首页 > 其他分享 >NewStarCTF-firstweek

NewStarCTF-firstweek

时间:2024-04-01 19:12:19浏览次数:32  
标签:127.0 return NewStarCTF 0.1 firstweek flag key print

一、Crypto-brainfuck

1.附件内容如下。

++++++++[>>++>++++>++++++>++++++++>++++++++++>++++++++++++>++++++++++++++>++++++++++++++++>++++++++++++++++++>++++++++++++++++++++>++++++++++++++++++++++>++++++++++++++++++++++++>++++++++++++++++++++++++++>++++++++++++++++++++++++++++>++++++++++++++++++++++++++++++<<<<<<<<<<<<<<<<-]>>>>>>>++++++.>----.<-----.>-----.>-----.<<<-.>>++..<.>.++++++.....------.<.>.<<<<<+++.>>>>+.<<<+++++++.>>>+.<<<-------.>>>-.<<<+.+++++++.--..>>>>---.-.<<<<-.+++.>>>>.<<<<-------.+.>>>>>++.

2.直接brainfuck解码即可。(https://www.splitbrain.org/services/ook)

image

二、Crypto-Caesar's Secert

1.附件内容如下。

kqfl{hf3x4w'x_h1umjw_n5_a4wd_3fed}

2.凯撒解码即可。(https://ctf.bugku.com/tool/caesar)

image

三、Crypto-Fence

1.附件内容如下。

fa{ereigtepanet6680}lgrodrn_h_litx#8fc3

2.栅栏解码即可。(https://ctf.bugku.com/tool/railfence)

image

四、Crypto-Vigenère

1.附件内容如下。

pqcq{qc_m1kt4_njn_5slp0b_lkyacx_gcdy1ud4_g3nv5x0}

2.维吉尼亚解码,只不过这里缺少一个密钥,,因为知道解码出来的开头肯定是flag,所以可以慢慢尝试,经过尝试密钥是kfc。(https://ctf.bugku.com/tool/vigenere)

image

五、Crypto-babyrsa

1.附件内容如下。

from Crypto.Util.number import *
from flag import flag

def gen_prime(n):
    res = 1

    for i in range(15):
        res *= getPrime(n)

    return res


if __name__ == '__main__':
    n = gen_prime(32)
    e = 65537
    m = bytes_to_long(flag)
    c = pow(m,e,n)
    print(n)
    print(c)
# 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
# 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595

2.n分解出来有15个素因数,因为知道Φ(n)=(p-1)(q-1)=(a-1)(b-1)····(f-1)(有几个素因数就乘几个),故脚本如下。

image

n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
e = 65537
primes = [2217990919, 3831680819, 3654864131, 2463878387, 3939901243, 2706073949, 2970591037, 2370292207, 2338725373,
          2923072267, 4278428893, 4093178561, 2794985117, 2804303069, 3207148519]
phi = 1
for i in primes:
    phi *= (i - 1)
d = invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))			# b'flag{us4_s1ge_t0_cal_phI}'

六、Crypto-Small d

1.附件内容如下。

from secret import flag
from Crypto.Util.number import *

p = getPrime(1024)
q = getPrime(1024)

d = getPrime(32)
e = inverse(d, (p-1)*(q-1))
n = p*q
m = bytes_to_long(flag)

c = pow(m,e,n)

print(c)
print(e)
print(n)

# c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
# e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
# n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433

2.尝试去分解n,无果。由于此题e很大,d很小,属于低解密指数攻击,直接利用脚本破解。

from Crypto.Util.number import *


def rational_to_contfrac(x, y):
    '''
    Converts a rational x/y fraction into
    a list of partial quotients [a0, ..., an]
    '''
    a = x // y
    if a * y == x:
        return [a]
    else:
        pquotients = rational_to_contfrac(y, x - a * y)
        pquotients.insert(0, a)
        return pquotients


def convergents_from_contfrac(frac):
    '''
    computes the list of convergents
    using the list of partial quotients
    '''
    convs = [];
    for i in range(len(frac)):
        convs.append(contfrac_to_rational(frac[0:i]))
    return convs


