LitCTF2023 WP

最新推荐文章于 2024-04-23 21:30:22 发布

Shadow丶S

最新推荐文章于 2024-04-23 21:30:22 发布

阅读量674

点赞数 1

分类专栏： CTF刷题文章标签： CTF

本文链接：https://blog.csdn.net/song123sh/article/details/130749652

版权

CTF刷题专栏收录该内容

27 篇文章 17 订阅

订阅专栏

LitCTF2023

LitCTF2023是郑州轻工业大学首届网络安全赛，作为第一次举办的网络安全类型的校赛，它的难度极其容易，很加适合对CTF感兴趣但是没有基础的同学。

文章目录

LitCTF2023

WEB

我flag呢

源码最底

Follow me and hack me

根据题意，用HackBar传参即可

导弹迷踪

提示说通过6关就可以拿Flag，我们打开源码搜索6

Ping

前端校验

Vim yyds

扫到备份文件

post一个password，值为Give_Me_Your_Flag的base64，并用参数cmd执行命令

作业管理系统

上传一句话

蚁剑连接

PHP是世界上最好的语言！！

彩蛋

第一个

第二个

第三个

扫出备份文件

第四个

这是什么？SQL ！注一下！

题目给了查询语句，按照提示进行闭合操作

and 1=1 和 1=2可以控制页面回显，接下来开始手工注入

group by 确定字段长度为2，union select 找到显示位

找到数据库名CTF

接着找到这个数据库只有一个表，users

非常激动的发现了user和password

结果爆出来发现是彩蛋的一部分~~

-----------------------------------------------------------------------------------------------------

于是我们转换思路，去其他数据库里找找信息，我们发现一共有7个数据库，除了ctf还有一个库叫做ctftraining，

于是我们转换目标进行爆破

然后就找到啦

发现这个flag表里只有一列，这列也叫flag，跨库注入最后一步要指定库

还有一种方法就是没有灵魂的，用sqlmap去跑

先跑ctf数据库

然后找到了菜单，再去ctftraining找flag

1zjs

js源码中发现php路径

得到jsfuck

解得

Http pro max plus

抓包，重放（套娃）

尝试xff无效

client-ip

啧啧，缺少来源

ua，测（还分大小写

via，（又分大小写

访问目标地址，源码中找到

要素过多（x.x

就当无事发生

直接进姬姬github里面找到

Flag点击就送

拿到一个普通用户session

flask session伪造

**解密：**python flask_session_cookie_manager3.py decode -s “LitCTF” -c “eyJuYW1lIjoiYWFhIn0.ZGDnug.MWyv0ru020If5mQWFBCYPcVBor4”

**加密：**python flask_session_cookie_manager3.py encode -s “LitCTF” -t “{‘name’: ‘admin’}”

PWN

只需要nc一下~

nc 找flag，绕过

口算题卡

纯口算，硬解

REVERSE

世界上最棒的程序员

文本视图下滑，跳转

ez_XOR

import pwn
v8 = 'E`}J]OrQF[V8zV:hzpV}fVF[t'
print(pwn.xor(v8,3*3))

snake

pyc文件头缺失，补齐4

反编译pyc文件

拿到源码，找出求flag

enbase64

main函数中

把表拿出来解一下

s = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

def basechange(source):
    destination = list(source)
    v3 = [
        16, 34, 56, 7, 46, 2, 10, 44, 20, 41, 59, 31, 51, 60, 61, 26, 5, 40, 21, 38,
        4, 54, 52, 47, 3, 11, 58, 48, 32, 15, 49, 14, 37, 0, 55, 53, 24, 35, 18, 25,
        33, 43, 50, 39, 12, 19, 13, 42, 9, 17, 28, 30, 23, 36, 1, 22, 57, 63, 8, 27,
        6, 62, 45, 29
    ]

    for _ in range(48):
        for j in range(64):
            source[j] = destination[v3[j]]
        destination = source.copy()

    return ''.join(destination)
print(basechange(list(s)))

CRYPTO

Hex？Hex！

十六进制

梦想是红色的

社会主义核心价值观编码

原来你也玩原神

眼看花了，对着找吧

家人们！谁懂啊，RSA签到都不会

基础rsa

import gmpy2
import binascii

p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073

e = 65537

c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057

q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451

n = p*q

phin = (p-1)*(q-1)

d=gmpy2.invert(e,phin)

m=pow(c,d,n)

print ('d='+str(d))
print ('m='+str(m))
print ('decode='+str(binascii.unhexlify(hex(m)[2:])))

factordb

factordb，一个可以用来分解因数的网站

代码同上

你是我的关键词(Keyworld)

keyworld关键字密码

yafu

yafu，分解

from Crypto.Util.number import *

# 参数
n = 15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307
c = 12608550100856399369399391849907846147170257754920996952259023159548789970041433744454761458030776176806265496305629236559551086998780836655717
e = 65537

# 质因数列表
primes = [2201440207, 3354884521, 2719600579, 4171911923, 2585574697, 
          2758708999, 3355651511, 2923522073, 4044505687, 4021078331, 
          2767137487, 3989697563, 2906576131, 2315495107, 2151018733]

temp = n
for _ in range(15):
    prime = getPrime(32)
    primes.append(prime)
    temp = temp // prime

