Qiangwangbei WriteUp

Team Result

rank:53

score:1066

others’ writeup

  1. http://www.cnblogs.com/iamstudy/articles/ctf_writeup_rpo_attack.html

MISC

1. ai-animal

I got a picture and a script in Python. The script is running on the server. The following function is responsible for printing the flag. The server only receives packets which are smaller than 1024 bits, and it decodes the packets with base64.

    def remote_sub(conn, address):
        print address
        (ip, port) = address
        conn.send("plz input your base64 encode pic:")
        expect_len = 62256
        data = ''
        while True:
            rdata = conn.recv(1024)
            data += rdata
            expect_len -= 1024
            if expect_len < 0:
                 break
        image_data = base64.b64decode(data)
        ori_image = open('/tf_files/test/basque-shepherd-dog.jpg', 'rb').read()
        
        if check_diff(image_data, ori_image) == -1:
            conn.send('no\n')
            sys.exit(0)
        else:
            conn.send('lets go\n')
        
        # Loads label file, strips off carriage return
        label_lines = [line.rstrip() for line
                           in tf.gfile.GFile("/tf_files/retrained_labels.txt")]
        
        # Unpersists graph from file
        with tf.gfile.FastGFile("/tf_files/retrained_graph.pb", 'rb') as f:
            graph_def = tf.GraphDef()
            graph_def.ParseFromString(f.read())
            _ = tf.import_graph_def(graph_def, name='')
        
        with tf.Session() as sess:
            # Feed the image_data as input to the graph and get first prediction
            softmax_tensor = sess.graph.get_tensor_by_name('final_result:0')
        
            predictions = sess.run(softmax_tensor, \
                     {'DecodeJpeg/contents:0': image_data})
        
            # Sort to show labels of first prediction in order of confidence
            top_k = predictions[0].argsort()[-len(predictions[0]):][::-1]
            print top_k
        
            if top_k[0] == 1:
                conn.send(config.flag + '\n')

Base64-encoded text is 4/3 times as long as the plain text, so every time I need to send a packet which has 768 bits. Then receiving 2 packets will lead to the flag. The following script gets the flag automatically.

	# -*- coding=UTF-8
	import socket
	import base64
	import time
	
	bind_ip ="117.50.13.213"
	bind_port = 12345
	
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((bind_ip, bind_port))
	print(s.recv(1024).decode('utf-8'))
	
	with open('/root/Desktop/test/basque-shepherd-dog.jpg', 'rb') as f:
	    while True:
	        time.sleep(0.01)
	        piece = f.read(768)   
	        if not piece:
	            break
	        s.sendall(base64.b64encode(piece))
	        # print piece
	print(s.recv(1024).decode('utf-8'))
	print(s.recv(1024).decode('utf-8'))
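
The following is an added example, not part of the original post or the challenge code. It shows why 768-byte pieces line up with the server's 1024-byte reads, and why a receive loop that counts `recv()` calls instead of bytes truncates the payload on short reads. `FakeConn`, `RAW` and the helper names are assumptions, and the payload is constructed rather than the real JPEG.

```python
import base64

EXPECT_LEN = 62256  # base64 length hard-coded in the page's server loop
# Constructed stand-in for the JPEG: 46692 bytes, which encodes to exactly EXPECT_LEN.
RAW = (bytes(range(256)) * 183)[:EXPECT_LEN * 3 // 4]
WHOLE = base64.b64encode(RAW)

def encode_in_pieces(raw, piece):
    """Encode each `piece`-byte slice on its own and concatenate, as the client does."""
    return b"".join(base64.b64encode(raw[i:i + piece])
                    for i in range(0, len(raw), piece))

class FakeConn:
    """Hypothetical socket stand-in: hands out at most `seg` bytes per recv() call."""
    def __init__(self, stream, seg):
        self.stream, self.seg, self.pos = stream, seg, 0

    def recv(self, bufsize):
        out = self.stream[self.pos:self.pos + min(bufsize, self.seg)]
        self.pos += len(out)
        return out

def recv_by_calls(conn, expect_len=EXPECT_LEN):
    """The server's loop: subtracts 1024 per recv() call, whatever came back."""
    data = b""
    while True:
        data += conn.recv(1024)
        expect_len -= 1024
        if expect_len < 0:
            break
    return data

def recv_exact(conn, expect_len=EXPECT_LEN):
    """Length-based framing: loop until expect_len bytes have really arrived."""
    buf = bytearray()
    while len(buf) < expect_len:
        chunk = conn.recv(min(1024, expect_len - len(buf)))
        if not chunk:
            raise ConnectionError("peer closed before the full payload arrived")
        buf += chunk
    return bytes(buf)

if __name__ == "__main__":
    print("768-byte pieces match whole encoding:", encode_in_pieces(RAW, 768) == WHOLE)
    print("1000-byte pieces match whole encoding:", encode_in_pieces(RAW, 1000) == WHOLE)
    print("call-counting loop, 512-byte reads:", len(recv_by_calls(FakeConn(WHOLE, 512))))
    print("byte-counting loop, 512-byte reads:", len(recv_exact(FakeConn(WHOLE, 512))))
```

Any piece size that is a multiple of 3 encodes without mid-stream padding; 768 is the one that also fills a 1024-byte read exactly.
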
This post is licensed under CC BY 4.0 by the author.
