山东省“技能兴鲁”职业技能大赛——第五届山东省信息产业职业技能竞赛“网络与信息安全管理员”赛项 WP#
前段时间回济南参加了这个技能兴鲁,整体的题不算难,但是做题做爽了没来得及做理论,只做了50个题就草草截止了:300分的理论只拿了126……
Web3道 Re2道 Crypto3道 Misc3道,很遗憾一道Pwn都没看到,赛后老师说本来有一道但是没上,Pwn✌jj
Web#
Web1#
下载附件打开网址,f12搜索flag

Web2#
0解
Re#
Rev#
IDA打开就是flag

re2-asm#
用 010 Editor 打开附件,可以看到汇编源码(NASM 语法,x86-64 Linux 系统调用):

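;-----------------------------------------------------------------------
; re2-asm challenge listing
; Syntax: NASM (Intel operand order)      Target: x86-64 Linux, raw syscalls
;
; Prints a banner, decodes `encrypted` into `decrypted`, prints the result
; followed by a newline, then exits with status 0.
;
; Per-byte decode:
;       plain = (((cipher + ADD_KEY) / 2) - SUB_KEY) ^ XOR_KEY
;
; Loop registers:
;       rsi = next ciphertext byte      rdi = next output byte
;       ecx = bytes still to decode     eax = working value
;-----------------------------------------------------------------------
default rel

SYS_WRITE       equ 1
SYS_EXIT        equ 60
STDOUT          equ 1

ADD_KEY         equ 0x14
SUB_KEY         equ 0x0A
XOR_KEY         equ 0x23

section .data
encrypted       db 0x8A, 0x9E, 0x84, 0x88, 0xB0, 0xF6, 0x36, 0x2A, 0xF8, 0x84, 0xA0, 0x9C, 0xF8, 0xB6, 0x98, 0xA2, 0xF8, 0xA6, 0x9E, 0xAC, 0xA0, 0xF8, 0x34, 0x36, 0x28, 0xBC    ; ciphertext
len             equ $ - encrypted
msg             db "Decrypted flag: ", 0x0A
msg_len         equ $ - msg
newline         db 0x0A                 ; write() needs a buffer address, not the byte value itself

section .bss
decrypted       resb len

section .text
global _start
_start:
        ; write(STDOUT, msg, msg_len)
        mov     eax, SYS_WRITE
        mov     edi, STDOUT
        lea     rsi, [msg]
        mov     edx, msg_len
        syscall

        ; Set up the loop only after the syscall: `syscall` clobbers rcx and r11.
        mov     ecx, len
        lea     rsi, [encrypted]
        lea     rdi, [decrypted]

decrypt_loop:
        movzx   eax, byte [rsi]         ; zero-extend so no stale high bits reach the halving
        inc     rsi
        ; The arithmetic is done in 32 bits: two ciphertext bytes (0xF6, 0xF8)
        ; plus 0x14 exceed 0xFF, and an 8-bit add would discard that carry
        ; before the value is halved.
        add     eax, ADD_KEY
        shr     eax, 1                  ; unsigned divide by 2, remainder dropped
        sub     eax, SUB_KEY
        xor     eax, XOR_KEY
        mov     [rdi], al               ; result fits in one byte for every input byte
        inc     rdi
        dec     ecx
        jnz     decrypt_loop

        ; write(STDOUT, decrypted, len)
        mov     eax, SYS_WRITE
        mov     edi, STDOUT
        lea     rsi, [decrypted]
        mov     edx, len
        syscall

        ; write(STDOUT, &newline, 1)
        mov     eax, SYS_WRITE
        mov     edi, STDOUT
        lea     rsi, [newline]
        mov     edx, 1
        syscall

        ; exit(0)
        mov     eax, SYS_EXIT
        xor     edi, edi
        syscall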
payload:
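# Solver for re2-asm: apply the per-byte decode read from the assembly,
#     plain = (((cipher + 0x14) // 2) - 0x0A) ^ 0x23
# Python integers do not wrap at 8 bits, so cipher + 0x14 keeps the carry
# for the two bytes (0xF6, 0xF8) whose sum exceeds 0xFF.
s = [0x8A, 0x9E, 0x84, 0x88, 0xB0, 0xF6, 0x36, 0x2A, 0xF8, 0x84, 0xA0, 0x9C, 0xF8,
     0xB6, 0x98, 0xA2, 0xF8, 0xA6, 0x9E, 0xAC, 0xA0, 0xF8, 0x34, 0x36, 0x28, 0xBC]

# Parentheses spell out the evaluation order: in Python `^` binds looser
# than `+`, `//` and `-`, so the XOR is applied last.
flag = ''.join(chr((((c + 0x14) // 2) - 0x0A) ^ 0x23) for c in s)
print(flag)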

Misc#
一叶障目#
图片向下移即可看到flag

线索迷踪#
没寻思是空白十字处,我一直以为是我office卡了…………
打开线索迷影.zip看到SafeBox.docx,找到一个flag保险箱和保险箱密码,毫无疑问密码就在Excel里

打开后看到空白十字架


Th1s_1s_Sup4r_P@sswd!

暴破#
打开有一个txt和zip,很明显是带密码本的爆破,……不知道为啥比赛的时候用ARCHPR一直报错



Crypto#
Base#
直接base64解码

凯撒?撒凯#
base64解码

给了提示,反过来,然后再凯撒解码得到flag


easy_crypto#
求WP
源码:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from Crypto.Util.number import *
from flag import flag
# Encode the flag bytes as a single integer; it is used as the exponent in pow() further down.
m = bytes_to_long(flag)
def getpq(nbit):
    """Draw two random nbit-bit primes and return them as (larger, smaller)."""
    first = getPrime(nbit)
    second = getPrime(nbit)
    # Callers unpack the result as (p, q) and compute p - q, so the first
    # element must never be the smaller prime.
    return (first, second) if first > second else (second, first)
# Two 512-bit primes, p being the larger one.
p, q = getpq(512)

# P keeps only the low 130 bits of the (non-negative) difference p - q.
_low_130_bits = (1 << 130) - 1
P = (p - q) & _low_130_bits

n = p * q

# leak_p publishes the top 256 bits of the 512-bit prime p. Disclosing that
# much of a factor is a partial-key-exposure condition under which n should
# be treated as factorable; real key generation must never emit bits of p or q.
leak_p = p >> 256

# The flag integer m is the exponent; base and modulus are both derived from
# the primes: c = (1 + P*n)^m mod n^3.
c = pow(1 + P * n, m, n ** 3)

# Public challenge output, one "name = value" line each.
for _label, _value in (('n', n), ('leak_p', leak_p), ('c', c)):
    print(_label + ' =', _value)
#n = 96022622354138216950993943640136679876590769300247186019870115790739156671119183018435487609142107275707624919452563239472051147511141142786098113701959581659719783304684094252903712963326164189728364248859484066477729405696499665172100588530656287740233626599569177438068553008261997794524672130563832061821
#leak_p = 87147534324719852193727352973537697394970761650283676238538341320424184222614
#c = 2096558619334374529903764983127830761098995092050350175342396684702343173787623984370078839431845282431369372614965889902861545083878720902017875211789511143878798900889429365417889526842639509528090636708623982692396850504079433855327659337434100758137620348802364542810805754413841744536406642350286467602279602416684063869565079908354026842441418262760911874045100559005811623704484502277928942109305700225151242367617396198474996477605610030959049594614544293735932626840861744130664934089256855511009596588388873340943999703712066368260681167722895411328727406331139779257493631101987984851450524980758154778724662479083738271486098444885788635813656155742499147101436320660677944476842764657909768172508071412868473859364586732276656813505924347707585271422398403688598449382019560594775711611566827469293195877095517491899536517090342747460205285665124373087716521541

