buu刷题目记录(第6页)

buumisc(6)

buu第六页,取证什么的后面在一块学习一下,目前暂时跳过了

[INSHack2018]42.tar.xz

压缩包,测试了一个需要疯狂解压解压,python脚本虽然可以,但是会爆盘

使用bash命令直接循环解压即可

1
while [ "`find . -type f -name '*.tar.xz' | wc -l`" -gt 0 ]; do find -type f -name "*.tar.xz" -exec tar xf '{}' \; -exec rm -- '{}' \;; done;

得到一堆文件和flag

1
INSA{04ebb0d6a87f9771f2eea4dce5b91a85e7623c13301a8007914085a91b3ca6d9}

[XMAN2018排位赛]AutoKey

https://github.com/WangYihang/UsbKeyboardDataHacker可以用这个工具

1
2
3
└─# python2 UsbKeyboardDataHacker.py attachment.pcapng
Running as user "root" and group "root". This could be dangerous.
[+] Found : <CAP>a<CAP>utokey('****').decipheer('<CAP>mplrvffczeyoujfjkybxgzvdgqaurkxzolkolvtufblrnjesqitwahxnsijxpnmplshcjbtyhzealogviaaissplfhlfswfehjncrwhtinsmambvexo<DEL>pze<DEL>iz')

然后处理一下密文,把<DEL>前面字母的删去

1
mplrvffczeyoujfjkybxgzvdgqaurkxzolkolvtufblrnjesqitwahxnsijxpnmplshcjbtyhzealogviaaissplfhlfswfehjncrwhtinsmambvexpziz
1
mplrvffczeyoujfjkybxgzvdgqaurkxzolkolvtufblrnjesqitwahxnsijxpnmplshcjbtyhzealogviaaissplfhlfswfehjncrwhtinsmambvexpziz

然后用autokey爆破环境配置

1
2
3
4
py文件下载地址
http://www.practicalcryptography.com/cryptanalysis/stochastic-searching/cryptanalysis-autokey-cipher/
配置文件下载地址
http://www.practicalcryptography.com/cryptanalysis/text-characterisation/quadgrams/#a-python-implementation

得到

1
-674.914569565 autokey, klen 8 :"FLAGHERE", HELLOBOYSANDGIRLSYOUARESOSMARTTHATYOUCANFINDTHEFLAGTHATIHIDEINTHEKEYBOARDPACKAGEFLAGISJHAWLZKEWXHNCDHSLWBAQJTUQZDXZQPF
1
FLAGISJHAWLZKEWXHNCDHSLWBAQJTUQZDXZQPF

得到flag

1
FLAG{JHAWLZKEWXHNCDHSLWBAQJTUQZDXZQPF}

[QCTF2018]X-man-Keyword

得到keyword:lovekfc

用lsb脚本解密可以得到https://github.com/livz/cloacked-pixel

PVSF{vVckHejqBOVX9C1c13GFfkHJrjIQeMwf}

猜测是Nihilist 密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import string

enc='PVSF{vVckHejqBOVX9C1c13GFfkHJrjIQeMwf}'
grid='LOVEKFC'+'ABDGHIJMNPQRSTUWXY'
flag=''

for i in enc:
    if i in string.ascii_lowercase:
        index=grid.lower().index(i)
        flag+=string.ascii_lowercase[index]
        continue
    if i in string.ascii_uppercase:
        index=grid.upper().index(i)
        flag+=string.ascii_uppercase[index]
        continue
    flag+=i
print(flag)

