CTF-安恒19年二月月赛部分writeup
CTF-安恒19年二月月赛部分writeup
MISC1-来玩个游戏吧
题目:
第一关,一眼可以看出是盲文,之前做过类似题目
拿到在线网站解一下
??41402abc4b2a76b9719d911017c592,那么就奇怪了,这个??是什么东西,数一下加上??正好32位,应该是个MD5了,索性直接百度一下,
第一关答案出来了,试过了MD5值不对,hello是正确的,下一关。
第二关提示
没见过这种的,还是百度一下,
下载了这个脚本后执行命令
fastcoll_v1.0.0.5.exe -p C:\windows\notepad.exe -o D:\notepad1.exe D:\notepad2.exe
(因为没有规定文件名啥的就直接复制他的命令了)
直接将文件路径复制到文本框即可
Dear Professional ; Especially for you - this cutting-edge
intelligence ! If you no longer wish to receive our
publications simply reply with a Subject: of "REMOVE"
and you will immediately be removed from our club .
This mail is being sent in compliance with Senate bill
, Title ; Section ! THIS IS NOT MULTI-LEVEL
MARKETING . Why work for somebody else when you can
become rich as few as weeks . Have you ever noticed
more people than ever are surfing the web and people
will do almost anything to avoid mailing their bills
. Well, now is your chance to capitalize on this !
WE will help YOU decrease perceived waiting time by
% & decrease perceived waiting time by % . You
can begin at absolutely no cost to you . But don't
believe us ! Mrs Jones of Minnesota tried us and says
"I was skeptical but it worked for me" . We assure
you that we operate within all applicable laws . Because
the Internet operates on "Internet time" you must act
now ! Sign up a friend and your friend will be rich
too . Warmest regards . Dear Cybercitizen , We know
you are interested in receiving red-hot announcement
! We will comply with all removal requests ! This mail
is being sent in compliance with Senate bill 1619 ;
Title 2 ; Section 301 . This is NOT unsolicited bulk
mail ! Why work for somebody else when you can become
rich within 53 MONTHS ! Have you ever noticed more
people than ever are surfing the web and more people
than ever are surfing the web . Well, now is your chance
to capitalize on this . We will help you use credit
cards on your website plus decrease perceived waiting
time by 150% . The best thing about our system is that
it is absolutely risk free for you ! But don't believe
us ! Mrs Simpson of Washington tried us and says "Now
I'm rich, Rich, RICH" . We assure you that we operate
within all applicable laws ! We beseech you - act now
! Sign up a friend and your friend will be rich too
. Thank-you for your serious consideration of our offer
! Dear Friend ; This letter was specially selected
to be sent to you ! If you no longer wish to receive
our publications simply reply with a Subject: of "REMOVE"
and you will immediately be removed from our mailing
list . This mail is being sent in compliance with Senate
bill 2716 , Title 2 ; Section 306 ! This is a ligitimate
business proposal . Why work for somebody else when
you can become rich inside 33 weeks . Have you ever
noticed more people than ever are surfing the web plus
more people than ever are surfing the web . Well, now
is your chance to capitalize on this ! WE will help
YOU SELL MORE and process your orders within seconds
. You can begin at absolutely no cost to you . But
don't believe us ! Mrs Jones of Kentucky tried us and
says "I was skeptical but it worked for me" ! This
offer is % legal ! We implore you - act now . Sign
up a friend and you'll get a discount of 50% . God
Bless .
题目提示了:需要一个在线的网站去解密,而这个网站使用了栅格密码。
栅格密码也没听说过,还是百度
搜索关键字Spam Mimic到网站 http://www.spammimic.com/解码
flag为:flag{a0dd1e2e6b87fe47e5ad0184dc291e04}
MISC2-简单的流量分析
题目:
过滤http协议,按照info排序一下
发现存在/xinhu/robots.txt
追踪http流到/xinhu/robots.txt
发现abc.html,继续跟进
发现MD5和两串DES
md5 0x99a98e067af6b09e64f3740767096c96 DES 0xb19b21e80c685bcb052988c11b987802d2f2808b2c2d8a0d (->) DES 0x684a0857b767672d52e161aa70f6bdd07c0264876559cb8b (->)
继续向下分析,发现都是IPSec加密后的流量,尝试使用前面给的MD5和DES解密
wireshark进入Preference菜单下的Profile,找到ESP, 配置如下:
此时再次过滤http发现有部分响应包带上了数字,102 108 转换为ASCII码则为f l 所以统一提取转换。
a = [102,108,97,103,123,50,55,98,48,51,98,55,53,56,102,50,53,53,50,55,54,101,53,97,57,56,100,97,48,101,49,57,52,55,98,101,100,125]
flag = ''
for i in a:
flag +=chr(i)
print flag
flag:flag{27b03b758f255276e5a98da0e1947bed}
CRYPTO1-hahaha
题目:
压缩包题目,其实看到这压缩包里的短位CRC32应该就能猜出是CRC32爆破了
当然也可以一步一步排除一下
首先binwalk分析得出非伪加密,爆破的话没有提示,不理想。
所以直接上脚本
所以加起来就是tanny_is_very_beautifu1_
哈哈
按照给的提示,flag应该是flag{1or! 2or@ sechn}
然后给了sha1值,应该是要爆破了。。。
当时做到这里就停了,因为不会写脚本了
下面献上一叶飘零大佬的脚本
import itertools
import hashlib def sha1(str):
sha = hashlib.sha1(str)
encrypts = sha.hexdigest()
return encrypts
a1 = '1!'
