🇺🇸RiceTeaCatPandaCTF 2020 Writeup

Author: 颖奇L’Amore

Blog: www.gem-love.com

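This was a US-run competition. Many of the challenges worth more than 200 points were brain-dead easy, while the ones under 200 points were full of traps, and a lot of challenges needed big leaps of guesswork.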


Web

Robots. Yeah, I know, pretty obvious.(25 points)

The challenge description mentions robots.

So I visited /robots.txt and found /robot-nurses.

Visiting it gives the flag.


No Sleep(100 points)

There is a cookie named gamerfuel that holds a date; change it and the flag appears.


Phishing For Flag(105 points)

There is an attachment; unzipping it gives a few emails, and one of them contains a hyperlink when opened.

Visiting the link gives the flag.


Uwu?(125 points)

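Several pages keep redirecting to each other like crazy. Capture the traffic with Burp and the flag can be found in one of the pages.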


What’s in The Box?!(200 points)

Inspect the page source; there are a few comments at the very bottom, and joining them together gives the flag.


web invaders(250points)

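It is a space-shooter game. Inspecting the page shows an <iframe> tag pointing to a GitHub Pages site: https://jef1056.github.io/

From there I found the corresponding GitHub repository: https://github.com/JEF1056/jef1056.github.io

I went through every file in it one by one. The hex files need to be converted to strings to read them, using a tool such as Hex Fiend or WinHex. In the end the flag was in archive/game.arcd0: rtcp{web_h^ck3r_0004212}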


*growls at the chicken*(1000 points)

Don't be fooled by the 1000 points; it is all guesswork.

Challenge description:

grrrrrrR
big chicken, i hisS At you!!!

Hint1:

Hint2:

Public (Base64 key blob omitted)

Hint3:

Private (Base64 key blob omitted)

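In the challenge description the only uppercase letters are R, S and A, and the hints give a public and a private value, so it is not hard to think of the RSA algorithm and its public key and private key. RSA is an asymmetric cipher: the public key encrypts and the private key decrypts, so decrypting this message only needs the private key, and the public key is not really needed. There are plenty of online decryption tools; the decrypted plaintext is a URL: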

unknown-123-246-470-726.herokuapp.com

Viewing the HTML source reveals two hidden paragraphs:

<p hidden>9 20 30 15 16 5 14 19 30 27 29 8 20 13 12 28</p>
 
<p hidden>"abcdefghijklmnopqrstuvwxyz[]. "</p>

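This took a long time to figure out. Eventually I found that:

  • The numbers in the first row are indices into the second row
  • 9 corresponds to the 9th character of the second row, i; 20 is the 20th character

A decoding script: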

num = [9, 20, 30, 15, 16, 5, 14, 19, 30, 27, 29, 8, 20, 13, 12, 28]
# The indices are 1-based, so pad the hidden alphabet with a dummy character at index 0
letter = "0abcdefghijklmnopqrstuvwxyz[]. "
s = ''
for i in num:
    s += letter[i]
print(s)

Result:

it opens [.html]

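There was one more piece of information, in console.log:

More guesswork. Reading this dialogue gives two keywords:

  1. There is a defuser
  2. It is in the drawer

Combine this with the plaintext just obtained (it opens with .html): since we are supposed to grab something from the drawer and open it with .html, visit https://unknown-123-246-470-726.herokuapp.com/drawer.html. The flag is inside a <p hidden> tag: rtcp{ch1ck3n_4nd_th3_3gg}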


Sprite Viewer (400 points)

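This challenge appeared after all the other web challenges had been solved. It is a Unity game, and we have to find the image of the goblin and compute its MD5.

After reading a lot of the Unity WebGL manual I learned that much of the data is stored in files of the .data.unityweb format. The Network tab of Chrome's DevTools shows the files being loaded, and there I found Builds.data.unityweb.

Next the goblin image has to be extracted from this .data.unityweb file. Searching for how to export game assets turned up a tool called AssetStudioGUI. Reference:

Unity game asset extraction  https://www.jianshu.com/p/bc2257332722

Open the unityweb file in AssetStudioGUI, find goblin and export it to get goblin.png.

Then compute the MD5 of goblin.png:

Online file MD5 calculator http://www.metools.info/other/o21.html

MD5: 4698b70704c2c4dbd427dafc1bbf5c89

The challenge hint says the answer is an MD5 and does not need rtcp{}, so this MD5 value is the flag.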


Misc

Strong Password(5 points)

Warm-up challenge. Description:

Eat, Drink, Pet, Hug, Repeat!

flags are entered in the format rtcp{flag}

Words are separated by underscores ("_")

Come on, repeat it! Just once!

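As the description says, the four words Eat, Drink, Pet, Hug are to be repeated once, that is, copied out once and separated by underscores. The competition is called Rice Tea Cat Panda: Rice goes with Eat, Tea with Drink, Cat with Pet and Panda with Hug, so the flag is rtcp{rice_tea_cat_panda}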


Survey(100points)

A free flag: fill in the survey to get it.


A Friend In Need Is A Friend Indeed(50points)

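Chat with Jade Bot.

Send it the flag of the first misc challenge and it replies with the flag for this one: rtcp{awaken_winged_sun_dragon_of_ra}

I just don't see the point of this kind of challenge.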


Off-Topic(5points)

This challenge appears after solving the previous one. Description:

who here knows the name of the catpanda in the server picture? will give points if you know

Go to the CTF home page and inspect the catpanda image; her name is Jubie.

The flag is Jubie.


Forensics

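Forensics is a category that CTFs in China rarely include; it is mostly seen in competitions such as industrial-control ones. It is really all the same old tricks, and really just misc and crypto.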

BTS-Crazed(75points)

Description:

My friend made this cool remix, and it's pretty good, but everyone says there's a deeper meaning in the music. To be honest, I can't really tell - the second drop's 808s are just too epic.

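The download is a file named Save Me.mp3, a song. At first I had no idea: it is not spectrum analysis, nothing is wrong when playing it, and there is no hidden file bundled in.

Then I found that simply searching the file for strings is enough.

Or use Hex Fiend.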


Allergic College Application(100points)

Description:

I was writing my common app essay in Mandarin when my cat got on my lap and sneezed. Being allergic, I sneezed with him, and when I blew my nose into a tissue, the text for my essay turned really weird! Get out, Bad Kitty!

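A Mandarin challenge. I thought a Chinese-language challenge written by foreigners would be fun, but there was nothing to it: download the attachment, open it, and the flag is right there: rtcp{我_只_修改_了_两_次}

Maybe Notepad on the author's computer has no encoding like GB2312...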


cat-chat(125points)

Description:

nyameowmeow nyameow nyanya meow purr nyameowmeow nyameow nyanya meow purr nyameowmeow nyanyanyanya nyameow meow purr meow nyanyanyanya nya purr nyanyanyanya nya meownyameownya meownyameow purr nyanya nyanyanya purr meowmeownya meowmeowmeow nyanya meownya meowmeownya purr meowmeowmeow meownya purr nyanyanyanya nya nyameownya nya !!!!

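So it really is just a cat chat?

hint:

once you've figured this out, head to discord's #catchat channel.

Over in the #catchat channel, things are rather chaotic.

Big guesswork challenge!

The bot's cat language has only three sounds: nya, meow and purr. nya is sometimes joined to meow, while purr is always a word by itself. After a very long brainstorm, I mapped them to Morse code:

  1. nya => .
  2. meow => _
  3. purr => /

A simple script to decode the text given in the challenge: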

# Morse alphabet, written with '_' for a dash so that "meow" maps straight onto it
MORSE_CODE_DICT = {'A': '._', 'B': '_...',
                   'C': '_._.', 'D': '_..', 'E': '.',
                   'F': '.._.', 'G': '__.', 'H': '....',
                   'I': '..', 'J': '.___', 'K': '_._',
                   'L': '._..', 'M': '__', 'N': '_.',
                   'O': '___', 'P': '.__.', 'Q': '__._',
                   'R': '._.', 'S': '...', 'T': '_',
                   'U': '.._', 'V': '..._', 'W': '.__',
                   'X': '_.._', 'Y': '_.__', 'Z': '__..',
                   '1': '.____', '2': '..___', '3': '...__',
                   '4': '...._', '5': '.....', '6': '_....',
                   '7': '__...', '8': '___..', '9': '____.',
                   '0': '_____', ',': '__..__', '.': '._._._',
                   '?': '..__..', '/': '_.._.', '-': '_...._', '_': '..__._',
                   '(': '_.__.', ')': '_.__._', ' ': '/', ':': "___...", '\'': '.____.'}

# Reverse table: Morse symbol -> character ('/' decodes to the space between words)
MORSE_DECODE = {code: char for char, code in MORSE_CODE_DICT.items()}


def deCatChat(text):
    # nya -> dot, meow -> dash, purr -> word separator
    text = text.replace("nya", ".")
    text = text.replace("meow", "_")
    text = text.replace("purr", "/")
    decr = ''
    for token in text.split():
        # Tokens that are not Morse (such as the trailing "!!!!") are skipped
        decr += MORSE_DECODE.get(token, '')
    return decr


cipher = input()
print(deCatChat(cipher))

Run it and enter the cat language from the challenge description to decode it:

WAIT WAIT WHAT THE HECK IS GOING ON HER

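No flag yet, but at least it ran successfully, which shows the approach is right.

Next, convert rtcp to Morse code and then to cat language, search for it in the channel, and feed the cat language that turns up back into the script to decode it.

Flag: rtcp{TH15_1Z_A_C4T_CH4T_N0T_A_M3M3_CH4T}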


catch-at(66 point)

This is the follow-up to cat chat and appears once cat chat is solved. The challenge gives only a mysterious number:

636274425917865984

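I have no idea what this number is for, but since this challenge follows on from cat chat, I decoded all the cat language in the channel and found a message:

Decoding it with the script from the previous challenge gives: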

OH BY THE WAY, HERE'S A LITTLE SOMETHING: W0W_D15C0RD_H4S_S34RCH_F34TUR3

Flag: rtcp{W0W_D15C0RD_H4S_S34RCH_F34TUR35}


Chugalug’s Footpads(150)

Description:

Chugalug makes footpads that he can chug and lug. However, his left one is different from his right... I wonder why?

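The attachment is two images.

First convert the images to hex files.

Then compare them with a tool such as vimdiff or Sublimerge; joining up the places that differ gives the flag.

flag: rtcp{Th3ze_^r3_n0TcH4nC1a5}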


BASmati ricE 64(150)

Description:

There's a flag in that bowl somewhere...

Replace all zs with _ in your flag and wrap in rtcp{...}.

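First use Steghide to extract the hidden data.

The challenge title shows that a Base64 conversion is needed.

Following the description, replace z with _; flag: rtcp{s0m3t1m35_th1ng5_Ar3_3nc0D3d}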


League of Asian Grandmas (200 points)

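The challenge is 4 images. Stitch them together in Photoshop, apply the twirl distortion, and the flag shows up.

It is not very clear, but it can roughly be made out; after a few submission attempts, flag: rtcp{Y3p_N0th1Ng_t0_s33_H3rE}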


i turned a bad copypasta into a bad challenge(300points)

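The finale of the forensics category. At the time of writing there were 13 solves in total including mine, while the other challenges each had three or four hundred solves. I expected it to be high quality, but...

The challenge is an audio file; drag it into Audacity and look at the spectrogram.

flag: rtcp{Th4t_w4$nT_b4D}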


Binary/Executable

I am weak at binary and never do it in competitions, but one look at this competition's binary challenges filled me with confidence...

print(f) to Pay Respects (100 points)

Description:

Lulu recently began to collect rice granules, she needs so many! (like over 9999) Jake says it might be a cure to Lulu's disease. Go help her get enough by throwing rice at the portal, print(f) to pay respects.

Careful not to throw rice in the wrong direction, just thow it close by (not into) the portal - Jake can pick it up later.

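Challenge files:

Portal.exe would not run, and after a round of analysis in IDA there was not even a main function. Since there was also a DLL, I ended up opening the extracted .text in Notepad and found the flag there..

flag: rtcp{s0m3t1m35_0n1y_s0m3tImEz_sn^k3z_ar3_u5EfuL}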


Work In Progress (400 points)

It is a game, not hard: move and jump the little character, and clearing the level gives the flag.

flag: rtcp{Th3_qu1ck_br0WN_^dv3nturEr_jump$_0v3r_ThE_l^zy_cL1ff}


Snakes (500points)

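No idea why this one is worth 500 points... Maybe foreigners can't use IDA... I dragged it into IDA and, before I even got to press F5, found the flag just by looking around...

flag: rtcp{Sn^k3s_41wAyz_g3T_F0uNd}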


General Skills

More misc.

Come Eat Grandma (25points)

The challenge is a Google Doc:

https://docs.google.com/spreadsheets/d/1EQDYaEU9jWZGIh96nGQpzpMnMdcT9ukZGT5GwRBfos4/edit#gid=0

But I could not find the flag anywhere. Then I found that the version history can be viewed, just like commits on GitHub.

The flag is in a version from 2019.10.16: rtcp{D0n’t_E^t_Gr4NDmA_734252}


Basic C4 (30 points)

Attachment:

SGFoLCB5b3UgdGhvdWdodA==
UmVhbGx5PyBEaWQgeW91IGFjdHVhbGx5IGtlZXAgZ29pbmc=
bG93a2V5IGRpc3NhcG9pbnRlZC4uLg==
ZnVuIGZhY3Q6IEplc3MgaXMgYWN0dWFsbHkgYSBjYXQ=
bWVycA==
Kmluc2VydCBmaWxsZXIgbWF0ZXJpYWwgaGVyZSo=
d2VscCB0aGF0IHNob3VsZCBiZSBlbm91Z2ggZGF0YQ==
aWYgeW91IGNhbid0IHRlbGwgYWxyZWFkeSwgZGVjb2RpbmcgdGhpcyBpc24ndCB0aGUgYW5zd2Vy

At first I thought it was Base64 steganography, but running it through a script produced nothing, so I went back to the description:

If you use that bomb, you might cause an Avalanche...
Let's not destroy my IO, ok?
The flag starts with c4
Submit in the format: rtcp{90-char-flag}

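Both the title and the description stress C4, and there is another keyword, IO.

After more than half an hour of Googling I finally found a website: http://www.cccc.io/

Sure enough, c4 + io. Speechless. Just as every file has its own hash values such as MD5 and SHA-1 (although two different files can have the same MD5), this site offers a new kind of hash identifier, the C4 ID. Its introduction: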

C4 IDs are better than other identification systems in most respects. They are better for identification then filenames, URLs, and UUIDs. C4 IDs are an encoding of a SHA-512 hash that is shorter and more ergonomic than hex and yet packed with features.

Submit the attachment to compute its C4 ID:

c42CW3TbiGhvptM36RJJ9ScctgkskjvZPo6dG8JexzZRvzQR6hwovZJLDkYK5pZ6cq9e7fX1ShUiYUdM7H1Uuqj64G

It starts with c4 and is exactly 90 characters, so the flag is: rtcp{c42CW3TbiGhvptM36RJJ9ScctgkskjvZPo6dG8JexzZRvzQR6hwovZJLDkYK5pZ6cq9e7fX1ShUiYUdM7H1Uuqj64G}


Sticks and Stones (50 points)

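Challenge link: https://raw.githubusercontent.com/JEF1056/riceteacatpanda/master/Sticks%20and%20Stones%20(50)/worbz.txt

It contains several million flags, all of the form rtcp{xxxx}, so clearly we have to find the real one among them. Most of them are just letters strung together, such as rtcp{connexuremidrashBrantwood}, whereas a normal flag should contain digits, letters and symbols.

There are 10 digits to search for, while for symbols the most common one in a flag is the underscore, so simply searching for an underscore finds the flag: rtcp{w0Rd5_HuRt_,_d0n’T_Bu11y_,_k1Dz}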


Types of Rice and Cookies, Because Those Definitely Go Together Well (100 points)

Description:

It's important to know all the different kinds of rice. After all, what kind of cook would Delphine be if she couldn't identify the different types? But GIANt needs to learn too. So Delphine is having him research different kinds of cookies. She wants him to find the cookie that help websites remember her information and settings when she visit them in the future. Creepy? Yes. Important? Also yes.

This challenge still follows typical flag format, just wrap your answer with rtcp{answer_here}.

Non-case sensitive.

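Guesswork challenge. The description asks us to look into the different types of cookie but gives no URL, and the competition platform has no cookies other than the session. Following the hint in the description, I searched for the types of cookie: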

https://blog.csdn.net/pzqingchong/article/details/70856063

a.Session Cookie
b.Persistent Cookie
c.Secure cookie
d.HttpOnly Cookie
e.3rd-party cookie
f.Super Cookie

I tried the names of the cookie types one after another; flag: rtcp{persistent_cookies}


Grandma’s Recipes (100 points)

Description:

So Delphine and the GIANt wanted to make a recipe that Delphine's grandma passed down to her. The problem is, her grandma is extremely tech-savvy. In fact, she likes using a Certain Website on the endless Inter-Webs. She says it's very useful for storing her recipes. It'll be kinda hard for Delphine and the GIANt to git her recipes though; they don't know her username. Oh well. But hey, they know that she likes naming things after the Holy Rice Goddess.

I wonder what recipe Delphine and GIANt are making. . .

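Guesswork plus information gathering. The description contains two keywords, git and the Holy Rice Goddess. For a challenge that is just a paragraph of text, all you can do is guess. So I Googled my way to a repository:

https://github.com/pandaram/holy-rice-goddess-recipes

The flag is in meatloaf_recipe.txt: rtcp{ju5t_l1k3_gr4ndm45_m34tl04f_1029837}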


pandamonium (100 points)

Description:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

91 7 10 D 95 42 28 A

underscore between 6th and 7th char, not including the flag wrapping (rtcp{})

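I really could not work out what this was, and few people solved it during the competition. With a challenge that few have solved, you are already intimidated before you start, and give up at the slightest difficulty.

Later I read a writeup:

I could barely follow it. It roughly described the author's thought process; the author could not tell what this was either. As for the 72 A's and the 8 numbers/letters below them, are A and D hexadecimal or something? I really could not figure it out, so I went to read other people's writeups.

The periodic table! I never would have thought of it!

Replace the numbers with the corresponding elements of the periodic table, add the underscore where the challenge asks (between the 6th and 7th characters), and you get the flag: rtcp{PaNNeD_AmMoNiA}

Speechless... I actually wrote a guessy periodic-table challenge myself a while ago, a web one, and still did not think of it. Even a keyword such as Mendeleev would have been enough.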


Treeeeeeee (200 points)

Description:

It appears that my cat has gotten itself stuck in a tree... It's really tall and I can't seem to reach it. Maybe you can throw a snake at the tree to find it?
Oh, you want to know what my cat looks like? I put a picture in the hints.

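There is also an attachment containing all sorts of subdirectories and some images. The images are all flags and not all identical, but there are duplicates.

I searched Baidu for a tool to remove duplicate files:

fdupes: a command-line tool for finding and deleting duplicate files on Linux
https://linux.cn/article-6127-1.html

Following the usage in that article, -r -d, the deletion did not succeed. No matter: the -S -r options search for duplicate files and show their sizes.

It turns out there are only 2 kinds of duplicated image: 1496 bytes and 1718 bytes.

So by searching for jpg images of any size other than these two, we may find the flag. First search for ones larger than 1718 B: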

~/桌面# fdupes -Sr bigtree/ >> 1.txt
~/桌面# find bigtree/ -name "*.jpg" -size +1719c
bigtree/P24AKQCA/I0E91C/6SF60/N02AKM/EAJCOQ6/ENP92.jpg

Open the image that the search found to get the flag.
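As an added example (not part of the original writeup), the same hunt done by content hash instead of file size, which also catches an odd image that happens to have the same size as a decoy. The directory layout and file contents below are constructed sample data, and the function names are chosen here.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def unique_images(root, suffix=".jpg"):
    """Return the paths under root whose content no other file shares."""
    by_digest = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            by_digest[digest].append(path)
    # A group of size 1 means the file has no duplicate anywhere in the tree
    return sorted(paths[0] for paths in by_digest.values() if len(paths) == 1)


def build_sample_tree(root):
    """Constructed stand-in for the attachment: two decoys repeated, one odd file."""
    decoy_a = b"\xff\xd8" + b"a" * 1494   # 1496 bytes, like the first decoy size
    decoy_b = b"\xff\xd8" + b"b" * 1716   # 1718 bytes, like the second decoy size
    odd_one = b"\xff\xd8" + b"c" * 1716   # same size as decoy_b, different content
    layout = {
        "A1/B1/x1.jpg": decoy_a,
        "A1/B2/x2.jpg": decoy_a,
        "A2/x3.jpg": decoy_b,
        "A2/B3/C1/x4.jpg": decoy_b,
        "A2/B3/C2/odd.jpg": odd_one,
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp directory and list its unique images."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = unique_images(root)
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in found]


if __name__ == "__main__":
    print(demo())
```

A size-based search such as `find -size` would miss odd.jpg in this sample, because it is exactly as large as one of the decoys.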


Editor (300 points)

Description:

Mr. Willis, my computor science principals teacher, taught us how to web scrape using google sheets! He assinged us a webscraping prodjects and it's due soon and I finished it, but some of these functions aren't working because of my atrosious spelling >.< can you please help me edit my spelling?

Objectives: Edit the spelling of the google sheets functions

Notes: Make a personal copy of the sheets document to edit. Don't edit E22. Only edit the functions themselves, all values and URLs should be correct.

https://docs.google.com/spreadsheets/d/1CoEtIpjEVCh9UrsuyBBRqTiZDytVP9Avq8ZpyX8oStg/edit?usp=sharing

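The challenge gives a Google document named Oops my spelig, read-only.

It contains many broken formulas that cause errors; the flag is probably hidden beneath these ERRORs.

Download the document and fix all the formula mistakes (such as mistyped brackets), and the flag appears.

flag: rtcp{Mr.Wi11is_is_4W3S0me}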


Cryptography

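Crypto is a category I only started on recently, so I can only do the simple challenges. The style of crypto challenges abroad differs from that in China: in Chinese CTFs RSA-related challenges make up a large share, whereas this competition was almost all traditional "encodings" and "classical ciphers", with very little of complex algorithms such as DES and RSA. They were still hard to solve though; too much guesswork.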

HOOOOOOOOOOMEEEEEE RUNNNNNNNNNNNNN!!!!! (50points)

Description:

AND JAKE IS ROUNDING THE BASES
HE PASSES BASE 32!!!
HE ROUNDS BASE 64!!!!!!!
WE'RE WITNESSING A MIRACLE!!!!!!!!!!!!!


Just one more base to go ;D

cipher:

Ecbf1HZ_kd8jR5K?[";(7;aJp?[4>J?Slk3<+n'pF]W^,F>._lB/=r

The challenge says it is about bases, it is neither base32 nor base64, and it says one more base to go, so consider base85.

One round of base85 conversion gives the flag: rtcp{uH_JAk3_w3REn’t_y0u_4t_Th3_uWust0r4g3}


Don’t Give The GIANt a COOKie (100 points)

Description:

It was just a typical day in the bakery for Delphine. She was preparing her famous chocolate cake, when all of a sudden a GIANt burst through the doors of her establishment and demanded a cookie. Being the strong-willed girl she was, Delphine refused and promptly threw her rolling pin at the GIANt. Doing what any sensible being would do when faced with projectiles, the GIANt let out a shriek and ran out of the shop. Delphine smiled to herself, it was another day well done.

But oh? What's this? It seems the GIANt dropped this behind while he was screaming and scrambling out of the shop.

69acad26c0b7fa29d2df023b4744bf07

This challenge still follows typical flag format, just wrap your answer with rtcp{answer_here}.

Non-case sensitive.

A whole lot of waffle; just crack the MD5.

Replace the space with an underscore; flag: rtcp{chocolate_mmm}


15 (100 points)

Description:

Lhzdwt eceowwl: Dhtnwt Pcln Eaao Qwoohvw

Okw qsyo okcln bah'i fslo cl baht Dhtnwt Pcln dhtnwt cy yazwalw'y eaao ehlnhy. Dho sy co ohtly aho, okso zcnko dw fkso bah nwo. S 4vksllwt hmqasiwi s mkaoa slalbzahyqb oa okw ycow ykafvsycln kcy ewwo cl s mqsyocv dcl ae qwoohvw, fcok okw yosowzwlo: "Okcy cy okw qwoohvw bah wso so Dhtnwt Pcln." Sizcoowiqb, kw ksi ykawy al. Dho okso'y wgwl fatyw.

Okw mayo fwlo qcgw so 11:38 MZ al Xhqb 16, sli s zwtw ofwlob zclhowy qsowt, okw Dhtnwt Pcln cl rhwyocal fsy sqwtowi oa okw tanhw wzmqabww. So qwsyo, C kamw kw'y tanhw. Kaf ici co ksmmwl? Fwqq, okw DP wzmqabww ksil'o twzagwi okw WJCE isos etaz okw hmqasiwi mkaoa, fkcvk yhnnwyowi okw vhqmtco fsy yazwfkwtw cl Zsbecwqi Kwcnkoy, Akca. Okcy fsy so 11:47. Oktww zclhowy qsowt so 11:50, okw Dhtnwt Pcln dtslvk siitwyy fsy mayowi fcok fcykwy ae ksmmb hlwzmqabzwlo. Ecgw zclhowy qsowt, okw lwfy yosocal fsy valosvowi db slaokwt 4vksllwt. Sli oktww zclhowy qsowt, so 11:58, s qclp fsy mayowi: DP'y "Owqq hy sdaho hy" alqclw eathz. Okw eaao mkaoa, aokwtfcyw plafl sy wjkcdco S, fsy soosvkwi. Vqwgwqsli Yvwlw Zsnsuclw valosvowi okw DP cl rhwyocal okw lwjo isb. Fkwl rhwyocalwi, okw dtwspesyo ykceo zslsnwt ysci "Ak, C plaf fka okso cy. Kw'y nwoocln ectwi." Zbyowtb yaqgwi, db 4vksl. Laf fw vsl sqq na dsvp oa wsocln aht esyo eaai cl mwsvw.

tovm{v4T3Ehq_f1oK_3J1e_i4O4}

cipher:

tovm{v4T3Ehq_f1oK_3J1e_i4O4}

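This cipher is clearly the flag, but it is not Caesar, rail fence, Vigenère or the like; from tovm mapping to rtcp you can also tell that the offset of each letter in the ASCII table is not the same during encryption. After thinking for ages, I decided to brute-force the ciphertext.

Luckily someone has already built such a tool: quipqiup can analyse the ciphertext automatically and brute-force it into English. Just throw it in for automatic detection and solving.

Decrypted: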

Number fifteen: Burger King Foot Lettuce The last thing you'd want in your Burger King burger is someone's foot fungus. But as it turns out, that might be what you get. A 4channer uploaded a photo anonymously to the site showcasing his feet in a plastic bin of lettuce, with the statement: "This is the lettuce you eat at Burger King." Admittedly, he had shoes on. But that's even worse. The post went live at 11:38 PM on July 16, and a mere twenty minutes later, the Burger King in question was alerted to the rogue employee. At least, I hope he's rogue. How did it happen? Well, the BK employee hadn't removed the EXIF data from the uploaded photo, which suggested the culprit was somewhere in Mayfield Heights, Ohio. This was at 11:47. Three minutes later at 11:50, the Burger King branch address was posted with wishes of happy unemployment. Five minutes later, the news station was contacted by another 4channer. And three minutes later, at 11:58, a link was posted: BK's "Tell us about us" online forum. The foot photo, otherwise known as exhibit A, was attached. Cleveland Scene Magazine contacted the BK in question the next day. When questioned, the breakfast shift manager said "Oh, I know who that is. He's getting fired." Mystery solved, by 4chan. Now we can all go back to eating our fast food in peace. rtcp{c4R3Ful_w1tH_3X1f_d4T4}

flag: rtcp{c4R3Ful_w1tH_3X1f_d4T4}

(A few days later I will participate in making CTF challenges. If you are reading this writeup, just pay attention.)


notice me senpai (100 points)

Description:

uwu...senpai placed this note on my desk before class but i cant wead what it says!!!!!! can you hewp me????????? uwu tysm

tlyrc_o_0pnvhu}{137rmi__i_omwm

Challenge Author: Jess (the other one)/J

cipher:

tlyrc_o_0pnvhu}{137rmi__i_omwm

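A standard-trick challenge. The cipher contains {}, so has the string simply been shuffled? The letters r, t, c, p are all there as well, so the order has probably been scrambled, but I could not see the rule behind it. After thinking for a long while, I decided to brute-force it like the previous challenge: if the result is English, it should be the flag.

First remove rtcp{}:

ly_o_0nvhu137rmi__i_omwm

Convert the digits to letters, i.e. 0->o, 3->e, 7->t, 1->i:

ly_o_onvhuietrmi__i_omwm

Writing a script directly is not easy, unless you shuffle randomly and pick candidates out by hand, but the number of combinations grows exponentially; far too many!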

Online Anagram Solver

https://anagram-solver.net/

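Anagram Solver is an online tool dedicated to unscrambling letters into English words and sentences. Put the string in and it unscrambles it:

This gives the base form of the flag: rtcp{im_in_love_with_your_mom}

However, there is only one 1 but 3 i's, and only one 0 but 3 o's, so restoring the four digits 0137 allows different combinations. All I could do was list every case and submit the flags one by one.

After a few tries I got the correct flag: rtcp{im_1n_lov3_wi7h_y0ur_mom}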
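The candidate list described above can be generated rather than written out by hand. This is an added example, not the author's code; it assumes the rtcp{ } wrapper is fixed and that each digit replaces one occurrence of the letter it stands for, and the function name is chosen here.

```python
from collections import Counter
from itertools import combinations, product

CIPHER = "tlyrc_o_0pnvhu}{137rmi__i_omwm"   # scrambled note from the challenge
SOLVED = "im_in_love_with_your_mom"         # anagram solver output, without rtcp{}
LEET = {"0": "o", "1": "i", "3": "e", "7": "t"}


def leet_candidates(solved, cipher, prefix="rtcp{", suffix="}"):
    """List every flag that puts the cipher's digits back into the solved text."""
    per_digit = []
    for digit, letter in LEET.items():
        # Positions where this digit could replace its letter
        slots = [i for i, ch in enumerate(solved) if ch == letter]
        # The cipher tells us how many times the digit must appear
        need = cipher.count(digit)
        per_digit.append([(digit, combo) for combo in combinations(slots, need)])

    found = []
    for choice in product(*per_digit):
        chars = list(solved)
        for digit, combo in choice:
            for i in combo:
                chars[i] = digit
        flag = prefix + "".join(chars) + suffix
        # Keep only candidates that are exact anagrams of the cipher
        if Counter(flag) == Counter(cipher):
            found.append(flag)
    return found


if __name__ == "__main__":
    for flag in leet_candidates(SOLVED, CIPHER):
        print(flag)
```

With three possible places each for 0 and 1 and a single place each for 3 and 7, this prints nine flags to try.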


Wrong Way (150 points)

Description:

Did you know that you've been going the wrong way entire time?

E7Rq<G:Kǒ

Format in rtcp{} format, adding _ underscores as needed. The flag should be case insensitive

cipher:

E7Rq<G:Kǒ

Throwing this string into a cipher detector found nothing either. I had no idea at all, and in the end relied on a guess: Base64-encode it.

import base64
cipher = 'E7Rq<G:Kǒ'
print(str(base64.b64encode(cipher.encode())))
/usr/local/bin/python3 base64enoder.py
b'RTcPUnEXPEcTEDpLAceS'

As the description says, use rtcp{}, add underscores, and letter case does not matter, so flag: RTcP{UnEXPEcTED_pLAceS}


That’s Some Interesting Tea(rs) (175 points)

Cipher:

O53GG4CSJRHEWQT2GJ5HC4CGOM4VKY3SOZGECZ2YNJTXO6LROV3DIR3CK4ZEMWCDHFMTOWSXGRSHU23DLJVTS5BXOQZXMU3ONJSFKRCVO5BEGVSELJSGUNSYLI2XQ32UOI3FKWDYMJQWOMKQOJ4XIU2WN5KTKWT2INUW44SZONGUUN2BMFRTQQJYKM3WGSSUNVXGEU3THFIFUSDHIVWVEQ3LJVUXEMSXK5MXSZ3TG5JXORKTMZRFIVQ=

Apply base32, base58, base62, base64 and base85 in turn; flag: rtcp{th4t5_50m3_54lty_t34_1_bl4m3_4ll_th0s3_t34rs}


That’s a Lot of Stuff (275points)

cipher:

31 34 33 20 31 35 36 20 31 32 32 20 31 35 32 20 31 34 33 20 31 31 30 20 31 36 34 20 31 35 32 20 31 31 35 20 31 30 37 20 36 35 20 36 32 20 31 31 35 20 36 33 20 31 31 32 20 31 37 32 20 31 31 35 20 31 32 34 20 31 30 32 20 31 36 35 20 31 34 33 20 36 31 20 37 31 20 31 35 30 20 31 34 33 20 31 35 32 20 31 31 36 20 31 34 36 20 31 31 36 20 31 30 36 20 37 31 20 31 35 32 20 31 31 35 20 31 30 34 20 31 30 32 20 31 31 35 20 31 33 30 20 36 32 20 31 31 35 20 36 30 20 31 34 34 20 31 31 30 20 31 31 36 20 37 31

Apply hex, octal and base64 in turn to get the flag: rtcp{c0nv3rs10ns_ar3_4_c00L_c4ts}
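The three layers, peeled one at a time, as an added example that is not part of the original writeup. The cipher is copied from above; the function name and the per-layer checks are chosen here.

```python
import base64
import string

# Cipher from the challenge, split over several lines only for readability
CIPHER = (
    "31 34 33 20 31 35 36 20 31 32 32 20 31 35 32 20 31 34 33 20 31 31 30 20 "
    "31 36 34 20 31 35 32 20 31 31 35 20 31 30 37 20 36 35 20 36 32 20 31 31 35 20 "
    "36 33 20 31 31 32 20 31 37 32 20 31 31 35 20 31 32 34 20 31 30 32 20 31 36 35 20 "
    "31 34 33 20 36 31 20 37 31 20 31 35 30 20 31 34 33 20 31 35 32 20 31 31 36 20 "
    "31 34 36 20 31 31 36 20 31 30 36 20 37 31 20 31 35 32 20 31 31 35 20 31 30 34 20 "
    "31 30 32 20 31 31 35 20 31 33 30 20 36 32 20 31 31 35 20 36 30 20 31 34 34 20 "
    "31 31 30 20 31 31 36 20 37 31"
)


def decode_layers(cipher):
    """Return (octal text, Base64 text, plaintext), checking each layer's alphabet."""
    # Layer 1: space-separated hex bytes -> ASCII text
    octal_text = bytes.fromhex("".join(cipher.split())).decode("ascii")
    if set(octal_text) - set("01234567 "):
        raise ValueError("layer 1 did not produce octal digits")

    # Layer 2: space-separated octal numbers -> one character each
    b64_text = "".join(chr(int(tok, 8)) for tok in octal_text.split())
    if set(b64_text) - set(string.ascii_letters + string.digits + "+/="):
        raise ValueError("layer 2 did not produce Base64 characters")

    # Layer 3: Base64 -> plaintext
    plain = base64.b64decode(b64_text, validate=True).decode("ascii")
    return octal_text, b64_text, plain


if __name__ == "__main__":
    for layer in decode_layers(CIPHER):
        print(layer)
```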


Pandas Like Salads (350 points)

Description:

Did you know a new panda was added to the Washington DC zoo recently? Yep, apparently she really like salads. Interesting, yeah? Also, the panda keepers of the zoo said that the key to happiness in life is a little CUTENESS every day. You know, all the keepers who are on the panda's rotation all said the same thing to me. Very interesting.

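Attachment:

Pigpen cipher; decoding it gives:

YSAY{HJKAHR_QQGDIA_UNR_KW_YRQ_PM_NNFB}

The ASCII offsets between YSAY and RTCP are not all the same, so consider a Vigenère cipher.

There is a trap here. At first I thought the Vigenère step would give the flag directly: running Vigenère on YSAY and rtcp yields HZYJ, and decrypting with the key HZYJ gives:

RTCP{AKMRAS_SHZEKR_NOT_BP_ZTH_IN_PEYC}

But this is not the flag.

The description has one conspicuously uppercase word, CUTENESS; consider it the Vigenère key and decrypt with it.

The description also mentions rotation, so consider whether a ROT transformation is needed. Looking closer: WYHU maps to RTCP with a difference of 5 for every letter: W-R=5, Y-T=5, and so on.

But this is not called rot5; rot5 would be R-W=5. This is ROT21. I could not find an online ROT21 decoder, so I wrote a ROT21 script myself: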

s = '''WYHU{UFSIFX_XMTZQI_STY_GJ_UZY_NS_UJSX}'''
for i in s:
    if i.isalpha():
        # ROT21 equals shifting back by 5; wrap around so A-E stay inside the alphabet
        print(chr((ord(i) - ord('A') - 5) % 26 + ord('A')), end='')
    else:
        print(i, end='')

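This gives RTCP{PANDAS_SHOULD_NOT_BE_PUT_IN_PENS}, but submitting it failed. The flags of the other challenges are all rtcp{}, with at least RTCP in lowercase, so I converted the whole flag to lowercase and it was accepted; flag: rtcp{pandas_should_not_be_put_in_pens}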
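The whole chain after the pigpen step, including the known-plaintext key recovery that produced the dead-end key HZYJ, as an added example that is not part of the original writeup. The function names are chosen here; the key only advances on letters, which is what reproduces the strings shown above.

```python
import string

ALPHABET = string.ascii_uppercase
PIGPEN_OUTPUT = "YSAY{HJKAHR_QQGDIA_UNR_KW_YRQ_PM_NNFB}"


def vigenere_decrypt(text, key):
    """Subtract the repeating key from each letter; other characters pass through."""
    out, used = [], 0
    for ch in text:
        if ch in ALPHABET:
            shift = ALPHABET.index(key[used % len(key)])
            out.append(ALPHABET[(ALPHABET.index(ch) - shift) % 26])
            used += 1          # the key advances on letters only
        else:
            out.append(ch)
    return "".join(out)


def recover_key(cipher_letters, known_plain):
    """Known-plaintext attack: key letter = cipher letter - plain letter (mod 26)."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % 26]
        for c, p in zip(cipher_letters, known_plain)
    )


def rot(text, n):
    """Rotate letters forward by n with wrap-around; ROT21 undoes a shift of 5."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + n) % 26] if ch in ALPHABET else ch
        for ch in text
    )


def solve():
    """Vigenere with the key from the description, then ROT21, then lowercase."""
    stage1 = vigenere_decrypt(PIGPEN_OUTPUT, "CUTENESS")
    return stage1, rot(stage1, 21).lower()


if __name__ == "__main__":
    # The tempting shortcut: derive a key from the known prefix RTCP
    shortcut_key = recover_key("YSAY", "RTCP")
    print(shortcut_key, vigenere_decrypt(PIGPEN_OUTPUT, shortcut_key))
    stage1, flag = solve()
    # After the real key, the same attack returns one repeated letter: a plain rotation
    print(stage1, recover_key(stage1[:4], "RTCP"))
    print(flag)
```

Recovering a key of FFFF from the intermediate text is the hint that only a fixed rotation of 5 is left.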


Code On (500 points)

Description:

My houseplant and I were working on a biology assignment together. Yes, my houseplant. Don't question it. Anyways, she ended up giving me a new cipher to use in my next project! So I'm giving it to my biology friends to see if they can solve it. They are, after all, studying DNA and mRNA right now.

cipher:

AUGCAAGGUCUCUUGACCCAGUGGAUACUAAAUGCCUGGAAGGUAGCAUACUAG

Key: 6, 3, 4, 3, 1, 9, 8, 3, 3, 2, 7, 4, 1, 2, 4, 1

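Another guesswork challenge. Luckily I spent two years specifically studying the molecular biology of genes back in school, so with a bit of guesswork it was quite easy.

DNA is transcribed into mRNA following the base-pairing rules; DNA contains no U (uracil) and RNA contains no T (thymine). Every 3 ribonucleotides of mRNA form a codon. Apart from the start and stop codons, each codon corresponds to one amino acid, and several codons may correspond to the same amino acid (degeneracy). This should all have been covered in high-school biology, if you took the science track.

The challenge gives an mRNA nucleotide sequence and a strange key. Reverse-transcribing the mRNA back to DNA is pointless, because the form of the cipher would not change, so consider translating the mRNA into amino acids.

As we can see, grouping the mRNA three nucleotides at a time gives 18 codons in total, while the key has 16 entries. I Googled a codon table (do not look up a Chinese one on Baidu, it does not help with the challenge):

Start codons: AUG GUG UUG; stop codons: UAA UGA UAG

The mRNA starts exactly with the start codon AUG and ends exactly with the stop codon UAG. Leaving those two out, 16 codons remain, mapping to 16 amino acids, and the key has exactly 16 entries. Whether or not it would work, I first translated by hand using the table: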

glutamine glycine leucine leucine threonine glutamine tryptophan isoleucine leucine asparagine alanine tryptophan lysine valine alanine tyrosine

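Pairing the key with the amino acids one to one, the only relationship I could think of is that each key number is the position of a letter within the amino acid's name.

For example glutamine pairs with 6, i.e. the sixth letter m. Mapping them all this way:

Joined together: mycutehouseplant, which is exactly English words, showing the approach is right, so the flag is: rtcp{mycutehouseplant}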
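The manual translation and key lookup above, automated as an added example (not part of the original writeup). It uses the standard genetic code table and follows the writeup in dropping the leading AUG and the trailing stop codon; the function names are chosen here.

```python
from itertools import product

# Standard genetic code in UCAG order, one-letter amino-acid symbols ('*' = stop)
BASES = "UCAG"
AMINO = "FFLLSSSSYY**CC*WLLLLPPPPHHQQRRRRIIIMTTTTNNKKSSRRVVVVAAAADDEEGGGG"
CODON_TABLE = {"".join(c): aa for c, aa in zip(product(BASES, repeat=3), AMINO)}

FULL_NAME = {
    "A": "alanine", "R": "arginine", "N": "asparagine", "D": "aspartic acid",
    "C": "cysteine", "Q": "glutamine", "E": "glutamic acid", "G": "glycine",
    "H": "histidine", "I": "isoleucine", "L": "leucine", "K": "lysine",
    "M": "methionine", "F": "phenylalanine", "P": "proline", "S": "serine",
    "T": "threonine", "W": "tryptophan", "Y": "tyrosine", "V": "valine",
}

MRNA = "AUGCAAGGUCUCUUGACCCAGUGGAUACUAAAUGCCUGGAAGGUAGCAUACUAG"
KEY = [6, 3, 4, 3, 1, 9, 8, 3, 3, 2, 7, 4, 1, 2, 4, 1]


def translate(mrna):
    """Translate the codons between the start codon and the stop codon."""
    if len(mrna) % 3:
        raise ValueError("sequence length is not a multiple of 3")
    codons = [mrna[i:i + 3] for i in range(0, len(mrna), 3)]
    if codons[0] != "AUG" or CODON_TABLE.get(codons[-1]) != "*":
        raise ValueError("expected AUG ... stop codon")
    body = [CODON_TABLE[c] for c in codons[1:-1]]
    if "*" in body:
        raise ValueError("stop codon inside the reading frame")
    return [FULL_NAME[aa] for aa in body]


def apply_key(names, key):
    """Pick the k-th letter (1-based) of each amino-acid name."""
    if len(names) != len(key):
        raise ValueError("key length does not match the number of amino acids")
    return "".join(name[k - 1] for name, k in zip(names, key))


if __name__ == "__main__":
    names = translate(MRNA)
    print(" ".join(names))
    print("rtcp{" + apply_key(names, KEY) + "}")
```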


IdleRPG (800 points)

cipher:

Y9xwh`iXm<Vy==0x957d3d19b4d2a__dZGmZ6=j?I%Q||0o112575172146646270--ASLyRE>;9zt,==0x2123efad3594b3__n>#M`=DmchH8||0o411076765515312077--t?V5{I{gMU|U==0x14a976197c2915__;+dC,.R/G~kw||0o245227303137024262---,8f`zTVPdNt==0x93dbfd1c5928f__xt\8X*]zyGL1||0o111733772161311037--%o]c"&z9?1b+==0x147f84671e56d__lV!*DK"1p*qq||0o12177410634362362--V9ik@"E]^\;|==0xf036125564a45__vDgZ*k.>imxm||0o170066044525444727--f!h3bI`YK|x5==0x723a8f0523b99__%z<[email protected]<'%||0o71072436024435551--sP]R0lq*[N:S==0x1b05a7c82fd37a__75=~hT~Q~fA?||0o330132371013751406--gbh(YZ>+"Gs~==0xdd2ea5ce253cf__,1yS%GL?*k;G||0o156456513470451560--Y?L5Ug:EI_A&==0x962f5786b2bc8__9\_65mO4<I:R||0o113057257032625565--^&QlEKy{o=SD==0xbb0e5e66a974a__;U^"Auqq,^K\||0o135416274632513432--3{RI(9`\~O~|==0x6c1cbf73e807b__hj6Nd(1Oro7e||0o66034576717500034--)=)MXYb~oA-m==0x267abd0c92e17__S7@`w(.e)h:%||0o23172572062226746--d1$dXWtmmZ[1==0x191edd987d99db__7tBUDZ$Fp0O3||0o310755663037314567--_nzHHj1KU#/Y==0xc3018045513b0__>}UA.s+SDkW%||0o141401400425211504--WfuvK}2)@XLd==0x4810904aed9ad__o!lr_oS1JuDJ||0o44020440453554572--%`53NS?<NyzQ==0x1ffa7a900063e4__:*+KK)"7*SkV||0o377647522000061605--!rI<c/~6Zc7$==0x1185db7ab832fc__R"%xF/*^#E6f||0o214135557256031310--,_rdR4O;uAo#==0x208c01f7ff8f55__iC5nt]G\.%#M||0o404300076777707357--&z=pJ5Fs(_^w==0x1204c1acf2a0cf__P:sPjc6,-XBh||0o220114065474520133--0d.rnoZ%t@:B==0x194749d970ca7__65fGWLm!z7,(||0o14507223545606164--OxCdv)/{2+/G==0xcc26fb68a1315__W7mtQfg>6/zy||0o146046766642411303--ZBrIi^,<%U)W==0x70d920ffd960__BSILih9EK-Rz||0o3415444077754401--G[@>aOM,CLcC==0x19ded68575f483__61U8qn0}5mIJ||0o316755320535372042--|1v<xMUqbcOq==0x2f81c8def09eb__:h6YYBB%^l9l||0o27601621573604672--kTx{=gbY#O26==0x4a21a24bfe0a7__S|]Re7U}^<s0||0o45041504457760136--L2E!4Z_~y_qh==0x2091f66c71e4ad__qJA|4AEE{aqC||0o404437315434362060--

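Tidied up:

There are 4 columns: junk characters + hex + junk characters + octal. I found nothing in the two junk strings, so focus on the two numbers first.

I had no idea what this was, so I could only take it one step at a time. Write a script to convert them to the same base and see whether they are related: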

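# Author: 颖奇L'Amore
# Blog: WWW.GEM-LOVE.COM
with open('cipher.txt', 'r') as f:
    # Records are separated by "--"; drop the empty piece after the trailing separator
    allCipher = [rec for rec in f.read().split('--') if rec.strip()]

for i in allCipher:
    # Normalise the three field separators so every record splits into 4 fields
    i = i.replace('__', '==')
    i = i.replace('||', '==')
    l = i.split("==")
    hexText = l[1]
    octText = l[3]
    # int() with an explicit base accepts the 0x / 0o prefixes, so eval() is not needed
    print(int(hexText, 16), end=' ')
    print(int(octText, 8))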

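The result is simply amazing: the two numbers differ only very slightly.

But it is still puzzling. What are these two numbers? What are they for? Why are they almost the same? Why do they differ a little? What are the other two columns for?

All I could do was guess. What happens if we subtract them? We get: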

114  116  99  112  123  110  48  116  95  83  48  95  49  100  108  51  95  52  102  116  51  82  95  97  49  73  125

The ASCII codes of r and t differ by 2, and 114 and 116 also differ by 2! Could these be the ASCII codes of the flag?!!

print(chr(int(hexText, 16) - int(octText, 8)), end='')

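Amazing! The flag: rtcp{n0t_S0_1dl3_4ft3R_a1I}

So far this is the first crypto challenge that truly requires writing a script (all the others can be done with online tools); it is starting to feel like crypto in Chinese CTFs.

The challenges after this were hard; I could not solve them.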

Original article by 颖奇L'Amore. Please credit the author and link to the article when reposting.

Permalink: https://www.gem-love.com/pwn/933.html
