2023-2024 Pointer Overflow CTF WP

一个很有意思的比赛，最近闲着没事就来玩玩！只做了一部分，哎！后面有时间再做吧！
比赛时间：September 17th, 2023 to January 21st, 2024

目前排名

 
Crypto

Unquestioned and Unrestrained

题目

First crypto challenge so we have to keep it easy. Here's the flag, but it's encoded. All you have to do is figure out which method was used. Luckily, it's a common one.
cG9jdGZ7dXdzcF80MTFfeTB1Ml84NDUzXzQyM184MzEwbjlfNzBfdTV9

我的解答：
签到题，密文直接base64解码
poctf{uwsp_411_y0u2_8453_423_8310n9_70_u5}
A Pale, Violet Light

题目

1. e= 5039
3. N = 34034827
5. C = 933969 15848125 24252056 5387227 5511551 10881790 3267174 14500698 28242580 933969 32093017 18035208 2594090 2594090 9122397 21290815 15930721 4502231 5173234 21290815 23241728 2594090 21290815 18035208 10891227 15930721 202434 202434 21290815 5511551 202434 4502231 5173234 25243036

复制代码

我的解答：
考点：c列表循环，广播攻击
先分解N得到

1. p=5807
2. q=5861

复制代码

exp:

1. #coding:utf-8from Crypto.Util.number import *import gmpy2n = 34034827p=5807
2. q=5861e = 5039message = "933969 15848125 24252056 5387227 5511551 10881790 3267174 14500698 28242580 933969 32093017 18035208 2594090 2594090 9122397 21290815 15930721 4502231 5173234 21290815 23241728 2594090 21290815 18035208 10891227 15930721 202434 202434 21290815 5511551 202434 4502231 5173234 25243036"phi = (p - 1) * (q - 1)d = gmpy2.invert(e, phi)flag = ''for i in message.split(" "):    m = gmpy2.powmod(int(i), d, n)    flag += str(long_to_bytes(m))[2:3]print(flag)#poctf{uwsp_533k 4nd y3 5h411 f1nd}

复制代码

记得结果补全：_
poctf{uwsp_533k_4nd_y3_5h411_f1nd}
Missing and Missed

题目

1. A little cerebral fornication to round out the crypto challenges.
3. ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++++++++++++.-.------------.+++++++++++++++++.--------------.+++++++++++++++++++++.------.++.----.---.-----------------.<<++++++++++++++++++++.-.++++++++.>>+++++++++.<<--.>>---------.++++++++++++++++++++++++.<<-----.--.>>---------.<<+++++++++.>>---------------.<<---------.++.>>.+++++++.<<--.++.+++++++.---------.+++++++..----.>>++++++++.+++++++++++++++.

复制代码

我的解答：
考点：BrainFuck
poctf{uwsp_219h7_w20n9_02_f0290773n}
MISC

Here You See A Passer By

题目

Simple task - solve the maze and find the flag. The password is poctf2023
题目给了一个加密的pdf

我的解答：
使用提示密码打开得到：

大眼一看需要走迷宫，我们根据关键字走迷宫即可，如下：

得到
poctf{uwsp_pr377y_bu7_p377y_bu7_pr377y}
Forensics

If You Don't, Remember Me

题目

Here is a PDF file that seems to have some problems. I'm not sure what it used to be, but that's not important. I know it contains the flag, but I'm sure you can find it and drag it out of the file somehow. This is a two-step flag as you will find it partially encoded.
给了一个pdf

我的解答：
010打开文件，在末尾直接看到结果

hex解码得到
poctf{uwsp_w31c0m3_70_7h3_94m3}
A Petty Wage in Regret

题目

Here is a very interesting image. The flag has been broken up into several parts and embedded within it, so it will take a variety of skills to assemble it. 

我的解答：
010打开图片，文件头发现一串16进制

解码得到flag前一段
poctf{uwsp_7h3_w0rld_h4d
试了好多隐写发现图片并没有。后来无意间把图片放大发现有锐化部分，找出来（这个17前面的下划线真的狗！一开始没找出来，太不显眼了！，后来提交不对猜测有这个下划线。。）

最终flag为：poctf{uwsp_7h3_w0rld_h4d_17_f1257}
Better to Burn in the Light

题目

This is an image of a disk that once contained several files. They were deleted prior to imaging, unfortunately. To find the flag, we're going to need to bring some of them back from the dead. The flag is actually broken up between two of them. Carve the files out of the image and restore any missing file headers to find the pieces to reassemble.

