cdxy.me
Footprints on Cyber Security and Python

 

IDF实验室CTF训练营-WEB

题解

1 一种编码而已

老题,复制粘贴到console里运行,其实是js代码。 key:WCTF{H3110_J0t4er}


2 你关注最新的漏洞吗

下载发现是一个数据包,格式转换成pcap格式。 使用WireShark打开之,发现四个包。 协议不熟,查之发现是kerberos。 查了一下协议以及题中提示的漏洞。 第一反应是用漏洞原理破解这个包中的密文找到key之类的。 后发现漏洞编号就是答案= =

是在下输了

key:wctf{MS14-068}


3 简单的js解密

查看源代码:

function pseudoHash(string, method) {
  // Default method is encryption
  if (!('ENCRYPT' == method || 'DECRYPT' == method)) {
    method = 'ENCRYPT';
  }
  // Run algorithm with the right method
  if ('ENCRYPT' == method) {
    // Variable for output string
    var output = '';
    // Algorithm to encrypt
    for (var x = 0, y = string.length, charCode, hexCode; x < y; ++x) {
      charCode = string.charCodeAt(x);
      if (128 > charCode) {
        charCode += 128;
      } else if (127 < charCode) {
        charCode -= 128;
      }
      charCode = 255 - charCode;
      hexCode = charCode.toString(16);
      if (2 > hexCode.length) {
        hexCode = '0' + hexCode;
      }

      output += hexCode;
    }
    // Return output
    return output;
  } else if ('DECRYPT' == method) {
    // DECODE MISS
    // Return ASCII value of character
    return string;
  }
}
document.getElementById('password').value = pseudoHash('4e4a1a4e4d4d1a474c461b191b1e1e481c1a4649464a4c4919464b1e1a1c1949', 'DECRYPT');

意思就是我们要根据已给出的加密算法写一段解密的算法,如果解密成功就出key。 添加解密算法如下:

var output = '';

for(var x=0,y=string.length,charcode,hexcode;x<y;x=x+2){
    hexcode=string.substr(x,2);
    charcode=parseInt(hexcode,16);
    charcode=255-charcode;
    if (charcode<128) {
    charcode += 128;
    }  
    if (charcode>127) {
        charcode -= 128;
    }
    output+=String.fromCharCode(charcode);
}

return output;
document.write(output);

提交解密字串得到key:wctf{jS_decRypt__Eaaasy}


4 超简单的js题

查看源码:

var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%62%34%36%61%64%35%66%66%61%31';
var p2 = '%30%66%66%33%36%32%31%63%32%66%64%63%39%33%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';
eval(unescape(p1) + unescape('%61%64%62%33%61%66%33%63' + p2));

使用XSSEE解码得到:

//P1
var p1 = '
function checkSubmit(){
    var a=document.getElementById("password");
    if("undefined"!=typeof a){
        if("b46ad5ffa1';

//P2
var p2 = '0ff3621c2fdc93"==a.value)
        return!0;
        alert("Error");
        a.focus();
        return!1
    }
}
document.getElementById("levelQuest").onsubmit=checkSubmit;
';

//eval
eval(unescape(p1) + unescape('adb3af3c' + p2));

组合起来就是:

function checkSubmit(){
    var a=document.getElementById("password");
    if("undefined"!=typeof a){
        if("4eeca40b0f5661864a12d73f4d3ddc0a"==a.value)
            return!0;
        alert("Error");
        a.focus();
        return!1
    }
}
document.getElementById("levelQuest").onsubmit=checkSubmit;

提交4eeca40b0f5661864a12d73f4d3ddc0a 得到key:wctf{webclieNt_c0py}


5 古老的邮件密码

uuencode解码 key:wctf{uuuuuencode__}