四川技能大赛——2023年四川网信人才技能大赛（网络安全管理员赛项）决赛

四川技能大赛——2023年四川网信人才技能大赛（网络安全管理员赛项）决赛

C1-比64少的bas - DONE

2i9Q8AtDZiEsSn13rF6xchPe1EaiU5u7qKbEd2HDH5jS7N4UfiL3DwFsBa

flag{2a098f9f-d384-b6d0-4096-9eaf0f5654a3}

C2-affine - DONE

wohz{k533q73q-t76t-9292-351w-h880t22q2q59}
a=3 b=7

CyberChef一把：

flag{b533d73d-e76e-9292-351f-a880e22d2d59}

C3-简单的RSA - DONE

chall.py

from Crypto.Util.number import *
from secret import flag
from sympy import nextprimeflag=b''r = getRandomNBitInteger(64)
p = r**5 + r**4 - r**3 + r**2 - r + 2023
q = r**5 - r**4 + r**3 - r**2 + r + 2023
p =nextprime(p)
q =nextprime(q)
n = p*qdef enc(flag, n):m = bytes_to_long(flag)return pow(m, 65537, n)c = enc(flag, n)
print(n)
print(c)# 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457
# 18808483076270941157829928736000549389727451019027515249724024369421942132354537978233676261769285858813983730966871222263698559152437016666829640339912308636169767041243411900882395764607422

$n==p\ast q==(r\ast \ast 5+...)\ast (r\ast \ast 5-...)$

由上可知， n约为r的10次方。如果对n开10次方，则低位可忽略，爆破一下即可求出r。

exp:

from Crypto.Util.number import *
from gmpy2 import irootN = 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457
t,f = iroot(N, 10)for r in range(t-10000,t+10000):p = r**5 + r**4 - r**3 + r**2 - r + 2023q = r**5 - r**4 + r**3 - r**2 + r + 2023p =nextprime(p)q =nextprime(q)n = p*qif n==N:print(f"p = {p}\nq = {q}\n")break
# 得到：
p = 158324975897082020097339281935818129320954195255971408941591049179715138878370817761203475160123
q = 158324975897082020068454470275147007824077754451975255433855101769279209145578273309232489165459

再常规RSA:

n = 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457
c = 18808483076270941157829928736000549389727451019027515249724024369421942132354537978233676261769285858813983730966871222263698559152437016666829640339912308636169767041243411900882395764607422
e = 65537
d = inverse(e, (p-1)*(q-1))
m = pow(c,d,n)
print(long_to_bytes(m))
# flag{5afe5cbb-4b4c-9cb6-f8b6-032cabf4b7e7}

M1-不要动我的flag - DONE

追踪TCP流，在第0个流中发现代码：

import hashlibwith open("flag") as f:flag=f.readlines()[0]
if "c7e6ea42b7301e6330ba****fe407930191d371885935ad4cd51e95e********" == hashlib.sha256(flag.encode()).hexdigest():print("......")
else:print("......")

在第3个TCP流中发现flag(部分)：

flag{22af230f-bbed-????-95fa-b6b1ca6dc32e}

爆破sha256:

from hashlib import sha256
from string import hexdigits
from itertools import productfor i in product(hexdigits, repeat=4):f = "flag{22af230f-bbed-" + ''.join(i) + "-95fa-b6b1ca6dc32e}"h = sha256(f.encode()).hexdigest()if h[:20]== 'c7e6ea42b7301e6330ba':print(f, h)
# flag{22af230f-bbed-48b9-95fa-b6b1ca6dc32e}  c7e6ea42b7301e6330ba3959fe407930191d371885935ad4cd51e95e857a3155

M2-simpleUSB -

原题：HWS第七期夏令营（硬件安全营）预选赛wp Misc1
https://www.cnblogs.com/fuxuqiannian/p/17560359.html

usb流量包.

键盘是8字节:   usbhid.data
鼠标是4字节:   

