
머리정리하는곳

c2w2m2

Kiwi - pplopy...?


<?php
// Candidate password. The decoded stage appends md5($password) to its output only when
// the checker prints "YES" and the password is purely alphanumeric.
$password='qinrZcX';    // Flag
$d='3c3f7068700a24703d275a47566d49484e725a58646c636968304b546f4b4943416749484a6c6448567962694276636d516f64436b744e544d37436d6c74634739796443427a65584d73596d467a5a5459304c47397a4c484a6c4f33426863334e3362334a6b50574a68633255324e4335694e6a526b5a574e765a47556f496e42694d6a51694b5474795056746a6148496f4b4867724e5374354b696f794b5355794e54597049475a76636942354c486767615734675a573531625756795958526c4b46747a613256335a58496f65436b724e7955794e5459675a6d397949486767615734676347467a63336476636d52644b563037436d4e765a4755394a79636e43694e6a6232526c4947686c636d554b64584e6c4945314a545555364f6b4a68633255324e44734b62586b674a4842335a44316b5a574e765a475666596d467a5a5459304b434a4b51564e56557949704f776f6b6348646b50584e31596e4e306369676b6348646b4c43307a4b53357a64574a7a6448496f4a4842335a4377774c4368735a57356e644767674a4842335a436b674c544d704f776f6a63484a70626e51674a4842335a44734b64584e6c49455a70624755364f6c526c625841676358636f6447567463475a70624755704f776f6f4a475a6f4c43416b5a6d6c735a57356862575570494430676447567463475a706247556f49436b37436d31354943526a6232526c50534938496934385043645a4a7a734b5033426f6343416b6344306e536b565353316b6e4f32566a614738674a475a73595763394a4842624d463039505364424a7a386b63467378585430394a314d6e50795277577a4a645054306e5579632f4a4842624d313039505364494a7a386b63467330585430394a30456e50795277577a56645054306e5353632f4a4842624e6c3039505364534a7a397a64484a735a57346f4a484170505430335079645a52564d734948526f5a53426d6247466e49476c7a4f69416e4f6a41364d446f774f6a41364d446f774f6a41364a3035504a7a734b57516f6b5932396b5a5341396669427a4c307046556b745a4c795277643251765a7a736763484a70626e51674a475a6f4943526a6232526c4f3342796157353049474277614841674a48746d6157786c626d46745a5831674f776f6e4a796375636d56776247466a5a53676e536b465456564d6e4c474a68633255324e4335694e6a526c626d4e765a47556f49694975616d3970626968794b536b704f326c7463473979644342305a5731775a6d6c735a54734b5a6941394948526c6258426d6157786c4c6b35686257566b564756746347397959584a35526d6c735a53686b5a57786c64475539526d4673633255704f32597564334a70
6447556f5932396b5a536b375a69356a6247397a5a5367704f334279615735304947397a4c6e4276634756754b434a775a584a73494349725a6935755957316c4b5335795a57466b4b436b37273b0a24703d7374725f7265706c616365282270623234222c206261736536345f656e636f6465282470617373776f7264292c206261736536345f6465636f646528247029293b0a66756e6374696f6e20696e746f5f74656d702824636f6465290a7b0a0924663d74656d706e616d286e756c6c2c22706f6c79676c6f745f22293b0a0966696c655f7075745f636f6e74656e74732824662c2024636f6465293b0a0972657475726e2024663b0a7d0a66756e6374696f6e207379732824636f64652c24706c290a7b0a0972657475726e207368656c6c5f657865632824706c2e2220222e696e746f5f74656d702824636f646529293b0a7d0a69662028737472706f732824723d7379732824702c22707974686f6e22292c225945532229213d3d66616c736520616e642063747970655f616c6e756d282470617373776f726429292024722e3d6d6435282470617373776f7264293b0a6563686f2024723b0a0a';
// pack("H*", $d) turns the hex string back into bytes. The blob starts with 3c3f706870 ("<?php"),
// and substr(..., 5) drops exactly that opening tag so the remainder can be handed to eval().
// eval() executes the decoded stage; to read it without running it, print the decoded string instead.
eval(substr(pack("H*",$d),5));
?>



처음 문제를 보면 이런 코드가 나옵니당.


저 $d 변수에 담긴 것을 pack 으로 풀고 substr 한다음 eval 시키는 걸로 보아서


저 eval 을 echo 로 바꾸면 어떤 코드가 나올것이다 라고 예측이 가능합니다.


고로케 하니까



$p='ZGVmIHNrZXdlcih0KToKICAgIHJldHVybiBvcmQodCktNTM7CmltcG9ydCBzeXMsYmFzZTY0LG9zLHJlO3Bhc3N3b3JkPWJhc2U2NC5iNjRkZWNvZGUoInBiMjQiKTtyPVtjaHIoKHgrNSt5KioyKSUyNTYpIGZvciB5LHggaW4gZW51bWVyYXRlKFtza2V3ZXIoeCkrNyUyNTYgZm9yIHggaW4gcGFzc3dvcmRdKV07CmNvZGU9JycnCiNjb2RlIGhlcmUKdXNlIE1JTUU6OkJhc2U2NDsKbXkgJHB3ZD1kZWNvZGVfYmFzZTY0KCJKQVNVUyIpOwokcHdkPXN1YnN0cigkcHdkLC0zKS5zdWJzdHIoJHB3ZCwwLChsZW5ndGggJHB3ZCkgLTMpOwojcHJpbnQgJHB3ZDsKdXNlIEZpbGU6OlRlbXAgcXcodGVtcGZpbGUpOwooJGZoLCAkZmlsZW5hbWUpID0gdGVtcGZpbGUoICk7Cm15ICRjb2RlPSI8Ii48PCdZJzsKP3BocCAkcD0nSkVSS1knO2VjaG8gJGZsYWc9JHBbMF09PSdBJz8kcFsxXT09J1MnPyRwWzJdPT0nUyc/JHBbM109PSdIJz8kcFs0XT09J0EnPyRwWzVdPT0nSSc/JHBbNl09PSdSJz9zdHJsZW4oJHApPT03PydZRVMsIHRoZSBmbGFnIGlzOiAnOjA6MDowOjA6MDowOjA6J05PJzsKWQokY29kZSA9fiBzL0pFUktZLyRwd2QvZzsgcHJpbnQgJGZoICRjb2RlO3ByaW50IGBwaHAgJHtmaWxlbmFtZX1gOwonJycucmVwbGFjZSgnSkFTVVMnLGJhc2U2NC5iNjRlbmNvZGUoIiIuam9pbihyKSkpO2ltcG9ydCB0ZW1wZmlsZTsKZiA9IHRlbXBmaWxlLk5hbWVkVGVtcG9yYXJ5RmlsZShkZWxldGU9RmFsc2UpO2Yud3JpdGUoY29kZSk7Zi5jbG9zZSgpO3ByaW50IG9zLnBvcGVuKCJwZXJsICIrZi5uYW1lKS5yZWFkKCk7';
// base64_decode($p) yields the Python stage. Its "pb24" placeholder is replaced with the
// base64-encoded password, so the value is spliced into the Python source as base64 text, not raw bytes.
$p=str_replace("pb24", base64_encode($password), base64_decode($p));
// Writes $code to a fresh temp file (name prefixed "polyglot_") and returns the file's path.
// Nothing in this listing removes the file, so each run leaves the generated stage on disk.
function into_temp($code)
{
// null directory: presumably falls back to the system temp directory — confirm for the PHP version in use
$f=tempnam(null,"polyglot_");
file_put_contents($f, $code);
return $f;
}
// Saves $code to a temp file, runs it with the interpreter named in $pl, and returns the captured output.
// The command is built by string concatenation and goes through the shell. In this script $pl is the
// literal "python" and the path comes from tempnam(); any variable part would need escapeshellarg().
function sys($code,$pl)
{
return shell_exec($pl." ".into_temp($code));
}
// Run the Python stage. md5($password) is appended only when its output contains "YES"
// and the password is purely alphanumeric.
if (strpos($r=sys($p,"python"),"YES")!==false and ctype_alnum($password)) $r.=md5($password);
echo $r;


라는 또다른 php 코드를 주는데 tmp 에 넣고 python 으로 실행시키는걸 또 보아서


$p 를 그대로 출력하면 python 이 나올것 임다



# Maps a single character to its code point minus 53.
def skewer(t):

    return ord(t)-53;

# Written for Python 2 (the script ends with a print statement): iterating the decoded
# password yields one-character strings, which is what ord() in skewer() expects.
# This listing was printed with an empty password, hence b64decode("").
# Precedence: 7%256 is evaluated first, so each inner value is skewer(x)+7 = ord(x)-46.
# With y the character index, r[y] = chr((ord(x) - 41 + y*y) % 256).
import sys,base64,os,re;password=base64.b64decode("");r=[chr((x+5+y**2)%256) for y,x in enumerate([skewer(x)+7%256 for x in password])];

# Perl source for the next stage, held as a string. After the literal closes, the JASUS
# placeholder is replaced with base64 of the transformed password r.
code='''

#code here

use MIME::Base64;

my $pwd=decode_base64("JASUS");

$pwd=substr($pwd,-3).substr($pwd,0,(length $pwd) -3);

#print $pwd;

use File::Temp qw(tempfile);

($fh, $filename) = tempfile( );

my $code="<".<<'Y';

?php $p='JERKY';echo $flag=$p[0]=='A'?$p[1]=='S'?$p[2]=='S'?$p[3]=='H'?$p[4]=='A'?$p[5]=='I'?$p[6]=='R'?strlen($p)==7?'YES, the flag is: ':0:0:0:0:0:0:0:'NO';

Y

$code =~ s/JERKY/$pwd/g; print $fh $code;print `php ${filename}`;

'''.replace('JASUS',base64.b64encode("".join(r)));import tempfile;

# Write the Perl source to a temp file that stays on disk (delete=False), run it with perl,
# and print what it outputs. The command line is built by concatenation; f.name comes from
# tempfile, not from user input.
f = tempfile.NamedTemporaryFile(delete=False);f.write(code);f.close();print os.popen("perl "+f.name).read();


자 또 이 python 을 뽑아주면 perl 이 나올겁니다



#code here
use MIME::Base64;
# Decode the base64 text substituted in by the Python stage (this listing shows it with an empty value).
my $pwd=decode_base64("");
# Rotate the string: the last three characters move to the front.
$pwd=substr($pwd,-3).substr($pwd,0,(length $pwd) -3);
#print $pwd;
use File::Temp qw(tempfile);
# Temp file that will hold the generated PHP stage.
($fh, $filename) = tempfile( );
# Build the PHP checker: "<" plus the heredoc text gives "<?php ...". The quoted 'Y' tag keeps the heredoc uninterpolated.
my $code="<".<<'Y';
?php $p='JERKY';echo $flag=$p[0]=='A'?$p[1]=='S'?$p[2]=='S'?$p[3]=='H'?$p[4]=='A'?$p[5]=='I'?$p[6]=='R'?strlen($p)==7?'YES, the flag is: ':0:0:0:0:0:0:0:'NO';
Y
# NOTE(review): $pwd is inserted unescaped into the single-quoted PHP literal $p='...';
# generated code should escape the value or pass it as data instead of as source text.
# The generated file is then run with php via backticks and its output is printed.
$code =~ s/JERKY/$pwd/g; print $fh $code;print `php ${filename}`;


마지막으로 이걸 뽑으면 php가 나옵니다



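<?php
// Final stage: compares $p character by character with "ASSHAIR" and requires a length of 7.
// It prints 'YES, the flag is: ' when every check passes, 'NO' when the first character
// differs, and 0 when any later check fails.
// $p is empty here because this stage was printed with an empty password.
// The closing quote and semicolon after NO are restored so the statement matches the
// Perl heredoc this stage is generated from.
$p='';echo $flag=$p[0]=='A'?$p[1]=='S'?$p[2]=='S'?$p[3]=='H'?$p[4]=='A'?$p[5]=='I'?$p[6]=='R'?strlen($p)==7?'YES, the flag is: ':0:0:0:0:0:0:0:'NO';
?>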



후욱 이걸로 key 가 ASSHAIR 가 되면 되는건데


중간중간에 코드를 보면 어떤 연산을 해서 처음 password 를 바꿉니다.


이연산을 쓱싹쓱싹해서 역연산 해봅시다.


substr($X, -3).substr($X, 0, length($X) - 3) => ASSHAIR


$X = HAIRASS

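그후 python 역연산을 해주면 (python 쪽은 r[y] = chr((ord(c) - 41 + y*y) % 256) 이니까, 글자 위치 y 마다 c = chr((ord(r[y]) + 41 - y*y) % 256) 로 되돌리면) 원래 password 가 나옵니다.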



저 qinrZcX 가 바로 password 고 첫 코드에 저걸 넣어주면 flag 를 출력해 줍니다 ㅎㅎ


(정 귀찮으시면 저거 md5 하시면 뎁니다)
