2i9Q8AtDZiEsSn13rF6xchPe1EaiU5u7qKbEd2HDH5jS7N4UfiL3DwFsBa
flag{2a098f9f-d384-b6d0-4096-9eaf0f5654a3}
wohz{k533q73q-t76t-9292-351w-h880t22q2q59}
a=3 b=7
CyberChef一把:
flag{b533d73d-e76e-9292-351f-a880e22d2d59}
chall.py
from Crypto.Util.number import *
from secret import flag
from sympy import nextprime
flag=b''
r = getRandomNBitInteger(64)
p = r**5 + r**4 - r**3 + r**2 - r + 2023
q = r**5 - r**4 + r**3 - r**2 + r + 2023
p =nextprime(p)
q =nextprime(q)
n = p*q
def enc(flag, n):
m = bytes_to_long(flag)
return pow(m, 65537, n)
c = enc(flag, n)
print(n)
print(c)
# 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457
# 18808483076270941157829928736000549389727451019027515249724024369421942132354537978233676261769285858813983730966871222263698559152437016666829640339912308636169767041243411900882395764607422
n = = p ? q = = ( r ? ? 5 + . . . ) ? ( r ? ? 5 ? . . . ) n==p*q == (r**5 + ...)*(r**5 - ...) n==p?q==(r??5+...)?(r??5?...)
由上可知, n约为r的10次方。如果对n开10次方,则低位可忽略,爆破一下即可求出r。
exp:
from Crypto.Util.number import *
from gmpy2 import iroot
N = 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457
t,f = iroot(N, 10)
for r in range(t-10000,t+10000):
p = r**5 + r**4 - r**3 + r**2 - r + 2023
q = r**5 - r**4 + r**3 - r**2 + r + 2023
p =nextprime(p)
q =nextprime(q)
n = p*q
if n==N:
print(f"p = {p}\nq = {q}\n")
break
# 得到:
p = 158324975897082020097339281935818129320954195255971408941591049179715138878370817761203475160123
q = 158324975897082020068454470275147007824077754451975255433855101769279209145578273309232489165459
再常规RSA:
n = 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457
c = 18808483076270941157829928736000549389727451019027515249724024369421942132354537978233676261769285858813983730966871222263698559152437016666829640339912308636169767041243411900882395764607422
e = 65537
d = inverse(e, (p-1)*(q-1))
m = pow(c,d,n)
print(long_to_bytes(m))
# flag{5afe5cbb-4b4c-9cb6-f8b6-032cabf4b7e7}
追踪TCP流,在第0个流中发现代码:
import hashlib
with open("flag") as f:
flag=f.readlines()[0]
if "c7e6ea42b7301e6330ba****fe407930191d371885935ad4cd51e95e********" == hashlib.sha256(flag.encode()).hexdigest():
print("......")
else:
print("......")
在第3个TCP流中发现flag(部分):
flag{22af230f-bbed-????-95fa-b6b1ca6dc32e}
爆破sha256:
from hashlib import sha256
from string import hexdigits
from itertools import product
for i in product(hexdigits, repeat=4):
f = "flag{22af230f-bbed-" + ''.join(i) + "-95fa-b6b1ca6dc32e}"
h = sha256(f.encode()).hexdigest()
if h[:20]== 'c7e6ea42b7301e6330ba':
print(f, h)
# flag{22af230f-bbed-48b9-95fa-b6b1ca6dc32e} c7e6ea42b7301e6330ba3959fe407930191d371885935ad4cd51e95e857a3155
原题:HWS第七期夏令营(硬件安全营)预选赛wp Misc1
https://www.cnblogs.com/fuxuqiannian/p/17560359.html
usb流量包.
键盘是8字节: usbhid.data
鼠标是4字节:
将键盘流量全部导出后加冒号:
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import os
pcapfile = "misc1.pcapng"
if not os.path.exists(pcapfile):
print("Pcap file not found!")
