⭐HECTF
我真是又菜又沒時間肝題。。又又又只水了波簡單題。。。
⭐Reverse
1、Hello_Re
file查一波 32bit,拖進IDA中 老規矩shift+F12 查看字符串:
跳轉 F5查看
scanf("%s", &v4);
if ( strlen(&v4) == 25 && judge0(&v4, 26) )
puts("Congratulations! You found the flag!");
雙擊 judge0 進入:
if ( *a1 != 67 )
goto LABEL_12;
if ( a1[1] != 84 )
return 0;
if ( a1[2] == 70 && a1[3] == 123 && a1[24] == 125 && judge1(a1) )
result = 1;
else
LABEL_12:
result = 0;
return result;
可以看到: 最后解出來的flag 前四位鐵定是 ASCII為 : 76 84 70 123 最后一位為 125
即:
CTF{20個字符}
繼續雙擊judge1跳轉
for ( i = 0; i <= 25; ++i )
{
if ( *(_BYTE *)(i + a1) )
*(_BYTE *)(i + a1) ^= (_BYTE)i + 1;
}
for ( j = 0; j <= 25; ++j )
{
if ( *(char *)(j + a1) != arr[j] )
return 0;
}
return 1;
很顯然 arr[j] 是個關鍵數組,先是對數組a1進行異或處理,再把 把數組a1賦值數組arr。因此我們只要搞清楚
數組arr是什么,再對其進行一次異或處理即可。
雙擊進入,建議和Hex窗口結合起來看
【踩坑】以下是 IDA6.6老版本顯示,與我上面所用的7.0版本顯示不同。
一開始一直把空的那個 當成 ' ' 來處理,但是得到的flag是不正確的。后來經過版本考察,要當成 '',即6.6版本中的樣子。 最后腳本如下:
#include <stdio.h>
#include <stdlib.h>
int main() {
char arr[25] = {'B','V','E','','2','n','N','=','V',';','x','S','L','O','P','b','t','s','','K','s','!','V','','d'};
int i;
int a1[25];
for ( i = 0; i <= 25; ++i ){
*(char *)(i + a1)= arr[i];
}
for(i=0;i<=25;i++){
if(*(int*)(a1+i))
*(int*)(a1+i)^=(int)i + 1;
printf("%c",a1[i]);
}
return 0;
}
得到flag 為:
CTF{7hI5_1s_AA_real_f7Ag}
2、game1
file一波 發現是32bit ,拖進IDA 。shift+12查看字符串
點擊進入。 F5查看偽代碼:
int __cdecl flag(int *a1)
{
int result; // eax
signed int v2; // [esp+14h] [ebp-14h]
signed int i; // [esp+18h] [ebp-10h]
int v4; // [esp+1Ch] [ebp-Ch]
v2 = strlen(_data_start__);
for ( i = 0; i < v2; ++i )
{
if ( _data_start__[i] <= 96 || _data_start__[i] > 122 )
{
if ( _data_start__[i] <= 64 || _data_start__[i] > 90 )
LOBYTE(v4) = _data_start__[i];
else
v4 = (_data_start__[i] - 65 + a1[i % 5]) % 26 + 97;
}
else
{
v4 = (_data_start__[i] - 97 + a1[i % 5]) % 26 + 65;
}
_data_start__[i] = v4;
}
gotoxy(24, 5);
color(20);
if ( _data_start__[0] != 72
|| _data_start__[1] != 69
|| _data_start__[2] != 67
|| _data_start__[3] != 84
|| _data_start__[4] != 70 )
{
result = printf("No! you're cheating!");
}
else
{
result = printf("You win! The flag is %s ", _data_start__);
}
return result;
}
注意到 _data_start__ 是個關鍵。flag就在其中。 雙擊 查看,得到
bxukv{pW1SiFW_J0_jV}
很顯然 這是原始數據,也就是說 bxukv{pW1SiFW_J0_jV} 這串字符串經過編碼 變為flag
也很明顯, 最后驗證鍾 寫了開頭五個字符 其ASCII為 : 72、69、67、84、70 即為
HECTF
而 在上述編碼過程鍾,出現的a1[i % 5]恰好可以通過bxukv與HECTF相對應得到
搞清其原理,話不多說,直接上腳本:
data = 'bxukv{pW1SiFW_J0_jV}'
str = 'HECTF'
a1 = []
len = len(data)
for i in range(0,5):
m = ord(str[i:i+1:1])-65-ord(data[i:i+1:1])+97
if (m<0):
m+=26
a1.append(m)
得到 a1 [6,7,8,9,10]
data = 'bxukv{pW1SiFW_J0_jV}'
str = 'HECTF'
a1 = [6,7,8,9,10]
len = len(data)
flag =''
# for i in range(0,5):
# m = ord(str[i:i+1:1])-65-ord(data[i:i+1:1])+97
# if (m<0):
# m+=26
# a1.append(m)
for i in range(0,len):
