强网杯2020 部分writeup

简单记录一下做出的几道题目，以后还是科研为主科研为主

babyCRT#

# task.py
from Crypto.Util.number import getPrime, long_to_bytes, getStrongPrime
from hashlib import sha1
from random import randint
from secret import flag, p, q
import libnum

def gen_t(d):
    while True:
        t = getPrime(16)
        if t % 4 == 3 and libnum.gcd(d, t - 1) == 1:
            break
    return t

def sign(m, params):
    d, p, q, n, t1, t2, e1, e2 = params
    dp = d % ((p - 1) * (t1 - 1))
    dq = d % ((q - 1) * (t2 - 1))
    k = getPrime(16)
    Sp = pow(m + k, dp, p * t1)
    Sq = pow(m, dq, q * t2)
    Cp = q * t2 * libnum.invmod(q * t2, p * t1)
    Cq = p * t1 * libnum.invmod(p * t1, q * t2)
    S = (Cp * Sp + Cq * Sq) % (n * t1 * t2)
    c1 = (m - pow(S, e1, t1) + 1) % t1
    c2 = (m - pow(S, e2, t2) + 1) % t2
    return pow(S, c1 * c2, n)

e = 65537
assert p < q
assert flag == "flag{" + sha1(long_to_bytes(p)).hexdigest() + "}"

n = p*q
print(n)
d = libnum.invmod(e, (p - 1) * (q - 1))
t1 = gen_t(d)
et1 = libnum.invmod(d, t1 - 1)
t2 = gen_t(d)
et2 = libnum.invmod(d, t2 - 1)
params = (d, p, q, n, t1, t2, et1, et2)
m = randint(1, n-1)
print(m)
sig = sign(m, params)
print(sig)

论文题：http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.510.3146&rep=rep1&type=pdf

结论：$gcd(m^{c_1} - {Sig}^e,N)=p$

所以爆破$c_1$就行

from hashlib import sha1
from libnum import gcd
from Crypto.Util.number import long_to_bytes

e = 65537
n = 26318358382258215770827770763384603359524444566146134039272065206657135513496897321983920652242182112479484135343436206815722605756557098241887233837248519031879444740922789351356138322947108346833956405647578838873425658405513192437479359531790697924285889505666769580176431360506227506064132034621123828090480606055877425480739950809109048177976884825589023444901953529913585288143291544181183810227553891973915960951526154469344587083295640034876874318610991153058462811369615555470571469517472865469502025030548451296909857667669963720366290084062470583318590585472209798523021029182199921435625983186101089395997
m = 26275493320706026144196966398886196833815170413807705805287763413013100962831703774640332765503838087434904835657988276064660304427802961609185997964665440867416900711128517859267504657627160598700248689738045243142111489179673375819308779535247214660694211698799461044354352200950309392321861021920968200334344131893259850468214901266208090469265809729514249143938043521579678234754670097056281556861805568096657415974805578299196440362791907408888958917063668867208257370099324084840742435785960681801625180611324948953657666742195051492610613830629731633827861546693629268844700581558851830936504144170791124745540
s = 20152941369122888414130075002845764046912727471716839854671280255845798928738103824595339885345405419943354215456598381228519131902698373225795339649300359363119754605698321052334731477127433796964107633109608706030111197156701607379086766944096066649323367976786383015106681896479446835419143225832320978530554399851074180762308322092339721839566642144908864530466017614731679525392259796511789624080228587080621454084957169193343724515867468178242402356741884890739873250658960438450287159439457730127074563991513030091456771906853781028159857466498315359846665211412644316716082898396009119848634426989676119219246

for c1 in range(2**16):
    p = gcd(pow(m, c1, n)-pow(s, e, n), n)
    if(p != 1 and n % p == 0):
        q = n//p
        print(p*q==n)
        print("flag{" + sha1(long_to_bytes(p)).hexdigest() + "}")
        print("flag{" + sha1(long_to_bytes(q)).hexdigest() + "}")

bank#

nc看了下可以知道是ECB模式加密了sender+receiver+money，所以通过加密可以知道自己的账号对应的密文，同时在recorder里可以看到哪些人在相互转钱，题目让我们可以提供recorder来伪造其他账户转钱给自己，所以思路就很简单了：