def contfrac_to_rational(frac):
    '''Converts a finite continued fraction [a0, ..., an]
     to an x/y rational.
     '''
    if len(frac) == 0:
        return (0, 1)
    elif len(frac) == 1:
        return (frac[0], 1)
    else:
        remainder = frac[1:len(frac)]
        (num, denom) = contfrac_to_rational(remainder)
        # fraction is now frac[0] + 1/(num/denom), which is
        # frac[0] + denom/num.
        return (frac[0] * num + denom, num)


def egcd(a, b):
    '''
    Extended Euclidean Algorithm
    returns x, y, gcd(a,b) such that ax + by = gcd(a,b)
    '''
    u, u1 = 1, 0
    v, v1 = 0, 1
    while b:
        q = a // b
        u, u1 = u1, u - q * u1
        v, v1 = v1, v - q * v1
        a, b = b, a - q * b
    return u, v, a


def gcd(a, b):
    '''
    2.8 times faster than egcd(a,b)[2]
    '''
    a, b = (b, a) if a < b else (a, b)
    while b:
        a, b = b, a % b
    return a


def modInverse(e, n):
    '''
    d such that de = 1 (mod n)
    e must be coprime to n
    this is assumed to be true
    '''
    return egcd(e, n)[0] % n


def totient(p, q):
    '''
    Calculates the totient of pq
    '''
    return (p - 1) * (q - 1)


def bitlength(x):
    '''
    Calculates the bitlength of x
    '''
    assert x >= 0
    n = 0
    while x > 0:
        n = n + 1
        x = x >> 1
    return n


def isqrt(n):
    '''
    Calculates the integer square root
    for arbitrary large nonnegative integers
    '''
    if n < 0:
        raise ValueError('square root not defined for negative numbers')

    if n == 0:
        return 0
    a, b = divmod(bitlength(n), 2)
    x = 2 ** (a + b)
    while True:
        y = (x + n // x) // 2
        if y >= x:
            return x
        x = y


def is_perfect_square(n):
    '''
    If n is a perfect square it returns sqrt(n),

    otherwise returns -1
    '''
    h = n & 0xF;  # last hexadecimal "digit"

    if h > 9:
        return -1  # return immediately in 6 cases out of 16.

    # Take advantage of Boolean short-circuit evaluation
    if (h != 2 and h != 3 and h != 5 and h != 6 and h != 7 and h != 8):
        # take square root if you must
        t = isqrt(n)
        if t * t == n:
            return t
        else:
            return -1

    return -1


def hack_RSA(e, n):
    frac = rational_to_contfrac(e, n)
    convergents = convergents_from_contfrac(frac)

    for (k, d) in convergents:
        # check if d is actually the key
        if k != 0 and (e * d - 1) % k == 0:
            phi = (e * d - 1) // k
            s = n - phi + 1
            # check if the equation x^2 - s*x + n = 0
            # has integer roots
            discr = s * s - 4 * n
            if (discr >= 0):
                t = is_perfect_square(discr)
                if t != -1 and (s + t) % 2 == 0:
                    print("\nHacked!")
                    return d


def main():
    n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
    e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
    d = hack_RSA(e, n)
    print("d=")
    print(d)		#  2357048593

if __name__ == '__main__':
    main()

得到d之后,就很简单了。

c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
d = 2357048593
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825

m = pow(c, d, n)
print(long_to_bytes(m))			#  b'flag{learn_some_continued_fraction_technique#dc16885c}'

七、Crypto-babyxor

1.附件内容如下。

from secret import *

ciphertext = []

for f in flag:
    ciphertext.append(f ^ key)

print(bytes(ciphertext).hex())
# e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2

2.由于此题不知道key,所以只能写脚本去破解了。

import binascii

s = "e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2"
unhex = binascii.unhexlify(s)
for j in range(255):
    res = ''
    for i in unhex:
        res += chr(j ^ i)
    print(res)

image

八、Crypto-babyencoding

1.附件内容如下。

part 1 of flag: ZmxhZ3tkYXp6bGluZ19lbmNvZGluZyM0ZTBhZDQ=			
part 2 of flag: MYYGGYJQHBSDCZJRMQYGMMJQMMYGGN3BMZSTIMRSMZSWCNY=
part 3 of flag: =8S4U,3DR8SDY,C`S-F5F-C(S,S<R-C`Q9F8S87T`

