[Writeup] WhiteHat Contest lần 6
BÓNG ĐÁ 360 (web)
Bài này cái form login chỉ là lừa tềnh thôi, dòm vô cookie sẽ thấy đoạn base64
Mã:
_uid=QWRtaW49RmFsc2U%3D
Mã:
Admin=False
Strings lần lượt 5 tấm ảnh sẽ thấy tấm cuối có chèn Flag:
Mã:
Flag{bong_da_la_so_mot}CUỐN SÁCH BÍ ẨN (crypto)
Mã:
[/SIZE][COLOR=#000000][FONT=monospace]JJ3W2ZLNNEQHQYZANJZXS2BAOZ2SAZTDO5UHEIDYNVUW64DTMNZCAZ3RNB4W2LRAIZ5HOZRAMVUCA4THMNTGY4LSMMQG63D2MNUWQIDJMYXCASTNNETWSZZAMFWWE6DQPJ5GQIDLOVVCA4TWOJQSA53TOR5HA6RMEBZGY3JAM5ZWG3JAMZTWS2JAOZ2WC6DEOJZWMZBAPFRHCIDQNF2HG3BAOFYWS2BAO5TS4ICUMQQG6YLBEBYXSYRANVSXO23UONYSA3DMOIQG45LPMNZCAYTUOVXGS6TTEBUGM43HNJUXAIDWPETWIIDNOFUWMIDVOBVHEIDOEB3HM432OMQGC3LNO5RWC3DKEBZHE5LNOBZSYIDCOATWYIDBNVRHCIDFMZZSA3TQO52XG3BOEBJW2J3ZEB3XG4RAMVTG6ZZAMNYGUIDWMNSCAZLEO53HEZBMEBTHOZRAM5VGIY3MMVQSYIDDNVTSA4LDMNXXU5JMEBWGOZZAOV4GUZDYO5RHS4JAN5SWOIDRNVUGGZ3JN5UXEIDPNIQG22DVM53CA23TNAXCAU3NE5XCA4TDM4QGGY3PPFXGGIDRNBWGM33COB3WC4RAMNVHE4BANJWWMIDHNRRHU5TXNZ3SA5LTNZXHQZRMEBYG6ZJANZVHMIDIOVYCA4LTOBYXEYRNOZ2XS3D2OYTWOIDROBVGSZTLONWCALJAMRWHAYLPNV2XELRAJQQHC2DON52CA3LUEB2WC6DNONVG45ZMEBWGGZZANJWXCIDDOF4S4ICQPIQGO33BEBYWOYTREBYHGIDIMNZSA5DWEBXWY4ZAMZSXA2LUNFYGGIDPNBXSA5TKEBXGG3BANBTHGYJANJUSAZTPNUQGIY3YM5ZXE33DOIXCAVLHEBTXSYRHNYQGI2LUEBSXAYTGOIQG6IDGNNZGK6TZEBSXAZDSOU5CAJ2HONTWOIDWOUQGCZTPNYQFIIDFOZZGQ4TPEB5HG4DDPFYXGICDEBUGS2LYONYSA5DSFQQGEYTWEBTGG4LVMZQXUIDNNAQHU3DCOMQHUYJAOJRXOYLTNJVHMZZAORWG44ZANZ3CA4LDE4XCASDCOB3CAY3JEBVWE6LCONSXKIDBMZWSAYTQE5QSA4DSOZXGC3TNFYQFMIDZONZXU6BAOJYXC2JANB2XAIDFMZZGG6DDM5XCAZDDNF3XGZZAORWCA2DVM4QGC3LGMZXSA3TKOYQGGYLQEBYXO5DKPAQG25BAJBYGKICUONTHQJ3EEBYXS3DONVWHGLRAJJWHU33NOFUHO6LGPFQSAYLGONUCA6TWPIQGO33BE5SSA4LTOIQHM3DDEBZHSZLJMRYGOLRAK5THC2BAM5VGSIDROZ2WC3LOFYQFQ5TSEBSGM33DM53SA6LCPAQGK4D2EB4HMYTGMV3GOIDWNR4WQIDHNRWHUIDYOZZHQLRAKJ3HEIDVN53SAY3QOB5CASLJNMQEY6TQPEQG44DIEBZHM6JANBYWO4BAMNZSA6DZMIQHUY3IMMQGUY3EOF3XA4ZOEBFHG6LIEBRHM3DDMYQGY4DUMRVXOYTZEBRGGIDKM4QHEY3TPA7SATDWPEQHQ5TSPEQG443COJYGGIDIPF3XIIDINEQG6332ONUCAY3LOBSWMY3YNFRGSZZAM55CA4LDPJTSA2DZMJSSAYLNNZ4HMYTXMMQHOYJAMMQG443CMF3W2IDSNRZWK4BAOJ3HEYJANNWSA2DJEBXXOIDDONQW44TDEBUGEIDDEBTXA2LHNV2GI4TVEBTXA23EPFTSYIDYNUQG6IDGOBWW23LCOQQGI4TDMFTSA4LNMJWWK3LNEBQXOZ3TEB4SAZDCOYQGMY32MZVCYIDLNVUW6Z3QMIQHA3BAOVZWW4ZAMZYHQ3LTNFTCAZDZNJXGS2JOEBDWOIDDMUQGU6TFNFTWUIDZMJYSA2LJNR3W6ZBAMJRWS3JANJWGY2BAM5YSA53DOM7SAWD2EBRGG2LNEBTHAY3ZEBXCA5LJNRTXSID2NYQG63DTEBTGM6T2OZXWSPZAJJZW4IDFOB5HCIDRMJ4GGIDIMIQFA2LVEBGWSY3TFQQG46DPMFXSA3LCEBTWU2JAOF3GSY3NEBVGUIDIOVYCARTJOF2XG3BMEB5GS6TTEB3HE4RAPB4WG43ZFYQFS3DDMIQEGIDENV5CA6DWOIQG4Z3INQQGQ5TNMEQGO2RAMVSHE4TCNAQC2IDMMMWCAVRAMZZWYJ3IEB5HA3LHEBWGG2RAMRVW66LOEBGSA6LBEAWSA5TGMIQEIIDKONZHOIDSOZXHMIDNMQQG6IDRNR5CA6DFMFZCAZLNEBUHK5DJPFUHS6JAMJRW2ZZMEBLCA2DNNF4WMIDYMZTGS2BAOV2HO43ZOEQGOYTHOEQHO3TPO5YCYIDXOFUWMIDHONRSA4LWOZRSYIDZMJ4CAYL2NJ4HG4DFEBZHM4TVNEQHU2LDO5WGI4TVMYQGQZ3IOUQG6YZAPJRXQ2ROEBIW6J3XEBZW4ZDXEBUGEIDUPFWCA2DJEB5GEY3JMZTC4ICUOITWOIDGOEQGY6LGPAQGK5ZANZ4G6YLPEBWWEIDCOBUSO4JAMNYXSID2PJTWGZLPFYQFOY3IEBSWK3BAOR2XM3JAOFWWMZ3GMMQHIYTUEBSWYIDPN5XXC6TSOFZC4ICKNVUSA4DDOITXEIDUOV3G2IDEPAQHOYJANJWWSZJAOFQWYIDTONYGCLRAKRZWSZJAOBSWGIDWOUQGG3LJNQQGIYTNNVYWO4DRNAQHO53IMVZS4ICOONWXIIDWNFQSA4LQMN5CA23YFYQFE5TZNIQGC23JMJYSAZLGON3HIIDQM5VHSZBAPJYHEYTWPFSS4ICXM4TXKIDJPFTWG4D2EBXXGIDSMJ4XS2DSEBRSA2TDNMQG443XOB3W6YLPEBZGGIDQNJSXA53ONIQGS2LIEBUHK5DMPEQGE4DJOFZWM4JAOZVGM6TSEBSWM33BEB3HGID2N5WXAIDBPJYHILLFOBYWI4TFPAQG2YRANJYHU3TTMJXHOIDRNBXHA2DZMZ4GIIDXMEQHI43FMRWWE3TOEBSWC5TDOBSHU4LTMFSS4ICHNATWMIDVNVVWIZTQEBRGUIDXONZHMIDRNFXXK6DHNBXWK3LOEBVGGZJANZWWCY3HPBRWE53QFUWWC4DHOYQHE3DRNUQGM53GOFUGGZLDN5UWOORAPF5HI4ZMEBYGUZLQMEWCAZLUOZ4XE43GMQWCAYLWNZ2G24TNFYQFMZTCEBXWY43FOAQGOZZAMFYSA53TOBWWK4LPPFUHEIDRNVTCA4DROFXHG3TQOZ4GSLQ=[/FONT][/COLOR]Nhìn sơ qua sẽ thấy đây là một dạng encode như base64, tuy nhiên các kí tự đều là chữ hoa => base32
Decode:
Mã:
Jwmemi xc jsyh vu fcwhr xmiopscr gqhym. Fzwf eh rgcflqrc olzcih if. Jmi'ig ambxpzzh kuj rvra wstzpz, rlm gscm fgii vuaxdrsfd ybq pitsl qqih wg. Td oaa qyb mewktsq llr nuocr btunizs hfsgjip vy'd mqif upjr n vvszs ammwcalj rrumps, bp'l ambq efs npwusl. Sm'y wsr efog cpj vcd edwvrd, fwf gjdclea, cmg qccozu, lgg uxjdxwbyq oeg qmhcgioir oj mhugv ksh. Sm'n rcg ccoync qhlfobpwar cjrp jmf glbzvwnw usnnxf, poe njv hup qspqrb-vuylzv'g qpjifksl - dlpaomur. L qhnot mt uaxmsjnw, lcg jmq cqy. Pz goa qgbq ps hcs tv ols fepitipc oho vj ncl hfsa ji fom dcxgsrocr. Ug gyb'n dit epbfr o fkrezy epdru: 'Gsgg vu afon T evrhro zspcyqs C hiixsq tr, bbv fcqufaz mh zlbs za rcwasjjvg tlns nv qc'. Hbpv ci kbybseu afm bp'a prvnanm. V ysszx rqqi hup efrcxcgn dciwsg tl hug amffo njv cap qwtjx