2021 L3HCTF Misc lambda WP

开局一个pcap数据包，flag在哪全靠猜～

两天只做了一道题，不过还是挺有收获的。顺便纪念一下第一次在大型CTF比赛中拿到带血的flag～

第一部分的flag的获取非常简单，只需要打开数据包追踪tcp流，就可以看到。

因为做到这里的时候还没有提示，开始在数据包内进行自由探索。感觉题目中的DNS数据包和ICMP数据包都有明显的构造痕迹，所以思路开始发散。走了不少的弯路。

第一天下午的时候题目突然发了hint，题目提供了一个github地址 https://github.com/dreamstalker/rehlds，是一个游戏引擎，和flag3有关。

我们开始重新收束思路，根据题目描述，后两部分的flag应该还是跟这个游戏服务器有关。

继续查看数据包中http传输的数据。发现有传输一个flag.wad文件还有一个flag.bsp文件。

我们首先尝试解析那个wad文件，google一下可知，这两个都是游戏数据文件。bsp是游戏地图。

找到了一个在线https://www.coolutils.com/online/WAD-to-PNG，但是转成图片之后只得到了一张没太大用处的图片。

bsp折腾了半天，也没找到一个可以打开的方式，所以…

那我们直接安装 CS 1.6！！

加载 flag.bsp 对应的地图，进入游戏可以看到 FLAG 的相关提示。通过穿墙，可以找到 flag 的 part2。(想哥tql！

根据这里的提示，我们可以明确flag有三部分。

进入游戏 flag 地图后，并没有 hint2 的提示，但是对比连接服务器之后的欢迎界面，我们大概可以明确flag3应该就在服务器和客户端通信的udp数据包中。

但是查看udp流，这些数据明显经过了特殊的加密处理，我们没有办法直接获得通信的数据。

根据题目给出的hint，游戏服务器很可能是采用了上面的github代码搭建的。那为了弄懂这些udp乱码，我们就只有去看代码一条路了。(喂，说好是道misc呢？！

因为我们要找的数据一定是从服务器发到客户端的，所以我们要去看服务器发包部分的代码。

最开始我们开的却是是服务器发包部分的代码，但后来才意识到，我们需要解包，其实我们直接看收包部分的代码就好了。

又经过一番摸索后，我们找到了关于服务器收包部分代码的入口——SV_ReadPacket函数。这里为了逻辑清晰，删去了一些对我们意义不大的代码。

void SV_ReadPackets(void)
{
	while (NET_GetPacket(NS_SERVER))
	{

		for (int i = 0 ; i < g_psvs.maxclients; i++)
		{
			client_t *cl = &g_psvs.clients[i];
			if (!cl->connected && !cl->active && !cl->spawned)
			{
				continue;
			}

			if (NET_CompareAdr(net_from, cl->netchan.remote_address) != TRUE)
			{
				continue;
			}

			if (Netchan_Process(&cl->netchan))
			{
				if (g_psvs.maxclients == 1 || !cl->active || !cl->spawned || !cl->fully_connected)
				{
					cl->send_message = TRUE;
				}

				SV_ExecuteClientMessage(cl);
				gGlobalVariables.frametime = host_frametime;
			}

			if (Netchan_IncomingReady(&cl->netchan))
			{
				if (Netchan_CopyNormalFragments(&cl->netchan))
				{
					MSG_BeginReading();
					SV_ExecuteClientMessage(cl);
				}
				if (Netchan_CopyFileFragments(&cl->netchan))
				{
					host_client = cl;
					SV_ProcessFile(cl, cl->netchan.incomingfilename);
				}
			}
		}
	}
}

但是似乎看不懂… g_psvs、netchan都是些什么QAQ

让我们耐心一些，一点点抽丝剥茧。

server_static_t g_psvs;
typedef struct server_static_s
{
	qboolean dll_initialized;
	struct client_s *clients;
	int maxclients;
	int maxclientslimit;
	int spawncount;
	int serverflags;
	server_log_t log;
	double next_cleartime;
	double next_sampletime;
	server_stats_t stats;
	qboolean isSecure;
} server_static_t;
// 从上面我们能大概看出这个结构体里维护了一些服务器的基本数据，记录了服务器支持的最大客户端数量，还有客户端的信息。