2.第一段base64,第二段base32,第三段uuencode,依次解码即可。

image

image

image

九、Crypto-Affine

1.附件内容如下。

from flag import flag, key

modulus = 256

ciphertext = []

for f in flag:
    ciphertext.append((key[0]*f + key[1]) % modulus)

print(bytes(ciphertext).hex())

# dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064

2.Affine是一个映射密码,y=(a*x+b)%c,所以解码需要知道a、b、c这三个参数。由于知道答案开头肯定是flag,故可以写出方程式

(102*a+b)%256=221		(1)
(108*a+b)%256=67		(2)
(97*a+b)%256=136		(3)
(103*a+b)%256=238		(4)

由(1)式和(4)式可以很容易得到a=17,接着就可以解出b=23。知道了这两个,编写脚本获取flag。

s = "dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064"
unhex = binascii.unhexlify(s)
res = ''
strings = string.printable
for i in unhex:
    for j in strings:
        if int((ord(j) * 17 + 23) % 256) == i:
            res += j
print(res)		# flag{4ff1ne_c1pher_i5_very_3azy}

十、Crypto-babyaes

1.附件内容如下。

from Crypto.Cipher import AES
import os
from flag import flag
from Crypto.Util.number import *


def pad(data):
    return data + b"".join([b'\x00' for _ in range(0, 16 - len(data))])


def main():
    flag_ = pad(flag)
    key = os.urandom(16) * 2
    iv = os.urandom(16)
    print(bytes_to_long(key) ^ bytes_to_long(iv) ^ 1)
    aes = AES.new(key, AES.MODE_CBC, iv)
    enc_flag = aes.encrypt(flag_)
    print(enc_flag)


if __name__ == "__main__":
    main()
# 3657491768215750635844958060963805125333761387746954618540958489914964573229
# b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'

2.整体观察一下,发现是CBC模式下的AES。key是32字节(256bits),iv是16字节(128bits),所以两者异或的结果其实是key的低128bits与iv异或,再加上key的高128bits。即输出结果的高128bits就是key的高128bits,从而能得到key。

xor = 3657491768215750635844958060963805125333761387746954618540958489914964573229
key = long_to_bytes(xor^1)[:16]*2

这里需要注意的一点是,输出的结果的高位部分在左侧,低位部分在右侧,一开始我就是想不通为什么取[:16]部分。得到了key之后,取低128bits再与输出结果的低128bits进行异或得到iv。完整脚本如下:

rom Crypto.Util.number import *
from Crypto.Cipher import AES

xor = 3657491768215750635844958060963805125333761387746954618540958489914964573229
enc_flag = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'

key = long_to_bytes(xor ^ 1)[:16] * 2
iv = bytes_to_long(key[16:]) ^ bytes_to_long(long_to_bytes(xor ^ 1)[16:])
iv = long_to_bytes(iv)

aes = AES.new(key, AES.MODE_CBC, iv)
flag = aes.decrypt(enc_flag)
print(flag)		# b'firsT_cry_Aes\x00\x00\x00'

十一、Misc-CyberChef's Secret

1.附件内容如下。

来签到吧!下面这个就是flag,不过它看起来好像怪怪的:-)
M5YHEUTEKFBW6YJWKZGU44CXIEYUWMLSNJLTOZCXIJTWCZD2IZRVG4TJPBSGGWBWHFMXQTDFJNXDQTA=

2.依次经过base32、base58、base64解码即可。

image

十二、Misc-机密图片

1.附件是一张图片。

image

扫码得到。

image

看来密码不在这里。

2.尝试LSB隐写,得到flag。

image

十三、Misc-流量!鲨鱼!

