NUPT CTF write-ups (continuously updated)

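Since my major is called Cyberspace Security, I felt I would be letting the name down if I didn't learn some security = =. I had no exposure to information security at all during my four undergraduate years. I found that my undergraduate alma mater has a network security training platform, so I started practising there with some introductory CTF training.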

Nanjing University of Posts and Telecommunications network attack and defense training platform: http://ctf.nuptzj.cn/challenges#

>_Sign-in challenge:

Just view the page source directly.

<html>
    <title>key在哪里?</title>
    <head>
        <meta http-equiv="content-type" content="text/html;charset=utf-8">
        <a style="display:none">nctf{flag_admiaanaaaaaaaaaaa}</a>
    </head>
    <body>
    key在哪里?
    </body>
</html>

flag:nctf{flag_admiaanaaaaaaaaaaa}

>_Sign-in 2:

View the source: the input box has maxlength = "10", while the passphrase zhimakaimen is 11 characters long. Change maxlength with the Chrome developer tools.

<html>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
flag is:nctf{follow_me_to_exploit}<form action="./index.php" method="post">
	<p>输入框:<input type="password" value="" name="text1" maxlength="20"><br>
	请输入口令:zhimakaimen
	<input type="submit" value="开门">
</form>

</html>

flag:nctf{follow_me_to_exploit}

>_Layer by layer:

View the source directly: SO.html leads to S0.html, then to SO.htm, then to S0.htm, and finally to 404.html. View the source of that page.


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>有人偷偷先做题,哈哈飞了吧?</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">
<STYLE type="text/css">
  BODY { font: 9pt/12pt 宋体 }
  H1 { font: 12pt/15pt 宋体 }
  H2 { font: 9pt/12pt 宋体 }
  A:link { color: red }
  A:visited { color: maroon }
</STYLE>
</HEAD><BODY>
<center>
<TABLE width=500 border=0 cellspacing=10><TR><TD>
<!-- Placed at the end of the document so the pages load faster -->
<!--  
<script src="./js/jquery-n.7.2.min.js"></script>
<script src="./js/jquery-c.7.2.min.js"></script>
<script src="./js/jquery-t.7.2.min.js"></script>
<script src="./js/jquery-f.7.2.min.js"></script>
<script src="./js/jquery-{.7.2.min.js"></script>
<script src="./js/jquery-t.7.2.min.js"></script>
<script src="./js/jquery-h.7.2.min.js"></script>
<script src="./js/jquery-i.7.2.min.js"></script>
<script src="./js/jquery-s.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-i.7.2.min.js"></script>
<script src="./js/jquery-s.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-a.7.2.min.js"></script>
<script src="./js/jquery-_.7.2.min.js"></script>
<script src="./js/jquery-f.7.2.min.js"></script>
<script src="./js/jquery-l.7.2.min.js"></script>
<script src="./js/jquery-4.7.2.min.js"></script>
<script src="./js/jquery-g.7.2.min.js"></script>
<script src="./js/jquery-}.7.2.min.js"></script>
-->

<p>来来来,听我讲个故事:</p>
<ul>
<li>从前,我是一个好女孩,我喜欢上了一个男孩小A。</li>
<li>有一天,我终于决定要和他表白了!话到嘴边,鼓起勇气...
</li>
<li>可是我却又害怕的<a href="javascript:history.back(1)">后退</a>了。。。</li>
</ul>
<h2>为什么?<br>为什么我这么懦弱?</h2>
<hr>
<p>最后,他居然向我表白了,好开森...说只要骗足够多的笨蛋来这里听这个蠢故事浪费时间,</p>
<p>他就同意和我交往!</p>
<p>谢谢你给出的一份支持!哇哈哈\(^o^)/~!</p>

</TD></TR></TABLE>
</center>
</BODY></HTML>

flag:nctf{this_is_a_fl4g}

>_Single for twenty years:

./search_key.php is redirected to ./no_key_is_here_forever.php; capture the traffic with Burp.

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 16 Aug 2018 17:55:52 GMT
Content-Type: text/html
Connection: close
Via: 15146
Content-Length: 100

<script>window.location="./no_key_is_here_forever.php"; </script>
key is : nctf{yougotit_script_now}

flag:nctf{yougotit_script_now}

>_Single for a hundred years:

Capture the traffic with Burp and look at the Response.

HTTP/1.1 302 Found
Server: nginx
Date: Thu, 16 Aug 2018 18:28:49 GMT
Content-Type: text/html
Content-Length: 0
Connection: close
flag: nctf{this_is_302_redirect}
Location: http://chinalover.sinaapp.com/web8/no_key_is_here_forever.php
Via: 1529

flag:nctf{this_is_302_redirect}
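Both redirect challenges above leak data in a response the browser never renders. The following Python check is an added example, not part of the original post: it flags redirecting responses that carry unexpected headers or body content. The sample responses are abridged from the captures above; the header allow-list and the function name `redirect_leaks` are assumptions.

```python
import re

# Captured responses abridged from the two write-ups above (CRLF shown as \n).
RESP_JS = (
    "HTTP/1.1 200 OK\n"
    "Server: nginx\n"
    "Content-Type: text/html\n"
    "Content-Length: 100\n"
    "\n"
    '<script>window.location="./no_key_is_here_forever.php"; </script>\n'
    "key is : nctf{yougotit_script_now}\n"
)
RESP_302 = (
    "HTTP/1.1 302 Found\n"
    "Server: nginx\n"
    "Content-Type: text/html\n"
    "Content-Length: 0\n"
    "flag: nctf{this_is_302_redirect}\n"
    "Location: http://chinalover.sinaapp.com/web8/no_key_is_here_forever.php\n"
)

# Headers expected on a plain redirect; this allow-list is an assumption.
EXPECTED = {"server", "date", "content-type", "content-length",
            "connection", "location", "via"}
JS_REDIRECT = re.compile(r"<script>\s*(?:window\.)?location\s*=.*?</script>",
                         re.I | re.S)

def redirect_leaks(raw):
    """Return what a redirecting response carries that the browser never shows."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    findings = []
    if 300 <= status < 400:
        # HTTP redirect: any header outside the allow-list, or any body, is suspect.
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() not in EXPECTED:
                findings.append(("header", name.strip(), value.strip()))
        if body.strip():
            findings.append(("body", "", body.strip()))
    elif JS_REDIRECT.search(body):
        # Script redirect: report whatever else is in the body.
        rest = JS_REDIRECT.sub("", body).strip()
        if rest:
            findings.append(("body-after-js-redirect", "", rest))
    return findings

if __name__ == "__main__":
    for resp in (RESP_JS, RESP_302):
        print(redirect_leaks(resp))
```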

>_COOKIE:

Change the Cookie in the Request header to Login = 1.

Request:
GET /web10/index.php HTTP/1.1
Host: chinalover.sinaapp.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://ctf.nuptzj.cn/challenges
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: Login=1
Connection: close

Response:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 Aug 2018 03:27:58 GMT
Content-Type: text/html
Connection: close
Via: 1566
Content-Length: 43

flag:nctf{cookie_is_different_from_session}

flag:nctf{cookie_is_different_from_session}

>_php decode:

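Just run it and print the output.

<?php
// Decode one layer: base64 -> raw DEFLATE (gzinflate) -> shift every byte down by 1.
function CLsI($ZzvSWE) {
    $ZzvSWE = gzinflate(base64_decode($ZzvSWE));
    for ($i = 0; $i < strlen($ZzvSWE); $i++) {
        $ZzvSWE[$i] = chr(ord($ZzvSWE[$i]) - 1);
    }
    return $ZzvSWE;
}
// Print the decoded result.
echo CLsI("+7DnQGFmYVZ+eoGmlg0fd3puUoZ1fkppek1GdVZhQnJSSZq5aUImGNQBAA==");
?>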

flag:nctf{gzip_base64_hhhhhh}

>_The impersonator:

Add Client-IP:127.0.0.1 to the Request header to spoof the IP. Adding X-Forward-For:127.0.0.1 should in principle work too, but it doesn't; it only displays flag.

Reference: https://www.cnblogs.com/sanler/p/7249069.html

GET /web4/xxx.php HTTP/1.1
Host: chinalover.sinaapp.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://ctf.nuptzj.cn/challenges
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Client-IP: 127.0.0.1

flag:nctf{happy_http_headers}

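>_Naming things is really hard:

A piece of PHP code. Analysing it: if the number passed in from the form contains a digit between 0 and 9, it returns false directly, so only hexadecimal is left. 54975581388 in hexadecimal is 0xccccccccc: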

<?php
 function noother_says_correct($number)
{
        $one = ord('1');
        $nine = ord('9');
        for ($i = 0; $i < strlen($number); $i++)
        {   
                $digit = ord($number{$i});
                if ( ($digit >= $one) && ($digit <= $nine) )
                {
                        return false;
                }
        }
           return $number == '54975581388';
}
$flag='*******';
if(noother_says_correct($_GET['key']))
    echo $flag;
else 
    echo 'access denied';
?>

Request:
GET /web12/index.php?key=0xccccccccc HTTP/1.1
Host: chinalover.sinaapp.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://ctf.nuptzj.cn/challenges
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

Response:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 Aug 2018 10:06:10 GMT
Content-Type: text/html
Connection: close
Via: 15146
Content-Length: 35

The flag is:nctf{follow_your_dream}

flag:The flag is:nctf{follow_your_dream}
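Why the hex key passes, shown as an added example that is not part of the original post: a simplified Python model (integers only) of how PHP 5 compares two numeric strings with `==`, next to a hardened check. The function names are hypothetical; PHP 7.0 and later no longer treat hex strings as numeric.

```python
import re

TARGET = "54975581388"
_DEC = re.compile(r"[+-]?[0-9]+\Z")
_HEX = re.compile(r"0[xX][0-9a-fA-F]+\Z")

def php5_numeric_value(s):
    """Simplified model: PHP 5 accepted decimal and 0x-prefixed hex
    strings as numeric. Returns None for anything else."""
    if _HEX.match(s):
        return int(s, 16)
    if _DEC.match(s):
        return int(s, 10)
    return None

def loose_equal(a, b):
    """PHP 5 '==' on two strings: numeric comparison when both are numeric
    strings, plain string comparison otherwise."""
    na, nb = php5_numeric_value(a), php5_numeric_value(b)
    if na is not None and nb is not None:
        return na == nb
    return a == b

def challenge_check(key):
    """Port of noother_says_correct() as posted: the loop rejects any byte
    from ord('1') to ord('9'), then the result is loose-compared."""
    if any("1" <= ch <= "9" for ch in key):
        return False
    return loose_equal(key, TARGET)

def strict_check(key):
    """Hardened form: accept only canonical decimal digits and compare the
    strings exactly (the equivalent of ctype_digit() plus '===' in PHP)."""
    return re.fullmatch(r"[0-9]+", key) is not None and key == TARGET

if __name__ == "__main__":
    for key in ("0xccccccccc", "54975581388"):
        print(key, challenge_check(key), strict_check(key))
```

The filter and the comparison disagree about what counts as a number: the filter rejects the legitimate decimal value, while the comparison accepts a second spelling of it.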

>_This challenge is not WEB

On macOS, open the image directly with Hex Fiend; the flag is at the very bottom.

flag:nctf{photo_can_also_hid3_msg}

>_Hello,RE!

Open the file with IDA, then press F5 to view the pseudocode; the flag is directly visible.

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [esp+11h] [ebp-7Fh]
  char v5[4]; // [esp+75h] [ebp-1Bh]

  __main();
  printf(&fmt);
  strcpy(v5, "flag{Welcome_To_RE_World!}");
  while ( scanf("%s", &v4) != -1 && strcmp(&v4, v5) )
    printf(aFlag);
  printf(aFlag_0);
  printf(&byte_410030);
  printf(&byte_410064);
  printf(&byte_41008F);
  getchar();
  getchar();
  return 0;
}

flag:flag{Welcome_To_RE_World!}

>_ReadAsm2

—————————————————————————————————————————————————————

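My master's research direction is not attack and defense, so I'm giving up = = and will just grind algorithm problems instead.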
