2022DASCTF Apr X FATE 防疫挑战赛WP

白帽子社区

共 22991字,需浏览 46分钟

 ·

2022-05-26 10:44

本文来自“白帽子社区知识星球”

作者:WHT



白帽子社区知识星球

加入星球,共同进步

WHT战队招新:


  • WHT战队欢迎对CTF有浓厚兴趣的师傅加入我们。

  • 有半年以上CTF竞赛经验的。

  • 包括但不限于Web、Misc、Reverse、Crypto、Pwn等各方向的CTFer加入。

  • 加分项:有一年以上CTF竞赛经验的各方向CTFer。


    有意向的师傅请扫描二维码联系我们

01

Web

  • warmup_php

题目源码

//index.php



创建一个未定义的类实例时会从/class/目录下的类文件里寻找,并且属性可以赋值,最后调用run方法

附件给的class目录下有4个php文件


在ListView文件里有run方法的调用

而TestView继承自ListView




当调用run方法时会有以下调用链

ListView#run->ListView#renderSection->TestView任意方法($this->template可控)

这里注意

preg_replace_callback("/{(\w+)}/",array($this,'renderSection'),$this->template);

令$this->template="{TableBody}"这种形式才会被/{(\w+)}/匹配到

从而调用TestView#renderTableBody方法,给$this->data赋值,在这里进入renderTableRow方法


renderTableRow方法中$this->rowHtmlOptionsExpression可控,进入evaluateExpression方法,因为TestView继承自ListView,而ListView继承自Base,我们可以在Base中找到evaluateExpression方法



$_expression_是我们传入可控的$this->rowHtmlOptionsExpression值,进入eval函数实现命令执行


 

漏洞复现

 

 

GET参数:

action=TestView

 

POST参数:

properties[template]={TableBody}&properties[rowHtmlOptionsExpression]=var_dump(system('/readflag'));&properties[data][1]=123


02

Misc


  • SimpleFlow

 

 

foremost 分离得到压缩包,有密码,在 tcp.stream eq 50 可发现进行了压缩处理

 

 

g479cf6f058cf8 传参是执行命令的地方,截断两位以后的字符进行base64解码

 

cd "/Users/chang/Sites/test";zip -P PaSsZiPWorD flag.zip ../flag.txt;echo [S];pwd;echo [E]


得到压缩密码,解压得到flag

 

Yes,this is the flag file.And the flag is:DASCTF{f3f32f434eddbc6e6b5043373af95ae8}


  • 熟悉的猫


KeePass Password Safe:

https://keepass.info/news/n220109_2.50.html



需要密码,文件名提示len5,爆破,密码长度为五位

keepass2john获取hash,crunch生成五位数字密码


这里爆破五位密码,猜测不太可能范围比较广,考爆破一般都是考一些简单的弱口令,所以首先猜测一下是不是五位数字


root@kali /home/mochu7/Desktop % file len5.kdbx len5.kdbx: Keepass password database 2.x KDBXroot@kali /home/mochu7/Desktop % keepass2john len5.kdbx > keepass.txtroot@kali /home/mochu7/Desktop % lskeepass.txt  len5.kdbx  password.txtroot@kali /home/mochu7/Desktop % vim keepass.txt root@kali /home/mochu7/Desktop % lskeepass.txt  len5.kdbx  password.txtroot@kali /home/mochu7/Desktop % cat keepass.txt $keepass$*2*60000*0*202cd1ff66368c31010c30d785cf50b0bfcac3bec4fe987af9da5af836e9c38c*0e759e234e4a52cf5a1701cee13a1e531c399977c5f47e14821451eae209b393*c113ec1c681ac45ba118514db9c56824*c297910345ff2af4c1dca36d09d11b37831b49f91f50e57b7d530e0774614568*13db3f4b7a962fa9dae974f57678c3bca8a98e939d38b3aa3602e8aa61c96d34root@kali /home/mochu7/Desktop % crunch 5 5 0123456789 -o password.txtCrunch will now generate the following amount of data: 600000 bytes0 MB0 GB0 TB0 PBCrunch will now generate the following number of lines: 100000 
crunch: 100% completed generating outputroot@kali /home/mochu7/Desktop % ls -lhatotal 864Kdrwxr-xr-x 2 mochu7 mochu7 256K Apr 23 21:13 .drwxr-xr-x 22 mochu7 mochu7 4.0K Nov 1 22:36 ..-rw-r--r-- 1 mochu7 mochu7 50 Dec 25 2020 .directory-rw-r--r-- 1 root root 313 Apr 23 21:13 keepass.txt-rw------- 1 mochu7 mochu7 2.1K Apr 9 03:11 len5.kdbx-rw-r--r-- 1 root root 586K Apr 23 21:08 password.txt


