启沅杯"2025年佛山市工业互联网安全技能竞赛(初赛)-夺旗赛" WriteUp
AI-摘要
Aurorp1g GPT
AI初始化中...
介绍自己 🙈
生成本文简介 👋
推荐相关文章 📖
前往主页 🏠
前往爱发电购买
启沅杯"2025年佛山市工业互联网安全技能竞赛(初赛)-夺旗赛" WriteUp
Aurorp1g这里整理了一下”2025年佛山市工业互联网安全技能竞赛(初赛)-夺旗赛”的部分writeup。writeup的编写归功于我们Fosusec这次参与了比赛的伙伴。
Crypto
简简单单RSA
题目:
1
2
3
4
5p+q = 17332455360280707854592797239541781064457217000051252242048972956650508752408557545940953531232012555952038739538159008066177841553393774416001282315251232
(p+1)(q+1) = 75060985494061979290002527985372483149589910080770172046513389090473559595653132515300214813964800259559296717198102242552980235438512129303856894210665874103393993811649396206516593825378782969854460843980363036539195478561539273955034058036587918913934718663494867802347030129198414815551738608136013764760
d = 47277757910941673300761620957751968078061581980012999250927356886425348529059396327251439145912278406310148605966407715799387691512677452210719269055984790060288860284974844233587804971656463719024386208514012034517785296959583110973892199649826529324743533626747422931804860295603070022856279380676276449705
e = 65537
c = 64363163556920249932882463531608345749223294865641032419611004220862051079260543363613739006213963136332181415252637859791252195633011020411435021889121095671767986496633551483585504892844146075797094004523026251396562193343632392335437804606051804520233433348438264991275125562760005482901192150072536213939分析:题如其名,确实很简单,RSA基础题。核心的公式为 N = pq = (p+1)(q+1)-(p+q)-1
实践:这里提供笔者的解密脚本。
1
2
3
4
5
6
7
8
9
10p_plus_q = 17332455360280707854592797239541781064457217000051252242048972956650508752408557545940953531232012555952038739538159008066177841553393774416001282315251232
p_plus_1_q_plus_1 = 75060985494061979290002527985372483149589910080770172046513389090473559595653132515300214813964800259559296717198102242552980235438512129303856894210665874103393993811649396206516593825378782969854460843980363036539195478561539273955034058036587918913934718663494867802347030129198414815551738608136013764760
c = 64363163556920249932882463531608345749223294865641032419611004220862051079260543363613739006213963136332181415252637859791252195633011020411435021889121095671767986496633551483585504892844146075797094004523026251396562193343632392335437804606051804520233433348438264991275125562760005482901192150072536213939
d = 47277757910941673300761620957751968078061581980012999250927356886425348529059396327251439145912278406310148605966407715799387691512677452210719269055984790060288860284974844233587804971656463719024386208514012034517785296959583110973892199649826529324743533626747422931804860295603070022856279380676276449705
N = p_plus_1_q_plus_1 - p_plus_q - 1
m = pow(c, d, N)
m_bytes = m.to_bytes((m.bit_length() + 7) // 8, byteorder='big')
print(m_bytes)
Misc
凯撒大帝
题目:
1
2jfBr3znzc1zyrbB7ewE9LyqAas0Azi0SrCWFoSIf4fb2DBrMs6tc5Msv
分析:根据题目,知道是凯撒加密。但是爆破了一下,发现没有得到flag。再根据密文形式,结合“flag{…}”,判断还有一层加密。根据密文的特征,推测是based类编码。经过尝试,发现是based62编码。故解题思路为:将密文进行base62解码,在凯撒爆破,得到明文。
