四川技能大赛——2023年四川网信人才技能大赛(网络安全管理员赛项)决赛

2023-12-13 12:34:11

四川技能大赛——2023年四川网信人才技能大赛(网络安全管理员赛项)决赛

C1-比64少的bas - DONE

2i9Q8AtDZiEsSn13rF6xchPe1EaiU5u7qKbEd2HDH5jS7N4UfiL3DwFsBa

在这里插入图片描述

flag{2a098f9f-d384-b6d0-4096-9eaf0f5654a3}

C2-affine - DONE

wohz{k533q73q-t76t-9292-351w-h880t22q2q59}
a=3 b=7

CyberChef一把:
在这里插入图片描述

flag{b533d73d-e76e-9292-351f-a880e22d2d59}

C3-简单的RSA - DONE

chall.py

from Crypto.Util.number import *
from secret import flag
from sympy import nextprime

flag=b''

r = getRandomNBitInteger(64)
p = r**5 + r**4 - r**3 + r**2 - r + 2023
q = r**5 - r**4 + r**3 - r**2 + r + 2023
p =nextprime(p)
q =nextprime(q)
n = p*q

def enc(flag, n):
    m = bytes_to_long(flag)
    return pow(m, 65537, n)


c = enc(flag, n)
print(n)
print(c)

# 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457
# 18808483076270941157829928736000549389727451019027515249724024369421942132354537978233676261769285858813983730966871222263698559152437016666829640339912308636169767041243411900882395764607422

n = = p ? q = = ( r ? ? 5 + . . . ) ? ( r ? ? 5 ? . . . ) n==p*q == (r**5 + ...)*(r**5 - ...) n==p?q==(r??5+...)?(r??5?...)

由上可知, n约为r的10次方。如果对n开10次方,则低位可忽略,爆破一下即可求出r。

exp:

from Crypto.Util.number import *
from gmpy2 import iroot

N = 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457
t,f = iroot(N, 10)


for r in range(t-10000,t+10000):
    p = r**5 + r**4 - r**3 + r**2 - r + 2023
    q = r**5 - r**4 + r**3 - r**2 + r + 2023
    p =nextprime(p)
    q =nextprime(q)
    n = p*q
    if n==N:
        print(f"p = {p}\nq = {q}\n")
        break
# 得到:
p = 158324975897082020097339281935818129320954195255971408941591049179715138878370817761203475160123
q = 158324975897082020068454470275147007824077754451975255433855101769279209145578273309232489165459

再常规RSA:

n = 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457
c = 18808483076270941157829928736000549389727451019027515249724024369421942132354537978233676261769285858813983730966871222263698559152437016666829640339912308636169767041243411900882395764607422
e = 65537
d = inverse(e, (p-1)*(q-1))
m = pow(c,d,n)
print(long_to_bytes(m))
# flag{5afe5cbb-4b4c-9cb6-f8b6-032cabf4b7e7}

M1-不要动我的flag - DONE

追踪TCP流,在第0个流中发现代码:

import hashlib

with open("flag") as f:
    flag=f.readlines()[0]
if "c7e6ea42b7301e6330ba****fe407930191d371885935ad4cd51e95e********" == hashlib.sha256(flag.encode()).hexdigest():
    print("......")
else:
    print("......")

在第3个TCP流中发现flag(部分):

flag{22af230f-bbed-????-95fa-b6b1ca6dc32e}

爆破sha256:

from hashlib import sha256
from string import hexdigits
from itertools import product

for i in product(hexdigits, repeat=4):
    f = "flag{22af230f-bbed-" + ''.join(i) + "-95fa-b6b1ca6dc32e}"
    h = sha256(f.encode()).hexdigest()
    if h[:20]== 'c7e6ea42b7301e6330ba':
        print(f, h)
# flag{22af230f-bbed-48b9-95fa-b6b1ca6dc32e}  c7e6ea42b7301e6330ba3959fe407930191d371885935ad4cd51e95e857a3155

M2-simpleUSB -

原题:HWS第七期夏令营(硬件安全营)预选赛wp Misc1
https://www.cnblogs.com/fuxuqiannian/p/17560359.html

usb流量包.

