第四届强网杯部分writeup

CT 强网杯Writeup

Misc

签到

打开题目就可以得知flag,输入即可
第四届强网杯部分writeup_第1张图片

问卷调查

打开题目所给的链接,填写问卷就可以获得flag
第四届强网杯部分writeup_第2张图片

miscstudy

第四届强网杯部分writeup_第3张图片

第四届强网杯部分writeup_第4张图片

下载附件
第四届强网杯部分writeup_第5张图片

在Wireshark打开该附件并在上方的筛选HTTP协议

第四届强网杯部分writeup_第6张图片

点开最下面的那个选项,看到有一条链接http://39.99.247.28/fonts/1
第四届强网杯部分writeup_第7张图片

打开链接
第四届强网杯部分writeup_第8张图片

成功获得flag的两部分,并把这个页面保存下来,这个页面放在下面的环境变量设置的那个文件夹里面

然后在电脑设置环境变量

第四届强网杯部分writeup_第9张图片
第四届强网杯部分writeup_第10张图片

后面的那个文件目录可以随便填一个,但是前面的值是固定的
这个操作目的是为了能在Wireshark进行TLS解密

来Wireshark的首选项选择协议TLS,然后右边选择那个刚刚保存下来的1文件,由于我不知道是题目的那个1是什么后缀名,我就直接改为txt
第四届强网杯部分writeup_第11张图片

