2021广东省强网杯WriteUp

个人赛

网络诈骗

参考
https://github.com/Heyxk/notes/issues/1
先把EnMicroMsg.db提出来

CompatibleInfo.cfg是0kb,用第一种方法
IMEI获取不到,用默认的1234567890ABCDEF
auth_info_key_prefs.xml里面"_auth_uin" value="1729159668"

取前8
48b55e5
sqlcipher EnMicroMsg.db 'PRAGMA key = "48b55e5"; PRAGMA cipher_use_hmac = off; PRAGMA kdf_iter = 4000; ATTACH DATABASE "decrypted_database.db" AS decrypted_database KEY "";SELECT sqlcipher_export("decrypted_database");DETACH DATABASE decrypted_database;'
用mac失败了,windows上下的sqlcipher

用sqllitestudio查看
message表中记录了所发送的所有消息信息https://blog.csdn.net/muzhicihe/article/details/109902849

88.88+500

找到攻击痕迹

CVE-2017-9993 找mp4附近

C

CVE-2017-8917 找index.php

A

CVE-2019-15107 找password

D
CVE-2020-1938 ajp的没找到,就剩下的三个里面猜了

ACDF

完美上传器

麻了 带后缀上传就失败
最后传个/flag

goodpy

python字节码逆向
https://www.cnblogs.com/blili/p/11804690.html
https://bbs.pediy.com/thread-246683.htm
参考手撕
逆到一半发现只要关键地方算法就可以了

a = [56, 17, 99, 1, 47, 4, 2, 62, 75, 102, 8, 242, 16, 242, 97, 97, 100, 107, 16, 9, 10, 3, 117, 20, 80, 87, 242, 2, 6, 119, 7, 17]
flag = ''
for i in range(len(a)):
    if i%7==1:
        flag += (chr(((a[i]-8)^51)+9))
    else:
        flag += (chr((((a[i]^119)-8)^51)+9))

print(flag)

前面有输入判断开头是不是flag

移下位flag{yCMWuWFsA0uNOhgq54WgcedvHC}

团队赛

love_Pokemon

<?php
error_reporting(0);
highlight_file(__FILE__);
$dir = 'sandbox/' . md5($_SERVER['REMOTE_ADDR']) . '/';

if(!file_exists($dir)){
    mkdir($dir);
}

function DefenderBonus($Pokemon){
    if(preg_match("/'| |_|\\$|;|l|s|flag|a|t|m|r|e|j|k|n|w|i|\\\\|p|h|u|v|\\+|\\^|\`|\~|\||\"|\<|\>|\=|{|}|\!|\&|\*|\?|\(|\)/i",$Pokemon)){
        die('catch broken Pokemon! mew-_-two');
    }
    else{
        return $Pokemon;
    }

}

function ghostpokemon($Pokemon){
    if(is_array($Pokemon)){
        foreach ($Pokemon as $key => $pks) {
            $Pokemon[$key] = DefenderBonus($pks);
        }
    }
    else{
        $Pokemon = DefenderBonus($Pokemon);
    }
}

switch($_POST['myfavorite'] ?? ""){
    case 'picacu!':
        echo md5('picacu!').md5($_SERVER['REMOTE_ADDR']);
        break;
    case 'bulbasaur!':
        echo md5('miaowa!').md5($_SERVER['REMOTE_ADDR']);
        $level = $_POST["levelup"] ?? "";
    if ((!preg_match('/lv100/i',$level)) && (preg_match('/lv100/i',escapeshellarg($level)))){
            echo file_get_contents('./hint.php');
        }
        break;
    case 'squirtle':
        echo md5('jienijieni!').md5($_SERVER['REMOTE_ADDR']);
        break;
    case 'mewtwo':
        $dream = $_POST["dream"] ?? "";
        if(strlen($dream)>=20){
            die("So Big Pokenmon!");
        }
        ghostpokemon($dream);
        echo shell_exec($dream);
}

?>


通配符位运算符都ban了
/F[B-Z][@-C]G 过正则 od读

8进制解码
flag{Php_Rc3_1s_V3Ry_C001_But_I_l0v3_Pokemon~}

RSA and BASE?