我的解答：
压缩包解压后一堆阿巴阿巴！！
这题真的很艹！搞了半天啥也没搞到，后来发现这个压缩包可以修复，而且修复出来会有多出的文件。。
找到了可疑的m.jpg，010打开发现有两个jpg文件头。。

看着第一个文件头内容很短，删掉第一部分的，然后保存得到flag第一段。


有点糊！但没关系。。
下一步找第二段，分析下其他文件吧！毕竟给的很多不可能都没有用。
经过010挨个查找发现文档d实际为一张没有文件头的jpg文件，补全即可。


最终flag为：poctf{uwsp_5h1v3r_m3_71mb3r5}
Crack

The Gentle Rocking of the Sun

题目

Here's a password protected archive. Problem is that I seem to have forgotten das Passwort. All I have is this post-it note on my monitor that says "crack2 = 4bd939ed2e01ed1e8540ed137763d73cd8590323"

我的解答：
根据题目描述4bd939ed2e01ed1e8540ed137763d73cd8590323，直接cmd5得到
zwischen
解压打开后发现文件夹套娃，每个文件夹名字对应就是flag的每个字符，找全即可
poctf{uwsp_c411f02n14_d234m1n9}
RE

Easy as it Gets

题目

It doesn't get much easier than this when it comes to reverse engineering. Here we have a "secure" PowerShell script. All you need to do is figure out the super secret passphrase to decrypt the flag. 

查看代码

1.  [Reflection.Assembly]::LoadWithPartialName("System.Security")  
3. function Encrypt-String($String, $Passphrase, $salt="SaltCrypto", $init="IV_Password", [switch]$arrayOutput)  
4. {  
5.     $r = new-Object System.Security.Cryptography.RijndaelManaged  
6.     $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)  
7.     $salt = [Text.Encoding]::UTF8.GetBytes($salt)  
8.     $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8  
9.     $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )[0..15]  
10.     $c = $r.CreateEncryptor()  
11.     $ms = new-Object IO.MemoryStream  
12.     $cs = new-Object Security.Cryptography.CryptoStream $ms,$c,"Write"  
13.     $sw = new-Object IO.StreamWriter $cs  
14.     $sw.Write($String)  
15.     $sw.Close()  
16.     $cs.Close()  
17.     $ms.Close()  
18.     $r.Clear()  
19.     [byte[]]$result = $ms.ToArray()  
20.     return [Convert]::ToBase64String($result)  
21. }  
22.   
23. function Decrypt-String($Encrypted, $Passphrase, $salt="SaltCrypto", $init="IV_Password")  
24. {  
25.     if($Encrypted -is [string]){  
26.         $Encrypted = [Convert]::FromBase64String($Encrypted)  
27.     }  
29.     $r = new-Object System.Security.Cryptography.RijndaelManaged  
30.     $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)  
31.     $salt = [Text.Encoding]::UTF8.GetBytes($salt)  
32.     $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8  
33.     $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )[0..15]  
34.     $d = $r.CreateDecryptor()  
35.     $ms = new-Object IO.MemoryStream @(,$Encrypted)  
36.     $cs = new-Object Security.Cryptography.CryptoStream $ms,$d,"Read"  
37.     $sr = new-Object IO.StreamReader $cs  
39.     Write-Output $sr.ReadToEnd()  
41.     $sr.Close()  
42.     $cs.Close()  
43.     $ms.Close()  
44.     $r.Clear()  
45. }  
47. cls  
49. ####
50. # TODO: use strong password
51. # Canadian_Soap_Opera
52. ###
54. $pwd = read-host "(Case Sensitive) Please Enter User Password"  
56. $pcrypted = "TTpgx3Ve2kkHaFNfixbAJfwLqTGQdk9dkmWJ6/t0UCBH2pGyJP/XDrXpFlejfw9d"  
58. write-host "Encrypted Password is: $pcrypted"  
59. write-host ""  
60. write-host "Testing Decryption of Username / Password..."  
61. write-host ""      
63. $pdecrypted = Decrypt-String $pcrypted $pwd
65. write-host "Decrypted Password is: $pdecrypted"

复制代码

我的解答：
我们分析powershell代码，发现只需要把pwd变量赋值为”Canadian_Soap_Opera“，然后运行powershell代码即可

1. function Decrypt-String($Encrypted, $Passphrase, $salt="SaltCrypto", $init="IV_Password")  
2. {  
3.     if($Encrypted -is [string]){  
4.         $Encrypted = [Convert]::FromBase64String($Encrypted)  
5.     }  
7.     $r = new-Object System.Security.Cryptography.RijndaelManaged  
8.     $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)  
9.     $salt = [Text.Encoding]::UTF8.GetBytes($salt)  
10.     $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8  
11.     $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )[0..15]  
12.     $d = $r.CreateDecryptor()  
13.     $ms = new-Object IO.MemoryStream @(,$Encrypted)  
14.     $cs = new-Object Security.Cryptography.CryptoStream $ms,$d,"Read"  
15.     $sr = new-Object IO.StreamReader $cs  
17.     Write-Output $sr.ReadToEnd()  
19.     $sr.Close()  
20.     $cs.Close()  
21.     $ms.Close()  
22.     $r.Clear()  
23. }
24. $pwd = "Canadian_Soap_Opera"  
26. $pcrypted = "TTpgx3Ve2kkHaFNfixbAJfwLqTGQdk9dkmWJ6/t0UCBH2pGyJP/XDrXpFlejfw9d"  
28. write-host "Encrypted Password is: $pcrypted"  
29. write-host ""  
30. write-host "Testing Decryption of Username / Password..."  
31. write-host ""      
33. $pdecrypted = Decrypt-String $pcrypted $pwd
35. write-host "Decrypted Password is: $pdecrypted"  

