Reverse engineering

flag finder (1pts)

I’ve forgotten my flag. I remember it has the format 9447{<some string>}, but what could it be?

This task is sadly broken (it is too easy).

Running the binary directly prints the flag:

# ./flagfinder
Try again
9447{C0ngr47ulaT1ons_p4l_buddy_y0Uv3_solved_the_H4LT1N6_prObL3M_n1c3_} 1000024

The real flag finder (70pts)

I’ve forgotten my flag. I remember it has the format “9447{}”, but what could it be?

Unfortunately the program no longer just prints the flag.

From the previous task we know that the whole loop finishes after 1000024 iterations, so the process is reimplemented in Python:

data = [0x32, 0x4A, 0xDB, 0xA5, 0xDB, 0x0D, 0x31, 0x54, 0xD4, 0x41, 0xF1, 0x89, 0x97, 0xE3, 0x4F, 0xD9,
        0xF2, 0xED, 0x0B, 0xFF, 0xC9, 0xE3, 0x4B, 0xE1, 0x6A, 0x1A, 0x1B, 0xDA, 0x05, 0xAC, 0xE7, 0x82,
        0x73, 0x20, 0xDF, 0x5B, 0x27, 0x5F, 0xA5, 0x95, 0xDC, 0xD5, 0xBD, 0x1A, 0xC7, 0xAB, 0x9A, 0x0E,
        0x5E, 0x1B, 0xF5, 0x1D, 0x41, 0xDD, 0x43, 0xAC, 0x4D, 0x2A, 0x34, 0x2E, 0xBC, 0x7A, 0x6C, 0x37,
        0x9C, 0x4C, 0x87, 0xCD, 0xE2, 0x4C]
data_len = 70
data_80 = 0x19660D      # LCG multiplier
data_84 = 0x3C6EF35F    # LCG increment
data_88 = 0x1571        # LCG state (initial seed)
i = 0
while True:
    data_88 = data_88 * data_80 + data_84
    c = (data_88 & 0xFF00) >> 8          # key byte: bits 8..15 of the state
    data_88 &= 0xFFFFFFFFFFFFFFFF        # emulate the fixed-width overflow of the C program
    data[i % data_len] = c ^ data[i % data_len]
    i += 1
    if i > 1000024:
        break
print('The flag is:', ''.join(chr(d) for d in data))

Note that data_88 overflows in C but not in Python, where the integer would keep growing and make the later multiplications very slow, so the overflow has to be emulated here by masking.

Running it gives the flag:

9447{C0ngr47ulaT1ons_p4l_buddy_y0Uv3_solved_the_re4l__H4LT1N6_prObL3M}

Web

sanutf8y_check (1pts)

Visit http://sanutf8y-check-n2wisexx.9447.plumbing for the flag.

Hint! The flag is in the format 9447{[a-zA-Z0-9_]*}

Visiting the link returns:

9447{ΤҺiႽ_ⅰЅ_ԝ㏊t_Α_fl‮...{℮kⅠⅬ_skОOⅬ_ɡᴀ

Converting the look-alike characters back to plain letters and digits gives the flag:
9447{ThiS_iS_what_A_flAg_LOOks_LIke}
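The conversion above done in code, as an added example that is not part of the original writeup: it undoes the RIGHT-TO-LEFT OVERRIDE hidden in the response (which displays the tail reversed and mirrors the bracket), folds each look-alike character to the ASCII it imitates, and then extracts the flag with the character set from the hint. The confusables table is hand-built for this one sample and the embedded SAMPLE string is a constructed copy of the response shown above.

```python
import re
import unicodedata

RLO, PDF = "\u202e", "\u202c"   # RIGHT-TO-LEFT OVERRIDE / POP DIRECTIONAL FORMATTING
MIRRORED = str.maketrans("{}()[]<>", "}{)(][><")

# Look-alikes present in the response above, mapped to the ASCII they imitate.
# Hand-built for this sample; a real tool would use the Unicode confusables data.
CONFUSABLES = {
    "Τ": "T", "Һ": "h", "Ⴝ": "S", "Ѕ": "S", "ԝ": "w", "Α": "A",
    "℮": "e", "О": "O", "ɡ": "g", "ᴀ": "A",
    "ⅰ": "i", "Ⅰ": "I", "Ⅼ": "L", "㏊": "ha",   # these four also fold under NFKC
}
FLAG_RE = re.compile(r"9447\{[A-Za-z0-9_]*\}")  # character set from the task hint


def visual_order(s):
    """Return the string in the order a reader sees it: every run after an RLO
    (up to the next PDF, or the end of the string) is reversed and its brackets
    are mirrored, which is what a bidi-aware renderer does with it."""
    out, i = [], 0
    while i < len(s):
        if s[i] != RLO:
            out.append(s[i])
            i += 1
            continue
        end = s.find(PDF, i + 1)
        end = len(s) if end == -1 else end
        out.append(s[i + 1:end][::-1].translate(MIRRORED))
        i = end + 1
    return "".join(out)


def deobfuscate(s):
    """Fold each character to plain ASCII: explicit table first, then NFKC
    compatibility normalisation for characters such as roman numerals."""
    return "".join(unicodedata.normalize("NFKC", CONFUSABLES.get(c, c))
                   for c in visual_order(s))


def extract_flag(s):
    """Deobfuscate, then return the first substring in the hinted flag format."""
    m = FLAG_RE.search(deobfuscate(s))
    return m.group(0) if m else None


# Constructed copy of the server response quoted above, with the invisible RLO
# written as an escape so it survives copy and paste.
SAMPLE = "9447{ΤҺiႽ_ⅰЅ_ԝ㏊t_Α_fl\u202e...{℮kⅠⅬ_skОOⅬ_ɡᴀ"

if __name__ == "__main__":
    print(extract_flag(SAMPLE))  # → 9447{ThiS_iS_what_A_flAg_LOOks_LIke}
```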

YWS (130pts)

My friend wrote a cool web server. I’m sure he’s stored some great doxxxs on the website. Can you take a look and report back any interesting things you find?

The web page is at http://yws-fsiqc922.9447.plumbing

Trying robots.txt first, its contents are:

User-agnet: *
Disallow: /
Disallow: /..
Disallow: .
Disallow: ..
Disallow: /work
Disallow: /imegas/
Allow: /sounds/pljesus.wav

Since search engines are told not to look at these directories, we take a look ourselves; requesting the /.. directory gives:

<html>
<head>
<title>Directory listing for /..</title>
</head>
<body>
<h2>Directory listing for /..</h2>
<hr>
<ul>
<li>
<a href="/../9447{D1rect0ries_ARe_h4rd}">9447{D1rect0ries_ARe_h4rd}</a>
<li>
<a href="/../.">.</a>
<li>
<a href="/../..">..</a>
<li>
<a href="/../gws">gws</a>
<li>
<a href="/../files">files</a>
</ul>
<hr>
</body>
</html>

flag:9447{D1rect0ries_ARe_h4rd}

Misc

Get help (10pts)

Where would you go to get help?

Joining the IRC channel that was provided, the channel topic reads:

#9447CTF: Signups for 9447CTF 2015 open at https://9447.plumbing/ - welcome! 9447{Ask_for_help_here} | Hint released for sanutf8y_check | New exploitation released - RedOS

flag:9447{Ask_for_help_here}