0xnull-sec/ctf-writeups
GitHub: 0xnull-sec/ctf-writeups
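A collection of CTF competition writeups covering PWN, reverse engineering, cryptography, web security and forensics, with detailed walkthroughs and exploit code.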
# ctf-writeups
CTF writeups: pwn, rev, crypto, web, forensics. Includes detailed solution walkthroughs and exploit code.
## Categories
| Category | Description | Tools |
|----------|-------------|-------|
| **PWN** | Binary exploitation, ROP chains, heap | pwntools, gdb+peda, ROPgadget |
| **REV** | Reverse engineering, crackmes | Ghidra, radare2, angr |
| **WEB** | XSS, SQLi, SSRF, IDOR, LFI | Burp Suite, ffuf, sqlmap |
| **CRYPTO** | Ciphers, RSA, hashes | Python, pycryptodome |
| **FORENSICS** | PCAP, steganography, memory dumps | Wireshark, Volatility, binwalk |
## Writeup template
Each writeup follows this structure:
```
Challenge name | CTF name | Category | Difficulty | Points
─────────────────────────────────────────────────────────
1. Challenge description
2. Static analysis
3. Dynamic analysis / debugging
4. Vulnerability found
5. Exploit code
6. Flag
```
## Writeups
| # | CTF | Challenge | Category | Difficulty | Link |
|---|-----|-----------|----------|------------|------|
| — | — | Coming soon | — | — | — |
## PWN — Quick reference
```
from pwn import *
# Setup
elf = ELF('./binary')
libc = ELF('./libc.so.6')
p = process('./binary')
# p = remote('challenge.ctf.io', 1337)
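# Find the offset
pattern = cyclic(100)             # feed this pattern to the binary and note the value it crashes on
offset = cyclic_find(0x6161616c)  # position of that value in the pattern = padding length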
# ROP chain
rop = ROP(elf)
rop.raw(rop.ret) # stack alignment
rop.call('puts', [elf.got['puts']])
rop.call('main')
# Send the payload
payload = flat(b'A' * offset, rop.chain())
p.sendline(payload)
p.interactive()
```
## REV — Quick reference
```
# Basic recon
file binary
strings binary | grep -i flag
checksec binary
# Ghidra headless
analyzeHeadless /tmp/proj MyProject -import ./binary -postScript PrintAST.java
# radare2
r2 -A ./binary
afl # list functions
pdf @ main # disassemble main
db 0x401234 # breakpoint
dc # run
```
## CRYPTO — Quick reference
```
from Crypto.Util.number import *
import gmpy2
# RSA — small e attack (e=3)
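c, n, e = ...  # placeholder: fill in the challenge values
# Only valid when m**e < n (no modular reduction), so the integer root must be exact
m, exact = gmpy2.iroot(c, e)
if exact:
    print(long_to_bytes(int(m)))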
# RSA — common modulus
# n1 == n2, e1 != e2, same plaintext
from sympy import gcd
g = gcd(e1, e2)
# Extended Euclidean...
# XOR key recovery
ct = bytes.fromhex("...")
known = b"flag{"
key = bytes(a^b for a,b in zip(ct, known))
```
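The common-modulus case from the CRYPTO block above, carried through the extended Euclidean step it leaves elided, as an added example (not code from this repository). The primes, exponents and plaintext are constructed toy values, and `egcd`, `recover_common_modulus` and `demo` are names introduced here.

```python
# Added example with constructed toy values; not from any real challenge.

def egcd(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def recover_common_modulus(n, e1, c1, e2, c2):
    """Recover m from c1 = m^e1 mod n and c2 = m^e2 mod n without a private key."""
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError("e1 and e2 must be coprime for this recovery")
    # a*e1 + b*e2 == 1, so c1^a * c2^b == m^(a*e1 + b*e2) == m (mod n).
    # One of a, b is negative; pow() then uses the modular inverse (Python 3.8+).
    return pow(c1, a, n) * pow(c2, b, n) % n


# Constructed parameters: two Mersenne primes stand in for real RSA primes.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E1, E2 = 17, 65537
M = int.from_bytes(b"flag{demo}", "big")
C1, C2 = pow(M, E1, N), pow(M, E2, N)  # same plaintext, same modulus


def demo():
    """Run the recovery on the constructed ciphertexts and return the plaintext bytes."""
    m = recover_common_modulus(N, E1, C1, E2, C2)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())
```

The recovery never factors `N`, which is why a modulus must not be shared between key pairs: every key pair needs its own primes.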
## Resources
- [CTFtime](https://ctftime.org/) — upcoming CTFs
- [pwn.college](https://pwn.college/) — pwn training
- [cryptohack.org](https://cryptohack.org/) — crypto training
- [PicoCTF](https://picoctf.org/) — beginner friendly
- [HackTheBox](https://hackthebox.com/) — machines + challenges
*More content → [t.me/oxnull_security](https://t.me/oxnull_security) · [dev.to/0xnull](https://dev.to/0xnull)*