得到flag

1
QCTF{cCgeLdnrIBCX9G1g13KFfeLNsnMRdOwf}

[INSHack2017]hiding-in-plain-sight

直接用binwalk+foremost得到flag的图片

得到flag

1
INSA{l337_h4xx0r5_c0mmun1c473_w17h_PNGs}

[HDCTF2019]信号分析

得到一个wav文件,直接丢到Audacity,选择频谱图

可以看到是重复的频段,所以分析一个即可,然后安装粗1细0区分,得到

0101010101010101000000110

然后根据题目名称:PT2242信号:前面4bit表示同步码,中间的20bit表示地址码,后面的4bit表示功能码,最后一位是停止码

1
2
3
0101010101010101     00000011      0			#划分后的结果
01 代表 F		00 代表 0		11 代表 1		最后的0是结束符
FFFFFFFF0001,最后的0是结束符不计入

得到flag

1
flag{FFFFFFFF0001}

[INSHack2017]remote-multimedia-controller

得到一个流量包,解压直接搜flag

然后定位到流量包去追踪

1
Vmxkd1NrNVhVbk5qUlZKU1ltdGFjRlJYZEhOaWJFNVhWR3RPV0dKVmJEWldiR1JyV1ZkS1ZXRXphRnBpVkVaVFYycEtVMU5IUmtobFJYQlRUVmhDTmxZeFdtdGhhelZ5WWtWYWFWSlViRmRVVlZaYVRURmFjbFpyT1ZaV2JXUTJWa1pvYTFkck1YVlVhbHBoVWxack1GUlZaRXRqVmxaMVZHMTRXRkpVUlRCWFdIQkdUbGRHY2s1VmFFOVdNWEJoV1Zkek1XSldaSFJPVm1SclZsZDRXbFJWVm5wUVVUMDk=

经过好几次base64解密之后得到,flag

1
INSA{TCP_s0ck3t_4n4lys1s_c4n_b3_fun!}

一路到底

首先得到大量的txt,最下面有个start.txt,然后根据txt中的内容

1
20555 : The next is a8242a234560a0d3cf121864ee34d7fb.txt

可以知道下一个文件的是,a8242a234560a0d3cf121864ee34d7fb.txt,并且20555是效数据

然后用一个脚本提取所有信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
import binascii
from tqdm import tqdm
flag=''
with open('files/start.txt') as f:
    text=f.read()
    nexttxt=text[-36:]
    data='{:04x}'.format(int(text[0:text.find(':')-1]))#4位小数,并且16进制
    print(type(data))
    flag=flag+data
    print(text, '\t', nexttxt, '\t', data)
    for i in tqdm(range(160000)):
        try:
            with open('files/'+nexttxt) as f:
                text = f.read()
                nexttxt = text[-36:]
                data = '{:04x}'.format(int(text[0:text.find(':') - 1]))
                flag = flag + data
                #print(text, '\t', nexttxt, '\t', data)
        except:
            print(flag)
            break

with open('fla.zip','wb') as f:
    f.write(binascii.unhexlify(flag))

得到一个压缩包hint:年轻人,能走到这一步不容易啊!不要灰心,密码十分钟就可以破解哦,加油!