由client_t *cl = &g_psvs.clients[i];这句代码我们可以知道cl是一个连接服务器的客户端。

让我们再来看看client的结构体长什么样子吧。

typedef struct client_s
{
	qboolean active;
	qboolean spawned;
	qboolean fully_connected;
	qboolean connected;
	qboolean uploading;
	qboolean hasusrmsgs;
	qboolean has_force_unmodified;
	netchan_t netchan;
	...
} client_t;

netchan_t netchan;又是在client里面定义的另一个结构体。结构体真是一个比一个长啊，不过我们好像接近真相了。

// Network Connection Channel
typedef struct netchan_s
{
	// NS_SERVER or NS_CLIENT, depending on channel.
	netsrc_t sock;

	// Address this channel is talking to.
	netadr_t remote_address;

	int player_slot;
	// For timeouts.  Time last message was received.
	float last_received;
	// Time when channel was connected.
	float connect_time;

	// Bandwidth choke
	// Bytes per second
	double rate;
	// If realtime > cleartime, free to send next packet
	double cleartime;

	// Sequencing variables
	//
	// Increasing count of sequence numbers
	int incoming_sequence;
	// # of last outgoing message that has been ack'd.
	int incoming_acknowledged;
	// Toggles T/F as reliable messages are received.
	int incoming_reliable_acknowledged;
	// single bit, maintained local
	int incoming_reliable_sequence;
	// Message we are sending to remote
	int outgoing_sequence;
	// Whether the message contains reliable payload, single bit
	int reliable_sequence;
	// Outgoing sequence number of last send that had reliable data
	int last_reliable_sequence;

	void *connection_status;
	int (*pfnNetchan_Blocksize)(void *);

	// Staging and holding areas
	sizebuf_t message;
	byte message_buf[MAX_MSGLEN];

	// Reliable message buffer. We keep adding to it until reliable is acknowledged. Then we clear it.
	int reliable_length;
	byte reliable_buf[MAX_MSGLEN];

	// Waiting list of buffered fragments to go onto queue. Multiple outgoing buffers can be queued in succession.
	fragbufwaiting_t *waitlist[MAX_STREAMS];

	// Is reliable waiting buf a fragment?
	int reliable_fragment[MAX_STREAMS];
	// Buffer id for each waiting fragment
	unsigned int reliable_fragid[MAX_STREAMS];

	// The current fragment being set
	fragbuf_t *fragbufs[MAX_STREAMS];
	// The total number of fragments in this stream
	int fragbufcount[MAX_STREAMS];

	// Position in outgoing buffer where frag data starts
	short int frag_startpos[MAX_STREAMS];
	// Length of frag data in the buffer
	short int frag_length[MAX_STREAMS];

	// Incoming fragments are stored here
	fragbuf_t *incomingbufs[MAX_STREAMS];
	// Set to true when incoming data is ready
	qboolean incomingready[MAX_STREAMS];

	// Only referenced by the FRAG_FILE_STREAM component
	// Name of file being downloaded
	char incomingfilename[MAX_PATH];

	void *tempbuffer;
	int tempbuffersize;

	// Incoming and outgoing flow metrics
	flow_t flow[MAX_FLOWS];
} netchan_t;

从上面的变量名还有注释中，我们可以看出，Netchan这个结构体主要是用来处理网络传输的数据的。

大致理解了这些变量的含义后，我们就可以尝试阅读后面关于数据包处理的代码。从上面的 我们可以看到Netchan_Process这个函数，结合我们对于Netchan结构体的判断，可以确认这个函数是比较重要的。 因为这个函数比较大，所以我们一段一段来看。（代码有删减）

int MSG_ReadLong(void)
{
	int c;
	if (msg_readcount + 4 <= net_message.cursize)
	{
		c = *(uint32 *)&net_message.data[msg_readcount];
		msg_readcount += 4;
	}
	else
	{
		msg_badread = 1;
		c = -1;
	}
	return c;
}

qboolean Netchan_Process(netchan_t *chan)
{
	int				i;
	unsigned int	sequence, sequence_ack;
	unsigned int	reliable_ack, reliable_message;
	unsigned int	fragid[MAX_STREAMS] = { 0, 0 };
	qboolean		frag_message[MAX_STREAMS] = { false, false };
	int				frag_offset[MAX_STREAMS] = { 0, 0 };
	int				frag_length[MAX_STREAMS] = { 0, 0 };
	qboolean		message_contains_fragments;