实践:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18# 凯撒解密
def caesar_decrypt(ciphertext,j):
str_list = list(ciphertext)
i = 0
while i < len(ciphertext):
if not str_list[i].isalpha():
str_list[i] = str_list[i]
else:
a = "A" if str_list[i].isupper() else "a"
str_list[i] = chr((ord(str_list[i]) - ord(a) - j) % 26 + ord(a) or -j)
i = i + 1
return ''.join(str_list)
str_decode = input("请输入密文:")
for i in range(1,27):
flag = caesar_decrypt(str_decode,i)
print(i,flag,"\n")
Reverse
ezbase
题目:这里笔者就不提供题目了
分析:
查包
ida64打开,main函数关键部分
- 分析代码可知我们输入的s在sub11C8+1处进入了函数,变换后得到与s2相同的字符串
- 查看s2
- 找一下调用的函数的命令的地址
- 寻找其附近汇编代码,得到入口函数真实的地址为11c9
- r2命令查看11c9处函数的代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172; CALL XREF from main @ 0x158f(x)
┌ 462: fcn.000011c9 (char *arg1, size_t arg2, int64_t arg3);
│ ; arg char *arg1 @ rdi
│ ; arg size_t arg2 @ rsi
│ ; arg int64_t arg3 @ rdx
│ ; var int64_t canary @ rbp-0x8
│ ; var int64_t var_9h @ rbp-0x9
│ ; var int64_t var_ah @ rbp-0xa
│ ; var int64_t var_bh @ rbp-0xb
│ ; var int64_t var_ch @ rbp-0xc
│ ; var signed int64_t var_10h @ rbp-0x10
│ ; var int64_t var_14h @ rbp-0x14
│ ; var signed int64_t var_18h @ rbp-0x18
│ ; var int64_t var_19h @ rbp-0x19
│ ; var int64_t var_1ah @ rbp-0x1a
│ ; var int64_t var_1bh @ rbp-0x1b
│ ; var char *var_28h @ rbp-0x28
│ ; var size_t var_2ch @ rbp-0x2c
│ ; var int64_t var_38h @ rbp-0x38
│ 0x000011c9 f30f1efa endbr64
│ 0x000011cd 55 push rbp
│ 0x000011ce 4889e5 mov rbp, rsp
│ 0x000011d1 4883ec40 sub rsp, 0x40
│ 0x000011d5 48897dd8 mov qword [var_28h], rdi ; arg1
│ 0x000011d9 8975d4 mov dword [var_2ch], esi ; arg2
│ 0x000011dc 488955c8 mov qword [var_38h], rdx ; arg3
│ 0x000011e0 64488b0425.. mov rax, qword fs:[0x28]
│ 0x000011e9 488945f8 mov qword [canary], rax
│ 0x000011ed 31c0 xor eax, eax
│ 0x000011ef c745ec0000.. mov dword [var_14h], 0
│ 0x000011f6 c745e80000.. mov dword [var_18h], 0
│ ┌─< 0x000011fd e9ee000000 jmp 0x12f0
│ │ ; CODE XREF from fcn.000011c9 @ 0x12f6(x)
│ ┌──> 0x00001202 8b45e8 mov eax, dword [var_18h]
│ ╎│ 0x00001205 4863d0 movsxd rdx, eax
│ ╎│ 0x00001208 488b45d8 mov rax, qword [var_28h]
│ ╎│ 0x0000120c 4801d0 add rax, rdx
│ ╎│ 0x0000120f 0fb600 movzx eax, byte [rax]
│ ╎│ 0x00001212 8845e5 mov byte [var_1bh], al
│ ╎│ 0x00001215 8b45e8 mov eax, dword [var_18h]
│ ╎│ 0x00001218 83c001 add eax, 1
│ ╎│ 0x0000121b 3945d4 cmp dword [var_2ch], eax
│ ┌───< 0x0000121e 7e15 jle 0x1235
│ │╎│ 0x00001220 8b45e8 mov eax, dword [var_18h]
│ │╎│ 0x00001223 4898 cdqe
│ │╎│ 0x00001225 488d5001 lea rdx, [rax + 1]
│ │╎│ 0x00001229 488b45d8 mov rax, qword [var_28h]
│ │╎│ 0x0000122d 4801d0 add rax, rdx
│ │╎│ 0x00001230 0fb600 movzx eax, byte [rax]
│ ┌────< 0x00001233 eb05 jmp 0x123a
│ ││╎│ ; CODE XREF from fcn.000011c9 @ 0x121e(x)
│ │└───> 0x00001235 b800000000 mov eax, 0
│ │ ╎│ ; CODE XREF from fcn.000011c9 @ 0x1233(x)
