【2020 “第五空间”】智能安全大赛 WP
2020-06-25 本文已影响0人
Du1in9
比赛地址:https://5space.360.cn/competition
- [MISC] loop
考察点:写脚本解压缩包
简单题,以前也遇到过,照着脚本修改一下就行了
file解压 - > tarfile解压 - > zipfile解压 - >tarfile解压 - > zipfile解压 ...
用手撸肯定不行的,咱们用python
import os
import tarfile
import zipfile
t = 0
while 1:
# t记录解压次数
t = t+1
# 获取当前目录文件名
filelist = os.listdir()
# 第一次时,使a="file"
for i in filelist:
if "file" in i:
a=i
break
# 如果文件名不包含"file",则暂停
if "file" not in a:
print("Done!")
break
# 如果是tarfile,tar解压方式
if a[:3]=="tar":
tar = tarfile.open(a, mode = "r:tar")
tar.extractall()
tar.close()
# 如果是zipfile,zip解压方式
if a[:3]=="zip":
tar = zipfile.ZipFile(a,"r")
tar.extractall()
tar.close()
print("delete {}, {}".format(a,t))
最后得到的是动态flag
- [MISC] philosopher
考察点:隐写内容查找,png文件格式
题目挺简单,干扰项挺多,主要靠发现细节的能力
在010editor内找到敏感信息“FL4G LOVE”,紧接着就是"IHDR“(49484452),这是png文件头包含的信息,咱们把他的文件头(89504E47)补上
保存为png,得到flag{that_is_not_right_man}
- [MISC] run
考察点:隐写内容查找,图层隐写
题目挺简单,干扰项挺多(有不少师傅逆向程序,陷入了md5加密的坑),只学会了用PS...
对run.exe进行foremost分离,得到压缩包。解压,再运行run.exe,得到tif文件
在tif里找到有用信息:njCp1HJBPLVTxcMhUHDPwE7mPW
从run.exe还分离出了jpg,打开
发现右下角的黑色长方形很可疑(仿佛遮住了什么,而且他和tif的图片是一模一样的,一定有啥关系),先他弄开
这就对了,结合前面tif的信息写解密脚本(注意这里的i是从1开始的!!!泪目)
c="njCp1HJBPLVTxcMhUHDPwE7mPW"
flag=""
for i in range(1,len(c)+1):
if i%2==0:
x=ord(c[i-1])+1
else:
x=ord(c[i-1])-1
flag+=chr(x)
print(flag)
flag{mkBq0IICOMUUwdLiTICQvF6nOX}
- [MISC] 麒麟系统
考察点:sudo的CVE漏洞
第一次做出这种题,不过也不算难,网上查得到
普通用户在Ubuntu下,不用” su root “切换到root用户,通常/root目录是不能访问的
假如pwn题中,在/root下放置一个FLAG,出题人在/etc/sudoers中添加一个普通用户可以执行ls与cat命令,则可以通过此方法提权从而拿到FLAG
这题直接参考了某pwn爷的复现秒解了
若用户执行 /usr/bin/id
>>sudo id
则出现报错
>>对不起,用户无权以 root 的身份在 localhost.localdomain 上执行 /bin/id
而sudo 有个参数 “-u” 可以指定特定的UID执行命令
此时漏洞点就在于 当-u指定的UID为-1 或者 4294967295的时候,则会以root权限执行命令
先登录:ssh 用户名@ip -p 端口
再提权拿flag:sudo -u#-1 cat /root/flag
- [CRYPTO] rosb
考察点:RSA共模攻击
签到题
from flag import flag
from Crypto.Util.number import long_to_bytes,bytes_to_long,getPrime
from os import urandom
# 返回n,e,p,q
def gen_arg():
p=getPrime(1024)
q=getPrime(1024)
open("log.txt","w").write(hex(p)+"\n"+hex(q))
n=p*q
e=getPrime(32)
return n,e,p,q
# 明文前4个字符为"rose"
def mamacheck(c):
if long_to_bytes(c)[0:4]!="rose":
return False
return True
def babasay(m):
n,e,p,q=gen_arg()
c=pow(m,e,n)
print hex(n)
print hex(e)
print hex(c)
# 找到满足条件的e
if not mamacheck(c):
e=getPrime(32)
c = pow(m, e, n)
print hex(e)
print hex(c)
# 密文是flag+随机产生64个字节的字符
m=bytes_to_long(flag+urandom(64))
babasay(m)
'''otuput:
n=0xa1d4d377001f1b8d5b2740514ce699b49dc8a02f12df9a960e80e2a6ee13b7a97d9f508721e3dd7a6842c24ab25ab87d1132358de7c6c4cee3fb3ec9b7fd873626bd0251d16912de1f0f1a2bba52b082339113ad1a262121db31db9ee1bf9f26023182acce8f84612bfeb075803cf610f27b7b16147f7d29cc3fd463df7ea31ca860d59aae5506479c76206603de54044e7b778e21082c4c4da795d39dc2b9c0589e577a773133c89fa8e3a4bd047b8e7d6da0d9a0d8a3c1a3607ce983deb350e1c649725cccb0e9d756fc3107dd4352aa18c45a65bab7772a4c5aef7020a1e67e6085cc125d9fc042d96489a08d885f448ece8f7f254067dfff0c4e72a63557L
e=0xf4c1158fL
