AAA CTF101 Security Offense and Defense Practice Short Semester Lab 0

Environment: macOS Ventura / Kali Linux

Lab guide

For reference only.

Prerequisite

Challenge 2

#!/usr/bin/python3

data = input('give me your string: ')
print('length of string:', len(data))

data_old = data
data_new = ''
for d in data:
    if d in 'abcdefghijklmnopqrstuvwxyz':
        data_new += chr(ord(d) - 32)
    elif d in 'ABCDEFGHIJKLMNOPQRSTUVWXYZ':
        data_new += chr(ord(d) + 32)
    else:
        data_new += d

print('now your string:', data_new)

Mixing single and double quotes like this is painful, and data_old is never even used.
ord() returns the Unicode code point of a single character; chr() converts a Unicode code point back into a single character. The program flips the case of every English letter in the input string (the offset 32 is the distance between 'A' and 'a' in ASCII).

校巴 calculator

import pwn


with pwn.remote('10.214.160.13', 11002) as dst:
    for i in range(10):
        # skip the banner / previous answer, then read up to the '=' of the next expression
        dst.recvuntil(b'\n\n')
        expr = dst.recvuntil(b'=', drop=True).decode()
        # eval() of text received from the service: acceptable for a CTF solver, not for untrusted input in real code
        dst.sendline(str(eval(expr)).encode())
    dst.interactive()

Challenge 3

What is the value of dh after line 138 executes?

00
x ^ x == 0

What is the value of dl after line 141 executes?

00
~(-1) == 0

What is the value of di after line 161 executes?

0000
Line 161: di = bp. Line 159: bp = dx. Line 144 guarantees dx == 0.

What is the value of ax after line 178 executes?

0e74
{0x0e, ord('t')}

What is the value of ax after line 208 executes for the third time?

0e4f
{0x0e, ord('O')}

What is the value of dx after line 224 executes?

030f

ACTF{We1com3_7o_R3_00_00_0000_0e74_0e4f_030f}

Web

It used to be esifielnb.php.

Open the console from the browser menu; in <head> you can see the getflag() function requesting /flag.php?token=785b2a229473dfa4. Each token can only be requested once, so on every iteration request /lab0.php, parse the token out of it, and then request /flag.php.

import re
import requests


URL = 'http://pumpk1n.com'
PATH_IDX = '/lab0.php'

CK = {'PHPSESSID': 'l5ca2f4dfiu06m5ukr4b4c20eh'}

for i in range(1338):
    # fetch the page that embeds a fresh one-time token, then extract the /flag.php path
    resp = requests.get(URL + PATH_IDX, cookies=CK).content.decode()
    path_tk = re.findall(r'/flag\.php\?token=.{16}', resp)[0]
    print(requests.get(URL + path_tk, cookies=CK).content.decode())

flag{56297ad00e70449a16700a77bf24b071}

Pwn

  • ptr at L10 is never initialized, so the free() at L32 may crash
  • The scanf() at L13 risks a buffer overflow and may corrupt the stack
  • The access through offset at L20 is unbounded: it may read or write out of bounds, or overwrite buffer's terminating 0
    • If that happens, the strlen() calls at L24/L27 may read out of bounds
  • L24 compares a signed value with an unsigned one; a negative input size wraps around
  • Double free at L29 and L32
    no_program.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[]) {
        int offset;
        size_t size;
        char buffer[64];
        char *ptr = NULL;

        printf("please input: ");
        scanf("%63s", buffer);
        printf("you input %lu characters\n", strlen(buffer));
        printf("your data: %s\n", buffer);

        printf("index: ");
        scanf("%d", &offset);
        getchar();
        if (offset < strlen(buffer))
            buffer[offset] = getchar();
        else
            puts("index too large");

        printf("size: ");
        scanf("%zu", &size);
        if (size >= strlen(buffer))
            printf("size too large");
        else {
            ptr = malloc(strlen(buffer));
            memcpy(ptr, buffer, size);
            free(ptr);
            ptr = NULL;
        }

        free(ptr);
        return 0;
    }

Reverse

What is the entry point address of the executable?

Check with nm: 1060 _start

Why can't the executable run? How can it be made to run normally?

It is a dynamically linked ELF whose loader (interpreter) has been changed to a nonexistent path (?). If that is the case, changing the loader back to ld should be enough.

$ sudo apt install patchelf

$ ldd rev_challenge
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000004001852000)
/no/such/interpreter => /lib64/ld-linux-x86-64.so.2 (0x0000004000000000)

$ patchelf --set-interpreter /lib64/ld-linux-x86-64.so.2 rev_challenge

$ ./rev_challenge
Where is the flag?

$ ldd rev_challenge
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000004001853000)
/lib64/ld-linux-x86-64.so.2 (0x0000004000000000)
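What nm and ldd report above comes from two fields of the ELF image: e_entry in the ELF header and the PT_INTERP program header. The following parser is an added example, not code from the original writeup; since rev_challenge itself is not included, it builds a constructed minimal ELF64 image (build_sample_elf, with a bogus interpreter path) to run against.

```python
import struct
import sys

PT_INTERP = 3  # program header type carrying the interpreter (loader) path


def elf64_entry_and_interp(data):
    """Return (e_entry, interpreter path or None) for a little-endian ELF64 image."""
    if data[:4] != b'\x7fELF':
        raise ValueError('not an ELF file')
    if data[4] != 2 or data[5] != 1:
        raise ValueError('only little-endian ELF64 is handled here')
    # ELF64 header offsets: e_entry @24, e_phoff @32, e_phentsize @54, e_phnum @56
    e_entry, e_phoff = struct.unpack_from('<QQ', data, 24)
    e_phentsize, e_phnum = struct.unpack_from('<HH', data, 54)
    interp = None
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            '<IIQQQQQQ', data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            # NUL-terminated path string; this is what ldd prints and patchelf rewrites
            interp = data[p_offset:p_offset + p_filesz].split(b'\0', 1)[0].decode()
            break
    return e_entry, interp


def build_sample_elf(entry, interp):
    """Constructed sample: ELF64 header, one PT_INTERP phdr, the interpreter string."""
    interp_bytes = interp.encode() + b'\0'
    phoff = 64                    # program headers follow the 64-byte ELF header
    interp_off = phoff + 56       # interpreter string follows the single 56-byte phdr
    ehdr = b'\x7fELF' + bytes([2, 1, 1, 0]) + b'\0' * 8   # ELF64, little-endian, SysV ABI
    # e_type=ET_DYN (PIE, hence a low entry such as 0x1060), e_machine=x86-64, e_version=1
    ehdr += struct.pack('<HHIQQQIHHHHHH', 3, 0x3e, 1, entry, phoff, 0, 0,
                        64, 56, 1, 64, 0, 0)
    phdr = struct.pack('<IIQQQQQQ', PT_INTERP, 4, interp_off, 0, 0,
                       len(interp_bytes), len(interp_bytes), 1)
    return ehdr + phdr + interp_bytes


if __name__ == '__main__':
    # usage: python3 elfinfo.py <binary>; without an argument, inspect the constructed sample
    image = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else \
        build_sample_elf(0x1060, '/no/such/interpreter')
    entry, interp = elf64_entry_and_interp(image)
    print('entry point: %#x' % entry)
    print('interpreter:', interp)
```

An interpreter path that does not exist on the system is exactly what makes the kernel refuse to start the binary with ENOENT, which is why ldd shows it before patchelf is applied.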

What is the secret hidden in the executable (the string of the form AAA{...})? How did you obtain it?

Analyzing rev_challenge in Ghidra shows that main() calls wh4t_the_h3ll_i5_th1s(), which in turn calls ooooooo()... Reading through this very long call chain shows that each function assigns one byte. Concatenating them gives AAA{hope_u_have_fun~}

Misc

Challenge 1

Drop the encoded string into CyberChef; the Magic operation yields it directly:
AAA{wELCOm3_7o_CTf_5umMeR_c0uR5E_2023}

Challenge 2

Again in CyberChef, load misc_challenge2.png and use View Bit Plane to get AAA{gr3@t_J08!_1et'5_
Viewing the file contents in CyberChef, the very end of the file holds P1@y_m1SC_TOG3Th3R}

AAA{gr3@t_J08!_1et'5_P1@y_m1SC_TOG3Th3R}

Crypto

Just follow the challenge description and the comments.

def add_round_key(s, k):
    """AddRoundKey: XOR the 4x4 state with the 4x4 round key, byte by byte."""
    result = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            result[i][j] = s[i][j] ^ k[i][j]
    return result


def sub_bytes(s, sbox):
    """SubBytes: replace every state byte with its S-box entry."""
    result = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            result[i][j] = sbox[s[i][j]]
    return result

AAA{AE5_aEs_a1s}


https://heap.45gfg9.net/t/ZJU/2023-CTF101/db1965c86279/
Author: 45gfg9
Published: 2023-05-29