	// get sequence numbers
	MSG_BeginReading();
	sequence = MSG_ReadLong();
	sequence_ack = MSG_ReadLong();

	...

	reliable_message = sequence >> 31;
	reliable_ack = sequence_ack >> 31;
	message_contains_fragments = sequence & (1 << 30) ? true : false;

	COM_UnMunge2(&net_message.data[8], net_message.cursize - 8, sequence & 0xFF);

函数开始定义了一堆sequence, sequence_ack什么的变量，如果学过计算机网络，对此应该都不会陌生，核心意义是为了在udp中模拟tcp实现可靠数据传输，保证一些关键数据包的到达。

虽然函数整体看上去很复杂，但是其实我们主要关注的是代码如何处理输入的数据包数据，所以我们主要关注MSG_ReadLong和MSG_ReadShort这类的函数就可以了。因为只有这类函数才会直接从输入数据中读取信息。

继续阅读Netchan_Process函数，可以知道数据流的前四个字节是seq num，再之后四个字节是seq ack。

Reliable_message和reliable_ack是基于seq和seq_ack生成的标记位，主要与实现可靠传输有关，我们这里可以不太关注。

message_contains_fragments是一个比较关键的变量，他是seq num的第二位，它标记着这段数据有没有被分片。

再之后调用了COM_UnMunge2函数，传递的第一个参数是收到网络数据包第9个字节及以后的内容，第二个参数是这个数据包的大小，第三个参数是序列号的后16位。

void COM_UnMunge2(unsigned char *data, int len, int seq)
{
	int i;
	int mungelen;
	int c;
	int *pc;
	unsigned char *p;
	int j;

	mungelen = len & ~3;
	mungelen /= 4;

	for (i = 0; i < mungelen; i++)
	{
		pc = (int *)&data[i * 4];
		c = *pc;
		c ^= seq;

		p = (unsigned char *)&c;
		for (j = 0; j < 4; j++)
		{
			*p++ ^= (0xa5 | (j << j) | j | mungify_table2[(i + j) & 0x0f]);
		}

		c = LongSwap(c);
		c ^= ~seq;
		*pc = c;
	}
}

并不是一段太复杂的代码，甚至我们没必要都读懂，只需要能够大致清楚这段代码是用来对数据做加密的就可以了，似乎是个开发者自己实现的对称加密。而且因为它把代码已经写好了，我们解密的时候直接调用就可以了～

	if (message_contains_fragments)
	{
		for (i = 0; i < MAX_STREAMS; i++)
		{
			if (MSG_ReadByte())
			{
				frag_message[i] = true;
				fragid[i] = MSG_ReadLong();
				frag_offset[i] = MSG_ReadShort();
				frag_length[i] = MSG_ReadShort();
			}
		}

		if (!Netchan_Validate(chan, frag_message, fragid, frag_offset, frag_length))
			return FALSE;
	}

	sequence &= ~(1 << 31);
	sequence &= ~(1 << 30);
	sequence_ack &= ~(1 << 31);
	sequence_ack &= ~(1 << 30);

	if (net_showpackets.value != 0.0 && net_showpackets.value != 3.0)
	{
		char c = (chan == &g_pcls.netchan) ? 'c' : 's';