键盘是8字节:   usbhid.data
鼠标是4字节:   

在这里插入图片描述

将键盘流量全部导出后加冒号:

#!/usr/bin/env python
# -*- coding:utf-8 -*-

import os

pcapfile = "misc1.pcapng"
if not os.path.exists(pcapfile):
    print("Pcap file not found!")
    exit(0)

# hid.txt
usbKBf = 'usbKBf.txt'
cmd = "tshark -r " + pcapfile + " -T fields -Y \"usb.usbpcap_header_len==27\" -e usbhid.data > " + usbKBf
os.system(cmd)
# 删除空行,并加冒号
lline2 = []
lline1 = open(usbKBf, 'r').readlines()
for line in lline1:
    line = line.strip()
    if line:
        newline = ':'.join([ line[i:i+2] for i in range(0, len(line), 2)])
        lline2.append(newline)
with open('out.txt', 'w') as f:
    f.write('\n'.join(lline2))

normalKeys = {
    "04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i", "0d": "j",
    "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r", "16": "s", "17": "t",
    "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1", "1f": "2", "20": "3", "21": "4",
    "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>",
    "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[", "30": "]", "31": "\\", "32": "<NON>", "33": ";",
    "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>",
    "3d": "<F4>", "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>",
    "45": "<F12>"
}

shiftKeys = {
    "04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I", "0d": "J",
    "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R", "16": "S", "17": "T",
    "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!", "1f": "@", "20": "#", "21": "$",
    "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>",
    "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{", "30": "}", "31": "|", "32": "<NON>", "33": "\"",
    "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>",
    "3d": "<F4>", "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>",
    "45": "<F12>"
}

output = []
keys = open('out.txt')

for line in keys:
    try:
        if line[0] != '0' or (line[1] != '0' and line[1] != '2') or line[3] != '0' or line[4] != '0' or line[9] != '0' or line[10] != '0' or line[12] != '0' or line[13] != '0' or line[15] != '0' or line[16] != '0' or line[18] != '0' or line[19] != '0' or line[21] != '0' or line[22] != '0' or line[6:8] == "00":
            continue

        if line[6:8] in normalKeys.keys():
            output += [normalKeys[line[6:8]], shiftKeys[line[6:8]]][line[1] == '2']
        else:
            output += ['[unknown]']
    except:
        pass

keys.close()

flag = 0
print("".join(output))

for i in range(len(output)):
    try:
        a = output.index('<DEL>')
        del output[a]
        del output[a - 1]
    except:
        pass

for i in range(len(output)):
    try:
        if output[i] == "<CAP>":
            flag += 1
            output.pop(i)
            if flag == 2:
                flag = 0

        if flag != 0:
            output[i] = output[i].upper()
    except:
        pass

print('output: ' + "".join(output))

运行得到:

AomgHy<DEL>Y$\<CAP>a@q7<CAP>gW2d6oO0fGm1hAI'/4<DEL>;<CAP>ms@p<CAP>frQ149K[unknown]
output: AomgHy<DEL>Y$\<CAP>a@q7<CAP>gW2d6oO0fGm1hAI'/4<DEL>;<CAP>ms@p<CAP>frQ149K[unknown]

猜测是base85解密,但未成功。再看一下导出的HID Data,发现流量中有20开头的,这个20开头的也算是shiftKeys。

添加条件到代码中,重新运行得到:


base85 --> flag{ec1b8b96-56a9-f15c-4e39-503e92ab45d2}

M3-我我我是谁 -

P1-getitez -

P2-bbstack -

R1-谁的DNA动了 - DONE

先F12看一下字符串,发现有:

flag{Th14_15_a_xxxx_flAg},the MD5 hash value of xxxx is \"7c76fb919bab9a1abfe854cf80725a09\",just 4 bytes

爆破一下md5,结果是Fak3:

from hashlib import md5
from string import ascii_letters
from itertools import product

for i in product("FAKE43fake", repeat=4):
    f = ''.join(i)
    h = md5(f.encode()).hexdigest()
    if h== '7c76fb919bab9a1abfe854cf80725a09':
        print(f, h)
# Fak3 7c76fb919bab9a1abfe854cf80725a09  --> flag{Th14_15_a_Fak3_flAg}

但提交不正确。明显是一个fake flag.

