Litctf2024

本文最后更新于 2024年8月27日晚上

前言：抽空写了一下挺适合新生的，但是复现环境一直没上，把中途写了的先放上面，如果后期上环境会写一下，要不然就咕了吧。

Misc

涐贪恋和伱、甾―⑺dé毎兮毎秒

下载图片，尝试改宽高，binwalk无果，steg看看，调成000就出来了

每分每秒

你说得对，但__

下载扫一下，进入云原神，foremost得到四张图拼一下得到二维码

在word里面就可以

扫一下得到flag

原铁，启动！

类似flag的特殊文字，以前写过类似的

放图片对照

flag{good_gamer}

盯帧珍珠

010看一下是gif改一下，写个脚本出截图

Everywhere We Go

下载得到MP3

用aud看一下找到flag

where

舔到最后应有尽有

密文，看着眼熟一把梭

关键，太关键了!

jetnta{e_kess_ymu_imss}

猜测前面对应的是litctf，后面估计就是i_miss_you_什么,写个代码看出现词频

得到为b，最后为boss

Web

SAS - Serializing Authentication System

$a = new User('admin', 'secure_password');

// 序列化并编码对象
$b = serialize($a);
$b = base64_encode($b);
echo $b;

Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjg6InBhc3N3b3JkIjtzOjE1OiJzZWN1cmVfcGFzc3dvcmQiO30=

得到答案

exx

xxe构造，bp发包

exx

一个….池子？

测试为ssit,fenjing一把梭

浏览器也能套娃？

这题的话考察的是ssrf，这方面类型的题目之前没写过，相关的知识点也不太清楚。

先随机尝试看看

正常输入网站是可以的，尝试输入其他的看看

明显是ssrf，尝试绕过

1	`file:///flag`

或者用伪协议绕过

1	`php://filter/resource=/flag`

得到flag

高亮主题(划掉)背景查看器


<?php

// 文件包含漏洞演示

if (isset($_GET['url'])) {

    // 读取并包含用户输入的文件

    $file = $_GET['url'];

    if (strpos($file, '..') === false) {

        include $file;

    } else {

        echo "Access denied.";

    }

} else {

    echo "No file specified.";

}

?>

看着像文件包含啊，匹配是否有..，试了一会没出，抓个包看看

给theme输入flag,会有报错回显，那估计就是通过这个来具体在那一层需要挨个试

背景1

得到flag

百万美元的诱惑

 <?php
error_reporting(0);

$a = $_GET['a'];
$b = $_GET['b'];

$c = $_GET['c'];

if ($a !== $b && md5($a) == md5($b)) {
        if (!is_numeric($c) && $c > 2024) {
            echo "好康的";
        } else {
            die("干巴爹干巴爹先辈~");
        }
    }
else {
    die("开胃小菜))");
}
开胃小菜))

简单的分析一下传三个值，a和b是个很常规的MD5弱比教，c是利用php的特性就可以绕过

方法1：数组绕过

1	`?a[]=1&b[]=2&c=2025a`

方法2：积累字符串

1	`?a=s878926199a&b=s155964671a&c=2025a`

跳到第二页面


<?php
//flag in 12.php
error_reporting(0);
if(isset($_GET['x'])){
    $x = $_GET['x'];
    if(!preg_match("/[a-z0-9;`|#'\"%&\x09\x0a><.,?*\-=\\[\]]/i", $x)){
            system("cat ".$x.".php");
    }
}else{
    highlight_file(__FILE__);
}
?>

很常见的无字母数字绕过，只要构造12就可以了

我尝试了异或和自反失败了，应该用的是linux的特性构造自增

可以看看这篇文章，好多题这篇都可以解决

文章，按照图片然后往后加就行

dollar

1	`$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))`

最后看一下源码得到flag

Crypto

small_e

gpt一把梭

import gmpy2
from Crypto.Util.number import long_to_bytes

n = 19041138093915757361446596917618836424321232810490087445558083446664894622882726613154205435993358657711781275735559409274819618824173042980556986038895407758062549819608054613307399838408867855623647751322414190174111523595370113664729594420259754806834656490417292174994337683676504327493103018506242963063671315605427867054873507720342850038307517016687659435974562024973531717274759193577450556292821410388268243304996720337394829726453680432751092955575512372582624694709289019402908986429709116441544332327738968785428501665254894444651547623008530708343210644814773933974042816703834571427534684321229977525229
c_list = [438976, 1157625, 1560896, 300763, 592704, 343000, 1860867, 1771561, 1367631, 1601613, 857375, 1225043, 1331000, 1367631, 1685159, 857375, 1295029, 857375, 1030301, 1442897, 1601613, 140608, 1259712, 857375, 970299, 1601613, 941192, 132651, 857375, 1481544, 1367631, 1367631, 1560896, 857375, 110592, 1061208, 857375, 1331000, 1953125]

flag = ""

for c in c_list:
    m, exact = gmpy2.iroot(c, 3)  # 求立方根
    if exact:
        flag += long_to_bytes(m).decode('utf-8')
    else:
        print("解密失败，密文可能过大或不是精确的立方")

print(flag)

common_primes

gpt一把梭

from Crypto.Util.number import long_to_bytes, inverse, GCD
import gmpy2

# Given values
n1 = 63306931765261881888912008095340470978772999620205174857271016152744820165330787864800482852578992473814976781143226630412780924144266471891939661312715157811674817013479316983665960087664430205713509995750877665395721635625035356901765881750073584848176491668327836527294900831898083545883834181689919776769
n2 = 73890412251808619164803968217212494551414786402702497903464017254263780569629065810640215252722102084753519255771619560056118922616964068426636691565703046691711267156442562144139650728482437040380743352597966331370286795249123105338283013032779352474246753386108510685224781299865560425114568893879804036573
c1 = 11273036722994861938281568979042367628277071611591846129102291159440871997302324919023708593105900105417528793646809809850626919594099479505740175853342947734943586940152981298688146019253712344529086852083823837309492466840942593843720630113494974454498664328412122979195932862028821524725158358036734514252
c2 = 42478690444030101869094906005321968598060849172551382502632480617775125215522908666432583017311390935937075283150967678500354031213909256982757457592610576392121713817693171520657833496635639026791597219755461854281419207606460025156812307819350960182028395013278964809309982264879773316952047848608898562420
e = 65537

# Compute gcd of n1 and n2 to find shared prime p
p = GCD(n1, n2)

# Compute the other primes q1 and q2
q1 = n1 // p
q2 = n2 // p

# Compute phi values
phi_n1 = (p - 1) * (q1 - 1)
phi_n2 = (p - 1) * (q2 - 1)

# Compute the private keys d1 and d2
d1 = inverse(e, phi_n1)
d2 = inverse(e, phi_n2)

# Decrypt the messages
m1 = pow(c1, d1, n1)
m2 = pow(c2, d2, n2)

# Convert the long integers back to bytes
message1 = long_to_bytes(m1)
message2 = long_to_bytes(m2)

# Check if the messages are equal
if message1 == message2:
    print("Decrypted message:", message1.decode('utf-8'))
else:
    print("The decrypted messages are different.")
    print("Message 1:", message1.decode('utf-8'))
    print("Message 2:", message2.decode('utf-8'))

ctf

#ctf #ssrf #ssti #xxe

Litctf2024

http://example.com/2024/06/01/litctf2024/

作者

orange

发布于

2024年6月1日

许可协议

Polarctf2024夏上一篇

ciscn2024 下一篇