2022Space Heroes CTF

web

R2D2

提示robot机器人，直接访问robots.txt即可

Space Traveler

前端验证，直接右键源代码，

var _0xb645=["\x47\x75\x65\x73\x73\x20\x54\x68\x65\x20\x46\x6C\x61\x67","\x73\x68\x63\x74\x66\x7B\x66\x6C\x61\x67\x7D","\x59\x6F\x75\x20\x67\x75\x65\x73\x73\x65\x64\x20\x72\x69\x67\x68\x74\x2E","\x73\x68\x63\x74\x66\x7B\x65\x69\x67\x68\x74\x79\x5F\x73\x65\x76\x65\x6E\x5F\x74\x68\x6F\x75\x73\x61\x6E\x64\x5F\x6D\x69\x6C\x6C\x69\x6F\x6E\x5F\x73\x75\x6E\x73\x7D","\x59\x6F\x75\x20\x67\x75\x65\x73\x73\x65\x64\x20\x77\x72\x6F\x6E\x67\x2E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x64\x65\x6D\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64"];function myFunction(){let _0xb729x2;let _0xb729x3=prompt(_0xb645[0],_0xb645[1]);switch(_0xb729x3){case _0xb645[3]:_0xb729x2= _0xb645[2];break;default:_0xb729x2= _0xb645[4]};document[_0xb645[7]](_0xb645[6])[_0xb645[5]]= _0xb729x2}

这里函数拼接 不用管，直接把所有的16进制提出来，解一下就出了.

\x47\x75\x65\x73\x73\x20\x54\x68\x65\x20\x46\x6C\x61\x67\x73\x68\x63\x74\x66\x7B\x66\x6C\x61\x67\x7D\x59\x6F\x75\x20\x67\x75\x65\x73\x73\x65\x64\x20\x72\x69\x67\x68\x74\x2E\x73\x68\x63\x74\x66\x7B\x65\x69\x67\x68\x74\x79\x5F\x73\x65\x76\x65\x6E\x5F\x74\x68\x6F\x75\x73\x61\x6E\x64\x5F\x6D\x69\x6C\x6C\x69\x6F\x6E\x5F\x73\x75\x6E\x73\x7D\x59\x6F\x75\x20\x67\x75\x65\x73\x73\x65\x64\x20\x77\x72\x6F\x6E\x67\x2E\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C\x64\x65\x6D\x6F\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64

crypto

Khaaaaaan!

开局一张图，是四种图形编码

分别对应的是

https://www.dcode.fr/symbols-ciphers
shctf{without_freedom_of_choice_there_is_no_creativity}

MobileInfantry

# def len_check(pad):
#     if len(pad) != 38:
#         return False
#     return True

# 38位，
# def check1(pad):
#     for i in range(0, int(len(pad)/2)+1):
#         if not pad[i].isupper():
#             return False
#     return True
# isupper():大写，1-20

# def check2(pad):
#     for i in range(int(len(pad)/2)+1, len(pad)):
#         if not pad[i].islower():
#             return False
#     return True

# islower():小写，21-38
# def check3(pad):
#     for i in range(0, int(len(pad)/2)):
#         if ord(pad[i]) != ord(pad[i+1])-1:
#             return False
#     return True
# 1-19  ABCDEFGHIJKLMNOPQRSTaaaaaaaaaaaaaaaaaa
# ABCDEFGHIJKLMNOPQRSTUVWXYZ
# zyxwvutsrqponmlkjihgfedcba
# zyxwvutsrqponmlkji
# def check4(pad):
#     for i in range(int(len(pad)/2)+1, len(pad)-1):
#         if ord(pad[i]) != ord(pad[i+1])+1:
#             return False
#     return True
# ABCDEFGHIJKLMNOPQRSTzyxwvutsrqponmlkji

from pwn import *
strqian = "ABCDEFGHIJKLMNOPQRST"
strhou = "zyxwvutsrqponmlkji"
listqian = []
listhou = []
#循环出所有前缀listqian
for j in range(7):
    s = ""
    for i in strqian:
        s = s + chr(ord(i)+j)
        #print("\n")
    #print("\n")
    listqian.append(s)

#print(listqian)

#循环出所有后缀listhou
for j in range(9):
    s = ""
    for i in strhou:
        s = s + chr(ord(i)-j)
        #print("\n")
    #print("\n")
    listhou.append(s)
#print(listhou)
for i in range(7):
    for j in range(9):
        sendstr = listqian[i]+listhou[j]
        try:
            io = remote("0.cloud.chals.io",27602)
            io.sendline(sendstr)
            a = io.recvall()
            # io.recvuntil("[+]",)
            # a = io.recvuntil(".",)
            #print(a.encode())
            #if "{" in str(a) or "}" in str(a):
            if "flag" in str(a):
                print(sendstr)
                #io.interactive()
                print(a)
                break
                
        except:
            pass