UnionCTF-2021 committee writeup

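I think this is one of the more interesting Misc challenges in this CTF.

The challenge requires us to understand what a Git hash really is and to reproduce the entire hashing process, so that the answer can be brute-forced.

This article is a useful reference.

Here is the script.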

'''commit ff26e028a3faebd461c4cc0265d0f7b9ca049feb
Author: John J. Johnson <jojojo@legal.committee>
Date: Wed Jan 27 12:45:00 2021 +0000

Proceedings of the flag-deciding committee: 22, 23, 25

commit a23b600c786b05623b765b4f0d7a3f52df63cdd5
Author: Peter G. Anderson <pepega@legal.committee>
Date: Fri Dec 18 12:30:00 2020 +0000

Proceedings of the flag-deciding committee: 7, 9, 13

commit 6c35a04d1fdb8eedbbc9821b4c23b610bd3b4488
Author: Christopher L. Hatch <crisscross.the.hatch@legal.committee>
Date: Fri Nov 27 12:00:00 2020 +0000

Proceedings of the flag-deciding committee: 44, 45, 46

commit 8984f8eac466cbf86a6aa6b0480be53a86d8108c
Author: Pamela W. Mathews <pammy.emm@legal.committee>
Date: Thu Oct 29 12:00:00 2020 +0000

Proceedings of the flag-deciding committee: 38, 39, 40

commit 9b5ee533d17a9c0ff87d22bf0a433a621fbd55bf
Author: Robert J. Lawful <boblaw@legal.committee>
Date: Mon Oct 19 12:30:00 2020 +0000

Proceedings of the flag-deciding committee: 41, 42, 43

commit 8a951bd3e56432dd689e83034c1ee7e21ae6ee56
Author: Robert S. Storms <tempest@legal.committee>
Date: Fri Sep 11 11:45:00 2020 +0000

Proceedings of the flag-deciding committee: 1, 3, 4

commit 59c9f723bff0952f6589157f3ef8e1858d01bfdc
Author: John J. Johnson <jojojo@legal.committee>
Date: Fri Aug 28 12:45:00 2020 +0000

Proceedings of the flag-deciding committee: 19, 20, 21

commit 45ec9aba969782c72d18018126c2d9aeffde28b7
Author: Peter G. Anderson <pepega@legal.committee>
Date: Wed Aug 12 12:30:00 2020 +0000

Proceedings of the flag-deciding committee: 17, 24, 37

commit 30240b427e09aa75f034527e91aaa1fbc1b243ee
Author: Christopher L. Hatch <crisscross.the.hatch@legal.committee>
Date: Tue Jul 28 12:00:00 2020 +0000

Proceedings of the flag-deciding committee: 28, 30, 35

commit 6356e3d17ca6b7515c67cfe0a8712d1e8b57d713
Author: Pamela W. Mathews <pammy.emm@legal.committee>
Date: Wed Jul 1 12:45:00 2020 +0000

Proceedings of the flag-deciding committee: 10, 11, 12

commit a6880ed0c8bb30263bd0a2a631eb9bf50dc72344
Author: Robert J. Lawful <boblaw@legal.committee>
Date: Thu Jun 11 12:00:00 2020 +0000

Proceedings of the flag-deciding committee: 2, 5, 6

commit 9dbf985598f5ef000ba2e8856c6bec12435f0ef8
Author: Robert S. Storms <tempest@legal.committee>
Date: Tue May 12 12:30:00 2020 +0000

Proceedings of the flag-deciding committee: 14, 15, 16

commit d9af34e8a8ca6a24790d20262dafac71c3ddc980
Author: John J. Johnson <jojojo@legal.committee>
Date: Fri May 1 12:00:00 2020 +0000

Proceedings of the flag-deciding committee: 26, 27, 29

commit cb18d2984f9e99e69044d18fd3786c2bf6425733
Author: Peter G. Anderson <pepega@legal.committee>
Date: Tue Apr 14 12:00:00 2020 +0000

Proceedings of the flag-deciding committee: 32, 33, 34

commit dca4ca5150b82e541e2f5c42d00493ba8d4aa84a
Author: Christopher L. Hatch <crisscross.the.hatch@legal.committee>
Date: Mon Mar 23 12:30:00 2020 +0000

Proceedings of the flag-deciding committee: 8, 31, 36

commit c3e6c8ea777d50595a8b288cbbbd7a675c43b5df
Author: Pamela W. Mathews <pammy.emm@legal.committee>
Date: Fri Mar 13 12:30:00 2020 +0000

Proceedings of the flag-deciding committee: 18

commit 08e1f0dd3b9d710b1eea81f6b8f76c455f634e87
Author: Robert J. Lawful <boblaw@legal.committee>
Date: Wed Mar 4 12:00:00 2020 +0000

Initial formation of the flag-deciding committee.'''

import hashlib
import binascii
import time
import string

position = [[32, 33, 34],[26, 27, 29],[14, 15, 16],[2, 5, 6],
[10, 11, 12],[28, 30, 35],[17, 24, 37],[19, 20, 21],[1, 3, 4],
[41, 42, 43],[38, 39, 40],[44, 45, 46],[7, 9, 13],[22, 23, 25]]

hashes = [
'cb18d2984f9e99e69044d18fd3786c2bf6425733',
'd9af34e8a8ca6a24790d20262dafac71c3ddc980',
'9dbf985598f5ef000ba2e8856c6bec12435f0ef8',
'a6880ed0c8bb30263bd0a2a631eb9bf50dc72344',
'6356e3d17ca6b7515c67cfe0a8712d1e8b57d713',
'30240b427e09aa75f034527e91aaa1fbc1b243ee',
'45ec9aba969782c72d18018126c2d9aeffde28b7',
'59c9f723bff0952f6589157f3ef8e1858d01bfdc',
'8a951bd3e56432dd689e83034c1ee7e21ae6ee56',
'9b5ee533d17a9c0ff87d22bf0a433a621fbd55bf',
'8984f8eac466cbf86a6aa6b0480be53a86d8108c',
'6c35a04d1fdb8eedbbc9821b4c23b610bd3b4488',
'a23b600c786b05623b765b4f0d7a3f52df63cdd5',
'ff26e028a3faebd461c4cc0265d0f7b9ca049feb'
]

authors = [
'Peter G. Anderson <pepega@legal.committee>',
'John J. Johnson <jojojo@legal.committee>',
'Robert S. Storms <tempest@legal.committee>',
'Robert J. Lawful <boblaw@legal.committee>',
'Pamela W. Mathews <pammy.emm@legal.committee>',
'Christopher L. Hatch <crisscross.the.hatch@legal.committee>',
'Peter G. Anderson <pepega@legal.committee>',
'John J. Johnson <jojojo@legal.committee>',
'Robert S. Storms <tempest@legal.committee>',
'Robert J. Lawful <boblaw@legal.committee>',
'Pamela W. Mathews <pammy.emm@legal.committee>',
'Christopher L. Hatch <crisscross.the.hatch@legal.committee>',
'Peter G. Anderson <pepega@legal.committee>',
'John J. Johnson <jojojo@legal.committee>'
]

committer = 'Flag-deciding Committee <committee@legal.committee>'

times = [
'Tue Apr 14 12:00:00 2020 +0000',
'Fri May 1 12:00:00 2020 +0000',
'Tue May 12 12:30:00 2020 +0000',
'Thu Jun 11 12:00:00 2020 +0000',
'Wed Jul 1 12:45:00 2020 +0000',
'Tue Jul 28 12:00:00 2020 +0000',
'Wed Aug 12 12:30:00 2020 +0000',
'Fri Aug 28 12:45:00 2020 +0000',
'Fri Sep 11 11:45:00 2020 +0000',
'Mon Oct 19 12:30:00 2020 +0000',
'Thu Oct 29 12:00:00 2020 +0000',
'Fri Nov 27 12:00:00 2020 +0000',
'Fri Dec 18 12:30:00 2020 +0000',
'Wed Jan 27 12:45:00 2021 +0000'
]

commitdesc = [
'Proceedings of the flag-deciding committee: 32, 33, 34',
'Proceedings of the flag-deciding committee: 26, 27, 29',
'Proceedings of the flag-deciding committee: 14, 15, 16',
'Proceedings of the flag-deciding committee: 2, 5, 6',
'Proceedings of the flag-deciding committee: 10, 11, 12',
'Proceedings of the flag-deciding committee: 28, 30, 35',
'Proceedings of the flag-deciding committee: 17, 24, 37',
'Proceedings of the flag-deciding committee: 19, 20, 21',
'Proceedings of the flag-deciding committee: 1, 3, 4',
'Proceedings of the flag-deciding committee: 41, 42, 43',
'Proceedings of the flag-deciding committee: 38, 39, 40',
'Proceedings of the flag-deciding committee: 44, 45, 46',
'Proceedings of the flag-deciding committee: 7, 9, 13',
'Proceedings of the flag-deciding committee: 22, 23, 25'
]

#flag = 'union{*******3*********_************r****d**********}\n'
flag = 'union{*0**1t*3*_d3*1de*_*******_d*t*rm1n*d**********}\n'

strpool = string.printable

#parent = 'dca4ca5150b82e541e2f5c42d00493ba8d4aa84a'
parent = '6356e3d17ca6b7515c67cfe0a8712d1e8b57d713'

from datetime import datetime

def sha_utf8(s):
    # SHA-1 hex digest of a bytes object
    return hashlib.sha1(s).hexdigest()

def make_file(s):
    # Git blob object: header 'blob <size>\0' followed by the content (flag.txt is 54 bytes)
    return 'blob 54\x00'.encode('UTF-8') + s.encode('UTF-8')

def make_tree(s):
    # Git tree object with one entry: mode, file name, NUL, then the 20 raw bytes of the blob hash
    return 'tree 36\x00100644 flag.txt\x00'.encode('UTF-8') + binascii.unhexlify(s)

def convert_time(s):
    # Turn a git log date into a Unix timestamp; %z keeps the result independent of the local timezone
    return int(datetime.strptime(s, "%a %b %d %H:%M:%S %Y %z").timestamp())

def make_commit(real_flag, parent_sha, real_time, real_author, real_committer, commits):
    # Rebuild the chain blob -> tree -> commit exactly as Git serialises it
    flag_sha = sha_utf8(make_file(real_flag))
    #print(flag_sha)
    tree_sha = sha_utf8(make_tree(flag_sha))
    time_real = convert_time(real_time)
    author_line = 'author {0} {1} +0000'.format(real_author, time_real)
    committer_line = 'committer {0} {1} +0000'.format(real_committer, time_real)
    commit_str = 'tree {0}\nparent {1}\n{2}\n{3}\n\n{4}\n'.format(tree_sha, parent_sha, author_line, committer_line, commits)
    commit = 'commit {0}\x00{1}'.format(len(commit_str), commit_str)
    return commit

def modify_str(s, x, y):
    # Return s with the character at index x replaced by y
    l = list(s)
    l[x] = y
    return ''.join(l)

'''test_commit = make_commit('union{*****************_****************************}\n',
    '08e1f0dd3b9d710b1eea81f6b8f76c455f634e87',
    'Fri Mar 13 12:30:00 2020 +0000','Pamela W. Mathews <pammy.emm@legal.committee>',
    committer,'Proceedings of the flag-deciding committee: 18')

print(test_commit)
print(sha_utf8(test_commit.encode('UTF-8')))
'''
if __name__ == '__main__':
    # Each commit changes three flag characters; brute-force them commit by commit,
    # carrying the recovered flag and the matched hash forward as the next parent.
    for i in range(5, 14):
        pos = position[i]
        nowflag = flag
        ok = False
        for p1 in strpool:
            for p2 in strpool:
                for p3 in strpool:
                    # Positions are 1-based inside the braces; +5 skips the 'union{' prefix
                    nowflag = modify_str(nowflag, pos[0]+5, p1)
                    nowflag = modify_str(nowflag, pos[1]+5, p2)
                    nowflag = modify_str(nowflag, pos[2]+5, p3)
                    if sha_utf8(make_commit(nowflag, parent, times[i], authors[i], committer, commitdesc[i]).encode('UTF-8')) == hashes[i]:
                        print('flag = {0}'.format(nowflag))
                        print('parent = {0}'.format(parent))
                        parent = hashes[i]
                        flag = nowflag
                        ok = True
                        break
                    #else:
                        #print('[BAD]:{0}'.format(nowflag))
                if ok:
                    break
            if ok:
                break

The brute force finally produces the result union{c0mm1tt33_d3c1deD_bu7_SHA_d3t3rm1n3d_6a7c2619a}


http://hexo.init-new-world.com/UnionCTF-20210-committee-writeup
Author: John Doe
Posted on: February 22, 2021