Lun4R-CyBRICSCTF wp


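I played this XCTF | Russian-team competition together with my teammates. The challenge quality was really good, haha. Some of my teammates haven't updated their solutions yet, so I'm posting what we have first.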

WEB

Hunt (Web, Baby, 50 pts)

Set a breakpoint, and then they get caught one by one…

Then press F12 and the flag shows up. (The flag is in white text, hidden at the bottom...)

RE

Baby Rev

The challenge gives a GitHub project link; you just need to read and understand the code. It is a simple XOR encryption, and the key is 33.

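c=[92,0,74,66,116,77,126,69,17,17,102,126,
   69,79,97,126,18,76,17,98,16,77,18,
   86,90,82,66,72,83,67,88,66]
flag=''
# XOR every byte with the key 33
for i in range(len(c)):
    c[i]=c[i]^33
    flag+=chr(c[i])
# the bytes are stored in reverse order, so reverse before printing
print (flag[::-1])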

polyglot

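First, following the provided code.c, change the key and run it to get a piece of C++ code.

Because the recursion depth is limited to 900, that code has to be changed as well. I'm not good enough for that, so I just worked it out by hand: t1 is multiplication and t2 is addition. Then compute the key, and running it produces code that is Python plus machine language: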

import types
import dis
def define_func(argcount, nlocals, code, consts, names):
    #PYTHON3.8!!!
    # Build a function from raw bytecode by swapping the code object of a dummy function
    def inner():
        return 0
    fn_code = inner.__code__
    # Positional arguments follow the Python 3.8 types.CodeType signature
    cd_new = types.CodeType(argcount,
                            0,
                            fn_code.co_kwonlyargcount,
                            nlocals,
                            1024,
                            fn_code.co_flags,
                            code,
                            consts,
                            names,
                            tuple(["v%d" for i in range(nlocals)]),
                            fn_code.co_filename,
                            fn_code.co_name,
                            fn_code.co_firstlineno,
                            fn_code.co_lnotab,
                            fn_code.co_freevars,
                            fn_code.co_cellvars)
    inner.__code__ = cd_new
    return inner
f1 = define_func(2,2,b'|\x00|\x01k\x02S\x00', (None,), ())
f2 = define_func(1,1,b't\x00|\x00\x83\x01S\x00', (None,), ('ord',))
f3 = define_func(0,0,b't\x00d\x01\x83\x01S\x00', (None,  'Give me flag: '), ('input',))
f4 = define_func(1, 3, b'd\x01d\x02d\x03d\x04d\x05d\x01d\x06d\x07d\x08d\td\x03d\nd\x0bd\x0cd\rd\x08d\x0cd\x0ed\x0cd\x0fd\x0ed\x10d\x11d\td\x12d\x03d\x10d\x03d\x0ed\x13d\x0bd\nd\x14d\x08d\x13d\x01d\x01d\nd\td\x01d\x12d\x0bd\x10d\x0fd\x14d\x03d\x0bd\x15d\x16g1}\x01t\x00|\x00\x83\x01t\x00|\x01\x83\x01k\x03r\x82t\x01d\x17\x83\x01\x01\x00d\x18S\x00t\x02|\x00|\x01\x83\x02D\x00]$}\x02t\x03|\x02d\x19\x19\x00t\x04|\x02d\x1a\x19\x00\x83\x01\x83\x02d\x18k\x02r\x8c\x01\x00d\x18S\x00q\x8cd\x1bS\x00',
(None, 99, 121, 98, 114, 105, 115, 123, 52, 97, 100, 51, 101, 55, 57, 53, 54, 48, 49, 50, 56, 102, 125, 'Length mismatch!', False, 1, 0, True),
('len', 'print', 'zip', 'f1', 'f2'))
f5 = define_func(0, 1,b't\x00\x83\x00}\x00t\x01|\x00\x83\x01d\x01k\x08r\x1ct\x02d\x02\x83\x01\x01\x00n\x08t\x02d\x03\x83\x01\x01\x00d\x00S\x00',(None, False, 'Nope!', 'Yep!'), ('f3', 'f4', 'print'))
dis.dis(f4)

Then dis gives the disassembly (the key function is the one that was given the string constants).

Output:

F:\python\venv\py3.8\Scripts\python.exe D:/download/re2.py
7           0 LOAD_CONST               1 (99)
2 LOAD_CONST               2 (121)
4 LOAD_CONST               3 (98)
6 LOAD_CONST               4 (114)
8 LOAD_CONST               5 (105)
10 LOAD_CONST               1 (99)
12 LOAD_CONST               6 (115)
14 LOAD_CONST               7 (123)
16 LOAD_CONST               8 (52)
18 LOAD_CONST               9 (97)
20 LOAD_CONST               3 (98)
22 LOAD_CONST              10 (100)
24 LOAD_CONST              11 (51)
26 LOAD_CONST              12 (101)
28 LOAD_CONST              13 (55)
30 LOAD_CONST               8 (52)
32 LOAD_CONST              12 (101)
34 LOAD_CONST              14 (57)
36 LOAD_CONST              12 (101)
38 LOAD_CONST              15 (53)
40 LOAD_CONST              14 (57)
42 LOAD_CONST              16 (54)
44 LOAD_CONST              17 (48)
46 LOAD_CONST               9 (97)
48 LOAD_CONST              18 (49)
50 LOAD_CONST               3 (98)
52 LOAD_CONST              16 (54)
54 LOAD_CONST               3 (98)
56 LOAD_CONST              14 (57)
58 LOAD_CONST              19 (50)
60 LOAD_CONST              11 (51)
62 LOAD_CONST              10 (100)
64 LOAD_CONST              20 (56)
66 LOAD_CONST               8 (52)
68 LOAD_CONST              19 (50)
70 LOAD_CONST               1 (99)
72 LOAD_CONST               1 (99)
74 LOAD_CONST              10 (100)
76 LOAD_CONST               9 (97)
78 LOAD_CONST               1 (99)
80 LOAD_CONST              18 (49)
82 LOAD_CONST              11 (51)
84 LOAD_CONST              16 (54)
86 LOAD_CONST              15 (53)
88 LOAD_CONST              20 (56)
90 LOAD_CONST               3 (98)
92 LOAD_CONST              11 (51)
94 LOAD_CONST              21 (102)
96 LOAD_CONST              22 (125)
98 BUILD_LIST              49
100 STORE_FAST               1 (v%d)
102 LOAD_GLOBAL              0 (len)
104 LOAD_FAST                0 (v%d)
106 CALL_FUNCTION            1
108 LOAD_GLOBAL              0 (len)
110 LOAD_FAST                1 (v%d)
112 CALL_FUNCTION            1
114 COMPARE_OP               3 (!=)
116 POP_JUMP_IF_FALSE      130
118 LOAD_GLOBAL              1 (print)
120 LOAD_CONST              23 ('Length mismatch!')
122 CALL_FUNCTION            1
124 POP_TOP
126 LOAD_CONST              24 (False)
128 RETURN_VALUE
>>  130 LOAD_GLOBAL              2 (zip)
132 LOAD_FAST                0 (v%d)
134 LOAD_FAST                1 (v%d)
136 CALL_FUNCTION            2
138 GET_ITER
>>  140 FOR_ITER                36 (to 178)
142 STORE_FAST               2 (v%d)
144 LOAD_GLOBAL              3 (f1)
146 LOAD_FAST                2 (v%d)
148 LOAD_CONST              25 (1)
150 BINARY_SUBSCR
152 LOAD_GLOBAL              4 (f2)
154 LOAD_FAST                2 (v%d)
156 LOAD_CONST              26 (0)
158 BINARY_SUBSCR
160 CALL_FUNCTION            1
162 CALL_FUNCTION            2
164 LOAD_CONST              24 (False)
166 COMPARE_OP               2 (==)
168 POP_JUMP_IF_FALSE      140
170 POP_TOP
172 LOAD_CONST              24 (False)
174 RETURN_VALUE
176 JUMP_ABSOLUTE          140
>>  178 LOAD_CONST              27 (True)
180 RETURN_VALUE
Process finished with exit code 0

Then write some C/C++ to print out the flag:

#include <iostream>
#include <stdlib.h>
#include <stdio.h>
using namespace std;
int main(){
    // Character codes from the LOAD_CONST sequence above; the trailing 0 terminates the string for cout
    char flag[]={99,121,98,114,105,99,115,123,52,97,98,100,51,101,55,52,101,57,101,53,57,54,48,97,49,98,54,98,57,50,51,100,56,52,50,99,99,100,97,99,49,51,54,53,56,98,51,102,125,0};
    cout << flag;
    return 0;
}
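The list that f4 compares the input against can also be recovered without Python 3.8 and without executing any of the challenge code, by walking the bytecode bytes directly. This is an added example, not part of the original write-up: the opcode numbers are CPython 3.8's, F4_CODE is the leading part of f4's bytecode shown above (up to and including BUILD_LIST), and the function names are made up for illustration.

```python
# Opcode numbers for CPython 3.8 "wordcode": every instruction is 2 bytes (opcode, arg).
LOAD_CONST, BUILD_LIST, EXTENDED_ARG = 100, 103, 144

# f4's constants tuple, copied from the page.
F4_CONSTS = (None, 99, 121, 98, 114, 105, 115, 123, 52, 97, 100, 51, 101, 55,
             57, 53, 54, 48, 49, 50, 56, 102, 125,
             'Length mismatch!', False, 1, 0, True)

# Leading part of f4's bytecode from the page: 49 LOAD_CONST, then BUILD_LIST 49.
# The remainder of f4 (length check and compare loop) is not needed here.
F4_CODE = (b'd\x01d\x02d\x03d\x04d\x05d\x01d\x06d\x07d\x08d\td\x03d\nd\x0b'
           b'd\x0cd\rd\x08d\x0cd\x0ed\x0cd\x0fd\x0ed\x10d\x11d\td\x12d\x03'
           b'd\x10d\x03d\x0ed\x13d\x0bd\nd\x14d\x08d\x13d\x01d\x01d\nd\t'
           b'd\x01d\x12d\x0bd\x10d\x0fd\x14d\x03d\x0bd\x15d\x16g1')


def recover_built_list(code, consts):
    """Statically replay LOAD_CONST ... BUILD_LIST n and return the list it builds."""
    stack, ext = [], 0
    for off in range(0, len(code) - 1, 2):
        op, arg = code[off], code[off + 1] | ext
        ext = 0
        if op == EXTENDED_ARG:        # prefix carrying the high bits of the next arg
            ext = arg << 8
        elif op == LOAD_CONST:        # push consts[arg]
            stack.append(consts[arg])
        elif op == BUILD_LIST:        # pop the top `arg` items into a list
            if arg > len(stack):
                raise ValueError("BUILD_LIST wants more items than were loaded")
            return stack[len(stack) - arg:]
        else:
            raise ValueError(f"unexpected opcode {op} at offset {off}")
    raise ValueError("no BUILD_LIST found")


def expected_input(code=F4_CODE, consts=F4_CONSTS):
    """The string f4 compares the user's input against, character by character."""
    return "".join(chr(v) for v in recover_built_list(code, consts))


if __name__ == "__main__":
    print(expected_input())
```

Because it only reads bytes and indexes the constants tuple, this works on any Python 3 interpreter, whereas dis on a newer interpreter would decode 3.8 bytecode with the wrong opcode table.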

CTB

DockEsc

Found it by trial and error; the correct one gives no echo.

CRYPTO

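Sign-in challenge:

We are already told it is encrypted, and it is something commonly used on Windows.

Decrypt with ROT13.

Then just swap the flag prefix.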

NETWORK

XCorp

Export the SMB objects.

The username is in the stream.

Log in directly.

Google Cloud

I am storing some important stuff in Google’s cloud.

Nooo no no, not on Google’s disks — in the cloud itself.

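It's all pings...

Read it directly with foremost.

In fact, stitching the complete image together from the data should also be feasible; the expert on our team just spotted it right away...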

Forensic

Keyshooter

In the video: mahchudqotlzeeb

Then just decrypt with openssl.

Krevedka

Wireshark filter:

http contains "User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; www1.smart.com.ph/; GT-S5360) U2/1.0.0 UCBrowser/9.8.0.534 Mobile"

rebyC

Hellish Reverse

7z is all it takes...