爆破用字母小写+数字,得到密码tgb678,解压得到图片,但是不能直接打开,用010查看文件头,修改文件头为

得到图片,查看得到flag

1
flag{0c6b489ca956e2fd94dce12be4bf0729}

[RoarCTF2019]forensic

得到没有后缀名的文件,直接打开能看到部分信息,全文可以猜测是python文件,猜测是pyc隐写

需要用python3.6之前的python版本

1
python3 stegosaurus.py -x ctf.pyc#Extracted payload: SUCTF{Z3r0_fin411y_d34d}

得到flag

1
SUCTF{Z3r0_fin411y_d34d}

[INSHack2018] (not) so deep

得到一个wav,然后直接放在,Audacity选择频谱分析得到flag的前面部分:flag{Aud1o_st3G4n

然后用deepsound打开的时候需要密码,然后用密码的hash值然后使用john进行爆破,得到密码azerty

附上deepsound_john脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
#!/usr/bin/env python3
import logging
import os
import sys
import textwrap
def decode_data_low(buf):
  return buf[::2]
def decode_data_normal(buf):
  out = bytearray()
  for i in range(0, len(buf), 4):
    out.append((buf[i] & 15) << 4 | (buf[i + 2] & 15))
  return out
def decode_data_high(buf):
  out = bytearray()
  for i in range(0, len(buf), 8):
    out.append((buf[i] & 3) << 6     | (buf[i + 2] & 3) << 4 \
             | (buf[i + 4] & 3) << 2 | (buf[i + 6] & 3))
  return out
def is_magic(buf):
  return (buf[0] & 15)  == (68 >> 4) and (buf[2]  & 15) == (68 & 15) \
     and (buf[4] & 15)  == (83 >> 4) and (buf[6]  & 15) == (83 & 15) \
     and (buf[8] & 15)  == (67 >> 4) and (buf[10] & 15) == (67 & 15) \
     and (buf[12] & 15) == (70 >> 4) and (buf[14] & 15) == (70 & 15)
def is_wave(buf):
  return buf[0:4] == b'RIFF' and buf[8:12] == b'WAVE'
def process_deepsound_file(f):
  bname = os.path.basename(f.name)
  logger = logging.getLogger(bname)
  buf = f.read(12)
  if not is_wave(buf):
    global convert_warn
    logger.error('file not in .wav format')
    convert_warn = True
    return
  f.seek(0, os.SEEK_SET)
  hdrsz = 104
  hdr = None
  while True:
    off = f.tell()
    buf = f.read(hdrsz)
    if len(buf) < hdrsz: break
    if is_magic(buf):
          hdr = decode_data_normal(buf)
          logger.info('found DeepSound header at offset %i', off)
          break
    f.seek(-hdrsz + 1, os.SEEK_CUR)
  if hdr is None:
    logger.warn('does not appear to be a DeepSound file')
    return
  mode = hdr[4]
  encrypted = hdr[5]
  modes = {2: 'low', 4: 'normal', 8: 'high'}
  if mode in modes:
    logger.info('data is encoded in %s-quality mode', modes[mode])
  else:
    logger.error('unexpected data encoding mode %i', modes[mode])
    return
  if encrypted == 0:
    logger.warn('file is not encrypted')
    return
  elif encrypted != 1:
    logger.error('unexpected encryption flag %i', encrypted)
    return
  sha1 = hdr[6:6+20]
  print('%s:$dynamic_1529$%s' % (bname, sha1.hex()))
if __name__ == '__main__':
  import argparse
  parser = argparse.ArgumentParser()
  parser.add_argument('--verbose', '-v', action='store_true')
  parser.add_argument('files', nargs='+', metavar='file',
    type=argparse.FileType('rb', bufsize=4096))
  args = parser.parse_args()
  if args.verbose:
    logging.basicConfig(level=logging.INFO)
  else:
    logging.basicConfig(level=logging.WARN)
  convert_warn = False
  for f in args.files:
    process_deepsound_file(f)

  if convert_warn:
    print(textwrap.dedent('''
    ---------------------------------------------------------------
    Some files were not in .wav format. Try converting them to .wav
    and try again. You can use: ffmpeg -i input output.wav
    ---------------------------------------------------------------'''.rstrip()), file=sys.stderr)

然后用得到的密码azerty 去用deepsound打开得到0_1s_4lwayS_Th3_S4me}拼接完整flag

1
flag{Aud1o_st3G4n0_1s_4lwayS_Th3_S4me}

[INSHack2017]10-cl0v3rf13ld-lane-signal

得到一个没有后缀名的文件,用file查看是个jpg文件,修改后缀名后可以看到下面

然后binwalk+foremost得到

00000075

可以看到左下角有信息

8

根据上面表格得到信息:HELPME,继续分析一开始的图片,在一个END后面发现ogg

Ogg全称是OGGVobis(oggVorbis)是一种音频压缩格式,类似于MP3等的音乐格式。新建一个文件把内容保存出来后缀名MP3

用Audacity打开看到莫斯密码

1
.. -. ... .- -.--. -- ----- .-. ..... ...-- ..--.- .-- .---- .-.. .-.. ..--.- -. ...-- ...- ...-- .-. ..--.- ....- --. ...-- -.-.-- -.--.-