然后就会有这一栏出现
第四届强网杯部分writeup_第12张图片

就已经成功解密了TLS

他这里是经过TLS访问页面的加密隐藏了一张图片

访问链接就得到这个图片

第四届强网杯部分writeup_第13张图片

把图片拉进winhex打开

第四届强网杯部分writeup_第14张图片

然后仔细分析一下图片的最下面的十六进制

第四届强网杯部分writeup_第15张图片

然后把最后面的那句密文进行base64解密
第四届强网杯部分writeup_第16张图片
第四届强网杯部分writeup_第17张图片

这个是flag的第三部分

然后将图片的最下面的4组IDAT的前三组都合拼一起,但必须把每组的IDAT头和尾都要去掉
第四届强网杯部分writeup_第18张图片

MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAxMTExMTExMTExMTEwMDAwMDAwMTAwMTEwMDAwMTAwMDAwMDAwMDExMTAwMDAxMTExMTExMTExMTAwMDAxMTExMTExMTExMTEwMDAwMDAwMTEwMTExMDAwMTAwMDAwMDAwMDExMTAwMDAxMTExMTExMTExMTAwMDAxMTAwMDAwMDAwMTEwMDEwMDExMTExMTEwMDEwMDAwMDAwMDAxMTAwMTExMDAxMDAwMDAwMDAwMTAwMDAxMTAwMDAwMDAwMTEwMDEwMDAwMTEwMTEwMDEwMDAwMDAwMDAwMDAxMTExMDAxMDAwMDAwMDAwMTAwMDAxMTAwMTExMTAwMTEwMDEwMDAwMTAwMTEwMDEwMDExMTAwMDAwMDExMTAxMDAxMDAxMTExMTAwMTAwMDAxMTAwMTExMTAwMTEwMDAwMTAwMDAwMDAxMTEwMDExMTExMTEwMDEwMDAwMDAxMDAxMTExMTAwMTAwMDAxMTAwMTExMTAwMTEwMDAwMDAwMDAwMDAxMTEwMDExMTEwMTEwMDEwMDAwMDAxMDAxMTExMTAwMTAwMDAxMTAwMTExMTAwMTEwMDExMTAwMTAwMTExMTExMTExMTAwMTEwMDExMTAwMDAwMDAxMTExMTAwMTAwMDAxMTAwMDAwMDAwMTEwMDExMDAwMDAwMDAwMTExMTAwMTEwMTEwMTEwMDAwMDAxMDAwMDAwMDAwMTAwMDAxMTAwMDAwMDAwMTEwMDEwMDExMDAwMDAwMDExMTAwMDExMTExMTEwMDExMDAxMDAwMDAwMDAwMTAwMDAxMTExMTExMTExMTEwMDEwMDExMDAxMDAxMDAxMTAwMTEwMTEwMDEwMDExMDAxMTExMTExMTExMTAwMDAxMTExMTExMTExMTEwMDEwMDExMDAxMDAxMTAwMDAwMTAwMTEwMDEwMDExMDAxMTExMTExMTExMTAwMDAwMDAwMDAwMDAwMDAwMDEwMDExMTExMTEwMDEwMDExMDAwMTExMDAwMTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDEwMDAxMTExMTAwMDEwMDExMDAwMDExMTAxMTAwMDAwMDAwMDAwMDAwMDAwMDAxMTEwMDExMDAwMTExMTAwMDAwMDAxMDAwMDAwMDExMDAwMDAxMTExMTExMDAxMTExMDAwMTExMDAwMDAwMTEwMDAwMDAwMDAwMDAwMDAwMDAxMDAwMDAwMDExMDAwMDAwMDAwMDExMDAxMDAwMDAwMDAwMDAwMDAwMDEwMDAwMDAxMDAwMDExMTAwMDAxMDAwMDAwMTExMTAwMTEwMDAwMDExMDAwMDAwMDEwMDAwMDAwMDAxMTEwMDExMDAxMTExMTEwMDAwMDAwMDAwMDAwMDEwMDAxMDAxMTEwMDExMTExMDAwMDEwMDExMDAwMDAxMTEwMDExMDAxMTExMTEwMDAwMDAwMDAwMDAwMDExMDAxMDAxMTEwMDExMTExMDAwMDEwMDExMDAwMDAxMTAwMTExMDAwMDAwMDExMTExMDAwMDAwMDEwMDAwMTAwMDAwMTAwMTAwMTExMDAwMDAwMTAwMTAwMDAwMDAxMTAwMDAwMDAwMTExMDExMDAwMDAwMTExMDAwMTAwMDAxMTAwMDAwMTExMDAwMDAwMDAwMDAwMDAwMDExMTAwMDAwMTExMTEwMDExMDAwMDAxMTExMTExMTAwMDAxMTAwMDExMTExMTEwMDEwMDAwMDAwMDAwMDAwMTExMDAxMDAxMTAwMDAwMDAwMDAxMTAwMDAwMTExMDAxMTEwMDExMTExMDAxMDAwMTAwMTAwMDAwMDAwMTExMDAxMDAxMDAwMDAwMDAwMDAxMDAwMDAwMTExMDAxMTEwMDExMTExMDAxMTAwMTAwMTAwMDAwMDExMTAwMDAwMTEwMDExMTExMTExMDAwMDAwMDExMTAwMDAxMTExMTExMDAwMDAxMTEwMDExMTAwMDAwMDExMDAwMDAwMDEwMDExMTExMTEwMDAwMDAwMDExMTAwMDAxMTExMTExMDAwMDAwMTEwMDAxMTAwMDAwMDAwMDAwMTAwMDAwMDEwMDAwMDAwMDAwMDAwMDExMDAwMDAxMTEwMDExMDAxMDAwMDAwMTAwMTAwMDAwMDAwMDAwMDAwMDAwMTEwMDAwMDAwMDAwMDAwMDAwMDAwMDAxMTEwMDExMDExMTAwMDAwMDAwMDAwMDAwMDEwMDAxMDAxMTExMTEwMDAwMTAwMDAwMDAwMTAwMDAwMDExMTExMTExMTAxMTExMTAwMDAwMDAwMDAwMDExMDAwMDAwMDAxMTEwMDAwMDAwMTExMTExMTAwMTEwMDAwMDAxMTAwMDAwMDAwMDEwMDAwMDAwMDAwMDExMTAwMDAwMDAxMTEwMDAwMDAwMTExMTExMTAwMTExMDAwMDAwMTAwMDAwMDAwMDEwMDAwMDAwMDAxMTEwMDAwMTAwMTExMTExMTExMTExMDAwMDAwMDExMTAwMTExMDAwMDExMDAwMDAxMTAwMDAwMDAwMDAxMTExMDAwMTEwMDAxMDAxMTAwMTExMDAwMDAwMDExMDAwMDExMTAwMDExMDAwMDAwMDAwMDAwMDAwMDAxMTExMTAwMTExMDAxMTAwMTAwMTAxMTExMTExMTExMDAxMTExMTAwMDAxMDAxMTEwMDExMTExMTAwMDAxMTAwMDAwMTExMTEwMDAwMTAwMDAwMDAwMDEwMDAwMDAwMTExMTAwMDExMDAwMDAwMDExMTAwMTAwMDAxMDAwMDAwMTExMTEwMDAwMTAwMDAwMDAwMDEwMDAwMDAwMTExMDAwMDExMDAwMDAwMDExMTAwMTAwMDAwMDExMDExMTAwMDAwMDExMTAwMDAwMDAwMDAwMDAwMDAxMTEwMDAwMDExMTExMDAwMDAxMTAwMTAwMDAwMTExMTExMTAwMDAwMDExMDAwMDAwMDAwMDAwMDAwMDExMTAwMDAwMDAxMTAxMDAwMDAwMTAwMTAwMDAxMTExMTAwMDAwMTEwMDEwMDAwMTAwMDAwMDAwMDExMTExMDAwMDEwMDAwMDAwMDAxMTAwMDEwMDAwMDAwMTExMTAwMDAwMDAwMDEwMDAwMTEwMDAwMDAwMDAwMDAwMDAwMTEwMDAwMDAwMDAxMTAwMDAwMDAwMDAwMDExMTAwMTAwMDAwMDEwMDExMTExMDAwMDExMTAwMDAwMDAxMTEwMDAwMDAwMTExMDAwMTAwMDAwMDAxMTAwMTExMDAwMTExMTEwMDExMTExMDAxMTExMTExMTAwMDAxMDEwMDExMTExMTExMTAwMDExMDAwMDAxMDAwMTExMDAwMTExMTEwMDExMTExMDAxMTExMTExMTAwMDAxMTEwMDExMDExMTExMTAwMDExMDAwMDAwMDAwMDAwMDAwMDAwMDEwMDExMDAxMDAxMTEwMDAwMDAxMTEwMDAxMTExMDAwMDAxMTAwMDAwMTAwMDAwMDAwMDAwMDAwMDAwMDEwMDExMDAwMDAxMTAwMDAwMDAwMTEwMDAwMDExMDAwMDAxMTAwMDAwMTAwMDAxMTExMTExMTExMTEwMDEwMDExMDAwMTExMDAwMTEwMDAwMTExMTAwMDExMDAxMDAxMTAwMTExMTAwMDAxMTAwMDAwMDAwMTEwMDAwMTExMTAwMDAwMDExMTExMTExMDAxMTEwMDAxMDAwMDAxMTAwMTExMDAwMDAxMTAwMDAwMDAwMTEwMDAwMTExMTAwMDAwMDExMTExMTExMDAxMTEwMDExMDAwMDAxMTAwMTExMDAwMDAxMTAwMTExMTAwMTEwMDAwMTAwMDAxMDAwMDAwMTAwMDAxMDAxMTEwMDExMTExMTExMTAwMDAwMDAwMDAxMTAwMTExMTAwMTEwMDAwMTAwMDAxMDAwMDAxMTAwMDAxMDAxMTAwMDAxMTExMTExMDAwMDAwMDAwMDAxMTAwMTExMTAwMTEwMDEwMDExMDAwMTExMTExMTExMDAwMTExMTEwMDAwMTExMDAwMDExMDExMTAwMDAxMTAwMTExMTAwMTEwMDAwMDExMDAwMTEwMDAwMDAwMDAwMDAwMTEwMDAwMDAwMDAwMDExMDExMTAwMDAxMTAwMTExMTAwMTEwMDAwMDExMTExMTEwMDAwMDAwMTAwMDAxMTEwMDExMDAwMDAwMDAwMDExMTAwMDAxMTAwMDAwMDAwMTEwMDExMTAwMTAwMTExMDAwMDExMDAxMTExMTAwMDExMTExMTExMTExMTAwMDAwMDAxMTAwMDAwMDAwMTEwMDExMTAwMTAwMTExMDAwMDExMDAxMTExMTAwMDExMTExMTExMTExMTAwMDAwMDAxMDExMTExMTExMDEwMDEwMDExMTExMTEwMDExMTExMDAxMDAxMTEwMDExMTExMTAwMDAwMDExMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw

再去base64解密得出这样的二进制
第四届强网杯部分writeup_第19张图片

000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001111111111110000000100110000100000000011100001111111111100001111111111110000000110111000100000000011100001111111111100001100000000110010011111110010000000001100111001000000000100001100000000110010000110110010000000000001111001000000000100001100111100110010000100110010011100000011101001001111100100001100111100110000100000001110011111110010000001001111100100001100111100110000000000001110011110110010000001001111100100001100111100110011100100111111111100110011100000001111100100001100000000110011000000000111100110110110000001000000000100001100000000110010011000000011100011111110011001000000000100001111111111110010011001001001100110110010011001111111111100001111111111110010011001001100000100110010011001111111111100000000000000000010011111110010011000111000100000000000000000000000000000000010001111100010011000011101100000000000000000001110011000111100000001000000011000001111111001111000111000000110000000000000000001000000011000000000011001000000000000000010000001000011100001000000111100110000011000000010000000001110011001111110000000000000010001001110011111000010011000001110011001111110000000000000011001001110011111000010011000001100111000000011111000000010000100000100100111000000100100000001100000000111011000000111000100001100000111000000000000000011100000111110011000001111111100001100011111110010000000000000111001001100000000001100000111001110011111001000100100000000111001001000000000001000000111001110011111001100100100000011100000110011111111000000011100001111111000001110011100000011000000010011111110000000011100001111111000000110001100000000000100000010000000000000011000001110011001000000100100000000000000000110000000000000000000001110011011100000000000000010001001111110000100000000100000011111111101111100000000000011000000001110000000111111100110000001100000000010000000000011100000001110000000111111100111000000100000000010000000001110000100111111111111000000011100111000011000001100000000001111000110001001100111000000011000011100011000000000000000001111100111001100100101111111111001111100001001110011111100001100000111110000100000000010000000111100011000000011100100001000000111110000100000000010000000111000011000000011100100000011011100000011100000000000000001110000011111000001100100000111111100000011000000000000000011100000001101000000100100001111100000110010000100000000011111000010000000001100010000000111100000000010000110000000000000000110000000001100000000000011100100000010011111000011100000001110000000111000100000001100111000111110011111001111111100001010011111111100011000001000111000111110011111001111111100001110011011111100011000000000000000000010011001001110000001110001111000001100000100000000000000000010011000001100000000110000011000001100000100001111111111110010011000111000110000111100011001001100111100001100000000110000111100000011111111001110001000001100111000001100000000110000111100000011111111001110011000001100111000001100111100110000100001000000100001001110011111111100000000001100111100110000100001000001100001001100001111111000000000001100111100110010011000111111111000111110000111000011011100001100111100110000011000110000000000000110000000000011011100001100111100110000011111110000000100001110011000000000011100001100000000110011100100111000011001111100011111111111100000001100000000110011100100111000011001111100011111111111100000001011111111010010011111110011111001001110011111100000011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

然后下一步我们要去把二进制转二维码

直接上python脚本
第四届强网杯部分writeup_第20张图片

把刚才base64解密出来的二进制复制到str=””里面
但是这里必须要按python的PIL库
第四届强网杯部分writeup_第21张图片

得出的一个二维码

把这个二维码用QR扫描工具打开

经过扫描,得出一条百度网盘的链接

第四届强网杯部分writeup_第22张图片

然后把这个压缩包下载,解压

第四届强网杯部分writeup_第23张图片

解压之后发现有一张图片

第四届强网杯部分writeup_第24张图片

第四届强网杯部分writeup_第25张图片

把这个图片用stegbreak爆破得出密码为power123
在这里插入图片描述

然后用JPHS工具来打开这图片,并选择Seek进行输入密码power123

第四届强网杯部分writeup_第26张图片

然后导出一个文件

第四届强网杯部分writeup_第27张图片

用记事本或者用notepad++打开查看获得flag的第四部分
第四届强网杯部分writeup_第28张图片

然后发现这里有一条百度网盘链接和提取码

结果真的有一个压缩包

第四届强网杯部分writeup_第29张图片

下载完打开后得出第五部分的flag
第四届强网杯部分writeup_第30张图片

但是发现两个压缩包都被加密了

第四届强网杯部分writeup_第31张图片

发现里面三个文本文件都没超过5字节
第四届强网杯部分writeup_第32张图片

然后使用CRC32碰撞攻击脚本把level6.zip直接碰撞爆破出来

在这里插入图片描述
第四届强网杯部分writeup_第33张图片

看着文本是5、4、5字节,就只把红色框圈住的5、4、5位挑选出来,而且也要把奇怪的符号去掉,就剩下黄色箭头指向的那三个就直接组合成flag的第六部分
Level6_isready

然后用Advanced Archive Password Recovery软件将level7.zip压缩包用level5.zip压缩包中的1.png作为明文密钥进行明文爆破

