web
easyphp
右键查看网站源码
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
</head>
<body>
<!--
index.php
<?php
// Challenge source (index.php) as shown in the HTML comment of the page.
// The "flag" is read from the file named by $flag and compared with the
// user-supplied `gift` parameter.
$flag='xxx';
// extract() registers every GET parameter as a local variable, so a request
// can overwrite $flag (and any other variable) before it is used below.
extract($_GET);
if(isset($gift)){
// When the file cannot be opened, file_get_contents() emits a warning and
// returns false, which trim() turns into '' (see the warning reproduced
// further down this page).
$content=trim(file_get_contents($flag));
// Loose comparison (==): an empty `gift` matches an empty $content.
if($gift==$content){
echo'flag'; }
else{
echo'flag has been encrypted';}
}
?>
-->
</body>
</html>
发现hint 存在flag这个文件 读入到content
输入 gift，如果 gift 等于 content 则输出 flag
尝试访问
http://10.112.163.9:8888/web2/index.php?gift=
返回
Warning: file_get_contents(xxx): failed to open stream: No such file or directory in /var/www/html/web2/index.php on line 6
flag is OHCG{82s5r276o3006q2054048p6799op543q}
根据提示 flag has been encrypted
所以猜测flag被某种方式加密
猜测为凯撒加密
用工具爆破了一下
PIDH{82t5s276p3006r2054048q6799pq543r}
QJEI{82u5t276q3006s2054048r6799qr543s}
RKFJ{82v5u276r3006t2054048s6799rs543t}
SLGK{82w5v276s3006u2054048t6799st543u}
TMHL{82x5w276t3006v2054048u6799tu543v}
UNIM{82y5x276u3006w2054048v6799uv543w}
VOJN{82z5y276v3006x2054048w6799vw543x}
WPKO{82a5z276w3006y2054048x6799wx543y}
XQLP{82b5a276x3006z2054048y6799xy543z}
YRMQ{82c5b276y3006a2054048z6799yz543a}
ZSNR{82d5c276z3006b2054048a6799za543b}
ATOS{82e5d276a3006c2054048b6799ab543c}
BUPT{82f5e276b3006d2054048c6799bc543d} //flag
CVQU{82g5f276c3006e2054048d6799cd543e}
DWRV{82h5g276d3006f2054048e6799de543f}
EXSW{82i5h276e3006g2054048f6799ef543g}
FYTX{82j5i276f3006h2054048g6799fg543h}
GZUY{82k5j276g3006i2054048h6799gh543i}
HAVZ{82l5k276h3006j2054048i6799hi543j}
IBWA{82m5l276i3006k2054048j6799ij543k}
JCXB{82n5m276j3006l2054048k6799jk543l}
KDYC{82o5n276k3006m2054048l6799kl543m}
LEZD{82p5o276l3006n2054048m6799lm543n}
MFAE{82q5p276m3006o2054048n6799mn543o}
NGBF{82r5q276n3006p2054048o6799no543p}
OHCG{82s5r276o3006q2054048p6799op543q}
因为提示flag格式为BUPT所以得到flag
BUPT{82f5e276b3006d2054048c6799bc543d}
计算题
题目提示 1s中回答随机产生的数学题
运算符号不发生改变，所以用 python 先取出需要运算的数，然后进行运算，最后 POST 提交即可
EXP
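"""Solve the `web1` arithmetic challenge.

Fetch the page, evaluate the expression it shows (without eval()), and POST
the answer back as form field ``v`` within the one-second limit.

Runs under both Python 2 (urllib2) and Python 3 (urllib.request).
"""
from __future__ import print_function

import re

try:  # Python 2
    from urllib import urlencode
    from urllib2 import urlopen
except ImportError:  # Python 3
    from urllib.parse import urlencode
    from urllib.request import urlopen

URL = 'http://10.112.163.9:8888/web1/index.php'

# The challenge only changes the numbers, never the operators, so the
# expression always has the shape  a*b+c*(d+e).
# NOTE(review): this shape is reconstructed from the original script's index
# arithmetic (splits on '*', '+', '(' and ')'); confirm against a live page.
_EXPR = re.compile(
    r'(\d+)\s*\*\s*(\d+)\s*\+\s*(\d+)\s*\*\s*\(\s*(\d+)\s*\+\s*(\d+)\s*\)'
)


def compute_expression(page):
    """Return the integer value of the a*b+c*(d+e) expression found in *page*.

    Args:
        page: text of the challenge page.

    Returns:
        a*b + c*(d+e) as an int; the numbers are parsed with a regex, so no
        page content is ever evaluated as code.

    Raises:
        ValueError: if no expression of the expected shape is present.
    """
    found = _EXPR.findall(page)
    if not found:
        raise ValueError('no a*b+c*(d+e) expression found in page')
    # The original script took the last <br/>-separated segment, so prefer
    # the last match when the page shows several.
    a, b, c, d, e = (int(x) for x in found[-1])
    return a * b + c * (d + e)


def _fetch(url, data=None):
    """GET *url* (or POST the dict *data* when given) and return the body as text."""
    body = None if data is None else urlencode(data).encode('ascii')
    resp = urlopen(url, body)
    try:
        # Decode once at the I/O boundary; replace rather than fail on odd bytes.
        return resp.read().decode('utf-8', 'replace')
    finally:
        resp.close()


def main():
    """Fetch the question, solve it, and submit the answer as field ``v``."""
    page = _fetch(URL)
    answer = compute_expression(page)
    print(answer)  # the full result of the computation
    print(_fetch(URL, {'v': answer}))


if __name__ == '__main__':
    main()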
运行即可获取flag
flag is BUPT{7b28f26afca4bc2654bd83d2a2bdc546}
RE
Kaisa
运行程序看了下流程，需要输入flag；通过题目可知应该是凯撒加密题目
导入到IDA分析
shift+F12搜索字符串
.rdata:0040789E 0000000D C KERNEL32.dll
.data:00408035 00000023 C FAE{Vl1_3L_T3_gPCj_DxlcE_C1Ryt?!?}
.data:00408058 00000017 C Flag is your input!!!!
.data:00408074 00000014 C input your flag?\n>>
.data:00408318 00000006 C \t-\r]
发现一个特殊字符串 FAE{Vl1_3L_T3_gPCj_DxlcE_C1Ryt?!?}
通过交叉引用定位到关键函数
// Fragment of _main from `Kaisa` as decompiled by IDA; the signature and the
// declarations of v3..v7 are not part of the listing.  Reads a string, applies
// a Caesar shift to its letters and compares the result with a stored string.
int result; // eax
char v9[64]; // [esp+Ch] [ebp-40h]; input buffer
sub_4012C9(aInputYourFlag); // prints "input your flag?\n>>"
// NOTE(review): aS is presumably the "%s" format, so this read is unbounded
// and an over-long input overruns the 64-byte v9 buffer.
scanf(aS, v9);
v3 = strlen(v9);
v4 = 0;
if ( v3 > 0 )
{
v5 = byte_408030; // shift amount; its value is not shown in this listing
do
{
v6 = v9[v4];
if ( (unsigned __int8)v6 < 0x61u || (unsigned __int8)v6 > 0x7Au )
{
// Upper-case letter: rotate within 'A'..'Z' by v5.
if ( (unsigned __int8)v6 >= 0x41u && (unsigned __int8)v6 <= 0x5Au )
v6 = (unsigned __int16)((unsigned __int8)(v6 + v5 - 65) % 26) + 65;
}
else
{
// Lower-case letter: rotate within 'a'..'z' by v5.
v6 = (unsigned __int16)((unsigned __int8)(v6 + v5 - 97) % 26) + 97;
}
// Any other byte is written back unchanged.
v9[v4++] = v6;
}
while ( v4 < v3 );
}
v7 = 0;
// An empty input skips the comparison entirely and is reported as correct.
if ( v3 <= 0 )
{
LABEL_13:
sub_4012C9(aFlagIsYourInpu); // prints "Flag is your input!!!!"
// The two blocks below look like inlined getchar()-style reads on
// stru_408088 (presumably stdin): a "press a key" pause before returning.
if ( --stru_408088._cnt < 0 )
_filbuf(&stru_408088);
else
++stru_408088._ptr;
if ( --stru_408088._cnt < 0 )
_filbuf(&stru_408088);
else
++stru_408088._ptr;
result = 0;
}
else
{
// Compare the shifted input with byte_408034 ("MFAE{...}" per the data
// segment shown below) for strlen(input) bytes only; the target's length is
// never checked, so an input matching only a prefix of it is accepted too.
while ( v9[v7] == byte_408034[v7] )
{
if ( ++v7 >= v3 )
goto LABEL_13;
}
result = -1;
}
return result;
}
查看V5
.data:00408034 byte_408034 db 'M' ; DATA XREF: _main+95↑r
.data:00408035 aFaeVl13lT3Gpcj db 'FAE{Vl1_3L_T3_gPCj_DxlcE_C1Ryt?!?}',0
.data:00408058 aFlagIsYourInpu db 'Flag is your input!!!!',0
找到密文 MFAE{Vl1_3L_T3_gPCj_DxlcE_C1Ryt?!?}
通过暴力跑位移得到flag
NGBF{Wm1_3M_U3_hQDk_EymdF_D1Szu?!?}
OHCG{Xn1_3N_V3_iREl_FzneG_E1Tav?!?}
PIDH{Yo1_3O_W3_jSFm_GaofH_F1Ubw?!?}
QJEI{Zp1_3P_X3_kTGn_HbpgI_G1Vcx?!?}
RKFJ{Aq1_3Q_Y3_lUHo_IcqhJ_H1Wdy?!?}
SLGK{Br1_3R_Z3_mVIp_JdriK_I1Xez?!?}
TMHL{Cs1_3S_A3_nWJq_KesjL_J1Yfa?!?}
UNIM{Dt1_3T_B3_oXKr_LftkM_K1Zgb?!?}
VOJN{Eu1_3U_C3_pYLs_MgulN_L1Ahc?!?}
WPKO{Fv1_3V_D3_qZMt_NhvmO_M1Bid?!?}
XQLP{Gw1_3W_E3_rANu_OiwnP_N1Cje?!?}
YRMQ{Hx1_3X_F3_sBOv_PjxoQ_O1Dkf?!?}
ZSNR{Iy1_3Y_G3_tCPw_QkypR_P1Elg?!?}
ATOS{Jz1_3Z_H3_uDQx_RlzqS_Q1Fmh?!?}
BUPT{Ka1_3A_I3_vERy_SmarT_R1Gni?!?} //flag
CVQU{Lb1_3B_J3_wFSz_TnbsU_S1Hoj?!?}
DWRV{Mc1_3C_K3_xGTa_UoctV_T1Ipk?!?}
EXSW{Nd1_3D_L3_yHUb_VpduW_U1Jql?!?}
FYTX{Oe1_3E_M3_zIVc_WqevX_V1Krm?!?}
GZUY{Pf1_3F_N3_aJWd_XrfwY_W1Lsn?!?}
HAVZ{Qg1_3G_O3_bKXe_YsgxZ_X1Mto?!?}
IBWA{Rh1_3H_P3_cLYf_ZthyA_Y1Nup?!?}
JCXB{Si1_3I_Q3_dMZg_AuizB_Z1Ovq?!?}
KDYC{Tj1_3J_R3_eNAh_BvjaC_A1Pwr?!?}
LEZD{Uk1_3K_S3_fOBi_CwkbD_B1Qxs?!?}
MFAE{Vl1_3L_T3_gPCj_DxlcE_C1Ryt?!?}
得到flag BUPT{Ka1_3A_I3_vERy_SmarT_R1Gni?!?}
simple
载入IDA
分析了整个流程
// `simple` as decompiled by IDA: reads a string of 32..40 characters, applies
// a per-byte nibble swap and XOR, and compares the result with a stored table.
int __cdecl main(int argc, const char **argv, const char **envp)
{
unsigned int v3; // kr04_4
int result; // eax
int i; // esi
char v6; // cl
char v7; // al
char v8; // al
char v9; // [esp+4h] [ebp-34h]; first byte of the input buffer
char v10[31]; // [esp+5h] [ebp-33h]; the bytes following v9
char v11; // [esp+24h] [ebp-14h]
char v12; // [esp+35h] [ebp-3h]
v9 = 0;
memset(v10, 0, 0x30u); // 0x30 bytes: the decompiler split one buffer into v9/v10/v11
v12 = 0;
sub_4012E9(aPlzGiveMeYourF); // prints "plz give me your flag"
// NOTE(review): aS is presumably "%s", so the read is unbounded; the length
// check below runs only after the stack buffer has already been written.
scanf(aS, &v9);
v3 = strlen(&v9) + 1; // v3 = input length + 1
if ( (signed int)(v3 - 1) > 31 ) // is the input longer than 31 characters?
{
if ( (signed int)(v3 - 1) <= 40 ) // ... and at most 40 characters?
{
sub_4012E9(aOkYouCanContin); // both length checks passed: "ok you can continue"
i = 0;
v11 = 0;
if ( v9 )
{
while ( 1 )
{
v6 = byte_408054[i]; // expected byte for position i
// Swap the two nibbles of input byte i, then XOR with byte_408030[i].
v7 = byte_408030[i] ^ (16 * *(&v9 + i) | ((unsigned __int8)*(&v9 + i) >> 4));
*(&v9 + i) = v7; // the input is transformed in place
if ( v7 != v6 )
break;
v8 = v10[i++]; // next input byte (v10 is &v9 + 1)
if ( !v8 )
goto LABEL_10; // terminator reached: every byte so far matched
}
sub_4012E9(aNononoYourInpu); // mismatch at position i
LABEL_10:
// i == 32 means 32 bytes matched and the 33rd is the terminator, so the
// flag is 32 characters long.  NOTE(review): an input whose first 32 bytes
// match but whose 33rd does not also reaches here with i == 32, printing
// both messages; byte_408054/byte_408030 are assumed to hold 32 entries
// (that is what the z3 script below dumps), so longer inputs index past them.
if ( i == 32 )
sub_4012E9(aGoodYouVeGotTh); // "good you've got the flag"
}
// Two inlined getchar()-style reads on stru_408110 (presumably stdin):
// a pause before returning.
if ( --stru_408110._cnt < 0 )
_filbuf(&stru_408110);
else
++stru_408110._ptr;
if ( --stru_408110._cnt < 0 )
_filbuf(&stru_408110);
else
++stru_408110._ptr;
result = 0;
}
else
{
sub_4012E9(aTooLong); // more than 40 characters
result = -1;
}
}
else
{
sub_4012E9(aTooShort); // 31 characters or fewer
result = -1;
}
return result;
}
这里用Z3约束求解
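"""Recover the 32-character input accepted by the `simple` binary.

The decompiled check computes, for each input byte c at position i,
    byte_408030[i] ^ (uint8)((c << 4) | (c >> 4))
and compares it with byte_408054[i].  The two tables below were dumped from
the binary; z3 solves the per-byte constraints as in the original write-up.
"""

# byte_408054: the 32 bytes the transformed input must equal (v6 in the
# decompiled loop).
TARGET = [
    0x4f, 0x3b, 0x23, 0x11, 0xe1, 0x1f, 0xfe, 0xb3,
    0x4b, 0xdd, 0x75, 0xfe, 0x47, 0xec, 0xf2, 0x43,
    0xdc, 0x38, 0xd4, 0x64, 0xde, 0x45, 0xbd, 0x01,
    0x1b, 0x04, 0xb9, 0x89, 0x7d, 0xb6, 0x4e, 0xe2,
]
# byte_408030: the per-position XOR key (v7 is derived from it).
KEY = [
    0x6b, 0x6e, 0x26, 0x54, 0x56, 0x4b, 0xe8, 0x80,
    0xdc, 0x28, 0x46, 0x18, 0x71, 0xcb, 0x65, 0x44,
    0x9b, 0x2b, 0x22, 0x82, 0x2b, 0x56, 0x8e, 0xe7,
    0x69, 0x41, 0x4c, 0x1f, 0x3a, 0x45, 0x5c, 0x35,
]
FLAG_LEN = 32


def swap_nibbles(x):
    """Return *x* with its high and low 4-bit halves exchanged, as 8 bits.

    Mirrors ``16 * c | (unsigned __int8)c >> 4`` from the decompiled loop.
    The binary stores the result in a uint8 (0..255), so the value wraps
    modulo 256; ``& 0xFF`` models that truncation (the original script used
    ``% 256`` for the same purpose).  Works on plain ints and on z3 BitVec
    terms alike.
    """
    return ((x << 4) | (x >> 4)) & 0xFF


def encode(candidate):
    """Apply the binary's transform to *candidate* (iterable of 8-bit ints).

    Returns the list the binary compares against TARGET; a candidate is
    accepted exactly when ``encode(candidate) == TARGET``.
    """
    return [k ^ swap_nibbles(c) for k, c in zip(KEY, candidate)]


def solve():
    """Use z3 to find the printable input whose encoding equals TARGET.

    Returns:
        The recovered input as a str, or None when the constraints are
        unsatisfiable.
    """
    # Imported here so the pure helpers above stay usable without z3.
    from z3 import BitVec, Solver, sat

    cells = [BitVec('v9%d' % i, 16) for i in range(FLAG_LEN)]
    solver = Solver()
    for i, cell in enumerate(cells):
        # Printable ASCII only, as in the original script.
        solver.add(cell > 32, cell < 128)
        solver.add(KEY[i] ^ swap_nibbles(cell) == TARGET[i])
    if solver.check() != sat:
        return None
    model = solver.model()
    return ''.join(chr(model[cell].as_long()) for cell in cells)


def main():
    """Print the recovered input, or say so when no solution exists."""
    flag = solve()
    print(flag if flag is not None else 'no solution')


if __name__ == '__main__':
    main()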