解密后得到

1
INSA(M0R53_W1LL_N3V3R_4G3!)

[watevrCTF 2019]Unspaellablle

可以知道是https://imsdb.com/transcripts/Stargate-SG1-Children-Of-The-Gods.html原文

保存下载下来存为1.txt,linux下面使用vimdiff命令查看两个文件的差别,发现把差别字符提取出来也就是flag了。

命令:vimdiff attachment.txt 1.txt

提取出红色的字样拼接就是flag:

1
watevr{icantspeel_tiny.cc/2qtdez}

[NPUCTF2020]碰上彩虹,吃定彩虹!(未完成)

打开得到三个附件lookatme.txt用np++打开得打

莫斯密码:解密得到AUTOKEY

1
.- ..- - --- -.- . -.--

然后maybehint.txt用0宽隐写解密得到:do u know NTFS?

然后需要用到NTFS

[XMAN2018排位赛]ppap

直接搜flag,然后出来几个流量包,追踪到

复制出来,去掉前面和后面的正常信息,中间114876分界

然后吧114871行道114876行直接拿出来base64解密后保存为zip得到一个加密的zip包

1
UEsDBAoACQAAAOFTLkk/gs0NNAAAACgAAAAIABwAZmxhZy50eHRVVAkAA1aJ2Ve2h9xXdXgLAAEE6AMAAAToAwAAYrToA9yED6vL2Axm/JqV6236iHl0zKXB4CdAaOW9O+8glqQHuFocXUiDWXHqA+VHKkR0E1BLBwg/gs0NNAAAACgAAABQSwECHgMKAAkAAADhUy5JP4LNDTQAAAAoAAAACAAYAAAAAAABAAAAtIEAAAAAZmxhZy50eHRVVAUAA1aJ2Vd1eAsAAQToAwAABOgDAABQSwUGAAAAAAEAAQBOAAAAhgAAAAAA

用网站https://passwordrecovery.io/zip-file-password-removal/得到密码skullandcrossbones

1
flag{b31Ng_4_P1r4tE_1s_4lR1GHT_w1Th_M3}

[羊城杯 2020]signin

玩具总动员里面,巴斯光年成功上天,胡迪给他发了一段加密短信,但是不知道是什么?胡迪给了一段明文,一表人才,二表倒立

1
BCEHACEIBDEIBDEHBDEHADEIACEGACFIBDFHACEGBCEHBCFIBDEGBDEGADFGBDEHBDEGBDFHBCEGACFIBCFGADEIADEIADFH

根据玩具总动员的英文名是Toy Story,因此是toy密码。 https://eprint.iacr.org/2020/301.pdf 得到一表

得到二表

然后根据一表人才,二表倒立可以编写下面的脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
cipherdic = {'M':'ACEG','R':'ADEG','K':'BCEG','S':'BDEG','A':'ACEH','B':'ADEH','L':'BCEH','U':'BDEH','D':'ACEI','C':'ADEI','N':'BCEI','V':'BDEI','H':'ACFG','F':'ADFG','O':'BCFG','W':'BDFG','T':'ACFH','G':'ADFH','P':'BCFH','X':'BDFH','E':'ACFI','I':'ADFI','Q':'BCFI','Y':'BDFI'}
cipher = 'BCEHACEIBDEIBDEHBDEHADEIACEGACFIBDFHACEGBCEHBCFIBDEGBDEGADFGBDEHBDEGBDFHBCEGACFIBCFGADEIADEIADFH'
flag=''
for i in range(0,len(cipher),4):
    for k, v in cipherdic.items():
        if v == cipher[i:i+4]:
            flag = flag + k
print(flag)#LDVUUCMEXMLQSSFUSXKEOCCG
ciphertext = 'LDVUUCMEXMLQSSFUSXKEOCCG'
original_list = ['M','R','K','S','A','B','L','U','D','C','N','V','H','F','O','W','T','G','P','X','E','I','Q','Y']
reversed_list = original_list[::-1]#倒装后的表
flag = ''
for char in ciphertext:
    for i in range(len(original_list)):
        if original_list[i] ==char:
            flag=flag+reversed_list[i]
print(flag)#GWHTTOYSAYGREENTEAISCOOL

