LoRexxar's Blog

hctf_game_week1_writeup

2016/02/18

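During the holiday I finally had some free time, so together with friends from the association I organized a fairly simple CTF competition for the younger students at our school. I am posting the writeup for each round here, for review and study.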

WEB

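WEB from 0: PHP Code Audit 0 POINT: 100 DONE

Challenge ID: 55
Challenge description: http://ctf.lazysheep.cc:8081/web1.php
Hint: Prerequisite skill: PHP

The original version of this challenge is fuck=== from hctf2015; the idea for it comes from http://www.secbox.cn/hacker/1889.html.
payload: ?a[]=adsa&b[]=dsadsa
The === check passes here because in PHP md5 cannot process an array and returns null, and null==null, so the flag is returned.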

MISC

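MISC Driving Skills, Subject One POINT: 100 DONE

Challenge ID: 36
Challenge description: If you want to master MISC, come and start your Subject One! Link: http://pan.baidu.com/s/1c1c7fiC Password: cyyd
Hint: Pfft, what sites have they all been visiting?

Subject One is fairly simple and similar to the earlier traffic-analysis challenges: it comes down to a plaintext HTTP request, and a careful look finds it quickly. The flag also gives you the entrance to Subject Two.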

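MISC Driving Skills, Subject Two POINT: 100 DONE

Challenge ID: 37
Challenge description: Those who have passed Subject One, come over to Subject Two. Get on the road early and strive to be one of China's good drivers.
Hint: None

Once you find Subject Two, it turns out to be an image. Here we use a Linux tool, binwalk, which shows that the image is several files merged together. foremost then splits everything apart, which yields a QR code containing the flag; scan it to get the flag.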
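
How a signature scan exposes files appended to an image, as an added Python 3 example (not part of the original writeup and not binwalk's or foremost's own code). The signature table is a small subset and the sample blob is constructed for illustration.

```python
# Added example: minimal magic-byte scan, the idea behind a binwalk-style
# signature search. Short signatures (JPEG is 3 bytes) can match by chance,
# so every hit should be confirmed by parsing the carved data.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
}
PNG_IEND = b"IEND\xaeB`\x82"  # IEND chunk type followed by its fixed CRC

def scan(blob):
    """Return sorted (offset, kind) for every known signature in blob."""
    hits = []
    for kind, magic in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def trailing_data(blob):
    """Bytes that follow the end of a leading PNG stream (b'' if none)."""
    end = blob.find(PNG_IEND)
    if not blob.startswith(SIGNATURES["png"]) or end == -1:
        return b""
    return blob[end + len(PNG_IEND):]

def carve(blob):
    """Split blob at each signature hit, like a much simplified foremost."""
    hits = scan(blob)
    bounds = [off for off, _ in hits] + [len(blob)]
    return [(kind, blob[bounds[i]:bounds[i + 1]])
            for i, (_, kind) in enumerate(hits)]

# Constructed sample: a stub PNG (signature, filler, empty IEND chunk)
# with the start of a ZIP local file header appended.
SAMPLE = (SIGNATURES["png"] + b"\x00" * 16 + b"\x00\x00\x00\x00" + PNG_IEND
          + b"PK\x03\x04flag.png")

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(trailing_data(SAMPLE))
```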

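MISC from 0: Encoding 1 POINT: 75 DONE

Challenge ID: 49
Challenge description: Can't solve the veterans' challenges? Here is an easy one for you..
http://ctf.lazysheep.cc:8081/misc1.html
Hint: The whole base family. Veterans, don't snatch the first three bloods from the freshmen~

This one is the whole base family. So far I don't seem to have seen anyone solve it any way other than with Python, though implementing it in your own code should work too.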

import base64

# Python 2: wrap the text in Base64, then Base32, then Base16
bb64 = base64.b64encode('xxxxx')
bb32 = base64.b32encode(bb64)
b = base64.b16encode(bb32)
print b

澶ф灏辨槸杩欐牱鈥

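MISC from 0: Traffic Analysis 1 POINT: 75 DONE

Challenge ID: 53
Challenge description: http://ctf.lazysheep.cc:8081/misc1.pcap
Hint: No hint yet

This is closer to a typical traffic-analysis challenge. You can see that the last HTTP request asks for a zip file containing the flag. You then need Wireshark plus a hex editor to carve that file out; tutorials for this are generally easy to find online, so I won't go into the details.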

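CTF coding step1 POINT: 50 DONE

Challenge ID: 47
Challenge description: Is playing CTF just a matter of picking up tools? No, no, no, you also have to write a lot of code. This series is meant to get you familiar with CTF-style programming challenges; for the specific requirements, read the challenge. のの It is just to make you read a bit more English!
nc 115.29.77.78 9979
Hint: repr

Connecting with nc shows that it asks you to compute math expressions, so let's start writing code.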

# Python 2
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('115.29.77.78', 9979))

# Read twice; the first expression starts at byte 945 of the second read
# and ends at the next '='.
sock11 = sock.recv(1024)
print sock11
sock11 = sock.recv(1024)
print sock11
pos2 = sock11.find('=', 950)
# Note: eval() executes whatever text the server sends
sendr = eval(sock11[945:pos2])
print sendr
sock.send(repr(sendr) + '\n')  # every answer must end with '\n'

while 1:
    sock11 = sock.recv(1024)
    if not sock11:  # server closed the connection
        break
    print sock11
    pos = sock11.find('=')
    i = sock11.find(']')
    if i != -1:
        # Expression follows a ']' prefix; '\xc3\x97' is the UTF-8 multiplication sign
        sendr = eval(sock11[i+2:pos].replace('\xc3\x97', '*'))
        print sendr
        sock.send(repr(sendr) + '\n')
    else:
        sendr = eval(sock11[:pos])
        print sendr
        sock.send(repr(sendr) + '\n')
sock.close()

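Since this was my first time writing socket code, I still stepped into quite a few pitfalls. First, the file must not be named socket.py, otherwise it will not compile (the script then shadows the standard socket module on import). Second, every send must have '\n' appended, otherwise there is no next step. Try it yourself...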
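
The solver above passes server-supplied text to eval(), so the server decides what code runs on the solver's machine. An added Python 3 example (not the author's code) that computes the same answers from a whitelisted AST instead; the "[n] a × b = ?" line shape is inferred from the script, and the sample lines are constructed.

```python
import ast
import operator

# Added example (Python 3). The question format is an assumption inferred from
# the solver above; the sample lines are constructed, not captured traffic.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_LEN = 200  # caps the work done per line

def _eval(node):
    """Walk the AST and allow only integer literals and + - * operators."""
    if isinstance(node, ast.Expression):
        return _eval(node.body)
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_eval(node.left), _eval(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval(node.operand))
    raise ValueError("disallowed syntax: " + type(node).__name__)

def solve_line(line):
    """Return the answer for one question line, or raise ValueError."""
    if "=" not in line:
        raise ValueError("no '=' in line")
    expr = line.split("=", 1)[0]
    if "]" in expr:                      # drop a leading "[n]" counter
        expr = expr.split("]", 1)[1]
    expr = expr.replace("\u00d7", "*").strip()  # U+00D7 multiplication sign
    if not expr or len(expr) > MAX_LEN:
        raise ValueError("empty or oversized expression")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not an expression") from exc
    return _eval(tree)

# Constructed lines: two ordinary questions and one hostile server response.
QUESTIONS = ["[3] 12 \u00d7 7 = ?", "1 + 2 * (3 - 5) = ?"]
HOSTILE = "__import__('os').system('id') = ?"

if __name__ == "__main__":
    for q in QUESTIONS:
        print(q, "->", solve_line(q))
    try:
        solve_line(HOSTILE)
    except ValueError as err:
        print("rejected:", err)
```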

crypto

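Cryptography from 0: 1 POINT: 20 DONE

Challenge ID: 50
Challenge description: http://ctf.lazysheep.cc:8081/cry1.html
The flag is not in the standard format; just submit the plaintext you decode. The flag is all uppercase.
Hint: This one is easy and shouldn't need a hint

Open it and you see a pile of dots and dashes, so you know it is Morse code. A quick search turns up all kinds of decoders.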

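Cryptography from 0: 1.1 POINT: 150 DONE

Challenge ID: 54
Challenge description: http://ctf.lazysheep.cc:8081/cry2.html
Do you know the mystery of 01?
Hint: This is no classical cipher anymore

Open it and you see 0101. The first reaction is to check how many bits there are; if the count is divisible by 8, it most likely needs converting to ASCII codes, so let's write some code.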

import binascii
# Python 2; open in binary mode so the decoded bytes are written unchanged
f = file('./test','wb')
str11 = '10001001010100000100111001000111000011010000101000011010000010100000000000000000000000000000110101001001010010000100010001010010000000000000000000000000101100100000000000000000000000000011001000001000000001100000000000000000000000001111100000111010100000011011000000000000000000000000010100111101010010010100010001000001010101000111100010011100111011011001110011001111010010111001101101001001000110001100011110111111110110011110111000011111101000001101000001001011001001001000101100011110000011001000001011010100010010110001011100010100110111010000010100001111010111010001011010110110000010101000110110010001000101100110111100000001101110111101100010000010101100001010011010000111111000100000101001011010100010100000110101110100100101110001111010110100100001111000001000011011100101100100000001101110101001010100101101101101100001000111010100001111101001010011110100001000010101010101000101011000001011110100101011000001100110100100001101100100110001010101110000001010111100010001111110010000111011001100110011111011001000110010011001101111110111101001100000110111111100111100111011111011001101100001100110011110000011110000010011011010001101111110111100111100111011110110010011100110001110111100111111110011100111010111100101001011000000111000010110010011010011000001000100000100110100011110001001111100111101011010010100111011010000000001000000110010001000000010000100010011010010100100000001000010001001101001010010000000100001000100110000101000000000010000100110011001010100000000001000010010001100101010000100000100001001000110010001000010000010010100100011001000100001000001001010010000100100000000100100100101001000000010000100010011010010100100000001000010001001101001010010000000100001000100110000101000000000010000100110011001010100000000001000010010001100101010000100000100001001000110010001000010000010010100100011001000100001000001001001001000000100011111001011110110011001000000010011101101100100110011100100011001101000010110110001101001010110111101101111000000010010001000100
00011110110000011011111010100011000011110100111010011011111010100110101100100100111011111101101000111101101101110011011001110000011110011011011101101000001000101001011111110010111000101111100010001101000110111111000111101100110101100001101000111110101000110011011101101101111001101111000011101111011110100000100100011000011111001000110101000010110010011000011001101011000010111101011111110100011010111010101111101001001010010001001101010001001101101111101110001110010011111100011100110010111110100010100110100111000011100010001111100111100110010011111100111101110111011100000000001100011001011110001111011001110111000101110101000001111001101110100010101000011001101110001011100111001111111010100111111101001000110111000110100100111001010010111000010100010110011001010111111101010000010111111101111110001101000010000011110101110100111111110010111011100101111011010000001101000100001111100110000000110011110101101011111101110110001111110010110001100011100101000000000111101110111101111100000110110010101110111010111101110001110111001110111111110111101110000010001000010011011100011001001001010110000011010111011010110101111110000110101100111111111000101011100010011011110011001110101000001111000001111111000110010101011111111010111100111100001111111101100101110001010010100110000111100101110111000100100000000100010100010111110010100010111001110111001101000010000100010110010111100011110000000001010100101110001111001110110001010110110000110010100111101101111111010000100001110101111001100010001010101010111000101111001111110100000001110000011111110000110011001001110001000110111011011000111101101010100101011011001101001000110110010000011010111001001111001111011000001010101011101011111000100111111011111000011110000000100101011100111010101111000001111010001100111001101100001011011100110000000111100011110001101011101110011001001100001111010000010000100111000100000001111011101100110000111101011011100110100001111110011100010110001001101110111100110111000111100011111010010000011011000100001010010000
10000111111000011010010110001010110110010010110010100001011110100010011111011101001101010111101011001100101011001101100110111010010001111111000010010011101111001101110110100000000110100100011100010010010111011001001111001100100011000001010001001010101001011010111101111001000000010000010010011011001110001110110000100011101111100100110100101111101011111010000000111101010101101011110101011001001101010101101010111011111011010001101111010101110110111101101011111011011010011011010011001011010010111000101011010011101100110101110111111110000000111101111000110001000001011011110001010101001111111101100001110001011111110111011101000111001101110111000001111000000011101110101101110101100010100000000101110101101111000000001101010001000111111111000110111100100000011110001011010001111011100011010101101010010011011011010111011111110010001001001111110010010110111011100011100010011110000010110001111001110110001110001011101010101100101010011001110000100001101011011101100111010111101101111001001100001010100010111100001001010011001110110000000111000001100101011111010101111011101111101110000101110110000101111100110011110010100000111101010110100001101100110111010010011111001100111011001001000010111000111100100110001100101101101001001001011000100110010110001010000101111101001011000010110010011001001111000100011011101101010100001111011111001010110101110110110011101111101101010110100011100110011010100001101011010111110100001100100111001101101011011111111110111001100100100010011100011100101001011011111010011101011000000001111111011010101001011011010111011001010001101100100100101000111000110011000111011101001111110001101011001000101111011101111110001010111001101100101101110001111001000111001000100111001000000100110111001111001110000000111010010101000110111101010101001001111111110101111101111110000100100001101010110111011100111000010011000110000110001000111001010010010111110001001110010100001011100000011001110011011100000110100100011011101100101111101100000001000001111011100110110010110001111011
01011010110011001010100001000000110111110010101011010000101111001110010000100101011011011001100101011100000101000111000000111101101000101111000111101100010110100111110110110100101110100000000101101110111011010011101111001011111011001100000100111110101111100111101001100111010011010010101110110001000110111100111100110111100110111001011101100111111001010110000010100111001011100011000111000001011001111111011000111100111010011001001010111100101000010111011101110110010101100001111010100100100110101010010101010001000001000111110100110011000000111111110000110011111110101010011111110011111011001111001001011001010111110010110010000100101111110100011110011101100111101100001100100010101110001011100111001010000100110000110101010011110101100010111011000000001010101100011011010110011100011000001110011011010110000101100001101110111010010110010000111100000011010011100001100000111111111110000011011001000110111110110001110111111110010111000101111010010100010111110010011011101111011000101101100111011101110110001110101100001111001000001000110111001000110101111011101101000000001100001110011000011110011010101000011111100001101000110000011101001011100010000100011100000101010001010100110100010110001001110001110011011101001010001110111100110111011100100101010000000110101000010110110000110010011011110011111001100010010001101100111000011000111110001111101001011001110101111110111100110100101010111011011011111011000000101101101001100110010100000010101100110111111110111110100010110101010011100000001110111111100000100011011001001010110010101101000000010000011110100110001001100111001111100011010111000001111001100110101111110010110110001010010011100101111010010110110100101110000000000101001101111011100101000110111001001001111110010010000010011110101010011001011010000100100000010101100011011010001110001011001000010101001011011000110011101100100011010111110101100111000011001100100111110011001110011000111101101111110110000001000100010100000000011101100001110100001010110100101011001001011001111110001110
11001001001010001010010010111010111001011001101001000011011001000011101011111011110100001111011001111000001000101110010001010011010001111110110100100101010001101010101111001010000010101011011100001001110101100011001011100011010111001110110001110110100111101101000011110101111000101100100100111111110001001011110110111111101011011011000110000100010010100011011011100000100111000111111000110010111000010011011001101010110011001101100001101111010001110011001111110101110011001110110110110001101101100000111000001111101011111100111000011011010110000111001111100010001010010111110111001100010111010001111010010000101111100011111101101110100111101011110101011011101111010011100111100111011110111001101010111001101110001001001001001100100011111011111101101100010100000111110001100110000010111001101100101111010111110000000001011000111110010101101010101111100001111110100100100111000010110001110101011100010111111000111010110000011111110110011111011100011001000001101100111111110000101100101000011111011111000100110101000011101100010110110010010011110010000000110000100011101111011000010100001010100101111001110111001110011100000101101100111110100101001000011101100101110000100100100011011010100001000000000100101000111110011000010101101111111100001001101111110000011000111010111011100011000110001110110111011010110010111111101100111101010010101111011011011100010110101001110100011101001011101010000000111100001111010000000000111000111100011100011100010100110010111111001010101101011110111101011111010111111010001001110110011011111001110101011001100110011010010110001010001011111011010111111000111010010110001001111111111100010110101100010110001010000100111110100001000101011111111100010011010000111010111011111101000101110010000000011111010111100110100110111110100110111100111001100001011111111111010001010110000011000111101011110001111001111101001010110110100011010010110110010110011011111101000011001010101111011110001100101010110011000100011000110101100111110111010001000101001100010001011001001110110100
11111011100100101001010111011111101000111010011111001110110010101011101100101100101110001111111001000111011101101100101101110110010111111111011111011000011000101011111000111110011011000101000111111100000101101100110011001000100111001111110100000101011010111111111111111000110001011100010001000010100100000111111001000001110111111000001010000110000110011101110110010011101100010110100011001110011010010101100100100001000100110100010000111001001011010111011100001110010011001001000001110110000100000001000010001001101001010010000000100001000100110100101001000000010000100010011000010100000000001000010011001100101010000000000100001001000110010101000010000010000100100011001000100001000001001010010001100100010000100000100101001000010010000000010010010010100100000001000010001001101001010010000000100001000100110100101001000000010000100010011000010100000000001000010011001100101010000000000100001001000110010101000010000010000100100011001000100001000001001010010001100100010000100000100101001000010010000000010010010010111111000000111110010101111000111110000110011110111101010111110101111011100011110000000000000000000000000000000000100100101000101010011100100010010101110010000100110000010000010'
# 11184 bits in total: turn each group of 8 bits into one byte
for k in xrange(0, 11184, 8):
    stt = str11[k:k+8]
    f.write(chr(int(stt, 2)))
f.close()

I suddenly realize how long that is... What comes out is an image. Got it!

pentest

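lightless&aklis's Pentest Classroom-2 POINT: 75 DONE

Challenge ID: 45
Challenge description: http://120.27.53.238/pentest/02/http-header.php
Hint: Mozilla/5.0 (iPhone; CPU iPhone OS 9_0 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13A344 Safari/601.1
xff: 127.0.0.1

The pitfalls have all been stepped on already; if you still can't solve it, there is nothing more to be done. Remember to change it to iOS 99; the one in the hint is for iOS 9…

Remember to read the docs!!!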