然后利用hashcat爆破即可,这里爆破过了,所以直接出了


root@kali /home/mochu7/Desktop % hashcat -m 13400 keepass.txt -a 0 password.txt --forcehashcat (v6.1.1) starting...
You have enabled --force to bypass dangerous warnings and errors!This can hide serious problems and should only be done when debugging.Do not report hashcat issues encountered when using --force.OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]=============================================================================================================================* Device #1: pthread-Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz, 2868/2932 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0Maximum password length supported by kernel: 256
INFO: All hashes found in potfile! Use --show to display them.
Started: Sat Apr 23 21:15:58 2022Stopped: Sat Apr 23 21:15:58 2022root@kali /home/mochu7/Desktop % hashcat -m 13400 keepass.txt -a 0 password.txt --force --show$keepass$*2*60000*0*202cd1ff66368c31010c30d785cf50b0bfcac3bec4fe987af9da5af836e9c38c*0e759e234e4a52cf5a1701cee13a1e531c399977c5f47e14821451eae209b393*c113ec1c681ac45ba118514db9c56824*c297910345ff2af4c1dca36d09d11b37831b49f91f50e57b7d530e0774614568*13db3f4b7a962fa9dae974f57678c3bca8a98e939d38b3aa3602e8aa61c96d34:13152root@kali /home/mochu7/Desktop %


得到密码:13152


输入密码进去,把zipzip的密码右键复制出来:jbRw5PB2kFmor6IeYYil

hint.txt有零宽度字符隐写



做过塔珀自指公式(Tupper's self-referential formula)题目的应该很明显看得出来,网上找几个多试试即可,有些可能出来的结果不同


import numpy as npimport matplotlib.pyplot as pltfrom PIL import Imagea=22b=160def Tupper_self_referential_formula(k):     aa = np.zeros((a,b))    def f(x, y):        y += k        a1 = 2**-(-a*x - y%a)        a2 = (y // a) // a1        return 1 if a2 % 2 > 0.5 else 0    for y in range(a):        for x in range(b):            aa[y, x] = f(x, y)     return aa[:,::-1]
k=92898203278702907929705938676672021500394791427205757369123489204565300324859717082409892641951206664564991991489354661871425872649524078000948199832659815275909285198829276929014694628110159824930931595166203271443269827449505707655085842563682060910813942504507936625555735585913273575050118552353192682955310220323463465408645422334101446471078933149287336241772448338428740302833855616421538520769267636119285948674549756604384946996184385407505456168240123319785800909933214695711828013483981731933773017336944656397583872267126767778549745087854794302808950100966582558761224454242018467578959766617176016660101690140279961968740323327369347164623746391335756442566959352876706364265509834319910419399748338894746638758652286771979896573695823608678008814861640308571256880794312652055957150464513950305355055495262375870102898500643010471425931450046440860841589302890250456138060738689526283389256801969190204127358098408264204643882520969704221896973544620102494391269663693407573658064279947688509910028257209987991480259150865283245150325813888942058aa = Tupper_self_referential_formula(k)plt.figure(figsize=(15,10))plt.imshow(aa,origin='lower')plt.savefig("tupper.png")img = Image.open('flag.png')#翻转dst1 = img.transpose(Image.FLIP_LEFT_RIGHT).rotate(180) plt.imshow(dst1)plt.show()



