2021 CVVD First Internet of Vehicles Vulnerability Discovery Competition, Onsite Round Write-Up

Category: CTF

Attachment download

https://awwwj.lanzoui.com/iqyGdpj6rmj


Let's start with the first challenge.

Disassembly yields a base64 ciphertext.



Base64-decoding "RmxhZ3tHaUZUX0NWVkR9" gives the flag.



Flag: Flag{GiFT_CVVD}


You don't have to start with the first challenge

Disassembly yields the reversed base64 ciphertext "=gO1MUiJSSL1S6iP".

The base64 alphabet has been replaced with:

vwxrstuopq34567ABCDEFGHIJyz012PQRSTKLMNOZabcdUVWXYefghijklmn89+/

Decoding with the custom alphabet gives the flag.


Flag: flag {carHacker}



Do you know why this program crashes?

Disassembly shows that 'cvvd' is run through an iterated chain of sha256 and sha512. Take the last four characters of the result and append them to the uppercase "CVVD".



The script is as follows:

import hashlib

def sha256(strings):
    # hashlib needs bytes; the original Python 2 script passed str directly
    s = hashlib.sha256()
    s.update(strings.encode())
    return s.hexdigest()

def sha512(strings):
    s = hashlib.sha512()
    s.update(strings.encode())
    return s.hexdigest()

a = 'cvvd'
# three rounds of the same seven-step sha512/sha256 chain recovered from the binary
res1 = sha256(sha512(sha256(sha256(sha512(sha256(sha512(a)))))))
res2 = sha256(sha512(sha256(sha256(sha512(sha256(sha512(res1)))))))
res3 = sha256(sha512(sha256(sha256(sha512(sha256(sha512(res2)))))))
# res3 is a 64-character sha256 hex digest; the flag uses its last four characters
print('Flag{' + a.upper() + res3[-4:] + '}')



flag: Flag{CVVD3edb}



PIN




Custom Base58

# 32-symbol alphabet (the z-base-32 ordering), so each symbol carries 5 bits
alphabet = ['y','b','n','d','r','f','g','8','e','j','k','m','c','p','q','x','o','t','1','u','w','i','s','z','a','3','4','5','h','7','6','9']

cipher = "cpwsg7uwp7zgq35fc71sq3e"

def cut(obj, sec):
    # split a string into consecutive pieces of length sec
    return [obj[i:i+sec] for i in range(0, len(obj), sec)]

plain_encode = ''
cipher_list = []
for i in cipher:
    # symbol index -> 5-bit group, zero-padded on the left
    plain_encode += bin(alphabet.index(i)).replace("0b", "").rjust(5, "0")
# regroup the bit string into bytes and turn each byte into a character
cipher_list = cut(plain_encode, 8)
for i in range(0, len(cipher_list)):
    cipher_list[i] = chr(int(cipher_list[i].rjust(8, "0"), 2))
print("".join(cipher_list))








Xiaoming and the PDU


`file` shows the attachment is a WAV; open it in Au (Adobe Audition) to inspect it.


Zoom in.


Tried Morse code first, but the format doesn't fit.

The groups are 8 long, so convert them directly to binary 0/1:

01101001 01011111 01101100 01101111 01110110 01100101 01011111 01100011 01110110 01110110 01100100


flag{i_love_cvvd}


小明和BLE


A recycled challenge: identify the valid packet using the BLE preamble and the CRC check, where:

1. BLE has two preambles: 01010101 and 10101010

2. The CRC check can use pwntools' pwnlib.util.crc.crc_24_ble

from pwnlib.util.crc import crc_24_ble

# Raw bit stream captured off the air, one character per bit as transmitted
# (each byte least-significant bit first). The original one-line string was
# split across three lines by extraction; implicit concatenation joins the pieces.
rawbit = ('1000000110111101001110110010001100101100010010100111101011000111100101011001010111010001111000001101111001110100101010100111100110110000010011010000000010100110000001011000000100000011000111010111001110000010010001000001010110001000101010101000011001011100100110010100111011010010111110010111011010010111011111001101111011010010100000101101011100011001110001000100010000110011100001011111101100011110000011101111101000010011110001100010011001010101010100110010001100100111011010110001010001101010100010011000111001101100110100010000111011001111001100110001000100000011001010011111111001100001010000111010011011100100101001001000110000011110000110111001111000111001101101011101001110111001000010100001100111111000111101011010010011010001001001110110010111000100111011110101001010101100101111100001010110110111000000100100010101110010111110010101100100001000101001001010011110001001010110100101011000100010111101000010111100011011010011000101011010100010100001011010001100011111000101001100101101000011101110011010011010100010110110101011000110100100111101111110011010001110010101000111000010100000101111100001100001101000111010111011110000100111111001110110010011110110101110001101110111001100100010001011001011111001010101111110010110111000011000111101011010001000000101010100101010000110011000001000100001101011100011011001101010001111100100001110110100101100000111000001001001101000000101111010100100001100010100111001110111110110000011111000111111100111001011110111101000011010000011110111010101110100101101010101100010100000111100010100001001101100000100111100000001111101010111011100001011010110100101110110000111100001001000010010110111000101000100100111001111110011111010010110100101101100001010101100010010111100111000000111000000100111001111000000010100000010010000000101101111001111101010100010101100001010101111110111010001011110011101011010001101110110011001100011000001101010011100000001010110010001110011100100001000111110111101010100111110011100011111100000000001100000100011'
          '00100011010011110010101100011010010110010011100001000011100001100011001010010000110000110011100111100010001011101000000000010010000100111011010100110101000010000000010110001110000101001010010010100100011100000000100111011101011100110010001001001000111010000100010100000000110011110101010010011001011010111011011100001000100101010100011001110011001010111101110010111010101001001101000110001110011011011110111010111001110011000010010010001010001000010011001010101100011011100001100001100110001000011101010111000101011000010011010101001000001101011100011101111010110100111001111011101001011001010101101111000100101100010101100010101011001110110111000001010111000111001100100101110100001010000101110001110010010010001111011100010011011111110001010101100001111011011010001111000000101001101011000110100000110001001101100011001010011011100000101111000011100011100001110010011111010011010100101110111111100100011101011001000010010000001000110100110101110101010010111010101010000110001111101000010010001111100110100000101011110111000011000011001100011100001101100010101110010010110110010111100011010100011011101101100101111000010101010000010101010111010101110111110100101101100000111010001001010110011010111101110010110101001001010011000011100101000000111011001011100101110100101101111110101010000010000111001001110010011010101110101101101000001011110010011011101100011001100100000001101001100101010110110000100001100101101001011101001111000011111110111100010101111111011101010101011010110111110110010001011100010000001010000100101100001100011000101000100000110101110100011011111100001001000000100010101001101100111010010110111001100111011010100110010011100000010010110010111101101010111011001110101001101100000010011000010000111100000001000000100000001010000011000000110000000100100000011000010001101001001110111010001011001111000011100100100010010011100001111110001100100110110110111011100000110010101000110100101010100110100110000001110000011111111010000101000001010101101011010001001101000001001111001011'
          '010101010010000101011111011100100000000100001001100100000010000001101111010011101100100011001011000100101001111010110001111001010110010101110100011110000011011110011101001010101001111001101100000100110100000000101001100000010110000001000000110001110101110011100000100100010000010101100010001010101010000110010111001001100101001110110100101111100101110110100101110111110011011110110100101000001011010111000110011100010001000100001100111000010111111011000111100000111011111010000100111100011000100110010101010101001100100011001001110110101100010100011010101000100110001110011011001101000100001110110011110011001100010001000000110010100111111110000011011110100111011001000110010110001001010011110101100011110010101100101011101000111100000110111100111010010101010011110011011000001001101000000001010011000000101100000010000001100011101011100111000001001000100000101011000100010101010100001100101110010011001010011101101001011111001011101101001011101111100110111101101001010000010110101110001100111000100010001000011001110000101111110110001111000001110111110100001001111000110001001100101010101010011001000110010011101101011000101000110101010001001100011100110110011010001000011101100111100110011000100010000001100101001111111100110000101000011101001101110010010100100100011000001111000011011100111100011100110110101110100111011100100001010000110011111100011110101101001001101000100100111011')

def find_all(sub, s):
    # every offset at which sub occurs in s; an empty list (not -1) lets the caller iterate
    index_list = []
    index = s.find(sub)
    while index != -1:
        index_list.append(index)
        index = s.find(sub, index + 1)
    return index_list

def print_hex(a):
    # reverse each 8-bit group (LSB-first on air -> MSB-first byte) and hex-encode
    c = bytearray()
    for i in range(len(a) // 8):
        c.append(int(a[i*8:(i+1)*8][::-1], 2))
    return c.hex()

def find_ble_package(pre, data):
    for i in find_all(pre, data):
        prehead = print_hex(data[i:i+40])            # preamble + 32-bit access address
        head = print_hex(data[i+40:i+48])            # PDU header byte
        l = print_hex(data[i+48:i+56])               # PDU length byte
        if len(l) < 2:
            continue                                 # ran off the end of the capture
        l0 = int(l, 16) & 0x3f; l1 = l0 * 8          # payload length in bits
        d = print_hex(data[i+56:i+56+l1])            # PDU payload
        crc = print_hex(data[i+56+l1:i+56+l1+24])    # 24-bit CRC as received
        crc_data = head + l + d
        check_crc = '%06x' % crc_24_ble(bytes.fromhex(crc_data))
        # the received CRC is byte-reversed relative to the computed one; compare one byte
        if check_crc[0:2] == crc[4:6]:
            print("--------------------------------------------")
            print("package : " + prehead + head + l + d + crc)
            print("head : " + prehead)
            print("PDU head : " + head)
            print("PDU len : " + l)
            print("PDU data : " + d)
            print("crc : " + crc)
            print("crc_check: " + check_crc)
            print("--------------------------------------------")

find_ble_package('01010101', rawbit)
find_ble_package('10101010', rawbit)



After checking, only one valid packet remains:

package  : aad6be898e40210d6314c1bad80f0944657369676e6572204d6f7573650319c2030201050303121862c95d
head     : aad6be898e
PDU head : 40
PDU len  : 21
PDU data : 0d6314c1bad80f0944657369676e6572204d6f7573650319c20302010503031218
crc      : 62c95d
crc_check: 5dc962
flag{humaninterfacedevice5dc962}



Look through the phenomenon to the essence

foremost carves out three images.



The third one is the flag.



Easy

Detection shows the binary is UPX-packed.

Unpacking fails with an error.


Repairing the p_info header is enough.


Then unpack again with upx -d.

Open it in IDA.


The logic is very simple:

0xFADED^0x5D281F=5408242

flag{5408242}


ez_calc

A recycled challenge: build the PoC following https://hackmd.io/@st98/Sy7D5NymO and run the following command to obtain the flag:

curl http://192.168.1.101:8007/?code=a%3D%3E%5B...arguments%5B0%5D%2B0%5D%7D%29%28b%3D%3E%7B

easy_php

A recycled challenge, see https://www.sohu.com/a/286047773_354899: after uploading a webshell, read the flag file in the root directory to obtain the flag.

There's a bug here


Download the program and run it under qemu, then fuzz it by hand; it crashes on the input 3578.




Flag{cvvd_3578}


Setting the ECU's ACR

All ECU transceivers on the vehicle use the SJA1000 and support the CAN 2.0A specification. ECU1 and ECU2 are on the same CAN segment. ECU1 sends four frames with identifiers ID1=0x669, ID2=0x661, ID3=0x649 and ID4=0x641. For ECU2 to receive only the ID2 and ID4 frames, how should the ACR of ECU2's transceiver be set? ACR=XXXXXXXX.


Convert the IDs to binary and take bits ID10-ID3:

11001100001

11001101001

11001000001

11001001001



Compute the ACR:

flag{11001100}


Setting the ECU's AMR

All ECU transceivers on the vehicle use the SJA1000 and support the CAN 2.0A specification. ECU1 and ECU2 are on the same CAN segment. ECU1 sends four frames with identifiers ID1=0x669, ID2=0x661, ID3=0x649 and ID4=0x641. For ECU2 to receive only the ID2 and ID4 frames, how should the AMR of ECU2's transceiver be set? AMR=XXXXXXXX.


Convert the IDs to binary and take bits ID10-ID3:

11001100001

11001101001

11001000001

11001001001


Compute the AMR:


flag{00000100}
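A worked example for both the ACR and AMR questions above, added here and not part of the original write-up: it derives the SJA1000 BasicCAN single filter (ACR compared against ID10..ID3, an AMR bit of 1 meaning "don't care") from the set of identifiers to accept and checks every frame against it. The four identifiers come from the problem statement; 0x667 is a constructed extra identifier that shows the filter's blind spot.

```python
# SJA1000 BasicCAN single filter (CAN 2.0A): the 8-bit ACR is compared with
# bits ID10..ID3 of each received identifier; a 1 in the AMR marks the
# corresponding ACR bit as "don't care". Bits ID2..ID0 are never inspected.

def id_high_byte(can_id):
    """Bits ID10..ID3 of an 11-bit identifier, the byte the filter looks at."""
    if not 0 <= can_id <= 0x7FF:
        raise ValueError("not an 11-bit CAN 2.0A identifier")
    return (can_id >> 3) & 0xFF

def compute_filter(accept_ids):
    """Return (ACR, AMR) that accept every identifier in accept_ids.
    AMR is the OR of every bit position in which the accepted high bytes
    differ (the minimal don't-care mask); ACR is the first accepted high
    byte, so the masked bits keep that value (any value works there)."""
    highs = [id_high_byte(i) for i in accept_ids]
    amr = 0
    for h in highs:
        amr |= h ^ highs[0]
    return highs[0], amr

def passes_filter(can_id, acr, amr):
    """True when the SJA1000 would accept a frame with this identifier."""
    return ((id_high_byte(can_id) ^ acr) & ~amr & 0xFF) == 0

if __name__ == "__main__":
    # identifiers from the problem statement
    ids = {"ID1": 0x669, "ID2": 0x661, "ID3": 0x649, "ID4": 0x641}
    acr, amr = compute_filter([ids["ID2"], ids["ID4"]])
    print("ACR = {:08b}  AMR = {:08b}".format(acr, amr))   # 11001100 / 00000100
    for name, cid in ids.items():
        print(name, hex(cid), "accepted" if passes_filter(cid, acr, amr) else "rejected")
    # caveat: a constructed identifier that differs from ID2 only in ID2..ID0
    # also passes, because the single filter never inspects those bits
    print("0x667", "accepted" if passes_filter(0x667, acr, amr) else "rejected")
```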



CAN bus arbitration

When several nodes transmit at the same time, the bus conflict is resolved at the first bit where they differ: the node sending the dominant bit keeps the bus and the node sending the recessive bit switches to receiving. So ECU1 and ECU3 both switch to receiving, and ECU2's frame is the one that goes out.



flag{0x537}
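An added simulation of the bit-wise arbitration described above (not from the original write-up): each contending node sends its 11-bit identifier MSB first, the bus behaves as a wired-AND so a dominant 0 beats a recessive 1, and a node that sent 1 while the bus shows 0 stops transmitting. ECU2's identifier 0x537 is the one from the challenge; the ECU1 and ECU3 identifiers are constructed, since the page only shows them in screenshots.

```python
def arbitrate(ids):
    """Simulate CAN arbitration among distinct 11-bit identifiers.
    Returns (winner, dropped) where dropped maps each losing identifier to the
    bit position (10 = ID10, first on the wire; 0 = ID0) at which it lost."""
    contending = set(ids)
    if len(contending) != len(ids):
        raise ValueError("two nodes with the same identifier would collide")
    dropped = {}
    for bit in range(10, -1, -1):
        # wired-AND bus: the level is dominant (0) if any contender sends 0
        bus = min((i >> bit) & 1 for i in contending)
        losers = {i for i in contending if (i >> bit) & 1 == 1 and bus == 0}
        for i in losers:
            dropped[i] = bit            # this node switches to receiving here
        contending -= losers
        if len(contending) == 1:
            break
    return contending.pop(), dropped

if __name__ == "__main__":
    # ECU2 is from the challenge; ECU1 and ECU3 are constructed identifiers
    ecus = {"ECU1": 0x53F, "ECU2": 0x537, "ECU3": 0x5B7}
    winner, dropped = arbitrate(list(ecus.values()))
    for name, cid in ecus.items():
        if cid == winner:
            print(name, hex(cid), "wins arbitration")
        else:
            print(name, hex(cid), "lost at ID%d, switched to receiving" % dropped[cid])
```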


How should the ECU reply with a negative response code

Because the requested service 0x27 is not supported, the ECU's negative response code in hex is 0x11.


flag{0x11}


A few more bits

7FF:011111111111

18999F1B:1 1000 1001 1001 1001 1111 0001 1011


After converting both to binary, the difference in bit count is 18.

flag{18}





The Hillstone Networks Security Research Institute (山石网科安全技术研究院, "Hillstone Security Research Institute" for short) was formally established in April 2020 as Hillstone Networks' information security think tank; its predecessor was the security research team under the former Security Services department. The institute comprises two security laboratories, Ganjiang (干将) and Moye (莫邪), plus two independent technical teams for security early-warning analysis and advanced offense/defense training. It is responsible for anti-APT tracking and research, competing in and hosting global offense/defense competitions, advanced offense/defense training, publishing global security early warnings in Chinese and English, discovering and researching software and hardware vulnerabilities, undertaking national cybersecurity research projects, releasing annual or semi-annual technical reports, and showcasing the company's overall offensive and defensive capabilities. Its technical directions include mobile security, virtualization security, industrial control security, IoT security, blockchain security, protocol security, source code security, anti-APT and anti-espionage.


Since 2015 it has provided technical support to the public security departments of several provinces, and cybersecurity support for major events such as the SCO Summit, the Fortune Global Forum and the BRICS summit. It has repeatedly placed well in offense/defense competitions: first place in CyberSecurity China Tour (网安中国行), champion of two consecutive Red Hat Cups (红帽杯), first place in the Wangding Cup (网鼎杯) online round, and strong results in the Butian Cup (补天杯), the GeekPwn Cup (极棒杯) and HW (护网) exercises across the country, earning a large number of CNVD, CNNVD and CVE certificates or IDs every year.


For assistance, contact [email protected]





Attachment download link (or click the original article link):

https://awwwj.lanzoui.com/iqyGdpj6rmj



This article was first published on the WeChat official account 山石网科安全技术研究院 (Hillstone Networks Security Research Institute): 2021 CVVD First Internet of Vehicles Vulnerability Discovery Competition, Onsite Round Write-Up