有以下判断逻辑:

for ( i = 0; i < v4; ++i )
{
    memset(&s, 0, sizeof(s));
    encode((unsigned int)inputs[i], &s);  // 对输入的flag进行编码
    outputs[4 * i + 3] = s;               // 这里是4字符中,高低位的字符互换: 1234 --> 4321
    outputs[4 * i + 2] = BYTE1(s);
    outputs[4 * i + 1] = BYTE2(s);
    outputs[4 * i] = HIBYTE(s);
}
if ( judge((__int64)outputs, (__int64)CODE, v4) )  // judge()函数需返回为真
{
    puts("well done!you get it");
}

CODE的内容是:
在这里插入图片描述

Shift+E导出:

"CGCGCGATCGTCCGCACAGATACATATGTACCTATTTATTTAGTCGTCTACCCGCCTACGCGCCTACGTACCCGCTCGTCTATTTATCCGTATATTTACTTAGCTATCTACTCGTATACTTACATACGCGTCCGCCTATTTAGTTACACAAC"

ps: 开始以为是DNA编码,使用ToolxFX解码未成功。只能硬逆了。

先看下judge()函数:

bool __fastcall judge(__int64 a1, __int64 a2, int a3)
{
  int v4; // ebx
  int v5; // ebx
  int v6; // r12d
  int v8; // [rsp+28h] [rbp-18h]
  int i; // [rsp+2Ch] [rbp-14h]

  v8 = 0;
  if ( 4 * a3 > strlen(CODE) )
    return 0;
  for ( i = 0; i < a3; ++i )       // 主要逻辑在这里。
  {
    v4 = Int((unsigned int)*(char *)(i + a1));
    v5 = Int((unsigned int)*(char *)(i + a2)) + v4;
    v6 = Int(75LL);  // 75 --> 'K':Int('K')=7
    if ( v5 == v6 - (unsigned int)Int(66LL) ) // 66 --> 'B':Int('B')=4
      ++v8;
  }
  return 4 * v8 == strlen(CODE);
}

// Int()函数可以视为一个字典:
__int64 __fastcall Int(char a1)
{
  __int64 result; // rax

  switch ( a1 )
  {
    case 'A':
      result = 0LL;
      break;
    case 'B':
      result = 4LL;
      break;
    case 'C':
      result = 2LL;
      break;
    case 'D':
      result = 5LL;
      break;
    case 'F':
      result = 6LL;
      break;
    case 'G':
      result = 1LL;
      break;
    case 'K':
      result = 7LL;
      break;
    case 'M':
      result = 8LL;
      break;
    case 'T':
      result = 3LL;
      break;
    default:
      result = 10LL;
      break;
  }
  return result;
}

Int()函数可以视为一个字典:

intD = {"A":0, "B":4, "C":2, "D":5, "F":6, "G":1, "K":7, "M":8, "T":3, "O":10}

judge是一个简单的加减算法,逆一下:

intD = {"A":0, "B":4, "C":2, "D":5, "F":6, "G":1, "K":7, "M":8, "T":3, "O":10}
CODE = "CGCGCGATCGTCCGCACAGATACATATGTACCTATTTATTTAGTCGTCTACCCGCCTACGCGCCTACGTACCCGCTCGTCTATTTATCCGTATATTTACTTAGCTATCTACTCGTATACTTACATACGCGTCCGCCTATTTAGTTACACAAC"
# uniq一下CODE,只有AGCT共4个字符,对应于0123.
CODE2 = ''
for i in range(len(CODE)):
    v5 = 3
    t = intD[CODE[i]]
    v4 = v5 - t
    for k in intD.keys():
        if intD[k] == v4:
            D = k
            print(D)
            CODE2 += D
            break
    else:
        print("WRONG", v4, t)
print(CODE2) # GCGCGCTAGCAGGCGTGTCTATGTATACATGGATAAATAAATCAGCAGATGGGCGGATGCGCGGATGCATGGGCGAGCAGATAAATAGGCATATAAATGAATCGATAGATGAGCATATGAATGTATGCGCAGGCGGATAAATCAATGTGTTG

