2023中国工业互联网安全大赛线下决赛

d7f807d4ee6957e9456eee87e167f6e

CTF题目

check_in

直接base64解码获取flag

ZmxhZ3tXM2xjMG02X0NIM2NLXzFOfQ==
flag{W3lc0m6_CH3cK_1N}

DNS_Query

观察流量包

提取所有01字符串进行如下拼接

1111111010011110010010111111110000010011001100001101000001101110100010111100111010111011011101000001100011010101110110111010010100100011001011101100000100010110001001010000011111111010101010101010111111100000000101101101001000000000110110100111000101011010000011101110111001001101110011110001100111001101110110110011000101010010111101111001100110111111001111011011001101110001110001101010001010000101111001011010111111111100011001001011100110111110011101001111010110001110100001111001110001001111000001111101111110101100001101101110010111011101111000111011101101011100000000000101111100110000101001011111111010000000010100101101110001010011111110001010010101101011100100000100100001001001000100001011101011100111001111111001010111010111010110111100101001101110100100001100010000100111000001010101111100101111110111111110110110010000100010000

猜测这串01是一张29*29的黑白图片(按行排列,1为黑、0为白),将其转换成图片,使用如下脚本

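#!/usr/bin/env python
# Render the 0/1 string extracted from the DNS traffic as a 29x29 black/white
# bitmap (row-major, '1' = black, anything else = white) and save it as
# tmp.png so it can be scanned as a QR code.
try:
    from PIL import Image  # Pillow namespace
except ImportError:
    import Image  # legacy PIL namespace used by the original listing

width = 29
height = 29
pic = Image.new("RGB", (width, height))

image = "1111111010011110010010111111110000010011001100001101000001101110100010111100111010111011011101000001100011010101110110111010010100100011001011101100000100010110001001010000011111111010101010101010111111100000000101101101001000000000110110100111000101011010000011101110111001001101110011110001100111001101110110110011000101010010111101111001100110111111001111011011001101110001110001101010001010000101111001011010111111111100011001001011100110111110011101001111010110001110100001111001110001001111000001111101111110101100001101101110010111011101111000111011101101011100000000000101111100110000101001011111111010000000010100101101110001010011111110001010010101101011100100000100100001001001000100001011101011100111001111111001010111010111010110111100101001101110100100001100010000100111000001010101111100101111110111111110110110010000100010000"

# Fail early with a clear message instead of an IndexError halfway through
# the pixel loop when the bit string is shorter than the canvas.
if len(image) < width * height:
    raise ValueError(
        "bit string has %d characters, need at least %d for a %dx%d image"
        % (len(image), width * height, width, height)
    )

# Parenthesised single-argument print behaves the same on Python 2 and 3.
print(image[0])

BLACK = (0, 0, 0)
WHITE = (255, 255, 255)

for y in range(height):
    for x in range(width):
        # Row-major layout: the bit for pixel (x, y) sits at y * width + x.
        bit = image[y * width + x]
        pic.putpixel((x, y), BLACK if bit == '1' else WHITE)

pic.show()
pic.save("tmp.png")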

获得一个二维码图片

进行二维码扫描得到flag

flag{3a9e87ec-0507-45d4-a4ae-c493254ab340}

ObfSudan

Ida分析程序

image-20230714105817820

分析校验1

img

分析校验2,明显是数独行列及九宫格不重复的校验代码

img

因此编写对应脚本

Exp
from z3 import *
import sys

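def solve(puzzle):
    """Solve the 9x9 sudoku with extra "less than" constraints using z3.

    Args:
        puzzle: string in row-major order, one character per cell; a digit
            fixes that cell and a space (' ') leaves it unknown.

    Returns:
        The z3 model for the 81 integer variables named "0".."80", or None
        when the constraints are not satisfiable.
    """
    grid = [Int(str(i)) for i in range(81)]
    s = Solver()

    # Ordering constraints between cells: (a, b) means grid[a] < grid[b].
    # NOTE(review): presumably transcribed from the first check shown in the
    # write-up's IDA screenshots; the page does not show that code as text.
    less_than = [
        (0, 1), (2, 3), (5, 4), (9, 0), (2, 11), (14, 5), (10, 11),
        (15, 14), (19, 10), (13, 22), (24, 15), (18, 19), (21, 22),
        (25, 24), (27, 18), (21, 30), (34, 25), (30, 29), (35, 34),
        (38, 29), (35, 44), (37, 38), (43, 42), (36, 45), (51, 42),
        (50, 51), (45, 46), (46, 55), (50, 59), (53, 62), (55, 56),
        (58, 59), (62, 61), (56, 65), (58, 67), (61, 70), (65, 66),
        (69, 70), (66, 75), (78, 69), (71, 80), (75, 76), (78, 77),
        (80, 79),
    ]
    for a, b in less_than:
        s.add(grid[a] < grid[b])

    # Pin the cells that the puzzle string already gives.
    for i in range(len(puzzle)):
        if puzzle[i] != ' ':
            s.add(grid[i] == int(puzzle[i]))

    # Every cell holds a digit 1..9.
    for cell in grid:
        s.add(cell > 0, cell < 10)

    # Rows and columns contain no repeated digit.
    for i in range(9):
        across = [grid[(9 * i) + j] for j in range(9)]
        down = [grid[i + (9 * j)] for j in range(9)]
        s.add(Distinct(across))
        s.add(Distinct(down))

    # Each 3x3 box contains no repeated digit.
    for q in range(3):
        for p in range(3):
            square = []
            for i in range(3):
                for j in range(3):
                    index = (q * 27) + (p * 3) + (i * 9) + j
                    square.append(grid[index])
            s.add(Distinct(square))

    # check() returns a CheckSatResult object, which is truthy for unsat and
    # unknown as well; compare against sat so model() is only called when a
    # model exists.
    if s.check() == sat:
        return s.model()
    return None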

def draw(grid):
    """Print a solved board as nine '|'-delimited rows.

    *grid* is iterated for its keys; the string form of each key must be the
    cell index ("0".."80") and grid[key] is the value printed for that cell.
    The model returned by solve() is passed here.
    """
    cells = {int(str(key)): grid[key] for key in grid}
    for row in range(9):
        line = "|" + "".join(
            str(cells[(9 * row) + col]) + "|" for col in range(9)
        )
        print(line)

def draw_puzzle(puzzle):
    """Print the first 81 characters of *puzzle* as a 9x9 board.

    Cells are read by index, so a string shorter than 81 characters raises
    IndexError.
    """
    for start in range(0, 81, 9):
        row = [str(puzzle[start + col]) for col in range(9)]
        print("|" + "|".join(row) + "|")

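if __name__ == "__main__":
    # No digits are given: all 81 cells are unknown. The listing on the page
    # shows a single space here, presumably 81 spaces collapsed by the page
    # rendering; draw_puzzle() indexes 81 cells, so one space raises IndexError.
    puzzle = " " * 81
    draw_puzzle(puzzle)
    print("")
    print("-" * 30)
    print("")
    solution = solve(puzzle)
    if solution is None:
        # solve() signals "no model" with None; draw() cannot iterate it.
        sys.exit("no solution found")
    draw(solution)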

结果

image-20230714105921076

EzException

在程序中根据关键字符串可以找到如下内容,分别对输入长度和输入字符进行限制

image-20230714105940046

image-20230714105945644

Ida分析发现有异常处理,简单写两个jmp,得到如下代码

image-20230714105954502

可知将输入作为下标去140007050处取数据进行计算,最后和140007160进行比较,变形过程通过移位将对应位进行加操作形成结果的对应位,说白了就是异或操作,简单写个脚本

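# str1 is the 256-entry lookup table indexed by the input byte and str2 the 32
# expected result bytes; per the write-up they are the data at 140007050 and
# 140007160 in the binary.
str1 = [0xDB, 0x80, 0x99, 0xE6, 0xBC, 0xD2, 0x1E, 0x23, 0xBE, 0xA5, 0x5D, 0x17, 0xBF, 0x9B, 0x13, 0x20, 0x49, 0xDA, 0x8F, 0xF0, 0x81, 0xB1, 0x06, 0xFA, 0x93, 0xFB, 0xEB, 0xAB, 0xE3, 0x67, 0x59, 0x3D, 0x26, 0x6E, 0x9E, 0x78, 0x22, 0x4D, 0xA8, 0x8C, 0x03, 0xE7, 0x9A, 0xA4, 0x74, 0x3F, 0xD9, 0x35, 0x92, 0x89, 0x7C, 0x12, 0x50, 0x7D, 0x5F, 0x10, 0x64, 0xE4, 0x77, 0x2D, 0x8A, 0xB5, 0xCB, 0xCC, 0x47, 0xB9, 0x11, 0x6B, 0xBA, 0x2E, 0xD0, 0x98, 0xF1, 0x56, 0x5C, 0x79, 0x0F, 0x54, 0xAC, 0xB0, 0x73, 0xCE, 0x75, 0x1A, 0xFC, 0xA0, 0x90, 0x94, 0x66, 0x07, 0x31, 0x82, 0x5E, 0xB7, 0x38, 0xFF, 0xF8, 0xDD, 0xC8, 0xE0, 0x30, 0x72, 0x8B, 0xD7, 0x21, 0xCD, 0xF6, 0x91, 0x69, 0x36, 0x42, 0x09, 0x1F, 0xC0, 0x18, 0x4B, 0x25, 0x34, 0xF5, 0x9D, 0xB4, 0x60, 0x0E, 0x86, 0x33, 0xA2, 0xDC, 0xD4, 0x52, 0x8D, 0xC9, 0x16, 0x4A, 0x15, 0x7F, 0x83, 0xC2, 0x68, 0x14, 0x04, 0x08, 0xC4, 0x3C, 0xB2, 0x44, 0x4E, 0x63, 0x55, 0xE2, 0xF2, 0xEF, 0x00, 0x3B, 0x0C, 0x5B, 0x45, 0x6A, 0x2C, 0x19, 0x3E, 0x70, 0xEE, 0xA6, 0xA9, 0x62, 0x37, 0x6D, 0x6F, 0x76, 0x43, 0xB6, 0xC6, 0x41, 0x65, 0x0D, 0x5A, 0x2F, 0xB3, 0x51, 0x1C, 0x95, 0x3A, 0xA1, 0xAD, 0xF4, 0xCA, 0x71, 0x28, 0x0B, 0xED, 0xA3, 0xAF, 0x9F, 0xD1, 0xC3, 0x29, 0x46, 0xEC, 0x58, 0x1D, 0xAE, 0x6C, 0x9C, 0xD3, 0xCF, 0xBB, 0x0A, 0xA7, 0x53, 0xE5, 0x96, 0xB8, 0xEA, 0x87, 0x02, 0x7A, 0xC5, 0x61, 0xE9, 0x2B, 0x8E, 0xD8, 0xAA, 0xF7, 0xBD, 0x97, 0x85, 0xE1, 0xFD, 0x24, 0xFE, 0xC7, 0x27, 0x32, 0xD6, 0x88, 0x7B, 0x4C, 0x84, 0xC1, 0x01, 0xF3, 0xE8, 0x4F, 0xDF, 0x05, 0x48, 0xF9, 0x2A, 0x1B, 0xDE, 0x57, 0x40, 0x39, 0x7E, 0xD5]

str2 = [0x48, 0x4E, 0x83, 0x48, 0xDD, 0x4E, 0x4E, 0xBC, 0x64, 0xED, 0x69, 0xED, 0x54, 0xDD, 0x83, 0x54, 0xED, 0xB8, 0xAA, 0xDD, 0xDD, 0x64, 0xED, 0x83, 0x48, 0x4E, 0xB8, 0xA2, 0xB8, 0xDD, 0xED, 0x48]

# The input is restricted to the characters '0'-'9' and 'a'-'f'. Each input
# byte j is transformed as j ^ str1[j], so build the reverse mapping once
# instead of re-scanning the candidates for every output byte.
candidates = list(range(0x30, 0x3A)) + list(range(97, 103))
inverse = {}
for j in candidates:
    # setdefault keeps the lowest matching j, as a first-match search would.
    inverse.setdefault(j ^ str1[j], chr(j))

# A byte with no matching candidate contributes nothing to the result.
flag = ''.join(inverse.get(str2[i], '') for i in range(0x20))

# This is the string before the position shuffle described in the write-up
# (8-byte groups, reordered inside each group); the in-group order is only
# given as a screenshot on the page, so it is not applied here.
print(flag)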

得到

img

测试发现不对,进行调试,根据每轮结果可知调整了位置

img

这里经过调试得到验证顺序以8字节为一组,组内顺序如下

img

调整位置得到flag

img

runinroot

  1. 条件竞争上传shell,有禁用函数,用蚁剑弹shell

img

2.反弹shell

img

3.发现需要提权,在tmp目录下发现tomcat日志,猜测tomcat是以root身份运行的。防护上,Tomcat应以专用低权限账户运行,且其部署目录不应对其他Web服务账户可写。

简单写一个jsp马,本地开个web服务,用curl命令上传

img

curl tomcat服务拿到flag

img

cry3

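from gmpy2 import gcd
from Crypto.Util.number import long_to_bytes

# Values from the challenge: modulus n, two extra values k1/k2 and two
# ciphertexts c1/c2. Only n, k1 and c1 are used by this solution.
n = 9858036118742475059433629759400140149605427966433887001108914046633590983713890376353399251885596714047941627222518567515364827340623251995233155278723954926352575221234142199002389819918370754455018819109203109519495493316781422680537687252828642561153832774006286448224016306003631037545643746379044035822029246823483754854602215035869280453855199171915302879406862793807947285344105991067005185493038370882005106069286893165426035453262949739088328689761676541415552066845538243916687080015277379248062286846119847500455125785281216888979581104100416760176854106890525904804003871967844912776926419778292365918733
k1 = 4961356980843219227031667558158760111429474781353239042846946454889308337426649950562701556812878479419482114480334396560017050901408543482904510839046375272618911899662922000275482705215097956326853000314956770940510205507508883917322367747195211326932972446951696070952604655668087834669239815290687449340666091764203568518066586476150861542456340936303824392273004883320273039066213750777751436497551151274574369325153858390731248298056433816285354182588883715211738843801326831297181947562239993323202961410530072969013398669658073337273085171642258091164822631807295793886169033827781164115751086585872189121242
k2 = 8943660577405892997099415246000964332413663135286363632645590478753346989578467429954062835807609942851365774880023144520942029315601785638267996044694835031239940919206726351387647791985293576677117144309222345482756402074345845506698221273703274410853004407629888264128027446878663894377503365831077629911487977796118893231354280680598325548327444053575447407791091256260091884824630356121390983373431984667887019137026219503921285289004358685317477667095203722657823621429988685962573778350234701781053232256494914398637744373081735647622790113318562356606831868682912936768762749860591989864642992367932846710665
c1 = 4115578106197062017294044310891024039554438131787269391154862526142866937938155870549829472424386226484625850457327387070755337288822640509004443484397234720914851433620556887385729540499953724033259937785600491548446806766462413179765702810698096381537513314758346885921106310631278002150697458246447235914052771405341899822588463120295331632180131956205362147784798497203957828308109092025630961803808101730731656980785388965672073473370194469269645377465298620585379296063436880502566076330461976785816470877632107769103280243111778113065038163250625042092690628478547757779278811188187028242267396799577953511519
c2 = 1069417390392712224013484466911946251479515132512683148923109806683426116132220974153759944203026795479272077929265429391851629949467649257513543604050970026412281764244254971122378729482985044535740328359563865949603944075625096242664299209143911115287867129678168308056632406522013494918385694044348658310785409548526884085469813804712945302487796400392901241763662852123731910949146709219711388725430757562836225353975933990961286601256351973981732004724397292031523206145692402321288085912884435326461626793886145952474077975796841103796283781865005879515976167187625178845457630564285181509041968859289264784559

# The solution relies on k1 - 1 sharing a factor with n, so the gcd yields it.
# NOTE(review): the challenge source is not shown on the page; presumably
# k1 = 1 (mod q) for a prime factor q of n. Confirm against the task.
q = gcd(n, k1 - 1)

# Stop with a clear message if the gcd is trivial; otherwise the print below
# would output a meaningless value.
if q == 1 or q == n:
    raise SystemExit("gcd(n, k1 - 1) did not yield a proper factor of n")

# The write-up takes c1 modulo q to obtain the message bytes.
# NOTE(review): presumably c1 = m (mod q) with m < q; not verifiable from
# the page alone.
print(long_to_bytes(c1 % q))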

image-20230714110127469

工业场景题目

智慧仓储物流中心

利用后台任意文件读取拿到flag

img

智能汽车制造产线

shiro,然后上内存马

img

天然气官网监控平台

抓包改文件名,直接写入一句话getshell

img

获取flag

img

作者

丨greetdawn丨

发布于

2023-07-14

更新于

2023-07-14