1. 加密一次，得到自己的账号
2. 得到所有已有的其他账户信息
3. 伪造recorder让其他账户给自己打钱

from pwn import *
import string
from hashlib import sha256
import itertools

#context.log_level = 'debug'
p = remote('39.101.134.52', 8005)

def proof_of_work(token):
    p.recvuntil("sha256(XXX+")
    pad = p.recvuntil(")")[:-1]
    p.recvuntil(" == ")
    target = bytes.fromhex(p.recvline().strip().decode())
    for s in itertools.product(string.printable, repeat=3):
        if sha256(''.join(s).encode()+pad).digest() == target:
            p.sendlineafter("Give me XXX:", ''.join(s))
            p.sendlineafter("teamtoken:", token)
            return

token = ''
proof_of_work(token)

p.sendlineafter("give me your name:", "ycdxsb")
p.sendlineafter("> ", "transact")
p.sendlineafter("> ", "Mote 10")
receiver = p.recvline().strip()[:32]
p.sendlineafter("> ", "view records")
p.recvline()

senders = []
cashs = []
for i in range(10):
    line = p.recvline().strip()
    senders.append(line[32:-32])
    cashs.append(line[-32:])
print(senders)
print(cashs)
for i in range(10):
    payload = senders[i]+receiver+cashs[i]
    p.sendlineafter("> ", "provide a record")
    p.sendlineafter("> ", payload)

p.recvuntil('> ')
p.sendline('get flag')
import time
time.sleep(1)
print(p.recv())

modestudy#

是真的让人头大

六个Chanllege 分别对应：

• CBC 字节翻转攻击
• CBC预测iv
• ECB 块加密，可以发现有两个块只差一个字节，可以通过覆盖修改admin=0 为admin=1(session:dfc684a3;timedl=1;admin=0;guess_cookie_ma=1;guess_mp_ab=1;guess_cookie_mb=0;hell_pad=233)
• ECB padding oracle
• 自己写的ECB块加密，两个字节为一个块，先建立明文和密文的字典，然后直接爆破
• CBC padding oracle

import binascii
from zio import *
import string
import random
import hashlib
import pickle
from Crypto.Util.number import bytes_to_long, long_to_bytes

'''
# get Challedge dict
idx = 0
for key in d.keys():
    if(ord(d[key][0])>=idx):
        idx = ord(d[key][0])
for i in range(idx,256):
    for j in range(32):
        sendmsg = ""
        for k in range(8):
            sendmsg += chr(i)+chr(8*j+k)
        io.read_until('your choice:')
        io.writeline('1')
        io.read_until('input(encode hex):')
        io.writeline(sendmsg.encode('hex'))
        line = io.readline().strip()
        line = line.split(':')[1]
        for k in range(8):
            d[line[4*k:4*k+4]] = chr(i)+chr(8*j+k)
        #print(d)
    with open('challege5.pickle','wb') as f:
        pickle.dump(d,f)
'''

def passpow(io, difficulty):
    io.read_until("[+] sha256(")
    prefix = io.read_until("+")[:-1]
    while 1:
        answer = ''.join(random.choice(
            string.ascii_letters + string.digits) for i in range(8))
        hashresult = hashlib.sha256(prefix+answer).digest()
        bits = ''.join(bin(ord(j))[2:].zfill(8) for j in hashresult)
        if bits.startswith('0'*difficulty):
            io.read_until("=")
            io.writeline(answer)
            return

token = ''
ip = '139.224.254.172'
target = (ip, 7777)
io = zio(target, timeout=1000000, print_read=COLORED(
    RAW, 'red'), print_write=COLORED(RAW, 'green'))
passpow(io, 5)
io.writeline(token)


# Challege 1
io.read_until('your choice:')
io.writeline('1')
line = io.readline()
line = io.readline()
message = io.readline().strip().split(' ')[1]
cookie = message.split(';checksum=')[0].split(':')[1]
checksum = message.split(';checksum=')[1]
target = cookie[:31]+'1'
print('\n')
print('cookie:'+cookie)
print('checksum:'+checksum)
print('target:'+target)
checksum = long_to_bytes(int(checksum, 16))
print([checksum], len(checksum))
checksum = checksum[0:15]+chr(0x49 ^ 0x48 ^ ord(checksum[15]))+checksum[16:]
result = target+';checksum='+binascii.b2a_hex(checksum)

print("Challege 1:", result)
io.writeline(result)


# Challege 2
io.read_until('your choice:')
io.writeline('2')
line = io.readline()
line = io.readline()
iv_sha256  = io.readline().strip().split('=')[1]

print(iv_sha256)
io.read_until('your choice:')
io.writeline('1')
A = '1'*16
B = '1'*16
io.read_until('c:')
io.writeline(A+B)
line = io.readline().strip().split(' ')[1]
plaintext = long_to_bytes(int(line,16))
D = bytes_to_long(b'1'*16)^bytes_to_long(plaintext[16:])
iv = D^bytes_to_long(plaintext[:16])
iv = long_to_bytes(iv)
print(iv)
print(hashlib.sha256(iv).hexdigest())
io.read_until('your choice:')
io.writeline('2')
io.read_until('iv(encode hex):')
io.writeline(iv.encode('hex'))


# Challege 3
io.read_until('your choice:')
io.writeline('3')
line = io.readline()
line = io.readline()
cookie = io.readline().strip()[11:]
ciphertext = io.readline().strip().split('(cookie):')[1]
print('\n')
print("cookie:"+cookie)
print("ciphtertext:"+ciphertext)

io.read_until('input your encrypted cookie(encode hex):')
ciphertext = list(ciphertext)
for i in range(32):
    ciphertext[64+i] = ciphertext[128+i]
result = ''.join(ciphertext)
io.writeline(result)
print("Challege 3:", result)


