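WxMCTF '24

I've been busy preparing for my graduate school re-examination lately, and when I can't get any studying done I play some CTF. I'm still weak, so I only wrote up the challenges where I had an idea at first glance; this is just a record. They are all fairly simple. Some of the challenge attachments are saved on my network drive. The web challenges come with Dockerfiles, which is very considerate, and the pwn challenges come with source code.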

Web 2 - Compiler

RE1
def split_string_by_length(string, length):
    return [string[i:i+length] for i in range(0, len(string), length)]

string =  "000100011001000100100000000100001001000010011001000100010110000100000010000100100011000001100110000001001001000100010000000010010111000100010100000100100001000010010101000010000010000001010001000100011000000001010001000100010100000100010101000001001001000100010000000100000011000010010101000001010010000100010110000010010101000001001001000100010110000100010101000010010101000001110000000001001001000100010000000001010001000100010101000100010110000100100101"
length = 4  # each 4-bit group is one binary-coded decimal (BCD) digit
result = split_string_by_length(string, length)
num = [str(int(nibble, 2)) for nibble in result]

# Every three decimal digits form the ASCII code of one character
for i in range(0, len(num), 3):
    a = "".join(num[i:i+3])
    print(chr(int(a, 10)), end="")

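Attachment link: Baidu Netdisk, extraction code: idju
If anyone finishes reproducing the web challenges, remember to send me a blog link so I can learn from it too.

Addendum: Crypto

1. whitespace + pikalang
Whitespace decoding site: (link)
pikalang:

pip install pikalang

import pikalang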

sourcecode = """
    pi pi pi pi pi pi pi pi pi pi pika pipi pi pipi pi pi pi pipi pi pi pi pi pi pi pi pipi pi pi pi pi pi pi pi pi pi pi pichu pichu pichu pichu ka chu pipi pipi pipi pipi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pi pikachu ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka ka ka ka pikachu pi pi pikachu ka ka ka ka ka ka ka ka ka ka pikachu ka ka pikachu pi pi pi pi pikachu pi pi pi pi pi pikachu ka ka ka pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pi pi pikachu pi pi pi pi pikachu pichu pichu pichu pikachu 
    """

# or use sourcecode = pikalang.load_source("FILENAME.pokeball") to load from file

pikalang.evaluate(sourcecode)

Crypto 1 - whitespace + pikalang
Crypto 2 - RSA with a common prime among past keys and n
Crypto 3 - greedy algorithm, brute force until you get lucky
Crypto 4 - ECC: test possible (x,y) pairs, find the one with the highest order, then apply ECDH to obtain the shared key with the provided key values
Crypto 5 - The pseudo-AES scheme has no diffusion, so you can do a lookup and solve everything in just 256 queries

1. Web 3 - Brawl: The Heist

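One more challenge to add; this one requires analysing the source code.
This challenge tests server-side parameter pollution.
References: https://portswigger.net/web-security/api-testing/server-side-parameter-pollution
https://cloud.tencent.com/developer/article/1516333
Here the first request is handled by the Flask framework; a Flask server takes the value of the first occurrence of a parameter.
The second, local request is handled by PHP; a PHP/Apache server takes the last value. So we construct a payload, and in this way the Flask condition check can be bypassed.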
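
Added example, not from the original post or the challenge source: it reproduces the first-value versus last-value parsing difference described above with the standard library and shows a front-end check that removes it. The parameter name "item" and the sample query are constructed, and PHP's array and key-rewriting rules are not modelled.

```python
from urllib.parse import parse_qsl, urlencode


def first_wins(query):
    """Pick values the way Flask's request.args.get() does: first occurrence."""
    values = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        values.setdefault(key, value)
    return values


def last_wins(query):
    """Pick values the way PHP's $_GET does: a later occurrence overwrites."""
    return dict(parse_qsl(query, keep_blank_values=True))


def duplicated_keys(query):
    """Return the parameter names that appear more than once."""
    keys = [key for key, _ in parse_qsl(query, keep_blank_values=True)]
    return sorted({key for key in keys if keys.count(key) > 1})


def safe_forward_query(query):
    """Hardened front end: reject duplicates, then forward a query rebuilt
    from the values that were checked, never the raw client string."""
    dups = duplicated_keys(query)
    if dups:
        raise ValueError(f"duplicate parameters rejected: {dups}")
    return urlencode(first_wins(query))


if __name__ == "__main__":
    # Constructed query string; the parameter name "item" is hypothetical.
    raw = "item=allowed&item=restricted"
    print("front end (first wins):", first_wins(raw))
    print("back end (last wins): ", last_wins(raw))
    try:
        safe_forward_query(raw)
    except ValueError as exc:
        print("hardened front end:", exc)
```

The two parsers disagree only when a name repeats, so rejecting repeated names or forwarding a re-encoded query closes the gap between what the front end validated and what the back end acts on.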