再看以下代码和encode()函数:

  for ( i = 0; i < v4; ++i )
  {
    memset(&s, 0, sizeof(s));
    encode((unsigned int)inputs[i], &s);  // 对输入的flag进行编码
    outputs[4 * i + 3] = s;               // 这里是4字符中,高低位的字符互换: 1234 --> 4321
    outputs[4 * i + 2] = BYTE1(s);
    outputs[4 * i + 1] = BYTE2(s);
    outputs[4 * i] = HIBYTE(s);
  }

__int64 __fastcall encode(unsigned int a1, __int64 a2)
{
  __int64 result; // rax
  int i; // [rsp+1Ch] [rbp-4h]

  result = a1;
  for ( i = 0; i <= 3; ++i )
  {
    result = (unsigned __int8)box[((char)a1 >> (2 * i)) & 3];
    *(_BYTE *)(i + a2) = result;
  }
  return result;
}

可以发现,该代码逻辑是将字符转换为二进制(8bit),分4个2bit分别处理,映射为:

00 --> 0 --> A
01 --> 1 --> G
10 --> 2 --> C
11 --> 3 --> T

于是,写一下逆向代码:

CODE2 = GCGCGCTAGCAGGCGTGTCTATGTATACATGGATAAATAAATCAGCAGATGGGCGGATGCGCGGATGCATGGGCGAGCAGATAAATAGGCATATAAATGAATCGATAGATGAGCATATGAATGTATGCGCAGGCGGATAAATCAATGTGTTG
box = "AGCT"
for i in range(0, len(CODE2), 4):
    t = box.index(CODE2[i]) * 64 + box.index(CODE2[i+1]) * 16 + box.index(CODE2[i+2]) * 4 + box.index(CODE2[i+3])
    print(chr(t), end='')
# flag{725008a5e6e65da01c04914c476ae087}

R2-DontTouchMe - DONE

W1-little_game - DONE

js代码小游戏。找到success()函数,在浏览器中F12,在控制台下运行一下即可得到flag:
在这里插入图片描述

arr='1234567890qwertyuiopasdfghjklzxcvbnm{}-'
index = [23,28,20,24,36,1,3,7,6,3,38,2,8,9,5,7,21,38,9,3,6,18,22,38,26,16,6,18,15,37]
s = ''
for i in index:
    s += arr[i]
    print(s)
# flag{24874-39068s-047od-ju7oy}

W2-justppb - DONE

题目提示:使用Burp。

题目给了一个登录框,输入admin等常规的账号名时,提示用户名错误。

【考点】:使用Burp中自带的字典、密码。
在这里插入图片描述

爆破成功后,登录即显示flag. 【坑】

W3-ezbbs -

一个jar。

W4-smart -

smarty反序列化漏洞利用。

赛后评价:

1 - 线下赛,现场不提供零食,中午却可以一起就餐…

2 - 题目质量嘛:呵呵,

(1)W2-justppb

考点是Burp自带的用户名、密码字典,这个。

我现场用自己的fuzz字典、爆破的字典,居然都不行。哎,痛失5分。

(2)M3-我我我是谁

这个题硬是不知道怎么做。听大佬说,是他们用自己团队的一个脚本自动跑出来的。

哎!

(3)C1-比64少的base, C2-affine:

这2题是拿来当省级赛事的吗?

(4)M2-simpleUSB

原题。HWS第七期夏令营(硬件安全营)预选赛wp Misc1

(5)其他

反正不会做了。

文章来源:https://blog.csdn.net/rickliuxiao/article/details/134905283
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。