│ └────> 0x0000123a 8845e6 mov byte [var_1ah], al
│ ╎│ 0x0000123d 8b45e8 mov eax, dword [var_18h]
│ ╎│ 0x00001240 83c002 add eax, 2
│ ╎│ 0x00001243 3945d4 cmp dword [var_2ch], eax
│ ┌───< 0x00001246 7e15 jle 0x125d
│ │╎│ 0x00001248 8b45e8 mov eax, dword [var_18h]
│ │╎│ 0x0000124b 4898 cdqe
│ │╎│ 0x0000124d 488d5002 lea rdx, [rax + 2]
│ │╎│ 0x00001251 488b45d8 mov rax, qword [var_28h]
│ │╎│ 0x00001255 4801d0 add rax, rdx
│ │╎│ 0x00001258 0fb600 movzx eax, byte [rax]
│ ┌────< 0x0000125b eb05 jmp 0x1262
│ ││╎│ ; CODE XREF from fcn.000011c9 @ 0x1246(x)
│ │└───> 0x0000125d b800000000 mov eax, 0
│ │ ╎│ ; CODE XREF from fcn.000011c9 @ 0x125b(x)
│ └────> 0x00001262 8845e7 mov byte [var_19h], al
│ ╎│ 0x00001265 0fb645e5 movzx eax, byte [var_1bh]
│ ╎│ 0x00001269 c0e802 shr al, 2
│ ╎│ 0x0000126c 8845f4 mov byte [var_ch], al
│ ╎│ 0x0000126f 0fb645e5 movzx eax, byte [var_1bh]
│ ╎│ 0x00001273 c1e004 shl eax, 4
│ ╎│ 0x00001276 83e030 and eax, 0x30
│ ╎│ 0x00001279 89c2 mov edx, eax
│ ╎│ 0x0000127b 0fb645e6 movzx eax, byte [var_1ah]
│ ╎│ 0x0000127f c0e804 shr al, 4
│ ╎│ 0x00001282 09d0 or eax, edx
│ ╎│ 0x00001284 8845f5 mov byte [var_bh], al
│ ╎│ 0x00001287 0fb645e6 movzx eax, byte [var_1ah]
│ ╎│ 0x0000128b c1e002 shl eax, 2
│ ╎│ 0x0000128e 83e03c and eax, 0x3c
│ ╎│ 0x00001291 89c2 mov edx, eax
│ ╎│ 0x00001293 0fb645e7 movzx eax, byte [var_19h]
│ ╎│ 0x00001297 c0e806 shr al, 6
│ ╎│ 0x0000129a 09d0 or eax, edx
│ ╎│ 0x0000129c 8845f6 mov byte [var_ah], al
│ ╎│ 0x0000129f 0fb645e7 movzx eax, byte [var_19h]
│ ╎│ 0x000012a3 83e03f and eax, 0x3f
│ ╎│ 0x000012a6 8845f7 mov byte [var_9h], al
│ ╎│ 0x000012a9 c745f00000.. mov dword [var_10h], 0
│ ┌───< 0x000012b0 eb34 jmp 0x12e6
│ │╎│ ; CODE XREF from fcn.000011c9 @ 0x12ea(x)
│ ┌────> 0x000012b2 8b45f0 mov eax, dword [var_10h]
│ ╎│╎│ 0x000012b5 4898 cdqe
│ ╎│╎│ 0x000012b7 0fb64405f4 movzx eax, byte [rbp + rax - 0xc]
│ ╎│╎│ 0x000012bc 0fb6c8 movzx ecx, al
│ ╎│╎│ 0x000012bf 8b45ec mov eax, dword [var_14h]
│ ╎│╎│ 0x000012c2 8d5001 lea edx, [rax + 1]
│ ╎│╎│ 0x000012c5 8955ec mov dword [var_14h], edx
│ ╎│╎│ 0x000012c8 4863d0 movsxd rdx, eax
│ ╎│╎│ 0x000012cb 488b45c8 mov rax, qword [var_38h]
│ ╎│╎│ 0x000012cf 4801c2 add rdx, rax
│ ╎│╎│ 0x000012d2 4863c1 movsxd rax, ecx
│ ╎│╎│ 0x000012d5 488d0d440d.. lea rcx, str.AI12345JKLMNOPQRSTUCDEFuvwxyBGHz06VWXYZabcdefghijklmnopqrst789_ ; 0x2020 ; "AI12345JKLMNOPQRSTUCDEFuvwxyBGHz06VWXYZabcdefghijklmnopqrst789+/"
│ ╎│╎│ 0x000012dc 0fb60408 movzx eax, byte [rax + rcx]
│ ╎│╎│ 0x000012e0 8802 mov byte [rdx], al
│ ╎│╎│ 0x000012e2 8345f001 add dword [var_10h], 1
│ ╎│╎│ ; CODE XREF from fcn.000011c9 @ 0x12b0(x)
│ ╎└───> 0x000012e6 837df003 cmp dword [var_10h], 3
│ └────< 0x000012ea 7ec6 jle 0x12b2
│ ╎│ 0x000012ec 8345e803 add dword [var_18h], 3
│ ╎│ ; CODE XREF from fcn.000011c9 @ 0x11fd(x)
│ ╎└─> 0x000012f0 8b45e8 mov eax, dword [var_18h]
│ ╎ 0x000012f3 3b45d4 cmp eax, dword [var_2ch]
