比賽地址:https://5space.#/competition
- [MISC] loop
考察點(diǎn):寫腳本解壓縮包
簡單題结借,以前也遇到過饱普,照著腳本修改一下就行了
file解壓 - > tarfile解壓 - > zipfile解壓 - >tarfile解壓 - > zipfile解壓 ...
用手?jǐn)]肯定不行的医吊,咱們用python
import os
import tarfile
import zipfile
t = 0
while 1:
# t記錄解壓次數(shù)
t = t+1
# 獲取當(dāng)前目錄文件名
filelist = os.listdir()
# 第一次時,使a="file"
for i in filelist:
if "file" in i:
a=i
break
# 如果文件名不包含"file"糙捺,則暫停
if "file" not in a:
print("Done!")
break
# 如果是tarfile邪驮,tar解壓方式
if a[:3]=="tar":
tar = tarfile.open(a, mode = "r:tar")
tar.extractall()
tar.close()
# 如果是zipfile,zip解壓方式
if a[:3]=="zip":
tar = zipfile.ZipFile(a,"r")
tar.extractall()
tar.close()
print("delete {}, {}".format(a,t))
最后得到的是動態(tài)flag
- [MISC] philosopher
考察點(diǎn):隱寫內(nèi)容查找酷窥,png文件格式
題目挺簡單咽安,干擾項(xiàng)挺多,主要靠發(fā)現(xiàn)細(xì)節(jié)的能力
在010editor內(nèi)找到敏感信息“FL4G LOVE”蓬推,緊接著就是"IHDR“(49484452)妆棒,這是png文件頭包含的信息,咱們把他的文件頭(89504E47)補(bǔ)上
保存為png,得到flag{that_is_not_right_man}
- [MISC] run
考察點(diǎn):隱寫內(nèi)容查找糕珊,圖層隱寫
題目挺簡單动分,干擾項(xiàng)挺多(有不少師傅逆向程序,陷入了md5加密的坑)红选,只學(xué)會了用PS...
對run.exe進(jìn)行foremost分離澜公,得到壓縮包。解壓喇肋,再運(yùn)行run.exe坟乾,得到tif文件
在tif里找到有用信息:njCp1HJBPLVTxcMhUHDPwE7mPW
從run.exe還分離出了jpg,打開
發(fā)現(xiàn)右下角的黑色長方形很可疑(仿佛遮住了什么蝶防,而且他和tif的圖片是一模一樣的甚侣,一定有啥關(guān)系),先他弄開
這就對了间学,結(jié)合前面tif的信息寫解密腳本(注意這里的i是從1開始的R蠓选!低葫!淚目)
c="njCp1HJBPLVTxcMhUHDPwE7mPW"
flag=""
for i in range(1,len(c)+1):
if i%2==0:
x=ord(c[i-1])+1
else:
x=ord(c[i-1])-1
flag+=chr(x)
print(flag)
flag{mkBq0IICOMUUwdLiTICQvF6nOX}
- [MISC] 麒麟系統(tǒng)
考察點(diǎn):sudo的CVE漏洞
第一次做出這種題详羡,不過也不算難,網(wǎng)上查得到
普通用戶在Ubuntu下,不用” su root “切換到root用戶,通常/root目錄是不能訪問的
假如pwn題中,在/root下放置一個FLAG,出題人在/etc/sudoers中添加一個普通用戶可以執(zhí)行l(wèi)s與cat命令嘿悬,則可以通過此方法提權(quán)從而拿到FLAG
這題直接參考了某pwn爺?shù)膹?fù)現(xiàn)秒解了
若用戶執(zhí)行 /usr/bin/id
>>sudo id
則出現(xiàn)報(bào)錯
>>對不起实柠,用戶無權(quán)以 root 的身份在 localhost.localdomain 上執(zhí)行 /bin/id
而sudo 有個參數(shù) “-u” 可以指定特定的UID執(zhí)行命令
此時漏洞點(diǎn)就在于 當(dāng)-u指定的UID為-1 或者 4294967295的時候,則會以root權(quán)限執(zhí)行命令
先登錄:ssh 用戶名@ip -p 端口
再提權(quán)拿flag:sudo -u#-1 cat /root/flag
- [CRYPTO] rosb
考察點(diǎn):RSA共模攻擊
簽到題
from flag import flag
from Crypto.Util.number import long_to_bytes,bytes_to_long,getPrime
from os import urandom
# 返回n,e,p,q
def gen_arg():
p=getPrime(1024)
q=getPrime(1024)
open("log.txt","w").write(hex(p)+"\n"+hex(q))
n=p*q
e=getPrime(32)
return n,e,p,q
# 明文前4個字符為"rose"
def mamacheck(c):
if long_to_bytes(c)[0:4]!="rose":
return False
return True
def babasay(m):
n,e,p,q=gen_arg()
c=pow(m,e,n)
print hex(n)
print hex(e)
print hex(c)
# 找到滿足條件的e
if not mamacheck(c):
e=getPrime(32)
c = pow(m, e, n)
print hex(e)
print hex(c)
# 密文是flag+隨機(jī)產(chǎn)生64個字節(jié)的字符
m=bytes_to_long(flag+urandom(64))
babasay(m)
'''otuput:
n=0xa1d4d377001f1b8d5b2740514ce699b49dc8a02f12df9a960e80e2a6ee13b7a97d9f508721e3dd7a6842c24ab25ab87d1132358de7c6c4cee3fb3ec9b7fd873626bd0251d16912de1f0f1a2bba52b082339113ad1a262121db31db9ee1bf9f26023182acce8f84612bfeb075803cf610f27b7b16147f7d29cc3fd463df7ea31ca860d59aae5506479c76206603de54044e7b778e21082c4c4da795d39dc2b9c0589e577a773133c89fa8e3a4bd047b8e7d6da0d9a0d8a3c1a3607ce983deb350e1c649725cccb0e9d756fc3107dd4352aa18c45a65bab7772a4c5aef7020a1e67e6085cc125d9fc042d96489a08d885f448ece8f7f254067dfff0c4e72a63557L