得到flag

1
GWHT{TOYSAYGREENTEAISCOOL}

[INSHack2019]Passthru

给了一个流量包和一个sslkey.log文件,可以看到流量包中存在加密

1
http.request.method==GET

过滤请求包,这些包的URL中有个参数名是:kcahsni,而题目名是:inshack

1
2
3
4
5
6
7
8
9
10
11
12
13
14
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3D82290383-7480-487c-b78b-77ac769c56cd%26kcahsni%3D9ef773fe97f56554a3b4,encoded_image=,image_content=,filename=,hl=fr
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3D8bd542b5-2056-489e-bc1c-4f028ef27894%26kcahsni%3D26cd07e1f71df3dcee9f,encoded_image=,image_content=,filename=,hl=fr
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3De76528cd-17d3-490a-be20-2d817ccee04e%26kcahsni%3D1eaf89725ab93968fc52,encoded_image=,image_content=,filename=,hl=fr
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3D491c01dd-f1a3-43c3-b3c8-30c4ab73ff4b%26kcahsni%3Df03c0a7d653539616433,encoded_image=,image_content=,filename=,hl=fr
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3Deeed4c5d-8a5f-4b8c-a12d-a2ef007e09e2%26kcahsni%3D66333861303164636130,encoded_image=,image_content=,filename=,hl=fr
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3Db69d43cd-ac86-4b20-acc6-6a441d94ae3e%26kcahsni%3D30663937353965366432,encoded_image=,image_content=,filename=,hl=fr
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3De56bc952-42c2-4631-96ee-e2e7cac51406%26kcahsni%3D30353331373634326335,encoded_image=,image_content=,filename=,hl=fr
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3Dece42ab1-a9d1-44df-a0b5-6b7e83aa9cd0%26kcahsni%3D34323166636461643033,encoded_image=,image_content=,filename=,hl=fr
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3D71ad1cf6-a31a-4694-812b-9ea5db6e3cad%26kcahsni%3D34656265373037376332,encoded_image=,image_content=,filename=,hl=fr
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3D1b3c7025-b1a8-477f-9d16-89c254af258a%26kcahsni%3D62646464343732627b41,encoded_image=,image_content=,filename=,hl=fr
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3D64ac599c-e5ac-43bc-a2e0-0447257cd5bc%26kcahsni%3D534e490b3295c3d06c24,encoded_image=,image_content=,filename=,hl=fr
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3Dd8af7f01-5b92-4ad3-8c80-c6af467eac30%26kcahsni%3Df2a8c7e8936667dbf7fe,encoded_image=,image_content=,filename=,hl=fr
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3D01b77323-6be9-4abd-b427-9f09d992a4df%26kcahsni%3Dce28456a0fd24ac21ec6,encoded_image=,image_content=,filename=,hl=fr
/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3D3f3e4f2f-5d92-4d3a-8ce8-f11943b42df3%26kcahsni%3Da12e3efe4b,encoded_image=,image_content=,filename=,hl=fr

取出来取出这些包的kcahsni的值

1
2
3
4
5
6
7
8
9
10
11
12
13
14
kcahsni%3D9ef773fe97f56554a3b4
kcahsni%3D26cd07e1f71df3dcee9f
kcahsni%3D1eaf89725ab93968fc52
kcahsni%3Df03c0a7d653539616433
kcahsni%3D66333861303164636130
kcahsni%3D30663937353965366432
kcahsni%3D30353331373634326335
kcahsni%3D34323166636461643033
kcahsni%3D34656265373037376332
kcahsni%3D62646464343732627b41
kcahsni%3D534e490b3295c3d06c24
kcahsni%3Df2a8c7e8936667dbf7fe
kcahsni%3Dce28456a0fd24ac21ec6
kcahsni%3Da12e3efe4b

