2018北邮自招复试-CTF-Writeup
2018/06/10 writeup RE WEB BUPT

web

easyphp

右键查看网站源码


<html>
    <head>
        <meta http-equiv="content-type" content="text/html;charset=utf-8">
    </head>
    <body>

        <!--
        index.php
        <?php     
        $flag='xxx';     
        // extract() turns every query-string key into a PHP variable, so the request
        // can override $flag (the path opened below) as well as set $gift. This is the
        // root cause: request data should never be fed to extract().
        extract($_GET);     
        if(isset($gift)){        
            // file_get_contents() returns false when the file cannot be opened and
            // trim(false) yields '', so a missing file leaves $content empty.
            $content=trim(file_get_contents($flag));
            // loose (==) comparison against a caller-supplied string; a strict ===
            // check plus a non-empty $content guard would close the empty-gift case.
            if($gift==$content){ 
               echo'flag';     }
             else{       
               echo'flag has been encrypted';}   
             } 
        ?>
        -->
    </body>
</html>

发现hint 存在flag这个文件 读入到content
输入gift 如果 gift=content则输出flag；由于文件xxx并不存在，file_get_contents返回false，trim后得到空字符串，所以gift留空即可与content相等
尝试访问

http://10.112.163.9:8888/web2/index.php?gift=

返回

Warning: file_get_contents(xxx): failed to open stream: No such file or directory in /var/www/html/web2/index.php on line 6
flag is OHCG{82s5r276o3006q2054048p6799op543q}

根据提示 flag has been encrypted
所以猜测flag被某种方式加密
猜测为凯撒加密
用工具爆破了一下

PIDH{82t5s276p3006r2054048q6799pq543r}

QJEI{82u5t276q3006s2054048r6799qr543s}

RKFJ{82v5u276r3006t2054048s6799rs543t}

SLGK{82w5v276s3006u2054048t6799st543u}

TMHL{82x5w276t3006v2054048u6799tu543v}

UNIM{82y5x276u3006w2054048v6799uv543w}

VOJN{82z5y276v3006x2054048w6799vw543x}

WPKO{82a5z276w3006y2054048x6799wx543y}

XQLP{82b5a276x3006z2054048y6799xy543z}

YRMQ{82c5b276y3006a2054048z6799yz543a}

ZSNR{82d5c276z3006b2054048a6799za543b}

ATOS{82e5d276a3006c2054048b6799ab543c}

BUPT{82f5e276b3006d2054048c6799bc543d} //flag

CVQU{82g5f276c3006e2054048d6799cd543e}

DWRV{82h5g276d3006f2054048e6799de543f}

EXSW{82i5h276e3006g2054048f6799ef543g}

FYTX{82j5i276f3006h2054048g6799fg543h}

GZUY{82k5j276g3006i2054048h6799gh543i}

HAVZ{82l5k276h3006j2054048i6799hi543j}

IBWA{82m5l276i3006k2054048j6799ij543k}

JCXB{82n5m276j3006l2054048k6799jk543l}

KDYC{82o5n276k3006m2054048l6799kl543m}

LEZD{82p5o276l3006n2054048m6799lm543n}

MFAE{82q5p276m3006o2054048n6799mn543o}

NGBF{82r5q276n3006p2054048o6799no543p}

OHCG{82s5r276o3006q2054048p6799op543q}

因为提示flag格式为BUPT所以得到flag

BUPT{82f5e276b3006d2054048c6799bc543d}

计算题

题目提示 1s中回答随机产生的数学题
运算符号不发生改变 所以用python先取出需要运算的数然后进行运算 最后post提交即可
EXP

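from __future__ import print_function

try:  # Python 2, the interpreter this writeup was written for
    from urllib import urlencode
    from urllib2 import urlopen
except ImportError:  # Python 3
    from urllib.parse import urlencode
    from urllib.request import urlopen

CHALLENGE_URL = 'http://10.112.163.9:8888/web1/index.php'


def _fetch(url, data=None):
    """GET *url* (data is None) or POST the urlencoded *data* to it.

    Returns the response body as text and always closes the response.
    """
    if data is not None:
        data = urlencode(data)
        if not isinstance(data, bytes):  # Python 3: POST bodies must be bytes
            data = data.encode('ascii')
    response = urlopen(url, data)
    try:
        body = response.read()
    finally:
        response.close()
    if isinstance(body, bytes):
        body = body.decode('utf-8', 'replace')
    return body


def extract_expression(page):
    """Pull the arithmetic question out of the challenge page.

    The page layout is not reproduced in the writeup; the original script took
    the text after the last ``<br/>``, split it on ``=`` and used the sixth
    field from the end. That positional rule is kept verbatim here.
    """
    after_last_br = page.split('<br/>')[-1]
    fields = after_last_br.split('=')
    return fields[-6]


def parse_operands(expression):
    """Split an expression shaped ``a*b+c*(d+e)<trailing html>`` into ints.

    The challenge keeps the operators fixed and only changes the numbers, so
    the operands are located by position instead of with a general parser.
    Raises ValueError when a field is not an integer (page layout changed).
    """
    star_fields = expression.split('*')
    a = int(star_fields[-3])
    b_and_c = star_fields[-2].split('+')
    b = int(b_and_c[-2])
    c = int(b_and_c[-1])
    # text between the last '(' and the ')' that follows it
    inside = star_fields[-1].split('(')[-1].split(')')[-2]
    d_and_e = inside.split('+')
    d = int(d_and_e[-2])
    e = int(d_and_e[-1])
    return a, b, c, d, e


def evaluate(a, b, c, d, e):
    """Compute a*b + c*(d+e), the fixed shape of the challenge expression."""
    return a * b + c * (d + e)


def main():
    """Fetch the question, solve it and POST the answer as field ``v``."""
    page = _fetch(CHALLENGE_URL)
    expression = extract_expression(page)
    print(expression)
    answer = evaluate(*parse_operands(expression))
    print(answer)
    # The server only accepts the answer within one second of serving the
    # question, so the POST follows the GET immediately.
    print(_fetch(CHALLENGE_URL, {'v': answer}))


if __name__ == '__main__':
    main()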

运行即可获取flag
flag is BUPT{7b28f26afca4bc2654bd83d2a2bdc546}

RE

Kaisa

运行程序看了下流程 需要输入flag 通过题目可知应该是凯撒加密题目
导入到IDA分析
shift+F12搜索字符串

.rdata:0040789E    0000000D    C    KERNEL32.dll
.data:00408035    00000023    C    FAE{Vl1_3L_T3_gPCj_DxlcE_C1Ryt?!?}
.data:00408058    00000017    C    Flag is your input!!!!
.data:00408074    00000014    C    input your flag?\n>>
.data:00408318    00000006    C     \t-\r]

发现一个特殊字符串 FAE{Vl1_3L_T3_gPCj_DxlcE_C1Ryt?!?}
通过交叉引用定位到关键函数

// Excerpt from the decompiled main(): the function header and the
// declarations of v3..v7 sit above the part quoted here.
int result; // eax
char v9[64]; // [esp+Ch] [ebp-40h]  input buffer

// Prompt and read the candidate flag. aS is presumably "%s" (judging by the
// name only); if so the read into the 64-byte v9 is unbounded. TODO confirm.
sub_4012C9(aInputYourFlag);
scanf(aS, v9);
v3 = strlen(v9);
v4 = 0;
if ( v3 > 0 )
{
  v5 = byte_408030; // shift amount; its value is not shown in this listing
  do
  {
    v6 = v9[v4];
    // Letters are rotated by v5 inside their own case (a Caesar shift);
    // any other byte passes through unchanged.
    if ( (unsigned __int8)v6 < 0x61u || (unsigned __int8)v6 > 0x7Au )
    {
      if ( (unsigned __int8)v6 >= 0x41u && (unsigned __int8)v6 <= 0x5Au )
        v6 = (unsigned __int16)((unsigned __int8)(v6 + v5 - 65) % 26) + 65; // 'A'..'Z'
    }
    else
    {
      v6 = (unsigned __int16)((unsigned __int8)(v6 + v5 - 97) % 26) + 97; // 'a'..'z'
    }
    v9[v4++] = v6; // the shift is applied in place
  }
  while ( v4 < v3 );
}
v7 = 0;
if ( v3 <= 0 )
{
LABEL_13:
  // Success path: print "Flag is your input!!!!", consume two characters of
  // stdin (this looks like two inlined getchar() calls on stru_408088) and
  // return 0. Note that an empty input (v3 <= 0) also lands here.
  sub_4012C9(aFlagIsYourInpu);
  if ( --stru_408088._cnt < 0 )
    _filbuf(&stru_408088);
  else
    ++stru_408088._ptr;
  if ( --stru_408088._cnt < 0 )
    _filbuf(&stru_408088);
  else
    ++stru_408088._ptr;
  result = 0;
}
else
{
  // Compare the shifted input against byte_408034 byte by byte, but only for
  // strlen(input) bytes: the stored string's own length is never checked, so
  // any input whose shifted form is a prefix of byte_408034 is accepted.
  while ( v9[v7] == byte_408034[v7] )
  {
    if ( ++v7 >= v3 )
      goto LABEL_13;
  }
  result = -1; // first mismatching byte
}
return result;
}

查看V5

.data:00408034 byte_408034     db 'M'                  ; DATA XREF: _main+95↑r
.data:00408035 aFaeVl13lT3Gpcj db 'FAE{Vl1_3L_T3_gPCj_DxlcE_C1Ryt?!?}',0
.data:00408058 aFlagIsYourInpu db 'Flag is your input!!!!',0

找到密文 MFAE{Vl1_3L_T3_gPCj_DxlcE_C1Ryt?!?}
通过暴力跑位移得到flag

NGBF{Wm1_3M_U3_hQDk_EymdF_D1Szu?!?}
OHCG{Xn1_3N_V3_iREl_FzneG_E1Tav?!?}
PIDH{Yo1_3O_W3_jSFm_GaofH_F1Ubw?!?}
QJEI{Zp1_3P_X3_kTGn_HbpgI_G1Vcx?!?}
RKFJ{Aq1_3Q_Y3_lUHo_IcqhJ_H1Wdy?!?}
SLGK{Br1_3R_Z3_mVIp_JdriK_I1Xez?!?}
TMHL{Cs1_3S_A3_nWJq_KesjL_J1Yfa?!?}
UNIM{Dt1_3T_B3_oXKr_LftkM_K1Zgb?!?}
VOJN{Eu1_3U_C3_pYLs_MgulN_L1Ahc?!?}
WPKO{Fv1_3V_D3_qZMt_NhvmO_M1Bid?!?}
XQLP{Gw1_3W_E3_rANu_OiwnP_N1Cje?!?}
YRMQ{Hx1_3X_F3_sBOv_PjxoQ_O1Dkf?!?}
ZSNR{Iy1_3Y_G3_tCPw_QkypR_P1Elg?!?}
ATOS{Jz1_3Z_H3_uDQx_RlzqS_Q1Fmh?!?}
BUPT{Ka1_3A_I3_vERy_SmarT_R1Gni?!?} //flag
CVQU{Lb1_3B_J3_wFSz_TnbsU_S1Hoj?!?}
DWRV{Mc1_3C_K3_xGTa_UoctV_T1Ipk?!?}
EXSW{Nd1_3D_L3_yHUb_VpduW_U1Jql?!?}
FYTX{Oe1_3E_M3_zIVc_WqevX_V1Krm?!?}
GZUY{Pf1_3F_N3_aJWd_XrfwY_W1Lsn?!?}
HAVZ{Qg1_3G_O3_bKXe_YsgxZ_X1Mto?!?}
IBWA{Rh1_3H_P3_cLYf_ZthyA_Y1Nup?!?}
JCXB{Si1_3I_Q3_dMZg_AuizB_Z1Ovq?!?}
KDYC{Tj1_3J_R3_eNAh_BvjaC_A1Pwr?!?}
LEZD{Uk1_3K_S3_fOBi_CwkbD_B1Qxs?!?}
MFAE{Vl1_3L_T3_gPCj_DxlcE_C1Ryt?!?}

得到flag BUPT{Ka1_3A_I3_vERy_SmarT_R1Gni?!?}

simple

载入IDA
分析了整个流程

int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int v3; // kr04_4
  int result; // eax
  int i; // esi
  char v6; // cl
  char v7; // al
  char v8; // al
  char v9; // [esp+4h] [ebp-34h]   first byte of the input buffer
  char v10[31]; // [esp+5h] [ebp-33h]  bytes 1..31 of the same buffer
  char v11; // [esp+24h] [ebp-14h]
  char v12; // [esp+35h] [ebp-3h]

  // v9, v10, v11 and v12 are adjacent on the stack: the decompiler has split a
  // single input buffer into several locals, which is why the loop below
  // indexes *(&v9 + i). The memset covers 0x30 bytes from v10, i.e. everything
  // up to (not including) v12, which is zeroed separately.
  v9 = 0; 
  memset(v10, 0, 0x30u);
  v12 = 0;
  sub_4012E9(aPlzGiveMeYourF); // prints the "plz give me your flag" prompt
  scanf(aS, &v9); // reads the input; aS is presumably "%s" (name only), in which case the read is unbounded. TODO confirm
  v3 = strlen(&v9) + 1; // input length plus the terminator
  if ( (signed int)(v3 - 1) > 31 ) // the input must be longer than 31 characters ...
  {
    if ( (signed int)(v3 - 1) <= 40 ) // ... and no longer than 40
    {
      sub_4012E9(aOkYouCanContin); // "ok you can continue"
      i = 0;
      v11 = 0;
      if ( v9 )
      {
        while ( 1 )
        {
          v6 = byte_408054[i]; // expected byte for position i
          // Swap the nibbles of input[i] (16*x keeps the low nibble, x>>4 the
          // high nibble; the result is truncated to a char when stored in v7)
          // and XOR with the key byte byte_408030[i].
          v7 = byte_408030[i] ^ (16 * *(&v9 + i) | ((unsigned __int8)*(&v9 + i) >> 4));
          *(&v9 + i) = v7; // transform is applied in place
          if ( v7 != v6 )
            break; // first mismatch stops the check
          v8 = v10[i++]; // v10[i] is input[i+1]: stop at the terminator
          if ( !v8 )
            goto LABEL_10;
        }
        sub_4012E9(aNononoYourInpu); // mismatch message
LABEL_10:
        if ( i == 32 ) // success only when exactly 32 bytes matched, so the flag is 32 characters
          sub_4012E9(aGoodYouVeGotTh); // "good you've got the flag"
      }
      // The two blocks below look like inlined getchar() calls on stru_408110
      // (pause before exiting).
      if ( --stru_408110._cnt < 0 )
        _filbuf(&stru_408110);
      else
        ++stru_408110._ptr;
      if ( --stru_408110._cnt < 0 )
        _filbuf(&stru_408110);
      else
        ++stru_408110._ptr;
      result = 0;
    }
    else
    {
      sub_4012E9(aTooLong); // more than 40 characters
      result = -1;
    }
  }
  else
  {
    sub_4012E9(aTooShort); // 31 characters or fewer
    result = -1;
  }
  return result;
}

这里用Z3约束求解

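from z3 import BitVec, Solver, sat

# Expected output bytes (byte_408054 in the decompiled main) and the XOR key
# (byte_408030), as dumped from the binary by the author.
EXPECTED = [0x4f, 0x3b, 0x23, 0x11, 0xe1, 0x1f, 0xfe, 0xb3, 0x4b, 0xdd, 0x75, 0xfe, 0x47, 0xec, 0xf2, 0x43, 0xdc, 0x38, 0xd4, 0x64, 0xde, 0x45, 0xbd, 0x01, 0x1b, 0x04, 0xb9, 0x89, 0x7d, 0xb6, 0x4e, 0xe2]
KEY = [0x6b, 0x6e, 0x26, 0x54, 0x56, 0x4b, 0xe8, 0x80, 0xdc, 0x28, 0x46, 0x18, 0x71, 0xcb, 0x65, 0x44, 0x9b, 0x2b, 0x22, 0x82, 0x2b, 0x56, 0x8e, 0xe7, 0x69, 0x41, 0x4c, 0x1f, 0x3a, 0x45, 0x5c, 0x35]


def solve(expected=EXPECTED, key=KEY):
    """Recover the input that the binary's main() accepts.

    For every position i the binary computes key[i] ^ swap_nibbles(input[i])
    and compares it with expected[i]. Both steps are invertible, so the
    constraints are only kept in a solver to mirror the decompiled check.

    Returns the flag as a str, or None if the constraints are unsatisfiable.
    """
    chars = [BitVec("v9%d" % i, 16) for i in range(len(expected))]
    solver = Solver()
    for i, c in enumerate(chars):
        solver.add(c > 32, c < 128)  # printable ASCII only
        # 16*c | c>>4 swaps the two nibbles of c. The `& 0xFF` models the
        # truncation to an 8-bit char that happens when the binary stores
        # the result in v7 (the original script used % 256 for the same
        # purpose; both agree for the 0..127 range enforced above).
        solver.add((key[i] ^ (((16 * c) | (c >> 4)) & 0xFF)) == expected[i])
    if solver.check() != sat:
        return None
    model = solver.model()
    return ''.join(chr(model[c].as_long()) for c in chars)


if __name__ == '__main__':
    print(solve())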
本文作者:ios
版权声明:本文首发于ios的博客,转载请注明出处!