GoogleCTF2023 Writeup

已于 2024-07-23 21:01:19 修改
阅读量783 收藏 22
点赞数 19
分类专栏: CTF 文章标签: python 开发语言
于 2024-07-23 20:59:14 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/zaq0123/article/details/140646071
版权

GoogleCTF2023 Writeup

Misc

  • NPC

Crypto

  • LEAST COMMON GENOMINATOR?

Web

  • UNDER-CONSTRUCTION

NPC

A friend handed me this map and told me that it will lead me to the flag.
It is confusing me and I don’t know how to read it, can you help me out?

Attachment

使用Graphviz工具将hint.dot转换为图片,得到下图

dot -Tjpg  hint.dot -o hint.jpg
hint.jpg

分析代码:

  • USACONST.TXT中随机选择N个单词生成密码,使用passphrase.encrypt(secret, password)对flag加密

  • 对于password中的每个字母,创建一个带有唯一ID的节点,并添加到图中

  • 按照password的顺序,对密码中相邻的两个字符创建一条边

  • 向图中随机添加int(len(password) ** 1.3)条边

  • 随机打乱图中节点和边的顺序

  • 随机交换一些节点的起点和终点,由于random() % 2只有在random函数返回值为0时才为False,我们假定图中每条边的起点和终点都被交换了一遍

  • 将节点和边的信息写入到hint.dot文件中

我是思路是:

  1. 遍历words_list中的单词,从每个节点出发,使用DFS判断是否可以在图中找到,这样过滤后得到30个单词,即密码一定由该30个单词中的某几个单词组成

  2. 枚举密码中所用的单词个数N

  3. 使用组合数从这30个单词选择N个单词

  4. 判断所选的N个单词组成的字符集和hint.dot中的字符集是否一致

  5. 对N个单词进行全排列,并尝试解密 (为了提高效率,这里还用到了多进程)

当N=5时,得到passwordstandardwatersigngivenchosenflag.

代码 
import concurrent.futures
import itertools
import re
from collections import Counter

from pyrage import passphrase

from encrypt import get_word_list


class Node:
    def __init__(self, letter):
        self.letter = letter
        self.adjacent = []

    def __str__(self) -> str:
        return f"{self.letter} -> {[x.letter for x in self.adjacent]}"

    __repr__ = __str__

def build_nodes():
    pattern = r"\s+(\d+)\s+\[label=(\w+)\];"
    pattern2 = r"\s+(\d+)\s+--\s+(\d+);$"
    nodes = dict()
    with open("hint.dot", "r") as f:
        for line in f:
            if "label" in line
                match = re.match(pattern, line)
                node_id = match.group(1)
                letter = match.group(2)
                nodes[node_id] = Node(letter)
            elif "--" in line:
                match = re.match(pattern2, line)
                start = match.group(1)
                end = match.group(2)
                # nodes[start].adjacent.append(nodes[end])
                nodes[end].adjacent.append(nodes[start])
    return nodes

visited = set()

def dfs(node, index, word):
    if index == len(word):
        return True

    if node.letter != word[index]:
        return False

    visited.add(node)

    for adj in node.adjacent:
        if adj not in visited:
            if dfs(adj, index + 1, word):
                return True

    visited.remove(node)
    return False

def check(password):
    with open("secret.age", "rb") as f:
        enc = f.read()
    try:
        print("[FLAG] is ", passphrase.decrypt(enc, password))
        print("Password is ", password)
    except Exception as e:
        pass


def filter_words(nodes):
    ans = set()
    for word in get_word_list():
        visited.clear()
        for node in nodes.values():
            if dfs(node, 0, word):
                ans.add(word)
                break

    print("ans:", len(ans), ans)
    return ans


def main():
    nodes = build_nodes()

    letters = sorted([node.letter for node in nodes.values()])

    ans = filter_words(nodes)
    for num in range(1, len(ans) + 1):
        print(f"Num is {num}")
        for comb in itertools.combinations(ans, num):  # 组合
            if sorted("".join(comb)) == letters:
                passwords = [
                    "".join(perm) for perm in itertools.permutations(comb, len(comb))
                ]

                with concurrent.futures.ProcessPoolExecutor(max_workers=8) as executor:
                    executor.map(check, passwords)


if __name__ == "__main__":
    main()

flag: CTF{S3vEn_bR1dg35_0f_K0eN1g5BeRg}

参考:

LEAST COMMON GENOMINATOR?

Someone used this program to send me an encrypted message but I can’t read it! It uses something called an LCG, do you know what it is? I dumped the first six consecutive values generated from it but what do I do with it?!