a2 = '2@'
a3 = '{'
a4 = '}'
for str1 in itertools.combinations(a1,1):
for str2 in itertools.combinations(a2,1):
str3 = str1[0]+str2[0]+'sechn'
for i in itertools.permutations(str3):
tmp = (''.join(i))
res = 'flag{'+tmp+'}'
# print sha1(res)
if sha1(res) == 'e6079c5ce56e781a50f4bf853cdb5302e0d8f054':
print res
break
flag:flag{sh@1enc}
小结:web没做出来太菜,pwn刚起步,压根没看,密码2也没做出来,需要的脑洞太大了,另外膜飘零师傅。
参考:https://www.anquanke.com/post/id/171543
CTF-安恒19年二月月赛部分writeup的更多相关文章
- CTF-安恒19年一月月赛部分writeup
CTF-安恒19年一月月赛部分writeup MISC1-赢战2019 是一道图片隐写题 linux下可以正常打开图片,首先到binwalk分析一下. 里面有东西,foremost分离一下 有一张二维 ...
- CTF-安恒18年十二月月赛部分writeup
CTF-安恒十二月月赛部分writeup 这次题目都比较简单蛤,连我这菜鸡都能做几道. WEB1-ezweb2 打开网站,啥也没有,审计源代码,还是啥都没有,也没什么功能菜单,扫了一下目录,扫到了ad ...
- CTF-安恒18年十一月月赛部分writeup
安恒十一月月赛writeup 昨天做了一下十一月的题目,不才只做出来几道 签到web1 这个是十月的原题,因为忘了截图所以只能提供思路 Web消息头包含了登陆框的密码 输入密码后进入上传页面,上传一句 ...
- 【CTF】2019湖湘杯 miscmisc writeup
题目来源:2019湖湘杯 题目链接:https://adworld.xctf.org.cn/task/answer?type=misc&number=1&grade=1&id= ...
- 安恒杯2月月赛-应该不是xss
1. 打开题目一看,是个留言板 2. 查看源码发现有几个js文件 依次打开发现在main.js里存在这样一段代码 3. 访问 /#login是登录的界面,/#chgpass是修改密码的界面,其中修改密 ...
- 安恒杯11月月赛web题目-ezsql详细记录
通过此题目可以学习到 1.通过load_file+like来盲注获取文件内容 2.php魔术方法__get函数的用法 3.bypass linux命令过滤 题目中给了注册和登录的功能,没有源码泄露 ...
- 2018安恒杯11月月赛 MISC
题目放评论了 Numeric password 这次隐写没有按照套路出牌,很强. 记录一下 看来自主学习的能力很有待提高. 打开Numeric password.txt 中华文化博大精深,近日在教小外 ...
- 安恒2018年三月月赛MISC蜘蛛侠呀
到处都是知识盲区hhh 下载了out.pcap之后,里面有很多ICMP包 看到ttl之后联想到西湖论剑里面的一道杂项题,无果 看WP知道可以使用wireshark的tshark命令提取流量包里面的文件 ...
- 【CTF】CTFHub 技能树 文件头检查 writeup
PHP一句话木马 <?php @eval($_POST["pass"]);?> <?php eval($_REQUEST["pass"]);? ...
随机推荐
- Django路由系统---django重点之url命名分组
django重点之url命名分组[参数无顺序要求]. settigs.py:增加STATICFILES_DIRS静态资源路径配置,名称为创建的文件夹名称 'DIRS': [os.path.join(B ...
- Apache配置支持目录浏览
主配置文件 httpd.conf 中修改: 1)添加支持模块 LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir ...
- [EffectiveC++]item02:尽量以const,enum,inline代替#define
- 怎么知道是哪个div被点击了
怎么知道是哪个div被点击了 不在div中加onclick等事件调用函数 ,用事件监听函数,但是如果div中的div被点击了,addEventListener得到了两个监听事件,我想点击div里的di ...
- 用ABAP代码读取S/4HANA生产订单工序明细
在S/4HANA事务码CO03显示的Production Order里,我希望用ABAP代码显示出该订单的operation(工序)ID,描述和状态Status,如下图所示: 很简单的几行ABAP代码 ...
- java内部类之成员内部类之局部内部类
局部内部类特点: 1.定义在代码块.方法体内的类叫局部内部类 2.局部内部类访问外部类的属性和方法使用“外部类名.this.属性名”和“外部类名.this.方法名(参数)”的形式 3.对外部世界完全隐 ...
- MySQL 事务没有提交导致 锁等待 Lock wait timeout exceeded
java.lang.Exception: ### Error updating database. Cause: java.sql.SQLException: Lock wait timeout e ...
- BZOJ2588:Count on a tree(主席树)
Description 给定一棵N个节点的树,每个点有一个权值,对于M个询问(u,v,k),你需要回答u xor lastans和v这两个节点间第K小的点权.其中lastans是上一个询问的答案,初始 ...
- 【LeetCode每天一题】Remove Duplicates from Sorted Array II(移除有序数组中重复的两次以上的数字)
Given a sorted array nums, remove the duplicates in-place such that duplicates appeared at most twic ...
- ctf经典好题复习
WEB200-2 这是swpu-ctf的一道题. <?php if(isset($_GET['user'])){ $login = @unserialize(base64_decode($_GE ...