Out of Space

This program cannot be run directly; my teammate tried it and the machine simply froze. It turned out to be written in C#, so I decompiled it with .NET Reflector. The source is as follows:

    public static void Main()
    {
        Console.WriteLine("Generating data...");
        StreamWriter writer = new StreamWriter("temp.txt");
        ulong num = 1L;
        // Writes "ISG" to temp.txt 0xfa00000000 times
        do
        {
            writer.Write("ISG");
            num += (ulong) 1L;
        }
        while (num <= 0xfa00000000L);
        writer.Close();
        Console.WriteLine("Almost done...");
        // Hashes the whole file with SHA1, then deletes it
        SHA1CryptoServiceProvider provider = new SHA1CryptoServiceProvider();
        FileStream inputStream = new FileStream("temp.txt", FileMode.Open, FileAccess.Read);
        byte[] buffer = provider.ComputeHash(inputStream);
        inputStream.Close();
        File.Delete("temp.txt");
        Console.WriteLine("ISG{" + BitConverter.ToString(buffer).ToLower() + "}");
        Console.ReadKey();
    }
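
The code essentially computes the SHA1 of 0xfa00000000 copies of "ISG", so there is no need to write anything to a file; the hash can be computed directly in memory. Here is a quick Python script to do that:

    # Python 2
    import hashlib

    part = 'ISG' * 40            # 40 copies of "ISG" per update
    sha1 = hashlib.sha1()
    i = 0
    while i < 0xfa00000000:
        sha1.update(part)
        if i % 10000000000 == 0:
            # progress output
            print str(i) + ': ' + sha1.hexdigest()
        i += 40
    print 'ISG{' + sha1.hexdigest() + '}'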
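
It was a mistake on my part at the time: the amount of data hashed per update was rather small, so the computation took nearly 6 hours. The final result was ISG{86386ac8da052d2dc694218affa57b920d02583b}. I submitted it directly and it was wrong. I went back over how SHA1 works and found nothing wrong with computing it this way. Later I had a teammate try it in C#, and found that BitConverter inserts a "-" between every byte, so the final answer with the dashes added is: ISG{86-38-6a-c8-da-05-2d-2d-c6-94-21-8a-ff-a5-7b-92-0d-02-58-3b}.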
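
The two lessons of this challenge (feed the hash large chunks, and reproduce the output format of BitConverter.ToString) can be shown together. The following Python 3 sketch is an added example, not code from the original post; the function names and the small constructed repeat count are assumptions chosen so that it finishes instantly.

```python
import hashlib


def sha1_of_repeated(unit: bytes, count: int, units_per_chunk: int = 1 << 20) -> bytes:
    """SHA-1 of `unit` repeated `count` times, streamed without a temp file."""
    h = hashlib.sha1()
    chunk = unit * units_per_chunk      # built once and reused for every update
    full, rest = divmod(count, units_per_chunk)
    for _ in range(full):
        h.update(chunk)
    h.update(unit * rest)               # tail when count is not a multiple of the chunk
    return h.digest()


def bitconverter_lower(digest: bytes) -> str:
    """Mimic C# BitConverter.ToString(bytes).ToLower(): hex pairs joined by '-'."""
    return "-".join(f"{b:02x}" for b in digest)


def flag_for(count: int, units_per_chunk: int = 1 << 20) -> str:
    """Format the digest the way the decompiled Main() prints it."""
    digest = sha1_of_repeated(b"ISG", count, units_per_chunk)
    return "ISG{" + bitconverter_lower(digest) + "}"


if __name__ == "__main__":
    # Constructed small count for a quick run; the challenge uses 0xfa00000000.
    print(flag_for(1000, units_per_chunk=64))
```

With the default chunk of 1 << 20 units, each update call hashes about 3 MiB instead of the 120 bytes used in the script above, which removes most of the per-call overhead.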

X-Area

First there is a login prompt. A round of attempts got nowhere; after cancelling, the page gave an email address. At first I did not know what it was for, then I thought of the leaked 5 million Gmail accounts, searched the dump, and sure enough it was there. Logging in with the password found there returned the following code:

    <?php
    /*
    I found a piece of hash from an old basic auth file.
    0ops:$apr1$XZ6oHreE$rYRGk9cFLxm1hF4TAc0m50
    That may be helpful.
    It is said that in the password nums and Lowercase letter only.
    Good luck!
    */
    $valid_passwords = array ("hack.the.life@gmail.com" => "zasada");
    $valid_users = array_keys($valid_passwords);
    $user = @$_SERVER['PHP_AUTH_USER'];
    $pass = @$_SERVER['PHP_AUTH_PW'];
    $validated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]);
    if (!$validated) {
        header('WWW-Authenticate: Basic realm="X-Area"');
        header('HTTP/1.0 401 Unauthorized');
        die ("I don't think you are 'hack.the.life@gmail.com'. Get out!");
    }
    eval(base64_decode('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'));
    echo '<!-- ';echo file_get_contents(__FILE__);?>

As you can see, the comment contains an account: 0ops:$apr1$XZ6oHreE$rYRGk9cFLxm1hF4TAc0m50. Cracking it with John the Ripper recovers the password: 5s41t. There is also a base64-encoded section, which decodes to:

    error_reporting(0);
    set_time_limit(0);
    function decrypt($encrypted, $key)
    {
        $key=md5($key);
        $ciphertext_dec = pack("H*",$encrypted);
        $module = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
        $iv = substr(md5($key),0,mcrypt_enc_get_iv_size($module));
        mcrypt_generic_init($module, $key, $iv);
        $decrypted = mdecrypt_generic($module, $ciphertext_dec);
        mcrypt_generic_deinit($module);
        mcrypt_module_close($module);
        return rtrim($decrypted,"\0");
    }
    if(@$_REQUEST['key']){
        $key=$_REQUEST['key'];
        echo eval(~'ß××ÝÎÈÍÌÊÎÏÏÊÆÏÎÎÎÆÊÇÊÉÊËÉÎÍÆÇÏËÌËÈÊÎÆÆÆËÏÇÎÍÌËÇÉÎËÌÏÈËÉÊÊÊÈÍÈÈÊÌÏÍÆÊÇÏÎÈÆÍÎÎÈÏÊÎÌËÍÍÉÏÆÎÌÌÌÊÎÎÈÈÈÏÆÍÌÇËÍÆÏÌÎÆÆÎËÉÌÉÆÍÇÍËÉÉÇÉËÌÍÆÎÉÈÉÈÌÌÏÌÊËÍÈÊÆÈÎÆÌÈÉÏÊÍÍÍÉÆÍËÆÉÈÎÊÆÈÍÆÇÆÏÊÆÈÌÍÈÈÆÌÊÇÌÊÇÇÈÏÏÏÏÊÏËÎÍÇÈËÇÈÇÌÎÇÆÇÆÍÆÉÆÏÎÝÓßÛÖÖÄ');
    }else{
        echo "Access DENIED!";
    }

The argument to eval is the bitwise NOT of a string; inverting it directly gives:

    decrypt("17bd2ceabed35a100ffcdf5bdd901fae119585c6b54612d98043475a1f9ebcd994081fca2b348a61430746555e7c2b7753f029b58b0179cb2d117bb05f134c2da2f609b1333511fc777bfb09c2c3c84c2eb9fce031b99146369dcf2ae8246686d4ea3fd29167b67c33035bb4a275e9ecb719c37b60f5be2f22c69ce24967edc1b597a298bff905dfeee97a3a27faf79b35a83588700fb005041ceea287def48a7affb8318bbd98e9bbba296dbfda9d01", $key));

Putting this code together with the decrypt function and executing it gives:

    ob_start();
    //the flag is ISG{tHe_MaGic_pHP_S0UrCE_c0D3}
    echo " Just get the flag!!";
    $info = ob_get_contents();
    ob_end_clean();
    echo "Hello Hackers!";
    return $info;

This gives the flag: ISG{tHe_MaGic_pHP_S0UrCE_c0D3}.