n = ord(data[i:i+1:1])
if (n<=96 or n>122):
if (n <=64 or n >90):
flag+= chr(n)
else:
flag+= chr((n-65+a1[i%5]) % 26 +97)
else:
flag+= chr((n-97+a1[i%5]) % 26 +65)
print(flag)
跑出flag
HECTF{We1cOme_t0_Re}
⭐web
1、簽到
點進進入看到一個登錄界面
ctrl+u 查看源碼, 發現 <!-- 15970773575 --> 得到手機號碼 15970773575
之后,點擊 忘記密碼,跳轉到 /findpass.php 頁面。
也是查看源碼,發現發送驗證碼功能子虛烏有。 看來 四位數驗證碼 是爆破密碼的線索。
對其進行抓包, 爆破
於是 將 233 驗證碼輸入,便跳轉到 updatepassword.php 頁面
自己修改密碼,用新密碼登錄即可拿到flag
HECTF{a9a102c0c06fcf6c8072c30f0a52f1f2}
2、ezphp
<?php
error_reporting(0);
highlight_file(__file__);
include('flag.php');
$string_1 = $_GET['str1'];
$string_2 = $_GET['str2'];
if($_GET['param1']!==$_GET['param2']&&md5($_GET['param1'])===md5($_GET['param2'])){
if(is_numeric($string_1)){
$md5_1 = md5($string_1);
$md5_2 = md5($string_2);
if($md5_1 != $md5_2){
$a = strtr($md5_1, 'cxhp', '0123');
$b = strtr($md5_2, 'cxhp', '0123');
if($a == $b){
echo $flag;
}
else {
die('you are close');
}
}
else {
die("md5 is wrong");
}
}
else {
die('str1 not number');
}
}
else {
die('you are wrong!');
}
?>
you are wrong!
這里有兩個考點。 第一個就是得繞過
$_GET['param1']!==$_GET['param2']&&md5($_GET['param1'])===md5($_GET['param2'])
注意,這里是 !== 和 === 是強比較,我們可以利用數組繞過
即: error===error ,那么payload為:
param1[]=1¶m2[]=2
第二個考點就是md5比較
# is_numeric($string_1)
$a = strtr($md5_1, 'cxhp', '0123');
$b = strtr($md5_2, 'cxhp', '0123');
if($a == $b){
echo $flag;
}
得找到一個數 md5加密后 開頭是 ce 這樣就可以轉換到 0e
即: a與b均為 0e開頭 繞過相等
md5加密后以0E開頭:
- QNKCDZO
- 240610708
- s878926199a
- s155964671a
- s214587387a
- s214587387a
則:payload為:
str1=9427417&str2=QNKCDZO
最后的payload就是:
http://121.196.32.184:8081/index.php?param1[]=1¶m2[]=2&str1=9427417&str2=QNKCDZO
得到flag:
hectf{b0c65ccf32a96a1f8dc3326f16ed4498}
3、ssrfme
<?php
error_reporting(0);
highlight_file(__FILE__);
//try flag.php
function filter($url) {
$match_result=preg_match('/^(http|https)?:\/\/.*(\/)?.*$/',$url);
if (!$match_result)
{
die('url fomat error');
}
try
{
$url_parse=parse_url($url);
}
catch(Exception $e)
{
die('url fomat error');
return false;
}
$hostname=$url_parse['host'];
$ip=gethostbyname($hostname);
$int_ip=ip2long($ip);
return ip2long('127.0.0.0')>>24 == $int_ip>>24 || ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16;
}
$url = $_GET['url'];
if(!filter($url)){
echo file_get_contents($url);
}
?> url fomat error
構造payload:
?url=http://0.0.0.0/flag.php
得到:
flag{04f3eaef-ec7c-4a44-8b54-062cd19295f3}
⭐misc
1、簽到題
直播間即可。
2、png
下載得到一個png 放進010editor 發現最后有一串base64字符串
M2I3OWJkZjhmY2ZkNTVmZH0=
得到:
3b79bdf8fcfd55fd}
顯然是后部分的flag
接下來就是要尋找前部分。嘗試修改圖片高度-----
果然,前部分就出來了。
flag為:
flag{94ed7fdae8f504743b79bdf8fcfd55fd}
3、不說人話
很清楚得到 ook!編碼
..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... .....