Attachment

generate.py 
from secret import config
from Crypto.PublicKey import RSA
from Crypto.Util.number import bytes_to_long, isPrime

class LCG:
    lcg_m = config.m
    lcg_c = config.c
    lcg_n = config.n

    def __init__(self, lcg_s):
        self.state = lcg_s

    def next(self):
        self.state = (self.state * self.lcg_m + self.lcg_c) % self.lcg_n
        return self.state

if __name__ == '__main__':

    assert 4096 % config.it == 0
    assert config.it == 8
    assert 4096 % config.bits == 0
    assert config.bits == 512

    # Find prime value of specified bits a specified amount of times
    seed = 211286818345627549183608678726370412218029639873054513839005340650674982169404937862395980568550063504804783328450267566224937880641772833325018028629959635
    lcg = LCG(seed)
    primes_arr = []

    dump = True
    items = 0
    dump_file = open("dump.txt", "w")

    primes_n = 1
    while True:
        for i in range(config.it):
            while True:
                prime_candidate = lcg.next()
                if dump:
                    dump_file.write(str(prime_candidate) + '\n')
                    items += 1
                    if items == 6:
                        dump = False
                        dump_file.close()
                if not isPrime(prime_candidate):
                    continue
                elif prime_candidate.bit_length() != config.bits:
                    continue
                else:
                    primes_n *= prime_candidate
                    primes_arr.append(prime_candidate)
                    break

        # Check bit length
        if primes_n.bit_length() > 4096:
            print("bit length", primes_n.bit_length())
            primes_arr.clear()
            primes_n = 1
            continue
        else:
            break

    # Create public key 'n'
    n = 1
    for j in primes_arr:
        n *= j
    print("[+] Public Key: ", n)
    print("[+] size: ", n.bit_length(), "bits")

    # Calculate totient 'Phi(n)'
    phi = 1
    for k in primes_arr:
        phi *= (k - 1)

    # Calculate private key 'd'
    d = pow(config.e, -1, phi)

    # Generate Flag
    assert config.flag.startswith(b"CTF{")
    assert config.flag.endswith(b"}")
    enc_flag = bytes_to_long(config.flag)
    assert enc_flag < n

    # Encrypt Flag
    _enc = pow(enc_flag, config.e, n)

    with open ("flag.txt", "wb") as flag_file:
        flag_file.write(_enc.to_bytes(n.bit_length(), "little"))

    # Export RSA Key
    rsa = RSA.construct((n, config.e))
    with open ("public.pem", "w") as pub_file:
        pub_file.write(rsa.exportKey().decode())

分析可知:

  • flag是使用RSA加密的,已知公🔑 文件,即n,e

  • 使用LCG线性同余生成器生成素数

  • 已知LCG的种子和前6个连续生成的数字

  • config.it = 8

  • config.bits = 256

LCG是伪随机数生成器和流密码的一种,递推公式是 𝑋𝑛+1=(𝑎𝑋𝑛+𝑐) 𝑚𝑜𝑑 𝑚

已知初值和随后LCG连续生成的6个值,未知增量、乘数和模数.

我们可以通过攻击得到这三个值,然后模拟原算法通过LCG得到8个素数后,进一步计算n的欧拉函数并求逆元得到d,解密即可.

题解: 
import math
from functools import reduce

import gmpy2

from Crypto.PublicKey import RSA
from Crypto.Util.number import bytes_to_long, isPrime, long_to_bytes

dump_file = open("dump.txt")
output_values = [int(x) for x in dump_file.readlines()]  # 已知的 LCG 输出值

def crack_unknown_increment(states, modulus, multiplier):
    """
    已知:a,m,s0,s1
    求c
    """
    increment = (states[1] - states[0] * multiplier) % modulus
    return modulus, multiplier, increment

def crack_unknown_multiplier(states, modulus):
    """
    已知:m,s0,s1,s2
    求a
    """
    multiplier = (
        (states[2] - states[1]) * gmpy2.invert(states[1] - states[0], modulus) % modulus
    )  # 注意这里求逆元
    return crack_unknown_increment(states, modulus, multiplier)

def crack_unknown_modulus(states):
    """
    已知:s0-s6
    求a,c,m
    """
    diffs = [s1 - s0 for s0, s1 in zip(states, states[1:])]
    zeroes = [t2 * t0 - t1 * t1 for t0, t1, t2 in zip(diffs, diffs[1:], diffs[2:])]
    modulus = abs(reduce(math.gcd, zeroes))
    return crack_unknown_multiplier(states, modulus)

class LCG:
    def __init__(self, lcg_m, lcg_c, lcg_n, lcg_s):
        self.state = lcg_s
        self.lcg_m = lcg_m
        self.lcg_c = lcg_c
        self.lcg_n = lcg_n

