Notes on some CTF misc challenge approaches

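Skills analysis challenges

1. Xiao Ming's password

Xiao Ming, born in '97, uses his birthday as the password for his website. You now have a string in which one character has been tampered with. Can you work out Xiao Ming's birthday?

0175501585710a89h5a60dc9ed2f88d7

MD5 hash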

#!/usr/bin/env python2
# -*- coding: UTF-8 -*-
import hashlib

s = '0175501585710a89h5a60dc9ed2f88d7'
# Try every month/day combination of 1997 as a YYYYMMDD string
for day in range(1, 32):
    for month in range(1, 13):
        birth = '1997%02d%02d' % (month, day)
        m = hashlib.md5()
        m.update(birth)
        md5 = m.hexdigest()
        if s[:10] in md5:  # compare only part of the string against the full digest
            print md5
            print birth

2. Affine cipher

Given the affine encryption transform c = (11m + 7) mod 26, decrypt the ciphertext dikxourxd.

#!/usr/bin/env python2
# -*- coding: UTF-8 -*-
a = 'dikxourxd'
a1 = []
# Map each ciphertext letter to its index 0..25
for i in a:
    a2 = ord(i) - 97
    a1.append(a2)
print a1
s = ""
# For each ciphertext index, search for the plaintext index j that encrypts to it
for i in a1:
    for j in range(0, 26):
        c = (11 * j + 7) % 26
        if c == i:
            s += chr(j + 97)
print s

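3. The hacker's confidential information

A hacker wrote a string of confidential information to the web server through a webshell. Can you find it?

First analyze the capture and filter for HTTP requests; shell.php shows up near the end of the capture. Use a Wireshark display filter to isolate the traffic that contains shell.php: http contains "shell.php"

The commands executed through the one-line webshell are all base64-encoded, so the keyword flag cannot be found by searching directly.

Find the flag by following the stream.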
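The base64 step described above can be automated once the POST bodies of the shell.php requests have been exported. This is an added example in Python 3, not code from the original post; the field names (a, p1, p2) and the sample bodies are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

B64_RE = re.compile(r'[A-Za-z0-9+/]{8,}={0,2}')


def decode_params(body):
    """Return {field: text} for each form field whose value is valid base64."""
    decoded = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        candidate = value.replace(' ', '+')  # an unescaped '+' arrives as a space
        if len(candidate) % 4 or not B64_RE.fullmatch(candidate):
            continue
        try:
            raw = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded[name] = raw.decode('utf-8', errors='replace')
    return decoded


def find_keyword(bodies, keyword='flag'):
    """List (request index, field, decoded text) where the decoded value has keyword."""
    hits = []
    for index, body in enumerate(bodies):
        for name, text in decode_params(body).items():
            if keyword in text:
                hits.append((index, name, text))
    return hits


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample POST bodies (not taken from the challenge capture).
SAMPLE_BODIES = [
    urlencode({'page': 'index', 'lang': 'en'}),
    urlencode({'a': 'write',
               'p1': _b64('/var/www/html/note.txt'),
               'p2': _b64('flag{constructed_example}')}),
]

if __name__ == '__main__':
    for hit in find_keyword(SAMPLE_BODIES):
        print(hit)
```

Short plain values that happen to be valid base64 (for example an 8-letter word) will also be decoded, so treat the output as candidates to review.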

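4. Remote-access trojan

During an incident response, an engineer found the client program of a remote-access trojan. Determine the IP address and port number of the trojan's control server.

Run netstat -ano on a virtual machine to check.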

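5. Life is short

Is there any difference between the two files?

Looking at the two files, one of them is a PNG image. Viewing them in WinHex shows that the header of one of the files has been modified.

Following the hint in the file name, xor, XOR the headers of the two files.

The code is as follows:

XOR operation

#!/usr/bin/env python2
# -*- coding: UTF-8 -*-
def xor(str1, str2):
    # XOR two byte strings character by character, up to the shorter length
    return ''.join(chr(ord(x) ^ ord(y)) for x, y in zip(str1, str2))


if __name__ == '__main__':

    # XOR progressively longer header prefixes (0 to 19 bytes) of the two files
    for i in range(20):
        #png_1 = open(sys.argv[1], "rb").read(i)
        png_1 = open("xor.png", "rb").read(i)
        png_2 = open("flag.png", "rb").read(i)
        key = xor(png_1, png_2)

        print key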

7. Web vulnerability

What confidential information did the hacker steal from the web system by exploiting the vulnerability?

Reading the log

#!/usr/bin/env python2
# -*- coding: UTF-8 -*-
import urllib
import re


flag = ''
flag_list = []

# Collect every log line that mentions 'flag'
with open('access.log', 'r') as file:
    #print file.read()
    line_lists = file.readlines()
    #print len(line_lists)
    flag_lines = []
    for i in line_lists:
        if 'flag' in i:
            flag_lines.append(i)
    #print len(flag_lines)


for i in flag_lines:
    # Field 6 of the space-separated log line is the request URL
    s = i.split(" ")[6]
    s = urllib.unquote(s)
    if '!=' in s:
        print s
        # The number after '!=' is the character code of one flag character
        p = re.compile(r'!=[1-9]\d*')
        flag = flag + chr(int(p.findall(s)[0].replace('!=', '')))

print flag

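8. Old stuff in the terminal

Do strange things have some special effect when displayed in a terminal?

Attachment: console.pcap

The answer format has been changed to: flag{***}

After obtaining the flag, change it to the submission format yourself.

tshark -T fields -e data -r console.pcap | xxd -r -p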

9. Kaomoji

(ノ`Д)ノ

10. Disk image

The flag is hidden in the disk.

Extracting with 7z, mounting, or carving all work.

11. gakki

Modify the height.

12. Magic QR code

Opening the file in Notepad++ shows that every line is a coordinate; use Python to build the QR code.

#!/usr/bin/env python2
# -*- coding: UTF-8 -*-
from PIL import Image

pic = Image.new("RGB", (280, 280))
f = open("flag.txt", "r")
flag_s = []

# Strip the parentheses so each entry is "v1,v2,v3"
for i in f.readlines():
    j = i.strip("\n").replace(")", "").replace("(", "")
    flag_s.append(j)
f.close()

s = ""
k = 0
# Fill the image column by column, one line of the file per pixel
for i in range(280):
    for j in range(280):
        s = flag_s[k].split(",")
        pic.putpixel((i, j), (int(s[0]), int(s[1]), int(s[2])))
        k += 1

pic.show()
pic.save("flag.png")

Scan the QR code to get the encoded text.

Decode it as base32.

On inspection, the result is rail fence encrypted.

What remains should be a Caesar cipher.
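The base32, rail fence and Caesar chain above can be brute-forced in one pass. This is an added example in Python 3, not code from the original post; it assumes the simple rail fence variant (characters dealt round-robin into rows, rows concatenated) and runs on a constructed sample string.

```python
import base64


def fence_encode(text, rails):
    """Deal characters round-robin into `rails` rows, then join the rows."""
    return ''.join(text[r::rails] for r in range(rails))


def fence_decode(text, rails):
    """Invert fence_encode: rebuild the rows, then read them column by column."""
    base, extra = divmod(len(text), rails)
    rows, pos = [], 0
    for r in range(rails):
        size = base + (1 if r < extra else 0)  # the first `extra` rows are longer
        rows.append(text[pos:pos + size])
        pos += size
    return ''.join(row[col] for col in range(base + 1)
                   for row in rows if col < len(row))


def caesar(text, shift):
    """Rotate ASCII letters by `shift`; digits and punctuation are unchanged."""
    out = []
    for ch in text:
        if 'a' <= ch <= 'z' or 'A' <= ch <= 'Z':
            start = ord('a') if ch.islower() else ord('A')
            ch = chr((ord(ch) - start + shift) % 26 + start)
        out.append(ch)
    return ''.join(out)


def solve(b32_text, marker='flag{'):
    """Base32-decode, then try every rail count and shift; keep flag-shaped results."""
    stage = base64.b32decode(b32_text).decode()
    hits = []
    for rails in range(2, len(stage)):
        unfenced = fence_decode(stage, rails)
        for shift in range(26):
            candidate = caesar(unfenced, shift)
            if candidate.startswith(marker) and candidate.endswith('}'):
                hits.append((rails, shift, candidate))
    return hits


# Constructed sample: Caesar +3, 4-rail fence, then base32 (not the challenge data).
PLAIN = 'flag{constructed_qr_chain}'
SAMPLE = base64.b32encode(fence_encode(caesar(PLAIN, 3), 4).encode()).decode()

if __name__ == '__main__':
    print(solve(SAMPLE))
```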

14. The base family

Mixed base encodings

#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
import base64

f = open('base.txt')
content = ""
for i in f.readlines():
    content = content + i.replace('\r', '').replace('\n', '').replace('\t', '')
f.close()
# Keep peeling layers: try base64, then base32, then base16, until none decodes
while True:
    try:
        content = base64.b64decode(content).decode()
        #print(content)
    except Exception:
        try:
            content = base64.b32decode(content).decode()
            #print(content)
        except Exception:
            try:
                content = base64.b16decode(content).decode()
                # print(content)
            except Exception:
                print('result: ', content)
                break

15. rsa1

Solving RSA with openssl

First use RsaCtfTool to compute the private key from the public key:

python RsaCtfTool.py --publickey ~/Desktop/pub.key --private > priv.key

Then decrypt with openssl:

openssl rsautl -decrypt -inkey priv.key -in enc1 -out text

16. rsa2

Shared prime

def gcd(a, b):
    # Euclidean algorithm
    if a < b:
        a, b = b, a
    while b != 0:
        temp = a % b
        a = b
        b = temp
    return a


def egcd(a, b):
    # Extended Euclid: returns (g, x, y) with a*x + b*y == g
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m

def n2s(n):
    # Integer to byte string; '%x' avoids the '0x' prefix and the Python 2 'L' suffix
    s = '%x' % n
    if len(s) % 2 != 0:
        s = '0' + s
    return s.decode('hex')

n4=18674375108313094928585156581138941368570022222190945461284402673204018075354069827186085851309806592398721628845336840532779579197302984987661547245423180760958022898546496524249201679543421158842103496452861932183144343315925106154322066796612415616342291023962127055311307613898583850177922930685155351380500587263611591893137588708003711296496548004793832636078992866149115453883484010146248683416979269684197112659302912316105354447631916609587360103908746719586185593386794532066034112164661723748874045470225129298518385683561122623859924435600673501186244422907402943929464694448652074412105888867178867357727
n5=20071978783607427283823783012022286910630968751671103864055982304683197064862908267206049336732205051588820325894943126769930029619538705149178241710069113634567118672515743206769333625177879492557703359178528342489585156713623530654319500738508146831223487732824835005697932704427046675392714922683584376449203594641540794557871881581407228096642417744611261557101573050163285919971711214856243031354845945564837109657494523902296444463748723639109612438012590084771865377795409000586992732971594598355272609789079147061852664472115395344504822644651957496307894998467309347038349470471900776050769578152203349128951
c4=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
e=65537

p4=gcd(n4,n5)
print "p4",p4
q4=n4/p4
q5=n5/p4
# print "q4",q4
# print "q5",q5
phi=(p4-1)*(q5-1)
d4=modinv(e,phi)
print "d4",d4
m=pow(c4,d4,n5)
print "m=%s"%m
print "flag is",n2s(int(m))

17. Base conversion

f = open("text.txt", "r")
flag_s = f.read()
flag_list = ""
# Each token starts with a base marker: b (binary), o (octal), d (decimal), x (hex)
for i in flag_s.split(" "):
    if i[0] == "b":
        print chr(int("0" + i, 2))
        flag_list = flag_list + chr(int("0" + i, 2))
    elif i[0] == "o":
        print chr(int("0" + i, 8))
        flag_list = flag_list + chr(int("0" + i, 8))
    elif i[0] == "d":
        print chr(int(i[1:]))
        flag_list = flag_list + chr(int(i[1:]))
    elif i[0] == "x":
        print chr(int("0" + i, 16))
        flag_list = flag_list + chr(int("0" + i, 16))

print flag_list

18. Crack it

19. Log analysis

20. ICMP traffic analysis

21. Magic picture

The result may be a QR code or it may be a figure; judge from the generated image.

#!/usr/bin/env python2
# -*- coding: UTF-8 -*-
from PIL import Image

# Image width and height; adjust these until the picture becomes readable
x = 150
y = 900
pic = Image.new("RGB", (x, y))
f = open("basic.txt", "r")
flag_s = []

# Strip the parentheses so each entry is "v1,v2,v3"
for i in f.readlines():
    j = i.strip("\n").replace(")", "").replace("(", "")
    flag_s.append(j)
f.close()

s = ""
k = 0
# Fill the image column by column, one line of the file per pixel
for i in range(x):
    for j in range(y):
        s = flag_s[k].split(",")
        pic.putpixel((i, j), (int(s[0]), int(s[1]), int(s[2])))
        k += 1

pic.show()
pic.save("flag.png")

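Changing the x and y values shows that the content is digits rather than a QR code; keep adjusting until the layout is right.

Flip the resulting image in Photoshop to get the final picture.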