PS水平翻转一下

三个数值33121141,结合题目名称以及flag.png的特征,猜测猫变换


from PIL import Image
img = Image.open('flag.png')if img.mode == "P": img = img.convert("RGB")assert img.size[0] == img.size[1]dim = width, height = img.size
st = 33a = 121b = 144for _ in range(st): with Image.new(img.mode, dim) as canvas: for nx in range(img.size[0]): for ny in range(img.size[0]): y = (ny - nx * a) % width x = (nx - y * b) % height canvas.putpixel((y, x), img.getpixel((ny, nx)))canvas.show()canvas.save('ok2.png')


可能会运行的久一点


DASCTF{751476c0-6cff-497f-9541-83ede0ebc5a0}


  • 冰墩墩


解压出来(虽然不愿意解压这样的恶心题目),随机观察一下



一部分是二进制数据,这里仔细观察发现最长是16位,有些则没有16位,

但是没有16位,但是没有16位的二进制最高位肯定是1,猜测不足十六位的

需要补高。

并且在写脚本测试的时候,发现了一个start.txt,猜测就是从这里开



import refrom binascii import *

tmp_filename = 'start.txt'bin_data = ''while True: try: file_path = './BinDunDun/' + tmp_filename with open(file_path) as f: content = f.read() next_file = re.findall(r'\w{10}\.txt', content) if next_file != []: tmp_filename = next_file[0] bin_data += content[:content.find(' ')].zfill(16) else: print(file_path) break except: break
hex_data = ''with open('BinDunDun.zip', 'wb') as f1: for i in range(0, len(bin_data), 8): hex_data += '{:02x}'.format(int(bin_data[i:i+8], 2)) f1.write(unhexlify(hex_data))


得到压缩包解压,图片文件修改文件头,添加后缀名


BinDunDun.pyc用pyc反编译看了下是画冰墩墩的Python代码,网上有,

没有啥线索,尝试pyc隐写


root@mochu7-pc:/mnt/d/Tools/Misc/stegosaurus# lsBinDunDun.pyc  CONTRIBUTORS.md  LICENSE  README.md  sample.py  stegosaurus  stegosaurus.py  steg.pycroot@mochu7-pc:/mnt/d/Tools/Misc/stegosaurus# ./stegosaurus -x BinDunDun.pycExtracted payload: BingD@nD@n_in_BeiJing_Winter_Olympicsroot@mochu7-pc:/mnt/d/Tools/Misc/stegosaurus#


猜测是密码,尝试jpg各种隐写,最后发现是JPHS5


PS C:\Users\Administrator> php -r "var_dump(base64_decode('REFTQ1RGe0dvb2RfSm9kX0dpdmVfVGhlX0ZGRkZMQGdfVG9fWW91IX0='));"Command line code:1:string(41) "DASCTF{Good_Jod_Give_The_FFFFL@g_To_You!}"

03

Crypto


  • easy_real


# -*- encoding: utf-8 -*-'''@File    :   1.py@Time    :   2022/04/23 10:21:35@Author  :   David@Version :   1.0'''
import randomimport hashlib, gmpy2from Crypto.Util.number import *
p = 64310413306776406422334034047152581900365687374336418863191177338901198608319n = 4197356622576696564490569060686240088884187113566430134461945130770906825187894394672841467350797015940721560434743086405821584185286177962353341322088523c = 3298176862697175389935722420143867000970906723110625484802850810634814647827572034913391972640399446415991848730984820839735665233943600223288991148186397# for i in range(1,100):# if hashlib.md5(str(i)).hexdigest() == "37693cfc748049e45d87b8c7d8b9aacd":# e=i# breake = 23q = n / pd = gmpy2.invert(e, (p-1)*(q-1))m = pow(c, d, n)xored = (long_to_bytes(m))for i in range(1,10): print("".join(chr(ord(j)^i) for j in xored))


flag{W31coM3_C0m3_7o_f4T3ctf}


 

