国赛几题wp


国赛几题wp

题目

import flag
import hashlib
from Crypto.Util.number import getPrime, long_to_bytes, bytes_to_long
from Crypto.Cipher import AES
import random


def gen_iv(seed):
    """Derive the AES-CBC IV deterministically from *seed*.

    A ``random.Random`` instance seeded with *seed* is sampled until the
    first four hex digits of SHA-256(candidate) match the first four hex
    digits of SHA-256(long_to_bytes(seed)); that candidate is returned.

    Security note: ``random`` is the Mersenne Twister, not a CSPRNG, and the
    result is a pure function of *seed*.  Whoever can recompute *seed* gets
    the same IV, so this must not be used outside a challenge setting; real
    IVs belong to ``os.urandom``.
    """
    rng = random.Random()
    rng.seed(seed)
    # The comparison target depends only on the seed, so compute it once.
    wanted = hashlib.sha256(long_to_bytes(seed)).hexdigest()[0:4]
    while True:
        # NOTE(review): the bounds look chosen so the integer serializes to
        # 16 bytes (one AES block) -- confirm against long_to_bytes.
        candidate = long_to_bytes(rng.randint(
            0xfffffffffffffffffffffffffffffff, 0xffffffffffffffffffffffffffffffff))
        if hashlib.sha256(candidate).hexdigest()[0:4] == wanted:
            return candidate


def gen_password(seed):
    """Derive the AES key ("password") deterministically from *seed*.

    Same construction as ``gen_iv``: a ``random.Random`` seeded with *seed*
    is sampled until hex digits 4..8 of SHA-256(candidate) equal hex digits
    4..8 of SHA-256(long_to_bytes(seed)).

    Security note: the key comes from the same seed and the same PRNG stream
    as the IV, and ``random`` is not a CSPRNG.  The key therefore carries no
    secrecy beyond that of *seed* itself.
    """
    rng = random.Random()
    rng.seed(seed)
    # Only the seed feeds this digest slice; hoist it out of the loop.
    wanted = hashlib.sha256(long_to_bytes(seed)).hexdigest()[4:8]
    while True:
        candidate = long_to_bytes(rng.randint(
            0xfffffffffffffffffffffffffffffff, 0xffffffffffffffffffffffffffffffff))
        if hashlib.sha256(candidate).hexdigest()[4:8] == wanted:
            return candidate


def gen_seed():
    """Return the PRNG seed: SHA-256 of the ciphertext of ``flag.evil``.

    The function first checks that ``flag.key``/``flag.iv`` encrypt the
    published plaintext ``m`` to the published ciphertext ``c``, then
    encrypts ``flag.evil`` (which must contain "admin=1" and "group=1")
    under the same key and IV.  The resulting ciphertext must differ from
    ``c`` in exactly two byte positions.

    Security note: AES-CBC is used here without any MAC.  The asserts show
    that the "evil" ciphertext is a two-byte variation of a ciphertext that
    is public, so the seed is derived from a value that is not secret.
    Authenticated encryption (or encrypt-then-MAC) and seeds that do not
    depend on public data are the standard mitigations.
    """
    iv = flag.iv
    key = flag.key
    evil = flag.evil
    m = "token=5t43g5g2j1;admin=0;group=0"
    c = "bMPWOsg+YH0eSwchPY6HTEvf3ESETSrEQ3/M1d0lUm0=".decode("base64")

    # Sanity check: the secret key/IV reproduce the published pair (m, c).
    assert AES.new(key, AES.MODE_CBC, iv).encrypt(m) == c
    assert "admin=1" in evil
    assert "group=1" in evil

    # A fresh cipher object restarts CBC chaining from the same IV.
    monster = AES.new(key, AES.MODE_CBC, iv).encrypt(evil)

    # Count byte positions where the two ciphertexts disagree.
    differing = sum(1 for i in range(len(monster)) if monster[i] != c[i])
    assert differing == 2
    return int(hashlib.sha256(monster).hexdigest(), 16)


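def main():
    """Encrypt the encoded flag with AES-CBC and write it to heheda.txt.

    The flag is passed through ``flag.encode``, read as a hex integer and
    rendered as a decimal string, padded with "A" to a multiple of 16 bytes,
    then encrypted with the key and IV derived from ``gen_seed()``.  The
    ciphertext is stored hex-encoded.

    Security note: key and IV are both functions of one seed, and that seed
    is computed from ciphertext material; nothing here is drawn from a
    CSPRNG, and the CBC output carries no integrity tag.
    """
    msgtemp = str(int(flag.encode(flag.flag), 16))
    # Always appends 1..16 "A" bytes; a full 16 when the length is already
    # block-aligned.  The pad character never collides with the decimal digits.
    msg = msgtemp + "A" * (16 - len(msgtemp) % 16)
    seed = gen_seed()
    iv = gen_iv(seed)
    password = gen_password(seed)
    cipher = AES.new(password, AES.MODE_CBC, iv)
    c = cipher.encrypt(msg)
    # Context manager guarantees the file is flushed and closed.
    with open("heheda.txt", "w") as out:
        out.write(c.encode("hex"))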


# Generate the challenge file only when run as a script, not on import.
if __name__ == '__main__':
    main()

思路

AES-CBC字节翻转攻击:CBC本身不提供完整性校验,题目又保证monster与已知密文c只相差两个字节,因此可以直接由c算出monster;再用sha256(monster)作为seed得到iv和password,解密。解密结果外面还套了一系列base64、base32、base16编码(俄罗斯套娃),需要逐层解开。

脚本

import hashlib
import random
from Crypto.Util.number import long_to_bytes
from Crypto.Cipher import AES
import base64

# Published plaintext/ciphertext pair from the challenge source (Python 2).
m = "token=5t43g5g2j1;admin=0;group=0"
c = list("bMPWOsg+YH0eSwchPY6HTEvf3ESETSrEQ3/M1d0lUm0=".decode("base64"))

# CBC without a MAC is malleable: changing a byte of ciphertext block 1
# changes the same byte of plaintext block 2 on decryption.  Offsets 7 and 15
# line up with the "0" of "admin=0" and "group=0" in the second block.
# Mitigation in real protocols: authenticated encryption / encrypt-then-MAC.
_flip_mask = ord("0") ^ ord("1")
for _offset in (7, 15):
    c[_offset] = chr(ord(c[_offset]) ^ _flip_mask)
monster = ''.join(c)

# The challenge seeds its PRNG with SHA-256(monster) read as an integer.
seed = int(hashlib.sha256(monster).hexdigest(), 16)


def gen_iv(seed):
    """Recompute the challenge's IV from *seed* (copy of the challenge code).

    Samples a ``random.Random`` seeded with *seed* until the first four hex
    digits of SHA-256(candidate) equal those of SHA-256(long_to_bytes(seed)).
    Because the generator is deterministic, the same seed always yields the
    same IV -- which is why a seed built from public data protects nothing.
    """
    prng = random.Random()
    prng.seed(seed)
    # Digest prefix of the seed; constant across iterations.
    prefix = hashlib.sha256(long_to_bytes(seed)).hexdigest()[0:4]
    while True:
        iv = long_to_bytes(prng.randint(
            0xfffffffffffffffffffffffffffffff, 0xffffffffffffffffffffffffffffffff))
        if hashlib.sha256(iv).hexdigest()[0:4] != prefix:
            continue
        return iv


def gen_password(seed):
    """Recompute the challenge's AES key from *seed* (copy of the challenge code).

    Samples a ``random.Random`` seeded with *seed* until hex digits 4..8 of
    SHA-256(candidate) equal those of SHA-256(long_to_bytes(seed)).  The key
    is fully determined by the seed; ``random`` offers no cryptographic
    unpredictability.
    """
    prng = random.Random()
    prng.seed(seed)
    # Digest slice of the seed; constant across iterations.
    marker = hashlib.sha256(long_to_bytes(seed)).hexdigest()[4:8]
    while True:
        password = long_to_bytes(prng.randint(
            0xfffffffffffffffffffffffffffffff, 0xffffffffffffffffffffffffffffffff))
        if hashlib.sha256(password).hexdigest()[4:8] != marker:
            continue
        return password


# Rebuild the IV and AES key exactly as the challenge derived them from seed.
iv = gen_iv(seed)
password = gen_password(seed)
cipher = AES.new(password, AES.MODE_CBC, iv)
# heheda.txt holds the hex-encoded ciphertext (Python 2 str.decode('hex')).
# Note this rebinds c, which previously held the modified token ciphertext.
c = open("heheda.txt", "r").read().decode('hex')
msg = cipher.decrypt(c)
# msg[:-16] drops the last 16 bytes -- assumes the "A" padding was a full
# block for this instance; the challenge pads with 1..16 bytes in general.
# hex(int(...))[2:-1] strips the "0x" prefix and, presumably, the trailing "L"
# of a Python 2 long, giving back the hex string the challenge turned into a
# decimal number.  The rest of the chain peels nested base32/base64/hex
# layers, innermost call first.
print base64.b32decode(base64.b32decode(base64.b32decode(hex(int(msg[:-16]))[2:-1].decode('hex')).decode('base64').decode('base64')).decode('base64').decode('base64').decode('base64').decode('base64').decode('hex').decode('hex').decode('base64')).decode('base64').decode('base64').decode('base64')

misc

picture

binwalk -e 提取一下,010打开97E4这个文件,是base64的,解出来保存到文件,看到这个文件头是KP,我们替换成PK,得到一个压缩包

但是打开有密码,于是看文件最后,是一个python的0除报错,打开python,1/0,得到密码,解压得到code文件

begin 644 key.txt
G0TE30TY[.3-#-C5#.#`W0S,X,#!",35&,S8P,$0T-#E#-C0V.3)]
`
end

UUencode,在线解码得到flag

寻找入侵者

从attack包中找到攻击者的mac地址,这里打开无线统计,把所有MAC地址存到字典,aircrack跑一下,得到正确的握手包密码 88:25:93:c1:c8:eb

参考 https://xz.aliyun.com/t/1972 ,解密握手包流量,得到一大堆HTTP流量,导出对象,发现有个rar文件,但是wireshark导出时分成了很多个,这里直接找到他GET的地址,下一个就好了,解压得到key.pcap。

最后是找畸形数据,试了半天,最后 strings key.pcap ,最后有一条“畸形?”数据,这脑洞可以啊

去掉前面的感叹号,加上CISCN{xxxxxx},就是flag了
