MRCTF2020 Misc & Crypto Write-Up

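Still too much of a beginner, sigh.

I only solved a few of these afterwards, with help from experts' blogs, and reproduced them on BUU.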

Crypto

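Heavenly Stems and Earthly Branches + Jiazi (天干地支+甲子)

Look up the number each stem-branch pair stands for, add 60 (one Jiazi cycle), and convert the result to ASCII.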

a = [11, 51, 51, 40, 46, 51, 38]

print(''.join(chr(i + 60) for i in a))

MRCTF{Goodjob}

keyboard

A keyboard cipher: use the 9-key phone keypad.

It decodes to mobilephond; correct that to mobilephone.

MRCTF{mobilephone}

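How Much Do You Know About Classical Ciphers (古典密码知多少)

Blue: pigpen cipher; yellow: Knights Templar cipher; black: Standard Galactic Alphabet.

Decoded: FGCPFLIRTUASYON

Then apply a rail fence: FLAGISCRYPTOFUN

Finally: MRCTF{CRYPTOFUN}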

vigenere

Decrypt it directly online: https://www.guballa.de/vigenere-solver

a declaration of the independence of cyberspace
by john perry barlow
governments of the industrial world, you weary giants of flesh and steel, i come from cyberspace, the new home of mind. on behalf of the future, i ask you of the past to leave us alone. you are not welcome among us. you have no sovereignty where we gather.
we have no elected government, nor are we likely to have one, so i address you with no greater authority than that with which liberty itself always speaks. i declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. you have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.
governments derive their just powers from the consent of the governed. you have neither solicited nor received ours. we did not invite you. you do not know us, nor do you know our world. cyberspace does not lie within your borders. do not think that you can build it, as though it were a public construction project. you cannot. it is an act of nature and it grows itself through our collective actions.
you have not engaged in our great and gathering conversation, nor did you create the wealth of our marketplaces. you do not know our culture, our ethics, or the unwritten codes that already provide our society more order than could be obtained by any of your impositions.
you claim there are problems among us that you need to solve. you use this claim as an excuse to invade our precincts. many of these problems don't exist. where there are real conflicts, where there are wrongs, we will identify them and address them by our means. we are forming our own social contract. this governance will arise according to the conditions of our world, not yours. our world is different.
cyberspace consists of transactions, relationships, and thought itself, arrayed like a standing wave in the web of our communications. ours is a world that is both everywhere and nowhere, but it is not where bodies live.
we are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth.
we are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity.
your legal concepts of property, expression, identity, movement, and context do not apply to us. they are all based on matter, and there is no matter here.
our identities have no bodies, so, unlike you, we cannot obtain order by physical coercion. we believe that from ethics, enlightened self-interest, and the commonweal, our governance will emerge. our identities may be distributed across many of your jurisdictions. the only law that all our constituent cultures would generally recognize is the golden rule. we hope we will be able to build our particular solutions on that basis. but we cannot accept the solutions you are attempting to impose.
in the united states, you have today created a law, the telecommunications reform act, which repudiates your own constitution and insults the dreams of jefferson, washington, mill, madison, detoqueville, and brandeis. these dreams must now be born anew in us.
you are terrified of your own children, since they are natives in a world where you will always be immigrants. because you fear them, you entrust your bureaucracies with the parental responsibilities you are too cowardly to confront yourselves. in our world, all the sentiments and expressions of humanity, from the debasing to the angelic, are parts of a seamless whole, the global conversation of bits. we cannot separate the air that chokes from the air upon which wings beat.
in china, germany, france, russia, singapore, italy and the united states, you are trying to ward off the virus of liberty by erecting guard posts at the frontiers of cyberspace. these may keep out the contagion for a small time, but they will not work in a world that will soon be blanketed in bit-bearing media.
your increasingly obsolete information industries would perpetuate themselves by proposing laws, in america and elsewhere, that claim to own speech itself throughout the world. these laws would declare ideas to be another industrial product, no more noble than pig iron. in our world, whatever the human mind may create can be reproduced and distributed infinitely at no cost. the global conveyance of thought no longer requires your factories to accomplish.
these increasingly hostile and colonial measures place us in the same position as those previous lovers of freedom and self-determination who had to reject the authorities of distant, uninformed powers. we must declare our virtual selves immune to your sovereignty, even as we continue to consent to your rule over our bodies. we will spread ourselves across the planet so that no one can arrest our thoughts.
we will create a civilization of the mind in cyberspace. may it be more humane and fair than the world your governments have made before.
flag is mrctf vigenere crypto crack man, please add underscore and curly braces.

flag:MRCTF{vigenere_crypto_crack_man}

babyRSA

Looking at the source code, all we need is p and q. Start with p:

def gen_p():
    P = [0 for i in range(17)]
    P[0] = getPrime(128)
    for i in range(1, 17):
        P[i] = sympy.nextprime(P[i-1])
    print("P_p :", P[9])
    n = 1
    for i in range(17):
        n *= P[i]
    p = getPrime(1024)
    factor = pow(p, base, n)
    print("P_factor :", factor)
    return sympy.nextprime(p)

Because P[9] is given and the array is built with nextprime(), the whole array can be worked out. That gives the n used here, and from it the p needed later.

Then q:

def gen_q():
    sub_Q = getPrime(1024)
    Q_1 = getPrime(1024)
    Q_2 = getPrime(1024)
    Q = sub_Q ** Q_2 % Q_1
    print("Q_1: ", Q_1)
    print("Q_2: ", Q_2)
    print("sub_Q: ", sub_Q)
    return sympy.nextprime(Q)

Compute Q directly with pow(sub_Q, Q_2, Q_1), then take nextprime to get q.
Script:

import libnum
import sympy
import gmpy2
from Crypto.Util.number import getPrime

e = 65537
factor = 213671742765908980787116579976289600595864704574134469173111790965233629909513884704158446946409910475727584342641848597858942209151114627306286393390259700239698869487469080881267182803062488043469138252786381822646126962323295676431679988602406971858136496624861228526070581338082202663895710929460596143281673761666804565161435963957655012011051936180536581488499059517946308650135300428672486819645279969693519039407892941672784362868653243632727928279698588177694171797254644864554162848696210763681197279758130811723700154618280764123396312330032986093579531909363210692564988076206283296967165522152288770019720928264542910922693728918198338839

p = [0 for i in range(17)]
p[0]=206027926847308612719677572554991142909
p[1]=206027926847308612719677572554991142911
p[2]=206027926847308612719677572554991142977
p[3]=206027926847308612719677572554991143071
p[4]=206027926847308612719677572554991143103
p[5]=206027926847308612719677572554991143121
p[6]=206027926847308612719677572554991143133
p[7]=206027926847308612719677572554991143317
p[8]=206027926847308612719677572554991143401
p[9]=206027926847308612719677572554991143421
for i in range(10, 17):
    p[i] = sympy.nextprime(p[i-1])

n = 1
for i in range(17):
    n *= p[i]
# n is a product of 17 distinct primes, so phi(n) is the product of (p_i - 1)
phi = 1
for i in range(17):
    phi *= p[i] - 1

# print(n)
# print(sympy.nextprime(n))
d1 = gmpy2.invert(e, phi)
p = pow(factor, d1, n)
p = sympy.nextprime(p)
print(p)

Q_1 = 103766439849465588084625049495793857634556517064563488433148224524638105971161051763127718438062862548184814747601299494052813662851459740127499557785398714481909461631996020048315790167967699932967974484481209879664173009585231469785141628982021847883945871201430155071257803163523612863113967495969578605521
Q_2 = 151010734276916939790591461278981486442548035032350797306496105136358723586953123484087860176438629843688462671681777513652947555325607414858514566053513243083627810686084890261120641161987614435114887565491866120507844566210561620503961205851409386041194326728437073995372322433035153519757017396063066469743
sub_Q = 168992529793593315757895995101430241994953638330919314800130536809801824971112039572562389449584350643924391984800978193707795909956472992631004290479273525116959461856227262232600089176950810729475058260332177626961286009876630340945093629959302803189668904123890991069113826241497783666995751391361028949651
Q = pow(sub_Q, Q_2, Q_1)
q = sympy.nextprime(Q)
print(q)

c = 1709187240516367141460862187749451047644094885791761673574674330840842792189795049968394122216854491757922647656430908587059997070488674220330847871811836724541907666983042376216411561826640060734307013458794925025684062804589439843027290282034999617915124231838524593607080377300985152179828199569474241678651559771763395596697140206072537688129790126472053987391538280007082203006348029125729650207661362371936196789562658458778312533505938858959644541233578654340925901963957980047639114170033936570060250438906130591377904182111622236567507022711176457301476543461600524993045300728432815672077399879668276471832

ph = (p-1)*(q-1)
d = gmpy2.invert(e, ph)
m = pow(c, d, p*q)

print(libnum.n2s(m))
# flag:MRCTF{sti11_@_b@by_qu3st10n}
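
How the whole prime array follows from the single leaked P[9], as an added example (not the challenge's or the author's code) on a small constructed instance. The helper names is_prime, next_prime, prev_prime, rebuild_primes, recover_secret and make_instance are hypothetical, and 65537 is the exponent the script above inverts.

```python
from math import prod

def is_prime(n):
    # Trial division is enough for the small constructed primes used here.
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def next_prime(n):
    n += 1
    while not is_prime(n):
        n += 1
    return n

def prev_prime(n):
    n -= 1
    while not is_prime(n):
        n -= 1
    return n

def rebuild_primes(leaked, index=9, count=17):
    """Rebuild `count` consecutive primes from the one known at `index`."""
    primes = [0] * count
    primes[index] = leaked
    for i in range(index - 1, -1, -1):   # walk down to P[0]
        primes[i] = prev_prime(primes[i + 1])
    for i in range(index + 1, count):    # walk up to P[16]
        primes[i] = next_prime(primes[i - 1])
    return primes

def recover_secret(leaked, factor, e=65537):
    primes = rebuild_primes(leaked)
    n = prod(primes)
    # n is a product of distinct primes, so phi(n) = prod(p_i - 1).
    phi = prod(p - 1 for p in primes)
    return pow(factor, pow(e, -1, phi), n)

def make_instance(start=10007, secret=123456789012345678901234567890):
    """Constructed toy version of gen_p(): 17 consecutive primes, P[9] leaked."""
    primes = [start]
    while len(primes) < 17:
        primes.append(next_prime(primes[-1]))
    return primes, pow(secret, 65537, prod(primes)), secret

if __name__ == "__main__":
    primes, factor, secret = make_instance()
    print(recover_secret(primes[9], factor) == secret)
```

Primes derived deterministically from one another give no security once any one of them is disclosed, which is why RSA primes must be generated independently.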

Easy_RSA

Similar to the previous challenge: again the task is to find p and q.

First p:

def gen_p():
    p = getPrime(1024)
    q = getPrime(1024)
    assert (p < q)
    n = p * q
    print("P_n = ", n)
    F_n = (p - 1) * (q - 1)
    print("P_F_n = ", F_n)
    factor2 = 2021 * p + 2020 * q
    if factor2 < 0:
        factor2 = (-1) * factor2
    return sympy.nextprime(factor2)

The known values here are n = p * q and φ(n) = (p-1) * (q-1), so p + q = n - φ(n) + 1 and the two primes can be found with a binary search.

Then q:

def gen_q():
    p = getPrime(1024)
    q = getPrime(1024)
    assert (p < q)
    n = p * q
    print("Q_n = ", n)
    e = getRandomNBitInteger(53)
    F_n = (p - 1) * (q - 1)
    while gcd(e, F_n) != 1:
        e = getRandomNBitInteger(53)
    d = invert(e, F_n)
    print("Q_E_D = ", e * d)
    factor2 = 2021 * p - 2020 * q
    if factor2 < 0:
        factor2 = (-1) * factor2
    return sympy.nextprime(factor2)

This amounts to knowing e, d and n; I borrowed the approach from an expert's blog.

Script:

import sympy
import libnum
from gmpy2 import *

def get_P():
    # P_n = p * q
    P_n = 14057332139537395701238463644827948204030576528558543283405966933509944444681257521108769303999679955371474546213196051386802936343092965202519504111238572269823072199039812208100301939365080328518578704076769147484922508482686658959347725753762078590928561862163337382463252361958145933210306431342748775024336556028267742021320891681762543660468484018686865891073110757394154024833552558863671537491089957038648328973790692356014778420333896705595252711514117478072828880198506187667924020260600124717243067420876363980538994101929437978668709128652587073901337310278665778299513763593234951137512120572797739181693
    # P_F_n = p*q - (p+q) + 1
    P_F_n = 14057332139537395701238463644827948204030576528558543283405966933509944444681257521108769303999679955371474546213196051386802936343092965202519504111238572269823072199039812208100301939365080328518578704076769147484922508482686658959347725753762078590928561862163337382463252361958145933210306431342748775024099427363967321110127562039879018616082926935567951378185280882426903064598376668106616694623540074057210432790309571018778281723710994930151635857933293394780142192586806292968028305922173313521186946635709194350912242693822450297748434301924950358561859804256788098033426537956252964976682327991427626735740
    # P_Q = p+q
    P_Q = P_n - P_F_n + 1
    # print(P_Q)

    # Binary search on [P_Q/2, P_Q]: x*(P_Q - x) decreases there
    # and equals P_n exactly at the larger prime.
    l = P_Q // 2
    r = P_Q

    while l < r:
        p = (l + r) // 2
        y = p * (P_Q - p)
        if y == P_n:
            # print(p)
            break
        if y > P_n:
            # print('y>P_n')
            l = p
        else:
            # print('y<P_n')
            r = p

    # print('done')
    q = P_Q - p
    # print(q)
    if p > q:
        p, q = q, p
    factor2 = 2021 * p + 2020 * q
    if factor2 < 0:
        factor2 = (-1) * factor2
    return sympy.nextprime(factor2)

def get_Q():
    # Q_n = p * q
    Q_n = 20714298338160449749545360743688018842877274054540852096459485283936802341271363766157976112525034004319938054034934880860956966585051684483662535780621673316774842614701726445870630109196016676725183412879870463432277629916669130494040403733295593655306104176367902352484367520262917943100467697540593925707162162616635533550262718808746254599456286578409187895171015796991910123804529825519519278388910483133813330902530160448972926096083990208243274548561238253002789474920730760001104048093295680593033327818821255300893423412192265814418546134015557579236219461780344469127987669565138930308525189944897421753947
    # Q_E_D = e * d
    Q_E_D = 100772079222298134586116156850742817855408127716962891929259868746672572602333918958075582671752493618259518286336122772703330183037221105058298653490794337885098499073583821832532798309513538383175233429533467348390389323225198805294950484802068148590902907221150968539067980432831310376368202773212266320112670699737501054831646286585142281419237572222713975646843555024731855688573834108711874406149540078253774349708158063055754932812675786123700768288048445326199880983717504538825498103789304873682191053050366806825802602658674268440844577955499368404019114913934477160428428662847012289516655310680119638600315228284298935201
    # e*d - 1 is a multiple of phi(n); write it as 2^s * f with f odd
    f, s, tem = Q_E_D-1, 0, 1
    while f % 2 == 0:
        f = f // 2
        s += 1
    i, a, t = s, 2, f
    b = pow(a, t, Q_n)
    while b == 1:
        a = sympy.nextprime(a)
        b = pow(a, t, Q_n)

    # square b until the next square would be 1
    while i != 1:
        c = pow(b, 2, Q_n)
        if c != 1:
            b = c
            i -= 1
        else:
            break
    if b == Q_n-1:
        a = sympy.nextprime(a)
        b = pow(a, t, Q_n)
        while b == 1:
            a = sympy.nextprime(a)
            b = pow(a, t, Q_n)

    p = gcd(b-1, Q_n)
    q = Q_n//p
    if p > q:  # the challenge asserts p < q
        p, q = q, p

    factor2 = 2021 * p - 2020 * q
    if factor2 < 0:
        factor2 = (-1) * factor2
    return sympy.nextprime(factor2)

p = get_P()
print(p)
q = get_Q()
print(q)
c = 40855937355228438525361161524441274634175356845950884889338630813182607485910094677909779126550263304194796000904384775495000943424070396334435810126536165332565417336797036611773382728344687175253081047586602838685027428292621557914514629024324794275772522013126464926990620140406412999485728750385876868115091735425577555027394033416643032644774339644654011686716639760512353355719065795222201167219831780961308225780478482467294410828543488412258764446494815238766185728454416691898859462532083437213793104823759147317613637881419787581920745151430394526712790608442960106537539121880514269830696341737507717448946962021
e = 65537
n = p * q
phi = (p-1) * (q-1)
d = invert(e, phi)
m = pow(c,d,n)
print(libnum.n2s(m))
# flag:MRCTF{Ju3t_@_31mp13_que3t10n}
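
Both recoveries in general form, as an added example (not the challenge's or the author's code): a closed-form square root replaces the binary search for the n/φ(n) case, and the e*d case retries bases until a non-trivial square root of 1 appears. The function names factor_from_phi and factor_from_ed are hypothetical, and the toy key is constructed from two Mersenne primes.

```python
from math import gcd, isqrt

def factor_from_phi(n, phi):
    """p and q are the roots of x^2 - (p+q)x + n, with p + q = n - phi + 1."""
    s = n - phi + 1
    disc = s * s - 4 * n            # equals (q - p)^2
    root = isqrt(disc)
    if root * root != disc:
        raise ValueError("phi does not match n")
    return (s - root) // 2, (s + root) // 2

def factor_from_ed(n, ed):
    """Factor n = p*q from e*d, using that e*d - 1 is a multiple of phi(n)."""
    t, s = ed - 1, 0
    while t % 2 == 0:               # e*d - 1 = 2^s * t with t odd
        t //= 2
        s += 1
    for a in range(2, 1000):
        g = gcd(a, n)
        if g != 1:                  # the base itself shares a factor with n
            return tuple(sorted((g, n // g)))
        x = pow(a, t, n)
        for _ in range(s):
            y = pow(x, 2, n)
            # x^2 = 1 with x != +-1 means x - 1 shares exactly one prime with n.
            if y == 1 and x not in (1, n - 1):
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            x = y
    raise ValueError("no factor found; is ed really e*d for this n?")

# Constructed toy key (two Mersenne primes), not the challenge's values.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)

if __name__ == "__main__":
    print(factor_from_phi(N, PHI))
    print(factor_from_ed(N, E * D))
```

Either leak is equivalent to leaking the factorization itself, so φ(n), d and e*d need the same protection as p and q.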

Misc

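Can You Read Music Notes? (你能看懂音符吗)

Open the archive and there is a document whose content has been hidden somewhere. Unzip the document itself and the music notes turn up in document.xml.

Decode them with an online tool.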

flag:MRCTF{thEse_n0tes_ArE_am@zing~}

ezmisc

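The image does not display properly, so the height has probably been changed. Brute-force it, then patch the value to get the flag.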

import zlib
import struct

filename = 'flag.png'
with open(filename, 'rb') as f:
    all_b = f.read()
crc32key = int(all_b[29:33].hex(), 16)  # CRC stored after the IHDR data
data = bytearray(all_b[12:29])          # chunk type "IHDR" + 13 bytes of IHDR data
n = 4095  # in theory 0xffffffff, but given real screen sizes and CPU time, 0x0fff is about enough
for w in range(n):  # brute-force height and width together
    width = bytearray(struct.pack('>i', w))  # q is 8 bytes, i is 4 bytes, h is 2 bytes
    for h in range(n):
        height = bytearray(struct.pack('>i', h))
        for x in range(4):
            data[x+4] = width[x]
            data[x+8] = height[x]
        crc32result = zlib.crc32(data)
        if crc32result == crc32key:
            print("宽为:", end="")  # "width: "
            print(width)
            print("高为:", end="")  # "height: "
            print(height)
            exit(0)

flag:MRCTF{1ts_vEryyyyyy_ez!}

CyberPunk

Just set the system time to 2020/09/17.

flag:MRCTF{We1cOm3_70_cyber_security}

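Sleepless Night (不眠之夜)

Just assemble the jigsaw.

flag:MRCTF{Why_4re_U_5o_ShuL1an??}

(I hear the real experts just use montage, but a rookie like me has no idea how to use it, argh)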

Thousand-Layer Routine (千层套路)

Straight to the extraction script:

import zipfile,os
def unzip(path,zfile):
    file_path=path+os.sep+zfile
    desdir=path
    print(desdir)
    srcfile=zipfile.ZipFile(file_path)
    for filename in srcfile.namelist():
        srcfile.extract(filename,desdir,pwd= bytes(zfile.split(".")[0],"utf8"))
        if filename.endswith('.zip'):
            # if zipfile.is_zipfile(filename):
            path=desdir
            zfile=filename
            unzip(path,zfile)

path="C:\\Users\\Admin\\Downloads\\[MRCTF2020]千层套路"
zfile="0573.zip"
unzip(path,zfile)

That yields a list of RGB values:

from PIL import Image
x=200
y=200
im=Image.new("RGB",(x,y))
file=open('qr.txt')
for i in range(0,x):
    for j in range(0,y):
        line=file.readline()
        rgb=line.replace("\n","").replace("(","").replace(")","").split(", ")
        # print(rgb)
        if(rgb[0]==''):
            continue
        im.putpixel((i, j), (int(rgb[0]), int(rgb[1]), int(rgb[2])))

im.show()

This produces a QR code; scanning it gives the flag: MRCTF{ta01uyout1nreet1n0usandtimes}

Unravel!!

Start with Look_at_the_file_ending.wav: open it in 010 Editor and a string is visible.

key=U2FsdGVkX1/nSQN+hoHL8OwV9iJB/mSdKk5dmusulz4=

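Next, look at JM.png: run binwalk and foremost on it to get an archive, which unpacks to aes.png with "Tokyo" written on it.

This is probably AES encryption, so decrypt it with an online tool: https://www.sojson.com/encrypt_aes.html

That gives another string: CCGandGulu

Finally, open Ending.wav in SilentEye and enter the password to get the flag: MRCTF{Th1s_is_the_3nd1n9}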

Hello_ misc

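Take the image and run binwalk and foremost on it to get an archive. Then inspect the image in Stegsolve: saving Red plane 0 gives the archive password: !@#$%67*()-+

After extracting the archive, the file inside is a long list of 63, 127, 191 and 255 values. This is TTL steganography: the top two bits of each value carry the data.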

with open('out.txt', 'r') as fp:
    lines = fp.readlines()
p = []
for i in lines:
    p.append(int(i))
s = ''
for i in p:
    # map each TTL value to its top two bits
    if i == 63:
        a = '00'
    elif i == 127:
        a = '01'
    elif i == 191:
        a = '10'
    elif i == 255:
        a = '11'
    s += a

flag = ''
for i in range(0, len(s), 8):
    flag += chr(int(s[i:i+8], 2))
print(flag)
# rar-passwd:0ac1fe6b77be5dbe

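This gives the RAR password: 0ac1fe6b77be5dbe

After extracting the RAR, the document inside contains 5 base64 strings, which decode to nothing but 0s and 1s.

Looking closely, replace the 1s with spaces and zoom out as far as possible (Sublime Text), and the flag becomes readable.

flag:MRCTF{He1Lo_mi5c~} (it really is a 5...)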

pyFlag

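Three images are given. Opening them in 010 Editor shows some extra data at the end of each file, which foremost cannot carve out. On closer inspection, merging the three pieces of data into one file and extracting it gives a txt that holds the flag wrapped in nested base encodings, so just try the decoders one by one.

Decode order: base85->base16->base32->base16->base64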

flag:MRCTF{Y0u_Are_4_p3rFect_dec0der}
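
The "try them one by one" step automated, as an added example (not the author's code): each decoder is tried from the narrowest alphabet to the widest, and a layer counts only if the result is printable ASCII. The names peel and build_sample, the flag pattern, the constructed sample and the choice of Python's b85 variant for base85 are assumptions.

```python
import base64
import binascii
import re

FLAG_RE = re.compile(r"^\w+\{.*\}$")  # assumed flag shape, e.g. MRCTF{...}

# Narrowest alphabet first, so hex text is not mistaken for base32/base64.
DECODERS = [
    ("base16", base64.b16decode),
    ("base32", base64.b32decode),
    ("base64", lambda s: base64.b64decode(s, validate=True)),
    ("base85", base64.b85decode),
]

def peel(text, max_layers=32):
    """Strip nested base-N layers; return (plaintext, [layer names in order])."""
    layers = []
    for _ in range(max_layers):
        if FLAG_RE.match(text):
            break                      # looks like a flag: stop decoding
        for name, decode in DECODERS:
            try:
                out = decode(text.encode("ascii")).decode("ascii")
            except (binascii.Error, ValueError):
                continue               # wrong alphabet, padding or non-ASCII result
            if out and out.isprintable():
                text = out
                layers.append(name)
                break
        else:
            break                      # no decoder produced clean text
    return text, layers

def build_sample():
    # Constructed sample, wrapped in the reverse of the decode order stated above.
    data = b"FLAG{constructed_sample}"
    for enc in (base64.b64encode, base64.b16encode, base64.b32encode,
                base64.b16encode, base64.b85encode):
        data = enc(data)
    return data.decode("ascii")

if __name__ == "__main__":
    print(peel(build_sample()))
```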

Looking for xxx (寻找xxx)

These are phone dial tones; dtmf2num.exe gives the phone number 18684221609.

Send it to the official account to get the flag: MRCTF{Oh!!!_Y0u_f1nd_my_secret}

A Signal From ISS

This one is about SSTV radio, where an image is converted into sound; MMSSTV is all you need.

flag:merak{r3ce1ved_4n_img}

Little O's Postgraduate Re-examination (小O的考研复试)

A simple math problem.

flag = 0
for i in range(0, 19260817):
    flag = (flag*10 + 2) % 1000000007

print(flag)
# 577302567

flag:MRCTF{577302567}