CCTF writeup (part)

Source: Internet
Author: User

Last week we took part in the CCTF. It was our first formal competition after a period of practice, we played the whole event through, and we finished 11th, which we are happy with for a first time. Not many strong teams entered, though, and the gap between our team and the others is still large; after all we have been at this for less than half a year and there is a great deal still to learn. We will take it step by step and aim to be ready for an onsite competition next year.
First, the writeup by the experts at 360: http://bobao.360.cn/ctf/detail/159.html
Below is our own writeup.

WEB 350

We were given a static page; scanning it turned up nothing.

Then a hint was given saying to look for a blog. OK, we frantically searched for the administrators' blogs and finally found Pocky Nya on GitHub, and from there the URL of the target repository.

So we downloaded the source code as well. After a quick read: most places have authentication, there are only two places that take parameters, and neither allowed XSS. Then by chance we noticed that the POST handler for '/kamisama/posts/add' in background.py has no authentication, as follows:

    class AddPostHandler(BaseHandler):
        @tornado.web.authenticated
        def get(self):
            self.background_render('add_post.html', post=None)

        # No @tornado.web.authenticated here: anyone can POST a new article.
        def post(self):
            title = self.get_argument('title', None)
            content = self.get_argument('content', None)
            tags = self.get_argument('tags', '').strip().split(',')
            if not title or not content:
                return self.redirect('/kamisama/posts/add')
            post = self.orm.query(Post.title).filter(Post.title == title).all()
            if post:
                return self.write('<script>alert("Title has already existed");window.history.go(-1);</script>')
            self.orm.add(Post(title=title, content=content, created_time=date.today()))
            self.orm.commit()
            return self.redirect('/kamisama/posts')

So we could forge the request that adds an article and plant a stored XSS there to get the administrator's cookie.

Because it would be bad if the administrator never opened the post content, I put the XSS in the title. A bit ugly, but this way we were certain to get the administrator's cookie. Soon someone logged in, but the first hit was not the administrator, it was another player logging in, so although we got a cookie it contained no flag. After spending a long time rereading all the code we found that SignInHandler in background.py really does put the flag in the cookie. So I submitted the payload above again, and this time obtained the correct cookie:

username=2|1:0|10:1461405568|8:username|12:cG9ja3lueWE=|2821528813698c6ee9c1650c8420cfb4da968ec97ae080e65c07542f0d249df0;flag=434354467b434f44455f41554449545f425553544552537d

Converting the hex to ASCII gives the flag: CCTF{CODE_AUDIT_BUSTERS}
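The two cookies above, as an added example that is not part of the original writeup: the username cookie is a Tornado version-2 signed cookie (a base64 username protected by an HMAC keyed with the server's cookie_secret), whereas the flag cookie carries no signature at all and is just the flag hex-encoded. sign_v2 and verify_signed_v2 assume Tornado's version-2 layout; the secret used for the round trip is hypothetical.

```python
import base64
import hashlib
import hmac

# Cookie header captured in the writeup above (from the page, not constructed).
CAPTURED = ("username=2|1:0|10:1461405568|8:username|12:cG9ja3lueWE=|"
            "2821528813698c6ee9c1650c8420cfb4da968ec97ae080e65c07542f0d249df0;"
            "flag=434354467b434f44455f41554449545f425553544552537d")

def parse_cookie_header(raw):
    """Split 'a=b;c=d' into a dict; values contain '|' and '=' so split on the first '=' only."""
    pairs = (part.strip().partition("=") for part in raw.split(";"))
    return {name: value for name, _, value in pairs}

def parse_signed_v2(cookie):
    """Decode a Tornado version-2 signed cookie: 2|len:keyver|len:ts|len:name|len:b64value|sig."""
    version, rest = cookie.split("|", 1)
    if version != "2":
        raise ValueError("not a version-2 signed cookie")
    fields = []
    for _ in range(4):                      # four length-prefixed fields, each followed by '|'
        length, _, rest = rest.partition(":")
        n = int(length)
        fields.append(rest[:n])
        rest = rest[n + 1:]
    key_version, timestamp, name, b64 = fields
    return {"key_version": int(key_version), "timestamp": int(timestamp), "name": name,
            "value": base64.b64decode(b64).decode(), "signature": rest}

def _field(s):
    s = str(s)
    return f"{len(s)}:{s}"

def sign_v2(secret, name, value, timestamp, key_version=0):
    """Build a v2 cookie in the assumed Tornado layout: HMAC-SHA256 over the prefix incl. its trailing '|'."""
    b64 = base64.b64encode(value.encode()).decode()
    to_sign = "|".join(["2", _field(key_version), _field(timestamp), _field(name), _field(b64), ""])
    sig = hmac.new(secret.encode(), to_sign.encode(), hashlib.sha256).hexdigest()
    return to_sign + sig

def verify_signed_v2(cookie, secret):
    """Recompute the signature; without the app's cookie_secret a forged username cookie fails here."""
    prefix, _, sig = cookie.rpartition("|")
    expected = hmac.new(secret.encode(), (prefix + "|").encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def decode_flag(hex_value):
    """The flag cookie is unsigned: decoding the hex is all that is needed."""
    return bytes.fromhex(hex_value).decode()
```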

WEB 300

After logging in with the previously obtained cookie we could access the directory pocky.loli.club:41293/diaries and see a new hint: a bot had been placed on Telegram, and the Lua code of the bot was given. We then went to Telegram and social-engineered Pockynya's account.

The Lua code given on the blog is as follows:

    do
      local function run(msg, matches)
        if matches[1] ~= '!minecraft' then
          operation = matches[1]
        else
          return "!minecraft start|stop|restart"
        end
        if string.find(operation, '&') or string.find(operation, '|') or string.find(operation, ' ') then
          return "Invalid operation" .. operation
        end
        local t = io.popen('cd /home/telegram && /mc ' .. operation)
        local a = t:read("*all")
        return a
      end
      return {
        description = "loli.club Minecraft bot!",
        usage = "!minecraft start|stop|restart",
        patterns = {"^!minecraft$", "^!minecraft (.*)$"},
        run = run
      }
    end

The filter only rejects &, | and space, so we can use ; to terminate the previous command and then execute our own, as follows:

!minecraft ;xxx

Our command line goes in place of xxx; the flag is in ../wwwroot/flag.

So flag is CCTF{TELEGRAM_BOT_AND_Lf} .

MISC 1

We were given a picture; its last 32 bits contain a conspicuously regular run of letters, as follows

Base64 decoding it gives the flag: ctf{we1c0me t0 anmactf!}

MISC 2

Here, at No. 5560, we find something like this:
type s4cr4t.txt
So the next thing we need is the contents of that file, which is Base64 encoded; decoding gives CCTF{do_you_like_sniffer}. According to its format we also need a vulnerability number beginning with MS, so we casually googled "MS SMB 漏洞 溢出" (MS SMB vulnerability overflow) and after trying a few candidates found it. The final, definitive vulnerability number is MS08067, so the final answer is MS08067CCTF{do_you_like_sniffer}

Re1:

After decompiling with IDA we found that the program requires three parameters and randomly picks one of them to test; note that the Md5_custom function is useless.

Trace through the check function.

Fetched from memory: found the string F2332291a6e1e6154f3cf4ad8b7504d8

Tried submitting it: success.
FLAG:CCTF{F2332291A6E1E6154F3CF4AD8B7504D8}

Re2:

A .NET program; decompiling it with Reflector gives the code.

We found that it communicates over a local port, so first turn off the firewall, then capture the local loopback traffic with RAWPCAP.

Got the flag: cctf{7eb67b0bb4427e0b43b40b6042670b55}

Re3:

A simple disassembly shows that it is a comparison of two strings.

We tried submitting the string above and it was correct.
flag: cctf{789101112131415123456}

True-or-false

Two Linux programs. Disassembling them in IDA shows that both call system twice at the start; from the ASCII code we learn that false overwrites itself with true, and true deletes itself.
Then in false we found the Print_f function; disassembly plus a Caesar cipher (a shift of 13) gives the flag:
Ppgs{yvahk-enva-ova}
→
Cctf{linux-rain-bin}

Difffffffffffuse

The decompiled C code was examined in IDA.
There are 3,000 functions in total, in periods of 3 functions. In some periods the second function extracts the data directly, and the third function's shift differs slightly. We extracted the assembly into a TXT file, then used Python to read that file and generate a C program that simulates it, i.e. the second function of each of the 3*1000 groups was stripped out into a SECOND.C file.

The program finally compares the 40 bytes produced by these 3,000 functions with 40 existing bytes, so we grabbed those 40 bytes in IDA:

    0x83 0xec 0x5f 0xa2 0x93 0xce 0xa3 0xfb 0x5a 0x17
    0x06 0xff 0x13 0x2d 0xd7 0xc4 0xbe 0xce 0x8d 0x6a
    0xb8 0x15 0x26 0xfc 0x84 0x01 0x94 0x44 0xf8 0xd7
    0x23 0x1c 0x4b 0xc2 0x31 0x04 0xa6 0x33 0x08 0x57

Each character is encrypted independently, which means we can brute-force each character separately and check whether its encrypted value matches the target byte; a simple brute force finally gives the flag:
Cctf{1f_y0u_w4nna_r3ven93_____purpleroc}
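The per-position brute force described above, as an added example that is not from the original writeup: the bodies of the 3,000 functions are not reproduced on the page, so apply_stage is a constructed stand-in (a bijective xor/add/rotate per byte) and the stage count is reduced so the demo runs in seconds, but the search is exactly the one the writeup describes: because positions never interact, 256 trials per position recover the 40 bytes.

```python
import hashlib

FLAG = b"Cctf{1f_y0u_w4nna_r3ven93_____purpleroc}"   # the 40-byte flag from the page
N_STAGES = 300   # the binary has 3,000 per-byte functions; fewer here to keep the demo fast

# Constructed per-stage constants, standing in for the immediates inside the real functions.
STAGE_KEYS = [hashlib.sha256(b"demo-stage-%d" % i).digest()[0] for i in range(N_STAGES)]

def apply_stage(i, pos, b):
    """Hypothetical stand-in for the i-th function acting on byte position pos: xor, add, rotate.
    Every step is a bijection on one byte, so each output byte has exactly one preimage."""
    b = ((b ^ STAGE_KEYS[i] ^ pos) + (i & 0xFF)) & 0xFF
    r = i % 7
    return ((b << r) | (b >> (8 - r))) & 0xFF if r else b

def encrypt_byte(pos, b):
    for i in range(N_STAGES):
        b = apply_stage(i, pos, b)
    return b

def encrypt(data):
    """What the binary does: every position runs the whole chain without touching its neighbours."""
    return bytes(encrypt_byte(pos, b) for pos, b in enumerate(data))

def recover(target):
    """Because positions are independent, invert one position at a time:
    256 * len(target) trial encryptions instead of 256 ** len(target)."""
    out = bytearray()
    for pos, want in enumerate(target):
        for guess in range(256):
            if encrypt_byte(pos, guess) == want:
                out.append(guess)
                break
        else:
            raise ValueError(f"no byte maps to {want:#04x} at position {pos}")
    return bytes(out)
```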

Mystery file 1

We get forensic.7z; decompressing it gives two files, Level1 and mem.vmem. Looking at the start of each file and searching Baidu shows that Level1 is a disk image and mem is a memory image.
I happened to have an empty hard disk, so I formatted it and wrote Level1 to it with Bootice.

We found that the disk was encrypted with BitLocker. Because a password can be forgotten, BitLocker provides a recovery password mechanism, and the recovery password is 48 pure digits.

Considering that the password might be recoverable from memory, we opened mem in WinHex. Searching for BitLocker found nothing; then we remembered the recovery password ID hint F2298561 and found the related content after searching for that.

We found that in-memory data is often stored with a 00 between characters, so we searched for F2298561 in hex with a 00 after every character, and finally found a 48-digit password:

046409-191059-605495-680889-626109-111617-371668-451517

Unlock successful! Flag: cctf{u_m4st_g00d_4t_f0nr4n51c}
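The "00-separated" search above is a search for UTF-16LE text. As an added example that is not part of the original writeup, the block below scans a constructed stand-in for mem.vmem (the real dump is not on the page) for the recovery key ID and for 48-digit recovery-password-shaped strings, and filters false positives with BitLocker's block rule: each 6-digit group is a 16-bit value times 11, so it must be divisible by 11 and no larger than 65535 * 11. The password and ID are the ones from the page; the decoy is constructed.

```python
import re

RECOVERY_ID = "F2298561"                                              # from the page
PASSWORD = "046409-191059-605495-680889-626109-111617-371668-451517"  # from the page
DECOY = "123456-654321-111111-222222-333333-444444-555555-666666"     # constructed, 123456 % 11 != 0

# Constructed stand-in for mem.vmem: filler bytes around key material stored as UTF-16LE,
# which is why every character appeared to be "separated by 00" in WinHex.
SAMPLE_DUMP = (b"\x00" * 64 + b"BitLocker" + bytes(range(256))
               + ("Recovery key identification: " + RECOVERY_ID).encode("utf-16-le")
               + b"\x00" * 16 + PASSWORD.encode("utf-16-le")
               + b"\x00" * 16 + DECOY.encode("utf-16-le") + b"\x00" * 32)

# 8 groups of 6 digits joined by '-', with each UTF-16LE code unit being the character plus \x00.
UTF16_PASSWORD = re.compile(rb"(?:(?:[0-9]\x00){6}-\x00){7}(?:[0-9]\x00){6}")

def is_valid_recovery_password(pw):
    """BitLocker block rule: every 6-digit group is a 16-bit value multiplied by 11."""
    blocks = pw.split("-")
    return len(blocks) == 8 and all(
        b.isdigit() and len(b) == 6 and int(b) % 11 == 0 and int(b) <= 65535 * 11
        for b in blocks)

def find_utf16(dump, needle):
    """Offsets where an ASCII needle occurs UTF-16LE encoded (the '00 after every character' search)."""
    return [m.start() for m in re.finditer(re.escape(needle.encode("utf-16-le")), dump)]

def find_recovery_passwords(dump):
    """UTF-16LE strings shaped like a recovery password that also pass the block check."""
    found = (m.group().decode("utf-16-le") for m in UTF16_PASSWORD.finditer(dump))
    return [pw for pw in found if is_valid_recovery_password(pw)]
```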

Best_ez_misc

We get a compressed archive named Reverze.zip; a look in WinHex immediately suggests ZIP pseudo-encryption.

After changing the 5th byte after PK 01 02 to 00 it could be decompressed, giving reverse.

Opening it, we found it was Morse code; decoding gives a string of 0 and 9 characters. The program produced 2048 characters in total, and since the title suggests the result is a picture, we tried rendering the differing pixels and finally got the result.

Although not very clear, upside down it is easy to read the flag: ctf{pixelnice}
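The pseudo-encryption fix above, done programmatically as an added example that is not part of the original writeup: the "5th byte after PK 01 02" is the low byte of the general-purpose flag word in each central-directory header, and bit 0 of it means "encrypted". The block builds a constructed sample archive with that bit set, shows that the stdlib zipfile refuses it, detects the central/local header mismatch that marks pseudo-encryption, and clears the bit in both header types.

```python
import io
import struct
import zipfile

LOCAL_SIG, CDIR_SIG = b"PK\x03\x04", b"PK\x01\x02"
# Offset of the 2-byte general-purpose flag from each signature: local = sig(4)+version(2);
# central = sig(4)+made_by(2)+needed(2), i.e. the "5th byte after PK 01 02" in the writeup.
FLAG_OFFSET = {LOCAL_SIG: 6, CDIR_SIG: 8}
ENCRYPTED_BIT = 0x0001

def _flag_offsets(data, sig):
    """Offsets of the flag word in every header starting with sig."""
    pos = data.find(sig)
    while pos != -1:
        yield pos + FLAG_OFFSET[sig]
        pos = data.find(sig, pos + 4)

def _set_encrypted_bit(data, sig, on):
    buf = bytearray(data)
    for off in list(_flag_offsets(buf, sig)):
        flags = struct.unpack_from("<H", buf, off)[0]
        flags = flags | ENCRYPTED_BIT if on else flags & ~ENCRYPTED_BIT
        struct.pack_into("<H", buf, off, flags)
    return bytes(buf)

def make_pseudo_encrypted_zip():
    """Constructed sample: a plain stored zip whose central-directory entries are flagged encrypted."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("reverse", "constructed sample payload")
    return _set_encrypted_bit(raw.getvalue(), CDIR_SIG, True)

def is_pseudo_encrypted(data):
    """Central directory claims encryption but local headers do not: no cipher was ever applied."""
    central = any(struct.unpack_from("<H", data, o)[0] & ENCRYPTED_BIT for o in _flag_offsets(data, CDIR_SIG))
    local = any(struct.unpack_from("<H", data, o)[0] & ENCRYPTED_BIT for o in _flag_offsets(data, LOCAL_SIG))
    return central and not local

def unlock(data):
    """Clear the bit in both header types; member data and CRCs are untouched."""
    return _set_encrypted_bit(_set_encrypted_bit(data, CDIR_SIG, False), LOCAL_SIG, False)

def read_member(data, name):
    """Member bytes, or None when zipfile refuses because the entry is flagged encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name)
    except RuntimeError:
        return None
```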

Misc100t2

Very simple traffic analysis: after opening the capture, searching for CTF directly gives the result.

Flag is Ctf{anma_qwe3_as34_gty6}