mt Hpe Tsfx'd qylnmls. Jlzomqhwyfya afsh zvz goa'e qsr vlc ryeidpg. Wfqh gji qvuamn. Xvr dfocgw ybx epz xvbfevg vlyh gllz xvrx. Rvr uow cppz Iik Lzpy nph rvy hqgp cs xyb zchc jcdqwps. Jsyh bvlcf lptdkwby bc jg rcsx? Lvy xvry nsbrpc hywt hi oozsh ckpefcxibig gz qczg hybe amnxvbwc wa c nsbawm rlsep rvra km hi ow csanrc hb c gpigmtdru gpkdyg, xm o fpmmmbt drcag qmbmemm awgs y dbv fczfj, kmiogpb pl usks fpxmsif dyjnii. Gg ce jzeigj ybq iilwod bcim jllh gq wcs? Xz bcim fpcy n uilgy zn ols ffzzvoi? Jsn epzq qbxc hb Piu Mics, nxoao mb gji qvicm jj hup Fiqusl, zizs vrr xycsy. Ylcb C dmz xvr nghl hvma gj edrrbh - lc, V fsl'h zpmg lcj dkoyn M ya - vfb D jsrw rvnv md o qlz xear em hutiyhyy bcmg, V hmiyf xffih utwsyq gbgq wnowp, wqif gsc qvvc, ybx azjxspe rvrui zicwldruf hghu oc zcxj. Qo'w sndw hb tyl hi zbciff. Tr'g fq lyfx ew nxoao mb bpi'q cqy zzgceo. Wch eel tuvm qmfgfc tbt el oooqzrqr. Jmi pcr'r tuvm dx wa jmie qal sspa. Tsie pec vu cmil dbmmqgpqh wwhes. Nsmt via qpcz kx. Rvyj akibq efsvt pgjyd zprbvye. Wg'u iygcpz os rbyyhr c jck nswpwoao rc pjepwnj iih hutly bpiqsfq vjfzr efoa vs zomp azpt-epqdrex mb jpznsbnw qhnphyfxd wa tsedmbnn eavcpdzqsae. Gh'f umkdfp bj wsrv qiouxghoemn jce nmacgxcbwp--apgv rlqm fwfqhcecoig: yzts, pjepa, etvyrsfd, avntmrm. Vfb olsep gg aq wspmeqoyhr qmf pqqnsnpvxi.Tiếp tục là một Vigenère cipher, dùng cryptool để phân tích sẽ ra key là YOULIVEONLYONCE
Decrypt:
Mã:
Listen to what is being preached today. Look at everyone around us. You've wondered why they suffer, why they seek happiness and never find it. If any man stopped and asked himself whether he's ever held a truly personal desire, he'd find the answer. He'd see that all his wishes, his efforts, his dreams, his ambitions are motivated by other men. He's not really struggling even for material wealth, but for the second-hander's delusion - prestige. A stamp of approval, not his own. He can find no joy in the struggle and no joy when he has succeeded. He can't say about a single thing: 'This is what I wanted because I wanted it, not because it made my neighbors gape at me'. Then he wonders why he's unhappy. I would give the greatest sunset in the world for one sight of New York's skyline. Particularly when one can't see the details. Just the shapes. The shapes