  • specialRSA


题目中e与phi互素且gcd(e,phi)=e,尝试AMM算法。共有26层,将每层解出来的m为下一层的c。每层的m可能会有多解,又因为每层的c小于当前的n。因此解出来的m小于下一层的n。可以做限定条件,最后每层至多得到两个m,分别尝试,最后跑通。


import random

def AMM(o, r, q): g = GF(q) o = g(o) p = g(random.randint(1, q)) while p ^ ((q - 1) // r) == 1: p = g(random.randint(1, q))
t = 0 s = q - 1 while s % r == 0: t += 1 s = s // r k = 1 while (k * s + 1) % r != 0: k += 1 alp = (k * s + 1) // r
a = p ^ (r ** (t - 1) * s) b = o ^ (r * alp - 1) c = p ^ s h = 1 for i in range(1, t): d = b ^ (r ^ (t - 1 - i)) if d == 1: j = 0 else: # print('[+] Calculating DLP...') j = - discrete_log(d, a) # print('[+] Finish DLP...') b = b * (c ^ r) ^ j h = h * c ^ j c = c ^ r result = o ^ alp * h
return result

def findAllPRoot(p, e): proot = set() while len(proot) < e: proot.add(pow(random.randint(2, p - 1), (p - 1) // e, p))
return proot

def findAllSolutions(mp, proot, cp, p): all_mp = set() for root in proot: mp2 = mp * root % p assert (pow(mp2, e, p) == cp) all_mp.add(mp2)
return all_mp

