输出1000000以上的两个最小的质数,且这个质数每一位的加和也是质数
def isPrime(num) :
for i in range(2,num) :
if i * i > num :
break
if num % i == 0 :
return False
return True
cnt = 0
num = [0,0]
for i in range(1000001,100000000) :
if isPrime(i) and isPrime(sum([int(x) for x in str(i)])) :
num[cnt] = i
cnt += 1
if cnt == 2 :
break
print(str(num[0]) + str(num[1]))
然后算出来的答案是
10000331000037
一堆二进制说要解码
尝试八位二进制转ASCII,没有任何有效内容……
那么数字串的长度是……441?441是7的倍数,于是尝试每7个计算然后转ASCII
s = "101010011010001101001111001101000001110100110010111110001110100010000011010011110011010000001101110101101110001011010011110100010000011001011101110110001111011111100100110010111001000100000110000111100111100011110100111010010101110010000010110011101111111010111100100100000111000011000011110011111001111101111101111111001011001000100000110100111100110100000110010111000011110011111100111100111110100110000111100101110100110010111100100101110"
print(len(s))
ans = ""
for i in range(0,len(s),7) :
ans += chr(int(s[i:i + 7],2))
print(ans)
得到了
This text is 7-bit encoded ascii. Your password is easystarter.
所以答案是:easystarter
时间看起来好充裕!有手速老哥要挑战一下吗(狗头
先点击一下链接,出现了随机串,下面的一句话是让我们用?answer=xxxxxxx的方式传递信息吧
因为wechall有限定IP链接,然而我的梯子只挂了浏览器,导致登陆一直失败,就先把梯子下了
首先我们要登陆!(不然WeChall怎么知道题是你过了呢
登陆的话我们可以传Cookie,cookie怎么看呢,按F12,刷新页面,可以得到
然后把Cookie作为头传过去就好了
(中途还经历了request.get反复超时,看到session能保持会话,用了session快了很多
import requests
headers = {
"Cookie": "input your own cookie"
}
session = requests.Session()
t = session.get("https://www.wechall.net/challenge/training/programming1/index.php?action=request",headers = headers).text
b = session.get(f"https://www.wechall.net/challenge/training/programming1/index.php?answer={t}",headers=headers)
print(b.text)
大意好像是输出一个匹配空字符串的正则表达式,并且只匹配一个
好像是要带"定界符" /
/^$/
这是匹配空的
第二个是匹配wechall
/^wechall$/
第三个匹配合法的图像文件
前面必须是wechall或者wechall4
这里的(?:)是非捕捉的匹配(capture)
/^wechall4?\.(?:jpg|gif|tiff|bmp|png)$/
第四个是匹配到了wechall4.png,但是要返回的是wechall4
这里的()是捕捉的匹配(capture)
/^(wechall4?)\.(?:jpg|gif|tiff|bmp|png)$/
要利用一段代码,这段代码有LFI 漏洞
Local File inclusion vulnerability
我们要访问http://www.wechall.net/challenge/training/php/lfi/solution.php,然而无法访问
读这段代码的话,
$filename = ‘pages/‘.(isset($_GET["file"])?$_GET["file"]:"welcome").‘.html‘;
include $filename;
include命令包含并运行指定文件
然后我尝试输入?file=../solution.php%00……发现报错,然后看了一眼安全目录里还有pages/../../
那就再加一个../,居然过了
所以说,这个相对目录(../是返回上一层)可能是从index.php开始返回……第一个返回up,然后返回lfi
所以只要输入
http://www.wechall.net/challenge/training/php/lfi/up/index.php?file=../../solution.php%00
即可,%00是url结束位置,让后面的.html不会跟上来
又是要运行一个不让运行的php,看了一下链接应该是
http://www.wechall.net/challenge/php0817/solution.php
……以为有什么奇怪的地方,结果直接输了?which=solution就过了,为什么
答案是输入:
http://www.wechall.net/challenge/php0817/index.php?which=solution
连出题人都问我……
那么为什么……?
