第二届海啸杯write up

**

Web

**
1、你是Gzmtu的学生吗?

先按正常流程进去该网址，发现

这里我们测试应该是通过ip地址来判断是否是Gzmtu的学生，所应我们要捉包修改x-forwarded-for为127.0.0.1，发现

我们再把cookie上user=0改为1，则有

2、宁静致远

点击进去发现：

捉包看看

MQ%3D%3D是url编码，解码，

**MQ==**像base64编码，base64解码为

看到这里，基本可以测试是考cookie注入，用cookie注入知识解决即可
最后把hexo的值改为
hexo=-1’union select 1,(select group_concat(flag)from ctf.flag) –
把它转码为base64，即可得到flag

3、who are you ？

解题思路:
(1)捉包发现post传值为xml代码，由此可猜测是xxe漏洞,

(2)但是，很奇怪的是不管我构造了什么样的xxe payload，最终服务器只返回一开始进入题目的源码，最后安照答案给出的payload也一样。

4、EasyWeb

这道题考察代码审计，这道题要我们传两个值，分别是s，x。要求s=flag.php
md5(x)返回的值为false。因为这里flag、php 会被过滤为空值，所以我们需要绕过过滤。构建传入的参数为

index.php?s=flflagag.phflagp&x[]=1 

REVERSE

1、baby reverse

把文件下载下来，然后丢到IDA中进行反编译即可，然后搜索flag

Misc
1、签到题
题目给了一个txt文件，和提示说“这是pic”，则这可以猜测base64转换为图片

iVBORw0KGgoAAAANSUhEUgAAAfQAAADICAIAAACRe4S/AAAACXBIWXMAAAsTAAALEwEAmpwYAAAGjWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS42LWMxNDIgNzkuMTYwOTI0LCAyMDE3LzA3LzEzLTAxOjA2OjM5ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdEV2dD0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlRXZlbnQjIiB4bWxuczpwaG90b3Nob3A9Imh0dHA6Ly9ucy5hZG9iZS5jb20vcGhvdG9zaG9wLzEuMC8iIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgQ0MgKFdpbmRvd3MpIiB4bXA6Q3JlYXRlRGF0ZT0iMjAxOS0wOC0xN1QyMzoyNjo0NiswODowMCIgeG1wOk1ldGFkYXRhRGF0ZT0iMjAxOS0wOC0xN1QyMzoyNzo0MCswODowMCIgeG1wOk1vZGlmeURhdGU9IjIwMTktMDgtMTdUMjM6Mjc6NDArMDg6MDAiIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6NDk4MTViMzgtZjA2YS1mNTQ4LWFhY2YtNDljOTgzMGIyNGMzIiB4bXBNTTpEb2N1bWVudElEPSJhZG9iZTpkb2NpZDpwaG90b3Nob3A6YjE2Yzg5ZTQtMzU1NC00MDRmLWFlYjEtMDY1M2U0OGFiYzBiIiB4bXBNTTpPcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6ODk3ODcyOTYtMmY0Ni1hOTQ4LWJiYmUtZWQ0MjFmNzcwMzFlIiBwaG90b3Nob3A6Q29sb3JNb2RlPSIzIiBkYzpmb3JtYXQ9ImltYWdlL3BuZyI+IDx4bXBNTTpIaXN0b3J5PiA8cmRmOlNlcT4gPHJkZjpsaSBzdEV2dDphY3Rpb249ImNyZWF0ZWQiIHN0RXZ0Omluc3RhbmNlSUQ9InhtcC5paWQ6ODk3ODcyOTYtMmY0Ni1hOTQ4LWJiYmUtZWQ0MjFmNzcwMzFlIiBzdEV2dDp3aGVuPSIyMDE5LTA4LTE3VDIzOjI2OjQ2KzA4OjAwIiBzdEV2dDpzb2Z0d2FyZUFnZW50PSJBZG9iZSBQaG90b3Nob3AgQ0MgKFdpbmRvd3MpIi8+IDxyZGY6bGkgc3RFdnQ6YWN0aW9uPSJzYXZlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDpmODIzZDcwNi0zMWI1LTBlNDYtOTdjYi0wMjE2ZWNiZjZjNTQiIHN0RXZ0OndoZW49IjIwMTktMDgtMTdUMjM6MjY6NDYrMDg6MDAