lc4t's blog

一些随想和笔记

, , Read

ISCC2015(base&web)

BASE50-easy?

1
2
3
4
5
6
7
8
9
10
11
12
13
#ISCC-BASE50_easy?.py
code = "mzdvezc"
CHARBASE = ord('a')
# encode y = 5x + 12 (mod 26)
# decode x = 21(y - 12) (mod 26)
for i in code:
    y = ord(i) - CHARBASE - 12
    if (y < 0):
        y += 26
    x = y * 21 % 26
    print (chr(x + 97),end="")

#flag : anthony

BASE50-神秘纸条

这是一个BASE64-ENCODED MD5HASH:

HEX-ENCODED MD5 HASH: a4704fd35f0308287f2937ba3eccf5fe
BASE64-ENCODED MD5HASH: pHBP018DCCh/KTe6Psz1/g
HEX-ENCODED SHA HASH: 93ef0dd827103681fcee453b78be2ff14e1a261d
BASE64-ENCODED SHA HASH:k+8N2CcQNoH87kU7eL4v8U4aJh0
CLEARTEXT: The

1
2
3
4
5
6
7
8
9
10
#pHBP018DCCh/KTe6Psz1/g==     -->    The
#Lo1tv5ESqHnUzrFUA9EKeA==     -->    death
#pHV9dBn/O0jpLpBZbw51SA==     -->    god
#Ypm6LL2WYaXjhytxVSHNag==     -->    only
#mpftptifXJ6EVgRooGeXBw==     -->    eat

#google : The death god only eat
#get : The Death God Only Eat Apples

#flag : apples

BASE150-恶作剧or机密?

下载压缩文件,提示是4位密码,爆破之


发现密码:hj7k

打开看到:
WkhWaGJtY3lNREUxWkhWaGJtZGtZUW89Cg==
base64解密之
ZHVhbmcyMDE1ZHVhbmdkYQo=
再解密之得到flag
flag : duang2015duangda

Base150-Decrypt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Ma=[
    1,4,7,
    2,5,8,
    3,6,10
   ]

code=[
      22,9,0,
      12,3,1,
      10,3,4,
      8,1,17
     ]

answer=[]

flag = 0
for t in range(0,12,3):
    flag = 0
    for i in range(0,99,1):
        for j in range(0,99,1):
            for k in range(0,99,1):
                if ((1*i + 4*j + 7*k)%26 == code[t]  and
                    (2*i + 5*j + 8*k)%26 ==  code[t+1] and
                     (3*i + 6*j + 10*k)%26 == code[t+2]):
                    answer.append(i)
                    answer.append(j)
                    answer.append(k)
                    flag = 1
                    break
            if(flag):
                break
        if(flag):
            break
    if(flag):
        continue
print (answer)

for i in answer:
    print (chr(i + 97),end="")
#flag : overthehillx

BASE150-蛛丝马迹

下载文件 提示是异或机密且给出了密钥 ,先解异或

1
2
3
4
5
6
s = [  0xBE,  0x2A,  0x28,  0x48,  0x7A,  0x5C,  0x2A,  0x21,  0xCB,  0x93,  0x0D,  0x2A,  0x70,  0x36,  0xD3,  0x4E,  0xC9,  0xB6,  0xCF,  0x3C,  0xB6,  0x71,  0x99,  0xF5,  0x46,  0x69,  0xA1,  0x24,  0xF9,  0x71,  0x70,  0x11,  0x2A,  0x37,  0x31,  0x27,  0x30,  0x16,  0x71,  0x90,  0x26,  0xC9,  0x18,  0x72,  0xC9,  0x09,  0x4E,  0xC9,  0x0B,  0x5E,  0xC9,  0x4B,  0xC9,  0x2B,  0x4A,  0xEF,  0x7F,  0x28,  0x48,  0x7A,  0x5C,  0x37,  0x47,  0xD7,  0xBD,  0x15,  0xBA,  0xD7,  0x22,  0xC9,  0x07,  0x7E,  0xC9,  0x0E,  0x47,  0x3A,  0x41,  0x8F,  0xC9,  0x1B,  0x62,  0x41,  0x9F,  0x71,  0xBD,  0x05,  0xC9,  0x76,  0xF9,  0x41,  0xB7,  0xDB,  0x4D,  0xFC,  0x44,  0x78,  0x86,  0x36,  0x4A,  0x83,  0x88,  0x45,  0x41,  0x92,  0x04,  0xA9,  0xB3,  0x79,  0x16,  0x66,  0x5E,  0x37,  0xA6,  0xC9,  0x1B,  0x66,  0x41,  0x9F,  0x24,  0xC9,  0x7E,  0x39,  0xC9,  0x1B,  0x5E,  0x41,  0x9F,  0x41,  0x6E,  0xF9,  0xD7,  0x1D,  0xE9,  0x15,  0x23,  0x7F,  0x28,  0x48,  0x7A,  0x5C,  0x37,  0xEB,  0x71,  0x99,  0x11,  0x2A,  0x35,  0x34,  0x36,  0x64,  0x2A,  0x14,  0x29,  0x68,  0x7A,  0xC9,  0x86,  0x11,  0x12,  0x12,  0x11,  0xBD,  0x15,  0xBE,  0x11,  0xBD,  0x15,  0xBA,  0xD2,  0xD2,  0xD2,  0xD2]

