101100001101000011001000101100001100010011000100110111001011000011000100110010001101100010110000110011001110010010110000110100001110010010110000110001001100000011000100101100001100010011000100110101001011000011000100110000001100110010110000110001001100010011011100101100001100010011000100110111001011000011000100110000001110010010110000110001001100010011011100101100001110010011011000101100001101010011011100101100001101000011011000101100001100010011000000111001001011000011000100110001001101010010110000110001001100010011000000101100001100010011000000110100001011000011000100110000001101010010110000110001001100000011011000101100001100010011001000110011001011000011000100110000001100000010110000110001001100000011010100101100001101000011010000101100001101010011010100101100001100010011000100110100001011000011000100110010001101110010110000110100001101010010110000110110001100000010110000110001001100100011000100101100001100010011001000110010001011000011000100110001001100110010110000110001001100010011000000101100001100010011000000110100001011000011010000111000001011000011010100110011001011000011000100110001001100110010110000110001001100010011011100101100001100110011100100101100001101010011011000101100001100010011001000110101001011000011000100110000001101010010110000110001001100010011010000101100001100010011001000110001001011000011000100110000001100000010110000110001001100000011000100101100001101000011100100101100001101010011100000101100001100010011000000110000001011000011000100110010001101110010110000110101001101110010110000110101001100110010110000110001001100010011100000101100001101010011000000101100001101010011000100101100001100010011000000110110001011000011000100110000001101100010110000110001001100100011010000101100001100110011100000101100001101010011010000101100001100010011001000110111001011000011011000110000001011000011000100110000001110000010110000110001001100000011100100101100001100010011000100110010001011000011000100110001001101000010110000110001001100000011010100101100001100010011100100101100001100010011000100110100001011000011000100110001001100000010110000111001001110000010110000110001001100010011010000101100001100010011000100110101001011000011100000110001001011000011000100110001001101010010110000111000001101010010110000110110001101010010110000111001001110010010110000111000001101010010110000110110001101110010110000110100001101000010110000110011001101100010110000110001001100000011100000101100001100010011000000110010001011000011000100110000001101110010110000111001001100100010110000110011001100010010110000110100001101000010110000111000001110000010110000111000001110000010110000110001001100010011010100101100001101010011010100101100001101000011100000101100001101110011001100101100001110000011011000101100001101100011100000101100001110010011001100101100001100010011000100110010001011000011000100110010001100110010110000110111001110010010110000110001001100100011011100101100001100010011010100101100001101010011000100101100001100010011001000110000001011000011100100110110001011000011000100110010001100010010110000110111001101000010110000110001001100010011010000101100001110010011010000101100001100010011001000110000001011000011100000110010001011000011100100110001001011000011010000110001001011000011010000110100001011000011000100110000001101010010110000111000001100100010110000110111001100010010110000110011001101110010110000110001001100010011000000101100001100100011100000101100001101100011100100101100001110010011011000101100001100010011000000110000001011000011010000110010001011000011001000101100001101110011010100101100001100010011000100111000001011000011000100110010001100100010110000110011001101010010110000110100001110010010110000111000001110010000101000001010

去解密

得到一份加密脚本

#include<bits/stdc++.h>
using namespace std;
string key = ""; 

int main(){
	string crypto_txt;
	cin>>crypto_txt; 

	for (int i = 0; i < crypto_txt.length(); ++i){
        char encrypted_txt = char(crypto_txt[i] ^ key[i % key.length()] ^ crypto_txt[(i + 1) % crypto_txt.length()]);
        cout << int(encrypted_txt) << " ";
    }   
    return 0;
}

// encrypted_txt1 = 122,127,111,111,96,114,115,127,77,90,119,92,89,117,126,85,87,117,111,111,86,84,122,127,111,75,81,97,120,94,93,110,98,65,84,127,105,69,87,125,98,107,87,70,108,127,83,88,105,105,98,95,88,102,96,118,104,114
// dncrypted_txt = flag{this_is_the_fake_flag_and_can_you_find_the_true_flag}
// encrypted_txt2 = 76,127,33,63,108,127,110,102,120,109,124,56,47,118,107,125,121,104,98,123,106,123,57,42,117,126,39,49,101,115,103,117,117,109,117,96,57,46,109,115,110,104,105,106,123,100,105,44,55,114,127,45,60,121,122,113,110,104,48,53,113,117,39,56,125,105,114,121,100,101,49,58,100,127,57,53,118,50,51,106,106,124,38,54,127,60,108,109,112,114,105,19,114,110,98,114,115,81,115,85,65,99,85,67,44,36,108,102,107,92,31,44,88,88,115,55,48,73,86,68,93,112,123,79,127,15,51,120,96,121,74,114,94,120,82,91,41,44,105,82,71,37,110,28,69,96,100,42,2,75,118,122,35,49,89