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCBDQyAoV2luZG93cykiIHN0RXZ0OmNoYW5nZWQ9Ii8iLz4gPHJkZjpsaSBzdEV2dDphY3Rpb249InNhdmVkIiBzdEV2dDppbnN0YW5jZUlEPSJ4bXAuaWlkOjQ5ODE1YjM4LWYwNmEtZjU0OC1hYWNmLTQ5Yzk4MzBiMjRjMyIgc3RFdnQ6d2hlbj0iMjAxOS0wOC0xN1QyMzoyNzo0MCswODowMCIgc3RFdnQ6c29mdHdhcmVBZ2VudD0iQWRvYmUgUGhvdG9zaG9wIENDIChXaW5kb3dzKSIgc3RFdnQ6Y2hhbmdlZD0iLyIvPiA8L3JkZjpTZXE+IDwveG1wTU06SGlzdG9yeT4gPC9yZGY6RGVzY3JpcHRpb24+IDwvcmRmOlJERj4gPC94OnhtcG1ldGE+IDw/eHBhY2tldCBlbmQ9InIiPz7heTAAAAAM1UlEQVR4nO3d73mi2hbHcXKf+x6mApkKZCqQqSCcCjQVxA7CVKCngmAFkgqCFQxWIFYwUEHui/Wc9XAVCRr/4Drfz6vEQNwg/tx7s8CHj48PBwBgy39u3QAAwPkR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7gBgEOEOAAYR7nevKIo4jsMwDMMwSZJbNwe4oCRJ5FCfz+dlWd66Ob3231s3AF9SFMX379/l58FgcNvGAFdQFMV2u12tVnEcF0Xhed6tW9RT9NzvW5qm8sPr62tRFJPJ5JatAS5sMpkURfHy8uI4TlVVeZ7fukX9ZS3ckyQJguDh4eHh4cH3/e4zFTLWm06nl23fuenI9KhYD/9xgRad+YnKspxOp77vy2saBEEcxy3jcR22x3HcuECWZS2vdZ7n4WcuGijyCa3b++kBrA1u3JzpdNp9/+vCXTZQF57P50c1aUdZlvrKdmmkuMKha8GHIePxeH8DR6NRl3WPWrg/pAtz7Ot4tVf/i0/0+/dv13X3X1PXdX///n1oFVlmMBg0LvD8/CwLPD8/7//1/f3907fM+/v7aZvzqeVy2bi94/H40Cra4MZDdzQadd//unCXDdSFXdf98+dP9ybteH191c3cbDZd2ll/isu9FgbYmXPPsmyxWDiO47puFEW+7zu1WQvcnaIowjCsqspxHNd1ZWiSJElVVVVVRVGU5/n+fGsQBK7rVlW13W7zPN/vD2ZZJj9EUdTy7K7rHupLXmiSN8/zv/76S34eDAYy/5CmaVVVi8XC87z9PnIfVFWVpunJ84H6csjPzCue060/Xc5Ge2TL5bL+eMfugKxLz/28vvJEOg4bDofaN9xsNnre+OXlpX3F2Wy286fNZiN/cl23cd2jep3nNRwO5anr/fT62KXxSL55z93ZGyQdtQ/rI5XHx8cu7fyg596NnTl3nSjc6ZFJFx53R0dd8/lcO8u+72sH9tBktB4A9V7hziN9m7RN03S9XjuOMxgM6tsVBIF2Zns7DN1ut6e1Lc9zGZmJ/dcLX2En3GFJlmXyth8OhztBHEWRdPe2221RFPvr6vIt4d4+J3N9Go77JyFbPqv647QpI91qGQdUVdXnbbw7hDv6SN/kjRPf+mBjuHuedygsNE36Fu4tQwodevbzmh35oF2tVicUEdUHZzuP4OvuO9y1Hqtev1WvWrtoaaNUrXme9/CPIAg6Vl7meR5FkazleV4URUVRJEkiNXB9mzS4ocZZNX3wUEevsberkwDD4bBvV75st1v5Yf/DzPf90Wg0Go2OKha8Gn2LHdt5L8tSZqIeHx/lNLhDuJ/VfVfL5Hm+Wq12Htx/5BKkQqA+Y+g4znq9fnp6yvO8/UCXQmBdt6qqt7e3t7e3E5ph9SKO9uH5p+dR9NMxTVMteD9qTqYsy8Y2eJ539pDVJzp0jXGXyYrGBl+hsy+V+NvtdrFYxHHc/RSX5ri8WGEYvr29yVTbUa8vPaFD7jvc6/eXmE6n0hGolypfqINWlqUm+3A4jKJIhg5xHFdV9ffff8t1N4dWj6JI1h2Px1EUpWkqFW+u68oR3/E9OZlM5P38+Pj49Y3qp9OSNAiCwWCw3W7X63VZlnIYHBXu6/X658+f+4+PRqPLzQt/5eT/oQZfQRzHT09PjuMkSXLo2rF9OzNREu6O46Rp2mXALa9vkiRlWXJLpWa3Ltc5m6OqvvbJuh0L4PTKi+FwWH98NpvJ4/tFeEqvsqkXfmn13qFrc1ra7OxVf3Zf8ai1TnDyE7WX5WkB6KFqyI/aLtWdI78eKoIUn17EdIkSya/UX3a56qrj/j+tFFIWlkkVuaCp4+boKvJr4/uiRf3qpy7L/wvdd8/9VsIwlCN4p6ulkyQtXW/9U304GQSBXIF11Dh6PB5Ll38+n/ftDOG5NJ4y7SKKItmlWZZFUXRsncxwOGycW+vbZL1qbLAOZy9tOp3++vVLLmjqMv7Q8x++7+tLI1efdZyflCGCXt2GfYT7KXzflyNYJjqzLCuKIssyPS3Wvq78UJ8uPy3CkiSZTCaLxeI6pxmuSTP05HCvT8vO5/NjK9w9z7v+ZO6hj3ZpSRAELedyGht8tY8iCXfHceI47jJJoss0zialadr+GVyWpbzXJpNJPy/c7YP7rpa5ITkp+u3bt58/f/769WuxWHRJdsdxfN+X82ZpmuqMoUy1t1zy3vLfjm35XWjfD5rULeHleZ6cipBzdL0tgnRqW9HYyy7LcrVanVZreDWe58k8WMcLmtrPW3x6VuPQFYuoI9xPkWXZjx8/pL88GAxGo9HLy8tyuVwul11Wl75GVVVPT0/fvn17enqSD4Y4jns76r8y3Q+NiaY93PbPgHrnXXKzh0WQzv9vxf5Ipc+ZXqenUj/tuRdFoZfjvtfo24eCyLMg3E+hZ/Nns5lMyMRxHEVRl+DI81xmCet31XBddzab3d0Nhy+n5SpTrY92Pgt37dbpyL23HT09P7m/vRr3/axzV1KP7zjOTn3wvvoUWV0URTKoPXTtMY5CuJ9Cw2UnjrvMNs7n86qqhsNhWZbaZ5G7lp+/oXdLahkdx6mqamev6q+fdsN1BkxnzHob7tqw/VJC3d7+F3R3rIPcqXCv0/1A5/3rCPcv0f6FVL5LeUYX6/Va7ukqv2ZZdi+j76vRKojpdKp9PRkk6eOf/pN6mg8Gg952fieTid4wZzKZyLyTfK+Izv719pNJhWHY5bseW05ut4zYcLRb12KezTXr3Ov3Ox2NRnqzVtX4RRDi0BdQiJavZWh0L7f8bdFSq17fscPhsP5rx1eqfhaky749Y9n4sepP7bruzkF16FKGm9/yd2fhevl5Y5O0wTvXiIg/f/7o6jvfAdL4T7jlbwt67qeYz+ca0KvVSmZpXNetnxE6VNbmeZ6UuDRG/GKx4HI7lWWZZtx6vdbZsNFo1HHYXu/t9rznKxdPyFFRVZVurOu6r6+vPW+80iHIIS1zMo7jeJ6nrzid9y+yU+c+mUy+MikpXeCOlYVBEMh9vuRI9X0/CAL5+qfZbCaxXhRF4yRAGIbb7XY8HtdvU16WZZ7ncsnJdDrteG62Ti+y70L7+5fW5YlaXjXP8/I8T5JEriRwHMf3/SiKjkq65+dnmfLqcnj4vn+1nbMvDEM5rrIsk6MoDEP5StVDq2iDG5c56k2hC3d5F7QsnCSJ7PDG/xMEgTT40IsYx7Gs3sO6pjtz66HDv0v7cFK/TKr7YFNvePDy8tIyjAXM2Gw2ejMlpmVaEO5XVf/65uVyWf/2OJ2sbL/5yY7NZlMfBbfMXwMG1MdVjbP2UA8f3c564Vzai2oGg0GapscWdaRpqjMP5y2Y636Tv2MXNoYddR1ytw/nAoe6PYT7Dcg88k7to+/7MsF6mzYd8PDw0H3hf/OxxI5C3xDuAGAQpZAAYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYBDhDgAGEe4AYND/APtlfDw1UiM8AAAAAElFTkSuQmCC

base64解密后保存为png图片，如

2、捉黑客

这道题考察日志审计,查看增加了root权限的用户

grep "Accepted " auth.log | awk '{print $1,$2,$3,$9,$11}'

由此可确定flag，

flag= mysq1+10:34:30 +172.16.5.143

3、老烟枪
这道题给了一个年轻明星吸烟的图片，应该考察的是图片的隐写,

发现有个flag.png图片，由此可得到flag，不过不处理图片直接看可能有难受，可以用ps将图片水平翻转即可以得到正常图片

4、表白
给了一个压缩包，压缩包里有个图片

给出图片一般是考查图片的隐写，我们用010编译器打开看看，改了它的高度

如红色部分以前是00，现在改为FF，保存再打开，发现

5、小明的求助

下载下来，发现打不开，提示文件错误。把它丢到010编译器上试试

zip头文件格式是50 4B 03 04，修改后再打开

这里使用爆破

解压后得到flag.txt,里面包含flag值

flag{5oiR54ix6buE6I6J6I2D}

Cryptography

1、小明家的小花园

根据提示可知考查栅栏密码