n = [1134876149917575363176366704410565158549594427794901202977560677131703617, 68506321231437453734007374706367120760326482177047006099953454136095248103663, 7783503593765446343363083302704731608384677185199537317445372251030064778965500447, 1070135687488356161164202697449500843725645617129661751744246979913699130211505096520493, 84012402115704505952834528733063574032699054524475028392540927197962976150657887637275643641, 4497278582433699034700211877087309784829036823057043402314297478185216205338241432310114079123771, 222438508972972285373674471797570608108219830357859030918870564627162064662598790037437036093579139489, 19116847751264029874551971240684579996570601026679560309305369168779130317938356692609176166515369250878437, 1549903986709797721131070830901667744892392382636347158789834851868638863292232718716074359148785900673192362699, 62387766690725996279968636478698222263235233511074646032501495855928095611796694112573478405813305623307157261619643, 1496134688150941811618178638810353297864345150241986530472328508974364124440160181353848429438725939837967063441528305921, 128744123633657656499069966444992201456797762973822340505291131642660343436783413140023509983315177426811890315424928661125061, 6917342652058596217869122177298094984415751234677039849514181349685079073411591975537016273056773954075238307918266361998553646469, 1999306851167477770905800721615579416365273707414308684419794311809177595829473632853128686208533753019224536487399393397120864878000113, 138594056023048386926766329537127538558164718841925506735112367176642328352257472034381662493666299220910783237918231719166519833124529218331, 8397272388904583425531462714999219642572091279898695377838194583995214737828538895164195817973441184775814069396690436662985593377966417476040659, 83372889332166088651413254885376085265561130214754686361784964744744711092668473281132249352040520639092871294276293287744276919265091479681667169671, 10684953914628370830889219903654707140968094024767031366624595731918523435466123514094659595357231410471738736952266383928737163485550013190959149252435167, 428359134899960532964729749713513106760306719712194950954567619156985067322564731294653991204666853689688900339268764469280769569535109069729404621290809120793, 24491413133428851306933688733518898516890217803647806829002775935975741568422047344206442746983871735723486865901743352102305801200224958166496937663406627341150101, 2247517335600310176909964109060502815240207684510918447209767597511414934626668616704865548059751008841620288545344598917362752622130186820039265603312354963258673860579, 157978379942536176944325875241196121764116712487226808271002140500926678942090491383544034591205964958130852055691446362753906164711087278555153881606839791499207025307202087, 43938571869497484913682975192955012614794498816057204091016374302341854100775132924321569876797699342959191646206571444845883942305710956894334106963321644724361549027630634869933, 2609065298534470914730686454716224905333131812890643378630636043224255484662185236061585264231004975072801053316107165770342161619265243081616632312934742288262985830181883449780965531, 222235907202454132555071455958700740228567465616560859711214102245461514428187391909176054661864893645713338391509536653547350134615807194339839952004333949540567943568810413945779642106201, 44890472824427626252451120059527486677662371033945481542195354255473403815853320591468917295474578271680865394304946847791535710766947049195816261224382109115684638995528332538466194474846836399, 1062789633774349417938788353001516763303743389381120380522262327123099728631034935663418832664265833959487018276693680850987382421521055508477988016246558095545925414048663082368488342633334571240563]tmp_n = n[::-1]#factordb 分解全部N得到pqpq = [[978009050697262759337388871320370165458800566798280419667959552859180906066907114053826258140106617, 1086686910531802445146659484012613083647370307628438760118376029969836222533970554565751069314622539], [5952590790902091635268726673538951527433355660839816621733964706901441977862333411532558667717227, 7541333580839789645678699855290145212677767915429008863004397257213367753100058966625356835737037], [14702310219802004876082313481498680940324963613770096574742182597840558294030859405666549879531, 15115713372931874518523751684548940147062395364112500028355694776530968944848166318295947674571], [43870497594014737833600078975099212558645315030912084285417550950854483979406797450479252891, 59471978701477648587546053450213894562580907285714122639903144859545186463681183925646967041], [206721456778089912780641186795393376537372828449722520397829606593267585681448641482345737, 212549643149353357950643557614966235999942509894271006476145929120541407503538644651435909], [368461902207817023013078031477042541053987571003677386333567043030477451518424731838173, 428750921047556327595864876619292414694543668237320723518704707914310601565770504401619], [1328165608715012145707239303399129070657427496129541416861187541092152796676371237057, 1692196606246085729483398884059069884182535824953762329164855466589577530953493347747], [4479430800690915874719403516331677127806963529247809966024777708496270901092401687, 5467527956822382309398095704409409074818664888285375307055715842283183939297839923], [15874438801602936764330936047390981280096007684699625987478211613419079727910193, 26984206512970181742033712455904984758134288864531714209886622060356697128804201], [102366458668689911004027849640392002821642295855327735994412634235696717329671, 104379442774418262390337411577160146519860415840398189010112686742489182665577], [262775599542220820608778738911414710660835549772895468394761119434220071003, 317277895959173163347650321012213555955385929418622006880521870012130207557], [2623629589005115152329094552749299711026240699896424120660145647226563547, 3200631836176555526009533059891690177091538103904679780020639896015937897], [11136261905010083405430254612464029672882837025885682392810368001188527, 12445294229358634680867170058509842935273054334385354032543323581223253], [43449898447639409732732812916430042263570178747794530133229640125923, 