2019 Anheng (安恒) February Monthly Contest Writeup - Web & Crypto & Misc

Category: Programming tools · Published: 5 years ago



Preface

Spent the weekend on the Anheng monthly contest again; below are the writeups for the Web, Crypto and Misc challenges.

Web

babycms

Opening the challenge, the platform is built on the Yii2 framework. Start with information gathering, which turns up a source code leak:

101.71.29.5:10015/web.zip

Auditing the code, /views/medicine/view.php contains an unserialize() call on request data (screenshot omitted).

Next, look for exploitable classes: composer.json shows a dependency with a known deserialization RCE gadget chain (screenshot omitted).

phpggc has a gadget chain for that exact version (screenshot omitted).

Then find out where the application's files live on the server (screenshots omitted) and try the directory

/var/www/html/runtime

Generate the payload directly with

phpggc SwiftMailer/FW3 /var/www/html/runtime/sky.php ~/Desktop/sky.php -b

SwiftMailer/FW3 is a file-write chain: the first path is where the file is created on the target, the second is the local file whose contents are written (here a PHP shell, sky.php), and -b base64-encodes the serialized payload so it survives transport (screenshot omitted).

The leaked source also contains the login password (screenshot omitted).

After logging in, submit the payload to the unserialize() call; the chain writes the shell, which is then used to read the flag.
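The chain above only works because unserialize() is fed attacker-controlled bytes and the autoloadable classes include gadgets. As an added example (not from the original writeup), here is a small Python parser for PHP's serialization format that lists the classes a payload would instantiate. It is useful both for inspecting a phpggc payload (the -b output can be passed base64-encoded) and as a pre-filter that rejects any input containing objects before it reaches unserialize(). The class name DemoObject and the sample payload are constructed for illustration; the real fix is to pass ['allowed_classes' => false] to unserialize() or to use JSON for data that crosses a trust boundary.

```python
import base64


class PhpObject:
    """A value that unserialize() would turn into an object: class name plus properties."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props

    def __repr__(self):
        return "PhpObject(%r, %r)" % (self.cls, self.props)


def _parse(buf, pos):
    """Parse one PHP-serialized value at buf[pos]; return (value, position after it)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"b", b"i", b"d"):                     # b:1;  i:42;  d:3.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode()
        conv = {b"b": lambda r: r == "1", b"i": int, b"d": float}[tag]
        return conv(raw), end + 1
    if tag == b"s":                                   # s:<bytelen>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                             # skip :"
        if buf[start + length:start + length + 2] != b'";':
            raise ValueError("malformed string at offset %d" % pos)
        # latin-1 keeps the NUL bytes PHP uses in protected/private property names
        return buf[start:start + length].decode("latin-1"), start + length + 2
    if tag in (b"a", b"O"):                           # a:<n>:{..}  O:<len>:"<class>":<n>:{..}
        colon = buf.index(b":", pos + 2)
        cls = None
        if tag == b"O":
            name_len = int(buf[pos + 2:colon])
            cls = buf[colon + 2:colon + 2 + name_len].decode()
            pos = colon + 2 + name_len + 2            # skip the closing quote and ':'
            colon = buf.index(b":", pos)
            count = int(buf[pos:colon])
        else:
            count = int(buf[pos + 2:colon])
        pos = colon + 2                               # skip :{
        items = {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            val, pos = _parse(buf, pos)
            items[key] = val
        if buf[pos:pos + 1] != b"}":
            raise ValueError("unterminated container at offset %d" % pos)
        return (PhpObject(cls, items) if tag == b"O" else items), pos + 1
    raise ValueError("unsupported or malformed token %r at offset %d" % (tag, pos))


def parse_php_serialized(data):
    """Parse a complete serialized blob; reject trailing garbage."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data after offset %d" % end)
    return value


def object_classes(value):
    """Class names of every object reachable from value, depth-first, outermost first."""
    found = []
    if isinstance(value, PhpObject):
        found.append(value.cls)
        value = value.props
    if isinstance(value, dict):
        for v in value.values():
            found.extend(object_classes(v))
    return found


def classes_in_payload(payload, b64=False):
    """Classes that unserialize() would instantiate for this payload (b64=True: phpggc -b style)."""
    raw = base64.b64decode(payload) if b64 else payload
    return object_classes(parse_php_serialized(raw))


def is_object_free(payload, b64=False):
    """True when the payload is pure data: no object of any class would be created."""
    return classes_in_payload(payload, b64) == []


# Constructed sample, not a real gadget chain: an array whose second element is an object
SAMPLE = (b'a:2:{i:0;s:5:"hello";i:1;'
          b'O:10:"DemoObject":1:{s:4:"path";s:27:"/var/www/html/runtime/x.php";}}')
SAMPLE_B64 = base64.b64encode(SAMPLE)

if __name__ == "__main__":
    print(classes_in_payload(SAMPLE))            # ['DemoObject']
    print(is_object_free(b'a:1:{i:0;s:3:"abc";}'))  # True
```

Rejecting anything for which is_object_free() is false is the cheap server-side check; it does not replace disabling object instantiation in unserialize() itself, because PHP's parser also accepts the C: (custom serialized) form that this inspector deliberately refuses.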

Misc

Let's play a game


Level 1 is obviously Braille encoding (screenshot omitted).

Decode it with the online tool at

https://www.qqxiuzi.cn/bianma/wenbenjiami.php?s=mangwen

⠏⠏⠄⠁⠄⠀⠂⡑⡒⡓⠄⡒⠂⡑⠇⠆⡒⠉⠇⠁⠉⡔⠉⠁⠁⠀⠁⠇⡓⠅⠉⠂=

which gives

??41402abc4b2a76b9719d911017c592

This is an MD5 with the first two hex digits missing; search for it on Baidu (screenshot omitted).
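An offline alternative to the search-engine lookup, added here and not part of the original writeup: treat the unreadable digits as wildcards and test candidate words against the remaining 30 hex characters. The word list below is a constructed stand-in for a real dictionary; the pattern is the one recovered from the Braille step.

```python
import hashlib

# Fragment recovered from the Braille step: the two leading hex digits were lost
PARTIAL = "??41402abc4b2a76b9719d911017c592"

# Constructed stand-in for a real wordlist (rockyou etc.)
WORDLIST = ["password", "admin", "hello", "world", "flag"]


def matches_partial(digest_hex, pattern):
    """True when digest_hex agrees with pattern at every position that is not '?'."""
    if len(digest_hex) != len(pattern):
        return False
    return all(p == "?" or p == d for p, d in zip(pattern.lower(), digest_hex.lower()))


def recover_md5_preimages(pattern, words, algo="md5"):
    """Return (word, full_digest) for every word whose digest fits the wildcard pattern.
    Any hashlib algorithm works; the pattern length must equal the hex digest length."""
    hits = []
    for w in words:
        digest = hashlib.new(algo, w.encode()).hexdigest()
        if matches_partial(digest, pattern):
            hits.append((w, digest))
    return hits


if __name__ == "__main__":
    for word, digest in recover_md5_preimages(PARTIAL, WORDLIST):
        print(word, digest)   # hello 5d41402abc4b2a76b9719d911017c592
```

With 30 of 32 hex digits known, a false positive needs a 120-bit coincidence, so a single wordlist hit is conclusive.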

It turns out to be hello (md5 5d41402abc4b2a76b9719d911017c592); submitting that passes level 1. Level 2 is an MD5 collision, solved with a project from GitHub:

python3 gen_coll_test.py

This produces a few hundred files sharing the same MD5; pick any two of them (screenshots omitted).

That unlocks the last step:

Dear Professional ; Especially for you - this cutting-edge 
intelligence ! If you no longer wish to receive our 
publications simply reply with a Subject: of "REMOVE" 
and you will immediately be removed from our club . 
This mail is being sent in compliance with Senate bill 
2216 , Title 9 ; Section 306 ! THIS IS NOT MULTI-LEVEL 
MARKETING . Why work for somebody else when you can 
become rich as few as 35 weeks . Have you ever noticed 
more people than ever are surfing the web and people 
will do almost anything to avoid mailing their bills 
. Well, now is your chance to capitalize on this ! 
WE will help YOU decrease perceived waiting time by 
120% & decrease perceived waiting time by 140% . You 
can begin at absolutely no cost to you . But don't 
believe us ! Mrs Jones of Minnesota tried us and says 
"I was skeptical but it worked for me" . We assure 
you that we operate within all applicable laws . Because 
the Internet operates on "Internet time" you must act 
now ! Sign up a friend and your friend will be rich 
too . Warmest regards . Dear Cybercitizen , We know 
you are interested in receiving red-hot announcement 
! We will comply with all removal requests ! This mail 
is being sent in compliance with Senate bill 1619 ; 
Title 2 ; Section 301 . This is NOT unsolicited bulk 
mail ! Why work for somebody else when you can become 
rich within 53 MONTHS ! Have you ever noticed more 
people than ever are surfing the web and more people 
than ever are surfing the web . Well, now is your chance 
to capitalize on this . We will help you use credit 
cards on your website plus decrease perceived waiting 
time by 150% . The best thing about our system is that 
it is absolutely risk free for you ! But don't believe 
us ! Mrs Simpson of Washington tried us and says "Now 
I'm rich, Rich, RICH" . We assure you that we operate 
within all applicable laws ! We beseech you - act now 
! Sign up a friend and your friend will be rich too 
. Thank-you for your serious consideration of our offer 
! Dear Friend ; This letter was specially selected 
to be sent to you ! If you no longer wish to receive 
our publications simply reply with a Subject: of "REMOVE" 
and you will immediately be removed from our mailing 
list . This mail is being sent in compliance with Senate 
bill 2716 , Title 2 ; Section 306 ! This is a ligitimate 
business proposal . Why work for somebody else when 
you can become rich inside 33 weeks . Have you ever 
noticed more people than ever are surfing the web plus 
more people than ever are surfing the web . Well, now 
is your chance to capitalize on this ! WE will help 
YOU SELL MORE and process your orders within seconds 
. You can begin at absolutely no cost to you . But 
don't believe us ! Mrs Jones of Kentucky tried us and 
says "I was skeptical but it worked for me" ! This 
offer is 100% legal ! We implore you - act now . Sign 
up a friend and you'll get a discount of 50% . God 
Bless .

Following the challenge description, a Google search for "spam + grid cipher" (垃圾邮件+栅格密码) leads to the decoder at http://www.spammimic.com/decode.shtml, which decodes the text to

flag{a0dd1e2e6b87fe47e5ad0184dc291e04}

Very simple traffic analysis

Download the attachment, open the capture and filter on http. A request for robots.txt shows up, and its contents point to abc.html (screenshot omitted).

Continue with abc.html:

http contains "abc.html"

which yields one MD5-sized value and two DES keys, labelled with the direction of the hosts they belong to (.129 -> .143 and .143 -> .129) (screenshot omitted):

md5 0x99a98e067af6b09e64f3740767096c96

DES 0xb19b21e80c685bcb052988c11b987802d2f2808b2c2d8a0d    (129->143)

DES 0x684a0857b767672d52e161aa70f6bdd07c0264876559cb8b    (143->129)

Further down the capture (screenshots omitted) the remaining traffic is IPSec-encrypted (ESP). It can be decrypted in Wireshark using the values above: the two 48-hex-digit values are per-direction encryption keys (48 hex digits is a 24-byte key, i.e. 3DES-CBC rather than single DES), and the 16-byte "md5" value fits as an HMAC-MD5-96 authentication key. In Edit > Preferences > Protocols > ESP, enable "Attempt to detect/decode encrypted ESP payloads" and add one SA per direction (129 -> 143 and 143 -> 129), taking each SPI from the ESP headers in the capture (screenshot omitted).

After decryption each HTTP request carries an ASCII code; joining the first few spells flag, so extract all 38 codes and concatenate them (screenshot omitted):

# ASCII codes carried by the decrypted HTTP requests, in capture order
a = [102, 108, 97, 103, 123, 50, 55, 98, 48, 51, 98, 55, 53, 56, 102, 50, 53, 53, 50, 55, 54, 101, 53, 97, 57, 56, 100, 97, 48, 101, 49, 57, 52, 55, 98, 101, 100, 125]
res = ''
for i in a:
    res += chr(i)
print(res)

which prints flag{27b03b758f255276e5a98da0e1947bed}.

Crypto

The challenge gives us:

This pad should only have been used once, but it was used many times, so the ciphertext is easy to break.
After some trying, the first letter of the key is very likely y; the rest is up to you.

cip1: rlojsfklecby
cip2: ulakqfgfsjlu
cip3: dpaxwxtjgtay

Look for words starting with y and try year:

# Vigenere decryption, p = (c - k) mod 26, for the positions the key covers
key = 'year'
c1 = 'rlojsfklecby'
c2 = 'ulakqfgfsjlu'
c3 = 'dpaxwxtjgtay'
res1 = ''
res2 = ''
res3 = ''
for i in range(len(key)):
    res1 += chr(((ord(c1[i]) - ord(key[i])) % 26) + ord('a'))
    res2 += chr(((ord(c2[i]) - ord(key[i])) % 26) + ord('a'))
    res3 += chr(((ord(c3[i]) - ord(key[i])) % 26) + ord('a'))
print(res1)
print(res2)
print(res3)

Result:

thos
what
flag

Seeing thos, guess the next letter is e (those); testing confirms it, the key becomes yearo, and the result is

those
whatc
flagi

The next letter is presumably s, since flagis; probing it the same way extends the key to yearof, giving

thosea
whatca
flagis

No obvious continuation at this point, so check a dictionary (screenshot omitted). Trying candidates, the key stays meaningful up to yearofthe, with

thosearea
whatcanyo
flagisacc

From the second plaintext, guess u (what can you); that gives key yearofthep and plaintexts

thosearean
whatcanyou
flagisacce

Guess the third plaintext is flagisaccess; the key is then yearofthepig and the full plaintexts are

thoseareants
whatcanyoudo
flagisaccess

I'm really speechless at this challenge author...
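The hand-driven guessing above is a crib drag: because all three messages share one key stream, a correct guess of a single plaintext letter in any message yields the key letter at that position, and therefore that position of every other message. The following Python script is an added example, not part of the original writeup, that mechanizes the exact sequence of guesses made above. The ciphertexts are the challenge's; the step list is my reconstruction of the author's guesses.

```python
# Ciphertexts from the challenge; the same key stream was used for all three
CIPHERTEXTS = ["rlojsfklecby", "ulakqfgfsjlu", "dpaxwxtjgtay"]


def _sub(a, b):
    """(a - b) mod 26 over lowercase letters: plaintext = cipher - key, key = cipher - plaintext."""
    return chr((ord(a) - ord(b)) % 26 + ord("a"))


def decrypt_with(key, ciphertexts=CIPHERTEXTS):
    """Vigenere-decrypt each message under key; only the first len(key) letters are known."""
    return ["".join(_sub(c, k) for c, k in zip(ct, key)) for ct in ciphertexts]


def extend_key(key, ct_index, plain_char, ciphertexts=CIPHERTEXTS):
    """Guess the next plaintext letter of message ct_index. Because the key stream is shared,
    that single guess fixes the key letter at this position for every message."""
    pos = len(key)
    if pos >= len(ciphertexts[ct_index]):
        raise ValueError("key already covers the whole message")
    return key + _sub(ciphertexts[ct_index][pos], plain_char)


def crib_drag(start_key, steps, ciphertexts=CIPHERTEXTS):
    """Replay a sequence of guesses. Each step is either ("plain", msg_index, letter),
    a guessed plaintext letter, or ("key", suffix), a guessed continuation of the key word.
    Returns the final key and a trace of (key, partial plaintexts) after every step."""
    key = start_key
    trace = [(key, decrypt_with(key, ciphertexts))]
    for step in steps:
        if step[0] == "plain":
            key = extend_key(key, step[1], step[2], ciphertexts)
        elif step[0] == "key":
            key += step[1]
        else:
            raise ValueError("unknown step %r" % (step,))
        trace.append((key, decrypt_with(key, ciphertexts)))
    return key, trace


# My reconstruction of the writeup's guesses: those, flagis, "year of the", what can you, access
STEPS = [
    ("plain", 0, "e"),    # thos       -> those
    ("plain", 2, "s"),    # flagi      -> flagis
    ("key", "the"),       # dictionary: year of the ...
    ("plain", 1, "u"),    # whatcanyo  -> whatcanyou
    ("plain", 2, "s"),    # flagisacce -> flagisacces
    ("plain", 2, "s"),    #            -> flagisaccess
]

if __name__ == "__main__":
    final_key, trace = crib_drag("year", STEPS)
    for key, plains in trace:
        print(key.ljust(12), plains)
    # final key yearofthepig -> ['thoseareants', 'whatcanyoudo', 'flagisaccess']
```

A wrong guess shows up immediately as a non-English fragment in one of the other two messages, which is why every plaintext has to be checked after each step rather than only the one that was guessed.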

The next Crypto challenge is a CRC32 brute force: a zip stores each entry's CRC32 in the clear in its headers, so very short entries can be recovered from their CRC alone, without the password. Running the tool as in the screenshots (omitted) yields the archive password:

tanny_is_very_beautifu1_
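The tool in the screenshots exploits the fact that a zip entry's CRC32 is readable without the password. As an added example (not the tool the author used and not from the original writeup), the Python below recovers 4-byte entries from their CRC32 directly by inverting the CRC state machine, no search required, and falls back to a brute-force search for other short lengths. The six 4-byte chunks are a hypothetical scenario constructed so that they concatenate to the password above; the writeup does not say how the archive was actually laid out.

```python
import itertools
import string
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, as used by zip and zlib

# Standard byte-wise table; TABLE[i] is the state update for lookup index i
TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    TABLE.append(_c)

# The top byte of every table entry is distinct, so the top byte of a CRC state reveals
# which entry was XORed in last. That is what makes 4-byte inputs directly invertible.
REV = {entry >> 24: idx for idx, entry in enumerate(TABLE)}
assert len(REV) == 256


def crc32_of(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def crc32_invert4(crc):
    """Recover the unique 4-byte input whose CRC-32 is crc (no brute force)."""
    state = crc ^ 0xFFFFFFFF          # undo the final XOR
    indices = []
    for _ in range(4):                # walk the four byte steps backwards
        idx = REV[state >> 24]
        indices.append(idx)
        state = ((state ^ TABLE[idx]) << 8) & 0xFFFFFFFF  # upper 24 bits of the previous state
    indices.reverse()
    state = 0xFFFFFFFF                # replay forwards from the known initial state
    out = bytearray()
    for idx in indices:
        out.append((state ^ idx) & 0xFF)   # the byte that produced this lookup index
        state = TABLE[idx] ^ (state >> 8)
    result = bytes(out)
    if crc32_of(result) != crc:
        raise ValueError("inversion failed for %08x" % crc)
    return result


def crc32_brute(crc, length, charset=string.ascii_lowercase + "_"):
    """Fallback for entries that are not exactly 4 bytes: try every charset**length string.
    Only practical for very short files (27**5 is already about 14 million candidates)."""
    for combo in itertools.product(charset.encode(), repeat=length):
        cand = bytes(combo)
        if crc32_of(cand) == crc:
            return cand
    return None


def recover_from_crcs(crcs):
    """Join the recovered contents of several 4-byte entries in archive order."""
    return b"".join(crc32_invert4(c) for c in crcs)


# Hypothetical scenario for illustration: six 4-byte files whose contents, concatenated
# in archive order, form the password from the writeup.
DEMO_CHUNKS = [b"tann", b"y_is", b"_ver", b"y_be", b"auti", b"fu1_"]
DEMO_CRCS = [crc32_of(c) for c in DEMO_CHUNKS]   # the values `unzip -v` would list

if __name__ == "__main__":
    print(recover_from_crcs(DEMO_CRCS).decode())   # tanny_is_very_beautifu1_
```

The inversion works only for exactly 4-byte entries, where CRC-32 is a bijection; for 1 to 3 bytes the search space is tiny, and beyond about 5 bytes the CRC no longer pins down the content, which is why challenge authors cut the secret into 4-byte files.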

Decrypting the archive gives flag.pdf, which (screenshot omitted) asks us to find the right arrangement of a set of characters; the SHA1 of the answer is

e6079c5ce56e781a50f4bf853cdb5302e0d8f054

The characters to arrange are roughly:

1!
2@
{[
}]
asefcghnl

Brute-forcing this directly has too many possibilities, but we know the answer has the form flag{...}, so the search narrows to:

1!
2@
sechn

Script:

import itertools
import hashlib

TARGET = 'e6079c5ce56e781a50f4bf853cdb5302e0d8f054'

def sha1(s):
    return hashlib.sha1(s.encode()).hexdigest()

for ch1 in '1!':            # exactly one of '1' / '!'
    for ch2 in '2@':        # exactly one of '2' / '@'
        pool = ch1 + ch2 + 'sechn'
        # try every ordering of the seven characters inside flag{...}
        for perm in itertools.permutations(pool):
            res = 'flag{' + ''.join(perm) + '}'
            if sha1(res) == TARGET:
                print(res)
                break

Running it yields the flag:

flag{sh@1enc}

Afterword

This one required some big leaps of imagination; there is one more Web challenge I haven't written up, which I plan to analyze properly next time XD