1.附件是一个流量包,里面总共有3000多条流量,故一条一条看是不可能的,发现有http流量,将http对象提取出来。

选择“文件”->“导出对象”->"http"

image

将所有文件都导出来。

image

2.看到有很多文件名为flag的,一个一个查看,发现都是404 NOT FOUND。

image

再翻翻,看到最后有一个(1).ffffllllllll11111144444GGGGGG%7cbase64这样的文件。

image

打开。文件内容如下。

Wm14aFozdFhjbWt6TldnMGNtdGZNWE5mZFRVelpuVnNYMkkzTW1FMk1EazFNemRsTm4wSwo=

两次base64解码即可。

image

十四、Misc-空白格

1.附件内容如下,刚打开什么都看不到,必须全选才能看到。

image

2.看到有点和横线,以为是莫斯密码,尝试了一下不对。再通过空白格这条线索,找到了white_space隐写。(https://vii5ard.github.io/whitespace/)

image

十五、Misc-隐秘的眼睛

1.附件又是一张图片。

image

2.尝试了LSB隐写等等都不对。但是有经验的人根据题目名字就可以知道这是SlientEye隐写。(工具放在附件中)

image

十六、Misc-压缩包们

1.附件是一个无后缀名的文件,通过16进制编辑器查看,可以得到是个zip文件。

image

2.但是文件头不对,所以修改文件头为504B0304,修改后缀名为zip,解压得到flag.zip文件。解压flag.zip发生错误。

image

3.16进制编辑器打开,发现在文件尾有一串base64编码。

image

解码。

image

提示我们密码是个6位数,利用工具爆破得到密码为232311。

image

删除最后的base64后再保存,我发现个奇怪的问题,这个压缩包只能用bandzip打开,其他压缩软件打开都会有问题。

image

image

十七、Web-泄漏的秘密

1.直接目录扫描得到robots.txt和www.zip,访问一下拿到flag。

image

image

十八、Web-Begin of Upload

1.文件上传漏洞,前端校验后缀名。

image

2.故这题需要利用%00截断。

image

成功上传。

image

执行一句话木马,拿到flag。

image

image

十九、Web-ErrorFlask

1.页面叫我们传入两个参数,随便传一下看一下效果。

image

2.提示我们不是ssti,flag在源代码中。既然他说不是ssti,我就非要试试。果然页面报错了。

image

可以看到有个/app/app.py文件,点进去看看,直接得到flag。

image

二十、Web-Begin of HTTP

1.页面如下。

image

哎,这种题目就是按照提示一步步做就完事了。

image

又要以POST方式对secret传参,先对注释中的编码解码后再传。

image

又要验证power,直接把cookie中的power字段改为ctfer即可。

image

要通过NewStarCTF2023浏览器访问,修改User-Agent。

image

要从newstarctf.com这个网址访问过来的,添加referer字段。

image

要本地用户访问,需要添加X-Fordwarded-For之类的字段,把下列的字段全部加进去,总有一个是能成功的。

X-Custom-IP-Authorization:127.0.0.1
X-Forward-For:127.0.0.1
X-Forward:127.0.0.1
X-Forward:localhost
X-Forwarded-By:127.0.0.1
X-Forwarded-By:localhost
X-Forwarded-For-Original:127.0.0.1
X-Forwarded-For-Original:localhost
X-Forwarded-Server:127.0.0.1
X-Forwarded-Server:localhost
X-Forwarded:127.0.0.1
X-Forwarded:localhost
X-Forwarded-For:127.0.0.1
X-Forwarded-For:localhost
X-Forwarded-Host:127.0.0.1
X-Forwarded-Host:localhost
X-Host:127.0.0.1
X-Host:localhost
X-HTTP-Host-Override:127.0.0.1
X-Real-IP:127.0.0.1
X-Remote-Addr:127.0.0.1
X-Remote-Addr:localhost
X-Remote-IP:127.0.0.1
Client-IP:127.0.0.1
Forwarded-For:localhost
Forwarded-For:127.0.0.1
Forwarded:localhost
Forwarded:127.0.0.1
Forwarded-For-IP:127.0.0.1
True-Client-IP:127.0.0.1
X-Client-IP:127.0.0.1
X-Originating-IP:127.0.0.1

image

二十一、Web-Begin of PHP

1.源代码如下。

 <?php
error_reporting(0);
highlight_file(__FILE__);

if(isset($_GET['key1']) && isset($_GET['key2'])){
    echo "=Level 1=<br>";
    if($_GET['key1'] !== $_GET['key2'] && md5($_GET['key1']) == md5($_GET['key2'])){
        $flag1 = True;
    }else{
        die("nope,this is level 1");
    }
}

