[CTF]Defcon-CTF-Quals-2014-Routarded/Hackertool/3dttt-Writeup

By Le4F - 2014-05-20

Routarded Points: 1

Description:

Wow, they forwarded http on a router with default creds? It must be my birthday!
http://routarded_87f7837f50a5370771b9467d840c93c5.2014.shallweplayaga.me:5000/

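I won't recount the painful story of how a native Chinese speaker misread "It must be my birthday"...
As the description says, the server can be logged into with default credentials. It uses HTTP Basic authentication. I ran BurpSuite against it a few times with no result, then googled default passwords and realized I had forgotten to try an empty username.
So I used:

Username: (empty)
Password: admin

and logged in successfully.
After logging in, I found that the web interface offers a ping function. It is the most obvious input point, so I tried: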

localhost;ls

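The ; was filtered, but that was clearly the work of client-side JavaScript.
After disabling it and submitting, the directory listing came back: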

bower_components
flag
requirements.txt
routarded.py
static
templates

Then

localhost;cat flag

is all it takes.

img01
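The filter on ; ran only in the browser, so nothing on the server stood between the form field and the shell. A server-side version of that check, as an added Python 3 example (this is not the challenge's routarded.py, whose source the writeup does not show; the function names and the `ping -c 1` invocation are assumptions):

```python
import ipaddress
import re
import subprocess

# One DNS label: letters, digits and hyphens, never starting or ending with "-".
# Used with fullmatch() so a trailing newline cannot slip past the anchor.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_ping_target(raw):
    """Return a normalized IP address or hostname, or raise ValueError."""
    target = raw.strip()
    if not target or len(target) > 253:
        raise ValueError("empty or too long")
    try:
        # Accept IPv4/IPv6 literals and return their canonical text form.
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    host = target.rstrip(".")
    labels = host.split(".")
    # An all-numeric last label is a malformed IP literal, not a hostname.
    if labels[-1].isdigit():
        raise ValueError("malformed IP address")
    if all(_LABEL.fullmatch(label) for label in labels):
        return host
    raise ValueError("not an IP address or hostname")


def ping_argv(raw):
    """Build the argument vector; the target is one argv element, never shell text."""
    return ["ping", "-c", "1", validate_ping_target(raw)]


def ping(raw):
    """Run ping without a shell, so metacharacters have no meaning even if validation is bypassed."""
    result = subprocess.run(ping_argv(raw), capture_output=True, text=True, timeout=5)
    return result.stdout
```

The validation rejects anything starting with "-", so user input cannot be read by ping as an option either.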


Hackertool Points: 1

Description:

hey, we need to check that your connection works, torrent this file and md5 it
http://services.2014.shallweplayaga.me/hackertool.torrent_fe3b8b75e9639d35e8ac1d9809726ee2

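The challenge provides a torrent file of about 4 MB, which downloads a file named every_ip_address.txt. The task is to submit the MD5 of that file.

At first I downloaded part of it and found it was nothing but IP addresses separated by 0A, but it did not occur to me to construct the file myself. I then went through all sorts of ideas and analyzed the torrent format; the torrent only provides the info_hash of the info section. This got worse after the organizers gave this hint: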

KINDA A HINT FOR HACKERTOOL: http://imgur.com/XCtMjJ2

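It said something about throttling to 1 KB/s, so I foolishly went looking through the packets for anything fishy.
Only at the very end did I start running from 0.0.0.0 to 255.255.255.255 and computing the MD5.

The test script: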

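import hashlib,time

# Python 2. Every "a.b.c.d\n" line is fed into one MD5 object,
# so the file itself never has to be written to disk.
m = hashlib.md5()
starttime = time.time()

for a in range(256):
    for b in range(256):
        for c in range(256):
            for d in range(256):
                ip = str(a)+"."+str(b)+"."+str(c)+"."+str(d)+"\n"
                m.update(ip)
            print ip  # progress: last address of each a.b.c.x block
    print time.time() - starttime  # elapsed seconds after each a.x.x.x block
print m.hexdigest()
print time.time() - starttime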

It was rather slow. I considered multithreading and wrote this demo:

import hashlib

from threading import Lock, Thread
lock=Lock()
ip = 0
now = 0
m = hashlib.md5()

class IncrementThread(Thread):
    def run(self):
        global ip,now,m
        # The whole body runs under the lock, so the threads execute one at a time
        lock.acquire()
        genip=ip+str(int(now))+'\n'
        now+=1
        print genip
        m.update(genip)
        lock.release()

def use_increment_thread():
    threads=[]
    for i in range(256):
        t=IncrementThread()
        threads.append(t)
        t.start()
    for t in threads:
        t.join()

for a in range(256):
    for b in range(256):
        for c in range(256):
            # Module-level code: ip and now are already globals here
            now=0
            ip = str(a)+"."+str(b)+"."+str(c)+"."
            use_increment_thread()

print m.hexdigest()

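Once it was written I realized that the thread lock would probably cost even more time, and that turned out to be the case.
In the end I quietly waited for the first script to finish and got the flag.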
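MD5's internal state depends on every byte hashed before it, so the hash cannot be split across threads; the cost in the first script is building 2^32 small strings in the interpreter. The following added example (Python 3, not from the original post) builds each a.b.0.0 to a.b.255.255 block with a single join and hashes it in one update. The function names and the `octets` parameter, which exists so the result can be checked on a small range, are assumptions.

```python
import hashlib
from itertools import product


def md5_every_ip(octets=range(256)):
    """MD5 of the lines 'a.b.c.d\\n' for every combination of octets, in ascending order."""
    octets = [str(o) for o in octets]
    # The "c.d" tails are the same under every "a.b." prefix, so build them once.
    tails = [c + "." + d for c, d in product(octets, repeat=2)]
    md5 = hashlib.md5()
    for a, b in product(octets, repeat=2):
        prefix = a + "." + b + "."
        # Joining with "\n" + prefix puts the prefix in front of every tail
        # in one C-level call instead of one Python-level concat per address.
        block = prefix + ("\n" + prefix).join(tails) + "\n"
        md5.update(block.encode("ascii"))
    return md5.hexdigest()


def md5_every_ip_naive(octets=range(256)):
    """Reference version with the same loop structure as the script above."""
    md5 = hashlib.md5()
    for a, b, c, d in product(octets, repeat=4):
        md5.update(("%d.%d.%d.%d\n" % (a, b, c, d)).encode("ascii"))
    return md5.hexdigest()


if __name__ == "__main__":
    # Sanity check on a small range before the full run.
    assert md5_every_ip(range(4)) == md5_every_ip_naive(range(4))
    print(md5_every_ip())
```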

Thanks to the organizers for giving us the chance to study torrent files so thoroughly.


3DTTT Points: 1

Description:

Play well and play fast.
3dttt_87277cd86e7cc53d2671888c417f62aa.2014.shallweplayaga.me:1234

A 3D tic-tac-toe game. Sadly, I have trouble winning even the 2D version...
Winning 50 rounds with a script yields the flag.

#!/usr/bin/env python2

import itertools
import socket
import random
import os
import time

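# Read from the socket until the received data ends with the marker u.
# If the server closes the connection first, print what arrived and abort.
def read_until(s, u):
        d = ""
        while not d.endswith(u):
                c = s.recv(4096)
                if not c:
                        print d
                        assert(False)
                d += c
        return d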

s = socket.socket()
s.connect(("3dttt_87277cd86e7cc53d2671888c417f62aa.2014.shallweplayaga.me", 1234))
cs = {" ":"free", "X": "X", "O": "O"}

fieldAnnotated = {}
preferencesVector = { 'corners': 1, 'centers': 2, 'attack': 3, 'defense': 4 }

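# Score every cell of the 3x3x3 board:
#   'attack'   - lines through a free cell that already hold two X (our mark)
#   'defend'   - lines through a free cell that already hold two O
#   'niceness' - positional bonus used when there is nothing to win or block
def annotate(field):
        for x,y,z in itertools.product(range(3), repeat = 3):
                fieldAnnotated[x,y,z] = { 'attack':0, 'defend':0, 'niceness':0 }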
                if field[x,y,z] == "free":
                        for dx,dy,dz in itertools.product(range(-1,2), repeat = 3):
                                if (dx,dy,dz) == (0,0,0): continue
                                for d in xrange(2):
                                        p1 = x+dx+d*dx, y+dy+d*dy, z+dz+d*dz
                                        p2 = x+ 0+d*dx, y+ 0+d*dy, z+ 0+d*dz
                                        p3 = x-dx+d*dx, y-dy+d*dy, z-dz+d*dz
                                        if any( p not in field for p in [p1,p2,p3] ): continue
                                        s1,s2,s3 = field[p1],field[p2],field[p3]
                                        if ("X","X") in [(s1,s2),(s2,s3),(s3,s1)]:
                                                fieldAnnotated[x,y,z]['attack'] += 1
                                        elif ("O","O") in [(s1,s2),(s2,s3),(s3,s1)]:
                                                fieldAnnotated[x,y,z]['defend'] += 1

        for x1,y1,z1 in itertools.product(range(0,3,2), repeat = 3):
                if field[x1,y1,z1] == "X":
                        for dx,dy,dz in itertools.product(range(-1,2), repeat = 3):
                                x2,y2,z2 = x1+2*dx, y1+2*dy, z1+2*dz
                                if ( not (x2,y2,z2) in field ) or any( d == 0 for d in [x2,y2,z2] ): continue
                                if field[x2,y2,z2] == "free" and field[x1+dx,y1+dy,z1+dz] == "free":
                                        #print "taking max distant corner..."
                                        fieldAnnotated[x2,y2,z2]['niceness'] += preferencesVector['centers'] + 1

        for x1,y1,z1 in itertools.product(range(0,3,2), repeat = 3):
                if field[x1,y1,z1] == "free":
                        fieldAnnotated[x1,y1,z1]['niceness'] += preferencesVector['centers']

        if field[1,1,1] == "free":
                fieldAnnotated[1,1,1]['niceness'] += preferencesVector['corners'] + 2
        for dx,dy,dz in itertools.product(range(-1,2), repeat = 3):
                if (dx,dy,dz) == (0,0,0) or (0,0) not in [(dx,dy),(dy,dz),(dz,dx)]: continue
                if field[1+dx,1+dy,1+dz] == "free":
                        fieldAnnotated[1+dx,1+dy,1+dz]['niceness'] += preferencesVector['corners'] + 1
        for dx,dy,dz in itertools.product(range(-1,2), repeat = 3):
                if (dx,dy,dz) == (0,0,0) or 0 not in [dx,dy,dz]: continue
                if field[1+dx,1+dy,1+dz] == "free":
                        fieldAnnotated[1+dx,1+dy,1+dz]['niceness'] += preferencesVector['corners'] + 0


        return fieldAnnotated

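# Combine the three scores into one rank per cell and return the best cell.
# A returned rank of 0 means no cell scored at all.
def highestRankedCell(fieldAnnotated):
        currentHighestRank = 0
        currentHighestRankedCell = 0,0,0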
        for x,y,z in itertools.product(range(3), repeat = 3):
                currentRank = 0
                currentRank += fieldAnnotated[x,y,z]['attack'] * 10 * preferencesVector['attack']
                currentRank += fieldAnnotated[x,y,z]['defend'] * 10 * preferencesVector['defense']
                currentRank += fieldAnnotated[x,y,z]['niceness']
                if currentRank > currentHighestRank:
                        currentHighestRank = currentRank
                        currentHighestRankedCell = x,y,z
        return currentHighestRankedCell, currentHighestRank



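# Main loop: wait for the prompt, parse the board the server printed,
# pick a cell and send it.
while 1:
        d = read_until(s, "Choose Wisely (x,y,z): ").split("\n")
        assert(len(d) != 1)
        field = {}
        for l in d:
                print l
                # Header line of a layer: its last character is the z index
                if l.startswith(" x 0   1   2    z="):
                        z = int(l[-1])
                # Board row: starts with the y index, cells sit at every 4th column
                elif any(l.startswith("%d " % i) for i in xrange(3)):
                        y = int(l[0])
                        for x, c in enumerate(l[3::4]):
                                field[x,y,z] = cs[c]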

        preferencesVector = {
          'corners': 1,
          'centers': 2,
          'attack': 3,
          'defense': 4
        }


        fieldAnnotated = annotate(field)
        (x,y,z),rank = highestRankedCell(fieldAnnotated)
        while rank == 0:
                x,y,z = random.randrange(3), random.randrange(3), random.randrange(3)
                if field[x,y,z] == "free":
                        print "taking random, how desperate..."
                        #exit()
                        break

        print "choosing %d,%d,%d cause of overall rank %d   %s" % (x,y,z,rank,fieldAnnotated[x,y,z])
        s.sendall("%d,%d,%d\n" % (x,y,z))

img03

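There were many other interesting moments during the contest; our approaches to the other challenges will be described in follow-up writeups.

Finally, L's achievements: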

img02

@Le4F ::L TEAM::

From Le4F'Blog