# 计算欧拉函数 phi
phi = 1
for prime in primes:
    phi *= (prime - 1)

# 计算私钥 d
d = inverse(e, phi)

# 解密密文 c，还原明文 m
m = pow(c, d, n)
flag = long_to_bytes(m)
print(flag)

The same common divisor

因为已知n1,n3可以直接异或求n2 求公约数就可以知道q

from Crypto.Util.number import *
import gmpy2

n1= 9852079772293301283705208653824307027320071498525390578148444258198605733768947108049676831872672654449631852459503049139275329796717506126689710613873813880735666507857022786447784753088176997374711523987152412069255685005264853118880922539048290400078105858759506186417678959028622484823376958194324034590514104266608644398160457382895380141070373685334979803658172378382884352616985632157233900719194944197689860219335238499593658894630966428723660931647038577670614850305719449893199713589368780231046895222526070730152875112477675102652862254926169713030701937231206405968412044029177246460558028793385980934233
n3= 4940268030889181135441311597961813780480775970170156650560367030148383674257975796516865571557828263935532335958510269356443566533284856608454193676600884849913964971291145182724888816164723930966472329604608512023988191536173112847915884014445539739070437180314205284883149421228744714989392788108329929896637182055266508625177260492776962915873036873839946591259443753924970795669864031580632650140641456386202636466624658715315856453572441182758855085077441336516178544978457053552156714181607801760605521338788424464551796638531143900048375037218585999440622490119344971822707261432953755569507740550277088437182
c1= 7066425618980522033304943700150361912772559890076173881522840300333719222157667104461410726444725540513601550570478331917063911791020088865705346188662290524599499769112250751103647749860198318955619903728724860941709527724500004142950768744200491448875522031555564384426372047270359602780292587644737898593450148108629904854675417943165292922990980758572264063039172969633878015560735737699147707712154627358077477591293746136250207139049702201052305840453700782016480965369600667516646007546442708862429431724013679189842300429421340122052682391471347471758814138218632022564279296594279507382548264409296929401260
c2= 854668035897095127498890630660344701894030345838998465420605524714323454298819946231147930930739944351187708040037822108105697983018529921300277486094149269105712677374751164879455815185393395371001495146490416978221501351569800028842842393448555836910486037183218754013655794027528039329299851644787006463456162952383099752894635657833907958930587328480492546831654755627949756658554724024525108575961076341962292900510328611128404001877137799465932130220386963518903892403159969133882215092783063943679288192557384595152566356483424061922742307738886179947575613661171671781544283180451958232826666741028590085269
n2 = n1^n3
p = gmpy2.gcd(n1,n2)
q = n1//p
phi = (p-1)*(q-1)
e = 65537
d = gmpy2.invert(e,phi)
m = pow(c1,d,n1)
print(long_to_bytes(m))

easy_math

sagemath构造零点求根

hint = 392490868359411675557103683163021977774935163924606169241731307258226973701652855448542714274348304997416149742779376023311152228735117186027560227613656229190807480010615064372521942836446425717660375242197759811804760170129768647414717571386950790115746414735411766002368288743086845078803312201707960465419405926186622999423245762570917629351110970429987377475979058821154568001902541710817731089463915930932142007312230897818177067675996751110894377356758932
n = 2230791374046346835775433548641067593691369485828070649075162141394476183565187654365131822111419512477883295758461313983481545182887415447403634720326639070667688614534290859200753589300443797
var('q')
f = q^8+(q^3)*hint-n^3 ==0
solve([f],q)

带入求常规rsa

import gmpy2
import binascii


e = 65537

c = 2168563038335029902089976057856861885635845445863841607485310134441400500612435296818745930370268060353437465666224400129105788787423156958336380480503762222278722770240792709450637433509537280

n=2230791374046346835775433548641067593691369485828070649075162141394476183565187654365131822111419512477883295758461313983481545182887415447403634720326639070667688614534290859200753589300443797

q = 304683618109085947723284393392507415311

p=n//q

phin = (p-1)*(q-1)

d=gmpy2.invert(e,phin)
m=pow(c,d,n)
print ('decode='+str(binascii.unhexlify(hex(m)[2:])))

MISC

【Minecraft】玩的开心～～～

要进入探姬的MC服务器，用钻石可以兑换魔法书，但是里面都是已经钻石套的大佬，有个好心人在地上丢了一本魔法书，上面写着flag

M_5}BJ543KT4XO3G968~2.png

签到

动动小手

What_1s_BASE

base64

404notfound

010打开直接搜

这羽毛球怎么只有一半啊（恼

010改图片高度

喜欢我的压缩包么

爆破，不喜欢里面没我想要的(0.o)

Take me hand

握手之后发现post

破损的图片

010打开发现png文件头损坏，随便打开一张png补全

两仪生四象

hash映射，解密脚本如下

_hash = {"乾": "111", "兑": "011", "离": "101", "震": "001", "巽": "110", "坎": "010", "艮": "100", "坤": "000"}
_reverse_hash = {v: k for k, v in _hash.items()}

encoded_text = "坤乾兑艮兑坎坤坤巽震坤巽震艮兑坎坤震兑乾坤巽坤艮兑震巽坤巽艮坤巽艮艮兑兑艮震兑乾坤乾坤坤兑艮艮坤巽坤坤巽坎坤兑离坎震艮兑坤巽坎艮兑震坤震兑乾坤乾坎坤兑坎坤震艮离坤离乾艮震艮巽震离震坤巽兑艮兑坎坤震巽艮坤离乾艮坎离坤震巽坎坤兑坤艮兑震巽震巽坎坤巽坤艮兑兑坎震巽兑"

binary_text = ''.join(_hash[c] for c in encoded_text)

plaintext = ""
for i in range(0, len(binary_text), 10):
    try:
        plaintext += chr(int(binary_text[i:i + 10], 2))
    except ValueError:
        plaintext += " "

print("明文:", plaintext)