and the thought that made them. The sky over New York and the will of man made visible. What other religion do we need? And then people tell me about pilgrimages to some dank pesthole in a jungle where they go to do homage to a crumbling temple, to a leering stone monster with a pot belly, created by some leprous savage. Is it beauty and genius they want to see? Do they seek a sense of the sublime? Let them come to New York, stand on the shore of the Hudson, look and kneel. When I see the city from my window - no, I don't feel how small I am - but I feel that if a war came to threaten this, I would throw myself into space, over the city, and protect these buildings with my body. It's easy to run to others. It's so hard to stand on one's own record. You can fake virtue for an audience. You can't fake it in your own eyes. Your ego is your strictest judge. They run from it. They spend their lives running. It's easier to donate a few thousand to charity and think oneself noble than to base self-respect on personal standards of personal achievement. It's simple to seek substitutes for competence--such easy substitutes: love, charm, kindness, charity. But there is no substitute for competence.[/FONT]
[FONT=georgia, serif]EXPLOIT IT (Pwn)
[/FONT]
[FONT=georgia, serif][/FONT]
Mấu chốt bài này nằm ở dòng 21
Mã:
[/SIZE][/SIZE][/COLOR][/FONT]datax = pickle.loads(input)[COLOR=#181818][FONT=georgia]Cách một: push object db_user từ module __main__ vào stack để khi unpickle thì nó lấy được giá trị của db_user, dấu chấm là kết thúc chuỗi pickle, chữ c là load object từ module nào đó.
Mã:
'c__main__\ndb_user\n.'Cách hai: push hàm system từ module os rồi truyền vào tuple là lệnh cần thực thi, ở đây là lệnh đọc flag rồi truyền vào file temp để khi str(datax) != str(db_user) thì read từ temp:
Mã:
"cos\nsystem\n(S'type flag > temp'\ntR."[/FONT]
VIÊN GẠCH CỦA QUỶ XANH (ACM)
Đây là một bài thuộc dạng thuật toán coding cao siêu, mình rất ngu khoảng này nhưng may là khi thử mấy trường hợp đơn giản 2x2, 2x3, 2x4, 2x5 thì thấy na ná chuỗi Fibonacci, đáp án là chuỗi Fibonacci thứ 1000000001%20142014
Mình sử dụng code này để giải: https://www.dropbox.com/s/16fgiibn5po750l/fib_src.zip (chỉnh sửa lại một chút cho nó mod 20142014 rồi in ra màn hình)
Flag: 13415913