# Challege 4
io.read_until('your choice:')
io.writeline('4')
line = io.readline()
line = io.readline()
line = io.readline()
secret_sha256 = line.split('=')[1]
print("sha256(secret):"+secret_sha256)
guess = ""
for i in range(16):
    for ch in range(256):
        io.read_until('your choice:')
        io.writeline('1')
        sendmsg = chr(ch)+guess+'\x00'*16
        io.read_until('input(encode hex):')
        io.writeline(sendmsg.encode('hex'))
        line = io.readline()
        ciphertext = io.readline().strip().split('msg: ')[1]
        if(ciphertext[0:32] == ciphertext[64:]):
            guess = chr(ch)+guess
            break
        # io.interact()
    print(guess)
print("Challege 4:", guess)
io.read_until('your choice:')
io.writeline('2')
io.read_until('secret(encode hex):')
io.writeline(guess.encode('hex'))
# edd11570a9bad21c0d6d97d32cc36674



# Challege 5
io.read_until('your choice:')
io.writeline('5')
line = io.readline()
line = io.readline()
line = io.readline()
line = io.readline()
line = io.readline()
secret = line.strip().split('=')[1]
print("secret:"+secret)

with open('challege5.pickle','rb') as f:
	d = pickle.load(f)

result = ""
for i in range(0, 8):
    result += d[secret[4*i:4*i+4]]
print('Challege 5:'+result)
io.read_until('your choice:')
io.writeline('2')
io.read_until('secret(encode hex):')
io.writeline(result.encode('hex'))


# Challege 6
io.read_until('your choice:')
io.writeline('6')
line = io.readline()
line = io.readline()
line = io.readline()
line = io.readline()
line = io.readline()
line = io.readline().strip().split(':')[1]
iv = long_to_bytes(int(line[:32],16))
se_c = long_to_bytes(int(line[32:],16))

tmp_iv = map(ord,list(iv))
tmp_c = map(ord,list(se_c[:16]))
zero = '0'*16

ans = [0] * 16
for idx in range(16):
    for num in range(0, 256):
        io.read_until('your choice:')
        io.writeline('1')
        io.read_until('iv+c (encode hex):')
        tmp_iv[-(1+idx)] = num
        payload = zero + ''.join(map(chr, tmp_iv+tmp_c))
        payload = ''.join(['%02x' % ord(ch) for ch in payload])
        io.writeline(payload)
        if 'error' not in io.readline():
            ans[-(1+idx)] = num ^ (idx+1)
            for j in range(idx+1):
                tmp_iv[-(j+1)] = ans[-(1+j)] ^ (idx+2)
            print(ans)
            break
    else:
        raise Exception("unknow error")
ans = ''.join(['%02x' % (ch^0x31) for ch in ans])
io.read_until('your choice:')
io.writeline('2')
io.read_until('ecret(encode hex):')
io.writeline(ans)
io.interact()
# 974c3485c74af5a38c874d3c9d03b2c3

xx_warmup_obf#

应该是被我非预期了23333。

一道混淆的re，但我向来是一个不喜欢麻烦的人，所以我抱着侥幸的心理试了下pin的指令数目侧信道，前置知识可以看之前这篇博客(https://blog.ycdxsb.cn/c61763eb.html)

可以看到有bad passcode,you got it和you failed it三个不同的字符串

根据位置和经验猜测第一个bad passcode是判断输入长度的，所以试了下知道输入长度为28字节

然后试了下第一个字节，发现f是指令数最少的，又简单测试了一下第二个l也满足条件，所以直接侧信道走起，吃个饭回来拿flag岂不是美滋滋，可惜题目看的太迟了，第4个做出来，连3血都没拿到

import os
import sys
import subprocess

class Shell(object):
    def runCmd(self, cmd):
        res = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        sout, serr = res.communicate()
        return res.returncode, sout, serr, res.pid

    def initPin(self, cmd):
        res = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        self.res = res

    def pinWrite(self, input):
        self.res.stdin.write(input)

    def pinRun(self):
        sout, serr = self.res.communicate()
        return sout, serr

cmd = './pin -t ./source/tools/ManualExamples/obj-intel64/inscount0.so -- ./xx_warmup_obf'

shell = Shell()

s = "f"
import string
chs=string.printable
chs = string.digits+string.ascii_letters+'{}_'
for i in range(27):
    min_num = 2**32
    min_ch = ""
    for ch in chs:
        tmp = s + ch +(28-len(s)-1)*'a'+'\n'
        shell.initPin(cmd)
        shell.pinWrite(tmp)
        sout,serr = shell.pinRun()
        with open('inscount.out') as f:
            count = f.readline().split(' ')[1]
        count = int(count)
        print(count,tmp,sout)
        if(count<min_num):
            min_num = count
            min_ch = ch
    s+=min_ch
    print(min_num,min_ch)
    print('flag:'+s)