投稿條件 必須在 LoTuX 平台上取得 2000 分以上。 同意將題目提供給我們發布至 LoTuX 平台 投稿流程 從 Google 表單上傳所有資料 ➡️ 初步審核（檢查是否有明顯缺漏及是否符合資格） ➡️ 通知初步審核結果 ➡️ 最終審核（確認題目和解答的完成度、測試部屬） ➡️ 通知最終審核結果 ➡️ 題目發布排程 ➡️ 部屬和發布題目 投稿所需準備資料 投稿題目時，請準備以下內容並一併提供給我們：

[name=FlyDragon] Step.1 By observing output.txt and executing the code, it can be inferred that the program flag.exe will output the flag after shuffling it. Step.2 By examining main() using Ghidra, it can be discovered that this program reads in the contents of flag.txt and outputs them after performing specific swaps in a particular order. order = [5, 13, 0, 12, 1, 16, 3, 2, 8, 7, 15, 4, 6, 17, 11, 10, 9]

[name=FlyDragon] Step.1 觀察 output.txt 以及執行程式碼 可猜測 flag.exe 會將flag打亂後輸出 Step.2 使用ghidra查看 main() 可以發現這個程式會讀入flag.txt、照特定的順序交換後輸出

--- title: LoTuX CTF Writeup Dark Theme tags: Themes description: LoTuX CTF Writeup Dark Theme Design By Curious --- <style> @import url('https://fonts.googleapis.com/css2?family=Roboto+Mono:wght@400;700&display=swap'); .modal-body { color: whitesmoke !important; } .ui-user-name { color: whitesmoke; } .modal-content { background-color: #000; } .modal-header { background-color: #222; border-bottom-color:

[name=Curious] Train of Thought & Solution Continuing from the previous question's Writeup, after downloading app.py, you can find the following piece of code: @app.get('/1d538e83d6f6b08f') def secret(): try: with open('/proc/sys/kernel/random/boot_id') as f: hint = f.readline().strip()

[name=Curious] 思路 承接上一題的 Writeup，在下載 app.py 之後可以看到這樣一段程式碼 @app.get('/1d538e83d6f6b08f') def secret(): try: with open('/proc/sys/kernel/random/boot_id') as f: hint = f.readline().strip()

[name=FlyDragon] Step.1 Download passwd and shadow They are related to a linux account Step.2 Challenge name Johnny , which let you know this challenge can be solved with John the ripper $ unshadow passwd shadow > unshadow

[name=FlyDragon] Step.1 下載 passwd 跟 shadow 檔案 這兩個檔案和一個 linux 帳號有關 Step.2 題目名稱 Johnny 提示這題可以使用 John the ripper 工具解題 $ unshadow passwd shadow > unshadow

[name=Curious] Train of Thought & Solution From chal.c, we can see that this problem has a BOF in read(0, buf, 0x40), and there is a FMT in printf(buf). Additionally, flag is a global variable, meaning it shares the same base address as main. We know that there will be some useful addresses left on the stack at runtime, and when this binary is executed: If we use objdump -t chal to check the offset of flag and main, we get: Furthermore, the problem provides the last two bytes of the main address. So, all we need to do is to use BOF to overwrite the last two bytes of the main address with those of flag, and then use FMT to print out the flag."

[name=Curious] 思路和解法 從 chal.c 可以知道這題在 read(0, buf, 0x40) 有一個 BOF，然後在 printf(buf) 這邊有一個 FMT，而且 flag 是一個全域變數，也就是說位址和 main 有同一個 base。 我們知道執行時會在 stack 上殘留一些有用的位址，而這個 binary 執行時 如果使用 objdump -t chal 去看 flag 和 main 的 offset 時 又題目會給 main 位址的最後兩個 bytes，所以只要用 BOF 把 main 位址的最後兩位寫成 flag 的然後用 FMT 把 flag 印出來就可以了。

[name=Curious] Train of Thought & Solution First, put chal into IDA It can be observed that this challenge can utilize an FMT leak to obtain an address, and then utilize a One Gadget to gain shell access. Therefore, it is necessary to leak the address of the libc Next, let's take a look at the conditions for the One Gadget If you carefully examine the asm of main, you can notice that at the end, there are xor rsi, rsi and xor rdx, rdx instructions. Therefore, the conditions for the One Gadget boil down to requiring rbp - 0x78 to be writable. Since we've already leaked the libc address, we can directly use an address from the writable segment of libc to write to rbp

[name=FlyDragon] Step.1 Using UnityExplorer plugin to enable freecam. After that, you can see the flag.

[name=FlyDragon] Step.1 使用 UnityExplorer 插件開啟 freecam 即可看到 flag

[name=FlyDragon] Step.1 http://lotuxctf.com:20008 It is a image uploader. Upload a test.png , and you will get this message. Uploaded at : uploads/64fd8aff877ba_test.png

[name=FlyDragon] Step.1 http://lotuxctf.com:20008 這是個圖片上傳網站，可以上傳圖片 上傳 test.png ，得到以下訊息 Uploaded at : uploads/64fd8aff877ba_test.png

[name=Curious] Train of Thought & Solution Continuing from the previous question LoTuX CTF Min 0, you can obtain the code for this website. Upon analyzing, you can see in profile.php that: $query = "SELECT * FROM users WHERE username = '" . $_SESSION["username"] . "'"; This can lead to SQL Injection, so we need to register a user with a username as a payload.

[name=Curious] 思路和解法 承接上一題 LoTuX CTF Min 0，可以得到這個網站的程式碼。 分析一下可以發現在 profile.php 裡 $query = "SELECT * FROM users WHERE username = '" . $_SESSION["username"] . "'"; 會造成 SQL Injection，所以我們需要註冊一個 username 是 payload 的使用者。

[name=Curious] 思路和解法 首先可以發現網站有 Git 洩漏 所以使用 GitHacker 把洩漏的文件抓下來 githacker --url http://lotuxctf.com:20006/.git/ --output-folder result 把抓下來的檔案都看一下後沒有發現 flag，所以回到到一個 commit 看看

[name=Curious] Train of Thought & Solution Firstly, it can be observed that the website has a Git leak. Thus, the leaked files are retrieved using GitHacker githacker --url http://lotuxctf.com:20006/.git/ --output-folder result After inspecting the downloaded files and not finding the flag, we revert to a specific commit to examine

[name=Curious] Train Of Thought & Solution Upon entering the challenge, it was noticed that there was an image. Upon closer inspection, it was observed that this image was loaded from /uploads?file=BlankSite.png. It was hypothesized that it might be possible to exploit the file parameter to read files from the server. If an arbitrary filename is inputted It can be observed that the server returns an error message. Within the error message, the presence of the /app/app.py file is visible. By using ../../../../app/app.py, it is possible to download this file and obtain the flag.