将键盘流量全部导出后加冒号：

#!/usr/bin/env python
# -*- coding:utf-8 -*-import ospcapfile = "misc1.pcapng"
if not os.path.exists(pcapfile):print("Pcap file not found!")exit(0)# hid.txt
usbKBf = 'usbKBf.txt'
cmd = "tshark -r " + pcapfile + " -T fields -Y \"usb.usbpcap_header_len==27\" -e usbhid.data > " + usbKBf
os.system(cmd)
# 删除空行，并加冒号
lline2 = []
lline1 = open(usbKBf, 'r').readlines()
for line in lline1:line = line.strip()if line:newline = ':'.join([ line[i:i+2] for i in range(0, len(line), 2)])lline2.append(newline)
with open('out.txt', 'w') as f:f.write('\n'.join(lline2))normalKeys = {"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i", "0d": "j","0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r", "16": "s", "17": "t","18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1", "1f": "2", "20": "3", "21": "4","22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>","2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[", "30": "]", "31": "\\", "32": "<NON>", "33": ";","34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>","3d": "<F4>", "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>","45": "<F12>"
}shiftKeys = {"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I", "0d": "J","0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R", "16": "S", "17": "T","18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!", "1f": "@", "20": "#", "21": "$","22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>","2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{", "30": "}", "31": "|", "32": "<NON>", "33": "\"","34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>","3d": "<F4>", "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>","45": "<F12>"
}output = []
keys = open('out.txt')for line in keys:try:if line[0] != '0' or (line[1] != '0' and line[1] != '2') or line[3] != '0' or line[4] != '0' or line[9] != '0' or line[10] != '0' or line[12] != '0' or line[13] != '0' or line[15] != '0' or line[16] != '0' or line[18] != '0' or line[19] != '0' or line[21] != '0' or line[22] != '0' or line[6:8] == "00":continueif line[6:8] in normalKeys.keys():output += [normalKeys[line[6:8]], shiftKeys[line[6:8]]][line[1] == '2']else:output += ['[unknown]']except:passkeys.close()flag = 0
print("".join(output))for i in range(len(output)):try:a = output.index('<DEL>')del output[a]del output[a - 1]except:passfor i in range(len(output)):try:if output[i] == "<CAP>":flag += 1output.pop(i)if flag == 2:flag = 0if flag != 0:output[i] = output[i].upper()except:passprint('output: ' + "".join(output))

运行得到：

AomgHy<DEL>Y$\<CAP>a@q7<CAP>gW2d6oO0fGm1hAI'/4<DEL>;<CAP>ms@p<CAP>frQ149K[unknown]
output: AomgHy<DEL>Y$\<CAP>a@q7<CAP>gW2d6oO0fGm1hAI'/4<DEL>;<CAP>ms@p<CAP>frQ149K[unknown]

猜测是base85解密，但未成功。再看一下导出的HID Data，发现流量中有20开头的，这个20开头的也算是shiftKeys。

添加条件到代码中，重新运行得到：

base85 --> flag{ec1b8b96-56a9-f15c-4e39-503e92ab45d2}

M3-我我我是谁 -

P1-getitez -

P2-bbstack -

R1-谁的DNA动了 - DONE

先F12看一下字符串，发现有：

flag{Th14_15_a_xxxx_flAg},the MD5 hash value of xxxx is \"7c76fb919bab9a1abfe854cf80725a09\",just 4 bytes

爆破一下md5，结果是Fak3：

from hashlib import md5
from string import ascii_letters
from itertools import productfor i in product("FAKE43fake", repeat=4):f = ''.join(i)h = md5(f.encode()).hexdigest()if h== '7c76fb919bab9a1abfe854cf80725a09':print(f, h)
# Fak3 7c76fb919bab9a1abfe854cf80725a09  --> flag{Th14_15_a_Fak3_flAg}

但提交不正确。明显是一个fake flag.

有以下判断逻辑：

for ( i = 0; i < v4; ++i )
{memset(&s, 0, sizeof(s));encode((unsigned int)inputs[i], &s);  // 对输入的flag进行编码outputs[4 * i + 3] = s;               // 这里是4字符中，高低位的字符互换： 1234 --> 4321outputs[4 * i + 2] = BYTE1(s);outputs[4 * i + 1] = BYTE2(s);outputs[4 * i] = HIBYTE(s);
}
if ( judge((__int64)outputs, (__int64)CODE, v4) )  // judge()函数需返回为真
{puts("well done!you get it");
}

CODE的内容是：

Shift+E导出：

"CGCGCGATCGTCCGCACAGATACATATGTACCTATTTATTTAGTCGTCTACCCGCCTACGCGCCTACGTACCCGCTCGTCTATTTATCCGTATATTTACTTAGCTATCTACTCGTATACTTACATACGCGTCCGCCTATTTAGTTACACAAC"ps: 开始以为是DNA编码，使用ToolxFX解码未成功。只能硬逆了。

先看下judge()函数：

bool __fastcall judge(__int64 a1, __int64 a2, int a3)
{int v4; // ebxint v5; // ebxint v6; // r12dint v8; // [rsp+28h] [rbp-18h]int i; // [rsp+2Ch] [rbp-14h]v8 = 0;if ( 4 * a3 > strlen(CODE) )return 0;for ( i = 0; i < a3; ++i )       // 主要逻辑在这里。{v4 = Int((unsigned int)*(char *)(i + a1));v5 = Int((unsigned int)*(char *)(i + a2)) + v4;v6 = Int(75LL);  // 75 --> 'K':Int('K')=7if ( v5 == v6 - (unsigned int)Int(66LL) ) // 66 --> 'B':Int('B')=4++v8;}return 4 * v8 == strlen(CODE);
}// Int()函数可以视为一个字典：
__int64 __fastcall Int(char a1)
{__int64 result; // raxswitch ( a1 ){case 'A':result = 0LL;break;case 'B':result = 4LL;break;case 'C':result = 2LL;break;case 'D':result = 5LL;break;case 'F':result = 6LL;break;case 'G':result = 1LL;break;case 'K':result = 7LL;break;case 'M':result = 8LL;break;case 'T':result = 3LL;break;default:result = 10LL;break;}return result;
}

