本着已经有一届省一的奖项,二进制小登做完二进制也足以拿一等奖
的想法,这次线下几乎全程划水,Misc和Web究极滑铁卢,六个题就解了一个,再就是做了个密码,做了个数据安全
同样,参考0RAYS公众号,有相对完整的Writeup:https://mp.weixin.qq.com/s/eQlZeeUigFIF-xQCTrs88Q
Misc
FinalSignin
没看懂
恭喜你来到这里,你能解开下面的秘密吗?
2c243f2f3b3114345d0a0909333f06100143023b2c55020912
- snow隐写得到 `helloworld`,以它为密钥与这串hex循环异或得flag
天命人
- 首先,没看到提示,但是发现了6个文件的拼接方式,按顺序每个文件依次取字节拼接
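# Rebuild data.zip by interleaving the six fragment files byte by byte, in
# this fixed order: byte i of every fragment is emitted before byte i + 1 of
# any of them.
fragment_names = ("火照黑云", "风起黄昏", "夜生白露", "曲度紫鸳", "日落红尘", "未竟")

fragments = []
for fragment_name in fragment_names:
    # `with` closes each handle deterministically instead of leaving it to
    # the garbage collector.
    with open(fragment_name, "rb") as fragment_file:
        fragments.append(fragment_file.read())

# NOTE(review): 387796 is hard-coded; presumably it is the length shared by
# the fragments, with the first file one byte longer - confirm against the
# actual file sizes. A shorter fragment raises IndexError, a longer one is
# silently truncated.
data = bytearray()
for i in range(387796):
    for fragment in fragments:
        data.append(fragment[i])

# The first fragment contributes one extra trailing byte.
data.append(fragments[0][-1])

with open("data.zip", "wb") as archive:
    archive.write(bytes(data))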
- 得到压缩包,通过爆破CRC32得到 `未竟.zip` 的密码(脚本按每段4个可打印字符枚举,6段拼接即为密码)
import binascii
import string
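# Recover six 4-character fragments from their known CRC32 values and print
# them joined in order. ZIP headers keep each entry's plaintext CRC32 in the
# clear, which is why very short entries can be recovered without the
# archive password.
dic = string.printable  # candidate alphabet: every character in string.printable
crc1 = 0x76899d01
crc2 = 0x8e036aa6
crc3 = 0x881d716a
crc4 = 0x7f3d8e75
crc5 = 0x248d3c69
crc6 = 0xcb27d2bd


def _recover_fragments(targets, alphabet):
    """Return {crc: fragment} for each target CRC32 matched by a 4-character string over alphabet."""
    wanted = set(targets)
    found = {}
    for i in alphabet:
        print(i)  # progress indicator: one line per first character
        for j in alphabet:
            for n in alphabet:
                prefix = i + j + n
                for m in alphabet:
                    s = (prefix + m).encode()
                    # One CRC per candidate, checked against all targets at once.
                    crc = binascii.crc32(s)
                    if crc in wanted:
                        found[crc] = s
                        # CRC32 is one-to-one on 4-byte inputs, so each target
                        # has at most one match and the search can stop as
                        # soon as every target is resolved.
                        if len(found) == len(wanted):
                            return found
    return found


targets = [crc1, crc2, crc3, crc4, crc5, crc6]
fragments = _recover_fragments(targets, dic)

# Fail with a clear message instead of a NameError when a target has no
# printable 4-character preimage.
missing = [hex(target) for target in targets if target not in fragments]
if missing:
    raise SystemExit(
        "no 4-character printable preimage for CRC32 value(s): " + ", ".join(missing)
    )

print(b"".join(fragments[target] for target in targets))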
- 然后解压,对 `金箍棒.png` 进行降采样(ps即可,10%),然后卡住,然后以图片文件为密钥文件,jinggubang为密码挂载即可
非黑即白
- 逆序一个GIF,大致看了眼有1500多张图,大致一猜便是转二进制,又是个什么什么文件,懒,没做(后续听别人聊天说找不到zip解压密码,那我猜我也找不到)
- 二进制转换后得到zip,帧间隔转二进制得到解压密码
Web
wucanrce
- 字面意思
unserialize
- 反序列化链,懒,没做
login
题有问题吧,怎么会限制我一个小时之后再来登录,直接摸,直到结束好像才有一解,幸好没纠结这题,纯浪费时间- 对不起,是我太菜,
Client-IP
盲注
数据安全
数据安全2
- 习惯将数据导出为csv再用python处理,但这次发现这样导出的数据会有损失(当数据较长时),还是不能偷懒,用pyshark处理比较好
from pyshark import FileCapture
from re import compile
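def check_id(data: str) -> bool:
    """Return True when the first 18 characters of *data* carry a valid check character.

    The first 17 characters must be ASCII digits. They are multiplied by
    fixed weights, summed and reduced modulo 11; the remainder selects the
    expected 18th character from ``"10X98765432"``. These weights and check
    characters are the ones used by the 18-character PRC resident identity
    number (ISO 7064 MOD 11-2).

    Malformed candidates (too short, non-digit body, or a check character
    other than a digit or upper-case ``X``) return False instead of raising,
    so one bad match in captured traffic cannot abort a whole extraction run.
    Characters after the 18th are ignored.
    """
    weights = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
    check_chars = "10X98765432"  # indexed by (weighted sum % 11)

    if len(data) < 18:
        return False

    body = data[:17]
    if any(ch not in "0123456789" for ch in body):
        return False

    remainder = sum(int(ch) * weight for ch, weight in zip(body, weights)) % 11
    # Compare characters directly: parsing the check character as a hex digit
    # would also accept 'A'/'a' in place of 'X'.
    return check_chars[remainder] == data[17]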
def check_phone(data: str) -> bool:
    """Return True when the first three digits of *data* are an accepted prefix.

    The prefix table is hard-coded; presumably it comes from the challenge
    statement - confirm before reusing it elsewhere. *data* must start with
    digits, otherwise ``int`` raises ValueError.
    """
    accepted_prefixes = frozenset((
        734, 735, 736, 737, 738, 739, 747, 748, 750, 751, 752, 757, 758, 759, 772, 778,
        782, 783, 784, 787, 788, 795, 798, 730, 731, 732, 740, 745, 746, 755, 756, 766,
        767, 771, 775, 776, 785, 786, 796, 733, 749, 753, 773, 774, 777, 780, 781, 789,
        790, 791, 793, 799,
    ))
    leading = int(data[:3])
    return leading in accepted_prefixes
def get_ip(data: str) -> list:
    """Return every dotted-quad IPv4 match found in *data*, in order of appearance.

    Each octet is limited to 0-255 and every group is non-capturing, so
    ``findall`` yields the full matched strings. The pattern is not anchored
    to word boundaries, so part of a longer digit run can match (for example
    ``999.1.1.1`` yields ``99.1.1.1``).
    """
    ipv4_pattern = compile(r'(?:(?:1[0-9][0-9]\.)|(?:2[0-4][0-9]\.)|(?:25[0-5]\.)|(?:[1-9][0-9]\.)|(?:[0-9]\.)){3}(?:(?:1[0-9][0-9])|(?:2[0-4][0-9])|(?:25[0-5])|(?:[1-9][0-9])|(?:[0-9]))')
    matches = ipv4_pattern.findall(data)
    return matches
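def get_id(data: str) -> list:
    """Return the ID numbers in *data* that pass check_id, with separators removed.

    Three layouts are recognised: 18 contiguous characters, and 6-8-4 groups
    separated by single spaces or by hyphens. The last character may be a
    digit or upper-case ``X``. Spaces and hyphens are stripped before
    validation, so every returned value is 18 characters long.
    """
    # The final class is [\dX]. Writing it as [\d|X] also matches a literal
    # '|', which lets "17 digits + |" through to check_id.
    pattern = compile(r'\d{17}[\dX]|\d{6} \d{8} \d{3}[\dX]|\d{6}-\d{8}-\d{3}[\dX]')
    candidates = [match.replace("-", "").replace(" ", "") for match in pattern.findall(data)]
    return [candidate for candidate in candidates if check_id(candidate)]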
def get_phone(data: str) -> list:
    """Return the phone numbers in *data* that pass check_phone, with separators removed.

    Recognised layouts are 11 contiguous digits and 3-4-4 groups separated by
    single spaces or by hyphens. The pattern has no boundary anchors, so the
    first 11 digits of a longer digit run are also treated as a candidate.
    """
    pattern = compile(r'\d{11}|\d{3} \d{4} \d{4}|\d{3}-\d{4}-\d{4}')
    phones = []
    for raw in pattern.findall(data):
        digits = raw.replace("-", "").replace(" ", "")
        if check_phone(digits):
            phones.append(digits)
    return phones
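def main():
    """Scan HTTP POST bodies in data.pcapng and write every match to result.csv.

    Packets are selected with the ``http.request`` display filter. For each
    POST request the body is hex-decoded, searched with get_ip, get_id and
    get_phone, and every hit is written as one ``category,value`` row.
    """
    # NOTE(review): tshark_path is relative, so whichever tshark.exe sits in
    # the current working directory is the binary that gets executed.
    capture = FileCapture('data.pcapng', display_filter='http.request', tshark_path="./tshark.exe")
    try:
        with open("result.csv", "w", encoding="utf-8") as f:
            f.write("category,value\n")
            for packet in capture:
                if packet.http.request_method != "POST":
                    continue
                # NOTE(review): presumably a POST without a body field, or a
                # body that is not valid UTF-8, raises here and aborts the
                # run - confirm against the capture.
                data = bytes.fromhex(packet.http.data).decode()
                ips = get_ip(data)
                ids = get_id(data)
                phones = get_phone(data)
                # NOTE(review): this is a whole-string comparison, so an
                # 11-digit phone can never equal an 18-character ID and the
                # filter removes nothing. If the intent is to drop phones
                # that are part of an ID, a substring test is needed - confirm.
                phones = [phone for phone in phones if phone not in ids]
                for value in ips:
                    f.write(f"ip,{value}\n")
                for value in ids:
                    f.write(f"idcard,{value}\n")
                for value in phones:
                    f.write(f"phone,{value}\n")
    finally:
        # Release the capture (and the tshark process behind it) even when a
        # packet fails to parse.
        capture.close()


if __name__ == '__main__':
    main()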
碎碎念
省赛感觉质量变差了,虽然以前也不是特别高
这次尽管很多题都只是看了眼便结束,但是不影响得第五,二进制小登还是挺强大的
二进制小登报道