拼接一下得到

1
9ef773fe97f56554a3b426cd07e1f71df3dcee9f1eaf89725ab93968fc52f03c0a7d653539616433663338613031646361303066393735396536643230353331373634326335343231666364616430333465626537303737633262646464343732627b41534e490b3295c3d06c24f2a8c7e8936667dbf7fece28456a0fd24ac21ec6a12e3efe4b

逆序输出16进制转二进制,然后逆序输出

1
INSA{b274dddb2c7707ebe430dadcf1245c246713502d6e9579f00acd10a83f3da95e}

[WMCTF2020]行为艺术

打开看到crc报错,爆破得到正确是长宽,然后通过手动记录得到下面信息,看起来是个zip

1
504B0304140000000800DB93C55086A39007D8000000DF01000008000000666C61672E74787475504B0E823010DD93708771DDCCB0270D5BBD0371815A9148AC6951C2ED9D271F89C62E2693D7F76BB7DE9FC80D2E6E68E782A326D2E01F81CE6D55E76972E9BA7BCCB3ACEF7B89F7B6E90EA16A6EE2439D45179ECDD1C5CCFB6B9AA489C1218C92B898779D765FCCBB58CC920B6662C5F91749931132258F32BBA7C288C5AE103133106608409DAC419F77241A3412907814AB7A922106B8DED0D25AEC8A634929025C46A33FE5A1D3167A100323B1ABEE4A7A0708413A19E17718165F5D3E73D577798E36D5144B66315AAE315078F5E51A29246AF402504B01021F00140009000800DB93C55086A39007D8000000DF010000080024000000000000002000000000000000666C61672E7478740A00200000000000010018004A0A9A64243BD601F9D8AB39243BD6012D00CA13223BD601504B050600000000010001005A000000FE00000000000000

发现是伪加密,得到Brainfuck加密的结果

1
2
3
4
5
6
+++++ ++++[ ->+++ +++++ +<]>+ +++++ .<+++ [->-- -<]>- .<+++ [->-- -<]>-
.<+++ +[->+ +++<] >+.<+ ++[-> ---<] >---- -.<++ +++++ [->++ +++++ <]>++
++.-- --.<+ +++[- >---- <]>-- ----. +++++ +++.< +++[- >---< ]>-.+ ++.++
+++++ .<+++ [->-- -<]>- .+++. -.... --.++ +.<++ +[->+ ++<]> ++++. <++++
++++[ ->--- ----- <]>-- ----- ----- --.<+ +++[- >++++ <]>+. +...< +++++
+++[- >++++ ++++< ]>+++ +++++ +++.. .-.<

得到flag

1
WMCTF{wai_bi_baaaa_bo!2333~~~}

[INSHack2018]Spreadshit

给了一个表格,但是里面看起来什么都没有,ctrl+F是搜索空格是由东西的,然后替换成黑色

然后去格式里面列宽调整一下宽的值,然后得到flag

1
INSA{3cf6463910edffb0}

[GKCTF 2021]银杏岛の奇妙冒险

打开文件存在一个路径附件\.minecraft\saves\Where is the flag根据文件夹的名字猜测flag

然后找附件\.minecraft\saves\Where is the flag\customnpcs\quests到三个任务

分别是寻找flag,支线,主线,在主线2.json中的得到下面字样的w3lc0me_猜测是flag中的一段

在主线3.json中的得到下面字样的t0_9kctf_

同理在其他的json寻找到完整flag

1
2
flag{w3lc0me_t0_9kctf_2021_Check_1n}
GKCTF{w3lc0me_t0_9kctf_2021_Check_1n}