    def next(self):
        self.state = (self.state * self.lcg_m + self.lcg_c) % self.lcg_n
        return self.state


m, a, c = crack_unknown_modulus(output_values)
seed = 211286818345627549183608678726370412218029639873054513839005340650674982169404937862395980568550063504804783328450267566224937880641772833325018028629959635
lcg = LCG(a, c, m, seed)
print(a, c, m)
primes_n = 1
primes_arr = []
for i in range(8):
    while True:
        prime_candidate = lcg.next()
        if not isPrime(prime_candidate):
            continue
        elif prime_candidate.bit_length() != 512:
            continue
        else:
            primes_n *= prime_candidate
            primes_arr.append(prime_candidate)
            break

print(list(primes_arr))

phi = 1
for k in primes_arr:
    phi *= k - 1

key = RSA.importKey(open("public.pem", "r").read())
n = key.n
e = key.e
d = gmpy2.invert(e, phi)

enc = open("flag.txt", "rb").read()

flag = pow(int.from_bytes(enc, "little"), d, n)
print(long_to_bytes(flag))

flag: CTF{C0nGr@tz_RiV35t_5h4MiR_nD_Ad13MaN_W0ulD_b_h@pPy}

参考:

UNDER-CONSTRUCTION

We were building a web app but the new CEO wants it remade in php.

Attachment
https://under-construction-web.2023.ctfcompetition.com
https://under-construction-php-web.2023.ctfcompetition.com

题目提供了Flask和PHP两个站点,用户可以在Flask站点进行注册,注册的账号可以同时用于登录Flask和PHP两个站点.

分析代码:

Flask会将HTTP请求原始查询参数转发到PHP应用程序中完成用户注册.

# File: /flask/authorized_routes.py
@authorized.route('/signup', methods=['POST'])
def signup_post():
    raw_request = request.get_data()
    ...
    requests.post(f"http://{PHP_HOST}:1337/account_migrator.php", 
        headers={"token": TOKEN, "content-type": request.headers.get("content-type")}, data=raw_request)
    return redirect(url_for('authorized.login'))

只有gold级别的用户,在PHP站点登录后才可以看到FLAG

# File: /php/index.php
function getResponse()
{
    ...
    $response = "Login successful. Welcome " . htmlspecialchars($username) . ".";

    if ($tier === "gold") {
        $response .= " " . getenv("FLAG");
    }

    return $response;
}

Flask会对查询参数进行校验,防止创建高权限的用户.

# File: /flask/authorized_routes.py
@authorized.route('/signup', methods=['POST'])
def signup_post():
    ...
    tier = models.Tier(request.form.get('tier'))
    if(tier == models.Tier.GOLD):
        flash('GOLD tier only allowed for the CEO')
        return redirect(url_for('authorized.signup'))
    ...

HTTP查询参数中存在重复的key时,在Flask和PHP有不同的行为,flask会取第一个值,而PHP会取最后一个值.

因此我们可以构造如下命令,以此绕过Flask对查询参数的校验,并在PHP中注册高权限用户.

curl

curl -X POST https://under-construction-web.2023.ctfcompetition.com/signup -d "username=admin&password=admin&tier=blue&tier=gold"

然后用上述的用户名和密码去PHP站点登录即可.