复制代码

得到
poctf{uwsp_4d_v1c70r14m_w4573l4nd3r}
A Tangled Web We Weave

题目

The flag has been hidden in these assembly instructions, except I forgot how to decode it... If you figure it out you get the flag.

1. section .data
2.     encoded_message db 0x0F, 0x10, 0x1C, 0x0B, 0x19, 0x04, 0x0A, 0x08, 0x0C, 0x0F, 0x20, 0x14, 0x4E, 0x11, 0x46, 0x20, 0x14, 0x4F, 0x11, 0x46, 0x20, 0x46, 0x4F, 0x48, 0x20, 0x11, 0x4F, 0x48, 0x17, 0x4E, 0x11, 0x46, 0x20, 0x4F, 0x11, 0x20, 0x12, 0x4C, 0x02
4. section .text
5.     global _start
7. _start:
8.     mov ecx, 0
9.     mov edi, encoded_message
10.     find_length:
11.         cmp byte [edi], 0
12.         je print_message
13.         inc ecx
14.         inc edi
15.         jmp find_length
17.     print_message:
18.         xor esi, esi
19.         mov edi, encoded_message
20.         decode:
21.             xor eax, eax
22.             mov al, byte [edi + esi]
23.             xor al, ; something missing?
24.             mov byte [edi + esi], al
25.             inc esi
26.             cmp byte [edi + esi], 0
27.             jne decode
29.         mov edx, ecx
30.         mov eax, 4
31.         mov ebx, 1
32.         mov ecx, encoded_message
33.         int 0x80
35.     mov eax, 1
36.     xor ebx, ebx
37.     int 0x80

复制代码

我的解答：
分析汇编代码可知解密第一步是异或4，第二步是异或一个未知的值。
我们可以根据flag的形式猜测encoded_message的第一个字符应该为p，0x0F^4^ord('p')得到123，依次检测第二个字符异或后为o，
OK！就是这样，写个脚本

1. a = "0x0F, 0x10, 0x1C, 0x0B, 0x19, 0x04, 0x0A, 0x08, 0x0C, 0x0F, 0x20, 0x14, 0x4E, 0x11, 0x46, 0x20, 0x14, 0x4F, 0x11, 0x46, 0x20, 0x46, 0x4F, 0x48, 0x20, 0x11, 0x4F, 0x48, 0x17, 0x4E, 0x11, 0x46, 0x20, 0x4F, 0x11, 0x20, 0x12, 0x4C, 0x02"
2. a = a.split(',')
3. for i in a:
4.     print(chr(int(i,16)^4^123),end="")
6. #poctf{uwsp_k1n9_k0n9_907_n07h1n9_0n_m3}

复制代码

Sunshine on Filth is Not Polluted

题目

Log in with a valid username and PIN code, and this program will give you a shell. The username is easy to identify, but the PIN code is randomly generated!
Here's a hint, but you'll need to work for it a bit. Two hashed words: f704f57ea420275ad51bf55b7dec2c96 87cd8b8808600624d8c590cfc2e6e94b
To get the flag, you will need to exploit the binary on a live system. The binary is running on 34.123.210.162 port 20231 and the flag can be found in the /home/re3 directory when you get a shell.

我的解答：
题目提示的两个哈希没什么用，我们看到main函数如下：

1. int __cdecl main(int argc, const char **argv, const char **envp)
2. {
3.   init(argc, argv, envp);
4.   generate_code();
5.   configure_username();
6.   login();
7.   return 0;
8. }

复制代码

首先执行函数generate_code()创建随机认证码：

1. __int64 generate_code()
2. {
3.   __int64 result; // rax
4.   unsigned int v1; // [rsp+0h] [rbp-10h]
6.   v1 = (rand() + 123) % 10000;
7.   result = v1;
8.   auth_code = v1;
9.   return result;
10. }

复制代码

创建完后显示选项，与user进行交互：
[code]__int64 configure_username(){  __int64 result; // rax  char src[16]; // [rsp+0h] [rbp-10h] BYREF  while ( 1 )  {    printf("Options: (1) Enter username, (2) Confirm username, (3) Done: ");    result = get_int();    if ( (_DWORD)result == 3 )      break;    if ( (int)result