Int()函数可以视为一个字典：

intD = {"A":0, "B":4, "C":2, "D":5, "F":6, "G":1, "K":7, "M":8, "T":3, "O":10}

judge是一个简单的加减算法，逆一下：

intD = {"A":0, "B":4, "C":2, "D":5, "F":6, "G":1, "K":7, "M":8, "T":3, "O":10}
CODE = "CGCGCGATCGTCCGCACAGATACATATGTACCTATTTATTTAGTCGTCTACCCGCCTACGCGCCTACGTACCCGCTCGTCTATTTATCCGTATATTTACTTAGCTATCTACTCGTATACTTACATACGCGTCCGCCTATTTAGTTACACAAC"
# uniq一下CODE，只有AGCT共4个字符，对应于0123.
CODE2 = ''
for i in range(len(CODE)):v5 = 3t = intD[CODE[i]]v4 = v5 - tfor k in intD.keys():if intD[k] == v4:D = kprint(D)CODE2 += Dbreakelse:print("WRONG", v4, t)
print(CODE2) # GCGCGCTAGCAGGCGTGTCTATGTATACATGGATAAATAAATCAGCAGATGGGCGGATGCGCGGATGCATGGGCGAGCAGATAAATAGGCATATAAATGAATCGATAGATGAGCATATGAATGTATGCGCAGGCGGATAAATCAATGTGTTG

再看以下代码和encode()函数：

  for ( i = 0; i < v4; ++i ){memset(&s, 0, sizeof(s));encode((unsigned int)inputs[i], &s);  // 对输入的flag进行编码outputs[4 * i + 3] = s;               // 这里是4字符中，高低位的字符互换： 1234 --> 4321outputs[4 * i + 2] = BYTE1(s);outputs[4 * i + 1] = BYTE2(s);outputs[4 * i] = HIBYTE(s);}__int64 __fastcall encode(unsigned int a1, __int64 a2)
{__int64 result; // raxint i; // [rsp+1Ch] [rbp-4h]result = a1;for ( i = 0; i <= 3; ++i ){result = (unsigned __int8)box[((char)a1 >> (2 * i)) & 3];*(_BYTE *)(i + a2) = result;}return result;
}

可以发现，该代码逻辑是将字符转换为二进制（8bit），分4个2bit分别处理，映射为：

00 --> 0 --> A
01 --> 1 --> G
10 --> 2 --> C
11 --> 3 --> T

于是，写一下逆向代码：

CODE2 = GCGCGCTAGCAGGCGTGTCTATGTATACATGGATAAATAAATCAGCAGATGGGCGGATGCGCGGATGCATGGGCGAGCAGATAAATAGGCATATAAATGAATCGATAGATGAGCATATGAATGTATGCGCAGGCGGATAAATCAATGTGTTG
box = "AGCT"
for i in range(0, len(CODE2), 4):t = box.index(CODE2[i]) * 64 + box.index(CODE2[i+1]) * 16 + box.index(CODE2[i+2]) * 4 + box.index(CODE2[i+3])print(chr(t), end='')
# flag{725008a5e6e65da01c04914c476ae087}

R2-DontTouchMe - DONE

W1-little_game - DONE

js代码小游戏。找到success()函数，在浏览器中F12，在控制台下运行一下即可得到flag:

arr='1234567890qwertyuiopasdfghjklzxcvbnm{}-'
index = [23,28,20,24,36,1,3,7,6,3,38,2,8,9,5,7,21,38,9,3,6,18,22,38,26,16,6,18,15,37]
s = ''
for i in index:s += arr[i]print(s)
# flag{24874-39068s-047od-ju7oy}

W2-justppb - DONE

题目提示：使用Burp。

题目给了一个登录框，输入admin等常规的账号名时，提示用户名错误。

【考点】：使用Burp中自带的字典、密码。

爆破成功后，登录即显示flag. 【坑】

W3-ezbbs -

一个jar。

W4-smart -

smarty反序列化漏洞利用。

赛后评价：

1 - 线下赛，现场不提供零食，中午却可以一起就餐…

2 - 题目质量嘛：呵呵，

（1）W2-justppb

考点是Burp自带的用户名、密码字典，这个。

我现场用自己的fuzz字典、爆破的字典，居然都不行。哎，痛失5分。

（2）M3-我我我是谁

这个题硬是不知道怎么做。听大佬说，是他们用自己团队的一个脚本自动跑出来的。

哎！

（3）C1-比64少的base, C2-affine：

这2题是拿来当省级赛事的吗？

（4）M2-simpleUSB

原题。HWS第七期夏令营（硬件安全营）预选赛wp Misc1

（5）其他

反正不会做了。