2022中国海洋大学校赛WriteUp

Web

你比香农都牛逼

直接看源码124.221.190.49/assets/index.9c4d6006.js

控制台运行：flag{blue-whalerdle}

very old php game

old php game

Baby Unserialize

利用=&对变量进行引用

<?php

require_once "flag.php";

class Foo
{
    private $i_am_flag;
    public $i_am_not_flag;

    public function __construct() {
        $this->i_am_not_flag =& $this->i_am_flag;
    }

    // public function __destruct()
    // {
    //     // You want my flag? There you are.
    //     global $flag;
    //     $this->i_am_flag = $flag;

    //     echo $this->i_am_not_flag;
    // }

    // public function __wakeup()
    // {
    //     $this->i_am_not_flag = 'I am not flag!';
    // }
}

$a = new Foo;
// $a->i_am_not_flag =& $a->i_am_flag;
echo base64_encode(serialize($a));
//TzozOiJGb28iOjI6e3M6MTQ6IgBGb28AaV9hbV9mbGFnIjtOO3M6MTM6ImlfYW1fbm90X2ZsYWciO1I6Mjt9

企业级项目实训

Log4j2

Misc

缺了好多工具，慢慢补全吧

Checkin

simplepcap

wireshark，导出tcp链接的原始数据

再用ida逆一下

warmatap

每个案件对应不同的音符，听就行

出题人手抖多按了几个键，flag里别写就行了

bitjungle

盲水印可以解出另一个附件

里面是一个图，图里有个加密的压缩包，解不出来了

---

赛后听群里师傅说，在小黄鸭图片的末尾有点东西，于是拖出来看看，转为utf8编码后，才发现这么个东西

在线工具解一下：兽音译者在线编码解码 - 兽音翻译咆哮体加密解密 (iiilab.com)

解压缩，getflag

flag{bitjungle_@_2022ouc_security_competation}

ps：这广告最后还是没打好，flag就没几个师傅看见

问卷

略

Pwn

flag_in_stack

白给格式化字符串

%9$p%10$p%11$p%12$p%13$p%14$p

最后flag是

flag{22318482-897e-4e4a-9b99-b9389177f8f3}

Crypto

rsa0

网上有exp，用sage跑

n=99458509668079240764185524318888149882712572088614461971298107463369834453088459456711728470353911743012102202401459506420834538745340718629443665356118527820744084764722600596423213368145625200314910178619550190760027522939148808084672161717108834912031065957105792556025057670251126369910028034643093394503
c1=89197280386921965661197790711420784410262382208534132234085116791910615673169858527481477831574905081301421275552903510097047200583014062866861073549357212721466816307907010360542055607004721289805632304584130841060138244596306574846436860126904020143491716153319277054077200643464827586604236845487354987915
c2=45959797671430481467332101148072465819627575670155123389013237210739239421635837916637386390202868822695476269782607749447310008721672509747039543011018639490424678005705921693560042291238100913368239888847987849534236313165006247961048196341554357508978141969877614250433715368123748776872299192957911667056
RR.<x>=Zmod(n)[]
f=x**Integer(2)-(c1+c2)*x + c1*c2
f.small_roots(X=2^400)
#[38321129010650526466511322627534659186847622818705021]

Re

easyxor

xpu

脱壳，flag用base64加密了

asm_master

gcc -c main.S -o main.o

oh_my_python

$ uncompyle6 chall.pyc > chall.py

$ cat chall.py
# uncompyle6 version 3.8.0
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.8.10 (default, Mar 15 2022, 12:22:08)
# [GCC 9.4.0]
# Embedded file name: chall.py
# Compiled at: 2022-02-23 14:51:34


def chall():
    flag = input()
    l = 'CKNOPWY_acfghkloruwy{}'
    index = [10, 14, 8, 11, 20, 0, 8, 2, 7, 6, 3, 17, 7, 1, 3, 5, 2, 7, 12, 3, 5, 7, 4, 19, 9, 7, 18, 15, 16, 13, 21]
    answer = ''
    for i in index:
        answer += l[i]

    if flag == answer:
        print 'Right!'
    else:
        print 'No!'


if __name__ == '__main__':
    chall()
# okay decompiling chall.pyc