我尝试打开Wampserver然后写了一个类似的php,似乎是case 0成立了……
然后尝试var_dump($which==0),居然是true……
D:\project\blog\index.php:5:boolean true
之后尝试搜索啦……
答案是:
当一个数字与一个字符串/字符进行大小比较时,首先系统尝试将此字符串/字符转换为整型/浮点型
会把开始能转换为数字的部分转换为数字,如果开始就是非数字那么就转化成0,所以case 0就成立了
把原来的明文按照一定规律改变位置的加密……但是开头隐隐约约就能发现wonderful好吧!拿着wonderful比对一下……原来就是交换了相邻两个字母的位置啊!(好蠢
s = "oWdnreuf.lY uoc nar ae dht eemssga eaw yebttrew eh nht eelttre sra enic roertco drre . Ihtni koy uowlu dilekt oes eoyrup sawsro don:wg edlacpcmgb.l"
ans = ""
for i in range(0,len(s),2) :
ans += s[i + 1] + s[i]
print(ans);
然后输出是
Wonderful. You can read the message way better when the letters are in correct order. I think you would like to see your password now: gdealpcmcbgl.
所以密码就是:gdealpcmcbgl
这个加密好像是叫:简单替换
em,暴力枚举的话有点大呢
猜一猜有什么单词吧……
WO PBQ RMGVABPO AIL OIY ZRU TQRL PBVX GO ETVQUL V RG VGHTQXXQL DQTO CQMM LIUQ OIYT XIMYPVIU JQO VX EGXAIWUVZZIZ PBVX MVPPMQ ZBRMMQUAQ CRX UIP PII BRTL CRX VP
V是单用的,大概是I
PB这个前缀好常用啊,大概是PBQ=the?
然后扔到一个网站上https://quipqiup.com/
就获得了答案
BY THE ALMIGHTY GOD YOU CAN READ THIS MY FRIEND I AM IMPRESSED VERY WELL DONE YOUR SOLUTION KEY IS FMSGOBNICCOC THIS LITTLE CHALLENGE WAS NOT TOO HARD WAS IT
似乎是凯撒升级版!(字符集26到128)但也只有128的枚举量,怕甚么(哼
s = "6E 16 16 0B 20 11 16 09 53 20 20 16 1C 20 1A 16 13 1D 0C 0B 20 16 15 0C 20 14 16 19 0C 20 0A 0F 08 13 13 0C 15 0E 0C 20 10 15 20 20 16 1C 19 20 11 16 1C 19 15 0C 20 55 20 7B 0F 10 1A 20 16 15 0C 20 1E 08 1A 20 0D 08 10 19 13 20 20 0C 08 1A 20 20 1B 16 20 0A 19 08 0A 12 55 20 7E 08 1A 15 4E 1B 20 10 1B 66 20 58 59 5F 20 12 0C 20 1A 20 10 1A 20 08 20 18 1C 10 1B 0C 20 1A 14 08 13 13 20 12 0C 20 1A 17 08 0A 0C 53 20 1A 16 20 10 1B 20 1A 0F 16 1C 13 0B 15 4E 1B 20 0F 08 1D 0C 20 1B 08 12 0C 15 20 20 16 1C 20 1B 16 16 20 13 16 15 0E 20 1B 16 20 0B 0C 0A 19 20 17 1B 20 1B 0F 10 1A 20 14 0C 1A 1A 08 0E 0C 55 20 7E 0C 13 13 20 0B 16 15 0C 53 20 20 16 1C 19 20 1A 16 13 1C 1B 10 16 15 20 10 1A 20 16 19 0F 0A 08 0F 09 08 0B 14 1A 14 55"
for i in range(128) :
print("".join([chr((int(x,16) + i) % 128) for x in s.split(" ")]))
print("-------------------------------------------------")
很容易就发现唯一一个可以阅读的文本了……
Goodyjob,yyouysolvedyoneymoreychallengeyinyyouryjourney.yThisyoneywasyfairlyyeasyytoycrack.yWasn‘tyit?y128ykeysyisyayquiteysmallykeyspace,ysoyityshouldn‘tyhaveytakenyyouytooylongytoydecryptythisymessage.yWellydone,yyourysolutionyisyorhcahbadmsm.
y似乎是空格……修改一下……
Good job, you solved one more challenge in your journey. This one was fairly easy to crack. Wasn‘t it? 128 keys is a quite small keyspace, so it shouldn‘t have taken you too long to decrypt this message. Well done, your solution is orhcahbadmsm.
