浙江省赛决赛 2024

本着已经有一届省一的奖项,二进制小登做完二进制也足以拿一等奖的想法,这次线下几乎全程划水,Misc和Web究极滑铁卢,六个题就解了一个,再就是做了个密码,做了个数据安全

同样,参考0RAYS公众号,有相对完整的Writeup:https://mp.weixin.qq.com/s/eQlZeeUigFIF-xQCTrs88Q

Misc

FinalSignin

  • 没看懂
恭喜你来到这里,你能解开下面的秘密吗?	     	      
2c243f2f3b3114345d0a0909333f06100143023b2c55020912   	   	   	 
 	   	   	  		  	       	 	  	    
   	    	       	      	   	   	    	      	      	      
  	      	   	 		
  • snow隐写得到helloworld,与这串hex异或得flag

天命人

  • 首先,没看到提示,但是发现了6个文件的拼接方式,按顺序每个文件依次取字节拼接
a = open("火照黑云", "rb").read()
b = open("风起黄昏", "rb").read()
c = open("夜生白露", "rb").read()
d = open("曲度紫鸳", "rb").read()
e = open("日落红尘", "rb").read()
f = open("未竟", "rb").read()

data = []
for i in range(387796):
    data.append(a[i])
    data.append(b[i])
    data.append(c[i])
    data.append(d[i])
    data.append(e[i])
    data.append(f[i])
data.append(a[-1])
data = bytes(data)
open("data.zip", "wb").write(data)
  • 得到压缩包,通过爆破CRC32得到未竟.zip密码
import binascii
import string

dic = string.printable  # 打印出字符表
crc1 = 0x76899d01
crc2 = 0x8e036aa6
crc3 = 0x881d716a
crc4 = 0x7f3d8e75
crc5 = 0x248d3c69
crc6 = 0xcb27d2bd

for i in dic:
    print(i)
    for j in dic:
        for n in dic:
            for m in dic:
                s = (i + j + n + m).encode()
                if crc1 == (binascii.crc32(s)):
                    text1 = s
                if crc2 == (binascii.crc32(s)):
                    text2 = s
                if crc3 == (binascii.crc32(s)):
                    text3 = s
                if crc4 == (binascii.crc32(s)):
                    text4 = s
                if crc5 == (binascii.crc32(s)):
                    text5 = s
                if crc6 == (binascii.crc32(s)):
                    text6 = s
print(text1 + text2 + text3 + text4 + text5 + text6)
  • 然后解压,对金箍棒.png进行降采样(ps即可,10%
  • 然后卡住,然后以图片文件为密钥文件,jinggubang为密码挂载即可

非黑即白

  • 逆序一个GIF,大致看了眼有1500多张图,大致一猜便是转二进制,又是个什么什么文件,懒,没做(后续听别人聊天说找不到zip解压密码,那我猜我也找不到
  • 二进制转换后得到zip,帧间隔转二进制得到解压密码

Web

wucanrce

  • 字面意思

unserialize

  • 反序列化链,懒,没做

login

  • 题有问题吧,怎么会限制我一个小时之后再来登录,直接摸,直到结束好像才有一解,幸好没纠结这题,纯浪费时间
  • 对不起,是我太菜,Client-IP盲注

数据安全

数据安全2

  • 习惯将数据导出为csv再用python处理,但这次发现这样导出的数据会有损失(当数据较长时),还是不能偷懒,用pyshark处理比较好
from pyshark import FileCapture
from re import compile


def check_id(data: str) -> bool:
    data = data.replace("X", "A")
    x = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
    check_sum = [1, 0, 0xa, 9, 8, 7, 6, 5, 4, 3, 2]
    res = sum([int(data[i]) * x[i] for i in range(17)]) % 11
    if check_sum[res] == int(data[17], 16):
        return True
    return False


def check_phone(data: str) -> bool:
    prefix = [
        734, 735, 736, 737, 738, 739, 747, 748, 750, 751, 752, 757, 758, 759, 772, 778,
        782, 783, 784, 787, 788, 795, 798, 730, 731, 732, 740, 745, 746, 755, 756, 766,
        767, 771, 775, 776, 785, 786, 796, 733, 749, 753, 773, 774, 777, 780, 781, 789,
        790, 791, 793, 799
    ]
    if int(data[:3]) in prefix:
        return True
    return False


def get_ip(data: str) -> list:
    return compile(r'(?:(?:1[0-9][0-9]\.)|(?:2[0-4][0-9]\.)|(?:25[0-5]\.)|(?:[1-9][0-9]\.)|(?:[0-9]\.)){3}(?:(?:1[0-9][0-9])|(?:2[0-4][0-9])|(?:25[0-5])|(?:[1-9][0-9])|(?:[0-9]))').findall(data)


def get_id(data: str) -> list:
    p = compile(r'\d{17}[\d|X]|\d{6} \d{8} \d{3}[\d|X]|\d{6}-\d{8}-\d{3}[\d|X]')
    data = [i.replace("-", "").replace(" ", "") for i in p.findall(data)]
    return [i for i in data if check_id(i)]


def get_phone(data: str) -> list:
    p = compile(r'\d{11}|\d{3} \d{4} \d{4}|\d{3}-\d{4}-\d{4}')
    data = [i.replace("-", "").replace(" ", "") for i in p.findall(data)]
    return [i for i in data if check_phone(i)]


def main():
    file = FileCapture('data.pcapng', display_filter='http.request', tshark_path="./tshark.exe")
    with open("result.csv", "w", encoding="utf-8") as f:
        f.write("category,value\n")
        for i in file:
            if i.http.request_method == "POST":
                data = bytes.fromhex(i.http.data).decode()
                ips = get_ip(data)
                ids = get_id(data)
                phones = get_phone(data)
                phones = [i for i in phones if i not in ids]
                for _ in ips:
                    f.write(f"ip,{_}\n")
                for _ in ids:
                    f.write(f"idcard,{_}\n")
                for _ in phones:
                    f.write(f"phone,{_}\n")


if __name__ == '__main__':
    main()

碎碎念

省赛感觉质量变差了,虽然以前也不是特别高

这次尽管很多题都只是看了眼便结束,但是不影响得第五,二进制小登还是挺强大的

评论

  1. Avatar photo
    dbgbgtf
    4 周前
    2024-11-11 8:37:29

    二进制小登报道

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