LitCTF2023
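LitCTF2023 is the first cyber-security competition held by Zhengzhou University of Light Industry. As the school's first security contest, its difficulty is very low, which makes it well suited to students who are interested in CTF but have no background.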
WEB
Where's My Flag (我flag呢)
At the very bottom of the page source.
Follow me and hack me
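As the challenge says, pass the parameters with HackBar.
Missile Trail (导弹迷踪)
The hint says the flag is awarded after clearing 6 levels, so we open the source and search for 6.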
Ping
Front-end validation.
Vim yyds
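A scan turns up a backup file.
POST a password whose value is the base64 encoding of Give_Me_Your_Flag, and use the cmd parameter to execute commands.
Homework Management System (作业管理系统)
Upload a one-line webshell.
Connect with AntSword.
PHP Is the Best Language in the World!! (PHP是世界上最好的语言!!)
Easter Egg (彩蛋)
Part one
Part two
Part three
A scan turns up a backup file.
Part four
What's This? SQL! Inject It! (这是什么?SQL !注一下 !)
The challenge shows the query statement; close it as the hint suggests.
and 1=1 and and 1=2 change what the page echoes back, so we begin manual injection.
group by shows that the number of columns is 2, and union select locates the positions that are displayed.
The database name is found to be CTF.
Next we find that this database has only one table, users.
Very excitedly, we find user and password.
The dumped result turns out to be part of the Easter egg~~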
-----------------------------------------------------------------------------------------------------
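So we change approach and look for information in the other databases. There are 7 databases in total; besides ctf there is one called ctftraining,
so we switch targets and enumerate that one.
And then we found it.
The flag table has only one column, which is also called flag. The last step of a cross-database injection has to name the database explicitly.
There is another way, the soulless one: run sqlmap.
Run it against the ctf database first.
That turns up the Easter egg; then go to ctftraining for the flag.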
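The root cause of the challenge above, shown next to its fix, as an added example that is not part of the original write-up: a concatenated query lets a two-column UNION read from a second schema, while a bound parameter does not. SQLite with an attached database stands in for the challenge's server so the example runs offline; the id column, the rows and the input string are constructed, and only the names users, flag and ctftraining come from the write-up.

```python
import sqlite3


def build_db():
    """Constructed stand-in: a users table plus a second schema holding a flag table."""
    db = sqlite3.connect(":memory:")
    db.execute("ATTACH DATABASE ':memory:' AS ctftraining")
    db.execute("CREATE TABLE users (id TEXT, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('1', 'alice', 'constructed-password')")
    db.execute("CREATE TABLE ctftraining.flag (flag TEXT)")
    db.execute("INSERT INTO ctftraining.flag VALUES ('FLAG{constructed}')")
    return db


def lookup_vulnerable(db, user_id):
    # The input is concatenated into the statement, so a quote inside it
    # ends the string literal and the rest is parsed as SQL.
    sql = "SELECT username, password FROM users WHERE id = '" + user_id + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, user_id):
    # The value is bound separately and can never change the statement's structure.
    sql = "SELECT username, password FROM users WHERE id = ?"
    return db.execute(sql, (user_id,)).fetchall()


# Constructed input of the kind the write-up describes: close the quote, then a
# two-column UNION that names the other schema explicitly.
CROSS_SCHEMA_INPUT = "' UNION SELECT flag, 'x' FROM ctftraining.flag -- "

if __name__ == "__main__":
    db = build_db()
    for fn in (lookup_vulnerable, lookup_parameterized):
        print(fn.__name__, fn(db, "1"), fn(db, CROSS_SCHEMA_INPUT))
```

On a real server the second line of defence is the database account: an application login with no privileges on other schemas cannot be used for the cross-database step even if an injection exists.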
1zjs
A PHP path is found in the JS source.
This yields JSFuck.
Decoding gives
Http pro max plus
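Capture the request and replay it (nested-doll style).
Tried XFF; it has no effect.
client-ip
Tsk tsk, the referer is missing.
UA, tested (it is even case-sensitive).
Via (case-sensitive again).
Visit the target address and find it in the source.
Too many elements (x.x)
Pretend Nothing Happened (就当无事发生)
Found directly in 姬姬's GitHub.
Click to Get the Flag (Flag点击就送)
Obtain an ordinary user's session.
Forge the Flask session.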
**Decode:** python flask_session_cookie_manager3.py decode -s "LitCTF" -c "eyJuYW1lIjoiYWFhIn0.ZGDnug.MWyv0ru020If5mQWFBCYPcVBor4"
**Encode:** python flask_session_cookie_manager3.py encode -s "LitCTF" -t "{'name': 'admin'}"
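Why the forgery works, as an added example that is not part of the original write-up: a Flask session cookie is signed, not encrypted, so its contents can be read without any key and its integrity rests entirely on the secret. The code assumes Flask's default cookie-session scheme (HMAC-SHA1 with a key derived from the salt "cookie-session") and an uncompressed payload; the function names are illustrative.

```python
import base64
import hashlib
import hmac
import json


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def read_session(cookie: str):
    """Return (data, issued_at) without any key: the payload is base64-encoded JSON."""
    payload, ts, _sig = cookie.rsplit(".", 2)
    if payload.startswith("."):
        raise ValueError("zlib-compressed payload is not handled in this example")
    return json.loads(_b64d(payload)), int.from_bytes(_b64d(ts), "big")


def expected_signature(secret: bytes, cookie: str) -> str:
    """Signature the server computes over 'payload.timestamp' (assumed default scheme)."""
    payload_ts = cookie.rsplit(".", 1)[0].encode()
    key = hmac.new(secret, b"cookie-session", hashlib.sha1).digest()
    return _b64e(hmac.new(key, payload_ts, hashlib.sha1).digest())


def verify(secret: bytes, cookie: str) -> bool:
    """True only if the cookie was signed with this secret."""
    return hmac.compare_digest(expected_signature(secret, cookie),
                               cookie.rsplit(".", 1)[1])


# Cookie quoted in the write-up above.
COOKIE = "eyJuYW1lIjoiYWFhIn0.ZGDnug.MWyv0ru020If5mQWFBCYPcVBor4"

if __name__ == "__main__":
    print(read_session(COOKIE))
```

Because the secret is the only thing standing between a user and any session value, a deployment sets SECRET_KEY to a long random value (for example from `secrets.token_hex(32)`) and keeps confidential data out of the session.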
PWN
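Just nc It~ (只需要nc一下~)
Connect with nc and find the flag, bypassing the restriction.
Mental Arithmetic Cards (口算题卡)
Pure mental arithmetic; solve it the hard way.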
REVERSE
The Best Programmer in the World (世界上最棒的程序员)
Scroll down in the text view and follow the jump.
ez_XOR
import pwn
v8 = 'E`}J]OrQF[V8zV:hzpV}fVF[t'
print(pwn.xor(v8,3*3))
snake
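The pyc file header is missing; fill in the missing 4 bytes.
Decompile the pyc file.
With the source recovered, find the code that computes the flag.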
enbase64
In the main function.
Extract the table and decode with it.
s = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
def basechange(source):
    destination = list(source)
    v3 = [
        16, 34, 56, 7, 46, 2, 10, 44, 20, 41, 59, 31, 51, 60, 61, 26, 5, 40, 21, 38,
        4, 54, 52, 47, 3, 11, 58, 48, 32, 15, 49, 14, 37, 0, 55, 53, 24, 35, 18, 25,
        33, 43, 50, 39, 12, 19, 13, 42, 9, 17, 28, 30, 23, 36, 1, 22, 57, 63, 8, 27,
        6, 62, 45, 29
    ]
    for _ in range(48):
        for j in range(64):
            source[j] = destination[v3[j]]
        destination = source.copy()
    return ''.join(destination)
print(basechange(list(s)))
CRYPTO
Hex?Hex!
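Hexadecimal.
Dreams Are Red (梦想是红色的)
Core Socialist Values encoding.
So You Play Genshin Too (原来你也玩原神)
It makes your eyes swim; just look them up one by one.
Folks! Who Gets It, Can't Even Do the RSA Sign-in (家人们!谁懂啊,RSA签到都不会)
Basic RSA.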
import gmpy2
import binascii
p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
e = 65537
c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057
q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
n = p*q
phin = (p-1)*(q-1)
d=gmpy2.invert(e,phin)
m=pow(c,d,n)
print ('d='+str(d))
print ('m='+str(m))
print ('decode='+str(binascii.unhexlify(hex(m)[2:])))
factordb
factordb is a website that can be used to factor integers.
Same code as above.
You Are My Keyword (Keyworld) (你是我的关键词)
Keyworld: a keyword cipher.
yafu
Factor with yafu.
from Crypto.Util.number import *
# Parameters
n = 15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307
c = 12608550100856399369399391849907846147170257754920996952259023159548789970041433744454761458030776176806265496305629236559551086998780836655717
e = 65537
# List of prime factors
primes = [2201440207, 3354884521, 2719600579, 4171911923, 2585574697,
2758708999, 3355651511, 2923522073, 4044505687, 4021078331,
2767137487, 3989697563, 2906576131, 2315495107, 2151018733]
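# primes already holds the factors reported by yafu; appending freshly
# generated random primes here would corrupt phi, so none are added.
# Compute Euler's totient phi
phi = 1
for prime in primes:
    phi *= (prime - 1)
# Compute the private exponent d
d = inverse(e, phi)
# Decrypt the ciphertext c to recover the plaintext m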
m = pow(c, d, n)
flag = long_to_bytes(m)
print(flag)
The same common divisor
Since n1 and n3 are known, XOR them directly to get n2; taking the greatest common divisor then gives q.
from Crypto.Util.number import *
import gmpy2
n1= 9852079772293301283705208653824307027320071498525390578148444258198605733768947108049676831872672654449631852459503049139275329796717506126689710613873813880735666507857022786447784753088176997374711523987152412069255685005264853118880922539048290400078105858759506186417678959028622484823376958194324034590514104266608644398160457382895380141070373685334979803658172378382884352616985632157233900719194944197689860219335238499593658894630966428723660931647038577670614850305719449893199713589368780231046895222526070730152875112477675102652862254926169713030701937231206405968412044029177246460558028793385980934233
n3= 4940268030889181135441311597961813780480775970170156650560367030148383674257975796516865571557828263935532335958510269356443566533284856608454193676600884849913964971291145182724888816164723930966472329604608512023988191536173112847915884014445539739070437180314205284883149421228744714989392788108329929896637182055266508625177260492776962915873036873839946591259443753924970795669864031580632650140641456386202636466624658715315856453572441182758855085077441336516178544978457053552156714181607801760605521338788424464551796638531143900048375037218585999440622490119344971822707261432953755569507740550277088437182
c1= 7066425618980522033304943700150361912772559890076173881522840300333719222157667104461410726444725540513601550570478331917063911791020088865705346188662290524599499769112250751103647749860198318955619903728724860941709527724500004142950768744200491448875522031555564384426372047270359602780292587644737898593450148108629904854675417943165292922990980758572264063039172969633878015560735737699147707712154627358077477591293746136250207139049702201052305840453700782016480965369600667516646007546442708862429431724013679189842300429421340122052682391471347471758814138218632022564279296594279507382548264409296929401260
c2= 854668035897095127498890630660344701894030345838998465420605524714323454298819946231147930930739944351187708040037822108105697983018529921300277486094149269105712677374751164879455815185393395371001495146490416978221501351569800028842842393448555836910486037183218754013655794027528039329299851644787006463456162952383099752894635657833907958930587328480492546831654755627949756658554724024525108575961076341962292900510328611128404001877137799465932130220386963518903892403159969133882215092783063943679288192557384595152566356483424061922742307738886179947575613661171671781544283180451958232826666741028590085269
n2 = n1^n3
p = gmpy2.gcd(n1,n2)
q = n1//p
phi = (p-1)*(q-1)
e = 65537
d = gmpy2.invert(e,phi)
m = pow(c1,d,n1)
print(long_to_bytes(int(m)))
easy_math
Use SageMath to set up an equation whose zero is q and solve for the root.
hint = 392490868359411675557103683163021977774935163924606169241731307258226973701652855448542714274348304997416149742779376023311152228735117186027560227613656229190807480010615064372521942836446425717660375242197759811804760170129768647414717571386950790115746414735411766002368288743086845078803312201707960465419405926186622999423245762570917629351110970429987377475979058821154568001902541710817731089463915930932142007312230897818177067675996751110894377356758932
n = 2230791374046346835775433548641067593691369485828070649075162141394476183565187654365131822111419512477883295758461313983481545182887415447403634720326639070667688614534290859200753589300443797
var('q')
f = q^8+(q^3)*hint-n^3 ==0
solve([f],q)
Substitute the root and solve as ordinary RSA.
import gmpy2
import binascii
e = 65537
c = 2168563038335029902089976057856861885635845445863841607485310134441400500612435296818745930370268060353437465666224400129105788787423156958336380480503762222278722770240792709450637433509537280
n=2230791374046346835775433548641067593691369485828070649075162141394476183565187654365131822111419512477883295758461313983481545182887415447403634720326639070667688614534290859200753589300443797
q = 304683618109085947723284393392507415311
p=n//q
phin = (p-1)*(q-1)
d=gmpy2.invert(e,phin)
m=pow(c,d,n)
print ('decode='+str(binascii.unhexlify(hex(m)[2:])))
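The root-finding step can also be done without SageMath, shown here as an added example that is not part of the original write-up. With n = p*q, the equation q^8 + hint*q^3 - n^3 = 0 used above is equivalent to hint = p^3 - q^5 (an inference from that equation, not something the page states); for hint >= 0 the left-hand side is strictly increasing in q > 0, so integer bisection finds the root. The function names and the small test primes are constructed.

```python
def solve_q(hint: int, n: int) -> int:
    """Integer root q > 0 of q^8 + hint*q^3 - n^3 = 0, found by bisection.

    Assumes hint >= 0, which makes the polynomial strictly increasing for q > 0.
    """
    if hint < 0:
        raise ValueError("monotonicity argument needs hint >= 0")
    target = n ** 3

    def f(q: int) -> int:
        return q ** 8 + hint * q ** 3 - target

    # Grow an upper bound until the polynomial is non-negative.
    lo, hi = 1, 1
    while f(hi) < 0:
        hi *= 2
    # Invariant: the smallest q with f(q) >= 0 lies in [lo, hi].
    while lo < hi:
        mid = (lo + hi) // 2
        if f(mid) < 0:
            lo = mid + 1
        else:
            hi = mid
    if f(lo) != 0:
        raise ValueError("no exact integer root; hint and n are inconsistent")
    return lo


def factor_from_hint(hint: int, n: int):
    """Return (p, q) with p*q == n, using the root as q."""
    q = solve_q(hint, n)
    if n % q != 0:
        raise ValueError("root does not divide n")
    return n // q, q


if __name__ == "__main__":
    # Constructed small instance: p = 101, q = 7, hint = p**3 - q**5.
    p, q = 101, 7
    print(factor_from_hint(p ** 3 - q ** 5, p * q))
```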
MISC
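[Minecraft] Have Fun~~~ (【Minecraft】玩的开心~~~)
You have to join 探姬's MC server. Diamonds can be exchanged for an enchanted book, but everyone in there is already a veteran in full diamond gear. A kind soul dropped an enchanted book on the ground with the flag written on it.
Sign-in (签到)
Just move your fingers.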
What_1s_BASE
base64
404notfound
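Open it in 010 Editor and search directly.
Why Is This Shuttlecock Only Half There? (这羽毛球怎么只有一半啊(恼))
Change the image height in 010 Editor.
Do You Like My Archive? (喜欢我的压缩包么)
Brute-force it. No, I don't like it; what I want isn't inside (0.o)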
Take me hand
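After the handshake, a POST request shows up.
Damaged Image (破损的图片)
Opening it in 010 Editor shows that the PNG file header is corrupted; open any other PNG and use it to fill the header back in.
Two Forms Beget Four Symbols (两仪生四象)
A hash mapping; the decryption script is as follows.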
_hash = {"乾": "111", "兑": "011", "离": "101", "震": "001", "巽": "110", "坎": "010", "艮": "100", "坤": "000"}
_reverse_hash = {v: k for k, v in _hash.items()}
encoded_text = "坤乾兑艮兑坎坤坤巽震坤巽震艮兑坎坤震兑乾坤巽坤艮兑震巽坤巽艮坤巽艮艮兑兑艮震兑乾坤乾坤坤兑艮艮坤巽坤坤巽坎坤兑离坎震艮兑坤巽坎艮兑震坤震兑乾坤乾坎坤兑坎坤震艮离坤离乾艮震艮巽震离震坤巽兑艮兑坎坤震巽艮坤离乾艮坎离坤震巽坎坤兑坤艮兑震巽震巽坎坤巽坤艮兑兑坎震巽兑"
binary_text = ''.join(_hash[c] for c in encoded_text)
plaintext = ""
for i in range(0, len(binary_text), 10):
    try:
        plaintext += chr(int(binary_text[i:i + 10], 2))
    except ValueError:
        plaintext += " "
print("明文:", plaintext)
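OSINT Wheat Juice (小麦果汁)
hacker&craft, a bar.
OSINT Where Did 探姬 Go?_0 (探姬去哪了?_0)
The image properties contain latitude and longitude: Jiaxing, Zhejiang.
Search Amap (高德地图) for China Telecom in Jiaxing. Judging by eye, the place in the picture is not an ordinary service outlet; after filtering, it is the China Telecom Building (中国电信大厦).
OSINT Where Did 探姬 Go?_1 (探姬去哪了?_1)
Zooming in on the picture reveals "sangel"; a Baidu search gives 松果酒店.
If my guess is right, this is the data security competition, whose on-site round was in Zhengzhou. Search Amap for 松果酒店 in Zhengzhou and try the results one by one.
OSINT Where Did 探姬 Go?_2 (探姬去哪了?_2)
At a glance this is last week's hacking club salon: 漫香音乐酒吧.
OSINT Where Did 探姬 Go?_3 (探姬去哪了?_3)
Scan the code with i轻工大 (mixing Chinese characters and digits is a bit much).
OSINT What Is This Place?! (这是什么地方?!)
A Baidu image search finds a related page, and a Bilibili video gives the answer directly.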
https://www.bilibili.com/video/BV1Js4y1R7JR/