if($flag1){
    echo "=Level 2=<br>";
    if(isset($_POST['key3'])){
        if(md5($_POST['key3']) === sha1($_POST['key3'])){
            $flag2 = True;
        }
    }else{
        die("nope,this is level 2");
    }
}

if($flag2){
    echo "=Level 3=<br>";
    if(isset($_GET['key4'])){
        if(strcmp($_GET['key4'],file_get_contents("/flag")) == 0){
            $flag3 = True;
        }else{
            die("nope,this is level 3");
        }
    }
}

if($flag3){
    echo "=Level 4=<br>";
    if(isset($_GET['key5'])){
        if(!is_numeric($_GET['key5']) && $_GET['key5'] > 2023){
            $flag4 = True;
        }else{
            die("nope,this is level 4");
        }
    }
}

if($flag4){
    echo "=Level 5=<br>";
    extract($_POST);
    foreach($_POST as $var){
        if(preg_match("/[a-zA-Z0-9]/",$var)){
            die("nope,this is level 5");
        }
    }
    if($flag5){
        echo file_get_contents("/flag");
    }else{
        die("nope,this is level 5");
    }
} 

2.代码审计,第一个if判断要求两个值不等,但是两个值的md5值要想等,利用数组绕过;第二个if还是利用数组绕过;第三个if是比较两个字符串,还是用数组绕过;第四个if要求不是数字但是得大于2023,输入2024a绕过;第五个if通过正则判断你传入的是否有大小写字母和数字,故这里需要利用异或操作绕过,传入的值为flag5=true,需要把true用异或的形式表示。

<?php
$a="true";
for($i=0;$i<strlen($a);$i++){
		echo "%".dechex(ord($a[$i])^0xff);
}
echo "^";
for($i=0;$i<strlen($a);$i++){
	echo "%ff";
}
//  %8b%8d%8a%9a^%ff%ff%ff%ff

image

二十二、Web-R!C!E!

1.源代码如下。

 <?php
highlight_file(__FILE__);
if(isset($_POST['password'])&&isset($_POST['e_v.a.l'])){
    $password=md5($_POST['password']);
    $code=$_POST['e_v.a.l'];
    if(substr($password,0,6)==="c4d038"){
        if(!preg_match("/flag|system|pass|cat|ls/i",$code)){
            eval($code);
        }
    }
} 

2.对password和e_v.a.l传参,需要满足password的md5值的前六位为c4d038,并且e_v.a.l的值会交给eval执行,但是不能出现flag、system等关键词。

第一步:暴力破解得到应该传给password的值。

import hashlib

def md5(s):
 return hashlib.md5(s.encode(encoding='UTF-8')).hexdigest()

for i in range(1000000000):
    h = md5(str(i))
    if h[0:6] == "c4d038":
        print(i)		# 114514
        break

第二步给e_v.a.l传一个eval($_GET[1])就可以逃脱出不能使用那些关键字的情况了。

但是传完参,发现页面没有任何反应。

image

哪里错了呢,本地搭一个环境,经过测试,发现连第一个if判断都没通过,关键在给e_v.a.l这个参数传参。(这里特别感谢王马老师的解答)我们都知道这不是一个规范的变量名,所以传参的时候直接用题目所给是有问题的。这里参考(https://blog.csdn.net/qq_45086218/article/details/114113971)

image

所以此处应该是给e[v.a.l传参就可以了。

image

成功执行,获取flag。

image

二十三、Web-EasyLogin

1.页面是个登录框,首先注册一个用户叫admin,发现已经被注册过了。

image

题目既然叫easyLogin,说明这里有可能需要爆破密码。抓个包,发现password经过了处理。

image

查看页面源代码,发现是md5值。

image

知道了密码的转换过程,就可以爆破了。

image

爆破得到密码的md5值,解密一下密码是000000。

image

2.登录进去之后,按ctrl+C和ctrl+D后进入shell,输入pwd,成功执行。

image

按向上键,查找命令历史记录。

image

提示我们用burpsuite,重新回到登录界面抓包,找到一个302跳转的包,查看响应获得flag。

image

二十四、Reverse-easy_RE

1.ida打开,main函数反编译,可看到一部分flag,还有一部分flag需要从变量v6到v16处获得。

image

ascii转换一下得到另一部分flag。

image

拼接一下即可。

标签:127.0,return,NewStarCTF,0.1,firstweek,flag,key,print
From: https://www.cnblogs.com/sbhglqy/p/18109180