!.!!! !!!!. !!!!! .?... ..... .!?!! .?... ..... ?.?!. ?..!. ?.... ...!?
!!.?! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... ..... ....! ?!!.? ..... .....
....? .?!.? ..... ...!. ?.... ..... ....! ?!!.? !!!!! !!!!! !!?.? !.?!!
!!!!! .?... ....! ?!!.? !!!!! !?.?! .?!!! !!!!. ?.... ..... !?!!. ?!!!!
!!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... .....
..... .?.?! .?... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!!! !!.?.
..... ..... ..!?! !.?!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!!!! !!!!! !!.?.
..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ...!. ?.... .....
!?!!. ?!!!! !!!!? .?!.? !!!!! !!!!. ..... ...!. ?.... ...!? !!.?. .....
?.?!. ?.... ..... ...!. ..... ..... ....! .!!!! !!!!! !!!!! !!!!! .....
....! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!!
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ..... ..... .....
..!.? ..... ..... ...!? !!.?! !!!!! !!!!! !?.?! .?!!! !!.!! !!!!! !!!!!
!!!!! ..... ..!.? ..... ..... ..... !?!!. ?.... ..... ..... ?.?!. ?....
..... ..... ....! .?... ....! ?!!.? !!!!! !?.?! .?!!! .!!!! !!!.? .....
..... ..... !?!!. ?!!!! !!!!! !!!!! ?.?!. ?!.?. ..... ..... ..... .!?!!
.?... ..... ..... ...?. ?!.?. ..... ..... ..... ..... ..... !.?.
HECTF{TH1s_1s_crypt0_914nda0}
⭐crypto
1、rsa
下載得到 n、e、c
n = 11419768903339716189261532371559705252086398275876008505047375123074727093589680611869748263351554093957968142343831331654606932684767042958427409579115435445187908134556329979271179879129295667476493886787230948520371350715808988496083694717544298343260369816980228394498856751096191942011545898984240281874509791880690092840536597771674772617299407710771426964764347566008897012753022763270832647775571317162594044338095870404550665457899223394942640876850692848671826594750236910363027949459768124646230555766323417693441861436560072288812137944884954974348317322412816157152702695143094487806945533233359294549423
e = 65537
c = 575061710950381118206735073806398116370706587076775765253483131078316908073202143802386128272374323616239083134747318254436706806781744501903333604772961927966747648954315962269321297121495398057938617145017999482722197661065698707836824505023856306403892307944203245563411961302499347604417024064678999003637933185177922884103362203639349298263339808508185861692596967147081382566246627668898774233029198694500565511361867375668367875805985660705137109665107860799277624050210666866958502948062330037309873148963011192405012811945540153592090345668265964477204465327474208098404082920129178960510763496025906621820
分解n得到p、q
跑腳本:
import libnum
from Crypto.Util.number import long_to_bytes
c = 575061710950381118206735073806398116370706587076775765253483131078316908073202143802386128272374323616239083134747318254436706806781744501903333604772961927966747648954315962269321297121495398057938617145017999482722197661065698707836824505023856306403892307944203245563411961302499347604417024064678999003637933185177922884103362203639349298263339808508185861692596967147081382566246627668898774233029198694500565511361867375668367875805985660705137109665107860799277624050210666866958502948062330037309873148963011192405012811945540153592090345668265964477204465327474208098404082920129178960510763496025906621820
e = 65537
q = 2499568793
p = 4568695582742345507136251229217400959960856046691733722988345503429689799935696593516299458516865110324638359470761456115925725067558499862591063153473862179550706262380644940013531317571260647226561004191266100720745936563550699000939117068559232225644277283541933064331891245169739139886735615435506152070330233107807124410892978280063993668726927377177983100529270996547002022341628251905780873531481682713820809147098305289391835297208890779643623465917824350382592808578978330348769060448006691307027594085634520759293965723855183484366752511654099121387261343686017189426761536281948007104498017003911
n = q * p
d = libnum.invmod(e, (p - 1) * (q - 1))
m = pow(c, d, n) # m 的十進制形式
string = long_to_bytes(m) # m明文
print(string) # 結果為 b‘ m ’ 的形式
#print(libnum.n2s(m)) #(n2s將數值轉化為字符串)
得到flag:
flag{8fb873baba0df4a6423be9f4bd525d93}
大佬們輕噴。。。下次一定一定一定好好肝!!!
【轉載請放鏈接】 https://www.cnblogs.com/Jlay/p/HECTF_2020_eywp.html