46014074200352892806829193743016415423205917845271691428043440245531], [66882708962198932251728043152245270662769508317424500666902658099, 103424977238409568447978495499643051307907366367259219393937014631], [350121371461894793578110243222665782247737840410076591434903787, 367712839396521757736384350030802803477965822058616833553305103], [954412804126450754097808991490470782833291028309980575506163, 1567597041534155679238655992215022394597376421096298363211067], [6623023178993627032758350846838617937710601663528839184727, 9419832152875820180139633405089278278408407453522978357309], [37185691759470013533730603170661686570987787098353146897, 41680117092754807988080699273322244961911189757589699867], [135813272566456906193934636644217527100917542578856697, 140758317578347635848563045232314610161039815135897421], [385788223643735590500185001710758495904528462058461, 576581905150085393327734090419529952232186498060949], [1656848589754467667368312855929759764100120657831, 2714357008989072105081411295741540337141142641741], [7832299017937880395583715032476962329929226581, 10726403821316775206273675267109184566904426261], [24335212484189159197840692460327461505035059, 43974782968656404951924524450501283426052127], [88067722275537586769787599991567203589751, 88380889077762105057154017276462714444697], [232079231415308325450092906880606082069, 295185057334340451492588650872876746227], [953730950786751671162019537171974567, 1189933229053113361422958527792232151]]
c = 1028324919038104683475485759234995158466543298184637219012354053883391759172761125802189697762778242175407876548832454351014064525118465877297277847501477586955680645311999174005606833294172830817159e = 113#暂存每轮得到的正确的mmmm = [ 34477005676820162206313524350718388995388964361111914461122792945404747258640626572519670215765749828347378102656628531443002193905830917576501911098980764185815997345702819264240009751148442426, 122251474355770407049299923720807002619294038964768766444097932240736660221208587524190952184175408395327264273947998924572358674189845633957638043199338228060748873522292564061697159084155, 2302982988306130873718678248046965635619977122378875400979845776887964102490919700970705411214473299613671701762260147495040038609477011076066320527267277326015932285789720472919789158, 23537451475264654783397519677185909863292665248941544646127041892810699254693157668878272163047447965494360147684605330696871807540713768499564637999043110095219692999410680226995, 140177373424899679430074829392928313477693819706173332758040927339401517742208025981523425936186925200196496612125625456430631622632150834127049737384042503028994857458226467, 963130018196161068022561826136699615972631158326273266709450636152057794259408910239684181019014240059847446622341252471979045951190123708301480386597157821916163544334, 22099780396461829722379389411334090279609060431701121609182515723815260652756755053990706324709932514832032225698612585831935469922880299786763383240418382919799321, 105203615092085867196180713024031580953262645244470745062806287628728083957360817366488801411967688912343820375347382249694217193012009121220949533257603223298, 2770807474173138559681583722575063626632396109101990628426422882126692567611876893424492013746533498499436328221834686503730687608977519563790607788117242, 79522563507420097241671540749267415107213223614814036174487708662964551801437232540659877853816396875693921978483029788328787752167530021794795431857, 2037298899016874045219277999643220063198097234557335235921481885211253636813115803603315238074035822211603707964528777576900935877949510316646223, 91620534205913166538263094639686621545207290194630647497982781366417941090195313655420047805846906050555821244135842146392017800438719304994, 634223615344447851225076194238185184332604736515528218505996221339671015125769748828654573318605955936504358040759056745442253727290998, 1151747077760886031968395300122212971249677857649906015143598211944659498637807719069388997270109028927478629593266598515428543599, 4885555691619901252961116690244561429850119193038756404218077274265730135140315447675335151534535632576283303735514949638673, 441483827088168645513094641426499891374571558703981036806090540801685962515269086990244001450093104554187188047355883908, 50746207344403804443969898876160025928774123141871973214027095925794652197169084777221214441362057146919986427284274, 851834034713920072016294826766890940103178167607817794715692270318536007164857863881508649769981422663639184163, 5772224180179962397158418478468305994920422145855450551932850591253169055736728137194928021864521464661511, 201270414263671865648131358230135006175090857068415686069148837994386901812348962669414590276244279652, 1631195497375922229848480131202350147418728908365651197102485655617240528564830722486663140830762, 83436593835736927783034931301466249878138772728555530531816534785622373800125814331410735801, 612402625116056383171913080691265536933185153779141510100715847406642891544437819056399, 7523449601904104920623925101649366402016181450187359849499567637389273313904203215, 23388304805925808822689623463866376122782272519632037291479310043364093060855]
for i in range(len(n)): if i < len(mmm): c = mmm[i] print(i, ":", c) continue f = 1 if i + 1 == len(n): nnn = tmp_n[i] else: nnn = tmp_n[i + 1] p = pq[i][0] q = pq[i][1] cp = c % p cq = c % q mp = AMM(cp, e, p) mq = AMM(cq, e, q) p_proot = findAllPRoot(p, e) q_proot = findAllPRoot(q, e) mps = findAllSolutions(mp, p_proot, cp, p) mqs = findAllSolutions(mq, q_proot, cq, q)
for mpp in mps: for mqq in mqs: solution = CRT_list([int(mpp), int(mqq)], [p, q]) if i == 26: try: flag = bytes.fromhex(hex(solution)[2:]) if b'DASCTF' in flag: print(flag) except: pass if solution < nnn: # print(i, solution) if f: c = solution f = 0#b'DASCTF{s4g3m4th_i5_co0l!}'




如果觉得本文不错的话,欢迎加入知识星球,星球内部设立了多个技术版块,目前涵盖“WEB安全”、“内网渗透”、“CTF技术区”、“漏洞分析”、“工具分享”五大类,还可以与嘉宾大佬们接触,在线答疑、互相探讨。



▼扫码关注白帽子社区公众号&加入知识星球▼



浏览 30
点赞
评论
收藏
分享

手机扫一扫分享

分享
举报
评论
图片
表情
推荐
点赞
评论
收藏
分享

手机扫一扫分享

分享
举报