		Con_Printf(
			" %c <-- sz=%i seq=%i ack=%i rel=%i tm=%f\n",
			c,
			net_message.cursize,
			sequence,
			sequence_ack,
			reliable_message,
			(chan == &g_pcls.netchan) ? g_pcl.time : g_psv.time);
	}

	if (sequence <= (unsigned)chan->incoming_sequence)
	{
		if (net_showdrop.value != 0.0) {
			if (sequence == (unsigned)chan->incoming_sequence)
				Con_Printf("%s:duplicate packet %i at %i\n", NET_AdrToString(chan->remote_address), sequence, chan->incoming_sequence);
			else
				Con_Printf("%s:out of order packet %i at %i\n", NET_AdrToString(chan->remote_address), sequence, chan->incoming_sequence);
		}
		return FALSE;
	}

	//
	// dropped packets don't keep the message from being used
	//
	net_drop = sequence - (chan->incoming_sequence + 1);
	if (net_drop > 0 && net_showdrop.value != 0.0)
	{
		Con_Printf("%s:Dropped %i packets at %i\n", NET_AdrToString(chan->remote_address), net_drop, sequence);
	}

	//
	// if the current outgoing reliable message has been acknowledged
	// clear the buffer to make way for the next
	//
	if (reliable_ack == (unsigned)chan->reliable_sequence)
	{
		// Make sure we actually could have ack'd this message
#ifdef REHLDS_FIXES
		if (sequence_ack >= (unsigned)chan->last_reliable_sequence)
#else // REHLDS_FIXES
		if (chan->incoming_acknowledged + 1 >= chan->last_reliable_sequence)
#endif // REHLDS_FIXES
		{
			chan->reliable_length = 0;	// it has been received
		}
	}

	//
	// if this message contains a reliable message, bump incoming_reliable_sequence
	//
	chan->incoming_sequence = sequence;
	chan->incoming_acknowledged = sequence_ack;
	chan->incoming_reliable_acknowledged = reliable_ack;
	if (reliable_message)
	{
		chan->incoming_reliable_sequence ^= 1;
	}

	int statId = chan->flow[FLOW_INCOMING].current & 0x1F;
	chan->flow[FLOW_INCOMING].stats[statId].size = net_message.cursize + UDP_HEADER_SIZE;
	chan->flow[FLOW_INCOMING].stats[statId].time = realtime;
	chan->flow[FLOW_INCOMING].current++;
	Netchan_UpdateFlow(chan);

	if (message_contains_fragments)
	{
		for (i = 0; i < MAX_STREAMS; i++)
		{
			int j;
			fragbuf_t *pbuf;
			int inbufferid;
			int intotalbuffers;

			if (!frag_message[i])
				continue;

			inbufferid = FRAG_GETID(fragid[i]);
			intotalbuffers = FRAG_GETCOUNT(fragid[i]);

			if (fragid[i] != 0)
			{
				pbuf = Netchan_FindBufferById(&chan->incomingbufs[i], fragid[i], true);
				if (pbuf) {
					int len = frag_length[i];
					SZ_Clear(&pbuf->frag_message);
					SZ_Write(&pbuf->frag_message, &net_message.data[msg_readcount + frag_offset[i]], len);
				}
				else {
					Con_Printf("Netchan_Process:  Couldn't allocate or find buffer %i\n", inbufferid);
				}
				// Count # of incoming bufs we've queued? are we done?
				Netchan_CheckForCompletion(chan, i, intotalbuffers);
			}

			// Rearrange incoming data to not have the frag stuff in the middle of it
			int wpos = msg_readcount + frag_offset[i];
			int rpos = wpos + frag_length[i];

			Q_memmove(net_message.data + wpos, net_message.data + rpos, net_message.cursize - rpos);
			net_message.cursize -= frag_length[i];

			for (j = i + 1; j < MAX_STREAMS; j++)
			{
				frag_offset[j] -= frag_length[i]; // fragments order already validated
			}
		}

		// Is there anything left to process?
		if (net_message.cursize <= 16)
			return FALSE;
	}

	return TRUE;
}

看！我们终于看到了服务器传输的明文！也拿到了第三部分flag～

part2: _@@w4d_
part3: h4ppyY*!uNmUng3}
L3HCTF{v41v3#_@@w4d_h4ppy!uNmUng3}

END！🎉

Worked by wchhlbt & idealeer

赏

谢谢你请我吃糖果