flag: CTF{ff79e2741f21abd77dc48f17bab64c3d}

温柔小猪
关注
专栏目录
OSCP 2023 challenge Writeup-Medtech
fuckskyboy的博客
08-26 8795
OSCP lab writeup
NBCTF2023逆向方向 Writeup(部分)
Okuu__的博客
12-04 2359
nbctf的难度对像我这样入坑逆向没多久的初学者来说绝对不算简单 但是同时又能学到不少新东西email: okuusuku@gmail.com给了一个python程序和它的输出: 求出flag每一位对应的(需要注意的是和的排列顺序类似) 再稍微改一下原程序爆破出flag: Shifty Sands | 进阶的迷宫题 用DIE打开附件 64位ELF无壳 IDA64打开 主函数结构非常简单 胜利的判断是走到 失败的判定是走到 唯一需要费点时间看的是加了点混淆(永真判断)的函数: 既然是会动的迷宫
Byte Bandits CTF 2023 Write Up
02-14 248
Byte Bandits CTF 2023 Crypto&Misc&Forensics Write Up
2023第五届 Real World CTF 体验赛 Writeup(web)
一只爱吃橙子的羊
01-12 2798
2023第五届 Real World CTF 体验赛 Writeup(web)
2023 Real World CTF体验赛部分Writeup
Keepb1ue的博客
01-09 3093
2023 Real World CTF体验赛部分Writeup
HDCTF2023 Writeup
S4n_v1的博客
04-23 3113
HDCTF2023 wp,pwn 全部,web 2/6,crypto 4/5,reverse 6/7,misc 3/5 题解。
2023 强网杯 Writeup
最新发布
01-29
2023 强网杯 Writeup 是一篇关于 Capture The Flag(CTF)的 writeup,内容涵盖了多个挑战题目,涉及到 Python、 Cryptography、Reverse Engineering、Web 等多个领域。下面是对每个挑战题目的详细分析和知识点总结...
D3CTF2022-官方WriteUp1
08-03
"D3CTF2022-官方WriteUp1" 本文将对 D3CTF 2022 官方 WriteUp1 进行总结,主要涉及 MySQL UDF 提权、Java 反序列化、MySQLInject、Web 短链技术等多方面的知识点。 1. MySQL UDF 提权 在 MySQL 中,可以使用 User...
智能网联汽车 天融信杯 信息安全攻防赛 2023 CTF真题
07-14
智能网联汽车 天融信杯 信息安全攻防赛 2023 CTF真题
网鼎杯writeup-护网先锋1
08-04
【网鼎杯writeup-护网先锋1】的知识点总结: 在网络安全竞赛“网鼎杯”中,参赛者需要解决一系列挑战,这些挑战涉及到多种安全技术,如代码泄露、漏洞利用、加壳破解、文件格式分析等。以下是各部分的具体知识点: ...
【CTF WriteUp】2023数字中国创新大赛网络数据安全赛道决赛WP(2)
cccchhhh6819的博客
04-27 2973
菜的要死,各种不会,答案也不全,凑合吧。
SharkCTF2023 web WriteUp(第二周)
qq_45491553的博客
08-18 338
查看题目,提示需要admin进入查看网页源代码,获取密码返回登陆,进入后发现url中有MD5字样,猜测此题与MD5有关,再次查看网页源代码关键信息就在--你给我hint我给你hint-->>我们不妨猜测此页面可以传入一个hint参数,给他一个hint得到hint,分析php代码,这里需要传入对应参数使得if中的代码执行就能够得到flag这里为MD5强比较,可以传入a,b两个数组进行绕过preg_match()函数中第一个参数为正则表达式,第二个参数为要进行匹配的字符串。
PolarCTF 2023冬季个人挑战赛 WriteUp (pwn部分)
m0_62652276的博客
01-05 1915
在本次PolarCTF 2023冬季个人挑战赛中,pwn部分题目题量较大,对栈溢出及堆溢出相关知识均有所考查。但同时,有相当一部分题目侧重于对基础知识,经典题型的考查,对于CTF入门学习者来说相对友好。本题主要考查pwn堆溢出fastbin attack相关知识使用checksec工具分析,开启了canary和NX保护运行程序有三个选项,分别进行测试设定note大小并新建一个note显示已新建的note删除创建的note可以发现main函数中有一个def()函数查看函数,该函数对应一开始出现的"Hi! Wh
PolarCTF 2023冬季个人挑战赛 WriteUp (web部分)
m0_62652276的博客
12-14 499
PolarCTF 2023冬季个人挑战赛 web部分赛题 WriteUp
LitCTF 2023 WriteUp(部分)
红叶的博客
05-17 3269
迄今为止做出来题目最多的比赛,不过嘛新生赛,加油。
2023NKCTF Writeup——W4ntY0u.
weixin_52365980的博客
03-27 4361
NKCTF2023是由N0wayBack战队举办。本次比赛采用线上网络安全技能大赛实践赛的形式,覆盖Web、Reverse、Pwn、Misc、Crypto、SocialEngineering等主流赛题方向,面向国内所有个体及团队 除了梦想外我们一无所有,将会和蔑视与困境做最后的斗争,这是最后一舞
2023LaCTFWriteup
Amherstieae的博客
02-15 718
2023LaCTFWriteup
[ISCTF 2023]——Web、Misc较全详细Writeup、Re、Crypto部分Writeup
Leaf_initial的博客
12-04 4121
由于懒我直接把上交的wp稍加修改拉上来了,凑活看。
2023FSCTF--writrup -- by Crypto0
qq_69956003的博客
10-24 860
FSCTF2023
oscp 2023 challenge writeup-medtech-csdn博客
10-29
OSCP 2023 Challenge Writeup-MedTech-CSDN博客是一个关于OSCP挑战赛的技术解析博客。在这篇博客中,作者详细讲解了一个名为MedTech的挑战项目,并提供了解决该挑战所需的步骤和工具。 这篇博客的开头介绍了OSCP...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值