c=0x2f6546062ff19fe6a3155d76ef90410a3cbc07fef5dff8d3d5964174dfcaf9daa003967a29c516657044e87c1cbbf2dba2e158452ca8b7adba5e635915d2925ac4f76312feb3b0c85c3b8722c0e4aedeaec2f2037cc5f676f99b7260c3f83ffbaba86cda0f6a9cd4c70b37296e8f36c3ceaae15b5bf0b290119592ff03427b80055f08c394e5aa6c45bd634c80c59a9f70a92dc70eebec15d4a5e256bf78775e0d3d14f3a0103d9ad8ea6257a0384091f14da59e52581ba2e8ad3adb9747435e9283e8064de21ac41ab2c7b161a3c072b7841d4a594a8b348a923d4cc39f02e05ce95a69c7500c29f6bb415c11e4e0cdb410d0ec2644d6243db38e893c8a3707L
e2=0xf493f7d1L
c2=0xd32dfad68d790022758d155f2d8bf46bb762ae5cc17281f2f3a8794575ec684819690b22106c1cdaea06abaf7d0dbf841ebd152be51528338d1da8a78f666e0da85367ee8c1e6addbf590fc15f1b2182972dcbe4bbe8ad359b7d15febd5597f5a87fa4c6c51ac4021af60aeb726a3dc7689daed70144db57d1913a4dc29a2b2ec34c99c507d0856d6bf5d5d01ee514d47c7477a7fb8a6747337e7caf2d6537183c20e14c7b79380d9f7bcd7cda9e3bfb00c2b57822663c9a5a24927bceec316c8ffc59ab3bfc19f364033da038a4fb3ecef3b4cb299f4b600f76b8a518b25b576f745412fe53d229e77e68380397eee6ffbc36f6cc734815cd4065dc73dcbcbL
'''
n是一样的,c和e有不同的两组,rsa加密方式,可以进行共模攻击
import gmpy2 as gp
def exgcd(a, b):
if b==0:
return 1, 0, a
x2, y2, r = exgcd(b, a%b)
x1 = y2
y1 = x2-(a//b)*y2
return x1, y1, r
c1=gp.mpz(0x2f6546062ff19fe6a3155d76ef90410a3cbc07fef5dff8d3d5964174dfcaf9daa003967a29c516657044e87c1cbbf2dba2e158452ca8b7adba5e635915d2925ac4f76312feb3b0c85c3b8722c0e4aedeaec2f2037cc5f676f99b7260c3f83ffbaba86cda0f6a9cd4c70b37296e8f36c3ceaae15b5bf0b290119592ff03427b80055f08c394e5aa6c45bd634c80c59a9f70a92dc70eebec15d4a5e256bf78775e0d3d14f3a0103d9ad8ea6257a0384091f14da59e52581ba2e8ad3adb9747435e9283e8064de21ac41ab2c7b161a3c072b7841d4a594a8b348a923d4cc39f02e05ce95a69c7500c29f6bb415c11e4e0cdb410d0ec2644d6243db38e893c8a3707)
e1=gp.mpz(0xf4c1158f)
c2=gp.mpz(0xd32dfad68d790022758d155f2d8bf46bb762ae5cc17281f2f3a8794575ec684819690b22106c1cdaea06abaf7d0dbf841ebd152be51528338d1da8a78f666e0da85367ee8c1e6addbf590fc15f1b2182972dcbe4bbe8ad359b7d15febd5597f5a87fa4c6c51ac4021af60aeb726a3dc7689daed70144db57d1913a4dc29a2b2ec34c99c507d0856d6bf5d5d01ee514d47c7477a7fb8a6747337e7caf2d6537183c20e14c7b79380d9f7bcd7cda9e3bfb00c2b57822663c9a5a24927bceec316c8ffc59ab3bfc19f364033da038a4fb3ecef3b4cb299f4b600f76b8a518b25b576f745412fe53d229e77e68380397eee6ffbc36f6cc734815cd4065dc73dcbcb)
e2=gp.mpz(0xf493f7d1)
n=gp.mpz(0xa1d4d377001f1b8d5b2740514ce699b49dc8a02f12df9a960e80e2a6ee13b7a97d9f508721e3dd7a6842c24ab25ab87d1132358de7c6c4cee3fb3ec9b7fd873626bd0251d16912de1f0f1a2bba52b082339113ad1a262121db31db9ee1bf9f26023182acce8f84612bfeb075803cf610f27b7b16147f7d29cc3fd463df7ea31ca860d59aae5506479c76206603de54044e7b778e21082c4c4da795d39dc2b9c0589e577a773133c89fa8e3a4bd047b8e7d6da0d9a0d8a3c1a3607ce983deb350e1c649725cccb0e9d756fc3107dd4352aa18c45a65bab7772a4c5aef7020a1e67e6085cc125d9fc042d96489a08d885f448ece8f7f254067dfff0c4e72a63557)
r1, r2, t = exgcd(e1, e2)
m = gp.powmod(c1, r1, n) * gp.powmod(c2, r2, n) % n
#print(m)
#print(hex(m)[2:])
print(bytes.fromhex(str(hex(m)[2:])))
flag{g0od_go0d_stu4y_d4yd4y_Up}