相关文章

  • NewStarCTF(Reserve) WEEK1
    easy_RE咳有UPX壳,先脱壳enc="gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~"flag=''foriinenc:b=(ord(i)-1)flag+=chr(b)print(flag)#flag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1}Segmentssegments用sh......
  • NewStarCTF-thirdweek
    一、阳光开朗大男孩1.题目给出了secret.txt和flag.txt两个文件,secret.txt内容如下:法治自由公正爱国公正敬业法治和谐平等友善敬业法治富强公正民主法治和谐法治和谐法治法治公正友善敬业法治文明公正自由平等诚信平等公正敬业法治和谐平等友善敬业法治和谐和谐富强和谐富强和谐......
  • NewStarCTF-secondweek
    一、新建Word文档1.doc文档隐写,将如图所示的设置打开,即可看到文字。2.新佛曰加密,在线网站解密。(http://hi.pcmoe.net/buddha.html)二、永不消逝的电波1.附件是个音频,audacity打开,可以看到明显的长短波。2.莫斯密码解密即可。源报文:..-./.-../.-/--./-/...././-..././.../......
  • NewStarCTF-fourthweek
    一、R通大残下载附件后发现图片最上面有一行色块:编写脚本提取出第一行像素色块的RGB值:fromPILimportImageimage=Image.open('secret.png')pixels=image.load()width,height=image.sizeforxinrange(width):r,g,b=pixels[x,0]print(f"......
  • NewStarCTF-firstweek
    一、Crypto-brainfuck1.附件内容如下。++++++++[>>++>++++>++++++>++++++++>++++++++++>++++++++++++>++++++++++++++>++++++++++++++++>++++++++++++++++++>++++++++++++++++++++>++++++++++++++++++++++>++++++++++++++++++++++++>+++++......
  • NewStarCTF-fifthweek
    一、隐秘的图片给出了两张图片,像是二维码,但是其中一张图片是损坏的,因此想到使用Stegsolve对两张图片进行异或:异或得到一张新的二维码,扫描获得Flag:二、ezhard拿到文件之后发现是硬盘格式文件新建目录挂载flag在hint.png三、新建Python文件pyc文件隐写很容易就能找......
  • NewStarCTF 2023 公开赛道 做题随笔(WEEK1|MISC部分)
    第一题下载打开得到TXT文件好的看样子应该是base32,复制到base在线转换看看得到这玩意 base58转换得到 出了flag  第二题 下载得到一张二维码用隐写软件试试得到一张这个以为是摩斯密码,试试得到有个这玩意,嘶,好像不是试试LSB 得到flag 第三题......
  • [newstarctf2023] --RE wp
    AndroGenshin:rc4加密表,base64换表:脚本梭就行username=b"genshinimpact"base64_table=[125,239,101,151,77,163,163,110,58,230,186,206,84,84,189,193,30,63,104,178,130,211,        164,94,75,16,32,33,193,160,120,......
  • NewStarCTF 2023 WEEK2|REVERSE SMC 使用IDApython静态解决SMC
    先来一篇IDApyhotn的指令教程https://www.cnblogs.com/zydt10/p/17676018.html*自己编的这题对应的expa=[0x11,0x22,0x33,0x44]foriinrange(38):result=a[i&3]ida_bytes.patch_byte(0x403040+i,get_wide_byte(0x403040+i)^result)在IDA中运行完exp之后,......
  • newstarctf2023 reverse 题解汇总
    newstarctf2023reverse题解汇总week1easy_REdie查无壳64直接IDA启动跟到main函数找到两部分flag拼起来就行了。flag{we1c0me_to_rev3rse!!}ELFdie查64ELFIDA启动稍微读一下写个py逆一下它的加密就行了flag{D0_4ou_7now_wha7_ELF_1s?}importbase64a="VlxRV......