Title: 2024 College Network Security Management Operation and Maintenance Competition wp

0x00 Introduction

This article is a detailed write-up of the "2024 College Network Security Management Operation and Maintenance Competition". It covers the solving process for challenges in several categories (Web, Pwn, Re, Misc and Algorithm), including but not limited to phishing email recognition, traffic analysis, SQLite file analysis, SSRF, XXE and so on. If there are any errors, please point them out.

0x01 Misc

Sign-in

A GIF is given; split it into frames with an online tool.

This gives synt{fvtava-dhvm-jryy-qbar}. It looks like a Caesar shift, so decode it directly with ROT13:

flag{signin-quiz-well-done}

Phishing email recognition

An .eml email file is given. It can be viewed with an email client or opened directly as text (which may be troublesome).

Flag 1

Decoding the base64 directly gives flag{wElCoMeTo}

Flag 2

The following content is base64-encoded:

Decode it and check the result: flag{phIsHhuntINg}
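The two flags above were hidden in base64-encoded body parts of the .eml file. As an added example (written for this write-up, not the author's own script or the competition file), the following Python uses the standard library's email module to build a constructed phishing-style message with base64 parts, then parses it the way an analyst would: decode every text part, pull out the sender and Reply-To domains, and search the decoded text for flag-shaped strings. The addresses, domains and flag values in the sample are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

FLAG_RE = re.compile(r"flag\{[^}]*\}")


def build_sample_eml() -> bytes:
    """Constructed phishing-style message (not the competition file): two base64 text
    parts and a Reply-To pointing somewhere other than the sender's domain."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <admin@foobar-edu-cn.com>"
    msg["To"] = "student@example.edu"
    msg["Reply-To"] = "helpdesk@reply-collector.example"
    msg["Subject"] = "Urgent: your password expires today"
    msg.set_content("Reset your password now.\nflag{cOnStRuCtEd_1}\n", cte="base64")
    msg.add_alternative("<html><body><p>Reset now: flag{cOnStRuCtEd_2}</p></body></html>",
                        subtype="html", cte="base64")
    return msg.as_bytes()


def analyze_eml(raw: bytes) -> dict:
    """Parse an .eml, decode every text part (base64 or otherwise) and report the
    sender/reply domains plus anything that looks like a flag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower()

    flags, encodings = [], []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip the multipart container itself
        encodings.append(str(part.get("Content-Transfer-Encoding", "7bit")).lower())
        # get_content() undoes the transfer encoding and charset for us
        flags.extend(FLAG_RE.findall(part.get_content()))

    return {
        "sender_domain": sender_domain,
        "reply_to_domain": reply_domain,
        # a Reply-To on a different domain is a classic phishing indicator
        "reply_to_mismatch": bool(reply_domain) and reply_domain != sender_domain,
        "encodings": encodings,
        "flags": flags,
    }


if __name__ == "__main__":
    print(analyze_eml(build_sample_eml()))
```

Because the bodies are base64-encoded, the literal string flag{ never appears in the raw file, which is why the flags only show up after decoding; the sender domain the function returns is the same value the next section feeds into DNS lookups.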

Flag 3

The rest of the .eml file contains no flags, so the only lead left is the sender's domain name.

Check the DNS resolution records; here the 360 Threat Intelligence Center is used:

https://ti.360.net/domain/foobar-edu-cn.com

(This intelligence center records the resolution history generated during the competition, so the flag can be obtained just by looking at the subdomain information.)

The regular query process is as follows.

Besides third-party services, the nslookup tool that ships with Windows can also be used to view the domain's TXT records:

nslookup -qt=txt foobar-edu-cn.com

According to the hint, find the resolution records of subdomains under this domain and splice the complete flag together from three parts.

Because the domain was registered abroad, many domestic (Chinese) lookup sites cannot resolve it, so foreign sites have to be tried one by one.

spf: https://www.virustotal.com/gui/domain/spf.foobar-edu-cn.com/details

default._domainkey: https://dnsspy.io/scan/foobar-edu-cn.com

_dmarc: https://www.misk.com/tools/#dns/_dmarc.foobar-edu-cn.com

Get the three parts separately and splice them together to obtain the flag:

flag_part1={N0wY0u

flag_part2=_Kn0wH0wt0_

flag_part3=ANAlys1sDNS}

flag{N0wY0u_Kn0wH0wt0_ANAlys1sDNS}

In fact, those three subdomains correspond to the email authentication protocols SPF, DKIM and DMARC, each providing its own service for the mail server.

https://help.aliyun.com/document_detail/2685946.html
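The three records the challenge hid the flag in are the same TXT records a defender reads when checking a domain's mail authentication. As an added example (not part of the original write-up), the Python below parses SPF, DKIM and DMARC records the way they were found here (TXT at spf.<domain>, default._domainkey.<domain> and _dmarc.<domain>) and grades the result, with a second weakly configured domain for contrast. The zone data, the weak.example domain, the IP ranges and the DKIM key value are all constructed; lookup_txt is an offline stand-in for the nslookup query shown above, not a real resolver.

```python
# Constructed TXT zone data: a stand-in for what nslookup / the lookup sites returned.
CONSTRUCTED_TXT = {
    "spf.foobar-edu-cn.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"],
    "default._domainkey.foobar-edu-cn.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQPLACEHOLDER"],
    "_dmarc.foobar-edu-cn.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@foobar-edu-cn.com; pct=100"],
    # a second, weakly configured domain for contrast (also constructed)
    "spf.weak.example": ["v=spf1 ip4:198.51.100.0/24 ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}


def lookup_txt(name, zone=CONSTRUCTED_TXT):
    """Offline stand-in for `nslookup -qt=txt <name>`: the TXT strings for a name."""
    return zone.get(name.lower().rstrip("."), [])


def parse_tags(record):
    """DKIM and DMARC records are 'tag=value; tag=value' lists."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(record):
    """Return the SPF mechanisms and the qualifier on the final 'all'
    ('-' hard fail, '~' soft fail, '?' neutral, '+' or none = pass)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier = None
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"mechanisms": terms[1:], "all": all_qualifier}


def assess_mail_auth(domain, selector="default"):
    """Pull the three records at the names the challenge used and grade them.
    (Real receivers read SPF from the apex name; the challenge published it on spf.<domain>.)"""
    findings = {"weak": []}

    spf_records = lookup_txt(f"spf.{domain}")
    spf = parse_spf(spf_records[0]) if spf_records else None
    findings["spf_all"] = spf["all"] if spf else None
    if not spf or spf["all"] in (None, "+", "?"):
        findings["weak"].append("spf does not fail unauthorised senders")

    dkim_records = lookup_txt(f"{selector}._domainkey.{domain}")
    dkim = parse_tags(dkim_records[0]) if dkim_records else {}
    findings["dkim_key_present"] = bool(dkim.get("p"))
    if not dkim.get("p"):
        findings["weak"].append(f"no DKIM public key published for selector {selector}")

    dmarc_records = lookup_txt(f"_dmarc.{domain}")
    dmarc = parse_tags(dmarc_records[0]) if dmarc_records else {}
    findings["dmarc_policy"] = dmarc.get("p")
    if dmarc.get("p") not in ("quarantine", "reject"):
        findings["weak"].append("dmarc policy does not enforce")

    return findings


if __name__ == "__main__":
    for d in ("foobar-edu-cn.com", "weak.example"):
        print(d, assess_mail_auth(d))
```

The same three parsers work on records pulled from a real resolver; only lookup_txt needs to be replaced.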

easyshell

A pcap capture is given. A POST request to shell.php is immediately visible, which should be command execution after a webshell was uploaded.

Filter for HTTP streams to confirm the guess above.

Following the HTTP stream, the POST content is encrypted. Combining the challenge name with the traffic characteristics of Behinder (冰蝎, "Ice Scorpion") 4.0, it is guessed that this is a Behinder webshell.

Behinder traffic characteristics:

Accept: application/json, text/javascript, */*; q=0.01
Content-type: application/x-www-form-urlencoded
Connection: Keep-Alive
...

Behinder 4.0 uses AES encryption; the default key is e45e329feb5d925b, i.e. the first 16 characters of md5('rebeyond').

Behinder 3.0's default password is also e45e329feb5d925b; see behind_decrypt/decropt.php in melody27/behinder_decrypt on GitHub.
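The header combination listed above is what lets a defender spot this traffic without decrypting it. As an added example (written for this write-up, not from the original post or the Behinder project), the Python below encodes those fingerprint features as detection logic, runs it over a few constructed HTTP requests, and derives the default key from the connect password in the way described above. The sample requests are constructed, not packets from the capture; the first one's body is a base64 blob sized to whole AES blocks, which is what an encrypted Behinder body looks like.

```python
import base64
import binascii
import hashlib

BEHINDER_ACCEPT = "application/json, text/javascript, */*; q=0.01"

# Constructed requests (not packets from the writeup's pcap).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/shell.php",
     "headers": {"Accept": BEHINDER_ACCEPT,
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Connection": "Keep-Alive"},
     "body": base64.b64encode(bytes(range(48))).decode()},   # 48 bytes = 3 AES blocks
    {"method": "POST", "path": "/login.php",
     "headers": {"Accept": "text/html,application/xhtml+xml",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Connection": "keep-alive"},
     "body": "user=alice&pass=s3cret"},
    {"method": "GET", "path": "/index.php",
     "headers": {"Accept": "text/html", "Connection": "keep-alive"},
     "body": ""},
]


def default_behinder_key(connect_password="rebeyond"):
    """The AES key is the first 16 hex characters of the MD5 of the connect password."""
    return hashlib.md5(connect_password.encode()).hexdigest()[:16]


def looks_like_aes_blob(body):
    """True for a bare base64 body (no key=value form fields) that decodes to whole AES blocks."""
    if not body or "&" in body or "=" in body.rstrip("="):
        return False
    try:
        raw = base64.b64decode(body, validate=True)
    except (ValueError, binascii.Error):
        return False
    return len(raw) > 0 and len(raw) % 16 == 0


def behinder_indicators(req):
    """Return the list of Behinder fingerprint features present in one HTTP request."""
    h = {k.lower(): v for k, v in req["headers"].items()}
    hits = []
    if req["method"] == "POST" and h.get("accept", "") == BEHINDER_ACCEPT:
        hits.append("accept")
    if h.get("content-type", "").lower().startswith("application/x-www-form-urlencoded"):
        hits.append("content-type")
    if h.get("connection", "").lower() == "keep-alive":
        hits.append("connection")
    if looks_like_aes_blob(req.get("body", "")):
        hits.append("aes-sized base64 body")
    return hits


def flag_suspicious(requests, threshold=3):
    """Paths whose requests match at least `threshold` indicators; a normal form POST
    shares content-type and connection, so the Accept value and body shape decide."""
    return [r["path"] for r in requests if len(behinder_indicators(r)) >= threshold]


if __name__ == "__main__":
    print("default key:", default_behinder_key())
    for r in SAMPLE_REQUESTS:
        print(r["path"], behinder_indicators(r))
    print("suspicious:", flag_suspicious(SAMPLE_REQUESTS))
```

Content-Type and Connection alone match ordinary form posts, so the score only becomes meaningful together with the exact Accept string and the block-sized base64 body; that is the same reasoning the write-up applies by eye.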

Try decoding starting from the last response packet and working backwards.

Note that in CyberChef's AES-CBC mode the IV cannot be left empty, but no offset is needed here, so fill it with zeros.

Find one that has content.

Look at what the request packet asks for. Putting in the decoded result, you can see that it is reading the file secret2.txt.

secret2.txt

Hello, but what you're looking for isn't me.

Then find the key content in the earlier response packet.

It is a zip archive; save it directly.

Inspect the zip: it contains secret1.txt and secret2.txt, and a password is required.

Combining the known content of secret2.txt, we can run a known-plaintext attack.

First write secret2.txt with the known content and compress it into a zip, making sure the compression algorithm is the same as the original archive's.

Start the plaintext attack. A small trick: stop when it shows that it is retrieving the password, click Save in the pop-up window, and then decompress.

Get flag{70854278-ea0c-462e-bc18-468c7a04a505}
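The step that most often goes wrong in the procedure above is the "same compression algorithm" requirement: a known-plaintext attack on ZipCrypto needs the reference archive to reproduce the original's compressed bytes, so the member must have the same CRC (same plaintext), the same method and the same compressed size. As an added example (written for this write-up, not the author's tooling), the Python below reads both archives' central directory with the standard zipfile module and reports whether they are compatible before any attack tooling is started. The archives are constructed in memory; the known text is the secret2.txt content quoted above.

```python
import io
import zipfile

KNOWN_PLAINTEXT = b"Hello, but what you're looking for isn't me.\n"   # content of secret2.txt above
_METHODS = {"deflate": zipfile.ZIP_DEFLATED, "stored": zipfile.ZIP_STORED}
_NAMES = {zipfile.ZIP_DEFLATED: "deflate", zipfile.ZIP_STORED: "stored", 99: "winzip-aes"}


def make_zip(files, method="deflate"):
    """Build an (unencrypted) archive in memory; stands in for the reference zip you write yourself."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=_METHODS[method]) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def archive_members(data):
    """Per-member facts from the central directory; readable even when the data is encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [
            {"name": zi.filename,
             "method": _NAMES.get(zi.compress_type, str(zi.compress_type)),
             "encrypted": bool(zi.flag_bits & 0x1),   # general-purpose bit 0
             "crc": zi.CRC,                            # CRC-32 of the *plaintext*
             "compress_size": zi.compress_size}
            for zi in zf.infolist()
        ]


def kpa_compatible(encrypted_zip, reference_zip, member):
    """Can `reference_zip` serve as known plaintext for `member` of `encrypted_zip`?"""
    enc = {m["name"]: m for m in archive_members(encrypted_zip)}
    ref = {m["name"]: m for m in archive_members(reference_zip)}
    if member not in enc or member not in ref:
        return False, "member missing from one archive"
    e, r = enc[member], ref[member]
    if e["crc"] != r["crc"]:
        return False, "plaintext differs (CRC mismatch)"
    if e["method"] == "winzip-aes":
        return False, "member uses AES, not ZipCrypto; known-plaintext does not apply"
    if e["method"] != r["method"]:
        return False, f"compression method differs: {e['method']} vs {r['method']}"
    # ZipCrypto prepends a 12-byte encryption header, counted in compress_size
    expected = r["compress_size"] + (12 if e["encrypted"] else 0)
    if e["compress_size"] != expected:
        return False, "compressed size differs (different deflate level or tool?)"
    return True, "ok"


if __name__ == "__main__":
    original = make_zip({"secret2.txt": KNOWN_PLAINTEXT}, "deflate")
    reference = make_zip({"secret2.txt": KNOWN_PLAINTEXT}, "stored")
    print(archive_members(original))
    print(kpa_compatible(original, reference, "secret2.txt"))
```

If the check reports a size mismatch with matching CRC and method, the original was usually produced by a different tool or deflate level; rebuild the reference with that tool rather than reaching for a password attack.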

SecretDB

The challenge gives a SQLite db file; opening it only shows "Too late, no flag for you".

The deleted records need to be recovered. No tool could be found that recovers them directly (either nothing comes back or the output is garbled), so try extracting them manually.

Reference: https://www.cnblogs.com/jiangcsu/p/6569045.html

The key point is the structure inside a cell.

Open secret.db in 010 Editor and locate the flag table; the part below the red box is the previously deleted data.

From the structure of the flag table above, the columns are id, sort and message: sort is the index used for ordering, and message holds a visible character. So we can simply read off the visible characters in the figure above (the message values); the byte right before each one is its sort value. For example, the visible character 9 is 0x39 in hex, and the byte before it is 0e, so the value at index 0x0e is 9.
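To make that cell layout concrete, here is an added example (written for this write-up, not the author's script or the competition file). It builds a small secret.db with the same flag(id, sort, message) layout using Python's sqlite3 module, then parses the table's b-tree leaf page by hand with the varint and serial-type rules of the SQLite file format. The decoded record body is just the sort byte immediately followed by the message text, which is exactly what the hex view shows. The sample rows are constructed. The parser walks only live cells; deleted rows usually linger in the page's free space until overwritten, and that residue is what the manual carving below reads.

```python
import os
import sqlite3
import struct
import tempfile


def read_varint(buf, pos):
    """SQLite varint: big-endian, 7 bits per byte with the high bit as a continuation
    flag; a 9th byte, if reached, contributes all 8 bits."""
    value = 0
    for i in range(8):
        b = buf[pos + i]
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9


def decode_column(serial_type, buf, pos):
    """Decode one column of a record body according to its serial type."""
    if serial_type == 0:
        return None, pos                      # NULL (also what an INTEGER PRIMARY KEY stores)
    if 1 <= serial_type <= 6:
        size = (1, 2, 3, 4, 6, 8)[serial_type - 1]
        return int.from_bytes(buf[pos:pos + size], "big", signed=True), pos + size
    if serial_type == 7:
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if serial_type in (8, 9):
        return serial_type - 8, pos           # the constants 0 and 1 take no body bytes
    if serial_type >= 12:
        size = (serial_type - 12) // 2 if serial_type % 2 == 0 else (serial_type - 13) // 2
        chunk = bytes(buf[pos:pos + size])    # even = BLOB, odd = TEXT
        return (chunk if serial_type % 2 == 0 else chunk.decode("utf-8", "replace")), pos + size
    raise ValueError(f"reserved serial type {serial_type}")


def parse_record(buf, pos):
    """Record = header (its own length varint, then one serial-type varint per column)
    followed by the body. Returns (values, raw body bytes)."""
    header_len, p = read_varint(buf, pos)
    header_end = pos + header_len
    serial_types = []
    while p < header_end:
        st, p = read_varint(buf, p)
        serial_types.append(st)
    values, p = [], header_end
    for st in serial_types:
        v, p = decode_column(st, buf, p)
        values.append(v)
    return values, bytes(buf[header_end:p])


def parse_table_leaf_page(db, page_number):
    """Walk the cell pointer array of a table b-tree leaf page (type 0x0D)
    and decode every live cell as (rowid, values, body)."""
    page_size = struct.unpack(">H", db[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    page = db[(page_number - 1) * page_size:page_number * page_size]
    hdr = 100 if page_number == 1 else 0     # page 1 starts with the 100-byte file header
    if page[hdr] != 0x0D:
        raise ValueError("not a table b-tree leaf page")
    n_cells = struct.unpack(">H", page[hdr + 3:hdr + 5])[0]
    rows = []
    for i in range(n_cells):
        off = struct.unpack(">H", page[hdr + 8 + 2 * i:hdr + 10 + 2 * i])[0]
        _payload_len, p = read_varint(page, off)   # cell = payload length, rowid, record
        rowid, p = read_varint(page, p)
        values, body = parse_record(page, p)
        rows.append((rowid, values, body))
    return rows


def build_sample_db(rows):
    """Constructed secret.db with the writeup's table shape; not the competition file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE flag(id INTEGER PRIMARY KEY, sort INTEGER, message TEXT)")
        con.executemany("INSERT INTO flag(id, sort, message) VALUES (?, ?, ?)", rows)
        con.commit()
        con.close()
        with open(path, "rb") as f:
            return f.read()


def demo():
    db = build_sample_db([(1, 0x0E, "9"), (2, 0x17, "-"), (3, 0x10, "3")])
    return parse_table_leaf_page(db, 2)      # page 1 = sqlite_master, page 2 = flag table root


if __name__ == "__main__":
    for rowid, values, body in demo():
        print(rowid, values, body.hex())
```

The id column is stored as NULL in the record because it aliases the rowid, so the body of each cell is only two bytes: the sort value (serial type 1, one signed byte) followed by the one-character message (serial type 15, one byte of text), which is the "sort byte right before the visible character" pattern used above.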

So extract the remaining values in turn:

0x17 -
0x0 f
0xe 9
0x1b 7
0x10 3
0xa b
0x19 2
0x14 b
0xf 2
0x12 -
0x23 4
0x16 6
0x1f a
0x25 8
0x2 a
0x1e
0x5 f
0x3 g
0x11 c
0xc 0
0x4 {
0x22 a
0x21 b
0x7 2
0x1d f
0x26 f
0x1c -
0x9 1
0x27 0
0xd -
0xb
0x8 9
0x1 l
0x13 4
0x29 }
0x15 a
0x28 b
0x6 6
0x1a d
0x24 e
0x20 b

Write a script to sort them and output the flag:

with open('1.txt', 'r') as f:
    data = f.readlines()

out = [' ' for i in range(42)]        # one slot per index 0x0 .. 0x29
for line in data:
    parts = line.split()              # "0xe 9" -> ['0xe', '9']
    if len(parts) < 2:                # lines with no value keep their blank slot
        continue
    index, val = parts[0], parts[1]
    out[int(index, 16)] = val

flag = ''
for index, ch in enumerate(out):
    print(hex(index), ch)
    flag += ch
print(flag)
# flag{f6291bf0-923c-4ba6- 2d7-ffabba4e8f0b}

One character is missing; brute-force it to get flag{f6291bf0-923c-4ba6-82d7-ffabba4e8f0b}

Gateway

The gateway's source code is given; index.html shows the product name HS8145V.

Looking for the password, there is a string of digits in cgi-bin/baseinfoSet.json:

10611210110712710110449575653565456495151105561031064956505610310256521011041021055310153102129

Searching for cgi-bin/baseinfoSet.json turns up:

https://github.com/iheshime/ChinaTelecom-ESurfing-Gateway-HG260-Admin-Password-Algorithm

It turned out to be the common encoding algorithm for gateway administrator passwords, so the script only needed slight modification.

exp.py:

def tokenize(code: str) -> list:
    # Assumption (added when restoring this listing): the separator in the original
    # code.split(...) was lost when the page was extracted, so the digit string is split
    # greedily instead. Encoded values are ASCII codes with 4 added to everything above
    # '9' (57), so a 3-digit token in 100..130 is a shifted letter or punctuation and
    # everything else is a 2-digit token.
    tokens, i = [], 0
    while i < len(code):
        if i + 3 <= len(code) and 100 <= int(code[i:i + 3]) <= 130:
            tokens.append(int(code[i:i + 3]))
            i += 3
        else:
            tokens.append(int(code[i:i + 2]))
            i += 2
    return tokens


def passwd_decode(code) -> str:
    result = []
    for i in tokenize(code):
        if 97 <= i <= 100 or 65 <= i <= 68:
            i += 22
        elif i > 57:
            i -= 4
        result.append(chr(i))
        # print(i, chr(i))
    return ''.join(result)


passwd = passwd_decode('10611210110712710110449575653565456495151105561031064956505610310256521011041021055310153102129')
print(passwd)
# flag{ad1985868133e8cf1828cb84adbe5a5b}

# Alternative form from the same session, with only the "i > 57: i -= 4" branch
# (the json field read 'baseinfoSet_TELECOMPASSWORD': '1147355110693753113'):
# code = '10611210110712710110449575653565456495151105561031064956505610310256521011041021055310153102129'[:-1]
# list = map(int, code.split(''))   # separator lost in extraction, as above
# result = []
# for i in list:
#     if i > 57:
#         i -= 4
#     result.append(chr(i))
# print(''.join(result))
# flag{ad1985868133e8cf1828cb84adbe5a5b}

zip

#include <arpa/inet.h>
#include <sys/wait.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <pty.h>

char token[1024], buf[1024];

void load() {
    FILE *f = fopen("token.txt", "r");
    fgets(token, sizeof(token), f);
    token[64] = 0; // maybe 64 bytes is enough
    fclose(f);
}

int cmmpstr(char const *a, char const *b) {
    return memcmp(a, b, strlen(a));
}

void zip(char *password) {
    int master, pid;
    pid = forkpty(&master, NULL, NULL, NULL);
    if (pid == 0) {
        char *argv[] = { "7z", "a", "flag.zip", "tmp/flag.txt", "-mem=AES256", "-p", NULL };
        execve("/usr/bin/7z", argv, NULL);
    } else {
        char buffer[4097];
        while (true) {
            ssize_t n = read(master, buffer, 4096);
            if (n <= 0) break;
            fflush(stdout);
            write(1, buffer, n);
            buffer[n] = 0;
            /* the listing is cut off here on the original page */
