0%

2021自治区第六届个人决赛

Misc

1

签到题

image-20211014125923032

2

加密的压缩包,不是伪加密,也不是别的加密,尝试通过1-8位的数字,但是没有爆破成功。

总之就是各种试,最后用6位的小写字母加数字成功爆破

image-20211014125652887

解压后拿到flag

image-20211014125717991

Crypto

3

USB题目

导出usbdata

1
tshark -r out.pcapng -T fields -e usb.capdata > usbdata.txt

观察数据,发现只有2位。。。而传统的usb键盘是八位,鼠标是四位。。。。

image-20211025175013223

看了官方的wp,通过观察数据,发现数据有效位只有最后两位,前两位表示是否按下shift(这里脑洞不过去,似乎就做不出来了),由于flag最终是md5,所以,可以不用管是否按下了shift(拿到最终结果小写,然后方括号替换为花括号)

exp利用之前题目的,修改一下长度判断、字典key值判断就行

USB题目

image-20211025181141637

记录一下比较全的映射

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
mappings = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
"09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
"0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
"13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
"18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
"1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
"22":"5", "23":"6","24":"7","25":"8","26":"9",
"27":"0", "28":"<RET>", "29":"<ESC>", "2a":"<DEL>", "2b":"<ALT>",
"2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
"32":"<NON>", "33":";","34":"'", "35":"<GA>", "36":",", "37":".",
"38":"/", "39":"<CAP>", "3a":"<F1>", "3b":"<F2>", "3c":"<F3>", "3d":"<F4>",
"3e":"<F5>", "3f":"<F6>", "40":"<F7>", "41":"<F8>", "42":"<F9>", "43":"<F10>",
"44":"<F11>", "45":"<F12>", "4a":"<HOME>", "4c":"<DELETE>", "4d":"<END>",
"4f":"<RightArrow>",
"50":"<LeftArrow>", "51":"<DownArrow>", "52": "<UpArrow>", "53":"<NumLock>",
"54":"/",
"55":"*", "56":"-", "57":"+", "58":"<RET>", "59":"1", "5a":"2", "5b":"3", "5c":"4",
"5d":"5",
"5e":"6", "5f":"7", "60":"8", "61":"9", "62":"0"}

1

二进制转ascii

image-20211014125437192

4 | 没做出来

源码两次加密flag,第一层用共模攻击,解除明文

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import time
import gmpy2
n = 19480194268503154082585439617469272557956480654338230653649781307502248349736627457645610039075322792401295497793319660989127612453321247314231223037248639179632241519788148438867262758659703084192216884800101436972686780783514671667056106822567336892698113850435751753115412000666459984030669713294333539032045400298062683899143819804114386839248963503450542556462603187337800896458359367665520406940496692062407947628368273827695233395737811491126295428760151633201729571399675514722184509759224132307755688328665937945934980164533757853150121827814509756304512520586995228758336494277567433918761102876950415111991
e = [53,29]
c = [3475935727102647437000192228742579965235100816544115426886033563197359263547830252588257651875950781823874292157388330756640055027262523492684623209631922119272054800380697037592675236211520596382088611366345886153662035067949028494517719941135530094949923394735879359874573886875525661848691848746241573236859764651536219924388071361730858704291823281574121689263776192763439731401668207550718269274064267407498240976598717948582616941465244398483063674966985119090804958616523953561327923151982425949097547775915037627018663742833454589881950554134226688644209963788384895142984328555188650501209147616729264430052,1866749338684663372269453340894898293613924260545776078415822433654108359226781024094873434073304303753757789583783931840075544823042112088686013249536725113005907948973626889754068973373834680960277466135359308892460790640416326700493190319888920496607295715965597196902579152560554495355315803148472045133637803460189054924639267745448569051557400535647663783943525902113549843529907910966424228938135907633326895731033445161009385749272587394426270031236366063632386315314011533857189378999987202426396145311401119078728310556140667452467192288084502899037367944088716287626792688969133554418744382408505280561151]
print '[+]Detecting m...'
time.clock()
c1 = c[0]
c2 = c[1]
e1 = e[0]
e2 = e[1]
s = gmpy2.gcdext(e1, e2)
s1 = s[1]
s2 = s[2]
if s1 < 0:
s1 = -s1
c1 = gmpy2.invert(c1, n)
elif s2 < 0:
s2 = -s2
c2 = gmpy2.invert(c2, n)
m = pow(c1, s1, n) * pow(c2, s2, n) % n
print m

p泄露了824个低位。。。。。卡在这里,之前只做过p泄露高位的。。。。

Web

1

查看源码发现flag,但是提交报错,以为环境问题后俩才知道是姿势不对。

页面提示input signin

image-20211014130022115

尝试输入Signin,发现页面回显flag在哪

查看头,找到flag

image-20211014130057217

2

输入绕过md5判断

1
http://192.168.10.22:52002/pony.php/?a[]=1&b[]=2&pony=phpinfo();

查看php信息,发现禁用了几乎所有的函数。

image-20211014130257572

尝试了一圈,没发现能够拿到flag的方式,最后考虑用蚁剑的disable_function绕过,拿到flag

image-20211014130514749

3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
<?php
error_reporting(0);
require_once("config.php");
function alertMes($mes)
{
die("<script>alert('{$mes}');location.href='index.php';</script>");
}

function checkSql($s)
{
if (preg_match("/regexp|between|right|left|reverse|update|extractvalue|floor|for|schema|substr|replace|like|sleep|bench|and|=|>|<|\||&|;|\\\$|0x/i", $s)) {
alertMes('hacker');
}
}

if (isset($_POST['username']) && $_POST['username'] != '' && isset($_POST['password']) && $_POST['password'] != '') {
$username = $_POST['username'];
$password = $_POST['password'];
if ($username !== 'admin') {
alertMes('only admin can login');
}
checkSql($password);
$sql = "SELECT password FROM users WHERE username = 'admin' and password = '$password';";
$user_result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($user_result);
if (!$row) {
alertMes("something wrong");
}
if ($row['password'] === $password) {
alertMes("success");
} else {
alertMes("wrong password");
}
}

if (isset($_GET['source'])) {
highlight_file(__FILE__);
die();
}
?>

未完

4

反序列化题目

image-20211116175932144

题目提示读取到/flag,现在需要构造反序列化的ROP

未完