科技颠覆者 posted on 2024-2-16 10:28:52

2023-2024 Pointer Overflow CTF WP

A very interesting competition; I had some free time recently so I decided to give it a go! I've only done part of it, oh well! I'll do more when I have time.
Competition dates: September 17th, 2023 to January 21st, 2024
Current ranking:
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212233149812-945376209.png
 
Crypto

Unquestioned and Unrestrained

Challenge
First crypto challenge so we have to keep it easy. Here's the flag, but it's encoded. All you have to do is figure out which method was used. Luckily, it's a common one.
cG9jdGZ7dXdzcF80MTFfeTB1Ml84NDUzXzQyM184MzEwbjlfNzBfdTV9
My solution:
Warm-up challenge; the ciphertext is plain base64, decode it directly:
poctf{uwsp_411_y0u2_8453_423_8310n9_70_u5}
A Pale, Violet Light

Challenge
e= 5039

N = 34034827

C = 933969 15848125 24252056 5387227 5511551 10881790 3267174 14500698 28242580 933969 32093017 18035208 2594090 2594090 9122397 21290815 15930721 4502231 5173234 21290815 23241728 2594090 21290815 18035208 10891227 15930721 202434 202434 21290815 5511551 202434 4502231 5173234 25243036
My solution:
Key points: loop over the ciphertext list; broadcast attack
First factor N to get
p = 5807
q = 5861
Exploit:
# coding:utf-8
from Crypto.Util.number import long_to_bytes
import gmpy2

n = 34034827
p = 5807
q = 5861
e = 5039
message = "933969 15848125 24252056 5387227 5511551 10881790 3267174 14500698 28242580 933969 32093017 18035208 2594090 2594090 9122397 21290815 15930721 4502231 5173234 21290815 23241728 2594090 21290815 18035208 10891227 15930721 202434 202434 21290815 5511551 202434 4502231 5173234 25243036"
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
flag = ''
# every space-separated block is a single character encrypted on its own
for i in message.split(" "):
    m = gmpy2.powmod(int(i), d, n)
    flag += long_to_bytes(m).decode()  # .decode() so Python 3 yields "p", not "b'p'"
print(flag)
# poctf{uwsp_533k 4nd y3 5h411 f1nd}
Remember to fill the spaces in the result with underscores:
poctf{uwsp_533k_4nd_y3_5h411_f1nd}
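An added example (not the author's script) that also shows how the factors were found and why this construction is weak: N is factored by trial division, and the same plaintext is recovered a second time with nothing but the public key, because textbook RSA on one-byte blocks is deterministic and a codebook of all printable bytes is enough. The constants are the challenge values quoted above.

```python
from math import isqrt

# Constructed from the challenge text above (public key and ciphertext blocks).
E = 5039
N = 34034827
BLOCKS = [int(x) for x in (
    "933969 15848125 24252056 5387227 5511551 10881790 3267174 14500698 "
    "28242580 933969 32093017 18035208 2594090 2594090 9122397 21290815 "
    "15930721 4502231 5173234 21290815 23241728 2594090 21290815 18035208 "
    "10891227 15930721 202434 202434 21290815 5511551 202434 4502231 "
    "5173234 25243036").split()]


def factor(n):
    """Trial division up to sqrt(n): instant for a 26-bit modulus like this one."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def decrypt_with_private_key(blocks, e, n):
    """The author's route: factor N, compute d, decrypt each block."""
    p, q = factor(n)
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return "".join(chr(pow(c, d, n)) for c in blocks)


def decrypt_with_codebook(blocks, e, n):
    """No private key needed: textbook RSA is deterministic, so encrypt every
    printable byte under (e, N) and invert the table to read the blocks."""
    table = {pow(m, e, n): chr(m) for m in range(0x20, 0x7F)}
    return "".join(table[c] for c in blocks)


def recover_flag(blocks=BLOCKS, e=E, n=N):
    text = decrypt_with_codebook(blocks, e, n)
    assert text == decrypt_with_private_key(blocks, e, n)  # both routes agree
    return text.replace(" ", "_")  # the flag uses underscores where the plaintext has spaces


if __name__ == "__main__":
    print("p, q =", factor(N))
    print(recover_flag())
```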
Missing and Missed

Challenge
A little cerebral fornication to round out the crypto challenges.

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++++++++++++.-.------------.+++++++++++++++++.--------------.+++++++++++++++++++++.------.++.----.---.-----------------.<<++++++++++++++++++++.-.++++++++.>>+++++++++.<<--.>>---------.++++++++++++++++++++++++.<<-----.--.>>---------.<<+++++++++.>>---------------.<<---------.++.>>.+++++++.<<--.++.+++++++.---------.+++++++..----.>>++++++++.+++++++++++++++.
My solution:
Key point: Brainfuck
poctf{uwsp_219h7_w20n9_02_f0290773n}
MISC

Here You See A Passer By

Challenge
Simple task - solve the maze and find the flag. The password is poctf2023
The challenge provides an encrypted PDF.
My solution:
Open it with the hinted password to get:
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212194209720-367634476.png
At a glance it is a maze to solve; follow the keywords through the maze as shown:
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212194438902-1617905151.png
Result:
poctf{uwsp_pr377y_bu7_p377y_bu7_pr377y}
Forensics

If You Don't, Remember Me

Challenge
Here is a PDF file that seems to have some problems. I'm not sure what it used to be, but that's not important. I know it contains the flag, but I'm sure you can find it and drag it out of the file somehow. This is a two-step flag as you will find it partially encoded.
A PDF is given.
My solution:
Open the file in 010 Editor; the result is visible right at the end:
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212195240774-652554988.png
Hex-decode it to get
poctf{uwsp_w31c0m3_70_7h3_94m3}
A Petty Wage in Regret

Challenge
Here is a very interesting image. The flag has been broken up into several parts and embedded within it, so it will take a variety of skills to assemble it. 
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212195608877-1603368335.jpg
My solution:
Open the image in 010 Editor; there is a hex string in the file header:
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212195910527-158200928.png
Decoding it gives the first part of the flag:
poctf{uwsp_7h3_w0rld_h4d
I tried many steganography tools and found nothing in the image. Later, by chance, I zoomed in and noticed a sharpened region; that's where it is (the underscore before the 17 is really nasty! I didn't spot it at first, it's far too inconspicuous! After my submission was rejected I guessed there had to be an underscore there.)
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212201046912-981612785.jpg
Final flag: poctf{uwsp_7h3_w0rld_h4d_17_f1257}
Better to Burn in the Light

Challenge
This is an image of a disk that once contained several files. They were deleted prior to imaging, unfortunately. To find the flag, we're going to need to bring some of them back from the dead. The flag is actually broken up between two of them. Carve the files out of the image and restore any missing file headers to find the pieces to reassemble.
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212201851578-1492066803.png
My solution:
After extracting the archive it's a pile of gibberish!!
This challenge was really brutal! I spent ages getting nowhere, then found that the archive could be repaired, and repairing it produces extra files.
Found a suspicious m.jpg; opening it in 010 Editor shows two JPEG file headers.
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212202855277-1062300819.png
The content under the first header is very short, so delete the first part and save to get the first half of the flag.
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212203118701-575100452.png
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212203133074-1321410327.jpg
A bit blurry, but no matter.
Next, find the second half; let's analyse the other files. After all, so many were given, they can't all be useless.
Going through them one by one in 010 Editor, file d turns out to be a JPEG missing its file header; restoring the header is enough.
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212203533595-1858634204.png
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212203612284-894862100.jpg
Final flag: poctf{uwsp_5h1v3r_m3_71mb3r5}
Crack

The Gentle Rocking of the Sun

Challenge

Here's a password protected archive. Problem is that I seem to have forgotten das Passwort. All I have is this post-it note on my monitor that says "crack2 = 4bd939ed2e01ed1e8540ed137763d73cd8590323"
https://img2023.cnblogs.com/blog/3343449/202312/3343449-20231212204015784-1213734582.png
My solution:
Take the hash from the challenge description, 4bd939ed2e01ed1e8540ed137763d73cd8590323; a direct cmd5 lookup gives
zwischen
After extracting, the archive is a set of nested folders; each folder name is one character of the flag, so collect them all:
poctf{uwsp_c411f02n14_d234m1n9}
RE

Easy as it Gets

Challenge
It doesn't get much easier than this when it comes to reverse engineering. Here we have a "secure" PowerShell script. All you need to do is figure out the super secret passphrase to decrypt the flag. 
[System.Reflection.Assembly]::LoadWithPartialName("System.Security")

function Encrypt-String($String, $Passphrase, $salt="SaltCrypto", $init="IV_Password", $arrayOutput)
{
    $r = new-Object System.Security.Cryptography.RijndaelManaged
    $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)
    $salt = [Text.Encoding]::UTF8.GetBytes($salt)
    $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8
    $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )
    $c = $r.CreateEncryptor()
    $ms = new-Object IO.MemoryStream
    $cs = new-Object Security.Cryptography.CryptoStream $ms,$c,"Write"
    $sw = new-Object IO.StreamWriter $cs
    $sw.Write($String)
    $sw.Close()
    $cs.Close()
    $ms.Close()
    $r.Clear()
    [byte[]]$result = $ms.ToArray()
    return [Convert]::ToBase64String($result)
}

function Decrypt-String($Encrypted, $Passphrase, $salt="SaltCrypto", $init="IV_Password")
{
    if($Encrypted -is [string]){
      $Encrypted = [Convert]::FromBase64String($Encrypted)
    }

    $r = new-Object System.Security.Cryptography.RijndaelManaged
    $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)
    $salt = [Text.Encoding]::UTF8.GetBytes($salt)
    $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8
    $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )
    $d = $r.CreateDecryptor()
    $ms = new-Object IO.MemoryStream @(,$Encrypted)
    $cs = new-Object Security.Cryptography.CryptoStream $ms,$d,"Read"
    $sr = new-Object IO.StreamReader $cs

    Write-Output $sr.ReadToEnd()

    $sr.Close()
    $cs.Close()
    $ms.Close()
    $r.Clear()
}

cls

####
# TODO: use strong password
# Canadian_Soap_Opera
###

$pwd = read-host "(Case Sensitive) Please Enter User Password"

$pcrypted = "TTpgx3Ve2kkHaFNfixbAJfwLqTGQdk9dkmWJ6/t0UCBH2pGyJP/XDrXpFlejfw9d"

write-host "Encrypted Password is: $pcrypted"
write-host ""
write-host "Testing Decryption of Username / Password..."
write-host ""      

$pdecrypted = Decrypt-String $pcrypted $pwd

write-host "Decrypted Password is: $pdecrypted"
My solution:
Reading the PowerShell code, we only need to assign the pwd variable the value "Canadian_Soap_Opera" and then run the PowerShell code:
function Decrypt-String($Encrypted, $Passphrase, $salt="SaltCrypto", $init="IV_Password")
{
    if($Encrypted -is [string]){
      $Encrypted = [Convert]::FromBase64String($Encrypted)
    }

    $r = new-Object System.Security.Cryptography.RijndaelManaged
    $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)
    $salt = [Text.Encoding]::UTF8.GetBytes($salt)
    $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8
    $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )
    $d = $r.CreateDecryptor()
    $ms = new-Object IO.MemoryStream @(,$Encrypted)
    $cs = new-Object Security.Cryptography.CryptoStream $ms,$d,"Read"
    $sr = new-Object IO.StreamReader $cs

    Write-Output $sr.ReadToEnd()

    $sr.Close()
    $cs.Close()
    $ms.Close()
    $r.Clear()
}
$pwd = "Canadian_Soap_Opera"

$pcrypted = "TTpgx3Ve2kkHaFNfixbAJfwLqTGQdk9dkmWJ6/t0UCBH2pGyJP/XDrXpFlejfw9d"

write-host "Encrypted Password is: $pcrypted"
write-host ""
write-host "Testing Decryption of Username / Password..."
write-host ""      

$pdecrypted = Decrypt-String $pcrypted $pwd

write-host "Decrypted Password is: $pdecrypted"
which gives
poctf{uwsp_4d_v1c70r14m_w4573l4nd3r}
A Tangled Web We Weave

Challenge
The flag has been hidden in these assembly instructions, except I forgot how to decode it... If you figure it out you get the flag.
section .data
    encoded_message db 0x0F, 0x10, 0x1C, 0x0B, 0x19, 0x04, 0x0A, 0x08, 0x0C, 0x0F, 0x20, 0x14, 0x4E, 0x11, 0x46, 0x20, 0x14, 0x4F, 0x11, 0x46, 0x20, 0x46, 0x4F, 0x48, 0x20, 0x11, 0x4F, 0x48, 0x17, 0x4E, 0x11, 0x46, 0x20, 0x4F, 0x11, 0x20, 0x12, 0x4C, 0x02

section .text
    global _start

_start:
    mov ecx, 0
    mov edi, encoded_message
    find_length:
      cmp byte [edi], 0        ; memory operand restored: the forum stripped the square brackets
      je print_message
      inc ecx
      inc edi
      jmp find_length

    print_message:
      xor esi, esi
      mov edi, encoded_message
      decode:
            xor eax, eax
            mov al, byte [edi + esi]
            xor al, ; something missing?
            mov byte [edi + esi], al
            inc esi
            cmp byte [edi + esi], 0
            jne decode

      mov edx, ecx
      mov eax, 4
      mov ebx, 1
      mov ecx, encoded_message
      int 0x80

    mov eax, 1
    xor ebx, ebx
    int 0x80
My solution:
Analysing the assembly shows that the first decoding step is XOR with 4 and the second is XOR with an unknown value.
From the flag format we can guess that the first character of encoded_message should be 'p'; 0x0F ^ 4 ^ ord('p') gives 123, and checking the next character, it XORs to 'o' as expected.
OK! That's it, write a script:
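Before the author's one-liner, an added example (not from the writeup) that derives the unknown second key from the whole known prefix "poctf{" rather than from a single byte, and refuses to proceed unless every prefix byte agrees on the same key, which rules out a lucky single-byte match. The byte array is the encoded_message from the challenge.

```python
# encoded_message from the challenge, copied from the listing above
ENCODED = bytes([
    0x0F, 0x10, 0x1C, 0x0B, 0x19, 0x04, 0x0A, 0x08, 0x0C, 0x0F, 0x20, 0x14, 0x4E,
    0x11, 0x46, 0x20, 0x14, 0x4F, 0x11, 0x46, 0x20, 0x46, 0x4F, 0x48, 0x20, 0x11,
    0x4F, 0x48, 0x17, 0x4E, 0x11, 0x46, 0x20, 0x4F, 0x11, 0x20, 0x12, 0x4C, 0x02,
])
FIRST_KEY = 4  # the XOR the assembly performs explicitly


def recover_key(encoded, known_prefix=b"poctf{", first_key=FIRST_KEY):
    """Return the single-byte key k with (c ^ first_key) ^ k == p for every known byte.

    One byte always fits some key; demanding agreement over the whole prefix is
    what makes the recovered key trustworthy."""
    keys = {(c ^ first_key) ^ p for c, p in zip(encoded, known_prefix)}
    if len(keys) != 1:
        raise ValueError(f"prefix does not fit a single-byte key: {sorted(keys)}")
    return keys.pop()


def decode(encoded, key, first_key=FIRST_KEY):
    # Two XOR layers collapse to one: x ^ 4 ^ key == x ^ (4 ^ key)
    return bytes((c ^ first_key) ^ key for c in encoded).decode("ascii")


if __name__ == "__main__":
    k = recover_key(ENCODED)
    print(k, decode(ENCODED, k))
```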
a = "0x0F, 0x10, 0x1C, 0x0B, 0x19, 0x04, 0x0A, 0x08, 0x0C, 0x0F, 0x20, 0x14, 0x4E, 0x11, 0x46, 0x20, 0x14, 0x4F, 0x11, 0x46, 0x20, 0x46, 0x4F, 0x48, 0x20, 0x11, 0x4F, 0x48, 0x17, 0x4E, 0x11, 0x46, 0x20, 0x4F, 0x11, 0x20, 0x12, 0x4C, 0x02"
a = a.split(',')
for i in a:
    print(chr(int(i,16)^4^123),end="")

#poctf{uwsp_k1n9_k0n9_907_n07h1n9_0n_m3}
Sunshine on Filth is Not Polluted

Challenge
Log in with a valid username and PIN code, and this program will give you a shell. The username is easy to identify, but the PIN code is randomly generated!
Here's a hint, but you'll need to work for it a bit. Two hashed words: f704f57ea420275ad51bf55b7dec2c96 87cd8b8808600624d8c590cfc2e6e94b
To get the flag, you will need to exploit the binary on a live system. The binary is running on 34.123.210.162 port 20231 and the flag can be found in the /home/re3 directory when you get a shell.
My solution:
The two hashes given as a hint are not much use; the main function looks like this:
int __cdecl main(int argc, const char **argv, const char **envp)
{
init(argc, argv, envp);
generate_code();
configure_username();
login();
return 0;
}
First, generate_code() is called to create the random authentication code:
__int64 generate_code()
{
__int64 result; // rax
unsigned int v1; //

v1 = (rand() + 123) % 10000;
result = v1;
auth_code = v1;
return result;
}
Once it is created, the options are shown and the program interacts with the user:
__int64 configure_username()
{
  __int64 result; // rax
  char src; // BYREF

  while ( 1 )
  {
    printf("Options: (1) Enter username, (2) Confirm username, (3) Done: ");
    result = get_int();
    if ( (_DWORD)result == 3 )
      break;
    if ( (int)result