e=0xf4c1158fL
c=0x2f6546062ff19fe6a3155d76ef90410a3cbc07fef5dff8d3d5964174dfcaf9daa003967a29c516657044e87c1cbbf2dba2e158452ca8b7adba5e635915d2925ac4f76312feb3b0c85c3b8722c0e4aedeaec2f2037cc5f676f99b7260c3f83ffbaba86cda0f6a9cd4c70b37296e8f36c3ceaae15b5bf0b290119592ff03427b80055f08c394e5aa6c45bd634c80c59a9f70a92dc70eebec15d4a5e256bf78775e0d3d14f3a0103d9ad8ea6257a0384091f14da59e52581ba2e8ad3adb9747435e9283e8064de21ac41ab2c7b161a3c072b7841d4a594a8b348a923d4cc39f02e05ce95a69c7500c29f6bb415c11e4e0cdb410d0ec2644d6243db38e893c8a3707L
e2=0xf493f7d1L
c2=0xd32dfad68d790022758d155f2d8bf46bb762ae5cc17281f2f3a8794575ec684819690b22106c1cdaea06abaf7d0dbf841ebd152be51528338d1da8a78f666e0da85367ee8c1e6addbf590fc15f1b2182972dcbe4bbe8ad359b7d15febd5597f5a87fa4c6c51ac4021af60aeb726a3dc7689daed70144db57d1913a4dc29a2b2ec34c99c507d0856d6bf5d5d01ee514d47c7477a7fb8a6747337e7caf2d6537183c20e14c7b79380d9f7bcd7cda9e3bfb00c2b57822663c9a5a24927bceec316c8ffc59ab3bfc19f364033da038a4fb3ecef3b4cb299f4b600f76b8a518b25b576f745412fe53d229e77e68380397eee6ffbc36f6cc734815cd4065dc73dcbcbL
'''
n是一樣的,c和e有不同的兩組鹊漠,rsa加密方式主到,可以進(jìn)行共模攻擊
import gmpy2 as gp
def exgcd(a, b):
if b==0:
return 1, 0, a
x2, y2, r = exgcd(b, a%b)
x1 = y2
y1 = x2-(a//b)*y2
return x1, y1, r
c1=gp.mpz(0x2f6546062ff19fe6a3155d76ef90410a3cbc07fef5dff8d3d5964174dfcaf9daa003967a29c516657044e87c1cbbf2dba2e158452ca8b7adba5e635915d2925ac4f76312feb3b0c85c3b8722c0e4aedeaec2f2037cc5f676f99b7260c3f83ffbaba86cda0f6a9cd4c70b37296e8f36c3ceaae15b5bf0b290119592ff03427b80055f08c394e5aa6c45bd634c80c59a9f70a92dc70eebec15d4a5e256bf78775e0d3d14f3a0103d9ad8ea6257a0384091f14da59e52581ba2e8ad3adb9747435e9283e8064de21ac41ab2c7b161a3c072b7841d4a594a8b348a923d4cc39f02e05ce95a69c7500c29f6bb415c11e4e0cdb410d0ec2644d6243db38e893c8a3707)
e1=gp.mpz(0xf4c1158f)
c2=gp.mpz(0xd32dfad68d790022758d155f2d8bf46bb762ae5cc17281f2f3a8794575ec684819690b22106c1cdaea06abaf7d0dbf841ebd152be51528338d1da8a78f666e0da85367ee8c1e6addbf590fc15f1b2182972dcbe4bbe8ad359b7d15febd5597f5a87fa4c6c51ac4021af60aeb726a3dc7689daed70144db57d1913a4dc29a2b2ec34c99c507d0856d6bf5d5d01ee514d47c7477a7fb8a6747337e7caf2d6537183c20e14c7b79380d9f7bcd7cda9e3bfb00c2b57822663c9a5a24927bceec316c8ffc59ab3bfc19f364033da038a4fb3ecef3b4cb299f4b600f76b8a518b25b576f745412fe53d229e77e68380397eee6ffbc36f6cc734815cd4065dc73dcbcb)
e2=gp.mpz(0xf493f7d1)
n=gp.mpz(0xa1d4d377001f1b8d5b2740514ce699b49dc8a02f12df9a960e80e2a6ee13b7a97d9f508721e3dd7a6842c24ab25ab87d1132358de7c6c4cee3fb3ec9b7fd873626bd0251d16912de1f0f1a2bba52b082339113ad1a262121db31db9ee1bf9f26023182acce8f84612bfeb075803cf610f27b7b16147f7d29cc3fd463df7ea31ca860d59aae5506479c76206603de54044e7b778e21082c4c4da795d39dc2b9c0589e577a773133c89fa8e3a4bd047b8e7d6da0d9a0d8a3c1a3607ce983deb350e1c649725cccb0e9d756fc3107dd4352aa18c45a65bab7772a4c5aef7020a1e67e6085cc125d9fc042d96489a08d885f448ece8f7f254067dfff0c4e72a63557)
r1, r2, t = exgcd(e1, e2)
m = gp.powmod(c1, r1, n) * gp.powmod(c2, r2, n) % n
#print(m)
#print(hex(m)[2:])
print(bytes.fromhex(str(hex(m)[2:])))
flag{g0od_go0d_stu4y_d4yd4y_Up}