│ └──< 0x000012f6 0f8c06ffffff jl 0x1202
│ 0x000012fc c745e80000.. mov dword [var_18h], 0
│ ┌─< 0x00001303 eb1a jmp 0x131f
│ │ ; CODE XREF from fcn.000011c9 @ 0x136e(x)
│ ┌──> 0x00001305 8b45ec mov eax, dword [var_14h]
│ ╎│ 0x00001308 83e801 sub eax, 1
│ ╎│ 0x0000130b 2b45e8 sub eax, dword [var_18h]
│ ╎│ 0x0000130e 4863d0 movsxd rdx, eax
│ ╎│ 0x00001311 488b45c8 mov rax, qword [var_38h]
│ ╎│ 0x00001315 4801d0 add rax, rdx
│ ╎│ 0x00001318 c6003d mov byte [rax], 0x3d ; '='
│ ╎│ ; [0x3d:1]=0
│ ╎│ 0x0000131b 8345e801 add dword [var_18h], 1
│ ╎│ ; CODE XREF from fcn.000011c9 @ 0x1303(x)
│ ╎└─> 0x0000131f 8b45d4 mov eax, dword [var_2ch]
│ ╎ 0x00001322 4863d0 movsxd rdx, eax
│ ╎ 0x00001325 4869d25655.. imul rdx, rdx, 0x55555556
│ ╎ 0x0000132c 48c1ea20 shr rdx, 0x20
│ ╎ 0x00001330 89c6 mov esi, eax
│ ╎ 0x00001332 c1fe1f sar esi, 0x1f
│ ╎ 0x00001335 89d1 mov ecx, edx
│ ╎ 0x00001337 29f1 sub ecx, esi
│ ╎ 0x00001339 89ca mov edx, ecx
│ ╎ 0x0000133b 01d2 add edx, edx
│ ╎ 0x0000133d 01ca add edx, ecx
│ ╎ 0x0000133f 29d0 sub eax, edx
│ ╎ 0x00001341 89c1 mov ecx, eax
│ ╎ 0x00001343 b803000000 mov eax, 3
│ ╎ 0x00001348 29c8 sub eax, ecx
│ ╎ 0x0000134a 89c2 mov edx, eax
│ ╎ 0x0000134c 4863c2 movsxd rax, edx
│ ╎ 0x0000134f 4869c05655.. imul rax, rax, 0x55555556
│ ╎ 0x00001356 48c1e820 shr rax, 0x20
│ ╎ 0x0000135a 89d1 mov ecx, edx
│ ╎ 0x0000135c c1f91f sar ecx, 0x1f
│ ╎ 0x0000135f 29c8 sub eax, ecx
│ ╎ 0x00001361 89c1 mov ecx, eax
│ ╎ 0x00001363 01c9 add ecx, ecx
│ ╎ 0x00001365 01c1 add ecx, eax
│ ╎ 0x00001367 89d0 mov eax, edx
│ ╎ 0x00001369 29c8 sub eax, ecx
│ ╎ 0x0000136b 3945e8 cmp dword [var_18h], eax
│ └──< 0x0000136e 7c95 jl 0x1305
│ 0x00001370 8b45ec mov eax, dword [var_14h]
│ 0x00001373 4863d0 movsxd rdx, eax
│ 0x00001376 488b45c8 mov rax, qword [var_38h]
│ 0x0000137a 4801d0 add rax, rdx
│ 0x0000137d c60000 mov byte [rax], 0
│ 0x00001380 90 nop
│ 0x00001381 488b45f8 mov rax, qword [canary]
│ 0x00001385 64482b0425.. sub rax, qword fs:[0x28]
│ ┌─< 0x0000138e 7405 je 0x1395
│ │ 0x00001390 e81bfdffff call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
│ │ ; CODE XREF from fcn.000011c9 @ 0x138e(x)
│ └─> 0x00001395 c9 leave
└ 0x00001396 c3 ret
- 实践:
分析汇编代码写出脚本:1
2
3
4
5
6
7
8
9
10
11
12import base64
CUSTOM_TBL='AI12345JKLMNOPQRSTUCDEFuvwxyBGHz06VWXYZabcdefghijklmnopqrst789+/'
STD_TBL='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
enc_trans=str.maketrans(STD_TBL, CUSTOM_TBL)
dec_trans=str.maketrans(CUSTOM_TBL, STD_TBL)
def custom_b64encode(data:bytes)->str:
return base64.b64encode(data).decode().translate(enc_trans)
def custom_b64decode(txt:str)->bytes:
return base64.b64decode(txt.translate(dec_trans))
s2="wZk6wqfmwZSpwWGWvUoWvWEVNCTYPW3gQ2BnOlo6w5DkvWEYPZKrvZL9"
plain=custom_b64decode(s2)
print("s=", plain)
Web
WelcomeToHarbin
题目描述:相信我,哈尔滨的风光是逛不完的,让我们一起领略哈尔滨的绝美风光吧,相信在浏览的过程中一定能有一些意外的收获~
分析:看网页,确实在浏览的过程中一定能有一些意外的收获(严重怀疑是文旅广子)
实践:
喜欢这篇文章的人也看了
评论
匿名评论隐私政策
