2018 MOCTF Spring Festival Fun Contest Write-up (Partial)

Web

Web50

Inspect the page's JS code, copy it out, change clicks=0 directly to var clicks=108000, then paste the whole thing into the console and press Enter.

flag: moctf{Here_Is_Your_Surprise}

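Other Web challenges

I got beaten badly on Web; the challenges perfectly avoided everything I know how to do... QAQ

飘零's write-up

Xishir's official write-up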

RE

Android challenges only

re150 My VIP (Android)

Thanks to @Sakura

Open the APK in jadx and locate MainActivity

Follow the call:

Found:

flag: moctf{20180202mqlsys}

re200 Wow, this is toxic (Android)

Open the APK in jadx and locate MainActivity:

```java
public void check(String name, String pass) {
    if (name.equals("MQLSY_s") && pass.equals("66666")) {
        Toast.makeText(this, "bW9jdGZ7dGhlX0NURl9JU18/fQ==", 0).show();
    } else if (name.equals("mqlsys") && pass.equals("23333")) {
        Toast.makeText(this, "bW9jdGZ7ZmFsc2U/fQ==", 0).show();
    } else if (name.equals("") && pass.equals("")) {
        // Toast text: "Wow, you even dared to try this, impressive"
        Toast.makeText(this, "哇,这你都敢尝试,厉害厉害", 0).show();
    } else if (name.equals("MQL") && pass.equals("2018")) {
        Toast.makeText(this, "bW9jdGZ7dGhpc19pc24ndF9mbGFnfQ==", 0).show();
    } else if (name.equals("admin") && pass.equals("admin")) {
        // Toast text: "Login succeeded"
        Toast.makeText(this, "登录成功", 0).show();
    } else if (name.equals("MQL") && pass.equals("666")) {
        Toast.makeText(this, "bW9jdGZ7dHJ1ZT99", 0).show();
    } else {
        // Toast text: "Login failed"
        Toast.makeText(this, "登录失败", 0).show();
    }
}
```

```
cyto$ base64 bW9jdGZ7dGhlX0NURl9JU18/fQ==
b'moctf{the_CTF_IS_?}'
cyto$ base64 bW9jdGZ7ZmFsc2U/fQ==
b'moctf{false?}'
cyto$ base64 bW9jdGZ7dGhpc19pc24ndF9mbGFnfQ==
b"moctf{this_isn't_flag}"
cyto$ base64 bW9jdGZ7dHJ1ZT99
b'moctf{true?}'
```

Decoding the first Base64 string gives the flag. Truly toxic.

moctf{the_CTF_IS_?}

Misc

Traffic analysis

Select the Data field, apply it as a column, and read down the column:

moctf{c@N_y0U_4lnd_m8}

The Base family bucket

```
CytoMbp:Downloads cyto$ hex2str 4D4A4C545332544549354E444F554C4E495A35465556525A4B4A53464F5254564C4159484134435A4B5934564B595253475658474D554A3548553D3D3D3D3D3D
b'MJLTS2TEI5NDOULNIZ5FUVRZKJSFORTVLAYHA4CZKY4VKYRSGVXGMUJ5HU======'
CytoMbp:Downloads cyto$ base64 MJLTS2TEI5NDOULNIZ5FUVRZKJSFORTVLAYHA4CZKY4VKYRSGVXGMUJ5HU======
b'0\x92\xd3Kd\xc4#\x93C9B\xcd!\x9eEQTY(\x94\x859\x14\xd5,\x06\x07\x03\x80\x99)\x8e\x15)\x84R\x19U\xc61By\x1d'
CytoMbp:Downloads cyto$ base32 MJLTS2TEI5NDOULNIZ5FUVRZKJSFORTVLAYHA4CZKY4VKYRSGVXGMUJ5HU======
b'bW9jdGZ7QmFzZV9RdWFuX0ppYV9Ub25nfQ=='
CytoMbp:Downloads cyto$ base64 bW9jdGZ7QmFzZV9RdWFuX0ppYV9Ub25nfQ==
b'moctf{Base_Quan_Jia_Tong}'
```

Kaomoji

Run it in the console

moctf{Yan_Wen_Zi}

Strange hexadecimal

5a 45 64 6f 63 45 35 57 4f 48 68 6a 4d 54 6c 74 59 6b 64 46 4e 51 3d 3d

ZEdocE5WOHhjMTltYkdFNQ==

```
cyto$ base64 ZEdocE5WOHhjMTltYkdFNQ==
b'dGhpNV8xc19mbGE5'
cyto$ base64 dGhpNV8xc19mbGE5
b'thi5_1s_fla9'
```
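
The manual peeling in the two layered-encoding challenges above (hex, Base32, Base64) can be automated. This is an added example, not part of the original write-up; `peel`, `is_text` and `DECODERS` are names chosen here. It tries the strictest alphabet first and rejects any decode that is not printable ASCII, which avoids the garbage bytes seen above when the Base32 layer was fed to Base64.

```python
import base64

# Strictest alphabet first: a hex or Base32 string is usually also
# syntactically valid Base64, so trying Base64 first yields garbage bytes.
DECODERS = [
    ("hex", bytes.fromhex),          # tolerates spaces between byte pairs
    ("base32", base64.b32decode),    # upper-case A-Z and 2-7 only
    ("base64", lambda s: base64.b64decode(s, validate=True)),
]


def is_text(raw):
    """Accept a decode only if it is non-empty printable ASCII."""
    return len(raw) > 0 and all(0x20 <= b < 0x7F for b in raw)


def peel(data, max_layers=16):
    """Strip encoding layers until no decoder yields printable text.

    Returns (final_text, [layer names in the order they were removed]).
    """
    layers = []
    for _ in range(max_layers):
        data = data.strip()
        for name, decode in DECODERS:
            try:
                raw = decode(data)
            except ValueError:       # binascii.Error is a ValueError subclass
                continue
            if is_text(raw):
                data = raw.decode("ascii")
                layers.append(name)
                break
        else:
            break                    # nothing decoded cleanly: innermost layer
    return data, layers


if __name__ == "__main__":
    # Input copied from the "5a 45 64 ..." challenge in this write-up.
    print(peel("5a 45 64 6f 63 45 35 57 4f 48 68 6a 4d 54 6c 74 "
               "59 6b 64 46 4e 51 3d 3d"))
```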

Get over this fence first

Fence cipher, n=6: npdug{z0v_g1oe_1u}
rot25: moctf{y0u_f1nd_1t}

Empty Word document

Show the invisible characters, treat · as ., treat the arrow as -, one per line, and convert to Morse code:

-..../-../-..../..-./-..../...--/--.../....-/-..../-..../--.../-.../....-/..---/-..../-.-./...--/....-/-...././-..../-.../...../..-./...--/-----/--.../..---/...../..-./--.../....-/-..../.----/-..../..---/...--/..-./--.../-../

Morse decoded:

6d6f6374667b426c346e6b5f30725f7461623f7d

```
cyto$ hex2str 6D6F6374667B426C346E6B5F30725F7461623F7D
b'moctf{Bl4nk_0r_tab?}'
```

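How long is ten thousand years of love

Thanks to @pcat

The approach is to write a script that unzips the challenge's zip file (I tried it on a Mac: Archive Utility extracts it automatically in a loop, but it is very slow)

pcat's script (py2):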

```python
# -*- coding:utf8 -*-
import zipfile
import os

def dzip(file_name):
    zip_file = zipfile.ZipFile(file_name)
    for names in zip_file.namelist():
        zip_file.extract(names)
    zip_file.close()
    os.remove(file_name)
    return names

def foo():
    file_name='KIhn9j7FfG.zip'
    count=0
    while True:
        file_name=dzip(file_name)
        count+=1
        print count,
        if '.zip' not in file_name:
            break
    print file_name
    pass

if __name__ == '__main__':
    foo()
```

Following pcat's script, I wrote my own version as an exercise; the code is below (py3):

```python
from zipfile import ZipFile
import os


def decomp(name):
    zip_file = ZipFile(name)  # open a zip file
    for names in zip_file.namelist():  # a name list of archive members
        zip_file.extract(names)  # extract a member from the archive
    zip_file.close()
    os.remove(name)  # delete the outer archive once it has been unpacked
    return names  # name of the last member extracted


if __name__ == '__main__':
    zip_file_name = 'KIhn9j7FfG.zip'
    cnt = 0
    while True:
        zip_file_name = decomp(zip_file_name)
        cnt += 1
        print(cnt)
        if '.zip' not in zip_file_name:  # stop once the member is no longer a zip
            break
    print(zip_file_name)
```

Extraction yields the flag file; just open it to see the flag.

flag: moctf{Just_a_few_minutes}

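If you're a brother, come fight me

Thanks to @pcat and @一叶飘零

flag.zip needs a password, so look for the password in tanwanlanyue.png

binwalk finds nothing; open it in Stegsolve:

PNG file header:

89 50 4E 47 0D 0A 1A 0A

Comparing against the file header, remove the first few bytes, then open the image to see:

Guess that the password is zhazhahui, extract flag.zip, and get:

f_hfv7m_y8{kThk43a_xrk0?n}

Fence cipher, n=13: fhvmy{Tk3_r0n_f7_8kh4axk?}

Caesar rot7: moctf{Ar3_y0u_m7_8ro4her?}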
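
The fence and Caesar steps above can be searched exhaustively instead of guessed. This is an added example, not code from the original write-up; `fence_decode`, `caesar` and `solve` are names chosen here, and n is taken to be the number of groups, an assumption that reproduces the n=13 intermediate string quoted above.

```python
import string

FLAG_PREFIX = "moctf{"  # flag format used throughout this write-up


def fence_decode(ct, n):
    """Undo the grouped fence transposition for n groups (n must divide len(ct)).

    The ciphertext is read as n groups of len(ct)//n characters; taking the
    first character of every group, then the second, and so on, restores
    the plaintext order.
    """
    width = len(ct) // n
    return "".join(ct[i::width] for i in range(width))


def caesar(text, shift):
    """Rotate letters forward by shift; digits and punctuation are unchanged."""
    lo, up = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(lo + up,
                          lo[shift:] + lo[:shift] + up[shift:] + up[:shift])
    return text.translate(table)


def solve(ct, prefix=FLAG_PREFIX):
    """Try every group count dividing len(ct) and all 26 rotations."""
    hits = []
    for n in range(1, len(ct) + 1):
        if len(ct) % n:
            continue
        moved = fence_decode(ct, n)
        for shift in range(26):
            candidate = caesar(moved, shift)
            if candidate.startswith(prefix):
                hits.append((n, shift, candidate))
    return hits


if __name__ == "__main__":
    # Ciphertext copied from flag.zip in this write-up.
    for hit in solve("f_hfv7m_y8{kThk43a_xrk0?n}"):
        print(hit)
```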

Hacker!!!

Thanks to @Sakura and Sakura's junior schoolmate

See this blog post for reference

  1. Export the HTTP objects
  2. Analyze the blind injection
  3. A length of 1326 means correct

109 111 99 116 102 123 72 116 116 112 95 49 115 95 100 52 110 103 51 114 73 48 117 53 125

```python
if __name__ == '__main__':
    a = '109 111 99 116 102 123 72 116 116 112 95 49 115 95 100 52 110 103 51 114 73 48 117 53 125'
    l = a.split()
    rst = ''
    for i in l:
        rst += chr(int(i))  # each number is the ASCII code of one character
    print(rst)
```

flag: moctf{Http_1s_d4ng3rI0u5}
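
The three steps above (export the HTTP objects, read the blind-injection probes, keep the responses of length 1326) can be done over a list of (request URL, response length) pairs. This is an added example, not from the original write-up: the probe shape matched by `PROBE`, the URL path and the 1300-byte "false" length are assumptions, and the capture is constructed from the ASCII codes listed above.

```python
import re
from urllib.parse import unquote

TRUE_LENGTH = 1326  # response length the write-up identifies as "correct"

# Assumed probe shape (the write-up does not show the requests):
#   ascii(substr(<expr>,<pos>,1))=<code>
PROBE = re.compile(r"ascii\(substr\(.*?,\s*(\d+)\s*,\s*1\)\)\s*=\s*(\d+)", re.I)


def recover(records, true_length=TRUE_LENGTH):
    """records: iterable of (request_url, response_length) from the capture.

    Returns (text, missing_positions); unconfirmed positions appear as '?'.
    """
    confirmed = {}
    for url, length in records:
        m = PROBE.search(unquote(url))
        if not m or length != true_length:
            continue                      # not a probe, or the "false" branch
        confirmed[int(m.group(1))] = int(m.group(2))
    if not confirmed:
        return "", []
    last = max(confirmed)
    missing = [p for p in range(1, last + 1) if p not in confirmed]
    text = "".join(chr(confirmed.get(p, ord("?"))) for p in range(1, last + 1))
    return text, missing


def constructed_capture():
    """Constructed sample: three guesses per position, one of them 1326 bytes."""
    codes = [int(c) for c in (
        "109 111 99 116 102 123 72 116 116 112 95 49 115 95 "
        "100 52 110 103 51 114 73 48 117 53 125").split()]
    records = []
    for pos, code in enumerate(codes, start=1):
        for guess in (code - 1, code, code + 1):
            url = (f"/?id=1%20and%20ascii(substr((select%20flag),"
                   f"{pos},1))%3D{guess}")     # hypothetical request
            records.append((url, TRUE_LENGTH if guess == code else 1300))
    return records


if __name__ == "__main__":
    print(recover(constructed_capture()))
```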

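Li Hua's temptation

After extracting, there is a password.txt whose contents look like pixel values

Opened in Sublime, it has 22500 lines in total, so try 150 * 150

Restore the image in Python with PIL; this is a script I found online, modified as follows: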

```python
from PIL import Image

x = 150  # x dimension, found by factoring the number of lines in the txt file
y = 150  # y dimension, x * y = number of lines
im = Image.new("RGB", (x, y))  # create the image
file = open('password.txt')  # open the file of RGB values
# build the image from the RGB value of each point
for i in range(0, x):
    for j in range(0, y):
        line = file.readline()  # read one line of RGB values
        rgb = line.split(",")
        im.putpixel((i, j), (int(rgb[0]), int(rgb[1]), int(rgb[2])))  # set the pixel from the RGB values
file.close()
im.show()
```

The zip archive password is PPPPPPass_word

U2FsdGVkX18R9EylBVacP/j0XpCISh9nZth6TFwoh5GUv0edeVp3ZV9gXVqd/rlH66OIZgSHn2Mock4hcdqFEg==

Decrypt it directly as AES; the flag is:

moctf{D0_You_1ik3_tO_pAinH_wi4h_pi8e1}

Sign-in

Sign-in

moctf{500000000}