第四届强网杯部分writeup_第34张图片
第四届强网杯部分writeup_第35张图片

等到剩下一个小时就可以直接按停止就会出现这个弹窗

第四届强网杯部分writeup_第36张图片

第四届强网杯部分writeup_第37张图片

之后会让你保存一个新名为level7_decrypted.zip,然后直接解压

由于4.png和5.png两张图片的分辨率是一样的,但是大小不一样,猜测是盲水印攻击
第四届强网杯部分writeup_第38张图片

直接用盲水印攻击脚本进行分离
第四届强网杯部分writeup_第39张图片

获得flag的第七部分level7ishere

但是在这个图里面发现了有一个网址http://39.99.247.28/final_level 访问后看到了一个百度

第四届强网杯部分writeup_第40张图片

感觉就直接复制了百度的页面下来

然后通过查看元素,发现了有一行这样的注释,可以看到它的空格和TAB生成的空格就可以判断出是典型的SNOW隐写

在这里插入图片描述
第四届强网杯部分writeup_第41张图片

直接去使用SNOW隐写工具破解出,但是这里又看到了一个括号里面的no one can find me
就猜测一下,是不是密码呢?

第四届强网杯部分writeup_第42张图片

解密得出flag的最后一部分
第四届强网杯部分writeup_第43张图片

然后通过把flag所有部分进行拼接得出

flag{level1_begin_and_level2_is_comelevel3_start_itlevel4_here_alllevel5_is_aaalevel6_isreadylevel7isherethe_misc_examaaaaaaa_!!!}

强网先锋

upload

下载附件解压后是一个.pcap,打开后看到一条数据非常可疑
第四届强网杯部分writeup_第44张图片
追踪TCP流,发现了文件,文件头和filename,觉得是一张图片
第四届强网杯部分writeup_第45张图片
找到JPEG File Interchange Format右键导出分组字节流,后缀为jpg,就可以看见一张图片了
在这里插入图片描述
第四届强网杯部分writeup_第46张图片
看到图片的文件名有点特别,用搜索引擎看了一下原来是个隐写软件,在kali安装后
输入steghide info a.jpg发现需要输入密码
第四届强网杯部分writeup_第47张图片
使用以下脚本暴力破解密码

#bruteStegHide.sh 
#!/bin/bash

for line in `cat $2`;do
    steghide extract -sf $1 -p $line > /dev/null 2>&1
    if [[ $? -eq 0 ]];then
        echo 'password is: '$line
        exit
    fi  
done 

得到密码为123456,输入密码后得到输入获得flag.txt文件信息,用steghide extract -sf a.jpg获取flag.txt文件并用cat查看flag
第四届强网杯部分writeup_第48张图片

主动

打开题目很明显是命令注入

ls查看一下发现有flag.php和index.php
第四届强网杯部分writeup_第49张图片
由于过滤了flag,就是用通配符?来绕过,发现cat不行,经过测试好像只有tac可以,就用
ip=127.0.01;tac ????.php来获取flag
第四届强网杯部分writeup_第50张图片

Funhash

打开链接查看代码,发现应该是要过三关
第四届强网杯部分writeup_第51张图片

level1

//level 1
if ($_GET["hash1"] != hash("md4", $_GET["hash1"]))
{
    die('level 1 failed');
}

条件为hash1的值,需要等于自身md4加密后的值,就是加密前后的值都要相等。
这跟md5($_GET['a'])==md5($_GET['a'])差不多
PHP在处理哈希会将0E开头的都解释为0,所以找一个0E开头的字符串且其哈希值是0E开头的
第四届强网杯部分writeup_第52张图片
百度时发现了一个0e251288019这个md4后也是0E结尾的,所以
payload:?hash1=0e251288019

level2

if($_GET['hash2'] === $_GET['hash3'] || md5($_GET['hash2']) !== md5($_GET['hash3']))
{
    die('level 2 failed');
}

需要hash2不能和hash3全等或者hash2的md5不能和hash3的md5全等
这里就可以用数组绕过
第四届强网杯部分writeup_第53张图片
此时payload:?hash1=0e251288019&hash2[]=1&hash3[]=2

level3

$query = "SELECT * FROM flag WHERE password = '" . md5($_GET["hash4"],true) . "'";
$result = $mysqli->query($query);
$row = $result->fetch_assoc(); 
var_dump($row);
$result->free();
$mysqli->close();

很明显是sql注入和hash结合,参考添加链接描述构造payload为
?hash1=0e251288019&hash2[]=1&hash3[]=2&hash4=ffifdyop
第四届强网杯部分writeup_第54张图片
flag就出来了

你可能感兴趣的:(CTFWriteup)