2022 DASCTF Apr X FATE Epidemic-Prevention Challenge Writeup
2022-05-26 10:44
This article is from the "White Hat Community Knowledge Planet" (白帽子社区知识星球).
Author: WHT
WHT team recruitment:
The WHT team welcomes anyone with a strong interest in CTF to join us.
Candidates should have at least half a year of CTF competition experience.
CTFers of every direction are welcome, including but not limited to Web, Misc, Reverse, Crypto and Pwn.
Bonus: CTFers of any direction with more than a year of CTF competition experience.
warmup_php
Challenge source code
//index.php
When an instance of an undefined class is created, the class file is looked up in the /class/ directory; its properties can be assigned, and finally the run method is called.
The class directory in the attachment contains four PHP files.
The ListView file contains the call to run,
and TestView inherits from ListView.
Calling run produces the following chain:
ListView#run -> ListView#renderSection -> arbitrary TestView method ($this->template is controllable)
Note here:
preg_replace_callback("/{(\w+)}/",array($this,'renderSection'),$this->template);
$this->template must take the form "{TableBody}" for /{(\w+)}/ to match,
which then calls TestView#renderTableBody; with $this->data assigned, this enters renderTableRow.
In renderTableRow, $this->rowHtmlOptionsExpression is controllable and is passed to evaluateExpression. TestView inherits from ListView and ListView inherits from Base, and evaluateExpression lives in Base.
$_expression_ is the controlled $this->rowHtmlOptionsExpression value we pass in; it reaches eval, giving command execution.
Reproduction
GET parameter:
action=TestView
POST parameters:
properties[template]={TableBody}&properties[rowHtmlOptionsExpression]=var_dump(system('/readflag'));&properties[data][1]=123
SimpleFlow
foremost
Carving separates out a password-protected archive; in tcp.stream eq 50 we can see the compression being performed.
g479cf6f058cf8
The parameter is where commands are executed; drop the first two characters and base64-decode the rest:
cd "/Users/chang/Sites/test";zip -P PaSsZiPWorD flag.zip ../flag.txt;echo [S];pwd;echo [E]
This yields the archive password; extracting the archive gives the flag.
Yes,this is the flag file.
And the flag is:
DASCTF{f3f32f434eddbc6e6b5043373af95ae8}
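As an added example (not from the writeup), a small decoder for the traffic pattern described above: drop the two-character prefix from the parameter value, base64-decode the remainder, and pull the zip password out of the recovered command. The POST body below is constructed from the writeup's command, not taken from the capture.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

PARAM = "g479cf6f058cf8"        # the parameter that carries the command
COMMAND = ('cd "/Users/chang/Sites/test";zip -P PaSsZiPWorD flag.zip ../flag.txt;'
           'echo [S];pwd;echo [E]')
# Constructed sample body: two junk prefix characters ("Qz") plus base64 of COMMAND,
# URL-encoded as it would travel in an application/x-www-form-urlencoded POST.
SAMPLE_BODY = urlencode({PARAM: "Qz" + base64.b64encode(COMMAND.encode()).decode()})


def decode_param(value, prefix_len=2):
    """Drop the junk prefix, repair '+' mangled to ' ' and missing padding, decode."""
    body = value[prefix_len:].replace(" ", "+")
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body).decode("utf-8", errors="replace")


def decode_body(body, param=PARAM):
    """Return the command hidden in a URL-encoded POST body, or None if absent."""
    values = parse_qs(body).get(param)
    return decode_param(values[0]) if values else None


def zip_password(command):
    """Recover the password from a `zip -P <password> ...` invocation, if present."""
    m = re.search(r"\bzip\b[^;]*?-P\s+(\S+)", command)
    return m.group(1) if m else None
```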
熟悉的猫 (A Familiar Cat)
KeePass Password Safe:
https://keepass.info/news/n220109_2.50.html
A password is required, and the file name hints len5, so brute-force with a password length of five.
Use keepass2john to extract the hash and crunch to generate five-digit numeric passwords.
Brute-forcing five arbitrary characters is unlikely to be intended because the space is large; brute-force challenges usually test simple weak passwords, so first try five digits.
root@kali /home/mochu7/Desktop % file len5.kdbx
len5.kdbx: Keepass password database 2.x KDBX
root@kali /home/mochu7/Desktop % keepass2john len5.kdbx > keepass.txt
root@kali /home/mochu7/Desktop % ls
keepass.txt len5.kdbx password.txt
root@kali /home/mochu7/Desktop % vim keepass.txt
root@kali /home/mochu7/Desktop % ls
keepass.txt len5.kdbx password.txt
root@kali /home/mochu7/Desktop % cat keepass.txt
$keepass$*2*60000*0*202cd1ff66368c31010c30d785cf50b0bfcac3bec4fe987af9da5af836e9c38c*0e759e234e4a52cf5a1701cee13a1e531c399977c5f47e14821451eae209b393*c113ec1c681ac45ba118514db9c56824*c297910345ff2af4c1dca36d09d11b37831b49f91f50e57b7d530e0774614568*13db3f4b7a962fa9dae974f57678c3bca8a98e939d38b3aa3602e8aa61c96d34
root@kali /home/mochu7/Desktop % crunch 5 5 0123456789 -o password.txt
Crunch will now generate the following amount of data: 600000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 100000
crunch: 100% completed generating output
root@kali /home/mochu7/Desktop % ls -lha
total 864K
drwxr-xr-x 2 mochu7 mochu7 256K Apr 23 21:13 .
drwxr-xr-x 22 mochu7 mochu7 4.0K Nov 1 22:36 ..
-rw-r--r-- 1 mochu7 mochu7 50 Dec 25 2020 .directory
-rw-r--r-- 1 root root 313 Apr 23 21:13 keepass.txt
-rw------- 1 mochu7 mochu7 2.1K Apr 9 03:11 len5.kdbx
-rw-r--r-- 1 root root 586K Apr 23 21:08 password.txt
Then brute-force with hashcat. It had already been cracked here, so the result comes straight from the potfile.
root@kali /home/mochu7/Desktop % hashcat -m 13400 keepass.txt -a 0 password.txt --force
hashcat (v6.1.1) starting...
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz, 2868/2932 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
INFO: All hashes found in potfile! Use --show to display them.
Started: Sat Apr 23 21:15:58 2022
Stopped: Sat Apr 23 21:15:58 2022
root@kali /home/mochu7/Desktop % hashcat -m 13400 keepass.txt -a 0 password.txt --force --show
$keepass$*2*60000*0*202cd1ff66368c31010c30d785cf50b0bfcac3bec4fe987af9da5af836e9c38c*0e759e234e4a52cf5a1701cee13a1e531c399977c5f47e14821451eae209b393*c113ec1c681ac45ba118514db9c56824*c297910345ff2af4c1dca36d09d11b37831b49f91f50e57b7d530e0774614568*13db3f4b7a962fa9dae974f57678c3bca8a98e939d38b3aa3602e8aa61c96d34:13152
root@kali /home/mochu7/Desktop %
Password obtained: 13152
Enter the password, then right-click the zipzip entry and copy its password: jbRw5PB2kFmor6IeYYil
hint.txt contains zero-width character steganography.
Anyone who has done Tupper's self-referential formula (塔珀自指公式) challenges should recognise it immediately; find a few implementations online and try them, as some give different results.
import numpy as np
import matplotlib.pyplot as plt
from PIL import Image

a = 22      # rows
b = 160     # columns

def Tupper_self_referential_formula(k):
    # render the 22x160 bitmap encoded by k (a and b replace the usual 17 and 106)
    aa = np.zeros((a, b))
    def f(x, y):
        y += k
        a1 = 2 ** -(-a * x - y % a)
        a2 = (y // a) // a1
        return 1 if a2 % 2 > 0.5 else 0
    for y in range(a):
        for x in range(b):
            aa[y, x] = f(x, y)
    return aa[:, ::-1]
k=92898203278702907929705938676672021500394791427205757369123489204565300324859717082409892641951206664564991991489354661871425872649524078000948199832659815275909285198829276929014694628110159824930931595166203271443269827449505707655085842563682060910813942504507936625555735585913273575050118552353192682955310220323463465408645422334101446471078933149287336241772448338428740302833855616421538520769267636119285948674549756604384946996184385407505456168240123319785800909933214695711828013483981731933773017336944656397583872267126767778549745087854794302808950100966582558761224454242018467578959766617176016660101690140279961968740323327369347164623746391335756442566959352876706364265509834319910419399748338894746638758652286771979896573695823608678008814861640308571256880794312652055957150464513950305355055495262375870102898500643010471425931450046440860841589302890250456138060738689526283389256801969190204127358098408264204643882520969704221896973544620102494391269663693407573658064279947688509910028257209987991480259150865283245150325813888942058
aa = Tupper_self_referential_formula(k)
plt.figure(figsize=(15, 10))
plt.imshow(aa, origin='lower')
plt.savefig("tupper.png")

img = Image.open('flag.png')
# flip
dst1 = img.transpose(Image.FLIP_LEFT_RIGHT).rotate(180)
plt.imshow(dst1)
plt.show()
PS: flip horizontally.
The three values 33, 121 and 141, together with the challenge name and the look of flag.png, suggest an Arnold cat map.
from PIL import Image

img = Image.open('flag.png')
if img.mode == "P":
    img = img.convert("RGB")
assert img.size[0] == img.size[1]      # the cat map needs a square image
dim = width, height = img.size
st = 33     # number of inverse rounds
a = 121
b = 144
for _ in range(st):
    canvas = Image.new(img.mode, dim)
    for nx in range(img.size[0]):
        for ny in range(img.size[0]):
            # inverse cat map: undo one scrambling round
            y = (ny - nx * a) % width
            x = (nx - y * b) % height
            canvas.putpixel((y, x), img.getpixel((ny, nx)))
    img = canvas    # feed this round's result into the next round
img.show()
img.save('ok2.png')
This may take a while to run.
DASCTF{751476c0-6cff-497f-9541-83ede0ebc5a0}
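As an added example (not the writeup's code), the forward Arnold cat map and the inverse step used in the loop above, checked on a constructed integer grid: `st` inverse rounds must undo `st` forward rounds with key (a, b).

```python
def cat_map_forward(grid, a, b):
    """One scrambling round on a square grid[row][col]; returns a new grid."""
    n = len(grid)
    out = [[None] * n for _ in range(n)]
    for r in range(n):
        for c in range(n):
            nr = (r + b * c) % n          # row' = row + b*col
            nc = (c + a * nr) % n         # col' = col + a*row'
            out[nr][nc] = grid[r][c]
    return out


def cat_map_inverse(grid, a, b):
    """One unscrambling round: the same step the decryption loop performs."""
    n = len(grid)
    out = [[None] * n for _ in range(n)]
    for r in range(n):
        for c in range(n):
            nc = (c - a * r) % n          # col = col' - a*row'
            nr = (r - b * nc) % n         # row = row' - b*col
            out[nr][nc] = grid[r][c]
    return out


def apply_rounds(grid, rounds, a, b, inverse=False):
    """Apply `rounds` forward (or inverse) cat-map rounds."""
    step = cat_map_inverse if inverse else cat_map_forward
    for _ in range(rounds):
        grid = step(grid, a, b)
    return grid


def make_grid(n):
    """Constructed test image: every cell holds its own index, so moves are visible."""
    return [[r * n + c for c in range(n)] for r in range(n)]


def roundtrip_ok(n, st, a, b):
    """True if `st` inverse rounds undo `st` forward rounds with key (a, b)."""
    plain = make_grid(n)
    scrambled = apply_rounds(plain, st, a, b)
    return apply_rounds(scrambled, st, a, b, inverse=True) == plain
```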
冰墩墩 (Bing Dwen Dwen)
After extracting the archive (reluctantly, given how unpleasant this kind of challenge is), look at a few files at random. Part of the content is binary data; on closer inspection the longest value is 16 bits and some are shorter. The most significant bit of a 16-bit value must be 1, so the values shorter than sixteen bits presumably need zero-padding on the high side.
While writing a test script, a start.txt turned up, presumably the starting point.
import re
from binascii import *

tmp_filename = 'start.txt'
bin_data = ''
# follow the chain: each file holds a binary chunk, a space, and the name of the next file
while True:
    try:
        file_path = './BinDunDun/' + tmp_filename
        with open(file_path) as f:
            content = f.read()
        next_file = re.findall(r'\w{10}\.txt', content)
        if next_file != []:
            tmp_filename = next_file[0]
            # chunks shorter than 16 bits lost their leading zeros; pad them back
            bin_data += content[:content.find(' ')].zfill(16)
        else:
            print(file_path)
            break
    except:
        break
hex_data = ''
with open('BinDunDun.zip', 'wb') as f1:
    for i in range(0, len(bin_data), 8):
        hex_data += '{:02x}'.format(int(bin_data[i:i+8], 2))
    f1.write(unhexlify(hex_data))
Extract the resulting archive; the image file needs its header repaired and a file extension added.
BinDunDun.pyc
Decompiling the pyc shows the Python code that draws Bing Dwen Dwen, which is available online; there are no clues in it, so try pyc steganography.
root/mnt/d/Tools/Misc/stegosaurus# ls
BinDunDun.pyc CONTRIBUTORS.md LICENSE README.md sample.py stegosaurus stegosaurus.py steg.pyc
root/mnt/d/Tools/Misc/stegosaurus# ./stegosaurus -x BinDunDun.pyc
Extracted payload: BingD
Guessing this is a password, try the various JPG steganography tools; in the end it is JPHS5.
PS C:\Users\Administrator> php -r "var_dump(base64_decode('REFTQ1RGe0dvb2RfSm9kX0dpdmVfVGhlX0ZGRkZMQGdfVG9fWW91IX0='));"
Command line code:1:
string(41) "DASCTF{Good_Jod_Give_The_FFFFL@g_To_You!}"
Crypto
easy_real
# -*- encoding: utf-8 -*-
'''
@File : 1.py
@Time : 2022/04/23 10:21:35
@Author : David
@Version : 1.0
'''
import random
import hashlib, gmpy2
from Crypto.Util.number import *

p = 64310413306776406422334034047152581900365687374336418863191177338901198608319
n = 4197356622576696564490569060686240088884187113566430134461945130770906825187894394672841467350797015940721560434743086405821584185286177962353341322088523
c = 3298176862697175389935722420143867000970906723110625484802850810634814647827572034913391972640399446415991848730984820839735665233943600223288991148186397
# e is the small integer whose MD5 matches the digest given in the challenge
# for i in range(1, 100):
#     if hashlib.md5(str(i).encode()).hexdigest() == "37693cfc748049e45d87b8c7d8b9aacd":
#         e = i
#         break
e = 23
q = n // p                        # integer division: p is one prime factor of n
d = gmpy2.invert(e, (p - 1) * (q - 1))
m = pow(c, d, n)
xored = long_to_bytes(m)
# the plaintext was XORed with a single small byte; try each key
for i in range(1, 10):
    print("".join(chr(j ^ i) for j in xored))
flag{W31coM3_C0m3_7o_f4T3ctf}
specialRSA
In this challenge e is not coprime to phi, with gcd(e, phi) = e, so try the AMM algorithm. There are 26 layers, and the m recovered at each layer is the c of the next. Each layer may yield several m, but because each layer's c is smaller than the current n, the recovered m must be smaller than the next layer's n. Using this as a filter leaves at most two m per layer, which are tried in turn until the chain runs through.
# Sage script (run with sage)
import random

def AMM(o, r, q):
    # Adleman-Manders-Miller: one r-th root of o in GF(q), r prime with r | q-1
    g = GF(q)
    o = g(o)
    p = g(random.randint(1, q))
    while p ^ ((q - 1) // r) == 1:      # pick a non-r-th-residue
        p = g(random.randint(1, q))
    t = 0
    s = q - 1
    while s % r == 0:                   # q-1 = r^t * s
        t += 1
        s = s // r
    k = 1
    while (k * s + 1) % r != 0:
        k += 1
    alp = (k * s + 1) // r
    a = p ^ (r ** (t - 1) * s)
    b = o ^ (r * alp - 1)
    c = p ^ s
    h = 1
    for i in range(1, t):
        d = b ^ (r ^ (t - 1 - i))
        if d == 1:
            j = 0
        else:
            # print('[+] Calculating DLP...')
            j = - discrete_log(d, a)
            # print('[+] Finish DLP...')
        b = b * (c ^ r) ^ j
        h = h * c ^ j
        c = c ^ r
    result = o ^ alp * h
    return result

def findAllPRoot(p, e):
    # all e-th roots of unity mod p, sampled until every one has been seen
    proot = set()
    while len(proot) < e:
        proot.add(pow(random.randint(2, p - 1), (p - 1) // e, p))   # line reconstructed; truncated in the source
    return proot

def findAllSolutions(mp, proot, cp, p):
    # every e-th root of cp mod p: one root times each root of unity
    all_mp = set()
    for root in proot:
        mp2 = mp * root % p
        assert (pow(mp2, e, p) == cp)
        all_mp.add(mp2)
    return all_mp
n = [1134876149917575363176366704410565158549594427794901202977560677131703617,
68506321231437453734007374706367120760326482177047006099953454136095248103663,
7783503593765446343363083302704731608384677185199537317445372251030064778965500447,
1070135687488356161164202697449500843725645617129661751744246979913699130211505096520493,
84012402115704505952834528733063574032699054524475028392540927197962976150657887637275643641,
4497278582433699034700211877087309784829036823057043402314297478185216205338241432310114079123771,
222438508972972285373674471797570608108219830357859030918870564627162064662598790037437036093579139489,
19116847751264029874551971240684579996570601026679560309305369168779130317938356692609176166515369250878437,
1549903986709797721131070830901667744892392382636347158789834851868638863292232718716074359148785900673192362699,
62387766690725996279968636478698222263235233511074646032501495855928095611796694112573478405813305623307157261619643,
1496134688150941811618178638810353297864345150241986530472328508974364124440160181353848429438725939837967063441528305921,
128744123633657656499069966444992201456797762973822340505291131642660343436783413140023509983315177426811890315424928661125061,
6917342652058596217869122177298094984415751234677039849514181349685079073411591975537016273056773954075238307918266361998553646469,
1999306851167477770905800721615579416365273707414308684419794311809177595829473632853128686208533753019224536487399393397120864878000113,
138594056023048386926766329537127538558164718841925506735112367176642328352257472034381662493666299220910783237918231719166519833124529218331,
8397272388904583425531462714999219642572091279898695377838194583995214737828538895164195817973441184775814069396690436662985593377966417476040659,
83372889332166088651413254885376085265561130214754686361784964744744711092668473281132249352040520639092871294276293287744276919265091479681667169671,
10684953914628370830889219903654707140968094024767031366624595731918523435466123514094659595357231410471738736952266383928737163485550013190959149252435167,
428359134899960532964729749713513106760306719712194950954567619156985067322564731294653991204666853689688900339268764469280769569535109069729404621290809120793,
24491413133428851306933688733518898516890217803647806829002775935975741568422047344206442746983871735723486865901743352102305801200224958166496937663406627341150101,
2247517335600310176909964109060502815240207684510918447209767597511414934626668616704865548059751008841620288545344598917362752622130186820039265603312354963258673860579,
157978379942536176944325875241196121764116712487226808271002140500926678942090491383544034591205964958130852055691446362753906164711087278555153881606839791499207025307202087,
43938571869497484913682975192955012614794498816057204091016374302341854100775132924321569876797699342959191646206571444845883942305710956894334106963321644724361549027630634869933,
2609065298534470914730686454716224905333131812890643378630636043224255484662185236061585264231004975072801053316107165770342161619265243081616632312934742288262985830181883449780965531,
222235907202454132555071455958700740228567465616560859711214102245461514428187391909176054661864893645713338391509536653547350134615807194339839952004333949540567943568810413945779642106201,
44890472824427626252451120059527486677662371033945481542195354255473403815853320591468917295474578271680865394304946847791535710766947049195816261224382109115684638995528332538466194474846836399,
1062789633774349417938788353001516763303743389381120380522262327123099728631034935663418832664265833959487018276693680850987382421521055508477988016246558095545925414048663082368488342633334571240563]
tmp_n = n[::-1]
# factor every N with factordb to get p and q
pq = [[978009050697262759337388871320370165458800566798280419667959552859180906066907114053826258140106617,
1086686910531802445146659484012613083647370307628438760118376029969836222533970554565751069314622539],
[5952590790902091635268726673538951527433355660839816621733964706901441977862333411532558667717227,
7541333580839789645678699855290145212677767915429008863004397257213367753100058966625356835737037],
[14702310219802004876082313481498680940324963613770096574742182597840558294030859405666549879531,
15115713372931874518523751684548940147062395364112500028355694776530968944848166318295947674571],
[43870497594014737833600078975099212558645315030912084285417550950854483979406797450479252891,
59471978701477648587546053450213894562580907285714122639903144859545186463681183925646967041],
[206721456778089912780641186795393376537372828449722520397829606593267585681448641482345737,
212549643149353357950643557614966235999942509894271006476145929120541407503538644651435909],
[368461902207817023013078031477042541053987571003677386333567043030477451518424731838173,
428750921047556327595864876619292414694543668237320723518704707914310601565770504401619],
[1328165608715012145707239303399129070657427496129541416861187541092152796676371237057,
1692196606246085729483398884059069884182535824953762329164855466589577530953493347747],
[4479430800690915874719403516331677127806963529247809966024777708496270901092401687,
5467527956822382309398095704409409074818664888285375307055715842283183939297839923],
[15874438801602936764330936047390981280096007684699625987478211613419079727910193,
26984206512970181742033712455904984758134288864531714209886622060356697128804201],
[102366458668689911004027849640392002821642295855327735994412634235696717329671,
104379442774418262390337411577160146519860415840398189010112686742489182665577],
[262775599542220820608778738911414710660835549772895468394761119434220071003,
317277895959173163347650321012213555955385929418622006880521870012130207557],
[2623629589005115152329094552749299711026240699896424120660145647226563547,
3200631836176555526009533059891690177091538103904679780020639896015937897],
[11136261905010083405430254612464029672882837025885682392810368001188527,
12445294229358634680867170058509842935273054334385354032543323581223253],
[43449898447639409732732812916430042263570178747794530133229640125923,
46014074200352892806829193743016415423205917845271691428043440245531],
[66882708962198932251728043152245270662769508317424500666902658099,
103424977238409568447978495499643051307907366367259219393937014631],
[350121371461894793578110243222665782247737840410076591434903787,
367712839396521757736384350030802803477965822058616833553305103],
[954412804126450754097808991490470782833291028309980575506163,
1567597041534155679238655992215022394597376421096298363211067],
[6623023178993627032758350846838617937710601663528839184727,
9419832152875820180139633405089278278408407453522978357309],
[37185691759470013533730603170661686570987787098353146897,
41680117092754807988080699273322244961911189757589699867],
      # the first factor of each of the remaining eight pairs was lost from the page;
      # refactor the matching n (tmp_n[19..26]) with factordb and fill it in
      [None, 140758317578347635848563045232314610161039815135897421],
      [None, 576581905150085393327734090419529952232186498060949],
      [None, 2714357008989072105081411295741540337141142641741],
      [None, 10726403821316775206273675267109184566904426261],
      [None, 43974782968656404951924524450501283426052127],
      [None, 88380889077762105057154017276462714444697],
      [None, 295185057334340451492588650872876746227],
      [None, 1189933229053113361422958527792232151]]
c = 1028324919038104683475485759234995158466543298184637219012354053883391759172761125802189697762778242175407876548832454351014064525118465877297277847501477586955680645311999174005606833294172830817159
e = 113
# cache of the correct m found in each round
mmm = [
34477005676820162206313524350718388995388964361111914461122792945404747258640626572519670215765749828347378102656628531443002193905830917576501911098980764185815997345702819264240009751148442426,
122251474355770407049299923720807002619294038964768766444097932240736660221208587524190952184175408395327264273947998924572358674189845633957638043199338228060748873522292564061697159084155,
2302982988306130873718678248046965635619977122378875400979845776887964102490919700970705411214473299613671701762260147495040038609477011076066320527267277326015932285789720472919789158,
23537451475264654783397519677185909863292665248941544646127041892810699254693157668878272163047447965494360147684605330696871807540713768499564637999043110095219692999410680226995,
140177373424899679430074829392928313477693819706173332758040927339401517742208025981523425936186925200196496612125625456430631622632150834127049737384042503028994857458226467,
963130018196161068022561826136699615972631158326273266709450636152057794259408910239684181019014240059847446622341252471979045951190123708301480386597157821916163544334,
22099780396461829722379389411334090279609060431701121609182515723815260652756755053990706324709932514832032225698612585831935469922880299786763383240418382919799321,
105203615092085867196180713024031580953262645244470745062806287628728083957360817366488801411967688912343820375347382249694217193012009121220949533257603223298,
2770807474173138559681583722575063626632396109101990628426422882126692567611876893424492013746533498499436328221834686503730687608977519563790607788117242,
79522563507420097241671540749267415107213223614814036174487708662964551801437232540659877853816396875693921978483029788328787752167530021794795431857,
2037298899016874045219277999643220063198097234557335235921481885211253636813115803603315238074035822211603707964528777576900935877949510316646223,
91620534205913166538263094639686621545207290194630647497982781366417941090195313655420047805846906050555821244135842146392017800438719304994,
634223615344447851225076194238185184332604736515528218505996221339671015125769748828654573318605955936504358040759056745442253727290998,
1151747077760886031968395300122212971249677857649906015143598211944659498637807719069388997270109028927478629593266598515428543599,
4885555691619901252961116690244561429850119193038756404218077274265730135140315447675335151534535632576283303735514949638673,
441483827088168645513094641426499891374571558703981036806090540801685962515269086990244001450093104554187188047355883908,
50746207344403804443969898876160025928774123141871973214027095925794652197169084777221214441362057146919986427284274,
851834034713920072016294826766890940103178167607817794715692270318536007164857863881508649769981422663639184163,
5772224180179962397158418478468305994920422145855450551932850591253169055736728137194928021864521464661511,
201270414263671865648131358230135006175090857068415686069148837994386901812348962669414590276244279652,
1631195497375922229848480131202350147418728908365651197102485655617240528564830722486663140830762,
83436593835736927783034931301466249878138772728555530531816534785622373800125814331410735801,
612402625116056383171913080691265536933185153779141510100715847406642891544437819056399,
7523449601904104920623925101649366402016181450187359849499567637389273313904203215,
23388304805925808822689623463866376122782272519632037291479310043364093060855
]
for i in range(len(n)):
    if i < len(mmm):
        c = mmm[i]
        print(i, ":", c)    # print call reconstructed; the line was truncated in the source
        continue
    f = 1
    # bound for the filter: the next (smaller) layer's modulus
    if i + 1 == len(n):
        nnn = tmp_n[i]
    else:
        nnn = tmp_n[i + 1]
    p = pq[i][0]
    q = pq[i][1]
    cp = c % p
    cq = c % q
    mp = AMM(cp, e, p)
    mq = AMM(cq, e, q)
    p_proot = findAllPRoot(p, e)
    q_proot = findAllPRoot(q, e)
    mps = findAllSolutions(mp, p_proot, cp, p)
    mqs = findAllSolutions(mq, q_proot, cq, q)
    for mpp in mps:
        for mqq in mqs:
            solution = CRT_list([int(mpp), int(mqq)], [p, q])
            if i == 26:
                try:
                    flag = bytes.fromhex(hex(solution)[2:])
                    if b'DASCTF' in flag:
                        print(flag)
                except:
                    pass
            if solution < nnn:
                # print(i, solution)
                if f:
                    c = solution
                    f = 0
#b'DASCTF{s4g3m4th_i5_co0l!}'
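As an added example (not the writeup's code), a plain-Python port of the AMM routine above together with the all-roots enumeration and the m < next-n filter the writeup describes, run on two constructed toy primes (227 and 1583, both 1 mod 113) instead of the challenge's moduli, so it runs without Sage.

```python
import random

E = 113          # the challenge's public exponent; e divides p-1 and q-1 in every layer
P, Q = 227, 1583  # constructed toy primes with E | P-1 and E | Q-1 (not the challenge's)


def amm(o, r, q):
    """Adleman-Manders-Miller: one r-th root of the r-th residue o mod prime q
    (r prime, r | q-1). Plain-Python port of the Sage routine in the writeup."""
    o %= q
    if o == 0:
        return 0
    while True:                                    # random non-r-th-residue
        rho = random.randrange(2, q)
        if pow(rho, (q - 1) // r, q) != 1:
            break
    t, s = 0, q - 1                                # q-1 = r**t * s, r does not divide s
    while s % r == 0:
        t, s = t + 1, s // r
    k = 1
    while (k * s + 1) % r:
        k += 1
    alp = (k * s + 1) // r
    a = pow(rho, r ** (t - 1) * s, q)              # generates the order-r subgroup
    b = pow(o, r * alp - 1, q)
    c = pow(rho, s, q)
    h = 1
    for i in range(1, t):
        d = pow(b, r ** (t - 1 - i), q)
        # d lies in <a>, so the discrete log is a brute-force search over r values
        j = 0 if d == 1 else -next(x for x in range(r) if pow(a, x, q) == d)
        b = b * pow(pow(c, r, q), j % (q - 1), q) % q
        h = h * pow(c, j % (q - 1), q) % q
        c = pow(c, r, q)
    return pow(o, alp, q) * h % q


def all_roots(o, r, q):
    """Every r-th root of o mod q: one AMM root times each r-th root of unity."""
    units = set()
    while len(units) < r:                          # sample until all r roots of unity seen
        units.add(pow(random.randrange(2, q), (q - 1) // r, q))
    base = amm(o, r, q)
    return {base * w % q for w in units}


def crt(mp, p, mq, q):
    """Combine residues mod p and mod q into one residue mod p*q."""
    return (mp + p * ((mq - mp) * pow(p, -1, q) % q)) % (p * q)


def decrypt_layer(c, p, q, bound, e=E):
    """All m with m^e = c mod p*q and m < bound (the next, smaller layer's n)."""
    found = set()
    for mp in all_roots(c % p, e, p):
        for mq in all_roots(c % q, e, q):
            m = crt(mp, p, mq, q)
            if m < bound:
                found.add(m)
    return found
```

With the real moduli the bound cuts the e*e candidates down to the one or two the writeup mentions; on the toy primes it still keeps the true m while discarding most of the 12769 roots.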