
2021 Autonomous Region 6th Individual Finals

Misc

1

Sign-in challenge

2

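An encrypted archive. It is not pseudo-encryption, nor any other kind of encryption trick. I tried brute-forcing it with 1-8 digit numeric passwords, but that did not succeed.

In short, I tried all sorts of things, and in the end a brute force over 6-character passwords made of lowercase letters and digits succeeded.

Extracting the archive gives the flag.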

Crypto

3

USB challenge

Export the usbdata:

tshark -r out.pcapng -T fields -e usb.capdata > usbdata.txt

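Looking at the data, each record is only 2 bytes... whereas a conventional USB keyboard record is 8 bytes and a mouse record is 4 bytes...

After reading the official write-up: observing the data shows that only the last two hex digits of each record are meaningful, and the first two indicate whether Shift is pressed (without making this leap, the challenge seems unsolvable). Since the flag is ultimately an MD5, whether Shift was pressed can be ignored (take the final result in lowercase, then replace the square brackets with curly braces).

For the exp I reused the script from an earlier challenge; only the length check and the dictionary key check need to be changed.

USB challenge

For the record, a fairly complete mapping: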

# USB HID keyboard usage IDs (hex) -> key
mappings = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
            "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
            "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
            "13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
            "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
            "1d":"z", "1e":"1", "1f":"2", "20":"3", "21":"4",
            "22":"5", "23":"6", "24":"7", "25":"8", "26":"9",
            # 0x2b is Tab in the HID usage table (was labelled <ALT>)
            "27":"0", "28":"<RET>", "29":"<ESC>", "2a":"<DEL>", "2b":"<TAB>",
            "2c":"<SPACE>", "2d":"-", "2e":"=", "2f":"[", "30":"]", "31":"\\",
            "32":"<NON>", "33":";", "34":"'", "35":"<GA>", "36":",", "37":".",
            "38":"/", "39":"<CAP>", "3a":"<F1>", "3b":"<F2>", "3c":"<F3>", "3d":"<F4>",
            "3e":"<F5>", "3f":"<F6>", "40":"<F7>", "41":"<F8>", "42":"<F9>", "43":"<F10>",
            "44":"<F11>", "45":"<F12>", "4a":"<HOME>", "4c":"<DELETE>", "4d":"<END>",
            "4f":"<RightArrow>", "50":"<LeftArrow>", "51":"<DownArrow>", "52":"<UpArrow>",
            # Keypad keys
            "53":"<NumLock>", "54":"/", "55":"*", "56":"-", "57":"+", "58":"<RET>",
            "59":"1", "5a":"2", "5b":"3", "5c":"4", "5d":"5",
            "5e":"6", "5f":"7", "60":"8", "61":"9", "62":"0"}

Convert the binary to ASCII.
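The decoding step described above, as an added example (not the author's script or the official write-up's): it takes the last two hex digits of each 2-byte record as the HID keycode and ignores the first two. The function names and the sample records are constructed for illustration, and the Shift value 0x02 in the sample is an assumption.

```python
import string

# Compact HID usage-ID table built from ranges (printable keys only):
# 0x04-0x1d letters, 0x1e-0x27 digits, then the punctuation a flag needs.
KEYMAP = {0x04 + i: ch for i, ch in enumerate(string.ascii_lowercase)}
KEYMAP.update({0x1e + i: ch for i, ch in enumerate("1234567890")})
KEYMAP.update({0x2c: " ", 0x2d: "-", 0x2e: "=", 0x2f: "[", 0x30: "]"})


def decode_capdata(lines):
    """Decode 2-byte usb.capdata records: first byte modifier, second keycode."""
    out = []
    skipped = 0
    for raw in lines:
        record = raw.strip().replace(":", "")  # some tshark versions print aa:bb
        if not record:
            continue  # packets without usb.capdata export as blank lines
        if len(record) != 4:
            skipped += 1  # not the 2-byte layout this capture uses
            continue
        try:
            keycode = int(record[2:], 16)  # only the last two hex digits matter
        except ValueError:
            skipped += 1
            continue
        if keycode == 0:
            continue  # no key pressed / key released
        ch = KEYMAP.get(keycode)
        if ch is None:
            skipped += 1  # usage ID outside the printable table
            continue
        out.append(ch)
    return "".join(out), skipped


def to_flag(text):
    """Shift is ignored, so braces arrive as brackets: lowercase and swap them."""
    return text.lower().replace("[", "{").replace("]", "}")


# Constructed sample records (not taken from out.pcapng): "flag[a1]" typed with
# an assumed Shift modifier 0x02 on the brackets, plus release and junk records.
SAMPLE = ["0009", "0000", "000f", "0004", "000a", "", "022f", "0000",
          "00:04", "001e", "0230", "00000000", "00ff"]

if __name__ == "__main__":
    text, skipped = decode_capdata(SAMPLE)
    print(to_flag(text), "skipped:", skipped)
```
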

4 | Not solved

The source encrypts the flag twice. The first layer falls to a common modulus attack, which recovers the plaintext:

import time
import gmpy2
n = 19480194268503154082585439617469272557956480654338230653649781307502248349736627457645610039075322792401295497793319660989127612453321247314231223037248639179632241519788148438867262758659703084192216884800101436972686780783514671667056106822567336892698113850435751753115412000666459984030669713294333539032045400298062683899143819804114386839248963503450542556462603187337800896458359367665520406940496692062407947628368273827695233395737811491126295428760151633201729571399675514722184509759224132307755688328665937945934980164533757853150121827814509756304512520586995228758336494277567433918761102876950415111991
e = [53,29]
c = [3475935727102647437000192228742579965235100816544115426886033563197359263547830252588257651875950781823874292157388330756640055027262523492684623209631922119272054800380697037592675236211520596382088611366345886153662035067949028494517719941135530094949923394735879359874573886875525661848691848746241573236859764651536219924388071361730858704291823281574121689263776192763439731401668207550718269274064267407498240976598717948582616941465244398483063674966985119090804958616523953561327923151982425949097547775915037627018663742833454589881950554134226688644209963788384895142984328555188650501209147616729264430052,1866749338684663372269453340894898293613924260545776078415822433654108359226781024094873434073304303753757789583783931840075544823042112088686013249536725113005907948973626889754068973373834680960277466135359308892460790640416326700493190319888920496607295715965597196902579152560554495355315803148472045133637803460189054924639267745448569051557400535647663783943525902113549843529907910966424228938135907633326895731033445161009385749272587394426270031236366063632386315314011533857189378999987202426396145311401119078728310556140667452467192288084502899037367944088716287626792688969133554418744382408505280561151]
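print('[+]Detecting m...')
start = time.perf_counter()  # time.clock() was removed in Python 3.8
c1 = c[0]
c2 = c[1]
e1 = e[0]
e2 = e[1]
# Extended Euclid: s1*e1 + s2*e2 == gcd(e1, e2) == 1
s = gmpy2.gcdext(e1, e2)
s1 = s[1]
s2 = s[2]
# A negative exponent is handled by inverting the matching ciphertext mod n
if s1 < 0:
    s1 = -s1
    c1 = gmpy2.invert(c1, n)
elif s2 < 0:
    s2 = -s2
    c2 = gmpy2.invert(c2, n)
# m = c1^s1 * c2^s2 mod n
m = gmpy2.powmod(c1, s1, n) * gmpy2.powmod(c2, s2, n) % n
print(m)
print('[+]Elapsed: %.3fs' % (time.perf_counter() - start))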

The low 824 bits of p are leaked... I got stuck here; before this I had only done challenges where the high bits of p are leaked...

Web

1

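Viewing the page source reveals a flag, but submitting it gave an error. I assumed it was an environment problem and only later learned that my approach was wrong.

The page prompts: input signin

Entering Signin makes the page echo where the flag is.

Checking the headers reveals the flag.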

2

Input that bypasses the md5 check:

http://192.168.10.22:52002/pony.php/?a[]=1&b[]=2&pony=phpinfo();

Looking at the PHP info shows that almost all functions are disabled.

After trying a round of things without finding a way to get the flag, I finally considered AntSword's disable_function bypass and got the flag.

3

<?php
error_reporting(0);
require_once("config.php");
function alertMes($mes)
{
    die("<script>alert('{$mes}');location.href='index.php';</script>");
}

function checkSql($s)
{
    if (preg_match("/regexp|between|right|left|reverse|update|extractvalue|floor|for|schema|substr|replace|like|sleep|bench|and|=|>|<|\||&|;|\\\$|0x/i", $s)) {
        alertMes('hacker');
    }
}

if (isset($_POST['username']) && $_POST['username'] != '' && isset($_POST['password']) && $_POST['password'] != '') {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if ($username !== 'admin') {
        alertMes('only admin can login');
    }
    checkSql($password);
    $sql = "SELECT password FROM users WHERE username = 'admin' and password = '$password';";
    $user_result = mysqli_query($conn, $sql);
    $row = mysqli_fetch_array($user_result);
    if (!$row) {
        alertMes("something wrong");
    }
    if ($row['password'] === $password) {
        alertMes("success");
    } else {
        alertMes("wrong password");
    }
}

if (isset($_GET['source'])) {
    highlight_file(__FILE__);
    die();
}
?>

4

Deserialization challenge

The challenge hints at reading /flag; now the deserialization ROP needs to be constructed.