BUU [GKCTF 2021]签到
1.题目概述
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/147f1141b62f45acafa7c3a41c59d95c.jpg)
文章图片
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/47d2daedf4694fbba5366afb6da0a69e.jpg)
文章图片
2.解题过程
追踪HTTP流
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/57803ec74a614dc68da2bb7655548b1d.jpg)
文章图片
在下面发现了一串可疑字符
Base16转base64
放到010里看看
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/5e45c816e2cd438fb25bac3f48669bb5.jpg)
文章图片
复制下来,去转字符
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/0d410c79beeb4fe0a6416c3d464b49ae.jpg)
文章图片
好像不是,再回去找找其他的
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/23a590410b604bd9b65e3cd74313d86e.jpg)
文章图片
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/fce5925295014d54a377b3d26c83ace3.png)
文章图片
又发现了这个
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/a4174e67288a43ecae204e566deef907.jpg)
文章图片
看来flag与Base64编码有关,那么怎么才能得到呢?
可以利用base16转成base64,然后base64又可以转成字符,就这么干
又找出来2个base16字符串
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/cb3f44a2a50c4f54ae9fc160c1308f43.jpg)
文章图片
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/79e7d65887c94963ab8ad73b739745c1.jpg)
文章图片
复制到010
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/23f2587a500d47abb21be4808b5462af.png)
文章图片
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/b857d02605864503be075c0cbc4f4f2c.jpg)
文章图片
【BUU|BUU [GKCTF 2021]签到】但是第一个解出来啥都没有
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/d39bcfb0e2b24e63a35641428734a595.jpg)
文章图片
再解解第二个
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/c1180443a9e24c36b97ac92df56f1ea0.jpg)
文章图片
看来有戏,但是解了一下没出来什么东西,还提示编码有误
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/dff0cda1ebfe4a2bb11c03af1476af6c.jpg)
文章图片
看了看才发现,他这个地方有点问题
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/52fa2e4732ad4b2facea33c5398cd259.jpg)
文章图片
正常的==应该在最后,把他逆序一下
wIDIgACIgACIgAyIK0wIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMiCNoQD
jMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjoQDjACIgACIgACIggDM6EDM6AjMgAzMtMDMtEjM
t0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0iCNMyIjMyIjMyIjMyI
6AjMgAzMtMDMtEjMwIjO0eZ62ep5K0wKrQWYwVGdv5EItAiM1Aydl5mK6M6jlfpqnrQDt0SLt0SL
t0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLK0AIdZavo75mlvlCNMTM6EDM
z0yMw0SMyAjM6Q7lpb7lmrQDrsCZhBXZ09mTg0CIyUDI3VmbqozoPW+lqeuCN0SLt0SLt0SLt0SL
sxWZld1V913e7d2ZhFGbsZmZg0lp9iunbW+Wg0lp9iunbW+Wg0lp9iunbW+WK0wMxoTMwoDMyACM
DN0QDN0QDlWazNXMx0Wbf9lRGRDNDN0ard0Rf9VZl1WbwADIdRampDKilvFIdRampDKilvVKpM2Y
==QIhM0QDN0Q
#正常情况应该是XXX==这种,所以逆序一下试试,注意是每行逆序才能得到标准的XXX==
然后建一个脚本:
每行逆序
a='wIDIgACIgACIgAyIK0wIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMiCNoQD'
b='jMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjoQDjACIgACIgACIggDM6EDM6AjMgAzMtMDMtEjM'
c='t0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0iCNMyIjMyIjMyIjMyI'
d='6AjMgAzMtMDMtEjMwIjO0eZ62ep5K0wKrQWYwVGdv5EItAiM1Aydl5mK6M6jlfpqnrQDt0SLt0SL'
e='t0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLK0AIdZavo75mlvlCNMTM6EDM'
f='z0yMw0SMyAjM6Q7lpb7lmrQDrsCZhBXZ09mTg0CIyUDI3VmbqozoPW+lqeuCN0SLt0SLt0SLt0SL'
g='sxWZld1V913e7d2ZhFGbsZmZg0lp9iunbW+Wg0lp9iunbW+Wg0lp9iunbW+WK0wMxoTMwoDMyACM'
h='DN0QDN0QDlWazNXMx0Wbf9lRGRDNDN0ard0Rf9VZl1WbwADIdRampDKilvFIdRampDKilvVKpM2Y'
i='==QIhM0QDN0Q'
print(a[::-1])
print(b[::-1])
print(c[::-1])
print(d[::-1])
print(e[::-1])
print(f[::-1])
print(g[::-1])
print(h[::-1])
print(i[::-1])
#耐心一点,正确分行
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/12e363b3d683482489bfca014f006d88.jpg)
文章图片
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/0413e5e5fef64825aed917fcff8a14c0.jpg)
文章图片
逆序后再转一下看看
base64转字符
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/f5bf7f722aac4ae89b7bf8bf4fe5a0f3.jpg)
文章图片
哇,终于出来了,去重一下
flag{Welc0me_GkC4F_m1siC!}
或者利用栅栏密码网站,调整一下{}的位置就好了
![BUU|BUU [GKCTF 2021]签到](https://img.it610.com/image/info8/a74fe183b32d4d26a42f9eb3e6891b2d.jpg)
文章图片
(注意,下划线_不要漏了)
这道签到题好难啊!!!
3.flag
flag{Welc0me_GkC4F_m1siC!}