所以答案就是:orhcahbadmsm
似乎叫:表格加密
一个字母变成两个字母
可以变成26*26个不同的双字
gztyldjdelilpwrcfxilpwnltyldknsj dptyrc rsyhkwelctdwpwyhrs pwpanlkn gvyhknkniljdyh knrckwkwyhknknqnrcfxfxctsj jxilkn ldtypw pwtyty rsnlqnqnnlkwrcfxpw yhnlpwpayhelbx ipilkn nlpwjw jxyhfxfxbx jdtytyrs rltysasj jhldpwyhel pwpanlkn aiyhctiptyelrs ilkn kntyfxrcpwnltyldhh sagvsarsfxdwtyileltyknrssj
啊,看起来似乎单词变长了,并且都是偶数,那么,我把相同双字组合的标上号就变成之前的简单替换加密了吧
30
ABCDEFGHIFGJBCKL MBH NOPEQRGON GSJK TOKKFDO KHPPOKKUHIIQL VFK CBG GBB NJUUJPHIG OJGSOEW XFK JGY VOIIW DBBN ZB[L \CGOE GSJK ]OQXBEN FK KBIHGJBC^ [T[NIRBFEBKNL
哦,似乎还有标点的说,总共的pattern数要多4个,那么句子最后的sj应该就对应句点吧
还会有什么呢,看看排在单词最后的pattern哪些最多吧
恰好只有四个只在最后出现的pattern,那么就应该是它们了
分别是sj bx jw 和hh,然后枚举以下, ? !的填法看怎样更顺眼
26
ABCDEFGHIFGJBCK! LBH MNOEPQGNM GRJK SNKKFDN KHOONKKTHIIP! UFK CBG GBB MJTTJOHIG NJGRNE, VFK JG? UNII, DBBM WBX! YCGNE GRJK ZNPVBEM FK KBIHGJBC. XSXMIQBFEBKM!
感觉第一个单词congratulations实锤了!当然还是找回老朋友quipqiup吧
哎哎哎?老朋友怎么翻译不出明文了……
难道有重复映射吗……
只好手动加字典了,最后生成的字典是这样的
s = "gztyldjdelilpwrcfxilpwnltyldknsj dptyrc rsyhkwelctdwpwyhrs pwpanlkn gvyhknkniljdyh knrckwkwyhknknqnrcfxfxctsj jxilkn ldtypw pwtyty rsnlqnqnnlkwrcfxpw yhnlpwpayhelbx ipilkn nlpwjw jxyhfxfxbx jdtytyrs rltysasj jhldpwyhel pwpanlkn aiyhctiptyelrs ilkn kntyfxrcpwnltyldhh sagvsarsfxdwtyileltyknrssj"
dict = {
"sj" : ‘!‘,
"jw" : ‘?‘,
"bx" : ‘,‘,
"hh" : ‘.‘,
"gz" : ‘c‘,
"ty" : ‘o‘,
"ld" : ‘n‘,
"jd" : ‘g‘,
"el" : ‘r‘,
"il" : ‘a‘,
"pw" : ‘t‘,
"rc" : ‘u‘,
"fx" : ‘l‘,
"nl" : ‘i‘,
"kn" : ‘s‘,
"dp" : ‘y‘,
"pa" : ‘h‘,
"rs" : ‘d‘,
"rl" : ‘j‘,
"sa" : ‘b‘,
"jx" : ‘w‘,
"yh" : ‘e‘,
"qn" : ‘f‘,
"kw" : ‘c‘,
"ct" : ‘y‘,
"gv" : ‘m‘,
"jh" : ‘e‘,
"ai" : ‘k‘,
"ip" : ‘w‘,
"dw" : ‘p‘
}
cnt = 0
ans = ""
for x in s.split(" ") :
tmp = ""
for i in range(0,len(x),2) :
if x[i:i+2] not in dict :
dict[x[i:i + 2]] = chr(ord(‘A‘) + cnt)
cnt += 1
print(chr(ord(‘A‘) + cnt - 1) + " " + x[i:i + 2])
tmp += dict[x[i:i + 2]]
ans += " " + tmp
print(cnt)
print(ans.strip())
看上去果然是呢,c有两遍,b有两遍,e也有两遍
最后的句子是
congratulations! you decrypted this message successfully! was not too difficult either, was it? well, good job! enter this keyword as solution. bmbdlpoarosd!
应该最后要转成大写,答案就是:BMBDLPOAROSD
原文:https://www.cnblogs.com/unlovelyspider/p/14402081.html