e很大,想到维纳攻击,网上找个脚本跑

# -*- coding:utf-8 -*-
from Crypto.Util.number import *


def f(x, n):
    return (pow(x, n - 1, n) + 3) % n


def rho(n):
    i = 1
    while True:
        a = getRandomRange(2, n)
        b = f(a, n)
        j = 1
        while True:
            p = GCD(abs(a - b), n)
            # print('{} in {} circle'.format(j, i))
            if p == n:
                break
            elif p > 1:
                return (p, n // p)
            else:
                a = f(a, n)
                b = f(f(b, n), n)
            j += 1
        i += 1


def main():
    n = 84236796025318186855187782611491334781897277899439717384242559751095347166978304126358295609924321812851255222430530001043539925782811895605398187299748256080526691975084042025794113521587064616352833904856626744098904922117855866813505228134381046907659080078950018430266048447119221001098505107823645953039
    print(rho(n))


if __name__ == '__main__':
    main()
    
import gmpy2
import libnum

def continuedFra(x, y):
    """计算连分数
    :param x: 分子
    :param y: 分母
    :return: 连分数列表
    """
    cf = []
    while y:
        cf.append(x // y)
        x, y = y, x % y
    return cf
def gradualFra(cf):
    """计算传入列表最后的渐进分数
    :param cf: 连分数列表
    :return: 该列表最后的渐近分数
    """
    numerator = 0
    denominator = 1
    for x in cf[::-1]:
        # 这里的渐进分数分子分母要分开
        numerator, denominator = denominator, x * denominator + numerator
    return numerator, denominator
def solve_pq(a, b, c):
    """使用韦达定理解出pq,x^2−(p+q)∗x+pq=0
    :param a:x^2的系数
    :param b:x的系数
    :param c:pq
    :return:p,q
    """
    par = gmpy2.isqrt(b * b - 4 * a * c)
    return (-b + par) // (2 * a), (-b - par) // (2 * a)
def getGradualFra(cf):
    """计算列表所有的渐近分数
    :param cf: 连分数列表
    :return: 该列表所有的渐近分数
    """
    gf = []
    for i in range(1, len(cf) + 1):
        gf.append(gradualFra(cf[:i]))
    return gf


def wienerAttack(e, n):
    """
    :param e:
    :param n:
    :return: 私钥d
    """
    cf = continuedFra(e, n)
    gf = getGradualFra(cf)
    for d, k in gf:
        if k == 0: continue
        if (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        p, q = solve_pq(1, n - phi + 1, n)
        if p * q == n:
            return d


n=56661243519426563299920058134092862370737397949947210394843021856477420959615132553610830104961645574615005956183703191006421508461009698780382360943562001485153455401650697532951591191737164547520951628336941289873198979641173541232117518791706826699650307105202062429672725308809988269372149027026719779368169

e=36269788044703267426177340992826172140174404390577736281478891381612294207666891529019937732720246602062358244751177942289155662197410594434293004130952671354973700999803850153697545606312859272554835232089533366743867361181786472126124169787094837977468259794816050397735724313560434944684790818009385459207329

c=137954301101369152742229874240507191901061563449586247819350394387527789763579249250710679911626270895090455502283455665178389917777053863730286065809459077858674885530015624798882224173066151402222862023045940035652321621761390317038440821354117827990307003831352154618952447402389360183594248381165728338233

d=wienerAttack(e, n)
m=pow(c, d, n)
print(libnum.n2s(m).decode())

flag{TCMDIEOH2MJFBLKHT2J7BLYZ2WUE5NYR2HNG====}

base32换表,改一下base64换表的脚本,爆破一下得到YZ2T

import base64

a = "TCMDIEOH2MJFBLKHT2J7BLYZ2WUE5NYR2HNG===="

string1 = "GHI45FQRSCX" + "YZ2T" + "UVWJK67DELMNOPAB3"
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

flag = b'flag{'
flag += base64.b32decode(a.translate(str.maketrans(string1, string2))) + b"}"
print(flag)

flag{rsa_and_base_all_right}

posted @ 2021-10-14 22:34  twosmi1e  阅读(1076)  评论(0编辑  收藏  举报