exit(0)
# hid.txt
usbKBf = 'usbKBf.txt'
cmd = "tshark -r " + pcapfile + " -T fields -Y \"usb.usbpcap_header_len==27\" -e usbhid.data > " + usbKBf
os.system(cmd)
# 删除空行,并加冒号
lline2 = []
lline1 = open(usbKBf, 'r').readlines()
for line in lline1:
line = line.strip()
if line:
newline = ':'.join([ line[i:i+2] for i in range(0, len(line), 2)])
lline2.append(newline)
with open('out.txt', 'w') as f:
f.write('\n'.join(lline2))
normalKeys = {
"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i", "0d": "j",
"0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r", "16": "s", "17": "t",
"18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1", "1f": "2", "20": "3", "21": "4",
"22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>",
"2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[", "30": "]", "31": "\\", "32": "<NON>", "33": ";",
"34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>",
"3d": "<F4>", "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>",
"45": "<F12>"
}
shiftKeys = {
"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I", "0d": "J",
"0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R", "16": "S", "17": "T",
"18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!", "1f": "@", "20": "#", "21": "$",
"22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>",
"2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{", "30": "}", "31": "|", "32": "<NON>", "33": "\"",
"34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>",
"3d": "<F4>", "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>",
"45": "<F12>"
}
output = []
keys = open('out.txt')
for line in keys:
try:
if line[0] != '0' or (line[1] != '0' and line[1] != '2') or line[3] != '0' or line[4] != '0' or line[9] != '0' or line[10] != '0' or line[12] != '0' or line[13] != '0' or line[15] != '0' or line[16] != '0' or line[18] != '0' or line[19] != '0' or line[21] != '0' or line[22] != '0' or line[6:8] == "00":
continue
if line[6:8] in normalKeys.keys():
output += [normalKeys[line[6:8]], shiftKeys[line[6:8]]][line[1] == '2']
else:
output += ['[unknown]']
except:
pass
keys.close()
flag = 0
print("".join(output))
for i in range(len(output)):
try:
a = output.index('<DEL>')
del output[a]
del output[a - 1]
except:
pass
for i in range(len(output)):
try:
if output[i] == "<CAP>":
flag += 1
output.pop(i)
if flag == 2:
flag = 0
if flag != 0:
output[i] = output[i].upper()
except:
pass
print('output: ' + "".join(output))
运行得到:
AomgHy<DEL>Y$\<CAP>a@q7<CAP>gW2d6oO0fGm1hAI'/4<DEL>;<CAP>ms@p<CAP>frQ149K[unknown]
output: AomgHy<DEL>Y$\<CAP>a@q7<CAP>gW2d6oO0fGm1hAI'/4<DEL>;<CAP>ms@p<CAP>frQ149K[unknown]
猜测是base85解密,但未成功。再看一下导出的HID Data,发现流量中有20开头的,这个20开头的也算是shiftKeys。
添加条件到代码中,重新运行得到:
base85 --> flag{ec1b8b96-56a9-f15c-4e39-503e92ab45d2}
先F12看一下字符串,发现有:
flag{Th14_15_a_xxxx_flAg},the MD5 hash value of xxxx is \"7c76fb919bab9a1abfe854cf80725a09\",just 4 bytes
爆破一下md5,结果是Fak3:
from hashlib import md5
from string import ascii_letters
from itertools import product
for i in product("FAKE43fake", repeat=4):
f = ''.join(i)
h = md5(f.encode()).hexdigest()
if h== '7c76fb919bab9a1abfe854cf80725a09':
print(f, h)
# Fak3 7c76fb919bab9a1abfe854cf80725a09 --> flag{Th14_15_a_Fak3_flAg}
但提交不正确。明显是一个fake flag.
有以下判断逻辑:
for ( i = 0; i < v4; ++i )
{
memset(&s, 0, sizeof(s));
encode((unsigned int)inputs[i], &s); // 对输入的flag进行编码
outputs[4 * i + 3] = s; // 这里是4字符中,高低位的字符互换: 1234 --> 4321
outputs[4 * i + 2] = BYTE1(s);
outputs[4 * i + 1] = BYTE2(s);
outputs[4 * i] = HIBYTE(s);
}
if ( judge((__int64)outputs, (__int64)CODE, v4) ) // judge()函数需返回为真
{
puts("well done!you get it");
}
CODE的内容是:
Shift+E导出:
"CGCGCGATCGTCCGCACAGATACATATGTACCTATTTATTTAGTCGTCTACCCGCCTACGCGCCTACGTACCCGCTCGTCTATTTATCCGTATATTTACTTAGCTATCTACTCGTATACTTACATACGCGTCCGCCTATTTAGTTACACAAC"
ps: 开始以为是DNA编码,使用ToolxFX解码未成功。只能硬逆了。
先看下judge()函数:
bool __fastcall judge(__int64 a1, __int64 a2, int a3)
{
int v4; // ebx
int v5; // ebx
int v6; // r12d
int v8; // [rsp+28h] [rbp-18h]
int i; // [rsp+2Ch] [rbp-14h]
v8 = 0;
if ( 4 * a3 > strlen(CODE) )
return 0;
for ( i = 0; i < a3; ++i ) // 主要逻辑在这里。
{
v4 = Int((unsigned int)*(char *)(i + a1));
v5 = Int((unsigned int)*(char *)(i + a2)) + v4;
v6 = Int(75LL); // 75 --> 'K':Int('K')=7
if ( v5 == v6 - (unsigned int)Int(66LL) ) // 66 --> 'B':Int('B')=4
++v8;
}
return 4 * v8 == strlen(CODE);
}
// Int()函数可以视为一个字典:
__int64 __fastcall Int(char a1)
{
__int64 result; // rax
switch ( a1 )
{
case 'A':
result = 0LL;
break;
case 'B':
result = 4LL;
break;
case 'C':
result = 2LL;
break;
case 'D':
result = 5LL;
break;
case 'F':
result = 6LL;
break;
case 'G':
result = 1LL;
break;
case 'K':
result = 7LL;
break;
case 'M':
result = 8LL;
break;
case 'T':
result = 3LL;
break;
default:
result = 10LL;
break;
}
return result;
}
Int()函数可以视为一个字典:
intD = {"A":0, "B":4, "C":2, "D":5, "F":6, "G":1, "K":7, "M":8, "T":3, "O":10}
judge是一个简单的加减算法,逆一下:
intD = {"A":0, "B":4, "C":2, "D":5, "F":6, "G":1, "K":7, "M":8, "T":3, "O":10}
CODE = "CGCGCGATCGTCCGCACAGATACATATGTACCTATTTATTTAGTCGTCTACCCGCCTACGCGCCTACGTACCCGCTCGTCTATTTATCCGTATATTTACTTAGCTATCTACTCGTATACTTACATACGCGTCCGCCTATTTAGTTACACAAC"
