Necromancer, a CTF from VulnHub
Source: Internet  Editor: 程序博客网  Time: 2024/06/05 22:38
Reference:
https://sdsdkkk.github.io/2016/vulnhub-necromancer-writeup/
flag1
using tshark
# tshark -i eth0 -f "tcp port 4444"
The capture yields a base64 string; decode it:
str="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"
echo $str|base64 -d
Output:
‘Welcome!
You find yourself staring towards the horizon, with nothing but silence surrounding you.
You look east, then south, then west, all you can see is a great wasteland of nothingness.
Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.
The air around you begins to get thicker, and your heart begins to beat against your chest.
You turn to your left.. then to your right! You are trapped!
You fumble through your pockets.. nothing!
You look down and see you are standing in sand.
Dropping to your knees you begin to dig frantically.
As you dig you notice the barrier extends underground!
Frantically you keep digging and digging until your nails suddenly catch on an object.
You dig further and discover a small wooden box.
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.
You open the box, and find a parchment with the following written on it. “Chant the string of flag1 - u666”#’
flag1{e6078b9b1aac915d11b9fd59791030bf}
flag2
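Running the hash through hashid identifies it as most likely MD5.
Looking it up on the online MD5/SHA reverse-lookup site 'http://hashtoolkit.com/'
gives the original string 'opensesame'.
Following the hint: “Chant the string of flag1 - u666”
Method 1
Using the local interface that sits on the same subnet as the Necromancer's NIC, chant 'opensesame' to the Necromancer: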
echo opensesame |nc -u 192.168.170.159 666
Output:
’
A loud crack of thunder sounds as you are knocked to your feet!
Dazed, you start to feel fresh air entering your lungs.
You are free!
In front of you written in the sand are the words:
flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}
As you stand to your feet you notice that you can no longer see the flicker of light in the distance.
You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon.
As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, shards of light beam from its surface.
The birds get closer, and closer, and closer.
Staring up at the crows you can see they are in a formation.
Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80.
As quickly as the birds appeared, they have left you once again…. alone… tortured by the deafening sound of silence.
666 is closed.
‘
flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}
Method 2
According to the blog post at
http://scriptkittysecurity.com/the-necromancer-walkthrough/
nmap uses TCP scanning by default, but it can also be told to run a UDP scan to find UDP ports.
nmap -sU 192.168.170.0/24 -p 1-65535
As that blog describes, this is how UDP port 666 is found.
flag3
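Scanning the ports again with nmap shows that port 80 is now open.
So curl the home page. The source shows nothing unusual, only a single image: <img src="/pics/pileoffeathers.jpg">
Download the image with wget:
wget http://192.168.170.159/pics/pileoffeathers.jpg
Then analyze the image with hexeditor in Kali.
Next, copy it to a .zip name:
cp pileoffeathers.jpg pileoffeathers.zip
and unzip it:
unzip pileoffeathers.zip
This produces a file feathers.txt:
cat feathers.txt
which contains a base64 string: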
‘ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ==’
Decode it:
echo $str |base64 -d
Output:
flag3{9ad3f62db7b91c28b68137000394639f} - Cross the chasm at /amagicbridgeappearsatthechasm
Browse to
http://192.168.170.159/amagicbridgeappearsatthechasm/
Note that the trailing / must not be dropped, otherwise you get a 301.
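The rename-and-unzip step above works because a ZIP reader locates the archive from the end of the file, so an archive stored behind image data is still readable. As an added example (not part of the original write-up), this Python code finds where such an archive starts inside a JPEG and reads its members. The sample bytes are constructed, and placing the archive after the image data is an assumption, since the write-up does not say where it sits in the file.

```python
import base64
import io
import zipfile

JPEG_SOI = b"\xff\xd8"  # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker


def find_embedded_zip(data: bytes):
    """Return the file offset of a ZIP archive carried inside JPEG data, or None."""
    if not data.startswith(JPEG_SOI):
        return None
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        # zipfile corrects header_offset for any bytes placed in front of the
        # archive, so the smallest value is where the ZIP starts in the file.
        offsets = [info.header_offset for info in archive.infolist()]
    return min(offsets) if offsets else None


def extract_members(data: bytes) -> dict:
    """Map member name -> raw content for the archive carried in data."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return {name: archive.read(name) for name in archive.namelist()}


def build_sample() -> bytes:
    """Constructed input: a stub JPEG with a ZIP appended after the EOI marker."""
    note = base64.b64encode(b"constructed sample note")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("feathers.txt", note)
    return JPEG_SOI + b"\x00" * 32 + JPEG_EOI + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("ZIP archive starts at offset", find_embedded_zip(sample))
    for name, content in extract_members(sample).items():
        print(name, "->", base64.b64decode(content).decode())
```

An image whose ZIP offset is not None carries more than pixels, which is the same signal the hexeditor inspection gives by eye.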
flag4
dirb finds the site's subdirectory talisman.
Debug it with gdb.
gdb talisman
(gdb) info functions
All defined functions:
Non-debugging symbols:
0x080482d0 _init
0x08048310 printf@plt
0x08048320 __libc_start_main@plt
0x08048330 __isoc99_scanf@plt
0x08048350 _start
0x08048380 __x86.get_pc_thunk.bx
0x08048390 deregister_tm_clones
0x080483c0 register_tm_clones
0x08048400 __do_global_dtors_aux
0x08048420 frame_dummy
0x0804844b unhide
0x0804849d hide
0x080484f4 myPrintf
0x08048529 wearTalisman
0x08048a13 main
0x08048a37 chantToBreakSpell
0x08049530 __libc_csu_init
0x08049590 __libc_csu_fini
0x08049594 _fini
(gdb) break wearTalisman
Breakpoint 1 at 0x804852d
(gdb) r
Starting program: /root/talisman
Breakpoint 1, 0x0804852d in wearTalisman ()
(gdb) jump chantToBreakSpell
Continuing at 0x8048a3b.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
You fall to your knees.. weak and weary.
Looking up you can see the spell is still protecting the cave entrance.
The talisman is now almost too hot to touch!
Turning it over you see words now etched into the surface:
flag4{ea50536158db50247e110a6c89fcf3d3}
Chant these words at u31337
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[Inferior 1 (process 1871) exited normally]
(gdb)
Reference:
http://deceiveyour.team/vulnhub-the-necromancer-ctf-report/
to be continued…