直接逆向脚本得到flag

import string
encrypted_txt1 =[122,127,111,111,96,114,115,127,77,90,119,92,89,117,126,85,87,117,111,111,86,84,122,127,111,75,81,97,120,94,93,110,98,65,84,127,105,69,87,125,98,107,87,70,108,127,83,88,105,105,98,95,88,102,96,118,104,114]
dncrypted_txt = "flag{this_is_the_fake_flag_and_can_you_find_the_true_flag}"
encrypted_txt2 = [76,127,33,63,108,127,110,102,120,109,124,56,47,118,107,125,121,104,98,123,106,123,57,42,117,126,39,49,101,115,103,117,117,109,117,96,57,46,109,115,110,104,105,106,123,100,105,44,55,114,127,45,60,121,122,113,110,104,48,53,113,117,39,56,125,105,114,121,100,101,49,58,100,127,57,53,118,50,51,106,106,124,38,54,127,60,108,109,112,114,105,19,114,110,98,114,115,81,115,85,65,99,85,67,44,36,108,102,107,92,31,44,88,88,115,55,48,73,86,68,93,112,123,79,127,15,51,120,96,121,74,114,94,120,82,91,41,44,105,82,71,37,110,28,69,96,100,42,2,75,118,122,35,49,89]
key=""
really_key=""
key_flag=0
for i in range(len(encrypted_txt1)):
    key_son=""
    key = key + chr(encrypted_txt1[i] ^ ord(dncrypted_txt[i]) ^ ord(dncrypted_txt[(i+1)%len(dncrypted_txt)]))
    for j in range(len(key)):
        key_son=key_son+key[j]
        if key.count(key_son)==2 and len(key)/len(key_son)==2:
            key_flag=1
            really_key=key_son
            break
    if key_flag==1:
        break
dncrypted_txt2=""
dict=string.printable
for chr1 in dict:
    dncrypted_txt2=dncrypted_txt2+chr1
    for i in range(0,len(encrypted_txt2)):
        dncrypted_txt2=dncrypted_txt2+chr(encrypted_txt2[i]^ord(really_key[i % len(really_key)]) ^ ord(dncrypted_txt2[i]))
    if "flag" in dncrypted_txt2 or "NSSCTF" in dncrypted_txt2:
        print(dncrypted_txt2)
    dncrypted_txt2=""

#The-absolute-powerhouse,the-resulting-loneliness,the-person-who-teaches-you-to-love-is......NSSCTF{e@sy_s1gnin_0n_th1s_h@ppy_S3nday_@nd_w1sh_y03_hav3_fun!}T

NSSCTF{e@sy_s1gnin_0n_th1s_h@ppy_S3nday_@nd_w1sh_y03_hav3_fun!}

去010查看，可以分离出一张类似于二维码的东西，但不是二维码，根据提示，去使用npiet

接着查看10xbig_to_more_clear.png，用脚本放大10倍看得更加清楚（其实也不清楚）

from PIL import Image

def process_image(input_image_path, output_image_path):
    # 打开图像
    image = Image.open(input_image_path).convert('L')
    # 获取图像的像素数据
    pixels = image.load()
    width, height = image.size

    # 遍历图像的每个像素
    for y in range(height):
        for x in range(width):
            # 获取当前像素的灰度值
            pixel_value = pixels[x, y]

            # 如果像素值在10到200之间，将其设置为255
            if 0 < pixel_value < 250:
                pixels[x, y] = 0

    # 保存修改后的图像
    image.save(output_image_path)

# 输入和输出图像的文件路径
input_image_path = "10xbig.png"
output_image_path = "out.png"

# 处理图像
process_image(input_image_path, output_image_path)

得到字符串di`f{cfd7d1fd1ba254dcfa7f4155cfdadadc}

解密

得到flag

NSSCTF{dge8f3hf3da45cd414f7affc5db5dadd}

easy_signin2

📎easy_signin2.zip

附件看到两张图，先去看一下here_is_your_flag.png，用010打卡发现根本不是png图片数据，题目给了提示是要异或pngchunk，但是不知道异或什么，因为我们知道png的是89开始的，所以用现在的第一个字节去异或89，就可以得到应该要异或的字节了

可以看到我们要异或的应该是0x44，所以我们把这个文件的每一字节提取出来然后去异或0x44并写入文件

s=""
sum=0
with open("here_is_your_flag.png",'rb') as file:
    byte=file.read(1)
    with open("flag.txt",'w') as f:
        f.write(s)
        while byte:
            sum+=1
            # byte = ord(byte)
            xor_byte=str(hex(byte[0]^0x44))[2::]
            xor_byte = xor_byte.zfill(2)
            # xor_byte = byte ^ 0x44
            # s=s+str(hex(xor_byte))[2::]
            # print(sum)
            print(xor_byte,end="")
            f.write(xor_byte)
            byte=file.read(1)

去转换成flag，然后得到图片

去010查看，可以分离出一张类似于二维码的东西，但不是二维码，根据提示，去使用npiet

接着查看10xbig_to_more_clear.png，用脚本放大10倍看得更加清楚（其实也不清楚）

from PIL import Image

def process_image(input_image_path, output_image_path):
    # 打开图像
    image = Image.open(input_image_path).convert('L')
    # 获取图像的像素数据
    pixels = image.load()
    width, height = image.size

    # 遍历图像的每个像素
    for y in range(height):
        for x in range(width):
            # 获取当前像素的灰度值
            pixel_value = pixels[x, y]

            # 如果像素值在10到200之间，将其设置为255
            if 0 < pixel_value < 250:
                pixels[x, y] = 0

    # 保存修改后的图像
    image.save(output_image_path)

# 输入和输出图像的文件路径
input_image_path = "10xbig.png"
output_image_path = "out.png"

# 处理图像
process_image(input_image_path, output_image_path)

得到字符串di`f{cfd7d1fd1ba254dcfa7f4155cfdadadc}

解密

得到flag

NSSCTF{dge8f3hf3da45cd414f7affc5db5dadd}