key = 0x42
for t in s:
    print ("\\x%x" % (key^t),end = "")
print ("")
得到一段shellcode,分别用win和linux编译看看哪个能运行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
#include <stdlib.h>
const unsigned char shellcode[] =
"\xfc\x68\x6a\xa\x38\x1e\x68\x63\x89\xd1\x4f\x68\x32\x74"
"\x91\xc\x8b\xf4\x8d\x7e\xf4\x33\xdb\xb7\x4\x2b\xe3\x66"
"\xbb\x33\x32\x53\x68\x75\x73\x65\x72\x54\x33\xd2\x64"
"\x8b\x5a\x30\x8b\x4b\xc\x8b\x49\x1c\x8b\x9\x8b\x69\x8"
"\xad\x3d\x6a\xa\x38\x1e\x75\x5\x95\xff\x57\xf8\x95\x60"
"\x8b\x45\x3c\x8b\x4c\x5\x78\x3\xcd\x8b\x59\x20\x3\xdd"
"\x33\xff\x47\x8b\x34\xbb\x3\xf5\x99\xf\xbe\x6\x3a\xc4\x74"
"\x8\xc1\xca\x7\x3\xd0\x46\xeb\xf1\x3b\x54\x24\x1c\x75"
"\xe4\x8b\x59\x24\x3\xdd\x66\x8b\x3c\x7b\x8b\x59\x1c\x3"
"\xdd\x3\x2c\xbb\x95\x5f\xab\x57\x61\x3d\x6a\xa\x38\x1e"
"\x75\xa9\x33\xdb\x53\x68\x77\x76\x74\x26\x68\x56\x6b"
"\x2a\x38\x8b\xc4\x53\x50\x50\x53\xff\x57\xfc\x53\xff\x57"
"\xf8\x90\x90\x90\x90";
int main(int argc, char **argv) {
    int (*ret)();
    ret = (int(*)())shellcode;
    (int)(*ret)();
    exit(0);
}
linux不行,wine把exe执行后直接弹出Vk*8wvt&
flag : Vk*8wvt&

WEB200-What should you do now?

打开网站看源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
var chr = "1311|1337|1357|1294|1325|1337|1333|1340|1325|1347|1353|1350|1313|1341|1346|1336|";
var str = "";

function a(arg)
{
    var i, k;
    i = "";
    for (k = 0; k < chr.length; k++)
    {
        if (chr.charAt(k) == '|')
        {                 //如果是|就让i减去arg
            i -= arg;
            str += String.fromCharCode(i);
            i = "";
        }
        else
        {               //取出chr的每个四位数字给i
            i += chr.charAt(k);
        }
    }
}

function b()
{
    str = "";
    a(pass.value);
    alert(str);
}

for (var i = 1294 - 255; i <= 1357 + 255; i++)
{           //我们自己来调用a()来爆破一下密码,由于密码肯定是ASCII范围内,直接在min-255max+255内找
    a(i);
    console.log(str+">>>>"+i);
    str = "";
}

//Key:YeahYourMind>>>>1236
//flag : YeahYourMind

WEB250-How?

打开网页,提交一次抓包
发现sql语句


是个强制md5输入,不过用了true参数,那么加密结果返回的就是md5 hash的raw值
想要绕过sql只能注入,考虑最短的可能性
'or'1
其中1可以为任意非0值

爆破之得到密文ffifdyop
其加密结果为


提交得到You got it! flag:{45dcbc39e5596ffbb0d09dd3e2bde0fa}
flag : 45dcbc39e5596ffbb0d09dd3e2bde0fa

剩下两个web题

4.流量考的是溢出,只需要输入一个非常长的数字,比如按30s的1,然后 *0,提交返回flag


5.第二个简直了,抓包看到hint是cmd,cookies直接设置名称为cmd,值为执行的命令,题目说明了是windows,dir发现当前目录下有个文件,复制到地址栏打开得到flag

RE350-不择手段

凝聚(CNSS)2014新生招新题

出来解压出来elf执行文件丢安卓模拟器
输出是一个class文件
class文件用jd-gui打开直接看到flag


flag : CN55_ARM

MISC300-Godlike

下载文件发现里面是个.pcap


丢给wireshark检查http,发现一个可以的php


再过滤ip


这是一个shell(phpspy),上传了一个zip


跟入TCP,把hehe.zip提出来


继续跟踪发现再shell上执行时还有密码


解压 看到flag


flag{ce8c136df237e86bb7a553347f}

MISC300-道中道

这个被坑惨了,上神器stegsolve看RGB的0通道都能找到PK头 甚至还有flag.txt 感觉是个选择通道合并 然而并没有操作成功
后来观察图片的hex,手动读取差异位..而且最后有个rot13的提示


写了片不合格的代码


输出发现是有问题的--hex的顺序..


调整好后..发现是个加密的zip,密码是最后那一串的rot13

打开flag.txt flag:{40a4156965b782efb4f574c5d0cf219a}
flag : 40a4156965b782efb4f574c5d0cf219a

MISC350-细节决定成败

真的是细节决定成败,直接V2.1.0的binwalk跑出来


a6be8a33b7c987f4ffb76d9c9805c7eb
Newer Post

彻底清除wine的打开方式列表和快捷方式

正式卸载wine之后, 12345678910111213#打开方式rm -f ~/.local/share/mime/packages/x-wine*rm -f ~/.local/share/applications/wine-extension*rm -f ~/.local/share/icon …

, ,
Older Post

gnome3禁用触摸板后怎样打开

gnome3在 菜单的设置选项中禁用了触摸板后无法启用,经过摸索找到了解决办法: …

, ,