# uniq一下CODE,只有AGCT共4个字符,对应于0123.
CODE2 = ''
for i in range(len(CODE)):
v5 = 3
t = intD[CODE[i]]
v4 = v5 - t
for k in intD.keys():
if intD[k] == v4:
D = k
print(D)
CODE2 += D
break
else:
print("WRONG", v4, t)
print(CODE2) # GCGCGCTAGCAGGCGTGTCTATGTATACATGGATAAATAAATCAGCAGATGGGCGGATGCGCGGATGCATGGGCGAGCAGATAAATAGGCATATAAATGAATCGATAGATGAGCATATGAATGTATGCGCAGGCGGATAAATCAATGTGTTG
再看以下代码和encode()函数:
for ( i = 0; i < v4; ++i )
{
memset(&s, 0, sizeof(s));
encode((unsigned int)inputs[i], &s); // 对输入的flag进行编码
outputs[4 * i + 3] = s; // 这里是4字符中,高低位的字符互换: 1234 --> 4321
outputs[4 * i + 2] = BYTE1(s);
outputs[4 * i + 1] = BYTE2(s);
outputs[4 * i] = HIBYTE(s);
}
__int64 __fastcall encode(unsigned int a1, __int64 a2)
{
__int64 result; // rax
int i; // [rsp+1Ch] [rbp-4h]
result = a1;
for ( i = 0; i <= 3; ++i )
{
result = (unsigned __int8)box[((char)a1 >> (2 * i)) & 3];
*(_BYTE *)(i + a2) = result;
}
return result;
}
可以发现,该代码逻辑是将字符转换为二进制(8bit),分4个2bit分别处理,映射为:
00 --> 0 --> A
01 --> 1 --> G
10 --> 2 --> C
11 --> 3 --> T
于是,写一下逆向代码:
CODE2 = GCGCGCTAGCAGGCGTGTCTATGTATACATGGATAAATAAATCAGCAGATGGGCGGATGCGCGGATGCATGGGCGAGCAGATAAATAGGCATATAAATGAATCGATAGATGAGCATATGAATGTATGCGCAGGCGGATAAATCAATGTGTTG
box = "AGCT"
for i in range(0, len(CODE2), 4):
t = box.index(CODE2[i]) * 64 + box.index(CODE2[i+1]) * 16 + box.index(CODE2[i+2]) * 4 + box.index(CODE2[i+3])
print(chr(t), end='')
# flag{725008a5e6e65da01c04914c476ae087}
js代码小游戏。找到success()函数,在浏览器中F12,在控制台下运行一下即可得到flag:
arr='1234567890qwertyuiopasdfghjklzxcvbnm{}-'
index = [23,28,20,24,36,1,3,7,6,3,38,2,8,9,5,7,21,38,9,3,6,18,22,38,26,16,6,18,15,37]
s = ''
for i in index:
s += arr[i]
print(s)
# flag{24874-39068s-047od-ju7oy}
题目提示:使用Burp。
题目给了一个登录框,输入admin等常规的账号名时,提示用户名错误。
【考点】:使用Burp中自带的字典、密码。
爆破成功后,登录即显示flag. 【坑】
一个jar。
smarty反序列化漏洞利用。
赛后评价:
1 - 线下赛,现场不提供零食,中午却可以一起就餐…
2 - 题目质量嘛:呵呵,
(1)W2-justppb
考点是Burp自带的用户名、密码字典,这个。
我现场用自己的fuzz字典、爆破的字典,居然都不行。哎,痛失5分。
(2)M3-我我我是谁
这个题硬是不知道怎么做。听大佬说,是他们用自己团队的一个脚本自动跑出来的。
哎!
(3)C1-比64少的base, C2-affine:
这2题是拿来当省级赛事的吗?
(4)M2-simpleUSB
原题。HWS第七期夏令营(硬件安全营)预选赛wp Misc1
(5)其他
反正不会做了。